Display Role Briefings
For each user-role combination in the enhanced worksheet, a role briefing can display data that informs the certification decision. Each briefing includes these elements:
- AI-generated summaries that describe the access granted by the role's privileges. One summary depicts the role as a whole, while others break down its activities into functional categories.
- Information about the assignment of the role to the user. This includes a data-security definition, which determines the set of records to which the user can apply the role. It also provides the number of risks that access controls have detected for the role assignment.
- Context for the role assignment. You can review the numbers of people assigned the role within your organization as a whole, within the hierarchy of positions overseen by the user's direct manager, and among that manager's direct reports. You can also review a history of certification decisions for the role.
Here are some preliminary notes:
- For you to view role briefings, an admin has to set a profile option. (See Activate the Enhanced Worksheet for Access Certifications.)
- The first time you open the briefing for any role assignment, the AI-generated summaries take up to 30 seconds to be composed. Once the summaries for a role exist, they're used in the briefing for that role's assignment to any user, and briefings involving the role open without delay.
- Summaries are saved only until the Access Certification Synchronization job runs, typically once each day. After the job runs, even AI summaries that had been generated must be regenerated. Information conveyed in regenerated summaries doesn't change, but wordings might change slightly.
- The AI feature doesn't create summaries for any role with more than 500 privileges. In place of the role summary, a message reports that the summary is unavailable.
To view a role briefing, click the role name in the record of a user-role combination you're reviewing. A Role Briefing drawer opens. The briefing is divided into seven sections.
A Highlights section presents an AI-generated paragraph that summarizes what the role's privileges enable a user to do. Because it's specific to the role, the paragraph appears in the role briefing for any user assigned the role. The Highlights section also presents information about the user whose assignment is the focus of the record in which you opened the briefing. This may include when the user was last certified or decertified for the role, what the assignment's data-security definition is, numbers of users who are assigned the role or have been certified for it within the last 12 months, and the number of access risks inherent to the role or in conflict with other roles the user has access to.
A Summary of privileges by functional category section uses AI to define categories into which the role's privileges fit, and to describe what the privileges in each category enable a user to do. Like the role summary in the Highlights section, these summaries appear in the role briefing for any user assigned the role.
A Related data access permissions section documents a security definition, which determines the data to which the user can apply the role's functionality. It consists of a security context and one or more security values. The context is an attribute recognized by the Manage Data Access for Users task in Oracle Fusion Functional Setup Manager, for example Business Unit. The value is one or more items configured by your organization that are appropriate for a context. If your organization had a business unit called Consumer Electronics, for example, the data-security definition "Business Unit equals Consumer Electronics" would enable the user to work with data associated with that unit.
A Usage in the organization section reports numbers of users assigned the role this briefing is concerned with. Counts include users throughout your organization, users who report directly or indirectly to the manager of the user who's the focus of this briefing, and users who report directly to that manager. (The results involving a manager apply only if the record of the user-role combination identifies a direct manager.) Or, this section reports that no users are assigned the role if that's the case for any of these categories.
An Access certification history section reports the number of users certified to keep the role this briefing is concerned with, and the number for whom role removal was recommended, in the last 12 months. It also gives the date on which the most recent certification of the role assignment was completed, or whether the role has not been included in a certification in the last 12 months.
An Inherent risks and incident history section gives the numbers of access risks resulting from the assignment of the role to the user. There are two types of risk. A role on its own may contain privileges that grant risky access. For example, it may enable a user both to create a purchase order and approve payment on it. The briefing refers to this as "inherent separation-of-duties" risk. Or, a role may contain a privilege that conflicts with a privilege in another role assigned to the user. For example, one role might have the create-purchase-order privilege, and the other the approve-payment privilege. The briefing refers to this as "access incident" risk. Both types are detected by access controls created in Oracle Fusion Cloud Advanced Controls.
A Complete list of privileges section presents a list of all the privileges included in the role this briefing is concerned with.
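The two risk types named in the Inherent risks and incident history section can be told apart with a small model. The following Python sketch is an added illustration, not Oracle code and not how Advanced Controls evaluates access; the role names, privilege names, and the single conflict rule are constructed sample data, and `count_risks` is a hypothetical helper.

```python
from itertools import combinations

# Constructed sample data (assumptions, not taken from any Oracle configuration).
# Each conflict is a pair of privileges one user should not hold together.
CONFLICTS = [("create_purchase_order", "approve_payment")]
ROLES = {
    "Procurement Lead": {"create_purchase_order", "approve_payment"},
    "Buyer": {"create_purchase_order", "view_supplier"},
    "Payables Approver": {"approve_payment"},
    "Auditor": {"view_supplier"},
}

def count_risks(assigned, roles=ROLES, conflicts=CONFLICTS):
    """Count both risk types for each role assigned to one user."""
    counts = {r: {"inherent": 0, "incident": 0} for r in assigned}
    for p, q in conflicts:
        # Inherent separation-of-duties risk: one role on its own
        # holds both conflicting privileges.
        for r in assigned:
            if p in roles[r] and q in roles[r]:
                counts[r]["inherent"] += 1
        # Access incident risk: a privilege in one assigned role
        # conflicts with a privilege in another assigned role.
        for a, b in combinations(assigned, 2):
            if (p in roles[a] and q in roles[b]) or (q in roles[a] and p in roles[b]):
                counts[a]["incident"] += 1
                counts[b]["incident"] += 1
    return counts

if __name__ == "__main__":
    for user_roles in (["Procurement Lead"],
                       ["Buyer", "Payables Approver", "Auditor"]):
        print(user_roles, "->", count_risks(user_roles))
```

A reviewer reading the briefing can use the same distinction: an inherent risk follows the role to every user who holds it, while an access incident depends on which other roles this particular user has.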