Display Security Briefings
For each user-role combination in the enhanced worksheet, a security briefing can display data that informs the certification decision. Each briefing includes AI-generated descriptions of the access granted by the role's privileges, information about the assignment of the role to the user, and context for the role assignment.
Here are some preliminary notes:
- For you to view security briefings, an admin has to set a profile option. (See Activate the Enhanced Worksheet for Access Certifications.)
- The first time you open the briefing for any role assignment, the AI-generated summaries take up to 30 seconds to be composed. Once the summaries for a role exist, they're used in the briefing for that role's assignment to any user, and briefings involving the role open without delay.
- Summaries are saved only until the Access Certification Synchronization job runs, typically once each day. After the job runs, even AI summaries that had been generated must be regenerated. Information conveyed in regenerated summaries doesn't change, but wordings might change slightly.
- The AI feature doesn't create summaries for any role with more than 500 privileges. In place of the role summary, a message reports that the summary is unavailable.
To view a security briefing, click the role name in the record of a user-role combination you're reviewing. A Security Briefing drawer opens. The briefing is divided into nine sections.
A Highlights section presents an AI-generated paragraph that summarizes what the role's privileges enable a user to do. Because it's specific to the role, the paragraph appears in the security briefing for any user assigned the role. The Highlights section also presents a list of statements about the user-role combination that's the focus of the record in which you opened the briefing. The list presents salient facts selected from the remaining sections.
A Summary of privileges by functional category section uses AI to define categories into which the role's privileges fit, and to describe what the privileges in each category enable a user to do. Like the role summary in the Highlights section, these summaries appear in the security briefing for any user assigned the role.
An Elevated privileges section tells whether the role is, is similar to, or includes a role from a set of IT roles that provide sensitive access. If so, it identifies the IT role. The role being considered for certification is similar to an IT role if it includes 75 percent of the IT role's privileges.
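The following Python sketch illustrates the three relationships described above. It is an added example, not Oracle's implementation. The role names, privilege names, the reading of "includes" as holding every privilege of the IT role, and the use of "at least 75 percent" are assumptions.

```python
# Added illustration; role and privilege names are constructed sample data.
SIMILARITY_THRESHOLD = 0.75  # from the text; treating it as ">=" is an assumption

IT_ROLES = {
    "IT Security Manager": {"MANAGE_ROLES", "MANAGE_USERS",
                            "RESET_PASSWORDS", "VIEW_AUDIT_LOG"},
}
# Three of the four IT privileges plus nine business privileges.
OPS_LEAD_PRIVS = {"MANAGE_ROLES", "MANAGE_USERS", "RESET_PASSWORDS"} | {
    f"BUSINESS_PRIV_{i}" for i in range(9)}

def classify_against_it_roles(role_name, role_privs, it_roles=IT_ROLES):
    """Return (relation, it_role, coverage) for the strongest match, or None.

    coverage is the share of the IT role's privileges found in the candidate
    role. It is measured against the IT role, not the candidate, so a large
    business role can be "similar to" a small IT role.
    """
    rank = {"is": 3, "includes": 2, "similar to": 1}
    role_privs = set(role_privs)
    best = None
    for it_name, it_privs in it_roles.items():
        if not it_privs:
            continue  # an empty role definition cannot be matched
        coverage = len(role_privs & it_privs) / len(it_privs)
        if role_name == it_name:
            relation = "is"
        elif coverage == 1.0:
            relation = "includes"  # assumption: superset of the IT role
        elif coverage >= SIMILARITY_THRESHOLD:
            relation = "similar to"
        else:
            continue
        if best is None or (rank[relation], coverage) > (rank[best[0]], best[2]):
            best = (relation, it_name, coverage)
    return best

if __name__ == "__main__":
    print(classify_against_it_roles("Regional Ops Lead", OPS_LEAD_PRIVS))
```

In the sample data, only a quarter of the candidate role's own privileges are IT privileges, yet it covers 75 percent of the IT role and is flagged as similar.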
An Unusual privileges section tells whether the role contains privileges that aren't typically appropriate for the job title or position of the user whose role assignment is being evaluated. Typically, the role contains sensitive IT privileges, but the job title or position suggests the role isn't IT-related. If the role includes unusual privileges, the message includes the job name, position name, or both. (If neither a job name nor a position name is available for the user-role combination, a message reports that no determination can be made.)
A Related data access permissions section documents a security definition, which determines the data to which the user can apply the role's functionality. It consists of a security context and one or more security values. The context is an attribute recognized by the Manage Data Access for Users task in Oracle Fusion Functional Setup Manager, for example Business Unit. The value is one or more items configured by your organization that are appropriate for a context. If your organization had a business unit called Consumer Electronics, for example, the data-security definition "Business Unit equals Consumer Electronics" would enable the user to work with data associated with that unit.
A Usage in the organization section reports that the user who's the focus of this briefing may not be human, if a set of tests suggests this to be likely. (This section doesn't comment if the tests determine the user is likely to be human.) The section also reports numbers of users assigned the role this briefing is concerned with. Counts include users throughout your organization, users who report directly or indirectly to the manager of the user who's the focus of this briefing, and users who report directly to that manager. (The results involving a manager apply only if the record of the user-role combination identifies a direct manager.) Or, this section reports that no users are assigned the role if that's the case for any of these categories.
An Access certification history section reports the number of users certified to keep the role this briefing is concerned with, and the number for whom role removal was recommended, in the last 12 months. It also gives the date on which the most recent certification of the role assignment was completed, or reports that the role hasn't been included in a certification in the last 12 months.
An Inherent risks and incident history section gives the numbers of access risks resulting from the assignment of the role to the user. There are two types of risk. A role on its own may contain privileges that grant risky access. For example, it may enable a user both to create a purchase order and approve payment on it. The briefing refers to this as "inherent separation-of-duties" risk. Or, a role may contain a privilege that conflicts with a privilege in another role assigned to the user. For example, one role might have the create-purchase-order privilege, and the other the approve-payment privilege. The briefing refers to this as "access incident" risk. Both types are detected by access controls created in Oracle Fusion Cloud Advanced Controls.
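The difference between the two risk types can be shown with a short Python sketch. It is an added example, not code from Oracle Fusion Cloud Advanced Controls. The role names, privilege names, and the single conflict rule are constructed from the purchase-order scenario in the text.

```python
# Added illustration; all names below are constructed sample data.
# Each rule is a set of privileges one user should not hold together.
CONFLICTS = [frozenset({"CREATE_PURCHASE_ORDER", "APPROVE_PAYMENT"})]

ROLE_PRIVS = {
    "Procurement Super User": {"CREATE_PURCHASE_ORDER", "APPROVE_PAYMENT",
                               "VIEW_SUPPLIER"},
    "Buyer": {"CREATE_PURCHASE_ORDER", "VIEW_SUPPLIER"},
    "Payables Approver": {"APPROVE_PAYMENT"},
}

def assess_role_for_user(role, user_roles, role_privs=ROLE_PRIVS,
                         conflicts=CONFLICTS):
    """Classify conflicts raised by assigning `role` to a user.

    inherent:  the role alone satisfies a conflict rule.
    incidents: the role supplies part of a rule and another role assigned
               to the same user supplies the rest.
    """
    privs = role_privs[role]
    inherent, incidents = [], []
    for rule in conflicts:
        if rule <= privs:
            inherent.append(tuple(sorted(rule)))
            continue  # already counted as inherent, not as an incident
        if not rule & privs:
            continue  # this role contributes nothing to the rule
        missing = rule - privs
        for other in user_roles:
            if other != role and missing <= role_privs[other]:
                incidents.append((other, tuple(sorted(rule))))
    return {"inherent": sorted(inherent), "incidents": sorted(incidents)}

if __name__ == "__main__":
    print(assess_role_for_user("Procurement Super User",
                               ["Procurement Super User"]))
    print(assess_role_for_user("Buyer", ["Buyer", "Payables Approver"]))
```

A reviewer deciding on the Buyer assignment sees no inherent risk, but the incident count shows that removing either Buyer or Payables Approver would resolve the conflict.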
A Complete list of privileges section presents a list of all the privileges included in the role this briefing is concerned with.