16 Create and Edit Job, Abstract, and Duty Roles

Overview of Security Configuration

This chapter describes some of the ways in which you can configure the predefined sales security model.

The Oracle implementation of role-based access control is designed to handle a wide range of security requirements in different environments. As a result, most companies can use the standard security settings without modification. If necessary, however, you can configure the default settings to meet specific business requirements. Before making any changes to the security reference implementation, however, do the following:

  • Clearly define the change that is required and review the proposed changes with Oracle Support.

  • Make sure you understand the interrelationships of the various security components and the effect of the proposed change on user access.

  • Document any changes you make.

This chapter describes how you can create your own roles and role hierarchies. For information about configuring data security, see the chapter Configure and Troubleshoot Data Security.

For additional information about changing the standard security settings, go to the Security Resource Center, which is available at 1609084.1 (Article ID) on My Oracle Support. The Security Resource Center provides templates you can use to track the changes you make to standard settings.

Guidelines for Copying Sales Roles

Copying predefined roles and editing the copies is the recommended approach to creating roles. This topic describes some of the issues to consider when copying a role on the Security Console.

Note: You can copy the predefined roles but can't edit them. Predefined roles have role codes with the prefix ORA_.

Role-Copy Options

When you copy a role on the Security Console, you have the option of copying the top role only (shallow copy), or of copying the top role and its inherited roles (deep copy). The result of selecting each of these copy options is described in this section.

  • Copying the Top Role

    If you select the Copy top role option, you copy only the role you have selected. The source role has links to roles in its hierarchy, and the copy inherits links to the original versions of those roles. Subsequent changes to the inherited roles affect not only the source top role, but also your copy. The result of selecting the Copy top role option, therefore, is as follows:

    • You can add roles directly to the copied role without affecting the source role.

    • You can remove any role that's inherited directly by the copied role without affecting the source role.

    • If you remove any role that's inherited indirectly by the copied role, then the removal affects both the copied role and any other role that inherits the removed role's parent role, including the source role.

    • If you edit any inherited role, then the changes affect any role that inherits the edited role. The changes aren't limited to the copied role.

      To edit the inherited roles without affecting other roles, you must first make copies of those inherited roles. You can either select the Copy top role and inherited roles option or copy individual inherited roles separately, edit the copies, and use them to replace the existing versions.

  • Copying the Top Role and Inherited Roles

    If you select the Copy top role and inherited roles option, you copy not only the role you have selected, but also all of the roles in its hierarchy. Your copy of the top role is connected to new copies of subordinate roles.

    Note: Inherited duty roles are copied if a copy of the role with the same name doesn't already exist. Otherwise, the copied role inherits links to the existing copies of the duty roles.

    When inherited duty roles are copied, you can edit them without affecting other roles. Equally, changes made subsequently to duty roles in the source role hierarchy aren't reflected in the copied role.

Reviewing the Role Hierarchy

When you copy a predefined job, abstract, or duty role, it's recommended that you first review the role hierarchy to identify any inherited roles that you want to copy, add, or delete in your custom role. You can review the role hierarchy on the Roles tab of the Security Console in either graphical or tabular format. You can also:

  • Export the role hierarchy to a spreadsheet from the Roles tab.

  • Review the role hierarchy and export it to a spreadsheet from the Analytics tab.

  • Run the User and Role Access Audit Report.

Job and abstract roles inherit function security privileges and data security policies from the roles that they inherit. Function security privileges and data security policies may also be granted directly to a job or abstract role. Review these directly granted privileges on the Roles tab of the Security Console, as follows:

  • In the graphical view of a role, its inherited roles and function security privileges are visible at the same time.

  • In the tabular view, you set the Show value to switch between roles and function security privileges. You can export either view to a spreadsheet.

Once your custom role exists, edit it to add or remove directly granted function security privileges.

Note: Data security policies are visible only when you edit your role; they don't display in the graphical or tabular role views. However, you can view the data security policies assigned to a role from the Analytics tab of the Security Console.

Report and Analytics Roles

You cannot copy roles that are used to secure sales analytics and reports. Therefore, you cannot copy any of the following types of roles:

  • Transaction Analysis Duty roles

  • Business Intelligence roles

  • Any role with a role code prefix of OBIA, for example, OBIA_ANALYSIS_GENERIC_DUTY

You can, however, add any of these roles to custom job roles that you create.

Naming Copied Roles

By default, a copied role has the same name as its source role with the suffix Custom. The role codes of copied roles have the suffix _CUSTOM. Copied roles lose the prefix ORA_ automatically from their role codes. You can define a local naming convention for custom roles, with a prefix, suffix, or both, on the Roles subtab of the Security Console Administration tab.

Note: Copied roles take their naming pattern from the default values specified on the Roles subtab of the Security Console Administration tab. You can override this pattern on the Copy Role: Basic Information page for the role that you're copying. However, the names of roles inherited by the copied role are unaffected. For example, if you perform a deep copy of the Employee role, then duty roles inherited by that role take their naming pattern from the default values.

If any role in the hierarchy already exists when you copy a role, then no copy of that role is made. For example, if you make a second copy of the Employee role, then copies of the inherited duty roles might already exist. In this case, the copied role inherits links to the existing copies of the roles. To create unique copies of inherited roles, you must enter unique values on the Administration tab of the Security Console before you perform a deep copy. To retain links to the predefined job or abstract role hierarchy, perform a shallow copy of the predefined role.
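The shallow-versus-deep copy rules above, together with the naming rules for copied roles, are easier to see in a small model than in prose. The following Python is an added example written for this chapter; it is not Oracle code and does not use any Security Console API. The role codes, role names and privileges in it are constructed, and the model keys the "a copy already exists" check on the derived role code rather than on the role name. It shows that a shallow copy keeps pointing at the predefined duty roles (so a later change to one of them reaches the copy), that a deep copy is isolated from the source hierarchy, and that a second deep copy reuses duty-role copies that already exist, edits included.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed model of Security Console role copying; not Oracle's code.
# Role codes, names and privileges below are made up for the example.


@dataclass
class Role:
    code: str
    name: str
    children: Set[str] = field(default_factory=set)    # codes of directly inherited roles
    privileges: Set[str] = field(default_factory=set)  # directly granted function privileges


class RoleStore:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}

    def add(self, role: Role) -> Role:
        self.roles[role.code] = role
        return role

    def effective_privileges(self, code: str) -> Set[str]:
        """Direct privileges plus everything reachable through the hierarchy."""
        seen: Set[str] = set()
        out: Set[str] = set()
        stack = [code]
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            role = self.roles[current]
            out |= role.privileges
            stack.extend(role.children)
        return out


def custom_code(code: str, prefix: str = "", suffix: str = "_CUSTOM") -> str:
    """Copied roles lose the ORA_ prefix and get the configured prefix/suffix."""
    if code.startswith("ORA_"):
        code = code[len("ORA_"):]
    return f"{prefix}{code}{suffix}"


def custom_name(name: str, prefix: str = "", suffix: str = " Custom") -> str:
    return f"{prefix}{name}{suffix}"


def copy_role(store: RoleStore, code: str, deep: bool,
              top_name: Optional[str] = None, top_code: Optional[str] = None,
              code_prefix: str = "", code_suffix: str = "_CUSTOM",
              name_prefix: str = "", name_suffix: str = " Custom") -> Role:
    """Shallow copy links to the original inherited roles; deep copy copies the
    whole hierarchy, reusing an existing copy when one with the same code exists.
    top_name/top_code override the naming pattern for the top role only."""
    src = store.roles[code]
    copy = Role(top_code or custom_code(code, code_prefix, code_suffix),
                top_name or custom_name(src.name, name_prefix, name_suffix),
                privileges=set(src.privileges))
    for child in src.children:
        if not deep:
            copy.children.add(child)  # still points at the predefined role
            continue
        child_copy_code = custom_code(child, code_prefix, code_suffix)
        if child_copy_code not in store.roles:  # model keys uniqueness on role code
            copy_role(store, child, deep=True, code_prefix=code_prefix,
                      code_suffix=code_suffix, name_prefix=name_prefix,
                      name_suffix=name_suffix)
        copy.children.add(child_copy_code)
    return store.add(copy)


def build_sample_store() -> RoleStore:
    """Constructed three-level hierarchy: job role -> duty role -> duty role."""
    s = RoleStore()
    s.add(Role("ORA_OPP_VIEW_DUTY", "Opportunity Viewing", privileges={"VIEW_OPPORTUNITY"}))
    s.add(Role("ORA_OPP_MGMT_DUTY", "Opportunity Management",
               children={"ORA_OPP_VIEW_DUTY"}, privileges={"EDIT_OPPORTUNITY"}))
    s.add(Role("ORA_SALES_REP_JOB", "Sales Representative",
               children={"ORA_OPP_MGMT_DUTY"}, privileges={"RUN_SALES_REPORTS"}))
    return s


def shallow_copy_scenario() -> dict:
    s = build_sample_store()
    copy = copy_role(s, "ORA_SALES_REP_JOB", deep=False)
    # Simulate a later change to the predefined duty role (e.g. a release update).
    s.roles["ORA_OPP_MGMT_DUTY"].privileges.add("DELETE_OPPORTUNITY")
    return {"copy_code": copy.code, "children": copy.children,
            "copy_gets_new_privilege": "DELETE_OPPORTUNITY" in s.effective_privileges(copy.code)}


def deep_copy_scenario() -> dict:
    s = build_sample_store()
    first = copy_role(s, "ORA_SALES_REP_JOB", deep=True)
    # Editing the copied duty role must not leak into the predefined hierarchy.
    s.roles["OPP_MGMT_DUTY_CUSTOM"].privileges.add("DELETE_OPPORTUNITY")
    roles_before_second = len(s.roles)
    # A second deep copy with an overridden top code reuses the existing duty copies.
    second = copy_role(s, "ORA_SALES_REP_JOB", deep=True,
                       top_code="SALES_REP_JOB_V2", top_name="Sales Representative V2")
    return {"first_children": first.children,
            "source_unchanged": "DELETE_OPPORTUNITY" not in s.effective_privileges("ORA_SALES_REP_JOB"),
            "copy_has_edit": "DELETE_OPPORTUNITY" in s.effective_privileges(first.code),
            "second_children": second.children,
            "roles_added_by_second_copy": len(s.roles) - roles_before_second}


if __name__ == "__main__":
    print(shallow_copy_scenario())
    print(deep_copy_scenario())
```

Running the script prints the two scenarios: the shallow copy SALES_REP_JOB_CUSTOM still inherits ORA_OPP_MGMT_DUTY and therefore picks up the privilege added to it later, while the deep copy's duty roles can be edited without touching ORA_SALES_REP_JOB. The second deep copy adds only one new role, because OPP_MGMT_DUTY_CUSTOM and OPP_VIEW_DUTY_CUSTOM already exist, and it inherits the edited copy rather than a fresh one, which is why the chapter recommends setting unique prefix or suffix values before a second deep copy.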

Copy Job or Abstract Roles

You can copy any job role or abstract role and use it as the basis for a custom role. Copying roles is more efficient than creating them from scratch, especially if your changes are minor. This topic explains how to copy a role to create a new role. You must have the IT Security Manager job role to perform this task.

Note: You can identify predefined job and abstract roles easily by their role codes, which have the prefix ORA_.

Copying a Role

To copy a job or abstract role:

  1. On the Roles tab of the Security Console, search for the role to copy.

  2. Select the role in the search results. The role hierarchy appears in tabular format by default.

    Tip: Click the Show Graph icon to show the hierarchy in graphical format.

  3. In the search results, click the down arrow for the selected role and select Copy Role.

  4. In the Copy Options dialog box, select a copy option.

  5. Click Copy Role.

  6. On the Copy Role: Basic Information page, review and edit the Role Name, Role Code, and Description values, as appropriate.

    Tip: The role name and code have the default prefix and suffix for copied roles specified on the Roles subtab of the Security Console Administration tab. You can overwrite these values for the role that you're copying. However, any roles inherited by the copied role are unaffected by any name changes that you make here.

  7. Click the Summary and Impact Report train stop.

  8. Click Submit and Close, then OK to close the confirmation message.

  9. Review the progress of your copy on the Role Copy Status subtab of the Security Console Administration tab. Once the status is Complete, you can edit the copied role.

Edit Job or Abstract Roles

You can create a role by copying a predefined job role or abstract role and then editing the copy. This topic describes how to edit a role on the Security Console. You must have the IT Security Manager job role to perform this task.

Editing the Role

To edit a job or abstract role:

  1. On the Roles tab of the Security Console, search for and select your custom role.

  2. In the search results, click the down arrow for the selected role and select Edit Role.

  3. On the Edit Role: Basic Information page, you can edit the role name and description, but not the role code.

  4. Click Next.

Managing Functional Security Privileges

On the Edit Role: Function Security Policies page, any functional security privileges granted directly to the copied role appear on the Privileges tab. Click Load Inherited Policies to populate the table with privileges that the role inherits. To view details of the code resources that a privilege secures, select the privilege in the Details section of the page.

You can add or delete existing privileges from copied roles but can't create new functional security policies. To delete a privilege that is added directly to the copied role, select the privilege and click the Delete icon. You can't delete inherited privileges.

To add a privilege to the copied role:

  1. Click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to add all function security privileges from the role to your custom role. If you select a single privilege, then click Add Privilege to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

    All the privileges you selected are listed on the Edit Role: Function Security Policies page.

  7. Click Next.

The Resources tab, which is read-only, lists any resources granted to the role directly rather than through function security privileges. As you can't grant resources directly to roles on the Security Console, only resource grants created before Release 12 could appear on this tab. You can't edit these values.

Managing Data Security Privileges

On the Edit Role: Data Security Policies page, any data security policies granted to the copied role appear. You can add or remove policies from the copied role, or edit the existing policies. For information about creating, editing, and adding data security policies to a role, see the topic Editing Data Security Policies on the Security Console.

Click Next to continue to the next page.

Adding and Removing Inherited Roles

The Edit Role: Role Hierarchy page shows the copied role and its inherited duty roles. The hierarchy is in tabular format by default but you can switch to graphical mode. You can add or remove roles.

To remove a role:

  1. Select the role in the table.

  2. Click the Delete icon.

  3. Click OK to close the confirmation message.

To add a role:

  1. Click the Add Role icon.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. Close the Add Role Membership dialog box.

    The Edit Role: Role Hierarchy page shows the updated role hierarchy.

  7. Click Next.

Assigning the Role to Users

On the Edit Role: Users page you can assign the copied role to users.

To remove user access to a role:

  1. Select the user in the table.

  2. Click the Delete icon.

  3. Click OK to close the confirmation message.

To add user access to a role:

  1. Click the Add User button.

  2. In the Add User dialog box, search for and select a user or role (job or abstract role).

  3. If you select a role, then click Add Selected Users to add all the users assigned the role to your custom role. If you select a single user, then click Add User to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional users.

  6. Close the Add User dialog box.

    The Edit Role: User page shows the updated role membership.

  7. Click Next.

Reviewing the Role

On the Edit Role: Summary and Impact Report page, review the summary of changes. Then do the following:

  1. Click Back to make corrections.

  2. When you have completed any corrections required, click Save and Close to save the role.

  3. Click OK to close the confirmation message.

The role is available immediately.

Create Job or Abstract Roles

If the predefined job or abstract roles don't meet enterprise requirements, then you can create new job or abstract roles. In many cases, an efficient method of creating a role is to copy an existing role, then edit the copy to meet your requirements. However, if the predefined roles aren't similar enough to the roles that you require, then you can create a job role or abstract role from scratch as described in this topic. To perform this task, you must have the IT Security Manager job role.

Entering Basic Information

To create the new role, perform the following steps:

  1. On the Roles tab of the Security Console, click Create Role.

  2. On the Create Role: Basic Information page, enter the role's display name in the Role Name field. For example, enter Inside Sales Representative.

  3. Enter a unique Role Code value. For example, enter INSIDE_SALES_REP_JOB.

    Abstract roles have the suffix _ABSTRACT, and job roles have the suffix _JOB.

  4. In the Role Category field, select the appropriate role category, for example, CRM - Job Roles.

  5. Click Next.

Adding Functional Security Policies

When you create a role from scratch, you're most likely to add one or more duty roles to your role. You're less likely to grant function security privileges directly to the role. If you aren't granting function security privileges, then click Next.

To grant function security privileges to the new role:

  1. On the Create Role: Functional Security Policies page, click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

    You can either add an individual privilege or copy all the privileges that belong to an existing role.

  3. If you select a role, then click Add Selected Privileges to add all the function security privileges assigned to the selected role to your custom role. If you select a single privilege, then click Add Privilege to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

    All the privileges you added are listed on the Create Role: Functional Security Policies page. You can:

    • Click on a privilege to view details of the code resource that it secures.

    • Delete any privilege by selecting the privilege and clicking the Delete icon.

  7. Click Next.

Note: You can add existing privileges to the new role but can't create new functional security policies.

Adding Data Security Policies

On the Create Role: Data Security Policies page, you can assign data security policies to your new role. For information about creating and adding data security policies to a role, see the topic Editing Data Security Policies on the Security Console.

Click Next to continue to the next page.

Building the Role Hierarchy

The Create Role: Role Hierarchy page shows the hierarchy of your custom role in tabular format by default. You can add one or more job, abstract, and duty roles to the new role. Typically, when creating a job or abstract role you add duty roles. Roles are always added directly to the role that you're creating.

To add a role:

  1. Click the Add Role icon.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. Close the Add Role Membership dialog box.

    The Create Role: Role Hierarchy page shows the updated role hierarchy.

  7. Click Next.

Assigning the Role to Users

On the Create Role: Users page, you can assign the job or abstract role you are creating to selected users.

To assign the role to a user:

  1. Click Add User.

  2. In the Add User dialog box, search for and select a user or role.

  3. If you select a role, then click Add Selected Users to add all the users assigned the role to the role you're creating. If you select a single user, then click Add User to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 to add additional users.

  6. Close the Add User dialog box.

    The Create Role: Users page shows the updated role membership.

  7. Click Next.

Reviewing the Role

To review the role, do the following:

  1. On the Create Role: Summary and Impact Report page, review the selections you have made.

    Summary listings show the numbers of function security policies, data security policies, roles, and users you have added and removed; an Impact listing shows the number of roles and users affected by your changes. Expand any of these listings to see names of policies, roles, or users included in its counts.

  2. If you determine you need to make changes, click Back to navigate back to the appropriate page, then make the correction.

  3. If you're satisfied with the role, click Save and Close to save the role.

  4. Click OK to close the confirmation message.

Your custom role is available immediately on the Security Console.

Tip: Search for the job or abstract role on the Security Console and review its visualization. Edit the role to make any corrections.

Copy and Edit Duty Roles

You can copy a duty role and then edit the copy to create a new duty role. Copying duty roles is the recommended way of creating duty roles. This topic explains how to copy a duty role and edit the copy. You must have the IT Security Manager job role to perform these tasks.

Copying a Duty Role

To copy a duty role:

  1. On the Roles tab of the Security Console, search for the duty role to copy.

  2. Select the role in the search results.

    The role is displayed in tabular format by default. Click the Show Graph icon to show the hierarchy in graphical format.

  3. In the search results, click the down arrow for the selected role and select Copy Role.

  4. In the Copy Options dialog box, select a copy option.

    • If you select Copy top role, then only the selected role is copied. The copied role inherits the same role instances as the source role.

    • If you select Copy top role and inherited roles, then a copy is made of every role in the role hierarchy provided that a copy of the role with the same name doesn't already exist.

  5. Click Copy Role.

  6. On the Copy Role: Basic Information page, edit the Role Name, Role Code, and Description values, as appropriate.

    Tip: The Role Name and Role Code values are assigned the default prefix and suffix for copied roles specified on the Roles subtab of the Security Console Administration tab. The prefix ORA_ is also removed from the role code. You can overwrite the default prefix and suffix for the role that you're copying. However, any roles inherited by the copied role are unaffected by any name changes that you make here.

  7. Click the Summary and Impact Report train stop.

  8. Click Submit and Close, then OK to close the confirmation message.

  9. Review the progress of your copy on the Role Copy Status subtab of the Security Console Administration tab. Once the status is Complete, you can edit the copied role.

Editing the Copied Duty Role

To edit the copied role, perform the following steps:

  1. On the Roles tab of the Security Console, search for and select your copy of the duty role.

  2. In the search results, click the down arrow for the selected role and select Edit Role.

  3. On the Edit Role: Basic Information page, you can edit the role name and description, but not the role code.

  4. Click Next.

Managing Functional Security Policies

On the Edit Role: Function Security Policies page, any functional security privileges granted directly to the copied role appear on the Privileges tab. Click Load Inherited Policies to populate the table with privileges that the role inherits. To view details of the code resources that a privilege secures, select the privilege in the Details section of the page.

You can add or delete existing privileges from copied duty roles but can't create new functional security policies. To delete a privilege that is added directly to the copied role, select the privilege and click the Delete icon. You can't delete inherited privileges.

To add a privilege to the role:

  1. Click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to grant all function security privileges from the role to your custom role. If you select a single privilege, then click Add Privilege to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

    All the privileges you selected are listed on the Edit Role: Function Security Policies page.

  7. Click Next.

The Resources tab, which is read-only, lists any resources granted to the role directly rather than through function security privileges. As you can't grant resources directly to roles on the Security Console, only resource grants created before Release 12 could appear on this tab. You can't edit these values.

Managing Data Security Policies

On the Edit Role: Data Security Policies page, any data security policies granted to the copied role appear. You can edit or remove policies from the copied role, or create a new policy for the role. For information about creating, editing, and adding data security policies to a role, see the topic Editing Data Security Policies on the Security Console.

Click Next to continue to the next page.

Adding and Removing Inherited Roles

The Edit Role: Role Hierarchy page shows the copied duty role and any duty roles that it inherits. The hierarchy is displayed in tabular format by default. You can add or remove roles.

To remove a role:

  1. Select the role in the table.

  2. Click the Delete icon.

  3. Click OK to close the confirmation message.

To add a role:

  1. Click Add Role.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. Close the Add Role Membership dialog box.

    The Edit Role: Role Hierarchy page shows the updated role hierarchy.

  7. Click Next.

Viewing Users Assigned the Role

On the Edit Role: Users page, click Next. You can't provision duty roles directly to users.

Reviewing the Role

On the Edit Role: Summary and Impact Report page, review the summary of changes. Then do the following:

  1. Click Back to make corrections.

  2. When you have completed any corrections required, click Save and Close to save the role.

  3. Click OK to close the confirmation message.

The role is available immediately.

Edit Data Security Policies on the Security Console

This topic describes how to edit data security policies when creating, copying or editing roles on the Roles tab of the Security Console.

Editing Data Security Policies for Roles

To create a role, it's recommended that you copy a predefined role rather than create a role from scratch. In this case, your role automatically has the data security policies of the copied role. You can edit or remove the copied data security policies if necessary.

To edit or remove a data security policy for a role:

  1. On the Data Security Policies page, locate the policy then click the down arrow at the end of the policy row to show the actions menu.

  2. Select one of the options listed:

    • To remove the policy, select the Remove Data Security Policy option.

      The policy is removed from the role.

    • To edit the policy, do the following:

      1. Select the Edit Data Security Policy option.

        The Edit Data Security Policy dialog box is displayed.

      2. Change the values as required, for example, you can change the start date, the data set, or the action specified for the policy.

      3. Click OK to save your changes, and close the confirmation message.

Creating Data Security Policies for Roles

You're unlikely to create data security policies unless you create roles from scratch. However, you can do so if required.

To create a data security policy:

  1. On the Data Security Policies page, click Create Data Security Policy.

    The Create Data Security Policy dialog box is displayed. A Start Date value is automatically assigned to the policy but can be changed.

  2. In the Policy Name field, enter a policy name.

    The names of predefined data security policies begin with the words Grant on.

  3. Search for and select the database resource for which you're defining the policy, for example, search for a table name.

  4. In the Data Set field, select the subset of the data made available by the database resource the policy applies to.

    The following table describes the values you can choose for the Data Set field.

    Value: Select by key
    Description: Use to limit the data set to a single record in the data resource. If you select this option, you must specify the primary key value that identifies the record in the database resource.

    Value: Select by instance set
    Description: Use to limit the data set to a subset of the data in the data resource. If you select this option, you must select a condition that defines a subset of the data. Conditions vary by resource. If the predefined conditions available for a resource are not appropriate, you can create custom conditions for the predefined database resource. For additional information, see the topic Managing Database Resources.

    Value: All values
    Description: Use to include all data from the data resource in the data set.

  5. Complete the remaining fields, which depend on the selected combination of database resource and data set values.

  6. In the Actions field, select the actions to which this data security policy applies.

  7. Click OK to save the data security policy.

    You can view the new policy on the Data Security Policies page by scrolling to the end of the list of policies.
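To make the three Data Set choices concrete, the following Python is an added example written for this chapter; it is not Oracle code and does not reflect how the Security Console or the database actually evaluates policies. It models a data security policy as a resource, a data set (select by key, select by instance set, or all values), a set of actions, and a start date, then filters a constructed list of opportunity records to the ones a role could act on. The resource name OPPORTUNITY, the record fields, the policy names and the dates are all made up; the primary key is assumed to be a field called id. The example also shows the two details a practitioner wants checked: a policy whose start date has not been reached grants nothing yet, and a key or instance-set policy that is missing its key value or condition is rejected instead of being silently created.

```python
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable, Dict, List, Optional

# Constructed model of data security policy evaluation; not Oracle's implementation.
# Resource, record and policy names are made up for the example.
Record = Dict[str, Any]


@dataclass
class DataSecurityPolicy:
    name: str
    resource: str           # database resource the policy is defined on
    data_set: str           # "key", "instance_set" or "all" (the Data Set choices)
    actions: frozenset      # actions the policy grants on the data set
    start_date: date        # policy is inactive before this date
    key_value: Any = None   # required for "key": primary key of the single record
    condition: Optional[Callable[[Record], bool]] = None  # required for "instance_set"
    end_date: Optional[date] = None

    def __post_init__(self) -> None:
        # Each Data Set choice needs its own extra field; fail early rather than
        # create a policy that can never match anything.
        if self.data_set == "key" and self.key_value is None:
            raise ValueError(f"{self.name}: Select by key needs a primary key value")
        if self.data_set == "instance_set" and self.condition is None:
            raise ValueError(f"{self.name}: Select by instance set needs a condition")
        if self.data_set not in ("key", "instance_set", "all"):
            raise ValueError(f"{self.name}: unknown data set {self.data_set!r}")

    def is_active(self, today: date) -> bool:
        return self.start_date <= today and (self.end_date is None or today <= self.end_date)

    def covers(self, resource: str, record: Record, action: str, today: date) -> bool:
        if resource != self.resource or action not in self.actions or not self.is_active(today):
            return False
        if self.data_set == "key":
            return record["id"] == self.key_value
        if self.data_set == "instance_set":
            return bool(self.condition(record))
        return True  # "all": every record of the resource


def allowed(policies: List[DataSecurityPolicy], resource: str, record: Record,
            action: str, today: date) -> bool:
    """A role may act on a record if any one of its policies covers it."""
    return any(p.covers(resource, record, action, today) for p in policies)


def visible_ids(policies: List[DataSecurityPolicy], resource: str,
                records: List[Record], action: str, today: date) -> List[Any]:
    return [r["id"] for r in records if allowed(policies, resource, r, action, today)]


# Constructed sample data: opportunity records keyed by "id".
OPPORTUNITIES: List[Record] = [
    {"id": 1, "owner": "jdoe", "status": "open"},
    {"id": 2, "owner": "asmith", "status": "open"},
    {"id": 3, "owner": "asmith", "status": "closed"},
]


def sample_policies(current_user: str) -> List[DataSecurityPolicy]:
    """One policy per Data Set choice, names modelled on the 'Grant on' convention."""
    return [
        DataSecurityPolicy("Grant on Opportunity (owned)", "OPPORTUNITY", "instance_set",
                           frozenset({"read", "update"}), date(2020, 1, 1),
                           condition=lambda r: r["owner"] == current_user),
        DataSecurityPolicy("Grant on Opportunity (record 3)", "OPPORTUNITY", "key",
                           frozenset({"read"}), date(2020, 1, 1), key_value=3),
        # Start date in the future: grants nothing until that date is reached.
        DataSecurityPolicy("Grant on Opportunity (all, future)", "OPPORTUNITY", "all",
                           frozenset({"read"}), date(2030, 1, 1)),
    ]


def demo(today_iso: str = "2025-06-01") -> Dict[str, List[Any]]:
    today = date.fromisoformat(today_iso)
    pols = sample_policies("jdoe")
    return {action: visible_ids(pols, "OPPORTUNITY", OPPORTUNITIES, action, today)
            for action in ("read", "update", "delete")}


if __name__ == "__main__":
    print(demo())              # before the "all" policy starts
    print(demo("2031-01-01"))  # after it starts
```

With the constructed data, on 2025-06-01 user jdoe can read records 1 (instance set: owned) and 3 (select by key) and update only record 1; no policy grants delete. On 2031-01-01 the all-values policy has started and read covers all three records, while update is still limited by the instance-set condition.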