16 Review and Analyze Roles

Overview of Reviewing Roles

This chapter describes how you can use the Security Console to review and analyze role information. You perform these tasks from the Roles and Analytics tabs of the Security Console.

You can perform these tasks from the Roles tab:

  • Visualize role hierarchies and role assignments to users.

  • Review Navigator menus available to roles or users, identifying roles that grant access to Navigator items and the privileges required for that access.

  • Compare roles.

  • Copy roles, create roles, and edit custom job, abstract, and duty roles.

    For information about copying roles and creating roles, see the chapter Creating Job, Abstract, and Duty Roles.

From the Analytics tab, you can perform these tasks:

  • Review statistics concerning role categories, the roles belonging to each category, and the components of each role.

  • View the data security policies, roles, and users associated with each database resource.

Note: You can also use the Security Dashboard to get an overview of the security roles and how they're provisioned in your environment. For information, see the topic describing the Security Dashboard in this chapter.

Graphical and Tabular Role Visualizations

On the Roles tab, you can review role hierarchies. You can choose whether to display role hierarchies using either a tabular or a graphical view. The view you see by default depends on the setting of the Enable default table view option on the Administration tab. This topic describes how to use each of these views.

Role hierarchies stretch from users at the top of the hierarchy to privileges at the bottom. In both graphical and tabular views, you can set the direction of the displayed hierarchy.

  • To show from the selected user, role, or privilege up the hierarchy, set Expand Toward to Users.

  • To show from the selected user, role, or privilege down the hierarchy, set Expand Toward to Privileges.

The Tabular View

If the tabular view doesn't appear when you select a security artifact on the Roles tab, then you can click the View as Table icon. In the tabular view, you can:

  • Review the complete role hierarchy for a selected user or role. The table shows roles inherited both directly and indirectly.

  • Search for a security artifact by entering a search term in the column search field and pressing Enter.

  • Set the contents of the table as follows:

    • If Expand Toward is set to Privileges, then you can set Show to either Privileges or Roles.

    • If Expand Toward is set to Users, then you can set Show to either Roles or Users.

    The resulting contents of the table depend on the start point. For example, if you select a privilege, Expand Toward is set to Privileges, and Show is set to Roles, then the table is empty.

  • Export the displayed details to a Microsoft Excel spreadsheet.

The Graphical View

If the graphical view doesn't appear when you select a security artifact on the Roles tab, then you can click the Show Graph icon. In the graphical view, users, privileges, and the various types of roles are represented by nodes and differentiated by both color and labels. These values are defined in the Legend. You can:

  • Review roles inherited directly by the selected role or user. To see roles and privileges inherited indirectly, select a directly inherited role, right-click, and select either Expand or Expand All. Select Collapse or Collapse All to reverse the action. Alternatively, double-click a node to expand or collapse it.

  • Use the Set as Focus action to make any selected node the center of the visualization.

  • Use the Overview icon to manipulate the visualization. For example, clicking a node in the Overview moves the node to the center of the visualization. You can also use drag and drop.

  • Hover on a legend entry to highlight the corresponding nodes in the visualization. Click a legend entry to add or remove corresponding nodes in the visualization.

In the Control Panel, you can:

  • Switch the layout between radial and layered representations.

  • Click the Search icon and enter a search term to find a security artifact among currently displayed nodes.

  • Zoom in and out using either the Zoom in and Zoom out icons or the mouse wheel.

  • Magnify areas of the visualization by clicking the Magnify icon and dragging it to the area of interest. Click the icon again to switch it off.

  • Click the Zoom to Fit icon to center the image and fill the display area.

Review Role Hierarchies

On the Security Console you can review the role hierarchy of a job role, an abstract role, or a duty role. You must have the IT Security Manager job role to perform this task.

To review a role's hierarchy:

  1. On the Roles tab of the Security Console, ensure that Expand Toward is set to Privileges.

  2. Search for and select the role.

    Depending on the enterprise setting, either a table or a graphical representation of the role is displayed.

  3. If the table doesn't appear by default, click the View as Table icon.

    The table lists every role inherited either directly or indirectly by the selected role. To view the privileges inherited by the role, set the Show field to Privileges.

    Tip: Enter text in a column search field and press Enter to show only those roles or privileges that contain the specified text.

  4. Click Export to Excel to export the current table data to Microsoft Excel.

Simulate Navigator Menus

You can simulate the Navigator for both users and roles. This feature can help you to identify how access is provided to specific work areas and tasks. You can then use this information when creating roles, for example.

Simulate the Navigator for a Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for the role, which can be of any type.

  2. In the search results, select Simulate Navigator in the Actions menu for the role. The Simulate Navigator page opens. Icons may appear against Navigator entries. In particular:

    • The Lock icon indicates that the role can't access the entry.

    • The Warning icon indicates that the entry may not appear in the Navigator, for example because of configuration.

    Entries without either of these icons are available to the role.

Tip: To view just the entries that the role can access, set Show to Access granted.

View Roles That Grant Access to a Navigator Entry

For any entry in the Navigator, regardless of whether it's available to the role, you can identify the roles that grant access. Follow these steps:

  1. Click the entry.

  2. Select View Roles That Grant Access.

  3. In the Roles That Grant Access dialog box, review the list of roles. The roles can be of all types. After reviewing this list, you can decide how to enable this access, if appropriate. For example, you may decide to provision an abstract role to a user or add a duty to a custom role.

  4. Click OK to close the Roles That Grant Access dialog box.

View Privileges Required for Menu

For any entry in the Navigator, regardless of whether it's available to the role, you can identify the privileges that grant access to:

  • The Navigator entry

  • Tasks in the associated work area

Follow these steps:

  1. Click the entry.

  2. Select View Privileges Required for Menu.

  3. In the View Privileges for Work Area Access dialog box, review the list of privileges that grant access to:

    • The Navigator menu item.

    • Task panel entries in the associated work area. In the Access Granted column of this table, you can see whether the selected role can access these tasks.

    You can use this information when creating roles, for example. You can identify how to both add and remove access to specific tasks and work areas.

  4. Click OK to close the View Privileges for Work Area Access dialog box.

  5. Click Close to close the Simulate Navigator page.

Simulate the Navigator for a User

Search for the user on the Roles tab of the Security Console and select Simulate Navigator in the Actions menu for the user. Follow the instructions for simulating the Navigator for a role.

Review Role Assignments

You can use the Security Console to:

  • View the roles assigned to a user.

  • Identify users who have a specific role.

You must have the IT Security Manager job role to perform these tasks.

View the Roles Assigned to a User

Follow these steps:

  1. Open the Security Console.

  2. On the Roles tab, search for and select the user.

    Depending on the enterprise setting, either a table or a graphical representation of the user's role hierarchy appears. Switch to the graphical representation if necessary to see the user and any roles that the user inherits directly. User and role names appear on hover. To expand an inherited role:

    1. Select the role and right-click.

    2. Select Expand. Repeat these steps as required to move down the hierarchy.

Tip: Switch to the table to see the complete role hierarchy at once. You can export the details to Microsoft Excel from this view.

Identify Users Who Have a Specific Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for and select the role.

  2. Depending on the enterprise setting, either a table or a graphical representation of the role hierarchy appears. Switch to the graphical representation if it doesn't appear by default.

  3. Set Expand Toward to Users.

    Tip: Set the Expand Toward option to control the direction of the graph. You can move either up the hierarchy from the selected role (toward users) or down the hierarchy from the selected role (toward privileges).

    In the refreshed graph, user names appear on hover. Users may inherit roles either directly or indirectly from other roles. Expand a role to view its hierarchy.

  4. In the Legend, click the Tabular View icon for the User icon. The table lists all users who have the role. You can export this information to Microsoft Excel.
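The following is an added example, not Oracle's code: an offline model of the tabular view's Expand Toward and Show settings (described under The Tabular View) and of the reverse walk toward users used above to identify who holds a role. The hierarchy, user names, and role and privilege names are constructed; it also reproduces the empty-table case of selecting a privilege with Expand Toward set to Privileges and Show set to Roles.

```python
"""Offline model of a Security Console role hierarchy.

Edges point down the hierarchy, from users through roles to
privileges. expand() walks up or down from a start node, filters by
kind as the Show field does, and marks each hit as inherited directly
(one hop from the start node) or indirectly.
"""
from collections import deque

# Constructed sample hierarchy. Nodes are (kind, name) tuples; kinds are
# user, job, abstract, duty, and privilege.
EDGES = {
    ("user", "jsmith"): [("job", "Accounts Payable Manager"),
                         ("abstract", "Employee")],
    ("user", "mlee"): [("abstract", "Employee")],
    ("job", "Accounts Payable Manager"): [("duty", "Invoice Approval Duty"),
                                          ("duty", "Payables Inquiry Duty")],
    ("duty", "Invoice Approval Duty"): [("privilege", "Approve Payables Invoice"),
                                        ("duty", "Payables Inquiry Duty")],
    ("duty", "Payables Inquiry Duty"): [("privilege", "View Payables Invoice")],
    ("abstract", "Employee"): [("privilege", "View Own Payslip")],
}


def _reverse(edges):
    """Flip the edge direction so the walk goes up, toward users."""
    up = {}
    for src, dsts in edges.items():
        for dst in dsts:
            up.setdefault(dst, []).append(src)
    return up


def expand(start, toward, show, edges=EDGES):
    """Return {node: 'direct' | 'indirect'} for nodes reachable from start.

    toward: 'privileges' walks down the hierarchy, 'users' walks up.
    show:   'roles', 'privileges' or 'users' selects which kinds appear,
            like the Show field of the tabular view.
    A breadth-first walk visits each node at its shortest distance, so a
    role reachable both directly and through another role is 'direct'.
    """
    graph = edges if toward == "privileges" else _reverse(edges)
    wanted = {"roles": {"job", "abstract", "duty"},
              "privileges": {"privilege"},
              "users": {"user"}}[show]
    result, seen = {}, {start}
    queue = deque((nxt, 1) for nxt in graph.get(start, []))
    while queue:
        node, depth = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        if node[0] in wanted:
            result[node] = "direct" if depth == 1 else "indirect"
        for nxt in graph.get(node, []):
            queue.append((nxt, depth + 1))
    return result
```

Walking from a privilege with toward set to "privileges" returns nothing, which is the empty table the tabular view shows for that combination.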

Compare Roles

You can compare any two roles to see the structural differences between them. As you compare roles, you can also add function and data security policies existing in the first role to the second role, provided that the second role isn't a predefined role.

For example, assume you have copied a role and edited the copy. You then upgrade to a new release. You can compare your edited role from the earlier release with the role as shipped in the later release. You may then decide whether to incorporate upgrade changes into your edited role. If the changes consist of new function or data security policies, you can upgrade your edited role by adding the new policies to it.

Selecting Roles for Comparison

  1. Select the Roles tab in the Security Console.

  2. Do any of the following:

    • Click the Compare Roles button.

    • Create a visualization graph, right-click one of its roles, and select the Compare Roles option.

    • Generate a list of roles in the Search Results column of the Roles page. Select one of them, and click its menu icon. In the menu, select Compare Roles.

  3. Select roles for comparison:

    • If you began by clicking the Compare Roles button, select roles in both First Role and Second Role fields.

    • If you began by selecting a role in a visualization graph or the Search Results column, the First Role field displays the name of the role you selected. Select another role in the Second Role field.

    For either field, click the search icon, enter text, and select from a list of roles whose names contain that text.

Comparing Roles

  1. Select two roles for comparison.

  2. Use the Filter Criteria field to filter for any combination of these artifacts in the two roles:

    • Function security policies

    • Data security policies

    • Inherited roles

  3. Use the Show field to determine whether the comparison returns:

    • All artifacts existing in each role

    • Those that exist only in one role, or only in the other role

    • Those that exist in both roles

  4. Click the Compare button.

You can export the results of a comparison to a spreadsheet. Select the Export to Excel option.

After you create the initial comparison, you can change the filter and show options. When you do, a new comparison is generated automatically.

Adding Policies to a Role

  1. Select two roles for comparison.

    • As the First Role, select a role in which policies already exist.

    • As the Second Role, select the role to which you're adding the policies. This must be a custom role. You can't modify a predefined role.

  2. Ensure that your selection in the Filter Criteria field excludes the Inherited roles option. You may select Data security policies, Function security policies, or both.

  3. As a Show value, select Only in first role.

  4. Click the Compare button.

  5. Among the artifacts returned by the comparison, select those you want to copy.

  6. An Add to Second Role option becomes active. Select it.
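The following is an added example, not Oracle's code: an offline model of the Comparing Roles and Adding Policies to a Role procedures, including the upgrade scenario described above. The role contents, role names and policy names are constructed; the predefined role stands in for the role as shipped in a later release and the custom role for the edited copy from the earlier release.

```python
"""Offline model of Compare Roles and Add to Second Role.

Each role is a dict of the three artifact kinds offered by the Filter
Criteria field plus a flag saying whether the role is predefined.
"""
import copy

KINDS = ("function_policies", "data_policies", "inherited_roles")

# Constructed: the predefined role as shipped in the new release carries
# one function security policy the edited custom copy lacks.
ROLES = {
    "Accounts Payable Manager": {
        "function_policies": {"Manage Payables Invoices",
                              "Approve Payables Invoice",
                              "Review Supplier Site"},
        "data_policies": {"Manage Payables Invoice for Business Unit"},
        "inherited_roles": {"Payables Inquiry Duty", "Invoice Approval Duty"},
        "predefined": True,
    },
    "AP Manager Custom": {
        "function_policies": {"Manage Payables Invoices",
                              "Approve Payables Invoice"},
        "data_policies": {"Manage Payables Invoice for Business Unit"},
        "inherited_roles": {"Payables Inquiry Duty", "Invoice Approval Duty",
                            "Custom Reporting Duty"},
        "predefined": False,
    },
}


def compare(first, second, filter_criteria, show, roles=ROLES):
    """Return {kind: set of artifacts} for each kind in filter_criteria.

    show is 'all' (artifacts existing in either role), 'only_in_first',
    'only_in_second' or 'in_both', matching the Show field options.
    """
    unknown = set(filter_criteria) - set(KINDS)
    if unknown:
        raise ValueError(f"unknown filter criteria: {sorted(unknown)}")
    out = {}
    for kind in filter_criteria:
        a, b = roles[first][kind], roles[second][kind]
        out[kind] = {"all": a | b, "only_in_first": a - b,
                     "only_in_second": b - a, "in_both": a & b}[show]
    return out


def add_to_second_role(first, second, filter_criteria, selected, roles=ROLES):
    """Copy the selected policies from first into second.

    Enforces the procedure's preconditions: second must be a custom role,
    inherited roles are excluded from the filter, and only artifacts that
    the 'only in first role' comparison returned may be selected.
    Returns an updated copy of second; roles itself is not modified.
    """
    if roles[second]["predefined"]:
        raise PermissionError(f"{second} is predefined and can't be modified")
    if "inherited_roles" in filter_criteria:
        raise ValueError("exclude Inherited roles before adding policies")
    candidates = compare(first, second, filter_criteria, "only_in_first", roles)
    updated = copy.deepcopy(roles[second])
    for kind, names in selected.items():
        stray = set(names) - candidates.get(kind, set())
        if stray:
            raise ValueError(f"not 'only in first role' for {kind}: {stray}")
        updated[kind] |= set(names)
    return updated
```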

Analytics for Roles

You can review statistics about the roles that exist in your Oracle Cloud instance.

On the Analytics page, click the Roles tab. Then view these analyses:

  • Role Categories. Each role belongs to a category that defines some common purpose. Typically, a category contains a type of role configured for an application, for example, "Financials - Duty Roles."

    For each category, a Roles Category grid displays the number of:

    • Roles

    • Role memberships (roles belonging to other roles within the category)

    • Security policies created for those roles

    In addition, a Roles by Category pie chart compares the number of roles in each category with those in other categories.

  • Roles in Category. Click a category in the Role Categories grid to list roles belonging to that category. For each role, the Roles in Category grid also shows the number of:

    • Role memberships

    • Security policies

    • Users assigned to the role

  • Individual role statistics. Click the name of a role in the Roles in Category grid to list the security policies and users associated with the role. The page also presents collapsible diagrams of hierarchies to which the role belongs.

    Click Export to export data from this page to a spreadsheet.

Analytics for Database Resources

You can review information about data security policies that grant access to a database resource, or about roles and users granted access to that resource.

  1. On the Analytics page, click the Database Resources tab.

  2. Select the resource you want to review in the Database Resource field.

  3. Click Go.

    Results are presented in three tables.

Data Security Policies

The Data Security Policies table documents policies that grant access to the selected database resource.

Each row documents a policy, specifying by default:

  • The data privileges it grants.

  • The condition that defines how data is selected from the database resource.

  • The policy name and description.

  • A role that includes the policy.

For any given policy, this table may include multiple rows, one for each role in which the policy is used.

Authorized Roles

The Authorized Roles table documents roles with direct or indirect access to the selected database resource. Any given role may do either or both of the following:

  • Include one or more data security policies that grant access to the database resource. The Authorized Roles table includes one row for each policy belonging to the role.

  • Inherit access to the database resource from one or more roles in its hierarchy. The Authorized Roles table includes one row for each inheritance.

By default, each row specifies the following:

  • The name of the role it documents.

  • The name of a subordinate role from which access is inherited, if any. (If the row documents access provided by a data security policy assigned directly to the subject role, this cell is blank.)

  • The data privileges granted to the role.

  • The condition that defines how data is selected from the database resource.

Note: A role's data security policies and hierarchy may grant access to any number of database resources. However, the Authorized Roles table displays records only of access to the database resource you selected.

Authorized Users

The Authorized Users table documents users who are assigned roles with access to the selected database resource.

By default, each row specifies a user name, a role the user is assigned, the data privileges granted to the user, and the condition that defines how data is selected from the database resource. For any given user, this table may include multiple rows, one for each grant of access by a data security policy belonging to, or inherited by, a role assigned to the user.

Manipulating the Results

In any of these three tables, you can perform the following actions:

  • Add or remove columns. Select View - Columns.

  • Search among the results. Select View - Query by Example to add a search field on each column in a table.

  • Export results to a spreadsheet. Select the Export to Excel option available for each table.

View Role Information Using Security Dashboard

As an IT Security Manager, you can use the Security Dashboard to get a snapshot of the security roles and how those roles are provisioned in the Oracle Cloud Applications. The information is sorted by role category and you can view details such as data security policy, function security policy, and users associated with a role. You can also perform a reverse search on a data security policy or a function security policy and view the associated roles.

You can search for roles using the Role Overview page. This page shows the number of roles (including inherited roles), data security policies, and function security policies. Clicking the number in a tile on this page takes you to the corresponding page in the Role Dashboard. You can view role details either on the Role Overview page of the Security Dashboard or on the Role Dashboard.

You can view role information such as the directly assigned function security policies and data security policies, roles assigned to users, directly assigned roles, and inherited roles list using the Role Dashboard. Clicking any role-related link on a page of the Security Dashboard takes you to the relevant page in the Role Dashboard. You can export the role information to a spreadsheet. The information on each tab is exported to a sheet in the spreadsheet. This dashboard supports a print-friendly view for a single role.

Here are the steps to view the Security Dashboard:

  1. In the Reports and Analytics work area, click Browse Catalog.

  2. On the Oracle BI page, open Shared Folders > Security > Transaction Analysis Samples > Security Dashboard.

    All pages of the dashboard are listed.

  3. To view the Role Category Overview page, click Open.

    The page displays the number of roles in each role category in both tabular and graphical formats.

  4. In the Number of Roles column, click the numeral value to view the role-related details.

  5. Click View Role to view the role-specific information in the Role Dashboard.