5 Set Up Applications Security

Overview of Applications Security Setup Tasks

If you're assigned the IT Security Manager job role, then during implementation you can prepare the application security environment by performing the tasks described in this chapter. These are some of the security setup tasks:

  • Manage Applications Security Preferences

    This task opens the Administration tab of the Security Console. Select the appropriate tab of the Security Console to set enterprise-wide preferences that affect users, roles, and notifications to application users.

  • Import Users and Roles into Application Security

    This task runs a process that initializes and maintains the Oracle Fusion Applications Security tables.

  • Import User Login History

    This task runs a process that imports the history of user access to Oracle Fusion Applications.

  • Run User and Roles Synchronization Process

    This task runs a process that copies data from the LDAP directory to Oracle Fusion Applications Security tables.

In the Setup and Maintenance work area, security setup tasks are located in the Users and Security functional area of the Sales offering.

Import Users and Roles into Applications Security

To implement security, you use the Security Console. But before you can use the Security Console, you must initialize the Oracle Fusion Applications Security tables with existing user and role information. To initialize these tables, you perform the Import Users and Roles into Application Security task described here.

Run the Import User and Role Application Security Data Process

Sign in as a setup user and follow these steps:

  1. In the Setup and Maintenance work area, go to the following:

    • Offering: Sales

    • Functional Area: Users and Security

    • Task: Import Users and Roles into Application Security

  2. On the Import Users and Roles into Application Security page, click Submit.

This action starts the Import User and Role Application Security Data process. Once the process completes, you can use the Security Console.

Note: Oracle recommends that you schedule this process to run daily.

Synchronize User and Role Information

Run the Retrieve Latest LDAP Changes process once during implementation to initialize the Oracle Fusion Applications tables.

User accounts for Oracle Fusion Applications users are maintained in your Lightweight Directory Access Protocol (LDAP) directory. The LDAP directory also stores information about the roles provisioned to users. During implementation, any existing information about users and their roles must be copied from the LDAP directory to the Oracle Fusion Applications tables. After that, the data is synchronized automatically. To copy this user and role information, use the task Run User and Roles Synchronization Process. This task calls the Retrieve Latest LDAP Changes process.

Run the Retrieve Latest LDAP Changes Process

  1. In the Setup and Maintenance work area, go to the following:

    • Offering: Sales

    • Functional Area: Users and Security

    • Task: Run User and Roles Synchronization Process

  2. On the process submission page for the Retrieve Latest LDAP Changes process, click Submit.

  3. Click OK to close the confirmation message.

Application Security Preferences

There are a number of options on the Security Console that you can use to control the default behavior of functionality such as working with roles or certificates. Some of these options can be overridden, but it's a good idea to set these options during implementation, before you start to create application users or configure your security environment.

To configure the security preferences, the initial user, or a setup user with the IT Security Manager job role, performs the task Manage Applications Security Preferences. This task opens the Administration tab of the Security Console from where you can set these default values and preferences:

  • On the General subtab of the Security Console Administration tab, you can set these values:

    • Specify for how long certificates remain valid by default.

      Note: The sales and service applications don't use certificate functionality.
    • Specify how often a warning appears to remind Security Console users to import latest user and role information.

  • On the Roles subtab of the Security Console Administration tab, you can set these values:

    • Specify default prefix and suffix values for copied roles.

    • Specify a limit to the number of nodes that can appear in graphical representations of roles on the Roles tab of the Security Console.

    • Specify whether hierarchies on the Roles tab appear in graphical or tabular format by default.

  • On the User Categories tab of the Security Console, you can set these values:

    • Create user categories and add users to a category.

    • Specify the default format of user names for the user category.

    • Manage the password policy for a user category.

    • Manage the notification of user and password events to users in a selected user category.

    • Create notification templates for a user category.

You can also configure security preferences by navigating directly to the Security Console (Navigator > Tools > Security Console). For detailed information about configuring default functionality for user names, roles, notifications, and passwords, see the topics in the remainder of this chapter.

Options on the Security Console also allow you to implement location-based access, to configure a bridge between Oracle Applications Cloud and Microsoft Active Directory, and to set up single sign-on authentication. For information on these configuration tasks, see the relevant chapters in the guide.

Set the Default User-Name Format

During implementation, you specify the default format of user names for users in the default user category. The default format you select is used to automatically generate a user name for a user if you don't explicitly specify the user name when you create the user. This topic describes how to specify the default format of user names and the formats that are available.

Specify the Format of User Names

  1. In the Setup and Maintenance work area, go to the following:

    • Offering: Sales

    • Functional Area: Users and Security

    • Task: Manage Applications Security Preferences

    The Administration page of the Security Console opens.

    Tip: You can navigate directly to the Security Console at any time by clicking Security Console from the Navigator.
  2. Click the User Categories tab, then click the name of the default user category to open it.

  3. Click Edit on the Details subtab.

  4. In the User Name Generation Rule field, select one of the available user-name formats.

    This table describes the available user name formats.

    | Format Name | Description |
    | --- | --- |
    | Email | The work email (or party email, for party users) is the user name. For example, the user name for john.smith@example.com is john.smith@example.com. To make duplicate names unique, a number is added. For example, john.smith2@example.com may be used if john.smith@example.com and john.smith1@example.com already exist. Email is the default format. |
    | FirstName.LastName | The user name is the user's first and last names separated by a single period. For example, the user name for John Frank Smith is john.smith. To make duplicate names unique, either the user's middle name or a random character is used. For example, John Smith's user name could be john.frank.smith or john.x.smith. |
    | FLastName | The user name is the user's last name prefixed with the initial of the user's first name. For example, the user name for John Smith is jsmith. |
    | Person or party number | The person or party number generated by the application is the user name. For example, if John Smith's party number is 100000000178803, then the user name is 100000000178803. Because user names generated from party or person numbers can be difficult to remember, you might prefer not to select this option. |

  5. Enable or disable the option Generate system user name when generation rule fails. This option controls whether a system user name is generated if the user name rule fails. For example, a user name rule will fail if the default user name format is party number or email but these values aren't available when the user is created.

    • If the option is enabled, a system user name is generated by applying these options in the following order until a unique user name is defined:

      1. Email

      2. FirstName.LastName

      3. If only the last name is available, then a random character is prefixed to the last name.

    • If the option is disabled, then an error is raised if the user name can't be generated in the selected format.

  6. Click Save and Close. Any changes take effect immediately.
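The following Python sketch is an added example, not Oracle code. It models the generation rules and the system fallback order exactly as this topic describes them, so you can see which user name results when attributes are missing or names collide. The dictionary keys, the function names, lowercasing of names, and the treatment of an FLastName collision as a rule failure are assumptions made for the example.

```python
import random
import string


class RuleFailed(Exception):
    """No user name could be generated and the system fallback is off or exhausted."""


def _email(person, taken, rng):
    # Email rule: the email is the user name; a number is added to make it unique.
    email = (person.get("email") or "").lower()
    if "@" not in email:
        return None
    if email not in taken:
        return email
    local, domain = email.split("@", 1)
    n = 1
    while f"{local}{n}@{domain}" in taken:
        n += 1
    return f"{local}{n}@{domain}"


def _first_last(person, taken, rng):
    # FirstName.LastName rule: on a duplicate, try the middle name, then a random character.
    first, last = person.get("first"), person.get("last")
    if not (first and last):
        return None
    candidates = [f"{first}.{last}"]
    if person.get("middle"):
        candidates.append(f"{first}.{person['middle']}.{last}")
    letters = list(string.ascii_lowercase)
    rng.shuffle(letters)
    candidates += [f"{first}.{c}.{last}" for c in letters]
    return next((c.lower() for c in candidates if c.lower() not in taken), None)


def _flast(person, taken, rng):
    # FLastName rule: first initial + last name.
    first, last = person.get("first"), person.get("last")
    if not (first and last):
        return None
    name = (first[0] + last).lower()
    # Assumption: the topic documents no de-duplication for this format,
    # so a collision is modelled as a rule failure.
    return name if name not in taken else None


def _number(person, taken, rng):
    # Person or party number rule: fails when no number is available yet.
    number = person.get("number")
    return str(number) if number and str(number) not in taken else None


def _last_only(person, taken, rng):
    # Final fallback step: a random character prefixed to the last name.
    last = (person.get("last") or "").lower()
    if not last:
        return None
    letters = list(string.ascii_lowercase)
    rng.shuffle(letters)
    return next((c + last for c in letters if c + last not in taken), None)


RULES = {
    "Email": _email,
    "FirstName.LastName": _first_last,
    "FLastName": _flast,
    "Person or party number": _number,
}
# Order applied when "Generate system user name when generation rule fails" is enabled.
FALLBACK_ORDER = (_email, _first_last, _last_only)


def generate_user_name(person, rule, taken, system_fallback=True, rng=None):
    """Return a user name for `person` under `rule`, avoiding names in `taken`."""
    rng = rng or random.Random()
    name = RULES[rule](person, taken, rng)
    if name:
        return name
    if system_fallback:
        for step in FALLBACK_ORDER:
            name = step(person, taken, rng)
            if name:
                return name
    raise RuleFailed(f"cannot generate a user name with rule {rule!r}")


if __name__ == "__main__":
    # Constructed sample person and existing user names.
    john = {"first": "John", "middle": "Frank", "last": "Smith",
            "email": "john.smith@example.com", "number": None}
    existing = {"john.smith@example.com", "john.smith1@example.com", "john.smith"}
    for rule in RULES:
        print(rule, "->", generate_user_name(john, rule, existing))
```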

Edit User Names

When creating users on the Create User page, you can enter user names in any format to override the default user names. You can also edit user names for individual users on the Edit User page.

Password Policy

During implementation, you set the password policy for the default user category. This topic describes the available options. To set the password policy, you perform the Manage Applications Security Preferences task, which opens the Administration page of the Security Console. Click the User Categories tab and click the name of the default category to open it. Click Edit on the Password Policy subtab to edit the policy. You can change the password policy for any user category at any time.

Password Policy Options

This table describes the available options for setting password policy.

| Password-Policy Option | Description | Default Value |
| --- | --- | --- |
| Days Before Password Expiration | Specifies the number of days for which a password remains valid. After this period, users must reset their passwords. By default, users whose passwords expire must follow the Forgot Password process. | 90 |
| Days Before Password Expiry Warning | Specifies when a user is notified that a password is about to expire. By default, users are prompted to sign in and change their passwords. This value must be equal to or less than the value of the Days Before Password Expiration option. | 80 (Note: This value is 10 for new installations from Update 18B.) |
| Hours Before Password Reset Token Expiration | When users request a password reset, they're sent a password-reset link. This option specifies how long a reset-password link remains active. If the link expires before the password is reset, then reset must be requested again. You can enter any value between 1 and 9999. | 4 |
| Password Complexity | Specifies whether passwords must be simple, complex, or very complex. Password validation rules identify passwords that fail the selected complexity test. | Simple |
| Disallow last password | Select to ensure that the new password is different from the last password. If the user requests password reset by selecting Settings and Actions > Set Preferences > Password, then this option determines whether the last password can be reused. However, when a user's password expires, the user can reuse the last password. This option doesn't affect password reuse after expiry. | No |
| Administrator can manually reset password | Passwords can be either generated automatically or reset manually by the IT Security Manager. Select this option to allow user passwords to be reset manually. All passwords, whether reset manually or generated automatically, must satisfy the current complexity rule. | Yes |

Note: Users are notified of password events only if appropriate notification templates are enabled for their user categories. The predefined notification templates for these events are Password Expiry Warning Template, Password Expiration Template, and Password Reset Template.

Password Expiry Report

The Password Expiry Report sends the password-expiration-warning and password-expired notifications. You must schedule the Password Expiry Report to run daily. To schedule the report:

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. In the Schedule Process dialog box, search for and select the Password Expiry Report process.

  3. Click OK.

  4. In the Process Details dialog box, click Advanced.

  5. On the Schedule tab, set Run to Using a schedule.

  6. Select a Frequency value. For example, select Daily.

  7. Select a start date and time.

  8. Click Submit.

Role Preferences

Select default role preferences for the enterprise during implementation. To set role preferences, you perform the Manage Applications Security Preferences task, which opens the General subtab of the Security Console Administration tab. From there, click the Roles subtab to display the Role Preferences page. You can also set role preferences at any time on the Security Console. This topic describes the role preferences and their effects.

Copied-Role Names

It's best practice when creating roles to copy predefined roles and edit the copied versions of the roles. When you copy a predefined role:

  • The ORA_ prefix, which identifies predefined roles, is removed automatically from the role code of the copied role.

  • The enterprise prefix and suffix values are added automatically to the role name and code of the copied role.

You specify enterprise prefix and suffix values on the Role Preferences page. These are the default values:

  • Prefix values are blank.

  • The role-name suffix is Custom.

  • The role-code suffix is _CUSTOM.

For example, if you copy the Channel Account Manager job role (ORA_ZPM_CHANNEL_ACCOUNT_MANAGER_JOB), then the default name and code of the copied role are:

  • Channel Account Manager Custom

  • ZPM_CHANNEL_ACCOUNT_MANAGER_JOB_CUSTOM

You can supply prefix values and change the suffix values on the Role Preferences page as required. If you change these values, click Save and the changes take effect immediately.

Graph Nodes and Default Views

On the Roles tab of the Security Console, you can display role hierarchies. By default, these hierarchies appear in tabular format. If you want to display role hierarchies in graphical format by default instead, deselect the Enable default table view option on the Role Preferences page.

When role hierarchies appear on the Roles tab, the number of nodes can be very high. You can limit the number of nodes by setting the Graph Node Limit option on the Role Preferences page. When you display a role hierarchy with more nodes than the specified limit, gray arrows indicate additional nodes. You can set such a node as the focus node to see the rest of its hierarchy.

Overview of User Categories

You can categorize and segregate users based on the various functional and operational requirements. A user category provides you with an option to group a set of users such that the specified settings apply to everyone in that group. Typical scenarios in which you may want to group users are:

  • Users belong to different organizations within an enterprise and each organization follows a different user management policy.

  • Practices related to resetting passwords aren't uniform across users.

  • Users have different preferences in receiving automated notifications for various tasks they perform in the application.

On the Security Console page, click the User Category tab. You can perform the following tasks:

  • Segregate users into categories

  • Specify Next URL

  • Set user preferences

  • Define password policy

  • Enable notifications

Segregate Users into Categories

Create user categories and add existing users to them. All existing users are automatically assigned to the Default user category unless otherwise specified. You can create more categories depending upon your requirement and assign users to those categories.

Note: You can assign a user to only one category.

Specify Next URL

Specify a URL to redirect your users to a website or an application instead of going back to the Sign In page, whenever they reset their password. For example, a user places a password reset request and receives an email for resetting the password. After the new password is authenticated, the user can be directed to a website or application. If nothing is specified, the user is directed to the Oracle Applications Cloud Sign In page. You can specify only one URL per user category.

Set User Preferences

Select the default format of the User Name, the value that identifies a user when signed in. It is generated automatically in the format you select. For additional information, see the topic Setting the Default User Name Format.

Define Password Policy

Determine the password policy for a user category. For example, specify the number of days a password remains valid or select a password format. For additional information, see the topic Setting Password Policy.

Enable Notifications

Notifications are enabled by default, but you can disable them if required. You can also enable or disable notifications separately for each user category. If users belonging to a specific category don't want to receive any notification, you can disable notifications for all life cycle events. Alternatively, if users want to receive notifications only for some events, you can selectively enable the functionality for those events.

Notifications are sent for a set of predefined events. To trigger a notification, you must create a notification template and map it to the required event. Depending on the requirement, you can add or delete a template that's mapped to a particular event. For additional information, see the topic Managing User-Name and Password Notifications.

Note: You can't edit or delete predefined notification templates that begin with the prefix ORA. You can only enable or disable them. However, you can update or delete the user-defined templates.

The User Category feature supports both the SCIM protocol and HCM Data Loader for performing bulk updates.

Using the Security Console, you can add existing users to an existing user category or create a new category and add them. When you create new users, they're automatically assigned to the default category. At a later point, you can edit the user account and update the user category. You can assign a user to only one category.

Note: If you're creating new users using Security Console, you can also assign a user category at the time of creation.

You can add users to a user category in three different ways:

  • Create a user category and add users to it

  • Add users to an existing user category

  • Specify the user category for an existing user

Note: You can create and delete a user category only using the Security Console. Once the required user categories are available in the application, you can use them in SCIM REST APIs and data loaders. You can't rename a user category.

Adding Users to a New User Category

To create a user category and add users:

  1. On the Security Console, click User Categories > Create.

  2. Click Edit, specify the user category details, and click Save and Close.

  3. Click the Users tab and click Edit.

  4. On the Users Category: Users page, click Add.

  5. In the Add Users dialog box, search for and select the user, and click Add.

  6. Repeat adding users until you have added the required users and click Done.

  7. Click Done on each page until you return to the User Categories page.

Adding Users to an Existing User Category

To add users to an existing user category:

  1. On the Security Console, click User Categories and click an existing user category to open it.

  2. Click the Users tab and click Edit.

  3. On the Users Category: Users page, click Add.

  4. In the Add Users dialog box, search for and select the user, and click Add.

  5. Repeat adding users until you have added the required users and click Done.

  6. Click Done on each page until you return to the User Categories page.

Specifying the User Category for an Existing User

To add an existing user to a user category:

  1. On the Security Console, click Users.

  2. Search for and select the user for whom you want to specify the user category.

  3. On the User Account Details page, click Edit.

  4. In the User Information section, select the User Category. The Default user category remains set for a user until you change it.

  5. Click Save and Close.

  6. On the User Account Details page, click Done.

You can delete user categories if you don't require them. However, you must ensure that no user is associated with that user category. Otherwise, you can't proceed with the delete task. On the User Categories page, click the X icon in the row to delete the user category.

User-Name and Password Notifications

Users in all user categories are notified automatically of changes to their user accounts and passwords by default. These notifications are based on notification templates. During implementation, identify the notifications that you plan to use for each user category and disable any that aren't needed. Many templates are predefined, but you can also create templates for a user category. This topic introduces the predefined notification templates and explains how to enable and disable notifications.

Predefined Notification Templates

This table describes the predefined notification templates. Each template is associated with a predefined event. For example, the Password Reset Template is associated with the password-reset event. You can see these notification templates and their associated events on the User Category: Notifications page of the Security Console for a user category.

| Notification Template | Description |
| --- | --- |
| Password Expiry Warning Template | Warns the user that a password is expiring soon and provides instructions for resetting the password. |
| Password Expiration Template | Notifies the user that a password has expired and provides instructions for resetting the password. |
| Forgot User Name Template | Sends the user name to a user who requested the reminder. |
| Password Generated Template | Notifies the user that a password has been generated automatically and provides instructions for resetting the password. |
| Password Reset Template | Sends a reset-password link to a user who requested a new password. Users can request new passwords by selecting the Forgot Password link on the application Sign In page, or by selecting the Password option on the Preferences page (Settings and Actions > Set Preferences). |
| Password Reset Confirmation Template | Notifies the user when a password has been reset. |
| New Account Template | Notifies a user when a user account is created and provides a reset-password link. |
| New Account Manager Template | Notifies the user's manager when a user account is created. |

When you create a user category, it's associated automatically with the predefined notification templates, which are all enabled.

You can't edit the predefined templates but you can create new templates and disable the predefined versions. Each predefined event can be associated with only one enabled notification template at a time.

Note: If you're using the sales application with Oracle HCM Cloud, additional notification templates are available which you can use to redirect user name and password notifications to a user's manager if the user doesn't have a work email. For additional information, see the Oracle Human Capital Management Cloud Securing HCM guide.

Enable and Disable Notifications

For any notification to be sent to the users in a user category, notifications in general must be enabled for the user category. Ensure that the Enable notifications option on the User Category: Notifications page is selected. When notifications are enabled, you can disable specific templates. For example, if you disable the New Account Template, then users in the relevant user category aren't notified when their accounts are created. Other notifications continue to be sent.

To disable a template:

  1. On the User Category: Notifications page, click Edit.

  2. Click the template name.

  3. In the template dialog box, deselect the Enabled option.

  4. Click Save and Close.

Create a Notification Template

Predefined notification templates exist for events related to the user-account life cycle, such as user-account creation and password reset. When templates are enabled, users are notified automatically of events that affect them. To provide your own notifications, you create notification templates. This topic explains how to create a notification template for a user category.

Follow these steps:

  1. Open the Security Console and click the User Categories tab.

  2. On the User Categories page, click the name of the relevant user category.

  3. On the User Categories: Details page, click the Notifications subtab.

  4. On the User Category: Notifications page, click Edit.

  5. Click Add Template.

  6. In the Add Notification Template dialog box:

    1. Enter the template name.

    2. In the Event field, select a value. The predefined content for the selected event appears automatically in the Message Subject and Message Text fields. Tokens in the message text are replaced automatically in generated notifications with values specific to the user.

    3. Update the Message Subject field, as required. The text that you enter here appears in the subject line of the notification email.

    4. Update the message text, as required.

      This table shows the tokens supported in the message text.

      | Token | Meaning | Events |
      | --- | --- | --- |
      | userLoginId | User name | Forgot user name; Password expired; Password reset confirmation |
      | firstName | User's first name | All events |
      | lastName | User's last name | All events |
      | managerFirstName | Manager's first name | New account created - manager; Password reset confirmation - manager; Password reset - manager |
      | managerLastName | Manager's last name | New account created - manager; Password reset confirmation - manager; Password reset - manager |
      | loginURL | URL where the user can sign in | Expiring external IDP signing certificate; Password expired; Password expiry warning |
      | resetURL | URL where the user can reset his or her password | New account created - manager; New user created; Password generated; Password reset; Password reset - manager |
      | CRLFX | New line | All events |
      | SP4 | Four spaces | All events |
      | adminActivityUrl | URL where an administrator initiates an administration activity | Administration activity requested |
      | providerName | External identity provider | Expiring external IDP signing certificate |
      | signingCertDN | Signing certificate | Expiring external IDP signing certificate |
      | signingCertExpiration | Signing certificate expiration date | Expiring external IDP signing certificate; Expiring service provider signing certificate |
      | encryptionCertExpiration | Encryption certificate expiration date | Expiring service provider encryption certificate |
      | adminFirstName | Administrator's first name | Administration activity location based access disabled confirmation; Administration activity single sign-on disabled confirmation |
      | adminLastName | Administrator's last name | Administration activity location based access disabled confirmation; Administration activity single sign-on disabled confirmation |

    5. To enable the template, select the Enabled option.

    6. Click Save and Close.

  7. Click Save on the User Category: Notifications page.

Note: When you enable an added template for a predefined event, the predefined template for the same event is automatically disabled.
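Before you enable a custom template, you can check its message text against the token table in this topic. The Python check below is an added example, not part of the product. It reports tokens that aren't in the table and tokens that the table doesn't list for the selected event. The `${...}` token delimiter and the function and variable names are assumptions; the token and event names are copied from the table.

```python
import re

ALL = "*"  # marker for tokens the table lists as "All events"
MANAGER = {"New account created - manager",
           "Password reset confirmation - manager",
           "Password reset - manager"}
ADMIN_CONFIRM = {"Administration activity location based access disabled confirmation",
                 "Administration activity single sign-on disabled confirmation"}
EXT_IDP = "Expiring external IDP signing certificate"

# Token -> events for which the token is supported (from the table in this topic).
TOKEN_EVENTS = {
    "userLoginId": {"Forgot user name", "Password expired", "Password reset confirmation"},
    "firstName": ALL,
    "lastName": ALL,
    "managerFirstName": MANAGER,
    "managerLastName": MANAGER,
    "loginURL": {EXT_IDP, "Password expired", "Password expiry warning"},
    "resetURL": {"New account created - manager", "New user created",
                 "Password generated", "Password reset", "Password reset - manager"},
    "CRLFX": ALL,
    "SP4": ALL,
    "adminActivityUrl": {"Administration activity requested"},
    "providerName": {EXT_IDP},
    "signingCertDN": {EXT_IDP},
    "signingCertExpiration": {EXT_IDP, "Expiring service provider signing certificate"},
    "encryptionCertExpiration": {"Expiring service provider encryption certificate"},
    "adminFirstName": ADMIN_CONFIRM,
    "adminLastName": ADMIN_CONFIRM,
}
KNOWN_EVENTS = set().union(*(e for e in TOKEN_EVENTS.values() if e != ALL))

# Assumption: tokens are written as ${tokenName} in the message text.
TOKEN_RE = re.compile(r"\$\{\s*([A-Za-z0-9_]+)\s*\}")


def lint_template(event, message_text):
    """Return (token, problem, hint) tuples in order of first appearance.

    problem is "unknown" (token not in the table) or "unsupported"
    (token exists but the table doesn't list it for this event).
    """
    if event not in KNOWN_EVENTS:
        raise ValueError(f"event not in the token table: {event!r}")
    by_lower = {name.lower(): name for name in TOKEN_EVENTS}
    findings, seen = [], set()
    for match in TOKEN_RE.finditer(message_text):
        token = match.group(1)
        if token in seen:
            continue
        seen.add(token)
        if token not in TOKEN_EVENTS:
            # Token names are case-sensitive here; suggest the table's spelling if close.
            findings.append((token, "unknown", by_lower.get(token.lower())))
        elif TOKEN_EVENTS[token] != ALL and event not in TOKEN_EVENTS[token]:
            findings.append((token, "unsupported", None))
    return findings


if __name__ == "__main__":
    # Constructed sample template text for the "Password reset confirmation" event.
    sample = ("Dear ${firstName} ${lastName},${CRLFX}"
              "The password for ${userLoginId} was reset.${CRLFX}"
              "Sign in at ${loginURL}. If this wasn't you, use ${resetUrl}.")
    for token, problem, hint in lint_template("Password reset confirmation", sample):
        print(token, problem, f"(did you mean {hint}?)" if hint else "")
```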

Schedule the Import User and Role Application Security Data Process

You must run the Import User and Role Application Security Data process to set up and maintain the Security Console. During implementation, you perform the Import Users and Roles into Application Security task to run this process. It copies users, roles, privileges, and data security policies from the LDAP directory, policy store, and Applications Core Grants schema to Oracle Fusion Applications Security tables. Having this information in the Oracle Fusion Applications Security tables makes the assisted search feature of the Security Console fast and reliable. After the process runs to completion for the first time, you're recommended to schedule Import User and Role Application Security Data to run daily. This topic describes how to schedule the process.

Note: Whenever you run the process, it copies only those changes that were made since it last ran.

Schedule the Process

Follow these steps to schedule the Import User and Role Application Security Data process:

  1. Open the Scheduled Processes work area.

  2. In the Search Results section of the Overview page, click Schedule New Process.

  3. In the Schedule New Process dialog box, search for and select the Import User and Role Application Security Data process.

  4. Click OK.

  5. In the Process Details dialog box, click Advanced.

  6. On the Schedule tab, set Run to Using a schedule.

  7. Set Frequency to Daily and Every to 1.

  8. Enter start and end dates and times. The start time should be after any daily run of the Send Pending LDAP Requests process completes.

  9. Click Submit.

  10. Click OK to close the confirmation message.

Review Synchronization Process Preferences

On the General subtab of the Security Console Administration tab, you can set the Synchronization Process Preferences option. This option controls how frequently you're reminded to run the Import User and Role Application Security Data process. By default, the warning appears if the process hasn't run successfully in the last 6 hours. If you schedule the process to run daily, then you may want to increase this option to a value greater than 24.

Schedule the Import User Login History Process

During implementation, you perform the Import User Login History task in the Setup and Maintenance work area. This task runs a process that imports information about user access to Oracle Fusion Applications to the Oracle Fusion Applications Security tables. This information is required by the Inactive Users Report, which reports on users who have been inactive for a specified period. After you perform Import User Login History for the first time, you're recommended to schedule it to run daily. In this way, you can ensure that the Inactive Users Report is up to date.

Schedule the Process

Follow these steps:

  1. Open the Scheduled Processes work area.

  2. In the Search Results section of the Overview page, click Schedule New Process.

  3. In the Schedule New Process dialog box, search for and select the Import User Login History process.

  4. Click OK.

  5. In the Process Details dialog box, click Advanced.

  6. On the Schedule tab, set Run to Using a schedule.

  7. Set Frequency to Daily and Every to 1.

  8. Enter start and end dates and times.

  9. Click Submit.

  10. Click OK to close the Confirmation message.

Why You Run the Send Pending LDAP Requests Process

It's best practice to run the Send Pending LDAP Requests process daily to send future-dated and bulk requests to your LDAP directory server. Schedule the process in the Scheduled Processes work area. This topic describes the purpose of Send Pending LDAP Requests.

Send Pending LDAP Requests sends the following items to the LDAP directory:

  • Requests to create, suspend, and reactivate user accounts.

    • When you create a person record for a worker, a user-account request is generated automatically.

    • When a person has no roles and no current work relationships, a request to suspend the user account is generated automatically.

    • A request to reactivate a suspended user account is generated automatically if you rehire a terminated worker.

    The process sends these requests to the LDAP directory unless the automatic creation and management of user accounts are disabled for the enterprise.

  • Work e-mails.

    If you include work e-mails when you create person records, then the process sends those e-mails to the LDAP directory.

  • Role provisioning and deprovisioning requests.

    The process sends these requests to the LDAP directory unless automatic role provisioning is disabled for the enterprise.

  • Changes to person attributes for individual users.

    The process sends this information to the LDAP directory unless the automatic management of user accounts is disabled for the enterprise.

Note: All of these items are sent to the LDAP directory automatically unless they're either future-dated or generated by bulk data upload. You run the process Send Pending LDAP Requests to send future-dated and bulk requests to the LDAP directory.

Only one instance of Send Pending LDAP Requests can run at a time.

Schedule the Send Pending LDAP Requests Process

The Send Pending LDAP Requests process sends bulk requests and future-dated requests that are now active to your LDAP directory. It's recommended that you schedule the Send Pending LDAP Requests process to run daily. This procedure explains how to schedule the process.

Note: Schedule the process only when your implementation is complete. After you schedule the process you can't run it on an as-needed basis, which may be necessary during implementation.

Schedule the Send Pending LDAP Requests Process

Follow these steps:

  1. Open the Scheduled Processes work area.

  2. Click Schedule New Process in the Search Results section of the Overview page.

  3. In the Schedule New Process dialog box, search for and select the Send Pending LDAP Requests process.

  4. In the Process Details dialog box, set User Type to identify the types of users to be processed. Values are Person, Party, and All. It's recommended that you leave User Type set to All.

  5. The Batch Size field specifies the number of requests in a single batch. For example, if 400 requests exist and you set Batch Size to 25, then the process creates 16 batches of requests to process in parallel.

    The value A, which means that the batch size is calculated automatically, is recommended.

  6. Click Advanced.

  7. On the Schedule tab, set Run to Using a schedule.

  8. In the Frequency field, select Daily.

  9. Enter the start and end dates and times.

  10. Click Submit.

Give Users the Permission to View All Scheduled Processes

Your application setup requires you to run numerous scheduled processes and ensure they complete successfully. By default, users can only see the scheduled processes they themselves submit. By creating a custom role in the Security Console and assigning all of the setup users to it, you ensure that everyone can see what processes are running and their status, no matter who submitted them.

  1. Open the Security Console.

  2. Click the Roles tab.

  3. On the Roles tab, click Create Role.

    The Create Role page displays a series of steps you can click directly or reach using the Next button.

    Screenshot: the Create Role: Basic Information page for the Monitor ESS Processes role. The Basic Information page is the first of a series of steps in the train to create the role.

  4. In the Create Role: Basic Information step, make the following entries:

    | Field | Suggested Entry |
    |---|---|
    | Role Name | Monitor ESS Processes |
    | Role Code | MonitorESSProcesses |
    | Role Category | Common - Abstract Roles |

  5. Click the Role Hierarchy step.

    Screenshot: Create Role: Role Hierarchy step, with callouts highlighting the Add Role button and the Role Hierarchy step.

  6. Click Add Role.

  7. In the Add Role Membership window, search for ESS Monitor Role and click Add Role Membership.

    Screenshot: Add Role Membership window.

  8. Click Cancel to close the Add Role Membership window.

  9. Click the Users step.

  10. Click Add User and add all of the setup users by searching for each by name and clicking Add User to Role.

  11. Click Cancel when you are done.

    The Users step should list all of the users you added.

  12. Click Next to get to the Summary and Impact Report step.

  13. Click Save and Close.

    The users you added to the role can now monitor all of the scheduled processes in the Scheduled Processes work area.