Guidelines for Copying Roles

Copying predefined roles and editing the copies is the recommended approach to creating roles. This topic describes some of the issues to consider when copying a role on the Security Console.

Note: You can copy the predefined roles but can't edit them. Predefined roles have role codes with the prefix ORA_.

Role-Copy Options

When you copy a role on the Security Console, you have the option of copying the top role only (shallow copy), or of copying the top role and its inherited roles (deep copy). The result of selecting each of these copy options is described in this section.

  • Copying the Top Role

    If you select the Copy top role option, you copy only the role you have selected. The source role has links to roles in its hierarchy, and the copy inherits links to the original versions of those roles. Subsequent changes to the inherited roles affect not only the source top role, but also your copy. The result of selecting the Copy top role option, therefore, is as follows:

    • You can add roles directly to the copied role without affecting the source role.

    • You can remove any role that's inherited directly by the copied role without affecting the source role.

    • If you remove any role that's inherited indirectly by the copied role, then the removal affects both the copied role and any other role that inherits the removed role's parent role, including the source role.

    • If you edit any inherited role, then the changes affect any role that inherits the edited role. The changes aren't limited to the copied role.

      To edit the inherited roles without affecting other roles, you must first make copies of those inherited roles. You can either select the Copy top role and inherited roles option or copy individual inherited roles separately, edit the copies, and use them to replace the existing versions.

  • Copying the Top Role and Inherited Roles

    If you select the Copy top role and inherited roles option, you copy not only the role you have selected, but also all of the roles in its hierarchy. Your copy of the top role is connected to new copies of subordinate roles.

    Note: Inherited duty roles are copied if a copy of the role with the same name doesn't already exist. Otherwise, the copied role inherits links to the existing copies of the duty roles.

    When inherited duty roles are copied, you can edit them without affecting other roles. Equally, changes made subsequently to duty roles in the source role hierarchy aren't reflected in the copied role.

Reviewing the Role Hierarchy

When you copy a predefined job, abstract or duty role, it's recommended that you first review the role hierarchy to identify any inherited roles that you want to either copy, add, or delete in your custom role. You can review the role hierarchy on the Roles tab of the Security Console in either graphical or tabular format. You can also:

  • Export the role hierarchy to a spreadsheet from the Roles tab.

  • Review the role hierarchy and export it to a spreadsheet from the Analytics tab.

  • Run the User and Role Access Audit Report.

Job and abstract roles inherit function security privileges and data security policies from the roles that they inherit. Function security privileges and data security policies may also be granted directly to a job or abstract role. Review these directly granted privileges on the Roles tab of the Security Console, as follows:

  • In the graphical view of a role, its inherited roles and function security privileges are visible at the same time.

  • In the tabular view, you set the Show value to switch between roles and function security privileges. You can export either view to a spreadsheet.

Once your custom role exists, edit it to add or remove directly granted function security privileges.

Note: Data security policies are visible only when you edit your role; they don't display in the graphical or tabular role views. However, you can view the data security policies assigned to a role from the Analytics tab of the Security Console.

Naming Copied Roles

By default, a copied role has the same name as its source role with the suffix Custom. The role codes of copied roles have the suffix _CUSTOM. Copied roles lose the prefix ORA_ automatically from their role codes. You can define a local naming convention for custom roles, with a prefix, suffix, or both, on the Roles subtab of the Security Console Administration tab.

Note: Copied roles take their naming pattern from the default values specified on the Roles subtab of the Security Console Administration tab. You can override this pattern on the Copy Role: Basic Information page for the role that you're copying. However, the names of roles inherited by the copied role are unaffected. For example, if you perform a deep copy of the Employee role, then duty roles inherited by that role take their naming pattern from the default values.

If any role in the hierarchy already exists when you copy a role, then no copy of that role is made. For example, if you make a second copy of the Employee role, then copies of the inherited duty roles might already exist. In this case, the copied role inherits links to the existing copies of the roles. To create unique copies of inherited roles, you must enter unique values on the Administration tab of the Security Console before you perform a deep copy. To retain links to the predefined job or abstract role hierarchy, perform a shallow copy of the predefined role.
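The following Python model is an added example, not Oracle code. It illustrates the copy behavior described under Role-Copy Options and the reuse of existing copies described above. The Role class, the function names, and the role codes and privilege names are all constructed for illustration.

```python
# Added example (not Oracle code); role codes and privileges are constructed.
class Role:
    def __init__(self, code, privileges=(), inherits=()):
        self.code = code
        self.privileges = set(privileges)  # directly granted privileges
        self.inherits = list(inherits)     # links to inherited Role objects

    def effective(self):
        """Direct privileges plus everything reachable through inherited roles."""
        privs = set(self.privileges)
        for role in self.inherits:
            privs |= role.effective()
        return privs

def custom_code(code, suffix="_CUSTOM"):
    """Default naming: drop the ORA_ prefix, append the suffix."""
    base = code[len("ORA_"):] if code.startswith("ORA_") else code
    return base + suffix

def shallow_copy(role, registry, top_code=None):
    """Copy top role only: the copy links to the ORIGINAL inherited roles."""
    copy = Role(top_code or custom_code(role.code), role.privileges, role.inherits)
    registry[copy.code] = copy
    return copy

def deep_copy(role, registry, top_code=None):
    """Copy top role and inherited roles; reuse a copy whose code already exists."""
    code = top_code or custom_code(role.code)
    if code in registry:
        return registry[code]
    copy = Role(code, role.privileges)
    registry[code] = copy
    # Inherited roles always take the default naming pattern, never top_code.
    copy.inherits = [deep_copy(r, registry) for r in role.inherits]
    return copy

def demo():
    registry = {}
    duty = Role("ORA_SAMPLE_DUTY", {"VIEW_RECORD"})
    job = Role("ORA_SAMPLE_JOB", {"SIGN_IN"}, [duty])
    shallow = shallow_copy(job, registry)
    deep = deep_copy(job, registry, top_code="SAMPLE_JOB_DEEP")
    second = deep_copy(job, registry, top_code="SAMPLE_JOB_DEEP_2")
    duty.privileges.add("EDIT_RECORD")  # later change in the source hierarchy
    return {"shallow": shallow, "deep": deep, "second": second, "duty": duty}

if __name__ == "__main__":
    for name, role in demo().items():
        print(name, role.code, sorted(role.effective()))
```

In this model the shallow copy picks up the later change to the inherited duty role, the deep copy doesn't, and the second deep copy shares the duty role copy created by the first, so an edit to that shared copy reaches both custom roles.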

Copying Roles and Access Groups

When you copy a job role, a custom job role is created that includes the same duty roles and the same function and data security policies as the original role. A system access group is also generated for the custom job role, but it isn't assigned any object sharing rules.

To provide your users with data access using the access group generated for the custom role, you must either add rules to the group manually, or copy the rules from the access group generated for the source role you copied, then edit the rules as required. For additional information, see the topics Overview of Managing System Access Groups and Copy Object Sharing Rules from One Access Group to Another in the Access Groups chapter.

Report and Analytics Roles

You can't copy roles that are used to secure sales analytics and reports. Therefore, you can't copy any of the following types of roles:

  • Transaction Analysis Duty roles

  • Business Intelligence roles

  • Any role with a role code prefix of OBIA, for example, OBIA_ANALYSIS_GENERIC_DUTY

You can, however, add any of these roles to custom job roles that you create. When you create a custom job role, either from scratch or by copying an existing job role and editing it, make sure that the role is assigned the BI Consumer role and BI Author role if the custom role is to provide access to analyses and reports. The BI Consumer role provides view-only access to analyses and reports; the BI Author role provides access to create and edit analyses and reports.