1. Securing Sales and Fusion Service
  2. Role Hierarchies and Role Inheritance

Role Hierarchies and Role Inheritance

Each role is a hierarchy of other roles that are linked to each other in a parent-child relationship. As this hierarchy chart shows, users are assigned job and abstract roles, which inherit duty roles and their associated privileges.

Duty roles in turn can inherit privileges from subordinate duty roles. You can explore the complete structure of a job or abstract role on the Security Console.

Role inheritance

Role hierarchies allow privileges to be grouped to represent a feature set, which simplifies feature management. Role hierarchies also provide privilege granularity and facilitate role reuse. For example, each role hierarchy beneath the job role represents a feature that's available through the job role to the user. Roles at lower levels of the hierarchy represent functionality that the feature requires. If this functionality is required by other features, the role that provides the functionality can be shared across roles.

Note: Having many levels in a role hierarchy isn't recommended. Deep role hierarchies are difficult to manage, and modification of the privileges in roles that are heavily reused can cause undesired consequences in other features.

Role Inheritance Example

This example shows how roles and privileges are inherited for a user, Tom Green, assigned the Sales Manager job role. The chart shows a few of the duty roles that Tom inherits.

Diagram shows the duty roles inherited by a user assigned the Sales Manager job role

As an employee sales manager, Tom Green is provisioned with the roles required to do the job: the Sales Manager job role, and the Employee and Resource abstract roles. Roles are inherited as follows:

  • The Sales Manager job role inherits duty roles including the Sales Party Management duty role and the Opportunity Sales Manager duty role.

  • Duty roles inherit other duty roles. For example, the Sales Party Management duty inherits the Sales Party Review duty and the Trading Community Import Batch Management duty, as well as many privileges.

  • The duty roles can be associated with functional security policies and data security policies. For example, the inherited Sales Party Review duty includes security policies that specify which application pages sales managers can access to export assets.

  • Data security policies are also assigned to the Sales Manager job role directly.
  • When the sales manager Tom Green is provisioned with the Sales Manager job role, he's also automatically enrolled into a system access group, the Sales Manager Group, which is assigned rules that provide the same access to data as the data security policies assigned to the Sales Manager job role.

    If you were provisioned with the sales application for the first time in release 22B or later, your database resources are secured using system access groups and rules by default. Using access groups and rules is also the recommended way of configuring data security. For additional information about access groups, see the topic Data Privileges and Access Groups.