Duty Role Components
A typical duty role consists of function security privileges and data security policies. Duty roles may also inherit aggregate privileges and other duty roles.
Data Security Policies
For a given duty role, you may create any number of data security policies. Each policy selects a set of data required for the duty to be completed, and actions that may be performed on that data. The duty role may also acquire data security policies indirectly, from its aggregate privileges.
Each data security policy combines:
-
A duty role, for example Inventory Transaction Management Duty.
-
A business object that's being accessed, for example Inventory Transaction.
-
The condition, if any, that controls access to specific instances of the business object. For example, a condition may allow access to data for the inventory organizations in which the user can operate.
-
A data security privilege, which defines what may be done with the specified data, for example Manage Inventory Transaction Data.
Function Security Privileges
Many function security privileges are granted directly to a duty role. It also acquires function security privileges indirectly from its aggregate privileges.
Each function security privilege secures the code resources that make up the relevant pages, such as the Manage Grades and Manage Locations pages.