13 Configuring Roles Using the Security Console

This chapter contains the following:

Creating Custom Roles

Create Roles in the Security Console

You can use the Security Console to create duty, job, or abstract roles.

In many cases, an efficient method of creating a role is to copy an existing role, then edit the copy to meet your requirements. Typically, you would create a role from scratch if no existing role is similar to the role you want to create.

To create a role from scratch, select the Roles tab in the Security Console, then click the Create Role button. Enter values in a series of role-creation pages, selecting Next or Back to navigate among them.

Providing Basic Information

On a Basic Information page:

  1. In the Role Name field, create a display name, for example North America Accounts Receivable Specialist.

  2. In the Role Code field, create an internal name for the role, such as AR_NA_ACCOUNTS_RECEIVABLE_SPECIALIST_JOB.

    Note: Do not use "ORA_" as the beginning of a role code. This prefix is reserved for roles predefined by Oracle. You can't edit a role with the ORA_ prefix.
  3. In the Role Category field, select a tag that identifies a purpose the role serves in common with other roles. Typically, a tag specifies a role type and an application to which the role applies, such as Financials - Job Roles.

    If you select a duty-role category, you can't assign the role you're creating directly to users. To assign it, you would include it in the hierarchy of a job or abstract role, then assign that role to users.

  4. Optionally, describe the role in the Description field.

Adding Function Security Policies

A function security policy selects a set of functional privileges, each of which permits use of a field or other user-interface feature. On a Function Security Policies page, you may define a policy for:

  • A duty role. In this case, the policy selects functional privileges that may be inherited by duty, job, or abstract roles to which the duty is to belong.

  • A job or abstract role. In this case, the policy selects functional privileges specific to that role.

As you define a policy, you can either add an individual privilege or copy all the privileges that belong to an existing role:

  1. Select Add Function Security Policy.

  2. In the Search field, select Privileges, one or more role types, or any combination of these, then enter at least three characters. The search returns items of the selected types whose names contain the characters you entered.

  3. Select a privilege or role. If you select a privilege, click Add Privilege to Role. If you select a role, click Add Selected Privileges.

    Note: The search results display all roles, whether they contain privileges or not. If a role doesn't contain privileges, there's nothing to add here. To add roles that don't contain privileges, go to the Role Hierarchy page.

The Function Security Policies page lists all selected privileges. When appropriate, it also lists the role from which a privilege is inherited. You can:

  • Click a privilege to view details of the code resource it secures.

  • Delete a privilege. You may, for example, have added the privileges associated with a role. If you want to use only some of them, you must delete the rest. To delete a privilege, click its x icon.

Adding Data Security Policies

A data security policy may be explicit or implicit.

  • An explicit policy grants access to a particular set of data, such as that pertaining to a particular business unit. This type of policy isn't used in predefined roles in Oracle ERP Cloud.

  • An implicit policy applies a data privilege (such as read) to a set of data from a specified data resource. Create this type of policy for a duty, job, or abstract role. For each implicit policy, you must grant at least the read and view privileges.

You can use a Data Security Policies page to manage implicit policies.

Note: For the Data Security Policies page to be active, you must select an "Enable edit of data security policies" option. To locate it, select the Administration tab, and then the Roles tab on the Administration page. If this option isn't selected, the Data Security Policies page is read-only.

To create a data security policy, click the Create Data Security Policy button, then enter values that define the policy. A start date is required; a name, an end date, and a description are optional. Values that define the data access include:

  • Database Resource: A database table.

  • Data Set: A definition that selects a subset of the data made available by the database resource.

    • Select by key. Choose a primary key value, to limit the data set to a record in the data resource whose primary key matches the value you select.

    • Select by instance set. Choose a condition that defines a subset of the data in the data resource. Conditions vary by resource.

    • All values: Include all data from the data resource in your data set.

  • Actions: Select one or more data privileges to apply to the data set you have defined.

The Data Security Policies page lists all policies defined for the role. To edit or delete a policy, click the Actions button and select Edit or Remove.
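The three ways of defining a data set above (by key, by instance set, all values) are easier to reason about as a row filter. The following is an added example written for this page, not Oracle code: a small model of implicit data security policies in which a policy is a database resource, a data set selector and a set of data privileges, and a row is visible only if some policy's data set covers it. The table, the column names (including the assumption that the primary key column is called id), the policies and the rows are all constructed for the example, and the rule that every policy must grant at least read and view is taken from the text.

```python
"""
Illustrative model of implicit data security policies: a data privilege
applied to a data set of a database resource. Added example for this page;
not Oracle code. Resource name, rows, columns and policies are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Row = dict  # one record from the database resource, keyed by column name

# Taken from the page: every implicit policy must grant at least read and view.
REQUIRED_ACTIONS = frozenset({"read", "view"})


def missing_required_actions(actions) -> set:
    """Which of the mandatory data privileges a policy fails to grant."""
    return set(REQUIRED_ACTIONS - set(actions))


@dataclass(frozen=True)
class DataSecurityPolicy:
    resource: str                       # database resource (table) the policy covers
    actions: frozenset                  # data privileges granted on the data set
    key: Optional[object] = None        # "Select by key": one primary-key value
    instance_set: Optional[Callable[[Row], bool]] = None   # "Select by instance set": a condition
    # key is None and instance_set is None means "All values"

    def __post_init__(self) -> None:
        missing = missing_required_actions(self.actions)
        if missing:
            raise ValueError(f"policy on {self.resource} lacks required actions {sorted(missing)}")
        if self.key is not None and self.instance_set is not None:
            raise ValueError("a data set is selected by key, by instance set, or all values, not a mix")

    def selects(self, row: Row) -> bool:
        """Is this row inside the policy's data set? (assumes the key column is 'id')"""
        if self.key is not None:
            return row.get("id") == self.key
        if self.instance_set is not None:
            return self.instance_set(row)
        return True


def allowed(policies: list, resource: str, action: str, row: Row) -> bool:
    """Grant if any policy for the resource covers the row and grants the action."""
    return any(p.resource == resource and action in p.actions and p.selects(row)
               for p in policies)


def visible_rows(policies: list, resource: str, rows: list) -> list:
    """The rows a role can read: the union of its read-granting data sets."""
    return [r for r in rows if allowed(policies, resource, "read", r)]


# Constructed sample data: an invoices table partitioned by business unit.
INVOICES = [
    {"id": 101, "business_unit": "US East", "amount": 1200},
    {"id": 102, "business_unit": "US East", "amount": 90},
    {"id": 103, "business_unit": "EMEA", "amount": 5400},
]

# A custom AR specialist role: read and view only inside one business unit (instance set).
AR_US_EAST = [DataSecurityPolicy("AR_INVOICES", frozenset({"read", "view"}),
                                 instance_set=lambda r: r["business_unit"] == "US East")]
# An auditor role: read and view all values, no update.
AUDITOR = [DataSecurityPolicy("AR_INVOICES", frozenset({"read", "view"}))]
# A role scoped to a single record by key, with update.
ONE_INVOICE_UPDATE = [DataSecurityPolicy("AR_INVOICES", frozenset({"read", "view", "update"}), key=103)]

if __name__ == "__main__":
    print([r["id"] for r in visible_rows(AR_US_EAST, "AR_INVOICES", INVOICES)])   # [101, 102]
    print(allowed(ONE_INVOICE_UPDATE, "AR_INVOICES", "update", INVOICES[2]))      # True
```

The point to take from the model is that data access is the union of every policy the role carries: adding a second, broader policy to a role silently widens what the first one restricted, which is why the text recommends leaving the predefined data security policies alone and reviewing the Impact Report before saving.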

Configuring the Role Hierarchy

A Role Hierarchy page displays either a visualization graph, with the role you're creating as its focus, or a visualization table. Click Show Graph or View as Table to switch between them. In either case, link the role you're creating to other roles from which it's to inherit function and data security privileges.

  • If you're creating a duty role, you can add duty roles or aggregate privileges to it. In effect, you're creating an expanded set of duties for incorporation into a job or abstract role.

  • If you're creating a job or abstract role, you can add aggregate privileges, duty roles, or other job or abstract roles to it.

To add a role:

  1. Select Add Role.

  2. In a Search field, select a combination of role types and enter at least three characters. The search returns values including items of the type you selected, whose names contain the characters you entered.

  3. Select the role you want, and click Add Role Membership. You add not only the role you have selected, but also its entire hierarchy.

In the graph view, you can use the visualization Control Panel, Legend, and Overview tools to manipulate the nodes that define your role hierarchy.

Adding Users

On a Users page, you can select users to whom you want to assign a job or abstract role you're creating. (You can't assign a duty role directly to users.)

Note: For the Users page to be active, you must select an "Enable edit of user role membership" option. To locate it, select the Administration tab, and then the Roles tab on the Administration page. If this option isn't selected, the Users page is read-only.

To add a user:

  1. Select Add User.

  2. In a Search field, select the value Users or types of role in any combination and enter at least three characters. The search returns values including items of the type you selected, whose names contain the characters you entered.

  3. Select a user or role. If you select a user, click Add User to Role. If you select a role, click Add Selected Users; this adds all its assigned users to the role you're creating.

The Users page lists all selected users. You can delete a user. You may, for example, have added all the users associated with a role. If you want to assign your new role only to some of them, you must delete the rest. To delete a user, click its x icon.

Completing the Role

On a Summary and Impact Report page, review the selections you have made. Summary listings show the numbers of function security policies, data security policies, roles, and users you have added and removed. An Impact listing shows the number of roles and users affected by your changes. Expand any of these listings to see names of policies, roles, or users included in its counts.

If you determine you must make changes, navigate back to the appropriate page and do so. If you're satisfied with the role, select Save and Close.

Role Copying or Editing

Rather than create a role from scratch, you can copy a role, then edit the copy to create a new role. Or you can edit existing roles.

Initiate a copy or an edit from the Roles tab in the Security Console. Do either of the following:

  • Create a visualization graph and select any role in it. Right-click and select Copy Role or Edit Role.

  • Generate a list of roles in the Search Results column of the Roles page. Select one of them, and click its menu icon. In the menu, select Copy Role or Edit Role.

If you're copying a role, select one of two options in a Copy Option dialog:

  • Copy top role: You copy only the role you have selected. The copy inherits links to the original versions of the roles in the source role's hierarchy. If you select this option, subsequent changes to those inherited roles affect not only the source role but also your copy.

  • Copy top role and inherited roles: You copy not only the role you have selected, but also all of the roles in its hierarchy. Your copy of the highest role is connected to the new copies of subordinate roles. If you select this option, you insulate the copied role from changes to the original versions of the inherited roles.

Next, an editing train opens. Essentially, you follow the same process in editing a role as you would to create one. However, note the following:

  • In the Basic Information page, a Predefined role box is checked if you selected the Edit Role option for a role shipped by Oracle. In that case, you can:

    • Add custom data security policies. Modify or remove those custom data security policies.

    • Add or remove users if the role is a job, abstract, or discretionary role.

    You can't:

    • Modify, add, or remove function security policies.

    • Modify or remove data security policies provided by Oracle.

    • Modify the role hierarchy.

    The Predefined role check box is cleared if you're editing a custom role or if you have copied a role. In that case, you can make any changes to role components.

  • By default, the name and code of a copied role match the source role's, except that a prefix, a suffix, or both are added. On the Roles tab of the Administration page, you can configure the default prefix and suffix for each value.

  • A copied role can't inherit users from a source job or abstract role. You must select users for the copied role. (They may include users who belong to the source role.)

  • When you copy a role, the Role Hierarchy page displays all roles subordinate to it. However, you can add roles only to, or remove them from, the highest role you copied.

To monitor the status of a role-copy job, select the Administration tab, and then the Role Copy Status tab of the Administration page.

Security Console Role-Copy Options

When you copy a role on the Security Console, you select one of the following options:

  • Copy top role

  • Copy top role and inherited roles

This topic explains the effects of each of these options.

Copy Top Role

If you select the Copy top role option, then only the top role of the selected role hierarchy is copied. The copy is made a member of the same roles that the original inherits; that is, the copy references the inherited role hierarchy of the source role rather than receiving its own copies of those roles. Any changes made to those inherited roles appear in both the source role and the copy. Therefore, take care when you edit the role hierarchy of the copy. You can:

  • Add roles directly to the copy without affecting the source role.

  • Remove any role from the copy that it inherits directly without affecting the source role. However, if you remove any role that's inherited indirectly by the copy, then any role that inherits the removed role's parent role is affected.

  • Add or remove function and data security privileges that are granted directly to the copy of the top role.

If you copy a custom role and edit any inherited role, then the changes affect any role that inherits the edited role.

The option of copying the top role is referred to as a shallow copy. This figure summarizes the effects of a shallow copy. It shows that the copy references the same instances of the inherited roles as the source role. No copies are made of the inherited roles.

The figure shows a source job role that inherits an aggregate privilege and a duty role; that duty role inherits another duty role. The copy of the job role references the inherited roles of the source role. The duty roles and aggregate privilege belonging to the source role haven't been copied.

You're recommended to create a shallow copy unless you must make changes that could affect other roles or that you couldn't make to predefined roles. To edit the inherited roles without affecting other roles, you must first make copies of those inherited roles. To copy the inherited roles, select the Copy top role and inherited roles option.

Tip: The Copy Role: Summary and Impact Report page provides a useful summary of your changes. Review this information to ensure that you haven't accidentally made a change that affects other roles.

Copy Top Role and Inherited Roles

Selecting Copy top role and inherited roles is a request to copy the entire role hierarchy. These rules apply:

  • Inherited aggregate privileges are never copied. Instead, membership is added to each aggregate privilege for the copy of the source role.

  • Inherited duty roles are copied if a copy with the same name doesn't already exist. Otherwise, membership is added to the existing copies of the duty roles for the new role.

When inherited duty roles are copied, custom duty roles are created. Therefore, you can edit them without affecting other roles. Equally, changes made subsequently to the source duty roles don't appear in the copies of those roles. For example, if those duty roles are predefined and are updated during upgrade, then you may have to update your copies manually after upgrade. This option is referred to as a deep copy.

This figure shows the effects of a deep copy. In this example, copies of the inherited duty roles with the same name don't already exist. Therefore, the inherited duty roles are copied when you copy the top role. Aggregate privileges are referenced from the new role.

The figure shows a source job role that inherits an aggregate privilege and a duty role; that duty role inherits another duty role. The copy of the source job role inherits copies of the duty roles from the source role. The aggregate privilege belonging to the source role is referenced by the copy of the top role.
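The difference between the two options is ultimately one of reference versus copy, and the consequences (an upgrade of a predefined duty role reaching a shallow copy but not a deep copy; a second deep copy reusing duty-role copies that already exist; aggregate privileges never being copied) follow from that. The following is an added example written for this page, not Oracle code: a small model of a role hierarchy with the two copy operations implemented by the rules the text gives. The role codes and privilege names are constructed; the naming rule (drop the ORA_ prefix, add a suffix) is the default described later on this page.

```python
"""
Illustrative model of the two Security Console role-copy options.
Added example for this page, not Oracle code. Role codes and privilege
names are constructed; the copy rules are the ones the page describes.
"""
from dataclasses import dataclass, field


@dataclass
class Role:
    code: str
    is_aggregate: bool = False                        # aggregate privileges are never copied
    privileges: set = field(default_factory=set)      # function security privileges granted directly
    inherits: list = field(default_factory=list)      # roles this role is a member of

    def effective_privileges(self) -> set:
        """Directly granted privileges plus everything inherited, transitively."""
        seen, out, stack = set(), set(), [self]
        while stack:
            role = stack.pop()
            if role.code in seen:
                continue
            seen.add(role.code)
            out |= role.privileges
            stack.extend(role.inherits)
        return out


class Registry:
    """All roles by code. Copies are registered so that a later deep copy
    reuses an existing copy of a duty role instead of making a second one."""

    def __init__(self) -> None:
        self.roles = {}

    def add(self, role: Role) -> Role:
        self.roles[role.code] = role
        return role

    @staticmethod
    def copy_code(code: str, suffix: str) -> str:
        """Default naming for copies: the ORA_ prefix is dropped and a suffix added."""
        base = code[len("ORA_"):] if code.startswith("ORA_") else code
        return base + suffix

    def shallow_copy(self, src: Role, suffix: str = "_CUSTOM") -> Role:
        """Copy top role: the copy references the very same inherited role objects."""
        return self.add(Role(self.copy_code(src.code, suffix), False,
                             set(src.privileges), list(src.inherits)))

    def deep_copy(self, src: Role, suffix: str = "_CUSTOM") -> Role:
        """Copy top role and inherited roles: duty roles are copied once,
        existing copies are reused, aggregate privileges are only referenced."""
        new_inherits = []
        for child in src.inherits:
            if child.is_aggregate:
                new_inherits.append(child)
                continue
            existing = self.roles.get(self.copy_code(child.code, suffix))
            new_inherits.append(existing or self.deep_copy(child, suffix))
        return self.add(Role(self.copy_code(src.code, suffix), False,
                             set(src.privileges), new_inherits))


def build_sample():
    """Constructed hierarchy matching the figures: job -> {aggregate, duty -> inner duty}."""
    reg = Registry()
    agg = reg.add(Role("ORA_EXAMPLE_AGG", True, {"AGG_PRIV"}))
    inner = reg.add(Role("ORA_EXAMPLE_INNER_DUTY", False, {"INNER_PRIV"}))
    outer = reg.add(Role("ORA_EXAMPLE_OUTER_DUTY", False, {"OUTER_PRIV"}, [inner]))
    job = reg.add(Role("ORA_EXAMPLE_JOB", False, {"JOB_PRIV"}, [agg, outer]))
    return reg, job, inner


def upgrade_reaches_copies() -> dict:
    """Simulate an upgrade that adds a privilege to a predefined inner duty role
    after one shallow and one deep copy were made; report which roles see it."""
    reg, job, inner = build_sample()
    shallow = reg.shallow_copy(job, "_SHALLOW")
    deep = reg.deep_copy(job, "_DEEP")
    inner.privileges.add("PRIV_ADDED_BY_UPGRADE")
    return {name: "PRIV_ADDED_BY_UPGRADE" in r.effective_privileges()
            for name, r in (("source", job), ("shallow", shallow), ("deep", deep))}


if __name__ == "__main__":
    print(upgrade_reaches_copies())   # {'source': True, 'shallow': True, 'deep': False}
```

Read the result both ways: the shallow copy tracks upgrades of the predefined duty roles for free but is also exposed to any edit someone makes to them, while the deep copy is insulated and therefore must be re-reviewed after each upgrade. Either way the Summary and Impact Report is the place to confirm which roles a change actually touches.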

Copy Job and Abstract Roles

You can copy any job role or abstract role and use it as the basis for a custom role. Copying roles is more efficient than creating them from scratch, especially if your changes are minor. This topic explains how to copy a role to create a new role. You must have the IT Security Manager job role or privileges to perform this task.

Copy a Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for the role to copy.

  2. Select the role in the search results. The role hierarchy appears in tabular format by default.

    Tip: If you prefer, click the Show Graph icon to show the hierarchy in graphical format.
  3. In the search results, click the down arrow for the selected role and select Copy Role.

  4. In the Copy Options dialog box, select a copy option.

  5. Click Copy Role.

  6. On the Copy Role: Basic Information page, review and edit the Role Name, Role Code, Description, and Enable Role for Access from All IP Addresses values, as appropriate. Enable Role for Access from All IP Addresses appears only if location-based access is enabled.

    Tip: The role name and code have the default prefix and suffix for copied roles specified on the Roles subtab of the Security Console Administration tab. You can overwrite these values for the role that you're copying. However, any roles inherited by the copied role are unaffected by any name changes that you make on the Copy Role: Basic Information page.
  7. Click the Summary and Impact Report train stop.

  8. Click Submit and Close, then OK to close the confirmation message.

  9. Review the progress of your copy on the Role Copy Status subtab of the Security Console Administration tab. When the status is Complete, you can edit the copied role.

    If you prefer, you can visit the intermediate train stops after the Copy Role: Basic Information page and edit your copy of the role before you save it.

Edit Job and Abstract Roles

You can create a role by copying a predefined job role or abstract role and editing the copy. This topic describes how to edit a role on the Security Console. You must have the IT Security Manager job role or privileges to perform this task.

Edit the Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for and select your custom role.

  2. In the search results, click the down arrow for the selected role and select Edit Role.

  3. On the Edit Role: Basic Information page, you can edit the role name and description, but not the role code. If location-based access is enabled, then you can also manage the Enable Role for Access from All IP Addresses option.

  4. Click Next.

Manage Functional Security Privileges

On the Edit Role: Functional Security Policies page, any function security privileges granted to the copied role appear on the Privileges tab. Select a privilege to view details of the code resources that it secures in the Details section of the page.

To remove a privilege from the role, select the privilege and click the Delete icon. To add a privilege to the role:

  1. Click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to add all function security privileges from the selected role to your custom role.

    Tip: If the role has no function security privileges, then you see an error message. You can add the role to the role hierarchy on the Edit Role: Role Hierarchy page, if appropriate.

    If you select a single privilege, then click Add Privilege to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

  7. Click Next.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.

The Resources tab, which is read-only, lists any resources granted to the role directly rather than through function security privileges. As you can't grant resources directly to roles on the Security Console, only resource grants created before Release 12 could appear on this tab. You can't edit these values.

Manage Data Security Policies

Make no changes on the Edit Role: Data Security Policies page.

Add and Remove Inherited Roles

The Edit Role: Role Hierarchy page shows the copied role and its inherited aggregate privileges and duty roles. The hierarchy is in tabular format by default. You can add or remove roles.

To remove a role:

  1. Select the role in the table.

  2. Click the Delete icon.

  3. Click OK to close the confirmation message.

Note: The role that you're removing must be inherited directly by the role that you're editing. If the role is inherited indirectly, then you must edit its parent role.

To add a role:

  1. Click the Add Role icon.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. Close the Add Role Membership dialog box.

    The Edit Role: Role Hierarchy page shows the updated role hierarchy.

  7. Click Next.

Provision the Role to Users

To provision the role to users, you must create a role mapping. Don't provision the role to users on the Security Console.

Review the Role

On the Edit Role: Summary and Impact Report page, review the summary of changes. Click Back to make corrections. Otherwise:

  1. Click Save and Close to save the role.

  2. Click OK to close the confirmation message.

The role is available immediately.

Guidelines for Copying HCM Roles

Copying predefined roles and editing the copies is the recommended approach to creating roles. This topic describes what to consider when you're copying a role.

Reviewing the Role Hierarchy

When you copy a predefined job, abstract, or duty role, you're recommended first to review the role hierarchy. This review is to identify the inherited roles that you want to refer to, copy, or delete in your custom role. For example, the Payroll Manager job role inherits the Payroll Administrator job role, among others. When copying the Payroll Manager role, you must decide whether to copy the Payroll Administrator role, refer to it, or remove it from your copy. You can review the role hierarchy on the Roles tab of the Security Console in either graphical or tabular format. You can also:

  • Export the role hierarchy to a spreadsheet from the Roles tab.

  • Review the role hierarchy and export it to a spreadsheet from the Analytics tab.

  • Run the User and Role Access Audit Report.

Tip: Aggregate privileges are never copied. When you copy a job or abstract role, its inherited aggregate privileges are referred to from your copy.

Reviewing Privileges

Job and abstract roles inherit function security privileges and data security policies from the roles that they inherit. Function security privileges and data security policies may also be granted directly to a job or abstract role. You can review these directly granted privileges on the Roles tab of the Security Console, as follows:

  • In the graphical view of a role, its inherited roles and function security privileges are visible at the same time.

  • In the tabular view, you set the Show value to switch between roles and function security privileges. You can export either view to a spreadsheet.

Once your custom role exists, edit it to add or remove directly granted function security privileges.

Note: Data security policies are visible only when you edit your role. You're recommended to leave data security policies unchanged.

Transaction Analysis Duty Roles

Some roles, such as the Human Resource Analyst job role, inherit Transaction Analysis Duty roles, which are used in Oracle Transactional Business Intelligence report permissions. If you copy the Human Resource Analyst job role, or any other role that inherits Transaction Analysis Duty roles, don't copy the Transaction Analysis Duty roles: if you did, you would have to update the permissions of the relevant reports so that they're secured by your copies of those roles. Instead, add the predefined Transaction Analysis Duty roles to your copy of the relevant job role, such as Human Resource Analyst.

Naming Copied Roles

By default, a copied role has the same name as its source role with the suffix Custom. The role codes of copied roles have the suffix _CUSTOM. Copied roles lose the prefix ORA_ automatically from their role codes. You can define a local naming convention for custom roles, with a prefix, suffix, or both, on the Administration tab of the Security Console.

Note: Copied roles take their naming pattern from the default values specified on the Administration tab of the Security Console. You can override this pattern on the Copy Role: Basic Information page for the role that you're copying. However, the names of roles inherited by the copied role are unaffected. For example, if you perform a deep copy of the Employee role, then inherited duty roles take their naming pattern from the default values.

Duplicate Roles

If any role in the hierarchy already exists when you copy a role, then no copy of that role is made. For example, if you make a second copy of the Employee role, then copies of the inherited duty roles may already exist. In this case, membership is added to the existing copies of the roles. To create unique copies of inherited roles, you must enter unique prefix or suffix values on the Administration tab of the Security Console before performing a deep copy.

To retain membership of the predefined job or abstract role hierarchy, perform a shallow copy of the predefined role.

What Role Copy Does

When you copy a role on the Security Console, the role is copied in accordance with the role-copy options that you specify. Nothing else is updated. For example:

  • If the role that you're copying is referenced in an EL expression, then the expression isn't updated to include the new role.

  • The new role isn't assigned automatically to users who have the original role.

Create Job and Abstract Roles from Scratch

If the predefined roles aren't suitable or you need a role with few privileges, then you can create a role from scratch. This topic explains how to create a job role or abstract role. To perform this task, you must have the IT Security Manager job role or privileges.

Enter Basic Information

Follow these steps:

  1. On the Roles tab of the Security Console, click Create Role.

  2. On the Create Role: Basic Information page, enter the role's display name in the Role Name field. For example, enter Sales Department Administration Job Role.

  3. Complete the Role Code field. For example, enter SALES_DEPT_ADMIN_JOB.

    Abstract roles have the suffix _ABSTRACT, and job roles have the suffix _JOB.

  4. In the Role Category field, select either HCM - Abstract Roles or HCM - Job Roles, as appropriate.

    Note: Be sure to select the HCM - Job Roles category when creating job roles. Otherwise, your job roles don't appear in the list of available job roles when you create an HCM data role.
  5. If you're using location-based access, then you see the Enable Role for Access from All IP Addresses option. If you select this option, then users who have the role can access the tasks that the role secures from any IP address.

  6. Click Next.

Add Functional Security Policies

When you create a role from scratch, you're most likely to add one or more aggregate privileges or duty roles to your role. You're less likely to grant function security privileges directly to the role.

If you aren't granting function security privileges, then click Next. Otherwise, to grant function security privileges to the role:

  1. On the Privileges tab of the Create Role: Functional Security Policies page, click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to add all function security privileges from a selected role to your custom role.

    Tip: If the role has no function security privileges, then you see an error message. You can add the role to the role hierarchy on the Create Role: Role Hierarchy page, if appropriate.

    If you select a single privilege, then click Add Privilege to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

  7. Click Next.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.

Create Data Security Policies

Make no entries on the Create Role: Data Security Policies page.

Build the Role Hierarchy

The Create Role: Role Hierarchy page shows the hierarchy of your custom role in tabular format by default. You can add one or more aggregate privileges, job roles, abstract roles, and duty roles to the role. Typically, when creating a job or abstract role you add aggregate privileges. Roles are always added directly to the role that you're creating.

To add a role:

  1. Click the Add Role icon.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. When you finish adding roles, close the Add Role Membership dialog box.

  7. Click Next.

Provision the Role

To provision the role to users, you must create a role mapping when the role exists. Don't provision the role to users on the Security Console.

Review the Role

On the Create Role: Summary and Impact Report page, review the summary of the changes. Click Back to make corrections. Otherwise:

  1. Click Save and Close to save the role.

  2. Click OK to close the confirmation message.

Your custom role is available immediately.

Copy and Edit Duty Roles

You can copy a duty role and edit the copy to create a duty role. Copying duty roles is the recommended way of creating duty roles. This topic explains how to copy a duty role and edit the copy. You must have the IT Security Manager job role or privileges to perform these tasks.

Copy a Duty Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for the duty role to copy.

  2. Select the role in the search results. The role hierarchy appears in tabular format by default.

    Tip: If you prefer, click the Show Graph icon to show the hierarchy in graphical format.
  3. In the search results, click the down arrow for the selected role and select Copy Role.

  4. In the Copy Options dialog box, select a copy option.

  5. Click Copy Role.

  6. On the Copy Role: Basic Information page, edit the Role Name, Role Code, and Description values, as appropriate.

    Tip: The role name and code have the default prefix and suffix for copied roles specified on the Roles subtab of the Security Console Administration tab. You can overwrite these values for the role that you're copying. However, any roles inherited by the copied role are unaffected by any name changes that you make on the Copy Role: Basic Information page.
  7. Click the Summary and Impact Report train stop.

  8. Click Submit and Close, then OK to close the confirmation message.

  9. Review the progress of your copy on the Role Copy Status subtab of the Security Console Administration tab. Once the status is Complete, you can edit the copied role.

Edit the Copied Duty Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for and select your copy of the duty role.

  2. In the search results, click the down arrow for the selected role and select Edit Role.

  3. On the Edit Role: Basic Information page, you can edit the role name and description, but not the role code.

  4. Click Next.

Manage Functional Security Policies

On the Edit Role: Functional Security Policies page, any function security privileges granted to the copied role appear on the Privileges tab. Select a privilege to view details of the code resources that it secures.

To remove a privilege from the role, select the privilege and click the Delete icon. To add a privilege to the role:

  1. Click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to grant all function security privileges from the selected role to your custom role. If you select a single privilege, then click Add Privilege to Role.

    Tip: If the role has no function security privileges, then you see an error message. You can add the role to the role hierarchy on the Edit Role: Role Hierarchy page, if appropriate.
  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Functional Security Policies dialog box.

  7. Click Next.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.

The Resources tab, which is read-only, lists any resources granted to the role directly rather than through function security privileges. As you can't grant resources directly to roles on the Security Console, only resource grants created before Release 12 could appear on this tab. You can't edit these values.

Manage Data Security Policies

Make no changes on the Edit Role: Data Security Policies page.

Add and Remove Inherited Roles

The Edit Role: Role Hierarchy page shows the copied duty role and any duty roles and aggregate privileges that it inherits. The hierarchy is in tabular format by default. You can add or remove roles.

To remove a role:

  1. Select the role in the table.

  2. Click the Delete icon.

  3. Click OK to close the information message.

To add a role:

  1. Click Add Role.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. Close the Add Role Membership dialog box.

    The Edit Role: Role Hierarchy page shows the updated role hierarchy.

  7. Click Next.

Review the Role

On the Edit Role: Summary and Impact Report page, review the summary of changes. Click Back to make corrections. Otherwise:

  1. Click Save and Close to save the role.

  2. Click OK to close the confirmation message.

The role is available immediately.

Role Optimization

Role Optimizer

Role optimization is the process used to analyze the existing role hierarchy for redundancies or other inefficiencies. Role optimization enables you to create a role hierarchy that minimizes the number of roles necessary to authorize every job role to its currently authorized privileges. The role optimizer feature automates the analysis process and generates a report you can use to optimize your job hierarchies.

Reasons to Optimize

Changes to the predefined role hierarchies can put the privacy of your application data at risk. You can unintentionally make your data less secure if you:

  • Create duty roles with small groups of privileges in an attempt to minimize:

    • Dependencies

    • The impact of making incremental changes

  • Grant privileges that already exist in the role hierarchy

The following figure shows how roles can proliferate or acquire duplicate privileges over time, making your role hierarchy less efficient.

The figure shows a role hierarchy with three jobs. Each job is associated with one or more duty roles. For example, job 1 is associated with duty roles 1.1 and 1.2. These duty roles proliferate to privileges P1 to P6. The figure also shows how privileges overlap; for example, both duty roles 1.1 and 1.2 require access to privilege P2.

Benefits of Optimization

By using the role optimizer, you can:

  • Increase user productivity.

    You save time that you can spend on other tasks.

  • Reduce administrative costs.

    You reduce the number of security objects that you must administer and the amount of time you spend maintaining them.

  • Decrease access risk associated with undocumented role hierarchy changes.

    You identify and can eliminate redundant and inappropriate grants of privilege.

The following figure shows how the role optimizer can suggest more efficient role hierarchies.

The figure illustrates an optimized role hierarchy with privilege clusters that you can map to duty roles.
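As an added example that is not Oracle's code, the following Python models the analysis the two figures describe: it flattens a constructed job/duty/privilege hierarchy, flags privileges that reach a job through more than one duty role, and groups privileges into clusters that can each become a duty role while every job keeps exactly its current access. The job, duty and privilege names are constructed placeholders, not values from any report.

```python
from collections import defaultdict

# Constructed sample (added example, not Oracle's code), modelled on the figure:
# duty roles copied or split over time, so privileges reach a job by several paths.
DUTY_PRIVS = {
    "Duty 1.1": {"P1", "P2"}, "Duty 1.2": {"P2", "P3"},
    "Duty 2.1": {"P1", "P2"}, "Duty 2.2": {"P3"},
    "Duty 3.1": {"P4", "P5", "P6"}, "Duty 3.2": {"P5", "P6"},
}
JOB_DUTIES = {
    "Job 1": {"Duty 1.1", "Duty 1.2"},
    "Job 2": {"Duty 2.1", "Duty 2.2"},
    "Job 3": {"Duty 3.1", "Duty 3.2"},
}

def effective_privileges(job):
    """Every privilege the job holds through its duty roles."""
    return set().union(*(DUTY_PRIVS[d] for d in JOB_DUTIES[job]))

def redundant_grants():
    """Per job, privileges granted through more than one duty role."""
    result = {}
    for job, duties in JOB_DUTIES.items():
        paths = defaultdict(list)
        for duty in sorted(duties):
            for priv in DUTY_PRIVS[duty]:
                paths[priv].append(duty)
        dupes = {p: ds for p, ds in paths.items() if len(ds) > 1}
        if dupes:
            result[job] = dupes
    return result

def privilege_clusters():
    """Group privileges by the exact set of jobs that need them; each cluster is a candidate duty role."""
    jobs_of = defaultdict(set)
    for job in JOB_DUTIES:
        for priv in effective_privileges(job):
            jobs_of[priv].add(job)
    clusters = defaultdict(set)
    for priv, jobs in jobs_of.items():
        clusters[tuple(sorted(jobs))].add(priv)
    return {jobs: sorted(privs) for jobs, privs in clusters.items()}

def clusters_preserve_access(clusters):
    """Rebuilding each job from its clusters must grant exactly its current access."""
    for job in JOB_DUTIES:
        rebuilt = {p for jobs, privs in clusters.items() if job in jobs for p in privs}
        if rebuilt != effective_privileges(job):
            return False
    return True
```

With this sample, six duty roles collapse to two clusters and no job gains or loses a privilege, which is the property the report's optimized hierarchy is meant to have.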

Role Optimizer Access

The role optimizer feature is available as a predefined report. Schedule and submit the Role Optimization Report on the Overview page of the Scheduled Processes work area. The process:

  1. Analyzes your existing job role hierarchies.

  2. Generates the optimized job role hierarchy and stores the data for each job role in a separate CSV file.

  3. Archives and attaches the CSV files as the process output.

  4. Generates a log and archives it as a ZIP file. The log file includes technical details of the analysis for troubleshooting.

Note: The role optimization process makes no changes to your security structures. You use the report to map privileges to roles and update the role hierarchies.

Role Optimization Report

Use the Role Optimization Report to create the most efficient role hierarchy for your organization. Use the report results to evaluate and, if necessary, update your role hierarchy. The report results enable you to create a role hierarchy with the minimum number of roles necessary to authorize every job role to every privilege it’s currently authorized to.

Users with the IT Security Manager role can run the Role Optimization Report, which is available from the Security Console.

You should run this report if you:

  • Make changes to the predefined role hierarchy.

  • Implement your own role hierarchy instead of the predefined role hierarchy.

Note: The process makes no changes to your role hierarchies.

The predefined role hierarchy in the security reference implementation is optimized as delivered.

Report Files

Monitor the process status on the Overview page. When the status value is Succeeded, two files appear in the Log and Output section of the report details.

The following table describes the two files that appear when you run the Role Optimization report.

File Name: ClusterAnalysis-Job-CSVs.zip
Description: Contains one CSV file for every job role. Each CSV file contains the duty roles and privileges that make up the optimized job role hierarchy. The name of a CSV file identifies the job role hierarchy data that the file contains. For example, the ClustersforJob-AR_REVENUE_MANAGER_JOB_14240.csv file contains all of the role hierarchy data for the Accounts Receivables Revenue Manager job role.

File Name: Diagnostics.zip
Description: Contains a log file that provides technical details about the analysis process. You can use this file for troubleshooting purposes.

Import the raw data from the CSV file into your preferred application to read the results. Report data appears in these two sections:

  • Privilege Clusters

  • Cluster Details

Role Optimization Report Results

Privilege Clusters

The Privilege Clusters section lists each privilege and the name of a recommended privilege cluster. Specific cluster recommendations are described in the Cluster Details section.

Cluster Details

A Cluster Details section appears for each privilege cluster referenced in the Privilege Clusters section. Each detail section includes:

  • Cluster name.

  • Names of recommended candidate roles that map to the privilege cluster.

  • Names and descriptions of the jobs and privileges associated with the cluster.

The following table provides descriptions of the fields that appear in the Cluster Details section.

Field Name: Cluster Name
Description: The name of the optimized cluster, usually in this format: Cluster ###

Field Name: Primary, Secondary, Tertiary Candidate Role
Description: Recommended role mappings for the privileges in the cluster. Up to three recommended duty roles map to the listed privileges. Select a role. Then assign the privileges in the cluster to that role.

Field Name: Jobs in Cluster
Description: The number of job roles that inherit the privilege cluster. A list of job names and descriptions is also included.

Field Name: Privileges in Cluster
Description: The number of privileges that make up the cluster. A list of privilege names and descriptions is also included.

FAQs for Configuring Roles Using the Security Console

Why didn't the role optimization process update my roles?

The role optimization process doesn't change any security structures. It analyzes your role hierarchy and provides data in a report you can use to optimize the role hierarchy.