12 Reviewing Roles and Role Assignments

Review Role Assignments

You can use the Security Console to:

  • View the roles assigned to a user.

  • Identify users who have a specific role.

You must have the IT Security Manager job role to perform these tasks.

View the Roles Assigned to a User

Follow these steps:

  1. Open the Security Console.

  2. On the Roles tab, search for and select the user.

    Depending on the enterprise setting, either a table or a graphical representation of the user's role hierarchy appears. Switch to the graphical representation if necessary to see the user and any roles that the user inherits directly. User and role names appear on hover. To expand an inherited role:

    1. Select the role and right-click.

    2. Select Expand. Repeat these steps as required to move down the hierarchy.

Tip: Switch to the table to see the complete role hierarchy at once. You can export the details to Microsoft Excel from this view.

Identify Users Who Have a Specific Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for and select the role.

  2. Depending on the enterprise setting, either a table or a graphical representation of the role hierarchy appears. Switch to the graphical representation if it doesn't appear by default.

  3. Set Expand Toward to Users.

    Tip: Set the Expand Toward option to control the direction of the graph. You can move either up the hierarchy from the selected role (toward users) or down the hierarchy from the selected role (toward privileges).

    In the refreshed graph, user names appear on hover. Users may inherit roles either directly or indirectly from other roles. Expand a role to view its hierarchy.

  4. In the Legend, click the Tabular View icon for the User icon. The table lists all users who have the role. You can export this information to Microsoft Excel.

Review Role Hierarchies

On the Security Console you can review the role hierarchy of a job role, an abstract role, a duty role, or an HCM data role. You must have the IT Security Manager job role to perform this task.

Note: Although you can review HCM data roles on the Security Console, you must manage them on the Manage HCM Data Role and Security Profiles page. Don't attempt to edit them on the Security Console.

Follow these steps:

  1. On the Roles tab of the Security Console, ensure that Expand Toward is set to Privileges.

  2. Search for and select the role. Depending on the enterprise setting, either a table or a graphical representation of the role appears.

  3. If the table doesn't appear by default, click the View as Table icon. The table lists every role inherited either directly or indirectly by the selected role. Set Show to Privileges to switch from roles to privileges.

    Tip: Enter text in a column search field and press Enter to show only those roles or privileges that contain the specified text.

Click Export to Excel to export the current table data to Microsoft Excel.
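The two directions of Expand Toward described in "Identify Users Who Have a Specific Role" and "Review Role Hierarchies" can be reproduced offline when reviewing access. The following is an added example, not Oracle code: the edge list, the `user:`/`role:`/`priv:` name prefixes, and all sample names are constructed assumptions, not the format of the Excel export.

```python
from collections import deque

# Constructed sample: (member, granted) edges. The user or role on the left is
# granted the role or privilege on the right. All names are made up.
EDGES = [
    ("user:alice", "role:AP_MANAGER_CUSTOM"),
    ("user:bob", "role:AP_SPECIALIST"),
    ("role:AP_MANAGER_CUSTOM", "role:AP_SPECIALIST"),
    ("role:AP_SPECIALIST", "role:INVOICE_ENTRY_DUTY"),
    ("role:INVOICE_ENTRY_DUTY", "priv:CREATE_INVOICE"),
    # Constructed cycle, only to show the walk terminates on bad data.
    ("role:INVOICE_ENTRY_DUTY", "role:AP_SPECIALIST"),
]

def expand(start, edges, toward):
    """Walk the hierarchy from `start` toward "users" (up) or "privileges" (down).

    Returns {node: "direct" | "indirect"} for every node reached.
    """
    if toward not in ("users", "privileges"):
        raise ValueError(toward)
    adj = {}
    for member, granted in edges:
        src, dst = (granted, member) if toward == "users" else (member, granted)
        adj.setdefault(src, []).append(dst)
    # Breadth-first, so a node reachable both ways is recorded as "direct".
    found, queue = {}, deque((n, "direct") for n in adj.get(start, []))
    while queue:
        node, how = queue.popleft()
        if node == start or node in found:
            continue  # already seen; this also breaks cycles
        found[node] = how
        queue.extend((n, "indirect") for n in adj.get(node, []))
    return found

def users_with_role(role, edges):
    """Users who hold `role`, marked as direct or inherited through another role."""
    reached = expand(role, edges, "users")
    return {n: how for n, how in reached.items() if n.startswith("user:")}

def privileges_of(role, edges):
    """Every privilege `role` inherits, directly or through other roles."""
    return sorted(n for n in expand(role, edges, "privileges") if n.startswith("priv:"))
```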

Compare Roles

You can compare any two roles to see the structural differences between them. As you compare roles, you can also add function and data security policies existing in the first role to the second role, providing that the second role isn't a predefined role.

For example, assume you have copied a role and edited the copy. You then upgrade to a new release. You can compare your edited role from the earlier release with the role as shipped in the later release. You may then decide whether to incorporate upgrade changes into your edited role. If the changes consist of new function or data security policies, you can upgrade your edited role by adding the new policies to it.

Selecting Roles for Comparison

  1. Select the Roles tab in the Security Console.

  2. Do any of the following:

    • Click the Compare Roles button.

    • Create a visualization graph, right-click one of its roles, and select the Compare Roles option.

    • Generate a list of roles in the Search Results column of the Roles page. Select one of them, and click its menu icon. In the menu, select Compare Roles.

  3. Select roles for comparison:

    • If you began by clicking the Compare Roles button, select roles in both First Role and Second Role fields.

    • If you began by selecting a role in a visualization graph or the Search Results column, the First Role field displays the name of the role you selected. Select another role in the Second Role field.

    For either field, click the search icon, enter text, and select from a list of roles whose names contain that text.

Comparing Roles

  1. Select two roles for comparison.

  2. Use the Filter Criteria field to filter for any combination of these artifacts in the two roles:

    • Function security policies

    • Data security policies

    • Inherited roles

  3. Use the Show field to determine whether the comparison returns:

    • All artifacts existing in each role

    • Those that exist only in one role, or only in the other role

    • Those that exist in both roles

  4. Click the Compare button.

You can export the results of a comparison to a spreadsheet. Select the Export to Excel option.

After you create the initial comparison, you can change the filter and show options. When you do, a new comparison is generated automatically.

Adding Policies to a Role

  1. Select two roles for comparison.

    • As the First Role, select a role in which policies already exist.

    • As the Second Role, select the role to which you're adding the policies. This must be a custom role. You can't modify a predefined role.

  2. Ensure that your selection in the Filter Criteria field excludes the Inherited roles option. You may select Data security policies, Function security policies, or both.

  3. As a Show value, select Only in first role.

  4. Click the Compare button.

  5. Among the artifacts returned by the comparison, select those you want to copy.

  6. An Add to Second Role option becomes active. Select it.

User and Role Access Audit Report

The User and Role Access Audit Report provides details of the function and data security privileges granted to specified users or roles. This information is equivalent to the information that you can see for a user or role on the Security Console. This report is based on data in the Applications Security tables, which you populate by running the Import User and Role Application Security Data process.

To run the User and Role Access Audit Report:

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. Search for and select the User and Role Access Audit Report process.

  3. In the Process Details dialog box, set parameters and click Submit.

  4. Click OK to close the confirmation message.

User and Role Access Audit Report Parameters

Population Type

Set this parameter to one of these values to run the report for one user, one role, multiple users, or all roles.

  • All roles

  • Multiple users

  • Role name

  • User name

User Name

Search for and select the user name of a single user.

This field is enabled only when Population Type is User name.

Role Name

Search for and select the name of a single aggregate privilege or data, job, abstract, or duty role.

This field is enabled only when Population Type is Role name.

From User Name Starting With

Enter one or more characters from the start of the first user name in a range of user names.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users.

To User Name Starting With

Enter one or more characters from the start of the last user name in a range of user names.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users.

User Role Name Starts With

Enter one or more characters from the start of a role name.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users and roles.

Data Security Policies

Select Data Security Policies to view the data security report for any population. If you leave the option deselected, then only the function security report is generated.

Note: If you don't need the data security report, then leave the option deselected to reduce the report processing time.

Debug

Select Debug to include the role GUID in the report. The role GUID is used to troubleshoot. Select this option only when requested to do so by Oracle Support.

Viewing the Report Results

The report produces either one or two .zip files, depending on the parameters you select. When you select Data Security Policies, two .zip files are generated, one for data security policies and one for functional security policies in a hierarchical format.

The file names are in the following format: [FILE_PREFIX]_[PROCESS_ID]_[DATE]_[TIME]_[FILE_SUFFIX]. The file prefix depends on the specified Population Type value.

This table shows the file prefix values for each report type.

| Report Type | File Prefix |
|---|---|
| User name | USER_NAME |
| Role name | ROLE_NAME |
| Multiple users | MULTIPLE_USERS |
| All roles | ALL_ROLES |

This table shows the file suffix, file format, and file contents for each report type.

| Report Type | File Suffix | File Format | File Contents |
|---|---|---|---|
| Any | DataSec | CSV | Data security policies. The .zip file contains one file for all users or roles. The data security policies file is generated only when Data Security Policies is selected. Note: Extract the data security policies only when necessary, as generating this report is time consuming. |
| Any | Hierarchical | CSV | Functional security policies in a hierarchical format. The .zip file contains one file for each user or role. |
| Multiple users, All roles | CSV | CSV | Functional security policies in a comma-separated, tabular format. |

The process also produces a .zip file containing a diagnostic log.

For example, if you report on a job role at 13.30 on 17 December 2015 with process ID 201547 and the Data Security Policies option selected, then the report files are:

  • ROLE_NAME_201547_12-17-2015_13-30-00_DataSec.zip

  • ROLE_NAME_201547_12-17-2015_13-30-00_Hierarchical.zip

  • Diagnostic.zip