Configure Global Users

You can select the attributes that define global users. You can then either run the synchronization job that generates global users or schedule the job to run regularly.

Having run the job, you can review the users it creates to evaluate whether you selected the best combination of attributes for deriving global users.

To complete any of these tasks, use either of two paths to navigate to the Global User Configuration page:

  • Select the Global User Configuration tab in the Setup and Administration work area.

  • In the Advanced Controls work area, select the Models tab. In the Actions menu on the Models page, select Global User Configuration.

Select Attributes

Select one or more identifying attributes that define users uniquely in your environment. The Email attribute is selected by default. If you want to use that attribute and no other, you don't need to select attributes. (You do, however, need to run or schedule the synchronization job.)

If you use two or more attributes, they have an AND relationship. Two records are related only if values for all identifying attributes match. If the values for any attribute don't match, the records constitute distinct global users.

In addition to Email, attributes include First Name, Last Name, and User Name. Select identifying attributes whose values are most likely to be distinguishing and least likely to change over time in your environment.

To select attributes:

  1. In the Identifying Attributes panel, select the attributes you want in the Available field. To select one, click it. To select a continuous set, click the first one, hold down the Shift key, and click the last one. To select a discontinuous set, hold down the Ctrl key as you click attributes.

  2. Click the Move Selected Items button to move the attributes to the Selected field.

  3. As needed, remove attributes: select them in the Selected field and click the Remove Selected Items button to move them to the Available field.

  4. When you're satisfied with your selections, click Save.

Modify Attributes

At any time, you can modify the selection of identifying attributes that define your global users. You may move attributes from the Selected field to the Available field, move new attributes from the Available field to the Selected field, or both.

Doing so, however, has a significant effect: When you save the new configuration, all existing global users are purged. So are access model results and control incidents. So are results and incidents for transaction models and controls that incorporate the User business object. New global users are created according to your new configuration when you run global-user synchronization. You'd subsequently need to rerun models and controls to replace model results and control incidents.

Run or Schedule the Synchronization Job

Once you've saved a set of identifying attributes, or as you add, modify, or inactivate users in your business applications, run a synchronization job. Expand the Actions menu, then select either of these options:

  • Run, to run a global-user synchronization once, immediately. A message displays a number; make a note of it.

    Check the status of the job in the Monitor Jobs page: Select the Monitor Jobs tab in the Setup and Administration work area. Review information in the row for the job whose number you noted.

  • Schedule, to create a schedule on which global-user synchronization jobs run automatically. Enter values that set the name of the schedule, its start date and time, how regularly synchronization should occur, and an end date (if any). Then click the Schedule button.

You can also schedule the job, or run it on demand, from the Scheduling page: Select the Scheduling tab in the Setup and Administration work area.

Note: A job called Advanced Access Request Analysis supports Advanced Access Requests, a self-service workflow for requesting and assigning ERP roles. If you use that feature, schedule the Global Synchronization job to run before the Advanced Access Request Analysis job. This ensures that new users are correctly accounted for in access requests.

Review Global Users and Related Users

A Global Users grid displays records of the global and related users generated by the identifying attributes you've selected. Review these to determine whether your attributes identify each person uniquely.

Suppose, for example, you were to select Email as the only identifying attribute. As you review records in the grid, you may discover two global users, both displaying a single email address but each with its own user name. If your company expects unique email addresses, this person may have arranged for a second, "ghost" account to be created for himself. This may indicate suspect activity that requires investigation.
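The following added example (not part of the product or its documentation) models the AND rule for identifying attributes and the review check described above, so you can try attribute combinations against an export of account records before saving a configuration. The record field names, the sample data, and the case-insensitive comparison are assumptions.

```python
from collections import defaultdict

# Constructed sample records; field names and data-source names are hypothetical.
RECORDS = [
    {"source": "ERP-A", "email": "ana.ruiz@example.com", "user_name": "ARUIZ"},
    {"source": "ERP-B", "email": "Ana.Ruiz@example.com", "user_name": "ARUIZ"},
    {"source": "ERP-A", "email": "ben.cole@example.com", "user_name": "BCOLE"},
    {"source": "ERP-A", "email": "ben.cole@example.com", "user_name": "BCOLE2"},
    {"source": "ERP-B", "email": "cy.dunn@example.com", "user_name": "CDUNN"},
]


def _norm(value):
    # Assumption: values are compared ignoring case and surrounding whitespace.
    return value.strip().lower()


def derive_global_users(records, attributes):
    """Group records that match on ALL identifying attributes (AND relationship)."""
    groups = defaultdict(list)
    for rec in records:
        key = tuple(_norm(rec[attr]) for attr in attributes)
        groups[key].append(rec)
    return dict(groups)


def source_count(related):
    """Distinct data sources among related records (models the Count column)."""
    return len({rec["source"] for rec in related})


def shared_emails(records):
    """E-mail addresses that appear under more than one user name."""
    names = defaultdict(set)
    for rec in records:
        names[_norm(rec["email"])].add(_norm(rec["user_name"]))
    return {email: sorted(n) for email, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    for attrs in (["email"], ["email", "user_name"]):
        users = derive_global_users(RECORDS, attrs)
        print(attrs, "->", len(users), "global users")
        for key, related in users.items():
            print("   ", key, "count =", source_count(related))
    print("review candidates:", shared_emails(RECORDS))
```

Adding User Name as a second identifying attribute splits the two ben.cole records into distinct global users, while the e-mail check still lists that address for review under either configuration.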

As you work with the grid, you can:

  • Use View options to select or reorder the columns on display, or sort their contents.

  • Use query-by-example fields at the heads of the columns to filter records.

  • In a Count column, view the number of data sources in which each user has business-application accounts. You can select a Show users with count value greater than one check box to filter the list so that it shows only users active in multiple data sources.

  • In a Data Source column, view the name of the data source in which each user has business-application accounts. If the Count value is greater than one, the Data Source value is Multiple.

  • When a Count value is greater than one, click it to open a Related Global Users page. It displays the global-user record and related-user records for the person whose Count value has been selected, and it identifies the data source for each record.