Security : Creating Roles

Creating Roles on the Security Console

Ways to Create Job and Abstract Roles:

  • Copy an Existing Role

The recommended method for creating roles is to use the Security Console to copy a predefined role and then modify the copy.

  • Create a Role from Scratch

If a predefined role is not suitable or if you need a role with fewer privileges, you can create a new role from scratch using the Security Console.

Role Copying or Editing

Before You Copy a Role:

  • Review the role hierarchy, privileges, and structure of the predefined role.

This will help you identify the components you want to reference, copy, or remove when creating your custom role.

  • Remove any security profiles.

Before copying a job or abstract role, make sure to remove any security profiles directly assigned to the role. You can do this by using the Revoke Security Profiles option on the Data Roles and Security Profiles page. Failing to remove these security profiles may grant users access to more data than intended.

  • Look for Transaction Analysis Duty Roles.

Some roles inherit Transaction Analysis Duty roles, which are used in Oracle Transactional Business Intelligence report permissions. If you copy such a role, avoid copying the Transaction Analysis Duty roles. Instead, add the predefined Transaction Analysis Duty roles to your new custom role. If you copy them, you'll need to update permissions on the relevant reports to secure them using your new role copy.


To copy a role, go to the Security Console and search for and select the role that you want to copy. Then, open the actions list and select Copy Role.

When you select the Copy Role action, the Copy Options dialog box opens. Select one of its two options: Copy top role, or Copy top role and inherited roles.

  • Copy Top Role:

When you copy a top role, you only copy the selected role. The source role has links to other roles in its hierarchy, and the copy inherits links to the original versions of those roles. If you choose this option, any subsequent changes to the inherited roles will affect both the source top role and your copy.

This method is known as a shallow copy.

Note: A shallow copy is the recommended method for creating custom roles.

  • After copying, you can add or remove roles from the copied role without affecting the source role.
  • If you remove or edit any role inherited indirectly by the copy, those changes will affect any role that inherits the edited role.
  • With a shallow copy, you only need to maintain one role. However, if you need to customize any child roles, you’ll need to update and manage those relationships yourself. It’s recommended to create a shallow copy unless you need to make changes that could affect other roles or changes that can't be applied to predefined roles.

  • Copy Top Role and Inherited Roles:

When you copy a top role and its inherited roles, you copy not only the selected role but also all the roles in its hierarchy. The copied top role will be linked to the new copies of the subordinate roles. By selecting this option, you isolate the copied role from any changes made to the original versions of the inherited roles.

This option is referred to as a deep copy.

  • In a deep copy, inherited aggregate privileges are not copied, as they must always remain as delivered. Instead, role membership is added to each aggregate privilege for the copied role.
  • When inherited duty roles are copied, custom duty roles are created. This allows you to edit them without affecting other roles.
  • If copies of the duty roles with the same names already exist, role membership is added to the existing copies of those duty roles for the copied role.
  • A deep copy is used when you want to edit the inherited roles and ensure those changes do not affect other roles.
  • To create unique copies of inherited roles, you must enter unique values in the role copy prefix and suffix fields on the Security Console Administration tab.
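
The difference between the two copy options, modeled as an added Python sketch (not Oracle code and not from the original article; the role codes, privilege names and suffixes are constructed for illustration):

```python
# Toy in-memory model of role copying; this is not an Oracle API.
# All role codes and privilege names below are constructed sample data.
def sample_roles():
    return {
        "AR_SPECIALIST_JOB": {"kind": "job", "privs": set(),
                              "inherits": ["AR_RECEIPTS_DUTY", "AR_VIEW_AGG"]},
        "AR_RECEIPTS_DUTY": {"kind": "duty", "privs": {"CREATE_RECEIPT"},
                             "inherits": []},
        "AR_VIEW_AGG": {"kind": "aggregate", "privs": {"VIEW_RECEIPT"},
                        "inherits": []},
    }

def effective_privs(roles, code):
    """Own privileges plus everything reachable through the hierarchy."""
    privs = set(roles[code]["privs"])
    for child in roles[code]["inherits"]:
        privs |= effective_privs(roles, child)
    return privs

def shallow_copy(roles, code, suffix):
    """Copy top role: the copy links to the ORIGINAL inherited roles."""
    src = roles[code]
    roles[code + suffix] = {"kind": src["kind"], "privs": set(src["privs"]),
                            "inherits": list(src["inherits"])}
    return code + suffix

def deep_copy(roles, code, suffix):
    """Copy top role and inherited roles, following the rules in the text."""
    src = roles[code]
    if src["kind"] == "aggregate":
        return code            # aggregate privileges stay as delivered
    new = code + suffix
    if new not in roles:       # an existing copy with this name is reused
        roles[new] = {"kind": src["kind"], "privs": set(src["privs"]),
                      "inherits": [deep_copy(roles, c, suffix)
                                   for c in src["inherits"]]}
    return new

def demo():
    roles = sample_roles()
    shallow = shallow_copy(roles, "AR_SPECIALIST_JOB", "_SHALLOW")
    deep = deep_copy(roles, "AR_SPECIALIST_JOB", "_DEEP")
    # A later change widens the original inherited duty role.
    roles["AR_RECEIPTS_DUTY"]["privs"].add("DELETE_RECEIPT")
    return {code: sorted(effective_privs(roles, code))
            for code in ("AR_SPECIALIST_JOB", shallow, deep)}

if __name__ == "__main__":
    for code, privs in demo().items():
        print(code, privs)
```

In this model the shallow copy picks up DELETE_RECEIPT from the later edit to the inherited duty role, while the deep copy keeps the privilege set it had when it was copied.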

Next, an editing train opens. Essentially, you follow the same process in editing a role as you would follow to create one. However, note the following:

On the Copy Role: Basic Information page you see the following details:

  • Role name. By default, this is the name of the source role with the default suffix. You can edit this to ensure that the name is unique.
  • Role code. By default, this is the code of the source role with the default suffix. You can also edit this to ensure that it's unique.
  • Finally, you can enter the description in the description field.

Click Submit and Close to finish the copying.

Monitor the copy process on the Administration tab.

Important: Do not attempt to edit the role until after you have created the copy.

Editing Copied Roles

To edit the role, search for the role on the Security Console and select the Edit Role action.

In the Basic Information page, a Predefined role box is checked if you selected the Edit Role option for a role shipped by Oracle. In that case, you can:

  • Add custom data security policies. Modify or remove those custom data security policies.
  • Add or remove users if the role is a job, abstract, or discretionary role.

You can't:

  • Modify, add, or remove function security policies.
  • Modify or remove data security policies provided by Oracle.
  • Modify the role hierarchy.

The Predefined role check box is cleared if you're editing a custom role or if you have copied a role. In that case, you can make any changes to role components.

  • By default, the name and code of a copied role match the source role's, except a prefix, suffix, or both are appended. In the Roles Administration page, you can configure the default prefix and suffix for each value.
  • A copied role can't inherit users from a source job or abstract role. You must select users for the copied role. (They may include users who belong to the source role.)
  • When you copy a role, the Role Hierarchy page displays all roles subordinate to it. However, you can add roles only to, or remove them from, the highest role you copied.

To monitor the status of a role-copy job, select the Administration tab, and then the Role Status tab of the Administration page.


Create a Role from Scratch.

To create a role from scratch, select the Roles tab in the Security Console, then click the Create Role button. Enter values in a series of role-creation pages, selecting Next or Back to navigate among them.

On a Basic Information page:

  1. In the Role Name field, create a display name, for example North America Accounts Receivable Specialist.
  2. In the Role Code field, create an internal name for the role, such as AR_NA_ACCOUNTS_RECEIVABLE_SPECIALIST_JOB. Note: Do not use "ORA_" as the beginning of a role code. This prefix is reserved for roles predefined by Oracle. You can't edit a role with the ORA_ prefix.
  3. In the Role Category field, select a tag that identifies a purpose the role serves in common with other roles. Typically, a tag specifies a role type and an application to which the role applies, such as Financials - Job Roles.

If you select a duty-role category, you can't assign the role you're creating directly to users. To assign it, you would include it in the hierarchy of a job or abstract role, then assign that role to users.

Note: You can't change the role category for existing roles.

  4. Optionally, describe the role in the Description field.

A Function Security policy selects a set of functional privileges, each of which permits use of a field or other user-interface feature. On a Function Security Policies page, you may define a policy for:

  • A duty role. In this case, the policy selects functional privileges that may be inherited by duty, job, or abstract roles to which the duty is to belong.
  • A job or abstract role. In this case, the policy selects functional privileges specific to that role.

As you define a policy, you can either add an individual privilege or copy all the privileges that belong to an existing role:

Select Add Function Security Policy.

Search with Privilege and click on Add Privilege to Role

  • In the Search field, select the value Privileges or types of role in any combination and enter at least three characters. The search returns values including items of the type you selected, whose names contain the characters you entered.
  • Select a privilege or role. If you select a privilege, click Add Privilege to Role. If you select a role, click Add Selected Privileges.
  • Note: The search results display all roles, whether they contain privileges or not. If a role doesn't contain privileges, there's nothing to add here. To add roles that don't contain privileges, go to the Role Hierarchy page.

The Function Security Policies page lists all selected privileges. When appropriate, it also lists the role from which a privilege is inherited. You can:

  • Click a privilege to view details of the code resource it secures.
  • Delete a privilege. You may, for example, have added the privileges associated with a role. If you want to use only some of them, you must delete the rest. To delete a privilege, click its x icon.

A Data Security Policy may be explicit or implicit.

  • An explicit policy grants access to a particular set of data, such as that pertaining to a particular business unit. This type of policy isn't used in predefined roles in Oracle Fusion Cloud ERP.
  • An implicit policy applies a data privilege (such as read) to a set of data from a specified data resource. Create this type of policy for a duty, job, or abstract role. For each implicit policy, you must grant at least the read and view privileges.

You can use a Data Security Policies page to manage implicit policies.

To create a data security policy, click the Create Data Security Policy button.

Then enter values that define the policy. A start date is required; a name, an end date, and a description are optional.

Values that define the data access include:

  • Data Resource: A database table.
  • Data Set: A definition that selects a subset of the data made available by the data resource.

      o Select by key. Choose a primary key value, to limit the data set to a record in the data resource whose primary key matches the value you select.

      o Select by instance set. Choose a condition that defines a subset of the data in the data resource. Conditions vary by resource.

      o All values: Include all data from the data resource in your data set.

  • Actions: Select one or more data privileges to apply to the data set you have defined.

The Data Security Policies page lists all policies defined for the role. You can edit or delete a policy: click the Actions button, and select the Edit or Remove option.

A Role Hierarchy page displays either a visualization graph, with the role you're creating as its focus, or a visualization table. Select the Show Graph button or View as Table button to select between them. In either case, link the role you're creating to other roles from which it's to inherit function and data security privileges.

  • If you're creating a duty role, you can add duty roles or aggregate privileges to it. In effect, you're creating an expanded set of duties for incorporation into a job or abstract role.
  • If you're creating a job or abstract role, you can add aggregate privileges, duty roles, or other job or abstract roles to it.

To add a role:

  1. Select Add Role.

  2. In a Search field, select a combination of role types and enter at least three characters. The search returns values including items of the type you selected, whose names contain the characters you entered.

  3. Select the role you want, and click Add Role Membership. You add not only the role you have selected, but also its entire hierarchy.

In the graph view, you can use the visualization Control Panel, Legend, and Overview tools to manipulate the nodes that define your role hierarchy.

On a Users page, you can select users to whom you want to assign a job or abstract role you're creating. (You can't assign a duty role directly to users.)

To add a user:

  1. Select Add User.

  2. In a Search field, select the value Users or types of role in any combination and enter at least three characters. The search returns values including items of the type you selected, whose names contain the characters you entered.

  3. Select a user or role. If you select a user, click Add User to Role. If you select a role, click Add Selected Users; this adds all its assigned users to the role you're creating.

The Users page lists all selected users. You can delete a user. You may, for example, have added all the users associated with a role. If you want to assign your new role only to some of them, you must delete the rest. To delete a user, click its x icon.

On a Summary and Impact Report page, review the selections you have made. Summary listings show the numbers of function security policies, data security policies, roles, and users you have added and removed. An Impact listing shows the number of roles and users affected by your changes. Expand any of these listings to see names of policies, roles, or users included in its counts.

If you determine you must make changes, navigate back to the appropriate page and do so. If you're satisfied with the role, select Save and Close.


Daniel Damasceno

Oracle Cloud ERP Consultant

3 weeks ago

Sometimes it is necessary to complete the information using the Manage Data Roles and Security Profiles task.
