Introduction
Roles provide user access to data and functions. To provision a role to users, we define a relationship, called a role mapping, between the role and some conditions. All types of roles are provisioned using role mappings. In this article, we would try to understand role mappings for automatic and manual role provisioning.
For each role mapping to happen there are certain conditions, which needs to be met. The available attributes available are listed in table below:
|
Role Mapping Condition Attributes |
|
Legal Employer |
|
Business Unit |
|
Department |
|
Job |
|
Position |
|
Grade |
|
Location |
|
Assignment Type |
|
System Person Type |
|
User Person Type (Gets Enabled Only when System Person Type has a value) |
|
HR Assignment Status |
|
Assignment Status |
|
Resource Role |
|
Party Type Usage |
|
Manager with Reports |
|
Manager Type |
We can verify the same by logging into the application with a user having appropriate permissions and then follow the navigation:
Navigator -> Setup and Maintenance -> Manage HCM Role Provisioning Rules
Once we click on the name it would open the ‘Manage Role Mappings ’ page
Once you click on the (+) icon it would allow us to create a New Role Mapping and this page would display all the attributes, available for creating conditions for the Role Mapping.
Role Provisioning Option
There are three types of Role Provisioning Options available namely:
-
Requestable: * Qualifying users can provision the role to other users.
-
Self-Requestable: *Qualifying users can request the role for themselves
-
Autoprovision: *Qualifying users acquire the role automatically
*Users having at least one assignment that matches the role mapping condition are considered as Qualifying users.
Autoprovision is the default option selected whenever one creates a new role mapping. One should ensure to de-select the option if autoprovisioning is not desired.
The Delegation Allowed option indicates whether users who have the role or can provision it to others can also delegate it. We cannot change this value, which is part of the role definition. However, this is a search enabled field meaning one can search for the roles that allow delegation when we add roles to role mapping.
We are allowed to choose multiple roles in the associated roles section, the role-mapping conditions are applicable to all the roles listed here.
Role Types Available for Provisioning
We can provision both predefined and custom data roles to users. Also Abstract Roles and Job Roles are available for provisioning too.
Role Provisioning Methods
We can provision roles to users in two ways:
-
Automatically
-
Manually
-
Users such as line managers can provision roles manually to other users.
-
Users can request roles for themselves.
For both automatic and manual role provisioning, you create a role mapping to specify when a user becomes eligible for a role.
Automatic Provisioning of Roles to Users
Users acquire a role automatically when at least one of their assignments satisfies the conditions in the relevant role mapping. Provisioning occurs when you create or update worker assignments.
For example, when you promote a worker to a management position, the worker acquires the line manager role automatically if an appropriate role mapping exists. All changes to assignments cause review and update of a worker's automatically provisioned roles
Role provisioning occurs automatically if:
-
At least one of the user's assignments matches all role-mapping conditions.
-
Select ‘Autoprovision’ Option for the role in the role mapping.
For example, for the data role Data Processing Role, you could select the Autoprovision option and specify the following conditions.
|
Attribute Name |
Attribute Value |
|
Job |
Data Processing |
|
Assignment Status |
Active – Payroll Eligible |
Users with at least one assignment that matches these conditions acquire the role automatically when you create or update the assignment. The provisioning process also removes automatically provisioned roles from users who no longer satisfy the role-mapping conditions.
Manual Provisioning of Roles to Users
Users such as line managers can provision roles manually to other users if:
-
At least one of the assignments of the user who's provisioning the role (for example, the line manager) matches all role-mapping conditions.
-
You select the Requestable option for the role in the role mapping.
For example, for the data role Sales Manager, we could select the Requestable option and specify the following conditions.
|
Attribute Name |
Attribute Value |
|
Department |
Sales |
|
Manager with Reports |
Yes |
|
Assignment Status |
Active – Payroll Eligible |
Any user with at least one assignment that matches both conditions can provision the role Training Team Leader manually to other users.
Users keep manually provisioned roles until either all of their work relationships are terminated or you de-provision the roles manually.
Scheduled Processes associated with Autoprovisioning
While the name autoprovisioning suggests that roles would be automatically allocated to users in reality it required some scheduled process which makes a request to Oracle Identity Management which processes the request on effective dates.
We have an option to run the Autoprovision for a single user or for multiple users at the same time.
Autoprovision Roles for All Users
The Autoprovision Roles for All Users process compares all current user assignments with all current role mappings.
-
Users with at least one assignment that matches the conditions in a role mapping and who don't currently have the associated roles acquire those roles.
-
Users who currently have the roles but no longer satisfy the associated role-mapping conditions lose those roles.
When a user has no roles, his or her user account is also suspended automatically by default.
The process creates requests immediately to add or remove roles. When running the process, you can specify whether role requests are to be processed immediately or deferred as a batch to the next run of the Send Pending LDAP Requests process, which is usually scheduled to run daily. Deferring the processing is better for performance, especially when thousands of role requests may be generated. Set the Process Generated Role Requests parameter to No to defer the processing. If you process the requests immediately, then Autoprovision Roles for All Users produces a report identifying the LDAP request ranges that were generated.
One should always run Autoprovision Roles for All Users after creating or editing role mappings and after loading person records in bulk. Avoid running the process more than once in any day. Otherwise, the number of role requests that the process generates may slow the provisioning process.
Only one instance of Autoprovision Roles for All Users can run at a time
Autoprovisioning for Individual Users
Sometimes there might be a need to run Autoprovision roles for a single user ( newly created user, assignment changes which made the user eligible for a certain roles .. etc) and on those situations we might run the process for an individual user.
One would need to navigate to ‘Manage User Account ’ page and select ‘Autoprovision Roles ’ under Action
Role Provisioning Status Values
By now we have understood Role provisioning is a process where a request is made by the application to Oracle Identity Management which processes the same and allocates/de-allocates roles based on eligibility. However, it is not always that the process is successful and the request’s progress is denoted by status value. T he request status values appears on the Manage User Account, New Person Roles, Create User, and Edit User pages. The various status value for role provisioning requests are:
|
Status |
Meaning |
|
Complete |
The request completed successfully. The user has the role. |
|
Failed |
The request failed, and the role wasn't provisioned to the user. The associated error message provides more information. |
|
Partially Complete |
The request is in progress |
|
Pending |
Oracle Identity Management received the request but processing hasn't yet started. |
|
Rejected |
The request was rejected, and the role wasn't provisioned to the user. An associated error message may provide more information |
|
Requested |
The request was made but Oracle Identity Management hasn't yet acknowledged it. |
Editing/Modifying Role Mappings
We can make changes to the existing role mappings on the Edit Role Mappings page. Any change in start/end-date, role mapping conditions or the associated roles may effect the current role provisioning.
The below table explains when the changes gets effected as well as the impact such changes have once the Role Mappings have been modified.
|
Role Types |
Impact of Changing the Role Mappings |
|
Autoprovisioned Roles |
Changes Take Effect when:
|
|
Requestable Roles |
Immediately. If we remove a requestable role from the role mapping or change the role-mapping conditions, then:
|
|
Self-Requestable Roles |
Immediately. If we remove a self-requestable role from the role mapping or change the role-mapping conditions, then:
|
Role Deprovisioning
So long we have only discussed about Role Provisioning, Role Mappings, Various type of role provisioning options along with the impact which happens when we change the Role Mappings but this article would not be complete until we discuss about Role Deprovisioning a little bit.
Users lose automatically provisioned roles when they no longer satisfy the role-mapping conditions. For example, a line manager loses an automatically provisioned line manager role when he or she stops being a line manager. You can also manually deprovision automatically provisioned roles at any time.
Users lose manually provisioned roles automatically only when all of their work relationships are terminated. Otherwise, users keep manually provisioned roles until you deprovision them manually.
When you terminate a work relationship, the user automatically loses all automatically provisioned roles for which he or she no longer qualifies. The user loses manually provisioned roles only if he or she has no other work relationships. Otherwise, the user keeps manually provisioned roles until you remove them manually.
The user who's terminating a work relationship specifies when the user loses roles. Deprovisioning can occur:
-
On the termination date
-
On the day after the termination date
If you enter a future termination date, then role deprovisioning doesn't occur until that date or the day after. The Role Requests in the Last 30 Days section on the Manage User Account page is updated only when the deprovisioning request is created. Entries remain in that section until they're processed.
Role mappings can provision roles to users automatically at termination. For example, a terminated worker could acquire the custom role Retiree at termination based on assignment status and person type values.
Reversing a termination removes any roles that the user acquired automatically at termination. It also provisions roles to the user as follows:
-
Any manually provisioned roles that were lost automatically at termination are reinstated.
-
As the autoprovisioning process runs automatically when a termination is reversed, roles are provisioned automatically as specified by current role-provisioning rules.
You must reinstate manually any roles that you removed manually, if appropriate.
Automatic role provisioning and deprovisioning are based on current data. For a future-dated transaction, such as a future promotion, role provisioning occurs on the day the changes take effect. The Send Pending LDAP Requests process identifies future-dated transactions and manages role provisioning and deprovisioning at the appropriate time.
These role-provisioning changes take effect on the system date. Therefore, a delay of up to 24 hours may occur before users in other time zones acquire their roles.
Apps2Fusion Articles 
Comments
keep up the good work!
my web site Shaunte: http://Charissabussey7.Wikidot.com/blog:19
It is pretty worth enough for me. In my opinion, if all
site owners and bloggers made good content as you did, the net will be a lot more useful than ever before.|
I could not resist commenting.
Well written!|
I'll immediately take hold of your rss feed as I can not find your e-mail subscription hyperlink
or newsletter service. Do you've any? Please allow me realize so that I could subscribe.
Thanks. |
It is the best time to make some plans for the future and it's time to be
happy. I have read this post and if I could I desire to suggest you
some interesting things or suggestions. Maybe you could write next articles referring to this article.
also pay a visit this web site on regular basis to take updated from hottest
news.
thanks.
RSS feed for comments to this post