Defining Roles

Context

You use Define Roles to create and maintain attributes for role types. The role types are categorized as either technical roles or business roles.

Technical roles are roles that physically exist on the back-end system. You assign a technical role to a user to grant them authorization and access to the back-end system that contains the role. For example, you want to grant HR authorizations to a user for system Sys_1. You would create a technical role HR_USER_SYS_1 with the authorizations and assign the technical role to the user in the back end.

Business roles are logical roles that exist only in Access Control; they do not exist in the back-end systems. A business role lets you grant a user the authorizations of multiple roles, which may come from multiple systems, rather than manually assigning separate roles for each system.

Procedure

  1. Choose Create, and then select a role type to create.

    The New Role screen appears. The application displays different tabs, based on the role you are creating.

  2. On the Details tab, enter information for:
    • Application type

    • Landscape

    • Business process

    • Subprocess

    • Project release

    • Role name

  3. On the Properties tab, do the following:
    1. In the Certification Period in Days field, enter the number of days for reviewing and approving the role.
    2. Under the Properties area, enter information for Critical Level, Sensitivity, and Identifier as needed.
    3. Under the Role Reaffirm area, in the Reaffirm Period in Days field, enter the number of days after which the role must be reaffirmed. For example, you can specify that after 180 days, the role owner, or approver, must review the role and reaffirm that it is valid.
    4. Under the User Provisioning area, select the following:
      • Comments Mandatory, to require the approver or owner to enter a comment when approving or rejecting the role.

      • Enable for Firefighting, to make the role available as a firefighting role.

  4. On the Functional Area tab, select the required functional areas.

    Maintain the list of functional areas in the Customizing activity Maintain Functional Areas under Governance, Risk, and Compliance > Access Control > Role Management.

  5. On the Company tab, select the required companies.

    Maintain the companies in the Customizing activity Define Companies under Governance, Risk, and Compliance > Access Control > Role Management.

  6. On the Custom Fields tab, maintain custom fields that you have defined.

    Maintain the list of companies in the Customizing activity Define Companies under Governance, Risk, and Compliance > General Settings > User-Defined Fields.

  7. On the Owners/Approvers tab, do the following:
    1. Choose Edit to enable the buttons.
    2. Choose Add, and then select a role to be the owner or approver.
    3. Select the checkboxes to specify the role as Assignment Approver, Role Owner, or both.
    4. In the Alternate column, select a user to serve as a backup if the owner or approver is not able to perform their duties.
    5. Choose Default Approvers to use the default approvers, rather than specifying owners or approvers.
  8. On the Roles tab, select the roles to associate with this role. This is available only for composite roles and business roles.
  9. On the Prerequisite tab, add any prerequisites that are required for the user to be assigned this role.
    1. Select the Verify on Request checkbox to require the application to verify that the user has completed the prerequisites before allowing the role assignment.
    2. Select the Active checkbox to enable the prerequisite.

    Maintain the prerequisites in the Customizing activities Define Prerequisite Types and Define Role Prerequisites under Governance, Risk, and Compliance > Access Control > Role Management.

  10. On the Role Mapping tab, you can assign roles as child roles. This allows anyone who is assigned this role to be assigned the authorizations and access for the child roles also.

    Select the Consider Parent Role Approver checkbox to use only the approvers associated with the parent roles and ignore any approvers associated with the child roles.