Show TOC

Procedure documentationDefining Roles Locate this document in the navigation structure

 

You use Define Roles to create and maintain attributes for various role types. The role types are categorized as either technical roles or business roles.

Technical roles are roles that physically exist on the back-end system. You assign a technical role to a user to grant them authorization and access to the back-end system that contains the role. For example, you want to grant HR authorizations to a user for system Sys_1. You would create a technical role HR_USER_SYS_1 with the necessary authorizations and assign the technical role to the user in the back end.

Business roles are logical roles that exist only in the access control application; they do not exist in the back-end systems. They allow you to grant authorizations to a user for multiple roles. The roles may be from multiple systems, rather than manually assigning separate roles for each system.

Procedure

  1. Choose Create, and then select a role type to create.

    The New Role screen appears. The application displays different tab pages, based on the role you are creating.

  2. On the Details tab page, enter information for:

    • Application type

    • Landscape

    • Business process

    • Subprocess

    • Project Release

    • Role name

  3. On the Properties tab page, do the following:

    1. In the Certification Period in Days field, enter the number of days you want to allow for reviewing and approving the role.

    2. Under the Properties area, enter information for Critical Level, Sensitivity, and Identifier as needed.

    3. Under the Role Reaffirm area, in the Reaffirm Period in Days field, enter the number of days you after which the role must be reaffirmed. For example, you can specify that after 180 days, the role owner, or approver, must review the role and reaffirm that it is still valid.

    4. Under the User Provisioning area, select the following checkboxes:

      • Comments Mandatory, to require the approver or owner enter a comment when approving or rejecting the role

      • Enable for Firefighting, to make the role available as a firefighting role.

  4. On the Functional Area tab page, select the required functional areas.

    You maintain the list of functional areas in the Customizing activity Maintain Functional Areas under   Governance, Risk, and Compliance   Access Control   Role Management  .

  5. On the Company tab page, select the required companies.

    You maintain the list of companies in the Customizing activity Define Companies under   Governance, Risk, and Compliance   Access Control   Role Management  .

  6. On the Custom Fields tab page, maintain any custom fields that you have defined.

    You maintain the list of companies in the Customizing activity Define Companies under   Governance, Risk, and Compliance   General Settings   User-Defined Fields  .

  7. On the Owners/Approvers tab page, do the following:

    1. Choose Edit to enable the pushbuttons.

    2. Choose Add, and then select a role to be the owner or approver.

    3. Select the respective checkboxes to specify the role as Assignment Approver, Role Owner, or both.

    4. In the Alternate column, select a user to serve as a backup if the owner or approver is not able to perform their duties.

    5. Choose Default Approvers to use the default approvers, rather than specifying specific owners or approvers.

    Note Note

    Before you can make changes on the Owners/Approvers tab page, you must save the role. The functions for this tab page are disabled in Create mode.

    End of the note.
  8. On the Roles tab page, select the roles to associate with this role. This is available only for composite roles and business roles.

  9. On the Prerequisite tab page, add any prerequisites that are required in order for the user to be assigned this role.

    1. Select the Verify on Request checkbox, to require the application verify that the user has completed all the prerequisites before allowing the role assignment.

    2. Select the Active checkbox, to enable the prerequisite.

    You maintain the prerequisites in the Customizing activities Define Prerequisite Types and Define Role Prerequisites under   Governance, Risk, and Compliance   Access Control   Role Management  .

  10. On the Role Mapping tab page, you can assign roles as child roles. This allows anyone who is assigned this role to also be assigned the authorizations and access for the child roles.

    Select the Consider Parent Role Approver checkbox to use only the approvers associated with the parent roles and ignore any approvers associated with the child roles.

    Note Note

    If you are using a business role, you do not need this function.

    End of the note.

More Information

Superuser Management