Manage Roles

A role is a group of access bundles. The access bundles contained within a role can span multiple targets. For example, a Database Administrator role might group together the DBAdmin_Oracle, DBAdmin_DB2, and DBAdmin_MySQL access bundles. This allows you to create roles that collect the access bundles needed to perform that role. These roles can then be associated with identities via policies.

Note:

A role does not provide access to a resource by default. Access is given to an identity when a role is assigned to that identity via a policy or self-service request.

Create a Role

You can create a role in the Oracle Access Governance Console by following the steps below:

Create Role

  1. In your browser, navigate to the Oracle Access Governance service home page, and log in as a user with the Administrator or Access Control Administrator application role.
  2. On the Oracle Access Governance service home page, click on the navigation menu icon, then select Access Controls → Roles → Create a Role. Select Create a role from the Roles page. This takes you to the Create a new role flow, which guides you through the steps to set up a role.
  3. Role settings is the first step of the flow. Enter values for the following:
    1. Who can request this role?: Define which identities can request this role. Select from one of the following values:
      • No one
      • Anyone
    2. Which approval workflow?: Select the name of the approval workflow you want to associate with this role from the list. If No one was selected in the previous step, then this selection will be disabled.
    3. Would you like to add any tags to this resource?: Enter any tags for this role that you would like to be able to search on. Examples may include regulatory compliance standards such as SOX, HIPAA, GDPR and others.
    4. Select an Oracle Access Governance active user as the primary owner in the Who is the primary owner? field.
    5. Select one or more additional owners in the Who else owns it? list. You can add up to 20 additional owners for the resource.

      You can view the Primary Owner in the view list. All the owners can view and manage the resources that they own.

    When you are happy with your selections, click Next to continue to the next step.

  4. The next step is Select access bundles. You can search for, and select, the access bundles that you want your role to contain. These access bundles can originate from multiple targets if required.
  5. The next step is Add details. Enter values for the following:
    • What is the name of this role?: Enter a name for the role you are creating.
    • How do you want to describe this role?: Enter a description of the role you are creating.

    When you are happy with your inputs, select Next to proceed to the next step.

  6. The next step is Review and submit. Here you will see a summary of the details you entered for the role, namely:
    • Name
    • Description
    • Requestable by
    • Approval workflow
    • Tags
    • Additional details

    If you decide not to create the role, select Cancel to reject the changes. If you want to amend any details, select Back.

    If you are happy with the changes reviewed, you have three options to proceed.
    1. Role assignment: a role will not give access to anybody until it is assigned. If you select the Start assignment after creation checkbox, you will automatically navigate to the assignment flow on selecting the Create role and assign button. This is the default option.
    2. Create role: if you deselect the Start assignment after creation checkbox, you create the role, but do not navigate automatically to the assignment flow. On selecting the Create button, the role is saved and you are returned to the Roles page.
    3. Save as draft: you can select to save the role as a draft. You can edit the role later by selecting from the Roles page.

Assign Role

If you selected Start assignment after creation, or selected the Add assignment option, you will navigate to the role assignment page, which gives you the option to assign your role to an existing policy, or to create a new policy and assign the role to that. Initially, you are asked Do you want to assign the role through an existing policy or create a new one?

If you select Existing policy:

You can assign your role to an existing policy by following the steps below:

  1. Select the policy you would like to add your role to from the Which policy do you want to assign it to? drop-down list.
  2. You have the option Do you want to add the role to existing associations or create a new one?
  3. If the policy selected has existing role associations, then they are displayed under Which associations do you want to add this role to?. The role associations display as a tile which identifies which identities are associated with which roles. To add an association between your newly created role and the identities, select the relevant role association, at which point your new role name is displayed on the tile. To save the association, click on Add assignment. Your role assignment is saved and you are returned to the Roles page.

If you select Create a new policy:

You create a new policy with the following steps:

  1. Add the name of your policy in the What do you want to call this policy? field.
  2. Add a description of your policy in the How would you describe this policy? field.
  3. Under Which identity collections do you want to associate this role with? select the identity collections you want to associate with this role by selecting from the tiles displayed or entering a search.
  4. Click on Add assignment to save your changes.
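The relationship described above (roles group access bundles, policies associate roles with identity collections, and an unassigned role grants nothing) can be sketched as a small resolver. This is an added example, not Oracle code or an Oracle Access Governance API; the data structures, the Auditor role, the collection names and the identities are constructed for illustration, and only the policy path is modelled, not self-service requests.

```python
# Added illustration: a minimal model of role -> policy -> identity resolution.
# All structures and sample names are hypothetical, not an Oracle API.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    access_bundles: frozenset  # bundles may come from different targets


@dataclass
class Policy:
    name: str
    # Each association pairs identity collections with the roles they receive.
    associations: list = field(default_factory=list)


def effective_bundles(identity, collections, roles, policies):
    """Map each access bundle the identity holds to the (policy, role) pairs granting it."""
    member_of = {c for c, members in collections.items() if identity in members}
    granted = {}
    for policy in policies:
        for assoc_collections, role_names in policy.associations:
            if not member_of & assoc_collections:
                continue
            for role_name in sorted(role_names):
                for bundle in sorted(roles[role_name].access_bundles):
                    granted.setdefault(bundle, []).append((policy.name, role_name))
    return granted


def unassigned_roles(roles, policies):
    """Roles that exist but appear in no policy association, so they grant nothing."""
    assigned = {r for p in policies for _, names in p.associations for r in names}
    return sorted(set(roles) - assigned)


# Constructed sample data.
ROLES = {
    "Database Administrator": Role("Database Administrator",
        frozenset({"DBAdmin_Oracle", "DBAdmin_DB2", "DBAdmin_MySQL"})),
    "Auditor": Role("Auditor", frozenset({"Audit_ReadOnly"})),  # never assigned
}
COLLECTIONS = {"DBA Team": {"alice"}, "Finance": {"bob"}}
POLICIES = [Policy("DBA access", [({"DBA Team"}, {"Database Administrator"})])]

if __name__ == "__main__":
    print(effective_bundles("alice", COLLECTIONS, ROLES, POLICIES))
    print(unassigned_roles(ROLES, POLICIES))
```

Because each bundle is traced back to the policy and role that granted it, the same structure supports an access review: every entitlement has a named source, and roles that were created but never assigned are listed separately.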

Edit a Role

To edit an existing or draft role, perform the steps described below.

  1. On the Oracle Access Governance service home page, click on the navigation menu icon, then select Access Controls → Roles. You can select the option to edit a role in any one of the following ways:
    1. Select the name of the role to navigate to the View details page. Click on the Actions menu and select Edit.
    2. From the list of roles, select the Action menu. Select Edit.
    3. From the list of roles, select the Action menu. Select View details. From the View details page, select Edit.
  2. You navigate to the Role workflow. Make any amendments and save your changes.

Delete a Role

You can delete a role using the Oracle Access Governance Console.

  1. On the Oracle Access Governance service home page, click on the navigation menu icon, then select Access Controls → Roles to navigate to the Roles page.
  2. Select the name of the role you want to delete, click on the Actions menu and select Delete.
  3. You are prompted to confirm that you want to delete the role. Select Delete to remove the role, or Cancel if you decide to retain the role.