This guide walks Oracle Fusion Cloud administrators through the end-to-end process of creating a custom role from a seeded role and assigning it to a user.
Audience: System
Administrators, Security Administrators, IT Consultants
Prerequisites: IT Security Manager or Application Implementation Consultant role required.
Section 1: Understanding Roles in Oracle Fusion Cloud
Oracle Fusion Cloud uses a Role-Based Access Control (RBAC) model. Every action a user can perform - and every piece of data they can see - is governed by roles assigned to their user account.
1.1 Role
Types
|
Role Type |
Description |
Example |
|
Job Role |
Assigned directly to users; represents a job function |
Accounts Payable Manager |
|
Duty Role |
Aggregates function security policies for a task area |
Manage Supplier Invoices |
|
Abstract Role |
Provides baseline access for a broad group |
Employee, Line Manager |
|
Data Role |
Scopes access to specific data sets / business units |
Payables Manager – BU France |
1.2 Why
Copy a Seeded Role Instead of Modifying It?
By copying a seeded role you:
- Preserve Oracle's original role definition untouched
- Protect customizations from being overwritten during quarterly updates
- Maintain a clear audit trail of custom vs Oracle-delivered access
- Use Oracle's tested privilege set as a secure starting point
Section 2: Creating a Custom Role from a Seeded
Role
1. Navigate to the Security Console
The Security Console is Oracle Fusion's central hub for all
role and user security configuration.
- Log in to your Oracle Fusion Cloud environment as an administrator.
- Click the Navigator icon in the top-left of the home page.
- Expand the Tools section in the navigator menu.
- Click Security Console to open it.
You can also access the Security Console by typing 'Security Console' in the Oracle Fusion search bar at the top of any page.
2. Navigate to the Roles Tab and Search for the Seeded Role
Once inside the Security Console you will see
several tabs. The Roles tab is where all role management happens.
- Click the Roles tab in the Security Console header.
- In the search bar, type the name of the seeded role you want to copy. For example: Order Entry Specialist or Procurement Manager.
- Press Enter or click the Search icon.
- The matching roles will appear in the search results below.
3. Copy the Seeded Role
Oracle requires you to copy (not edit) a seeded
role. The Copy Role option creates a full duplicate of the seeded role
including its entire privilege inheritance chain.
- In the search results, locate your target seeded role.
- Click the dropdown arrow (▼) next to the role name in the search results.
- Select Copy Role from the dropdown menu.
- The Copy Options dialog box will appear. Select Copy top role (recommended - this copies only the top-level role and inherits all child duty roles and privileges by reference, keeping the role hierarchy clean).
- Click the Copy Role button in the dialog to proceed.
Note - Copy Top Role vs Copy All Roles
Copy top role (Recommended): Creates a copy of only the job role. All duty roles and privileges are inherited by reference from Oracle's seeded set - your copy will automatically receive Oracle's updates to those duties. Copy top role and inherited roles: Creates copies of every role in the hierarchy. Use only when you need to modify individual duty roles. Results in a larger role footprint to maintain.
4. Enter Basic Information for the Custom Role
After clicking Copy Role you are taken to the
Role creation wizard. Step 1 of the wizard is Basic Information.
- In the Role Name field, enter a meaningful name for your custom role.
- In the Role Code field, enter a unique code. Avoid starting with 'ORA_' - this prefix is reserved for Oracle seeded roles. Example: ASP_PO_PROCUREMENT_MANAGER.
- Select the appropriate Role Category. For most business user roles, this will be the relevant module followed by '– Job Roles', e.g., Procurement – Job Roles.
- Enter a meaningful Description that explains the role's purpose and the business requirement that prompted its creation.
- Click Next or click Step 2 in the wizard navigation at the top to proceed.
5. Review and Modify Function Security Policies
Function Security Policies define what actions
(UI pages, buttons, menu items) a user with this role can perform. Because you
copied a seeded role, all original function security policies are already
inherited.
- In the wizard, click Step 2 – Function Security Policies
- You will see the list of all inherited function security policies from the source seeded role.
To Remove a Policy (reduce access):
- Locate the policy you want to remove and click the X / Remove icon next to it.
- Confirm the removal when prompted.
- Click + Add Function Security Policy.
- In the search dialog, type the privilege name or code.
- Select the privilege from the results and click OK.
6. Review the Role Hierarchy
The Role Hierarchy tab shows the duty roles and
abstract roles that your new custom role inherits. If you chose 'Copy top
role', all these are inherited references - no copies were made.
- Click Step 3 – Role Hierarchy in the wizard.
- Review the list of inherited roles. These are the duty roles that provide the grouped privileges.
- You can add additional duty roles by clicking '+ Add Role' if the business requirement needs more access.
- You can remove inherited duty roles if the copied seeded role has more access than required.
7. Review Summary and Submit
Before submitting, the wizard presents a summary
of all changes you are making to the role.
- Navigate to Step 7 - Summary by clicking it in the wizard header.
- Review the summary showing counts of added and removed policies:
- Function Security Policies: Added (x), Removed (x)
- Data Security Policies: Added (x), Removed (x)
- Role Hierarchy: Added (x), Removed (x)
- Users: Added (x), Removed (x)
- If everything looks correct, click Submit and Close.
- Oracle Fusion will begin the role copy process in the background. This may take a few minutes.
Monitor the Role Copy Status:
- In the Security Console, click the Administration tab.
- Click Role Copy Status.
- Find your role code in the list and verify that the Status column shows Complete.
Section 3: Assigning the Custom Role to a User
Once the role copy process is complete, you can
assign the new custom role to one or more users. There are two methods - via
the Security Console (recommended for administrators) or via User Management.
1. Navigate to User Accounts in the Security Console
- In the Security Console, click the Users tab.
- In the search bar, type the user's name, username, or email address.
- Press Enter or click Search.
- Click the user's name in the search results to open their user account.
2. Assign the Custom Role to the User
Inside the user's account record you can view
all currently assigned roles and add new ones.
- On the user's detail page, click Edit and locate the Roles section.
- Click Add Role.
- In the role search dialog, type the name or code of your newly created custom role.
- Select the role from the search results.
- Click Add Role Membership and Done to confirm.
- After adding the role, click Save and Close on the user record.
- Oracle Fusion will provision the role to the user. This may take a few minutes to propagate.
3. Verify the Role Assignment
It is good practice to verify that the role has
been correctly assigned and that the user can now access the expected
functions.
Verify from the Security Console:
- Return to Security Console → Users and search for the same user.
- Open the user record and scroll to the Roles section.
- Confirm your custom role appears in the list with the correct effective dates.
Verify from the User's Perspective:- Ask the user to log out and log back in to
refresh their session.
- Navigate to the function or page that the role
should grant access to.
- Confirm the user can see the expected menu
items, buttons, and data.
Thank you.
- Ask the user to log out and log back in to refresh their session.
- Navigate to the function or page that the role should grant access to.
- Confirm the user can see the expected menu items, buttons, and data.
Thank you.
No comments:
Post a Comment