If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched duties. So, you can create a specific security role, which is still based on the security scenario.


The matched duties have at least one of the securable objects from the scenario. In determining the match, the access levels for the securable objects, as defined on the security scenario, are not considered.

Note that:
  • A duty can be shown several times, for a different securable object.
  • A securable object can be shown several times as it can be linked to several duties.
  • For each entry, the related license types are shown.
This information offers the opportunity to reduce license costs. You can search for and select the duties with the lowest license type.


Standard procedure

1. Click Security management.
2. Click the Scenarios tab.
3. In the list, find and select the desired record.
4. Sub-task: Match roles.
  4.1 Click Match roles.
  4.2 Fill in the fields as desired.
  4.3 Click OK.
5. Sub-task: Select matched duties.
  5.1 On the Matched duties tab, select the duties that you want to use for the new role.
  5.2 If you have selected one or more duties, you can highlight the duties with the same securable object. The non-highlighted duties then need your attention: they are related to the securable objects from the security scenario that are not yet covered. If all duties are highlighted, you have covered all securable objects from the security scenario.
  Click Find matched entry points.
6. Sub-task: Create security role.
  6.1 Click Create role from duties.
  6.2 In the Role Name field, type a value.
 

Note: The default prefix for the role name is defined in the Security and compliance studio parameters.

  6.3 In the Description field, type a value.
  6.4 You can create the new role with only the securable objects as defined in the security scenario. To do so, all other entry points of the selected duties must be excluded. As a result, for each securable object type, a new privilege is created with the related securable objects and added to the new role.
  Select the Remove excess menu items check box.
 

Note: The selected duties are not changed. Only the relevant entry points are copied from these duties and added to the new privileges.

  6.5 In the new role, the access level for each securable object from the security scenario is the highest of these:
    • The access level as defined for the securable object in the security scenario.
    • The access level from the related entry point in a selected duty.
  You can choose to overrule this and use the access levels as defined in the security scenario for the related securable objects in the new role.
  Select the Use access level from recorded entry point check box.
  6.6 It can be that a securable object from the security scenario is not part of any duty. If so, you can add this securable object, with the defined access level, to the related new privilege of the new role.
  Select the Add entry points outside privileges to new privilege check box.
  6.7 Click OK.
 

Note: Once the security role is created, it is validated automatically to verify if it complies with the segregation of duties rules. If enhanced segregation of duties rules are enabled, the role is validated against the enhanced segregation of duties rules.

  6.8 Each new role must be published to become effective. You can choose to directly publish the new security role. Otherwise, you must publish it from the Unpublished objects.
  Click Yes.
7. Close the page.
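
The check boxes in step 6 decide how much access the new role ends up with. The following Python sketch is an added illustration, not product code: it models the matching and access-level rules as this page describes them and flattens the role to one effective access level per securable object. The object names, duty names and the ordering of access levels are assumptions constructed for the example.

```python
from enum import IntEnum

class Access(IntEnum):
    """Assumed ordering of access levels, lowest to highest."""
    NO_ACCESS = 0
    READ = 1
    UPDATE = 2
    CREATE = 3
    CORRECT = 4
    DELETE = 5

# Constructed sample data: securable object -> access level.
SCENARIO = {"CustTable": Access.READ, "SalesTable": Access.UPDATE, "VendTable": Access.READ}
DUTIES = {
    "CustMaintain": {"CustTable": Access.DELETE, "CustGroup": Access.DELETE},
    "SalesOrderInquire": {"SalesTable": Access.READ, "CustTable": Access.READ},
}

def match_duties(scenario, duties):
    """Duties with at least one scenario object; access levels are ignored."""
    hits = {name: sorted(set(eps) & set(scenario)) for name, eps in duties.items()}
    return {name: objs for name, objs in hits.items() if objs}

def uncovered(scenario, duties, selected):
    """Scenario objects that no selected duty covers yet."""
    covered = {obj for name in selected for obj in duties[name]}
    return sorted(set(scenario) - covered)

def build_role(scenario, duties, selected, remove_excess=False,
               use_recorded_level=False, add_outside=False):
    """Effective access per securable object in the new role."""
    role = {}
    for name in selected:
        for obj, level in duties[name].items():
            if obj not in scenario:
                if not remove_excess:  # excess entry point stays in the role
                    role[obj] = max(role.get(obj, level), level)
            elif use_recorded_level:   # scenario level overrules the duty
                role[obj] = scenario[obj]
            else:                      # default: highest of the two
                role[obj] = max(role.get(obj, Access.NO_ACCESS), level, scenario[obj])
    if add_outside:                    # scenario objects that are in no duty at all
        in_any_duty = {obj for eps in duties.values() for obj in eps}
        for obj, level in scenario.items():
            if obj not in in_any_duty:
                role[obj] = level
    return role

if __name__ == "__main__":
    picked = list(match_duties(SCENARIO, DUTIES))
    print(build_role(SCENARIO, DUTIES, picked))
    print(build_role(SCENARIO, DUTIES, picked, True, True, True))
```

With the defaults, the modelled role inherits Delete on CustTable and on the unrelated CustGroup from the selected duty; with all three check boxes selected, it matches the scenario exactly.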