Inheritance of E-Business Suite entitlements based on categories
In One Identity Manager, user accounts can selectively inherit entitlements. To do this, entitlements, and user accounts are divided into categories. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within the template. The mapping rule contains different tables. Use the user account table to specify categories for target system dependent user accounts. In the other tables, enter your categories for the permissions. Each table contains the category positions position 1 to position 63.
Every user account can be assigned to one or more categories. Each entitlement can also be assigned to one or more categories. If at least one of the category items between the user account and the assigned entitlement is the same, the entitlement is inherited by the user account. If the entitlement or the user account is not classified in a category, the entitlement is also inherited by the user account.
NOTE: Inheritance through categories is only taken into account when entitlements are assigned indirectly through hierarchical roles. Categories are not taken into account when entitlements are directly assigned to user accounts.
Table 30: Category examples
1 |
Default user |
Default entitlements |
2 |
System users |
System user entitlements |
3 |
System administrator |
System administrator entitlements |
Figure 2: Example of inheriting through categories.
To use inheritance through categories
- Define the categories in the E-Business Suite system.
- Assign categories to user accounts through their main data.
- Assign categories to entitlements through their main data.
Related topics
Invalid entitlement assignments
Entitlement assignments cannot be deleted. Different inheritance processes in One Identity Manager can cause an entitlement assignment to become invalid. The following processes may be responsible for this:
-
Cancelation of a requested entitlement assignment or reaching the expiration date of an assignment
-
Removal of a direct entitlement assignment in One Identity Manager
-
Deletion of the assignment of an entitlement to hierarchical or dynamic roles or system roles
-
Deletion of the user account’s membership in hierarchical or dynamic roles
-
Deletion of the assignment of a user account to system roles
-
Exclusion of entitlements
-
Changes to the category to which a user account or an entitlement is classified
-
Disabling/deletion/security risk to employees and handling of user accounts through an account definition
For user accounts with the Full managed manage level, the account definition defines how entitlement assignments are handled if the employee is classified as a security risk, or the employee is disabled or marked for deletion. If you do not want to retain the entitlement assignments, they are marked as invalid.
-
Disabling user accounts
If the user account is managed by an account definition, the account definition defines how entitlement assignments are handled. If you do not want to retain the entitlement assignments, they are marked as invalid.
For invalid entitlement assignments, the validity period is in the past. If the assignments are inherited or requested, or if an entitlement assignment is deleted in the Manager, XOrigin is assigned a value of 16.
If the cause of a entitlement assignment becoming invalid is resolved, the final validity date and XOrigin are reset to their original values.
Related topics
Overview of all assignments
The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are employees who own the selected base object. In this case, direct as well as indirect base object assignments are included.
Examples:
-
If the report is created for a resource, all roles are determined in which there are employees with this resource.
-
If the report is created for a group or another system entitlement, all roles are determined in which there are employees with this group or system entitlement.
-
If the report is created for a compliance rule, all roles are determined in which there are employees who violate this compliance rule.
-
If the report is created for a department, all roles are determined in which employees of the selected department are also members.
-
If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.
To display detailed information about assignments
-
To display the report, select the base object from the navigation or the result list and select the Overview of all assignments report.
-
Click the Used by button in the report toolbar to select the role class for which you want to determine whether roles exist that contain employees with the selected base object.
All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. To access the legend, click the icon in the report's toolbar.
-
Double-click a control to show all child roles belonging to the selected role.
-
By clicking the button in a role's control, you display all employees in the role with the base object.
-
Use the small arrow next to to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.
Figure 3: Toolbar of the Overview of all assignments report.
Table 31: Meaning of icons in the report toolbar
|
Show the legend with the meaning of the report control elements |
|
Saves the current report view as a graphic. |
|
Selects the role class used to generate the report. |
|
Displays all roles or only the affected roles. |
Mapping of E-Business Suite objects in One Identity Manager
You use One Identity Manager to manage all objects of the Oracle E-Business Suite, that are required for the optimization of access control in the target system. These objects are imported into the One Identity Manager database during synchronization. You cannot display or edit their properties in the Manager.