Post last modified: June 12, 2020
Using Role Mappings and Auto-provisioning Rules

In this article we look at how roles are automatically provisioned to, and removed from, users when they are hired, terminated, promoted or transferred.

  • What is Role Mapping?
  • When to Run the Auto Provisioning Process?
  • Automatic Role Provisioning
  • Role Deprovisioning
  • Can we run Autoprovisioning for Individual Users?
  • How to run the Autoprovisioning Process?
  • SQL Queries to get the Role Mapping information

Assigning roles to users through the Security Console is the manual way to meet this requirement. However, there could be any number of employees, and their eligibility can change every day. For example, a person might be promoted to manager, so the Line Manager role should be added; another person might be terminated, so their roles need to be removed and their user account suspended.

Handling this manually would be a gigantic task for the security team. So Oracle provides a feature called Role Mappings, where we define a role together with the criteria an employee must meet to be eligible for it.

What is Role Mapping?

Roles give users access to data and functions. To provision a role to users, you define a relationship, called a role mapping, between the role and some conditions. Use the Manage Role Provisioning Rules task in the Setup and Maintenance work area.

Note: All role provisioning generates requests to provision roles. Only when those requests are processed successfully is role provisioning complete.

Here we can search for the existing mapping rules or create a new one.

[Screenshot rolemapping1: Manage Role Provisioning Rules, role mapping conditions]

This is how the first part of the page looks. Here we specify the criteria an employee must satisfy to fall under this role mapping. In the example, the Assignment Type must be 'Employee', the Assignment Status must be 'Active' and the Resource Role must be 'Incentive Compensation Super User' for the employee to be eligible under the 'Incentive Compensation Super User' role mapping.

[Screenshot rolemapping2: Manage Role Provisioning Rules, roles included in the mapping]

The second part of the page contains the list of roles the employees would be eligible for if they meet the criteria listed in the first part.

Delegation Allowed Flag:

This option indicates whether users who have the role or can provision it to others can also delegate it. You can’t change this value, which is part of the role definition. When adding roles to a role mapping, you can search for roles that allow delegation.

Requestable Flag:

Users such as line managers can provision roles manually to other users if:

  • At least one of the assignments of the user who’s provisioning the role, for example, the line manager, matches all role-mapping conditions.
  • You select the Requestable option for the role in the role mapping.

Any user with at least one assignment that matches both conditions can provision the role manually to other users. Note that it is the provisioner's own assignment, not the recipient's, that must satisfy the mapping. Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.

Self-Requestable Flag:

Users can request a role if at least one of their assignments matches all role-mapping conditions and the Self-requestable option is selected for the role in the role mapping.

Any user with at least one assignment that matches these conditions can request the role. Self-requested roles are defined as manually provisioned.
Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.

Autoprovision Flag:

Role provisioning occurs automatically if:

  • At least one of the user’s assignments matches all role-mapping conditions.
  • You select the Autoprovision option for the role in the role mapping.

Users with at least one assignment that matches these conditions acquire the role automatically when you either create or update the assignment. The provisioning process also removes automatically provisioned roles from users who no longer satisfy the role-mapping conditions.

Now that we have looked into the setup of Role mappings, next we will look into the process which needs to be executed to get these roles assigned to employees who match the filter criteria.

When to Run the Auto Provisioning Process?

Oracle recommends running Autoprovision Roles for All Users after creating or editing role mappings. You may also need to run it after loading person records in bulk, if user accounts are created for them: if an appropriate role mapping existed before the load, the process isn't necessary; otherwise you must run it to provision roles to the newly loaded users. Avoid running the process more than once in any day; otherwise the number of role requests it generates may slow the provisioning process.

Note: Only one instance of Autoprovision Roles for All Users can run at a time.

Automatic Role Provisioning

Users acquire a role automatically when at least one of their assignments satisfies the conditions in the relevant role mapping. Provisioning occurs when you create or update worker assignments. For example, when you promote a worker to a management position, the worker acquires the line manager role automatically if an appropriate role mapping exists. All changes to assignments cause review and update of a worker's automatically provisioned roles.

Role Deprovisioning

Users lose automatically provisioned roles when they no longer satisfy the role-mapping conditions. For example, a line manager loses an automatically provisioned line manager role when he or she stops being a line manager. You can also manually deprovision automatically provisioned roles at any time. Users lose manually provisioned roles automatically only when all of their work relationships are terminated. Otherwise, users keep manually provisioned roles until you deprovision them manually.

Can we run Autoprovisioning for Individual Users?

Yes, we can run autoprovisioning for an individual user from the Manage User Account page.

How to run the Autoprovisioning Process?

We can run the autoprovisioning process manually from Tools > Scheduled Processes. The job name is "Autoprovision Roles for All Users".

Ideally this process should be scheduled once a day so that the rules are applied automatically and roles are added to or removed from users as they start or stop meeting the criteria. The autoprovisioning process only creates requests to add or remove roles; it does not add or remove them directly. A second process, "Send Pending LDAP Requests", must run after it to pick up and process those requests. Until both have run, a terminated or transferred worker keeps whatever roles they already hold, so schedule Send Pending LDAP Requests to follow Autoprovision Roles for All Users closely. More details on "Send Pending LDAP Requests": https://fusionhcmknowledgebase.com/2019/05/Important-scheduled-processes-list-in-Fusion-HCM/

We will look into how to run the process now.

[Screenshot auto1: Scheduled Processes, submitting Autoprovision Roles for All Users]
[Screenshot auto3: process parameters for Autoprovision Roles for All Users]

The process has one parameter, "Process Generated Role Requests", with the values Yes and No. If you select No, processing of the generated requests is deferred until Send Pending LDAP Requests runs. If you select Yes, the requests are processed immediately and Autoprovision Roles for All Users produces a report identifying the LDAP request ranges it generated. Requests are processed on their effective dates.
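The rules above (the Autoprovision, Requestable and Self-requestable flags, automatic provisioning and deprovisioning on assignment changes, manual roles surviving until every work relationship is terminated, and the split between generating requests and processing them on their effective date) are easier to reason about as code. The following is an added illustration written for this article, not Oracle's implementation: the attribute names, flag names, the "AUTO"/"MANUAL" markers and the request tuple shape are assumptions made for the example, and the two mappings are constructed sample data modelled on the page's line-manager scenario. It generalises the page's single example to a full hire, promote, manual grant, demote and terminate lifecycle.

```python
# Toy model of Fusion role-mapping evaluation (added illustration, not Oracle code).
# Attribute, flag and function names are assumptions made for this example.
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Assignment:
    assignment_type: str            # "E" employee, "C" contingent worker, ...
    status: str                     # "ACTIVE" or "INACTIVE"
    manager_with_reports: bool = False


@dataclass(frozen=True)
class RoleMapping:
    name: str
    conditions: dict                # attribute -> value; one assignment must match all of them
    roles: dict                     # role -> set of "autoprovision" / "requestable" / "self_requestable"


@dataclass
class Worker:
    username: str
    assignments: list
    open_work_relationships: int    # 0 once every work relationship is terminated
    roles: dict = field(default_factory=dict)   # role -> "AUTO" or "MANUAL"


def assignment_matches(assignment, conditions):
    return all(getattr(assignment, attr) == value for attr, value in conditions.items())


def eligible_roles(worker, mappings, flag):
    """Roles carrying `flag` in any mapping that at least one assignment fully matches."""
    roles = set()
    for m in mappings:
        if any(assignment_matches(a, m.conditions) for a in worker.assignments):
            roles.update(r for r, flags in m.roles.items() if flag in flags)
    return roles


def can_provision_to_others(provisioner, mappings, role):
    """Requestable: it is the provisioner's own assignment that must match the mapping."""
    return role in eligible_roles(provisioner, mappings, "requestable")


def grant_manually(provisioner, target, mappings, role):
    if not can_provision_to_others(provisioner, mappings, role):
        raise PermissionError(f"{provisioner.username} may not provision {role}")
    target.roles[role] = "MANUAL"


def autoprovision(worker, mappings, effective):
    """Generate (type, user, role, effective_date) requests; nothing is changed yet."""
    desired = eligible_roles(worker, mappings, "autoprovision")
    auto_held = {r for r, how in worker.roles.items() if how == "AUTO"}
    manual_held = {r for r, how in worker.roles.items() if how == "MANUAL"}
    reqs = [("ADD_ROLE", worker.username, r, effective) for r in sorted(desired - set(worker.roles))]
    reqs += [("REMOVE_ROLE", worker.username, r, effective) for r in sorted(auto_held - desired)]
    if worker.open_work_relationships == 0:     # manual roles are dropped only on full termination
        reqs += [("REMOVE_ROLE", worker.username, r, effective) for r in sorted(manual_held)]
    return reqs


def process_requests(worker, requests, today):
    """The Send Pending LDAP Requests step: apply due requests, return the rest as pending."""
    pending = []
    for kind, user, role, eff in requests:
        if user != worker.username or eff > today:
            pending.append((kind, user, role, eff))
        elif kind == "ADD_ROLE":
            worker.roles[role] = "AUTO"         # only autoprovision generates ADD requests here
        else:
            worker.roles.pop(role, None)
    return pending


# Constructed sample mappings, modelled on the page's line-manager example.
MAPPINGS = [
    RoleMapping("Employee", {"assignment_type": "E", "status": "ACTIVE"},
                {"Employee": {"autoprovision"}, "Expense Entry": {"self_requestable"}}),
    RoleMapping("Line Manager", {"assignment_type": "E", "status": "ACTIVE", "manager_with_reports": True},
                {"Line Manager": {"autoprovision"}, "Compensation Analyst": {"requestable"}}),
]


def run_lifecycle(today=date(2020, 6, 12)):
    """Hire, promote, manual grant, demote, terminate; return the role set after each daily run."""
    worker = Worker("jdoe", [Assignment("E", "ACTIVE")], open_work_relationships=1)
    manager = Worker("mboss", [Assignment("E", "ACTIVE", manager_with_reports=True)], 1)
    history = []

    def daily_run():                            # both scheduled processes, back to back
        process_requests(worker, autoprovision(worker, MAPPINGS, today), today)
        history.append(set(worker.roles))

    daily_run()                                                             # hired
    worker.assignments = [Assignment("E", "ACTIVE", manager_with_reports=True)]
    daily_run()                                                             # promoted
    grant_manually(manager, worker, MAPPINGS, "Compensation Analyst")
    daily_run()                                                             # manual grant kept
    worker.assignments = [Assignment("E", "ACTIVE")]
    daily_run()                                                             # demoted
    worker.assignments = [Assignment("E", "INACTIVE")]
    worker.open_work_relationships = 0
    daily_run()                                                             # terminated
    return history
```

Two points the lifecycle makes visible: the demotion removes only the automatically provisioned Line Manager role and leaves the manually granted Compensation Analyst role in place, and a request with a future effective date is returned as pending rather than applied, which is why the worker's access only changes once Send Pending LDAP Requests has run on or after that date.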

SQL Queries to get the Role Mapping information

Role Mapping Criteria:

-- Criteria of every role mapping, one row per mapping. The dimension tables are
-- outer-joined because each criterion is optional. The role tables are not needed
-- here (no column of theirs is selected), and an inner join on them would hide
-- mappings that have no roles attached.
SELECT DISTINCT PRM.MAPPING_NAME
     , PRM.DATE_FROM
     , PRM.DATE_TO
     , PLE.NAME                  AS LEGAL_EMPLOYER_NAME
     , POU.NAME                  AS BUSINESS_UNIT
     , PD.NAME                   AS DEPARTMENT
     , PJ.NAME                   AS JOB
     , HAP.NAME                  AS POSITION
     , PG.NAME                   AS GRADE
     , HL.LOCATION_NAME          AS LOCATION
     , PRM.ASSIGNMENT_TYPE
     , (SELECT MEANING FROM FND_LOOKUP_VALUES
         WHERE LOOKUP_TYPE = 'SYSTEM_PERSON_TYPE'
           AND LOOKUP_CODE = PRM.SYSTEM_PERSON_TYPE
           AND LANGUAGE    = USERENV('LANG')
           AND ROWNUM      = 1) AS SYSTEM_PERSON_TYPE
     , PPT.USER_PERSON_TYPE
     , (SELECT MEANING FROM FND_LOOKUP_VALUES
         WHERE LOOKUP_TYPE = 'ACTIVE_INACTIVE'
           AND LOOKUP_CODE = PRM.ASSIGNMENT_STATUS
           AND LANGUAGE    = USERENV('LANG')
           AND ROWNUM      = 1) AS HR_ASSIGNMENT_STATUS
     , PAST.USER_STATUS          AS ASSIGNMENT_STATUS_TYPE
     , DECODE(PRM.CURRENT_MANAGER_FLAG, 'Y', 'Yes', 'N', 'No', PRM.CURRENT_MANAGER_FLAG) AS MANAGER_WITH_REPORTS
     , PRM.MANAGER_TYPE
  FROM PER_ROLE_MAPPINGS               PRM
     , PER_JOBS                        PJ
     , PER_GRADES                      PG
     , HR_LOCATIONS_ALL                HL
     , HR_ALL_POSITIONS_F_VL           HAP
     , PER_DEPARTMENTS                 PD
     -- The status is read from its lookup table. Joining PER_ALL_ASSIGNMENTS_M on
     -- ASSIGNMENT_STATUS_TYPE_ID instead multiplies every mapping row by every
     -- worker assignment in that status and only DISTINCT hides it.
     , PER_ASSIGNMENT_STATUS_TYPES_VL  PAST
     , PER_PERSON_TYPES_VL             PPT
     , PER_LEGAL_EMPLOYERS             PLE
     , HR_ORGANIZATION_UNITS_F_TL      POU
 WHERE PRM.JOB_ID                    = PJ.JOB_ID(+)
   AND PRM.GRADE_ID                  = PG.GRADE_ID(+)
   AND PRM.LOCATION_ID               = HL.LOCATION_ID(+)
   AND PRM.POSITION_ID               = HAP.POSITION_ID(+)
   AND SYSDATE BETWEEN HAP.EFFECTIVE_START_DATE(+) AND HAP.EFFECTIVE_END_DATE(+)   -- positions are date-tracked
   AND PRM.DEPARTMENT_ID             = PD.ORGANIZATION_ID(+)
   AND PRM.ASSIGNMENT_STATUS_TYPE_ID = PAST.ASSIGNMENT_STATUS_TYPE_ID(+)
   AND PRM.USER_PERSON_TYPE_ID       = PPT.PERSON_TYPE_ID(+)
   AND PRM.LEGAL_EMPLOYER_ID         = PLE.ORGANIZATION_ID(+)
   AND PRM.BUSINESS_UNIT_ID          = POU.ORGANIZATION_ID(+)
   AND POU.LANGUAGE(+)               = USERENV('LANG')                               -- one row per language in the _TL table
   AND SYSDATE BETWEEN POU.EFFECTIVE_START_DATE(+)
                   AND NVL(POU.EFFECTIVE_END_DATE(+), TO_DATE('31-12-4712', 'DD-MM-YYYY'))
 ORDER BY PRM.MAPPING_NAME

Sample data will look like:

[Screenshot sample1: sample output of the role mapping criteria query]

Role Mapping Roles:

-- Roles attached to each role mapping and their provisioning flags, one row per
-- mapping/role pair. Only the three role-mapping tables are needed: the job, grade,
-- location, position and person-type tables contribute no columns to this result,
-- and joining PER_ALL_ASSIGNMENTS_M here would repeat each row for every worker
-- assignment in the mapping's status.
SELECT PRM.MAPPING_NAME
     , PRDV.ROLE_NAME
     , DECODE(PRDV.DELEGATION_ALLOWED, 'Y', 'Yes', 'N', 'No', PRDV.DELEGATION_ALLOWED)                         AS DELEGATION_ALLOWED
     , DECODE(PRMR.SELF_REQUESTABLE_FLAG, 'Y', 'Yes', 'N', 'No', PRMR.SELF_REQUESTABLE_FLAG)                   AS SELF_REQUESTABLE_FLAG
     , DECODE(PRMR.REQUESTABLE_FLAG, 'Y', 'Yes', 'N', 'No', PRMR.REQUESTABLE_FLAG)                             AS REQUESTABLE_FLAG
     , DECODE(PRMR.USE_FOR_AUTO_PROVISIONING_FLAG, 'Y', 'Yes', 'N', 'No', PRMR.USE_FOR_AUTO_PROVISIONING_FLAG) AS USE_FOR_AUTO_PROVISIONING_FLAG
  FROM PER_ROLE_MAPPINGS       PRM
     , PER_ROLE_MAPPING_ROLES  PRMR
     , PER_ROLES_DN_VL         PRDV
 WHERE PRM.ROLE_MAPPING_ID = PRMR.ROLE_MAPPING_ID(+)   -- keep mappings that have no roles yet
   AND PRMR.ROLE_ID        = PRDV.ROLE_ID(+)
 ORDER BY PRM.MAPPING_NAME, PRDV.ROLE_NAME

Sample data will look like:

[Screenshot sample2: sample output of the role mapping roles query]

Hope this helps you understand the importance of auto-provisioning rules in Fusion.

If you have any questions, please feel free to reach out to me by posting in comments section.

If you liked the article, please share it with your friends/ colleagues/ teammates or anyone who might also benefit from it.