If a partially matched security role is found, you can create a new security role based on the selected role and selected duties and/or privileges. 


Standard procedure

1. Click Security management.
2. Click the Scenarios tab.
3. In the list, find and select the desired record.
4. Sub-task: Match roles.
  4.1 Click Match roles.
  4.2 Decide whether you want an exact match or a minimum/maximum match, and fill in the fields accordingly.
  4.3 To be able to add duties and privileges to a partially matched role, make sure the unmatched entry points are searched for.
  Select Yes in the Search for unmatched entry points? field.
  4.4 Click OK.
5. Sub-task: Select security role and duties and/or privileges.
  5.1 On the Roles tab, in the list, select a partially matched role.
  5.2 You can add duties to the new role that give access to one or more of the unmatched securable objects.
  On the Duties that give access to the securable objects that cannot be accessed with the selected role tab, select the duties that you want to add to the new role.
  5.3 You can add privileges to the new role that give access to one or more of the unmatched securable objects.
  On the Privileges that give access to the securable objects that cannot be accessed with the selected role tab, select the privileges that you want to add to the new role.
  5.4 If you have selected duties and/or privileges, you can highlight the duties and privileges with the same securable object. The non-highlighted duties and privileges then need your attention: they relate to the securable objects from the security scenario that are not yet covered. If all duties and privileges are highlighted, you have covered all securable objects from the security scenario.
  Click Find matched entry points.
6. Sub-task: Create role.
  6.1 Click Create role.
  6.2 In the Role Name field, type a value.
 

Note: The default role name consists of these elements:
- The prefix as defined in the Security and compliance studio parameters.
- The name of the selected role.

  6.3 In the Description field, type a value.
  6.4 You can create the new role with only the securable objects as defined in the security scenario. To do so, all other entry points of the selected role, duties, and privileges must be excluded. As a result, for each securable object type, a new privilege is created with the related securable objects and added to the new role.
  Select the Remove excess menu items check box.
 

Note: The selected role, duties, and privileges are not changed. Only the relevant entry points are copied from these entities and added to the new privileges.

  6.5 In the new role, the access level for each securable object from the security scenario is the highest of these:
- The access level as defined for the securable object in the security scenario.
- The access level from the related entry point in a selected role, duty, or privilege.
You can choose to override this and use the access levels as defined in the security scenario for the related securable objects in the new role.
  Select the Use access level from recorded entry point check box.
  6.6 A securable object from the security scenario might not be part of any role, duty, or privilege. If so, you can add this securable object, with the defined access level, to the related new privilege of the new role.
  Select the Add entry points outside privileges to new privilege check box.
  6.7 Click OK.
 

Note: Once the security role is created, it is validated automatically to verify whether it complies with the segregation of duties rules. If enhanced segregation of duties rules are enabled, the role is validated against the enhanced segregation of duties rules.

  6.8 Each new role must be published to become effective. You can choose to directly publish the new security role. Otherwise, you must publish it from the Unpublished objects.
  Click Yes.
7. Close the page.
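
The effect of the three check boxes in steps 6.4 to 6.6 on the resulting role, as an added Python sketch (not part of the product or of this documentation). The access level names and their ordering, the `outside` set, the behavior that excess entry points stay in the role when Remove excess menu items is cleared, and all entry point names are assumptions or constructed sample data.

```python
# Simplified model of steps 6.4-6.6; not the product's implementation.
# Assumed access levels, lowest to highest.
LEVELS = ["NoAccess", "Read", "Update", "Create", "Correct", "Delete"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample data (hypothetical entry point names).
SCENARIO = {"CustomerList": "Read", "SalesOrderEdit": "Update", "CustomReport": "Read"}
# Flattened grants of the selected role, duties and privileges.
SELECTED = {"CustomerList": "Delete", "SalesOrderEdit": "Read", "VendorList": "Delete"}
# Scenario entry points that no role, duty or privilege contains (step 6.6).
OUTSIDE = {"CustomReport"}


def build_new_role(scenario, selected, outside=frozenset(), remove_excess=False,
                   use_recorded_level=False, add_outside=False):
    """Return ({entry point: level} of the new role, [uncovered scenario objects])."""
    role, uncovered = {}, []
    for obj, recorded in scenario.items():
        granted = selected.get(obj)
        if granted is not None:
            if use_recorded_level:
                # 6.5 check box selected: the scenario level wins, even if lower.
                role[obj] = recorded
            else:
                # 6.5 default: the higher of the two levels.
                role[obj] = max(recorded, granted, key=RANK.__getitem__)
        elif obj in outside and add_outside:
            # 6.6 check box selected: add with the level from the scenario.
            role[obj] = recorded
        else:
            # Still needs a duty or privilege (the non-highlighted case in 5.4).
            uncovered.append(obj)
    if not remove_excess:
        # 6.4 check box cleared (assumed): other entry points remain in the role.
        for obj, granted in selected.items():
            role.setdefault(obj, granted)
    return role, uncovered


if __name__ == "__main__":
    print("defaults:       ", build_new_role(SCENARIO, SELECTED, OUTSIDE))
    print("all three boxes:", build_new_role(SCENARIO, SELECTED, OUTSIDE,
                                             remove_excess=True,
                                             use_recorded_level=True,
                                             add_outside=True))
```

With the defaults, the sample role keeps Delete on two entry points although the scenario recorded only Read on one and does not contain the other; with all three check boxes selected, the role matches the recorded scenario exactly.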