If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched privileges. This lets you create a specific security role that is still based on the security scenario.
Each matched privilege contains at least one of the securable objects from the scenario. In determining the match, the access level of the securable objects, as defined in the security scenario, is not considered.
Note that:

  • A privilege can be shown several times, for a different securable object.
  • A securable object can be shown several times as it can be linked to several privileges.
  • For each entry, the related license types are shown.

This information offers the opportunity to reduce license costs. You can search for and select the privileges with the lowest license type.


Standard procedure

1. Click Security management.
2. Click the Scenarios tab.
3. Sub-task: Match roles.
4. In the list, find and select the desired record.
5. Click Match roles.
  5.1 Fill in the fields as desired.
  5.2 Click OK.
6. Sub-task: Select matched privileges.
  6.1 On the Matched privileges tab, select the privileges that you want to use for the new role.
  6.2 If you have selected one or more privileges, you can highlight the privileges with the same securable object. The non-highlighted privileges then need your attention: these are related to the securable objects from the security scenario that are not yet covered. If all privileges are highlighted, you have covered all securable objects from the security scenario.
  Click Find matched entry points.
7. Sub-task: Create security role.
  7.1 Click Create role from privileges.
  7.2 In the Role Name field, type a value.
 

Note: The default prefix for the role name is defined in the Security and compliance studio parameters.

  7.3 In the Description field, type a value.
  7.4 You can create the new role with only the securable objects as defined in the security scenario. To do so, all other entry points of the selected privileges must be excluded. As a result, for each securable object type, a new privilege is created with the related securable objects and added to the new role.
  Select the Remove excess menu items check box.
 

Note: The selected privileges are not changed. Only the relevant entry points are copied from these privileges and added to the new privileges.

  7.5 In the new role, the access level for each securable object from the security scenario is the highest of these:
    • The access level as defined for the securable object in the security scenario.
    • The access level from the related entry point in a selected privilege.
  You can choose to overrule this and use the access levels as defined in the security scenario for the related securable objects in the new role.
  Select the Use access level from recorded entry point check box.
  7.6 A securable object from the security scenario might not be part of any privilege. If so, you can add this securable object, with the defined access level, to the related new privilege of the new role.
  Select the Add entry points outside privileges to new privilege check box.
  7.7 Click OK.
 

Note: Once the security role is created, it is validated automatically to verify if it complies with the segregation of duties rules. If enhanced segregation of duties rules are enabled, the role is validated against the enhanced segregation of duties rules.

  7.8 Each new role must be published to become effective. You can choose to directly publish the new security role. Otherwise, you must publish it from the Unpublished objects.
  Click Yes.
8. Close the page.
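
The following Python sketch is an added example, not code from the product or its documentation. It models the matching in step 6 and the role options in steps 7.4 to 7.6 as effective access per securable object, so you can see what each check box does to least privilege. The access-level ordering, the object and privilege names, the function names, and reading "not part of any privilege" as "not part of any selected privilege" are assumptions.

```python
from enum import IntEnum

class Access(IntEnum):  # assumed ordering, lowest to highest
    NO_ACCESS = 0
    READ = 1
    UPDATE = 2
    CREATE = 3
    CORRECT = 4
    DELETE = 5

# Constructed sample data: securable object -> access level
SCENARIO = {"CustTable": Access.READ, "SalesTable": Access.UPDATE, "VendTable": Access.READ}
PRIVILEGES = {
    "CustMaintain": {"CustTable": Access.DELETE, "CustGroup": Access.DELETE},
    "SalesView": {"SalesTable": Access.READ},
    "LedgerView": {"LedgerJournal": Access.READ},
}

def match_privileges(scenario, privileges):
    """Privileges sharing at least one securable object with the scenario (levels ignored)."""
    return sorted(p for p, eps in privileges.items() if scenario.keys() & eps.keys())

def uncovered(scenario, privileges, selected):
    """Scenario objects not yet covered by the selected privileges (step 6.2)."""
    covered = set().union(*(privileges[p] for p in selected))
    return sorted(set(scenario) - covered)

def build_role(scenario, privileges, selected, remove_excess=False,
               use_recorded_level=False, add_outside=False):
    """Effective access per securable object in the new role (options 7.4 to 7.6)."""
    role = {}
    for p in selected:
        for obj, level in privileges[p].items():
            if obj in scenario:  # 7.5: highest of both levels, unless overruled
                level = scenario[obj] if use_recorded_level else max(level, scenario[obj])
            elif remove_excess:
                continue  # 7.4: entry points outside the scenario are left out
            role[obj] = max(role.get(obj, Access.NO_ACCESS), level)
    if add_outside:  # 7.6: scenario objects found in no selected privilege (assumption)
        for obj in scenario.keys() - role.keys():
            role[obj] = scenario[obj]
    return role

def over_granted(scenario, role):
    """Objects the role grants beyond the scenario: extra objects or higher levels."""
    return sorted(o for o, lvl in role.items() if lvl > scenario.get(o, Access.NO_ACCESS))
```

With the sample data, a role built with all three check boxes cleared grants more than the scenario asks for, while selecting all three reproduces the scenario exactly.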