Introduction

Businesses today must provide timely access to enterprise information systems while also ensuring that such access is compliant with government regulations and policies. However, in today’s global business environment, managing data across users, organizations, locations and reporting structures quickly becomes a critical challenge. Often, the maintenance of this information remains a manual task, making it difficult to secure and costly to respond to business events in real time. As a result, the process for providing access is prone to errors, lags behind organizational changes, and lacks the necessary flexibility to represent the many complex and dynamic relationships in today’s organizations.

Oracle Role Manager solves these challenges by providing a comprehensive feature set for role lifecycle management, business and organizational relationships and resources. Built using scalable J2EE architecture, Oracle Role Manager enables business users to define user access by abstracting resources and entitlements as roles. Organization data in existing applications can be managed within Oracle Role Manager to model complex relationship paths across business structures such as reporting organization hierarchies and locations. Business policies defined in Oracle Role Manager utilize organization and relationship data to drive role membership and ultimately access. Through seamless integration with Identity and Access Management (IAM) applications, Oracle Role Manager enables you to automate provisioning events, addressing governance and compliance needs across your existing information technology (IT) infrastructure.

With Oracle Role Manager, you will be able to:

• Enhance security by dramatically improving the timeliness and accuracy of provisioning and de-provisioning of resources as role membership changes
• Accelerate your role management implementation by mining for candidate roles
• Maintain a single authoritative source for roles
• Strengthen regulatory compliance through detailed audits on who should have access to what, and why user was given access—with complete reports

Key Benefits of Oracle Role Manager

Enhanced security
Oracle Role Manager dramatically improves the accuracy of resource provisioning based on policy. By responding in real-time to business events, such as a new hire or transfer, automated role-based provisioning ensures that access and entitlements align with business policy. Oracle Role Manager also offers mining tools to identify rogue entitlements, uncover users with no entitlements (“orphaned” users), and discover candidate roles. Not only do these tools assist in analyzing and cleaning up your existing data, they quickly add value to your IAM investment and create a secure foundation for role lifecycle management.

Authoritative source for roles and entitlements
As the comprehensive source for role and role lifecycle management, Oracle Role Manager can provide contextual and policy based roles to a variety of enterprise applications, including Business Process Management (BPM) workflows and IAM applications. As an abstraction of entitlements, roles provide a mechanism for defining contextual policies that ultimately answer the question of “Who should have access to what?”.

Authoritative modeling of business and operational data
Operational data such as employee white pages, reporting structures and even external data about partners or customers often lose value by being spread across disparate systems that remain unconnected to security policy. By bringing together diverse operational data into a single authoritative application Oracle Role Manager can easily model organizational structures and relationships. These business models form the foundation for building secure and accurate role policy. Oracle Role Manager also provides mining tools to assist in data cleansing and analysis, ensuring accurate modeling of operational data.

Enable scalable role management process
Automated provisioning events based on role membership and policy improves IT productivity, limits manual workarounds and prevents security violations. Business users can utilize Oracle Role Manager to define and manage roles and create business policy to drive automated provisioning events. The abstraction of entitlements as roles and the capturing of business context enable the business users to engage in the corporate security process. Business user involvement is critical toward deploying a scalable security process where role and policy data can be kept accurate and up-to-date.

Enable high level of service level and business continuation integrity
Role membership is updated automatically based on changes to organizations, people, and resources. Out-of-the-box integration with IAM systems means that as role membership changes, access and entitlements change. Integration with IAM combined with the authoritative repository for operational data makes Oracle Role Manager an ideal tool to plan and prepare for unforeseen events, such as disaster and emergency situations. Automating emergency access based on pre-configured business continuity model can enable core business operations to continue while minimizing the overall impacts to your organization and your clients during a catastrophic emergency.

Overview of Oracle Role Manager Features and Functionality

• Role and Rule Mining: Accelerate your role management implementation by importing existing data about users, resources and entitlements to discover candidate roles and membership policies.
• Context-Aware, Polyarchy Enabled Role Engine: Oracle Role Manager features a powerful role engine that uses your business policy and traverses the relationships between users and organizations to derive accurate, real-time role membership
• Authoritative Role and Entitlement Repository: Aggregate and manage contextual business information such as organizational relationships into a comprehensive role repository. Serving as the central source of information for roles, these complex relationships supply authoritative entitlement data to enterprise systems.
• Configurable and Extensible Role and Relationship Model: Oracle Role Manager makes it easy to model unique business structures and relationships and provides tools for customizing the user interface.
• Role Delegation: By providing delegated administration of roles, Oracle Role Manager enables business users to easily delegate access and privileges without violating existing business policy.
  

Enterprise Role Lifecycle Management

Oracle Role Manager provides comprehensive tools to support enterprise role lifecycle management (RLM). Utilizing a web-based user interface, users across the enterprise can create and manage roles, define role membership according to business policy, map roles to resources and entitlements and change the state of roles to control access. As business events occur and the organization changes, role membership is dynamically recalculated, ensuring appropriate access and preventing security holes and compliance violations.

Role and Rule Mining
Tools for role mining take existing enterprise data about users, entitlements and the relationships between them to discover candidate IT roles. This process, commonly referred to as “bottom-up” analysis, identifies patterns in existing entitlements and user memberships to suggest roles that can be exported and managed in Oracle Role Manager.

Adopting a role management solution can be a daunting task for businesses trying to sort through data across the enterprise. The process for role mining first leads the business through data analysis and validation, role mining and finally rule mining which can further refine candidate IT role membership.

Oracle Role Manager accelerates your role management implementation by:

• Importing user, resource, and privilege information from diverse sources for analysis and validation. Data analysis tools assist in the process of cleansing data to delete orphaned user accounts and uncover existing violations of security policy.
• 
  
• Allowing role mining parameters to be configured improves the accuracy of mined results. Changing the values of role mining parameters based on the unique characteristics of an imported dataset increases the probability of quality candidate roles.
• 
  
• Discovering and structuring candidate roles as a role hierarchy allows users to easily review clusters of entitlements. Hierarchical structures streamline analysis and validation of mining results ensuring that roles contain the correct entitlements.
• 
  
• Discovering potential rules and policies for mined roles. Rules are derived from user attributes and relationships and assist in refining role membership for more secure role definitions.
• 
  
• Exporting role definitions for complete role lifecycle management. Desirable mined roles and rules that have undergone evaluation from the business can be selected for export into a role management system.

Context-Aware, Polyarchy Enabled Role Engine
Oracle Role Manager features powerful role engine that uses your business policy and traverses the relationships between users and organizations to derive accurate, real-time role membership. This contextually aware engine resolves complex relationships across business organizations to ensure that access is aligned with corporate strategy.

For example, you can specify:

• A cost center manager is a person who is in a manager relationship with an organization in a cost center hierarchy.
• 
  
• A European account executive is a person who has a specific job code or team membership in the sales branch of the reporting hierarchy and who is located in the European branch of the location hierarchy.

Oracle Role Manager supports three main types of roles out of the box: Business, IT and Approver. Business roles, which can be policy based, rely on contextual business information to refine membership such as a job code attribute or membership in the engineering organization. To manage roles effectively, business owners should manage business role definitions and role memberships that reflect what a person does.

IT roles, which can be thought of as a collection of privileges or entitlements, are mapped to business roles, automating access to members of the role. The IT organization should manage IT role definitions and the entitlements to ensure that appropriate access is granted to role members.

Approver roles are defined contextually, and can resolve complex queries such as “Who is the cost center manager for Joe?”. Business roles that are policy based incorporate hierarchical information across the business to provide accurate scope, and context for the assignment. This allows people who understand and manage the organizational structure to define the structure and automate role membership.

Oracle Role Manager also supports the traditional, ad hoc way of managing business role memberships manually. This strategy may be employed when a business role should not be based on policy or when the complexity of the role and its supporting data are more easily managed statically.

Though Oracle Role Manager provides three types of roles out of the box, custom role types can be configured to meet the needs of today’s dynamic enterprises.

Authoritative Role and Entitlement Repository
Oracle Role Manager aggregates and manages contextual business information such as organizational relationships into a comprehensive role repository. Serving as the central source of information for roles, these complex relationships supply authoritative entitlement data to enterprise systems.

Configurable and Extensible Role and Relationship Model
Organization structures, relationships and business operational models can be unique and diverse as businesses themselves. While one business may depend on a traditional reporting organization hierarchy, another business may have a more collaborative organization. Oracle Role Manager responds to this need by making it easy to model unique business structures and relationships and providing tools for customizing the user interface.

Organization and Relationship Management

The complexity of an individual’s relationships in a dynamic organization poses a significant challenge for existing applications and directories, which lack the ability to capture and manage complex business relationships and temporal dimensions. At best, directories can describe one organizational hierarchy, leaving additional hierarchies and memberships to be represented as simple Boolean attributes. For example, with directories, you can indicate whether Jane is a manager, but you cannot capture the full context of her role, including what Jane manages, who she manages, what her span of control or authority is, and what entitlements she has across heterogeneous applications. To properly reflect organizational reality and to maintain data integrity among interdependent hierarchies, you need a model that maps the intersection of multiple, overlapping hierarchies or “polyarchies”.

To understand how modeling the polyarchy enhances role lifecycle management, it helps to look at the business problems of a leading national grocery chain. The grocery chain was faced with managing retail stores that spanned multiple geographies, managing different supply chains for different products and adapting to high personnel turnover and routine changes in staff responsibility. By modeling each of these business structures as separate hierarchies and then building the relationships across them, the grocery chain was able to fix identity and access problems such as multiple retail clerks sharing one register account. Role policy for retail clerks could be written in terms that business users can understand by utilizing the hierarchies for employees and retail stores. Using the polyarchy to define role policy is crucial for operational efficiency and provides the foundation for business integrity.

Oracle Role Manager’s web-based GUI accelerates role engineering and allows business users and administrators alike to define and manage roles.
Oracle Role Manager integrates with existing business applications to model multiple organizational structures and the relationships between them as first-class objects. In addition to providing out of the box standard organization structures, Oracle Role Manager can easily be configured to support unique business operation models and relationships. The Oracle Role Manager graphical user interface (GUI) provides multiple views of intersecting business hierarchies and relationships. Examples of common organization models include reporting organization, locations, teams, customers or partners. Additionally, Oracle Role Manager can respond to organizational lifecycle events, ensuring that information updates occur in real-time. These complex relationships become a powerful store of data that role engineers can use to define policies for roles. As common business events occur, policy based role membership is re-calculated and entitlements are granted or revoked according to policy.

Integration Solutions

Oracle Role Manager serves as the role management repository for identity and access management (IAM) systems. It utilizes previous investments in IAM systems and synchronizes roles and polices with entitlements in target systems. For external task assignment integration, such as Business Process Management (BPM) or workflow, other systems can also leverage Oracle Role Manager’s contextually derived roles for role resolution in approval workflows.

Integration with Identity Provisioning

Oracle Role Manager provides out of the box integration with Oracle Identity Manager (OIM) to initiate provisioning events. The provisioning system extracts user attributes including role and relationship data from Oracle Role Manager using application programming interfaces (APIs). A comprehensive, time-stamped audit trail is maintained of all user provisioning activities. This seamless integration uses role membership and policy to automate and enforce user access to information, applications and systems.

Oracle Role Manger’s integration with OIM ensures that:

• Provisioning events occur when role membership changes
• 
  
• Provisioning events occur when business role and IT role mappings change
• 
  
• Business events, such as a new hire or transfer, trigger role membership changes and thus provisioning

Business Applications / ERP and HR

In addition to ensuring the proper role based access for business applications. Oracle Role Manager can also provide business applications rich role information to better automate transactions. Large enterprises often have complex rules when it comes to routing business transactions for both approval and processing. For example, the rules governing how a purchase request should be routed through a global purchase organization may be based on the item being purchased, the organization affiliation of the requestor, the type of items and service being purchased, or the vendor of the product. The rules that determine which buyer should handle a particular purchase request and which approvers need to approve the request often rely on hard coded rules in the procurement application.

Oracle Role Manager can also provide extensibility for human resource applications. HR applications historically have limited ability to model complex hierarchies. Management of more advanced concepts such as job role and position may often require deployment of additional modules. Oracle Role Manager's powerful polyarchy and role capabilities can be an attractive option to extend the HR application, offering the additional benefit of providing out-of-the-box consistency between HR roles and IT entitlements.

Another common challenge with application management is granting of emergency access to ensure business continuity. Emergency access is often granted without proper level of control or audit in today's enterprise. Oracle Role Manager allows an organization to model its operational plan in case of emergencies. Employees can be granted roles and access automatically based on a pre-defined configuration during an emergency event.

Via its integration to Oracle Identity Manager, Oracle Role Manager offers out-of-the-box integration with leading business applications such as Oracle E-Business Suite, PeopleSoft, Siebel, SAP and JD Edward, as well as vertical applications such as Oracle Retail Suite and Oracle Clinical Solutions.

Governance, Risk and Compliance (GRC)

Role management should be a critical part of any enterprise GRC solution. Role management is the authoritative source for role and entitlement data and the natural enforcement point for Segregation of Duties (SOD). Since role management is also the authoritative source for "who should have what", the roles and policies in role management application also need to be tightly controlled and attested to on a periodic basis.

Oracle Role Manager captures auditable data for role configuration and role memberships. This data is readily available via the out-of-the-box reporting feature and can be exported to an audit platform such as Oracle GRC Manager as evidence of compliance. Using the attestation feature in Oracle Identity Manager, roles and entitlement memberships can also be re-certified per audit requirements.

Oracle Role Manager can also be integrated with enterprise application control (EAC) products from vendors such as LogicalApps/Oracle, Virsa/SAP and Approva. EAC products excel at deep SOD controls for specific ERP applications. Oracle Role Manage complements EAC application by adding enterprise-wide role SOD across heterogeneous systems, extending EAC coverage to critical IT infrastructure as well as legacy business applications such as mainframe based applications.

In today's security-conscious business environment, companies need a sound strategy for building a complete identity and access management infrastructure. Unfortunately, commonly used applications like directories lack the architectural flexibility to capture and maintain information about people and complex organizational relationships.

Oracle Role Manager is an elegant solution based on standards and patented technology with solid architectural flexibility. Applications across the enterprise can leverage it to ensure accurate and timely management of information about roles, organizations and relationships and entitlements. Oracle Role Manager provides the necessary tools for comprehensive role lifecycle management, allowing users to effectively manage access and resources across the enterprise. The end result: simpler IT administration, lower costs, and reduced security risk.

Top of Page

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065

Worldwide Inquiries:
+1.650.506.7000
Fax +1.650.506.7200
http://www.oracle.com/

Copyright © Oracle Corporation 2008
All Rights Reserved

This document is provided for informational purposes only,
and the information herein is subject to change
without notice.  Please report any errors herein to
Oracle Corporation.  Oracle Corporation does not provide
any warranties covering and specifically disclaims any
liability in connection with this document.

Oracle is a registered trademark of Oracle Corporation.

All other company and product names mentioned are used
for identification purposes only and may be trademarks of
their respective owners.