Oracle Role Manager
Businesses today must provide timely access to enterprise information systems while also ensuring that such access is compliant with government regulations and policies. However, in today’s global business environment, managing data across users, organizations, locations and reporting structures quickly becomes a critical challenge. Often, the maintenance of this information remains a manual task, making it difficult to secure and costly to respond to business events in real time. As a result, the process for providing access is prone to errors, lags behind organizational changes, and lacks the necessary flexibility to represent the many complex and dynamic relationships in today’s organizations.
With Oracle Role Manager, you will be able to:
Key Benefits of Oracle Role Manager
Authoritative modeling of business and operational data
Enable a scalable role management process
Enable a high level of service and business-continuity integrity
Overview of Oracle Role Manager Features and Functionality
Enterprise Role Lifecycle Management
Oracle Role Manager provides comprehensive tools to support enterprise role lifecycle management (RLM). Using a web-based user interface, users across the enterprise can create and manage roles, define role membership according to business policy, map roles to resources and entitlements, and change the state of roles to control access. As business events occur and the organization changes, role membership is dynamically recalculated, ensuring appropriate access and preventing security holes and compliance violations.
Role and Rule Mining
Adopting a role management solution can be a daunting task for businesses trying to sort through data across the enterprise. The process for role mining first leads the business through data analysis and validation, then role mining and finally rule mining, which can further refine candidate IT role membership.
Oracle Role Manager accelerates your role management implementation by:
Context-Aware, Polyarchy Enabled Role Engine
For example, you can specify:
Oracle Role Manager supports three main types of roles out of the box: Business, IT and Approver. Business roles, which can be policy based, rely on contextual business information to refine membership such as a job code attribute or membership in the engineering organization. To manage roles effectively, business owners should manage business role definitions and role memberships that reflect what a person does.
IT roles, which can be thought of as a collection of privileges or entitlements, are mapped to business roles, automating access to members of the role. The IT organization should manage IT role definitions and the entitlements to ensure that appropriate access is granted to role members.
Approver roles are defined contextually, and can resolve complex queries such as “Who is the cost center manager for Joe?”. Business roles that are policy based incorporate hierarchical information across the business to provide accurate scope and context for the assignment. This allows people who understand and manage the organizational structure to define the structure and automate role membership.
Oracle Role Manager also supports the traditional, ad hoc way of managing business role memberships manually. This strategy may be employed when a business role should not be based on policy or when the complexity of the role and its supporting data are more easily managed statically.
Though Oracle Role Manager provides three types of roles out of the box, custom role types can be configured to meet the needs of today’s dynamic enterprises.
Authoritative Role and Entitlement Repository
Configurable and Extensible Role and Relationship Model
Common business scenarios require the ability to delegate access and privileges to users. By providing delegated administration of roles, Oracle Role Manager enables business users to easily delegate access and privileges without violating existing business policy. Delegated administration provides business users the ability to manage access, a function normally centralized in IT departments. This feature of Oracle Role Manager highlights how identity and access management tasks quickly scale across the organization to lower IT costs.
Organization and Relationship Management
The complexity of an individual’s relationships in a dynamic organization poses a significant challenge for existing applications and directories, which lack the ability to capture and manage complex business relationships and temporal dimensions. At best, directories can describe one organizational hierarchy, leaving additional hierarchies and memberships to be represented as simple Boolean attributes. For example, with directories, you can indicate whether Jane is a manager, but you cannot capture the full context of her role, including what Jane manages, who she manages, what her span of control or authority is, and what entitlements she has across heterogeneous applications. To properly reflect organizational reality and to maintain data integrity among interdependent hierarchies, you need a model that maps the intersection of multiple, overlapping hierarchies or “polyarchies”.
To understand how modeling the polyarchy enhances role lifecycle management, it helps to look at the business problems of a leading national grocery chain. The grocery chain was faced with managing retail stores that spanned multiple geographies, managing different supply chains for different products and adapting to high personnel turnover and routine changes in staff responsibility. By modeling each of these business structures as separate hierarchies and then building the relationships across them, the grocery chain was able to fix identity and access problems such as multiple retail clerks sharing one register account. Role policy for retail clerks could be written in terms that business users can understand by utilizing the hierarchies for employees and retail stores. Using the polyarchy to define role policy is crucial for operational efficiency and provides the foundation for business integrity.
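The following is an added illustration, not Oracle Role Manager code and not from this datasheet. It models the ideas of the two passages above in a small Python role engine: several overlapping hierarchies (the "polyarchy"), policy-based business roles whose membership is derived from a person's attributes and position in those hierarchies, IT roles that carry entitlements, an approver role resolved contextually ("who is the cost center manager for Joe?"), and recalculation of membership when a business event changes a person's organization. Every hierarchy, person, role and entitlement name is constructed for the example.

```python
"""Toy role engine (added example, not Oracle Role Manager code).

Demonstrates a polyarchy of overlapping hierarchies, policy-based
business roles, IT roles mapped to entitlements, contextual approver
resolution and membership recalculation on an organisational event.
All data below is constructed for the illustration.
"""
from dataclasses import dataclass

# --- polyarchy: each hierarchy is a child -> parent map (None = root) ------
HIERARCHIES = {
    "org": {"Platform": "Engineering", "Engineering": "Acme",
            "Finance": "Acme", "Acme": None},
    "cost_center": {"CC-200": "CC-100", "CC-300": "CC-100", "CC-100": None},
    "site": {"Dallas": "US", "Austin": "US", "US": "Global", "Global": None},
}
# Managers are attached to cost-center nodes; lower nodes inherit them.
CC_MANAGER = {"CC-100": "carol"}


def ancestors(hierarchy, node):
    """Return the node followed by all of its ancestors in one hierarchy."""
    chain = []
    while node is not None:
        chain.append(node)
        node = HIERARCHIES[hierarchy].get(node)
    return chain


def within(hierarchy, node, scope):
    """True if node equals scope or sits anywhere below it."""
    return scope in ancestors(hierarchy, node)


@dataclass
class Person:
    uid: str
    job_code: str
    org: str
    cost_center: str
    site: str


# --- business roles: each policy is a predicate over person + polyarchy ----
BUSINESS_ROLES = {
    "Engineering Developer": lambda p: p.job_code == "DEV"
    and within("org", p.org, "Engineering"),
    "US Finance Analyst": lambda p: p.job_code == "ANL"
    and within("org", p.org, "Finance") and within("site", p.site, "US"),
}

# --- IT roles: business role -> IT roles -> entitlements -------------------
IT_ROLES = {
    "Engineering Developer": ["git-dev", "ci-runner"],
    "US Finance Analyst": ["gl-read"],
}
ENTITLEMENTS = {
    "git-dev": {"git:push", "git:read"},
    "ci-runner": {"ci:trigger"},
    "gl-read": {"ledger:read"},
}


def business_roles_for(person):
    """Policy-based membership: evaluate every business role policy."""
    return sorted(name for name, policy in BUSINESS_ROLES.items() if policy(person))


def entitlements_for(person):
    """Flatten business roles -> IT roles -> entitlements for one person."""
    ents = set()
    for brole in business_roles_for(person):
        for itrole in IT_ROLES.get(brole, []):
            ents |= ENTITLEMENTS[itrole]
    return ents


def cost_center_manager(person):
    """Approver role resolved contextually by walking up the cost-center tree."""
    for cc in ancestors("cost_center", person.cost_center):
        if cc in CC_MANAGER:
            return CC_MANAGER[cc]
    return None


def apply_event(person, **changes):
    """Business event: update attributes, recalculate, return (granted, revoked)."""
    before = entitlements_for(person)
    for attr, value in changes.items():
        setattr(person, attr, value)
    after = entitlements_for(person)
    return after - before, before - after


if __name__ == "__main__":
    joe = Person("joe", "DEV", "Platform", "CC-200", "Dallas")
    print(business_roles_for(joe), entitlements_for(joe), cost_center_manager(joe))
    # Joe transfers to Finance as an analyst: developer access is revoked,
    # ledger access granted, without anyone editing a static group list.
    print(apply_event(joe, org="Finance", job_code="ANL"))
```

The point the example makes is the one the datasheet argues: because membership is a function of the person's attributes and position in each hierarchy, a transfer is a single attribute change that the engine turns into a precise grant/revoke diff, and the approver for a request is found by walking the relevant hierarchy rather than by a flag on the user record.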
Oracle Role Manager serves as the role management repository for identity and access management (IAM) systems. It utilizes previous investments in IAM systems and synchronizes roles and policies with entitlements in target systems. For external task assignment integration, such as Business Process Management (BPM) or workflow, other systems can also leverage Oracle Role Manager’s contextually derived roles for role resolution in approval workflows.
Integration with Identity Provisioning
Oracle Role Manager provides out of the box integration with Oracle Identity Manager (OIM) to initiate provisioning events. The provisioning system extracts user attributes, including role and relationship data, from Oracle Role Manager using application programming interfaces (APIs). A comprehensive, time-stamped audit trail is maintained of all user provisioning activities. This seamless integration uses role membership and policy to automate and enforce user access to information, applications and systems. Based on roles and corporate policy, appropriate provisioning workflows can be triggered within OIM. OIM leverages Oracle Role Manager for dynamic provisioning approvals by mapping approver roles to user groups. When all required approvals are in place, OIM triggers provisioning workflows to complete the user provisioning process.
Business Applications / ERP and HR
In addition to ensuring proper role based access for business applications, Oracle Role Manager can also provide business applications with rich role information to better automate transactions. Large enterprises often have complex rules when it comes to routing business transactions for both approval and processing. For example, the rules governing how a purchase request should be routed through a global purchase organization may be based on the item being purchased, the organization affiliation of the requestor, the type of items and services being purchased, or the vendor of the product. The rules that determine which buyer should handle a particular purchase request and which approvers need to approve the request often rely on hard coded rules in the procurement application.
Oracle Role Manager can also provide extensibility for human resource applications. HR applications historically have limited ability to model complex hierarchies. Management of more advanced concepts such as job role and position may often require deployment of additional modules. Oracle Role Manager's powerful polyarchy and role capabilities can be an attractive option to extend the HR application, offering the additional benefit of providing out-of-the-box consistency between HR roles and IT entitlements.
Another common challenge with application management is the granting of emergency access to ensure business continuity. In today's enterprise, emergency access is often granted without a proper level of control or audit. Oracle Role Manager allows an organization to model its operational plan in case of emergencies. Employees can be granted roles and access automatically, based on a pre-defined configuration, during an emergency event.
Via its integration with Oracle Identity Manager, Oracle Role Manager offers out-of-the-box integration with leading business applications such as Oracle E-Business Suite, PeopleSoft, Siebel, SAP and JD Edwards, as well as vertical applications such as Oracle Retail Suite and Oracle Clinical Solutions.
Governance, Risk and Compliance (GRC)
Role management should be a critical part of any enterprise GRC solution. Role management is the authoritative source for role and entitlement data and the natural enforcement point for Segregation of Duties (SOD). Since role management is also the authoritative source for "who should have what", the roles and policies in the role management application also need to be tightly controlled and attested to on a periodic basis.
Oracle Role Manager captures auditable data for role configuration and role memberships. This data is readily available via the out-of-the-box reporting feature and can be exported to an audit platform such as Oracle GRC Manager as evidence of compliance. Using the attestation feature in Oracle Identity Manager, roles and entitlement memberships can also be re-certified per audit requirements.
Oracle Role Manager can also be integrated with enterprise application control (EAC) products from vendors such as LogicalApps/Oracle, Virsa/SAP and Approva. EAC products excel at deep SOD controls for specific ERP applications. Oracle Role Manager complements EAC applications by adding enterprise-wide role SOD across heterogeneous systems, extending EAC coverage to critical IT infrastructure as well as legacy business applications such as mainframe based applications.
In today's security-conscious business environment, companies need a sound strategy for building a complete identity and access management infrastructure. Unfortunately, commonly used applications like directories lack the architectural flexibility to capture and maintain information about people and complex organizational relationships.
Oracle Role Manager is an elegant solution based on standards and patented technology with solid architectural flexibility. Applications across the enterprise can leverage it to ensure accurate and timely management of information about roles, organizations and relationships and entitlements. Oracle Role Manager provides the necessary tools for comprehensive role lifecycle management, allowing users to effectively manage access and resources across the enterprise. The end result: simpler IT administration, lower costs, and reduced security risk.
Copyright © Oracle Corporation 2008