Fusion Role Mappings
Introduction.........................................................................................................3
How to access Role Mappings..........................................................................3
Basic Principles....................................................................................................4
Auto provisioning................................................................................................4
Requestable roles.................................................................................................4
Self Requestable Roles........................................................................................5
Termination..........................................................................................................5
Running Auto Provisioning...............................................................................6
Fusion Role Mappings Page 2
INTRODUCTION
In Fusion, access to all parts of the system is controlled with Enterprise Roles in LDAP. Granting roles to a user is
essential to allow them to access the system, and at the same time, for security reasons, it is necessary to make sure
that only the right people have access to roles.
Within Fusion, the Role Mapping definitions (also called Role Provisioning Rules) are the mechanism used both to
automatically grant the correct roles to users, and to restrict who has access to request roles for themselves or assign
roles to others. Any role that will be provisioned to your users must be defined in a role mapping definition.
HOW TO ACCESS ROLE MAPPINGS
To access the role mappings screen, you must log in with a user who has the IT Security Manager role. Once logged
in, navigate to the Setup and Maintenance area, and search for the task Manage HCM Role Provisioning Rules. Click on
Go to Task to go to the screen for searching existing Role Mappings. Here you can either search for existing role
mappings, or click on the Create icon to create a new role mapping.
BASIC PRINCIPLES
When creating role mappings, it is key to understand the basic principles behind the screen.
AUTO PROVISIONING
The role mappings are intended to automate the granting of the most common roles to users in the system, to help
reduce the workload of the managers and administrators. Most customers find that 80% of their role assignments
are covered by a dozen role mappings. An example that may cover most of your role mappings is:
Role                  Condition
Employee              Assignment Type = Employee, Assignment Status = Active
Line Manager          Assignment Type = Employee, Assignment Status = Active, Manager with Reports = Yes
Sales Manager         Assignment Status = Active, Resource Role = Channel Sales Manager
HR Specialist         Assignment Status = Active, Department = Human Resources
US Financial Analyst  Assignment Status = Active, Department = Finance, Legal Employer = Vision US
You will note that this doesn’t cover 80% of the roles you may use, but rather 80% of the role assignments. Beyond
this, most customers have a large number of roles, assigned to a low number of users. For that scenario, we will
define a separate Requestable roles mapping definition instead.
It is also important to note that auto-provisioned roles are allocated to a user based on that user's HR record and
their TCA party data. The evaluation does not depend on the data of the logged-in user, but on the record of the user
who is receiving the roles.
REQUESTABLE ROLES
In addition to the most common roles that you have auto-provisioned, you probably have a number of other roles in
use that are typically assigned to only a few people. It is more efficient to set these up as being requestable by the
appropriate people in your organization. It is also important to note that no roles are requestable unless you add
them to the list. This is for security reasons, so that, for example, a rogue employee or employees can't request a
highly-privileged role for someone else in their team. You might therefore want to split the roles that you want to
make requestable by anyone into one group, and those that you want requestable by a limited number of people into
another group. Here is an example of that:
Role                                                              Condition
Expenses Auditor, Expenses Manager, Expenses Analyst,             Assignment Type = Employee, Assignment Status = Active,
Financial Analyst, Financial Application Administrator,           Manager with Reports = Yes
Financial Supply Chain Manufacturing Application Administrator,
Human Resources Analyst, Benefits Administrator, …

Functional Setups User, IT Security Manager                       Assignment Status = Active, Job = Human Resource Manager
In this case, the person requesting the role on behalf of others must match these criteria themselves. So in this
example any line manager can request that one of their employees be assigned one of the long list of roles, but only
someone with the job of Human Resource Manager can request that the two restricted roles be granted to someone.
The former group is where the majority of the roles are expected to be in most installations.
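The two tables above describe the same evaluation rule from two sides: an auto-provisioned role is evaluated against the record of the user who receives it, while a requestable role is evaluated against the record of the requester. The following Python model is an added example written for this page, not Oracle code; the RoleMapping class, the attribute names used as dictionary keys and the three sample HR records are constructed assumptions, and the long requestable list is abbreviated to two roles.

```python
# Model of Fusion role-mapping evaluation (added illustration, not Oracle code).
# A condition is a set of attribute = value pairs that are AND-ed together; an
# attribute the condition does not mention matches any value on the record.

from dataclasses import dataclass


@dataclass
class RoleMapping:
    role: str
    condition: dict                 # attribute name -> required value
    autoprovision: bool = False     # granted automatically to matching users
    requestable: bool = False       # a matching requester may request it for others
    self_requestable: bool = False  # a matching user may request it for themselves


def matches(record: dict, condition: dict) -> bool:
    """Every attribute named in the condition must equal the record's value."""
    return all(record.get(attr) == value for attr, value in condition.items())


def autoprovisioned_roles(record: dict, mappings: list) -> set:
    """Evaluated against the record of the user who *receives* the roles."""
    return {m.role for m in mappings if m.autoprovision and matches(record, m.condition)}


def can_request_for_other(requester: dict, role: str, mappings: list) -> bool:
    """The requester's own record must satisfy a requestable mapping for the
    role; a role that has no requestable mapping can never be requested."""
    return any(m.role == role and m.requestable and matches(requester, m.condition)
               for m in mappings)


def self_requestable_roles(record: dict, mappings: list) -> set:
    """Roles a user may request for themselves from the My Account screen."""
    return {m.role for m in mappings if m.self_requestable and matches(record, m.condition)}


ACTIVE_EMPLOYEE = {"Assignment Type": "Employee", "Assignment Status": "Active"}
ACTIVE_LINE_MANAGER = {**ACTIVE_EMPLOYEE, "Manager with Reports": "Yes"}

# The mappings from the tables on this page (requestable list abbreviated).
MAPPINGS = [
    RoleMapping("Employee", ACTIVE_EMPLOYEE, autoprovision=True),
    RoleMapping("Line Manager", ACTIVE_LINE_MANAGER, autoprovision=True),
    RoleMapping("Sales Manager", {"Assignment Status": "Active",
                                  "Resource Role": "Channel Sales Manager"}, autoprovision=True),
    RoleMapping("HR Specialist", {"Assignment Status": "Active",
                                  "Department": "Human Resources"}, autoprovision=True),
    RoleMapping("US Financial Analyst", {"Assignment Status": "Active", "Department": "Finance",
                                         "Legal Employer": "Vision US"}, autoprovision=True),
    RoleMapping("Expenses Auditor", ACTIVE_LINE_MANAGER, requestable=True),
    RoleMapping("Benefits Administrator", ACTIVE_LINE_MANAGER, requestable=True),
    RoleMapping("Functional Setups User", {"Assignment Status": "Active",
                                           "Job": "Human Resource Manager"}, requestable=True),
    RoleMapping("IT Security Manager", {"Assignment Status": "Active",
                                        "Job": "Human Resource Manager"}, requestable=True),
    RoleMapping("Expenses User", ACTIVE_EMPLOYEE, self_requestable=True),
    RoleMapping("Procurement Requestor", ACTIVE_EMPLOYEE, self_requestable=True),
]

# Constructed sample HR records (not real people).
FINANCE_MANAGER = {**ACTIVE_LINE_MANAGER, "Department": "Finance",
                   "Legal Employer": "Vision US", "Job": "Finance Manager"}
HR_MANAGER = {**ACTIVE_LINE_MANAGER, "Department": "Human Resources",
              "Job": "Human Resource Manager"}
CONTRACTOR = {"Assignment Type": "Contingent Worker", "Assignment Status": "Active",
              "Department": "Finance", "Legal Employer": "Vision US"}

if __name__ == "__main__":
    print("auto:", sorted(autoprovisioned_roles(FINANCE_MANAGER, MAPPINGS)))
    print("finance manager may request IT Security Manager:",
          can_request_for_other(FINANCE_MANAGER, "IT Security Manager", MAPPINGS))
    print("HR manager may request IT Security Manager:",
          can_request_for_other(HR_MANAGER, "IT Security Manager", MAPPINGS))
```

Two details worth noticing in the output: the contingent worker is not granted the Employee role (the mapping requires Assignment Type = Employee) but does receive US Financial Analyst, because that mapping never mentions assignment type; and a role with no requestable mapping at all is refused for every requester, which is the "no roles are requestable unless you add them" rule.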
SELF REQUESTABLE ROLES
Sometimes you want your employees to have access to some functionality if they need it, but don't want to push it
out to everyone, because it may needlessly clutter their screens. For example, you may want to allow employees to
request the Expenses role if they need to submit expenses, but don't want to have it there by default. Under those
circumstances, you can make a role self requestable. When someone whose employee record matches the criteria
enters the My Account screen, they are then able to request that role. Here is an example of that:
Role                                   Condition
Expenses User, Procurement Requestor   Assignment Type = Employee, Assignment Status = Active
TERMINATION
You will have noticed that all of the examples so far have conditions with the Assignment Status set to Active. This
restricts those roles to active employees only. Once employees are terminated, they will lose all manually
provisioned roles, and any automatically provisioned roles to which they are no longer entitled. If they have no roles
left, their user account will also be suspended on the next working day. It is important to note, though, that it is
valid to have roles which are applicable both before and after termination, or even only after termination. For
example, you might want to grant access to your job site to all past and present employees so that they can apply for
new jobs. Or you might need to grant access to expenses and benefits to ex-employees so that they can manage their
affairs after termination. In the recruiting example, you would simply not specify the Assignment Status, and in the
Benefits and Expenses example, you would specify an Assignment Status of Inactive.
RUNNING AUTO PROVISIONING
Auto-provisioning of roles will occur whenever an employee is hired, terminated, or any of their employment data is
changed. If a past or present-dated change is made, the roles will be auto-provisioned as of today. If a future-dated
change is made, the roles will be auto-provisioned when that future date arrives. To enable this functionality to work
correctly, you must schedule the Person Synchronization and ProcessLdapRequests ESS jobs to run once a day.
If you create a new auto provisioning rule, it will not be applied to users until their data changes. To apply the rule
immediately, press the Apply Autoprovisioning button on the Role Mappings page. Note that this runs auto
provisioning for all users across all role mappings, so if you are creating multiple role mappings, wait until you have
created them all before choosing this button. This is a very processing-intensive task, so you would be best advised to
plan and create your role mappings carefully.
Bulk Loading
When bulk loading people through interfaces such as HR2HR, roles will be auto-provisioned for all of the people
according to the rules that you have defined. However, the roles will not be added to the users immediately in this
mode. They will be held in a queue until the batch has finished loading. To process the requests to modify users and
roles after loading the people, run the ProcessLdapRequests ESS job.
If you are loading a lot of historic data in one single HR2HR run, auto provisioning will run for each and every
row in the person's history. If someone's role entitlement has changed several times over their history, the HR2HR
load will grant them all of the roles that they would have been entitled to at any point over this period. To remove any
unwanted roles at the end of loading the history in this way, run the Apply Autoprovisioning functionality on the role
mappings screen.
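The termination section and the bulk-loading section together describe what a history replay does to a person's roles and why Apply Autoprovisioning is needed afterwards. The following Python model is an added example written for this page, not Oracle code; the mapping names, the attribute names used as dictionary keys and the three-row employment history are constructed assumptions. It generalises the text slightly by showing all three condition shapes (Active only, no status, Inactive only) side by side.

```python
# Model of termination handling and HR2HR history replay (added illustration,
# not Oracle code). Conditions follow the text: Assignment Status = Active limits
# a role to active employees, omitting the status makes the role apply before and
# after termination, and Assignment Status = Inactive applies only afterwards.


def matches(record: dict, condition: dict) -> bool:
    """Every attribute named in the condition must equal the record's value."""
    return all(record.get(attr) == value for attr, value in condition.items())


def entitled_roles(record: dict, mappings: dict) -> set:
    """Auto-provisioning mappings evaluated against one HR record."""
    return {role for role, cond in mappings.items() if matches(record, cond)}


# Constructed mappings in the three shapes the text describes.
MAPPINGS = {
    "Employee": {"Assignment Type": "Employee", "Assignment Status": "Active"},
    "US Financial Analyst": {"Assignment Status": "Active", "Department": "Finance",
                             "Legal Employer": "Vision US"},
    "Job Site User": {"Assignment Type": "Employee"},               # past and present employees
    "Former Employee Benefits": {"Assignment Status": "Inactive"},  # after termination only
}


def apply_termination(current_roles: set, record_after: dict, mappings: dict) -> tuple:
    """On termination every manually provisioned role is lost and the auto
    mappings are re-evaluated against the terminated record.
    Returns (roles kept, roles lost, account suspended?)."""
    kept = entitled_roles(record_after, mappings)
    return kept, current_roles - kept, len(kept) == 0


def replay_history(history: list, mappings: dict) -> set:
    """HR2HR bulk load: auto provisioning runs for every row of the person's
    history, so a role earned at any point in that history ends up granted."""
    granted = set()
    for row in history:
        granted |= entitled_roles(row, mappings)
    return granted


def apply_autoprovisioning(history: list, mappings: dict) -> tuple:
    """Apply Autoprovisioning re-evaluates as of today (the latest row).
    Returns (roles as of today, roles granted by the replay that must be removed)."""
    replayed = replay_history(history, mappings)
    today = entitled_roles(history[-1], mappings)
    return today, replayed - today


# Constructed history for one person, oldest row first: hired into Sales,
# moved to Finance at Vision US, then terminated.
HISTORY = [
    {"Assignment Type": "Employee", "Assignment Status": "Active", "Department": "Sales"},
    {"Assignment Type": "Employee", "Assignment Status": "Active", "Department": "Finance",
     "Legal Employer": "Vision US"},
    {"Assignment Type": "Employee", "Assignment Status": "Inactive", "Department": "Finance",
     "Legal Employer": "Vision US"},
]

if __name__ == "__main__":
    before = entitled_roles(HISTORY[1], MAPPINGS) | {"Expenses Auditor"}  # one manual role
    print("after termination:", apply_termination(before, HISTORY[2], MAPPINGS))
    print("history replay granted:", sorted(replay_history(HISTORY, MAPPINGS)))
    print("apply autoprovisioning:", apply_autoprovisioning(HISTORY, MAPPINGS))
```

The replay grants the union of everything the person was ever entitled to, including the Active-only roles from the Sales and Finance rows, which is exactly the excess that the as-of-today evaluation strips. If the mapping set contained only Active-only conditions, the terminated employee would be left with no roles at all, which is the case where the account is suspended.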