How to Customize a Role to Remove a Privilege from it

Please follow the steps below to remove the Privilege "Create Payables Payment" for the “Accounts
Payable Payment Supervisor” role:
In order to remove a privilege from a role we need to create a custom role because roles should not be removed
from Oracle seeded roles.

1. Log into a user who has “IT_Security_Manager” privileges and go to “Tools” and select “Security Console”.

2. Search for Job Role “Accounts Payable Payment Supervisor” and select it

3. We need to copy this role and rename it into a role that would be easily identifiable so it will not be
confused with the original seeded role. Click on the down arrow and select “Copy Role”.
4. For the “Copy Options” select “Copy top role and inherited roles” and click “Copy Role”.

5. Now create the custom role name you want, for my example I went with:
Role Name - Accounts Payable Payment Supervisor Without Create Payables Payment
Role Code- Accounts_Payable_Payment_Supervisor_Without_Create_Payables_Payment

6. Click on step 7 “Summary” and then click “Submit and Close”

7. You should see a confirmation box appear, click the OK” box.

8. Now search for the new role you just created – “Accounts Payable Payment Supervisor Without Create
Payables Payment”, click on the down arrow and select “Edit Role”
9. Click on Step 2 “Function Security Policies” and in the search field enter “Create Payables Payment” and
hit enter.

10. You will notice nothing comes up that is because you need to click on “Load Inherited Policies” once you
do the privilege will show up.

11. The privilege should now show, look for the “Inherited from Role” which should be “ASE_Payables
Payment Creation_200801_131135” (or similar). Highlight and copy this role.
12. Click on step 4 “Role Hierarchy” and in the “Role Name” search field paste the role “ASE_Payables
Payment Creation_200801_131135” into the form and select enter. (This is a verification step to see
which role needs to be edited). Click cancel to get back to security console.

13. In the search box for Job roles enter “ASE_Payables Payment Creation_200801_131135” and verify the
“DUTY” role is the one we have not the “DUTY_CRM”.

14. Click on the down arrow again and select “Copy Role”

15. For the “Copy Options” select “Copy top role and inherited roles” and click “Copy Role”.
16. Now create the custom role name you want for this priviege, for my example I went with:
Role Name - Payables Payment Creation without Quick Payment Option
Role Code- Payables_Payment_Creation_without_Quick_Payment_Option

17. Click on step 7 “Summary” and then click “Submit and Close”

18. You should see a confirmation box appear, click the OK” box.

19. Now search for the new role privilege you just created – “Payables Payment Creation without Quick
Payment Option”, click on the down arrow and select “Edit Role”.
20. Click on Step 2 “Function Security Policies” and this time you should already see the “Create Payables
Payment” Privilege and the “Delete” option should be grayed out.

21. Select the privilege below it, which should be “Manage Payables Payment Process Request Template”,
and the “Delete” option should now be a Dark black which means we can remove a privilege.

22. Now select the “Create Payables Payment” privilege and click on the “Delete” button.

23. You should see a warning window stating you will be deleting the privilege, click on the “Yes” button.
24. The “Create Payables Payment” privilege should now be gone.

25. Click on step 7 “Summary” and then click “Save and Close”

26. You should see a confirmation box appear, click the OK” box.

27. Now search for the new role you just created – “Accounts Payable Payment Supervisor Without Create
Payables Payment”, click on the down arrow and select “Edit Role”.

28. Click on Step 4 “Role Hierarchy” and in the search field enter “ASE_Payables Payment
Creation_200801_131135” and hit enter.
29. Select the “ASE_Payables Payment Creation_200801_131135” DUTY role (not the DUTY_CRM role) and
click on the “Delete” button.

30. You should see a warning window stating you will be deleting the role membership, click on the “Yes”
button.

31. The previous role will be removed, now click on the “Add Role” button and the “Add Role Membership”
window should appear.

32. In the Search box enter the customer role we previously created: “Payables Payment Creation without
Quick Payment Option” and click on the “Add Role Membership” button.

33. Click the “X” button in the upper-right of the same window to close it.
 34. Click on step 7 “Summary” and if you want to review the changes being made click on the dropdown
arrow for “Role Hierarchy” and it should show the deletion and addition of the roles. Once you have
reviewed it and confirmed its correct click “Save and Close”.

35. You should see a confirmation box appear, click the OK” box.

36. If you want to verify the role no longer has the “Create Payables Payment” privilege you can edit the
“Accounts Payable Payment Supervisor Without Create Payables Payment” role and search for it. Should
not show up anymore. Click “Cancel” to leave the edit screen.

37. At this point it is about adding the custom role to your user and replacing the seeded Oracle role for the
one you created. As I mentioned before you can name the customer role anything you want. The name I
used was just a placeholder.

After you add/Remove any role/privilege to any user, you need to run the below required jobs from
"Scheduled Processes":

a. Send Pending LDAP Requests.

b. Retrieve Latest LDAP Changes
c. Import User and Role Application Security Data

Once you have done this “Quick Payment” should be completely disabled for this user with this custom role
profile.