A system security officer can define role hierarchies such that if a user has one role, the user also has roles lower in the hierarchy. When you grant a role, role1, to another role, say, role2, you set up a hierarchy where role2 contains role1. For example, the “chief_financial_officer” role might contain both the “financial_analyst” and the “salary_administrator” roles.
The chief financial officer can perform all tasks and see all data that can be viewed by salary administrators and financial analysts.
Additionally, you can define a role’s mutual exclusivity to enforce static or dynamic separation of duty policies. Roles can be defined to be mutually exclusive for:
Membership – one user cannot be granted two different roles. For example, you might not want the “payment_requestor” and “payment_approver” roles to be granted to the same user.
Activation – one user cannot activate, or enable, two different roles. For example, a user might be granted both the “senior_auditor” and the “equipment_buyer” roles, but not permitted to have both roles enabled at the same time.
System roles, as well as user-defined roles, can be defined to be in a role hierarchy, or to be mutually exclusive. For example, you might want a “super_user” role to contain the system administrator, operator, and Technical Support roles. To enforce a separation of roles, you may want to define the system administrator and system security officer roles to be mutually exclusive for membership; that is, one user cannot be granted both roles.
