Chetan Patwardhan

How improper role design can be even more costly than risk - JP Nicholson

Scenario: Improper role design has financial implications that go far beyond the separation-of-duties and sensitive-access paradigms. Roles that are not built correctly affect which Oracle modules are called, and how many, which in turn affects what Oracle bills you for.

Solution:

Utilize best practices approaches for role design:

  1. Use a least-privilege access design principle. Keep in mind that less access also means fewer users calling that role, which means fewer users accessing that module.

  2. Remediate any “intra-role” conflicts (conflicting duties within a single role) and any roles that have excessive access; this also reduces potential module usage.

  3. Start with seeded roles and remove access where it is not needed, again based on the least-privilege principle.

  4. Avoid building from scratch. We have seen many cases where subscription costs were far higher as a result of incorrect roles with major design flaws.
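To make the four points above concrete, here is an added example (not code from the original post, and not Oracle's seeded definitions) that models roles as sets of privileges, maps each privilege to the module that serves it, and then computes a role's module footprint, its intra-role separation-of-duties conflicts, and the footprint left after a least-privilege trim. Every role, privilege, module and SoD rule is constructed for illustration.

```python
"""Added example, not code from the original post: a toy role-design
analysis showing how a role's privileges determine which modules it
reaches (its billing footprint) and where intra-role separation-of-duties
conflicts sit. Every role, privilege, module and SoD rule here is
constructed for illustration; none is an Oracle seeded definition."""
from itertools import combinations

# Constructed catalogue: which module serves each privilege.
PRIVILEGE_MODULE = {
    "Create Supplier": "Procurement",
    "Approve Purchase Order": "Procurement",
    "Enter AP Invoice": "Payables",
    "Approve AP Invoice": "Payables",
    "Run Payment Batch": "Payables",
    "Post GL Journal": "General Ledger",
    "View Financial Reports": "General Ledger",
    "Maintain Employee Salary": "HCM",
}

# Constructed SoD rules: privilege pairs that must not sit in one role.
SOD_RULES = {
    frozenset({"Create Supplier", "Enter AP Invoice"}),
    frozenset({"Enter AP Invoice", "Approve AP Invoice"}),
    frozenset({"Approve AP Invoice", "Run Payment Batch"}),
}

# Constructed roles. "AP Super User" stands in for a from-scratch role
# with excessive access; the other two are narrow, least-privilege roles.
ROLES = {
    "AP Super User": {
        "Create Supplier", "Enter AP Invoice", "Approve AP Invoice",
        "Run Payment Batch", "Post GL Journal", "View Financial Reports",
        "Maintain Employee Salary",
    },
    "AP Invoice Entry": {"Enter AP Invoice", "View Financial Reports"},
    "AP Invoice Approver": {"Approve AP Invoice", "View Financial Reports"},
}


def modules_for_privileges(privileges):
    """Modules called by a set of privileges."""
    return {PRIVILEGE_MODULE[p] for p in privileges}


def modules_for_role(role):
    """A role's module footprint: every module its privileges reach."""
    return modules_for_privileges(ROLES[role])


def intra_role_conflicts(role):
    """SoD violations contained within a single role, as sorted pairs."""
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(ROLES[role], 2)
        if frozenset(pair) in SOD_RULES
    )


def module_footprint(user_roles):
    """Map each module to the users whose roles reach it.
    user_roles: {user: [role, ...]}"""
    footprint = {}
    for user, roles in user_roles.items():
        for role in roles:
            for module in modules_for_role(role):
                footprint.setdefault(module, set()).add(user)
    return footprint


def trim_role(role, privileges_in_use):
    """Least-privilege pass: keep only the privileges the role's holders
    actually use. Returns a new privilege set; ROLES is left unchanged."""
    return ROLES[role] & set(privileges_in_use)


if __name__ == "__main__":
    users = {"alice": ["AP Super User"], "bob": ["AP Invoice Entry"],
             "carol": ["AP Invoice Approver"]}
    print("Modules reached by AP Super User:", sorted(modules_for_role("AP Super User")))
    print("Intra-role conflicts:", intra_role_conflicts("AP Super User"))
    for module, who in sorted(module_footprint(users).items()):
        print(f"{module}: {sorted(who)}")
    trimmed = trim_role("AP Super User", ["Enter AP Invoice", "View Financial Reports"])
    print("After trimming, modules reached:", sorted(modules_for_privileges(trimmed)))
```

The broad role reaches four modules and carries three intra-role conflicts, while the two narrow roles reach two modules each and carry none; trimming the broad role to the privileges actually used drops its footprint to the same two modules, which is the point the post makes about least privilege and billing.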

Chetan Patwardhan

Model Security Vs. Control Security - Kyra Geryol

Authorizations (Across all RM Objects)

Owner - The user can view, edit, delete, and modify the security of the risk management object

Editor - The user can view and edit the object but cannot delete or modify the security

View - The user can only view the object and/or data

Models

There is only one level of security for models. This means a user can be assigned to a model as an Owner, Editor, or Viewer, and can see the model details, logic, and results regardless of which of those authorizations they hold.

Controls

There are two levels of security for controls: Control Security and Result Security. Controls have two levels rather than one, unlike Models, because there needs to be a separation of duties once users work with controls in a Production environment. Controls are what the reports gather data from and where remediation occurs.

Control Security: Grants a user access to the control itself, meaning the control details, comments, logic, and security assignment (depending on authorization).

Result Security: This feature grants users access to the results, which they can remediate or view (depending on authorization).

Best Practice Solution for Controls Security Assignment

Suppose a user needs access to remediate a control's results. In that case, they should be assigned as Viewers of the Control Security so they can only see the control details but not modify anything, and they should be Owners or Editors of the Result Security.
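The following is an added example, not code from the original post: a small model of the Owner/Editor/View authorizations defined above, with Models carrying one security layer and Controls carrying separate Control Security and Result Security layers. The review_remediators() function applies the best practice just stated, flagging any user who can remediate results but holds more than Viewer on Control Security (or no Control Security at all). All user, model and control names are constructed for illustration.

```python
"""Added example, not code from the original post: a small model of the
Owner/Editor/View authorizations described above. Models carry one
security layer; controls carry separate Control Security and Result
Security layers. review_remediators() applies the best practice for
users who remediate results. All user, model and control names are
constructed for illustration."""

OWNER, EDITOR, VIEWER = "Owner", "Editor", "Viewer"

# What each authorization level lets a user do, per the definitions above.
CAPABILITIES = {
    OWNER: {"view", "edit", "delete", "modify_security"},
    EDITOR: {"view", "edit"},
    VIEWER: {"view"},
}

# Constructed assignments: object -> {user: level}.
MODEL_SECURITY = {
    "Duplicate Vendor Model": {"alice": OWNER, "bob": VIEWER},
}
CONTROL_SECURITY = {
    "Duplicate Vendor Control": {"alice": OWNER, "bob": VIEWER, "carol": EDITOR},
}
RESULT_SECURITY = {
    "Duplicate Vendor Control": {"bob": EDITOR, "carol": OWNER},
}


def allowed(layer, obj, user, action):
    """True if the user's level on obj in this security layer permits action."""
    level = layer.get(obj, {}).get(user)
    return level is not None and action in CAPABILITIES[level]


def can_on_model(user, model, action):
    """Models have one layer: details, logic and results go together."""
    return allowed(MODEL_SECURITY, model, user, action)


def can_on_control(user, control, action):
    """Control Security: the control's details, comments, logic, security."""
    return allowed(CONTROL_SECURITY, control, user, action)


def can_on_results(user, control, action):
    """Result Security: the control's results; remediation is an edit."""
    return allowed(RESULT_SECURITY, control, user, action)


def review_remediators(control):
    """Check every user able to remediate results (Owner/Editor on Result
    Security) against the best practice: Viewer on Control Security.
    Returns {user: finding}."""
    findings = {}
    for user, result_level in RESULT_SECURITY.get(control, {}).items():
        if result_level not in (OWNER, EDITOR):
            continue
        control_level = CONTROL_SECURITY.get(control, {}).get(user)
        if control_level == VIEWER:
            findings[user] = "ok"
        elif control_level is None:
            findings[user] = "missing Viewer on Control Security"
        else:
            findings[user] = f"excessive: {control_level} on Control Security"
    return findings


if __name__ == "__main__":
    ctl = "Duplicate Vendor Control"
    print("bob can view control:", can_on_control("bob", ctl, "view"))
    print("bob can edit control:", can_on_control("bob", ctl, "edit"))
    print("bob can remediate results:", can_on_results("bob", ctl, "edit"))
    for user, finding in review_remediators(ctl).items():
        print(f"{user}: {finding}")
```

In the constructed data, bob matches the best practice (Viewer on Control Security, Editor on Result Security), while carol is flagged because Editor on Control Security lets her change the logic of the same control whose results she remediates, which defeats the separation of duties the two layers exist to provide.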
