Role hierarchies and mutual exclusivity

A system security officer can define role hierarchies such that if a user has one role, the user also has roles lower in the hierarchy. For example, the “chief_financial_officer” role might contain both the “financial_analyst” and the “salary_administrator” roles, as shown in Figure 14-2.

Figure 14-2: Role hierarchy

Image shows a large box labelled Chief Financial Officer with two smaller boxes inside labelled Financial Analyst and Salary Administrator.

The Chief Financial Officer can perform all tasks and see all data that can be viewed by the Salary Administrators and Financial Analysts.

Additionally, you can define roles as mutually exclusive to enforce static or dynamic separation of duty policies. Roles can be mutually exclusive for membership (static separation of duty: no one user can be granted both roles) or for activation (dynamic separation of duty: a user who has been granted both roles cannot have both active in the same session).

System roles, as well as user-defined roles, can be placed in a role hierarchy or defined to be mutually exclusive. For example, you might want a “super_user” role to contain the System Administrator, Operator, and Technical Support roles. To enforce a separation of duties, you might also want to define the System Administrator and System Security Officer roles to be mutually exclusive for membership; that is, one user cannot be granted both roles.
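The following is an added example, not part of the original page, that carries out both the hierarchy of Figure 14-2 and the mutual exclusivity rules described above in Transact-SQL. It assumes Sybase Adaptive Server Enterprise syntax (create role, grant role ... to role, alter role ... add exclusive ..., sp_displayroles), that the System Administrator, Operator, Technical Support and System Security Officer roles are sa_role, oper_role, sybase_ts_role and sso_role, and that the logins cfo_login and admin_login and the roles payment_creator and payment_approver already exist or are created here; all of these names are illustrative assumptions. The statements must be run by a System Security Officer.

```sql
-- Added example (not from the original page). Assumes Sybase ASE syntax;
-- login and role names other than those in the text are assumed.

-- 1. Role hierarchy from Figure 14-2: chief_financial_officer contains
--    financial_analyst and salary_administrator.
create role financial_analyst
go
create role salary_administrator
go
create role chief_financial_officer
go
grant role financial_analyst to chief_financial_officer
go
grant role salary_administrator to chief_financial_officer
go

-- A login granted only the top role holds the contained roles as well.
-- cfo_login is an assumed login name; expand_down lists the roles it
-- receives through the hierarchy.
grant role chief_financial_officer to cfo_login
go
sp_displayroles cfo_login, expand_down
go

-- 2. A super_user role containing the three system roles named in the text
--    (sa_role, oper_role, sybase_ts_role are the ASE names for them).
create role super_user
go
grant role sa_role to super_user
go
grant role oper_role to super_user
go
grant role sybase_ts_role to super_user
go

-- 3. Static separation of duty: mutually exclusive membership.
--    After this, no login can hold both sa_role and sso_role.
alter role sa_role add exclusive membership sso_role
go
-- admin_login is an assumed login that already has sa_role; the second
-- grant is rejected because the roles are membership-exclusive.
grant role sa_role to admin_login
go
grant role sso_role to admin_login
go

-- 4. Dynamic separation of duty: mutually exclusive activation.
--    A login may be granted both roles but cannot have both active at once.
--    payment_creator and payment_approver are assumed role names that are
--    not related through any hierarchy (ASE will not make two roles
--    exclusive if a third role already contains both of them).
create role payment_creator
go
create role payment_approver
go
alter role payment_creator add exclusive activation payment_approver
go
grant role payment_creator to cfo_login
go
grant role payment_approver to cfo_login
go
-- In a session as cfo_login: the first activation succeeds, the second is
-- rejected while payment_creator is still active.
set role payment_creator on
go
set role payment_approver on
go
-- Verify what is active in the current session and what is exclusive.
sp_activeroles
go
sp_displayroles
go
```

The distinction between the two exclusivity modes is the point to check: a membership rule is enforced at grant time and blocks the second grant outright, whereas an activation rule lets both grants through and is enforced only when the session tries to switch the second role on. Use the membership form where the policy is that the two duties must never be held by the same person; use the activation form where one person may legitimately hold both duties but must not exercise them in the same session.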