# Custom Roles

Custom roles can be used to control access to specific features and functions within the system, and they can be customized to fit the specific needs of an organization. For example, an administrator might create a custom role that allows a user to view and edit employee records, but not to delete them.

These are the custom roles I recommend assigning to your user. There should of course be more, but I believe this is the bare minimum required to begin your implementation tasks.

I chose to duplicate one standard role and attach function security privileges and role-hierarchy memberships to it, so that the copy grants access to features such as LACLS, BPM, DFF, and Lookups.

To create the copy, select the role with Role Name / Code: Employee / ORA_PER_EMPLOYEE_ABSTRACT.

{% content-ref url="../how-to-select-the-best-roles-to-begin-setups" %}
[how-to-select-the-best-roles-to-begin-setups](https://clouderprookies.gitbook.io/docs/1.-basic-concepts-and-navigation/roles/how-to-select-the-best-roles-to-begin-setups)
{% endcontent-ref %}

#### Privilege

<table><thead><tr><th width="249.33333333333331">Role Name</th><th>Role Code</th><th align="center">Type</th><th>Description</th></tr></thead><tbody>
<tr><td>Financials Administration for Brazil</td><td>ORA_JL_BRAZIL_CONFIGURATION_ADMINISTRATION_DUTY</td><td align="center">Security Policy || Privilege</td><td>Configure Brazil country specific functionality for Financials.</td></tr>
<tr><td>Fiscal Document Generation</td><td>ORA_JG_FISCAL_DOCUMENT_GENERATION_DUTY</td><td align="center">Security Policy || Privilege</td><td>Control the ability to submit, print and void fiscal documents.</td></tr>
<tr><td>Payables Management for Brazil</td><td>ORA_JL_AP_BRAZIL_MANAGEMENT_DUTY</td><td align="center">Security Policy || Privilege</td><td>Allows the import and management of Payables collection documents and bank returns as per Brazil country specific requirements.</td></tr>
<tr><td>Receivables Management for Brazil</td><td>ORA_JL_AR_BRAZIL_MANAGEMENT_DUTY</td><td align="center">Security Policy || Privilege</td><td>Allows the creation and management of Receivables collection documents for Brazil country specific requirements.</td></tr>
<tr><td>Geography Administration</td><td>ORA_GEO_ADMIN_DUTY</td><td align="center">Security Policy || Privilege</td><td>Grants privileges to set up geographies.</td></tr>
<tr><td>Edit Approval Rules in Oracle BPM Worklist</td><td>POR_EDIT_APPROVAL_RULES_IN_BPM_WORKLIST_PRIV (Obsolete 22A)</td><td align="center">Security Policy || Privilege to Role</td><td>Allows users to edit approval rules in Oracle Business Process Management Worklist Application after using the Oracle Procurement Manage Approvals to edit rules.</td></tr>
<tr><td>Run File Import Scheduler</td><td>ZCA_RUN_FILE_IMPORT_SCHEDULER_PRIV (Obsolete 22A)</td><td align="center">Security Policy || Privilege to Role</td><td>Allows scheduling and monitoring the process that schedules file import activities.</td></tr>
<tr><td>Set Up File Import Activity</td><td>ZCA_SET_UP_FILE_IMPORT_ACTIVITY_PRIV (Obsolete 22A)</td><td align="center">Security Policy || Privilege to Role</td><td>Allows creating and maintaining import activities that contain process criteria, file mapping, and schedule to import external files containing business objects, such as customers and contacts, into staging tables.</td></tr>
<tr><td>Set Up File Import Object and Mapping</td><td>ZCA_SET_UP_FILE_IMPORT_OBJECT_AND_MAPPING_PRIV (Obsolete 22A)</td><td align="center">Security Policy || Privilege to Role</td><td>Allows reviewing and registering business objects, such as sales leads and opportunities, intended for import from external files. Also allows creating and maintaining maps of external source file columns to target staging table columns for use in importing those business objects, such as sales leads, customers, contacts, and sales catalogs.</td></tr>
<tr><td>Capture Tax Authority Return Manually</td><td>JG_FDG_CAPTURE_TAX_AUTHORITY_RETURN_MANUALLY_PRIV</td><td align="center">Security Policy || Privilege to Role</td><td>Allows manual capture of tax authority return, which determines the approval or rejection of the fiscal document.</td></tr>
<tr><td>Manage Application Standard Lookup</td><td>FND_APP_MANAGE_STANDARD_LOOKUP_PRIV</td><td align="center">Security Policy || Privilege to Role</td><td>Manage sub-type entities stored in the Application Standard Lookup Values entity. Lookup Types are lists of values such as "Days of the Week" or "Yes/No" which can be used to validate column values.</td></tr>
<tr><td>Manage Application Flexfield Value Set</td><td>FND_APP_MANAGE_FLEXFIELD_VALUE_SET_PRIV</td><td align="center">Security Policy || Privilege to Role</td><td>Allows management of value sets to validate the content of a flexfield segment. Value sets provide declarative validation for use in applications flexfield attributes and key segments.</td></tr>
<tr><td>Manage Application Descriptive Flexfield</td><td>FND_APP_MANAGE_DESCRIPTIVE_FLEXFIELD_PRIV</td><td align="center">Security Policy || Privilege to Role</td><td>Allows management of application descriptive flexfields.</td></tr>
<tr><td>Set Issue Recording Advanced Options</td><td>FND_SET_ISSUE_RECORDING_ADVANCED_OPTIONS_PRIV</td><td align="center">Security Policy || Privilege to Role</td><td>Allows update of advanced options when recording an issue.</td></tr>
<tr><td>Record and View Issue</td><td>FND_RECORD_AND_VIEW_ISSUE_PRIV</td><td align="center">Security Policy || Privilege to Role</td><td>Allows update of advanced options when recording an issue.</td></tr>
<tr><td>Submit Purchasing Document Online Bypassing Approval</td><td>PO_BYPASS_PURCHASE_ORDER_APPROVAL_ONLINE_PRIV</td><td align="center">Security Policy || Privilege to Role</td><td>Restricted feature that allows procurement agents to bypass approvals when creating purchase orders or agreements online. Do not use in production environments.</td></tr>
<tr><td>BPM Workflow All Domains Administrator Role</td><td>BPMWorkflowAllDomainsAdmin</td><td align="center">Role Hierarchy || Role Membership</td><td>Administer the BPM tasks for all domains and their workflow processes.</td></tr>
<tr><td>BPM Workflow Financials Administrator</td><td>BPMWorkflowFINAdmin</td><td align="center">Role Hierarchy || Role Membership</td><td>Administer the BPM tasks for Financials workflow processes.</td></tr>
<tr><td>BPM Admin Role</td><td>BPMProcessAdmin</td><td align="center">Role Hierarchy || Role Membership</td><td>BPM application admin role, has full privilege for performing any operations including security related.</td></tr>
<tr><td>BPM Workflow System Admin Role</td><td>BPMWorkflowAdmin</td><td align="center">Role Hierarchy || Role Membership</td><td>BPM Workflow Administrator Application Role.</td></tr>
</tbody></table>
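Before the copied role is assigned, it is worth checking its grant list against the notes in the table: four privileges are marked obsolete in 22A, one is restricted to non-production use, and several memberships are BPM-wide admin roles. The script below is an added example, not code from this page or from Oracle; it reads a constructed `CODE,TYPE` list (a format invented here, not a Security Console export) and reports those cases per target environment.

```python
"""Pre-assignment check for a copied role's grants.

Added example (not code from the page or from Oracle). It parses a
small constructed grant list in a "CODE,TYPE" format invented for this
example and flags the entries the table above marks as obsolete in 22A
or as not for production, plus admin-level BPM role memberships.
"""
from collections import Counter
from dataclasses import dataclass

# Codes the table marks "(Obsolete 22A)".
OBSOLETE_22A = {
    "POR_EDIT_APPROVAL_RULES_IN_BPM_WORKLIST_PRIV",
    "ZCA_RUN_FILE_IMPORT_SCHEDULER_PRIV",
    "ZCA_SET_UP_FILE_IMPORT_ACTIVITY_PRIV",
    "ZCA_SET_UP_FILE_IMPORT_OBJECT_AND_MAPPING_PRIV",
}
# The table says "Do not use in production environments" for this one.
NOT_FOR_PRODUCTION = {"PO_BYPASS_PURCHASE_ORDER_APPROVAL_ONLINE_PRIV"}
# Role memberships from the table that carry BPM-wide admin rights.
ADMIN_ROLE_MEMBERSHIPS = {
    "BPMWorkflowAllDomainsAdmin",
    "BPMProcessAdmin",
    "BPMWorkflowAdmin",
}


@dataclass(frozen=True)
class Grant:
    code: str
    grant_type: str  # "Privilege" or "Role Membership"


@dataclass(frozen=True)
class Finding:
    code: str
    severity: str  # "critical", "warning" or "info"
    reason: str


def parse_grants(text):
    """Parse 'CODE,TYPE' lines; blank lines and '#' comments are skipped."""
    grants = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        code, _, grant_type = line.partition(",")
        grants.append(Grant(code.strip(), grant_type.strip()))
    return grants


def audit_role(grants, environment):
    """Return the findings for a role destined for the named environment."""
    findings = []
    seen = set()
    for g in grants:
        if g.code in seen:
            findings.append(Finding(g.code, "info", "duplicate grant"))
            continue
        seen.add(g.code)
        if g.code in OBSOLETE_22A:
            findings.append(Finding(g.code, "warning", "obsolete since 22A; remove from the role"))
        if g.code in NOT_FOR_PRODUCTION and environment == "production":
            findings.append(Finding(g.code, "critical", "restricted privilege; not for production"))
        if g.grant_type == "Role Membership" and g.code in ADMIN_ROLE_MEMBERSHIPS:
            findings.append(Finding(g.code, "warning", "admin-level BPM role membership; confirm it is needed"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'warning': 2}."""
    return dict(Counter(f.severity for f in findings))


def approve_for(grants, environment):
    """True when the role has no critical finding for that environment."""
    return all(f.severity != "critical" for f in audit_role(grants, environment))


# Constructed sample grant list; not exported from a real instance.
SAMPLE_GRANTS = """\
# code,type
ORA_JL_BRAZIL_CONFIGURATION_ADMINISTRATION_DUTY,Privilege
FND_APP_MANAGE_STANDARD_LOOKUP_PRIV,Privilege
ZCA_RUN_FILE_IMPORT_SCHEDULER_PRIV,Privilege
PO_BYPASS_PURCHASE_ORDER_APPROVAL_ONLINE_PRIV,Privilege
FND_APP_MANAGE_STANDARD_LOOKUP_PRIV,Privilege
BPMProcessAdmin,Role Membership
"""

if __name__ == "__main__":
    grants = parse_grants(SAMPLE_GRANTS)
    for env in ("test", "production"):
        print(f"== {env}: approved={approve_for(grants, env)}")
        for f in audit_role(grants, env):
            print(f"  [{f.severity}] {f.code}: {f.reason}")
```

The same grant list passes for a test environment (only warnings and an info) and is rejected for production because of the bypass-approval privilege; the sets at the top are the place to extend the policy as the role grows.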

{% hint style="danger" %}
Don't forget to finish the custom role and to run the task "Manage Data Role and Security Profiles" as well.
{% endhint %}

<div align="left"><figure><img src="https://1038566641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcTSOoJUMWUiBeNQVaoa6%2Fuploads%2FSJUoOJKm3kR68sZHJOTd%2Fimage.png?alt=media&#x26;token=d243ba0c-ee24-4d47-afea-e80355144303" alt="" width="375"><figcaption></figcaption></figure></div>

{% hint style="warning" %}
Because these roles grant no data access, they can be combined into a single role. This simplifies the access control procedure and reduces the system's complexity, and it helps increase system security by reducing the number of roles with access to sensitive data.
{% endhint %}

{% hint style="info" %}
Don't forget to run these jobs after you've finished registering these roles to synchronize your access:

* Retrieve Latest LDAP Changes
* Import User and Role Application Security Data
* Send Pending LDAP Requests
* Send Personal Data for Multiple Users to LDAP
{% endhint %}

**Retrieve Latest LDAP Changes**

It is critical that all User Account information be synced from the LDAP directory to the Cloud application; otherwise, roles and user accounts will not appear in the application.

**Import User and Role Application Security Data**

This is a key step for system security. The process imports user and role data from LDAP into the Fusion HCM Security Console tables. It creates a privilege named with the job name prefixed by "RUN\_", which is what allows users to run specific jobs from the Scheduled Processes interface. It is also recommended to run this process periodically, at least twice a day, so that the latest LDAP changes are reflected in the system and security data integrity and access control policies remain effective.

**Send Pending LDAP Requests**

This process handles many important functions in the Cloud Application, such as creating, suspending, and reactivating user accounts.

**Send Personal Data for Multiple Users to LDAP**

**All Users:** The process sends personal information for all users to the Identity Store, regardless of whether the information has changed since the last time it was sent.

**Changed Users Only:** The process sends only the personal information that has changed since it was last sent to the Identity Store (regardless of how it was sent). This is the default setting.

More details in "Securing Sales and Fusion Service":

<https://docs.oracle.com/en/cloud/saas/sales/oscus/overview-of-applications-security-setup-tasks.html#s20057564>
