
Adding entitlements to roles

Once you have added a role, you can add resource entitlements, including accounts, managed groups, and other roles you have already defined.

Note the following:

  • A role should contain at least one account.

  • Group memberships should be requested as part of a role that includes an account, or in addition to a role. Do not create a role that only contains managed groups.

    It is recommended that template accounts are not themselves members of managed groups. This allows you to control group membership by including the group as a member of a role.

  • You cannot add a “closed” managed group (no membership changes allowed) to a role.

  • It is recommended that a role contains at least one required entitlement.

  • If users are given the same resource from multiple roles, they lose the resource only when all roles that give them the resource are removed from their profile.

  • You cannot add an entitlement to a role if it would cause the role to be in violation of an SoD rule.

  • You cannot add a role as an entitlement to another role if it will cause a cycle. For example, ROLE1 cannot be ROLE2’s entitlement if ROLE2 is already ROLE1’s entitlement.
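
The cycle rule and the multiple-role rule above can be modelled as a graph check and a reference count. The following Python example is an added illustration, not product code; the class, method and resource names are assumptions, and it extends the ROLE1/ROLE2 case to cycles that pass through any number of nested roles.

```python
# Added illustration; all names and data are constructed, not taken from the product.
from collections import Counter


class RoleModel:
    def __init__(self):
        self.resources = {}  # role -> accounts / managed groups it grants directly
        self.nested = {}     # role -> roles it includes as entitlements

    def add_role(self, role, resources=()):
        self.resources[role] = set(resources)
        self.nested[role] = set()

    def _reaches(self, start, target):
        """True if `target` is reachable from `start` through nested roles."""
        stack, seen = [start], set()
        while stack:
            role = stack.pop()
            if role == target:
                return True
            if role not in seen:
                seen.add(role)
                stack.extend(self.nested[role])
        return False

    def add_role_entitlement(self, parent, child):
        """Nest `child` in `parent`, refusing any edge that would close a cycle."""
        if self._reaches(child, parent):
            raise ValueError(f"{child} cannot be an entitlement of {parent}: cycle")
        self.nested[parent].add(child)

    def expand(self, role):
        """All resources a role grants, including those from nested roles."""
        granted, stack, seen = set(), [role], set()
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                granted |= self.resources[r]
                stack.extend(self.nested[r])
        return granted

    def effective_resources(self, assigned_roles):
        """Map each resource to the number of assigned roles that grant it."""
        counts = Counter()
        for role in assigned_roles:
            counts.update(self.expand(role))
        return counts
```

A resource whose count is greater than one stays on the user's profile when a single role is removed; it disappears only when the count reaches zero.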

To add resource entitlements to a role:

  1. Navigate to the Role information page.

  2. Click the Entitlements tab, then the sub-tab link for:

    • Account

    • Managed group

    • Role

  3. Click Select….

  4. Select the entitlements you want to include, then click Select.

  5. Set the Necessity type.

  6. Click Update.

Next:

Configure role enforcement if required. See Configuring role enforcement.