In an Oracle Cloud application, access to its functionality and data is secured using the industry-standard framework for authorization, role-based access control. In a role-based access control model, users are assigned roles, and roles are assigned access privileges to protected resources. The relationship between users, roles, and privileges is shown in the following figure.
[Figure: Role Hierarchy. This diagram illustrates that users inherit privileges and security policy by way of roles assigned to them, which is described in the text that follows.]
In Oracle Fusion every user action is controlled by roles and privileges. While seeded roles work well as a starting point, real-world implementations often require more precision than what standard roles provide. This is where custom roles become a critical part of a clean and secure Fusion implementation.
Rather than being treated as a technical task, custom roles should be approached as a business control mechanism, one that balances usability, compliance, and license optimization.
When Seeded Roles Are Not Enough
In theory, seeded roles simplify security. In practice, they often introduce challenges such as:
- Users receiving access to features they never use
- Overlapping privileges creating segregation-of-duty risks
- Reporting or inquiry access triggering unnecessary licenses
These gaps don’t indicate a weakness in Fusion; they highlight the need for role refinement aligned with business processes.
Understanding the Building Blocks of Fusion Roles
Every custom role in Fusion is shaped by two fundamental elements:
- Action permissions – what the user can perform
- Data scope – which records the user can access
Both must be designed together. Granting a task without properly restricting data can lead to unintended exposure, even if the role looks minimal on paper.
A Smarter Approach to Custom Role Design
- Define what the user actually does day to day. Similar titles don’t always require the same access.
- Review Oracle’s seeded roles, copy the closest match, and refine it instead of building roles from scratch.
- Remove unnecessary privileges first and test incrementally to maintain least-privilege access.
- Ensure roles expose only the required business units, ledgers, or organizations—especially in multi-BU environments.
- Validate end-to-end processes, restricted screens, and report visibility to catch gaps early.
From the Security Console, let's create a custom role.
Search for a seeded role and select the Copy Role menu option.
Then select Copy top role.
Enter the role name and code and click Next.
At this stage you can amend the privileges; in my case, I am removing the Manage Contract Deliverable privilege.
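The following is an added example, not part of the original post and not Oracle code: an offline review of a copied role against its seeded source. It covers the privilege diff, action permissions left without a data scope, business units beyond the intended scope, and segregation-of-duty pairs. Apart from the Manage Contract Deliverable privilege named above, every role code, privilege name, business unit and conflict rule is constructed for illustration, and the structure is an assumption rather than any Oracle export format.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Role:
    code: str
    privileges: set[str]                                  # action permissions
    data_scope: dict[str, set[str]] = field(default_factory=dict)  # privilege -> business units

# All values below are constructed for illustration, except the privilege
# "Manage Contract Deliverable", which the post removes from the copied role.
SEEDED = Role("SEEDED_CONTRACT_ROLE",
              {"Manage Contract Deliverable", "Edit Contract", "View Contract", "Approve Contract"})
CUSTOM = Role("XX_CONTRACT_ROLE_CUSTOM",
              {"Edit Contract", "View Contract", "Approve Contract"},
              {"Edit Contract": {"BU_UK"}, "View Contract": {"BU_UK", "BU_US"}})
SOD_CONFLICTS = [("Edit Contract", "Approve Contract")]   # hypothetical rule set
ALLOWED_BUS = {"BU_UK"}                                   # scope the job actually needs

def review(seeded: Role, custom: Role, allowed_bus: set[str],
           sod_conflicts: list[tuple[str, str]]) -> dict:
    """Return findings for a custom role that was copied from a seeded role."""
    scoped = {p: custom.data_scope.get(p, set()) for p in custom.privileges}
    return {
        # Privileges stripped from the copy (expected) and any that crept in (unexpected).
        "removed": sorted(seeded.privileges - custom.privileges),
        "added": sorted(custom.privileges - seeded.privileges),
        # An action permission with no data restriction is the exposure the post warns about.
        "no_data_scope": sorted(p for p, bus in scoped.items() if not bus),
        # Business units granted beyond what the job function requires.
        "out_of_scope_bus": {p: sorted(bus - allowed_bus)
                             for p, bus in sorted(scoped.items()) if bus - allowed_bus},
        # Privilege pairs that should not sit in one role.
        "sod_conflicts": [pair for pair in sod_conflicts if set(pair) <= custom.privileges],
    }

if __name__ == "__main__":
    for finding, value in review(SEEDED, CUSTOM, ALLOWED_BUS, SOD_CONFLICTS).items():
        print(f"{finding}: {value}")
```

Running the same review after each privilege removal gives a record of what changed between the seeded role and the custom copy, which also serves the change tracking discussed later in the post.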
Even experienced teams fall into these traps:
- Creating too many highly specific roles that are hard to maintain
- Assigning roles directly to users instead of using role mappings
- Forgetting to reassess roles during quarterly updates
- Treating reporting access the same as transactional access
Recognizing these early can save significant cleanup effort post-go-live.
Governance Matters More Than Creation
A well-designed custom role can still fail if governance is weak. Maintain:
- A simple role-to-job mapping document
- Clear naming conventions
- Change tracking for audits and troubleshooting
Security design is not a one-time activity; it evolves as the business evolves.
Why Custom Roles Matter Beyond Security
When done correctly, custom roles deliver benefits beyond access control:
- Reduced licensing exposure
- Faster user onboarding
- Cleaner audit results
- Better user confidence in the system
These outcomes make security design a value-adding activity, not just a compliance requirement.
Conclusion
Custom roles in Oracle Fusion Cloud should be designed with intent, not urgency. By focusing on real job functions, controlled data access, and disciplined governance, organizations can build a security model that supports growth without sacrificing control.
For functional consultants, mastering this approach is a strong differentiator, especially in complex, multi-module Fusion environments.