Defining Role Permissions
Use Role Permissions Maintain (36.3.6.5) to associate application resources with a role. Application resources must be associated with a role to be available to a system user. See Defining Role Permissions for details on this program.
If a role currently has no resources associated with it, the role can be associated with any resource. If a role has existing associations, it can only be associated with a resource that has a segregation of duties category that is compatible with the existing categories in the role’s segregation of duties category set.
If you try to associate an application resource with a role that has an incompatible segregation of duties category, the system displays an error message and the association is not saved. Use SOD Matrix Maintain (36.3.27.3) to maintain the compatibility of segregation of duties categories. See Maintaining the Segregation of Duties Matrix.
If a user has already been assigned one or more roles, the user can be assigned to a further role only if each of those roles is compatible with it, or if there is a policy exception that exempts any incompatible pair of roles.
If you try to assign a user to a role that is incompatible with one or more of the roles already assigned to the user, when you attempt to update the database the system displays an error and does not assign the role.
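The two checks described above (resource-to-role and user-to-role) can be modeled as follows. This is an added illustration, not code from the product: the class, the category names and the role names are constructed, and it assumes that two roles are incompatible when any pair of categories across their sets is incompatible and that a policy exception names a pair of roles.

```python
from itertools import product

class SodError(Exception):
    """Raised when an association would violate the SOD matrix."""

class SodModel:
    def __init__(self, incompatible_pairs, exception_pairs=()):
        # SOD matrix reduced to the set of unordered incompatible category pairs.
        self.incompatible = {frozenset(p) for p in incompatible_pairs}
        # Assumption: a policy exception names an unordered pair of roles.
        self.exceptions = {frozenset(p) for p in exception_pairs}
        self.role_resources = {}  # role -> {resource: SOD category}
        self.user_roles = {}      # user -> set of roles

    def categories(self, role):
        """The role's SOD category set, derived from its resources."""
        return set(self.role_resources.get(role, {}).values())

    def add_resource(self, role, resource, category):
        # A role with no resources has an empty set, so anything is accepted.
        clash = sorted(c for c in self.categories(role)
                       if frozenset((c, category)) in self.incompatible)
        if clash:
            raise SodError(f"{resource} ({category}) conflicts with {clash} in {role}")
        self.role_resources.setdefault(role, {})[resource] = category

    def roles_compatible(self, r1, r2):
        # Assumption: roles conflict if any category pair across them conflicts.
        return not any(frozenset(p) in self.incompatible
                       for p in product(self.categories(r1), self.categories(r2)))

    def assign_role(self, user, role):
        held = self.user_roles.get(user, set())
        clash = sorted(r for r in held
                       if not self.roles_compatible(r, role)
                       and frozenset((r, role)) not in self.exceptions)
        if clash:
            raise SodError(f"{role} conflicts with {clash} held by {user}")
        self.user_roles.setdefault(user, set()).add(role)

def attempt(action, *args):
    """Return True if the association is saved, False if SOD rejects it."""
    try:
        action(*args)
        return True
    except SodError:
        return False

# Constructed sample matrix: invoice entry and payment release must be split.
SAMPLE_MATRIX = [("AP-ENTRY", "AP-PAYMENT")]
```
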
When a user is restricted from using an application resource, the user cannot access that resource by typing its name.