The support site for the Unified Compliance Framework


The UCF Roles XML specification

This document describes the XML representation of the UCF's Roles database. Each of the elements, types, and attributes that make up the format is described in detail.

The URL for the Roles XML structure is as follows:

http://unifiedcompliance.com/NFI/XSDs/UCF_Roles_v2_1.xsd

The primary goal of the Roles XML table is to present an organization's roles in a consistent manner, linking those roles directly to Authority Document controls. The secondary goal is to gather enough information to create role definition documents and to automatically create organizational charts from the supplied data.

UCF_Role_Item (UCF_Role_Item_Type)

The UCF role is the role called in during an audit interview or observed during that audit method. If an audit item is linked to more than one role, multiple roles will be listed. The same applies to Controls: if a control calls out a specific role, that role will be linked to the Control, and there can be multiple roles per control.

The UCF_Roles_List is made up of UCF_Role_Item containers. Each container is split into three key elements that must be present at all times:

  • UCF_Meta_Data

  • UCF_Basic_Info

  • UCF_References

UCF_Meta_Data (UCF_Meta_Data_Type)

For detailed documentation of Meta Data fields, please refer to the Meta Data documentation. Below is a list of the meta data fields that are included in the Roles list.

  • UCF_Role_ID

  • UCF_Role_ID_CheckDigit

  • UCF_Role_Live_Status

  • UCF_Role_Deprecated_By

  • UCF_Role_Deprecation_Notes

  • UCF_Role_Date_Added

  • UCF_Role_Date_Modified

  • UCF_Role_Release_Version

UCF_Basic_Info (UCF_Basic_Info_Type)

The UCF_Basic_Info element contains exactly what you'd expect: the most critical information that pertains to all types of roles.

UCF_Role_Name (ucf:non-empty-string)

Each role's name represents what that function is supposed to achieve. Remember that this is very different from a job title, such as CIO, Database Administrator, or Security Manager. A role name doesn't describe a person; it describes the collective set of responsibilities that are assigned to the role. Hence, Role Names are represented as "Define and Manage Business Value," "Conduct Security Administration," or "Manage IT and Compliance Policies and Standards." As such, any number of roles can be assigned to whichever IT title the organization sees fit.

UCF_Role_Description (xs:string)

This is the generalized description of the Role, based upon the controls assigned to the role, that further illustrates what the role is supposed to represent.

UCF_Role_Position_Type (xs:string)

Roles are categorized into different types. At the present time, those types are as follows:

  • Executive

  • Manager

  • Position

  • Consultant

  • Assistant

  • Staff

These types correspond directly to the position types found within Microsoft Visio's Organizational Chart Wizard.

UCF_References

These elements represent the connected references from one role to another (for the Reports_To and Dotted_Line_Reports_To elements) and back to the Controls list.

UCF_Role_Reports_To (xs:string)

This field contains the UCF_Role_ID (if any) of the role that this role reports to. To make this work in your own database, you'll need to create a self-join relationship from the roles database to itself.

UCF_Role_Dotted_Line_Reports_To (xs:string)

Just like Role_Reports_To above, this field contains the UCF_Role_ID (if any) of the role that this role has a dotted line relationship to in an organizational chart.

UCF_Role_Linked_Controls (xs:string)

The UCF_Role_Linked_Controls field contains a return-delimited list of any Control IDs (UCF_CE_IDs) that are related to this role record. These IDs are the same IDs contained in the Roles to Controls Join table and are not needed for data linking purposes. We include this information because we ask that you erase and repopulate your joins each release. Because this field is provided, change records will be created that summarize which controls were added to and removed from the join table from release to release.
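The following is an added example, not code from the UCF or from this specification: it loads two releases of a Roles file, checks that every UCF_Role_Reports_To value resolves in the self-join, and computes the per-role controls added and removed between releases. It assumes the elements carry no XML namespace and are nested as described above; the role IDs, control IDs and sample records are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

def load_roles(xml_text):
    """Map UCF_Role_ID -> name, reports-to ID and set of linked control IDs."""
    roles = {}
    for item in ET.fromstring(xml_text).iter("UCF_Role_Item"):
        text = lambda tag: (item.findtext(f".//{tag}") or "").strip()
        linked = text("UCF_Role_Linked_Controls").splitlines()
        roles[text("UCF_Role_ID")] = {
            "name": text("UCF_Role_Name"),
            "reports_to": text("UCF_Role_Reports_To"),
            # Return-delimited list: one UCF_CE_ID per line.
            "controls": {c.strip() for c in linked if c.strip()},
        }
    return roles

def dangling_reports_to(roles):
    """Role IDs whose Reports_To value does not resolve in the self-join."""
    return sorted(rid for rid, r in roles.items()
                  if r["reports_to"] and r["reports_to"] not in roles)

def control_changes(old, new):
    """Per-role (added, removed) control IDs between two releases."""
    changes = {}
    for rid in old.keys() | new.keys():
        before = old.get(rid, {}).get("controls", set())
        after = new.get(rid, {}).get("controls", set())
        if before != after:
            changes[rid] = (sorted(after - before), sorted(before - after))
    return changes

def _item(rid, name, boss, controls):
    """Build one constructed sample record (assumed nesting, no namespace)."""
    return (f"<UCF_Role_Item><UCF_Meta_Data><UCF_Role_ID>{rid}</UCF_Role_ID></UCF_Meta_Data>"
            f"<UCF_Basic_Info><UCF_Role_Name>{name}</UCF_Role_Name></UCF_Basic_Info>"
            f"<UCF_References><UCF_Role_Reports_To>{boss}</UCF_Role_Reports_To>"
            f"<UCF_Role_Linked_Controls>{controls}</UCF_Role_Linked_Controls>"
            "</UCF_References></UCF_Role_Item>")

# Constructed sample data: two releases of the same two roles.
OLD_XML = ("<UCF_Roles_List>" + _item("1", "Define and Manage Business Value", "", "100\n101")
           + _item("2", "Conduct Security Administration", "1", "200\n201") + "</UCF_Roles_List>")
NEW_XML = ("<UCF_Roles_List>" + _item("1", "Define and Manage Business Value", "", "100\n102")
           + _item("2", "Conduct Security Administration", "9", "200\n201") + "</UCF_Roles_List>")

if __name__ == "__main__":
    old, new = load_roles(OLD_XML), load_roles(NEW_XML)
    print("dangling Reports_To:", dangling_reports_to(new))
    print("control changes:", control_changes(old, new))
```

A role listed by dangling_reports_to would break an automatically generated organizational chart, so it is worth checking before the joins are erased and repopulated.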
