Function security involves granting a user, by means of the user's membership in a role, the ability to perform operations in pages or task flows such as view or manage. A function security policy consists of privileges assigned to duty roles and those duty roles assigned to a job or abstract role. Function security policies are defined in the Authorization Policy Manager (APM). The functions that a user can access via roles are interface elements, such as the pages or widgets of a task flow. Functions are organized separately from menu navigation and access to functions is granted to users via roles. Policies comprised of grants with access entitlement to components are stored in the policy store, and application roles within role hierarchies are defined with access rights through policies. The access entitlement to a component consists of allowable actions, or privilege, on the component. Users of Oracle Fusion Applications must be able to access the functions necessary for performing their jobs and be excluded from functions that are irrelevant or improper to their roles in the enterprise. This may require changes to the roles available for provisioning. For the broadest possible access to the functionality in Oracle Fusion Applications, the role to which broad entitlement is granted would be a role high in the role hierarchy, such as worker. Such broad entitlement should not include access rights to any functions that violate the security policies of the enterprise, but allow performance of all duties associated with the role.