Oracle HCM Cloud Release 12 Security

Upgrade FAQs
Release 12
ORACLE WHITE PAPER | FEBRUARY 2017
Table of Contents

Introduction 3

Questions and Answers 3

Which roles will be reset during the upgrade to Release 12? 3

Which role has access to the Security Customization Report? 3

I cannot see any parameters when I run the Security Customization Report 3

Should we run the Security Customization Report only if we have customized pre-

defined roles? 5

I cannot see a LOV in the Stripe parameter 5

I cannot find the Security Customization Report in the Scheduled Processes page 5

I can see a process called Functional and Data Security Customization Report.

Should I run it? 5

If I have removed some duties from pre-defined roles that were delivered in Release

9, will those duties be restored by the Release 12 upgrade? 5

How long does the Security Customization Report take to run? 5

Should I run the Security Customization Report against stripes other than HCM? 5

How will customizations to FND and ASM roles be handled? 6

How does Oracle know who has customized which roles? 6

If Oracle knows which roles have been customized, why do customers have to run

the Security Customization Report? 6

What should I do if the Security Customization Report shows customizations to

privileges or resources? 6

1 | ORACLE HCM CLOUD R12 SECURITY FAQS

2 | ORACLE HCM CLOUD R12 SECURITY FAQS
Introduction
This document provides answers to frequently asked questions for customers who are preparing to
upgrade from Oracle HCM Cloud Release 11 to Oracle HCM Cloud Release 12. It will be updated as
and when new questions arise.

Please refer to the Upgrade Guide for Oracle HCM Release 12 for detailed information on how to
prepare for your upgrade to Release 12.

A recording of the Release 12 Security Pre-upgrade Planning for HCM Customers webcast is available
from Applications Customer Connect.

Questions and Answers

Which roles will be reset during the upgrade to Release 12?

Pre-defined roles that have been delivered by Oracle since Release 10. These have role codes with an
ORA_prefix.

Custom roles are not impacted.

Roles that were delivered by Oracle prior to Release 10 do not have ORA_ prefixes and have been
treated as custom roles since Release 10.These roles are not impacted either,

Which role has access to the Security Customization Report?

IT Security Manager.

I cannot see any parameters when I run the Security Customization Report

Check that you are using the latest version of the IT Security Manager role.

If you first implemented Oracle Fusion HCM in Release 9 or earlier you might still be using the old
Release 9 version of this job role. Search for the IT Security Manager role in APM and look at the duty
roles that it inherits. If it inherits duty roles with names ending with Duty you are using the Release 9
version of the role, and you should migrate your IT Security Manager role to the simplified reference
role model.

3 | ORACLE HCM CLOUD R12 SECURITY FAQS

The steps for performing this migration are provided in the Upgrade Guide for Oracle HCM Release 10

If your IT Security Manager job role inherits IT Security Manager application job roles in the hcm,
fscm, crm and obi policy stripes in APM you have the correct version of the role.

4 | ORACLE HCM CLOUD R12 SECURITY FAQS

Should we run the Security Customization Report only if we have customized pre-defined roles?

Oracle recommends that all HCM customers run the Security Customization Report even if you have
not customized pre-defined roles so that you can see which roles might be reset during the Release 12
upgrade.

I cannot see a LOV in the Stripe parameter

The stripe parameter LOV was introduced in the Release 11 February Quarterly Update Bundle
(PB14). If you are using the Security Customization Report that was delivered in the Release 11
January Monthly Update Bundle (PB13) the parameter is defaulted to HCM but there is no LOV.

I cannot find the Security Customization Report in the Scheduled Processes page

The process LOV is case sensitive. Enter Security in the search field, not security.

I can see a process called Functional and Data Security Customization Report. Should I run it?

No. This is a different report. It has been replaced by the Security Customization Report.

If I have removed some duties from pre-defined roles that were delivered in Release 9, will those duties
be restored by the Release 12 upgrade?

No. The only roles that will be reset by the Release 12 upgrade are the ORA_ roles that were first
delivered in Release 10. All roles deliver prior to Release 10 are treated as custom roles and will not
be reset.

How long does the Security Customization Report take to run?

About 5 minutes.

Should I run the Security Customization Report against stripes other than HCM?

Most customizations that have been made against HCM roles have been made in the HCM stripe.
This is the stripe against which you should run the report.

A very small number of customizations to HCM roles have been against other stripes. If you know you
have made customizations to HCM roles in the FSCM stripe you can run the report against that stripe,
and it will report the customizations that have been made in that stripe.

But be careful how you interpret the output of the report if you are implementing ERP/SCM and/or
OSC in addition to HCM in the same environment.

5 | ORACLE HCM CLOUD R12 SECURITY FAQS

If you run the report against the FSCM stripe, customizations to ERP/SCM roles may be reported. If
you run the report against the CRM stripe, customizations to OSC roles may be reported. These roles
should be automatically copied for you by Oracle so you do not need to copy them yourself.

Please refer to the ERP / SCM - R12 Security Deep Dive for ERP Customers with Pre-Upgrade Effort
webcast on Applications Customer Connect for more information about how customizations to ERP
and SCM roles will be handled, and to the Release 12 Security Deep Dive for Oracle Sales Cloud
Customers with Pre-upgrade Effort webcast for more information about how customizations to OSC
roles will be handled.

How will customizations to FND and ASM roles be handled?

Very few customizations have been made to these roles. Customizations to these roles will usually, but
not always, get reported against the FSCM stripe. Oracle will contact customers who we believe have
made customizations to these roles to provide guidance.

How does Oracle know who has customized which roles?

Oracle performs periodic fleet scans against production pods to detect customizations that have been
made to pre-defined roles that will be reset during the Release 12 upgrade. The most recent scan was
run in December 2016.

If Oracle knows which roles have been customized, why do customers have to run the Security
Customization Report?

The information on customized pre-defined roles that is available to Oracle is only as recent as the last
fleet scan. The fleet scans that Oracle performs are against the production environments.
Customizations to pre-defined roles in a stage or test environments will not show up in our fleet scans.

When you run the Security Customization Report against one of your own environments the results
that are reported reflect the state of that environment at the time the report was run.

What should I do if the Security Customization Report shows customizations to privileges or resources?

Privileges and resources will be locked down in Release 12. All pre-defined privilege and resource
definitions will be reset during the Release 12 upgrade.

If the report identifies changes to privilege names or descriptions you need take no action.

If the report identifies changes to resource display names or descriptions you need take no action.

6 | ORACLE HCM CLOUD R12 SECURITY FAQS

If the report identifies any other types of customization to privileges or resources please contact Oracle
for guidance. Log an SR with the problem type HCM Security and upload a copy of the report output
to the SR.

7 | ORACLE HCM CLOUD R12 SECURITY FAQS

 Oracle Corporation, World Headquarters Worldwide Inquiries
500 Oracle Parkway Phone: +1.650.506.7000
Redwood Shores, CA 94065, USA Fax: +1.650.506.7200

CONNECT W ITH US

blogs.oracle.com/oracle
Copyright 2016, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the
contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other
facebook.com/oracle warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are
formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any
twitter.com/oracle means, electronic or mechanical, for any purpose, without our prior written permission.

oracle.com Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and
are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are
trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0116

Oracle HCM Cloud Security Upgrade Guide Release 12

January 2017