This lesson introduces students to Oracle Fusion HCM security concepts and functionality. It
describes the process of creating data roles and security profiles, and explains how roles are
assigned to users. If students are interested in these more in-depth topics, they should attend the
two-day Oracle Fusion HCM Security course.
Objectives
After completing this lesson, you should be able to:
Describe the key features of Oracle Fusion Applications security
Differentiate the types of roles used in Oracle Fusion Applications security
Identify key components of the Security Reference Implementation
Describe how to create security profiles and assign them to data roles
Describe how user accounts are created and roles are provisioned to users
When she signs on to Oracle Fusion Applications, all of these roles are active concurrently. The
functions and data she can access are determined by the combination of roles to which she is
assigned. As an employee, Julie has access to employee functions and data, and as a line manager,
she has access to line-manager functions and data.
Roles Assigned to Users
Contrast the Oracle Fusion Applications approach, where users have multiple roles active
simultaneously, with the EBS approach, where users select a responsibility and operate within that
responsibility only. Use the Security Component Terminology Comparison slide later in this section
to show how role types and other security components in Oracle Fusion correspond to features in
EBS and PeopleSoft.
If questions about security occur in other lessons (such as how to prevent a user from doing
something or how to enable a user to do something), the answer is always the same: the roles
provisioned to the user determine what the user can (and cannot) do.
These predefined roles are included in the Security Reference Implementation. You can review
details of the HCM security implementation in the Oracle Fusion Applications Human Capital
Management Security Reference Manual. The Oracle Fusion Applications Common Security
Reference Manual covers roles that are common across Oracle Fusion Applications, such as the
Application Implementation Consultant and IT Security Manager roles.
Role Inheritance
Instructor Note: Duty Roles
Although this lesson does not cover creation of custom job or duty roles, it does describe how duty
roles fit into the role hierarchy. Predefined job and abstract roles are associated with a predefined
set of duty roles, which control the actions that the role can perform.
Data Role Inheritance
Role inheritance is a key concept in the Oracle Fusion HCM security model. In the figure below,
Human Resource Specialist – Vision Corporation and Human Resource Specialist – Vision Services
are data roles that inherit the Human Resource Specialist job role. This gives them access to the
tasks that an HR Specialist needs to perform. The security profiles that are assigned to the data
roles provide the data access.
Note that the two data roles have different security profiles, granting access to different sets of
data.
Abstract roles represent a worker's role in the enterprise, independently of the job the
worker is hired to do. Three abstract roles are delivered with Oracle Fusion HCM: Employee,
Line Manager, and Contingent Worker. You can also create custom abstract roles. You
assign abstract roles directly to users.
Job roles align with the job a worker is hired to perform. Examples of predefined job roles
are Human Resource Analyst and Payroll Manager. You can create custom job roles.
Typically, you include job roles in data roles, and assign those data roles to users. (The IT
Security Manager and Application Implementation Consultant job roles are exceptions,
because they are not considered HCM job roles and don't restrict data using security
profiles.)
Duty roles align with the individual duties that users perform as part of their job. They grant
access to work areas, dashboards, task flows, application pages, reports, batch programs,
and so on. They may carry both function and data security grants. Duty roles are inherited
by job and abstract roles, and can also be inherited by other duty roles. Duty roles are
delivered as part of the reference implementation, and can be used as building blocks when
creating your own job and abstract roles. You do not assign duty roles directly to users.
Most security profiles are defined by customers and assigned to data roles and abstract roles. (A
small set of predefined security profiles is delivered as part of the security reference
implementation.)
The HCM security model supports several different types of security profiles, each used to control
access to a different type of data.
Start Here
Oracle Fusion Applications Sign On screen
Demonstrate Function Security
1. Log in as Curtis.Feitty, using the password provided to you by the instructor.
Note: Function security also secures the task pane (displayed on the left side of the page) for
a work area. Each of the task pane entries corresponds to a task flow, which is secured with a
function security privilege. The function security privileges that are granted to the user (through his
or her roles) control the task pane entries that the user can see.
You can create HCM security profiles for the following HCM business objects:
Person (managed)
Person (public)
Organization
Position
Legislative Data Group
Country
Document Type
Payroll
Payroll Flow
Workforce Business Process
Two uses for the person security profile exist because many users need to access two distinct sets of
people from each of their roles: people whom they manage and people whose public contact details
they need to access (for example, in a worker directory).
The Person (managed) profile controls which people you can perform actions against.
The Person (public) profile controls which people you can search for in the Person Gallery.
This profile is also used to secure some person LOVs. For example, the Change Manager
page and New Hire flows display a person LOV that is secured using the public person
security profile, rather than the person security profile. This is because the person who is
selecting the manager for a worker might not have view access for that manager through
their person security profile.
Give employees access to their own records, the person records of their emergency contacts,
beneficiaries, and dependents, and all public-person records. Assign relevant HCM security
profiles directly to the employee abstract role.
Give managers access to the person records of direct and indirect reports. Assign relevant
HCM security profiles directly to the line manager abstract role.
For individual job roles, determine whether all users with that job role access the same HCM
business object instances. If they do, you do not need to create a data role; you can
simply assign the security profiles to the job role.
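To make the role hierarchy and the two kinds of security concrete, here is an added example that models the concepts described above (duty roles inherited by job roles, data roles that inherit a job role and add security profiles, abstract roles assigned directly, and the distinction between the Person (managed) and Person (public) profiles). It is illustrative code written for this lesson, not Oracle's implementation; the role names, privileges and profile rules are sample values, and representing a security profile as a predicate over a record is a simplification.

```python
"""Simplified model of the Oracle Fusion HCM role hierarchy and security profiles.

Constructed illustration only: the role names, privileges and profile rules are
sample values and the resolution logic is a simplification, not Oracle's code.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Person:
    person_id: int
    legal_employer: str


@dataclass
class Role:
    name: str
    kind: str                                   # "duty", "job", "abstract" or "data"
    privileges: Set[str] = field(default_factory=set)      # function security grants
    inherits: List["Role"] = field(default_factory=list)   # roles this role inherits
    # Data security: one predicate per security profile type, evaluated for the
    # user and the record being accessed. Only the roles assigned directly to
    # users (data and abstract roles here) carry profiles.
    profiles: Dict[str, Callable] = field(default_factory=dict)

    def all_privileges(self) -> Set[str]:
        """Function privileges granted by this role and everything it inherits."""
        privs = set(self.privileges)
        for parent in self.inherits:
            privs |= parent.all_privileges()
        return privs


class User:
    def __init__(self, name: str, person_id: int, roles: List[Role]):
        self.name = name
        self.person_id = person_id
        self.roles = list(roles)   # every provisioned role is active at the same time

    def can_perform(self, privilege: str, person: Person) -> bool:
        """An action is allowed when some provisioned role both grants the privilege
        (function security) and includes the person in its Person (managed)
        profile (data security). Access is the union over all roles."""
        for role in self.roles:
            managed = role.profiles.get("Person (managed)")
            if privilege in role.all_privileges() and managed and managed(self, person):
                return True
        return False

    def can_search(self, person: Person) -> bool:
        """Person Gallery search is secured by the Person (public) profile instead."""
        return any(role.profiles.get("Person (public)", lambda u, p: False)(self, person)
                   for role in self.roles)


def everyone(user: User, person: Person) -> bool:
    """Public-person profile that includes every person record."""
    return True


def build_sample_user() -> User:
    """Julie: Employee abstract role plus the data role for Vision Corporation."""
    person_mgmt = Role("Person Management Duty", "duty",
                       privileges={"Manage Person", "View Person"})
    hr_specialist = Role("Human Resource Specialist", "job", inherits=[person_mgmt])
    vision_corp = Role("Human Resource Specialist - Vision Corporation", "data",
                       inherits=[hr_specialist],
                       profiles={"Person (managed)":
                                 lambda u, p: p.legal_employer == "Vision Corporation",
                                 "Person (public)": everyone})
    employee = Role("Employee", "abstract",
                    privileges={"Manage Own Personal Information"},
                    profiles={"Person (managed)": lambda u, p: p.person_id == u.person_id,
                              "Person (public)": everyone})
    return User("Julie", person_id=1, roles=[employee, vision_corp])


if __name__ == "__main__":
    julie = build_sample_user()
    colleague = Person(2, "Vision Corporation")
    outsider = Person(3, "Vision Services")
    print(julie.can_perform("Manage Person", colleague))   # True: job role via the data role
    print(julie.can_perform("Manage Person", outsider))    # False: outside the managed profile
    print(julie.can_search(outsider))                      # True: public profile covers everyone
```

The point the model makes: the data role contributes the HR Specialist privileges only for the people its security profile returns, while the Employee role contributes its own privileges for Julie's own record, and the two scopes are not merged into one another.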
Once you have defined the security profile, you assign it to a data role using the Manage Data Role
and Security Profiles task.
Note: You do not need to create a security profile in advance; you can create one when you create
the data role as you will see in the next slide.
Manage Data Role and Security Profiles > Manage Data Role and Security Profiles page > Create
Data Role > Create Data Role: Select Role page
Click Next to define the security criteria for the data role. In the sample screen below, existing
security profiles were selected for all criteria except Person. A new person security profile will be
created as part of the data role creation process.
Manage Data Role and Security Profiles > Manage Data Role and Security Profiles page > Create
Data Role > Create Data Role: Select Role page > Create Data Role: Select Criteria page
When you click Next, you see a series of pages, one for each security profile assigned to the data
role. When you get to the Person page, you can define criteria for the new person security profile:
Manage Data Role and Security Profiles > Manage Data Role and Security Profiles page > Create
Data Role > Create Data Role: Select Role page > Create Data Role: Select Criteria page > Assign
Security Profiles to Role: Person Security Profile page.
Note: You can also use the Manage Data Role and Security Profiles task to assign security profiles to
existing data roles.
Users can self-request new roles if role mapping rules have been defined (as described on the next
page) and the user meets the specified criteria. Line managers and HR specialists can request new
roles for the people they manage and revoke existing roles from people they manage.
Note: By default, users have no access to functions and data. To enable users to access functions
and data, you must provision roles to them.
Instructor Note: Roles Must Be Provisioned
You cannot emphasize this point too strongly: roles, even standard roles such as Employee and
Line Manager, must be provisioned to users. Hiring a person as an employee is not the same as
provisioning the Employee role to the worker; they are separate tasks. However, often (as in this
training environment) Employee and Line Manager roles are automatically provisioned, and default
role mapping rules are provided in Cloud HCM pods.
Manage HCM Role Provisioning Rules > Manage Role Mappings page > Create Role Mapping page
Note: You cannot assign a role to a user unless a role-provisioning rule exists for that role and the
conditions defined in the rule are met.
Role-Provisioning Options
When defining role-provisioning rules on the Create Role Mapping page, you have several
provisioning options:
Auto Provision. Provisions roles automatically to all eligible users when at least one of their
assignments is either created or updated and satisfies the role-mapping conditions. An
automatically provisioned role is deprovisioned automatically when the user’s assignments
cease to satisfy the role-mapping conditions.
Requestable. Enables users, such as line managers and human resource specialists, to
provision roles manually to other users. Users retain roles that are provisioned to them
manually until either all their work relationships are terminated or the roles are
deprovisioned manually.
Note: The criteria defined in the Conditions section must be satisfied by the user who is provisioning
the role to other users, not by the users who are receiving the role.
Self-Requestable. Enables users to request roles for themselves. Users retain roles that they
request for themselves manually until either all their work relationships are terminated or
the roles are deprovisioned manually.
Apply Auto Provisioning. Provisions roles to users immediately, rather than waiting until the
role is provisioned automatically or requested manually. When you click this button, all
assignments and role mappings in the enterprise are reviewed and any necessary
provisioning and deprovisioning of roles occurs immediately. You can also perform auto
provisioning from an individual user's account, in which case only that user’s assignments
are reviewed and any necessary provisioning and deprovisioning of roles for that user occur
immediately.
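The following added example walks through the provisioning options just listed. It is illustrative code written for this lesson, not Oracle's own provisioning engine: the role mappings, condition attributes and the users Sam and Pat are constructed sample values, and conditions are reduced to simple attribute matches on assignments. It shows auto-provisioning and automatic deprovisioning when an assignment stops satisfying the conditions, a requestable role where the requester (not the recipient) must meet the conditions, a self-requestable role, and the retention of manually provisioned roles until all work relationships end.

```python
"""Simplified model of HCM role-provisioning rules (role mappings).

Constructed illustration: the mappings, conditions, users and assignments are
sample values and the evaluation logic is a simplification, not Oracle's code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Assignment:
    assignment_type: str        # sample attribute, e.g. "Employee" or "Line Manager"
    department: str             # sample attribute used in the conditions below
    active: bool = True         # an ended assignment no longer satisfies any mapping


@dataclass
class RoleMapping:
    role: str
    conditions: Dict[str, str]  # assignment attribute -> required value
    autoprovision: bool = False
    requestable: bool = False
    self_requestable: bool = False

    def matches(self, assignment: Assignment) -> bool:
        """A mapping applies when an active assignment satisfies every condition."""
        return assignment.active and all(
            getattr(assignment, attr) == value for attr, value in self.conditions.items())

    def satisfied_by(self, user: "User") -> bool:
        return any(self.matches(a) for a in user.assignments)


@dataclass
class User:
    name: str
    assignments: List[Assignment]
    roles: Dict[str, str] = field(default_factory=dict)   # role name -> "auto" or "manual"

    def has_active_work_relationship(self) -> bool:
        return any(a.active for a in self.assignments)


class RoleProvisioning:
    def __init__(self, mappings: List[RoleMapping]):
        self.mappings = mappings

    def apply_auto_provisioning(self, user: User) -> Set[str]:
        """Re-evaluate every mapping for one user (the per-user 'Apply Auto Provisioning'):
        grant newly eligible auto roles, revoke auto roles whose conditions no longer
        hold, and drop manual roles only once every work relationship has ended."""
        eligible = {m.role for m in self.mappings if m.autoprovision and m.satisfied_by(user)}
        for role in eligible:
            user.roles.setdefault(role, "auto")
        for role, source in list(user.roles.items()):
            if source == "auto" and role not in eligible:
                del user.roles[role]
            elif source == "manual" and not user.has_active_work_relationship():
                del user.roles[role]
        return set(user.roles)

    def request_role(self, requester: User, target: User, role: str) -> bool:
        """Requestable: the requester (e.g. a line manager) must satisfy the conditions."""
        ok = any(m.requestable and m.role == role and m.satisfied_by(requester)
                 for m in self.mappings)
        if ok:
            target.roles[role] = "manual"
        return ok

    def self_request(self, user: User, role: str) -> bool:
        """Self-requestable: the user's own assignments must satisfy the conditions."""
        ok = any(m.self_requestable and m.role == role and m.satisfied_by(user)
                 for m in self.mappings)
        if ok:
            user.roles[role] = "manual"
        return ok


def sample_scenario() -> List[Set[str]]:
    """Walk one user through auto-provisioning, manual requests and termination.
    Returns Sam's role set after each step so the progression can be checked."""
    rules = RoleProvisioning([
        RoleMapping("Employee", {"assignment_type": "Employee"}, autoprovision=True),
        RoleMapping("Line Manager", {"assignment_type": "Line Manager"}, autoprovision=True),
        RoleMapping("Benefits Administrator", {"department": "HR"}, requestable=True),
        RoleMapping("Expense Auditor", {"department": "Finance"}, self_requestable=True),
    ])
    sam = User("Sam", [Assignment("Employee", "Finance"), Assignment("Line Manager", "Finance")])
    pat = User("Pat", [Assignment("Employee", "HR")])
    steps = [rules.apply_auto_provisioning(sam)]            # Employee, Line Manager
    rules.request_role(pat, sam, "Benefits Administrator")  # Pat (HR) meets the condition
    rules.self_request(sam, "Expense Auditor")              # Sam (Finance) meets the condition
    rules.self_request(sam, "Benefits Administrator")       # refused: not self-requestable
    steps.append(set(sam.roles))
    sam.assignments[1].active = False                       # the manager assignment ends
    steps.append(rules.apply_auto_provisioning(sam))        # only Line Manager is auto-revoked
    sam.assignments[0].active = False                       # all work relationships ended
    steps.append(rules.apply_auto_provisioning(sam))        # everything revoked
    return steps


if __name__ == "__main__":
    for i, roles in enumerate(sample_scenario(), 1):
        print(f"step {i}: {sorted(roles)}")
```

The third step is the behaviour to notice: ending the manager assignment removes the auto-provisioned Line Manager role, but the two manually provisioned roles survive because Sam still has an active employee assignment; they disappear only in the fourth step, when every work relationship has ended.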
Manager Resources > New Person > Hire an Employee > Identification page
Manager Resources > New Person > Hire an Employee > Identification page > Person Information
page > Employment Information page
To manually provision additional roles to the user, click Add Role and select the role you want to
give to this user.
You can use the Manage Users task to add or remove roles from an existing user.