
HCM Security Overview

This lesson introduces students to Oracle Fusion HCM security concepts and functionality. It
describes the process of creating data roles and security profiles, and explains how roles are
assigned to users. If students are interested in these more in-depth topics, they should attend the
two-day Oracle Fusion HCM Security course.
Objectives
After completing this lesson, you should be able to:
- Describe the key features of Oracle Fusion Applications security
- Differentiate the types of roles used in Oracle Fusion Applications security
- Identify key components of the Security Reference Implementation
- Describe how to create security profiles and assign them to data roles
- Describe how user accounts are created and roles are provisioned to users

HCM Security Basics


Role-Based Security Model
Oracle Fusion Applications use a role-based access control security model. Users are assigned roles
through which they gain access to functions and data within the applications.
In the figure below, Julie Brown has three roles:

When she signs on to Oracle Fusion Applications, all of these roles are active concurrently. The
functions and data she can access are determined by the combination of roles to which she is
assigned. As an employee, Julie has access to employee functions and data, and as a line manager,
she has access to line-manager functions and data.
Roles Assigned to Users
Contrast the Oracle Fusion Applications approach, where users have multiple roles active
simultaneously, with the EBS approach, where users select a responsibility and operate within that
responsibility only. Use the Security Component Terminology Comparison slide later in this section
to show how role types and other security components in Oracle Fusion correspond to features in
EBS and PeopleSoft.

If questions about security occur in other lessons (such as how to prevent a user from doing
something or how to enable a user to do something), the answer is always the same: the roles
provisioned to the user determine what the user can (and cannot) do.

Predefined HCM Roles


The following is a partial list of the roles that are predefined and delivered with Oracle Fusion HCM:
- Benefits Administrator
- Benefits Manager
- Benefits Specialist
- Compensation Administrator
- Compensation Analyst
- Compensation Manager
- Compensation Specialist
- Contingent Worker
- Employee
- Human Capital Management Application Administrator
- Human Resource Analyst
- Human Resource Manager
- Human Resource Specialist
- Human Resource VP
- Line Manager
- Payroll Administrator
- Payroll Manager

These predefined roles are included in the Security Reference Implementation. You can review
details of the HCM security implementation in the Oracle Fusion Applications Human Capital
Management Security Reference Manual. The Oracle Fusion Applications Common Security
Reference Manual covers roles that are common across Oracle Fusion Applications, such as the
Application Implementation Consultant and IT Security Manager roles.

Role Inheritance
Instructor Note: Duty Roles
Although this lesson does not cover creation of custom job or duty roles, it does describe how duty
roles fit into the role hierarchy. Predefined job and abstract roles are associated with a predefined
set of duty roles, which control the actions that the role can perform.
Data Role Inheritance
Role inheritance is a key concept in the Oracle Fusion HCM security model. In the figure below,
Human Resource Specialist – Vision Corporation and Human Resource Specialist – Vision Services
are data roles that inherit the Human Resource Specialist job role. This gives them access to the
tasks that an HR Specialist needs to perform. The security profiles that are assigned to the data
roles provide the data access.

Note that the two data roles have different security profiles, granting access to different sets of
data.

User Role Inheritance


When individual users are assigned to data roles, they inherit the data and function security
associated with those roles.
Role Types
Oracle Fusion Applications uses four types of roles for security management:
- Data Roles are a combination of a worker's job and the data instances that users with the
role need to access. For example, the HCM data role Payroll Administrator Payroll US
combines a job (Payroll Administrator) with a data scope (Payroll US). Data roles are not
delivered as part of the reference implementation. They are defined by customers and are
assigned directly to users.

- Abstract Roles represent a worker's role in the enterprise, independently of the job the
worker is hired to do. Three abstract roles are delivered with Oracle Fusion HCM: Employee,
Line Manager, and Contingent Worker. You can also create custom abstract roles. You
assign abstract roles directly to users.

- Job roles align with the job a worker is hired to perform. Examples of predefined job roles
are Human Resource Analyst and Payroll Manager. You can create custom job roles.
Typically, you include job roles in data roles, and assign those data roles to users. (The IT
Security Manager and Application Implementation Consultant job roles are exceptions,
because they are not considered HCM job roles and don't restrict data using security
profiles.)

- Duty roles align with the individual duties that users perform as part of their job. They grant
access to work areas, dashboards, task flows, application pages, reports, batch programs,
and so on. They may carry both function and data security grants. Duty roles are inherited
by job and abstract roles, and can also be inherited by other duty roles. Duty roles are
delivered as part of the reference implementation, and can be used as building blocks when
creating your own job and abstract roles. You do not assign duty roles directly to users.

Role Inheritance Example


In reality, abstract and job roles inherit many duty roles. The following figure shows a simplified
example:
In this example, the duty roles give the user access to all the tasks and functions that an HR
specialist needs to perform plus all the tasks, unrelated to a specific job, that every employee needs
to perform.

Most security profiles are defined by customers and assigned to data roles and abstract roles. (A
small set of predefined security profiles is delivered as part of the security reference
implementation.)

The HCM security model supports several different types of security profiles, each used to control
access to a different type of data.

Demonstration: Fusion HCM Security in Action


Demonstration Background
As an Oracle Fusion Applications user, you access functions and data through the roles that have
been assigned to you.
Demonstration Scope
Explore the functions and data available for viewing by different users based on their assigned
roles.

Start Here
Oracle Fusion Applications Sign On screen
Demonstrate Function Security
1. Log in as Curtis.Feitty, using the password provided to you by the instructor.

2. In the menu bar at the top of the page, click Navigator


Information Function security is used to secure the Navigator menu. Each menu entry corresponds
to a work area or dashboard, and each of these is secured with a function security privilege. The
function security privileges that are granted to the user (through his or her roles) control the menu
entries that the user can see.

3. Select Workforce Structures under Workforce Management.

Information Function security also secures the task pane (displayed on the left side of the page) for
a work area. Each of the task pane entries corresponds to a task flow, which is secured with a
function security privilege. The function security privileges that are granted to the user (through his
or her roles) control the task pane entries that the user can see.

4. Select My Information > My Account from the Navigator.

Location: Manage User Account page


Security Profiles and Data Roles
Data Security Through Security Profiles
Most Oracle Fusion HCM data is secured by means of HCM security profiles. A security profile
identifies a set of data of a single type, such as persons or organizations. For example, you could
create security profiles to identify:
- All workers in department HCM US
- The legal employer InFusion Corp USA1
- Business units USA1 and USA2

Customers assign security profiles to:


- Data roles. Data roles always inherit job roles. The job roles provide the function security
access, while the security profiles assigned to the data role provide access to the data
required to perform the duties of the job.
- Abstract roles. Three abstract roles are delivered with HCM: employee, line manager, and
contingent worker. You assign security profiles to predefined abstract roles, such as
employee, to grant access to HCM business objects, such as the worker's own person
record. You can also assign security profiles to the custom abstract roles that you create.
Note: In Cloud environments, security profiles are preassigned to the Employee, Line
Manager, and Contingent Worker abstract roles.
- Job roles. Assigning security profiles directly to job roles is less common, since users with
the same job often access different sets of data.

Security Profiles Example


Security profiles are assigned to roles that are directly assigned to users.
In the following example, Tim Thompson and Patricia Smith are both human resource specialists,
Tim in US Marketing and Patricia in US Sales. Each has a data role that inherits the job role Human
Resource Specialist and the duty roles appropriate to that job role. Therefore, Tim and Patricia can
perform the same functions and see the same entries in the Navigator, work area Tasks panes, and
menus. However, each user accesses different sets of data, which are identified in separate sets of
security profiles.
Note: If Tim and Patricia could access the same sets of data, you would assign the same data role to
both users.
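The role hierarchy from the Role Types section and the Tim Thompson / Patricia Smith example above can be made concrete with a small model. The following is an added example written for this lesson, not Oracle code: it resolves function security privileges by walking role inheritance (data role inherits job role inherits duty roles; abstract role inherits duty roles) and resolves data security by evaluating the security profiles carried by those roles. Tim, Patricia, the Human Resource Specialist job role and the Employee abstract role come from the lesson; the duty role names, privilege names, Navigator entries, departments and the other people are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# A security profile is modelled as a predicate: given the signed-on user and one
# record of a business object, is that record in the profile's data instance set?
Predicate = Callable[[str, dict], bool]


@dataclass(frozen=True)
class Role:
    name: str
    kind: str                                         # "duty", "job", "abstract" or "data"
    privileges: FrozenSet[str] = frozenset()          # function security privileges granted directly
    inherits: Tuple[str, ...] = ()                    # roles this role inherits
    profiles: Tuple[Tuple[str, Predicate], ...] = ()  # (business object, security profile) pairs


def walk(role_name: str, roles: Dict[str, Role], seen=None) -> List[Role]:
    """Every role reachable from role_name through inheritance (cycle-safe)."""
    seen = set() if seen is None else seen
    if role_name in seen:
        return []
    seen.add(role_name)
    role = roles[role_name]
    found = [role]
    for parent in role.inherits:
        found.extend(walk(parent, roles, seen))
    return found


def user_privileges(assigned: Tuple[str, ...], roles: Dict[str, Role]) -> FrozenSet[str]:
    """Function security: the union of privileges over every inherited role."""
    privs = set()
    for assigned_role in assigned:
        for role in walk(assigned_role, roles):
            privs |= role.privileges
    return frozenset(privs)


def navigator_entries(assigned, roles, navigator: Dict[str, str]) -> List[str]:
    """The Navigator shows only entries whose securing privilege the user holds."""
    privs = user_privileges(assigned, roles)
    return sorted(entry for entry, priv in navigator.items() if priv in privs)


def visible_records(user: str, assigned, roles, obj: str, records: List[dict]) -> List[str]:
    """Data security: a record is visible when some security profile for `obj`, on
    any role the user holds directly or by inheritance, admits it."""
    preds = [p for r in assigned for role in walk(r, roles) for o, p in role.profiles if o == obj]
    return [rec["name"] for rec in records if any(p(user, rec) for p in preds)]


def department_profile(dept: str) -> Predicate:
    """A person security profile: everyone assigned to one department (constructed)."""
    return lambda user, rec: rec["department"] == dept


ROLES: Dict[str, Role] = {r.name: r for r in [
    # duty roles carry the privileges; these duty and privilege names are constructed
    Role("Workforce Structures Management Duty", "duty",
         privileges=frozenset({"Manage Workforce Structures", "Search Person Gallery"})),
    Role("Employee Self Service Duty", "duty", privileges=frozenset({"View My Account"})),
    # job and abstract roles inherit duty roles
    Role("Human Resource Specialist", "job", inherits=("Workforce Structures Management Duty",)),
    Role("Employee", "abstract", inherits=("Employee Self Service Duty",),
         profiles=(("Person", lambda user, rec: rec["name"] == user),)),  # own record only
    # data roles = job role + security profiles, one data role per data scope
    Role("Human Resource Specialist - US Marketing", "data", inherits=("Human Resource Specialist",),
         profiles=(("Person", department_profile("US Marketing")),)),
    Role("Human Resource Specialist - US Sales", "data", inherits=("Human Resource Specialist",),
         profiles=(("Person", department_profile("US Sales")),)),
]}

NAVIGATOR = {  # Navigator entry -> function privilege securing it (constructed)
    "Workforce Structures": "Manage Workforce Structures",
    "My Account": "View My Account",
    "Payroll Dashboard": "Run Payroll",
}

PERSONS = [  # constructed sample person records
    {"name": "Tim Thompson", "department": "US Marketing"},
    {"name": "Patricia Smith", "department": "US Sales"},
    {"name": "Alice Adams", "department": "US Marketing"},
    {"name": "Bob Burns", "department": "US Sales"},
    {"name": "Carol Chen", "department": "US Payroll"},
]

USERS = {  # roles provisioned directly to each user
    "Tim Thompson": ("Human Resource Specialist - US Marketing", "Employee"),
    "Patricia Smith": ("Human Resource Specialist - US Sales", "Employee"),
    "Carol Chen": ("Employee",),
}


def navigator_for(user: str) -> List[str]:
    return navigator_entries(USERS[user], ROLES, NAVIGATOR)


def persons_for(user: str) -> List[str]:
    return visible_records(user, USERS[user], ROLES, "Person", PERSONS)


if __name__ == "__main__":
    for user in USERS:
        print(f"{user}: menu={navigator_for(user)} persons={persons_for(user)}")
```

Running it shows the point of the example: Tim and Patricia get identical Navigator entries because both data roles inherit the same job role, but their person security profiles admit different people, and neither sees the Payroll Dashboard because no role in their hierarchy carries the constructed Run Payroll privilege. Carol, who holds only the Employee abstract role, sees only her own record.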

You can create HCM security profiles for the following HCM business objects:
- Person (managed)
- Person (public)
- Organization
- Position
- Legislative Data Group
- Country
- Document Type
- Payroll
- Payroll Flow
- Workforce Business Process
There are two person security profiles because many users need to access two distinct sets of
people from each of their roles: people whom they manage and people whose public contact details
they need to access (for example, in a worker directory).
- The Person (managed) profile controls which people you can perform actions against.
- The Person (public) profile controls which people you can search for in the Person Gallery.
This profile is also used to secure some person LOVs. For example, the Change Manager
page and New Hire flows display a person LOV that is secured using the public person
security profile, rather than the person security profile. This is because the person who is
selecting the manager for a worker might not have view access for that manager through
their person security profile.

Predefined HCM Security Profiles


The following HCM security profiles are predefined:
You cannot:
- Edit or delete the predefined security profiles.
- Create a custom security profile that provides access to all objects; you must use the
appropriate predefined View All security profile instead.
HCM Security Profiles Best Practices
The following recommendations apply to all types of HCM security profiles:
- HCM security profiles are reusable and modular. Once you create a security profile, you can
assign it to multiple data roles.
- You can reference organization, position, payroll, and other security profiles in a person
security profile. For example, you might define an organization security profile that allows
access to a particular business unit. You can then reference the organization security profile
in a person security profile to provide access to people who are assigned to that business
unit.
- Use the predefined security profiles wherever appropriate.
- Define a naming scheme that clearly identifies the set of business objects in the security
profile's data instance set, such as HCM US Departments or US Marketing Positions. Security
profile names must be unique in the enterprise for the security profile type.

Approaches to Assigning Security Profiles to HCM Roles


Consider these approaches when assigning security profiles to HCM roles:

- Give employees access to their own records, the person records of their emergency contacts,
beneficiaries, and dependents, and all public-person records. Assign relevant HCM security
profiles directly to the employee abstract role.
- Give managers access to the person records of direct and indirect reports. Assign relevant
HCM security profiles directly to the line manager abstract role.
- For individual job roles, determine whether all users with that job role access the same HCM
business object instances. In this scenario, you do not need to create a data role; you can
simply assign the security profiles to the job role.

Creating Security Profiles


You create a security profile using one of the following tasks:
- Manage Country Security Profile
- Manage Document Type Security Profile
- Manage Legislative Data Group Security Profile
- Manage Organization Security Profile
- Manage Payroll Flow Security Profile
- Manage Payroll Security Profile
- Manage Person Security Profile
- Manage Position Security Profile
- Manage Workforce Business Process Security Profile

The following screen is used to create a person security profile:


Manage Person Security Profile > Manage Person Security Profiles page > Create Person Security
Profile.

Once you have defined the security profile, you assign it to a data role using the Manage Data Role
and Security Profiles task.

Note: You do not need to create a security profile in advance; you can create one when you create
the data role as you will see in the next slide.

Creating Data Roles


Use the Manage Data Role and Security Profiles task to create and manage data roles and assign
security profiles to them.
When you create a new data role, you must first select the job role (or abstract role) on which the
data role is based:

Manage Data Role and Security Profiles > Manage Data Role and Security Profiles page > Create
Data Role > Create Data Role: Select Role page

Click Next to define the security criteria for the data role. In the sample screen below, existing
security profiles were selected for all criteria except Person. A new person security profile will be
created as part of the data role creation process.
Manage Data Role and Security Profiles > Manage Data Role and Security Profiles page > Create
Data Role > Create Data Role: Select Role page > Create Data Role: Select Criteria page

When you click Next, you see a series of pages, one for each security profile assigned to the data
role. When you get to the Person page, you can define criteria for the new person security profile:
Manage Data Role and Security Profiles > Manage Data Role and Security Profiles page > Create
Data Role > Create Data Role: Select Role page > Create Data Role: Select Criteria page > Assign
Security Profiles to Role: Person Security Profile page.

Note: You can also use the Manage Data Role and Security Profiles task to assign security profiles to
existing data roles.

User and Role Provisioning


Provisioning Roles to Users: Overview
Role provisioning is built into Oracle Fusion HR flows. You can initiate the provisioning and revoking
of roles from within the following flows:
- Hire an Employee
- Promote Worker
- Transfer Worker

Users can self-request new roles if role mapping rules have been defined (as described on the next
page) and the user meets the specified criteria. Line managers and HR specialists can request new
roles for the people they manage and revoke existing roles from people they manage.
Note: By default, users have no access to functions and data. To enable users to access functions
and data, you must provision roles to them.
Instructor Note: Roles Must Be Provisioned
You cannot emphasize this point too strongly: roles, even standard roles such as Employee and
Line Manager, must be provisioned to users. Hiring a person as an employee is not the same as
provisioning the Employee role to the worker; they are separate tasks. However, often (as in this
training environment) Employee and Line Manager roles are automatically provisioned, and default
role mapping rules are provided in Cloud HCM pods.

Defining Role-Provisioning Rules


Role-provisioning rules determine the roles that a user should have based on their HR assignments.
Also referred to as role mappings, role-provisioning rules define an association between a set of
conditions (typically assignment attribute values) and one or more job, abstract, and data roles.
Use the Manage HCM Role Provisioning Rules task in the Setup and Maintenance work area to
create and manage role-provisioning rules.

Manage HCM Role Provisioning Rules > Manage Role Mappings page > Create Role Mapping page

Note: You cannot assign a role to a user unless a role-provisioning rule exists for that role and the
conditions defined in the rule are met.

Role-Provisioning Options
When defining role-provisioning rules on the Create Role Mapping page, you have several
provisioning options:
- Auto Provision. Provisions roles automatically to all eligible users when at least one of their
assignments is either created or updated and satisfies the role-mapping conditions. An
automatically provisioned role is deprovisioned automatically when the user’s assignments
cease to satisfy the role-mapping conditions.
- Requestable. Enables users, such as line managers and human resource specialists, to
provision roles manually to other users. Users retain roles that are provisioned to them
manually until either all their work relationships are terminated or the roles are
deprovisioned manually.

Note: The criteria defined in the Conditions section must be satisfied by the user who is provisioning
the role to other users, not by the users who are receiving the role.
- Self-Requestable. Enables users to request roles for themselves. Users retain roles that they
request for themselves manually until either all their work relationships are terminated or
the roles are deprovisioned manually.
- Apply Auto Provisioning. Provisions roles to users immediately, rather than waiting until the
role is provisioned automatically or requested manually. When you click this button, all
assignments and role mappings in the enterprise are reviewed and any necessary
provisioning and deprovisioning of roles occurs immediately. You can also perform auto
provisioning from an individual user's account, in which case only that user’s assignments
are reviewed and any necessary provisioning and deprovisioning of roles for that user occur
immediately.

Predefined Role-Provisioning Rules


The following role-provisioning rules are predefined for HCM Cloud environments:
- Employee. Automatically provisions the Employee role
- Contingent Worker. Automatically provisions the Contingent Worker role
- Line Manager. Automatically provisions the Line Manager role
- Requestable Roles. Defines all predefined View All data roles as Requestable (manually
provisioned)
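The provisioning options and predefined rules above describe a small decision procedure, and the behaviour that matters for access review (automatic deprovisioning on transfer, manual roles surviving until all work relationships end, the requester rather than the recipient having to meet Requestable conditions) is easy to get wrong when reasoning about it in prose. The following added example, written for this lesson and not Oracle code, models role mappings over assignment attributes and walks one constructed user through hire, transfer, manual provisioning and termination. The legal employer InFusion Corp USA1 and the job HR010.HR Specialist are the lesson's own role-mapping example; the user names, the other job codes, the Compensation Analyst data role and the mapping names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Assignment:
    legal_employer: str
    job: str
    worker_type: str = "Employee"
    active: bool = True            # False once the work relationship is terminated


@dataclass
class RoleMapping:
    """One role-provisioning rule: conditions on assignment attributes, the roles
    it offers, and the provisioning options from the Create Role Mapping page."""
    name: str
    conditions: Dict[str, str]     # assignment attribute -> required value
    roles: Set[str]
    auto_provision: bool = False
    requestable: bool = False
    self_requestable: bool = False

    def matches(self, a: Assignment) -> bool:
        return a.active and all(getattr(a, attr) == value for attr, value in self.conditions.items())

    def satisfied_by(self, user: "User") -> bool:
        return any(self.matches(a) for a in user.assignments)


@dataclass
class User:
    name: str
    assignments: List[Assignment]
    auto_roles: Set[str] = field(default_factory=set)    # granted by auto-provisioning
    manual_roles: Set[str] = field(default_factory=set)  # requested or provisioned manually

    @property
    def roles(self) -> Set[str]:
        return self.auto_roles | self.manual_roles


def apply_auto_provisioning(user: User, mappings: List[RoleMapping]) -> Set[str]:
    """Recompute auto-provisioned roles from the user's current assignments: roles
    whose conditions are now met are added, roles whose conditions ceased to hold
    are removed. Manually provisioned roles are left untouched."""
    user.auto_roles = {r for m in mappings if m.auto_provision and m.satisfied_by(user) for r in m.roles}
    return user.roles


def request_role(requester: User, target: User, role: str, mappings) -> bool:
    """Requestable: the REQUESTER's assignments, not the recipient's, must satisfy
    the conditions of a mapping that offers the role as Requestable."""
    if any(role in m.roles and m.requestable and m.satisfied_by(requester) for m in mappings):
        target.manual_roles.add(role)
        return True
    return False


def self_request(user: User, role: str, mappings) -> bool:
    """Self-requestable: the user's own assignments must satisfy the conditions."""
    if any(role in m.roles and m.self_requestable and m.satisfied_by(user) for m in mappings):
        user.manual_roles.add(role)
        return True
    return False


def terminate_all(user: User, mappings) -> Set[str]:
    """When every work relationship ends, manually provisioned roles are lost too."""
    for a in user.assignments:
        a.active = False
    user.manual_roles.clear()
    return apply_auto_provisioning(user, mappings)


HRS_ROLE = "Human Resource Specialist - InFusion Corp USA1"
COMP_ROLE = "Compensation Analyst - InFusion Corp USA1"   # constructed data role name

MAPPINGS = [  # constructed rules; the second mirrors the lesson's role-mapping example
    RoleMapping("Employee", {"worker_type": "Employee"}, {"Employee"}, auto_provision=True),
    RoleMapping("HR Specialist USA1",
                {"legal_employer": "InFusion Corp USA1", "job": "HR010.HR Specialist"},
                {HRS_ROLE}, auto_provision=True, requestable=True),
    RoleMapping("Compensation Analyst USA1", {"legal_employer": "InFusion Corp USA1"},
                {COMP_ROLE}, self_requestable=True),
]


def run_scenario() -> Dict[str, object]:
    """Hire, transfer, manual provisioning and termination for one constructed user."""
    dana = User("Dana", [Assignment("InFusion Corp USA1", "HR010.HR Specialist")])
    evan = User("Evan", [Assignment("InFusion Corp USA1", "HR010.HR Specialist")])
    frank = User("Frank", [Assignment("InFusion Corp USA2", "PAY010.Payroll Clerk")])
    steps: Dict[str, object] = {}
    steps["hired"] = sorted(apply_auto_provisioning(dana, MAPPINGS))
    dana.assignments[0].job = "BEN010.Benefits Specialist"               # transfer to a new job
    steps["transferred"] = sorted(apply_auto_provisioning(dana, MAPPINGS))
    steps["frank_request"] = request_role(frank, dana, HRS_ROLE, MAPPINGS)  # Frank fails the conditions
    steps["evan_request"] = request_role(evan, dana, HRS_ROLE, MAPPINGS)    # Evan meets them
    steps["self_request"] = self_request(dana, COMP_ROLE, MAPPINGS)
    steps["unmapped"] = self_request(dana, "Payroll Manager", MAPPINGS)    # no mapping offers it
    steps["after_manual"] = sorted(apply_auto_provisioning(dana, MAPPINGS))
    steps["terminated"] = sorted(terminate_all(dana, MAPPINGS))
    return steps


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

The transfer step is the one to watch during an access review: the auto-provisioned HR Specialist data role disappears as soon as the job no longer satisfies the mapping, but once Evan provisions the same role manually it stays until Dana's work relationships are all terminated, exactly as the Requestable option describes. Frank's request is refused because his own assignment does not satisfy the mapping's conditions, even though Dana is the recipient.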
New Hire Process
You can demo the Hire an Employee flow to show how roles are assigned during the new hire
process. However, this process requires you to provide data in a large number of fields in order to
progress through the entire flow. It may be faster (and perfectly adequate) to display and discuss
the screens that follow, rather than doing a demonstration.

Integration with New Hire Flow


The following screens illustrate how role provisioning is integrated into the New Hire flow.
To meet the conditions defined in the role mapping example on the Defining Role Provisioning Rules
page, an employee would need to work for InFusion Corp USA1 and be assigned the job of HR010.HR
Specialist. You specify the employee's legal employer on the Identification page of the Hire an
Employee flow, as shown in this figure:

Manager Resources > New Person > Hire an Employee > Identification page

New Hire Flow - Job Assignment


You specify the employee's job on the Employment Information page of the Hire an Employee flow,
as shown in this figure:
Manager Resources > New Person > Hire an Employee > Identification page > Person Information
page > Employment Information page

New Hire Flow - Role Requests


The Roles page of the flow shows the roles that will be automatically provisioned to the employee
based on the selected job, along with the Employee abstract role:

Manager Resources > New Person > Hire an Employee > Identification page > Person Information
page > Employment Information page
To manually provision additional roles to the user, click Add Role and select the role you want to
give to this user.
You can use the Manage Users task to add or remove roles from an existing user.
