Partner Boot Camp - Fusion HCM Global HR Manage Security for HCM Instructor Guide August 8, 2013


Copyright © 2013, Oracle and/or its affiliates. All rights reserved.

Disclaimer

This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle. The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

CONTENTS

Lesson 1: Define Security for HCM ... 1
  Objectives ... 1
  Security Overview ... 2
    Role-Based Security Model ... 2
      Instructor Note: Roles Assigned to Users ... 3
    Role-Based Access Control ... 4
    Predefined HCM Roles ... 5
    Role Inheritance ... 6
      Data Role Inheritance ... 7
      User Role Inheritance ... 8
    Role Types ... 9
    Role Inheritance Example ... 10
    Security Privileges ... 11
      Instructor Note: Details Will Come Later ... 12
    Security Component Terminology Comparison ... 13
    Role Evaluation ... 14
    Customizing Security for Your Needs ... 15
      Instructor Note: Currently No Way to Copy Roles ... 16
    Instructor Note: Demo Timing ... 17
    Demonstration: Function Security in Action ... 18
    Instructor Note: Demo Timing ... 21
    Demonstration: Data Security in Action ... 22
    Exploring the Security Reference Manual ... 24
      Instructor Note: Security Reference Implementation ... 26
  Security Profiles and Data Roles ... 27
    Data Security Through Security Profiles ... 27
    Security Profiles Example ... 28
    HCM Security Profile Types ... 29
    Predefined HCM Security Profiles ... 30
    HCM Security Profiles Best Practices ... 31
    Approaches to Creating Data Roles ... 32
    Instructor Note: Demo Timing ... 33
    Demonstration: Managing Data Roles and Security Policies ... 34
    Key Points for Creating Security Profiles ... 38
    Instructor Note: Notes on Activities ... 41
    Instructor Note: Activity Timing ... 42
    Activity 1 Introduction ... 43
      Activity 1: Creating Security Profiles and Assigning to a New Data Role ... 44
    Assigning Security Profiles to Existing Roles ... 48
    Editing Security Profiles ... 49
    Security Profiles Review Question 1 ... 50
    Security Profiles Review Question 2 ... 51
    Security Profiles Review Question 3 ... 52
    Security Profiles Questions and Answers ... 53
  User and Role Provisioning ... 54
    User Account Creation and Maintenance Scenarios ... 54
      Instructor Note: User Account Management Scenarios ... 55
    User Account Provisioning ... 56
    Enterprise-Level User and Role-Provisioning Options ... 57
      Setting Enterprise-Level Options ... 58
      Instructor Note: User and Role Provisioning ... 59
    Provisioning Roles to Users: Overview ... 60
      Instructor Note: Roles Must Be Provisioned ... 61
    Instructor Note: Role-Provisioning Rules ... 62
    Defining Role-Provisioning Rules ... 63
    Role-Provisioning Options ... 65
    Predefined Role-Provisioning Rules ... 66
    Integration with New Hire Flow ... 67
      Instructor Note: New Hire Process ... 67
      Integration with New Hire Flow ... 68
      New Hire Flow - Job Assignment ... 69
      New Hire Flow - Role Requests ... 70
    Tip: Role-Provisioning Strategies ... 71
    Implementation Users ... 72
      Instructor Note: Implementation Users for the Cloud ... 74
    Instructor Note: Demo Timing ... 75
    Demonstration: Creating Additional Implementation Users ... 76
    Instructor Note: Demo Timing ... 79
    Demonstration: Using the Manage Users Task to Create HR Users ... 80
    Instructor Note: Password Policy Management for Cloud Customers ... 83
    Instructor Note: Activity Timing ... 84
    Activity 2 Introduction ... 85
      Activity 2: Creating a New User and Assigning a Data Role ... 86
    User and Role Provisioning Review Question 1 ... 91
    User and Role Provisioning Review Question 2 ... 92
    User and Role-Provisioning Review Question 3 ... 93
    User and Role-Provisioning Questions and Answers ... 94
  User Interfaces for Security Tasks ... 95
    User Interface Overview ... 95
    Setup Tools and Tasks ... 96
    Access to Security Tasks ... 98
      Instructor Note: HCM Security Task List ... 100
    Instructor Note: Demo Timing ... 101
    Demonstration: Viewing Roles in OIM ... 102
  Managing Job Roles and Duty Roles ... 104
    Instructor Note: Demo Timing ... 104
    Demonstration: Using OIM to View and Manage Roles ... 105
      Instructor Note: Do Not Use OIM to Create Data Roles ... 112
    HCM Security Management Data Stores ... 113
    Instructor Note: Demo Timing ... 115
    Demonstration: Using APM to Manage Duties ... 116
    Fusion Applications, OIM, and APM Terminology Differences ... 120
    Instructor Note: Notes on Tools and Tasks ... 121
    Regenerating Data Roles ... 122
      Instructor Note: Regeneration of Data Roles ... 124
    Instructor Note: Activity Timing ... 125
    Activity 3 Introduction ... 126
      Instructor Note: Troubleshooting Activity ... 127
      Activity 3: Creating a New Job Role ... 128
    Instructor Note: Activity Timing ... 132
    Activity 4 Introduction ... 133
      Activity 4: Creating a New Data Role and Assigning to User ... 134
    Instructor Note: Troubleshooting Activity 4 ... 137
    User Interfaces for Security Review Question 1 ... 138
    User Interfaces for Security Review Question 2 ... 139
    User Interfaces for Security Review Question 3 ... 140
    User Interfaces for Security Questions and Answers ... 141
  HCM Security Deep Dive ... 142
    Instructor Note: Deep Dive Target Audience ... 142
    Duty Roles in Detail ... 143
    Function Security Privileges ... 144
    Instructor Note: Read-Only Roles ... 145
    Data Security Policy Components ... 146
    Data Security Policies ... 147
    Data Security - Application Role Creation ... 148
    Data Security - FND_GRANTS Generation ... 149
    Data Security - Data Role Creation ... 150
    Data Security in Action ... 152
    Instructor Note: Demo Timing ... 153
    Demonstration: Viewing Security Policies in APM ... 154
    Instructor Note on Activity 5: Bulk Regeneration ... 161
    Instructor Note: Activity Timing ... 162
    Activity 5 Introduction ... 163
      Activity 5: Creating a Custom Duty Role ... 164
    Security Deep Dive Review Question 1 ... 169
    Security Deep Dive Review Question 2 ... 170
    Security Deep Dive Questions and Answers ... 171
    Instructor Note: Final Activities ... 172
    Instructor Note: Activity Timing ... 173
    Activity 6 Introduction ... 174
      Activity 6: Creating a Custom Line Manager Role ... 176
  Tying It All Together ... 183
    Resilience to Change ... 183
    Lesson Review Questions ... 185
      Lesson Review Question 1 ... 185
      Lesson Review Question 2 ... 186
      Lesson Review Question 3 ... 187
      Lesson Review Question 4 ... 188
      Lesson Review Question 5 ... 189
      Lesson Questions and Answers ... 190
    Instructor Note: Activity Timing ... 191
    Additional Security Activity Introduction ... 192
      Additional Security Activity: Creating a Custom Employee Role ... 194
  References ... 198
  Lesson Highlights ... 200
    Lesson Details ... 201
    Tip: Minimizing the Number of Data Roles ... 205
      Dynamic Security Profiles and Areas of Responsibility ... 206
      Defining Areas of Responsibility ... 207
      Creating a Dynamic Security Profile ... 208
    Tip: Impersonation and Delegation ... 210

Lesson 1: Define Security for HCM

Objectives

After completing this lesson, you should be able to:

• Describe the key features of Oracle Fusion Applications security
• Differentiate the four types of roles used in Oracle Fusion Applications security
• Identify key components of the Security Reference Implementation
• Create a new data role and assign security profiles
• Describe how user accounts are created and roles are provisioned to users
• Manage provisioning rules that map roles to users based on their HR assignments
• Identify the three main tools used to manage security in Oracle Fusion Applications
• Create a custom job role
• Create a custom duty role
• Describe how security policies are generated for roles that inherit a duty role
• Describe the steps involved in creating custom line manager and employee abstract roles


Security Overview

Role-Based Security Model

Oracle Fusion Applications use a role-based access control security model. Users are assigned roles through which they gain access to functions and data within the applications. In the figure below, Julie Brown has three roles:

When she signs on to Oracle Fusion Applications, all of these roles are active concurrently. The functions and data she can access are determined by the combination of roles to which she is assigned. As an employee, Julie has access to employee functions and data, and as a line manager, she has access to line-manager functions and data.


Instructor Note: Roles Assigned to Users

Contrast the Oracle Fusion Applications approach, where users have multiple roles active simultaneously, with the EBS approach, where users select a responsibility and operate within that responsibility only. Use the Security Component Terminology Comparison slide later in this section to show how role types and other security components in Oracle Fusion correspond to features in EBS and PeopleSoft. If questions about security occur in other lessons (such as how to prevent a user from doing something or how to enable a user to do something), the answer is always the same: the roles provisioned to the user determine what the user can (and cannot) do.


Role-Based Access Control

Role-based security in Oracle Fusion Applications controls who can do what on which data. For example:

• Who: a role assigned to a user.

• What: a function that users with the role can perform.

• Which Data: the set of data that users with this role can access when performing this function. In Oracle Fusion HCM, "Which Data" is defined using security profiles.


Predefined HCM Roles

The following is a partial list of the roles that are predefined and delivered with Oracle Fusion HCM:

• Benefits Administrator
• Benefits Manager
• Benefits Specialist
• Compensation Administrator
• Compensation Analyst
• Compensation Manager
• Compensation Specialist
• Contingent Worker
• Employee
• Human Capital Management Application Administrator
• Human Resource Analyst
• Human Resource Manager
• Human Resource Specialist
• Human Resource VP
• Line Manager
• Payroll Administrator
• Payroll Manager

These predefined roles are included in the Security Reference Implementation. You can review details of the HCM security implementation in the Oracle Fusion Applications Human Capital Management Security Reference Manual. The Oracle Fusion Applications Common Security Reference Manual covers roles that are common across Oracle Fusion Applications, such as the Application Implementation Consultant and IT Security Manager roles.


Role Inheritance

Role inheritance is a key concept in the Oracle Fusion HCM security model. The figure below illustrates the hierarchy of job and duty inheritance.

Human Resource Specialist is a job role that inherits a number of duties.


Data Role Inheritance

In the figure below, Human Resource Specialist – Vision Corporation and Human Resource Specialist – Vision Services are data roles that inherit the Human Resource Specialist job role. This gives them access to the tasks that an HR Specialist needs to perform. The security profiles that are assigned to the data roles provide the data access.

Note that the two data roles have different security profiles, granting access to different sets of data.


User Role Inheritance

When individual users are assigned to data roles, they inherit the data and function security associated with those roles.


Role Types

Oracle Fusion Applications uses four types of roles for security management:

• Data Roles are a combination of a worker's job and the data instances that users with the role need to access. For example, the HCM data role Payroll Administrator Payroll US combines a job (Payroll Administrator) with a data scope (Payroll US). Data roles are not delivered as part of the reference implementation. They are defined by customers and are assigned directly to users.

• Abstract Roles represent a worker's role in the enterprise, independently of the job the worker is hired to do. Three abstract roles are delivered with Oracle Fusion HCM: Employee, Line Manager, and Contingent Worker. You can also create custom abstract roles. You assign abstract roles directly to users.

• Job roles align with the job a worker is hired to perform. Examples of predefined job roles are Human Resource Analyst and Payroll Manager. You can create custom job roles. Typically, you include job roles in data roles, and assign those data roles to users. (The IT Security Manager and Application Implementation Consultant job roles are exceptions, because they are not considered HCM job roles and don't restrict data using security profiles.)

• Duty roles align with the individual duties that users perform as part of their job. They grant access to work areas, dashboards, task flows, application pages, reports, batch programs, and so on. They may carry both function and data security grants. Duty roles are inherited by job and abstract roles, and can also be inherited by other duty roles. Duty roles are delivered as part of the reference implementation, and can be used as building blocks when creating your own job and abstract roles. You do not assign duty roles directly to users.


Role Inheritance Example

In reality, abstract and job roles inherit many duty roles. The following figure shows a simplified example:

In this example, the duty roles give the user access to all the tasks and functions that an HR specialist needs to perform plus all the tasks, unrelated to a specific job, that every employee needs to perform. Most security profiles are defined by customers and assigned to data roles and abstract roles. (A small set of predefined security profiles is delivered as part of the security reference implementation.) The HCM security model supports several different types of security profiles, each used to control access to a different type of data.


Security Privileges

When you look deeper into the role hierarchy, you can see that the Worker Promotion Duty is associated with a function security privilege and two data security policies.

• The Promote Worker function security privilege secures access to the Promote Worker page.

• One data security policy determines which people can be promoted.

• A second data security policy determines which positions the person can be promoted into.

Each data security policy defines a role (such as Worker Promotion Duty), a business object being accessed (such as Person Assignment), the condition that must be met for access to be granted, and a data security privilege that defines the action being performed. Function security privileges and data security policies are covered in detail in a later section.
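The model described on the Role Types, Role Inheritance and Security Privileges pages, as an added Python example that is not Oracle code and not part of this guide: all of a user's roles are active at once, function privileges flow from duty roles up through job roles into data roles, security profiles on data roles fix the data scope, and each data security policy is checked as role + business object + data privilege + condition. The privilege names, the policy conditions, the scope values and Julie's third role are assumptions made for the example.

```python
"""Toy model of the Oracle Fusion HCM role hierarchy from this lesson.

Constructed example, not Oracle code. Role names follow the lesson; the
privilege names, policy conditions and scope values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable

# The four role types from the "Role Types" page.
DATA, ABSTRACT, JOB, DUTY = "data", "abstract", "job", "duty"


@dataclass
class Role:
    name: str
    kind: str
    inherits: list = field(default_factory=list)            # child Role objects
    function_privileges: set = field(default_factory=set)   # function security
    security_profiles: dict = field(default_factory=dict)   # profile type -> scope set


@dataclass
class DataSecurityPolicy:
    """role + business object + data privilege + condition (Security Privileges page)."""
    role: str
    business_object: str
    data_privilege: str
    condition: Callable[[dict, dict], bool]   # (user_context, row) -> allowed?


def validate_assignment(user_roles):
    """Check the lesson's assignment rules: duty roles are never assigned directly
    to users, and job roles are normally wrapped in a data role (IT Security Manager
    and Application Implementation Consultant are the stated exceptions)."""
    exceptions = {"IT Security Manager", "Application Implementation Consultant"}
    problems = []
    for r in user_roles:
        if r.kind == DUTY:
            problems.append(f"duty role assigned directly: {r.name}")
        if r.kind == JOB and r.name not in exceptions:
            problems.append(f"job role assigned without a data role: {r.name}")
    return problems


def effective_roles(user_roles):
    """All roles active concurrently at sign-on, including every inherited role."""
    seen, stack, out = set(), list(user_roles), []
    while stack:
        r = stack.pop()
        if r.name in seen:
            continue
        seen.add(r.name)
        out.append(r)
        stack.extend(r.inherits)
    return out


def function_privileges(user_roles):
    """Union of function security privileges across the whole hierarchy."""
    return set().union(*(r.function_privileges for r in effective_roles(user_roles)))


def data_scope(user_roles, profile_type):
    """Data access: union of the security profiles carried by the user's roles."""
    return {s for r in effective_roles(user_roles)
            for s in r.security_profiles.get(profile_type, ())}


def can_perform(user_roles, user_ctx, policies, privilege, business_object, row):
    """Grant only if a held role carries a policy for this object and privilege
    whose condition holds for the row being accessed."""
    held = {r.name for r in effective_roles(user_roles)}
    return any(p.role in held and p.business_object == business_object
               and p.data_privilege == privilege and p.condition(user_ctx, row)
               for p in policies)


# Constructed hierarchy following the lesson's figures.
worker_promotion = Role("Worker Promotion Duty", DUTY,
                        function_privileges={"Promote Worker"})
hr_specialist = Role("Human Resource Specialist", JOB, inherits=[worker_promotion])
hr_spec_vision_corp = Role("Human Resource Specialist - Vision Corporation", DATA,
                           inherits=[hr_specialist],
                           security_profiles={"person": {"Vision Corporation"}})
employee = Role("Employee", ABSTRACT, function_privileges={"View Own Portrait"})
line_manager = Role("Line Manager", ABSTRACT, function_privileges={"View Direct Reports"})

POLICIES = [
    # Which people can be promoted: those inside the user's person scope (assumed).
    DataSecurityPolicy("Worker Promotion Duty", "Person Assignment", "Promote",
                       lambda ctx, row: row["legal_employer"] in ctx["person_scope"]),
    # Which positions they can be promoted into: same scope (assumed).
    DataSecurityPolicy("Worker Promotion Duty", "Position", "Promote Into",
                       lambda ctx, row: row["business_unit"] in ctx["person_scope"]),
]

# Julie's roles; the data role is assumed, the lesson only names employee and line manager.
julie_roles = [employee, line_manager, hr_spec_vision_corp]


def julie_can_promote(row):
    """Data-security check for a Person Assignment row, using Julie's combined scope."""
    ctx = {"person_scope": data_scope(julie_roles, "person")}
    return can_perform(julie_roles, ctx, POLICIES, "Promote", "Person Assignment", row)
```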


Instructor Note: Details Will Come Later

Sometimes the previous slide spawns questions from students who want to know a lot more about what happens under the hood, because they find it very difficult to understand what data security policies are, how they are used, and how they work. Inform the class that this information is covered in detail later in the class in the HCM Security Deep Dive section. In this overview, we're just introducing the concepts of function security and data security and the related function security privileges and data security privileges. Ask students to hold their detailed questions on data security policies until later, and assure them that they will have an opportunity to see these features up close.


Security Component Terminology Comparison

This table shows how security components in Oracle Fusion Applications correspond directly to security features in E-Business Suite and PeopleSoft.


Role Evaluation

By default, users do not have access to Oracle Fusion Applications functions and data. Users are granted access by means of the roles provisioned to them. Prior to implementation, you must:

• Review how the security reference implementation of roles and policies fits with the jobs in your enterprise.

• Identify the jobs that people have in your enterprise.

• Decide whether the duties defined for the jobs in the security reference implementation match the duties performed by corresponding jobs in your enterprise.


Customizing Security for Your Needs

In cases where the predefined security reference implementation does not adequately represent the needs of your enterprise, you can make changes. For example, a predefined job role may be too narrowly defined. You can create a new job role and give it a role hierarchy of different duty roles than a similar predefined job role, and provision your newly created job role to users who should have broader access. For example, the predefined Line Manager role includes compensation management duties. If some of your line managers do not handle compensation, you could create a custom line manager role without those duties. Evaluate the predefined roles and privileges in the security reference implementation against the needs of your enterprise and determine the necessary security setup actions:

• If jobs exist in your enterprise that are not represented by the security reference implementation, you create a new job role or abstract role.

• If the duties for a predefined job role are not the same as the corresponding job description in your enterprise, you add duties to and subtract duties from the job role.

• If the duties for a job are not defined in the security reference implementation, you create custom duty roles.

The demonstrations and activities in this lesson will show you how to perform each of these setup actions.

Note: As you make changes to the security reference implementation for an Oracle Fusion Applications deployment, it is good practice to create your own custom roles rather than modify predefined roles. Upgrade and maintenance patches to the security reference implementation preserve your changes. Thus, if you do modify predefined roles, you won't be able to restore them to their original state by upgrading.


Instructor Note: Currently No Way to Copy Roles

There is currently no way of copying roles. This is being addressed in a future release of Oracle Fusion Applications.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 5 minutes


Demonstration: Function Security in Action

Demonstration Background

As an Oracle Fusion Applications user, you access functions through the roles that have been assigned to you.

Demonstration Scope

Go to the Navigator, and view the available options. Select an option, and view the available tasks in the task pane.

Demonstration Steps

Start Here: Oracle Fusion Applications Sign On screen

1. Log in as Curtis.Feitty, using the password provided to you by the instructor.

2. In the menu bar at the top of the page, click Navigator.

Information

Function security is used to secure the Navigator menu. Each menu entry corresponds to a work area or dashboard, and each of these is secured with a function security privilege. The function security privileges that are granted to the user (through his or her roles) control the menu entries that the user can see.


3. Select Workforce Structures under Workforce Management.

Information

Function security also secures the task pane (displayed on the left side of the page) for a work area. Each of the task pane entries corresponds to a task flow, which is secured with a function security privilege. The function security privileges that are granted to the user (through his or her roles) control the task pane entries that the user can see.

4. Select My Information > My Account from the Navigator. Location: Manage User Account page

5. Scroll down to the Current Roles section.

Information

Curtis is assigned a great many roles, which is useful for testing (and for training courses like this). He has functional manager roles, as well as IT Security Manager. In the real world, few users would have this many different and powerful roles.

6. Click Sign Out at the top of the page, and then sign back in as jessica.mullen.


7. Click the Navigator menu again.

Information

Jessica is an HR Analyst with fewer privileges than Curtis. Jessica does not have access to the Workforce Structures function, so it does not appear on her menu.

8. Select My Information > My Account from the Navigator, and then scroll down to the Current Roles section to view Jessica's assigned roles.

9. Sign out.

You have demonstrated how to view menu options and tasks managed by function security.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 7 minutes


Demonstration: Data Security in Action

Demonstration Background

As an Oracle Fusion Applications user, you access data via the roles that have been assigned to you.

Demonstration Scope

Explore the data available for viewing by different users based on their assigned roles.

Demonstration Steps

Start Here: Oracle Fusion Applications Sign On screen

1. Log in as Jack.Fisher.

Information

This user has employee and line manager roles. He also has several direct reports.

2. In the menu bar at the top of the page, click Navigator and select Person Gallery.

3. Select the My Portrait tab.

Information

When you look at your own portrait, you can see your benefit enrollments, compensation data, and so on. The actions that are available in the Actions menu are controlled using data security. The actions you can perform include things like Change Marital Status, but do not include actions like Promote.

4. Select the Organization Chart tab to show the management reporting hierarchy.

5. Click the name of Jack's manager, Linda Swift.

Information

When an employee views their manager's portrait, only publicly available information appears. No actions are available. Data security controls access to data that you can view for other people. A public person security profile controls which people a user can search for in Person Gallery. Once a user has selected a person, data security controls the Person Gallery cards that can be seen for that person and also what actions can be performed against them.


6. Select the Organization Chart tab again.

7. Hover your mouse over the point at the bottom of Jack's box on the chart, and then click the + sign to show Jack's direct reports.

8. Click Mark Winterling's name.

Information

In the Actions section, you can see the functions available to Jack. He can promote, terminate, manage the salary and compensation, and view absence balances for Mark.

9. Sign out and sign back in as Curtis.Feitty.

10. Navigate to the Person Gallery, and search for Linda Swift. (Enter Linda's name in the Keywords field, click Search, and then click Swift, Linda in the Search Results.)

Information

When viewing Linda in the Person Gallery, Curtis can see more cards and has more actions than Jack. This is because Curtis has the HR Specialist - View All role, which allows him a greater level of access.

You have demonstrated how to view application pages managed by data security and noted the differences that result from provisioned data restrictions.


Exploring the Security Reference Manual

The Oracle Fusion Applications Human Capital Management Security Reference Manual includes descriptions of all the predefined data that is included in the security reference implementation for HCM. The Oracle Fusion Applications Common Security Reference Manual provides descriptions of predefined data that is common across Oracle Fusion Applications.

Note: All information presented in the manuals can be accessed in the various user interface pages of Oracle Fusion Applications. However, the manuals make it easier to compare and plan your customizations.

There are several ways to access the Security Reference Manuals online:

From the Search window in Oracle Fusion Help:

1. Click the Help link at the top of any application window.

2. Select Applications Help to display the Oracle Fusion Applications Help window.

3. In the Search field, type the name of the manual you want to view, such as Oracle Fusion Applications Human Capital Management Security Reference Manual.

4. Click the icon button.

5. In the Search Results, click the link for the manual.

Information

From here, you can view, print, or save the manual to your local drive.

From the Guides Menu in Oracle Fusion Help:

1. Click the Help link at the top of the application window.

2. Select Applications Help to display the Oracle Fusion Applications Help window.

3. Click the Guides link, and then select the manual you want to view.

From the Oracle Fusion Applications Documentation Page for Your Release:

1. Access the main Oracle Fusion Application Documentation page at: http://www.oracle.com/technetwork/documentation/fusion-apps-doc-1508435.html

2. Under Oracle Fusion Applications Documentation, click on the link for your Oracle Fusion Applications release.

3. On the Oracle Fusion Applications Documentation page, click the Human Capital Management tab.


4. Under Administration Guides, click the PDF or HTML link for the manual you want to view.

HCM Security Reference Manual

The HCM Security Reference Manual contains a section for each predefined HCM job and abstract role. For each role, you can review its:

• duties
• role hierarchy
• function security privileges
• data security policies

This information can help you understand which users should be provisioned with the role, or which adjustments your enterprise requires before the role can be provisioned.

Additional Information

For additional information and links, see the References page at the end of this lesson.


Instructor Note: Security Reference Implementation

This training was originally developed for Release 7, prior to the Rel 7 GA, and the Document Library was not yet finalized for that release. For that reason, the Guides link from the Help>Applications Help menu did not work in the training environment. If the training is delivered post Rel 7 GA, these links should work. Otherwise, advise students to search for the reference manual from the help portal. If there is time at the end of this module, ask the students to access the HCM Security Reference Manual online and explore the contents.


Security Profiles and Data Roles

Data Security Through Security Profiles

Most Oracle Fusion HCM data is secured by means of HCM security profiles. A security profile identifies a set of data of a single type, such as persons or organizations. For example, you could create security profiles to identify:

• All workers in department HCM US
• The legal employer InFusion Corp USA1
• Business units USA1 and USA2

Customers assign security profiles to:

• Data roles. Data roles always inherit job roles. The job roles provide the function security access, while the security profiles assigned to the data role provide access to the data required to perform the duties of the job.

• Abstract roles. Three abstract roles are delivered with HCM: employee, line manager, and contingent worker. You assign security profiles to predefined abstract roles, such as employee, to grant access to HCM business objects, such as the worker's own person record. You can also assign security profiles to the custom abstract roles that you create. Note: In Cloud environments, security profiles are preassigned to the Employee, Line Manager, and Contingent Worker abstract roles.

• Job roles. Assigning security profiles directly to job roles is less common, since users with the same job often access different sets of data.


Security Profiles Example

Security profiles are assigned to roles that are directly assigned to users. In the following example, Tim Thompson and Patricia Smith are both human resource specialists, Tim in US Marketing and Patricia in US Sales. Each has a data role that inherits the job role Human Resource Specialist and the duty roles appropriate to that job role. Therefore, Tim and Patricia can perform the same functions and see the same entries in the Navigator, work area Tasks panes, and menus. However, each user accesses different sets of data, which are identified in separate sets of security profiles.

Note: If Tim and Patricia could access the same sets of data, you would assign the same data role to both users.


HCM Security Profile Types

You can create HCM security profiles for the following HCM business objects:

• Person (managed)
• Person (public)
• Organization
• Position
• Legislative Data Group
• Country
• Document Type
• Payroll
• Payroll Flow
• Workforce Business Process

Two uses for the person security profile exist because many users need to access two distinct sets of people in a single HCM data role: people whom they manage and people whose public contact details they need to access (for example, in a worker directory).

• The Person (managed) profile controls which people you can perform actions against.

• The Person (public) profile controls which people you can search for in the Person Gallery. This profile is also used to secure some person LOVs. For example, the Change Manager page and New Hire flows display a person LOV that is secured using the public person security profile, rather than the person security profile. This is because the person who is selecting the manager for a worker might not have view access for that manager through their person security profile.


Predefined HCM Security Profiles

The following HCM security profiles are predefined:

You cannot:

• Edit or delete the predefined security profiles.
• Create a custom security profile that provides access to all objects; you must use the appropriate predefined View All security profile instead.


HCM Security Profiles Best Practices

The following recommendations apply to all types of HCM security profiles:

• HCM security profiles are reusable and modular. Once you create a security profile, you can assign it to multiple data roles.

• You can reference organization, position, payroll, and other security profiles in a person security profile. For example, you might define an organization security profile that allows access to a particular business unit. You can then reference the organization security profile in a person security profile to provide access to people who are assigned to that business unit.

• Use the predefined security profiles wherever appropriate.

• Define a naming scheme that clearly identifies the set of business objects in the security profile's data instance set, such as HCM US Departments or US Marketing Positions. Security profile names must be unique in the enterprise within each security profile type.


Approaches to Creating Data Roles

Consider these approaches when creating HCM data roles:

• Give employees access to their own records, the person records of their emergency contacts, beneficiaries, and dependents, and all public-person records. Assign relevant HCM security profiles directly to the employee abstract role.

• Give managers access to the person records of direct and indirect reports. Assign relevant HCM security profiles directly to the line manager abstract role.

• For individual job roles, determine whether all users with that job role access the same HCM business object instances. In this scenario, you do not need to create a data role; you can simply assign the security profiles to the job role.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 15 minutes


Demonstration: Managing Data Roles and Security Policies

Demonstration Background

During security setup, you create data roles and assign security profiles to them.

Demonstration Scope

Use the Manage Data Role and Security Profiles task to demonstrate the process of creating a data role and assigning security profiles to it.

Demonstration Steps

Start Here: Oracle Fusion Applications Sign On screen

1. Log in as Curtis.Feitty, if not already logged in.

2. Navigate to the Setup and Maintenance work area. Location: Overview page, All Tasks tab

3. In the Name field, enter Manage Data Role and Security Profiles and click Search. Location: Search Results section

4. In the Manage Data Role and Security Profiles task row, click Go to Task.

Location: Manage Data Roles and Security Profiles page

5. In the Search Results section toolbar, click the Create icon button.

Location: Create Data Role: Select Role page

6. In the Data Role field, enter XX HR Specialist InFusion, where XX represents your initials.

7. In the Job Role field, search for and select Human Resource Specialist.

Information

A data role is always associated with a job role, from which it inherits duties.

8. Click Next.


Location: Create Data Role: Security Criteria page

Information

Here you select the security criteria for the role. For each business object that the job role needs to access, a section appears on this page. To identify data set instances for each business object, you can either select an existing security profile or create a new security profile.

Note: Any security profiles that you create while defining the data role exist independently of the data role and can be reused.

9. In the Organization section, select the predefined View All Organizations organization profile.

10. In the Person section, select the Create New hyperlink at the bottom of the Person Security Profile LOV.

11. In the Name field, enter XX Person Security Profile InFusion.

12. Select the Secure by Global Name Range option.


13. For all other sections, select any one of the predefined View All security profiles.

14. Click Next.

Location: Assign Security Profiles to Role: Organization Security Profile page

Information

This is the first of a series of pages for defining security profiles. Since you only need to create a Person profile, you could skip to the Person page now by clicking Person in the process train at the top of the page. However, for this demonstration, we will review each page to see the criteria associated with each business object. Key points about each profile type are included in the pages following this demonstration.

15. Click Next, noting the security criteria on each page, until you reach the Person train stop. Location: Assign Security Profiles to Role: Person Security Profile page

Note: In the Global Name Range section, the Secure by Global Name Range option is selected based on your previous entry (step 12).

16. In the Global Name Range section, enter A in the From Person Name field, and enter L in the To Person Name field.

Information

This criterion limits access to persons whose global list names are in the range A through L.

17. To view the remaining security profile pages, continue clicking Next until you reach the Review page.

18. Click Submit. Location: Manage Data Roles and Security Profiles page

Information

After submitting, it is a good idea to verify that the new role was successfully created and profiles were assigned.

19. Search for the data role you just created. (Enter XX HR Specialist InFusion in the Role field, and click Search.)

20. In the Search Results, verify that the Security Profiles Assigned column for your role displays a green checkmark.

21. Click Done.

At this point, you should have created a new data role and assigned the necessary security profiles.


Key Points for Creating Security Profiles

All Security Profile Types

• A security profile defines criteria that identify a data instance set for a particular business object.

• You can define any combination of available criteria. For example, you can identify an organization data instance set by any combination of organization hierarchy, organization classification, and organization name.

• If you define criteria by name (or a list or range of names), the data instance set is the same for all users and changes only if you update the security profile. However, if you use other criteria, such as hierarchy or classification, the data instance set may vary by user and may change independently of the security profile.

• If you define criteria by hierarchy, you can include a subset of the items in the hierarchy by specifying the top level of the hierarchy. For example, you can include a subset of organizations in the organization hierarchy by specifying the top organization.

• Business objects must satisfy all of the criteria in the security profile to belong to its data instance set.

• To provide access to all records, use the predefined View All security profile.

Organization Security Profiles

• Users need access to organizations either because they manage their definitions or because they perform tasks where lists of organizations are presented. For example, a human resource specialist selects a legal employer, business unit, and department when hiring a worker.

• An organization security profile should include all the organizations you need to access. For example, if you need to hire employees, your organization security profile should include the business units, legal employers, and departments into which you will be hiring employees.

• You can define multiple organization classifications. Organizations with multiple classifications appear in the data instance set if they satisfy any one of the classification criteria.


• If you use the organization from the user's assignment as the top organization in the organization hierarchy, the data instance set varies by user, even though the organization security profile is the same for all users. If the user has multiple assignments in the organization hierarchy, all relevant organizations from all assignments belong to the data instance set.

Position Security Profiles

• Users need access to positions because they either manage position definitions or perform tasks where lists of positions are presented.

• When you identify positions by department or business unit, you include positions defined for those departments or business units. To identify the departments and business units, you select existing organization security profiles: the position security profile inherits the data instance sets of the selected organization security profiles.

• If you use the position from the user's assignment as the top position in the position hierarchy, the data instance set varies by user, even though the position security profile is the same for all users. If the user has multiple positions in the position hierarchy, all relevant positions belong to the data instance set.

Person Security Profiles

• Users access person records either because they need to update them (for example, because they manage those people) or because they need to contact those people. You create separate person security profiles for each of these purposes.

• A user who has access to a person record has access to relevant information from all of the person's assignments, even if only one of the person's assignments satisfies the criteria in the person security profile.

• Workforce structures include department, legal employer, business unit, position, legislative data group, and payroll. To secure person records by one or more of these workforce structures, you select an appropriate security profile. The person security profile inherits the data instance set of the selected security profile.

• If you identify person records by manager hierarchy, you select either a person-level or an assignment-level hierarchy. In a person-level hierarchy, the data instance set includes any worker in a direct or indirect reporting line to the signed-on user. Use this approach unless workers have multiple assignments that are not all managed by the same manager. In an assignment-level hierarchy, the data instance set includes both workers who report to the signed-on manager directly and workers who report to the assignments that the signed-on manager manages. In enterprises where workers have multiple assignments reporting to various managers, this approach ensures that only managers who are directly responsible for a worker have access to that worker.
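To make the difference between the two manager-hierarchy types concrete, here is an added example (not Oracle code, and not a reproduction of how Fusion evaluates the profile internally) that computes the person-level and the assignment-level data instance set over a constructed set of assignments in which one worker holds two assignments reporting to different managers. The `manager_asg` link, the worker names and the reporting structure are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Assignment:
    id: str
    worker: str                 # person who holds this assignment
    manager_asg: Optional[str]  # id of the manager's assignment it reports to (assumed link)


def _reports_by_person(assignments: List[Assignment]) -> Dict[str, Set[str]]:
    """Person-level reporting lines: a worker reports to whoever holds the managing assignment."""
    by_id = {a.id: a for a in assignments}
    reports: Dict[str, Set[str]] = {}
    for a in assignments:
        if a.manager_asg is not None:
            reports.setdefault(by_id[a.manager_asg].worker, set()).add(a.worker)
    return reports


def person_level_set(assignments: List[Assignment], manager: str) -> Set[str]:
    """Every worker in a direct or indirect reporting line to `manager` at person level.

    Once a worker is reached through any one assignment, all of that worker's own
    reports (through any of the worker's assignments) are included as well.
    """
    reports = _reports_by_person(assignments)
    out: Set[str] = set()
    stack = [manager]
    while stack:
        for w in reports.get(stack.pop(), ()):
            if w not in out and w != manager:
                out.add(w)
                stack.append(w)
    return out


def assignment_level_set(assignments: List[Assignment], manager: str) -> Set[str]:
    """Workers reached only through the chain of assignments the manager actually manages."""
    reports: Dict[str, List[Assignment]] = {}
    for a in assignments:
        if a.manager_asg is not None:
            reports.setdefault(a.manager_asg, []).append(a)
    out: Set[str] = set()
    seen: Set[str] = set()
    # Start from the assignments the signed-on manager holds, then follow the chain.
    stack = [a.id for a in assignments if a.worker == manager]
    while stack:
        asg = stack.pop()
        if asg in seen:
            continue
        seen.add(asg)
        for a in reports.get(asg, []):
            out.add(a.worker)
            stack.append(a.id)
    return out - {manager}


# Constructed data: Wren holds two assignments, one under Maya and one under Noah.
# Uma reports into Wren's Maya-side assignment; Vic reports into Wren's Noah-side one.
ASSIGNMENTS = [
    Assignment("MAYA-1", "Maya", None),
    Assignment("NOAH-1", "Noah", None),
    Assignment("WREN-1", "Wren", "MAYA-1"),
    Assignment("WREN-2", "Wren", "NOAH-1"),
    Assignment("UMA-1", "Uma", "WREN-1"),
    Assignment("VIC-1", "Vic", "WREN-2"),
]

if __name__ == "__main__":
    for boss in ("Maya", "Noah"):
        print(boss, "person-level:", sorted(person_level_set(ASSIGNMENTS, boss)))
        print(boss, "assignment-level:", sorted(assignment_level_set(ASSIGNMENTS, boss)))
```

With a person-level hierarchy Maya reaches Vic through Wren even though Vic reports into the assignment Noah manages; the assignment-level hierarchy keeps Vic visible only to Noah.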

Public Person Security Profiles

• A public person security profile identifies the set of workers whose work contact details the signed-on user needs to access (for example, in the Person Gallery).

Document Type Security Profiles

• Users need access to document types because they either manage the definitions of those document types or need to access instances of those document types in the person records to which they have access.

• A document type security profile includes criteria that identify one or more locally defined document types. You do not need to include criteria for accessing the standard predefined document types, such as visas, driver's licenses, and passports; access to a person record includes access to these document types for that person.

• You identify one or more document types by name and indicate whether to include or exclude those document types. If you include document types, users can access only the specified document types; the data instance set never changes unless you update the security profile. If you exclude document types, users can access all document types except those in the security profile; therefore, the data instance set may change independently of the security profile.


Instructor Note: Notes on Activities

Note Regarding All Activities in this Guide

• Use of Implementation Projects: During an actual implementation, an implementation user typically performs assigned tasks from their implementation project and tracks their progress as they go. For activities in this lesson, students can run the assigned tasks from their implementation project or launch tasks from the All Tasks tab (as described in the activity steps). The latter is faster and works perfectly well. However, if users want to track the completion of their setup activities, they should start activities from their implementation project and mark them as complete when they are done.

• Each Activity Builds on the Previous One: Students will create business objects in each activity, and will use the objects they create in subsequent activities. So it's important that they successfully complete each one. The activities specify the names to use for the business objects created. Instruct students to use the specified names, as it will help when referring to the objects later on. Likewise, instruct students to enter all field values exactly as instructed, as those values must be present for future activities.

• Environment Issues: All activities have been tested, but we have encountered intermittent problems with the following:

  User Creation - When a user is created using the Manage Users task, the user record should be immediately available in OIM. However, sometimes there is a lag between the time the new user record is saved and the time it shows up in OIM. There is nothing to do here but wait.

  Problem starting OIM - When using the Manage Job Roles task to access OIM, a new browser window opens. Sometimes that window is blank and OIM does not start. If this happens, don't wait more than a minute or two. The best thing is to close the blank browser window and then sign out of Oracle Fusion completely. Start Fusion again in a new browser window, and then start OIM. This usually solves the problem right away.


Instructor Note: Activity Timing

Approximate Activity Timing: 15 minutes


Activity 1 Introduction

Background

When HR specialists perform tasks where lists of organizations are presented, they must be able to select their department and should not be able to view certain restricted departments. A new data role is required, with security profiles that restrict the data the role can access.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.
• You must have access to an Oracle Fusion Application InFusion database (or a comparable training or test instance at your site) on which to complete this activity.

Activity Scope


Activity 1: Creating Security Profiles and Assigning to a New Data Role

In this activity, you create two security profiles:

• An organization security profile that grants access to the Operations US department and all departments under it in the department hierarchy, except the Organizational Development US department and its parent, the Human Resource US department.

• A person security profile that grants access to persons in the Operations US department, with the same two exclusions.

Once you have created both security profiles, you create an HCM data role, based on the Human Resource Specialist job role, and assign the two security profiles to it.

Start Here: Oracle Fusion HCM Sign On screen

Create Organization Security Profile

1. Log in as Curtis.Feitty.

2. Navigate to the Setup and Maintenance work area. Location: Overview page, All Tasks tab

3. In the Name field, enter Manage Organization Security Profile and click Search. Location: Search Results section

4. In the Manage Organization Security Profile task row, click Go to Task.

Location: Manage Organization Security Profiles page

5. In the Search Results section toolbar, click the Create icon button.

Location: Create Organization Security Profile page

6. In the Name field, enter XX Operations US.

7. In the Organization Hierarchy section, select the Secure by Organization Hierarchy option.


8. In the Tree Structure field, select Department Hierarchy.

9. In the Department Tree field, select InFusion Department Tree.

10. In the Top Organization Selection field, select the Specify Organization option.

11. In the Organization LOV, search for and select Operations US.

12. In the Organizations section, select the Secure by Organization List option.

13. Click the Add (+) icon button.

14. In the Organization LOV, search for and select Human Resources US.

Information

If you search for the organization, enter Department as the Classification Name in the Search and Select: Organization window.

15. Select the Exclude option.

16. Click the Add (+) icon button again.

17. In the Organization LOV, search for and select Organizational Development US.

18. Select the Exclude option.

19. Click Save and Close.

20. Click Done.

Create Person Security Profile

1. In the Setup and Maintenance work area, search for the Manage Person Security Profile task.

2. In the Search Results, select the Manage Person Security Profile task row and click Go to Task. Location: Manage Person Security Profiles page

3. In the Search Results section toolbar, click the Create icon button.

4. In the Name field, enter XX Operations US People Only.


5. In the Workforce Structures section, select the Secure by Department option.

6. In the Secure by Department LOV, select the XX Operations US organization security profile you created earlier.

7. Click Save and Close.

Information

Click Yes to the warning message to allow future changes, if it is displayed.

8. Click Done.

Create a Data Role and Assign Security Profiles

1. In the Setup and Maintenance work area, search for the Manage Data Role and Security Profiles task.

2. In the Search Results, select the Manage Data Role and Security Profiles task row, and click Go to Task. Location: Manage Data Roles and Security Profiles page

3. In the Search Results section toolbar, click the Create icon button.

Location: Create Data Role: Select Role page

4. In the Data Role field, enter XX HR Spec Data.

Information

The name cannot exceed 55 characters.

5. In the Job Role field, search for and select Human Resource Specialist.

Information

The job role selection affects which security profiles you can assign to the role. For example, selection of the Human Resource Analyst job role will not allow you to control security of the payroll flow, since that is not part of the job.

6. Click Next. Location: Create Data Role: Security Criteria page

7. In the Organization section, select the organization security profile you created in this activity (XX Operations US).


8. In the Person section, select the person security profile you created in this activity (XX Operations US People Only).

9. In all other sections, search for and select any one of the predefined View All options.

10. Click Review.

11. Click Submit. Location: Manage Data Roles and Security Profiles page

12. Search for the profile you just created. (Enter XX HR Spec Data in the Role field, and click Search.)

13. In the Search Results, verify that the Security Profiles Assigned column displays a green checkmark.

14. Click Done.


Assigning Security Profiles to Existing Roles

To assign security profiles to an existing role, use the Manage Data Roles and Security Profiles task you just used to create a data role. On the Manage HCM Data Roles page, search for the role. In the Search Results section, select the role and then click the Assign button. The Assign HCM Data Role: Select Security Criteria page shows the types of security profiles currently used by the selected role.

Make any necessary changes to the security criteria, and click Next. The series of pages displayed when you assign security profiles to an existing data role is the same as when you assign profiles to a new data role. Click Submit on the final page to save your changes.


Editing Security Profiles

You cannot modify existing security profiles using the Manage Data Role and Security Profiles task. If you want to change the definition of an existing security profile, use the appropriate task in the Setup and Maintenance work area:

• Manage Country Security Profile
• Manage Document Type Security Profile
• Manage Legislative Data Group Security Profile
• Manage Organization Security Profile
• Manage Payroll Flow Security Profile
• Manage Payroll Security Profile
• Manage Person Security Profile
• Manage Position Security Profile
• Manage Workforce Business Process Security Profile

Search for the profile, and then open it for editing. When you save your changes, they are picked up immediately by any data roles that reference them.


Security Profiles Review Question 1

Which of the following is not a predefined HCM security profile?

1. View Own Record
2. View All Positions
3. View All Jobs
4. View All Document Types


Security Profiles Review Question 2

You can identify a set of person records in a person security profile by:

1. Legislative data group
2. Custom criteria
3. Person type
4. Payroll
5. All of the above


Security Profiles Review Question 3

A user who has access to a person record has access to all of the person's assignments.

1. True
2. False


Security Profiles Questions and Answers

Which of the following is not a predefined HCM security profile?
3. View All Jobs

You can identify a set of person records in a person security profile by:
5. All of the above (legislative data group, custom criteria, person type, and payroll)

A user who has access to a person record has access to all of the person's assignments.
1. True


User and Role Provisioning

User Account Creation and Maintenance Scenarios

A customer's approach to account creation and maintenance for Oracle Fusion HCM users depends on their existing user base, whether or not their users are shared among multiple applications, and whether they plan to use Oracle Fusion HCM to handle their ongoing user account management needs. There are several possible scenarios, such as:

• The customer plans to create new users within Oracle Fusion HCM on an ongoing basis. In this scenario, Oracle Fusion HCM operates as a standalone system, and HCM users are not shared with other applications in the enterprise. At implementation time, existing users might be imported into Oracle Fusion HCM, or a set of new users might be created when workers are loaded into Oracle Fusion HCM.

• The customer maintains a set of users in an on-premise LDAP that connects to multiple applications using Single Sign-On (SSO). The customer wants to allow these existing users to access Oracle Fusion HCM using SSO. New users are provisioned in the on-premise LDAP and copied to Oracle Identity Manager (OIM) for use by Oracle Fusion HCM. Fusion HCM roles are maintained in OIM.

• The customer, typically a very large company, has its own user account and role-provisioning system. The customer wants to use their own system, rather than Oracle Fusion HCM, to manage all user and role provisioning for all applications in the enterprise.


Instructor Note: User Account Management Scenarios

This training focuses on the first of the three scenarios on the previous page. Single Sign-On is not covered (due to time constraints and because e-training is available for this feature). Ask students to take this e-training, as homework, after the first day of class. (See the Reference section at the end of this lesson for a link to the training.) If students have any questions after taking the training, they should bring them to class on the following day. If the instructor or attending SMEs do not have answers to the questions, they should attempt to find and communicate the answers by the end of the training day.


User Account Provisioning

User Account Creation

• You can configure Oracle Fusion HCM to create user accounts automatically when workers are hired using the New Hire flow.

• You can also create user accounts using the Manage Users task. This is a quicker way of getting employees into the system than using the New Hire flow. (There is a demonstration later in this section that illustrates this process.) Note: Once an implementation is complete, HCM users do not typically use the Manage Users task; they use the New Hire flows, which are more functionally rich.

• During initial implementation, user accounts are typically migrated to Oracle Fusion Applications using batch processes. Once you have implemented Oracle Fusion Applications, user accounts can be automatically provisioned using Oracle Fusion HCM tasks.

• Use the Create Implementation Users task to create implementation users. Users created with this task are not mapped to an HR Person Type, such as Employee or Contingent Worker. You can map an implementation user to an employee later, however.

User Account Maintenance

• User accounts can be maintained using the Manage Users task in the Setup and Maintenance work area and the Manage User Account task in the Person Management work area.

• User accounts can be automatically revoked when workers are terminated (based on account provisioning rules).

• User passwords can be reset using the Manage Job Roles task in the Setup and Maintenance work area and the Manage User Account task in the Person Management work area.


Enterprise-Level User and Role-Provisioning Options

You can define enterprise-level settings to control:

• User Creation
• Send User Name and Password
• User Account Role Provisioning
• User Account Maintenance

To configure enterprise-wide user and role-provisioning options, use the Manage Enterprise HCM Information task in the Setup and Maintenance work area.

Setup and Maintenance work area > Manage Enterprise HCM Information > Edit Enterprise page


Setting Enterprise-Level Options

User and Role Provisioning Information

• User Account Creation: Controls whether user accounts are created in OIM when persons are added in Oracle Fusion HR. Defaults to Yes. You cannot override this enterprise-level setting at the user level.

• Send User Name and Password: Controls whether to send new users and their managers an email notification when their Oracle Fusion account is accessible. Defaults to Yes. Set to No to suppress notifications if, for example, you are starting an implementation or doing a pilot program and do not want notifications sent during this period. You can override this enterprise-level setting for individual users on the Create User page (Manage Users task). Note: You can request notifications later for all users who have not yet been sent their user names and passwords. To do so, select Navigator>Tools>Scheduled Processes and run the Send Initial User Name and Password Email Notifications process.

• User Account Role Provisioning: Controls whether to provision and deprovision roles to users. Defaults to Yes. If set to No, no roles are assigned or removed from OIM; provisioning requests are created and held in the LDAP requests table, but marked with a “suppressed” status and not sent to OIM.

• User Account Maintenance: Controls whether to send updated user account data to OIM when changes are made to any of the following: name fields, person type, work email, manager of primary assignment, work address and fax details of primary assignment, and username. Defaults to Yes. If set to No, no updates are sent to OIM. Note: Internal Oracle users can view a full list of fields in the Users and Roles Technical Solution Overview, Data Passed to LDAP from Fusion section at: http://hcmwiki.us.oracle.com:8880/display/corehr/Users+and+Roles+V1+Technical+Solution+Overview#UsersandRolesV1TechnicalSolutionOverview-DataPassedtoLDAPfromFusion

• Alternate Contact E-Mail Address: An enterprise-level e-mail address to which user names and passwords are sent in addition to, or instead of, the user and the user’s line manager. This is typically used for testing purposes.

• Default User Name Format: The default name format to use for automatically generated user names, if the User Account Creation option is set to Yes.


Instructor Note: User and Role Provisioning

Some (large) customers have their own custom role-provisioning systems that they want to use to provision Fusion HCM roles to their users instead of using the HCM role-provisioning pages. If a customer turns off user account role provisioning, any roles that are requested for users using HCM pages (such as Manage User Account) are stored as pending requests but are not actioned.


Provisioning Roles to Users: Overview

Role provisioning is built into Oracle Fusion HR flows. You can initiate the provisioning and revoking of roles from within the following flows:

• Hire an Employee
• Promote Worker
• Transfer Worker

Users can self-request new roles if role mapping rules have been defined (as described on the next page) and the user meets the specified criteria. Line managers and HR specialists can request new roles for the people they manage and revoke existing roles from people they manage. Note: By default, users have no access to functions and data. To enable users to access functions and data, you must provision roles to them.


Instructor Note: Roles Must Be Provisioned

You cannot emphasize this point too strongly: roles, even standard roles such as Employee and Line Manager, must be provisioned to users. Hiring a person as an employee is not the same as provisioning the Employee role to the worker; they are separate tasks. However, often (as in this training environment) Employee and Line Manager roles are automatically provisioned, and default role mapping rules are provided in Cloud HCM pods.


Instructor Note: Role-Provisioning Rules

When presenting the information on the Defining Role Provision Rules page, you can either present the page from the guide or navigate to Manage HCM Role Provisioning Rules > Manage Role Mappings page > Create Role Mapping page and demo it. When you have finished discussing the Role Provisioning Options page, ask students to look carefully at the screen shot on the Defining Role Provision Rules page. Tell them there are two problems with the security setup portrayed in the screen shot. Ask if they can spot the (deliberate!) mistakes in this role mapping rule:

• The data role name doesn't match the legal employer. They should always make sure that the data role they select is the appropriate one, as there will be many available for selection.

• Both the Auto Provision and the Requestable options are selected. This means that anyone who is in the HR010.HR Specialist job and works for Vision Corporation can give the role to anyone in their person security profile, which doesn't make sense given that this role is being automatically provisioned. You would typically choose one or the other of these options.


Defining Role-Provisioning Rules

Role-provisioning rules determine the roles that a user should have based on their HR assignments. Also referred to as role mappings, role-provisioning rules define an association between a set of conditions (typically assignment attribute values) and one or more job, abstract, and data roles. Use the Manage HCM Role Provisioning Rules task in the Setup and Maintenance work area to create and manage role-provisioning rules.

Manage HCM Role Provisioning Rules > Manage Role Mappings page > Create Role Mapping page

Key Points

• Use the Conditions area to define the conditions that must be met for the mapping to apply.

• Use the Associated Roles section to add one or more existing roles to the mapping rule.

• Use the checkboxes (described in detail on the following page) to determine whether a given role can be assigned automatically, manually, or by user request. Note that the Auto Provision option is selected by default; you must deselect it if you do not want the role to be automatically provisioned.


• In the sample screen above, the conditions mean that any employee who works for Vision Corporation and is assigned the job of HR010.HR Specialist will automatically be given the Human Resource Specialist – Vision Operations data role (since the Auto Provision option is selected). If the user subsequently transfers to a different job, they will automatically lose this role.


Role-Provisioning Options

When defining role-provisioning rules on the Create Role Mapping page, you have several provisioning options:

• Auto Provision. Provisions roles automatically to all eligible users when at least one of their assignments is either created or updated and satisfies the role-mapping conditions. An automatically provisioned role is deprovisioned automatically when the user’s assignments cease to satisfy the role-mapping conditions.

• Requestable. Enables users, such as line managers and human resource specialists, to provision roles manually to other users. Users retain roles that are provisioned to them manually until either all their work relationships are terminated or the roles are deprovisioned manually. Note: The criteria defined in the Conditions section must be satisfied by the user who is provisioning the role to other users, not by the users who are receiving the role.

• Self-Requestable. Enables users to request roles for themselves. Users retain roles that they request for themselves manually until either all their work relationships are terminated or the roles are deprovisioned manually.

• Apply Auto Provisioning. Provisions roles to users immediately, rather than waiting until the role is provisioned automatically or requested manually. When you click this button, all assignments and role mappings in the enterprise are reviewed and any necessary provisioning and deprovisioning of roles occurs immediately. You can also perform auto provisioning from an individual user's account, in which case only that user’s assignments are reviewed and any necessary provisioning and deprovisioning of roles for that user occur immediately.
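The role-mapping behaviour described in this section (Auto Provision with automatic deprovisioning when conditions cease to hold, Requestable roles whose conditions apply to the requester rather than the recipient, and retention of manually provisioned roles until all work relationships are terminated), together with the two deliberate mistakes in the instructor note's screen shot, modelled as an added Python example. This is not Oracle's code or the product's API; the data model, the legal-employer name heuristic in lint_mapping, the job name HR020.HR Analyst, and the sample users and mappings are all assumptions constructed for illustration.

```python
# Toy model of HCM role-provisioning rules (role mappings). Assumed, simplified
# model written for this guide, not Oracle's code: a mapping holds assignment
# conditions and associated roles, each with its own provisioning flags.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Assignment:
    legal_employer: str
    job: str
    person_type: str
    active: bool = True  # False once the work relationship is terminated

@dataclass(frozen=True)
class RoleRule:  # one row of the Associated Roles section
    role: str
    auto_provision: bool = True  # selected by default on the page
    requestable: bool = False
    self_requestable: bool = False

@dataclass
class RoleMapping:
    name: str
    conditions: dict  # assignment attribute -> required value
    roles: tuple      # RoleRule instances sharing these conditions

@dataclass
class User:
    name: str
    assignments: list
    auto_roles: set = field(default_factory=set)    # provisioned by rules
    manual_roles: set = field(default_factory=set)  # granted by a person

def matches(mapping, assignment):
    """An active assignment satisfies a mapping when every condition holds."""
    return assignment.active and all(
        getattr(assignment, attr) == value for attr, value in mapping.conditions.items())

def eligible_auto_roles(user, mappings):
    """Auto Provision roles the user should hold: at least one assignment matches."""
    roles = set()
    for m in mappings:
        if any(matches(m, a) for a in user.assignments):
            roles.update(r.role for r in m.roles if r.auto_provision)
    return roles

def apply_auto_provisioning(user, mappings):
    """Review the user's assignments, provision missing auto roles and remove auto
    roles whose conditions no longer hold. Manually provisioned roles survive until
    all work relationships are terminated. Returns (provisioned, deprovisioned)."""
    wanted = eligible_auto_roles(user, mappings)
    provisioned, deprovisioned = wanted - user.auto_roles, user.auto_roles - wanted
    user.auto_roles = wanted
    if not any(a.active for a in user.assignments):
        deprovisioned |= user.manual_roles
        user.manual_roles = set()
    return provisioned, deprovisioned

def can_request_for_other(requester, role, mappings):
    """Requestable roles: the conditions must be met by the requester, not the recipient."""
    return any(any(matches(m, a) for a in requester.assignments)
               and any(r.role == role and r.requestable for r in m.roles)
               for m in mappings)

def lint_mapping(mapping):
    """Flag the two setup mistakes from the instructor note. The name check is a
    heuristic assumed here: the legal employer in the conditions should appear in
    the data role's name."""
    findings, employer = [], mapping.conditions.get("legal_employer")
    for r in mapping.roles:
        if r.auto_provision and r.requestable:
            findings.append(f"{r.role}: both Auto Provision and Requestable selected")
        if employer and employer not in r.role:
            findings.append(f"{r.role}: name does not match legal employer {employer}")
    return findings

# Constructed sample data: the flawed mapping from the instructor note plus an
# Employee mapping in the style of the predefined rules.
HR_SPEC_MAPPING = RoleMapping(
    "HR Specialist - Vision",
    {"legal_employer": "Vision Corporation", "job": "HR010.HR Specialist"},
    (RoleRule("Human Resource Specialist - Vision Operations", requestable=True),))
EMPLOYEE_MAPPING = RoleMapping("Employee", {"person_type": "Employee"}, (RoleRule("Employee"),))
MAPPINGS = [EMPLOYEE_MAPPING, HR_SPEC_MAPPING]

def demo_transfer():
    """Hire into the HR Specialist job, then transfer to another (constructed) job:
    the data role is deprovisioned automatically while the Employee role stays."""
    alice = User("alice", [Assignment("Vision Corporation", "HR010.HR Specialist", "Employee")])
    apply_auto_provisioning(alice, MAPPINGS)
    alice.assignments = [Assignment("Vision Corporation", "HR020.HR Analyst", "Employee")]
    return apply_auto_provisioning(alice, MAPPINGS), sorted(alice.auto_roles)

if __name__ == "__main__":
    print(lint_mapping(HR_SPEC_MAPPING))
    print(demo_transfer())
```

Running the file prints the two lint findings for the flawed mapping and then the transfer result: nothing newly provisioned, the data role deprovisioned, and only Employee remaining. The split between auto_roles and manual_roles is the point worth noticing: only the first set is recomputed on every assignment change, which is why a role granted through Requestable or Self-Requestable outlives a job transfer.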


Predefined Role-Provisioning Rules

The following role-provisioning rules are predefined for HCM Cloud environments:

• Employee. Automatically provisions the Employee role

• Contingent Worker. Automatically provisions the Contingent Worker role

• Line Manager. Automatically provisions the Line Manager role

• Requestable Roles. Defines all predefined View All data roles as Requestable (manually provisioned)


Integration with New Hire Flow

Instructor Note: New Hire Process

You can demo the Hire an Employee flow to show how roles are assigned during the new hire process. However, this process requires you to provide data in a large number of fields in order to progress through the entire flow. It may be faster (and perfectly adequate) to display and discuss the screens that follow, rather than doing a demonstration.


Integration with New Hire Flow

The following screens illustrate how role provisioning is integrated into the New Hire flow. To meet the conditions defined in the role mapping example on the Defining Role Provisioning Rules page, an employee would need to work for InFusion Corp USA1 and be assigned the job of HR010.HR Specialist. You specify the employee's legal employer on the Identification page of the Hire an Employee flow, as shown in this figure:

Manager Resources > New Person > Hire an Employee > Identification page


New Hire Flow - Job Assignment

You specify the employee's job on the Employment Information page of the Hire an Employee flow, as shown in this figure:

Manager Resources > New Person > Hire an Employee > Identification page > Person Information page > Employment Information page


New Hire Flow - Role Requests

The Roles page of the flow shows the roles that will be automatically provisioned to the employee based on the selected job, along with the Employee abstract role:

Manager Resources > New Person > Hire an Employee > Identification page > Person Information page > Employment Information page


Tip: Role-Provisioning Strategies

During implementation, consider the following approaches to role provisioning:

• Determine the roles that all workers of a particular type must have, and create role mappings to provision those roles automatically. For example, to ensure that all employees have the employee role, create a role mapping to autoprovision the role to eligible users.

• Determine the roles that all line managers must have, and create role mappings to provision those roles automatically. For example, if all line managers must have both the line manager role and a locally defined Expenses Manager role, then create a role mapping to autoprovision both of those roles to eligible users. Note: Automatic role-provisioning rules for employee and line manager roles are predefined for Cloud HCM customers.

• Determine the roles that only some workers of a particular type will need, and autoprovision the roles if possible. For example, some human resource specialists may also need the benefits analyst role. If you can autoprovision those roles based on specific conditions, then create role mappings to provision those roles automatically. Otherwise, decide whether workers can request those roles for themselves or whether they must be provisioned by other users, such as line managers, and create the appropriate role mappings.

Remember that:

• Automatic role provisioning is a time-saver and recommended for standard roles, such as abstract roles. It is highly efficient for mass role provisioning.

• A single role mapping definition can be used to manage multiple roles and a mix of provisioning strategies, provided that the role mapping conditions are the same in all cases.


Implementation Users

Implementation users typically do the following:

• Administer Oracle Fusion Applications users and security
• Manage implementation projects for Oracle Fusion Applications offerings
• Set up basic enterprise structures needed to implement Oracle Fusion Applications offerings

The following implementation users are predefined for HCM Cloud environments. In each user name, xx is a 2 or 3 character prefix specific to the customer.

xx_Admin: Intended for technical super users. Has the following roles:

• IT Security Manager
• Application Implementation Consultant
• Administrators (WebLogic access)
• Application Diagnostics Administrator
• Application Diagnostics Advanced User

xxOIMAdmin: Intended for security administrators. Has the following role:

• IT Security Manager

hcm.user: Intended for users who are performing the Oracle Fusion HCM implementation. Has the following roles:

• Application Administrator
• Application Implementation Consultant
• Application Diagnostics Regular User
• Application Diagnostics Viewer


In addition, the following roles are provided based on which HCM services a customer has subscribed to:

• {CustomerNm}_HRAnalyst_ViewAll
• {CustomerNm}_HCMApplicationAdministrator_ViewAll
• {CustomerNm}_HRSpecialist_ViewAll
• {CustomerNm}_CompensationAdmin_ViewAll
• {CustomerNm}_CompensationMgr_ViewAll
• {CustomerNm}_PayrollAdmin_ViewAll
• {CustomerNm}_PayrollMgr_ViewAll

IMPORTANT! Application Implementation Consultant is a powerful role that has unrestricted access to a large amount of data. Once the implementation has been completed, this role should be revoked from all users (using the Revoke Data Role from Implementation Users task). For ongoing maintenance of Oracle Fusion HCM setup data, use a less powerful role, such as a data role based on the Human Capital Management Application Administrator role or other HCM job roles, or create custom job roles. Other types of implementation users you might want to create are:

• Applications Implementation Project Manager. Optionally created by the IT Security Manager user based on needs dictated by the size and organization of the implementation team.

• Product Family Application Administrator. Created by the IT Security Manager and used if a customer is implementing multiple Oracle Fusion products at the same time and wants to restrict implementers to performing only setup steps for a specific product. Each product family has its own administrator role, such as Human Capital Management Application Administrator and Financials Application Administrator. Each role has access to only the setup tasks for that product family, while the Application Implementation Consultant role has access to all Oracle Fusion Application setup tasks, including HCM, Financials, SCM, CRM, and so on. Note: Product family application administrator job roles do not have predefined access to data. Customers must use the Create Data Role for Implementation Users task to define data roles for these roles.


Instructor Note: Implementation Users for the Cloud

These predefined users only exist in HCM Cloud environments.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 7 minutes


Demonstration: Creating Additional Implementation Users

Demonstration Background

During implementation for on-premise environments, you must create at least one initial implementation user and give that user the ability to create other users and access other implementation tasks. This is optional for HCM Cloud customers, who can use the predefined hcm.user as their implementation user. Cloud customers may use this task if they want to give each implementation consultant a unique user ID.

Note: When you create an implementation user, no person record is created in HR. Only a user account is created. Use the Manage Users task or the New Hire flows to create both a user account and an HR person that are automatically linked together.

Demonstration Scope

Demonstrate the Create Implementation Users task. Give the user two roles: IT Security Manager and Application Implementation Consultant.

Demonstration Steps

Start Here: Setup and Maintenance work area, Overview page, All Tasks tab (logged on Curtis.Feitty)

1. Search for and launch the Create Implementation Users task. Location: Oracle Identity Manager - Self Service page Note: This task takes you automatically to the Oracle Identity Manager (OIM) application. OIM will be discussed in detail later in this lesson.

2. Click the Administration link in the top-right corner of the page. Location: Welcome to Identity Manager Delegated Administration page

3. Under the Users heading, click Create User.

4. Enter names in the First Name and Last Name fields.

Information You can use any names you like here; this user won't be referenced later in the lesson.

5. In the Organization field, select Xellerate Users.


6. In the User Type field, select Non Worker.

7. Enter a User Login, such as XX_IMPLEMENTATION_USER.

8. In the Password field, enter aBc123XX.

9. Enter the password again to confirm.

10. Click Save.

11. Click the Roles tab.

12. Click Assign.

13. Enter IT in the Display Name Begins With field, and click Search.

14. Select IT Security Manager in the Search Results, and click Add.

15. Click Assign.

16. Enter Application Implementation in the Display Name Begins With field, and click Search.

17. Select Application Implementation Consultant in the Search Results, and click Add.

Verify Role Provisioning

1. Return to the Welcome tab, and click Advanced Search - Roles. Location: Advanced Search: Roles page

2. Enter IT in the Display Name Begins With field, and click Search.

3. Click IT Security Manager in the Search Results.

4. Select the Members tab.

5. Confirm that your user name appears in both the All Members and the Direct Members lists.

Information

The implementation user you created is not an Indirect Member, because the IT Security Manager role was assigned directly, not through a role hierarchy or another role that inherits the IT Security Manager role.


6. Return to the Advanced Search – Roles tab, and search for the Application Implementation Consultant role.

7. Click Application Implementation Consultant in the Search Results.

8. Select the Members tab.

9. Verify that your user is listed as a member for this role too.

10. Close the OIM browser window, and return to the Oracle Fusion Applications Setup and Maintenance work area. (Don't sign out; just close the browser window.)


Instructor Note: Demo Timing

Approximate Demonstration Timing: 7 minutes


Demonstration: Using the Manage Users Task to Create HR Users

Demonstration Background

The Manage Users task provides a quick alternative to the New Hire process, which requires more information to be entered for each person.

Demonstration Scope

Use the Manage Users task to create a new user. The user will be mapped to an HR person.

Demonstration Steps

Start Here: Setup and Maintenance work area, Overview page, All Tasks tab (logged on Curtis.Feitty)

1. Search for and launch the Manage Users task. Information You can also access this task by selecting Navigator > Manager Resources > Manage Users. Location: Manage Users (Search Person) page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create User page


3. In the First Name and Last Name fields, enter your own first and last name (or any name you choose).

4. In the E-Mail field, enter [email protected].

5. In the User Name field, enter XX_TEST_USER.

6. Deselect the Send user name and password option.

7. In the Person Type field, select Employee. Information The Employment Information section expands to display additional fields.


8. In the Legal Employer field, select InFusion Corp USA1.

9. In the Business Unit field, select USA1 Business Unit.

10. In the Roles section, click the Autoprovision Roles button.

Information: The application evaluates all enterprise role mappings and automatically provisions the roles whose conditions match this user's employment information. In this environment, the Employee abstract role is autoprovisioned to users whose Person Type is Employee.

11. Click the Add Role button to assign an existing role to the user.

Location: Add Role page

12. Search for the data role you created in Activity 1 (XX HR Spec Data).

Note: You won't be able to find the data role because it is not yet available for provisioning to a user. You must create a role-provisioning rule for the role before you can assign it to a user. You will see how to do that in your next activity. Exit the Search window and return to the Create User window.

13. Click Save and Close.

14. Click Done.

Location: Overview page in Setup and Maintenance work area

You have now demonstrated the user creation process.


Instructor Note: Password Policy Management for Cloud Customers

In Activity 2, students will create a user account and reset the password. An information note in the activity references 'password policies set up in Oracle Identity Manager.' Cloud customers do not have access to the area of OIM in which password policies are managed. If they want to change the default password policies, they need to raise a service request (SR).

Regarding the Password Reset

In a real-world environment, a newly created user receives an email with their login credentials. In this class, we are not assigning email addresses, so we use the Reset Password feature in OIM to set the initial password. When the student logs on as their new user, they must reset their password at that time. The Reset Password option available from the Manage My Account option in Fusion also generates and sends a new password via email, so we are unable to use that task during class.


Instructor Note: Activity Timing

Approximate Activity Timing: 20 minutes


Activity 2 Introduction

Background
New user accounts can be created using the Manage Users task (in addition to the New Hire flow). Before you can provision roles to users, you must create a role-provisioning rule. Role-provisioning rules (role mappings) map one or more roles to a set of conditions that define which users can be assigned those roles. They also define how each role can be provisioned: automatically when the conditions match, by an administrator, or on the user's own request.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.

• You must have access to the Oracle Fusion Applications InFusion database (or a comparable training or test instance at your site) on which to complete this practice.

• You must have successfully created a data role in Activity 1 (XX HR Spec Data).

Activity Scope


Activity 2: Creating a New User and Assigning a Data Role

In this activity, you create a mapping rule for the data role you created in Activity 1. Then you create a new user and assign to it the data role you created in Activity 1.

Start Here: Setup and Maintenance work area, Overview page, All Tasks tab (logged on as Curtis.Feitty)

Create a Role Mapping Rule
In this task, you create a rule that allows the new data role to be manually provisioned to users.

1. Search for and launch the Manage HCM Role Provisioning Rules task.

Location: Manage Role Mappings page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create Role Mapping page

3. In the Mapping Name field, enter XX Generic Mapping Rule and press Enter.

Information Do not specify any conditions for now.

4. In the Associated Roles section, click the Add Row (+) icon button.

5. In the Role Name field, select the data role you created in Activity 1 (XX HR Spec Data).

6. Deselect the Autoprovision option, and select the Requestable option.

Information: It is very important to deselect the Autoprovision option. Because this mapping has no conditions, it matches every user, so leaving Autoprovision selected would provision this data role to every user the next time roles are autoprovisioned. Requestable only makes the role available for an administrator to assign explicitly.

7. Click Save and Close, and then click OK to dismiss the Confirmation window.

8. Click Done.
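The rule you just created, and the pitfall warned about in step 6, can be made concrete with a small model. The following Python is an added example written for this guide, not Oracle code or any Oracle API: it represents role mappings as conditions plus per-role provisioning flags, answers the two questions the Create User page asks (what Autoprovision Roles would place in Role Requests, and what Add Role can find, which is why the earlier demonstration could not find the data role before a mapping existed), and includes an audit check for unconditional autoprovisioning. The attribute names (person_type, legal_employer, business_unit) and the sample rules are assumptions constructed to mirror the course environment.

```python
# Added example (not Oracle code): a model of HCM role-provisioning rules
# (role mappings) and an audit check for the pitfall noted in step 6.
# Attribute names and sample rules are assumptions, not exported configuration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RoleEntry:
    """One row of the Associated Roles table in a role mapping."""
    role: str
    autoprovision: bool = False     # granted automatically when the mapping's conditions match
    requestable: bool = False       # an administrator may assign it (Add Role in Manage Users)
    self_requestable: bool = False  # the user may request it for themselves


@dataclass
class RoleMapping:
    """A role-provisioning rule: conditions on the user plus the roles it governs."""
    name: str
    conditions: dict = field(default_factory=dict)  # attribute -> required value
    roles: list = field(default_factory=list)       # list of RoleEntry


def matches(mapping, user):
    """Every condition must match the user's attributes.
    A mapping with no conditions matches every user."""
    return all(user.get(attr) == value for attr, value in mapping.conditions.items())


def _roles_with_flag(mappings, user, flag):
    return sorted({entry.role
                   for mapping in mappings if matches(mapping, user)
                   for entry in mapping.roles if getattr(entry, flag)})


def autoprovisioned_roles(mappings, user):
    """Roles that 'Autoprovision Roles' would place in the Role Requests table."""
    return _roles_with_flag(mappings, user, "autoprovision")


def requestable_roles(mappings, user):
    """Roles an administrator can find for this user with 'Add Role'."""
    return _roles_with_flag(mappings, user, "requestable")


def unconditional_autoprovision(mappings):
    """Audit check: roles that every user would receive because a mapping with
    no conditions has Autoprovision selected (the misconfiguration step 6 warns about)."""
    return sorted({entry.role
                   for mapping in mappings if not mapping.conditions
                   for entry in mapping.roles if entry.autoprovision})


# Constructed sample data mirroring the course environment (assumptions).
MAPPINGS = [
    RoleMapping("Employee mapping", {"person_type": "Employee"},
                [RoleEntry("Employee", autoprovision=True)]),
    RoleMapping("XX Generic Mapping Rule", {},
                [RoleEntry("XX HR Spec Data", requestable=True)]),
]
NEW_USER = {"user_name": "XX_TEST_USER", "person_type": "Employee",
            "legal_employer": "InFusion Corp USA1", "business_unit": "USA1 Business Unit"}

if __name__ == "__main__":
    print("Autoprovisioned:", autoprovisioned_roles(MAPPINGS, NEW_USER))
    print("Findable via Add Role:", requestable_roles(MAPPINGS, NEW_USER))
    print("Unconditional autoprovision:", unconditional_autoprovision(MAPPINGS))
```

Run unconditional_autoprovision over the full list of mappings after a training class or an implementation sprint: a single unconditional mapping with Autoprovision selected grants its roles to every person who is subsequently autoprovisioned, which is exactly the kind of silent over-entitlement that the Requestable flag is meant to prevent.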


Create a User

In this task, you use the Manage Users task to create a user quickly.

Note: This task is intended for creating test users. When creating real employees, use the New Hire flow so that the full set of attributes can be captured.

1. In the Setup and Maintenance work area, search for and launch the Manage Users task.

Location: Manage Users (Search Person) page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create User page

3. Enter the following values:

Note: Make sure that you use the specified Hire Date, as this will be important in a later activity.

4. In the Roles section, click Autoprovision Roles.

Information: The Employee role appears in the Role Requests table.

Note: If any other roles are automatically provisioned to your user, remove them by selecting them and clicking the X (Remove) icon button. (Roles may appear here if other students create autoprovisioning rules for the roles they create in training.)


5. Click Add Role.

6. Search for and select the data role you created in Activity 1 (XX HR Spec Data).

7. Click Save and Close.

8. Click Done.

Reset the User Password In the training environment, the application can't send your new user's login credentials via email, so you need to set an initial password in Oracle Identity Manager.

1. In the Setup and Maintenance work area, launch the Manage Job Roles task.

Information: You are taken to the Oracle Identity Manager (OIM) interface.

2. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page, Welcome tab

3. Click Advanced Search - Users.

Location: Advanced Search: Users page

4. Search for the user you just created. (Enter search values for First Name, Last Name, or User Login and click Search.)

5. Click the user’s name in the Search Results.

6. Click the Reset Password button.

Location: Reset Password window

Information: There are two methods for resetting a user's password: manually and automatically (random generation). Note also that password strength is measured against the password policies set up in Oracle Identity Manager.

7. Select the Manually change the password option.

8. Enter a new password, such as aBc123XX, and reenter to confirm.

9. Deselect the E-mail the new password to the user option.


10. Click Reset Password.

11. Close the Oracle Identity Manager browser window.

Information: You can leave this window open if you expect to return to OIM, but do not sign out. Signing out of OIM signs you out of Oracle Fusion Applications as well.

Log on as the New User and Verify Security

1. Return to the Oracle Fusion Applications window.

2. Navigate to the Person Management work area. Location: Search Person page

3. In the Keywords field, enter Human Resources US.

4. In the Search Results, verify that you (logged in as Curtis Feitty) can see people in the Human Resources US department.

5. Sign out and sign back in as the new user you just created (Security.UserXX), using the new password you just reset.

Location: Password Management window

Information: The Password Management window prompts you to reset your password, since this is the first time you are logging on.

6. Enter the password you used in the password reset (such as aBc123XX).

7. Enter a new password, such as xYz456AA, and reenter it to confirm.

8. Select challenge questions and provide the answers (if prompted to do so on this page).

9. Click Submit.

10. Navigate to the Person Management work area, and enter a keyword of Human Resources US.

11. Verify that you cannot see users in the Human Resources US department (one of the departments you excluded in your organization security profile), but you can see people in the Operations US department.


12. Verify that you cannot see users in the Organizational Development US department either (the other exclusion).

13. Sign out of Oracle Fusion Applications.


User and Role Provisioning Review Question 1

Roles can be provisioned to users:

1. Automatically
2. By other users
3. On user request
4. All of the above


User and Role Provisioning Review Question 2

All roles in a role mapping must have the same provisioning option.

1. True
2. False


User and Role-Provisioning Review Question 3

Which of the following roles can be provisioned to users directly?

1. Duty roles
2. Abstract roles
3. Job roles
4. Data roles


User and Role-Provisioning Questions and Answers

Roles can be provisioned to users: 4. All of the above (automatically, by other users, and on user request)

All roles in a role mapping must have the same provisioning option: 2. False

Which of the following roles can be provisioned to users directly? 2, 3, and 4: abstract roles, job roles, and data roles. (Duty roles are never provisioned to users directly; users obtain them through the job and abstract roles that inherit them.)


User Interfaces for Security Tasks

User Interface Overview

When performing security setup and administration tasks in Oracle Fusion Applications, users work in user interfaces that are either native to Oracle Fusion Applications or provided by the underlying Oracle Fusion Middleware and Oracle Database products.

Note: The Middleware group refers to APM as Entitlement Server, while Oracle Fusion still refers to it as APM.


Setup Tools and Tasks

The following tools are used for managing HCM security data:

Oracle Fusion HCM Security Tasks

• Manage Users. Create and manage users who are mapped to persons in Oracle Fusion HR.

• Import Worker Users. Load workers using the HCM spreadsheet loader.

• Manage Data Role and Security Profiles. Create and manage data roles and assign security profiles to them.

• Manage [Business Object] Security Profiles. Create and manage security profiles for all types of business objects.

• Manage User Accounts. View and manage roles associated with user accounts.

• Revoke User Accounts. Run for terminated employees.

• Manage HCM Role Provisioning Rules. Create rules for how roles can be provisioned to users.

• Send Pending LDAP Requests. Implementers should run this scheduled process after bulk loads of workers and schedule it to run on a frequent basis.

• Retrieve Latest LDAP Changes. Run this scheduled process as needed and schedule it to run on a frequent basis.

• Create Data Role for Implementation Users. Create data roles for implementation user job roles, such as the product family administrator roles, which have no predefined data roles.

Oracle Identity Manager (OIM) Security Tasks

• Create Implementation Users. Create users, who are not mapped to persons in Oracle Fusion HR, for the purpose and duration of implementation.

• Revoke Data Role from Implementation Users

• Provision Roles to Implementation Users

• Manage Job Roles. Create job and abstract roles; reset user passwords.


Authorization Policy Manager (APM) Security Tasks

• Manage Duties. View and manage duty roles, role hierarchies, and security policies.

Application Access Controls Governor (AACG) in Oracle Enterprise Governance, Risk and Compliance (GRC)

• Specific applications or product families, such as Oracle Fusion Financials, support additional security setup and administration tasks.


Access to Security Tasks You can navigate to all Oracle Fusion Applications security tasks from the Setup and Maintenance work area, provided by the integrated Oracle Fusion Functional Setup Manager (FSM). You can see most of the HCM security setup tasks by expanding the Define Security for Human Capital Management folder:

Navigator > Tools > Setup and Maintenance work area > Define Security for Human Capital Management task list


To access tasks related to setting up implementation users, expand the Define Implementation Users folder:


Navigator > Tools > Setup and Maintenance work area > Define Implementation Users task list


Use the Send Pending LDAP Requests and Retrieve Latest LDAP Changes processes in the Scheduled Processes work area to synchronize HR and LDAP data.

Navigator > Tools > Scheduled Processes > Schedule New Process


Instructor Note: HCM Security Task List

Although most of the HCM security tasks are in the Define Security for Human Capital Management folder in FSM, a few are located elsewhere, such as Define Security for Payroll and Define Security for Workforce Business Processes. This is because the task lists present tasks in the correct sequence within offerings. For example, we cannot create payroll security profiles before we have created payrolls.

Point out that OIM and APM are security administration UIs and should be used by security administrators, not HCM business users. The only role that has access to these UIs is the IT Security Manager. HCM business users should use the HCM user and role management UIs, such as Manage Users (when creating test users) and Manage User Account.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 5 minutes


Demonstration: Viewing Roles in OIM

Demonstration Background
OIM refers to data, job, and abstract roles simply as 'roles.' Role-naming conventions allow you to distinguish between role types in OIM pages.

Demonstration Scope
Use the Manage Job Roles task to access Oracle Identity Manager and view different types of roles.

Demonstration Steps
Start Here: Setup and Maintenance work area, Overview page, All Tasks tab (logged on as Curtis.Feitty)

1. Search for and launch the Manage Job Roles task. Location: Oracle Identity Manager - Self Service page

2. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page, Welcome tab

3. Under the Roles heading, click Advanced Search - Roles.

Location: Advanced Search: Roles page

4. In the Display Name (Begins With) field, enter Human Resource and click Search.

Information: The Search Results display both data roles and job roles. Job roles, such as Human Resource Specialist, do not display a dash in their names. The roles with a dash, such as Human Resource Manager - US LDG Only, are data roles. Fusion role-naming conventions append _JOB to the end of a job role's internal name and _DATA to the end of a data role's internal name. The internal name is derived from the Display Name plus the _JOB or _DATA suffix, which is what distinguishes the role types.

5. Click the Human Resource Manager job role in the Search Results.


6. Note that the Role Category Name is HCM - Job Roles.

7. Return to the Advanced Search - Roles tab, and open the Human Resource Analyst - View All data role.

Information: The Role Category Name for all data roles is automatically set to Default.

8. Return to the Advanced Search: Roles tab.

9. In the Display Name (Begins With) field, enter Employee and click Search.

Information: Employee is a predefined abstract role. Abstract role internal names should end in _ABSTRACT.

10. Click the Employee role in the Search Results.

Information: The Role Category Name is HCM - Abstract Roles.


Managing Job Roles and Duty Roles

Instructor Note: Demo Timing

Approximate Demonstration Timing: 10 minutes


Demonstration: Using OIM to View and Manage Roles

Demonstration Background
Viewing and managing job roles is an important part of HCM security management. Oracle Identity Manager is used to create and manage HCM job roles.

Demonstration Scope
This demonstration looks at the data roles assigned to an existing user and shows the job roles that are inherited by those data roles. It also demonstrates how to search for a role and display a list of all users assigned to that role.

Demonstration Steps
Start Here: Setup and Maintenance work area, Overview page, All Tasks tab (logged on as Curtis.Feitty)

Review the Roles Assigned to a User

1. Search for and select the Manage Job Roles task.

Location: Oracle Identity Manager - Self Service page, Welcome tab

2. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page, Welcome tab

Information: From this page, you can create new job roles, as you will see in Activity 3.

3. Click Advanced Search - Users.

4. In the Display Name field, search for Curtis Feitty, then click his name in the Search Results.


5. Select the Roles tab to view the roles assigned to this user.


Information This page shows all roles assigned to Curtis, including data roles, abstract roles, and job roles (if any).

6. Click on a data role, such as Benefits Admin - View All, and click Open.


7. Click the Hierarchy tab.

Information Here you can see that the Benefits Admin - View All data role inherits the Benefits Administrator job role.


8. Click the Members tab to see all the users assigned to this data role.

9. Return to the Welcome tab, and select Advanced Search - Roles.

10. Search for the Payroll Manager job role, and then open it.

Information: Note that the attribute information and the tabs displayed for the job role are the same as for the data role you just explored. Remember that in OIM, the term role refers collectively to job, abstract, and data roles; the role category name, such as HCM - Job Roles, identifies both the role type and the Oracle Fusion Application where the role is used.

11. Click the Hierarchy tab.


Information: This job role inherits several roles, including the Functional Setups User abstract role and the Payroll Administrator job role.

Note: When you are creating a job role, you can use this tab to add one or more parent roles from which to inherit permissions. This is useful if you are creating a manager job role that performs all the functions that an administrator job performs, plus more. In this case, you would add the administrator job role as a parent role to the manager job role. This role hierarchy is also visible in APM, as you will see later.

12. Click the Members tab.


Information: This is useful if you need to quickly determine which users are assigned to a role.

Note: On this tab, the Member Type (for most members) is Indirect Role because users are not directly assigned the Payroll Manager job role. They inherit it through a data role that is based on the Payroll Manager job role: the data role is what is provisioned to the user, and membership of the job role follows from the role hierarchy. (Membership flows from a data role up to the job roles it inherits, so users provisioned a data role based on Payroll Administrator would appear as indirect members of Payroll Administrator, not of Payroll Manager.)

13. Return to the Oracle Fusion Applications window.


Instructor Note: Do Not Use OIM to Create Data Roles

Regarding the Demonstration: Using OIM to View and Manage Roles

OIM allows users to create several different types of roles. However, OIM should not be used to create data roles for HCM users; data roles should only be created using the Manage Data Role and Security Profiles task, as will become clear later when we look closely at security policies.

Remind students that OIM and APM are not specific to Oracle Fusion Applications; they can be used independently of Fusion applications. These middleware products provide capabilities that Oracle Fusion Applications users do not need to use for HCM setup and, in fact, should NOT use. The only tasks that users should perform in OIM and APM are those identified on the Setup Tools and Tasks page:

Oracle Identity Manager (OIM)

• Create Implementation Users

• Create Data Role for Implementation Users

• Revoke Data Role from Implementation Users

• Provision Roles to Implementation Users

• Manage Job Roles (create job and abstract roles, reset user passwords)

Authorization Policy Manager (APM)

• Manage Duties (View and manage role hierarchies, security policies, and permission grants)

• Do not create new resource types, resources, entitlements, or authorization policies.

• Do not manually modify data security policies, except to add custom duty roles.


HCM Security Management Data Stores

This figure shows where security data, managed by different Oracle applications, is stored and shared.

Key Points

OIM Identity Store

• OIM maintains user accounts in the Oracle Fusion Applications Identity Store. It stores the definitions of abstract, job, and data roles (enterprise roles in OIM), and holds information about roles provisioned to users.

• Job and abstract roles created in OIM must be synchronized so that the new role names and other attributes are available to Oracle Fusion HCM.

• You cannot view duty roles in OIM, only in APM.

APM Policy Store

• Duty roles are created in APM and stored in the Policy Store, along with function security policies.


• The Policy Store holds copies of users and enterprise roles stored in the Identity Store.

• Duty roles do not have to be synchronized with HCM.

Fusion Application Database Tables

• These tables store data security policies, HCM role-provisioning rules, security profiles, part of the data role definitions, and copies of the job and abstract roles.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 10 minutes


Demonstration: Using APM to Manage Duties

Demonstration Background
Managing duty roles is an important part of security management. Implementers may be required to create new duty roles if the predefined ones do not meet the needs of the enterprise. Authorization Policy Manager is used to manage duty roles and associated security policies.

Demonstration Scope
This demonstration uses the Manage Duties task to look at existing data and job roles. It demonstrates how to view the duties associated with job roles and where to go if you need to add or remove duties from a role.

Demonstration Steps
Start Here: Setup and Maintenance work area, Overview page, All Tasks tab (logged on as Curtis.Feitty)

1. Search for and launch the Manage Duties task.


Information You are now viewing the Authorization Policy Manager (APM) user interface.

2. In the Application Name section, select hcm.

3. Under the Search and Create heading, click Search - External Roles.

Note: Remember that job roles, data roles, and abstract roles are all referred to as external roles in APM.

Location: Search - External Roles page

4. In the Display Name field, enter Benefits Admin - View All, and click Search.

5. Select the Benefits Admin - View All role in the Search Results, and click Open Role.

6. Select the External Role Hierarchy tab.

Information This page shows the job role (Benefits Administrator) inherited by the Benefits Admin - View All data role.

7. Click the Application Role Mapping tab.

8. Expand the hcm folder in the Display Name column.


Information The Benefits Admin - View All (HCM) role shown here is a special type of application role that was automatically generated when the Benefits Admin - View All data role was created. This is explained in more detail in the HCM Security Deep Dive section later in the lesson.

9. Return to the Search External Roles tab, and search for the Benefits Administrator job role.

10. Select the Benefits Administrator role in the Search Results, and click Open Role.

11. Click the Application Role Mapping tab, and open the hcm folder.


Information Here you can see all of the duty roles associated with the Benefits Administrator job role. From this page, you can map additional application roles (duties) to this job role, as you will see in the next activity.

12. Return to the Oracle Fusion Applications window.

You have demonstrated how to use APM to view and manage job roles.


Fusion Applications, OIM, and APM Terminology Differences OIM and APM are middleware products that are available independently of Oracle Fusion Applications. For that reason, the terminology adopted by and used throughout Oracle Fusion Applications is not always the same as the terminology used in OIM and APM. It is important to understand these terminology differences as you manage business objects in each application interface. The following table lists the terminology used by each product when referring to common business objects:

Data, job, and abstract roles are also referred to as enterprise roles. Application roles are specific to a particular grouping of applications (such as Oracle Fusion HCM or CRM).


Instructor Note: Notes on Tools and Tasks

Note on Authorization Policy Manager (APM): To create data roles for HCM, always use the Manage Data Role and Security Profiles task in the Setup and Maintenance work area. Although APM provides the ability to create data roles using data role templates, data role templates are rarely used in HCM. (They are only used if you are implementing Oracle Fusion Global Payroll with Oracle Fusion Subledger Accounting. We do deliver some HCM data role templates, but these are no longer used.)

Note on Application Access Controls Governor (AACG): This is usually used in conjunction with Financials rather than HCM.


Regenerating Data Roles

You must regenerate a data role if you make any changes to the role hierarchy that underlies the data role (such as the duties inherited by the job role that is inherited by the data role). You must likewise regenerate an abstract role if you make any changes to its role hierarchy. Regenerating a role causes all its data security policies to be rebuilt from the role's assigned security profiles and its current hierarchy; until you do so, the role's data security policies still reflect the hierarchy as it was when the role was last generated.

To regenerate a data or abstract role:

1. Launch the Manage Data Role and Security Profiles task in the Setup and Maintenance work area.

2. Search for the role that needs to be regenerated.

3. Select the role in the Search Results, and click Assign.

Information: A flow is initiated (the same one you saw when you created a data role in the previous activity) that allows you to view the security criteria and all assigned security profiles.

4. Click Review, and then click Submit.

Information: When you click Submit, the security profiles assigned to the role are used to generate the data security policies for that role.

Note: Security policies are regenerated only for the selected role. If you need to regenerate data security policies for multiple roles, you must run this task (and click Assign) for each role.
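The inheritance shown in the OIM Hierarchy and Members tabs earlier (a data role inheriting a job role, a job role inheriting other job, abstract, and duty roles, and users appearing as Indirect Role members) and the regeneration rule in this section describe the same structure, so one model serves both. The Python below is an added example written for this guide, not Oracle code and not how Fusion stores its policies internally: it computes the transitive role closure, classifies the members of a role as Direct or Indirect Role, and shows why a data role's generated data security policies go stale when a duty is added to the job role beneath it, and why only an explicit regeneration brings them back in line. Role names from the course are reused; the duty names, the 'Payroll Mgr - View All' data role, the security profile names, and the user assignments are constructed assumptions.

```python
# Added example (not Oracle code): a model of the role hierarchy shown in the OIM
# Hierarchy and Members tabs, and of why a data role must be regenerated when that
# hierarchy changes. Entries marked "constructed" are assumptions made for the example.

# role -> the roles it inherits (its parents in OIM/APM terms)
HIERARCHY = {
    "Benefits Admin - View All": {"Benefits Administrator"},            # data role -> job role
    "Benefits Administrator": {"Benefits Enrollment Management Duty"},  # constructed duty
    "Payroll Manager": {"Payroll Administrator", "Functional Setups User"},
    "Payroll Administrator": {"Payroll Data Management Duty"},          # constructed duty
    "Payroll Mgr - View All": {"Payroll Manager"},                      # constructed data role
    "Functional Setups User": set(),
}
DUTY_SUFFIX = " Duty"   # duty roles are recognised by the naming convention used in the course


def inherited(role, hierarchy=HIERARCHY):
    """All roles `role` inherits, directly or transitively (role itself excluded)."""
    seen, stack = set(), list(hierarchy.get(role, ()))
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy.get(r, ()))
    return seen


def duties(role, hierarchy=HIERARCHY):
    """The duty roles a job, abstract, or data role ultimately carries."""
    return {r for r in inherited(role, hierarchy) if r.endswith(DUTY_SUFFIX)}


def members(role, assignments, hierarchy=HIERARCHY):
    """user -> 'Direct' or 'Indirect Role', mirroring the Member Type column.
    `assignments` maps each user to the roles provisioned to them."""
    result = {}
    for user, roles in assignments.items():
        if role in roles:
            result[user] = "Direct"
        elif any(role in inherited(r, hierarchy) for r in roles):
            result[user] = "Indirect Role"
    return result


def generate_policies(data_role, profiles, hierarchy=HIERARCHY):
    """Data security policies for a data role, simplified to one
    (duty, business object, security profile) triple per duty in the hierarchy
    and per assigned profile."""
    return {(duty, obj, prof)
            for duty in duties(data_role, hierarchy)
            for obj, prof in profiles.items()}


class DataRoleStore:
    """Policies are materialised when a data role is created or regenerated, not
    recomputed on every read; that is why a later hierarchy change leaves them stale."""

    def __init__(self, hierarchy):
        self.hierarchy = hierarchy
        self.profiles = {}
        self.policies = {}

    def create(self, data_role, profiles):
        self.profiles[data_role] = dict(profiles)
        self.regenerate(data_role)

    def regenerate(self, data_role):
        self.policies[data_role] = generate_policies(
            data_role, self.profiles[data_role], self.hierarchy)

    def stale(self):
        """Data roles whose stored policies differ from what their current hierarchy implies."""
        return sorted(r for r in self.policies
                      if self.policies[r] != generate_policies(r, self.profiles[r], self.hierarchy))


def regeneration_check():
    """Walk through the scenario on the page: add a duty to a job role in APM,
    observe the dependent data role go stale, then regenerate it.
    Returns the list of stale data roles at each stage."""
    hierarchy = {k: set(v) for k, v in HIERARCHY.items()}
    store = DataRoleStore(hierarchy)
    # Constructed security profiles: business object -> profile name.
    store.create("Benefits Admin - View All",
                 {"Person": "View All People", "Organization": "View All Organizations"})
    before = store.stale()
    hierarchy["Benefits Administrator"].add("Approve Transactions Duty")  # the change made in APM
    after_change = store.stale()
    store.regenerate("Benefits Admin - View All")
    after_regen = store.stale()
    return before, after_change, after_regen


if __name__ == "__main__":
    assignments = {"Curtis Feitty": {"Benefits Admin - View All"},   # constructed assignments
                   "Pat Payroll": {"Payroll Mgr - View All"}}
    print(members("Payroll Manager", assignments))    # {'Pat Payroll': 'Indirect Role'}
    print(regeneration_check())                       # ([], ['Benefits Admin - View All'], [])
```

The stale() check is the audit a practitioner wants after editing a job role's duties in APM: it lists every data role whose stored policies no longer match the hierarchy, which is exactly the set of roles that must be taken through Assign, Review, and Submit one at a time, as the note above describes.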


Instructor Note: Regeneration of Data Roles An enhancement request (ER) has been logged for a data role regeneration process that will be more efficient. You can demo the regeneration of a single data role, but it's actually as simple as finding the role and pressing a few buttons. A later activity will include this as a task.


Instructor Note: Activity Timing

Approximate Activity Timing: 20 minutes


Activity 3 Introduction

Background

A custom job role is needed because the predefined job role has duties associated with it that the enterprise does not want to grant to their users. The new job role will have only two duties: Department Management Duty and Approve Transactions Duty.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.

• You must have access to Oracle Fusion Application InFusion database (or comparable training or test instance at your site) on which to complete this practice.

Activity Scope


Instructor Note: Troubleshooting Activity

When searching for the second duty role, the search results may show only the first duty role, no matter what search criteria you enter. To resolve this issue, you must close the Map Application Roles to External Role window, return to the Search External Roles tab, open the duty role again, and conduct a new search.


Activity 3: Creating a New Job Role

In this activity you will create a new job role, retrieve the role information from LDAP (synchronize between OIM and HCM), and then add two duty roles to the new job role. This job role will be authorized to manage departments and department trees only.

Start Here: Oracle Fusion Applications Sign On page

Create New Job Role

1. Log in as Curtis.Feitty.

2. Navigate to the Setup and Maintenance work area, Overview page, All Tasks tab.

3. Search for and launch the Manage Job Roles task. Location: Oracle Identity Manager Self-Service page, Welcome tab

4. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page, Welcome tab

5. Under the Roles heading, click Create Role.

Location: Create Role page

6. In the Name field, enter XX_DEPT_ADMIN_JOB.

7. In the Display Name field, enter XX Dept Admin Job Role.

8. In the Role Category Name field, select HCM - Job Roles.

9. Click Save.

10. Close the OIM browser window.

Information

You are returned to the Oracle Fusion Applications Setup and Maintenance work area.


Synchronize Roles between LDAP and HCM

After creating a new job role, you must run the following synchronization process so that the job role is available to HCM tasks and UI pages, such as Manage Data Role and Security Profiles. Note: Only one user can run the process at a time. If you are sharing an environment with someone else, one of you can run the Retrieve Latest LDAP Changes process once to synchronize all of the new job roles to HCM.

1. Navigate to the Scheduled Processes work area. Location: Scheduled Processes Overview page

2. If the Search Results displays a row for the Retrieve Latest LDAP Changes process where the Status is Succeeded, select the row and click Resubmit, then confirm. Skip to step 10. If the process is listed with a status of Running, wait until it has completed successfully, and then resubmit as described above. (Click the Refresh icon button periodically to display the updated status.) If the process is not listed, continue with the next step.

3. Click Schedule New Process. Location: Schedule New Process window

4. Open the Name LOV and click the Search link at the bottom of the LOV list.

Location: Search and Select: Name window

5. In the Name field, enter Retrieve and click Search.

6. In the search results, select the Retrieve Latest LDAP Changes process and click OK.

7. Click OK to dismiss the Schedule New Process window. Location: Process Details page

8. Click Submit.

9. Click OK to confirm, and then click Close.

Location: Scheduled Processes page


10. Click the Refresh icon button. Information You can see the status of the process. It usually completes very quickly. While this process is running, you can continue with the next step.

Assign Duties to Your Job Role

1. Navigate to the Setup and Maintenance work area, and launch the Manage Duties task. Location: Oracle Entitlements Server Authorization Management page

2. In the Application Name section, select hcm.

Note: This step is important. If you do not select hcm, you will not be able to search for the HCM roles.

3. Under the Search and Create heading, click Search - External Roles. Location: Search - External Roles page

4. In the Display Name field, search for the job role (XX Dept Admin Job Role) you created earlier.

5. Select the role in the Search Results, and click the Open Role button.

6. Click the Application Role Mapping tab.

7. Click the + Map icon button. Location: Map Application Roles to External Role page

8. In the Application field, select hcm.

9. In the Display Name field, enter Department Management Duty and click Search.

10. Select the role in the Search Results, and click Map Roles. Information The selected role is listed under the hcm folder on the Application Role Mapping tab.

11. Click the + Map icon button.


12. In the Application field, select hcm.

13. In the Display Name field, enter Approve Transactions Duty and click Search.

14. Select the role in the Search Results, and click Map Roles. Information You should now have 2 application roles (duties) in the hcm folder on the Application Role Mapping tab.

15. Close the Authorization Management browser window. Information You are returned to the Oracle Fusion Applications window, Setup and Maintenance work area. (As with the OIM window, you can leave the APM window open if you plan to return; just don't sign out.)

You have now created a job role with two assigned duty roles.


Instructor Note: Activity Timing

Approximate Activity Timing: 20 minutes


Activity 4 Introduction

Background

After creating a new role, you typically create a mapping rule that defines criteria for how the role can be provisioned to users. You can then assign the role to users who fit those criteria.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.

• You must have access to Oracle Fusion Application InFusion database (or comparable training or test instance at your site) on which to complete this practice.

• You must have successfully created a new user (Security.UserXX) in Activity 2.

• You must have successfully created a role-provisioning rule (XX Generic Mapping Rule) in Activity 2.

• You must have successfully created a job role (XX Dept Admin Job Role) in Activity 3.

Activity Scope


Activity 4: Creating a New Data Role and Assigning It to a User

In this activity you create a new data role that inherits the XX Dept Admin job role you created in Activity 3. You also add the role to the role-provisioning rule you created in Activity 2. Finally, you add the new role to the user you created in Activity 2.

Start Here: Setup and Maintenance work area, Overview page, All Tasks tab (logged on as Curtis.Feitty)

Create a New Data Role for the Custom Job Role

1. Search for and launch the Manage Data Role and Security Profiles task. Information You used this task in Activity 1 to create a data role, so you should be familiar with the screens and the process.

2. In the Search Results section toolbar, click the Create icon button.

3. In the Data Role field, enter XX Dept Admin - View All.

4. In the Job Role field, search for and select the custom job role you created (XX Dept Admin Job Role). Information If you can't find the job role you created earlier, make sure that the synchronization process completed successfully. Also, make sure that you selected HCM - Job Roles as the Role Category when you created the job role. If you accepted the default role category during creation, you won't be able to find the job role here.

5. Click Next.

6. In the Organization Security Profile field, select View All Organizations.

7. Click Next, click Review, and then click Submit.

8. Click Done.


Add the Data Role to the Existing Mapping Rule

Rather than create a new mapping rule, you can add the new role to your existing mapping rule.

1. In the Setup and Maintenance work area, launch the Manage HCM Role Provisioning Rules task. Location: Manage Role Mappings page

2. Search for the XX Generic Mapping Rule you created in Activity 2.

3. Select the rule in the Search Results, and click the Edit icon button.

Location: Edit Role Mapping page

4. In the Associated Roles section, click the Add (+) icon button.

5. Search for and select the new XX Dept Admin - View All data role. (Don't select the job role.)

6. Deselect the Autoprovision option, and select the Requestable option. Information If you do not select Requestable, you won't be able to assign this role to users.

7. Click Save and Close, and then click OK to confirm. Information This rule now contains two mappings.

8. Click Done.

Add the Role to Your New User

1. Navigate to the Setup and Maintenance work area, and launch the Manage Users task.

2. Search for the user you created in Activity 2 (enter the last name in the Keywords field and click the Search icon button).

3. Click the user name in the Search Results. Location: Edit User page

4. In the Roles section, click Add Role.

Location: Add Role window


5. Search for the XX Dept Admin - View All data role you created earlier in this activity. Note: If you cannot find the role you created, make sure that:

- You created a mapping rule for the role

- You selected the Requestable option for the role mapping

- The user's assignment information matches the mapping criteria (We didn't set any criteria in our generic mapping rule, so that should not be a problem.)

6. Select the role and click OK. Location: Edit User page

7. In the Current Roles section, select the XX HR Spec Data role you assigned to this user earlier, and click the X (Remove) icon button, then confirm.

8. Click Save and Close.

9. Click Done.

Verify Security Setup

1. Sign out, and sign back on as the user you created (Security.UserXX) and whose password you reset.

2. Select Workforce Management > Workforce Structures from the Navigator.

3. Verify that only the Manage Departments and Manage Department Trees tasks are visible under Organizations. You should no longer be able to see the HR Specialist menu options.

4. Sign out.


Instructor Note: Troubleshooting Activity 4

If students are still seeing the full set of HR Specialist menu entries, ask them to navigate to My Account and check which roles their user has assigned. Their user might have more roles than they are expecting. For example, their user might have been automatically provisioned data roles based on HR Specialist from an earlier activity if someone has inadvertently created automatic role-provisioning rules.


User Interfaces for Security Review Question 1

Which tool is used to create job roles?

1. Oracle Authorization Policy Manager (APM)

2. Oracle Identity Manager (OIM)

3. Oracle Fusion Functional Setup Manager (FSM)


User Interfaces for Security Review Question 2

To manage duty role hierarchies, you use:

1. Oracle Fusion HCM

2. Oracle Fusion Middleware Authorization Policy Manager (APM)

3. Oracle Identity Management (OIM)


User Interfaces for Security Review Question 3

A(n) ____ role in Oracle Fusion HCM is implemented as an application role in APM?

1. abstract

2. job

3. data

4. duty


User Interfaces for Security Questions and Answers

Which tool is used to create job roles? 2. Oracle Identity Manager (OIM)

To manage duty-role hierarchies, you use: 2. Oracle Fusion Middleware Authorization Policy Manager (APM)

A(n) ____ role in Oracle Fusion HCM is implemented as an application role in APM? 4. duty


HCM Security Deep Dive

Instructor Note: Deep Dive Target Audience

The content in this lesson gets a little technical. It is intended primarily for implementers who want to understand how data and functional security policies work. The information in this lesson will help students understand what they see when they use the Authorization Policy Manager (APM) to manage duties and security policies. It will also help students understand why they must regenerate data roles after making a change to the role hierarchy for a job or abstract role, a step that is often omitted (and often causes some confusion) during security setup.

If your class consists of mostly functional users, you may choose to omit this section. Alternatively, you can allow functional users to take a break while you present this section. Another option would be to present the activity (duty role creation) as a demonstration, and talk through the steps rather than asking students to complete them.

If, at the beginning of this section, students become confused about data security policies, tell them that it should become clearer as we dig deeper into the technical details and they see how the pieces fit together. The demonstration and activity should also help them understand the various components and their relationships.


Duty Roles in Detail

HCM duty roles typically have function security privileges and data security policies. In the duty role pictured below:

• The Promote Worker function security privilege secures access to the Promote Worker page.

• One data security policy determines which people can be promoted.

• Another data security policy determines which positions the person can be promoted into.


Function Security Privileges

Looking at the function security privilege in more detail, you can see that the privilege is securing a number of resources, or code artifacts, that comprise the worker promotion page.


Instructor Note: Read-Only Roles

A very small number of read-only pages are delivered under the Human Resource Analyst role. Other pages can be configured as read-only by customizing them to hide the Save or Submit buttons based on the user's current role. We are actively working on improving support for read-only in a future release.


Data Security Policy Components

A data security policy comprises:

• a role

• a data security privilege

• a business object

• a condition

Data security policies are represented in the Security Reference Manuals in the following format:

<Role> can <verb> <business object> <condition> using <data security privilege>

For example, the two data security policies in our current example would be represented as follows:

• Human Resource Specialist can promote Person for people in their person security profile using Promote Worker Data

• Human Resource Specialist can choose Position for positions in their position security profile using Choosing Position Data

Note: Data security policies are published at the level of a job or abstract role, and they take into account the duty roles that are inherited by the job and abstract roles. This makes them more readable, as it can be difficult to understand a data security policy if it is presented at the level of a duty role.


Data Security Policies

Looking at the data security policies for the worker promotion duty role, you can see that the two policies are implemented as rows in a table called FND_GRANTS.

The conditions for duty role data security policies are usually implemented as 1=2 predicates. (A predicate is an SQL expression that evaluates to TRUE or FALSE. The predicate is automatically added to the WHERE clause of any SELECT statements that are issued within the Oracle Fusion HCM pages.) The 1=2 predicate, which always evaluates to FALSE, means that the Worker Promotion Duty role, when viewed in isolation, has no access to data. The Human Resource Specialist job role inherits this duty role, so through the duty role alone it cannot actually promote anyone. Data access is usually determined by FND_GRANTS rows that are generated for the data roles to which users are assigned (as you will see later). This is why data roles are so important!


Data Security - Application Role Creation

When you create an HR Specialist – View All data role on top of the HR Specialist job role, several things happen. First, a set of three new application roles is created: one for HCM, one for FSCM, and one for CRM.

These application roles have names that are derived from the data role name.


Data Security - FND_GRANTS Generation

Next, FND_GRANTS data are generated for each of these application roles. The FND_GRANTS generated for the new application roles are similar to the FND_GRANTS for the original duty role, except:

• The role name references the data role, not the job role.

• The predicate value is 1=1, meaning that no restrictions are applied when the HCM application page selects data from the database.

In the simplified example below, the 1=1 predicate is taken from View All person and position security profiles assigned to the data role.


Data Security - Data Role Creation

Finally, the data role is created. The application roles and the security policies (FND_GRANTS) that were generated earlier are linked to the data role. (All three application roles are linked, although only one is pictured here.) The data role is linked to the Human Resource Specialist job role. However, it is the security policies inherited by the data role that provide access to the data.

Note: A predicate of 1=1 is the simplest of examples, used only in View All profiles. In reality, most predicates are more complicated. For example, the predicate for the View Own Record person security profile is shown here:


EXISTS (
    -- the row belongs to the signed-on user's own person record
    (SELECT 1 FROM PER_PERSONS P
      WHERE ROWNUM > 0
        AND P.PERSON_ID = &TABLE_ALIAS.PERSON_ID
        AND (P.PERSON_ID = (SELECT U.PERSON_ID
                              FROM PER_USERS U
                             WHERE U.USER_GUID = FND_GLOBAL.USER_GUID)))
    UNION ALL
    -- or to a current contact of the signed-on user who has no period of service of their own
    SELECT 1 FROM PER_CONTACT_RELSHIPS_F R
     WHERE TRUNC(SYSDATE) BETWEEN R.EFFECTIVE_START_DATE AND R.EFFECTIVE_END_DATE
       AND R.CONTACT_PERSON_ID = &TABLE_ALIAS.PERSON_ID
       AND NOT EXISTS (SELECT 1 FROM PER_PERIODS_OF_SERVICE PS
                        WHERE PS.PERSON_ID = R.CONTACT_PERSON_ID)
       AND EXISTS ((SELECT 1 FROM PER_PERSONS P
                     WHERE ROWNUM > 0
                       AND P.PERSON_ID = R.PERSON_ID
                       AND (P.PERSON_ID = (SELECT U.PERSON_ID
                                             FROM PER_USERS U
                                            WHERE U.USER_GUID = FND_GLOBAL.USER_GUID))))
)


Data Security in Action

When an HCM application page issues a Select statement to retrieve data from the database, it makes a data security privilege check by calling a data security API, passing the following information:

• The name of the database table in which to find the data. In our example, the table name is PER_ALL_ASSIGNMENTS_M.

• The data security privilege name. In our example, this is PER_PROMOTE_WORKER_DATA (taken from the FUNCTION_NAME in the FND_GRANTS row).

The data security code looks in the FND_GRANTS table for all rows that match any of the user's roles, the table name, and the data security privilege name.

• If it finds no matches, no data is returned.

• If it finds one match, the predicate for that FND_GRANTS row is used to filter the data that is returned. (If the predicate is 1=2, no data is returned.)

• If it finds more than one match, the predicates are OR'd together. (If any one of them is TRUE, the combined result evaluates to TRUE.)

In our example of a View All data role, two predicates would be returned: 1=1 and 1=2. When OR'd together, the end result is that the page can select data from the assignment table with no restrictions applied.
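To make the FND_GRANTS flow concrete, the following is an added Python simulation (not Oracle code and not part of this guide) of the two mechanisms described above and in the FND_GRANTS Generation section: data role creation copies the duty role's grants onto generated application roles with the security profile's predicate, and the data security check ORs together every matching predicate. The table columns, the role names, the Grant class and the department-restricted security profile are constructed assumptions for illustration only.

```python
import sqlite3
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


# Constructed stand-in for the FND_GRANTS columns the lesson walks through.
@dataclass(frozen=True)
class Grant:
    role_name: str       # application role: a duty role, or one generated for a data role
    object_name: str     # database table the policy protects
    function_name: str   # data security privilege, e.g. PER_PROMOTE_WORKER_DATA
    predicate: str       # SQL condition appended to the page's WHERE clause


TABLE = "PER_ALL_ASSIGNMENTS_M"
PRIVILEGE = "PER_PROMOTE_WORKER_DATA"
DUTY_ROLE = "PER_WORKER_PROMOTION_DUTY"

# The duty role's own grant carries the 1=2 predicate: in isolation it sees no rows.
DUTY_GRANTS = [Grant(DUTY_ROLE, TABLE, PRIVILEGE, "1=2")]

# Predicate contributed by a security profile.  "View All" is from the lesson; the
# department-restricted profile is a constructed example of a non-trivial predicate.
SECURITY_PROFILE_PREDICATES = {
    "View All": "1=1",
    "Sales Department Only": "ORGANIZATION_ID = 300",  # constructed
}


def generate_data_role(data_role: str, duty_roles: Iterable[str],
                       security_profile: str, grants: List[Grant]):
    """Mimic data role creation as the lesson describes it: derive one application
    role per stripe from the data role name, then copy each inherited duty role's
    grants onto those roles with the predicate replaced by the security profile's."""
    duties = set(duty_roles)
    app_roles = [f"{data_role}_{stripe}" for stripe in ("HCM", "FSCM", "CRM")]
    predicate = SECURITY_PROFILE_PREDICATES[security_profile]
    generated = [Grant(app_role, g.object_name, g.function_name, predicate)
                 for g in grants if g.role_name in duties
                 for app_role in app_roles]
    return app_roles, grants + generated


def build_predicate(grants: List[Grant], user_roles: Set[str],
                    table: str, privilege: str) -> Optional[str]:
    """The data security check: every grant matching one of the user's roles, the
    table and the privilege contributes its predicate, and the predicates are OR'd.
    None means no grant matched at all, so the page must return no data."""
    preds = [g.predicate for g in grants
             if g.role_name in user_roles
             and g.object_name == table and g.function_name == privilege]
    if not preds:
        return None
    return " OR ".join(f"({p})" for p in preds)


def sample_db() -> sqlite3.Connection:
    """Constructed assignment rows; the real table has many more columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (ASSIGNMENT_ID INTEGER, "
                 "PERSON_ID INTEGER, ORGANIZATION_ID INTEGER)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
                     [(1, 101, 300), (2, 102, 300), (3, 103, 400)])
    return conn


def promotable_assignments(conn: sqlite3.Connection, grants: List[Grant],
                           user_roles: Set[str]) -> List[int]:
    """What the Promote Worker page would see for this user.  The predicate comes
    only from stored grants, never from user input, which is why the lesson says
    the generated conditions must not be edited by hand in APM."""
    pred = build_predicate(grants, user_roles, TABLE, PRIVILEGE)
    if pred is None:
        return []
    rows = conn.execute(f"SELECT ASSIGNMENT_ID FROM {TABLE} WHERE {pred} "
                        "ORDER BY ASSIGNMENT_ID")
    return [r[0] for r in rows]


def demo():
    conn = sample_db()
    # Job role only: the user holds the duty role, so the single matching grant is 1=2.
    job_only = promotable_assignments(conn, DUTY_GRANTS, {DUTY_ROLE})
    # View All data role: its HCM application role adds a 1=1 grant, OR'd with 1=2.
    va_roles, va_grants = generate_data_role("HR_SPEC_VIEW_ALL", [DUTY_ROLE],
                                             "View All", DUTY_GRANTS)
    view_all = promotable_assignments(conn, va_grants, {DUTY_ROLE, va_roles[0]})
    # Constructed restricted profile: only assignments in organization 300 are visible.
    sd_roles, sd_grants = generate_data_role("HR_SPEC_SALES", [DUTY_ROLE],
                                             "Sales Department Only", DUTY_GRANTS)
    sales = promotable_assignments(conn, sd_grants, {DUTY_ROLE, sd_roles[0]})
    return job_only, view_all, sales


if __name__ == "__main__":
    print(demo())  # ([], [1, 2, 3], [1, 2])
```

The job-role-only case returning nothing is the behaviour to expect when a data role was never created or never regenerated after a hierarchy change: the only matching grant still carries 1=2.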


Instructor Note: Demo Timing

Approximate Demonstration Timing: 15 minutes


Demonstration: Viewing Security Policies in APM

Demonstration Background

Viewing the security policies associated with duty roles can help you understand an important part of the HCM security model.

Demonstration Scope

Use the Manage Duties task in the Setup and Maintenance work area to access APM, where you can view duties and their associated data and function security policies.

Demonstration Steps

Start Here: Setup and Maintenance work area, Overview page, All Tasks tab (logged on as Curtis.Feitty)

1. Launch the Manage Duties task. Location: Authorization Management page

2. In the Application Name section, select hcm.

3. Select Search under Application Roles.

Information Remember that duty roles are referred to as application roles in APM. Location: Role Catalog page

4. In the Display Name field, enter Worker Promotion Duty and click Search.

5. In the Search Results, select the Worker Promotion Duty role and click the Open icon button.

Viewing Functional Security Policies

1. Click Find Policies in the upper-right-hand corner of the screen, and then select Default Policy Domain.

2. Review the policies listed on the Functional Policies tab.


Information This role has only one function security policy: Policy for Worker Promotion Duty. It controls access to this function from the Oracle Fusion HCM menus and work areas.

3. To view the code artifacts that are secured using this function security policy, go back to the Home tab (but don't close this tab).

4. Select hcm in the Application Name field, and then click Search under Entitlements. Location: Search Entitlements page Note: Remember that, in APM terminology, an entitlement equates to an Oracle Fusion Applications function security privilege.

5. In the Display Name field, enter Promote Worker and click Search.

6. Select the Promote Worker entitlement in the Search Results, and click the Open icon button.


Information The code artifacts that are secured against this entitlement are shown in the Resources section of the page.

7. Return to the Search Authorization Policy tab. (The Worker Promotion Duty role should still be displayed.)

Viewing Data Security Policies

1. Select the Data Security tab, and review the data security policies for this role.


Information This role has several data security policies: Choose Department, Choose Position, Promote Worker, and so on. These policies provide access to all of the different types of data that a user must view, select, or manage when performing the Worker Promotion Duty. As you can see, managing data security policies can be very complex. However, if you use the delivered duty roles as building blocks when defining custom job roles in HCM, then security policies are generated automatically for you. You do not need to manage them manually in APM.

2. In the right-hand corner of the Actions column header, click the Sort Descending icon button to re-sort the column. Information This just makes it easier to find the role, as the list is very long.

3. Select the Promote Worker row, and click the Edit icon button. Location: Data Security Policy: Edit page


4. Select the Rule tab. Information This tab shows the condition for the privilege. When expanded, the condition is: Access the person assignment for table PER_ALL_ASSIGNMENTS_M for persons and assignments in their person and assignment security profile. This tab does not show the SQL predicate. To view the SQL predicate, you must navigate to the data security policy from a different direction.

5. Return to the Home tab, and click Search - Policies under the Search and Create heading. Location: Search Policies tab

6. Click the Database Resource button at the top of this tab.

Location: Manage Database Resources and Policies page

7. In the Display Name field, enter Person Work Terms Assignment and click Search. Information The Search Results lists all of the data security policies for the PER_ALL_ASSIGNMENTS_M database table.

8. In the PER_ALL_ASSIGNMENTS_M: Policies Details section, click the Detach button. Location: Detached Table page Note: Detaching the table makes it easier to browse and navigate, and allows you to view the SQL predicate in the condition.

9. Right-click the Role column header, and select Sort > Descending.

10. Scroll down to the PER_WORKER_PROMOTION_DUTY role (there are two rows), and select the row with the Description: Worker promotion duty can search worker... (The Policy column for this role displays Grant on Person Assignment.)

11. Click the Edit icon button. Location: Edit Data Security: PER_ALL_ASSIGNMENTS_M page

12. Select the Condition tab.


Information Note the SQL predicate for the condition in the first row. The other conditions on the Conditions tab are generated from security profiles. The condition Display Name includes the security profile name.

13. Select the first condition, and click the Edit icon button.

Information You can view the full condition details here. Note the SQL Predicate value of 1=2, as discussed previously. IMPORTANT! Don't edit the conditions! The conditions for HCM data security policies are generated automatically from security profiles and should not be changed.


14. Click Cancel.

15. Close the APM browser window.

You have demonstrated how to view function and data security policies.


Instructor Note on Activity 5: Bulk Regeneration Regarding regeneration of data roles in Activity 5, inform students that a bulk regeneration process for data roles is currently under development.


Instructor Note: Activity Timing

Approximate Activity Timing: 30 minutes


Activity 5 Introduction

Background

A new duty role is required because the predefined duty role has more function security privileges and data security policies than you want the role to have in your enterprise.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.

• You must have access to Oracle Fusion Application InFusion database (or comparable training or test instance at your site) on which to complete this practice.

• You must have successfully created a job role (XX Dept Admin) in Activity 3.

Activity Scope


Activity 5: Creating a Custom Duty Role

In this activity, you create a custom duty role, using a predefined role as a reference. You add data and function security policies to the role and then add the new duty role to the job role you created in Activity 3. Finally, you generate the data security policies for the roles that inherit this new duty.

Start Here: Setup and Maintenance work area, Overview page, All Tasks tab (logged on as Curtis.Feitty)

Create the New Duty Role

1. Launch the Manage Duties task. Location: Authorization Management page

2. In the Application Name section, select hcm.

3. Under the Application Roles heading, click New.

4. In the Display Name field, enter XX Department Duty.

5. In the Role Name field, enter XX_DEPT_DUTY.

6. Click Save.

Add Function Security Privileges to the Role

1. Click the Create Policy button in the top-right corner of the tab, and select Default Policy Domain. Location: Untitled page

2. In the Display Name field, enter XX Policy for XX Department Duty.

Information Predefined security policies use the naming format: Policy for <duty role name>.

3. In the Name field, enter XX_DEPT_DUTY_POL.

4. In the Targets section, click the Add Targets (+) icon button. Location: Search Targets page


Information APM uses generic security terminology. In this context, a target is a function security privilege, and a principal is a role. Thus, when a target is granted to the principal, it means that the function security privilege is granted to the duty role.

5. In the Display Name (Starts With) field, enter Manage Department, and click Search.

6. Select Manage Department, and click the Add Selected button (located above the search results). Information The security privilege is added to the Selected Targets list.

7. Click Add Targets (at the bottom of the page), and then click Save. Information You have now added the Manage Department function security privilege to your duty role.

Add Data Security Policies to the Duty Role

1. Return to the Home tab, and click Search under Application Roles. Location: Role Catalog page

2. In the Display Name field, enter Department Management Duty and click Search. Information This is the predefined duty role you will use as a reference for your custom duty role. You want to find the data security policies assigned to that role and add your role to them.

3. Select the role in the Search Results, and click the Open icon button. Location: Department Management Duty page

4. In the upper-right-hand corner of the page, click Find Policies and select Default Policy Domain.

5. In the Policies for: Department Management Duty section, select the Data Security tab. Information There are three data security policies for this role.


6. Select the first data security policy.

7. Click the Edit icon button.

8. Select the Roles tab, and click the Add icon button. Location: Select and Add: Roles page

9. Search for your new duty role. (Enter XX_DEPT_DUTY in the Role Name field, select hcm as the Application, and then click Search.)

10. Select the XX Department Duty role, and click OK. Information You have now created a copy of this data security policy against your custom duty role.

11. Click Save, and click OK to dismiss the confirmation window. Location: Search Authorization Policies tab (which displays the Department Management Duty role).

12. Select the second security policy on the Data Security tab, and repeat steps 7-11.

13. Select the third (and last) security policy, and repeat steps 7-11 again. Information You have now created copies of these three data security policies against your custom duty role. The duty role is complete. Take a moment now to verify that all policies were added.

14. Return to the Home tab.

15. Select hcm in the Application Name field, and select Search under Application Roles.

16. Search for the duty role (Display Name: XX Department Duty) and open it from the Search Results.

17. Click Find Policies, and select Default Policy Domain. Information You should see one policy on the Functional Policies tab and three on the Data Security tab.

18. Return to the Home tab.


Assign the New Duty Role to a Job Role

1. Select hcm for the Application Name, and select Search - External Roles under the Search and Create heading. Location: Search - External Roles page

2. Search for the XX Dept Admin Job Role you created in Activity 3.

3. Select the job role in the Search Results, and click Open Role.

4. Select the Application Role Mapping tab.

5. Remove the predefined Department Management Duty role. (Open the hcm folder, select the role, click the Remove Roles icon button, and then confirm.)

6. Add your custom XX Department Duty role. (Click + Map, select hcm, search for the XX Department Duty duty role, select it, and click Map Roles.) Information The job role now has two duties: your custom department duty role and the original Approve Transaction Duty role.

Generate the Data Security Policies for the Roles that Inherit this Duty Role

1. Return to Oracle Fusion Applications and navigate to the Setup and Maintenance work area.

2. Launch the Manage Data Role and Security Profiles task.

3. Search for your XX Dept Admin - View All data role, and then click Assign.

4. Proceed through the pages in the flow until you get to the Review page, and then click Submit. Information Although you did not make any changes to the data role, you must run this task to regenerate its security policies because you changed the job role that the data role inherits. Note: Security policies are regenerated only for the selected role. If you needed to regenerate data security policies for multiple data roles, you would have to run this task (and click Assign) for each role.

5. Click Done.


Verify Your Provisioning

1. Sign out and sign back in as the user you created earlier (Security.UserXX).

2. Navigate to the Workforce Structures work area.

3. Verify that you can only see the Manage Departments task under Organizations in the Workforce Structures work area.


Security Deep Dive Review Question 1

If you make changes to a job role or any of its duty roles, you must:

1. Delete all data roles based on the job role and recreate them

2. Regenerate all the data roles that inherit the job role

3. Reassign security profiles to all data roles that inherit the job role


Security Deep Dive Review Question 2

A data security policy consists of:

1. A role and a privilege

2. A business object and a condition

3. All of the above


Security Deep Dive Questions and Answers

If you make changes to a job role or any of its duty roles, what must you do:

2. Regenerate all the data roles that inherit the job role

OR

3. Reassign security profiles to all data roles that inherit the job role

It is the process of reassigning security profiles (using the Manage Data Role and Security Profiles task and the Assign action) that regenerates the data roles and associated security privileges and policies. The reason that #3 also applies is because if you add new duty roles to a job role, that could require additional security profiles to be assigned to the data role.

A data security policy consists of:

3. All of the above


Instructor Note: Final Activities

The remaining activities require participants to apply what they’ve learned to real-world scenarios. Encourage them to attempt the activities using only the information provided in the activity introductions. If they get stuck, they can refer to the detailed steps. However, they should try to figure out which tasks to perform and which data to enter in order to achieve the desired results. The Additional Security Activity provides the detailed steps for the scenario described in the next section's review questions. If there is not enough time to do the final exercises, students can do them as post-work. There are no new concepts or tasks in these activities.


Instructor Note: Activity Timing

Approximate Activity Timing: 30 minutes


Activity 6 Introduction

Background

The predefined line manager role has access to actions that you don’t want all your line managers to use. A custom line manager role is required to meet your needs.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.

• You must have access to Oracle Fusion Application InFusion database (or comparable training or test instance at your site) on which to complete this practice.

• You must have successfully created a user in Activity 2.

• You must have successfully created a role-provisioning rule in Activity 2.

Activity Scope

Note: Students are encouraged to attempt to complete this activity using only the summarized steps below. The complete set of detailed steps is available on the following page should you need them. However, you've already performed each of these tasks at least once, so you may be able to work out the detailed steps yourselves.

1. Use the Manage Job Roles task to create a custom abstract role for a line manager. This process is basically the same as creating a job role.

2. Use the Retrieve Latest LDAP Changes scheduled process to synchronize the new role information between LDAP and HCM.

3. Use the Manage Duties task to grant access to the following manager actions only: Promote, Transfer, Change Manager, and Change Working Hours. (To find the exact names of the duties, you can search the HCM Security Reference Manual. You must also grant manager access to the Person Gallery to be able to see these actions.)

4. Use the Manage Data Role and Security Profiles task to assign the View Manager Hierarchy predefined security profile to the new abstract role.

5. Use the Manage HCM Role Provisioning Rules task to add a mapping rule for the new role so that it can be provisioned to users. Use the same task to modify the Line Manager mapping rule so that the predefined Line Manager role will no longer be automatically provisioned.

6. Use the Manage Users task to create a new user who will report to the line manager user. The new employee has the same legal employer (InFusion Corp USA1) and business unit (USA1 Business Unit) as the employee you created earlier. Do not assign any roles, other than the automatically provisioned employee role.

7. Use the Manage Users task to assign the custom line manager role to the user you created in Activity 2.

8. Verify the security provisioning for the new user and compare with a user who has the standard line manager role, such as Jack.Fisher.


Activity 6: Creating a Custom Line Manager Role

In this activity you will create a custom line manager abstract role and perform all necessary tasks (as summarized on the previous page) to assign the new role to the user you created earlier. You will also deprovision the predefined Line Manager role, for which there is an autoprovision rule in place. You will also create a new user, who will report to the line manager. This allows you to verify that the custom line manager role you created provides access to the manager duties you assigned to it.

Create Custom Line Manager Role

1. Log in to Oracle Fusion applications as Curtis.Feitty.

2. Navigate to the Setup and Maintenance work area, Overview page, All Tasks tab.

3. Search for and launch the Manage Job Roles task. Location: Oracle Identity Manager page

4. Click Administration, and then click Create Role.

Location: Create Role page

5. In the Name field, enter XX_LINE_MGR_ROLE.

6. In the Display Name field, enter XX Line Manager.

7. In the Role Category Name field, select HCM - Abstract Roles.

8. Click Save.

9. Return to the Oracle Fusion Applications window.

Synchronize Roles between LDAP and HCM

1. Navigate to the Scheduled Processes work area.

2. In the Search Results, select a Retrieve Latest LDAP Changes process where the Status is Succeeded.

3. Click Resubmit, then click Yes to confirm.


Assign Duties to Your Role

1. Navigate to the Setup and Maintenance work area, and launch the Manage Duties task. Location: Oracle Entitlements Server Authorization Management page

2. In the Application Name section, select hcm.

3. Under the Search and Create heading, click Search - External Roles.

Location: Search - External Roles page

4. In the Display Name field, search for the XX Line Manager role you created earlier.

5. Select the role in the Search Results, and click the Open Role button.

6. Click the Application Role Mapping tab to assign duty roles to the job role.

7. Click the + Map icon button. Location: Map Application Roles to External Role page

8. In the Application field, select hcm.

9. In the Display Name field, enter Worker Transfer Duty and click Search.

10. Select the role in the Search Results, and click Map Roles.

11. Repeat steps 7-10 to add the following additional duty roles:

Worker Working Hours Change Duty

Worker Promotion Duty

Worker Manager Change Duty

Manager Gallery Access Duty

Information Once all 5 duty roles have been added, your custom line manager role is complete.

12. Return to the Oracle Fusion Applications window.


Assign Security Profiles to the Custom Role

1. Navigate to the Setup and Maintenance work area, and launch the Manage Data Role and Security Profiles task.

2. Search for the new line manager role (XX Line Manager) you just created. Information In the Search Results, note that the Security Profiles Assigned column for this role is blank, as no security profiles have been assigned yet.

3. Select it from the Search Results and click Assign. Location: Assign Data Role: Security Criteria page

4. In the Organization section, search for and select View All Organizations.

5. In the Position section, select View All Positions.

6. In the Person section, search for and select View Manager Hierarchy.

7. In the Public Person section, search for and select View All People.

Information All of these profiles are predefined.

8. Click Review, and then Submit. Location: Manage Data Roles and Security Profiles - Search page

9. Search for the role, and verify that it now displays a checkmark in the Security Profiles Assigned column.

Create a Mapping Rule for the Custom Role

You can add this mapping rule to an existing role-provisioning rule.

1. Navigate to the Setup and Maintenance work area, and launch the Manage HCM Role Provisioning Rules task. Location: Manage Role Mappings page

2. Search for the mapping rule (XX Generic Mapping Rule) you created in Activity 2. Information You could create a new mapping rule, but it's easier for now to use the one created earlier, since it has no conditions.

3. Select the rule in the Search Results and click the Edit icon button. Information There should be two rows for this rule; you can select either one.

4. In the Associated Roles section, click the Add (+) icon button.

5. Select the custom abstract role (XX Line Manager).

6. Deselect the Autoprovision option, and select the Requestable option. Information In an actual implementation, you might want to configure your custom line manager role for autoprovisioning, in place of the predefined Line Manager role.

7. Click Save and Close, and then click OK to dismiss the confirmation message. Location: Manage Data Roles and Security Profiles - Search page

8. In the Mapping Name field, search for the predefined Line Manager With Reports rule.

9. Select the role in the Search Results, and click the Edit icon button.

10. In the Associated Roles section, select the Line Manager role, and then deselect the Autoprovision option. Note: If the Autoprovision option is already deselected or the role does not appear in the Associated Roles list, another student who shares your training environment has already performed this step. Information If the Line Manager role is set to autoprovision, it will be automatically provisioned to your security user when you select that user as a manager in the next task. In a real implementation, you would probably set up your custom line manager role for autoprovisioning, but we don't want to do that in the training environment (since multiple students are creating custom line manager roles).

11. Click Save and Close, and then click OK.

12. Click Done.


Create a User Who Works for the Line Manager

1. In the Setup and Maintenance work area, launch the Manage Users task. Location: Manage Users (Search Person) page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create User page

3. Enter the following values:

Note: Make sure that you use the specified Hire Date.

4. In the Roles section, click Autoprovision Roles. Information The Employee role appears in the Role Requests table. Note: If any roles other than Employee appear in the Role Requests table, delete them. (Additional roles may appear if other trainees created roles and mistakenly set them up for autoprovisioning.)

5. Click Save and Close.


Add the Custom Line Manager Role to Your First User

1. In the Manage Users (Search Person) page, search for the user you created in Activity 2. (You can search by your last name.)

2. Click the user name in the Search Results. Location: Edit User page

3. In the Roles section, click Add Role.

Location: Add Role window

4. Search for and select the custom line manager role (XX Line Manager) you created earlier in this activity. Note: If you cannot find the role you created, make sure that:

- You created a mapping rule for the role

- You selected the Requestable option for the role mapping

- The user's assignment information matches the mapping criteria (we didn't set any criteria in our generic mapping rule)

5. In the Current Roles section, select the XX Dept Admin - View All role you assigned to this user earlier, and click the X (Remove) icon button, then confirm. Important If you updated the Line Manager with Reports role-provisioning rule, as described above, the Line Manager role should not have been provisioned. If it was, delete it now.

6. Remove any other roles, other than Employee, that may have been automatically provisioned.

7. Click Save and Close.

8. Click Done. Note: It may take a few moments for the role changes to take effect.

Verify Security Setup

1. Sign out, and sign back on as the line manager user (Security.UserXX).

2. Navigate to Person Gallery.

3. Select the Organization Chart tab.


4. Open the Actions > Personal and Employment menu for the subordinate employee. Information You should see the following manager actions under Personal and Employment: Change Manager, Change Working Hours, Promote, and Transfer. You should also see the Information Sharing action, which comes from the automatically provisioned Employee role.


Tying It All Together

Resilience to Change

Resilience to change refers to the amount of change a system can undergo and still operate properly within expected parameters. When this concept is applied to HCM security management, you can see that the security model is quite robust when you make changes to higher level objects, such as job roles. The deeper you go into the hierarchy, the more careful you must be when making changes.

Now that you've seen the types of changes you can make, you should consider the level of resilience associated with each type:

Most Robust

• Creating custom job roles and using existing duty roles as building blocks

Less Robust - Requires More Testing to Ensure Expected Results

• Creating custom duty roles and assigning function and data security policies

As demonstrated earlier, function and data security policies work together to provide users with the access they need to do their job. If you create a duty role and do not configure both types of policies correctly, the duty role will not operate properly. Testing is required to verify expected results. The more you change and the deeper your changes go in the hierarchy, the more testing is required and the more complex the testing becomes.


Least Robust - Not Recommended

• Creating new resource types, resources, entitlements (function security policies), or authorization policies

• Manually modifying data security policies, except for adding custom duty roles

Note: It should not be necessary to create your own data security policies. When you are creating custom duty roles, the predefined security policies should be adequate for your needs.
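The role hierarchy that the Security Deep Dive answers and this section describe, as an added example that is not part of the Oracle course material: a small Python model of duty roles, job roles and data roles in which a data security policy is a role plus a privilege, a business object and a condition, access to a task needs both the function security privilege and a generated data policy, and a data role's generated policies go stale when its job role's duties change until the data role is regenerated. All privilege, business object and condition names in it, including the second "Manage Department Tree" privilege on the predefined duty, are constructed sample values rather than names taken from the HCM Security Reference Manual.

```python
# Toy model of the HCM role hierarchy taught in this lesson (added example, not Oracle code).
# Assumed shapes: duty role = function privileges + data security policies;
# job role = the duty roles it inherits; data role = job role + security profiles
# + the data security policies generated for it.
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DataSecurityPolicy:
    role: str             # the duty role the policy is written against
    privilege: str
    business_object: str
    condition: str        # which instances of the object the policy covers


@dataclass(frozen=True)
class DutyRole:
    name: str
    function_privileges: frozenset[str]
    data_policies: frozenset[DataSecurityPolicy]


@dataclass
class JobRole:
    name: str
    duties: dict[str, DutyRole]

    def function_privileges(self) -> frozenset[str]:
        return frozenset().union(*(d.function_privileges for d in self.duties.values()))

    def data_policies(self) -> frozenset[DataSecurityPolicy]:
        return frozenset().union(*(d.data_policies for d in self.duties.values()))


@dataclass
class DataRole:
    name: str
    job_role: JobRole
    security_profiles: dict[str, str]
    generated: frozenset[DataSecurityPolicy] = frozenset()

    def regenerate(self) -> None:
        # Models Manage Data Role and Security Profiles > Assign > Review > Submit.
        self.generated = self.job_role.data_policies()

    def is_stale(self) -> bool:
        # True when the job role's duties changed after the last regeneration.
        return self.generated != self.job_role.data_policies()


def can_access(data_role: DataRole, privilege: str, business_object: str) -> bool:
    """Function security opens the task; a generated data policy written against a duty
    the job role still inherits supplies the rows. Access needs both halves."""
    has_function = privilege in data_role.job_role.function_privileges()
    has_data = any(p.privilege == privilege and p.business_object == business_object
                   and p.role in data_role.job_role.duties for p in data_role.generated)
    return has_function and has_data


def copy_policies_to(policies: frozenset[DataSecurityPolicy], role: str) -> frozenset[DataSecurityPolicy]:
    # Activity 5 steps 6-13: adding your duty role to a predefined policy creates a copy against it.
    return frozenset(replace(p, role=role) for p in policies)


def activity5_scenario() -> dict[str, bool]:
    # Every privilege, object and condition name below is a constructed sample value.
    predefined_name = "Department Management Duty"
    objects = ("Department", "Organization Classification", "Location")  # three policies, as in Activity 5
    predefined_policies = frozenset(
        DataSecurityPolicy(predefined_name, "Manage Department", obj, "in organization security profile")
        for obj in objects)
    predefined = DutyRole(predefined_name,
                          frozenset({"Manage Department", "Manage Department Tree"}),  # second one is the unwanted extra
                          predefined_policies)
    approve = DutyRole("Approve Transaction Duty", frozenset({"Approve Transaction"}),
                       frozenset({DataSecurityPolicy("Approve Transaction Duty", "Approve Transaction", "Transaction", "own")}))
    job = JobRole("XX Dept Admin", {predefined.name: predefined, approve.name: approve})
    data_role = DataRole("XX Dept Admin - View All", job, {"Organization": "View All Organizations"})
    data_role.regenerate()

    r: dict[str, bool] = {}
    r["predefined_manage_dept"] = can_access(data_role, "Manage Department", "Department")
    r["tree_privilege_before"] = "Manage Department Tree" in job.function_privileges()

    # Swap the predefined duty for a narrower custom one carrying copies of all three policies.
    custom = DutyRole("XX Department Duty", frozenset({"Manage Department"}),
                      copy_policies_to(predefined_policies, "XX Department Duty"))
    del job.duties[predefined.name]
    job.duties[custom.name] = custom
    r["tree_privilege_after"] = "Manage Department Tree" in job.function_privileges()
    r["stale_after_swap"] = data_role.is_stale()
    # Generated policies still name the removed duty, so access fails until regeneration.
    r["manage_dept_before_regen"] = can_access(data_role, "Manage Department", "Department")
    data_role.regenerate()
    r["manage_dept_after_regen"] = can_access(data_role, "Manage Department", "Department")
    r["stale_after_regen"] = data_role.is_stale()

    # Failure mode from Tying It All Together: function privilege present, one data policy missing.
    incomplete = DutyRole(custom.name, custom.function_privileges,
                          frozenset(p for p in custom.data_policies if p.business_object != "Location"))
    job.duties[custom.name] = incomplete
    data_role.regenerate()
    r["incomplete_department"] = can_access(data_role, "Manage Department", "Department")
    r["incomplete_location"] = can_access(data_role, "Manage Department", "Location")
    return r


if __name__ == "__main__":
    for check, ok in activity5_scenario().items():
        print(f"{check:26} {ok}")
```

The scenario follows Activity 5: swapping the duty on the XX Dept Admin job role alone leaves the XX Dept Admin - View All data role stale and unable to reach Manage Department until it is regenerated, which is why the Assign flow has to be run even though the data role itself was not edited. The last two checks show the "less robust" case from this section: a custom duty whose function privilege is in place but which is missing one copied data policy opens the task while silently losing access to one business object, which is exactly the kind of gap only testing against each object would reveal.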


Lesson Review Questions

Lesson Review Question 1

Answer the question below given the information in the following scenario:

• An enterprise needs to create a custom employee role, because the predefined employee abstract role allows access to several cards in the Person Gallery that the enterprise wants to hide. The customer wants the new employee role to have access only to the Person Gallery function and the Change Marital Status action. They should only be able to see their own employee information.

Based on the HCM security reference information you have available online for the predefined employee abstract role, how many duty roles must you add to your custom employee role to enable access to these functions?

1. 1 duty role

2. 2 duty roles

3. 4 duty roles

4. 5 duty roles


Lesson Review Question 2

Answer the question below given the information in the following scenario:

• An enterprise needs to create a custom employee role, because the predefined employee abstract role allows access to several cards in the Person Gallery that the enterprise wants to hide. The customer wants the new employee role to have access only to the Person Gallery function and the Change Marital Status action. They should only be able to see their own employee information.

After planning your customization, which of the following tasks would you perform first:

1. Create a custom abstract role

2. Create custom duty roles

3. Remove duty roles from the predefined abstract role


Lesson Review Question 3

Answer the question below given the information in the following scenario:

• An enterprise needs to create a custom employee role, because the predefined employee abstract role allows access to several cards in the Person Gallery that the enterprise wants to hide. The customer wants the new employee role to have access only to the Person Gallery function and the Change Marital Status action. They should only be able to see their own employee information.

After creating a new abstract role, you must synchronize data between LDAP and HCM before you can:

1. Add duties to the abstract role

2. Create a mapping rule for the abstract role

3. Assign the abstract role to a user

4. All of the above except 1


Lesson Review Question 4

Answer the question below given the information in the following scenario:

• An enterprise needs to create a custom employee role, because the predefined employee abstract role allows access to several cards in the Person Gallery that the enterprise wants to hide. The customer wants the new employee role to have access only to the Person Gallery function and the Change Marital Status action. They should only be able to see their own employee information.

Which predefined person security profile could be used for this new employee role:

1. View Own Record

2. View All Workers

3. View Manager Hierarchy


Lesson Review Question 5

Answer the question below given the information in the following scenario:

• An enterprise needs to create a custom employee role, because the predefined employee abstract role allows access to several cards in the Person Gallery that the enterprise wants to hide. The customer wants the new employee role to have access only to the Person Gallery function and the Change Marital Status action. They should only be able to see their own employee information.

Which public person security profile could be used for this new employee role:

1. View Own Record

2. View All Workers

3. View Manager Hierarchy


Lesson Questions and Answers

Based on the HCM security reference information you have available online for the predefined employee abstract role, how many duty roles must you add to your custom employee role to enable access to these functions: 4. 5 duty roles

The roles are:

• Public Person Selection Duty

• Approval Notification Duty

• Approve Transactions Duty

• Gallery Access Duty

• Person Marital Status Maintenance Duty

After planning your customization, which of the following tasks would you perform first: 1. Create a custom abstract role

After creating a new abstract role, you must synchronize data between LDAP and HCM before you can: 4. All of the above except 1

Which predefined person security profile could be used for this new employee role: 1. View Own Record

Which public person security profile could be used for this new employee role: 2. View All Workers or View Own Record. Use the latter if you do not want to allow employees to browse the Person Gallery for other employees.


Instructor Note: Activity Timing

Approximate Activity Timing: 30 minutes


Additional Security Activity Introduction

Background

The predefined employee role allows access to several cards in the Person Gallery that you don’t want users to view. A custom employee role is required to meet your needs. The new employee role should have access to the My Portrait function and the Change Marital Status action. They should only be able to see their own employee information.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.

• You must have access to Oracle Fusion Application InFusion database (or comparable training or test instance at your site) on which to complete this practice.

• You must have successfully created a user in Activity 2.

• You must have successfully created a role-provisioning rule in Activity 2.

Activity Scope

Note: As with the previous activity, students are encouraged to complete this activity using only the summarized steps below. This time, we've left a bit more for you to figure out than in the last activity.

1. Create a custom employee abstract role that has access to the My Portrait function and the Change Marital Status action. Restrict their data access to their own record only in the Person Gallery.

2. Determine the names of the duties that should be added to this role by reviewing the roles and duties in the HCM Security Reference Manual, and then add the appropriate duties to the new employee role.

3. Assign the predefined View Own Record person security profile to the custom employee role.

4. Assign the predefined View Own Record public person security profile to the custom employee role.

5. Create a mapping rule for the custom employee role.


6. Assign the custom employee role to a user.

7. Verify your security provisioning.


Additional Security Activity: Creating a Custom Employee Role

In this activity you will create a custom Employee abstract role with access only to the My Portrait and Marital Status actions. After creating the abstract role and assigning the appropriate duty roles, perform the necessary steps to assign the job role to a user.

Create Custom Employee Role

1. Log in to Oracle Fusion applications as Curtis.Feitty.

2. Navigate to the Setup and Maintenance work area, Overview page, All Tasks tab.

3. Search for and launch the Manage Job Roles task. Location: Oracle Identity Manager page

4. Click Administration, and then click Create Role.

Location: Create Role page

5. Enter the following information:

Name: XX_EMPLOYEE_ROLE

Display Name: XX Employee

Role Category Name: HCM - Abstract Roles

6. Click Save.

7. Return to the Oracle Fusion Applications window.

Synchronize Roles between LDAP and HCM

1. Navigate to the Scheduled Processes work area.

2. In the Search Results, select a Retrieve Latest LDAP Changes process where the Status is Succeeded.

3. Click Resubmit, then click Yes to confirm.


Assign Duties to Your Role

1. Navigate to the Setup and Maintenance work area, and launch the Manage Duties task. Location: Authorization Management page

2. In the Application Name section, select hcm.

3. Select Search - External Roles.

Location: Search - External Roles page

4. Search for the XX Employee role you created earlier.

5. Select the role in the Search Results and click the Open Role button.

6. Click the Application Role Mapping tab to assign duty roles to the job role.

7. Click the + Map icon button.

Location: Map Application Roles to External Role page

8. In the Application field, select hcm.

9. In the Display Name field, enter Person Marital Status Maintenance.

10. Select the role in the Search Results and click Map Roles.

11. Repeat steps 8-10 for each of the following additional roles:

Public Person Selection Duty

Approval Notification Duty

Approve Transactions Duty

Gallery Access Duty

Assign a Security Profile to the Role

1. Navigate to the Setup and Maintenance work area, and launch the Manage Data Role and Security Profiles task.

2. Search for the custom employee role you just created.

3. Select it from the Search Results and click Assign.


4. Click Next.

5. In the Person section, select the predefined View Own Record profile.

6. In the Public Person section, select the View Own Record profile.

7. For all other sections, select one of the View All profiles.

8. Click Review, and then Submit.

Information: If you search for the role, you should see a checkmark in the Security Profiles Assigned column.

Create a Mapping Rule for the Employee Role

Follow the steps presented in Activity 6 to create a mapping rule for the new role. (Open the existing mapping rule, XX Generic Mapping Rule, and add a mapping for your new XX Employee role. Deselect autoprovisioning, and select the Requestable option.)

Assign the Role to a User

Follow the steps presented in Activity 6 to assign the XX Employee role to the user you created in Activity 2. Deprovision the predefined Employee role and any other roles assigned to the user; if the user keeps any other role, that role's duties would mask the restricted access you are about to test.

Verify your Security Provisioning

1. Log in as your user and navigate to the Person Gallery.

2. Verify that you can only access the My Portrait tab and the Change Marital Status action.
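The guide verifies provisioning through the user interface only. As an added check (not part of the guide's activity), the two queries below confirm from the database side that the custom role was synchronized from LDAP into HCM (the Synchronize Roles step above) and that the test user now holds only that role. The table and column names (PER_USERS, PER_USER_ROLES, PER_ROLES_DN, PER_ROLES_DN_TL and their columns) are assumptions about the Fusion HCM schema and are not named on the page; :username is a bind variable for the test user.

```sql
-- Added example, not part of the guide's activity. Table and column names
-- (PER_USERS, PER_USER_ROLES, PER_ROLES_DN, PER_ROLES_DN_TL) are assumptions
-- about the Fusion HCM schema; :username is a bind variable for the test user.

-- 1. Confirm that the custom role has been synchronized from LDAP into HCM.
--    If this returns no row, the Retrieve Latest LDAP Changes process has not
--    run since the role was created in OIM, and the role will not appear in
--    the Manage Data Role and Security Profiles search.
SELECT r.ROLE_ID,
       r.ROLE_COMMON_NAME,
       r.ABSTRACT_ROLE,
       r.ACTIVE_FLAG
FROM   PER_ROLES_DN r
WHERE  r.ROLE_COMMON_NAME = 'XX_EMPLOYEE_ROLE';

-- 2. List the roles currently provisioned to the test user. After the predefined
--    Employee role has been deprovisioned, only XX_EMPLOYEE_ROLE should be active;
--    any other active role would grant duties beyond the two you intend to test.
SELECT u.USERNAME,
       r.ROLE_COMMON_NAME,
       rt.ROLE_NAME,
       CASE
         WHEN r.ABSTRACT_ROLE = 'Y' THEN 'ABSTRACT'
         WHEN r.JOB_ROLE      = 'Y' THEN 'JOB'
         WHEN r.DATA_ROLE     = 'Y' THEN 'DATA'
       END                    AS ROLE_TYPE,
       ur.ACTIVE_FLAG,
       ur.START_DATE,
       ur.END_DATE
FROM   PER_USERS u
JOIN   PER_USER_ROLES ur ON ur.USER_ID = u.USER_ID
JOIN   PER_ROLES_DN r     ON r.ROLE_ID  = ur.ROLE_ID
JOIN   PER_ROLES_DN_TL rt ON rt.ROLE_ID = r.ROLE_ID
                         AND rt.LANGUAGE = USERENV('LANG')
WHERE  u.USERNAME = :username
AND    ur.ACTIVE_FLAG = 'Y'
ORDER  BY rt.ROLE_NAME;
```

If the second query returns more than the one abstract role, the Person Gallery test in step 2 is not exercising the custom role in isolation: deprovision the extra roles and repeat the check before drawing conclusions about what XX Employee can and cannot do.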

Troubleshooting If, after completing this activity, you try to perform the Change Marital Status action, you may encounter the following errors:

• You cannot edit your marital status because legislative information is missing from your account. Contact your support representative. (PER-1531137)

• A current or future-dated change of this type exists for this person. Contact your support representative.

Error: You cannot edit your marital status because legislative information is missing from your account.


This error occurs because the person doesn't yet have a marital status. (The Manage Users page used to create this user doesn't capture all of the employee information that is captured by the New Hire flow. This is an example of why you should always use the proper HR flows once the implementation is complete. The Manage Users task is not intended to be used by HCM users in a production environment.) You can resolve this error as follows:

1. Sign on as Curtis.Feitty.

2. Navigate to Person Management and open the person record for editing.

3. On the Manage Person page, Person Information tab, Legislative Information section, select a Country (United States).

4. Open the Gender and Marital Status section for editing, and select a marital status for this person.

5. Save.

Error: A current or future-dated change of this type exists for this person

This error occurs because an employee cannot change their own marital status on the same day that it was last changed. To work around this, you can:

• Try again tomorrow (or any date thereafter)

• Ask an HR Specialist to make the change for you on the Manage Person page (or log on as a user with that role, if you have access to one).

Note: If you used the current date rather than 1-Jun-13 (the value you were instructed to use) for the employee's hire date, then you can log in as Curtis.Feitty and change the hire date to an earlier date, using the Manage Work Relationship task in the Person Management work area.


References

• For information about Single Sign-On in Oracle Fusion Applications, see: SaaS SSO Using Identity Federation eSeminar on My Oracle Support (MOS). You can take the training online or download the slides. Link: http://oukc.oracle.com/static09/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1222182178
See also: Fusion Applications Technology: Master Note on Fusion Federation, Document ID 1484345.1 on MOS. Link: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1484345.1

• For a mapping of duties and privileges to roles across all offerings, see: Mapping of Roles, Duties and Privileges in Fusion Applications, Document ID 1459828.1 on MOS. Link: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1459828.1

• For information about how duty roles and privileges map to top-level menus, see: Mapping of Duty Roles to Top Level Menu Items, Document ID 1460486.1 on MOS. Link: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1460486.1

• For descriptions of all the predefined data that is included in the security reference implementation for HCM, see: Oracle Fusion Applications Human Capital Management Security Reference Manual. Latest version is available from Oracle Fusion Applications Help.

• For information about the common roles required to set up and administer an offering, see: Oracle Fusion Applications Common Security Reference Manual. Latest version is available from Oracle Fusion Applications Help.

• For an overview and detailed information about the Oracle Fusion Applications security approach, including an explanation of role types, enforcement, and how to implement and administer security for your deployment, see: Oracle Fusion Applications Security Guide. Latest version is available from Oracle Fusion Applications Help.

• For information on security hardening, see: Oracle Fusion Applications Security Hardening Guide in the Oracle Fusion Applications Documentation Library. Link: http://docs.oracle.com/cd/E37583_01/nav/hcm.htm


Lesson Highlights

• Roles
• Security Profiles
• Users and Role Provisioning
• User Interfaces for Managing Security
• Creating Data Roles and Security Profiles
• Creating Custom Job Roles
• Creating Custom Duty Roles


Lesson Details

Roles

Security in Oracle Fusion Applications is role-based: roles control who can do what on which data. Oracle Fusion Applications defines four types of roles:

• Abstract roles
• Data roles
• Job roles
• Duty roles

Security Profiles

Most Oracle Fusion HCM data is secured by means of HCM security profiles. A security profile identifies a set of data of a single type; for example, you could create a person security profile to identify all workers in department HCM US. HCM security profiles are an Oracle Fusion HCM feature; they are not used by other Oracle Fusion Applications.

Users and Role Provisioning

• User Provisioning: Oracle Fusion Applications are tightly integrated with Oracle Identity Management (OIM). When you hire a worker, a user account can be created automatically for that worker in the OIM identity store.

• Role Provisioning: Abstract and data roles must be provisioned to users so that they can access the functions and data that enable them to perform their jobs. The process of assigning roles to users is known as role provisioning.

User Interfaces for Managing Security

Three applications provide the user interfaces for managing HCM security:

• Oracle Fusion HCM - Functional Setup Manager
• Oracle Identity Manager (OIM)
• Authorization Policy Manager (APM)


Creating Data Roles and Security Profiles This figure shows the process of creating new data roles and security profiles:


Creating Custom Job Roles This figure shows the process of creating a new job role:


Creating Custom Duty Roles This figure shows the process of creating a new duty role:


Tip: Minimizing the Number of Data Roles Consider that Mitch, David, and Linda are HR representatives for employees based in different business units. They all perform the same job, but access different sets of data. One way to set up security for this scenario would be to create four different data roles, each with its own static security profile, as shown here:

Note: In this example, access to HR data is secured by business unit. However, it could be based on legal employer, department, or any level within the organization.


Dynamic Security Profiles and Areas of Responsibility Another approach would be to use the Areas of Responsibility feature to define the location that each HR representative is responsible for and then create a dynamic security profile that restricts data access based on the defined areas of responsibility. Using dynamic security profiles and areas of responsibility, you need just two data roles:


Defining Areas of Responsibility To define the area of responsibility for Mitch Blum in our scenario, select USA1 Business Unit from the Business Unit field on the Create Area of Responsibility page.

Workforce Management > Person Management > Manage Areas of Responsibility > Manage Areas of Responsibility page > Create Area of Responsibility page

Define areas of responsibility for the other two HR specialists, David and Linda, in the same way. For David, you must create two areas of responsibility records, one for USA2 Business Unit and another for USA Health Business Unit.


Creating a Dynamic Security Profile After defining areas of responsibility for all HR representatives, create a person security profile. In the Custom Criteria section of the Create Person Security Profile page, enter an SQL fragment that grants each HR representative access only to the person records within the location defined in their Areas of Responsibility. The figure below shows where the SQL fragment is entered:

Manage Person Security Profile > Manage Person Security Profiles page > Create Person Security Profile

To secure person records by business unit, you would enter an SQL fragment similar to the following. The fragment is a WHERE-clause predicate, not a complete statement: &TABLE_ALIAS is replaced at run time by the alias of the person table being secured, and FND_GLOBAL.USER_GUID identifies the signed-in user, so the predicate is evaluated against each user's own areas of responsibility.

    &TABLE_ALIAS.PERSON_ID IN
      (SELECT A.PERSON_ID
         FROM PER_ALL_ASSIGNMENTS_M A
        WHERE A.BUSINESS_UNIT_ID IN
              (SELECT B.BUSINESS_UNIT_ID
                 FROM PER_ASG_RESPONSIBILITIES B, PER_USERS C
                WHERE C.USER_GUID = FND_GLOBAL.USER_GUID
                  AND C.PERSON_ID = B.PERSON_ID
                  AND B.RESPONSIBILITY_TYPE = 'HR_REP'))

Note: The actual SQL fragment for this scenario would be a little more complex than the sample fragment, because it would need to take into account the effective dates of both the areas of responsibility records and the worker's assignment record.

TIP: If, by using this feature, you reduce the number of data roles down to one, you could assign the security profiles directly to the job role (rather than creating a data role). However, assigning security profiles directly to job roles only works if the areas of responsibility criteria provide users with all the data access they need. In our scenario, we want to provide some users with View All access and others with more restricted access based on areas of responsibility. Therefore, we need two data roles: one that uses areas of responsibility criteria and one that has a View All security profile. Both of these data roles would be based on the same job role.
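The guide's fragment omits the effective-date checks its note calls for. The following is an added example, not the guide's own fragment, showing one way to add them. It assumes the date-tracked columns EFFECTIVE_START_DATE and EFFECTIVE_END_DATE on PER_ALL_ASSIGNMENTS_M, START_DATE and END_DATE on PER_ASG_RESPONSIBILITIES, and the ASSIGNMENT_TYPE column; none of these are named on the page, so confirm them against your release's schema before using the predicate in a security profile.

```sql
-- Added example: effective-dated variant of the guide's custom-criteria fragment.
-- Assumed columns (not named on the page): A.EFFECTIVE_START_DATE, A.EFFECTIVE_END_DATE,
-- A.ASSIGNMENT_TYPE, B.START_DATE, B.END_DATE. &TABLE_ALIAS and FND_GLOBAL.USER_GUID
-- are used exactly as in the guide's fragment.
&TABLE_ALIAS.PERSON_ID IN
  (SELECT A.PERSON_ID
     FROM PER_ALL_ASSIGNMENTS_M A
    WHERE A.ASSIGNMENT_TYPE IN ('E', 'C')                  -- employee and contingent worker assignments only
      AND TRUNC(SYSDATE) BETWEEN A.EFFECTIVE_START_DATE    -- the assignment row that is current today
                             AND A.EFFECTIVE_END_DATE
      AND A.BUSINESS_UNIT_ID IN
          (SELECT B.BUSINESS_UNIT_ID
             FROM PER_ASG_RESPONSIBILITIES B,
                  PER_USERS C
            WHERE C.USER_GUID = FND_GLOBAL.USER_GUID      -- the signed-in user ...
              AND C.PERSON_ID = B.PERSON_ID               -- ... and that user's own AOR records
              AND B.RESPONSIBILITY_TYPE = 'HR_REP'
              AND TRUNC(SYSDATE) >= B.START_DATE          -- AOR has started ...
              AND (B.END_DATE IS NULL                     -- ... and is open-ended
                   OR TRUNC(SYSDATE) <= B.END_DATE)))     -- ... or has not yet ended
```

Two properties of this predicate are worth noting. It fails closed: an HR representative with no current HR_REP area of responsibility gets an empty inner subquery and therefore sees no person records at all, rather than everything. And it tracks the data instead of the role: a worker transferred to another business unit drops out of the old representative's view on the transfer's effective date, and an area of responsibility that ended yesterday stops granting access today, without anyone editing the security profile or the data role.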


Tip: Impersonation and Delegation

User Impersonation

The user impersonation feature is disabled for HCM Cloud customers. It can be enabled on request, but Oracle does not recommend its use by HCM Cloud customers. User impersonation potentially allows the proxy user uncontrolled access to the personal data of the user they are impersonating; the proxy user gets all of that user's roles, which is particularly dangerous if a customer is implementing employee self-service.

Role Delegation

Currently in HCM, you can implement role delegation, but it must be done manually. There are two types of role delegation:

• Delegating the ability to approve transactions: This is done from the BPM Worklist. The process is covered in the Approvals lesson.

• Delegating the ability to initiate transactions: This is done by configuring new roles, defining role mappings, and manually provisioning the roles to users. Likewise, you can manually revoke roles from users. These tasks are covered in this lesson.

Note: Improved support for role delegation is currently under development and is targeted for a future release of Fusion HCM.