HCM Global HR
Manage Security for HCM
Instructor Guide
August 8, 2013
Copyright 2013, Oracle and/or its affiliates. All rights reserved.
Disclaimer
Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other
names may be trademarks of their respective owners.
CONTENTS
Lesson 1: Define Security for HCM
Objectives
Security Overview
Role-Based Security Model
Instructor Note: Roles Assigned to Users
Role-Based Access Control
Predefined HCM Roles
Role Inheritance
Data Role Inheritance
User Role Inheritance
Role Types
Role Inheritance Example
Security Privileges
Instructor Note: Details Will Come Later
Security Component Terminology Comparison
Role Evaluation
Customizing Security for Your Needs
Instructor Note: Currently No Way to Copy Roles
Instructor Note: Demo Timing
Demonstration: Function Security in Action
Instructor Note: Demo Timing
Demonstration: Data Security in Action
Exploring the Security Reference Manual
Instructor Note: Security Reference Implementation
Security Profiles and Data Roles
Data Security Through Security Profiles
Security Profiles Example
HCM Security Profile Types
Predefined HCM Security Profiles
HCM Security Profiles Best Practices
Approaches to Creating Data Roles
Instructor Note: Demo Timing
Demonstration: Managing Data Roles and Security Policies
Key Points for Creating Security Profiles
Instructor Note: Notes on Activities
Instructor Note: Activity Timing
Activity 1 Introduction
Activity 1: Creating Security Profiles and Assigning to a New Data Role
Assigning Security Profiles to Existing Roles
Editing Security Profiles
Security Profiles Review Question 1
Security Profiles Review Question 2
Security Profiles Review Question 3
Security Profiles Questions and Answers
User and Role Provisioning
User Account Creation and Maintenance Scenarios
Instructor Note: User Account Management Scenarios
User Account Provisioning
Enterprise-Level User and Role-Provisioning Options
Setting Enterprise-Level Options
Instructor Note: User and Role Provisioning
Provisioning Roles to Users: Overview
Instructor Note: Roles Must Be Provisioned
Instructor Note: Role-Provisioning Rules
Defining Role-Provisioning Rules
Role-Provisioning Options
Predefined Role-Provisioning Rules
Integration with New Hire Flow
Instructor Note: New Hire Process
Integration with New Hire Flow
New Hire Flow - Job Assignment
New Hire Flow - Role Requests
Tip: Role-Provisioning Strategies
Implementation Users
Instructor Note: Implementation Users for the Cloud
Instructor Note: Demo Timing
Demonstration: Creating Additional Implementation Users
Instructor Note: Demo Timing
Demonstration: Using the Manage Users Task to Create HR Users
Instructor Note: Password Policy Management for Cloud Customers
Instructor Note: Activity Timing
Activity 2 Introduction
Activity 2: Creating a New User and Assigning a Data Role
User and Role Provisioning Review Question 1
User and Role Provisioning Review Question 2
User and Role-Provisioning Review Question 3
User and Role-Provisioning Questions and Answers
User Interfaces for Security Tasks
User Interface Overview
Setup Tools and Tasks
Access to Security Tasks
Instructor Note: HCM Security Task List
Instructor Note: Demo Timing
Demonstration: Viewing Roles in OIM
Managing Job Roles and Duty Roles
Instructor Note: Demo Timing
Demonstration: Using OIM to View and Manage Roles
Instructor Note: Do Not Use OIM to Create Data Roles
HCM Security Management Data Stores
Instructor Note: Demo Timing
Demonstration: Using APM to Manage Duties
Fusion Applications, OIM, and APM Terminology Differences
Instructor Note: Notes on Tools and Tasks
Regenerating Data Roles
Instructor Note: Regeneration of Data Roles
Instructor Note: Activity Timing
Activity 3 Introduction
Instructor Note: Troubleshooting Activity
Activity 3: Creating a New Job Role
Instructor Note: Activity Timing
Activity 4 Introduction
Activity 4: Creating a New Data Role and Assigning to User
Instructor Note: Troubleshooting Activity 4
User Interfaces for Security Review Question 1
User Interfaces for Security Review Question 2
User Interfaces for Security Review Question 3
User Interfaces for Security Questions and Answers
HCM Security Deep Dive
Instructor Note: Deep Dive Target Audience
Duty Roles in Detail
Function Security Privileges
Instructor Note: Read-Only Roles
Data Security Policy Components
Data Security Policies
Data Security - Application Role Creation
Data Security - FND_GRANTS Generation
Data Security - Data Role Creation
Data Security in Action
Instructor Note: Demo Timing
Demonstration: Viewing Security Policies in APM
Instructor Note on Activity 5: Bulk Regeneration
Instructor Note: Activity Timing
Activity 5 Introduction
Activity 5: Creating a Custom Duty Role
Security Deep Dive Review Question 1
Security Deep Dive Review Question 2
Security Deep Dive Questions and Answers
Instructor Note: Final Activities
Instructor Note: Activity Timing
Activity 6 Introduction
Activity 6: Creating a Custom Line Manager Role
Tying It All Together
Resilience to Change
Lesson Review Questions
Lesson Review Question 1
Lesson Review Question 2
Lesson Review Question 3
Lesson Review Question 4
Lesson Review Question 5
Lesson Questions and Answers
Instructor Note: Activity Timing
Additional Security Activity Introduction
Additional Security Activity: Creating a Custom Employee Role
References
Lesson Highlights
Lesson Details
Tip: Minimizing the Number of Data Roles
Dynamic Security Profiles and Areas of Responsibility
Defining Areas of Responsibility
Creating a Dynamic Security Profile
Tip: Impersonation and Delegation
Lesson 1: Define Security for HCM
Security Overview
Role-Based Security Model
Oracle Fusion Applications use a role-based access control security model. Users are
assigned roles through which they gain access to functions and data within the
applications.
Consider a user such as Julie, who is both an employee and a line manager and is
therefore assigned both the Employee and the Line Manager roles. When she signs on
to Oracle Fusion Applications, all of her roles are active concurrently. The functions
and data she can access are determined by the combination of roles to which she is
assigned: as an employee, Julie has access to employee functions and data, and as a
line manager, she has access to line-manager functions and data.
If questions about security occur in other lessons (such as how to prevent a user from
doing something or how to enable a user to do something), the answer is always the
same: the roles provisioned to the user determine what the user can (and cannot) do.
In this model, "Which Data" is the set of data that users with a role can access when
performing a function. In Oracle Fusion HCM, "Which Data" is defined using security
profiles.
Predefined HCM Roles
Benefits Administrator
Benefits Manager
Benefits Specialist
Compensation Administrator
Compensation Analyst
Compensation Manager
Compensation Specialist
Contingent Worker
Employee
Human Capital Management Application Administrator
Human Resource Analyst
Human Resource Manager
Human Resource Specialist
Human Resource VP
Line Manager
Payroll Administrator
Payroll Manager
These predefined roles are included in the Security Reference Implementation. You
can review details of the HCM security implementation in the Oracle Fusion Applications
Human Capital Management Security Reference Manual. The Oracle Fusion
Applications Common Security Reference Manual covers roles that are common across
Oracle Fusion Applications, such as the Application Implementation Consultant and IT
Security Manager roles.
Role Inheritance
Role inheritance is a key concept in the Oracle Fusion HCM security model. The figure
below illustrates the hierarchy of job and duty inheritance.
Note that the two data roles have different security profiles, granting access to different
sets of data.
Role Types
Oracle Fusion Applications use four types of roles for security management: data
roles, job roles, abstract roles, and duty roles.
Data Roles are a combination of a worker's job and the data instances that users
with the role need to access. For example, the HCM data role Payroll
Administrator Payroll US combines a job (Payroll Administrator) with a data
scope (Payroll US). Data roles are not delivered as part of the reference
implementation. They are defined by customers and are assigned directly to
users.
Job roles align with the job a worker is hired to perform. Examples of predefined
job roles are Human Resource Analyst and Payroll Manager. You can create
custom job roles. Typically, you include job roles in data roles, and assign those
data roles to users. (The IT Security Manager and Application Implementation
Consultant job roles are exceptions, because they are not considered HCM job
roles and don't restrict data using security profiles.)
Abstract roles align with a worker's relationship to the enterprise rather than with
a specific job. Three abstract roles are delivered with HCM: employee, line manager,
and contingent worker. Like job roles, abstract roles inherit duty roles, and you can
assign security profiles directly to them (for example, to give every employee access
to his or her own person record).
Duty roles align with the individual duties that users perform as part of their job.
They grant access to work areas, dashboards, task flows, application pages,
reports, batch programs, and so on. They may carry both function and data
security grants. Duty roles are inherited by job and abstract roles, and can also
be inherited by other duty roles. Duty roles are delivered as part of the reference
implementation, and can be used as building blocks when creating your own job
and abstract roles. You do not assign duty roles directly to users.
In the role inheritance example, the duty roles give the user access to all the tasks
and functions that an HR specialist needs to perform plus all the tasks, unrelated to a
specific job, that every employee needs to perform.
Most security profiles are defined by customers and assigned to data roles and abstract
roles. (A small set of predefined security profiles is delivered as part of the security
reference implementation.)
The HCM security model supports several different types of security profiles, each used
to control access to a different type of data.
Security Privileges
When you look deeper into the role hierarchy, you can see that the Worker Promotion
Duty is associated with a function security privilege and two data security policies.
The Promote Worker function security privilege secures access to the Promote
Worker page.
A second data security policy determines which positions the person can be
promoted into.
Each data security policy defines a role (such as Worker Promotion Duty), a business
object being accessed (such as Person Assignment), the condition that must be met for
access to be granted, and a data security privilege that defines the action being
performed.
Function security privileges and data security policies are covered in detail in a later
section.
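The role hierarchy (data and abstract roles inheriting job roles, which in turn inherit duty roles) and the two-layer check described above, where a data security policy is defined by a role, a business object, a condition, and a data security privilege, as an added worked example in Python. This is not Oracle code and does not reproduce the product's implementation; the names Human Resource Specialist, Worker Promotion Duty, Promote Worker, Change Marital Status and Employee come from the lesson, while the two data roles, the Employee Self-Service Duty, the person ids and the policy conditions are constructed assumptions.

```python
"""Toy model of role inheritance, function security and data security policies.

Added example, not Oracle code. "Human Resource Specialist", "Worker Promotion
Duty", "Promote Worker", "Change Marital Status" and "Employee" are names used
in the lesson; the two data roles, "Employee Self-Service Duty", the person ids
and the policy conditions are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Role hierarchy: each role lists the roles it inherits. Users are provisioned
# data roles and abstract roles only; job and duty roles are reached through
# inheritance and are never assigned to a user directly.
ROLE_INHERITS: dict[str, list[str]] = {
    "HR Specialist US Marketing": ["Human Resource Specialist"],  # data role (constructed)
    "HR Specialist US Sales": ["Human Resource Specialist"],      # data role (constructed)
    "Human Resource Specialist": ["Worker Promotion Duty"],       # job role
    "Employee": ["Employee Self-Service Duty"],                   # abstract role
    "Worker Promotion Duty": [],                                  # duty role
    "Employee Self-Service Duty": [],                             # duty role (constructed)
}

# Function security: a duty role carries privileges that unlock pages and tasks.
FUNCTION_PRIVILEGES: dict[str, set[str]] = {
    "Worker Promotion Duty": {"Promote Worker"},
    "Employee Self-Service Duty": {"Change Marital Status"},
}

# Data instance sets carried by each data role, keyed by business object. In the
# product these come from the security profiles assigned to the data role; here
# they are constructed sets of person ids.
DATA_SCOPE: dict[str, dict[str, set[str]]] = {
    "HR Specialist US Marketing": {"Person Assignment": {"P100", "P101"}},
    "HR Specialist US Sales": {"Person Assignment": {"P200"}},
}


@dataclass
class User:
    name: str
    person_id: str
    roles: list[str]  # directly provisioned roles (data and abstract roles)


@dataclass(frozen=True)
class DataSecurityPolicy:
    role: str             # role the policy is granted to
    business_object: str  # e.g. "Person Assignment"
    privilege: str        # data security privilege (the action)
    condition: Callable[[User, set[str], dict], bool]  # (user, instance set, record)


POLICIES: list[DataSecurityPolicy] = [
    # Promote only workers inside the data role's Person Assignment instance set.
    DataSecurityPolicy("Worker Promotion Duty", "Person Assignment", "Promote Worker",
                       lambda user, scope, rec: rec["person_id"] in scope),
    # Employees act only on their own person record.
    DataSecurityPolicy("Employee Self-Service Duty", "Person", "Change Marital Status",
                       lambda user, scope, rec: rec["person_id"] == user.person_id),
]


def effective_roles(user: User) -> set[str]:
    """Transitive closure of inheritance: data/abstract -> job -> duty roles."""
    seen: set[str] = set()
    todo = list(user.roles)
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(ROLE_INHERITS.get(role, []))
    return seen


def function_privileges(user: User) -> set[str]:
    """Union of the function security privileges of every inherited role."""
    privs: set[str] = set()
    for role in effective_roles(user):
        privs |= FUNCTION_PRIVILEGES.get(role, set())
    return privs


def instance_set(user: User, business_object: str) -> set[str]:
    """Data instance set for a business object, from the user's own data roles."""
    scope: set[str] = set()
    for role in user.roles:
        scope |= DATA_SCOPE.get(role, {}).get(business_object, set())
    return scope


def can_perform(user: User, business_object: str, privilege: str, record: dict) -> bool:
    """Two gates: the function privilege must be held (the page is reachable) and
    a data security policy on an inherited role must grant it for this record."""
    if privilege not in function_privileges(user):
        return False
    roles = effective_roles(user)
    scope = instance_set(user, business_object)
    return any(
        p.role in roles
        and p.business_object == business_object
        and p.privilege == privilege
        and p.condition(user, scope, record)
        for p in POLICIES
    )


if __name__ == "__main__":
    tim = User("Tim", "P001", ["HR Specialist US Marketing", "Employee"])
    patricia = User("Patricia", "P002", ["HR Specialist US Sales", "Employee"])
    print(function_privileges(tim) == function_privileges(patricia))
    print(can_perform(tim, "Person Assignment", "Promote Worker", {"person_id": "P100"}))
    print(can_perform(tim, "Person Assignment", "Promote Worker", {"person_id": "P200"}))
```

The point to take from it is the order of the two gates: Tim and Patricia inherit the same job role and therefore hold identical function privileges (the same Navigator entries and pages), but each can only promote workers in the Person Assignment instance set of his or her own data role, and a user holding only the Employee abstract role is refused at the function-privilege gate before any data security policy is consulted.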
Instructor Note: Details Will Come Later
Inform the class that this information is covered in detail later in the class in the HCM
Security Deep Dive section. In this overview, we're just introducing the concepts of
function security and data security and the related function security privileges and data
security privileges. Ask students to hold their detailed questions on data security
policies until later, and assure them that they will have an opportunity to see these
features up close.
Role Evaluation
By default, users do not have access to Oracle Fusion Applications functions and data.
Users are granted access by means of the roles provisioned to them.
Review how the security reference implementation of roles and policies fits with
the jobs in your enterprise.
Decide whether the duties defined for the jobs in the security reference
implementation match the duties performed by corresponding jobs in your
enterprise.
For example, the predefined Line Manager role includes compensation management
duties. If some of your line managers do not handle compensation, you could create a
custom line manager role without those duties.
Evaluate the predefined roles and privileges in the security reference implementation
against the needs of your enterprise and determine the necessary security setup
actions:
If jobs exist in your enterprise that are not represented by the security
reference implementation, you create a new job role or abstract role.
If the duties for a predefined job role are not the same as the
corresponding job description in your enterprise, you add duties to and
subtract duties from the job role.
If the duties for a job are not defined in the security reference
implementation, you create custom duty roles.
The demonstrations and activities in this lesson will show you how to perform each of
these setup actions.
Note: As you make changes to the security reference implementation for an Oracle
Fusion Applications deployment, it is good practice to create your own custom roles
rather than modify predefined roles. Upgrade and maintenance patches to the security
reference implementation do not overwrite changes that you have made. Thus, if you do
modify predefined roles, you cannot restore them to their original state by upgrading,
whereas custom roles leave the predefined roles intact as a known-good baseline.
Demonstration: Function Security in Action
Demonstration Scope
Go to the Navigator, and view the available options. Select an option, and view the
available tasks in the task pane.
Demonstration Steps
Start Here
Oracle Fusion Applications Sign On screen
Information
Function security is used to secure the Navigator menu. Each menu entry
corresponds to a work area or dashboard, and each of these is secured with a
function security privilege. The function security privileges that are granted to the
user (through his or her roles) control the menu entries that the user can see.
Information
Function security also secures the task pane (displayed on the left side of the
page) for a work area. Each of the task pane entries corresponds to a task flow,
which is secured with a function security privilege. The function security
privileges that are granted to the user (through his or her roles) control the task
pane entries that the user can see.
Information
Curtis is assigned a great many roles, which is useful for testing (and for training
courses like this). He has functional manager roles, as well as IT Security
Manager. In the real world, few users would have this many different and
powerful roles.
6. Click Sign Out at the top of the page, and then sign back in as jessica.mullen.
Information
Jessica is an HR Analyst with fewer privileges than Curtis. Jessica does not have
access to the Workforce Structures function, so it does not appear on her
menu.
8. Select My Information > My Account from the Navigator, and then scroll down
to the Current Roles section to view Jessica's assigned roles.
9. Sign out.
You have demonstrated how to view menu options and tasks managed by function
security.
Demonstration: Data Security in Action
Demonstration Scope
Explore the data available for viewing by different users based on their assigned roles.
Demonstration Steps
Start Here
Oracle Fusion Applications Sign On screen
1. Log in as Jack.Fisher.
Information
This user has employee and line manager roles. He also has several direct
reports.
2. In the menu bar at the top of the page, click Navigator and select Person
Gallery.
Information
When you look at your own portrait, you can see your benefit enrollments,
compensation data, and so on. The actions that are available in the Actions
menu are controlled using data security. The actions you can perform include
things like Change Marital Status, but do not include actions like Promote.
4. Select the Organization Chart tab to show the management reporting hierarchy.
Information
When an employee views their manager's portrait, only publicly available
information appears. No actions are available. Data security controls access to
data that you can view for other people. A public person security profile controls
which people a user can search for in Person Gallery. Once a user has selected
a person, data security controls the Person Gallery cards that can be seen for
that person and also what actions can be performed against them.
7. Hover your mouse over the point at the bottom of Jack's box on the chart, and
then click the + sign to show Jack's direct reports.
Information
In the Actions section, you can see the functions available to Jack. He can
promote, terminate, manage the salary and compensation, and view absence
balances for Mark.
10. Navigate to the Person Gallery, and search for Linda Swift. (Enter Linda's
name in the Keywords field, click Search, and then click Swift, Linda in the
Search Results.)
Information
When viewing Linda in the Person Gallery, Curtis can see more cards and has
more actions than Jack. This is because Curtis has the HR Specialist - View All
role, which allows him a greater level of access.
You have demonstrated how to view application pages managed by data security and
noted the differences that result from provisioned data restrictions.
Exploring the Security Reference Manual
Note: All information presented in the manuals can be accessed in the various user
interface pages of Oracle Fusion Applications. However, the manuals make it easier to
compare and plan your customizations.
There are several ways to access the Security Reference Manuals online:
From the Oracle Fusion Applications Documentation Page for Your Release:
4. Under Administration Guides, click the PDF or HTML link for the manual you
want to view.
The HCM Security Reference Manual contains a section for each predefined HCM job
and abstract role. For each role, you can review its:
duties
role hierarchy
function security privileges
data security policies
This information can help you understand which users should be provisioned with the
role, or which adjustments your enterprise requires before the role can be provisioned.
Additional Information
For additional information and links, see the References page at the end of this lesson.
Instructor Note: Security Reference Implementation
If there is time at the end of this module, ask the students to access the HCM Security
Reference Manual online and explore the contents.
Security Profiles and Data Roles
Security profiles can be assigned to three kinds of role:
Data roles. Data roles always inherit job roles. The job roles provide the function
security access, while the security profiles assigned to the data role provide
access to the data required to perform the duties of the job.
Abstract roles. Three abstract roles are delivered with HCM: employee, line
manager, and contingent worker. You assign security profiles to predefined
abstract roles, such as employee, to grant access to HCM business objects, such
as the worker's own person record. You can also assign security profiles to the
custom abstract roles that you create.
Job roles. Assigning security profiles directly to job roles is less common, since
users with the same job often access different sets of data.
In the following example, Tim Thompson and Patricia Smith are both human resource
specialists, Tim in US Marketing and Patricia in US Sales. Each has a data role that
inherits the job role Human Resource Specialist and the duty roles appropriate to that
job role. Therefore, Tim and Patricia can perform the same functions and see the same
entries in the Navigator, work area Tasks panes, and menus. However, each user
accesses different sets of data, which are identified in separate sets of security profiles.
Note: If Tim and Patricia could access the same sets of data, you would assign the
same data role to both users.
HCM Security Profile Types
The HCM security profile types are:
Person (managed)
Person (public)
Organization
Position
Legislative Data Group
Country
Document Type
Payroll
Payroll Flow
Workforce Business Process
Two uses for the person security profile exist because many users need to access two
distinct sets of people in a single HCM data role: people whom they manage and people
whose public contact details they need to access (for example, in a worker directory).
The Person (managed) profile controls which people you can perform actions
against.
The Person (public) profile controls which people you can search for in the
Person Gallery. This profile is also used to secure some person LOVs. For
example, the Change Manager page and New Hire flows display a person LOV
that is secured using the public person security profile, rather than the person
security profile. This is because the person who is selecting the manager for a
worker might not have view access for that manager through their person
security profile.
HCM Security Profiles Best Practices
HCM security profiles are reusable and modular. Once you create a security
profile, you can assign it to multiple data roles.
You can reference organization, position, payroll, and other security profiles in a
person security profile. For example, you might define an organization security
profile that allows access to a particular business unit. You can then reference
the organization security profile in a person security profile to provide access to
people who are assigned to that business unit.
Define a naming scheme that identifies clearly the set of business objects in the
security profile's data instance set, such as HCM US Departments or US
Marketing Positions. Security profile names must be unique in the enterprise for
the security profile type.
Give employees access to their own records, the person records of their
emergency contacts, beneficiaries, and dependents, and all public-person
records.
Assign relevant HCM security profiles directly to the employee abstract role.
Give managers access to the person records of direct and indirect reports.
Assign relevant HCM security profiles directly to the line manager abstract role.
For individual job roles, determine whether all users with that job role access the
same HCM business object instances. In this scenario, you do not need to create
a data role; you can simply assign the security profiles to the job role.
Demonstration: Managing Data Roles and Security Policies
Demonstration Scope
Use the Manage Data Role and Security Profiles task to demonstrate the process of
creating a data role and assigning security profiles to it.
Demonstration Steps
Start Here
Oracle Fusion Applications Sign On screen
3. In the Name field, enter Manage Data Role and Security Profiles and click
Search.
4. In the Manage Data Role and Security Profiles task row, click Go to Task.
5. In the Search Results section toolbar, click the Create icon button.
7. In the Job Role field, search for and select Human Resource Specialist.
Information
A data role is always associated with a job role, from which it inherits duties.
8. Click Next.
Information
Here you select the security criteria for the role. For each business object that the
job role needs to access, a section appears on this page. To identify data set
instances for each business object, you can either select an existing security
profile or create a new security profile.
Note: Any security profiles that you create while defining the data role exist
independently of the data role and can be reused.
10. In the Person section, select the Create New hyperlink at the bottom of the
Person Security Profile LOV.
13. For all other sections, select any one of the predefined View All security profiles.
Information
This is the first of a series of pages for defining security profiles. Since you only
need to create a Person profile, you could skip to the Person page now by
clicking Person in the process train at the top of the page. However, for this
demonstration, we will review each page to see the criteria associated with each
business object. Key points about each profile type are included in the pages
following this demonstration.
15. Click Next, noting the security criteria on each page, until you reach the Person
train stop.
Note: In the Global Name Range section, the Secure by Global Name Range
16. In the Global Name Range section, enter A in the From Person Name field,
and enter L in the To Person Name field.
Information
This criterion limits access to persons whose global list names are in the range A
through L.
17. To view the remaining security profile pages, continue clicking Next until you
reach the Review page.
Information
After submitting, it is a good idea to verify that the new role was successfully
created and profiles were assigned.
19. Search for the data role you just created. (Enter XX HR Specialist InFusion in
the Role field, and click Search.)
20. In the Search Results, verify that the Security Profiles Assigned column for
your role displays a green checkmark.
At this point, you should have created a new data role and assigned the necessary
security profiles.
A security profile defines criteria that identify a data instance set for a particular
business object.
You can define any combination of available criteria. For example, you can
identify an organization data instance set by any combination of organization
hierarchy, organization classification, and organization name.
If you define criteria by name (or a list or range of names), the data instance set
is the same for all users and changes only if you update the security profile.
However, if you use other criteria, such as hierarchy or classification, the data
instance set may vary by user and may change independently of the security
profile.
If you define criteria by hierarchy, you can include a subset of the items in the
hierarchy by specifying the top level of the hierarchy. For example, you can
include a subset of organizations in the organization hierarchy by specifying the
top organization.
Business objects must satisfy all of the criteria in the security profile to belong to
its data instance set.
To provide access to all records, use the predefined View All security profile.
Users need access to organizations either because they manage their definitions
or because they perform tasks where lists of organizations are presented. For
example, a human resource specialist selects a legal employer, business unit,
and department when hiring a worker.
An organization security profile should include all the organizations you need to
access. For example, if you need to hire employees, your organization security
profile should include the business units, legal employers, and departments into
which you will be hiring employees.
If you use the organization from the user's assignment as the top organization in
the organization hierarchy, the data instance set varies by user, even though the
organization security profile is the same for all users. If the user has multiple
assignments in the organization hierarchy, all relevant organizations from all
assignments belong to the data instance set.
Users need access to positions because they either manage position definitions
or perform tasks where lists of positions are presented.
When you identify positions by department or business unit, you include positions
defined for those departments or business units. To identify the departments and
business units, you select existing organization security profiles: the position
security profile inherits the data instance sets of the selected organization
security profiles.
If you use the position from the user's assignment as the top position in the
position hierarchy, the data instance set varies by user, even though the position
security profile is the same for all users. If the user has multiple positions in the
position hierarchy, all relevant positions belong to the data instance set.
Users access person records either because they need to update them (for
example, because they manage those people) or because they need to contact
those people. You create separate person security profiles for each of these
purposes.
A user who has access to a person record has access to relevant information
from all of the person's assignments, even if only one of the person's
assignments satisfies the criteria in the person security profile.
If you identify person records by manager hierarchy, you select either a person-
level or an assignment-level hierarchy.
In a person-level hierarchy, the data instance set includes any worker in a direct
or indirect reporting line to the signed-on user. Use this approach unless workers
have multiple assignments that are not all managed by the same manager.
A public person security profile identifies the set of workers whose work contact
details the signed-on user needs to access (for example, in the Person Gallery).
Users need access to document types because they either manage the
definitions of those document types or need to access instances of those
document types in the person records to which they have access.
A document type security profile includes criteria that identify one or more locally
defined document types. You do not need to include criteria for accessing the
standard predefined document types, such as visas, driver's licenses, and
passports; access to a person record includes access to these document types
for that person.
You identify one or more document types by name and indicate whether to
include or exclude those document types.
If you include document types, users can access only the specified document
types; the data instance set never changes unless you update the security
profile.
If you exclude document types, users can access all document types except
those in the security profile; therefore, the data instance set may change
independently of the security profile.
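To make the rules on the preceding pages concrete, here is a small Python model of security-profile evaluation covering the organization, person, and document type profile types just described. It is an added example, not Oracle code and not how Fusion evaluates profiles internally; the organization hierarchy, workers, and document types in it are constructed sample data, and the class and field names (OrganizationProfile, org_list_exclude, and so on) are assumptions chosen to mirror the page options rather than any Oracle API.

```python
"""Toy model of HCM security-profile evaluation (added example, not Oracle code).
Rules modelled, as stated in the lesson: an object belongs to a profile's data
instance set only if it satisfies ALL configured criteria; name or name-range
criteria give the same set for every user; hierarchy criteria rooted at the
signed-on user's own assignment give a user-dependent set; an exclude-list
document-type profile grows whenever a new document type is defined.
ORGS and PEOPLE are constructed sample data, not an Oracle data model."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed organization hierarchy: name -> (parent, classification).
ORGS = {
    "Vision Corp":                   (None,            "Enterprise"),
    "Operations US":                 ("Vision Corp",   "Department"),
    "Human Resources US":            ("Operations US", "Department"),
    "Organizational Development US": ("Operations US", "Department"),
    "Operations UK":                 ("Vision Corp",   "Department"),
}
# Constructed workers: user -> (global list name, manager, assignment org).
PEOPLE = {
    "feitty": ("Feitty, Curtis", None,     "Operations US"),
    "jones":  ("Jones, Ann",     "feitty", "Human Resources US"),
    "kumar":  ("Kumar, Raj",     "jones",  "Human Resources US"),
    "smith":  ("Smith, Pat",     "feitty", "Operations UK"),
    "adams":  ("Adams, Lee",     None,     "Operations UK"),
}

def org_subtree(top):
    """Organizations at or below `top` in the hierarchy."""
    out, frontier = {top}, {top}
    while frontier:
        frontier = {n for n, (parent, _) in ORGS.items() if parent in frontier} - out
        out |= frontier
    return out

def reports_of(user):
    """Person-level manager hierarchy: direct and indirect reports of `user`."""
    out, frontier = set(), {user}
    while frontier:
        frontier = {p for p, (_, mgr, _) in PEOPLE.items() if mgr in frontier} - out
        out |= frontier
    return out

@dataclass
class OrganizationProfile:
    top_org: Optional[str] = None     # Specify Organization: fixed top of hierarchy
    top_from_user: bool = False       # top = the signed-on user's assignment org
    org_list: set = field(default_factory=set)  # Secure by Organization List
    org_list_exclude: bool = False    # treat the list as exclusions (Activity 1)
    classification: Optional[str] = None
    def instance_set(self, user):
        result = set(ORGS)            # each configured criterion narrows this (AND)
        if self.top_from_user:
            result &= org_subtree(PEOPLE[user][2])
        elif self.top_org:
            result &= org_subtree(self.top_org)
        if self.org_list:
            result = result - self.org_list if self.org_list_exclude else result & self.org_list
        if self.classification:
            result &= {n for n, (_, cls) in ORGS.items() if cls == self.classification}
        return result

@dataclass
class PersonProfile:
    name_from: Optional[str] = None   # Global Name Range; first letter compared here
    name_to: Optional[str] = None
    manager_hierarchy: bool = False   # person-level hierarchy under the signed-on user
    org_profile: Optional[OrganizationProfile] = None  # people assigned to those orgs
    def instance_set(self, user):
        result = set(PEOPLE)
        if self.name_from and self.name_to:
            result &= {p for p, (gname, _, _) in PEOPLE.items()
                       if self.name_from <= gname[:1] <= self.name_to}
        if self.manager_hierarchy:
            result &= reports_of(user)
        if self.org_profile:
            orgs = self.org_profile.instance_set(user)
            result &= {p for p, (_, _, org) in PEOPLE.items() if org in orgs}
        return result

@dataclass
class DocumentTypeProfile:
    names: set
    exclude: bool = False
    def instance_set(self, defined_types):
        """Include: exactly the listed types. Exclude: everything else."""
        defined = set(defined_types)
        return defined - self.names if self.exclude else defined & self.names

def demo():
    """Evaluate a few profiles for two signed-on users."""
    ops = OrganizationProfile(top_org="Operations US",     # Activity 1's profile
                              org_list={"Human Resources US", "Organizational Development US"},
                              org_list_exclude=True)
    my_depts = OrganizationProfile(top_from_user=True, classification="Department")
    a_to_l = PersonProfile(name_from="A", name_to="L")
    my_team = PersonProfile(manager_hierarchy=True)
    ops_people = PersonProfile(org_profile=ops)
    docs = DocumentTypeProfile({"Security Clearance"}, exclude=True)
    return {
        "ops_orgs": ops.instance_set("feitty"),
        "my_depts_feitty": my_depts.instance_set("feitty"),
        "my_depts_adams": my_depts.instance_set("adams"),
        "a_to_l_feitty": a_to_l.instance_set("feitty"),
        "a_to_l_adams": a_to_l.instance_set("adams"),
        "my_team_feitty": my_team.instance_set("feitty"),
        "my_team_jones": my_team.instance_set("jones"),
        "ops_people": ops_people.instance_set("feitty"),
        "docs_before": docs.instance_set({"Visa", "Security Clearance"}),
        "docs_after": docs.instance_set({"Visa", "Security Clearance", "Union Card"}),
    }
```

Running demo() shows the two behaviours the text warns about: the A-to-L name range returns the same four people for feitty and adams, while the "top organization from the user's assignment" profile returns three departments for feitty and one for adams with no change to the profile itself. The exclude-list document profile returns one type before Union Card is defined and two afterwards, so a review of security profiles alone will not tell you what users can currently see.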
Students will create business objects in each activity, and will use the objects
they create in subsequent activities. So it's important that they successfully
complete each one.
The activities specify the names to use for the business objects created. Instruct
students to use the specified names as it will help when referring to the objects
later on. Likewise, instruct students to enter all field values exactly as instructed,
as those values must be present for future activities.
Environment Issues
All activities have been tested, but we have encountered intermittent problems
with the following:
User Creation - When a user is created using the Manage Users task, the user
record should be immediately available in OIM. However, sometimes there is a
lag between the time the new user record is saved and the time it shows up in
OIM. There is nothing to do here but wait.
Problem starting OIM - When using the Manage Job Roles task to access OIM,
a new browser window opens. Sometimes that window is blank and OIM does
not start. If this happens, don't wait more than a minute or two. The best thing is
to close the blank browser window and then sign out of Oracle Fusion
completely. Start Fusion again in a new browser window, and then start OIM.
This usually solves the problem right away.
Activity 1 Introduction
Background
When HR specialists perform tasks where lists of organizations are presented, they
must be able to select their department and should not be able to view certain restricted
departments. A new data role is required, with security profiles that restrict the data the
role can access.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
activity.
Activity Scope
Once you have created both security profiles, you create an HCM data role, based on
the Human Resource Specialist job role, and assign the two security profiles to it.
Start Here
Oracle Fusion HCM Sign On screen
1. Log in as Curtis.Feitty.
3. In the Name field, enter Manage Organization Security Profile and click
Search.
5. In the Search Results section toolbar, click the Create icon button.
10. In the Top Organization Selection field, select the Specify Organization
option.
11. In the Organization LOV, search for and select the Operations US.
12. In the Organizations section, select the Secure by Organization List option.
14. In the Organization LOV, search for and select Human Resources US.
Information
If you search for the organization, enter Department as the Classification
Name in the Search and Select: Organization window.
17. In the Organization LOV, search for and select Organizational Development
US.
1. In the Setup and Maintenance work area, search for the Manage Person
Security Profile task.
2. In the Search Results, select the Manage Person Security Profile task row
and click Go to Task.
3. In the Search Results section toolbar, click the Create icon button.
Information
Click Yes to the warning message to allow future changes, if it is displayed.
8. Click Done.
1. In the Setup and Maintenance work area, search for the Manage Data Role
and Security Profiles task.
2. In the Search Results, select the Manage Data Role and Security Profiles
task row, and click Go to Task.
3. In the Search Results section toolbar, click the Create icon button.
Information
The name cannot exceed 55 characters.
5. In the Job Role field, search for and select Human Resource Specialist.
Information
The job role selection affects which security profiles you can assign to the role.
For example, selection of the Human Resource Analyst job role will not allow you
to control security of the payroll flow, since that is not part of the job.
6. Click Next.
7. In the Organization section, select the organization security profile you created
in this activity (XX Operations US).
8. In the Person section, select the person security profile you created in this
activity (XX Operations US People Only).
9. In all other sections, search for and select any one of the predefined View All
options.
12. Search for the profile you just created. (Enter XX HR Spec Data in the Role field,
and click Search.)
13. In the Search Results, verify that the Security Profiles Assigned column
displays a green checkmark.
On the Manage HCM Data Roles page, search for the role. In the Search Results
section, select the role and then click the Assign button.
The Assign HCM Data Role: Select Security Criteria page shows the types of
security profiles currently used by the selected role.
Make any necessary changes to the security criteria, and click Next. The series of
pages displayed when you assign security profiles to an existing data role is the same
as when you assign profiles to a new data role.
If you want to change the definition of an existing security profile, use the appropriate
task in the Setup and Maintenance work area:
Search for the profile, and then open it for editing. When you save your changes, they
are picked up immediately by any data roles that reference them.
1. True
2. False
You can identify a set of person records in a person security profile by:
5. All of the above (legislative data group, custom criteria, person type, and payroll)
A user who has access to a person record has access to all of the person's
assignments.
1. True
The customer plans to create new users within Oracle Fusion HCM on an
ongoing basis.
In this scenario, Oracle Fusion HCM operates as a standalone system, and HCM
users are not shared with other applications in the enterprise.
At implementation time, existing users might be imported into Oracle Fusion
HCM, or a set of new users might be created when workers are loaded into
Oracle Fusion HCM.
The customer wants to allow these existing users to access Oracle Fusion HCM
using SSO. New users are provisioned in the on-premise LDAP and copied to
Oracle Identity Manager (OIM) for use by Oracle Fusion HCM. Fusion HCM roles
are maintained in OIM.
The customer, typically a very large company, has its own user account
and role-provisioning system.
The customer wants to use their own system, rather than Oracle Fusion HCM, to
manage all user and role provisioning for all applications in the enterprise.
Ask students to take this e-training, as homework, after the first day of class. (See the
Reference section at the end of this lesson for a link to the training.) If students have
any questions after taking the training, they should bring them to class on the following
day. If the instructor or attending SMEs do not have answers to the questions, they
should attempt to find and communicate the answers by the end of the training day.
You can configure Oracle Fusion HCM to create user accounts automatically
when workers are hired using the New Hire flow.
You can also create user accounts using the Manage Users task. This is a
quicker way of getting employees into the system than using the New Hire flow.
(There is a demonstration later in this section that illustrates this process.)
Note: Once an implementation is complete, HCM users do not typically use the
Manage Users task; they use the New Hire flows, which are more functionally
rich.
User accounts can be maintained using the Manage Users task in the Setup and
Maintenance work area and the Manage User Account task in the Person
Management work area.
User passwords can be reset using the Manage Job Roles task in the Setup
and Maintenance work area and the Manage User Account task in the Person
Management work area.
User Creation
Send User Name and Password
User Account Role Provisioning
User Account Maintenance
Setup and Maintenance work area > Manage Enterprise HCM Information >
Edit Enterprise page
User Account Creation: Controls whether user accounts are created in OIM
when persons are added in Oracle Fusion HR. Defaults to Yes. You cannot
override this enterprise-level setting at the user level.
Send User Name and Password: Controls whether to send new users and their
managers an email notification when their Oracle Fusion account is accessible.
Defaults to Yes. Set to No to suppress notifications if, for example, you are
starting an implementation or doing a pilot program and do not want notifications
sent during this period. You can override this enterprise-level setting for
individual users on the Create User page (Manage Users task).
Note: You can request notifications later for all users who have not yet been sent
their user names and passwords. To do so, select Navigator>Tools>Scheduled
Processes and run the Send Initial User Name and Password Email
Notifications process.
Note: Internal Oracle users can view a full list of fields in the Users and Roles
Technical Solution Overview, Data Passed to LDAP from Fusion section at:
http://hcmwiki.us.oracle.com:8880/display/corehr/Users+and+Roles+V1+Technic
al+Solution+Overview#UsersandRolesV1TechnicalSolutionOverview-
DataPassedtoLDAPfromFusion
Default User Name Format: The default name format to use for automatically
generated user names, if the User Account Creation option is set to Yes.
If a customer turns off user account role provisioning, any roles that are requested for
users using HCM pages (such as Manage User Account) are stored as pending
requests but are not actioned.
Hire an Employee
Promote Worker
Transfer Worker
Users can self-request new roles if role mapping rules have been defined (as described
on the next page) and the user meets the specified criteria. Line managers and HR
specialists can request new roles for the people they manage and revoke existing roles
from people they manage.
Note: By default, users have no access to functions and data. To enable users to
access functions and data, you must provision roles to them.
When you have finished discussing the Role Provisioning Options page, ask students
to look carefully at the screen shot on the Defining Role Provision Rules page. Tell
them there are two problems with the security setup portrayed in the screen shot. Ask if
they can spot the (deliberate!) mistakes in this role mapping rule:
The data role name doesn't match the legal employer. They should always make
sure that the data role they select is the appropriate one, as there will be many
available for selection.
Both the Auto Provision and the Requestable options are selected. This means
that anyone who is in the HR010.HR Specialist job and works for Vision
Corporation can give the role to anyone in their person security profile, which
doesn't make sense given that this role is being automatically provisioned. You
would typically choose one or the other of these options.
Use the Manage HCM Role Provisioning Rules task in the Setup and Maintenance
work area to create and manage role-provisioning rules.
Manage HCM Role Provisioning Rules > Manage Role Mappings page > Create Role
Mapping page
Key Points
Use the Conditions area to define the conditions that must be met for the
mapping to apply.
Use the Associated Roles section to add one or more existing roles to the
mapping rule.
In the sample screen above, the conditions mean that any employee who works
for Vision Corporation and is assigned the job of HR010.HR Specialist will
automatically be given the Human Resource Specialist Vision Operations
data role (since the Auto Provision option is selected). If the user subsequently
transfers to a different job, they will automatically lose this role.
Role-Provisioning Options
When defining role-provisioning rules on the Create Role Mapping page, you have
several provisioning options:
Auto Provision. Provisions the role automatically to all eligible users when at
least one of their assignments is created or updated and satisfies the role-
mapping conditions; the role is deprovisioned automatically when none of the
user's assignments satisfies them any longer. Clicking the Autoprovision Roles
button on the Manage Role Mappings page reviews all assignments and role
mappings in the enterprise and performs any necessary provisioning and
deprovisioning of roles immediately. You can also perform autoprovisioning from
an individual user's account, in which case only that user's assignments are
reviewed and roles are provisioned or deprovisioned for that user alone.
Requestable. Allows users to provision the role to other users (for example, a
line manager assigning a role to a person he or she manages).
Note: For this option, the criteria defined in the Conditions section must be
satisfied by the user who is provisioning the role to other users, not by the
users who are receiving the role. A predefined role mapping named Requestable
Roles defines all predefined View All data roles as Requestable (manually
provisioned).
Self-Requestable. Allows users whose own assignments satisfy the conditions to
request the role for themselves.
To meet the conditions defined in the role mapping example on the Defining Role
Provisioning Rules page, an employee would need to work for InFusion Corp USA1
and be assigned the job of HR010.HR Specialist. You specify the employee's legal
employer on the Identification page of the Hire an Employee flow, as shown in this
figure:
Manager Resources > New Person > Hire an Employee > Identification page
Manager Resources > New Person > Hire an Employee > Identification page >
Person Information page > Employment Information page
Manager Resources > New Person > Hire an Employee > Identification page >
Person Information page > Employment Information page
Determine the roles that all workers of a particular type must have, and
create role mappings to provision those roles automatically.
For example, to ensure that all employees have the employee role, create a role
mapping to autoprovision the role to eligible users.
Determine the roles that all line managers must have, and create role
mappings to provision those roles automatically.
For example, if all line managers must have both the line manager role and a
locally defined Expenses Manager role, then create a role mapping to
autoprovision both of those roles to eligible users.
Note: Automatic role-provisioning rules for employee and line manager roles are
predefined for Cloud HCM customers.
Determine the roles that only some workers of a particular type will need,
and autoprovision the roles if possible.
For example, some human resource specialists may also need the benefits
analyst role. If you can autoprovision those roles based on specific conditions,
then create role mappings to provision those roles automatically. Otherwise,
decide whether workers can request those roles for themselves or whether they
must be provisioned by other users, such as line managers, and create the
appropriate role mappings.
Remember that:
A single role mapping definition can be used to manage multiple roles and a mix
of provisioning strategies, provided that the role mapping conditions are the
same in all cases.
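The following Python model works through the provisioning rules described in this section: a mapping whose conditions are evaluated against assignments, roles carrying different provisioning options under one set of conditions, automatic revocation on transfer, the fact that Requestable conditions apply to the person giving the role, and the two mistakes called out earlier (Autoprovision combined with Requestable, and Autoprovision on a mapping with no conditions, which Activity 2 warns about). It is an added example, not Oracle code; the Assignment, RoleRule and RoleMapping names are assumptions, the users and assignments are constructed, and the check that the target of a request lies in the requester's person security profile is deliberately left out.

```python
"""Toy model of HCM role-mapping evaluation (added example, not Oracle code).
Rules modelled from the lesson: a mapping's conditions are tested against a
user's assignments; every role in a mapping shares those conditions but may use
a different provisioning option; Auto Provision grants when any assignment
satisfies the conditions and revokes when none does; Requestable lets a user
whose OWN assignment satisfies the conditions give the role to someone else;
Self-Requestable lets such a user request it for themselves. A mapping with no
conditions matches everyone. Users and assignments below are constructed."""
from dataclasses import dataclass

@dataclass
class Assignment:
    legal_employer: str
    job: str
    person_type: str = "Employee"

@dataclass
class RoleRule:
    role: str
    autoprovision: bool = False      # granted and revoked automatically
    requestable: bool = False        # eligible users may give it to others
    self_requestable: bool = False   # eligible users may request it for themselves

@dataclass
class RoleMapping:
    name: str
    conditions: dict   # attribute -> required value; {} matches every assignment
    roles: list        # RoleRules sharing these conditions
    def satisfied_by(self, assignments):
        return any(all(getattr(a, k) == v for k, v in self.conditions.items())
                   for a in assignments)

def new_user(*assignments):
    return {"assignments": list(assignments), "manual": set(), "auto": set()}

def roles_from(mappings, assignments, flag):
    """Roles carrying `flag` in every mapping the given assignments satisfy."""
    return {r.role for m in mappings if m.satisfied_by(assignments)
            for r in m.roles if getattr(r, flag)}

def autoprovision(mappings, users):
    """Re-evaluate all assignments against all mappings, as the Autoprovision
    Roles button does: newly eligible autoprovisioned roles are granted and
    autoprovisioned roles whose mapping is no longer satisfied are revoked.
    Manually provisioned roles are left untouched."""
    for u in users.values():
        u["auto"] = roles_from(mappings, u["assignments"], "autoprovision")
    return users

def provision_to_other(mappings, users, requester, target, role):
    """Requestable: the conditions apply to the REQUESTER, not the target."""
    if role in roles_from(mappings, users[requester]["assignments"], "requestable"):
        users[target]["manual"].add(role)
        return True
    return False

def self_request(mappings, users, user, role):
    if role in roles_from(mappings, users[user]["assignments"], "self_requestable"):
        users[user]["manual"].add(role)
        return True
    return False

def effective_roles(u):
    return u["manual"] | u["auto"]

def demo():
    # Constructed mappings mirroring the lesson's screenshot and Activity 2.
    vision_hr = RoleMapping("Vision HR specialists",
        {"legal_employer": "Vision Corporation", "job": "HR010.HR Specialist"},
        [RoleRule("Human Resource Specialist Vision Operations", autoprovision=True)])
    employees = RoleMapping("All employees", {"person_type": "Employee"},
        [RoleRule("Employee", autoprovision=True),              # mixed strategies,
         RoleRule("Expenses Manager", self_requestable=True)])  # same conditions
    generic = RoleMapping("XX Generic Mapping Rule", {},
        [RoleRule("XX HR Spec Data", requestable=True)])        # Autoprovision OFF
    mappings = [vision_hr, employees, generic]
    users = {"ann": new_user(Assignment("Vision Corporation", "HR010.HR Specialist")),
             "bob": new_user(Assignment("Vision Corporation", "ENG.Developer"))}
    autoprovision(mappings, users)
    after_hire = {n: sorted(effective_roles(u)) for n, u in users.items()}
    # Ann transfers to another job: re-evaluation revokes the HR data role.
    users["ann"]["assignments"] = [Assignment("Vision Corporation", "ENG.Developer")]
    autoprovision(mappings, users)
    after_transfer = sorted(effective_roles(users["ann"]))
    bob_self = self_request(mappings, users, "bob", "Expenses Manager")
    # Requestable with no conditions: anyone may give the data role to anyone.
    bob_gives = provision_to_other(mappings, users, "bob", "ann", "XX HR Spec Data")
    # Screenshot mistake: Autoprovision AND Requestable on the conditioned mapping
    # lets any Vision HR specialist hand the role out; a developer still cannot.
    vision_hr.roles[0].requestable = True
    users["cat"] = new_user(Assignment("Vision Corporation", "HR010.HR Specialist"))
    hr_role = "Human Resource Specialist Vision Operations"
    cat_gives = provision_to_other(mappings, users, "cat", "bob", hr_role)
    bob_gives_hr = provision_to_other(mappings, users, "bob", "cat", hr_role)
    # Activity 2's warning: no conditions plus Autoprovision grants everyone the role.
    bad = RoleMapping("XX Generic Mapping Rule", {},
                      [RoleRule("XX HR Spec Data", autoprovision=True)])
    everyone = autoprovision([bad], {n: new_user(*u["assignments"]) for n, u in users.items()})
    return {"after_hire": after_hire, "after_transfer": after_transfer,
            "bob_self": bob_self, "bob_gives": bob_gives, "cat_gives": cat_gives,
            "bob_gives_hr": bob_gives_hr,
            "bad_rule_grants": {n: sorted(u["auto"]) for n, u in everyone.items()}}
```

The check worth carrying into a real review of role mappings follows from this: for each mapping, ask who satisfies its conditions and which option each role carries, because an empty condition block with Autoprovision selected is an enterprise-wide grant, and Requestable on the same row widens it to anyone who satisfies the conditions rather than anyone who should hold the role.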
Implementation Users
Implementation users typically do the following:
The following implementation users are predefined for HCM Cloud environments. In
each user name, xx is a 2 or 3 character prefix specific to the customer.
xx_Admin. Has the following roles:
  IT Security Manager
  Application Implementation Consultant
  Administrators (WebLogic access)
  Application Diagnostics Administrator
  Application Diagnostics Advanced User
xxOIMAdmin. Has the following role:
  IT Security Manager
hcm.user. Intended for users who are performing the Oracle Fusion HCM
implementation. Has the following roles:
  Application Administrator
  Application Implementation Consultant
  Application Diagnostics Regular User
  Application Diagnostics Viewer
In addition, the following roles are provided based on which HCM services a
customer has subscribed for:
  {CustomerNm}_HRAnalyst_ViewAll
  {CustomerNm}_HCMApplicationAdministrator_ViewAll
  {CustomerNm}_HRSpecialist_ViewAll
  {CustomerNm}_CompensationAdmin_ViewAll
  {CustomerNm}_CompensationMgr_ViewAll
  {CustomerNm}_PayrollAdmin_ViewAll
  {CustomerNm}_PayrollMgr_ViewAll
Note: Product family application administrator job roles do not have predefined
access to data. Customers must use the Create Data Role for Implementation
Users task to define data roles for these roles.
Note: When you create an implementation user, no person record is created in HR.
Only a user account is created. Use the Manage Users task or the New Hire flows to
create both a user account and an HR person that are automatically linked together.
Demonstration Scope
Demonstrate the Create Implementation Users task. Give the user two roles: IT
Security Manager and Application Implementation Consultant.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on as
Curtis.Feitty)
Note: This task takes you automatically to the Oracle Identity Manager (OIM)
application. OIM will be discussed in detail later in this lesson.
Information
You can use any names you like here; this user won't be referenced later in the
lesson.
13. Enter IT in the Display Name Begins With field, and click Search.
14. Select IT Security Manager in the Search Results, and click Add.
16. Enter Application Implementation in the Display Name Begins With field, and
click Search.
2. Enter IT in the Display Name Begins With field, and click Search.
5. Confirm that your user name appears in the lists of All Members and Direct Members.
Information
The implementation user you created is not an Indirect Member, because the IT
Security Manager role was assigned directly, not through a role hierarchy or
another role that inherits the IT Security Manager role.
6. Return to the Advanced Search Roles tab, and search for the Application
Implementation Consultant role.
9. Verify that your user is listed as a member for this role too.
10. Close the OIM browser window, and return to the Oracle Fusion Applications
Setup and Maintenance work area. (Don't sign out; just close the browser
window.)
Demonstration Scope
Use the Manage Users task to create a new user. The user will be mapped to an HR
person.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on as
Curtis.Feitty)
Information
You can also access this task by selecting Navigator > Manager Resources >
Manage Users.
2. In the Search Results section toolbar, click the Create icon button.
3. In the First Name and Last Name fields, enter your own first and last name (or
any name you choose).
Information
The Employment Information section expands to display additional fields.
Information
The application reviews all enterprise role mappings and automatically provisions
the appropriate ones based on this user's employment information. In this
environment, the Employee abstract role is automatically provisioned to users
whose Person Type is Employee.
11. Click the Add Role button to assign an existing role to the user.
12. Search for the data role you created in Activity 1 (XX HR Spec Data).
Note: You won't be able to find the data role because it is not yet available for
provisioning to a user. You must create a role-provisioning rule for the role before
you can assign it to a user. You will see how to do that in your next activity. Exit
the Search window and return to the Create User window.
Cloud customers do not have access to the area of OIM in which password policies are
managed. If they want to change the default password policies, they would need to
raise an SR.
The Reset Password option available from the Manage My Account option in Fusion
also generates and sends a new password via email, so we are unable to use that task
during class.
Activity 2 Introduction
Background
New user accounts can be created using the Manage Users task (in addition to the New
Hire flow). Before you can provision roles to users, you must create a role-provisioning
rule. Role-provisioning rules map one or more data roles to a set of conditions that
define which users can be assigned those roles. They also define how each role can be
provisioned.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
practice.
You must have successfully created a data role in Activity 1 (XX HR Spec Data).
Activity Scope
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on as
Curtis.Feitty)
1. Search for and launch the Manage HCM Role Provisioning Rules task.
2. In the Search Results section toolbar, click the Create icon button.
3. In the Mapping Name field, enter XX Generic Mapping Rule and press Enter.
Information
Do not specify any conditions for now.
4. In the Associated Roles section, click the Add Row (+) icon button.
5. In the Role Name field, select the data role you created in Activity 1 (XX HR
Spec Data).
Information
It is very important to deselect the Autoprovision option; otherwise, every user
will get this role since you did not provide any conditions.
7. Click Save and Close, and then click OK to dismiss the Confirmation window.
8. Click Done.
Create a User
In this task, you use the Manage Users task to create a user quickly.
Note: This task is intended for creating test users. When creating real employees, use
the New Hire flow so that the full set of attributes can be captured.
1. In the Setup and Maintenance work area, search for and launch the Manage
Users task.
2. In the Search Results section toolbar, click the Create icon button.
Note: Make sure that you use the specified Hire Date, as this will be important in
a later activity.
Information
The Employee role appears in the Role Requests table.
Note: If any other roles are automatically provisioned to your user, remove them
by selecting them and clicking the X (Remove) icon button. (Roles may appear
here if other students create autoprovisioning rules for the roles they create in
training.)
6. Search for and select the data role you created in Activity 1 (XX HR Spec Data).
8. Click Done.
In the training environment, the application can't send your new user's login credentials
via email, so you need to set an initial password in Oracle Identity Manager.
1. In the Setup and Maintenance work area, launch the Manage Job Roles task.
Information
You are taken to the Oracle Identity Manager (OIM) interface.
4. Search for the user you just created. (Enter search values for First Name, Last
Name, or User Login and click Search.)
Information
There are two methods for resetting a user's password: manually and
automatically (random generation). Note also that password strength is
measured by the password policies set up in Oracle Identity Manager.
Information
You can leave this window open if you expect to return to OIM, but do not sign
out. Signing out of OIM signs you out of Oracle Fusion Applications as well.
4. In the Search Results, verify that you (logged in as Curtis Feitty) can see people
in the Human Resources US department.
5. Sign out and sign back in as the new user you just created (Security.UserXX),
using the new password you just reset.
Information
The Password Management window prompts you to reset your password, since
this is the first time you are logging on.
6. Enter the password you used in the password reset (such as aBc123XX).
8. Select challenge questions and provide the answers (if prompted to do so on this
page).
9. Click Submit.
10. Navigate to the Person Management work area, and enter a keyword of Human
Resources US.
11. Verify that you cannot see users in the Human Resources US department (one
of the departments you excluded in your organization security profile), but you
can see people in the Operations US department.
12. Verify that you cannot see users in the Organizational Development US
department either (the other exclusion).
1. Automatically
2. By other users
3. On user request
4. All of the above
1. True
2. False
1. Duty roles
2. Abstract roles
3. Job roles
4. Data roles
All roles in a role mapping must have the same provisioning option.
2. False
Note: The Middleware group refers to APM as Entitlement Server, while Oracle Fusion
still refers to it as APM.
Manage Users. Create and manage users who are mapped to persons in Oracle
Fusion HR.
Import Worker Users. Load workers using the HCM spreadsheet loader.
Manage Data Role and Security Profiles. Create and manage data roles and
assign security profiles to them.
Manage User Accounts. View and manage roles associated with user accounts.
Manage HCM Role Provisioning Rules. Create rules for how roles can be
provisioned to users.
Retrieve Latest LDAP Changes. Run this scheduled process as needed and
schedule it to run on a frequent basis.
Create Data Role for Implementation Users. Create data roles for
implementation user job roles, such as the product family administrator roles,
which have no predefined data roles.
Create Implementation Users. Create users, who are not mapped to persons in
Oracle Fusion HR, for the purpose and duration of implementation.
Manage Job Roles. Create job and abstract roles; reset user passwords.
Manage Duties. View and manage duty roles, role hierarchies, and security
policies.
You can see most of the HCM security setup tasks by expanding the Define Security
for Human Capital Management folder:
Navigator > Tools > Setup and Maintenance work area > Define Security for Human
Capital Management task list
Navigator > Tools > Setup and Maintenance work area > Define Implementation Users
task list
Use the Send Pending LDAP Requests and Retrieve Latest LDAP Changes
processes in the Scheduled Processes work area to synchronize HR and LDAP data.
Navigator > Tools > Scheduled Processes > Schedule New Process
Point out that OIM and APM are security administration UIs, and should be used by
security administrators, not HCM business users. The only role that has access to these
UIs is the IT Security Manager. HCM business users should use the HCM user and role
management UIs, such as Manage Users (when creating test users) and Manage User
Account.
100 Copyright 2013, Oracle and/or its affiliates. All rights reserved.
Lesson 1: Define Security for HCM
Demonstration Scope
Use the Manage Job Roles task to access Oracle Identity Manager and view different
types of roles.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)
4. In the Display Name (Begins With) field, enter Human Resource and click
Search.
Information
The Search Results display both data roles and job roles. Job roles, such as
Human Resource Specialist, do not display a dash in their names. The roles with
a dash, such as Human Resource Manager - US LDG Only, are data roles.
Fusion role-naming conventions append _JOB at the end of a job role name and
_DATA at the end of a data role name. The internal name is created based on
the Display Name and the _JOB or _DATA suffix to distinguish between the role
types.
5. Click the Human Resource Manager job role in the Search Results.
6. Information
Note that the Role Category Name is HCM - Job Roles.
7. Return to the Advanced Search - Roles tab, and open the Human Resource
Analyst - View All data role.
Information
The Role Category Name for all data roles is automatically set to Default.
9. In the Display Name (Begins With) field, enter Employee and click Search.
Information
Employee is a predefined abstract role. Abstract role names should have
_ABSTRACT at the end of the role name.
Information
The Role Category Name is HCM - Abstract Roles.
Demonstration Scope
This demonstration looks at the data roles assigned to an existing user and shows the
job roles that are inherited by those data roles. It also demonstrates how to search for a
role and display a list of all users assigned to that role.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)
Information
From this page, you can create new job roles, as you will see in Activity 3.
4. In the Display Name field, search for Curtis Feitty, then click his name in the
Search Results.
5. Select the Roles tab to view the roles assigned to this user.
Information
This page shows all roles assigned to Curtis, including data roles, abstract roles,
and job roles (if any).
6. Click on a data role, such as Benefits Admin - View All, and click Open.
Information
Here you can see that the Benefits Admin - View All data role inherits the
Benefits Administrator job role.
8. Click the Members tab to see all the users assigned to this data role.
10. Search for the Payroll Manager job role, and then open it.
Information
Note that the attribute information and the tabs displayed for the job role are the
same as for the data role you just explored. Remember that in OIM, the term role
refers collectively to job, abstract, and data roles; the role category name, such
as HCM - Job Roles, identifies both the role type and the Oracle Fusion
Application where the role is used.
Information
This job role inherits several roles, including the Functional Setups User abstract
role and the Payroll Administrator job role.
Note: When you are creating a job role, you can use this tab to add one or more
parent roles from which to inherit permissions. This is useful if you are creating a
manager job role that performs all the functions that an administrator job
performs, plus more. In this case, you would add the administrator job role as a
parent role to the manager job role.
This role hierarchy is also visible in APM, as you will see later.
Information
This is useful if you need to quickly determine which users are assigned to a role.
Note: On this tab, the Member Type (for most members) is Indirect Role because
users are not directly assigned the Payroll Manager job role. They inherit it via a
data role that is based on the Payroll Administrator job role.
Remind students that OIM and APM are not specific to Oracle Fusion Applications; they
can be used independently of Fusion applications. These middleware products provide
capabilities that Oracle Fusion Application users do not need to use for HCM setup and,
in fact, should NOT use. The only tasks that users should perform in OIM and APM are
those identified on the Setup Tools and Task page:
Manage Duties (View and manage role hierarchies, security policies, and
permission grants)
Key Points
OIM maintains user accounts in the Oracle Fusion Applications Identity Store. It
stores the definitions of abstract, job, and data roles (enterprise roles in OIM),
and holds information about roles provisioned to users.
Job and abstract roles created in OIM must be synchronized so that the new role
names and other attributes are available to Oracle Fusion HCM.
Duty roles are created in APM and stored in the Policy Store, along with function
security policies.
The Policy Store holds copies of users and enterprise roles stored in the Identity
Store.
These tables store data security policies, HCM role-provisioning rules, security
profiles, part of the data role definitions, and copies of the job and abstract roles.
Demonstration Scope
This demonstration uses the Manage Duties task to look at existing data and job roles.
It demonstrates how to view the duties associated with job roles and where to go if you
need to add or remove duties from a role.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)
Information
You are now viewing the Authorization Policy Manager (APM) user interface.
3. Under the Search and Create heading, click Search - External Roles.
Note: Remember that job roles, data roles, and abstract roles are all referred to
as external roles in APM.
4. In the Display Name field, enter Benefits Admin - View All, and click Search.
5. Select the Benefits Admin - View All role in the Search Results, and click
Open Role.
Information
This page shows the job role (Benefits Administrator) inherited by the Benefits
Admin - View All data role.
Information
The Benefits Admin - View All (HCM) role shown here is a special type of
application role that was automatically generated when the Benefits Admin -
View All data role was created. This is explained in more detail in the HCM
Security Deep Dive section later in the lesson.
9. Return to the Search External Roles tab, and search for the Benefits
Administrator job role.
10. Select the Benefits Administrator role in the Search Results, and click Open
Role.
11. Click the Application Role Mapping tab, and open the hcm folder.
Information
Here you can see all of the duty roles associated with the Benefits Administrator
job role. From this page, you can map additional application roles (duties) to this
job role, as you will see in the next activity.
You have demonstrated how to use APM to view and manage job roles.
The following table lists the terminology used by each product when referring to
common business objects:
Data, job, and abstract roles are also referred to as enterprise roles. Application roles
are specific to a particular grouping of applications (such as Oracle Fusion HCM or
CRM).
To create data roles for HCM, always use the Manage Data Role and Security
Profiles task in the Setup and Maintenance work area. Although APM provides the
ability to create data roles using data role templates, data role templates are rarely used
in HCM. (They are only used if you are implementing Oracle Fusion Global Payroll with
Oracle Fusion Subledger Accounting. We do deliver some HCM data role templates, but
these are no longer used.)
You must regenerate an abstract role if you make any changes to its role hierarchy.
Regenerating a role causes all its data security policies to be updated based on these
changes.
1. Launch the Manage Data Role and Security Profiles task in the Setup and
Maintenance work area.
Information
A flow is initiated (the same one you saw when you created a data role in the
previous activity) that allows you to view the security criteria and all assigned
security profiles.
Information
When you click Submit, the security profiles assigned to the role are used to
generate the data security policies for that role.
Note: Security policies are regenerated only for the selected role. If you needed
to regenerate data security policies for multiple roles, you would have to run this
task (and click Assign) for each role.
You can demo the regeneration of a single data role, but it's actually as simple as
finding the role and pressing a few buttons. A later activity will include this as a task.
Activity 3 Introduction
Background
A custom job role is needed because the predefined job role has duties associated with
it that the enterprise does not want to grant to their users. The new job role will have
only two duties: Department Management Duty and Approve Transactions Duty.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
practice.
Activity Scope
When searching for the second duty role, the search results may show only the first
duty role, no matter what search criteria you enter. To resolve this issue, you must close
the Map Application Roles to External Role window, return to the Search External Roles
tab, open the duty role again, and conduct a new search.
Start Here
1. Log in as Curtis.Feitty.
2. Navigate to the Setup and Maintenance work area, Overview page, All Tasks
tab.
9. Click Save.
Information
You are returned to the Oracle Fusion Applications Setup and Maintenance work
area.
After creating a new job role, you must run the following synchronization process so that
the job role is available to HCM tasks and UI pages, such as Manage Data Role and
Security Profiles.
Note: Only one user can run the process at a time. If you are sharing an environment
with someone else, you can run the Retrieve Latest LDAP Changes once to
synchronize all of the job roles to HCM.
2. If the Search Results displays a row for the Retrieve Latest LDAP Changes
process where the Status is Succeeded, select the row and click Resubmit,
then confirm. Skip to step 10.
If the process is listed with a status of Running, wait until it has completed
successfully, and then resubmit as described above. (Click the Refresh icon
button periodically to display the updated status.)
4. Open the Name LOV and click the Search link at the bottom of the LOV list.
6. In the search results, select the Retrieve Latest LDAP Changes process and
click OK.
8. Click Submit.
Information
You can see the status of the process. It usually completes very quickly. While
this process is running, you can continue with the next step.
1. Navigate to the Setup and Maintenance work area, and launch the Manage
Duties task.
Note: This step is important. If you do not select hcm, you will not be able to
search for the HCM roles.
3. Under the Search and Create heading, click Search - External Roles.
4. In the Display Name field, search for the job role (XX Dept Admin Job Role)
you created earlier.
5. Select the role in the Search Results, and click the Open Role button.
9. In the Display Name field, enter Department Management Duty and click
Search.
10. Select the role in the Search Results, and click Map Roles.
Information
The selected role is listed under the hcm folder on the Application Role Mapping
tab.
13. In the Display Name field, enter Approve Transactions Duty and click Search.
14. Select the role in the Search Results, and click Map Roles.
Information
You should now have 2 application roles (duties) in the hcm folder on the
Application Role Mapping tab.
Information
You are returned to the Oracle Fusion Applications window, Setup and
Maintenance work area. (As with the OIM window, you can leave the APM
window open if you plan to return; just don't sign out.)
You have now created a job role with two assigned duty roles.
Activity 4 Introduction
Background
After creating a new role, you typically create a mapping rule that defines criteria for
how the role can be provisioned to users. You can then assign the role to users who fit
those criteria.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
practice.
You must have successfully created a job role (XX Dept Admin Job Role) in
Activity 3.
Activity Scope
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)
1. Search for and launch the Manage Data Role and Security Profiles task.
Information
You used this task in Activity 1 to create a data role, so you should be familiar
with the screens and the process.
2. In the Search Results section toolbar, click the Create icon button.
4. In the Job Role field, search for and select the custom job role you created (XX
Dept Admin Job Role).
Information
If you can't find the job role you created earlier, make sure that the
synchronization process completed successfully. Also, make sure you selected
HCM - Job Roles as the Role Category when you created the job role. If you
accepted the default role category during creation, you won't be able to find the
job role here.
5. Click Next.
8. Click Done.
1. In the Setup and Maintenance work area, launch the Manage HCM Role
Provisioning Rules task.
3. Select the rule in the Search Results, and click the Edit icon button.
4. In the Associated Roles section, click the Add (+) icon button.
5. Search for and select the new XX Dept Admin - View All data role. (Don't select
the job role.)
Information
If you do not select Requestable, you won't be able to assign this role to users.
Information
This rule now contains two mappings.
8. Click Done.
1. Navigate to the Setup and Maintenance work area, and launch the Manage
Users task.
2. Search for the user you created in Activity 2 (enter the last name in the
Keywords field and click the Search icon button).
5. Search for the XX Dept Admin - View All data role you created earlier in this
activity.
Note: If you cannot find the role you created, make sure that:
(We didn't set any criteria in our generic mapping rule, so that should not be a
problem.)
7. In the Current Roles section, select the XX HR Spec Data role you assigned to
this user earlier, and click the X (Remove) icon button, then confirm.
9. Click Done.
1. Sign out, and sign back on as the user you created (Security.UserXX) and
whose password you reset.
3. Verify that only the Manage Departments and Manage Department Trees
tasks are visible under Organizations. You should no longer be able to see the
HR Specialist menu options.
4. Sign out.
If students are still seeing the full set of HR Specialist menu entries, ask them to
navigate to the My Account and check which roles their user has assigned. Their user
might have more roles than they are expecting. For example, their user might have
been automatically provisioned data roles based on HR Specialist from an earlier
activity if someone has inadvertently created automatic role-provisioning rules.
1. abstract
2. job
3. data
4. duty
If your class consists of mostly functional users, you may choose to omit this section.
Alternatively, you can allow functional users to take a break while you present this
section. Another option would be to present the activity (duty role creation) as a
demonstration, and talk through the steps rather than asking students to complete them.
If, at the beginning of this section, students become confused about data security
policies, tell them that it should become clearer as we dig deeper into the technical
details and they see how the pieces fit together. The demonstration and activity should
also help them understand the various components and their relationships.
The Promote Worker function security privilege secures access to the Promote
Worker page.
Another data security policy determines which positions the person can be
promoted into.
a role
a data security privilege
a business object
a condition
Data security policies are represented in the Security Reference Manuals in the
following format:
For example, the two data security policies in our current example would be
represented as follows:
Human Resource Specialist can promote Person for people in their person
security profile using Promote Worker Data
Note: Data security policies are published at the level of a job or abstract role,
and they take into account the duty roles that are inherited by the job and
abstract roles. This makes them more readable, as it can be difficult to
understand a data security policy if presented at the level of a duty role.
The conditions for duty role data security policies are usually implemented as 1=2
predicates. (A predicate is an SQL expression that evaluates to TRUE or FALSE. The
predicate is automatically added to the Where clause of any Select statements that are
issued within the Oracle Fusion HCM pages.)
The 1=2 predicate, which evaluates to FALSE, means that the Worker Promotion Duty
role, when viewed in isolation, has no access to data. The Human Resource Specialist
job role inherits this duty role, which means that the job role on its own cannot
actually promote anyone.
Data access is usually determined by FND_GRANTS rows that are generated for the
data roles to which users are assigned (as you will see later). This is why data roles
are so important!
First, a set of three new application roles is created: one for HCM, one for FSCM,
and one for CRM.
These application roles have names that are derived from the data role name.
The FND_GRANTS generated for the new application roles are similar to the
FND_GRANTS for the original duty role, except:
The role name references the data role, not the job role.
The predicate value is 1=1, meaning that no restrictions are applied when the
HCM application page selects it from the database.
In the simplified example below, the 1=1 predicate is taken from View All person and
position security profiles assigned to the data role.
The application roles and the security policies (FND_GRANTS) that were generated
earlier are linked to the data role. (All three application roles are linked, although only
one is pictured here.)
The data role is linked to the Human Resource Specialist job role. However, it is the
security policies inherited by the data role that provide access to the data.
Note: A predicate of 1=1 is the simplest of examples, used only in View All profiles. In
reality, most predicates are more complicated. For example, the predicate for the View
Own Record person security profile is shown here:
When an HCM application page issues a Select statement to retrieve data from the
database, it makes a data security privilege check by calling a data security API,
passing the following information:
The name of the database table in which to find the data. In our example, the
table name is PER_ALL_ASSIGNMENTS_M.
The data security code looks in the FND_GRANTS table for all rows that match any of
the user's roles, the table name, and the data security privilege name.
If it finds one match, the predicate for that FND_GRANTS row is used to filter the
data that is returned. (If the predicate is 1=2, no data is returned.)
If it finds more than one match, the predicates are OR'd together. (If either is
TRUE, then the result evaluates to TRUE).
In our example of a View All data role, two predicates would be returned: 1=1 and 1=2.
When OR'd together, the end result is that the page can select data from the
assignment table with no restrictions applied.
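The privilege check described above, together with the role inheritance shown in the OIM demonstration earlier, as an added Python model (this is not Oracle code; the table and privilege names are from the lesson, while the role hierarchy, FND_GRANTS rows, assignment rows, the bind-variable predicate syntax and the "no matching grant returns nothing" rule are constructed assumptions):

```python
"""Model of the data security check described in this lesson: resolve the
user's effective roles through the role hierarchy, collect the FND_GRANTS rows
that match (role, table, privilege), and OR the predicates together.

Added example, not Oracle code. The table and privilege names come from the
lesson; the hierarchy, grant rows, assignment rows and the tiny predicate
syntax are constructed for illustration.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

Grant = Tuple[str, str, str, str]  # (role_name, object_name, privilege, predicate)
Row = Dict[str, int]

# Constructed hierarchy, child role -> parent roles it inherits.
# Mirrors the lesson's chain: data role -> job role -> duty role.
ROLE_HIERARCHY: Dict[str, List[str]] = {
    "Human Resource Specialist - View All": ["Human Resource Specialist"],
    "XX Dept Admin - BU 10": ["Human Resource Specialist"],  # constructed restricted data role
    "Human Resource Specialist": ["Worker Promotion Duty"],
    "Worker Promotion Duty": [],
}

# Constructed FND_GRANTS rows. The duty role carries the 1=2 policy; the
# generated data-role policies carry 1=1 (View All) or a restricting predicate.
FND_GRANTS: List[Grant] = [
    ("Worker Promotion Duty", "PER_ALL_ASSIGNMENTS_M", "Promote Worker Data", "1=2"),
    ("Human Resource Specialist - View All", "PER_ALL_ASSIGNMENTS_M", "Promote Worker Data", "1=1"),
    ("XX Dept Admin - BU 10", "PER_ALL_ASSIGNMENTS_M", "Promote Worker Data", "business_unit_id = :bu_id"),
]

# Constructed sample rows standing in for PER_ALL_ASSIGNMENTS_M.
ASSIGNMENTS: List[Row] = [
    {"assignment_id": 1, "person_id": 101, "business_unit_id": 10},
    {"assignment_id": 2, "person_id": 102, "business_unit_id": 10},
    {"assignment_id": 3, "person_id": 103, "business_unit_id": 20},
]


def effective_roles(direct_roles: Iterable[str],
                    hierarchy: Dict[str, List[str]] = ROLE_HIERARCHY) -> Set[str]:
    """Transitive closure of the role hierarchy: the roles a user holds directly
    plus everything inherited through them (OIM's 'Indirect Role' members)."""
    seen: Set[str] = set()
    stack = list(direct_roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(hierarchy.get(role, []))
    return seen


def matching_predicates(roles: Set[str], table: str, privilege: str,
                        grants: List[Grant] = FND_GRANTS) -> List[str]:
    """Predicates of every FND_GRANTS row matching any user role, the table and
    the data security privilege, in grant order."""
    return [pred for role, obj, priv, pred in grants
            if role in roles and obj == table and priv == privilege]


def evaluate(predicate: str, row: Row, binds: Dict[str, int]) -> bool:
    """Evaluate one predicate against a row. Constructed mini-syntax, not Oracle's:
    '1=1' / '1=2' literal comparisons, or '<column> = :<bind>' equality."""
    left, right = (part.strip() for part in predicate.split("=", 1))
    if right.startswith(":"):
        return row.get(left) == binds.get(right[1:])
    return left == right  # '1=1' -> True, '1=2' -> False


def secured_select(direct_roles: Iterable[str], table: str, privilege: str,
                   rows: List[Row], binds: Optional[Dict[str, int]] = None,
                   hierarchy: Dict[str, List[str]] = ROLE_HIERARCHY,
                   grants: List[Grant] = FND_GRANTS) -> List[Row]:
    """Rows the page may return: a row passes if ANY matching grant's predicate
    accepts it (the OR described in the lesson). With no matching grant at all,
    nothing is returned (assumed behaviour; the lesson does not cover that case)."""
    preds = matching_predicates(effective_roles(direct_roles, hierarchy), table, privilege, grants)
    if not preds:
        return []
    binds = binds or {}
    return [row for row in rows if any(evaluate(p, row, binds) for p in preds)]


if __name__ == "__main__":
    table, priv = "PER_ALL_ASSIGNMENTS_M", "Promote Worker Data"
    # Job role alone: only the duty's 1=2 grant matches, so no rows come back.
    print(secured_select({"Human Resource Specialist"}, table, priv, ASSIGNMENTS))
    # View All data role: 1=1 OR 1=2 -> no restriction, all rows.
    print(secured_select({"Human Resource Specialist - View All"}, table, priv, ASSIGNMENTS))
    # Restricted data role: predicate OR 1=2 -> only business unit 10.
    print(secured_select({"XX Dept Admin - BU 10"}, table, priv, ASSIGNMENTS, binds={"bu_id": 10}))
```

Because the predicates are OR'd, the most permissive grant a user reaches through any inherited role wins, which is why an unexpected extra data role (see the troubleshooting note in Activity 4) widens access rather than narrowing it.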
Demonstration Scope
Use the Manage Duties task in the Setup and Maintenance work area to access APM,
where you can view duties and their associated data and function security policies.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)
Information
Remember that duty roles are referred to as application roles in APM.
4. In the Display Name field, enter Worker Promotion Duty and click Search.
5. In the Search Results, select the Worker Promotion Duty role and click the
Open icon button.
1. Click Find Policies in the upper-right-hand corner of the screen, and then select
Default Policy Domain.
Information
This role has only one function security policy: Policy for Worker Promotion Duty.
It controls access to this function from the Oracle Fusion HCM menus and work
areas.
3. To view the code artifacts that are secured using this function security policy, go
back to the Home tab (but don't close this tab).
4. Select hcm in the Application Name field, and then click Search under
Entitlements.
5. In the Display Name field, enter Promote Worker and click Search.
6. Select the Promote Worker entitlement in the Search Results, and click the
Open icon button.
Information
The code artifacts that are secured against this entitlement are shown in the
Resources section of the page.
7. Return to the Search Authorization Policy tab. (The Worker Promotion Duty
role should still be displayed.)
1. Select the Data Security tab, and review the data security policies for this role.
Information
This role has several data security policies: Choose Department, Choose
Position, Promote Worker, and so on. These policies provide access to all of the
different types of data that a user must view, select, or manage when performing
the Worker Promotion Duty.
As you can see, managing data security policies can be very complex. However,
if you use the delivered duty roles as building blocks when defining custom job
roles in HCM, then security policies are generated automatically for you. You do
not need to manage them manually in APM.
2. In the right-hand corner of the Actions column header, click the Sort
Descending icon button to re-sort the column.
Information
This just makes it easier to find the role, as the list is very long.
3. Select the Promote Worker row, and click the Edit icon button.
Information
This tab shows the condition for the privilege. When expanded, the condition is:
This tab does not show the SQL predicate. To view the SQL predicate, you must
navigate to the data security policy from a different direction.
5. Return to the Home tab, and click Search - Policies under the Search and
Create heading.
7. In the Display Name field, enter Person Work Terms Assignment and click
Search.
Information
The Search Results lists all of the data security policies for the
PER_ALL_ASSIGNMENTS_M database table.
Note: Detaching the table makes it easier to browse and navigate, and allows
you to view the SQL predicate in the condition.
9. Right-click the Role column header, and select Sort > Descending.
Information
Note the SQL predicate for the condition in the first row. The other conditions on
the Conditions tab are generated from security profiles. The condition Display
Name includes the security profile name.
13. Select the first condition, and click the Edit icon button.
Information
You can view the full condition details here. Note the SQL Predicate value of
1=2, as discussed previously.
IMPORTANT!
Don't edit the conditions! The conditions for HCM data security policies are
generated automatically from security profiles and should not be changed.
You have demonstrated how to view function and data security policies.
Activity 5 Introduction
Background
A new duty role is required because the predefined duty role has more function security
privileges and data security policies than you want the role to have in your enterprise.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
practice.
You must have successfully created a job role (XX Dept Admin) in Activity 3.
Activity Scope
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)
6. Click Save.
1. Click the Create Policy button in the top-right corner of the tab, and select
Default Policy Domain.
Information
Predefined security policies use the naming format: Policy for <duty role name>.
4. In the Targets section, click the Add Targets (+) icon button.
Information
APM uses generic security terminology. In this context, a target is a function
security privilege, and a principal is a role. Thus, when a target is granted to the
principal, it means that the function security privilege is granted to the duty role.
5. In the Display Name (Starts With) field, enter Manage Department, and click
Search.
6. Select Manage Department, and click the Add Selected button (located above
the search results).
Information
The security privilege is added to the Selected Targets list.
7. Click Add Targets (at the bottom of the page), and then click Save.
Information
You have now added the Manage Department function security privilege to your
duty role.
1. Return to the Home tab, and click Search under Application Roles.
2. In the Display Name field, enter Department Management Duty and click
Search.
Information
This is the predefined duty role you will use as a reference for your custom duty
role. You want to find the data security policies assigned to that role and add
your role to them.
3. Select the role in the Search Results, and click the Open icon button.
4. In the upper-right-hand corner of the page, click Find Policies and select
Default Policy Domain.
5. In the Policies for: Department Management Duty section, select the Data
Security tab.
Information
There are three data security policies for this role.
8. Select the Roles tab, and click the Add icon button.
9. Search for your new duty role. (Enter XX_DEPT_DUTY in the Role Name field,
select hcm as the Application, and then click Search.)
Information
You have now created a copy of this data security policy against your custom
duty role.
12. Select the second security policy on the Data Security tab, and repeat steps 7-
11.
13. Select the third (and last) security policy, and repeat steps 7-11 again.
Information
You have now created copies of these three data security policies against your
custom duty role. The duty role is complete. Take a moment now to verify that all
policies were added.
15. Select hcm in the Application Name field, and select Search under Application
Roles.
16. Search for the duty role (Display Name: XX Department Duty) and open it from
the Search Results.
Information
You should see one policy on the Functional Policies tab and three on the Data
Security tab.
1. Select hcm for the Application Name, and select Search - External Roles
under the Search and Create heading.
2. Search for the XX Dept Admin Job Role you created in Activity 3.
3. Select the job role in the Search Results, and click Open Role.
5. Remove the predefined Department Management Duty role. (Open the hcm
folder, select the role, click the Remove Roles icon button, and then confirm.)
6. Add your custom XX Department Duty role. (Click + Map, select hcm, search
for the XX Department Duty duty role, select it, and click Map Roles.)
Information
The job role now has two duties: your custom department duty role and the
original Approve Transaction Duty role.
Generate the Data Security Policies for the Roles that Inherit this Duty Role
3. Search for your XX Dept Admin - View All data role, and then click Assign.
4. Proceed through the pages in the flow until you get to the Review page, and then
click Submit.
Information
Although you did not make any changes to the data role, you must run this task
to regenerate its security policies because you changed the job role that the data
role inherits.
Note: Security policies are regenerated only for the selected role. If you needed
to regenerate data security policies for multiple data roles, you would have to run
this task (and click Assign) for each role.
5. Click Done.
1. Sign out and sign back in as the user you created earlier (Security.UserXX).
3. Verify that you can only see the Manage Departments task under
Organizations in the Workforce Structures work area.
1. Delete all data roles based on the job role and recreate them
2. Regenerate all the data roles that inherit the job role
3. Reassign security profiles to all data roles that inherit the job role
It is the process of reassigning security profiles (using the Manage Data Role and
Security Profiles task and the Assign action) that regenerates the data roles and their
associated security privileges and policies. Option #3 also applies because adding new
duty roles to a job role could require additional security profiles to be assigned to the
data role.
The Additional Security Activity provides the detailed steps for the scenario described in
next section's review questions.
If there is not enough time to do the final exercises, students can do them as post-work.
There are no new concepts or tasks in these activities.
Activity 6 Introduction
Background
The predefined line manager role has access to actions that you don't want all your line
managers to use. A custom line manager role is required to meet your needs.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
practice.
Activity Scope
Note: Students are encouraged to attempt to complete this activity using only the
summarized steps below. The complete set of detailed steps is available on the
following page should you need them. However, you've already performed each of
these tasks at least once, so you may be able to work out the detailed steps yourselves.
1. Use the Manage Job Roles task to create a custom abstract role for a line
manager. This process is basically the same as creating a job role.
2. Use the Retrieve Latest LDAP Changes scheduled process to synchronize the
new role information between LDAP and HCM.
3. Use the Manage Duties task to grant access to the following manager actions
only: Promote, Transfer, Change Manager, and Change Working Hours. (To find
the exact names of the duties, you can search the HCM Security Reference
Manual. You must also grant manager access to the Person Gallery to be able to
see these actions.)
4. Use the Manage Data Role and Security Profiles task to assign the View
Manager Hierarchy predefined security profile to the new abstract role.
5. Use the Manage HCM Role Provisioning Rules task to add a mapping rule for
the new role so that it can be provisioned to users. Use the same task to modify
the Line Manager mapping rule so that the predefined Line Manager role will no
6. Use the Manage Users task to create a new user who will report to the line
manager user. The new employee has the same legal employer (InFusion Corp
USA1) and business unit (USA1 Business Unit) as the employee you created
earlier. Do not assign any roles, other than the automatically provisioned
employee role.
7. Use the Manage Users task to assign the custom line manager role to the user
you created in Activity 2.
8. Verify the security provisioning for the new user and compare with a user who
has the standard line manager role, such as Jack.Fisher.
2. Navigate to the Setup and Maintenance work area, Overview page, All Tasks
tab.
8. Click Save.
2. In the Search Results, select a Retrieve Latest LDAP Changes process where
the Status is Succeeded.
1. Navigate to the Setup and Maintenance work area, and launch the Manage
Duties task.
3. Under the Search and Create heading, click Search - External Roles.
4. In the Display Name field, search for the XX Line Manager role you created
earlier.
5. Select the role in the Search Results, and click the Open Role button.
6. Click the Application Role Mapping tab to assign duty roles to the job role.
9. In the Display Name field, enter Worker Transfer Duty and click Search.
10. Select the role in the Search Results, and click Map Roles.
11. Repeat steps 7-10 to add the following additional duty roles:
Information
Once all 5 duty roles have been added, your custom line manager role is
complete.
1. Navigate to the Setup and Maintenance work area, and launch the Manage
Data Role and Security Profiles task.
2. Search for the new line manager role (XX Line Manager) you just created.
Information
In the Search Results, note that the Security Profiles Assigned column for this
role is blank, as no security profiles have been assigned yet.
4. In the Organization section, search for and select View All Organizations.
6. In the Person section, search for and select View Manager Hierarchy.
7. In the Public Person section, search for and select View All People.
Information
All of these profiles are predefined.
9. Search for the role, and verify that it now displays a checkmark in the Security
Profiles Assigned column.
1. Navigate to the Setup and Maintenance work area, and launch the Manage
HCM Role Provisioning Rules task.
2. Search for the mapping rule (XX Generic Mapping Rule) you created in Activity
2.
Information
You could create a new mapping rule, but it's easier for now to use the one
3. Select the rule in the Search Results and click the Edit icon button.
Information
There should be two rows for this rule; you can select either one.
4. In the Associated Roles section, click the Add (+) icon button.
Information
In an actual implementation, you might want to configure your custom line
manager rule for autoprovisioning, in place of the predefined Line Manager role.
7. Click Save and Close, and then click OK to dismiss the confirmation message.
8. In the Mapping Name field, search for the predefined Line Manager With
Reports rule.
9. Select the role in the Search Results, and click the Edit icon button.
10. In the Associated Roles section, select the Line Manager role, and then
deselect the Autoprovision option.
Note: If the Autoprovision option is already deselected or the role does not
appear in the Associated Roles list, it means that another student who shares
your training environment has already performed this step.
Information
If the Line Manager role were set to autoprovision, it would be provisioned
automatically to your security user when you select that user as a manager in the
next task. In a real implementation, you would probably set up your custom line
manager role for autoprovisioning, but we don't want to do that in the training
environment (since multiple students are creating custom line manager roles).
1. In the Setup and Maintenance work area, launch the Manage Users task.
2. In the Search Results section toolbar, click the Create icon button.
Note: Make sure that you use the specified Hire Date.
Information
The Employee role appears in the Role Requests table.
Note: If any roles other than Employee appear in the Role Requests table, delete
them. (Additional roles may appear if other trainees created roles and mistakenly
set them up for autoprovisioning.)
1. In the Manage Users (Search Person) page, search for the user you created in
Activity 2. (You can search by your last name.)
4. Search for and select the custom line manager role (XX Line Manager) you
created earlier in this activity.
Note: If you cannot find the role you created, make sure that:
5. In the Current Roles section, select the XX Dept Admin - View All role you
assigned to this user earlier, and click the X (Remove) icon button, then confirm.
Important
If you updated the Line Manager with Reports role-provisioning rule, as
described above, the Line Manager role should not have been provisioned. If it
was, delete it now.
6. Remove any other roles, other than Employee, that may have been automatically
provisioned.
8. Click Done.
Note: It may take a few moments for the role changes to take effect.
1. Sign out, and sign back on as the line manager user (Security.UserXX).
Information
You should see the following manager actions under Personal and Employment:
Change Manager, Change Working Hours, Promote, and Transfer. You should
also see the Information Sharing action, which comes from the automatically
provisioned Employee role.
Resilience to Change
Resilience to change refers to the amount of change a system can undergo and still
operate properly within expected parameters. When this concept is applied to HCM
security management, you can see that the security model is quite robust when you
make changes to higher level objects, such as job roles. The deeper you go into the
hierarchy, the more careful you must be when making changes.
Now that you've seen the types of changes you can make, you should consider the level
of resilience associated with each type:
Most Robust
Creating custom job roles and using existing duty roles as building blocks
Creating custom duty roles and assigning function and data security policies
Manually modifying data security policies, except for adding custom duty roles
Note: It should not be necessary to create your own data security policies. When
you are creating custom duty roles, the predefined security policies should be
adequate for your needs.
Based on the HCM security reference information you have available online for the
predefined employee abstract role, how many duty roles must you add to your custom
employee role to enable access to these functions?
1. 1 duty role
2. 2 duty roles
3. 4 duty roles
4. 5 duty roles
After planning your customization, which of the following tasks would you perform first:
After creating a new abstract role, you must synchronize data between LDAP and HCM
before you can:
Which predefined person security profile could be used for this new employee role:
Which public person security profile could be used for this new employee role:
After planning your customization, which of the following tasks would you
perform first:
1. Create a custom abstract role
After creating a new abstract role, you must synchronize data between LDAP and
HCM before you can:
4. All of the above except 1
Which predefined person security profile could be used for this new employee
role:
1. View Own Record
Which public person security profile could be used for this new employee role:
2. View All Workers or View Own Record.
Use the latter if you do not want to allow employees to browse the Person Gallery for
other employees.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
practice.
Activity Scope
Note: As with the previous activity, students are encouraged to complete this activity
using only the summarized steps below. This time, we've left a bit more for you to figure
out than in the last activity.
1. Create a custom employee abstract role that has access to the My Portrait
function and the Change Marital Status action. Restrict their data access to their
own record only in the Person Gallery.
2. Determine the names of the duties that should be added to this role by reviewing
the roles and duties in the HCM Security Reference Manual, and then add the
appropriate duties to the new employee role.
3. Assign the predefined View Own Record person security profile to the custom
employee role.
4. Assign the predefined View Own Record public person security profile to the
custom employee role.
2. Navigate to the Setup and Maintenance work area, Overview page, All Tasks
tab.
Name: XX_EMPLOYEE_ROLE
Display Name: XX Employee
Role Category Name: HCM - Abstract Roles
6. Click Save.
2. In the Search Results, select a Retrieve Latest LDAP Changes process where
the Status is Succeeded.
1. Navigate to the Setup and Maintenance work area, and launch the Manage
Duties task.
5. Select the role in the Search Results and click the Open Role button.
6. Click the Application Role Mapping tab to assign duty roles to the job role.
10. Select the role in the Search Results and click Map Roles.
11. Repeat steps 8-11 for each of the following additional roles
1. Navigate to the Setup and Maintenance work area, and launch the Manage
Data Role and Security Profiles task.
4. Click Next.
5. In the Person section, select the predefined View Own Record profile.
6. In the Public Person section, select the View Own Record profile.
7. For all other sections, select one of the View All profiles.
Information
If you search for the role, you should see a checkmark in the Security Profiles
Assigned column.
Follow the steps presented in Activity 6 to create a mapping rule for the new role. (Open
the existing mapping rule, XX Generic Mapping Rule, and add a mapping for your new
XX Employee role. Deselect autoprovisioning, and select the Requestable option.)
Follow the steps presented in Activity 6 to assign the XX Employee role to the user you
created in Activity 2. Deprovision the predefined Employee role and any other roles
assigned to the user.
2. Verify that you can only access the My Portrait tab and the Change Marital
Status action.
Troubleshooting
If, after completing this activity, you try to perform the Change Marital Status action,
you may encounter the following errors:
A current or future-dated change of this type exists for this person. Contact
your support representative.
Error: You cannot edit your marital status because legislative information is
missing from your account.
This error occurs because the person doesn't yet have a marital status. (The Manage
Users page used to create this user doesn't capture all of the employee information that
is captured by the New Hire flow. This is an example of why you should always use the
proper HR flows once the implementation is complete. The Manage Users task is not
intended to be used by HCM users in a production environment.)
1. Sign on as Curtis.Feitty.
2. Navigate to Person Management and open the person record for editing.
3. On the Manage Person page, Person Information tab, Legislative
Information section, select a Country (United States).
4. Open the Gender and Marital Status section for editing, and select a marital
status for this person.
5. Save.
Error: A current or future-dated change of this type exists for this person
This error occurs because an employee cannot change their own marital status on the
same day that it was last changed.
To work around this, you can:
Ask an HR Specialist to make the change for you on the Manage Person page
(or log on as a user with that role, if you have access to one).
Note: If you used the current date rather than 1-Jun-13 (the value you were instructed
to use) for the employee's hire date, then you can log in as Curtis.Feitty and change the
hire date to an earlier date, using the Manage Work Relationship task in the Person
Management work area.
References
For information about Single Sign-On in Oracle Fusion Applications, see:
SaaS SSO Using Identity Federation eSeminar on My Oracle Support (MOS).
You can take the training online or download the slides.
Link: http://oukc.oracle.com/static09/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1222182178
See also:
Fusion Applications Technology: Master Note on Fusion Federation,
Document ID: 1484345.1 on MOS.
Link: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1484345.1
For a mapping of duties and privileges to roles across all offerings, see:
Mapping of Roles, Duties and Privileges in Fusion Applications, Document
ID 1459828.1 on MOS.
Link: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1459828.1
For information about how duty roles and privileges map to top-level menus, see:
Mapping of Duty Roles to Top Level Menu Items, Document ID 1460486.1 on
MOS.
Link: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1460486.1
For descriptions of all the predefined data that is included in the security
reference implementation for HCM, see:
Oracle Fusion Applications Human Capital Management Security Reference
Manual. Latest version is available from Oracle Fusion Applications Help.
For information about the common roles required to set up and administer an
offering, see:
Oracle Fusion Applications Common Security Reference Manual. Latest
version is available from Oracle Fusion Applications Help.
For an overview and detailed information about the Oracle Fusion Applications
security approach, including an explanation of role types, enforcement, and how
to implement and administer security for your deployment, see:
Link: http://docs.oracle.com/cd/E37583_01/nav/hcm.htm
Lesson Highlights
Roles
Security Profiles
Users and Role Provisioning
User Interfaces for Managing Security
Creating Data Roles and Security Profiles
Creating Custom Job Roles
Creating Custom Duty Roles
Lesson Details
Roles
Security in Oracle Fusion Applications is role-based, where roles control who can do
what on which data. Oracle Fusion Applications defines four types of roles:
Abstract roles
Data roles
Job roles
Duty roles
Security Profiles
Most Oracle Fusion HCM data is secured by means of HCM security profiles. A security
profile identifies a set of data of a single type; for example, you could create a security
profile to identify all workers in department HCM US. HCM security profiles are an
Oracle Fusion HCM feature; they are not used by other Oracle Fusion Applications.
User Provisioning: Oracle Fusion Applications are tightly integrated with Oracle
Identity Management (OIM). When you hire a worker, a user account can be
created automatically for that worker in the OIM Identity store.
Roles Provisioning: Abstract and data roles must be provisioned to users so that
they can access the functions and data that enable them to perform their jobs.
The process of assigning roles to users is known as role provisioning.
Note: In this example, access to HR data is secured by business unit. However, it could
be based on legal employer, department, or any level within the organization.
Workforce Management > Person Management > Manage Areas of Responsibility >
Manage Areas of Responsibility page > Create Area of Responsibility page
_______________________________________________________
Define areas of responsibility for the other two HR specialists, David and Linda, in the
same way. For David, you must create two areas of responsibility records, one for
USA2 Business Unit and another for USA Health Business Unit.
Manage Person Security Profile > Manage Person Security Profiles page > Create
Person Security Profile
_______________________________________________________
To secure person records by business unit, you would enter an SQL fragment similar to
the following:
&TABLE_ALIAS.PERSON_ID IN
  (SELECT PERSON_ID FROM PER_ALL_ASSIGNMENTS_M A
   WHERE A.BUSINESS_UNIT_ID IN
     (SELECT B.BUSINESS_UNIT_ID
      FROM PER_ASG_RESPONSIBILITIES B,
           PER_USERS C
      WHERE C.USER_GUID = FND_GLOBAL.USER_GUID
      AND C.PERSON_ID = B.PERSON_ID
      AND B.RESPONSIBILITY_TYPE = 'HR_REP'))
Note: The actual SQL fragment for this scenario would be a little more complex than the
sample fragment, because it would need to take into account the effective dates of both
the areas of responsibility records and the worker's assignment record.
TIP: If, by using this feature, you reduce the number of data roles down to one, you
could assign the security profiles directly to the job role (rather than creating a data
role). However, assigning security profiles directly to job roles only works if the areas of
responsibility criteria provide users with all the data access they need. In our scenario,
we want to provide some users with View All access and others with more restricted
access based on areas of responsibility. Therefore, we need two data roles: one that
uses areas of responsibility criteria and one that has a View All security profile. Both of
these data roles would be based on the same job role.
User Impersonation
The user impersonation feature is disabled for HCM Cloud customers. It can be enabled
on request, but Oracle does not recommend its use by HCM Cloud customers. User
impersonation potentially allows the proxy user uncontrolled access to the personal data
of the user they are impersonating; the proxy user gets all of that user's roles, which is
particularly dangerous if a customer is implementing employee self-service.
Role Delegation
Currently in HCM, you can implement role delegation, but it must be done manually.
There are two types of role delegation:
Delegating the ability to approve transactions: This is done from the BPM
Worklist. The process is covered in the Approvals lesson.
Note: Improved support for role delegation is currently under development and is
targeted for a future release of Fusion HCM.