
Partner Boot Camp - Fusion

HCM Global HR
Manage Security for HCM

Instructor Guide

August 8, 2013
Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Disclaimer

This document contains proprietary information and is protected by copyright and
other intellectual property laws. You may copy and print this document solely for
your own use in an Oracle training course. The document may not be modified or
altered in any way. Except where your use constitutes "fair use" under copyright law,
you may not use, share, download, upload, copy, print, display, perform, reproduce,
publish, license, post, transmit, or distribute this document in whole or in part without
the express authorization of Oracle.

The information contained in this document is subject to change without notice. If
you find any problems in the document, please report them in writing to: Oracle
University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This
document is not warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using
the documentation on behalf of the United States Government, the following notice
is applicable:

U.S. GOVERNMENT RIGHTS

The U.S. Government's rights to use, modify, reproduce, release, perform, display,
or disclose these training materials are restricted by the terms of the applicable
Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other
names may be trademarks of their respective owners.
CONTENTS
Lesson 1: Define Security for HCM .............................................. 1
Objectives ................................................................................................1
Security Overview .....................................................................................2
Role-Based Security Model .......................................................................2
Instructor Note: Roles Assigned to Users .................................................. 3
Role-Based Access Control .......................................................................4
Predefined HCM Roles ..............................................................................5
Role Inheritance .....................................................................................6
Data Role Inheritance ............................................................................7
User Role Inheritance ............................................................................8
Role Types .............................................................................................9
Role Inheritance Example ....................................................................... 10
Security Privileges ................................................................................. 11
Instructor Note: Details Will Come Later................................................. 12
Security Component Terminology Comparison ........................................... 13
Role Evaluation ..................................................................................... 14
Customizing Security for Your Needs ........................................................ 15
Instructor Note: Currently No Way to Copy Roles .................................... 16
Instructor Note: Demo Timing................................................................. 17
Demonstration: Function Security in Action ............................................... 18
Instructor Note: Demo Timing................................................................. 21
Demonstration: Data Security in Action .................................................... 22
Exploring the Security Reference Manual .................................................. 24
Instructor Note: Security Reference Implementation ................................ 26
Security Profiles and Data Roles ................................................................ 27
Data Security Through Security Profiles .................................................... 27
Security Profiles Example ....................................................................... 28
HCM Security Profile Types ..................................................................... 29
Predefined HCM Security Profiles ............................................................. 30
HCM Security Profiles Best Practices ........................................................ 31
Approaches to Creating Data Roles .......................................................... 32
Instructor Note: Demo Timing................................................................. 33
Demonstration: Managing Data Roles and Security Policies ......................... 34
Key Points for Creating Security Profiles ................................................... 38
Instructor Note: Notes on Activities ......................................................... 41
Instructor Note: Activity Timing .............................................................. 42
Activity 1 Introduction ........................................................................... 43
Activity 1: Creating Security Profiles and Assigning to a New Data Role ...... 44
Assigning Security Profiles to Existing Roles .............................................. 48
Editing Security Profiles ......................................................................... 49
Security Profiles Review Question 1 ......................................................... 50
Security Profiles Review Question 2 ......................................................... 51
Security Profiles Review Question 3 ......................................................... 52
Security Profiles Questions and Answers ................................................... 53
User and Role Provisioning ....................................................................... 54
User Account Creation and Maintenance Scenarios ..................................... 54
Instructor Note: User Account Management Scenarios .............................. 55
User Account Provisioning ...................................................................... 56
Enterprise-Level User and Role-Provisioning Options .................................. 57
Setting Enterprise-Level Options ........................................................... 58
Instructor Note: User and Role Provisioning ............................................ 59
Provisioning Roles to Users: Overview ...................................................... 60
Instructor Note: Roles Must Be Provisioned ............................................. 61
Instructor Note: Role-Provisioning Rules ................................................... 62

Defining Role-Provisioning Rules ............................................................. 63
Role-Provisioning Options ....................................................................... 65
Predefined Role-Provisioning Rules .......................................................... 66
Integration with New Hire Flow ............................................................... 67
Instructor Note: New Hire Process ......................................................... 67
Integration with New Hire Flow ............................................................. 68
New Hire Flow - Job Assignment ........................................................... 69
New Hire Flow - Role Requests.............................................................. 70
Tip: Role-Provisioning Strategies ............................................................. 71
Implementation Users ........................................................................... 72
Instructor Note: Implementation Users for the Cloud ............................... 74
Instructor Note: Demo Timing................................................................. 75
Demonstration: Creating Additional Implementation Users .......................... 76
Instructor Note: Demo Timing................................................................. 79
Demonstration: Using the Manage Users Task to Create HR Users ................ 80
Instructor Note: Password Policy Management for Cloud Customers ............. 83
Instructor Note: Activity Timing .............................................................. 84
Activity 2 Introduction ........................................................................... 85
Activity 2: Creating a New User and Assigning a Data Role........................ 86
User and Role Provisioning Review Question 1 ........................................... 91
User and Role Provisioning Review Question 2 ........................................... 92
User and Role-Provisioning Review Question 3 .......................................... 93
User and Role-Provisioning Questions and Answers .................................... 94
User Interfaces for Security Tasks ............................................................. 95
User Interface Overview......................................................................... 95
Setup Tools and Tasks ........................................................................... 96
Access to Security Tasks ........................................................................ 98
Instructor Note: HCM Security Task List ............................................... 100
Instructor Note: Demo Timing............................................................... 101
Demonstration: Viewing Roles in OIM .................................................... 102
Managing Job Roles and Duty Roles ......................................................... 104
Instructor Note: Demo Timing............................................................... 104
Demonstration: Using OIM to View and Manage Roles .............................. 105
Instructor Note: Do Not Use OIM to Create Data Roles ........................... 112
HCM Security Management Data Stores.................................................. 113
Instructor Note: Demo Timing............................................................... 115
Demonstration: Using APM to Manage Duties .......................................... 116
Fusion Applications, OIM, and APM Terminology Differences ...................... 120
Instructor Note: Notes on Tools and Tasks .............................................. 121
Regenerating Data Roles ...................................................................... 122
Instructor Note: Regeneration of Data Roles ......................................... 124
Instructor Note: Activity Timing ............................................................ 125
Activity 3 Introduction ......................................................................... 126
Instructor Note: Troubleshooting Activity ............................................. 127
Activity 3: Creating a New Job Role ..................................................... 128
Instructor Note: Activity Timing ............................................................ 132
Activity 4 Introduction ......................................................................... 133
Activity 4: Creating a New Data Role and Assigning to User .................... 134
Instructor Note: Troubleshooting Activity 4 ............................................. 137
User Interfaces for Security Review Question 1 ....................................... 138
User Interfaces for Security Review Question 2 ....................................... 139
User Interfaces for Security Review Question 3 ....................................... 140
User Interfaces for Security Questions and Answers ................................. 141
HCM Security Deep Dive......................................................................... 142
Instructor Note: Deep Dive Target Audience ........................................... 142
Duty Roles in Detail ............................................................................. 143
Function Security Privileges .................................................................. 144
Instructor Note: Read-Only Roles .......................................................... 145
Data Security Policy Components .......................................................... 146

Data Security Policies .......................................................................... 147
Data Security - Application Role Creation ................................................ 148
Data Security - FND_GRANTS Generation ............................................... 149
Data Security - Data Role Creation ........................................................ 150
Data Security in Action ........................................................................ 152
Instructor Note: Demo Timing............................................................... 153
Demonstration: Viewing Security Policies in APM ..................................... 154
Instructor Note on Activity 5: Bulk Regeneration ..................................... 161
Instructor Note: Activity Timing ............................................................ 162
Activity 5 Introduction ......................................................................... 163
Activity 5: Creating a Custom Duty Role ............................................... 164
Security Deep Dive Review Question 1 ................................................... 169
Security Deep Dive Review Question 2 ................................................... 170
Security Deep Dive Questions and Answers ............................................. 171
Instructor Note: Final Activities ............................................................. 172
Instructor Note: Activity Timing ............................................................ 173
Activity 6 Introduction ......................................................................... 174
Activity 6: Creating a Custom Line Manager Role ................................... 176
Tying It All Together .............................................................................. 183
Resilience to Change ........................................................................... 183
Lesson Review Questions ..................................................................... 185
Lesson Review Question 1 .................................................................. 185
Lesson Review Question 2 .................................................................. 186
Lesson Review Question 3 .................................................................. 187
Lesson Review Question 4 .................................................................. 188
Lesson Review Question 5 .................................................................. 189
Lesson Questions and Answers ........................................................... 190
Instructor Note: Activity Timing ............................................................ 191
Additional Security Activity Introduction ................................................. 192
Additional Security Activity: Creating a Custom Employee Role ................ 194
References ........................................................................................... 198
Lesson Highlights .................................................................................. 200
Lesson Details .................................................................................... 201
Tip: Minimizing the Number of Data Roles .............................................. 205
Dynamic Security Profiles and Areas of Responsibility ............................. 206
Defining Areas of Responsibility .......................................................... 207
Creating a Dynamic Security Profile ..................................................... 208
Tip: Impersonation and Delegation ........................................................ 210

Lesson 1: Define Security for HCM


Objectives
After completing this lesson, you should be able to:

Describe the key features of Oracle Fusion Applications security
Differentiate the four types of roles used in Oracle Fusion Applications security
Identify key components of the Security Reference Implementation
Create a new data role and assign security profiles
Describe how user accounts are created and roles are provisioned to users
Manage provisioning rules that map roles to users based on their HR assignments
Identify the three main tools used to manage security in Oracle Fusion Applications
Create a custom job role
Create a custom duty role
Describe how security policies are generated for roles that inherit a duty role
Describe the steps involved in creating custom line manager and employee abstract roles


Security Overview
Role-Based Security Model
Oracle Fusion Applications use a role-based access control security model. Users are
assigned roles through which they gain access to functions and data within the
applications.

In the figure below, Julie Brown has three roles:

When she signs on to Oracle Fusion Applications, all of these roles are active
concurrently. The functions and data she can access are determined by the
combination of roles to which she is assigned. As an employee, Julie has access to
employee functions and data, and as a line manager, she has access to line-manager
functions and data.


Instructor Note: Roles Assigned to Users

Contrast the Oracle Fusion Applications approach, where users have multiple roles
active simultaneously, with the EBS approach, where users select a responsibility and
operate within that responsibility only. Use the Security Component Terminology
Comparison slide later in this section to show how role types and other security
components in Oracle Fusion correspond to features in EBS and PeopleSoft.

If questions about security occur in other lessons (such as how to prevent a user from
doing something or how to enable a user to do something), the answer is always the
same: the roles provisioned to the user determine what the user can (and cannot) do.


Role-Based Access Control

Role-based security in Oracle Fusion Applications controls who can do what on which
data.

For example:

Who is a role assigned to a user.

What is a function that users with the role can perform.

Which Data is the set of data that users with this role can access when
performing this function. In Oracle Fusion HCM, "Which Data" is defined using
security profiles.


Predefined HCM Roles

The following is a partial list of the roles that are predefined and delivered with Oracle
Fusion HCM:

Benefits Administrator
Benefits Manager
Benefits Specialist
Compensation Administrator
Compensation Analyst
Compensation Manager
Compensation Specialist
Contingent Worker
Employee
Human Capital Management Application Administrator
Human Resource Analyst
Human Resource Manager
Human Resource Specialist
Human Resource VP
Line Manager
Payroll Administrator
Payroll Manager

These predefined roles are included in the Security Reference Implementation. You
can review details of the HCM security implementation in the Oracle Fusion Applications
Human Capital Management Security Reference Manual. The Oracle Fusion
Applications Common Security Reference Manual covers roles that are common across
Oracle Fusion Applications, such as the Application Implementation Consultant and IT
Security Manager roles.


Role Inheritance
Role inheritance is a key concept in the Oracle Fusion HCM security model. The figure
below illustrates the hierarchy of job and duty inheritance.

Human Resource Specialist is a job role that inherits a number of duties.


Data Role Inheritance

In the figure below, Human Resource Specialist Vision Corporation and Human
Resource Specialist Vision Services are data roles that inherit the Human Resource
Specialist job role. This gives them access to the tasks that an HR Specialist needs to
perform. The security profiles that are assigned to the data roles provide the data
access.

Note that the two data roles have different security profiles, granting access to different
sets of data.


User Role Inheritance

When individual users are assigned to data roles, they inherit the data and function
security associated with those roles.


Role Types
Oracle Fusion Applications uses four types of roles for security management:

Data Roles are a combination of a worker's job and the data instances that users
with the role need to access. For example, the HCM data role Payroll
Administrator Payroll US combines a job (Payroll Administrator) with a data
scope (Payroll US). Data roles are not delivered as part of the reference
implementation. They are defined by customers and are assigned directly to
users.

Abstract Roles represent a worker's role in the enterprise, independently of the
job the worker is hired to do. Three abstract roles are delivered with Oracle
Fusion HCM: Employee, Line Manager, and Contingent Worker. You can also
create custom abstract roles. You assign abstract roles directly to users.

Job roles align with the job a worker is hired to perform. Examples of predefined
job roles are Human Resource Analyst and Payroll Manager. You can create
custom job roles. Typically, you include job roles in data roles, and assign those
data roles to users. (The IT Security Manager and Application Implementation
Consultant job roles are exceptions, because they are not considered HCM job
roles and don't restrict data using security profiles.)

Duty roles align with the individual duties that users perform as part of their job.
They grant access to work areas, dashboards, task flows, application pages,
reports, batch programs, and so on. They may carry both function and data
security grants. Duty roles are inherited by job and abstract roles, and can also
be inherited by other duty roles. Duty roles are delivered as part of the reference
implementation, and can be used as building blocks when creating your own job
and abstract roles. You do not assign duty roles directly to users.


Role Inheritance Example

In reality, abstract and job roles inherit many duty roles. The following figure shows a
simplified example:

In this example, the duty roles give the user access to all the tasks and functions that an
HR specialist needs to perform plus all the tasks, unrelated to a specific job, that every
employee needs to perform.

Most security profiles are defined by customers and assigned to data roles and abstract
roles. (A small set of predefined security profiles is delivered as part of the security
reference implementation.)

The HCM security model supports several different types of security profiles, each used
to control access to a different type of data.


Security Privileges
When you look deeper into the role hierarchy, you can see that the Worker Promotion
Duty is associated with a function security privilege and two data security policies.

The Promote Worker function security privilege secures access to the Promote
Worker page.

One data security policy determines which people can be promoted.

A second data security policy determines which positions the person can be
promoted into.

Each data security policy defines a role (such as Worker Promotion Duty), a business
object being accessed (such as Person Assignment), the condition that must be met for
access to be granted, and a data security privilege that defines the action being
performed.

Function security privileges and data security policies are covered in detail in a later
section.
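To make the role hierarchy, function security privileges and data security policies above concrete, here is an added example in Python. It is not Oracle code and not how Oracle Fusion implements these checks internally; it is a small model of the rules the lesson states: a user's assigned roles are all active at once, duty roles carry the function privileges and data security policies, job and abstract roles inherit duty roles, and a data role binds a job role to security profiles that supply the "which data" condition. The role names are the ones the lesson uses (Worker Promotion Duty, Human Resource Specialist, Line Manager, Employee); the privilege names, the security-profile predicates, the extra duty roles and the manager and legal-employer attributes of the people (borrowed from the Data Security in Action demonstration later in this lesson) are constructed for illustration.

```python
"""Toy model of Fusion HCM role inheritance, function security and data security.

Added example, not Oracle code. Role names follow the lesson; privilege names,
security-profile predicates and the people's attributes are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    name: str
    manager: Optional[str] = None   # constructed reporting line
    legal_employer: str = ""        # constructed legal employer


# A security profile is a predicate: (acting user, record) -> may access?
Predicate = Callable[[Person, Person], bool]


@dataclass
class Role:
    name: str
    kind: str                                   # duty | job | abstract | data
    inherits: List[str] = field(default_factory=list)
    function_privileges: Set[str] = field(default_factory=set)
    # Data security policies: (business object, data privilege, condition name).
    data_policies: List[Tuple[str, str, str]] = field(default_factory=list)
    # Security profiles bound on data and abstract roles: condition name -> predicate.
    security_profiles: Dict[str, Predicate] = field(default_factory=dict)


ROLES: Dict[str, Role] = {}


def define(role: Role) -> Role:
    ROLES[role.name] = role
    return role


# Duty roles carry the grants (the lesson's Worker Promotion Duty has one
# function privilege and two data security policies; the rest are constructed).
define(Role("Worker Promotion Duty", "duty",
            function_privileges={"Promote Worker"},
            data_policies=[("Person Assignment", "Promote", "person_profile"),
                           ("Position", "Promote Into", "position_profile")]))
define(Role("Person Gallery Duty", "duty",
            function_privileges={"View Person Gallery"},
            data_policies=[("Person", "View Portrait", "public_person_profile")]))
define(Role("Workforce Structures Duty", "duty",
            function_privileges={"Manage Workforce Structures"}))

# Job and abstract roles inherit duties and carry no grants of their own.
define(Role("Human Resource Specialist", "job",
            inherits=["Worker Promotion Duty", "Workforce Structures Duty"]))
define(Role("Line Manager", "abstract",
            inherits=["Worker Promotion Duty", "Person Gallery Duty"],
            security_profiles={"person_profile": lambda u, p: p.manager == u.name,
                               "position_profile": lambda u, p: True,
                               "public_person_profile": lambda u, p: True}))
define(Role("Employee", "abstract",
            inherits=["Person Gallery Duty"],
            security_profiles={"public_person_profile": lambda u, p: True}))
# A data role = a job role + security profiles; customer-defined, assigned to users.
define(Role("Human Resource Specialist Vision Corporation", "data",
            inherits=["Human Resource Specialist"],
            security_profiles={"person_profile": lambda u, p: p.legal_employer == "Vision Corporation",
                               "position_profile": lambda u, p: True}))


def effective_roles(top: str) -> List[Role]:
    """Every role reachable from an assigned role through inheritance."""
    seen: List[str] = []
    stack = [top]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.append(name)
        stack.extend(ROLES[name].inherits)
    return [ROLES[n] for n in seen]


def function_privileges(user_roles: List[str]) -> Set[str]:
    """Function security: the union over all assigned roles, which are active concurrently."""
    return set().union(*(r.function_privileges for top in user_roles for r in effective_roles(top)))


def can_access_menu(user_roles: List[str], privilege: str) -> bool:
    """A Navigator entry or task-pane task appears only if its privilege is granted."""
    return privilege in function_privileges(user_roles)


def can_perform(user: Person, user_roles: List[str], business_object: str,
                data_privilege: str, record: Person) -> bool:
    """Data security: some assigned role must inherit a policy for (object, privilege)
    whose condition is satisfied by a security profile bound on that assigned role."""
    for top in user_roles:
        profiles = ROLES[top].security_profiles
        for r in effective_roles(top):
            for obj, priv, condition in r.data_policies:
                if obj == business_object and priv == data_privilege:
                    pred = profiles.get(condition)
                    if pred is not None and pred(user, record):
                        return True
    return False


# Constructed sample people (names from the demonstration; attributes invented).
JACK = Person("Jack Fisher", manager="Linda Swift", legal_employer="Vision Corporation")
LINDA = Person("Linda Swift", manager=None, legal_employer="Vision Corporation")
MARK = Person("Mark Winterling", manager="Jack Fisher", legal_employer="Vision Corporation")
JESSICA = Person("Jessica Mullen", manager="Linda Swift", legal_employer="Vision Services")
CURTIS = Person("Curtis Feitty", manager="Linda Swift", legal_employer="Vision Corporation")

if __name__ == "__main__":
    jack_roles = ["Employee", "Line Manager"]
    print("Jack sees Workforce Structures:", can_access_menu(jack_roles, "Manage Workforce Structures"))
    print("Jack can promote Mark (direct report):", can_perform(JACK, jack_roles, "Person Assignment", "Promote", MARK))
    print("Jack can promote Linda (his manager):", can_perform(JACK, jack_roles, "Person Assignment", "Promote", LINDA))
    print("Jack can view Linda's portrait:", can_perform(JACK, jack_roles, "Person", "View Portrait", LINDA))
```

Run it and the output follows the demonstrations: the line manager sees no Workforce Structures entry (function security), can promote a direct report but not his own manager (the person security profile on the Line Manager role), and can still view the manager's public portrait. The same `Worker Promotion Duty` policy, inherited through the Vision Corporation data role, is instead scoped by legal employer; that is the point of data roles: one duty, one job, different security profiles, different data.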


Instructor Note: Details Will Come Later

Sometimes the previous slide spawns questions from students who want to know a lot
more about what happens under the hood, because they find it very difficult to
understand what data security policies are, how they are used, and how they work.

Inform the class that this information is covered in detail later in the class in the HCM
Security Deep Dive section. In this overview, we're just introducing the concepts of
function security and data security and the related function security privileges and data
security privileges. Ask students to hold their detailed questions on data security
policies until later, and assure them that they will have an opportunity to see these
features up close.


Security Component Terminology Comparison

This table shows how security components in Oracle Fusion Applications correspond
directly to security features in E-Business Suite and PeopleSoft.


Role Evaluation
By default, users do not have access to Oracle Fusion Applications functions and data.
Users are granted access by means of the roles provisioned to them.

Prior to implementation, you must:

Review how the security reference implementation of roles and policies fits with
the jobs in your enterprise.

Identify the jobs that people have in your enterprise.

Decide whether the duties defined for the jobs in the security reference
implementation match the duties performed by corresponding jobs in your
enterprise.


Customizing Security for Your Needs

In cases where the predefined security reference implementation does not adequately
represent the needs of your enterprise, you can make changes. For example, a
predefined job role may be too narrowly defined. You can create a new job role and give
it a role hierarchy of different duty roles than a similar predefined job role, and provision
your newly created job role to users who should have broader access.

For example, the predefined Line Manager role includes compensation management
duties. If some of your line managers do not handle compensation, you could create a
custom line manager role without those duties.

Evaluate the predefined roles and privileges in the security reference implementation
against the needs of your enterprise and determine the necessary security setup
actions:

If jobs exist in your enterprise that are not represented by the security
reference implementation, you create a new job role or abstract role.

If the duties for a predefined job role are not the same as the
corresponding job description in your enterprise, you add duties to and
subtract duties from the job role.

If the duties for a job are not defined in the security reference
implementation, you create custom duty roles.

The demonstrations and activities in this lesson will show you how to perform each of
these setup actions.

Note: As you make changes to the security reference implementation for an Oracle
Fusion Applications deployment, it is good practice to create your own custom roles
rather than modify predefined roles. Upgrade and maintenance patches to the security
reference implementation preserve your changes. Thus, if you do modify predefined
roles, you won't be able to restore them to their original state by upgrading.


Instructor Note: Currently No Way to Copy Roles

There is currently no way of copying roles. This is being addressed in a future release of
Oracle Fusion Applications.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 5 minutes


Demonstration: Function Security in Action

Demonstration Background
As an Oracle Fusion Applications user, you access functions through the roles that have
been assigned to you.

Demonstration Scope
Go to the Navigator, and view the available options. Select an option, and view the
available tasks in the task pane.

Demonstration Steps

Start Here
Oracle Fusion Applications Sign On screen

1. Log in as Curtis.Feitty, using the password provided to you by the instructor.

2. In the menu bar at the top of the page, click Navigator.

Information
Function security is used to secure the Navigator menu. Each menu entry
corresponds to a work area or dashboard, and each of these is secured with a
function security privilege. The function security privileges that are granted to the
user (through his or her roles) control the menu entries that the user can see.


3. Select Workforce Structures under Workforce Management.

Information
Function security also secures the task pane (displayed on the left side of the
page) for a work area. Each of the task pane entries corresponds to a task flow,
which is secured with a function security privilege. The function security
privileges that are granted to the user (through his or her roles) control the task
pane entries that the user can see.

4. Select My Information > My Account from the Navigator.

Location: Manage User Account page

5. Scroll down to the Current Roles section.

Information
Curtis is assigned a great many roles, which is useful for testing (and for training
courses like this). He has functional manager roles, as well as IT Security
Manager. In the real world, few users would have this many different and
powerful roles.

6. Click Sign Out at the top of the page, and then sign back in as jessica.mullen.


7. Click the Navigator menu again.

Information
Jessica is an HR Analyst with fewer privileges than Curtis. Jessica does not have
access to the Workforce Structures function, so it does not appear on her
menu.

8. Select My Information > My Account from the Navigator, and then scroll down
to the Current Roles section to view Jessica's assigned roles.

9. Sign out.

You have demonstrated how to view menu options and tasks managed by function
security.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 7 minutes


Demonstration: Data Security in Action

Demonstration Background
As an Oracle Fusion Applications user, you access data via the roles that have been
assigned to you.

Demonstration Scope
Explore the data available for viewing by different users based on their assigned roles.

Demonstration Steps

Start Here
Oracle Fusion Applications Sign On screen

1. Log in as Jack.Fisher.

Information
This user has employee and line manager roles. He also has several direct
reports.

2. In the menu bar at the top of the page, click Navigator and select Person
Gallery.

3. Select the My Portrait tab.

Information
When you look at your own portrait, you can see your benefit enrollments,
compensation data, and so on. The actions that are available in the Actions
menu are controlled using data security. The actions you can perform include
things like Change Marital Status, but do not include actions like Promote.

4. Select the Organization Chart tab to show the management reporting hierarchy.

5. Click the name of Jack's manager, Linda Swift.

Information
When an employee views their manager's portrait, only publicly available
information appears. No actions are available. Data security controls access to
data that you can view for other people. A public person security profile controls
which people a user can search for in Person Gallery. Once a user has selected
a person, data security controls the Person Gallery cards that can be seen for
that person and also what actions can be performed against them.


6. Select the Organization Chart tab again.

7. Hover your mouse over the point at the bottom of Jack's box on the chart, and
then click the + sign to show Jack's direct reports.

8. Click Mark Winterling's name.

Information
In the Actions section, you can see the functions available to Jack. He can
promote, terminate, manage the salary and compensation, and view absence
balances for Mark.

9. Sign out and sign back in as Curtis.Feitty.

10. Navigate to the Person Gallery, and search for Linda Swift. (Enter Linda's
name in the Keywords field, click Search, and then click Swift, Linda in the
Search Results.)

Information
When viewing Linda in the Person Gallery, Curtis can see more cards and has
more actions than Jack. This is because Curtis has the HR Specialist - View All
role, which allows him a greater level of access.

You have demonstrated how to view application pages managed by data security and
noted the differences that result from provisioned data restrictions.


Exploring the Security Reference Manual


The Oracle Fusion Applications Human Capital Management Security Reference
Manual includes descriptions of all the predefined data that is included in the security
reference implementation for HCM.

The Oracle Fusion Applications Common Security Reference Manual provides
descriptions of predefined data that is common across Oracle Fusion Applications.

Note: All information presented in the manuals can be accessed in the various user
interface pages of Oracle Fusion Applications. However, the manuals make it easier to
compare and plan your customizations.

There are several ways to access the Security Reference Manuals online:

From the Search window in Oracle Fusion Help:

1. Click the Help link at the top of any application window.

2. Select Applications Help to display the Oracle Fusion Applications Help
window.

3. In the Search field, type the name of the manual you want to view, such as
Oracle Fusion Applications Human Capital Management Security Reference
Manual.

4. Click the icon button.

5. In the Search Results, click the link for the manual.

Information
From here, you can view, print, or save the manual to your local drive.

From the Guides Menu in Oracle Fusion Help:

1. Click the Help link at the top of the application window.

2. Select Applications Help to display the Oracle Fusion Applications Help
window.

3. Click the Guides link, and then select the manual you want to view.

From the Oracle Fusion Applications Documentation Page for Your Release:

1. Access the main Oracle Fusion Applications Documentation page at:
http://www.oracle.com/technetwork/documentation/fusion-apps-doc-1508435.html

2. Under Oracle Fusion Applications Documentation, click on the link for your
Oracle Fusion Applications release.

3. On the Oracle Fusion Applications Documentation page, click the Human
Capital Management tab.


4. Under Administration Guides, click the PDF or HTML link for the manual you
want to view.

HCM Security Reference Manual

The HCM Security Reference Manual contains a section for each predefined HCM job
and abstract role. For each role, you can review its:

duties
role hierarchy
function security privileges
data security policies

This information can help you understand which users should be provisioned with the
role, or which adjustments your enterprise requires before the role can be provisioned.

Additional Information
For additional information and links, see the References page at the end of this lesson.


Instructor Note: Security Reference Implementation


This training was originally developed for Release 7, prior to the Rel 7 GA, and the
Document Library was not yet finalized for that release. For that reason, the Guides link
from the Help>Applications Help menu did not work in the training environment. If the
training is delivered post Rel 7 GA, these links should work. Otherwise, advise students
to search for the reference manual from the help portal.

If there is time at the end of this module, ask the students to access the HCM Security
Reference Manual online and explore the contents.


Security Profiles and Data Roles


Data Security Through Security Profiles
Most Oracle Fusion HCM data is secured by means of HCM security profiles. A security
profile identifies a set of data of a single type, such as persons or organizations. For
example, you could create security profiles to identify:

All workers in department HCM US
The legal employer InFusion Corp USA1
Business units USA1 and USA2

Customers assign security profiles to:

Data roles. Data roles always inherit job roles. The job roles provide the function
security access, while the security profiles assigned to the data role provide
access to the data required to perform the duties of the job.

Abstract roles. Three abstract roles are delivered with HCM: employee, line
manager, and contingent worker. You assign security profiles to predefined
abstract roles, such as employee, to grant access to HCM business objects, such
as the worker's own person record. You can also assign security profiles to the
custom abstract roles that you create.

Note: In Cloud environments, security profiles are preassigned to the Employee,
Line Manager, and Contingent Worker abstract roles.

Job roles. Assigning security profiles directly to job roles is less common, since
users with the same job often access different sets of data.


Security Profiles Example


Security profiles are assigned to roles that are directly assigned to users.

In the following example, Tim Thompson and Patricia Smith are both human resource
specialists, Tim in US Marketing and Patricia in US Sales. Each has a data role that
inherits the job role Human Resource Specialist and the duty roles appropriate to that
job role. Therefore, Tim and Patricia can perform the same functions and see the same
entries in the Navigator, work area Tasks panes, and menus. However, each user
accesses different sets of data, which are identified in separate sets of security profiles.

Note: If Tim and Patricia could access the same sets of data, you would assign the
same data role to both users.
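The split the example above describes, function security from the inherited job role and data security from the assigned security profiles, can be modelled in a few lines. The following is an added illustration written for this guide, not Oracle code: the class names, the privilege names, the departments and the people are all constructed, and the rule that a data role with no profile for an object type sees no rows of that type is a modelling assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Set


@dataclass(frozen=True)
class JobRole:
    """Function security: what a user can do (menu entries, tasks, actions)."""
    name: str
    function_privileges: FrozenSet[str]


@dataclass
class SecurityProfile:
    """Data security: a predicate that identifies a data instance set of one object type."""
    name: str
    object_type: str
    matches: Callable[[dict], bool]

    def data_instance_set(self, objects: Iterable[dict]) -> Set[str]:
        return {o["name"] for o in objects
                if o["type"] == self.object_type and self.matches(o)}


@dataclass
class DataRole:
    """A data role inherits one job role and carries one security profile per object type."""
    name: str
    job_role: JobRole
    profiles: Dict[str, SecurityProfile]

    def can_perform(self, privilege: str) -> bool:
        # Functions come only from the inherited job role, never from the profiles.
        return privilege in self.job_role.function_privileges

    def accessible(self, object_type: str, objects: Iterable[dict]) -> Set[str]:
        # Modelling assumption: no profile for an object type means no rows of that type.
        profile = self.profiles.get(object_type)
        return profile.data_instance_set(objects) if profile else set()


def view_all(object_type: str) -> SecurityProfile:
    """Stand-in for the predefined View All profiles: every instance of the type."""
    return SecurityProfile(f"View All {object_type}s", object_type, lambda o: True)


def people_in_department(department: str) -> SecurityProfile:
    """Person profile secured by department (constructed criterion)."""
    return SecurityProfile(f"{department} People", "Person",
                           lambda o: o["department"] == department)


# Constructed sample data: one job role and a handful of records.
HR_SPECIALIST = JobRole("Human Resource Specialist",
                        frozenset({"Hire Worker", "Promote Worker", "Manage Salary"}))

RECORDS = [
    {"type": "Person", "name": "Ann Lee", "department": "US Marketing"},
    {"type": "Person", "name": "Raj Patel", "department": "US Marketing"},
    {"type": "Person", "name": "Mia Chen", "department": "US Sales"},
    {"type": "Organization", "name": "US Marketing"},
    {"type": "Organization", "name": "US Sales"},
]

# Tim and Patricia: same job role, different person security profiles.
TIM = DataRole("HR Specialist US Marketing", HR_SPECIALIST,
               {"Person": people_in_department("US Marketing"),
                "Organization": view_all("Organization")})
PATRICIA = DataRole("HR Specialist US Sales", HR_SPECIALIST,
                    {"Person": people_in_department("US Sales"),
                     "Organization": view_all("Organization")})


def compare(role_a: DataRole, role_b: DataRole, objects: Iterable[dict]) -> dict:
    """Show that the two roles share functions but not person data."""
    objects = list(objects)
    return {
        "same_functions": role_a.job_role.function_privileges
                          == role_b.job_role.function_privileges,
        "a_people": role_a.accessible("Person", objects),
        "b_people": role_b.accessible("Person", objects),
    }


if __name__ == "__main__":
    print(compare(TIM, PATRICIA, RECORDS))
```

Running `compare(TIM, PATRICIA, RECORDS)` reports `same_functions` as true while the two person sets are disjoint, which is exactly why the two users need two data roles rather than one: the job role alone cannot express the difference.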


HCM Security Profile Types


You can create HCM security profiles for the following HCM business objects:

Person (managed)
Person (public)
Organization
Position
Legislative Data Group
Country
Document Type
Payroll
Payroll Flow
Workforce Business Process

Two uses for the person security profile exist because many users need to access two
distinct sets of people in a single HCM data role: people whom they manage and people
whose public contact details they need to access (for example, in a worker directory).

The Person (managed) profile controls which people you can perform actions
against.

The Person (public) profile controls which people you can search for in the
Person Gallery. This profile is also used to secure some person LOVs. For
example, the Change Manager page and New Hire flows display a person LOV
that is secured using the public person security profile, rather than the person
security profile. This is because the person who is selecting the manager for a
worker might not have view access for that manager through their person
security profile.


Predefined HCM Security Profiles


The following HCM security profiles are predefined:

You cannot:

Edit or delete the predefined security profiles.
Create a custom security profile that provides access to all objects; you must use
the appropriate predefined View All security profile instead.


HCM Security Profiles Best Practices


The following recommendations apply to all types of HCM security profiles:

HCM security profiles are reusable and modular. Once you create a security
profile, you can assign it to multiple data roles.

You can reference organization, position, payroll, and other security profiles in a
person security profile. For example, you might define an organization security
profile that allows access to a particular business unit. You can then reference
the organization security profile in a person security profile to provide access to
people who are assigned to that business unit.

Use the predefined security profiles wherever appropriate.

Define a naming scheme that identifies clearly the set of business objects in the
security profile's data instance set, such as HCM US Departments or US
Marketing Positions. Security profile names must be unique in the enterprise for
the security profile type.


Approaches to Creating Data Roles


Consider these approaches when creating HCM data roles:

Give employees access to their own records, the person records of their
emergency contacts, beneficiaries, and dependents, and all public-person
records.

Assign relevant HCM security profiles directly to the employee abstract role.

Give managers access to the person records of direct and indirect reports.
Assign relevant HCM security profiles directly to the line manager abstract role.

For individual job roles, determine whether all users with that job role access the
same HCM business object instances. In this scenario, you do not need to create
a data role; you can simply assign the security profiles to the job role.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 15 minutes


Demonstration: Managing Data Roles and Security Policies

Demonstration Background
During security setup, you create data roles and assign security profiles to them.

Demonstration Scope
Use the Manage Data Role and Security Profiles task to demonstrate the process of
creating a data role and assigning security profiles to it.

Demonstration Steps

Start Here
Oracle Fusion Applications Sign On screen

1. Log in as Curtis.Feitty, if not already logged in.

2. Navigate to the Setup and Maintenance work area.

Location: Overview page, All Tasks tab

3. In the Name field, enter Manage Data Role and Security Profiles and click
Search.

Location: Search Results section

4. In the Manage Data Role and Security Profiles task row, click Go to Task.

Location: Manage Data Roles and Security Profiles page

5. In the Search Results section toolbar, click the Create icon button.

Location: Create Data Role: Select Role page

6. In the Data Role field, enter XX HR Specialist InFusion, where XX represents
your initials.

7. In the Job Role field, search for and select Human Resource Specialist.

Information
A data role is always associated with a job role, from which it inherits duties.

8. Click Next.


Location: Create Data Role: Security Criteria page

Information
Here you select the security criteria for the role. For each business object that the
job role needs to access, a section appears on this page. To identify data set
instances for each business object, you can either select an existing security
profile or create a new security profile.

Note: Any security profiles that you create while defining the data role exist
independently of the data role and can be reused.

9. In the Organization section, select the predefined View All Organizations
organization profile.

10. In the Person section, select the Create New hyperlink at the bottom of the
Person Security Profile LOV.

11. In the Name field, enter XX Person Security Profile InFusion.

12. Select the Secure by Global Name Range option.


13. For all other sections, select any one of the predefined View All security profiles.

14. Click Next.

Location: Assign Security Profiles to Role: Organization Security Profile
page

Information
This is the first of a series of pages for defining security profiles. Since you only
need to create a Person profile, you could skip to the Person page now by
clicking Person in the process train at the top of the page. However, for this
demonstration, we will review each page to see the criteria associated with each
business object. Key points about each profile type are included in the pages
following this demonstration.

15. Click Next, noting the security criteria on each page, until you reach the Person
train stop.

Location: Assign Security Profiles to Role: Person Security Profile page

Note: In the Global Name Range section, the Secure by Global Name Range
option is selected based on your previous entry (step 12).

16. In the Global Name Range section, enter A in the From Person Name field,
and enter L in the To Person Name field.

Information
This criterion limits access to persons whose global list names are in the range A
through L.

17. To view the remaining security profile pages, continue clicking Next until you
reach the Review page.

18. Click Submit.

Location: Manage Data Roles and Security Profiles page

Information
After submitting, it is a good idea to verify that the new role was successfully
created and profiles were assigned.

19. Search for the data role you just created. (Enter XX HR Specialist InFusion in
the Role field, and click Search.)

20. In the Search Results, verify that the Security Profiles Assigned column for
your role displays a green checkmark.

21. Click Done.

At this point, you should have created a new data role and assigned the necessary
security profiles.


Key Points for Creating Security Profiles


All Security Profile Types

A security profile defines criteria that identify a data instance set for a particular
business object.

You can define any combination of available criteria. For example, you can
identify an organization data instance set by any combination of organization
hierarchy, organization classification, and organization name.

If you define criteria by name (or a list or range of names), the data instance set
is the same for all users and changes only if you update the security profile.
However, if you use other criteria, such as hierarchy or classification, the data
instance set may vary by user and may change independently of the security
profile.

If you define criteria by hierarchy, you can include a subset of the items in the
hierarchy by specifying the top level of the hierarchy. For example, you can
include a subset of organizations in the organization hierarchy by specifying the
top organization.

Business objects must satisfy all of the criteria in the security profile to belong to
its data instance set.

To provide access to all records, use the predefined View All security profile.

Organization Security Profiles

Users need access to organizations either because they manage their definitions
or because they perform tasks where lists of organizations are presented. For
example, a human resource specialist selects a legal employer, business unit,
and department when hiring a worker.

An organization security profile should include all the organizations you need to
access. For example, if you need to hire employees, your organization security
profile should include the business units, legal employers, and departments into
which you will be hiring employees.

You can define multiple organization classifications. Organizations with multiple
classifications appear in the data instance set if they satisfy any one of the
classification criteria.


If you use the organization from the user's assignment as the top organization in
the organization hierarchy, the data instance set varies by user, even though the
organization security profile is the same for all users. If the user has multiple
assignments in the organization hierarchy, all relevant organizations from all
assignments belong to the data instance set.

Position Security Profiles

Users need access to positions because they either manage position definitions
or perform tasks where lists of positions are presented.

When you identify positions by department or business unit, you include positions
defined for those departments or business units. To identify the departments and
business units, you select existing organization security profiles: the position
security profile inherits the data instance sets of the selected organization
security profiles.

If you use the position from the user's assignment as the top position in the
position hierarchy, the data instance set varies by user, even though the position
security profile is the same for all users. If the user has multiple positions in the
position hierarchy, all relevant positions belong to the data instance set.

Person Security Profiles

Users access person records either because they need to update them (for
example, because they manage those people) or because they need to contact
those people. You create separate person security profiles for each of these
purposes.

A user who has access to a person record has access to relevant information
from all of the person's assignments, even if only one of the person's
assignments satisfies the criteria in the person security profile.

Workforce structures include department, legal employer, business unit, position,
legislative data group, and payroll. To secure person records by one or more of
these workforce structures, you select an appropriate security profile. The person
security profile inherits the data instance set of the selected security profile.

If you identify person records by manager hierarchy, you select either a person-
level or an assignment-level hierarchy.

In a person-level hierarchy, the data instance set includes any worker in a direct
or indirect reporting line to the signed-on user. Use this approach unless workers
have multiple assignments that are not all managed by the same manager.

In an assignment-level hierarchy, the data instance set includes both workers
who report to the signed-on manager directly and workers who report to the
assignments that the signed-on manager manages. In enterprises where workers
have multiple assignments reporting to various managers, this approach ensures
that only managers who are directly responsible for a worker have access to that
worker.

Public Person Security Profiles

A public person security profile identifies the set of workers whose work contact
details the signed-on user needs to access (for example, in the Person Gallery).

Document Type Security Profiles

Users need access to document types because they either manage the
definitions of those document types or need to access instances of those
document types in the person records to which they have access.

A document type security profile includes criteria that identify one or more locally
defined document types. You do not need to include criteria for accessing the
standard predefined document types, such as visas, driver's licenses, and
passports; access to a person record includes access to these document types
for that person.

You identify one or more document types by name and indicate whether to
include or exclude those document types.

If you include document types, users can access only the specified document
types; the data instance set never changes unless you update the security
profile.

If you exclude document types, users can access all document types except
those in the security profile; therefore, the data instance set may change
independently of the security profile.
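Two of the key points above are easy to get wrong in a design review: the difference between person-level and assignment-level manager hierarchies, and the difference between including and excluding document types. The following added example (written for this guide, not Oracle code) models both with constructed data: Bob holds two assignments under different managers, and a locally defined document type is added after the profiles were created, so that you can see which data instance sets drift and which stay fixed.

```python
from collections import namedtuple
from typing import Iterable, Set

# An assignment reports to a managing assignment (or to none at the top).
Assignment = namedtuple("Assignment", "id worker manager_assignment")

# Constructed data: Bob holds two assignments under different managers
# (B1 under Alice, B2 under Carol); Dave reports to Bob's second assignment.
ASSIGNMENTS = [
    Assignment("A1", "Alice", None),
    Assignment("C1", "Carol", None),
    Assignment("B1", "Bob", "A1"),
    Assignment("B2", "Bob", "C1"),
    Assignment("D1", "Dave", "B2"),
]


def assignment_level_reports(manager: str, assignments: Iterable[Assignment]) -> Set[str]:
    """Follow assignment-to-assignment reporting lines only; the walk never
    crosses into an assignment that the manager's chain does not manage."""
    assignments = list(assignments)
    frontier = [a.id for a in assignments if a.worker == manager]
    reports: Set[str] = set()
    while frontier:
        managing = frontier.pop()
        for a in assignments:
            if a.manager_assignment == managing:
                reports.add(a.worker)
                frontier.append(a.id)
    return reports


def person_level_reports(manager: str, assignments: Iterable[Assignment]) -> Set[str]:
    """Once a worker is reached through any assignment, continue the walk
    through all of that worker's assignments."""
    assignments = list(assignments)
    frontier, reports = [manager], set()
    while frontier:
        person = frontier.pop()
        managing = {a.id for a in assignments if a.worker == person}
        for a in assignments:
            if (a.manager_assignment in managing and a.worker not in reports
                    and a.worker != manager):
                reports.add(a.worker)
                frontier.append(a.worker)
    return reports


def document_type_instance_set(all_types: Iterable[str], listed: Iterable[str],
                               mode: str) -> Set[str]:
    """Include: the set is exactly what the profile lists and cannot drift.
    Exclude: the set is everything else, so it grows when new types are defined."""
    listed = set(listed)
    if mode == "include":
        return listed
    if mode == "exclude":
        return set(all_types) - listed
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for who in ("Alice", "Carol"):
        print(who, "person-level:", person_level_reports(who, ASSIGNMENTS),
              "assignment-level:", assignment_level_reports(who, ASSIGNMENTS))
    print(document_type_instance_set(["Contract", "NDA", "Badge Request"],
                                     ["Contract"], "exclude"))
```

Alice reaches Dave only under the person-level hierarchy, because the walk passes through Bob as a person and therefore through Bob's second assignment, which Carol manages. Under the assignment-level hierarchy Alice sees only Bob, which is the behaviour the text recommends when assignments report to different managers.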


Instructor Note: Notes on Activities


Note Regarding All Activities in this Guide

Use of Implementation Projects

During an actual implementation, an implementation user typically performs
assigned tasks from their implementation project and tracks their progress as
they go. For activities in this lesson, students can run the assigned tasks from
their implementation project or launch tasks from the All Tasks tab (as described
in the activity steps). The latter is faster and works perfectly well. However, if
users want to track the completion of their setup activities, they should start
activities from their implementation project and mark them as complete when
they are done.

Each Activity Builds on the Previous One

Students will create business objects in each activity, and will use the objects
they create in subsequent activities. So it's important that they successfully
complete each one.

The activities specify the names to use for the business objects created. Instruct
students to use the specified names as it will help when referring to the objects
later on. Likewise, instruct students to enter all field values exactly as instructed,
as those values must be present for future activities.

Environment Issues

All activities have been tested, but we have encountered intermittent problems
with the following:

User Creation - When a user is created using the Manage Users task, the user
record should be immediately available in OIM. However, sometimes there is a
lag between the time the new user record is saved and the time it shows up in
OIM. There is nothing to do here but wait.

Problem starting OIM - When using the Manage Job Roles task to access OIM,
a new browser window opens. Sometimes that window is blank and OIM does
not start. If this happens, don't wait more than a minute or two. The best thing is
to close the blank browser window and then sign out of Oracle Fusion
completely. Start Fusion again in a new browser window, and then start OIM.
This usually solves the problem right away.


Instructor Note: Activity Timing

Approximate Activity Timing: 15 minutes


Activity 1 Introduction
Background

When HR specialists perform tasks where lists of organizations are presented, they
must be able to select their department and should not be able to view certain restricted
departments. A new data role is required, with security profiles that restrict the data the
role can access.

Requirements

Use the bold text for the object names, replacing the XX with your initials.
You must have access to an Oracle Fusion Applications InFusion database (or a
comparable training or test instance at your site) on which to complete this
activity.

Activity Scope


Activity 1: Creating Security Profiles and Assigning to a New Data Role
In this activity, you create two security profiles:

An organization security profile that grants access to the Operations US
department and all departments under it in the department hierarchy, except the
Organizational Development US department and its parent, the Human Resource
US department.

A person security profile that grants access to persons in the Operations US
department, with the same two exclusions.

Once you have created both security profiles, you create an HCM data role, based on
the Human Resource Specialist job role, and assign the two security profiles to it.

Start Here
Oracle Fusion HCM Sign On screen

Create Organization Security Profile

1. Log in as Curtis.Feitty.

2. Navigate to the Setup and Maintenance work area.

Location: Overview page, All Tasks tab

3. In the Name field, enter Manage Organization Security Profile and click
Search.

Location: Search Results section

4. In the Manage Organization Security Profile task row, click Go to Task.

Location: Manage Organization Security Profiles page

5. In the Search Results section toolbar, click the Create icon button.

Location: Create Organization Security Profile page

6. In the Name field, enter XX Operations US.

7. In the Organization Hierarchy section, select the Secure by Organization
Hierarchy option.


8. In the Tree Structure field, select Department Hierarchy.

9. In the Department Tree field, select InFusion Department Tree.

10. In the Top Organization Selection field, select the Specify Organization
option.

11. In the Organization LOV, search for and select Operations US.

12. In the Organizations section, select the Secure by Organization List option.

13. Click the Add (+) icon button.

14. In the Organization LOV, search for and select Human Resources US.

Information
If you search for the organization, enter Department as the Classification
Name in the Search and Select: Organization window.

15. Select the Exclude option.

16. Click the Add (+) icon button again.

17. In the Organization LOV, search for and select Organizational Development
US.

18. Select the Exclude option.

19. Click Save and Close.

20. Click Done.

Create Person Security Profile

1. In the Setup and Maintenance work area, search for the Manage Person
Security Profile task.

2. In the Search Results, select the Manage Person Security Profile task row
and click Go to Task.

Location: Manage Person Security Profiles page

3. In the Search Results section toolbar, click the Create icon button.

4. In the Name field, enter XX Operations US People Only.


5. In the Workforce Structures section, select the Secure by Department option.

6. In the Secure by Department LOV, select the XX Operations US organization
security profile you created earlier.

7. Click Save and Close.

Information
Click Yes to the warning message to allow future changes, if it is displayed.

8. Click Done.

Create a Data Role and Assign Security Profiles

1. In the Setup and Maintenance work area, search for the Manage Data Role
and Security Profiles task.

2. In the Search Results, select the Manage Data Role and Security Profiles
task row and click Go to Task.

Location: Manage Data Roles and Security Profiles page

3. In the Search Results section toolbar, click the Create icon button.

Location: Create Data Role: Select Role page

4. In the Data Role field, enter XX HR Spec Data.

Information
The name cannot exceed 55 characters.

5. In the Job Role field, search for and select Human Resource Specialist.

Information
The job role selection affects which security profiles you can assign to the role.
For example, selection of the Human Resource Analyst job role will not allow you
to control security of the payroll flow, since that is not part of the job.

6. Click Next.

Location: Create Data Role: Security Criteria page

7. In the Organization section, select the organization security profile you created
in this activity (XX Operations US).


8. In the Person section, select the person security profile you created in this
activity (XX Operations US People Only).

9. In all other sections, search for and select any one of the predefined View All
options.

10. Click Review.

11. Click Submit.

Location: Manage Data Roles and Security Profiles page

12. Search for the data role you just created. (Enter XX HR Spec Data in the Role
field, and click Search.)

13. In the Search Results, verify that the Security Profiles Assigned column
displays a green checkmark.

14. Click Done.
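The Organization Security Profiles key points earlier in this lesson and the two profiles built in this activity describe the same evaluation: a hierarchy below a top organization, minus an organization list marked Exclude, inherited by a person profile that is secured by department. The following added example (written for this guide, not Oracle code) computes the data instance sets that XX Operations US and XX Operations US People Only would identify; the department tree, the people and the Recruiting US department are constructed, since the real InFusion Department Tree is only referred to by name in the activity. It also carries the global name range criterion from the earlier demonstration, to show that all criteria in a person profile must hold.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed department tree (parent -> children).
DEPARTMENT_TREE: Dict[str, List[str]] = {
    "InFusion Corp": ["Operations US", "Finance US"],
    "Operations US": ["Human Resources US", "Manufacturing US"],
    "Human Resources US": ["Organizational Development US", "Recruiting US"],
    "Manufacturing US": [],
    "Organizational Development US": [],
    "Recruiting US": [],
    "Finance US": [],
}

# Constructed people; each holds one or more assignments, identified by department.
PEOPLE = [
    {"name": "Barnes, Kim", "assignments": ["Manufacturing US"]},
    {"name": "Nguyen, Tran", "assignments": ["Finance US", "Manufacturing US"]},
    {"name": "Evans, Lee", "assignments": ["Organizational Development US"]},
    {"name": "Hale, Pat", "assignments": ["Recruiting US"]},
    {"name": "Young, Sam", "assignments": ["Finance US"]},
]


def subtree(tree: Dict[str, List[str]], top: str) -> Set[str]:
    """Secure by Organization Hierarchy: the top organization and everything below it."""
    result: Set[str] = set()
    stack = [top]
    while stack:
        org = stack.pop()
        if org in result:
            continue
        result.add(org)
        stack.extend(tree.get(org, []))
    return result


def organization_instance_set(tree: Dict[str, List[str]], top: str,
                              excluded: Iterable[str] = ()) -> Set[str]:
    """XX Operations US: the hierarchy below the top organization minus the
    organizations listed with Exclude.  Exclusion removes only the listed
    organization, not its children, which is why the activity lists both
    Human Resources US and its child Organizational Development US."""
    return subtree(tree, top) - set(excluded)


def person_instance_set(people: Iterable[dict], departments: Set[str],
                        name_range: Optional[Tuple[str, str]] = None) -> Set[str]:
    """XX Operations US People Only: Secure by Department, referencing the
    organization profile's data instance set.  A person qualifies if any one
    assignment is in those departments (access then covers all assignments).
    If a global name range is also set, both criteria must hold."""
    result: Set[str] = set()
    for person in people:
        in_department = any(d in departments for d in person["assignments"])
        in_range = (name_range is None
                    or name_range[0] <= person["name"][0] <= name_range[1])
        if in_department and in_range:
            result.add(person["name"])
    return result


OPS_US = organization_instance_set(
    DEPARTMENT_TREE, "Operations US",
    excluded=["Human Resources US", "Organizational Development US"])

if __name__ == "__main__":
    print("organizations:", sorted(OPS_US))
    print("people:", sorted(person_instance_set(PEOPLE, OPS_US)))
    print("people A-L:", sorted(person_instance_set(PEOPLE, OPS_US, ("A", "L"))))
```

Note that Nguyen, Tran is included through the Manufacturing US assignment even though the Finance US assignment is outside the profile, while Evans, Lee is excluded because the only assignment is in an excluded department. Recruiting US, a constructed child of Human Resources US, stays in the set because the exclusion list names its parent, not the subtree; check a real tree for such children before provisioning the role.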


Assigning Security Profiles to Existing Roles


To assign security profiles to an existing role, use the Manage Data Roles and
Security Profiles task you just used to create a data role.

On the Manage HCM Data Roles page, search for the role. In the Search Results
section, select the role and then click the Assign button.

The Assign HCM Data Role: Select Security Criteria page shows the types of
security profiles currently used by the selected role.

Make any necessary changes to the security criteria, and click Next. The series of
pages displayed when you assign security profiles to an existing data role is the same
as when you assign profiles to a new data role.

Click Submit on the final page to save your changes.


Editing Security Profiles


You cannot modify existing security profiles using the Manage Data Role and Security
Profiles task.

If you want to change the definition of an existing security profile, use the appropriate
task in the Setup and Maintenance work area:

Manage Country Security Profile
Manage Document Type Security Profile
Manage Legislative Data Group Security Profile
Manage Organization Security Profile
Manage Payroll Flow Security Profile
Manage Payroll Security Profile
Manage Person Security Profile
Manage Position Security Profile
Manage Workforce Business Process Security Profile

Search for the profile, and then open it for editing. When you save your changes, they
are picked up immediately by any data roles that reference them.


Security Profiles Review Question 1


Which of the following is not a predefined HCM security profile?

1. View Own Record
2. View All Positions
3. View All Jobs
4. View All Document Types


Security Profiles Review Question 2


You can identify a set of person records in a person security profile by:

1. Legislative data group
2. Custom criteria
3. Person type
4. Payroll
5. All of the above


Security Profiles Review Question 3


A user who has access to a person record has access to all of the person's
assignments.

1. True
2. False


Security Profiles Questions and Answers


Which of the following is not a predefined HCM security profile?
3. View All Jobs

You can identify a set of person records in a person security profile by:
5. All of the above (legislative data group, custom criteria, person type, and payroll)

A user who has access to a person record has access to all of the person's
assignments.
1. True


User and Role Provisioning


User Account Creation and Maintenance Scenarios
A customer's approach to account creation and maintenance for Oracle Fusion HCM
users depends on their existing user base, whether or not their users are shared among
multiple applications, and whether they plan to use Oracle Fusion HCM to handle their
ongoing user account management needs. There are several possible scenarios, such
as:

The customer plans to create new users within Oracle Fusion HCM on an
ongoing basis.

In this scenario, Oracle Fusion HCM operates as a standalone system, and HCM
users are not shared with other applications in the enterprise.
At implementation time, existing users might be imported into Oracle Fusion
HCM, or a set of new users might be created when workers are loaded into
Oracle Fusion HCM.

The customer maintains a set of users in an on-premise LDAP that
connects to multiple applications using Single Sign-On (SSO).

The customer wants to allow these existing users to access Oracle Fusion HCM
using SSO. New users are provisioned in the on-premise LDAP and copied to
Oracle Identity Manager (OIM) for use by Oracle Fusion HCM. Fusion HCM roles
are maintained in OIM.

The customer, typically a very large company, has its own user account
and role-provisioning system.

The customer wants to use their own system, rather than Oracle Fusion HCM, to
manage all user and role provisioning for all applications in the enterprise.


Instructor Note: User Account Management Scenarios


This training focuses on the first of the three scenarios on the previous page. Single
Sign-On is not covered (due to time constraints and because e-training is available for
this feature).

Ask students to take this e-training, as homework, after the first day of class. (See the
Reference section at the end of this lesson for a link to the training.) If students have
any questions after taking the training, they should bring them to class on the following
day. If the instructor or attending SMEs do not have answers to the questions, they
should attempt to find and communicate the answers by the end of the training day.


User Account Provisioning


User Account Creation

You can configure Oracle Fusion HCM to create user accounts automatically
when workers are hired using the New Hire flow.

You can also create user accounts using the Manage Users task. This is a
quicker way of getting employees into the system than using the New Hire flow.
(There is a demonstration later in this section that illustrates this process.)

Note: Once an implementation is complete, HCM users do not typically use the
Manage Users task; they use the New Hire flows, which are more functionally
rich.

During initial implementation, user accounts are typically migrated to Oracle
Fusion Applications using batch processes. Once you have implemented Oracle
Fusion Applications, user accounts can be automatically provisioned using
Oracle Fusion HCM tasks.

Use the Create Implementation Users task to create implementation users.

Users created with this task are not mapped to an HR Person Type, such as
Employee or Contingent Worker. You can map an implementation user to an
employee later, however.

User Account Maintenance

User accounts can be maintained using the Manage Users task in the Setup and
Maintenance work area and the Manage User Account task in the Person
Management work area.

User accounts can be automatically revoked when workers are terminated
(based on account provisioning rules).

User passwords can be reset using the Manage Users task in the Setup and
Maintenance work area and the Manage User Account task in the Person
Management work area.


Enterprise-Level User and Role-Provisioning Options


You can define enterprise-level settings to control:

User Creation
Send User Name and Password
User Account Role Provisioning
User Account Maintenance

To configure enterprise-wide user and role-provisioning options, use the Manage
Enterprise HCM Information task in the Setup and Maintenance work area.

Setup and Maintenance work area > Manage Enterprise HCM Information >
Edit Enterprise page


Setting Enterprise-Level Options


User and Role Provisioning Information

User Account Creation: Controls whether user accounts are created in OIM
when persons are added in Oracle Fusion HR. Defaults to Yes. You cannot
override this enterprise-level setting at the user level.

Send User Name and Password: Controls whether to send new users and their
managers an email notification when their Oracle Fusion account is accessible.
Defaults to Yes. Set to No to suppress notifications if, for example, you are
starting an implementation or doing a pilot program and do not want notifications
sent during this period. You can override this enterprise-level setting for
individual users on the Create User page (Manage Users task).

Note: You can request notifications later for all users who have not yet been sent
their user names and passwords. To do so, select Navigator>Tools>Scheduled
Processes and run the Send Initial User Name and Password Email
Notifications process.

User Account Role Provisioning: Controls whether to provision and
deprovision roles to users. Defaults to Yes. If set to No, no roles are assigned in
or removed from OIM; provisioning requests are created and held in the LDAP
requests table, but marked with a suppressed status and not sent to OIM.

User Account Maintenance: Controls whether to send updated user account
data to OIM when changes are made to any of the following: name fields, person
type, work email, manager of primary assignment, work address and fax details
of primary assignment, and username. Defaults to Yes. If set to No, no updates
are sent to OIM.

Note: Internal Oracle users can view a full list of fields in the Users and Roles
Technical Solution Overview, Data Passed to LDAP from Fusion section at:
http://hcmwiki.us.oracle.com:8880/display/corehr/Users+and+Roles+V1+Technical+Solution+Overview#UsersandRolesV1TechnicalSolutionOverview-DataPassedtoLDAPfromFusion

Alternate Contact E-Mail Address: An enterprise-level e-mail address to which
user names and passwords are sent in addition to, or instead of, the user and the
user's line manager. This is typically used for testing purposes; clear it once testing
is complete so that production credentials are not copied to a shared mailbox.

Default User Name Format: The default name format to use for automatically
generated user names, if the User Account Creation option is set to Yes.


Instructor Note: User and Role Provisioning


Some (large) customers have their own custom role-provisioning systems that they
want to use to provision Fusion HCM roles to their users instead of using the HCM role-
provisioning pages.

If a customer turns off user account role provisioning, any roles that are requested for
users using HCM pages (such as Manage User Account) are stored as pending
requests but are not actioned.


Provisioning Roles to Users: Overview


Role provisioning is built into Oracle Fusion HR flows. You can initiate the provisioning
and revoking of roles from within the following flows:

Hire an Employee
Promote Worker
Transfer Worker

Users can self-request new roles if role mapping rules have been defined (as described
on the next page) and the user meets the specified criteria. Line managers and HR
specialists can request new roles for the people they manage and revoke existing roles
from people they manage.

Note: By default, users have no access to functions and data. To enable users to
access functions and data, you must provision roles to them.


Instructor Note: Roles Must Be Provisioned


You cannot emphasize this point too strongly: roles, even standard roles such as
Employee and Line Manager, must be provisioned to users. Hiring a person as an
employee is not the same as provisioning the Employee role to the worker; they are
separate tasks. However, often (as in this training environment) Employee and Line
Manager roles are automatically provisioned, and default role mapping rules are
provided in Cloud HCM pods.


Instructor Note: Role-Provisioning Rules


When presenting the information on the Defining Role-Provisioning Rules page, you can
either present the page from the guide or navigate to Manage HCM Role Provisioning
Rules > Manage Role Mappings page > Create Role Mapping page and demo it.

When you have finished discussing the Role-Provisioning Options page, ask students
to look carefully at the screen shot on the Defining Role-Provisioning Rules page. Tell
them there are two problems with the security setup portrayed in the screen shot. Ask if
they can spot the (deliberate!) mistakes in this role mapping rule:

The data role name doesn't match the legal employer. They should always make
sure that the data role they select is the appropriate one, as there will be many
available for selection.

Both the Auto Provision and the Requestable options are selected. Because the
conditions of a Requestable mapping are evaluated against the requester, not the
recipient, this means that anyone who is in the HR010.HR Specialist job and works
for Vision Corporation can give the role to anyone in their person security profile,
which doesn't make sense given that this role is being automatically provisioned.
You would typically choose one or the other of these options.


Defining Role-Provisioning Rules


Role-provisioning rules determine the roles that a user should have based on their HR
assignments. Also referred to as role mappings, role-provisioning rules define an
association between a set of conditions (typically assignment attribute values) and one
or more job, abstract, and data roles.

Use the Manage HCM Role Provisioning Rules task in the Setup and Maintenance
work area to create and manage role-provisioning rules.

Manage HCM Role Provisioning Rules > Manage Role Mappings page > Create Role
Mapping page

Key Points

Use the Conditions area to define the conditions that must be met for the
mapping to apply.

Use the Associated Roles section to add one or more existing roles to the
mapping rule.

Use the checkboxes (described in detail on the following page) to determine
whether a given role can be assigned automatically, manually, or by user
request. Note that the Auto Provision option is selected by default; you must
deselect it if you do not want the role to be automatically provisioned.


In the sample screen above, the conditions mean that any employee who works
for Vision Corporation and is assigned the job of HR010.HR Specialist will
automatically be given the Human Resource Specialist Vision Operations
data role (since the Auto Provision option is selected). If the user subsequently
transfers to a different job, they will automatically lose this role.


Role-Provisioning Options
When defining role-provisioning rules on the Create Role Mapping page, you have
several provisioning options:

Auto Provision. Provisions roles automatically to all eligible users when at least
one of their assignments is either created or updated and satisfies the role-
mapping conditions.

An automatically provisioned role is deprovisioned automatically when the user's
assignments cease to satisfy the role-mapping conditions.

Requestable. Enables users, such as line managers and human resource
specialists, to provision roles manually to other users. Users retain roles that are
provisioned to them manually until either all their work relationships are
terminated or the roles are deprovisioned manually.

Note: The criteria defined in the Conditions section must be satisfied by the user
who is provisioning the role to other users, not by the users who are receiving the
role. A Requestable mapping with no conditions therefore lets any user who can
reach the role-request pages grant the role to anyone in their person security
profile, so keep the conditions on Requestable mappings as tight as on Auto
Provision ones.

Self-Requestable. Enables users to request roles for themselves. Users retain
roles that they request for themselves manually until either all their work
relationships are terminated or the roles are deprovisioned manually.

Apply Auto Provisioning. Provisions roles to users immediately, rather than
waiting for the next assignment change to trigger automatic provisioning or for a
manual request.

When you click this button, all assignments and role mappings in the enterprise
are reviewed and any necessary provisioning and deprovisioning of roles occurs
immediately. You can also perform auto provisioning from an individual user's
account, in which case only that user's assignments are reviewed and any
necessary provisioning and deprovisioning of roles for that user occur
immediately.
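The provisioning options described above, together with the two setup mistakes called out in the instructor note for the Defining Role-Provisioning Rules page (an Auto Provision rule with no conditions, and a rule with both Auto Provision and Requestable selected), as a small Python model. This is an added example written for this guide, not Oracle code: the Assignment, RoleMapping and User classes, the attribute names used as conditions, the users alice and bob, the HR020.Analyst job and the "HR Specialist Vision" mapping are all assumptions made for the illustration, and the "Employee" mapping stands in for the predefined Employee rule. The real product evaluates mappings inside Oracle Fusion HCM and OIM, not in code like this.

```python
# Added example (not Oracle code): a model of HCM role-mapping evaluation.
# Class names, condition attributes and all sample data are assumptions.
from dataclasses import dataclass, field


@dataclass
class Assignment:          # attributes double as role-mapping conditions
    legal_employer: str
    job: str
    person_type: str = "Employee"
    active: bool = True    # False once the work relationship is terminated


@dataclass
class RoleMapping:         # one row on the Create Role Mapping page
    name: str
    conditions: dict             # assignment attribute -> required value
    roles: list                  # associated role names
    auto_provision: bool = True  # selected by default on the page
    requestable: bool = False
    self_requestable: bool = False

    def matches(self, assignment):
        """Active assignment satisfying every condition; no conditions = any active one."""
        return assignment.active and all(
            getattr(assignment, attr) == value for attr, value in self.conditions.items())

    def matches_user(self, user):
        return any(self.matches(a) for a in user.assignments)


@dataclass
class User:
    assignments: list
    auto_roles: set = field(default_factory=set)    # from Auto Provision
    manual_roles: set = field(default_factory=set)  # requested or self-requested


def apply_auto_provisioning(user, mappings):
    """Per-user 'Autoprovision Roles': re-evaluate every Auto Provision mapping.
    Returns (added, removed); roles whose conditions no longer hold are removed."""
    wanted = {r for m in mappings if m.auto_provision and m.matches_user(user) for r in m.roles}
    added, removed = wanted - user.auto_roles, user.auto_roles - wanted
    user.auto_roles = wanted
    return added, removed


def request_role(requester, recipient, role, mappings):
    """Requestable: conditions apply to the requester, not the recipient.
    Self-Requestable (requester is recipient): conditions apply to that user."""
    flag = "self_requestable" if requester is recipient else "requestable"
    if any(getattr(m, flag) and role in m.roles and m.matches_user(requester) for m in mappings):
        recipient.manual_roles.add(role)
        return True
    return False


def terminate_all_work_relationships(user, mappings):
    """Manual roles survive transfers but not termination of every work relationship."""
    for a in user.assignments:
        a.active = False
    user.manual_roles.clear()
    return apply_auto_provisioning(user, mappings)   # auto roles go too: nothing matches


def lint_mapping(mapping):
    """Flag the two setup mistakes the instructor note describes."""
    warnings = []
    if mapping.auto_provision and not mapping.conditions:
        warnings.append("Auto Provision with no conditions: every active user gets " + ", ".join(mapping.roles))
    if mapping.auto_provision and mapping.requestable:
        warnings.append("Auto Provision and Requestable both selected; choose one")
    return warnings


MAPPINGS = [  # constructed sample mappings, modelled on the ones discussed in this lesson
    RoleMapping("Employee", {"person_type": "Employee"}, ["Employee"]),
    RoleMapping("HR Specialist Vision", {"legal_employer": "Vision Corporation",
                "job": "HR010.HR Specialist"}, ["Human Resource Specialist Vision Operations"]),
    RoleMapping("XX Generic Mapping Rule", {}, ["XX HR Spec Data"],
                auto_provision=False, requestable=True),
]


def walkthrough():
    """Hire, transfer, manual grant and termination; returns the roles after each step."""
    alice = User([Assignment("Vision Corporation", "HR010.HR Specialist")])
    bob = User([Assignment("Vision Corporation", "HR020.Analyst")])
    apply_auto_provisioning(alice, MAPPINGS)
    apply_auto_provisioning(bob, MAPPINGS)
    after_hire = set(alice.auto_roles)
    alice.assignments[0].job = "HR020.Analyst"             # transfer to another job
    apply_auto_provisioning(alice, MAPPINGS)
    after_transfer = set(alice.auto_roles)
    request_role(alice, bob, "XX HR Spec Data", MAPPINGS)  # alice grants bob the data role
    after_grant = bob.auto_roles | bob.manual_roles
    terminate_all_work_relationships(bob, MAPPINGS)
    return after_hire, after_transfer, after_grant, bob.auto_roles | bob.manual_roles
```

Calling walkthrough() shows the lifecycle the options describe: alice receives both the Employee role and the data role on hire, loses only the data role when she transfers to another job, and bob keeps a manually granted role through transfers but loses everything when all his work relationships end. lint_mapping is the check to run mentally before saving a mapping: an unconditioned rule with Auto Provision left selected (the default) provisions the role to every active user in the enterprise.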


Predefined Role-Provisioning Rules


The following role-provisioning rules are predefined for HCM Cloud environments:

Employee. Automatically provisions the Employee role

Contingent Worker. Automatically provisions the Contingent Worker role

Line Manager. Automatically provisions the Line Manager role

Requestable Roles. Defines all predefined View All data roles as Requestable
(manually provisioned)


Integration with New Hire Flow


Instructor Note: New Hire Process
You can demo the Hire an Employee flow to show how roles are assigned during the
new hire process. However, this process requires you to provide data in a large number
of fields in order to progress through the entire flow. It may be faster (and perfectly
adequate) to display and discuss the screens that follow, rather than doing a
demonstration.


Integration with New Hire Flow


The following screens illustrate how role provisioning is integrated into the New Hire
flow.

To meet the conditions defined in the role mapping example on the Defining Role-
Provisioning Rules page, an employee would need to work for InFusion Corp USA1
and be assigned the job of HR010.HR Specialist. You specify the employee's legal
employer on the Identification page of the Hire an Employee flow, as shown in this
figure:

Manager Resources > New Person > Hire an Employee > Identification page


New Hire Flow - Job Assignment


You specify the employee's job on the Employment Information page of the Hire an
Employee flow, as shown in this figure:

Manager Resources > New Person > Hire an Employee > Identification page >
Person Information page > Employment Information page


New Hire Flow - Role Requests


The Roles page of the flow shows the roles that will be automatically provisioned to the
employee based on the selected job, along with the Employee abstract role:

Manager Resources > New Person > Hire an Employee > Identification page >
Person Information page > Employment Information page > Roles page


Tip: Role-Provisioning Strategies


During implementation, consider the following approaches to role provisioning:

Determine the roles that all workers of a particular type must have, and
create role mappings to provision those roles automatically.

For example, to ensure that all employees have the employee role, create a role
mapping to autoprovision the role to eligible users.

Determine the roles that all line managers must have, and create role
mappings to provision those roles automatically.

For example, if all line managers must have both the line manager role and a
locally defined Expenses Manager role, then create a role mapping to
autoprovision both of those roles to eligible users.

Note: Automatic role-provisioning rules for employee and line manager roles are
predefined for Cloud HCM customers.

Determine the roles that only some workers of a particular type will need,
and autoprovision the roles if possible.

For example, some human resource specialists may also need the benefits
analyst role. If you can autoprovision those roles based on specific conditions,
then create role mappings to provision those roles automatically. Otherwise,
decide whether workers can request those roles for themselves or whether they
must be provisioned by other users, such as line managers, and create the
appropriate role mappings.

Remember that:

Automatic role provisioning is a time-saver and recommended for standard roles,
such as abstract roles. It is highly efficient for mass role provisioning.

A single role mapping definition can be used to manage multiple roles and a mix
of provisioning strategies, provided that the role mapping conditions are the
same in all cases.


Implementation Users
Implementation users typically do the following:

Administer Oracle Fusion Applications users and security
Manage implementation projects for Oracle Fusion Applications offerings
Set up basic enterprise structures needed to implement Oracle Fusion
Applications offerings

The following implementation users are predefined for HCM Cloud environments. In
each user name, xx is a 2 or 3 character prefix specific to the customer.

xx_Admin

Intended for technical super users.

Has the following roles:

IT Security Manager
Application Implementation Consultant
Administrators (WebLogic access)
Application Diagnostics Administrator
Application Diagnostics Advanced User

xxOIMAdmin

Intended for security administrators.

Has the following role:

IT Security Manager

hcm.user

Intended for users who are performing the Oracle Fusion HCM implementation.
Has the following roles:

Application Administrator
Application Implementation Consultant
Application Diagnostics Regular User
Application Diagnostics Viewer


In addition, the following roles are provided based on which HCM services a
customer has subscribed for:

{CustomerNm}_HRAnalyst_ViewAll
{CustomerNm}_HCMApplicationAdministrator_ViewAll
{CustomerNm}_HRSpecialist_ViewAll
{CustomerNm}_CompensationAdmin_ViewAll
{CustomerNm}_CompensationMgr_ViewAll
{CustomerNm}_PayrollAdmin_ViewAll
{CustomerNm}_PayrollMgr_ViewAll

IMPORTANT! Application Implementation Consultant is a powerful role that has
unrestricted access to a large amount of data. Once the implementation has been
completed, this role should be revoked from all users (using the Revoke Data Role from
Implementation Users task). For ongoing maintenance of Oracle Fusion HCM setup
data, use a less powerful role, such as a data role based on the Human Capital
Management Application Administrator role or other HCM job roles, or create custom
job roles.

Other types of implementation users you might want to create are:

Applications Implementation Project Manager. Optionally created by the IT
Security Manager user based on needs dictated by the size and organization of
the implementation team.

Product Family Application Administrator. Created by the IT Security
Manager and used if a customer is implementing multiple Oracle Fusion products
at the same time and wants to restrict implementers to performing only setup
steps for a specific product. Each product family has its own administrator role,
such as Human Capital Management Application Administrator and Financials
Application Administrator. Each role has access to only the setup tasks for that
product family, while the Application Implementation Consultant role has access
to all Oracle Fusion Application setup tasks, including HCM, Financials, SCM,
CRM, and so on.

Note: Product family application administrator job roles do not have predefined
access to data. Customers must use the Create Data Role for Implementation
Users task to define data roles for these roles.


Instructor Note: Implementation Users for the Cloud


These predefined users only exist in HCM Cloud environments.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 7 minutes


Demonstration: Creating Additional Implementation Users

Demonstration Background
During implementation for on-premise environments, you must create at least one initial
implementation user and give that user the ability to create other users and access
other implementation tasks. This is optional for HCM Cloud customers, who can use the
predefined hcm.user as their implementation user. Cloud customers may use this task
if they want to give each implementation consultant a unique user ID.

Note: When you create an implementation user, no person record is created in HR.
Only a user account is created. Use the Manage Users task or the New Hire flows to
create both a user account and an HR person that are automatically linked together.

Demonstration Scope
Demonstrate the Create Implementation Users task. Give the user two roles: IT
Security Manager and Application Implementation Consultant.

Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

1. Search for and launch the Create Implementation Users task.

Location: Oracle Identity Manager - Self Service page

Note: This task takes you automatically to the Oracle Identity Manager (OIM)
application. OIM will be discussed in detail later in this lesson.

2. Click the Administration link in the top-right corner of the page.

Location: Welcome to Identity Manager Delegated Administration page

3. Under the Users heading, click Create User.

4. Enter names in the First Name and Last Name fields.

Information
You can use any names you like here; this user won't be referenced later in the
lesson.

5. In the Organization field, select Xellerate Users.


6. In the User Type field, select Non Worker.

7. Enter a User Login, such as XX_IMPLEMENTATION_USER.

8. In the Password field, enter aBc123XX.

9. Enter the password again to confirm.

10. Click Save.

11. Click the Roles tab.

12. Click Assign.

13. Enter IT in the Display Name Begins With field, and click Search.

14. Select IT Security Manager in the Search Results, and click Add.

15. Click Assign.

16. Enter Application Implementation in the Display Name Begins With field, and
click Search.

17. Select Application Implementation Consultant in the Search Results, and
click Add.

Verify Role Provisioning

1. Return to the Welcome tab, and click Advanced Search - Roles.

Location: Advanced Search: Roles page

2. Enter IT in the Display Name Begins With field, and click Search.

3. Click IT Security Manager in the Search Results.

4. Select the Members tab.

5. Confirm that your user name appears in both the All Members and Direct Members lists.

Information
The implementation user you created is not an Indirect Member, because the IT
Security Manager role was assigned directly, not through a role hierarchy or
another role that inherits the IT Security Manager role.


6. Return to the Advanced Search Roles tab, and search for the Application
Implementation Consultant role.

7. Click Application Implementation Consultant in the Search Results.

8. Select the Members tab.

9. Verify that your user is listed as a member for this role too.

10. Close the OIM browser window, and return to the Oracle Fusion Applications
Setup and Maintenance work area. (Don't sign out; just close the browser
window.)


Instructor Note: Demo Timing

Approximate Demonstration Timing: 7 minutes


Demonstration: Using the Manage Users Task to Create HR Users

Demonstration Background
The Manage Users task provides a quick alternative to the New Hire process, which
requires more information to be entered for each person.

Demonstration Scope
Use the Manage Users task to create a new user. The user will be mapped to an HR
person.

Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

1. Search for and launch the Manage Users task.

Information
You can also access this task by selecting Navigator > Manager Resources >
Manage Users.

Location: Manage Users (Search Person) page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create User page


3. In the First Name and Last Name fields, enter your own first and last name (or
any name you choose).

4. In the E-Mail field, enter XX@dummy.com.

5. In the User Name field, enter XX_TEST_USER.

6. Deselect the Send user name and password option.

7. In the Person Type field, select Employee.

Information
The Employment Information section expands to display additional fields.


8. In the Legal Employer field, select InFusion Corp USA1.

9. In the Business Unit field, select USA1 Business Unit.

10. In the Roles section, click the Autoprovision Roles button.

Information
The application reviews all enterprise role mappings and automatically provisions
the appropriate ones based on this user's employment information. In this
environment, the Employee abstract role is automatically provisioned to users
whose Person Type is Employee.

11. Click the Add Role button to assign an existing role to the user.

Location: Add Role page

12. Search for the data role you created in Activity 1 (XX HR Spec Data).

Note: You won't be able to find the data role because it is not yet available for
provisioning to a user. You must create a role-provisioning rule for the role before
you can assign it to a user. You will see how to do that in your next activity. Exit
the Search window and return to the Create User window.

13. Click Save and Close.

14. Click Done.

Location: Overview page in Setup and Maintenance work area

You have now demonstrated the user creation process.


Instructor Note: Password Policy Management for Cloud Customers

In Activity 2, students will create a user account and reset the password. An information
note in the activity references 'password policies set up in Oracle Identity Manager.'

Cloud customers do not have access to the area of OIM in which password policies are
managed. If they want to change the default password policies, they would need to
raise an SR.

Regarding the Password Reset

In a real-world environment, when a new user is created, the user gets an email with
their login credentials. In this class, we're not assigning real email addresses, so we will
use the Reset Password feature in OIM to set the initial password. When the student logs
on as their new user, they must reset their password at that time.

The Reset Password option available from the Manage My Account option in Fusion
also generates and sends a new password via email, so we are unable to use that task
during class.


Instructor Note: Activity Timing

Approximate Activity Timing: 20 minutes


Activity 2 Introduction
Background
New user accounts can be created using the Manage Users task (in addition to the New
Hire flow). Before you can provision roles to users, you must create a role-provisioning
rule. Role-provisioning rules map one or more data roles to a set of conditions that
define which users can be assigned those roles. They also define how each role can be
provisioned.

Requirements

Use the bold text for the object names, replacing the XX with your initials.

You must have access to an Oracle Fusion Applications InFusion database (or a
comparable training or test instance at your site) on which to complete this
practice.

You must have successfully created a data role in Activity 1 (XX HR Spec Data).

Activity Scope


Activity 2: Creating a New User and Assigning a Data Role


In this activity, you create a mapping rule for the data role you created in Activity 1.
Then you create a new user and assign to it the data role you created in Activity 1.

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

Create a Role Mapping Rule

In this task, you create a rule that allows the new data role to be manually provisioned
to users.

1. Search for and launch the Manage HCM Role Provisioning Rules task.

Location: Manage Role Mappings page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create Role Mapping page

3. In the Mapping Name field, enter XX Generic Mapping Rule and press Enter.

Information
Do not specify any conditions for now.

4. In the Associated Roles section, click the Add Row (+) icon button.

5. In the Role Name field, select the data role you created in Activity 1 (XX HR
Spec Data).

6. Deselect the Autoprovision option, and select the Requestable option.

Information
It is very important to deselect the Autoprovision option; otherwise, every user
will get this role since you did not provide any conditions.

7. Click Save and Close, and then click OK to dismiss the Confirmation window.

8. Click Done.
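
To make the Autoprovision caution in step 6 concrete, here is a small Python model of how role-mapping rules are evaluated; it is an added illustration, not Oracle code, and its classes, function names, condition attributes and sample users are constructed for the example (conditions are simplified to exact attribute matches).

```python
"""Toy model of HCM role-provisioning rules (role mappings).

Added illustration for Activity 2; not Oracle code. The classes, function
names, condition attributes and sample users below are constructed for this
example, and conditions are simplified to exact attribute matches.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    login: str
    department: str
    assignment_status: str = "Active"


@dataclass
class RoleOptions:
    # Provisioning options set per associated role, as in the Associated Roles
    # section of the Create Role Mapping page.
    autoprovision: bool = False   # granted automatically to every matching user
    requestable: bool = False     # may be added to a matching user by an administrator


@dataclass
class RoleMapping:
    name: str
    conditions: dict = field(default_factory=dict)  # attribute -> required value
    roles: dict = field(default_factory=dict)       # role name -> RoleOptions

    def matches(self, user):
        # all() over an empty conditions dict is True: a rule with no
        # conditions applies to every user.
        return all(getattr(user, attr, None) == value
                   for attr, value in self.conditions.items())


def autoprovisioned_roles(user, mappings):
    """Roles granted when Autoprovision Roles runs for this user."""
    return sorted({role for m in mappings if m.matches(user)
                   for role, opts in m.roles.items() if opts.autoprovision})


def requestable_roles(user, mappings):
    """Roles an administrator could pick in Add Role for this user."""
    return sorted({role for m in mappings if m.matches(user)
                   for role, opts in m.roles.items() if opts.requestable})


def audit_unconditional_autoprovision(mappings):
    """Review check: flag (mapping, role) pairs that grant a role to everyone,
    i.e. no conditions combined with Autoprovision left selected."""
    return [(m.name, role) for m in mappings if not m.conditions
            for role, opts in m.roles.items() if opts.autoprovision]


# Constructed sample rules. The Employee rule's condition is an assumption made
# for the example; the guide only says that Employee is autoprovisioned.
EMPLOYEE_RULE = RoleMapping(
    "Employee Rule", {"assignment_status": "Active"},
    {"Employee": RoleOptions(autoprovision=True)})

# The rule built in the activity: no conditions, Autoprovision off, Requestable on.
GENERIC_RULE = RoleMapping(
    "XX Generic Mapping Rule", {},
    {"XX HR Spec Data": RoleOptions(autoprovision=False, requestable=True)})

# The same rule with Autoprovision left selected by mistake.
MISCONFIGURED_RULE = RoleMapping(
    "XX Generic Mapping Rule (Autoprovision left on)", {},
    {"XX HR Spec Data": RoleOptions(autoprovision=True, requestable=True)})

NEW_USER = User("Security.UserXX", "Operations US")
BYSTANDER = User("some.employee", "Human Resources US")  # constructed login


def demo():
    ok = [EMPLOYEE_RULE, GENERIC_RULE]
    bad = [EMPLOYEE_RULE, MISCONFIGURED_RULE]
    print("Correct rule, new user autoprovisioned:", autoprovisioned_roles(NEW_USER, ok))
    print("Correct rule, new user requestable:", requestable_roles(NEW_USER, ok))
    print("Misconfigured, bystander autoprovisioned:", autoprovisioned_roles(BYSTANDER, bad))
    print("Audit findings:", audit_unconditional_autoprovision(bad))


if __name__ == "__main__":
    demo()
```

With the rule as built in the activity, the new data role only appears as requestable; with Autoprovision left on, every user in the instance, including the bystander, would receive it.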

Create a User
In this task, you use the Manage Users task to create a user quickly.

Note: This task is intended for creating test users. When creating real employees, use
the New Hire flow so that the full set of attributes can be captured.

1. In the Setup and Maintenance work area, search for and launch the Manage
Users task.

Location: Manage Users (Search Person) page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create User page

3. Enter the following values:

Note: Make sure that you use the specified Hire Date, as this will be important in
a later activity.

4. In the Roles section, click Autoprovision Roles.

Information
The Employee role appears in the Role Requests table.

Note: If any other roles are automatically provisioned to your user, remove them
by selecting them and clicking the X (Remove) icon button. (Roles may appear
here if other students create autoprovisioning rules for the roles they create in
training.)

5. Click Add Role.

6. Search for and select the data role you created in Activity 1 (XX HR Spec Data).

7. Click Save and Close.

8. Click Done.

Reset the User Password

In the training environment, the application can't send your new user's login credentials
via email, so you need to set an initial password in Oracle Identity Manager.

1. In the Setup and Maintenance work area, launch the Manage Job Roles task.

Information
You are taken to the Oracle Identity Manager (OIM) interface.

2. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page, Welcome tab

3. Click Advanced Search - Users.

Location: Advanced Search: Users page

4. Search for the user you just created. (Enter search values for First Name, Last
Name, or User Login and click Search.)

5. Click the user's name in the Search Results.

6. Click the Reset Password button.

Location: Reset Password window

Information
There are two methods for resetting a user's password: manually and
automatically (random generation). Note also that password strength is
measured by the password policies set up in Oracle Identity Manager.

7. Select the Manually change the password option.

8. Enter a new password, such as aBc123XX, and reenter to confirm.

9. Deselect the E-mail the new password to the user option.

10. Click Reset Password.

11. Close the Oracle Identity Manager browser window.

Information
You can leave this window open if you expect to return to OIM, but do not sign
out. Signing out of OIM signs you out of Oracle Fusion Applications as well.

Log on as the New User and Verify Security

1. Return to the Oracle Fusion Applications window.

2. Navigate to the Person Management work area.

Location: Search Person page

3. In the Keywords field, enter Human Resources US.

4. In the Search Results, verify that you (logged in as Curtis Feitty) can see people
in the Human Resources US department.

5. Sign out and sign back in as the new user you just created (Security.UserXX),
using the new password you just reset.

Location: Password Management window

Information
The Password Management window prompts you to reset your password, since
this is the first time you are logging on.

6. Enter the password you used in the password reset (such as aBc123XX).

7. Enter a new password, such as xYz456AA, and reenter it to confirm.

8. Select challenge questions and provide the answers (if prompted to do so on this
page).

9. Click Submit.

10. Navigate to the Person Management work area, and enter a keyword of Human
Resources US.

11. Verify that you cannot see users in the Human Resources US department (one
of the departments you excluded in your organization security profile), but you
can see people in the Operations US department.

12. Verify that you cannot see users in the Organizational Development US
department either (the other exclusion).

13. Sign out of Oracle Fusion Applications.

User and Role Provisioning Review Question 1


Roles can be provisioned to users:

1. Automatically
2. By other users
3. On user request
4. All of the above

User and Role Provisioning Review Question 2


All roles in a role mapping must have the same provisioning option.

1. True
2. False

User and Role-Provisioning Review Question 3


Which of the following roles can be provisioned to users directly?

1. Duty roles
2. Abstract roles
3. Job roles
4. Data roles

User and Role-Provisioning Questions and Answers


Roles can be provisioned to users:
4. All of the above (automatically, by other users, and on user request)

All roles in a role mapping must have the same provisioning option.
2. False

Which of the following roles can be provisioned to users directly?


2, 3, and 4:
2. Abstract roles
3. Job roles
4. Data roles

User Interfaces for Security Tasks


User Interface Overview
When performing security setup and administration tasks in Oracle Fusion Applications,
users access user interfaces that are native or provided by a foundation of Oracle
Fusion Middleware and Oracle Database products.

Note: The Middleware group refers to APM as Entitlement Server, while Oracle Fusion
still refers to it as APM.

Setup Tools and Tasks


The following tools are used for managing HCM security data:

Oracle Fusion HCM Security Tasks

Manage Users. Create and manage users who are mapped to persons in Oracle
Fusion HR.

Import Worker Users. Load workers using the HCM spreadsheet loader.

Manage Data Role and Security Profiles. Create and manage data roles and
assign security profiles to them.

Manage [Business Object] Security Profiles. Create and manage security
profiles for all types of business objects.

Manage User Accounts. View and manage roles associated with user accounts.

Revoke User Accounts. Run for terminated employees.

Manage HCM Role Provisioning Rules. Create rules for how roles can be
provisioned to users.

Send Pending LDAP Requests. Implementers should run this scheduled
process after bulk loads of workers and schedule it to run on a frequent basis.

Retrieve Latest LDAP Changes. Run this scheduled process as needed and
schedule it to run on a frequent basis.

Create Data Role for Implementation Users. Create data roles for
implementation user job roles, such as the product family administrator roles,
which have no predefined data roles.

Oracle Identity Manager (OIM) Security Tasks

Create Implementation Users. Create users, who are not mapped to persons in
Oracle Fusion HR, for the purpose and duration of implementation.

Revoke Data Role from Implementation Users

Provision Roles to Implementation Users

Manage Job Roles. Create job and abstract roles; reset user passwords.

Authorization Policy Manager (APM) Security Tasks

Manage Duties. View and manage duty roles, role hierarchies, and security
policies.

Application Access Controls Governor (AACG) in Oracle Enterprise Governance,
Risk and Compliance (GRC)

Specific applications or product families, such as Oracle Fusion Financials,
support additional security setup and administration tasks.

Access to Security Tasks


You can navigate to all Oracle Fusion Applications security tasks from the Setup and
Maintenance work area, provided by the integrated Oracle Fusion Functional Setup
Manager (FSM).

You can see most of the HCM security setup tasks by expanding the Define Security
for Human Capital Management folder:

Navigator > Tools > Setup and Maintenance work area > Define Security for Human
Capital Management task list

To access tasks related to setting up implementation users, expand the Define
Implementation Users folder:

Navigator > Tools > Setup and Maintenance work area > Define Implementation Users
task list

Use the Send Pending LDAP Requests and Retrieve Latest LDAP Changes
processes in the Scheduled Processes work area to synchronize HR and LDAP data.

Navigator > Tools > Scheduled Processes > Schedule New Process

Instructor Note: HCM Security Task List


Although most of the HCM security tasks are in the Define Security for Human Capital
Management folder in FSM, a few are located elsewhere, such as Define Security for
Payroll and Define Security for Workforce Business Processes. This is because the task
lists present tasks in the correct sequence within offerings. For example, we cannot
create payroll security profiles before we've created payrolls.

Point out that OIM and APM are security administration UIs, and should be used by
security administrators, not HCM business users. The only role that has access to these
UIs is the IT Security Manager. HCM business users should use the HCM user and role
management UIs, such as Manage Users (when creating test users) and Manage User
Account.

Instructor Note: Demo Timing

Approximate Demonstration Timing: 5 minutes

Demonstration: Viewing Roles in OIM


Demonstration Background
OIM refers to data, job, and abstract roles as simply 'roles.' Role-naming conventions
allow you to distinguish between role types in OIM pages.

Demonstration Scope
Use the Manage Job Roles task to access Oracle Identity Manager and view different
types of roles.

Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on as
Curtis.Feitty)

1. Search for and launch the Manage Job Roles task.

Location: Oracle Identity Manager - Self Service page

2. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page, Welcome tab

3. Under the Roles heading, click Advanced Search - Roles.

Location: Advanced Search: Roles page

4. In the Display Name (Begins With) field, enter Human Resource and click
Search.

Information
The Search Results display both data roles and job roles. Job roles, such as
Human Resource Specialist, do not display a dash in their names. The roles with
a dash, such as Human Resource Manager - US LDG Only, are data roles.

Fusion role-naming conventions append _JOB at the end of a job role name and
_DATA at the end of a data role name. The internal name is created based on
the Display Name and the _JOB or _DATA suffix to distinguish between the role
types.

5. Click the Human Resource Manager job role in the Search Results.

6. Information
Note that the Role Category Name is HCM - Job Roles.

7. Return to the Advanced Search - Roles tab, and open the Human Resource
Analyst - View All data role.

Information
The Role Category Name for all data roles is automatically set to Default.

8. Return to the Advanced Search: Roles tab.

9. In the Display Name (Begins With) field, enter Employee and click Search.

Information
Employee is a predefined abstract role. Abstract role names should have
_ABSTRACT at the end of the role name.

10. Click the Employee role in the Search Results.

Information
The Role Category Name is HCM - Abstract Roles.

Managing Job Roles and Duty Roles


Instructor Note: Demo Timing

Approximate Demonstration Timing: 10 minutes

Demonstration: Using OIM to View and Manage Roles


Demonstration Background
Viewing and managing job roles is an important part of HCM security management.
Oracle Identity Manager is used to create and manage HCM job roles.

Demonstration Scope
This demonstration looks at the data roles assigned to an existing user and shows the
job roles that are inherited by those data roles. It also demonstrates how to search for a
role and display a list of all users assigned to that role.

Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on as
Curtis.Feitty)

Review the Roles Assigned to a User

1. Search for and select the Manage Job Roles task.

Location: Oracle Identity Manager - Self Service page, Welcome tab

2. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page, Welcome tab

Information
From this page, you can create new job roles, as you will see in Activity 3.

3. Click Advanced Search - Users.

4. In the Display Name field, search for Curtis Feitty, then click his name in the
Search Results.

5. Select the Roles tab to view the roles assigned to this user.

Information
This page shows all roles assigned to Curtis, including data roles, abstract roles,
and job roles (if any).

6. Click on a data role, such as Benefits Admin - View All, and click Open.

7. Click the Hierarchy tab.

Information
Here you can see that the Benefits Admin - View All data role inherits the
Benefits Administrator job role.

8. Click the Members tab to see all the users assigned to this data role.

9. Return to the Welcome tab, and select Advanced Search - Roles.

10. Search for the Payroll Manager job role, and then open it.

Information
Note that the attribute information and the tabs displayed for the job role are the
same as for the data role you just explored. Remember that in OIM, the term role
refers collectively to job, abstract, and data roles; the role category name, such
as HCM - Job Roles, identifies both the role type and the Oracle Fusion
Application where the role is used.

11. Click the Hierarchy tab.

Information
This job role inherits several roles, including the Functional Setups User abstract
role and the Payroll Administrator job role.

Note: When you are creating a job role, you can use this tab to add one or more
parent roles from which to inherit permissions. This is useful if you are creating a
manager job role that performs all the functions that an administrator job
performs, plus more. In this case, you would add the administrator job role as a
parent role to the manager job role.

This role hierarchy is also visible in APM, as you will see later.

12. Click the Members tab.

Information
This is useful if you need to quickly determine which users are assigned to a role.

Note: On this tab, the Member Type (for most members) is Indirect Role because
users are not directly assigned the Payroll Manager job role. They inherit it via a
data role that is based on the Payroll Administrator job role.

13. Return to the Oracle Fusion Applications window.

Instructor Note: Do Not Use OIM to Create Data Roles


Regarding the Demonstration: Using OIM to View and Manage Roles
OIM allows users to create several different types of roles. However, OIM should not
be used to create data roles for HCM users; data roles should only be created using
the Manage Data Role and Security Profiles task, as will become clear later when we
look closely at security policies.

Remind students that OIM and APM are not specific to Oracle Fusion Applications; they
can be used independently of Fusion applications. These middleware products provide
capabilities that Oracle Fusion Application users do not need to use for HCM setup and,
in fact, should NOT use. The only tasks that users should perform in OIM and APM are
those identified on the Setup Tools and Task page:

Oracle Identity Manager (OIM)

Create Implementation Users
Create Data Role for Implementation Users
Revoke Data Role from Implementation Users
Provision Roles to Implementation Users
Manage Job Roles (Create job and abstract roles, reset user passwords)

Authorization Policy Manager (APM)

Manage Duties (View and manage role hierarchies, security policies, and
permission grants)

Do not create new resource types, resources, entitlements, or authorization
policies.
Do not manually modify data security policies, except to add custom duty roles.

HCM Security Management Data Stores


This figure shows where security data, managed by different Oracle applications, is
stored and shared.

Key Points

OIM Identity Store

OIM maintains user accounts in the Oracle Fusion Applications Identity Store. It
stores the definitions of abstract, job, and data roles (enterprise roles in OIM),
and holds information about roles provisioned to users.

Job and abstract roles created in OIM must be synchronized so that the new role
names and other attributes are available to Oracle Fusion HCM.

You cannot view duty roles in OIM, only in APM.

APM Policy Store

Duty roles are created in APM and stored in the Policy Store, along with function
security policies.

The Policy Store holds copies of users and enterprise roles stored in the Identity
Store.

Duty roles do not have to be synchronized with HCM.

Fusion Application Database Tables

These tables store data security policies, HCM role-provisioning rules, security
profiles, part of the data role definitions, and copies of the job and abstract roles.

Instructor Note: Demo Timing

Approximate Demonstration Timing: 10 minutes

Demonstration: Using APM to Manage Duties


Demonstration Background
Managing duty roles is an important part of security management. Implementers may be
required to create new duty roles if the predefined ones do not meet the needs of the
enterprise. Authorization Policy Manager is used to manage duty roles and associated
security policies.

Demonstration Scope
This demonstration uses the Manage Duties task to look at existing data and job roles.
It demonstrates how to view the duties associated with job roles and where to go if you
need to add or remove duties from a role.
Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on as
Curtis.Feitty)

1. Search for and launch the Manage Duties task.

Information
You are now viewing the Authorization Policy Manager (APM) user interface.

2. In the Application Name section, select hcm.

3. Under the Search and Create heading, click Search - External Roles.

Note: Remember that job roles, data roles, and abstract roles are all referred to
as external roles in APM.

Location: Search - External Roles page

4. In the Display Name field, enter Benefits Admin - View All, and click Search.

5. Select the Benefits Admin - View All role in the Search Results, and click
Open Role.

6. Select the External Role Hierarchy tab.

Information
This page shows the job role (Benefits Administrator) inherited by the Benefits
Admin - View All data role.

7. Click the Application Role Mapping tab.

8. Expand the hcm folder in the Display Name column.

Information
The Benefits Admin - View All (HCM) role shown here is a special type of
application role that was automatically generated when the Benefits Admin -
View All data role was created. This is explained in more detail in the HCM
Security Deep Dive section later in the lesson.

9. Return to the Search External Roles tab, and search for the Benefits
Administrator job role.

10. Select the Benefits Administrator role in the Search Results, and click Open
Role.

11. Click the Application Role Mapping tab, and open the hcm folder.

Information
Here you can see all of the duty roles associated with the Benefits Administrator
job role. From this page, you can map additional application roles (duties) to this
job role, as you will see in the next activity.

12. Return to the Oracle Fusion Applications window.

You have demonstrated how to use APM to view and manage job roles.

Fusion Applications, OIM, and APM Terminology


Differences
OIM and APM are middleware products that are available independently of Oracle
Fusion Applications. For that reason, the terminology adopted by and used throughout
Oracle Fusion Applications is not always the same as the terminology used in OIM and
APM. It is important to understand these terminology differences as you manage
business objects in each application interface.

The following table lists the terminology used by each product when referring to
common business objects:

Data, job, and abstract roles are also referred to as enterprise roles. Application roles
are specific to a particular grouping of applications (such as Oracle Fusion HCM or
CRM).

Instructor Note: Notes on Tools and Tasks


Note on Authorization Policy Manager (APM):

To create data roles for HCM, always use the Manage Data Role and Security
Profiles task in the Setup and Maintenance work area. Although APM provides the
ability to create data roles using data role templates, data role templates are rarely used
in HCM. (They are only used if you are implementing Oracle Fusion Global Payroll with
Oracle Fusion Subledger Accounting. We do deliver some HCM data role templates, but
these are no longer used.)

Note on Application Access Controls Governor (AACG):

This is usually used in conjunction with Financials rather than HCM.

Regenerating Data Roles


You must regenerate a data role if you make any changes to the role hierarchy that
underlies the data role (such as the duties inherited by the job role that is inherited by
the data role).

You must regenerate an abstract role if you make any changes to its role hierarchy.

Regenerating a role causes all its data security policies to be updated based on these
changes.

To regenerate a data or abstract role:

1. Launch the Manage Data Role and Security Profiles task in the Setup and
Maintenance work area.

2. Search for the role that needs to be regenerated.

3. Select the role in the Search Results, and click Assign.

Information
A flow is initiated (the same one you saw when you created a data role in the
previous activity) that allows you to view the security criteria and all assigned
security profiles.

4. Click Review, and then click Submit.

Information
When you click Submit, the security profiles assigned to the role are used to
generate the data security policies for that role.

Note: Security policies are regenerated only for the selected role. If you needed
to regenerate data security policies for multiple roles, you would have to run this
task (and click Assign) for each role.

Instructor Note: Regeneration of Data Roles


An enhancement request (ER) has been logged for a data role regeneration process
that will be more efficient.

You can demo the regeneration of a single data role, but it's actually as simple as
finding the role and pressing a few buttons. A later activity will include this as a task.

Instructor Note: Activity Timing

Approximate Activity Timing: 20 minutes

Activity 3 Introduction
Background
A custom job role is needed because the predefined job role has duties associated with
it that the enterprise does not want to grant to their users. The new job role will have
only two duties: Department Management Duty and Approve Transactions Duty.

Requirements

Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
practice.

Activity Scope

Instructor Note: Troubleshooting Activity

When searching for the second duty role, the search results may show only the first
duty role, no matter what search criteria you enter. To resolve this issue, you must close
the Map Application Roles to External Role window, return to the Search External Roles
tab, open the duty role again, and conduct a new search.

Activity 3: Creating a New Job Role


In this activity you will create a new job role, retrieve the role information from LDAP
(synchronize between OIM and HCM), and then add two duty roles to the new job role.
This job role will be authorized to manage departments and department trees only.

Start Here

Oracle Fusion Applications Sign On page

Create New Job Role

1. Log in as Curtis.Feitty.

2. Navigate to the Setup and Maintenance work area, Overview page, All Tasks
tab.

3. Search for and launch the Manage Job Roles task.

Location: Oracle Identity Manager Self-Service page, Welcome tab

4. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page, Welcome tab

5. Under the Roles heading, click Create Role.

Location: Create Role page

6. In the Name field, enter XX_DEPT_ADMIN_JOB.

7. In the Display Name field, enter XX Dept Admin Job Role.

8. In the Role Category Name field, select HCM - Job Roles.

9. Click Save.

10. Close the OIM browser window.

Information
You are returned to the Oracle Fusion Applications Setup and Maintenance work
area.

Synchronize Roles between LDAP and HCM

After creating a new job role, you must run the following synchronization process so that
the job role is available to HCM tasks and UI pages, such as Manage Data Role and
Security Profiles.

Note: Only one user can run the process at a time. If you are sharing an environment
with someone else, you can run the Retrieve Latest LDAP Changes once to
synchronize all of the job roles to HCM.

1. Navigate to the Scheduled Processes work area.

Location: Scheduled Processes Overview page

2. If the Search Results displays a row for the Retrieve Latest LDAP Changes
process where the Status is Succeeded, select the row and click Resubmit,
then confirm. Skip to step 10.

If the process is listed with a status of Running, wait until it has completed
successfully, and then resubmit as described above. (Click the Refresh icon
button periodically to display the updated status.)

If the process is not listed, continue with the next step.

3. Click Schedule New Process.

Location: Schedule New Process window

4. Open the Name LOV and click the Search link at the bottom of the LOV list.

Location: Search and Select: Name window

5. In the Name field, enter Retrieve and click Search.

6. In the search results, select the Retrieve Latest LDAP Changes process and
click OK.

7. Click OK to dismiss the Schedule New Process window.

Location: Process Details page

8. Click Submit.

9. Click OK to confirm, and then click Close.

Location: Scheduled Processes page

10. Click the Refresh icon button.

Information
You can see the status of the process. It usually completes very quickly. While
this process is running, you can continue with the next step.

Assign Duties to Your Job Role

1. Navigate to the Setup and Maintenance work area, and launch the Manage
Duties task.

Location: Oracle Entitlements Server Authorization Management page

2. In the Application Name section, select hcm.

Note: This step is important. If you do not select hcm, you will not be able to
search for the HCM roles.

3. Under the Search and Create heading, click Search - External Roles.

Location: Search - External Roles page

4. In the Display Name field, search for the job role (XX Dept Admin Job Role)
you created earlier.

5. Select the role in the Search Results, and click the Open Role button.

6. Click the Application Role Mapping tab.

7. Click the + Map icon button.

Location: Map Application Roles to External Role page

8. In the Application field, select hcm.

9. In the Display Name field, enter Department Management Duty and click
Search.

10. Select the role in the Search Results, and click Map Roles.

Information
The selected role is listed under the hcm folder on the Application Role Mapping
tab.

11. Click the + Map icon button.

12. In the Application field, select hcm.

13. In the Display Name field, enter Approve Transactions Duty and click Search.

14. Select the role in the Search Results, and click Map Roles.

Information
You should now have 2 application roles (duties) in the hcm folder on the
Application Role Mapping tab.

15. Close the Authorization Management browser window.

Information
You are returned to the Oracle Fusion Applications window, Setup and
Maintenance work area. (As with the OIM window, you can leave the APM
window open if you plan to return; just don't sign out.)

You have now created a job role with two assigned duty roles.

Instructor Note: Activity Timing

Approximate Activity Timing: 20 minutes

Activity 4 Introduction
Background
After creating a new role, you typically create a mapping rule that defines criteria for
how the role can be provisioned to users. You can then assign the role to users who fit
those criteria.

Requirements

Use the bold text for the object names, replacing the XX with your initials.

You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
practice.

You must have successfully created a new user (Security.UserXX) in Activity 2.

You must have successfully created a role-provisioning rule (XX Generic
Mapping Rule) in Activity 2.

You must have successfully created a job role (XX Dept Admin Job Role) in
Activity 3.

Activity Scope

Activity 4: Creating a New Data Role and Assigning to User


In this activity you create a new data role that inherits the XX Dept Admin job role you
created in Activity 3. You also add the role to the role-provisioning rule you created in
Activity 2. Finally, you add the new role to the user you created in Activity 2.

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

Create a New Data Role for the Custom Job Role

1. Search for and launch the Manage Data Role and Security Profiles task.

Information
You used this task in Activity 1 to create a data role, so you should be familiar
with the screens and the process.

2. In the Search Results section toolbar, click the Create icon button.

3. In the Data Role field, enter XX Dept Admin - View All.

4. In the Job Role field, search for and select the custom job role you created (XX
Dept Admin Job Role).

Information
If you can't find the job role you created earlier, make sure that the
synchronization process completed successfully. Also, make sure that you selected
HCM - Job Roles as the Role Category when you created the job role. If you
accepted the default role category during creation, you won't be able to find the
job role here.

5. Click Next.

6. In the Organization Security Profile field, select View All Organizations.

7. Click Next, click Review, and then click Submit.

8. Click Done.

Add the Data Role to the Existing Mapping Rule


Rather than create a new mapping rule, you can add the new role to your existing
mapping rule.

1. In the Setup and Maintenance work area, launch the Manage HCM Role
Provisioning Rules task.

Location: Manage Role Mappings page

2. Search for the XX Generic Mapping Rule you created in Activity 2.

3. Select the rule in the Search Results, and click the Edit icon button.

Location: Edit Role Mapping page

4. In the Associated Roles section, click the Add (+) icon button.

5. Search for and select the new XX Dept Admin - View All data role. (Don't select
the job role.)

6. Deselect the Autoprovision option, and select the Requestable option.

Information
If you do not select Requestable, you won't be able to assign this role to users.

7. Click Save and Close, and then click OK to confirm.

Information
This rule now contains two mappings.

8. Click Done.

Add the Role to Your New User

1. Navigate to the Setup and Maintenance work area, and launch the Manage
Users task.

2. Search for the user you created in Activity 2 (enter the last name in the
Keywords field and click the Search icon button).

3. Click the user name in the Search Results.

Location: Edit User page

4. In the Roles section, click Add Role.

Location: Add Role window

5. Search for the XX Dept Admin - View All data role you created earlier in this
activity.

Note: If you cannot find the role you created, make sure that:

- You created a mapping rule for the role
- You selected the Requestable option for the role mapping
- The user's assignment information matches the mapping criteria

(We didn't set any criteria in our generic mapping rule, so that should not be a
problem.)

6. Select the role and click OK.

Location: Edit User page

7. In the Current Roles section, select the XX HR Spec Data role you assigned to
this user earlier, and click the X (Remove) icon button, then confirm.

8. Click Save and Close.

9. Click Done.

Verify Security Setup

1. Sign out, and sign back on as the user you created (Security.UserXX) and
whose password you reset.

2. Select Workforce Management > Workforce Structures from the Navigator.

3. Verify that only the Manage Departments and Manage Department Trees
tasks are visible under Organizations. You should no longer be able to see the
HR Specialist menu options.

4. Sign out.

Instructor Note: Troubleshooting Activity 4


Troubleshooting Activity 4

If students are still seeing the full set of HR Specialist menu entries, ask them to
navigate to My Account and check which roles are assigned to their user. Their user
might have more roles than they are expecting. For example, their user might have
been automatically provisioned data roles based on HR Specialist from an earlier
activity if someone has inadvertently created automatic role-provisioning rules.

User Interfaces for Security Review Question 1


Which tool is used to create job roles?

1. Oracle Authorization Policy Manager (APM)
2. Oracle Identity Manager (OIM)
3. Oracle Fusion Functional Setup Manager (FSM)

User Interfaces for Security Review Question 2


To manage duty role hierarchies, you use:

1. Oracle Fusion HCM
2. Oracle Fusion Middleware Authorization Policy Manager (APM)
3. Oracle Identity Management (OIM)

User Interfaces for Security Review Question 3


A(n) ____ role in Oracle Fusion HCM is implemented as an application role in APM?

1. abstract
2. job
3. data
4. duty

User Interfaces for Security Questions and Answers


Which tool is used to create job roles?
2. Oracle Identity Manager (OIM)

To manage duty-role hierarchies, you use:
2. Oracle Fusion Middleware Authorization Policy Manager (APM)

A(n) ____ role in Oracle Fusion HCM is implemented as an application role in APM?
4. duty

HCM Security Deep Dive


Instructor Note: Deep Dive Target Audience
The content in this lesson gets a little technical. It is intended primarily for implementers
who want to understand how data and functional security policies work. The information
in this lesson will help students understand what they see when they use the
Authorization Policy Manager (APM) to manage duties and security policies. It will also
help students understand why they must regenerate data roles after making a change to
the role hierarchy for a job or abstract role -- a step that is often omitted (and often
causes some confusion) during security setup.

If your class consists of mostly functional users, you may choose to omit this section.
Alternatively, you can allow functional users to take a break while you present this
section. Another option would be to present the activity (duty role creation) as a
demonstration, and talk through the steps rather than asking students to complete them.

If, at the beginning of this section, students become confused about data security
policies, tell them that it should become clearer as we dig deeper into the technical
details and they see how the pieces fit together. The demonstration and activity should
also help them understand the various components and their relationships.

Duty Roles in Detail


HCM duty roles typically have function security privileges and data security policies. In
the duty role pictured below:

The Promote Worker function security privilege secures access to the Promote
Worker page.

One data security policy determines which people can be promoted.

Another data security policy determines which positions the person can be
promoted into.

Function Security Privileges


Looking at the function security privilege in more detail, you can see that the privilege is
securing a number of resources, or code artifacts, that comprise the worker promotion
page.

Instructor Note: Read-Only Roles


Read-Only Roles
A very small number of read-only pages are delivered under the Human Resource
Analyst role. Other pages can be configured as read-only by customizing them to hide
the Save or Submit buttons based on the user's current role.

We are actively working on improving support for read-only pages in a future release.

Data Security Policy Components


A data security policy comprises:

a role
a data security privilege
a business object
a condition

Data security policies are represented in the Security Reference Manuals in the
following format:

<Role> can <verb> <business object> <condition> using <data security privilege>

For example, the two data security policies in our current example would be
represented as follows:

Human Resource Specialist can promote Person for people in their person
security profile using Promote Worker Data

Human Resource Specialist can choose Position for positions in their
position security profile using Choosing Position Data

Note: Data security policies are published at the level of a job or abstract role,
and they take into account the duty roles that are inherited by the job and
abstract roles. This makes them more readable, as it can be difficult to
understand a data security policy if presented at the level of a duty role.

Data Security Policies


Looking at the data security policies for the worker promotion duty role, you can see that
the two policies are implemented as rows in a table called FND_GRANTS.

The conditions for duty role data security policies are usually implemented as 1=2
predicates. (A predicate is an SQL expression that evaluates to TRUE or FALSE. The
predicate is automatically added to the Where clause of any Select statements that are
issued within the Oracle Fusion HCM pages.)

The 1=2 predicate, which evaluates to FALSE, means that the Worker Promotion Duty
role, when viewed in isolation, has no access to data. The Human Resource Specialist
job role inherits this duty role, so the job role on its own cannot actually promote anyone.

Data access is usually determined by FND_GRANTS rows that are generated for the
data roles to which users are assigned (as you will see later). This is why data roles
are so important!

Data Security - Application Role Creation


When you create an HR Specialist View All data role on top of the HR Specialist job
role, several things happen.

First, a set of three new application roles is created: one for HCM, one for FSCM,
and one for CRM.

These application roles have names that are derived from the data role name.

Data Security - FND_GRANTS Generation


Next, FND_GRANTS data are generated for each of these application roles.

The FND_GRANTS generated for the new application roles are similar to the
FND_GRANTS for the original duty role, except:

The role name references the data role, not the job role.

The predicate value is 1=1, meaning that no restrictions are applied when the
HCM application page selects data from the database.

In the simplified example below, the 1=1 predicate is taken from View All person and
position security profiles assigned to the data role.

Data Security - Data Role Creation


Finally, the data role is created.

The application roles and the security policies (FND_GRANTS) that were generated
earlier are linked to the data role. (All three application roles are linked, although only
one is pictured here.)

The data role is linked to the Human Resource Specialist job role. However, it is the
security policies inherited by the data role that provide access to the data.

Note: A predicate of 1=1 is the simplest of examples, used only in View All profiles. In
reality, most predicates are more complicated. For example, the predicate for the View
Own Record person security profile is shown here:

EXISTS ((SELECT 1 from PER_PERSONS P
         WHERE ROWNUM>0
           AND P.PERSON_ID=&TABLE_ALIAS.PERSON_ID
           AND ( P.PERSON_ID=(SELECT U.PERSON_ID FROM PER_USERS U
                              WHERE U.USER_GUID=FND_GLOBAL.USER_GUID) ))
        UNION ALL
        SELECT 1 FROM PER_CONTACT_RELSHIPS_F R
         WHERE TRUNC(SYSDATE) BETWEEN R.EFFECTIVE_START_DATE AND R.EFFECTIVE_END_DATE
           AND R.CONTACT_PERSON_ID=&TABLE_ALIAS.PERSON_ID
           AND NOT EXISTS (SELECT 1 FROM PER_PERIODS_OF_SERVICE PS
                           WHERE PS.PERSON_ID=R.CONTACT_PERSON_ID)
           AND EXISTS ((SELECT 1 from PER_PERSONS P
                        WHERE ROWNUM>0
                          AND P.PERSON_ID=R.PERSON_ID
                          AND ( P.PERSON_ID=(SELECT U.PERSON_ID FROM PER_USERS U
                                             WHERE U.USER_GUID=FND_GLOBAL.USER_GUID) ))))

Data Security in Action

When an HCM application page issues a Select statement to retrieve data from the
database, it makes a data security privilege check by calling a data security API,
passing the following information:

The name of the database table in which to find the data. In our example, the
table name is PER_ALL_ASSIGNMENTS_M.

The data security privilege name. In our example, this is
PER_PROMOTE_WORKER_DATA (taken from the FUNCTION_NAME in the
FND_GRANTS row).

The data security code looks in the FND_GRANTS table for all rows that match any of
the user's roles, the table name, and the data security privilege name.

If it finds no matches, no data is returned.

If it finds one match, the predicate for that FND_GRANTS row is used to filter the
data that is returned. (If the predicate is 1=2, no data is returned.)

If it finds more than one match, the predicates are OR'd together. (If either is
TRUE, then the result evaluates to TRUE).

In our example of a View All data role, two predicates would be returned: 1=1 and 1=2.
When OR'd together, the end result is that the page can select data from the
assignment table with no restrictions applied.
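The lookup and predicate handling described above, as an added example that is not part of the original course material or of Oracle's code: a small Python script that uses an in-memory SQLite database to model the FND_GRANTS lookup (the user's roles, the table name, and the privilege name), OR's the matched predicates into the Where clause, and runs the resulting Select against a constructed PER_ALL_ASSIGNMENTS_M table. The table name, duty role name and privilege name come from the page; the XX_ role names, the sample rows and the simplified View Own Record predicate are constructed for this example, and FND_GLOBAL.USER_GUID is replaced by a bound parameter because SQLite has no session context.

```python
import sqlite3

# Constructed, heavily simplified versions of the tables named on the page.
# Only the columns the data security check needs are modelled.
SCHEMA = """
CREATE TABLE PER_USERS (USER_GUID TEXT, PERSON_ID INTEGER);
CREATE TABLE PER_ALL_ASSIGNMENTS_M (ASSIGNMENT_ID INTEGER, PERSON_ID INTEGER, DEPARTMENT TEXT);
CREATE TABLE FND_GRANTS (ROLE_NAME TEXT, OBJECT_NAME TEXT, FUNCTION_NAME TEXT, PREDICATE TEXT);
"""

# Constructed sample rows. Role names prefixed XX_ are invented for this example;
# the duty role name and the privilege name are the ones the page uses.
SAMPLE_ROWS = {
    "PER_USERS": [("GUID-ALICE", 101), ("GUID-BOB", 102)],
    "PER_ALL_ASSIGNMENTS_M": [(1, 101, "Sales"), (2, 102, "Finance"), (3, 103, "Finance")],
    "FND_GRANTS": [
        # Duty role grant: 1=2 denies everything when the duty is viewed in isolation.
        ("PER_WORKER_PROMOTION_DUTY", "PER_ALL_ASSIGNMENTS_M",
         "PER_PROMOTE_WORKER_DATA", "1=2"),
        # View All data role grant: 1=1 applies no restriction at all.
        ("XX_HR_SPEC_VIEW_ALL_DATA", "PER_ALL_ASSIGNMENTS_M",
         "PER_PROMOTE_WORKER_DATA", "1=1"),
        # Simplified View Own Record predicate (constructed): only the signed-in user's
        # own row. FND_GLOBAL.USER_GUID becomes the bound parameter :user_guid.
        ("XX_VIEW_OWN_RECORD_DATA", "PER_ALL_ASSIGNMENTS_M", "PER_PROMOTE_WORKER_DATA",
         "&TABLE_ALIAS.PERSON_ID = (SELECT U.PERSON_ID FROM PER_USERS U "
         "WHERE U.USER_GUID = :user_guid)"),
    ],
}


def build_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def matching_predicates(conn, roles, table, privilege):
    """Return the predicates of every FND_GRANTS row that matches any of the
    user's roles, the table name and the data security privilege name."""
    if not roles:
        return []
    marks = ",".join("?" * len(roles))
    sql = ("SELECT PREDICATE FROM FND_GRANTS "
           f"WHERE OBJECT_NAME = ? AND FUNCTION_NAME = ? AND ROLE_NAME IN ({marks})")
    return [row[0] for row in conn.execute(sql, (table, privilege, *roles))]


def build_where(predicates, alias):
    """OR the predicates together; &TABLE_ALIAS is the page's placeholder for the
    alias of the secured table in the application's Select statement."""
    return " OR ".join(f"({p.replace('&TABLE_ALIAS', alias)})" for p in predicates)


def secured_select(conn, roles, table, privilege, user_guid, alias="A"):
    """Simulate the data security check: no matching grant means no data and no
    query; otherwise the OR'd predicates filter the rows that are returned."""
    predicates = matching_predicates(conn, roles, table, privilege)
    if not predicates:
        return []
    # The predicate text is trusted because it is system-generated from security
    # profiles: that is why the page insists the conditions are never hand-edited.
    sql = (f"SELECT {alias}.ASSIGNMENT_ID FROM {table} {alias} "
           f"WHERE {build_where(predicates, alias)} ORDER BY 1")
    params = {"user_guid": user_guid} if ":user_guid" in sql else {}
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = build_db()
    tbl, priv = "PER_ALL_ASSIGNMENTS_M", "PER_PROMOTE_WORKER_DATA"
    duty = ["PER_WORKER_PROMOTION_DUTY"]
    print("duty role alone:      ", secured_select(db, duty, tbl, priv, "GUID-ALICE"))
    print("duty + View All:      ", secured_select(db, duty + ["XX_HR_SPEC_VIEW_ALL_DATA"],
                                                   tbl, priv, "GUID-ALICE"))
    print("duty + own record:    ", secured_select(db, duty + ["XX_VIEW_OWN_RECORD_DATA"],
                                                   tbl, priv, "GUID-ALICE"))
```

Running the duty role alone returns no rows, because its only predicate is 1=2; adding the View All data role gives (1=2) OR (1=1) and returns every assignment; the own-record predicate returns only the signed-in user's row, and a GUID with no PER_USERS row returns nothing.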

Instructor Note: Demo Timing

Approximate Demonstration Timing: 15 minutes

Demonstration: Viewing Security Policies in APM


Demonstration Background
Viewing the security policies associated with duty roles can help you understand an
important part of the HCM security model.

Demonstration Scope
Use the Manage Duties task in the Setup and Maintenance work area to access APM,
where you can view duties and their associated data and function security policies.

Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

1. Launch the Manage Duties task.

Location: Authorization Management page

2. In the Application Name section, select hcm.

3. Select Search under Application Roles.

Information
Remember that duty roles are referred to as application roles in APM.

Location: Role Catalog page

4. In the Display Name field, enter Worker Promotion Duty and click Search.

5. In the Search Results, select the Worker Promotion Duty role and click the
Open icon button.

Viewing Functional Security Policies

1. Click Find Policies in the upper-right-hand corner of the screen, and then select
Default Policy Domain.

2. Review the policies listed on the Functional Policies tab.

Information
This role has only one function security policy: Policy for Worker Promotion Duty.
It controls access to this function from the Oracle Fusion HCM menus and work
areas.

3. To view the code artifacts that are secured using this function security policy, go
back to the Home tab (but don't close this tab).

4. Select hcm in the Application Name field, and then click Search under
Entitlements.

Location: Search Entitlements page

Note: Remember that, in APM terminology, an entitlement equates to an Oracle
Fusion Applications function security privilege.

5. In the Display Name field, enter Promote Worker and click Search.

6. Select the Promote Worker entitlement in the Search Results, and click the
Open icon button.

Information
The code artifacts that are secured against this entitlement are shown in the
Resources section of the page.

7. Return to the Search Authorization Policy tab. (The Worker Promotion Duty
role should still be displayed.)

Viewing Data Security Policies

1. Select the Data Security tab, and review the data security policies for this role.

Information
This role has several data security policies: Choose Department, Choose
Position, Promote Worker, and so on. These policies provide access to all of the
different types of data that a user must view, select, or manage when performing
the Worker Promotion Duty.

As you can see, managing data security policies can be very complex. However,
if you use the delivered duty roles as building blocks when defining custom job
roles in HCM, then security policies are generated automatically for you. You do
not need to manage them manually in APM.

2. In the right-hand corner of the Actions column header, click the Sort
Descending icon button to resort the column.

Information
This just makes it easier to find the role, as the list is very long.

3. Select the Promote Worker row, and click the Edit icon button.

Location: Data Security Policy: Edit page

4. Select the Rule tab.

Information
This tab shows the condition for the privilege. When expanded, the condition is:

Access the person assignment for table PER_ALL_ASSIGNMENTS_M for
persons and assignments in their person and assignment security profile.

This tab does not show the SQL predicate. To view the SQL predicate, you must
navigate to the data security policy from a different direction.

5. Return to the Home tab, and click Search - Policies under the Search and
Create heading.

Location: Search Policies tab

6. Click the Database Resource button at the top of this tab.

Location: Manage Database Resources and Policies page

7. In the Display Name field, enter Person Work Terms Assignment and click
Search.

Information
The Search Results lists all of the data security policies for the
PER_ALL_ASSIGNMENTS_M database table.

8. In the PER_ALL_ASSIGNMENTS_M: Policies Details section, click the Detach
button.

Location: Detached Table page

Note: Detaching the table makes it easier to browse and navigate, and allows
you to view the SQL predicate in the condition.

9. Right-click the Role column header, and select Sort > Descending.

10. Scroll down to the PER_WORKER_PROMOTION_DUTY role (there are two
rows), and select the row with the Description: Worker promotion duty can
search worker... (The Policy column for this role displays Grant on Person
Assignment.)

11. Click the Edit icon button.

Location: Edit Data Security: PER_ALL_ASSIGNMENTS_M page

12. Select the Condition tab.

Information
Note the SQL predicate for the condition in the first row. The other conditions on
the Conditions tab are generated from security profiles. The condition Display
Name includes the security profile name.

13. Select the first condition, and click the Edit icon button.

Information
You can view the full condition details here. Note the SQL Predicate value of
1=2, as discussed previously.

IMPORTANT!
Don't edit the conditions! The conditions for HCM data security policies are
generated automatically from security profiles and should not be changed.

14. Click Cancel.

15. Close the APM browser window.

You have demonstrated how to view function and data security policies.

Instructor Note on Activity 5: Bulk Regeneration


Regarding regeneration of data roles in Activity 5, inform students that a bulk
regeneration process for data roles is currently under development.

Instructor Note: Activity Timing

Approximate Activity Timing: 30 minutes

Activity 5 Introduction
Background
A new duty role is required because the predefined duty role has more function security
privileges and data security policies than you want the role to have in your enterprise.

Requirements

Use the bold text for the object names, replacing the XX with your initials.

You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
practice.

You must have successfully created a job role (XX Dept Admin) in Activity 3.

Activity Scope

Activity 5: Creating a Custom Duty Role


In this activity, you create a custom duty role, using a predefined role as a reference.
You add data and function security policies to the role and then add the new duty role to
the job role you created in Activity 3. Finally, you generate the data security policies for
the roles that inherit this new duty.

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

Create the New Duty Role

1. Launch the Manage Duties task.

Location: Authorization Management page

2. In the Application Name section, select hcm.

3. Under the Application Roles heading, click New.

4. In the Display Name field, enter XX Department Duty.

5. In the Role Name field, enter XX_DEPT_DUTY.

6. Click Save.

Add Function Security Privileges to the Role

1. Click the Create Policy button in the top-right corner of the tab, and select
Default Policy Domain.

Location: Untitled page

2. In the Display Name field, enter XX Policy for XX Department Duty.

Information
Predefined security policies use the naming format: Policy for <duty role name>.

3. In the Name field, enter XX_DEPT_DUTY_POL.

4. In the Targets section, click the Add Targets (+) icon button.

Location: Search Targets page

Information
APM uses generic security terminology. In this context, a target is a function
security privilege, and a principal is a role. Thus, when a target is granted to the
principal, it means that the function security privilege is granted to the duty role.

5. In the Display Name (Starts With) field, enter Manage Department, and click
Search.

6. Select Manage Department, and click the Add Selected button (located above
the search results).

Information
The security privilege is added to the Selected Targets list.

7. Click Add Targets (at the bottom of the page), and then click Save.

Information
You have now added the Manage Department function security privilege to your
duty role.

Add Data Security Policies to the Duty Role

1. Return to the Home tab, and click Search under Application Roles.

Location: Role Catalog page

2. In the Display Name field, enter Department Management Duty and click
Search.

Information
This is the predefined duty role you will use as a reference for your custom duty
role. You want to find the data security policies assigned to that role and add
your role to them.

3. Select the role in the Search Results, and click the Open icon button.

Location: Department Management Duty page

4. In the upper-right-hand corner of the page, click Find Policies and select
Default Policy Domain.

5. In the Policies for: Department Management Duty section, select the Data
Security tab.

Information
There are three data security policies for this role.

6. Select the first data security policy.

7. Click the Edit icon button.

8. Select the Roles tab, and click the Add icon button.

Location: Select and Add: Roles page

9. Search for your new duty role. (Enter XX_DEPT_DUTY in the Role Name field,
select hcm as the Application, and then click Search.)

10. Select the XX Department Duty role, and click OK.

Information
You have now created a copy of this data security policy against your custom
duty role.

11. Click Save, and click OK to dismiss the confirmation window.

Location: Search Authorization Policies tab (which displays the Department
Management Duty role).

12. Select the second security policy on the Data Security tab, and repeat steps 7-11.

13. Select the third (and last) security policy, and repeat steps 7-11 again.

Information
You have now created copies of these three data security policies against your
custom duty role. The duty role is complete. Take a moment now to verify that all
policies were added.

14. Return to the Home tab.

15. Select hcm in the Application Name field, and select Search under Application
Roles.

16. Search for the duty role (Display Name: XX Department Duty) and open it from
the Search Results.

17. Click Find Policies, and select Default Policy Domain.

Information
You should see one policy on the Functional Policies tab and three on the Data
Security tab.

18. Return to the Home tab.

Assign the New Duty Role to a Job Role

1. Select hcm for the Application Name, and select Search - External Roles
under the Search and Create heading.

Location: Search - External Roles page

2. Search for the XX Dept Admin Job Role you created in Activity 3.

3. Select the job role in the Search Results, and click Open Role.

4. Select the Application Role Mapping tab.

5. Remove the predefined Department Management Duty role. (Open the hcm
folder, select the role, click the Remove Roles icon button, and then confirm.)

6. Add your custom XX Department Duty role. (Click + Map, select hcm, search
for the XX Department Duty duty role, select it, and click Map Roles.)

Information
The job role now has two duties: your custom department duty role and the
original Approve Transaction Duty role.

Generate the Data Security Policies for the Roles that Inherit this Duty Role

1. Return to Oracle Fusion Applications and navigate to the Setup and
Maintenance work area.

2. Launch the Manage Data Role and Security Profiles task.

3. Search for your XX Dept Admin - View All data role, and then click Assign.

4. Proceed through the pages in the flow until you get to the Review page, and then
click Submit.

Information
Although you did not make any changes to the data role, you must run this task
to regenerate its security policies because you changed the job role that the data
role inherits.

Note: Security policies are regenerated only for the selected role. If you needed
to regenerate data security policies for multiple data roles, you would have to run
this task (and click Assign) for each role.

5. Click Done.

Verify Your Provisioning

1. Sign out and sign back in as the user you created earlier (Security.UserXX).

2. Navigate to the Workforce Structures work area.

3. Verify that you can only see the Manage Departments task under
Organizations in the Workforce Structures work area.

Security Deep Dive Review Question 1


If you make changes to a job role or any of its duty roles, you must:

1. Delete all data roles based on the job role and recreate them
2. Regenerate all the data roles that inherit the job role
3. Reassign security profiles to all data roles that inherit the job role

Security Deep Dive Review Question 2


A data security policy consists of:

1. A role and a privilege
2. A business object and a condition
3. All of the above

Security Deep Dive Questions and Answers


If you make changes to a job role or any of its duty roles, what must you do:
2. Regenerate all the data roles that inherit the job role
OR
3. Reassign security profiles to all data roles that inherit the job role

It is the process of reassigning security profiles (using the Manage Data Role and
Security Profiles task and the Assign action) that regenerates the data roles and their
associated security privileges and policies. Answer #3 also applies because adding new
duty roles to a job role can require additional security profiles to be assigned to the
data role.
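The dependency the answer describes, as an added example that is not Oracle's or the course's code: a data role's data security policies are generated from the job role's duty privileges combined with the security profiles assigned to the data role, so a duty added to the job role grants nothing through the data role until Assign is re-run, and may need an extra profile. Apart from the XX Dept Admin - View All data role, every role, privilege, profile and condition below is a constructed name used only to illustrate the model.

```python
# Added example (not Oracle code): how a data role's policies are generated.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataPrivilege:
    name: str              # constructed privilege name
    business_object: str   # secured business object the privilege acts on


@dataclass
class DutyRole:
    name: str
    privileges: tuple


@dataclass
class JobRole:
    name: str
    duties: list = field(default_factory=list)

    def data_privileges(self):
        """Every data privilege reachable through the inherited duty roles."""
        return [p for d in self.duties for p in d.privileges]


@dataclass(frozen=True)
class SecurityProfile:
    name: str
    business_object: str
    condition: str   # predicate selecting the rows of that object


@dataclass(frozen=True)
class DataSecurityPolicy:
    """Role + privilege + business object + condition (review question 2)."""
    role: str
    privilege: str
    business_object: str
    condition: str


@dataclass
class DataRole:
    name: str
    job_role: JobRole
    profiles: dict = field(default_factory=dict)   # business object -> profile
    policies: list = field(default_factory=list)   # generated by assign()

    def assign(self, profiles):
        """The Assign flow: store the profiles and regenerate the policies from
        the job role's current duties. Returns the business objects for which
        no profile was supplied; their privileges get no policy at all."""
        self.profiles = dict(profiles)
        self.policies = []
        missing = set()
        for priv in self.job_role.data_privileges():
            prof = self.profiles.get(priv.business_object)
            if prof is None:
                missing.add(priv.business_object)
                continue
            self.policies.append(DataSecurityPolicy(
                self.name, priv.name, priv.business_object, prof.condition))
        return missing

    def permits(self, privilege, business_object):
        """Access comes only from a generated policy, never from the job role
        hierarchy directly, which is why stale policies deny access."""
        return any(p.privilege == privilege and p.business_object == business_object
                   for p in self.policies)


def build_dept_admin():
    """XX Dept Admin job role with one duty, generated into its View All data role."""
    dept_duty = DutyRole("Department Management Duty",
                         (DataPrivilege("Manage Department", "Organization"),))
    job = JobRole("XX Dept Admin", [dept_duty])
    data_role = DataRole("XX Dept Admin - View All", job)
    # "1 = 1" stands in for an unrestricted (View All) profile condition.
    data_role.assign({"Organization": SecurityProfile(
        "View All Organizations", "Organization", "1 = 1")})
    return data_role


def add_location_duty(data_role):
    """Change the job role after the data role was generated, the situation the
    review question asks about: the data role's policies are now stale."""
    data_role.job_role.duties.append(DutyRole(
        "Location Management Duty",
        (DataPrivilege("Manage Location", "Location"),)))
    return data_role
```

Calling `assign` with the old profile set alone regenerates the policies but reports `Location` as missing, which is the case where the job-role change also needs a new security profile.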

A data security policy consists of:


3. All of the above


Instructor Note: Final Activities


The remaining activities require participants to apply what they've learned to real-world
scenarios. Encourage them to attempt the activities using only the information provided
in the activity introductions. If they get stuck, they can refer to the detailed steps.
However, they should try to figure out which tasks to perform and which data to enter in
order to achieve the desired results.

The Additional Security Activity provides the detailed steps for the scenario described in
next section's review questions.

If there is not enough time to do the final exercises, students can do them as post-work.
There are no new concepts or tasks in these activities.


Instructor Note: Activity Timing

Approximate Activity Timing: 30 minutes


Activity 6 Introduction
Background
The predefined line manager role has access to actions that you don't want all your line
managers to use. A custom line manager role is required to meet your needs.
Requirements

Use the bold text for the object names, replacing the XX with your initials.

You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
practice.

You must have successfully created a user in Activity 2.

You must have successfully created a role-provisioning rule in Activity 2.

Activity Scope

Note: Students are encouraged to attempt to complete this activity using only the
summarized steps below. The complete set of detailed steps is available on the
following page should you need them. However, you've already performed each of
these tasks at least once, so you may be able to work out the detailed steps yourselves.

1. Use the Manage Job Roles task to create a custom abstract role for a line
manager. This process is basically the same as creating a job role.

2. Use the Retrieve Latest LDAP Changes scheduled process to synchronize the
new role information between LDAP and HCM.

3. Use the Manage Duties task to grant access to the following manager actions
only: Promote, Transfer, Change Manager, and Change Working Hours. (To find
the exact names of the duties, you can search the HCM Security Reference
Manual. You must also grant manager access to the Person Gallery to be able to
see these actions.)

4. Use the Manage Data Role and Security Profiles task to assign the View
Manager Hierarchy predefined security profile to the new abstract role.

5. Use the Manage HCM Role Provisioning Rules task to add a mapping rule for
the new role so that it can be provisioned to users. Use the same task to modify
the Line Manager mapping rule so that the predefined Line Manager role will no
longer be automatically provisioned.

6. Use the Manage Users task to create a new user who will report to the line
manager user. The new employee has the same legal employer (InFusion Corp
USA1) and business unit (USA1 Business Unit) as the employee you created
earlier. Do not assign any roles, other than the automatically provisioned
employee role.

7. Use the Manage Users task to assign the custom line manager role to the user
you created in Activity 2.

8. Verify the security provisioning for the new user and compare with a user who
has the standard line manager role, such as Jack.Fisher.


Activity 6: Creating a Custom Line Manager Role


In this activity you will create a custom line manager abstract role and perform all
necessary tasks (as summarized on the previous page) to assign the new role to the
user you created earlier. You will also deprovision the predefined Line Manager role, for
which there is an autoprovision rule in place. You will also create a new user, who will
report to the line manager. This allows you to verify that the custom line manager role
you created provides access to the manager duties you assigned to it.

Create Custom Line Manager Role

1. Log in to Oracle Fusion applications as Curtis.Feitty.

2. Navigate to the Setup and Maintenance work area, Overview page, All Tasks
tab.

3. Search for and launch the Manage Job Roles task.

Location: Oracle Identity Manager page

4. Click Administration, and then click Create Role.

Location: Create Role page

5. In the Name field, enter XX_LINE_MGR_ROLE.

6. In the Display Name field, enter XX Line Manager.

7. In the Role Category Name field, select HCM - Abstract Roles.

8. Click Save.

9. Return to the Oracle Fusion Applications window.

Synchronize Roles between LDAP and HCM

1. Navigate to the Scheduled Processes work area.

2. In the Search Results, select a Retrieve Latest LDAP Changes process where
the Status is Succeeded.

3. Click Resubmit, then click Yes to confirm.


Assign Duties to Your Role

1. Navigate to the Setup and Maintenance work area, and launch the Manage
Duties task.

Location: Oracle Entitlements Server Authorization Management page

2. In the Application Name section, select hcm.

3. Under the Search and Create heading, click Search - External Roles.

Location: Search - External Roles page

4. In the Display Name field, search for the XX Line Manager role you created
earlier.

5. Select the role in the Search Results, and click the Open Role button.

6. Click the Application Role Mapping tab to assign duty roles to the job role.

7. Click the + Map icon button.

Location: Map Application Roles to External Role page

8. In the Application field, select hcm.

9. In the Display Name field, enter Worker Transfer Duty and click Search.

10. Select the role in the Search Results, and click Map Roles.

11. Repeat steps 7-10 to add the following additional duty roles:

Worker Working Hours Change Duty
Worker Promotion Duty
Worker Manager Change Duty
Manager Gallery Access Duty

Information
Once all 5 duty roles have been added, your custom line manager role is
complete.

12. Return to the Oracle Fusion Applications window.


Assign Security Profiles to the Custom Role

1. Navigate to the Setup and Maintenance work area, and launch the Manage
Data Role and Security Profiles task.

2. Search for the new line manager role (XX Line Manager) you just created.

Information
In the Search Results, note that the Security Profiles Assigned column for this
role is blank, as no security profiles have been assigned yet.

3. Select it from the Search Results and click Assign.

Location: Assign Data Role: Security Criteria page

4. In the Organization section, search for and select View All Organizations.

5. In the Position section, select View All Positions.

6. In the Person section, search for and select View Manager Hierarchy.

7. In the Public Person section, search for and select View All People.

Information
All of these profiles are predefined.

8. Click Review, and then Submit.

Location: Manage Data Roles and Security Profiles - Search page

9. Search for the role, and verify that it now displays a checkmark in the Security
Profiles Assigned column.

Create a Mapping Rule for the Custom Role

You can add this mapping rule to an existing role-provisioning rule.

1. Navigate to the Setup and Maintenance work area, and launch the Manage
HCM Role Provisioning Rules task.

Location: Manage Role Mappings page

2. Search for the mapping rule (XX Generic Mapping Rule) you created in Activity
2.

Information
You could create a new mapping rule, but it's easier for now to use the one
created earlier, since it has no conditions.

3. Select the rule in the Search Results and click the Edit icon button.

Information
There should be two rows for this rule; you can select either one.

4. In the Associated Roles section, click the Add (+) icon button.

5. Select the custom abstract role (XX Line Manager).

6. Deselect Autoprovision option, and select the Requestable option.

Information
In an actual implementation, you might want to configure your custom line
manager rule for autoprovisioning, in place of the predefined Line Manager role.

7. Click Save and Close, and then click OK to dismiss the confirmation message.

Location: Manage Data Roles and Security Profiles - Search page

8. In the Mapping Name field, search for the predefined Line Manager With
Reports rule.

9. Select the role in the Search Results, and click the Edit icon button.

10. In the Associated Roles section, select the Line Manager role, and then
deselect the Autoprovision option.

Note: If the Autoprovision option is already deselected or the role does not
appear in the Associated Roles list, it means that another student who shares
your training environment has already performed this step.

Information
If the Line Manager role were still set to autoprovision, it would be automatically
provisioned to your security user when you select that user as a manager in the
next task. In a real implementation, you would probably set up your custom line
manager role for autoprovisioning, but we don't want to do that in the training
environment (since multiple students are creating custom line manager roles).

11. Click Save and Close, and then click OK.

12. Click Done.


Create a User Who Works for the Line Manager

1. In the Setup and Maintenance work area, launch the Manage Users task.

Location: Manage Users (Search Person) page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create User page

3. Enter the following values:

Note: Make sure that you use the specified Hire Date.

4. In the Roles section, click Autoprovision Roles.

Information
The Employee role appears in the Role Requests table.

Note: If any roles other than Employee appear in the Role Requests table, delete
them. (Additional roles may appear if other trainees created roles and mistakenly
set them up for autoprovisioning.)

5. Click Save and Close.


Add the Custom Line Manager Role to Your First User

1. In the Manage Users (Search Person) page, search for the user you created in
Activity 2. (You can search by your last name.)

2. Click the user name in the Search Results.

Location: Edit User page

3. In the Roles section, click Add Role.

Location: Add Role window

4. Search for and select the custom line manager role (XX Line Manager) you
created earlier in this activity.

Note: If you cannot find the role you created, make sure that:

- You created a mapping rule for the role
- You selected the Requestable option for the role mapping
- The user's assignment information matches the mapping criteria (we didn't set
any criteria in our generic mapping rule)

5. In the Current Roles section, select the XX Dept Admin - View All role you
assigned to this user earlier, and click the X (Remove) icon button, then confirm.

Important
If you updated the Line Manager with Reports role-provisioning rule, as
described above, the Line Manager role should not have been provisioned. If it
was, delete it now.

6. Remove any other roles, other than Employee, that may have been automatically
provisioned.

7. Click Save and Close.

8. Click Done.

Note: It may take a few moments for the role changes to take effect.

Verify Security Setup

1. Sign out, and sign back on as the line manager user (Security.UserXX).

2. Navigate to Person Gallery.

3. Select the Organization Chart tab.


4. Open the Actions > Personal and Employment menu for the subordinate
employee.

Information
You should see the following manager actions under Personal and Employment:
Change Manager, Change Working Hours, Promote, and Transfer. You should
also see the Information Sharing action, which comes from the automatically
provisioned Employee role.


Tying It All Together

Resilience to Change
Resilience to change refers to the amount of change a system can undergo and still
operate properly within expected parameters. When this concept is applied to HCM
security management, you can see that the security model is quite robust when you
make changes to higher level objects, such as job roles. The deeper you go into the
hierarchy, the more careful you must be when making changes.

Now that you've seen the types of changes you can make, you should consider the level
of resilience associated with each type:

Most Robust

Creating custom job roles and using existing duty roles as building blocks

Less Robust - Requires More Testing to Ensure Expected Results

Creating custom duty roles and assigning function and data security policies

As demonstrated earlier, function and data security policies work together to
provide users with the access they need to do their job. If you create a duty role
and do not configure both types of policies correctly, the duty role will not operate
properly. Testing is required to verify expected results. The more you change and
the deeper your changes go in the hierarchy, the more testing is required and the
more complex the testing becomes.


Least Robust - Not Recommended

Creating new resource types, resources, entitlements (function security policies),
or authorization policies

Manually modifying data security policies, except for adding custom duty roles

Note: It should not be necessary to create your own data security policies. When
you are creating custom duty roles, the predefined security policies should be
adequate for your needs.


Lesson Review Questions


Lesson Review Question 1
Answer the question below given the information in the following scenario:

An enterprise needs to create a custom employee role, because the predefined
employee abstract role allows access to several cards in the Person Gallery that
the enterprise wants to hide. The customer wants the new employee role to have
access only to the Person Gallery function and the Change Marital Status action.
They should only be able to see their own employee information.

Based on the HCM security reference information you have available online for the
predefined employee abstract role, how many duty roles must you add to your custom
employee role to enable access to these functions?

1. 1 duty role
2. 2 duty roles
3. 4 duty roles
4. 5 duty roles


Lesson Review Question 2


Answer the question below given the information in the following scenario:

An enterprise needs to create a custom employee role, because the predefined
employee abstract role allows access to several cards in the Person Gallery that
the enterprise wants to hide. The customer wants the new employee role to have
access only to the Person Gallery function and the Change Marital Status action.
They should only be able to see their own employee information.

After planning your customization, which of the following tasks would you perform first:

1. Create a custom abstract role
2. Create custom duty roles
3. Remove duty roles from the predefined abstract role


Lesson Review Question 3


Answer the question below given the information in the following scenario:

An enterprise needs to create a custom employee role, because the predefined
employee abstract role allows access to several cards in the Person Gallery that
the enterprise wants to hide. The customer wants the new employee role to have
access only to the Person Gallery function and the Change Marital Status action.
They should only be able to see their own employee information.

After creating a new abstract role, you must synchronize data between LDAP and HCM
before you can:

1. Add duties to the abstract role
2. Create a mapping rule for the abstract role
3. Assign the abstract role to a user
4. All of the above except 1


Lesson Review Question 4


Answer the question below given the information in the following scenario:

An enterprise needs to create a custom employee role, because the predefined
employee abstract role allows access to several cards in the Person Gallery that
the enterprise wants to hide. The customer wants the new employee role to have
access only to the Person Gallery function and the Change Marital Status action.
They should only be able to see their own employee information.

Which predefined person security profile could be used for this new employee role:

1. View Own Record
2. View All Workers
3. View Manager Hierarchy


Lesson Review Question 5


Answer the question below given the information in the following scenario:

An enterprise needs to create a custom employee role, because the predefined
employee abstract role allows access to several cards in the Person Gallery that
the enterprise wants to hide. The customer wants the new employee role to have
access only to the Person Gallery function and the Change Marital Status action.
They should only be able to see their own employee information.

Which public person security profile could be used for this new employee role:

1. View Own Record
2. View All Workers
3. View Manager Hierarchy


Lesson Questions and Answers


Based on the HCM security reference information you have available online for
the predefined employee abstract role, how many duty roles must you add to
your custom employee role to enable access to these functions:
4. 5 duty roles

The roles are:

Public Person Selection Duty
Approval Notification Duty
Approve Transactions Duty
Gallery Access Duty
Person Marital Status Maintenance Duty

After planning your customization, which of the following tasks would you
perform first:
1. Create a custom abstract role

After creating a new abstract role, you must synchronize data between LDAP and
HCM before you can:
4. All of the above except 1

Which predefined person security profile could be used for this new employee
role:
1. View Own Record

Which public person security profile could be used for this new employee role:
2. View All Workers or View Own Record.
Use the latter if you do not want to allow employees to browse the Person Gallery for
other employees.


Instructor Note: Activity Timing

Approximate Activity Timing: 30 minutes


Additional Security Activity Introduction


Background
The predefined employee role allows access to several cards in the Person Gallery that
you don't want users to view. A custom employee role is required to meet your needs.
The new employee role should have access to the My Portrait function and the Change
Marital Status action. They should only be able to see their own employee information.

Requirements

Use the bold text for the object names, replacing the XX with your initials.

You must have access to Oracle Fusion Application InFusion database (or
comparable training or test instance at your site) on which to complete this
practice.

You must have successfully created a user in Activity 2.

You must have successfully created a role-provisioning rule in Activity 2.

Activity Scope

Note: As with the previous activity, students are encouraged to complete this activity
using only the summarized steps below. This time, we've left a bit more for you to figure
out than in the last activity.

1. Create a custom employee abstract role that has access to the My Portrait
function and the Change Marital Status action. Restrict their data access to their
own record only in the Person Gallery.

2. Determine the names of the duties that should be added to this role by reviewing
the roles and duties in the HCM Security Reference Manual, and then add the
appropriate duties to the new employee role.

3. Assign the predefined View Own Record person security profile to the custom
employee role.

4. Assign the predefined View Own Record public person security profile to the
custom employee role.

5. Create a mapping rule for the custom employee role.


6. Assign the custom employee role to a user.

7. Verify your security provisioning.


Additional Security Activity: Creating a Custom Employee Role
In this activity you will create a custom Employee abstract role with access only to the
My Portrait and Marital Status actions. After creating the abstract role and assigning the
appropriate duty roles, perform the necessary steps to assign the job role to a user.

Create Custom Employee Role

1. Log in to Oracle Fusion applications as Curtis.Feitty.

2. Navigate to the Setup and Maintenance work area, Overview page, All Tasks
tab.

3. Search for and launch the Manage Job Roles task.

Location: Oracle Identity Manager page

4. Click Administration, and then click Create Role.

Location: Create Role page

5. Enter the following information:

Name: XX_EMPLOYEE_ROLE
Display Name: XX Employee
Role Category Name: HCM - Abstract Roles

6. Click Save.

7. Return to the Oracle Fusion Applications window.

Synchronize Roles between LDAP and HCM

1. Navigate to the Scheduled Processes work area.

2. In the Search Results, select a Retrieve Latest LDAP Changes process where
the Status is Succeeded.

3. Click Resubmit, then click Yes to confirm.


Assign Duties to Your Role

1. Navigate to the Setup and Maintenance work area, and launch the Manage
Duties task.

Location: Authorization Management page

2. In the Application Name section, select hcm.

3. Select Search - External Roles.

Location: Search - External Roles page

4. Search for the XX Employee role you created earlier.

5. Select the role in the Search Results and click the Open Role button.

6. Click the Application Role Mapping tab to assign duty roles to the job role.

7. Click the + Map icon button.

Location: Map Application Roles to External Role page

8. In the Application field, select hcm.

9. In the Display Name field, enter Person Marital Status Maintenance.

10. Select the role in the Search Results and click Map Roles.

11. Repeat steps 7-10 for each of the following additional roles:

Public Person Selection Duty
Approval Notification Duty
Approve Transactions Duty
Gallery Access Duty

Assign a Security Profile to the Role

1. Navigate to the Setup and Maintenance work area, and launch the Manage
Data Role and Security Profiles task.

2. Search for the custom employee role you just created.

3. Select it from the Search Results and click Assign.


4. Click Next.

5. In the Person section, select the predefined View Own Record profile.

6. In the Public Person section, select the View Own Record profile.

7. For all other sections, select one of the View All profiles.

8. Click Review, and then Submit.

Information
If you search for the role, you should see a checkmark in the Security Profiles
Assigned column.

Create a Mapping Rule for the Employee Role

Follow the steps presented in Activity 6 to create a mapping rule for the new role. (Open
the existing mapping rule, XX Generic Mapping Rule, and add a mapping for your new
XX Employee role. Deselect autoprovisioning, and select the Requestable option.)

Assign the Role to a User

Follow the steps presented in Activity 6 to assign the XX Employee role to the user you
created in Activity 2. Deprovision the predefined Employee role and any other roles
assigned to the user.

Verify your Security Provisioning

1. Log in as your user and navigate to the Person Gallery.

2. Verify that you can only access the My Portrait tab and the Change Marital
Status action.

Troubleshooting
If, after completing this activity, you try to perform the Change Marital Status action,
you may encounter the following errors:

You cannot edit your marital status because legislative information is
missing from your account. Contact your support representative. (PER-
1531137)

A current or future-dated change of this type exists for this person. Contact
your support representative.

Error: You cannot edit your marital status because legislative information is
missing from your account.


This error occurs because the person doesn't yet have a marital status. (The Manage
Users page used to create this user doesn't capture all of the employee information that
is captured by the New Hire flow. This is an example of why you should always use the
proper HR flows once the implementation is complete. The Manage Users task is not
intended to be used by HCM users in a production environment.)

You can resolve this error as follows:

1. Sign on as Curtis.Feitty.
2. Navigate to Person Management and open the person record for editing.
3. On the Manage Person page, Person Information tab, Legislative
Information section, select a Country (United States).
4. Open the Gender and Marital Status section for editing, and select a marital
status for this person.
5. Save.

Error: A current or future-dated change of this type exists for this person

This error occurs because an employee cannot change their own marital status on the
same day that it was last changed.
To work around this, you can:

Try again tomorrow (or any date thereafter)

Ask an HR Specialist to make the change for you on the Manage Person page
(or log on as a user with that role, if you have access to one).

Note: If you used the current date rather than 1-Jun-13 (the value you were instructed
to use) for the employee's hire date, then you can log in as Curtis.Feitty and change the
hire date to an earlier date, using the Manage Work Relationship task in the Person
Management work area.


References
For information about Single Sign-On in Oracle Fusion Applications, see:
SaaS SSO Using Identity Federation eSeminar on My Oracle Support (MOS).
You can take the training online or download the slides.

Link: http://oukc.oracle.com/static09/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1222182178

See also:
Fusion Applications Technology: Master Note on Fusion Federation,
Document ID: 1484345.1 on MOS.

Link: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1484345.1

For a mapping of duties and privileges to roles across all offerings, see:
Mapping of Roles, Duties and Privileges in Fusion Applications, Document
ID 1459828.1 on MOS.

Link: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1459828.1

For information about how duty roles and privileges map to top-level menus, see:
Mapping of Duty Roles to Top Level Menu Items, Document ID 1460486.1 on
MOS.

Link: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1460486.1

For descriptions of all the predefined data that is included in the security
reference implementation for HCM, see:
Oracle Fusion Applications Human Capital Management Security Reference
Manual. Latest version is available from Oracle Fusion Applications Help.

For information about the common roles required to set up and administer an
offering, see:
Oracle Fusion Applications Common Security Reference Manual. Latest
version is available from Oracle Fusion Applications Help.

For an overview and detailed information about the Oracle Fusion Applications
security approach, including an explanation of role types, enforcement, and how
to implement and administer security for your deployment, see:


Oracle Fusion Applications Security Guide. Latest version is available from
Oracle Fusion Applications Help.

For information on security hardening, see:
Oracle Fusion Applications Security Hardening Guide in the Oracle Fusion
Applications Documentation Library.

Link: http://docs.oracle.com/cd/E37583_01/nav/hcm.htm


Lesson Highlights
Roles
Security Profiles
Users and Role Provisioning
User Interfaces for Managing Security
Creating Data Roles and Security Profiles
Creating Custom Job Roles
Creating Custom Duty Roles


Lesson Details
Roles
Security in Oracle Fusion Applications is role-based, where roles control who can do
what on which data. Oracle Fusion Applications defines four types of roles:

Abstract roles
Data roles
Job roles
Duty roles

Security Profiles
Most Oracle Fusion HCM data is secured by means of HCM security profiles. A security
profile identifies a set of data of a single type, for example, you could create security
profiles to identify all workers in department HCM US. HCM security profiles are an
Oracle Fusion HCM feature; they are not used by other Oracle Fusion Applications.

Users and Role Provisioning

User Provisioning: Oracle Fusion Applications are tightly integrated with Oracle
Identity Management (OIM). When you hire a worker, a user account can be
created automatically for that worker in the OIM Identity store.

Roles Provisioning: Abstract and data roles must be provisioned to users so that
they can access the functions and data that enable them to perform their jobs.
The process of assigning roles to users is known as role provisioning.

User Interfaces for Managing Security

Three applications provide the user interfaces for managing HCM security:

Oracle Fusion HCM - Functional Setup Manager
Oracle Identity Manager (OIM)
Authorization Policy Manager (APM)

Creating Data Roles and Security Profiles

This figure shows the process of creating new data roles and security profiles:

Creating Custom Job Roles

This figure shows the process of creating a new job role:

Creating Custom Duty Roles

This figure shows the process of creating a new duty role:

Tip: Minimizing the Number of Data Roles

Consider that Mitch, David, and Linda are HR representatives for employees based in
different business units. They all perform the same job, but access different sets of data.
One way to set up security for this scenario would be to create four different data roles,
each with its own static security profile, as shown here:

Note: In this example, access to HR data is secured by business unit. However, it could
be based on legal employer, department, or any level within the organization.

Dynamic Security Profiles and Areas of Responsibility

Another approach would be to use the Areas of Responsibility feature to record the
business units that each HR representative is responsible for, and then create a dynamic
security profile that restricts data access based on those areas of responsibility.
Using dynamic security profiles and areas of responsibility, you need just two data
roles:

Defining Areas of Responsibility

To define the area of responsibility for Mitch Blum in our scenario, select USA1
Business Unit from the Business Unit field on the Create Area of Responsibility
page.

Workforce Management > Person Management > Manage Areas of Responsibility >
Manage Areas of Responsibility page > Create Area of Responsibility page

Define areas of responsibility for the other two HR representatives, David and Linda, in
the same way. For David, you must create two area of responsibility records, one for
USA2 Business Unit and another for USA Health Business Unit.

Creating a Dynamic Security Profile

After defining areas of responsibility for all HR representatives, create a person security
profile. In the Custom Criteria section of the Create Person Security Profile page,
enter an SQL fragment that grants each HR representative access only to the person
records in the business units defined in their areas of responsibility.

The figure below shows where the SQL fragment is entered:

Manage Person Security Profile > Manage Person Security Profiles page > Create
Person Security Profile

To secure person records by business unit, you would enter an SQL fragment similar to
the following:

    &TABLE_ALIAS.PERSON_ID IN
      (SELECT A.PERSON_ID
         FROM PER_ALL_ASSIGNMENTS_M A          -- assignments of the people being secured
        WHERE A.BUSINESS_UNIT_ID IN
              (SELECT B.BUSINESS_UNIT_ID       -- business units the signed-in user is HR rep for
                 FROM PER_ASG_RESPONSIBILITIES B,
                      PER_USERS C
                WHERE C.USER_GUID = FND_GLOBAL.USER_GUID   -- maps the signed-in user to a person
                  AND C.PERSON_ID = B.PERSON_ID
                  AND B.RESPONSIBILITY_TYPE = 'HR_REP'))

Note: The actual SQL fragment for this scenario would be a little more complex than the
sample fragment, because it would need to take into account the effective dates of both
the areas of responsibility records and the worker's assignment record.
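The fragment below is an added example, not part of the original guide, showing the business-unit criteria above extended with the effective-date conditions the note describes. The date columns (EFFECTIVE_START_DATE and EFFECTIVE_END_DATE on PER_ALL_ASSIGNMENTS_M, START_DATE and END_DATE on PER_ASG_RESPONSIBILITIES, with a NULL END_DATE meaning open-ended) and the use of TRUNC(SYSDATE) as the evaluation date are assumptions; check them against the data model of your release before using the fragment.

```sql
-- Added example (not from the guide): business-unit criteria with effective dating.
-- Assumed columns: PER_ALL_ASSIGNMENTS_M.EFFECTIVE_START_DATE / EFFECTIVE_END_DATE,
-- PER_ASG_RESPONSIBILITIES.START_DATE / END_DATE (END_DATE NULL = still open).
&TABLE_ALIAS.PERSON_ID IN
  (SELECT A.PERSON_ID
     FROM PER_ALL_ASSIGNMENTS_M A
    WHERE A.BUSINESS_UNIT_ID IN
          (SELECT B.BUSINESS_UNIT_ID
             FROM PER_ASG_RESPONSIBILITIES B,
                  PER_USERS C
            WHERE C.USER_GUID = FND_GLOBAL.USER_GUID        -- the signed-in user
              AND C.PERSON_ID = B.PERSON_ID
              AND B.RESPONSIBILITY_TYPE = 'HR_REP'
              AND B.BUSINESS_UNIT_ID IS NOT NULL            -- ignore responsibilities scoped some other way
              AND TRUNC(SYSDATE) >= B.START_DATE            -- responsibility has started ...
              AND (B.END_DATE IS NULL
                   OR TRUNC(SYSDATE) <= B.END_DATE))        -- ... and has not ended
      -- only the assignment row that is current today, so a worker who moved
      -- out of the business unit last year is no longer returned
      AND TRUNC(SYSDATE) BETWEEN A.EFFECTIVE_START_DATE AND A.EFFECTIVE_END_DATE)
```

Attach the profile to a test data role and sign in as a user who holds only that role before using it in production. A syntax error in the custom criteria denies access rather than widening it, but criteria that omit the date checks silently keep granting access through ended areas of responsibility and through a worker's historical assignment rows, which is the exposure the note warns about.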

TIP: If this approach reduces the number of data roles to one, you could assign the
security profiles directly to the job role instead of creating a data role. Assigning
security profiles directly to a job role works only if the areas of responsibility criteria
alone give users all the data access they need. In our scenario, we want to give some
users View All access and others access restricted by their areas of responsibility, so
we still need two data roles: one whose person security profile uses the areas of
responsibility criteria and one with a View All security profile. Both data roles are
based on the same job role.

Tip: Impersonation and Delegation

User Impersonation
The user impersonation feature is disabled for HCM Cloud customers. It can be enabled
on request, but Oracle does not recommend its use by HCM Cloud customers. User
impersonation potentially allows the proxy user uncontrolled access to the personal data
of the user they are impersonating; the proxy user gets all of that user's roles, which is
particularly dangerous if a customer is implementing employee self-service.

Role Delegation
Currently in HCM, you can implement role delegation, but it must be done manually.
There are two types of role delegation:

Delegating the ability to approve transactions: This is done from the BPM
Worklist. The process is covered in the Approvals lesson.

Delegating the ability to initiate transactions: This is done by configuring new
roles, defining role mappings, and manually provisioning the roles to users.
Likewise, you can manually revoke roles from users. These tasks are covered in
this lesson.

Note: Improved support for role delegation is currently under development and is
targeted for a future release of Fusion HCM.
