ATTENTION – AUDIO Options

You can:
 Either listen the audio broadcast on your computer
 Or join teleconference (dial in)

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Voice Streaming – Audio Broadcast
 Listen only mode
 Advantage: no need to dial in
 What about Questions?
 Type your questions into WebEx Q&A panel
 If you prefer full audio access in order to ask
questions directly, please connect to our
teleconference
 Connect details you will find at next slide

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

ATTENTION – AUDIO INFORMATION
Teleconference Connect details:
1. Conference ID: “Complete your ID here”
2. International dial in: +44 (0) 1452 555 566
3. US Free call: 1866 966 9439
4. List with national toll free numbers is available in
Note ID: 1148600.1
You can view this info anytime during the conference using
Communicate > Teleconference > Join Teleconference
from your WebEx menu

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

 Safe Harbor Statement

The following is intended to outline our general product direction.

It is intended for information purposes only, and may not be
incorporated into any contract. It is not a commitment to deliver
any material, code, or functionality, and should not be relied upon
in making purchasing decision. The development, release, and
timing of any features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Oracle Advisor Webcast
Customizing Roles in Oracle Fusion Applications

Lakshmi Reddeppa Noolu

Senior Principal Software Engineer
Oracle Fusion Security, Global Customer Services
July 10, 2014

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 7

Objectives

• Understand various types of roles in FA

• Know tools for managing various roles

• Look at steps to create custom roles

• Review steps to provision roles to users

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Agenda
1 All about Roles
2 Tools for Managing Roles
3 Creating custom roles
4 Data Roles & Security Policies
5 Provisioning roles to users
6 Demo

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 9

Fusion Role Terminology

?
Application Role Job Role
Privilege
Entitlement
Data Role
Enterprise Role

Abstract Role
Policy
Duty Role
?

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 10

Fusion Roles Overview
• Job Role - represent the job that you hire a worker to perform. For e.g,
– Human Resource Analyst, Payroll Manager, Sales Representative
• Abstract Role - represent a worker's role independently of the job that you
hire the worker to do. For e.g,
– Employee, Line Manager, Resource
• Data Role - combine a worker's job and the data that users with the job
must access. For e.g,
– Payroll Administrator US, Human Resource Specialist R&D
• Duty Role - represent the individual duties that users perform as part of
their job. For e.g,
– Worker Duty, Sales Forecasting Duty
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 11
Fusion Roles Overview
Oracle Fusion Apps Oracle Identity Manager Authorization Policy
(OIM) Manager (APM)
Job Role Role External Role
Abstract Role Role External Role
Data Role Role External Role
Duty Role Application Role
Function Security Privilege Entitlement
Service/Taskflow etc. Resource
Database Table Database Resource
Data Security Privilege Action

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 12

Security Model Comparison

Fusion Applications E-Business Suite PeopleSoft

Data Role Responsibility Employee ID + Role

Job Role Top Level Menu Top Level Menu
Duty Role Sub Menu Role(s)
Privilege Form Function Permission Lists
Permission Executable Executable

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 13

Role Inheritance

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 14

Tools To Manage Fusion Roles

Role Tool
Job / Abstract Role Oracle Identity Manager (OIM)
Duty Role Authorization Policy Manager (APM)
Data Role (HCM) Fusion HCM UI / APM

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 15

Role Customization Scenario
• Show / Hide menu links
• Seeded Role has access more than needed
• Seeded Role has less access than needed
• Submenu / Links need to be hidden for a set of users
• Seeded Role does not meet Implementation objectives

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 16

Ways to Customize Roles

• Menu Customization
• Create New Custom Role (Recommended)

• Modify Seeded Role (Not Recommended) !

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 17

Menu Customization
• Show / Hide menu items at Site level
– Check / Uncheck “Rendered” property
• Show / Hide menu items at Role level
– Use EL Expression, #{securityContext.userInRole[‘<ROLE_CODE>']}
– E.g., #{securityContext.userInRole['PER_HUMAN_RESOURCE_MANAGER_JOB']}
– Multiple Roles can be entered as comma separated values
– For more details, refer doc:
• How to Conditionally Hide/Show a Global Menu Node (Doc ID 1438414.1)

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 18

New Custom Job Role
• Need: Menu Customization does not meet requirement
• Suggestion: Create New Custom Job Role
• Advantages:
– Seeded roles are intact
– Not overwritten by upgrades
• New Job Role created in OIM
• Duty Roles added to New Job Role via APM

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 19

New Custom Job Role - Steps
• Navigate to OIM via task “Manage Job Roles” from FSM

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 20

New Custom Job Role - Steps
• Create new Role via Administration => Create Role

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 21

New Custom Job Role - Steps
• Associate new Job Role with seeded and/or custom Application Roles in
APM

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 22

Modify Seeded Job Role
• Add / Remove duties from Job Role
• Advantage – easy to customize
• Disadvantages:
– Seeded functionality is lost
– Not easy to revert customizations
– Upgrades might override customizations

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 23

Modify Seeded Job Role - Steps
• Navigate to APM via task “Manage Duties” from FSM

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 24

Modify Seeded Job Role - Steps
• Search for External Role, open resultant Role
• Add / Remove Duty roles in “Application Role Mapping” tab

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 25

New Custom Application Role
• Always Create New Custom Application Role
• Advantages:
– Seeded roles are intact
– Not overwritten by upgrades
• Disadvantages:
– Complicated and error prone
– Role copy functionality not yet available
• New Application Role created and managed in APM

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 26

New Custom Application Role - Steps
• Navigate to APM via task “Manage Duties” from FSM
• Select stripe, then click on New Application Role and fill details

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 27

New Custom Application Role - Steps
• Add Duty Roles in Application Role Hierarchy tab

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 28

New Custom Application Role - Steps
• Add Entitlements via “Create Policy” button

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 29

New Custom Application Role - Steps
• Add Data Security Policies in “Data Security” tab

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 30

New Custom Application Role - Steps
• Add / Map Job Role in External Role Mapping tab

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 31

Modify Seeded Application Role
• Add / Remove Entitlements from Duty Role
• Advantage – easy to customize
• Disadvantages:
– Seeded role reference is lost
– Restoration of seeded role definition is difficult
• Refer below docs for details on Duties and Privileges Mapping
– Mapping Of Roles, Duties and Privileges in Fusion Applications (Doc ID 1460486.1)

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 32

Modify Seeded Application Role - Steps
• Navigate to APM via task “Manage Role Templates” from FSM
• Search for Application Role for a stripe, open resultant Role
• Add / Remove Duty role inheritance in “Application Role Heirarchy” tab
• Add / Remove Entitlements via Find Policies => “Functional Policies” tab
• Add / Modify Data Security Policy via Find Policies => “Data Security” tab

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 33

Modify Seeded Application Role - Steps

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 34

Modify Seeded Application Role - Steps

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 35

HCM Data Role - Steps
• Go to task "Manage Data Role and Security Profiles“ from FSM
• Enter New Data Role name and select Job Role
• For each object type, include only one security profile
• Create new Security Profile where needed
• Review and Submit

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 36

HCM Data Role - Steps

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 37

HCM Data Role - Steps

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 38

HCM Data Role - Steps

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 39

Modify Data Security Policies
• Navigate to APM via task “Manage Duties” from FSM
• Search for Application Role for a stripe, open resultant Role
• Add / Modify Data Security Policy via Find Policies => “Data Security” tab
• Modify Condition from Rule tab
• Choose Actions from Action tab

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 40

Modify Data Security Policies

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 41

Provision Roles to Users
• Roles can be provisioned to Users Automatically or on Request
• Define Role Mapping Rule via task “Manage HCM Role Provisioning Rules”
• Choose conditions
• Add Roles to definition and choose options (Auto-provision, Requestable,
Self-Requestable)
• Role Mapping Rules apply when User is created in FA
• Apply Auto-provision assigns the roles to all users who meet the condition

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 42

Provision Roles to Users

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 43

Live Demo

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

 Summary
What we covered today

• We learned on:
– Various roles in Fusion
– What Role name is called where
– Where to manage each role
– How to create new Job Role and Duty Role
– How to provision Role(s) to Users

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Helpful References
• Mapping Of Duty Roles To Top Level Menu Entries in Fusion Applications
(Doc ID 1459828.1)
• Mapping Of Roles, Duties and Privileges in Fusion Applications (Doc ID
1460486.1)
• How to Remove Menu Items in Fusion Applications using Menu Item
Customization (Doc ID 1550048.1)
• How to Conditionally Hide/Show a Global Menu Node (Doc ID 1438414.1)
• Creating Custom Roles in Fusion Applications CRM (Doc ID 1477072.1)
• Customizing Roles In Fusion Applications (Doc ID 1595864.1)

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 46

 Learn More
Available References and Resources to Get Proactive

 About Oracle Support Best Practices

www.oracle.com/goto/proactivesupport

 Get Proactive in My Oracle Support

https://support. oracle.com | Doc ID: 432.1

 My Oracle Support Blog

https://blogs.oracle.com/supportportal/

 Ask the Get Proactive Team

get-proactive_ww@oracle.com

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Q&A

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

 Accessing My Oracle Support Community
1. Via My Oracle Support -> Community 2. Directly – https://communities.oracle.com
Tab

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Where Can I Get The Slides From This Session?
1. PDF link from Doc ID 740966.1 (within 48 hours)
2. RAC/Scalability Community >Content Tab > Documents (within 24 hours)

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

 Session Related Community Links

 “The following thread will have a copy

of the presentation and can be used
for additional questions or discussions
on this topic.”

 https://community.oracle.com/thread/
3570481

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

 Oracle Advisor Webcast Program
Locating Current Schedule & Archived Recordings

From Note ID : 740966.1

drill down to your area
of interest

For us, Oracle Database

Access the DB page

directly via Note ID :
1455369.1

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

 Oracle Advisor Webcast Program
Locating Current Schedule & Archived Recordings For DB

Note:
 Click column headings to sort
 Hover on Webcast Title for more
information
 Recordings available within 48
hours
 Advisor Webcast Questions on a
webcast or ask questions via the
Questions? link

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

THANK YOU

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 55
Oracle Color Palette

Lights/Darks Accents and default chart color order

R 255 R 95 R 220 R 127 R 255 R 138 R 255 R 70 R 141 R 176

G 255 G 95 G 227 G 127 G0 G 19 G 119 G 87 G 166 G 195
B 255 B 95 B 228 B 127 B 0 B 59 B 0 B 94 B 177 B 200

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 56

Additional Resources

Oracle Corporate Photography Oracle Corporate Hardware Photography

my.oracle.com\site\mktg\creative\graphics\photography my.oracle.com/site/mktg/creative/Graphics/Photography/cnt1375391.htm

Academic Airline Analytics Application ATM

Oracle Corporate Icons Oracle Corporate Logos

my.oracle.com/site/mktg/creative/Graphics/Icons/index.html my.oracle.com/site/mktg/creative/Logos/index.html

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 57

AUDIO INFO – Join Teleconference

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Question and Answer Instructions

Q&A panel

3
Send your question
2
Ask: ALL PANELLIST leave default!

1
type your question here

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Question and Answer Instructions (cont)

your question pop-up here

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |