Value Set Getting The Session - Id or Person - Id

SELECT
"Employee"."Employee Login Name" saw_0,
"Employee"."Employee Email Address" saw_1,
"Employee"."Employee Name" saw_2,
"Sales Account Resource Facts"."# of Sales Account Resource Roles" saw_3
FROM
"Sales - CRM Sales Account Resource" WHERE "Employee"."Employee Login Name" =

VALUEOF(NQ_SESSION."USER")
select * from per_persons

where person_id = HRC_SESSION_UTIL.get_user_personid
Finding the FND_SESSION Session Cookie and Session ID for a Fusion Applications User
Session (Doc ID 1386367.1)
This document describes how to find the Session Cookie for your Fusion Applications
log in session so that this can be used to find information about this session in the
appropriate log files.
SOLUTION
Getting the session cookie in Mozilla Firefox
1. From the menu bar, select Tools -> Options.
2.
3. From the Options dialog, select the Privacy tab, and click the Show Cookies button.
4.
1. Note: If you do not have the "Show Cookies" button, use the "remove individual
cookies" link. Use caution not to accidentally delete this session cookie during
your session.
2.
5. In the Cookies dialog, enter FND_SESSION into the search field. The session cookie will
most likely be selected automatically. The cookie value is located in the Content field
after the string until the following colon. For the screenshots below, the session cookie
is 'f3HjveCx4L//CtSiVshxLftSSwxS2Foh9/bnatdxP/DU+7nIL+aDqvG+MqhxMeTA'
6.
7.
Getting the session cookie in Google Chrome
Follow the instructions in Google_Chrome_Oracle_Fusion_Session_Cookie.doc.
Getting the session cookie in Internet Explorer
1. Download and install the ieHTTPheaders add-

on: http://www.blunck.se/iehttpheaders.html
2. Start Internet Explorer.
3. From the menu bar, select Tools -> Display ieHTTPheaders
4.
5. Once you see the ieHTTPheaders panel, login to Fusion Applications.
6. In the ieHTTPheaders panel, locate FND_SESSION=DEFAULT_PILLAR in the cookie field.
The cookie value is immediately after it between two colons. In this example, the cookie
is 'fqnmDj3gO5ZpEKbNgAaBoZJliHKLx7BHUvJxP2Rc0ZxtFavp9PqMsbihNB3w6l56'
Note the X-ORACLE-DMS-ECID field. If you ever require an ECID value during
troubleshooting, a headers add-on for IE or Firefox will provide it.
7.
Using the Session Cookie to find the Session ID
If you are a Software-as-a-Service (SaaS) customer, the following section need not be
performed by you. Please log a Service Request in My Oracle Support for Oracle to do this for
you.
Fusion Applications concatenates the Session ID to the name of the trace file that is
created. Once you have found the Session Cookie using the instructions above, use the
Fusion Applications table FND_SESSION_ID to correlate this Session Cookie with the
Session ID.
1. From your SQL session, execute the following SQL statement:
SELECT * FROM FND_SESSIONS WHERE USER_GUID IN (SELECT USER_GUID

FROM PER_USERS WHERE USERNAME LIKE 'xyz@xyz.COM' ) and rownum<2 ORDER BY
LAST_UPDATE_DATE
2. An alternative is to run the following two SQL statements:

SELECT * FROM FND_SESSIONS WHERE SESSION_COOKIE = '<session
cookie>';
 The FND_SESSION value will appear in the results in the SESSION_ID column.

 NOTE: The Session Cookie often contains special characters that must be escaped in
your SQL session. In this case it may be easiest to wild card the SQL statement. For
example, with
session Cookie SiR4qwztzM/rXPtZ6Qc9QmXnjMm85DPQM+0xjlFUBmUnOT1wpkvW4SpfC
hoSoo0N, this SQL statement will find the Session ID:
SQL> select session_id, session_cookie

2 from fusion.fnd_sessions
3* where session_cookie like 'SiR4qwztzM%';
SESSION_ID
--------------------------------
SESSION_COOKIE
----------------------------------------------------------------
B4266AA48BAF081DE040F10AC5307302
SiR4qwztzM/rXPtZ6Qc9QmXnjMm85DPQM+0xjlFUBmUnOT1wpkvW4SpfChoSoo0N
After you assign a value set to a flexfield, you can use the following bind variables in
the WHERE clause.
 :{SEGMENT.segment_code}
This bind variable refers to the ID (if the value set is ID-validated) or value (if
not ID-validated) of a segment where segment_code identifies the segment. The
data type of the bind value is the same as the data type of the segment's
column.
The segment must have a sequence number that is less than the sequence
number of the segment with this bind variable. A matching segment must exist
in the current flexfield context.
This bind variable is useful when the set of valid values depends on the value in
another segment. For example, the values to select from a CITIES table might
depend upon the selected country. If SEGMENT1 contains the country value,
then the WHERE clause for the CITIES table might be country_code =
:{SEGMENT.SEGMENT1}.
 :{VALUESET.value_set_code}
This bind variable refers to the ID (if the value set is ID-validated) or value (if
not ID-validated) of the segment that is assigned to the value set that is
identified by the value_set_code. The data type of the bind value is the same as
the data type of the segment's column.
The segment must have a sequence number that is less than the sequence
number of the segment with this bind variable. If more than one segment is
assigned to the value set, the closest prior matching segment will be used to
resolve the bind expression. A matching segment must exist in the current
flexfield context.
This bind variable is useful when the set of valid values depends on the value in
another segment and that segment code can vary, such as when the value set is
used for more than one context or flexfield. For example, the values to select
from a CITIES table might depend upon the selected country. If the value set for
the segment that contains the country value is COUNTRIES, then the WHERE
clause for the CITIES table might be state_code = :{VALUESET.COUNTRIES}.
 :{FLEXFIELD.internal_code}
This bind variable refers to an internal code of the flexfield in which the value set
is used, or to a validation date. The internal_code must be one of the following:
o APPLICATION_ID — the application ID of the flexfield in which this value set

is used. The data type of APPLICATION_ID and its resulting bind value is
NUMBER.
o DESCRIPTIVE_FLEXFIELD_CODE — the identifying code of the flexfield in which
this value set is used. The data type of DESCRIPTIVE_FLEXFIELD_CODE and its
resulting bind value is VARCHAR2. Note that you use this string for both
descriptive and extensible flexfields.
o CONTEXT_CODE — the context code of the flexfield context in which this value
set is used. The data type of CONTEXT_CODE and its resulting bind value is
VARCHAR2.
o SEGMENT_CODE — the identifying code of the flexfield segment in which this
value set is used. The data type of SEGMENT_CODE and its resulting bind value
is VARCHAR2.
o VALIDATION_DATE — the current database date. The data type
of VALIDATION_DATE and its resulting bind value is DATE.
 :{PARAMETER.parameter_code}
This bind variable refers to the value of a flexfield parameter

where parameter_code identifies the parameter. The data type of the resulting bind
value is the same as the parameter's data type.
Note:
You cannot assign a table value set to a context segment if the WHERE clause uses
VALUESET.value_set_code or SEGMENT.segment_code bind variables.
Task: I
Hi SSW,
value sets are the wrong mechanism to approach this.
What you're looking for is probably page composer in combination with OTBI, or alternatively BI
Publisher.
In OTBI you can define parameters for a report, so you can filter it by person. When you embed an
OTBI analysis, or a OBIEE Dashboard into a fusion page, there should be an option within page
composer to send a long string of parameters to the report, which would include the person id. The
problem would be to fetch the correct person id. This must be done within page composer via
expression language. That's not always possible. Some pages have this information, others don't.
I haven't checked the Infolet page in detail, so I can't tell if it's possible there. Usually one of the
following may work:
#{bindings.PersonId.inputValue}
#{pageFlowScope.personId}
#{pageFlowScope.person_id}
...
Alternatively, if you use BI Publisher, you have another option, using the built-in functions to fetch
the current users username or person id when writing your SQL query:
HRC_SESSION_UTIL.get_userid and HRC_SESSION_UTIL.get_user_personid. You can't embed a BI
Publisher report into an Infolet though. If you add it to an OBIEE Dashboard, though, you can embed it into a
normal Fusion page. (bear in mind that the layout gets tricky in such cases).
As a third point, sometimes all this is not needed as BI Reports are driven by security. So depending on your
security setup many employees will only be allowed to see their own data anyway. Therefore by default the
analysis shows only themselves. However, this will fall apart the moment your user is also an HR Specialist or
a Line Manager.
Hope this makes sense.
Check out the following Blog with lots of guidance on page composer:
https://blogs.oracle.com/fadevrel/
Hope this helps
Micha
Thanks alot Micha.... your post was a lot of help.....

i actually got it done by using session variables in filters. HR_SEC_PERSON_ID____FUSN
was the variable which got it done....still testing on different employees.
Regards,
shaheryar
The 'WHERE clause' field on the Value Set definition is not populated. Therefore,
Fnd_Vs_Vt_Table_Ext.where_clause column is null for the record. As such, the following query
is not returning any rows in the Account Rule List of Values:
SELECT value_set_code flex_value_set_name,

value_set_id flex_value_set_id,
description,
DECODE(VALUE_DATA_TYPE,
'VARCHAR2',
DECODE(VALUE_SUBTYPE,
'TIME_HM', 'I',
'TIME_HMS', 'I',
'C'),
'NUMBER', 'N',
'DATE', 'X',
'TIMESTAMP', 'Y',
'C') format_type,
validation_type
FROM fnd_vs_value_sets f WHERE
validation_type = 'TABLE'
AND value_set_code NOT LIKE '$FLEX$%'
AND EXISTS (SELECT 'x' FROM fnd_vs_vt_table_ext t
WHERE t.value_set_id = f.value_set_id
AND t.id_column_name IS NULL
AND t.where_clause not like '$FLEX$') ODM Cause Determination
Can Search Results Be Restricted By Business Unit In Self Service Procurement ? (Doc
ID 2403434.1)
When performing a search in Manage Requisitions, seeded roles will return results that
match the search criteria across all Business Units (BU) regardless of the BU and Data
Security Privileges (DSP) set for the employee performing the search.
Organizations such as Police Forces or Hospitals may pool their back-office operations,
identifying themselves by BU.
As the search results include Name, Department, Job, Phone and E-Mail, this raises
data protection issues, GDPR being an example.
Is it then possible to restrict the results to only those of the BU of the employee
performing the search ?
SOLUTION
The results can be restricted by the using SQL in the Security Profile Custom Criteria
The following is a summary of the steps detailed in the document attached.
1. Duplicate the seeded Procurement Requester, Procurement Preparer, Advanced

Procurement Requester and Employee roles.
2. Create a custom person security profile.
3. Enter the following SQL in the Custom Criteria:
&TABLE_ALIAS.PERSON_ID IN ( SELECT PERSON_ID FROM PER_ALL_ASSIGNMENTS_M WHERE

BUSINESS_UNIT_ID IN ( SELECT business_unit_id FROM per_all_assignments_m AM WHERE
AM.person_id =(SELECT HRC_SESSION_UTIL.GET_USER_PERSONID FROM DUAL) AND trunc(sysdate)
between AM.effective_start_date and AM.effective_end_date AND
AM.EFFECTIVE_LATEST_CHANGE='Y' AND AM.PRIMARY_FLAG='Y' AND AM.ASSIGNMENT_STATUS_TYPE
IN ('ACTIVE', 'SUSPENDED') ) AND trunc(sysdate) between effective_start_date and
effective_end_date
AND EFFECTIVE_LATEST_CHANGE='Y' AND PRIMARY_FLAG='Y' AND ASSIGNMENT_STATUS_TYPE IN
('ACTIVE', 'SUSPENDED') )
Please Note
To ensure non-printable characters are not included, copy and paste the SQL in to MS
Notepad first and then copy and paste in to the Custom Criteria.
4. Assign the custom person security profile to the newly created Procurement
Requester and Employee Roles.
5. Remove the seeded Data Security Policies (DSP) from the new Procurement
Requester role.
6. Remove the seeded DSPs from the new Employee role.
7. Assign the new employee role to your users and remove the old employee role from
them.
Please Note
The seeded Procurement Preparer role inherits the Procurement Requester role.
Depending on the type of copy performed, when the custom Procurement Preparer role
is created, the custom role will still have the seeded Requester role or it would have
created a copy of the Requester role which is still fundamentally the same as the
seeded Procurement Requester role.
Remove the Procurement Requester role in the custom Procurement Preparer role and
replace it with the custom Procurement Requester role that was previously created.
Fusion Global HR - How to Create a Dynamic Data Role for Areas of Responsibility (AOR)
(Doc ID 2055989.1)
GOAL
If an employee's most recent work relationship falls outside the user's AOR, the user
should not see any of that employee's data
SOLUTION
This requirement can be achieved by using custom SQL in the Custom Criteria section
of the person security profile. For example:
EXISTS
(SELECT 1
FROM PER_ALL_ASSIGNMENTS_M ASG, PER_PERIODS_OF_SERVICE
PS, PER_ASG_RESPONSIBILITIES RES
WHERE ASG.ASSIGNMENT_TYPE IN ('E', 'C', 'N', 'P')
AND ASG.EFFECTIVE_LATEST_CHANGE = 'Y'
AND SYSDATE BETWEEN LEAST (SYSDATE, ASG.EFFECTIVE_START_DATE) AND
ASG.EFFECTIVE_END_DATE
AND PS.PERIOD_OF_SERVICE_ID = ASG.PERIOD_OF_SERVICE_ID
AND (ASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE', 'SUSPENDED')
OR (ASG.ASSIGNMENT_STATUS_TYPE IN ('INACTIVE')
AND NOT EXISTS
(SELECT 1
FROM PER_ALL_ASSIGNMENTS_M EXASG
WHERE EXASG.ASSIGNMENT_TYPE IN ('E', 'C', 'N', 'P')
AND EXASG.EFFECTIVE_LATEST_CHANGE = 'Y'
AND EXASG.PERSON_ID = ASG.PERSON_ID
AND SYSDATE BETWEEN LEAST (SYSDATE, EXASG.EFFECTIVE_START_DATE)
AND EXASG.EFFECTIVE_END_DATE
AND EXASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE', 'SUSPENDED')
)
AND PS.ACTUAL_TERMINATION_DATE = (SELECT
MAX (ALLPS.ACTUAL_TERMINATION_DATE) FROM PER_PERIODS_OF_SERVICE ALLPS
WHERE ALLPS.PERSON_ID = ASG.PERSON_ID AND
ALLPS.ACTUAL_TERMINATION_DATE IS NOT NULL)
))
AND SYSDATE BETWEEN RES.START_DATE AND NVL(RES.END_DATE, SYSDATE)
AND ASG.PERSON_ID = &TABLE_ALIAS.PERSON_ID
AND RES.PERSON_ID = HRC_SESSION_UTIL.GET_USER_PERSONID
AND RES.RESPONSABILITY_TYPE = 'HR_REP'
AND ASG.ORGANIZATION_ID = RES.ORGANIZATION_ID
)
NOTE: This SQL is provided as an example only, and must be fully tested before
implementing in a production environment.
Please review Note:1950731.1 Oracle Fusion Human Capital Management: Using

Dynamic Security Profiles for more information on setting up dynamic security profiles.
Oracle Fusion Human Capital Management: Using Dynamic Security Profiles (Doc ID
1950731.1)
ABSTRACT
This white paper explains how to set up dynamic security profiles. In dynamic security
profiles, you secure access to person records using custom criteria based on the user’s
areas of responsibility.
HISTORY
Date: 03-Dec-2014, Updated 14-Mar-2016
Author: Prashant Rajewar
Description: This white paper explains how to set up dynamic security profiles. In
dynamic security profiles, you secure access to person records using custom criteria
based on the user’s areas of responsibility.
DETAILS
In dynamic security profiles, you secure access to person records using custom criteria
based on the user’s areas of responsibility. This document describes how to use
dynamic security profiles to reduce the number of data roles and security profiles that
you have to manage. It provides example custom SQL for securing access to person
records based on several security dimensions, including organization, department, legal
employer, location, payroll, and manager hierarchy.
The file Example SQL Predicates for Dynamic Security Profiles.zip contains a separate
file for each example SQL predicate shown in the document Using Dynamic Security
Profiles. Copy and edit the contents of these files as required.
REFERENCES
NOTE:1504483.1 - All White Papers for Fusion Applications HCM

SOLUTION
1. Security works at the Person level, once access is granted to one assignment, user
will be able to access all assignments / work relationships. for this, is needed to be
added a special custom security predicates (custom security profile for searching
person) to override this behavior. These custom security profiles are not only for big
companies, but can be used for many different scenario for a company.
2. Use this SQL predicate to identify workers with assignments in a COUNTRY for which
the signed-in user has the Human Resources Representative responsibility if you have
employees in different countries:
EXISTS (SELECT 1 FROM PER_ALL_ASSIGNMENTS_M ASG,PER_PERIODS_OF_SERVICE

PS, PER_ASG_RESPONSIBILITIES RES WHERE
ASG.PERSON_ID=&TABLE_ALIAS.PERSON_ID AND ASG.ASSIGNMENT_TYPE
IN('E','C','N','P') AND ASG.EFFECTIVE_LATEST_CHANGE='Y' AND SYSDATE BETWEEN
LEAST(SYSDATE,ASG.EFFECTIVE_START_DATE) AND ASG.EFFECTIVE_END_DATE AND
PS.PERIOD_OF_SERVICE_ID=ASG.PERIOD_OF_SERVICE_ID AND
(ASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED') OR
(ASG.ASSIGNMENT_STATUS_TYPE IN ('INACTIVE') AND NOT EXISTS (SELECT 1 FROM
PER_ALL_ASSIGNMENTS_M EXASG WHERE EXASG.ASSIGNMENT_TYPE IN('E','C','N','P')
AND EXASG.EFFECTIVE_LATEST_CHANGE = 'Y' AND EXASG.PERSON_ID =
ASG.PERSON_ID AND SYSDATE BETWEEN
LEAST(SYSDATE,EXASG.EFFECTIVE_START_DATE) AND EXASG.EFFECTIVE_END_DATE
AND EXASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED') ) AND
PS.ACTUAL_TERMINATION_DATE = (SELECT
MAX(ALLPS.ACTUAL_TERMINATION_DATE) FROM PER_PERIODS_OF_SERVICE ALLPS
ALLPS.ACTUAL_TERMINATION_DATE IS NOT NULL) )) AND
RES.RESPONSIBILITY_TYPE='HR_REP' AND SYSDATE BETWEEN RES.START_DATE
AND NVL(RES.END_DATE,SYSDATE) AND RES.PERSON_ID= (SELECT
HRC_SESSION_UTIL.GET_USER_PERSONID FROM DUAL) AND
ASG.LEGISLATION_CODE=RES.COUNTRY );
or in a BUSINESS UNIT (it depends by your organization setup):

PS,PER_ASG_RESPONSIBILITIES RES WHERE ASG.ASSIGNMENT_TYPE IN('E','C','N','P')
AND ASG.EFFECTIVE_LATEST_CHANGE='Y' AND SYSDATE BETWEEN
ALLPS.ACTUAL_TERMINATION_DATE IS NOT NULL) )) AND SYSDATE BETWEEN
RES.START_DATE AND NVL(RES.END_DATE,SYSDATE) AND
ASG.PERSON_ID=&TABLE_ALIAS.PERSON_ID AND RES.PERSON_ID=(SELECT
RES.RESPONSIBILITY_TYPE='HR_REP' AND
ASG.BUSINESS_UNIT_ID=RES.BUSINESS_UNIT_ID )
NOTE:
This fragment restricts access to persons based on the:
a. Responsibility type
b. Business unit
c. Area of responsibility from date
d. Effective dates of the worker's assignment
IMPORTANT: If you create data roles for specific data instance sets, then the number of
data roles in the enterprise may grow quickly. This growth can make maintaining data
roles difficult and lead to serious performance problems. You're recommended to plan
your use of data roles and minimize their number by using dynamic security profiles
wherever possible.
Please review the document: Fusion Global HR: HR Specialist Data Security No Longer
Working (Doc ID 2103268.1) and retest the issue for Business Unit.
Countries See All Employees Instead Of Only The People In Their Own Country
SYMPTOMS
Data security has been configured using a custom criteria, which should restrict
affected users to only see departments with a specific location code. However, users
can see people in all departments.
The issue can be reproduced at will with the following steps:

1. Setup and maintenance > Data Roles and Security - define custom security profile.
2. Assign this role to a suitable employee
3. Login as that employee, Person Management > Search. Observe that employees
from all departments can be seen.
CAUSE
This issue is caused by a setup error - the custom data role inherits the Human
Resources Specialist job role. That role has "View All" access, so the user is not
restricted in their data access. Secured access is evaluated based on all the roles
assigned (direct as well as indirect roles) to the user.
SOLUTION
To resolve this issue, there are alternative options;
(a) Create a more restrictive custom job role

1. Create new data role based on a more restricted job role (e.g. a custom job role that
emulates the HR Specialist job role)
2. Assign this data role to your employees
3. Revoke the existing custom job role, and assign the newly created custom job role.
(b) Revoke the security on the Human Resource Specialist, so that it has no access:
Once a security profile has been assigned to data role , there is no easy way to remove
the data security. The only reliable way to do is that to create a set of Custom dummy
"View None" security profiles. Assign them to the data role 'Human Resource Specialist'.
Once all 'View None' security profiles have been assigned, disable them by unchecking
'Enable' . This would counter effect the security profiles assigned to the role.
Please follow these steps to implement this solution

1. Navigate to Set up & Maintenance .
2. Search for 'Manage Organization Security Profile' (As an example)
3. Create a Custom Security Profile called 'View None'.
4. Assign relevant criteria. Click 'Save and Close'
5. Create similar custom security profiles for 'Manage Position Security Profile','Manage
Country Security Profile','Manage LDG Security Profile','Manage Person Security
Profile','Manage Person Security
Profile','Manage Document Type Security Profile', 'Manage Payroll Security
Profile','Manage Flow Pattern Security Profile','Manage Flow Pattern Security Profile'
6. Navigate to 'Manage Data Role sand Security Profiles'
7. Search for role 'Human resource specialist'. Click 'Assign'
8. Assign all the above created 'View None' security profiles to appropriate options.
8. Navigate to 'Manage Organization Security Profile' (As an example)
9. Search for ''View None'.
10. De-Select 'Enable' . Click 'Save and Close'
11. Repeat step 10 for all the 'View None' security profiles created above.
12. This unchecking of 'Enable' checkbox would revoke the security access given to the
Job Role 'Human Resource Specialist'
To retest:
Log in as a restricted employee, and ensure only the data you expect is seen.
HR Specialist Data Security No Longer Working (Doc ID 2103268.1)
SYMPTOMS
Data security is set up so that specific HR Managers see only those employees within
their own business unit. This is no longer working and when performing a search the
HR Managers can now only see their own record.
CAUSE
Areas of responsibility were changed to use Location and the custom criteria on the
data role setup is set up to secure by Areas of Responsibility by business unit.
SOLUTION
The below custom criteria indicates that Areas of Responsibility are being used to
determine the responsible business unit. The Areas of Responsibility need to include
Business Unit. If an HR manager is responsible for multiple business units, multiple
areas of responsibility records can be set up.
1. Navigator>Person Management
2. Search and Select an HR Manager (or applicable person)
3. Select the Manage Areas of Responsibility task
4. Highlight the Areas of Responsibility record and click the Edit icon
5. Select the applicable Business Unit
6. Click Submit
Custom Person Profile criteria (Manage Data Role and Security Profiles)
On Person Profile, add custom criteria

EXISTS
(SELECT 1
FROM PER_ALL_ASSIGNMENTS_M ASG,PER_PERIODS_OF_SERVICE
PS,PER_ASG_RESPONSIBILITIES RES
WHERE ASG.ASSIGNMENT_TYPE IN('E','C','N','P')
AND ASG.EFFECTIVE_LATEST_CHANGE='Y'
AND SYSDATE BETWEEN LEAST(SYSDATE,ASG.EFFECTIVE_START_DATE) AND
AND PS.PERIOD_OF_SERVICE_ID=ASG.PERIOD_OF_SERVICE_ID
AND (ASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED')
AND NOT EXISTS
(SELECT 1
WHERE EXASG.ASSIGNMENT_TYPE IN('E','C','N','P')
AND SYSDATE BETWEEN LEAST(SYSDATE,EXASG.EFFECTIVE_START_DATE) AND
EXASG.EFFECTIVE_END_DATE
AND EXASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED')
)
))
AND SYSDATE BETWEEN RES.START_DATE AND NVL(RES.END_DATE,SYSDATE)
AND ASG.PERSON_ID=&TABLE_ALIAS.PERSON_ID
AND RES.PERSON_ID=(SELECT HRC_SESSION_UTIL.GET_USER_PERSONID FROM
DUAL)
AND RES.RESPONSIBILITY_TYPE='HR'
AND ASG.BUSINESS_UNIT_ID=RES.BUSINESS_UNIT_ID
)
How to restrict data based on Legal Employer in Fusion HCM? (Doc ID 2022319.1)
SOLUTION
1) In Manage Organization Security profiles, create two security profiles :
i) UK Organization
ii) US Organization
In each. under Organization List section, choose the appropriate Legal Employer from
the List and save.
2) In Manage Person Security Profile, create two person security profiles:
i) UK People
ii) US People
In each, check Secure by Legal Employer, and Pull in the Org profile created in 1) for
the respective legal employers, and save
3) In Manage Data Role and Security Profile, Create two data roles based on Inherited
Job Role, Human Resource Specialist:
i) UK HR Specialist Data Role

ii) US HR Specialist Data Role
Navigate to the Eligibility Criteria for each data role, and pull in the security profiles as
follows:
Organization
Pull in respective Organization Security Profile created in 1
Person (Professional User)
Pull in respective Person Security Profile created in 2

All other profiles can remain View All including Public Person
Continue on and submit the transaction to recompile the data role policies.
Then assign the data roles to the appropriate users
Delegation Allowed Option In Manage Data Roles And Security Profiles Screen (Doc ID
2123893.1)
GOAL
What is the signification of "Delegation Allowed" when we create data roles on "Manage
Data Roles and Security Profiles" screen
SOLUTION
If the Delegation Allowed is checked then the user who has that role can delegate those
rights to someone else for a period of time in case of leave, personal time off, medical
situations, etc.
Here are directions to delegating a role to another user.
1. Make sure the Role you are delegating is available to be delegated.

Navigator>Tools>Setup and Maintenance>Manage Data Role and Security
Profiles>Create Data Role......at the first stage (Data Role) there is a box named
Delegation Allowed that needs to be checked.
2. Delegating a Role
Navigator>My Information>My Account
In the Roles and Approvals Delegated to Others section, select the role to delegate, the
dates for the delegation, and the proxy user.
For more details you can consult the following document:

User Impersonation or Role Delegation in Oracle Fusion HCM (Doc ID 2058693.1)
User Impersonation or Role Delegation in Oracle Fusion HCM (Doc ID 2058693.1)
PURPOSE
The purpose of this document is to explain the difference between the two proxy
methods, and which one is supported in Oracle Fusion Human Capital Management
SCOPE
This document will be of interest to all those people administering Oracle Fusion
Human Capital Management
DETAILS
The Oracle Applications Cloud Using Common Features guide, which you can access in
the Oracle Help Center at https://docs.oracle.com/en/ , includes a section entitled
Proxies: Explained
in the Preferences chapter. This section explains how you can designate another user
as your proxy. The proxy user can sign in and perform application tasks as if he, or she
were you.
This feature is known as User Impersonation.
The User Impersonation feature (which you manage by

selecting Set Preferences - Proxies) is not enabled for any Oracle HCM Cloud
role. It can be enabled on request, but its use isn’t
recommended. My Oracle Support note Document 1375999.1 describes how customers
can enable User Impersonation without contacting Oracle Support, but this information
does not apply
to Oracle HCM Cloud customers. User impersonation allows a proxy user uncontrolled
access to the personal data of the impersonated user. The proxy user acquires all of
that user’s roles,
which is dangerous if you use employee self-service.
Instead, customer's are recommended to use Role Delegation. This feature allows you
to delegate individual roles to named users for a specified period. Role delegation is
described in the
Securing Oracle HCM Cloud guide, which is available in the Oracle Help Center at the
above link. Navigate to Cloud -> Applications -> Global Human Resources Cloud, then
click on the Secure
link on the left, and Create HCM Data Roles. In the Contents area on the left, under the
section Creating HCM Data Roles, there are sections entitled Role Delegation: Explained
and Enabling Role
Delegation:Explained which go through how to implement this functionality.
Fusion Apps OTBI - Payroll - Element Entries Real Time Subject Area Data Security - "
Element" Folder Not Returning Data (Doc ID 1608963.1)
SYMPTOMS
Fusion HCM custom business intelligence BI analysis - no data returned
Within the "Payroll - Element Entries Real Time" subject area the "Element" Folder is
not returning any information.
Including any attribute in the folder into an analysis results in No Results being
displayed even though there must be data to display e.g. I can write a report starting
with the "Element Entry Value"."Displayed Input Value" and "Input Value"."Input Value
Name" which returns hundreds of rows with Salary, pensions and allowance type data
however as soon as I add the "Element"."Element Name" field or any other field from
the folder it returns no records.
I am using the HCM.USER user and have access to all the data as far as I can tell
across all the subject areas so I don't this is a security issue.
A fact column is required however, even after testing with a Fact column this was not
resolved.
SELECT 0 s_0, "Payroll - Element Entries Real Time"."Element Entry Value"."Displayed

Input Value" s_1, "Payroll - Element Entries Real Time"."Input Value"."Input Value
Name" s_2 FROM "Payroll - Element Entries Real Time"
ORDER BY 1, 3 ASC NULLS LAST, 2 ASC NULLS LAST FETCH FIRST 65001 ROWS ONLY
/* QUERY_SRC_CD='rawSQL' */ ]] [2013-12-13T14:45:53.000+00:00]
[OracleBIServerComponent] [TRACE:2] [USER-23] [] [ecid:
004vMi4u5ov33F15Rvo2yd0006Ip00029m,0:2:1:1:3] [tid: 46147940] [requestid:
e5880019] [sessionid: e5880000] [username: HCM.USER] -------------------- General
Query Info: [[ Repository: Star, Subject Area: Core, Presentation: Payroll - Element
Entries Real Time ]] [2013-12-13T14:45:53.000+00:00] [OracleBIServerComponent]
[TRACE:2] [USER-18] [] [ecid: 004vMi4u5ov33F15Rvo2yd0006Ip00029m,0:2:1:1:5]
[tid: 46147940] [requestid: e5880019] [sessionid: e5880000] [username: HCM.USER] -
------------------- Sending query to database named HCM_OLTP (id: <>), connection
pool named Connection Pool, logical request hash 6e7af08e, physical request hash
80c20d49: [[ WITH SAWITH0 AS (select T1503195.C259192899 as c1,
T1503195.C364350096 as c2 from (SELECT V152000763.SCREEN_ENTRY_VALUE AS
C259192899, InputValueTranslationPEO.NAME AS C364350096,
InputValueTranslationPEO.LANGUAGE AS C168602675,
V152000763.ELEMENT_ENTRY_VALUE_ID AS PKA_ElementEntryValueId0,
V152000763.EFFECTIVE_START_DATE AS PKA_EffectiveStartDate0,
V152000763.EFFECTIVE_END_DATE AS PKA_EffectiveEndDate0,
InputValueTranslationPEO.INPUT_VALUE_ID AS PKA_InputValueTranslationPEOI0
FROM PAY_ELEMENT_ENTRY_VALUES_F V152000763, PAY_INPUT_VALUES_F
V525814381, PAY_INPUT_VALUES_TL InputValueTranslationPEO WHERE
V525814381.INPUT_VALUE_ID = InputValueTranslationPEO.INPUT_VALUE_ID AND
V152000763.INPUT_VALUE_ID = V525814381.INPUT_VALUE_ID AND ( (
(InputValueTranslationPEO.LANGUAGE = 'US' ) ) ) AND ( DATE'2013-12-13' BETWEEN
V152000763.EFFECTIVE_START_DATE AND V152000763.EFFECTIVE_END_DATE))
T1503195) select D1.c1 as c1, D1.c2 as c2, D1.c3 as c3 from ( select distinct 0 as c1,
D1.c1 as c2, D1.c2 as c3 from SAWITH0 D1 order by c3, c2 ) D1 where rownum >),
connection pool named Connection Pool, logical request hash 6e7af08e, physical
request hash 446448e4: [[ BEGIN
fnd_session_mgmt.attach_session('ED6C6550D09D82CBE0436710C10A7CE6'); END; ]]
[2013-12-13T14:45:53.000+00:00] [OracleBIServerComponent] [TRACE:2] [USER-18]
[] [ecid: 004vMi4u5ov33F15Rvo2yd0006Ip00029m,0:2:1:1:5:1] [tid: 41554940]
[requestid: e5880019] [sessionid: e5880000] [username: HCM.USER] --------------------
Sending query to database named HCM_OLTP (id: <>), connection pool named
Connection Pool, logical request hash 6e7af08e, physical request hash d90563e6: [[
BEGIN fnd_session_mgmt.detach_session; END; ]] [2013-12-13T14:45:53.000+00:00]
004vMi4u5ov33F15Rvo2yd0006Ip00029m,0:2:1:2] [tid: 46147940] [requestid:
e5880019] [sessionid: e5880000] [username: HCM.USER] --------------------
Query Status: Successful Completion [[ ]] [2013-12-13T14:45:53.000+00:00]
e5880019] [sessionid: e5880000] [username: HCM.USER] --------------------
Rows 432, bytes 255744 retrieved from database query id: <> [[ ]] [2013-12-
13T14:45:53.000+00:00] [OracleBIServerComponent] [TRACE:2] [USER-28] [] [ecid:
e5880019] [sessionid: e5880000] [username: HCM.USER] -------------------- Physical
query response time 0 (seconds), id <> [[ ]] [2013-12-13T14:45:53.000+00:00]
Query Summary Stats: Number of physical queries 1, Cumulative time 0, DB-connect
time 0 (seconds) [[ ]] [2013-12-13T14:45:53.000+00:00] [OracleBIServerComponent]
[TRACE:2] [USER-24] [] [ecid: 004vMi4u5ov33F15Rvo2yd0006Ip00029m,0:2:1:2] [tid:
46147940] [requestid: e5880019] [sessionid: e5880000] [username: HCM.USER] -------
------------- Rows returned to Client 432 [[ ]] [
SELECT
0 s_0,
"Payroll - Element Entries Real Time"."Element Entry Value"."Displayed Input Value"
s_1,
"Payroll - Element Entries Real Time"."Element"."Element Name" s_2,
"Payroll - Element Entries Real Time"."Input Value"."Input Value Name" s_3
FROM "Payroll - Element Entries Real Time"
ORDER BY 1, 2 ASC NULLS LAST, 4 ASC NULLS LAST, 3 ASC NULLS LAST
FETCH FIRST 65001 ROWS ONLY
/* QUERY_SRC_CD='rawSQL' */
]]
[] [ecid: 004vMiDOx0N33F15Rvo2yd0006Ip0002Ul,0:2:1:1:3] [tid: 46046940]
General Query Info: [[
Repository: Star, Subject Area: Core, Presentation: Payroll - Element Entries Real Time
]]
[] [ecid: 004vMiDOx0N33F15Rvo2yd0006Ip0002Ul,0:2:1:1:5] [tid: 46046940]
Connection Pool, logical request hash 8035f1e4, physical request hash eb2f729: [[
WITH
SAWITH0 AS (select T1503195.C259192899 as c1,
T1503195.C461953723 as c2,
T1503195.C364350096 as c3
from
(SELECT V152000763.SCREEN_ENTRY_VALUE AS C259192899,
V476371178.ELEMENT_NAME AS C461953723, V525814381.NAME AS C364350096,
V476371178.LANGUAGE500 AS C309140230, V476371178.LANGUAGE716 AS
C413000491, V525814381.LANGUAGE AS C168602675,
V152000763.ELEMENT_ENTRY_VALUE_ID AS PKA_ElementEntryValueId0,
V152000763.EFFECTIVE_START_DATE AS PKA_EffectiveStartDate0,
V152000763.EFFECTIVE_END_DATE AS PKA_EffectiveEndDate0,
V525814381.INPUT_VALUE_ID1 AS PKA_InputValueTranslationPEOI0,
V476371178.ELEMENT_TYPE_ID1 AS PKA_ElementTypeTranslationPEO0,
V476371178.CLASSIFICATION_ID1 AS PKA_ElementClassificationTran0 FROM (SELECT
ElementEntryValueDPEO.CREATED_BY, ElementEntryValueDPEO.CREATION_DATE,
ElementEntryValueDPEO.EFFECTIVE_END_DATE,
ElementEntryValueDPEO.EFFECTIVE_START_DATE,
ElementEntryValueDPEO.ELEMENT_ENTRY_VALUE_ID,
ElementEntryValueDPEO.INPUT_VALUE_ID,
ElementEntryValueDPEO.LAST_UPDATE_LOGIN,
ElementEntryValueDPEO.LAST_UPDATE_DATE,
ElementEntryValueDPEO.LAST_UPDATED_BY,
ElementEntryValueDPEO.OBJECT_VERSION_NUMBER,
ElementEntryValueDPEO.SCREEN_ENTRY_VALUE FROM
PAY_ELEMENT_ENTRY_VALUES_F ElementEntryValueDPEO WHERE ( DATE'2013-12-13'
BETWEEN ElementEntryValueDPEO.EFFECTIVE_START_DATE AND
ElementEntryValueDPEO.EFFECTIVE_END_DATE)) V152000763, (SELECT
InputValueDPEO.INPUT_VALUE_ID, InputValueDPEO.EFFECTIVE_END_DATE,
InputValueDPEO.EFFECTIVE_START_DATE, InputValueDPEO.ELEMENT_TYPE_ID,
InputValueTranslationPEO.INPUT_VALUE_ID AS INPUT_VALUE_ID1,
InputValueTranslationPEO.LANGUAGE, InputValueTranslationPEO.NAME FROM
PAY_INPUT_VALUES_F InputValueDPEO, PAY_INPUT_VALUES_TL
InputValueTranslationPEO WHERE InputValueDPEO.INPUT_VALUE_ID =
InputValueTranslationPEO.INPUT_VALUE_ID AND ( DATE'2013-12-13' BETWEEN
InputValueDPEO.EFFECTIVE_START_DATE AND
InputValueDPEO.EFFECTIVE_END_DATE)) V525814381, (SELECT
ElementTypeDPEO.ELEMENT_TYPE_ID, ElementTypeDPEO.EFFECTIVE_END_DATE,
ElementTypeDPEO.EFFECTIVE_START_DATE,
ElementTypeTranslationPEO.ELEMENT_NAME, ElementTypeTranslationPEO.LANGUAGE
AS LANGUAGE500, ElementTypeTranslationPEO.ELEMENT_TYPE_ID AS
ELEMENT_TYPE_ID1, ElementClassificationTransPE.CLASSIFICATION_ID AS
CLASSIFICATION_ID1, ElementClassificationTransPE.LANGUAGE AS LANGUAGE716
FROM PAY_ELEMENT_TYPES_F ElementTypeDPEO, PAY_ELEMENT_TYPES_TL
ElementTypeTranslationPEO, PAY_ELE_CLASSIFICATIONS ElementClassificationPVO,
PAY_ELE_CLASSIFICATIONS_TL ElementClassificationTransPE WHERE
(ElementTypeDPEO.ELEMENT_TYPE_ID =
ElementTypeTranslationPEO.ELEMENT_TYPE_ID AND
ElementTypeDPEO.CLASSIFICATION_ID =
ElementClassificationPVO.CLASSIFICATION_ID AND
ElementClassificationPVO.CLASSIFICATION_ID =
ElementClassificationTransPE.CLASSIFICATION_ID AND ( DATE'2013-12-13' BETWEEN
ElementTypeDPEO.EFFECTIVE_START_DATE AND
ElementTypeDPEO.EFFECTIVE_END_DATE)) AND ((1=2))) V476371178 WHERE
V152000763.INPUT_VALUE_ID = V525814381.INPUT_VALUE_ID AND
V525814381.ELEMENT_TYPE_ID = V476371178.ELEMENT_TYPE_ID AND ( (
(V525814381.LANGUAGE = 'US' ) ) AND ( (V476371178.LANGUAGE716 = 'US' ) ) AND (
(V476371178.LANGUAGE500 = 'US' ) ) )) T1503195)
select D1.c1 as c1, D1.c2 as c2, D1.c3 as c3, D1.c4 as c4 from ( select distinct 0 as c1,
D1.c1 as c2,
D1.c2 as c3,
D1.c3 as c4
from
SAWITH0 D1
order by c2, c4, c3 ) D1 where rownum
]]
[] [ecid: 004vMiDOx0N33F15Rvo2yd0006Ip0002Ul,0:2:1:1:5:2] [tid: 4260c940]
Connection Pool, logical request hash 8035f1e4, physical request hash 446448e4: [[
BEGIN fnd_session_mgmt.attach_session('ED6C6550D09D82CBE0436710C10A7CE6');
END;
]]
[] [ecid: 004vMiDOx0N33F15Rvo2yd0006Ip0002Ul,0:2:1:1:5:2] [tid: 4260c940]
Connection Pool, logical request hash 8035f1e4, physical request hash d90563e6: [[
BEGIN fnd_session_mgmt.detach_session; END;
]]
[] [ecid: 004vMiDOx0N33F15Rvo2yd0006Ip0002Ul,0:2:1:2] [tid: 46046940] [requestid:
e5880021] [sessionid: e5880000] [username: HCM.USER] -------------------- Query
Status: Successful Completion [[
]]
e5880021] [sessionid: e5880000] [username: HCM.USER] -------------------- Rows 1,
bytes 32772 retrieved from database query id: SQLBypass Gateway [[
]]
query response time 0 (seconds), id SQLBypass Gateway [[
]]
e5880021] [sessionid: e5880000] [username: HCM.USER] -------------------- Rows 0,
bytes 0 retrieved from database query id: <> [[
]]
query response time 0 (seconds), id <> [[
]]
Query Summary Stats: Number of physical queries 2, Cumulative time 0, DB-connect
time 0 (seconds) [[
]]
e5880021] [sessionid: e5880000] [username: HCM.USER] -------------------- Rows
returned to Client 0 [[
CAUSE
Bug 18138158 - OTBI - PAYROLL - ELEMENT ENTRIES REAL TIME SUBJECT AREA -
WHAT ROLES ARE NEEDED
The user should have been assigned Payroll Manager Data role.
Hierarchy will be:
1)Payroll Manager Data Role (Data Role, this should inherit Job role)
2)Payroll Manager Job Role (JOB role, this inherits necessary Payroll
Transaction Analysis Duty role automatically)
3) Transactional Business Intelligence Worker ( DUTY role)
4) Business Intelligence Application Worker ( DUTY role)
Note: The specified Roles will give access to OTBI Payroll reporting ONLY and will not
impact access to the data outside of OTBI.
SOLUTION
Bug 18138158 - OTBI - PAYROLL - ELEMENT ENTRIES REAL TIME SUBJECT AREA -
WHAT ROLES ARE NEEDED
Data Security Profiles, is a HCM specific concept where HCM Security Administrators
must create "Data Roles" which are then assigned to the User
enabling him/her to access a specific set of data.
As verified, both Payroll Manager and Payroll Admin "Job roles" are assigned to the
user.
However this is incorrect for HCM, where the Data Role (which inherits the Job Role) is
assigned to the User
As currently set up in this environment: User assigned to Job Role

Needed: User is assigned to Data Role WHICH
is associated to Data Security Profile(s) AND ALSO inherits the required Job Role
1. Legislative Data Group Security Profiles must be set up for your implementation
(Menu -> Setup and Maintenance -> Search for Manage Legislative Data Group
Security Profiles -> Create a new profile and add all the Legislative Data Groups for
which the user intends to see the data via BI Analysis).
2. Create a new Data Role for Payroll Manager OR Payroll Admin (this Data Role must
inherit the Payroll Manager OR Payroll Admin Job Role)
3. Associate the Legislative Data Group Security Profiles to the new Data Role
4. Assign the Data Role to the User INSTEAD OF the Job Role
3) Transactional Business Intelligence Worker ( DUTY role)
4) Business Intelligence Application Worker ( DUTY role)
Fusion Global HR: HR Specialist Data Security No Longer Working (Doc ID 2103268.1)
SYMPTOMS
Data security is set up so that specific HR Managers see only those employees within
their own business unit. This is no longer working and when performing a search the
HR Managers can now only see their own record.
CAUSE
Areas of responsibility were changed to use Location and the custom criteria on the
data role setup is set up to secure by Areas of Responsibility by business unit.
SOLUTION
The below custom criteria indicates that Areas of Responsibility are being used to
determine the responsible business unit. The Areas of Responsibility need to include
Business Unit. If an HR manager is responsible for multiple business units, multiple
areas of responsibility records can be set up.
1. Navigator>Person Management
2. Search and Select an HR Manager (or applicable person)
3. Select the Manage Areas of Responsibility task
4. Highlight the Areas of Responsibility record and click the Edit icon
5. Select the applicable Business Unit
6. Click Submit
Custom Person Profile criteria (Manage Data Role and Security Profiles)
On Person Profile, add custom criteria

EXISTS
(SELECT 1
FROM PER_ALL_ASSIGNMENTS_M ASG,PER_PERIODS_OF_SERVICE
PS,PER_ASG_RESPONSIBILITIES RES
WHERE ASG.ASSIGNMENT_TYPE IN('E','C','N','P')
AND ASG.EFFECTIVE_LATEST_CHANGE='Y'
AND SYSDATE BETWEEN LEAST(SYSDATE,ASG.EFFECTIVE_START_DATE) AND
AND PS.PERIOD_OF_SERVICE_ID=ASG.PERIOD_OF_SERVICE_ID
AND (ASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED')
AND NOT EXISTS
(SELECT 1
WHERE EXASG.ASSIGNMENT_TYPE IN('E','C','N','P')
AND SYSDATE BETWEEN LEAST(SYSDATE,EXASG.EFFECTIVE_START_DATE) AND
EXASG.EFFECTIVE_END_DATE
AND EXASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED')
)
))
AND SYSDATE BETWEEN RES.START_DATE AND NVL(RES.END_DATE,SYSDATE)
AND ASG.PERSON_ID=&TABLE_ALIAS.PERSON_ID
AND RES.PERSON_ID=(SELECT HRC_SESSION_UTIL.GET_USER_PERSONID FROM
DUAL)
AND RES.RESPONSIBILITY_TYPE='HR'
AND ASG.BUSINESS_UNIT_ID=RES.BUSINESS_UNIT_ID
Fusion Global HR: Data Role not working as it should for HR Specialist (Doc ID
2098916.1)
GOAL
You created a new Data role that should show data associated with the following Legal
Employers which are all US based. However, when you run a test on the role
provisioning, you are still able to view UK employees. The user being tested has 2 roles
(e.g.: HR Spec X and Employee). This user can access a record that technically he
shouldn't be able to see because it doesn't sit in the Legal Employers that the data role
should be restricting access to.
SOLUTION
1. Security works at the Person level, once access is granted to one assignment, user
will be able to access all assignments / work relationships.
For this, is needed to be added a special custom security predicates (custom security
profile for searching person) to override this behavior. These custom security profiles
are not only for big companies, but can be used for many different scenario for a
company.
2. Use this SQL predicate to identify workers with assignments in a COUNTRY for which
the signed-in user has the Human Resources Representative responsibility (please
review also HCM_Using_Dynamic_Security_Profiles.pdf) if you have employees in
different countries:

PS, PER_ASG_RESPONSIBILITIES RES WHERE
ASG.PERSON_ID=&TABLE_ALIAS.PERSON_ID AND ASG.ASSIGNMENT_TYPE
IN('E','C','N','P') AND ASG.EFFECTIVE_LATEST_CHANGE='Y' AND SYSDATE BETWEEN
ALLPS.ACTUAL_TERMINATION_DATE IS NOT NULL) )) AND
RES.RESPONSIBILITY_TYPE='HR_REP' AND SYSDATE BETWEEN RES.START_DATE
AND NVL(RES.END_DATE,SYSDATE) AND RES.PERSON_ID= (SELECT
ASG.LEGISLATION_CODE=RES.COUNTRY );
or in a BUSINESS UNIT (it depends by your organization setup):

PS,PER_ASG_RESPONSIBILITIES RES WHERE ASG.ASSIGNMENT_TYPE IN('E','C','N','P')
ALLPS.ACTUAL_TERMINATION_DATE IS NOT NULL) )) AND SYSDATE BETWEEN
ASG.PERSON_ID=&TABLE_ALIAS.PERSON_ID AND RES.PERSON_ID=(SELECT
RES.RESPONSIBILITY_TYPE='HR_REP' AND
ASG.BUSINESS_UNIT_ID=RES.BUSINESS_UNIT_ID )
NOTE:
This fragment restricts access to persons based on the:
a. Responsibility type
b. Business unit
c. Area of responsibility from date
d. Effective dates of the worker's assignment
IMPORTANT: If you create data roles for specific data instance sets, then the number of
data roles in the enterprise may grow quickly. This growth can make maintaining data
roles difficult and lead to serious performance problems. You're recommended to plan
your use of data roles and minimize their number by using dynamic security profiles
wherever possible.
Person Security Profile For Accessing Employees Who Do Have Any Payroll Relationships
Attached (Doc ID 2354421.1)
GOAL
We have a requirement in the Security wherein HR user-1 from XCorp entity should be
able to view the employees who have payroll relationship called "Regular Payroll".
We are able to achieve this by creating a custom role of the HR Specialist role and
assign Person Security profile based on AOR.
In "Secure by AOR" option, which is available in the Person Security Profile page, we
select scope of restriction as "Payroll" and also assign the same AOR type to the HR
user and specify the AOR scope as the actual Payroll i.e XCorp Regular Payroll.
With above security setup, HR user-1 can access XCorp Regular payroll's Employee
records in Person management and do not get to see "Confidential Payroll" employees
but the issue that HR user-1 is unable to access employees who are not attached to any
Payroll.
Tried to modify the Person Security Profile and selected Secure by Custom criteria and
used Custom criteria SQL predicate above but it does not fetch employees without
payroll relationship.
Simple Test Example (how the application behaves):

Assigning Payroll Representative AOR (Area Of Responsibility) for HR users.
Assigning the Payroll Representative to a HR user and then in the scope of restriction
having selected the Payroll name for which the HR user needs to have access to.
As such, -- HR user can now access employees who are assigned to the above selected
Payroll -- type > however, -- the requirement is to also show the employees who are
Not assigned to any Payroll --....
SOLUTION
The Solution (the way to address the situation / explaining why):

What you are seeing in Testing Example, with current configuration options, is expected
behavior.
Like with any other criteria on the security profile, when access is defined using specific
criteria like one based on assignment based attributes (in this case Payroll) , we look for
qualifying records which satisfy those conditions.
This filters out any records where that assignment attribute itself is null. In some cases
that would be expected thing to do. To do what you want in this case scenario, would
require custom SQL.
Simplified Logic:
1) Copy the sql predicate that has been generated for the existing Payroll
Representative AOR security profile from the SQL preview page in the Person Security
Profile;
2) Create a new Person Security Profile which would be secured by SQL criteria but not
AOR. Paste the SQL predicate from the previous AOR security profile and extend the
custom SQL so that it includes workers who are Not assigned to a Payroll.
Conclusion (custom SQL):

SQL predicate Query for accessing - specific Payroll employees (based on AOR) plus
showing employee with No Payroll (note LEGAL ENTITY cause is also added)
(EXISTS(SELECT 1 FROM PER_ALL_ASSIGNMENTS_M ASG,PER_PERIODS_OF_SERVICE

PS,PER_ASG_RESPONSIBILITIES RES WHERE
ASG.ASSIGNMENT_TYPE IN('E','C','P','N')
AND EXASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED')) AND
ALLPS.ACTUAL_TERMINATION_DATE IS NOT NULL))) AND SYSDATE BETWEEN
ASG.PERSON_ID=&TABLE_ALIAS.PERSON_ID
AND RES.PERSON_ID=(SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1)
FROM DUAL) AND RES.RESPONSIBILITY_TYPE='PAY_REP'
AND ASG.LEGAL_ENTITY_ID=RES.LEGAL_ENTITY_ID
AND (EXISTS(SELECT 1 FROM PAY_REL_GROUPS_DN
PASG,PAY_ASSIGNED_PAYROLLS_DN PAPD WHERE
PASG.ASSIGNMENT_ID=ASG.ASSIGNMENT_ID
AND PASG.GROUP_TYPE='A' AND
PAPD.PAYROLL_TERM_ID=PASG.PARENT_REL_GROUP_ID
AND SYSDATE BETWEEN PAPD.START_DATE AND PAPD.END_DATE AND
PAPD.PAYROLL_ID=RES.PAYROLL_ID)
OR not exists
(SELECT 1 FROM PAY_REL_GROUPS_DN PASG
,PAY_ASSIGNED_PAYROLLS_DN PAPD
WHERE PASG.ASSIGNMENT_ID=ASG.ASSIGNMENT_ID
AND PASG.GROUP_TYPE='A'
AND PAPD.PAYROLL_TERM_ID=PASG.PARENT_REL_GROUP_ID
AND SYSDATE BETWEEN PAPD.START_DATE
AND PAPD.END_DATE ) )) OR
((SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL) =
&TABLE_ALIAS.PERSON_ID) )
Organization Security Profile Exclusion Not Working (Doc ID 2380073.1)
GOAL
How to create Organization security profile with 2 organizations excluded?
SOLUTION
1. Go to Manage Person Security Profile.

2. Click on Create.Provide the Name and description.
3. Under the Custom Criteria section, check the Secure by Custom Criteria and provide
the below SQL:
EXISTS (
(
SELECT 1
FROM per_all_assignments_m a
WHERE a.assignment_type IN ('E',
'C',
'N',
'P')
AND a.effective_latest_change='Y'
AND trunc(sysdate) BETWEEN a.effective_start_date AND a.effective_end_date
AND a.person_id=&table_alias.person_id
AND (
a.person_id <>
(
SELECT nvl(hrc_session_util.get_user_personid,-1)
FROM dual)
AND ((
a.assignment_id IS NOT NULL
AND EXISTS
(
SELECT 1
FROM hr_all_organization_units_f houf
WHERE a.legal_entity_id = houf.organization_id
AND trunc(sysdate) BETWEEN houf.effective_start_date AND houf.effective_end_date
AND (
EXISTS
(
SELECT 1
FROM hr_org_unit_classifications_f hoc
WHERE houf.organization_id = hoc.organization_id
AND hoc.classification_code IN ('HCM_LEMP')
AND trunc(sysdate) BETWEEN hoc.effective_start_date AND hoc.effective_end_date)
AND houf.organization_id NOT IN ('300000XXXXXXXXX'))))))))
Please Note: This is a sample SQL created to exclude 1 Legal Employer. You may
modify the SQL as per your requirement and provide the right organization id.
4. Click on Next, Save and close.

5. Go to Manage Data Role and Security Profiles.
6. Click on create, Provide the Name and Inherited job role - Human Resource
Specialist.
7. On the Security Criteria, select View All for all types of criteria except under Person -
> Person Security Profile. Please provide the profile created in the above step.
8. Click on Review and Submit.
9. Assign this newly created Data role to the user and also ensure that there are no
other roles assigned to the user which provides him access to the data which is being
excluded in this profile.
Fusion Core HR: How Can We create a Security Profile that Restricts Employee Data As
Per Organization Tree? (Doc ID 2147112.1)
GOAL
How can we built a Security profile that can restrict the employee data as per
organization hierarchy (using organization tree), excluding a specific department?
SOLUTION
When creating the organization tree, make sure you add the specific department (the
one you want to have it excluded from the visibility) in it as well, and exclude the
department only when creating the organization security profile.
You can set the data as following:
1. Create Organization Tree and include the department you need to exclude the
visibility from.
2. Audit and Flatten the rows for this Organization Tree (see details in Note:1308940.1 -
Case Study: How to Set Up an Organization Tree, and link to a Calendar Event?).
3. In the Organization security profile select the Organization Tree recently created, and
in the Organizations section, select "Exclude" and add the department you need to
exclude.
4. In the Person Security Profile, Workforce Structures section choose "Secure by

Department" and add the profile recently created.
5. When adding the security profile to the Data role:
-> in the Organization section choose the profile you created (it should also check the
"Secure by Organization Hierarchy" and "Secure by Organization List").
-> in the Person section, choose the profile you created (it should also check the
"Secure by Department" option)
-> in the Public Person section, choose the security profile you created (it should also
check the "Secure by Department" option)
Security Profile Based On An Organization Hierarchy Does Not Exclude Organizations As

Expected (Doc ID 1465313.1)
SYMPTOMS
A custom data role was created, with the intention of excluding employees in a specific
organization. A profile based
on an organization tree was created excluding the organization , and this was assigned
to the data role.
The role was assigned to a user but when logged on and using the search in Person
Management, the user could still
see employees in the excluded organization.
CAUSE
There were two issues here.
1. When assigning security criteria to the data role in the Manage Data Role and Security
Profile UI, it is the Person data that
required to be restricted. On the Security Criteria screen , the Organization Section is for
the Organization UIs like Manage
Departments. The Person section controls data available in person searches.
2. The organization tree itself which is the basis for the Organization Security profile needs
to be Active and Row Flattened.
See Note:1308940.1 steps 8,9,10
SOLUTION
1. Create an Organization Tree, make Active, and Row Flatten

2. Create a Profile using Manage Organization Security Profile UI.
Tick Secure by Organization Hierarchy, and enter tree created in 1 above, and Top
Organization.
Tick Secure by Organization List section and exclude organization in the tree as
required.
3. Create a Person Security profile. Tick Secure by Business Unit and select the
organization profile created in 2 above.
4. Create a data role in the Manage Data Role and Security Profile UI , and when assigning
security criteria
choose the Person Security Profile created in 3 above in Person section, then submit.
5. Assign the data role to a user
Data Access For Line Manager
SYMPTOMS
On : 11.1.11.1.0 version, Global Human Resources in Saas Environment
ACTUAL BEHAVIOR
-----------------------------
The data access for the custom line manager is limited by setting up the Person and
Public Person security profiles as "View Manager Hierarchy" .
The Line Manager is able to search for all the employees on Person Gallery.(Search and
Organization Chart)
EXPECTED BEHAVIOR
-------------------------------
Line Manager should be able to search only for his direct reports.
STEPS
-------------
The issue can be reproduced at will with the following steps:
1. Login to Fusion Applications as Line Manager.
2. Navigate to Person Gallery.
3. Search for one his direct reports.
4. The result includes other employees as well.(Not only the direct report)
BUSINESS IMPACT
----------------------------
The issue has the following business impact:
The issue is on production POD.This is very critical as this is impacting Go Live.
CAUSE
The cause of the issue has been determined as mismatch of data security for inherited
role.
EVIDENCE OF CAUSE
---------------------------------
The impacted employees were having the inherited role
'INB_LINE_MANAGER_SELF_SERVICE_DATA_HCM_CUSTOM'.
SUPPORT OF CONCLUSION
-----------------------------------------
The data security for the inherited role was different from the custom Line Manager and
Employee roles.
REFERENCES
--------------------
Bug 26021554 - DATA ACCESS FOR LINE MANAGER
SOLUTION
To implement the solution, executed the following steps:

---------------------------------------------------------------------------
1. Log into Fusion Applications.
2. Navigate to Setup and Maintenance work area.
3. Search for Manage Data Roles and Security Profile.
4. Search for the custom Line Manager role and make the Person and Public person
security profile as 'View Manager Hierarchy'
5. If the Line Manager as any another roles,search for the data roles and limit the data
access same as that of the Line Manger role.
Approval Condition Based On Worker's Line Manager Hierarchy (Doc ID 2315508.1)
GOAL
Approval condition based on worker's line manager hierarchy
SOLUTION
This Functionality Request has been handled in ER Bug 26681038.
This will be considered for a future release.
Oracle makes every effort to listen to you, the customer, and shape our products
accordingly. Although we are unable to follow-up directly or implement all new
functionality requests, we do review and prioritize these requests on a regular basis.
Selected new functionality will be implemented in subsequent releases based on a
number of factors, including feedback from the Product Advisory Council (PAC). If you
have any questions or believe this is not an Enhancement Request functionality, please
contact me at your earliest convenience.
Generally ER get reviewed and considered by Fusion Development for a future release.
It will remain open until it is either incorporated into the product, or it is deemed not
feasible. Due to the fact that this decision can occur over an extended period of time,
this originating SR will be inactivated and the ER will thus need to be monitored via My
Oracle Support).
You can refer KM document "How To Monitor Bugs And Enhancement Requests Via My
Oracle Support" (Doc ID 841907.1) to monitor the same.
Can't Assign A Line Manager To An Employee (Doc ID 1568820.1)
Table Validated Value Sets Not Populated In Value Set Rule Type List of To
Values (Doc ID 1591312.1) Bottom
In this Document
Symptoms
Cause
Solution
References
APPLIES TO:
Oracle Fusion Subledger Accounting - Version 11.1.5.0.0 to 11.1.8.0.0 [Release 1.0]

Oracle Fusion Subledger Accounting Cloud Service - Version 11.1.5.0.0 and later
Information in this document applies to any platform.
SYMPTOMS
While trying to create an Account Rule in Subledger Accounting using a table validated value
set, the value set is not available in the List of Values
1. Navigate to Define Subledger Accounting Methods from within your implementation project
2. Go to Task
3. Expand the task - Define Subledger Accounting Methods
4. Go to 'Manage Account Rules'
5. Click create icon
6. Enter desired values and select 'Value set' on Rule Type drop down.
The table-validated value set is not available in the List of Values
CAUSE
The 'WHERE clause' field on the Value Set definition is not populated. Therefore,
Fnd_Vs_Vt_Table_Ext.where_clause column is null for the record. As such, the following
query is not returning any rows in the Account Rule List of Values:
SELECT value_set_code flex_value_set_name,

value_set_id flex_value_set_id,
description,
DECODE(VALUE_DATA_TYPE,
'VARCHAR2',
DECODE(VALUE_SUBTYPE,
'TIME_HM', 'I',
'TIME_HMS', 'I',
'C'),
'NUMBER', 'N',
'DATE', 'X',
'TIMESTAMP', 'Y',
'C') format_type,
validation_type
FROM fnd_vs_value_sets f WHERE
validation_type = 'TABLE'
AND value_set_code NOT LIKE '$FLEX$%'
AND EXISTS (SELECT 'x' FROM fnd_vs_vt_table_ext t
WHERE t.value_set_id = f.value_set_id
AND t.id_column_name IS NULL
AND t.where_clause not like '$FLEX$') ODM Cause Determination
When the WHERE field on the Value Set definition is populated with a value, for instance 1 =
1, the column will not be null and the Table Validated value sets are seen in the Account Rule
List of Values
SOLUTION
This fix for this issue is currently scheduled to be included in Release 11.1.9.0.0
The following procedure can be implemented to resolve the problem until then:
Log in to Fusion Applications with user with access to Functional Setup Manager
1. Navigate to Setup and Maintenance

2. Find task 'Manage Value Sets', Go to Task
3. Search for the desired Value Set, Edit
4. In the Definition section, the 'WHERE clause' field is blank. Enter 1 =1 and Save
6. Exit this task
5. Navigate to Define Subledger Accounting Methods from within your implementation project
6. Go to Task
7. Expand the task - Define Subledger Accounting Methods
8. Go to 'Manage Account Rules'
9. Click create icon
10. Enter desired values and select 'Value set' on Rule Type drop down.
11. The List of Values will now display the table-validated value set
How To Create Value Sets Where One Segment Is Dependent On The Previous Segment Selection
May 20, 2010 Shivmohan Purohit Oracle Functional$FLEX$, dependent value set, value set
1 Votes
How to create value sets so that one segment is dependent on the previous segment selection?
Example of $FLEX$ Syntax Here is an example of using :$FLEX$.Value_Set_Name to set up value sets
where one
segment depends on a prior segment that itself depends on a prior segment ("cascading
dependencies"). Assume you have a three-segment flexfield where the first segment is car
manufacturer, the second segment is car model, and the third segment is car color. You could limit your
third segment’s values to only include car colors that are available for the car specified in the first two
segments. Your three value sets might be defined as follows:
Segment Name Manufacturer
Value Set Name Car_Maker_Name_Value_Set
Validation Table CAR_MAKERS
Value Column MANUFACTURER_NAME
Description Column MANUFACTURER_DESCRIPTION
Hidden ID Column MANUFACTURER_ID
SQL Where Clause (none)
Segment Name Model
Value Set Name Car_Model_Name_Value_Set
Validation Table CAR_MODELS
Value Column MODEL_NAME
Description Column MODEL_DESCRIPTION
Hidden ID Column MODEL_ID
SQL Where Clause WHERE MANUFACTURER_ID =
:$FLEX$.Car_Maker_Name_Value_Set
Segment Name Color

Value Set Name Car_Color_Name_Value_Set
Validation Table CAR_COLORS
Value Column COLOR_NAME
Description Column COLOR_DESCRIPTION
Hidden ID Column COLOR_ID
SQL Where Clause WHERE MANUFACTURER_ID =
:$FLEX$.Car_Maker_Name_Value_Set AND
MODEL_ID = :$FLEX$.Car_Model_Name_Value_Set
In this example, MANUFACTURER_ID is the hidden ID column and
MANUFACTURER_NAME is the value column of the Car_Maker_Name_Value_Set value set. The Model
segment uses the hidden ID column of the previous value set, Car_Maker_Name_Value_Set, to compare
against its WHERE clause. The end user never sees the hidden ID value for this example.

Value Set Getting The Session - Id or Person - Id

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Value Set Getting The Session - Id or Person - Id

Uploaded by

Copyright:

Available Formats

SELECT

"Employee"."Employee Login Name" saw_0,

"Employee"."Employee Email Address" saw_1,

"Employee"."Employee Name" saw_2,

"Sales Account Resource Facts"."# of Sales Account Resource Roles" saw_3

"Sales - CRM Sales Account Resource" WHERE "Employee"."Employee Login Name" =

select * from per_persons

Getting the session cookie in Mozilla Firefox

1. From the menu bar, select Tools -> Options.

Getting the session cookie in Google Chrome

Follow the instructions in Google_Chrome_Oracle_Fusion_Session_Cookie.doc.

Getting the session cookie in Internet Explorer

1. Download and install the ieHTTPheaders add-

Using the Session Cookie to find the Session ID

1. From your SQL session, execute the following SQL statement:

SELECT * FROM FND_SESSIONS WHERE USER_GUID IN (SELECT USER_GUID

2. An alternative is to run the following two SQL statements:

SQL> select session_id, session_cookie

o APPLICATION_ID — the application ID of the flexfield in which this value set

This bind variable refers to the value of a flexfield parameter

value sets are the wrong mechanism to approach this.

Hope this helps

Thanks alot Micha.... your post was a lot of help.....

SELECT value_set_code flex_value_set_name,

The following is a summary of the steps detailed in the document attached.

1. Duplicate the seeded Procurement Requester, Procurement Preparer, Advanced

2. Create a custom person security profile.

3. Enter the following SQL in the Custom Criteria:

&TABLE_ALIAS.PERSON_ID IN ( SELECT PERSON_ID FROM PER_ALL_ASSIGNMENTS_M WHERE

6. Remove the seeded DSPs from the new Employee role.

Please review Note:1950731.1 Oracle Fusion Human Capital Management: Using

Date: 03-Dec-2014, Updated 14-Mar-2016

Author: Prashant Rajewar

NOTE:1504483.1 - All White Papers for Fusion Applications HCM

EXISTS (SELECT 1 FROM PER_ALL_ASSIGNMENTS_M ASG,PER_PERIODS_OF_SERVICE

or in a BUSINESS UNIT (it depends by your organization setup):

EXISTS (SELECT 1 FROM PER_ALL_ASSIGNMENTS_M ASG,PER_PERIODS_OF_SERVICE

The issue can be reproduced at will with the following steps:

To resolve this issue, there are alternative options;

(a) Create a more restrictive custom job role

Please follow these steps to implement this solution

HR Specialist Data Security No Longer Working (Doc ID 2103268.1)

On Person Profile, add custom criteria

1) In Manage Organization Security profiles, create two security profiles :

2) In Manage Person Security Profile, create two person security profiles:

i) UK HR Specialist Data Role

Pull in respective Organization Security Profile created in 1

Person (Professional User)

Pull in respective Person Security Profile created in 2

Then assign the data roles to the appropriate users

1. Make sure the Role you are delegating is available to be delegated.

For more details you can consult the following document:

The User Impersonation feature (which you manage by

Fusion HCM custom business intelligence BI analysis - no data returned

SELECT 0 s_0, "Payroll - Element Entries Real Time"."Element Entry Value"."Displayed

Hierarchy will be:

As currently set up in this environment: User assigned to Job Role

On Person Profile, add custom criteria

EXISTS (SELECT 1 FROM PER_ALL_ASSIGNMENTS_M ASG,PER_PERIODS_OF_SERVICE

or in a BUSINESS UNIT (it depends by your organization setup):

EXISTS (SELECT 1 FROM PER_ALL_ASSIGNMENTS_M ASG,PER_PERIODS_OF_SERVICE

Simple Test Example (how the application behaves):

The Solution (the way to address the situation / explaining why):