
Fusion Security Profiles

Ramesh Pillai
Roles in Fusion Applications
Role-Based Access Control
Security in Oracle Fusion Applications is role-based, where roles control WHO can
do WHAT on WHICH data.

– Who is a role assigned to a user.
– What is a function that users with the role can perform.
– Which Data is the set of data that users with this role can access when performing
this function.

Users are assigned roles, through which they gain access to functions and data.
Users can have any number of roles.

Some of the predefined HCM Roles are:

•Employee
•Contingent Worker
•Benefits Manager, Benefits Administrator, Benefit Specialist
•Compensation Manager, Compensation Administrator, Compensation Specialist
•Human Resource Manager, Analyst, Specialist and VP
•Line Manager
•Payroll Manager, Administrator
We make experts - http://apps2fusion.com
Role Types
Oracle Fusion HCM defines four types of roles:

–Abstract Role: This role categorizes the roles for reference implementation. It
inherits duty roles but does not contain security policies. For example: Employee,
Manager, etc.
–Job Role: This role defines a specific job an employee is responsible for. An
employee may have many job roles. It may require the data role to control the
actions of the respective objects. For example: Benefits Manager, Accounts
Receivable Specialist, etc.
–Data Role: This role defines access to the data within a specific duty: who can do
what on which set of data. The possible actions are read, update, delete, and
manage. Only duty roles hold explicit entitlement to the data. These entitlements
control privileges such as which screens, buttons, data columns, and other artifacts
a user can see in the user interface.
–Duty Role: This role defines a set of tasks. It is the most granular form of a role.
The job and abstract roles inherit duty roles. The data security policies are specified
to duty roles to control actions on all respective objects.



Role Inheritance

Each role is a hierarchy of other roles:

•HCM data roles inherit job or abstract roles.

•Job and abstract roles inherit duty roles.

•Duty roles can inherit other duty roles.
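
The three inheritance rules above, modelled as an added example (not part of the original slides): it flags inheritance links that break those rules and resolves the duty roles a role ultimately carries. The duty-role names and the "Benefits Manager - US" data role are hypothetical; Benefits Manager and Employee are the predefined roles named earlier.

```python
from dataclasses import dataclass, field

# Role types that each role type may inherit, per the three rules above.
ALLOWED_PARENTS = {
    "data": {"job", "abstract"},
    "job": {"duty"},
    "abstract": {"duty"},
    "duty": {"duty"},
}

@dataclass
class Role:
    name: str
    kind: str                      # "data", "job", "abstract" or "duty"
    inherits: list = field(default_factory=list)

def hierarchy_violations(roles):
    """Return (child, parent) pairs that break the inheritance rules."""
    bad = []
    for role in roles.values():
        for parent_name in role.inherits:
            parent = roles[parent_name]
            if parent.kind not in ALLOWED_PARENTS[role.kind]:
                bad.append((role.name, parent.name))
    return bad

def effective_duties(roles, start):
    """Walk the hierarchy from `start` and collect every duty role reached."""
    seen, stack, duties = set(), [start], set()
    while stack:
        name = stack.pop()
        if name in seen:           # guards against cycles between duty roles
            continue
        seen.add(name)
        role = roles[name]
        if role.kind == "duty":
            duties.add(name)
        stack.extend(role.inherits)
    return duties

# Constructed sample hierarchy; duty-role names are hypothetical.
ROLES = {r.name: r for r in [
    Role("Benefits Manager - US", "data", ["Benefits Manager"]),
    Role("Benefits Manager", "job", ["Benefits Plan Management Duty"]),
    Role("Benefits Plan Management Duty", "duty", ["Benefits Reporting Duty"]),
    Role("Benefits Reporting Duty", "duty"),
    Role("Employee", "abstract", ["Worker Self-Service Duty"]),
    Role("Worker Self-Service Duty", "duty"),
    Role("Misbuilt Data Role", "data", ["Benefits Reporting Duty"]),  # invalid
]}
```

Resolving the effective duties of a data role before assigning it shows everything the role grants through inheritance, not only what its name suggests.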



Role Inheritance: Example



Role Provisioning
Why Role Provisioning?
Once we create a person record, only a user ID and password are created for that user.
The created user has no access to any function or data in the application. To
give the user access to the application's functions and data, we must provision abstract
and data roles to them. There are three ways to provision roles to users:

–Auto Provision: roles are provisioned by default for the qualified users.
–Requestable: roles can be provisioned to the users by other users.
–Self Requestable: roles can be provisioned on request by the users themselves.

These methods are controlled by role mapping.

What is role mapping?

Role mapping provisions roles to users based on certain conditions. In technical
terms, it is an association between a set of conditions and one or more job, abstract,
and data roles.
Auto Provisioning of Roles

Role provisioning occurs automatically if:

–At least one of the user's assignments matches all role-mapping conditions.
–We select the Auto provision option for the role in the role mapping.

Automatic provisioning of roles to users is a request to Oracle Identity
Management to provision the role.
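
The matching rule above, as an added example that is not part of the original slides: a role mapping applies only when a single assignment satisfies every condition, so conditions cannot be met piecemeal across two assignments. The attribute names, values, and mapping names are constructed assumptions, not Oracle field names.

```python
from dataclasses import dataclass

@dataclass
class RoleMapping:
    name: str
    conditions: dict   # assignment attribute -> required value
    roles: dict        # role name -> provisioning options selected for it

def matches(mapping, assignment):
    """True only if this single assignment satisfies every condition."""
    return all(assignment.get(k) == v for k, v in mapping.conditions.items())

def provisioning_outcome(mappings, assignments):
    """Group roles from matching mappings by the option selected for them."""
    out = {"auto": set(), "requestable": set(), "self_requestable": set()}
    for mapping in mappings:
        # At least one assignment must match ALL of the mapping's conditions.
        if any(matches(mapping, a) for a in assignments):
            for role, options in mapping.roles.items():
                for option in options:
                    out[option].add(role)
    return out

# Constructed sample data; attribute names and values are assumptions.
MAPPINGS = [
    RoleMapping("Active employees",
                {"person_type": "Employee", "status": "Active"},
                {"Employee": {"auto"}}),
    RoleMapping("US line managers",
                {"business_unit": "US Sales", "is_manager": True},
                {"Line Manager": {"auto"},
                 "Compensation Manager": {"requestable"}}),
]
# One user, two assignments: neither alone is both "US Sales" and a manager.
SPLIT_USER = [
    {"person_type": "Employee", "status": "Active",
     "business_unit": "US Sales", "is_manager": False},
    {"person_type": "Employee", "status": "Active",
     "business_unit": "UK Sales", "is_manager": True},
]
US_MANAGER = [
    {"person_type": "Employee", "status": "Active",
     "business_unit": "US Sales", "is_manager": True},
]
```

For `SPLIT_USER` only Employee is auto-provisioned, while `US_MANAGER` also receives Line Manager; reviewing mappings this way helps catch conditions that are broader than intended.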

Steps to create Role Mapping for Auto Provisioning:

•Log in to Fusion Applications and go to Navigator -> Tools -> Setup &
Maintenance.
•Go to Implementation Projects -> click on Project -> expand Workforce
Deployment -> Manage HCM Role Provisioning Rules. Click on the Task icon.
•Once you click on this task, the Manage Role Mapping page appears.
Click on the Create button.
•In the Create Role Mapping UI, provide the mapping details.


HCM Security Profiles
Most Oracle Fusion HCM data is secured by means of HCM security profiles.
HCM security profiles are an Oracle Fusion HCM feature; they are not used by other
Oracle Fusion Applications.
A security profile identifies a set of data of a single type, such as persons or
organizations.
We assign security profiles to abstract and data roles to identify the data instances
that users with those abstract and data roles can access.
In EBS a responsibility has one security profile that identifies all secured data
(persons, organizations, and so on) that the user can access via that responsibility. In
Oracle Fusion HCM, we use a separate security profile for each object type (one for
managed persons, one for organizations, and so on).



HCM Secured Objects
We can create security profiles for the following HCM object types:
–Person
  –Managed person
  –Public person
–Organization
–Position
–Legislative data group (LDG)
–Country
–Document type
–Payroll
–Payroll flow

Unless you grant access to these objects, users cannot access them.



Grant Access to HCM Secured Objects
To grant access to HCM secured business objects:

Security Criteria in HCM Security Profiles:


In a security profile, we specify the criteria that identify data instances of the relevant type.
For example, in an organization security profile, we can identify organizations by
organization hierarchy, classification, or name. All criteria in a security profile apply. For
example, if we identify organizations by both organization hierarchy and classification, then
only organizations that satisfy both criteria belong to the data instance set.

Security Profile Creation:
We can create security profiles either individually or while creating an HCM data role. For
standard requirements, it's more efficient to create the security profiles individually and include
them in appropriate HCM data roles.
To create security profiles individually, use the relevant security profile task. For example, to
create a position security profile, use the task Manage Position Security Profiles
(Navigator -> Tools -> Setup and Maintenance -> Manage Position Security Profiles).

Reusability and Inheritance of Security Profiles

We can include security profiles in other security profiles. For example, you can include an
organization security profile in a:
–Person security profile, to secure person records by department, business unit, or legal
employer
–Position security profile, to secure positions by department or business unit

One security profile inherits the data instance set defined by another.



Predefined HCM Security Profiles



Organization Security Profiles
An organization security profile includes criteria that identify a set of
organizations.
Users need access to organizations either because they manage their
definitions or because they perform tasks where lists of organizations are
presented to them.
We can identify organizations by any combination of:
–Organization Hierarchy
–Organization Classification
–Organization Name
Organizations must satisfy all of the criteria in the security profile to belong
to its data instance set.
Go to Manage Organization Security Profile > Manage Organization
Security Profiles page > Create Organization Security Profile



Position Security Profile
A position security profile includes criteria that identify a set of positions.

Users need access to positions because they either manage position definitions or
perform tasks where lists of positions are presented to them.
We can identify positions by any combination of:
–Position Hierarchy
–Department
–Business Unit
–Position Name
To identify the departments and business units, we select existing organization
security profiles: the position security profile inherits the data instance sets of the
selected organization security profiles.
Go to Manage Position Security Profile > Manage Position Security Profiles page >
Create Position Security Profile to create it.
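
How the criteria and inheritance described for organization and position security profiles combine, as an added example that is not part of the original slides: every criterion set on an organization profile narrows its data instance set, and a position profile inherits that set to decide which positions it covers. The organizations, positions, and class names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: organization -> (classification, parent).
ORGS = {
    "US Corp": ("Legal Employer", None),
    "US Marketing": ("Department", "US Corp"),
    "US Finance": ("Department", "US Corp"),
    "UK Ltd": ("Legal Employer", None),
    "UK Marketing": ("Department", "UK Ltd"),
}
POSITIONS = {  # constructed: position -> department
    "US Marketing Analyst": "US Marketing",
    "UK Marketing Director": "UK Marketing",
}

def subtree(top):
    """`top` and all organizations below it (including `top` is an assumption)."""
    found = {top}
    for name, (_, parent) in ORGS.items():
        if parent == top:
            found |= subtree(name)
    return found

@dataclass
class OrgProfile:
    hierarchy_top: Optional[str] = None
    classification: Optional[str] = None
    names: Optional[set] = None
    def instance_set(self):
        """Organizations meeting every criterion that is set (criteria are ANDed)."""
        result = set(ORGS)
        if self.hierarchy_top:
            result &= subtree(self.hierarchy_top)
        if self.classification:
            result &= {n for n, (c, _) in ORGS.items() if c == self.classification}
        if self.names:
            result &= self.names
        return result

@dataclass
class PositionProfile:
    departments: OrgProfile  # the included organization security profile
    def instance_set(self):
        """Positions whose department is in the inherited data instance set."""
        depts = self.departments.instance_set()
        return {p for p, d in POSITIONS.items() if d in depts}

US_POSITIONS = PositionProfile(
    OrgProfile(hierarchy_top="US Corp", classification="Department"))
```

Because the position profile inherits the organization profile's set, widening the organization profile later also widens every profile that includes it.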


Person Security Profile
A person security profile includes criteria that identify one or more person records.
Users access person records either because they need to update them (for
example, because they manage those people) or because they need to contact those
people. We create separate person security profiles for each of these purposes.
You can identify person records by any combination of:
–Person Type
–Manager Hierarchy
–Workforce Structure
–Global-name range
–Custom criteria
Go to Manage Person Security Profile > Manage Person Security Profiles page >
Create Person Security Profile to create a new person security profile.



Document Type Security Profile

A document type security profile includes criteria that identify one or more
locally defined document types.
Users need access to document types because they either manage the
definitions of those document types or need to access instances of those
document types in the person records to which they have access.
We identify one or more document types by:
–Name
–An indication of whether to include or exclude those document types



Legislative Data Group Security Profile
A legislative data group security profile includes the names of one or more
legislative data groups.
Users need access to legislative data groups mainly because they manage their
definitions. If a user is responsible for all legislative data group definitions in the
enterprise, use the predefined security profile View All Legislative Data Groups.



Country Security Profiles
A country security profile includes the names of one or more countries.
A country security profile determines which countries appear in lists of countries
presented to the user. Use the predefined security profile View All Countries
unless you want to limit the list.



Tips for Customizing Security Profile
The following recommendations apply to all types of HCM security profiles:

•HCM security profiles are reusable. During implementation, create HCM security
profiles for standard sets of business objects in the enterprise, such as all legal
employers, all workers in a legal employer, all positions in a position hierarchy, and
individual legislative data groups.

•Use the predefined security profiles wherever appropriate.

•Define a naming scheme that identifies clearly the set of business objects in the
security profile's data instance set, such as HCM US Departments or US Marketing
Positions. Security profile names must be unique in the enterprise for the security
profile type.



Manage HCM Data Roles
Job roles and abstract roles inherit duty roles, which define what users with those
job and abstract roles can do.
To give users access to actual HCM data instances, we need to create HCM data
roles. All data roles combine a job or abstract role with a set of data; HCM data roles
combine a job or abstract role with a set of HCM data.
Because data is specific to the enterprise, no predefined data roles exist.
Go to Manage Data Role and Security Profiles > Manage HCM Data Roles page >
Create Data Role: Select Role

Data Roles - Creation
To identify instances of each HCM business object, we can either:
–Select an existing HCM security profile.
–Create a new HCM security profile.
If we select existing security profiles in all regions, we can click Review to review
the new HCM data role; otherwise, click Next to proceed with creating new security profiles.



Assign Security Profiles to Job or Abstract Role
As an alternative to creating an HCM data role that inherits a job role, you can
assign HCM security profiles directly to job and abstract roles without creating a
separate HCM data role. In this case, any user with the job or abstract role can access
the data identified in the HCM security profiles.
This approach is commonly used to provide abstract roles, such as employee, with access to
HCM business objects, such as the worker's own person record. You are much less
likely to use this approach with job roles, because users with the same job typically
access different sets of data.
To assign security profiles directly to a job or abstract role, perform the task Manage
Data Role and Security Profiles and search for the job or abstract role on the Manage
HCM Data Roles page, select the role, and click Edit.



We can either:
–Select existing HCM security profiles to assign to the job or abstract role.
–Create new HCM security profiles.
The job or abstract role effectively becomes an HCM data role because it has access
to HCM business object instances.



Synchronizing with Oracle Identity Management
Oracle Identity Management maintains Lightweight Directory Access Protocol
(LDAP) user accounts for users of Oracle Fusion Applications.

Oracle Identity Management also stores the definitions of abstract, job, and data
roles, and holds information about roles provisioned to users.

Most changes to user and role information are shared automatically by Oracle
Fusion Human Capital Management (Oracle Fusion HCM) and Oracle Identity
Management. No action is necessary to make this exchange of information happen.

However, we must run the processes Send Pending LDAP Requests and Retrieve
Latest LDAP Changes to manage some types of information exchange between
Oracle Fusion HCM and Oracle Identity Management.

Send Pending LDAP Requests: Sends bulk requests and future-dated requests that
are now active to Oracle Identity Management. The response to each request from
Oracle Identity Management to Oracle Fusion HCM indicates transaction status (for
example, Completed).

Retrieve Latest LDAP Changes: Requests updates from Oracle Identity Management
that may not have arrived automatically because of a failure or error, for example.
