Professional Documents
Culture Documents
Compensation Security Troubleshooting
Compensation Security Troubleshooting
Fusion Compensation
Troubleshooting Security
Issues
Releases 8 and 9
Introduction
We commonly see a few security issues that result from missing privileges or from extra privileges granted to
custom job roles. This document describes these issues and provides the steps to troubleshoot and correct them.
No workers or the wrong set of workers are found when Acting as Proxy or using Administer Workers.
Managers can access the compensation history window from the workforce compensation worksheet,
but cannot view the data for some or all workers.
Users have access to the Manage Salary action when they should not.
The salary approval notification is blank or does not display current salary information.
Security works correctly correct in test but not production.
If after following the steps in this document, you are still unable to resolve your issue, log an SR and include the
following information.
1. A detailed explanation of the steps you have already taken to troubleshoot the issue.
2. A screenshot of the page or work area showing the problem.
3. A screenshot that shows all of the user’s job roles.
4. A screenshot of the expanded application role mapping tab from Authorization Policy Manager (APM) of
all the user’s job roles. You access this page from Functional Setup Manager by searching the task name
Manage Duties.
5. A screenshot of the person security profile of the data role for all the user’s jobs.
No workers or the wrong set of workers are found when Acting as Proxy or using
Administer Workers.
The person security profile for the data role controls the workers a user can find when
searching when acting as proxy and managing workers using Administer Workers. If you
cannot search for any workers or the search returns the wrong set of workers, the correct
data privileges are missing or the security profile is configured incorrectly.
1. Does the user have the data role created for the job role? The data role determines the
set of workers the user can search for. The person security profile, specifically,
controls for the workers returned in the search. Ensure that you set up the data role
correctly and that the user has the DATA role that inherits the job role. Giving the user
the job role itself is not sufficient.
2. If you use a custom job role, the custom job inherits the following data privileges:
The search function requires these privileges to return data. If you are missing these data
privileges, add them to one of your custom duty roles and regenerate your data role.
Give both of these privileges to a custom duty role that your line manager job role inherits
and then regenerate the job role.
Release 9
New function and data privileges secure compensation history. Please refer to the Release
9 Compensation Security Changes document available on Customer Connect or in My
Oracle Support for details to troubleshoot your issue.
http://appsconnect.custhelp.com/posts/77449734c5
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1950856.1
Users have access to the Manage Salary Action when they should not.
The function privilege called ‘Enter Salary Details '(CMP_ENTER_SALARY_DETAILS)
controls the Manage Salary action. The following duty roles inherit this privilege out of the
box.
HR Analyst Compensation Review Duty
HR Salary Management Duty
Salary Administration Duty
Salary Management Duty
Remove this function privilege from any duty role that includes it. Removing it does not
impact a user’s ability to view compensation history.
Look through your entire internal role mapping for any of the above duty roles that might be
inherited by other duty roles. Remove the entire duty role, or if you want other privileges
that the duty role contains, create a custom duty and leave out ‘Enter Salary Details’.
Release 8
The delivered Talent Line Manager Duty includes a function privilege called ‘View
Performance Information on Manager Dashboard’. This privilege includes several
compensation resources that give access to the action Manage Salary (and Manage
Compensation). If your role inherits this privilege, you must remove the privilege and create
a custom entitlement that includes the same resources as the delivered privilege, minus
the compensation resources highlighted below.
Does the user have a role that includes the data privilege ‘Enter Salary Details Data’
(CMP_ENTER_SALARY_DETAILS_DATA)? This data privilege is required to view
salary data. If no role the user inherits includes this data privilege, create a custom duty
and add this data privilege, then regenerate the data role. See the first issue for
instructions.
Does the person’s security profile give them access to the person whose salary
adjustment requires approval? If not, correct the person security profile.
1. Verify that the user has the exact same set of roles in both environments.
2. Verify that custom roles are set up exactly the same.
3. In the production environment, regenerate the data role in question.
4. If a data security issue, verify that valid data exists in the production environment.
Additional Resources
Workforce Compensation UI to Privilege Security Map