
February 2015

Fusion Compensation
Troubleshooting Security Issues
Releases 8 and 9

Introduction

We commonly see a few security issues that result from missing privileges or from extra privileges granted to
custom job roles. This document describes these issues and provides the steps to troubleshoot and correct them.

Issues covered in this document:

- No workers or the wrong set of workers are found when Acting as Proxy or using Administer Workers.
- Managers can access the compensation history window from the workforce compensation worksheet,
  but cannot view the data for some or all workers.
- Users have access to the Manage Salary action when they should not.
- The salary approval notification is blank or does not display current salary information.
- Security works correctly in test but not production.

If, after following the steps in this document, you are still unable to resolve your issue, log an SR and include the
following information:

1. A detailed explanation of the steps you have already taken to troubleshoot the issue.
2. A screenshot of the page or work area showing the problem.
3. A screenshot that shows all of the user’s job roles.
4. A screenshot of the expanded application role mapping tab from Authorization Policy Manager (APM) of
all the user’s job roles. You access this page from Functional Setup Manager by searching the task name
Manage Duties.
5. A screenshot of the person security profile of the data role for all the user’s jobs.

No workers or the wrong set of workers are found when Acting as Proxy or using Administer Workers.

The person security profile for the data role controls which workers a user can find when
searching while acting as proxy or when managing workers using Administer Workers. If you
cannot find any workers or the search returns the wrong set of workers, either the correct
data privileges are missing or the security profile is configured incorrectly.

1. Does the user have the data role created for the job role? The data role determines the
set of workers the user can search for; specifically, its person security profile
controls which workers the search returns. Ensure that you set up the data role
correctly and that the user has the DATA role that inherits the job role. Giving the user
the job role itself is not sufficient.

2. If you use a custom job role, verify that the custom job role inherits the following data privileges:

- Search Person Live Data (PER_SEARCH_PERSON_LIVE_DATA)

- Allocate Compensation Person Rate by Compensation Manager
  (CMP_ALLOCATE_COMPENSATION_PERSON_RATE_BY_COMPENSATION_MANAGER_DATA)

The search function requires these privileges to return data. If you are missing these data
privileges, add them to one of your custom duty roles and regenerate your data role.

To add Search Person Live Data to a custom duty role:

1. In APM, search for Person Management Duty.
2. In Find Policies, select Default Policy Domain.
3. Select the Data Security tab.
4. Select the row for ‘Search Person Live Data’ with the Resource Name ‘Person Work
Terms Assignment’.
5. Click the Edit icon.
6. Select the Roles tab.
7. Add the custom duty role.
8. Save.
9. In APM, search for Compensation Manager Compensation Management Duty.
10. Repeat steps 2 through 8. In step 4, select the row ‘Allocate Compensation Person Rate by
Compensation Manager’ with the Resource Name ‘Person Work Terms Assignment’.
11. Save.
12. Use the Manage Data Role and Security Profiles task to regenerate your data
role.

Managers can see the compensation history column in the compensation worksheet, but cannot view the data for some or all workers.

Release 8

When the compensation history column is enabled in the worksheet and you receive an
error saying that you do not have access to the data, you are missing the correct data
security.

The ‘View Salary Analytics’ (CMP_VIEW_SALARY_ANALYTICS) function privilege gives
access to the compensation history dialog box. The ‘Enter Salary Details Data’
(CMP_ENTER_SALARY_DETAILS_DATA) data privilege gives access to view data in the
compensation history dialog box.

Give both of these privileges to a custom duty role that your line manager job role inherits
and then regenerate the job role.

Release 9

New function and data privileges secure compensation history. Please refer to the Release
9 Compensation Security Changes document available on Customer Connect or in My
Oracle Support for details to troubleshoot your issue.

http://appsconnect.custhelp.com/posts/77449734c5
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1950856.1

Users have access to the Manage Salary Action when they should not.

The function privilege called ‘Enter Salary Details’ (CMP_ENTER_SALARY_DETAILS)
controls the Manage Salary action. The following duty roles inherit this privilege out of the
box.

- HR Analyst Compensation Review Duty
- HR Salary Management Duty
- Salary Administration Duty
- Salary Management Duty

Remove this function privilege from any duty role that includes it. Removing it does not
impact a user’s ability to view compensation history.

Look through your entire internal role mapping for any of the above duty roles that might be
inherited by other duty roles. Remove the entire duty role, or if you want other privileges
that the duty role contains, create a custom duty and leave out ‘Enter Salary Details’.
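
The role-mapping search described above amounts to walking the inheritance graph from each job
role down to any duty role that grants ‘Enter Salary Details’. The following is an added example,
not Oracle code or an APM export: the role graph is constructed sample data and every role name
beginning with "Custom" is hypothetical.

```python
# Added example: the role graph below is constructed sample data, not an APM export.
from collections import deque

PRIVILEGE = "CMP_ENTER_SALARY_DETAILS"

# role -> roles it inherits directly (constructed; "Custom ..." names are hypothetical)
INHERITS = {
    "Custom Line Manager Job": ["Custom Manager Comp Duty", "Custom Team View Duty"],
    "Custom Manager Comp Duty": ["Salary Management Duty"],
    "Custom Team View Duty": [],
    "Custom HR Analyst Job": ["HR Analyst Compensation Review Duty"],
    "Custom Recruiter Job": ["Custom Team View Duty"],
}

# role -> function privileges granted directly on that role (constructed)
GRANTS = {
    "Salary Management Duty": {PRIVILEGE},
    "HR Analyst Compensation Review Duty": {PRIVILEGE},
    "Custom Team View Duty": {"CMP_VIEW_SALARY_ANALYTICS"},
}


def paths_to_privilege(role, privilege, inherits, grants):
    """Return every inheritance path from `role` to a role that grants `privilege`."""
    found = []
    queue = deque([[role]])
    while queue:
        path = queue.popleft()
        current = path[-1]
        if privilege in grants.get(current, set()):
            found.append(path)
        for child in inherits.get(current, []):
            if child not in path:  # guard against cyclic role definitions
                queue.append(path + [child])
    return found


def audit(job_roles, privilege, inherits, grants):
    """Map each job role that reaches `privilege` to the paths that grant it."""
    report = {}
    for job in job_roles:
        paths = paths_to_privilege(job, privilege, inherits, grants)
        if paths:
            report[job] = paths
    return report


if __name__ == "__main__":
    jobs = [r for r in INHERITS if r.endswith("Job")]
    for job, paths in audit(jobs, PRIVILEGE, INHERITS, GRANTS).items():
        for p in paths:
            print(f"{job}: " + " -> ".join(p))
```

Each reported path names the intermediate duty role to remove or to replace with a custom duty
that leaves out the privilege.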

Release 8

The delivered Talent Line Manager Duty includes a function privilege called ‘View
Performance Information on Manager Dashboard’. This privilege includes several
compensation resources that give access to the action Manage Salary (and Manage
Compensation). If your role inherits this privilege, you must remove the privilege and create
a custom entitlement that includes the same resources as the delivered privilege, minus
the compensation resources highlighted below.

This issue is fixed in release 9.


The salary approval notification is blank or does not display current salary information.

If the approver viewing the notification does not have the proper data security to access
the worker whose salary adjustment requires approval, salary data does not appear
correctly.

- Does the user have a role that includes the data privilege ‘Enter Salary Details Data’
  (CMP_ENTER_SALARY_DETAILS_DATA)? This data privilege is required to view
  salary data. If no role the user inherits includes this data privilege, create a custom duty
  and add this data privilege, then regenerate the data role. See the first issue for
  instructions.

- Does the person’s security profile give them access to the person whose salary
  adjustment requires approval? If not, correct the person security profile.

Security works correctly in test, but not in production.

If you notice a difference in function or data access for a user between the test
environment and the production environment, it’s likely due to custom role setups or a
user having a job role, rather than a data role, in the production environment.

1. Verify that the user has the exact same set of roles in both environments.
2. Verify that custom roles are set up exactly the same.
3. In the production environment, regenerate the data role in question.
4. If it is a data security issue, verify that valid data exists in the production environment.
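
Steps 1 and 2, together with the job-role-without-data-role cause named above, can be checked by
comparing role exports from the two environments. The following is an added example, not Oracle
code: the export structure, the user jdoe and all role names are constructed or hypothetical, and
only the privilege codes come from this document.

```python
# Added example; every user, role and privilege assignment here is constructed.
# Data role -> job role it inherits (hypothetical names).
DATA_ROLE_PARENT = {
    "Custom Comp Manager - All Workers": "Custom Comp Manager Job",
    "Custom Line Manager - My Reports": "Custom Line Manager Job",
}
TEST = {
    "users": {"jdoe": {"Custom Comp Manager - All Workers"}},
    "custom_roles": {"Custom Comp Duty": {"PER_SEARCH_PERSON_LIVE_DATA",
                                          "CMP_ENTER_SALARY_DETAILS_DATA"}},
}
PROD = {
    "users": {"jdoe": {"Custom Comp Manager Job"}},
    "custom_roles": {"Custom Comp Duty": {"CMP_ENTER_SALARY_DETAILS_DATA"}},
}


def bare_job_roles(roles, data_role_parent):
    """Job roles held directly while no held data role inherits them."""
    covered = {data_role_parent[r] for r in roles if r in data_role_parent}
    return sorted((roles & set(data_role_parent.values())) - covered)


def diff_custom_roles(test_defs, prod_defs):
    """Per custom role, privileges present in only one environment."""
    out = {}
    for role in sorted(set(test_defs) | set(prod_defs)):
        t, p = test_defs.get(role, set()), prod_defs.get(role, set())
        if t != p:
            out[role] = {"missing_in_prod": sorted(t - p), "extra_in_prod": sorted(p - t)}
    return out


def compare(user, test, prod, data_role_parent):
    """Summarize role and custom-role differences for one user across environments."""
    t = test["users"].get(user, set())
    p = prod["users"].get(user, set())
    return {
        "roles_only_in_test": sorted(t - p),
        "roles_only_in_prod": sorted(p - t),
        "bare_job_roles_in_prod": bare_job_roles(p, data_role_parent),
        "custom_role_drift": diff_custom_roles(test["custom_roles"], prod["custom_roles"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare("jdoe", TEST, PROD, DATA_ROLE_PARENT), indent=2))
```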

Additional Resources
Workforce Compensation UI to Privilege Security Map

Fusion Security and Workforce Compensation MOS ID 1556468.1

Release 9 Compensation Security Changes: Customer Connect, MOS ID 1950856.1

Copyright © 2012, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the
contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other
warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are
formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective
owners.

AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel
and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are
trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open
Company, Ltd.

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
