In Oracle EBS it is possible to create security profiles and assign those to responsibilities.

When defining the security profile, you can specify the node in Organization Hierarchy that is used to secure the list of people that you see.

For example, a manager working in IT Department, should only see the details of the staff from Oracle Department or Data WareHouse department, both of which could be the child org’s of the IT Department. In Oracle EBS, you can also set custom SQL to filter the records that the logged in individual can see as per the security profile.

In Fusion HCM, you can assign security profiles to the Job Roles. Therefore in this case the Job Role is equivalent to the Responsibility in Oracle EBS. The basics of security profiles can be learnt from this link

This article shows the steps you will take to attach & configure a security profile with a Job Role.

First, login as XX_FA_SECURITY_ADMIN that we created in a previous article linked here

Next search on Data Role and select Create Data Role for Implementation Users.

Select the Job Role for which you wish to create the Security Profile and give a user friendly name to the Data Role.

Data Role - Security Criteria - Security Profiles - Review

Data Role: Search and select from the list a value in this case "IT Security Manager"

Search and Select: Job Role

Next, you can give the criteria that will apply dynamic SQL where clauses when a person using the Role corresponding to IT Security Manager View All logs in.

There are plenty of options to apply the filters on.
The data security that can be applied has various parameters

You can secure by Organization Hierarchy, by Person Type, or Business Unit or Position or by a custom criteria.

As you will notice, the options to secure the list of people a Manager can see are more versatile in Fusion HCM, as compared to Oracle EBS.

Manage Data Roles and Security Profiles
Request is currently in progress with Identity Management

A couple of caveats that you should be aware of when working on HCM Security profiles.

Limitation in size of where clauses appended

Sometimes when creating a security profile, you may see an error stating that the maximum WHERE predicate length supported by data security grants was exceeded. This is a bug due to the limitation in the size of the where clauses. The more the criterias you select, the longer the SQL where clause predicate becomes that gets attached to the person object dynamically at runtime. The biggest culprit is the option named "Include related contacts".

In order to resolve this, reduce the number of security criteria defined in this security profile, and doing so will reduce the size of the sql predicates that are generated by the security profiles. You can also try to Uncheck "Include related contacts" that will significantly reduce the size of the SQL predicate.

The new job roles created from APM are not visible in HCM

The Authorization Policy Manager (APM)  is bespoke version of Oracle’s Entitlement server. Within APM, you can grant granular entitlements, you can read about APM in the dedicated article for APM. Sometimes the new job roles created in Authorization Policy Manager are not showing in Fusion HCM UIs like

Manage HCM Role Provisioning Rules

Manage Data Role and Security Profiles

To implement the solution, please execute the following steps:

1. Navigator -> Scheduled Processes

2. Run SyncRolesJob process or a process named Retrieve Latest LDAP Changes

Attaching security profiles to Abstract Roles

This can be achieved by following the Oracle Support Note 1625092.1, as per steps listed below

Talent and some non-HCM products also use the predefined Employee, Contingent Worker and Line Manager abstract roles.  These are delivered abstract roles that are pre-defined/seeded by Oracle, but each customer needs to assign security profiles to these so that the security sets are defined particular to their implementation.

Line Manager Abstract Role:

a.   Assign security profiles to existing abstract roles:  Line Manager Abstract Role

                                                              i.      Search Role = Line Manager

                                                            ii.      Highlight the role and click the ASSIGN button.  

                                                           iii.      Initially use the "View All..." defaults for each security profile, except for:

Person Security Profile:  Set value to "View Manager Hierarchy" and Public Person Security Profile:  Set value to "View all Workers”

2.   Review & Submit.

                                                          iv.      You are returned to the HCM Data Roles search.  {NOTE: When you search again, the Line Manager's Security Profiles column now has a green check indicating security profiles have been assigned. }

You need to come back to the Line Manager HCM Data Role and evaluate whether or not you want to permit the "View All..." for the other security profile options!   You may also want to change the Public Person access.

Employee Abstract Role:

a.   Assign security profiles to existing abstract roles:  Employee Abstract Role

                                                            v.      Search **Role = Employee

                                                          vi.      Highlight the role and click the ASSIGN button.  {NOTE: See that the Security Profiles column is blank at this point?}

                                                         vii.      We will initially use the "View All..." defaults for each security profile, except for:

1.       Person Security Profile:  Set value to "View Own Record";

2.        Public Person Security Profile:  Set value to "View all Workers"

3.       Review & Submit.

4.       You are returned to the HCM Data Roles search.  {NOTE: When you search again, the EE's Security Profiles column now has a green check indicating security profiles have been assigned. }

You need to come back to the Employee HCM Data Role and evaluate whether or not you wish to permit the "View All..." for the other security profile options!   You may also want to change the Public Person access.

Contingent Worker Abstract Role:

a.   Assign security profiles to existing abstract roles:  Contingent Worker Abstract Role

                                                       viii.      Search **Role = Contingent Worker

                                                          ix.      Highlight the role and click the ASSIGN button.  {NOTE: See that the Security Profiles column is blank at this point?}

                                                            x.      We will initially use the "View All..." defaults for each security profile, except for:

1.       Person Security Profile:  Set value to "View Own Record"

2.       Public Person Security Profile:  Set value to "View all Workers"

3.       Review & Submit.

4.   You are returned to the HCM Data Roles search.  {NOTE: When you search again, the CWR's Security Profiles column now has a green check indicating security profiles have been assigned.}

You need to come back to the Contingent Worker HCM Data Role and evaluate whether or not you want to permit the "View All..." for the other security profile options!   You may also want to change the Public Person access as per your requirements.

Anil Passi

Add comment