Role-Based Security
In Oracle Fusion Applications, users have roles through which they gain access to functions and data. Users can have any number of roles. 
When Jayashree signs in to Oracle Fusion Human Capital Management (Oracle Fusion HCM), she doesn't have to select a role. All of these roles are active concurrently.
The functions and data that Jayashree can access are determined by this combination of roles.
• As an employee, Jayashree can access employee functions and data.
• As a line manager, Jayashree can access line-manager functions and data.
• As a human resource specialist (HR specialist), Jayashree can access HR specialist functions and data.
Role-Based Access Control
Role-based security in Oracle Fusion Applications controls who can do what on which data.
In role-based access: 
For Example
Predefined HCM Roles:
Many job and abstract roles are predefined in Oracle Fusion Human Capital Management (Oracle Fusion HCM). This list shows the main predefined HCM roles:
• Benefits Administrator
• Benefits Manager
• Benefits Specialist
• Compensation Administrator
• Compensation Analyst
• Compensation Manager
• Compensation Specialist
• Contingent Worker
• Employee
• Human Capital Management Application Administrator
• Human Resource Analyst
• Human Resource Manager
• Human Resource Specialist
• Human Resource VP
• Line Manager
• Payroll Administrator
• Payroll Manager
These predefined roles are part of the Oracle Fusion HCM Security Reference Implementation. The Security Reference Implementation is a predefined set of security definitions that you can use as supplied.
Also included in the Security Reference Implementation are roles that are common to all Oracle Fusion applications, such as:
• Application Implementation Consultant
• IT Security Manager
You can include the predefined roles in HCM data roles, for example. Typically, you assign the Employee, Contingent Worker, and Line Manager abstract roles directly to users.
Role Types:
Oracle Fusion Human Capital Management (Oracle Fusion HCM) defines four types of roles:
• Abstract roles
• Data roles
• Job roles
• Duty roles
Abstract Roles
Abstract roles represent a worker's role in the enterprise independently of the job that you hire the worker to do. Three abstract roles are predefined in Oracle Fusion HCM:
• Employee
• Contingent worker
• Line manager
You can also create custom abstract roles. All workers are likely to have at least one abstract role through which they access standard functions, such as managing their own information and searching the worker directory.
You assign abstract roles directly to users.
Data Roles
Data roles combine a worker's job and the data that users with the job must access. For example, the HCM data role Payroll Administrator Payroll US combines a job (Payroll Administrator) with a data scope (Payroll US). You define all HCM data roles locally and assign them directly to users.
Jayashree is an employee and a payroll administrator for Fusion Corporation. She has the Employee Abstract Role and the locally defined HCM Data Role - Payroll Administrator Payroll US.
Job Roles
A job role is the job that a worker is hired to perform. For example, Human Resource Analyst, Payroll Manager, Human Resources VP, and Cash Manager are all examples of job roles. Many job roles are predefined in Oracle Fusion Applications; you can also create job roles if necessary.
You do not assign job roles directly to users. Instead, you include job roles in HCM data roles, and assign those data roles to users.
In this example, Jayashree’s locally defined HCM Data Role Payroll Administrator Payroll US inherits the predefined Job Role Payroll Administrator.
Duty Roles
Duty roles are the building blocks of abstract and job roles: they represent the individual duties that users with those job or abstract roles can perform. Duty roles are inherited by job and abstract roles; they can also be inherited by other duty roles. You do not assign duty roles directly to users.
This figure shows an example duty role for each of Jayashree’s abstract and job roles. In reality, abstract and job roles inherit many duty roles.
Duty roles grant access to work areas, dashboards, task flows, user-interface pages, reports, batch programs, and so on; therefore, they determine the functions that a user can perform. Duty roles also control the actions that a user can perform in a UI page. For example, Jayashree can navigate to her own Portrait in the Person Gallery and edit her own contact details thanks to the duty roles inherited by her Employee abstract role.
The entries that a user sees in the Navigator, in the Tasks pane of a work area, and in menus are determined by duty roles; differences between users are accounted for by differences in the duty roles that they inherit.
Role Inheritance:
Each role is a hierarchy of other roles:
• HCM data roles inherit job or abstract roles.
• Job and abstract roles inherit duty roles.
• Duty roles can inherit other duty roles.
In addition, when you assign data and abstract roles to users, they inherit the data and function security associated with those roles.
Predefined Security
Oracle Fusion Applications provides a comprehensive set of predefined security data known as the Security Reference Implementation.
The Security Reference Implementation includes predefined:
• Abstract roles
• Job roles
• Duty roles
• Data role templates
• HCM security profiles
HCM Security Profiles
Most Oracle Fusion HCM data is secured by means of HCM security profiles. HCM security profiles are an Oracle Fusion HCM feature; they are not used by other Oracle Fusion Applications. A security profile identifies a set of data of a single type, such as persons or organizations. For example, you could create security profiles to identify:
- All workers in department HCM US
- The legal employer InFusion Corp USA1
- Business units USA1 and USA2
You assign security profiles to abstract and data roles to identify the data instances that users with those abstract and data roles can access.
Security Profiles in HCM Data Roles
In the following example, Tim Thompson and Patricia Smith are both human resource specialists, Tim in US Marketing and Patricia in US Sales. Each has a data role that inherits the job role Human Resource Specialist and the duty roles appropriate to that job role. Therefore, Tim and Patricia can perform the same functions and see the same entries in the Navigator, work-area Tasks panes, and menus. However, each user accesses different sets of data, which are identified in separate sets of security profiles.
Note: If Tim and Patricia could access the same sets of data, you could create one HCM data role rather than two and assign that HCM data role to both users.
Data Role Templates
Data role templates are the second of two ways of creating data roles (the first being HCM data roles). Data role templates secure access to reference data sets and are used by most Oracle Fusion Applications.
Data role templates contain rules for the generation of data roles and are predefined. Each data role created using a data role template combines a single job role and a single reference data set.
Oracle Fusion HCM makes limited use of data role templates. In Oracle Fusion HCM, you use data role templates to secure access to reference data sets for departments, jobs, grades, locations, and performance document templates. If you need to provide a job role (such as Human Capital Management Application Administrator) with access to all of these business objects, then you generate separate data roles for each combination of the job role and a business-object reference data set.
My next article covers the topic of Provisioning Roles to Application Users
Apps2Fusion Articles 
Comments
If you explain more on data role template, would be great.
RSS feed for comments to this post