Oracle® Fusion
Applications Coexistence for HCM Implementation Guide 11g Release 1 (11.1.4) Part Number E20378-02 |
Contents |
Previous |
Next |
This chapter contains the following:
Defining Security for Human Capital Management for Coexistence: Explained
FAQs for Define Security for Human Capital Management for Coexistence
This topic explains the HCM coexistence tasks Manage Job Roles and Manage Duties. These tasks are available to a user with the role IT Security Manager. They are performed during implementation using the Oracle Fusion Functional Setup Manager and can be performed subsequently in the Oracle Fusion Human Capital Management (HCM) Setup and Maintenance work area.
Oracle Fusion HCM provides a comprehensive set of predefined security data, known as the security reference implementation, which includes multiple instances of each of the components in the following table.
Security Reference Implementation Component |
Example |
---|---|
Job role |
Human Resource Specialist |
Abstract role |
Employee |
Duty role |
Worker Work Relationship Termination Duty |
Privilege |
Terminate Work Relationship |
Data security policy |
A Human Resource Specialist can terminate work relationship for persons and assignments in their person and assignment security profile |
Security profile |
View All Workers |
For more information on the security reference implementation for Oracle Fusion HCM, see:
Oracle Fusion Applications Workforce Deployment Security Reference Manual
Oracle Fusion Applications Common Security Reference Manual
You review the security reference implementation to determine whether the predefined components, in particular the job and duty roles, meet enterprise requirements.
If the enterprise job or abstract roles do not exist in the security reference implementation, you may need to create new job or abstract roles. (Having predefined job or abstract roles that the enterprise does not use is not a problem because you do not have to provision those roles to users.)
Job and abstract roles are implemented using Oracle Identity Management (OIM), and you manage them using the Manage Job Roles task. If the security reference implementation contains all enterprise job and abstract roles, you do not need to perform this task.
The security reference implementation provides one or more duty roles for every function in Oracle Fusion Applications; therefore, you need to create new duty roles only if you create custom functions. Typically, you perform the Manage Duties task to manage the duty-role hierarchy. For example, if you create new job or abstract roles, you use Manage Duties to assign duties to those roles. You also need to consider removing unused duty roles from abstract and job roles; otherwise, HCM coexistence users will have access to functions (for example, in menus) that are not relevant to them.
You are most likely to need to remove duty roles from the following predefined roles, because these roles are not specific to a single feature of the HCM coexistence offering:
Contingent worker
Employee
Human Capital Management Application Administrator
Human Resource Analyst
Human Resource Specialist
Human Resource Vice President
Line manager
For example, the predefined job role Human Resource Specialist inherits the duty role Worker Work Relationship Termination Duty. In the HCM coexistence environment, work relationships must be terminated in the source application; therefore, the Worker Work Relationship Termination Duty is an unused duty role that needs to be removed from the job role.
You manage duty roles in the Oracle Fusion Middleware Authorization Policy Manager (APM) using the Manage Duties task. For guidance about the duty roles that you may need to remove from job and abstract roles, see the Oracle Fusion Applications Workforce Deployment Security Reference Manual.
If the enterprise job roles do not exist in the security reference implementation, you:
Create the new job roles in Oracle Identity Management (OIM).
Note
If you create new job or abstract roles, do not add them to the predefined role categories (HCM - Job Roles and HCM - Abstract Roles). Instead, create your own categories and ensure that the category names end with "Job Roles" or "Abstract Roles", as appropriate. For example, you could create a new category for job roles called ABC - Job Roles.
Attach duty roles to the new job roles in the Oracle Fusion Middleware Authorization Policy Manager (APM).
Run the Oracle Fusion Human Capital Management (HCM) process Retrieve Latest LDAP Changes to ensure that the new job roles are visible in the Oracle Fusion HCM Create Data Role interface.
If you add custom job or abstract roles to role categories that do not end with "Job Roles" or "Abstract Roles", they do not appear in the list of jobs in Create Data Role.
Perform the Oracle Fusion HCM task Manage Data Role and Security Profiles to create HCM data roles for the new job roles.
Perform the Oracle Fusion HCM task Manage Role Mappings to create role mappings for the new data roles so that the roles can be provisioned to users.