Create Job Role and Abstract Role from Scratch

If the predefined roles aren't suitable or you need a role with few privileges, then you can create a role from scratch. To perform this task, you must have the IT Security Manager job role or privileges.

Caution: While creating custom roles, make sure you assign only the required privileges. Assigning all the privileges may impact subscription usage. Before you proceed, see the topic Guidelines for Configuring Security.

Enter Basic Information

Follow these steps:

  1. On the Roles tab of the Security Console, click Create Role.

  2. On the Create Role: Basic Information page, enter the role's display name in the Role Name field. For example, enter XYZ HR Business Partner.

  3. Complete the Role Code field. For example, enter XYZ_HR_BUSINESS_PARTNER_JOB.

    Abstract roles have the suffix _ABSTRACT, and job roles have the suffix _JOB. Default prefixes for role codes and role names can be specified on the Roles subtab of the Security Console's Administration tab. These are used when copying roles. It’s a good practice to use the same prefixes when defining job and abstract roles from scratch as when copying roles. This ensures that your custom roles follow the same naming pattern, whether they have been copied from other roles or created from scratch.

  4. In the Role Category field, select either HCM - Abstract Roles or HCM - Job Roles, as appropriate.

    Note: Be sure to select the HCM - Job Roles category when creating job roles. Otherwise, your job roles don't appear in the list of available job roles when you create an HCM data role.

  5. If you're using location-based access, then you see the Enable Role for Access from All IP Addresses option. If you select this option, then users who have the role can access the tasks that the role secures from any IP address.

  6. Click Next.

Add Functional Security Policies

When you create a role from scratch, you're most likely to add one or more aggregate privileges or duty roles to your role. You're less likely to grant function security privileges directly to the role.

If you aren't granting function security privileges, then click Next. Otherwise, to grant function security privileges to the role:

  1. On the Privileges tab of the Create Role: Functional Security Policies page, click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to add all function security privileges from a selected role to your custom role.

    Tip: If the role has no function security privileges, then you see an error message. You can add the role to the role hierarchy on the Create Role: Role Hierarchy page, if appropriate.

    If you select a single privilege, then click Add Privilege to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

  7. Click Next.

It's recommended that you include the following function security privileges in all HCM custom job and abstract roles:
  • Approve Transactions - PER_APPROVE_TRANSACTIONS_PRIV
  • View Notification Details - PER_VIEW_NOTIFICATION_DETAILS_PRIV
  • Access HCM Common Components - HRC_ACCESS_HCM_COMMON_COMPONENTS_PRIV

If your custom job and abstract role are granted access to any of the responsive user experience pages, you might need to also add function security privileges that grant access to Lists of Values. For more information, see the topic Privileges and Roles Securing Lists of Values in Responsive User Experience Pages.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.
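
The following is an added example, not Oracle code: a Python lint that applies this page's role-code suffix and category rule, the recommended privileges, the least-privilege caution and the location-based access option to a role definition before review. The dict layout, the XYZ prefix, the approved baseline and the EXAMPLE_* privilege codes are assumptions constructed for illustration; "privileges" is assumed to hold the role's effective function security privileges, whether granted directly or inherited through aggregate privileges.

```python
# Function security privileges this page recommends for every HCM custom role.
RECOMMENDED = {
    "PER_APPROVE_TRANSACTIONS_PRIV",
    "PER_VIEW_NOTIFICATION_DETAILS_PRIV",
    "HRC_ACCESS_HCM_COMMON_COMPONENTS_PRIV",
}
# Role category -> role-code suffix, from the Basic Information steps.
SUFFIX = {"HCM - Job Roles": "_JOB", "HCM - Abstract Roles": "_ABSTRACT"}


def lint_role(role, approved, prefix="XYZ"):
    """Return findings for one role; `role` is a hypothetical dict layout."""
    findings = []
    code, privs = role["code"], set(role["privileges"])
    suffix = SUFFIX.get(role["category"])
    if suffix is None:
        findings.append(f"unexpected role category: {role['category']}")
    elif not code.endswith(suffix):
        findings.append(f"code {code} needs suffix {suffix} for {role['category']}")
    if not code.startswith(prefix + "_"):
        findings.append(f"code {code} lacks the configured prefix {prefix}_")
    for p in sorted(RECOMMENDED - privs):
        findings.append(f"missing recommended privilege {p}")
    # Least privilege: anything beyond the approved baseline needs review.
    for p in sorted(privs - RECOMMENDED - set(approved)):
        findings.append(f"privilege {p} is outside the approved baseline")
    if role.get("all_ip_access"):
        findings.append("enabled for access from all IP addresses; confirm intent")
    return findings


# Constructed sample data (not from a real environment).
APPROVED = {"EXAMPLE_VIEW_PERSON_PRIV"}
GOOD = {
    "code": "XYZ_HR_BUSINESS_PARTNER_JOB", "category": "HCM - Job Roles",
    "privileges": sorted(RECOMMENDED) + ["EXAMPLE_VIEW_PERSON_PRIV"],
    "all_ip_access": False,
}
BAD = {
    "code": "XYZ_LINE_MANAGER_JOB", "category": "HCM - Abstract Roles",
    "privileges": ["PER_APPROVE_TRANSACTIONS_PRIV",
                   "HRC_ACCESS_HCM_COMMON_COMPONENTS_PRIV",
                   "EXAMPLE_MANAGE_PAYROLL_PRIV"],
    "all_ip_access": True,
}

if __name__ == "__main__":
    for r in (GOOD, BAD):
        print(r["code"], lint_role(r, APPROVED) or "OK")
```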

Create Data Security Policies

Make no entries on the Create Role: Data Security Policies page.

Build the Role Hierarchy

The Create Role: Role Hierarchy page shows the hierarchy of your custom role in tabular format by default. You can add one or more aggregate privileges, job roles, abstract roles, and duty roles to the role. Typically, when creating a job or abstract role you add aggregate privileges. Roles are always added directly to the role that you're creating.

To add a role:

  1. Click the Add Role icon.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. When you finish adding roles, close the Add Role Membership dialog box.

  7. Click Next.

If your custom job and abstract role are granted access to any of the responsive user experience pages, you might need to also add aggregate privileges that grant access to Lists of Values. For more information, see the topic Privileges and Roles Securing Lists of Values in Responsive User Experience Pages.

Provision the Role

To provision the role to users, you must create a role mapping once the role exists. Don't provision the role to users on the Security Console.

Review the Role

On the Create Role: Summary and Impact Report page, review the summary of the changes. Click Back to make corrections. Otherwise:

  1. Click Save and Close to save the role.

  2. Click OK to close the confirmation message.

Your custom role is available immediately.