1 An Introduction to HCM Security in the Cloud

Overview of Securing Oracle HCM Cloud

Oracle Human Capital Management Cloud is secure as delivered. This guide explains how to enable user access to HCM functions and data. You perform many of the tasks in this guide during implementation. You can also perform most of them later and as requirements change. This topic summarizes the scope of this guide and identifies the contents of each chapter.

Guide Structure

Each chapter of this guide covers the following:

  • An Introduction to HCM Security in the Cloud: a brief overview of the concepts of role-based security and an introduction to the Oracle Fusion Applications Security Console

  • Creating Implementation Users: the role of implementation users and instructions for creating them

  • Creating HCM Data Roles for Implementation Users: how to provide the data access that enables implementation users to complete the functional implementation

  • Enabling Basic Data Access for Abstract Roles: how to provide basic data access for all employees, contingent workers, and line managers

  • Assigning Roles to Implementation Users: how to assign data and abstract roles to implementation users

  • Setting Up Applications Security: setting enterprise options on the Security Console and maintaining the Oracle Fusion Applications Security tables

  • Working with the Bridge for Microsoft Active Directory: how to install and configure the bridge for Microsoft Active Directory and synchronize user accounts

  • Managing Location-Based Access: how to enable location-based access, list authorized IP addresses, and make selected roles public

  • Preparing for Application Users: enterprise-wide options and related decisions that affect application users

  • Creating Application Users: the ways in which you can create application users, with instructions for some methods

  • Managing Application Users: how to maintain user accounts throughout the workforce life cycle

  • Provisioning Roles to Application Users: the ways in which application users can acquire roles, with instructions for creating some standard role mappings

  • Reporting on Application Users and Roles: reporting on user accounts, inactive users, roles provisioned to users, and password changes

  • HCM Data Roles and Security Profiles: how to create and manage HCM data roles and use HCM security profiles to identify the data that users can access

  • Person Security Profiles: how to secure access to person records

  • Organization and Other Security Profiles: how to secure access to organizations, positions, document types, legislative data groups, payrolls, and payroll flows

  • Using the Security Console: how to use the Security Console to review role hierarchies and role analytics

  • Creating and Editing Job, Abstract, and Duty Roles: how to copy predefined roles to create roles, how to create roles from scratch, and how to edit custom roles

  • Regenerating Roles: how to regenerate the data security policies of data and abstract roles when the role hierarchy changes

  • Securing Access to Value Sets: how value sets are secured, and how APPID users gain access to secured value sets

  • Securing Content Sections in Person Profiles: how to secure user access to content-type data in person profiles

  • Securing Access to Succession Plans, Incumbents, and Candidates: how to create a super user role to enable access to all succession plans, and how to configure restricted access to lists of incumbents and candidates

  • Securing Access to Lists of Values in Responsive User Experience Pages: how to enable custom roles to access lists of values in responsive user experience pages

  • Security and Reporting: how to enable users to run Oracle Transactional Business Intelligence and Oracle Business Intelligence Publisher reports

  • Roles for Workflow Access: the predefined roles that enable access to workflow functionality

  • Auditing Oracle HCM Cloud Business Objects: how to configure audit for HCM business objects and access audit reports

  • Certificate Management: how to generate, import, export, and delete PGP and X.509 certificates for data encryption and decryption

  • Role Optimization: how to use the optional Role Optimization Report to analyze the role hierarchy for redundancies and other inefficiencies

  • Advanced Data Security: an introduction to two optional cloud services, Database Vault for Oracle Fusion Human Capital Management Security Cloud Service and Transparent Data Encryption for Oracle Fusion Human Capital Management Security Cloud Service

During implementation, you perform security-related tasks from a functional area task list or implementation project. After the implementation is complete, you can perform most security-related tasks on the Security Console. Any exceptions are identified in relevant topics. For example, you hire workers in the New Person work area, not on the Security Console.

Role-Based Security

In Oracle Fusion Applications, users have roles through which they gain access to functions and data. Users can have any number of roles.

In this figure, user Lynda Jones has three roles.

This figure shows the user Lynda Jones inheriting three roles. The roles are HR Specialist Vision Operations, Employee, and Line Manager.

When Lynda signs in to Oracle Human Capital Management Cloud (Oracle HCM Cloud), she doesn't have to select a role. All of these roles are active concurrently.

The functions and data that Lynda can access are determined by this combination of roles.

  • As an employee, Lynda can access employee functions and data.

  • As a line manager, Lynda can access line-manager functions and data.

  • As a human resource specialist (HR specialist), Lynda can access HR specialist functions and data for Vision Operations.

Role-Based Access Control

Role-based security in Oracle Fusion Applications controls who can do what on which data.

Role-based access has three components:

  • Who: a role assigned to a user

  • What: a function that users with the role can perform

  • Which Data: the set of data that users with the role can access when performing the function

Some examples of role-based access:

  • Line managers can create performance documents for workers in their reporting hierarchies.

  • Employees can view payslips for themselves.

  • Payroll managers can report payroll balances for specified payrolls.

  • HR specialists can transfer workers in specified organizations.

Predefined HCM Roles

Many job and abstract roles are predefined in Oracle Human Capital Management Cloud (Oracle HCM Cloud). The predefined HCM job roles are:

  • Benefits Administrator

  • Benefits Manager

  • Benefits Specialist

  • Cash Manager

  • Compensation Administrator

  • Compensation Analyst

  • Compensation Manager

  • Compensation Specialist

  • Corporate Social Responsibility Manager

  • Employee Development Manager

  • Employee Wellness Manager

  • Environment, Health and Safety Manager

  • Human Capital Management Application Administrator

  • Human Capital Management Integration Specialist

  • Human Resource Analyst

  • Human Resource Help Desk Administrator

  • Human Resource Help Desk Agent

  • Human Resource Help Desk Manager

  • Human Resource Manager

  • Human Resource Specialist

  • IT Auditor

  • Knowledge Author HCM

  • Knowledge Search HCM

  • Learning Specialist

  • Payroll Administrator

  • Payroll Manager

  • Recruiter

  • Recruiting Administrator

  • Time and Labor Administrator

  • Time and Labor Manager

The predefined HCM abstract roles are:

  • Contingent Worker

  • Employee

  • Executive Manager

  • Hiring Manager

  • Job Application Identity for Recruiting

  • Line Manager

  • Pending Worker

These predefined job and abstract roles are part of the Oracle HCM Cloud security reference implementation. The security reference implementation is a predefined set of security definitions that you can use as supplied.

Also included in the security reference implementation are roles that are common to all Oracle Fusion applications, such as:

  • Application Implementation Consultant

  • IT Security Manager

For example, you can include the predefined job roles in HCM data roles. Typically, you assign abstract roles, such as Employee and Line Manager, directly to users.

Role Types

Oracle Human Capital Management Cloud (Oracle HCM Cloud) defines five types of roles:

  • Data roles

  • Abstract roles

  • Job roles

  • Aggregate privileges

  • Duty roles

This topic introduces the role types.

Data Roles

Data roles combine a worker's job and the data that users with the job must access. For example, the HCM data role Country Human Resource Specialist combines a job (human resource specialist) with a data scope (country). You define the data scope of a data role in one or more HCM security profiles. HCM data roles aren't part of the security reference implementation. You define all HCM data roles locally and assign them directly to users.

Abstract Roles

Abstract roles represent a worker's role in the enterprise independently of the job that you hire the worker to do. The three main abstract roles predefined in Oracle HCM Cloud are:

  • Employee

  • Contingent Worker

  • Line Manager

You can also create abstract roles. All workers are likely to have at least one abstract role. Their abstract roles enable users to access standard functions, such as managing their own information and searching the worker directory. You assign abstract roles directly to users.

Job Roles

Job roles represent the job that you hire a worker to perform. Human Resource Analyst and Payroll Manager are examples of predefined job roles. You can also create job roles. Typically, you include job roles in data roles and assign those data roles to users. The IT Security Manager and Application Implementation Consultant predefined job roles are exceptions to this general rule because they're not considered HCM job roles. Also, you don't define their data scope in HCM security profiles.

Aggregate Privileges

Aggregate privileges combine the functional privilege for an individual task or duty with the relevant data security policies. The functional privileges that aggregate privileges provide may grant access to task flows, application pages, work areas, reports, batch programs, and so on. Aggregate privileges don't inherit other roles. All aggregate privileges are predefined and you can't edit them. Although you can't create aggregate privileges, you can include the predefined aggregate privileges in custom job, abstract, and duty roles. You don't assign aggregate privileges directly to users.

Duty Roles

Each predefined duty role represents a logical grouping of privileges that you may want to copy and edit. Duty roles differ from aggregate privileges as follows:

  • They include multiple function security privileges.

  • They can inherit aggregate privileges and other duty roles.

  • You can create duty roles.

Job and abstract roles may inherit duty roles either directly or indirectly. You can include predefined and custom duty roles in custom job and abstract roles. You don't assign duty roles directly to users.

Role Inheritance

Each role is a hierarchy of other roles:

  • HCM data roles inherit job roles.

  • Job and abstract roles inherit many aggregate privileges. They may also inherit a few duty roles.

    In addition to aggregate privileges and duty roles, job and abstract roles are granted many function security privileges and data security policies directly.

  • Duty roles can inherit other duty roles and aggregate privileges.

You can explore the complete structure of a job or abstract role on the Security Console.

When you assign data and abstract roles to users, they inherit all of the data and function security associated with those roles.

Role Inheritance Example

This example shows how roles are inherited.

The figure shows a few representative aggregate privileges and a single duty role. In reality, job and abstract roles inherit many aggregate privileges. Any duty roles that they inherit may themselves inherit duty roles and aggregate privileges.

This figure shows that the user Bob Price inherits two roles directly. The first of those roles is the data role HR Specialist Vision Corporation, to which the Vision Corporation security profile is assigned. The second role is the Employee abstract role, to which the View Own Record security profile is assigned. The data role HR Specialist Vision Corporation inherits the Human Resource Specialist job role. The figure shows examples of duty roles and aggregate privileges that the Human Resource Specialist job role inherits. These examples are Manage Work Relationship, Manage Absence Case, and Employee Hire. It also shows examples of aggregate privileges that the Employee role inherits, including View Payslip and Access Person Gallery.

In this example, user Bob Price has two roles:

  • HR Specialist Vision Corporation, a data role

  • Employee, an abstract role

The two roles are described as follows:

  • HR Specialist Vision Corporation: inherits the job role Human Resource Specialist. This role inherits the aggregate privileges and duty roles that provide access to the tasks and functions that a human resource specialist performs. The security profile assigned to the data role provides access to secured data for the role.

  • Employee: inherits the aggregate privileges and duty roles that provide access to all tasks and functions, unrelated to a specific job, that every employee performs. The security profile assigned to the abstract role provides access to secured data for the role.

Duty Role Components

This topic describes the components of a typical duty role. You must understand how duty roles are constructed if, for example, you plan to create duty roles.

Function security privileges and data security policies are granted to duty roles. Duty roles may also inherit aggregate privileges and other duty roles. For example, the Workforce Structures Management duty role has the structure shown in this figure.

This figure shows that the Workforce Structures Management duty role inherits five aggregate privileges. These privileges are Manage Departments, Manage Divisions, Compare HCM Information, View Positions, and Maintain Positions.

In addition to its aggregate privileges, the Workforce Structures Management duty role is granted many function security privileges and data security policies.

Data Security Policies

Many data security policies are granted directly to the Workforce Structures Management duty role, including Manage Location, Manage Assignment Grade, and Manage HR Job. It also acquires data security policies indirectly, from its aggregate privileges.

Each data security policy combines:

  • The role to which the data security policy is granted. The role can be a duty role, such as Workforce Structures Management, job role, abstract role, or aggregate privilege.

  • A business object, such as assignment grade, that's being accessed. The data security policy identifies this resource by its table name, which is PER_GRADES_F for assignment grade.

  • The condition, if any, that controls access to specific instances of the business object. Conditions are usually specified for resources that you secure using HCM security profiles. Otherwise, business object instances can be identified by key values. For example, a user with the Workforce Structures Management duty role can manage all grades in the enterprise.

  • A data security privilege that defines permitted actions on the data. For example, Manage Assignment Grade is a data security privilege.

Function Security Privileges

Many function security privileges are granted directly to the Workforce Structures Management duty role, including Manage Location, Manage Assignment Grade, and Manage HR Job. It also acquires function security privileges indirectly, from its aggregate privileges.

Each function security privilege secures the code resources that make up the relevant pages, such as the Manage Grades and Manage Locations pages. Some user interfaces aren't subject to data security, so some function security privileges have no equivalent data security policy.

Predefined Duty Roles

The predefined duty roles represent logical groupings of privileges that you may want to manage as a group. They also represent real-world groups of tasks. For example, the predefined Human Resource Specialist job role inherits the Workforce Structures Management duty role. To create a Human Resource Specialist job role with no access to workforce structures, you would:

  1. Copy the predefined job role.

  2. Remove the Workforce Structures Management duty role from the copy.
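As an added example, not code from Oracle or from this guide, the following Python model walks the role hierarchy described in the Role Inheritance Example and Duty Role Components topics and applies the copy-and-remove step above. Role, privilege and profile names and the PER_GRADES_F table come from this chapter; the WORK_RELATIONSHIP business object name, the PROFILE condition marker, the Catalog class and its copy_role method are assumptions made for illustration.

```python
# Added example, not Oracle code: a toy model of the role hierarchy described in this
# chapter. Role, privilege and profile names and PER_GRADES_F come from the text; the
# WORK_RELATIONSHIP object, the PROFILE marker and copy_role() are assumptions.
from dataclasses import dataclass, field

ALLOWED = {"data": {"job"}, "job": {"duty", "aggregate"}, "abstract": {"duty", "aggregate"},
           "duty": {"duty", "aggregate"}, "aggregate": set()}  # aggregates inherit nothing
ASSIGNABLE = {"data", "abstract"}  # the only role types assigned directly to users
PROFILE = "PROFILE"  # condition filled in from the assigned role's HCM security profile

@dataclass
class Role:
    name: str
    kind: str
    inherits: list = field(default_factory=list)
    function_privs: set = field(default_factory=set)
    data_policies: set = field(default_factory=set)  # {(business object, privilege, condition)}
    profile: str = None  # HCM security profile, set on data and abstract roles only

class Catalog:
    def __init__(self):
        self.roles = {}

    def add(self, role):  # enforce which role types may inherit which
        for child in role.inherits:
            if self.roles[child].kind not in ALLOWED[role.kind]:
                raise ValueError(f"{role.kind} role {role.name!r} cannot inherit {child!r}")
        self.roles[role.name] = role

    def hierarchy(self, name, seen=None):  # every role reachable from `name`, itself included
        seen = set() if seen is None else seen
        if name not in seen:
            seen.add(name)
            for r in self.roles[name].inherits:
                self.hierarchy(r, seen)
        return seen

    def effective(self, assigned):  # function privileges and resolved data policies of a user
        funcs, policies = set(), set()
        for a in assigned:
            if self.roles[a].kind not in ASSIGNABLE:
                raise ValueError(f"{a!r} is a {self.roles[a].kind} role; not assignable")
            for r in self.hierarchy(a):
                funcs |= self.roles[r].function_privs
                policies |= {(o, p, self.roles[a].profile if c == PROFILE else c)
                             for o, p, c in self.roles[r].data_policies}
        return funcs, policies

    def copy_role(self, src, new_name, drop=()):  # aggregates are referenced, never copied
        s = self.roles[src]
        self.add(Role(new_name, s.kind, [r for r in s.inherits if r not in drop],
                      set(s.function_privs), set(s.data_policies), s.profile))

def build_catalog():
    c = Catalog()
    wsm = ["Manage Departments", "Manage Divisions", "Compare HCM Information",
           "View Positions", "Maintain Positions"]  # the five aggregates in the figure
    for n in wsm + ["Employee Hire", "View Payslip"]:
        c.add(Role(n, "aggregate", function_privs={n}))  # named after their function privilege
    c.add(Role("Manage Work Relationship", "aggregate", [], {"Manage Work Relationship"},
               {("WORK_RELATIONSHIP", "Manage Work Relationship", PROFILE)}))
    c.add(Role("Workforce Structures Management", "duty", wsm,
               {"Manage Location", "Manage Assignment Grade", "Manage HR Job"},
               {("PER_GRADES_F", "Manage Assignment Grade", None)}))  # no condition: all grades
    c.add(Role("Human Resource Specialist", "job",
               ["Workforce Structures Management", "Manage Work Relationship", "Employee Hire"]))
    c.add(Role("HR Specialist Vision Corporation", "data", ["Human Resource Specialist"],
               profile="Vision Corporation"))
    c.add(Role("Employee", "abstract", ["View Payslip"], profile="View Own Record"))
    return c
```

Resolving the PROFILE condition against the assigned data or abstract role's security profile is what limits Bob Price to Vision Corporation data, while the unconditioned PER_GRADES_F policy covers every grade in the enterprise. Copying Human Resource Specialist with the Workforce Structures Management duty role dropped yields a job role whose hierarchy no longer reaches Manage Departments.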

Aggregate Privileges

Aggregate privileges are a type of role. Each aggregate privilege combines a single function security privilege with related data security policies. All aggregate privileges are predefined. This topic describes how aggregate privileges are named and used.

Aggregate Privilege Names

An aggregate privilege takes its name from the function security privilege that it includes. For example, the Promote Worker aggregate privilege includes the Promote Worker function security privilege.

Aggregate Privileges in the Role Hierarchy

Job roles and abstract roles inherit aggregate privileges directly. Duty roles may also inherit aggregate privileges. However, aggregate privileges can't inherit other roles of any type. As most function and data security in job and abstract roles is provided by aggregate privileges, the role hierarchy has few levels. This flat hierarchy is easy to manage.

Use of Aggregate Privileges in Custom Roles

You can include aggregate privileges in the role hierarchy of a custom role. Treat aggregate privileges as role building blocks.

Creating, Editing, or Copying Aggregate Privileges

You can't create, edit, or copy aggregate privileges, nor can you grant the privileges from an aggregate privilege to another role. The purpose of an aggregate privilege is to grant a function security privilege only in combination with a specific data security policy. Therefore, you must use the aggregate privilege as a single entity.

If you copy a job or abstract role, then the source role's aggregate privileges are never copied. Instead, role membership is added automatically to the aggregate privilege for the copied role.

Guidelines for Configuring Security

If the predefined security reference implementation doesn't fully represent your enterprise, then you can make changes. For example, the predefined Line Manager abstract role includes compensation management privileges. If some of your line managers don't handle compensation, then you can create a line manager role without those privileges. To create a role, you can either copy an existing role or create a role from scratch.

During implementation, you evaluate the predefined roles and decide whether changes are needed. You can identify predefined roles easily by their role codes, which all have the prefix ORA_. For example, the role code of the Payroll Manager job role is ORA_PAY_PAYROLL_MANAGER_JOB. All predefined roles are granted many function security privileges and data security policies. They also inherit aggregate privileges and duty roles. To make minor changes to a role, copying and editing the predefined role is the more efficient approach. Creating roles from scratch is most successful when the role has very few privileges and you can identify them easily.

Missing Enterprise Jobs

If jobs exist in your enterprise that aren't represented in the security reference implementation, then you can create your own job roles. Add aggregate privileges and duty roles to custom job roles, as appropriate.

Predefined Roles with Different Privileges

If the privileges for a predefined job role don't match the corresponding job in your enterprise, then you can create your own role. If you copy the predefined role, then you can edit the copy. You can add or remove aggregate privileges, duty roles, function security privileges, and data security policies, as appropriate.

Predefined Roles with Missing Privileges

If the privileges for a job aren't defined in the security reference implementation, then you can create your own duty roles. However, the typical implementation doesn't use custom duty roles. You can't create aggregate privileges.

Options for Reviewing Predefined Roles

This topic describes some of the ways in which you can access information about predefined roles. This information can help you to identify which users need each role and whether to make any changes before provisioning roles.

The Security Console

On the Security Console, you can:

  • Review the role hierarchy of any job, abstract, or duty role.

  • Extract the role hierarchy to a spreadsheet.

  • Identify the function security privileges and data security policies granted to a role.

  • Compare roles to identify differences.

Tip: The role codes of all predefined roles have the prefix ORA_.

Reports

You can run the User and Role Access Audit Report. This XML-format report identifies the function security privileges and data security policies for a specified role, all roles, a specified user, or all users.

The Security Reference Manuals

Two manuals describe the security reference implementation for Oracle HCM Cloud users:

  • The Security Reference for Oracle Applications Cloud includes descriptions of all predefined security data that's common to Oracle Fusion Applications.

  • The Security Reference for Oracle HCM Cloud includes descriptions of all predefined security data for Oracle HCM Cloud.

Both manuals contain a section for each predefined job and abstract role. For each role, you can review its:

  • Duty roles and aggregate privileges

  • Role hierarchy

  • Function security privileges

  • Data security policies

You can access the security reference manuals on docs.oracle.com.

Oracle Fusion Applications Security Console

The Oracle Fusion Applications Security Console is an easy-to-use administrative work area where you perform most security-management tasks. This topic introduces the Security Console and describes how to access it.

Security Console Functions

Use the Security Console to:

  • Review role hierarchies and role analytics.

    Note: You can review HCM data roles on the Security Console. However, you must manage them on the Manage Data Roles and Security Profiles page.

  • Create and manage custom job, abstract, and duty roles.

  • Review the roles assigned to users.

  • Create and manage implementation users and their roles.

  • Compare roles.

  • Simulate the Navigator for a user or role.

  • Create and manage user categories.

  • Manage the default format of user names and the password policy for each user category.

  • Manage notifications for user-lifecycle events, such as password expiration, for each user category.

  • Manage PGP and X.509 certificates for data encryption and decryption.

  • Set up federation, and synchronize user and role information between Oracle Fusion Applications Security and Microsoft Active Directory, if appropriate.

Accessing the Security Console

You must have the IT Security Manager job role to access the Security Console. You open the Security Console by selecting the Security Console work area. These tasks, performed in the Setup and Maintenance work area, also open the Security Console:

  • Create Implementation Users

  • Manage Applications Security Preferences

  • Manage Duties

  • Manage Job Roles

  • Revoke Data Role from Implementation Users