16 HCM Data Roles and Security Profiles

HCM data roles combine a job role with the data that users with the role must access. You identify the data in security profiles. As data roles are specific to the enterprise, no predefined HCM data roles exist.

To create an HCM data role, you perform the Assign Security Profiles to Role task in the Setup and Maintenance work area. After implementation, you can also perform this task in the Workforce Structures work area. The Assign Security Profiles to Role task opens the Manage Data Roles and Security Profiles page. You must have the IT Security Manager job role to perform this task.

Job Role Selection

When you create an HCM data role, you include a job role. The secured HCM object types that the job role accesses are identified automatically, and sections for the appropriate security profiles appear.

For example, if you select the job role Human Resource Analyst, then sections for managed person, public person, organization, position, LDG, document type, and payroll flow appear. You select or create security profiles for those object types in the HCM data role.

If you select a job role that doesn't access objects secured by security profiles, then you can't create an HCM data role.

Note: You must ensure that the job role doesn't have directly assigned security profiles. Search for the job role on the Manage Data Roles and Security Profiles page. In the search results, confirm that no check mark appears in the Security Profiles Assigned column. If security profiles are assigned to the job role, then you must revoke them before including the job role in an HCM data role. You can reassign the security profiles to the job role after creating the HCM data role.

Security Profiles

For each object type, you can include only one security profile in an HCM data role.

Components of the HCM Data Role

The following figure summarizes the components of an HCM data role.

The job role that you select in the HCM data role is granted many function security privileges and data security policies directly. It also inherits many aggregate privileges, and may inherit some duty roles. Each aggregate privilege or duty role has its own function security privileges and related data security policies. Relevant HCM object types are identified automatically from the data security policies that the job role is granted either directly or indirectly. The specific instances of the objects required by this HCM data role are identified in security profiles and stored in a data instance set. This figure shows these components of the HCM data role.

Figure description: This figure shows the relationships between the components of the HCM Data Role. It shows that the job role is granted function security privileges and data security policies both directly and indirectly. The job role is granted them indirectly from aggregate privileges and duty roles. The job role's data security policies identify the HCM objects that the HCM data role can access. The security profiles assigned to the HCM data role identify the specific instances of those objects that the HCM data role can access. Those specific object instances are the HCM data role's data instance set.

For example, the human resource specialist job role inherits the Manage Work Relationship and Promote Worker aggregate privileges, among many others. The aggregate privileges provide both function security privileges, such as Manage Work Relationship and Promote Worker, and access to objects, such as Assignment. Security profiles identify specific instances of those objects for the HCM data role, such as persons with assignments in a specified legal employer.

Security profiles identify instances of Human Capital Management (HCM) objects. For example, a person security profile identifies one or more Person objects, and a payroll security profile identifies one or more Payroll objects. This topic describes how to create and use security profiles and identifies the HCM objects that need them. To manage security profiles, you must have the IT Security Manager job role.

Use of HCM Security Profiles

You include security profiles in HCM data roles to identify the data that users with those roles can access. You can also assign security profiles directly to abstract roles, such as employee. However, you're unlikely to assign them directly to job roles, because users with the same job role usually access different sets of data. You're recommended not to assign security profiles directly to job roles.

HCM Object Types

You can create security profiles for the following HCM object types:

  • Country

  • Document Type

  • Job Requisition

  • Legislative Data Group (LDG)

  • Organization

  • Payroll

  • Payroll Flow

  • Person

    • Managed Person

    • Public Person

  • Position

  • Transaction

Two uses exist for the person security profile because many users access two distinct sets of people.

  • The Managed Person security profile identifies people you can perform actions against.

  • The Public Person security profile identifies people you can search for in the worker directory.

    This type of security profile also secures some lists of values. For example, the Change Manager and Hire pages include a person list of values that the public person security profile secures. The person who's selecting the manager for a worker may not have view access to that manager through a managed person security profile.

Predefined security profiles provide view-all access to secured objects. For example, the View All Positions security profile provides access to all positions in the enterprise.

Security Criteria in HCM Security Profiles

In a security profile, you specify the criteria that identify data instances of the relevant type. For example, in an organization security profile, you can identify organizations by organization hierarchy, classification, or name. All criteria in a security profile apply. For example, if you identify organizations by both organization hierarchy and classification, then only organizations that satisfy both criteria belong to the data instance set.

Access to Future-Dated Objects

By default, users can't access future-dated organization, position, or person objects.

Enable access to future-dated objects as follows:

  • For organizations, select the Include future organizations option in the organization security profile

  • For positions, select the Include future positions option in the position security profile

  • For person records, select the Include future people option in the person security profile

Tip: The predefined View All Workers security profile doesn't provide access to future-dated person records. The predefined View All People security profile, which provides access to all person records, including those of contacts, does provide access to future-dated records.

Security Profile Creation

You can create security profiles either individually or while creating an HCM data role. For standard requirements, it's more efficient to create the security profiles individually and include them in appropriate HCM data roles.

To create security profiles individually, use the relevant security profile task. For example, to create a position security profile, use the Manage Position Security Profile task in the Setup and Maintenance or Workforce Structures work area.

Reuse of Security Profiles

Regardless of how you create them, all security profiles are reusable.

You can include security profiles in other security profiles. For example, you can include an organization security profile in a position security profile to secure positions by department or business unit. One security profile inherits the data instance set defined by another.

Predefined HCM Security Profiles

The Oracle Human Capital Management Cloud security reference implementation includes the predefined HCM security profiles shown in this table.

Security Profile Name | Security Profile Type | Data Instance Set
View All Countries | Country | All countries in the FND_TERRITORIES table
View All Document Types | Document Type | All administrator-defined document types in the enterprise
View All Flows | Payroll Flow | All payroll flows in the enterprise
View All Job Requisitions | Job Requisition | All job requisitions in the enterprise
View All Legislative Data Groups | LDG | All LDGs in the enterprise
View All Organizations | Organization | All organizations in the enterprise
View All Payrolls | Payroll | All payrolls in the enterprise
View All People | Person | All person records in the enterprise
View All Positions | Position | All positions in the enterprise
View All HCM Transactions | Transaction | All HCM transactions on the Transaction Console
View All Transactions | Transaction | All transactions on the Transaction Console
View All Workers | Person | The person records of all people with currently active or suspended assignments in the enterprise
View Manager Hierarchy | Person | The signed-in user's line manager hierarchy
View Own Record | Person | The signed-in user's own person record and the person records of that user's contacts

You can include the predefined security profiles in any HCM data role, but you can't edit them. The View all option is disabled in any security profile that you create. This restriction exists because predefined security profiles meet this requirement.

In this example, you create an HCM data role that you can assign to all human resource (HR) specialists in Vision Corporation. The data role lets HR specialists access person records based on their areas of responsibility. For example, an HR specialist could be the human resources representative for the Vision Canada legal employer. Using this data role, the HR specialist could access person records for workers in Vision Canada.

Before You Start

You need to do a couple of things first:
  1. Define an area of responsibility for each HR specialist. Select the Human resources representative responsibility type and set the scope to the relevant legal employer, for example, Vision Canada.

  2. Check that security profiles aren't assigned directly to the Human Resource Specialist job role. If they are, then you must remove them. Otherwise, the HR specialist's access to person records may not be as expected.

Create the HCM Data Role

Let's look at how you enter the key values for this data role. For other fields, you can use the default values.
  1. Select Navigator > My Client Groups > Workforce Structures.

  2. On the Tasks panel tab of the Workforce Structures work area, select Manage Data Roles and Security Profiles.

  3. In the Search Results section of the Manage Data Roles and Security Profiles page, click Create.

  4. On the Create Data Role: Select Role page, enter these values.

    Field | Value
    Data Role | Legal Employer HR Specialist
    Job Role | Human Resource Specialist

  5. Click Next to open the Create Data Role: Security Criteria page.

Specify Security Criteria for Each Secured Object

  1. In the Person section, enter these values.

    Field | Value
    Person Security Profile | Create New
    Name | Workers by Legal Employer

  2. Select Secure by area of responsibility.

  3. For all other security profiles, select a supplied View All profile. For example, in the Public Person section select View All People, and in the Position section, select View All Positions.

  4. Click Next until you reach the Assign Security Profiles to Role: Person Security Profile page.

Create the Person Security Profile

  1. In the Area of Responsibility section, select Secure by area of responsibility if it isn't already selected.

  2. Enter these values.

    Field | Value
    Responsibility Type | Human resources representative
    Scope of Responsibility | Legal employer

  3. Click Review to open the Create Data Role: Review page.

Review and Submit the HCM Data Role

  1. Review the HCM data role.

  2. Click Submit.

  3. On the Manage Data Roles and Security Profiles page, you can search for the new HCM data role to confirm that it was created successfully. When the role's status is Complete, you can assign the role to your HR specialists.

Planning your use of HCM data roles and security profiles helps minimize maintenance and eases their introduction in your enterprise. This topic suggests some approaches.

Minimizing Numbers of Data Roles and Security Profiles

Secure access to person records based on a user's areas of responsibility whenever possible. Using this approach, you can:

  • Reduce dramatically the number of HCM data roles and security profiles that you must manage.

  • Avoid the performance problems that can occur with large numbers of HCM data roles.

Identifying Standard Requirements

Most enterprises are likely to have some standard requirements for data access. For example, multiple HCM data roles may need access to all organizations in a single country. If you create an organization security profile that provides this access, then you can include it in multiple HCM data roles. This approach simplifies the management of HCM data roles and security profiles, and may also prevent the creation of duplicate security profiles.

Naming HCM Data Roles and Security Profiles

You're recommended to define and use a naming scheme for HCM data roles and security profiles.

A security profile name can identify the scope of the resulting data instance set. For example, the position security profile name All Positions Sales Department conveys that the security profile identifies all positions in the Sales Department.

An HCM data role name can include both the name of the inherited job role and the data scope. For example, the HCM data role Human Resource Specialist Legal Employer identifies both the job role and the role scope. HCM data role names must contain fewer than 55 characters.

Planning Data Access for Each HCM Data Role

An HCM data role can include only one security profile of each type. For example, you can include one organization security profile, one managed person security profile, and one public person security profile. Therefore, you must plan the requirements of any HCM data role to ensure that each security profile identifies all required data instances. For example, if a user accesses both legal employers and departments, then the organization security profile must identify both types of organizations.

Providing Access to All Instances of an Object

To provide access to all instances of an HCM object, use the appropriate predefined security profile. For example, to provide access to all person records in the enterprise, use the predefined security profile View All People.

Auditing Changes to HCM Data Roles and Security Profiles

A user with the Application Implementation Consultant job role can enable audit of changes to HCM data roles and security profiles for the enterprise.

Regenerate Security Profiles

Occasionally, a new feature requires you to update certain types of your existing custom security profiles before you can use the feature. You only need to regenerate a security profile when a new feature requires it. The What's New documentation for a release tells you when regenerating security profiles is necessary.

Regenerating Security Profiles Individually

You can regenerate a single security profile by editing the profile and then saving it. For example, if you need to regenerate a custom document type security profile, use the Edit Document Type Security Profiles page to make a minor update to the definition of the security profile and then save it.

Regenerating Multiple Security Profiles

You can use the Regenerate Data Security Profiles process to regenerate all of your custom security profiles for any of the following security profile types:

  • Person security profiles

  • Legislative data group (LDG) security profiles

  • Organization security profiles

  • Position security profiles

You only need to run this process when it's required for a new feature. To run the Regenerate Data Security Profiles process, follow these steps:

  1. Sign in with the following roles or privileges:

    • IT Security Manager

    • Human Capital Management Application Administrator

  2. Open the Scheduled Processes work area.

  3. In the Scheduled Processes work area, click Schedule New Process.

  4. In the Schedule New Process dialog box, search for and select the Regenerate Data Security Profiles process.

  5. Click OK.

  6. In the Process Details dialog box, select the type of security profiles to regenerate.

  7. Click Submit.

The generated log file lists the name of each regenerated security profile, along with a time stamp so you know how long it took to regenerate each security profile.

Note: You should not schedule this process, as that could lead to unintended changes in the data. If you used the Security Console to update a condition that was generated for a security profile, this process will overwrite that custom SQL definition according to how it's defined on the respective security profile page.

Role Delegation

Role delegation is the assignment of a role from one user, known as the delegator, to another user, known as the proxy. The delegation can be either for a specified period, such as a planned absence, or indefinite.

You can delegate roles in the Roles and Approvals Delegated to Others section on the Manage User Account page. Select Navigator > Me > Roles and Delegations.

Actions Enabled by Delegation

The proxy user can perform the tasks of the delegated role on the relevant data. For example, a line manager can manage absence records for his or her reports. If that manager delegates the line manager role, then the proxy can also manage the absence records of the delegator's reports. The delegator doesn't lose the role while it's delegated.

The proxy user signs in using his or her own user name, but has extra function and data privileges from the delegated role.

Proxy Users

You can delegate roles to any user whose details you can access by means of a public person security profile. This security profile typically controls access to person details in the worker directory.

Roles That You Can Delegate

You can delegate any role that you have currently, provided that the role is enabled for delegation.

Note: The role may have been autoprovisioned to you based on your assignment attributes. If the relevant assignment has a future termination date, then you can't delegate the role. This restriction doesn't apply to the proxy user, whose assignments can have future-dated terminations.

You can also delegate any role that you can provision to other users, provided that the role is enabled for delegation. By delegating roles rather than provisioning them to a user, you can:

  • Specify a limited period for the delegation.

  • Enable the proxy user to access your data.

If you have the Human Resource Specialist job role, you can use the Manage User Account page to delegate roles that are allowed for delegation on behalf of another selected user. The proxy user can see all delegations and who made them on their user account page, but they can't edit or delete delegations performed by others.

Duplicate Roles

If the proxy user already has the role, then the role isn't provisioned again. However, the proxy user gains access to the data that's accessible using the delegator's role.

For example, you may delegate the line manager role to a proxy user who already has the role. The proxy user can access both your data (for example, your manager hierarchy) and his or her own data while the role is delegated. The proxy's My Account page shows the delegated role in the Roles Delegated to Me section, even though only data access has been delegated.

Delegation from Multiple Delegators

Multiple users can delegate the same role to the same proxy for overlapping periods. If the proxy user already has the role, then the role isn't provisioned again. However, the proxy can access the data associated with the delegated roles. For example, three line managers delegate the line manager role to the same proxy for the following periods:

  • Manager 1, January and February

  • Manager 2, February and March

  • Manager 3, January through April

This table shows by month which manager hierarchies the proxy can access.

Month | Manager 1 Hierarchy | Manager 2 Hierarchy | Manager 3 Hierarchy
January | Yes | No | Yes
February | Yes | Yes | Yes
March | No | Yes | Yes
April | No | No | Yes

For example, the proxy can access the hierarchies of all three managers in February. If the proxy is a line manager, then the proxy can access his or her own manager hierarchy in addition to those from other managers.

Note: A single delegator can't delegate the same role to the same proxy more than once for overlapping periods.
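An added Python model (not Oracle's code) of the delegation rules above: access to each delegator's hierarchy follows the active delegation periods, a proxy who already holds the role isn't provisioned again but keeps their own hierarchy, and one delegator can't delegate the same role to the same proxy twice for overlapping periods. The three managers' periods are taken from the table; the year, names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Delegation:
    delegator: str
    proxy: str
    role: str
    start: date
    end: Optional[date]   # None = no end date entered, so the delegation is indefinite

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)

    def overlaps(self, other: "Delegation") -> bool:
        # Two closed periods overlap unless the later one starts after the earlier one ends;
        # an indefinite delegation has no end, so only the dated ends can rule overlap out.
        latest_start = max(self.start, other.start)
        ends = [e for e in (self.end, other.end) if e is not None]
        return not ends or latest_start <= min(ends)


def validate_new_delegation(existing: Iterable[Delegation], new: Delegation) -> None:
    """Reject a second delegation of the same role from the same delegator to the same
    proxy for an overlapping period. Different delegators may overlap freely."""
    for d in existing:
        same_triple = (d.delegator, d.proxy, d.role) == (new.delegator, new.proxy, new.role)
        if same_triple and d.overlaps(new):
            raise ValueError(f"{new.delegator} already delegates {new.role} to {new.proxy} "
                             f"for an overlapping period ({d.start} to {d.end or 'indefinite'})")


def provisioning_needed(proxy: str, role: str, own_roles: Dict[str, Set[str]]) -> bool:
    """The role is provisioned to the proxy only if the proxy doesn't already have it."""
    return role not in own_roles.get(proxy, set())


def accessible_hierarchies(delegations: Iterable[Delegation], proxy: str, role: str,
                           day: date, own_roles: Dict[str, Set[str]]) -> Set[str]:
    """Whose manager hierarchy the proxy can see on `day`: every delegator with an active
    delegation of `role`, plus the proxy's own hierarchy if the proxy already holds the role."""
    visible = {d.delegator for d in delegations
               if d.proxy == proxy and d.role == role and d.active_on(day)}
    if not provisioning_needed(proxy, role, own_roles):
        visible.add(proxy)
    return visible


# Constructed sample: the three managers from the table, delegating during 2024.
ROLE = "Line Manager"
DELEGATIONS: List[Delegation] = [
    Delegation("Manager 1", "Proxy", ROLE, date(2024, 1, 1), date(2024, 2, 29)),  # Jan-Feb
    Delegation("Manager 2", "Proxy", ROLE, date(2024, 2, 1), date(2024, 3, 31)),  # Feb-Mar
    Delegation("Manager 3", "Proxy", ROLE, date(2024, 1, 1), date(2024, 4, 30)),  # Jan-Apr
]
OWN_ROLES: Dict[str, Set[str]] = {"Proxy": set()}  # use {ROLE} for a proxy who is a line manager


def access_by_month(year: int = 2024) -> Dict[str, Set[str]]:
    """Reproduce the page's month-by-month table, checked on the 15th of each month."""
    months = ["January", "February", "March", "April"]
    return {name: accessible_hierarchies(DELEGATIONS, "Proxy", ROLE, date(year, i + 1, 15), OWN_ROLES)
            for i, name in enumerate(months)}


if __name__ == "__main__":
    for month, who in access_by_month().items():
        print(month, sorted(who))
```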

Role Delegation Dates

You can enter both start and end dates or a start date only.

  • If the start date is today's date, then the delegation is immediate.

  • If the start and end dates are the same, then the delegation is immediate on the start date. A request to end the delegation is generated on the same date and processed when the Send Pending LDAP Requests process next runs.

  • If the start and end dates are different and in the future, then requests to start and end delegation are generated on the relevant dates. They're processed when Send Pending LDAP Requests runs on those dates.

  • If you change a delegation date to today's date, then the change is immediate if the start and end dates are different. If they're the same, then a request to end the delegation is generated and processed when Send Pending LDAP Requests next runs.

  • If you enter no end date, then the delegation is indefinite.

Role delegation ends automatically if the proxy user's assignment is terminated.

Limit the Delegation Duration

You can specify the maximum duration, in days, of role delegations using a predefined profile option. Once specified, the end date for a role delegation is required. If users try to save a role delegation without setting a valid end date, then an error message alerts them to the latest allowable end date.

To set the profile option, follow these steps:

  1. In the Setup and Maintenance work area, use the Manage Administrator Profile Values task.

  2. On the Manage Administrator Profile Values page, enter PER_USER_DELEGATION_MAX_DAYS in the Profile Option Code field and click Search.

  3. In the Profile Values section of the search results, enter the number of days for the duration of delegation in the Profile Value field.

  4. Click Save and Close.

The default profile value is 0, which specifies that the end date for a role delegation is not validated.

Configure Access to List of Proxy Users in Role Delegation

The data security policies that contain the Choose Proxy for Role Delegation privilege secure the list of values using the public person security profile. By default, the list of values shows the people in that public person security profile. In this example, you learn how to create a data security policy to limit the list of values to a user's peers and management hierarchy.

The following table summarizes key decisions for this scenario.

Decisions to Consider | In This Example
What is the name and display name of the database resource condition for proxy users? | Name: Peers and Above; Display Name: Peers and Above
How will the database resource conditions be specified? | SQL predicate
Which workers should appear in the list of proxy users? | The peers and management hierarchy of the delegator.

Summary of the Tasks

Enable access to a restricted list of proxy users by:

  1. Creating a database resource condition.

  2. Editing a data security policy on the Employee role to reference the new database resource condition.

Create a Database Resource Condition

You create a database resource condition that you will include in a data security policy.
  1. Select Navigator > Tools > Security Console.

  2. On the Security Console, click the Administration tab.

  3. On the General subtab, click Manage Database Resources.

  4. On the Manage Database Resources and Policies page, enter PER_PERSONS in the Object Name field and click Search.

  5. In the Search Results section, click the Edit icon.

  6. On the Edit Data Security: PER_PERSONS page, click the Condition tab.

  7. On the Condition tab, click the Create icon.

  8. In the Create Database Resource Condition dialog box, complete the fields as shown in the following table:

    Field | Value
    Name | Peers and Above
    Display Name | Peers and Above
    Condition Type | SQL predicate

    In the SQL Predicate field, enter the following statement:

    &TABLE_ALIAS.PERSON_ID in (
      select manager_id
      from per_manager_hrchy_dn
      where person_id = NVL(HRC_SESSION_UTIL.GET_USER_PERSONID, -1)
        and trunc(sysdate) between effective_start_date and effective_end_date
        and manager_type = 'LINE_MANAGER'
      UNION
      select b.person_id
      from per_assignment_supervisors_f a, per_assignment_supervisors_f b
      where a.person_id = NVL(HRC_SESSION_UTIL.GET_USER_PERSONID, -1)
        and trunc(sysdate) between a.effective_start_date and a.effective_end_date
        and a.manager_type = 'LINE_MANAGER'
        and a.manager_type = b.manager_type
        and a.manager_id = b.manager_id
        and a.person_id != b.person_id
        and trunc(sysdate) between b.effective_start_date and b.effective_end_date
    )

  9. Click Save.
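To check what the Peers and Above predicate admits before granting it, here is an added Python model of its two branches (not Oracle's code) run over constructed rows shaped like per_manager_hrchy_dn and per_assignment_supervisors_f; the row fields, person IDs and dates are assumptions, and the model reproduces the predicate's NVL(-1) default, manager_type filter, date-effectiveness and self-exclusion.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional, Set


# Constructed row shapes: only the columns the page's SQL predicate reads.
@dataclass(frozen=True)
class HrchyRow:            # a row of per_manager_hrchy_dn (denormalized manager chain)
    person_id: int
    manager_id: int
    manager_type: str
    effective_start_date: date
    effective_end_date: date


@dataclass(frozen=True)
class SupervisorRow:       # a row of per_assignment_supervisors_f
    person_id: int
    manager_id: int
    manager_type: str
    effective_start_date: date
    effective_end_date: date


def _effective(row, today: date) -> bool:
    # trunc(sysdate) between effective_start_date and effective_end_date
    return row.effective_start_date <= today <= row.effective_end_date


def peers_and_above(session_person_id: Optional[int],
                    hrchy: Iterable[HrchyRow],
                    supervisors: Iterable[SupervisorRow],
                    today: date) -> Set[int]:
    """Return the PERSON_IDs the 'Peers and Above' condition admits for the signed-in user."""
    # NVL(HRC_SESSION_UTIL.GET_USER_PERSONID, -1): no session person becomes -1, which matches nothing
    me = -1 if session_person_id is None else session_person_id

    # Branch 1: every line manager in my denormalized hierarchy (direct manager and above)
    above = {r.manager_id for r in hrchy
             if r.person_id == me and r.manager_type == 'LINE_MANAGER' and _effective(r, today)}

    # Branch 2: self-join of per_assignment_supervisors_f: rows b whose manager_type and
    # manager_id match one of my current line-manager rows a, excluding my own row
    my_line_managers = {(a.manager_type, a.manager_id) for a in supervisors
                        if a.person_id == me and a.manager_type == 'LINE_MANAGER'
                        and _effective(a, today)}
    peers = {b.person_id for b in supervisors
             if (b.manager_type, b.manager_id) in my_line_managers
             and b.person_id != me and _effective(b, today)}
    return above | peers


def condition_allows(candidate_person_id: int, session_person_id: Optional[int],
                     hrchy: Iterable[HrchyRow], supervisors: Iterable[SupervisorRow],
                     today: date) -> bool:
    """The predicate as evaluated per PER_PERSONS row: &TABLE_ALIAS.PERSON_ID in (...)."""
    return candidate_person_id in peers_and_above(session_person_id, hrchy, supervisors, today)


# Constructed sample data (IDs invented): 100 reports to 200, who reports to 300.
# 101 is a current peer of 100; 102 shared the manager last year only; 400 is unrelated.
FOREVER = date(4712, 12, 31)
TODAY = date(2024, 6, 1)
HRCHY = [
    HrchyRow(100, 200, 'LINE_MANAGER', date(2020, 1, 1), FOREVER),
    HrchyRow(100, 300, 'LINE_MANAGER', date(2020, 1, 1), FOREVER),
    HrchyRow(100, 500, 'PROJECT_MANAGER', date(2020, 1, 1), FOREVER),  # wrong manager_type
    HrchyRow(200, 300, 'LINE_MANAGER', date(2020, 1, 1), FOREVER),
]
SUPERVISORS = [
    SupervisorRow(100, 200, 'LINE_MANAGER', date(2020, 1, 1), FOREVER),
    SupervisorRow(101, 200, 'LINE_MANAGER', date(2021, 1, 1), FOREVER),
    SupervisorRow(102, 200, 'LINE_MANAGER', date(2019, 1, 1), date(2023, 12, 31)),  # expired
    SupervisorRow(200, 300, 'LINE_MANAGER', date(2020, 1, 1), FOREVER),
    SupervisorRow(400, 600, 'LINE_MANAGER', date(2020, 1, 1), FOREVER),
]

if __name__ == "__main__":
    print(sorted(peers_and_above(100, HRCHY, SUPERVISORS, TODAY)))  # [101, 200, 300]
```

Note that the condition never admits the signed-in user's own PERSON_ID (a.person_id != b.person_id and the user is not their own manager), so the proxy list excludes the delegator.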

Edit the Data Security Policy Granted to the Employee Abstract Role

Edit the Employee role, or your own custom Employee role, so the data security policy references the new database resource condition.
  1. Click the Roles tab on the Security Console.

  2. Search for and select the Employee role.

  3. In the search results, select Edit Role on the role's Actions menu.

  4. On the Basic Information page, click the Data Security Policies train stop.

  5. In the Privilege search field, enter Choose Proxy and press Enter.

  6. In the row containing the specified privilege for the Public Person data resource, select Edit Data Security Policy on the Actions Menu.

  7. In the Edit Data Security Policy dialog box, select Select by instance set in the Data Set field.

  8. In the Condition Name field, select the Peers and Above condition.

  9. Confirm that the Actions field is set to Choose Proxy for Role Delegation.

  10. Click OK to close the Edit Data Security Policy dialog box.

  11. Select the Summary train stop, and click Save and Close.

By default, delegation isn't enabled for any predefined HCM job or abstract role. You can change the delegation setting of any predefined HCM role, except the Employee and Contingent Worker abstract roles. You can also enable delegation for HCM data roles, custom job roles, and custom abstract roles.

This topic describes how to manage role delegation. You can use:

  • The Assign Security Profiles to Role task in the Setup and Maintenance work area

  • The Manage Data Roles and Security Profiles task in the Workforce Structures work area

You must have the IT Security Manager job role to manage role delegation.

Delegation of HCM Data Roles

When you create an HCM data role, you can indicate whether delegation is allowed on the Create Data Role: Select Role page.

When you edit an HCM data role, you can change the delegation setting on the Edit Data Role: Role Details page. If you deselect the Delegation Allowed option, then currently delegated roles aren't affected.

You can delegate HCM data roles in which access to person records is managed using custom criteria. However, the SQL predicate in the Custom Criteria section of the person security profile must handle the delegation logic.

Delegation of Custom Job and Abstract Roles

If you create an abstract role, then you can enable it for delegation when you assign security profiles to it directly. To assign security profiles to abstract roles, you perform the Assign Security Profiles to Role task. On the Edit Data Role: Role Details page, you select Delegation Allowed. As soon as you submit the role, delegation is enabled.

Note: You can't delegate access to your own record. For example, you may assign the predefined View Own Record security profile to your custom role. Alternatively, you may create a person security profile that enables access to your own record and assign it to your custom role. In both cases, you can enable the role for delegation. Although the role itself can be delegated, access to your record isn't delegated. However, the delegated role can provide access to other data instances.

You can enable custom job roles for delegation in the same way, but you're unlikely to assign security profiles to them directly. Typically, job roles are inherited by HCM data roles, which you can enable for delegation.

Assign Security Profiles to Job and Abstract Roles

To give users access to data, you usually create HCM data roles, which inherit job roles. However, you can also assign security profiles directly to job and abstract roles. You're most likely to assign security profiles to abstract roles, such as Employee, to provide the data access that all employees need. For example, all employees must have access to the worker directory. You're less likely to assign security profiles to job roles, as users with the same job role typically access different data instances.

This topic describes how to:

  • Assign security profiles directly to a job or abstract role.

  • Remove security profiles from a job or abstract role.

Assign Security Profiles to Roles

You can assign security profiles to both predefined and custom job and abstract roles. Follow these steps to assign security profiles to a role:

  1. In the Setup and Maintenance work area, go to the following:

    • Functional Area: Users and Security

    • Task: Assign Security Profiles to Role

  2. On the Manage Data Roles and Security Profiles page, search for the job or abstract role.

  3. In the search results, select the role and click Edit.

  4. On the Edit Data Role: Role Details page, click Next.

  5. On the Edit Data Role: Security Criteria page, select the security profiles that you want to assign to the role.

  6. Click Review.

  7. On the Edit Data Role: Review page, click Submit.

On the Manage Data Roles and Security Profiles page, search for the role again. In the search results, confirm that the Assigned icon, a check mark, appears in the Security Profiles Assigned column. The Assigned icon confirms that security profiles are assigned to the role.

Note: The role to which you're assigning security profiles may be a copy of another role with security profiles assigned. In this case, no check mark appears in the Security Profiles Assigned column. However, a message warns you that the role already has data security policies from existing security profiles. The message suggests ways of removing these existing policies before proceeding. You're recommended to avoid this situation by revoking security profiles from roles before you copy them.

Revoke Security Profiles from Roles

You can remove security profiles that you assigned directly to a predefined or custom abstract or job role. For example, you may have assigned security profiles directly to a job role and included the job role in a data role later. In this case, users may have access to more data than you intended. Follow these steps to remove security profiles from a role:

  1. On the Manage Data Roles and Security Profiles page, search for the job or abstract role.

  2. In the search results, select the role and confirm that security profiles are currently assigned to the role.

  3. Click Revoke Security Profiles. All security profiles currently assigned directly to the role are revoked.

Note: To replace the security profiles in an HCM data role, edit the data role in the usual way. You can't use the Revoke Security Profiles button.

How You Preview HCM Data Security

On occasion, users may report problems with accessing secured data, such as person and organization records. As users typically have multiple roles, diagnosing these problems can be challenging. To help you with this task, you can use the Preview HCM Data Security interface in the Workforce Structures work area. Using this interface, you can analyze a user's data access based on all of his or her current roles and areas of responsibility. This topic explains how to use the Preview HCM Data Security interface.

Identifying the User

To start your analysis, you search for and select the user name. When you select the user, the following sections of the page are populated automatically.

Currently Assigned Roles: The job, abstract, and data roles that the user currently inherits directly. This section also identifies security profiles assigned to those roles.

Currently Assigned Areas of Responsibility: Details of the user's areas of responsibility, if any. You need this information when investigating access to person or position records if that access is secured by area of responsibility.

Session-Based Roles: The roles associated with the user's latest session. Both directly and indirectly inherited roles are listed. The user must have signed in at least once, as this information is taken from the user's latest session.

Identifying the Privileges

Most data-access problems are of one of the following types:

  • The user expects to access an instance of a secured object, such as a person record, but the record isn't found.

  • The user expects to perform an action, such as Promote Worker, but the action isn't available.

  • The user can access an instance of a secured object, such as a person record, but the record should not be accessible.

  • The user can perform an action, such as Promote Worker, but the action should not be available.

To investigate these types of problems, start by identifying what the user was trying to do. For example, the user may have found the required person record but couldn't select the Promote Worker action. You then identify the data security privilege and data resource that control this access. If you know the names of the data security privilege and data resource, then you can select them in the Access Based on Privilege section. Alternatively, you can search for the associated data security policy by aggregate privilege name, for example. When you select a value in the search results, the Privilege and Data Resource fields are completed automatically.

Previewing Access

When the fields in the Access Based on Privilege section are complete, you click Preview Access. The Access Verification section of the page is updated automatically to identify every instance of the data security policy that's granted to the user. In the Verify Access For field, you select the secured record that's the subject of this investigation and click Verify. For example, you select the person record of the person the user couldn't promote. The section is updated automatically to show:

  • The roles to which the data security policy is granted, and how the user inherits those roles

  • The security profiles, if any, assigned to those roles

  • Whether the roles make the record or action accessible to the user

This figure shows typical content of the Access Verification section. It shows that the user inherits the Line Manager role directly. The View Manager Hierarchy security profile is assigned directly to the Line Manager role, and this role makes the record accessible to the user. The figure also shows that the user inherits the Promote Worker role indirectly from the Line Manager role. With this role, the record isn't accessible to the user.

When you click an instance of the role name in the Access Verification section, you see data security policy details, including the SQL predicate. The information provided by all sections of the Preview HCM Data Security page should be sufficient for you to diagnose and resolve most data-access issues.
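The following Python model is an added example, not Oracle code and not the logic behind the Preview HCM Data Security page. It models only what the text above describes: data security policies granted to roles, roles inherited through a role hierarchy, at most one security profile per role, and a user who can reach a record through a policy if any role they hold makes it accessible. It serves two passages: the Revoke Security Profiles scenario (a job role with a directly assigned security profile that is later included in a data role, widening access) and the Access Verification rows (granting role, inheritance path, security profile, accessible or not). All role names, privilege names, profile rules and person records (ROLE_HIERARCHY, POLICIES, PROFILES, ROLE_PROFILES, PEOPLE, "HR Analyst EMEA", "EMEA Workers", and so on) are constructed sample data.

```python
"""Simplified model of HCM data-security verification (added example, not Oracle's code).

Assumptions, all hypothetical and chosen for illustration:
- a role inherits the roles listed for it in ROLE_HIERARCHY;
- a data security policy grants one (privilege, data resource) pair to roles;
- a role carries at most one security profile, modelled as a predicate;
- the user can reach a record if ANY role they hold makes it accessible.
"""
from collections import deque

# Role hierarchy: role -> roles it inherits (constructed sample data).
ROLE_HIERARCHY = {
    "HR Analyst EMEA": ["Human Resource Analyst"],  # HCM data role wrapping a job role
    "Human Resource Analyst": [],                   # job role
    "Line Manager": ["Promote Worker"],             # abstract role inheriting an aggregate privilege
    "Promote Worker": [],
}

# Data security policies: (privilege, data resource) -> roles granted the policy.
POLICIES = {
    ("Manage Person", "Person"): ["Human Resource Analyst"],
    ("Promote Worker", "Person"): ["Promote Worker"],
}

# Security profiles as predicates over (acting user, person record).
PROFILES = {
    "EMEA Workers": lambda actor, person: person["region"] == "EMEA",
    "View All Workers": lambda actor, person: True,
    "View Manager Hierarchy": lambda actor, person: person["manager"] == actor,
}

# Security profile assigned to each role (all Person profiles here).
# "View All Workers" on the job role is the mistake the text warns about.
ROLE_PROFILES = {
    "HR Analyst EMEA": "EMEA Workers",
    "Human Resource Analyst": "View All Workers",
    "Line Manager": "View Manager Hierarchy",
}

# Constructed person records keyed by a hypothetical person ID.
PEOPLE = {
    "p-emea": {"region": "EMEA", "manager": "mgr1"},
    "p-apac": {"region": "APAC", "manager": "mgr2"},
}


def inherited_roles(direct_roles):
    """Return {role: inheritance path} for every role held directly or by inheritance."""
    paths = {role: [role] for role in direct_roles}
    queue = deque(direct_roles)
    while queue:
        role = queue.popleft()
        for child in ROLE_HIERARCHY.get(role, []):
            if child not in paths:
                paths[child] = paths[role] + [child]
                queue.append(child)
    return paths


def verify_access(actor, direct_roles, privilege, resource, person_id,
                  role_profiles=ROLE_PROFILES):
    """Build Access Verification rows: one per (profile-bearing role, granting role)."""
    granted_to = POLICIES.get((privilege, resource), [])
    person = PEOPLE[person_id]
    rows = []
    for role, path in inherited_roles(direct_roles).items():
        profile = role_profiles.get(role)
        if profile is None:
            continue  # no security profile means no data instance set from this role
        # Policies granted to this role, or to any role it inherits, use this role's profile.
        for granting in inherited_roles([role]):
            if granting in granted_to:
                rows.append({
                    "role": role,
                    "inherited_via": " > ".join(path),
                    "granting_role": granting,
                    "security_profile": profile,
                    "accessible": PROFILES[profile](actor, person),
                })
    return {"accessible": any(row["accessible"] for row in rows), "rows": rows}


def revoke_security_profiles(role_profiles, role):
    """Model the Revoke Security Profiles button: drop the profile assigned directly to role."""
    return {r: p for r, p in role_profiles.items() if r != role}


if __name__ == "__main__":
    # An HR analyst holding only the EMEA data role can still reach an APAC worker,
    # because the job role inside the data role carries its own "View All Workers" profile.
    print(verify_access("hr1", ["HR Analyst EMEA"], "Manage Person", "Person", "p-apac"))
    fixed = revoke_security_profiles(ROLE_PROFILES, "Human Resource Analyst")
    print(verify_access("hr1", ["HR Analyst EMEA"], "Manage Person", "Person", "p-apac", fixed))
```

Reading the rows the way you would read the Access Verification section: before the revoke, the APAC record is accessible through the job role's directly assigned profile even though the data role's profile rejects it; after revoking the job role's profile, only the data role's row remains and the record is no longer reachable.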

Configure HCM Data Roles and Security Profiles for Audit

This procedure describes how to configure the attributes of HCM data roles and security profiles for audit. You must have the Application Implementation Consultant job role to perform this task.

  1. In the Setup and Maintenance work area, go to the following:

    • Functional Area: Application Extensions

    • Task: Manage Audit Policies

  2. On the Manage Audit Policies page, click Configure Business Object Attributes in the Oracle Fusion Applications section.

  3. On the Configure Business Object Attributes page, set Product to HCM Core Setup.

  4. In the Audit column of the table of business objects that appears, select an object. For example, select Person Security Profile or Data Role.

  5. In the Audited Attributes section of the page, a list of attributes for the object appears by default. Click Create.

    The Select and Add Audit Attributes dialog box opens.

  6. In the Select and Add Audit Attributes dialog box, you can update the default selection of attributes to audit. For example, you can deselect some attributes, if appropriate. Click OK to close the Select and Add Audit Attributes dialog box.

  7. Click Save and Close.

  8. On the Manage Audit Policies page, set Audit Level to Auditing in the Oracle Fusion Applications section.

  9. Click Save and Close.

Changes made from now on to the selected attributes of the object are audited. A user who has the Internal Auditor job role can review audited changes on the Audit Reports page.

HCM Data Roles Configuration Diagnostic Test

The HCM Data Roles Configuration diagnostic test verifies that the Manage HCM Data Roles task flow is configured successfully for a specified user.

To run the HCM Data Roles Configuration diagnostic test, select Settings and Actions > Run Diagnostics Tests.

Diagnostic Test Parameters

User Name

The test is performed for the specified user. The user doesn't have to be signed in while the test is running. However, the user must have signed in at least once, because the test uses details from the user's current or latest session.

HCM Security Profile Configuration Diagnostic Test

The HCM Security Profile Configuration diagnostic test verifies that the Manage Security Profiles task flows are configured successfully for a specified user.

To run the HCM Security Profile Configuration diagnostic test, select Settings and Actions > Run Diagnostics Tests.

Diagnostic Test Parameters

User Name

The test is performed for the specified user. The user doesn't have to be signed in while the test is running. However, the user must have signed in at least once, because the test uses details from the user's current or latest session.

HCM Securing Objects Metadata Diagnostic Test

The HCM Securing Objects Metadata diagnostic test validates securing-object metadata for the HCM securing objects.

To run the HCM Securing Objects Metadata diagnostic test, select Settings and Actions > Run Diagnostics Tests.

Diagnostic Test Parameters

Securing Object

Enter the name of an HCM securing object from the following list (securing object name: description):

PERSON: Person

LDG: Legislative Data Group

POSITION: Position

ORGANIZATION: Organization

PAYROLL: Payroll

FLOWPATTERN: Payroll Flow

DOR: Document Type

COUNTRY: Country

If you don't enter the name of a securing object, then the test applies to all securing objects.

FAQs for HCM Data Roles and Security Profiles

You can edit or replace the security profiles in an HCM data role. Saving your changes updates the relevant data instance sets. Users with this HCM data role find the updated data instance sets when they next sign in.

You can't change the HCM data role name or select a different job role. To make such changes, you create a new HCM data role and disable this HCM data role, if appropriate.

On the Create Role Mapping page, create a role mapping for the role.

Select the Autoprovision option to provision the role automatically to any user whose assignment matches the mapping attributes.

Select the Requestable option if any user whose assignment matches the mapping attributes can provision the role manually to other users.

Select the Self-Requestable option if any user whose assignment matches the mapping attributes can request the role.

If the security profile is in use, then saving your changes updates the security profile's data instance set. For example, if you remove a position from a position security profile, the position no longer appears in the data instance set. Users find the updated data instance set when they next access the data.

The security profile returns no data. For example, a user with an HCM data role that allows the user to update organization definitions would continue to access organization-related tasks. However, the user couldn't access organizations identified in a disabled organization security profile.

You can't disable a security profile that another security profile includes.

How can I diagnose any issues with HCM data roles and security profiles?

Run the diagnostic tests in the following list by selecting Settings and Actions > Run Diagnostics Tests (diagnostic test name: what it tests):

HCM Data Roles Configuration: Configuration of Manage HCM Data Roles for a user

HCM Data Role Detailed Information: Potential problems with a data role

HCM Security Profile Configuration: Configuration of Manage Security Profiles tasks for a user

HCM Security Profiles Detailed Information: Potential problems with security profiles of a type

HCM Securing Objects Metadata: Securing-object metadata