Duty Role Components

This topic describes the components of a typical duty role. You need to understand how duty roles are constructed if, for example, you plan to create duty roles.

Function security privileges and data security policies are granted to duty roles. Duty roles may also inherit aggregate privileges and other duty roles.

For example, the Workforce Structures Management duty role has the structure shown in this figure.

Figure: The structure of the Workforce Structures Management duty role

In addition to its aggregate privileges, the Workforce Structures Management duty role is granted many function security privileges and data security policies.

Duty roles include:

  • Policies for Data Security

  • Privileges for Function Security

  • Predefined Duty Roles

  • User-Defined Security Roles and Duties

  • Granting Portrait Gallery Access

Data Security Policies

Many data security policies are granted directly to the Workforce Structures Management duty role, including Manage Location, Manage Assignment Grade, and Manage HR Job. It also acquires data security policies indirectly, from its aggregate privileges.

Each data security policy combines:

  • The role to which the data security policy is granted. The role can be a duty role, such as Workforce Structures Management, job role, abstract role, or aggregate privilege.

  • A business object, such as assignment grade, that's being accessed. The data security policy identifies this resource by its table name, which is PER_GRADES_F for assignment grade.

  • The condition, if any, that controls access to specific instances of the business object. Conditions are usually specified for resources that you secure using HCM security profiles. Otherwise, business object instances can be identified by key values. For example, a user with the Workforce Structures Management duty role can manage all grades in the enterprise.

  • A data security privilege that defines permitted actions on the data. For example, Manage Assignment Grade is a data security privilege.

Function Security Privileges

Many function security privileges are granted directly to the Workforce Structures Management duty role, including Manage Location, Manage Assignment Grade, and Manage HR Job. It also acquires function security privileges indirectly, from its aggregate privileges.

Each function security privilege secures the code resources that make up the relevant pages, such as the Grades and Locations tasks. Some user interfaces aren't subject to data security, so some function security privileges have no equivalent data security policy.

Predefined Duty Roles

The predefined duty roles represent logical groupings of privileges that you may want to manage as a group. They also represent real-world groups of tasks. For example, the predefined Human Resource Specialist job role inherits the Workforce Structures Management duty role. To create a Human Resource Specialist job role with no access to workforce structures, you would:

  1. Copy the predefined job role.

  2. Remove the Workforce Structures Management duty role from the copy.
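The inheritance described in this topic and the two-step copy procedure above, modeled as an added example (not Oracle code and not an Oracle API). The names Example Aggregate Privilege and Example Other Duty, the EXAMPLE_TABLE policy, the "ALL" condition label, and the overlap on Manage Location are constructed; the model assumes a role's grants are the union of everything it inherits.

```python
import copy
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    function_privileges: set = field(default_factory=set)
    # Data security policies as (table, condition, data security privilege).
    data_policies: set = field(default_factory=set)
    inherits: list = field(default_factory=list)  # aggregate privileges, duty roles

def effective_grants(roles, name, seen=None):
    """Map every grant reachable from `name` to the roles that supply it."""
    seen = set() if seen is None else seen
    if name in seen:  # already expanded (shared parent or cycle)
        return {}
    seen.add(name)
    role, grants = roles[name], {}
    for priv in role.function_privileges:
        grants.setdefault(("function", priv), set()).add(name)
    for policy in role.data_policies:
        grants.setdefault(("data", *policy), set()).add(name)
    for parent in role.inherits:
        for grant, sources in effective_grants(roles, parent, seen).items():
            grants.setdefault(grant, set()).update(sources)
    return grants

def copy_without(roles, source, new_name, removed):
    """Copy a job role, then remove one inherited duty role from the copy."""
    clone = copy.deepcopy(roles[source])
    clone.name = new_name
    clone.inherits.remove(removed)
    roles[new_name] = clone
    return clone

def lost_grants(roles, before, after):
    """Grants the original role has that the copy no longer has."""
    return set(effective_grants(roles, before)) - set(effective_grants(roles, after))

WSM, HRS = "Workforce Structures Management", "Human Resource Specialist"
AGG, OTHER = "Example Aggregate Privilege", "Example Other Duty"  # constructed names
ROLES = {r.name: r for r in [
    Role(AGG, {"Example Aggregate Function"}, {("EXAMPLE_TABLE", "ALL", "Example Aggregate Data")}),
    Role(WSM, {"Manage Location", "Manage Assignment Grade", "Manage HR Job"},
         {("PER_GRADES_F", "ALL", "Manage Assignment Grade")}, [AGG]),
    Role(OTHER, {"Manage Location"}),  # constructed overlap with WSM
    Role(HRS, inherits=[WSM, OTHER]),
]}

if __name__ == "__main__":
    copy_without(ROLES, HRS, "HR Specialist Copy", WSM)
    for grant in sorted(lost_grants(ROLES, HRS, "HR Specialist Copy")):
        print("removed:", grant)
```

In this model the copy still reaches Manage Location through the second duty role, so an access review should compare the effective grants of the copied role rather than only its list of inherited roles.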

User-Defined Security Roles and Duties

You create security roles as needed for specific employees. One duty role to consider assigning is the Payroll Person Level Administration Duty. This duty role manages individual and group level payroll administration, including managing costing, payment methods, deductions, element entries, and batch data load.

For more information, see Cloud HCM Security Role Mappings (1556500.1) on My Oracle Support.

Granting Portrait Gallery Access

Employers creating employee roles must ensure they add the View US End of Year Tax Form privilege. This privilege is attached to the US Employee Portrait Gallery duty role, which grants employees access to the View End-of-Year Tax Form task on their Person Spotlight.