Configure Access to Lists of Incumbents and Candidates
In this example, you learn how to create an HCM data role that provides access to restricted lists of succession plan incumbents and candidates. Human resource (HR) specialists select incumbents and candidates for succession plans from lists of workers.
By default, the workers who appear in those lists are defined by the person security profile assigned to the HR specialist's data role. You may want to vary this access. For example, you may want to present lists of incumbents and candidates that are restricted in some way.
The following table summarizes key decisions for this scenario.
Decisions to Consider | In This Example
---|---
What's the name of the HCM data role? | HR Specialist - Restricted Incumbents and Candidates
What are the name and display name of the database resource condition for incumbents? | Incumbent List and Incumbent List Securing Condition
What are the name and display name of the database resource condition for candidates? | Candidate List and Candidate List Securing Condition
How will the database resource conditions be specified? | SQL predicate
Which workers should appear in the lists of incumbents and candidates for HR specialists? | Employees in the department for which the HR specialist has the human resources representative responsibility
What's the name of the data security policy for incumbents? | Restricted Access to Incumbents Policy
What's the name of the data security policy for candidates? | Restricted Access to Candidates Policy
Summary of the Tasks
Enable access to restricted lists of incumbents and candidates by:
- Creating an HCM data role
- Creating two database resource conditions
- Editing the HCM data role to end date existing data security policies
- Creating replacement data security policies for the HCM data role that reference the new database resource conditions
Create the HCM Data Role
You create an HCM data role with view-all access.
1. Sign in with the IT Security Manager role or privileges.
2. In the Setup and Maintenance work area, go to the following:
   - Offering: Workforce Development
   - Functional Area: Users and Security
   - Task: Assign Security Profiles to Role
3. On the Manage Data Roles and Security Profiles page, click Create.
4. On the Create Data Role: Select Role page, complete the fields as shown in this table.

   Field | Value
   ---|---
   Data Role | HR Specialist - Restricted Incumbents and Candidates
   Job Role | Human Resource Specialist

5. Click Next.
6. On the Create Role: Security Criteria page, select the security profiles shown in this table.

   Field | Value
   ---|---
   Organization Security Profile | View All Organizations
   Position Security Profile | View All Positions
   Country Security Profile | View All Countries
   LDG Security Profile | View All Legislative Data Groups
   Person Security Profile (Person) | View All Workers
   Person Security Profile (Public Person) | View All People
   Document Type Security Profile | View All Document Types
   Payroll Security Profile | View All Payrolls
   Flow Pattern Security Profile | View All Flows

7. Click Review.
8. On the Create Data Role: Review page, click Submit.
Create Database Resource Conditions
You create two database resource conditions that you will include in data security policies.
1. Select .
2. On the Security Console, click the Administration tab.
3. On the General subtab, click Manage Database Resources.
4. On the Manage Database Resources and Policies page, enter PER_ALL_PEOPLE_F in the Object Name field and click Search.
5. In the Search Results section, click the Edit icon.
6. On the Edit Data Security: PER_ALL_PEOPLE_F page, click the Condition tab.
7. On the Condition tab, click the Create icon.
8. In the Create Database Resource Condition dialog box, complete the fields as shown in this table.

   Field | Value
   ---|---
   Name | Incumbent List
   Display Name | Incumbent List Securing Condition
   Condition Type | SQL predicate

   In the SQL Predicate field, enter the following statement:

   ```sql
   EXISTS (SELECT 1
     FROM PER_ALL_ASSIGNMENTS_M ASG, PER_PERIODS_OF_SERVICE PS, PER_ASG_RESPONSIBILITIES RES
     WHERE ASG.ASSIGNMENT_TYPE IN ('E')
     AND ASG.EFFECTIVE_LATEST_CHANGE = 'Y'
     AND SYSDATE BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
     AND PS.PERIOD_OF_SERVICE_ID = ASG.PERIOD_OF_SERVICE_ID
     AND (ASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED')
       OR (ASG.ASSIGNMENT_STATUS_TYPE IN ('INACTIVE')
         AND NOT EXISTS (SELECT 1
           FROM PER_ALL_ASSIGNMENTS_M EXASG
           WHERE EXASG.ASSIGNMENT_TYPE IN ('E','C','N','P')
           AND EXASG.EFFECTIVE_LATEST_CHANGE = 'Y'
           AND EXASG.PERSON_ID = ASG.PERSON_ID
           AND SYSDATE BETWEEN LEAST(SYSDATE,EXASG.EFFECTIVE_START_DATE) AND EXASG.EFFECTIVE_END_DATE
           AND EXASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED'))
         AND PS.ACTUAL_TERMINATION_DATE = (SELECT MAX(ALLPS.ACTUAL_TERMINATION_DATE)
           FROM PER_PERIODS_OF_SERVICE ALLPS
           WHERE ALLPS.PERSON_ID = ASG.PERSON_ID
           AND ALLPS.ACTUAL_TERMINATION_DATE IS NOT NULL)))
     AND SYSDATE BETWEEN RES.START_DATE AND NVL(RES.END_DATE,SYSDATE)
     AND ASG.PERSON_ID = &TABLE_ALIAS.PERSON_ID
     AND RES.PERSON_ID = (SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL)
     AND RES.RESPONSIBILITY_TYPE = 'HR_REP'
     AND ASG.ORGANIZATION_ID = RES.ORGANIZATION_ID
     AND ((SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL) <> &TABLE_ALIAS.PERSON_ID))
   ```

   Tip: To generate a SQL predicate that you can use or edit, create a person security profile with the required conditions. Copy the SQL predicate from the SQL Predicate for Person Access tab on the Create Person Security Profile: Preview page.
9. Click Save.
10. Repeat steps 7 through 9 for the candidate condition using the values shown in this table and the same SQL predicate.

    Field | Value
    ---|---
    Name | Candidate List
    Display Name | Candidate List Securing Condition
    Condition Type | SQL predicate
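
The following is an added example, not part of the original procedure or Oracle's code: a simplified SQLite model of the securing condition that shows which rows it lets through for a given signed-in user. The table names PEOPLE, ASG and RES, the function `visible_people`, the bind variables and all sample rows are constructed for illustration; the INACTIVE/termination branch and the effective-date checks on assignments are omitted.

```python
import sqlite3

# Simplified form of the page's SQL predicate. Assumptions: SYSDATE is the
# :today bind, HRC_SESSION_UTIL.GET_USER_PERSONID is the :user bind, and
# ASG / RES stand in for PER_ALL_ASSIGNMENTS_M / PER_ASG_RESPONSIBILITIES.
PREDICATE = """EXISTS (SELECT 1 FROM ASG, RES
  WHERE ASG.ASSIGNMENT_TYPE IN ('E')
    AND ASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED')
    AND :today BETWEEN RES.START_DATE AND IFNULL(RES.END_DATE, :today)
    AND ASG.PERSON_ID = &TABLE_ALIAS.PERSON_ID
    AND RES.PERSON_ID = :user
    AND RES.RESPONSIBILITY_TYPE = 'HR_REP'
    AND ASG.ORGANIZATION_ID = RES.ORGANIZATION_ID
    AND :user <> &TABLE_ALIAS.PERSON_ID)"""

# Constructed sample data: two departments (10, 20), one current HR rep,
# one HR rep whose responsibility has ended, one contingent worker.
SAMPLE = """
CREATE TABLE PEOPLE(PERSON_ID INTEGER, NAME TEXT);
CREATE TABLE ASG(PERSON_ID, ASSIGNMENT_TYPE, ASSIGNMENT_STATUS_TYPE, ORGANIZATION_ID);
CREATE TABLE RES(PERSON_ID, RESPONSIBILITY_TYPE, ORGANIZATION_ID, START_DATE, END_DATE);
INSERT INTO PEOPLE VALUES (1,'rep_a'),(2,'emp_dept10'),(3,'emp_dept20'),
                          (4,'contingent_dept10'),(5,'rep_expired');
INSERT INTO ASG VALUES (1,'E','ACTIVE',10),(2,'E','ACTIVE',10),(3,'E','ACTIVE',20),
                       (4,'C','ACTIVE',10),(5,'E','ACTIVE',20);
INSERT INTO RES VALUES (1,'HR_REP',10,'2024-01-01',NULL),
                       (5,'HR_REP',20,'2023-01-01','2023-12-31');
"""

def visible_people(user, today="2024-06-01"):
    """Return the names the condition exposes to person `user` on `today`."""
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE)
    # The secured table's alias is substituted for &TABLE_ALIAS; "P" here.
    where = PREDICATE.replace("&TABLE_ALIAS", "P")
    sql = f"SELECT P.NAME FROM PEOPLE P WHERE {where} ORDER BY P.PERSON_ID"
    return [row[0] for row in db.execute(sql, {"today": today, "user": user})]

if __name__ == "__main__":
    for uid in (1, 2, 5):
        print(uid, visible_people(uid))
```

The rep for department 10 sees only the employee in that department: the rep's own row, the contingent worker and the other department are filtered out, and a user with no current HR_REP responsibility sees no rows.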
End Date Data Security Policies Granted to the HCM Data Role
You edit the HCM data role to end date the existing data security policies.
1. Click the Roles tab on the Security Console.
2. Search for and select the HR Specialist - Restricted Incumbents and Candidates data role.
3. In the search results, select Edit Role on the role's Actions menu.
4. On the Basic Information page, click the Data Security Policies train stop.
5. In the Privilege search field, enter Add Worker to Succession Plan and press Enter.
6. In the row containing the specified privilege for the Person Detail data resource, select Edit Data Security Policy on the Actions menu.
7. In the Edit Data Security Policy dialog box, enter today's date in the End Date field.
8. Click OK to close the Edit Data Security Policy dialog box.
9. Repeat from step 5 for the Create Succession Plan for Worker privilege.

   Remain on the Data Security Policies page.
Create Data Security Policies
You create two data security policies that provide restricted access to incumbents and candidates for your HCM data role.
1. On the Create Data Security Policies page, click Create Data Security Policy.
2. Complete the fields in the Create Data Security Policy dialog box using the values shown in this table.

   Field | Value
   ---|---
   Policy Name | Restricted Access to Incumbents Policy
   Database Resource | Person Detail
   Data Set | Select by instance set
   Condition Name | Incumbent List Securing Condition
   Actions | Create Succession Plan for Worker

3. Click OK.
4. Repeat steps 1 through 3 using the values shown in this table.

   Field | Value
   ---|---
   Policy Name | Restricted Access to Candidates Policy
   Database Resource | Person Detail
   Data Set | Select by instance set
   Condition Name | Candidate List Securing Condition
   Actions | Add Worker to Succession Plan

5. Click the Summary and Impact Report train stop.
6. Click Save and Close to save your changes to the HCM data role.

To provision the HCM data role to users, create a role mapping.

Tip: To implement these enhancements for the Line Manager abstract role, the steps are the same except that you don't have to create a data role. As the Line Manager role is likely to have directly assigned security profiles, you edit the Line Manager role to end date the relevant data security policies.