Configure Access to Lists of Incumbents and Candidates

In this example, you learn how to create an HCM data role that provides access to restricted lists of succession plan incumbents and candidates. Human resource (HR) specialists select incumbents and candidates for succession plans from lists of workers.

By default, the workers who appear in those lists are defined by the person security profile assigned to the HR specialist's data role. You may want to vary this access. For example, you may want to present lists of incumbents and candidates that are restricted in some way.

The following table summarizes key decisions for this scenario.

Decisions to Consider | In This Example
What's the name of the HCM data role? | HR Specialist - Restricted Incumbents and Candidates
What are the name and display name of the database resource condition for incumbents? | Incumbent List and Incumbent List Securing Condition
What are the name and display name of the database resource condition for candidates? | Candidate List and Candidate List Securing Condition
How will the database resource conditions be specified? | SQL predicate
Which workers should appear in the lists of incumbents and candidates for HR specialists? | Employees in the department for which the HR specialist has the human resources representative responsibility
What's the name of the data security policy for incumbents? | Restricted Access to Incumbents Policy
What's the name of the data security policy for candidates? | Restricted Access to Candidates Policy

Summary of the Tasks

Enable access to restricted lists of incumbents and candidates by:

  1. Creating an HCM data role

  2. Creating two database resource conditions

  3. Editing the HCM data role to end date existing data security policies

  4. Creating replacement data security policies for the HCM data role that reference the new database resource conditions

Create the HCM Data Role

You create an HCM data role with view-all access.

  1. Sign in with the IT Security Manager role or privileges.

  2. In the Setup and Maintenance work area, go to the following:

    • Offering: Workforce Development

    • Functional Area: Users and Security

    • Task: Assign Security Profiles to Role

  3. On the Manage Data Roles and Security Profiles page, click Create.

  4. On the Create Data Role: Select Role page, complete the fields as shown in this table.

    Field | Value
    Data Role | HR Specialist - Restricted Incumbents and Candidates
    Job Role | Human Resource Specialist

  5. Click Next.

  6. On the Create Role: Security Criteria page, select the security profiles shown in this table.

    Field | Value
    Organization Security Profile | View All Organizations
    Position Security Profile | View All Positions
    Country Security Profile | View All Countries
    LDG Security Profile | View All Legislative Data Groups
    Person Security Profile (Person) | View All Workers
    Person Security Profile (Public Person) | View All People
    Document Type Security Profile | View All Document Types
    Payroll Security Profile | View All Payrolls
    Flow Pattern Security Profile | View All Flows

  7. Click Review.

  8. On the Create Data Role: Review page, click Submit.

Create Database Resource Conditions

You create two database resource conditions that you will include in data security policies.

  1. Select Navigator > Tools > Security Console.

  2. On the Security Console, click the Administration tab.

  3. On the General subtab, click Manage Database Resources.

  4. On the Manage Database Resources and Policies page, enter PER_ALL_PEOPLE_F in the Object Name field and click Search.

  5. In the Search Results section, click the Edit icon.

  6. On the Edit Data Security: PER_ALL_PEOPLE_F page, click the Condition tab.

  7. On the Condition tab, click the Create icon.

  8. In the Create Database Resource Condition dialog box, complete the fields as shown in this table.

    Field | Value
    Name | Incumbent List
    Display Name | Incumbent List Securing Condition
    Condition Type | SQL predicate

    In the SQL Predicate field, enter the following statement:

    EXISTS(SELECT 1 FROM PER_ALL_ASSIGNMENTS_M ASG,PER_PERIODS_OF_SERVICE PS,PER_ASG_RESPONSIBILITIES RES WHERE ASG.ASSIGNMENT_TYPE IN('E')
    AND ASG.EFFECTIVE_LATEST_CHANGE='Y' AND SYSDATE BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE AND PS.PERIOD_OF_SERVICE_ID=ASG.PERIOD_OF_SERVICE_ID
    AND (ASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED') OR (ASG.ASSIGNMENT_STATUS_TYPE IN ('INACTIVE') AND NOT EXISTS
    (SELECT 1 FROM PER_ALL_ASSIGNMENTS_M EXASG WHERE EXASG.ASSIGNMENT_TYPE IN('E','C','N','P') AND EXASG.EFFECTIVE_LATEST_CHANGE = 'Y'
    AND EXASG.PERSON_ID = ASG.PERSON_ID AND SYSDATE BETWEEN LEAST(SYSDATE,EXASG.EFFECTIVE_START_DATE) AND EXASG.EFFECTIVE_END_DATE AND EXASG.ASSIGNMENT_STATUS_TYPE IN
    ('ACTIVE','SUSPENDED')) AND PS.ACTUAL_TERMINATION_DATE = (SELECT MAX(ALLPS.ACTUAL_TERMINATION_DATE) FROM PER_PERIODS_OF_SERVICE ALLPS WHERE
    ALLPS.PERSON_ID = ASG.PERSON_ID AND ALLPS.ACTUAL_TERMINATION_DATE IS NOT NULL))) AND SYSDATE BETWEEN RES.START_DATE AND NVL(RES.END_DATE,SYSDATE)
    AND ASG.PERSON_ID=&TABLE_ALIAS.PERSON_ID AND RES.PERSON_ID=(SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL) AND
    RES.RESPONSIBILITY_TYPE='HR_REP' AND ASG.ORGANIZATION_ID=RES.ORGANIZATION_ID AND ((SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1)
    FROM DUAL)<>&TABLE_ALIAS.PERSON_ID))

    Tip: To generate a SQL predicate that you can use or edit, create a person security profile with the required conditions. Copy the SQL predicate from the SQL Predicate for Person Access tab on the Create Person Security Profile: Preview page.

  9. Click Save.

  10. Repeat steps 7 through 9 for the candidate condition using the values shown in this table and the same SQL predicate.

    Field | Value
    Name | Candidate List
    Display Name | Candidate List Securing Condition
    Condition Type | SQL predicate
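
The core of this condition can be exercised offline before it is entered in the Security Console. The following is an added example, not Oracle's code: a Python script that runs a simplified SQLite rendering of the predicate (active and suspended employees only) over constructed rows. Assumptions: a :uid bind parameter stands in for HRC_SESSION_UTIL.GET_USER_PERSONID, date('now') stands in for SYSDATE, the tables carry only the columns the predicate reads, and &TABLE_ALIAS is bound to the alias of the secured table PER_ALL_PEOPLE_F.

```python
import sqlite3

# Simplified SQLite rendering of the page's predicate (not the full Oracle text).
# Assumptions: :uid replaces HRC_SESSION_UTIL.GET_USER_PERSONID, date('now') replaces
# SYSDATE; the INACTIVE/termination branch and PER_PERIODS_OF_SERVICE are omitted.
PREDICATE = """
EXISTS (SELECT 1 FROM PER_ALL_ASSIGNMENTS_M ASG, PER_ASG_RESPONSIBILITIES RES
  WHERE ASG.ASSIGNMENT_TYPE IN ('E')
    AND ASG.EFFECTIVE_LATEST_CHANGE = 'Y'
    AND date('now') BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
    AND ASG.ASSIGNMENT_STATUS_TYPE IN ('ACTIVE','SUSPENDED')
    AND date('now') BETWEEN RES.START_DATE AND IFNULL(RES.END_DATE, date('now'))
    AND ASG.PERSON_ID = &TABLE_ALIAS.PERSON_ID
    AND RES.PERSON_ID = :uid
    AND RES.RESPONSIBILITY_TYPE = 'HR_REP'
    AND ASG.ORGANIZATION_ID = RES.ORGANIZATION_ID
    AND :uid <> &TABLE_ALIAS.PERSON_ID)
"""

def build_db():
    """Constructed sample data; columns limited to those the predicate reads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE PER_ALL_PEOPLE_F (PERSON_ID INTEGER);
      CREATE TABLE PER_ALL_ASSIGNMENTS_M (PERSON_ID, ORGANIZATION_ID, ASSIGNMENT_TYPE,
        ASSIGNMENT_STATUS_TYPE, EFFECTIVE_LATEST_CHANGE, EFFECTIVE_START_DATE, EFFECTIVE_END_DATE);
      CREATE TABLE PER_ASG_RESPONSIBILITIES (PERSON_ID, ORGANIZATION_ID,
        RESPONSIBILITY_TYPE, START_DATE, END_DATE);
      INSERT INTO PER_ALL_PEOPLE_F VALUES (1),(2),(3),(4),(5);
      INSERT INTO PER_ALL_ASSIGNMENTS_M VALUES
        (1,10,'E','ACTIVE','Y','2000-01-01','4712-12-31'),    -- HR rep, department 10
        (2,10,'E','ACTIVE','Y','2000-01-01','4712-12-31'),    -- employee, department 10
        (3,10,'E','SUSPENDED','Y','2000-01-01','4712-12-31'), -- suspended, department 10
        (4,20,'E','ACTIVE','Y','2000-01-01','4712-12-31'),    -- employee, department 20
        (5,10,'C','ACTIVE','Y','2000-01-01','4712-12-31');    -- non-employee, department 10
      INSERT INTO PER_ASG_RESPONSIBILITIES VALUES
        (1,10,'HR_REP','2000-01-01',NULL),                    -- current HR rep for 10
        (4,10,'HR_REP','2000-01-01','2001-01-01');            -- expired responsibility
    """)
    return db

def visible_people(db, user_person_id, alias="P"):
    """Bind &TABLE_ALIAS to the secured table's alias, then use the condition as a row filter."""
    where = PREDICATE.replace("&TABLE_ALIAS", alias)
    sql = f"SELECT {alias}.PERSON_ID FROM PER_ALL_PEOPLE_F {alias} WHERE {where} ORDER BY 1"
    return [row[0] for row in db.execute(sql, {"uid": user_person_id})]
```

With this data, the HR representative for department 10 gets persons 2 and 3 only: their own record, the other department and the non-employee assignment are filtered out, and a user whose HR_REP responsibility has ended gets an empty list.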

End Date Data Security Policies Granted to the HCM Data Role

You edit the HCM data role to end date the existing data security policies.

  1. Click the Roles tab on the Security Console.

  2. Search for and select the HR Specialist - Restricted Incumbents and Candidates data role.

  3. In the search results, select Edit Role on the role's Actions menu.

  4. On the Basic Information page, click the Data Security Policies train stop.

  5. In the Privilege search field, enter Add Worker to Succession Plan and press Enter.

  6. In the row containing the specified privilege for the Person Detail data resource, select Edit Data Security Policy on the Actions menu.

  7. In the Edit Data Security Policy dialog box, enter today's date in the End Date field.

  8. Click OK to close the Edit Data Security Policy dialog box.

  9. Repeat from step 5 for the Create Succession Plan for Worker privilege.

    Remain on the Data Security Policies page.

Create Data Security Policies

You create two data security policies that provide restricted access to incumbents and candidates for your HCM data role.

  1. On the Create Data Security Policies page, click Create Data Security Policy.

  2. Complete the fields in the Create Data Security Policy dialog box using the values shown in this table.

    Field | Value
    Policy Name | Restricted Access to Incumbents Policy
    Database Resource | Person Detail
    Data Set | Select by instance set
    Condition Name | Incumbent List Securing Condition
    Actions | Create Succession Plan for Worker

  3. Click OK.

  4. Repeat steps 1 through 3 using the values shown in this table.

    Field | Value
    Policy Name | Restricted Access to Candidates Policy
    Database Resource | Person Detail
    Data Set | Select by instance set
    Condition Name | Candidate List Securing Condition
    Actions | Add Worker to Succession Plan

  5. Click the Summary and Impact Report train stop.

  6. Click Save and Close to save your changes to the HCM data role.

    To provision the HCM data role to users, create a role mapping.

    Tip: To implement these enhancements for the Line Manager abstract role, the steps are the same except that you don't have to create a data role. As the Line Manager role is likely to have directly assigned security profiles, you edit the Line Manager role to end date the relevant data security policies.