HCM Security Profiles

Security profiles identify instances of Human Capital Management (HCM) objects. For example, a person security profile identifies one or more Person objects, and a payroll security profile identifies one or more Payroll objects.

This topic describes how to create and use security profiles and identifies the HCM objects that need them. To manage security profiles, you must have the IT Security Manager job role.

Use of HCM Security Profiles

You include security profiles in HCM data roles to identify the data that users with those roles can access. You can also assign security profiles directly to abstract roles, such as employee. However, you're unlikely to assign them directly to job roles, because users with the same job role usually access different sets of data. Assigning security profiles directly to job roles isn't recommended.

HCM Object Types

You can create security profiles for the following HCM object types:

  • Country

  • Document Type

  • Job Requisition

  • Legislative Data Group (LDG)

  • Organization

  • Payroll

  • Payroll Flow

  • Person

    • Managed Person

    • Public Person

  • Position

  • Talent Pool

  • Transaction

Two uses exist for the person security profile because many users access two distinct sets of people.

  • The Managed Person security profile identifies people you can perform actions against.

  • The Public Person security profile identifies people you can search for in the worker directory.

    This type of security profile also secures some lists of values. For example, the Change Manager and Hire pages include a person list of values that the public person security profile secures. The person who's selecting the manager for a worker may not have view access to that manager through a managed person security profile.

Predefined security profiles provide view-all access to secured objects. For example, the View All Positions security profile provides access to all positions in the enterprise.

Security Criteria in HCM Security Profiles

In a security profile, you specify the criteria that identify data instances of the relevant type. For example, in an organization security profile, you can identify organizations by organization hierarchy, classification, or name. All criteria in a security profile apply. For example, if you identify organizations by both organization hierarchy and classification, then only organizations that satisfy both criteria belong to the data instance set.

Access to Future-Dated Objects

By default, users can't access future-dated organization, position, or person objects.

Enable access to future-dated objects as follows:

  • For organizations, select the Include future organizations option in the organization security profile

  • For positions, select the Include future positions option in the position security profile

  • For person records, select the Include future people option in the person security profile

Tip: The predefined View All Workers security profile doesn't provide access to future-dated person records. The predefined View All People security profile, which provides access to all person records, including those of contacts, does provide access to future-dated records.

Security Profile Creation

You can create security profiles either individually or while creating an HCM data role. For standard requirements, it's more efficient to create the security profiles individually and include them in appropriate HCM data roles.

To create security profiles individually, use the relevant security profile task. For example, to create a position security profile, use the Manage Position Security Profile task in the Setup and Maintenance or Workforce Structures work area.

Reuse of Security Profiles

Regardless of how you create them, all security profiles are reusable.

You can include security profiles in other security profiles. For example, you can include an organization security profile in a position security profile to secure positions by department or business unit. One security profile inherits the data instance set defined by another.
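
The following added example is a simplified model of the rules described above, not Oracle's implementation or code from this documentation. It shows that all criteria in a profile are combined with AND, that future-dated objects are excluded unless the include-future option is set, and that a position security profile inherits the data instance set of an included organization security profile. All class names, field names, and sample records are hypothetical and constructed for illustration, and applying each profile's future-dated option independently is an assumption of the model.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Org:                      # hypothetical record, not an Oracle structure
    name: str
    classification: str
    ancestors: frozenset        # hierarchy nodes above this organization
    start: date                 # effective start date

@dataclass
class OrgProfile:
    hierarchy_top: str = ""                # empty means the criterion is unused
    classification: str = ""
    include_future: bool = False           # default: future-dated objects hidden
    def matches(self, org, today):
        if org.start > today and not self.include_future:
            return False
        # Every criterion that is set must hold (AND, never OR).
        if self.hierarchy_top and self.hierarchy_top not in org.ancestors | {org.name}:
            return False
        return not self.classification or org.classification == self.classification
    def instance_set(self, orgs, today):
        return sorted(o.name for o in orgs if self.matches(o, today))

@dataclass
class PositionProfile:
    org_profile: OrgProfile                # included (reused) security profile
    include_future: bool = False
    def instance_set(self, positions, orgs, today):
        # Inherit the organization profile's instance set, then apply own date rule.
        allowed = set(self.org_profile.instance_set(orgs, today))
        return sorted(name for name, dept, start in positions
                      if dept in allowed and (start <= today or self.include_future))

# Constructed sample data.
TODAY = date(2024, 6, 1)
ORGS = [
    Org("Sales EMEA", "Department", frozenset({"EMEA"}), date(2020, 1, 1)),
    Org("EMEA Legal", "Legal Employer", frozenset({"EMEA"}), date(2020, 1, 1)),
    Org("Sales APAC", "Department", frozenset({"APAC"}), date(2020, 1, 1)),
    Org("Support EMEA", "Department", frozenset({"EMEA"}), date(2025, 1, 1)),
]
POSITIONS = [   # (position name, department, effective start date)
    ("EMEA Sales Rep", "Sales EMEA", date(2021, 3, 1)),
    ("EMEA Sales Manager", "Sales EMEA", date(2024, 9, 1)),
    ("EMEA Support Lead", "Support EMEA", date(2025, 1, 1)),
    ("APAC Sales Rep", "Sales APAC", date(2021, 3, 1)),
]
```

Adding the classification criterion to a hierarchy-only profile narrows the instance set, which is why reviewing each criterion in a reused profile matters before including it in another profile.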