How You Enable Delegation for a Role
By default, delegation isn't enabled for any predefined HCM job or abstract role. You can change the delegation setting of any predefined HCM role, except the Employee and Contingent Worker abstract roles.
You can also enable delegation for HCM data roles, custom job roles, and custom abstract roles. This topic describes how to manage role delegation. You can use:
- The Assign Security Profiles to Role task in the Setup and Maintenance work area
- The Manage Data Roles and Security Profiles task in the Workforce Structures work area
You must have the IT Security Manager job role to manage role delegation.
- Employees can delegate their own roles.
- Human Resource Specialists can delegate roles on behalf of employees.
Delegation of HCM Data Roles
When you create an HCM data role, you can indicate whether delegation is allowed on the Create Data Role: Select Role page.
When you edit an HCM data role, you can change the delegation setting on the Edit Data Role: Role Details page. If you deselect the Delegation Allowed option, then currently delegated roles aren't affected.
You can delegate HCM data roles in which access to person records is managed using custom criteria. However, the SQL predicate in the Custom Criteria section of the person security profile must handle the delegation logic.
Auditing the Role Delegation
It's recommended that you turn on auditing for the delegated role business object. You can choose to retrieve audit information either on Role Delegated to Proxy or Role Delegated by Delegator. For more about setting up and using the audit, see the topic How You Audit Oracle HCM Cloud Business Objects.
It's also recommended that you enforce a periodic monitoring control to review audit logs. Such a review helps confirm that role delegation is in line with security practices. Changes to the auditing settings should themselves be audited, and only a limited set of users should be able to update the auditing configuration.
Delegation of Custom Job and Abstract Roles
If you create an abstract role, then you can enable it for delegation when you assign security profiles to it directly. To assign security profiles to abstract roles, you perform the Assign Security Profiles to Role task. On the Edit Data Role: Role Details page, you select Delegation Allowed. As soon as you submit the role, delegation is enabled.
You can enable custom job roles for delegation in the same way, but you're unlikely to assign security profiles to them directly. Typically, job roles are inherited by HCM data roles, which you can enable for delegation.