How You Enable Delegation for a Role

By default, delegation isn't enabled for any predefined HCM job or abstract role. You can change the delegation setting of any predefined HCM role, except the Employee and Contingent Worker abstract roles.

You can also enable delegation for HCM data roles, custom job roles, and custom abstract roles. This topic describes how to manage role delegation. You can use:

  • The Assign Security Profiles to Role task in the Setup and Maintenance work area

  • The Manage Data Roles and Security Profiles task in the Workforce Structures work area

You must have the IT Security Manager job role to manage role delegation.

The following delegation scenarios are typical:

  • Employees can delegate their own roles.

  • Human Resource Specialists can delegate roles on behalf of employees.

To disable on-behalf-of delegation for the Human Resource Specialist role, you must remove the Manage Role Delegations aggregate privilege from that role.

Warning: You must evaluate the impact of enabling delegation for each role. Some roles, such as IT Security Manager, are sensitive and grant wide-ranging access to highly restricted information. Such roles must be granted only to select individuals in the organization and should never be set up as delegation-enabled. Before enabling delegation on a role, carefully assess the downstream implications of doing so. Periodic review of sensitive roles is recommended to ensure that delegation hasn't been accidentally enabled for them.

Delegation of HCM Data Roles

When you create an HCM data role, you can indicate whether delegation is allowed on the Create Data Role: Select Role page.

When you edit an HCM data role, you can change the delegation setting on the Edit Data Role: Role Details page. If you deselect the Delegation Allowed option, then currently delegated roles aren't affected.

You can delegate HCM data roles in which access to person records is managed using custom criteria. However, the SQL predicate in the Custom Criteria section of the person security profile must handle the delegation logic.

Auditing the Role Delegation

Turning on auditing for the delegated role business object is recommended. You can retrieve audit information on either Role Delegated to Proxy or Role Delegated by Delegator. For more information about setting up and using auditing, see the topic How You Audit Oracle HCM Cloud Business Objects.

Enforcing a periodic monitoring control to review the audit logs is also recommended. Such a review helps to confirm that role delegation is in line with security practices. Changes to the auditing settings should themselves be audited, and only a limited set of users should be able to update the auditing configuration.
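One way to script the periodic review described above, as an added example that is not Oracle code. It assumes the delegation audit data has been exported to CSV; the column names, the sensitive-role list, the 90-day limit, and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Assumption: roles your organization treats as too sensitive to delegate.
SENSITIVE_ROLES = {"IT Security Manager"}
MAX_DAYS = 90  # Assumption: longest delegation period your policy allows.

# Constructed sample export. The column names are assumptions, not an Oracle format.
SAMPLE_EXPORT = """\
delegator,proxy,role,start_date,end_date,created_by
ana.ruiz,ben.cole,Line Manager,2024-03-01,2024-03-15,ana.ruiz
cy.tan,dee.fox,IT Security Manager,2024-03-02,2024-03-09,cy.tan
eli.hunt,fay.orr,Line Manager,2024-01-01,,hr.spec1
gus.lee,hal.kim,Payroll Manager,2024-02-01,2024-08-01,gus.lee
"""

def review_delegations(export_text, sensitive_roles=SENSITIVE_ROLES, max_days=MAX_DAYS):
    """Return (delegator, proxy, role, reasons) for each row that needs review."""
    sensitive = {name.casefold() for name in sensitive_roles}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row = {key: (value or "").strip() for key, value in row.items()}
        reasons = []
        # Sensitive roles should never appear as delegated at all.
        if row["role"].casefold() in sensitive:
            reasons.append("sensitive role delegated")
        # Open-ended or very long delegations outlive the absence they cover.
        if not row["end_date"]:
            reasons.append("no end date")
        else:
            start = date.fromisoformat(row["start_date"])
            days = (date.fromisoformat(row["end_date"]) - start).days
            if days > max_days:
                reasons.append(f"duration {days} days exceeds {max_days}")
        # Delegations entered by someone other than the delegator (on behalf of).
        if row["created_by"] != row["delegator"]:
            reasons.append(f"created on behalf by {row['created_by']}")
        if reasons:
            findings.append((row["delegator"], row["proxy"], row["role"], reasons))
    return findings

if __name__ == "__main__":
    for delegator, proxy, role, reasons in review_delegations(SAMPLE_EXPORT):
        print(f"{delegator} -> {proxy} [{role}]: {'; '.join(reasons)}")
```
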

Delegation of Custom Job and Abstract Roles

If you create an abstract role, then you can enable it for delegation when you assign security profiles to it directly. To assign security profiles to abstract roles, you perform the Assign Security Profiles to Role task. On the Edit Data Role: Role Details page, you select Delegation Allowed. As soon as you submit the role, delegation is enabled.

Note: You can't delegate access to your own record. For example, you might assign the predefined View Own Record security profile to your custom role. Alternatively, you might create a person security profile that enables access to your own record and assign it to your custom role. In both cases, you can enable the role for delegation. Although the role itself can be delegated, access to your record isn't delegated. However, the delegated role can provide access to other data instances.

You can enable custom job roles for delegation in the same way, but you're unlikely to assign security profiles to them directly. Typically, job roles are inherited by HCM data roles, which you can enable for delegation.