How You Preview HCM Data Security

On occasion, users may report problems with accessing secured data, such as person and organization records. As users typically have multiple roles, diagnosing these problems can be challenging. To help you with this task, you can use the Preview HCM Data Security interface.

Using this interface, you can analyze a user's data access based on all of their current roles and areas of responsibility. This topic explains how to use the Preview HCM Data Security interface in the Workforce Structures work area.

Identifying the User

To start your analysis, you search for and select the user name. When you select the user, the following sections of the page are populated automatically.

  • Currently Assigned Roles: The job, abstract, and data roles that the user currently inherits directly. This section also identifies security profiles assigned to those roles.

  • Currently Assigned Areas of Responsibility: Details of the user's areas of responsibility, if any. You need this information when investigating access to person or position records if that access is secured by area of responsibility.

  • Session-Based Roles: The roles associated with the user's latest session. Both directly and indirectly inherited roles are listed. The user must have signed in at least once, as this information is taken from the user's latest session.

Identifying the Privileges

Most data-access problems are of one of the following types:

  • The user expects to access an instance of a secured object, such as a person record, but the record isn't found.

  • The user expects to perform an action, such as Promote Worker, but the action isn't available.

  • The user can access an instance of a secured object, such as a person record, but the record should not be accessible.

  • The user can perform an action, such as Promote Worker, but the action should not be available.

To investigate these types of problems, start by identifying what the user was trying to do. For example, the user may have found the required person record but couldn't select the Promote Worker action. You then identify the data security privilege and data resource that control this access. If you know the names of the data security privilege and data resource, then you can select them in the Access Based on Privilege section. Alternatively, you can search for the associated data security policy by aggregate privilege name, for example. When you select a value in the search results, the Privilege and Data Resource fields are completed automatically.

Previewing Access

When the fields in the Access Based on Privilege section are complete, you click Preview Access. The Access Verification section of the page is updated automatically to identify every instance of the data security policy that's granted to the user. In the Verify Access For field, you select the secured record that's the subject of this investigation and click Verify. For example, you select the person record of the person the user couldn't promote. The section is updated automatically to show:

  • The roles to which the data security policy is granted, and how the user inherits those roles

  • The security profiles, if any, assigned to those roles

  • Whether the roles make the record or action accessible to the user

This figure shows typical content of the Access Verification section.

This figure shows that the user inherits the Line Manager role directly. The View Manager Hierarchy security profile is assigned directly to the Line Manager role. This role makes the record accessible to the user. The figure also shows that the user inherits the Promote Worker role indirectly from the Line Manager role. With this role, the record isn't accessible to the user.

When you click an instance of the role name in the Access Verification section, you see data security policy details, including the SQL predicate. The information provided by all sections of the Preview HCM Data Security page should be sufficient for you to diagnose and resolve most data-access issues.
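
The per-role breakdown described above can be reasoned about with a small model. The following is an added example, not Oracle code and not part of the original topic: it resolves how a user inherits each role, finds the instances of a policy granted to those roles, and evaluates each one against the selected record. The role and security profile names come from the figure description; the user name, EXAMPLE_PRIVILEGE, the person IDs, the predicates, and the rule that any one matching grant is sufficient are assumptions of this model.

```python
from collections import deque

# Constructed sample data. Role and profile names follow the figure description;
# the user, privilege name, predicates and person IDs are hypothetical.
DIRECT_ROLES = {"jsmith": ["Line Manager"]}
ROLE_CHILDREN = {"Line Manager": ["Promote Worker"], "Promote Worker": []}
REPORTS = {"jsmith": {"P100", "P101"}}   # constructed manager hierarchy
PROMOTE_SCOPE = {"P200"}                 # constructed scope of the second grant

# One entry per instance of the data security policy. Each predicate is a
# stand-in for the SQL predicate shown in the policy details.
GRANTS = [
    {"role": "Line Manager", "privilege": "EXAMPLE_PRIVILEGE",
     "profile": "View Manager Hierarchy",
     "predicate": lambda user, person: person in REPORTS.get(user, set())},
    {"role": "Promote Worker", "privilege": "EXAMPLE_PRIVILEGE", "profile": None,
     "predicate": lambda user, person: person in PROMOTE_SCOPE},
]


def inherited_roles(user):
    """Map each role the user holds to the path by which it is inherited."""
    paths = {}
    queue = deque((role, [role]) for role in DIRECT_ROLES.get(user, []))
    while queue:
        role, path = queue.popleft()
        if role in paths:  # already reached by a shorter path; also stops cycles
            continue
        paths[role] = path
        queue.extend((c, path + [c]) for c in ROLE_CHILDREN.get(role, []))
    return paths


def verify_access(user, privilege, person):
    """Return one row per granted policy instance and the overall result."""
    paths = inherited_roles(user)
    rows = []
    for grant in GRANTS:
        if grant["privilege"] != privilege or grant["role"] not in paths:
            continue
        path = paths[grant["role"]]
        rows.append({
            "role": grant["role"],
            "inherited": "directly" if len(path) == 1 else "via " + " > ".join(path[:-1]),
            "profile": grant["profile"],
            "accessible": grant["predicate"](user, person),
        })
    # Model assumption: one matching grant is enough to make the record accessible.
    return rows, any(row["accessible"] for row in rows)
```

Calling verify_access("jsmith", "EXAMPLE_PRIVILEGE", "P100") in this model returns the same shape of result as the figure description: the Line Manager row is accessible, and the Promote Worker row, inherited via Line Manager, is not.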