Guidelines for Securing Organizations

Some users maintain organization definitions. Others access lists of organizations while performing tasks such as creating assignments. The access requirements for these users differ. However, for both types of users you identify relevant organizations in an organization security profile.

This topic discusses the effects of options that you select when creating an organization security profile. To create an organization security profile, use the Manage Organization Security Profile task.

Organizations with Multiple Classifications

Organizations may have more than one classification. For example, a department may also have the legal employer classification. An organization belongs to an organization security profile data instance set if it satisfies any one of the security profile's classification criteria. For example, if you secure by department hierarchy only, a department that's also a legal employer is included because it's a department.

Securing by Organization Classification

To secure access to all organizations of a single classification, select the classification in the Secure by Organization section. For example, to secure access to all legal employers in the enterprise, set the Classification Name in the Secure by Classification section to Legal Employer. You can exclude selected legal employers from this access by listing them in the Organizations section and selecting Exclude in the Include or Exclude Organizations column.

Selecting the Top Organization in an Organization Hierarchy

If you select a named organization as the top organization in an organization hierarchy, then you must ensure that the organization remains valid. No automatic validation of the organization occurs, because changes to the organization hierarchy occur independently of the organization security profile.

Users with Multiple Assignments

You can select the department from the user's assignment as the top organization in an organization hierarchy. Multiple top organizations may exist if the user has multiple assignments. In this case, all departments from the relevant sub-hierarchies of the organization hierarchy belong to the organization security profile data instance set.

The following figure illustrates the effects of this option when the user has multiple assignments. The user has two assignments, one in department B and one in department D, which belongs to the same organization hierarchy. The top organizations are therefore departments B and D, and the user's data instance set of organizations therefore includes departments B, E, D, F, and G.

This figure shows a hierarchy of departments. Department A at the top inherits departments B, C, and D. Department B inherits department E. Department D inherits departments F and G. As the user has assignments in departments B and D, he or she can access all departments in this hierarchy except departments A and C.