How You Secure Content Sections in Person Profiles

Sensitive data for a worker appears in content sections in person profiles. To give users an appropriate level of access to person profile contents, you can secure this information at the content section level.

For example, a person profile can contain information about competencies, performance ratings, job criticality, risk of loss, degrees, and so on. This topic:

  • Introduces content types and content sections

  • Describes the task that manages content-section access for selected roles

  • Explains how data security policies are constructed to secure access to custom content types

  • Describes regeneration of the affected data and abstract roles

Content Types and Content Sections

Content types are the skills, qualities, and qualifications that you track in talent profiles. You select content types from the content library to create content sections for the profile type. You can secure access to content sections in person profiles only. The content types can be either predefined or custom but must be associated with the person profile type.

Manage Profile Content Section Access

Use the Manage Profile Content Section Access task in the Setup and Maintenance work area to secure access to content sections in person profiles. You must have the IT Security Manager job role or privileges to perform this task. For a selected content section, you can:

  • Identify the predefined or custom job roles and abstract roles that can access the content section in person profiles.

  • Specify the level of access for each role. This table describes the levels.

    | Access Level | Description |
    |---|---|
    | View | Users can view content-section data. |
    | Edit | Users can edit content-section data. This access includes View and Report access. |
    | Report | Users can include content-section data in Oracle Business Intelligence Publisher reports. |

Data Security Policies

When you map a predefined content type to a role, a predefined data security privilege is granted to the role automatically. When you map a custom content type to a role, a data security privilege is both generated and granted to the role automatically. For example, you could map the custom Leadership content type to the predefined Employee abstract role and set the access level to Edit. This table shows the resulting data security policy. The data security privilege shown in this data security policy would be generated and granted to the role.

| Data Security Policy | Data Resource | Data Security Privilege | Condition |
|---|---|---|---|
| ORA_PER_EMPLOYEE_ABSTRACT, Grant on Profile Content Type LEADERSHIP | Person Detail | Manage Leadership Content Type | HCM:PER:PER_ALL_PEOPLE_F:View Own Record |

These rules apply to the data security policy:

  • The policy name is in the form: <role code>, Grant on Profile Content Type <content type code>. The policy description is the same as the policy name.

  • The data resource is Person Detail.

  • The data security privileges are in the form: <Manage | Report | View> <content type name> Content Type

  • The condition, which controls access to specific instances of person records, identifies the relevant person security profile.

Note: Don't create custom data security policies on the Security Console to manage profile content section access. Always use the Manage Profile Content Section Access task.
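The naming rules above make generated policies recognizable during an access review. The following Python check is an added example, not Oracle code: it reads rows of a policy listing, derives each role's effective access per content type, and flags content-type privileges granted through policies that don't follow the generated form. The row layout, the CUSTOM_LINE_MANAGER role, and every row except the first are constructed assumptions.

```python
import re

# Policy name form: "<role code>, Grant on Profile Content Type <content type code>"
NAME_RE = re.compile(r"^(?P<role>[^,]+), Grant on Profile Content Type (?P<ctype>.+)$")
# Privilege form: "Manage | Report | View <content type name> Content Type"
PRIV_RE = re.compile(r"^(?P<verb>Manage|Report|View) (?P<cname>.+) Content Type$")
# Manage is the privilege generated for Edit access in the Leadership example;
# Edit includes View and Report access.
LEVELS = {"Manage": {"Edit", "View", "Report"}, "View": {"View"}, "Report": {"Report"}}

def review(rows):
    """Return (access, findings) for rows of a policy listing (assumed layout)."""
    access, findings = {}, []
    for row in rows:
        priv = PRIV_RE.match(row["privilege"])
        if not priv:
            continue  # not a content-type privilege, out of scope for this review
        name = NAME_RE.match(row["policy"])
        generated = (name and row["resource"] == "Person Detail"
                     and row["description"] == row["policy"])
        if not generated:
            findings.append((row["policy"], "content-type privilege outside the generated form"))
            continue
        access.setdefault((name["role"], name["ctype"]), set()).update(LEVELS[priv["verb"]])
    return access, findings

# Constructed sample rows; only the first reproduces the policy shown on this page.
FIELDS = ("policy", "description", "resource", "privilege")
SAMPLE_ROWS = [dict(zip(FIELDS, r)) for r in [
    ("ORA_PER_EMPLOYEE_ABSTRACT, Grant on Profile Content Type LEADERSHIP",
     "ORA_PER_EMPLOYEE_ABSTRACT, Grant on Profile Content Type LEADERSHIP",
     "Person Detail", "Manage Leadership Content Type"),
    ("CUSTOM_LINE_MANAGER, Grant on Profile Content Type LEADERSHIP",
     "CUSTOM_LINE_MANAGER, Grant on Profile Content Type LEADERSHIP",
     "Person Detail", "View Leadership Content Type"),
    ("Leadership report access for contractors", "Added manually",
     "Person Detail", "Report Leadership Content Type"),
    ("Constructed unrelated policy", "Constructed unrelated policy",
     "Person Detail", "Constructed Unrelated Privilege"),
]]

if __name__ == "__main__":
    access, findings = review(SAMPLE_ROWS)
    for (role, ctype), levels in sorted(access.items()):
        print(role, ctype, sorted(levels))
    for policy, reason in findings:
        print("REVIEW:", policy, "-", reason)
```

A flagged row is a prompt to check whether the policy was created on the Security Console instead of through the Manage Profile Content Section Access task.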

Regeneration of Data and Abstract Roles

After saving your changes on the Manage Profile Content Section Access page, you must regenerate:

  • Data roles that inherit any of the job roles to which you mapped a content section

  • Abstract roles to which you mapped a content section and to which security profiles are assigned

Regenerating roles updates their data security permissions. If you don't regenerate relevant roles, then users can't access content sections in person profiles.

Note: If you plan to copy abstract or job roles to which security profiles are assigned, then revoke the security profiles before you perform the copy. This precaution ensures that any data security policies, including those generated when you map content sections to a role, aren't copied.

Restrictions

Content sections in person profiles are unsecured when person profiles are included in:

  • Best-fit analyses

  • Profile comparisons

  • Oracle Transactional Business Intelligence reports