HCM Security Profiles

Security profiles identify instances of Human Capital Management (HCM) objects. For example, a person security profile identifies one or more Person objects, and a payroll security profile identifies one or more Payroll objects.

This topic describes how to create and use security profiles and identifies the HCM objects that need them. To manage security profiles, you must have the IT Security Manager job role.

Use of HCM Security Profiles

You include security profiles in HCM data roles to identify the data that users with those roles can access. You can also assign security profiles directly to abstract roles, such as employee. However, you're unlikely to assign them directly to job roles, because users with same job role usually access different sets of data. You're recommended not to assign security profiles directly to job roles.

HCM Object Types

You can create security profiles for the following HCM object types:

  • Country

  • Document Type

  • Job Requisition

  • Legislative Data Group (LDG)

  • Organization

  • Payroll

  • Payroll Flow

  • Person

    • Managed Person

    • Public Person

  • Position

  • Talent Pool
  • Transaction

Two uses exist for the person security profile because many users access two distinct sets of people.

  • The Managed Person security profile identifies people you can perform actions against.

  • The Public Person security profile identifies people you can search for in the worker directory.

    This type of security profile also secures some lists of values. For example, the Change Manager and Hire pages include a person list of values that the public person security profile secures. The person who's selecting the manager for a worker may not have view access to that manager through a managed person security profile.

Predefined security profiles provide view-all access to secured objects. For example, the View All Positions security profile provides access to all positions in the enterprise.

Security Criteria in HCM Security Profiles

In a security profile, you specify the criteria that identify data instances of the relevant type. For example, in an organization security profile, you can identify organizations by organization hierarchy, classification, or name. All criteria in a security profile apply. For example, if you identify organizations by both organization hierarchy and classification, then only organizations that satisfy both criteria belong to the data instance set.

Access to Future-Dated Objects

By default, users can't access future-dated organization, position, or person objects.

Enable access to future-dated objects as follows:

  • For organizations, select the Include future organizations option in the organization security profile

  • For positions, select the Include future positions option in the position security profile

  • For person records, select the Include future people option in the person security profile

Tip:

The predefined View All Workers security profile doesn't provide access to future-dated person records. The predefined View All People security profile, which provides access to all person records, including those of contacts, does provide access to future-dated records.

Security Profile Creation

You can create security profiles either individually or while creating an HCM data role. For standard requirements, it's more efficient to create the security profiles individually and include them in appropriate HCM data roles.

To create security profiles individually, use the relevant security profile task. For example, to create a position security profile, use the Manage Position Security Profile task in the Setup and Maintenance or Workforce Structures work area.

Reuse of Security Profiles

Regardless of how you create them, all security profiles are reusable.

You can include security profiles in other security profiles. For example, you can include an organization security profile in a position security profile to secure positions by department or business unit. One security profile inherits the data instance set defined by another.