How You Secure Content Sections in Person Profiles
Sensitive data for a worker appears in content sections in person profiles. To give users an appropriate level of access to person profile contents, you can secure this information at the content section level.
For example, a person profile can contain information about competencies, performance ratings, job criticality, risk of loss, degrees, and so on. This topic:
- Introduces content types and content sections
- Describes the task that manages content-section access for selected roles
- Explains how data security policies are constructed to secure access to custom content types
- Describes regeneration of the affected data and abstract roles
Content Types and Content Sections
Content types are the skills, qualities, and qualifications that you track in talent profiles. You select content types from the content library to create content sections for the profile type. You can secure access to content sections in person profiles only. The content types can be either predefined or custom but must be associated with the person profile type.
Manage Profile Content Section Access
Use the Manage Profile Content Section Access task in the Setup and Maintenance work area to secure access to content sections in person profiles. You must have the IT Security Manager job role or privileges to perform this task. For a selected content section, you can:
- Identify the predefined or custom job roles and abstract roles that can access the content section in person profiles.
- Specify the level of access for each role. This table describes the levels.

Access Level | Description |
---|---|
View | Users can view content-section data. |
Edit | Users can edit content-section data. This access includes View and Report access. |
Report | Users can include content-section data in Oracle Business Intelligence Publisher reports. |
Data Security Policies
When you map a predefined content type to a role, a predefined data security privilege is granted to the role automatically. When you map a custom content type to a role, a data security privilege is both generated and granted to the role automatically. For example, you could map the custom Leadership content type to the predefined Employee abstract role and set the access level to Edit. This table shows the resulting data security policy. The data security privilege shown in this data security policy would be generated and granted to the role.
Data Security Policy | Data Resource | Data Security Privilege | Condition |
---|---|---|---|
ORA_PER_EMPLOYEE_ABSTRACT, Grant on Profile Content Type LEADERSHIP | Person Detail | Manage Leadership Content Type | HCM:PER:PER_ALL_PEOPLE_F:View Own Record |
These rules apply to the data security policy:
- The policy name is in the form: role code, Grant on Profile Content Type content type code. The policy description is the same as the policy name.
- The data resource is Person Detail.
- The data security privileges are in the form: Manage | Report | View | content type name Content Type
- The condition, which controls access to specific instances of person records, identifies the relevant person security profile.
Don't create custom data security policies on the Security Console to manage profile content section access. Always use the Manage Profile Content Section Access task.
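The rules above can be used as a review check over an export of data security policies, to spot rows that grant a profile content type privilege without matching a mapping made in the task. This is an added example, not Oracle code: the row format, the MENTORING content type, HYPOTHETICAL_ROLE, the "View Person Address" privilege, and the View and Report privilege verbs are assumptions; only the Leadership row comes from the table above.

```python
import re

DATA_RESOURCE = "Person Detail"
# Edit -> Manage is shown by the page's Leadership example; the View and
# Report verbs are assumed from the documented privilege form.
VERB_FOR_LEVEL = {"Edit": "Manage", "View": "View", "Report": "Report"}
NAME_RE = re.compile(r"^\S+, Grant on Profile Content Type \S+$")
PRIV_RE = re.compile(r"^(Manage|Report|View) .+ Content Type$")

def expected_policy(role_code, ctype_code, ctype_name, level):
    """Policy the task should generate for one role/content-section mapping."""
    name = f"{role_code}, Grant on Profile Content Type {ctype_code}"
    return {"name": name, "description": name, "data_resource": DATA_RESOURCE,
            "privilege": f"{VERB_FOR_LEVEL[level]} {ctype_name} Content Type"}

def audit(policies, mappings):
    """Return (policy name, finding) pairs for rows that break the rules."""
    expected = {p["name"]: p for p in (expected_policy(*m) for m in mappings)}
    findings = []
    for pol in policies:
        if not PRIV_RE.match(pol["privilege"]):
            continue  # not a profile content type policy, out of scope
        want = expected.get(pol["name"])
        if not NAME_RE.match(pol["name"]):
            findings.append((pol["name"], "name not in generated form"))
        elif want is None:
            findings.append((pol["name"], "no matching content section mapping"))
        else:
            findings += [(pol["name"], f"{f} differs from mapping")
                         for f in ("description", "data_resource", "privilege")
                         if pol[f] != want[f]]
    seen = {p["name"] for p in policies}
    findings += [(n, "mapped but no policy found") for n in sorted(set(expected) - seen)]
    return findings

# Constructed sample data; only the LEADERSHIP mapping and policy are from the page.
EMP = "ORA_PER_EMPLOYEE_ABSTRACT"
MAPPINGS = [(EMP, "LEADERSHIP", "Leadership", "Edit"), (EMP, "MENTORING", "Mentoring", "View")]

def row(name, privilege):
    """Build one exported policy row (assumed format, one privilege per row)."""
    return {"name": name, "description": name,
            "data_resource": DATA_RESOURCE, "privilege": privilege}

POLICIES = [
    row(f"{EMP}, Grant on Profile Content Type LEADERSHIP", "Manage Leadership Content Type"),
    row("Leadership read access", "View Leadership Content Type"),
    row("HYPOTHETICAL_ROLE, Grant on Profile Content Type LEADERSHIP", "Manage Leadership Content Type"),
    row("Unrelated policy", "View Person Address"),
]
```

Calling audit(POLICIES, MAPPINGS) returns three findings: the hand-named policy, the policy for a role that has no mapping, and the MENTORING mapping with no policy behind it.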
Regeneration of Data and Abstract Roles
After saving your changes on the Manage Profile Content Section Access page, you must regenerate:
- Data roles that inherit any of the job roles to which you mapped a content section
- Abstract roles to which you mapped a content section and to which security profiles are assigned
Regenerating roles updates their data security permissions. If you don't regenerate relevant roles, then users can't access content sections in person profiles.
If you plan to copy abstract or job roles to which security profiles are assigned, then revoke the security profiles before you perform the copy. This precaution ensures that any data security policies, including those generated when you map content sections to a role, aren't copied.
Restrictions
Content sections in person profiles are unsecured when person profiles are included in:
- Best-fit analyses
- Profile comparisons
- Oracle Transactional Business Intelligence reports