One of your ideas has been delivered from your suggestion.

Secure Elements through HCM Data Roles

You can now secure and limit access to elements using HCM Data Roles and the new Element Security Profiles task flow. When you navigate to the Manage Element Entries page, the elements you can manage are restricted to those in your element security profile. You can enter, view, and edit only the earnings and deductions elements that are meant for your use.

For example, a Benefits user's access can now be restricted to only the voluntary and pre-tax deductions, excluding the regular and supplemental earnings. To do this, define an element security profile that includes only voluntary and pre-tax deduction elements and attach it to the Benefits Administrator data role.

The Element Security Profile restriction applies to these payroll features:

  • Manage Element Entries (both Manage and View-only)
  • Manage Calculation Entries – Standard Entries only
  • Use REST Service – Element Entries
  • Use REST Service – Element Entries Read Only
  • HSDL – Element Entry
  • HSDL – Element Entry with Costing
  • Quick Pay

It also applies to the following Benefits feature:

  • View Payroll Info under the Enrollment section of the Benefits Summary page.

NOTE: None of the other features are secured by Element Security Profile.

This feature includes these changes:

  • A new Element Security Profile page.
  • A new predefined View All Elements security profile.
  • A new Element Security Profile selection under Security Criteria when you create or edit a Data Role on the HCM Data Roles and Security Profiles page.
  • A new Element sub-train stop on the Assign Security Profiles to Role page.
  • Support for the new profile under Preview HCM Data Security page.
  • A new parameter for the element security profile in the Regenerate Data Security Profiles scheduled process. 
  • Data roles migration support.

For example, when you create a data role referencing the Benefits Specialist job role, you now see an Element section on the Create Data Role: Security Criteria page. From this section, you can either select an existing element security profile or create one for the data role.

By default, all your existing data roles are automatically updated with the View All Elements element security profile as part of the post-upgrade process. If you don’t wish to enable this feature, there’s no further action for you to take.

Create an Element Security Profile

Complete these steps to create an element security profile.

  1. Navigate to My Client Groups -> Show More -> Payroll and select the Element Security Profile quick action.
  2. Click the Add icon to create an Element Security Profile.
  3. Enter a Name for the profile and select the Enabled check box.
  4. Select a Legislative Data Group.

Once you select an LDG, the element classifications applicable to that LDG are populated in the Classifications region.

Element Security Profile

  5. Select the classifications you want to include in the security profile. All elements within the selected classifications are automatically included.

In this example, all elements with the primary classification of Pretax Deductions and Voluntary Deductions are included in the security profile.

Include or Exclude Individual Elements

As mentioned earlier, once you select an LDG on the Element Security Profile page and select the required primary classifications, all elements within the selected primary classifications are automatically included in the element security profile. However, if required, you can exclude some elements from the selected classifications, or include some elements from a classification you have not selected. Complete these steps to include or exclude individual elements.

  1. Click the Add icon in the Elements section on the Element Security Profile page.
  2. Search for the elements you want to include or exclude. For example, search for these elements:
       • Search for the PM YS Dependent Life element under Voluntary Deductions primary classification.
       • Search for the PM US Imputed GU Award element under Taxable Benefits primary classification.

The Inclusion Status is automatically populated as follows:

  • If the primary classification of the selected element is included in the profile, the inclusion status is set to Exclude.
  • If the primary classification is excluded from the profile, the inclusion status is set to Include.

In this example, the security profile includes these elements:

  • All elements with primary classification of Pretax Deductions.
  • All elements with primary classification of Voluntary Deductions except the PM YS Dependent Life element.
  • PM US Imputed GU Award element with primary classification of Taxable Benefits.

Element Security Profile - Element Classifications

8. Click Save and Close. The Element Security Profile is saved.

NOTE: You can include multiple LDGs within a security profile. Each LDG must have at least one classification or element included.
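The include/exclude rules above can be modelled in a few lines to check what a profile will actually expose before you attach it to a data role. This is an added illustration, not Oracle's implementation: the `LdgRules` class, its method names and the "Sample ..." catalogue entries are assumptions made for the example, and only the two "PM ..." element names and their classifications come from the page.

```python
from dataclasses import dataclass, field

# Constructed catalogue for one LDG: element name -> primary classification.
# Only the two "PM ..." entries come from the page; the rest are sample data.
CATALOGUE = {
    "PM YS Dependent Life": "Voluntary Deductions",
    "Sample Gym Membership": "Voluntary Deductions",
    "Sample 401k": "Pretax Deductions",
    "PM US Imputed GU Award": "Taxable Benefits",
    "Sample Car Allowance": "Taxable Benefits",
    "Sample Bonus": "Supplemental Earnings",
}

@dataclass
class LdgRules:
    """Hypothetical model of one LDG's section of an element security profile."""
    classifications: set = field(default_factory=set)
    overrides: dict = field(default_factory=dict)  # element -> "Include" | "Exclude"

    def add_element(self, element, catalogue):
        # Inclusion Status is the opposite of the classification's state.
        selected = catalogue[element] in self.classifications
        self.overrides[element] = "Exclude" if selected else "Include"
        return self.overrides[element]

    def allows(self, element, catalogue):
        # An individual element entry wins; otherwise the classification decides.
        status = self.overrides.get(element)
        if status is not None:
            return status == "Include"
        return catalogue[element] in self.classifications

    def is_valid(self):
        # Each LDG needs at least one classification or one included element.
        return bool(self.classifications) or "Include" in self.overrides.values()

def visible_elements(rules, catalogue):
    """Elements a user holding this profile could enter, view, or edit."""
    return sorted(e for e in catalogue if rules.allows(e, catalogue))

def build_page_example():
    """The profile described in the walkthrough above."""
    rules = LdgRules({"Pretax Deductions", "Voluntary Deductions"})
    rules.add_element("PM YS Dependent Life", CATALOGUE)
    rules.add_element("PM US Imputed GU Award", CATALOGUE)
    return rules

if __name__ == "__main__":
    print(visible_elements(build_page_example(), CATALOGUE))
```

Anything not reached by a selected classification or an explicit Include stays hidden, so unselected classifications such as the sample earnings entry are denied by default.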

Add an Element Security Profile to a Data Role

After you create an Element Security Profile, you must add it to a Data Role. By default, for all existing data roles, the Element Security Profile is populated with View All Elements. You can add an Element Security Profile to a Data Role by any of the methods given here.

1. Add an Existing Element Security Profile

Follow these steps to add an existing Element Security Profile and restrict elements for a specific data role.

  1. Navigate to My Client Groups -> Show More -> Workforce Structures Payroll and select the Data Roles and Security Profiles quick action.
  2. Search and select the Data Role and click Edit.
  3. Select an existing profile in the Element Security Profile field.

2. Edit a Data Role and Create an Element Security Profile

You can also create a new Element Security Profile for the Data Role you are editing.

  1. Navigate to My Client Groups -> Show More -> Workforce Structures Payroll and select the Data Roles and Security Profiles quick action.
  2. Search and select the Data Role and click Edit.
  3. Select Create New in the Element Security Profile field.
  4. Enter the name of the profile in the Name field.

Create Data Role

3. Use the Element Tab and Create an Element Security Profile

Follow these steps to create an Element Security Profile using the Element Tab.

  1. Navigate to My Client Groups -> Show More -> Workforce Structures Payroll and select the Data Roles and Security Profiles quick action.
  2. Search and select the Data Role and click Edit.
  3. Click Next and select all the security profiles.
  4. Click Next. Click the Element tab.
  5. Select Create New in the Element Security Profile field.
  6. Enter the name of the profile in the Name field.

Create Element Security Profile

You can now restrict access to certain elements based on your organizational business needs.

Steps to Enable

  • Run the Regenerate Data Security Profiles and Grants job set.

  • By default, all your existing data roles are automatically updated with the View All Elements element security profile as part of the post-upgrade process. If you don’t wish to enable this feature, there’s no further action for you to take. 

  • You can take advantage of this new functionality by defining more restrictive element security profiles. You can create a new Element Security Profile to include or exclude elements as per your specific requirements and add this profile to a specific data role.

Tips And Considerations

  • For backward compatibility after the Update 24A upgrade, the default behavior will continue to have View All access to the elements.

  • When upgrading to Update 24A, the Regenerate Data Security Profiles and Grants job set will be run; you should verify it ran successfully. You should see that the View All default value appears on your data roles after upgrading.

  • If you have any automated test cases that try to edit a role or create a new data role based on impacted job roles, you must populate the element security profile value.

  • LDG security and Element Security Profile are independent of each other. When you implement both LDG and Element Security Profile, ensure that the LDG included in the Element Security Profile is also included in the LDG security profile.

  • Predefined statutory deduction elements exist for a legislation. If you have multiple LDGs within a single legislation, as long as you include the statutory deduction elements for one of the LDGs, they will be available for all LDGs within the same legislation.

  • Element entries displayed on the Quick Pay page are restricted based on the user element security profile. However, all elements are processed when submitting the Quick Pay.

Access Requirements

To use this feature, you need these job roles:

Job Role Name and Code:

  • Application Implementation Consultant (ORA_ASM_APPLICATION_IMPLEMENTATION_CONSULTANT_JOB)
  • Benefits Administrator (ORA_BEN_BENEFITS_ADMINISTRATOR_JOB)
  • Benefits Manager (ORA_BEN_BENEFITS_MANAGER_JOB)
  • Benefits Specialist (ORA_BEN_BENEFITS_SPECIALIST_JOB)
  • Compensation Administrator (ORA_CMP_COMPENSATION_ADMINISTRATOR_JOB)
  • Human Capital Management Application Administrator (ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB)
  • Human Capital Management Integration Specialist (ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_INTEGRATION_SPECIALIST_JOB)
  • Human Resource Analyst (ORA_PER_HUMAN_RESOURCE_ANALYST_JOB)
  • Human Resource Manager (ORA_PER_HUMAN_RESOURCE_MANAGER_JOB)
  • Human Resource Specialist (ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB)
  • Payroll Administrator (ORA_PAY_PAYROLL_ADMINISTRATOR_JOB)
  • Payroll Manager (ORA_PAY_PAYROLL_MANAGER_JOB)