Bulk Revoke of Share Data Access

The new Revoke Share Data Access process will revoke data security that was granted using the Share Data Access task. You can revoke access in bulk by either the expiration date or creation date.

To revoke access by expiration date, use the Expiration Date field on the Share Data Access page to define the last day that the access is valid. Then, schedule the Revoke Share Data Access process to run daily. The process will remove all records where the expiration date is before the run date. For example, if you run the process on July 1, all records with an expiration date of June 30 or earlier will be revoked. If the expiration date is blank, the access won't be revoked.

Because the Expiration Date field isn't required, and it's a new field added with the Redwood version of the page, it's likely that you have records with a blank expiration date. In that case, you can revoke records based on the creation date. You need to specify the number of days after the creation date, which the process uses to calculate an expiration date.

For example, if you set the Number of Days to 15, the process will calculate the expiration date as 15 days after the record's creation date. A record created on June 15 would have a calculated expiration date of June 30. If you run the process on July 1, the record would be deleted because the calculated expiration date is earlier than the July 1 run date. All records created before June 15 would similarly be deleted. All records created on or after June 16 would remain, because their calculated expiration dates would be July 1 or later.

Be careful when you choose the Days after creation date option, because it may delete more records than you intend. For example, if you set the Number of Days to zero, all records that are one day past their creation date will be deleted. In other words, the only remaining records would be those that were created today. In general, you can use this option to clean up historical records, or in combination with the Recipient parameter.

Figure: Parameters page for the Revoke Share Data Access process

You can also choose to narrow the request to revoke the records only for a specific recipient. This feature is useful if the recipient has moved to another role and no longer needs access to any records that were previously shared.

With this enhancement, you can automate the process of revoking data access that was previously shared.
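The selection rules described above can be modeled as a dry run over exported share records before the process is scheduled. This is an added example, not Oracle's code: the record fields, run-type strings and function names are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class ShareRecord:
    # Hypothetical field names for an exported row; not Oracle column names.
    record_id: int
    recipient: str
    created: date
    expires: Optional[date]  # None models a blank Expiration Date

def effective_expiration(rec, run_type, number_of_days=None):
    if run_type == "expiration":
        return rec.expires  # blank stays None, so it is never revoked
    if number_of_days is None or number_of_days < 0:
        raise ValueError("Number of Days must be zero or greater")
    # Days after creation date: the stored expiration date is ignored.
    return rec.created + timedelta(days=number_of_days)

def preview(records, run_date, run_type, number_of_days=None, recipient=None):
    """Return ids of the records the documented rules would revoke."""
    ids = []
    for rec in records:
        if recipient is not None and rec.recipient != recipient:
            continue  # Recipient parameter narrows the run to one person
        exp = effective_expiration(rec, run_type, number_of_days)
        if exp is not None and exp < run_date:  # strictly before the run date
            ids.append(rec.record_id)
    return ids

def unexpired_but_deleted(records, run_date, number_of_days, recipient=None):
    """Ids a creation-date run deletes although the stored expiration has not passed."""
    hit = set(preview(records, run_date, "days_after_creation", number_of_days, recipient))
    return [r.record_id for r in records
            if r.record_id in hit and r.expires is not None and r.expires >= run_date]

# Constructed sample data (the year is arbitrary; the page gives only month and day).
RECORDS = [
    ShareRecord(1, "alice", date(2025, 6, 1), date(2025, 6, 30)),
    ShareRecord(2, "bob", date(2025, 6, 15), None),
    ShareRecord(3, "bob", date(2025, 6, 16), None),
    ShareRecord(4, "carol", date(2025, 6, 10), date(2025, 12, 31)),
    ShareRecord(5, "alice", date(2025, 7, 1), None),
]
RUN = date(2025, 7, 1)

if __name__ == "__main__":
    for days in (15, 0):
        print(days, preview(RECORDS, RUN, "days_after_creation", days))
```

Record 4 is the case to watch for: its stored expiration date is still in the future, yet a 15-day creation-date run selects it.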

Steps to Enable

You must run the Revoke Share Data Access process for the data access to be revoked. You can schedule it to run on a regular basis, or run it ad hoc.

  1. Navigate to Scheduled Processes
  2. Click the Schedule New Process button
  3. Search for and select the process Revoke Share Data Access
  4. Choose a Run Type
    • If you choose Expiration date, the process revokes all records with an expiration date before the system date.
    • If you choose Days after creation date, the expiration date is ignored. The process calculates an expiration date based on the number of days after the creation date.
  5. If Run Type is Days after creation date, specify the Number of Days
  6. Optionally select a Recipient
    • The Recipient parameter revokes only the records that were shared with the specified recipient
  7. Submit the process

Tips And Considerations

  • The Share Data Access task adds rows to PER_SHARE_INFORMATION, and the Revoke Share Data Access process deletes them.
    • There isn't an audit on the table.
    • Once the data is deleted, it can't be recovered. But you can use the Share Data Access task to manually add it again.
    • The data in the table is used by the person security profile. If configured, your person security profile includes the rows in the table when determining data security for your tasks.
  • When Run Type is Days after creation date, the Expiration Date on the record is ignored. If the data meets the criteria to be deleted based on creation date, it will be deleted even if the expiration date is in the future.

  • Schedule the Revoke Share Data Access process so that it runs regularly. If you don't run the process, the access won't expire even if the expiration date has passed.

  • The expiration date attribute is new with the Redwood version of the page. Transition to the Redwood page to take advantage of the flexibility of specifying an expiration date.

Key Resources

For more information, refer to these resources on the Oracle Help Center:

Access Requirements

This table lists the functional privileges that support this feature and the predefined roles that inherit them.

| Functional Privilege | Abstract or Job Role |
| --- | --- |
| Run Revoke Share Data Access Process (PER_RUN_REVOKE_SHARE_DATA_ACCESS_PROCESS) | Human Resource Specialist |
| Run Global HR Processes (PER_RUN_HR_PROCESSES_PRIV). NOTE: This privilege also gives access to other Global HR processes. | Human Capital Management Application Administrator |

NOTE: If you're not using the predefined roles, you must add the Run Revoke Share Data Access Process privilege to your custom role.