1. Securing HCM
  2. Role Types

Role Types

This topic introduces the role types in Oracle Human Capital Management Cloud (Oracle HCM Cloud).

Oracle HCM Cloud defines five types of roles:

  • Data roles

  • Abstract roles

  • Job roles

  • Aggregate privileges

  • Duty roles

Data Roles

Data roles combine a worker's job and the data that users with the job must access. For example, the HCM data role Country Human Resource Specialist combines a job (human resource specialist) with a data scope (country). You define the data scope of a data role in one or more HCM security profiles. HCM data roles aren't part of the security reference implementation. You define all HCM data roles locally and assign them directly to users.

Abstract Roles

Abstract roles represent a worker's role in the enterprise independently of the job that you hire the worker to do. The three main abstract roles predefined in Oracle HCM Cloud are:

  • Employee (ORA_PER_EMPLOYEE_ABSTRACT)

  • Contingent Worker (ORA_PER_CONTINGENT_WORKER_ABSTRACT)

  • Line Manager (ORA_PER_LINE_MANAGER_ABSTRACT)

You can also create abstract roles. All workers are likely to have at least one abstract role. Their abstract roles enable users to access standard functions, such as managing their own information and searching the worker directory. You assign abstract roles directly to users.

Job Roles

Job roles represent the job that you hire a worker to perform. Human Resource Analyst and Payroll Manager are examples of predefined job roles. You can also create job roles. Typically, you include job roles in data roles and assign those data roles to users. The IT Security Manager and Application Implementation Consultant predefined job roles are exceptions to this general rule because they're not considered HCM job roles. Also, you don't define their data scope in HCM security profiles.

Aggregate Privileges

Aggregate privileges combine the functional privilege for an individual task or duty with the relevant data security policies. The functional privileges that aggregate privileges provide may grant access to task flows, application pages, work areas, reports, batch programs, and so on. Aggregate privileges don't inherit other roles. All aggregate privileges are predefined and you can't edit them. Although you can't create aggregate privileges, you can include the predefined aggregate privileges in custom job, abstract, and duty roles. You don't assign aggregate privileges directly to users.

Duty Roles

Each predefined duty role represents a logical grouping of privileges that you may want to copy and edit. Duty roles differ from aggregate privileges as follows:

  • They include multiple function security privileges.

  • They can inherit aggregate privileges and other duty roles.

  • You can create duty roles.

Job and abstract roles may inherit duty roles either directly or indirectly. You can include predefined and custom duty roles in custom job and abstract roles. You don't assign duty roles directly to users.