Best Practices for HCM Data Roles and Security Profiles
Planning your use of HCM data roles and security profiles helps minimize maintenance and eases their introduction in your enterprise. This topic suggests some approaches.
Minimizing Numbers of Data Roles and Security Profiles
Secure access to person records based on a user's areas of responsibility whenever possible. Using this approach, you can:
- Reduce dramatically the number of HCM data roles and security profiles that you must manage.
- Avoid the performance problems that can occur with large numbers of HCM data roles.
Identifying Standard Requirements
Most enterprises are likely to have some standard requirements for data access. For example, multiple HCM data roles may need access to all organizations in a single country. If you create an organization security profile that provides this access, then you can include it in multiple HCM data roles. This approach simplifies the management of HCM data roles and security profiles, and might also prevent the creation of duplicate security profiles.
Naming HCM Data Roles and Security Profiles
It's recommended that you define and use a naming scheme for HCM data roles and security profiles.
A security profile name can identify the scope of the resulting data instance set. For example, the position security profile name All Positions Sales Department conveys that the security profile identifies all positions in the Sales Department.
An HCM data role name can include both the name of the inherited job role and the data scope. For example, the HCM data role Human Resource Specialist Legal Employer identifies both the job role and the role scope. HCM data role names must contain fewer than 55 characters.
Planning Data Access for Each HCM Data Role
An HCM data role can include only one security profile of each type. For example, you can include one organization security profile, one managed person security profile, and one public person security profile. Therefore, you must plan the requirements of any HCM data role to ensure that each security profile identifies all required data instances. For example, if a user accesses both legal employers and departments, then the organization security profile must identify both types of organizations.
Providing Access to All Instances of an Object
To provide access to all instances of an HCM object, use the appropriate predefined security profile. For example, to provide access to all person records in the enterprise, use the predefined security profile View All People.
Auditing Changes to HCM Data Roles and Security Profiles
A user with the Application Implementation Consultant job role can enable audit of changes to HCM data roles and security profiles for the enterprise.
Assigning Duty Roles to Data Roles
Duty roles and aggregate privileges should not be added directly to the HCM data role through the Security Console. It's recommended that you add them only to the underlying job role that's inherited by the HCM data role.
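The following added example (not Oracle code) lints a planned set of HCM data roles against the rules in this topic: the name-length limit, one security profile of each type, no duty roles added directly to a data role, and duplicate security profiles. The dictionary layout, the scope strings, and the sample profile, role and duty names are constructed for the illustration and don't correspond to any Oracle export format.

```python
from collections import defaultdict

# Constructed planning data (hypothetical layout, not an Oracle export).
# Security profile name -> (profile type, scope the profile identifies).
PROFILES = {
    "All Organizations US": ("organization", frozenset({"country:US"})),
    "US Organizations": ("organization", frozenset({"country:US"})),
    "Legal Employers US": ("organization", frozenset({"legal_employer:US"})),
    "View All People": ("person", frozenset({"all"})),
}
ROLES = [
    {"name": "Human Resource Specialist Legal Employer",
     "job_role": "Human Resource Specialist",
     "profiles": ["Legal Employers US", "All Organizations US", "View All People"],
     "direct_duty_roles": []},
    {"name": "Human Resource Analyst All Organizations United States Region",
     "job_role": "Human Resource Analyst",
     "profiles": ["US Organizations", "View All People"],
     "direct_duty_roles": ["Sample Duty"]},
]

def lint_roles(roles, profiles):
    """Return (role name, finding) pairs for the rules stated in this topic."""
    findings = []
    for role in roles:
        name = role["name"]
        if len(name) >= 55:
            findings.append((name, f"name has {len(name)} characters; must be fewer than 55"))
        by_type = defaultdict(list)
        for p in role["profiles"]:
            by_type[profiles[p][0]].append(p)
        for ptype, names in sorted(by_type.items()):
            if len(names) > 1:  # only one security profile of each type per data role
                scope = sorted(set().union(*(profiles[p][1] for p in names)))
                findings.append((name, f"{len(names)} {ptype} security profiles; use one that identifies {scope}"))
        for duty in role["direct_duty_roles"]:
            findings.append((name, f"{duty}: add to job role {role['job_role']}, not to the data role"))
    return findings

def duplicate_profiles(profiles):
    """Group names of profiles that share a type and identify the same scope."""
    by_definition = defaultdict(list)
    for pname, definition in profiles.items():
        by_definition[definition].append(pname)
    return sorted(sorted(names) for names in by_definition.values() if len(names) > 1)

if __name__ == "__main__":
    for item in lint_roles(ROLES, PROFILES) + duplicate_profiles(PROFILES):
        print(item)
```

Running such a check before roles are created catches plans that need a single, broader security profile and profiles that could be shared across data roles instead of duplicated.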