Security Ed 2
Instructor Guide
Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other
names may be trademarks of their respective owners.
CONTENTS
Lesson 1: Course Overview .........................................................1
Welcome .................................................................................................... 1
Course Objectives ........................................................................................ 2
Additional Resources .................................................................................... 3
There are no activities for this lesson ............................................................. 4
Manage Payroll Flow Security Profiles ........................................................ 55
Creating Payroll Flow Security Profiles ..................................................... 55
Instructor Note: Notes on Activities ............................................................. 57
Instructor Note: Activity Timing .................................................................. 59
Student Activity: Creating Security Profiles and Assigning to a New Data Role.. 60
Activity 1 Introduction ................................................................................ 61
Activity 1: Creating Security Profiles and Assigning to a New Data Role ......... 62
Assigning Security Profiles to Existing Roles ................................................. 66
Editing Security Profiles .............................................................................. 67
Security Profiles Review Question 1 ............................................................. 68
Security Profiles Review Question 2 ............................................................. 69
Security Profiles Review Question 3 ............................................................. 70
Security Profiles Questions and Answers ...................................................... 71
Lesson 5: HCM Security Management Data Stores ..................129
User Interface Overview ........................................................................... 129
HCM Security Management Data Stores ..................................................... 131
Fusion Applications, OIM, and APM Terminology Differences ......................... 133
Setup Tools and Tasks ............................................................................. 134
Instructor Note: Notes on Tools and Tasks ................................................. 136
Access to Security Tasks .......................................................................... 137
Instructor Note: HCM Security Task List ................................................... 140
There are no activities for this lesson ......................................................... 141
Lesson 6: Managing Job Roles and Abstract Roles ..................142
Instructor Note: Demo Timing .................................................................. 142
Demonstration: Viewing Roles in OIM ........................................................ 143
Instructor Note: Demo Timing .................................................................. 145
Demonstration: Using OIM to Manage Roles ............................................... 146
Important Note on Using OIM and APM ...................................................... 153
Instructor Note: Demo Timing .................................................................. 154
Demonstration: Using APM to View Duty Roles ........................................... 155
Regenerating Roles .................................................................................. 159
Instructor Note: Regeneration of Data Roles ............................................ 160
Instructor Note: Activity Timing ................................................................ 161
Student Activity: Creating a New Job Role .................................................. 162
Activity 3 Introduction .............................................................................. 163
Instructor Note: Notes on Activity 3 ........................................................ 164
Activity 3: Creating a New Job Role ......................................................... 165
Instructor Note: Activity Timing ................................................................ 169
Student Activity: Creating a Data Role for New Job Role and Assigning to User ..... 170
Activity 4 Introduction .............................................................................. 171
Activity 4: Creating a New Data Role and Assigning to User ....................... 172
Instructor Note: Troubleshooting Activity 4 ................................................ 175
Managing Job Roles and Abstract Roles Review Question 1........................... 176
Managing Job Roles and Abstract Roles Review Question 2........................... 177
Managing Job Roles and Abstract Roles Review Question 3........................... 178
Managing Job Roles and Abstract Roles Questions and Answers .................... 179
Lesson 9: Tips for Implementing HCM Security .......................214
Resilience to Change ................................................................................ 214
Impersonation ......................................................................................... 216
Advanced Tip: Minimizing the Number of Data Roles ................................... 217
Dynamic Security Profiles and Areas of Responsibility................................ 218
Defining Areas of Responsibility .............................................................. 219
Creating a Dynamic Security Profile ......................................................... 220
Instructor Note: Activity Timing .............................................................. 222
Student Activity: Defining a Dynamic Data Role ........................................ 223
Activity 6 Introduction ........................................................................... 224
Activity 6: Defining a Dynamic Data Role ............................................... 225
Lesson Review Questions.......................................................................... 230
Lesson Review Question 1 ...................................................................... 230
Lesson Review Question 2 ...................................................................... 231
Lesson Review Question 3 ...................................................................... 232
Lesson Review Question 4 ...................................................................... 233
Lesson Questions and Answers ............................................................... 234
Lesson 1: Course Overview
1. Instructor introduction
2. Student introductions
- Name
- Role (Functional Implementer/Technical Consultant)
- Company
- Experience with Oracle (HCM, EBS, PeopleSoft, JDE, etc.)
- Fusion experience
Course Objectives
After completing this course, you should be able to:
Additional Resources
Classroom Resources:
When she signs on to Oracle Fusion Applications, all of these roles are active
concurrently. The functions and data she can access are determined by the
combination of roles to which she is assigned. As an employee, Julie has access to
employee functions and data, and as a line manager, she has access to line-manager
functions and data.
If questions about security occur in other lessons (such as how to prevent a user from
doing something or how to enable a user to do something), the answer is always the
same: the roles provisioned to the user determine what the user can (and cannot) do.
For example:
Which Data is the set of data that users with this role can access when
performing this function. In Oracle Fusion HCM, "Which Data" is defined using
security profiles.
Benefits Administrator
Benefits Manager
Benefits Specialist
Compensation Administrator
Compensation Analyst
Compensation Manager
Compensation Specialist
Contingent Worker
Employee
Human Capital Management Application Administrator
Human Resource Analyst
Human Resource Manager
Human Resource Specialist
Human Resource VP
Line Manager
Payroll Administrator
Payroll Manager
These predefined roles are included in the Security Reference Implementation. You
can review details of the HCM security implementation in the Oracle Fusion Applications
Human Capital Management Security Reference Manual. The Oracle Fusion
Applications Common Security Reference Manual covers roles that are common across
Oracle Fusion Applications, such as the Application Implementation Consultant and IT
Security Manager roles.
Role Inheritance
Role inheritance is a key concept in the Oracle Fusion HCM security model. The figure
below illustrates the hierarchy of job and duty inheritance.
Note that the two data roles have different security profiles, granting access to different
sets of data.
Role Types
Oracle Fusion Applications uses four types of roles for security management:
Data Roles are a combination of a worker's job and the data instances that users
with the role need to access. For example, the HCM data role Payroll
Administrator Payroll US combines a job (Payroll Administrator) with a data
scope (Payroll US). Data roles are not delivered as part of the reference
implementation. They are defined by customers and are assigned directly to
users.
Job roles align with the job a worker is hired to perform. Examples of predefined
job roles are Human Resource Analyst and Payroll Manager. You can create
custom job roles. Typically, you include job roles in data roles, and assign those
data roles to users. (The IT Security Manager and Application Implementation
Consultant job roles are exceptions, because they are not considered HCM job
roles and don't restrict data using security profiles.)
Duty roles align with the individual duties that users perform as part of their job.
They grant access to work areas, dashboards, task flows, application pages,
reports, batch programs, and so on. They may carry both function and data
security grants. Duty roles are inherited by job and abstract roles, and can also
be inherited by other duty roles. Duty roles are delivered as part of the reference
implementation, and can be used as building blocks when creating your own job
and abstract roles. You do not assign duty roles directly to users.
In this example, the duty roles give the user access to all the tasks and functions that an
HR specialist needs to perform plus all the tasks, unrelated to a specific job, that every
employee needs to perform.
Most security profiles are defined by customers and assigned to data roles and abstract
roles. (A small set of predefined security profiles is delivered as part of the security
reference implementation.)
The HCM security model supports several different types of security profiles, each used
to control access to a different type of data.
Security Privileges
When you look deeper into the role hierarchy, you can see that the Worker Promotion
Duty is associated with a function security privilege and two data security policies.
The Promote Worker function security privilege secures access to the Promote
Worker page.
A second data security policy determines which positions the person can be
promoted into.
Each data security policy defines a role (such as Worker Promotion Duty), a business
object being accessed (such as Person Assignment), the condition that must be met for
access to be granted, and a data security privilege that defines the action being
performed.
Function security privileges and data security policies are covered in detail in a later
section.
Inform the class that this information is covered in detail later in the class in the HCM
Security Deep Dive section. In this overview, we're just introducing the concepts of
function security and data security and the related function security privileges and data
security privileges. Ask students to hold their detailed questions on data security
policies until later, and assure them that they will have an opportunity to see these
features up close.
Role Evaluation
By default, users do not have access to Oracle Fusion Applications functions and data.
Users are granted access by means of the roles provisioned to them.
Review how the security reference implementation of roles and policies fits with
the jobs in your enterprise.
Decide whether the duties defined for the jobs in the security reference
implementation match the duties performed by corresponding jobs in your
enterprise.
For example, the predefined Line Manager role includes compensation management
duties. If some of your line managers do not handle compensation, you could create a
custom line manager role without those duties.
Evaluate the predefined roles and privileges in the security reference implementation
against the needs of your enterprise and determine the necessary security setup
actions:
If jobs exist in your enterprise that are not represented by the security
reference implementation, you create a new job role or abstract role.
If the duties for a predefined job role are not the same as the
corresponding job description in your enterprise, you add duties to and
subtract duties from the job role.
If the duties for a job are not defined in the security reference
implementation, you create custom duty roles.
The demonstrations and activities in this lesson will show you how to perform each of
these setup actions.
Note: As you make changes to the security reference implementation for an Oracle
Fusion Applications deployment, it is good practice to create your own custom roles
rather than modify predefined roles. Upgrade and maintenance patches to the security
reference implementation preserve your changes. Thus, if you do modify predefined
roles, you won't be able to restore them to their original state by upgrading.
Demonstration Scope
Go to the Navigator, and view the available options. Select an option, and view the
available tasks in the task pane.
Demonstration Steps
Start Here
Oracle Fusion Applications Sign On screen
2. In the menu bar at the top of the page, click the Navigator icon button.
Information
Function security is used to secure the Navigator menu. Each menu entry
corresponds to a work area or dashboard, and each of these is secured with a
function security privilege. The function security privileges that are granted to the
user (through his or her roles) control the menu entries that the user can see.
Information
Function security also secures the task pane (displayed on the left side of the
page) for a work area. Each of the task pane entries corresponds to a task flow,
which is secured with a function security privilege. The function security
privileges that are granted to the user (through his or her roles) control the task
pane entries that the user can see.
Information
Curtis is assigned a great many roles, which is useful for testing (and for training
courses like this). He has functional manager roles, as well as IT Security
Manager. In the real world, few users would have this many different and
powerful roles.
Information
To sign out, click Curtis Feitty in the menu bar and then click Sign Out.
7. On the Navigator menu, notice that Mitch doesn't have access to the Workforce
Structures option and many other options that appear on Curtis's menu.
9. Scroll down to the Current Roles section to view Mitch's assigned roles.
Information
Mitch has fewer roles than Curtis. Mitch's roles don't give him access to the
Workforce Structures function, so it doesn't appear on his menu.
You have demonstrated how to view menu options and tasks managed by function
security.
Demonstration Scope
Explore the data available for viewing by different users based on their assigned roles.
Demonstration Steps
Start Here
Oracle Fusion Applications Sign On screen
Information
This user has employee and line manager roles. He also has several direct
reports.
Information
When you look at your own portrait, you can see your benefit enrollments,
compensation data, and so on. The actions that are available in the Actions
menu are controlled using data security. The actions you can perform include
things like Change Marital Status, but do not include actions like Promote.
4. Select the Organization Chart tab to show the management reporting hierarchy.
Information
When an employee views their manager's portrait, only publicly available
information appears. No HR actions are available. Data security controls access
to data that you can view for other people. A public person security profile
controls which people a user can search for in Person Gallery. Once a user has
selected a person, data security controls the Person Gallery cards that can be
seen for that person and also what actions can be performed against them.
7. Hover your mouse over the point at the bottom of Jack's box on the chart, and
then click the + sign to show Jack's direct reports.
Information
In the Actions section, you can see the functions available to Jack. He can
promote, terminate, manage the salary and compensation, and view absence
balances for Mark.
10. Navigate to the Person Gallery, and search for Linda Swift. (Enter Linda's
name in the Keywords field, click Search, and then click Swift, Linda in the
Search Results.)
Information
When viewing Linda in the Person Gallery, Curtis can see more cards and has
more actions than Jack. This is because Curtis has the HR Specialist - View All
role, which allows him a greater level of access.
You have demonstrated how to view application pages managed by data security and
noted the differences that result from provisioned data restrictions.
Note: All information presented in the manuals can be accessed in the various user
interface pages of Oracle Fusion Applications. However, the manuals make it easier to
compare and plan your customizations.
There are several ways to access the Security Reference Manuals online:
1. Click your user name (currently logged in user) at the top of any application
window.
2. Select Applications Help to display the Oracle Fusion Applications Help
window.
3. In the Search field, type the name of the manual you want to view, such as
Oracle Fusion Applications Human Capital Management Security Reference
Manual.
4. Click the icon button.
5. In the Search Results, click the link for the manual.
Information
From here, you can view, print, or save the manual to your local drive.
6. To limit the search results to PDF guides only, expand the Help Type section in
the left panel. Select PDF Guide and deselect all other help types.
The HCM Security Reference Manual contains a section for each predefined HCM job
and abstract role. For each role, you can review its:
duties
role hierarchy
function security privileges
data security policies
This information can help you understand which users should be provisioned with the
role, or which adjustments your enterprise requires before the role can be provisioned.
See also Mapping Of Roles, Duties and Privileges in Fusion Applications on My
Oracle Support (Doc ID 1460486.1).
Additional Information
For additional information and links, see the References page at the end of this lesson.
Data roles. Data roles always inherit job roles. The job roles provide the function
security access, while the security profiles assigned to the data role provide
access to the data required to perform the duties of the job.
Abstract roles. Three abstract roles are delivered with HCM: employee, line
manager, and contingent worker. You assign security profiles to predefined
abstract roles, such as employee, to grant access to HCM business objects, such
as the worker's own person record. You can also assign security profiles to the
custom abstract roles that you create.
Job roles. Assigning security profiles directly to job roles is less common, since
users with the same job often access different sets of data.
In the following example, Tim Thompson and Patricia Smith are both human resource
specialists, Tim in US Marketing and Patricia in US Sales. Each has a data role that
inherits the job role Human Resource Specialist and the duty roles appropriate to that
job role. Therefore, Tim and Patricia can perform the same functions and see the same
entries in the Navigator, work area Tasks panes, and menus. However, each user
accesses different sets of data, which are identified in separate sets of security profiles.
Note: If Tim and Patricia could access the same sets of data, you would assign the
same data role to both users.
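A small model of the inheritance rules described above, added here as an illustration (it is not Oracle code). It resolves the roles provisioned to Tim and Patricia and shows that they obtain the same function privileges but different data scopes; all role, privilege and profile names in it are constructed for the example.

```python
"""Toy model of the role inheritance described in this lesson (added example, not Oracle code).

Duty roles carry function privileges and may inherit other duty roles; job and abstract
roles inherit duties; a data role inherits exactly one job role and adds security profiles.
Role, privilege and profile names below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    kind: str                                       # "duty", "job", "abstract" or "data"
    inherits: list = field(default_factory=list)    # names of roles this role inherits
    function_privileges: set = field(default_factory=set)  # granted by duty roles
    security_profiles: dict = field(default_factory=dict)  # business object -> profile name


class RoleCatalog:
    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}
        for r in roles:
            kinds = [self.roles[i].kind for i in r.inherits]
            if r.kind == "data" and kinds != ["job"]:
                raise ValueError(f"data role {r.name} must inherit exactly one job role")
            if r.kind == "duty" and any(k != "duty" for k in kinds):
                raise ValueError(f"duty role {r.name} may only inherit duty roles")

    def _closure(self, name):
        """The role plus everything it inherits, directly or indirectly."""
        seen, stack = [], [name]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.append(n)
                stack.extend(self.roles[n].inherits)
        return seen

    def resolve(self, provisioned):
        """Function privileges and data scope a user gets from the roles provisioned to them."""
        if any(self.roles[n].kind == "duty" for n in provisioned):
            raise ValueError("duty roles are never assigned directly to users")
        functions, data_scope = set(), {}
        for top in provisioned:
            for n in self._closure(top):
                r = self.roles[n]
                functions |= r.function_privileges
                for obj, profile in r.security_profiles.items():
                    data_scope.setdefault(obj, set()).add(profile)
        return functions, data_scope


# Constructed reference-implementation fragment plus two customer-defined data roles.
CATALOG = RoleCatalog([
    Role("Position View Duty", "duty", function_privileges={"View Position"}),
    Role("Worker Promotion Duty", "duty", inherits=["Position View Duty"],
         function_privileges={"Promote Worker"}),
    Role("Person Management Duty", "duty", function_privileges={"Manage Person"}),
    Role("Worker Self Service Duty", "duty", function_privileges={"View Own Portrait"}),
    Role("Human Resource Specialist", "job",
         inherits=["Worker Promotion Duty", "Person Management Duty"]),
    Role("Employee", "abstract", inherits=["Worker Self Service Duty"],
         security_profiles={"Person": "View Own Record"}),
    Role("HR Specialist US Marketing", "data", inherits=["Human Resource Specialist"],
         security_profiles={"Person": "US Marketing People",
                            "Organization": "US Marketing Organizations"}),
    Role("HR Specialist US Sales", "data", inherits=["Human Resource Specialist"],
         security_profiles={"Person": "US Sales People",
                            "Organization": "US Sales Organizations"}),
])

TIM = ["HR Specialist US Marketing", "Employee"]
PATRICIA = ["HR Specialist US Sales", "Employee"]

if __name__ == "__main__":
    for who, roles in (("Tim", TIM), ("Patricia", PATRICIA)):
        functions, scope = CATALOG.resolve(roles)
        print(who, sorted(functions), scope)
```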
Person (managed)
Person (public)
Organization
Position
Legislative Data Group
Country
Document Type
Payroll
Payroll Flow
Two uses for the person security profile exist because many users need to access two
distinct sets of people from each of their roles: people whom they manage and people
whose public contact details they need to access (for example, in a worker directory).
The Person (managed) profile controls which people you can perform actions
against.
The Person (public) profile controls which people you can search for in the
Person Gallery. This profile is also used to secure some person LOVs. For
example, the Change Manager page and New Hire flows display a person LOV
that is secured using the public person security profile, rather than the person
security profile. This is because the person who is selecting the manager for a
worker might not have view access for that manager through their person
security profile.
You cannot:
HCM security profiles are reusable and modular. Once you create a security
profile, you can assign it to multiple data roles.
You can reference organization, position, payroll, and other security profiles in a
person security profile. For example, you might define an organization security
profile that allows access to a particular business unit. You can then reference
the organization security profile in a person security profile to provide access to
people who are assigned to that business unit.
Define a naming scheme that identifies clearly the set of business objects in the
security profile's data instance set, such as HCM US Departments or US
Marketing Positions. Security profile names must be unique in the enterprise for
the security profile type.
Give employees access to their own records, the person records of their
emergency contacts, beneficiaries, and dependents, and all public-person
records. Assign relevant HCM security profiles directly to the employee abstract
role.
Give managers access to the person records of direct and indirect reports.
Assign relevant HCM security profiles directly to the line manager abstract role.
For individual job roles, determine whether all users with that job role access the
same HCM business object instances. In this scenario, you do not need to create
a data role; you can simply assign the security profiles to the job role.
Demonstration Scope
Use the Manage Data Role and Security Profiles task to demonstrate the process of
creating a data role and assigning security profiles to it.
Demonstration Steps
Start Here
Oracle Fusion Applications Sign On screen
3. In the Name field, enter Manage Data Role and Security Profiles and click
Search.
4. In the Manage Data Role and Security Profiles task row, click Go to Task.
5. In the Search Results section toolbar, click the Create icon button.
7. In the Job Role field, search for and select Human Resource Specialist.
Information
A data role is always associated with a job role, from which it inherits duties.
The Delegation Allowed field is covered in the Role Delegation section later in
this class. You can leave this option unchecked.
8. Click Next.
Information
Here you select the security criteria for the role. For each business object that the
job role needs to access, a section appears on this page. To identify data set
instances for each business object, you can either select an existing security
profile or create a new security profile.
Note: Any security profiles that you create while defining the data role exist
independently of the data role and can be reused.
10. In the Person section, select the Create New hyperlink at the bottom of the
Person Security Profile LOV.
13. For all other sections, select any one of the predefined View All security profiles.
Information
This is the first of a series of pages for defining security profiles. Since you only
need to create a Person profile, you could skip to the Person page now by
clicking Person in the process train at the top of the page. However, for this
demonstration, we will review each page to see the criteria associated with each
business object. Key points about each profile type are included in the pages
following this demonstration.
15. Click Next, noting the security criteria on each page, until you reach the Person
train stop.
Note: In the Global Name Range section, the Secure by Global Name Range
option is selected based on your previous entry (step 12).
16. In the Global Name Range section, enter A in the From Person Name field,
and enter L in the To Person Name field.
Information
This criterion limits access to persons whose global list names are in the range A
through L.
17. To view the remaining security profile pages, continue clicking Next until you
reach the Review page.
Information
After submitting, it is a good idea to verify that the new role was successfully
created and profiles were assigned.
19. Search for the data role you just created. (Enter XX HR Specialist Vision in the
Role field, and click Search.)
20. In the Search Results, verify that the Security Profiles Assigned column for
your role displays a green checkmark.
At this point, you should have created a new data role and assigned the necessary
security profiles.
A security profile defines criteria that identify a data instance set for a particular
business object.
You can define any combination of available criteria. For example, you can
identify an organization data instance set by any combination of organization
hierarchy, organization classification, and organization name.
If you define criteria by name (or a list or range of names), the data instance set
is the same for all users and changes only if you update the security profile.
However, if you use other criteria, such as hierarchy or classification, the data
instance set may vary by user and may change independently of the security
profile.
If you define criteria by hierarchy, you can include a subset of the items in the
hierarchy by specifying the top level of the hierarchy. For example, you can
include a subset of organizations in the organization hierarchy by specifying the
top organization.
Business objects must satisfy all of the criteria in the security profile to belong to
its data instance set.
To provide access to all records, use the predefined View All security profile.
The subsequent pages provide key details for creating specific types of security profiles.
Users need access to organizations either because they manage their definitions or
because they perform tasks where lists of organizations are presented to them. For
example, a human resource specialist selects a business unit and a department when
hiring a worker. To allow users to access organizations, you create an organization
security profile, include it in an HCM data role, and provision the role to users.
Setup and Maintenance Work Area > Manage Organization Security Profile > Manage
Organization Security Profiles page > Create Organization Security Profile
You must decide how best to identify the set of organizations in the data instance
set. For example, if you list organizations by name, the data instance set can
change only if you update the security profile and is the same for all users. If you
identify organizations by organization hierarchy or classification, the data
instance set may change independently of the security profile and vary among
users.
If you use the organization from the user's assignment as the top organization,
the data instance set varies by user, even though the organization security profile
is the same for all users. If the user has multiple assignments in the organization
hierarchy, all relevant organizations from all assignments belong to the data
instance set.
Organizations must satisfy all of the criteria in the security profile to belong to its
data instance set.
Users need access to positions because they either manage position definitions or
perform tasks where lists of positions are presented to them. To allow users to access
positions, you create a position security profile, include it in an HCM data role, and
provision the role to users.
Setup and Maintenance Work Area > Manage Position Security Profile > Manage
Position Security Profiles page > Create Position Security Profile
When you identify positions by department or business unit, you include positions
defined for those departments or business units. To identify the departments and
business units, you select existing organization security profiles: the position
security profile inherits the data instance sets of the selected organization
security profiles.
You must decide how best to identify the set of positions in the security profile.
For example, if you list the positions by name, the data instance set can change
only if you update the security profile and is the same for all users. If you identify
positions by position hierarchy, department, or business unit, the data instance
set may change independently of the security profile and vary among users.
You can include a subset of the positions from a position hierarchy by specifying
a top position.
If you use the position from the user's assignment as the top position, the data
instance set varies by user, even though the position security profile is the same
for all users. If the user has multiple positions from the position hierarchy, all
relevant positions belong to the data instance set.
A person security profile includes criteria that identify one or more person records.
Users access person records either because they need to update them (for example,
because they manage those people) or because they need to contact those people.
You create separate person security profiles for each of these purposes. To allow users
to access person records, you create person security profiles, include them in an HCM
data role, and provision the role to users.
Setup and Maintenance Work Area > Manage Person Security Profile > Manage Person
Security Profiles page > Create Person Security Profile
Note the Access field in the table in the Secure by Person Types section. After
specifying a person type, you can set the Access to one of the following values:
Select All includes all persons of the specified person type in the instance set.
Other criteria in the security profile have no effect.
Select Restricted to include all persons of the specified person type, restricted
by the other criteria in the security profile.
For example, if you set the System Person Type to Contingent Workers and the Access
to Restricted, and also select a specific department in the Secure by Department
field, then the instance set comprises only the contingent workers in that
department. If Access is set to All, the instance set comprises all contingent
workers in the enterprise.
You can identify person records by any combination of person type, manager
hierarchy, workforce structures, global-name range, and custom criteria.
If you identify person records by manager hierarchy, you select either a person-
level or an assignment-level hierarchy. In a person-level hierarchy, the data
instance set includes any worker in a direct or indirect reporting line to the
signed-on user. Use this approach unless workers have multiple assignments
that are not all managed by the same manager. In an assignment-level hierarchy,
the data instance set includes both workers who report to the signed-on manager
directly and workers who report to the assignments that the signed-on manager
manages. In enterprises where workers have multiple assignments reporting to
various managers, this approach ensures that only managers who are directly
responsible for a worker have access to that worker.
A user who has access to a person record has access to relevant information
from all of the person's assignments, even if only one of the person's
assignments satisfies the criteria in the person security profile.
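The following model, added here as an example and not code from the course or from Oracle, evaluates the person security profile criteria described above (Access = All versus Restricted, Secure by Department, person-level versus assignment-level manager hierarchy, and whole-person access once any assignment matches) over a constructed org chart. Worker names, assignment ids and department names are constructed sample data; the signed-on user is assumed not to be part of their own hierarchy.

```python
"""Toy evaluator for person security profile criteria (added example, not Oracle code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    assignment_id: str
    worker: str                        # user name of the worker holding the assignment
    person_type: str                   # system person type, e.g. "Employee"
    department: str
    manager_assignment: Optional[str]  # id of the manager's assignment (None = top of chart)


@dataclass(frozen=True)
class PersonSecurityProfile:
    system_person_type: Optional[str] = None  # None = any person type
    access: str = "Restricted"                # "All" or "Restricted"
    departments: frozenset = frozenset()      # Secure by Department (empty = no restriction)
    hierarchy: Optional[str] = None           # None, "person" or "assignment"


def hierarchy_workers(user: str, assignments: list[Assignment], level: str) -> set[str]:
    """Workers in the reporting line below `user` for the chosen hierarchy type.

    person: a worker reports to a manager if ANY of the worker's assignments does,
    so all of that worker's own reports (on any assignment) are included as well.
    assignment: reporting lines are followed assignment by assignment, so a manager
    only reaches workers on assignments that report to assignments they manage.
    """
    by_id = {a.assignment_id: a for a in assignments}
    if level == "assignment":
        reachable = {a.assignment_id for a in assignments if a.worker == user}
        changed = True
        while changed:
            changed = False
            for a in assignments:
                if a.manager_assignment in reachable and a.assignment_id not in reachable:
                    reachable.add(a.assignment_id)
                    changed = True
        return {by_id[i].worker for i in reachable} - {user}
    if level != "person":
        raise ValueError(f"unknown hierarchy type: {level}")
    reachable = {user}  # assumption: the signed-on user is not in their own instance set
    changed = True
    while changed:
        changed = False
        for a in assignments:
            manager = by_id.get(a.manager_assignment)
            if manager and manager.worker in reachable and a.worker not in reachable:
                reachable.add(a.worker)
                changed = True
    return reachable - {user}


def instance_set(profile: PersonSecurityProfile, user: str, assignments: list[Assignment]) -> set[str]:
    """Workers whose person records `profile` makes visible to `user`."""
    # The person type applies in both modes; with Access = All nothing else is checked.
    matching = [a for a in assignments if profile.system_person_type in (None, a.person_type)]
    if profile.access == "Restricted" and profile.departments:
        matching = [a for a in matching if a.department in profile.departments]
    people = {a.worker for a in matching}
    if profile.access == "Restricted" and profile.hierarchy:
        people &= hierarchy_workers(user, assignments, profile.hierarchy)
    return people


def accessible_assignments(profile: PersonSecurityProfile, user: str, assignments: list[Assignment]) -> set[str]:
    """Once a person is in the instance set, ALL of that person's assignments are visible,
    including those that did not satisfy the criteria themselves."""
    people = instance_set(profile, user, assignments)
    return {a.assignment_id for a in assignments if a.worker in people}


# Constructed sample org chart (not from the course environment).
ORG = [
    Assignment("A1", "curtis", "Employee", "Human Resources US", None),
    Assignment("A5", "dana", "Employee", "Operations US", None),
    Assignment("A2", "wei", "Employee", "Human Resources US", "A1"),  # wei reports to curtis ...
    Assignment("A3", "wei", "Employee", "Operations US", "A5"),       # ... and, on a second assignment, to dana
    Assignment("A6", "lee", "Employee", "Operations US", "A2"),
    Assignment("A4", "pat", "Contingent Worker", "Organizational Development US", "A3"),
]

if __name__ == "__main__":
    all_cw = PersonSecurityProfile("Contingent Worker", "All", frozenset({"Operations US"}))
    restricted_cw = PersonSecurityProfile("Contingent Worker", "Restricted", frozenset({"Operations US"}))
    print(instance_set(all_cw, "curtis", ORG))         # {'pat'}: the department criterion is ignored
    print(instance_set(restricted_cw, "curtis", ORG))  # set(): pat is not in Operations US
    print(instance_set(PersonSecurityProfile(hierarchy="person"), "curtis", ORG))      # wei, lee and pat
    print(instance_set(PersonSecurityProfile(hierarchy="assignment"), "curtis", ORG))  # wei and lee only
    hr_only = PersonSecurityProfile(departments=frozenset({"Human Resources US"}))
    print(accessible_assignments(hr_only, "curtis", ORG))  # includes A3, wei's Operations US assignment
```

The assignment-level run is the one to study: pat reports to wei's Operations US assignment, which curtis does not manage, so pat drops out of curtis's instance set even though wei is in it. The last call shows the whole-person rule: wei qualifies through the Human Resources US assignment, and the Operations US assignment becomes visible with it.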
To create a public-person security profile, you perform the Manage Person Security
Profile task.
A public-person security profile identifies the set of workers whose contact details the
signed-on user needs to access (for example, in the Person Gallery).
You can identify workers using any of the available criteria. To provide access to all
enterprise workers, use the predefined person security profile View All Workers.
A document type security profile includes criteria that identify one or more locally
defined document types.
Users need access to document types because they either manage the definitions of
those document types or need to access instances of those document types in the
person records to which they have access. To allow users to access document types,
you create a document type security profile, include it in an HCM data role, and
provision the role to users.
Setup and Maintenance Work Area > Manage Document Type Security Profile >
Manage Document Type Security Profiles page > Create Document Type Security
Profile
_______________________________________________________
You identify one or more document types by name and indicate whether to
include or exclude those document types.
You do not include the standard predefined document types, such as visas,
driver's licenses, and passports, in a document type security profile: access to a
person record includes access to these document types for that person.
If you include document types, users can access only the specified document
types; the data instance set never changes unless you update the security
profile.
If you exclude document types, users can access all document types except
those in the security profile; therefore, the data instance set may change
independently of the security profile.
A legislative data group security profile includes the names of one or more legislative
data groups.
Users need access to legislative data groups mainly because they manage their
definitions. If a user is responsible for all legislative data group definitions in the
enterprise, use the predefined security profile View All Legislative Data Groups.
You can secure person records by legislative data group; if you plan to do this, consider
creating a separate security profile for each legislative data group.
Setup and Maintenance Work Area > Manage Legislative Data Group Security Profile >
Manage Legislative Data Group Security Profiles page > Create Legislative Data Group
Security Profile
_______________________________________________________
Setup and Maintenance Work Area > Manage Country Security Profile > Manage
Country Security Profiles page > Create Country Security Profile
_______________________________________________________
Users need access to payrolls either because they manage their definitions or because
they perform tasks where lists of payrolls are presented to them. For example, a payroll
administrator selects a payroll when setting up a worker's payroll relationship or
submitting a payroll flow. To allow users to access payrolls, you create a payroll security
profile, include it in an HCM data role, and provision the role to users.
Setup and Maintenance Work Area > Manage Payroll Security Profile > Manage Payroll
Security Profiles page > Create Payroll Security Profile
_______________________________________________________
The sample screen above illustrates a payroll security profile containing all payrolls
used in a particular organization (InFusion). Payrolls can also be organized by:
Period Type: For example, monthly payrolls are included in one security profile,
semiweekly payrolls in another, and so on.
A payroll flow security profile includes criteria that identify a set of payroll flows.
Users need access to payroll flows either because they manage payroll flow definitions
or run payroll flows. For example, a payroll administrator selects a payroll flow when
running a QuickPay or a payroll cycle. To allow users to access payroll flows, you
create a payroll flow security profile, include it in an HCM data role, and provision the
role to users.
Setup and Maintenance Work Area > Manage Payroll Flow Security Profile > Manage
Payroll Flow Pattern Security Profiles page > Create Flow Pattern Security Profile
_______________________________________________________
The sample screen above illustrates a payroll flow security profile containing a set of
flows related to payment distribution. You might choose to organize payroll flows into
security profiles based on:
Note: Users must also be granted access to the appropriate tasks within the flow.
In all activities, students are instructed to replace 'XX' with their initials in the
object names they create. If students are sharing an environment, make sure that
each student's initials are unique in the class. If necessary, tell students to
append their initials with a student number or use a middle initial.
Students will create business objects in each activity, and will use the objects
they create in subsequent activities. So it's important that they successfully
complete each one.
The activities specify the names to use for the business objects created. Instruct
students to use the specified names as it will help when referring to the objects
later on. Likewise, instruct students to enter all field values exactly as instructed,
as those values must be present for future activities.
Environment Issues
All activities have been tested, but we have encountered intermittent problems
with the following:
User Creation - When a user is created using the Manage Users task, the user
record should be immediately available in OIM. However, sometimes there is a
lag between the time the new user record is saved and the time it shows up in
OIM. There is nothing to do here but wait.
Problem starting OIM - When using the Manage Job Roles task to access OIM,
a new browser window opens. Sometimes that window is blank and OIM does
not start. If this happens, don't wait more than a minute or two. The best thing is
to close the blank browser window and then sign out of Oracle Fusion
completely. Start Fusion again in a new browser window, and then start OIM.
This usually solves the problem right away.
Activity 1 Introduction
Background
When HR specialists perform tasks where lists of organizations are presented, they
must be able to select their department and should not be able to view certain restricted
departments. A new data role is required, with security profiles that restrict the data the
role can access.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application Vision database (or
comparable training or test instance at your site) on which to complete this
activity.
Activity Scope
An organization security profile that grants access to all departments except the
Organizational Development US department and its parent, the Human
Resources US department.
A person security profile that grants access with the same two exclusions.
Once you have created both security profiles, you create an HCM data role, based on
the Human Resource Specialist job role, and assign the two security profiles to it.
Start Here
Oracle Fusion HCM Sign On screen
1. Log in as Curtis.Feitty.
3. In the Name field, enter Manage Organization Security Profile and click
Search.
5. In the Search Results section toolbar, click the Create icon button.
10. In the Organizations section, select the Secure by Organization List option.
12. In the Organization LOV, search for and select Human Resources US.
Information
If you search for the organization, enter Department as the Classification
Name in the Search and Select: Organization window.
15. In the Organization LOV, search for and select Organizational Development
US.
1. In the Setup and Maintenance work area, search for the Manage Person
Security Profile task.
2. In the Search Results, select the Manage Person Security Profile task row
and click Go to Task.
3. In the Search Results section toolbar, click the Create icon button.
Information
8. Click Done.
1. In the Setup and Maintenance work area, search for the Manage Data Role
and Security Profiles task.
2. In the Search Results, select the Manage Data Role and Security Profiles
task row, and click Go to Task.
3. In the Search Results section toolbar, click the Create icon button.
Information
The name cannot exceed 55 characters.
5. In the Job Role field, search for and select Human Resource Specialist.
Information
The job role selection affects which security profiles you can assign to the role.
For example, selection of the Human Resource Analyst job role will not allow you
to control security of the payroll flow, since that is not part of the job.
6. Click Next.
7. In the Organization section, select the organization security profile you created
in this activity (XX Operations US).
8. In the Person section, select the person security profile you created in this
activity (XX Operations US People Only).
9. In all other sections, search for and select any one of the predefined View All
options.
12. Search for the data role you just created. (Enter XX HR Spec Data in the Role
field, and click Search.)
13. In the Search Results, verify that the Security Profiles Assigned column
displays a green checkmark.
Make any necessary changes to the security criteria, and click Next. The series of
pages displayed when you assign security profiles to an existing data role is the same
as when you assign profiles to a new data role.
If you want to change the definition of an existing security profile, use the appropriate
task in the Setup and Maintenance work area:
Search for the profile, and then open it for editing. When you save your changes, they
are picked up immediately by any data roles that reference them.
1. True
2. False
You can identify a set of person records in a person security profile by:
5. All of the above (legislative data group, custom criteria, person type, and payroll)
A user who has access to a person record has access to all of the person's
assignments.
1. True
The customer plans to create new users within Oracle Fusion HCM on an
ongoing basis.
In this scenario, Oracle Fusion HCM operates as a standalone system, and HCM
users are not shared with other applications in the enterprise.
At implementation time, existing users might be imported into Oracle Fusion
HCM, or a set of new users might be created when workers are loaded into
Oracle Fusion HCM.
The customer wants to allow these existing users to access Oracle Fusion HCM
using SSO. New users are provisioned in the on-premise LDAP and copied to
Oracle Identity Manager (OIM) for use by Oracle Fusion HCM. Fusion HCM roles
are maintained in OIM.
The customer, typically a very large company, has its own user account
and role-provisioning system.
The customer wants to use their own system, rather than Oracle Fusion HCM, to
manage all user and role provisioning for all applications in the enterprise.
You can configure Oracle Fusion HCM to create user accounts automatically
when workers are hired using the New Hire flow.
You can also create user accounts using the Manage Users task. This is a
quicker way of getting employees into the system than using the New Hire flow.
(There is a demonstration later in this section that illustrates this process.)
Note: Once an implementation is complete, Oracle Fusion HCM users should not
use the Manage Users task; they should use the New Hire flows, which are more
functionally rich and handle creation of key employment information required for
Oracle Fusion HCM implementations. The Manage Users task is intended for use
by Oracle Fusion Applications customers who are not implementing Oracle
Fusion HCM.
User accounts can be maintained using the Manage Users task in the Setup and
Maintenance work area and the Manage User Account task in the Person
Management work area.
A security administrator can reset user passwords using OIM, which is one of the
Fusion Middleware UIs used for administering Oracle Fusion Applications
security. HCM users can request a password reset from any of the following
pages:
User Creation
Send User Name and Password
User Account Role Provisioning
User Account Maintenance
Alternate Contact E-Mail Address
Default User Name Format
Navigator > Tools > Setup and Maintenance work area > Manage Enterprise HCM
Information > Edit Enterprise page
_______________________________________________________
Both person and party users: User accounts are created automatically for both
persons and party users. This is the default setting.
Party users only: User accounts are created automatically for party users only.
Account requests for HCM users are held in the LDAP requests table, where they
are identified as Suppressed and not passed to OIM.
Note: If you disable the automatic creation of user accounts for some or all
users, then you can create user accounts individually in OIM. You can also link
existing OIM user accounts to person and party records using the Manage User
Account or Manage Users tasks. Alternatively, you can use a provisioning
infrastructure other than OIM to create and manage user accounts. In this case,
you are responsible for managing the interface with Oracle Fusion HCM,
including any user-account-related updates.
User Account Role Provisioning: Controls whether to provision and deprovision roles
to users. Options include:
Both person and party users: Roles are provisioned and deprovisioned for
both person and party users. This value is the default setting.
Party users only: Roles are provisioned and deprovisioned for party users only.
HCM user role requests are held in the LDAP requests table, where they are
identified as Suppressed and not passed to OIM.
None: For both person and party users, role requests are held in the LDAP
requests table, where they are identified as Suppressed and not passed to OIM.
User Account Maintenance: Controls whether OIM user accounts are maintained,
suspended, and reactivated automatically. Options include:
Both person and party users: User accounts are maintained automatically for
both person and party users. This is the default setting.
Party users only: User accounts are maintained automatically for party users
only. HCM user account-maintenance requests are held in the LDAP requests
table, where they are identified as Suppressed and not passed to OIM.
None: User accounts are not maintained automatically. Person and party user
account-maintenance requests are held in the LDAP requests table, where they
are identified as Suppressed and not passed to OIM.
Note: By default, user accounts are suspended automatically when the user has
no roles and reactivated when roles are provisioned. In addition, the following
person information is sent automatically from Oracle Fusion HCM to OIM when
you update a person record: person name, work e-mail, work location address,
system person type from the primary assignment, and manager details.
Send User Name and Password: Controls whether to send new users and their
managers an email notification when their Oracle Fusion account is accessible.
If set to Yes, user names and passwords for new OIM user accounts are sent
automatically to the first of the following email addresses that can be found for
the account:
If set to No, no e-mails are sent. You can notify users of their user names and
passwords later by running the process Send User Name and Password E-Mail
Notifications. This process sends e-mails for all users for whom such notifications
have not yet been sent. The e-mails are sent to users or their line managers (not
to the alternate contact e-mail).
Note: The OIM Reset Password notification template must include the user ID
field if you plan to run the process Send User Name and Password E-Mail
Notifications. For more information about OIM notification templates, see the
section Modifying a Notification Template in the Oracle Fusion Middleware
Administrator's Guide for Oracle Identity Manager.
You can override the enterprise setting for individual users on the Create User or
Manage User Account page. If you set the enterprise setting to No and enable
the setting for an individual user, notifications are sent to the user's primary work
e-mail or the user's line manager (not the alternate contact e-mail).
Default User Name Format: The default user-name format to use for automatically
generated user names. Options include:
None: The OIM user-name policy determines the format. By default, OIM uses
the person's first and last names, but this format can be changed in OIM. To
make duplicate user names unique, OIM includes either the person's middle
name or a random alphabetic character. This is the default setting.
Note: The person number can be generated at various points in the Add Person
flows, which affects when the user name itself is generated. For example, if
person numbers are allocated only when a hire transaction is approved, then
user names cannot be generated sooner.
For party users who have no person number, the party e-mail is used instead
when person number is the default user name.
Primary work e-mail: The primary work e-mail (or party e-mail, for party users)
is the user name.
If a person's party number, person number, or e-mail is not available when the
user account is requested, then the account status is Failed until the value
becomes available and the request is resubmitted. If you run the Send Pending
LDAP Requests process daily, then the request is likely to be resubmitted as
soon as possible after the value becomes available. Alternatively, for individual
requests, you can perform the Process User Account Request action on the
Manage User Account page.
If a customer turns off user account role provisioning, any roles that are requested for
users using HCM pages (such as Manage User Account) are stored as pending
requests but are not actioned.
Hire an Employee
Promote Worker
Transfer Worker
Users can self-request new roles if role mapping rules have been defined (as described
on the next page) and the user meets the specified criteria. Line managers and HR
specialists can request new roles for the people they manage and revoke existing roles
from people they manage.
Note: By default, users have no access to functions and data. To enable users to
access functions and data, you must provision roles to them.
Note: You cannot assign a role to a user unless a role-provisioning rule exists for that
role and the conditions defined in the rule are met.
Use the Manage HCM Role Provisioning Rules task in the Setup and Maintenance
work area to create and manage role-provisioning rules.
Manage HCM Role Provisioning Rules > Manage Role Mappings page > Create Role
Mapping page
_______________________________________________________
Key Points
Use the Conditions area to define the conditions that must be met for the
mapping to apply.
Use the Associated Roles section to add one or more existing roles to the
mapping rule.
When you select a role in the Role Name field, you can see a description of the
role by hovering your mouse cursor over the role name.
When you include a delegatable role in a role mapping, users who qualify for the
role can delegate it if they have the role themselves or if the Requestable option
is selected for the role.
In the sample screen above, the conditions mean that any active employee who works
for InFusion Corp USA1 will automatically be given the Human Resource Specialist –
USA1 BU Set data role (since the Autoprovision option is selected). If the user
subsequently transfers to a different job, they will automatically lose this role.
Role-Provisioning Options
When defining role-provisioning rules on the Create Role Mapping page, you have
several provisioning options:
Note: The criteria defined in the Conditions section must be satisfied by the user
who is provisioning the role to other users, not by the users who are receiving the
role.
When you click this button, all assignments and role mappings in the enterprise
are reviewed and any necessary provisioning and deprovisioning of roles occurs
immediately. You can also perform autoprovisioning from an individual user's
account, in which case only that user’s assignments are reviewed and any
necessary provisioning and deprovisioning of roles for that user occur
immediately.
To meet the conditions defined in the role mapping example on the Defining Role
Provisioning Rules page below, an employee would need to work for InFusion Corp
USA1 and be assigned the job of Human Resource Specialist. You specify the
employee's legal employer on the Identification page of the Hire an Employee flow, as
shown in this figure:
Manager Resources > New Person > Hire an Employee > Identification page
_______________________________________________________
Manager Resources > New Person > Hire an Employee > Identification page > Person
Information page > Employment Information page
_______________________________________________________
Manager Resources > New Person > Hire an Employee > Identification page >
Person Information page > Employment Information page
_______________________________________________________
To manually provision additional roles to the user, click Add Role and select the role
you want to give to this user.
You can use the Manage Users or Manage User Account task to add or remove roles
from an existing user.
Determine the roles that all workers of a particular type must have, and
create role mappings to provision those roles automatically.
For example, to ensure that all employees have the employee role, create a role
mapping to autoprovision the role to eligible users.
Determine the roles that all line managers must have, and create role
mappings to provision those roles automatically.
For example, if all line managers must have both the line manager role and a
locally defined Expenses Manager role, then create a role mapping to
autoprovision both of those roles to eligible users.
Determine the roles that only some workers of a particular type will need,
and autoprovision the roles if possible.
For example, some human resource specialists may also need the benefits
analyst role. If you can autoprovision those roles based on specific conditions,
then create role mappings to provision those roles automatically. Otherwise,
decide whether workers can request those roles for themselves or whether they
must be provisioned by other users, such as line managers, and create the
appropriate role mappings.
Remember that:
A single role mapping definition can be used to manage multiple roles and a mix
of provisioning strategies, provided that the role mapping conditions are the
same in all cases.
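The following model, added here as an example and not code from the course or from Oracle, shows the role-mapping behaviour described in this section and the previous one: a mapping pairs a set of conditions with roles that can be autoprovisioned, requested for others, or self-requested; autoprovisioned roles are recomputed when a user's assignment changes (the transfer case above); a requester must satisfy the mapping's conditions; and one mapping can carry several roles with different provisioning strategies. Role, employer and mapping names are constructed sample values, and keeping autoprovisioned and manually requested roles in separate sets on the account is an assumption of this model.

```python
"""Toy model of HCM role-mapping evaluation (added example, not Oracle code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Assignment:
    legal_employer: str
    job: str
    person_type: str
    assignment_status: str = "Active"


@dataclass(frozen=True)
class RoleEntry:
    role: str
    autoprovision: bool = False     # granted automatically to users who meet the conditions
    requestable: bool = False       # may be requested for others by a user who meets the conditions
    self_requestable: bool = False  # may be requested by a user who meets the conditions


@dataclass(frozen=True)
class RoleMapping:
    name: str
    conditions: dict                # attribute -> required value; an empty dict matches every user
    roles: tuple[RoleEntry, ...]

    def matches(self, a: Assignment) -> bool:
        return all(getattr(a, attr) == value for attr, value in self.conditions.items())


@dataclass
class UserAccount:
    name: str
    auto_roles: set = field(default_factory=set)    # provisioned by mapping rules (assumed split)
    manual_roles: set = field(default_factory=set)  # requested by the user or a manager


def autoprovisioned_roles(a: Assignment, mappings: list[RoleMapping]) -> set[str]:
    """Roles every mapping that matches the assignment autoprovisions."""
    return {e.role for m in mappings if m.matches(a) for e in m.roles if e.autoprovision}


def autoprovision(user: UserAccount, a: Assignment, mappings: list[RoleMapping]):
    """Recompute the account's autoprovisioned roles; returns (added, removed)."""
    wanted = autoprovisioned_roles(a, mappings)
    added, removed = wanted - user.auto_roles, user.auto_roles - wanted
    user.auto_roles = wanted
    return added, removed


def can_request(role: str, requester: Assignment, mappings: list[RoleMapping], for_self: bool) -> bool:
    """A role can be requested only if a mapping for it exists and the REQUESTER meets its conditions."""
    flag = "self_requestable" if for_self else "requestable"
    return any(m.matches(requester) and e.role == role and getattr(e, flag)
               for m in mappings for e in m.roles)


# Constructed mappings; one mapping carries two roles with different strategies.
MAPPINGS = [
    RoleMapping("Employees", {"person_type": "Employee", "assignment_status": "Active"},
                (RoleEntry("Employee", autoprovision=True),
                 RoleEntry("Benefits Analyst", self_requestable=True))),
    RoleMapping("HR Specialist USA1",
                {"legal_employer": "InFusion Corp USA1", "job": "Human Resource Specialist",
                 "assignment_status": "Active"},
                (RoleEntry("Human Resource Specialist - USA1 BU Set", autoprovision=True),)),
]

# A mapping with no conditions: with Autoprovision selected it hands the role to everyone,
# with Requestable selected instead it only lets a user request it for someone else.
UNCONDITIONED_AUTO = RoleMapping("XX Generic Mapping Rule", {},
                                 (RoleEntry("XX HR Spec Data", autoprovision=True),))
UNCONDITIONED_REQUESTABLE = RoleMapping("XX Generic Mapping Rule", {},
                                        (RoleEntry("XX HR Spec Data", requestable=True),))


def lifecycle() -> dict:
    """Hire a worker, then transfer them to another job, reporting the role changes."""
    user = UserAccount("security.userxx")
    hired = Assignment("InFusion Corp USA1", "Human Resource Specialist", "Employee")
    on_hire = autoprovision(user, hired, MAPPINGS)
    transferred = Assignment("InFusion Corp USA1", "Benefits Analyst", "Employee")
    on_transfer = autoprovision(user, transferred, MAPPINGS)
    return {"on_hire": on_hire, "on_transfer": on_transfer, "final": set(user.auto_roles)}


if __name__ == "__main__":
    print(lifecycle())
    contractor = Assignment("Other Co", "Clerk", "Contingent Worker")
    print(autoprovisioned_roles(contractor, [UNCONDITIONED_AUTO]))         # everyone qualifies
    print(autoprovisioned_roles(contractor, [UNCONDITIONED_REQUESTABLE]))  # nobody is autoprovisioned
```

Running `lifecycle()` shows the transfer effect: the USA1 data role is added on hire and removed again when the job changes, while the Employee role, whose conditions still hold, is kept. The two unconditioned mappings show why the Autoprovision option matters on a rule with no conditions.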
Implementation Users
Implementation users typically do the following:
HCM Cloud customers are advised to create the following implementation users before
commencing their Fusion HCM implementation. Steps for creating these users are
documented in the Securing HCM Cloud guide (docs.oracle.com/cloud). In each user
name below, xx is a 2 or 3 character prefix specific to the customer.
xx_Admin
  Roles: IT Security Manager; Application Implementation Consultant;
  Administrators (WebLogic access); Application Diagnostics Administrator;
  Application Diagnostics Advanced User
xxOIMAdmin
  Roles: IT Security Manager
hcm.user
  Intended for users who are performing the Oracle Fusion HCM implementation steps.
  Roles: Application Administrator; Application Implementation Consultant;
  Application Diagnostics Regular User; Application Diagnostics Viewer
The Securing HCM Cloud guide includes instructions for creating the following
additional roles, based on which HCM services a customer has subscribed for:
{CustomerNm}_HRAnalyst_ViewAll
{CustomerNm}_HCMApplicationAdministrator_ViewAll
{CustomerNm}_HRSpecialist_ViewAll
{CustomerNm}_CompensationAdmin_ViewAll
{CustomerNm}_CompensationMgr_ViewAll
{CustomerNm}_PayrollAdmin_ViewAll
{CustomerNm}_PayrollMgr_ViewAll
Note: Product family application administrator job roles do not have predefined
access to data. Customers must use the Create Data Role for Implementation
Users task to define data roles for these roles.
Note: When you create an implementation user, no person record is created in HR.
Only a user account is created. Use the Manage Users task or the New Hire flows to
create both a user account and an HR person that are automatically linked together.
Demonstration Scope
Demonstrate the Create Implementation Users task. Give the user two roles: IT
Security Manager and Application Implementation Consultant.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on as
Curtis.Feitty)
Note: This task takes you automatically to the Oracle Identity Manager (OIM)
application. OIM will be discussed in detail later in this lesson.
Information
You can use any names you like here; this user won't be referenced later in the
lesson.
13. Enter IT in the Display Name Begins With field, and click Search.
14. Select IT Security Manager in the Search Results, and click Add.
16. Enter Application Implementation in the Display Name Begins With field, and
click Search.
2. Enter IT in the Display Name Begins With field, and click Search.
5. Confirm that your user name appears in the lists of All Members and Direct Members.
Information
The implementation user you created is not an Indirect Member, because the IT
Security Manager role was assigned directly, not through a role hierarchy or
another role that inherits the IT Security Manager role.
6. Return to the Advanced Search – Roles tab, and search for the Application
Implementation Consultant role.
9. Verify that your user is listed as a member for this role too.
10. Close the OIM browser window, and return to the Oracle Fusion Applications
Setup and Maintenance work area. (Don't sign out; just close the browser
window.)
100 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
Lesson 4: User and Role Provisioning
Demonstration Scope
Use the Manage Users task to create a new user. The user will be mapped to an HR
person.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on as
Curtis.Feitty)
Information
You can also access this task by selecting Navigator > Manager Resources >
Manage Users.
2. In the Search Results section toolbar, click the Create icon button.
3. In the First Name and Last Name fields, enter your own first and last name (or
any name you choose).
Information
The Employment Information section expands to display additional fields.
Information
The application reviews all enterprise role mappings and automatically provisions
the appropriate ones based on this user's employment information. In this
environment, the Employee abstract role is automatically provisioned to users
whose Person Type is Employee.
11. Click the Add Role button to assign a role to the user manually.
12. Search for the data role you created in Activity 1 (XX HR Spec Data).
Note: You won't be able to find the data role because it is not yet available for
provisioning to a user. You must create a role-provisioning rule for the role before
you can assign it to a user. You will see how to do that in your next activity. Exit
the Search window and return to the Create User window.
In Activity 2, students will create a user account and reset the password. An information
note in the activity references 'password policies set up in Oracle Identity Manager.'
Cloud customers do not have access to the area of OIM in which password policies are
managed. If they want to change the default password policies, they would need to
raise an SR.
The Reset Password option available from the Manage My Account option in Fusion
also generates and sends a new password via email, so we are unable to use that task
during class.
Activity 2 Introduction
Background
New user accounts can be created using the Manage Users task (in addition to the New
Hire flow). Before you can provision roles to users, you must create a role-provisioning
rule. Role-provisioning rules map one or more data roles to a set of conditions that
define which users can be assigned those roles. They also define how each role can be
provisioned.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application Vision database (or
comparable training or test instance at your site) on which to complete this
practice.
You must have successfully created a data role in Activity 1 (XX HR Spec Data).
Activity Scope
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on as
Curtis.Feitty)
1. Search for and launch the Manage HCM Role Provisioning Rules task.
2. In the Search Results section toolbar, click the Create icon button.
3. In the Mapping Name field, enter XX Generic Mapping Rule and press Enter.
Information
Do not specify any conditions for now.
4. In the Associated Roles section, click the Add Row (+) icon button.
5. In the Role Name field, select the data role you created in Activity 1 (XX HR
Spec Data).
Information
It is very important to deselect the Autoprovision option; otherwise, every user
gets this role, because the mapping has no conditions to restrict it.
8. Click Save and Close, and then click OK to dismiss the Confirmation window.
9. Click Done.
Create a User
In this task, you use the Manage Users task to create a user quickly.
Note: This task is intended for creating test users. When creating real employees, use
the New Hire flow so that the full set of attributes can be captured.
1. In the Setup and Maintenance work area, search for and launch the Manage
Users task.
2. In the Search Results section toolbar, click the Create icon button.
Note: Make sure that you use the specified Hire Date, as this will be important in
a later activity.
Information
The Employee role appears in the Role Requests table.
Note: If any other roles are automatically provisioned to your user, remove them
by selecting them and clicking the X (Remove) icon button. (Roles may appear
here if other students create autoprovisioning rules for the roles they create in
training.)
6. Search for and select the data role you created in Activity 1 (XX HR Spec Data).
8. Click Done.
In the training environment, the application can't send your new user's login credentials
via email, so you need to set an initial password in Oracle Identity Manager.
1. In the Setup and Maintenance work area, launch the Manage Job Roles task.
Information
You are taken to the Oracle Identity Manager (OIM) interface.
4. Search for the user you just created. (Enter search values for First Name, Last
Name, or User Login and click Search.)
Information
There are two methods for resetting a user's password: manually and
automatically (random generation). Note also that password strength is
measured by the password policies set up in Oracle Identity Manager.
Information
You can leave this window open if you expect to return to OIM, but do not sign
out. Signing out of OIM signs you out of Oracle Fusion Applications as well.
Verify Security
5. In the Search Results, verify that you (logged in as Curtis Feitty) can see people
in the Human Resources US department.
6. Do another search and verify that you can see people in the Organizational
Development US department.
7. Sign out and sign back in as the new user you created (Security.UserXX), using
the new password you just reset.
Information
The Password Management window prompts you to reset your password, since
this is the first time you are logging on.
8. Enter the password you used in the password reset (such as aBc123XX).
10. Select challenge questions and provide the answers (if prompted to do so on this
page).
Information
You should see several people. However, none of them should be in either the
Human Resources US or Organizational Development US department.
16. Verify that you cannot see any users in this department.
17. In the Department field, enter Human Resources US and click Search.
Information
The search results should show one person, with the last name Wei. If you
access this person's information, you will see that they have two work
relationships: one with Human Resources US and one with Human Resources
CN. You can see them because of their second work relationship.
Role Delegation
Role delegation is the assignment of a role from the current owner of the role, known as
the delegator, to another user, known as the proxy. The delegation can be either for a
specified period or indefinite.
You can delegate roles to any user whose details you can access by means of a public
person security profile. This profile typically determines who you can search for in the
Person Gallery.
When you delegate a role, the proxy user can perform all tasks associated with the
delegated role on the relevant data instance set. For example, you may have a line
manager role that enables you to manage absence records for your reports. If you
delegate that role, then the proxy can also manage the absence records of your reports.
You do not lose the role while it is delegated.
The proxy user signs in to Oracle Fusion HCM using his or her own user name, but has
additional function and data privileges associated with the delegated role.
The assignment that qualifies you for the role does not have a future-dated
termination.
For example, if you try to delegate a role today and the assignment that matches
the role-mapping conditions (as defined in the role's role-provisioning rule) has a
future-dated end date, then you can't delegate the role.
You can also delegate any role that you can provision to other users, provided that the
role is enabled for delegation. Such roles are defined as Requestable in a role mapping
for which you satisfy the role-mapping conditions. By delegating rather than provisioning
roles to a user, you can:
Enable the proxy to access the data that you can access.
No predefined roles are enabled for delegation by default. You cannot delegate the
Employee or Contingent Worker roles. You can enable delegation for any other
predefined role. You can also enable delegation for HCM data roles, custom job roles,
and custom abstract roles.
Note: Information about whether a role can be delegated exists only in Oracle Fusion
HCM. This information is not held in or visible in Oracle Identity Manager (OIM).
To enable a role for delegation, select the Delegation Allowed option on the Create
Data Role or Edit Data Role page.
Navigator > Tools > Setup and Maintenance > Manage Data Role and Security Profiles
> Create Data Role
You can also enter a description for the role. This description is displayed on the role
mapping page, so make it as informative as possible to support role selection.
Note: If you deselect the Delegation Allowed option for an existing role, then any roles
that are currently delegated are unaffected.
Delegating a Role
Use the Roles and Approvals Delegated to Others section of the My Account page to
delegate roles.
In the Roles and Approvals Delegated to Others section, select the role to delegate, the
dates for the delegation, and the proxy user. Note the following about the start and end
dates:
If both dates are today’s date, then the delegation is immediate and a request is
sent to Oracle Identity Management (OIM) to remove the role the next time the
Send Pending LDAP Requests process runs.
If the start date is today but the end date is either blank or in the future, then a
role request is sent immediately to OIM.
If the start date is in the future, then a role request is sent to OIM by the Send
Pending LDAP Requests process on the delegation start date.
If you do not enter an end date, then the delegation period is indefinite.
If you enter an end date, then the delegation ends on that date. The request to
end the role delegation is sent to OIM by the Send Pending LDAP Requests
process on the delegation-end date.
If you delegate a role to a user who already has the role, then the role is not provisioned
to that user again. However, the data instance set that is accessible using your role is
assigned to the proxy user.
For example, if you delegate the line manager role to a user who already has the role,
then that user will be able to access your data instance set (for example, the workers in
your manager hierarchy) in addition to his or her own data set while the role is
delegated. The proxy’s My Account page shows the delegated role in the Roles
Delegated to Me section, even though only the associated data instance set has been
delegated.
Use the Approvals Delegated to Others tab on the Roles and Approvals Delegated
to Others section of the My Account page to delegate approvals.
You can enter or update an end date at any time during the delegation period. If you
enter today’s date, the delegation ends immediately.
Role delegation ends before the specified end date if the proxy user’s assignment is
terminated.
Both: Provides access to the proxy's own manager hierarchy in addition to the
hierarchy of the delegating manager. Select this value if, for example, the role is
being delegated from one line manager to another.
Navigator > Tools > Setup and Maintenance > Manage Person Security Profiles >
Create (or Edit) Person Security Profiles page
Notes:
If a role can be delegated and access to person records for that role is secured
by manager hierarchy, then you must set Hierarchy Content to either
Delegating manager hierarchy or Both.
When a line manager role is delegated from one line manager to another, the
proxy user can manage the delegator’s reports in the Person Management work
area and Person Gallery. However, no change occurs to the proxy’s Manager
Resources dashboard because the manager hierarchy itself is unaffected by the
role delegation.
If proxy users are in the delegating manager’s hierarchy, then they can access
their own records when Hierarchy Content is set to either Delegating manager
hierarchy or Both.
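The start and end date rules under Delegating a Role, the rule for a proxy who already holds the role, and the Hierarchy Content notes above can be checked against a small model. This Python is an added example, not Oracle's code or the course's own; the org chart, names and dates are constructed, and rejecting a start date in the past is an assumption the course does not cover.

```python
"""Model of line manager role delegation, as an added illustration (not Oracle code).

Two rules from the course are modelled:
 1. delegation_schedule: which request goes to OIM, and when, given the start and
    end dates the delegator enters on the My Account page.
 2. proxy_access: which person records the proxy can reach through the delegated
    role, given the person security profile's Hierarchy Content value.
The org chart, names and dates are constructed for the example.
"""
from datetime import date

SEND_PENDING = "Send Pending LDAP Requests"


def delegation_schedule(start: date, end, today: date):
    """Return (trigger, request) pairs in the order they take effect.

    end is None for an indefinite delegation. Rejecting a start date in the past
    is an assumption of this model; the course does not describe that case.
    """
    if start < today:
        raise ValueError("start date is in the past")
    if start == today and end == today:
        return [("immediate", "delegation active"),
                (f"next {SEND_PENDING} run", "remove delegated role")]
    events = []
    if start == today:
        events.append(("immediate", "role request sent to OIM"))
    else:
        events.append((f"{SEND_PENDING} run on {start.isoformat()}",
                       "role request sent to OIM"))
    if end is None:
        events.append(("none", "delegation period is indefinite"))
    else:
        events.append((f"{SEND_PENDING} run on {end.isoformat()}", "end delegation"))
    return events


def effective_end(end, termination_date):
    """End date actually applied: termination of the proxy's assignment, if it
    comes first, ends the delegation before the entered end date (or an indefinite one)."""
    if termination_date is None:
        return end
    if end is None or termination_date < end:
        return termination_date
    return end


# Constructed org chart: manager -> direct reports.
ORG = {
    "Jack Fisher": ["Mark", "Dana"],
    "Matt Wagner": ["Lee", "Priya"],
    "Lee": ["Sam"],
}


def manager_hierarchy(manager):
    """Everyone below a manager, direct and indirect."""
    seen, stack = set(), list(ORG.get(manager, []))
    while stack:
        person = stack.pop()
        if person not in seen:
            seen.add(person)
            stack.extend(ORG.get(person, []))
    return seen


def proxy_access(proxy, delegator, hierarchy_content, proxy_holds_role=False):
    """Person records the proxy reaches through the delegated line manager role.

    - The delegator's hierarchy is reachable while the role is delegated.
    - With Hierarchy Content = Both, the proxy's own hierarchy is added.
    - A proxy who already held the role keeps their own data instance set as well.
    - A proxy inside the delegator's hierarchy reaches their own record through it.
    """
    if hierarchy_content not in ("Delegating manager hierarchy", "Both"):
        raise ValueError("a delegable role secured by manager hierarchy needs "
                         "Delegating manager hierarchy or Both")
    reachable = manager_hierarchy(delegator)
    if hierarchy_content == "Both" or proxy_holds_role:
        reachable |= manager_hierarchy(proxy)
    return reachable


if __name__ == "__main__":
    today = date(2014, 1, 6)
    for event in delegation_schedule(today, None, today):
        print(event)
    print(sorted(proxy_access("Matt Wagner", "Jack Fisher", "Both")))
    print(sorted(proxy_access("Dana", "Jack Fisher", "Delegating manager hierarchy")))
```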
Demonstration Scope
This demonstration will illustrate the following tasks involved in role delegation:
1. Create a person security profile that provides a proxy with access to both their
own and the delegator’s manager hierarchy.
2. Assign the new profile to the line manager role, and verify that the line manager
role is enabled for delegation.
Information
This change will apply to all line managers in the enterprise.
3. Log in as Jack Fisher, and delegate the line manager role to Matt Wagner, who is
a peer and also a line manager. Make the delegation immediate.
4. Log in as Matt Wagner, and verify that you can perform line manager duties on
Jack’s direct reports.
Demonstration Steps
Start Here
Oracle Fusion Applications Sign On screen
1. Log in as Curtis.Feitty.
3. Search for and select the Manage Person Security Profile task.
4. On the Manage Person Security Profiles page, click the Create icon button.
1. On the Setup and Maintenance work area Overview page, search for and launch
the Manage Data Role and Security Profiles task.
3. In the Search Results section, select the Line Manager role and click the Edit
icon button.
5. Click Next.
7. Select the View All Payrolls profile for the Payroll Security Profile, if not already
selected.
1. Log out and log back in to the HCM Simplified UI as Jack Fisher.
3. In the Roles and Approvals Delegated to Others section, click the Create icon
button on the Roles Delegated to Others tab.
4. In the Role Name field, search for and select the Line Manager role.
5. In the Start Date field, enter today’s date and leave the End Date field blank.
7. On the Manage User Account page, click Save and then click OK to confirm.
Information
When the role request is sent to OIM, the request appears in the Role Requests
in the Last 30 Days section of the proxy's My Account page. When the role
request succeeds, the role appears in both the Roles Delegated to Me section
and the Current Roles section of the proxy's My Account page. Proxy users can
delete current and future-dated delegated roles from the Roles Delegated to Me
section.
3. Verify that the delegated role is listed in the Roles Delegated to Me section.
4. On the Navigator menu, select Person Gallery. (Ignore any warning that
appears.)
Information
As you can see in the left panel, Mark’s manager is Jack Fisher. However, Matt
can now perform all of the line manager duties listed under the Actions heading
for Mark. If you logged in as Jack Fisher, you would see that Jack still has all the
line manager duties as well.
3. In the Roles and Approvals Delegated to Others section, enter today's date in
the End Date field to end the delegation.
5. Sign out.
1. Automatically
2. By other users
3. On user request
4. All of the above
1. True
2. False
1. Duty roles
2. Abstract roles
3. Job roles
4. Data roles
All roles in a role mapping must have the same provisioning option.
2. False
Lesson 5: HCM Security Management Data Stores
Notes:
The Middleware group refers to APM as Entitlement Server, while Oracle Fusion
Applications still refer to it as APM.
Key Points
OIM maintains user accounts in the Oracle Fusion Applications Identity Store. It
stores the definitions of abstract, job, and data roles (enterprise roles in OIM),
and holds information about roles provisioned to users.
Job and abstract roles created in OIM must be synchronized so that the new role
names and other attributes are available to Oracle Fusion HCM.
You cannot view duty roles in OIM, only in APM.
Duty roles (referred to as application roles in APM) are created in APM and
stored in the Policy Store, along with function security privileges.
The Policy Store holds copies of users and enterprise roles stored in the Identity
Store.
Duty roles do not have to be synchronized with HCM.
These tables store data security policies, HCM role-provisioning rules, security
profiles, part of the data role definitions, and copies of the job and abstract roles.
The following table lists the terminology used by each product when referring to
common business objects:
Data, job, and abstract roles are also referred to as enterprise roles. Application roles
are specific to a particular grouping of applications (such as Oracle Fusion HCM or
CRM).
Manage Users. Create and manage users who are mapped to persons in Oracle
Fusion HR.
Import Worker Users. Load workers using the HCM spreadsheet loader.
Manage Data Role and Security Profiles. Create and manage data roles and
assign security profiles to them.
Manage User Accounts. View and manage roles associated with user accounts.
Manage HCM Role Provisioning Rules. Create rules for how roles can be
provisioned to users.
Retrieve Latest LDAP Changes. Run this scheduled process as needed and
schedule it to run on a frequent basis.
Create Data Role for Implementation Users. Create data roles for
implementation user job roles, such as the product family administrator roles,
which have no predefined data roles.
Create Implementation Users. Create users, who are not mapped to persons in
Oracle Fusion HR, for the purpose and duration of implementation.
Manage Job Roles. Create job and abstract roles; reset user passwords.
Manage Duties. View and manage duty roles, role hierarchies, and security
policies.
To create data roles for HCM, always use the Manage Data Role and Security
Profiles task in the Setup and Maintenance work area. Although APM provides the
ability to create data roles using data role templates, data role templates are rarely used
in HCM. (They are only used if you are implementing Oracle Fusion Global Payroll with
Oracle Fusion Subledger Accounting. We do deliver some HCM data role templates, but
these are no longer used.)
You can see most of the HCM security setup tasks by expanding the Define Security
for Human Capital Management folder:
Navigator > Tools > Setup and Maintenance work area > Define Security for Human
Capital Management task list
Navigator > Tools > Setup and Maintenance work area > Define Implementation Users
task list
Use the Send Pending LDAP Requests and Retrieve Latest LDAP Changes
processes in the Scheduled Processes work area to synchronize HR and LDAP data.
Navigator > Tools > Scheduled Processes > Schedule New Process
You must run the Retrieve Latest LDAP Changes process after you create a job or
abstract role so that the new role name and other attributes are available to Oracle
Fusion HCM.
Point out that OIM and APM are security administration UIs, and should be used by
security administrators, not HCM business users. The only role that has access to these
UIs is the IT Security Manager. HCM business users should use the HCM user and role
management UIs, such as Manage Users (when creating test users) and Manage User
Account.
Lesson 6: Managing Job Roles and Abstract Roles
Demonstration Scope
Use the Manage Job Roles task to access Oracle Identity Manager and view different
types of roles.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)
4. In the Display Name (Begins With) field, enter H and click Search.
Information
The Search Results display both data roles and job roles. Job roles, such as
Human Resource Specialist, do not display a dash in their names. The roles with
a dash, such as HR Specialist - View All, are data roles.
Fusion role-naming conventions append _JOB at the end of a job role name and
_DATA at the end of a data role name. The internal name is created based on
the Display Name and the _JOB or _DATA suffix to distinguish between the role
types.
5. Click the Human Resource Manager job role in the Search Results.
Information
6. Return to the Advanced Search - Roles tab, and open the HR Analyst - View
All data role.
Information
The Role Category Name for all data roles is automatically set to Default.
8. In the Display Name (Begins With) field, enter Employee and click Search.
Information
Employee is a predefined abstract role. Abstract role names should have
_ABSTRACT at the end of the role name.
Information
The Role Category Name is HCM - Abstract Roles.
Demonstration Scope
This demonstration looks at the data roles assigned to an existing user and shows the
job roles that are inherited by those data roles. It also demonstrates how to search for a
role and display a list of all users assigned to that role.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)
If the OIM window is still open from the previous demonstration, return to the Welcome
tab and start with Step 3 below.
Information
From this page, you can create new job roles, as you will see in Activity 3.
4. In the Display Name field, search for Curtis Feitty, then click his name in the
Search Results.
5. Select the Roles tab to view the roles assigned to this user.
Information
This page shows all roles assigned to Curtis, including data roles, abstract roles,
and job roles (if any).
6. Click on a data role, such as Benefits Administrator - View All, and click Open.
Information
Here you can see that the Benefits Administrator - View All data role inherits the
Benefits Administrator job role.
8. Click the Members tab to see all the users assigned to this data role.
10. Search for the Payroll Manager job role, and then open it.
Information
Note that the attribute information and the tabs displayed for the job role are the
same as for the data role you just explored. Remember that in OIM, the term role
refers collectively to job, abstract, and data roles; the role category name, such
as HCM - Job Roles, identifies both the role type and the Oracle Fusion
Application where the role is used.
Information
This job role inherits several roles, including the Functional Setups User abstract
role and the Payroll Administrator job role.
Note: When you are creating a job role, you can use this tab to add one or more
parent roles from which to inherit permissions. This is useful if you are creating a
manager job role that performs all the functions that an administrator job
performs, plus more. In this case, you would add the administrator job role as a
parent role to the manager job role.
This role hierarchy is also visible in APM, as you will see later.
Information
This is useful if you need to quickly determine which users are assigned to a role.
Note: On this tab, the Member Type (for most members) is Indirect Role because
users are not directly assigned the Payroll Manager job role. They inherit it via a
data role that is based on the Payroll Administrator job role.
OIM and APM are not specific to Oracle Fusion Applications; they can be used
independently of Fusion applications. These middleware products provide capabilities
that Oracle Fusion Application users do not need to use for HCM setup and, in fact,
should NOT use. The only tasks that users should perform in OIM and APM are those
identified on the Setup Tools and Task page in lesson 5.
Manage Duties (View and manage role hierarchies, security policies, and
permission grants)
Do not manually modify data security policies, except to add custom duty roles.
Demonstration Scope
This demonstration uses the Manage Duties task to look at existing data and job roles.
It demonstrates how to view the duties associated with job roles and where to go if you
need to add or remove duties from a role.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)
Information
You are now viewing the Authorization Policy Manager (APM) user interface.
3. Under the Search and Create heading, click Search - External Roles.
Note: Remember that job roles, data roles, and abstract roles are all referred to
as external roles in APM.
4. In the Display Name field, enter Benefits Administrator - View All, and click
Search.
5. Select the Benefits Administrator - View All role in the Search Results, and
click Open Role.
Information
This page shows the job role (Benefits Administrator) inherited by the Benefits
Admin - View All data role.
Information
The Benefits Administrator - View All (HCM) role shown here is a special type of
application role that was automatically generated when the Benefits
Administrator - View All data role was created. This is explained in more detail in
the HCM Security Deep Dive section later in the lesson.
10. In the Display Name field, enter Benefits Administrator and click Search.
11. Select the Benefits Administrator job role in the Search Results, and click
Open Role.
12. Click the Application Role Mapping tab, and open the hcm folder.
Information
Here you can see all of the duty roles associated with the Benefits Administrator
job role. From this page, you can map additional application roles (duties) to this
job role, as you will see in the next activity.
You have demonstrated how to use APM to view and manage job roles.
Regenerating Roles
You must regenerate a data role if you make any changes to the role hierarchy that
underlies the data role (such as the duties inherited by the job role that is inherited by
the data role).
You must regenerate an abstract role if you make any changes to its role hierarchy.
Regenerating a role causes all its data security policies to be updated based on these
changes.
1. Launch the Manage Data Role and Security Profiles task in the Setup and
Maintenance work area.
Information
A flow is initiated (the same one you saw when you created a data role in the
previous activity) that allows you to view the security criteria and all assigned
security profiles.
Information
When you click Submit, the security profiles assigned to the role are used to
generate the data security policies for that role.
Note: Security policies are regenerated only for the selected role. If you needed
to regenerate data security policies for multiple roles, you would have to run this
task (and click Assign) for each role.
You can demo the regeneration of a single data role, but it's actually as simple as
finding the role and pressing a few buttons. A later activity will include this as a task.
Activity 3 Introduction
Background
A custom job role is needed because the predefined job role has duties associated with
it that the enterprise does not want to grant to their users. The new job role will have
only three duties: Department Management Duty, Approve Transactions Duty, and
Human Resources Tree Administration Duty.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application Vision database (or
comparable training or test instance at your site) on which to complete this
practice.
Activity Scope
The synchronization process may take several minutes to complete. You can continue
clicking the Refresh button until the Status changes to Succeeded. During that time, you
can explain that the following factors impact the length of time it takes for the process to
complete:
Troubleshooting Information
Regarding the troubleshooting note on Step 13 in subtask Assign Duties to Your Job
Role: When searching for the second duty role, the search results may show only the
first duty role, no matter what search criteria you enter. To resolve this issue, you must
close the Map Application Roles to External Role window, return to the Search External
Roles tab, open the duty role again, and conduct a new search.
Start Here
1. Log in as Curtis.Feitty.
2. Navigate to the Setup and Maintenance work area, Overview page, All Tasks
tab.
8. In the Role Category Name field, search and select HCM - Job Roles.
9. Click Save.
Information
You are returned to the Oracle Fusion Applications Setup and Maintenance work
area.
After creating a new job role, you must run the following synchronization process so that
the job role is available to HCM tasks and UI pages, such as Manage Data Role and
Security Profiles.
Note: Only one user can run the process at a time. If you are sharing an environment
with someone else, you can run the Retrieve Latest LDAP Changes once to
synchronize all of the job roles to HCM. If all students are sharing an environment, then
the instructor should perform this task when all students are ready.
2. If the Search Results displays a row for the Retrieve Latest LDAP Changes
process where the Status is Succeeded, select the row and click Resubmit,
then confirm. Skip to step 10.
If the process is listed with a status of Running, wait until it has completed
successfully, and then resubmit as described above. (Click the Refresh icon
button periodically to display the updated status.)
4. Open the Name LOV and click the Search link at the bottom of the LOV list.
6. In the search results, select the Retrieve Latest LDAP Changes process and
click OK.
8. Click Submit.
Information
You can see the status of the process. It usually completes very quickly. While
this process is running, you can continue with the next step.
1. Navigate to the Setup and Maintenance work area, and launch the Manage
Duties task.
Note: This step is important. If you do not select hcm, you will not be able to
search for the HCM roles.
3. Under the Search and Create heading, click Search - External Roles.
4. In the Display Name field, search for the job role (XX Dept Admin Job Role)
you created earlier.
5. Select the role in the Search Results, and click the Open Role button.
9. In the Display Name field, enter Department Management Duty and click
Search.
10. Select the role in the Search Results, and click Map Roles.
Information
The selected role is listed under the hcm folder on the Application Role Mapping
tab.
13. In the Display Name field, enter Approve Transactions Duty and click Search.
Troubleshooting Note
When searching for the second duty role, the search results may show only the
first duty role. To resolve this issue, close the Map Application Roles to External
Role tab, return to the Search External Roles tab, open the duty role again, and
conduct a new search.
14. Select the role in the Search Results, and click Map Roles.
17. In the Display Name field, enter Human Resources Tree Administration Duty
and click Search. (If the search fails to return this duty role, see the
troubleshooting note in step 13.)
18. Select the role in the Search Results, and click Map Roles.
Information
You should now have three application roles (duties) in the hcm folder on the
Application Role Mapping tab.
Information
You are returned to the Oracle Fusion Applications window, Setup and
Maintenance work area. (As with the OIM window, you can leave the APM
window open if you plan to return; just don't sign out.)
You have now created a job role with three assigned duty roles.
Activity 4 Introduction
Background
After creating a new role, you typically create a mapping rule that defines criteria for
how the role can be provisioned to users. You can then assign the role to users who fit
those criteria.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application Vision database (or
comparable training or test instance at your site) on which to complete this
practice.
You must have successfully created a job role (XX Dept Admin Job Role) in
Activity 3.
Activity Scope
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)
1. Search for and launch the Manage Data Role and Security Profiles task.
Information
You used this task in Activity 1 to create a data role, so you should be familiar
with the screens and the process.
2. In the Search Results section toolbar, click the Create icon button.
4. In the Job Role field, search for and select the custom job role you created (XX
Dept Admin Job Role).
Information
If you can't find the job role you created earlier, make sure that the
synchronization process completed successfully. Also, make sure you selected
HCM - Job Roles as the Role Category when you created the job role. If you
accepted the default role category during creation, you won't be able to find the
job role here.
5. Click Next.
8. Click Done.
1. In the Setup and Maintenance work area, launch the Manage HCM Role
Provisioning Rules task.
3. Select the rule in the Search Results, and click the Edit icon button.
4. In the Associated Roles section, click the Add Row (+) icon button.
5. Search for and select the new XX Dept Admin - View All data role. (Don't select
the job role.)
Information
If you do not select Requestable, you won't be able to assign this role to users.
8. Click Done.
1. Navigate to the Setup and Maintenance work area, and launch the Manage
Users task.
2. Search for the user you created in Activity 2 (enter the last name in the
Keywords field and click the Search icon button).
5. Search for the XX Dept Admin - View All data role you created earlier in this
activity.
Note: If you cannot find the role you created, make sure that:
(We didn't set any criteria in our generic mapping rule, so that should not be a
problem.)
7. In the Current Roles section, select the XX HR Spec Data role you assigned to
this user earlier, and click the X (Remove) icon button, then confirm.
9. Click Done.
1. Sign out, and sign back on as the user you created (Security.UserXX) and
whose password you reset.
3. Verify that only the Manage Departments and Manage Department Trees
tasks are visible under Organizations. You should no longer be able to see the
HR Specialist menu options.
4. Sign out.
If students are still seeing the full set of HR Specialist menu entries, ask them to
navigate to My Account and check which roles are assigned to their user. The user
might have more roles than they expect. For example, the user might have been
automatically provisioned data roles based on HR Specialist from an earlier activity if
someone has inadvertently created automatic role-provisioning rules.
1. abstract
2. job
3. data
4. duty
Lesson 7: HCM Security Deep Dive
If your class consists of mostly functional users, you may choose to omit this section.
Alternatively, you can allow functional users to take a break while you present this
section. Another option would be to present the activity (duty role creation) as a
demonstration, and talk through the steps rather than asking students to complete them.
If, at the beginning of this section, students become confused about data security
policies, tell them that it should become clearer as we dig deeper into the technical
details and they see how the pieces fit together. The demonstration and activity should
also help them understand the various components and their relationships.
The Promote Worker function security privilege secures access to the Promote
Worker page.
Another data security policy determines which positions the person can be
promoted into.
a role
a data security privilege
a business object
a condition
Data security policies are represented in the Security Reference Manuals in the
following format:
For example, the two data security policies in our current example would be
represented as follows:
Human Resource Specialist can promote Person for people in their person
security profile using Promote Worker Data
Note: Data security policies are published at the level of a job or abstract role,
and they take into account the duty roles that are inherited by the job and
abstract roles. This makes them more readable, as it can be difficult to
understand a data security policy if presented at the level of a duty role.
The conditions for duty role data security policies are usually implemented as 1=2
predicates. (A predicate is an SQL expression that evaluates to TRUE or FALSE. The
predicate is automatically added to the Where clause of any Select statements that are
issued within the Oracle Fusion HCM pages.)
The 1=2 predicate, which evaluates to FALSE, means that the Worker Promotion Duty
role, when viewed in isolation, has no access to data. The Human Resource Specialist
job role inherits this duty role, so on its own the job role cannot actually promote anyone.
Data access is usually determined by FND_GRANTS rows that are generated for the
data roles to which users are assigned (as you will see later). This is why data roles
are so important!
First, a set of three new application roles is created: one for HCM, one for FSCM,
and one for CRM.
These application roles have names that are derived from the data role name.
The FND_GRANTS generated for the new application roles are similar to the
FND_GRANTS for the original duty role, except:
The role name references the data role, not the job role.
The predicate value is 1=1, meaning that no restrictions are applied when the
HCM application page selects the secured data from the database.
In the simplified example below, the 1=1 predicate is taken from View All person and
position security profiles assigned to the data role.
The application roles and the security policies (FND_GRANTS) that were generated
earlier are linked to the data role. (All three application roles are linked, although only
one is pictured here.)
The data role is linked to the Human Resource Specialist job role. However, it is the
security policies inherited by the data role that provide access to the data.
Note: A predicate of 1=1 is the simplest of examples, used only in View All profiles. In
reality, most predicates are more complicated. For example, the predicate for the View
Own Record person security profile is shown below:
When an HCM application page issues a Select statement to retrieve data from the
database, it makes a data security privilege check by calling a data security API,
passing the following information:
The name of the database table in which to find the data. In our example, the
table name is PER_ALL_ASSIGNMENTS_M.
The data security code looks in the FND_GRANTS table for all rows that match any of
the user's roles, the table name, and the data security privilege name.
If it finds one match, the predicate for that FND_GRANTS row is used to filter the
data that is returned. (If the predicate is 1=2, no data is returned.)
If it finds more than one match, the predicates are OR'd together. (If either is
TRUE, then the result evaluates to TRUE).
In our example of a View All data role, two predicates would be returned: 1=1 and 1=2.
When OR'd together, the end result is that the page can select data from the
assignment table with no restrictions applied.
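The following Python script is an added example (not Oracle code and not part of this guide) that simulates the lookup just described, and the earlier point that the duty role's own 1=2 predicate is overridden by the 1=1 predicate generated for a View All data role. The grant rows, the assignment rows, and the role names (WORKER_PROMOTION_DUTY, XX_HR_SPEC_VIEW_ALL_DATA, XX_HR_SPEC_OWN_RECORD_DATA) are constructed; the real FND_GRANTS and PER_ALL_ASSIGNMENTS_M tables have many more columns, and real predicates use &TABLE_ALIAS rather than a fixed alias.

```python
"""Simulation of the FND_GRANTS predicate resolution described in the lesson.

Added example; not Oracle code.  The tables are a deliberately simplified
stand-in for FND_GRANTS and PER_ALL_ASSIGNMENTS_M, and every row is constructed.
"""
import sqlite3

TABLE = "PER_ALL_ASSIGNMENTS_M"
PRIVILEGE = "PER_PROMOTE_WORKER_DATA"

# Constructed FND_GRANTS rows: (role_name, obj_name, data_security_privilege, predicate).
# The duty role's own policy carries the 1=2 predicate; the policies generated for a
# data role carry the predicate taken from its security profile (1=1 for View All).
SAMPLE_GRANTS = [
    ("WORKER_PROMOTION_DUTY", TABLE, PRIVILEGE, "1=2"),
    ("XX_HR_SPEC_VIEW_ALL_DATA", TABLE, PRIVILEGE, "1=1"),
    # Constructed stand-in for a narrower profile predicate (the real View Own Record
    # predicate is far longer, as the lesson notes).
    ("XX_HR_SPEC_OWN_RECORD_DATA", TABLE, PRIVILEGE, "a.person_id = 1001"),
]

# Constructed assignment rows: (person_id, assignment_type).
SAMPLE_ASSIGNMENTS = [(1001, "E"), (1002, "E"), (1003, "C")]


def build_predicate(grants, user_roles, table, privilege):
    """Combine the predicates of every grant that matches one of the user's roles.

    Returns None when no grant matches at all.  Otherwise the matching predicates
    are OR'd together, exactly as the lesson describes, so one TRUE predicate (1=1)
    makes the duty role's 1=2 predicate irrelevant.
    """
    matches = [
        predicate
        for role, obj, priv, predicate in grants
        if role in user_roles and obj == table and priv == privilege
    ]
    if not matches:
        return None
    return " OR ".join(f"({p})" for p in matches)


def visible_person_ids(user_roles, grants=SAMPLE_GRANTS):
    """Run the page's SELECT with the resolved predicate appended to its WHERE clause."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE per_all_assignments_m (person_id INTEGER, assignment_type TEXT)")
    con.executemany("INSERT INTO per_all_assignments_m VALUES (?, ?)", SAMPLE_ASSIGNMENTS)

    predicate = build_predicate(grants, user_roles, TABLE, PRIVILEGE)
    if predicate is None:
        return []  # no matching grant: the privilege check fails and nothing is returned

    # The predicate text comes from the grants table (configuration generated from
    # security profiles), never from the end user, which is why it is spliced into
    # the statement rather than bound as a parameter.
    sql = f"SELECT a.person_id FROM per_all_assignments_m a WHERE {predicate} ORDER BY a.person_id"
    return [row[0] for row in con.execute(sql)]


if __name__ == "__main__":
    for roles in (
        {"WORKER_PROMOTION_DUTY"},                               # duty role alone: (1=2)
        {"WORKER_PROMOTION_DUTY", "XX_HR_SPEC_VIEW_ALL_DATA"},   # (1=2) OR (1=1)
        {"WORKER_PROMOTION_DUTY", "XX_HR_SPEC_OWN_RECORD_DATA"},
    ):
        print(sorted(roles), "->", build_predicate(SAMPLE_GRANTS, roles, TABLE, PRIVILEGE),
              "->", visible_person_ids(roles))
```

Running the script shows the three cases from the lesson side by side: the duty role alone yields `(1=2)` and an empty result, adding the View All data role yields `(1=2) OR (1=1)` and every assignment row, and a narrower data-role predicate returns only the rows it matches. The same structure explains why a user who has accumulated an extra View All data role from an earlier activity sees far more than expected: one permissive grant is enough.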
Demonstration Scope
Use the Manage Duties task in the Setup and Maintenance work area to access APM,
where you can view duties and their associated data and function security policies.
Demonstration Steps
Start Here
Login screen
1. Log in as HCM_IMPL.
2. Navigate to the Setup and Maintenance work area, and launch the Manage
Duties task.
Information
Remember that duty roles are referred to as application roles in APM.
5. In the Display Name field, enter Worker Promotion Duty and click Search.
6. In the Search Results, select the Worker Promotion Duty role and click the
Open icon button.
1. Click Find Policies in the upper-right-hand corner of the screen, and then select
Default Policy Domain.
Information
This role has only one function security policy: Policy for Worker Promotion Duty.
It controls access to this function from the Oracle Fusion HCM menus and work
areas.
3. To view the code artifacts that are secured using this function security policy, go
back to the Home tab (but don't close this tab).
4. Select hcm in the Application Name field, and then click Search under
Entitlements.
5. In the Display Name field, enter Promote Worker and click Search.
6. Select the Promote Worker entitlement in the Search Results, and click the
Open icon button.
Information
The code artifacts that are secured against this entitlement are shown in the
Resources section of the page.
7. Return to the Search Authorization Policy tab. (The Worker Promotion Duty
role should still be displayed.)
1. Select the Data Security tab, and review the data security policies for this role.
Information
This role has several data security policies: Choose Department, Choose
Position, Promote Worker, and so on. These policies provide access to all of the
different types of data that a user must view, select, or manage when performing
the Worker Promotion Duty.
As you can see, managing data security policies can be very complex. However,
if you use the delivered duty roles as building blocks when defining custom job
roles in HCM, then security policies are generated automatically for you. You do
not need to manage them manually in APM.
2. In the right-hand corner of the Actions column header, click the Sort
Descending icon button to resort the column.
Information
This just makes it easier to find the role, as the list is very long.
3. Select the Promote Worker row, and click the Edit icon button.
Information
This tab shows the condition for the privilege. When expanded, the condition is:
This tab does not show the SQL predicate. To view the SQL predicate, you must
navigate to the data security policy from a different direction.
5. Return to the Home tab, and click Search - Policies under the Search and
Create heading.
7. In the Display Name field, enter Person Work Terms Assignment and click
Search.
Information
The Search Results lists all of the data security policies for the
PER_ALL_ASSIGNMENTS_M database table.
Note: Detaching the table makes it easier to browse and navigate, and allows
you to view the SQL predicate in the condition.
9. Right-click the Role column header, and select Sort > Descending.
Information
Note the SQL predicate for the condition in the first row. The other conditions on
the Conditions tab are generated from security profiles. The condition Display
Name includes the security profile name.
13. Select the first condition, and click the Edit icon button.
Information
You can view the full condition details here. Note the SQL Predicate value of
1=2, as discussed previously.
IMPORTANT!
Don't edit the conditions! The conditions for HCM data security policies are
generated automatically from security profiles and should not be changed.
15. Close the APM browser window and return to the Oracle Fusion Applications
window.
You can also use BI Publisher to generate a list of all data security policies that match a
set of criteria. This method requires a little setup, but once you've performed those
steps, you can run the report as needed. Follow these steps to create a data model, and
then create a report using that data model.
Note:
Make sure you are logged in as hcm_impl. Curtis Feitty does not have adequate
privileges to perform these steps.
3. In the Catalog page toolbar, click the New icon button and then select Data
Model under Published Reporting.
4. On the Diagram tab, click the New Data Set icon button, and then select SQL
Query.
-- Lists every HCM data security policy: the granted role, the secured business
-- object, the data security privilege, and the condition (instance set) with its predicate.
select
    g.role_name,
    o.obj_name,
    f.function_name  data_security_privilege,
    i.display_name   condition_name,
    i.predicate
from
    fusion.fnd_menus m
  , fusion.fnd_menu_entries me
  , fusion.fnd_form_functions_vl f
  , fusion.fnd_objects_vl o
  , fusion.fnd_object_instance_sets_vl i
  , fusion.fnd_grants g
  , fusion.fnd_appl_taxonomy p
  , fusion.fnd_appl_taxonomy pf
  , fusion.fnd_appl_taxonomy_hierarchy h
where g.object_id = o.object_id               -- grant -> secured business object
  and f.object_id = o.object_id               -- privilege defined on that object
  and g.menu_id = m.menu_id                   -- grant -> privilege set (menu)
  and m.menu_id = me.menu_id
  and me.function_id = f.function_id          -- menu entry -> privilege
  and g.module_id = p.module_id               -- grant's module ...
  and h.target_module_id = pf.module_id
  and h.source_module_id = p.module_id        -- ... and its ancestor in the taxonomy
  and i.instance_set_id (+) = g.instance_set_id   -- outer join: keep grants with no condition
  and pf.module_name = 'HCM'                  -- restrict to the HCM product family
8. Click OK.
Information
Two dialog boxes appear: Global Level Functions and G_1.
9. In the G_1 box, click the Menu icon button in the box header and select
Properties.
10. Change the Group Name and Display Name to XX_FND_GRANTS, and click
OK.
Information
After processing completes, the tree view for your data model appears.
13. In the menu bar at the top of the page, click the Save icon button.
1. In the menu bar at the top of the page, click the Create Report icon button.
2. Verify that Use Data Model is selected and the XX_FND_GRANTS_DM data
model appears in the Data Model field.
5. Click Next.
6. Click on each of the five attributes in the Data Source panel on the left, and drag
to the [Drop Fields Here] panel on the right.
8. Click Next.
Information
The report displays all data security privileges matching the Select criteria. (If an
error occurs, click Refresh.)
Define a Filter
You can adjust the filter settings for the report to search for a particular type of
security privilege.
1. With the XX_FND_GRANTS_REP open, click the Actions icon button in the top-
right corner of the page and select Edit Report.
Information
The Table tab appears.
8. Click OK.
Information
You may see "No Data Found: /DATA_DS...." in the sample report output. This
does not indicate a problem. It just means that the sample data that you saved for
the report does not include any FND_GRANTS rows with the
PER_PROMOTE_WORKER_DATA privilege.
12. Click View Report, and then click the tab for the filtered report.
Information
The report should display a row for each PER_PROMOTE_WORKER_DATA
privilege.
1. Delete all data roles based on the job role and recreate them
2. Regenerate all the data roles that inherit the job role
3. Reassign security profiles to all data roles that inherit the job role
It is the process of reassigning security profiles (using the Manage Data Role and
Security Profiles task and the Assign action) that regenerates the data roles and their
associated security privileges and policies. Answer #3 also applies because adding new
duty roles to a job role could require additional security profiles to be assigned to the
data role.
Lesson 8: Managing Duty Roles
Activity 5 Introduction
Background
A new duty role is required because the predefined duty role has more function security
privileges and data security policies than you want the role to have in your enterprise.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application Vision database (or
comparable training or test instance at your site) on which to complete this
practice.
You must have successfully created a job role (XX Dept Admin) in Activity 3.
Activity Scope
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)
6. Click Save.
1. Click the Create Policy button in the top-right corner of the tab, and select
Default Policy Domain.
Information
Predefined security policies use the naming format: Policy for <duty role name>.
4. In the Targets section, click the Add Targets (+) icon button.
Information
APM uses generic security terminology. In this context, a target is a function
security privilege, and a principal is a role. Thus, when a target is granted to the
principal, it means that the function security privilege is granted to the duty role.
5. In the Display Name (Starts With) field, enter Manage Department, and click
Search.
6. Select Manage Department, and click the Add Selected button (located above
the search results).
Information
The security privilege is added to the Selected Targets list.
7. Click Add Targets (at the bottom of the page), and then click Save.
Information
You have now added the Manage Department function security privilege to your
duty role.
1. Return to the Home tab, and click Search under Application Roles.
2. In the Display Name field, enter Department Management Duty and click
Search.
Information
This is the predefined duty role you will use as a reference for your custom duty
role. You want to find the data security policies assigned to that role and add
your role to them.
3. Select the role in the Search Results, and click the Open icon button.
4. In the upper-right-hand corner of the page, click Find Policies and select
Default Policy Domain.
5. In the Policies for: Department Management Duty section, select the Data
Security tab.
Information
There are three data security policies for this role.
8. Select the Roles tab, and click the Add icon button.
9. Search for your new duty role. (Enter XX_DEPT_DUTY in the Role Name field,
select hcm as the Application, and then click Search.)
Information
You have now created a copy of this data security policy against your custom
duty role.
12. Select the second security policy on the Data Security tab, and repeat steps 7-
11.
13. Select the third (and last) security policy, and repeat steps 7-11 again.
Information
You have now created copies of these three data security policies against your
custom duty role. The duty role is complete. Take a moment now to verify that all
policies were added.
15. Select hcm in the Application Name field, and select Search under Application
Roles.
16. Search for the duty role (Display Name: XX Department Duty) and open it from
the Search Results.
Information
You should see one policy on the Functional Policies tab and three on the Data
Security tab.
1. Select hcm for the Application Name, and select Search - External Roles
under the Search and Create heading.
2. Search for the XX Dept Admin Job Role you created in Activity 3.
3. Select the job role in the Search Results, and click Open Role.
5. Remove the predefined Department Management Duty role. (Open the hcm
folder, select the role, click the Remove Roles icon button, and then confirm.)
6. Add your custom XX Department Duty role. (Click + Map, select hcm, search
for the XX Department Duty duty role, select it, and click Map Roles.)
Information
The job role now has three duties: your custom department duty role, the
Approve Transactions Duty role, and the Human Resources Tree Administration
Duty role.
Generate the Data Security Policies for the Roles that Inherit this Duty Role
3. Search for your XX Dept Admin - View All data role, and then click Edit.
4. Proceed through the pages in the flow until you get to the Review page, and then
click Submit.
Information
Although you did not make any changes to the data role, you must run this task
to regenerate its security policies because you changed the job role that the data
role inherits.
Note: Security policies are regenerated only for the selected role. If you needed
to regenerate data security policies for multiple data roles, you would have to run
this task (and click Edit) for each role.
5. Click Done.
1. Sign out and sign back in as the user you created earlier (Security.UserXX).
3. Verify that you can only see the Manage Departments task under
Organizations in the Workforce Structures work area.
4. Sign out.
Lesson 9: Tips for Implementing HCM Security
Now that you've seen the types of changes you can make, you should consider the level
of resilience associated with each type:
Most Robust
Creating custom job roles and using existing duty roles as building blocks
Creating custom duty roles and assigning function and data security policies
Manually modifying data security policies, except for adding custom duty roles
Note: It should not be necessary to create your own data security policies. When
you are creating custom duty roles, the predefined security policies should be
adequate for your needs.
Impersonation
User Impersonation
The user impersonation feature is disabled for HCM Cloud customers. It can be enabled
on request, but Oracle does not recommend its use by HCM Cloud customers. User
impersonation potentially allows the proxy user uncontrolled access to the personal data
of the user they are impersonating; the proxy user gets all of that user's roles, which is
particularly dangerous if a customer is implementing employee self-service.
Note: In this example, access to HR data is secured by business unit. However, it could
be based on legal employer, department, or any level within the organization.
Workforce Management > Person Management > Manage Areas of Responsibility >
Manage Areas of Responsibility page > Create Area of Responsibility page
Define areas of responsibility for the other two HR specialists, David and Linda, in the
same way. For David, you must create two areas of responsibility records, one for
USA2 Business Unit and another for USA Health Business Unit.
Manage Person Security Profile > Manage Person Security Profiles page > Create
Person Security Profile
To secure person records by business unit, you would enter an SQL fragment similar to
the following:
EXISTS
(SELECT 1 FROM PER_ALL_ASSIGNMENTS_M A
WHERE A.ASSIGNMENT_TYPE IN('E','C','N','P')
AND A.EFFECTIVE_LATEST_CHANGE='Y'
AND TRUNC(SYSDATE) BETWEEN
LEAST(TRUNC(SYSDATE),A.EFFECTIVE_START_DATE) AND
A.EFFECTIVE_END_DATE
AND A.PERSON_ID=&TABLE_ALIAS.PERSON_ID
AND EXISTS
(SELECT 1
FROM PER_ASG_RESPONSIBILITIES B,
PER_USERS C
WHERE A.BUSINESS_UNIT_ID=B.BUSINESS_UNIT_ID
AND C.USER_GUID = FND_GLOBAL.USER_GUID
AND C.PERSON_ID = B.PERSON_ID
AND B.RESPONSIBILITY_TYPE = 'HR_REP'
AND trunc(sysdate) between B.START_DATE and nvl(B.END_DATE,sysdate)))
TIP: If, by using this feature, you reduce the number of data roles to one, you
could assign the security profiles directly to the job role (rather than creating a data
role). However, assigning security profiles directly to job roles only works if the areas of
responsibility criteria provide users with all the data access they need. In our scenario,
we want to provide some users with View All access and others with more restricted
access based on areas of responsibility. Therefore, we need two data roles: one that
uses areas of responsibility criteria and one that has a View All security profile. Both of
these data roles would be based on the same job role.
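To see what the custom-criteria fragment above (the same fragment students enter in Activity 6) actually filters, here is an added Python example that is not Oracle code and not part of this guide. It ports the fragment to SQLite over tables that hold only the columns the fragment touches; every row is constructed. The Oracle-specific pieces are replaced by SQLite equivalents: TRUNC(SYSDATE) becomes a bound :today parameter, FND_GLOBAL.USER_GUID a bound :user_guid, LEAST the scalar MIN, NVL COALESCE, and &TABLE_ALIAS the outer query's alias p. Dates are ISO-formatted text so that BETWEEN compares them correctly.

```python
"""SQLite port of the areas-of-responsibility custom criteria.

Added example, not Oracle code.  Tables, rows, user GUIDs and person IDs are
all constructed for illustration.
"""
import sqlite3
from datetime import date

TODAY = date(2014, 6, 15)  # constructed "SYSDATE" so the results are reproducible

# Constructed assignment rows: (person_id, assignment_type, effective_latest_change,
# effective_start_date, effective_end_date, business_unit_id)
ASSIGNMENTS = [
    (1001, "E", "Y", "2010-01-01", "4712-12-31", 300),
    (1002, "E", "Y", "2011-03-01", "4712-12-31", 301),
    (1003, "C", "Y", "2012-05-01", "4712-12-31", 300),
    (1004, "E", "Y", "2015-01-01", "4712-12-31", 300),  # future-dated assignment
    (1005, "E", "N", "2009-01-01", "2009-12-31", 300),  # historical row, not latest change
]
# Constructed areas of responsibility for the HR representatives:
# (person_id of the rep, responsibility_type, business_unit_id, start_date, end_date)
RESPONSIBILITIES = [
    (9001, "HR_REP", 300, "2014-01-01", None),
    (9002, "HR_REP", 301, "2014-01-01", None),
    (9003, "HR_REP", 300, "2013-01-01", "2013-12-31"),  # expired responsibility
]
# Constructed user-to-person links: (user_guid, person_id)
USERS = [("GUID-ALICE", 9001), ("GUID-BOB", 9002), ("GUID-CAROL", 9003)]
PEOPLE = [(pid,) for pid in (1001, 1002, 1003, 1004, 1005, 9001, 9002, 9003)]

# The page's fragment with Oracle constructs swapped for SQLite equivalents.
AOR_PREDICATE = """
EXISTS (SELECT 1 FROM per_all_assignments_m a
         WHERE a.assignment_type IN ('E', 'C', 'N', 'P')
           AND a.effective_latest_change = 'Y'
           AND :today BETWEEN MIN(:today, a.effective_start_date) AND a.effective_end_date
           AND a.person_id = p.person_id
           AND EXISTS (SELECT 1 FROM per_asg_responsibilities b, per_users c
                        WHERE a.business_unit_id = b.business_unit_id
                          AND c.user_guid = :user_guid
                          AND c.person_id = b.person_id
                          AND b.responsibility_type = 'HR_REP'
                          AND :today BETWEEN b.start_date AND COALESCE(b.end_date, :today)))
"""


def load_sample_db():
    """Build the in-memory tables and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE per_all_people_f (person_id INTEGER);
        CREATE TABLE per_all_assignments_m (
            person_id INTEGER, assignment_type TEXT, effective_latest_change TEXT,
            effective_start_date TEXT, effective_end_date TEXT, business_unit_id INTEGER);
        CREATE TABLE per_asg_responsibilities (
            person_id INTEGER, responsibility_type TEXT, business_unit_id INTEGER,
            start_date TEXT, end_date TEXT);
        CREATE TABLE per_users (user_guid TEXT, person_id INTEGER);
    """)
    con.executemany("INSERT INTO per_all_people_f VALUES (?)", PEOPLE)
    con.executemany("INSERT INTO per_all_assignments_m VALUES (?,?,?,?,?,?)", ASSIGNMENTS)
    con.executemany("INSERT INTO per_asg_responsibilities VALUES (?,?,?,?,?)", RESPONSIBILITIES)
    con.executemany("INSERT INTO per_users VALUES (?,?)", USERS)
    return con


def visible_persons(user_guid, today=TODAY):
    """Person IDs the signed-on user may see under the areas-of-responsibility criteria."""
    con = load_sample_db()
    sql = f"SELECT p.person_id FROM per_all_people_f p WHERE {AOR_PREDICATE} ORDER BY p.person_id"
    rows = con.execute(sql, {"today": today.isoformat(), "user_guid": user_guid})
    return [r[0] for r in rows]


if __name__ == "__main__":
    for guid in ("GUID-ALICE", "GUID-BOB", "GUID-CAROL", "GUID-NOBODY"):
        print(guid, "->", visible_persons(guid))
```

Alice, the active HR representative for business unit 300, sees persons 1001, 1003 and 1004 but not 1005 (not the latest-change row) or 1002 (another business unit); Bob sees only 1002; Carol, whose responsibility expired, sees nothing, as does a GUID with no area of responsibility at all. Two points worth noticing when you write such criteria: the LEAST() around the start date caps the lower bound at today, so a future-dated assignment (1004) is visible as long as its end date has not passed, and the NVL() on the responsibility end date means an open-ended area of responsibility never expires on its own.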
Activity 6 Introduction
Background
Using the Areas of Responsibility feature and defining custom criteria in a security
profile provides another way of defining data security.
Requirements
Use the bold text for the object names, replacing the XX with your initials.
You must have access to Oracle Fusion Application Vision database (or
comparable training or test instance at your site) on which to complete this
practice.
Activity Scope
2. Create a security profile and add an SQL fragment in the Custom Criteria section
that defines security based on a user's areas of responsibility.
Start Here
Login page
1. Log in as curtis.feitty.
3. Search for the user you created earlier. (Enter the last name in the Keywords
field and click Search.)
6. In the Assigned Areas of Responsibility section toolbar, click the Create icon
button.
9. In the From Date field, select the first day of the current month.
10. In the Business Unit field, search for and select US1 Business Unit.
12. Click Yes to confirm, and then click OK to dismiss the confirmation window.
1. In the Setup and Maintenance work area, launch the Manage Person Security
Profiles task.
2. In the Search Results section toolbar, click the Create icon button.
4. In the Custom Criteria section, select the Secure by Custom Criteria option.
EXISTS
(SELECT 1 FROM PER_ALL_ASSIGNMENTS_M A
 WHERE A.ASSIGNMENT_TYPE IN ('E','C','N','P')
   AND A.EFFECTIVE_LATEST_CHANGE = 'Y'
   AND TRUNC(SYSDATE) BETWEEN
       LEAST(TRUNC(SYSDATE), A.EFFECTIVE_START_DATE) AND A.EFFECTIVE_END_DATE
   AND A.PERSON_ID = &TABLE_ALIAS.PERSON_ID
   AND EXISTS
       (SELECT 1
          FROM PER_ASG_RESPONSIBILITIES B,
               PER_USERS C
         WHERE A.BUSINESS_UNIT_ID = B.BUSINESS_UNIT_ID
           AND C.USER_GUID = FND_GLOBAL.USER_GUID
           AND C.PERSON_ID = B.PERSON_ID
           AND B.RESPONSIBILITY_TYPE = 'HR_REP'
           AND TRUNC(SYSDATE) BETWEEN B.START_DATE AND NVL(B.END_DATE, SYSDATE)))
Information
This fragment restricts access to persons based on the responsibility type,
business unit, and effective date defined in the user's areas of responsibility as
well as the effective date of the worker's assignment record.
7. Click Done.
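As an added check that is not part of the Oracle activity, the following script replays the custom criteria fragment above against constructed data in an in-memory SQLite database, so you can see which people a user would be allowed to view before the fragment goes into a live security profile. The table and column names are the ones the fragment uses; the sample rows, business unit IDs and user GUIDs are made up, and the Oracle-only functions are mapped to SQLite equivalents as listed in the docstring.

```python
"""Added example (not from the course or from Oracle): replay the Areas of
Responsibility custom-criteria rule against constructed in-memory data, to
check who a user would see before pasting the fragment into a person
security profile.

Oracle-only pieces are mapped to SQLite so the query runs offline:
  TRUNC(SYSDATE)       -> the :as_of parameter (ISO date string)
  LEAST(a, b)          -> MIN(a, b)   (SQLite's multi-argument scalar MIN)
  NVL(a, b)            -> COALESCE(a, b)
  FND_GLOBAL.USER_GUID -> the :user_guid parameter (the signed-in user)
  &TABLE_ALIAS         -> alias P of the outer PER_ALL_PEOPLE_F query
Only the columns the fragment references are modelled; dates are ISO strings,
so BETWEEN compares them correctly as text.
"""
import sqlite3

AS_OF = "2014-06-15"  # constructed "today"

SCHEMA = """
CREATE TABLE PER_ALL_PEOPLE_F (PERSON_ID INTEGER, FULL_NAME TEXT);
CREATE TABLE PER_ALL_ASSIGNMENTS_M (
  PERSON_ID INTEGER, ASSIGNMENT_TYPE TEXT, EFFECTIVE_LATEST_CHANGE TEXT,
  EFFECTIVE_START_DATE TEXT, EFFECTIVE_END_DATE TEXT, BUSINESS_UNIT_ID INTEGER);
CREATE TABLE PER_ASG_RESPONSIBILITIES (
  PERSON_ID INTEGER, RESPONSIBILITY_TYPE TEXT, BUSINESS_UNIT_ID INTEGER,
  START_DATE TEXT, END_DATE TEXT);
CREATE TABLE PER_USERS (USER_GUID TEXT, PERSON_ID INTEGER);
"""

# Constructed sample data: business unit 100 stands in for US1, 200 for Australia.
PEOPLE = [(1, "HR rep in US1"), (2, "US1 worker"), (3, "Australia worker"),
          (4, "US1 worker, assignment ended"), (5, "US1 future-dated hire")]
ASSIGNMENTS = [  # person, type, latest change, start, end, business unit
    (1, "E", "Y", "2010-01-01", "4712-12-31", 100),
    (2, "E", "Y", "2012-03-01", "4712-12-31", 100),
    (3, "E", "Y", "2012-03-01", "4712-12-31", 200),
    (4, "E", "Y", "2011-01-01", "2013-12-31", 100),  # ended before AS_OF
    (5, "E", "Y", "2014-07-01", "4712-12-31", 100),  # starts after AS_OF
]
RESPONSIBILITIES = [  # person, type, business unit, start, end
    (1, "HR_REP", 100, "2014-06-01", None),          # open-ended, current
    (1, "HR_REP", 200, "2013-01-01", "2013-12-31"),  # expired
]
USERS = [("guid-hr-rep", 1)]  # the signed-in user is person 1

# The activity's fragment, transcribed with the substitutions listed above.
CUSTOM_CRITERIA = """
EXISTS (SELECT 1 FROM PER_ALL_ASSIGNMENTS_M A
         WHERE A.ASSIGNMENT_TYPE IN ('E','C','N','P')
           AND A.EFFECTIVE_LATEST_CHANGE = 'Y'
           AND :as_of BETWEEN MIN(:as_of, A.EFFECTIVE_START_DATE)
                          AND A.EFFECTIVE_END_DATE
           AND A.PERSON_ID = P.PERSON_ID
           AND EXISTS (SELECT 1 FROM PER_ASG_RESPONSIBILITIES B, PER_USERS C
                        WHERE A.BUSINESS_UNIT_ID = B.BUSINESS_UNIT_ID
                          AND C.USER_GUID = :user_guid
                          AND C.PERSON_ID = B.PERSON_ID
                          AND B.RESPONSIBILITY_TYPE = 'HR_REP'
                          AND :as_of BETWEEN B.START_DATE
                                         AND COALESCE(B.END_DATE, :as_of)))
"""


def visible_people(user_guid, as_of=AS_OF):
    """Return the PERSON_IDs the user can see under the custom criteria."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO PER_ALL_PEOPLE_F VALUES (?,?)", PEOPLE)
    conn.executemany("INSERT INTO PER_ALL_ASSIGNMENTS_M VALUES (?,?,?,?,?,?)",
                     ASSIGNMENTS)
    conn.executemany("INSERT INTO PER_ASG_RESPONSIBILITIES VALUES (?,?,?,?,?)",
                     RESPONSIBILITIES)
    conn.executemany("INSERT INTO PER_USERS VALUES (?,?)", USERS)
    rows = conn.execute(
        "SELECT P.PERSON_ID FROM PER_ALL_PEOPLE_F P WHERE " + CUSTOM_CRITERIA
        + " ORDER BY P.PERSON_ID",
        {"as_of": as_of, "user_guid": user_guid}).fetchall()
    conn.close()
    return [person_id for (person_id,) in rows]


if __name__ == "__main__":
    # The HR rep sees US1 people only (including the future-dated hire), the
    # ended assignment drops out, and a user with no responsibilities sees nobody.
    print(visible_people("guid-hr-rep"))   # [1, 2, 5]
    print(visible_people("guid-nobody"))   # []
```

Changing the as_of date shows the effective-dating behaviour: with a date in 2013, the only active HR_REP responsibility is the expired Australia one, so only the Australia worker is visible.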
1. In the Setup and Maintenance work area, launch the Manage Data Role and
Security Profiles task.
2. In the Search Results section toolbar, click the Create icon button.
5. Click Next.
Rather than create a new mapping rule, you can add the new role to your existing
mapping rule.
1. In the Setup and Maintenance work area, launch the Manage HCM Role
Provisioning Rules task.
3. Select the rule in the Search Results, and click the Edit icon button.
4. In the Associated Roles section, click the Add (+) icon button.
5. Search for and select the data role you just created (XX HR Rep Dynamic Data).
Information
If you do not select Requestable, you won't be able to assign this role to users.
8. Click Done.
2. Search for your user (by first or last name) and then select the user in the Search
Results.
5. In the Current Roles section, select the XX Dept Admin - View All role you
assigned earlier and click the X icon to remove it. (If you previously assigned any
other roles, remove those too so the user has only the Employee role and the
new dynamic one you just requested.)
Verify Security
While logged in as curtis.feitty, search for users in US1 Business Unit and in business
units outside the US. Then sign out and sign back in as your new user and verify that
you can only see users in US1 Business Unit.
2. Click Advanced.
5. In the Business Unit field, search for and select US1 Business Unit and
click Search.
Information
You should see several names in the Search Results.
6. In the Business Unit field, select Australia Business Unit and click Search.
Information
You should see several names in the Search Results.
Information
Remember to use the password you reset in Activity 2. (The activity suggested
using xYz456AA.)
8. Repeat steps 1-6 above, and verify that you can only see people in the US1
Business Unit.
Information
You should not see any people in the Australia Business Unit (or any other
business unit).
After planning your customization, which of the following tasks would you perform first:
After creating a new abstract role, you must synchronize data between LDAP and HCM
before you can:
Which predefined person security profile could be used for this new employee role:
Which public person security profile could be used for this new employee role:
After creating a new abstract role, you must synchronize data between LDAP and
HCM before you can:
4. All of the above except 1
Which predefined person security profile could be used for this new employee
role:
1. View Own Record
Which public person security profile could be used for this new employee role:
2. View All Workers or View Own Record.
Use the latter if you do not want to allow employees to browse the Person Gallery for
other employees.
Lesson 10: Security and HCM Reporting
Subject areas are functionally secured using Fusion duty roles. The duty roles that grant
access to subject areas follow the naming convention xx Transaction Analysis Duty, where
xx is a group of similar objects. For example, Workforce Transaction Analysis Duty.
They can be found under the obi application in APM. The following screen shot shows
the duty roles in APM:
Analyses will not work if the user does not have access to all the subject areas in the
report.
BI Catalog folders are functionally secured using Fusion duty roles. The duty roles that
secure access to the BI catalog folders are the same duty roles that secure access to
the subject areas. So, if a user has a role that inherits Workforce Transaction Analysis
Duty, then he can access the Workforce Management folder in the BI catalog and the
Workforce Management subject areas.
Analyses are secured based on the folders in which they are stored.
If you have not secured BI reports using the report privileges, then by default they are
secured at the folder level. You can set permissions against folders and reports in OBI
for Application Roles, Catalog Groups or Users. You can set permissions to Read,
Execute, Write, Delete, Change Permissions, Set Ownership, Run Publisher Report,
Schedule Publisher Report and View Publisher Output.
Data Security
The data that is returned in OTBI reports is secured in a similar way to how data is
returned in Fusion HCM pages, meaning that access is granted by the roles that are
linked to security profiles.
Each of the (xx) Transaction Analysis Duty roles that grants access to subject areas and
BI Catalog folders inherits one or more (xx) Reporting Data Duty roles. These are the
duty roles that grant access to the data. The reporting data duty roles are found under
the hcm application in APM.
If you create custom job roles that have access to OTBI reports, you must give your job
roles both the obi version of the transaction analysis duty roles and the hcm version of
the transaction analysis duty role so that your job role has both the function and data
security access needed to run the reports. For example, if you want your custom role to
have access to the workforce transaction analysis subject areas, ensure that it inherits
the following duty roles:
The following figure is an example of the security for the seeded Line Manager role:
The arrows indicate inheritance. For example, the Workforce Transaction Analysis Duty
inherits Workforce Reporting Data Duty (thereby providing access to person and
assignment data), the Workforce Structures Reporting Data Duty (thereby providing
access to workforce structures), Absence Management Reporting Data Duty (providing
access to absence data), and finally Business Intelligence Authoring Duty (providing
access to various features in Oracle Business Intelligence Answers).
OBIEE Security
BI roles apply to both BI Publisher and OTBI. They grant access to functionality within
BI, for example, the ability to run or author reports. Users need one or more of these
roles in addition to the roles that grant access to reports, subject areas, BI catalog
folders, and Fusion HCM data.
BI roles include:
The BI Administrator role is a super-user role. While Oracle HCM Cloud Service
customers can add this role to a user, Oracle recommends that this is done only in a
test environment. None of the predefined HCM roles have BI Administrator access.
The BI Administrator role inherits the BI Author role, which inherits the BI Consumer
role, so users who can author reports can also run them. You can configure custom
roles that have the ability to run reports (via BI Consumer) but not author them.
The OTBI Transaction Analysis duty roles that are delivered with Fusion HCM inherit
the BI Author role. Therefore, any users with these roles are authorized to create and
edit OTBI reports, as well as run reports.
The BI Publisher Data Model Developer role is inherited by the Application Developer role,
which is inherited by the Application Implementation Consultant role. So, users with
either of these predefined roles are able to manage BIP data models.
Demonstration Scope
Use the Manage Duties task in the Setup and Maintenance work area to view the
Transaction Analysis duty roles inherited by the Human Resource Analyst predefined
role.
Use the Reports and Analytics task to access the BI Catalog and view the permissions
associated with sample OTBI reports.
Demonstration Steps
Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged in as
Curtis.Feitty)
4. In the Display Name field, enter Human Resource Analyst and click Search.
5. In the Search Results, select the Human Resource Analyst role and click
Open Role.
Information
Note the various Transaction Analysis Duty roles inherited by this predefined
role.
Information
You can see two roles: Absence Management Reporting Data Duty and
Workforce Structures Reporting Data Duty.
Information
Note the Transaction Analysis Duty roles here as well.
Information
Note the BI Consumer Role under the author role.
3. In the panel on the left, click the Browse Catalog icon button.
5. Expand the Human Capital Management folder, and then expand the Payroll
folder.
Information
A list of reports appears in the center panel.
7. Under Costing Reports in the center pane, click More and then select
Permissions.
Information
Scroll down to see the complete list of permissions, which includes the BI
Administrator Role.
8. Click Cancel.
BI Publisher
BI Publisher is a set of tools that allows you to create highly formatted reports based on
data models. With BI Publisher, you can:
Some reporting tools combine the data model, layout, and translation into one report
file, requiring Business Intelligence (BI) administrators to maintain multiple copies of the
same report to support minor changes.
BI Publisher separates the data model, layout, and translation, which means that BI
reports can be:
Generated and consumed in many output formats, such as PDF and Excel
Scheduled for delivery to e-mail, printers, and so on
Printed in different languages by adding translation files
Burst and scheduled to be delivered to many recipients
BI Publisher Security
In conceptual terms, BI catalog folders that contain BI Publisher reports are secured
using duty roles. These duty roles are not the same as those that secure OTBI subject
areas and folders.
Individual BI Publisher reports are secured using function security privileges that are
granted to these duty roles.
For example, the Payroll Register Report is in the Payroll Calculations folder. The report
is secured using a privilege called Run Payroll Register Report, and this privilege is
granted to Payroll Distribution Calculation Management Duty. The Payroll Calculations
folder is secured using this duty role.
The actual implementation is slightly different, because BI security differs from regular
Fusion Applications security in one key respect: BI security supports application roles,
but it does not support privileges. So, we implement the privileges that secure BI
Publisher reports as application roles.
In the preceding example, the privilege Run Payroll Register Report is implemented as
an application role called Run Payroll Register Report (OBI), which is inherited by
another application role called Payroll Distribution Calculation Management Duty OBI.
You can view this role inheritance under the obi application in APM:
As discussed in the Security lesson, Fusion Applications duty roles are implemented in
Fusion Middleware as application roles. Function security privileges are implemented as
Entitlements in APM.
In BI, the function security privileges are also implemented as application roles, and the
privilege to duty role grant is implemented as a parent-child relationship in the
application role hierarchy, meaning that the duty role is the parent application role and
the privilege is the child application role.
You can distinguish between application roles that implement duty roles and application
roles that implement privileges by looking at the role names. Application roles that
implement duty roles have names ending with _DUTY_OBI and application roles that
implement privileges have names ending with _PRIV_OBI.
If you have access to the Permissions link in the BI Catalog, these application roles are
visible there. You must have the BI Administrator role to view permissions for the
seeded folders and reports.
1. Select directly from a database table, in which case the data you return is not
subject to data security restrictions. Note that because BI Publisher allows you to
create data models on unsecured data, you should minimize the number of users
who have access to create data models.
2. Join to a secured list view in your select statements, in which case the data
returned will be determined by the security profiles that are assigned to the roles
of the user who is running the report.
The following tables show, for each table, the secured list view, the data security
privilege that is needed to report on data in the table (if accessed via the secured list
view) and the duty role that has the security privilege.
You can find the list of secured views in Oracle Enterprise Repository (OER)
(type=View; Logical Business Area=HCM). You can access OER using the following
URL: https://fusionappsoer.oracle.com/oer/ and sign in with your Oracle ID.
PER_ADDRESSES_F
PER_DRIVERS_LICENSES
PER_EMAIL_ADDRESSES (work e-mail not protected)
PER_NATIONAL_IDENTIFIERS
PER_PASSPORTS
PER_PHONES (work phone not protected)
PER_VISAS_PERMITS_F
The data in these tables is protected using data security privileges that are granted via
duty roles in the usual way.
This table lists the protected PII tables and the associated privileges that should be
used to report on data in these PII tables:
All of the above privileges are accessible using the Workforce Reporting Data Duty duty
role.
Lesson 11: Course Highlights
Lesson Details
Roles and Role-Based Security
Security in Oracle Fusion Applications is role-based, where roles control who can do
what on which data. Oracle Fusion Applications defines four types of roles:
Abstract roles
Data roles
Job roles
Duty roles
This figure shows the process of creating new data roles and security profiles:
User Provisioning: Oracle Fusion Applications are tightly integrated with Oracle
Identity Management (OIM). When you hire a worker, a user account can be
created automatically for that worker in the OIM Identity store.
Roles Provisioning: Abstract and data roles must be provisioned to users so that
they can access the functions and data that enable them to perform their jobs.
The process of assigning roles to users is known as role provisioning.
HCM Security Data Stores and User Interfaces for Managing Security
Three applications provide the user interfaces for managing HCM security:
The data that is returned in OTBI reports is secured in a similar way to how data is
returned in Fusion HCM pages, meaning that access is granted by the roles that are
linked to security profiles.
BI catalog folders that contain BI Publisher reports are secured using duty roles.
Individual BI Publisher reports are secured using function security privileges that are
granted to these duty roles. BI security works slightly differently than regular Fusion
Applications security. The key difference is that BI security supports application roles,
but it does not support privileges. So, the privileges that secure BI Publisher reports are
implemented as application roles.
Lesson 12: References
For information about how duty roles and privileges map to top-level menus, see
Mapping Of Duty Roles To Top Level Menu Entries in Fusion Applications
(Doc ID 1459828.1) on MOS.
For descriptions of all the predefined data that is included in the security
reference implementation for HCM, see Oracle Fusion Applications Human
Capital Management Security Reference Manual available from the Oracle
Fusion Applications Help and from docs.oracle.com/cloud.
For information about the common roles required to set up and administer an
offering, see Oracle Fusion Applications Common Security Reference
Manual available from the Oracle Fusion Applications Help and from
docs.oracle.com/cloud.
Lesson 13: Appendix
In this scenario, there may be one or more on-premise applications and an on-premise
Identity Provider, while Oracle Fusion Applications reside in the Cloud. When the user
signs on, the Identity Provider authenticates the user and authorizes them for access to
all of their applications. The user does not need to log in again to access Fusion
applications.
A federation server is a software component that provides users with Single Sign-On
access to systems and applications located across organizational boundaries.
LDAP
Virtual Directory
SAML 2.0
SAML 2.0 is an XML-based protocol that uses security tokens containing identity
assertions to pass information about an end user from one IAM system to
another.
How it Works
Here's how the single sign-on process works:
2. The request is redirected via Webgate and OAM Server to the On-Premise
Federation Server for authentication.
4. The Name Id is matched to the Fusion user ID, providing the appropriate
authorizations and allowing the appropriate application pages to be served up.
Technical View
This diagram shows a detailed technical view of the single sign-on process.
Oracle Access Manager (OAM) – Provides the core functionality of Web Single
Sign On (SSO), authentication, authorization, centralized policy administration
and agent management, real-time session management, and auditing.
Worker Service – Fusion HCM service that customers can call to create employees
and Fusion IAM users.
File-Based Loader (FBL) – A tool provided by HCM to integrate your HCM data into
Fusion HCM.
Spreadsheet Upload – An integration scheme provided by HCM that enables a one-time
upload of employee data.
Implementation User – An implementation user exists only in Fusion IAM, not in the
Fusion Applications tables. A Fusion Applications user exists in both Fusion IAM and
the shared HCM tables.
If your Oracle Fusion Applications are on the cloud (SaaS), users must exist in
both domains (Fusion Applications and on-premise applications).
If your Oracle Fusion Applications are on-premise, users must either exist in both
domains or Virtual Directory must be enabled so users exist virtually in the
Fusion Domain.
In this scenario, Oracle Fusion Global Human Resources is being implemented. Once
existing employees are loaded into Oracle Fusion HCM, all new users will be onboarded
to Oracle Fusion HCM SaaS first and then their details will be synchronized to the
on-premise directory. SSO will be enabled via the Federation.
Specify the output format, such as xml, pdf, excel, or flat file
Note: This BI Publisher Report contains the Fusion user ID that can be imported into
the on-premise IdP and then used in the on-premise Federation Server’s SAML
assertion.
To extract user data from Oracle Fusion Cloud Services and load the data into your
local LDAP directory, complete the following steps:
3. Convert the user data extract file into a format that can be loaded into your local
LDAP directory. You can use tools provided by your LDAP vendor. Load this data
into your local LDAP directory.
Oracle Fusion Cloud Services generate user data extracts in XML format. The
data extract is a full dump of identity information. The extract contains the last
update timestamp (COMPOSITE_LAST_UPDATE_DATE), which can be used by
your custom transformation logic to determine if the record has changed since
the processing of the previous extract.
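An added example, not from Oracle or this course, of the custom transformation logic the paragraph describes: it reads a full extract, keeps only the records whose COMPOSITE_LAST_UPDATE_DATE is later than the previous run's watermark, and renders them as LDIF for the local directory. The element names in the sample extract, the base DN and the inetOrgPerson attribute mapping are assumptions, since the course does not document the extract layout.

```python
"""Added example (not Oracle's code): pick out of a full Fusion user-data
extract the records changed since the previous run, using
COMPOSITE_LAST_UPDATE_DATE as the watermark, and render them as LDIF for the
on-premise directory.

Assumed extract layout (the course does not document the element names): each
user is a <User> element with child elements <Username>, <Email>, <FirstName>,
<LastName> and <COMPOSITE_LAST_UPDATE_DATE> (ISO-8601, UTC). BASE_DN is a
placeholder; attribute values are assumed to be plain ASCII, so no LDIF
base64 encoding is needed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

BASE_DN = "ou=people,dc=example,dc=com"  # placeholder for your directory

# Constructed sample extract; a real extract is a full dump of every user.
SAMPLE_EXTRACT = """<?xml version="1.0"?>
<Users>
  <User>
    <Username>JDOE</Username><Email>jdoe@example.com</Email>
    <FirstName>Jane</FirstName><LastName>Doe</LastName>
    <COMPOSITE_LAST_UPDATE_DATE>2014-06-10T08:15:00Z</COMPOSITE_LAST_UPDATE_DATE>
  </User>
  <User>
    <Username>ASMITH</Username><Email>asmith@example.com</Email>
    <FirstName>Alan</FirstName><LastName>Smith</LastName>
    <COMPOSITE_LAST_UPDATE_DATE>2014-06-14T17:40:00Z</COMPOSITE_LAST_UPDATE_DATE>
  </User>
  <User>
    <Username>NOSTAMP</Username><Email>nostamp@example.com</Email>
    <FirstName>No</FirstName><LastName>Timestamp</LastName>
  </User>
</Users>
"""


def parse_timestamp(text):
    """COMPOSITE_LAST_UPDATE_DATE string -> timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def changed_users(extract_xml, last_run):
    """Return the user records updated after `last_run` (a UTC datetime).

    A record whose timestamp is missing or unparseable cannot be shown to be
    unchanged, so it is included rather than silently dropped."""
    changed = []
    for user in ET.fromstring(extract_xml).iter("User"):
        fields = {child.tag: (child.text or "").strip() for child in user}
        try:
            updated = parse_timestamp(fields["COMPOSITE_LAST_UPDATE_DATE"])
        except (KeyError, ValueError):
            updated = None
        if updated is None or updated > last_run:
            changed.append(fields)
    return changed


def to_ldif(users):
    """Render inetOrgPerson entries. The Fusion user ID is carried in uid so
    the on-premise IdP can place it in the SAML NameID."""
    entries = []
    for u in users:
        entries.append("\n".join([
            f"dn: uid={u['Username']},{BASE_DN}",
            "objectClass: inetOrgPerson",
            f"uid: {u['Username']}",
            f"cn: {u['FirstName']} {u['LastName']}",
            f"sn: {u['LastName']}",
            f"mail: {u['Email']}",
        ]))
    return "\n\n".join(entries) + ("\n" if entries else "")


if __name__ == "__main__":
    last_run = parse_timestamp("2014-06-12T00:00:00Z")  # watermark from previous run
    print(to_ldif(changed_users(SAMPLE_EXTRACT, last_run)))
```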
Note: Extracting delta or subsets of user data is currently not supported. You can
extract the user data for Oracle Fusion Cloud Services only if:
Administrator.
For more information, see Oracle Support Document 1513123.1, Configuring Identity
Synchronization in Oracle Fusion Cloud Services, at:
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1513123.1
This figure illustrates single sign-on through Federation, where onboarding is done in an
existing on-premise application and synchronization of employees to Oracle Fusion
HCM is performed using File Based Loader (FBL) integration. This is an example of
co-existence, whereby Oracle EBS co-exists with an Oracle Fusion Applications product
such as Oracle Fusion HCM Talent.
In this scenario, provisioning users in your on-premise environment creates new users
in your local LDAP directory. This process is termed onboarding. First, you must
extract the user data from your local user directory and transform the data into a format
that is supported by Oracle Fusion Cloud Services. Then, you load the transformed data
into Oracle Fusion Cloud Services.
Spreadsheet Loader
To extract user data from your local LDAP directory and load the data into Oracle
Fusion Cloud Services, complete the following steps:
1. Extract the newly created user data from your local LDAP directory to a file by
using tools provided by your LDAP vendor.
2. Convert this user data file into a format that is delivered and supported by Oracle
Fusion Cloud Services. You can use tools provided by your LDAP vendor.
3. Load this data into Oracle Fusion Cloud Services using FBL or the Spreadsheet
Loader.
Implementation Scenarios
SSO via Federated Identity for SaaS
All scenarios represent single sign-on through Federated Identity for SaaS.
Prerequisites
Each employee that needs access to the SaaS application must already exist in
the cloud. (Existing employees must be synchronized.)
The SAML 2.0 assertion NameId must contain either the user's email address or
the user's Fusion user ID.
Implementation Notes
Only authentication is necessary; authorization details from Fusion IAM will be used,
based on the identity asserted.
To implement this scenario, customers will need to submit a Service Request (SR) for
SSO enablement. The SR will walk them step-by-step through the process.
Process documentation for this scenario is available on My Oracle Support. (See
Co-Existence and SSO: The SSO Enablement Process for Public Cloud Customers,
Doc ID 1477245.1, at:
https://mosemp.us.oracle.com/epmos/faces/DocumentDisplay?id=1477245.1)
For on-premise installations, you can use Oracle Virtual Directory to link Fusion
employees with existing users, rather than synchronizing identities.
For details on setting up and configuring Oracle Virtual Directory, refer to the standard
product documentation.
For more information, see Installing and Configuring Oracle Virtual Directory at:
http://docs.oracle.com/cd/E15523_01/install.1111/e12002/ovd.htm
SSO References
Co-Existence and SSO: The SSO Enablement Process for Public Cloud
Customers on Release 5
My Oracle Support Doc ID: 1477245.1
SaaS SSO Using Identity Federation eSeminar (You can take the training
online or download the slides.)
Link: http://oukc.oracle.com/static09/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1222182178
See also the Additional Resources page at the beginning of this course.