Fusion Applications: HCM

Security Ed 2

Instructor Guide

Course Code: D83523GC20


Edition 2
June 2014
Author
Jan Somers
Megan Wallace

Technical Contributors and Reviewers
John Thuringer
Amy Kust
Kiran Mundy

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Disclaimer

This document contains proprietary information and is protected by copyright and
other intellectual property laws. You may copy and print this document solely for
your own use in an Oracle training course. The document may not be modified or
altered in any way. Except where your use constitutes "fair use" under copyright law,
you may not use, share, download, upload, copy, print, display, perform, reproduce,
publish, license, post, transmit, or distribute this document in whole or in part without
the express authorization of Oracle.
The information contained in this document is subject to change without notice. If
you find any problems in the document, please report them in writing to: Oracle
University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This
document is not warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using
the documentation on behalf of the United States Government, the following notice
is applicable:

U.S. GOVERNMENT RIGHTS


The U.S. Government’s rights to use, modify, reproduce, release, perform, display,
or disclose these training materials are restricted by the terms of the applicable
Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other
names may be trademarks of their respective owners.
CONTENTS
Lesson 1: Course Overview .........................................................1
Welcome .................................................................................................... 1
Course Objectives ........................................................................................ 2
Additional Resources .................................................................................... 3
There are no activities for this lesson ............................................................. 4

Lesson 2: Security Overview .......................................................5
Role-Based Security Model ........................................................................... 5
Instructor Note: Roles Assigned to Users ..................................................... 6
Role-Based Access Control ............................................................................ 7
Predefined HCM Roles .................................................................................. 8
Role Inheritance .......................................................................................... 9
Data Role Inheritance .............................................................................. 10
User Role Inheritance .............................................................................. 11
Role Types ................................................................................................ 12
Role Inheritance Example ........................................................................... 13
Security Privileges ..................................................................................... 14
Instructor Note: Details Will Come Later .................................................... 15
Security Component Terminology Comparison .............................................. 16
Role Evaluation ......................................................................................... 17
Customizing Security for Your Needs ........................................................... 18
Instructor Note: Currently No Way to Copy Roles........................................ 19
Instructor Note: Demo Timing .................................................................... 20
Demonstration: Function Security in Action .................................................. 21
Instructor Note: Demo Timing .................................................................... 24
Demonstration: Data Security in Action ....................................................... 25
Exploring the Security Reference Manual ...................................................... 27
There are no activities for this lesson ........................................................... 29

Lesson 3: Security Profiles and Data Roles ...............................30
Data Security Through Security Profiles ....................................................... 30
Security Profiles Example ........................................................................... 31
HCM Security Profile Types ......................................................................... 32
Predefined HCM Security Profiles ................................................................. 33
HCM Security Profiles Best Practices ............................................................ 34
Approaches to Assigning Security Profiles to HCM Roles ................................. 35
Instructor Note: Demo Timing .................................................................... 36
Demonstration: Managing Data Roles and Security Profiles ............................ 37
Key Points for Creating Security Profiles ....................................................... 40
Manage Organization and Position Security Profiles ..................................... 41
Creating Organization Security Profiles .................................................... 41
Organization Security Profiles Key Concepts ............................................. 42
Creating Position Security Profiles ........................................................... 43
Position Security Profiles Key Concepts .................................................... 44
Manage Person and Public Person Security Profiles ...................................... 45
Creating Person Security Profiles ............................................................ 45
Person Security Profiles Key Concepts ..................................................... 47
Creating Public-Person Security Profiles ................................................... 48
Manage Document Type, LDG, and Country Security Profiles........................ 49
Creating Document Type Security Profiles ................................................ 49
Document Type Security Profiles Key Concepts ........................................ 50
Managing Legislative Data Group Security Profiles .................................... 51
Managing Country Security Profiles ......................................................... 52
Manage Payroll Security Profiles ................................................................ 53
Creating Payroll Security Profiles ............................................................ 53
Manage Payroll Flow Security Profiles ........................................................ 55
Creating Payroll Flow Security Profiles ..................................................... 55
Instructor Note: Notes on Activities ............................................................. 57
Instructor Note: Activity Timing .................................................................. 59
Student Activity: Creating Security Profiles and Assigning to a New Data Role.. 60
Activity 1 Introduction ................................................................................ 61
Activity 1: Creating Security Profiles and Assigning to a New Data Role ......... 62
Assigning Security Profiles to Existing Roles ................................................. 66
Editing Security Profiles .............................................................................. 67
Security Profiles Review Question 1 ............................................................. 68
Security Profiles Review Question 2 ............................................................. 69
Security Profiles Review Question 3 ............................................................. 70
Security Profiles Questions and Answers ...................................................... 71

Lesson 4: User and Role Provisioning .......................................72
User Account Creation and Maintenance Scenarios ........................................ 72
Instructor Note: User Account Management Scenarios................................. 73
User Account Provisioning .......................................................................... 74
Setting Enterprise-Level Options ................................................................. 76
Enterprise-Level User and Role-Provisioning Options ................................... 77
Instructor Note: User and Role Provisioning ............................................... 80
Provisioning Roles to Users: Overview ......................................................... 81
Instructor Note: Roles Must Be Provisioned ................................................ 82
Defining Role-Provisioning Rules ................................................................. 83
Role-Provisioning Options ........................................................................... 85
Role-Provisioning Rules for Abstract Roles .................................................... 86
Integration with New Hire Flow ................................................................... 87
Instructor Note: New Hire Process ............................................................. 87
Integration with New Hire Flow ................................................................. 88
New Hire Flow - Job Assignment ............................................................... 89
New Hire Flow - Role Requests ................................................................. 90
Tip: Role-Provisioning Strategies ................................................................. 91
Implementation Users ................................................................................ 92
Instructor Note: Implementation Users for the Cloud .................................. 94
Instructor Note: Demo Timing .................................................................... 95
Demonstration: Creating Implementation Users ............................................ 96
Instructor Note: Using the Manage Users Task Demo .................................... 99
Instructor Note: Demo Timing .................................................................. 100
Demonstration: Using the Manage Users Task to Create HR Users ................ 101
Instructor Note: Notes on Activity 2........................................................... 103
Instructor Note: Activity Timing ................................................................ 104
Student Activity: Creating a New User and Assigning a Data Role ................. 105
Activity 2 Introduction .............................................................................. 106
Activity 2: Creating a New User and Assigning a Data Role ........................ 107
Role Delegation ....................................................................................... 112
Which Roles Can I Delegate? .................................................................. 113
Enabling a Role for Delegation ................................................................ 114
Delegating a Role .................................................................................. 115
Delegating Approval Tasks ................................................................... 117
Ending Role Delegation .......................................................................... 118
Delegating Access to Manager Hierarchies ................................................ 119
Instructor Note: Demo Timing ................................................................ 121
Demonstration: Delegating the Line Manager Role .................................... 122
User and Role Provisioning Review Question 1 ............................................ 125
User and Role Provisioning Review Question 2 ............................................ 126
User and Role-Provisioning Review Question 3 ............................................ 127
User and Role-Provisioning Questions and Answers ..................................... 128
Lesson 5: HCM Security Management Data Stores ..................129
User Interface Overview ........................................................................... 129
HCM Security Management Data Stores ..................................................... 131
Fusion Applications, OIM, and APM Terminology Differences ......................... 133
Setup Tools and Tasks ............................................................................. 134
Instructor Note: Notes on Tools and Tasks ................................................. 136
Access to Security Tasks .......................................................................... 137
Instructor Note: HCM Security Task List ................................................... 140
There are no activities for this lesson ......................................................... 141
Lesson 6: Managing Job Roles and Abstract Roles ..................142
Instructor Note: Demo Timing .................................................................. 142
Demonstration: Viewing Roles in OIM ........................................................ 143
Instructor Note: Demo Timing .................................................................. 145
Demonstration: Using OIM to Manage Roles ............................................... 146
Important Note on Using OIM and APM ...................................................... 153
Instructor Note: Demo Timing .................................................................. 154
Demonstration: Using APM to View Duty Roles ........................................... 155
Regenerating Roles .................................................................................. 159
Instructor Note: Regeneration of Data Roles ............................................ 160
Instructor Note: Activity Timing ................................................................ 161
Student Activity: Creating a New Job Role .................................................. 162
Activity 3 Introduction .............................................................................. 163
Instructor Note: Notes on Activity 3 ........................................................ 164
Activity 3: Creating a New Job Role ......................................................... 165
Instructor Note: Activity Timing ................................................................ 169
Student Activity: Creating a Data Role for New Job Role and Assigning to User170
Activity 4 Introduction .............................................................................. 171
Activity 4: Creating a New Data Role and Assigning to User ....................... 172
Instructor Note: Troubleshooting Activity 4 ................................................ 175
Managing Job Roles and Abstract Roles Review Question 1........................... 176
Managing Job Roles and Abstract Roles Review Question 2........................... 177
Managing Job Roles and Abstract Roles Review Question 3........................... 178
Managing Job Roles and Abstract Roles Questions and Answers .................... 179

Lesson 7: HCM Security Deep Dive ..........................................180
Instructor Note: Deep Dive Target Audience ............................................... 180
Duty Roles in Detail ................................................................................. 181
Function Security Privileges ...................................................................... 182
Instructor Note: Read-Only Roles .............................................................. 183
Data Security Policy Components .............................................................. 184
Data Security Policies ............................................................................... 185
Data Security - Application Role Creation ................................................... 186
Data Security - FND_GRANTS Generation ................................................... 187
Data Security - Data Role Creation ............................................................ 188
Data Security in Action ............................................................................. 190
Instructor Note: Demo Timing .................................................................. 191
Demonstration: Viewing Security Policies ................................................... 192
Security Deep Dive Review Question 1 ....................................................... 202
Security Deep Dive Review Question 2 ....................................................... 203
Security Deep Dive Questions and Answers ................................................ 204
There are no activities for this lesson ......................................................... 205

Lesson 8: Managing Duty Roles ...............................................206
Instructor Note: Activity Timing ................................................................ 206
Student Activity: Creating a Custom Duty Role ........................................... 207
Activity 5 Introduction .............................................................................. 208
Activity 5: Creating a Custom Duty Role .................................................. 209
Lesson 9: Tips for Implementing HCM Security .......................214
Resilience to Change ................................................................................ 214
Impersonation ......................................................................................... 216
Advanced Tip: Minimizing the Number of Data Roles ................................... 217
Dynamic Security Profiles and Areas of Responsibility................................ 218
Defining Areas of Responsibility .............................................................. 219
Creating a Dynamic Security Profile ......................................................... 220
Instructor Note: Activity Timing .............................................................. 222
Student Activity: Defining a Dynamic Data Role ........................................ 223
Activity 6 Introduction ........................................................................... 224
Activity 6: Defining a Dynamic Data Role ............................................... 225
Lesson Review Questions.......................................................................... 230
Lesson Review Question 1 ...................................................................... 230
Lesson Review Question 2 ...................................................................... 231
Lesson Review Question 3 ...................................................................... 232
Lesson Review Question 4 ...................................................................... 233
Lesson Questions and Answers ............................................................... 234

Lesson 10: Security and HCM Reporting ...................................235
OTBI Security.......................................................................................... 235
Data Security ........................................................................................ 238
OBIEE Security ..................................................................................... 240
Instructor Note: Demo Timing ................................................................ 241
Demonstration: Viewing Security-Related Roles and Permissions ................ 242
BI Publisher ............................................................................................ 245
BI Publisher Security ............................................................................. 246
BI Publisher Data Security and Secured List Views .................................... 248
BI Publisher and PII Data ....................................................................... 251
There are no activities for this lesson ......................................................... 253
Lesson 11: Course Highlights ...................................................254
Lesson Details ......................................................................................... 255

Lesson 12: References .............................................................259
Lesson 13: Appendix ................................................................260
Single Sign-On ........................................................................................ 260
What is Single Sign-On? ......................................................................... 260
Single Sign-On Components ................................................................... 261
Federated Identity .............................................................................. 261
LDAP ................................................................................................. 262
Virtual Directory ................................................................................. 263
SAML 2.0 ........................................................................................... 264
How it Works ........................................................................................ 265
Technical View ...................................................................................... 266
Single Sign-on Terminology .................................................................... 267
Single Sign-On Patterns ......................................................................... 268
Single Sign-On Prerequisites ................................................................ 268
Fusion HCM SaaS - Scenario 1 .............................................................. 269
Employee Sync SaaS to On-Premise Identity Provider ........................ 270
Fusion HCM SaaS - Scenario 2 .............................................................. 272
Employee Sync On-Premise to Fusion Applications (HCM) ................... 273
Implementation Scenarios ...................................................................... 274
SSO via Federated Identity for SaaS ..................................................... 274
SSO via Federated Identity Plus OVD .................................................... 275
SSO References .................................................................................... 276
There are no activities for this lesson ...................................................... 277

Lesson 1: Course Overview


Welcome
Welcome to the Fusion Applications: Security for HCM course!

1. Instructor introduction
2. Student introductions
- Name
- Role (Functional Implementer/Technical Consultant)
- Company
- Experience with Oracle (HCM, EBS, PeopleSoft, JDE, etc.)
- Fusion experience

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. 1

Course Objectives
After completing this course, you should be able to:

- Describe the key features of Oracle Fusion Applications security
- Differentiate the four types of roles used in Oracle Fusion Applications security
- Identify key components of the Security Reference Implementation
- Create a new data role and assign security profiles
- Describe how user accounts are created and roles are provisioned to users
- Manage provisioning rules that map roles to users based on their HR assignments
- Identify the three main tools used to manage security in Oracle Fusion Applications
- Create a custom job role
- Create a custom duty role
- Describe how security policies are generated for roles that inherit a duty role
- Describe how HCM security works with Oracle's BI Reporting tools

Additional Resources
Classroom Resources:

- Fusion Applications: HCM Security Ed 2 Student Guide (this guide)
- Oracle Fusion Applications Help
- Instructor
- Other Students

Additional Recommended Resources:

The following guides are available from the Oracle Cloud Learning Center
(docs.oracle.com/cloud):

- Getting Started with Oracle Cloud
- Securing Oracle HCM Cloud
- Security Reference for Common Features
- Security Reference for Oracle HCM Cloud

Related Oracle University Courses:

- Fusion Applications: Security Fundamentals
- Fusion Applications: Install and Configure Identity Management
- Fusion Applications: HCM BI and Ad Hoc Reporting
- Oracle BI Publisher 11g R1: Fundamentals

For additional course information, search education.oracle.com

There are no activities for this lesson

Lesson 2: Security Overview

Role-Based Security Model
Oracle Fusion Applications use a role-based access control security model. Users are
assigned roles through which they gain access to functions and data within the
applications.

In the figure below, Julie Brown has three roles:

When she signs on to Oracle Fusion Applications, all of these roles are active
concurrently. The functions and data she can access are determined by the
combination of roles to which she is assigned. As an employee, Julie has access to
employee functions and data, and as a line manager, she has access to line-manager
functions and data.

Instructor Note: Roles Assigned to Users

Contrast the Oracle Fusion Applications approach, where users have multiple roles
active simultaneously, with the EBS approach, where users select a responsibility and
operate within that responsibility only. Use the Security Component Terminology
Comparison slide later in this section to show how role types and other security
components in Oracle Fusion correspond to features in EBS and PeopleSoft.

If questions about security occur in other lessons (such as how to prevent a user from
doing something or how to enable a user to do something), the answer is always the
same: the roles provisioned to the user determine what the user can (and cannot) do.

Role-Based Access Control

Role-based security in Oracle Fusion Applications controls who can do what on which
data.

For example:

- Who is a role assigned to a user.
- What is a function that users with the role can perform.
- Which Data is the set of data that users with this role can access when performing this function. In Oracle Fusion HCM, "Which Data" is defined using security profiles.

Predefined HCM Roles

The following is a partial list of the roles that are predefined and delivered with Oracle
Fusion HCM:

- Benefits Administrator
- Benefits Manager
- Benefits Specialist
- Compensation Administrator
- Compensation Analyst
- Compensation Manager
- Compensation Specialist
- Contingent Worker
- Employee
- Human Capital Management Application Administrator
- Human Resource Analyst
- Human Resource Manager
- Human Resource Specialist
- Human Resource VP
- Line Manager
- Payroll Administrator
- Payroll Manager

These predefined roles are included in the Security Reference Implementation. You
can review details of the HCM security implementation in the Oracle Fusion Applications
Human Capital Management Security Reference Manual. The Oracle Fusion
Applications Common Security Reference Manual covers roles that are common across
Oracle Fusion Applications, such as the Application Implementation Consultant and IT
Security Manager roles.

Role Inheritance
Role inheritance is a key concept in the Oracle Fusion HCM security model. The figure
below illustrates the hierarchy of job and duty inheritance.

Human Resource Specialist is a job role that inherits a number of duties.

Data Role Inheritance

In the figure below, Human Resource Specialist – Vision Corporation and Human
Resource Specialist – Vision Services are data roles that inherit the Human Resource
Specialist job role. This gives them access to the tasks that an HR Specialist needs to
perform. The security profiles that are assigned to the data roles provide the data
access.

Note that the two data roles have different security profiles, granting access to different
sets of data.

User Role Inheritance

When individual users are assigned to data roles, they inherit the data and function
security associated with those roles.

Role Types
Oracle Fusion Applications uses four types of roles for security management:

- Data Roles are a combination of a worker's job and the data instances that users with the role need to access. For example, the HCM data role Payroll Administrator Payroll US combines a job (Payroll Administrator) with a data scope (Payroll US). Data roles are not delivered as part of the reference implementation. They are defined by customers and are assigned directly to users.

- Abstract Roles represent a worker's role in the enterprise, independently of the job the worker is hired to do. Three abstract roles are delivered with Oracle Fusion HCM: Employee, Line Manager, and Contingent Worker. You can also create custom abstract roles. You assign abstract roles directly to users.

- Job roles align with the job a worker is hired to perform. Examples of predefined job roles are Human Resource Analyst and Payroll Manager. You can create custom job roles. Typically, you include job roles in data roles, and assign those data roles to users. (The IT Security Manager and Application Implementation Consultant job roles are exceptions, because they are not considered HCM job roles and don't restrict data using security profiles.)

- Duty roles align with the individual duties that users perform as part of their job. They grant access to work areas, dashboards, task flows, application pages, reports, batch programs, and so on. They may carry both function and data security grants. Duty roles are inherited by job and abstract roles, and can also be inherited by other duty roles. Duty roles are delivered as part of the reference implementation, and can be used as building blocks when creating your own job and abstract roles. You do not assign duty roles directly to users.

Role Inheritance Example

In reality, abstract and job roles inherit many duty roles. The following figure shows a
simplified example:

In this example, the duty roles give the user access to all the tasks and functions that an
HR specialist needs to perform plus all the tasks, unrelated to a specific job, that every
employee needs to perform.

Most security profiles are defined by customers and assigned to data roles and abstract
roles. (A small set of predefined security profiles is delivered as part of the security
reference implementation.)

The HCM security model supports several different types of security profiles, each used
to control access to a different type of data.

Security Privileges
When you look deeper into the role hierarchy, you can see that the Worker Promotion
Duty is associated with a function security privilege and two data security policies.

• The Promote Worker function security privilege secures access to the Promote
Worker page.

• One data security policy determines which people can be promoted.

• A second data security policy determines which positions the person can be
promoted into.

Each data security policy defines a role (such as Worker Promotion Duty), a business
object being accessed (such as Person Assignment), the condition that must be met for
access to be granted, and a data security privilege that defines the action being
performed.

Function security privileges and data security policies are covered in detail in a later
section.
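To make the hierarchy and the policy structure concrete, here is an added example (constructed for this guide, not Oracle code) that resolves a user's inherited roles, derives the Navigator entries their function security privileges expose, and evaluates a data security policy of the kind just described. The hierarchy shape, the sample users and records, and every role, menu or privilege name not taken from the text are assumptions.

```python
"""Constructed model of the role hierarchy and security policies described above.
Added example, not Oracle code: role, page and privilege names come from the
text where they exist; the hierarchy shape, the other names and the sample
users and records are assumptions."""
from dataclasses import dataclass
from typing import Callable

# Role inheritance (constructed): a data role inherits a job role, which inherits
# duty roles. Only duty roles carry grants; users never hold duty roles directly.
ROLE_HIERARCHY = {
    "HR Specialist - US Sales": ["Human Resource Specialist"],   # data role (assumed)
    "Human Resource Specialist": ["Worker Promotion Duty"],       # job role
    "Worker Promotion Duty": [],                                  # duty role
    "Employee": ["Employee Self Service Duty"],                   # abstract role
    "Employee Self Service Duty": [],                             # duty role (assumed)
}

# Function security privileges granted by each duty role. Per the text, the
# Promote Worker privilege secures the Promote Worker page; the rest are assumed.
FUNCTION_GRANTS = {
    "Worker Promotion Duty": {"Promote Worker", "Manage Workforce Structures"},
    "Employee Self Service Duty": {"Manage My Account"},
}

# Navigator entries and the function security privilege securing each (assumed).
NAVIGATOR_MENU = {
    "Workforce Structures": "Manage Workforce Structures",
    "My Account": "Manage My Account",
    "Promote Worker": "Promote Worker",
}


@dataclass(frozen=True)
class DataSecurityPolicy:
    """Role, business object, condition and data security privilege, as in the text."""
    role: str
    business_object: str
    privilege: str
    condition: Callable[[dict, dict], bool]   # (user context, record) -> allowed?


# The two policies on Worker Promotion Duty: who may be promoted, and into which
# positions. The conditions stand in for the security profiles a deployment attaches.
POLICIES = [
    DataSecurityPolicy("Worker Promotion Duty", "Person Assignment", "Promote",
                       lambda ctx, rec: rec["department"] in ctx["managed_departments"]),
    DataSecurityPolicy("Worker Promotion Duty", "Position", "Promote Into",
                       lambda ctx, rec: rec["business_unit"] in ctx["business_units"]),
]


def effective_roles(assigned):
    """Transitive closure over ROLE_HIERARCHY: every role the user inherits."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_HIERARCHY.get(role, []))
    return seen


def function_privileges(assigned):
    """Union of the function security grants of all inherited roles."""
    privs = set()
    for role in effective_roles(assigned):
        privs |= FUNCTION_GRANTS.get(role, set())
    return privs


def visible_navigator_entries(assigned):
    """Function security in action: an entry appears only if its privilege is held."""
    privs = function_privileges(assigned)
    return sorted(entry for entry, priv in NAVIGATOR_MENU.items() if priv in privs)


def is_authorized(assigned, ctx, business_object, privilege, record):
    """Data security in action: some inherited role must carry a policy for this
    business object and privilege whose condition the record satisfies."""
    roles = effective_roles(assigned)
    return any(pol.role in roles and pol.business_object == business_object
               and pol.privilege == privilege and pol.condition(ctx, record)
               for pol in POLICIES)


# Constructed users mirroring the demonstrations: Curtis holds a data role plus
# Employee, Mitch only Employee. ctx holds what a security profile would resolve to.
CURTIS = {"roles": {"HR Specialist - US Sales", "Employee"},
          "ctx": {"managed_departments": {"US Sales"}, "business_units": {"USA1"}}}
MITCH = {"roles": {"Employee"},
         "ctx": {"managed_departments": set(), "business_units": set()}}
MARK = {"name": "Mark Winterling", "department": "US Sales"}       # constructed records
LINDA = {"name": "Linda Swift", "department": "US Marketing"}

if __name__ == "__main__":
    for user in (CURTIS, MITCH):
        print(sorted(user["roles"]), "->", visible_navigator_entries(user["roles"]))
    print(is_authorized(CURTIS["roles"], CURTIS["ctx"], "Person Assignment", "Promote", MARK))
```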

Instructor Note: Details Will Come Later


Sometimes the previous slide spawns questions from students who want to know a lot
more about what happens under the hood, because they find it very difficult to
understand what data security policies are, how they are used, and how they work.

Inform the class that this information is covered in detail later in the class in the HCM
Security Deep Dive section. In this overview, we're just introducing the concepts of
function security and data security and the related function security privileges and data
security privileges. Ask students to hold their detailed questions on data security
policies until later, and assure them that they will have an opportunity to see these
features up close.

Security Component Terminology Comparison


This table shows how security components in Oracle Fusion Applications correspond
directly to security features in E-Business Suite and PeopleSoft.

Role Evaluation
By default, users do not have access to Oracle Fusion Applications functions and data.
Users are granted access by means of the roles provisioned to them.

Prior to implementation, you must:

• Review how the security reference implementation of roles and policies fits with
the jobs in your enterprise.

• Identify the jobs that people have in your enterprise.

• Decide whether the duties defined for the jobs in the security reference
implementation match the duties performed by corresponding jobs in your
enterprise.

Customizing Security for Your Needs


In cases where the predefined security reference implementation does not adequately
represent the needs of your enterprise, you can make changes. For example, a
predefined job role may be too narrowly defined. You can create a new job role and give
it a role hierarchy of different duty roles than a similar predefined job role, and provision
your newly created job role to users who should have broader access.

For example, the predefined Line Manager role includes compensation management
duties. If some of your line managers do not handle compensation, you could create a
custom line manager role without those duties.

Evaluate the predefined roles and privileges in the security reference implementation
against the needs of your enterprise and determine the necessary security setup
actions:

• If jobs exist in your enterprise that are not represented by the security
reference implementation, you create a new job role or abstract role.

• If the duties for a predefined job role are not the same as the
corresponding job description in your enterprise, you add duties to and
subtract duties from the job role.

• If the duties for a job are not defined in the security reference
implementation, you create custom duty roles.

The demonstrations and activities in this lesson will show you how to perform each of
these setup actions.

Note: As you make changes to the security reference implementation for an Oracle
Fusion Applications deployment, it is good practice to create your own custom roles
rather than modify predefined roles. Upgrade and maintenance patches to the security
reference implementation preserve your changes, so if you do modify predefined
roles, you cannot restore them to their original state by upgrading.

Instructor Note: Currently No Way to Copy Roles


There is currently no way of copying roles. This is being addressed in a future release of
Oracle Fusion Applications.

Instructor Note: Demo Timing

Approximate Demonstration Timing: 6 minutes

Demonstration: Function Security in Action


Demonstration Background
As an Oracle Fusion Applications user, you access functions through the roles that have
been assigned to you.

Demonstration Scope
Go to the Navigator, and view the available options. Select an option, and view the
available tasks in the task pane.

Demonstration Steps

Start Here
Oracle Fusion Applications Sign On screen

1. Log in as Curtis.Feitty, using the password provided to you by the instructor.

2. In the menu bar at the top of the page, click the Navigator icon button.

Information
Function security is used to secure the Navigator menu. Each menu entry
corresponds to a work area or dashboard, and each of these is secured with a
function security privilege. The function security privileges that are granted to the
user (through his or her roles) control the menu entries that the user can see.

3. Select Workforce Structures under Workforce Management.

Information
Function security also secures the task pane (displayed on the left side of the
page) for a work area. Each of the task pane entries corresponds to a task flow,
which is secured with a function security privilege. The function security
privileges that are granted to the user (through his or her roles) control the task
pane entries that the user can see.

4. On the Navigator menu under My Information, select My Account.

Location: Manage User Account page

5. Scroll down to the Current Roles section.

Information
Curtis is assigned a great many roles, which is useful for testing (and for training
courses like this). He has functional manager roles, as well as IT Security
Manager. In the real world, few users would have this many different and
powerful roles.

6. Sign out, and then sign back in as mitch.blum.

Information
To sign out, click Curtis Feitty in the menu bar and then click Sign Out.

7. On the Navigator menu, notice that Mitch doesn't have access to the Workforce
Structures option and many other options that appear on Curtis's menu.

8. On the Navigator menu under My Information, select My Account.

9. Scroll down to the Current Roles section to view Mitch's assigned roles.

Information
Mitch has fewer roles than Curtis. Mitch's roles don't give him access to the
Workforce Structures function, so it doesn't appear on his menu.

10. Sign out.

You have demonstrated how to view menu options and tasks managed by function
security.

Instructor Note: Demo Timing

Approximate Demonstration Timing: 7 minutes

Demonstration: Data Security in Action


Demonstration Background
As an Oracle Fusion Applications user, you access data via the roles that have been
assigned to you.

Demonstration Scope
Explore the data available for viewing by different users based on their assigned roles.

Demonstration Steps

Start Here
Oracle Fusion Applications Sign On screen

1. Log in to the HCM Simplified UI as Jack.Fisher.

Information
This user has employee and line manager roles. He also has several direct
reports.

2. On the Navigator menu, select Person Gallery.

3. Select the My Portrait tab.

Information
When you look at your own portrait, you can see your benefit enrollments,
compensation data, and so on. The actions that are available in the Actions
menu are controlled using data security. The actions you can perform include
things like Change Marital Status, but do not include actions like Promote.

4. Select the Organization Chart tab to show the management reporting hierarchy.

5. Click the name of Jack's manager, Linda Swift.

Information
When an employee views their manager's portrait, only publicly available
information appears. No HR actions are available. Data security controls access
to data that you can view for other people. A public person security profile
controls which people a user can search for in Person Gallery. Once a user has
selected a person, data security controls the Person Gallery cards that can be
seen for that person and also what actions can be performed against them.

6. Select the Organization Chart tab again.

7. Hover your mouse over the point at the bottom of Jack's box on the chart, and
then click the + sign to show Jack's direct reports.

8. Click Mark Winterling's name.

Information
In the Actions section, you can see the functions available to Jack. He can
promote, terminate, manage the salary and compensation, and view absence
balances for Mark.

9. Sign out and sign back in as Curtis.Feitty.

10. Navigate to the Person Gallery, and search for Linda Swift. (Enter Linda's
name in the Keywords field, click Search, and then click Swift, Linda in the
Search Results.)

Information
When viewing Linda in the Person Gallery, Curtis can see more cards and has
more actions than Jack. This is because Curtis has the HR Specialist - View All
role, which allows him a greater level of access.

You have demonstrated how to view application pages managed by data security and
noted the differences that result from provisioned data restrictions.

Exploring the Security Reference Manual


The Oracle Fusion Applications Human Capital Management Security Reference
Manual includes descriptions of all the predefined data that is included in the security
reference implementation for HCM.

The Oracle Fusion Applications Common Security Reference Manual provides
descriptions of predefined data that is common across Oracle Fusion Applications.

Note: All information presented in the manuals can be accessed in the various user
interface pages of Oracle Fusion Applications. However, the manuals make it easier to
compare and plan your customizations.

There are several ways to access the Security Reference Manuals online:

From the Search window in Oracle Fusion Help:

1. Click your user name (currently logged in user) at the top of any application
window.
2. Select Applications Help to display the Oracle Fusion Applications Help
window.
3. In the Search field, type the name of the manual you want to view, such as
Oracle Fusion Applications Human Capital Management Security Reference
Manual.
4. Click the icon button.
5. In the Search Results, click the link for the manual.
Information
From here, you can view, print, or save the manual to your local drive.
6. To limit the search results to PDF guides only, expand the Help Type section in
the left panel. Select PDF Guide and deselect all other help types.

From the Oracle Cloud Learning Center:

1. Access the Oracle Cloud Learning Center at docs.oracle.com/cloud.
2. Under Applications Services, click Global Human Resources.
3. Click the Cloud Books tab.
4. Under Security, click Security Reference for Oracle HCM Cloud.

HCM Security Reference Manual

The HCM Security Reference Manual contains a section for each predefined HCM job
and abstract role. For each role, you can review its:

• duties
• role hierarchy
• function security privileges
• data security policies

This information can help you understand which users should be provisioned with the
role, or which adjustments your enterprise requires before the role can be provisioned.
See also Mapping Of Roles, Duties and Privileges in Fusion Applications on My
Oracle Support (Doc ID 1460486.1).

Additional Information
For additional information and links, see the References page at the end of this lesson.

There are no activities for this lesson

Lesson 3: Security Profiles and Data Roles


Data Security Through Security Profiles
Most Oracle Fusion HCM data is secured by means of HCM security profiles. A security
profile identifies a set of data of a single type, such as persons or organizations. For
example, you could create security profiles to identify:

• All workers in department HCM US
• The legal employer InFusion Corp USA1
• Business units USA1 and USA2

Customers assign security profiles to:

• Data roles. Data roles always inherit job roles. The job roles provide the function
security access, while the security profiles assigned to the data role provide
access to the data required to perform the duties of the job.

• Abstract roles. Three abstract roles are delivered with HCM: employee, line
manager, and contingent worker. You assign security profiles to predefined
abstract roles, such as employee, to grant access to HCM business objects, such
as the worker's own person record. You can also assign security profiles to the
custom abstract roles that you create.

• Job roles. Assigning security profiles directly to job roles is less common, since
users with the same job often access different sets of data.

Security Profiles Example


Security profiles are assigned to roles that are directly assigned to users.

In the following example, Tim Thompson and Patricia Smith are both human resource
specialists, Tim in US Marketing and Patricia in US Sales. Each has a data role that
inherits the job role Human Resource Specialist and the duty roles appropriate to that
job role. Therefore, Tim and Patricia can perform the same functions and see the same
entries in the Navigator, work area Tasks panes, and menus. However, each user
accesses different sets of data, which are identified in separate sets of security profiles.

Note: If Tim and Patricia could access the same sets of data, you would assign the
same data role to both users.

HCM Security Profile Types


You can create HCM security profiles for the following HCM business objects:

• Person (managed)
• Person (public)
• Organization
• Position
• Legislative Data Group
• Country
• Document Type
• Payroll
• Payroll Flow

Two uses for the person security profile exist because many users need to access two
distinct sets of people from each of their roles: people whom they manage and people
whose public contact details they need to access (for example, in a worker directory).

• The Person (managed) profile controls which people you can perform actions
against.

• The Person (public) profile controls which people you can search for in the
Person Gallery. This profile is also used to secure some person LOVs. For
example, the Change Manager page and New Hire flows display a person LOV
that is secured using the public person security profile, rather than the person
security profile. This is because the person who is selecting the manager for a
worker might not have view access for that manager through their person
security profile.

Predefined HCM Security Profiles


The following HCM security profiles are predefined:

You cannot:

• Edit or delete the predefined security profiles.

• Create a custom security profile that provides access to all objects; you must use
the appropriate predefined View All security profile instead.

HCM Security Profiles Best Practices


The following recommendations apply to all types of HCM security profiles:

• HCM security profiles are reusable and modular. Once you create a security
profile, you can assign it to multiple data roles.

• You can reference organization, position, payroll, and other security profiles in a
person security profile. For example, you might define an organization security
profile that allows access to a particular business unit. You can then reference
the organization security profile in a person security profile to provide access to
people who are assigned to that business unit.

• Use the predefined security profiles wherever appropriate.

• Define a naming scheme that identifies clearly the set of business objects in the
security profile's data instance set, such as HCM US Departments or US
Marketing Positions. Security profile names must be unique in the enterprise for
the security profile type.

Approaches to Assigning Security Profiles to HCM Roles

Consider these approaches when assigning security profiles to HCM roles:

• Give employees access to their own records, the person records of their
emergency contacts, beneficiaries, and dependents, and all public-person
records. Assign relevant HCM security profiles directly to the employee abstract
role.

• Give managers access to the person records of direct and indirect reports.
Assign relevant HCM security profiles directly to the line manager abstract role.

• For individual job roles, determine whether all users with that job role access the
same HCM business object instances. In this scenario, you do not need to create
a data role; you can simply assign the security profiles to the job role.

Instructor Note: Demo Timing

Approximate Demonstration Timing: 10 minutes

Demonstration: Managing Data Roles and Security Profiles

Demonstration Background
During security setup, you create data roles and assign security profiles to them.

Demonstration Scope
Use the Manage Data Role and Security Profiles task to demonstrate the process of
creating a data role and assigning security profiles to it.

Demonstration Steps

Start Here
Oracle Fusion Applications Sign On screen

1. Log in as Curtis.Feitty, if not already logged in.

2. Navigate to the Setup and Maintenance work area.

Location: Overview page, All Tasks tab

3. In the Name field, enter Manage Data Role and Security Profiles and click
Search.

Location: Search Results section

4. In the Manage Data Role and Security Profiles task row, click Go to Task.

Location: Manage Data Roles and Security Profiles page

5. In the Search Results section toolbar, click the Create icon button.

Location: Create Data Role: Select Role page

6. In the Data Role field, enter XX HR Specialist Vision, where XX represents
your initials.

7. In the Job Role field, search for and select Human Resource Specialist.

Information
A data role is always associated with a job role, from which it inherits duties.
The Delegation Allowed field is covered in the Role Delegation section later in
this class. You can leave this option unchecked.

8. Click Next.

Location: Create Data Role: Security Criteria page

Information
Here you select the security criteria for the role. For each business object that the
job role needs to access, a section appears on this page. To identify data set
instances for each business object, you can either select an existing security
profile or create a new security profile.

Note: Any security profiles that you create while defining the data role exist
independently of the data role and can be reused.

9. In the Organization section, select the predefined View All Organizations
organization profile.

10. In the Person section, select the Create New hyperlink at the bottom of the
Person Security Profile LOV.

11. In the Name field, enter XX Person Security Profile Vision.

12. Select the Secure by Global Name Range option.

13. For all other sections, select any one of the predefined View All security profiles.

14. Click Next.

Location: Assign Security Profiles to Role: Organization Security Profile page

Information
This is the first of a series of pages for defining security profiles. Since you only
need to create a Person profile, you could skip to the Person page now by
clicking Person in the process train at the top of the page. However, for this
demonstration, we will review each page to see the criteria associated with each
business object. Key points about each profile type are included in the pages
following this demonstration.

15. Click Next, noting the security criteria on each page, until you reach the Person
train stop.

Location: Assign Security Profiles to Role: Person Security Profile page

Note: In the Global Name Range section, the Secure by Global Name Range
option is selected based on your previous entry (step 12).

16. In the Global Name Range section, enter A in the From Person Name field,
and enter L in the To Person Name field.

Information
This criterion limits access to persons whose global list names are in the range A
through L.

17. To view the remaining security profile pages, continue clicking Next until you
reach the Review page.

18. Click Submit.

Location: Manage Data Roles and Security Profiles page

Information
After submitting, it is a good idea to verify that the new role was successfully
created and profiles were assigned.

19. Search for the data role you just created. (Enter XX HR Specialist Vision in the
Role field, and click Search.)

20. In the Search Results, verify that the Security Profiles Assigned column for
your role displays a green checkmark.

21. Click Done.

At this point, you should have created a new data role and assigned the necessary
security profiles.

Key Points for Creating Security Profiles


All Security Profile Types

• A security profile defines criteria that identify a data instance set for a particular
business object.

• You can define any combination of available criteria. For example, you can
identify an organization data instance set by any combination of organization
hierarchy, organization classification, and organization name.

• If you define criteria by name (or a list or range of names), the data instance set
is the same for all users and changes only if you update the security profile.
However, if you use other criteria, such as hierarchy or classification, the data
instance set may vary by user and may change independently of the security
profile.

• If you define criteria by hierarchy, you can include a subset of the items in the
hierarchy by specifying the top level of the hierarchy. For example, you can
include a subset of organizations in the organization hierarchy by specifying the
top organization.

• Business objects must satisfy all of the criteria in the security profile to belong to
its data instance set.

• To provide access to all records, use the predefined View All security profile.

The subsequent pages provide key details for creating specific types of security profiles.

Manage Organization and Position Security Profiles


Creating Organization Security Profiles

An organization security profile includes criteria that identify a set of organizations.

Users need access to organizations either because they manage their definitions or
because they perform tasks where lists of organizations are presented to them. For
example, a human resource specialist selects a business unit and a department when
hiring a worker. To allow users to access organizations, you create an organization
security profile, include it in an HCM data role, and provision the role to users.

Setup and Maintenance Work Area > Manage Organization Security Profile > Manage
Organization Security Profiles page > Create Organization Security Profile

Organization Security Profiles Key Concepts


Some key points about organization security profiles:

• You can identify organizations by any combination of organization hierarchy,
organization classification, and organization name. Organizations with multiple
classifications appear in the data instance set if they satisfy any one of the
classification criteria.

• You must decide how best to identify the set of organizations in the data instance
set. For example, if you list organizations by name, the data instance set can
change only if you update the security profile and is the same for all users. If you
identify organizations by organization hierarchy or classification, the data
instance set may change independently of the security profile and vary among
users.

• You can include a subset of the organizations from an organization hierarchy by
specifying a top organization.

• If you use the organization from the user's assignment as the top organization,
the data instance set varies by user, even though the organization security profile
is the same for all users. If the user has multiple assignments in the organization
hierarchy, all relevant organizations from all assignments belong to the data
instance set.

• Organizations must satisfy all of the criteria in the security profile to belong to its
data instance set.

Creating Position Security Profiles


A position security profile includes criteria that identify a set of positions.

Users need access to positions because they either manage position definitions or
perform tasks where lists of positions are presented to them. To allow users to access
positions, you create a position security profile, include it in an HCM data role, and
provision the role to users.

Setup and Maintenance Work Area > Manage Position Security Profile > Manage
Position Security Profiles page > Create Position Security Profile

Position Security Profiles Key Concepts

Some key points about position security profiles:

• You can identify positions by any combination of position hierarchy, department,
business unit, and position name.

• When you identify positions by department or business unit, you include positions
defined for those departments or business units. To identify the departments and
business units, you select existing organization security profiles: the position
security profile inherits the data instance sets of the selected organization
security profiles.

• You must decide how best to identify the set of positions in the security profile.
For example, if you list the positions by name, the data instance set can change
only if you update the security profile and is the same for all users. If you identify
positions by position hierarchy, department, or business unit, the data instance
set may change independently of the security profile and vary among users.

• You can include a subset of the positions from a position hierarchy by specifying
a top position.

• If you use the position from the user's assignment as the top position, the data
instance set varies by user, even though the position security profile is the same
for all users. If the user has multiple positions from the position hierarchy, all
relevant positions belong to the data instance set.

Manage Person and Public Person Security Profiles


Creating Person Security Profiles

A person security profile includes criteria that identify one or more person records.

Users access person records either because they need to update them (for example,
because they manage those people) or because they need to contact those people.
You create separate person security profiles for each of these purposes. To allow users
to access person records, you create person security profiles, include them in an HCM
data role, and provision the role to users.

Setup and Maintenance Work Area > Manage Person Security Profile > Manage Person
Security Profiles page > Create Person Security Profile

Note the Access field in the table in the Secure by Person Types section. After
specifying a person type, you can set the Access to one of the following values:

• Select All to include all persons of the specified person type in the instance set.
Other criteria in the security profile have no effect.
• Select Restricted to include all persons of the specified person type, restricted
by the other criteria in the security profile.

For example, if you set the System Person Type to Contingent Workers, set the Access
to Restricted, and also select a specific department in the Secure by Department
field, then the instance set comprises only the contingent workers in the specified
department. If Access were set to All, the instance set would comprise all
contingent workers in the enterprise.

Person Security Profiles Key Concepts

Some key points about person security profiles:

• You can identify person records by any combination of person type, manager
hierarchy, workforce structures, global-name range, and custom criteria.

• Workforce structures include department, legal employer, business unit, position,
legislative data group, and payroll. To secure person records by one or more of
these workforce structures, you select an appropriate security profile. The person
security profile inherits the data instance set of the selected security profile.

• If you identify person records by manager hierarchy, you select either a
person-level or an assignment-level hierarchy. In a person-level hierarchy, the data
instance set includes any worker in a direct or indirect reporting line to the
signed-on user. Use this approach unless workers have multiple assignments
that are not all managed by the same manager. In an assignment-level hierarchy,
the data instance set includes both workers who report to the signed-on manager
directly and workers who report to the assignments that the signed-on manager
manages. In enterprises where workers have multiple assignments reporting to
various managers, this approach ensures that only managers who are directly
responsible for a worker have access to that worker.

• The Manager Hierarchy attribute controls access to manager hierarchies when
roles are delegated. This is covered in the Role Delegation section later in this
class.

• A user who has access to a person record has access to relevant information
from all of the person's assignments, even if only one of the person's
assignments satisfies the criteria in the person security profile.
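The following model is an added illustration (not Oracle code and not part of the course material) of the rules stated above and in the Access field discussion: Access = All ignores the other criteria, Access = Restricted combines them, and one qualifying assignment exposes all of a person's assignments. Person, department, and manager names are constructed sample data.

```python
"""Toy model of how a person security profile resolves to a data instance set.

Added illustration, not Oracle code: it mirrors the rules stated in the lesson
(person-type Access = All ignores the other criteria, Access = Restricted
combines them, one qualifying assignment exposes every assignment of a person).
Field, person, and department names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    department: str
    manager: Optional[str]          # user name of the assignment's line manager


@dataclass
class Person:
    name: str
    person_type: str                # system person type, e.g. "Employee"
    assignments: list = field(default_factory=list)


@dataclass
class PersonSecurityProfile:
    # Secure by Person Types: {system person type: "All" | "Restricted"}
    person_types: dict = field(default_factory=dict)
    # Secure by Department: departments in the referenced organization profile
    departments: Optional[set] = None
    # Secure by Manager Hierarchy, person level: direct reports of signed-on user
    manager_hierarchy: bool = False


def _other_criteria_match(profile, person, signed_on_user):
    """Evaluate every criterion except person type; one matching assignment
    is enough for the person to qualify."""
    for a in person.assignments:
        dept_ok = profile.departments is None or a.department in profile.departments
        mgr_ok = not profile.manager_hierarchy or a.manager == signed_on_user
        if dept_ok and mgr_ok:
            return True
    return False


def instance_set(profile, people, signed_on_user):
    """Return the names of the people the signed-on user can access."""
    visible = set()
    for p in people:
        if profile.person_types:
            access = profile.person_types.get(p.person_type)
            if access is None:
                continue                # person type not listed: not included
            if access == "All":
                visible.add(p.name)     # other criteria have no effect
                continue
        # Access == "Restricted", or the profile has no person-type criterion
        if _other_criteria_match(profile, p, signed_on_user):
            visible.add(p.name)
    return visible


def visible_assignments(profile, person, signed_on_user):
    """Access is per person, never per assignment: all of a person's
    assignments are visible once any one of them qualifies."""
    if person.name in instance_set(profile, [person], signed_on_user):
        return list(person.assignments)
    return []


# Constructed sample data. Cho has two assignments; only the second one is in
# Operations US and reports to the signed-on manager "curtis".
SAMPLE_PEOPLE = [
    Person("Ana", "Contingent Worker", [Assignment("Operations US", "curtis")]),
    Person("Ben", "Contingent Worker", [Assignment("Finance US", "dana")]),
    Person("Cho", "Employee", [Assignment("Finance US", "dana"),
                               Assignment("Operations US", "curtis")]),
    Person("Dev", "Employee", [Assignment("Finance US", "dana")]),
]


def demo(signed_on_user="curtis"):
    ops = {"Operations US"}
    restricted = PersonSecurityProfile({"Contingent Worker": "Restricted"}, ops)
    unrestricted = PersonSecurityProfile({"Contingent Worker": "All"}, ops)
    by_manager = PersonSecurityProfile(manager_hierarchy=True)
    return {
        "restricted": instance_set(restricted, SAMPLE_PEOPLE, signed_on_user),
        "all": instance_set(unrestricted, SAMPLE_PEOPLE, signed_on_user),
        "manager": instance_set(by_manager, SAMPLE_PEOPLE, signed_on_user),
        "cho_assignments": len(visible_assignments(by_manager, SAMPLE_PEOPLE[2],
                                                   signed_on_user)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Note that the "all" profile exposes Ben although he is outside Operations US, which is exactly the widening the Access field controls.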

Creating Public-Person Security Profiles

To create a public-person security profile, you perform the Manage Person Security
Profile task.

A public-person security profile identifies the set of workers whose contact details the
signed-on user needs to access (for example, in the Person Gallery).

You can identify workers using any of the available criteria. To provide access to all
enterprise workers, use the predefined person security profile View All Workers.

Manage Document Type, LDG, and Country Security Profiles

Creating Document Type Security Profiles

A document type security profile includes criteria that identify one or more locally
defined document types.

Users need access to document types because they either manage the definitions of
those document types or need to access instances of those document types in the
person records to which they have access. To allow users to access document types,
you create a document type security profile, include it in an HCM data role, and
provision the role to users.

Setup and Maintenance Work Area > Manage Document Type Security Profile >
Manage Document Type Security Profiles page > Create Document Type Security
Profile
_______________________________________________________

Document Type Security Profiles Key Concepts


Some key points about document type security profiles:

• You identify one or more document types by name and indicate whether to
include or exclude those document types.

• You do not include the standard predefined document types, such as visas,
driver's licenses, and passports, in a document type security profile: access to a
person record includes access to these document types for that person.

• If you include document types, users can access only the specified document
types; the data instance set never changes unless you update the security
profile.

• If you exclude document types, users can access all document types except
those in the security profile; therefore, the data instance set may change
independently of the security profile.
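The last two points are worth seeing side by side. The model below is an added example, not Oracle code: it resolves an include-based and an exclude-based document type security profile against the document types defined in the enterprise at two points in time, so the silent widening of the exclude-based profile is visible. Document type names are constructed.

```python
"""Include vs. exclude document type security profiles (added model, not
Oracle code). An exclude-based profile's data instance set grows whenever a
new locally defined document type is created, with no change to the profile;
an include-based profile stays fixed until someone edits it.
"""


def instance_set(profile, defined_document_types):
    """Resolve a document type security profile against the document types
    currently defined in the enterprise.

    profile: {"mode": "include" | "exclude", "types": {names...}}
    """
    defined = set(defined_document_types)
    named = set(profile["types"])
    if profile["mode"] == "include":
        # Allow-list: only the named types (and only those that exist).
        return defined & named
    if profile["mode"] == "exclude":
        # Deny-list: everything defined except the named types.
        return defined - named
    raise ValueError(f"unknown mode {profile['mode']!r}")


def drift_report(profile, types_before, types_after):
    """Document types that became accessible through this profile between two
    points in time without any change to the profile itself."""
    return instance_set(profile, types_after) - instance_set(profile, types_before)


# Constructed sample data: document types at setup time, then after an
# administrator defines a new "Background Check" type.
TYPES_AT_SETUP = {"Employment Contract", "Performance Review", "Training Record"}
TYPES_LATER = TYPES_AT_SETUP | {"Background Check"}

INCLUDE_PROFILE = {"mode": "include", "types": {"Training Record"}}
EXCLUDE_PROFILE = {"mode": "exclude", "types": {"Employment Contract"}}


def demo():
    return {
        "include_drift": drift_report(INCLUDE_PROFILE, TYPES_AT_SETUP, TYPES_LATER),
        "exclude_drift": drift_report(EXCLUDE_PROFILE, TYPES_AT_SETUP, TYPES_LATER),
        "exclude_later": instance_set(EXCLUDE_PROFILE, TYPES_LATER),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {sorted(result)}")
```

A periodic drift report of this kind is a cheap control when exclude-based profiles are in use.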

Managing Legislative Data Group Security Profiles

A legislative data group security profile includes the names of one or more legislative
data groups.

Users need access to legislative data groups mainly because they manage their
definitions. If a user is responsible for all legislative data group definitions in the
enterprise, use the predefined security profile View All Legislative Data Groups.

You can secure person records by legislative data group; if you plan to do this, consider
creating a separate security profile for each legislative data group.

Setup and Maintenance Work Area > Manage Legislative Data Group Security Profile >
Manage Legislative Data Group Security Profiles page > Create Legislative Data Group
Security Profile
_______________________________________________________

Managing Country Security Profiles

A country security profile includes the names of one or more countries.

A country security profile determines which countries appear in lists of countries
presented to the user. Use the predefined security profile View All Countries unless you
want to limit the list.

Setup and Maintenance Work Area > Manage Country Security Profile > Manage
Country Security Profiles page > Create Country Security Profile
_______________________________________________________

Manage Payroll Security Profiles

Creating Payroll Security Profiles

A payroll security profile includes criteria that identify a set of payrolls.

Users need access to payrolls either because they manage their definitions or because
they perform tasks where lists of payrolls are presented to them. For example, a payroll
administrator selects a payroll when setting up a worker's payroll relationship or
submitting a payroll flow. To allow users to access payrolls, you create a payroll security
profile, include it in an HCM data role, and provision the role to users.

Setup and Maintenance Work Area > Manage Payroll Security Profile > Manage Payroll
Security Profiles page > Create Payroll Security Profile
_______________________________________________________

The sample screen above illustrates a payroll security profile containing all payrolls
used in a particular organization (InFusion). Payrolls can also be organized by:

• Period Type: For example, monthly payrolls are included in one security profile,
semiweekly payrolls in another, and so on.

• Regional Assignments: For example, payrolls run against North American
facilities are included in one security profile, while payrolls for European facilities
are contained in another.

• Individual Contributors: For example, payroll access may be restricted only to
those administrators who created and manage their definitions.

Manage Payroll Flow Security Profiles

Creating Payroll Flow Security Profiles

A payroll flow security profile includes criteria that identify a set of payroll flows.

Users need access to payroll flows either because they manage payroll flow definitions
or run payroll flows. For example, a payroll administrator selects a payroll flow when
running a QuickPay or a payroll cycle. To allow users to access payroll flows, you
create a payroll flow security profile, include it in an HCM data role, and provision the
role to users.

Setup and Maintenance Work Area > Manage Payroll Flow Security Profile > Manage
Payroll Flow Pattern Security Profiles page > Create Flow Pattern Security Profile
_______________________________________________________

The sample screen above illustrates a payroll flow security profile containing a set of
flows related to payment distribution. You might choose to organize payroll flows into
security profiles based on:

• Payroll Processing: For example, payroll administrators responsible for payroll
processing must be granted permission to submit the Payroll Cycle and
QuickPay flows.

• End of Year Reporting: Administrators responsible for End of Year reporting
must be granted permission to submit the End of Year and Archive End-of-Year
Payroll Results flows. Therefore, their payroll flow security profiles must include
the appropriate flows.

• Hiring and Terminations: Administrators responsible for hiring and terminations
must be granted permission to submit flows such as the New Hire flow and the
Termination flow.

Note: Users must also be granted access to the appropriate tasks within the flow.

Instructor Note: Notes on Activities

Note Regarding All Activities in this Guide

• Use of Implementation Projects

During an actual implementation, an implementation user typically performs
assigned tasks from their implementation project and tracks their progress as
they go. For activities in this lesson, students can run the assigned tasks from
their implementation project or launch tasks from the All Tasks tab (as described
in the activity steps). The latter is faster and works perfectly well. However, if
users want to track the completion of their setup activities, they should start
activities from their implementation project and mark them as complete when
they are done.

• Students Must Use Unique Initials in Object Names

In all activities, students are instructed to replace 'XX' with their initials in the
object names they create. If students are sharing an environment, make sure that
each student's initials are unique in the class. If necessary, tell students to
append their initials with a student number or use a middle initial.

• Each Activity Builds on the Previous One

Students will create business objects in each activity, and will use the objects
they create in subsequent activities. So it's important that they successfully
complete each one.

The activities specify the names to use for the business objects created. Instruct
students to use the specified names as it will help when referring to the objects
later on. Likewise, instruct students to enter all field values exactly as instructed,
as those values must be present for future activities.

• Environment Issues

All activities have been tested, but we have encountered intermittent problems
with the following:

User Creation - When a user is created using the Manage Users task, the user
record should be immediately available in OIM. However, sometimes there is a
lag between the time the new user record is saved and the time it shows up in
OIM. There is nothing to do here but wait.

Problem starting OIM - When using the Manage Job Roles task to access OIM,
a new browser window opens. Sometimes that window is blank and OIM does
not start. If this happens, don't wait more than a minute or two. The best thing is
to close the blank browser window and then sign out of Oracle Fusion
completely. Start Fusion again in a new browser window, and then start OIM.
This usually solves the problem right away.

Instructor Note: Activity Timing

Approximate Activity Timing: 15 minutes

Student Activity: Creating Security Profiles and Assigning to a New Data Role
Using your activity guide, do the activity specified in the title of this page.

Activity 1 Introduction
Background

When HR specialists perform tasks where lists of organizations are presented, they
must be able to select their department and should not be able to view certain restricted
departments. A new data role is required, with security profiles that restrict the data the
role can access.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.
• You must have access to an Oracle Fusion Application Vision database (or a
comparable training or test instance at your site) on which to complete this
activity.

Activity Scope

Activity 1: Creating Security Profiles and Assigning to a New Data Role
In this activity, you create two security profiles:

• An organization security profile that grants access to all departments except the
Organizational Development US department and its parent, the Human
Resources US department.

• A person security profile that grants access with the same two exclusions.

Once you have created both security profiles, you create an HCM data role, based on
the Human Resource Specialist job role, and assign the two security profiles to it.

Start Here
Oracle Fusion HCM Sign On screen

Create Organization Security Profile

1. Log in as Curtis.Feitty.

2. Navigate to the Setup and Maintenance work area.

Location: Overview page, All Tasks tab

3. In the Name field, enter Manage Organization Security Profile and click
Search.

Location: Search Results section

4. In the Manage Organization Security Profile task row, click Go to Task.

Location: Manage Organization Security Profiles page

5. In the Search Results section toolbar, click the Create icon button.

Location: Create Organization Security Profile page

6. In the Name field, enter XX Operations US.

7. In the Organization Classification section, select the Secure by Organization
Classification option.

8. Click the New (+) icon.

9. In the Classification Name field, select Department.

10. In the Organizations section, select the Secure by Organization List option.

11. Click the New (+) icon button.

12. In the Organization LOV, search for and select Human Resources US.

Information
If you search for the organization, enter Department as the Classification
Name in the Search and Select: Organization window.

13. Select the Exclude option.

14. Click the New (+) icon button again.

15. In the Organization LOV, search for and select Organizational Development
US.

16. Select the Exclude option.

17. Click Save and Close.

18. Click Done.

Create Person Security Profile

1. In the Setup and Maintenance work area, search for the Manage Person
Security Profile task.

2. In the Search Results, select the Manage Person Security Profile task row
and click Go to Task.

Location: Manage Person Security Profiles page

3. In the Search Results section toolbar, click the Create icon button.

4. In the Name field, enter XX Operations US People Only.

5. In the Workforce Structures section, select the Secure by Department option.

6. In the Secure by Department LOV, select the XX Operations US organization
security profile you created earlier.

7. Click Save and Close.

Information
Click Yes to the warning message to allow future changes, if it is displayed.

8. Click Done.

Create a Data Role and Assign Security Profiles

1. In the Setup and Maintenance work area, search for the Manage Data Role
and Security Profiles task.

2. In the Search Results, select the Manage Data Role and Security Profiles
task row and click Go to Task.

Location: Manage Data Roles and Security Profiles page

3. In the Search Results section toolbar, click the Create icon button.

Location: Create Data Role: Select Role page

4. In the Data Role field, enter XX HR Spec Data.

Information
The name cannot exceed 55 characters.

5. In the Job Role field, search for and select Human Resource Specialist.

Information
The job role selection affects which security profiles you can assign to the role.
For example, selection of the Human Resource Analyst job role will not allow you
to control security of the payroll flow, since that is not part of the job.

6. Click Next.

Location: Create Data Role: Security Criteria page

7. In the Organization section, select the organization security profile you created
in this activity (XX Operations US).

8. In the Person section, select the person security profile you created in this
activity (XX Operations US People Only).

9. In all other sections, search for and select any one of the predefined View All
options.

10. Click Review.

11. Click Submit.

Location: Manage Data Roles and Security Profiles page

12. Search for the data role you just created. (Enter XX HR Spec Data in the Role
field, and click Search.)

13. In the Search Results, verify that the Security Profiles Assigned column
displays a green checkmark.

14. Click Done.

Assigning Security Profiles to Existing Roles

To assign security profiles to an existing role, use the Manage Data Roles and
Security Profiles task. Search for and select the role for editing. On the Assign Data
Role: Role Details page, click Next to display the Assign HCM Data Role: Select
Security Criteria page. This page shows the types of security profiles currently used by
the selected role.

Make any necessary changes to the security criteria, and click Next. The series of
pages displayed when you assign security profiles to an existing data role is the same
as when you assign profiles to a new data role.

Click Submit on the final page to save your changes.

Editing Security Profiles

You cannot modify existing security profiles using the Manage Data Role and Security
Profiles task.

If you want to change the definition of an existing security profile, use the appropriate
task in the Setup and Maintenance work area:

• Manage Country Security Profile
• Manage Document Type Security Profile
• Manage Legislative Data Group Security Profile
• Manage Organization Security Profile
• Manage Payroll Flow Security Profile
• Manage Payroll Security Profile
• Manage Person Security Profile
• Manage Position Security Profile

Search for the profile, and then open it for editing. When you save your changes, they
are picked up immediately by any data roles that reference them.

Security Profiles Review Question 1

Which of the following is not a predefined HCM security profile?

1. View Own Record
2. View All Positions
3. View All Jobs
4. View All Document Types

Security Profiles Review Question 2

You can identify a set of person records in a person security profile by:

1. Legislative data group
2. Custom criteria
3. Person type
4. Payroll
5. All of the above

Security Profiles Review Question 3

A user who has access to a person record has access to all of the person's
assignments.

1. True
2. False

Security Profiles Questions and Answers

Which of the following is not a predefined HCM security profile?
3. View All Jobs

You can identify a set of person records in a person security profile by:
5. All of the above (legislative data group, custom criteria, person type, and payroll)

A user who has access to a person record has access to all of the person's
assignments.
1. True

Lesson 4: User and Role Provisioning

User Account Creation and Maintenance Scenarios
A customer's approach to account creation and maintenance for Oracle Fusion HCM
users depends on their existing user base, whether or not their users are shared among
multiple applications, and whether they plan to use Oracle Fusion HCM to handle their
ongoing user account management needs. There are several possible scenarios, such
as:

• The customer plans to create new users within Oracle Fusion HCM on an
ongoing basis.

In this scenario, Oracle Fusion HCM operates as a standalone system, and HCM
users are not shared with other applications in the enterprise.
At implementation time, existing users might be imported into Oracle Fusion
HCM, or a set of new users might be created when workers are loaded into
Oracle Fusion HCM.

• The customer maintains a set of users in an on-premise LDAP that
connects to multiple applications using Single Sign-On (SSO).

The customer wants to allow these existing users to access Oracle Fusion HCM
using SSO. New users are provisioned in the on-premise LDAP and copied to
Oracle Identity Manager (OIM) for use by Oracle Fusion HCM. Fusion HCM roles
are maintained in OIM.

• The customer, typically a very large company, has its own user account
and role-provisioning system.

The customer wants to use their own system, rather than Oracle Fusion HCM, to
manage all user and role provisioning for all applications in the enterprise.

Instructor Note: User Account Management Scenarios

This training focuses on the first of the three scenarios on the previous page. Single
Sign-On is covered later in this course.

User Account Provisioning

User Account Creation

• You can configure Oracle Fusion HCM to create user accounts automatically
when workers are hired using the New Hire flow.

• You can also create user accounts using the Manage Users task. This is a
quicker way of getting employees into the system than using the New Hire flow.
(There is a demonstration later in this section that illustrates this process.)

Note: Once an implementation is complete, Oracle Fusion HCM users should not
use the Manage Users task; they should use the New Hire flows, which are more
functionally rich and handle creation of key employment information required for
Oracle Fusion HCM implementations. The Manage Users task is intended for use
by Oracle Fusion Applications customers who are not implementing Oracle
Fusion HCM.

• During initial implementation, user accounts are typically migrated to Oracle
Fusion Applications using batch processes. Once you have implemented Oracle
Fusion Applications, user accounts can be automatically provisioned using
Oracle Fusion HCM tasks.

• Use the Create Implementation Users task to create implementation users.
Users created with this task are not mapped to an HR Person Type, such as
Employee or Contingent Worker. You can map an implementation user to an
employee later, however.

User Account Maintenance

• User accounts can be maintained using the Manage Users task in the Setup and
Maintenance work area and the Manage User Account task in the Person
Management work area.

• User accounts can be automatically revoked when workers are terminated
(based on account provisioning rules).

• A security administrator can reset user passwords using OIM, which is one of the
Fusion Middleware UIs used for administering Oracle Fusion Applications
security. HCM users can request a password reset from any of the following
pages:

- Manage User Account page (Navigator > Manage Users)
- My Account page (Navigator > My Account)
- User Preferences page (Personalization > Set Preferences)

Setting Enterprise-Level Options

You can define enterprise-level settings to control:

• User Creation
• Send User Name and Password
• User Account Role Provisioning
• User Account Maintenance
• Alternate Contact E-Mail Address
• Default User Name Format

To configure enterprise-wide user and role-provisioning options, use the Manage
Enterprise HCM Information task in the Setup and Maintenance work area.

Navigator > Tools > Setup and Maintenance work area > Manage Enterprise HCM
Information > Edit Enterprise page
_______________________________________________________

Enterprise-Level User and Role-Provisioning Options

User Account Creation: Controls whether user accounts are created automatically in
Oracle Identity Management (OIM) when you create a person or party record. Also
controls automatic provisioning of roles to users at account creation. Options include:

• Both person and party users: User accounts are created automatically for both
persons and party users. This is the default setting.

• Party users only: User accounts are created automatically for party users only.
Account requests for HCM users are held in the LDAP requests table, where they
are identified as Suppressed and not passed to OIM.

• None: No user accounts are created automatically.

Note: If you disable the automatic creation of user accounts for some or all
users, then you can create user accounts individually in OIM. You can also link
existing OIM user accounts to person and party records using the Manage User
Account or Manage Users tasks. Alternatively, you can use a provisioning
infrastructure other than OIM to create and manage user accounts. In this case,
you are responsible for managing the interface with Oracle Fusion HCM,
including any user-account-related updates.

User Account Role Provisioning: Controls whether to provision and deprovision roles
to users. Options include:

• Both person and party users: Roles are provisioned and deprovisioned for
both person and party users. This value is the default setting.

• Party users only: Roles are provisioned and deprovisioned for party users only.
HCM user role requests are held in the LDAP requests table, where they are
identified as Suppressed and not passed to OIM.

• None: For both person and party users, role requests are held in the LDAP
requests table, where they are identified as Suppressed and not passed to OIM.

User Account Maintenance: Controls whether OIM user accounts are maintained,
suspended, and reactivated automatically. Options include:

• Both person and party users: User accounts are maintained automatically for
both person and party users. This is the default setting.

• Party users only: User accounts are maintained automatically for party users
only. HCM user account-maintenance requests are held in the LDAP requests
table, where they are identified as Suppressed and not passed to OIM.

• None: User accounts are not maintained automatically. Person and party user
account-maintenance requests are held in the LDAP requests table, where they
are identified as Suppressed and not passed to OIM.

Note: By default, user accounts are suspended automatically when the user has
no roles and reactivated when roles are provisioned. In addition, the following
person information is sent automatically from Oracle Fusion HCM to OIM when
you update a person record: person name, work e-mail, work location address,
system person type from the primary assignment, and manager details.

Alternate Contact E-Mail Address: An enterprise-wide e-mail address to which user
names and passwords for OIM user accounts can be sent. See the next item for details
on how this address is used.

Send User Name and Password: Controls whether to send new users and their
managers an email notification when their Oracle Fusion account is accessible.

• If set to Yes, user names and passwords for new OIM user accounts are sent
automatically to the first of the following e-mail addresses that can be found for
the account:

- Alternate contact e-mail
- User's primary work e-mail
- Primary work e-mail of the user's line manager

• If set to No, no e-mails are sent. You can notify users of their user names and
passwords later by running the process Send User Name and Password E-Mail
Notifications. This process sends e-mails for all users for whom such notifications
have not yet been sent. The e-mails are sent to users or their line managers (not
to the alternate contact e-mail).

Note: The OIM Reset Password notification template must include the user ID
field if you plan to run the process Send User Name and Password E-Mail
Notifications. For more information about OIM notification templates, see the
section Modifying a Notification Template in the Oracle Fusion Middleware
Administrator's Guide for Oracle Identity Manager.

You can override the enterprise setting for individual users on the Create User or
Manage User Account page. If you set the enterprise setting to No and enable
the setting for an individual user, notifications are sent to the user's primary work
e-mail or the user's line manager (not the alternate contact e-mail).

Default User Name Format: The default user-name format to use for automatically
generated user names. Options include:

• None: The OIM user-name policy determines the format. By default, OIM uses
the person's first and last names, but this format can be changed in OIM. To
make duplicate user names unique, OIM includes either the person's middle
name or a random alphabetic character. This is the default setting.

• Party number: The party number is the user name.

• Person number: The HCM person number is the user name.

Note: The person number can be generated at various points in the Add Person
flows, which affects when the user name itself is generated. For example, if
person numbers are allocated only when a hire transaction is approved, then
user names cannot be generated sooner.
For party users who have no person number, the party e-mail is used instead
when person number is the default user name.

• Primary work e-mail: The primary work e-mail (or party e-mail, for party users)
is the user name.

If a person's party number, person number, or e-mail is not available when the
user account is requested, then the account status is Failed until the value
becomes available and the request is resubmitted. If you run the Send Pending
LDAP Requests process daily, then the request is likely to be resubmitted as
soon as possible after the value becomes available. Alternatively, for individual
requests, you can perform the Process User Account Request action on the
Manage User Account page.
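The enterprise-level options above interact at the moment a person or party record is created. The model below is an added example, not Oracle code or an Oracle API: it follows the stated rules for routing a request to OIM or holding it as Suppressed, for generating the user name under each Default User Name Format (including the Failed status when the required value does not exist yet), and for choosing the address of the user name and password e-mail. The labels "Not created" and "Requested" and all sample people and addresses are constructed.

```python
"""Added model (not Oracle code) of how the enterprise-level options in this
section shape a user-account request: whether it reaches OIM or is held as
Suppressed, which user name each Default User Name Format yields, and where
the user name and password e-mail goes. Labels other than Suppressed and
Failed, and all sample people and addresses, are constructed.
"""
from dataclasses import dataclass
from typing import Optional

OIM = "OIM"                   # request passed to Oracle Identity Manager
SUPPRESSED = "Suppressed"     # held in the LDAP requests table, not passed to OIM
NOT_CREATED = "Not created"   # constructed label: no account request at all


@dataclass
class NewUser:
    kind: str                            # "person" (HCM user) or "party"
    first_name: str
    last_name: str
    person_number: Optional[str] = None
    party_number: Optional[str] = None
    work_email: Optional[str] = None     # party e-mail for party users
    manager_email: Optional[str] = None  # line manager's primary work e-mail


def request_disposition(user, request_type, option):
    """Route an account, role or maintenance request according to the option.
    The three options share one rule: Both -> OIM for everyone; Party users
    only -> OIM for parties, Suppressed for HCM users; None -> nothing reaches
    OIM (for account creation this means no account is created at all)."""
    if option == "Both person and party users":
        return OIM
    if option == "Party users only":
        return OIM if user.kind == "party" else SUPPRESSED
    if option == "None":
        return NOT_CREATED if request_type == "account" else SUPPRESSED
    raise ValueError(f"unknown option {option!r}")


def generate_user_name(user, default_format):
    """Return the user name, or None when the value it depends on does not
    exist yet (the request is then Failed until the value appears and the
    request is resubmitted, e.g. by Send Pending LDAP Requests)."""
    if default_format == "None":
        # OIM policy: first and last name; OIM makes duplicates unique itself.
        return f"{user.first_name}.{user.last_name}"
    if default_format == "Party number":
        return user.party_number
    if default_format == "Person number":
        if user.kind == "party" and user.person_number is None:
            return user.work_email       # party e-mail stands in for the number
        return user.person_number
    if default_format == "Primary work e-mail":
        return user.work_email
    raise ValueError(f"unknown format {default_format!r}")


def account_status(user, default_format):
    """Failed while the user name cannot be generated; otherwise the request
    proceeds ("Requested" is a constructed label)."""
    return "Failed" if generate_user_name(user, default_format) is None else "Requested"


def notification_recipient(user, enterprise_send, alternate_contact=None,
                           user_override=False):
    """Address for the user name and password e-mail.
    Enterprise Send = Yes: first available of alternate contact, the user's
    primary work e-mail, the line manager's primary work e-mail. Enterprise
    Send = No but enabled for this user: same order without the alternate
    contact. Enterprise Send = No with no override: nothing is sent."""
    if enterprise_send:
        candidates = [alternate_contact, user.work_email, user.manager_email]
    elif user_override:
        candidates = [user.work_email, user.manager_email]
    else:
        return None
    return next((c for c in candidates if c), None)


def demo():
    # Constructed sample: a hire whose person number is allocated only once
    # the hire is approved, and an external party user.
    hire = NewUser("person", "Ana", "Diaz", work_email="ana.diaz@example.com",
                   manager_email="curtis.feitty@example.com")
    party = NewUser("party", "Ben", "Ortiz", party_number="300100",
                    work_email="ben@partner.example")
    results = {
        "role_request_person": request_disposition(hire, "role", "Party users only"),
        "role_request_party": request_disposition(party, "role", "Party users only"),
        "account_none": request_disposition(hire, "account", "None"),
        "status_before_number": account_status(hire, "Person number"),
        "party_name_by_person_number": generate_user_name(party, "Person number"),
        "notify_no_override": notification_recipient(hire, False),
        "notify_override": notification_recipient(hire, False, "hr@example.com", True),
        "notify_alternate": notification_recipient(hire, True, "hr@example.com"),
    }
    hire.person_number = "100200"        # hire approved: resubmit the request
    results["status_after_number"] = account_status(hire, "Person number")
    return results
```

The "status_before_number" / "status_after_number" pair is the case to watch operationally: with Person number as the default format and late person-number allocation, accounts sit in Failed until Send Pending LDAP Requests (or a manual Process User Account Request) resubmits them.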

Instructor Note: User and Role Provisioning

Some (large) customers have their own custom role-provisioning systems that they
want to use to provision Fusion HCM roles to their users instead of using the HCM role-
provisioning pages.

If a customer turns off user account role provisioning, any roles that are requested for
users using HCM pages (such as Manage User Account) are stored as pending
requests but are not actioned.

Password Policies for Cloud Customers:

Password policies (such as password length, required special characters, password
duration, challenge questions, and so on) are defaulted and cannot be changed by
HCM Cloud customers. Customers must log an SR to request that their password
policies be changed by Cloud Ops.


Provisioning Roles to Users: Overview


Role provisioning is built into Oracle Fusion HR flows. You can initiate the provisioning
and revoking of roles from within the following flows:

• Hire an Employee
• Promote Worker
• Transfer Worker

Users can self-request new roles if role mapping rules have been defined (as described
on the next page) and the user meets the specified criteria. Line managers and HR
specialists can request new roles for the people they manage and revoke existing roles
from people they manage.

Note: By default, users have no access to functions and data. To enable users to
access functions and data, you must provision roles to them.


Instructor Note: Roles Must Be Provisioned


You cannot emphasize this point too strongly: roles, even standard roles such as
Employee and Line Manager, must be provisioned to users. Hiring a person as an
employee is not the same as provisioning the Employee role to the worker; they are
separate tasks. However, often (as in this training environment) Employee and Line
Manager roles are automatically provisioned.


Defining Role-Provisioning Rules


Role-provisioning rules determine the roles that a user should have based on their HR
assignments. Also referred to as role mappings, role-provisioning rules define an
association between a set of conditions (typically assignment attribute values) and one
or more job, abstract, and data roles.

Note: You cannot assign a role to a user unless a role-provisioning rule exists for that
role and the conditions defined in the rule are met.

Use the Manage HCM Role Provisioning Rules task in the Setup and Maintenance
work area to create and manage role-provisioning rules.

Screen: Manage HCM Role Provisioning Rules > Manage Role Mappings page > Create Role
Mapping page

Key Points

• Use the Conditions area to define the conditions that must be met for the
mapping to apply.


• Use the Associated Roles section to add one or more existing roles to the
mapping rule.

• When you select a role in the Role Name field, you can see a description of the
role by hovering your mouse cursor over the role name.

• Use the checkboxes (described in detail on the following page) to determine
whether a given role can be assigned automatically, manually, or by user
request. Note that the Autoprovision option is selected by default; you must
deselect it if you do not want the role to be automatically provisioned. The
Delegation Allowed checkbox is display-only. It indicates whether the role is
enabled for delegation, as defined on the Create Data Role or Edit Data Role
page.

• When you include a delegatable role in a role mapping, users who qualify for the
role can delegate it if they have the role themselves or if the Requestable option
is selected for the role.

In the sample screen above, the conditions mean that any active employee who works
for InFusion Corp USA1 will automatically be given the Human Resource Specialist –
USA1 BU Set data role (since the Autoprovision option is selected). If the user
subsequently transfers to a different job, they will automatically lose this role.


Role-Provisioning Options
When defining role-provisioning rules on the Create Role Mapping page, you have
several provisioning options:

• Autoprovision. Provisions roles automatically to all eligible users when at least
one of their assignments is either created or updated and satisfies the role-
mapping conditions.

An automatically provisioned role is deprovisioned automatically when the user's
assignments cease to satisfy the role-mapping conditions.

• Requestable. Enables users, such as line managers and human resource
specialists, to provision roles manually to other users. Users retain roles that are
provisioned to them manually until either all their work relationships are
terminated or the roles are deprovisioned manually. Managers can provision
roles to other users using the Manage User Account action in the Person
Gallery. HR Specialists can provision roles using the Manage User Account
task in the Person Management work area.

Note: The criteria defined in the Conditions section must be satisfied by the user
who is provisioning the role to other users, not by the users who are receiving the
role.

• Self-Requestable. Enables users to request roles for themselves. Users retain
roles that they request for themselves manually until either all their work
relationships are terminated or the roles are deprovisioned manually. Workers
can request roles using the Manage User Account action in the Person Gallery
or by selecting Navigator > My Information > My Account.

• Apply Autoprovisioning. Provisions roles to users immediately, rather than
waiting until the role is provisioned automatically or requested manually.

When you click this button, all assignments and role mappings in the enterprise
are reviewed and any necessary provisioning and deprovisioning of roles occurs
immediately. You can also perform autoprovisioning from an individual user's
account, in which case only that user's assignments are reviewed and any
necessary provisioning and deprovisioning of roles for that user occur
immediately.
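The Python model below is an added example for this page, not Oracle code and not how Fusion HCM is implemented internally. It works through the provisioning options just described on the sample mapping from the previous page (an active Human Resource Specialist at InFusion Corp USA1 autoprovisioned the HR Specialist USA1 data role): autoprovisioned roles are lost on transfer, manually provisioned and self-requested roles survive re-evaluation until every work relationship is terminated, and a Requestable role's conditions are checked against the requester rather than the recipient. The assignment attributes (legal_employer, job, status), the sample mappings and the "auto"/"manual" provenance tags are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Assignment:
    """Constructed subset of an HR assignment (assumed attribute names)."""
    legal_employer: str
    job: str
    status: str = "Active"              # "Active" or "Terminated"


@dataclass
class MappedRole:
    """One row of the Associated Roles section of a role mapping."""
    name: str
    autoprovision: bool = True          # selected by default on the Create Role Mapping page
    requestable: bool = False
    self_requestable: bool = False


@dataclass
class RoleMapping:
    name: str
    conditions: Dict[str, str]          # assignment attribute -> required value; all must match
    roles: List[MappedRole]


@dataclass
class User:
    name: str
    assignments: List[Assignment]
    roles: Dict[str, str] = field(default_factory=dict)   # role name -> "auto" | "manual"


def user_qualifies(user: User, mapping: RoleMapping) -> bool:
    """True if at least one of the user's assignments satisfies every condition."""
    return any(all(getattr(a, k, None) == v for k, v in mapping.conditions.items())
               for a in user.assignments)


def apply_autoprovisioning(user: User, mappings: List[RoleMapping]) -> Tuple[list, list]:
    """Re-evaluate one user (the per-user Autoprovision Roles action).
    Auto roles are added when earned and dropped when no longer earned;
    manual roles survive unless every work relationship is terminated."""
    earned = {r.name for m in mappings if user_qualifies(user, m)
              for r in m.roles if r.autoprovision}
    all_terminated = all(a.status == "Terminated" for a in user.assignments)
    added = sorted(earned - set(user.roles))
    removed = sorted(r for r, src in user.roles.items()
                     if all_terminated or (src == "auto" and r not in earned))
    for r in removed:
        del user.roles[r]
    for r in added:
        user.roles[r] = "auto"
    return added, removed


def apply_autoprovisioning_enterprise(users: List[User], mappings: List[RoleMapping]) -> dict:
    """The Apply Autoprovisioning button: review every user in the enterprise."""
    return {u.name: apply_autoprovisioning(u, mappings) for u in users}


def _mappings_offering(mappings, role_name, option):
    """Mappings whose Associated Roles carry role_name with `option` selected."""
    return [m for m in mappings for r in m.roles if r.name == role_name and getattr(r, option)]


def provision_role(requester: User, target: User, role_name: str, mappings) -> bool:
    """Requestable provisioning: the mapping conditions apply to the requester."""
    if any(user_qualifies(requester, m)
           for m in _mappings_offering(mappings, role_name, "requestable")):
        target.roles[role_name] = "manual"
        return True
    return False


def self_request_role(user: User, role_name: str, mappings) -> bool:
    """Self-Requestable: the requesting user must satisfy the conditions."""
    if any(user_qualifies(user, m)
           for m in _mappings_offering(mappings, role_name, "self_requestable")):
        user.roles[role_name] = "manual"
        return True
    return False


# Constructed sample mappings modelled on the page's InFusion Corp USA1 example.
SAMPLE_MAPPINGS = [
    RoleMapping("Employee", {"status": "Active"}, [MappedRole("Employee")]),
    RoleMapping("HR Specialist USA1",
                {"legal_employer": "InFusion Corp USA1",
                 "job": "Human Resource Specialist", "status": "Active"},
                [MappedRole("Human Resource Specialist - USA1 BU Set", requestable=True)]),
    RoleMapping("USA1 self-service",
                {"legal_employer": "InFusion Corp USA1", "status": "Active"},
                [MappedRole("Benefits Analyst", autoprovision=False, self_requestable=True)]),
]
```

Note the asymmetry the model makes explicit: a requester who no longer satisfies a mapping cannot provision its Requestable role, but a role already provisioned manually is not withdrawn by re-evaluation, so periodic review of manually granted roles remains a manual control.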


Role-Provisioning Rules for Abstract Roles


The Securing HCM Cloud guide provides instructions for creating role mappings for the
following abstract roles:

• Employee. Automatically provisions the Employee role

• Contingent Worker. Automatically provisions the Contingent Worker role

• Line Manager. Automatically provisions the Line Manager role


Integration with New Hire Flow


Instructor Note: New Hire Process
You can demo the Hire an Employee flow to show how roles are assigned during the
new hire process. However, this process requires you to provide data in a large number
of fields in order to progress through the entire flow. It may be faster (and perfectly
adequate) to display and discuss the screens that follow, rather than doing a
demonstration.


Integration with New Hire Flow


The following screens illustrate how role provisioning is integrated into the New Hire
flow.

To meet the conditions defined in the role mapping example on the Defining Role
Provisioning Rules page below, an employee would need to work for InFusion Corp
USA1 and be assigned the job of Human Resource Specialist. You specify the
employee's legal employer on the Identification page of the Hire an Employee flow, as
shown in this figure:

Screen: Manager Resources > New Person > Hire an Employee > Identification page


New Hire Flow - Job Assignment


You specify the employee's job on the Employment Information page of the Hire an
Employee flow, as shown in this figure:

Screen: Manager Resources > New Person > Hire an Employee > Identification page > Person
Information page > Employment Information page


New Hire Flow - Role Requests


The Roles page of the flow shows the roles that will be automatically provisioned to the
employee based on the selected job, along with the Employee abstract role:

Screen: Manager Resources > New Person > Hire an Employee > Identification page >
Person Information page > Employment Information page

To manually provision additional roles to the user, click Add Role and select the role
you want to give to this user.

You can use the Manage Users or Manage User Account task to add or remove roles
from an existing user.


Tip: Role-Provisioning Strategies


During implementation, consider the following approaches to role provisioning:

• Determine the roles that all workers of a particular type must have, and
create role mappings to provision those roles automatically.

For example, to ensure that all employees have the employee role, create a role
mapping to autoprovision the role to eligible users.

• Determine the roles that all line managers must have, and create role
mappings to provision those roles automatically.

For example, if all line managers must have both the line manager role and a
locally defined Expenses Manager role, then create a role mapping to
autoprovision both of those roles to eligible users.

• Determine the roles that only some workers of a particular type will need,
and autoprovision the roles if possible.

For example, some human resource specialists may also need the benefits
analyst role. If you can autoprovision those roles based on specific conditions,
then create role mappings to provision those roles automatically. Otherwise,
decide whether workers can request those roles for themselves or whether they
must be provisioned by other users, such as line managers, and create the
appropriate role mappings.

Remember that:

• Automatic role provisioning is a time-saver and recommended for standard roles,
such as abstract roles. It is highly efficient for mass role provisioning.

• A single role mapping definition can be used to manage multiple roles and a mix
of provisioning strategies, provided that the role mapping conditions are the
same in all cases.


Implementation Users
Implementation users typically do the following:

• Administer Oracle Fusion Applications users and security
• Manage implementation projects for Oracle Fusion Applications offerings
• Set up basic enterprise structures needed to implement Oracle Fusion
Applications offerings

HCM Cloud customers are advised to create the following implementation users before
commencing their Fusion HCM implementation. Steps for creating these users are
documented in the Securing HCM Cloud guide (docs.oracle.com/cloud). In each user
name below, xx is a 2 or 3 character prefix specific to the customer.

xx_Admin

Intended for technical super users.

Has the following roles:

• IT Security Manager
• Application Implementation Consultant
• Administrators (WebLogic access)
• Application Diagnostics Administrator
• Application Diagnostics Advanced User

xxOIMAdmin

Intended for security administrators.

Has the following role:

• IT Security Manager

hcm.user

Intended for users who are performing the Oracle Fusion HCM implementation steps.
Has the following roles:

• Application Administrator
• Application Implementation Consultant
• Application Diagnostics Regular User
• Application Diagnostics Viewer

The Securing HCM Cloud guide includes instructions for creating the following
additional roles, based on which HCM services a customer has subscribed for:


• {CustomerNm}_HRAnalyst_ViewAll
• {CustomerNm}_HCMApplicationAdministrator_ViewAll
• {CustomerNm}_HRSpecialist_ViewAll
• {CustomerNm}_CompensationAdmin_ViewAll
• {CustomerNm}_CompensationMgr_ViewAll
• {CustomerNm}_PayrollAdmin_ViewAll
• {CustomerNm}_PayrollMgr_ViewAll

IMPORTANT! Application Implementation Consultant is a powerful role that has
unrestricted access to a large amount of data. Once the implementation has been
completed, this role should be revoked from all users (using the Revoke Data Role from
Implementation Users task). For ongoing maintenance of Oracle Fusion HCM setup
data, use a less powerful role, such as a data role based on the Human Capital
Management Application Administrator role or other HCM job roles, or create custom
job roles.

Other types of implementation users you might want to create are:

• Applications Implementation Project Manager. Optionally created by the IT
Security Manager user based on needs dictated by the size and organization of
the implementation team.

• Product Family Application Administrator. Created by the IT Security
Manager and used if a customer is implementing multiple Oracle Fusion products
at the same time and wants to restrict implementers to performing only setup
steps for a specific product. Each product family has its own administrator role,
such as Human Capital Management Application Administrator and Financials
Application Administrator. Each role has access to only the setup tasks for that
product family, while the Application Implementation Consultant role has access
to all Oracle Fusion Application setup tasks, including HCM, Financials, SCM,
CRM, and so on.

Note: Product family application administrator job roles do not have predefined
access to data. Customers must use the Create Data Role for Implementation
Users task to define data roles for these roles.


Instructor Note: Implementation Users for the Cloud


Starting in Release 7, no implementation users are predefined for HCM Cloud
customers.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 7 minutes


Demonstration: Creating Implementation Users


Demonstration Background
During implementation, you must create at least one initial implementation user and
give that user the ability to create other users and access other implementation tasks.

Note: When you create an implementation user, no person record is created in HR.
Only a user account is created. Use the Manage Users task or the New Hire flows to
create both a user account and an HR person that are automatically linked together.

Demonstration Scope
Demonstrate the Create Implementation Users task. Give the user two roles: IT
Security Manager and Application Implementation Consultant.

Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

1. Search for and launch the Create Implementation Users task.

Location: Oracle Identity Manager - Self Service page

Note: This task takes you automatically to the Oracle Identity Manager (OIM)
application. OIM will be discussed in detail later in this lesson.

2. Click the Administration link in the top-right corner of the page.

Location: Welcome to Identity Manager Delegated Administration page

3. Under the Users heading, click Create User.

4. Enter names in the First Name and Last Name fields.

Information
You can use any names you like here; this user won't be referenced later in the
lesson.

5. In the Organization field, search for and select Xellerate Users.

6. In the User Type field, select Non Worker.

7. Enter a User Login, such as XX_IMPLEMENTATION_USER.


8. In the Password field, enter aBc123XX.

9. Enter the password again to confirm.

10. Click Save.

11. Click the Roles tab.

12. Click Assign.

13. Enter IT in the Display Name Begins With field, and click Search.

14. Select IT Security Manager in the Search Results, and click Add.

15. Click Assign.

16. Enter Application Implementation in the Display Name Begins With field, and
click Search.

17. Select Application Implementation Consultant in the Search Results, and
click Add.

Verify Role Provisioning

1. Return to the Welcome tab, and click Advanced Search - Roles.

Location: Advanced Search: Roles page

2. Enter IT in the Display Name Begins With field, and click Search.

3. Click IT Security Manager in the Search Results.

4. Select the Members tab.

5. Confirm that your user name appears in the lists of All Members and Direct Members.

Information
The implementation user you created is not an Indirect Member, because the IT
Security Manager role was assigned directly, not through a role hierarchy or
another role that inherits the IT Security Manager role.

6. Return to the Advanced Search – Roles tab, and search for the Application
Implementation Consultant role.

7. Click Application Implementation Consultant in the Search Results.


8. Select the Members tab.

9. Verify that your user is listed as a member for this role too.

10. Close the OIM browser window, and return to the Oracle Fusion Applications
Setup and Maintenance work area. (Don't sign out; just close the browser
window.)


Instructor Note: Using the Manage Users Task Demo


You can skip the Using the Manage Users Task... demo if you prefer, as students will
perform this task in the Activity 2.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 7 minutes


Demonstration: Using the Manage Users Task to Create HR Users

Demonstration Background
The Manage Users task provides a quick alternative to the New Hire process, which
requires more information to be entered for each person.

Demonstration Scope
Use the Manage Users task to create a new user. The user will be mapped to an HR
person.

Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

1. Search for and launch the Manage Users task.

Information
You can also access this task by selecting Navigator > Manager Resources >
Manage Users.

Location: Manage Users (Search Person) page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create User page

3. In the First Name and Last Name fields, enter your own first and last name (or
any name you choose).

4. In the E-Mail field, enter XX@dummy.com.

5. In the User Name field, enter XX_TEST_USER.

6. Deselect the Send user name and password option.

7. In the Person Type field, select Employee.

Information
The Employment Information section expands to display additional fields.


8. In the Legal Employer field, select US1 Legal Entity.

9. In the Business Unit field, select US1 Business Unit.

10. In the Roles section, click the Autoprovision Roles button.

Information
The application reviews all enterprise role mappings and automatically provisions
the appropriate ones based on this user's employment information. In this
environment, the Employee abstract role is automatically provisioned to users
whose Person Type is Employee.

11. Click the Add Role button to assign a role to the user manually.

Location: Add Role page

12. Search for the data role you created in Activity 1 (XX HR Spec Data).

Note: You won't be able to find the data role because it is not yet available for
provisioning to a user. You must create a role-provisioning rule for the role before
you can assign it to a user. You will see how to do that in your next activity. Exit
the Search window and return to the Create User window.

13. Click Save and Close.

14. Click Done.

Location: Overview page in Setup and Maintenance work area

You have now demonstrated the user creation process.


Instructor Note: Notes on Activity 2


Regarding Password Policy Management

In Activity 2, students will create a user account and reset the password. An information
note in the activity references 'password policies set up in Oracle Identity Manager.'

Cloud customers do not have access to the area of OIM in which password policies are
managed. If they want to change the default password policies, they would need to
raise an SR.

Regarding the Password Reset


In a real-world environment, when a new user is created, the user gets an email with
their login credentials. In this class, we're not assigning email addresses, so we will use
the Reset Password feature in OIM to set the initial password. When the student logs on
as their new user, they must reset their password at that time.

The Reset Password option available from the Manage My Account option in Fusion
also generates and sends a new password via email, so we are unable to use that task
during class.

System Error on New Password Submission


In the Release 8 test environment, a system error occurs after the user submits the
password reset. A bug has been filed. If this error occurs during training, instruct
students to continue and log in with the new password.


Instructor Note: Activity Timing

Approximate Activity Timing: 20 minutes


Student Activity: Creating a New User and Assigning a Data Role
Using your activity guide, do the activity specified in the title of this page.


Activity 2 Introduction
Background
New user accounts can be created using the Manage Users task (in addition to the New
Hire flow). Before you can provision roles to users, you must create a role-provisioning
rule. Role-provisioning rules map one or more data roles to a set of conditions that
define which users can be assigned those roles. They also define how each role can be
provisioned.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.

• You must have access to Oracle Fusion Application Vision database (or
comparable training or test instance at your site) on which to complete this
practice.

• You must have successfully created a data role in Activity 1 (XX HR Spec Data).

Activity Scope


Activity 2: Creating a New User and Assigning a Data Role
In this activity, you create a new user and assign to it the data role you created in
Activity 1. But before you can assign the role to a user, you must create a mapping rule
for the role.

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

Create a Role Mapping Rule


In this task, you create a rule that allows the new data role to be manually provisioned
to users.

1. Search for and launch the Manage HCM Role Provisioning Rules task.

Location: Manage Role Mappings page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create Role Mapping page

3. In the Mapping Name field, enter XX Generic Mapping Rule and press Enter.

Information
Do not specify any conditions for now.

4. In the Associated Roles section, click the Add Row (+) icon button.

5. In the Role Name field, select the data role you created in Activity 1 (XX HR
Spec Data).

6. Deselect the Autoprovision option.

Information
It is very important to deselect the Autoprovision option; otherwise, every user
will get this role since you did not provide any conditions.

7. Select the Requestable option.

8. Click Save and Close, and then click OK to dismiss the Confirmation window.

9. Click Done.


Create a User
In this task, you use the Manage Users task to create a user quickly.

Note: This task is intended for creating test users. When creating real employees, use
the New Hire flow so that the full set of attributes can be captured.

1. In the Setup and Maintenance work area, search for and launch the Manage
Users task.

Location: Manage Users (Search Person) page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create User page

3. Enter the following values:

Note: Make sure that you use the specified Hire Date, as this will be important in
a later activity.

4. In the Roles section, click Autoprovision Roles.

Information
The Employee role appears in the Role Requests table.

Note: If any other roles are automatically provisioned to your user, remove them
by selecting them and clicking the X (Remove) icon button. (Roles may appear
here if other students create autoprovisioning rules for the roles they create in
training.)

5. Click Add Role.

6. Search for and select the data role you created in Activity 1 (XX HR Spec Data).

7. Click Save and Close.

8. Click Done.

Reset the User Password

In the training environment, the application can't send your new user's login credentials
via email, so you need to set an initial password in Oracle Identity Manager.

1. In the Setup and Maintenance work area, launch the Manage Job Roles task.

Information
You are taken to the Oracle Identity Manager (OIM) interface.

2. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page,
Welcome tab

3. Click Advanced Search - Users.

Location: Advanced Search: Users page

4. Search for the user you just created. (Enter search values for First Name, Last
Name, or User Login and click Search.)

5. Click the user’s name in the Search Results.

6. Click the Reset Password button.

Location: Reset Password window

Information
There are two methods for resetting a user's password: manually and
automatically (random generation). Note also that password strength is
measured by the password policies set up in Oracle Identity Manager.

7. Select the Manually change the password option.


8. Enter a new password, such as aBc123XX, and reenter to confirm.

9. Deselect the E-mail the new password to the user option.

10. Click Reset Password.

11. Close the Oracle Identity Manager browser window.

Information
You can leave this window open if you expect to return to OIM, but do not sign
out. Signing out of OIM signs you out of Oracle Fusion Applications as well.

Verify Security

1. Return to the Oracle Fusion Applications window.

2. Navigate to the Person Management work area.

Location: Search Person page

3. Click Advanced to display the Department field.

4. In the Department field, enter Human Resources US and click Search.

5. In the Search Results, verify that you (logged in as Curtis Feitty) can see people
in the Human Resources US department.

6. Do another search and verify that you can see people in the Organizational
Development US department.

7. Sign out and sign back in as the new user you created (Security.UserXX), using
the new password you just reset.

Location: Password Management window

Information
The Password Management window prompts you to reset your password, since
this is the first time you are logging on.

8. Enter the password you used in the password reset (such as aBc123XX).

9. Enter a new password, such as xYz456AA, and reenter it to confirm.

10. Select challenge questions and provide the answers (if prompted to do so on this
page).


11. Click Submit.

12. Navigate to the Person Management work area.

13. In the Keywords field, enter Operations US and click Search.

Information
You should see several people. However, none of them should be in either the
Human Resources US or Organizational Development US department.

14. Select Advanced to display the Department field.

15. In the Department field, enter Organizational Development US and click
Search.

16. Verify that you cannot see any users in this department.

17. In the Department field, enter Human Resources US and click Search.

Information
The search results should show one person, with the last name Wei. If you
access this person's information, you will see that they have two work
relationships: one with Human Resources US and one with Human Resources
CN. You can see them because of their second work relationship.

18. Sign out of Oracle Fusion Applications.


Role Delegation
Role delegation is the assignment of a role from the current owner of the role, known as
the delegator, to another user, known as the proxy. The delegation can be either for a
specified period or indefinite.

You can delegate roles to any user whose details you can access by means of a public
person security profile. This profile typically determines who you can search for in the
Person Gallery.

When you delegate a role, the proxy user can perform all tasks associated with the
delegated role on the relevant data instance set. For example, you may have a line
manager role that enables you to manage absence records for your reports. If you
delegate that role, then the proxy can also manage the absence records of your reports.
You do not lose the role while it is delegated.

The proxy user signs in to Oracle Fusion HCM using his or her own user name, but has
additional function and data privileges associated with the delegated role.


Which Roles Can I Delegate?


You can delegate any role that you have currently, provided that:

• The role is enabled for delegation.

• The assignment that qualifies you for the role does not have a future-dated
termination.
For example, if you try to delegate a role today and the assignment that matches
the role-mapping conditions (as defined in the role's role-provisioning rule) has a
future-dated end date, then you can't delegate the role.

You can also delegate any role that you can provision to other users, provided that the
role is enabled for delegation. Such roles are defined as Requestable in a role mapping
for which you satisfy the role-mapping conditions. By delegating rather than provisioning
roles to a user, you can:

• Specify a limited period for the delegation.

• Enable the proxy to access the data that you can access.

No predefined roles are enabled for delegation by default. You cannot delegate the
Employee or Contingent Worker roles. You can enable delegation for any other
predefined role. You can also enable delegation for HCM data roles, custom job roles,
and custom abstract roles.

Note: Information about whether a role can be delegated exists only in Oracle Fusion
HCM. This information is not held in or visible in Oracle Identity Manager (OIM).

Enabling a Role for Delegation


You can enable delegation when you create a role, or you can edit an existing role at
any time to enable delegation.

To enable a role for delegation, select the Delegation Allowed option on the Create
Data Role or Edit Data Role page.

Navigator > Tools > Setup and Maintenance > Manage Data Role and Security Profiles
> Create Data Role
_______________________________________________________

You can also enter a description for the role. This description is displayed on the role
mapping page, so make it as informative as possible to support role selection.

Note: If you deselect the Delegation Allowed option for an existing role, then any roles
that are currently delegated are unaffected.

Delegating a Role
Use the Roles and Approvals Delegated to Others section of the My Account page to
delegate roles.

Navigator > My Information > My Account


_______________________________________________________

In the Roles and Approvals Delegated to Others section, select the role to delegate, the
dates for the delegation, and the proxy user. Note the following about the start and end
dates:

• If both dates are today’s date, then the delegation is immediate and a request is
sent to Oracle Identity Manager (OIM) to remove the role the next time the
Send Pending LDAP Requests process runs.

• If the start date is today but the end date is either blank or in the future, then a
role request is sent immediately to OIM.

• If the start date is in the future, then a role request is sent to OIM by the Send
Pending LDAP Requests process on the delegation start date.

• If you do not enter an end date, then the delegation period is indefinite.

• If you enter an end date, then the delegation ends on that date. The request to
end the role delegation is sent to OIM by the Send Pending LDAP Requests
process on the delegation-end date.

If you delegate a role to a user who already has the role, then the role is not provisioned
to that user again. However, the data instance set that is accessible using your role is
assigned to the proxy user.

For example, if you delegate the line manager role to a user who already has the role,
then that user will be able to access your data instance set (for example, the workers in
your manager hierarchy) in addition to his or her own data set while the role is
delegated. The proxy’s My Account page shows the delegated role in the Roles
Delegated to Me section, even though only the associated data instance set has been
delegated.

Delegating Approval Tasks


When you delegate a role, you may want also to delegate any associated approval
tasks. You can delegate roles without also delegating approvals, and vice versa.

Use the Approvals Delegated to Others tab on the Roles and Approvals Delegated
to Others section of the My Account page to delegate approvals.

From here, you can create a delegation rule that specifies:

• The start and end dates for the approval delegation

• The category of approval tasks to delegate

• The user to whom the tasks are delegated

Ending Role Delegation


If you specify an end date when you delegate a role, the delegation ends on that date.
The request to end the role delegation is sent to OIM by the Send Pending LDAP
Requests process on the delegation-end date.

You can enter or update an end date at any time during the delegation period. If you
enter today’s date, the delegation ends immediately.

Role delegation ends before the specified end date if the proxy user’s assignment is
terminated.

Delegating Access to Manager Hierarchies


A proxy for a manager needs access to the records of the delegating manager’s direct
and indirect reports. To delegate access to the delegating manager’s hierarchies, you
can create a person security profile that secures data by Manager Hierarchy, and set
the Hierarchy Content attribute to one of the following:

• Delegating Manager Hierarchy: Provides access to the manager hierarchy
associated with the delegating manager. Select this value if the HCM data role is
being delegated to a user who is not a manager (and therefore has no manager
hierarchy).

• Both: Provides access to the proxy's own manager hierarchy in addition to the
hierarchy of the delegating manager. Select this value if, for example, the role is
being delegated from one line manager to another.

Navigator > Tools > Setup and Maintenance > Manage Person Security Profiles >
Create (or Edit) Person Security Profiles page
_______________________________________________________

Notes:

• If a role can be delegated and access to person records for that role is secured
by manager hierarchy, then you must set Hierarchy Content to either
Delegating Manager Hierarchy or Both.

• When a line manager role is delegated from one line manager to another, the
proxy user can manage the delegator’s reports in the Person Management work
area and Person Gallery. However, no change occurs to the proxy’s Manager
Resources dashboard because the manager hierarchy itself is unaffected by the
role delegation.

• If proxy users are in the delegating manager’s hierarchy, then they can access
their own records when Hierarchy Content is set to either Delegating Manager
Hierarchy or Both.
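The delegation rules in this lesson (which roles are delegable, when OIM requests are sent for a given start and end date, how a delegation is ended, and what a proxy who already holds the role actually gains) can be checked mechanically when auditing role definitions. The following Python model is an added example written for this guide, not Oracle code or any Oracle API: the Role and Assignment structures, the function names and the constructed dates are assumptions, while the Hierarchy Content values and the process name Send Pending LDAP Requests are taken from the text. It folds together the rules from Which Roles Can I Delegate?, Delegating a Role, Ending Role Delegation and the notes above into a few checks that could run over an exported list of roles.

```python
"""Added example (not from the Oracle course): a model of the Lesson 4 role-delegation
rules, usable as an audit helper over exported role definitions.
Role/Assignment structures, function names and dates are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Predefined roles the guide says can never be delegated.
NON_DELEGABLE = {"Employee", "Contingent Worker"}

# Hierarchy Content values the guide requires when a delegable role's person
# access is secured by manager hierarchy.
DELEGATION_HIERARCHY_CONTENT = {"Delegating Manager Hierarchy", "Both"}

SEND_PENDING = "Send Pending LDAP Requests"  # scheduled process named in the guide


@dataclass
class Role:
    """Subset of a data/abstract role definition (hypothetical structure)."""
    name: str
    delegation_allowed: bool = False            # the Delegation Allowed option
    secured_by_manager_hierarchy: bool = False  # person security profile setting
    hierarchy_content: Optional[str] = None     # e.g. "Both"


@dataclass
class Assignment:
    """The delegator's assignment that satisfies the role mapping (hypothetical)."""
    termination_date: Optional[date] = None


def delegation_problems(role: Role, assignment: Assignment, today: date) -> list[str]:
    """Reasons the delegator cannot delegate `role` today; empty list means it can."""
    problems = []
    if role.name in NON_DELEGABLE:
        problems.append(f"{role.name} can never be delegated")
    if not role.delegation_allowed:
        problems.append("role is not enabled for delegation")
    if assignment.termination_date is not None and assignment.termination_date > today:
        problems.append("qualifying assignment has a future-dated termination")
    if (role.delegation_allowed and role.secured_by_manager_hierarchy
            and role.hierarchy_content not in DELEGATION_HIERARCHY_CONTENT):
        # Configuration defect: the proxy would not see the delegator's reports.
        problems.append("Hierarchy Content must be 'Delegating Manager Hierarchy' or 'Both'")
    return problems


def delegation_requests(start: date, end: Optional[date], today: date) -> list[tuple[str, str]]:
    """(when, action) pairs for the OIM requests a new delegation generates."""
    if start < today:
        raise ValueError("a start date in the past is not covered by the guide")
    if end is not None and end < start:
        raise ValueError("end date precedes start date")
    requests = []
    if start == today:
        requests.append(("immediately", "provision role to proxy"))
    else:
        requests.append((f"{SEND_PENDING} run on {start.isoformat()}", "provision role to proxy"))
    if end is None:
        requests.append(("never (indefinite delegation)", "no removal scheduled"))
    elif end == today:
        requests.append((f"next {SEND_PENDING} run", "remove role from proxy"))
    else:
        requests.append((f"{SEND_PENDING} run on {end.isoformat()}", "remove role from proxy"))
    return requests


def end_active_delegation(new_end: date, today: date) -> str:
    """Effect of entering or updating the end date during the delegation period."""
    # The guide covers today's date; an earlier date is treated the same (assumption).
    if new_end <= today:
        return "delegation ends immediately"
    return f"delegation ends on {new_end.isoformat()} via {SEND_PENDING}"


def proxy_gains(proxy_roles: set[str], delegated_role: str, delegator_data_set: str) -> dict:
    """What the proxy receives: the role only if missing, the delegator's data set always."""
    return {
        "provision_role": delegated_role not in proxy_roles,
        "data_instance_sets_added": [delegator_data_set],
    }


if __name__ == "__main__":
    today = date(2014, 6, 2)  # constructed date for the example
    line_manager = Role("Line Manager", delegation_allowed=True,
                        secured_by_manager_hierarchy=True, hierarchy_content="Both")
    print(delegation_problems(line_manager, Assignment(), today))
    print(delegation_requests(today, None, today))
    print(proxy_gains({"Line Manager"}, "Line Manager", "delegator's manager hierarchy"))
```

Running delegation_problems over every role whose Delegation Allowed option is set is a quick way to find roles secured by manager hierarchy whose Hierarchy Content was left at a value that would hide the delegator's reports from the proxy, and to confirm that Employee and Contingent Worker were never enabled.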

Instructor Note: Demo Timing

Approximate Demonstration Timing: 7 minutes

Demonstration: Delegating the Line Manager Role


Demonstration Background
Line managers can delegate the duties associated with their line manager role if they
are not able to perform them for any reason.

Demonstration Scope
This demonstration will illustrate the following tasks involved in role delegation:

1. Create a person security profile that provides a proxy with access to both their
own and the delegator’s manager hierarchy.

2. Assign the new profile to the line manager role, and verify that the line manager
role is enabled for delegation.

Information
This change will apply to all line managers in the enterprise.

3. Log in as Jack Fisher, and delegate the line manager role to Matt Wagner, who is
a peer and also a line manager. Make the delegation immediate.

4. Log in as Matt Wagner, and verify that you can perform line manager duties on
Jack’s direct reports.

5. Log in as Jack Fisher, and end the delegation.

Demonstration Steps

Start Here
Oracle Fusion Applications Sign On screen

Create Person Security Profile to Enable Access to Delegating Manager's Hierarchy

1. Log in as Curtis.Feitty.

2. On the Navigator menu under Tools, select Setup and Maintenance.

3. Search for and select the Manage Person Security Profile task.

4. On the Manage Person Security Profiles page, click the Create icon button.

5. In the Name field, enter View Manager Hierarchy-Both_XX.

6. In the Manager Hierarchy section, select the Secure by Manager Hierarchy option.

7. In the Hierarchy Content field, select Both.

8. Click Save and Close. (Click OK to the warning message, if it appears.)

Assign the New Security Profile to Line Manager Role

1. On the Setup and Maintenance work area Overview page, search for and launch
the Manage Data Role and Security Profiles task.

Location: Manage Data Roles and Security Profiles page

2. In the Role field, enter Line Manager and click Search.

3. In the Search Results section, select the Line Manager role and click the Edit
icon button.

Location: Assign Data Role: Role Details page

4. Select the Delegation Allowed option.

5. Click Next.

Location: Assign Data Role: Security Criteria page

6. In the Person section, select the View Manager Hierarchy-Both_XX profile in
the Person Security Profile field.

7. Select the View All Payrolls profile for the Payroll Security Profile, if not already
selected.

8. Click Review and then Submit.

Delegate the Line Manager Role

1. Log out and log back in to the HCM Simplified UI as Jack Fisher.

2. On the Navigator menu under My Information, select My Account.

3. In the Roles and Approvals Delegated to Others section, click the Create icon
button on the Roles Delegated to Others tab.

4. In the Role Name field, search for and select the Line Manager role.

5. In the Start Date field, enter today’s date and leave the End Date field blank.

6. In the Delegated To field, search for and select Matt Wagner.

7. On the Manage User Account page, click Save and then click OK to confirm.

Information
When the role request is sent to OIM, the request appears in the Role Requests
in the Last 30 Days section of the proxy's My Account page. When the role
request succeeds, the role appears in both the Roles Delegated to Me section
and the Current Roles section of the proxy's My Account page. Proxy users can
delete current and future-dated delegated roles from the Roles Delegated to Me
section.

Verify the Role Delegation

1. Log out and log back in as Matt.Wagner.

2. On the Navigator menu under My Information, select My Account.

3. Verify that the delegated role is listed in the Roles Delegated to Me section.

4. On the Navigator menu, select Person Gallery. (Ignore any warning that
appears.)

5. On the Search tab, enter Mark Winterling.

6. Click Mark's name in the Search Results.

Information
As you can see in the left panel, Mark’s manager is Jack Fisher. However, Matt
can now perform all of the line manager duties listed under the Actions heading
for Mark. If you logged in as Jack Fisher, you would see that Jack still has all the
line manager duties as well.

End the Role Delegation

1. Log out and log back in as Jack.Fisher.

2. On the Navigator menu under My Information, select My Account.

3. In the Roles and Approvals Delegated to Others section, enter today's date in
the End Date field to end the delegation.

4. Click Save, and click OK to confirm.

5. Sign out.

User and Role Provisioning Review Question 1


Roles can be provisioned to users:

1. Automatically
2. By other users
3. On user request
4. All of the above

User and Role Provisioning Review Question 2


All roles in a role mapping must have the same provisioning option.

1. True
2. False

User and Role Provisioning Review Question 3


Which of the following roles can be provisioned to users directly?

1. Duty roles
2. Abstract roles
3. Job roles
4. Data roles

User and Role Provisioning Questions and Answers


Roles can be provisioned to users:
4. All of the above (automatically, by other users, and on user request)

All roles in a role mapping must have the same provisioning option.
2. False

Which of the following roles can be provisioned to users directly?


2, 3, and 4:
2. Abstract roles
3. Job roles
4. Data roles

Lesson 5: HCM Security Management Data Stores


User Interface Overview
When performing security setup and administration tasks in Oracle Fusion Applications,
users work in user interfaces that are either native to Oracle Fusion Applications or
provided by the underlying Oracle Fusion Middleware and Oracle Database products.

Notes:

The Middleware group refers to APM as Entitlement Server, while Oracle Fusion
Applications still refers to it as APM.

Application Access Controls Governor (AACG) is used primarily by Fusion ERP.

HCM Security Management Data Stores


This figure shows where security data, managed by different Oracle applications, is
stored and shared.

Key Points

OIM Identity Store

• OIM maintains user accounts in the Oracle Fusion Applications Identity Store. It
stores the definitions of abstract, job, and data roles (enterprise roles in OIM),
and holds information about roles provisioned to users.
• Job and abstract roles created in OIM must be synchronized so that the new role
names and other attributes are available to Oracle Fusion HCM.
• You cannot view duty roles in OIM, only in APM.

APM Policy Store

• Duty roles (referred to as application roles in APM) are created in APM and
stored in the Policy Store, along with function security privileges.
• The Policy Store holds copies of users and enterprise roles stored in the Identity
Store.
• Duty roles do not have to be synchronized with HCM.

Fusion Application Database Tables

• These tables store data security policies, HCM role-provisioning rules, security
profiles, part of the data role definitions, and copies of the job and abstract roles.

Fusion Applications, OIM, and APM Terminology


Differences
OIM and APM are middleware products that are available independently of Oracle
Fusion Applications. For that reason, the terminology adopted by and used throughout
Oracle Fusion Applications is not always the same as the terminology used in OIM and
APM. It is important to understand these terminology differences as you manage
business objects in each application interface.

The following table lists the terminology used by each product when referring to
common business objects:

Data, job, and abstract roles are also referred to as enterprise roles. Application roles
are specific to a particular grouping of applications (such as Oracle Fusion HCM or
CRM).

Setup Tools and Tasks


The following tasks are used for managing HCM security data:

Oracle Fusion HCM Security Tasks

• Manage Users. Create and manage users who are mapped to persons in Oracle
Fusion HR.

• Import Worker Users. Load workers using the HCM spreadsheet loader.

• Manage Data Role and Security Profiles. Create and manage data roles and
assign security profiles to them.

• Manage [Business Object] Security Profiles. Create and manage security
profiles for all types of business objects.

• Manage User Accounts. View and manage roles associated with user accounts.

• Revoke User Accounts. Set this option for terminated employees.

Note: This option is available to HR specialists when terminating an employee
(Person Management > Personal and Employment > Manage Work Relationship
> Actions > Terminate, User Access section, Revoke User Access option).

• Manage HCM Role Provisioning Rules. Create rules for how roles can be
provisioned to users.

• Send Pending LDAP Requests. Implementers should run this scheduled
process after bulk loads of workers and schedule it to run on a frequent basis.

• Retrieve Latest LDAP Changes. Run this scheduled process as needed and
schedule it to run on a frequent basis.

• Create Data Role for Implementation Users. Create data roles for
implementation user job roles, such as the product family administrator roles,
which have no predefined data roles.

Oracle Identity Manager (OIM) Security Tasks

• Create Implementation Users. Create users, who are not mapped to persons in
Oracle Fusion HR, for the purpose and duration of implementation.

• Revoke Data Role from Implementation Users

• Provision Roles to Implementation Users

• Manage Job Roles. Create job and abstract roles; reset user passwords.

Authorization Policy Manager (APM) Security Tasks

• Manage Duties. View and manage duty roles, role hierarchies, and security
policies.

Instructor Note: Notes on Tools and Tasks


Note on Authorization Policy Manager (APM):

To create data roles for HCM, always use the Manage Data Role and Security
Profiles task in the Setup and Maintenance work area. Although APM provides the
ability to create data roles using data role templates, data role templates are rarely used
in HCM. (They are only used if you are implementing Oracle Fusion Global Payroll with
Oracle Fusion Subledger Accounting. We do deliver some HCM data role templates, but
these are no longer used.)

Access to Security Tasks


You can navigate to all Oracle Fusion Applications security tasks from the Setup and
Maintenance work area, provided by the integrated Oracle Fusion Functional Setup
Manager (FSM).

You can see most of the HCM security setup tasks by expanding the Define Security
for Human Capital Management folder:

Navigator > Tools > Setup and Maintenance work area > Define Security for Human
Capital Management task list
_______________________________________________________

To access tasks related to setting up implementation users, expand the Define
Implementation Users folder:

Navigator > Tools > Setup and Maintenance work area > Define Implementation Users
task list
_______________________________________________________

Use the Send Pending LDAP Requests and Retrieve Latest LDAP Changes
processes in the Scheduled Processes work area to synchronize HR and LDAP data.

Navigator > Tools > Scheduled Processes > Schedule New Process
_______________________________________________________

You must run the Retrieve Latest LDAP Changes process after you create a job or
abstract role so that the new role name and other attributes are available to Oracle
Fusion HCM.

Instructor Note: HCM Security Task List


Although most of the HCM security tasks are in the Define Security for Human Capital
Management folder in FSM, a few are located elsewhere, such as Define Security for
Payroll. This is because the task lists present tasks in the correct sequence within
offerings. For example, we cannot create payroll security profiles before we've created
payrolls.

Point out that OIM and APM are security administration UIs, and should be used by
security administrators, not HCM business users. The only role that has access to these
UIs is the IT Security Manager. HCM business users should use the HCM user and role
management UIs, such as Manage Users (when creating test users) and Manage User
Account.

There are no activities for this lesson.

Lesson 6: Managing Job Roles and Abstract Roles


Instructor Note: Demo Timing

Approximate Demonstration Timing: 5 minutes

Demonstration: Viewing Roles in OIM


Demonstration Background
OIM refers to data, job, and abstract roles as simply 'roles.' Role-naming conventions
allow you to distinguish between role types in OIM pages.

Demonstration Scope
Use the Manage Job Roles task to access Oracle Identity Manager and view different
types of roles.

Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged in as
Curtis.Feitty)

1. Search for and launch the Manage Job Roles task.

Location: Oracle Identity Manager - Self Service page

2. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page, Welcome tab

3. Under the Roles heading, click Advanced Search - Roles.

Location: Advanced Search: Roles page

4. In the Display Name (Begins With) field, enter H and click Search.

Information
The Search Results display both data roles and job roles. Job roles, such as
Human Resource Specialist, do not display a dash in their names. The roles with
a dash, such as HR Specialist - View All, are data roles.

Fusion role-naming conventions append _JOB at the end of a job role name and
_DATA at the end of a data role name. The internal name is created based on
the Display Name and the _JOB or _DATA suffix to distinguish between the role
types.

5. Click the Human Resource Manager job role in the Search Results.

Information
Note that the Role Category Name is HCM - Job Roles.

6. Return to the Advanced Search - Roles tab, and open the HR Analyst - View
All data role.

Information
The Role Category Name for all data roles is automatically set to Default.

7. Return to the Advanced Search - Roles tab.

8. In the Display Name (Begins With) field, enter Employee and click Search.

Information
Employee is a predefined abstract role. Abstract role names should have
_ABSTRACT at the end of the role name.

9. Click the Employee role in the Search Results.

Information
The Role Category Name is HCM - Abstract Roles.

Instructor Note: Demo Timing

Approximate Demonstration Timing: 10 minutes

Demonstration: Using OIM to Manage Roles


Demonstration Background
Viewing and managing job roles is an important part of HCM security management.
Oracle Identity Manager is used to create and manage HCM job roles.

Demonstration Scope
This demonstration looks at the data roles assigned to an existing user and shows the
job roles that are inherited by those data roles. It also demonstrates how to search for a
role and display a list of all users assigned to that role.

Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged in as
Curtis.Feitty). If the OIM window is still open from the previous demonstration, return
to the Welcome tab and start with Step 3 below.

Review the Roles Assigned to a User

1. Search for and select the Manage Job Roles task.

Location: Oracle Identity Manager - Self Service page, Welcome tab

2. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page, Welcome tab

Information
From this page, you can create new job roles, as you will see in Activity 3.

3. Click Advanced Search - Users.

4. In the Display Name field, search for Curtis Feitty, then click his name in the
Search Results.

5. Select the Roles tab to view the roles assigned to this user.

Information
This page shows all roles assigned to Curtis, including data roles, abstract roles,
and job roles (if any).

6. Click on a data role, such as Benefits Administrator - View All, and click Open.

7. Click the Hierarchy tab.

Information
Here you can see that the Benefits Administrator - View All data role inherits the
Benefits Administrator job role.

8. Click the Members tab to see all the users assigned to this data role.

9. Return to the Welcome tab, and select Advanced Search - Roles.

10. Search for the Payroll Manager job role, and then open it.

Information
Note that the attribute information and the tabs displayed for the job role are the
same as for the data role you just explored. Remember that in OIM, the term role
refers collectively to job, abstract, and data roles; the role category name, such
as HCM - Job Roles, identifies both the role type and the Oracle Fusion
Application where the role is used.

11. Click the Hierarchy tab.

Information
This job role inherits several roles, including the Functional Setups User abstract
role and the Payroll Administrator job role.

Note: When you are creating a job role, you can use this tab to add one or more
parent roles from which to inherit permissions. This is useful if you are creating a
manager job role that performs all the functions that an administrator job
performs, plus more. In this case, you would add the administrator job role as a
parent role to the manager job role.

This role hierarchy is also visible in APM, as you will see later.

12. Click the Members tab.

Information
This is useful if you need to quickly determine which users are assigned to a role.

Note: On this tab, the Member Type (for most members) is Indirect Role because
users are not directly assigned the Payroll Manager job role. They inherit it via a
data role that is based on the Payroll Administrator job role.

13. Return to the Oracle Fusion Applications window.

Important Note on Using OIM and APM


Do not use OIM to create data roles for HCM users; data roles should only be
created using the Manage Data Role and Security Profiles task. The reason for this
will become clear later when we look closely at security policies.

OIM and APM are not specific to Oracle Fusion Applications; they can be used
independently of Fusion applications. These middleware products provide capabilities
that Oracle Fusion Applications users do not need to use for HCM setup and, in fact,
should NOT use. The only tasks that users should perform in OIM and APM are those
identified on the Setup Tools and Tasks page in Lesson 5.

Oracle Identity Manager (OIM)

• Create Implementation Users
• Create Data Role for Implementation Users
• Revoke Data Role from Implementation Users
• Provision Roles to Implementation Users
• Manage Job Roles (Create job and abstract roles, reset user passwords)

Note: In on-premise implementations, users can define custom password and
username policies using OIM and directly update LDAP using command line tools. In
the Cloud, you cannot perform these tasks yourself; you must raise an SR with
Cloud Ops.

Authorization Policy Manager (APM)

• Manage Duties (View and manage role hierarchies, security policies, and
permission grants)

• Do not create new resource types, resources, entitlements, or authorization
policies.

Note: You would only create new resources, entitlements, or authorization
policies if you were building extensions to Fusion HCM, such as new ADF pages
or new ESS programs. HCM cloud customers cannot build these extensions.

• Do not manually modify data security policies, except to add custom duty roles.

Instructor Note: Demo Timing

Approximate Demonstration Timing: 10 minutes

Demonstration: Using APM to View Duty Roles


Demonstration Background
Managing duty roles is an important part of security management. Implementers may
be required to create new duty roles if the predefined ones do not meet the needs of the
enterprise. Authorization Policy Manager is used to manage duty roles and associated
security policies.

Demonstration Scope
This demonstration uses the Manage Duties task to look at existing data and job roles.
It demonstrates how to view the duties associated with job roles and where to go if you
need to add or remove duties from a role.
Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged in as
Curtis.Feitty)

1. Search for and launch the Manage Duties task.

Information
You are now viewing the Authorization Policy Manager (APM) user interface.

2. In the Application Name section, select hcm.

3. Under the Search and Create heading, click Search - External Roles.

Note: Remember that job roles, data roles, and abstract roles are all referred to
as external roles in APM.

Location: Search - External Roles page

4. In the Display Name field, enter Benefits Administrator - View All, and click
Search.

5. Select the Benefits Administrator - View All role in the Search Results, and
click Open Role.

6. Select the External Role Hierarchy tab.

Information
This page shows the job role (Benefits Administrator) inherited by the Benefits
Administrator - View All data role.

7. Click the Application Role Mapping tab.

8. Expand the hcm folder in the Display Name column.

Information
The Benefits Administrator - View All (HCM) role shown here is a special type of
application role that was automatically generated when the Benefits
Administrator - View All data role was created. This is explained in more detail in
the HCM Security Deep Dive section later in the lesson.

9. Return to the Search External Roles tab.

10. In the Display Name field, enter Benefits Administrator and click Search.

11. Select the Benefits Administrator job role in the Search Results, and click
Open Role.

12. Click the Application Role Mapping tab, and open the hcm folder.


Information
Here you can see all of the duty roles associated with the Benefits Administrator
job role. From this page, you can map additional application roles (duties) to this
job role, as you will see in the next activity.

13. Return to the Oracle Fusion Applications window.

You have demonstrated how to use APM to view and manage job roles.


Regenerating Roles
You must regenerate a data role if you make any changes to the role hierarchy that
underlies the data role (such as the duties inherited by the job role that is inherited by
the data role).

You must regenerate an abstract role if you make any changes to its role hierarchy.

Regenerating a role causes all its data security policies to be updated based on these
changes.

To regenerate a data or abstract role:

1. Launch the Manage Data Role and Security Profiles task in the Setup and
Maintenance work area.

2. Search for the role that needs to be regenerated.

3. Select the role in the Search Results, and click Edit.

Information
A flow is initiated (the same one you saw when you created a data role in the
previous activity) that allows you to view the security criteria and all assigned
security profiles.

4. Click Review, and then click Submit.

Information
When you click Submit, the security profiles assigned to the role are used to
generate the data security policies for that role.

Note: Security policies are regenerated only for the selected role. If you needed
to regenerate data security policies for multiple roles, you would have to run this
task (and click Assign) for each role.


Instructor Note: Regeneration of Data Roles


An enhancement request (ER) has been logged for a data role regeneration process
that will be more efficient.

You can demo the regeneration of a single data role, but it's actually as simple as
finding the role and pressing a few buttons. A later activity will include this as a task.


Instructor Note: Activity Timing

Approximate Activity Timing: 20 minutes


Student Activity: Creating a New Job Role


Using your activity guide, do the activity specified in the title of this page.


Activity 3 Introduction
Background
A custom job role is needed because the predefined job role has duties associated with
it that the enterprise does not want to grant to their users. The new job role will have
only three duties: Department Management Duty, Approve Transactions Duty, and
Human Resources Tree Administration Duty.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.
• You must have access to Oracle Fusion Application Vision database (or
comparable training or test instance at your site) on which to complete this
practice.

Activity Scope


Instructor Note: Notes on Activity 3

Running the Synch Process


If all students in the class share the same environment, the instructor should run the
Retrieve Latest LDAP Changes process (rather than having the individual students run
it). Tell students that they should complete the first subtask, Create a New Job Role,
and then stop. When all students have completed this subtask, the instructor should run
(and demo) the steps in the subtask, Synchronize Roles between LDAP and HCM.
When the synch process has successfully completed, students can resume with the
next subtask, Assign Duties to Your Job Role.

The synchronization process may take several minutes to complete. You can continue
clicking the Refresh button until the Status changes to Succeeded. During that time, you
can explain that the following factors impact the length of time it takes for the process to
complete:

• the number of users, roles, and grant records in Fusion
• the number of users, roles, and grants under the distinguished name (dn) search
base in LDAP
• the number of records that are out of synch

Troubleshooting Information
Regarding the troubleshooting note on Step 13 in subtask Assign Duties to Your Job
Role: When searching for the second duty role, the search results may show only the
first duty role, no matter what search criteria you enter. To resolve this issue, you must
close the Map Application Roles to External Role window, return to the Search External
Roles tab, open the duty role again, and conduct a new search.


Activity 3: Creating a New Job Role


In this activity you will create a new job role, retrieve the role information from LDAP
(synchronize between OIM and HCM), and then add three duty roles to the new job
role. This job role will be authorized to manage departments and department trees only.

Start Here

Oracle Fusion Applications Sign On page

Create New Job Role

1. Log in as Curtis.Feitty.

2. Navigate to the Setup and Maintenance work area, Overview page, All Tasks
tab.

3. Search for and launch the Manage Job Roles task.

Location: Oracle Identity Manager Self-Service page, Welcome tab

4. Click the Administration link in the top-right corner of the page.

Location: Oracle Identity Manager - Delegated Administration page,
Welcome tab

5. Under the Roles heading, click Create Role.

Location: Create Role page

6. In the Name field, enter XX_DEPT_ADMIN_JOB.

7. In the Display Name field, enter XX Dept Admin Job Role.

8. In the Role Category Name field, search and select HCM - Job Roles.

9. Click Save.

10. Close the OIM browser window.

Information
You are returned to the Oracle Fusion Applications Setup and Maintenance work
area.


Synchronize Roles between LDAP and HCM

After creating a new job role, you must run the following synchronization process so that
the job role is available to HCM tasks and UI pages, such as Manage Data Role and
Security Profiles.

Note: Only one user can run the process at a time. If you are sharing an environment
with someone else, you can run the Retrieve Latest LDAP Changes once to
synchronize all of the job roles to HCM. If all students are sharing an environment, then
the instructor should perform this task when all students are ready.

1. Navigate to the Scheduled Processes work area (under Tools).

Location: Scheduled Processes Overview page

2. If the Search Results displays a row for the Retrieve Latest LDAP Changes
process where the Status is Succeeded, select the row and click Resubmit,
then confirm. Skip to step 10.

If the process is listed with a status of Running, wait until it has completed
successfully, and then resubmit as described above. (Click the Refresh icon
button periodically to display the updated status.)

If the process is not listed, continue with the next step.

3. Click Schedule New Process.

Location: Schedule New Process window

4. Open the Name LOV and click the Search link at the bottom of the LOV list.

Location: Search and Select: Name window

5. In the Name field, enter Retrieve and click Search.

6. In the search results, select the Retrieve Latest LDAP Changes process and
click OK.

7. Click OK to dismiss the Schedule New Process window.

Location: Process Details page

8. Click Submit.

9. Click OK to confirm, and then click Close.

Location: Scheduled Processes page


10. Click the Refresh icon button.

Information
You can see the status of the process. It usually completes very quickly. While
this process is running, you can continue with the next step.

Assign Duties to Your Job Role

1. Navigate to the Setup and Maintenance work area, and launch the Manage
Duties task.

Location: Oracle Entitlements Server Authorization Management page,
Home tab

2. In the Application Name section, select hcm.

Note: This step is important. If you do not select hcm, you will not be able to
search for the HCM roles.

3. Under the Search and Create heading, click Search - External Roles.

Location: Search - External Roles page

4. In the Display Name field, search for the job role (XX Dept Admin Job Role)
you created earlier.

5. Select the role in the Search Results, and click the Open Role button.

6. Click the Application Role Mapping tab.

7. Click the + Map icon button.

Location: Map Application Roles to External Role page

8. In the Application field, select hcm.

9. In the Display Name field, enter Department Management Duty and click
Search.

10. Select the role in the Search Results, and click Map Roles.

Information
The selected role is listed under the hcm folder on the Application Role Mapping
tab.

11. Click the + Map icon button.


12. In the Application field, select hcm.

13. In the Display Name field, enter Approve Transactions Duty and click Search.

Troubleshooting Note

When searching for the second duty role, the search results may show only the
first duty role. To resolve this issue, close the Map Application Roles to External
Role tab, return to the Search External Roles tab, open the duty role again, and
conduct a new search.

14. Select the role in the Search Results, and click Map Roles.

15. Click the + Map icon button.

16. In the Application field, select hcm.

17. In the Display Name field, enter Human Resources Tree Administration Duty
and click Search. (If the search fails to return this duty role, see the
troubleshooting note in step 13.)

18. Select the role in the Search Results, and click Map Roles.

Information
You should now have 3 application roles (duties) in the hcm folder on the
Application Role Mapping tab.

19. Close the Authorization Management browser window.

Information
You are returned to the Oracle Fusion Applications window, Setup and
Maintenance work area. (As with the OIM window, you can leave the APM
window open if you plan to return; just don't sign out.)

You have now created a job role with three assigned duty roles.


Instructor Note: Activity Timing

Approximate Activity Timing: 20 minutes


Student Activity: Creating a Data Role for New Job Role and Assigning to User

Using your activity guide, do the activity specified in the title of this page.


Activity 4 Introduction
Background
After creating a new role, you typically create a mapping rule that defines criteria for
how the role can be provisioned to users. You can then assign the role to users who fit
those criteria.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.

• You must have access to Oracle Fusion Application Vision database (or
comparable training or test instance at your site) on which to complete this
practice.

• You must have successfully created a new user (Security.UserXX) in Activity 2.

• You must have successfully created a role-provisioning rule (XX Generic
Mapping Rule) in Activity 2.

• You must have successfully created a job role (XX Dept Admin Job Role) in
Activity 3.

Activity Scope


Activity 4: Creating a New Data Role and Assigning to User

In this activity you create a new data role that inherits the XX Dept Admin job role you
created in Activity 3. You also add the role to the role-provisioning rule you created in
Activity 2. Finally, you add the new role to the user you created in Activity 2.

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

Create a New Data Role for the Custom Job Role

1. Search for and launch the Manage Data Role and Security Profiles task.

Information
You used this task in Activity 1 to create a data role, so you should be familiar
with the screens and the process.

2. In the Search Results section toolbar, click the Create icon button.

3. In the Data Role field, enter XX Dept Admin - View All.

4. In the Job Role field, search for and select the custom job role you created (XX
Dept Admin Job Role).

Information
If you can't find the job role you created earlier, make sure that the
synchronization process completed successfully. Also, make sure you selected
HCM - Job Roles as the Role Category when you created the job role. If you
accepted the default role category during creation, you won't be able to find the
job role here.

5. Click Next.

6. In the Organization Security Profile field, select View All Organizations.

7. Click Next, click Review, and then click Submit.

8. Click Done.

Add the Data Role to the Existing Mapping Rule

You can add the new role to your existing mapping rule.


1. In the Setup and Maintenance work area, launch the Manage HCM Role
Provisioning Rules task.

Location: Manage Role Mappings page

2. Search for the XX Generic Mapping Rule you created in Activity 2.

3. Select the rule in the Search Results, and click the Edit icon button.

Location: Edit Role Mapping page

4. In the Associated Roles section, click the Add Row (+) icon button.

5. Search for and select the new XX Dept Admin - View All data role. (Don't select
the job role.)

6. Deselect the Autoprovision option, and select the Requestable option.

Information
If you do not select Requestable, you won't be able to assign this role to users.

7. Click Save and Close, and then click OK to confirm.

8. Click Done.

Add the Role to Your New User

1. Navigate to the Setup and Maintenance work area, and launch the Manage
Users task.

2. Search for the user you created in Activity 2 (enter the last name in the
Keywords field and click the Search icon button).

3. Click the user name in the Search Results.

Location: Edit User page

4. In the Roles section, click Add Role.

Location: Add Role window

5. Search for the XX Dept Admin - View All data role you created earlier in this
activity.

Note: If you cannot find the role you created, make sure that:

- You created a mapping rule for the role
- You selected the Requestable option for the role mapping
- The user's assignment information matches the mapping criteria

(We didn't set any criteria in our generic mapping rule, so that should not be a
problem.)

6. Select the role and click OK.

Location: Edit User page

7. In the Current Roles section, select the XX HR Spec Data role you assigned to
this user earlier, and click the X (Remove) icon button, then confirm.

8. Click Save and Close.

9. Click Done.

Verify Security Setup

1. Sign out, and sign back on as the user you created (Security.UserXX) and
whose password you reset.

2. On the Navigator menu under Workforce Management, select Workforce
Structures.

3. Verify that only the Manage Departments and Manage Department Trees
tasks are visible under Organizations. You should no longer be able to see the
HR Specialist menu options.

4. Sign out.


Instructor Note: Troubleshooting Activity 4


Troubleshooting Activity 4

If students are still seeing the full set of HR Specialist menu entries, ask them to
navigate to the My Account and check which roles their user has assigned. Their user
might have more roles than they are expecting. For example, their user might have
been automatically provisioned data roles based on HR Specialist from an earlier
activity if someone has inadvertently created automatic role-provisioning rules.


Managing Job Roles and Abstract Roles Review


Question 1
Which tool is used to create job roles?

1. Oracle Authorization Policy Manager (APM)
2. Oracle Identity Manager (OIM)
3. Oracle Fusion Functional Setup Manager (FSM)


Managing Job Roles and Abstract Roles Review


Question 2
To manage duty role hierarchies, you use:

1. Oracle Fusion HCM
2. Oracle Fusion Middleware Authorization Policy Manager (APM)
3. Oracle Identity Management (OIM)


Managing Job Roles and Abstract Roles Review


Question 3
A(n) ____ role in Oracle Fusion HCM is implemented as an application role in APM?

1. abstract
2. job
3. data
4. duty


Managing Job Roles and Abstract Roles Questions and Answers

Which tool is used to create job roles?
2. Oracle Identity Manager (OIM)

To manage duty-role hierarchies, you use:
2. Oracle Fusion Middleware Authorization Policy Manager (APM)

A(n) ____ role in Oracle Fusion HCM is implemented as an application role in
APM?
4. duty


Lesson 7: HCM Security Deep Dive


Instructor Note: Deep Dive Target Audience
The content in this lesson gets a little technical. It is intended primarily for implementers
who want to understand how data and functional security policies work. The information
in this lesson will help students understand what they see when they use the
Authorization Policy Manager (APM) to manage duties and security policies. It will also
help students understand why they must regenerate data roles after making a change to
the role hierarchy for a job or abstract role -- a step that is often omitted (and often
causes some confusion) during security setup.

If your class consists of mostly functional users, you may choose to omit this section.
Alternatively, you can allow functional users to take a break while you present this
section. Another option would be to present the activity (duty role creation) as a
demonstration, and talk through the steps rather than asking students to complete them.

If, at the beginning of this section, students become confused about data security
policies, tell them that it should become clearer as we dig deeper into the technical
details and they see how the pieces fit together. The demonstration and activity should
also help them understand the various components and their relationships.


Duty Roles in Detail


HCM duty roles typically have function security privileges and data security policies. In
the duty role pictured below:

• The Promote Worker function security privilege secures access to the Promote
Worker page.

• One data security policy determines which people can be promoted.

• Another data security policy determines which positions the person can be
promoted into.


Function Security Privileges


Looking at the function security privilege in more detail, you can see that the privilege is
securing a number of resources, or code artifacts, that comprise the worker promotion
page.


Instructor Note: Read-Only Roles


Read-Only Roles
A very small number of read-only pages are delivered under the Human Resource
Analyst role. Other pages can be configured as read-only by customizing them to hide
the Save or Submit buttons based on the user's current role.

We are actively working on improving support for read-only in a future release.


Data Security Policy Components


A data security policy comprises:

• a role
• a data security privilege
• a business object
• a condition

Data security policies are represented in the Security Reference Manuals in the
following format:

<Role> can <verb> <business object> <condition> using <data security privilege>

For example, the two data security policies in our current example would be
represented as follows:

• Human Resource Specialist can promote Person for people in their person
security profile using Promote Worker Data

• Human Resource Specialist can choose Position for positions in their
position security profile using Choosing Position Data

Note: Data security policies are published at the level of a job or abstract role,
and they take into account the duty roles that are inherited by the job and
abstract roles. This makes them more readable, as it can be difficult to
understand a data security policy if presented at the level of a duty role.


Data Security Policies


Looking at the data security policies for the worker promotion duty role, you can see that
the two policies are implemented as rows in a table called FND_GRANTS.

The conditions for duty role data security policies are usually implemented as 1=2
predicates. (A predicate is an SQL expression that evaluates to TRUE or FALSE. The
predicate is automatically added to the Where clause of any Select statements that are
issued within the Oracle Fusion HCM pages.)

The 1=2 predicate, which evaluates to FALSE, means that the Worker Promotion Duty
role, when viewed in isolation, has no access to data. The Human Resource Specialist
job role inherits this duty role, so on its own (without a data role) the job role cannot
actually promote anyone.

Data access is usually determined by FND_GRANTS rows that are generated for the
data roles to which users are assigned (as you will see later). This is why data roles
are so important!


Data Security - Application Role Creation


When you create an HR Specialist – View All data role on top of the HR Specialist job
role, several things happen.

First, a set of three new application roles is created: one for HCM, one for FSCM,
and one for CRM.

These application roles have names that are derived from the data role name.


Data Security - FND_GRANTS Generation


Next, FND_GRANTS data are generated for each of these application roles.

The FND_GRANTS generated for the new application roles are similar to the
FND_GRANTS for the original duty role, except:

• The role name references the data role, not the job role.

• The predicate value is 1=1, meaning that no restrictions are applied when the
HCM application page selects the data from the database.

In the simplified example below, the 1=1 predicate is taken from View All person and
position security profiles assigned to the data role.


Data Security - Data Role Creation


Finally, the data role is created.

The application roles and the security policies (FND_GRANTS) that were generated
earlier are linked to the data role. (All three application roles are linked, although only
one is pictured here.)

The data role is linked to the Human Resource Specialist job role. However, it is the
security policies inherited by the data role that provide access to the data.

Note: A predicate of 1=1 is the simplest of examples, used only in View All profiles. In
reality, most predicates are more complicated. For example, the predicate for the View
Own Record person security profile is shown below:


EXISTS (
  (SELECT 1 FROM PER_PERSONS P
    WHERE ROWNUM > 0
      AND P.PERSON_ID = &TABLE_ALIAS.PERSON_ID
      AND (P.PERSON_ID = (SELECT U.PERSON_ID FROM PER_USERS U
                           WHERE U.USER_GUID = FND_GLOBAL.USER_GUID)))
  UNION ALL
  SELECT 1 FROM PER_CONTACT_RELSHIPS_F R
   WHERE TRUNC(SYSDATE) BETWEEN R.EFFECTIVE_START_DATE AND R.EFFECTIVE_END_DATE
     AND R.CONTACT_PERSON_ID = &TABLE_ALIAS.PERSON_ID
     AND NOT EXISTS (SELECT 1 FROM PER_PERIODS_OF_SERVICE PS
                      WHERE PS.PERSON_ID = R.CONTACT_PERSON_ID)
     AND EXISTS (
       (SELECT 1 FROM PER_PERSONS P
         WHERE ROWNUM > 0
           AND P.PERSON_ID = R.PERSON_ID
           AND (P.PERSON_ID = (SELECT U.PERSON_ID FROM PER_USERS U
                                WHERE U.USER_GUID = FND_GLOBAL.USER_GUID))))
)


Data Security in Action

When an HCM application page issues a Select statement to retrieve data from the
database, it makes a data security privilege check by calling a data security API,
passing the following information:

• The name of the database table in which to find the data. In our example, the
table name is PER_ALL_ASSIGNMENTS_M.

• The data security privilege name. In our example, this is
PER_PROMOTE_WORKER_DATA (taken from the FUNCTION_NAME in the
FND_GRANTS row).

The data security code looks in the FND_GRANTS table for all rows that match any of
the user's roles, the table name, and the data security privilege name.

• If it finds no matches, no data is returned.

• If it finds one match, the predicate for that FND_GRANTS row is used to filter the
data that is returned. (If the predicate is 1=2, no data is returned.)

• If it finds more than one match, the predicates are OR'd together. (If any one of
them is TRUE, the result evaluates to TRUE.)

In our example of a View All data role, two predicates would be returned: 1=1 and 1=2.
When OR'd together, the end result is that the page can select data from the
assignment table with no restrictions applied.
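The lookup described above, together with the 1=2 duty-role grants and 1=1 View All grants from the FND_GRANTS Generation section, as an added, simplified in-memory model. This is example code written for this lesson, not Oracle's own code or schema: the Grant field names, the generated role names ending in _HCM, the PER_CHOOSE_POSITION_DATA privilege, the sample assignment rows and the View Own Record style predicate are all constructed for illustration (only FND_GRANTS, FUNCTION_NAME, PER_PROMOTE_WORKER_DATA and PER_ALL_ASSIGNMENTS_M come from the lesson).

```python
"""Simplified model of the FND_GRANTS data security check.

Added example, not Oracle's code. Field names, role names ending in _HCM,
PER_CHOOSE_POSITION_DATA, the sample rows and the own-record predicate are
constructed assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# In the real system a predicate is SQL text appended to the WHERE clause.
# Here each piece of text is paired with a callable that applies the same test
# to an in-memory row, so the OR'ing behaviour can be exercised offline.
PREDICATES: Dict[str, Callable[[dict, dict], bool]] = {
    "1=1": lambda row, session: True,   # View All security profile: no restriction
    "1=2": lambda row, session: False,  # duty-role placeholder: no data on its own
    # Constructed stand-in for a View Own Record style predicate: the row must
    # belong to the person of the signed-in user.
    "P.PERSON_ID=:SESSION_PERSON_ID":
        lambda row, session: row["PERSON_ID"] == session["PERSON_ID"],
}


@dataclass(frozen=True)
class Grant:
    """One FND_GRANTS row (simplified; field names are assumptions)."""
    role_name: str       # duty role, or the application role generated for a data role
    object_name: str     # database table the policy secures
    function_name: str   # data security privilege (FUNCTION_NAME in the lesson)
    predicate: str       # SQL predicate text appended to the page's WHERE clause


# Constructed sample FND_GRANTS content.
FND_GRANTS: List[Grant] = [
    # Delivered duty role: the policy exists, but 1=2 grants no data by itself.
    Grant("PER_WORKER_PROMOTION_DUTY", "PER_ALL_ASSIGNMENTS_M",
          "PER_PROMOTE_WORKER_DATA", "1=2"),
    # Application role generated for an 'HR Specialist - View All' data role.
    Grant("HR_SPECIALIST_VIEW_ALL_HCM", "PER_ALL_ASSIGNMENTS_M",
          "PER_PROMOTE_WORKER_DATA", "1=1"),
    # Application role generated for a data role built on a View Own Record profile.
    Grant("EMPLOYEE_VIEW_OWN_HCM", "PER_ALL_ASSIGNMENTS_M",
          "PER_PROMOTE_WORKER_DATA", "P.PERSON_ID=:SESSION_PERSON_ID"),
    # Same duty role, different privilege: must not match a promote-worker check.
    Grant("PER_WORKER_PROMOTION_DUTY", "PER_ALL_ASSIGNMENTS_M",
          "PER_CHOOSE_POSITION_DATA", "1=2"),
]

# Constructed rows standing in for PER_ALL_ASSIGNMENTS_M.
ASSIGNMENTS: List[dict] = [
    {"ASSIGNMENT_ID": 1, "PERSON_ID": 100},
    {"ASSIGNMENT_ID": 2, "PERSON_ID": 200},
    {"ASSIGNMENT_ID": 3, "PERSON_ID": 300},
]


def matching_grants(user_roles: Set[str], table_name: str,
                    privilege_name: str) -> List[Grant]:
    """Rows that match any of the user's roles, the table, and the privilege."""
    return [g for g in FND_GRANTS
            if g.role_name in user_roles
            and g.object_name == table_name
            and g.function_name == privilege_name]


def build_predicate(user_roles: Set[str], table_name: str,
                    privilege_name: str) -> Optional[str]:
    """WHERE-clause fragment the data security check would add.

    None means no grant matched, so the page gets no data at all. Several
    matches are OR'd together: one TRUE predicate is enough to see a row.
    """
    grants = matching_grants(user_roles, table_name, privilege_name)
    if not grants:
        return None
    if len(grants) == 1:
        return grants[0].predicate
    return " OR ".join(f"({g.predicate})" for g in grants)


def secured_select(user_roles: Set[str], session: dict, table_name: str,
                   privilege_name: str,
                   rows: Optional[List[dict]] = None) -> List[int]:
    """Apply the OR'd predicates to the rows; returns the visible ASSIGNMENT_IDs."""
    rows = ASSIGNMENTS if rows is None else rows
    grants = matching_grants(user_roles, table_name, privilege_name)
    return [row["ASSIGNMENT_ID"] for row in rows
            if any(PREDICATES[g.predicate](row, session) for g in grants)]


if __name__ == "__main__":
    table, priv = "PER_ALL_ASSIGNMENTS_M", "PER_PROMOTE_WORKER_DATA"
    for roles in ({"PER_WORKER_PROMOTION_DUTY"},
                  {"PER_WORKER_PROMOTION_DUTY", "HR_SPECIALIST_VIEW_ALL_HCM"},
                  {"PER_WORKER_PROMOTION_DUTY", "EMPLOYEE_VIEW_OWN_HCM"}):
        print(sorted(roles), build_predicate(roles, table, priv),
              secured_select(roles, {"PERSON_ID": 200}, table, priv))
```

The duty role alone yields the predicate 1=2 and an empty result; adding the View All application role yields (1=2) OR (1=1) and every row; adding the own-record role instead yields only the row whose PERSON_ID matches the session. This is why the lesson stresses that it is the data role's generated grants, not the duty or job role, that actually provide data access.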


Instructor Note: Demo Timing

Approximate Demonstration Timing: 15 minutes


Demonstration: Viewing Security Policies


Demonstration Background
Viewing the security policies associated with duty roles can help you understand an
important part of the HCM security model.

Demonstration Scope
Use the Manage Duties task in the Setup and Maintenance work area to access APM,
where you can view duties and their associated data and function security policies.

Demonstration Steps

Start Here
Login screen

1. Log in as HCM_IMPL.

2. Navigate to the Setup and Maintenance work area, and launch the Manage
Duties task.

Location: Authorization Management page

3. In the Application Name section, select hcm.

4. Select Search under Application Roles.

Information
Remember that duty roles are referred to as application roles in APM.

Location: Role Catalog page

5. In the Display Name field, enter Worker Promotion Duty and click Search.

6. In the Search Results, select the Worker Promotion Duty role and click the
Open icon button.

Viewing Functional Security Policies

1. Click Find Policies in the upper-right-hand corner of the screen, and then select
Default Policy Domain.

2. Review the policies listed on the Functional Policies tab.


Information
This role has only one function security policy: Policy for Worker Promotion Duty.
It controls access to this function from the Oracle Fusion HCM menus and work
areas.

3. To view the code artifacts that are secured using this function security policy, go
back to the Home tab (but don't close this tab).

4. Select hcm in the Application Name field, and then click Search under
Entitlements.

Location: Search Entitlements page

Note: Remember that, in APM terminology, an entitlement equates to an Oracle
Fusion Applications function security privilege.

5. In the Display Name field, enter Promote Worker and click Search.

6. Select the Promote Worker entitlement in the Search Results, and click the
Open icon button.


Information
The code artifacts that are secured against this entitlement are shown in the
Resources section of the page.

7. Return to the Search Authorization Policy tab. (The Worker Promotion Duty
role should still be displayed.)

Viewing Data Security Policies in APM

1. Select the Data Security tab, and review the data security policies for this role.


Information
This role has several data security policies: Choose Department, Choose
Position, Promote Worker, and so on. These policies provide access to all of the
different types of data that a user must view, select, or manage when performing
the Worker Promotion Duty.

As you can see, managing data security policies can be very complex. However,
if you use the delivered duty roles as building blocks when defining custom job
roles in HCM, then security policies are generated automatically for you. You do
not need to manage them manually in APM.

2. In the right-hand corner of the Actions column header, click the Sort
Descending icon button to resort the column.

Information
This just makes it easier to find the role, as the list is very long.

3. Select the Promote Worker row, and click the Edit icon button.

Location: Data Security Policy: Edit page


4. Select the Rule tab.

Information
This tab shows the condition for the privilege. When expanded, the condition is:

Access the person assignment for table PER_ALL_ASSIGNMENTS_M for
persons and assignments in their person and assignment security profile.

This tab does not show the SQL predicate. To view the SQL predicate, you must
navigate to the data security policy from a different direction.

5. Return to the Home tab, and click Search - Policies under the Search and
Create heading.

Location: Search Policies tab

6. Click the Database Resource button at the top of this tab.

Location: Manage Database Resources and Policies page

7. In the Display Name field, enter Person Work Terms Assignment and click
Search.

Information
The Search Results lists all of the data security policies for the
PER_ALL_ASSIGNMENTS_M database table.

8. In the PER_ALL_ASSIGNMENTS_M: Policies Details section, click the Detach
button.

Location: Detached Table page

Note: Detaching the table makes it easier to browse and navigate, and allows
you to view the SQL predicate in the condition.

9. Right-click the Role column header, and select Sort > Descending.

10. Scroll down to the PER_WORKER_PROMOTION_DUTY role (there are two rows),
and select the row with the Description: Worker promotion duty can search
worker... (The Policy column for this role displays Grant on Person
Assignment.)

11. Click the Edit icon button.

Location: Edit Data Security: PER_ALL_ASSIGNMENTS_M page

12. Select the Condition tab.

Information
Note the SQL predicate for the condition in the first row. The other conditions on
the Conditions tab are generated from security profiles. The condition Display
Name includes the security profile name.

13. Select the first condition, and click the Edit icon button.

Information
You can view the full condition details here. Note the SQL Predicate value of
1=2, as discussed previously.

IMPORTANT!
Don't edit the conditions! The conditions for HCM data security policies are
generated automatically from security profiles and should not be changed.

14. Click Cancel.

15. Close the APM browser window and return to the Oracle Fusion Applications
window.

Creating a BI Publisher Report to View Data Security Policies

You can also use BI Publisher to generate a list of all data security policies that match a
set of criteria. This method requires a little setup, but once you've performed those
steps, you can run the report as needed. Follow these steps to create a data model, and
then create a report using that data model.

Note:
Make sure you are logged in as hcm_impl. Curtis Feitty does not have adequate
privileges to perform these steps.

Create the Data Model

1. On the Navigator menu under Tools, select Reports and Analytics.

Location: Reports and Analytics page, Search tab

2. In the left panel, click the Browse Catalog icon button.

Location: Catalog page

3. In the Catalog page toolbar, click the New icon button and then select Data
Model under Published Reporting.

Location: Untitled page, Diagram tab

4. On the Diagram tab, click the New Data Set icon button, and then select SQL
Query.

Location: New Data Set - SQL Query window

5. In the Name field, enter XX_FND_GRANTS.

6. In the Data Source field, select ApplicationDB_FSCM.

7. In the SQL Query field, enter the following Select statement:

select
g.role_name,
o.obj_name,
f.function_name data_security_privilege,
i.display_name condition_name,
i.predicate
from
fusion.fnd_menus m
, fusion.fnd_menu_entries me
, fusion.fnd_form_functions_vl f
, fusion.fnd_objects_vl o
, fusion.fnd_object_instance_sets_vl i
, fusion.fnd_grants g
, fusion.fnd_appl_taxonomy p
, fusion.fnd_appl_taxonomy pf
, fusion.fnd_appl_taxonomy_hierarchy h
where g.object_id = o.object_id
and f.object_id = o.object_id
and g.menu_id = m.menu_id
and m.menu_id = me.menu_id
and me.function_id = f.function_id
and g.module_id = p.module_id
and h.target_module_id = pf.module_id
and h.source_module_id = p.module_id
and i.instance_set_id (+) = g.instance_set_id
and pf.module_name = 'HCM'

8. Click OK.

Information
Two dialog boxes appear: Global Level Functions and G_1.

9. In the G_1 box, click the Menu icon button in the box header and select
Properties.

Location: Edit Properties window

10. Change the Group Name and Display Name to XX_FND_GRANTS, and click
OK.

11. Select the Data tab, and then click View.

Information
After processing completes, the tree view for your data model appears.

12. Click Save as Sample Data, and click OK to confirm.

13. In the menu bar at the top of the page, click the Save icon button.

Location: Save As window

14. In the Name field, enter XX_FND_GRANTS_DM.

15. Click OK.

Create a Report using the Data Model

1. In the menu bar at the top of the page, click the Create Report icon button.

Location: Create Report page

2. Verify that Use Data Model is selected and the XX_FND_GRANTS_DM data
model appears in the Data Model field.

3. Verify that Guide Me is selected, and click Next.

4. On the Create Report page, select Landscape and Table.

5. Click Next.

6. Click on each of the five attributes in the Data Source panel on the left, and drag
to the [Drop Fields Here] panel on the right.

7. Deselect Show Grand Totals Row.

8. Click Next.

9. Select View Report and click Finish.

10. Save the report in MyFolders using the name XX_FND_GRANTS_REP.

11. Click OK.

Information
The report displays all data security privileges matching the Select criteria. (If an
error occurs, click Refresh.)

Define a Filter

You can adjust the filter settings for the report to search for a particular type of
security privilege.

1. With the XX_FND_GRANTS_REP open, click the Actions icon button in the top-
right corner of the page and select Edit Report.

2. Click the Edit link under the report graphic.

3. Click in the first row of the Role Name column.

Information
The Table tab appears.

4. Click the Filter icon button in the Table tab toolbar.

Location: Filter page

5. In the Data Field field, select DATA_SECURITY_PRIVILEGE.

6. In the Operator field, select is equal to.

7. In the Value field, enter PER_PROMOTE_WORKER_DATA.

8. Click OK.

Information
You may see "No Data Found: /DATA_DS...." in the sample report output. This
does not indicate a problem. It just means that the sample data that you saved for
the report does not include any FND_GRANTS rows with the
PER_PROMOTE_WORKER_DATA privilege.

9. Click the Save As icon button.

10. In the Layout Name field, enter XX_FILTERED_FND_GRANTS_REP and click
Save.

11. Click Return.

12. Click View Report, and then click the tab for the filtered report.

Information
The report should display a row for each PER_PROMOTE_WORKER_DATA
privilege.

You have demonstrated how to view security policies using BI Publisher.
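As an added example (not part of the course guide), the XX_FND_GRANTS query from the data model above reworked so that the role and privilege filters applied in the layout step become bind parameters, with a column that classifies each grant's condition the way Lesson 7 describes them. It assumes :p_role_name and :p_privilege are bind parameters you define on the data model; every table and column used is one the XX_FND_GRANTS query already uses.

```sql
-- Added example, not from the course guide: audit view over FND_GRANTS for
-- one role and/or one data security privilege. The condition_kind column
-- separates grants with no instance set, the deny-all 1=2 predicate seen
-- in Lesson 7, and conditions generated from security profiles.
-- Assumption: :p_role_name and :p_privilege are BI Publisher bind parameters.
select
  g.role_name,
  o.obj_name,
  f.function_name                              data_security_privilege,
  i.display_name                               condition_name,
  i.predicate,
  case
    when g.instance_set_id is null             then 'NO INSTANCE SET'
    when replace(i.predicate, ' ', '') = '1=2' then 'DENY ALL (1=2)'
    else                                            'CONDITION (see predicate)'
  end                                          condition_kind
from
  fusion.fnd_menus m
, fusion.fnd_menu_entries me
, fusion.fnd_form_functions_vl f
, fusion.fnd_objects_vl o
, fusion.fnd_object_instance_sets_vl i
, fusion.fnd_grants g
, fusion.fnd_appl_taxonomy p
, fusion.fnd_appl_taxonomy pf
, fusion.fnd_appl_taxonomy_hierarchy h
where g.object_id = o.object_id
and f.object_id = o.object_id
and g.menu_id = m.menu_id
and m.menu_id = me.menu_id
and me.function_id = f.function_id
and g.module_id = p.module_id
and h.target_module_id = pf.module_id
and h.source_module_id = p.module_id
and i.instance_set_id (+) = g.instance_set_id
and pf.module_name = 'HCM'
-- e.g. PER_WORKER_PROMOTION_DUTY; leave the parameter null for every HCM role
and g.role_name = nvl(:p_role_name, g.role_name)
-- e.g. PER_PROMOTE_WORKER_DATA; leave the parameter null for every privilege
and f.function_name = nvl(:p_privilege, f.function_name)
order by g.role_name, o.obj_name, f.function_name, i.display_name
```

Use it as the SQL Query of a new data set in the same way as XX_FND_GRANTS; running it with both parameters null reproduces the unfiltered report, plus the classification column.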

Security Deep Dive Review Question 1


If you make changes to a job role or any of its duty roles, you must:

1. Delete all data roles based on the job role and recreate them
2. Regenerate all the data roles that inherit the job role
3. Reassign security profiles to all data roles that inherit the job role

Security Deep Dive Review Question 2


A data security policy consists of:

1. A role and a privilege
2. A business object and a condition
3. All of the above

Security Deep Dive Questions and Answers


If you make changes to a job role or any of its duty roles, what must you do:
2. Regenerate all the data roles that inherit the job role
OR
3. Reassign security profiles to all data roles that inherit the job role

It is the process of reassigning security profiles (using the Manage Data Role and
Security Profiles task and the Assign action) that regenerates the data roles and
associated security privileges and policies. The reason that #3 also applies is because if
you add new duty roles to a job role, that could require additional security profiles to be
assigned to the data role.

A data security policy consists of:

3. All of the above

There are no activities for this lesson

Lesson 8: Managing Duty Roles


Instructor Note: Activity Timing

Approximate Activity Timing: 30 minutes

Student Activity: Creating a Custom Duty Role


Using your activity guide, do the activity specified in the title of this page.

Activity 5 Introduction
Background
A new duty role is required because the predefined duty role has more function security
privileges and data security policies than you want the role to have in your enterprise.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.

• You must have access to Oracle Fusion Application Vision database (or
comparable training or test instance at your site) on which to complete this
practice.

• You must have successfully created a job role (XX Dept Admin) in Activity 3.

Activity Scope

Activity 5: Creating a Custom Duty Role


In this activity, you create a custom duty role, using a predefined role as a reference.
You add data and function security policies to the role and then add the new duty role to
the job role you created in Activity 3. Finally, you generate the data security policies for
the roles that inherit this new duty.

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

Create the New Duty Role

1. Search for and launch the Manage Duties task.

Location: Authorization Management page

2. In the Application Name section, select hcm.

3. Under the Application Roles heading, click New.

4. In the Display Name field, enter XX Department Duty.

5. In the Role Name field, enter XX_DEPT_DUTY.

6. Click Save.

Add Function Security Privileges to the Role

1. Click the Create Policy button in the top-right corner of the tab, and select
Default Policy Domain.

Location: Untitled page

2. In the Display Name field, enter XX Policy for XX Department Duty.

Information
Predefined security policies use the naming format: Policy for <duty role name>.

3. In the Name field, enter XX_DEPT_DUTY_POL.

4. In the Targets section, click the Add Targets (+) icon button.

Location: Search Targets page

Information
APM uses generic security terminology. In this context, a target is a function
security privilege, and a principal is a role. Thus, when a target is granted to the
principal, it means that the function security privilege is granted to the duty role.

5. In the Display Name (Starts With) field, enter Manage Department, and click
Search.

6. Select Manage Department, and click the Add Selected button (located above
the search results).

Information
The security privilege is added to the Selected Targets list.

7. Click Add Targets (at the bottom of the page), and then click Save.

Information
You have now added the Manage Department function security privilege to your
duty role.

Add Data Security Policies to the Duty Role

1. Return to the Home tab, and click Search under Application Roles.

Location: Role Catalog page

2. In the Display Name field, enter Department Management Duty and click
Search.

Information
This is the predefined duty role you will use as a reference for your custom duty
role. You want to find the data security policies assigned to that role and add
your role to them.

3. Select the role in the Search Results, and click the Open icon button.

Location: Department Management Duty page

4. In the upper-right-hand corner of the page, click Find Policies and select
Default Policy Domain.

5. In the Policies for: Department Management Duty section, select the Data
Security tab.

Information
There are three data security policies for this role.

6. Select the first data security policy.

7. Click the Edit icon button.

8. Select the Roles tab, and click the Add icon button.

Location: Select and Add: Roles page

9. Search for your new duty role. (Enter XX_DEPT_DUTY in the Role Name field,
select hcm as the Application, and then click Search.)

10. Select the XX Department Duty role, and click OK.

Information
You have now created a copy of this data security policy against your custom
duty role.

11. Click Save, and click OK to dismiss the confirmation window.

Location: Search Authorization Policies tab (which displays the Department
Management Duty role).

12. Select the second security policy on the Data Security tab, and repeat
steps 7-11.

13. Select the third (and last) security policy, and repeat steps 7-11 again.

Information
You have now created copies of these three data security policies against your
custom duty role. The duty role is complete. Take a moment now to verify that all
policies were added.

14. Return to the Home tab.

15. Select hcm in the Application Name field, and select Search under Application
Roles.

16. Search for the duty role (Display Name: XX Department Duty) and open it from
the Search Results.

17. Click Find Policies, and select Default Policy Domain.

Information
You should see one policy on the Functional Policies tab and three on the Data
Security tab.

18. Return to the Home tab.

Assign the New Duty Role to a Job Role

1. Select hcm for the Application Name, and select Search - External Roles
under the Search and Create heading.

Location: Search - External Roles page

2. Search for the XX Dept Admin Job Role you created in Activity 3.

3. Select the job role in the Search Results, and click Open Role.

4. Select the Application Role Mapping tab.

5. Remove the predefined Department Management Duty role. (Open the hcm
folder, select the role, click the Remove Roles icon button, and then confirm.)

6. Add your custom XX Department Duty role. (Click + Map, select hcm, search
for the XX Department Duty duty role, select it, and click Map Roles.)

Information
The job role now has three duties: your custom department duty role, the
Approve Transaction Duty role, and the Human Resources Tree Administration
Duty.

Generate the Data Security Policies for the Roles that Inherit this Duty Role

1. Return to Oracle Fusion Applications and navigate to the Setup and
Maintenance work area.

2. Launch the Manage Data Role and Security Profiles task.

3. Search for your XX Dept Admin - View All data role, and then click Edit.

4. Proceed through the pages in the flow until you get to the Review page, and then
click Submit.

Information
Although you did not make any changes to the data role, you must run this task
to regenerate its security policies because you changed the job role that the data
role inherits.

Note: Security policies are regenerated only for the selected role. If you needed
to regenerate data security policies for multiple data roles, you would have to run
this task (and click Edit) for each role.

5. Click Done.

Verify Your Provisioning

1. Sign out and sign back in as the user you created earlier (Security.UserXX).

2. Navigate to the Workforce Structures work area.

3. Verify that you can only see the Manage Departments task under
Organizations in the Workforce Structures work area.

4. Sign out.

Lesson 9: Tips for Implementing HCM Security


Resilience to Change
Resilience to change refers to the amount of change a system can undergo and still
operate properly within expected parameters. When this concept is applied to HCM
security management, you can see that the security model is quite robust when you
make changes to higher level objects, such as job roles. The deeper you go into the
hierarchy, the more careful you must be when making changes.

Now that you've seen the types of changes you can make, you should consider the level
of resilience associated with each type:

Most Robust

• Creating custom job roles and using existing duty roles as building blocks

Less Robust - Requires More Testing to Ensure Expected Results

• Creating custom duty roles and assigning function and data security policies

As demonstrated earlier, function and data security policies work together to
provide users with the access they need to do their job. If you create a duty role
and do not configure both types of policies correctly, the duty role will not operate
properly. Testing is required to verify expected results. The more you change and
the deeper your changes go in the hierarchy, the more testing is required and the
more complex the testing becomes.

Least Robust - Not Recommended

• Creating new resource types, resources, entitlements (function security
privileges), or authorization policies

• Manually modifying data security policies, except for adding custom duty roles

Note: It should not be necessary to create your own data security policies. When
you are creating custom duty roles, the predefined security policies should be
adequate for your needs.

Impersonation
User Impersonation
The user impersonation feature is disabled for HCM Cloud customers. It can be enabled
on request, but Oracle does not recommend its use by HCM Cloud customers. User
impersonation potentially allows the proxy user uncontrolled access to the personal data
of the user they are impersonating; the proxy user gets all of that user's roles, which is
particularly dangerous if a customer is implementing employee self-service.

Advanced Tip: Minimizing the Number of Data Roles


Consider that Mitch, David, and Linda are HR representatives for employees based in
different business units. They all perform the same job, but access different sets of data.
One way to set up security for this scenario would be to create four different data roles,
each with its own static security profile, as shown here:

Note: In this example, access to HR data is secured by business unit. However, it could
be based on legal employer, department, or any level within the organization.

Dynamic Security Profiles and Areas of Responsibility


Another approach would be to use the Areas of Responsibility feature to define the
location that each HR representative is responsible for and then create a dynamic
security profile that restricts data access based on the defined areas of responsibility.
Using dynamic security profiles and areas of responsibility, you need just two data
roles:

Defining Areas of Responsibility


To define the area of responsibility for Mitch Blum in our scenario, select USA1
Business Unit from the Business Unit field on the Create Area of Responsibility
page.

Workforce Management > Person Management > Manage Areas of Responsibility >
Manage Areas of Responsibility page > Create Area of Responsibility page

Define areas of responsibility for the other two HR specialists, David and Linda, in the
same way. For David, you must create two areas of responsibility records, one for
USA2 Business Unit and another for USA Health Business Unit.

Creating a Dynamic Security Profile


After defining areas of responsibility for all HR representatives, create a person security
profile. In the Custom Criteria section of the Create Person Security Profile page,
enter an SQL fragment that grants each HR representative access only to the person
records within the location defined in their Areas of Responsibility.

The figure below shows where the SQL fragment is entered:

Manage Person Security Profile > Manage Person Security Profiles page > Create
Person Security Profile

To secure person records by business unit, you would enter an SQL fragment similar to
the following:

EXISTS
(SELECT 1 FROM PER_ALL_ASSIGNMENTS_M A
WHERE A.ASSIGNMENT_TYPE IN('E','C','N','P')
AND A.EFFECTIVE_LATEST_CHANGE='Y'
AND TRUNC(SYSDATE) BETWEEN
LEAST(TRUNC(SYSDATE),A.EFFECTIVE_START_DATE) AND
A.EFFECTIVE_END_DATE
AND A.PERSON_ID=&TABLE_ALIAS.PERSON_ID
AND EXISTS
(SELECT 1
FROM PER_ASG_RESPONSIBILITIES B,
PER_USERS C
WHERE A.BUSINESS_UNIT_ID=B.BUSINESS_UNIT_ID
AND C.USER_GUID = FND_GLOBAL.USER_GUID
AND C.PERSON_ID = B.PERSON_ID
AND B.RESPONSIBILITY_TYPE = 'HR_REP'
AND trunc(sysdate) between B.START_DATE and nvl(B.END_DATE,sysdate)))

TIP: If, by using this feature, you reduce the number of data roles to one, you
could assign the security profiles directly to the job role (rather than creating a data
role). However, assigning security profiles directly to job roles works only if the
areas of responsibility criteria provide users with all the data access they need. In
our scenario, we want to provide some users with View All access and others with
more restricted access based on areas of responsibility. Therefore, we need two
data roles: one that uses areas of responsibility criteria and one that has a View All
security profile. Both of these data roles would be based on the same job role.

Instructor Note: Activity Timing

Approximate Activity Timing: 15 minutes

Student Activity: Defining a Dynamic Data Role


Using your activity guide, do the activity specified in the title of this page.

Activity 6 Introduction
Background
Using the Areas of Responsibility feature and defining custom criteria in a security
profile provides another way of defining data security.

Requirements

• Use the bold text for the object names, replacing the XX with your initials.

• You must have access to Oracle Fusion Application Vision database (or
comparable training or test instance at your site) on which to complete this
practice.

• You must have successfully created a user in Activity 2 (Security.UserXX).

Activity Scope

1. Define areas of responsibility for the user.

2. Create a security profile and add an SQL fragment in the Custom Criteria section
that defines security based on a user's areas of responsibility.

Activity 6: Defining a Dynamic Data Role


In this activity, you add areas of responsibility to the user you created earlier. Then you
create a security profile with custom criteria that uses areas of responsibility to define
data security.

Start Here
Login page

Define Areas of Responsibility

1. Log in as curtis.feitty.

2. On the Navigator menu under Workforce Management, select Person
Management.

Location: Search Person page

3. Search for the user you created earlier. (Enter the last name in the Keywords
field and click Search.)

4. Click the user's name in the Search Results.

Location: Manage Person page

5. In the Tasks panel, click Manage Areas of Responsibility.

Location: Manage Areas of Responsibility page

6. In the Assigned Areas of Responsibility section toolbar, click the Create icon
button.

Location: Create Area of Responsibility page

7. In the Responsibility Name field, enter US1 BU Area.

8. In the Responsibility Type field, select Human resources representative.

9. In the From Date field, select the first day of the current month.

10. In the Business Unit field, search for and select US1 Business Unit.

11. Click Submit.

12. Click Yes to confirm, and then click OK to dismiss the confirmation window.

13. Click Done.

Create Security Profile and Define Custom Criteria

1. In the Setup and Maintenance work area, launch the Manage Person Security
Profiles task.

Location: Manage Person Security Profiles page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create Person Security Profile page

3. In the Name field, enter XX Access by Areas of Responsibility.

4. In the Custom Criteria section, select the Secure by Custom Criteria option.

5. Enter the following SQL fragment in the text box:

EXISTS
(SELECT 1 FROM PER_ALL_ASSIGNMENTS_M A
WHERE A.ASSIGNMENT_TYPE IN('E','C','N','P')
AND A.EFFECTIVE_LATEST_CHANGE='Y'
AND TRUNC(SYSDATE) BETWEEN
LEAST(TRUNC(SYSDATE),A.EFFECTIVE_START_DATE) AND
A.EFFECTIVE_END_DATE
AND A.PERSON_ID=&TABLE_ALIAS.PERSON_ID
AND EXISTS
(SELECT 1
FROM PER_ASG_RESPONSIBILITIES B,
PER_USERS C
WHERE A.BUSINESS_UNIT_ID=B.BUSINESS_UNIT_ID
AND C.USER_GUID = FND_GLOBAL.USER_GUID
AND C.PERSON_ID = B.PERSON_ID
AND B.RESPONSIBILITY_TYPE = 'HR_REP'
AND trunc(sysdate) between B.START_DATE and nvl(B.END_DATE,sysdate)))

Information
This fragment restricts access to persons based on the responsibility type,
business unit, and effective date defined in the user's areas of responsibility as
well as the effective date of the worker's assignment record.

6. Click Save and Close, and then click Yes to confirm.

7. Click Done.
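As an added example (not from the course guide), a BI Publisher SQL data set that previews, per business unit, how many current assignments the custom criteria above would make visible or hidden to one named user, so the profile can be checked before it is assigned to anyone (the Verify Security task later in this activity expects US1 Business Unit visible and every other unit hidden). It assumes PER_USERS has a USERNAME column (the guide shows only USER_GUID and PERSON_ID), that :p_username is a bind parameter on the data model, and that the tables are reachable with the fusion schema prefix as in the XX_FND_GRANTS query.

```sql
-- Added example, not from the course guide: preview of the HR_REP areas of
-- responsibility criteria for one user. A row per business unit and
-- visibility, with the number of distinct persons in each bucket.
-- Assumptions: per_users.username exists; :p_username is a bind parameter
-- that stands in for FND_GLOBAL.USER_GUID, which only resolves inside the
-- signed-in user's own session.
select
  v.business_unit_id,
  v.visibility,
  count(distinct v.person_id)  persons
from (
  select
    a.person_id,
    a.business_unit_id,
    -- same inner EXISTS as the security profile's custom criteria, with the
    -- named user in place of the session user
    case when exists (
           select 1
           from   fusion.per_asg_responsibilities b,
                  fusion.per_users c
           where  a.business_unit_id = b.business_unit_id
           and    c.username = :p_username
           and    c.person_id = b.person_id
           and    b.responsibility_type = 'HR_REP'
           and    trunc(sysdate) between b.start_date
                                     and nvl(b.end_date, sysdate))
         then 'VISIBLE'
         else 'HIDDEN'
    end  visibility
  from   fusion.per_all_assignments_m a
  -- same assignment filters as the custom criteria: current, latest-change
  -- rows for employees, contingent workers, nonworkers and pending workers
  where  a.assignment_type in ('E','C','N','P')
  and    a.effective_latest_change = 'Y'
  and    trunc(sysdate) between least(trunc(sysdate), a.effective_start_date)
                            and a.effective_end_date
) v
group by v.business_unit_id, v.visibility
order by v.business_unit_id, v.visibility
```

For Security.UserXX after step 11 of Define Areas of Responsibility, only the US1 Business Unit row should show VISIBLE; a VISIBLE row for any other unit means the user holds an HR_REP area of responsibility you did not intend.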

Define Dynamic Data Role


In this task, you create a data role that uses the dynamic security profile you just
created.

1. In the Setup and Maintenance work area, launch the Manage Data Role and
Security Profiles task.

Location: Manage Data Roles and Security Profiles page

2. In the Search Results section toolbar, click the Create icon button.

Location: Create Data Role page

3. In the Data Role field, enter XX HR Rep Dynamic Data.

4. In the Job Role field, select Human Resource Specialist.

5. Click Next.

6. In the Person section, select the XX Access by Areas of Responsibility profile
you created earlier.

7. In all other sections, select one of the View All profiles.

8. Click Next, then click Review, and finally Submit.

Add Role to Existing Role Mapping Rule

Rather than create a new mapping rule, you can add the new role to your existing
mapping rule.

1. In the Setup and Maintenance work area, launch the Manage HCM Role
Provisioning Rules task.

Location: Manage Role Mappings page

2. Search for the XX Generic Mapping Rule you created in Activity 2.

3. Select the rule in the Search Results, and click the Edit icon button.

Location: Edit Role Mapping page

4. In the Associated Roles section, click the Add (+) icon button.

5. Search for and select the data role you just created (XX HR Rep Dynamic Data).

6. Deselect the Autoprovision option, and select the Requestable option.

Information
If you do not select Requestable, you won't be able to assign this role to users.

7. Click Save and Close, and then click OK to confirm.

8. Click Done.

Assign the Data Role to the User


In this task, you assign the dynamic data role to your user.

1. On the Navigator menu under Manager Resources, select Manage Users.

Location: Manage Users page

2. Search for your user (by first or last name) and then select the user in the Search
Results.

Location: Edit User page

3. In the Roles section, click Add Role.

4. Select the XX HR Rep Dynamic Data role.

5. In the Current Roles section, select the XX Dept Admin - View All role you
assigned earlier and click the X icon to remove it. (If you previously assigned any
other roles, remove those too so the user has only the Employee role and the
new dynamic one you just requested.)

6. Click Save and Close.

Verify Security
While logged in as curtis.feitty, search for users in US1 Business Unit and in business
units outside the US. Then sign out and sign back in as your new user and verify that
you can only see users in US1 Business Unit.

1. On the Navigator menu under Workforce Management, select Person
Management.

Location: Search Person page

2. Click Advanced.

3. Click Add Fields and select Business Unit.

4. In the Name field, enter John.

5. In the Business Unit field, search for and select US1 Business Unit and
click Search.

Information
You should see several names in the Search Results.

6. In the Business Unit field, select Australia Business Unit and click Search.

Information
You should see several names in the Search Results.

7. Sign out and sign back in as your user (Security.UserXX).

Information
Remember to use the password you reset in Activity 2. (The activity suggested
using xYz456AA.)

8. Repeat steps 1-6 above, and verify that you can only see people in the US1
Business Unit.

Information
You should not see any people in the Australia Business Unit (or any other
business unit).

Lesson Review Questions


Lesson Review Question 1
Answer the question below given the information in the following scenario:

• An enterprise needs to create a custom employee role, because the predefined
employee abstract role allows access to several cards in the Person Gallery that
the enterprise wants to hide. The customer wants the new employee role to have
access only to the Person Gallery function and the Change Marital Status action.
They should only be able to see their own employee information.

After planning your customization, which of the following tasks would you perform first:

1. Create a custom abstract role
2. Create custom duty roles
3. Remove duty roles from the predefined abstract role

Lesson Review Question 2


Answer the question below given the information in the following scenario:

• An enterprise needs to create a custom employee role, because the predefined
employee abstract role allows access to several cards in the Person Gallery that
the enterprise wants to hide. The customer wants the new employee role to have
access only to the Person Gallery function and the Change Marital Status action.
They should only be able to see their own employee information.

After creating a new abstract role, you must synchronize data between LDAP and HCM
before you can:

1. Add duties to the abstract role
2. Create a mapping rule for the abstract role
3. Assign the abstract role to a user
4. All of the above except 1


Lesson Review Question 3


Answer the question below given the information in the following scenario:

 An enterprise needs to create a custom employee role, because the predefined
employee abstract role allows access to several cards in the Person Gallery that
the enterprise wants to hide. The customer wants the new employee role to have
access only to the Person Gallery function and the Change Marital Status action.
They should only be able to see their own employee information.

Which predefined person security profile could be used for this new employee role:

1. View Own Record
2. View All Workers
3. View Manager Hierarchy


Lesson Review Question 4


Answer the question below given the information in the following scenario:

 An enterprise needs to create a custom employee role, because the predefined
employee abstract role allows access to several cards in the Person Gallery that
the enterprise wants to hide. The customer wants the new employee role to have
access only to the Person Gallery function and the Change Marital Status action.
They should only be able to see their own employee information.

Which public person security profile could be used for this new employee role:

1. View Own Record
2. View All Workers
3. View Manager Hierarchy


Lesson Questions and Answers


After planning your customization, which of the following tasks would you
perform first:
1. Create a custom abstract role

After creating a new abstract role, you must synchronize data between LDAP and
HCM before you can:
4. All of the above except 1

Which predefined person security profile could be used for this new employee
role:
1. View Own Record

Which public person security profile could be used for this new employee role:
2. View All Workers or View Own Record.
Use the latter if you do not want to allow employees to browse the Person Gallery for
other employees.


Lesson 10: Security and HCM Reporting


OTBI Security
Oracle Fusion Transactional Business Intelligence (OTBI) is a real-time, self-service
reporting solution offered to all Oracle® Fusion application users with valid roles,
enabling them to create ad hoc analyses and use them for daily decision-making. With
Oracle BI EE as the standard Oracle query and reporting tool, and Oracle Business
Intelligence Answers and Oracle BI Dashboard as the end-user tools, business users
can perform current-state analysis of their business applications.

Constructed queries are executed in real time against the transactional schema
supported by a layer of view objects. View objects are critical in transactional business
intelligence. View objects represent facts and dimensions, implement applications data
security, and handle multilanguage support.

Subject areas are functionally secured using Fusion duty roles. The duty roles that grant
access to subject areas use the nomenclature xx Transaction Analysis Duty, where xx is
a group of similar objects. For example, Workforce Transaction Analysis Duty.

They can be found under the obi application in APM. The following screen shot shows
the duty roles in APM:


Predefined HCM roles can access subject areas as follows:

 Benefit Manager: Can access all Benefits subject areas
 Compensation Manager: Can access all Compensation subject areas
 HR Analyst: Can access Goals, Workforce Management, Workforce
Performance, Workforce Profiles, and Talent Review subject areas
 Line Manager: Can access all Workforce Management subject areas
 Payroll Manager: Can access all Payroll subject areas

Analyses will not work if the user does not have access to all the subject areas in the
report.

BI Catalog folders are functionally secured using Fusion duty roles. The duty roles that
secure access to the BI catalog folders are the same duty roles that secure access to
the subject areas. So, if a user has a role that inherits Workforce Transaction Analysis
Duty, then they can access the Workforce Management folder in the BI catalog and the
Workforce Management subject areas.

Predefined HCM roles can access OTBI folders as follows:

 Benefit Manager: Can access OTBI Benefits folders
 Compensation Manager: Can access OTBI Compensation folders
 HR Analyst: Can access BIP Goals, BIP Performance, BIP Profiles, OTBI
Career, and OTBI Workforce Management folders
 Line Manager: Can access BIP Compensation, BIP Workforce Management,
OTBI Workforce Management, and many OBIA folders
 Payroll Manager: Can access OTBI and OBIA Payroll folders

Analyses are secured based on the folders in which they are stored.

If you have not secured BI reports using the report privileges, then by default they are
secured at the folder level. You can set permissions against folders and reports in OBI
for Application Roles, Catalog Groups or Users. You can set permissions to Read,
Execute, Write, Delete, Change Permissions, Set Ownership, Run Publisher Report,
Schedule Publisher Report and View Publisher Output.


Data Security
The data that is returned in OTBI reports is secured in a similar way to how data is
returned in Fusion HCM pages, meaning that access is granted by the roles that are
linked to security profiles.

Each of the (xx) Transaction Analysis Duty roles that grants access to subject areas and
BI Catalog folders inherits one or more (xx) Reporting Data Duty roles. These are the
duty roles that grant access to the data. The reporting data duty roles are found under
the hcm application in APM.

If you create custom job roles that have access to OTBI reports, you must give your job
roles both the obi version of the transaction analysis duty roles and the hcm version of
the transaction analysis duty role so that your job role has both the function and data
security access needed to run the reports. For example, if you want your custom role to
have access to the workforce transaction analysis subject areas, ensure that it inherits
the following duty roles:

 Workforce Transaction Analysis Duty under the obi application

 Workforce Transaction Analysis Duty under the hcm application

The following figure is an example of the security for the seeded Line Manager role:


The arrows indicate inheritance. For example, the Workforce Transaction Analysis Duty
inherits Workforce Reporting Data Duty (thereby providing access to person and
assignment data), the Workforce Structures Reporting Data Duty (thereby providing
access to workforce structures), Absence Management Reporting Data Duty (providing
access to absence data), and finally Business Intelligence Authoring Duty (providing
access to various features in Oracle Business Intelligence Answers).


OBIEE Security
BI roles apply to both BI Publisher and OTBI. They grant access to functionality within
BI, for example, the ability to run or author reports. Users need one or more of these
roles in addition to the roles that grant access to reports, subject areas, BI catalog
folders, and Fusion HCM data.

BI roles include:

 BI Consumer: Enables you to run BI reports.
 BI Author: Enables you to create and edit reports.
 BI Administrator: Enables you to perform administrative tasks such as creating
and editing dashboards and modifying security permissions for reports, folders,
and so on.
 BI Publisher Data Model Developer: Enables you to create and edit BI
Publisher data models.

The BI Administrator role is a super-user role. While Oracle HCM Cloud Service
customers can add this role to a user, Oracle recommends that this is done only in a
test environment. None of the predefined HCM roles have BI Administrator access.

The BI Administrator role inherits the BI Author role, which inherits the BI Consumer
role, so users who can author reports can also run them. You can configure custom
roles that have the ability to run reports (via BI Consumer) but not author them.

The OTBI Transaction Analysis duty roles that are delivered with Fusion HCM inherit
the BI Author role. Therefore, any users with these roles are authorized to create and
edit OTBI reports, as well as run reports.

BI Publisher Data Model Developer role is inherited by the Application Developer role,
which is inherited by the Application Implementation Consultant role. So, users with
either of these predefined roles are able to manage BIP data models.


Instructor Note: Demo Timing

Approximate Demonstration Timing: 5 minutes


Demonstration: Viewing Security-Related Roles and Permissions
Demonstration Background
Viewing reporting-related roles and permissions can help you understand how OTBI
security works.

Demonstration Scope
Use the Manage Duties task in the Setup and Maintenance work area to view the
Transaction Analysis duty roles inherited by the Human Resource Analyst predefined
role.

Use the Reports and Analytics task to access the BI Catalog and view the permissions
associated with sample OTBI reports.

Demonstration Steps

Start Here
Setup and Maintenance work area, Overview page, All Tasks tab (logged on
Curtis.Feitty)

1. Launch the Manage Duties task.

Location: Authorization Management page

2. In the Application Name section, select hcm.

3. Click Search - External Roles.

Location: Search - External Roles page

4. In the Display Name field, enter Human Resource Analyst and click Search.

5. In the Search Results, select the Human Resource Analyst role and click
Open Role.

Location: Human Resource Analyst page

6. Select the Application Role Mapping tab.

7. Expand the hcm folder.

Information
Note the various Transaction Analysis Duty roles inherited by this predefined
role.

8. Expand the Absence Management Transaction Analysis Duty role.

Information
You can see two roles: Absence Management Reporting Data Duty and
Workforce Structures Reporting Data Duty.

9. Collapse the hcm folder, and expand the obi folder.

Information
Note the Transaction Analysis Duty roles here as well.

10. Expand the Absence Management Transaction Analysis Duty role.

11. Expand the BI Author Role.

Information
Note the BI Consumer Role under the author role.

12. Return to the Oracle Fusion Applications window.

13. Sign out.

Viewing Permissions for OTBI Reports in the BI Catalog

1. Sign in as HCM_IMPL (same password as Curtis.Feitty).

2. On the Navigator menu under Tools, select Reports and Analytics.

Location: Reports and Analytics page

3. In the panel on the left, click the Browse Catalog icon button.

Location: Catalog page

4. In the Folders panel, expand Shared Folders.

5. Expand the Human Capital Management folder, and then expand the Payroll
folder.

6. Click on the Transaction Analysis Samples folder to open it.

Information
A list of reports appears in the center panel.

7. Under Costing Reports in the center pane, click More and then select
Permissions.


Location: Permissions window

Information
Scroll down to see the complete list of permissions, which includes the BI
Administrator Role.

8. Click Cancel.

9. Return to the Oracle Fusion Applications window and sign out.


BI Publisher
BI Publisher is a set of tools that allows you to create highly formatted reports based on
data models. With BI Publisher, you can:

 Author, manage and deliver documents
 Create interactive management reports
 Create highly formatted, customer facing documents
 Create government forms
 Create EFT documents

Some reporting tools combine the data model, layout, and translation into one report
file, requiring Business Intelligence (BI) administrators to maintain multiple copies of the
same report to support minor changes.

BI Publisher separates the data model, layout, and translation, which means that BI
reports can be:

 Generated and consumed in many output formats, such as PDF and Excel
 Scheduled for delivery to e-mail, printers, and so on
 Printed in different languages by adding translation files
 Burst and scheduled to be delivered to many recipients

BI Publisher can be found from BI Composer or from the BI Catalog by clicking
Create>Report.


BI Publisher Security
In conceptual terms, BI catalog folders that contain BI Publisher reports are secured
using duty roles. These duty roles are not the same as those that secure OTBI subject
areas and folders.
Individual BI Publisher reports are secured using function security privileges that are
granted to these duty roles.

For example, the Payroll Register Report is in the Payroll Calculations folder. The report
is secured using a privilege called Run Payroll Register Report, and this privilege is
granted to Payroll Distribution Calculation Management Duty. The Payroll Calculations
folder is secured using this duty role.

The actual implementation is slightly different, because BI security works slightly
differently from regular Fusion Applications security. The key difference is that BI
security supports application roles but does not support privileges. So, the privileges
that secure BI Publisher reports are implemented as application roles.

In the preceding example, the privilege Run Payroll Register Report is implemented as
an application role called Run Payroll Register Report (OBI), which is inherited by
another application role called Payroll Distribution Calculation Management Duty OBI.

You can view this role inheritance under the obi application in APM:


As discussed in the Security lesson, Fusion Applications duty roles are implemented in
Fusion Middleware as application roles. Function security privileges are implemented as
Entitlements in APM.

In BI, the function security privileges are also implemented as application roles, and the
privilege to duty role grant is implemented as a parent-child relationship in the
application role hierarchy, meaning that the duty role is the parent application role and
the privilege is the child application role.

You can distinguish between application roles that implement duty roles and application
roles that implement privileges by looking at the role names. Application roles that
implement duty roles have names ending with _DUTY_OBI and application roles that
implement privileges have names ending with _PRIV_OBI.

If you have access to the Permissions link in the BI Catalog, these application roles are
visible there. You must have the BI Administrator role to view permissions for the
seeded folders and reports.


BI Publisher Data Security and Secured List Views

When you access data using a BI Publisher data model that uses an SQL Query as the
data source, you have two options:

1. Select directly from a database table, in which case the data you return is not
subject to data security restrictions. Note that because BI Publisher allows you to
create data models on unsecured data, you should minimize the number of users
who have access to create data models.
2. Join to a secured list view in your select statements, in which case the data
returned will be determined by the security profiles that are assigned to the roles
of the user who is running the report.

The following tables show, for each table, the secured list view, the data security
privilege that is needed to report on data in the table (if accessed via the secured list
view) and the duty role that has the security privilege.


Note: PER_JOBS_F, PER_LOCATIONS and PER_GRADES_F are not currently
secured. The secured list views and privileges for these three tables are not currently
used.

You can find the list of secured views in Oracle Enterprise Repository (OER)
(type=View; Logical Business Area=HCM). You can access OER using the following
URL: https://fusionappsoer.oracle.com/oer/ and sign in with your Oracle ID.


BI Publisher and PII Data

Personally identifiable information (PII) tables are secured at the database level using
virtual private database (VPD) policies. Only authorized users can report on data in PII
tables, and this restriction also applies to BI Publisher reports. The Fusion HCM tables
that are protected in this way are:

 PER_ADDRESSES_F
 PER_DRIVERS_LICENSES
 PER_EMAIL_ADDRESSES (work e-mail not protected)
 PER_NATIONAL_IDENTIFIERS
 PER_PASSPORTS
 PER_PHONES (work phone not protected)
 PER_VISAS_PERMITS_F

The data in these tables is protected using data security privileges that are granted via
duty roles in the usual way.

This table lists the protected PII tables and the associated privileges that should be
used to report on data in these PII tables:


All of the above privileges are accessible using the Workforce Reporting Data Duty duty
role.


There are no activities for this lesson


Lesson 11: Course Highlights


In this course, you learned about:

 Roles and Role-Based Security
 Security Profiles and Data Roles
 Users and Role Provisioning
 HCM Security Data Stores and User Interfaces for Managing Security
 Managing Job Roles and Abstract Roles
 Managing Duty Roles
 Security and HCM Reporting


Lesson Details
Roles and Role-Based Security
Security in Oracle Fusion Applications is role-based, where roles control who can do
what on which data. Oracle Fusion Applications defines four types of roles:

 Abstract roles
 Data roles
 Job roles
 Duty roles

Security Profiles and Data Roles

Most Oracle Fusion HCM data is secured by means of HCM security profiles. A security
profile identifies a set of data of a single type; for example, you could create security
profiles to identify all workers in department HCM US. HCM security profiles are an
Oracle Fusion HCM feature; they are not used by other Oracle Fusion Applications.

This figure shows the process of creating new data roles and security profiles:


Users and Role Provisioning

 User Provisioning: Oracle Fusion Applications are tightly integrated with Oracle
Identity Management (OIM). When you hire a worker, a user account can be
created automatically for that worker in the OIM Identity store.

 Roles Provisioning: Abstract and data roles must be provisioned to users so that
they can access the functions and data that enable them to perform their jobs.
The process of assigning roles to users is known as role provisioning.

HCM Security Data Stores and User Interfaces for Managing Security
Three applications provide the user interfaces for managing HCM security:

 Oracle Fusion HCM - Functional Setup Manager
 Oracle Identity Manager (OIM)
 Authorization Policy Manager (APM)


Managing Job Roles and Abstract Roles

This figure shows the process of creating a new job role:


Managing Duty Roles

This figure shows the process of creating a new duty role:

Security and HCM Reporting

The data that is returned in OTBI reports is secured in a similar way to how data is
returned in Fusion HCM pages, meaning that access is granted by the roles that are
linked to security profiles.
BI catalog folders that contain BI Publisher reports are secured using duty roles.
Individual BI Publisher reports are secured using function security privileges that are
granted to these duty roles. BI security works slightly differently than regular Fusion
Applications security. The key difference is that BI security supports application roles,
but it does not support privileges. So, the privileges that secure BI Publisher reports are
implemented as application roles.


Lesson 12: References


 For a mapping of duties and privileges to roles across all offerings, see Mapping
Of Roles, Duties and Privileges in Fusion Applications (Doc ID 1460486.1)
on My Oracle Support (MOS).

 For information about how duty roles and privileges map to top-level menus, see
Mapping Of Duty Roles To Top Level Menu Entries in Fusion Applications
(Doc ID 1459828.1) on MOS.

 For descriptions of all the predefined data that is included in the security
reference implementation for HCM, see Oracle Fusion Applications Human
Capital Management Security Reference Manual available from the Oracle
Fusion Applications Help and from docs.oracle.com/cloud.

 For information about the common roles required to set up and administer an
offering, see Oracle Fusion Applications Common Security Reference
Manual available from the Oracle Fusion Applications Help and from
docs.oracle.com/cloud.

 For information on security hardening, see Oracle Fusion Applications
Security Hardening Guide available from docs.oracle.com.


Lesson 13: Appendix


Single Sign-On
What is Single Sign-On?
Single sign-on allows a user to log in once and access multiple applications. It can be
enabled via Federation Servers that know which identity links to which applications.

In this scenario, there may be one or more on-premise applications and an on-premise
Identity Provider, while Oracle Fusion Applications reside in the Cloud. When the user
signs on, the Identity Provider authenticates the user and authorizes them for access to
all of their applications. The user does not need to re-login to access Fusion
applications.

Components of single sign-on are described in the slides that follow.


Single Sign-On Components

Federated Identity
A federated identity is the means of linking a person's electronic identity and attributes,
stored across multiple distinct identity management systems.

A federation server is a software component that provides users with Single Sign-On
access to systems and applications located across organizational boundaries.


LDAP

 LDAP stands for Lightweight Directory Access Protocol

 LDAP is a Directory Service with a standardized hierarchical structure, optimized
for lookups

 Active Directory (AD) is Microsoft’s implementation of LDAP

 Oracle Internet Directory (OID) is Oracle’s implementation of LDAP


Virtual Directory

A technology that provides a consolidated view of user identity and related
information across different identity systems without having to migrate users into a
single enterprise directory infrastructure.

 Applies to on-premise systems only, not to SaaS customers


SAML 2.0

 SAML stands for Security Assertion Markup Language

 SAML 2.0 is an XML-based protocol that uses security tokens containing identity
assertions to pass information about an end user from one IAM system to
another.

 SAML is the standard for exchanging authentication and authorization
information between security domains and is used to enable single sign-on.


How it Works
Here's how the single sign-on process works:

1. User attempts to access Oracle Fusion Applications.

2. The request is redirected via Webgate and OAM Server to the On-Premise
Federation Server for authentication.

3. If authenticated, a SAML token is returned with a NameId.

4. The NameId is matched to the Fusion user ID, providing the appropriate
authorizations and allowing the appropriate application pages to be served up.


Technical View
This diagram shows a detailed technical view of the single sign-on process.


Single Sign-on Terminology

Oracle Fusion Applications Identity & Access Management (IAM) Solution comprises:

 Oracle Internet Directory (OID) – Standards-based LDAP directory that leverages
the scalability, high availability and security features of the Oracle database.

 Oracle Identity Manager (OIM) – Enterprise identity management system that
automatically manages users' access privileges within enterprise IT resources.

 Oracle Identity Federation (OIF) – Enterprise-level solution for secure identity
information exchange between partners.

 Oracle Access Manager (OAM) – Provides the core functionality of Web Single
Sign On (SSO), authentication, authorization, centralized policy administration
and agent management, real-time session management, and auditing.

Worker Service – Fusion HCM service that customers can call to create employees
and Fusion IAM users.

File-Based Loader (FBL) – A tool provided by HCM to integrate your HCM data into
Fusion HCM.

Spreadsheet Upload – An integration scheme provided by HCM that enables a
one-time upload of employee data.

Implementation User – An implementation user exists only in Fusion IAM, not in the
Fusion Applications tables. A Fusion Applications user exists in both Fusion IAM and
the shared HCM tables.

Active Directory Federation Server (ADFS) – Provides single sign-on access to
systems and applications located across organizational boundaries using a
claims-based access control authorization model to maintain application security and
implement federated identity.


Single Sign-On Patterns

Single Sign-On Prerequisites
To enable single sign-on between existing on-premise applications and Oracle Fusion
Applications, you must have one of the following in place:

 If your Oracle Fusion Applications are on the cloud (SaaS), users must exist in
both domains (Fusion Applications and on-premise applications).

 If your Oracle Fusion Applications are on-premise, users must either exist in both
domains or Virtual Directory must be enabled so users exist virtually in the
Fusion Domain.


Fusion HCM SaaS - Scenario 1

This figure illustrates single sign-on through Federation, where onboarding is done in
Fusion HCM SaaS. User data extracts are performed to synchronize identities between
Oracle Fusion HCM and the Active Directory.

In this scenario, Oracle Fusion Global Human Resources is being implemented. Once
existing employees are loaded into Oracle Fusion HCM, all new users will be onboarded
to Oracle Fusion HCM SaaS first and then their details will be synchronized to the on-
premise directory. SSO will be enabled via the Federation.


Employee Sync SaaS to On-Premise Identity Provider

Scenario: Employee onboarding is performed in the cloud. The synchronization
direction is from SaaS to your On-Premise Identity Provider (IdP).

Use the UserDetailsSystemExtract, a BI Publisher Report, from HCM to:

 Reformat the fields in accordance with the requirements of your On-Premise
Identity Provider (IdP).

 Specify the output method, such as email or posting to an sftp site

 Specify the output format, such as xml, pdf, excel, or flat file

 Upload to your On-Premise IdP.

Note: This BI Publisher Report contains the Fusion user ID that can be imported into
the on-premise IdP and then used in the on-premise Federation Server’s SAML
assertion.

To extract user data from Oracle Fusion Cloud Services and load the data into your
local LDAP directory, complete the following steps:

1. Configure your Oracle Fusion Cloud Services to periodically generate the
UserDetailsSystemExtract BI Publisher report. Publish this report to your
content server.

2. Download the user data extract file.

3. Convert the user data extract file into a format that can be loaded into your local
LDAP directory. You can use tools provided by your LDAP vendor. Load this data
into your local LDAP directory.

Oracle Fusion Cloud Services generate user data extracts in XML format. The
data extract is a full dump of identity information. The extract contains the last
update timestamp (COMPOSITE_LAST_UPDATE_DATE), which can be used by
your custom transformation logic to determine if the record has changed since
the processing of the previous extract.

Note: Extracting delta or subsets of user data is currently not supported. You can extract the user data for Oracle Fusion Cloud Services only if:

- You have a pre-defined data role as the Human Capital Management Administrator.
- You run the UserDetailsSystemExtract report as a user with unrestricted access to the workers in Fusion HCM.
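Because the extract is always a full dump and delta extraction is not supported, the change detection on COMPOSITE_LAST_UPDATE_DATE described in step 3 has to live in your own transformation logic. The following added example (not Oracle's code or the report's real schema) parses a constructed extract, keeps only records updated since the previous run, and renders them as LDIF for an on-premise directory; every element and attribute name other than COMPOSITE_LAST_UPDATE_DATE is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of a UserDetailsSystemExtract-style full dump. The element
# names other than COMPOSITE_LAST_UPDATE_DATE are assumptions, not Oracle's schema.
SAMPLE_EXTRACT = """<DATA_DS>
  <USER>
    <USERNAME>fusion.user1</USERNAME>
    <EMAIL>alice@example.com</EMAIL>
    <DISPLAY_NAME>Alice Example</DISPLAY_NAME>
    <COMPOSITE_LAST_UPDATE_DATE>2014-06-02T10:15:00Z</COMPOSITE_LAST_UPDATE_DATE>
  </USER>
  <USER>
    <USERNAME>fusion.user2</USERNAME>
    <EMAIL>bob@example.com</EMAIL>
    <DISPLAY_NAME>Bob Example</DISPLAY_NAME>
    <COMPOSITE_LAST_UPDATE_DATE>2014-05-20T08:00:00Z</COMPOSITE_LAST_UPDATE_DATE>
  </USER>
</DATA_DS>"""

def parse_ts(value):
    """Parse the UTC timestamp format used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_extract(xml_text):
    """Return one dict per USER element in the full-dump XML."""
    users = []
    for u in ET.fromstring(xml_text).findall("USER"):
        rec = {child.tag: (child.text or "").strip() for child in u}
        rec["COMPOSITE_LAST_UPDATE_DATE"] = parse_ts(rec["COMPOSITE_LAST_UPDATE_DATE"])
        users.append(rec)
    return users

def changed_since(users, last_run_ts):
    """The extract is always a full dump, so derive the delta locally from the timestamp."""
    last_run = parse_ts(last_run_ts)
    return [u for u in users if u["COMPOSITE_LAST_UPDATE_DATE"] > last_run]

def to_ldif(user, base_dn="ou=people,dc=example,dc=com"):
    """Emit an LDIF add entry; the attribute mapping is a constructed example."""
    return "\n".join([
        f"dn: uid={user['USERNAME']},{base_dn}",
        "changetype: add",
        "objectClass: inetOrgPerson",
        f"uid: {user['USERNAME']}",  # Fusion user ID, later asserted as the SAML NameId
        f"mail: {user['EMAIL']}",
        f"cn: {user['DISPLAY_NAME']}",
        f"sn: {user['DISPLAY_NAME'].split()[-1]}",
    ]) + "\n"
```

The timestamp filter only finds added or modified records; because each extract is a complete dump, entries present in your directory but absent from the extract must be handled separately as deprovisioning cases.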

For more information, see Oracle Support Document 1513123.1, Configuring Identity Synchronization in Oracle Fusion Cloud Services, at:
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1513123.1


Fusion HCM SaaS - Scenario 2

This figure illustrates single sign-on through Federation, where onboarding is done in an
existing on-premise application and synchronization of employees to Oracle Fusion
HCM is performed using File Based Loader (FBL) integration. This is an example of co-
existence, whereby Oracle EBS co-exists with an Oracle Fusion Applications product
such as Oracle Fusion HCM Talent.

In this scenario, provisioning users in your on-premise environment creates new users in your local LDAP directory. This process is termed onboarding. First, you must extract the user data from your local user directory and transform the data into a format that is supported by Oracle Fusion Cloud Services. Then, you load the transformed data into Oracle Fusion Cloud Services.


Employee Sync On-Premise to Fusion Applications (HCM)

Scenario: Employee onboarding is performed on premise. The synchronization direction is from your On-Premise Identity Provider (IdP) to HCM Oracle Fusion applications in SaaS.

The following options exist for synchronization:

- Spreadsheet Loader
- File Based Loader (FBL)

To extract user data from your local LDAP directory and load the data into Oracle
Fusion Cloud Services, complete the following steps:

1. Extract the newly created user data from your local LDAP directory to a file by
using tools provided by your LDAP vendor.

2. Convert this user data file into a format that is delivered and supported by Oracle
Fusion Cloud Services. You can use tools provided by your LDAP vendor.

3. Load this data into Oracle Fusion Cloud Services using FBL or the Spreadsheet
Loader.

For details on configuring identity synchronization, see Oracle Support Document 1513123.1, Configuring Identity Synchronization in Oracle Fusion Cloud Services, at:
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1513123.1


Implementation Scenarios
SSO via Federated Identity for SaaS
All scenarios represent single sign-on through Federated Identity for SaaS.

Prerequisites

- Each employee that needs access to the SaaS application must already exist in the cloud. (Existing employees must be synchronized.)
- SAML 2.0 Federation Protocol is required.
- SAML 2.0 browser artifact SSO profile is required.
- The SAML 2.0 assertion NameId must contain either the user's email address or the user's Fusion user ID.

Implementation Notes

Only authentication is necessary; authorization details from Fusion IAM will be used,
based on the identity asserted.

To implement this scenario, customers will need to submit a Service Request (SR) for
SSO enablement. The SR will walk them step-by-step through the process.

Process documentation for this scenario is available on My Oracle Support. (See Co-
Existence and SSO: The SSO Enablement Process for Public Cloud Customers,
Doc ID 1477245.1, at:
https://mosemp.us.oracle.com/epmos/faces/DocumentDisplay?id=1477245.1)


SSO via Federated Identity Plus OVD

For on-premise installations, you can use Oracle Virtual Directory to link Fusion
employees with existing users, rather than synchronizing identities.

For details on setting up and configuring Oracle Virtual Directory, refer to the standard
product documentation.

For more information, see Installing and Configuring Oracle Virtual Directory at:
http://docs.oracle.com/cd/E15523_01/install.1111/e12002/ovd.htm


SSO References

- Co-Existence and SSO: Overview and Implementation
  My Oracle Support (http://support.oracle.com) Doc Id: 1477248.1
- Co-Existence and SSO: The SSO Enablement Process for Public Cloud Customers on Release 5
  My Oracle Support Doc Id: 1477245.1
- Single Sign On (SSO) FAQ
  My Oracle Support Doc Id: 1245339.1
- Fusion Applications Technology: Master Note on Fusion Federation
  My Oracle Support Doc Id: 1484345.1
- SaaS SSO Using Identity Federation eSeminar (You can take the training online or download the slides.)
  Link: http://oukc.oracle.com/static09/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1222182178

See also the Additional Resources page at the beginning of this course.


There are no activities for this lesson.
