Ofch - Security


ORACLE HCM CLOUD SECURITY

HCM SECURITY BASICS

Every person who wants to access the Fusion application must have a user account. Every user
account is associated with one or more roles, and those roles determine what the person (user) can
access in the Fusion application. A person who has a user account but is not associated with any role
cannot access the Fusion application.
Note:
No Role, No Access

ROLE BASED SECURITY MODEL

The Employee and Line Manager roles are called Abstract Roles, and the Human Resource Specialist
role is called an HCM Data Role (or simply a Data Role).

Data roles also exist in other modules, for example Finance data roles, but HCM data roles are
different from the other data roles.
Note:
Every user should have at least one Data Role and one Abstract Role.

ROLE TYPES
Oracle Applications uses 5 types of roles for security management.
Data Roles:
An HCM Data Role is a combination of Function Security and Data Security.
Function Security is used to grant access to pages.
Ex: An HR Specialist needs access to functional pages such as the Hiring, Promotion and Transfer
pages. Function Security gives the HR Specialist access to those pages.
Function Security is a combination of Job Role, Duty Roles and Aggregate Privileges.

Abstract Roles: An abstract role gives access to ESS, MSS and Person Search or Employee Directory
(we can search for other employees who work in our organization).
3 Abstract Roles are defined by Oracle:
Employee Abstract Role
Line Manager Abstract Role
Contingent Worker Abstract Role

Job Roles: A job role tells what the person's job is.
Every user needs to be associated with a job role.

Aggregate Privileges tell us what the user can do.

Duty Roles: A duty role tells us what the user can do.

Note:
Data Roles are not delivered by Oracle. (The first challenge in an implementation project is to
create Data Roles for the users by combining the remaining roles and the security profiles.)
One Data Role has only one Job Role (one-to-one mapping).
Abstract Roles, Job Roles, Aggregate Privileges and Duty Roles are delivered. We cannot create
or modify Aggregate Privileges, whereas we can create and customize Abstract Roles, Job
Roles and Duty Roles.

Duty Role VS Aggregate Privileges

Under a duty role or an aggregate privilege we find two more items: Function Security
Privileges and Data Security Policies.
Function Security Privileges and Data Security Policies together give the duty role or aggregate
privilege the capability to perform a particular task.
An Aggregate Privilege contains one Function Security Privilege and multiple Data Security Policies,
whereas a Duty Role has multiple Function Security Privileges and multiple Data Security Policies.

Data Security: Data Security comes from Security Profiles.

Through security profiles, user 1 can access the data of Vision Corporation and user 2 can access
the data of Vision Securities.
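The role model described in these notes (function security from job, duty and aggregate privileges; data security from security profiles attached to a data role; no role means no access), as an added Python illustration that is not part of the original notes. All role, page and organization names in it are constructed for the example and are not Oracle-delivered identifiers.

```python
from dataclasses import dataclass
# Added model of the role hierarchy in these notes; role, page and organization
# names are constructed for illustration and are not Oracle-delivered identifiers.

@dataclass(frozen=True)
class JobRole:
    name: str
    duty_roles: dict          # duty role -> frozenset of many function privileges
    aggregates: dict          # aggregate privilege -> its single function privilege

    def function_privileges(self):
        """Function security = the job role's duty roles + aggregate privileges."""
        privs = set(self.aggregates.values())
        for duty_privs in self.duty_roles.values():
            privs |= duty_privs
        return privs

@dataclass(frozen=True)
class SecurityProfile:
    object_type: str          # secured object type, e.g. "Organization"
    members: frozenset        # the records this profile identifies

@dataclass(frozen=True)
class DataRole:
    name: str
    job_role: JobRole         # one Data Role maps to exactly one Job Role
    profiles: tuple = ()      # security profiles supply the data security

def can_access_page(data_roles, abstract_pages, page):
    """Function security: a page is reachable only via a privilege of some role (no role, no access)."""
    privs = set(abstract_pages)   # abstract roles grant ESS/MSS/person search pages
    for r in data_roles:
        privs |= r.job_role.function_privileges()
    return page in privs

def can_access_record(data_roles, object_type, record):
    """Data security: a secured object is visible only if a security profile names it."""
    return any(p.object_type == object_type and record in p.members
               for r in data_roles for p in r.profiles)

# Constructed sample: two HR specialists share one job role but differ in security profile.
HR_JOB = JobRole("Human Resource Specialist",
                 duty_roles={"Hire Worker": frozenset({"Hire an Employee", "Promote Worker"})},
                 aggregates={"View Person": "Person Search"})
EMPLOYEE_PAGES = frozenset({"Employee Self Service"})   # Employee abstract role
VISION_CORP = SecurityProfile("Organization", frozenset({"Vision Corporation"}))
VISION_SEC = SecurityProfile("Organization", frozenset({"Vision Securities"}))
USER1 = (DataRole("HR Specialist - Vision Corp", HR_JOB, (VISION_CORP,)),)
USER2 = (DataRole("HR Specialist - Vision Sec", HR_JOB, (VISION_SEC,)),)
```

Both users reach the same pages through the shared job role, but each sees only the organization named in the security profile of their own data role.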
SECURITY PROFILES OVERVIEW
Most HCM data is secured by means of HCM security profiles.
A security profile identifies a set of data of a single type, such as persons or organizations.
Ex: We could create security profiles to identify
- all workers in Dept HCM US
- the legal employer Vision Corp USA1
- business units USA1 and USA2
We can assign security profiles to data roles and abstract roles.

HCM SECURITY PROFILE TYPES

We can create HCM security profiles for the following HCM business objects:

Person (managed)
Person (public)
Organization
Position
Legislative Data Group
Country
Document Type
Payroll
Payroll Flow

All of the above are called secured objects. A secured object cannot be accessed by a user until we
create a security profile and give access to that particular user.
Generally, "View All" security profiles for each object type are delivered by Oracle. If we want to
create security profiles, we go to the specific task, such as Manage Person Security Profile or
Manage Organization Security Profile.
In practice, Person (public) is generally defined as a View All security profile, because an employee
in the organization is allowed to collaborate with all the other employees in the organization.
USER ACCOUNTS
Without a user account we cannot associate roles with a person or user.
To create user accounts, we can:
- Configure Oracle HCM Cloud security to create user accounts for new workers automatically.
User accounts are maintained in OIM (Oracle Identity Management), which is part of the LDAP
(Lightweight Directory Access Protocol) store in the middleware.
- Use the "Manage Users" task. (This approach is not recommended once implementation is done.)
When we want to create a user for testing, we use Manage Users.
- Use the "Create Implementation Users" task to create implementation users.

Difference between Implementation User and Worker

For an implementation user, the record is maintained in the user tables only, whereas for a worker
the record is maintained in both the user and the person tables.
An implementation user cannot access ESS and MSS.

Enterprise Level Settings for User Account Creation

To configure the options below, use the Manage Enterprise HCM Information task in the Setup and
Maintenance work area.
The following enterprise-level options control aspects of user management:
- User Account Creation
- Send User Name and Password
- User Account Maintenance
- Alternate Contact E-Mail Address
- Default User Name Format

Note:

A person who has the IT Security Manager role and access to OIM can reset passwords when
required.

We can access data roles, delivered job roles and delivered abstract roles from OIM.

Only Authorization Policy Manager gives access to the duty roles.

CREATING DATA ROLES

Use the "Assign Security Profiles to Role" task to manage data roles and assign security profiles to
them.

USER AND ROLE PROVISIONING

By default, users have no access to functions and data. To enable access, we must provision
roles to users.
We can initiate the provisioning and revoking of roles from the following flows:
- Hire an Employee
- Promote Worker
- Transfer Worker
Users can request certain roles for themselves.
Line Managers and HR Specialists can request roles for, and revoke roles from, the people that they
manage.
All role provisioning is controlled by role-provisioning rules, also known as Role Mappings.

ROLE PROVISIONING OPTIONS

When defining role-provisioning rules on the "Create Role Mapping" page we have 3 provisioning
options:
- AutoProvision
- Requestable
- Self-Requestable
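How the three provisioning options on a role mapping play out across the Hire, Promote and Transfer flows and the request paths described in the two sections above, as an added Python illustration that is not part of the original notes. The mapping condition (a dictionary of assignment attributes) and all role names are assumptions made for the example, not Oracle's own data model.

```python
from dataclasses import dataclass

# Added model of role-provisioning rules (role mappings) as described in these notes;
# the "condition" field and the role names are constructed for illustration.

@dataclass(frozen=True)
class RoleMapping:
    role: str
    condition: dict                 # assignment attributes the person must match (assumed)
    autoprovision: bool = False     # granted automatically when the condition matches
    requestable: bool = False       # a line manager / HR specialist may request it for others
    self_requestable: bool = False  # the user may request it for themselves

def matches(mapping, assignment):
    return all(assignment.get(k) == v for k, v in mapping.condition.items())

def autoprovision_roles(mappings, assignment):
    """Roles provisioned automatically by flows such as Hire, Promote and Transfer."""
    return {m.role for m in mappings if m.autoprovision and matches(m, assignment)}

def can_request(mappings, role, target_assignment, for_self):
    """A role may be requested only if a mapping matching the target person allows that request type."""
    for m in mappings:
        if m.role != role or not matches(m, target_assignment):
            continue
        if m.self_requestable if for_self else m.requestable:
            return True
    return False

def revoke_on_change(mappings, old_assignment, new_assignment):
    """Promote/Transfer: autoprovisioned roles whose mapping no longer matches are revoked."""
    before = autoprovision_roles(mappings, old_assignment)
    after = autoprovision_roles(mappings, new_assignment)
    return before - after, after - before   # (revoked, newly provisioned)

# Constructed sample mappings
MAPPINGS = (
    RoleMapping("Employee", {"assignment_status": "Active"}, autoprovision=True),
    RoleMapping("Line Manager", {"assignment_status": "Active", "is_manager": True}, autoprovision=True),
    RoleMapping("HR Specialist - Vision Corp",
                {"department": "HR", "legal_employer": "Vision Corporation"}, requestable=True),
    RoleMapping("Expense Entry", {"assignment_status": "Active"}, self_requestable=True),
)
```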

RUNNING USER ROLE SYNCHRONIZATION PROCESSES IN FUSION

LDAP Role Create and Update Reconciliation
LDAP Role Delete Reconciliation
LDAP Role Hierarchy Reconciliation
LDAP Role Membership Reconciliation
LDAP User Create and Update Reconciliation
LDAP User Delete Reconciliation
