
Oracle Human Capital Management Cloud

Security Upgrade Guide


Release 12
ORACLE WHITE PAPER | MARCH 2017
Table of Contents

Introduction to the Security Upgrade Guide
What to Do Before the Upgrade
Identify Customizations Made to the Simplified Reference Role Model
Role Hierarchy Customizations
Role Customizations
Privilege Customizations
Resource Customizations
Customizations in the OBI Stripe
References to Customized Roles
What Happens During the Upgrade
How Roles Are Migrated to Release 12
Enterprise Roles, Application Roles, and the Simplified Reference Role Model
Upgrade of Simplified Reference Role Model Predefined Roles to Release 12
Upgrade of Simplified Reference Role Model Custom Roles to Release 12
Upgrade of HCM Data Roles to Release 12
Upgrade of BI Roles to Release 12
Upgrade of Release 9 Roles to Release 12
Special Cases
New, Updated, and Deleted Roles and Privileges
Deleted Aggregate Privileges
Renamed Roles
Roles with Changed Role Categories

1 | ORACLE HCM CLOUD SECURITY UPGRADE GUIDE RELEASE 12


New Roles
New Aggregate Privileges
Role-Hierarchy Changes
Function Security Privileges Granted to Roles
New Function Security Privileges
Deleted Function Security Privileges
Renamed Function Security Privileges
Function Security Privileges Removed from Roles
Role Codes on the Assign Security Profiles to Role Pages
What to Do After the Upgrade
Run Required Processes
Run Retrieve Latest LDAP Changes
Run Import User and Role Application Security Data
End Scheduling of Retrieve Latest LDAP Changes
Validate User Lifecycle Settings
Using the Security Console
Verify Password Expiration Duration
Verify Password Expiration Warning Duration
Verify Password Complexity Rules
Verify User-Name Generation Rules
Configure Notification Templates
Configure Forgot Password Flow
Update Custom Roles for Oracle Fusion Goal Management



New Aggregate Privileges
New Function Security Privilege
Removed Function Security Privilege
Function Security Privileges No Longer Used
Update Custom Roles for Oracle Fusion Profile Management
New Aggregate Privileges
Removed Function Security Privilege
Remove Access to Workforce Reputation Management
Appendix: Updating Custom Job or Abstract Roles
Identifying and Regenerating HCM Data Roles



Introduction to the Security Upgrade Guide
This document describes the security-upgrade process for customers upgrading from Oracle HCM
Cloud Release 11 to Oracle HCM Cloud Release 12. It includes these sections:

» What to Do Before the Upgrade
» Identify Customizations Made to the Simplified Reference Role Model
» What Happens During the Upgrade
» How Roles Are Migrated to Release 12
» New, Updated, and Deleted Roles and Privileges
» Role Codes on the Assign Security Profiles to Role Pages
» What to Do After the Upgrade
» Run Required Processes
» Validate User Lifecycle Settings
» Update Custom Roles for Oracle Fusion Goal Management
» Update Custom Roles for Oracle Fusion Profile Management
» Remove Access to Workforce Reputation Management



What to Do Before the Upgrade
When your Oracle Fusion Applications Cloud environment is upgraded to Release 12, predefined roles that are
shipped with the Simplified Reference Role Model will be locked down (made read-only). Prior to this locking down,
the Release 12 settings are applied to these predefined roles and their associated privileges. Any customizations to
those roles and privileges will be removed. These steps ensure safe future upgrades to predefined roles, since the
possibility of conflict with customer-introduced changes to these roles is now eliminated.

Most Oracle Fusion Applications Cloud customers make no customizations to predefined roles and are therefore
unaffected by these changes. However, as a precaution, and before your Oracle Fusion Applications Cloud
environment is upgraded to Release 12, you must identify any customizations that you have made to the Simplified
Reference Role model. If you identify these customizations before the upgrade, then you can create custom roles,
as appropriate, to preserve your customizations. This section provides instructions for these tasks.

Identify Customizations Made to the Simplified Reference Role Model


Use the Security Customization Report to identify customizations that have been made to the Simplified
Reference Role Model before your environment is upgraded to Release 12.

Important Note: You must have the IT Security Manager job role to run this report. If you first implemented Oracle
HCM Cloud in Release 9 or earlier, then you may still be using the Release 9 version of the IT Security Manager job
role, which cannot run the Security Customization Report. To confirm, search for the IT Security Manager job role in
Authorization Policy Manager and review its inherited duty roles. If the names of those duty roles end with the word
Duty, then you are using the Release 9 version of the role. In this case, migrate your IT Security Manager job role to
the Simplified Reference Role Model.

Follow these steps to run the report:


1. Select Navigator - Tools - Scheduled Processes to open the Scheduled Processes work area.
2. In the Scheduled Processes work area, click Schedule New Process.
3. In the Schedule New Process dialog box, search for and select Security Customization Report. Click
OK.
4. In the Process Details dialog box, leave the Show Parameters option deselected.
5. Set the Stripe parameter to HCM.
6. Click Submit to run the report.

The report generates two zip files:

» A file, security_diff_report.zip, containing the report output
» A diagnostics file

The file security_diff_report.zip contains a file named hcm-production-base-delta.xlsx. Open the
xlsx file using Microsoft Excel and review the information on these tabs:

» Role Hierarchy Customizations (Sheet 1)
» Role Customizations (Sheet 2)
» Privilege Customizations (Sheet 3)
» Resource Customizations (Sheet 4)

If a tab shows no results, then no customizations of that type were detected and you do not need to take any action.

This document describes the contents of each tab. It also identifies the actions that you must take before your
environment is upgraded to Release 12.



Role Hierarchy Customizations
The Role Hierarchy Customizations tab shows:

» Roles Added to Reference Role Hierarchy
» Roles Removed from Reference Role Hierarchy

Figure 1-1 shows an example of the Role Hierarchy Customizations tab.

Figure 1-1. Role Hierarchy Customizations

This sample output indicates that a role ORA_PER_PERSON_VIEW_DUTY has been added to
ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY, and a role
PER_APPROVAL_NOTIFICATION_DUTY has been added to ORA_PER_EMPLOYEE_ABSTRACT.

These customizations will be removed when your environment is upgraded to Release 12.

To preserve these customizations, you must:


1. Create custom copies of each of the job and abstract roles that inherit the roles that are shown in the
report. If the role that has been customized is a job or abstract role, then perform a shallow copy of the job
or abstract role. Perform a deep copy of the job or abstract role if it inherits a duty role that has been
customized.
2. Create data roles on top of any new custom job roles, and assign security profiles to any new custom
abstract roles.
3. Assign the new data roles and custom abstract roles to users. Revoke the existing data roles and abstract
roles that these new roles are replacing. If any of your roles is provisioned automatically, then modify the
provisioning rules so that they refer to the new roles.

Do this before you are upgraded to Release 12.

Note: If the Role Hierarchy Customizations tab identifies child roles beginning with the characters ORA_FBI or FBI_,
then you may have made changes in the OBI application stripe. See the section Customizations in the OBI Stripe
for instructions on how to proceed for those roles. For more information about customizations in the OBI
stripe, see the topic How Reporting Data is Secured: Explained in the Release 11 Securing Oracle HCM Cloud
guide on the Oracle Help Center.

Identifying the Job and Abstract Roles That Need to Be Copied

Use the Application Role Hierarchy tab in Authorization Policy Manager to identify the job and abstract roles that are
impacted by your customizations. Follow these steps:
1. Sign in to Oracle HCM Cloud with IT Security Manager privileges.
2. On the home page, click Setup and Maintenance.
3. In the Setup and Maintenance work area, search for and select the Manage Duties task.
4. In the search results, click Go to Task. The Oracle Entitlements Server Authorization Management page
opens.

5. On the Home tab of the Authorization Management page, select hcm in the Application Name section and
click Search under Application Roles.

Figure 1-2. Search for Application Roles on the Authorization Management Page

The Role Catalog page opens.


6. In the Role Name field, enter the name of the parent role listed in the customization report and click
Search. For example, enter ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY.

Figure 1-3. The Role Catalog Page
7. Select the role in the Search Results section and click Open. The relevant role page opens.
8. On the Application Role Hierarchy tab of the role page, click Is Inherited By.

Figure 1-4. The Application Role Hierarchy Tab

The parent roles that inherit ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY are listed.

9. Move up the role hierarchy until you reach a job role or an abstract role. These roles have names that end
with _JOB or _ABSTRACT, as appropriate. For example, ORA_PAY_PAYROLL_MANAGER_JOB or
ORA_PAY_PAYROLL_ADMINISTRATOR_JOB.
In this example, you need to create custom copies of both ORA_PAY_PAYROLL_MANAGER_JOB and
ORA_PAY_PAYROLL_ADMINISTRATOR_JOB.

The steps for copying a job role are explained in the Customizing Security chapter of the Release 11 guide Securing
Oracle HCM Cloud on the Oracle Help Center.
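
The copy decision described in this section, as an added example that is not part of the Oracle guide or of any Oracle tool: a Python helper that takes the (parent, child) pairs from the Role Hierarchy Customizations tab and the "Is Inherited By" results from Authorization Policy Manager, both typed in by hand, and works out which job and abstract roles need a shallow or a deep copy. The input layout is an assumption, role names containing EXAMPLE are constructed, and the hierarchy between the duty role and the two payroll job roles is invented for the sample.

```python
"""Plan role copies from Role Hierarchy Customizations findings (added example)."""
from collections import deque
from dataclasses import dataclass, field

JOB_OR_ABSTRACT_SUFFIXES = ("_JOB", "_ABSTRACT")  # naming rule from step 9
OBI_PREFIXES = ("ORA_FBI", "FBI_")                # child roles that point at the OBI stripe


@dataclass
class CopyPlan:
    copies: dict = field(default_factory=dict)      # job/abstract role -> "shallow" or "deep"
    obi_review: list = field(default_factory=list)  # (parent, child) pairs for the OBI stripe section
    unresolved: list = field(default_factory=list)  # duty roles with no job/abstract ancestor in the data


def is_job_or_abstract(role):
    return role.endswith(JOB_OR_ABSTRACT_SUFFIXES)


def job_and_abstract_ancestors(role, inherited_by):
    """Walk "Is Inherited By" upward; stop at the first job or abstract role on each path."""
    found, seen, queue = set(), {role}, deque([role])
    while queue:
        current = queue.popleft()
        for parent in inherited_by.get(current, ()):
            if parent in seen:  # guards against loops in hand-entered data
                continue
            seen.add(parent)
            if is_job_or_abstract(parent):
                found.add(parent)
            else:
                queue.append(parent)
    return found


def build_copy_plan(customizations, inherited_by):
    """customizations: (parent, child) pairs, where child was added to or removed from parent."""
    plan = CopyPlan()
    for parent, child in customizations:
        if child.startswith(OBI_PREFIXES):
            # The guide sends these to the OBI stripe section, so they are only flagged here.
            plan.obi_review.append((parent, child))
            continue
        if is_job_or_abstract(parent):
            # The customized role is itself a job or abstract role: shallow copy,
            # unless another finding already requires a deep copy of it.
            plan.copies.setdefault(parent, "shallow")
            continue
        ancestors = job_and_abstract_ancestors(parent, inherited_by)
        if not ancestors:
            plan.unresolved.append(parent)
        for role in ancestors:
            # A job or abstract role that inherits a customized duty role needs a deep copy.
            plan.copies[role] = "deep"
    return plan


# Constructed sample input. The first two pairs are the findings in the sample report output;
# the other two pairs and the whole inherited-by map are made up for illustration.
SAMPLE_CUSTOMIZATIONS = [
    ("ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY", "ORA_PER_PERSON_VIEW_DUTY"),
    ("ORA_PER_EMPLOYEE_ABSTRACT", "PER_APPROVAL_NOTIFICATION_DUTY"),
    ("ORA_PER_EMPLOYEE_ABSTRACT", "FBI_EXAMPLE_REPORTING_DUTY"),
    ("EXAMPLE_UNUSED_DUTY", "ORA_PER_PERSON_VIEW_DUTY"),
]
SAMPLE_INHERITED_BY = {
    "ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY": [
        "ORA_PAY_PAYROLL_MANAGER_JOB",
        "EXAMPLE_INTERMEDIATE_DUTY",
    ],
    "EXAMPLE_INTERMEDIATE_DUTY": [
        "ORA_PAY_PAYROLL_ADMINISTRATOR_JOB",
        "ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY",  # deliberate loop
    ],
}

if __name__ == "__main__":
    plan = build_copy_plan(SAMPLE_CUSTOMIZATIONS, SAMPLE_INHERITED_BY)
    for role, kind in sorted(plan.copies.items()):
        print(f"{kind:7} copy  {role}")
    for parent, child in plan.obi_review:
        print(f"OBI stripe review: {child} under {parent}")
    for role in plan.unresolved:
        print(f"no job or abstract role inherits {role} in the supplied data")
```

Entries in `unresolved` usually mean the "Is Inherited By" data for that duty role has not been entered yet, so they should be checked again in Authorization Policy Manager before the upgrade.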

Role Customizations
The Role Customizations tab shows:

» Privileges Granted to Reference Roles
» Privileges Removed from Reference Roles
» Custom Function Security Policies Granted to Reference Roles
» Privilege Grants from Page Integration Wizard
» Resources Granted to Reference Roles
» Resources Removed from Reference Roles
» Reference Roles Modified
» Reference Roles Deleted
» Role Categories Added for Reference Roles
» Role Categories Removed from Reference Roles
» Reference Role Categories Deleted

The sections Privileges Granted to Reference Roles and Custom Function Security Policies Granted to Reference
Roles both cover the addition of function security privileges to reference roles. They are reported separately
because there are two ways to make this type of customization in Authorization Policy Manager.

Custom Function Security Policies Granted to Reference Roles

Figure 1-5 shows an example of the Role Customizations tab.

Figure 1-5. Custom Function Security Policies Granted to Reference Roles

Custom function security policies are granted to reference roles using Authorization Policy Manager. In this sample
output, a custom policy called View Required Learning for Employee has been added to the reference Employee
role.

You need to find the function security privileges that are granted to this custom policy and grant them to a custom
Employee role. Follow these steps:
1. Sign in to Oracle HCM Cloud with IT Security Manager privileges.
2. On the home page, click Setup and Maintenance.
3. In the Setup and Maintenance work area, search for and select the Manage Duties task.
4. In the search results, click Go to Task. The Oracle Entitlements Server Authorization Management page
opens.
5. On the Home tab of the Authorization Management page, select hcm in the Application Name section and
click Search under Authorization Policies.

Figure 1-6. Search for Authorization Policies on the Authorization Management Page

The Search Authorization Policies tab opens.


6. On the Search Authorization Policies tab, select Application Roles and Starts With.
7. In the Role Name field, enter the name of the role to which the custom policy has been added and click
Search. For example, enter ORA_PER_EMPLOYEE_ABSTRACT.

Figure 1-7. Search for Policies

The Targets column shows View Required Learning. This target is the name of the function security privilege that is
granted to this custom policy.

Create a copy of the customized reference Employee role. Create a shallow copy if the customized role is an
abstract or job role. Create a deep copy if the customized role is a duty role inherited by the abstract or job role. The
steps for copying an abstract or job role are explained in the Customizing Security chapter of the Release 11 guide
Securing Oracle HCM on the Oracle Help Center.

Privileges Granted to Reference Roles

Figure 1-8. Privileges Granted to Reference Roles

Function security privileges that are reported in the Privileges Granted to Reference Roles section of the report are
granted to the reference role via the default function security policy that is delivered as part of the reference role
definition. This policy has a name in the form Policy for <role display name>. For example, Policy for Human Capital
Management Integration Specialist. The default policy appears first in the list of function security policies for a role in
Authorization Policy Manager.

Figure 1-9. Reviewing Function Security Privileges Added to the Default Policy

You can see the function security privilege that was added to the Human Capital Management Integration Specialist
reference role by clicking More... or Open on the Functional Policies tab.

Create a copy of the customized Human Capital Management Integration Specialist reference role. Create a shallow
copy if the customized role is an abstract or job role. Create a deep copy if the customized role is a duty role
inherited by the abstract or job role. The steps for copying a job role are explained in the Customizing Security
chapter of the Release 11 guide Securing Oracle HCM Cloud on the Oracle Help Center.

Privileges Removed from Reference Roles

Figure 1-10. Privileges Removed from Reference Roles

Function security privileges that are reported in the Privileges Removed from Reference Roles section of the report
have been removed from the default function security policy that is delivered as part of the reference role definition.
This policy has a name in the form Policy for <role display name>. For example, Policy for Employee. The default
policy appears first in the list of function security policies for a role in Authorization Policy Manager.

In the example report output, some privileges have been removed from
ORA_HRT_WORKFORCE_PROFILE_WORKER_DUTY and from ORA_PER_EMPLOYEE_ABSTRACT.

ORA_PER_EMPLOYEE_ABSTRACT is the reference Employee role. Create a shallow copy of this role. The steps
for copying an abstract role are explained in the Customizing Security chapter of the Release 11 guide Securing
Oracle HCM Cloud on the Oracle Help Center.

ORA_HRT_WORKFORCE_PROFILE_WORKER_DUTY is a duty role. You must identify the reference job and
abstract roles that inherit this duty role and make deep copies of those roles. Follow the steps described in the Role
Hierarchy Customizations section of this document to identify the job and abstract roles that inherit this duty role.

Privilege Grants from Page Integration

Figure 1-11. Privilege Grants from Page Integration

Page Integration privilege grants are generated by the Page Integration user interface and have privilege codes
starting with EXTN. The privilege codes also contain the page name.

These privilege grants will be removed when your environment is upgraded to Release 12.

To preserve these customizations, you must create custom copies of each of the job and abstract roles that inherit
the roles that are shown in the report. Recreate your page definitions using the Page Integration user interface, and
secure them against a custom copy of the role that is identified in the report. Do this before you are upgraded to
Release 12.

The sample output in Figure 1-11 indicates that four pages have been created using the Page Integration user
interface, and all four have been secured against the ORA_PER_EMPLOYEE_ABSTRACT role.

Create a shallow copy of the customized reference Employee role and recreate your page definitions using the Page
Integration user interface so that they reference your custom Employee role. The steps for copying an abstract role
are explained in the Customizing Security chapter of the Release 11 guide Securing Oracle HCM Cloud on the
Oracle Help Center. You must ensure that you copy both the FSCM and HCM versions of the Employee role to
ensure that your custom role will be available in the Application Roles list of values on the Page Integration user
interface.

Resources Granted to Reference Roles

Figure 1-12. Resources Granted to Reference Roles

Resources should not be granted directly to roles. Any resources that were granted to reference roles in Release 11
are removed in Release 12.

In Release 12, HCM REST resources are granted to reference privileges, which are granted to reference job roles.

Review the Release 12 REST API documentation on the Oracle Help Center at https://docs.oracle.com/en/ for
information about how HCM REST APIs are secured in Release 12.

If you are granting resources other than REST resources to reference roles, then contact Oracle to discuss your
requirements.

Resources Removed from Reference Roles

Figure 1-13. Resources Removed from Reference Roles

Resources should not be granted directly to roles.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Reference Roles Modified

If display names or descriptions of reference roles have been customized, then the display names and descriptions
will be reset to factory settings when you upgrade to Release 12.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Reference Roles Deleted

If reference roles have been deleted, then the roles will be reinstated when you upgrade to Release 12 if the roles
are part of the Release 12 Simplified Reference Role Model.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Role Categories Added for Reference Roles

If reference role categories have been changed, then the role categories will be reset to factory settings when you
upgrade to Release 12 if the roles are part of the Release 12 Simplified Reference Role Model.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Role Categories Removed from Reference Roles

If reference role categories have been changed, then the role categories will be reset to factory settings when you
upgrade to Release 12 if the roles are part of the Release 12 Simplified Reference Role Model.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Reference Role Categories Deleted

If reference role categories have been deleted, then the role categories will be reinstated when you upgrade to
Release 12.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Privilege Customizations
The Privilege Customizations tab shows:

» Resources Added to Reference Privileges
» Resources Removed from Reference Privileges
» Reference Privileges Modified
» Reference Privileges Deleted

The privileges reported here are function security privileges. They are called Entitlements in Authorization Policy
Manager. This section of the report is for information only.

Oracle does not recommend that reference privileges be modified. However, in some situations we have provided
workarounds to bugs that involve the addition or removal of resources from reference privileges. These bugs should
be fixed in Release 12, and the workarounds should no longer be necessary.

In Release 12, you cannot modify reference function security privileges, nor can you create custom function security
privileges.

Resources Added to Reference Privileges

Figure 1-14. Resources Added to Reference Privileges

If resources have been added to reference privileges, then the resource permission grants will be reset to factory
settings when you upgrade to Release 12.

If you are happy for these customizations to be reset during the upgrade, then no action is necessary. If you are
unsure why the customizations in this section of the report were made, then contact Oracle for guidance.

Resources Removed from Reference Privileges

Figure 1-15. Resources Removed from Reference Privileges

If resources have been removed from reference privileges, then the resource permission grants will be reset to
factory settings when you upgrade to Release 12.

If you are happy for these customizations to be reset during the upgrade, then no action is necessary. If you are
unsure why the customizations in this section of the report were made, then contact Oracle for guidance.

Reference Privileges Modified

Figure 1-16. Reference Privileges Modified

If privilege display names or descriptions have been modified, then the privilege definitions will be reset to factory
settings when you upgrade to Release 12.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Reference Privileges Deleted

Figure 1-17. Reference Privileges Deleted

If privileges have been deleted, then the privileges will be reinstated when you upgrade to Release 12 if they are
part of the Release 12 Simplified Reference Role Model.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Resource Customizations
The Resource Customizations tab shows:

» Reference Resources Modified
» Reference Resources Deleted
» Resource Types Modified
» Resource Types Deleted

Oracle does not recommend that resources be modified. You cannot customize resources in Release 12.

Reference Resources Modified

Figure 1-18. Reference Resources Modified

If resources have been modified, then the resource definitions will be reset to factory settings when you upgrade to
Release 12.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Reference Resources Deleted

Figure 1-19. Reference Resources Deleted

If resources have been deleted, then the resources will be reinstated when you upgrade to Release 12 if they are
part of the Release 12 Simplified Reference Role Model.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Resource Types Modified

If resource types have been modified, then the resource type definitions will be reset to factory settings when you
upgrade to Release 12.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Resource Types Deleted

If resource types have been deleted, then the resource type definitions will be reinstated when you upgrade to
Release 12 if they are part of the Release 12 Simplified Reference Role Model.

Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.

Customizations in the OBI Stripe


The Security Customization Report does not currently report on role customizations made in the OBI stripe. In
addition, when you copy a role to create a custom role, the contents of the OBI stripe are not copied. If you have
made customizations to a predefined role in the OBI stripe, then you must:
1. Manually create a copy of the relevant application job or abstract role in the OBI stripe.
2. Link the copy of the application role to the relevant custom enterprise role.

References to Customized Roles


If you create a custom version of a role that is referred to in an approval rule or page composer expression, then you
must update those references to refer to the new role.

What Happens During the Upgrade
This section:

» Describes how both predefined and custom roles are migrated to Release 12.
» Identifies roles and privileges that are added, updated, or deleted during the upgrade to Release 12.

How Roles Are Migrated to Release 12

Enterprise Roles, Application Roles, and the Simplified Reference Role Model
Before Release 12, two types of roles existed:

» Enterprise roles
» Application roles

You created enterprise roles in Oracle Identity Manager and application roles in Authorization Policy Manager. You
could also create both types of roles on the Security Console. You set Role Source to External role for an
enterprise role and Application role for an application role.

Figure 2-1. Selecting the Role Source on the Release 11 Security Console

The Simplified Reference Role Model was introduced in Release 10. In Releases 10 and 11, each predefined job
and abstract role in the Simplified Reference Role Model was represented as two separate roles: an enterprise job
role (the EJR) and an application job role (the AJR). The EJR inherited the AJR. Predefined AJRs were
distinguishable from predefined EJRs by the ORA_ prefix of the AJR role code. In addition, AJR role names on the
Security Console had the suffix (Application role).

For example, this is how the predefined Benefits Specialist job role appeared in Release 11.

Figure 2-2. The Release 11 Benefits Specialist Enterprise and Application Roles in the Security Console Search Results

Figure 2-3. The Release 11 Benefits Specialist Enterprise and Application Roles in the Security Console Visualizer

Figure 2-4. The Release 11 Benefits Specialist Application Role Expanded in the Security Console Visualizer

If you were initially provisioned with Oracle HCM Cloud Release 9 or earlier, then you may not be using the
Simplified Reference Role Model. You may still be using the predefined Benefits Specialist role that was delivered in
Release 9, for example. In that case, your predefined Benefits Specialist job role looks like this:

Figure 2-5. The Release 9 Predefined Benefits Specialist Job Role

If you have not yet migrated your predefined Release 9 roles to the Simplified Reference Role Model, then you will
have two versions of each of the predefined job and abstract roles in Release 11, as shown in Figure 2-6. The role
on the left is the role that was delivered in Release 9. This role is the EJR. It inherits the duty roles that were
delivered in Release 9. The role on the right is the role that was first delivered in Release 10. This role is the AJR. It
inherits the duty roles and aggregate privileges that were first delivered in Release 10.

Figure 2-6. The Simplified Reference Role Model

To migrate a Release 9 job role to the Simplified Reference Role Model in Release 10 or 11, you remove the child
duty roles from the enterprise job role (EJR) on the left, and hook the application job role (AJR) on the right up to the
EJR on the left.

If you have not already done so, and you want to migrate your Release 9 roles to the Simplified Reference Role
Model before you upgrade to Release 12, then follow the instructions in the Release 10 HCM Security Upgrade
Guide. The instructions in the Release 10 HCM Security Upgrade Guide apply to Oracle HCM Cloud Releases 10
and 11. They do not apply to Oracle HCM Cloud Release 12.

Note that you are not required to migrate all of your Release 9 roles to the Simplified Reference Role Model before
you upgrade to Release 12. However, you must migrate your IT Security Manager job role to the Simplified
Reference Role Model before running the Security Customization Report during your Release 12 preupgrade
activities.

Your old Release 9 roles will continue to work after your upgrade to Release 12. However, as was the case in
Releases 10 and 11, if you are still using predefined job roles that were delivered in Release 9, then you will not get
access automatically to new features delivered in Release 10 and later if those features are secured using new
privileges and duty roles.

For example, the Release 9 version of the IT Security Manager job role does not have full access to the Security
Customization Report that was delivered in the Release 11 February Quarterly Update Bundle. Therefore, you will
need to migrate your IT Security Manager job role to the Simplified Reference Role Model before attempting to run
the Security Customization Report. We recommend that all Oracle HCM Cloud customers run this report as part of
their Release 12 upgrade preparations.

Upgrade of Simplified Reference Role Model Predefined Roles to Release 12


Enterprise roles (EJRs) are not used by Oracle HCM Cloud Release 12. When your environment is upgraded to
Release 12:

» EJRs that have not been customized are collapsed into their AJRs.
» EJRs that have been customized are migrated to the policy store as application roles with the same role code and
name. The AJRs are kept separate from the EJRs.
» The enterprise roles that implement HCM data roles are migrated to the policy store as application roles with the
same role code and name. The migrated HCM data roles continue to inherit the same roles as before.

User role assignments are also migrated. Following the upgrade, users who were assigned to customized,
predefined enterprise roles are assigned to application roles with the same role code and name as the old enterprise
roles. If an EJR has been collapsed into an AJR, then users who were previously assigned to the EJR will now be
assigned to the AJR, which will have an ORA_ prefix.

As mentioned earlier, if you are using the Simplified Reference Role Model, then your predefined Benefits Specialist
job role is represented as two separate roles:

» BEN_BENEFITS_SPECIALIST_JOB, which is the EJR
» ORA_BEN_BENEFITS_SPECIALIST_JOB, which is the AJR

When you look at the migrated Benefits Specialist job role in Release 12, you will see just one role. The EJR has
been collapsed into the AJR, resulting in a simpler role structure.

As you can see in Figure 2-7, since this role is a predefined role, it is colored pink and it inherits privileges,
aggregate privileges, and duty roles.

Figure 2-7. The Benefits Specialist Job Role After Upgrade to Release 12

The Benefits Specialist job role inherits roles from the hcm and obi application stripes.

In Release 12, all of the roles, aggregate privileges, and function security privileges that are directly inherited by the
Benefits Specialist AJR are shown in a single, consolidated view on the Security Console. Therefore, you will see
both hcm and obi roles. If hcm and obi roles and aggregate privileges have the same display names, then you will
see what may appear to be duplicates in the Visualizer. For example, in the Benefits Specialist role shown in Figure
2-7, you can see two Benefits Elections, Benefits Enrollment Maintenance, and Person Management roles and two
Manage Fast Formula aggregate privileges.

In Figure 2-8, the hcm roles and privileges have been highlighted in yellow and the obi roles and privileges have
been highlighted in green.

Figure 2-8. HCM and OBI Roles and Privileges

Roles and aggregate privileges that have the same names have different role codes. If you switch to the tabular
view, then you can see the role codes. A role-code suffix of _OBI indicates that this role is in the obi application
stripe.

Figure 2-9. Tabular View of the Release 12 Benefits Specialist Job Role Showing Role Codes

Upgrade of Simplified Reference Role Model Custom Roles to Release 12


If you customized a predefined EJR before upgrading to Release 12, then the EJR is treated as a custom role and is
not collapsed into the AJR. That is, the role structure prior to the Release 12 upgrade is preserved.

In the example shown in Figure 2-10, you can see that the Human Resource Manager EJR still exists and is colored
green. It inherits the Human Resource Manager AJR, which is pink.

It also inherits a Human Resource Analyst AJR (also pink). Before the upgrade to Release 12, the Human
Resource Analyst AJR had been hooked up to the Human Resource Manager EJR. This is the EJR customization.

Figure 2-10. Customizations to the Predefined Human Resource Manager EJR

Customizations to predefined EJRs are preserved when you upgrade to Release 12. Customizations to other
security artifacts that form part of the Simplified Reference Role Model, such as AJRs, duty roles, aggregate
privileges, function security privileges, resources, and data security policies are reset to factory settings during the
upgrade.

If you created a new custom job role in Release 11 and the custom EJR has the same role code as the custom AJR,
then the EJR and AJR will be collapsed during the upgrade and you will see only one role following the upgrade.

If the role codes of custom EJRs and AJRs are different, then no collapsing occurs, even if the role names are the
same. In this scenario, you will see two roles with the same name, and you will need to use the role codes to
distinguish between the roles.
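
The migration rules from this section and the preceding one, expressed as a small Python model of which role code each user ends up holding. This is an added example, not Oracle code: the record layout, user names, XX_ and JT2_ role codes and the sample inventory are constructed, and where the guide does not state what happens to user assignments (uncollapsed custom pairs, data roles) the model assumes they stay on the old role code.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EnterpriseRole:
    code: str                       # role code before the upgrade
    kind: str                       # "predefined", "custom" or "data"
    customized: bool = False        # predefined EJR that the customer changed
    ajr_code: Optional[str] = None  # paired application job role, if any
    users: set = field(default_factory=set)


def migrate(ejrs):
    """Apply the Release 12 migration rules to a list of EnterpriseRole records.

    Returns (roles, moves, review):
      roles  - role code after the upgrade -> "predefined" or "custom"
      moves  - sorted (user, old code, new code) for assignments whose code changes
      review - (EJR code, AJR code) pairs left uncollapsed; tell them apart by code
    """
    roles, moves, review = {}, [], []
    for r in ejrs:
        if r.kind == "predefined" and r.ajr_code is None:
            raise ValueError(f"{r.code}: predefined EJR needs its AJR code")
        target = r.code
        if r.kind == "predefined" and not r.customized:
            # Uncustomized predefined EJR: collapsed into its ORA_ AJR.
            target = r.ajr_code
            roles[target] = "predefined"
        elif r.kind == "predefined":
            # Customized predefined EJR: migrated under its own code and treated
            # as a custom role; the AJR stays a separate predefined role.
            roles[r.code] = "custom"
            roles[r.ajr_code] = "predefined"
            review.append((r.code, r.ajr_code))
        elif r.kind == "custom" and r.ajr_code not in (None, r.code):
            # Custom EJR and AJR with different codes: no collapsing, even if
            # the display names match.
            roles[r.code] = "custom"
            roles[r.ajr_code] = "custom"
            review.append((r.code, r.ajr_code))
        else:
            # Custom pair sharing one role code (collapsed into a single role)
            # or an HCM data role (migrated with the same code and name).
            roles[r.code] = "custom"
        moves.extend((u, r.code, target) for u in r.users if target != r.code)
    return roles, sorted(moves), review


# Constructed inventory. The Benefits Specialist codes are the guide's; the
# Human Resource Manager EJR code is assumed; XX_ and JT2_ codes are made up.
SAMPLE_ROLES = [
    EnterpriseRole("BEN_BENEFITS_SPECIALIST_JOB", "predefined",
                   ajr_code="ORA_BEN_BENEFITS_SPECIALIST_JOB", users={"alice"}),
    EnterpriseRole("PER_HUMAN_RESOURCE_MANAGER_JOB", "predefined", customized=True,
                   ajr_code="ORA_PER_HUMAN_RESOURCE_MANAGER_JOB", users={"bob"}),
    EnterpriseRole("XX_PAYROLL_AUDITOR_JOB", "custom",
                   ajr_code="XX_PAYROLL_AUDITOR_JOB", users={"carol"}),
    EnterpriseRole("XX_HR_HELPDESK_JOB", "custom",
                   ajr_code="XX_HR_HELPDESK_AJR", users={"dave"}),
    EnterpriseRole("JT2_JT_HR_SPEC_VIEW_ALL", "data", users={"erin"}),
]

if __name__ == "__main__":
    roles, moves, review = migrate(SAMPLE_ROLES)
    for code, origin in sorted(roles.items()):
        print(f"{origin:10} {code}")
    for user, old, new in moves:
        print(f"assignment moves: {user}: {old} -> {new}")
    for ejr, ajr in review:
        print(f"not collapsed, distinguish by role code: {ejr} / {ajr}")
```

The moves list is the set of assignments whose role code changes to the ORA_ form, which is what to check against anything that refers to roles by code.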

Upgrade of HCM Data Roles to Release 12


HCM data roles are treated as custom roles. Below is an example of a data role called JT2 JT HR Spec View All,
which was based on a custom job role called JT2 Human Resource Specialist. This data role was created in
Release 11 using the HCM Data Roles UI.

The HCM Data Roles UI generated three new application roles in Release 11:

Role Name Application Stripe

JT2 JT HR Spec View All (HCM) hcm

JT2 JT HR Spec View All (FSCM) fscm

JT2 JT HR Spec View All (CRM) crm

The data security policies for the data role that were generated by the HCM Data Roles UI were created against the
three application roles listed above.

Following the upgrade to Release 12, the structure of the custom data role is preserved and the hcm, fscm, and
crm application roles that were generated by the HCM Data Roles UI are shown in a single, consolidated view on
the Security Console. The data security policies are still against the three application roles that were generated by
the HCM Data Roles UI.

Figure 2-11. Upgrade of HCM Data Roles to Release 12

If you regenerate the JT2 JT HR Spec View All data role after upgrading to Release 12, then the three child
application roles are preserved. However, the data security policies for the data role are deleted from these
application roles and are generated instead against the JT2 JT HR Spec View All data role.

When new HCM data roles are created using the HCM Data Roles UI in Release 12, the data security policies are
generated against the data role itself, and child application roles are no longer created.

Upgrade of BI Roles to Release 12


Oracle HCM Cloud delivers pairs of Transaction Analysis Duty roles for use with OTBI. For example:

Role Code Role Name Application Stripe

FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY Compensation Transaction Analysis Duty obi

ORA_FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY_HCM Compensation Transaction Analysis hcm

In Release 11, the Compensation Analyst EJR (CMP_COMPENSATION_ANALYST_JOB) inherits two enterprise
roles, Transactional Business Intelligence Worker and Business Intelligence Applications Worker.

These roles are visible when you view the hcm application stripe on the Security Console, together with a
Compensation Analyst AJR (ORA_CMP_COMPENSATION_ANALYST_JOB).

Figure 2-12. The Compensation Analyst EJR on the Release 11 Security Console

The Compensation Analyst AJR (ORA_CMP_COMPENSATION_ANALYST_JOB) inherits the hcm duty role
Compensation Transaction Analysis (FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY_HCM).

Figure 2-13. The Compensation Analyst AJR on the Release 11 Security Console in the HCM Stripe

In the obi application stripe, the Compensation Analyst EJR (CMP_COMPENSATION_ANALYST_JOB) inherits the
obi duty role Compensation Transaction Analysis Duty
(FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY). It also inherits a BI Author application role.

Because Transactional Business Intelligence Worker and Business Intelligence Applications Worker are enterprise
roles, they show up as children of the Compensation Analyst EJR in both the hcm and the obi views on the Security
Console. However, the application roles that these BI enterprise roles inherit are both obi application roles, and they
are visible only when you view the obi stripe on the Security Console.

Figure 2-14. The Compensation Analyst AJR on the Release 11 Security Console in the OBI Stripe

Figure 2-15. The Compensation Analyst AJR Expanded on the Release 11 Security Console in the OBI Stripe

During the upgrade to Release 12, the Compensation Analyst EJR is collapsed into the AJR and the obi and hcm
roles are all inherited directly by the single Compensation Analyst role. All roles are now visible in one view, and the
role structure is much simpler.

Figure 2-16. The Compensation Analyst Job Role After the Upgrade to Release 12

Transactional Business Intelligence Worker and Business Intelligence Applications Worker are colored green
because they are no longer delivered in Release 12. They are treated as custom roles immediately following the
upgrade to Release 12. After the first Release 12 Quarterly Update Bundle is applied, these roles should be deleted
and the Transaction Analysis Duty and Business Intelligence Applications Analysis Duty roles should be inherited
directly by the Compensation Analyst job role.

Figure 2-17. The Release 12 Compensation Analyst Job Role After the Upgrade Showing Inheritance of BI Roles

Upgrade of Release 9 Roles to Release 12


If you did not migrate your job roles to the Simplified Reference Role Model, then the two separate job-role
hierarchies are retained when you upgrade to Release 12. If you look at an upgraded role on the Security Console in
Release 12, then you will see something like the example shown in Figure 2-18. This example shows the
PER_HUMAN_RESOURCE_SPECIALIST_JOB role that was delivered in Release 9. It inherits the duty roles that it
inherited prior to the upgrade to Release 12. The roles are colored green to signify that they are custom roles. They
are not subject to factory reset, and any customizations that you may have made to these roles before upgrading to
Release 12 will be preserved. Customizations to predefined privileges and resources, however, will be reset by the
upgrade.

Figure 2-18. The Release 9 Human Resource Specialist Job Role After the Upgrade to Release 12

The ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB role shown in Figure 2-19 is the AJR that was delivered
in Release 10. It is colored pink to signify that it is a predefined role. It inherits privileges and aggregate privileges. It
does not inherit any (green) custom roles. It is not inherited by the PER_HUMAN_RESOURCE_SPECIALIST_JOB
EJR.

Figure 2-19. The Release 10 Human Resource Specialist AJR After the Upgrade to Release 12

The section Upgrade of BI Roles to Release 12 of this guide explains that Oracle HCM Cloud delivers pairs of
Transaction Analysis duty roles for use with OTBI. In Release 9, these roles had the same role names but different
role codes. For example:

Role Code Role Name Application Stripe

FBI_GOAL_MANAGEMENT_TRANSACTION_ANALYSIS_DUTY Goal Management Transaction Analysis Duty obi

FBI_GOAL_MANAGEMENT_TRANSACTION_ANALYSIS_DUTY_HCM Goal Management Transaction Analysis Duty hcm

The transaction analysis duty roles that were delivered in the obi application stripe in Release 9 are still delivered as
reference roles in Release 12. The transaction analysis duty roles that were delivered in the hcm application stripe
in Release 9 are no longer delivered as reference roles in Release 12. They were replaced by new ORA_ roles
when the Simplified Reference Role Model was introduced in Release 10. Consequently, when a predefined
Release 9 role that inherits transaction analysis duty roles is upgraded to Release 12, the obi roles are colored pink
and the hcm roles are colored green.

For example, the predefined Release 9 Human Resource Analyst job role inherits several of these OTBI duty roles:

Figure 2-20. OTBI Duty Roles Inherited by the Release 9 Human Resource Analyst Job Role

Special Cases
Predefined Release 9 EJR Inherits New AJR After Upgrade to Release 12

This case affects only those customers who were initially provisioned with Oracle HCM Cloud Release 9 or earlier
and have not migrated their predefined Release 9 roles to the Simplified Reference Role Model.

Predefined Release 9 job roles that have not been migrated to the Simplified Reference Role Model should not
inherit any AJRs. AJRs were first delivered in Release 10, and those that were delivered in Release 10 were
delivered orphaned when customers upgraded from Release 9 to Release 10. They were not automatically hooked
up to any EJRs. However, during the upgrades to Release 11 and Release 12, some Release 9 EJRs inherit new
AJRs in non-hcm application stripes. The AJRs in these application stripes were new in Release 11 or Release 12
and were automatically hooked up to the EJRs during the Release 11 and Release 12 upgrades. One HCM job role
that is affected by this upgrade behavior is the Human Resource Analyst job role. Following the upgrade to Release
12, the Human Resource Analyst EJR could be displayed as shown in Figure 2-21.

Figure 2-21. The Release 9 Human Resource Analyst Job Role After Upgrade to Release 12

The PER_HUMAN_RESOURCE_ANALYST EJR inherits the child roles that it inherited before the upgrade to
Release 12. One of these roles is an ORA_PER_HUMAN_RESOURCE_ANALYST AJR that was introduced during
the upgrade to Release 11. It is very likely that you did not notice this after your upgrade to Release 11, as it was
visible only if you looked under the fscm application stripe in Authorization Policy Manager or set the Security
Console to point to the fscm application stripe.

In Release 12, the Security Console shows all application stripes in a single view. Therefore, this newly introduced
AJR is now more visible.

If you expand the AJR, you see that it inherits one aggregate privilege:

Figure 2-22. Expanding the Newly Introduced Human Resource Analyst AJR

If you look at the details of the Human Resource Analyst AJR by right-clicking and selecting Edit, then you see that
the role code is ORA_PER_HUMAN_RESOURCE_ANALYST_JOB. If you switch to the tabular view of the role
hierarchy and enter ORA_PER_HUMAN_RESOURCE_ANALYST at the top of the Inherited by Role Code
column, then you can see that the Access Person Gallery aggregate privilege that is granted to this AJR has a role
code of ORA_PER_WORKER_GALLERY_SEARCH_DUTY_FSCM. The _FSCM suffix indicates that this
aggregate privilege is in the fscm application stripe.

Figure 2-23. Tabular View of the Roles Inherited by the Human Resource Analyst Job Role in the FSCM Stripe

If you search for the ORA_PER_WORKER_GALLERY_SEARCH_DUTY_FSCM aggregate privilege and select
Show: Privileges in the tabular view, then you can see that this aggregate privilege has no function security
privilege grants. The addition of this AJR with its ORA_PER_WORKER_GALLERY_SEARCH_DUTY_FSCM
aggregate privilege does not affect the functionality of the predefined Release 9 Human Resource Analyst job role.

Figure 2-24. Tabular View of the Access Person Gallery Aggregate Privilege

Oracle HCM Cloud Release 9 EJRs that may have gained AJRs during the Release 11 upgrade are:

EJR Role Code Application Stripe

PER_HUMAN_RESOURCE_ANALYST_JOB fscm

ASE_IT_AUDITOR_JOB fscm

Oracle HCM Cloud Release 9 EJRs that may have gained AJRs during the Release 12 upgrade are:

EJR Role Code Application Stripe

ASM_APPLICATION_IMPLEMENTATION_CONSULTANT_JOB appsdiag, OracleBPMComposerRolesApp, b2bui

BEN_BENEFITS_MANAGER_JOB crm

BEN_BENEFITS_SPECIALIST_JOB crm

PER_CONTINGENT_WORKER_ABSTRACT soa-infra, IDCCS

PER_EMPLOYEE_ABSTRACT soa-infra, IDCCS

PER_HUMAN_RESOURCE_ANALYST_JOB crm

PER_RECRUITING_ADMINISTRATOR_JOB fscm

Set Focus on an AJR That Has Been Added to a Predefined Release 9 EJR

Figure 2-25 shows an example of a predefined Employee EJR that has been upgraded to Release 12. An AJR has
been added (colored pink). It inherits Attachments User and BPM Worklist Internal Role application roles from the
IDCCS and soa-infra application stripes.

Figure 2-25. Predefined Employee EJR After Upgrade to Release 12

If you select Set as Focus on this Employee AJR, then the Security Console shows the AJR and its inherited roles
from all application stripes. The Security Console always shows a consolidated view of an AJR across all application
stripes when you set focus on, search for, or edit an AJR.

Figure 2-26. Focus on the Employee AJR

New, Updated, and Deleted Roles and Privileges
This section identifies new, updated, and deleted roles and privileges in Oracle HCM Cloud Release 12. These
changes are applied during the upgrade to Release 12.

Deleted Aggregate Privileges


These aggregate privileges are deleted during the upgrade to Release 12. No action is required.

TABLE 2-1. AGGREGATE PRIVILEGES DELETED DURING THE UPGRADE TO RELEASE 12

Aggregate Privilege Name Aggregate Privilege Code

Process Absence Certifications ORA_ANC_ABSENCE_CERTIFICATION_PROCESSING_DUTY

View Portrait Career Planning Card ORA_HRT_PORTRAIT_CAREER_PLANNING_DUTY

View Portrait Development and Growth Card ORA_HRT_PORTRAIT_DEV_GROWTH_DUTY

View Portrait Experience and Qualifications Card ORA_HRT_PORTRAIT_EXP_QUALIFICATIONS_DUTY

Manage Learning Content ORA_WLF_MANAGE_LEARNING_CONTENT

Manage Learning Prescriptions ORA_WLF_MANAGE_LEARNING_PRESCRIPTIONS

View Learning Content ORA_WLF_VIEW_LEARNING_CONTENT

View Learning Content Required Viewing ORA_WLF_VIEW_LEARNING_CONTENT_REQUIRED_VIEWING

View Learning Content Viewing History ORA_WLF_VIEW_LEARNING_CONTENT_VIEWING_HISTORY

View Learning Prescriptions ORA_WLF_VIEW_LEARNING_PRESCRIPTIONS

View Shared Learning Content ORA_WLF_VIEW_SHARED_LEARNING_CONTENT

Renamed Roles
These roles are renamed during the upgrade to Release 12. No action is required.

TABLE 2-2. ROLES RENAMED DURING THE UPGRADE TO RELEASE 12

Old Role Name                                       New Role Name                                   Role Code

Manage Workforce Compensation by Line Manager       Line Manager Workforce Compensation Management  ORA_CMP_LINE_MANAGER_WORKFORCE_COMPENSATION_MANAGEMENT_DUTY

Manage Workforce Compensation When Acting as Proxy  Workforce Compensation Act as Proxy             ORA_CMP_MANAGE_WORKFORCE_COMPENSATINO_WHEN_ACTING_AS_PROXY

Worker Prediction Reporting                         View Workforce Predictions as Line Manager      ORA_HWP_WORKER_PREDICTION_REPORTING_DUTY

Payroll Coordinator                                 Payroll Interface Coordinator                   ORA_HRY_PAYROLL_COORDINATOR_JOB

View Published Learning Content                     View Published Learning                         ORA_WLF_VIEW_PUBLISHED_LEARNING_CONTENT

Manage HCM Extract Definition                       HCM Extract Definition                          ORA_PER_HCM_EXTRACT_DEFINITION_DUTY

Roles with Changed Role Categories


The role categories of these roles are changed during the upgrade to Release 12. You can make custom versions of
roles whose category is now HCM_DUTY, if required.

TABLE 2-3. ROLE CATEGORIES CHANGED DURING THE UPGRADE TO RELEASE 12

Role Code Old Role Category New Role Category

ORA_CMP_LINE_MANAGER_WORKFORCE_COMPENSATION_MANAGEMENT_DUTY AGGREGATE HCM_DUTY

ORA_CMP_MANAGE_WORKFORCE_COMPENSATINO_WHEN_ACTING_AS_PROXY AGGREGATE HCM_DUTY

ORA_HRX_W4_UPDATE_DUTY AGGREGATE HCM_DUTY

ORA_HWP_WORKER_PREDICTION_REPORTING_DUTY HCM_DUTY AGGREGATE

ORA_HXT_TIME_CARD_ENTRY_WORKER_DUTY AGGREGATE HCM_DUTY

ORA_PER_HCM_EXTRACT_DEFINITION_DUTY AGGREGATE HCM_DUTY

ORA_PER_MANAGE_USER_AND_ROLES_DUTY AGGREGATE HCM_DUTY

ORA_PER_USER_NAME_CREATION_AND_LINKING_DUTY AGGREGATE HCM_DUTY

ORA_PER_USER_ROLE_MANAGEMENT_DUTY AGGREGATE HCM_DUTY

New Roles
These roles are new in Release 12.

TABLE 2-4. NEW ROLES IN RELEASE 12

Role Name Role Code Role Category

Workforce Profile Content Type Data Security Policies ORA_HRT_WORKFORCE_PROFILE_CONTENT_TYPE_DSPS HCM_DUTY

Canadian Employee ORA_HRX_CA_EMPLOYEE_DUTY HCM_DUTY

Workforce Confidential Viewing ORA_PER_WORKFORCE_CONFIDENTIAL_VIEWING_DUTY HCM_DUTY

New Aggregate Privileges


These aggregate privileges are new in Release 12.

TABLE 2-5. NEW AGGREGATE PRIVILEGES IN RELEASE 12

Role Name Role Code

View Performance Summary ORA_HRA_VIEW_PERFORMANCE_SUMMARY

Edit Person Career Planning ORA_HRT_EDIT_PERSON_CAREER_PLANNING

Edit Person Skills and Qualifications ORA_HRT_EDIT_PERSON_SKILLS_AND_QUALIFICATIONS

View Person Career Planning ORA_HRT_VIEW_PERSON_CAREER_PLANNING

View Person Skills and Qualifications ORA_HRT_VIEW_PERSON_SKILLS_AND_QUALIFICATIONS

Manage Mexican SDI Factor Tables ORA_HRX_MX_MANAGE_SDI_FACTOR_TABLES

Manage Worker Time Processing Profile ORA_HXT_MANAGE_WORKER_CORE_PROCESSING_SETUP_PROFILE

Manage Worker Time Entry Setup Profile ORA_HXT_MANAGE_WORKER_TIME_ENTRY_SETUP_PROFILE

Manage Person Disability by Worker ORA_PER_MANAGE_PERSON_DISABILITY_BY_WORKER

Manage Joined Learning by Learner ORA_WLF_MANAGE_JOINED_LEARNING_BY_LEARNER

Manage Joined Learning by Manager ORA_WLF_MANAGE_JOINED_LEARNING_BY_MANAGER

Manage Learning Assignment ORA_WLF_MANAGE_LEARNING_ASSIGNMENT

Manage Learning Community Assignment ORA_WLF_MANAGE_LEARNING_COMMUNITY_ASSIGNMENT

Manage Learning Video ORA_WLF_MANAGE_LEARNING_VIDEO

Manage Required Learning by Manager ORA_WLF_MANAGE_REQUIRED_LEARNING_BY_MANAGER

Manage Learning Tutorial ORA_WLF_MANAGE_TUTORIAL

Moderate User Generated Content ORA_WLF_MODERATE_USER_GENERATED_CONTENT

View Learning Assignment ORA_WLF_VIEW_LEARNING_ASSIGNMENT

View Recommended Learning ORA_WLF_VIEW_RECOMMENDED_LEARNING

View Required Learning ORA_WLF_VIEW_REQUIRED_LEARNING

View User Learning History ORA_WLF_VIEW_USER_LEARNING_HISTORY

View What to Learn ORA_WLF_VIEW_WHAT_TO_LEARN

Role-Hierarchy Changes
The child roles in Table 2-6, some of which are new in Release 12, are added to the specified parent role in Release
12. If you have made custom versions of the parent roles, then you may want to apply these changes to your
custom roles.

TABLE 2-6. ROLE HIERARCHY ADDITIONS IN RELEASE 12

Parent Role Code Child Role Code

ORA_HRA_PERFORMANCE_MGT_HR_SPECIALIST_DUTY ORA_HRA_VIEW_PERFORMANCE_SUMMARY

ORA_HRA_PERFORMANCE_MGT_LINE_MANAGER_DUTY ORA_HRA_VIEW_PERFORMANCE_SUMMARY

ORA_HRA_PERFORMANCE_MGT_WORKER_DUTY ORA_HRA_VIEW_PERFORMANCE_SUMMARY

ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB ORA_HXT_MANAGE_WORKER_CORE_PROCESSING_SETUP_PROFILE

ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB ORA_HXT_MANAGE_WORKER_TIME_ENTRY_SETUP_PROFILE

ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB ORA_HXT_MANAGE_WORKER_CORE_PROCESSING_SETUP_PROFILE

ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB ORA_HXT_MANAGE_WORKER_TIME_ENTRY_SETUP_PROFILE

ORA_HXT_TIME_AND_LABOR_MANAGER_JOB ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB

ORA_PAY_COMMON_HCM_IMPLEMENTION_DUTY ORA_PAY_ELEMENT_ENTRY_MANAGEMENT_DUTY

ORA_PAY_OUTBOUND_INTERFACE_DUTY ORA_PAY_ADMINISTRATION_WA_MANAGEMENT_DUTY

ORA_PAY_PAYROLL_CALC_VALIDATION_BALANCE_ADMINISTRATION_DUTY ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY

ORA_PAY_PAYROLL_IMPLEMENTATION_DUTY ORA_PAY_ELEMENT_ENTRY_MANAGEMENT_DUTY

ORA_PAY_PAYROLL_IMPLEMENTATION_VIEW_DUTY ORA_PAY_FAST_FORMULA_MANAGEMENT_DUTY

ORA_PAY_PAYROLL_MANAGER_JOB ORA_PAY_PAYROLL_ADMINISTRATOR_JOB

ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_EDIT_PERSON_CAREER_PLANNING

ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_EDIT_PERSON_SKILLS_AND_QUALIFICATIONS

ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_VIEW_PERSON_CAREER_PLANNING

ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_VIEW_PERSON_SKILLS_AND_QUALIFICATIONS

ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_PER_MANAGE_PERSON_DISABILITY_BY_WORKER

ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_EDIT_PERSON_CAREER_PLANNING

ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_EDIT_PERSON_SKILLS_AND_QUALIFICATIONS

ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_VIEW_PERSON_CAREER_PLANNING

ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_VIEW_PERSON_SKILLS_AND_QUALIFICATIONS

ORA_PER_EMPLOYEE_ABSTRACT ORA_HRX_CA_EMPLOYEE_DUTY

ORA_PER_EMPLOYEE_ABSTRACT ORA_PER_MANAGE_PERSON_DISABILITY_BY_WORKER

ORA_PER_HUMAN_RESOURCE_ANALYST_JOB ORA_PER_WORKFORCE_CONFIDENTIAL_VIEWING_DUTY

ORA_PER_HUMAN_RESOURCE_MANAGER_JOB ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_EDIT_PERSON_CAREER_PLANNING

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_EDIT_PERSON_SKILLS_AND_QUALIFICATIONS

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_VIEW_PERSON_CAREER_PLANNING

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_VIEW_PERSON_SKILLS_AND_QUALIFICATIONS

ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_EDIT_PERSON_CAREER_PLANNING

ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_EDIT_PERSON_SKILLS_AND_QUALIFICATIONS

ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_VIEW_PERSON_CAREER_PLANNING

ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_VIEW_PERSON_SKILLS_AND_QUALIFICATIONS

The child roles in Table 2-7 are removed from their parent roles during the upgrade to Release 12. If you have made
custom versions of the parent roles, then you may want to apply these changes to your custom roles.

TABLE 2-7. ROLE-HIERARCHY DELETIONS IN RELEASE 12

Parent Role Code Child Role Code

ORA_HMO_WORKFORCE_MODEL_PLAN_EDIT_DUTY ORA_HWP_WORKER_PREDICTION_REPORTING_DUTY

ORA_HMO_WORKFORCE_MODEL_PLAN_MANAGEMENT_DUTY ORA_HWP_WORKER_PREDICTION_REPORTING_DUTY

ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_PORTRAIT_CAREER_PLANNING_DUTY

ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_PORTRAIT_DEV_GROWTH_DUTY

ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_PORTRAIT_EXP_QUALIFICATIONS_DUTY

ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_PORTRAIT_CAREER_PLANNING_DUTY

ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_PORTRAIT_DEV_GROWTH_DUTY

ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_PORTRAIT_EXP_QUALIFICATIONS_DUTY

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_ANC_ABSENCE_CERTIFICATION_PROCESSING_DUTY

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_PORTRAIT_CAREER_PLANNING_DUTY

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_PORTRAIT_DEV_GROWTH_DUTY

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_PORTRAIT_EXP_QUALIFICATIONS_DUTY

ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_PORTRAIT_CAREER_PLANNING_DUTY

ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_PORTRAIT_DEV_GROWTH_DUTY

ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_PORTRAIT_EXP_QUALIFICATIONS_DUTY

Function Security Privileges Granted to Roles


These function security privileges, some of which are new in Release 12, are granted to the specified roles during
the upgrade to Release 12. If you have made custom versions of the relevant roles, then you may want to apply
these changes to your custom roles.

TABLE 2-8. FUNCTION SECURITY PRIVILEGES ADDED TO EXISTING ROLES IN RELEASE 12

Role Code Privilege Code

ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_CREATE_USER_ACCOUNT_PRIV

ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_DELETE_USER_ACCOUNT_PRIV

ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_EDIT_USER_ACCOUNT_PRIV

ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_ENABLE_DATABASE_RESOURCE_MGMT_PRIV

ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_PASSWORD_EXPIRY_ESS_JOB_PRIV

ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_VIEW_USER_ACCOUNT_PRIV

ORA_ASE_SECURITY_REPORTING_DUTY ASE_AUDIT_REPORT_ACCESS_DETAILS_REPORT_PRIV

ORA_ASE_SECURITY_REPORTING_DUTY ASE_ROLE_DEF_UPDATES_AUDIT_REPORT_PRIV

ORA_ASE_SECURITY_REPORTING_DUTY ASE_ROLE_USER_MEMBERSHIP_AUDIT_REPORT_PRIV

ORA_ASE_SECURITY_REPORTING_DUTY ASE_USER_ACCOUNT_DEF_CHANGES_AUDIT_REPORT_PRIV

ORA_ASE_SECURITY_REPORTING_DUTY ASE_USER_PASSWORD_CHANGES_AUDIT_REPORT_PRIV

ORA_ASE_SECURITY_REPORTING_DUTY ASE_USER_ROLE_MEMBERSHIP_AUDIT_REPORT_PRIV

ORA_ASE_SECURITY_REPORTING_DUTY ASE_VIEW_USER_ACCOUNT_PRIV

ORA_BEN_BENEFITS_ADMINISTRATOR_JOB EHW_MANAGE_WELLNESS_PROGRAM_PRIV

ORA_BEN_BENEFITS_ADMINISTRATOR_JOB EHW_MANAGE_WELLNESS_TRACKING_SERVICE_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_MANAGE_BENEFIT_COVERAGE_CHARGES_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_MANAGE_BENEFIT_MAINTENANCE_BATCH_REPORTING_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_MANAGE_BENEFITS_EXTRACT_PROCESS_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_MANAGE_REOPEN_LIFE_EVENTS_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RECORD_BENEFIT_COVERAGE_PAYMENTS_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RESTART_ACTION_ITEM_CLOSURE_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RESTART_DEFAULT_BENEFITS_ENROLLMENT_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RESTART_ENROLLMENT_CLOSURE_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_ASSIGN_LIFE_PROCESS_PRIV_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_BACKOUT_LIFE_EVENTS_PROCESS_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_BENEFIT_BILLING_PROCESSES_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_CLOSE_ENROLLMENTS_PROCESS_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_DEFAULT_ENROLLMENT_PROCESS_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_LIFE_EVENT_PARTICIPATION_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_ABSENCE_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_LIFE_EVENT_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_SCHEDULED_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_SELECTION_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_TEMPORAL_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_UNRESTRICTED_PRIV

ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_UNRESTRICTED_RECALCULATE_PRIV

ORA_CMP_COMPENSATION_ADMINISTRATOR_JOB FND_APP_MANAGE_APPLICATION_MESSAGE_PRIV

ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB ANC_MANAGE_LEAVE_AGREEMENTS_PRIV

ORA_HRX_CA_EMPLOYEE_DUTY HRX_UPDATE_CA_TD1_PRIV

ORA_HRY_PAYROLL_COORDINATOR_JOB PAY_CALC_RATE_PRIV

ORA_PAY_PAYROLL_MANAGER_JOB ANC_SCHEDULE_ACCRUAL_PROCESS_PRIV

ORA_PAY_PAYROLL_MANAGER_JOB PAY_CALC_RATE_PRIV

ORA_PER_CONTINGENT_WORKER_ABSTRACT HWR_WRSA_USER_PRIV

ORA_PER_EMPLOYEE_ABSTRACT EHW_MANAGE_MY_WELLNESS_PRIV

ORA_PER_EMPLOYEE_ABSTRACT FND_RECORD_AND_VIEW_ISSUE_PRIV

ORA_PER_EMPLOYEE_ABSTRACT HWR_WRSA_USER_PRIV

ORA_PER_HUMAN_RESOURCE_ANALYST_JOB PER_VIEW_ASSIGNMENT_RESPONSIBILITY_PRIV

ORA_PER_HUMAN_RESOURCE_ANALYST_JOB PER_VIEW_RESPONSIBILITY_ASSIGNMENT_PRIV

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ANC_MANAGE_LEAVE_AGREEMENTS_PRIV

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB HRT_RUN_TALENT_PROFILE_SUMMARY_REPORT_PRIV

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_CORRECT_INVALID_SUPERVISOR_RELATIONSHIPS_PRIV

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_MAINTAIN_ASSIGNMENT_RESPONSIBILITY_PRIV

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_MANAGE_ASSIGNMENT_RESPONSIBILITY_PRIV

ORA_PER_LINE_MANAGER_ABSTRACT CMP_APPROVE_INDIVIDUAL_COMPENSATION_AWARD_PRIV

ORA_PER_LINE_MANAGER_ABSTRACT CMP_APPROVE_SALARY_UPDATES_PRIV

ORA_PER_LINE_MANAGER_ABSTRACT HRT_RUN_TALENT_PROFILE_SUMMARY_REPORT_PRIV

ORA_PER_MANAGE_PERSON_DISABILITY_BY_WORKER PER_MANAGE_PERSON_DISABILITY_BY_WORKER_PRIV

ORA_PER_PENDING_WORKER_HIRE_DUTY PER_CORRECT_ERRORED_PENDING_WORKER_PRIV

New Function Security Privileges


These function security privileges are new in Release 12.

TABLE 2-9. NEW FUNCTION SECURITY PRIVILEGES IN RELEASE 12

Privilege Name Privilege Code

Manage Leave Agreements ANC_MANAGE_LEAVE_AGREEMENTS_PRIV

Administer SSO ASE_ADMINISTER_SSO_PRIV

Run Audit Report Access Details Report ASE_AUDIT_REPORT_ACCESS_DETAILS_REPORT_PRIV

Create User Account ASE_CREATE_USER_ACCOUNT_PRIV

Delete User Account ASE_DELETE_USER_ACCOUNT_PRIV

Edit User Account ASE_EDIT_USER_ACCOUNT_PRIV

Enable Database Resource Management ASE_ENABLE_DATABASE_RESOURCE_MGMT_PRIV

Manage Active Directory Integration ASE_MANAGE_ACTIVE_DIRECTORY_INTEGRATION_PRIV

Run Password Expiry Job ASE_PASSWORD_EXPIRY_ESS_JOB_PRIV

Use REST Service – Application Security Bridge for Active Directory Heartbeat ASE_REST_SERVICE_ACCESS_ACTIVE_DIRECTORY_HEARTBEAT_PRIV

Use REST Service – Identity Integration ASE_REST_SERVICE_ACCESS_IDENTITY_INTEGRATION_PRIV

Run Role Definition Updates Audit Report ASE_ROLE_DEF_UPDATES_AUDIT_REPORT_PRIV

Run Role User Membership Audit Report ASE_ROLE_USER_MEMBERSHIP_AUDIT_REPORT_PRIV

Run User Account Definition Updates Audit Report ASE_USER_ACCOUNT_DEF_CHANGES_AUDIT_REPORT_PRIV

Run User Password Changes Audit Report ASE_USER_PASSWORD_CHANGES_AUDIT_REPORT_PRIV

Run User Role Membership Audit Report ASE_USER_ROLE_MEMBERSHIP_AUDIT_REPORT_PRIV

View User Account ASE_VIEW_USER_ACCOUNT_PRIV

Manage Benefit Coverage Charges BEN_MANAGE_BENEFIT_COVERAGE_CHARGES_PRIV

Record Benefit Coverage Payments BEN_RECORD_BENEFIT_COVERAGE_PAYMENTS_PRIV

Run Benefit Billing Processes BEN_RUN_BENEFIT_BILLING_PROCESSES_PRIV

Approve Individual Compensation Award CMP_APPROVE_INDIVIDUAL_COMPENSATION_AWARD_PRIV

Approve Salary Updates CMP_APPROVE_SALARY_UPDATES_PRIV

Use REST Service – Wellness Connector Push EHW_REST_SERVICE_ACCESS_WELLNESS_CONNECTOR_PUSH_PRIV

Record and View Issue FND_RECORD_AND_VIEW_ISSUE_PRIV

View Version Information FND_VIEW_VERSION_INFORMATION_PRIV

Use REST Service – HCM Semantic Search HRC_REST_SERVICE_ACCESS_SEMSEARCH_PRIV

Run Talent Profile Summary Report HRT_RUN_TALENT_PROFILE_SUMMARY_REPORT_PRIV

Manage Canadian Personal Tax Credits HRX_UPDATE_CA_TD1_PRIV

Manage Volunteering Configuration HWR_MANAGE_VOLUNTEERING_CONFIG_PRIV

Manage Volunteering HWR_MANAGE_VOLUNTEERING_PRIV

Workforce Reputation Subscription User HWR_WRSA_USER_PRIV

Calculate HCM Rates PAY_CALC_RATE_PRIV

Correct Oracle Taleo Recruiting Candidate Import Errors PER_CORRECT_ERRORED_PENDING_WORKER_PRIV

Run Reassign Pending Approvals for Terminations and Correct Invalid Supervisor Assignments Process PER_CORRECT_INVALID_SUPERVISOR_RELATIONSHIPS_PRIV

User REST Service - Employees PER_REST_SERVICE_ACCESS_EMPS_PRIV

Run Employment Integrity Checks PER_RUN_EMP_INTEGRITY_CHECKS_PRIV

Access Learn WLF_ACCESS_LEARN_PRIV

Access Learning Administration WLF_ACCESS_LEARNING_ADMINISTRATION_PRIV

Manage eLearning Content WLF_MANAGE_ELEARNING_CONTENT_PRIV

View My Team Learning Assignment WLF_VIEW_MYTEAM_LEARNING_ASSIGNMENT_PRIV

Deleted Function Security Privileges


These function security privileges are deleted during the upgrade to Release 12. No action is required.

TABLE 2-10. FUNCTION SECURITY PRIVILEGES DELETED DURING THE UPGRADE TO RELEASE 12

Privilege Name Privilege Code

Use REST Service – Employees List PER_REST_SERVICE_ACCESS_EMPLOYEES_PRIV

Use REST Service – Employee Details PER_REST_SERVICE_ACCESS_EMPLOYEES_ID_PRIV

Use REST Service – Employee Assignments PER_REST_SERVICE_ACCESS_EMPLOYEES_ID_ASSIGNMENTS_PRIV

Renamed Function Security Privileges


These function security privileges are renamed during the upgrade to Release 12. No action is required.

TABLE 2-11. FUNCTION SECURITY PRIVILEGES RENAMED DURING THE UPGRADE TO RELEASE 12

Old Privilege Name | New Privilege Name | Privilege Code
Run UK Pensions Automatic Enrolment Assessment Process | Run UK Pensions Automatic Enrollment Assessment Process | HRX_RUN_UK_PENSIONS_AUTOMATIC_ENROLMENT_ASSESSMENT_PROCESS_PRIV
View Worker Prediction | View Workforce Predictions as Line Manager | HWP_VIEW_WORKER_PREDICTION_PRIV
View Payroll Prepayment Results | View Payroll Payment Results | PAY_VIEW_PAYROLL_PAYMENT_RESULT_PRIV

Function Security Privileges Removed from Roles


These function security privileges are removed from the roles shown in this table during the upgrade to Release 12.
If you have made custom versions of the relevant roles, then you may want to apply these changes to your custom
roles.

TABLE 2-12. FUNCTION SECURITY PRIVILEGES REMOVED FROM JOB, ABSTRACT, AND DUTY ROLES

Role Code Code of Removed Privilege

ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB HWM_ANALYZE_TIME_RULE_PROCESSING_DETAILS_PRIV

ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB HXT_MANAGE_WORKER_TIME_ENTRY_PROFILES_PRIV

ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB HXT_MANAGE_WORKER_TIME_PROCESSING_PROFILES_PRIV

ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB PER_COPY_PERSONAL_DATA_TO_LDAP_PRIV

ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB PER_SEND_USER_NAME_REQUEST_PRIV

ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_INTEGRATION_SPECIALIST_JOB PER_REST_SERVICE_ACCESS_EMPLOYEES_PRIV

ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_INTEGRATION_SPECIALIST_JOB PER_REST_SERVICE_ACCESS_TALENT_PROFILES_PRIV

ORA_HRG_GOAL_MGT_HR_SPECIALIST_DUTY HRG_MANAGE_DEVELOPMENT_GOAL_OF_OTHERS_PRIV

ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB HXT_MANAGE_WORKER_TIME_ENTRY_PROFILES_PRIV

ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB HXT_MANAGE_WORKER_TIME_PROCESSING_PROFILES_PRIV

ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB PAY_MANAGE_HCM_BUSINESS_RULE_PRIV

ORA_PAY_COMMON_IMPLEMENTION_DUTY PAY_MANAGE_PAYROLL_ELEMENT_ENTRY_PRIV

ORA_PAY_PAYROLL_CALC_VALIDATION_BALANCE_ADMINISTRATION_DUTY PAY_PROCESS_INDIVIDUAL_PAYROLL_BALANCE_ADJUSTMENTS_PRIV

ORA_PAY_PAYROLL_IMPLEMENTATION_DUTY PAY_MANAGE_PAYROLL_ELEMENT_ENTRY_PRIV

ORA_PAY_PAYROLL_IMPLEMENTATION_VIEW_DUTY PAY_MANAGE_HCM_BUSINESS_RULE_PRIV

ORA_PER_CONTINGENT_WORKER_ABSTRACT HRT_FUSE_PERFORMANCE_AND_CAREER_PLANNING_PRIV

ORA_PER_CONTINGENT_WORKER_ABSTRACT PER_MANAGE_PERSON_DOCUMENTATION_PRIV

ORA_PER_CONTINGENT_WORKER_ABSTRACT PER_VIEW_PERSON_GALLERY_PORTRAIT_PRIV

ORA_PER_EMPLOYEE_ABSTRACT HRT_FUSE_PERFORMANCE_AND_CAREER_PLANNING_PRIV

ORA_PER_EMPLOYEE_ABSTRACT PER_MANAGE_PERSON_DOCUMENTATION_PRIV

ORA_PER_EMPLOYEE_ABSTRACT PER_VIEW_PERSON_GALLERY_PORTRAIT_PRIV

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB CMP_VIEW_COMPENSATION_HISTORY_PRIV

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB HRA_VIEW_WORKER_PERFORMANCE_MANAGEMENT_DOCUMENT_PRIV

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_COPY_PERSONAL_DATA_TO_LDAP_PRIV

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_SEND_USER_NAME_REQUEST_PRIV

ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_VIEW_PERSON_GALLERY_PORTRAIT_PRIV

ORA_PER_LINE_MANAGER_ABSTRACT CMP_VIEW_COMPENSATION_HISTORY_PRIV

ORA_PER_LINE_MANAGER_ABSTRACT PER_COPY_PERSONAL_DATA_TO_LDAP_PRIV

ORA_PER_LINE_MANAGER_ABSTRACT PER_SEND_USER_NAME_REQUEST_PRIV

ORA_PER_LINE_MANAGER_ABSTRACT PER_VIEW_PERSON_GALLERY_PORTRAIT_PRIV

Role Codes on the Assign Security Profiles to Role Pages


After the upgrade to Release 12 completes, you will notice that role codes now appear on Assign Security Profiles to
Role pages. For example, you can include role codes as search parameters, and the role code (also known as the
Common Role Name) appears in the search results:

Figure 2-27. Role Code on the Manage Data Roles and Security Profiles Page

Having the role code visible enables you to identify roles correctly before you include them in data roles. During the
upgrade to Release 12, the enterprise job role (EJR) and application job role (AJR) are merged to provide one
application job role. However, this merging does not occur:

» For predefined roles, if you customized the EJR
» For custom roles, if the role codes of the EJR and AJR are different, even if their role names are the same.
In this case, both roles may appear in search results. You can differentiate them by their role codes.

If you select a role to include in a data role when a data role already exists for a job role with the same job role name
but a different code, then a warning message appears. This message is to ensure that you select the correct job
role.

What to Do After the Upgrade
This section identifies tasks that you must perform once the upgrade to Release 12 is complete. These are:

» Run Required Processes
» Validate User Lifecycle Settings
» Update Custom Roles for Oracle Fusion Goal Management
» Update Custom Roles for Oracle Fusion Profile Management
» Remove Access to Workforce Reputation Management

Run Required Processes


Before you can use the Security Console in your upgraded environment, you must run these two processes in the
following order:
1. Retrieve Latest LDAP Changes
2. Import User and Role Application Security Data
Note: Retrieve Latest LDAP Changes must complete successfully before you run Import User and Role Application
Security Data. Do not run these processes in parallel.

You must have IT Security Manager privileges to run these processes.

Run Retrieve Latest LDAP Changes


Follow these steps:
1. Select Navigator - Tools - Scheduled Processes to open the Scheduled Processes work area.
2. Click Schedule New Process. The Schedule New Process dialog box opens.
3. In the Name field, search for and select the Retrieve Latest LDAP Changes process.
4. Click OK to close the Schedule New Process dialog box.
5. In the Process Details dialog box, click Submit.

Figure 3-1. Submitting Retrieve Latest LDAP Changes


6. Click OK to close the confirmation message.
7. On the Scheduled Processes page, click the Refresh icon to update the process status.

Figure 3-2. Successful Completion of Retrieve Latest LDAP Changes

Once the Retrieve Latest LDAP Changes process completes successfully, you can run the next process.

Run Import User and Role Application Security Data


Follow these steps:
1. In the Scheduled Processes work area, click Schedule New Process. The Schedule New Process
dialog box opens.
2. In the Name field, search for and select the Import User and Role Application Security Data process.
3. Click OK to close the Schedule New Process dialog box.
4. In the Process Details dialog box, click Submit.

Figure 3-3. Submitting the Import User and Role Application Security Data Process
5. Click OK to close the confirmation message.
6. On the Scheduled Processes page, click the Refresh icon to update the process status. Once the Import
User and Role Application Security Data process completes successfully, you can continue with the post-
upgrade tasks.

End Scheduling of Retrieve Latest LDAP Changes


If the Retrieve Latest LDAP Changes process is scheduled to run in your environment, then we recommend that you
end the scheduling. From Release 12, you no longer need to run Retrieve Latest LDAP Changes regularly. You
can run the process if you become aware of data-integrity issues, for example, but otherwise the process is not
required.

Validate User Lifecycle Settings
In Release 12 (R12), Oracle Fusion Applications Security enables security administrators to manage the entire user
lifecycle through the Security Console. They can customize how notifications are generated and sent for various
user lifecycle events, including user-account creation and password management. Administrators can also tailor
user-name and password generation by choosing from a list of shipped policies.

After the upgrade to R12 is completed, security administrators must review the setup of user lifecycle management
in the Security Console. The following activities must be undertaken:

1. Verify password expiration duration.
2. Verify password expiration warning duration.
3. Verify password complexity rules.
4. Verify user-name generation rules.
5. Configure notification templates.
6. Configure forgot-password flow.
All of these activities must be performed on the Security Console.

Note: Activities 1, 2, and 3 are not required if you have set up Single Sign-On (SSO) federation with an external
Identity Provider (IdP).

Using the Security Console


Prior to R12, security administration functions were distributed across Oracle Identity Management (OIM) and
Authorization Policy Manager (APM). In R12, these functions are delivered through a single interface – the Security
Console. OIM and APM are no longer available in R12.

All tasks listed below must be performed through the Security Console, which may be accessed in the following
ways:

» Use the Manage Job Roles task in the Setup and Maintenance work area.
» Select Navigator - Tools - Security Console.
Users must be assigned the IT Security Manager role to access the Security Console.

Figure 3-4. Accessing the Security Console

Verify Password Expiration Duration


This step is not required if you have set up federated Single Sign-On (SSO) with your Identity Provider.

Starting in Release 12, the Security Console can be used to manage password expiration. Upon upgrade to R12,
each user’s password creation date will be set to the day of upgrade, and the password expiration date will be set to
90 days from the password creation date.

Any custom expiration duration requested through an Oracle Service Request, as defined in MOS Doc ID
2081847.1, will also be reset to 90 days.

Example: if upgrade occurs on DAY 1, then the password expiration date will be set to DAY 1+90.

What Needs to Be Done?

After upgrading to R12, go to the Security Console > Administration > General tab. Under Password Policy, set the
Days Before Password Expiration value to the required duration (in days).

Figure 3-5. Setting Days Before Password Expiration

Verify Password Expiration Warning Duration


This step is not required if you have set up federated Single Sign-On (SSO) with your Identity Provider.

Starting in R12, the Security Console can be used to manage the password-expiration warning.

Upon upgrade to R12, each user’s password expiration warning date will be set to 80 days from the upgrade date
(that is, 10 days before the password expiration date, based on the default value of 90 days set for password
expiration).

Any custom password warning duration, requested through an Oracle Service Request, will also be reset to the
default value of 80 days from the upgrade date.

Example: if upgrade occurs on DAY 1, then the password expiration will be DAY 1 + 90 and the password expiration
warning date will be set to DAY 1 + 80 (that is, 10 days before the default password expiration date set on upgrade).

A password expiration warning will be enabled on upgrade. If the password expiration warning was disabled through
an Oracle Service Request, then this will be overridden.

What Needs to Be Done?

After upgrading to R12, go to the Security Console > Administration > General tab. Under Password Policy, set the
Days Before Password Expiry Warning value to the required duration (in days).

Figure 3-6. Setting Days Before Password Expiry Warning

You can also disable the password expiration warning or customize the notification template associated with the
password expiration warning. Go to Security Console > Administration > Notifications. Select the active template
associated with the Password expiry warning event and deselect the Enabled check box.

Figure 3-7. Disabling the Password Expiration Warning

Verify Password Complexity Rules


This step is not required if you have set up Single Sign-On (SSO) federation with your Identity Provider.

Starting in R12, you can use the Security Console to specify the complexity of generated passwords by choosing
from a list of predefined policies. Once you upgrade to R12, the predefined Simple password-complexity rule will be
selected by default. That is, the password must be at least 8 characters long and contain at least 1 digit.

Any custom password complexity policy requested through an Oracle Service Request, as defined in MOS Doc ID
2081847.1, will also be reset to Simple.

What Needs to Be Done?

After upgrading to R12, go to the Security Console > Administration > General tab and choose one of the three
password policies:
» Simple: Minimum of 8 characters, of which 1 must be a number
» Complex: Minimum of 8 characters, of which 1 must be uppercase and 1 must be a number
» Very Complex: Minimum of 8 characters, of which 1 must be uppercase, 1 must be a number, and 1 must be a
special character

Figure 3-8. Setting Password Complexity

Verify User-Name Generation Rules


Starting in R12, user-name generation rules will be managed on the Security Console. The Manage Enterprise HCM
Information page (shown in Figure 3-6) can no longer be used to manage these rules.

Figure 3-9. The Release 11 Manage Enterprise HCM Information Page

The user-name rule Defined by Oracle Identity Management is not available in R12. Table 3-1 describes how user-
name generation rules are mapped in R12.

TABLE 3-1. MAPPING OF USER-NAME GENERATION RULES

User-Name Generation Rule Before Upgrade to R12 | User-Name Generation Rule After Upgrade to R12
None | E-Mail
Party Number | Party Number
Person Number | Person Number
Defined by Oracle Identity Management | E-Mail

Any customization (through a Service Request) to user-name generation rules in OIM using Defined by Oracle
Identity Management will be reset to E-Mail.

What Needs to Be Done?

After upgrade to R12, go to the Security Console > Administration > General tab. Under User Preferences, select
one of the four user-name generation rules:

» FirstName.LastName
» E-Mail
» FLastName (first-name initial plus last name)
» Person or party number

Figure 3-10. Selecting the User-Name Generation Rule

Configure Notification Templates


Starting in R12, notifications for new-hire and password events (forgot password, password expiration, password
expiration warning, and password reset confirmation) must be managed on the Security Console.

Table 3-2 describes how the existing R11 notification templates (set up in Oracle Identity Management – OIM) are
mapped to R12 templates.

TABLE 3-2. MAPPING OF NOTIFICATION TEMPLATES

R12 Predefined Template | Pre-R12 OIM Template
New Account Template | Create User Self Service Notification
Password Expiry Warning Template | Password Warning Notification
Password Expiration Template | Password Expired Notification
Forgot User Name Template |
Password Reset Template | Reset Password
Password Generated Template | Generated Password Notification
Password Reset Confirmation Template |
New Account Manager Template |

If customizations to the OIM templates were requested through a Service Request, then they will be preserved and
migrated to the corresponding R12 templates during upgrade. If all notification templates were disabled through a
Service Request, then all R12 templates will also be disabled.

What Needs to Be Done?

After upgrade to R12, go to Security Console > Administration > Notifications.

Disable All Notifications

To disable all notifications, deselect Enable notifications under Notification Preferences. Customers who have set
up Single Sign-On (SSO) federation with an external Identity Provider (IdP) must disable all notifications, since the
user lifecycle events are managed by the IdP.

Figure 3-11. Disabling All Notifications

Disable Specific Notification Templates

Customers may want to enable or disable specific templates.

Go to the Security Console > Administration > Notifications tab. Click the name of the template to be disabled.

Figure 3-12. Selecting the Template to Disable

Disable the template for the event by deselecting the Enabled check box, as shown in Figure 3-10.

Figure 3-13. Disabling a Selected Template

Repeat these steps for all templates for a given event.

Notifications to the Alternate Contact E-Mail Address

Starting in R12, the Alternate Contact E-Mail Address on the Manage Enterprise HCM Information page will not be
available.

Figure 3-14. Alternate Contact E-Mail Address

What Needs to Be Done?

After upgrade to R12, go to the Security Console > Administration > Notifications tab. Manage templates as
described in Configure Notification Templates.

Configure Forgot Password Flow


Before R12, when users clicked the Forgot password link on the login page, they were directed to an Oracle
Identity Manager screen that displayed a set of challenge questions.

Figure 3-15. Oracle Identity Manager Challenge Questions

Starting in R12, these challenge questions are replaced by an e-mail that is sent to the user’s primary e-mail
address. This e-mail contains a notification message with a password-reset link. This reset link contains a token that
is, by default, valid for 4 hours from the time it was requested. In addition, the link cannot be reused once it has been
used to reset the password. See the sample notification in Figure 3-13.

Figure 3-16. Sample Password-Reset Notification

What Needs to Be Done?

Configure Password Reset Token Expiration

Go to Security Console > Administration > General and set the Hours Before Password Reset Token Expiration
value.

Figure 3-17. Setting the Value of Hours Before Password Reset Token Expiration

Manage Password Reset Notification Templates

Follow these steps:


1. Go to Security Console > Administration > Notifications.
2. Select the template named Password Reset Template.
3. Select or deselect the Enable check box, as appropriate.

Figure 3-18. Managing the Password Reset Notification Template

Update Custom Roles for Oracle Fusion Goal Management
In Oracle HCM Cloud Release 12:
» New aggregate privileges are defined.
» A new function security privilege is defined.
» An existing function security privilege is removed from the Line Manager role.
» Some function security privileges are no longer used.
This section describes each of the changes and the roles that they affect. If you are using the predefined versions of
the affected job and abstract roles, then no action is necessary. However, if you are using custom versions of the
predefined roles, then you need to apply these changes to your roles. Instructions for updating your custom roles
are provided on page 67.

Note: Whether you are using the predefined or custom versions of the affected roles, you must regenerate
associated data roles. You must also regenerate any affected abstract role to which security profiles are assigned.
How to regenerate roles is described on page 71.

Tip: Identify all changes that you want to apply to a single custom role (for example, custom line manager) and
make all of those changes at once before performing role regeneration.

New Aggregate Privileges


Three new aggregate privileges are introduced in Release 12. This table identifies the new privileges and the
predefined job and abstract roles that inherit them.

TABLE 3-3. NEW AGGREGATE PRIVILEGES FOR GOAL MANAGEMENT

Aggregate Privilege | Job or Abstract Role
Manage Performance Goal by Worker (ORA_HRG_MANAGE_PERFORMANCE_GOAL_BY_WORKER) | Employee; Contingent Worker
Manage Performance Goal by Manager (ORA_HRG_MANAGE_PERFORMANCE_GOAL_BY_MANAGER) | Line Manager
Manage Performance Goal by HR (ORA_HRG_MANAGE_PERFORMANCE_GOAL_BY_HR) | Human Resource Specialist

The new aggregate privileges secure access to the following application resources and data:

TABLE 3-4. RESOURCES SECURED BY THE NEW AGGREGATE PRIVILEGES FOR GOAL MANAGEMENT

Aggregate Privilege | Secured Page or Feature | Secured Application Data
Manage Performance Goal by Worker | My Goals page | Worker’s own performance goals
Manage Performance Goal by Manager | My Team Goals page; Search Person feature on the My Organization panel; My Organization feature on the Search panel | Performance goals for a line manager’s subordinates
Manage Performance Goal by HR | Administer Goals page; Mass Assign Goals page; Manage Goal Plans page; Manage Goal Plan Sets page | Performance goals for the workers in a Human Resource Specialist’s person security profile

Note: These aggregate privileges also secure access to the content on the Goals tab of the Person Spotlight page.

Add these aggregate privileges to custom versions of the relevant job and abstract roles.

New Function Security Privilege


This table identifies the new function security privilege and the predefined job and abstract roles to which it is
granted. This function security privilege secures access to Notifications features for Goal Management users.

TABLE 3-5. NEW FUNCTION SECURITY PRIVILEGE FOR GOAL MANAGEMENT

Function Security Privilege | Job or Abstract Role
Manage Goal Management Notifications (HRG_GOAL_MANAGEMENT_NOTIFICATIONS_PRIV) | Employee; Contingent Worker; Line Manager; Executive Manager

You may want to grant this privilege to custom versions of relevant job and abstract roles.

Removed Function Security Privilege


This table identifies the function security privilege that has been removed from the predefined Line Manager role. It
secures access to the My Organization Goals page, which is used to set up and distribute organization goals. This
function security privilege was intended for executive users only. It remains granted to the predefined Executive
Manager job role.

TABLE 3-6. FUNCTION SECURITY PRIVILEGE REMOVED FROM LINE MANAGER

Function Security Privilege | Job or Abstract Role
Manage Performance Goal for Organization (HRG_MANAGE_PERFORMANCE_GOAL_FOR_ORGANIZATION_PRIV) | Line Manager

If this function security privilege is granted to a custom line manager role, then you need to remove it.

Function Security Privileges No Longer Used


Although they are still delivered in Release 12, several function security privileges are no longer used in Goal
Management. This table identifies the function security privileges and the aggregate privileges that replace them.

TABLE 3-7. UNUSED FUNCTION SECURITY PRIVILEGES IN GOAL MANAGEMENT

Function Security Privilege | Aggregate Privilege
Generate Performance Goal Plan (HRG_GENERATE_PERFORMANCE_GOAL_PLAN_PRIV) | Manage Performance Goal by HR
Manage Performance Goal Process (HRG_MANAGE_PERFORMANCE_GOAL_PROCESS_PRIV) | Manage Performance Goal by HR
Assign Performance Goal to Groups of Workers (HRG_ASSIGN_PERFORMANCE_GOAL_TO_GROUPS_OF_WORKERS_PRIV) | Manage Performance Goal by HR
Manage Performance Goal of All Workers (HRG_MANAGER_PERFORMANCE_GOAL_OF_ALL_WORKERS_PRIV) | Manage Performance Goal by HR
Manage Performance Goal of Others (HRG_MANAGE_PERFORMANCE_GOAL_OF_OTHERS_PRIV) | Manage Performance Goal by Manager
View Performance Goal (HRG_VIEW_PERFORMANCE_GOAL_PRIV) | N/A
Update Goals Status to Overdue Mass Process (HRG_UPDATE_GOALS_STATUS_TO_OVERDUE_MASS_PROCESS_PRIV) | N/A

If these function security privileges are granted to any of your custom roles, then we recommend that you remove
them because they are no longer used. They will be deleted in a future release of Oracle HCM Cloud.

Update Custom Roles for Oracle Fusion Profile Management
In Oracle HCM Cloud Release 12:
» New aggregate privileges are defined.
» An existing function security privilege is removed from the Employee and Contingent Worker roles.
This section describes each of the changes and the roles that they affect. If you are using the predefined versions of
the affected job and abstract roles, then no action is necessary. However, if you are using custom versions of the
predefined roles, then you need to apply these changes to your roles. Instructions for updating your custom roles
are provided on page 67.

Note: Whether you are using the predefined or custom versions of the affected roles, you must regenerate
associated data roles. You must also regenerate any affected abstract role to which security profiles are assigned.
How to regenerate roles is described on page 70.

Tip: Identify all changes that you want to apply to a single custom role (for example, custom line manager) and
make all of those changes at once before performing role regeneration.

New Aggregate Privileges


Four new aggregate privileges are introduced in Release 12. This table identifies the new privileges and the
predefined job and abstract roles that inherit them.

TABLE 3-8. NEW AGGREGATE PRIVILEGES FOR PROFILE MANAGEMENT

Aggregate Privilege | Job or Abstract Role
View Person Skills and Qualifications (ORA_HRT_VIEW_PERSON_SKILLS_AND_QUALIFICATIONS) | Employee; Contingent Worker; Line Manager; Human Resource Specialist
Edit Person Skills and Qualifications (ORA_HRT_EDIT_PERSON_SKILLS_AND_QUALIFICATIONS) | Employee; Contingent Worker; Line Manager; Human Resource Specialist
View Person Career Planning (ORA_HRT_VIEW_PERSON_CAREER_PLANNING) | Employee; Contingent Worker; Line Manager; Human Resource Specialist
Edit Person Career Planning (ORA_HRT_EDIT_PERSON_CAREER_PLANNING) | Employee; Contingent Worker; Line Manager; Human Resource Specialist

The new aggregate privileges secure access to the following application resources and data:

TABLE 3-9. RESOURCES SECURED BY THE NEW AGGREGATE PRIVILEGES FOR PROFILE MANAGEMENT

Aggregate Privilege | Secured Page | Secured Application Data
View Person Skills and Qualifications | View Skills and Qualifications page | Workers and assignments in a public person security profile
Edit Person Skills and Qualifications | Edit Skills and Qualifications page | The user’s own information (when granted to Employee or Contingent Worker roles); Subordinates in a person security profile (when granted to a Line Manager role); Workers in a person security profile (when granted to a Human Resource Specialist role)
View Person Career Planning | View Career Planning page | Workers and assignments in a public person security profile (when granted to Employee or Contingent Worker roles)
Edit Person Career Planning | Edit Career Planning page | The user’s own information; Subordinates in a person security profile (when granted to a Line Manager role); Workers in a person security profile (when granted to a Human Resource Specialist role)

Note: These aggregate privileges also secure access to the content on the Skills and Qualifications and Career
Planning tabs of the Person Spotlight page.

Add these aggregate privileges to custom versions of the relevant job and abstract roles.

Removed Function Security Privilege


This table identifies the function security privilege that has been removed from the predefined Employee and
Contingent Worker roles.

TABLE 3-10. FUNCTION SECURITY PRIVILEGE REMOVED FROM EMPLOYEE AND CONTINGENT WORKER

Function Security Privilege | Job or Abstract Role
Access FUSE Performance and Career Planning Page (HRT_FUSE_PERFORMANCE_AND_CAREER_PLANNING) | Employee; Contingent Worker

If this function security privilege is granted to a custom employee or contingent worker role, then you need to
remove it.

Remove Access to Workforce Reputation Management
If you modified predefined Workforce Reputation Management privileges to remove access to Workforce Reputation
Management in Release 11 or earlier, then your privilege customizations will be reset during the upgrade to Release
12. The privileges are:

» Manage Reputation Overview (HWR_REPUTATION_DASHBOARD_EE_PRIV)
» Manage Workforce Reputation Administration (HWR_MANAGE_WORKFORCE_REPUTATION_ADMINISTRATION_PRIV)

To remove access to Workforce Reputation Management after upgrading to Release 12, follow these instructions.
All specified chapters and help topics can be found in the Release 12 guide Securing Oracle HCM Cloud at
https://docs.oracle.com.

1. Make custom versions of the job and abstract roles identified in Table 3-11, if you have not already done
so. Perform a shallow copy. Follow the instructions in the help topic Copying Job or Abstract Roles:
Procedure in the Customizing Security chapter.
2. Remove relevant function security privileges from your custom versions of the affected roles. Follow the
instructions in the help topic Editing Custom Job or Abstract Roles: Procedure in the Customizing Security
chapter. Table 3-11 identifies the affected job and abstract roles and the function security privileges to
remove:

TABLE 3-11. WORKFORCE REPUTATION MANAGEMENT FUNCTION SECURITY PRIVILEGES TO REMOVE

| Function Security Privilege to Remove | Job or Abstract Role |
| --- | --- |
| Manage Reputation Overview (HWR_REPUTATION_DASHBOARD_EE_PRIV) | Employee, Contingent Worker |
| View Team Reputation Scores Analytic View (HWR_REPUTATION_SCORE_ANALYTIC_MGR_PRIV) | Line Manager |
| Manage Workforce Reputation Administration (HWR_MANAGE_WORKFORCE_REPUTATION_ADMINISTRATION_PRIV) | Human Capital Management Application Administrator |

3. If you have existing HCM data roles that inherit the predefined Human Capital Management Application
Administrator job role, then create new HCM data roles to inherit your custom version of the job role, as
appropriate. For information, see the HCM Data Roles and Security Profiles chapter.
4. Assign security profiles to your custom abstract roles, as appropriate. See the help topic Assigning
Security Profiles to Job and Abstract Roles: Procedure in the HCM Data Roles and Security Profiles
chapter.
5. Assign any new HCM data roles and custom abstract roles to users and revoke existing versions of the
roles. Edit role mappings, as appropriate, to replace existing and predefined roles with new and custom
versions. For information, see the Provisioning Roles to Application Users chapter.

If you already have a custom version of any of the affected roles, then you can:

1. Remove the specified function security privileges from your existing custom roles.
2. Regenerate any HCM data role or custom abstract role to which security profiles are assigned. See the
help topic Regenerating HCM Data Roles: Procedure in the Customizing Security chapter.

Appendix: Updating Custom Job or Abstract Roles
This appendix describes how to update your custom job or abstract roles to implement Release 12 security
changes. For example, you may need to add new aggregate privileges introduced by Oracle Fusion Goal
Management or Oracle Fusion Profile Management.

Opening Your Custom Role on the Security Console

Follow these steps:


1. Sign in with IT Security Manager privileges.
2. Select Navigator - Tools - Security Console.
3. On the Roles tab of the Security Console, search for and select your custom role.
4. In the search results, click the down arrow for the selected role and select Edit Role.

Figure A-1. Editing a Custom Role on the Security Console


5. On the Edit Role: Basic Information page, click Next.

Adding and Removing Function Security Privileges

On the Edit Role: Functional Security Policies page, any function security privileges granted directly to the role
appear.

To remove a privilege from the role, select the privilege and click the Delete icon.

To add a privilege to the role:


1. Click Add Function Security Policy.
2. In the Add Function Security Policy dialog box, search for and select a privilege. For example, search
for and select the Manage Goal Management Notifications function security privilege.
3. Click Add Privilege to Role.

Figure A-2. Adding a Function Security Privilege to a Custom Role


4. Click OK to close the confirmation message.
5. Repeat from step 2 for additional function security privileges.
6. Close the Add Function Security Policy dialog box.
7. Click Next.

Managing Data Security Policies

If you are editing a custom job or abstract role, then you make no changes to the data security policies. Click Next.

Adding Aggregate Privileges

The Edit Role: Role Hierarchy page shows the job or abstract role and its inherited aggregate privileges and duty
roles. You can switch between tabular and graphical displays, as required.

To add aggregate privileges, follow these steps:


1. Click the Add Role icon or button.
2. In the Add Role Membership dialog box, search for and select the aggregate privilege to add. For
example, search for and select the Manage Performance Goal by Manager or View Person Career
Planning aggregate privilege.
3. Click Add Role Membership.

Figure A-3. Adding an Aggregate Privilege to a Custom Role

4. Click OK to close the confirmation message.
5. Repeat from step 2 for additional aggregate privileges.
6. Close the Add Role Membership dialog box. The Edit Role: Role Hierarchy page shows the updated role
hierarchy.
7. Click Next until you reach the Edit Role: Summary and Impact Report page.

Reviewing and Saving the Role

Review the summary of changes and click Back to make any corrections.

Figure A-4. Reviewing the Summary of Changes on the Summary and Impact Report Page

When your changes are complete:


1. Click Save and Close to save the role.
2. Click OK to close the confirmation message.

When all changes that affect a custom job or abstract role are complete, you must regenerate any HCM data role
that inherits the custom role. See the instructions in Identifying and Regenerating HCM Data Roles.

Identifying and Regenerating HCM Data Roles


You must regenerate HCM data roles that inherit updated job roles. The job roles may be predefined or custom. You
must:

1. Identify all HCM data roles that inherit updated job roles.
2. Regenerate all affected HCM data roles.

You also need to follow the instructions in Regenerating HCM Data Roles for both predefined and custom abstract
roles, but only if security profiles are assigned directly to them.

Identifying HCM Data Roles to Regenerate

Follow these steps:


1. Sign in with IT Security Manager privileges.
2. Select Navigator - Tools - Security Console.
3. On the Roles tab of the Security Console, search for and select the updated job role. Note: Switch to the
tabular view if you are seeing the graphical view by default.
4. Set Expand toward to Users. This option displays the level of the hierarchy above the specified job role.
In the Role Name column, you can see the names of all data roles that inherit the job role.
5. Make a note of the HCM data roles that inherit the job role. These are the HCM data roles that you need to
regenerate.
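
For a site that is removing Workforce Reputation Management access, the two checks described above (finding custom roles that still grant a Table 3-11 privilege, and listing the roles that inherit an updated role and so need regenerating) can be cross-checked offline. This is an added example, not part of the Oracle guide: the dictionary layout and every role code in it are constructed assumptions, and only the privilege codes come from Table 3-11. It follows inheritance through every level, which goes beyond the single level that Expand toward Users displays.

```python
# Privilege codes listed in Table 3-11 of this guide.
PRIVILEGES_TO_REMOVE = {
    "HWR_REPUTATION_DASHBOARD_EE_PRIV",
    "HWR_REPUTATION_SCORE_ANALYTIC_MGR_PRIV",
    "HWR_MANAGE_WORKFORCE_REPUTATION_ADMINISTRATION_PRIV",
}

# Constructed sample data (assumption): custom role code -> privileges granted directly.
GRANTS = {
    "CUSTOM_EMPLOYEE": {"HWR_REPUTATION_DASHBOARD_EE_PRIV", "CONSTRUCTED_OTHER_PRIV"},
    "CUSTOM_LINE_MANAGER": {"CONSTRUCTED_OTHER_PRIV"},
    "CUSTOM_HCM_APP_ADMIN": {"HWR_MANAGE_WORKFORCE_REPUTATION_ADMINISTRATION_PRIV"},
}

# Constructed sample data (assumption): role code -> roles it inherits directly.
INHERITS = {
    "CUSTOM_HCM_APP_ADMIN_VIEW_ALL": {"CUSTOM_HCM_APP_ADMIN"},
    "CUSTOM_HCM_APP_ADMIN_EMEA": {"CUSTOM_HCM_APP_ADMIN"},
    "CUSTOM_LM_DATA": {"CUSTOM_LINE_MANAGER"},
}


def leftover_privileges(grants):
    """Return {role: sorted privileges} for roles still granting a listed privilege."""
    found = {}
    for role, privs in grants.items():
        hits = sorted(privs & PRIVILEGES_TO_REMOVE)
        if hits:
            found[role] = hits
    return found


def roles_to_regenerate(inherits, updated_roles):
    """Return roles that inherit any updated role, directly or through other roles."""
    affected, frontier = set(), set(updated_roles)
    while frontier:
        # Next level up: roles whose direct parents include a role found so far.
        frontier = {r for r, parents in inherits.items()
                    if parents & frontier and r not in affected}
        affected |= frontier
    return sorted(affected)


if __name__ == "__main__":
    leftovers = leftover_privileges(GRANTS)
    for role, privs in leftovers.items():
        print(f"{role}: remove {', '.join(privs)}")
    print("Regenerate:", ", ".join(roles_to_regenerate(INHERITS, leftovers)))
```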

Regenerating HCM Data Roles

To regenerate a data or abstract role:


1. Select Navigator - Setup and Maintenance to open the Setup and Maintenance work area.
2. Search for and select the Assign Security Profiles to Role task.
3. On the Manage Data Roles and Security Profiles page, search for the data or abstract role.
4. Select the role in the search results and click Edit.
5. On the Edit Data Role: Role Details page, click Next.
6. On the Edit Data Role: Security Criteria page, click Review.
7. On the Edit Data Roles: Review page, click Submit.

This procedure automatically regenerates the role’s data security policies based on the security profiles assigned to
the role.

Oracle Corporation, World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065, USA

Worldwide Inquiries
Phone: +1.650.506.7000
Fax: +1.650.506.7200

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the
contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other
warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are
formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and
are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are
trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0116

Oracle HCM Cloud Security Upgrade Guide Release 12


March 2017
