Oracle Human Capital Management Cloud Security Upgrade Guide
Role Customizations
Privilege Customizations
Resource Customizations
Enterprise Roles, Application Roles, and the Simplified Reference Role Model
Special Cases
Renamed Roles
Role-Hierarchy Changes
Most Oracle Fusion Applications Cloud customers make no customizations to predefined roles and are therefore
unaffected by these changes. However, as a precaution, and before your Oracle Fusion Applications Cloud
environment is upgraded to Release 12, you must identify any customizations that you have made to the Simplified
Reference Role model. If you identify these customizations before the upgrade, then you can create custom roles,
as appropriate, to preserve your customizations. This section provides instructions for these tasks.
Important Note: You must have the IT Security Manager job role to run this report. If you first implemented Oracle
HCM Cloud in Release 9 or earlier, then you may still be using the Release 9 version of the IT Security Manager job
role, which cannot run the Security Customization Report. To confirm, search for the IT Security Manager job role in
Authorization Policy Manager and review its inherited duty roles. If the names of those duty roles end with the word
Duty, then you are using the Release 9 version of the role. In this case, migrate your IT Security Manager job role to
the Simplified Reference Role Model.
This document describes the contents of each tab. It also identifies the actions that you must take before your
environment is upgraded to Release 12.
This sample output indicates that a role ORA_PER_PERSON_VIEW_DUTY has been added to
ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY, and a role
PER_APPROVAL_NOTIFICATION_DUTY has been added to ORA_PER_EMPLOYEE_ABSTRACT.
These customizations will be removed when your environment is upgraded to Release 12.
Note: If the Role Hierarchy Customizations tab identifies child roles beginning with the characters ORA_FBI or FBI_,
then you may have made changes in the OBI application stripe. See the section Customizations in the OBI Stripe on
page 17 for instructions on how to proceed for those roles. For more information about customizations in the OBI
stripe, see the topic How Reporting Data is Secured: Explained in the Release 11 Securing Oracle HCM Cloud
guide on the Oracle Help Center.
Use the Application Role Hierarchy tab in Authorization Policy Manager to identify the job and abstract roles that are
impacted by your customizations. Follow these steps:
1. Sign in to Oracle HCM Cloud with IT Security Manager privileges.
2. On the home page, click Setup and Maintenance.
3. In the Setup and Maintenance work area, search for and select the Manage Duties task.
4. In the search results, click Go to Task. The Oracle Entitlements Server Authorization Management page
opens.
Figure 1-2. Search for Application Roles on the Authorization Management Page
The steps for copying a job role are explained in the Customizing Security chapter of the Release 11 guide Securing
Oracle HCM Cloud on the Oracle Help Center.
Role Customizations
The Role Customizations tab shows:
Custom function security policies are granted to reference roles using Authorization Policy Manager. In this sample
output, a custom policy called View Required Learning for Employee has been added to the reference Employee
role.
You need to find the function security privileges that are granted to this custom policy and grant them to a custom
Employee role. Follow these steps:
1. Sign in to Oracle HCM Cloud with IT Security Manager privileges.
2. On the home page, click Setup and Maintenance.
3. In the Setup and Maintenance work area, search for and select the Manage Duties task.
4. In the search results, click Go to Task. The Oracle Entitlements Server Authorization Management page
opens.
5. On the Home tab of the Authorization Management page, select hcm in the Application Name section and
click Search under Authorization Policies.
The Targets column shows View Required Learning. This target is the name of the function security privilege that is
granted to this custom policy.
Create a copy of the customized reference Employee role. Create a shallow copy if the customized role is an
abstract or job role. Create a deep copy if the customized role is a duty role inherited by the abstract or job role. The
steps for copying an abstract or job role are explained in the Customizing Security chapter of the Release 11 guide
Securing Oracle HCM on the Oracle Help Center.
Function security privileges that are reported in the Privileges Granted to Reference Roles section of the report are
granted to the reference role via the default function security policy that is delivered as part of the reference role
definition. This policy has a name in the form Policy for <role display name>. For example, Policy for Human Capital
Management Integration Specialist. The default policy appears first in the list of function security policies for a role in
Authorization Policy Manager.
You can see the function security privilege that was added to the Human Capital Management Integration Specialist
reference role by clicking More... or Open on the Functional Policies tab.
Create a copy of the customized Human Capital Management Integration Specialist reference role. Create a shallow
copy if the customized role is an abstract or job role. Create a deep copy if the customized role is a duty role
inherited by the abstract or job role. The steps for copying a job role are explained in the Customizing Security
chapter of the Release 11 guide Securing Oracle HCM Cloud on the Oracle Help Center.
Function security privileges that are reported in the Privileges Removed from Reference Roles section of the report
have been removed from the default function security policy that is delivered as part of the reference role definition.
This policy has a name in the form Policy for <role display name>. For example, Policy for Employee. The default
policy appears first in the list of function security policies for a role in Authorization Policy Manager.
In the example report output, some privileges have been removed from
ORA_HRT_WORKFORCE_PROFILE_WORKER_DUTY and from ORA_PER_EMPLOYEE_ABSTRACT.
ORA_HRT_WORKFORCE_PROFILE_WORKER_DUTY is a duty role. You must identify the reference job and
abstract roles that inherit this duty role and make deep copies of those roles. Follow the steps described in the Role
Hierarchy Customizations section of this document to identify the job and abstract roles that inherit this duty role.
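The shallow-copy and deep-copy decision described above can be worked through offline once the report findings and the role hierarchy have been transcribed. The following is an added example, not Oracle code and not part of the original guide; the role types, inheritance edges, and findings are constructed sample data that reuse role codes from this page, and the function names are hypothetical.

```python
from collections import defaultdict

# Child-role prefixes that the guide associates with the OBI application stripe.
OBI_PREFIXES = ("ORA_FBI", "FBI_")

# Constructed role types, as you would read them in Authorization Policy Manager.
ROLE_TYPES = {
    "ORA_PER_EMPLOYEE_ABSTRACT": "abstract",
    "ORA_PER_LINE_MANAGER_ABSTRACT": "abstract",
    "ORA_PAY_PAYROLL_MANAGER_JOB": "job",
    "ORA_PAY_PAYROLL_ADMINISTRATOR_JOB": "job",
    "ORA_BEN_BENEFITS_ADMINISTRATOR_JOB": "job",
    "ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY": "duty",
    "ORA_HRT_WORKFORCE_PROFILE_WORKER_DUTY": "duty",
}

# Constructed (parent, child) inheritance edges; not Oracle's delivered hierarchy.
HIERARCHY = [
    ("ORA_PAY_PAYROLL_MANAGER_JOB", "ORA_PAY_PAYROLL_ADMINISTRATOR_JOB"),
    ("ORA_PAY_PAYROLL_ADMINISTRATOR_JOB",
     "ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY"),
    ("ORA_PER_EMPLOYEE_ABSTRACT", "ORA_HRT_WORKFORCE_PROFILE_WORKER_DUTY"),
    ("ORA_PER_LINE_MANAGER_ABSTRACT", "ORA_HRT_WORKFORCE_PROFILE_WORKER_DUTY"),
]

# Constructed findings: (customized reference role, child role added to it, or
# None when the finding is a privilege or policy change, not a hierarchy change).
FINDINGS = [
    ("ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY", "ORA_PER_PERSON_VIEW_DUTY"),
    ("ORA_PER_EMPLOYEE_ABSTRACT", "PER_APPROVAL_NOTIFICATION_DUTY"),
    ("ORA_HRT_WORKFORCE_PROFILE_WORKER_DUTY", None),
    ("ORA_BEN_BENEFITS_ADMINISTRATOR_JOB", None),
    ("ORA_PER_EMPLOYEE_ABSTRACT", "FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY"),
]


def build_parent_index(edges):
    """Map each child role code to the set of roles that inherit it directly."""
    parents = defaultdict(set)
    for parent, child in edges:
        parents[child].add(parent)
    return parents


def inheriting_top_roles(role, parents, role_types):
    """Return every job or abstract role that inherits `role`, directly or not."""
    found, seen, stack = set(), {role}, [role]
    while stack:
        for parent in parents.get(stack.pop(), ()):
            if parent in seen:
                continue  # already visited; also guards against cyclic input
            seen.add(parent)
            if role_types.get(parent) in ("job", "abstract"):
                found.add(parent)
            stack.append(parent)  # keep climbing: a job role can inherit a job role
    return found


def plan_copies(findings, edges, role_types):
    """Return ({role to copy: 'shallow' | 'deep'}, [findings for OBI review])."""
    parents = build_parent_index(edges)
    plan, obi_review = {}, []
    for customized, child in findings:
        if child and child.startswith(OBI_PREFIXES):
            # The guide handles OBI-stripe children in a separate section.
            obi_review.append((customized, child))
            continue
        kind = role_types.get(customized)
        if kind in ("job", "abstract"):
            # Customized directly: shallow copy, unless already marked deep.
            plan.setdefault(customized, "shallow")
        elif kind == "duty":
            # Customized duty role: deep-copy every job/abstract role above it.
            for top in inheriting_top_roles(customized, parents, role_types):
                plan[top] = "deep"
        else:
            plan.setdefault(customized, "unknown role type")
    return plan, obi_review


if __name__ == "__main__":
    copies, obi = plan_copies(FINDINGS, HIERARCHY, ROLE_TYPES)
    for code in sorted(copies):
        print(f"{copies[code]:8} {code}")
    for customized, child in obi:
        print(f"OBI review: {child} added to {customized}")
```

A role that is customized directly and also inherits a customized duty role ends up marked for a deep copy, because the deep copy covers both findings.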
Page Integration privilege grants are generated by the Page Integration user interface and have privilege codes
starting with EXTN. The privilege codes also contain the page name.
These privilege grants will be removed when your environment is upgraded to Release 12.
To preserve these customizations, you must create custom copies of each of the job and abstract roles that inherit
the roles that are shown in the report. Recreate your page definitions using the Page Integration user interface, and
secure them against a custom copy of the role that is identified in the report. Do this before you are upgraded to
Release 12.
The sample output in Figure 1-11 indicates that four pages have been created using the Page Integration user
interface, and all four have been secured against the ORA_PER_EMPLOYEE_ABSTRACT role.
Create a shallow copy of the customized reference Employee role and recreate your page definitions using the Page
Integration user interface so that they reference your custom Employee role. The steps for copying an abstract role
are explained in the Customizing Security chapter of the Release 11 guide Securing Oracle HCM Cloud on the
Oracle Help Center. You must ensure that you copy both the FSCM and HCM versions of the Employee role to
ensure that your custom role will be available in the Application Roles list of values on the Page Integration user
interface.
Resources should not be granted directly to roles. Any resources that were granted to reference roles in Release 11
are removed in Release 12.
In Release 12, HCM REST resources are granted to reference privileges, which are granted to reference job roles.
Review the Release 12 REST API documentation on the Oracle Help Center at https://docs.oracle.com/en/ for
information about how HCM REST APIs are secured in Release 12.
If you are granting resources other than REST resources to reference roles, then contact Oracle to discuss your
requirements.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
If display names or descriptions of reference roles have been customized, then the display names and descriptions
will be reset to factory settings when you upgrade to Release 12.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
If reference roles have been deleted, then the roles will be reinstated when you upgrade to Release 12 if the roles
are part of the Release 12 Simplified Reference Role Model.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
If reference role categories have been changed, then the role categories will be reset to factory settings when you
upgrade to Release 12 if the roles are part of the Release 12 Simplified Reference Role Model.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
If reference role categories have been changed, then the role categories will be reset to factory settings when you
upgrade to Release 12 if the roles are part of the Release 12 Simplified Reference Role Model.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
If reference roles have been deleted, then the roles will be reinstated when you upgrade to Release 12 if the roles
are part of the Release 12 Simplified Reference Role Model.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
If reference role categories have been deleted, then the role categories will be reinstated when you upgrade to
Release 12.
Privilege Customizations
The Privilege Customizations tab shows:
» Resources Added to Reference Privileges
» Resources Removed from Reference Privileges
» Reference Privileges Modified
» Reference Privileges Deleted
The privileges reported here are function security privileges. They are called Entitlements in Authorization Policy
Manager. The information in this section of the report is for information only.
Oracle does not recommend that reference privileges be modified. However, in some situations we have provided
workarounds to bugs that involve the addition or removal of resources from reference privileges. These bugs should
be fixed in Release 12, and the workarounds should no longer be necessary.
In Release 12, you cannot modify reference function security privileges, nor can you create custom function security
privileges.
If resources have been added to reference privileges, then the resource permission grants will be reset to factory
settings when you upgrade to Release 12.
If you are happy for these customizations to be reset during the upgrade, then no action is necessary. If you are
unsure why the customizations in this section of the report were made, then contact Oracle for guidance.
If resources have been removed from reference privileges, then the resource permission grants will be reset to
factory settings when you upgrade to Release 12.
If you are happy for these customizations to be reset during the upgrade, then no action is necessary. If you are
unsure why the customizations in this section of the report were made, then contact Oracle for guidance.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
If privileges have been deleted, then the privileges will be reinstated if they are part of the Release 12 Simplified
Reference Role Model when you upgrade to Release 12.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
Resource Customizations
The Resource Customizations tab shows:
If resources have been modified, then the resource definitions will be reset to factory settings when you upgrade to
Release 12.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
If resources have been deleted, then the resources will be reinstated if they are part of the Release 12 Simplified
Reference Role Model when you upgrade to Release 12.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
If resource types have been modified, then the resource type definitions will be reset to factory settings when you
upgrade to Release 12.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
If resource types have been deleted, then the resource type definitions will be reinstated if they are part of the
Release 12 Simplified Reference Role Model when you upgrade to Release 12.
Any customizations that are reported in this section of the report are for information only. You do not need to take
any actions before your upgrade to Release 12.
» Describes how both predefined and custom roles are migrated to Release 12.
» Identifies roles and privileges that are added, updated, or deleted during the upgrade to Release 12.
Enterprise Roles, Application Roles, and the Simplified Reference Role Model
Before Release 12, two types of roles existed:
» Enterprise roles
» Application roles
You created enterprise roles in Oracle Identity Manager and application roles in Authorization Policy Manager. You
could also create both types of roles on the Security Console. You set Role Source to External role for an
enterprise role and Application role for an application role.
Figure 2-1. Selecting the Role Source on the Release 11 Security Console
The Simplified Reference Role Model was introduced in Release 10. In Releases 10 and 11, each predefined job
and abstract role in the Simplified Reference Role Model was represented as two separate roles: an enterprise job
role (the EJR) and an application job role (the AJR). The EJR inherited the AJR. Predefined AJRs were
distinguishable from predefined EJRs by the ORA_ prefix of the AJR role code. In addition, AJR role names on the
Security Console had the suffix (Application role).
For example, this is how the predefined Benefits Specialist job role appeared in Release 11.
Figure 2-3. The Release 11 Benefits Specialist Enterprise and Application Roles in the Security Console Visualizer
If you were initially provisioned with Oracle HCM Cloud Release 9 or earlier, then you may not be using the
Simplified Reference Role Model. You may still be using the predefined Benefits Specialist role that was delivered in
Release 9, for example. In that case, your predefined Benefits Specialist job role looks like this:
If you have not yet migrated your predefined Release 9 roles to the Simplified Reference Role Model, then you will
have two versions of each of the predefined job and abstract roles in Release 11, as shown in Figure 2-6. The role
on the left is the role that was delivered in Release 9. This role is the EJR. It inherits the duty roles that were
delivered in Release 9. The role on the right is the role that was first delivered in Release 10. This role is the AJR. It
inherits the duty roles and aggregate privileges that were first delivered in Release 10.
To migrate a Release 9 job role to the Simplified Reference Role Model in Release 10 or 11, you remove the child
duty roles from the enterprise job role (EJR) on the left, and hook the application job role (AJR) on the right up to the
EJR on the left.
If you have not already done so, and you want to migrate your Release 9 roles to the Simplified Reference Role
Model before you upgrade to Release 12, then follow the instructions in the Release 10 HCM Security Upgrade
Guide. The instructions in the Release 10 HCM Security Upgrade Guide apply to Oracle HCM Cloud Releases 10
and 11. They do not apply to Oracle HCM Cloud Release 12.
Note that you are not required to migrate all of your Release 9 roles to the Simplified Reference Role Model before
you upgrade to Release 12. However, you must migrate your IT Security Manager job role to the Simplified
Reference Role Model before running the Security Customization Report during your Release 12 preupgrade
activities.
Your old Release 9 roles will continue to work after your upgrade to Release 12. However, as was the case in
Releases 10 and 11, if you are still using predefined job roles that were delivered in Release 9, then you will not get
For example, the Release 9 version of the IT Security Manager job role does not have full access to the Security
Customization Report that was delivered in the Release 11 February Quarterly Update Bundle. Therefore, you will
need to migrate your IT Security Manager job role to the Simplified Reference Role Model before attempting to run
the Security Customization Report. We recommend that all Oracle HCM Cloud customers run this report as part of
their Release 12 upgrade preparations.
As mentioned earlier, if you are using the Simplified Reference Role Model, then your predefined Benefits Specialist
job role is represented as two separate roles:
As you can see in Figure 2-7, since this role is a predefined role, it is colored pink and it inherits privileges,
aggregate privileges, and duty roles.
The Benefits Specialist job role inherits roles from the hcm and obi application stripes.
In Release 12, all of the roles, aggregate privileges, and function security privileges that are directly inherited by the
Benefits Specialist AJR are shown in a single, consolidated view on the Security Console. Therefore, you will see
both hcm and obi roles. If hcm and obi roles and aggregate privileges have the same display names, then you will
see what may appear to be duplicates in the Visualizer. For example, in the Benefits Specialist role shown in Figure
2-7, you can see two Benefits Elections, Benefits Enrollment Maintenance, and Person Management roles and two
Manage Fast Formula aggregate privileges.
In Figure 2-8, the hcm roles and privileges have been highlighted in yellow and the obi roles and privileges have
been highlighted in green.
Figure 2-9. Tabular View of the Release 12 Benefits Specialist Job Role Showing Role Codes
In the example shown in Figure 2-10, you can see that the Human Resource Manager EJR still exists and is colored
green. It inherits the Human Resource Manager AJR, which is pink.
It also inherits a Human Resource Analyst AJR (also pink). Before the upgrade to Release 12, the Human
Resource Analyst AJR had been hooked up to the Human Resource Manager EJR. This is the EJR customization.
Customizations to predefined EJRs are preserved when you upgrade to Release 12. Customizations to other
security artifacts that form part of the Simplified Reference Role Model, such as AJRs, duty roles, aggregate
privileges, function security privileges, resources, and data security policies are reset to factory settings during the
upgrade.
If the role codes of custom EJRs and AJRs are different, then no collapsing occurs, even if the role names are the
same. In this scenario, you will see two roles with the same name, and you will need to use the role codes to
distinguish between the roles.
The HCM Data Roles UI generated three new application roles in Release 11:
The data security policies for the data role that were generated by the HCM Data Roles UI were created against the
three application roles listed above.
Following the upgrade to Release 12, the structure of the custom data role is preserved and the hcm, fscm, and
crm application roles that were generated by the HCM Data Roles UI are shown in a single, consolidated view on
the Security Console. The data security policies are still against the three application roles that were generated by
the HCM Data Roles UI.
When new HCM data roles are created using the HCM Data Roles UI in Release 12, the data security policies are
generated against the data role itself, and child application roles are no longer created.
In Release 11, the Compensation Analyst EJR (CMP_COMPENSATION_ANALYST_JOB) inherits two enterprise
roles, Transactional Business Intelligence Worker and Business Intelligence Applications Worker.
These roles are visible when you view the hcm application stripe on the Security Console, together with a
Compensation Analyst AJR (ORA_CMP_COMPENSATION_ANALYST_JOB).
Figure 2-12. The Compensation Analyst EJR on the Release 11 Security Console
The Compensation Analyst AJR (ORA_CMP_COMPENSATION_ANALYST_JOB) inherits the hcm duty role
Compensation Transaction Analysis (FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY_HCM).
In the obi application stripe, the Compensation Analyst EJR (CMP_COMPENSATION_ANALYST_JOB) inherits the
obi duty role Compensation Transaction Analysis Duty
(FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY). It also inherits a BI Author application role.
Because Transactional Business Intelligence Worker and Business Intelligence Applications Worker are enterprise
roles, they show up as children of the Compensation Analyst EJR in both the hcm and the obi views on the Security
Console. However, the application roles that these BI enterprise roles inherit are both obi application roles, and they
are visible only when you view the obi stripe on the Security Console.
Figure 2-14. The Compensation Analyst AJR on the Release 11 Security Console in the OBI Stripe
During the upgrade to Release 12, the Compensation Analyst EJR is collapsed into the AJR and the obi and hcm
roles are all inherited directly by the single Compensation Analyst role. All roles are now visible in one view, and the
role structure is much simpler.
Figure 2-16. The Compensation Analyst Job Role After the Upgrade to Release 12
Transactional Business Intelligence Worker and Business Intelligence Applications Worker are colored green
because they are no longer delivered in Release 12. They are treated as custom roles immediately following the
upgrade to Release 12. After the first Release 12 Quarterly Update Bundle is applied, these roles should be deleted
and the Transaction Analysis Duty and Business Intelligence Applications Analysis Duty roles should be inherited
directly by the Compensation Analyst job role.
Figure 2-18. The Release 9 Human Resource Specialist Job Role After the Upgrade to Release 12
Figure 2-19. The Release 10 Human Resource Specialist AJR After the Upgrade to Release 12
The section Upgrade of BI Roles to Release 12 of this guide explains that Oracle HCM Cloud delivers pairs of
Transaction Analysis duty roles for use with OTBI. In Release 9, these roles had the same role names but different
role codes. For example:
The transaction analysis duty roles that were delivered in the obi application stripe in Release 9 are still delivered as
reference roles in Release 12. The transaction analysis duty roles that were delivered in the hcm application stripe
in Release 9 are no longer delivered as reference roles in Release 12. They were replaced by new ORA_ roles
when the Simplified Reference Role Model was introduced in Release 10. Consequently, when a predefined
Release 9 role that inherits transaction analysis duty roles is upgraded to Release 12, the obi roles are colored pink
and the hcm roles are colored green.
For example, the predefined Release 9 Human Resource Analyst job role inherits several of these OTBI duty roles:
Special Cases
Predefined Release 9 EJR Inherits New AJR After Upgrade to Release 12
This case affects only those customers who were initially provisioned with Oracle HCM Cloud Release 9 or earlier
and have not migrated their predefined Release 9 roles to the Simplified Reference Role Model.
Predefined Release 9 job roles that have not been migrated to the Simplified Reference Role Model should not
inherit any AJRs. AJRs were first delivered in Release 10, and those that were delivered in Release 10 were
delivered orphaned when customers upgraded from Release 9 to Release 10. They were not automatically hooked
up to any EJRs. However, during the upgrades to Release 11 and Release 12, some Release 9 EJRs inherit new
AJRs in non-hcm application stripes. The AJRs in these application stripes were new in Release 11 or Release 12
and were automatically hooked up to the EJRs during the Release 11 and Release 12 upgrades. One HCM job role
that is affected by this upgrade behavior is the Human Resource Analyst job role. Following the upgrade to Release
12, the Human Resource Analyst EJR could be displayed as shown in Figure 2-21.
Figure 2-21. The Release 9 Human Resource Analyst Job Role After Upgrade to Release 12
In Release 12, the Security Console shows all application stripes in a single view. Therefore, this newly introduced
AJR is now more visible.
If you expand the AJR, you see that it inherits one aggregate privilege:
Figure 2-22. Expanding the Newly Introduced Human Resource Analyst AJR
If you look at the details of the Human Resource Analyst AJR by right-clicking and selecting Edit, then you see that
the role code is ORA_PER_HUMAN_RESOURCE_ANALYST_JOB. If you switch to the tabular view of the role
hierarchy and enter ORA_PER_HUMAN_RESOURCE_ANALYST at the top of the Inherited by Role Code
column, then you can see that the Access Person Gallery aggregate privilege that is granted to this AJR has a role
code of ORA_PER_WORKER_GALLERY_SEARCH_DUTY_FSCM. The _FSCM suffix indicates that this
aggregate privilege is in the fscm application stripe.
Figure 2-23. Tabular View of the Roles Inherited by the Human Resource Analyst Job Role in the FSCM Stripe
Figure 2-24. Tabular View of the Access Person Gallery Aggregate Privilege
Oracle HCM Cloud Release 9 EJRs that may have gained AJRs during the Release 11 upgrade are:
PER_HUMAN_RESOURCE_ANALYST_JOB fscm
ASE_IT_AUDITOR_JOB fscm
Oracle HCM Cloud Release 9 EJRs that may have gained AJRs during the Release 12 upgrade are:
BEN_BENEFITS_MANAGER_JOB crm
BEN_BENEFITS_SPECIALIST_JOB crm
PER_HUMAN_RESOURCE_ANALYST_JOB crm
PER_RECRUITING_ADMINISTRATOR_JOB fscm
Set Focus on an AJR That Has Been Added to a Predefined Release 9 EJR
Figure 2-25 shows an example of a predefined Employee EJR that has been upgraded to Release 12. An AJR has
been added (colored pink). It inherits Attachments User and BPM Worklist Internal Role application roles from the
IDCCS and soa-infra application stripes.
If you select Set as Focus on this Employee AJR, then the Security Console shows the AJR and its inherited roles
from all application stripes. The Security Console always shows a consolidated view of an AJR across all application
stripes when you set focus on, search for, or edit an AJR.
Renamed Roles
These roles are renamed during the upgrade to Release 12. No action is required.
New Roles
These roles are new in Release 12.
Role-Hierarchy Changes
The child roles in Table 2-6, some of which are new in Release 12, are added to the specified parent role in Release
12. If you have made custom versions of the parent roles, then you may want to apply these changes to your
custom roles.
ORA_HRA_PERFORMANCE_MGT_HR_SPECIALIST_DUTY ORA_HRA_VIEW_PERFORMANCE_SUMMARY
ORA_HRA_PERFORMANCE_MGT_LINE_MANAGER_DUTY ORA_HRA_VIEW_PERFORMANCE_SUMMARY
ORA_HRA_PERFORMANCE_MGT_WORKER_DUTY ORA_HRA_VIEW_PERFORMANCE_SUMMARY
ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB ORA_HXT_MANAGE_WORKER_CORE_PROCESSING_SETUP_PROFILE
ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB ORA_HXT_MANAGE_WORKER_TIME_ENTRY_SETUP_PROFILE
ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB ORA_HXT_MANAGE_WORKER_CORE_PROCESSING_SETUP_PROFILE
ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB ORA_HXT_MANAGE_WORKER_TIME_ENTRY_SETUP_PROFILE
ORA_HXT_TIME_AND_LABOR_MANAGER_JOB ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB
ORA_PAY_COMMON_HCM_IMPLEMENTION_DUTY ORA_PAY_ELEMENT_ENTRY_MANAGEMENT_DUTY
ORA_PAY_OUTBOUND_INTERFACE_DUTY ORA_PAY_ADMINISTRATION_WA_MANAGEMENT_DUTY
ORA_PAY_PAYROLL_CALC_VALIDATION_BALANCE_ADMINISTRATION_DUTY ORA_PAY_PAYROLL_PERSON_LEVEL_ADMINISTRATION_DUTY
ORA_PAY_PAYROLL_IMPLEMENTATION_DUTY ORA_PAY_ELEMENT_ENTRY_MANAGEMENT_DUTY
ORA_PAY_PAYROLL_IMPLEMENTATION_VIEW_DUTY ORA_PAY_FAST_FORMULA_MANAGEMENT_DUTY
ORA_PAY_PAYROLL_MANAGER_JOB ORA_PAY_PAYROLL_ADMINISTRATOR_JOB
ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_EDIT_PERSON_CAREER_PLANNING
ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_EDIT_PERSON_SKILLS_AND_QUALIFICATIONS
ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_VIEW_PERSON_CAREER_PLANNING
ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_VIEW_PERSON_SKILLS_AND_QUALIFICATIONS
ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_PER_MANAGE_PERSON_DISABILITY_BY_WORKER
ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_EDIT_PERSON_CAREER_PLANNING
ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_EDIT_PERSON_SKILLS_AND_QUALIFICATIONS
ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_VIEW_PERSON_CAREER_PLANNING
ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_VIEW_PERSON_SKILLS_AND_QUALIFICATIONS
ORA_PER_EMPLOYEE_ABSTRACT ORA_HRX_CA_EMPLOYEE_DUTY
ORA_PER_EMPLOYEE_ABSTRACT ORA_PER_MANAGE_PERSON_DISABILITY_BY_WORKER
ORA_PER_HUMAN_RESOURCE_ANALYST_JOB ORA_PER_WORKFORCE_CONFIDENTIAL_VIEWING_DUTY
ORA_PER_HUMAN_RESOURCE_MANAGER_JOB ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_EDIT_PERSON_CAREER_PLANNING
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_EDIT_PERSON_SKILLS_AND_QUALIFICATIONS
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_VIEW_PERSON_CAREER_PLANNING
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_VIEW_PERSON_SKILLS_AND_QUALIFICATIONS
ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_EDIT_PERSON_CAREER_PLANNING
ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_EDIT_PERSON_SKILLS_AND_QUALIFICATIONS
ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_VIEW_PERSON_CAREER_PLANNING
ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_VIEW_PERSON_SKILLS_AND_QUALIFICATIONS
The child roles in Table 2-7 are removed from their parent roles during the upgrade to Release 12. If you have made
custom versions of the parent roles, then you may want to apply these changes to your custom roles.
ORA_HMO_WORKFORCE_MODEL_PLAN_EDIT_DUTY ORA_HWP_WORKER_PREDICTION_REPORTING_DUTY
ORA_HMO_WORKFORCE_MODEL_PLAN_MANAGEMENT_DUTY ORA_HWP_WORKER_PREDICTION_REPORTING_DUTY
ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_PORTRAIT_CAREER_PLANNING_DUTY
ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_PORTRAIT_DEV_GROWTH_DUTY
ORA_PER_CONTINGENT_WORKER_ABSTRACT ORA_HRT_PORTRAIT_EXP_QUALIFICATIONS_DUTY
ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_PORTRAIT_CAREER_PLANNING_DUTY
ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_PORTRAIT_DEV_GROWTH_DUTY
ORA_PER_EMPLOYEE_ABSTRACT ORA_HRT_PORTRAIT_EXP_QUALIFICATIONS_DUTY
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_ANC_ABSENCE_CERTIFICATION_PROCESSING_DUTY
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_PORTRAIT_CAREER_PLANNING_DUTY
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_PORTRAIT_DEV_GROWTH_DUTY
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ORA_HRT_PORTRAIT_EXP_QUALIFICATIONS_DUTY
ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_PORTRAIT_CAREER_PLANNING_DUTY
ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_PORTRAIT_DEV_GROWTH_DUTY
ORA_PER_LINE_MANAGER_ABSTRACT ORA_HRT_PORTRAIT_EXP_QUALIFICATIONS_DUTY
ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_CREATE_USER_ACCOUNT_PRIV
ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_DELETE_USER_ACCOUNT_PRIV
ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_EDIT_USER_ACCOUNT_PRIV
ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_ENABLE_DATABASE_RESOURCE_MGMT_PRIV
ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_PASSWORD_EXPIRY_ESS_JOB_PRIV
ORA_ASE_SECURITY_MANAGEMENT_DUTY ASE_VIEW_USER_ACCOUNT_PRIV
ORA_ASE_SECURITY_REPORTING_DUTY ASE_AUDIT_REPORT_ACCESS_DETAILS_REPORT_PRIV
ORA_ASE_SECURITY_REPORTING_DUTY ASE_ROLE_DEF_UPDATES_AUDIT_REPORT_PRIV
ORA_ASE_SECURITY_REPORTING_DUTY ASE_ROLE_USER_MEMBERSHIP_AUDIT_REPORT_PRIV
ORA_ASE_SECURITY_REPORTING_DUTY ASE_USER_ACCOUNT_DEF_CHANGES_AUDIT_REPORT_PRIV
ORA_ASE_SECURITY_REPORTING_DUTY ASE_USER_PASSWORD_CHANGES_AUDIT_REPORT_PRIV
ORA_ASE_SECURITY_REPORTING_DUTY ASE_USER_ROLE_MEMBERSHIP_AUDIT_REPORT_PRIV
ORA_ASE_SECURITY_REPORTING_DUTY ASE_VIEW_USER_ACCOUNT_PRIV
ORA_BEN_BENEFITS_ADMINISTRATOR_JOB EHW_MANAGE_WELLNESS_PROGRAM_PRIV
ORA_BEN_BENEFITS_ADMINISTRATOR_JOB EHW_MANAGE_WELLNESS_TRACKING_SERVICE_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_MANAGE_BENEFIT_COVERAGE_CHARGES_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_MANAGE_BENEFIT_MAINTENANCE_BATCH_REPORTING_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_MANAGE_BENEFITS_EXTRACT_PROCESS_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_MANAGE_REOPEN_LIFE_EVENTS_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RECORD_BENEFIT_COVERAGE_PAYMENTS_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RESTART_ACTION_ITEM_CLOSURE_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RESTART_DEFAULT_BENEFITS_ENROLLMENT_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RESTART_ENROLLMENT_CLOSURE_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_ASSIGN_LIFE_PROCESS_PRIV_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_BACKOUT_LIFE_EVENTS_PROCESS_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_BENEFIT_BILLING_PROCESSES_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_CLOSE_ENROLLMENTS_PROCESS_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_DEFAULT_ENROLLMENT_PROCESS_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_LIFE_EVENT_PARTICIPATION_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_ABSENCE_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_LIFE_EVENT_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_SCHEDULED_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_SELECTION_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_TEMPORAL_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_UNRESTRICTED_PRIV
ORA_BEN_BENEFITS_ENROLLMENT_MAINTENANCE_DUTY BEN_RUN_PARTICIPATION_PROCESS_UNRESTRICTED_RECALCULATE_PRIV
ORA_CMP_COMPENSATION_ADMINISTRATOR_JOB FND_APP_MANAGE_APPLICATION_MESSAGE_PRIV
ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB ANC_MANAGE_LEAVE_AGREEMENTS_PRIV
ORA_HRX_CA_EMPLOYEE_DUTY HRX_UPDATE_CA_TD1_PRIV
ORA_HRY_PAYROLL_COORDINATOR_JOB PAY_CALC_RATE_PRIV
ORA_PAY_PAYROLL_MANAGER_JOB ANC_SCHEDULE_ACCRUAL_PROCESS_PRIV
ORA_PAY_PAYROLL_MANAGER_JOB PAY_CALC_RATE_PRIV
ORA_PER_CONTINGENT_WORKER_ABSTRACT HWR_WRSA_USER_PRIV
ORA_PER_EMPLOYEE_ABSTRACT EHW_MANAGE_MY_WELLNESS_PRIV
ORA_PER_EMPLOYEE_ABSTRACT FND_RECORD_AND_VIEW_ISSUE_PRIV
ORA_PER_EMPLOYEE_ABSTRACT HWR_WRSA_USER_PRIV
ORA_PER_HUMAN_RESOURCE_ANALYST_JOB PER_VIEW_ASSIGNMENT_RESPONSIBILITY_PRIV
ORA_PER_HUMAN_RESOURCE_ANALYST_JOB PER_VIEW_RESPONSIBILITY_ASSIGNMENT_PRIV
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB ANC_MANAGE_LEAVE_AGREEMENTS_PRIV
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB HRT_RUN_TALENT_PROFILE_SUMMARY_REPORT_PRIV
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_CORRECT_INVALID_SUPERVISOR_RELATIONSHIPS_PRIV
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_MAINTAIN_ASSIGNMENT_RESPONSIBILITY_PRIV
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_MANAGE_ASSIGNMENT_RESPONSIBILITY_PRIV
ORA_PER_LINE_MANAGER_ABSTRACT CMP_APPROVE_INDIVIDUAL_COMPENSATION_AWARD_PRIV
ORA_PER_LINE_MANAGER_ABSTRACT CMP_APPROVE_SALARY_UPDATES_PRIV
ORA_PER_LINE_MANAGER_ABSTRACT HRT_RUN_TALENT_PROFILE_SUMMARY_REPORT_PRIV
ORA_PER_MANAGE_PERSON_DISABILITY_BY_WORKER PER_MANAGE_PERSON_DISABILITY_BY_WORKER_PRIV
ORA_PER_PENDING_WORKER_HIRE_DUTY PER_CORRECT_ERRORED_PENDING_WORKER_PRIV
TABLE 2-10. FUNCTION SECURITY PRIVILEGES DELETED DURING THE UPGRADE TO RELEASE 12
TABLE 2-12. FUNCTION SECURITY PRIVILEGES REMOVED FROM JOB, ABSTRACT, AND DUTY ROLES
ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB HWM_ANALYZE_TIME_RULE_PROCESSING_DETAILS_PRIV
ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB HXT_MANAGE_WORKER_TIME_ENTRY_PROFILES_PRIV
ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB HXT_MANAGE_WORKER_TIME_PROCESSING_PROFILES_PRIV
ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB PER_COPY_PERSONAL_DATA_TO_LDAP_PRIV
ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB PER_SEND_USER_NAME_REQUEST_PRIV
ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_INTEGRATION_SPECIALIST_JOB PER_REST_SERVICE_ACCESS_EMPLOYEES_PRIV
ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_INTEGRATION_SPECIALIST_JOB PER_REST_SERVICE_ACCESS_TALENT_PROFILES_PRIV
ORA_HRG_GOAL_MGT_HR_SPECIALIST_DUTY HRG_MANAGE_DEVELOPMENT_GOAL_OF_OTHERS_PRIV
ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB HXT_MANAGE_WORKER_TIME_ENTRY_PROFILES_PRIV
ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB HXT_MANAGE_WORKER_TIME_PROCESSING_PROFILES_PRIV
ORA_HXT_TIME_AND_LABOR_ADMINISTRATOR_JOB PAY_MANAGE_HCM_BUSINESS_RULE_PRIV
ORA_PAY_COMMON_IMPLEMENTION_DUTY PAY_MANAGE_PAYROLL_ELEMENT_ENTRY_PRIV
ORA_PAY_PAYROLL_CALC_VALIDATION_BALANCE_ADMINISTRATION_DUTY PAY_PROCESS_INDIVIDUAL_PAYROLL_BALANCE_ADJUSTMENTS_PRIV
ORA_PAY_PAYROLL_IMPLEMENTATION_DUTY PAY_MANAGE_PAYROLL_ELEMENT_ENTRY_PRIV
ORA_PAY_PAYROLL_IMPLEMENTATION_VIEW_DUTY PAY_MANAGE_HCM_BUSINESS_RULE_PRIV
ORA_PER_CONTINGENT_WORKER_ABSTRACT HRT_FUSE_PERFORMANCE_AND_CAREER_PLANNING_PRIV
ORA_PER_CONTINGENT_WORKER_ABSTRACT PER_MANAGE_PERSON_DOCUMENTATION_PRIV
ORA_PER_CONTINGENT_WORKER_ABSTRACT PER_VIEW_PERSON_GALLERY_PORTRAIT_PRIV
ORA_PER_EMPLOYEE_ABSTRACT HRT_FUSE_PERFORMANCE_AND_CAREER_PLANNING_PRIV
ORA_PER_EMPLOYEE_ABSTRACT PER_MANAGE_PERSON_DOCUMENTATION_PRIV
ORA_PER_EMPLOYEE_ABSTRACT PER_VIEW_PERSON_GALLERY_PORTRAIT_PRIV
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB CMP_VIEW_COMPENSATION_HISTORY_PRIV
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB HRA_VIEW_WORKER_PERFORMANCE_MANAGEMENT_DOCUMENT_PRIV
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_COPY_PERSONAL_DATA_TO_LDAP_PRIV
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_SEND_USER_NAME_REQUEST_PRIV
ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB PER_VIEW_PERSON_GALLERY_PORTRAIT_PRIV
ORA_PER_LINE_MANAGER_ABSTRACT CMP_VIEW_COMPENSATION_HISTORY_PRIV
ORA_PER_LINE_MANAGER_ABSTRACT PER_COPY_PERSONAL_DATA_TO_LDAP_PRIV
ORA_PER_LINE_MANAGER_ABSTRACT PER_SEND_USER_NAME_REQUEST_PRIV
ORA_PER_LINE_MANAGER_ABSTRACT PER_VIEW_PERSON_GALLERY_PORTRAIT_PRIV
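One way to find which custom roles still hold members that Release 12 removes from the predefined role they were copied from, using a few rows of Table 2-7 and Table 2-12 (an added example, not part of the Oracle guide; the CSV layout, the ACME_ role codes, and the function names are constructed for illustration):

```python
import csv
import io

# Rows copied from Table 2-7 on this page (a subset):
# (predefined parent role, child role removed from it in Release 12).
REMOVED_CHILD_ROLES = [
    ("ORA_PER_LINE_MANAGER_ABSTRACT", "ORA_HRT_PORTRAIT_CAREER_PLANNING_DUTY"),
    ("ORA_PER_LINE_MANAGER_ABSTRACT", "ORA_HRT_PORTRAIT_DEV_GROWTH_DUTY"),
    ("ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB",
     "ORA_ANC_ABSENCE_CERTIFICATION_PROCESSING_DUTY"),
]

# Rows copied from Table 2-12 on this page (a subset):
# (predefined role, function security privilege removed from it).
REMOVED_PRIVILEGES = [
    ("ORA_PER_LINE_MANAGER_ABSTRACT", "CMP_VIEW_COMPENSATION_HISTORY_PRIV"),
    ("ORA_PER_LINE_MANAGER_ABSTRACT", "PER_COPY_PERSONAL_DATA_TO_LDAP_PRIV"),
    ("ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB", "PER_SEND_USER_NAME_REQUEST_PRIV"),
]

# Constructed sample: one row per direct member of a custom role. The column
# layout and the ACME_ role codes are assumptions, not an Oracle export format.
CUSTOM_ROLE_EXPORT = """\
custom_role,copied_from,member
ACME_LINE_MANAGER_CUSTOM,ORA_PER_LINE_MANAGER_ABSTRACT,ORA_HRT_PORTRAIT_CAREER_PLANNING_DUTY
ACME_LINE_MANAGER_CUSTOM,ORA_PER_LINE_MANAGER_ABSTRACT,CMP_VIEW_COMPENSATION_HISTORY_PRIV
ACME_LINE_MANAGER_CUSTOM,ORA_PER_LINE_MANAGER_ABSTRACT,CMP_APPROVE_SALARY_UPDATES_PRIV
ACME_HR_SPECIALIST_CUSTOM,ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB, ora_anc_absence_certification_processing_duty
ACME_HR_SPECIALIST_CUSTOM,ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB,PER_SEND_USER_NAME_REQUEST_PRIV
ACME_PAYROLL_CUSTOM,ORA_PAY_PAYROLL_MANAGER_JOB,CMP_VIEW_COMPENSATION_HISTORY_PRIV
"""


def index_by_parent(rows):
    """Group table rows as {parent role: {removed member, ...}}."""
    index = {}
    for parent, member in rows:
        index.setdefault(parent, set()).add(member)
    return index


def pending_removals(export_text):
    """Return {custom role: [(kind, member), ...]} for members the custom role
    still holds although Release 12 removes them from the role it was copied from."""
    removed = {
        "child role": index_by_parent(REMOVED_CHILD_ROLES),
        "privilege": index_by_parent(REMOVED_PRIVILEGES),
    }
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        # Role codes are compared upper-cased and trimmed so that a hand-edited
        # export does not hide a match.
        custom = row["custom_role"].strip().upper()
        source = row["copied_from"].strip().upper()
        member = row["member"].strip().upper()
        for kind, index in removed.items():
            # Match only against the predefined role this copy came from: the
            # same privilege on a copy of another role is not part of the change.
            if member in index.get(source, set()):
                findings.setdefault(custom, set()).add((kind, member))
    return {role: sorted(items) for role, items in findings.items()}


if __name__ == "__main__":
    for role, items in sorted(pending_removals(CUSTOM_ROLE_EXPORT).items()):
        for kind, member in items:
            print(f"{role}: remove {kind} {member}")
```

The result is a worklist only; the removals themselves are made on the custom roles in the Security Console, followed by role regeneration where security profiles are assigned.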
Figure 2-27. Role Code on the Manage Data Roles and Security Profiles Page
Having the role code visible enables you to identify roles correctly before you include them in data roles. During the
upgrade to Release 12, the enterprise job role (EJR) and application job role (AJR) are merged to provide one
application job role. However, this merging does not occur:
If you select a role to include in a data role when a data role already exists for a job role with the same job role name
but a different code, then a warning message appears. This message is to ensure that you select the correct job
role.
Once the Retrieve Latest LDAP Changes process completes successfully, you can run the next process.
Figure 3-3. Submitting the Import User and Role Application Security Data Process
5. Click OK to close the confirmation message.
6. On the Scheduled Processes page, click the Refresh icon to update the process status. Once the Import
User and Role Application Security Data process completes successfully, you can continue with the post-
upgrade tasks.
After the upgrade to R12 is completed, security administrators must review the setup of user lifecycle management
in the Security Console. The following activities must be undertaken:
Note: Activities 1, 2, and 3 are not required if you have set up Single Sign-On (SSO) federation with an external
Identity Provider (IdP).
All tasks listed below must be performed through the Security Console, which may be accessed in the following
ways:
» Use the Manage Job Roles task in the Setup and Maintenance work area.
» Select Navigator - Tools - Security Console.
Users must be assigned the IT Security Manager role to access the Security Console.
Starting in Release 12, the Security Console can be used to manage password expiration. Upon upgrade to R12,
each user’s password creation date will be set to the day of upgrade, and the password expiration date will be set to
90 days from the password creation date.
Any custom expiration duration requested through an Oracle Service Request, as defined in MOS Doc ID
2081847.1, will also be reset to 90 days.
Example: if upgrade occurs on DAY 1, then the password expiration date will be set to DAY 1+90.
After upgrading to R12, go to the Security Console > Administration > General tab. Under Password Policy, set the
Days Before Password Expiration value to the required duration (in days).
Starting in R12, the Security Console can be used to manage the password-expiration warning.
Upon upgrade to R12, each user’s password expiration warning date will be set to 80 days from the upgrade date
(that is, 10 days before the password expiration date, based on the default value of 90 days set for password
expiration).
Any custom password warning duration, requested through an Oracle Service Request, will also be reset to the
default value of 80 days from the upgrade date.
Example: if upgrade occurs on DAY 1, then the password expiration will be DAY 1 + 90 and the password expiration
warning date will be set to DAY 1 + 80 (that is, 10 days before the default password expiration date set on upgrade).
A password expiration warning will be enabled on upgrade. If the password expiration warning was disabled through
an Oracle Service Request, then this will be overridden.
After upgrading to R12, go to the Security Console > Administration > General tab. Under Password Policy, set the
Days Before Password Expiry Warning value to the required duration (in days).
You can also disable the password expiration warning or customize the notification template associated with the
password expiration warning. Go to Security Console > Administration > Notifications. Select the active template
associated with the Password expiry warning event and deselect the Enabled check box.
Starting in R12, you can use the Security Console to specify the complexity of generated passwords by choosing
from a list of predefined policies. Once you upgrade to R12, the predefined Simple password-complexity rule will be
selected by default. That is, the password must be at least 8 characters long and contain at least 1 digit.
Any custom password complexity policy requested through an Oracle Service Request, as defined in MOS Doc ID
2081847.1, will also be reset to Simple.
After upgrading to R12, go to the Security Console > Administration > General tab and choose one of the three
password policies:
» Simple: Minimum of 8 characters, of which 1 must be a number
» Complex: Minimum of 8 characters, of which 1 must be uppercase and 1 must be a number
» Very Complex: Minimum of 8 characters, of which 1 must be uppercase, 1 must be a number, and 1 must be a
special character
The user-name rule Defined by Oracle Identity Management is not available in R12. Table 3-1 describes how user-
name generation rules are mapped in R12.
User-Name Generation Rule Before Upgrade to R12 | User-Name Generation Rule After Upgrade to R12
None | E-Mail
Any customization (through a Service Request) to user-name generation rules in OIM using Defined by Oracle
Identity Management will be reset to E-Mail.
What Needs to Be Done?
After upgrade to R12, go to the Security Console > Administration > General tab. Under User Preferences, select
one of the four user-name generation rules:
» FirstName.LastName
» E-Mail
» FLastName (first-name initial plus last name)
» Person or party number
Table 3-2 describes how the existing R11 notification templates (set up in Oracle Identity Management – OIM) are
mapped to R12 templates.
If customizations to the OIM templates were requested through a Service Request, then they will be preserved and
migrated to the corresponding R12 templates during upgrade. If all notification templates were disabled through a
Service Request, then all R12 templates will also be disabled.
To disable all notifications, deselect Enable notifications under Notification Preferences. Customers who have set
up Single Sign-On (SSO) federation with an external Identity Provider (IdP) must disable all notifications, since the
user lifecycle events are managed by the IdP.
Go to the Security Console > Administration > Notifications tab. Click the name of the template to be disabled.
Disable the template for the event by deselecting the Enabled check box, as shown in Figure 3-10.
Starting in R12, the Alternate Contact E-Mail Address on the Manage Enterprise HCM Information page will not be
available.
After upgrade to R12, go to the Security Console > Administration > Notifications tab. Manage templates as
described in Configure Notification Templates.
Starting in R12, these challenge questions are replaced by an e-mail that is sent to the user’s primary e-mail
address. This e-mail contains a notification message with a password-reset link. This reset link contains a token that
is, by default, valid for 4 hours from the time it was requested. In addition, the link cannot be reused once it has been
used to reset the password. See the sample notification in Figure 3-13.
Go to Security Console > Administration > General and set the Hours Before Password Reset Token Expiration
value.
Note: Whether you are using the predefined or custom versions of the affected roles, you must regenerate
associated data roles. You must also regenerate any affected abstract role to which security profiles are assigned.
How to regenerate roles is described on page 71.
Tip: Identify all changes that you want to apply to a single custom role (for example, custom line manager) and
make all of those changes at once before performing role regeneration.
The new aggregate privileges secure access to the following application resources and data:
TABLE 3-4. RESOURCES SECURED BY THE NEW AGGREGATE PRIVILEGES FOR GOAL MANAGEMENT
Manage Performance Goal by Worker | My Goals page | Worker’s own performance goals
Manage Performance Goal by Manager | My Team Goals page; Search Person feature on the My Organization panel | Performance goals for a line manager’s subordinates
Manage Performance Goal by HR | Administer Goals page; Mass Assign Goals page; Manage Goal Plans page; Manage Goal Plan Sets page | Performance goals for the workers in a Human Resource Specialist’s person security profile
Add these aggregate privileges to custom versions of the relevant job and abstract roles.
You may want to grant this privilege to custom versions of relevant job and abstract roles.
If this function security privilege is granted to a custom line manager role, then you need to remove it.
If these function security privileges are granted to any of your custom roles, then we recommend that you remove
them because they are no longer used. They will be deleted in a future release of Oracle HCM Cloud.
Note: Whether you are using the predefined or custom versions of the affected roles, you must regenerate
associated data roles. You must also regenerate any affected abstract role to which security profiles are assigned.
How to regenerate roles is described on page 70.
Tip: Identify all changes that you want to apply to a single custom role (for example, custom line manager) and
make all of those changes at once before performing role regeneration.
TABLE 3-9. RESOURCES SECURED BY THE NEW AGGREGATE PRIVILEGES FOR PROFILE MANAGEMENT
View Person Skills and Qualifications | View Skills and Qualifications page | Workers and assignments in a public person security profile
Edit Person Skills and Qualifications | Edit Skills and Qualifications page | The user’s own information (when granted to Employee or Contingent Worker roles); Subordinates in a person security profile (when granted to a Line Manager role); Workers in a person security profile (when granted to a Human Resource Specialist role)
View Person Career Planning | View Career Planning page | Workers and assignments in a public person security profile (when granted to Employee or Contingent Worker roles)
Edit Person Career Planning | Edit Career Planning page | The user’s own information; Subordinates in a person security profile (when granted to a Line Manager role); Workers in a person security profile (when granted to a Human Resource Specialist role)
Note: These aggregate privileges also secure access to the content on the Skills and Qualifications and Career
Planning tabs of the Person Spotlight page.
Add these aggregate privileges to custom versions of the relevant job and abstract roles.
TABLE 3-10. FUNCTION SECURITY PRIVILEGE REMOVED FROM EMPLOYEE AND CONTINGENT WORKER
If this function security privilege is granted to a custom employee or contingent worker role, then you need to
remove it.
1. Make custom versions of the job and abstract roles identified in Table 3-11, if you have not already done
so. Perform a shallow copy. Follow the instructions in the help topic Copying Job or Abstract Roles:
Procedure in the Customizing Security chapter.
2. Remove relevant function security privileges from your custom versions of the affected roles. Follow the
instructions in the help topic Editing Custom Job or Abstract Roles: Procedure in the Customizing Security
chapter. Table 3-11 identifies the affected job and abstract roles and the function security privileges to
remove:
3. If you have existing HCM data roles that inherit the predefined Human Capital Management Application
Administrator job role, then create new HCM data roles to inherit your custom version of the job role, as
appropriate. For information, see the HCM Data Roles and Security Profiles chapter.
4. Assign security profiles to your custom abstract roles, as appropriate. See the help topic Assigning
Security Profiles to Job and Abstract Roles: Procedure in the HCM Data Roles and Security Profiles
chapter.
5. Assign any new HCM data roles and custom abstract roles to users and revoke existing versions of the
roles. Edit role mappings, as appropriate, to replace existing and predefined roles with new and custom
versions. For information, see the Provisioning Roles to Application Users chapter.
If you already have a custom version of any of the affected roles, then you can:
1. Remove the specified function security privileges from your existing custom roles.
2. Regenerate any HCM data role or custom abstract role to which security profiles are assigned. See the
help topic Regenerating HCM Data Roles: Procedure in the Customizing Security chapter.
On the Edit Role: Functional Security Policies page, any function security privileges granted directly to the role
appear.
To remove a privilege from the role, select the privilege and click the Delete icon.
If you are editing a custom job or abstract role, then you make no changes to the data security policies. Click Next.
The Edit Role: Role Hierarchy page shows the job or abstract role and its inherited aggregate privileges and duty
roles. You can switch between tabular and graphical displays, as required.
Review the summary of changes and click Back to make any corrections.
Copyright © 2016, Oracle and/or its affiliates. All rights reserved.