
ERPWebTutor confidential

Fusion HCM Technical Training – Security Overview
An ERPWebTutor Presentation

ERPWebTutor – Virtually a live tutor with you visit us at www.erpwebtutor.com



Agenda
• Fusion HCM Security Concept
• Security Console – Features
• Create custom roles in Security Console
• Security Profiles
• HCM Data Roles
• Role Provisioning


Role Based Access Control (RBAC)

Role-based access control (RBAC) is a method of regulating access to
resources based on the roles of individual users within an enterprise. In this
context, access is the ability of an individual user to perform a specific task,
such as view, create, or modify data. Roles are defined according to job
competency, authority, and responsibility within the enterprise.

Security Model

• Users gain access to functions and data within the applications through
roles.
• All of a user’s roles are active concurrently.
• Users don’t need to select a specific role when they log in.


Role-based security in Oracle Fusion HCM controls WHO can perform WHAT on
WHICH data


Role Types
Oracle Fusion Applications use the following types of roles for security management:
Data Roles, Abstract Roles, Job Roles, Duty Roles, Aggregate Privileges

Abstract roles represent an employee’s role in the enterprise, independently of the job that
the worker is hired to do. Three abstract roles are delivered with Oracle Fusion HCM. These
are the Employee, Line Manager, and Contingent Worker. You can create custom abstract
roles. You assign abstract roles directly to users.

Job roles align with the job that a worker is hired to perform. (e.g. Human Resource
Analyst). You can create custom job roles. Typically, you include job roles in data roles and
assign those data roles to users.

Data role is a combination of an employee’s job and the data instances that users with the
role need access to. They aren’t delivered as part of the Security Reference Implementation
but are always locally defined. They are assigned directly to users.

Duty roles align with the individual duties that users perform as part of their job. Grant
access to work areas, dashboards, task flows, application pages, reports, batch programs
and so on. May carry both function and data security grants. Inherited by job and abstract
roles, and can also be inherited by other duty roles. Delivered as part of the Security
Reference Implementation, and can be used as building blocks for custom job and abstract
roles. Not assigned directly to users.

Aggregate privileges: an aggregate privilege is a predefined role that combines a single
function security privilege with related data security policies. You should not create, copy
or edit aggregate privileges, but you should use them as the building blocks for custom
roles. They are inherited directly by application job roles and application abstract roles only.
Aggregate privileges do not inherit other roles.


Security Hierarchy - Visual Representation


Predefined HCM Roles

For details see: Security Reference for Oracle HCM Cloud
(http://docs.oracle.com/cloud/latest/common/OAWPM/)


Security Console
• Introduced in Release 9
• Significant improvements in
Release 10 and 11
• Starting from Release 12, it is
the only means of managing
roles, completely replacing
Authorization Policy Manager
(APM)
• Typically, you copy a predefined
role and use it as a model for a
custom role
• Simulate the Navigator for a
user or role

The IT Security Manager role is required to access the Security Console


Security Console – Features

• Assisted Search
• Visualization
• Navigator Simulation
• Role Comparison
• Role Copy
  • All seeded roles start with ORA_
  • Seeded roles have been locked down and cannot be modified any more
• To identify all users who have a specific role



Example – Create Custom Line Manager Role


In this example we will create a custom Line Manager role. Line Managers should not
be able to hire or terminate employees.


Removing the Terminate Action – This will be done using Page Customization

• Step 1: Activate a Sandbox

• Step 2: Navigate to My Team and go to Customize Pages (set the appropriate
level at which you want to customize)
• Step 3: Click on the next to the name of any direct reports

• Step 4: Click on Configure Actions
• Step 5: Select Personal and Employment and deselect the checkbox next to
the Terminate action
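
The role-type inheritance rules and the Line Manager requirement above can be checked against the role grants themselves, independent of what a customized page displays. The following is an added example, not part of the original presentation or of Oracle's tooling; the role graph, the `EX_` role names and the privilege names are all constructed for illustration.

```python
# Added example: constructed role graph; every role and privilege name is hypothetical.
ROLES = {  # name: (type, inherited roles, function privileges granted directly)
    "EX_AGG_TERMINATE": ("aggregate", [], {"terminate_worker"}),
    "EX_DUTY_TEAM_MGMT": ("duty", [], {"view_team", "manage_goals"}),
    "EX_DUTY_HIRING": ("duty", ["EX_DUTY_TEAM_MGMT"], {"hire_worker"}),
    "EX_EMPLOYEE": ("abstract", [], {"view_own_record"}),
    "EX_LINE_MANAGER_CUSTOM": ("abstract", ["EX_DUTY_TEAM_MGMT", "EX_AGG_TERMINATE"], set()),
    "EX_HR_ANALYST_JOB": ("job", ["EX_DUTY_HIRING"], set()),
    "EX_HR_ANALYST_DATA": ("data", ["EX_HR_ANALYST_JOB"], set()),
}
USERS = {  # user: roles assigned directly
    "alice": ["EX_EMPLOYEE", "EX_LINE_MANAGER_CUSTOM"],
    "bob": ["EX_EMPLOYEE", "EX_HR_ANALYST_DATA", "EX_DUTY_HIRING"],
}

def effective_privileges(role, roles=ROLES, _seen=None):
    """Privileges a role grants directly or through its inheritance chain."""
    seen = set() if _seen is None else _seen
    if role in seen:  # already visited: guards against an inheritance cycle
        return set()
    seen.add(role)
    _type, inherited, direct = roles[role]
    privs = set(direct)
    for parent in inherited:
        privs |= effective_privileges(parent, roles, seen)
    return privs

def user_privileges(user, users=USERS, roles=ROLES):
    """All of a user's roles are active concurrently, so take the union."""
    privs = set()
    for role in users[user]:
        privs |= effective_privileges(role, roles)
    return privs

def structure_findings(users=USERS, roles=ROLES):
    """Flag entries that break the role-type rules described in Role Types."""
    findings = []
    for name, (rtype, inherited, _direct) in sorted(roles.items()):
        if rtype == "aggregate" and inherited:
            findings.append(f"{name}: aggregate privilege inherits other roles")
    for user, assigned in sorted(users.items()):
        for role in assigned:
            if roles[role][0] == "duty":
                findings.append(f"{user}: duty role {role} assigned directly")
    return findings

def forbidden_in_role(role, forbidden, roles=ROLES):
    """Privileges the role must not carry but still resolves through inheritance."""
    return sorted(effective_privileges(role, roles) & set(forbidden))
```

In this constructed data the custom Line Manager role still resolves `terminate_worker` through the aggregate privilege it inherits, which is the kind of residual grant the check is meant to surface.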


Removing links from Structures

• Easier way to remove access rather than removing duties/privileges from the
role

Example: Client wants to remove Competition and Reputation links as they are not
leveraging those functionalities in phase 1


Solution: This can be easily accomplished by removing the links from the structure using a sandbox. Find the item and
set Visible to No


Running Retrieve Latest LDAP Changes


After creating a custom job role or abstract role on the Security Console, you must run the
Retrieve Latest LDAP Changes process. This process makes the role available in Oracle HCM
Cloud.
Note: Once implementation is complete, it is recommended that you schedule Retrieve Latest
LDAP Changes to run daily. If the process is scheduled when you create a custom job or
abstract role, then you can wait for the process to complete its daily run or you can run it
ad hoc.
Once the process completes successfully, you can select your custom role in Oracle HCM
Cloud UIs, such as Manage Data Roles and Security Profiles.

Note: From Release 12, this is scheduled in the background by Oracle.


Security Profiles
You can create HCM security profiles for the following HCM business objects:
• Person (managed) - identifies people you can perform actions against
• Person (public) - identifies people you can search for in the worker directory
• Organization
• Position
• LDG - Legislative Data Group
• Country
• Document Type
• Payroll
• Payroll Flow


Predefined HCM Security Profiles


You can include the predefined security profiles in any HCM data role, but you can't edit
them.


Example - Data Roles


In this example we will set up the data role for our custom Line Manager role


Example - Data Roles for custom Line Manager


Role Provisioning
Role provisioning is based on Fusion HCM flows. You can initiate the automatic
provisioning and revoking of roles from within the following flows:
• Hire an Employee
• Promote Worker
• Transfer Worker

Task Name: Manage HCM Role Provisioning Rules


Options:
• Delegation Allowed – users who have the role or can provision it can delegate it to other users
• Requestable – managers and HR Specialists can assign the role manually
• Self-requestable – users can request the role for themselves
• Autoprovision – role is assigned automatically to users who satisfy the conditions


Thank you

Visit us at www.erpwebtutor.com
