Securing HCM Cloud


Ramakanth Bhuthpur
Principal Product Manager
Product Development

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, timing, and pricing of any features or functionality described for Oracle’s
products may change and remains at the sole discretion of Oracle Corporation.
Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and
prospects are “forward-looking statements” and are subject to material risks and uncertainties. A
detailed discussion of these factors and other risks that affect our business is contained in Oracle’s
Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K
and Form 10-Q under the heading “Risk Factors.” These filings are available on the SEC’s website or on
Oracle’s website at http://www.oracle.com/investor. All information in this presentation is current as
of September 2019 and Oracle undertakes no duty to update any statement in light of new
information or future events.

2 Confidential – © 2020 Oracle Internal/Restricted/Highly Restricted: PTT Created Material


Agenda

• Oracle HCM Cloud Overview
• Security Management
• Use Case Scenarios
• Securing Reports & Analytics
• Important New Features & References



Security Management
Role Types

Role types compared: Data role, Abstract role, Job role (*), Duty role, Aggregate privilege.
Comparison columns: Delivered; Directly assign to user; Create new / custom roles; Inherits other roles.



Security Management
RBAC & Roles Inheritance (example hierarchy for user Lindsay.Allen)

User Lindsay.Allen is provisioned with two top-level roles:

• Data Role: Human Resource Specialist – US BU (Security Profile: US Business Unit), which inherits
  – Job Role: Human Resource Specialist, which inherits
    – Function Security Privilege: Manage Absence Reason
    – Aggregate Privilege: Enter Salary Details
    – Function Security Privilege: Manage Salaries
    – Duty Role: Person Management, which inherits
      – Aggregate Privileges: View Person Address, View Person National Identifier

• Abstract Role: Employee (Security Profile: View Own Record), which inherits
  – Function Security Privilege: View Payslip
  – Aggregate Privilege: Access Time Work Area
  – Duty Role: Time and Labor Worker, which inherits
    – Duty Role: Worker Time Card Entry, which inherits
      – Aggregate Privilege: Create Time Card

Function security (what the user can do) comes from the job and abstract roles and everything they inherit; data security (which records the user can do it to) comes from the security profiles attached to the data role and the abstract role.


Security Management
Data Security

Job roles (inherited by data roles) provide function access; security profiles provide data access. A data role is the combination of the two.

Security Profiles can be assigned to:
• Data roles
• Job roles (not recommended, since users with the same job typically have different data scope requirements)
• Abstract roles

Security Profile types:
• Person (managed)
• Person (public)
• Organization
• Position
• LDG
• Country
• Document Type
• Payroll, Payroll Flow
• Transaction
• Job Requisition
Use Case Scenario 1: Line Manager w/o Salary access

Use Case:
• A large manufacturing customer has a centralized team that manages compensation
functions and the salary data of all employees.
• Line managers and HR specialists should not have access to employees' salary data.

Solution:
• Create copies of the seeded roles Line Manager and Human Resource Specialist.
• Remove the privileges and roles related to salary and compensation from the
copied (custom) roles, leaving the seeded roles untouched.



Use Case Scenario 1: Line Manager w/o Salary access
Best Practices

• Do not create custom role from scratch.


• Copy Top Role is recommended, to avoid creating unnecessary duplicates of inherited roles.

Copy Top Role (shallow copy):
  Abstract Role Line Manager → New Abstract Role Line Manager Copy
  The inherited Aggregate Privilege View Compensation History, Duty Role Employee Hire and Duty Role Goal Management Line Manager are referenced by the copy, not duplicated.

Copy Top Role and Inherited Roles (deep copy):
  Abstract Role Line Manager → New Abstract Role Line Manager Copy
  Duty Role Employee Hire → New Duty Role Employee Hire Copy
  Duty Role Goal Management Line Manager → New Duty Role Goal Management Line Manager Copy
  Aggregate Privilege View Compensation History stays shared (aggregate privileges are not copied).
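The difference between the two copy modes, and why it matters when you then remove salary access, can be shown with a small role-inheritance model. This is an added example, not Oracle code: the role names come from the slide, but the privilege codes inside each role (and in particular the assumption that the shared duty role Employee Hire mixes salary and non-salary privileges) are constructed so that the shared-duty-role trap is visible.

```python
"""Model of HCM-style role inheritance and the two "copy role" modes.

Added illustration, not Oracle code. Role names come from the slide; the
privilege codes inside each role are assumptions chosen so that one duty
role (Employee Hire) mixes salary and non-salary access.
"""


class Role:
    def __init__(self, name, kind, privileges=(), inherits=()):
        self.name = name
        self.kind = kind                    # abstract | job | duty | aggregate
        self.privileges = set(privileges)   # function security privileges held directly
        self.inherits = list(inherits)      # child Role objects, shared by reference

    def effective_privileges(self):
        """Transitive closure: everything a holder of this role can do."""
        seen, stack, privs = set(), [self], set()
        while stack:
            role = stack.pop()
            if id(role) in seen:
                continue
            seen.add(id(role))
            privs |= role.privileges
            stack.extend(role.inherits)
        return privs

    def all_role_names(self):
        names = {self.name}
        for child in self.inherits:
            names |= child.all_role_names()
        return names


def copy_top_role(role, suffix=" Copy"):
    """'Copy Top Role': only the top role is new; inherited roles stay shared."""
    return Role(role.name + suffix, role.kind, role.privileges, role.inherits)


def copy_top_role_and_inherited(role, suffix=" Copy"):
    """'Copy Top Role and Inherited Roles': duty roles are cloned all the way
    down; aggregate privileges are never copied (they stay shared)."""
    children = [copy_top_role_and_inherited(c, suffix) if c.kind == "duty" else c
                for c in role.inherits]
    return Role(role.name + suffix, role.kind, role.privileges, children)


SALARY_PRIVS = {"VIEW_COMP_HISTORY", "MANAGE_SALARIES"}


def remove_salary_access(custom):
    """Strip salary/compensation access from a custom role without altering seeded roles.

    A shared child that is purely salary-related is dropped from the inheritance list.
    A shared duty role that mixes salary and other privileges is the seeded role's own
    object, so it is replaced by a private copy before being edited.
    """
    kept = []
    for child in custom.inherits:
        child_privs = child.effective_privileges()
        if not child_privs & SALARY_PRIVS:
            kept.append(child)              # nothing salary-related inside: keep the reference
        elif child_privs <= SALARY_PRIVS or child.kind == "aggregate":
            continue                        # entirely salary (or an unmodifiable aggregate): drop
        else:
            private = copy_top_role_and_inherited(child)
            private.privileges -= SALARY_PRIVS
            remove_salary_access(private)   # recurse into its own, now private, children
            kept.append(private)
    custom.inherits = kept
    return custom


def build_seeded_line_manager():
    """Seeded Line Manager as drawn on the slide (privilege contents assumed)."""
    view_comp_history = Role("View Compensation History", "aggregate", {"VIEW_COMP_HISTORY"})
    employee_hire = Role("Employee Hire", "duty", {"HIRE_EMPLOYEE", "MANAGE_SALARIES"})
    goal_mgmt = Role("Goal Management Line Manager", "duty", {"MANAGE_GOALS"})
    return Role("Line Manager", "abstract",
                inherits=[view_comp_history, employee_hire, goal_mgmt])


def naive_in_place_edit(seeded):
    """The trap: editing a shared duty role through a shallow copy edits the seeded role too."""
    custom = copy_top_role(seeded)
    custom.inherits[1].privileges.discard("MANAGE_SALARIES")   # Employee Hire is shared!
    return "MANAGE_SALARIES" in seeded.effective_privileges()   # False: seeded role was changed


if __name__ == "__main__":
    seeded = build_seeded_line_manager()
    custom = remove_salary_access(copy_top_role(seeded))
    deep = copy_top_role_and_inherited(seeded)
    print("custom role privileges:", sorted(custom.effective_privileges()))
    print("seeded role still has salary access:", "MANAGE_SALARIES" in seeded.effective_privileges())
    print("extra roles created by deep copy:", sorted(deep.all_role_names() - seeded.all_role_names()))
```

The shallow copy only ever creates the roles it actually has to (here, one private copy of Employee Hire), while the deep copy duplicates every duty role whether or not it will be changed; that is the "unnecessary duplicates" the best practice warns about. Whichever mode is used, verify the seeded role's effective privileges afterwards, since the seeded role is what every other user still holds.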
Use Case Scenario 2: Automatic provisioning of Roles

Use Case: Roles should be provisioned automatically to users based on employment changes, for example:
• When a pending worker is converted to an employee, the Employee role should be assigned
automatically, so that the employee can start onboarding activities without delay.
• When an employee moves from an individual contributor role to a manager role, the Line
Manager role should be assigned without manual intervention, so that the manager gets
access to the records of direct and indirect reports.

Solution:
• Configure role provisioning rules (role mappings) with the Autoprovision setting enabled.
• Run the Autoprovision Roles for All Users process so existing users are (re)evaluated against the rules.
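A provisioning rule is a condition on the worker's assignment plus a role to grant; autoprovisioning means the rule is evaluated without anyone requesting the role, and a role granted that way is revoked when the condition stops matching. The model below is an added example, not Oracle code: the worker records, the rule conditions and the Compensation Manager rule are constructed; only the Employee and Line Manager roles and the behaviour described above come from the slide.

```python
"""Model of role-provisioning rules with autoprovisioning.

Added illustration, not Oracle code. Worker records, rule conditions and the
"Compensation Manager" rule are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Worker:
    user: str
    person_type: str                 # "Pending Worker" | "Employee" | "Ex-Employee" ...
    is_manager: bool = False         # has direct reports on the assignment
    roles: set = field(default_factory=set)            # roles currently provisioned
    autoprovisioned: set = field(default_factory=set)  # subset of roles granted by rules


@dataclass
class ProvisioningRule:
    role: str
    autoprovision: bool              # True: granted/revoked automatically; False: requestable only
    condition: Callable[[Worker], bool]


RULES = [
    ProvisioningRule("Employee", True, lambda w: w.person_type == "Employee"),
    ProvisioningRule("Line Manager", True,
                     lambda w: w.person_type == "Employee" and w.is_manager),
    # Requestable but not autoprovisioned (assumed rule): must be asked for explicitly.
    ProvisioningRule("Compensation Manager", False, lambda w: w.person_type == "Employee"),
]


def autoprovision(worker, rules=RULES):
    """One evaluation pass for a single worker, as 'Autoprovision Roles for All Users' would do.

    Returns (added, removed). A role is added when an autoprovision rule matches and the
    worker lacks it; a role is removed only if it was previously autoprovisioned and no
    rule matches any more. Roles that were requested manually are never touched here.
    """
    wanted = {r.role for r in rules if r.autoprovision and r.condition(worker)}
    added = wanted - worker.roles
    removed = worker.autoprovisioned - wanted
    worker.roles = (worker.roles - removed) | added
    worker.autoprovisioned = (worker.autoprovisioned - removed) | added
    return added, removed


def run_for_all_users(workers, rules=RULES):
    """The scheduled process: evaluate every user and report what changed."""
    return {w.user: autoprovision(w, rules) for w in workers}


if __name__ == "__main__":
    # Constructed population: a pending worker and an individual contributor.
    staff = [Worker("lindsay.allen", "Pending Worker"), Worker("chris.kim", "Employee")]
    print(run_for_all_users(staff))          # nothing for Lindsay yet; Employee for Chris
    staff[0].person_type = "Employee"        # pending worker converted
    staff[1].is_manager = True               # Chris gets direct reports
    print(run_for_all_users(staff))          # Employee for Lindsay; Line Manager for Chris
```

The revocation half is the part worth checking in a real tenant: a role that stays behind after a demotion or termination is the classic privilege-creep finding, and the `autoprovisioned` bookkeeping above is what lets the process distinguish "no longer earned" from "deliberately requested".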



Use Case Scenario 3: AOR to secure Person Records

Use Case: A multi-national customer has decentralized HR functions and therefore 100+ HR
Specialists for different regions. Creating and maintaining hundreds of security profiles and
data roles, one per location, is a significant overhead.

Solution:
• Define Areas of Responsibility for HR Specialists.
• Define Person Security profile based on AOR & attach it in data role.

Users: HR Specialist for USA, HR Specialist for Canada, HR Specialist for India, HR Specialist for UK, HR Specialist for Australia
  → one Person Security Profile: Based on AOR
  → one Data Role: HR Specialist - Location-based
  → Job Role: Human Resource Specialist

All five users hold the same data role; the scope of each user's access is resolved at runtime from that user's own area of responsibility, so adding a region means adding an AOR, not another security profile and data role.
Use Case Scenario 4: Assignment-Level Security

Use Cases:
1. With person-level security, a user who has access to a person has access to all of that
person's assignments. For some customers this is a data breach and may cause legal
issues.
2. A line manager should see only those worker assignments that report to them, and
should not see additional assignments the worker holds elsewhere.
3. An HR specialist should access worker assignments only within their responsibility
scope.

Solution: Assignment-Level Security
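The two filtering behaviours, person-level versus assignment-level, are easiest to compare on a few constructed records. The following is an added example, not Oracle code: the workers, assignment numbers, countries and manager relationships are invented, and the "AOR" is simplified to a set of countries. It covers both Use Case 3 (one AOR-driven person security profile serving many HR specialists) and Use Case 4 (why person-level security over-exposes multi-assignment workers). Indirect reports are left out of the line-manager scope to keep the model small.

```python
"""Person-level vs assignment-level data security, with an AOR-scoped HR specialist.

Added illustration, not Oracle code. All records below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    person: str
    number: str
    country: str      # location of this assignment
    manager: str      # line manager of this assignment (not of the person)


# Constructed data: Lindsay holds two assignments with different managers and countries.
ASSIGNMENTS = [
    Assignment("Lindsay.Allen", "E100-1", "US", "Pat.Lee"),
    Assignment("Lindsay.Allen", "E100-2", "UK", "Sam.Roy"),
    Assignment("Chris.Kim", "E200-1", "US", "Pat.Lee"),
    Assignment("Dana.Fox", "E300-1", "IN", "Ravi.Nair"),
]


def visible_person_level(predicate, assignments):
    """Person-level security: if any assignment of a person matches the profile,
    every assignment of that person becomes visible."""
    people = {a.person for a in assignments if predicate(a)}
    return {a for a in assignments if a.person in people}


def visible_assignment_level(predicate, assignments):
    """Assignment-level security: only the assignments that match are visible."""
    return {a for a in assignments if predicate(a)}


def line_manager_scope(manager):
    """Line Manager abstract role: assignments whose line manager is this user (direct reports)."""
    return lambda a: a.manager == manager


def aor_scope(countries):
    """Person security profile 'based on AOR': one profile for all HR specialists, the
    scope coming from the individual user's areas of responsibility (here, countries)."""
    return lambda a: a.country in countries


def visible_numbers(predicate, assignment_level, assignments=ASSIGNMENTS):
    fn = visible_assignment_level if assignment_level else visible_person_level
    return sorted(a.number for a in fn(predicate, assignments))


def over_exposed(predicate, assignments=ASSIGNMENTS):
    """Assignments a user sees under person-level security but not under assignment-level:
    exactly the records Use Case 4 wants hidden."""
    extra = visible_person_level(predicate, assignments) - visible_assignment_level(predicate, assignments)
    return sorted(a.number for a in extra)


if __name__ == "__main__":
    print("Pat.Lee, person-level:    ", visible_numbers(line_manager_scope("Pat.Lee"), False))
    print("Pat.Lee, assignment-level:", visible_numbers(line_manager_scope("Pat.Lee"), True))
    print("UK HR specialist leaks:   ", over_exposed(aor_scope({"UK"})))
```

Under person-level security Pat.Lee sees Lindsay's UK assignment, which Pat does not manage, and a UK-only HR specialist sees Lindsay's US assignment; after switching on ORA_PER_ASSIGNMENT_LEVEL_DATA_SECURITY_ENABLED and regenerating the grants, a check of exactly these over-exposed records against a multi-assignment test worker is the quickest way to confirm the change took effect.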



Use Case Scenario 4: Assignment-Level Security
Implementation Steps

• Pre-requisite: Enable Responsive pages *

• Enable the profile option ORA_PER_ASSIGNMENT_LEVEL_DATA_SECURITY_ENABLED

• Run the job set Regenerate Data Security Profiles and Grants

• If using custom criteria in a Person Security Profile: manually review each and change it if needed

• If using Employment Contracts, run the process Migrate Employment Data in mode Enhance
contract data to enable its use in the responsive UI



Use Case Scenario 4: Assignment-Level Security
Tips & More Resources

Assignment-Level Security training replays:


• Presentation: Day 1 & Day 2
• Q&A: Day 3

Whitepapers in Doc 2700661.1 :


• Implementing Assignment-Level Security in HCM
• Custom Criteria Changes for Implementing Assignment-Level Security

Release Readiness



Use Case Scenario 5: Access based on IP Address

IP Whitelisting

Use Case:
• The customer doesn't want to expose the application outside of the defined perimeter.
• When trying to access the application from an IP address that is not in the whitelist, users shouldn't even get to the application sign-in page.

Solution:
• IP Whitelisting.
• Submit an SR for the IP Whitelisting entitlement.

Location Based Access Control (LBAC)

Use Case:
• If the user is accessing the application from an IP address that is in the approved list, they should be granted access to both public and private roles.
• If the user is accessing the application from an IP address that is not in the approved list, they should be granted access to public roles only.

Solution:
• Location Based Access Control.
• All setup is in the application itself.
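The two controls make their decision at different points: whitelisting before the sign-in page, LBAC after authentication, when the session's roles are computed. The model below is an added example, not Oracle code or its actual enforcement logic: the approved networks, the roles and their public/private flags, and the request addresses are constructed, and the only assumption carried over from the slide is that a non-approved address yields public roles only.

```python
"""Model of IP whitelisting vs Location Based Access Control (LBAC).

Added illustration, not Oracle code. The approved networks, the role
catalogue and the client addresses are constructed for the example.
"""
import ipaddress

# Constructed perimeter: documentation prefixes only, IPv4 and IPv6.
APPROVED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32", "2001:db8::/32")]

# Constructed role catalogue: role name -> is it flagged public?
ROLES = {
    "Employee": True,
    "Line Manager": False,
    "Human Resource Specialist - US BU": False,
}


def ip_is_approved(client_ip, approved=APPROVED):
    """True if the client address falls inside any approved network."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                      # malformed address: treat as outside the perimeter
    return any(ip in net for net in approved)   # 'in' is False across IPv4/IPv6 versions


def effective_roles(user_roles, client_ip, approved=APPROVED, roles=ROLES):
    """LBAC: all of the user's roles from an approved address, public roles only otherwise.
    A role missing from the catalogue is treated as private (fail closed)."""
    if ip_is_approved(client_ip, approved):
        return set(user_roles)
    return {r for r in user_roles if roles.get(r, False)}


def sign_in_outcome(mode, user_roles, client_ip):
    """Contrast the two controls for one request.

    whitelisting: a request from outside the perimeter never reaches the sign-in page.
    lbac:         sign-in proceeds, but the session only carries the user's public roles.
    """
    if mode == "whitelisting":
        return ("sign-in page", set(user_roles)) if ip_is_approved(client_ip) else ("blocked", set())
    if mode == "lbac":
        return ("sign-in page", effective_roles(user_roles, client_ip))
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    lindsay = set(ROLES)                  # holds every role in the constructed catalogue
    for ip in ("203.0.113.5", "192.0.2.1", "2001:db8::1", "not-an-ip"):
        print(ip, sign_in_outcome("whitelisting", lindsay, ip), sign_in_outcome("lbac", lindsay, ip))
```

Two practitioner checks follow from the model: which roles are flagged public decides exactly what an off-network user can reach under LBAC, so that flag deserves the same review as any privilege grant; and the address the control sees must be the real client address, so the behaviour behind any proxy or VPN should be tested rather than assumed.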



Securing Reports & Analytics

OTBI
• Data access: restricted by security profiles.
• Subject Areas access: granted by the *Transaction Analysis* duty roles.
• Catalog folders & reports: secured using the same duty roles that secure the Subject Areas, and also the BI Roles.

BI Publisher
• Data access in the SQL data model:
  — For full access: core/unsecured tables.
  — For data restricted by security profiles: Secured List Views.
• Catalog folders & reports: secured using function security privileges and also the BI Roles.

BI Roles:
BI Consumer Role, BI Author Role, BI Administrator Role, BI Publisher Data Model Developer



Important new features in recent Updates
21A:
• Assignment-Level Security: further enhancements (Absence Management, Document Records,
Global HR OTBI Reporting, Performance, etc.) provided in this second feature release of a
multi-phased rollout.

20D:
• Assignment-Level Security
• New job set Regenerate Data Security Profiles and Grants

Refer to Release Readiness for the comprehensive list.



Important References

• All White Papers for Fusion Applications HCM (Doc 1504483.1)


• Using Dynamic Security Profiles (Doc 1950731.1)
• Security FAQ (Doc 1383852.1)
• Fusion Security: Using SCIM REST API (Doc 2346455.1)
• How to Create and Maintain a Custom Role in HCM Cloud? (Doc 2681357.1)
• Upgrading Applications Security in Oracle HCM Cloud (Doc 2023523.1)
• Generating a User and Role Access Audit Report for a User (Doc 2661786.1)
• Difference Between IP Whitelisting and LBAC (Doc 2615294.1)
• Working Effectively With Oracle Support - Best Practices (Doc 166650.1)



