
First, we're going to describe the key features of a role-based security model.

And secondly, we're going to understand and explain role inheritance.

The role-based security model uses role-based access control, or RBAC, which is a way of restricting
system access to authorized users. RBAC is an international standard signed on to by all of the signatories
of the United Nations, and it has a follow-on standard in the United States as part of that: the
InterNational Committee for Information Technology Standards, or INCITS, standard INCITS 359-2012.

Users are assigned roles through which they gain access to functions and data within the application.

Each role is a collection of permissions for the users to perform specific tasks. The users acquire
permissions to perform tasks via the roles they've been provisioned.

When a user signs on, all of the user's roles are active concurrently, which means they don't have to
select a role when they sign in; the roles are all active for use.

So let's take a look at an example of the role-based security model.

Here we see Julie Brown, an employee of the Vision Corporation and also a manager with direct reports.
When she signs in, she acquires access to three roles, and all three roles are active concurrently.
The functions and data that she can access are determined by the combination of roles to which she is
assigned. Almost every worker will have multiple roles. Don't try to create a single all-encompassing type
of role. Remember that the roles all work together and are all functional when the user signs in.

As an employee, Julie has access to employee functions and data through the employee abstract role so
that she can take care of herself. (ESS)

As a line manager, Julie has access to line manager functions and data because she has also been
provisioned the role of line manager. (MSS)

And as a human resource specialist, Julie has access to the HR specialist functions and relevant data, and
that role will be a data role. (Admin)

And for Julie, that data role confines her data to anything having to do with the enterprise Vision
Operations. If there are other parts of the Vision Corporation, she can't see them, because her data
security doesn't provide for that. We'll talk in much more detail later about data security.

So with role-based access control, the roles determine which data the person who has those roles can
see and what functions they can perform.

The roles listed here are just some examples. So, for any role, ask:

• Who is the user that is assigned to the role?
• What is the function that users with the role can perform?
• Which data is the set of data that users with this role can access when performing this function?

In Oracle HCM Cloud, the "which data" part is defined using security profiles, if that data is secured. If
the role provisioned is line manager, then the person who has that role can create performance documents
for workers in their reporting hierarchies. They can only take care of their direct or indirect reports;
they can't do anything for another manager's staff.

If the role is employee, then whoever has that role can view their payslip, but only for themselves.
They're restricted from looking at any payslip other than the ones that belong to them.

If the role is a payroll manager's role, then that role allows the payroll manager to report on payroll
balances but only for specified payrolls.

And a human resource specialist can transfer employees, but only for people in their specified
organizations, only for people that they are directly responsible for. Their data security won't allow
them to step outside of that boundary. Again, when you think of a role and what it's providing, think of
a who, a what, and which data.

Oracle does provide predefined roles, which we call the security reference implementation. You can review
the details of any Oracle-provided role in the security reference manuals available in the Oracle Document
Library. We'll take a look at that later.

You'll see that the roles that are provided for human capital management are directly associated with
human capital management.

Oracle does also provide some of what are called common roles, such as application administrator,
IT security manager, and project team member. In the security environment, these are roles that reach
across offering boundaries, and those roles have the ability to move from human capital management to
ERP or sales cloud and then back.

A user can fulfill different roles across applications if they require multitasking capabilities, and the
system allows them to do this because they have been provisioned roles to work in different cloud offerings.

A note on predefined roles and subscription impact. There's a very important idea that we'll discuss
quite a few more times, and that's that we don't necessarily want you to use the Oracle-provided
security roles directly in your day-to-day operations. We would rather you create custom roles based
upon the seeded roles.

While there are a variety of reasons for this, one of the main reasons is that these predefined roles that
we're giving you will have a subscription impact. You'll be giving your users access to privileges that you
may not want them to have and that they may never use. But it's going to show up on your subscription
and affect your subscription consumption.

Role inheritance is key to Oracle HCM Cloud security.

A job role is what gives a user access to the functions and data that the user needs in order to do their
job.

That inheritance hierarchy is made up of aggregate privileges, duty roles, and function privileges: all of
the parts below the job role that is provisioned.

• An aggregate privilege is a single function privilege together with the data access needed to perform it.
• A duty role allows a worker to perform one duty of their job. There may be many parts to that duty, so
the duty role can inherit function privileges and aggregate privileges, as well as other duty roles if
necessary.

This figure shows an extract from the hierarchy of the human resource specialist job role which inherits a
mix of aggregate privileges and duty roles.

For example, the person management duty inherits the person address view duty and the person
national identifier view duty. This is just a small sample of what a role inheritance hierarchy looks like.
We'll talk a lot more about this throughout the rest of the course.

The data role inheritance is accomplished through the combination of a job role and a security profile
or a set of security profiles.

In this figure,

• Human Resource Specialist Vision Corporation
• Human Resource Specialist Vision Services

are data roles that inherit the Human Resource Specialist job role. This job role gives the data roles access
to the tasks that an HR specialist needs to perform.

The security profiles that are assigned to the data roles provide the data access.

Notice that Human Resource Specialist Vision Corporation and Human Resource Specialist Vision Services
both use the same job role, but they each have different security profiles. So even though they're
performing the same tasks, they're looking at different data.

There's no way a person with the Vision Corporation human resource specialist role can do any
functionality at all in Vision Services, or vice versa.

So now we're going to put a couple of users into the picture. David East is going to be provisioned the
role of Human Resource Specialist Vision Services, which means he can perform all of the functions you
see here, but only for people working in Vision Services.

Lindsay Allen has the role Human Resource Specialist Vision Corporation provisioned, so she has access to
the same functions as David East. But Lindsay's security is restricted to Vision Corporation. So Lindsay
cannot do work for David, and David cannot do work for Lindsay, even though they have the same job
role, because their data is limited by the security profiles.

When individual users are assigned to data roles, they inherit the data and function security associated
with those roles. Again, this flowchart shows a simplified example, but in reality job roles inherit many
aggregate privileges and duty roles.

So in summary, security is role based. This is across the cloud applications, not just for human capital
management. Roles control who can do what and on which data.
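As an added illustration of the who / what / which-data questions asked earlier, and of the inheritance and data-role figures in this section, the following Python sketch is not Oracle's code; it models the same ideas in a few dozen lines. The worker directory (Tom Lee, Ana Ruiz, Sam Park, Kim Cho and their managers) and the function privilege names are constructed for the example, and the security profile is simplified to the set of organizations it covers. It flattens a role hierarchy, unions the privileges of concurrently active roles, and scopes data through a security profile so that two data roles built on the same job role see different workers.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# --- Worker directory: constructed sample data, not real Vision employees. ---
@dataclass(frozen=True)
class Person:
    name: str
    organization: str
    manager: Optional[str] = None

PEOPLE: Dict[str, Person] = {p.name: p for p in [
    Person("Julie Brown", "Vision Operations"),
    Person("Tom Lee", "Vision Operations", manager="Julie Brown"),  # direct report
    Person("Ana Ruiz", "Vision Operations", manager="Tom Lee"),     # indirect report
    Person("David East", "Vision Services"),
    Person("Sam Park", "Vision Services"),
    Person("Lindsay Allen", "Vision Corporation"),
    Person("Kim Cho", "Vision Corporation"),
]}

# --- Role hierarchy ("what"): roles inherit roles and carry function privileges (names hypothetical). ---
@dataclass(frozen=True)
class Role:
    name: str
    privileges: FrozenSet[str] = frozenset()
    inherits: FrozenSet[str] = frozenset()

ROLES: Dict[str, Role] = {r.name: r for r in [
    Role("Person Address View Duty", privileges=frozenset({"view_person_address"})),
    Role("Person National Identifier View Duty", privileges=frozenset({"view_national_id"})),
    Role("Person Management Duty", inherits=frozenset(
        {"Person Address View Duty", "Person National Identifier View Duty"})),
    Role("Human Resource Specialist", privileges=frozenset({"transfer_employee"}),
         inherits=frozenset({"Person Management Duty"})),
    Role("Employee", privileges=frozenset({"view_payslip"})),
    Role("Line Manager", privileges=frozenset({"create_performance_document"})),
]}

def flatten(role_name: str, seen: Optional[set] = None) -> FrozenSet[str]:
    """Every function privilege a role grants, following inheritance transitively."""
    seen = set() if seen is None else seen
    if role_name in seen:  # guard against cyclic inheritance
        return frozenset()
    seen.add(role_name)
    role = ROLES[role_name]
    granted = set(role.privileges)
    for parent in role.inherits:
        granted |= flatten(parent, seen)
    return frozenset(granted)

# --- Provisioning ("who" + "which data"): a role as assigned to a user, with the rule that
# scopes its data. A data role is a job role plus a security profile (here: a set of organizations). ---
@dataclass(frozen=True)
class Provisioned:
    role: str
    scope: str                                   # "self" | "reports" | "profile"
    organizations: FrozenSet[str] = frozenset()  # security profile when scope == "profile"

HR_SPECIALIST = "Human Resource Specialist"
ASSIGNMENTS: Dict[str, List[Provisioned]] = {
    "Julie Brown": [
        Provisioned("Employee", "self"),                                         # ESS
        Provisioned("Line Manager", "reports"),                                  # MSS
        Provisioned(HR_SPECIALIST, "profile", frozenset({"Vision Operations"})),  # data role
    ],
    # Same job role, different security profiles:
    "David East": [Provisioned(HR_SPECIALIST, "profile", frozenset({"Vision Services"}))],
    "Lindsay Allen": [Provisioned(HR_SPECIALIST, "profile", frozenset({"Vision Corporation"}))],
}

def reports_to(subject: str, manager: str) -> bool:
    """True when subject is a direct or indirect report of manager."""
    current = PEOPLE[subject].manager
    while current is not None:
        if current == manager:
            return True
        current = PEOPLE[current].manager
    return False

def in_scope(user: str, grant: Provisioned, target: str) -> bool:
    if grant.scope == "self":
        return target == user
    if grant.scope == "reports":
        return reports_to(target, user)
    if grant.scope == "profile":
        return PEOPLE[target].organization in grant.organizations
    return False  # unknown scope: deny

def functions_of(user: str) -> FrozenSet[str]:
    """Union of the functions of all the user's roles, which are active concurrently."""
    granted: set = set()
    for grant in ASSIGNMENTS.get(user, []):
        granted |= flatten(grant.role)
    return frozenset(granted)

def can(user: str, function: str, target: str) -> bool:
    """Who (user) may do what (function) on which data (target)? Any active role may grant it."""
    return any(function in flatten(grant.role) and in_scope(user, grant, target)
               for grant in ASSIGNMENTS.get(user, []))
```

The `any(...)` in `can` is what makes all provisioned roles active at once: Julie's employee role lets her view only her own payslip, her line manager role reaches her direct and indirect reports, and her data role reaches every worker in Vision Operations, with no role selection at sign-in. David East and Lindsay Allen resolve to exactly the same function set through the same job role, yet `can` answers differently for a Vision Services worker and a Vision Corporation worker because only the security profile differs.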

Users are assigned roles through which they gain access to functions and data within the applications.
Again, these roles are across the board in any offering in cloud applications.

The structure of job roles, duty roles, aggregate privileges, and function privileges is universal, although
the implementations are different.

Oracle HCM Cloud implemented role-based access control differently than ERP, and sales cloud
implemented it differently from the other two. But the idea of role-based access control is universal
across the cloud applications.

When individual users are assigned to data roles in HCM, they inherit the data and function security
associated with those roles, so that they can perform the tasks that are part of their job duties. They get
those tasks through the job roles that their provisioned data roles inherit.

Now, this completes our overview. And we'll get into a lot more details as we go through the rest of the
class.
