FSM - Security Profiles
Ramesh Pillai
Roles in Fusion Applications
Role-Based Access Control
Security in Oracle Fusion Applications is role-based, where roles control WHO can
do WHAT on WHICH data.
Users are assigned roles, through which they gain access to functions and data.
Users can have any number of roles:
•Employee
•Contingent Worker
•Benefits Manager, Benefits Administrator, Benefit Specialist
•Compensation Manager, Compensation Administrator, Compensation Specialist
•Human Resource Manager, Analyst, Specialist and VP
•Line Manager
•Payroll Manager, Administrator
We make experts - http://apps2fusion.com
Role Types
Oracle Fusion HCM defines four types of roles:
–Abstract Role: This role categorizes the roles for reference implementation. It
inherits duty roles but does not contain security policies. For example: Employee,
Manager, etc.
–Job Role: This role defines a specific job an employee is responsible for. An
employee may have many job roles. It may require the data role to control the
actions of the respective objects. For example: Benefits Manager, Accounts
Receivable Specialist, etc.
–Data Role: This role defines access to the data within a specific duty: who can do
what on which set of data. The possible actions are read, update, delete, and
manage. Only duty roles hold explicit entitlement to the data. These entitlements
control privileges, such as which screens, buttons, data columns, and other
artifacts a user can see in the user interface.
–Duty Role: This role defines a set of tasks. It is the most granular form of a role.
The job and abstract roles inherit duty roles. Data security policies are specified
on duty roles to control actions on all respective objects.
–Auto Provision: roles are provisioned by default for the qualified users.
–Requestable: roles can be provisioned to the users by other users.
–Self Requestable: roles can be provisioned on request by the users themselves.
Unless you grant access to these objects, users cannot access them.
We can include security profiles in other security profiles. For example, you can include an
organization security profile in a:
-Person security profile, to secure person records by department, business unit, or legal
employer
-Position security profile, to secure positions by department or business unit
One security profile inherits the data instance set defined by another.
Position Security Profile
Users need access to positions because they either manage position definitions or
perform tasks where lists of positions are presented to them.
We can identify positions by any combination of:
–Position Hierarchy
–Department
–Business Unit
–Position Name
To identify the departments and business units, we select existing organization
security profiles: the position security profile inherits the data instance sets of the
selected organization security profiles.
Go to Manage Position Security Profile > Manage Position Security Profiles page >
Create Position Security Profile to create it.
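A minimal Python model of the inheritance described for position security profiles, added here as an illustration and not Oracle's code or API: the position profile takes its departments and business units from the organization security profiles it includes, and a user with no profile sees nothing. The class names, the sample data and the rule that every supplied criterion must match are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Position:
    name: str
    department: str
    business_unit: str

@dataclass
class OrgProfile:  # organization security profile (hypothetical model)
    name: str
    departments: set = field(default_factory=set)
    business_units: set = field(default_factory=set)

@dataclass
class PositionProfile:  # position security profile (hypothetical model)
    name: str
    org_profiles: list = field(default_factory=list)  # included profiles
    position_names: set = field(default_factory=set)  # optional name criterion

    def inherited(self):
        """Union of the data instance sets of the included org profiles."""
        depts, bus = set(), set()
        for org in self.org_profiles:
            depts |= org.departments
            bus |= org.business_units
        return depts, bus

    def allows(self, pos):
        depts, bus = self.inherited()
        if not (depts or bus or self.position_names):
            return False  # no criteria defined: nothing is granted
        # Assumption: every criterion that is set must match (AND).
        return ((not depts or pos.department in depts)
                and (not bus or pos.business_unit in bus)
                and (not self.position_names or pos.name in self.position_names))

def visible_positions(profile, positions):
    """Names of positions a user can see; no profile means no access."""
    if profile is None:
        return []
    return [p.name for p in positions if profile.allows(p)]

# Constructed sample data, named after the page's naming-scheme examples.
POSITIONS = [
    Position("Marketing Analyst", "US Marketing", "US Business Unit"),
    Position("Marketing Director", "US Marketing", "US Business Unit"),
    Position("Payroll Clerk", "US Payroll", "US Business Unit"),
    Position("Marketing Analyst", "UK Marketing", "UK Business Unit"),
]
US_ORG = OrgProfile("HCM US Departments", departments={"US Marketing"})
US_POS = PositionProfile("US Marketing Positions", [US_ORG])
```

Because the position profile reads the organization profile at evaluation time, widening the organization profile widens every profile that includes it, which is worth remembering when reviewing a change to a shared profile.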
A document type security profile includes criteria that identify one or more
locally defined document types.
Users need access to document types because they either manage the
definitions of those document types or need to access instances of those
document types in the person records to which they have access.
We identify one or more document types by name, and indicate whether to include
or exclude those document types.
•HCM security profiles are reusable. During implementation, create HCM security
profiles for standard sets of business objects in the enterprise, such as all legal
employers, all workers in a legal employer, all positions in a position hierarchy, and
individual legislative data groups.
•Define a naming scheme that identifies clearly the set of business objects in the
security profile's data instance set, such as HCM US Departments or US Marketing
Positions. Security profile names must be unique in the enterprise for the security
profile type.
Oracle Identity Management also stores the definitions of abstract, job, and data
roles, and holds information about roles provisioned to users.
Most changes to user and role information are shared automatically by Oracle
Fusion Human Capital Management (Oracle Fusion HCM) and Oracle Identity
Management. No action is necessary to make this exchange of information happen.
However, we must run the processes Send Pending LDAP Requests and Retrieve
Latest LDAP Changes to manage some types of information exchange between
Oracle Fusion HCM and Oracle Identity Management.
Synchronizing with Oracle Identity Management
Send Pending LDAP Requests: Sends bulk requests and future-dated requests that
are now active to Oracle Identity Management. The response to each request from
Oracle Identity Management to Oracle Fusion HCM indicates transaction status (for
example, Completed).
Retrieve Latest LDAP Changes: Requests updates from Oracle Identity Management
that may not have arrived automatically because of a failure or error, for example.