Fusion HCM Security
Oracle Fusion Security is built on RBAC (Role-Based Access Control), an approach that restricts access to authorized users. It defines who can do what on which set of data. RBAC normalizes access to functions and data through roles rather than granting access directly to users. Access to system resources is possible only through the roles assigned to users. Roles provide access to functions and data so that users can perform their job-related activities.
To understand security, we need to understand how roles work. Oracle Fusion Security has the following types of roles:
- Abstract Role
- Job Role
- Data Role
- Aggregate Privileges and Duties
Abstract roles represent a worker’s role in the enterprise. This role is independent of the job that you hire the worker to perform. It differentiates the workers in the organization: it indicates who is on the company payroll and who is not, and which category those on the company payroll fall into, i.e. Employee or Manager. The application comes with predefined abstract roles, and we can also create custom abstract roles. The predefined abstract roles that come with the application are as follows:
Employee, Line Manager, and Contingent Worker.
An abstract role is a type of enterprise role that is not specific to a job.
Job roles represent the job that an employee is hired to perform. By looking at the role names, we can tell what the employee's job is. The application comes with predefined job roles, and we can also create custom job roles. Some examples of job roles are as follows:
Benefits Administrator, Benefits Manager, Compensation Administrator, Compensation Manager, Payroll Administrator, Payroll Manager etc.
By looking at role names, we can predict an employee's specific job in the enterprise. These roles define the specific job an employee is responsible for in the organization.
Data roles are the combination of a worker’s job and the data that the worker is authorized to access. As the name itself makes clear, these roles provide access to data. They define the data instance on which the job can be performed. Without the data instance, the worker cannot access any data from the system.
Let’s take an example to understand this better. Suppose a user has the data role Payroll Manager US. The user then has a specific job, Payroll Manager, and has access to US data. This user can view and manage payroll tasks only for US employees and not for other countries. Similarly, if another user has the role Payroll Manager UK, that user can perform payroll-related activities only for UK data and not for any other country.
Duty roles define the set of tasks that users perform as part of their job. Duty roles provide access to the application functions. These roles cannot be assigned directly to users; instead, they are aligned with job and abstract roles and are provided to users indirectly. Duty roles are the building blocks of the RBAC concept.
Data security articulates the security requirement “Who can do What on Which set of data,” where ‘Which set of data’ is an entire business object set. By default, users are denied access to all data, and data security is how we make data available to them. In Oracle Fusion applications, we define data security through data security profiles. A Security Profile is a set of criteria that identifies one or more business objects of a single type.
We can include security profiles in HCM data roles to identify the data that users can access. The following table lists the security profiles that can be built in Oracle Fusion applications:
| Security Profile Type | Purpose |
|---|---|
| Person Security Profile | A person security profile identifies persons against whom the actions can be performed |
| Organization Security Profile | An organization security profile identifies organizations by at least one of organization hierarchy (either generic hierarchy or department hierarchy), organization classification (Division, Legal Entity, Department, and Tax Reporting Unit), and organization list |
| Position Security Profile | Secure profiles by means of Position Hierarchy, Department, and BU |
| Legislative Data Group Security Profile | A Legislative Data Group security profile identifies LDGs against which actions can be performed |
| Country Security Profile | A country security profile identifies countries against which actions can be performed |
| Document Type Security Profile | Secure profiles against various document types |
| Payroll Security Profile | A payroll security profile identifies payrolls against which the action can be performed |
| Payroll Flow Security Profile | Secure profiles by means of payroll flow |
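The access decision described above (function access through duty roles, data access through a data role's security profile, deny by default) can be modelled in a few lines. This is an added illustration, not Oracle code or an Oracle API: the duty names, privilege names and the country-only security profile are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed model for illustration; duty and privilege names are hypothetical.
DUTY_PRIVILEGES = {            # duty role -> function privileges it grants
    "Payroll Processing Duty": {"view_payroll", "run_payroll"},
    "Payroll Reporting Duty": {"view_payroll"},
}
JOB_DUTIES = {                 # job role -> duty roles aligned with it
    "Payroll Manager": {"Payroll Processing Duty", "Payroll Reporting Duty"},
    "Payroll Administrator": {"Payroll Reporting Duty"},
}

@dataclass(frozen=True)
class DataRole:
    name: str
    job_role: str
    countries: frozenset       # simplified country security profile

@dataclass(frozen=True)
class User:
    name: str
    job_roles: frozenset = frozenset()
    data_roles: tuple = ()

def privileges_of(job_role):
    """Function privileges reach a job role only through its duty roles."""
    duties = JOB_DUTIES.get(job_role, set())
    return set().union(*(DUTY_PRIVILEGES[d] for d in duties))

def has_function(user, privilege):
    """Function security only: can the user reach the task at all?"""
    roles = set(user.job_roles) | {dr.job_role for dr in user.data_roles}
    return any(privilege in privileges_of(r) for r in roles)

def can(user, privilege, record_country):
    """Who can do what on which data; with no matching data role, deny."""
    return any(
        privilege in privileges_of(dr.job_role) and record_country in dr.countries
        for dr in user.data_roles
    )

PM_US = DataRole("Payroll Manager US", "Payroll Manager", frozenset({"US"}))
PM_UK = DataRole("Payroll Manager UK", "Payroll Manager", frozenset({"UK"}))
PA_US = DataRole("Payroll Administrator US", "Payroll Administrator", frozenset({"US"}))
alice = User("alice", data_roles=(PM_US,))
bob = User("bob", data_roles=(PM_UK,))
carol = User("carol", job_roles=frozenset({"Payroll Manager"}))  # no data role
dave = User("dave", data_roles=(PA_US,))
```

In this model, carol holds the job role and so reaches the payroll function, but `can()` denies her every record because no data role supplies a data instance.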
Role Provisioning is the way in which application users acquire roles. We can provision roles to users based on some criteria. For example, we can provide the abstract role Employee to all users as soon as they join the enterprise. To provision a role to users, we need to define a relationship, called a Role Mapping, between the role and a set of selected conditions. Provisioning can be done for all types of roles by using role mappings.
When an employee gets hired in the system, only a user ID and password are allotted by default. To give access to functions and data in the application, roles need to be provided to the user. This is done through Role Provisioning. There are three ways in which this can be done:
- Auto Provision: Roles are provided automatically
- Requestable: Roles can be given by other users
- Self Requestable: Users can request the role for themselves
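The following added sketch, which is not Oracle code, models role mappings as a role plus a set of conditions and works out, for one user's attributes, which roles are auto-provisioned, requestable or self-requestable. The attribute names (`person_type`, `department`, `country`, `has_reports`) and the sample mappings are assumptions; the last function is a review check for mappings that have no conditions and therefore apply to every user.

```python
from dataclasses import dataclass

# Constructed sample: attribute names and mappings are hypothetical.
@dataclass
class RoleMapping:
    role: str
    conditions: dict            # assignment attribute -> required value
    autoprovision: bool = False
    requestable: bool = False
    self_requestable: bool = False

MAPPINGS = [
    RoleMapping("Employee", {"person_type": "Employee"}, autoprovision=True),
    RoleMapping("Contingent Worker", {"person_type": "Contingent Worker"},
                autoprovision=True),
    RoleMapping("Line Manager", {"person_type": "Employee", "has_reports": True},
                autoprovision=True),
    RoleMapping("Payroll Manager US", {"department": "Payroll", "country": "US"},
                requestable=True),
    RoleMapping("Benefits Administrator", {"department": "Benefits"},
                self_requestable=True),
]

def applies(mapping, assignment):
    """A mapping applies only when every one of its conditions matches."""
    return all(assignment.get(k) == v for k, v in mapping.conditions.items())

def provisioning_for(assignment, mappings=MAPPINGS):
    """Split the roles whose mappings apply by how the user can acquire them."""
    out = {"auto": set(), "requestable": set(), "self_requestable": set()}
    for m in mappings:
        if not applies(m, assignment):
            continue
        if m.autoprovision:
            out["auto"].add(m.role)
        if m.requestable:
            out["requestable"].add(m.role)
        if m.self_requestable:
            out["self_requestable"].add(m.role)
    return out

def unconditioned(mappings):
    """Review check: a mapping with no conditions applies to every user."""
    return [m.role for m in mappings if not m.conditions]
```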