
R12 Security Deep Dive for HCM Cloud

Partner Workshop

John Thuringer, Senior Architect, HCM Cloud Development

June 2017

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle's products remains at the sole discretion of Oracle.

Program Agenda
1 Release 12 Security
2 Demo
3 Before the upgrade
4 During the upgrade
5 After the upgrade
6 Optimizing performance
7 Labs

R12 Security Themes
Simplified user experience for the IT Security Manager
Easy integration with Identity & Access (IDM/IAM) Systems
Upgrade safe reference role model
Enhanced set of self service capabilities

Simplified experience for the IT Security Manager

Use the Security Console for all tasks:
  User Account Management
  Role Management (Edit, Copy, Compare, Simulate)
  Functional and Data Security Policies
  Role Hierarchy Management
  User Name / Password policies
  User Lifecycle Management
  Certificate Management
APM (Authorization Policy Manager) and OIM (Oracle Identity Manager) are retired

[Screenshot slide: Simplified experience for the IT Security Manager]
Upgrade-safe reference role model

Pre-defined roles are protected
  Cannot customize shipped policies
  Can add data security policies
Privileges and resources are protected
Allows safe upgrades to these artifacts
  No conflicts with customer changes
  Easier adoption of future security enhancements
User Account Management

Create new user accounts
Manage accounts that were created automatically for:
  Employees, Contingent Workers
  Supplier Contacts
  Partner Contacts
Assign / revoke roles for users
Factory shipped roles

[Diagram: factory-shipped roles, Release 9 vs Release 10]
Factory Reset

[Diagram: policy store and ID store in Release 11 vs Release 12 after factory reset. Labels: Functional Security Reset (Privileges, Resources, Aggregate Privileges); EJR; Role Memberships; New Data Security policies; retained; ORA_AJR; Seeded / Custom]

Message of the diagram: functional security (privileges, resources, aggregate privileges) on the seeded ORA_ application job roles is reset to the factory definition; role memberships held in the ID store and customer-added data security policies are retained.


Customized HCM roles

Description: Customizations to factory-shipped roles will be reset during the Release 12 upgrade
Impact: Low
Solution: Identify the customizations that should be preserved by running the Security Customization Report. Copy the customized roles and assign the new custom roles to users.
Who: Customers
When: Before upgrade to Release 12
HCM Webcast (31 Jan 2017): HCM - Release 12 Security Pre-upgrade Planning for HCM Customers
Customized CX, ERP, SCM roles

Description: Customizations to factory-shipped roles will be reset during the Release 12 upgrade
Solution: Customized roles have been automatically copied by Oracle
Who: Oracle + customers
When: Before upgrade to Release 12 (February 2017)
CX Webcast (26 Jan 2017): CX - Release 12 Security Deep Dive for Oracle Sales Cloud Customers with Pre-upgrade Effort
ERP/SCM Webcast (1 Feb 2017): ERP / SCM - R12 Security Deep Dive for ERP Customers with Pre-upgrade Effort
Customized common roles: FND, ASM roles

Description: Customizations to factory-shipped roles will be reset during the Release 12 upgrade
Impact: Very low
Solution: Oracle will contact affected customers with guidance on how to handle customizations to these roles
When: Before upgrade to Release 12
Security Customization Report

Availability: Release 11 February 2017 Quarterly Update Bundle (PB14)
Documentation: Release 12 Security Upgrade Guide for HCM

[Screenshot slides: Security Customization Report (four slides); Customization report example output (four slides)]
Support Process for R12 Security Customization Report (HCM)

Raise an SR (Service Request)
  Use Problem Type: HCM Security (for HCM-related issues)
  Upload the Security Customization Report output file to the SR, for example: hcm-production-base-delta.xlsx
  One SR per pod
Support has access to development resources
Depending on the issue, Oracle may organize an OWC
FAQs published in MOS: Doc ID 2228180.1
Enterprise Roles and Application Roles

Before Release 12:
  Enterprise roles: created in OIM and the Security Console
  Application roles: created in APM and the Security Console

Simplified reference role model:
  Introduced in Release 10
  Each predefined job and abstract role was represented as
    An enterprise job role (EJR)
    An application job role (AJR)
[Diagram slides: Simplified Reference Role Model, Release 9 vs Release 10; Release 10/11 Job Role (three slides); Release 9 Job Role]
Upgrade of Simplified Reference Roles (R10/11)

No enterprise roles in Release 12
EJRs that have not been customized are collapsed into their AJRs
  EJRs no longer exist
  Same role hierarchy under the AJR
Customized EJRs are converted to application roles
  Same role name
  Same role code
  Same role hierarchy
HCM data roles are converted to application roles
  Same role name
  Same role code
  Same role hierarchy
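
The following is an added illustrative model, not Oracle's code and not the logic of the Security Customization Report or the upgrade itself. It puts the two steps described on this page side by side: the pre-upgrade check that finds shipped roles whose hierarchy a customer changed (the delta the Security Customization Report lists), and the Release 12 rule for Release 10/11 reference roles (uncustomized EJRs collapse into their AJR, customized EJRs and HCM data roles are kept with the same code, name and hierarchy as application roles). All role codes, the "kind" labels and the constructed role store are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    code: str
    name: str
    kind: str                                   # "EJR", "AJR", "DATA" (HCM data role), "DUTY", "BI", "APP"
    children: set = field(default_factory=set)  # codes of directly inherited roles


def find_customizations(shipped: dict, current: dict) -> set:
    """Codes of factory-shipped roles whose hierarchy differs from the shipped baseline.
    This is the kind of delta a customer must preserve by copying before the upgrade."""
    return {code for code, role in shipped.items()
            if code in current and current[code].children != role.children}


def upgrade_to_r12(current: dict, customized: set) -> dict:
    """Apply the Release 12 rule to a Release 10/11 role store (model of the page's rules):
    - EJR not customized: removed; its AJR absorbs the rest of its hierarchy, and any role
      that inherited the EJR now inherits the AJR instead.
    - EJR customized, or HCM data role: kept with same code/name/hierarchy as an application role."""
    collapse = {}  # collapsed EJR code -> the AJR that absorbs it
    for r in current.values():
        if r.kind == "EJR" and r.code not in customized:
            ajrs = [c for c in r.children if current[c].kind == "AJR"]
            if len(ajrs) != 1:
                raise ValueError(f"{r.code}: expected exactly one AJR child, found {ajrs}")
            collapse[r.code] = ajrs[0]
    upgraded = {}
    for r in current.values():
        if r.code in collapse:
            continue                                   # the EJR no longer exists
        kind = "APP" if r.kind in ("EJR", "DATA") else r.kind
        children = {collapse.get(c, c) for c in r.children}   # re-point references to collapsed EJRs
        upgraded[r.code] = Role(r.code, r.name, kind, children)
    for ejr_code, ajr_code in collapse.items():
        # everything else the EJR inherited (e.g. BI enterprise roles) now hangs under the AJR
        upgraded[ajr_code].children |= current[ejr_code].children - {ajr_code}
    return upgraded


def shipped_store() -> dict:
    """Factory-shipped Release 11 roles (constructed; codes are hypothetical)."""
    roles = [
        Role("HR_SPEC_EJR", "Human Resource Specialist", "EJR", {"ORA_HR_SPEC_AJR", "BI_WORKER"}),
        Role("ORA_HR_SPEC_AJR", "Human Resource Specialist", "AJR", {"ORA_PERSON_MGMT_DUTY"}),
        Role("COMP_ANALYST_EJR", "Compensation Analyst", "EJR", {"ORA_COMP_ANALYST_AJR", "BI_WORKER"}),
        Role("ORA_COMP_ANALYST_AJR", "Compensation Analyst", "AJR", {"ORA_COMP_DUTY"}),
        Role("ORA_PERSON_MGMT_DUTY", "Person Management", "DUTY"),
        Role("ORA_COMP_DUTY", "Compensation Transaction Analysis", "DUTY"),
        Role("BI_WORKER", "Transactional Business Intelligence Worker", "BI"),
    ]
    return {r.code: r for r in roles}


def customer_store() -> dict:
    """The same pod as the customer left it: one shipped EJR customized, one data role added."""
    roles = shipped_store()
    roles["HR_SPEC_EJR"].children.add("CUSTOM_PAYSLIP_DUTY")   # customization of a shipped role
    roles["CUSTOM_PAYSLIP_DUTY"] = Role("CUSTOM_PAYSLIP_DUTY", "Custom Payslip Duty", "DUTY")
    roles["COMP_VIEW_ALL"] = Role("COMP_VIEW_ALL", "Comp Analyst View All", "DATA", {"COMP_ANALYST_EJR"})
    return roles


if __name__ == "__main__":
    customized = find_customizations(shipped_store(), customer_store())
    print("customized shipped roles:", sorted(customized))
    for code, role in sorted(upgrade_to_r12(customer_store(), customized).items()):
        print(f"{code:24s} {role.kind:5s} inherits {sorted(role.children)}")
```

The point the model makes explicit is the second-order effect of a collapse: a data role that was based on an uncustomized EJR must end up inheriting the AJR, while a customized EJR keeps its code and everything under it. Run the customization check against a baseline before the upgrade, because after it the collapsed EJRs are gone and the delta can no longer be reconstructed from the live store.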
[Screenshot slides: EJR collapsed into AJR (no customizations to EJR); Consolidated view of HCM and OBI roles (three slides); Customized EJR not collapsed into AJR]
HCM Data Roles (before Release 12)

Data role: JT2 JT HR Spec View All
Based on: JT2 Human Resource Specialist job role
Data security policies generated against child application roles:

  Role Name                        Application Stripe
  JT2 JT HR Spec View All (HCM)    hcm
  JT2 JT HR Spec View All (FSCM)   fscm
  JT2 JT HR Spec View All (CRM)    crm
[Screenshot slide: HCM Data Role (after upgrade to Release 12)]
HCM Data Roles (Release 12)

Upgraded HCM data roles
  hcm/fscm/crm child roles preserved during upgrade
  Data security policies still stored under the child roles after upgrade
New HCM data roles
  Just one role created
  No hcm/fscm/crm child roles
  Data security policies generated against the single HCM data role
Regenerating an upgraded HCM data role
  hcm/fscm/crm child roles preserved
  Data security policies generated against the top-level HCM data role
  Data security policies removed from the hcm/fscm/crm child roles
HCM Abstract Roles (before Release 12)

Abstract role: Employee
Data security policies generated against child application roles:

  Role Name          Application Stripe
  Employee (HCM)     hcm
  Employee (FSCM)    fscm
  Employee (CRM)     crm
[Screenshot slides: HCM Abstract Roles (Release 12); Deep Copy of the upgraded Employee role; Shallow Copy of the upgraded Employee role (don't do it!)]
Copying HCM Abstract Roles (Release 12)

Revoke security profiles before copying abstract roles
Upgrade of Predefined Release 9 Roles

If predefined roles were not migrated to the Simplified Reference Role Model, they are treated as custom roles:
  Same role names
  Same role codes
  Same role hierarchy
  Colored green, like other custom roles
[Screenshot slides: Human Resource Specialist EJR (Release 9 -> 12); Human Resource Specialist AJR (Release 9 -> 12)]
Roles that have OTBI access

Compensation Analyst job role inherits these roles:

  Role Code                                            Role Name                                 Application Stripe
  FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY           Compensation Transaction Analysis Duty    obi
  ORA_FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY_HCM   Compensation Transaction Analysis         hcm (Rel 10/11/12)
  FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY_HCM       Compensation Transaction Analysis Duty    hcm (Rel 9)

Compensation Analyst job role also inherits these BI enterprise roles:
  Transactional Business Intelligence Worker
  Business Intelligence Applications Worker
[Screenshot slides: Compensation Analyst EJR (Release 11), five slides; Compensation Analyst AJR (Release 11); Compensation Analyst (Release 12)]
After the upgrade

Run these processes:
  Retrieve Latest LDAP Changes
  Import User and Role Application Security Data
End the scheduling of Retrieve Latest LDAP Changes
  Much tighter integration between HCM and the policy store in Release 12
  No need to run any processes after creating or updating role definitions in the Security Console
Validate User Lifecycle settings
Update custom roles
  Oracle Fusion Goal Management
  Oracle Fusion Profile Management
[Screenshot slide: Security Upgrade Guide for HCM]
Optimizing Person Security Performance

The traditional approach to data role design can lead to large numbers of data roles
  Maintenance overhead
  Can lead to serious performance issues


Performance Concerns

Many Users + Many Different Roles
  All/many users report performance issues
  Searches take longer
  Navigation between pages takes longer
  Erratic behaviour (worked in the morning but not in the afternoon; works for one user but not for another, and a little later vice versa)

One User + Many Roles
  Some users report performance issues
  Searches take longer
  Navigation between pages takes longer
  Specific reports fail, time out or raise a PGA size exceeded error


Performance Concerns

Problems arising from a large number of data roles and security profiles:

  Many users with many different roles -> high number of distinct SQLs -> frequent hard parsing -> all users see slow performance (slow upon first use)
  One user with many roles -> large SQL -> long parse times -> that user sees slow performance; OTBI reports fail to run


Performance Concerns: Hard Parsing

The database has to parse each SQL statement and determine the optimal path for executing it. This is the execution plan, and the database retains execution plans in a cache.

Each time the database encounters a SQL statement text it has not seen before, that first parse is a hard parse. The first execution therefore takes longer than subsequent reruns of the same SQL, which reuse the cached plan.


Performance Concerns: Frequent Hard Parsing

A person security profile => a distinct SQL WHERE clause.

When a large number of professional users log in, each with their own distinct person security profile, the number of distinct SQL statements hitting the database can grow very quickly.

This can cause the database to flush the least recently used SQL out of its cache. As users log on, log off and log on again, the number of hard parses increases.

This can have an overall negative performance impact on ALL users of the system.
Performance Concerns: Long Hard Parse Times

A person security profile => a distinct SQL WHERE clause.

A single user who has been assigned a large number of roles can spawn very large SQL statements, because the clauses from all of those roles are combined into one predicate.

Large SQL statements suffer from two main performance problems:
  Long parse times
  Sub-optimal execution plans due to increased SQL complexity


Recommendations

Based on our experience with large customers:

Reduce the number of Person Security Profiles and Data Roles
  Use Areas of Responsibility (AoR) to achieve this reduction
Uncheck the Include Related Contacts option on Person Security Profiles
  An alternative way to access and manage contacts for employees is available
Optimize custom SQL criteria to reference as few tables as possible


Data Security and AoR

Data security policies:
  HR Admin-A can manage people in country UK
  HR Admin-B can manage people in country France
  HR Admin-C can manage people in country Germany

[Diagram: each policy is a ROLE / OBJECT / CONDITION triple; the role is a Data Role and the condition is a Person Security Profile]

The number of roles and profiles can grow very quickly in a large company.


Data Security: How does AoR help?

Data security policies:
  HR Admin-A can manage people in country UK
  HR Admin-B can manage people in country France
  HR Admin-C can manage people in country Germany

With AoR we can instead replace all of the above with:
  HR Admin can manage people in any country in their AoR

Result: 1 Data Role, 1 Person Security Profile

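
The following is an added simulation, not part of the original deck, that makes the "frequent hard parsing" argument above and the AoR remedy concrete. It models the cursor cache as a plain LRU (a simplification of Oracle's library cache, not its real replacement policy) and compares two designs for HR admins who each manage a few countries: one person security profile per admin, whose allowed countries are literals in the SQL text, against one AoR-based profile whose predicate resolves the signed-in user at run time through HRC_SESSION_UTIL.GET_USER_PERSONID (the function the page's own custom SQL uses). The admin population, country codes, cache size and session counts are constructed for the example.

```python
from collections import OrderedDict
import random


class CursorCache:
    """Minimal LRU stand-in for the library cache. A statement text that is not in the
    cache must be hard parsed; a text already present is reused (soft parse)."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.cursors = OrderedDict()   # sql_text -> True; insertion order tracks recency of use
        self.hard_parses = 0

    def execute(self, sql_text: str) -> bool:
        """Run one statement; return True if it needed a hard parse."""
        if sql_text in self.cursors:
            self.cursors.move_to_end(sql_text)
            return False
        self.hard_parses += 1
        self.cursors[sql_text] = True
        if len(self.cursors) > self.capacity:
            self.cursors.popitem(last=False)   # evict the least recently used cursor
        return True


def per_admin_predicate(countries) -> str:
    """Traditional design: one person security profile per HR admin, with that admin's
    countries embedded as literals, so every admin produces a different SQL text."""
    literals = ", ".join(f"'{c}'" for c in sorted(countries))
    return f"... AND ASG.LEGISLATION_CODE IN ({literals})"


# AoR design: a single profile whose predicate looks up the signed-in user's areas of
# responsibility at run time, so the statement text is identical for every admin.
AOR_PREDICATE = (
    "... AND EXISTS (SELECT 1 FROM PER_ASG_RESPONSIBILITIES RES "
    "WHERE RES.PERSON_ID = (SELECT HRC_SESSION_UTIL.GET_USER_PERSONID FROM DUAL) "
    "AND RES.RESPONSIBILITY_TYPE = 'HR_REP' AND ASG.LEGISLATION_CODE = RES.COUNTRY)"
)


def run_workload(n_admins: int, sessions: int, cache_capacity: int,
                 use_aor: bool, seed: int = 1) -> int:
    """Simulate `sessions` random logins spread over `n_admins` HR admins and return the
    number of hard parses the person-search statement caused. Each admin is responsible
    for a distinct pair of countries (constructed data; country codes are placeholders)."""
    rng = random.Random(seed)
    cache = CursorCache(cache_capacity)
    countries = {i: {f"C{i:03d}", f"C{(i + 1) % n_admins:03d}"} for i in range(n_admins)}
    for _ in range(sessions):
        admin = rng.randrange(n_admins)
        sql = AOR_PREDICATE if use_aor else per_admin_predicate(countries[admin])
        cache.execute(sql)
    return cache.hard_parses


if __name__ == "__main__":
    for admins in (50, 500):
        print(f"{admins:4d} admins, per-admin profiles: "
              f"{run_workload(admins, 5000, 100, use_aor=False)} hard parses")
        print(f"{admins:4d} admins, one AoR profile:    "
              f"{run_workload(admins, 5000, 100, use_aor=True)} hard parses")
```

With 50 admins and a cache of 100 cursors every per-admin statement is parsed once and then reused; with 500 admins the distinct texts no longer fit, so most logins evict someone else's cursor and hard parse again, which is the "worked in the morning, not in the afternoon" pattern. The AoR predicate contains no per-user literal, so one cursor serves every admin regardless of population size. The Release 12 AoR-aware person security profile gives the same property without custom SQL.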


Set up AoR-based data security in Release 11 using custom SQL

Custom criteria entered in the person security profile. &TABLE_ALIAS is the placeholder for the person table being secured; the subquery returns a row when the person has a current assignment whose legislation matches a country in the signed-in user's current HR_REP area of responsibility.

EXISTS
(SELECT 1
   FROM PER_ALL_ASSIGNMENTS_M    ASG   -- the secured person's assignments
       ,PER_ASG_RESPONSIBILITIES RES   -- the signed-in user's areas of responsibility
  WHERE ASG.ASSIGNMENT_TYPE IN ('E','C','N','P')   -- employee, contingent worker, nonworker, pending worker
    AND ASG.EFFECTIVE_LATEST_CHANGE = 'Y'
    AND SYSDATE BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE   -- current assignment row
    AND SYSDATE BETWEEN RES.START_DATE AND NVL(RES.END_DATE, SYSDATE)         -- responsibility currently in effect
    AND ASG.PERSON_ID = &TABLE_ALIAS.PERSON_ID
    AND RES.PERSON_ID = (SELECT HRC_SESSION_UTIL.GET_USER_PERSONID FROM DUAL)   -- resolved at run time, not a literal
    AND RES.RESPONSIBILITY_TYPE = 'HR_REP'
    AND ASG.LEGISLATION_CODE = RES.COUNTRY)


Person Security Profiles support Areas of Responsibility in Release 12

Simplify person security profiles
  No need for custom SQL
  Select:
    Responsibility Type
    Scope of Responsibility
Include Related Contacts

Removed from the person security profile pages for new person security profiles.

In existing person security profiles, the option continues to appear only if it is currently selected.

Users who can view a worker in the Manage Person work area and access the Contacts tab can see the worker's contacts, provided that the contacts are not also workers. If a contact is a worker, then access to the contact's details is secured by the person security profile.