
Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 2


Oracle Online Training Materials – Usage Agreement
Use of the information, documents and online training courses (collectively, “Materials”) found on this area of the Site constitutes agreement with the following terms and conditions (as
well as those set forth in the Purpose and Disclaimer sections below):

1. Oracle is pleased to allow its business partner (“Partner”) to download the Materials found on this area of the Site. The Materials provided on or through this area of the Site are
confidential to Oracle and protected by intellectual property laws, and provided to Partner under and pursuant to the terms, conditions and restrictions of Partner’s agreement with
Oracle to participate in the applicable beta program pertaining to the Software (as defined below) (“Beta Trial License Agreement”), as well as any additional terms, conditions and
restrictions set forth in any area of this Site or in any Materials provided on or through this Site. In the event of any conflict or inconsistency between the terms, conditions and
restrictions set forth in the Beta Trial License Agreement and those set forth in any area of this Site or in any Materials provided on or through this Site, the former shall have
precedence with respect to Partner’s access and use of the Site and Materials, provided, however, that notwithstanding anything to the contrary in the Beta Trial License Agreement,
Partner will restrict access to and disclosure of Materials only to its employees who require access to Materials in connection with the Beta Trial License Agreement.

2. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

3. Oracle disclaims any warranties or representations as to the accuracy or completeness of any Materials. Materials are provided "as is" without warranty of any kind, either express,
implied or statutory, including without limitation the implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, accuracy, timeliness and non-infringement
of third-party rights. The information contained herein is subject to change without notice.

4. Under no circumstances shall Oracle be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of these Materials. As a
condition of use of the Materials, Partner agrees to indemnify Oracle from and against any and all actions, claims, losses, damages, liabilities and expenses (including reasonable
attorneys' fees) arising out of Partner’s use of the Materials.

Purpose:
This document provides an overview of features and enhancements included in pre-release Oracle Fusion Applications 1.0 and applicable updates (the
“Software”). It is intended solely for use in connection with the internal pre-production evaluation and testing of the Software. As stated above, this
document is confidential to Oracle and may not be used for training, promotion, or sales to customers or other partners or third parties.

Disclaimer:
This document is for informational purposes only and is intended solely for use in connection with the internal pre-production evaluation and testing of the
Software. This is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development,
release, and timing of any features or functionality, and inclusion or not thereof in the commercially available version of the Software, if any, is always at Oracle’s
sole discretion. This document is not considered part of the applicable program documentation.

Due to the nature of the product architecture, it may not be possible to safely include all features described in this document without risking significant destabilization of the code.

Agenda
• Security Overview
• Security Profiles and Data Roles
• User and Role Provisioning
• HCM Security Management Data Stores
• Managing Job Roles and Abstract Roles
• HCM Security Deep Dive
• Managing Duty Roles
• Tips for Implementing HCM Security
• Security and HCM Reporting
• Customization
• References
Cloud security
• Where are my data located?
  – Can I determine where my data are physically stored?
  – Which legislation applies to my data?
• How easily can I get access to my data?
  – When I want to export data for reporting, etc.
  – When I want to switch SaaS providers
• Who has access to my data?
  – What measures does the provider take to prevent internal fraud?
  – Which audit options do I have to control the management of my data?
• How safe is the access control?
  – What identity management method is being used?
  – Can I use my own identity management solution with your SaaS solution?
• How are my data segregated from other tenants' data?
  – What segregation method and technology are being used?
  – Do you use proven encryption methods for my data?


Authentication vs. Authorization
1. Authentication
   The process of verifying that you are who you claim to be
   – applies to users, automated agents and web services
   – credentials are checked at login
   – the login is then accepted or rejected
2. Authorization
   The process of granting or revoking a privilege to interact with one or more protected system resources.
   The "system resource" can be a data object, such as opportunities, contacts or clinical information, or a functional object, such as a menu, page, workflow, button, report, dashboard, task, job or web service.


Fusion Security
Security – What is Fusion Security
• Answers the questions Who Can Do What and Who Can Do What on Which Set of Data
• Translates to Function Security and Data Security
• Function Security – Who Can Do What
   As Human Resource Specialist you can manage employees
• Data Security – Who Can Do What on Which Data
   As Human Resource Specialist for the North American Region you can manage employees only in North America


Role Based Access Control Model
• In Fusion applications, authorization is based on the industry standard access control model called Role Based Access
Control (RBAC).

• RBAC is a proven model for large-scale authorization

• RBAC provides a valuable level of abstraction to promote security administration at a business enterprise level rather than
at the user identity level in older access control models.



Role Based Access
• Access to system resources is granted to users through the roles assigned
to them, not to the users directly. Roles provide access to functions and
data.



[Figure: a job posting mapped to the Fusion job definition screen. The job title becomes the Job Role; each line in the job description becomes a Duty; all duties are assigned under the Job Role.]


Enterprise Role (External Role)
• Job Role
  – Determines the high-level job function in your organization
  – Can be associated with one or more users
  – Can span application pillars such as HCM, SCM and CRM
  – Cannot be directly associated with privileges
  – Examples: Sales Representative, Marketing Manager, Customer Data Steward
• Abstract Role
  – Associated with one or more users, irrespective of their job function
  – Cannot be directly associated with privileges
  – Examples: Employee, Contingent Worker, Resource
• Data Role
  – An enterprise role (usually a job role) restricted to a predefined data set. The data set can be a business unit, department or legal employer, or a dimension of the data defined by Human Capital Management (HCM) security profiles, such as employees who work in departments in a particular country, line of business or division.
  – Dynamically generated by the application from data role templates
  – Can inherit abstract roles, job roles or other data roles, and is granted explicit access to data
  – Generally not used with Fusion CRM, but often used in Fusion HCM
  – Example: a job role might grant access to the functions needed to view invoices; a data role that inherits the job role grants view access to the invoice data within one business unit, such as the data role Accounts Payable Manager - US


Role Based Access Control Definitions
• User
  A user is normally a human being, but the concept also covers machines, networks and intelligent autonomous agents.
• Role
  A role is a job function within the context of your organization that permits access to the organization's protected artifacts. Sales representative, operations manager, doctor, teller and administrator are common job roles.
• Privilege (or Entitlement)
  A collection of one or more permissions. A permission is an approval to perform an operation on one or more RBAC-protected system resources, such as a menu, task flow, page in the user interface, web service, report, batch job, or any piece of code that performs some function for the user.
  A privilege is a Fusion-specific RBAC component introduced to provide a level of abstraction that simplifies the administration of permissions in Fusion applications.
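The role types and definitions above, as an added example that is not from the original deck: a small Python model in which duty roles carry privileges, job and abstract roles inherit duties, data roles inherit a job role and add a security profile, and a user's access is resolved through the roles assigned to them. Role, privilege, object and user names are constructed, and the Python predicate stands in for a security profile's SQL condition.

```python
# Added example (not Oracle code): a toy model of the Fusion role hierarchy
# described on this page. Role, privilege, object and user names are constructed,
# and the Python predicate stands in for a security profile's SQL condition.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Mapping, Set

Row = Mapping[str, str]
Predicate = Callable[[Row], bool]


@dataclass
class Role:
    name: str
    kind: str                                            # 'job' | 'abstract' | 'data' | 'duty'
    inherits: Set[str] = field(default_factory=set)      # roles below this one in the hierarchy
    privileges: Set[str] = field(default_factory=set)    # function security; duty roles only
    security_profiles: Dict[str, Predicate] = field(default_factory=dict)  # secured object -> predicate


class RoleStore:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def add(self, role: Role) -> None:
        # Enterprise roles (job, abstract, data) cannot be associated with privileges directly.
        if role.kind != "duty" and role.privileges:
            raise ValueError(f"{role.name}: only duty roles carry privileges")
        # Security profiles are assigned to roles that users hold directly (data, abstract).
        if role.kind in ("job", "duty") and role.security_profiles:
            raise ValueError(f"{role.name}: security profiles belong on data or abstract roles")
        self.roles[role.name] = role

    def grant(self, user: str, role_name: str) -> None:
        if self.roles[role_name].kind == "duty":
            raise ValueError("duty roles are inherited through enterprise roles, not granted to users")
        self.user_roles.setdefault(user, set()).add(role_name)

    def effective_roles(self, user: str) -> Set[str]:
        """Transitive closure of the hierarchy: data role -> job role -> duty roles."""
        seen: Set[str] = set()
        todo: List[str] = list(self.user_roles.get(user, ()))
        while todo:
            name = todo.pop()
            if name not in seen:
                seen.add(name)
                todo.extend(self.roles[name].inherits)
        return seen

    def effective_privileges(self, user: str) -> Set[str]:
        return {p for r in self.effective_roles(user) for p in self.roles[r].privileges}

    def can(self, user: str, privilege: str) -> bool:
        """Function security: who can do what."""
        return privilege in self.effective_privileges(user)

    def can_on(self, user: str, privilege: str, obj: str, row: Row) -> bool:
        """Function plus data security: who can do what on which data. The row must
        lie inside a security profile of a role the user holds directly."""
        if not self.can(user, privilege):
            return False
        for r in self.user_roles.get(user, ()):
            pred = self.roles[r].security_profiles.get(obj)
            if pred is not None and pred(row):
                return True
        return False


def build_demo() -> RoleStore:
    s = RoleStore()
    s.add(Role("Worker Promotion Duty", "duty", privileges={"Promote Worker"}))
    s.add(Role("Expense Entry Duty", "duty", privileges={"Enter Expenses"}))
    s.add(Role("Human Resource Specialist", "job", inherits={"Worker Promotion Duty"}))
    s.add(Role("Employee", "abstract", inherits={"Expense Entry Duty"}))
    # One data role per legal employer: the same job role, one "slice" of the data each.
    for le in ("Vision Corporation", "Vision Services"):
        s.add(Role(f"Human Resource Specialist - {le}", "data",
                   inherits={"Human Resource Specialist"},
                   security_profiles={"person": lambda row, le=le: row.get("legal_employer") == le}))
    s.grant("anna.morris", "Human Resource Specialist - Vision Corporation")
    s.grant("anna.morris", "Employee")
    s.grant("david.east", "Human Resource Specialist - Vision Services")
    s.grant("pat.lee", "Human Resource Specialist")   # job role only: function access, empty data set
    return s


if __name__ == "__main__":
    s = build_demo()
    worker = {"person_id": "100", "legal_employer": "Vision Corporation"}   # constructed row
    for user in ("anna.morris", "david.east", "pat.lee"):
        print(user, "function:", s.can(user, "Promote Worker"),
              "data:", s.can_on(user, "Promote Worker", "person", worker))
```

Running it shows the point of the earlier slides: a user holding only the job role passes the function-security check but has no data to act on; the data role supplies the instance set, and two users with the same job role see disjoint slices.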


Types of Roles in Fusion
[Figure: role taxonomy. Role splits into Enterprise Role (External Role), which covers Job Role, Abstract Role and Data Role, and Application Role, which covers Duty Role.]


Fusion RBAC – Transparent and Fine-Grained
[Figure: three levels. Job Role: "What is your job?" Duty Role: "What would you say you do here?" (an area of the system). Privileges: "How exactly do you get that done?" (a specific task flow).]
Role Based Access Control
[Figure: the user Charles Watson holds three roles: Human Resource Specialist – Vision Operations, Employee and Line Manager. Access is via roles.]


Doris is hired…
[Figure: for what all employees do, Doris receives the abstract roles Expense Reports and Purchase Requisitioner; Expense Reports inherits the duty roles Enter Expenses and Submit Expenses. For the job she was hired for, she receives the job role Procurement Manager through the data roles Procurement Manager - US and Procurement Manager - Germany; Procurement Manager inherits the duty roles Buyer Mgt and PO Changes.]


[Figure: the US, EMEA and APAC security profiles are assigned to the data roles Benefits Administrator - US, Benefits Administrator - EMEA and Benefits Administrator - APAC, which all inherit the job role Benefits Administrator. The job role inherits the duty roles Person Configuration Duty and Benefits Setup Duty, which carry the privileges (function security privileges and data security policies) Manage Person Name Format, Manage HR Type Profile (data) and Manage Benefit Eligibility.]


Role Inheritance
[Figure, built up over two slides: the user Anna.morris holds the abstract role Employee, to which the Employee security profiles are assigned. Employee inherits the duty roles labelled Employee Worker Duty, Absence Recording Duty, Payroll Payslip View Duty, Gallery Access Duty, Expense Entry Duty and Talent Worker Duty.]


Role Inheritance
[Figure: Anna.morris holds the data role Human Resource Specialist – Vision Corporation (Vision Corporation security profiles); David.east holds the data role Human Resource Specialist – Vision Services (Vision Services security profiles). Both data roles inherit the job role Human Resource Specialist, which inherits the duty roles Absence Management Duty, Worker Processing Duty, Users and Roles Administration Duty, Person Management Duty, HCM Document Management Duty and Worker Employment Maintenance Duty.]


Security Reference Implementation
• Seeded “common denominator” Implementation
• Starting point to make changes.
• Manuals for each product describe details.
• Manuals Accessible via OER.
• Excel spreadsheet format of “Roles, Duties & Privileges” available via
Metalink Note 1460486.1
• Menu to privilege mapping currently available as a spreadsheet via
Metalink Note 1459828.1
• Both these spreadsheets will also be available via OER shortly.



Fusion Security Reference Implementation
• The reference implementation secures Fusion applications out of the box
• It is built on the principle of least privilege
• The reference implementation contains approximately:
  – 280 job roles
  – 660 data roles
  – 1700 duty roles
  – 4300 privileges


Predefined Job Roles in HCM
• Benefits Administrator
• Benefits Manager
• Benefits Specialist
• Compensation Administrator
• Compensation Analyst
• Compensation Manager
• Compensation Specialist
• Human Capital Management Application Administrator
• Human Resource Analyst
• Human Resource Manager
• Human Resource Specialist
• Human Resource VP
• Payroll Administrator
• Payroll Manager
(Contingent Worker, Employee and Line Manager also appear in the original list; they are abstract roles, not job roles.)


Predefined Abstract Roles in HCM
Predefined abstract roles (partial list)
• Contingent Worker
• Employee
• Line Manager


Jobs, Duties and Privileges



Security Profiles and Data Roles
Data Roles
A job role is a cookie cutter for generating data roles.

If the job role has access to the "loaf", each of its generated data roles has access to "one slice".

Example: Procurement Manager vs. Procurement Manager US

For the reference implementation, each product decides the "slicing criteria", or dimension, for each job role. The dimension is an attribute of the data that job role works with, such as business unit.
Example: purchase orders by business unit


Data Security
• HCM users access HCM data via roles to which security profiles are
assigned
• Abstract roles
– Employee, contingent worker, line manager
• Data roles
– Created by customers
– Inherit job roles
– Example: Human Resource Specialist – Vision Operations



Security profiles & Data Role Template
• Security Profile (HCM)
  – Security profiles define data sets
  – Security profiles are defined by customers
  – Security profiles are assigned to roles that are directly assigned to users
  – Several types of security profile exist in Fusion:
    • Person
    • Organization
    • Position
    • Country
    • Legislative data group
    • Document type
    • Payroll
• Data Role Template


Data Security – Security profile: Demo



Security profiles
• Use areas of responsibility to reduce the number of security profiles and data roles
• Example: secure by location (custom criteria on a person security profile)

  &TABLE_ALIAS.PERSON_ID IN
    (SELECT PERSON_ID
       FROM PER_ALL_ASSIGNMENTS_M A
      WHERE A.LOCATION_ID IN
            (SELECT B.LOCATION_ID
               FROM PER_ASG_RESPONSIBILITIES B,
                    PER_USERS C
              WHERE C.USER_GUID = FND_GLOBAL.USER_GUID   -- the signed-in user
                AND C.PERSON_ID = B.PERSON_ID
                AND B.RESPONSIBILITY_TYPE = 'HR_REP')    -- locations they are HR rep for
        -- PER_ALL_ASSIGNMENTS_M is date-effective: without the filter below a person's
        -- historical assignments at the location also match (compare the DFF example)
        AND TRUNC(SYSDATE) BETWEEN A.EFFECTIVE_START_DATE AND A.EFFECTIVE_END_DATE)


Fusion Security
[Figure: the same hierarchy split into its two halves. Data security: Anna.morris holds Human Resource Specialist – Vision Corporation (Vision Corporation security profiles) and David.east holds Human Resource Specialist – Vision Services (Vision Services security profiles). Function security: both data roles inherit the job role Human Resource Specialist, which inherits the duty roles Absence Management Duty, Worker Processing Duty, Users and Roles Administration Duty, Person Management Duty, HCM Document Management Duty and Worker Employment Maintenance Duty.]


Data Roles and Security Profiles
Examples of custom criteria
• Restrict to persons born before 01-JAN-1990

  &TABLE_ALIAS.PERSON_ID IN
    (SELECT PERSON_ID
       FROM PER_PERSONS
      WHERE DATE_OF_BIRTH < TO_DATE('01-JAN-1990', 'DD-MON-YYYY'))

• Restrict by a specific assignment DFF value and location code

  &TABLE_ALIAS.PERSON_ID IN
    (SELECT PERSON_ID
       FROM PER_ALL_ASSIGNMENTS_M A,
            HR_LOCATIONS_ALL B
      WHERE A.ASSIGNMENT_TYPE = 'E'
        AND TRUNC(SYSDATE) BETWEEN A.EFFECTIVE_START_DATE AND A.EFFECTIVE_END_DATE
        AND A.ASS_ATTRIBUTE1 = 'Green'
        AND A.LOCATION_ID = B.LOCATION_ID
        AND TRUNC(SYSDATE) BETWEEN B.EFFECTIVE_START_DATE AND B.EFFECTIVE_END_DATE
        AND B.LOCATION_CODE = 'PB_LOC_HQ4')
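The security-profile predicates above (the area-of-responsibility example and the custom criteria), as an added example that is not from the original deck: the HR_REP predicate is run in SQLite against constructed rows so the effect of the effective-date filter can be seen. Oracle-only pieces are adapted as noted in the comments (&TABLE_ALIAS becomes PER_PERSONS, FND_GLOBAL.USER_GUID and TRUNC(SYSDATE) become bound parameters); table and column names follow the deck, the rows and the HR representative's user GUID are constructed.

```python
# Added example (not Oracle code): the area-of-responsibility predicate from
# this deck, run in SQLite against constructed rows. Oracle-specific pieces are
# adapted: &TABLE_ALIAS becomes PER_PERSONS, FND_GLOBAL.USER_GUID becomes the
# bound parameter :guid and TRUNC(SYSDATE) becomes the bound parameter :as_of.
import sqlite3
from typing import List

AS_OF = "2014-06-01"          # fixed "today" so the example is deterministic

SCHEMA = """
CREATE TABLE PER_USERS (USER_GUID TEXT, PERSON_ID INTEGER);
CREATE TABLE PER_ASG_RESPONSIBILITIES (PERSON_ID INTEGER, LOCATION_ID INTEGER, RESPONSIBILITY_TYPE TEXT);
CREATE TABLE PER_ALL_ASSIGNMENTS_M (PERSON_ID INTEGER, LOCATION_ID INTEGER, ASSIGNMENT_TYPE TEXT,
                                    EFFECTIVE_START_DATE TEXT, EFFECTIVE_END_DATE TEXT);
CREATE TABLE PER_PERSONS (PERSON_ID INTEGER, DISPLAY_NAME TEXT);
"""

# Constructed rows. Person 1 is the HR representative for location 10.
# Person 3 worked at location 10 until the end of 2013 and then moved to
# location 20; that historical row is what the date-effective filter excludes.
ROWS = {
    "PER_USERS": [("guid-hr-rep", 1)],
    "PER_ASG_RESPONSIBILITIES": [(1, 10, "HR_REP")],
    "PER_ALL_ASSIGNMENTS_M": [
        (2, 10, "E", "2010-01-01", "4712-12-31"),
        (3, 10, "E", "2010-01-01", "2013-12-31"),
        (3, 20, "E", "2014-01-01", "4712-12-31"),
        (4, 20, "E", "2010-01-01", "4712-12-31"),
    ],
    "PER_PERSONS": [(1, "HR Rep"), (2, "Still Here"), (3, "Moved Away"), (4, "Elsewhere")],
}

# Locations the signed-in user is HR representative for (the inner query on the slide).
MY_LOCATIONS = """(SELECT B.LOCATION_ID
                     FROM PER_ASG_RESPONSIBILITIES B, PER_USERS C
                    WHERE C.USER_GUID = :guid
                      AND C.PERSON_ID = B.PERSON_ID
                      AND B.RESPONSIBILITY_TYPE = 'HR_REP')"""

# The predicate as written on the slide: any assignment row ever at my locations.
PREDICATE_AS_ON_PAGE = f"""PER_PERSONS.PERSON_ID IN
    (SELECT PERSON_ID FROM PER_ALL_ASSIGNMENTS_M A
      WHERE A.LOCATION_ID IN {MY_LOCATIONS})"""

# Same predicate restricted to assignments current as of :as_of, the pattern
# the deck's DFF/location example uses.
PREDICATE_DATE_EFFECTIVE = f"""PER_PERSONS.PERSON_ID IN
    (SELECT PERSON_ID FROM PER_ALL_ASSIGNMENTS_M A
      WHERE A.ASSIGNMENT_TYPE = 'E'
        AND :as_of BETWEEN A.EFFECTIVE_START_DATE AND A.EFFECTIVE_END_DATE
        AND A.LOCATION_ID IN {MY_LOCATIONS})"""


def visible_people(predicate: str, guid: str, as_of: str = AS_OF) -> List[str]:
    """Names the signed-in user (guid) can see under the given security-profile predicate."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    sql = f"SELECT DISPLAY_NAME FROM PER_PERSONS WHERE {predicate} ORDER BY PERSON_ID"
    return [name for (name,) in con.execute(sql, {"guid": guid, "as_of": as_of})]


if __name__ == "__main__":
    print("as on slide   :", visible_people(PREDICATE_AS_ON_PAGE, "guid-hr-rep"))
    print("date-effective:", visible_people(PREDICATE_DATE_EFFECTIVE, "guid-hr-rep"))
```

Without the effective-date filter the HR representative also sees the person who left the location at the end of 2013. PER_ALL_ASSIGNMENTS_M keeps every date-effective row, so a security profile that joins to it should restrict to the row current on the system date, as the DFF example does.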


Assigning Security Profiles to Existing Roles
• To assign security profiles to an existing role, use the Manage Data Roles and Security Profiles task. Search for and select the role for editing. On the Assign Data Role: Role Details page, click Next to display the Assign HCM Data Role: Select Security Criteria page. This page shows the types of security profile currently used by the selected role.


User and Role Provisioning
User creation
• Create Person
• Create User
• Import users

User account provisioning
• User accounts are created automatically when workers are hired
• User accounts can be automatically revoked when workers are terminated in HR
• User passwords can be reset from within HR


Manage Role Provisioning Rules
• Set up rules that trigger automatic enterprise role provisioning for users
• Use the resource role as the criterion
  – Create one mapping per resource role
  – Example: Human Resource Manager – View All, Line Manager, Employee
  – Add the Resource Abstract Role mapping


Manage Role Provisioning Rules
[Screenshot callouts: 1 Give it a name; 2 Select Resource Role; 3 Add new Security Role; 4 Select Security Role; 5 Provision Roles to Existing Users.]


Role & User provisioning in Fusion HCM
[Figure: three provisioning modes against the New Hire, Change and Termination events.
Automatic (autoprovision): New Hire – the new employee receives login details, or the manager receives them if the employee has no e-mail address; Change – automatic role determination; Termination – user roles are granted and revoked automatically.
Requestable (manual): New Hire – login details as above; Change – manual role determination; Termination – user roles are granted and revoked manually.
Self Requestable: the user requests access and the role is added.]


Provisioning roles to users
• Role provisioning built into HR flows
– New hire flow
– Promote flow
– Transfer flow
• Users can self-request new roles
• Line managers and HR specialists can request new roles and revoke existing
roles from people they manage/administer



User Account Provisioning
• User accounts are created automatically when workers are hired
• Line managers and HR specialists can request user accounts for workers
that do not yet have one
– Search for existing user
– Create new user
• User accounts can be automatically revoked within the Termination flow



Demo – User creation and Role Provisioning

Role Delegation
• Role delegation is the assignment of a role from the current owner of the role, known as
the delegator, to another user, known as the proxy. The delegation can be either for a
specified period or indefinite.
• You can delegate roles to any user whose details you can access by means of a public
person security profile. This profile typically determines who you can search for in the
Person Gallery.
• When you delegate a role, the proxy user can perform all tasks associated with the
delegated role on the relevant data instance set. For example, you may have a line
manager role that enables you to manage absence records for your reports. If you
delegate that role, then the proxy can also manage the absence records of your reports.
You do not lose the role while it is delegated.
• The proxy user signs in to Oracle Fusion HCM using his or her own user name, but has
additional function and data privileges associated with the delegated role.

Which Roles Can I Delegate?
• You can delegate any role that you have currently, provided that:
– The role is enabled for delegation.
– The assignment that qualifies you for the role does not have a future-dated termination. For example,
if you try to delegate a role today and the assignment that matches the role-mapping conditions (as
defined in the role's role-provisioning rule) has a future-dated end date, then you can't delegate the
role.
• You can also delegate any role that you can provision to other users, provided that the
role is enabled for delegation. Such roles are defined as Requestable in a role mapping
for which you satisfy the role-mapping conditions. By delegating rather than
provisioning roles to a user, you can:
– Specify a limited period for the delegation.
– Enable the proxy to access the data that you can access.

Ending Role Delegation
• If you specify an end date when you delegate a role, the delegation ends on
that date. The request to end the role delegation is sent to OIM by the
Send Pending LDAP Requests process on the delegation-end date.
• You can enter or update an end date at any time during the delegation
period. If you enter today’s date, the delegation ends immediately.
• Role delegation ends before the specified end date if the proxy user’s
assignment is terminated.

Delegation notes:
• When you include a delegatable role in a role mapping, users who qualify
for the role can delegate it if they have the role themselves or if the
Requestable option is selected for the role.



Delegation notes:
• When you delegate a role, you may want also to delegate any associated
approval tasks. You can delegate roles without also delegating approvals,
and vice versa.

• Use the Approvals Delegated to Others tab on the Roles and Approvals
Delegated to Others section of the My Account page to delegate
approvals.



General use notes:
• Requestable. Enables users such as line managers and human resource specialists to provision roles manually to other users. Users retain roles that are provisioned to them manually until either all their work relationships are terminated or the roles are deprovisioned manually. Managers provision such roles using the Manage User Account action in the Person Gallery; HR specialists use the Manage User Account task in the Person Management work area.
• Self-Requestable. Enables users to request roles for themselves. Users retain roles that they request for themselves until either all their work relationships are terminated or the roles are deprovisioned manually. Workers can request roles using the Manage User Account action in the Person Gallery or by selecting Navigator > My Information > My Account.
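Role mappings, the hire/promote/transfer/termination flows, the Requestable and Self-Requestable options and the delegation rules described above, modelled together as an added example that is not from the original deck. Mapping names, condition attributes, role names and dates are constructed; the "HR Specialists" and "All Employees" mappings and the worker anna.morris are illustrative.

```python
# Added example (not Oracle code): role mappings, autoprovisioning, manual role
# requests and delegation eligibility as this deck describes them. Mapping
# names, assignment attributes, role names and dates are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterator, List, Optional, Set, Tuple


@dataclass
class Assignment:
    attrs: Dict[str, str]             # e.g. {"job": "Human Resource Specialist"}
    end_date: Optional[date] = None   # set when a termination is entered (may be future-dated)

    def active(self, today: date) -> bool:
        return self.end_date is None or self.end_date >= today


@dataclass
class MappedRole:                     # one row of a role mapping's role table
    role: str
    autoprovision: bool = False
    requestable: bool = False
    self_requestable: bool = False
    delegable: bool = False           # "enabled for delegation"


@dataclass
class RoleMapping:
    name: str
    conditions: Dict[str, str]        # every condition must match the assignment
    roles: List[MappedRole]

    def matches(self, a: Assignment) -> bool:
        return all(a.attrs.get(k) == v for k, v in self.conditions.items())


@dataclass
class Worker:
    assignments: List[Assignment]
    auto_roles: Set[str] = field(default_factory=set)    # provisioned by the mapping rules
    manual_roles: Set[str] = field(default_factory=set)  # requested or provisioned by hand

    def roles(self) -> Set[str]:
        return self.auto_roles | self.manual_roles


class Provisioner:
    def __init__(self, mappings: List[RoleMapping]) -> None:
        self.mappings = mappings

    def _matching(self, w: Worker, today: date) -> Iterator[Tuple[MappedRole, Assignment]]:
        """Mapped roles whose mapping conditions an active assignment satisfies."""
        for a in w.assignments:
            if a.active(today):
                for m in self.mappings:
                    if m.matches(a):
                        yield from ((mr, a) for mr in m.roles)

    def autoprovision(self, w: Worker, today: date) -> Tuple[Set[str], Set[str]]:
        """Hire/promote/transfer/terminate flow. Autoprovisioned roles follow the active
        assignments; manual roles survive until no work relationship is active."""
        if not any(a.active(today) for a in w.assignments):
            revoked = w.roles()
            w.auto_roles, w.manual_roles = set(), set()
            return set(), revoked
        wanted = {mr.role for mr, _ in self._matching(w, today) if mr.autoprovision}
        added, revoked = wanted - w.auto_roles, w.auto_roles - wanted
        w.auto_roles = wanted
        return added, revoked

    def request(self, w: Worker, role: str, today: date, by_self: bool) -> bool:
        """Self-Requestable: the worker asks for the role; Requestable: a line manager
        or HR specialist provisions it. A matching mapping must carry the option."""
        for mr, _ in self._matching(w, today):
            if mr.role == role and (mr.self_requestable if by_self else mr.requestable):
                w.manual_roles.add(role)
                return True
        return False

    def can_delegate(self, w: Worker, role: str, today: date) -> bool:
        """A held role is delegable if its mapping enables delegation and the qualifying
        assignment has no future-dated termination; a Requestable role in a mapping the
        worker satisfies is delegable without holding it."""
        for mr, a in self._matching(w, today):
            if mr.role != role or not mr.delegable:
                continue
            future_dated = a.end_date is not None and a.end_date > today
            if role in w.roles() and not future_dated:
                return True
            if mr.requestable:
                return True
        return False


TODAY = date(2014, 6, 1)
MAPPINGS = [
    RoleMapping("HR Specialists", {"job": "Human Resource Specialist"}, [
        MappedRole("Human Resource Specialist - Vision Corporation", autoprovision=True, delegable=True),
        MappedRole("Human Resource Analyst", requestable=True, delegable=True),
    ]),
    RoleMapping("All Employees", {"person_type": "Employee"}, [
        MappedRole("Employee", autoprovision=True),
        MappedRole("Purchase Requisitioner", self_requestable=True),
    ]),
]

if __name__ == "__main__":
    p = Provisioner(MAPPINGS)
    anna = Worker([Assignment({"job": "Human Resource Specialist", "person_type": "Employee"})])
    print("hired, roles added/revoked:", p.autoprovision(anna, TODAY))
    print("self-request HR Analyst:", p.request(anna, "Human Resource Analyst", TODAY, by_self=True))
    print("can delegate HR Specialist - VC:",
          p.can_delegate(anna, "Human Resource Specialist - Vision Corporation", TODAY))
```

Autoprovisioned roles are recomputed from the active assignments every time the flow runs, which is what removes a data role after a transfer to another job; manually provisioned roles are only removed by hand or when the last work relationship ends, and a future-dated termination leaves the assignment active but blocks delegation of the roles it qualifies the worker for.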


Read-only mode:
• It operates at the user level, not the role level; when activated, the user cannot save any changes to the database.
• The feature is intended for very specific situations, e.g.
  1) An external auditor is given read-only access to the system
  2) A support analyst is given read-only access to the system
• It is implemented via a user-level profile option, FND_READ_ONLY_MODE. Set it from the Manage Administrator Profile Values page, launched from the Functional Setup Manager (FSM); this page is where profile option settings and values that control application behavior are specified.


HCM Security Management Data Stores
Role Management Tools
• OIM – Oracle Identity Manager
  – Create Enterprise Roles
• APM – Authorization Policy Manager (console for Oracle Entitlements Server)
  – Create, Modify Duty Roles
  – Create Policies
  – Set up, Modify Role Hierarchies
• HCM – Oracle Fusion Human Resource Management Application
  – Create Role Provisioning rules
  – Create Users and provision roles
  – Create Data Roles
Tools Used to Perform Security Tasks
• Fusion HCM
– Create Users (mapped to HR people)
– Provision Roles to Users
– Revoke Roles from Users
– Revoke User Accounts (on termination)
– Create Data Roles
– Manage Security Profiles
– Assign Security Profiles to Roles
– Manage Role Provisioning Rules
– Synchronize Data between HR and LDAP



Tools Used to Perform Security Tasks
• Oracle Identity Management (OIM)
  – Create Implementation Users (not mapped to HR people)
  – Provision Roles to Implementation Users
  – Manage Job Roles
• Authorization Policy Manager (APM)
  – Manage Duties
  – View Role Hierarchies
  – Manage Role Hierarchies
  – View Permission Grants
  – View Data Security Policies


Fusion HCM Security – what’s stored where?
[Figure: three stores.
LDAP Identity Store (managed through OIM): users, enterprise roles (job, abstract and data roles) and the role hierarchy.
Policy Store (managed through APM; function security policies, XML generated from design and engineering deliverables): application roles (duties), permission sets (entitlements), grants, permission classes, targets (secured resources: task flow, page, file, Web Center, view object) and actions (secured operations).
Fusion Apps database: HCM user/role tables (populated by the Retrieve Latest LDAP Changes process) and the Applcore grants tables (data security policies).]


Fusion Apps, OIM and APM Terminology
Fusion Applications                                                  | OIM  | APM
Data Role (enterprise role)                                          | Role | External role
Job Role (enterprise role)                                           | Role | External role
Abstract Role (enterprise role)                                      | Role | External role
Duty Role                                                            | –    | Application role (HCM duty roles are under the hcm application)
Function security privilege                                          | –    | Entitlement / Permission set
Secured code artifact (e.g. service, ADF task flow, batch program)   | –    | Resource
Database table                                                       | –    | Database resource
Data security privilege                                              | –    | Action


Demonstration: Using APM and OIM

HCM Security Deep Dive
Function Security
[Figure: the duty role Worker Promotion Duty carries the function security privilege Promote Worker and two data security policies: Promote Worker Data (on Person Assignment, with a condition) and Choose Position Data (on Position, with a condition).]

Data Security
[Figure, built up over several slides: the job role Human Resource Specialist inherits Worker Promotion Duty. The data role Human Resource Specialist – View All inherits the job role and carries the View All data grants for each pillar: Human Resource Specialist – View All (HCM), PER_HUMAN_RESOURCE_SPECIALIST_VIEW_ALL_DATA_HCM; Human Resource Specialist – View All (FSCM), PER_HUMAN_RESOURCE_SPECIALIST_VIEW_ALL_DATA_FSCM; Human Resource Specialist – View All (CRM), PER_HUMAN_RESOURCE_SPECIALIST_VIEW_ALL_DATA_CRM. A person security profile and a position security profile are assigned to the data role.]


Agenda
• Security Overview
• Security Profiles and Data Roles
• User and Role Provisioning
• HCM Security Management Data Stores
• Managing Job Roles and Abstract Roles
• HCM Security Deep Dive
• Managing Duty Roles
• Tips for Implementing HCM Security
• Security and HCM Reporting
• References

Fusion Security At Run Time
BI & Reporting Security
• Fusion Apps BI uses the same security infrastructure as Fusion Applications (FA)
– BI can also use the same Identity Store, Policy Store and APM for policy management as the other Fusion Applications components
– SSO enabled



OTBI Security
• Subject areas are functionally secured using Fusion duty roles. The duty roles that grant access to subject areas use the nomenclature:
– xx Transaction Analysis Duty, where xx is a group of similar objects. For example, Workforce Transaction Analysis Duty.
– They can be found under the obi application in APM.
• Folders and analyses are secured with Application Roles found in the OBI application in APM
• BIEE features are secured using Application Roles found in OBI

Data Security
• The data returned in OTBI reports is secured in a similar way to the data returned in Fusion HCM pages: access is granted by the roles that are linked to security profiles.
• Each (xx) Transaction Analysis Duty role that grants access to subject areas and BI Catalog folders inherits one or more (xx) Reporting Data Duty roles. These are the duty roles that grant access to the data. The reporting data duty roles are found under the hcm application in APM.
• If you create custom job roles that have access to OTBI reports, you must give your job roles both the obi version and the hcm version of the transaction analysis duty role, so that your job role has both the function security and the data security access needed to run the reports. For example, if you want your custom role to have access to the workforce transaction analysis subject areas, ensure that it inherits the following duty roles:
– Workforce Transaction Analysis Duty under the obi application
– Workforce Transaction Analysis Duty (HCM) under the hcm application

OBIEE Security
• BI roles apply to both BI Publisher and OTBI. They grant access to functionality within BI, for example, the ability to run or author reports. Users need one or more of these roles in addition to the roles that grant access to reports, subject areas, BI catalog folders, and Fusion HCM data.
• BI roles include:
– BI Consumer: Enables you to run BI reports.
– BI Author: Enables you to create and edit reports.
– BI Administrator: Enables you to perform administrative tasks such as creating and editing dashboards and modifying security permissions for reports, folders, and so on.
– BI Publisher Data Model Developer: Enables you to create and edit BI Publisher data models.

BI Publisher Security
• In conceptual terms, BI catalog folders that contain BI Publisher reports are secured using duty roles. These duty roles are not the same as those that secure OTBI subject areas and folders.
• Individual BI Publisher reports are secured using function security privileges that are granted to these duty roles.
• For example, the Payroll Register Report is in the Payroll Calculations folder. The report is secured using a privilege called Run Payroll Register Report, and this privilege is granted to Payroll Distribution Calculation Management Duty. The Payroll Calculations folder is secured using this duty role.
• The actual implementation differs slightly, because BI security works slightly differently from regular Fusion Applications security. The key difference is that BI security supports application roles but not privileges, so the privileges that secure BI Publisher reports are implemented as application roles.
• In the preceding example, the privilege Run Payroll Register Report is implemented as an application role called Run Payroll Register Report (OBI), which is inherited by another application role called Payroll Distribution Calculation Management Duty OBI.

BI Publisher Data Security and Secured List Views
• When you access data using a BI Publisher data model that uses an SQL Query as the data source, you have two options:
1. Select directly from a database table, in which case the data you return is not subject to data security restrictions. Because BI Publisher allows you to create data models on unsecured data, you should minimize the number of users who can create data models.
2. Join to a secured list view in your select statements, in which case the data returned is determined by the security profiles assigned to the roles of the user who is running the report.
• The tables in the student guide show, for each table, the secured list view, the data security privilege that is needed to report on data in the table (if accessed via the secured list view) and the duty role that has the privilege.

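The two options side by side, as an added example that is not from the student guide or from Oracle's own materials: the first query reads the base table directly and returns every person, the second joins to a secured list view so the report only returns people inside the running user's person security profile. The table name PER_ALL_PEOPLE_F and the view name PER_PERSON_SECURED_LIST_V are assumed here; take the view and privilege for the table you report on from the student guide's table.

```sql
-- Option 1 (unsecured): selects straight from the base table.
-- Whoever can run this data model sees every person row, regardless of
-- the security profiles attached to their roles.
SELECT papf.person_id,
       papf.person_number
FROM   per_all_people_f papf                -- assumed base table name
WHERE  TRUNC(SYSDATE) BETWEEN papf.effective_start_date
                          AND papf.effective_end_date;

-- Option 2 (secured): joins the base table to the secured list view.
-- The view is evaluated against the person security profile of the user
-- running the report, so rows outside that profile never reach the report.
SELECT papf.person_id,
       papf.person_number
FROM   per_all_people_f papf                -- assumed base table name
       JOIN per_person_secured_list_v pslv  -- assumed secured list view name
         ON pslv.person_id = papf.person_id
WHERE  TRUNC(SYSDATE) BETWEEN papf.effective_start_date
                          AND papf.effective_end_date;
```

The running user's roles must also hold the data security privilege the student guide lists for that table; the join to the secured list view only filters, it does not grant access.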
Program Agenda with Highlight
1 Introduction to Reference Implementation
2 Job Role Customization
3 Duty Role Customization

Reference Implementation
Enterprise Roles
• Includes Job and Abstract Roles
– Job roles typically represent the jobs users are hired into. For example:
• Accounts Payable Specialist
• Payroll Manager
– Abstract roles typically contain common functionality irrespective of job role. For example:
• Employee – Gives the ability to log expense reports, manage personal information, etc.
• Line Manager – Gives access to reportees' information

Figure: two users. The first holds Employee and Accounts Payable Specialist; the second holds Employee, Line Manager and Payroll Manager.

Reference Implementation
Duty Roles
• Duty Roles are a grouping of entitlements
• Duty Roles can inherit other Duty Roles
• Duty Roles are inherited by Enterprise Roles
• Duty Roles are never granted to Users directly

Figure: Accounts Payable Manager and Accounts Payable Specialist both inherit Common Country Third Party Reporting Duty, whose entitlements are:
– Run Global Third Party Balances Summary Report
– Run Global Third Party Account Balance Report
– Run Global Journals and Third Party Report
– Run Global Subledger Detail Journal Report

Reference Implementation
Accounts Payable Manager (screenshot of the seeded job role)

Reference Implementation
Terminology

Figure: the role layers and where each is managed.
External Role / Enterprise Role (OIM):
– Job role: Accounts Payable Manager
– Abstract role: Employee
– Data role: Accounts Payable Manager – North America, with a Data Security Policy: Where BU=Vision Operations, Object=Invoices (EXPLICIT)
Application Role (APM):
– Duty Role: Payables Invoice Processing Duty
– Duty Role: Party Information Inquiry Duty
Entitlement, Target (APM):
– Privilege: Manage Payables Invoice
– Privilege: Modify Payables Invoice Tax Drivers
– Data Security Policy: Can View Trading Community Person for all organizations in the enterprise (IMPLICIT)

Job Role Customization
Best Practice
1. Always create custom Job and Abstract roles.
– Custom roles ensure upgrades will not overwrite customizations
– Custom roles are created using OIM.
2. Grant seeded Duty roles to custom roles using APM.

Job Role Customization
Example – Step 1
• Create a custom role using OIM similar to the seeded role.
• Navigation: Setup and Maintenance -> Manage Job Roles
• Create the custom role and copy the hierarchy from the seeded role (screenshot: Seeded Job Role beside Custom Job Role)

Job Role Customization
Example – Step 2
• Grant seeded Duty roles to custom roles using APM
• Navigation: Setup and Maintenance -> Manage Duties

Job Role Customization
Example – Step 2
• Grant all top level duty roles of the seeded job to the custom job role in APM
• Steps:
1. Open the seeded job role in APM
2. Open each top level duty role
3. Go to the “External Role Mapping” tab
4. Add the custom job role
5. Repeat for all the top level duty roles in all applications (aka Policy Stripes)

Job Role Customization
Example – Step 2 (screenshots)
Screenshot callouts: Open seeded job role in APM; go to Application Role Mapping; Applications (aka Policy Stripes); top level duty roles.
Screenshot callouts: Open top level duty role; go to External Role Mapping; add custom job role; custom job role added.
• Repeat the same for every top level duty role in all policy stripes

Duty Role Customization
Best Practice
Option 1: Modify seeded duty directly
– Pros
• Easy to customize
• Upgrade will not overwrite customization
– Cons
• Reference to seeded role definition is lost. Restoration from a mistake is difficult (*)
• Users will automatically get new functionality with no opportunity to positively accept or reject it
• Potential risk with Oracle support
(*) This risk can be mitigated by:
1. Installing the User and Role Access Audit Report
2. Taking a backup of each role definition into a csv file before modification

Duty Role Customization
Best Practice
Option 2: Create custom duty
– Pros
• Reference to seeded role definition is not lost. Restoration from a mistake is easy.
• Upgrade will not automatically grant new functionality
• Customers can evaluate new functionality delivered in seeded roles before updating custom roles
– Cons
• Creation of a custom duty role is complicated and error prone
• Role copy feature not available until release 10

Duty Role Customization
Option 1: Modify Seeded Duty Role
Screenshot callouts: Open custom job role in APM; go to Application Role Mapping; select seeded duty; open seeded duty.
Screenshot callouts: Seeded duty opened; find seeded policies.

Duty Role Customization
Option 1: Modify Seeded Duty – Functional Policies
Screenshot callouts: Seeded policies; open functional policies; add or remove entitlements to seeded policies as required.

Duty Role Customization
Option 1: Modify Seeded Duty – Data Security
Screenshot callouts: Seeded data security; create new data policy; edit seeded data policy; end date seeded data policy.

Summary
Best Practice
1. Always create custom job and abstract roles
2. Use seeded Duty roles to grant authorizations to custom roles
3. If seeded duty roles need to be customized:
   1. Option 1: (Easy but with minimum risks)
      1. Take csv backup for reference and error recovery
      2. Modify seeded function policies
      3. End date seeded data policies
      4. Create custom data policies
   2. Option 2: (Hard but no risks)
      1. Create custom duty role

Additional information
• Oracle Fusion Applications Help provides a library of information:
– Filter on Product = Customer Relationship Management
– Search for keywords (security, security guide, job role)

Additional information
1. Access the Oracle Cloud Learning Center at docs.oracle.com/cloud.
2. Under Oracle Applications Cloud Services, click Human Capital Management.
3. Click the Books tab.
4. Click Security Reference for Oracle HCM Cloud.
• appsconnect.custhelp.com
• Securing Oracle HCM Cloud

Additional topic:
• Customizing Security for Your Needs

Q&A
