Slide 1*
Narration:
Hello and welcome to Fusion HCM Security Specialist Lesson 1.
The topic covered in this lesson is Security Profiles and Data
Roles.
Instructor notes:
NA
*
The following is intended to outline our general product direction.
It is intended for information purposes only, and may not be
incorporated into any contract. It is not a commitment to deliver
any material, code, or functionality, and should not be relied upon
in making purchasing decisions.
The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole
discretion of Oracle.
Safe Harbor Statement
Narration:
On the screen is Oracle’s Safe Harbor Statement, please take a
moment to review.
Instructor notes:
NA
*
Use of this Site (“Site”) or Materials constitutes agreement with
the following terms and conditions:
1. Oracle Corporation (“Oracle”) is pleased to allow its business
partner (“Partner”) to download and copy the information,
documents, and the online training courses (collectively,
“Materials") found on this Site. The use of the Materials is
restricted to the non-commercial, internal training of the
Partner’s employees only. The Materials may not be used for
training, promotion, or sales to customers or other partners or
third parties.
2. All the Materials are trademarks of Oracle and are proprietary
information of Oracle. Partner or other third party at no time has
any right to resell, redistribute or create derivative works from
the Materials.
3. Oracle disclaims any warranties or representations as to the
accuracy or completeness of any Materials. Materials are
provided "as is" without warranty of any kind, either express or
implied, including without limitation warranties of
merchantability, fitness for a particular purpose, and
non-infringement.
4. Under no circumstances shall Oracle or the Oracle Authorized
Delivery Partner be liable for any loss, damage, liability or
expense incurred or suffered which is claimed to have resulted from
use of this Site or Materials. As a condition of use of the
Materials, Partner agrees to indemnify Oracle from and against any
and all actions, claims, losses, damages, liabilities and expenses
(including reasonable attorneys' fees) arising out of Partner’s use
of the Materials.
5. Reference materials including but not limited to those
identified in the Boot Camp manifest can not be redistributed in
any format without Oracle written consent.
Oracle Training Materials – Usage Agreement
Narration:
On the screen is Oracle’s Usage Agreement, please take a moment to
review.
Instructor notes:
NA
*
Predefined HCM security profiles
Narration:
Data security through security profiles
Predefined HCM security profiles
Instructor Notes:
The agenda items are the section titles
*
Learning Objectives
At the end of this lesson you should be able to:
Explain data security through security profiles
Use predefined HCM security profiles
Explain approaches to creating Data Roles
Narration:
Explain data security through security profiles
Use predefined HCM security profiles
Explain approaches to creating Data Roles
Instructor Notes:
*
*
Narration:
Section 1 of this presentation explains data security through
security profiles.
In this section we will cover the following objectives:
Security Profiles Overview
Security Profiles Example
Each section relates to the Agenda items.
You can teach more than one objective in the section. All content
in the section must relate to the objectives.
*
Security profiles are defined by customers
Security profiles are assigned to roles that are directly assigned
to users
Narration:
Security Profile: Overview
Most Oracle Fusion HCM data are secured by means of HCM security
profiles. A security profile identifies a set of data of a single
type, such as persons or organizations.
They are defined by customers, and are assigned to data roles,
abstract roles and job roles.
Instructor note:
NA
*
Person
Organization
Position
Country
*
*
What is your Job?
Data Role and Security Profiles
Organization
Position
Countries
Payroll
Narration:
Before moving ahead, let us spend a few minutes on how Fusion
security is designed.
Legacy systems such as PeopleSoft, E-Business Suite and SAP
assigned system resources (i.e. functions and data) directly to
users. The time and effort required to provision and
de-provision users was so arduous it could be measured in Full
Time Equivalents (FTE). Furthermore, larger companies with
dynamic user communities were exposed to increased risk of
non-compliance with SOX regulations due to Separation of Duty (SoD)
conflicts and violations. Finally, there was the ever-present
issue of orphan user accounts: accounts in the LDAP store with no
associated active employee record.
To address these issues, Fusion uses Role-Based Access Control
(RBAC) to control users' access. Now system resources are assigned
to roles, which are granted to users. RBAC is also particularly
well suited to Separation of Duty (SoD) requirements, which ensure
that two or more people must be involved in authorizing critical
operations.
Fusion uses four role types: Abstract, Data, Job and Duty.
Function security controls access to user interfaces and actions
needed to perform the tasks of a job.
Data security controls access to data.
So, can I create a new duty role?
Yes, but this should only be necessary if you have extended your
Oracle Fusion Applications with new duties involving custom objects
or functions that must be secured.
Job roles group users in adherence to the principle of least
privilege by granting access only in support of the duties likely
to be performed.
Duty roles may carry both function and data security grants. Duty
roles are self-contained and pluggable into any existing or new job
or abstract role thus avoiding the introduction of definition
conflicts in the owning application.
Fusion Data Security defines the set of data a user can access via
their role.
As shown in the figure:
Data roles always inherit job roles.
The job roles provide the function security access, while the
security profiles assigned to the data role provide access to the
data required to perform the duties of the job.
Job, duty, and abstract roles will be explained in detail in a
separate lesson.
Instructor note:
*
*
Now, let us understand Security Profiles using an example.
In the following example, Tim Thompson and Patricia Smith are both
human resource specialists, Tim in US Marketing and Patricia in US
Sales. Each has a data role that inherits the job role Human
Resource Specialist and the duty roles appropriate to that job
role. Therefore, Tim and Patricia can perform the same functions
and see the same entries in the Navigator, work area Tasks panes,
and menus. However, each user accesses different sets of data,
which are identified in separate sets of security profiles.
Instructor note:
NA
*
Narration:
Section 2 of this presentation discusses predefined HCM
security profiles.
In this section we will cover the following objective:
Predefined HCM security profiles
*
View Manager Hierarchy
All person records in the signed-on user’s manager hierarchy
View All Workers
All person records of people who have a work relationship
View All Organizations
All legislative data groups
All workforce business processes
View All People
View Own Record
View Manager Hierarchy
View All Workers
View All Organizations
View All Positions
View All Countries
Instructor note:
NA
*
Edit or delete the predefined security profiles
Create a custom security profile that provides access to all seeded
objects; you must use the appropriate predefined View All security
profile instead
Narration:
You cannot edit or delete the predefined security profiles.
Also, you cannot create a custom security profile that provides
access to all seeded objects; instead you must use the appropriate
predefined View All security profile
Instructor note:
NA
*
Narration:
Section 3 of this presentation discusses the various
approaches to creating Data Roles.
In this section we will cover the following objectives:
Approaches to creating Data Roles
Assign Security Profiles to existing role
Assign Security Profiles to new data role
Security Profiles Best Practices
*
Approaches to creating Data Roles
Give employees access to their own records, the person records of
their emergency contacts, beneficiaries, and dependents, and all
public-person records
Assign relevant HCM security profiles directly to the employee
abstract role
Give managers access to the person records of direct and indirect
reports. Assign relevant HCM security profiles directly to the line
manager abstract role
For individual job roles, determine whether all users with that job
role access the same HCM business object instances
Narration:
Give employees access to their own records, the person records of
their emergency contacts, beneficiaries, and dependents, and all
public-person records.
Assign relevant HCM security profiles directly to the employee
abstract role.
Give managers access to the person records of direct and indirect
reports. Assign relevant HCM security profiles directly to the line
manager abstract role.
For individual job roles, determine whether all users with that job
role access the same HCM business object instances. In this
scenario, you do not need to create a data role; you can simply
assign the security profiles to the job role.
Instructor note:
NA
*
Narration:
Let us look at the steps for assigning security profiles to an
existing role in the Fusion application.
To assign security profiles to an existing role, use the Manage HCM
Data Role page.
Search for the role to which you want to assign security profiles,
and press the Assign button.
In this example, we are assigning security profiles to the Line
Manager role.
Instructor note:
NA
*
Narration:
The next page in the flow shows the types of security profiles that
are used by the chosen role.
You can see here that both public person and person security
profiles are shown. The person security profile is used to control
which people the line manager can perform line manager actions
against. The public person security profile is used to control
which people the line manager can see in Person Gallery.
On this page you can select the security profiles you want to
assign to the role, or you can indicate that you want to create new
security profiles.
Instructor note:
NA
*
Narration:
The next set of pages in the flow takes you through each of the
security profiles in turn. If an existing security profile has been
selected, that security profile will be shown. If you indicated on
the previous page (Security Criteria) that you want to create a new
security profile, then you define the new security profile on this
page. You cannot modify existing security profiles from this
flow.
Here is the organization security profile.
Instructor note:
NA
*
Narration:
Instructor note:
NA
*
Narration:
This page shows you the person security profile. Notice that it is
securing access to people using the manager hierarchy.
Instructor note:
NA
*
Narration:
Now we are at the public person security profile page. Because the
option to create a new person security profile was selected at the
Security Criteria train stop, you have to define the properties of
the new person security profile on this page.
Notice that it is securing access to all employees and all
contingent workers. These are the people who the line manager will
be able to see in Person Gallery.
Instructor note:
NA
*
Narration:
Instructor note:
NA
*
Narration:
Finally, you have an opportunity to review what has been entered
earlier in the flow. When you hit the Submit button, data security
policy data is created for the line manager role.
This covers the process of assigning security profiles to an
existing role. In the next slide we will look at the steps for
assigning security profiles to a new role.
Instructor note:
NA
*
Narration:
You use the Manage HCM Data Role page to create a new data role.
This time, instead of searching for an existing role, you press the
Create button.
Instructor note:
NA
*
Narration:
Next, you choose the job role on which this new data role will be
based. And you enter the name of the new data role.
Instructor note:
NA
*
Narration:
You are then taken to the same sequence of pages that were shown
earlier when assigning security profiles to the Line Manager role.
Notice that this time the types of security profiles shown here are
slightly different than before. This is because this data role,
which will be based on the Human Resource Specialist job role, will
be accessing different data from the Line Manager role, and
different types of security profiles are needed to implement data
security for this Human Resource Specialist-based data role.
Instructor note:
NA
*
Security Profiles Best Practices
HCM security profiles are reusable and modular. Once you create a
security profile, you can assign it to multiple data roles.
You can reference organization, position, payroll, and other
security profiles in a person security profile.
Use the predefined security profiles wherever appropriate.
Security profile names must be unique in the enterprise for the
security profile type.
Narration:
The following recommendations apply to all types of HCM security
profiles:
HCM security profiles are reusable and modular. Once you create a
security profile, you can assign it to multiple data roles.
You can reference organization, position, payroll, and other
security profiles in a person security profile. For example, you
might define an organization security profile that allows access to
a particular business unit. You can then reference the organization
security profile in a person security profile to provide access to
people who are assigned to that business unit.
Use the predefined security profiles wherever appropriate.
Define a naming scheme that identifies clearly the set of business
objects in the security profile's data instance set, such as HCM US
Departments or US Marketing Positions. Security profile names must
be unique in the enterprise for the security profile type.
Instructor note:
NA
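The model from this lesson as an added Python sketch (not Oracle code and not part of the original deck): a data role inherits a job role for function security and carries security profiles for data security, as in the Tim Thompson and Patricia Smith example, and a person security profile references an organization security profile, as in the best practices above. The person records, the function names `view_person` and `manage_person`, and all class and profile names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed person records (name, organization); not Oracle data.
PEOPLE = [("Ana Ruiz", "US Marketing"), ("Ben Cole", "US Marketing"),
          ("Cy Dunn", "US Sales"), ("Di Evans", "US Finance")]

@dataclass(frozen=True)
class JobRole:            # function security: actions the role may perform
    name: str
    functions: frozenset

@dataclass(frozen=True)
class OrgProfile:         # organization security profile: a set of organizations
    name: str
    orgs: frozenset

@dataclass(frozen=True)
class PersonProfile:      # person security profile referencing an org profile
    name: str
    org_profile: OrgProfile
    def people(self):
        return {p for p, org in PEOPLE if org in self.org_profile.orgs}

@dataclass(frozen=True)
class DataRole:           # inherits a job role and adds security profiles
    name: str
    job_role: JobRole
    person_profile: PersonProfile

def can(role, function, person):
    # Allowed only if the job role grants the function AND the profile covers the person.
    return function in role.job_role.functions and person in role.person_profile.people()

def duplicate_profile_names(profiles):
    # Names must be unique per security profile type; return the clashes.
    seen, dupes = set(), set()
    for p in profiles:
        key = (type(p).__name__, p.name)
        (dupes if key in seen else seen).add(key)
    return dupes

# Hypothetical function names; the job role name comes from the lesson.
HR_SPECIALIST = JobRole("Human Resource Specialist",
                        frozenset({"view_person", "manage_person"}))

def hr_data_role(org):
    org_profile = OrgProfile(f"{org} Departments", frozenset({org}))
    return DataRole(f"HR Specialist {org}", HR_SPECIALIST,
                    PersonProfile(f"{org} People", org_profile))

USERS = {"Tim Thompson": hr_data_role("US Marketing"),
         "Patricia Smith": hr_data_role("US Sales")}
```

Both users share one job role, so `can` differs between them only through the person profile attached to each data role.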
*
Approaches to creating Data Roles
Narration:
Approaches to creating Data Roles
Instructor notes:
*
*
Let us do a review of the module
*
Key Points
Security profiles are assigned to roles that are directly assigned
to users
Users cannot edit or delete the predefined security profiles
Users cannot create a custom security profile that provides access
to all seeded objects
Assign relevant HCM security profiles directly to the employee and
line manager abstract role
Narration:
Now that we have completed this lesson, let’s take a look at the
key points. Please take a moment to review.
Security profiles are assigned to roles that are directly assigned
to users
Users cannot edit or delete the predefined security profiles
Users cannot create a custom security profile that provides access
to all objects
Assign relevant HCM security profiles directly to the employee and
line manager abstract role
Instructor notes:
*
*
And by this, we conclude Fusion HCM Security Specialist Lesson 1.
Thank you.
*