Transcript
Slide 1*
Narration:
Hello and welcome to Fusion HCM Security Specialist Lesson 1.
The topic covered in this lesson is Security Profiles and Data Roles.
Instructor notes:
NA
*
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Safe Harbor Statement
Narration:
On the screen is Oracle’s Safe Harbor Statement. Please take a moment to review it.
Instructor notes:
NA
*
Use of this Site (“Site”) or Materials constitutes agreement with the following terms and conditions:
1. Oracle Corporation (“Oracle”) is pleased to allow its business partner (“Partner”) to download and copy the information, documents, and the online training courses (collectively, “Materials”) found on this Site. The use of the Materials is restricted to the non-commercial, internal training of the Partner’s employees only. The Materials may not be used for training, promotion, or sales to customers or other partners or third parties.
2. All the Materials are trademarks of Oracle and are proprietary information of Oracle. Partner or other third party at no time has any right to resell, redistribute or create derivative works from the Materials.
3. Oracle disclaims any warranties or representations as to the accuracy or completeness of any Materials.  Materials are provided "as is" without warranty of any kind, either express or implied, including without limitation warranties of merchantability, fitness for a particular purpose, and non-infringement.
4. Under no circumstances shall Oracle or the Oracle Authorized Delivery Partner be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this Site or Materials. As a condition of use of the Materials, Partner agrees to indemnify Oracle from and against any and all actions, claims, losses, damages, liabilities and expenses (including reasonable attorneys' fees) arising out of Partner’s use of the Materials.
5. Reference materials including but not limited to those identified in the Boot Camp manifest cannot be redistributed in any format without Oracle written consent.
Oracle Training Materials – Usage Agreement
Narration:
On the screen is Oracle’s Usage Agreement. Please take a moment to review it.
Instructor notes:
NA
*
Predefined HCM security profiles
Narration:
Data security through security profiles
Predefined HCM security profiles
Instructor Notes:
The agenda items are the section titles
*
Learning Objectives
At the end of this lesson you should be able to:
Explain data security through security profiles
Use predefined HCM security profiles
Explain approaches to creating Data Roles
Narration:
Explain data security through security profiles
Use predefined HCM security profiles
Explain approaches to creating Data Roles
Instructor Notes:
*
*
Narration:
Section 1 of this presentation explains data security through security profiles.
In this section we will cover the following objectives:
Security Profiles Overview
Security Profiles Example
Each section relates to the Agenda items.
You can teach more than one objective in the section. All content in the section must relate to the objectives.
*
Security profiles are defined by customers
Security profiles are assigned to roles that are directly assigned to users
Narration:
Security Profile: Overview
Most Oracle Fusion HCM data are secured by means of HCM security profiles. A security profile identifies a set of data of a single type, such as persons or organizations.
They are defined by customers, and are assigned to data roles, abstract roles and job roles.
Instructor note:
NA
*
Person
Organization
Position
Country
*
*
What is your Job?
Data Role and Security Profiles
Organization
Position
Countries
Payroll
Narration:
Before moving ahead, let us spend a few minutes on how Fusion security is designed.
Legacy systems such as PeopleSoft, E-Business Suite and SAP assigned system resources (that is, functions and data) directly to users. The time and effort required to provision and de-provision users was so great that it could be measured in Full Time Equivalents (FTE). Furthermore, larger companies with dynamic user communities were exposed to increased risk of non-compliance with SOX regulations due to Separation of Duty (SoD) conflicts and violations. Finally, there was the ever-present issue of orphan user accounts: accounts in the LDAP store with no associated active employee record.
To address these issues, Fusion uses Role-Based Access Control (RBAC) to control user access. Now system resources are assigned to roles, which are granted to users. RBAC is also particularly well suited to Separation of Duty (SoD) requirements, which ensure that two or more people must be involved in authorizing critical operations.
Fusion uses four role types: Abstract, Data, Job and Duty.
Function security controls access to user interfaces and actions needed to perform the tasks of a job.
Data security controls access to data.
So, can I create a new duty role?
Yes, but this should only be necessary if you have extended your Oracle Fusion Applications with new duties involving custom objects or functions that must be secured.
Job roles group users in adherence to the principle of least privilege by granting access only in support of the duties likely to be performed.
Duty roles may carry both function and data security grants. Duty roles are self-contained and pluggable into any existing or new job or abstract role thus avoiding the introduction of definition conflicts in the owning application.
Fusion Data Security defines the set of data a user can access via their role.
As shown in the figure:
Data roles always inherit job roles.
The job roles provide the function security access, while the security profiles assigned to the data role provide access to the data required to perform the duties of the job.
Job, duty, and abstract roles will be explained in detail in a separate lesson.
Instructor note:
*
*
Now, let us understand Security Profiles using an example.
 
In the following example, Tim Thompson and Patricia Smith are both human resource specialists, Tim in US Marketing and Patricia in US Sales. Each has a data role that inherits the job role Human Resource Specialist and the duty roles appropriate to that job role. Therefore, Tim and Patricia can perform the same functions and see the same entries in the Navigator, work area Tasks panes, and menus. However, each user accesses different sets of data, which are identified in separate sets of security profiles.
Instructor note:
NA
*
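The Tim and Patricia example above, modelled as an added Python sketch (not Oracle code and not an Oracle API): a data role inherits a job role for function security and carries security profiles for data security. The function names, person records and department-based profile criteria are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample person records: name -> department (not real data).
PEOPLE = {
    "Ann Lee": "US Marketing",
    "Raj Patel": "US Marketing",
    "Maria Gomez": "US Sales",
}

@dataclass(frozen=True)
class JobRole:
    name: str
    functions: frozenset      # function security: actions the job may perform

@dataclass(frozen=True)
class PersonSecurityProfile:
    name: str
    departments: frozenset    # data security: which person records are in scope

    def covers(self, person):
        # Unknown persons map to None, which is never in the set: deny.
        return PEOPLE.get(person) in self.departments

@dataclass(frozen=True)
class DataRole:
    name: str
    job_role: JobRole         # a data role always inherits a job role
    profiles: tuple           # security profiles assigned to the data role

# Hypothetical function names for the Human Resource Specialist job role.
HR_SPECIALIST = JobRole("Human Resource Specialist",
                        frozenset({"manage_person", "view_person"}))

USERS = {
    "Tim Thompson": DataRole("HR Specialist US Marketing", HR_SPECIALIST,
        (PersonSecurityProfile("US Marketing People", frozenset({"US Marketing"})),)),
    "Patricia Smith": DataRole("HR Specialist US Sales", HR_SPECIALIST,
        (PersonSecurityProfile("US Sales People", frozenset({"US Sales"})),)),
}

def authorize(user, function, person):
    """Allow only if the job role grants the function AND a profile covers the record."""
    role = USERS.get(user)
    if role is None or function not in role.job_role.functions:
        return False          # deny by default
    return any(p.covers(person) for p in role.profiles)

def visible_people(user):
    """Person records the user's security profiles place in scope."""
    role = USERS.get(user)
    return sorted(p for p in PEOPLE if role and any(sp.covers(p) for sp in role.profiles))
```
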
Narration:
Section 2 of this presentation discusses predefined HCM security profiles.
In this section we will cover the following objective:
Predefined HCM security profiles
*
View Manager Hierarchy
All person records in the signed-on user’s manager hierarchy
View All Workers
All person records of people who have a work relationship
View All Organizations
All legislative data groups
All workforce business processes
View All People
View Own Record
View Manager Hierarchy
View All Workers
View All Organizations
View All Positions
View All Countries
Instructor note:
NA
*
Edit or delete the predefined security profiles
Create a custom security profile that provides access to all seeded objects; you must use the appropriate predefined View All security profile instead
Narration:
You cannot edit or delete the predefined security profiles.
Also, you cannot create a custom security profile that provides access to all seeded objects; instead, you must use the appropriate predefined View All security profile.
Instructor note:
NA
*
Narration:
Section 3 of this presentation discusses the various approaches to creating Data Roles.
In this section we will cover the following objectives:
Approaches to creating Data Roles
Assign Security Profiles to existing role
Assign Security Profiles to new data role
Security Profiles Best Practices
*
Approaches to creating Data Roles
Give employees access to their own records, the person records of their emergency contacts, beneficiaries, and dependents, and all public-person records
Assign relevant HCM security profiles directly to the employee abstract role 
Give managers access to the person records of direct and indirect reports. Assign relevant HCM security profiles directly to the line manager abstract role  
For individual job roles, determine whether all users with that job role access the same HCM business object instances
Narration:
Give employees access to their own records, the person records of their emergency contacts, beneficiaries, and dependents, and all public-person records.
Assign relevant HCM security profiles directly to the employee abstract role. 
Give managers access to the person records of direct and indirect reports. Assign relevant HCM security profiles directly to the line manager abstract role.  
For individual job roles, determine whether all users with that job role access the same HCM business object instances. In this scenario, you do not need to create a data role; you can simply assign the security profiles to the job role.
Instructor note:
NA
*
Narration:
Let us look at the steps for assigning security profiles to an existing role in the Fusion application.
To assign security profiles to an existing role, use the Manage HCM Data Role page.
Search for the role to which you want to assign security profiles, and press the Assign button.
In this example, we are assigning security profiles to the Line Manager role.
Instructor note:
NA
*
Narration:
The next page in the flow shows the types of security profiles that are used by the chosen role.
You can see here that both public person and person security profiles are shown. The person security profile is used to control which people the line manager can perform line manager actions against. The public person security profile is used to control which people the line manager can see in the Person Gallery.
In this page you can select the security profiles you want to assign to the role, or you can indicate that you want to create new security profiles.
Instructor note:
NA
*
Narration:
The next set of pages in the flow takes you through each of the security profiles in turn. If an existing security profile has been selected, that security profile will be shown. If you indicated on the previous page, Security Criteria, that you want to create a new security profile, then you define the new security profile on this page. You cannot modify existing security profiles from this flow.
Here is the organization security profile.
Instructor note:
NA
*
Narration:
Instructor note:
NA
*
Narration:
This page shows you the person security profile. Notice that it is securing access to people using the manager hierarchy.
Instructor note:
NA
*
Narration:
Now we are at the public person security profile page. Because the option to create a new person security profile was selected at the Security Criteria train stop, you have to define the properties of the new person security profile on this page.
Notice that it is securing access to all employees and all contingent workers. These are the people who the line manager will be able to see in Person Gallery.
Instructor note:
NA
*
Narration:
Instructor note:
NA
*
Narration:
Finally, an opportunity to review what has been entered earlier in the flow. When you hit the Submit button, data security policy data is created for the line manager role.
This covers the process of assigning security profiles to an existing role. In the next slide we will look at the steps for assigning security profiles to a new role.
Instructor note:
NA
*
Narration:
You use the Manage HCM Data Role page to create a new data role. This time, instead of searching for an existing role, you press the Create button.
Instructor note:
NA
*
Narration:
Next, you choose the job role on which this new data role will be based. And you enter the name of the new data role.
Instructor note:
NA
*
Narration:
You are then taken to the same sequence of pages that were shown earlier when assigning security profiles to the Line Manager role. Notice that this time the types of security profiles shown here are slightly different than before. This is because this data role, which will be based on the Human Resource Specialist job role, will be accessing different data to the Line Manager, and different types of security profiles are needed to implement data security for this Human Resource Specialist-based data role.
Instructor note:
NA
*
Security Profiles Best Practices
HCM security profiles are reusable and modular. Once you create a security profile, you can assign it to multiple data roles.
You can reference organization, position, payroll, and other security profiles in a person security profile.
Use the predefined security profiles wherever appropriate.
Security profile names must be unique in the enterprise for the security profile type.
Narration:
 
The following recommendations apply to all types of HCM security profiles:
HCM security profiles are reusable and modular. Once you create a security profile, you can assign it to multiple data roles.
You can reference organization, position, payroll, and other security profiles in a person security profile. For example, you might define an organization security profile that allows access to a particular business unit. You can then reference the organization security profile in a person security profile to provide access to people who are assigned to that business unit.
Use the predefined security profiles wherever appropriate.
Define a naming scheme that identifies clearly the set of business objects in the security profile's data instance set, such as HCM US Departments or US Marketing Positions. Security profile names must be unique in the enterprise for the security profile type.
Instructor note:
NA
*
Approaches to creating Data Roles
Narration:
Approaches to creating Data Roles
Instructor notes:
*
*
Let us do a review of the module
*
Key Points
Security profiles are assigned to roles that are directly assigned to users
Users cannot edit or delete the predefined security profiles
Users cannot create a custom security profile that provides access to all seeded objects
Assign relevant HCM security profiles directly to the employee and line manager abstract role
Narration:
Now that we have completed this lesson, let’s take a look at the key points. Please take a moment to review.
Security profiles are assigned to roles that are directly assigned to users
Users cannot edit or delete the predefined security profiles
Users cannot create a custom security profile that provides access to all objects
Assign relevant HCM security profiles directly to the employee and line manager abstract role
Instructor notes:
*
*
And by this, we conclude Fusion HCM Security Specialist Lesson 1. Thank you.
*