fusion hcm security specialist lesson 3 v1.0

For Oracle employees and authorized partners only. Do not distribute to third parties. © 2013 Oracle Corporation – Proprietary and Confidential

Upload: navin-kumar

Post on 11-Nov-2015


DESCRIPTION

HCM Security Presentation1

TRANSCRIPT

Slide 1*
Narration:
Hello & Welcome to Fusion HCM Security Specialist Lesson 3.
The topic covered in this lesson is Job Roles and Duty Roles.
*
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Safe Harbor Statement
Narration:
On the screen is Oracle’s Safe Harbor Statement, please take a moment to review.
*
Use of this Site (“Site”) or Materials constitutes agreement with the following terms and conditions:
1. Oracle Corporation (“Oracle”) is pleased to allow its business partner (“Partner”) to download and copy the information, documents, and the online training courses (collectively, “Materials") found on this Site. The use of the Materials is restricted to the non-commercial, internal training of the Partner’s employees only. The Materials may not be used for training, promotion, or sales to customers or other partners or third parties.
2. All the Materials are trademarks of Oracle and are proprietary information of Oracle. Partner or other third party at no time has any right to resell, redistribute or create derivative works from the Materials.
3. Oracle disclaims any warranties or representations as to the accuracy or completeness of any Materials.  Materials are provided "as is" without warranty of any kind, either express or implied, including without limitation warranties of merchantability, fitness for a particular purpose, and non-infringement.
4. Under no circumstances shall Oracle or the Oracle Authorized Delivery Partner be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this Site of Materials. As a condition of use of the Materials, Partner agrees to indemnify Oracle from and against any and all actions, claims, losses, damages, liabilities and expenses (including reasonable attorneys' fees) arising out of Partner’s use of the Materials.
5. Reference materials including but not limited to those identified in the Boot Camp manifest can not be redistributed in any format without Oracle written consent.
Oracle Training Materials – Usage Agreement
Narration:
On the screen is Oracle’s Usage Agreement, please take a moment to review.
*
Job Roles and Duty Roles
HCM security management data stores
Regenerating data roles
*
Learning Objectives
At the end of this lesson you should be able to:
Describe Job Roles and Duty Roles
Understand HCM security management data stores
Explain regenerating data roles
*
Narration:
Section 1 of this presentation describes Job Roles and Duty Roles.
In this section we will cover the following objectives:
Fusion Applications Security Model
*
Narration:
The Fusion Applications Security Model is a Role Based Access Control model. Users are assigned roles, and it is through these roles that they gain access to functions and data within Fusion Applications.
In this example, Anna Riles has the roles of employee, line manager and Human Resource Specialist. As you can see, it is possible for users to have more than one role, and when they sign on to Fusion Applications, all of their roles are active concurrently. In Fusion, the functions and data that a user can access come from a combination of the roles to which they are assigned.
*
[Figure: Who / What, with labels: Employees; For specified payrolls; Human Resource Specialists; Can transfer employees; For specified countries]
Role-based security in Oracle Fusion Applications controls who can do what on which data. 
Who is a role assigned to a user.
What is a function that users with the role can perform.
Which Data is the set of data that users with this role can access when performing this function. In Oracle Fusion HCM, "Which Data" is defined using security profiles.
For example:
Line Managers can create performance documents for workers in their reporting hierarchy
Employees can view payslips for themselves
Payroll Managers can report payroll balances for specified payrolls
Human Resource Specialists can transfer employees for specified countries
*
e.g. HRSpecialist_ViewAll, Payroll Administrator US Dept1 etc
Assigned directly to the users
e.g. Employee, Line Manager and Contingent Worker
Not assigned directly to the users
e.g. Payroll Administrator, Compensation Analyst etc
Not assigned directly to the users
Security privileges attached – functional privileges and data privileges
*
Narration:
There are a number of different types of security roles within Fusion Applications.
Abstract roles are not related to jobs. They are provisioned to users independently of the jobs into which they are hired.
Data roles are assigned directly to the users. For example: HR Specialist.
Job roles represent the jobs into which users are hired.
In Fusion HCM, users are directly assigned to abstract roles, but they are not directly assigned to job roles.
Both job roles and abstract roles inherit duty roles. It is the duty roles that are granted function security privileges.
*
Abstract Role
Abstract roles define a worker's role in the enterprise independently of the job that the worker is hired to do.
Narration:
Abstract roles define a worker's role in the enterprise independently of the job that the worker is hired to do. These abstract roles are predefined in Oracle Fusion HCM and are directly assigned to the users, so that they can manage the standard functions like managing their own information and searching the worker’s directory.
In this example, user Linda Swift has the Employee and Line Manager abstract roles.
Features:
Usually created in LDAP; can also be created in Oracle Identity Manager (OIM)
Referred to as External roles
Normally assigned by the system (based on user attributes)
Can also be provisioned to a user on request
*
Data Role
Data role allows a user to access a set of workers/organizations for a given task
Narration:
Data role allows a user to access a set of workers/organizations for a given task.
In this example, user Lindsay Allen has been assigned a duty role of Payroll Administrator, which means he will be able to access workers in the US only.
Data roles are covered in detail in Lesson 1 of Fusion HCM Security Specialist.
*
Narration:
Security profiles are used to create data roles.
In the following example, Tim Thompson and Patricia Smith are both human resource specialists, Tim in US Marketing and Patricia in US Sales. Each has a data role that inherits the job role Human Resource Specialist and the duty roles appropriate to that job role. Therefore, Tim and Patricia can perform the same functions and see the same entries in the Navigator, work area Tasks panes, and menus. However, each user accesses different sets of data, which are identified in separate sets of security profiles.
Security profiles are covered in detail in Lesson 1 of Fusion HCM Security Specialist.
*
Job Role
A job role provides the access to a set of tasks that a worker is hired to perform
Narration:
Job roles are assigned indirectly. We include the job role in the data role and then assign the data role to the user. They control the functions the user performs on the UI.
For example, Human Resource Analyst, Payroll Manager, Human Resources VP, etc. In this figure, Lindsay Allen has the Payroll Administrator job role.
Features:
Job Roles are attached to Duty Roles in APM (Authorization Policy Manager)
Job Roles may inherit Abstract roles and other Job Roles in OIM (Oracle Identity Manager)
Usually created in LDAP; can also be created in OIM
It is considered an External role in APM / OIM – Enterprise Role
*
Duty Role
Duty roles represent the individual duties that users with those job or abstract roles can perform. Duty roles are inherited by job and abstract roles; they can also be inherited by other duty roles.
Narration:
Duty roles are assigned indirectly. They are the building blocks of all the roles.
In this example, Lindsay Allen has the My Portrait Area Navigation Duty and Payroll Selection Duty roles.
Features:
Defined in Authorization Policy Manager as Application Roles
Security privileges are granted to Duty Roles via Authorization Policy Manager
Duty Roles are mapped to Job Roles in Authorization Policy Manager
Cannot be provisioned to a user on request
*
This worked example is using a delivered job role.
Here are the job and abstract roles that we deliver with Fusion HCM.
*
Narration:
Each job and abstract role inherits a number of duty roles. This slide shows the duty roles that are inherited by the Benefits Administrator job role.
*
Narration:
Here are the function security privileges that are granted to the Benefits Enrollment Maintenance Duty, which is inherited by the Benefits Administrator job role.
*
Narration:
And here are some of the data security policies that are carried by the Benefits Administrator job role.
Tying these back to “WHO can do WHAT on WHICH set of data”, “Benefits Administrator” is the WHO, “manage electable choice” is the WHAT and “for people and assignments in their person and assignment security profile” is the WHICH set of data.
*
Narration:
Let us look at how Job roles and duty roles are defined in the Fusion system.
Oracle Identity Manager is used to create and manage HCM job roles.
This figure and the following few slides explain the data roles assigned to an existing user and show the job roles that are inherited by those data roles. They also demonstrate how to search for a role and display a list of all users assigned to that role.
In Oracle Identity Manager, on the Delegated Administration page, search for the user Curtis Feitty.
Select the Roles tab to view the roles assigned to this user.
*
Narration:
This page shows all roles assigned to Curtis, including data roles, abstract roles, and job roles (if any).
Click on a data role, such as Benefits Admin - View All, and click Open.
*
Narration:
Here you can see that the Benefits Admin - View All data role inherits the Benefits Administrator job role.
Click the Members tab to see all the users assigned to this data role.
*
Narration:
This is useful if you need to quickly determine which users are assigned to a role.
Note: On this tab, the Member Type (for most members) is Indirect Role because users are not directly assigned the Payroll Manager job role. They inherit it via a data role that is based on the Payroll Administrator job role.
Return to the Oracle Fusion Applications window.
Next we will look at managing duty roles.
Instructor note:
OIM allows users to create several different types of roles. However, OIM should not be used to create data roles for HCM users; data roles should only be created using the Manage Data Role and Security Privileges task, as will become clear later when we look closely at security policies.
 
Provision Roles to Implementation Users
Manage Job Roles (Create job and abstract roles, reset user passwords)
Authorization Policy Manager (APM)
Manage Duties (View and manage role hierarchies, security policies, and permission grants)
Do not create new resource types, resources, entitlements, or authorization policies.
Do not manually modify data security policies, except to add custom duty roles.
*
Narration:
Authorization Policy Manager is used to manage duty roles and associated security policies.
This figure and the following few slides explain how the Manage Duties task is used to look at existing data and job roles. They demonstrate how to view the duties associated with job roles and where to go if you need to add or remove duties from a role.
In this page, you are viewing the Authorization Policy Manager (APM) user interface.
In the Application Name section, select hcm and search for the application role Benefits Reporting Data Duty.
*
Narration:
You are now viewing the Benefits Reporting Data Duty role. Click on Application Role Hierarchy.
*
Narration:
A duty role might inherit more duty roles. For example, in the above diagram the Benefits Reporting Data Duty contains another duty role called Benefits Enrollment Maintenance Duty.
*
Narration:
The purpose of the External Role Mapping page is to highlight which job roles (here, Human Resource Specialist) contain the Benefits Reporting Data Duty. There can be more than one job role inheriting this same duty role.
*
Narration:
Another way of looking at the duty roles, and which job roles inherit them, is through the Role Catalog work area. For example, in the above diagram, Benefits Reporting Data Duty is contained within two job roles (directly or indirectly):
Benefits Manager
The difference between the Role Catalog and the External Role Mapping tab is:
The Role Catalog shows the indirect association of a duty role to all job roles,
whereas the External Role Mapping tab shows only the direct association of a duty role to all job roles.
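The direct-versus-indirect distinction above, and the way privileges reach a user through data, job and duty roles, as an added example that is not part of the original presentation. It is a small Python model, not an APM or OIM interface: the inheritance edges and privilege grants are constructed sample data using role names from the slides, and "Benefits Management Duty (hypothetical)" and "Report Benefits Data" are invented for illustration.

```python
# Added illustration: constructed sample data, not an export from APM or OIM.
from collections import deque

# Role type per node. Names come from the slides unless marked hypothetical.
ROLE_TYPE = {
    "Benefits Admin - View All": "data",
    "Employee": "abstract",
    "Benefits Administrator": "job",
    "Human Resource Specialist": "job",
    "Benefits Manager": "job",
    "Benefits Reporting Data Duty": "duty",
    "Benefits Enrollment Maintenance Duty": "duty",
    "Benefits Management Duty (hypothetical)": "duty",
}

# role -> roles it inherits directly (edges are assumptions for this example)
INHERITS = {
    "Benefits Admin - View All": ["Benefits Administrator"],
    "Benefits Administrator": ["Benefits Enrollment Maintenance Duty"],
    "Human Resource Specialist": ["Benefits Reporting Data Duty"],
    "Benefits Manager": ["Benefits Management Duty (hypothetical)"],
    "Benefits Management Duty (hypothetical)": ["Benefits Reporting Data Duty"],
    "Benefits Reporting Data Duty": ["Benefits Enrollment Maintenance Duty"],
}

# Function security privileges are granted to duty roles only.
# "Report Benefits Data" is a constructed privilege name.
GRANTS = {
    "Benefits Enrollment Maintenance Duty": {"Manage Electable Choice"},
    "Benefits Reporting Data Duty": {"Report Benefits Data"},
}

def closure(roles):
    """All roles reachable from `roles` through inheritance (cycle-safe)."""
    seen, queue = set(roles), deque(roles)
    while queue:
        for child in INHERITS.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen

def effective_privileges(assigned_roles):
    """Privileges gained from directly assigned data or abstract roles."""
    bad = [r for r in assigned_roles
           if ROLE_TYPE.get(r) not in ("data", "abstract")]
    if bad:  # job and duty roles are never assigned to users directly
        raise ValueError(f"not directly assignable in this model: {bad}")
    privs = set()
    for role in closure(assigned_roles):
        privs |= GRANTS.get(role, set())
    return privs

def direct_job_roles(duty):
    """External Role Mapping view: job roles that map the duty directly."""
    return {r for r, kids in INHERITS.items()
            if ROLE_TYPE.get(r) == "job" and duty in kids}

def all_job_roles(duty):
    """Role Catalog view: job roles that reach the duty at any depth."""
    return {r for r, t in ROLE_TYPE.items()
            if t == "job" and duty in closure([r])}

if __name__ == "__main__":
    duty = "Benefits Reporting Data Duty"
    print("direct:", sorted(direct_job_roles(duty)))
    print("direct or indirect:", sorted(all_job_roles(duty)))
    print("privileges:", sorted(effective_privileges(["Benefits Admin - View All"])))
```

Job roles that appear only in the second result inherit the duty through another duty role, which is why an access review based on the direct mapping alone can miss them.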
*
Select the External Role Hierarchy tab
This page shows all the job roles inherited by the Benefits Manager data role
Click the Application Role Mapping tab.
*
Narration:
Here you can see all of the duty roles associated with the Benefits Manager job role. From this page, you can map additional application roles (duties) to this job role by using the Map icon.
*
Narration:
In the above diagram, make sure you select the application as hcm before you search for the application roles. Application roles and duty roles are the same.
Select multiple duty roles/application roles and click on the Map roles button to add them to the hierarchy.
*
Narration:
Let us recap what we have learnt so far about the various types of roles.
In reality, abstract and job roles inherit many duty roles. The following figure shows a simplified example.
The HCM security model supports several different types of security profiles, each used to control access to a different type of data.
*
Compensation managers are responsible for researching, establishing, and maintaining a company's pay system. In performing this significant function, the compensation manager has to research and understand the current and upcoming competitive markets for employee pay and benefits.
They must find ways to ensure that pay rates are fair and equitable to retain and recruit employees.
A compensation manager, in a larger organization, is often assisted by staff specialists. They may conduct salary surveys to see how their pay rates compare with those of other companies.
They may also work with established online sites that specialize in compensation to do market comparisons of pay by region, number of employees, and job responsibilities.
*
Narration:
These job descriptions of Compensation Manager can be mapped to Fusion Roles in this fashion.
The four job descriptions discussed in the previous slide are mapped to privileges, which in turn are mapped to duty roles and job roles.
*
Hailie is provisioned with the Compensation Manager role…
…plus the Employee and Line Manager Abstract Roles
US Compensation Manager Data Role
US Organizations
Narration:
After mapping the Compensation Manager's job descriptions to the Fusion Security Model, let us see how our new Compensation Manager, called Hailie, appears in Fusion.
Hailie is provisioned with the Compensation Manager job role, which inherits Compensation duty roles.
She also has the Employee and Line Manager abstract roles with their associated duty roles.
Finally, she has US compensation manager data role that consists of following types of security profiles:
US Organizations
*
Narration:
Section 2 of this presentation explains HCM security management data stores.
In this section we will cover the following objective:
Understand HCM security management data stores
*
Narration:
This figure shows where security data, managed by different Oracle applications, is stored and shared.
Key Points
OIM Identity Store
OIM maintains user accounts in the Oracle Fusion Applications Identity Store. It stores the definitions of abstract, job, and data roles (enterprise roles in OIM), and holds information about roles provisioned to users.
Job and abstract roles created in OIM must be synchronized so that the new role names and other attributes are available to Oracle Fusion HCM.
You cannot view duty roles in OIM, only in APM.
APM Policy Store
Duty roles are created in APM and stored in the Policy Store, along with function security policies.
The Policy Store holds copies of users and enterprise roles stored in the Identity Store.
Duty roles do not have to be synchronized with HCM.
Fusion Application Database Tables
These tables store data security policies, HCM role-provisioning rules, security profiles, part of the data role definitions, and copies of the job and abstract roles.
*
Section 3 of this presentation discusses regenerating data roles.
In this section we will cover the following objective:
Explain regenerating data roles
*
Regenerating Data Roles
Regenerate a data role if you make any changes to the role hierarchy that underlies the data role
Narration:
To regenerate a data or abstract role:
1. Launch the Manage Data Role and Security Profiles task in the Setup and Maintenance work area.
2. Search for the role that needs to be regenerated.
3. Select the role in the Search Results, and click Assign.
Information: A flow is initiated (the same one you saw when you created a data role in the previous activity) that allows you to view the security criteria and all assigned security profiles.
4. Click Review, and then click Submit.
Information: When you click Submit, the security profiles assigned to the role are used to generate the data security policies for that role.
Note: Security policies are regenerated only for the selected role. If you needed to regenerate data security policies for multiple roles, you would have to run this task (and click Assign) for each role.
*
Different types of roles and how they are defined
Managing Job Roles and Duty Roles
Understanding of HCM security management data stores
Regenerating data roles
*
Let's do a review of the module
*
Job roles represent the jobs into which users are hired
Users are directly assigned to abstract roles, but they are not directly assigned to job roles
Abstract and job roles inherit many duty roles
Oracle Identity Manager (OIM) maintains user accounts in the Oracle Fusion Applications Identity Store
Duty roles are created in Authorization Policy Manager (APM) and stored in the Policy Store, along with function security policies
Regenerating a role causes all its data security policies to be updated based on changes to its role hierarchy
Narration:
Now that we have completed this lesson, let’s take a look at the key points. Please take a moment to review.
*
And that brings us to the end of the Fusion HCM Security Specialist Lesson. Thank you.
*