Slide 1*
Narration:
Hello and welcome to Fusion HCM Security Specialist Lesson 3.
The topic covered in this lesson is Job Roles and Duty Roles.
Instructor notes:
NA
*
Job Roles and Duty Roles
HCM security management data stores
Regenerating data roles
The agenda items are the section titles
*
Learning Objectives
At the end of this lesson you should be able to:
Describe Job Roles and Duty Roles
Understand HCM security management data stores
Explain regenerating data roles
Narration:
At the end of this lesson you should be able to:
Describe Job Roles and Duty Roles
Understand HCM security management data stores
Explain regenerating data roles
*
*
Narration:
Section 1 of this presentation describes Job Roles and Duty
Roles.
In this section we will cover the following objectives:
Fusion Applications Security Model
*
Narration:
The Fusion Applications Security Model is a Role Based Access
Control model. Users are assigned roles, and it is through these
roles that they gain access to functions and data within Fusion
Applications.
In this example, Anna Riles has the roles of employee, line manager and
Human Resource Specialist. As you can see, it is possible for users
to have more than one role, and when they sign on to Fusion
Applications, all of their roles are active concurrently. In
Fusion, the functions and data that a user can access come from a
combination of the roles to which they are assigned.
Instructor notes:
*
[Slide figure: Who / What / Which Data. Examples shown: Employees; Human Resource Specialists; can transfer employees; for specified payrolls; for specified countries]
Role-based security in Oracle Fusion Applications controls who can
do what on which data.
Who is a role assigned to a user.
What is a function that users with the role can perform.
Which Data is the set of data that users with this role can
access when performing this function. In Oracle Fusion HCM, "Which
Data" is defined using security profiles.
For example:
Line Managers can create performance documents for workers in their
reporting hierarchy
Employees can view payslips for themselves
Payroll Managers can report payroll balances for specified
payrolls
Human Resource Specialists can transfer employees for specified
countries
Instructor notes:
*
*
e.g. HRSpecialist_ViewAll, Payroll Administrator US Dept1 etc
Assigned directly to the users
e.g. Employee, Line Manager and Contingent Worker
Not assigned directly to the users
e.g. Payroll Administrator , Compensation Analyst etc
Not assigned directly to the users
Security privileges attached – functional privileges and data
privileges
*
Narration:
There are a number of different types of security roles within
Fusion Applications.
Abstract roles are not related to jobs. They are provisioned to
users independently of the jobs into which they are hired.
Data roles are assigned directly to the users. For example: HR
Specialist.
Job roles represent the jobs into which users are hired.
In Fusion HCM, users are directly assigned to abstract roles, but
they are not directly assigned to job roles.
Both job roles and abstract roles inherit duty roles. It is the
duty roles that are granted function security privileges.
Instructor notes:
NA
*
Abstract Role
Abstract roles define a worker's role in the enterprise
independently of the job that the worker is hired to do.
Narration:
Abstract roles define a worker's role in the enterprise
independently of the job that the worker is hired to do. These
abstract roles are predefined in Oracle Fusion HCM and are directly
assigned to the users, so that they can manage the standard
functions like managing their own information and searching the
worker’s directory.
In this example, user Linda Swift has the Employee and Line Manager
abstract roles.
Features:
Usually created in LDAP; can also be created in Oracle Identity
Manager (OIM)
Referred to as External roles
Normally assigned by the system (based on user attributes)
Can also be provisioned to a user on request
Instructor Notes:
*
*
Data Role
A data role allows a user to access a set of workers/organizations
for a given task.
Narration:
A data role allows a user to access a set of workers/organizations
for a given task.
In this example, user Lindsay Allen has been assigned a duty role
of Payroll Administrator, which means he will be able to access
workers in the US only.
Data roles are covered in detail in Lesson 1 of Fusion HCM
Security Specialist.
Instructor notes:
*
*
Narration:
Security profiles are used to create data roles.
In the following example, Tim Thompson and Patricia Smith are both
human resource specialists, Tim in US Marketing and Patricia in US
Sales. Each has a data role that inherits the job role Human
Resource Specialist and the duty roles appropriate to that job
role. Therefore, Tim and Patricia can perform the same functions
and see the same entries in the Navigator, work area Tasks panes,
and menus. However, each user accesses different sets of data,
which are identified in separate sets of security profiles.
Security Profiles are covered in detail in Lesson 1 of Fusion HCM
Security Specialist.
Instructor notes:
*
*
Job Role
A job role provides the access to a set of tasks that a worker is
hired to perform
Narration:
Job roles are assigned indirectly. We include the job role in the
data role and then assign the data role to the user. They control
the functions the user performs on the UI.
For example, Human Resource Analyst, Payroll Manager, Human
Resources VP etc. In this figure, Lindsay Allen has the Payroll
Administrator job role.
Features:
Job Roles are attached to Duty Roles in APM (Authorization
Policy Manager)
Job Roles may inherit Abstract roles and other Job Roles in OIM
(Oracle Identity Manager)
Usually created in LDAP; can also be created in OIM
It is considered an External role in APM / OIM – Enterprise
Role
Instructor notes:
*
*
Duty Role
Duty roles represent the individual duties that users with those
job or abstract roles can perform. Duty roles are inherited by job
and abstract roles; they can also be inherited by other duty
roles.
Narration:
Duty roles are assigned indirectly. They are the building blocks of
all the roles.
In this example, Lindsay Allen has My Portrait Area Navigation Duty
and Payroll Selection Duty roles
Features:
Defined in Authorization Policy Manager as Application Roles
Security privileges are granted to Duty Roles via Authorization
Policy Manager
Duty Roles are mapped to Job Roles in Authorization Policy
Manager
Cannot be provisioned to a user on request
Instructor notes:
*
*
This worked example is using a delivered job role.
Here are the job and abstract roles that we deliver with Fusion
HCM.
Instructor notes:
*
*
Narration:
Each job and abstract role inherits a number of duty roles. This
slide shows the duty roles that are inherited by the Benefits
Administrator job role.
Instructor notes:
*
*
Narration:
Here are the function security privileges that are granted to the
Benefits Enrollment Maintenance Duty, which is inherited by the
Benefits Administrator job role.
Instructor notes:
*
*
Narration:
And here are some of the data security policies that are carried by
the Benefits Administrator job role.
Tying these back to “WHO can do WHAT on WHICH set of data”,
“Benefits Administrator” is the WHO, “manage electable choice” is
the WHAT and “for people and assignments in their person and
assignment security profile” is the WHICH set of data.
Instructor notes:
*
*
Narration:
Let us look at how job roles and duty roles are defined in the
Fusion system.
Oracle Identity Manager is used to create and manage HCM job
roles.
This figure and the following few slides explain the data roles
assigned to an existing user and show the job roles that are
inherited by those data roles. They also demonstrate how to search
for a role and display a list of all users assigned to that
role.
In the Oracle Identity Manager Delegated Administration page,
search for the user Curtis Feitty.
Select the Roles tab to view the roles assigned to this user.
Instructor note:
NA
*
Narration:
This page shows all roles assigned to Curtis, including data roles,
abstract roles, and job roles (if any).
Click on a data role, such as Benefits Admin - View All, and click
Open.
Instructor note:
NA
*
NA
*
Narration:
Here you can see that the Benefits Admin - View All data role
inherits the Benefits Administrator job role.
Click the Members tab to see all the users assigned to this data
role.
Instructor note:
NA
*
Narration:
This is useful if you need to quickly determine which users are
assigned to a role.
Note: On this tab, the Member Type (for most members) is Indirect
Role because users are not directly assigned the Payroll Manager
job role. They inherit it via a data role that is based on the
Payroll Administrator job role.
Return to the Oracle Fusion Applications window.
Next we will look at managing duty roles.
Instructor note:
OIM allows users to create several different types of roles.
However, OIM should not be used to create data roles for HCM users;
data roles should only be created using the Manage Data Role and
Security Privileges task, as will become clear later when we look
closely at security policies.
Provision Roles to Implementation Users
Manage Job Roles (Create job and abstract roles, reset user
passwords)
Authorization Policy Manager (APM)
Manage Duties (View and manage role hierarchies, security policies,
and permission grants)
Do not create new resource types, resources, entitlements, or
authorization policies.
Do not manually modify data security policies, except to add custom
duty roles.
*
*
*
Narration:
Authorization Policy Manager is used to manage duty roles and
associated security policies.
This figure and the following few slides explain how the Manage
Duties task is used to look at existing data and job roles. It
demonstrates how to view the duties associated with job roles and
where to go if you need to add or remove duties from a role.
In this page, you are viewing the Authorization Policy Manager
(APM) user interface.
In the Application Name section, select hcm and search for the
application role Benefits Reporting Data Duty.
Instructor notes:
NA
*
*
*
Narration:
You are now viewing the Benefits Reporting Data Duty role. Click
Application Role Hierarchy.
Instructor notes:
NA
*
*
*
Narration:
A duty role might inherit other duty roles. For example, in the above
diagram, Benefits Reporting Data Duty contains another duty role
called Benefits Enrollment Maintenance Duty.
Instructor notes:
NA
*
*
*
Narration:
The purpose of the External Role Mapping page is to highlight which job
roles (here, Human Resource Specialist) contain Benefits Reporting
Data Duty. More than one job role can inherit the same
duty role.
Instructor notes:
NA
*
*
*
Narration:
Another way to see the duty roles, and which job roles
inherit them, is through the Role Catalog work area. For example, in
the above diagram, Benefits Reporting Data Duty is contained within
two job roles (directly or indirectly):
Benefits Manager
The difference between the Role Catalog and the External Role Mapping tab
is:
The Role Catalog shows the indirect association of a duty role to all job
roles,
whereas the External Role Mapping tab shows only the direct association
of a duty role to all job roles.
Instructor notes:
NA
*
*
*
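The two views compared above, together with the Direct and Indirect member types seen in OIM, as an added example that is not part of the original lesson and is not Oracle code: a small Python model of role inheritance. Only the role names come from the lesson; the inheritance edges, privilege names and user assignments are constructed for illustration.

```python
# Added illustration, not Oracle code. Role names come from the lesson; the
# inheritance edges, privilege names and user assignments are constructed.
INHERITS = {  # role -> roles it inherits directly
    "Benefits Admin - View All": ["Benefits Administrator"],       # data -> job
    "Benefits Administrator": ["Benefits Enrollment Maintenance Duty"],
    "Benefits Manager": ["Human Resource Specialist"],             # job -> job
    "Human Resource Specialist": ["Benefits Reporting Data Duty"],
    "Benefits Reporting Data Duty": ["Benefits Enrollment Maintenance Duty"],
    "Employee": ["My Portrait Area Navigation Duty"],              # abstract -> duty
}
ROLE_TYPE = {
    "Benefits Admin - View All": "data",
    "Benefits Administrator": "job",
    "Benefits Manager": "job",
    "Human Resource Specialist": "job",
    "Benefits Reporting Data Duty": "duty",
    "Employee": "abstract",
}
PRIVILEGES = {  # duty role -> function privileges (placeholder names)
    "Benefits Enrollment Maintenance Duty": ["manage electable choice"],
    "My Portrait Area Navigation Duty": ["open my portrait"],
}
USER_ROLES = {"Curtis Feitty": ["Benefits Admin - View All", "Employee"]}


def closure(role, graph=INHERITS):
    """All roles reachable from `role` through inheritance (cycle-safe)."""
    seen, stack = set(), list(graph.get(role, []))
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(graph.get(current, []))
    return seen


def job_roles_direct(duty):
    """External Role Mapping view: job roles that list the duty directly."""
    return sorted(r for r, kids in INHERITS.items()
                  if ROLE_TYPE.get(r) == "job" and duty in kids)


def job_roles_all(duty):
    """Role Catalog view: job roles that reach the duty directly or indirectly."""
    return sorted(r for r in INHERITS
                  if ROLE_TYPE.get(r) == "job" and duty in closure(r))


def member_type(user, role):
    """'Direct', 'Indirect' or None, like the Member Type column in OIM."""
    assigned = USER_ROLES.get(user, [])
    if role in assigned:
        return "Direct"
    if any(role in closure(a) for a in assigned):
        return "Indirect"
    return None


def effective_privileges(user):
    """Union of the privileges of every duty role the user inherits."""
    roles = set(USER_ROLES.get(user, []))
    for assigned in list(roles):
        roles |= closure(assigned)
    return sorted({p for r in roles for p in PRIVILEGES.get(r, [])})
```

When reviewing who can reach a duty role, the transitive view is the one to audit, because the direct view misses job roles that inherit the duty through another role.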
Select the External Role Hierarchy tab
This page shows all the job roles inherited by the Benefits Manager
data role.
Click the Application Role Mapping tab.
Instructor notes:
NA
*
*
*
Instructor notes:
NA
*
*
*
Narration:
Here you can see all of the duty roles associated with the Benefits
Manager job role. From this page, you can map additional
application roles (duties) to this job role by using the Map
icon.
Instructor notes:
NA
*
*
*
Narration:
In the above diagram, make sure you select hcm as the application
before you search for application roles. Application roles and duty
roles are the same.
Select multiple duty roles/application roles and click the Map roles
button to add them to the hierarchy.
Instructor notes:
NA
*
Narration:
Let us recap what we have learned so far about the various types of
roles.
In reality, abstract and job roles inherit many duty roles. The
following figure shows a simplified example.
The HCM security model supports several different types of security
profiles, each used to control access to a different type of
data.
Instructor notes:
NA
*
Compensation managers are responsible for researching,
establishing, and maintaining a company's pay system. In performing
this significant function, the compensation manager has to research
and understand the current and upcoming competitive markets for
employee pay and benefits.
They must find ways to ensure that pay rates are fair and equitable
to retain and recruit employees.
A compensation manager, in a larger organization, is often assisted
by staff specialists. They may conduct salary surveys to see how
their pay rates compare with those of other companies.
They may also work with established online sites that specialize in
compensation to do market comparisons of pay by region, number of
employees, and job responsibilities.
Instructor notes:
*
*
Narration:
These job descriptions of Compensation Manager can be mapped to
Fusion Roles in this fashion.
The four job descriptions discussed in previous slide are mapped to
privileges which in turn are mapped to Duty roles and Job
roles.
Instructor notes:
*
*
Hailie is provisioned with the Compensation Manager role…
…plus the Employee and Line Manager Abstract Roles
US Compensation Manager Data Role
US Organizations
Narration:
After mapping the Compensation Manager's job descriptions to the Fusion
Security Model, let us see how our new Compensation Manager, called
Hailie, appears in Fusion.
Hailie is provisioned with the Compensation Manager job role, which
inherits Compensation duty roles.
She also has the Employee and Line Manager abstract roles with
associated duty roles.
Finally, she has the US Compensation Manager data role, which consists of
the following types of security profiles:
US Organizations
*
*
Narration:
Section 2 of this presentation explains HCM security management
data stores.
In this section we will cover the following objective:
Understand HCM security management data stores
Instructor Notes:
*
Narration:
This figure shows where security data, managed by different Oracle
applications, is stored and shared.
Key Points
OIM Identity Store
OIM maintains user accounts in the Oracle Fusion Applications
Identity Store. It stores the definitions of abstract, job, and
data roles (enterprise roles in OIM), and holds information about
roles provisioned to users.
Job and abstract roles created in OIM must be synchronized so that
the new role names and other attributes are available to Oracle
Fusion HCM.
You cannot view duty roles in OIM, only in APM.
APM Policy Store
Duty roles are created in APM and stored in the Policy Store, along
with function security policies.
The Policy Store holds copies of users and enterprise roles stored
in the Identity Store.
Duty roles do not have to be synchronized with HCM.
Fusion Application Database Tables
These tables store data security policies, HCM role-provisioning
rules, security profiles, part of the data role definitions, and
copies of the job and abstract roles.
Instructor note:
NA
*
Section 3 of this presentation discusses regenerating data
roles.
In this section we will cover the following objective:
Explain regenerating data roles
*
Regenerating Data Roles
Regenerate a data role if you make any changes to the role
hierarchy that underlies the data role
Narration:
To regenerate a data or abstract role:
Launch the Manage Data Role and Security Profiles task in the Setup
and Maintenance work area.
Search for the role that needs to be regenerated.
Select the role in the Search Results, and click Assign.
Information
A flow is initiated (the same one you saw when you created a data
role in the previous activity) that allows you to view the security
criteria and all assigned security profiles.
Click Review, and then click Submit.
Information
When you click Submit, the security profiles assigned to the role
are used to generate the data security policies for that
role.
Note: Security policies are regenerated only for the selected role.
If you needed to regenerate data security policies for multiple
roles, you would have to run this task (and click Assign) for each
role.
Instructor note:
NA
*
Different types of roles and how they are defined
Managing Job Roles and Duty Roles
Understanding of HCM security management data stores
Regenerating data roles
*
*
Let's do a review of the module.
*
Job roles represent the jobs into which users are hired
Users are directly assigned to abstract roles, but they are not
directly assigned to job roles
Abstract and job roles inherit many duty roles
Oracle Identity Manager (OIM) maintains user accounts in the Oracle
Fusion Applications Identity Store
Duty roles are created in Authorization Policy Manager (APM) and
stored in the Policy Store, along with function security
policies
Regenerating a role causes all its data security policies to be
updated based on changes to its role hierarchy
Narration:
Now that we have completed this lesson, let’s take a look at the
key points. Please take a moment to review.
Job roles represent the jobs into which users are hired
Users are directly assigned to abstract roles, but they are not
directly assigned to job roles
Abstract and job roles inherit many duty roles
OIM maintains user accounts in the Oracle Fusion Applications
Identity Store
Duty roles are created in APM and stored in the Policy Store, along
with function security policies
Regenerating a role causes all its data security policies to be
updated based on changes to its role hierarchy
Instructor notes:
*
*
And that brings us to the end of the Fusion HCM Security Specialist Lesson.
Thank you.
*