Fusion Role Based Security Model


  • 8/19/2019 Fusion Role Based Security Model


    Fusion Role Based Security Model

Oracle Fusion Applications use a role-based access-control security model, where users are assigned roles through which they gain access to functions and data within the applications. Unlike Oracle Ebiz, users do not need to select different responsibilities once they log in: all roles are active concurrently, i.e. users do not have to select any role when they sign in.

Role-based security in Oracle Fusion Applications controls WHO can do WHAT on WHICH data. For example: a line manager (who) can promote (what) an employee (which). This is also explained in the table below.

Who           What                      Which Data
Employee      Can see payslip           His own
Line Manager  Can transfer/terminate    A worker from his team
HR            Can give promotion        Employees from a particular organization

Understand with an example

At the beginning it sounds confusing, but once you get the basics it is easier and as convenient as your responsibilities and functions in Ebiz. To understand it better, let's put a hypothetical business requirement in front of us.

Requirement : There is a security chief (let's say Mr. Security) responsible for taking care of all security measures in your organization. He needs to be given authority to terminate any employee caught violating security guidelines. In Oracle terminology, he needs to be given a new role to be able to terminate any employee within your organization.

Now the function to terminate an employee is already available with a few seeded roles like Manager and HR Specialist, but you cannot assign them to Mr. Security: using the seeded role 'Manager' he would be able to terminate only people falling under the manager hierarchy. You also cannot assign the other seeded role 'HR Specialist' to Mr. Security, as it comes with many other powerful things along with Termination.

So the only option is to create a new custom role only for terminating employees and assign it to Mr. Security. In the next steps we will see how this can be done.

Setup Steps


Now we know that we have to create a new role, but what would be the type of role, as Oracle Fusion delivers four different types of roles? So let's talk about the different roles available in Fusion before we log in to the application and start setting things up.

Oracle Fusion Applications use four types of roles for security management, which are given below. The first three role types can be assigned to users directly. These roles also inherit some other roles.

Data Roles

Data roles are a combination of a worker's job and the data instances on which the job can be performed. For example, a data role Payroll Administrator Payroll US combines a job (Payroll Administrator) with a data instance (Payroll US). As the job is one factor, the data role inherits a Job Role, and for the data we attach a security profile to it (explained later).

Job Roles

A job role aligns with the job that a worker is hired to perform. Human Resource Analyst and Payroll Manager are examples of predefined job roles. Typically you include job roles in data roles and assign those data roles to users. The IT Security Manager and Application Implementation Consultant job roles are exceptions because they are not considered HCM job roles and do not restrict data using HCM security profiles.

Abstract Roles

Abstract roles represent a worker's role in the enterprise independently of the job that the worker is hired to do. There are three seeded abstract roles delivered with Oracle Fusion HCM: the Employee, Line Manager and Contingent Worker roles. Abstract roles are assigned to users automatically when some event occurs, like Hire an employee, Terminate an employee or Promote an employee.

Duty Roles

A duty role aligns with the individual duties that users perform as part of their job, but it is not assigned to users directly. This role also grants access to work areas, dashboards, task flows, application pages, reports, batch programs and so on. Duty roles are inherited by job and abstract roles and can also be inherited by other duty roles. Needless to say, we can also create custom roles if needed.

The diagram below shows how some of the roles inherit others.


Data Security Through Security Profiles

Before we start our setup steps there is one more important topic to discuss: Security Profiles. A security profile identifies a set of data of a single type, such as persons or organizations, for example: All workers in department HCM US. We can assign security profiles to:

• Data roles
• Abstract roles
• Job roles

We can create HCM security profiles for the following HCM business objects (this list may change in future releases):

• Person
• Organization
• Position
• Legislative Data Group
• Country
• Document Type
• Payroll
• Payroll Flow

Okay, enough theory. By now we know that for our requirement we have to create a Data Role to assign to the user, and that Data role should inherit a job role, which in turn inherits a duty role. We also need to create a security profile to restrict the organization and attach it to the Data role. Here are the steps:

Step #1 : Create a Job Role

To create a job role, search for the task 'Manage Job Roles' and click on Go to Task. This will open up a new window (OIM : Oracle Identity Manager).

Navigation : Navigator > Tools > Setup and Maintenance > All Tasks Tab > Search for Name Manage Job Roles

Click on the Administration link at the top right corner. You will see a welcome page. Click on Create role under Roles and enter the details as given below. Once done, click on Save and close the window.

• Name :


Step #2 : Map Duty role with Job role

From the above diagram and explanation we know that a Job Role must inherit a Duty Role. So to link a duty role with the job role we have created (Avi Terminate Worker), search for the task 'Manage Duties' and click on Go to Task.

Navigation : Navigator > Tools > Setup and Maintenance > All Tasks Tab > Search for Name Manage Duties

Once again this will open a new window (APM : Authorization Policy Manager). Click/select hcm from Application Name and then click on Search External Roles under Search and Create.

Note : All roles defined in Oracle Identity Manager (OIM) are considered External roles in Authorization Policy Manager (APM).


Now, in the next page, search for the role (Avi Terminate Worker) we created in OIM. In the search result section select the Job Role and click on 'Open Role'. You will see the following screen.


On the above page click on the 'Application Role Mapping' tab and then on the 'Map' icon. It will bring up a pop-up. Select hcm as the application and search for the role 'Worker Termination Duty'. In the search result section click on the result and then click on Map Roles. Now we have successfully mapped the duty role with our job role. This duty role is what lets us terminate the worker.

You must be wondering how I knew that only the 'Worker Termination Duty' duty role has to be added to the job role to give termination access. Do we need to remember all these duty roles? The answer is NO. You can download the mapping from the Oracle note Mapping Of Roles, Duties and Privileges in Fusion Applications (Doc ID 1460486.1): https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=454165700579644&id=1460486.1&_adf.ctrl-state=xi8u73p9d_21

Step #3 : Run the process 'Retrieve Latest LDAP Changes'

Navigation : Navigator > Tools > Scheduled Process

Now run the process 'Retrieve Latest LDAP Changes'. We need to run this program to synchronize roles between LDAP and HCM. After a successful run our job role will be available to HCM. Once the program status is Succeeded we can move to the next step.

Note : Please see the post Scheduling a Process in Oracle Fusion (http://iavinash.com/scheduling-process-fusion/) to get an idea of how processes are scheduled in Fusion applications.

Step #4 : Create Security Profile (Optional)


Navigation : Navigator > Tools > Setup and Maintenance > All Tasks Tab > Search for Manage Person Security Profile

As we know, we can attach a security profile to a Data role to give access to a particular set of data. If you do not create any security profile, you can select the 'View All' option when creating the Data role. In this example we will create a security profile based on the Person Security profile.

To create a security profile, search for the task 'Manage Person Security Profile' and click on the Go to task icon. A new page will appear; in the search result section click on the Create icon.

On the Create Person Security Profile page, give it a name and select the check box Secure by Legal employer. From the list, select the legal employer for which you want Mr. Security to have access to terminate workers. Once done, click on Save and close. Click Yes if you receive a warning.

Step #4 : Create a Data Role

Navigation : Navigator > Tools > Setup and Maintenance > All Tasks Tab > Search for Assign Security Profiles to Role

Search for the task 'Assign Security Profiles to Role' and click on Go to task. A new page will appear. In the search result section click on the Create icon.

First give your data role a name and select the Job role that you created before. Once done, click on Next.


In the next guided step, select the security profile that you created earlier. Once done, click on Next.

NOTE : If you did not follow the previous step, you can still create a security profile from here, or just select View All from the list.

The next screen will show all security profiles associated with this data role. Click on Next again, which will bring up the Review page. Review it once and, once satisfied, click on Submit.

Step #5 : Create Role Provisioning Rule

Navigation : Navigator > Tools > Setup and Maintenance > All Tasks Tab > Search for Name Manage Role Provisioning Rules

Using a role provisioning rule we add an extra layer of security and can define which role will be available to which set of users. Using this we can also set rules to automatically assign a role to users if predefined conditions are met.

Search for the task Manage Role Provisioning Rules and click on Go to task. In the next page click on Create under the search result section. Give a mapping name, select Conditions (left blank in this example) and in the Associated Roles section select the data role we have created. Please ensure the Requestable check box is selected and Autoprovision is unchecked. Click on Save and Close.

Note : If you notice, the 'Delegation Allowed' option is disabled because when we created our data role (in the Create a Data Role step above) we did not select the 'Delegation Allowed' check box. We will discuss role provisioning in detail in some other topic.


Step #6 : Assign Data Role to user

Now your Data role is ready. You can assign it to any person. There are different ways you can assign a role to a user, either through OIM or from the task 'Manage Users'. We are assuming you are already aware of these steps.

In the image below the Data Role was assigned through Oracle Identity Manager. You can see Mr. Security has two roles: Employee (abstract Role) and Avi Terminate Worker - Operation US Only.

Step #7 : Validate the Data Role Assigned to user


Navigation : Navigator > Person Gallery > Search for person

To validate the Data Role, Mr. Security will log in to the application.

Navigate to Person Gallery and search for any worker. On the left-hand side, under the Actions menu, he will see the option to terminate the worker.

You can go through the post Configure and Customize Approval Rules in Oracle Fusion (http://iavinash.com/approval-rules-and-workflow-oracle-fusion/) to see how an approval can be customized for termination.
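To make the WHO / WHAT / WHICH model and the seven setup steps concrete, here is an added example (not Oracle code and not the author's code) that models the same hierarchy in Python: a duty role carries function privileges, a job role inherits duty roles, and a data role pairs a job role with a security profile that scopes the data. The role names 'Worker Termination Duty', 'Avi Terminate Worker' and 'Avi Terminate Worker - Operation US Only' are taken from the steps above; the privilege strings, the 'Worker Promotion Duty' name, the manager-hierarchy profile and all workers are constructed for the example and do not correspond to real Fusion identifiers.

```python
"""Toy model of the Fusion role hierarchy described on this page.

Added illustration, not Oracle code: duty roles carry function privileges,
job roles inherit duty roles, and a data role pairs a job role with a
security profile that scopes WHICH data the job may act on. Privilege
strings, "Worker Promotion Duty", the manager-hierarchy profile and all
worker records are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class Worker:
    person_id: str
    legal_employer: str
    manager_id: Optional[str] = None


@dataclass
class DutyRole:
    """Duty roles grant function privileges and may inherit other duty roles."""
    name: str
    privileges: FrozenSet[str]
    inherits: List["DutyRole"] = field(default_factory=list)

    def all_privileges(self) -> FrozenSet[str]:
        privs = set(self.privileges)
        for duty in self.inherits:
            privs |= duty.all_privileges()
        return frozenset(privs)


@dataclass
class JobRole:
    """Job roles hold no privileges of their own; they inherit duty roles (Step #2)."""
    name: str
    duties: List[DutyRole]

    def all_privileges(self) -> FrozenSet[str]:
        return frozenset().union(*(d.all_privileges() for d in self.duties))


@dataclass
class SecurityProfile:
    """Decides whether `target` lies inside the data set visible to `subject`."""
    name: str
    includes: Callable[[Worker, Worker], bool]


VIEW_ALL = SecurityProfile("View All", lambda subject, target: True)
# Constructed stand-in for the seeded manager-hierarchy scoping mentioned in the text.
MANAGER_HIERARCHY = SecurityProfile(
    "Manager hierarchy (direct reports only)",
    lambda subject, target: target.manager_id == subject.person_id)


def secure_by_legal_employer(employer: str) -> SecurityProfile:
    """Person security profile with 'Secure by Legal employer' ticked (Step #4)."""
    return SecurityProfile(f"Secure by Legal Employer: {employer}",
                           lambda subject, target: target.legal_employer == employer)


@dataclass
class DataRole:
    """WHAT (job role privileges) on WHICH data (security profile)."""
    name: str
    job_role: JobRole
    security_profile: SecurityProfile


def can(subject: Worker, data_roles: List[DataRole], privilege: str, target: Worker) -> bool:
    """WHO can do WHAT on WHICH data: true when some assigned data role grants the
    privilege through its job role AND its security profile includes the target."""
    return any(privilege in role.job_role.all_privileges()
               and role.security_profile.includes(subject, target)
               for role in data_roles)


# --- constructed sample configuration ------------------------------------
WORKER_TERMINATION_DUTY = DutyRole("Worker Termination Duty", frozenset({"TERMINATE_WORKER"}))
WORKER_PROMOTION_DUTY = DutyRole("Worker Promotion Duty", frozenset({"PROMOTE_WORKER"}))  # constructed

AVI_TERMINATE_WORKER = JobRole("Avi Terminate Worker", [WORKER_TERMINATION_DUTY])  # Step #1
LINE_MANAGER = JobRole("Line Manager", [WORKER_TERMINATION_DUTY, WORKER_PROMOTION_DUTY])

# The custom data role built in the Create a Data Role step: job role + legal-employer profile.
AVI_US_ONLY = DataRole("Avi Terminate Worker - Operation US Only",
                       AVI_TERMINATE_WORKER, secure_by_legal_employer("US Legal Employer"))
# What Mr. Security would get from a seeded manager-style role instead (hierarchy-scoped).
LINE_MANAGER_ROLE = DataRole("Line Manager (manager hierarchy)", LINE_MANAGER, MANAGER_HIERARCHY)

MR_SECURITY = Worker("MRSEC", "US Legal Employer")
MANAGER = Worker("MGR1", "US Legal Employer")
US_WORKER = Worker("EMP1", "US Legal Employer", manager_id="MGR1")
UK_WORKER = Worker("EMP2", "UK Legal Employer", manager_id="MGR2")

ASSIGNMENTS = {MR_SECURITY: [AVI_US_ONLY], MANAGER: [LINE_MANAGER_ROLE]}  # Step #6


def access_matrix():
    """Evaluate every subject / privilege / target combination in ASSIGNMENTS."""
    rows = []
    for subject, roles in ASSIGNMENTS.items():
        for privilege in ("TERMINATE_WORKER", "PROMOTE_WORKER"):
            for target in (US_WORKER, UK_WORKER):
                rows.append((subject.person_id, privilege, target.person_id,
                             can(subject, roles, privilege, target)))
    return rows


if __name__ == "__main__":
    for who, what, which, allowed in access_matrix():
        print(f"{who:6} {what:17} {which:5} -> {'allowed' if allowed else 'denied'}")
```

Running it shows why the custom role was needed: with the US-only data role Mr. Security can terminate the US worker but not the UK worker and cannot promote anyone, whereas the manager-style role would let him terminate only his own direct reports, which is exactly the limitation the requirement section describes.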

Additional Resources for Fusion Role Based Security

I hope you will also like to check the following Oracle notes (https://support.oracle.com/):

• Mapping Of Roles, Duties and Privileges in Fusion Applications (Doc ID 1460486.1)
• Mapping Of Duty Roles To Top Level Menu Entries in Fusion Applications (Doc ID illegible in this copy)

Hope this article was of some help to you. You can let me know your thoughts by commenting in the comment section and/or by giving your review. You can also ask any question you have in our forum (http://ask.iavinash.com/).

In Fusion security we will encounter the following Roles:

• Duty Role
• Job Role
• Abstract Role
• Data Role
• Data Access Set

Let us understand the above roles one by one in practical terms.

1. Duty Roles: A Duty Role is also known as an Application Role. Let's say a manager has a duty of creating invoices, approving invoices or creating journals. The duties of creating/approving invoices/journals are called Duty Roles.

2. Job Roles: Job roles are also known as External Roles. These roles are created in Authorization Policy Manager (APM). Examples of these roles are Payable Accounts Manager, Chief Financial Manager, Finance Controller etc. Various duties will be assigned to a Job role; in other words, a Job role must have duty roles. For instance, Payable Accounts Manager will have the duties of creating invoices, approving invoices, running payment batches etc.

3. Abstract Roles: When an employee is hired by a company, by default he should get the role Employee, and in the case of a Contractor he should get the role Contingent Worker. The functions which are assigned to them are known as Abstract Roles.

4. Data Roles: As per business need, if we don't want the UK ledger to be accessed by a user in the US organisation, we take the help of a data role, which needs to be assigned selectively. When we create a ledger or business unit, the system will automatically create a job role with access to that data role. When a job role is attached to a data role, the job role created is confined to that particular ledger or business unit. Once this is done the job role gets access to the data and can perform the required functions related to it.

5. Data Access Set: A data access set is mainly related to ledger data. Let's say within a ledger we have multiple balancing segments. For business reasons we don't want to give access to one company's balancing segment to a user who has access to another company's. In order to do so we have to create a few data access policies. This in turn will create a data role. In other words, when we create a ledger, by default it creates a role which has access to the entire ledger; however, with a data access set we can restrict the access to a particular balancing segment.

Below is the pictorial representation of the various roles discussed above.
