R12 Security Workshop

Labs

June 2017

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal
Labs

1 Review Compensation Analyst role

2 Remove access to Fixed Assets
3 Remove access to Expense Entry from Employee
4 Restrict HR Specialist access to workers in Australia BU
5 Create custom HR Specialist role

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 2
1- Review Compensation Analyst role
Launch security console
Enter "Compensation" in search field
Apply filter so that only job roles are returned
Select "Compensation Analyst" role
Switch to visualizer view
Find the Import privileges that are granted to the role
Find the roles that inherit Compensation Analyst job role
Find the users who are granted Compensation Analyst job role

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 3
1- Review Compensation Analyst role
Switch to Tabular View
Enter "Compensation" in search field
Find the Import privileges that are granted to the role
Find the roles that inherit Compensation Analyst job role
Find the users who are granted Compensation Analyst job role
Export Compensation Analyst role hierarchy to excel
Export Compensation Analyst privilege grants to excel

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 4
2 - Remove access to Fixed Assets
Search for any role
Use Simulate Navigator to find the duty role(s) that grant access to
Fixed Assets Assets
Fixed Assets Asset Inquiry
Find the job role that inherits these duty roles
Your Student.Testxxx is granted this job role
Remove this job role from your user using security console
Verify that your user no longer has this job role using Manage User Account
Log off and log back on to confirm Fixed Assets is no longer accessible

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 5
3 - Remove access to Expense Entry from Employee
Search for Employee abstract role
Use Simulate Navigator to find the duty role that grants access to
About Me - Expenses
Edit ORA_PER_EMPLOYEE_ABSTRACT
Try to remove Expense Entry role
Confirm you cannot, because ORA_PER_EMPLOYEE_ABSTRACT is a predefined role

Copy ORA_PER_EMPLOYEE_ABSTRACT to a custom role

Use Copy Top Role
Remove Expense Entry role in Role Hierarchy trainstop of Role Copy flow

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 6
3 - Remove access to Expense Entry from Employee
Monitor progress of Role Copy process in Admin / Role Copy Status
When role copy has completed, search for your copied Employee role
Confirm it is green and child roles are pink
Use Compare Role to compare your role with
ORA_PER_EMPLOYEE_ABSTRACT
Use Manage Data Role and Security Profiles to assign security profiles to
your custom employee role
Use security console to remove Employee role from your user, and replace
with your custom employee role
Log off and log back on to confirm Expense Entry is no longer accessible
Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 7
4 - Restrict HR Specialist access to workers in Australia BU
Go to Person Management Work Area
Search for people with names beginning Student
You should see the Student users
Find the Student users business unit (Australia BU)
Repeat for people with names beginning Chris
You should see several Chris Fisher rows returned
Find Chris Fishers business unit (OracleFusionCoE)

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 8
4 - Restrict HR Specialist access to workers in Australia BU
Stay in Person Management work area
Search for your Student person
Launch the Manage Areas of Responsibility UI
Create an AOR assignment for your person
Responsibility type = Human resources representative
Business Unit = Australia BU

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 9
4 - Restrict HR Specialist access to workers in Australia BU
Create a new Person security profile:
Secure by AOR
Responsibility Type = Human resources representative
Scope of Responsibility = Business Unit
Preview what your user can see using the simulated person search
Preview sql predicate
Save the security profile
Create a data role on top of Human Resource Specialist job role, using your
person security profile

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 10
4 - Restrict HR Specialist access to workers in Australia BU
Launch security console
Remove the three View All data roles from your user
CoE_HR_Specialist_All
CoE_Payroll_Admin_All
CoE_Comp_Spec_All
Assign your HR Specialist data role to your user
Log off and log back on, go to Person Management Work Area
Confirm you can see Student users (Australia BU)
Confirm you cannot see Chris Fisher users (OracleFusionCoE BU)

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 11
5 - Create custom HR Specialist role
Launch security console
Create a new job role
Function security policies trainstop
Add Manage Person Work Area function security privilege
Skip Data security policies trainstop
Role Hierarchy trainstop
Add Person Management duty role (ORA_PER_PERSON_MANAGEMENT_DUTY)
Create data role on top of your custom HR Spec role - use your person
security profile

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 12
5 - Create custom HR Specialist role
Revoke the Human Resource Specialist data role from your user
Grant the new data role
Log off and log back on to confirm your custom HR Specialist role has
access to just Manage Person

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal 13
Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Confidential Oracle Internal/Restricted/Highly Restricted 14