
Dec
28

Fusion Applications Security Console makes your life easier

Intro

Security is the most complex and important requirement that all customers
consider. It becomes even more important in a cloud environment. In this
post I’d like to share my experience with Fusion Applications security
concepts and a new tool (Security Console) that helps users set up access
to the system more easily.

To tell the truth, I was a little confused when I started to learn Fusion
Applications security concepts and found out that the identity and access
management subsystem is external and separate from the business application.
In almost all of the old ERP applications I have worked with, security was
incorporated in the system core (SAP HCM, Oracle E-Business Suite). But there
were also new web applications that had a dedicated security subsystem.
Those systems, like Taleo and Hyperion, were based on a Service-Oriented
Architecture (SOA). Later I realized that it makes sense and a dedicated
security model is optimal for SOA applications. That’s why the Oracle
development team brought this approach to Fusion Applications. It also
confirms Oracle’s statement that Oracle Fusion Applications combine the best
of the Oracle business applications Oracle currently provides.

Fusion Applications Security Concepts

Fusion Applications Security is designed based on Role-Based Access Control
(RBAC). It is an approach to restricting access to authorized users. Oracle
Fusion Applications uses four types of roles for security management:

Data Roles
Abstract Roles
Job Roles
Duty Roles

A data role is a combination of an employee’s job and the data instances that
users with the role need to access. Data roles aren’t delivered as part of the
Security Reference Implementation but are always locally defined. They are
assigned directly to users.

Abstract roles represent an employee’s role in the enterprise, independently
of the job that the worker is hired to do. Three abstract roles are delivered
with Oracle Fusion HCM. These are the Employee, Line Manager, and
Contingent Worker roles. You can create custom abstract roles. You assign
abstract roles directly to users.

Job roles align with the job that a worker is hired to perform (e.g. Human
Resource Analyst). You can create custom job roles. Typically, you include job
roles in data roles and assign those data roles to users.

Duty roles:

Align with the individual duties that users perform as part of their job.
Grant access to work areas, dashboards, task flows, application pages,
reports, batch programs, and so on.
May carry both function and data security grants.
Are inherited by job and abstract roles, and can also be inherited by
other duty roles.
Are delivered as part of the Security Reference Implementation, and
can be used as building blocks of custom job and abstract roles.
Are not assigned directly to users.
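
The inheritance rules above as a small Python model (an added example, not Oracle code and not part of the original post). The duty role names, the privilege names and the custom and data roles are hypothetical, and the model allows only the inheritance edges this post names.

```python
from dataclasses import dataclass, field

# Inheritance edges the post names: data roles include job roles; job and
# abstract roles inherit duty roles; duty roles may inherit other duty roles.
ALLOWED_CHILDREN = {"data": {"job"}, "job": {"duty"},
                    "abstract": {"duty"}, "duty": {"duty"}}

@dataclass
class Role:
    name: str
    kind: str                                      # data | abstract | job | duty
    children: list = field(default_factory=list)   # inherited roles
    privileges: set = field(default_factory=set)   # grants carried by the role

    def inherit(self, child):
        if child.kind not in ALLOWED_CHILDREN[self.kind]:
            raise ValueError(f"{self.kind} role cannot inherit a {child.kind} role")
        self.children.append(child)
        return self

def effective_privileges(role, seen=None):
    """Flatten the hierarchy under `role` into one privilege set (cycle-safe)."""
    seen = set() if seen is None else seen
    if role.name in seen:
        return set()
    seen.add(role.name)
    privs = set(role.privileges)
    for child in role.children:
        privs |= effective_privileges(child, seen)
    return privs

def assign(user_roles, role):
    """Duty roles are building blocks only; reject direct assignment."""
    if role.kind == "duty":
        raise ValueError(f"duty role {role.name!r} cannot be assigned to a user")
    user_roles.append(role)

def compare(a, b):
    """Privilege-level diff of two roles, e.g. a reference role and its copy."""
    pa, pb = effective_privileges(a), effective_privileges(b)
    return {"only_in_first": pa - pb, "only_in_second": pb - pa}

# Constructed sample data: duty role names and privilege names are hypothetical.
jobs_duty = Role("Job Management Duty", "duty", privileges={"Manage Jobs"})
pos_duty = Role("Position Management Duty", "duty", privileges={"Manage Positions"})
pos_duty.inherit(jobs_duty)
analyst = Role("Human Resource Analyst", "job").inherit(pos_duty)
custom = Role("Custom HR Analyst", "job").inherit(jobs_duty)   # trimmed copy
data_role = Role("HR Analyst - Sample BU", "data").inherit(analyst)
```

Comparing the flattened privilege sets of a reference role and its customized copy is a quick least-privilege check before the copy is assigned to anyone.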

Data Security Policies

Each data security policy combines:

The role to which the data security policy is granted.
A business object that’s being accessed (e.g. HR_ALL_POSITIONS_F
table).
The condition, if any, that controls access to specific instances of the
business object. Conditions are usually specified for resources that you
secure using HCM security profiles. Otherwise, business object
instances can be identified by key values.
A data security privilege that defines permitted actions on the data

Function Security Privileges secure the code resources that make up the
relevant pages, such as the Manage Jobs and Manage Positions pages. Some
user interfaces aren’t subject to data security, so some function security
privileges have no equivalent data security policy.
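
How the four parts of a data security policy combine with function security, as an added Python example (not Oracle code and not part of the original post). The privilege names, the business units and the security-profile condition are constructed; the model assumes default deny, with the function privilege gating the page and data policies filtering the instances.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class DataSecurityPolicy:
    role: str                       # role the policy is granted to
    business_object: str            # e.g. the HR_ALL_POSITIONS_F table
    privilege: str                  # permitted action on the data
    condition: Optional[Callable[[dict], bool]] = None   # None: all instances

def in_profile(business_units):
    """Condition built from a (constructed) security profile: a set of BUs."""
    allowed = frozenset(business_units)
    return lambda row: row.get("business_unit") in allowed

def data_allowed(policies, user_roles, business_object, action, row):
    """Default deny: some policy must match role, object, action and instance."""
    for p in policies:
        if (p.role in user_roles and p.business_object == business_object
                and p.privilege == action
                and (p.condition is None or p.condition(row))):
            return True
    return False

def visible_rows(policies, function_privs, user_roles, page_priv,
                 business_object, action, rows):
    """Function security gates the page; data security filters the instances."""
    if page_priv not in function_privs:
        return []
    return [r for r in rows
            if data_allowed(policies, user_roles, business_object, action, r)]

# Constructed sample data: privilege names and business units are hypothetical.
POLICIES = [
    DataSecurityPolicy("Human Resource Analyst", "HR_ALL_POSITIONS_F",
                       "View Position", in_profile({"BU-East"})),
]
ROWS = [{"position_id": 1, "business_unit": "BU-East"},
        {"position_id": 2, "business_unit": "BU-West"}]

def demo(function_privs, roles, action="View Position"):
    rows = visible_rows(POLICIES, function_privs, roles, "Manage Positions",
                        "HR_ALL_POSITIONS_F", action, ROWS)
    return [r["position_id"] for r in rows]
```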

The following table shows security component terminology comparison with
Oracle E-Business Suite:

Fusion Applications          E-Business Suite
Data Role, Abstract Role     Responsibility
Job Role                     Top-Level Menu
Duty Role                    Submenu
Privilege                    Form Function

Technical Implementation of Functional Roles

The above functional roles are technically implemented as Enterprise and
Application roles. The Abstract, Job and Data roles are called Enterprise roles
and the Duty role is called an Application role.

Fusion Applications implements security using the Oracle Identity
Management (IDM) subsystem. The IDM subsystem consists of an Identity store
and a Policy store. The Enterprise and Application roles are implemented in
the Identity and Policy stores respectively.

Enterprise Roles

Across all Fusion Applications, Abstract, Job and Data roles are mapped to
Enterprise roles. These roles are stored in the Identity Store. They are
managed through OIM and Identity Administration tools. These tools include the
following capabilities with respect to Enterprise role management:

Create Fusion Applications Implementation Users
Provision Roles to Implementation Users
Manage Abstract, Job and Data roles including the job hierarchy

Release 10 Simplified Reference Role Model


In fact, the previous security model (before Release 10) was very complicated.
There were too many duty roles associated with a job role, and it was very
difficult to customize job roles. Although Security Console was released
in Release 9, it was difficult to use with the old security model. Starting with
Release 10, you receive a new, simplified reference role for each predefined
job and abstract role that existed in the previous release. Oracle also strongly
recommends upgrading your Fusion Applications instance to the Simplified
Reference Role Model before migrating to the upcoming Release 11. For details,
please see the following MOS Note: Upgrading Applications Security in
Oracle HCM Cloud Release 10 (Doc ID 2023523.1)

The main benefit of the simplified reference role model is that it has fewer
role levels. It’s a flatter model.
In the following screenshots you can see the Line Manager role before and
after the upgrade:

Before:

After:


After updating job and abstract roles, you should:

1. Update the security profiles connected with the updated roles.
2. Run the process Import User and Role Application Security Data, which
copies the data from LDAP to the Fusion HCM Security Console
tables.

You shouldn’t customize reference roles after the upgrade. Instead, use
Security Console to make a copy of a reference role and then apply the
needed customization to the copy.

Security Console

The Security Console is a single administrative interface, available from the
springboard on the simplified user interface, from where you can:

Create custom job and abstract roles.
Copy and edit job, abstract, and duty roles.
Compare roles of all types to identify differences.
View the roles assigned to a user, and identify users who have a specific
role.
Review role hierarchies.
Review the Navigator menu and work-area task-pane entries for a user
or role.
Manage X.509 and PGP certificates.

Before you start using Security Console within the HCM module, you have to
complete two setup steps:

1. Set the profile options ASE_WORKING_APP_STRIPE = hcm (hcm is the
default, so you can leave it blank) and ASE_ROLE_MGMT_PREF = Yes.
2. Schedule the process Import User and Role Application Security
Data (recommended to run periodically, at least 2 times a day).

I try to stick to the following rules when I create custom Job or Abstract Roles
within Security Console:

1. Find a proper model

2. Make a copy from a Duty Role

3. Customize a copy according to the requirements

4. Create a custom Job or Abstract Role and assign the Duty created in the
previous step

5. Assign a new role to a user

6. Run Retrieve latest LDAP Changes Process

7. Create needed Security Profiles and Assign to a custom role

8. Check a user and make corrections if needed

Hope this helps.

I would like to wish you a Merry Christmas and Happy New Year!!!

And remember:
“If you have an apple and I have an apple and we exchange these
apples then you and I will still each have one apple. But if you have
an idea and I have an idea and we exchange these ideas, then each of
us will have two ideas.” ~ George Bernard Shaw

Kind Regards,

Volodymyr


Advertisements

Google Fi
Seamlessly switch between
multiple 4G LTE networks - Bring
your phone to Google Fi.

REPORT THIS AD

REPORT THIS AD

Share this:

 Twitter  Facebook  Google

Like

Be the first to like this.


Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy
Related
Close and accept
HCM Data Loader Oracle Fusion HCM The Top 10 Most
automation examples Cloud Security Valuable Features of
In "Oracle Fusion Essentials course Fusion HCM Release
Applications" In "Oracle Fusion 10 (IMHO)
Applications" In "Oracle Fusion
Applications"

Posted in Oracle Fusion Applications

Tagged Fusion Applications, Fusion HCM, HCM Cloud, Security, Security Console

4 THOUGHTS ON “FUSION APPLICATIONS SECURITY CONSOLE MAKES YOUR LIFE EASIER”

SridharS
— MARCH 6, 2016 AT 1:23 AM

Wonderful article, thanks a lot for sharing it.


Manish Verma
— MARCH 15, 2017 AT 10:34 AM

Can I do the same with PO or Expense in Rel 11?


Volodymyr Faranosov
— MARCH 15, 2017 AT 10:36 AM

Yes you can


Kuntal
— MAY 1, 2017 AT 12:38 AM

Hi Volodymyr,
I wanted to understand the user identity and role data synchronization
process.
Does this mean that when a user is created in HCM it can be automatically
created in the on-prem identity management system / LDAP directory such as
MS Active Directory? If not, what LDAP server is being referred to in the
documentation? If it is the on-prem LDAP (OID / AD), where is the
configuration done to make sure that a bi-directional synchronization of user
identities and roles can be achieved, which is one of the key requirements for
Single Sign to work?
Cheers,
Kuntal
