A data role is a combination of function security and data security.
In other words, it is a combination of the worker's job and the data instances that a user with this role needs to access.
Function Security: When a user logs in to the instance, function security determines which functions or tasks the user can perform and which user interfaces the user needs access to in order to perform them.
Data Security: Once the user is in a particular user interface, data security determines which legal entity, job, grade, organization and people information the user has access to.
These data roles need to be created and assigned to users; through these data roles, users get access to function security and data security.
There are only 3 abstract roles and those are
We can assign these roles to employees and contingent workers. Abstract roles give access to the self-service pages (employee, line manager, contingent), and users can perform only activities related to self service. In other words, they cannot perform any activity with respect to the business.
For example, if we want an employee to act as payroll administrator and we give him only the Employee abstract role, he will not be able to perform the payroll administrator role until we give him a payroll administrator data role.
In a nutshell, we hire a person to perform certain activities; an abstract role alone will not serve that purpose, and we need to assign the user the required data role to perform those activities.
At a bare minimum, a user must have access to 1 abstract role and 1 data role.
Job Roles, Duty Roles and Aggregate Privileges:
The function security part of a data role is controlled by job roles, aggregate privileges and duty roles.
A job role gives access to specific activities. For example, payroll administrator is a job role.
HR Specialist is also a job role: an HR specialist will be able to perform HR specialist related activities.
The job role determines which activities the user can perform, and this is how the function security part is controlled.
A job role alone is not always sufficient. For example, if we create a person with the HR Specialist job role, that person can hire, transfer, promote and terminate people. This gives the person full access, whereas we may want him only to hire and terminate people and NOT to promote or transfer them. In this case, duty roles and aggregate privileges can help.
In the above scenario, we can give the person access to only the hire and terminate duty roles.
In HCM Cloud, everything performed by a user is a duty. For example: hire, terminate, location change, viewing a pay slip.
In the hierarchy, a data role consists of job roles, and a job role consists of duty roles and aggregate privileges.
An aggregate privilege is also a type of duty role, but there is a slight difference: an aggregate privilege gives access to a single user interface, whereas a duty role gives access to multiple pages.
For example, if a person has access to the person management work area (where person management is a duty role), it gives access to multiple pieces of information, including the employee hiring page, whereas an aggregate privilege gives access directly to the employee hiring page.
A duty role inherits multiple aggregate privileges along with some more duty roles.
Aggregate privileges are fixed and delivered by Oracle; we cannot modify, delete or create them.
We can create custom duty roles and custom abstract roles. Data roles are NOT delivered; we have to create them.
Only abstract roles, job roles, duty roles and aggregate privileges are delivered.
In the above example, Lindsey and David have the same access as Human Resource Specialist, but they have different data access because of their security profiles.
David East can access data related to the Vision Services organization.
Lindsey Allen can access data related to Vision Corporation.
The security profile controls what data access you have.
In the above example, both data roles use the same job role and duty role combinations.
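The hierarchy and the David/Lindsey case above can be modelled in a few lines. This is an added example, not Oracle code or an Oracle API: it is a plain Python model in which the role names, the custom "XX Hire Terminate Job" role and the rule that one data role must supply both the privilege and the organization are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed role graph: job/duty role -> roles and privileges it inherits.
ROLE_GRAPH = {
    "HR Specialist": ["Person Management Duty", "Promote Worker", "Transfer Worker"],
    "Person Management Duty": ["Hire Worker", "Terminate Worker"],
    "XX Hire Terminate Job": ["Hire Worker", "Terminate Worker"],  # custom, narrower
}
# Leaves of the graph: each aggregate privilege opens a single page.
AGGREGATE_PRIVILEGES = {"Hire Worker", "Terminate Worker", "Promote Worker", "Transfer Worker"}

@dataclass(frozen=True)
class DataRole:
    name: str
    job_role: str             # function security
    organizations: frozenset  # data security: what the security profile exposes

def effective_privileges(role, seen=None):
    """Expand a role down to aggregate privileges, tolerating cycles."""
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    if role in AGGREGATE_PRIVILEGES:
        return {role}
    granted = set()
    for child in ROLE_GRAPH.get(role, []):
        granted |= effective_privileges(child, seen)
    return granted

def can_perform(data_roles, privilege, organization):
    """Allow only when one data role supplies both the function and the data."""
    return any(privilege in effective_privileges(r.job_role)
               and organization in r.organizations for r in data_roles)

def excess_privileges(data_role, needed):
    """Privileges the data role grants beyond what the job requires."""
    return effective_privileges(data_role.job_role) - set(needed)

DAVID = [DataRole("HR Specialist - Vision Services", "HR Specialist",
                  frozenset({"Vision Services"}))]
LINDSEY = [DataRole("HR Specialist - Vision Corporation", "HR Specialist",
                    frozenset({"Vision Corporation"}))]
NARROW = [DataRole("XX Hire Terminate - Vision Services", "XX Hire Terminate Job",
                   frozenset({"Vision Services"}))]

if __name__ == "__main__":
    print(can_perform(DAVID, "Hire Worker", "Vision Corporation"))   # False
    print(sorted(excess_privileges(DAVID[0], {"Hire Worker", "Terminate Worker"})))
```

Running `excess_privileges` over each data role against the duties a position actually needs is a quick least-privilege review of a role design before it is assigned.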
This person has access to many roles. Let's see where these roles are listed for the user.
About Me → My Account
Login as another user
Oracle has delivered one security profile for each of the above HCM objects.
These delivered security profiles are “View All” security profiles for that HCM object.
To see a security profile, use the task “Manage Security Profiles”.
The View All security profile is delivered by Oracle.
In practice, a “View All” security profile imposes no restriction.
If we create a data role, say “XX Payroll Data Role”, assign the “View All Payrolls” security profile to it, and then assign this data role to user “A”, then user A can access every payroll in the enterprise, for example “India Payroll”, “US Payroll”, “Weekly”, “Monthly”, “BI-Weekly” payroll, etc.
If the requirement is to assign “India Payroll” to user A and “US Payroll” to user B, then we need to create 2 different security profiles and assign one to each of the data roles assigned to the users.
Creating Security Profiles for Weekly Payroll
Use the “Manage Security Profile” task, select “Manage Payroll Security Profile”, and then click the (+) sign.
Give the security profile a name and select the payroll name.
To View “View All Organization Security Profile”
Use the “Manage Security Profile” task, select “Manage Organization Security Profiles”, and search for the name View.
With this profile, the user will have access to all organizations (department, legal entity, etc.) in the enterprise.
Creating Organization Security Profile
Use the “Manage Security Profiles” task, select “Manage Organization Security Profiles”, and then click the (+) sign.
You can build organization security by organization hierarchy or by organization classification, such as division, department or legal entity.
The user of the data role should not have access to the “Organizational Development US” and “Human Resources US” departments.
Making Changes to already in-use security profile
Additional requirements or changes in requirements can be met by using the security profile edit functionality.
Any changes to a security profile or data role are available to the user upon the next logoff and login.
In Fusion Cloud, we do not need to run any specific refresh process or job for the changes to take effect.
Manage Person Security Profile Task
Select “Manage Person Security Profile”, then click the (+) sign to create a person security profile.
Here we do not need to select a country name; we can select the country name when we actually assign the security profile to the data group and the data group to the user.
How to create Data Role
Search for the “Assign Security Profile to Role” task.
Select (+) to create a data role.
Give the “Data Role” name and the “Job Role” name, then click Next.
Select the appropriate security profile.
Additional Capability: Creating Security Profile on Data Role creation page
Create Data Role – Continue
Click Submit. This submits a few backend processes and then creates the data role.