Oracle Cloud HCM Security Overview

Oracle Cloud HCM Security Overview

Data Roles:

  1. Data role is combination of Function Security and Data Security.
  2. In other words it is combination of workers job and the data instances that user with this role need to access.
  3. Function Security: When user login to instance what function or task user can perform and to perform those activities what user interfaces he need access to.
  4. Data Security: Once user gets into particular user interface then data security determines what legal entity, job, grades, organizations and people information user has access to.
  5. These Data Roles needs to be created and assigned to user, through these Data Roles user get access to Function Security and Data Security.

Abstract Roles:

  1. There are only 3 abstract roles and those are
  1. Employee
  2. Line Manager
  3. Contingent Worker
  1. We can assign these roles to employee and contingent worker and abstract roles giver access to self service pages (employee, line manager, Contingent) and they can perform only activities related to self service. In other words they can perform any activity with respect to business.  
  2. For example if we want employee to perform payroll administrator and if we only give him Employee  abstract role then he will not be able to perform payroll administrator role until we give him payroll administrator data role.
  3. In nutshell we hire a person to perform certain activities and alone Abstract role will not meet any purpose and we need to assigned user a required Data Role to perform those activities.
  4. Bare minimum user must have access to 1 Abstract Role and 1 Data Role.


Job Roles, Duty Roles and Aggregate Privileges:

  1. Functional Security part of Data Role is controlled by Job Role, Aggregate Privileges and Duty Roles.
  2. Job role will give access to specific activities. For example payroll administrator is a Job Role.  
  3. For example HR Specialist is a job role, being HR specialist he will be able to perform HR specialist related activities.
  4. Job role will give what activities will be perform by user thereby the functional security part is controlled.
  5. Alone Job role will not be sufficient for example if we created a person with HR specialist job role, a HR specialist can hire people, transfer people, can promote people, can terminate people so as it gives full access to person where as we only want to give him access to hire and terminate people and should NOT promote or transfer people. In this case Duty role and Aggregate

Privilege can help.  

  1. In above scenario we can give a person access only hire and terminate duty role.
  2. In HCM cloud everything performed by user is a duty. For example hire, terminate, location change, viewing a pay slip.
  3. In hierarchy Data role consists of Job roles and Job role consists of duty roles and aggregate privileges.
  4. Aggregate privilege is also a type of Duty role but there is slight difference. Aggregate privilege gives access to single user interface where as Duty role give access to multiple pages.
  5. For example if person have access to person management work area (where person management is Duty role) it gives access to multiple information including employee hiring page whereas Aggregate privilege gives access directly to employee hiring page.
  6. Duty role inherits multiple aggregate privileges along with some more Duty roles.
  1. Aggregate privileges are fixed by Oracle or delivered by Oracle we cannot modify or delete or create them.
  2. We can create custom duty roles, custom abstract roles and Data roles are NOT delivered and we have to create Data roles.
  3. Data roles are not delivered, only abstract roles, job roles, duty roles and aggregate privileges are delivered.

Security Profile:

  1. In above example Lindsey and David have same access as Human Resource Specialist but both are having different data access because of security profile.
  2. David East can access data related to Vision Services organization.
  3. Lindsey Allen can access data related to Vision Corporation.
  4. Security Profile can control what data access you have.  
  5. In above example both Data roles use same Job roles and Duty role combinations.


This person has access to so many roles, let’s see where these roles are listed for the user.

About Me→ My Account

Current Roles

Login as another user

  1. Oracle has delivered one – one security profile for each of above HCM object.
  2. These delivered security profiles are “View All” security profiles for that HCM object.

To See Security Profile you may use task “Manage Security Profiles”

  1. View All security profile is delivered by Oracle

  1. Practically there is no restriction to “View All” security profile
  2. If we are creating a data role let’s say “XX Payroll Data Role” and assign “View All Payrolls” security profile to this data role and then assign this data role to user “A” then user A can access all payroll in the enterprise for example “India Payroll”, “US Payroll”, “Weekly”, “Monthly”, “BI-Weekly” payroll etc.
  3. If requirement is to assign “India Payroll” to user A and “US Payroll to user B then we need to create 2 different security profiles and assign to each data roles assigned to users.

Creating Security Profiles for Weekly Payroll

  1. Use “Manage Security Profile” task then select “Manage Payroll Security Profile” and then click on (+) sign

  1. Give Security Profile Name and select payroll name.

To View “View All Organization Security Profile”

  1. Use “Manage Security Profile” task then select “Manage Organization Security Profiles” and search name as View

  1. With this profile option user will have access to all organizations (department, legal entity etc) in the enterprise.

Creating Organization Security Profile

  1. Use “Manage Security Profiles” task and select “Manage Organization Security Profiles” and then select (+) sign

  1. You can build organization security by organization hierarchy or using Organization Classification like Division, department or legal entity.


User of Data Role should not have access to “Organizational Development US” and “Human Resources US” Department.

Making Changes to already in-use security profile

  1. Using security profile edit functionality any additional requirements or any change in requirement can be met.
  2. Any changes to security profile or data role are available to the user upon next logoff and login.
  3. In Fusion cloud we do not need to run any specific refresh process or job to reflect the changes.

Manage Person Security Profile Task

  1. Select “Manage Person Security Profile” then click (+) sign to create person security profile.

  1. Here we do not need to select Country name, we can select country name when we actually assign the security profile to data group and data group to user.  

How to create Data Role

  1. Query “Assign Security Profile to Role” task

  1. Select (+) to create data role

  1. Give “Data Role” name and “Job Role” name then click on Next

  1. Select appropriate security profile

Additional Capability: Creating Security Profile on Data Role creation page

Create Data Role – Continue

  1. Click on Submit then it submits few backend processes and then creates a Data Role.
  1. Data Roles will be successfully created

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s