Fusion HCM Generic


1. Role Types
2. Security Profile
3. Creation of Data Role and assign Security profile to Data Role
4. Role Provisioning
5. Creation of Employee user to test custom Data role
6. Creation of Implementation user
7. Creation of Implementation project

1. Role Types

Data Role Abstract Role Job Role Duty Role Aggregate Privileges

Data role = Function security + Data security

Function security: Access to UI and tasks/ activities which a user can perform. Ex: Accessing hiring page

Data security: Data which user can access to perform the activity. Ex: Accessing data in hiring page like specific LE’s, Locations, Grades..means this user can hire in India, not in U.K, can hire consultants not Managers

We have 3 standard abstract roles:

i) Employee – Able to access self-service page

ii) Line Manager – Able to access his sub-ordinates info as well

iii) Contingent worker

Function security is controlled by Job role. Gives access to specific UI & activities. Ex: Hiring a person who has HR Specialist activity. Here HR specialist is Job role and he will be able to perform all HR related activities like Hire, Terminate, Transfer, Promotion.

Job roles can be copied and customized.

HR specialist job role can restrict few activities like a person can only hire and terminate bit cannot transfer or promote. Can access hire/ terminate page.

Any activity performed by user in Fusion is duty. Like hiring, terminating, promotion, transfer, address change, viewing pay slip…

Similar to Duty role but the difference is this directly gives access to single page and duty roles gives access to multiple pages. Ex: Directly going to hiring page.

We cannot edit, delete or create Aggregate privileges.

Similar to Responsibility in EBS   Similar to Menu in EBS Similar to Sub-Menus & Functions in EBS Similar to Sub-Menus & Functions in EBS
­­   ↓
Data Role – Security Profile
­   ↓
Job Role
­   |→Duty Role
­   |→Aggregate Privileges
User (ABC)
­­   ↓
Data Role (HR Specialist Vision Operations) – Security Profile(Vision Operations. Here ABC user can access only Vision Operations data)
­   ↓
Job Role (HR Specialist)
­   |→Duty Role (Person Management) 
­   |→Aggregate Privileges (Absence Management)

2. Security Profile
• A security profile identifies a set of data of a single entity (person or organization).
• Security profile can be assigned to data role and abstract role.
• Security profile concept exists only in HCM module not in other module (Financials..)

You can create security profiles for the following HCM object types:
• Person
­   · Managed person – Person whom we are going to manage
­   · Public person – Employee directory: We can search other employee details (view only)
• Organization
• Position
• Legislative data group (LDG)
• Country
• Document type
• Payroll
• Payroll flow

Predefined HCM Security Profiles

Security Profile Name Security Profile Type Data Instance Set
View All People Person All person records in the enterprise
View Own Record Person The signed-in user’s own person record and the person records of that user’s contacts
View Manager Hierarchy Person The signed-in user’s line manager hierarchy
View All Workers Person The person records of all people with currently active or suspended assignments in the enterprise
View All Organizations Organization All organizations in the enterprise
View All Positions Position All positions in the enterprise
View All Legislative Data Groups LDG All LDGs in the enterprise
View All Countries Country All countries in the FND_TERRITORIES table
View All Document Types Document Type All custom document types in the enterprise
View All Payrolls Payroll All payrolls in the enterprise
View All Flows Payroll Flow All payroll flows in the enterprise

Creation of Security profile
a) In FSM page search for task ‘Manage%Security%Profile’
Select ‘Manage Payroll Security Profile’ >> Create

Save and Close >> Done

b) Select ‘Manage Organization Security Profile’ >> Create
Since the classification is Department, user can access all departments except two since we have excluded from organization list.
Select the Include future organizations option in case users want to access future-dated organizations.

Save and Close >> Done

c) Select ‘Manage Person Security Profile’ >> Create
In case you select ‘Secure by Global Name Range’,  user will be able to access employee data whose last name starting letter will be in that range. Here we selected Country as scope of responsibility.

Save and Close >> Done

3. Creation of Data Role and assign Security profile to Data Role
In FSM page, search for task ‘Assign Security Profiles to Role’ >> Create >> Data Role: Tata HR Specialist Data Role; Job Role: Human Resource Specialist (Select code which starts with PER_); Role Description: Tata HR Specialist Data Role >> Next >> Above we have created Payroll, Organization & Person Security profile so select them.

Oracle® Human Capital Management Cloud Security Reference – In this pdf document we get list of all duty roles and aggregate privileges assigned to Job role

Click on Review >> Submit >> Search for your role and ensure the status is Completed.

4. Role Provisioning
Assigning roles (Data or Abstract) to user is known as ‘Role Provisioning’. Data role, Abstract role and in some exceptions we can assign Job role (Ex: Application Implementation Consultant (Access to FSM page), IT Security Manager (Security related activities)) as well directly to user but Duty role and Aggregate privileges can never be assigned directly to user.

We can initiate the provisioning and revoking of roles within following flows:
i) Hire an Employee
ii) Promote Worker
iii) Transfer Worker

Role provisioning is controlled by role-provisioning rules, also known as role mappings. We have three role-provisioning rules:
i) Autoprovision – Automatically assign roles to user based on few setups. Ex: When an employee gets hired or gets promoted or transferred, roles will be assigned automatically to user.
ii) Requestable – You may authorize/ designate few people to assign roles to other users who request to access that role.
iii) Self-Requestable – Assigning role oneself.

Creation of Role provisioning
Login to cloud application >> Click on user name >> Setup and Maintenance (FSM Page) >> Tasks >> Search >> Search for task ‘Manage Role Provisioning Rules’ >> Create

Here we can include conditions as well. If Legal Employer is Tata Legal Entity, Business Unit is Tata Business Unit, Department is Sales & so on, then Autoprovision this role to user. In above case, all new users will be assigned ‘Tata HR Specialist Data Role’ since its autoprovisioned. In real time this should not be case since we do not want to assign this role to all users. So select Requestable (Line Managers will approve request) and Save and Close.

5. Creation of Employee user to test custom Data role
In FSM page search for task ‘Manage Users’ >> Create

Click on Autoprovision Roles >> Expand Role Requests >> Create >> Search ‘Tata HR Specialist Data Role’ your role >> Ok >> Save and Close

In ‘Manage Person Security Profile’ we have selected the responsibility type as ‘Human Resources Representative’ and the scope of responsibility as Country. Now we will assign Country to our User(SRIKANTH.ROLE)
Navigation: My Workforce or My Client Groups >> Person Management >> Search your employee user name >> Open >> Tasks >> Manage Areas of Responsibility >> Create

SRIKANTH.ROLE is HR representative in UK. Click on Submit.

Now create password for SRIKANTH.ROLE and verify data role assigned to this user.

Tools >> Security Console >> Users >> Search for your user >> Here we can see two roles have been assigned to user >> Click on Reset Password >> Select ‘Manually change the password’ >> Enter new password >> Reset Password.

Sign out from existing user and login with new user (SRIKANTH.ROLE)
Go to My Workforce or My Client Groups >> Person Management.
In Manage Organization Security Profile, we have excluded two departments (Organizational Development UK and Human Resources UK). So we should not see in list.
Click on Advanced >> In Department search with above two departments. We should not see these values.

6. Creation of Implementation user
In FSM page, tasks, search for task ‘Create Implementation Users’ or Tools >> Security Console >> Users >> Add User Account

Save and Close

7. Creation of Implementation project
Go to ‘Cloud General Ledger’ page and search for ‘Create Implementation Project by selecting Offerings/ Options’ – Tata Implementation Project

Add Compensation Management, Workforce Deployment and Workforce Development offerings to Tata Implementation Project