Tuesday, 22 May 2018

Fusion HCM Roles

A role is some kind of privilege that you can assign to the user allowing them to perform certain type actions in the application.

Role-Based Access Control

Role-based security in Oracle Fusion Applications controls who can do what on which data.

Role Types: 

Oracle Human Capital Management Cloud (Oracle HCM Cloud) defines five types of roles:

Data roles

Abstract roles

Job roles

Aggregate privileges

Duty roles

Data Roles
Data roles combine a worker's job and the data that users with the job must access. For example, the HCM data role Country Human Resource Specialist combines a job (human resource specialist) with a data scope (country). You define the data scope of a data role in one or more HCM security profiles. HCM data roles aren't part of the security reference implementation. You define all HCM data roles locally and assign them directly to users.

Abstract Roles

Abstract roles represent a worker's role in the enterprise independently of the job that you hire the worker to do. Three abstract roles are predefined in Oracle HCM Cloud:


Contingent Worker

Line Manager

You can also create abstract roles. All workers are likely to have at least one abstract role. Their abstract roles enable users to access standard functions, such as managing their own information and searching the worker directory. You assign abstract roles directly to users.

Job Roles
Job roles represent the job that you hire a worker to perform. Human Resource Analyst and Payroll Manager are examples of predefined job roles. You can also create job roles. Typically, you include job roles in data roles and assign those data roles to users. The IT Security Manager and Application Implementation Consultant predefined job roles are exceptions to this general rule because they're not considered HCM job roles. Also, you don't define their data scope in HCM security profiles.

Aggregate Privileges

Aggregate privileges combine the functional privilege for an individual task or duty with the relevant data security policies. The functional privileges that aggregate privileges provide may grant access to task flows, application pages, work areas, reports, batch programs, and so on. Job and abstract roles inherit aggregate privileges directly. Aggregate privileges don't inherit other roles. All aggregate privileges are predefined and you can't edit them. Although you can't create aggregate privileges, you can include the predefined aggregate privileges in custom job and abstract roles. You don't assign aggregate privileges directly to users.

Duty Roles
Each predefined duty role represents a logical grouping of privileges that you may want to copy and edit. Duty roles differ from aggregate privileges as follows:

They include multiple function security privileges.

They can inherit aggregate privileges and other duty roles.

You can create duty roles.

Job and abstract roles may inherit duty roles either directly or indirectly. You can include predefined and custom duty roles in custom job and abstract roles. You don't assign duty roles directly to users.

Written By: Duggireddy Narendra