Oracle Fusion Roles
In this article we will learn how to customize a seeded Fusion HCM role and amend it to meet your business requirement. Along the way we will also cover the basic concepts of Oracle Fusion role-based security. I’m sure you have gone through my previous article, Oracle Fusion Role Based Security Demystified, which gives you a basic idea of Fusion role-based security. In that article we created a custom role from scratch, but in this article we will use the new features available from Release 12 and directly copy a seeded abstract role and customize it to meet our requirement.
Learn with Example – Fusion Role
As we do in every article, we will learn with an example. Assume that you have a business requirement where you do not want to allow your employees to update their own photo. Only an HR Specialist should be able to update an employee’s photo, probably at the time of joining.
If you are not aware, through the seeded abstract role “Employee”, employees can change their own photo. However, as per the business requirement this should not happen.
To accomplish this, ideally we would create a new custom role that does not include the option to manage the photo. But there is an easier way: copy the seeded role and remove only the functionality that allows updating the photo. That will save a lot of time.
In the screen below you see two images (before and after). In the first image the employee can click on the photo to change it, and the “Update Photo” option is available; in the second image the “Update Photo” option is not available.
To accomplish this, follow the steps below.
Step 1 : Login as IT Security Manager and copy the abstract role
Navigation : Tools » Security Console » Search for the abstract role “Employee”
To make a copy of the role you need to be on the Security Console page. Make sure you have the Application Implementation Consultant and IT Security Manager roles for this. Once you are on that page, search for the seeded abstract role “Employee” as shown in the image below.
Under the search result click on the “Action” button available under the role name and click on “Copy Role” and then select “Copy top role and inherit roles”, as shown in the image below.
Now you are on a copy role page. On this page change the role name to “Avi Employee” and role code to “AVI_PER_EMPLOYEE_ABSTRACT”, as shown in the image below.
After that, click on Next repeatedly until you reach the last train stop, “Summary and Impact Report”.
Now click on Submit. You will receive a confirmation that the process has been submitted.
Clicking the Submit button starts a background process that makes the copy. To see whether the process has completed, click on the “Administration” tab and then click on “Role Copy Status”, as shown in the image below.
Step 2 : Edit the copied role to exclude manage photo access
Navigation : Tools » Security Console » Search for the copied role “Avi Employee”
At this point we have copied a seeded role and created the custom role, but this role still has access to manage the photo. Our next step is to find that access and remove it from our copied role, “Avi Employee”. To do that, search for our custom role “Avi Employee”, click on it, then click on the “Action” tab and click on “Edit Role”.
Once again we have to follow the same train stops we went through earlier. We could have removed the unwanted roles during the copy itself, but the suggested approach is to first create the copy and then remove or add roles.
Click on Next repeatedly until you reach the “Data Security Policies” train stop.
On this screen, search for the privilege “Manage Person Image” and then, under the column “Condition”, click on “Actions”. You will see the option “Remove Data Security Policy”. Click on that; you will get a confirmation, click on that too.
Repeat the step for all occurrences of “Manage Person Image”.
Once you have deleted all “Manage Person Image” privileges, click on Next and you will be at the “Role Hierarchy” train stop. On this screen, search for the role “Manage Person Image” and delete it.
Click on Next repeatedly until you reach “Summary and Impact Report”, then click on the Submit button.
Step 3 : Attach security profile with fusion custom role
Navigation : Setup and Maintenance » Search for task “Manage Data role and security profiles” » Search for role “Avi Employee”
Now we attach security profiles to our custom abstract role. The process is simple. We will assign only the seeded security profiles. If you want to learn more about security profiles, you can go through the previous article Oracle Fusion Role Based Security Demystified.
To attach the security profiles, search for our custom role “Avi Employee” and in the search result section click on the “Edit” icon.
Now you will be on the “Edit Data Role: Role Details” page. Click on Next to move to the “Security Criteria” train stop.
On this page, assign the default security profiles, as follows:
- Position security profile : View all positions
- Person security profile : View All People
- Country Security Profile : View all countries.
- Document Type security profile : View all document types
- LDG security profile : View all legislative data groups.
- Person Security profile : View own record
After that click on Next and then Review and then Submit.
Step 4 : Attach the custom role to employee.
Navigation : Setup and Maintenance » Security Console » Search for user account and attach role
Now our custom role is ready to be assigned to employees. To assign the role to an employee, navigate to the Security Console page and search for the employee. Click on the Edit button, then click on “Add Role”, attach the role “Avi Employee” and save the changes.
Step 5 : Verify the custom role “Avi Employee”
Navigation : Login » About Me » Skills and Qualifications » Click on More icon » Update Photo
We have created the custom role and attached it to a user; now it’s time to check whether the role works as per the business requirement. There are several places where an employee can change their photo. We will follow the quickest way, which is About Me » Skills and Qualifications » Click on More icon (i)
As you can see in the image below, there is no option for the employee to change the photo. That means our custom role is working as expected.
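A complementary check to the UI test above, added here as an example and not part of the original article or any Oracle tooling: it models roles, inherited roles and privileges as plain dictionaries and reports which users still reach “Manage Person Image”, and through which role chain. Only the names “Employee”, “Avi Employee” and “Manage Person Image” come from this article; the users, the other role and privilege names, and the data layout are constructed, and the model assumes that a user’s access is the union of all assigned roles, so anyone who keeps the seeded role next to the copy is flagged.

```python
# Added example: an offline model of role inheritance, not an Oracle API.
# All data below is constructed for illustration.

TARGET = "Manage Person Image"

# Role -> privileges granted directly by that role (constructed).
ROLE_PRIVILEGES = {
    "Employee": {"View Own Profile"},              # hypothetical privilege
    "Avi Employee": {"View Own Profile"},
    "Manage Person Image": {"Manage Person Image"},
    "Hypothetical Duty": {"View Own Payslip"},     # hypothetical role/privilege
}

# Role -> roles it inherits (the "Role Hierarchy" train stop), constructed.
ROLE_HIERARCHY = {
    "Employee": ["Manage Person Image", "Hypothetical Duty"],
    "Avi Employee": ["Hypothetical Duty"],         # inherited role removed in step 2
}

# User -> roles assigned in step 4 (constructed users).
USER_ROLES = {
    "alice": ["Avi Employee"],                     # migrated cleanly
    "bob": ["Employee", "Avi Employee"],           # seeded role never removed
    "carol": ["Employee"],                         # not migrated yet
}


def paths_to_privilege(role, privilege, path=()):
    """Return every role chain starting at `role` that grants `privilege`."""
    if role in path:                               # guard against cyclic hierarchies
        return []
    path = path + (role,)
    found = []
    if privilege in ROLE_PRIVILEGES.get(role, set()):
        found.append(path)
    for child in ROLE_HIERARCHY.get(role, []):
        found.extend(paths_to_privilege(child, privilege, path))
    return found


def users_with_privilege(privilege):
    """Map each user who still holds `privilege` to the chains that grant it."""
    report = {}
    for user, roles in USER_ROLES.items():
        paths = [p for r in roles for p in paths_to_privilege(r, privilege)]
        if paths:
            report[user] = paths
    return report


if __name__ == "__main__":
    for user, paths in users_with_privilege(TARGET).items():
        for p in paths:
            print(f"{user}: {' -> '.join(p)}")
```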
Additional Useful information and resources
If for any reason you cannot remove the data security privilege as described in step 2, navigate to the Security Console and edit the “Enable edit of data security policies” option, as shown in the image below.
I hope you have enjoyed this article and learned something new. If you have any questions, you can ask in the forum.