Becoming a Fusion HCM Security Specialist
Next up in the ‘hit list’ of topics on the way to specialisation is the Security Specialist. Fusion Security was designed with Role Based Access Control (RBAC) at its heart, allowing separation of duties for Sarbanes Oxley compliance easier to achieve, so that should make it easier to pick up, given my history of PeopleSoft. Let’s dive in …
There are a number of different role types in Fusion. My first impression is that it’s conceptually similar to PeopleSoft in a number of ways, with different terminology and a bit more flexibility (in that you can group roles within other roles). I believe it’s really quite different from EBS and responsibilities however.
These are roles such as Employee, Line Manager or Contingent Worker. Access is applied to an Abstract Role by adding Duty Roles. They are assigned directly to the user and are mostly independent of the job that the user performs. The ones that you’ll typically need are delivered, however you can create custom Abstract Roles.
Next you have Data Roles. These give you access to pages and govern the data that you can view once you have entered a page. The page access is applied by adding Job Roles (defined below) to the Data Role, and data access is applied to a Data Role by adding Security Profiles (defined below). Again, these are assigned directly to a user account.
These are somewhat analogous to Permission Lists in PeopleSoft, in that they are the building blocks with govern at a fairly low level the permissions required to perform a specific duty (eg. hire an employee). A duty role can contain a data role (which would then grant access to data within the functional pages that it has allowed access to). These are not assigned directly to a user account. Duty Roles can contain other Duty Roles.
Job Roles are ‘higher up’ containers for Duty Roles (eg. Payroll Administrator). These are not assigned directly to a user. Many of the ones that you’ll typically need are delivered, however you can create custom Job Roles.
Security profiles are analogous to data security in the PeopleSoft world. There are 8 types of Security Profile (Person, Organisation, Position, Country, Legislative Data Group, Document Type, Payroll and Payroll Flow) and a host of predelivered Security Profiles. These cannot be deleted or amended, but new Security Profiles can be created.
If you have a Job Role that needs to be given to just one person or group you can apply the Security Profile to the Job Role. If the Job Role needs to be assigned to more than one person or group (and each needs to see different data) then you need to create Data Roles (these Data Roles will have the same Job Role, but different Security Profiles – so they can accomplish the same tasks but on different sets of data).
As in PeopleSoft with Dynamic Roles, within Fusion there is functionality to automatically assign and remove roles against users based upon certain criteria (eg. job, position, grade, location). This can apply to assignment of data, job or abstract roles. Typically this would be triggered during hire/leaver/promotion processes, however it can also be run manually.
Roles can be attained via the automated process, or can be requested (either by a user’s manager) or even self-requested.
Where are the Roles Stored?
The final question is ‘where is the data behind these security objects stored in Fusion?’
Oracle Identity Manager (OIM) maintains user accounts in the Fusion Applications Identity Store.
Duty Roles are created in Authorisation Policy Manager (APM) and stored in the Policy Store.