Fusion Security Features – 1 good, 1 bad

Posted on Updated on

In the last week I’ve discovered two features of HCM Cloud security that I’d not encountered before – one is a bit of a pain, at least until you know how to work around it, and the other could be pretty useful but it’s tucked away in a counter-intuitive place.

Here’s the detail:

The Bad – Expression Language not Resolving User Roles

We encountered a situation where the visibility of a springboard tile was being controlled by a piece of Expression Language, however it wasn’t working like it should – the user had the role required but the tile was not displayed.

The EL was something like this:

and we’d performed the following checks:

  • Double checked I’ve assigned the role to the user
  • Made sure we’d used the Job role in the EL
  • Run the security jobs (Retrieve LDAP, Import User and Data, Send LDAP)
  • Regenerated the data role
  • Logged out and cleared the browser cache

however the tile was still not displaying.

After a bit of research I was grateful to find this post on Cloud Customer Connect by Ashish Harbhajanka. It explains that if the pillar portion of the URL displays a different value to the type of Job Role you’ve defined, it may fail to resolve it. This is what was happening in our situation, the URL contained ‘fscmUI’ e.g.

https:/[POD URL]

however our role was an HCM Job role, and thus the EL was failing to resolve it correctly.

The solution – which is also documented in DocID 2444823.1 on MOS – is to amend the URL or to add a Common Duty Role.

The Good – Simulate User

Most people know with the ‘Security Console – Roles tab’ you can simulate the Navigator based on the permissions granted by an individual role. This isn’t particularly helpful if a user has many roles however – how do you find out which roles are granting access to a tile that you’re trying to hide? You’d have to go through each role in turn.

Within the ‘Security Console – Users tab’ you can call up all the roles a user has, but you’re not able simulate the Navigator so that doesn’t help either.

The trick is to go back in to the Roles tab and search for a User – which is completely counter-intuitive – but if you change the default selections of the checkboxes the search works. Then you can simulate the entire navigator for a user across all roles.

Here’s a 30 second walkthrough: