
Security Rules

Security Overview
Defining which records and information users can access is fundamental to HRMS security. As part of your implementation plan, you identify who will use Oracle HRMS, what information they require, and how they use it. You can control a user's access to database elements such as records, fields, forms, and functions, and you can also control a user's access to other user records and data. All Oracle Applications users access the system through a responsibility that is linked to a security group and a security profile. The responsibility is the primary means of defining security. The security group determines which business group the user can access. The security profile determines which records (related to organizations, positions and payrolls) the user can access within the business group. For example, you can restrict a manager's security permissions so that the manager can only access the person records for those employees and workers within a supervisor hierarchy. This restriction enables secure, reliable data access and ensures that only people with the correct permissions can access personal data. Within a business group you can control:

Who the user can access, using security profiles. You can restrict access by:
o organization hierarchy
o position hierarchy
o supervisor hierarchy
o payroll
o supervisor assignment

You can also restrict access to specific person types, for example, employees, applicants, contingent workers, and, if you are using iRecruitment, candidates. You can also create your own custom restrictions and combine them with the standard restrictions.

Security Models
Oracle HRMS provides two different security models which enable you to set up security specifically for your enterprise: Standard HRMS security and Security Groups Enabled security (formerly called Cross Business Group Responsibility Security).

Note: If you want to set up security for employees who can access the database, but do not change database information.

A further option exists which enables users to simultaneously view selected fields from all business groups in your organization regardless of the security model.

Standard Security Model


Standard HRMS security restricts access to your enterprise's records and data. To set up Standard HRMS Security, you first create responsibilities and then define the windows, menu items, workflows, data and records the user can access. The System Administrator then assigns users to as many of these responsibilities as are required to complete their business tasks. If you are using Standard HRMS Security, you must ensure that the Enable Multiple Security Groups profile option is set to the default value No. You must then create a security profile for each distinct security grouping of employees your enterprise requires. You then create a responsibility for each user type you require, for example HR Manager, Branch Manager and Salesperson, and link the security profile and responsibility to a business group. These three elements create a security grouping to which you assign employees.

Defining a Security Profile


You can define security profiles in the Security Profile window (to give access to a single business group) or the Global Security Profile window (to allow users to access records from more than one business group).

To define a security profile

1. Enter a name for the security profile.

2. If you are using the Security Profile window, select a business group. Users will have access only to records within this business group. This does not need to be the business group associated with your responsibility. If you are using the Global Security Profile window, users will have security access to records from all business groups, subject to other restrictions you set up.

3. If you want reporting users to be able to use this security profile, select the Reporting User name for the ID set up by the database administrator (this option is not available when setting up Global Security).

Applying Restrictions by Person Type


4. You can choose to apply the security restrictions you set up to employees, applicants, contingent workers, contacts, candidates or any combination of these.

Note: You can only restrict access to candidates if you have iRecruitment installed. If you do not have iRecruitment, the application uses the default setting of All for the View Candidates box.

For example:
o If you want the security restrictions to apply to employees, select Restricted from the View Employees box.
o To ignore the security restrictions for employees and allow access to all employees, select All from the View Employees box.
o To prevent access to any employee records, even if the other security restrictions allow access, select None from the View Employees box.

You can set the View Applicants, View Contingent Workers, and, if you have iRecruitment, View Candidates, options independently, giving different security access to employees, applicants, contingent workers, and candidates using the same security profile. For contacts, or other people of person type Other, you can choose one of two options:
o All: Access is unrestricted, so that all people of type Other are visible to the security profile.
o Restricted: The profile restricts access to contacts to those people who are related to employees, applicants, or contingent workers who are visible within the security profile. If you can see the record of an employee, applicant, or contingent worker, you can also see the records of people of type Other specified as related to them (using the Contact Relationship field). All people of type Other who are unrelated to any employee, applicant, or contingent worker are also visible to the security profile.

Restricting Access by Individual Assignment


Select the Restrict on Individual Assignments option to build security hierarchies based on a person's individual assignments. Oracle HRMS builds the security hierarchy and assesses each individual assignment. The hierarchies generated by the security process will then only contain the particular assignments to which the manager has access. If you do not select this option, a manager who can see one assignment for a person can see all other assignments.

Restricting Access by Organization


In the Organization Security tabbed region:

o To restrict by organization list, select the Secure organizations by organization hierarchy and/or organization list option in the Security Type poplist. Select the organizations in the Organization Name field, and choose the Include option button.
o To restrict by organization hierarchy, select the Secure organizations by organization hierarchy and/or organization list option. Select an organization hierarchy, and a top organization. Select the Include Top Organization option if you want to allow access to this organization. If you are using user-based security, you can choose to use the organization linked to a person's assignment as the top organization by selecting the corresponding option. The security process identifies the organization linked to the user's assignment when the user logs on (or when the Security List Maintenance process is run). If required, you can add organizations not in the hierarchy to the list, by selecting the organizations in the Organization Name field and choosing the Include option button. You can also remove specific organizations from the selected hierarchy by selecting an organization in the Organization Name field and choosing the Exclude option button.

Restricting Access by Custom Security


In the Custom Security tabbed region, select the custom restriction option. The options are as follows:

o No custom security
o Restrict the people visible to this profile: The Security List Maintenance process is the basis for this type of custom security. The security data is held in a static list.
o Restrict the people visible to each user using this profile: Oracle HRMS assesses the custom security when the user signs on. In addition, the custom security code can include references to user specific variables, for example, fnd_profile.value() and fnd_global.employee_id.

Enter a valid SQL WHERE clause fragment to select a group of records. For example, to add a restriction that assignments must be based in either London or Paris, add the following SQL fragment:
    ASSIGNMENT.location_id in
      (select LOC.location_id
         from hr_locations_all LOC
        where LOC.location_code in ('London','Paris'))

Alternatively, you could create custom code that uses user-specific variables. In the following example, the custom code creates a rule whereby a user can display employees or contingent workers whose last name begins with the same letter as their own. The security profile is called "Same first letter of last name".

    substr(person.last_name,1,1) =
      (select substr(i.last_name,1,1)
         from per_all_people_f i
        where i.person_id = fnd_global.employee_id
          and trunc(sysdate) between i.effective_start_date and i.effective_end_date)

Note: In addition, the View Employees or View Contingent Workers option is set to Restricted, and the "Restrict the people visible to each user using this profile" option is set on the Custom Security tab.

If the clause is valid, it is automatically incorporated in an SQL select statement that the system generates to restrict access to records, based on the restrictions you have set up in the other tabbed regions. The list of employees, contingent workers, and applicants specified by these other restrictions is therefore further restricted by the custom restriction. The clause fits into the system-generated statement in the following way (this statement is not visible on screen):

    select 1
      from per_all_assignments_f ASSIGNMENT,
           per_all_people_f PERSON,
           per_person_type_usages_f PERSON_TYPE
     where ASSIGNMENT.assignment_id = :asg_id
       and :effective_date between ASSIGNMENT.effective_start_date and ASSIGNMENT.effective_end_date
       and PERSON.person_id = ASSIGNMENT.person_id
       and :effective_date between PERSON.effective_start_date and PERSON.effective_end_date
       and PERSON.person_id = PERSON_TYPE.person_id
       and :effective_date between PERSON_TYPE.effective_start_date and PERSON_TYPE.effective_end_date
       and {your custom where clause fragment goes here}

Important: Custom restrictions directly restrict employees, contingent workers, and applicants only; you cannot create custom restrictions on people with a system person type of Other. However, if you add custom restrictions on employees, contingent workers, or applicants, related people with a system person type of Other are restricted according to the setting of the "View Contacts" option.
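The following is an added example, not code from the Oracle HRMS documentation: it rebuilds the system-generated statement above in SQLite over constructed stand-in tables and splices in the London/Paris fragment, so you can see how the custom fragment narrows the rows that the date-effective joins already allow. Table and column names follow the page; the sample rows, ISO date strings (in place of Oracle DATE values) and the helper function visible_assignments are assumptions of this example.

```python
import sqlite3

# Constructed SQLite stand-ins for the HRMS tables the generated statement
# joins; only the columns it touches are modelled, ISO strings stand in for DATEs.
SCHEMA = """
create table hr_locations_all(location_id integer, location_code text);
create table per_all_people_f(person_id integer, last_name text,
    effective_start_date text, effective_end_date text);
create table per_all_assignments_f(assignment_id integer, person_id integer,
    location_id integer, effective_start_date text, effective_end_date text);
create table per_person_type_usages_f(person_id integer,
    effective_start_date text, effective_end_date text);
insert into hr_locations_all values (10,'London'),(20,'Paris'),(30,'Berlin');
insert into per_all_people_f values (1,'Smith','2000-01-01','4712-12-31'),
    (2,'Stone','2000-01-01','4712-12-31'),(3,'Jones','2000-01-01','4712-12-31');
insert into per_all_assignments_f values
    (101,1,10,'2000-01-01','4712-12-31'),   -- London, open-ended
    (102,2,30,'2000-01-01','4712-12-31'),   -- Berlin, open-ended
    (103,3,20,'2000-01-01','2001-12-31');   -- Paris, but ended in 2001
insert into per_person_type_usages_f values (1,'2000-01-01','4712-12-31'),
    (2,'2000-01-01','4712-12-31'),(3,'2000-01-01','4712-12-31');
"""

# The system-generated statement as the page shows it; the custom fragment is
# spliced in at the final "and", exactly where HRMS places it.
TEMPLATE = """
select 1 from per_all_assignments_f ASSIGNMENT, per_all_people_f PERSON,
              per_person_type_usages_f PERSON_TYPE
where ASSIGNMENT.assignment_id = :asg_id
  and :effective_date between ASSIGNMENT.effective_start_date and ASSIGNMENT.effective_end_date
  and PERSON.person_id = ASSIGNMENT.person_id
  and :effective_date between PERSON.effective_start_date and PERSON.effective_end_date
  and PERSON.person_id = PERSON_TYPE.person_id
  and :effective_date between PERSON_TYPE.effective_start_date and PERSON_TYPE.effective_end_date
  and {fragment}
"""

# The London/Paris fragment from the page, verbatim.
LONDON_PARIS = """ASSIGNMENT.location_id in (select LOC.location_id
    from hr_locations_all LOC where LOC.location_code in ('London','Paris'))"""

def visible_assignments(fragment, effective_date, asg_ids):
    """Return the ids in asg_ids that the composed statement makes visible on effective_date."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    sql = TEMPLATE.format(fragment=fragment)
    return [a for a in asg_ids
            if con.execute(sql, {"asg_id": a, "effective_date": effective_date}).fetchone()]
```

Assignment 103 is in Paris but is only visible on an effective date inside its date-effective window, which shows that the fragment adds to, rather than replaces, the restrictions the generated statement already carries.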

Assigning Security Profiles


Use the Assign Security Profile window to link user names and security profiles to responsibilities. Only use this window if you are using Security Groups Enabled security (formerly called Cross Business Group Responsibility security).

Important: When using Security Groups Enabled security, even if you have linked a user to a responsibility using the User window, you must still link your user to a responsibility and security profile using the HRMS Assign Security Profile window. If you do not use the Assign Security Profile window, HRMS uses the default view-all security profile for the Business Group and the user will see all records for the Business Group.

The Assign Security Profile window is an essential part of setting up and maintaining HRMS security for Security Groups Enabled security. You must use this window to update your security profile assignment. Any changes entered for the security profile assignment are also shown on the User window. However, if you end date a user's responsibility using the User window, this is not shown on the Assign Security Profile window.

When you navigate to the Assign Security Profile window, the Find Security Profile Assignments window displays automatically. Select New to create a new assignment. For information about querying existing security profile assignments

To assign a new security profile

1. Enter the user name you want to link to a responsibility.

2. Enter the application and responsibility you want to link to the user.

3. To assign a local security profile, select a business group to assign to the user's responsibility. The local security profile for the business group is automatically entered when you click in the Security Profile field.

4. To assign a global security profile, first select the security profile to assign to the user's responsibility, then select a business group.

Note: If you enter a value in the Business Group field first, the list of security profiles is filtered and does not display security profiles for any other business groups.

You can link more than one security profile to a responsibility as long as the user is different.

5. Enter the time period of the security profile assignment. You must enter a start date. Optionally, enter an end date if you want the security profile assignment to end on a particular date.

6. Save the security profile assignment.

Running the Security List Maintenance Process


You run the Security List Maintenance process to update the lists of organizations, positions, employees and applicants that security profiles can access. You should run this process regularly, for example nightly, to take account of changes made during the day.
