Role Provisioning and Delegation

About a month ago I wrote an article about security improvements in Oracle HCM Cloud Release 10. You can review it here: https://volodymyrfar.wordpress.com/2015/12/28/fusion-applications-security-console-makes-your-life-easier/

Oracle does its best to simplify security maintenance in Oracle HCM Cloud, and I presume that in the upcoming Release 11 we will see incredible improvements in security implementation. The main idea is to provide a simplified UI so that you no longer need to learn the technical implementation of roles, duties, policies, privileges, etc.

In this post I would like to show two additional security features that can be useful during implementation of security processes:

  • Role Provisioning
  • Role Delegation

Role Provisioning

Roles can be provisioned manually or automatically.
Power users such as line managers and human resource specialists can provision roles manually to other users. Users can also request roles for themselves.
To achieve full automation, you can use Role Provisioning Rules to create conditions under which the needed roles are assigned automatically.
Within Oracle HCM Cloud, the Role Mapping is the mechanism used both to automatically grant the correct roles to users and to restrict who can request roles for themselves or assign roles to others. Any role that will be provisioned to your users must be defined in a role mapping definition.

FSM Task: Manage HCM Role Provisioning

 

From my point of view, to achieve more flexibility I would extend the list of conditions with Fast Formula or at least with Areas of Responsibility (AOR).

Auto-provisioning of roles will occur whenever an employee is hired, terminated, or any of their employment data is changed. If a past or present-dated change is made, the roles will be auto-provisioned as of today. If a future-dated change is made, the roles will be auto-provisioned when that future date arrives.
It’s recommended to run the Autoprovision Roles for All Users ESS job after creating or editing role mappings and after loading person records in bulk.

This is a very process-intensive task, so you would be best advised to plan your role mappings carefully. That’s why I would advise adding a Test Run parameter to the process to make sure that all conditions are correctly defined before the production run.

Please note that the Apply Autoprovisioning button was removed from the Role Mappings page to avoid problems with performance.
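The following is an added illustration, not Oracle's code or the author's: a small offline model of such a test run, which evaluates role mappings against assignment data and reports the roles that would be added or removed, and on which date, without changing anything. The attribute names (`status`, `manager_with_reports`), the sample users and the assumption that an auto-provisioned role is removed once no mapping matches are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class RoleMapping:
    conditions: dict     # assignment attribute -> required value (hypothetical names)
    autoprovision: set   # roles granted automatically when every condition matches

@dataclass
class Assignment:
    user: str
    attrs: dict
    effective: date      # date the hire/termination/change takes effect
    current_roles: set   # roles the user holds through auto-provisioning today

def dry_run(mappings, assignments, today):
    """Return {user: (to_add, to_remove, apply_on)}; nothing is modified."""
    report = {}
    for a in assignments:
        entitled = set()
        for m in mappings:
            # An empty conditions dict matches every user: a mapping to review.
            if all(a.attrs.get(k) == v for k, v in m.conditions.items()):
                entitled |= m.autoprovision
        add, remove = entitled - a.current_roles, a.current_roles - entitled
        if add or remove:
            # Past- or present-dated changes apply today; future-dated ones wait.
            report[a.user] = (add, remove, max(a.effective, today))
    return report

# Constructed sample data
TODAY = date(2016, 2, 1)
MAPPINGS = [
    RoleMapping({"status": "Active"}, {"Employee"}),
    RoleMapping({"status": "Active", "manager_with_reports": True}, {"Line Manager"}),
]
ASSIGNMENTS = [
    Assignment("alice", {"status": "Active", "manager_with_reports": True}, date(2016, 1, 15), {"Employee"}),
    Assignment("bob", {"status": "Inactive", "manager_with_reports": False}, date(2016, 1, 31), {"Employee", "Line Manager"}),
    Assignment("carol", {"status": "Active", "manager_with_reports": False}, date(2016, 3, 1), set()),
    Assignment("dave", {"status": "Active", "manager_with_reports": False}, date(2016, 1, 1), {"Employee"}),
]

if __name__ == "__main__":
    for user, (add, remove, when) in dry_run(MAPPINGS, ASSIGNMENTS, TODAY).items():
        print(user, "add:", sorted(add), "remove:", sorted(remove), "on:", when)
```

Reviewing the add and remove sets per user before the production run shows whether a condition is too broad (unexpected grants) or too narrow (unexpected removals).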

Role Delegation

Although the User Impersonation feature (known as Proxies) can still be enabled in Oracle HCM Cloud, Oracle doesn’t recommend using it. User impersonation allows a proxy user uncontrolled access to the personal data of the impersonated user. The proxy user acquires all of that user’s roles, which is dangerous if you use employee self-service.
In the following pictures you can see what the Proxy User feature looks like:

Proxy Setup:

 

Act as:

 

 

Instead, Oracle recommends using Role Delegation. This feature allows you to delegate individual roles to named users for a specified period.
You can delegate roles in the Roles and Approvals Delegated to Others section on the Manage User Account page. On the home page, select About Me – My Account.

By default, delegation isn’t enabled for any predefined HCM job or abstract role. You can change the delegation setting of any predefined HCM role, except the Employee and Contingent Worker abstract roles. You can also enable delegation for HCM data roles, custom job roles, and custom abstract roles.

FSM Task: Manage Data Role and Security Profiles

You can delegate both roles and approvals to certain users for a specified period:

Approval Delegation Rules:

In the following screenshot you can see the My Account page of the Proxy User:

And finally you can see that the proxy user has received the delegated roles:

Hope this helps.

Best regards,
Volodymyr
