Oracle HCM Cloud R11 Security Demonstration Scripts_activity.pdf

Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Appendix A: Instructor Demonstrations ORACLE HCM CLOUD R11 SECURITY DEMONSTRATION SCRIPTS.DOC
Effective 02/01/15 Page 1 of 44 Rev 1
Appendix A: Instructor
Demonstrations

Instructor Demonstrations: Overview
Distribution
Job Title*
Ownership
The Job Title [list@YourCompany.com?Subject=Appendix A: Instructor Demonstrations:
D88709GC11_Demos_AppA] is responsible for ensuring this document is necessary, reflects
actual practice, and supports corporate policy.
Practices Overview
These demonstrations show various HCM Security tasks.
Prerequisites
Throughout this class use the Mozilla Firefox browser to access the application.

Instructor Demonstration L2-1: Function Security in Action
Demonstration Overview
As an Oracle Fusion Applications user, you access functions through the roles that have been
assigned to you. In this demonstration, you show how function security secures user access to
dashboards, work areas, and work-area task-pane contents.
Demonstration Assumptions
 Time: 5 minutes
Demonstration Tasks
Sign In and Navigate
1. Sign in as user Curtis.Feitty.
2. Click the Navigator icon in the global area of the home page.
Review Navigator Contents
1. Review the contents of the Navigator menu that are available to Curtis Feitty.
Information: Function security is used to secure the Navigator menu. Each menu entry
corresponds to a work area or dashboard, and each of these is secured with a function
security privilege. The function security privileges that are granted to the user (through his
or her roles) control the menu entries that the user can see.

2. Select Workforce Structures under My Workforce.
Information:
Function security also secures the task panel (available on the right side of the page) for a
work area. Each of the task panel entries corresponds to a task flow, which is secured with
a function security privilege. The function security privileges that are granted to the user
(through his or her roles) control the task pane entries that the user can see.
Review User Roles
1. On the Home page, select About Me > My Account.
Location: Manage User Account page
2. Scroll down to the Current Roles section.
Information:
Curtis is assigned a great many roles, which is useful for testing (and for training courses
like this). He has functional manager roles, as well as IT Security Manager. In the real
world, few users would have this many different and powerful roles.
3. Sign out, and then sign back in as Mitch.Blum.
Information:
To sign out, click Curtis Feitty in the menu bar and then click Sign Out.
4. On the Navigator menu, notice that Mitch does not have access to the Workforce
Structures option or many other options that appear on Curtis's menu.
5. On the home page, select About Me > My Account.
6. Scroll down to the Current Roles section to view Mitch's assigned roles.

Information:
Mitch has fewer roles than Curtis does. Mitch's roles do not give him access to the
Workforce Structures function, so it does not appear on his menu.
7. Sign out.
You have demonstrated how to view menu options and tasks managed by function security.

Instructor Demonstration L2-2: Data Security in Action
As an Oracle Fusion Applications user, you access data via the roles that have been assigned
to you. In this demonstration, you show the data available for viewing by different users based
on their assigned roles.
 Time: 5 minutes
Demonstration Tasks
1. Sign in as user Jack.Fisher.
Information:
This user has employee and line manager roles. He also has several direct reports.
2. Select Directory on the home page.
Review Directory Listings and Associated Actions
1. Click the Isolate icon ( ) at the top of Jack Fisher.
Information: When you look at your own directory listing, the actions that are available in
the Actions menu are controlled using data security. The actions that you can perform
include actions such as Change Marital Status (under Personal and Employment), but do
not include actions such as Promote.
2. Use the dots and scroll icons at the bottom of the listing to see cards with additional
employment information.
3. Select the Restore icon ( ) to show the management reporting hierarchy.
4. Click the listing of Jack's manager, Linda Swift.
Information: When an employee views his or her manager's listing, only publicly available
information appears. No HR actions are available. Data security controls access to data
that you can view for other people. A public person security profile controls the people that
a user can search for in the directory. Once a user has selected a person, data security
controls the directory cards that can be seen for that person and the actions that can be
performed against them. For example, for your direct report you can view salary and
performance information. But for your manager you cannot.
5. Hover your mouse over the point at the bottom of Jack's box on the chart and click the
Show icon (+) to display Jack's direct reports.
6. Click the Actions menu on Mark Winterling.
Information: In the Actions section of Mark’s listing, you can see the functions available to
Jack. Under Personal and Employment, he can promote, terminate, or transfer Mark. Under
other menu items he can manage salary and compensation, and manage absence records
for Mark.
7. Sign out and sign back in as Curtis.Feitty.

8. Navigate to the directory, and search for Linda Swift. (Click the Search icon in the upper
right, and enter Linda's name in the Keywords field, click Search, and then click Swift,
Linda in the search results. Click the View in Organization Chart icon ( ).)
Information: When viewing Linda in the directory, Curtis can see more cards and has more
actions than Jack does. This is because Curtis has the HR Specialist - View All role, which
allows him a greater level of access.
You have demonstrated how to view application pages managed by data security and noted the
differences that result from provisioned roles.

Instructor Demonstration L3-1: Managing Data Roles and Security
Profiles
During security setup, you create data roles and assign security profiles to them. In this
demonstration, you use the Assign Security Profiles to Role task to demonstrate the process of
creating a data role and assigning security profiles to it.
 Time: 10 minutes
Demonstration Tasks
1. Ensure that you are signed in as Curtis.Feitty.
2. Navigate to the Setup and Maintenance work area.
3. In the Search field, enter Assign Security Profiles to Role and click Search.
4. In the search results, click the Assign Security Profiles to Role task.
Create a Data Role
1. In the Search Results section toolbar of the Manage Data Roles and Security Profiles page,
click Create.
Location: Create Data Role: Select Role page
2. In the Data Role field, enter XX HR Specialist Vision, where XX represents your initials.
3. In the Job Role field, search for and select Human Resource Specialist.
Information:
A data role is always associated with a job role, from which it inherits privileges.
The Delegation Allowed field is covered in the Role Delegation section later in this class.
You can leave this option deselected.
4. Click Next.
Location: Create Data Role: Security Criteria page
Information:
Here you select the security criteria for the role. For each secured business object that the
job role needs to access, a section appears on this page. To identify data set instances for
each business object, you can either select an existing security profile or create a new
security profile.
Note: Any security profiles that you create while defining the data role exist independently
of the data role and can be reused.

Select or Create Security Profiles
1. In the Organization section, select the predefined View All Organizations organization
profile.
2. In the Person section, select the Create New hyperlink at the bottom of the Person
Security Profile list of values.
3. In the Name field, enter XX Person Security Profile Vision.
4. Select the Secure by Global Name Range option.
5. For all other sections, select any one of the predefined View All security profiles.
6. Click Next.
Location: Assign Security Profiles to Role: Organization Security Profile page
Information:
This is the first of a series of pages for defining security profiles. Since you need to create
only a Person profile, you could skip to the Person page now by clicking Person in the
process train at the top of the page. However, for this demonstration, we will review each
page to see the criteria associated with each business object. Key points about each profile
type are included in the pages following this demonstration.
7. Click Next, noting the security criteria on each page, until you reach the Person train stop.
Location: Assign Security Profiles to Role: Person Security Profile page
Note: In the Global Name Range section, the Secure by Global Name Range option is
selected based on your previous entry (Step 4).
8. In the Global Name Range section, enter A in the From Person Name field, and enter L in
the To Person Name field.
Information:
These criteria limit access to persons whose global list names are in the range A through L.
9. To view the remaining security profile pages, continue clicking Next until you reach the
Review page.
10. Click Submit. The role may take a few seconds to create.
Location: Manage Data Roles and Security Profiles page
Information:
After submitting, it is a good idea to verify that the new role was successfully created and
profiles were assigned.
Verify the Role
1. Search for the data role you just created. (Enter XX HR Specialist Vision in the Role field,
and click Search.)
2. In the search results, verify that the Security Profiles Assigned column for your role
displays a green checkmark.
3. Click Done.
At this point, you have created a new data role and assigned the necessary security profiles.

Instructor Demonstration L4-1: Using the Manage Users Task to
Create HR Users
The Manage Users task provides a quick alternative to the New Hire process, which requires
more information to be entered for each person. In this demonstration, you use the Manage
Users task to create a new user. The user will be mapped to an HR person.
Note: You can skip this demo if you prefer, as the students will create a user using the
Manage Users task in Practice 5-1.
 Time: 7 minutes
Demonstration Tasks
2. Ensure that you are in the Setup and Maintenance work area.
3. Search for and launch the Manage Users task.
Information:
You can also access this task on the home page by selecting My Team > Manage Users.
Location: Manage Users (Search Person) page.
Create Application User
1. In the Search Results section toolbar, click the Create icon button.
Location: Create User page
2. In the First Name and Last Name fields, enter your own first and last names (or any name
you choose).
3. In the E-Mail field, enter XX@dummy.com.
4. In the User Name field, enter XX_TEST_USER.
5. Deselect the Send user name and password option.
6. In the Person Type field, select Employee.
Information:
The Employment Information section expands to display additional fields.
7. In the Legal Employer field, select US1 Legal Entity.
8. In the Business Unit field, search for and select US1 Business Unit.

9. In the Roles section, click the Autoprovision Roles button.
Information:
The application reviews all enterprise role provisioning rules and automatically provisions
the appropriate ones based on this user's employment information. In this environment, the
Employee abstract role is automatically provisioned to users whose Person Type is
Employee. Role provisioning is covered in detail in Lesson 5.
10. Click the Add Role button to assign a role to the user manually.
Location: Add Role dialog box
11. Search for the data role that you created in Practice 3-1 (XX HR Spec Data). If you (as
instructor) did not perform Practice 3-1, then try to search for the data role that you created
in the demonstration in Lesson 3 (XX HR Specialist Vision). (You won’t find it, see note
below).
Note: You will not be able to find the data role because it is not yet available for
provisioning to a user. You must create a role-provisioning rule for the role before you can
assign it to a user. You will see how to do that in your next practice. Close the Search
dialog box and return to the Create User page.
12. Click Save and Close.
13. Click Done.
Location: Overview page in the Setup and Maintenance work area
You have now demonstrated the user-creation process.

Instructor Demonstration L4-2: Creating Implementation Users
During implementation, you must create at least one initial implementation user and give that
user the ability to create other users and access other implementation tasks. During this
demonstration, you show how to create an implementation user directly in Oracle Identity
Manager and assign the IT Security Manager and Application Implementation Consultant roles
to the user.
Note: When you create an implementation user, no person record is created. Only a user
account is created. Use the Manage Users task or the New Hire flows to create both a user
account and a person record that are automatically linked.
 Time: 7 minutes
Demonstration Tasks
3. Search for and launch the Create Implementation Users task.
Location: Oracle Identity Manager - Self Service page
Note: This task takes you automatically to the Oracle Identity Manager (OIM) application.
OIM will be discussed in detail later in this class.
Create an Implementation User and Assign Roles in OIM
1. Click the Administration link in the top-right corner of the page.
Location: Welcome to Identity Manager Delegated Administration page
2. Under the Users heading, click Create User.
3. Enter names in the First Name and Last Name fields.
Information:
You can use any names you like here as this user is not referenced later in the lesson.
4. In the Organization field, search for and select Xellerate Users.
5. In the User Type field, select Non Worker.
6. Enter a User Login, such as XX_IMPLEMENTATION_USER.
7. In the Password field, enter aBc123XX.
8. Enter the password again to confirm.
9. Click Save.
10. Click the Roles tab.

11. Click Assign.
12. Enter IT in the Display Name Begins With field, and click Search.
13. Select IT Security Manager in the search results, and click Add.
14. Click Assign.
15. Enter Application Implementation in the Display Name Begins With field, and click
Search.
16. Select Application Implementation Consultant in the search results, and click Add.
Verify Role Provisioning
1. Return to the Welcome tab, and click Advanced Search - Roles.
Location: Advanced Search: Roles page
2. Enter IT in the Display Name Begins With field, and click Search.
3. Click IT Security Manager in the search results.
4. On the IT Security Manager page, select the Members tab.
5. Confirm that your user name is in the list of All Members and Direct Members.
Information:
The implementation user that you created is not an Indirect Member, because the IT
Security Manager role was assigned directly, not through a role hierarchy or another role
that inherits the IT Security Manager role.
6. Return to the Advanced Search - Roles tab, and search for the Application
Implementation Consultant role.
7. Click Application Implementation Consultant in the search results.
8. Select the Members tab.
9. Verify that your user is listed as a member for this role too.
10. Close the OIM browser window, and return to the Oracle Fusion Applications Setup and
Maintenance work area. (Do not sign out; just close the browser window.)

Instructor Demonstration L4-3: Reporting on Users
In this demonstration, you run the User Role Membership Report process to report on the role
memberships of users who have at least one assignment in the Recruitment US department.
 Time: 5 minutes
Demonstration Tasks
2. Select Navigator > More > Tools > Scheduled Processes.
Location: Scheduled Processes work area
Run the User Role Membership Report
1. In the Search Results section, click Schedule New Process.
2. In the Schedule New Process dialog box, search for and select the User Role Membership
Report process and click OK.
Location: Process Details dialog box
3. In the Department field, search for the Recruitment US department.
Note: You may need to use the scroll bars to move horizontally to see the Search and OK
buttons.
4. In the search results, select Recruitment US and click OK.
5. In the Process Details dialog box, click Submit.
6. Click OK to close the Confirmation message.
7. Close the Process Details dialog box.
View the User Role Membership Report
1. In the Search Results section of the Scheduled Processes page, click the Refresh icon.
2. When the status of the User Role Membership Report process is Succeeded, select it to
display its details.
3. In the Log and Output section of the details, select the (1 more…) link.
Location: Attachments dialog box
Information:
The Attachments dialog box lists two files, the User Role Membership Report file and a
diagnostics file.
4. Click the UserRoleMemberships zip file and save it to your desktop.
5. Click OK to close the Attachments dialog box.

6. On your desktop, extract the contents of the UserRoleMembership zip file.
7. Double-click the extracted UserRoleMembership CSV file to open it.
8. Increase the width of columns A through E to make the contents easier to read.
Information:
The report shows the parameters that you specified, followed by the user details for each
user in the specified population. The user details include the user name, first and last
names, user status, department, location, and role memberships.
9. Close the report file.
10. Return to the Oracle HCM Cloud home page.

Instructor Demonstration L5-1: Delegating the Line Manager Role
Line managers can delegate the duties associated with their line manager role if they are not
able to perform them for any reason. In this demonstration, you perform the following tasks to
show how to delegate a role and verify successful delegation:
1. Create a person security profile that provides a proxy user with access to both his or her
own manager hierarchy and the delegator’s manager hierarchy.
2. Assign the new security profile to the line manager role, and verify that the line manager
role is enabled for delegation.
Information:
This change will apply to all line managers in the enterprise.
3. Sign in as Jack Fisher, and delegate the line manager role to Matt Wagner, who is a peer
and a line manager. Make the delegation immediate.
4. Sign in as Matt Wagner, and verify that you can perform line manager duties on Jack’s
direct reports.
5. Sign in as Jack Fisher, and end the delegation.
Demonstration Tasks
3. Search for and launch the Manage Person Security Profile task.
Create the Person Security Profile
1. On the Manage Person Security Profiles page, click the Create icon button.
2. In the Name field, enter View Manager Hierarchy-Both_XX.
3. In the Manager Hierarchy section, select the Secure by Manager Hierarchy option.
4. In the Hierarchy Content field, select Both.
5. Click Save and Close. (Click Yes to close the warning message.)
6. Click Done.

Assign the New Security Profile to the Line Manager Role
1. On the Setup and Maintenance page, search for and launch the Assign Security Profiles
to Role task.
Location: Manage Data Roles and Security Profiles page
2. In the Role field, enter Line Manager and click Search.
3. In the Search Results section, select the Line Manager role and click the Edit icon button.
Location: Assign Data Role: Role Details page
4. Select the Delegation Allowed option.
5. Click Next.
Location: Assign Data Role: Security Criteria page
6. In the Person section, select the View Manager Hierarchy-Both_XX security profile in the
Person Security Profile field.
7. Click Review and then Submit.
Delegate the Line Manager Role
1. Sign out and sign back in as Jack.Fisher.
3. In the Roles and Approvals Delegated to Others section, click the Create icon button on the
Roles Delegated to Others tab.
4. In the Role Name field, search for and select the Line Manager role.
5. In the Start Date field, enter today’s date and leave the End Date field blank.
6. In the Delegated To field, search for and select Matt Wagner.
7. On the Manage User Account page, click Save and then click OK to confirm.
Information:
When the role request is sent to OIM, the request appears in the Role Requests in the Last
30 Days section of the proxy's My Account page. When the role request succeeds, the role
appears in both the Roles Delegated to Me section and the Current Roles section of the
proxy's My Account page. Proxy users can delete current and future-dated delegated roles
from the Roles Delegated to Me section.
Verify the Role Delegation
1. Sign out and sign back in as Matt.Wagner.
3. Verify that the delegated role is listed in the Roles Delegated to Me section.
4. On the Navigator menu, select Directory. (Click Yes to close any warning that appears.)
5. On the Directory page, click the Show icon on Jack.Fisher.
Information:
As you can see, Mark Winterling’s manager is Jack Fisher. However, Matt can now perform

all line manager duties listed under the Actions menu for Mark. If you logged in as Jack
Fisher, you would see that Jack still has all the line manager privileges as well.
End the Role Delegation
1. Sign out and sign back in as Jack.Fisher.
3. In the Roles and Approvals Delegated to Others section, enter today's date in the End Date
field to end the delegation.
4. Click Save, and click OK to confirm.
5. Sign out.

Instructor Demonstration L6-1: Using OIM to View and Manage Roles
Use the Manage Job Roles task to access Oracle Identity Manager (OIM) and view data, job,
and abstract roles. OIM refers to data, job, and abstract roles simply as roles. Role-naming
conventions allow you to distinguish between role types in OIM pages.
Managing job roles is an important part of HCM security management. You can use either the
Security Console or OIM to create and manage HCM job roles. In this demonstration, you use
OIM.
This demonstration looks at the data roles assigned to an existing user and shows the job roles
that are inherited by those data roles. It also demonstrates how to search for a role and display
a list of all users assigned to that role.
Demonstration Tasks
3. Search for and launch the Manage Job Roles task.
Location: Oracle Identity Manager - Self Service page
Review Roles in Oracle Identity Manager
1. Click the Administration link in the top-right corner of the page.
Location: Oracle Identity Manager - Delegated Administration page, Welcome tab
2. Under the Roles heading, click Advanced Search - Roles.
Location: Advanced Search: Roles page
3. In the Display Name (Begins With) field, enter H and click Search.
Information:
The search results include both data roles and job roles. Job roles, such as Human
Resource Specialist, do not display a dash in their display names. The roles with a dash,
such as HR Specialist - View All, are data roles.
The Oracle Fusion role-naming convention is to append _JOB at the end of a job role name
and _DATA at the end of a data role name. The internal name is created based on the
Display Name and uses the _JOB or _DATA suffix to distinguish between the role types.
4. Click the Human Resource Manager job role in the search results.
Information:
Note that the Role Category Name is HCM - Job Roles.

5. Return to the Advanced Search - Roles tab, and open the HR Analyst - View All data role.
Information:
The Role Category Name for all data roles is automatically set to Default.
6. Return to the Advanced Search - Roles tab.
7. In the Display Name (Begins With) field, enter Employee and click Search.
Information:
Employee is a predefined abstract role. Abstract role names have _ABSTRACT at the end
of the role name.
8. Click the Employee role in the search results.
Information:
The Role Category Name is HCM - Abstract Roles.
Review the Roles Assigned to a User
1. On the Welcome tab, click Advanced Search - Users.
2. In the Display Name field, search for Curtis Feitty, then click his name in the search
results.

3. Select the Roles tab to view the roles assigned to this user.
Information:
This page shows all roles assigned to Curtis, including data roles, abstract roles, and job
roles (if any).
4. Click on a data role, such as Benefits Administrator - View All, and click Open.

5. Click the Hierarchy tab.
Information:
Here you can see the Benefits Administrator job role inherited by the Benefits Administrator
- View All data role.
6. Click the Members tab to see all the users assigned to this data role.
7. Return to the Welcome tab, and select Advanced Search - Roles.
8. Search for the Payroll Manager job role, and then open it.
Information:
Note that the attribute information and the tabs displayed for the job role are the same as
for the data role you just explored. Remember that in OIM, the term role refers collectively
to job, abstract, and data roles. The role category name, such as HCM - Job Roles,
identifies both the role type and the Oracle Fusion Application where the role is used.

9. Click the Hierarchy tab.
Information:
This job role inherits several roles, including the Functional Setups User abstract role and
the Payroll Administrator job role.
Note: When you are creating a job role, you can use this tab to add one or more parent
roles from which to inherit permissions. This is useful if you are creating a manager job role
that performs all the functions that an administrator job performs, plus more. In this case,
you would add the administrator job role as a parent role to the manager job role.
This role hierarchy is also visible in APM, as you will see later.
10. Click the Members tab.
Information:
This is useful if you need to determine quickly which users are assigned to a role.
Note: On this tab, the Member Type (for most members) is Indirect Role because users are

not directly assigned the Payroll Manager job role. They inherit it via a data role that is
based on the Payroll Manager job role.
11. You can close the Oracle Identity Manager tab and return to the Oracle Fusion Applications
window.

Instructor Demonstration L6-2: Using APM to View Duty Roles and
Aggregate Privileges
This demonstration uses the Manage Duties task to look at existing data and job roles. It
demonstrates how to view the duty roles and aggregate privileges associated with job roles and
where to go if you need to add them to or remove them from a role.
Managing duty roles is an important part of security management. Implementers may be
required to create new duty roles if the predefined ones do not meet the needs of the enterprise.
Authorization Policy Manager can be used to manage duty roles and associated security
policies.
Demonstration Tasks

3. Search for and launch the Manage Duties task.
Information:
You are now viewing the Authorization Policy Manager (APM) user interface.
Reviewing a Data Role
1. In the Application Name section, select hcm.
2. Under the Search and Create heading, click Search - External Roles.
Location: Search - External Roles page
Note: Remember that job roles, data roles, and abstract roles are all referred to as external
roles in APM. Job roles and abstract roles inherit an application role with the same name.
3. In the Display Name field, enter Benefits Administrator - View All, and click Search.
4. Select the Benefits Administrator - View All role in the search results, and click Open
Role.

5. Click on the External Role Hierarchy tab.
Information:
The External Role Hierarchy tab shows the job role (Benefits Administrator) inherited by the
Benefits Admin - View All data role.
6. Click the Application Role Mapping tab.
7. Expand the hcm folder in the Display Name column.
Information:
The Benefits Administrator - View All (HCM) role shown here is a special type of application
role that was automatically generated when the Benefits Administrator - View All data role
was created. This is explained in more detail in the HCM Security Deep Dive lesson later in
the course.

Reviewing a Job Role
1. Return to the Search External Roles tab.
2. In the Display Name field, enter Benefits Administrator and click Search.
3. Select the Benefits Administrator job role in the search results, and click Open Role.
4. Click the Application Role Mapping tab, open the hcm folder, and expand the Benefits
Administrator application role.
Information:
Here you can see all of the aggregate privileges and duty roles associated with the
Benefits Administrator job role. From this page, you can map additional application roles
(duty roles and aggregate privileges) to this job role.
5. You can close the Authorization Management tab and return to the Oracle Fusion
Applications window.
You have demonstrated how to use APM to view and manage job roles.

Instructor Demonstration L7-1: Running the Import User and Role
Application Security Data Process
In this demonstration, you will run the process that populates the Applications Security data
tables with latest updates from Oracle Identity Management (OIM) and Authorization Policy
Manager (APM), thereby ensuring that OIM, APM, and Oracle HCM Cloud are synchronized.
Customers are recommended to schedule this process (Import User and Role Application
Security Data) to run daily. As the process is not scheduled in the training environment, we run
it at the start of Lesson 7 to ensure that the security data stores are synchronized.
 Time: 5 minutes. The process itself may take 10 to 15 minutes to complete, depending
on the volume of changes since it last ran.
Demonstration Tasks
1. Sign in as Curtis Feitty.
2. Select Navigator > More > Tools > Scheduled Processes.
Location: Scheduled Processes work area
Run the Process
1. In the Scheduled Processes work area, click Schedule New Process.
2. In the Schedule New Process dialog box, search for and select Import User and Role
Application Security Data.
3. In the Process Details dialog box, click Submit.
4. Click OK to close the Confirmation dialog box.
5. In the Scheduled Processes work area, click the Refresh icon button in the Search Results
section.
Information:
You can click the button at intervals to update the process status. When the process status
is Succeeded, the Applications Security data tables are updated with latest information
from OIM and APM.
You can continue with the lesson while the process is running.
6. When the process status is Succeeded, sign out.

Instructor Demonstration L8-1: Copying a Predefined Abstract Role
In this demonstration, you will copy a predefined abstract role and edit the copied role. The
demonstration shows how to copy the Employee application role in the hcm, crm, and fscm
application stripes and add the copies to a newly created Employee external role. It also shows
how to add the predefined Employee application role in the obi application stripe to your newly
created Employee external role. Finally, it shows how to edit the copied hcm application role.
 On the Administration tab of the Security Console, the default Role Name Suffix is
Copy and the default Role Code Suffix is _COPY. No default role prefix values are
specified.
 The current application stripe is hcm.
Demonstration Tasks
1. Sign in as Curtis.Feitty.
2. On the home page, select Tools > Security Console.
Location: Security Console Roles tab.
Copy the Employee Application Role
1. In the Search field, enter Employee and click Search.
2. Click Refine to open the Refine Search Results dialog box, select Abstract Roles, and
click OK.
3. In the search results, select the predefined Employee (Application role)
(ORA_PER_EMPLOYEE_ABSTRACT).
4. In the role visualization, select the Employee (Application role) node (at the center of the
visualization), right-click, and select Copy Role.
5. In the Copy Options dialog box, leave Copy top role selected.
Information:
Membership is added to the inherited duty roles for your copy of the application role. The
duty roles themselves are not copied.
6. Click Copy Role.
Location: Copy Role: Basic Information page
Information:
The Role Name and Role Code values for the copied role have been constructed
automatically using the name and code from the source role with any default prefix and
suffix values.

7. In the Role Name field, enter your identifier (XX) at the start of the role name value to give
the role name XXEmployeeCopy.
8. In the Role Code field, enter your identifier and an underscore (XX_) at the start of the role
code value to give the role code XX_PER_EMPLOYEE_ABSTRACT_COPY.
9. Click the Summary and Impact Report train stop.
Location: Copy Role: Summary and Impact Report page
10. Click Submit and Close.
12. You can review the progress of the copy on the Administration tab if you wish. You can
continue before the copy status is Complete.
Create the Employee External Role
1. On the Roles tab, click Create Role.
Location: Create Role: Basic Information page
2. Enter these values:
Field Value
Role Name XXEmployeeCopy
Role Code XX_PER_EMPLOYEE_ABSTRACT_COPY_EXT
Role Source External role
Role Category HCM - Abstract Roles
3. Click the Role Hierarchy train stop.
Location: Create Role: Role Hierarchy page
4. Click Add Role.
5. In the Add Role Membership dialog box, search for and select the XXEmployeeCopy
(Application role) that you just created.
6. Click Add Role Membership.
8. Close the Add Role Membership dialog box.
Information:
The role visualization shows the updated role hierarchy.
Location: Create Role: Summary and Impact Report page

Information:
You have created the single external role with one application role (for hcm) to which you
will now add equivalent application roles in the crm, fscm, and obi application stripes.
Change the Application Stripe
1. Click the user ID, then, on the Settings and Actions menu, select Setup and Maintenance.
2. On the Setup and Maintenance page, search for and launch the Manage Administrator
Profile Values task.
Location: Manage Administrator Profile Values page
3. In the Search section, set Application to Applications Security.
4. Click Search.
5. In the search results, select ASE_WORKING_APP_STRIPE.
6. In the Profile Values table, set the Profile Value for CURTIS_FEITTY to crm.
8. Select Navigator > Tools > Security Console.
Copy the Employee Application Role in the CRM Application Stripe
Follow the steps in the Copy the Employee Application Role section to copy the employee
application role in the CRM application stripe.
Note: Make you Role Code unique by adding _CRM as a suffix.
Add the Copied CRM Employee Application Role to the External Role
1. On the Security Console, search for and select the XXEmployeeCopy external role.
2. In the role visualization, select XXEmployeeCopy, right-click, and select Edit Role.
Location: Edit Role: Basic Information page
Location: Edit Role: Role Hierarchy page
4. Click Add Role.
5. In the Add Role dialog box, search for and select the role XXEmployeeCopy (Application
role).
Information:
As you are working in the CRM application stripe, the CRM role is returned in the search
results.
Information:

Location: Edit Role: Summary and Impact Report page.
Instructor Note: You may need to reload the page in the web browser to get the security
console to refresh correctly.
Copy the Application Role in the FSCM Application Stripe
1. Change the application stripe to FSCM. Follow the steps in the Change the Application
Stripe section.
2. Copy the application role in the FSCM application stripe. Follow the steps in the Copy the
Employee Application Role section.
Note: Make you Role Code unique by adding _FSCM as a suffix.
3. Add the copied FSCM application role to the external role. Follow the steps in the Add the
Copied CRM Role to the External Role section.
Add the Predefined Application Role in the OBI Application Stripe
1. Change the application stripe to OBI. Follow the steps in the Change the Application
Stripe section.
2. On the Security Console, search for and select the XXEmployeeCopy external role.
3. In the role visualization, select XXEmployeeCopy, right-click, and select Edit Role.
Location:
Edit Role: Basic Information page
Location:
Edit Role: Role Hierarchy page
5. Click Add Role.
6. In the Add Role dialog box, search for and select the predefined Employee (Application
role) with the role code ORA_PER_EMPLOYEE_ABSTRACT.
Information:
The predefined OBI Employee application role is returned. By adding rather than copying
the predefined role, you are adding membership to the existing role for your custom
XXEmployeeCopy external role.
Information

Location: Edit Role: Summary and Impact Report page
Change the Application Stripe Back to HCM
Follow the steps in the Change the Application Stripe section to change the working
application stripe back to HCM.
Edit the Copied HCM Application Role
1. Select Home > Tools > Security Console.
2. Search for and select the XXEmployeeCopy (Application role) role.
3. In the role visualization, notice the many duty roles and aggregate privileges that this role
inherits. Role names appear on hover.
Information:
The duty roles and aggregate privileges are those of the source application role. None of
the duty roles was copied because you performed a shallow copy, not a deep copy. You
can remove any of these inherited roles, but you cannot edit them without affecting other
roles that inherit them.
4. In the role visualization, select XXEmployeeCopy (Application role) (at the center of the
visualization), right-click, and select Edit Role.
Location: Edit Role: Basic Information page
6. In the role visualization, select any aggregate privilege (A), right-click, select Delete, and
then click OK to close the Confirmation dialog box. Repeat this step to remove additional
aggregate privileges if you wish.
7. Select any duty role (R), right-click, and select Delete. Click OK to close the Confirmation
dialog box. Repeat this step to remove additional duty roles if you wish.
Information:
Most editing of copied roles will be of this type: removing inherited aggregate privileges and
duty roles or adding new aggregate privileges and duty roles on the Edit Role: Role
Hierarchy page.
Location: Edit Role: Summary and Impact Report page
Information:
On this page, you can review the summary of roles added and removed.
Review Your New Role In Authorization Policy Manager
Information
In APM, you can see all application stripes at once.

1. On the Settings and Actions menu, click Setup and Maintenance.
2. On the All Tasks tab of the Overview page, search for and select the Manage Duties task.
Location: Authorization Management Home tab
4. Under the Search and Create heading, click Search - External Roles.
Location: Search – External Roles page
5. In the Display Name field, enter XXEmployeeCopy.
6. Click Search.
7. In the search results, select XXEmployeeCopy and click Open Role.
Location: XXEmployeeCopy page
8. Click the Application Role Mapping tab.
Information:
You see four folders, one for each of hcm, crm, obi, and fscm.
9. Expand each top-level folder.
Information:
You see an XXEmployeeCopy application role in each of the hcm, crm, and fscm folders.
These are the application roles that you copied separately and added to your external role.
In the obi folder, you see the predefined Employee application role.
10. Expand the Employee application role and each XXEmployeeCopy application role in turn
to show its inherited aggregate privileges and duty roles. Most appear under the hcm
folder.
11. Close the APM tab.
12. Sign out.

Instructor Demonstration L9-1: Viewing Security Policies
Viewing the security policies associated with aggregate privileges and duty roles can help you
understand an important part of the HCM security model.
Use the Manage Duties task in the Setup and Maintenance work area to access APM, where
you can view the Promote Worker aggregate privilege and its associated data and function
security policies.
Demonstration Tasks
1. Sign in as hcm_impl1.
2. Navigate to the Setup and Maintenance work area, and search for and launch the Manage
Duties task.
Location: Authorization Management page
4. Select Search under Application Roles.
Information:
Remember that aggregate privileges and duty roles are referred to as application roles in
APM.
Location: Role Catalog page
Search for the Aggregate Privilege
1. In the Display Name field, enter Promote Worker and click Search.
Note:
Delete any values that appear by default in other search fields before clicking Search.
2. In the search results, select the Promote Worker aggregate privilege and click the Open
icon.

Viewing Functional Security Policies
1. In the top-right corner of the screen, click Find Policies > Default Policy Domain.
2. Review the policies listed on the Functional Policies tab.
Information:
This role has only one function security policy: Policy for Promote Worker. It controls
access to this function from the Oracle HCM Cloud menus and work areas.
3. To view the code artifacts that are secured using this function security policy, go back to the
Home tab (but do not close this tab).
4. Select hcm in the Application Name field, and then click Search under Entitlements.
Location: Search Entitlements page
Note: Remember that, in APM terminology, an entitlement equates to an Oracle Fusion
Applications function security privilege.
5. In the Display Name field, enter Promote Worker and click Search.

6. Select the Promote Worker entitlement (PER_PROMOTE_WORKER_PRIV) in the search
results, and click the Open icon.
Information:
The code artifacts that are secured against this entitlement are shown in the Resources
section of the page.
7. Return to the Search Authorization Policy tab. (The Promote Worker aggregate privilege
should still be displayed.)

Viewing Data Security Policies in APM
1. Select the Data Security tab, and review the data security policies for this aggregate
privilege.
Information:
This aggregate privilege has two data security policies, Search Worker and Promote
Worker. These policies provide access to all of the different types of data that a user must
view, select, or manage when performing the Promote Worker function.
If you use the delivered aggregate privileges and duty roles as building blocks when
defining custom job roles in HCM, then security policies are generated automatically for
you. You do not need to manage them manually in APM.
2. Select the Promote Worker row, and click the Edit icon button.
Location: Data Security Policy: Edit page
3. Select the Rule tab.
Information:
This tab shows the condition for the privilege. When expanded, the condition is:
Access the person assignment for table PER_ALL_ASSIGNMENTS_M for persons and
assignments in their person and assignment security profile.
This tab does not show the SQL predicate. To view the SQL predicate, you must navigate
to the data security policy from a different direction.
4. Return to the Home tab, and click Search - Policies under the Search and Create heading.
Location: Search Policies tab
5. Click the Database Resource button at the top of this tab.
Location: Manage Database Resources and Policies page

6. In the Display Name field, enter Person Work Terms Assignment and click Search.
Information:
The search results list all of the data security policies for the PER_ALL_ASSIGNMENTS_M
data base table
7. In the PER_ALL_ASSIGNMENTS_M: Policies Details section, click the Detach button.
Location: Detached Table page
Note: Detaching the table makes it easier to browse and navigate, and allows you to view
the SQL predicate in the condition.
8. Right-click the Role column header, and select Sort > Descending.
9. Scroll down to the ORA_PER_WORKER_PROMOTION_DUTY role (there are two rows),
and select the row with the Description: Promote worker can search worker... (The Policy
column for this role displays Grant on Person Assignment.)
10. Click the Edit icon button.
Location: Edit Data Security: PER_ALL_ASSIGNMENTS_M page
11. Select the Condition tab.
Information:
Note the SQL predicate for the condition in the first row. The other conditions on the
Conditions tab are generated from security profiles. The condition Display Name includes
the security profile name.

12. Select one of the conditions, and click the Edit icon button.
Information:
You can view the full condition details here. Note the SQL Predicate value, as discussed
previously.
Important: Do not edit the conditions! The conditions for HCM data security policies are
generated automatically from security profiles and should not be changed.
13. Click Cancel.
14. Close the Oracle Entitlements Server: Authorization Policy Manager tab and return to the
Oracle Fusion Applications window.

Instructor Demonstration L11-1: Viewing Reporting-Related Roles and
Permissions
Viewing reporting-related roles and permissions can help you understand how OTBI security
works.
In this demonstration, you use the Manage Duties task in the Setup and Maintenance work
area to view the Transaction Analysis duty roles that are inherited by the Human Resource
Analyst predefined role. You then perform the same tasks on the Security Console. For this type
of task, where you need to work in multiple application stripes, APM may be the better choice.
In the Reports and Analytics work area, you access the BI Catalog and view the permissions
associated with sample OTBI reports.
Demonstration Tasks
2. Ensure that you are on the Setup and Maintenance page.
3. Search for and launch the Manage Duties task.
Location: Authorization Management page
View Transaction Analysis Duty Roles of the Human Resource Analyst Role in
APM
2. Click Search - External Roles.
Location: Search - External Roles page
3. In the Display Name field, enter Human Resource Analyst and click Search.
4. In the search results, select the Human Resource Analyst role and click Open Role.
Location: Human Resource Analyst page
5. Select the Application Role Mapping tab
6. Expand the hcm folder, then the Human Resource Analyst application role.
Information:
Note the various Transaction Analysis duty roles inherited by this predefined role. Each of
these roles is granted one or more data security policies that provide access to reporting
data.
7. Select the Absence Management Transaction Analysis duty role and click Find Policies
on the Application Role Mapping tab.
8. On the Search Authorization Policies tab, in the Policies for section, click the Data Security
tab to see data security policies granted to this role.

9. On the Human Resource Analyst tab, collapse the hcm folder, and expand the obi folder.
Information:
Note the Transaction Analysis Duty roles here.
10. Expand the Absence Management Transaction Analysis Duty role.
Information:
Note the BI Consumer Role under the author role.
11. Return to the Oracle Fusion Applications window.
View Transaction Analysis Duty Roles of the Human Resource Analyst Role on
the Security Console
2. On the Security Console, search for and select the Human Resource Analyst (Application
role) (ORA_PER_HUMAN_RESOURCE_ANALYST_JOB).
Information:
The Human Resource Analyst application role inherits many privileges (P), aggregate
privileges (A), and duty roles (R). Zoom in to see the identifying letters. Hover on the roles
(green circles) to see examples of Transaction Analysis duty roles.
3. When you find the Absence Management Transaction Analysis duty role, select it, right-
click, and select Set as Focus to make this role the focus of the Visualization.
4. Select the Absence Management Transaction Analysis duty role, right-click, and select
Edit Role.
Information:
Selecting Edit Role enables you to see the role details, but you should not edit the role.
5. On the Edit Role: Basic Information page, select the Data Security Policies train stop.
Information:
Here you can see the data security policies for this role. These policies are the reporting
policies that you viewed in APM.
6. Click Cancel.
7. On the Settings and Actions menu, click Setup and Maintenance.
8. Search for and launch the Manage Administrator Profile Values task.
9. On the Manage Administrator Profile Values page, set the Application value to
Applications Security and click Search.
10. In the search results, select ASE_WORKING_APP_STRIPE.
11. In the Profile Values section, set the value for CURTIS_FEITTY to obi.
14. Search for and select the Human Resource Analyst job role
(PER_HUMAN_RESOURCE_ANALYST_JOB).
15. In the role visualization, scroll in to display role names.

16. Select the Absence Management Transaction Analysis Duty role, double click the role to
show the BI Consumer role.
17. Set the working application stripe back to hcm for CURTIS.FEITTY.
18. Sign out.
View Permissions for OTBI Reports in the BI Catalog
1. Sign in as hcm_impl1 (use the same password as Curtis.Feitty).
2. On the home page, select Tools > Reports and Analytics.
Location: Reports and Analytics page
3. In the panel on the left, click the Browse Catalog icon.
Location: Catalog page
4. In the Folders panel, expand Shared Folders.
5. Expand the Human Capital Management folder, and then expand the Payroll folder.
6. Click on the Transactional Analysis Samples folder to open it.
Information:
A list of reports appears in the center panel.
7. Under Costing Reports in the center pane, click More and then select Permissions.
Location: Permissions dialog box
Information:
Scroll down if necessary to see the complete list of permissions, which includes the BI
Administrator Role.
8. Click Cancel.
9. Return to the Oracle Fusion Applications window and sign out.

Oracle HCM Cloud R11 Security Demonstration Scripts_activity.pdf

More Related Content

Similar to Oracle HCM Cloud R11 Security Demonstration Scripts_activity.pdf (20)

Recently uploaded (20)

Oracle HCM Cloud R11 Security Demonstration Scripts_activity.pdf