Tuesday, July 21, 2009

Global Security Profiles

Overview:
Security profiles are one of the key functions of the Oracle HCM suite. A security profile controls access to people records when a user logs in to HCM applications. Security profiles can be created based on organizations, locations, and many other attributes of the person record to define the access. Once the security profile is created, it is attached to a responsibility to enforce the security access. You can access the security profile forms under the "Security" section of the Super HRMS Manager responsibility, as shown below.



Traditionally, users had the option to create local security profiles only. That means a security profile, once created, automatically restricts people access to one business group only. With this method, you have to create at least one security profile for each business group to complete the security setup. As shown below, if you have manufacturing people in the Columbia and Sweden business groups, you have to create two security profiles to provide access to employees from both business groups.

Once these security profiles are created, the user needs to attach them to the Sweden and Columbia HR responsibilities.

This method is fine as long as you have one or two business groups. As the number of business groups increases, maintenance becomes complicated because of the high number of security profiles. If you need to make a slight change to one security setup (such as the manufacturing group shown above), you need to find the corresponding security profiles in all business groups and make the same change in each to keep them in sync. This becomes an administrative nightmare as the number of business groups and profiles increases.

To reduce the administration effort, Oracle introduced global security profiles. Using this option, you can create one security profile that spans all business groups, or more than one business group, thus reducing the number of security profiles. For the example above, instead of creating separate security profiles for Sweden and Columbia, you can create one global security profile as shown below.

Once the global security profile is created, the user can attach the same global security profile to both the Sweden and Columbia responsibilities. With this, we have reduced the number of security profiles to one, which represents the complete manufacturing division across all business groups.

One thing I would like to clarify is that using global security profiles does not reduce the number of responsibilities; it only reduces the number of security profiles. The user still needs to create one responsibility for each business group in order to access people from each business group. Even though a global security profile contains people from more than one business group, when a user accesses the data in the HR application through a specific responsibility, he/she can only access people from the business group that is attached to that responsibility.
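A small model of the behaviour described above, as an added example that is not Oracle code or part of the original post. The class names, the organization-based criterion and the sample people are assumptions made for illustration; it shows that a responsibility only ever exposes its own business group, and how local profiles can drift apart while a global one cannot.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Person:
    name: str
    business_group: str
    organization: str

@dataclass
class SecurityProfile:                      # hypothetical model, not an Oracle API
    name: str
    organizations: set                      # organizations the profile grants
    business_group: Optional[str] = None    # None models a global profile

    def matches(self, p: Person) -> bool:
        in_scope = self.business_group in (None, p.business_group)
        return in_scope and p.organization in self.organizations

@dataclass
class Responsibility:
    name: str
    business_group: str
    profile: SecurityProfile

    def visible(self, people):
        # Effective access = profile match AND the responsibility's own business group.
        return sorted(p.name for p in people
                      if p.business_group == self.business_group
                      and self.profile.matches(p))

def drifted(profiles):
    """Names of profiles whose criteria differ from the first profile in the list."""
    baseline = profiles[0].organizations
    return [sp.name for sp in profiles if sp.organizations != baseline]

# Constructed sample data (business group names follow the article's example).
PEOPLE = [Person("Anna", "Sweden", "Manufacturing"), Person("Lars", "Sweden", "Sales"),
          Person("Carlos", "Columbia", "Manufacturing"), Person("Maria", "Columbia", "Assembly")]

def build_local():
    se = SecurityProfile("SE Manufacturing", {"Manufacturing"}, "Sweden")
    co = SecurityProfile("CO Manufacturing", {"Manufacturing"}, "Columbia")
    return se, co, Responsibility("Sweden HR", "Sweden", se), Responsibility("Columbia HR", "Columbia", co)

def build_global():
    gp = SecurityProfile("Global Manufacturing", {"Manufacturing"})
    return gp, Responsibility("Sweden HR", "Sweden", gp), Responsibility("Columbia HR", "Columbia", gp)
```

Running `drifted()` over a set of local profiles that are meant to be identical is the kind of periodic check the local-profile setup needs and the global-profile setup makes unnecessary.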

Reporting:

If you are using Discoverer or custom reports for end-user reporting, with some customization you can take advantage of global security profiles to report across multiple business groups. Normally, to run a report across multiple business groups, the user needs to switch responsibilities, run the report in each business group, extract the data, and combine it to complete the report for analysis or printing. With global security profiles, you can eliminate this issue with some customization on the reporting side and make the end user's life easier.

Final Thoughts:

Following are some high level advantages of global security profiles:

  1. Reduce number of security profiles
  2. Simplify changes to security profiles
  3. Accommodate global reporting across business groups

Hope this article is useful. Your feedback is most welcome.





4 comments:

  1. Anonymous 4:45 AM

    thanks for sharing...this is very helpful article.

  2. Anonymous 4:53 AM

    Useful

  3. Anonymous 2:22 AM

    very useful, thanks much!

  4. Aashish Rao 5:53 PM

    Could you please explain how the responsibility will be linked to a business group to restrict data access only to that BG, as we set the HR:SECURITY PROFILE to a global profile value at responsibility level?
