Applications Security


Comments

  • Gangi Redd M

    My issue has been resolved after removing the below privileges:

    ORA_CMP_CORRECT_WORKER_SALARY;
    ORA_CMP_DELETE_WORKER_LATEST_SALARY;
    ORA_CMP_VIEW_FUTURE_SALARY_CHANGES;
    Manage Salaries & Change Salary

    Regards

  • Prashant Kumar

    Hi Gangi,

    You can hide these Actions from the Structure page.

    Nav: Navigator >> Configuration >> Structure >> Click on Tab (i.e. About Me) >> Quick Action Tab >> Under Compensation >> Quick Action (i.e. Change Salary)

    Regards,

    Prashant

  • Pankaj Tyagi

    Thanks for the quick answer, Kishore!

    We have used this way, but the report which comes out is not user friendly. You cannot have a report with user ID, when the role was assigned, and when a role was removed. This is more of a commentary on when the roles were added to and removed from a given user.

  • Kishore Padala

    Whenever a custom role was changed (i.e. an application role was removed or added), a user lost access or gained unexpected access, etc., and you want to know who did that.

    Then enable the audit report in Fusion Applications, so you will know who made the security changes and when.

    Please be aware that this audit function will only record changes made from Fusion Applications (including the Security Console); it will not track changes made outside of Fusion Applications (i.e. the OIM console).

    For more information please refer to:
    How to Audit Security Customization (Role Creation, Role Modification) in Fusion Application (Doc ID 2175861.1)

  • Linda Chirash

    Thanks, Yanna. That's helpful.

    The reason I've seen it work with just the job role assigned is that the users who get this role (typically HRIS/HR Technology teams) also have the HR Specialist role, which gives them the person access, and have the employee role, which gives them access to Directory. I can see how someone might not want the HCM Application Administrator to access the user name in Person Management to modify it, so not having the data role could help with this.

    Appreciate the insights!

    Linda

  • Yanna Autry

    Hi Linda,

    You could potentially assign the role directly to the End User, but if they need access to an area that requires data access, they may potentially not be able to access or complete any necessary administrative tasks.

    There are privileges on the role that allow the End User to view people data in some capacity. In organizations that may have more than one data group in the same system and multiple HCM Application Administrators, this allows the Security Administrator to limit the End User using other Data Roles as needed; but for organizations that don't have multiple data groups, the View All is a simple and easy seeded Data Role to provide full access.

    A couple of potential examples of things they would not be able to do without some kind of Data Role:

    • View Public Person (impacts Directory information): they would be able to view the directory interface itself, but if the End User wanted to edit/customize/view what is displayed for a Public Person, they would not be able to because they did not have Data access.
    • Edit User Name: this is done on the employee record, and without access to data they would not be able to fix/correct/change the user name.

    What the organization is expecting the role to do will determine whether the associated Data Role is ultimately needed or not. If at any point they need to look at people data, the data role will be required.

    ~Yanna

  • Alexey Shtrakhov

    Here is the template for this report: UserNamesByService.xdoz

    It should produce an image something like this:
    You can then expand these branches and see users who are responsible for the count...

    Pivot.xpt (2KB)

  • Joshua Vincent

    You would restrict privileges so that only manage questionnaires is available in setup and maintenance from the task drawer --> search. In this way, they do not have access to other functions (they will appear 'grayed out' in setup and maintenance search results).

    But this is not ideal. The enhancement request should be the creation of a direct link and access to manage questionnaires from the Learning Administration console, even if this is merely a deep link to the same setup and maintenance task. All common functions of the Learning Administrator should be performed from the same work region; navigating to setup and maintenance to perform an ordinary task creates a poor user experience.

    This request is similar to existing and delivered functionality in Oracle Cloud for procurement, where certain procurement roles show "Manage Procurement Agents" in the functional work area's task drawer, taking the user to the same screen that would be accessed from Setup and Maintenance for the same task by users who are system administrators and not the functional role holder.

  • Joshua Vincent

    I think this is the best solution: with a proper HCM job / position structure, the HCM Role Provisioning Rules can automatically provision roles (and data security), and automatically deprovision when the rule's assignment criteria are no longer met. With the above comments about auditing of role assignments, if you have a good HCM structure and use role auto-provisioning, you should build your report to only examine manually assigned roles, rather than automatically provisioned roles. In this way, you are not burdened by looking at all role assignments, but only those which were not done by rule, predicated on you creating rules that will not generate impermissible role pairings (SOD).

  • Kalimuthu Vellaichamy
    • posted via email reply August 8, 2019

    Thanks a lot, Rick, will check the document which you have shared.

  • Rick Aldridge

    Hi Kalimuthu,

    Please take a look at IP Whitelist for Web Service Calls Initiated by Oracle Cloud Applications (Doc ID 1903739.1). You may just need to whitelist the CIDR block of IP addresses for the applicable data center your environment exists in.

    However, unless there is specific functionality that exists to configure a call out to a web service you expose, you might need OIC. We have found that OIC is the only mechanism to subscribe to business events, which can then call anything you expose from on-premise.

    Thanks!

    Rick

  • Indu Kumari

    Hi Mandeep,

    No, we are not using batch amount.

    Currently, even the simple rule 1=1 is not working.

    Thanks,

    Indu

  • MandeepKGupta

    Indu,

    Are you using batch amount in the rule?

    Please review:

    Approval Of Manual Journals Failing With Error FUN-720337 (Doc ID 1946873.1)
    When Approval GL Journal For Posing, Error Occurred. (Doc ID 2469731.1)

    Thanks.

  • Indu Kumari

    Hi Mandeep,

    Thanks for the reply.

    None of the workers have duplicate users; still, we are getting the issue.

    We are not using supervisor hierarchy in our approval. We are using approval group.

    Thanks,

    Indu


  • MandeepKGupta

    Hi Indu,

    All the users you have listed are seeded users. Can you please check if any of the workers have duplicate users? Also, I have found one MOS note, which might be helpful. Please check if not checked earlier:

    Journal Approval Error "The record Supervisor does not exist" The supervisor or Job level does not exist. (FUN-720337) (Doc ID 2513292.1)

    Thanks.