When you use the Security Groups Enabled security model (formerly called Cross Business Group Responsibility security), a security group is automatically created for each business group when you run the Enable Multiple Security Group Process. Because security groups are tied to business groups by setup, partitioning data using this method is the same as partitioning data by business group. See: Setting Up Security Groups Enabled security.
Attention: Security groups are only used if you have set up your enterprise using the Security Groups Enabled security model.
Security groups are the key component in Security Groups Enabled security. They enable you to set up one responsibility and link this to a number of different business groups.
Before you can start using this security model, you must ensure that HRMS is set up to use security groups. To do this, set the Enable Security Groups profile option to Yes and run the Enable Multiple Security Group process.
Attention: You can change from Standard HRMS security to Security Groups Enabled security; however, you cannot switch from Security Groups Enabled security back to Standard HRMS security. See: Updating the Security Model.
Once you have set up your enterprise to use security groups, Oracle HRMS automatically creates a security group when you set up a business group. The security group has the same name as the business group. For example, if you create a business group called UK Headquarters, Oracle HRMS automatically creates a security group called UK Headquarters. The Setup Business Group, however, uses the predefined security group Standard.
Note: If you change the name of your business group, the security group name is not updated. To make the maintenance of your security setup easier, Oracle recommends that you leave the names of the security groups the same as the business groups from which they are created.
Using the Assign Security Profile window you link the user, responsibility and business group to a security profile. By entering a business group you are automatically linking the responsibility to the security group.
You then log on using the responsibility and security group pairing. As security groups are automatically linked to a business group, you can then view and manage the records for that business group.
When you log on, Oracle HRMS displays all the pairings you have created between business groups and responsibilities. You could have the same responsibility listed twice with different security groups and therefore business groups. By looking at the security group you can select the correct responsibility for the business group you want to access.
To ensure the integrity of your business data, you can only view records for one business group at any time. To view records from a different business group you must switch to an alternative responsibility and business group pairing.
Attention: Security groups are automatically created for you when you use Oracle HRMS. Do not use the System Administrator's Security Groups window to add security groups as these will not be linked to your business groups.
When you first enable security groups and run the Enable Multiple Security Groups concurrent process, the process creates two sets of records for existing user/responsibility pairs:
For each responsibility connected to a user it creates a record linking the user, the responsibility and the Standard security group.
For each HRMS responsibility connected to a user it creates a record linking the user, the responsibility, the security group associated with the business group, and the security profile.
If you are updating from Standard security, there may be many such records. For each existing user responsibility with a security group value of 'Standard', you need to decide whether or not the user requires access to the responsibility. Users who may need to update global lookup codes need access to the Standard security group.
In most cases, users will not require access to the Standard security group. In this case, enter an end date to remove access to the responsibility. This reduces the number of responsibilities the user sees on logging in, and prevents users from accidentally entering data into the wrong business group.
Note: By default, the Standard security group is associated with the Setup business group.
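The review of 'Standard' records described above can be scripted once the user/responsibility records are exported. The following is an added example, not Oracle code: the CSV layout, column names, user names and the `review_assignments` helper are assumptions made for illustration, and security groups are matched to business groups by name only.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are assumptions, not Oracle table columns.
SAMPLE_EXPORT = """user,responsibility,security_group,security_profile,end_date
JSMITH,US Federal HQ,Standard,,
JSMITH,US Federal HQ,East Region Processing,Operations Manager,
JSMITH,US Federal HQ,West Region Processing,Services Manager,
LOOKUPADMIN,US Federal HQ,Standard,,
MJONES,US Federal HQ,Standard,,2020-01-31
MJONES,US Federal HQ,Northern Region,Operations Manager,
"""

BUSINESS_GROUPS = {"East Region Processing", "West Region Processing"}  # constructed
LOOKUP_MAINTAINERS = {"LOOKUPADMIN"}  # users who update global lookup codes (constructed)


def review_assignments(export_text, business_groups, lookup_maintainers, today):
    """Return (end_date_candidates, unlinked_groups) for an exported assignment list."""
    candidates, unlinked = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        end = row["end_date"]
        if end and date.fromisoformat(end) < today:
            continue  # end date has passed, so this access is already removed
        pair = (row["user"], row["responsibility"])
        group = row["security_group"]
        if group == "Standard":
            # Standard is associated with the Setup business group; keep it
            # only for users who maintain global lookup codes.
            if row["user"] not in lookup_maintainers:
                candidates.append(pair)
        elif group not in business_groups:
            # Name matches no business group: a renamed business group, or a
            # security group added by hand and therefore not linked to one.
            unlinked.append(pair + (group,))
    return candidates, unlinked


if __name__ == "__main__":
    to_end_date, unlinked = review_assignments(
        SAMPLE_EXPORT, BUSINESS_GROUPS, LOOKUP_MAINTAINERS, date(2024, 1, 1))
    print("End-date candidates:", to_end_date)
    print("Security groups with no matching business group:", unlinked)
```
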
For example, if your user is set up with a responsibility called US Federal HQ, you could link this to:
East Region Processing (Business Group)
Operations Manager (Security Profile)
Using the same responsibility (US Federal HQ), you could also link to a different Business Group:
West Region Processing (Business Group)
Services Manager (Security Profile)
Therefore, using just one responsibility (US Federal HQ), you can access two Business Groups (East and West Region Processing).
When the Business Group East Region Processing was set up, a security group East Region Processing would automatically have been created. When you linked the Business Group to the user's responsibility, the security group East Region Processing would also be linked.
To view the records for Business Group East Region Processing you would select the US Federal HQ responsibility and the East Region Processing security group.
If you then wanted to view the records for the West Region Processing Business Group you would switch responsibility and security group pairing, selecting the same responsibility (US Federal HQ) and the different security group West Region Processing.
Warning: You can only categorize information by security groups if you are using Security Groups Enabled security.
You can categorize the following information within your enterprise using security groups:
Lookups
Using the Application Utilities Lookups window you can set up lookups specifically for a security group. These lookups are only available to users who access the business group associated with the security group.
Concurrent Programs
Using the Concurrent Parameters Program window you can enter a security group against a concurrent program. This creates a specific list of concurrent programs for a security group and therefore for a business group. When a user selects a concurrent program using the Submit Request window, they can select from the concurrent programs for their business group.
Note: You do not have to enter a security group against all the concurrent programs. Concurrent programs which are not linked to a security group display for all security groups/business groups.
The application supports secure user view and cross-business group functionality for the following:
RPA and NPA Reports
Mass Actions
See: Mass Action Overview
Position Descriptions
Future Dated RPAs concurrent process
Central Personnel Data File (CPDF) reports, including CPDF Dynamics, Status, and OCT reports as well as the Monthly Report of Federal Civilian Employment (SF-113A) report.
See: Central Personnel Data File Report, Standard Form 113-A Monthly Report of Federal Civilian Employment
The responsibility you choose at login determines what information you can view and update and what reports and processes you can run. If your login's responsibility and associated business group has a security profile assigned to it (a secure view), the application filters the information.
For example, when you create a mass action, the application filters the Selection Criteria list of values for organizations, positions, and hierarchies. It also filters the information that can be displayed and updated in the Preview window and for the Final execution.
Additionally, when you save a mass action or position description, the application stores the business group ID attached to your login's responsibility. From then on, only users with the same business group ID can access and retrieve the mass action, and run reports and processes for it.
Use the following guidelines when choosing a responsibility. Choose:
Secure view responsibility to access and update mass actions and position descriptions, and to run only processes and reports created in that secure view responsibility
Non-secure responsibility to access and update mass actions and position descriptions, and to run all processes and reports
If you have cross-business group functionality set up, the application includes the values for all business groups. If you are running reports or concurrent processes, the processes or reports run across all business groups. If you do not have cross-business group functionality set up, the application bases your lists of values and access to reports and processes on your current login's business group and your associated secure view.