The following description gives an overview of the standard security mechanisms used in Oracle HRMS and discusses how they relate to Oracle SSHR.
A responsibility combines low-level elements of user access configuration to control which functions the user can access (see User Access to Functions) and on whom they can perform these actions (see User Access to People).
You define SSHR responsibilities in the same way as you define responsibilities for Oracle HRMS applications.
Note: When you define your responsibilities, make sure they are available from Oracle Self-Service Web Applications.
See: Responsibilities
As an administrator, you can view a list of all owned responsibilities using the Responsibility Ownership functionality in SSHR. This functionality enables you to display a list of people with access to each of your owned responsibilities and revoke access to the responsibilities if appropriate.
The primary users of SSHR can be divided into two main groups: managers and employees (non-managers).
Employees (non-managers)
Employees and workers can only access their own employee records.
Managers
Managers can process the records for other employees and workers after selecting them from the Enter Process page. On the Enter Process page, the manager can switch between the following View as options:
Hierarchy
This view presents a hierarchical view of the employees and workers reporting to the current user. This view is based on either the supervisor or supervisor assignment hierarchy but can be configured to use the position hierarchy by setting the profile option HR: Self-Service Display Position Hierarchy to Yes.
For more information on supervisor hierarchies, see Security Profiles by Supervisor Hierarchy
Note: Although Oracle recommends using either a position or supervisor-based hierarchy, you can set up other security structures in Oracle HRMS if you prefer.
My List
This view contains a user-defined list of people for quick reference.
Note: If the profile option HR:Expand Role of Contingent Worker is set to Yes, contingent workers will be able to manage other employees.
The Enter Process page enables managers to perform a basic search for any employee within the underlying security profile. Alternatively, managers can access the Advanced Search page to apply more detailed search criteria.
The manager can process employees and workers in the resulting list directly or add them to My List for future reference.
Note: You can extend the security profile for managers by enabling the Release Employee Information function.
Some functions enable managers and HR Professionals to search for ex-employees and terminated employees.
See:
This extended search functionality is controlled by a function parameter.
See: Menu Function Parameter Descriptions
You can control user access to the People Search functions by excluding certain functions if required. For example, you can hide the Person Search function so that managers can only process the records for the employees and workers displayed in their hierarchy.
See: Defining User Access and Menus
You can also control how managers search for employees and workers by assigning profile options. For example, you can apply the HR: Cross Business Group profile option to enable managers to search across business groups. If you then set the HR: Restrict Transactions Across Legislations in SSHR profile to Yes, the names of the employees and workers in other legislations will be disabled.
SSHR uses security profiles to control a user's access to person records. For example, a security profile can give a manager access to the records for all the employees and workers in the department.
See: Security Profiles
Employees (non-managers) and contingent workers
You can use the default View All security profile for the corresponding business group for the employee (non-manager) responsibilities because the employee functions restrict the user to accessing only their own record.
Managers
If you allow your managers to access the Search functions, you must create suitable security profiles. For most SSHR managers, the most appropriate security profile is a profile based on a supervisor hierarchy. This type of security profile dynamically generates a list of available employees and workers based on either the supervisor hierarchy or the supervisor assignment hierarchy (starting with the current user). The advantage of using a profile of this type is that you can set up a single security profile and use it for multiple users. To activate supervisor security, select either the Restrict by Supervisor (person-based) option or the Restrict by Supervisor (assignment-based) option in the Security Profile window. In this case, the manager can see the records for the persons with at least one assignment for which they are the supervisor and the manager can also see the direct reports for this person.
See: Security Profiles by Supervisor Hierarchy
You can choose to build your supervisor hierarchy based on individual assignments. This means that your SSHR manager can only view and update a person's record if the manager is the supervisor for the specific assignment.
See: Assignment-Level Security
Multiple Assignments
If you wish to enable your managers to view and update multiple assignments for employees and workers, you can use the HR:Enable Multiple Assignments in SSHR system profile to allow this.
Note: If you are using assignment-based security, you must enable this profile option.
If the profile is set to No, managers can only view and update primary assignments. If the profile is set to Yes, managers can view and update only the assignments that are reporting to them through the security hierarchy.
Note: In the Security Profile window, on the User-Based Security tab, select the Primary Assignments Only check box to restrict managers to viewing and updating primary assignment information only.
See: Defining a Security Profile
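The difference between person-based and assignment-based supervisor security, and the effect of Primary Assignments Only, can be seen in a small model. This is an added example, not Oracle code: the Asg record, the sample people, and the simplified hierarchy walk are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed sample data for illustration; this is not an Oracle table layout.
# sup_person / sup_asg: the supervising person and the supervisor's assignment.
Asg = namedtuple("Asg", "asg_id person primary sup_person sup_asg")
ASSIGNMENTS = [
    Asg("A1", "Mgr",   True,  None,    None),
    Asg("A2", "Alice", True,  "Mgr",   "A1"),   # Alice reports to Mgr here...
    Asg("A3", "Alice", False, "Other", "A9"),   # ...and to Other on a second job
    Asg("A4", "Bob",   True,  "Alice", "A3"),   # reports to Alice's second job
    Asg("A5", "Carol", True,  "Alice", "A2"),
    Asg("A9", "Other", True,  None,    None),
]

def person_based(manager, rows=ASSIGNMENTS):
    """People with at least one assignment under the manager, then their reports."""
    seen, frontier = set(), {manager}
    while frontier:
        frontier = {r.person for r in rows if r.sup_person in frontier} - seen - {manager}
        seen |= frontier
    return seen

def assignment_based(manager, rows=ASSIGNMENTS):
    """Only assignments whose supervisor chain ends at one of the manager's assignments."""
    own = {r.asg_id for r in rows if r.person == manager}
    seen, frontier = set(), set(own)
    while frontier:
        frontier = {r.asg_id for r in rows if r.sup_asg in frontier} - seen - own
        seen |= frontier
    return seen

def visible_assignments(manager, mode, primary_only=False, rows=ASSIGNMENTS):
    """Assignment ids the manager can open; primary_only models Primary Assignments Only."""
    if mode == "person":
        people = person_based(manager, rows)
        ids = {r.asg_id for r in rows if r.person in people}
    else:
        ids = assignment_based(manager, rows)
    if primary_only:
        ids = {r.asg_id for r in rows if r.asg_id in ids and r.primary}
    return ids

if __name__ == "__main__":
    for mode in ("person", "assignment"):
        print(mode, sorted(visible_assignments("Mgr", mode)))
```

In this sample, person-based security exposes Alice's second assignment and Bob, who reports only through that second assignment, while assignment-based security exposes neither.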
Alternatively, you can choose to disable the Search functions for an SSHR manager responsibility. In this case, you can assign the View All security profile to the users.
You can supplement the list of people who appear in a security profile by enabling the Release Information function. With this function, users can allow other users (who are outside of the security profile) to access their records. Similarly, managers can use the Release Information function to allow a second manager (who is outside of the security profile) to access the records for one of their employees.
To illustrate a typical use of this function, imagine that an employee wants to transfer to another organization. The new manager may need to review the employee's absence history before the transfer can take place. However, this manager may be outside the employee's current business group and would therefore be restricted by HRMS security access. The manager cannot access the employee's data from a Person Search because of the defined security profiles. With the Release Information function, the employee granting access can search for the manager's name across all organizations and business groups and grant access to that person. This enables the manager to view the employee's absence history. However, you must ensure that the manager has a responsibility that satisfies the following conditions:
includes appropriate manager functions, for example, My Employee Information.
is associated with a security profile which has the "Allow Granted Access" check box flagged.
If you want managers in your enterprise to have the same privileges for granted employees as for other employees who work for them, you can simply enable the "Allow Granted Access" option on the security profile they use with their main Manager Self Service responsibility. Alternatively, you may choose to limit managers' capabilities with respect to granted employees. For example, you may restrict managers to selected views and not allow them to use functions such as Termination. To do this, disable the "Allow Granted Access" check box for the main security profile and enable the check box for a separate security profile with a reduced set of functions.
See: Release Information
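The two ways of configuring "Allow Granted Access" described above can be compared in a small model. This is an added example, not Oracle code: the Responsibility record, the people, and the "Granted Employee Views" responsibility name are assumptions; the function names and "Manager Self Service" come from the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Responsibility:
    name: str
    functions: frozenset
    profile_people: frozenset   # people the security profile already returns
    allow_granted: bool         # the "Allow Granted Access" check box

def functions_on(responsibilities, grants, manager, person):
    """Union of functions the manager can run against person."""
    usable = set()
    for r in responsibilities:
        # A release only counts where the profile allows granted access.
        granted = r.allow_granted and (person, manager) in grants
        if person in r.profile_people or granted:
            usable |= r.functions
    return usable

# Constructed scenario: dan reports to mgr; eve released her record to mgr.
GRANTS = {("eve", "mgr")}
FULL = frozenset({"My Employee Information", "Termination"})
VIEWS = frozenset({"My Employee Information"})

# Design 1: one profile with Allow Granted Access enabled.
SINGLE = [Responsibility("Manager Self Service", FULL, frozenset({"dan"}), True)]
# Design 2: main profile without granted access, reduced responsibility with it.
SPLIT = [
    Responsibility("Manager Self Service", FULL, frozenset({"dan"}), False),
    Responsibility("Granted Employee Views", VIEWS, frozenset(), True),
]

if __name__ == "__main__":
    for label, design in (("single", SINGLE), ("split", SPLIT)):
        for person in ("dan", "eve"):
            print(label, person, sorted(functions_on(design, GRANTS, "mgr", person)))
```

With the single-profile design the manager can run Termination on the granted employee; with the split design only the view function is available for her, while the direct report is unaffected.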
You control user access to specific functions using function security. Functions are attached to menus which are then attached to responsibilities.
The traditional navigation path for SSHR users is to select a function, for example, Personal Information or Change Manager, directly from a user menu. From SSHR 4.2, SSHR supports this approach but also introduces a new navigation path which uses the Actions pages.
Instead of selecting a specific function from the menu, the user selects either the Personal Actions function (for employees and workers) or the Manager Actions function (for managers). SSHR displays a context-sensitive list of available functions.
Personal Actions
The Actions page displays a list of available functions for the employee or worker. To generate this context-sensitive list, SSHR takes the submenu defined in the HR: Personal Actions Menu profile option and excludes any legislation-specific functions that do not match the legislation code of the user's business group.
Manager Actions
The manager is first presented with the Enter Process page from which they can select an employee assignment. They will then proceed to the Actions page which displays a list of functions available for the selected employee or worker. SSHR derives the list of functions by taking the submenu defined in the HR: Manager Actions Menu profile option and excluding any legislation-specific functions that do not match the legislation code of the selected person's business group.
Note: If the manager first selected their own record, the submenu is derived using the HR: Personal Actions Menu profile option.
Managers
When a user selects a manager function directly from the menu, they are first presented with the Enter Process page. From this page, they can select an employee for processing. The user is then taken, via the Effective Date page, to the corresponding web page for the function.
Note: Data security starts after the user has selected a person. If the function is specific to a legislation other than the legislation to which the selected person belongs, an error message is displayed.
Other Employees
When a user selects an employee function directly from the menu they are taken, via the Effective Date page if appropriate, to the corresponding web page for the function.
Note: Data security is checked after the user has selected a function. If the function is specific to a legislation other than the legislation to which the user belongs, an error message is displayed.
Workflow administrators can monitor all workflow transactions across the business areas in an enterprise. Now, depending on your business requirements, you can restrict a workflow administrator's access to specific workflow transactions using the HR Self Service Selected Person ID Instance Set. This object instance set uses security profiles to identify the data that workflow administrators can access. For example, you can use this feature to restrict an administrator's access to workflow transactions in a specific organization hierarchy or a business group. Similarly, you can restrict a human resources manager to view only HR transactions and a payroll executive to view only payroll transactions.
See: Restricting Access to Workflow Transactions
Most SSHR functions are global and can be used on employees in any legislation. However, some functions are legislation-specific and must be restricted to employees in the corresponding legislation.
SSHR uses FND Data Security to enforce this restriction. A data security object has been defined on the combination of person and legislation and data security menus have been created for predefined functions. There is one data security menu for global functions and one for each legislation code. The predefined functions are associated with either the global data security menu or with one or more of the country-specific data security menus as appropriate.
Data security grants have been predefined associating each data security menu with the appropriate legislation code (or with all legislation codes in the case of the global menu). The effect of each grant is to enable the functions attached to the corresponding data security menu for people in business groups having the corresponding legislation code.
For example, a function on the global data security menu may be used with any employee but a function that is only on the US data security menu may be used only with employees in a US business group.
In addition to the data security menus that are available for predefined functions, there is a similar set of data security menus to which you can attach your custom functions. The data security grants are already in place.
See: Data Security Menus
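The grant resolution described above, and how it surfaces on the two navigation paths (filtered Actions page versus an error on the direct menu path), is sketched below. This is an added example, not Oracle code: the menu names, function names, and the LegislationMismatch exception are hypothetical.

```python
# Constructed data security menus; menu and function names are hypothetical.
DS_MENUS = {
    "GLOBAL_DS_MENU": {"PERSONAL_INFO_FN", "CHANGE_MANAGER_FN"},
    "US_DS_MENU": {"US_ONLY_FN"},
    "GB_DS_MENU": {"GB_ONLY_FN"},
}
# Grants pair a data security menu with a legislation code ("*" = all codes).
GRANTS = [("GLOBAL_DS_MENU", "*"), ("US_DS_MENU", "US"), ("GB_DS_MENU", "GB")]

class LegislationMismatch(Exception):
    """Stands in for the error message shown on the direct menu path."""

def enabled(function, legislation):
    """True if some grant enables a menu holding the function for this legislation."""
    return any(function in DS_MENUS[menu] and code in ("*", legislation)
               for menu, code in GRANTS)

def actions_page(submenu, legislation):
    """Actions page: functions that do not match the person's legislation are left out."""
    return [f for f in submenu if enabled(f, legislation)]

def direct_menu(function, legislation):
    """Direct menu path: the check runs after selection and fails with an error."""
    if not enabled(function, legislation):
        raise LegislationMismatch(f"{function} is not available for {legislation}")
    return function

if __name__ == "__main__":
    submenu = ["PERSONAL_INFO_FN", "US_ONLY_FN", "GB_ONLY_FN"]
    print(actions_page(submenu, "US"))
    try:
        direct_menu("GB_ONLY_FN", "US")
    except LegislationMismatch as exc:
        print("error:", exc)
```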
You define SSHR users in the same way as you define users for Oracle HRMS applications.
See: Users Window
However, the Person field of the Users window is particularly important for SSHR as it acts as the link between the professional forms interface and SSHR. It ensures that the user name is linked to the correct person records. For example, if you were to create a user and assign an SSHR responsibility to this user, the correct employee records would only be displayed in SSHR if the user's name is entered in the Person field.
See: Responsibilities
The New User Registration functions enable new users to register their own details and create their own users for SSHR. You can also add a user hook which generates the user name when the user clicks a button on the web page.
You can enable the New User Registration functions for both employees and non-employees. The non-employee registration form is usually used in conjunction with Advanced Benefits.
You apply user profiles to control how the SSHR application runs. You can set profile options at site level, application level, responsibility level, and user level. The individual profile options are specified in the sections on each module.
See: User Profiles
You can control which functions employees, workers, and managers can access by adding or removing functions from the user menus. For example, you could restrict employee access to the Termination function by only including it in the Manager menu.
See: Defining User Access and Menus
SSHR users access their notifications using one of the following methods:
Using the Home page Worklist
Using the Workflow User Web Applications responsibility
Using the All Actions Awaiting My Attention function from the Manager, Professional, Employee or Worker responsibilities.
As an E-mail sent to the user's inbox
If the WF: Enable Worklist Global Header profile option is set up in your enterprise, a Worklist Header appears on each of the Oracle SSHR OAF application pages to enable users to navigate to notifications from OAF pages. However, users may experience security issues while accessing notifications from the Worklist Header if HRMS security is implemented using the HRMS security framework and the HR:Business Group and HR: Security Profile options are set up. To prevent access issues, you must disable the WF: Enable Worklist Global Header profile option for all Oracle SSHR predefined and custom responsibilities. Users must access notifications using any of the methods discussed above rather than from the Worklist Header.