In this article we will look into the Data Role and how to create it.
Table of Contents
What is Data Role?
HCM data roles combine a job role with the data that users with the role must access. You identify the data in security profiles. As data roles are specific to the enterprise, no predefined HCM data roles exist. We need to explicitly create them for each job role to provide data access.
Pre-requisites
- IT Security Manager role is required to set up the data role
- Security Profiles need to created before creating a data role
How to create Data Role?
When we create an HCM data role, we include a job role for which we need to provide data access. The secured HCM object types that the job role accesses are identified automatically, and sections for the appropriate security profiles appear on the next screen.
For example, if you select the job role, Human Resource Analyst, then sections for mange person, public person, organization, position, LDG, document type, and payroll flow appear. You select or create security profiles for those object types in the HCM data role.
If you select a job role that doesn’t access objects secured by security profiles, then you can’t create an HCM data role for that Job Role.
Note: Even though we can add data access to Job Role, it is highly not recommended by Oracle. We need to add data access only for the Abstract Roles like Employee, Line Manager etc.
Navigate to Setup and Maintenance and search for the task “Manage Data Role and Security Profiles“
Click on Create
Provide the Job Role for which you want to create the Data Role and provide the Data Role Name which would be a combination of Job Role concatenated with a short description of the data access.
Click on Next.
In the next step we will get an option to select the Security Profiles based on the privileges that are to be secured in the Job Role.
By default, Oracle delivers View All security profiles for all objects. If there is a specific need for a different profile, that needs to be created before creating the data role or can be created from the security profile screen.
Once we enter all security profiles, click review and then finally submit. It should take a minute to generate all security policies for this data role.
We can verify it by searching the role name on the search screen.
Then we are good to assign this role to users and they should be able to get the required data access.
Things to keep in mind
Even though this data role can be accessed from the Security console, it is not recommended to edit the data role from the security console as the next Regenerate Data Security Grants process would override those changes directly done in the security console.
If you have done any changes to the job role in the role hierarchy it is recommended to regenerate the data roles by manually opening the data role, clicking review, and submit so that the regenerate process runs only for the specific data role.
If you like the content, please follow us on LinkedIn, Facebook, and Twitter to get updated with the latest content.
