Security Profiles in Oracle HRMS Payroll
Prerequisites
- If you want to associate a reporting user with the new security profile, the ORACLE database administrator must create a new reporting user ORACLE ID. The system administrator must register the new ORACLE IDs with the Application Object Library.
Usage
Security profiles are used to limit users to see restricted information. There are many options provided by Oracle to meet your requirement.
1) Organization Security
One can limit the display of information by organization. For instance, you want to show only the employees of "Production" department to a user A.
2) Position Security
One can limit information by using position hierarchy or by specifying the top position. Default is "View all positions".
3) Payroll Security
Default is "View all Payrolls". But you can restrict the information by selecting any payroll from LOV.
4) Supervisor Security
Information can be limited by using Supervisor information on employee assignment.
5) Miscellaneous Security
An Oracle User can be selected or can be excluded by Exclude User Check-box.
6) Custom Security
if scenario could not be fulfilled by standard functionality, we can also write custom code to limit the information.
Lets explain the above using an example.
One can limit the display of information by organization. For instance, you want to show only the employees of "Production" department to a user A.
2) Position Security
One can limit information by using position hierarchy or by specifying the top position. Default is "View all positions".
3) Payroll Security
Default is "View all Payrolls". But you can restrict the information by selecting any payroll from LOV.
4) Supervisor Security
Information can be limited by using Supervisor information on employee assignment.
5) Miscellaneous Security
An Oracle User can be selected or can be excluded by Exclude User Check-box.
6) Custom Security
if scenario could not be fulfilled by standard functionality, we can also write custom code to limit the information.
Lets explain the above using an example.
Example
1) Organization Security
In the example, you want to limit information to only "01-Hierarchy".
Screenshot 1
Screenshot 1
So lets create a security profile.
Navigation:- Global HRMS Manager --> Security --> Profile
Navigation:- Global HRMS Manager --> Security --> Profile
- Name: Give a proper Name
- Security Type: Secure organization by organization hierarchy and/or by organization list.
- Specify Top Organization: As highlighted in Screenshot 1. Select 01-TOP.
- Include Top Organization: Check if you want to include top organization in the information.
- Exclude Business Group: Check if you want to exclude business group from the information.
- Classification: You can specifically include/exclude any classification from list of values according to your requirement.
2) Position Security
3) Payroll Security
4) Supervisor Security
5) Custom Security
After having created the profile and assigned it to the user, you need to run "Security List Maintenance" concurrent program for changes to take effect. Check
How to assign Security profile to a user
How to run Security List Maintenance Concurrent Program
Your feedback is very important. Leave a comment for any query.
Hi,
ReplyDeleteCan you please tell me how to write custom code to restrict employees from viewing supervisor details.
thanks
I have written a code like below:
ReplyDeleteASSIGNMENT.PERSON_ID
IN
(SELECT PAF.PERSON_ID FROM PER_ALL_PEOPLE_F PAF,
PER_ALL_ASSIGNMENTS_F PF,
PAY_PEOPLE_GROUPS PG
WHERE PAF.PERSON_ID=PF.PERSON_ID
AND :EFFECTIVE_DATE BETWEEN PAF.EFFECTIVE_START_DATE
AND PAF.EFFECTIVE_END_DATE
AND PF.PEOPLE_GROUP_ID=PG.PEOPLE_GROUP_ID
AND :EFFECTIVE_DATE BETWEEN PF.EFFECTIVE_START_DATE AND PF.EFFECTIVE_END_DATE
AND PAF.PERSON_TYPE_ID=2
AND PG.SEGMENT2 <>4)
But its not working..I am able to see all the details
Hi anusha,
DeleteFirst thing is not to use :effective_date, use sysdate instead.
Your requirement is not clear to me. As per my understanding, each employee has a separate username and has access to employees data. Any employee should not be able to find his supervisor in people--》Enter and maintain search screen. Kindly clarify.
Regards,
Waqas
Hi Waqas,
ReplyDeleteI am defining a new security profile for our peoject. Where employees should not be able to see principlas data. and principals can see the employees data. From the above query when I gave PG.SEGMENT2 =8, I am not able to see supervisors data, and supervisors also not able to view my data.
But my requirement is supevisors can see my data.
so what can be changed in the above query..Please let me know if you are still not clear..
Thanks
Anusha.
When I gave sysdate, its showing error like "0RA-01745 : invalid host or bind variable name".
ReplyDeletewhen I gave pg.segment1=8 I am not able to view principals data, and supervisors also not able to view.
When I gave pg.segment1 in(8,2), I am able to view all the details including principal.
What is difference between 2 stmts.I just added 2.
Please help me what condition I need to use to restrict employees from viewing principals data.
Thanks,
Anusha.
Hi,
DeleteI think you need to pass pg.segment2 dynamically. Get this value using a subquery by passing person id as fnd_profile.value('per_person_id'). It will generate person list at user login time. In custom security tab, select the option 'visible to each other' which has longest text in it. Cant remeber the exact name.
Hi,
ReplyDeleteI have used fn_profile.value)per_person_id to get person id's..but how can I pass pg.segment2 dynamically..
Custom security I setup the below:
ReplyDelete"restrict the people visible to each user using this profile"
Hi Anusha,
DeleteKindly use this query. I hope your problem would be resolved.
ASSIGNMENT.PERSON_ID
IN
(SELECT PAF.PERSON_ID FROM PER_ALL_PEOPLE_F PAF,
PER_ALL_ASSIGNMENTS_F PF,
PAY_PEOPLE_GROUPS PG
WHERE PAF.PERSON_ID=PF.PERSON_ID
AND :EFFECTIVE_DATE BETWEEN PAF.EFFECTIVE_START_DATE
AND PAF.EFFECTIVE_END_DATE
AND PF.PEOPLE_GROUP_ID=PG.PEOPLE_GROUP_ID
AND :EFFECTIVE_DATE BETWEEN PF.EFFECTIVE_START_DATE AND PF.EFFECTIVE_END_DATE
AND PAF.PERSON_TYPE_ID=2
AND PG.SEGMENT2 =
(select pg.segment2 from per_assignments_f paf ,pay_people_groups ppg
where PAF.PEOPLE_GROUP_ID=PG.PEOPLE_GROUP_ID
AND :EFFECTIVE_DATE BETWEEN PF.EFFECTIVE_START_DATE AND PF.EFFECTIVE_END_DATE
and paf.person_id = FND_GLOBAL.EMPLOYEE_ID)
)
HI Waqas,
ReplyDeleteThanks for the above query. But when I use this query, its not showing my details, but I am able to see all the details of others.
Can you please let me know if I need to change anything in the above query.
Thanks,
Anusha.
I am using, custom security as "Restrict the people visible to this profile"
ReplyDeleteViwe employees, contingent workers, applicants,contacts and candidates ads "all"
Organization security :View all organizations
Specify top organization
Position security : View all positions
Specify top position
Payroll security :checked include
Supervisor security :
No super visor security
Miscelleneous security : Exclude user.
These are the setups I am using.
Kindly re-clarify your requirement.
DeleteI need to restrict employees from viewing supervisor details that is who have PG.SEGMENT=4.
ReplyDelete4 will be for principal status and 8,2 will be for employees
I can see my details and the other emploee details, but I cant see supervisor details, (pg.segmnt2=4)and super visor can see oour details..
DeletePls let me know if you are still not clear with my requirement..
Thanks.
Cant see only direct supervisor or the complete hierarchy uptil highest position? I have a solution to exclude direct supervisor. Kindly further clarify.
DeleteNeed to restrict all the supervisors
ReplyDeleteIf you have all the supervisors filled on assignment screen, then you can exclude all the supervisors using query. I will send the query
DeleteThanks
ReplyDeletecan you please send the query, i will try.
ReplyDeleteHi Anusha,
DeleteIf you have your supervisor hierarchy filled in your system, use the following query. It will exclude all the supervisors from user's access. List of employees will be generated at login time dynamically.
Use it in custom tab with "Restrcit people visible to each other using this profile"
PERSON.PERSON_ID NOT IN
(SELECT DISTINCT person_id
FROM per_all_people_f
WHERE person_id IN (
SELECT paf.person_id
FROM per_all_assignments_f paf
START WITH paf.person_id = FND_GLOBAL.EMPLOYEE_ID
AND paf.primary_flag = 'Y'
AND :EFFECTIVE_DATE
BETWEEN paf.effective_start_date
AND paf.effective_end_date
CONNECT BY PRIOR paf.supervisor_id = paf.person_id
AND paf.primary_flag = 'Y'
)
AND PERSON_ID <> FND_GLOBAL.EMPLOYEE_ID
AND :EFFECTIVE_DATE BETWEEN effective_start_date AND effective_end_date)
Let me know if it worked or not.
Regards,
Waqas
Hi Waqas,
ReplyDeleteThanks a lot for your query.I tried the above query but still not working. It will restrict me from viewing the others details for the first time. But ehn I close the window and click on torch btuoon and search, I am able to see all the details.And I am not sure about the supervisor hierarchy in my system, how can I check that.
Thanks,
Anusha.
Hi Waqaa,
ReplyDeleteCan you please let me know if there is any other solution for this.
Thanks,
Anusha.
Hi Anusha,
DeleteSupervisor hierarchy means supervisor selected on assignment screen. This hierarchy goes up to the highest position. The query which i provided will exclude all the employees who the user is reporting to, and so on.
hmm, yeah there is supervisor hierarchy in my system, But but not sure why its not working..:(
ReplyDeleteHI Waqas,
ReplyDeleteThe security profile is working now..I have given:
Restrict the people visible to each user
View employees : Restricted
View workers : Restricted
View contacts: Restricted
and the query as
ASSIGNMENT.PERSON_ID IN (SELECT PERSON_ID FROM PER_ALL_ASSIGNMENTS_F PAAF, PAY_PEOPLE_GROUPS PPG
WHERE PAAF.PEOPLE_GROUP_ID = PPG.PEOPLE_GROUP_ID
and PPG.SEGMENT2 <>'4'
AND SYSDATE BETWEEN PAAF.EFFECTIVE_START_DATE AND PAAF.EFFECTIVE_END_DATE
AND PAAF.ASSIGNMENT_TYPE <> 'B'
AND SYSDATE BETWEEN PPG.START_DATE_ACTIVE AND NVL(PPG.END_DATE_ACTIVE, SYSDATE +1))
but we need to bounce the system every time we do a change.
Thanks for all your help.
Thanks
Anusha.
hello,
ReplyDeleteI have tried setting up my security profile but it does work after I have done all that is require. below is the custom security code I wrote to limit employees per location.
assignment.location_ID=(select location_ID from HR_Locations_All
where location_code='Tamale')
This comment has been removed by the author.
ReplyDeleteHello thanks for the tutorial on security is quite enlighten. I have a requirement which I need clarification on how to setup the security profile. In the organization I work to be precise a public sector, there is requirement that mandated specific agency to have access to particular employee payroll information such as grade level. One of this agency will only have access to employees with grade level 1-6 and the other can only have access to grade level 7 -17. How do I setup the security to enable this
ReplyDelete