Security Profiles in Oracle HRMS Payroll

Prerequisites

If you want to associate a reporting user with the new security profile, the ORACLE database administrator must create a new reporting user ORACLE ID. The system administrator must register the new ORACLE IDs with the Application Object Library.

Usage

Security profiles restrict the information that a user can see. Oracle provides several options to meet your requirements.


1) Organization Security

You can limit the information displayed by organization. For instance, you may want user A to see only the employees of the "Production" department.

2) Position Security

You can limit information by using a position hierarchy or by specifying the top position. The default is "View all positions".

3) Payroll Security

The default is "View all Payrolls", but you can restrict the information by selecting a payroll from the list of values (LOV).

4) Supervisor Security

Information can be limited by using the supervisor information on the employee assignment.

5) Miscellaneous Security

An Oracle user can be selected, or can be excluded with the Exclude User check box.

6) Custom Security

If a scenario cannot be fulfilled by standard functionality, you can also write custom code to limit the information.

Let's explain the above using an example.

Example

1) Organization Security

In the example, you want to limit information to only "01-Hierarchy".

Screenshot 1



So let's create a security profile.

Navigation: Global HRMS Manager --> Security --> Profile



Security Profile Navigation



  • Name: Give the profile a proper name.
  • Security Type: Secure organization by organization hierarchy and/or by organization list.
  • Specify Top Organization: Select 01-TOP, as highlighted in Screenshot 1.
  • Include Top Organization: Check this if you want to include the top organization in the information.
  • Exclude Business Group: Check this if you want to exclude the business group from the information.
  • Classification: You can specifically include or exclude any classification from the list of values according to your requirement.

2) Position Security
3) Payroll Security
4) Supervisor Security
5) Custom Security
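
The following is an added example, not code from the original post: it loads constructed rows into an in-memory SQLite database (a stand-in for the Oracle tables named in the comments below) to check what a people-group restriction such as `SEGMENT2 <> '4'` actually exposes before it is relied on. The simplified columns, the sample data and the as-of date are assumptions.

```python
import sqlite3

# Constructed rows. Table and column names follow the queries in the comments;
# the data, the simplified columns and the as-of date are assumptions.
SCHEMA = """
CREATE TABLE pay_people_groups (people_group_id INTEGER, segment2 TEXT);
CREATE TABLE per_all_assignments_f (
    person_id INTEGER, people_group_id INTEGER, assignment_type TEXT,
    effective_start_date TEXT, effective_end_date TEXT);
INSERT INTO pay_people_groups VALUES (10,'4'), (20,'8'), (30,'2'), (40,NULL);
INSERT INTO per_all_assignments_f VALUES
  (1, 10, 'E', '2010-01-01', '4712-12-31'),  -- principal (segment2 = 4)
  (2, 20, 'E', '2012-01-01', '4712-12-31'),  -- employee
  (3, 30, 'E', '2012-01-01', '4712-12-31'),  -- employee
  (4, 40, 'E', '2012-01-01', '4712-12-31'),  -- people group without segment2
  (5, 20, 'E', '2011-01-01', '2013-06-30'),  -- ended row: was an employee
  (5, 10, 'E', '2013-07-01', '4712-12-31'),  -- current row: now a principal
  (6, 20, 'B', '2012-01-01', '4712-12-31');  -- assignment type 'B', filtered out
"""
RESTRICTION = """
SELECT DISTINCT paaf.person_id
FROM per_all_assignments_f paaf
JOIN pay_people_groups ppg ON paaf.people_group_id = ppg.people_group_id
WHERE {segment_test} AND paaf.assignment_type <> 'B' {date_test}
"""
DATE_TEST = "AND :as_of BETWEEN paaf.effective_start_date AND paaf.effective_end_date"

def visible_people(segment_test, as_of=None):
    """Person IDs the restriction exposes; as_of=None drops the date check."""
    # segment_test is a fixed string from this script, never user input.
    sql = RESTRICTION.format(segment_test=segment_test,
                             date_test=DATE_TEST if as_of else "")
    db = sqlite3.connect(":memory:")
    try:
        db.executescript(SCHEMA)
        rows = db.execute(sql, {"as_of": as_of} if as_of else {}).fetchall()
    finally:
        db.close()
    return {person_id for (person_id,) in rows}

if __name__ == "__main__":
    today = "2024-01-01"
    # Dated check: principals 1 and 5 hidden, but so is person 4 (NULL <> '4').
    print(visible_people("ppg.segment2 <> '4'", today))
    # No date check: person 5's ended employee row exposes a current principal.
    print(visible_people("ppg.segment2 <> '4'"))
    # NULL-aware test keeps person 4 visible while still hiding principals.
    print(visible_people("(ppg.segment2 IS NULL OR ppg.segment2 <> '4')", today))
```

The same three checks can be run as plain queries against a test instance after the profile is saved, comparing the returned person list with the list of people the profile is meant to hide.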


After creating the profile and assigning it to the user, you need to run the "Security List Maintenance" concurrent program for the changes to take effect. See:

How to assign Security profile to a user

How to run Security List Maintenance Concurrent Program

Your feedback is very important. Leave a comment for any query.






28 comments:

  1. Hi,

    Can you please tell me how to write custom code to restrict employees from viewing supervisor details.

    thanks

  2. I have written a code like below:
    ASSIGNMENT.PERSON_ID
    IN
    (SELECT PAF.PERSON_ID FROM PER_ALL_PEOPLE_F PAF,
    PER_ALL_ASSIGNMENTS_F PF,
    PAY_PEOPLE_GROUPS PG
    WHERE PAF.PERSON_ID=PF.PERSON_ID
    AND :EFFECTIVE_DATE BETWEEN PAF.EFFECTIVE_START_DATE
    AND PAF.EFFECTIVE_END_DATE
    AND PF.PEOPLE_GROUP_ID=PG.PEOPLE_GROUP_ID
    AND :EFFECTIVE_DATE BETWEEN PF.EFFECTIVE_START_DATE AND PF.EFFECTIVE_END_DATE
    AND PAF.PERSON_TYPE_ID=2
    AND PG.SEGMENT2 <>4)
    But it's not working. I am able to see all the details.

    Replies
    1. Hi Anusha,
      First thing is not to use :effective_date, use sysdate instead.
      Your requirement is not clear to me. As per my understanding, each employee has a separate username and has access to employees' data. Any employee should not be able to find his supervisor in the People --> Enter and Maintain search screen. Kindly clarify.

      Regards,
      Waqas

  3. Hi Waqas,
    I am defining a new security profile for our project, where employees should not be able to see principals' data, and principals can see the employees' data. From the above query, when I gave PG.SEGMENT2 =8, I am not able to see supervisors' data, and supervisors are also not able to view my data.
    But my requirement is that supervisors can see my data.

    So what can be changed in the above query? Please let me know if you are still not clear.
    Thanks
    Anusha.

  4. When I gave sysdate, it's showing an error like "ORA-01745: invalid host or bind variable name".

    When I gave pg.segment1=8, I am not able to view principals' data, and supervisors are also not able to view.
    When I gave pg.segment1 in(8,2), I am able to view all the details including principal.
    What is the difference between the 2 statements? I just added 2.
    Please help me with what condition I need to use to restrict employees from viewing principals' data.
    Thanks,
    Anusha.

    Replies
    1. Hi,
      I think you need to pass pg.segment2 dynamically. Get this value using a subquery by passing person id as fnd_profile.value('per_person_id'). It will generate the person list at user login time. In the custom security tab, select the option 'visible to each other' which has the longest text in it. Can't remember the exact name.

  5. Hi,
    I have used fnd_profile.value('per_person_id') to get person IDs, but how can I pass pg.segment2 dynamically?

  6. In custom security I set up the below:
    "restrict the people visible to each user using this profile"

    Replies
    1. Hi Anusha,

      Kindly use this query. I hope your problem would be resolved.

      ASSIGNMENT.PERSON_ID
      IN
      (SELECT PAF.PERSON_ID FROM PER_ALL_PEOPLE_F PAF,
      PER_ALL_ASSIGNMENTS_F PF,
      PAY_PEOPLE_GROUPS PG
      WHERE PAF.PERSON_ID=PF.PERSON_ID
      AND :EFFECTIVE_DATE BETWEEN PAF.EFFECTIVE_START_DATE
      AND PAF.EFFECTIVE_END_DATE
      AND PF.PEOPLE_GROUP_ID=PG.PEOPLE_GROUP_ID
      AND :EFFECTIVE_DATE BETWEEN PF.EFFECTIVE_START_DATE AND PF.EFFECTIVE_END_DATE
      AND PAF.PERSON_TYPE_ID=2
      AND PG.SEGMENT2 =
      (select pg.segment2 from per_assignments_f paf ,pay_people_groups ppg
      where PAF.PEOPLE_GROUP_ID=PG.PEOPLE_GROUP_ID
      AND :EFFECTIVE_DATE BETWEEN PF.EFFECTIVE_START_DATE AND PF.EFFECTIVE_END_DATE
      and paf.person_id = FND_GLOBAL.EMPLOYEE_ID)
      )

  7. Hi Waqas,

    Thanks for the above query. But when I use this query, it's not showing my details, but I am able to see all the details of others.
    Can you please let me know if I need to change anything in the above query.

    Thanks,
    Anusha.

  8. I am using custom security as "Restrict the people visible to this profile"
    View employees, contingent workers, applicants, contacts and candidates as "all"

    Organization security :View all organizations
    Specify top organization
    Position security : View all positions
    Specify top position
    Payroll security :checked include
    Supervisor security :
    No supervisor security
    Miscellaneous security : Exclude user.

    These are the setups I am using.

  9. I need to restrict employees from viewing supervisor details, that is, those who have PG.SEGMENT=4.
    4 will be for principal status and 8,2 will be for employees

    Replies
    1. I can see my details and the other employee details, but I can't see supervisor details (pg.segment2=4), and the supervisor can see our details.
      Please let me know if you are still not clear with my requirement.
      Thanks.

    2. Can't see only the direct supervisor, or the complete hierarchy up to the highest position? I have a solution to exclude the direct supervisor. Kindly further clarify.

  10. Need to restrict all the supervisors

    Replies
    1. If you have all the supervisors filled on assignment screen, then you can exclude all the supervisors using query. I will send the query

  11. Can you please send the query? I will try.

    Replies
    1. Hi Anusha,

      If you have your supervisor hierarchy filled in your system, use the following query. It will exclude all the supervisors from user's access. List of employees will be generated at login time dynamically.

      Use it in the custom tab with "Restrict people visible to each other using this profile"

      PERSON.PERSON_ID NOT IN
      (SELECT DISTINCT person_id
      FROM per_all_people_f
      WHERE person_id IN (
      SELECT paf.person_id
      FROM per_all_assignments_f paf
      START WITH paf.person_id = FND_GLOBAL.EMPLOYEE_ID
      AND paf.primary_flag = 'Y'
      AND :EFFECTIVE_DATE
      BETWEEN paf.effective_start_date
      AND paf.effective_end_date
      CONNECT BY PRIOR paf.supervisor_id = paf.person_id
      AND paf.primary_flag = 'Y'
      )
      AND PERSON_ID <> FND_GLOBAL.EMPLOYEE_ID
      AND :EFFECTIVE_DATE BETWEEN effective_start_date AND effective_end_date)

      Let me know if it worked or not.

      Regards,
      Waqas

  12. Hi Waqas,

    Thanks a lot for your query. I tried the above query but it is still not working. It will restrict me from viewing the others' details for the first time. But when I close the window and click on the torch button and search, I am able to see all the details. And I am not sure about the supervisor hierarchy in my system; how can I check that?

    Thanks,
    Anusha.

  13. Hi Waqas,

    Can you please let me know if there is any other solution for this.

    Thanks,
    Anusha.

    Replies
    1. Hi Anusha,

      Supervisor hierarchy means the supervisor selected on the assignment screen. This hierarchy goes up to the highest position. The query which I provided will exclude all the employees who the user is reporting to, and so on.

  14. Hmm, yeah, there is a supervisor hierarchy in my system, but not sure why it's not working. :(

  15. Hi Waqas,

    The security profile is working now. I have given:
    Restrict the people visible to each user
    View employees : Restricted
    View workers : Restricted
    View contacts: Restricted
    and the query as

    ASSIGNMENT.PERSON_ID IN (SELECT PERSON_ID FROM PER_ALL_ASSIGNMENTS_F PAAF, PAY_PEOPLE_GROUPS PPG
    WHERE PAAF.PEOPLE_GROUP_ID = PPG.PEOPLE_GROUP_ID
    and PPG.SEGMENT2 <>'4'
    AND SYSDATE BETWEEN PAAF.EFFECTIVE_START_DATE AND PAAF.EFFECTIVE_END_DATE
    AND PAAF.ASSIGNMENT_TYPE <> 'B'
    AND SYSDATE BETWEEN PPG.START_DATE_ACTIVE AND NVL(PPG.END_DATE_ACTIVE, SYSDATE +1))
    but we need to bounce the system every time we do a change.

    Thanks for all your help.

    Thanks
    Anusha.

  16. Hello,
    I have tried setting up my security profile but it does work after I have done all that is required. Below is the custom security code I wrote to limit employees per location.

    assignment.location_ID=(select location_ID from HR_Locations_All
    where location_code='Tamale')

  17. This comment has been removed by the author.

  18. Hello, thanks for the tutorial on security, it is quite enlightening. I have a requirement on which I need clarification about how to set up the security profile. In the organization I work for, to be precise in the public sector, there is a requirement that mandates specific agencies to have access to particular employee payroll information such as grade level. One of these agencies will only have access to employees with grade level 1-6 and the other can only have access to grade level 7-17. How do I set up the security to enable this?
