For more information, see: Security Profiles for Supervisor Security, page 144.

Select either the person-based or assignment-based option and enter the

number of levels of access you want to allow the supervisor to see in the
Maximum Hierarchy Levels box (or leave the field blank to allow access to all
levels). Note: When you set up security based on supervisor hierarchies, you
can choose to generate the list of employees visible to a user at the start of
the session (user-based security). For supervisors with a large number of
subordinates (for example, at higher management levels) leaving the
Maximum Hierarchy Levels box blank may result in a delay in generating the
list. You can improve performance by limiting the number of hierarchy levels
a supervisor can access or by using the Static List functionality. For more
information, see: Static Lists, page 1-35. Alternatively, for the highest levels
of management, consider setting up security using organization hierarchies.
12. If you are using person-based supervisor security, you can choose
whether to display multiple assignments in the supervisor hierarchy. By
default, the Primary Assignments Only option is not selected, which gives
users access to people who report to them in any assignment. If you only
want to give users access to people who report to them in their primary
assignment, select this option.
Miscellaneous Restrictions 13. The list of people whose records are accessible
using a security profile can change with the user name of the person who
logs in (if you are using user-based security). If you want the application to
evaluate permissions based on a specific person (and not vary depending on
the user name of the person who logs in) enter a name in the Named User
field. For example, to set up supervisor-based security for reporting users who
do not have any association with employees, enter the name of a person at
the required supervisory level. To prevent users from seeing their own
records, check the Exclude User check box (if you have entered a name in the
Named User box, users will be prevented from seeing the records of the
named user rather than their own records). Note: This functionality is not
supported in Self-Service Human Resources (SSHR).
Restricting Access by Custom Security 14. In the Custom Security tabbed
region, select the custom restriction option. The
1-54 Oracle Human Resources Management Systems Configuring,
Reporting, and System Administration Guide
options are as follows: No custom security
Restrict the people visible to this profile The Security List Maintenance
process is the basis for this type of custom security. The security data is held
in a static list.

 Restrict the people visible to each user using this profile Oracle HRMS
assesses the custom security when the user signs on. In addition, the custom
security code can include references to user specific variables, for example,
fnd_profile.value() and fnd_global.employee_id.
15. Enter a valid SQL WHERE clause fragment to select a group of records.
For example, to add a restriction that assignments must be based in either
London or Paris, add the following SQL fragment: ASSIGNMENT.location_id in
(select LOC.location_id
from hr_locations_all LOC
where
LOC.location_code
in ('London','Paris')) Alternatively, you could create
custom code to use user-specific variables. The following example illustrates
the use of user-specific variables: In this example, the custom code creates a
rule whereby a user can display employees or contingent workers whose last
name begins with the same letter as their own. The security profile is called
"Same first letter of last name". substr(person.last_name,1,1) = (select
substr(i.last_name,1,1) from per_all_people_f i where i.person_id =
fnd_global.employee_id and trunc(sysdate) between i.effective_start_date
and i.effective_end_date) Note: In addition, the View Employees or View
Contingent Workers option is set to Restricted, and the "Restrict the people
visible to each using this profile" option is set on the Custom Security tab.
If the clause is valid, it is automatically incorporated in an SQL select
statement that the system generates to restrict access to records, based on
the restrictions you have set up in the other tabbed regions. The list of
employees, contingent workers, and applicants specified by these other
restrictions is therefore further restricted by the custom restriction. The
clause fits into the system-generated statement in the following way (this
statement is not visible on screen):
Security Rules

1-55

select 1 from per_all_assignments_f ASSIGNMENT, per_all_people_f PERSON,

per_person_type_usages_f PERSON_TYPE where
ASSIGNMENT.assignment_id=:asg_id and:effective_date betweeen
ASSIGNMENT.effective_start_date and ASSIGNMENT.effective_end_date and
PERSON.person_id=ASSIGNMENT.person_id and :effective_date between
PERSON.effective_start_date and PERSON.effective_end_date and
PERSON.person_id=PERSON_TYPE.person.id and :effective_date between
PERSON_TYPE.effective_start_date and PERSON_TYPE.effective_end_date
and {your custom where clause fragment goes here} Important: Custom
restrictions directly restrict employees, contingent workers, and applicants
only; you cannot create custom restrictions on people with a system person
type of Other. However, if you add custom restrictions on employees,
contingent workers, or applicants, related people with a system person type
of Other are restricted according to the setting of the "View Contacts" option.

16. Choose the Verify button to check that the clause you have entered is
valid. If it is invalid, an error message appears explaining the reasons.
Using Static Lists 17. Static lists enable you to assess security periodically
and store the data. You add users to the static list and their security
permissions are evaluated when the Security List Maintenance process is run.
Oracle HRMS stores the permissions for quick retrieval when the user logs on
and freezes the permissions until you run the Security List Maintenance
process again. To specify which users to include in a static list, enter the user
ID in the field.
18. To include a specific user or group of users in the next Security List
Maintenance run, select the Process in Next Run option for those users.
19. Save your work.
What's Next
When you have modified or created new security profiles, it may be
necessary to run security processes to activate your changes. See: Security
Processes, page 1-17 See: Running the Security List Maintenance Process,
page 1-58
1-56 Oracle Human Resources Management Systems Configuring,
Reporting, and System Administration Guide
Assigning Security Profiles Use the Assign Security Profile window to link user
names, and security profiles to responsibilities. Only use this window if you
are using Security Groups Enabled security (formerly called Cross Business
Group Responsibility security). Important: When using Security Groups
Enabled security even if you have linked a user to a responsibility using the
User window, you must still link your user to responsibility and security profile
using the HRMS Assign Security Profile window. If you do not use the Assign
Security Profile window, HRMS uses the default view-all security profile for the
Business Group and the user will see all records for the Business Group.
The Assign Security Profile window is an essential part of setting up and
maintaining HRMS security for Security Groups Enabled security. You must
use this window to update your security profile assignment. Any changes
entered for the security profile assignment are also shown on the User
window. However, if you end date a user's responsibility using the User
window, this is not shown on the Assign Security Profile window. When you
navigate to the Assign Security Profile window, the Find Security Profile
Assignments window displays automatically. Select New to create a new
assignment. For information about querying existing security profile
assignments, see Using the Find Security Profile Assignment window, page 1-

57.
To assign a new security profile: 1. Enter the user name you want to link to a
responsibility.
2. Enter the application and responsibility you want to link to the user.
3. To assign a local security profile, select a business group to assign to the
user's responsibility. The local security profile for the business group is
automatically entered when you click in the Security Profile field.
4. To assign a global security profile, first select the security profile to assign
to the user's responsibility, thenselect a business group. Note: If you enter a
value in the Business Group field first, the list of security profiles is filtered
and does not display security profiles for any other business groups.
You can link more than one security profile to a responsibility as long as the
user is different.
Security Rules

1-57

5. Enter the time period of security profile assignment. You must enter a start
date. Optionally, enter an end date if you want the security profile
assignment to end on a particular date.
6. Save the security profile assignment.
To end a security profile assignment: You cannot delete security profile
assignments. If a user no longer needs an assignment you must enter an end
date. 1. Query the security profile assignment you want to end.
2. Enter an end date. The user cannot use this responsibility, Business Group
and security profile from this date.
Using the Find Security Profile Assignment window This window enables you
to search for security profile assignments that have already been set up. You
only use security profile assignments if you are setting up Security Groups
Enabled security. If you want to set up a new security profile assignment
select the New button. For more information on setting up new security
profile assignments, see Assigning Security Profiles, page 1-56. Note: When
you navigate to the Assign Security Profiles window, the Find Security Profile
Assignment window automatically displays.
To query a security profile assignment: 1. Enter a full or partial query on one,
a selection or several of the following: User name
Application

 Responsibility
Business group
Security profile
Note: If you enter a value in either the Business Group or the Security Profile
field, any value entered in the other field is blanked