
1/14/2017 Document394083.

Understanding and Using HRMS Security in Oracle HRMS (Doc ID 394083.1)

Understanding and Using HRMS Security in Oracle HRMS

Product: Oracle Human Resources    Minimum Version: 11.5.10.2

An Oracle White Paper

Abstract
Understanding and Using HRMS Security in Oracle HRMS

Document History

Author: Steve Cooper
Create Date: 04-OCT-2006

Other Information:

Table of Contents

1. Overview / Key Components
   a) Introduction
   b) Security Profile
   c) Security List Maintenance
   d) Security Models
   e) Reporting Users
   f) Financials and Manufacturing
2. The Security Profile
   a) Organization Security
   b) Position Security
   c) Payroll Security
   d) Supervisor Security
   e) Miscellaneous Security
   f) Custom Security
   g) Static Lists / User Based Security
   h) Assignment Level Security
   i) Global Security Profiles
3. Technical Evaluation
   a) Static Lists
   b) Secure Views
4. Troubleshooting Problems
   a) Check Setup
   b) HRMS Security and Datetrack
   c) User Based or Dynamic Security gives access to Active Assignments only
   d) Performance Issues
   e) Generate Secure User errors
   f) Security List Maintenance errors

1. Overview

https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrlstate=qorgu1y9x_117&id=394083.1 1/13

The purpose of this paper is to introduce and describe the key components of HRMS Security, to provide a
technical analysis to enable a better understanding of the processes involved, and to give pointers as to why
HRMS Security might not be working as desired. For a more detailed examination of how to set up Security
Rules for your enterprise, please refer to the manual Oracle HRMS Configuring, Reporting and System
Administration Guide.

a) Introduction

Users of Oracle HRMS access the system via a responsibility that is linked to a security group and a security
profile. In the Standard HRMS Security model, when a business group is created a View All security profile is
created, and a security group of 0 (Standard) is automatically assigned. When security groups are enabled, a
new security group gets created for each business group, and the association of a security group to a security
profile is determined by the business group.

Example queries using the Standard Security Group

select security_group_id,
       security_group_name
from   fnd_security_groups_vl
where  security_group_id = 0;

select name,
       business_group_id
from   per_business_groups
where  security_group_id = 0;

HR users accessing the system via forms can only view data from one business group at a time, so before any
security rules have been set up, HR data is already being restricted by business group. However, the
"HR:Cross Business Group" profile option does allow certain fields to be used across business groups when
set. For example, Supervisor.

Managers accessing the system using Self-Service HR can, if required, see direct reports across business groups
(see Global Security Profiles).

HRMS Security allows you to further restrict access to data based on criteria you define in a security profile.

b) Security Profile

The Security profile is the means by which you determine what users of the system have access to what data.
It determines which type of person's records are available. For instance, Applicants, Employees, Contingent
Workers or Contacts.

You then determine which work structures or other criteria you want to use to restrict access. For example, a
particular HR Administrator may only be given access to employees in organizations within a specific region,
and only a senior Payroll clerk would be allowed access to employees in the Director's payroll.

The criteria you can use to identify these records are

Internal Organizations and Organization Hierarchies
Positions and Position Hierarchies
Payrolls
Supervisors and Supervisor Hierarchies
Custom restrictions
Assignments


The security profile will be discussed in more detail in the next section.

c) Security List Maintenance

Oracle HRMS enforces its security rules by using secure views which call a security function (see Technical
Evaluation) that works out access based on whether the security profile is dynamic or uses static lists. The
static lists of people, organizations, payrolls, and positions are indexed against each security profile. They are
maintained by a concurrent process called Security List Maintenance which is usually run overnight to ensure
that any changes during the day that would affect the availability of a person's record, i.e. organization, are
reflected in all secure responsibilities the following day.

Please note that if the security profile is dynamic and not static, Security List Maintenance need not be run.
Dynamic or user-based profiles are Supervisor, user-based Organization and Position security, custom security
using the 'Restrict the people visible to each user using this profile' option, or Assignment Level Security.

d) Security Models

There are two Security Models: Standard HRMS Security and Security Groups.

In essence this just amounts to how the security profile that you have defined is made available to the end
user who will be using it.

Standard HRMS security is the traditional method. You define a security profile, and you define a responsibility
for use by application users. The two are linked by assigning the profile option, HR:Security Profile with the
value of the relevant security profile, to the responsibility. It's a one-to-one relationship. To have access to
other security profiles, you would need to create a new responsibility.

Security Groups on the other hand offer a means whereby you can reuse a responsibility and assign it to
different security profiles in different business groups if required. You no longer use the HR:Security Profile
profile option, as access to the security profile is granted by the form, Assign Security Profile. When you log on
to the system you will see the same responsibility name but paired against different security groups (security
profile and business group).

To enable security groups you set the profile option Enable Security Groups to Yes, and run the concurrent
process Enable Multiple Security Groups. This will create a pair of records for each existing responsibility: one
associated with the Standard security group which is the Setup Business Group by default, and one with the
defined business group. It is recommended to end date the responsibility associated with the Standard
business group to cut down on the list of responsibilities available to the user. However, it should be
understood that those users using the Security Groups model who wish to update Global Lookup codes must
do it using the Standard security group.

An important consideration also is that once Security Groups have been enabled, you cannot return to the
Standard HRMS Security model.

The profile option Enable Security Groups should be set at Application level as Non-HRMS applications do not
support multiple security groups. Shared HR always uses Standard Security.

The type of enterprises that would benefit from security groups would be multinationals, and service centres
using multiple business groups and security profiles.

e) Reporting Users

The Reporting user is an often misunderstood aspect of HRMS Security. The purpose is to allow read-only
access to the HR database by reporting tools like sqlplus and discoverer, but still using the secure views. To do
this it is necessary to create an alternative oracle id to APPS which is what the standard Oracle Applications
E-Business Suite uses. You then need to create the security profile and associate the new reporting oracle user
to it. Once that has been done you run the Generate Secure User process which grants the
HR_REPORTING_USER role to the REPORTING_ORACLE_USERNAME specified in the security profile. The
HR_REPORTING_USER role already has select or read-only permissions to all the HR objects.

f) Financials and Manufacturing

Certain Financial and Manufacturing business views are restricted by Operating Unit. They make use of the
function HR_SECURITY.SHOW_BIS_RECORD, and in order to secure by operating unit, users are required to

a) Create a security profile with the security types

   Secure Organizations by Single Operating Unit or
   Secure Organizations by Operating Unit and inventory organizations.

b) Set profile option MO:Security Profile

Security List Maintenance need not be run for profiles created using these two security types as they are
dynamic. Security List Maintenance will not include them in the LOV as the ORG_SECURITY_MODE is OU and
OU_INV respectively and excluded.

In Procurement Intelligence, a security profile should be set up using an Organization Hierarchy of Operating
Units and, being static based, requires Security List Maintenance to be run.

See the Oracle E-Business Suite Multiple Organizations Implementation Guide for information about setting
up security profiles in Financials and Manufacturing.

See also Note 316829.1.

In Oracle Assets, users can set up Security by Book by having an organization hierarchy of Asset
Organizations, defining a security profile with an entry point into the hierarchy, running Security List
Maintenance, and setting the FA:Security Profile on the responsibility with restricted access.

2. The Security Profile

The determining factors of what data is allowed to be accessed by a User/Responsibility are defined in the
Security profile.

You decide what person types are available to the profile, whether individual assignments are restricted, and
what work structures or other criteria to use to evaluate accessibility.

Person Types

On the Security Profile, you decide on each of the following person types whether to View All of them, to View
None of them, or to have them Restricted according to the criteria laid out in the profile:

Employees
Contingent Workers
Applicants
Contacts
Candidates

Exceptions are that the 'None' option is not available for Contacts, and 'Restricted' is not available for Candidates.

You can use any of the following criteria to restrict accessibility to data, or a combination of each.

a) Organization Security


You can either use an Organization Hierarchy to determine access, or you can specify a list of organizations to
which the user has access.

For the List method, simply select the Security type, 'Secure Organizations by organization hierarchy and/or
organization list' option. Then select each of the Organizations in the Organization Name field you want the
profile to have access to. The include checkbox is automatically checked.

For the Hierarchy method, you select the Security type, 'Secure Organizations by organization hierarchy and/or
organization list' as before. Then you choose your Organization Hierarchy. The next step is to determine at
which entry point into the hierarchy access starts. This can either be by specifying the Top Organization, or
allowing the top organization to be decided by the assignment of the user who is accessing the profile. You can
also include organizations not in the hierarchy in the Organization Name field, or exclude organizations in the
hierarchy. The business group can also be excluded, as can the top organization if required.

b) Position Security

Position security uses a Position Hierarchy, and the entry point to determine where access starts can be based
on the specified Top Position, or it can be taken from the assignment of the user who is accessing the profile.
Top Position can be excluded if required.

c) Payroll Security

If restriction by payroll is required, the main thing to consider is the efficiency of the definition. For instance, if
access to most payrolls is required, uncheck View All Payrolls and uncheck the Include checkbox, then specify
payrolls to be excluded.

To give access to a small number, uncheck View All Payrolls and check the Include checkbox, then specify
payrolls to be included.

d) Supervisor Security

This type of security profile is based on a Supervisor Hierarchy which by default is built up dynamically when
the user logs on.

It can be Person based in that the user/manager has access to ALL the assignments of a person who reports
to him, and those that report to his subordinate. The Primary Assignments Only checkbox is unchecked by
default.

It can also be Assignment based, which would be used in conjunction with Assignment Level Security (see
below). In this case the user/manager can only access the specific assignment that reports to him and the
direct report of this assignment.

Supervisor security can cause an overhead when logging on to the system. Options for improving performance
would be to restrict the number of Hierarchy Levels to go down or using a Static List which would create the
supervisor hierarchy when Security List Maintenance is run (see Static Lists).

Remember that the user/manager is identified as an employee in the Define User form in the System
Administrator.

iRecruitment uses supervisor hierarchies to control recruiter and manager access to vacancy information. You
can set up a supervisor-based profile which restricts managers and recruiters to viewing only those vacancies
that are managed by people reporting into them.

e) Miscellaneous Security


Accessibility to records depends on the User Name used to log in, if this is a user-based security profile. In
other words, if this is a Supervisor Security profile, or if the entry point into the hierarchy of an Organization
or Position based profile is determined by the assignment of the user logging in.

However, this can be bypassed, and the profile can always use the same user, no matter who logs in, by
specifying the name of the user on the Miscellaneous tab.

Use the Exclude User checkbox to deny access to the user's own records, or the records of the Named User if
specified. Option not available in SSHR.

f) Custom Security

Users can write their own code to restrict access in the Custom Security tab. You can choose to 'Restrict the
People visible to the profile' which uses Security List Maintenance to store the data in a static list, or 'Restrict
the people visible to each user using this profile' which is user-based security and evaluates access when the
user signs on.

The user writes a 'where' clause fragment which is verified, and incorporated into the following select
statement to work out accessibility:

select 1
from   per_all_assignments_f    ASSIGNMENT,
       per_all_people_f         PERSON,
       per_person_type_usages_f PERSON_TYPE
where  ASSIGNMENT.assignment_id = :asg_id
and    :effective_date between ASSIGNMENT.effective_start_date
                           and ASSIGNMENT.effective_end_date
and    PERSON.person_id = ASSIGNMENT.person_id
and    :effective_date between PERSON.effective_start_date
                           and PERSON.effective_end_date
and    PERSON.person_id = PERSON_TYPE.person_id
and    :effective_date between PERSON_TYPE.effective_start_date
                           and PERSON_TYPE.effective_end_date
and    (CUSTOM CODE GOES HERE)

A typical piece of custom code might look like this

ASSIGNMENT.location_id in (select LOC.location_id
                           from   hr_locations_all LOC
                           where  LOC.location_code
                                  in ('London','Paris'))

However, be sure to force character strings to uppercase as custom restricted text is not case sensitive currently.

The above custom code should therefore be rewritten as

ASSIGNMENT.location_id in (select LOC.location_id
                           from   hr_locations_all LOC
                           where  UPPER(LOC.location_code) IN (UPPER('London'), UPPER('Paris')))

Please note also that there is an issue using the PERSON_TYPE alias in the custom code which results in the
following error

APP-PER-289835: An SQL error was found in your custom restriction.
The error is `ORA-904: `PERSON_TYPE.PERSON_TYPE_ID: Invalid identifier. Correct the error before continuing

For more information see bug 9622337


g) Static Lists / User Based Security

Security Profiles which determine availability based on the user, such as Supervisor Security, user-based
Organization and Position security or custom security using the 'Restrict the people visible to each user using
this profile' option, are evaluated at the point of logging in, which as mentioned previously can lead to
performance overheads on some systems. Using Static lists in conjunction with these profiles can eliminate
that overhead. You can specify the relevant users on the Static List tab, and the permissions will be stored
when the Security List Maintenance program is run, not when logging on.

Prior to R12 there is a limitation to user-based security, in that it doesn't allow access to ex-employees with a
Final Process Date. From R12.1 there is a profile option called HR:Ex-Employee Security Profile. Set the
Profile to Yes to include Ex-Employees, Ex-Applicants, and Ex-Contingent Workers, or No to retain original
functionality. Doesn't apply to Supervisor Security. See Bug 5612905 (NOT available as a one-off)

h) Assignment Level Security

Traditionally, accessibility to data in Oracle HRMS through security profiles was person based. So if a person
had multiple assignments the profile only had to have access to one assignment to allow access to all.

This was not restrictive enough, and from Oracle HRMS Family Pack H a new feature was introduced to allow
restriction based on individual assignment. There is a checkbox called Restrict on Individual Assignment on
the security profile definition.

This invoked Assignment Level Security in SSHR but only in 3 forms in the Professional User Interface (PUI) in
Oracle HRMS Family Pack H, Oracle HRMS Family Pack I, and Oracle HRMS Family Pack J. The forms were

PERWSHRG (Combined Person/Assignment)
PERWSEMA (Fastpath Assignment)
PERWSQHM (People Management)

and had to have a parameter added to their function definition in System Administrator. The parameter was
SECURE_ON_INDIVIDUAL_ASG='YES'.

From Oracle HRMS 11i Family Pack K, this parameter has been removed and the list of PUI forms that support
assignment level security has been extended.

As with User Based security, however, restricting by assignment is worked out dynamically which has the
limitation of not giving access to ex-employees with a Final Process Date. See above.

i) Global Security Profiles

It is possible to set up security profiles whereby employees can be accessed across different business groups.
This may be for a variety of reasons:

1) Non-HRMS users who do not want data to be restricted by Business Group
   when they define Global Security profiles
2) In Self-Service HRMS, where Managers using Supervisor hierarchy have access
   to direct reports across business groups.
3) In R12 Professional HR, People Management can now be used with a Global
   Security profile. If a Global Security Profile is linked to the responsibility
   users can choose the business group on the Find screen to query cross business
   groups. Records can be updated and secondary assignments created, however new
   employees are created in the default business group set by the HR:Business Group
   profile option or in Assign Security Profiles form depending if Standard security
   or security groups are used. All other forms accessed using the responsibility
   use the Global Security profile too, but are limited to using the default
   business group.

It may also be a simple device to consolidate security profiles. A profile could include organizations across
business groups, but when attached to one business group in the Professional User interface, only the
employees in that business group are visible.

If access across business groups is required, a Global Security Profile must be created in Navigate > Security
> Global Security Profile. Payroll and Position security is not available in Global Security profiles. Neither is
Reporting User access. The Global Security Profile is identifiable as having a null business_group_id on the
table PER_SECURITY_PROFILES.

3. Technical Evaluation

Access to data via Oracle HRMS is provided by views. The majority of these views restrict the data available
to a user/responsibility by joining with cached data which holds information about what people can be viewed
by what security profile. The cached data is either loaded from the static lists or dynamically at logon time.

a) Static Lists

The lists are

PER_PERSON_LIST
PER_ASSIGNMENT_LIST (not currently in use)
PER_ORGANIZATION_LIST
PER_POSITION_LIST
PAY_PAYROLL_LIST

These lists are cleared and refreshed by the Security List Maintenance program. As Assignment_level_security
is currently only dynamic, the static list PER_ASSIGNMENT_LIST is not yet used.

b) Secure Views

The Secure Views, for example PER_PEOPLE_F, include a call to the function HR_SECURITY.SHOW_PERSON
which returns TRUE if the person record is visible to this security profile, otherwise FALSE. Other views which
are secure may not directly call this function, but query secure views like PER_PEOPLE_F.

HR_SECURITY.SHOW_PERSON determines whether the security profile is static or dynamic, and evaluates
access accordingly.

As previously mentioned, for Financial and Manufacturing users, many business views such as
PABG_CUSTOMERS and POBG_STD_PURCHASE_ORDERS call the function HR_SECURITY.SHOW_BIS_RECORD
which secures data according to the security profile referenced by MO:Security Profile profile option.

Here is a script that can be used to run queries on HR secure views in sqlplus.

Firstly get the values of the ids in angle brackets by doing Help > Diagnostics > Examine in a form after
logging in using the responsibility for the secure user.

e.g. BLOCK  $PROFILES$
     FIELD  USER_ID
     VALUE

then substitute in the values.

The script counts the records available to this user/responsibility in the secure views and base tables for
person and assignment.

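SET SERVEROUTPUT ON

DECLARE
  l_per_all NUMBER := 0;
  l_per_sec NUMBER := 0;
  l_asg_all NUMBER := 0;
  l_asg_sec NUMBER := 0;

BEGIN

  -- Replace each placeholder in angle brackets with the id read from
  -- Help > Diagnostics > Examine. The placeholder names follow the
  -- positional arguments of fnd_global.apps_initialize.
  fnd_global.apps_initialize(<user_id>, <resp_id>, <resp_appl_id>, <security_group_id>);

  -- Unsecured base tables, restricted to one business group
  SELECT count(*)
  INTO   l_asg_all
  FROM   per_all_assignments_f
  WHERE  business_group_id = <business_group_id>;

  SELECT count(*)
  INTO   l_per_all
  FROM   per_all_people_f
  WHERE  business_group_id = <business_group_id>;

  -- Secure views, filtered by the security profile of the initialized session
  SELECT count(*)
  INTO   l_per_sec
  FROM   per_people_f;

  SELECT count(*)
  INTO   l_asg_sec
  FROM   per_assignments_f;

  dbms_output.put_line('Per all: ' || to_char(l_per_all));
  dbms_output.put_line('Per sec: ' || to_char(l_per_sec));
  dbms_output.put_line('Asg all: ' || to_char(l_asg_all));
  dbms_output.put_line('Asg sec: ' || to_char(l_asg_sec));

END;
/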

4. Troubleshooting Problems

a) Check Setup

Most security problems are usually to do with the fact that the security profile in question is not working as
expected in that it is giving access to the wrong data.

The following checklist can help to identify why this might be.

1. Run Security Diagnostics to verify security setup

Introduced in Family Pack K, and a good place to start your investigation. Using the Oracle Diagnostics
functionality, you can run Security Diagnostics to evaluate and debug your security setup for Oracle HRMS. The
tests check that your security setup is correct for your requirements and identify common issues and problem
areas.

The tests produce the following report types:

o Summary    Summary of all security profiles used in your setup

o Detail     Detailed information on the security profile assigned to a given
             responsibility.

o Usage      Usage information on the security profile assigned to a given
             responsibility, for example, which responsibilities use the
             security profile.

o Access     List of organizations, payrolls, positions, and optionally,
             person assignments, a named user can access using a given
             responsibility.

o Exception  List of security profiles defined in the system whose setup is
             treated as an exception in the HRMS Security model.

See: Metalink Note # 305644.1 (Human Resources (HRMS): Security Profile Setup Diagnostic Test)

2. Is the responsibility accessing the correct security profile?

Establish the security_profile_id of the Security profile in question by running the following in sqlplus:

set linesize 180
select security_profile_id,
       substr(security_profile_name,1,40)
from   per_security_profiles;

then log on to the application using your secure responsibility, and navigate to Enter and Maintain People (PUI
only). Do Help > Diagnostics > Examine and enter the following:

BLOCK  $PROFILES$
FIELD  PER_SECURITY_PROFILE_ID
VALUE

Check whether the id displayed against VALUE is the one that relates to your security profile.

If this is not the case then, if Standard HRMS Security, you have not set the profile option HR:Security Profile at
the correct level or, if Security Groups are enabled, you have not used the Assign Security Profile form to link
the security profile to your user/responsibility.

3. Check that the security profile is set up correctly?

For static list security, the acid test is whether the person to whom access is expected appears on the table
PER_PERSON_LIST.

select person_id
from   per_person_list
where  security_profile_id = &security_profile_id;

If no row, then either the program Security List Maintenance hasn't been run, or the rules for this profile do
not allow access to this person.

If they do appear then the record should be visible.

For Supervisor security, access is determined by the user logging in and which assignments report into him.

Does the user who is logging on have an employee attached?

select employee_id from fnd_user where user_name = '&user';

Please note that the supervisor setup can yield different results depending on the rules, i.e. whether person
based or assignment based and whether the Restrict on individual assignment checkbox is set. See the Oracle
HRMS Configuring, Reporting and System Administration Guide for further explanation.

For user-based Organization and Position security, the entry point into the hierarchies is determined by the
primary assignment of the user logging in.

For custom security, the sql that gives access can be validated by appending the custom sql to the stem code
specified in section 1).
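
The static list check above looks at one profile at a time. The query below is an added example, not part of
the Oracle note: it runs the same PER_PERSON_LIST test for one person against every security profile in a
single pass, using only the tables and columns named in this paper. The status wording and the person_id
substitution variable are assumptions made for this example.

```sql
-- Added example: for one person, report how each security profile's static
-- list treats them. Run in SQL*Plus as a user that can read the base tables.
-- The person id is prompted for once as a SQL*Plus substitution variable.
SELECT psp.security_profile_id,
       SUBSTR(psp.security_profile_name, 1, 40)      AS security_profile_name,
       -- a null business_group_id identifies a Global Security Profile
       NVL(TO_CHAR(psp.business_group_id), 'GLOBAL') AS business_group,
       COUNT(ppl.person_id)                          AS static_list_rows,
       CASE
         WHEN COUNT(ppl.person_id) = 0
           THEN 'NO STATIC LIST ROWS'
         WHEN MAX(CASE WHEN ppl.person_id = &person_id THEN 1 ELSE 0 END) = 1
           THEN 'ON LIST'
         ELSE 'NOT ON LIST'
       END                                           AS person_status
FROM   per_security_profiles psp
       LEFT JOIN per_person_list ppl
              ON ppl.security_profile_id = psp.security_profile_id
GROUP  BY psp.security_profile_id,
          psp.security_profile_name,
          psp.business_group_id
ORDER  BY person_status,
          psp.security_profile_id;
```

Read 'NO STATIC LIST ROWS' as a dynamic or View All profile, or one for which Security List Maintenance has
not been run, and 'NOT ON LIST' as either excluded by the profile rules or covered by a person type set to All,
which is granted without a row on the list.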


4. Check the data

In particular check the assignment data of an identified person to see if the criteria used for determining the
security rule is valid for this person.

5. Check patch level

The latest HRMS Security RUP is 4643909 which requires Family Pack F or above.

b) HRMS Security and Datetrack

Access to people's records via HRMS Security is established

a) For Static lists, by the defined criteria on the effective
   date on which Security List Maintenance is run.
b) For user-based security, by the defined criteria at SYSDATE.

Accessibility is NOT re-evaluated when datetracking.

This can have different effects when users datetrack forward or back depending on the security profile and
the person's employment history.

When a security profile is defined, accessibility to person types can be Restricted, All or None.

Accessibility is governed

a) By having a row on the secure person list if the person has a
   person_type that is Restricted on the security profile.
b) By not having a row on the secure person list if the person only
   has a person_type that is All on the Security profile. Eligibility
   is taken for granted in this case.

This can lead to different results if there have been multiple person type changes. For example

Security Profile           Person Type Test
View Employees             Restricted
View Contingent Workers    All
Restricted to all people in the Human Resources organization.

Scenario 1

Person is an Employee in the Sales organization, and not visible to this profile. On 1st May, the organization of the
employee is changed to Human Resources and he is now visible because when the secure list was calculated, either at
sysdate or the effective date of the Security List Maintenance program, he was an Employee, and in the Human Resources
organization, and a row was inserted onto the secure person list according to case a) above.

Datetracking to before the 1st May when the person was in Sales does not remove accessibility even though the profile
excludes him, as accessibility is NOT re-evaluated.

Scenario 2

Person is an Employee in the Human Resources organization, visible to this profile. He is terminated and becomes an
ex-employee on 30th April. On 1st June he becomes a Contingent Worker in the Human Resources organization and is
visible by this profile.

Datetracking to before 30th April does not retain accessibility however, because when the secure list was last calculated,
either at sysdate or the effective date of the Security List Maintenance program, he was not an Employee, and a row wasn't
inserted on the secure person list according to case b) above, as the profile is View All on Contingent Workers. Even though
the profile includes him at the date when he was an employee, accessibility is NOT re-evaluated, so he is not visible.

c) Prior to 12.06 User Based or dynamic security gives access to Active assignments only

Ex-employees (if beyond Final Process Date), Ex-applicants, and Ex-Contingent workers are not visible because they won't
have an active assignment on sysdate. In order to see this type of person, you will need to define a security profile using
static security and run Security List Maintenance for Current and Terminated people.


Contacts are also not visible using dynamic security.

The same applies to assignment level security which currently works out assignment accessibility dynamically only.

To recap, user-based or dynamic security includes

Supervisor Security
User-based Organization and Position security where top organization is determined by assignment of user logging on.
Custom security using the 'Restrict the people visible to each user using this profile' option.
Assignment level security.

Remember also that if a security profile has been created with no restrictions at all, i.e. is View All, this will also be
evaluated dynamically. Consider the case where a user has created a profile to view all employees and ex-employees only.
This will be evaluated dynamically and filter out ex-employees which is not what the user requires. To resolve that they
would need to force the profile to be static. To do this they could enter a restriction under the Custom tab. Choose
"Restrict the People visible to this profile" and enter 1=1 in the where clause. Then run Security List Maintenance.

N.B. From R12.06 the option to include the EX person types in user-based or dynamic security profiles is provided by
setting the profile option 'HR:Ex-Employee Security Profile' to Yes. From R12.1 the profile was renamed to
HR:Access Non-Current Employee Data. Doesn't apply to Supervisor Security, and Contacts are still excluded. Set to No to
retain original functionality of restricting to Active assignments only. <> (Not available as a one-off patch).

d) Performance Issues

The most common places to see performance degradation would be at logon time when a dynamic security profile is being
processed, or whilst running Security List Maintenance to maintain the static lists.

Please take note of the following patches:

4643909  Latest HRMS Security RUP (Family Pack F or above)
4444325  Security List Maintenance performance issue (FPJ)
5214715  Security List Maintenance performance issue (FPK)
4932555  Dynamic security causing performance problem (FPK)

n.b. all the above are included in FPK RUP1 (5055050)

Another area to check is possible poorly performing custom sql in the custom tab of the security profile definition.
Never use secure views in custom code. Also beware of causing full table scans on assignment.

Think about how you use and schedule Security List Maintenance. It can be run multi-threaded now. Calling the PERSLM
process many times for single profiles continually hits the person and assignment tables. Running multi-threaded accesses
the person and assignment tables fewer times, and gives better performance in global implementations.

Also consider separating SLM runs for current and terminated employees.

e) Generate Secure User errors

The problem with this program is that on 99% of occasions, the user shouldn't be running it at all. It would be better named
as Generate Secure Reporting User, as it simply grants the HR_REPORTING_USER role to an Oracle user other than APPS which
is used for reporting purposes only.

There is no need to run this program if you are just defining normal security profiles to restrict user access to data using
the standard Oracle HRMS Application forms and html interfaces.

The following sql can be run to check whether any reporting oracle users have been used on security profiles.

select security_profile_id,
       security_profile_name,
       reporting_oracle_username
from   per_security_profiles
where  reporting_oracle_username IS NOT NULL;

If no reporting users, DO NOT run this program.
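
Because Generate Secure User works by granting the HR_REPORTING_USER role, the profile-side check above can be
reconciled with the grants that actually exist in the database. The query below is an added example, not part
of the Oracle note. It assumes the session can select from the Oracle data dictionary view DBA_ROLE_PRIVS, and
the status wording is this example's own.

```sql
-- Added example: compare reporting users named on security profiles with
-- the accounts that currently hold the HR_REPORTING_USER role.
-- Assumes SELECT access to DBA_ROLE_PRIVS (a DBA-level account).
WITH profile_users AS (
  -- reporting users declared on security profiles
  SELECT UPPER(reporting_oracle_username) AS oracle_user,
         COUNT(*)                         AS profile_count
  FROM   per_security_profiles
  WHERE  reporting_oracle_username IS NOT NULL
  GROUP  BY UPPER(reporting_oracle_username)
),
role_grants AS (
  -- accounts or roles that hold the reporting role in the database
  SELECT grantee AS oracle_user
  FROM   dba_role_privs
  WHERE  granted_role = 'HR_REPORTING_USER'
)
SELECT COALESCE(pu.oracle_user, rg.oracle_user) AS oracle_user,
       NVL(pu.profile_count, 0)                 AS profiles_naming_user,
       CASE
         WHEN pu.oracle_user IS NULL
           THEN 'ROLE GRANTED, NOT ON ANY PROFILE - REVIEW'
         WHEN rg.oracle_user IS NULL
           THEN 'ON PROFILE, ROLE NOT GRANTED'
         ELSE 'OK'
       END                                      AS status
FROM   profile_users pu
       FULL OUTER JOIN role_grants rg
                    ON rg.oracle_user = pu.oracle_user
ORDER  BY status,
          oracle_user;
```

A row flagged for review is a grantee with read access to all the HR objects that no security profile accounts
for. A row with the role not granted points to a profile for which Generate Secure User has not been run.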

f) Security List Maintenance errors

If the Security List Maintenance program has errored out, then on occasion it may be necessary to further debug it by
running PYUPIP. The following steps should be taken to get a PYUPIP trace based on FPK Patch level. Change parameters as
appropriate. If on a different patching level, it may be necessary to add or remove some parameters:


1. Log in to SQLPLUS
2. Set serveroutput on
3. spool pyupip.out
4. Execute the following

BEGIN
  -- Send the HRMS trace to DBMS_OUTPUT so that it lands in the spool file
  hr_utility.set_trace_options('TRACE_DEST:DBMS_OUTPUT');
  hr_utility.trace_on;
  pay_pyucslis_pkg.generate_lists(
     p_effective_date         => trunc(sysdate)
    ,p_generation_scope       => 'ALL_PROFILES'
    ,p_business_group_id      => NULL
    ,p_security_profile_id    => NULL
    ,p_security_profile_name  => NULL
    ,p_who_to_process         => 'ALL'  -- Current and Terminated people
    ,p_user_id                => NULL
    ,p_static_user_processing => 'ALL_STATIC'
  );
  hr_utility.trace_off;
EXCEPTION
  WHEN OTHERS THEN
    dbms_output.put_line(sqlerrm);
    hr_utility.trace_off;
END;
/

5. spool off

Related Documents

Oracle HRMS Configuring, Reporting and System Administration Guide, Chapter 1

Copyright 2003 Oracle. All rights reserved. Oracle is a registered trademark of Oracle. Various product and service names
referenced herein may be trademarks of Oracle. All other product and service names mentioned may be trademarks of their
respective owners.

Disclaimer: This document is provided for information purposes only and the contents hereof are subject to change without
notice. Oracle does not warrant that this document is error free, nor does it provide any other warranties or conditions,
whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a
particular purpose. Oracle specifically disclaims any liability with respect to this document and no contractual obligations
are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form
or by any means, electronic or mechanical, for any purpose, without the prior written permission of Oracle.

REFERENCES

BUG:5612905 EXTEND USER BASED SECURITY TO INCLUDE EX-EMPLOYEES
BUG:9622337 CUSTOM SECURITY PROFILE IS NOT ACCEPTING PERSON_TYPE ALIAS IN THE CUSTOM QUERY
NOTE:316829.1 No Data Found In Procurement DBI Reports: Missing Security Setup
NOTE:965961.1 Custom Security Code Segment Does Not Return Expected Results When Restricting by Location
