
A Job is general, whereas a Position is specific to its role and responsibilities.

JOB: MANAGER (generic term), SOFTWARE DEVELOPER
POSITION: Finance Manager, HR Manager, Junior SOFTWARE ENGINEER (a position is specific to the role to be played).

Q2) What are the differences between extra information type (EIT) and special information type (SIT)?
EIT and SIT are both provided by Oracle to capture extra information. The basic differences are that an EIT is similar to a DFF and is defined using the DFF Definition screen, while a SIT is a KFF and is defined using the Personal Analysis KFF Definition screen. SIT is generally used at Person level; EIT can be defined at PERSON, ASSIGNMENT, CONTACT, ELEMENT, LOCATION and JOB level. There are 2 columns, date_to and date_from, in SIT, while there are no such columns in EIT.

Q3) Tell me the names of the important Key Flexfields (KFFs) in Oracle HRMS.
Job KFF, Grade KFF, People Group KFF, Position KFF, Cost Allocation KFF, Competence KFF

Q4) List some important tables in HRMS.
Per_all_people_F, per_person_types, per_person_type_usages, per_addresses, Per_all_assignments_f, per_jobs, per_job_Definitions, per_grades, per_grade_definitions, hr_all_positions, hr_all_position_definitions, hr_all_locations, pay_all_payrolls_F, pay_element_entries_F, pay_elements_links_F

Q5) What is the difference between SECURED VIEWS and NON SECURED VIEWS?
1. Secured views display information only for the current period.
2. Unsecured views are used to get the information from the entire rows.

Q6) Define APIs and their use in Oracle HRMS.
APIs are used in HR to insert data into the base tables. As it is a very secured system, the user does not have the facility to copy data directly into the base tables. When we write inbound interfaces or use WebADI, the system uses the APIs to store the data. The APIs are published by Oracle with a number of parameters. The different types of parameters are IN / IN OUT / OUT; of these parameters a few are mandatory, without which the process won't complete. Generally when we use an API we give data for: Object Version Number, Effective Date, P_Validate.
hr_employee_api, example: hr_employee_api.create_employee
hr_organization_api, example: hr_organization_api.create_organization
hr_assignment_api

Q7) What are the processing types of an element?
Elements are nothing but the components of the salary. For example: Basic Salary, House Allowance, Transport Earning, Bonus, Loan Recovery etc. There are 2 types of processing:
1. Recurring: if an entry of this element applies in every period until the entry is ended.
2. Non Recurring: if an entry applies in one pay period only.

Q8) What are the termination rules of an element?
Termination Rules of an Element:
a) Actual Termination: For a nonrecurring element, select Actual Termination if you want the entries to close down at the end of the pay period in which the employee leaves.
b) Final Close: if you want the entries to stay open beyond the employee's leaving date so that you can continue to pay the employee.
c) The Last Standard Process date defaults to the last day of the pay period in which the employee is terminated, but you can set it to a later period when you terminate an employee.

Q9) What is costing?
Costing: Recording the costs of an assignment for accounting or reporting purposes. Using Oracle Payroll, you can calculate and transfer costing information to your general ledger and into systems for project management or labor distribution.

Q10) What are the 2 modes of Date Track in Oracle APPS?
The two Date Track modes are as follows:
* Update
* Correction

Q11) Can a job have multiple positions?
Job is generic. Yes, a job can have multiple positions.

Q12) Can you call PL/SQL Package functions from within a Fast Formula?
Yes, you can. How do we do this? There is a Define Function screen in HR. In this screen you register the PL/SQL as an External Function.

Q13) If we want to pass a parameter PAYROLL_ID to this external PL/SQL Function, how do we do it?
The Define Function screen has a button named Context Usage. This button opens a window in which you can register the parameters.

Q14) How do you debug a Fast Formula?
You can create a message variable in the Fast Formula. This message variable must also be registered as a Formula Result (in the Formula Result Rule window).

Q15) What are the various levels where you can set up Payroll Costing Accounts? Which levels take the highest precedence?
Element Entry => Highest
Assignment => Second Highest
Organization => Third Highest
Element Link => Fourth Highest
Payroll => Fifth Highest

Q16) Technically speaking, how do you know from tables that an Employee has been terminated?
(a) The Person_Type_ID in PER_PERSON_TYPE_USAGES_F will correspond to System Person Type EX_EMP.
(b) A record gets created in table PER_PERIODS_OF_SERVICE with Actual_Termination_date being not null.

Q17) How can you make Employee Number generation automated based on a business rule etc.?
Use Fast Formula.

Q18) What is the difference between per_people_f and per_all_people_f?
PER_PEOPLE_F is a secured view on top of PER_ALL_PEOPLE_F. The secure view uses an API, hr_security.show_person. This API internally checks for an entry in table PER_PERSON_LIST for the logged-in person's security profile. A concurrent program named Security List Maintenance inserts records in PER_PERSON_LIST.

Q19) If you do personalization at both FUNCTION level and Responsibility level, which personalization has higher precedence?
Responsibility level. Responsibility level will override FUNCTION level personalizations.

Q20) Say you have done a lot of Personalizations to Self Service Screens, but all these Personalizations were done in the DEVELOPMENT environment. How will you migrate these personalizations to the PRODUCTION environment?
Before 11.5.7: Use AKLOAD. This is a Java program given by Oracle. This is the only way you can script it. In DEV you will do AKLOAD DOWNLOAD (& other parameters). In PRD you will do AKLOAD UPLOAD (& other parameters).
On or after 11.5.10: Use the responsibility Functional Administrator, then click on the Personalization tab, and then click on Import/Export. Next select the documents to be exported. Go to the UNIX box and tar the personalizations into a .tar file. On the Production environment unzip this tar file in the location entered in profile FND: Personalization Document Root Path. Setting up this profile is mandatory, or else Oracle Framework wouldn't know where to search for the files to be imported.

Q21) How to restrict iRecruitment external visitors to access only responsibilities on the external server?
Set the Server Trust Level for the server to External, and set the Trust Level of the iRecruitment external responsibilities to External too.

Q22) Is SSHR a dependency for iRecruitment?
iRecruitment has no dependence on SSHR.

Q23) Does iRecruitment support Candidate Qualifying Questionnaires where the candidate must answer vacancy-specific questions correctly prior to submitting an application?
iRecruitment currently does not support this function. For now this can be achieved by having a set of simple questions using a flexfield to get those responses and a user hook to validate them as part of the apply process.

Q24) Do we track vacancy history?
iRecruitment does not track changes to the vacancy. If changes to a field are to be traced, use the Audit capability in APPS.

Second Part:

What are the minimum classifications to create a Business Group?
(i) Business Group
(ii) GRE/Legal Entity
(iii) HR Organization

What are the Pre-Requisites for creating a Business Group?
(i) Value Sets
(ii) Key Flexfields
(iii) Location

What is the use of HR Organization?
If we want to assign the employee information to a Business Group then we need to have the HR Organization classification under a Business Group.

What is People Group?
(i) It is a flexible area for holding user-defined assignment data.
(ii) Data can be used for grouping sets of assignments together.
(iii) People group can be used for Element eligibility.
(iv) This information is used by the Payroll Run.
(v) The data will be held in PAY_PEOPLE_GROUPS.
(vi) The GROUP_NAME field holds the concatenation of Segment data.

What is the KFF structure for SIT?
Personal Analysis Flexfields.

What is the DFF structure for EIT?
(i) Extra Person Information
(ii) Assignment Extra Information
(iii) Extra Location Information
(iv) Extra Position Information
(v) Extra Job Information
(vi) Organization Developer DF

How to enable EIT?
Switch Responsibility to Human Resources, Vision Enterprises
Double click on Security
Click on Information Types
Create your own Information Types under your Responsibility Name.

How to enable SIT?
Switch Responsibility to Human Resources, Vision Enterprises
Double click on Other Definitions
Click on Special Information Types

What is the use of Date Track?
1) It is used to maintain the record history by creating a new record when the Date Track mode is UPDATE and overriding the existing record when the Date Track mode is CORRECTION.
2) The value of the Date Track record depends on the date.
3) Tables ending with _F are Date Track tables.
4) To control date-tracked rows, every Date Track table must include Effective_start_date & Effective_end_date.
5) The Effective_Start_Date indicates when the record was inserted.
6) The Effective_End_Date indicates when the record was updated or deleted.

What is the use of Object Version Number?
1) It is used to capture the latest record from the database table.
2) When a row is inserted its number is set to 1.
3) If any updates are performed on the row then the OVN is incremented.
4) Every API has the OVN parameter.
5) For a create API this parameter is defined as an OUT parameter.
6) For an update API this parameter is defined as an IN OUT parameter.
7) The APIs use it to check whether a row has been updated by another user, to prevent overwriting their changes.

What is the Element?
It is a data structure which is used to hold information for both Human Resources and Payroll. In Human Resources, elements may represent compensation types including Earnings such as Salary, Hourly Wages and Bonuses. In Payroll, elements constitute all the items in the Payroll run process.

What are the Classification Priorities?
(i) Information
(ii) Non-Payroll
(iii) Earnings
(iv) Pre-Tax Deductions
(v) Tax Deductions
(vi) Employer Tax
(vii) Voluntary Deductions
(viii) Involuntary Deductions

What can the Element represent?
Earnings: such as Salary, Wages & Bonuses
Benefits: such as employee stock & pension plans
Non-Payroll items: such as Expenses
Absences from work
Voluntary and Involuntary deductions
Employer Taxes and other Liabilities.

What are the pre-defined Elements?
UK Payroll legislation provides many predefined elements:
Tax
National Insurance (Employee/Employer)
Court Orders
These Elements cannot be modified.

What are the Element Entry Concepts?
Recurring: Recurring Entries can exist over many Payroll periods.
Non-Recurring: Non-Recurring Entries are valid for a single Payroll period only.

What are the types of Element Entry?
There are four types:
Normal Entry
Override Entry
Additional Entry
Adjustment Entry
    Additive Adjustment
    Replacement Adjustment
    Balance Adjustment

How can we add a new input value to an existing Element?
We can add additional input values to an existing Element if the element has not been processed in a Payroll run and the Effective date is the same date as the creation of the Element.

What is the use of ID_FLEX_NUM?
It is used to define the Structure Definition.
The Structure Definition is held in FND_ID_FLEX_STRUCTURES.
The Structure Segment Definition is held in FND_ID_FLEX_SEGMENTS.

What is the Element Link?
Links identify one or more assignment components that must be included in an employee's assignment for them to be eligible. Elements can, but they don't have to, be linked by:
Organization
Group
Job
Position
Grade
Location
Employment Category (i.e., Fulltime-Regular, Part-time-Regular)
Payroll
Salary Basis

What is API?
An API is a packaged procedure which can be used as an entry point into the Application. The advantage of using an API is that we can enter new information or alter the existing data without manually entering the information into the Application. APIs allow users to maintain HRMS information without using Oracle Application forms.

How do I use an API to upload the data?
An API package contains many procedures to insert/update/delete the application data. The API is not executed on its own; the API must be called or executed by another PL/SQL program. The API package should never be modified for custom use; if modified, Oracle will not be able to support it. None of the HRMS APIs issue a commit; the calling module should manage the commit of the transaction.

How do I identify the Package name and version of the API?
    SELECT text
    FROM all_source
    WHERE name LIKE 'HR_EMPLOYEE_API%'
    AND text LIKE '%Header%';

Where can I find information on an API and its parameters?
Review the package header file for the particular API file (.pkh).

What is Object version number and how do I assign values for it in an API?
Object Version number is a number assigned to a row in a database table. When a new row is inserted its number is set to 1. If any updates are performed on the row then the Object version number is incremented. Every API has the p_object_version_number control parameter. For create APIs this parameter is defined as an OUT parameter; the API assigns the Object version number to be 1 for row inserts. For update APIs the parameter is defined as IN OUT; for an update API the object version number is mandatory.

When is HR_7155_OBJECT_LOCKED raised?
The current value of object_version_number must be passed in the API call and it is compared to the version on the row in the table. If the versions are different then HR_7155_OBJECT_LOCKED is raised.

What is the p_validate control parameter?
Every API has a p_validate control parameter. When the parameter is set to FALSE then all the business function validation is performed. If everything is validated then the row can be inserted/updated/deleted. If p_validate is set to TRUE then only the actual operation is validated. A savepoint is issued at the start of the call and a rollback is done at the end of the call.

Can I use an API on an application table on which an event-based alert is defined?
No, if an event-based alert is defined on an application table then the API will give an error. To run the API the alert has to be disabled and re-enabled after the API has been executed.

What is the difference between an API and a publicly callable API?
An API is an alternative entry point for data to be inserted/updated/deleted in the application. The Oracle HRMS publicly callable APIs engage in validation in the same manner as the forms do within the application. Validation is performed in terms of data integrity, ensuring that data relationships exist properly between related tables. Validation is also performed against business functionality as the application form would enforce it. Therefore, only publicly callable APIs should be used to insert/update and delete data from the application.

Understanding and Using HRMS Security in Oracle HRMS


Product: Oracle Human Resources
Minimum Version: 11.5.9

An Oracle White Paper Abstract



Document History
Author: Steve Cooper
Create Date: 04-OCT-2006
Last Update Date: 18-JUN-2008
Expiration Date:
Other Information:

Table of Contents
1. Overview/Key Components
   a) Introduction
   b) Security Profile
   c) Security List Maintenance
   d) Security Models
   e) Reporting Users
   f) Financials and Manufacturing
2. The Security Profile
   a) Organization Security
   b) Position Security
   c) Payroll Security
   d) Supervisor Security
   e) Miscellaneous Security
   f) Custom Security
   g) Static Lists/User-Based Security
   h) Assignment Level Security
   i) Global Security Profiles
3. Technical evaluation
   a) Static Lists
   b) Secure Views
4. Troubleshooting Problems
   a) Check Setup
   b) HRMS Security and Datetrack
   c) User-Based or Dynamic Security gives access to Active Assignments only
   d) Performance Issues
   e) Generate Secure User errors
   f) Security List Maintenance errors

1. Overview

The purpose of this paper is to introduce and describe the key components of HRMS Security, to provide a technical analysis to enable a better understanding of the processes involved, and to give pointers as to why HRMS Security might not be working as desired. For a more detailed examination of how to set up Security Rules for your enterprise, please refer to the manual Oracle HRMS Configuring, Reporting and System Administration Guide.
a) Introduction

Users of Oracle HRMS access the system via a responsibility that is linked to a security group and a security profile. In the Standard HRMS Security model, when a business group is created a View All security profile is created, and a security group of 0 (Standard) is automatically assigned. When security groups are enabled, a new security group gets created for each business group, and the association of a security group to a security profile is determined by the business group.

Example queries using the Standard security group:

    select security_group_id, security_group_name
    from fnd_security_groups_vl
    where security_group_id=0;

    select name, business_group_id
    from per_business_groups
    where security_group_id=0;

HR Users accessing the system via forms can only view data from one business group at a time, so before any security rules have been set up, HR data is already being restricted by business group. However, the "HR:Cross Business Group" profile option, when set, does allow certain fields to be used across business groups, for example Supervisor. Managers accessing the system using Self Service HR can, if required, see direct reports across business groups (see Global Security Profiles). HRMS Security allows you to further restrict access to data based on criteria you define in a security profile.
b) Security Profile

The Security profile is the means by which you determine which users of the system have access to which data. It determines which types of person's records are available, for instance Applicants, Employees, Contingent Workers or Contacts. You then determine which work structures or other criteria you want to use to restrict access. For example, a particular HR Administrator may only be given access to employees in organizations within a specific region, and only a senior Payroll clerk would be allowed access to employees in the Director's payroll. The criteria you can use to identify these records are:

Internal Organizations and Organization Hierarchies
Positions and Position Hierarchies
Payrolls
Supervisors and Supervisor Hierarchies
Custom restrictions
Assignments

The security profile will be discussed in more detail in the next section.
c) Security List Maintenance

Oracle HRMS enforces its security rules by using secure views which call a security function (see Technical Evaluation) that works out access based on whether the security profile is dynamic or uses static lists. The static lists of people, organizations, payrolls, and positions are indexed against each security profile. They are maintained by a concurrent process called Security List Maintenance, which is usually run overnight to ensure that any changes during the day that would affect the availability of a person's record (for example, a change of organization) are reflected in all secure responsibilities the following day. Please note that if the security profile is dynamic and not static, Security List Maintenance need not be run. Dynamic or user-based profiles are Supervisor, user-based Organization and Position security, custom security using the 'Restrict the people visible to each user using this profile' option, or Assignment Level Security.
d) Security Models

There are two Security Models: Standard HRMS Security and Security Groups.

In essence this just amounts to how the security profile that you have defined is made available to the end user who will be using it.

Standard HRMS security is the traditional method. You define a security profile, and you define a responsibility for use by application users. The two are linked by assigning the profile option HR:Security Profile, with the value of the relevant security profile, to the responsibility. It's a one-to-one relationship. To have access to other security profiles, you would need to create a new responsibility.

Security Groups, on the other hand, offer a means whereby you can reuse a responsibility and assign it to different security profiles in different business groups if required. You no longer use the HR:Security Profile profile option, as access to the security profile is granted by the form Assign Security Profile. When you log on to the system you will see the same responsibility name but paired against different security groups (security profile and business group).

To enable security groups you set the profile option Enable Security Groups to Yes, and run the concurrent process Enable Multiple Security Groups. This will create a pair of records for each existing responsibility: one associated with the Standard security group, which is the Setup Business Group by default, and one with the defined business group. It is recommended to end date the responsibility associated with the Standard business group to cut down on the list of responsibilities available to the user. However, it should be understood that those users using the Security Groups model who wish to update Global Lookup codes must do it using the Standard security group.

An important consideration also is that once Security Groups have been enabled, you cannot return to the Standard HRMS Security model. The profile option Enable Security Groups should be set at Application level, as non-HRMS applications do not support multiple security groups. Shared HR always uses Standard Security. The type of enterprises that would benefit from security groups would be multi-nationals, and service centres using multiple business groups and security profiles.

e) Reporting Users

The Reporting user is an often misunderstood aspect of HRMS Security. The purpose is to allow read-only access to the HR database by reporting tools like SQL*Plus and Discoverer, but still using the secure views. To do this it is necessary to create an alternative Oracle ID to APPS, which is what the standard Oracle Applications eBusiness Suite uses. You then need to create the security profile and associate the new reporting Oracle user with it. Once that has been done you run the Generate Secure User process, which grants the HR_REPORTING_USER role to the REPORTING_ORACLE_USERNAME specified in the security profile. The HR_REPORTING_USER role already has select (read-only) permissions on all the HR objects.
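A reconciliation check for the reporting-user setup described above, as an added example that is not part of the white paper. It relies on the REPORTING_ORACLE_USERNAME column and HR_REPORTING_USER role named in the text and on the standard data dictionary views DBA_ROLE_PRIVS and DBA_TAB_PRIVS, and assumes it is run from an account that can read them.

```sql
-- Added example, not from the white paper.

-- 1. Reporting users named on a security profile, and whether the
--    Generate Secure User process has actually granted them the role.
SELECT sp.security_profile_name,
       sp.reporting_oracle_username,
       CASE
         WHEN rp.grantee IS NULL THEN 'ROLE NOT GRANTED'
         ELSE 'ROLE GRANTED'
       END AS role_status
FROM   per_security_profiles sp
LEFT JOIN dba_role_privs rp
       ON  rp.grantee      = UPPER(sp.reporting_oracle_username)
       AND rp.granted_role = 'HR_REPORTING_USER'
WHERE  sp.reporting_oracle_username IS NOT NULL
ORDER  BY sp.reporting_oracle_username;

-- 2. Grantees that hold HR_REPORTING_USER but are not referenced by any
--    security profile. These have read access to the HR objects without
--    a profile to restrict what the secure views return for them.
SELECT rp.grantee
FROM   dba_role_privs rp
WHERE  rp.granted_role = 'HR_REPORTING_USER'
AND    NOT EXISTS (
         SELECT 1
         FROM   per_security_profiles sp
         WHERE  UPPER(sp.reporting_oracle_username) = rp.grantee
       )
ORDER  BY rp.grantee;

-- 3. Reporting users that also hold direct write privileges on any
--    object, which contradicts the read-only purpose of the account.
SELECT tp.grantee,
       tp.owner,
       tp.table_name,
       tp.privilege
FROM   dba_tab_privs tp
WHERE  tp.privilege IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER')
AND    tp.grantee IN (
         SELECT UPPER(sp.reporting_oracle_username)
         FROM   per_security_profiles sp
         WHERE  sp.reporting_oracle_username IS NOT NULL
       )
ORDER  BY tp.grantee, tp.owner, tp.table_name;
```

Rows from the second and third queries are the ones to review: the first lists setup that is incomplete, the other two list access that the security profile does not account for.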
f) Financials and Manufacturing

Certain Financial and Manufacturing business views are restricted by Operating Unit. They make use of the function HR_SECURITY.SHOW_BIS_RECORD, and in order to secure by operating unit, users are required to:
a) Create a security profile with the security types Secure Organizations by Single Operating Unit or Secure Organizations by Operating Unit and inventory organizations.
b) Set profile option MO:Security Profile.

Security List Maintenance need not be run for profiles created using these two security types as they are dynamic. Security List Maintenance will not include them in the LOV as the ORG_SECURITY_MODE is OU and OU_INV respectively and excluded.

In Procurement Intelligence, a security profile should be set up using an Organization Hierarchy of Operating Units and, being static based, requires Security List Maintenance to be run. See the Oracle E-Business Suite Multiple Organizations Implementation Guide for information about setting up security profiles in Financials and Manufacturing. See also Note 316829.1.

In Oracle Assets, users can set up Security by Book by having an organization hierarchy of Asset Organizations, defining a security profile with an entry point into the hierarchy, running Security List Maintenance, and setting the FA:Security Profile on the responsibility with restricted access.
2. The Security Profile

The determining factors of what data is allowed to be accessed by a User/Responsibility are defined in the Security profile. You decide what person types are available to the profile, whether individual assignments are restricted, and what work structures or other criteria to use to evaluate accessibility.

Person Types

On the Security Profile, you decide on each of the following person types whether to View All of them, to View None of them, or to have them Restricted according to the criteria laid out in the profile:

Employees
Contingent Workers
Applicants
Contacts
Candidates

Exceptions are that the 'None' option is not available for Contacts, and 'Restricted' is not available for Candidates.

You can use any of the following criteria to restrict accessibility to data, or a combination of each.
a) Organization Security

You can either use an Organization Hierarchy to determine access, or you can specify a list of organizations to which the user has access.

For the List method, simply select the Security type 'Secure Organizations by organization hierarchy and/or organization list'. Then select, in the Organization Name field, each of the Organizations you want the profile to have access to. The Include checkbox is automatically checked.

For the Hierarchy method, you select the Security type 'Secure Organizations by organization hierarchy and/or organization list' as before. Then you choose your Organization Hierarchy. The next step is to determine the entry point into the hierarchy at which access starts. This can either be by specifying the Top Organization, or by allowing the top organization to be decided by the assignment of the user who is accessing the profile. You can also include organizations not in the hierarchy in the Organization Name field, or exclude organizations in the hierarchy. The business group can also be excluded, as can the top organization if required.
b) Position Security

Position security uses a Position Hierarchy, and the entry point to determine where access starts can be based on the specified Top Position, or it can be taken from the assignment of the user who is accessing the profile. The Top Position can be excluded if required.
c) Payroll Security

If restriction by payroll is required, the main thing to consider is the efficiency of the definition. For instance, if access to most payrolls is required, uncheck View All Payrolls and uncheck the Include check box, then specify the payrolls to be excluded. To give access to a small number, uncheck View All Payrolls and check the Include check box, then specify the payrolls to be included.
d) Supervisor Security

This type of security profile is based on a Supervisor Hierarchy which by default is built up dynamically when the user logs on. It can be Person based, in that the user/manager has access to ALL the assignments of a person who reports to him, and those that report to his subordinate. The Primary Assignments Only checkbox is unchecked by default. It can also be Assignment based, which would be used in conjunction with Assignment-Level Security (see below). In this case the user/manager can only access the specific assignment that reports to him and the direct report of this assignment.

Supervisor security can cause an overhead when logging on to the system. Options for improving performance would be to restrict the number of Hierarchy Levels to go down, or to use a Static List, which would create the supervisor hierarchy when Security List Maintenance is run (see Static Lists).

Remember that the user/manager is identified as an employee in the Define User form in System Administrator.

iRecruitment uses supervisor hierarchies to control recruiter and manager access to vacancy information. You can set up a supervisor-based profile which restricts managers and recruiters to viewing only those vacancies that are managed by people reporting in to them.
e) Miscellaneous Security

Accessibility to records depends on the User Name used to log in, if this is a user-based security profile; in other words, if this is a Supervisor Security profile, or if the entry point into the hierarchy of an Organization or Position based profile is determined by the assignment of the user logging in. However, this can be bypassed, and the profile can always use the same user, no matter who logs in, by specifying the name of the user on the Miscellaneous tab. Use the Exclude User check box to deny access to the user's own records, or the records of the Named User if specified. This option is not available in SSHR.
f) Custom Security

Users can write their own code to restrict access in the Custom Security tab. You can choose to 'Restrict the People visible to the profile', which uses Security List Maintenance to store the data in a static list, or 'Restrict the people visible to each user using this profile', which is user-based security and evaluates access when the user signs on. The user writes a 'where' clause fragment which is verified, and incorporated into the following select statement to work out accessibility:

    select 1
    from per_all_assignments_f ASSIGNMENT,
         per_all_people_f PERSON,
         per_person_type_usages_f PERSON_TYPE
    where ASSIGNMENT.assignment_id = :asg_id
    and :effective_date between ASSIGNMENT.effective_start_date and ASSIGNMENT.effective_end_date
    and PERSON.person_id = ASSIGNMENT.person_id
    and :effective_date between PERSON.effective_start_date and PERSON.effective_end_date
    and PERSON.person_id = PERSON_TYPE.person_id
    and :effective_date between PERSON_TYPE.effective_start_date and PERSON_TYPE.effective_end_date
    and (CUSTOM CODE GOES HERE)

A typical piece of custom code might look like this:

    ASSIGNMENT.location_id in
      (select LOC.location_id
       from hr_locations_all LOC
       where LOC.location_code in ('London','Paris'))

However, be sure to force character strings to upper case, as custom restricted text is not case sensitive currently. See Note 965961.1. The above custom code should therefore be rewritten as:

    ASSIGNMENT.location_id in
      (select LOC.location_id
       from hr_locations_all LOC
       where UPPER(LOC.location_code) IN (UPPER('London'),UPPER('Paris')))

Please note also that there is an issue using the PERSON_TYPE alias in the custom code, which results in the following error:

    APP-PER-289835: An SQL error was found in your custom restriction. The error is `ORA-904: `PERSON_TYPE.PERSON_TYPE_ID:Invalid identifier. Correct the error before continuing

For more information see bug 9622337.


g) Static Lists/User-Based Security

Security Profiles which determine availability based on the user, such as Supervisor Security, user-based Organization and Position security, or custom security using the 'Restrict the people visible to each user using this profile' option, are evaluated at the point of logging in, which as mentioned previously can lead to performance overheads on some systems. Using Static Lists in conjunction with these profiles can eliminate that overhead. You can specify the relevant users on the Static List tab, and the permissions will be stored when the Security List Maintenance program is run, not when logging on.

Prior to R12 there is a limitation to user-based security, in that it doesn't allow access to ex-employees with a Final Process Date. From R12.1 there is a profile option called HR: Ex-Employee Security Profile. Set the profile to Yes to include Ex-Employees, Ex-Applicants, and Ex-Contingent Workers, or No to retain the original functionality. This doesn't apply to Supervisor Security. See Bug 5612905 (NOT available as a one-off).
h) Assignment Level Security

Traditionally, accessibility to data in Oracle HRMS through security profiles was person based. So if a person had multiple assignments the profile only had to have access to one assignment to allow access to all. This was not restrictive enough, and from Oracle HRMS Family Pack H a new feature was introduced to allow restriction based on individual assignment. There is a checkbox called Restict on Individual Assignment on the security profile definition.

This invoked Assignment Level Security in SSHR but only in 3 forms in the Professional User Interface (PUI) in Oracle HRMS Family Pack H, Oracle HRMS Family Pack I, and Oracle HRMS Family Pack J. The forms were
PERWSHRG (Combined Person / Assignment)
PERWSEMA (Fastpath Assignment)
PERWSQHM (People Management)

and had to have a parameter added to their function definition in System Administrator. The parameter was SECURE_ON_INDIVIDUAL_ASG='YES'. From Oracle HRMS Family Pack K, this parameter has been removed and the list of PUI forms that support assignment-level security has been extended. As with User-Based security, however, restricting by assignment is worked out dynamically, which has the limitation of not giving access to ex-employees with a Final Process Date. See above.
i) Global Security Profiles

It is possible to set up security profiles whereby employees can be accessed across different business groups. This may be for a variety of reasons:

1) Non HRMS users who do not want data to be restricted by Business Group when they define Global Security profiles
2) In Self Service HRMS, where Managers using Supervisor hierarchy have access to direct reports across business groups.
3) In R12 Professional HR, People Management can now be used with a Global Security profile. If a Global Security Profile is linked to the responsibility, users can choose the business group on the Find screen to query cross business groups. Records can be updated and secondary assignments created, however new employees are created in the default business group set by the HR:Business Group profile option or in Assign Security Profiles form, depending if Standard security or security groups are used. All other forms accessed using the responsibility use the Global Security profile too, but are limited to using the default business group.

It may also be a simple device to consolidate security profiles. A profile could include organizations across business groups, but when attached to one business group in the Professional User interface, only the employees in that business group are visible. If access across business groups is required, a Global Security Profile must be created in Navigate -> Security -> Global Security Profile. Payroll and Position security is not available in Global Security profiles. Neither is Reporting User access. The Global Security Profile is identifiable as having a null business_group_id on the table PER_SECURITY_PROFILES.
3. Technical Evaluation

Access to data via Oracle HRMS is provided by views. The majority of these views restrict the data available to a user/responsibility by joining with cached data which holds information about what people can be viewed by what security profile. The cached data is either loaded from the static lists or dynamically at logon time.
a) Static Lists

The lists are

PER_PERSON_LIST
PER_ASSIGNMENT_LIST (not currently in use)
PER_ORGANIZATION_LIST
PER_POSITION_LIST
PAY_PAYROLL_LIST

These lists are cleared and refreshed by the Security List Maintenance program. As Assignment_level_security is currently only dynamic, the static list PER_ASSIGNMENT_LIST is not yet used.
b) Secure Views

The Secure Views, for example PER_PEOPLE_F, include a call to the function HR_SECURITY.SHOW_PERSON which returns TRUE if the person record is visible to this security profile, otherwise FALSE. Other views which are secure may not directly call this function, but query secure views like PER_PEOPLE_F. HR_SECURITY.SHOW_PERSON determines whether the security profile is static or dynamic, and evaluates access accordingly.

As previously mentioned, for Financial and Manufacturing users, many business views such as PABG_CUSTOMERS and POBG_STD_PURCHASE_ORDERS call the function HR_SECURITY.SHOW_BIS_RECORD which secures data according to the security profile referenced by MO:Security Profile profile option.

Here is a script that can be used to run queries on HR secure views in sqlplus. Firstly get the values of the ids in angle brackets by doing Help -> Diagnostics -> Examine in a form after logging in using the responsibility for the secure user.
e.g. BLOCK - $PROFILES$ FIELD - USER_ID VALUE -

then substitute in the values. The script counts the records available to this user/responsibility in the secure views and base tables for person and assignment.
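SET SERVEROUT ON
DECLARE
  l_per_all NUMBER := 0;
  l_per_sec NUMBER := 0;
  l_asg_all NUMBER := 0;
  l_asg_sec NUMBER := 0;
BEGIN
  -- Set the session context for the secure user/responsibility.
  -- Replace each <...> placeholder with the id obtained from Examine.
  fnd_global.apps_initialize(<USER_ID>, <RESP_ID>, <RESP_APPL_ID>, <SECURITY_GROUP_ID>);
  -- Base tables: every row in the business group, regardless of security.
  SELECT count(*) INTO l_asg_all FROM per_all_assignments_f
   WHERE business_group_id = <BUSINESS_GROUP_ID>;
  SELECT count(*) INTO l_per_all FROM per_all_people_f
   WHERE business_group_id = <BUSINESS_GROUP_ID>;
  -- Secure views: only the rows this user/responsibility can see.
  SELECT count(*) INTO l_per_sec FROM per_people_f;
  SELECT count(*) INTO l_asg_sec FROM per_assignments_f;
  dbms_output.put_line('Per all: ' || to_char(l_per_all));
  dbms_output.put_line('Per sec: ' || to_char(l_per_sec));
  dbms_output.put_line('Asg all: ' || to_char(l_asg_all));
  dbms_output.put_line('Asg sec: ' || to_char(l_asg_sec));
END;
/

4. Troubleshooting Problems

a) Check Setup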

Most security problems are usually to do with the fact that the security profile in question is not working as expected, in that it is giving access to the wrong data. The following check list can help to identify why this might be.

1. Run Security Diagnostics to verify security setup

Introduced in Family Pack K, and a good place to start your investigation. Using the Oracle Diagnostics functionality, you can run Security Diagnostics to evaluate and debug your security setup for Oracle HRMS. The tests check that your security setup is correct for your requirements and identify common issues and problem areas.

The tests produce the following report types:

o Summary - Summary of all security profiles used in your setup
o Detail - Detailed information on the security profile assigned to a given responsibility.
o Usage - Usage information on the security profile assigned to a given responsibility, for example, which responsibilities use the security profile.
o Access - List of organizations, payrolls, positions, and optionally, person assignments, a named user can access using a given responsibility.
o Exception - List of security profiles defined in the system whose set up is treated as an exception in the HRMS Security model.

See: Metalink Note #305644.1 (Human Resources (HRMS): Security Profile Setup Diagnostic Test)

2. Is the responsibility accessing the correct security profile?

Establish the security_profile_id of the Security profile in question by running the following in sqlplus:

set linesize 180
select security_profile_id, substr(security_profile_name,1,40) from per_security_profiles;

Then log on to the application using your secure responsibility, and navigate to Enter and Maintain People (PUI only). Do Help -> Diagnostics -> Examine and enter the following:
BLOCK - $PROFILES$ FIELD - PER_SECURITY_PROFILE_ID VALUE -

Check whether the id displayed against VALUE is the one that relates to your security profile. If this is not the case then, if Standard HRMS Security is used, you have not set the profile option HR:Security Profile at the correct level or, if Security Groups are enabled, you have not used the Assign Security Profile form to link the security profile to your user/responsibility.

3. Check that the security profile is set up correctly

For static list security, the acid test is whether the person to whom access is expected appears on the table PER_PERSON_LIST.

select person_id from per_person_list where security_profile_id=&security_profile_id

If no row, then either the program Security List Maintenance hasn't been run, or the rules for this profile do not allow access to this person. If they do appear then the record should be visible.

For Supervisor security, access is determined by the user logging in and which assignments report into him. Does the user who is logging on have an employee attached?

select employee_id from fnd_user where user_name = &user

Please note that the supervisor set up can yield different results depending on the rules, i.e. whether person based or assignment based and whether the Restrict on individual assignment check box is set. See the Oracle HRMS Configuring, Reporting and System Administration Guide for further explanation.

For user-based Organization and position security, the entry point into the hierarchies is determined by the primary assignment of the user logging in.

For custom security, the sql that gives access can be validated by appending the custom sql to the stem code specified in section 1).

4. Check the data

In particular check the assignment data of an identified person to see if the criteria used for determining the security rule is valid for this person.

5. Check patch level

The latest HRMS Security RUP is 4643909 which requires Family Pack F or above.
b) HRMS Security and Datetrack

Access to people's records via HRMS Security is established

a) For Static lists, by the defined criteria on the effective date on which Security List Maintenance is run.
b) For user-based security, by the defined criteria at SYSDATE.

Accessibility is NOT re-evaluated when datetracking. This can have different effects when users datetrack forward or back depending on the security profile and the person's employment history. When a security profile is defined, accessibility to person types can be Restricted, All or None. Accessibility is governed

a) By having a row on the secure person list if the person has a person_type that is Restricted on the security profile.
b) By not having a row on the secure person list if the person only has a person_type that is All on the Security profile. Eligibility is taken for granted in this case.

This can lead to different results if there have been multiple person type changes. For example:

Security Profile - Person Type Test
View Employees - Restricted
View Contingent Workers - All
Restricted to all people in the Human Resources organization.

Scenario 1

Person is an Employee in the Sales organization, and not visible to this profile. On 1st May, the organization of the employee is changed to Human Resources and he is now visible because when the secure list was calculated, either at sysdate or effective date of the Security List Maintenance program, he was an Employee, and in the Human Resources organization, and a row was inserted onto the secure person list according to case a) above. Datetracking to before the 1st May when the person was in Sales does not remove accessibility even though the profile excludes him, as accessibility is NOT re-evaluated.

Scenario 2

Person is an Employee in the Human Resources organization, visible to this profile. He is terminated and becomes an ex-employee on 30th April. On 1st June he becomes a Contingent Worker in the Human Resources organization and is visible by this profile. Datetracking to before 30th April does not retain accessibility however, because when the secure list was last calculated, either at sysdate or the effective date of the Security List Maintenance program, he was not an Employee, and a row wasn't inserted on the secure person list according to case b) above, as the profile is View All on Contingent Workers. Even though the profile includes him at the date when he was an employee, accessibility is NOT re-evaluated, so he is not visible.
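The two scenarios above can be reproduced with a small model of rules a) and b). This is an added example, not Oracle code: the function names, the person-type codes, the 2013 dates and the sample histories are constructed, and it assumes the person type in force on the datetracked date decides which rule applies.

```python
from dataclasses import dataclass
from datetime import date

# Person-type settings of the example profile "Person Type Test".
PROFILE = {"EMP": "RESTRICTED", "CWK": "ALL"}
PROFILE_ORG = "Human Resources"   # the profile's organization restriction
END_OF_TIME = date(4712, 12, 31)


@dataclass(frozen=True)
class Period:
    start: date
    end: date
    person_type: str      # EMP, EX_EMP or CWK (codes are constructed)
    organization: str


# Constructed date-tracked histories for the two scenarios.
PEOPLE = {
    "scenario1": [
        Period(date(2012, 1, 1), date(2013, 4, 30), "EMP", "Sales"),
        Period(date(2013, 5, 1), END_OF_TIME, "EMP", "Human Resources"),
    ],
    "scenario2": [
        Period(date(2012, 1, 1), date(2013, 4, 29), "EMP", "Human Resources"),
        Period(date(2013, 4, 30), date(2013, 5, 31), "EX_EMP", "Human Resources"),
        Period(date(2013, 6, 1), END_OF_TIME, "CWK", "Human Resources"),
    ],
}


def as_of(history, when):
    """Return the history row that is effective on the given date, or None."""
    for period in history:
        if period.start <= when <= period.end:
            return period
    return None


def build_static_list(people, run_date):
    """Model of a list build: criteria are evaluated once, as of run_date."""
    listed = set()
    for person_id, history in people.items():
        row = as_of(history, run_date)
        # Only Restricted person types get a row; "All" types never do.
        if (row is not None
                and PROFILE.get(row.person_type) == "RESTRICTED"
                and row.organization == PROFILE_ORG):
            listed.add(person_id)
    return listed


def is_visible(person_id, people, static_list, effective_date):
    """Visibility on a datetracked date; the stored list is not rebuilt."""
    row = as_of(people[person_id], effective_date)
    if row is None:
        return False
    # The example does not say how ex-employees are treated, so the model
    # leaves person types missing from PROFILE invisible (assumption).
    access = PROFILE.get(row.person_type, "NONE")
    if access == "ALL":             # rule b): eligibility taken for granted
        return True
    if access == "RESTRICTED":      # rule a): needs a row on the list
        return person_id in static_list
    return False
```

With the list built on 15 June, the Scenario 1 person stays visible when datetracking back to April although he was in Sales then, and the Scenario 2 person is visible today as a Contingent Worker but not on a date when he was an Employee.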

c) Prior to 12.06 User-Based or dynamic security gives access to Active assignments only
Ex-employees (if beyond Final Process Date), Ex-applicant, and Ex-Contingent workers are not visible because they won't have an active assignment on sysdate. In order to see this type of person, you will need to define a security profile using static security and run Security List Maintenance for Current and Terminated people. Contacts are also not visible using dynamic security. The same applies to assignment-level-security, which currently works out assignment accessibility dynamically only.

To recap, user-based or dynamic security includes

o Supervisor Security
o User-based Organization and Position security where top organization is determined by assignment of user logging on.
o Custom security using the 'Restrict the people visible to each user using this profile' option.
o Assignment-level-security.

Remember also that if a security profile has been created with no restrictions at all, i.e. is View All, this will also be evaluated dynamically. Consider the case where a user has created a profile to view all employees and ex-employees only. This will be evaluated dynamically and filter out ex-employees, which is not what the user requires. To resolve that they would need to force the profile to be static. To do this they could enter a restriction under the Custom tab. Choose "Restrict the People visible to this profile" and enter 1=1 in the where clause. Then run Security List Maintenance.

N.B. From R12.06 the option to include the EX person types in user-based or dynamic security profiles is provided by setting the profile option 'HR Ex-Employee Security Profile' to Yes. From R12.1 the profile was renamed to HR: Access Non-Current Employee Data. Doesn't apply to Supervisor Security, and Contacts are still excluded. Set to No to retain original functionality of restricting to Active assignments only. <> (Not available as a one-off patch).

d) Performance Issues

The most common places to see performance degradation would be at logon time when a dynamic security profile is being processed, or whilst running Security List Maintenance to maintain the static lists. Please take note of the following patches:

4643909   Latest HRMS Security RUP (Family Pack F or above)
4444325   Security List Maintenance performance issue (FP J)
5214715   Security List Maintenance performance issue (FP K)
4932555   Dynamic security causing performance problem (FP K)

n.b. all the above are included in FP K RUP1 (5055050).

Another area to check is possible poorly performing custom sql in the custom tab of the security profile definition. Never use secure views in custom code. Also beware of causing full-table scans on assignment.

Think about how you use and schedule Security List Maintenance. It can be run multi-threaded now. Calling the PERSLM process many times for single profiles continually hits the person and assignment tables. Running multi-threaded accesses the person and assignment tables fewer times, and gives better performance in global implementations. Also consider separating SLM runs for current and terminated employees.
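A pre-check for custom restriction text that applies three cautions from this document: wrap string literals in UPPER, avoid the PERSON_TYPE alias, and never reference secure views. This is an added example, not Oracle code; the function name, the finding codes and the two-entry secure view list (taken from views named in this document) are assumptions.

```python
import re

# Secure views named in this document; a real check would carry a fuller list.
SECURE_VIEWS = ("PER_PEOPLE_F", "PER_ASSIGNMENTS_F")

# A SQL string literal, allowing doubled quotes ('') inside it.
LITERAL = re.compile(r"'(?:[^']|'')*'")
UPPER_OPEN = re.compile(r"\bUPPER\s*\(\s*$", re.IGNORECASE)


def lint_custom_restriction(sql):
    """Return (code, detail) findings for one custom restriction clause."""
    findings = []

    # 1. A literal containing lower-case letters must sit inside UPPER(...).
    for match in LITERAL.finditer(sql):
        literal = match.group(0)
        if literal == literal.upper():
            continue  # already upper case, nothing to fold
        before = sql[:match.start()]
        after = sql[match.end():].lstrip()
        wrapped = bool(UPPER_OPEN.search(before)) and after.startswith(")")
        if not wrapped:
            findings.append(("CASE", literal))

    # Blank out literals so text inside strings is not read as identifiers.
    code = LITERAL.sub("''", sql).upper()

    # 2. Column references through the PERSON_TYPE alias raise ORA-904.
    if re.search(r"\bPERSON_TYPE\s*\.", code):
        findings.append(("ALIAS", "PERSON_TYPE"))

    # 3. Secure views must not be used in custom code.
    for view in SECURE_VIEWS:
        if re.search(r"\b%s\b" % re.escape(view), code):
            findings.append(("SECURE_VIEW", view))

    return findings


# The two location restrictions quoted in this document, plus one
# constructed clause that trips the alias and secure-view checks.
ORIGINAL = ("ASSIGNMENT.location_id in (select LOC.location_id from "
            "hr_locations_all LOC where LOC.location_code in ('London','Paris'))")
REWRITTEN = ("ASSIGNMENT.location_id in (select LOC.location_id from "
             "hr_locations_all LOC where UPPER(LOC.location_code) IN "
             "(UPPER('London'),UPPER('Paris')))")
CONSTRUCTED = ("PERSON_TYPE.person_type_id = 1 and ASSIGNMENT.person_id in "
               "(select person_id from per_people_f)")

if __name__ == "__main__":
    for clause in (ORIGINAL, REWRITTEN, CONSTRUCTED):
        print(lint_custom_restriction(clause))
```

The check only looks at literals, so a clean result still leaves the compared column to be wrapped in UPPER by hand, as in the rewritten restriction.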

e) Generate Secure User errors


The problem with this program is that on 99% of occasions, the user shouldn't be running it at all. It would be better named as Generate Secure Reporting User, as it simply grants the HR_REPORTING_USER role to an Oracle user other than APPS which is used for reporting purposes only. There is no need to run this program if you are just defining normal security profiles to restrict user access to data using the standard Oracle HRMS Application forms and html interfaces. The following sql can be run to check whether any reporting oracle users have been used on security profiles.

select security_profile_id, security_profile_name, reporting_oracle_username from per_security_profiles where reporting_oracle_username IS NOT NULL;
If no reporting users, DO NOT run this program.

f) Security List Maintenance errors


If the Security List Maintenance program has errored out, then on occasion it may be necessary to further debug it by running PYUPIP. The following steps should be taken to get a PYUPIP trace based on FP K Patch level. Change parameters as appropriate. If on a different patching level, it may be necessary to add or remove some parameters:

1. Login to the SQLPLUS
2. Set serveroutput on
3. spool pyupip.out
4. Execute the following

BEGIN
  hr_utility.set_trace_options ('TRACE_DEST:DBMS_OUTPUT');
  hr_utility.trace_on;
  pay_pyucslis_pkg.generate_lists(
     p_effective_date         => trunc(sysdate)
    ,p_generation_scope       => 'ALL_PROFILES'
    ,p_business_group_id      => NULL
    ,p_security_profile_id    => NULL
    ,p_security_profile_name  => NULL
    ,p_who_to_process         => 'ALL' -- Current and Terminated people
    ,p_user_id                => NULL
    ,p_static_user_processing => 'ALL_STATIC'
  );
  hr_utility.trace_off;
Exception
  when others then
    dbms_output.put_line(sqlerrm);
    hr_utility.trace_off;
END;

Security Profile usage in Oracle HRMS


POSTED BY ABHIJIT RAY, AUGUST 20, 2013

The security profile determines which applicant, employee, contingent worker and other person type records are available to holders of the responsibility the profile is linked to.

This is a very effective way of restricting access to employee records on responsibilities/users.

If you are using HRMS Standard security, you link a security profile to one responsibility using the HR:Security Profile profile option.

If you are using Security Groups Enabled security, you link a security profile to the user's responsibility and business group using the Assign Security Profile window. You can also link more than one security profile to a responsibility, as long as the user is different. This saves you setting up a new responsibility for each security profile you use.

Note: If you are using the Security Groups Enabled security model you must not use the HR:Security Profile profile option. This is automatically set up when you assign security profiles using the Assign Security Profile window.

Here is how security profile is created and used.

Step 1: Create a security profile Responsibility: Global HRMS Manager

Navigation: Security > Profile

By default Oracle provides a security profile named, Setup Business Group.

Note: Setup Business Group is also a business group given by Oracle to allow us to install business groups. This is because business groups are created in HRMS responsibilities and a HRMS responsibility cannot exist without being assigned to a business group. Therefore the default HR responsibility, Global HRMS Manager, is assigned a business group, Setup Business Group, and the same security profile until it is changed. We shall create security profile as shown below

Save and close the form

Step 2: Assign the security profile to the responsibility

Responsibility: System Administrator

Navigation: Profile > System

Query for profile options,

HR: Security Profile

HR:User Type

This profile option is optional

HR:Business Group

Business group of the responsibility

Important: 1. The business groups in the profile option, HR:Business Group, and the Security Profile should match else we shall get the following error.

2. When Standard HRMS Security is used you will get the following error when trying to access the Assign Security Profiles form from the menu.

Important notes from Oracle: Restricting Access to Records You set up a security profile by identifying records of employees, applicants, contingent workers, and candidates in the system which you want users to be able to access. You identify the records by selecting work structures or other criteria in the application to which employees, applicants, contingent workers, or candidates are attached. For example, you could give users access only to the records of employees, applicants, contingent workers, or candidates in a single organization.

You can also create restrictions on records with a person type of Other. This includes contacts for employees or applicants, and any other people with a person type in the category of Other. You do this using the View Contacts option. You can combine different types of restriction to create a set of rules giving exactly the security access permissions you require.

When you create a business group a view-all security profile is automatically created. This has the same name as the business group. The security profile provides access to all employee, contingent worker, and applicant records in the business group. The system administrator links this view-all profile to users who are setting up the system. They in turn can set up security for other users. The criteria you can use to identify records are:

o Internal organizations and organization hierarchies
o Positions and position hierarchies
o Payrolls
o Supervisors and supervisor hierarchies
o Custom restrictions
o Assignments

Tip: Oracle recommends that you use either a supervisor or position hierarchy for Self-Service Human Resources (SSHR).
