Friday Jul 10, 2015

Data Masking in Release 10 Fusion Applications

In Release 10 of Fusion Applications, Oracle Data Masking for Fusion HCM Security Cloud Service is offered as an optional subscription service for Fusion HCM Cloud customers.

Data masking, also known as data scrambling or data anonymization, is the process of replacing sensitive information copied from a production database to a test or non-production database with realistic, scrubbed data based on masking rules. Data masking is ideal for any situation where confidential or regulated data needs to be shared with non-production users who need access to the original data, but not necessarily to every column of every table. Examples of non-production users include internal application developers or external business partners, such as offshore testing companies, suppliers or customers.

Customers can submit a data masking service request as part of a production-to-test (P2T) refresh request. Personally Identifiable Information (PII) data are removed or masked in the Applications schema, and removed from temporary tables, interface tables and audit shadow tables including workflow notifications. In addition, links to attachments are removed, thus removing access to these attachments from the user interfaces. Data masking is run after the environment refresh and released to customers after the masking process is complete.

Data Masking in Release 10 Fusion Applications

Data Masking in Release 10 of Fusion Applications is designed to mask specific sensitive personal data or PII attributes. Different masking rules are applied to these attributes to ensure that the masked data does not fail validation when it is queried in Fusion Applications user interfaces. PII attributes covered by data masking are:

  • Person Name
  • Person Telephone Number
  • Date of Birth
  • Date of Death
  • Country / Town / Region of Birth
  • Address
  • Bank Account Name
  • Bank Account Number
  • Credit Card Number
  • Instant Messaging / Email Address
  • Passport Number, Visa or Work Permit details
  • Tax Registration Number or National Taxpayer Identifier

Customers are strongly encouraged to use the principle of least privilege when granting users access to a masked database by restricting the access privileges. Users should be granted only those privileges that are necessary to complete their work.

There are some scenarios that are not addressed by the Oracle Data Masking for Fusion HCM Security Cloud Service.

  • Underlying identities are not masked in the Fusion schema; therefore, it is possible to associate internal database IDs with identities and infer those identities in the masked database.
  • User login accounts are not masked; therefore, certain formats such as firstname.lastname may reveal identities in the masked database.
  • Other sensitive information, such as compensation, performance and benefits, is not masked.
  • Running Payroll on a masked database may not fetch valid results as any PII attributes related to payroll calculation are scrambled.
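
An added Python example (not Oracle's masking implementation) of two points above: a masking rule that keeps a credit card number and a date of birth valid for application checks, and a check for the unmasked firstname.lastname login format named in the limitations. The key, function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

MASK_KEY = b"constructed-demo-key"  # assumption: per-refresh secret, kept out of the test copy

def _digits(seed: str, n: int) -> str:
    """Derive n decimal digits from HMAC-SHA256(seed); same input gives same output."""
    out, counter = "", 0
    while len(out) < n:
        mac = hmac.new(MASK_KEY, f"{seed}:{counter}".encode(), hashlib.sha256)
        out += str(int(mac.hexdigest(), 16))
        counter += 1
    return out[:n]

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

def mask_card(pan: str) -> str:
    """Replace all digits, keep the length, recompute the check digit."""
    body = _digits("card:" + pan, len(pan) - 1)
    return body + luhn_check_digit(body)

def mask_birth_date(dob: date) -> date:
    """Shift back by a keyed offset of 1..365 days; the result is always a real date."""
    offset = int(_digits("dob:" + dob.isoformat(), 6)) % 365 + 1
    return dob - timedelta(days=offset)

def logins_revealing_names(logins):
    """Flag unmasked login accounts shaped like firstname.lastname."""
    return [u for u in logins if re.fullmatch(r"[a-z]+\.[a-z]+", u.lower())]

if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number, not a real account
    print(mask_card(pan), luhn_valid(mask_card(pan)))
    print(mask_birth_date(date(1980, 2, 29)))
    print(logins_revealing_names(["jane.doe", "u10482", "svc_hcm"]))
```

Because the mapping is keyed and deterministic, the same production value masks to the same test value in every table, which keeps joins consistent without storing a lookup table.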

Tuesday Jun 25, 2013

Fusion HCM SaaS – Integration


A typical implementation pattern we’re seeing with Fusion Apps early adopters is implementing a few Fusion HCM applications that bring the most benefit to their company with the least disruption to existing programs and interfaces. Very often this ends up being Fusion Goals & Performance, Talent, Compensation or Benefits, often with Taleo for recruiting. The implementation picture looks like what you see below:


Here, you can see that all the “downstream integrations” from the On-Premise Core HR are unaffected because the master for employee data is still your On-Premise Core HR system – all updates and new hires are made here (although they may be fed in from Taleo to start with).

As a second phase, when customers migrate Core HR to Fusion HCM, they have to come up with a strategy to manage integrations to all their downstream applications that require employee details. For customers coming from EBS HR, a short-term strategy that allows for minimal impact is to extract employee data from Fusion (via HCM Extract), load the shared EBS HR tables (which are part of an EBS Financials install anyway), and let your downstream integrations continue to function based on this data, as shown below.


If you are not coming from EBS HR and there are license implications, you may want to consider:

  1. Creating an On-Premise warehouse for extracting data from Fusion Apps.
  2. Leveraging Fusion Apps Web Services (available to SaaS customers starting R7) to directly retrieve/write data to Fusion Apps.

Integration Tools

File Based Loader

This is the primary mechanism for loading HCM data (both initial load and incremental updates) into Fusion HCM. Employee & related data can be uploaded into Fusion HCM using File Based Loader.

Note that the ability to schedule File Based Loader to run on a pre-defined schedule will be available as a patch on top of Rel 5.

Hr2Hr has been deprecated in favor of File Based Loader, but for existing customers using Hr2Hr, here are some sample scripts that show how to get more informative error messages. They can be run by creating data model SQL queries in BI Publisher. The scripts currently have hard-coded values for request id and loader batch id, which your developer will need to update to the correct values for you. The BI Publisher Training Session recorded on Apr 18th is available here (under "Recordings"). This will enable a somewhat technical resource to create a data model SQL query.

Links to Documentation & Training
Reference documentation for File Based Loader on docs.oracle.com

FBL 1.1 MOS Doc Id 1533860.1

Sample demo data files for File Based Loader

HCM SaaS Integrations ppt and recording.

EBS APIs

Loading Information into EBS Full or Shared HCM

This could be candidate information being loaded from Taleo into EBS or employee information being loaded from Fusion HCM into an EBS shared HR install (for downstream applications & EBS Financials).

Oracle HRMS Product Family Publicly Callable Business Process APIs (A Reference Consolidation) [ID 216838.1]
This is a guide to the EBS R12 Integration Repository accessible from an EBS instance.

EBS HRMS Publicly Callable Business Process APIs in Release 11i & 12 [ID 121964.1]

Fusion HCM Extract

Fusion HCM Extract is the primary mechanism used to extract employee information from Fusion HCM.

Refer to the "Configure Identity Sync" doc on MOS for additional mechanisms.

Additional documentation (you'll need an oracle.com account to access)
HCM Extracts User Guides (Rel 4 & 5)

HCM Extract Entity/Attributes (Rel 5)

HCM Extract User Guide (Rel 5)

If you don’t have an oracle.com account, download the zipped HCM Extract Rel 5 Docs (Click on File --> Download on next screen).

View Training Recordings on Fusion HCM Extract

Benefits Extract

To set up the benefits extract, refer to the following guide.
Page 2-15 of the User Documentation describes how to use the benefits extract.

Benefit enrollments can also be uploaded into Fusion Benefits. Instructions are here along with a sample upload file.

However, if the defined benefits extract does not meet your requirements, you can use BI Publisher (Link to BI Publisher presentation recording from Apr 18th) to create your own version of Benefits extract. You can start with the data model query underlying the benefits extract.

Payroll Interface

Fusion Payroll Interface enables you to capture personal payroll information, such as earnings and deductions, along with other data from Oracle Fusion Human Capital Management, and send that information to a third-party payroll provider.

Documentation:
Payroll interface guide
Sample file
DBI's used for the payroll interface

Fusion HCM Integration Patterns

Wednesday Mar 27, 2013

Managing Workflow Notifications in Fusion Apps – An Example

This article illustrates an example of a system administrator viewing and taking action on SOA Human Workflow notifications generated by a composite process that underlies a Fusion Apps HCM Task. As part of the privileges granted by their enterprise role, the administrator is able, for example, to reassign, suspend, or withdraw the requested action in the task.

What is a Human Workflow?

Human Workflow is the component of Oracle’s SOA suite that allows humans to interact with a process. For example, a manager might need to approve a purchase order or an expense report before the transaction (issuing a purchase order or reimbursing expenses) is completed, or might need to reassign a task they are unable to complete. In addition to allowing users of an application to interact with its processes, the capabilities of the Human Workflow include full task lifecycle management: the ability to reroute tasks, escalate them, and set deadlines by which they must be completed. Tasks are presented to the concerned user through the BPM Worklist application or other channels such as email.


The Task and its Rules

In our example we will use a Fusion HCM Transaction example to illustrate how a transaction is routed and what actions an administrator can take on that transaction.

The table below lists Fusion Core HCM transactions that are enabled for approvals.

| Seeded Approvals (Include 2 Levels of Supervisor chain) | Seeded Auto-Approved |
|---|---|
| Transfer | Manage Salary (typically configured to require approval) |
| Promotion | Manage Compensation (typically configured to require approval) |
| Change Manager | Share Information (requires approval by worker) |
| Change Location | Change Marital Status |
| Change Working Hours | Create Employment Terms |
| Terminate Work Relationship | Manage Employment |
| Hire an Employee | Manage Grades |
| Add a Non-worker | Manage Grade Ladders |
| Add a Contingent Worker | Manage Grade Rates |
| Add a Pending Worker | Manage Jobs |
| Create Work Relationship | Manage Locations |
| Manage Work Schedule Assignment | Manage Organizations |
| Manage Absence Records (1 level) | Manage Person |
| Manage Document Record (1 level) | Manage Positions |
| Submit Performance Document (1 level) | |
| Add Goal (1 level) | |

Table 1. Fusion HCM Transactions


Let us start by looking at the Promotion Task and the rules associated with that task.

Figure 1 shows the composite process that handles the HCM Promotion task. This composite consists of several SOA components and includes the services and references in Figure 2.

Figure 1. Deployed Promotion Approvals Composite processes.

Figure 2. Components of the Promotion Approval Composite

In Figure 3 below, the rule defined reads as follows: For the promotion process and for all cases (the condition 1=1 being always true) build the approval list based on the supervisory hierarchy and process the transaction two levels above the approver, starting with the approver’s manager and stopping with the user “douglas.mcneil” who happens to also be the CEO and the top node in the hierarchy.

Figure 3. BPM Task Configuration Rules

The Administrator’s privileges

In Fusion Applications the ability to access functions across products is controlled by functional privileges granted to a user through APM (Access Provisioning Manager). The application role that allows an administrator to view all human tasks is “BPM Workflow System Admin Role”. Several of the seeded roles in the reference implementation inherit this duty. The table below shows the hierarchy for the Human Capital Management Application Administrator.

| Level | Display Name | Role Name | Description | Inherited by |
|---|---|---|---|---|
| 1 | Human Capital Management Application Administrator | HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB | Configures the Oracle Fusion Global Human Resources application and has access to all duty roles necessary to implement the Compensation, Workforce Deployment, and Workforce Development offerings. | |
| 2 | BPM Workflow System Admin Role | BPMWorkflowAdmin | This role grants a user the privilege to perform administrative actions in the workflow functionality via the worklist UI. A user in this role will be able to view all tasks in the system, recover errored (incorrectly assigned) tasks, create approval groups and edit task configuration / rules DT@RT UI (both AMX functionality). This is a business administrator type role. This role is granted to SOAAdmin. | 1 |

Table 2. Seeded Roles that provide access to all Tasks in the Worklist application

Figure 4. Role hierarchy assigned to the administrator for the example in this document

The HCM Transaction

At the conclusion of a performance evaluation cycle, a manager determines that an employee is a candidate for a promotion. The manager initiates the request from the Manager Resources Dashboard. The necessary adjustments are made to the employee’s Job and Compensation details, and the transaction is submitted.

Figure 5a. Supervisory Hierarchy: Donald Alexander reports to Douglas McNeil

Figure 5b. Supervisory Hierarchy: Stella Marcus reports to Donald Alexander

Figure 5c. Supervisory Hierarchy: Jaime Gregg reports to Stella Marcus

Figures 5a, 5b and 5c show three levels in the supervisory hierarchy. The transaction we will use in our example below is for employee Jamie Gregg and will be submitted by her manager, Stella Marcus. Based on the approval rules we defined earlier, this promotion request will be routed to the next two levels in the hierarchy in sequence: Donald Alexander, then Douglas McNeil.

The manager selects the Promote Action from the employee’s card in the Org chart.

Figure 6. The Manager Selects the Promote Action from the Org Chart.

The manager completes the promotion request and reviews the details prior to submission. The approval list is built in the last step of the transaction, as illustrated in Figures 7a and 7b below.

Figure 7a. The last step in the transaction is the review of the request prior to submission

Figure 7b. The Approval list built in the last step of the transaction prior to submission.

Initiated transactions generate an instance of the composite process discussed earlier (see Figure 8 below), and are available to the participants and administrator. The instance also retains the status and history of the transactions during its lifecycle and after completion.

Figure 8. The Task instance in the Worklist of the Manager

After submission, the manager can review the initiated task and amend it by adding attachments or comments as seen in Figure 9 below.

Figure 9. Comments and Attachments added to the request

The Notification

Based on the rules applicable to the promotion transaction we discussed earlier, the process sends a request for approval to the manager of the requestor. However, let us assume that Donald Alexander, the manager of Stella Marcus and the first of the two approvers, is not available to take action on the request. Stella makes a request via the comments field to have the administrator skip the current stage and forward the request to the next approver.

The Administrator Action

The administrator, Kyle Bailey, searches for transactions assigned to Donald Alexander (Figure 10) and can perform the actions listed in Figure 11, namely skip the current assignment, suspend, withdraw or reassign the request to a different user.


Figure 10. Administrator queries tasks assigned to Donald Alexander


Figure 11. Actions an administrator can take on an assigned task

After reassignment of the task by the administrator to the next approver, Douglas McNeil can now see the Task in their worklist.


Figure 12. Worklist of the user to whom the task was reassigned

All changes made to a task instance remain with the task and are viewable by all users who have access to that task, namely the participants in the transaction (the approvers) and the administrator. A completed task with a full history of task actions and the participants who made them is shown in Figure 13 below.

Figure 13. Completed Task
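
The routing rule, the administrator's skip action and the retained task history described in this article, as an added Python example (not Oracle SOA Suite code or its API). The `Task` class and its methods are hypothetical, and the login-style ids other than `douglas.mcneil` are constructed from the names in Figures 5a and 5b.

```python
# Supervisory hierarchy from Figures 5a-5b (ids are assumptions except douglas.mcneil).
MANAGER_OF = {
    "stella.marcus": "donald.alexander",
    "donald.alexander": "douglas.mcneil",
    "douglas.mcneil": None,
}
TOP_APPROVER = "douglas.mcneil"   # the rule stops at this user
ADMIN_ROLE = "BPMWorkflowAdmin"   # role name from Table 2

def build_approval_list(requestor, levels=2):
    """Walk up from the requestor's manager for `levels` steps or until the top node."""
    chain, current = [], MANAGER_OF.get(requestor)
    while current and len(chain) < levels:
        chain.append(current)
        if current == TOP_APPROVER:
            break
        current = MANAGER_OF.get(current)
    return chain

class Task:
    """Hypothetical task instance that keeps every action in its history."""
    def __init__(self, requestor):
        self.approvers = build_approval_list(requestor)
        self.position = 0
        self.history = [("submitted", requestor, None)]

    @property
    def assignee(self):
        if self.position < len(self.approvers):
            return self.approvers[self.position]
        return None  # approval list exhausted: task is complete

    def admin_skip(self, admin, roles):
        """Skip the current assignee; requires the admin role and is always recorded."""
        if ADMIN_ROLE not in roles:
            self.history.append(("skip-denied", admin, self.assignee))
            raise PermissionError(f"{admin} lacks {ADMIN_ROLE}")
        self.history.append(("skip", admin, self.assignee))
        self.position += 1

    def approve(self, user):
        if user != self.assignee:
            raise PermissionError(f"{user} is not the current assignee")
        self.history.append(("approve", user, None))
        self.position += 1

if __name__ == "__main__":
    task = Task("stella.marcus")
    task.admin_skip("kyle.bailey", {ADMIN_ROLE})
    task.approve("douglas.mcneil")
    print(task.history)
```

Recording the denied attempt as well as the successful skip gives a reviewer of the task history both who used the administrative privilege and who tried to.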

References

Oracle® Fusion Middleware Developer's Guide for Oracle SOA Suite 11g Release 1 (11.1.1) Part Number E10224-05 -- Chapter 27


Oracle SOA Suite Components



About

This blog shares with the broader Fusion Applications community instructional material in the areas of Enterprise Structures, Extensibility, Integration and Security with a focus on implementation. This blog is updated by the Fusion Applications Functional Architecture organization.
