Security Offerings in Oracle Fusion HCM Analytics

When it comes to personnel data, trust is essential. Employees rely on their organizations to safeguard personally identifiable information (PII), trusting their HR departments and managers to keep the data private. If employee data were to be leaked or viewed by unauthorized individuals, that would undermine employee trust and leave the organization vulnerable to liabilities. Oracle Fusion HCM Analytics provides an array of fine-grained controls that enable administrators to provide security and protect trust, ensuring data can’t be accessed by unauthorized individuals outside the organization and, even beyond that, by establishing internal data privacy controls.

Upholding data privacy standards depends heavily on the ability to restrict within the organization who can access which data. While some super users might have wide-reaching access to view across multiple business units, ideally most are limited to only the business units for which they’re directly responsible. Restricting the number of people who can access data  allows organizations to help mitigate the risk of data being unintentionally viewed.

New Security Features for Securing Access to Data and Objects 

In previous releases of Oracle Fusion Analytics Warehouse (FAW), users could control security with out-of-the-box data roles.

Common examples of uses for data roles include permitting line managers to access their supervisory hierarchy-based data; enabling HR users to see complete organizational data or data restricted based on business unit, legal employer, and department; and restricting a user from accessing their own records.

In the latest release, FAW grants users more fine-grained control over data by allowing the configuration of custom data roles and custom security that expands the out-of-the-box capabilities. Also, ‘country context’ has been added to the out-of-the-box contexts offering. With custom data roles and custom security features, data security can be applied on custom subject areas; and on any filter criteria such as exclude access to X grade, access based on bargaining unit, exclude access to HR department data, and similar.

Even as the number of out-of-the-box duty roles are expanding, some users need the flexibility to create their own roles. In the latest release, administrators can create custom duty roles that can restrict access to custom subject areas created through the extensibility framework and can restrict access to any facts and dimensions in existing subject areas. By creating custom data roles, administrators can then restrict access to different facts and dimensions in the subject area based on any attributes not available with the out-of-the-box security context and can assign that data role to the user. 

In the latest release, licensed groups are added. A user must be assigned to one of the predefined licensed groups to obtain access to FAW. System roles such as author and consumer are wired deep within new licensed groups – FAW Licensed HCM Consumer and FAW Licensed HCM Author. Licensed groups are provided for other functional pillars such as ERP (FAW Licensed ERP Consumer and FAW Licensed ERP Author) and for administrators (such as Service Admin and Security Admin).

Let’s explore a number of key functions and tasks within the latest release.

Guided Tour of Security Control for FAW

Accessing the Console

From the FAW Home page, click the main navigation menu (the hamburger icon) and select Console.

Not all users can access the Console. Only those with the appropriate permissions can view the security controls section. For complete information on this topic, see the product documentation.

On the Console, note the following tabs:

1. Users
   1. Assign users to groups.
   2. Add users to FAW from IDCS.
   3. Assign security values to workers.
   4. Copy security assignments from one user to another user.
2. Groups
   1. Create custom groups.
   2. Add or revoke application roles from out-of-the-box job groups and custom job groups.
   3. Assign authenticated users to groups.
3. Application Roles
   1. Add or revoke application roles from out-of-the-box job groups and custom job groups.
   2. Create custom application roles such as data and duty roles.
4. Security Assignments
   1. Add or revoke security values from users.
5. History
   1. Show the history of all transactions.

Users 

To add a user from the Users tab, click Add User.

Click Create a New User.

Add the new user’s details. You can easily use the person’s email address as their user name.

Assigning Users to Licensed Groups

All IDCS users are visible from the users’ page. 

This is also the place to add users to Licensed Groups.

Groups

• View, add, and update various data or duty roles to any of the out-of-the-box job groups.
• Create custom job groups and assign or revoke application roles.

• Assign or revoke users to any job groups from this tab.

Application Roles

• From the Application Roles tab, create application roles (data and duty roles).
• Assign and revoke application roles to out-of-the-box job groups and custom job groups.
• All the licensed groups are immutable; you can’t assign application roles to these licensed groups.

You can add to multiple groups by selecting one from the list. If you select multiple groups, then the Show Selected Only option displays only those groups selected in the current operation.

Add Security Assignments

Within the Security Assignments tab, you can assign security values to users. You can filter through context, making it easier and faster to specify the values. 

Clicking Manage Users opens the dialog for adding users. Users must have their business data roles given to them before they can be assigned new security values.

View History

Display the History tab to view audit logs of all actions that have been made through the Security console. This important feature helps to ensure compliance.

Security and Extensibility

In the latest release, FAW allows the creation of custom data and duty roles to implement data and object security.

• Create a custom application role (either a data role or duty role).

• After configuring a custom application role in the Security console, use the semantic model extensions to:
  • Specify objects secured by the custom duty roles.
  • Specify dimensions and facts secured by the custom data roles.

• Configure object permissions to be used with custom duty roles created for restricting access to the complete subject area or various objects (such as facts and dimensions) within the subject area.

• Select Subject area from the Select object drop-down list.
• Select Duty roles and set up permissions.

• Review your changes.

• Publish the changes:
  • Select None-Unpublish from the Uses Extension or Security Configurations drop-down list to reset the semantic model to its predefined settings.

• Configure data security:
  • Learn how to configure custom data security in FAW in nine steps here. 

• Configure filters for various facts and dimensions. You can secure subject areas; presentation tables and columns at the hierarchy level; and logical tables and columns at the logical level.

• Use functional groups:

Looking Ahead for FAW Security

While there's currently no automated data security syncing between FAW and Oracle Cloud HCM, in future releases the process of assigning security values will become simpler. Administrators will be able to perform mass uploads of user information from a Microsoft Excel file with their specified security values.

With more fine-grained controls, FAW is taking the next step to give organizations the ability to fine-tune security to meet their specific needs. With greater extensibility for customization, an even simpler interface for managing security, and more out-of-the-box duty roles included, FAW is making it easier to take control of your security without compromising efficiency.

Schedule a meeting today to talk the Oracle Analytics product team and learn more about how you can implement secure people analytics for your organization.