Setting Up Custom Human Resource Analyst and Line Manager Data Security Access

May 3, 2023 | 4 minute read
NICOLAS BARASZ
Director, Analytics Customer Excellence
Nupur Joshi
Senior Principal Product Manager, Analytics Apps for HCM

With inputs from Sreebhushan Shivapuram, Consulting Member Technical Staff, Software Development.

This article describes how to configure data security access for an HR Analyst and a Line Manager. The principle of this solution is to replace the standard data security roles provided by Oracle Fusion Analytics Warehouse (FAW) with custom data security roles that can be combined. One role provides access to all data. Another role provides access only to line manager data. 

The primary use case for creating two separate custom data security roles is to give a line manager access to more data than their own supervisory hierarchy. When a user holds both pre-built data roles, Line Manager Data Security and HCM View All Data, the result is the most restrictive data access. To grant users the least restrictive data access, despite them being assigned to the Line Manager Data Security role, you must create two separate custom data roles, without any functional group or without using the same functional group.

The following image illustrates the workflow for setting up the least restrictive data access:

Overview

The following section contains step-by-step instructions with required code snippets to grant users the least restrictive data access:

  1. In the FAW Console, select Security, then Application Roles. Create two custom data security roles: Custom HR Analyst View All and Custom Line Manager.


  2. In the FAW Console, select Semantic Model Extensions, select Security Configurations and create a data security step for each role.


  • Create a data security filter based on the logical object for “Dim – Worker” and for each fact table that needs to be secured. Each time new pipeline modules are activated, the corresponding fact tables must be secured in this screen.
  • For each of these security filters, in both roles, specify exactly the same name as the Functional Group. Sharing the same functional group is what creates an “OR” condition between the two filters when a user has both roles.
  • For the role that gives access to all data, define the security filter as 1=1.


  • For the role that restricts data for the line manager, define the security filter as "Core"."Dim - Manager Security"."Manager Identifier"=VALUEOF(NQ_SESSION."HCM_PERSON_ID")


  • Publish the model, including all security configurations.
  • In the FAW Console, select Security, then Groups, and select the group used for the Line Manager (the pre-built Line Manager group and any custom group used for Line Managers). Remove the mapping to the standard data security role HCM Line Manager Data Security and add a mapping to the Custom Line Manager data security role instead.
  • Similarly, for any group that needs access to all data (such as “Human Resource Analyst”), remove the pre-built data security role HCM View All Data Security and add the Custom HR Analyst View All data security role.
  • In this example, you grant the line manager access to all data. Similarly, if line managers need access to their own supervisory organization data plus additional access to a Business Unit / Legal Employer / Country / Department, you must set up two separate custom data roles:
    • Custom Line Manager Data Security.
    • Custom Business Unit / Legal Employer / Country / Department data security: If you use Area Of Responsibility to grant such access in Oracle Fusion Cloud HCM, then follow all steps mentioned in this article: Setting up Custom Security Use Cases in Fusion HCM Analytics.
    • Use the following sample SQL code to create the session variable step described in the previously mentioned article.

SELECT DISTINCT 'FAW_AOR_SESSION_VAR', BUSINESS_UNIT_ID /*Select required AOR attributes*/
FROM dw_asg_responsibility_d a, dw_user_person_d b
WHERE a.person_id = b.person_id
  AND UPPER(b.username) = UPPER(':USER') /*Logged In User*/
  AND a.status = 'Active'
  AND sysdate BETWEEN a.start_date AND a.end_date
  AND RESPONSIBILITY_TYPE = 'HR_REP' /*Update AOR Type based on AOR Data*/

To validate the setup, assign user ANNA.HOLM to the Custom Line Manager and Custom HR Analyst groups along with the FAW Licensed system group. When user ANNA.HOLM accesses FAW and runs a query on Headcount, she can see "All data" instead of seeing her own supervisory organization data with the pre-built Line Manager Data Security and HCM View All Data Security roles.
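The validation above can be reasoned about offline before publishing. The following is an added example, not Oracle's code or part of the original article: a small Python model of how the two filters combine for one user. It assumes, per the Functional Group step, that filters sharing a functional group are OR-ed, and it models the restrictive outcome the article attributes to the pre-built roles as an AND of the two filters; the worker rows, person IDs and group names are constructed.

```python
# Added illustration: toy model of row-level filter combination (not FAW code).
# Assumption: filters in the same functional group are OR-ed; separate groups
# are AND-ed, which models the restrictive result described for the pre-built roles.
from collections import defaultdict

# Constructed sample rows standing in for "Dim - Worker".
WORKERS = [
    {"worker": "W1", "manager_id": 100},
    {"worker": "W2", "manager_id": 100},
    {"worker": "W3", "manager_id": 200},
    {"worker": "W4", "manager_id": 300},
]

def view_all(row, session):
    """The 1=1 filter of the Custom HR Analyst View All role."""
    return True

def line_manager(row, session):
    """"Manager Identifier" = VALUEOF(NQ_SESSION."HCM_PERSON_ID")."""
    return row["manager_id"] == session["HCM_PERSON_ID"]

def visible_rows(filters, session, rows=WORKERS):
    """filters: list of (functional_group_name, predicate) held by the user."""
    groups = defaultdict(list)
    for group, predicate in filters:
        groups[group].append(predicate)
    # OR inside each functional group, AND between groups.
    return [
        r["worker"] for r in rows
        if all(any(p(r, session) for p in preds) for preds in groups.values())
    ]

SESSION = {"HCM_PERSON_ID": 100}  # constructed person id of the test user

LM_ONLY = [("HCM_WORKER", line_manager)]
# Both roles, filters kept apart: intersection, i.e. the restrictive outcome.
SEPARATE = [("GROUP_A", view_all), ("GROUP_B", line_manager)]
# Both custom roles with the same Functional Group name: union, i.e. all data.
SHARED = [("HCM_WORKER", view_all), ("HCM_WORKER", line_manager)]

if __name__ == "__main__":
    for name, cfg in (("line manager only", LM_ONLY),
                      ("both, separate", SEPARATE),
                      ("both, shared group", SHARED)):
        print(f"{name:20s} -> {visible_rows(cfg, SESSION)}")
```

Running the same comparison for a user who should hold only the line manager role confirms that the shared functional group does not widen that user's access.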

Call to Action

This article describes setting up custom data security in Fusion HCM Analytics to grant users access to more data than their supervisory organization. By following these instructions, you can set up a custom Line Manager data security role and a custom data role granting all data access. Use the sample code snippets for cases where line managers have access to additional Business Units / Legal Employers / Countries / Departments or any other AOR attribute governed via Area Of Responsibility in Oracle Cloud HCM.


Ravi Guddanti

