Overview

Oracle Cloud HCM has several batch jobs in Global HR, Compensation, Payroll, Benefits, Talent, etc., which are secured by the seeded security model. But what if you have a business requirement to customize access at the job level? For example, User1 can run only 10 jobs, User2 can run only 5 jobs, and User3 should not be able to run any job. This article answers that question.

There are two ways to customize the access:

  1. Global Access – Access to the Scheduled Processes UI
  2. Job Access – User is allowed or restricted from running specific job(s)

Global Access

This method controls access to the Tools > Scheduled Processes page. Use it when the requirement is to restrict users from running all jobs.

The functional privilege Manage Scheduled Processes (FND_MANAGE_SCHEDULED_PROCESSES_PRIV) controls access to this page. To allow or restrict access, identify the roles that carry this functional privilege and add them to or remove them from the user profile, respectively.

Use Tools > Security Console to identify roles with this functional privilege:

[Screenshot: Schedule Processes Roles – identify roles with access to Schedule Processes page]

Job Access

This method controls access to a specific ESS job available from the Tools > Scheduled Processes page.

Follow the steps below to apply restrictions on a user profile for a specific ESS job:

  1. Identify Job Definition Name for the ESS job
  2. Identify Privileges needed to run this job definition
  3. Identify Roles that have these privileges assigned
  4. Perform action on User profile based on below scenarios
    1. Allow Job run – Assign at least one Role found in Step #3 to the User
    2. Restrict Job run – Revoke all Roles found in Step #3 from User

For example, for the ESS job Synchronize Person Assignments from Position, the job definition name is SynchronizeManagerHierarchyJob.

To restrict a user from running this ESS job, remove all the roles below from their user profile:

| # | Job Definition Name | Privilege Name | Role Name | Inherited By Roles |
|---|---------------------|----------------|-----------|--------------------|
| 1 | SynchronizeManagerHierarchyJob | Synchronize Line Manager Hierarchy | Human Capital Management Application Administrator | Application Implementation Consultant |
|   |                     |                | Human Resource Specialist | Human Resource Manager |
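Step 4 of the procedure above can be checked offline against an export of the role query. The following is an added example, not code from the original article: the CSV layout, the pairing of roles with their inheriting roles, the user names and the "Employee" role are all constructed for illustration. It treats both the role that holds the privilege and every role that inherits it as granting the job, so a user who only holds an inheriting role is still flagged.

```python
import csv
import io

# Constructed sample: CSV export of the role query for one job definition,
# using the role names listed above (the pairing of columns is assumed).
QUERY_EXPORT = """perm_code,priv_name,role_name,inherited_by_roles
SynchronizeManagerHierarchyJob,Synchronize Line Manager Hierarchy,Human Capital Management Application Administrator,Application Implementation Consultant
SynchronizeManagerHierarchyJob,Synchronize Line Manager Hierarchy,Human Resource Specialist,Human Resource Manager
"""

# Constructed user-to-role assignments (hypothetical users and roles).
USER_ROLES = {
    "User1": {"Human Resource Manager", "Employee"},
    "User2": {"Employee"},
    "User3": {"Human Resource Specialist", "Application Implementation Consultant"},
}


def granting_roles(export_text, job_name):
    """Return every role that lets a user run the job: the role holding the
    privilege plus each role listed as inheriting it."""
    roles = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        # Mirror the query's filter: permission code ends with the job name.
        if not row["perm_code"].upper().endswith(job_name.upper()):
            continue
        roles.add(row["role_name"].strip())
        inherited = row.get("inherited_by_roles") or ""
        roles.update(r.strip() for r in inherited.split(",") if r.strip())
    return roles


def roles_to_revoke(user_roles, granting):
    """Map each user to the roles that must all be revoked to block the job.
    An empty list means the user cannot run the job today."""
    return {user: sorted(assigned & granting)
            for user, assigned in user_roles.items()}


if __name__ == "__main__":
    granting = granting_roles(QUERY_EXPORT, "SynchronizeManagerHierarchyJob")
    for user, roles in roles_to_revoke(USER_ROLES, granting).items():
        status = "can run the job via: " + ", ".join(roles) if roles else "cannot run the job"
        print(f"{user}: {status}")
```
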


Reference

Job Definition Name

Use Setup and Maintenance > Task > Manage Enterprise Scheduler Job Definitions and Job Sets to identify job definition name:

[Screenshot: Job Definition – task to identify Job Definition Name]

Roles

Use the SQL query below to find roles with access to an ESS job:

-- Roles that hold the privilege for an ESS job; bind :p_perm_code to the job definition name.
Select Distinct
       fpe.code          perm_code
     , fp.name           priv_name
     , fr.role_name
     , fr.code           role_code
     , fr.role_type_code
     , fr.is_seeded
     , fr.staged

     , (Select listagg(arv.role_name, ', ') Within Group (Order By arv.role_name)
          From fusion.ase_role_role_mbr arrm
             , fusion.ase_role_vl arv
         Where arv.role_id = arrm.child_role_id
           And sysdate Between nvl(arrm.effective_start_date, sysdate) And nvl(arrm.effective_end_Date, sysdate)
           And sysdate Between nvl(arv.effective_start_date, sysdate) And nvl(arv.effective_end_Date, sysdate)
        Connect By Prior arrm.child_role_id = arrm.parent_role_id
          Start With arrm.parent_role_id = fr.role_id
       ) inherited_by_roles

     , fr.role_id

  From fusion.ase_privilege_vl  fp
     , fusion.ase_permission_vl fpe
     , fusion.ase_priv_role_mbr fpr
     , fusion.ase_role_vl       fr

 Where fpe.privilege_id       = fp.privilege_id
   And fpr.privilege_id       = fp.privilege_id
   And fr.role_id             = fpr.role_id

   And sysdate          Between nvl(fp.effective_start_date, sysdate)  And nvl(fp.effective_end_Date, sysdate)
   And sysdate          Between nvl(fpe.effective_start_date, sysdate) And nvl(fpe.effective_end_Date, sysdate)
   And sysdate          Between nvl(fpr.effective_start_date, sysdate) And nvl(fpr.effective_end_Date, sysdate)
   And sysdate          Between nvl(fr.effective_start_date, sysdate)  And nvl(fr.effective_end_Date, sysdate)

   And upper(fpe.code)     Like '%' || upper(:p_perm_code)  -- 'SynchronizeManagerHierarchyJob'

 Order
    By fpe.code
     , fp.name
     , fr.role_name
;