An Introduction to Oracle Fusion Hcm Security

Oracle Fusion HCM employs role-based security to manage user access to functions and data, allowing users to have multiple active roles simultaneously. The system defines four types of roles: Abstract Roles, Job Roles, Duty Roles, and Data Roles, each serving a specific purpose in granting access and permissions. Predefined roles and security profiles streamline the process of assigning access based on job functions and organizational needs.

Uploaded by

mail.byadav

AN INTRODUCTION TO ORACLE FUSION HCM SECURITY

Role-Based Security
In Oracle Fusion Applications, users have roles through which they gain access to
functions and data. Users can have any number of roles.

When Jayashree signs in to Oracle Fusion Human Capital Management (Oracle Fusion
HCM), she doesn't have to select a role. All of these roles are active concurrently.
The functions and data that Jayashree can access are determined by this combination
of roles.
• As an employee, Jayashree can access employee functions and data.
• As a line manager, Jayashree can access line-manager functions and data.
• As a human resource specialist (HR specialist), Jayashree can access HR specialist
functions and data.

Role-Based Access Control

Role-based security in Oracle Fusion Applications controls who can do what on which
data.
[Figure: an example of role-based access, showing who can do what on which data]

Predefined HCM Roles:


Many job and abstract roles are predefined in Oracle Fusion Human Capital
Management (Oracle Fusion HCM). This list shows the main predefined HCM roles:
• Benefits Administrator
• Benefits Manager
• Benefits Specialist
• Compensation Administrator
• Compensation Analyst
• Compensation Manager
• Compensation Specialist
• Contingent Worker
• Employee
• Human Capital Management Application Administrator
• Human Resource Analyst
• Human Resource Manager
• Human Resource Specialist
• Human Resource VP
• Line Manager
• Payroll Administrator
• Payroll Manager
These predefined roles are part of the Oracle Fusion HCM Security Reference
Implementation. The Security Reference Implementation is a predefined set of security
definitions that you can use as supplied.
Also included in the Security Reference Implementation are roles that are common to all
Oracle Fusion applications, such as:
• Application Implementation Consultant
• IT Security Manager
You can include the predefined roles in HCM data roles, for example. Typically, you
assign the Employee, Contingent Worker, and Line Manager abstract roles directly to
users.

Role Types:
Oracle Fusion Human Capital Management (Oracle Fusion HCM) defines four types of
roles:
• Abstract roles
• Data roles
• Job roles
• Duty roles

Abstract Roles
Abstract roles represent a worker's role in the enterprise independently of the job that
you hire the worker to do. Three abstract roles are predefined in Oracle Fusion HCM:
• Employee
• Contingent worker
• Line manager
You can also create custom abstract roles. All workers are likely to have at least one
abstract role through which they access standard functions, such as managing
their own information and searching the worker directory.
You assign abstract roles directly to users.

Data Roles
Data roles combine a worker's job and the data that users with the job must access. For
example, the HCM data role Payroll Administrator Payroll US combines a job (Payroll
Administrator) with a data scope (Payroll US).
You define all HCM data roles locally and assign them directly to users.
Jayashree is an employee and a payroll administrator for Fusion Corporation. She has
the Employee Abstract Role and the locally defined HCM Data Role - Payroll
Administrator Payroll US.

Job Roles
A job role is the job that a worker is hired to perform. For example, Human Resource
Analyst, Payroll Manager, Human Resources VP, and Cash Manager are all examples
of job roles. Many job roles are predefined in Oracle Fusion Applications; you can also
create job roles if necessary.
You do not assign job roles directly to users. Instead, you include job roles in
HCM data roles, and assign those data roles to users.
In this example, Jayashree’s locally defined HCM Data Role Payroll Administrator
Payroll US inherits the predefined Job Role Payroll Administrator.

Duty Roles
Duty roles are the building blocks of abstract and job roles: they represent the individual
duties that users with those job or abstract roles can perform.
Duty roles are inherited by job and abstract roles; they can also be inherited by
other duty roles.
You do not assign duty roles directly to users.
This figure shows an example duty role for each of Jayashree’s abstract and job roles.
In reality, abstract and job roles inherit many duty roles.
Duty roles grant access to work areas, dashboards, task flows, user-interface pages,
reports, batch programs, and so on; therefore, they determine the functions that a user
can perform. Duty roles also control the actions that a user can perform in a UI page.
For example, Jayashree can navigate to her own Portrait in the Person Gallery and edit
her own contact details thanks to the duty roles inherited by her Employee abstract role.
The entries that a user sees in the Navigator, in the Tasks pane of a work area, and in
menus are determined by duty roles; differences between users are accounted for by
differences in the duty roles that they inherit.

Role Inheritance:
Each role is a hierarchy of other roles:
• HCM data roles inherit job or abstract roles.
• Job and abstract roles inherit duty roles.
• Duty roles can inherit other duty roles.
In addition, when you assign data and abstract roles to users, they inherit the data and
function security associated with those roles.

Predefined Security
Oracle Fusion Applications provides a comprehensive set of predefined security data
known as the Security Reference Implementation.
The Security Reference Implementation includes predefined:
• Abstract roles
• Job roles
• Duty roles
• Data role templates
• HCM security profiles
HCM Security Profiles
Most Oracle Fusion HCM data is secured by means of HCM security profiles. HCM
security profiles are an Oracle Fusion HCM feature; they are not used by other Oracle
Fusion Applications. A security profile identifies a set of data of a single type, such as
persons or organizations. For example, you could create security profiles to identify:
• All workers in department HCM US
• The legal employer InFusion Corp USA1
• Business units USA1 and USA2
You assign security profiles to abstract and data roles to identify the data instances that
users with those abstract and data roles can access.

Security Profiles in HCM Data Roles


In the following example, Tim Thompson and Patricia Smith are both human resource
specialists, Tim in US Marketing and Patricia in US Sales. Each has a data role that
inherits the job role Human Resource Specialist and the duty roles appropriate to that
job role. Therefore, Tim and Patricia can perform the same functions and see the same
entries in the Navigator, work-area Tasks panes, and menus. However, each user
accesses different sets of data, which are identified in separate sets of security profiles.
Note: If Tim and Patricia could access the same sets of data, you could create one
HCM data role rather than two and assign that HCM data role to both users.
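To make the inheritance chain described under Role Inheritance and the Tim/Patricia example concrete, here is a small Python model added for this article (it is not Oracle code and calls no Fusion API). It flattens duty roles into function privileges, lets a data role combine a job role with a person security profile, and shows that two users with the same job role get identical functions but see different data. The duty names, privilege names and the person records are constructed for the example.

```python
"""Toy model of Oracle Fusion HCM role inheritance and data scoping.

Added illustration, not Oracle code. The hierarchy follows the text: data
roles inherit a job or abstract role, job and abstract roles inherit duty
roles, duty roles may inherit other duty roles, and a security profile on a
data role restricts the data instances the role can reach. Duty names,
privilege names and the sample person records are constructed.
"""
from dataclasses import dataclass

# Duty roles: each carries function privileges and may inherit other duties (constructed).
DUTIES = {
    "Worker Personal Info Duty": {"privs": {"view_own_info", "edit_own_contact"}, "inherits": set()},
    "Worker Search Duty":        {"privs": {"search_worker_directory"}, "inherits": set()},
    "Person Management Duty":    {"privs": {"view_person", "update_person"}, "inherits": {"Worker Search Duty"}},
    "Worker Termination Duty":   {"privs": {"terminate_worker"}, "inherits": set()},
}

# Job and abstract roles inherit duty roles; neither carries privileges directly.
TOP_ROLES = {
    "Employee":                  {"kind": "abstract", "duties": {"Worker Personal Info Duty", "Worker Search Duty"}},
    "Human Resource Specialist": {"kind": "job", "duties": {"Person Management Duty", "Worker Termination Duty"}},
}


@dataclass(frozen=True)
class SecurityProfile:
    """A set of data of one type (here persons), identified by department."""
    name: str
    departments: frozenset


@dataclass
class DataRole:
    """Combines one job role with the security profile that scopes its person data."""
    name: str
    job_role: str
    person_profile: SecurityProfile


def duty_closure(duty: str, seen=None) -> set:
    """Flatten the duty hierarchy: a duty's privileges plus those of every duty it inherits."""
    seen = seen if seen is not None else set()
    if duty in seen:          # guards against cycles in a mis-modelled hierarchy
        return set()
    seen.add(duty)
    privs = set(DUTIES[duty]["privs"])
    for parent in DUTIES[duty]["inherits"]:
        privs |= duty_closure(parent, seen)
    return privs


def function_privileges(assigned: list) -> set:
    """Union of function privileges over every assigned abstract role or data role."""
    privs = set()
    for role in assigned:
        top = TOP_ROLES[role.job_role if isinstance(role, DataRole) else role]
        for duty in top["duties"]:
            privs |= duty_closure(duty)
    return privs


def visible_persons(assigned: list, persons: dict) -> set:
    """Persons a user can reach: the union of the security profiles on their data roles."""
    depts = set()
    for role in assigned:
        if isinstance(role, DataRole):
            depts |= role.person_profile.departments
    return {p for p, dept in persons.items() if dept in depts}


# Constructed sample data: two HR specialists, same job role, different security profiles.
PERSONS = {"Ann": "US Marketing", "Bob": "US Marketing", "Cy": "US Sales"}
MARKETING = SecurityProfile("HR US Marketing", frozenset({"US Marketing"}))
SALES = SecurityProfile("HR US Sales", frozenset({"US Sales"}))
TIM = ["Employee", DataRole("HR Specialist US Marketing", "Human Resource Specialist", MARKETING)]
PATRICIA = ["Employee", DataRole("HR Specialist US Sales", "Human Resource Specialist", SALES)]

if __name__ == "__main__":
    # Same functions (same job role), different data (different security profiles).
    print(sorted(function_privileges(TIM)))
    print(sorted(visible_persons(TIM, PERSONS)), sorted(visible_persons(PATRICIA, PERSONS)))
```

Note that an Employee abstract role on its own reaches no person records in this model: with no data role, no security profile is attached, which is the deny-by-default behaviour the later Data Security Policies section describes.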

Data Role Templates


Data role templates are the second of two ways of creating data roles (the first being
HCM data roles). Data role templates secure access to reference data sets and are
used by most Oracle Fusion Applications.
Data role templates contain rules for the generation of data roles and are predefined.
Each data role created using a data role template combines a single job role and a
single reference data set.
Oracle Fusion HCM makes limited use of data role templates. In Oracle Fusion HCM,
you use data role templates to secure access to reference data sets for departments,
jobs, grades, locations, and performance document templates. If you need to provide a
job role (such as Human Capital Management Application Administrator) with access to
all of these business objects, then you generate separate data roles for each
combination of the job role and a business-object reference data set.
My next article covers the topic of Provisioning Roles to Application Users

ROLES IN FUSION APPLICATIONS

There are various types of roles in Fusion Applications. This can get confusing at
first glance, and the reader may find it complex when reading the Oracle
documentation. However, once you understand the merit of each role type, you will
begin to appreciate the elegance of the design in Fusion Applications. To begin with,
one must realise that Fusion Apps leverages the WebLogic component of Fusion
Middleware. Therefore all the technology components defined in this article get
deployed into the WebLogic Server of Fusion Middleware.

Firstly, what is a role?


A role is a kind of privilege that you can assign to a user, allowing them to perform
certain types of action in the application.
As you can see from the above, a role only lets you grant a privilege; it does not
stop a user from doing something.

For readers familiar with Oracle EBS: there, we assign responsibilities to users. A
responsibility consists of menus that reference functions. After granting the
responsibility, you can also set exclusions on it.
In Fusion Applications, however, you cannot set exclusions on a user. You can
only say that this user can do x, y and z things in the application.

Let us walk through the different types of roles in Fusion Applications

Duty Roles
These are also known as Application Roles. They are the granular duties performed by
individuals. Examples are Invoice Creation Duty, Invoice Approval Duty, GL Journal
Entry Duty, GL Journal Approval Duty, GL Journal Posting Duty, etc. It is like telling a
new member of staff that they can perform certain duties within their job, or that it is
their duty to perform x, y and z things in the organization. The name of this role has the
suffix _DUTY. A duty role provides access to screens, reports and dashboards via
privileges, and provides access to the data behind those screens using data security.

Job roles
These are also known as Enterprise roles. A job role is mapped to one or more duty
roles, because a person who takes a job in a company is meant to perform
several duties. For example, an HR Recruiter job will have a duty to scan submitted
resumes and a duty to place an offer to the individual. The name of this role has the
suffix _JOB. Some examples are Account Payables Manager Job, General Ledger
Accounting Manager Job, etc. Job roles are also referred to as external roles.

Abstract Roles
These are also known as Enterprise roles. These roles are associated with a user
irrespective of the job they perform within an enterprise. Abstract roles therefore sit at
a higher level, spanning various jobs, hence the name abstract. Examples are the
Employee role, Temporary Staff role, etc. An organization might decide to automatically
assign an Expense Entry Duty Role to all employees, and likewise may decide to
auto-provision a Timesheet Entry Duty Role to all contract workers. Job roles can
inherit abstract roles; for example, a Human Resource Administrator job role can inherit
the Employee abstract role, because an HR Administrator is likely to be an
employee of the company and should therefore automatically have access to entering
timesheets and claiming expenses. Like job roles, abstract roles are also
referred to as external roles.
Data Roles
This will be discussed in a separate article.

Concept of Roles In Oracle Fusion


We all know that in Oracle EBS we give a person access through a responsibility,
and in the responsibility we give access to various reports, forms, menus, etc., so that
a user can get access to a specific module/application. In Fusion, this concept is
gone: Oracle introduced a new concept, the role, in place of the responsibility.
Oracle Fusion Applications use a role-based access control (RBAC) security model in
which users are assigned roles through which they gain access to functions and data
within the applications.
Example - Accounts Payable Manager, Accounts Payable Supervisor
Roles are assigned to users according to their position. They can be categorized into
different types.
Role Types:
Job Role
Duty Role
Abstract role
Privileges
Job Role - It represents a specific job or position within an organization. A job role is a
collection of duty roles that allow a person to perform specific job functions. A job role
represents the job that you hire a worker to perform. It can be assigned directly to a user.
Example -
Accounts Payable Manager - Manages the Accounts Payable department and personnel.
Overrides exceptions, analyzes Oracle Fusion Payables balances, and submits income
tax and withholding reports to meet regulatory requirements.
Accounts Payable Supervisor - Oversees the activities of Accounts Payables
Specialists. Initiates and manages pay runs. Resolves non-data-entry holds.

Duty Role - Duty roles are made up of different privileges within Oracle
ERP Cloud that perform specific actions within the business process.

Example -

• Payables Payment Processing - Manages Oracle Fusion Payables payments.
• Payables Invoice Creation - Creates invoices using the standard user
interface or a spreadsheet.

N.B. - A duty role can't be assigned directly to a user; instead it is assigned to a job
role, and the job role can be assigned to a user/employee.

Privileges - A privilege determines what functionality a user is able to access and
execute on their screen. Privileges are the old "function" concept of Oracle
EBS. Oracle report access also comes under privileges. In EBS, we give
access to reports through a request group, by assigning the request group to
responsibilities. But in Fusion, we cannot create request groups. We create
privileges for that instead and then assign them to roles.

Example -

• Search Supplier
• View Purchase Order
• Create Payable Invoice
• Validate Payable Invoice
• Initiate Payable Invoice Approval Task Flow
In this picture, Accounts Payable Supervisor is a job role that can be
assigned to a user and is a collection of various duty roles and privileges.
Privileges can be assigned directly to a job role or to a duty
role, but only a job role can be assigned to a user. It is very similar to R12,
where a menu is a collection of several sub-menus and functions.

Abstract Role - An abstract role represents a worker's role in the enterprise
independently of the job that you hire the worker to do. Abstract roles
enable users to access standard functions, such as managing their own
information and searching the worker directory. You assign abstract roles
directly to users. These are HCM roles; examples are Employee, Contingent
Worker, and Line Manager.

Example -

• Employee - Users can see their own payslip, enter a timecard, etc.
• Line Manager - Can transfer/terminate employees.

Role based security in oracle fusion application controls WHO can do WHAT
on WHICH data for example -
1. A line manager (WHO) can promote (WHAT) an employee (WHICH).
2. An employee (WHO) can see payslip (WHAT) of his own (WHICH).
3. An accounts payable specialist (WHO) can enter invoices, match
invoices to correct PO or receipts (WHAT) of certain business unit
(WHICH).

A user can be assigned any seeded role provided by Oracle, and the seeded roles can be
customized if they don't meet the requirement.

Fusion Role Based Security Model

Oracle Fusion Applications use a role-based access-control security model, where
users are assigned roles through which they gain access to functions and data
within the applications. Unlike Oracle E-Business Suite (Ebiz), users do not need to
select different responsibilities once they log in: all roles are active concurrently,
i.e. users do not have to select any role when they sign in.
Role-based security in Oracle Fusion Applications controls WHO can
do WHAT on WHICH data. For example: A line manager (who) can
promote (what) an employee (which). This is also explained in the
table below.

Who            What                     Which Data
Employee       Can see payslip          His own
Line Manager   Can transfer/terminate   A worker from his team
HR             Can give promotion       Employees from a particular organization

Understand with an example

At the beginning it sounds confusing, but once you get the basics it is easy and
convenient, much like responsibilities and functions in Ebiz. To understand it better,
let's put a hypothetical business requirement in front of us.
Requirement : There is a security chief (let's say Mr. Security) responsible for
taking care of all security measures in your organization. He needs to be given
the authority to terminate any employee caught violating security guidelines. In Oracle
terminology, he needs to be given a new role to be able to terminate any employee
within your organization.

Now, the function to terminate an employee is already available in a few
seeded roles like Manager and HR Specialist, but you cannot assign
them to Mr. Security: using the seeded role "Manager" he would be
able to terminate only people falling under his manager hierarchy. You
cannot assign the other seeded role "HR Specialist" to Mr. Security either,
as it comes with many other powerful things along with termination.

So the only option is to create a new custom role only for terminating
employees and assign it to Mr. Security. In the next steps we will see
how this can be done.

Setup Steps
Now we know that we have to create a new role, but what should the type of role be,
given that Oracle Fusion delivers four different types of role? So let's talk about the
different roles available in Fusion before we log in to the application and start setting
things up.
Oracle Fusion Applications uses four types of roles for security
management, which are given below. The first three types can be
assigned to a user directly. These roles also inherit other roles.

Data Roles
Data roles are a combination of a worker's job and the data instances on
which that job can be performed. For example, the data role Payroll
Administrator Payroll US combines a job (Payroll Administrator) with
a data instance (Payroll US). As the job is one factor, the data role inherits a Job Role,
and for the data we attach a security profile to it (explained later).

Job Roles
Job role aligns with the job that a worker is hired to perform. Human
Resource Analyst and Payroll Manager are examples of predefined job
roles. Typically, you include job roles in data roles and assign those
data roles to users. The IT Security Manager and Application
Implementation Consultant job roles are exceptions, because they are
not considered HCM job roles and do not restrict data using HCM
security profiles.
Abstract Roles
Abstract roles represent a worker's role in the enterprise,
independently of the job that the worker is hired to do. There are three
seeded abstract roles delivered with Oracle Fusion HCM: the
Employee, Line Manager, and Contingent Worker roles. Abstract roles
are assigned to a user automatically when an event occurs, such as hiring
an employee, terminating an employee or promoting an employee.

Duty Roles
A duty role aligns with the individual duties that users perform as part of
their job, but is not assigned to a user directly. This role also grants
access to work areas, dashboards, task flows, application
pages, reports, batch programs, and so on. Duty roles are
inherited by job and abstract roles, and can also be inherited by other
duty roles. Needless to say, we can also create custom roles if needed.

The diagram below shows how some of the roles inherit other roles.

Data Security Through Security Profiles
Before we start our setup steps there is one more important topic to
discuss, Security Profiles. A security profile identifies a set of data of a
single type, such as persons or organizations, for example : All workers
in department HCM US. We can assign security profiles to:

• Data roles
• Abstract roles
• Job roles

We can create HCM security profiles for the following HCM business
objects (can be changed with future releases)

• Person
• Organization
• Position
• Legislative Data Group
• Country
• Document Type
• Payroll
• Payroll Flow

Okay, enough theory. By now we know that for our requirement we
have to create a Data Role to assign to the user, and that Data Role should
inherit a job role, which in turn inherits a duty role. We also need to
create a security profile to restrict the organization, and attach it to the Data
Role. Here are the steps…

Step 01 : Create a Job Role

To create a job role, search for the task "Manage Job Roles" and click
on Go to Task. This will open a new window (OIM : Oracle
Identity Manager).

Navigation : Navigator » Tools » Setup and Maintenance » All Tasks
Tab » Search for Name Manage Job Roles
Click on the Administration link in the top right corner. You will see a
welcome page. Click on Create Role under Roles, and
enter the details as given below. Once done, click on Save and close the
window.
• Name : <Unique Name>
• Display Name : <Unique Display Name>
• Role Category Name : HCM – Job Roles

Step 02 : Map Duty role with Job role

From the above diagram and explanation we know that a Job Role
must inherit a Duty Role. So, to link a duty role with the job role we
have created (Avi Terminate Worker), search for the task "Manage
Duties" and click on Go to Task.

Navigation : Navigator » Tools » Setup and Maintenance » All Tasks
Tab » Search for Name Manage Duties
Once again this will open a new window (APM : Authorization Policy
Manager). Select hcm from the application name, then click on
Search External Roles under Search and Create.
Note : All roles defined in Oracle Identity Manager (OIM) are
considered External roles in Authorization Policy Manager (APM).
Now, on the next page, search for the role (Avi Terminate Worker) we
created in OIM. In the search result section select the Job Role and click
on "Open Role". You will see the following screen.

On the above page click on the "Application Role Mapping" tab and click
on the +Map icon. It will bring up a pop-up. Select hcm as the application and
search for the role "Worker Termination Duty". In the search result
section click on the result and then click on Map Roles. We have now
successfully mapped the duty role to our job role. This duty role will
let us terminate the worker.
You must be wondering how I knew that I had to add only the "Worker Termination
Duty" duty role to the job role to give termination access. Do we need to
remember all these duty roles? The answer is NO. You can download the mapping from
the Oracle note "Mapping Of Roles, Duties and Privileges in Fusion Applications (Doc ID
1460486.1)".

Step 03 : Run the process "Retrieve Latest LDAP Changes"
Navigation : Navigator » Tools » Scheduled Process
Now run the process "Retrieve Latest LDAP Changes". We need to run
this program to synchronize roles between LDAP and HCM. After a
successful run our job role will be available to HCM. Once the program
status is Succeeded we can move to the next step.
Note : Please see the post Scheduling a Process in Oracle Fusion to get
an idea of how processes are scheduled in Fusion Applications.

Step 04 : Create Security Profile (Optional)

Navigation : Navigator » Tools » Setup and Maintenance » All Tasks
Tab » Search for Manage Person Security Profile
As we know, we can attach a security profile to a Data Role to give access
to a particular set of data. If you do not create any security profile you
can select the "View All" option when creating the Data Role. In this
example we will create a Person security profile.

To create the security profile, search for the task "Manage Person
Security Profile" and click on the Go to Task icon. A new page will appear;
in the search result section click on the Create icon.
On the Create Person Security Profile page, give it a name and
select the check box Secure by Legal Employer. From the list, select
the legal employer for which you want to give Mr. Security access to
terminate workers. Once done, click on Save and Close. Click Yes if
you receive a warning.

Step 04 : Create a Data Role


Navigation : Navigator » Tools » Setup and Maintenance » All Tasks
Tab »Search for Assign Security Profiles to Role
Search for the task “Assign Security Profiles to Role” and click on Go to
task. A new page will appear. In the search result section click
on Create icon.
First give your data role a name and select the Job Role that you created
before. Once done, click on Next.
In the next step of the guided process select the security profile that you
created earlier. Once done, click on Next.
NOTE : If you did not follow the previous steps you can still create a
security profile from here, or just select View All from the list.

Next screen will show all security profiles associated with this data
role. Click on Next again, which will bring the Review Page. Review it
once and once satisfied click on Submit.

Step 06 : Create Role Provisioning Rule


Navigation : Navigator » Tools » Setup and Maintenance » All Tasks
Tab » Search for Name Manage Role Provisioning Rules
Using the role provisioning rule we add an extra layer of security and
can define which role will be available to which set of users. Using this
we can also set rules to automatically assign a role to users if
predefined conditions are met.

Search for the task “Manage Role Provisioning Rules” and click
on Go to task. In the next page click on Create under the search
result section. Give a mapping name, select Conditions (left blank in
this example) and in the associated role section select the data role we
have created. Please ensure requestable check box is selected and
Autoprovision is unchecked. Click on Save and Close.
Note : You may notice that the "Delegation Allowed" option is disabled;
this is because when we created our data role (step 04) we did not select
the "Delegation Allowed" check box. We will discuss role
provisioning in detail in another topic.

Step 07 : Assign Data Role to user


Now your Data Role is ready. You can assign it to any person. There
are different ways to assign a role to a user, either through OIM or
from the task "Manage Users". We are assuming you are already aware
of these steps. In the image below the Data Role was assigned through
Oracle Identity Manager. You can see Mr. Security has two roles:
Employee (abstract role) and Avi Terminate Worker – Operation US
Only.
Step 08 : Validate the Data Role Assigned to user
Navigation : Navigator » Person Gallery » Search for person

To validate the Data Role, Mr. Security will log in to the application.
He navigates to the Person Gallery and searches for any
worker. At the left-hand side, under the Actions menu, he will see the option
to terminate the worker.
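As an added illustration of the provisioning rule created in Step 06 (this is example code, not Oracle's), the following Python evaluates role mappings against a person's attributes: an abstract role whose mapping has Autoprovision checked is granted automatically when its conditions match, while the custom termination data role, with no conditions and Requestable only, is never granted automatically and must be requested. The attribute names, the condition values, and the idea that an Inactive assignment revokes previously autoprovisioned roles are assumptions made for the example.

```python
"""Toy role-provisioning rule evaluator, modelled on the Manage Role
Provisioning Rules step above. Added illustration, not Oracle code.

A mapping carries optional conditions on person attributes and, for its
role, whether the role auto-provisions when the conditions match and
whether a user may request it. Attribute names, condition values and the
sample people are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleMapping:
    name: str
    conditions: dict      # attribute -> required value; an empty dict matches everyone
    role: str
    autoprovision: bool   # the Autoprovision check box in the mapping
    requestable: bool     # the Requestable check box in the mapping


def matches(mapping: RoleMapping, person: dict) -> bool:
    """All conditions must hold; a mapping with no conditions matches any person."""
    return all(person.get(attr) == value for attr, value in mapping.conditions.items())


def autoprovisioned_roles(mappings, person) -> set:
    """Roles granted automatically when an event (hire, transfer, ...) re-evaluates the rules."""
    return {m.role for m in mappings if m.autoprovision and matches(m, person)}


def requestable_roles(mappings, person) -> set:
    """Roles that may be requested for the person; conditions must still match."""
    return {m.role for m in mappings if m.requestable and matches(m, person)}


def deprovisioned_roles(mappings, before, after) -> set:
    """Autoprovisioned roles lost when attributes change (assumption: termination
    sets the assignment status to Inactive, so status-conditioned roles drop off)."""
    return autoprovisioned_roles(mappings, before) - autoprovisioned_roles(mappings, after)


# Constructed mappings: abstract roles auto-provision by person type and status;
# the custom termination data role from this walkthrough is requestable only.
MAPPINGS = [
    RoleMapping("Employees", {"person_type": "Employee", "assignment_status": "Active"},
                "Employee", autoprovision=True, requestable=False),
    RoleMapping("Contractors", {"person_type": "Contingent Worker", "assignment_status": "Active"},
                "Contingent Worker", autoprovision=True, requestable=False),
    RoleMapping("Managers", {"is_manager": True, "assignment_status": "Active"},
                "Line Manager", autoprovision=True, requestable=False),
    RoleMapping("Security chief termination", {},
                "Avi Terminate Worker - Operation US Only", autoprovision=False, requestable=True),
]

# Constructed person record for Mr. Security: an active, non-managing employee.
MR_SECURITY = {"person_type": "Employee", "assignment_status": "Active", "is_manager": False}

if __name__ == "__main__":
    print("auto:", sorted(autoprovisioned_roles(MAPPINGS, MR_SECURITY)))
    print("requestable:", sorted(requestable_roles(MAPPINGS, MR_SECURITY)))
```

Keeping a sensitive role on a request-only mapping means it never appears on a user through an unrelated lifecycle event; it has to be asked for and approved, which is the audit point a reviewer would look for.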

ROLE CONCEPT IN ORACLE FUSION APPLICATIONS
Role Based Access Control (RBAC)
An organisation needs to control who can do what on which
functions or sets of data under what conditions. The who is a
user here. A user's access is based on the definition of the
roles provisioned (assigned) to the user. Access is defined as
entitlement, which consists of privileges. The what are the
abstract operations or entitlement. The which represents the
resources being accessed.
RBAC normalizes access to functions and data through user
roles rather than only users. User access is based on the
definition of the roles provisioned to the user. The roles are
defined at functional and technical levels. The functional level
is the business definition that is used by business users and
the technical level is the implementation of roles using Oracle
Technology.
RBAC is based on the following concepts:
1. Role assignment - A subject can exercise permission
only if the subject has selected or been assigned a
role.
2. Role authorization - A subject’s active role must be
authorized for the subject. Together with rule 1
above, this rule ensures that users can take on only
roles for which they are authorized.
3. Permission authorization - A subject can exercise a
permission only if the permission is authorized for the
subject’s active role. With rules 1 and 2, this rule
ensures that users can exercise only permissions for
which they are authorized.
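The three RBAC rules listed above, expressed as an explicit authorization check in Python. This is an added example, not Oracle code; the role names, permission names and Subject fields are constructed. Because Fusion activates every provisioned role at sign-in, sign_in() activates all assigned roles but drops any the subject is not authorized to hold (rule 2), and authorize() denies by default and reports which rule blocked the request.

```python
"""The three RBAC rules as an explicit authorization decision.
Added illustration, not Oracle code; names below are constructed.

Rule 1 (role assignment): a subject may exercise a permission only through a
role assigned to it (in Fusion every assigned role is active at sign-in).
Rule 2 (role authorization): each active role must be one the subject is
authorized to hold.
Rule 3 (permission authorization): the permission must be granted to one of
the subject's active roles.
"""
from dataclasses import dataclass, field

# Permissions granted to each role (constructed for the example).
ROLE_PERMISSIONS = {
    "Employee": {"view_own_payslip", "enter_timecard"},
    "Line Manager": {"transfer_worker", "terminate_worker"},
    "Human Resource Specialist": {"promote_worker", "terminate_worker", "hire_worker"},
}


@dataclass
class Subject:
    name: str
    authorized_roles: set                         # roles the subject is entitled to hold
    assigned_roles: set                           # roles actually provisioned
    active_roles: set = field(default_factory=set)


def sign_in(subject: Subject) -> Subject:
    """Activate every assigned role (all roles are concurrent in Fusion), dropping
    any that is not authorized for the subject (rule 2)."""
    subject.active_roles = {r for r in subject.assigned_roles if r in subject.authorized_roles}
    return subject


def authorize(subject: Subject, permission: str) -> tuple:
    """Return (allowed, reason). Deny by default; the rules are checked in order."""
    if not subject.active_roles:
        return False, "rule 1: no assigned role is active"
    unauthorized = subject.active_roles - subject.authorized_roles
    if unauthorized:
        return False, f"rule 2: active role(s) not authorized: {sorted(unauthorized)}"
    granting = {r for r in subject.active_roles if permission in ROLE_PERMISSIONS.get(r, set())}
    if not granting:
        return False, f"rule 3: {permission!r} is granted to none of the active roles"
    return True, f"granted via {sorted(granting)}"


if __name__ == "__main__":
    alice = sign_in(Subject("alice", {"Employee", "Line Manager"}, {"Employee", "Line Manager"}))
    print(authorize(alice, "terminate_worker"))
    print(authorize(alice, "promote_worker"))
```

The useful property for a reviewer is the reason string: a denial names the rule that failed, so a log of denials distinguishes a missing assignment from a role someone holds without authorization.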
Basically, security in Fusion Applications is based on Role
Based Access Control (RBAC). In Fusion Applications, the
RBAC implementation is based on abstract, job, duty, and
data roles that work together to control access to functions
and data. The definitions of these functional roles are as
follows:

ABSTRACT ROLE
This role categorizes the roles for reference implementation.
It inherits duty role but does not contain security policies. For
example: Employee, Manager, etc.

JOB ROLE
This role defines a specific job an employee is responsible for.
An employee may have many job roles. It may require the
data role to control the actions of the respective objects. For
example: Benefits Manager, Accounts Receivable Specialist,
etc.

DATA ROLE
This role defines access to the data within a specific duty.
Who can do what on which set of data? The possible actions
are read, update, delete, and manage. Only duty roles hold
explicit entitlement to the data. These entitlements control
the privileges such as in a user interface that can see specific
screens, buttons, data columns, and other artifacts.

DUTY ROLE
This role defines a set of tasks. It is the most granular form of
a role. The job and abstract roles inherit duty roles. The data
security policies are specified to duty roles to control actions
on all respective objects. Duty Role is the most granular form
of role where mainly security policies are attached and they
are implemented as application role in Authorization Policy
Manager (APM)
Below diagram from the “Oracle Fusion Applications Security
Guide” shows relationships between these roles:
Functional roles are technically implemented as Enterprise
and Applications roles. The Abstract, Job and Data roles are
called Enterprise roles and the Duty role is called Application
role.

ENTERPRISE ROLES
Across all Fusion Applications, Abstract, Job and Data roles
are mapped to Enterprise roles. These roles are stored in the
Identity Store. They are managed through OIM and Identity
Administration tools. This tool includes the following
capabilities with respect to Enterprise role management:
• Create Fusion Applications Implementation Users
• Provision Roles to Implementation Users
• Manage Abstract, Job and Data roles including the
job hierarchy
These roles can also be viewed from ODSM (Oracle Directory
Services Manager) console.

APPLICATIONS ROLES
A “Duty Role” is mapped to Application Roles and is stored in
the Policy Store. An application role is supplied by a single
application or pillar of applications. The application policies
are managed through “Authorization Policy Manager” (APM).
APM is a graphical interface that simplifies the creation,
configuration, and administration of application policies.
Applications Authorization Policy Manager (APM) refers to
enterprise roles as external roles.

HOW ALL THESE ROLES AND SECURITY POLICIES/PRIVILEGES WORK TOGETHER?
Fusion Applications seeds all the relevant roles, though they
can be modified and customized based on the business
requirements. Let's also understand the functional and data
security policies.

FUNCTIONAL SECURITY POLICIES
Function security consists of privileges granted to a user by
means of the user’s membership in a role, to control access
to a page or a specific widget or functionality/operation within
a page. A function security policy consists of privileges
assigned to duty roles and those duty roles assigned to a job
or abstract role. Function security policies are defined in the
Authorization Policy Manager (APM).

DATA SECURITY POLICIES
Data security policies articulate the security requirement
“Who can do What on Which set of data,” where ‘Which set of
data’ is an entire object or an object instance or object
instance set and ‘What’ is the object entitlement. By default,
users are denied access to all data. Data security makes data
available to users by the following means.
• Policies that define grants available through
provisioned roles
• Policies defined in the application code
A privilege is a single, real world action on a single business
object. The possible actions are read, update, delete, and
manage. If these privileges are not specified on a duty or
data role, then all actions on the respective objects within a
page, including services, screens, and flows, and typically
used in control of the main menu (specified by function
policy) are allowed.
Enterprise roles provide access to data through data security
policies defined for the inherited application roles. When we
provision a job role to a user, the job role implicitly limits data
access based on the data security policies of the inherited
duty roles. When you provision a data role to a user, the data
role explicitly limits the data access of the inherited job role
to a dimension of data.
When setting up the enterprise with structures such as
business units, data roles are automatically generated that
inherit job roles based on data role templates.
In order to see the Fusion Applications seeded roles, follow the navigation
below:
Log in with your user, navigate to Functional Setup
Manager and search for Role Template.
When you click on Go to Task, you will be taken to Oracle
Entitlement Server, as shown below.
Click on Search Role Template as shown in the screenshot.

Search for General Ledger Template for Ledger and click on the
Open button, and you will see the screen below.
