There was a requirement to provide a particular BU user to access to other BU PO's for approval. Normally such kinds of requirement always happen in today's complex business model . To implement this requirement a best we can do it is to use of new profile option which was introduced in Oracle 11i called HR: Cross Business Group , which need to switched on (i.e. set to "Yes") can be used .This new profile option makes it possible for Oracle Application users to view and modify certain specific areas of data across all business groups.
From 11.5.9 onward in HRMS there are two Security Models as:
- Standard HRMS Security
- Security Groups
The first one is Standard HRMS security which normally requires defining a security profile, and defining a responsibility for use by application users, whereas security groups means whereby you can reuse a responsibility and assign it to different security profiles in different business groups if required.
Typically Multi-national Companies would be benefited from security as they normally have concept of service centres using multiple business groups and security profiles.
The good and bad in new Security Group Model
The Standard Security Model on Oracle HRMS forces a responsibility to be tied to only one business group/security profile. This means that when new business groups are added a brand new set of responsibilities must be set up for the business group, even if the new set of responsibilities is identical in every respect to existing responsibilities assigned to another business group.
The new security group model can cut down dramatically on the number of responsibilities required as it allows responsibilities to be reused by many different business groups.
Here are the key points of how the new security group functionality works.
- Every time a business group is created a new security group of the same name is also created.
- Security profiles are defined the same way they are now. There is no change in this functionality.
- Form Assign Security Profile is activated under the new security model. This form allows a user to be linked to a security profile, responsibility, security group (business group) combination.
- Profile option HR: Business Group is no longer set manually for HRMS responsibilities. This profile option will be set dynamically when a user selects a responsibility/security group combination at logon.
- Profile option HR: Security Profile is no longer set manually for HRMS responsibilities. This profile option will be set dynamically when a user selects a responsibility/security group combination at logon.
- The \Security\User Define Screen in the System Administrator responsibility is no longer user to assign HRMS responsibilities to users as this is now done in the new Assign Security Profile screen.
Please note, that although it is possible in the new security group model to access many business groups through the same responsibility, because of the way users are now assigned to responsibility/security group combinations, an HRMS user can only access the data in one business group at any one time.This can be best understood in next section.
Overview of Standard Security Model versus new Security Group Model
Lets try to understand by a simple diagram below, what is here is 3 BU defined in global instance representing three BU X-Singapore, X- Australia and third one X-UK. The simple diagram below shows the difference in responsibility set-ups associated with each model.
In the standard security model when a user logs on or decides to change responsibility the list of responsibility names they have access to are presented to them to select from. In the security group model when a user logs on or decides to change responsibility the list of responsibility names and the associated security group (i.e. business group) assigned to the user are presented to the user to select from. This difference can be best described as:
3 steps away to switching to the new security model
The steps required to switch to the new security model are as follows;
- Profile option HR: Cross Business Group should be set to "Yes".
- Profile option Enable Security Groups must be set to "Service Bureau"
- Concurrent request Enable Multiple Security Groups must be run.
Not to Forget
Once the new security model is switched on, it cannot be switched off.
- Enhancements in Oracle HRMS Security in R11.5: Note:202478.1
- How Does the Cross Business Group Profile Option Impact the Application :Note:224822.1
- Understanding and Using HRMS Security in Oracle HRMS :Note:394083.1
Other related post in Security
- Know the â€œSecurity by Bookâ€ in Fixed Asset 
- Understanding Security in : Oracle Financials and Manufacturing 
- MOAC : From Multi-Orgâ€¦.To Multi-Access