- OracleApps Epicenter - http://www.oracleappshub.com -

Let’s Talk About ‘Security Groups’ functionality available within Oracle HRMS

There was a requirement to provide a particular BU user to access to other BU PO's for approval. Normally such kinds of requirement always happen in today's complex business model . To implement this requirement a best we can do it is to use of new profile option which was introduced in Oracle 11i called HR: Cross Business Group , which need to switched on (i.e. set to "Yes") can be used .This new profile option makes it possible for Oracle Application users to view and modify certain specific areas of data across all business groups.

From 11.5.9 onward in HRMS there are two Security Models as:

The first one is Standard HRMS security which normally requires defining a security profile, and defining a responsibility for use by application users, whereas security groups means whereby you can reuse a responsibility and assign it to different security profiles in different business groups if required.

Typically Multi-national Companies would be benefited from security as they normally have concept of service centres using multiple business groups and security profiles.

The good and bad in new Security Group Model

The Standard Security Model on Oracle HRMS forces a responsibility to be tied to only one business group/security profile. This means that when new business groups are added a brand new set of responsibilities must be set up for the business group, even if the new set of responsibilities is identical in every respect to existing responsibilities assigned to another business group.

The new security group model can cut down dramatically on the number of responsibilities required as it allows responsibilities to be reused by many different business groups.

Here are the key points of how the new security group functionality works.

  • Every time a business group is created a new security group of the same name is also created.
  • Security profiles are defined the same way they are now. There is no change in this functionality.
  • Form Assign Security Profile is activated under the new security model. This form allows a user to be linked to a security profile, responsibility, security group (business group) combination.
  • Profile option HR: Business Group is no longer set manually for HRMS responsibilities. This profile option will be set dynamically when a user selects a responsibility/security group combination at logon.
  • Profile option HR: Security Profile is no longer set manually for HRMS responsibilities. This profile option will be set dynamically when a user selects a responsibility/security group combination at logon.
  • The \Security\User Define Screen in the System Administrator responsibility is no longer user to assign HRMS responsibilities to users as this is now done in the new Assign Security Profile screen.

Please note, that although it is possible in the new security group model to access many business groups through the same responsibility, because of the way users are now assigned to responsibility/security group combinations, an HRMS user can only access the data in one business group at any one time.This can be best understood in next section.

Overview of Standard Security Model versus new Security Group Model

Lets try to understand by a simple diagram below, what is here is 3 BU defined in global instance representing three BU X-Singapore, X- Australia and third one X-UK. The simple diagram below shows the difference in responsibility set-ups associated with each model.

In the standard security model when a user logs on or decides to change responsibility the list of responsibility names they have access to are presented to them to select from. In the security group model when a user logs on or decides to change responsibility the list of responsibility names and the associated security group (i.e. business group) assigned to the user are presented to the user to select from. This difference can be best described as:

3 steps away to switching to the new security model

The steps required to switch to the new security model are as follows;

  • Profile option HR: Cross Business Group should be set to "Yes".
  • Profile option Enable Security Groups must be set to "Service Bureau"
  • Concurrent request Enable Multiple Security Groups must be run.

Not to Forget

Once the new security model is switched on, it cannot be switched off.

Suggested Reading

Other related post in Security

6 Comments (Open | Close)

6 Comments To "Let’s Talk About ‘Security Groups’ functionality available within Oracle HRMS"

#1 Comment By Tapash Ray On December 26, 2007 @ 3:28 pm

Although HR: Cross Business Group can be used to approve POs from another OU, there still is a issue with Drop Ship orders, where purchase release cannot be done for a DS order from a different OU, this is because the BG_id is being fetched from financial options set in procurement for each OU.


#2 Comment By Sanjit Anand On December 27, 2007 @ 7:07 am

thanks tapas, for your remark for Drop shipment

#3 Comment By Rao On January 23, 2008 @ 1:12 pm

I think the names of responsibilities in the diagram are little confusing. in the old model, may be you should call the responsibility names some thing like US HR Manager, AUS HR manager,JPN HR manager .. that will give good understanding to the people, how they can eliminate 6 differrent responsibilities in the new model.

#4 Pingback By “Business Group” in EBS On February 22, 2008 @ 12:21 am

[…] Business Group security model in HRMS you can secure data and processes by id of the Business Group. However, in HRMS, the Business Group […]

#5 Comment By Oracle ERP Training On May 18, 2009 @ 12:30 am

Nice and precise article on Oracle HR security.

#6 Comment By Stalin On December 14, 2010 @ 3:38 am

Nice article. Appreiciating your effort.