Creation of custom security profile

Similar Messages

• How to restrict employees from accessing managers data using custom security profile

  Hi,
  I am using custom security profile for restricting the employees from accessing supervisors details(PG.SEGMENT2=4). I have written the custom code as below :
  Responsibility :US Super HRMS Manager
  ASSIGNMENT.PERSON_ID
  IN
  (SELECT PAF.PERSON_ID FROM PER_ALL_PEOPLE_F PAF,
  PER_ALL_ASSIGNMENTS_F PF,
  PAY_PEOPLE_GROUPS PG,
  PER_PERSON_TYPE_USAGES_F PPU,
  FND_USER FNU
  WHERE PAF.PERSON_ID=PF.PERSON_ID
  AND :EFFECTIVE_DATE BETWEEN PAF.EFFECTIVE_START_DATE
  AND PAF.EFFECTIVE_END_DATE
  AND PF.PEOPLE_GROUP_ID=PG.PEOPLE_GROUP_ID
  AND :EFFECTIVE_DATE BETWEEN PF.EFFECTIVE_START_DATE AND PF.EFFECTIVE_END_DATE
  AND PPU.PERSON_ID=PAF.PERSON_ID
  AND PPU.PERSON_ID=PF.PERSON_ID
  AND :EFFECTIVE_DATE BETWEEN PPU.EFFECTIVE_START_daTE AND PPU.EFFECTIVE_END_DATE
  AND PAF.PERSON_ID=FNU.EMPLOYEE_ID
  AND PAF.PERSON_TYPE_ID =2
  AND PPU.PERSON_TYPE_ID
  IN(2,62)
  and PAF.person_id = FND_PROFILE.value('user_id')
  AND PG.SEGMENT2=8)
  and using "restrict the people visible to each other using this profile".
  I have assigned the security profile to HR user responsibility
  But when I query the supervisor name in HR User responsibility , it is not restricting me from viewing supervisor details.
  When I query for first time, its restricting me to view others details, but when I close that click on torch button and try searching, its allowing me to access manages details.
  Can any one please let me know what setups need to be done for restricting employees from viewing supervisors data.
  I have gone through the document "Understanding and Using HRMS Security in Oracle HRMS" but didn't got any idea.
  Please suggest.
  Thanks & Regards,
  Anusha.

  Hi All ,
  i solved the problem by using event 01 of header view and using the table "Extract" .
  Regards,
  Neha

• List of Employees through custom security profile - SSHR

  Hi,
  A coordinator sitting in a region required access to all those employees who are coming in his region. This thing has been done and tested in PUI using custom security profile but can we give the same access to coordinator at Self service level, so that it can view employee detail and take necessary actions against employee.
  Thanks
  Ayaz

  You can indeed use the same Security Profile to control access through Self Service. In Self Service, you will need to use the Simple or Advanced Search to find these people because the default hierarchy that is displayed won't render.
  Often it is useful to add a personalization message to the Search region so that the users know to find people this way, eg:
  "To find employees in your region, please enter their Last Name in the Search box and hit Enter."

• How to make Custom Discoverer workbook use Custom Security profile of Apps

  We use Discoverer in Oracle Apps setup. We have added Custom security in our HR People Form of Apps.
  This Custom Security restricts one HR Emplpoyee not view other HR employee record except for himself/herself. Also maintining that they should be able to view all other employee's records.
  The following code was put under the Security Profile Form -- > Custom Security Tab
  exists (select 1
  from per_jobs b
  where ASSIGNMENT.job_id = b.job_id
  and (b.name not like '%HR%')
  and (b.name not like '%Human%')
  and ASSIGNMENT.assignment_number is not null
  union
  select 1
  from fnd_user fu
  where fu.user_name = fnd_global.user_name
  and fu.employee_id = PERSON.person_id
  and ASSIGNMENT.assignment_number is not null)
  Above security profile works fine for HR People Form.
  However, It does not work for our Discoverer Workbooks. I found a note on Metalink 422841.1 which talks about leveraging the Custom Security of Apps in Discoverer Report. I read it, but did not get much clue.
  Can Anyone help.
  Thanks

  Hi,
  If you want to use custom HR security with Discoverer you have to ensure that the correct security filters are applied when the Discoverer reports are run. These filters can use the supplied HR_SECURITY package or you can develop your own conditions using table lookups or functions. To get the filters applied to your reports you have a number of options:
  1. Build the security into custom folders using additional conditions
  2. Use custom database views in Discoverer and build the security into the views
  3. Use mandatory conditions in you Discoverer folders using either a function call or database contexts set at login time
  4. Use VPD (Virtual Private Database)
  I am not sure which of these options you are using to implement your HR security in Discoverer. The last option, VPD, is the most flexible and can give the best performance but maybe it is more complex to set up.
  Rod West

• Importing custom created security profiles from a .csv or .xls document

  Hi Experts,
  We have a prerequisite where we need to create custome security profiles as per the requirement.
  These security profiles I have created in an excel sheet and wish to import it in the server.
  The reason behind creating the security profiles through excel sheet is that in the future we will be working on a new server. So instead of doing any rework we can directly import from this excel sheet.
  For creating a security profiles through an excel sheet, I have mentioned the following things in the excel sheet.
  1. In a "eso_security_profiles" i have mentioned the profile name,description,internal ID, etc..
  DISPLAY_NAME       DOCUMENT_DESCRIPTION    INTERNAL_NAME     CATEGORY  COLLAB_PROFILE    INTERNAL_TYPE     RESTRICTED
  DISPLAY_NAME:Category Manager    
  DOCUMENT_DESCRIPTION   : This profile is for the user who has full rights only at project business document but cannot approve and have no access rights to the master data
  INTERNAL_NAME  :  fci.profile.doc.category_manager
  CATEGORY  :   BUYSIDE     
  COLLAB_PROFILE    :   TRUE     
  INTERNAL_TYPE     :   
  RESTRICTED   :  
  2. And in the "eso_security_rights" I have mentioned the access rights as per requirement.
  RESOURCE        SECURITY_PROFILE                               ALLOW_PERMISSIONS       DENY_PERMISSIONS
  rfx.RFXDoc        fci.profile.doc.wft_category_manager     ODP_READ
  Please give some inputs on this. Am not sure if what I have done is the right way.
  Thanks.
  Vaishali.

  Hi Vaishali,
  I understand that you need these security profiles in another server going forward. I would suggest another way around rather.
  Please create the Security profiles in SAP Sourcing itself, then export the OMA file. When you move into another server please import this OMA file. This will serve the purpose of having the new security profiles in the new server.
  If you are modifing something in the workbook, then you should carefully review field details. As I am not sure which version of SAP Sourcing and details of workbook, so I would suggest the above way to try out.
  Hope this helps
  Thanks
  Jagamohan

• Custom secure views report is not restricting the data

  Hi,
  I have created few custom secure views reports and in which I have used the per_people_f , per_assignments_f secure views but when I am running this report from different responsibilities like (US Resp, UK Resp) it is producing the same number of records. From US resp it should produce the US employees and from UK it should produce the UK employees but this is not happening currently.it is a simple sql script which I registered as sql*plus executable.
  Can any one suggest if I am missing some thing? Urgent help would be appreciated.
  Thanks,
  Ashish

  Pl post details of OS, database and EBS versions. How have you implemented security ? What kind of concurrent program are you using ? Pl provide details. Also see these MOS Docs
  How To Enable Hr Security on Custom Reports?          (Doc ID 369345.1)
  Understanding and Using HRMS Security in Oracle HRMS          (Doc ID 394083.1)
  Need Custom Security Profile To Restrict Based On Employees Organization          (Doc ID 445142.1)
  HTH
  Srini

• Mapping Apps security profiles in Discoverer

  Hello
  We wish to implement a 2-tiered security architecture. We already have the 1st tier in place in Disco Admin by assigning specific Business Areas to responsibilities.
  However, we also want to use the Apps custom Security Profiles to restrict access to tables and views through Discoverer Admin.
  How can this be implemented? Any examples would be most welcome.
  Thanks
  Sanjib Manna
  Oracle Practice
  IBM Business Consulting

  You can use the following query to look for all the security profiles. You can join the hr_operating_units to fnd_profile_option_values.level_value to get the desired result.
  SELECT psp.security_profile_name,
         psp.security_profile_id,
         hou.NAME,
         hou.organization_id
    FROM per_security_profiles psp,
         per_security_organizations pso,
         hr_operating_units hou
  WHERE pso.security_profile_id = psp.security_profile_id
     AND pso.organization_id = hou.organization_id;Additionally, you can also have a look at the below MOS docs.
  How To Check If a Profile Option Is Set In Oracle Applications? [ID 470102.1]
  How to Search all of the Profile Options for a Specific Value [ID 282382.1]
  How To List E-Business Suite Profile Option Values For All Levels Using SQLPlus [ID 201945.1]
  Script To List The Values Of A Profile Option At All Levels [ID 803587.1]
  How to Search all of the Profile Options for a Specific Value [ID 282382.1]
  How To Find All Users With A Particular Profile Option Set? [ID 367926.1]
  How to Change Profile Option Value Without Forms? [ID 943710.1]
  Cheers,
  ND
  Use the "helpful" or "correct" buttons to award points to replies.

• OMA: Security Profiles

  Hi,
  I am trying to migrate the Custom Security Profiles from one system to another.
  When I create the OMA package and import the same in another system, only the security profile name is getting exported and none of its content is getting exported i.e the controls I have ' SET' in the role are coming as ' NOT SET' in the new environment.
  What is going wrong.
  Regards,
  Pankaj

  I guess ACL is not available in Single SRM Object because selecting a single ACL would not be very useful and also ACLs are associated with a Security Profile. You would have to use the Object List and write your own custom OML query or use the Dataset option which will export all. If Dataset option suits your needs, that would be the easiest.
  Or another option would be to use the workbook approach. You could look at the security_rights tab on the enterprise workbook from Resource Guide as a reference.
  Vikram

• Security Profile Not Working

  Hi,
  I want to restrict persons records based on their assignment - organizations.
  Approach 1:
  For this i have created a new custom security profile in Organizatin Security tab
  Security Type : Secure organizations by organization hierarchy and / or org list
  Organization Hierarchy : <gave our primary reporting here>
  selected radio button - use the org on the users's assingemnts as the top org
  In the next block under organization name, gave org 1 and selected Include radio button and next 5 orgs (org 2 to org 6 ) and choosed Exclude radio button (Classification column left blank for all orgs).
  Assigned this Security profile to resposbility (for HR:Security profile)
  When i login to this responsbility and query in enter & maintain form; I am able to see all persons belong to org 2 to org 6; My expectation i should see only those persons whose assignment has org 1;
  Approach 2:
  I have created one more new security profile (in the custom security tab); selected Restrict the people visible to this profile , and gave in command box
  ASSIGNMENT.organization_id = 100 (org id 100 is for Org 1)
  and assigned this to responsbility; When i login to this resp , my expectaion is it will show only persons who assignments having org1. But it shows all other persons, whose assignment having differents orgs (org 2 to org 6)
  In both the above two approaches, I am not getting what i am looking for.
  I have even ran Secuirty List Maintanence program also
  I am doing some thing wrong? Please help on this?
  We are on 11.5.10
  Thanks!!

  Hi
  Is this still aproblem or has Gaurav sorted it out for you. His explanation looks like it will solve the problem, but there might also be a problem in the coding of the custom code. You should be able to achieve what you want without the custom code, by using the organisation tab instead.
  Regards
  Tim

• Security Profile with Assignment-level Security limitations

  Hi, We are on an R12 installation, and have a security profile based on Organization Hierarchy (With Assignment-Level Security - i.e. 'Restrict on Individual Assignments' checkbox is ticked); this is based on a specific organisation as the 'Top Org' rather than the User's own Assignment.
  The profile option "HR: Access Non-Current Employee Data" is set to 'Yes', but the security profile still restricts access to Future-Dated Assignments and Ended Assignments. Is this expected behaviour, and is the only solution to develop a Custom security profile, and is this even feasible (to replicate organisation hierarchy security using SQL in the custom security tab), or would we have to use a different criteria, such as Payroll?
  Regards, Chris

  Further investigation reveals this is a limitation of the product - within security, the selection criteria which determines which individuals (or assignments) is handled seperately to Assignment-level security (i.e. whether individual assignments are restricted), it is not possible to get around this issue even using custom security, as that does not give one the power to determine how individual assignments are handled. Thus if assignment-level security is implemented, the user cannot see Ended or Future-Dated assignments, even if the profile option "HR: Access Non-Current Employee Data" is set to 'Yes'.
  The only workaround we have found for this is to:
  a) remove assignment-level security, and
  b) ensure that where an employee has multiple assignments that cross security groups, this individual is set up twice, as two separate employees.

• Assign Security Profile window

  I saw this question on a HCM list. I also need to get an answer for this:
  "We have multiple security groups enabled. I have some custom security
  profiles that I need to assign to employees. According to Oracle Support, I
  need to use the Assign Security Profile window(Security List Maintenance
  wont do the job) and do this for EACH employee which is obviously a
  monstrous task.
  They did say though that I could use Web ADI to do this but obviously they
  wouldn't say how since its a consulting issue :)
  Has anyone used Web ADI for this purpose or if there any other workarounds
  that you could share?"
  Thanks.

  Ramsys, could you please elaborate? I have no idea of Wendi integrator nor did I find usage info for this on Metalink. What is the API that we could use for this?
  Thanks for your time

• 11.5.9 - Security profile

  Hi,
  A HR user is having full access to view employees from all organization, but now, we have to exclude one of the department, so tht this user should not view employees from the excluded department (say 'Development' org).
  Is it possible to do it without creating a new responsibility (because only one user is going to use this) ? Can we do it thru custom security profile (restict this user to view employees from all departments except 'Development' department).?
  Thanks in advance.

  In later releases you have 'User-based' security which would allow you write a Custom Restriction that does something like:
  ((fnd_profile.value('USER_NAME') = 'ONE_USER' and ASSIGNMENT.organization_id <> 123) OR fnd_profile.value('USER_NAME') <> 'ONE_USER')
  However, in 11.5.9 user-based custom security doesn't exist so I think you're out of luck.
  If you're enabled Multiple Security Groups - and it sounds like you haven't - you assignment Responsibilities and Security Profiles to individual users, rather than assigning Security Profiles to Responsibilities. With Multiple Security Groups you could simply create a new Security Profile for this one user and assign that.
  However, if you don't have Multiple Security Groups - and I don't recommend you implement it for this because it has many implications - then it's a new responsibility I'm afraid.

• SQL Query in Custom Security when creating Security Profile

  Hello all,
  I've created a security profile with Custom security and provided a simple query in Custom Security tab-
  PERSON.PERSON_ID = FND_GLOBAL.EMPLOYEE_ID
  Custom security option is "Restrict the people visible to each user using this profile"
  I am not able to see the record as expected.
  If I Hardcode the person ID "PERSON.PERSON_ID = 13449" with "Restrict the people visible to each user using this profile", I am able to see the record.
  If I Hardcode the person ID "PERSON.PERSON_ID = 13449" with "Restrict the people visible to this profile", I am able to see the record after running PERSLM and same is in PER_PERSON_LISTS.
  Am I correct in checking with FND_GLOBAL.EMPLOYEE_ID?
  (This was mentioned in system administrator guide :
  "+Oracle HRMS assesses the custom security when the user signs on. In addition, the custom security code can include references to user specific variables, for example, fnd_profile.value() and fnd_global.employee_id.+"
  docs.oracle.com/cd/E18727_01/doc.121/e13509/T2096T2098.htm).
  I have tried with FND_GLOBAL.USER_ID / FND_PROFILE.VALUE('USER_ID') / :ASG_ID (seeded query has a join with this bind variable) - not happening.
  I've given options as below :
  Employees = None
  Contingent Worker = Restricted
  Applicant = None
  Contacts = All
  Candidates = All
  All other options - Defaulted
  Thanks,
  Sumanth

  Resolved this - One cannot see self's employee record in the form for which this is setup.
  Hence the below query though correct in syntax did not show any data.
  PERSON.PERSON_ID = FND_GLOBAL.EMPLOYEE_ID
  My original requirement was that all employees belonging to one's Organization should be displayed, and this is working fine with an updated query for the same.
  Thanks,
  Sumanth

• Export - custom queries and reports, and security profiles

  We would like to keep a copy of our customizations to the application. 
  There are ways to import queries, reports and profiles into the app.  Is there any way to export the following to something like a CSV file for the following:
  - custom queries (all tabs)
  - custom reports (all tabs)
  - security profiles (custom and out of box u2013 all access rights)
  Thanks,
  Jerry

  Jerry,
  There are no standard queries that extract security profiles, Query Groups, Reports or Query Defintiions from the system. 
  However you can build custom queries that support this functionality.  During an implementation project I created some custom queries which allowed you to extract these objects for documenting purposes  We likely could supply these to you through SAP Consulting.  Please reach out to your SAP rep and have them Contact Me.  I have created some instruction that explain how to create these.
  Regards,
  James

• Creation of a Marketing Profile Set based on the standard CRM_MKTTG_BP_BIRTHDATE Infoset thru the WebUI Segment Builder

  Objective: Creation of a Marketing Profile Set based on the standard CRM_MKTTG_BP_BIRTHDATE Infoset thru the WebUI Segment Builder.
  Problems: Standard CRM_MKTTG_BP_BIRTHDATE Infoset DOES NEVER RETURN ANY RESULTS on the segmentation builder of the WebUI client (no matter the filter you specify).
  Other cases:  However if we create a new Data source with data "Extraction from Query" (transaction RS02) based on this standard CRM_MKTTG_BP_BIRTHDATE Infoset and we test the functionality using transaction RSA3, IT DOES RETURN RESULTS (using the same filters as in the segmentation builder)! Of course the segmentation builder works with other attribute lists.
  NEW: IF WE DON’T ESPECIFY ANY SEGMENTATION BASE IN THE PROFILE GROUP, IT DOES RETURN RESULTS!!! (GO TO THE END OF THE DOCUMENT FOR DETAILS)
  Steps followed:
  Review Standard Infoset CRM_MKTTG_BP_BIRTHDATE (Transaction SQ02).Review Data Reading Program code: do we have to change the standard code? We have only remove the "BREAK-POINT" statement.
  Creation of a Data source based on the standard CRM_MKTTG_BP_BIRTHDATE Infoset (Transaction CRMD_MKTDS).
  Creation of an Attribute List based on that standard Data source and selection the Birth date as a filter in the Attribute list (Transaction CRMD_MKTDS).
  On the segment builder of the WebUI set any filter (Example: “TODAY”).
  Steps in detail:
  Review Standard Infoset CRM_MKTTG_BP_BIRTHDATE
  SQ02.
  (Image deleted)
  Review Data Reading Program code (Code attached)
  (Image deleted)
  Creation of a Data source based on the standard CRM_MKTTG_BP_BIRTHDATE Infoset
  Data source: Transaction: SPRO – Customer Relationship Management - Marketing – Segmentation - Maintain Data Sources and Attribute Lists: CRMD_MKTDS
  Create Data Source
  (Image deleted)
  Infoset: CRM_MKTTG_BP_BIRTHDATE.
  Business Partner Field: CRMT_MKTTG_IS_BIRTHDATE-PARTNER_GUID
  (Image deleted)
  Result:
  (Image deleted)
  Attribute List
  Creation of the Attribute List
  (Image deleted)
  Assign Data Source:
  (Image deleted)
  Selection of the Birth date as a filter in the Attribute list:
  (Image deleted)
  Result:
  (Image deleted)
  Segment builder of the WebUI:
  Access to WebUI with marketing role.
  Create Segment:
  Creation of Profile Set
  Graphical modeler
  Create Filter: We have already tried many different filters (we already seen notes referring to this matter).
  Example1: “today”
  Count target group. Here I would like to stand out that once you click on the “Count” option, immediately it shows 0 results. In other words, it doesn’t process any information. With other attribute lists it takes some time to process, no matter the filter or the attribute list you use. However if we create a new Data source with data "Extraction from Query" (transaction RS02) based on this standard CRM_MKTTG_BP_BIRTHDATE Infoset and we test the functionality using transaction RSA3, IT DOES RETURN RESULTS (with “today” filter and other)! So it seems that the problem has to do with the segment builder, not the Infoset.
  Result: it never return any results no matter the filter you specify.
  Other cases:
  Creation of a new Data source with data "Extraction from Query" where you enter the name of your new query
  Creation of a Data source based on the standard CRM_MKTTG_BP_BIRTHDATE Infoset
  Standard Infoset CRM_MKTTG_BP_BIRTHDATE:
  We fill the form and select “Extraction from Query”:
  Press SAVE and define which fields will be available for selection and which of them will be visible.
  RSA3: Extractor checker in order to test the Data source:
  We specify the Data source:
  IT DOES RETURN RESULTS:
  ALV Grid:
  NEW: It seems that it has to do with the Segmentation Basis selected in the creation of a Profile Set, because if we do not select any, it does return results. But we need to create this Profile Set based on a particular Segmentation Basis called BS Usuarios Registrados.
  Segment builder – Profile Set of the WebUISegmentation Basis: we leave it in blanc.
  Graphical modeler
  Create Filter: We have already tried many different filters (we already seen notes referring to this matter).
  Example1: “today”
  Count target group.
  Result: IT DOES RETURN RESULTS!!! àConclusion: the problem is the Segmentation Basis
  Define Segmentation Basis:
  Transaction: SPRO – Customer Relationship Management - Marketing – Segmentation – Classic Segmentation - Define Segmentation Basis.BS Usuarios Registrados:
  Define Reports for Creating Segmentation Bases
  Transaction: SPRO – Customer Relationship Management - Marketing – Segmentation – Classic Segmentation - Define Reports for Creating Segmentation BasesZMK_UTL_MGR_SITES_UREG
  Define Usage for Segments:
  Transacción: SPRO – Customer Relationship Management - Marketing – Segmentation – General Settings - Define Usage for Segments.ZBS_UR à02 Segmentatión Basis
  Attribute List:Category:
  There is no Category 02 Segmentatión Basis!!! Why?? Why is not posible to select Category 02 Segmentation Basis in the creation of the Attribute List???
  Usage ID
  NEW: It seems that it has to do with the Segmentation Basis selected in the creation of a Profile Set, because if we do not select any, it does return results. But we need to create this Profile Set based on a particular Segmentation Basis called BS Usuarios Registrados. Why is not posible to select Category 02 Segmentation Basis in the creation of the Attribute List???

  It seems that the standard Infoset doesn’t work by itself with Segmentation Basis. Two SAP notes have been applied and a new Field Group has been added to the Infoset (in order to distint the Segmentation Base).
  CRMT_MKTTG_IS_BIRTHDATE-MGRGUID
  1966298: MGR_GUID is not populated correctly to infoset read program
  2007687:Segmentation InfoSet queries saved with incorrect Master Group
  For that reason we had to create a new Infoset based on the standard CRMT_MKTTG_IS_BIRTHDATE, but adding this new Field MGRGUID to the Group Fields.
  Issue solved