Manage Access to Data Based on Business Groups
NoetixViews for Oracle Human Resources, Oracle Advanced Benefits, Oracle Payroll, and Oracle Time and Labor provide configurable access to data in Oracle Human Resources Management System (HRMS). The About Access to HRMS Data topic in this section discusses the support for data security based on business groups and security profiles in NoetixViews, and the Define Security Based on Business Groups topic discusses how to customize security settings for the Noetix query users based on the business groups and security profiles.
About Access to HRMS Data
In NoetixViews, Noetix query users can access data from the Noetix views for Advanced Benefits, Human Resources, Payroll, and Time and Labor based on the roles and row-level security assigned to them. The standard and global forms of views for these modules allow users to access employee data based on business groups and security profiles. For the data in the views of these modules, row-level security is determined based on the organizational unit and application-specific securities assigned to the Noetix query users in Oracle E-Business Suite. The organizational unit security controls the Noetix query users' access to the business groups defined in Oracle E-Business Suite. The application-specific security is applied over the organizational unit security based on the security profiles to further restrict the Noetix query users' access to the business groups. However, for the global form of the views, NoetixViews provides functionality to override the organizational unit and application-specific securities of the Noetix query users to customize their access to business groups.
Noetix Views for Human Resources
The Noetix views for Human Resources are of two types: standard and global. Standard views for Human Resources return data for a single business group, and a Noetix role is generated for each detected business group. In contrast, global views for Human Resources provide access to all detected business groups in an instance of Oracle E-Business Suite and can be accessed through a single set of roles. Global views support multiple key flexfield structures, whereas standard views support only a single key flexfield structure and will have columns for returning individual segment values corresponding to each structure. In a global view that uses multiple key flexfield structures set up with multiple segments, by default, the following key flexfield columns are generated:
A column to return the concatenated segment values corresponding to the flexfield structure used.
A column to return the key flexfield primary key column value for the corresponding concatenated segment values of the structure.
A column to return the concatenated name of the key flexfield segments for the corresponding structure. This column has the suffix Segment Name List in the column label.
A column to return the name of the key flexfield structure used in the global view. This column has the suffix Structure Name in the column label.
A Z$ column to join to the key flexfield view. The Z$ column will have the name of the key flexfield view in the suffix.
The only exception to this is the special information type (SIT) views in which each view is tied to only one structure. Therefore, in these views, key flexfield columns are generated based on one of the following conditions:
If the key flexfield is restricted to use only a single structure set up with multiple segments, by default, the following columns are generated:
A column to return the concatenated segment values corresponding to the flexfield structure used.
Columns for returning individual segment values corresponding to the structure.
If the key flexfield is restricted to use only a single structure set up with single segment, by default, the following column is generated:
A column to return the individual segment value of the structure.
NOTE: In the views for Payroll, Advanced Benefits, and Time and Labor, columns for the supported key flexfields are generated in the same manner as in the views for Human Resources.
Noetix Roles for Human Resources
NoetixViews uses database roles to group related views and simplify security administration. A Noetix query user who is granted a role can then query all views in that role.
For standard views, the following roles are generated for each detected business group:
HR HUMAN RESOURCES: Includes views that return nonconfidential data, confidential data (except for salary data), and data for extra information types (EITs) and special information types (SITs). Human Resources supervisors and those who require broad access to Human Resources data should be granted this role.
HR MANAGER: Includes views that return nonconfidential data and confidential data (except for salary data). Managers who require limited access to Human Resources data should be granted this role.
HR SALARY MANAGER: Includes views that return confidential salary data.
HR EXTRA INFO TYPES: Includes views that return data for EITs.
HR SPECIAL INFO TYPES: Includes views that return data for SITs.
HR USER: Includes views that return nonconfidential data.
For global views, only one set of these roles with the default, configurable prefix of HRG0 will be generated.
Security Policies in Views for HRMS
The Noetix views for Advanced Benefits, Human Resources, Payroll, and Time and Labor support the following kinds of security policies:
Application-Specific Security of Human Resources: This security policy is the default for Noetix query users of the Oracle E-Business Suite Authenticated User (Type A) and Oracle E-Business Suite Authenticated Responsibility (Type R) types. For more information on users and roles, see About Noetix Query Users and Roles.
For these users, application-specific security is applied when no changes are made on the Business Group tab of the <Noetix query user> Properties dialog box of the Noetix Views Administrator (NoetixViews Administrator).
This security policy applies employee data and business group restrictions on Noetix query users that are similar to the restrictions applied on users in Human Resources. Employee data restrictions are always determined by the security profile or global security profile applied to the Noetix query users during logon.
For standard views, the business group is hard-coded in the view and cannot be changed or overridden. The security profile defined for the Noetix query users of the Oracle E-Business Suite Authenticated User (Type A) and Oracle E-Business Suite Authenticated Responsibility (Type R) types in Oracle E-Business Suite will determine their access to data in standard views. For Noetix query users of the Database User (Type U) and Noetix System Administration User (Type N) types, the security profiles will apply only if the query users are also defined in Human Resources as reporting users for the security profiles. For more information on users and roles, see About Noetix Query Users and Roles.
The security profiles cannot be overridden in standard views.
For global views, the business group is determined by the security model and security profile or global security profile applied to the Noetix query users during logon. If the Standard Human Resources Management System security model is used in Human Resources, the business group assigned to the security profile is used or the business group assigned to the responsibility during logon with the global security profile is used. If the Security Groups Enabled security model is used, the business group is indicated by the security group used during logon. Irrespective of the security model, application-specific security of Human Resources will result in access to a single business group in the global views. For Noetix query users of the Database User (Type U) and Noetix System Administration User (Type N) types, application-specific security of Human Resources will apply in the global views only when these users are also specified as reporting users for security profiles in Human Resources. In such cases, access to employee data will be determined by the security profiles to which the reporting users are assigned.
For information on security profiles, global security profiles, responsibilities, and security groups, see the Oracle documentation.
Custom Security: Custom security is established when the application-specific security of Human Resources is overridden through settings on the Business Group tab of the <Noetix query user> Properties dialog box. Through custom security, you can override the employee data restrictions of security profiles and global security profiles, allow access to all business groups within the organization hierarchy of a global security profile, and create custom lists of accessible business groups. For all global views for Advanced Benefits, Human Resources, Payroll, and Time and Labor, the list of accessible business groups can be modified.
The following table indicates how the settings in Human Resources and on the Business Group tab of the <Noetix query user> Properties dialog box collectively secure data in global views for Advanced Benefits, Human Resources, Payroll, and Time and Labor:
For information about how to define security based on business groups in global views for Advanced Benefits, Human Resources, Payroll, and Time and Labor, see Define Security Based on Business Groups.
The following table lists the Noetix views pertaining to Advanced Benefits for which the data is filtered by the security profiles established in Human Resources. The security profiles can be overridden in only the global form of these views.
View name | Human Resources security profile applied at:
BEN COBRA Beneficiaries (Available for only United States legislation) | Person and Assignment levels
BEN Elig Elec Enrollments | Person and Assignment levels
BEN Emp Dependents | Person level
BEN Life Evnt Workflow | Person and Assignment levels
BEN Payroll Ben Costs | Person level
BEN Potential Life Evnts | Person and Assignment levels
BEN Ptpnt Benefit Costs | Person and Assignment levels
BEN Ptpnt Communications | Person and Assignment levels
BEN Ptpnt Court Orders | Person and Assignment levels
BEN Ptpnt Electabilities | Person and Assignment levels
BEN Ptpnt Eligibilities | Person and Assignment levels
BEN Ptpnt Enroll Actions | Person and Assignment levels
BEN Ptpnt Enrollments | Person and Assignment levels
BEN Ptpnt Flex Credits | Person and Assignment levels
BEN Ptpnt Flex Spending | Person and Assignment levels
BEN Ptpnt Life Events | Person and Assignment levels
BEN Ptpnt Mthly Premiums | Person and Assignment levels
The following table lists the Noetix views pertaining to Human Resources for which the data is filtered by the security profiles established in Human Resources. The security profiles can be overridden in only the global form of these views.
View name | Human Resources security profile applied at:
HR Accrual Pln Hist | Any level
HR Address Hist | Person and Organization levels
HR AP 1099 Payments (Available for only United States legislation) | Person level
HR Applicant Hist | Person, Assignment, and Vacancy levels
HR Ben Elig Info | Position, Person, and Assignment levels
HR Budgets | Position level
HR Carrier Asg Hist | Security level
HR COBRA Prem Stat (Available for only United States legislation) | Person level
HR COBRA Track (Available for only United States legislation) | Person level
HR Contact Hist | Person level
HR Contingent Worker Info | Person and Assignment levels
HR EI Academic Rank | Person level
HR EI Asg Ben Derived | Person level
HR EI Asg Federal | Person level
HR EI Asg Locality | Person level
HR EI Asg Types | Position, Person, and Assignment levels
HR EI GHR Probations | Person level
HR EI GHR Sep Retire | Person level
HR EI Job Types | Any level
HR EI Loc Types | Any level
HR EI Per Types | Person level
HR EI Pos Types | Any level
HR EI US Add Details (Available for only United States legislation) | Person level
HR EI US Passport Dtls (Available for only United States legislation) | Person level
HR EI US Visa Dtls (Available for only United States legislation) | Person level
HR Element Links | Person, Organization, and Payroll levels
HR Emp Absence Hist | Person and Assignment levels
HR Emp ADA Info (Available for only United States legislation) | Person level
HR Emp Asg Details | Person and Assignment levels
HR Emp Assign Costs | Organization, Person, and Assignment levels
HR Emp Assign Costs Hist | Person and Assignment levels
HR Emp Assign Hist | Person and Assignment levels
HR Emp Ben Health | Person and Assignment levels
HR Emp Ben Others | Person and Assignment levels
HR Emp Beneficiary | Person level
HR Emp Element Entry Vals | Person and Assignment levels
HR Emp Emergency | Person and Assignment levels
HR Emp Ethnic Info (Available for only United States legislation) | Person and Assignment levels
HR Emp Headcnt Hist | Person and Assignment levels
HR Emp Headcounts | Person and Assignment levels
HR Emp Info | Person and Assignment levels
HR Emp LOS | Person and Assignment levels
HR Emp Reviews | Person and Assignment levels
HR Emp Sal Analysis | Person and Assignment levels
HR Emp Sal Hist | Person and Assignment levels
HR Emp Sal Pro Current | Person and Assignment levels
HR Emp Sal Pro Hist | Person and Assignment levels
HR Emp Tax Details (Available for only United States legislation) | Person level
HR Emp Terms Hist | Person and Assignment levels
HR Emp Total Comp | Person and Assignment levels
HR Emp Veteran Info (Available for only United States legislation) | Person and Assignment levels
HR Emp Work Hist | Person and Assignment levels
HR Emp Xfers Hist | Person and Assignment levels
HR New Hire Hist | Organization, Person, and Assignment levels
HR Oth Headcnt Hist | Person and Assignment levels
HR Pay Scales | Any level
HR People Grp Hist | Person and Assignment levels
HR Person Hist | Person and Assignment levels
HR Phones Hist | Person level
HR Pos Hierarchies | Position level
HR Pos Requirements | Position level
HR Req Vac Track | Position and Vacancy levels
HR Schools Attended | Any level
HR SI Type | Person level
HR Turnover Hist | Organization, Person, and Assignment levels
HR Vac Job Match | Position and Vacancy levels
HR Vac Pos Match | Person, Position, and Vacancy levels
The following table lists the Noetix views pertaining to Payroll for which the data is filtered by the security profiles established in Human Resources. The security profiles can be overridden in only the global form of these views.
View name | Human Resources security profile applied at:
PAY Accruals (Available for all legislation except for Australia) | Person and Assignment levels
PAY Check Register | Payroll, Person, and Assignment levels
PAY Costing Analysis | Payroll, Person, and Assignment levels
PAY Costing Details | Organization level
PAY Costing Summary | Organization level
PAY Custom Balances (Available for all legislations except for Australia and United Kingdom) | Payroll, Person, and Assignment levels
PAY Deductions Owed | Payroll, Person, and Assignment levels
PAY Emp Not Paid | Payroll, Person, and Assignment levels
PAY Emp Not Paid Vg | Payroll, Person, and Assignment levels
PAY Gre Totals (Available for only United States legislation) | Organization level
PAY Gross And Net Balances | Payroll, Person, and Assignment levels
PAY Gross To Net Summary | Organization level
PAY Hours By Cost Center | Organization level
PAY Invalid Addresses (Available for only United States legislation) | Person level
PAY Payment Methods | Person and Assignment levels
PAY Payment Register | Payroll, Person, and Assignment levels
PAY Payroll Activities | Payroll, Person, and Assignment levels
PAY Payroll Audit | Payroll, Person, and Assignment levels
PAY Payroll Messages | Organization, Payroll, Person, and Assignment levels
PAY Payroll Proc Summary | Payroll level
PAY Run Results | Payroll, Person, and Assignment levels
PAY Tax Balances (Available for all legislations except for Australia and United Kingdom) | Payroll, Person, and Assignment levels
PAY Third Party Balances (Applicable for only Canadian legislation) | Payroll, Person, and Assignment levels
PAY Third Party Register | Payroll, Person, and Assignment levels
PAY Void Payments | Payroll, Person, and Assignment levels
PAY US Payroll Register (Available for only United States legislation) | Payroll, Person, and Assignment levels
PAY US W2 Register (Available for only United States legislation) | Payroll, Person, and Assignment levels
The following table lists the Noetix views pertaining to Time and Labor for which the data is filtered by the security profiles established in Human Resources. The security profiles can be overridden in only the global form of these views.
View name | Human Resources security profile applied at:
HXC All Assignment Hist | Person and Assignment levels
HXC All Person Hist | Person level
HXC Assignment Time Info | Person and Assignment levels
HXC BEE Batch Headers | Organization level
HXC BEE Batch Lines | Person and Assignment levels
HXC BEE Error Messages | Organization level
HXC PUI Latest Timecards | Person and Assignment levels
HXC PUI Missing Timecards | Person and Assignment levels
HXC PUI Time Entry Errors | Person level
HXC PUI Timecard History | Person and Assignment levels
HXC SS Latest Timecards | Person and Assignment levels
HXC SS Missing Timecards | Person and Assignment levels
HXC SS Time Category Hours | Person level
HXC SS Timecard Action Hist | Person and Assignment levels
HXC SS Timecard History | Person and Assignment levels
HXC Timecard Summary | Person and Assignment levels
Define Security Based on Business Groups
In NoetixViews Administrator, use the Business Group tab to control access to data in global Noetix views for Advanced Benefits, Human Resources, Payroll, and Time and Labor based on business groups for a Noetix query user.
The Business Group tab will be available only if:
You have purchased the global form of Noetix views for at least one of the following Oracle E-Business Suite modules:
Advanced Benefits
Human Resources
Payroll
Time and Labor
You are not modifying the Oracle Administrative Database User (Type O).
IMPORTANT: When assigning row-level security to Noetix query users using the Business Group tab, the following points should be noted:
For allowing Noetix query users to view data from the Noetix views for the selected Oracle application, appropriate roles corresponding to the selected business groups should be assigned to the users.
In Oracle Discoverer and Noetix WebQuery, user authentication based on the roles and row-level security settings similar to Oracle E-Business Suite is supported. For information, see About Data Security in NoetixViews.
In Oracle Business Intelligence (Oracle BI), SAP BusinessObjects, and IBM Cognos Business Intelligence (Cognos BI), user authentication based on the roles and row-level security settings is supported for only the Oracle E-Business Suite Authenticated User (Type A) type Noetix query users if the query users are mapped to the users registered in these BI tools. For information, see Applying Row-level Security to BI Tool Users.
To control access to data in Noetix views based on business groups
On the Noetix Query User Maintenance tab of the Security Manager dialog box, select the user for whom you want to customize access to data. For information about creating or modifying a user account, see Create a Noetix Query User Account or Modify a Noetix Query User Account. Click Edit. The <Noetix query user> Properties dialog box appears. If you are creating Noetix query users for the first time, skip this step, and go to step 2.
Click the Business Group tab.
In the Application list, click an application name. The options are Benefits, HR, Payroll, and Time and Labor. After you select the application, the corresponding settings appear in the Settings for the <application name> application section.
Select or clear the Enforce Oracle HR security profile processing check box. When the check box is selected, the following options for global security profiles are available:
the business group specified by the user's login session: This option is the default for Noetix query users of the Oracle E-Business Suite Authenticated User (Type A) and Oracle E-Business Suite Authenticated Responsibility (Type R) types. For more information on users and roles, see About Noetix Query Users and Roles.
This option ensures that even if the Noetix query user's logon credentials in Oracle E-Business Suite include a global security profile, data will be returned for only the business group derived from these credentials. In other words, data will not be returned for other business groups that are encompassed by the global security profile. Thus, this option provides the same level of security that is present in Oracle E-Business Suite.
all business groups included in the global security profile: This option ensures that data will be returned for business groups encompassed by the Noetix query user's global security profile as long as they are also displayed in the Assigned Business Groups list. This option enables the Noetix query user to access data from multiple business groups through a global view for Advanced Benefits, Human Resources, Payroll, and Time and Labor with the row-level restrictions specified by the global security profile.
Regardless of the option you choose, you need to ensure that the business groups you want the Noetix query user to access with the row-level restrictions applied in Human Resources are also in the Assigned Business Groups list.
If you do not want to filter data according to the security profiles of the Noetix query user, clear the Enforce Oracle HR security profile processing check box, and proceed with the next step.
IMPORTANT: The Enforce Oracle HR security profile processing check box is available for Noetix query users of the Database User (Type U) and Noetix System Administration User (Type N) types only if they are also set up as the reporting users for security profiles.
For more information on users and roles, see About Noetix Query Users and Roles.
In the Settings for the <application name> application section, select one of the following options:
Derive from Oracle EBS: Click this option to grant access to business groups based on the Noetix query user's security settings in Human Resources. This option is available only if the Noetix query user is of the Oracle E-Business Suite Authenticated User (Type A) or Oracle E-Business Suite Authenticated Responsibility (Type R) type. For more information on users and roles, see About Noetix Query Users and Roles.
This is also the default option for these users. These business groups will appear in the Assigned Business Groups list and cannot be modified. When the Standard HRMS security model is used, the list is determined by the values of the HR:Business Group profile option for all responsibilities assigned to the Noetix query user. In the case of the Security Groups Enabled security model, the list is determined by the security groups assigned to the Noetix query user of the Oracle E-Business Suite Authenticated User (Type A) type. If the Noetix query user is of the Oracle E-Business Suite Authenticated Responsibility (Type R) type, the list will be empty. Go to step 7 to save the changes.
NOTE: If multiple users are selected, the Assigned Business Groups list will display the "<multiple users selected>" text for this option.
Custom: Click this option to grant access to a custom list of business groups. After you select this option, the Add button will be available. By default, this option is selected for users of the Noetix System Administration User (Type N) and Database User (Type U) types. For information about specifying a custom list of business groups, see step 6.
All: Click this option to grant access to all the business groups that are available in Human Resources. The business groups are displayed in the Assigned Business Groups list. When this option is selected, the data on the list cannot be modified. Go to step 7 to save the changes.
If the data access privileges of the Oracle E-Business Suite Authenticated User (Type A) type, Oracle E-Business Suite Authenticated Responsibility (Type R) type, and reporting users change in Oracle E-Business Suite or if row-level security changes have been made in Oracle E-Business Suite, click Refresh Security on the toolbar of the NoetixViews Administrator to update the changes in NoetixViews. For more information, see Refresh Security for Noetix Query Users.
NOTE: When you click the Refresh Security button, a message is displayed stating that the process of refreshing the security may take some time.
To specify a custom list of business groups, do the following:
Click Add. The Add Business Groups dialog box displays the list of business groups that are available in Human Resources and that are yet to be added to the Assigned Business Groups list.
The following columns and options are available in the Add Business Groups dialog box:
Show only current user’s Oracle EBS-derived access: Allows you to view only the business groups that are accessible to the Oracle E-Business Suite Authenticated User (Type A) or Oracle E-Business Suite Authenticated Responsibility (Type R) type user in the selected Oracle application. If you do not select this check box, you can see all the business groups available in the selected Oracle application. This check box is available for only the Oracle E-Business Suite Authenticated User (Type A) type or Oracle E-Business Suite Authenticated Responsibility (Type R) type users.
Name: Indicates the name of the business group.
ID: Indicates the ID of the business group.
Legislation Name: Indicates the legislation name corresponding to the business group.
Legislation Code: Indicates the legislation code corresponding to the legislation.
Affected Noetix Roles: Indicates the Noetix roles that have access to the views corresponding to the business group.
EBS-Derived: Indicates whether the user can access the business group in the selected Oracle application.
Click a column title to sort the business groups by the entity represented by the column.
NOTE: You need to scroll to the right to see all the information in a row. The width of columns in the list can be adjusted to see more if required. Select the line between columns in the header, and drag it to the required position. Also, you can resize the height and width of the dialog box by dragging the sides of the dialog box.
Select the check boxes corresponding to the business groups that you want to assign to the Noetix query user. To select all the business groups, click Select All.
Click OK. You return to the Business Group tab with the selected business groups displayed in the Assigned Business Groups list.
NOTE: You need to scroll to the right to see all the information in a row. The width of columns in the list can be adjusted to see more if required. Select the line between columns in the header, and drag it to the required position.
To remove a business group from the Assigned Business Groups list, select the business group, and click Remove. To select multiple business groups, press CTRL, and click the business groups.
IMPORTANT: If application-specific security of Human Resources is applied, data will be returned with row-level security for only those business groups that are in the Assigned Business Groups list and that are also accessible to the Noetix query user in Human Resources. If application-specific security of Human Resources is not applied, data will be returned without row-level security for the business groups in the Assigned Business Groups list.
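The rules above for global views, modeled as an added Python example for reviewing Business Group tab settings before they are applied. It is not NoetixViews code: the class, field, and finding names and the sample users and business groups are constructed assumptions.

```python
"""Model of the Business Group tab rules for global views (constructed data)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class ProfileScope(Enum):
    LOGIN_SESSION = "the business group specified by the user's login session"
    GLOBAL_PROFILE = "all business groups included in the global security profile"


@dataclass(frozen=True)
class TabSettings:
    """One user's settings for one application; field names are hypothetical."""
    user: str
    enforce_hr_profile: bool                 # Enforce Oracle HR security profile processing
    assigned: FrozenSet[str]                 # Assigned Business Groups list
    scope: ProfileScope = ProfileScope.LOGIN_SESSION
    session_group: Optional[str] = None      # business group derived from logon credentials
    profile_groups: FrozenSet[str] = frozenset()  # groups in the global security profile


@dataclass(frozen=True)
class EffectiveAccess:
    groups: FrozenSet[str]
    row_level_security: bool


def effective_access(s: TabSettings) -> EffectiveAccess:
    # Check box cleared: every assigned group is returned without row-level security.
    if not s.enforce_hr_profile:
        return EffectiveAccess(s.assigned, False)
    # Check box selected: Human Resources decides which groups are reachable ...
    if s.scope is ProfileScope.LOGIN_SESSION:
        hr_groups = frozenset([s.session_group]) if s.session_group else frozenset()
    else:
        hr_groups = s.profile_groups
    # ... and only groups that are also in the assigned list return data.
    return EffectiveAccess(s.assigned & hr_groups, True)


def audit(settings: List[TabSettings]) -> List[Tuple[str, str, List[str]]]:
    """Return (user, finding, business groups) for settings a reviewer should justify."""
    findings = []
    for s in settings:
        access = effective_access(s)
        if not access.row_level_security and access.groups:
            # Data comes back with no security-profile filtering at all.
            findings.append((s.user, "UNFILTERED", sorted(access.groups)))
        elif access.row_level_security and not access.groups:
            # Assigned list and Human Resources access do not overlap: no rows returned.
            findings.append((s.user, "NO_DATA", []))
        elif s.scope is ProfileScope.GLOBAL_PROFILE:
            # Wider than the single business group Oracle E-Business Suite would give.
            extra = access.groups - {s.session_group}
            if extra:
                findings.append((s.user, "WIDER_THAN_SESSION", sorted(extra)))
    return findings


# Constructed sample users and business groups.
ALL_GROUPS = frozenset({"BG-US", "BG-UK", "BG-CA"})
SAMPLE = [
    TabSettings("alice", True, frozenset({"BG-US", "BG-UK"}),
                ProfileScope.LOGIN_SESSION, "BG-US", ALL_GROUPS),
    TabSettings("bob", True, frozenset({"BG-US", "BG-UK"}),
                ProfileScope.GLOBAL_PROFILE, "BG-US", ALL_GROUPS),
    TabSettings("carol", False, ALL_GROUPS),
    TabSettings("dave", True, frozenset({"BG-US"}),
                ProfileScope.LOGIN_SESSION, "BG-CA"),
]

if __name__ == "__main__":
    for user, finding, groups in audit(SAMPLE):
        print(f"{user}: {finding} {groups}")
```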