This document explains how to achieve data isolation in Oracle Fusion Applications, equivalent to creating a Global Security Profile and MOAC Security Profile in Oracle E-Business Suite (EBS) R12.2 for a new Business Group (e.g., “MyCompany_BG” or Business Group A) and its Operating Units (e.g., “MyCompany_OU”). It addresses the absence of Business Groups in Fusion and provides steps to restrict access to authorized users and the System Administrator.

1. Key Differences: EBS vs. Fusion Security Models

To understand the equivalent process in Oracle Fusion Applications, let’s contrast the key concepts and mechanisms:

EBS Security Model (R12.2)

  • Business Group: Represents a high-level organizational entity (e.g., a company or division) that partitions HR data (e.g., employees, jobs, organizations). Each Business Group has its own set of HR data and is tied to a legislation code.
  • Operating Unit: A lower-level entity under a Business Group, used to partition transaction data for subledger modules (e.g., Payables, Receivables).
  • Global Security Profile:
    • Defined in the Global Security Profile form (HRMS Manager > Security > Global Security Profile).
    • Restricts HR data access to a specific Business Group (e.g., “MyCompany_BG”) by setting Business Group = “MyCompany_BG”, Security Type = Global, and including only “MyCompany_BG” in Organization Security.
    • Assigned to responsibilities via HR: Security Profile to limit access to the Business Group’s HR data.
  • MOAC Security Profile:
    • Defined in the Security Profile form (System Administrator > Security > Security Profile).
    • Restricts transaction data access to specific Operating Units (e.g., “MyCompany_OU”).
    • Assigned via MO: Security Profile to responsibilities.
    • No automatic creation when an Operating Unit is created, requiring manual setup.
  • Access Control: Uses responsibilities (e.g., “A_HR”, “A_AP”) assigned to users, with profile options (HR: Security Profile, HR: Business Group, MO: Security Profile, MO: Operating Unit) to control access.
  • System Administrator: Typically has global access by leaving HR: Security Profile and MO: Security Profile null or set to profiles including all Business Groups and Operating Units.

Fusion Security Model

  • No Business Group: Fusion does not use Business Groups. Instead, it uses Business Units (for transactional data like Financials, Procurement) and HCM Security Profiles (for HR data like employees, positions). These structures partition data similarly to Business Groups and Operating Units in EBS.
  • Business Unit: A partitioning mechanism for transactional data, equivalent to an Operating Unit in EBS. Business Units are defined for modules like Financials, HCM, or Procurement and are associated with specific data sets (e.g., invoices for a US business unit).
  • HCM Security Profile: A mechanism to restrict HR data access (e.g., person records, positions) based on criteria like departments, locations, or organizations, replacing the Global Security Profile in EBS.
  • Role-Based Access Control (RBAC):
    • Access is granted through roles assigned to users, not responsibilities.
    • Roles include:
      • Abstract Roles: For general access (e.g., Employee, Manager), not tied to specific jobs.
      • Job Roles: For specific job functions (e.g., Accounts Payable Manager, HR Specialist), similar to EBS responsibilities.
      • Duty Roles: Granular entitlements to perform actions (e.g., Process Payables Invoices), inherited by Job or Data Roles.
      • Data Roles: Combine Job Roles with specific data access (e.g., Accounts Payable Manager – US, restricting access to a US Business Unit’s data).
    • Roles are provisioned via Oracle Identity Manager (OIM) or the Security Console in Fusion.
  • Data Security Policies: Define granular access to data (e.g., view invoices for a Business Unit) and are associated with roles. Stored in Oracle Fusion Data Security (FND_GRANTS).
  • Function Security Policies: Control access to application functions (e.g., pages, tasks), stored in the LDAP policy store.
  • Authorization Policy Manager (APM): A tool to manage Duty Roles, Data Role templates, and Data Security Policies, replacing the Security Profile forms in EBS.
  • System Administrator Equivalent: Typically the IT Security Manager or Application Implementation Consultant role, provisioned with broad access to manage users, roles, and enterprise structures across all Business Units and HCM data.

Key Contrast

  • EBS: Uses Business Groups and Operating Units with Global Security Profiles and MOAC Security Profiles assigned to responsibilities to partition HR and transactional data.
  • Fusion: Uses Business Units and HCM Security Profiles to partition transactional and HR data, with Data Roles and HCM Security Profiles assigned to users via RBAC. There is no Business Group concept; Business Units and HCM Security Profiles serve similar partitioning purposes.
  • Security Profile Creation:
    • In EBS, creating an Operating Unit does not create an MOAC Security Profile, requiring manual setup. Similarly, creating a Business Group requires a manual Global Security Profile.
    • In Fusion, creating a Business Unit does not automatically create a Data Role or HCM Security Profile, but Data Role Templates can automatically generate Data Roles for Business Units when configured, simplifying the process compared to EBS.

2. Equivalent Goal in Fusion

In EBS, your goal is to isolate Business Group A (e.g., “MyCompany_BG”) and its Operating Units (e.g., “MyCompany_OU”) using a Global Security Profile (“MyCompany_BG_Security”) for HR data and an MOAC Security Profile (“A_MOAC_Security”) for transactional data, restricting access to authorized users (e.g., via responsibilities “A_HR”, “A_AP”) and the System Administrator. In Fusion, the equivalent goal is to:

  • Isolate HR Data: Restrict access to HR data (e.g., employees, positions) for a specific organizational scope (e.g., a department, location, or all HR data for your company), equivalent to Business Group A’s HR data.
  • Isolate Transactional Data: Restrict access to transactional data (e.g., invoices, purchase orders) for a specific Business Unit (e.g., “US_BU”), equivalent to Business Group A’s Operating Units.
  • Authorized Users: Grant access only to users with appropriate roles (e.g., HR Specialist, Accounts Payable Manager) for your company’s data.
  • System Administrator: Ensure broad access for administrative users (e.g., IT Security Manager) to manage all data across the enterprise.

3. Equivalent Mechanisms in Fusion

In Oracle Fusion Applications, the Global Security Profile (for HR data) and MOAC Security Profile (for transactional data) are replaced by:

  • HCM Security Profiles:
    • Purpose: Restrict access to HR data (e.g., person records, positions, departments), equivalent to the Global Security Profile in EBS.
    • Scope: Define access based on criteria like organizations, departments, positions, or locations, replacing the Business Group concept.
    • Assignment: Used in Data Roles or directly in security configurations to limit HR data access.
    • Example: An HCM Security Profile named “MyCompany_HCM_Security” restricts access to employees in a specific organization (e.g., “MyCompany_Org”), equivalent to Business Group A.
  • Data Roles:
    • Purpose: Restrict access to transactional data for specific Business Units or other data dimensions (e.g., ledgers, projects), equivalent to the MOAC Security Profile in EBS.
    • Structure: Data Roles inherit Job Roles (e.g., Accounts Payable Manager) and add data access restrictions (e.g., for a US Business Unit).
    • Generation: Can be generated automatically using Data Role Templates when Business Units are created, unlike EBS where MOAC Security Profiles are not auto-created.
    • Example: A Data Role named “Accounts Payable Manager – US_BU” restricts access to invoices in the “US_BU” Business Unit, equivalent to “MyCompany_OU”.
  • Data Role Templates:
    • Purpose: Automate the creation of Data Roles for Business Units or other dimensions, reducing manual effort compared to EBS’s manual MOAC Security Profile creation.
    • Configuration: Define templates in APM to generate Data Roles based on Business Units, ledgers, or other criteria.
    • Example: A template generates “Accounts Payable Manager – US_BU” and “Accounts Payable Manager – UK_BU” when new Business Units are created.
  • Role Provisioning:
    • Purpose: Assign roles (Abstract, Job, Data) to users via Oracle Identity Manager (OIM) or the Security Console, replacing EBS’s responsibility assignments.
    • Tools: Use OIM for user and role management, APM for policy management, and the Security Console for role provisioning and mapping.

4. Steps to Set Up Security in Fusion (Equivalent to EBS)

To achieve the equivalent of isolating Business Group A and its Operating Units in Oracle Fusion Applications, follow these steps to configure HCM Security Profiles (for HR data) and Data Roles (for transactional data). These steps assume you’ve already set up enterprise structures (e.g., Business Units, organizations) in Fusion.

Step 1: Create an HCM Security Profile for HR Data (Equivalent to Global Security Profile)

In EBS, the Global Security Profile (“MyCompany_BG_Security”) restricts HR data to Business Group A. In Fusion, an HCM Security Profile restricts HR data to a specific organizational scope (e.g., “MyCompany_Org”).

  1. Log in to Fusion Applications:
    • Use a user with the HCM Application Administrator or IT Security Manager role (equivalent to EBS System Administrator).
    • Access the Setup and Maintenance work area (Navigator > Setup and Maintenance).
  2. Navigate to the Manage HCM Security Profiles Task:
    • In Setup and Maintenance, search for the task: Manage HCM Security Profiles.
    • Path: Setup: Workforce Deployment > Manage HCM Security Profiles.
  3. Create a New HCM Security Profile:
    • Click Create to define a new HCM Security Profile.
    • Enter the following details:
      • Name: A unique name (e.g., “MyCompany_HCM_Security”).
      • Security Type: Typically Person Security Profile (for employee data) or Organization Security Profile (for organizational data).
      • Organization Access:
        • Select Restrict by Organization.
        • Include the organization representing your company (e.g., “MyCompany_Org”), equivalent to Business Group A.
        • Exclude other organizations (e.g., those representing Business Group B).
      • Other Criteria (optional):
        • Restrict by department, location, or position if needed. For Business Group-level isolation, including the top-level organization (e.g., “MyCompany_Org”) is sufficient.
      • Scope: Ensure the profile covers all relevant HR objects (e.g., Person, Position, Job) for your company’s data.
    • Save the HCM Security Profile.
  4. Assign the HCM Security Profile:
    • HCM Security Profiles are typically assigned to Data Roles or used in Data Security Policies (see Step 2).
    • For HR-specific roles (e.g., HR Specialist), the HCM Security Profile is linked to a Data Role to restrict access to “MyCompany_Org” data.

Step 2: Create a Data Role for Transactional Data (Equivalent to MOAC Security Profile)

In EBS, the MOAC Security Profile (“A_MOAC_Security”) restricts transactional data to Operating Units (e.g., “MyCompany_OU”). In Fusion, a Data Role restricts transactional data to Business Units (e.g., “US_BU”). Unlike EBS, where no MOAC Security Profile is created automatically, Fusion’s Data Role Templates can auto-generate Data Roles for new Business Units.

  1. Define a Data Role Template (Optional, for Automation):
    • If you want Data Roles to be generated automatically for Business Units (unlike EBS’s manual process):
    • Navigate to Setup and Maintenance > Manage Data Role and Security Profiles.
    • Create a Data Role Template:
      • Name: e.g., “MyCompany_Data_Role_Template”.
      • Base Job Roles: Select relevant Job Roles (e.g., Accounts Payable Manager, HR Specialist).
      • Dimension: Select Business Unit (or other dimensions like Ledger, Project).
      • Naming Rule: Define a naming convention (e.g., “{Job Role} – {Business Unit}”).
      • Data Security Policies: Specify policies to restrict access to the Business Unit’s data (e.g., view invoices for “US_BU”).
    • Save and apply the template.
    • When a new Business Unit (e.g., “US_BU”) is created, the template generates Data Roles (e.g., “Accounts Payable Manager – US_BU”).
    • Note: If you don’t use a template, you can manually create Data Roles (see below).
  2. Create a Data Role Manually:
    • Navigate to Setup and Maintenance > Manage Data Role and Security Profiles.
    • Click Create to define a new Data Role.
    • Enter the following details:
      • Name: e.g., “Accounts Payable Manager – US_BU”.
      • Job Role: Select the base Job Role (e.g., Accounts Payable Manager).
      • Business Unit Access:
        • Include the Business Unit representing your company (e.g., “US_BU”), equivalent to “MyCompany_OU”.
        • Exclude other Business Units (e.g., “UK_BU”).
      • HCM Security Profile (for HR-related Data Roles):
        • Link the “MyCompany_HCM_Security” profile to restrict HR data access.
      • Data Security Policies:
        • Add policies to grant actions (e.g., View, Update) on specific objects (e.g., Invoices, Purchase Orders) for “US_BU”.
        • Example: Grant “View Invoice” on invoices where Business Unit = US_BU.
    • Save the Data Role.
  3. Use Authorization Policy Manager (APM) for Advanced Configuration:
    • If custom Data Security Policies are needed:
    • Access APM via OIM or Setup and Maintenance > Manage Data Security Policies.
    • Define policies to restrict access to specific data sets (e.g., invoices for “US_BU”).
    • Associate policies with the Data Role.

Step 3: Provision Roles to Users

In EBS, responsibilities are assigned to users via System Administrator > Security > User > Define. In Fusion, roles are provisioned via OIM or the Security Console.

  1. Access the Security Console:
    • Navigate to Navigator > Tools > Security Console.
    • Alternatively, use OIM (Setup and Maintenance > Manage Users and Roles).
  2. Create or Update Users:
    • If users don’t exist, create them in OIM:
      • Path: OIM > Users > Create User.
      • Enter user details (e.g., username, email).
    • For existing users, search for the user in the Security Console or OIM.
  3. Assign Roles:
    • For authorized users (equivalent to EBS “A_HR”, “A_AP” responsibilities):
      • Assign Abstract Roles (e.g., Employee, Manager) for general access.
      • Assign Job Roles (e.g., HR Specialist, Accounts Payable Manager) for functional access.
      • Assign Data Roles (e.g., “Accounts Payable Manager – US_BU”, “HR Specialist – MyCompany_Org”) to restrict data access.
      • Link the HCM Security Profile (“MyCompany_HCM_Security”) to HR-related Data Roles.
    • For the System Administrator (equivalent to EBS System Administrator):
      • Assign the IT Security Manager or Application Implementation Consultant role.
      • Ensure these roles inherit broad access to all Business Units and HCM data (e.g., via a View All Data Role or no data restrictions).
    • Save and submit the role provisioning request.

Step 4: Synchronize and Validate Security

  1. Synchronize LDAP:
    • Run the Retrieve Latest LDAP Changes process (Setup and Maintenance > Run Diagnostics) to synchronize role assignments with the LDAP store.
    • This ensures role provisioning is applied.
  2. Run Security Processes:
    • Run Import User and Role Application Security Data (Setup and Maintenance > Manage Security Tasks) to apply security policies.
    • This is equivalent to EBS’s Security List Maintenance program.
  3. Verify Access:
    • Log in as an authorized user (e.g., with “HR Specialist – MyCompany_Org”):
      • Verify access to HR data for “MyCompany_Org” (e.g., employees in Navigator > My Team).
      • Confirm no access to other organizations or Business Units.
    • Log in as an authorized user (e.g., with “Accounts Payable Manager – US_BU”):
      • Verify access to transactional data for “US_BU” (e.g., invoices in Navigator > Payables).
      • Confirm no access to other Business Units (e.g., “UK_BU”).
    • Log in as the IT Security Manager:
      • Verify access to all Business Units and HCM data for administrative tasks.

Step 5: Audit and Monitor

  • Use Oracle Business Intelligence (BI) Publisher reports to audit role assignments and data access (Navigator > Reports and Analytics).
  • Enable Audit Setup (Setup and Maintenance > Manage Audit Policies) to track user access, similar to EBS’s AuditTrail.
  • Periodically review roles in the Security Console to ensure no unauthorized access to your company’s data.
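
The isolation checks from Steps 4 and 5 can also be run offline against an exported list of role assignments. The following is an added example, not part of Oracle's tooling or the original procedure; the CSV layout, the user names and the two allow-lists are constructed assumptions, and data role names are assumed to follow the “{Job Role} – {Business Unit}” naming rule from Step 2.

```python
import csv
import io

# Constructed sample of a user-to-role export (hypothetical CSV layout,
# not a real Oracle report format).
SAMPLE_EXPORT = """\
username,role_name
alice,Employee
alice,HR Specialist – MyCompany_Org
bob,Accounts Payable Manager – US_BU
carol,Accounts Payable Manager – UK_BU
carol,Accounts Payable Manager – US_BU
dave,IT Security Manager
erin,HR Specialist – MyCompany_Org
erin,Accounts Payable Manager - UK_BU
frank,Application Implementation Consultant
"""

SEPARATOR = " – "  # from the naming rule "{Job Role} – {Business Unit}"
PROTECTED_SCOPES = {"MyCompany_Org", "US_BU"}   # the data being isolated
ADMIN_ROLES = {"IT Security Manager", "Application Implementation Consultant"}
AUTHORIZED_USERS = {"alice", "bob", "erin"}     # hypothetical allow-list
EXPECTED_ADMINS = {"dave"}                      # hypothetical allow-list


def split_data_role(role_name):
    """Split a role name into (job_role, scope); scope is None if the
    name carries no scope suffix (Abstract or plain Job Role)."""
    # Tolerate a plain hyphen typed in place of the en dash.
    normalized = role_name.strip().replace(" - ", SEPARATOR)
    job, sep, scope = normalized.rpartition(SEPARATOR)
    if not sep:
        return normalized, None
    return job.strip(), scope.strip()


def audit_assignments(csv_text):
    """Return (user, finding, details) tuples for isolation violations."""
    by_user = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_user.setdefault(row["username"].strip(), []).append(row["role_name"])

    findings = []
    for user, roles in sorted(by_user.items()):
        admin_roles = sorted(ADMIN_ROLES & {r.strip() for r in roles})
        if admin_roles:
            # Broad access is expected only for the named administrators.
            if user not in EXPECTED_ADMINS:
                findings.append((user, "UNEXPECTED_ADMIN", admin_roles))
            continue
        scopes = {s for _, s in map(split_data_role, roles) if s}
        inside = scopes & PROTECTED_SCOPES
        outside = scopes - PROTECTED_SCOPES
        if inside and user not in AUTHORIZED_USERS:
            # Someone off the allow-list can reach the isolated data.
            findings.append((user, "UNAUTHORIZED", sorted(inside)))
        elif inside and outside:
            # An authorized user also holds a role for another scope.
            findings.append((user, "CROSSES_BOUNDARY", sorted(outside)))
    return findings


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_EXPORT):
        print(finding)
```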

5. Contrasting EBS and Fusion Processes

| Aspect | EBS (Global Security Profile & MOAC Security Profile) | Fusion (HCM Security Profile & Data Role) |
|---|---|---|
| Organizational Structure | Business Group (HR data), Operating Unit (transactional data). | Business Unit (transactional data), Organization/Department (HR data via HCM Security Profile). |
| Security Mechanism | Global Security Profile (HR data), MOAC Security Profile (transactional data). | HCM Security Profile (HR data), Data Role (transactional data). |
| Automatic Creation | No automatic creation for Global or MOAC Security Profiles when Business Groups or Operating Units are created. | No automatic HCM Security Profile; Data Roles can be auto-generated via Data Role Templates for Business Units. |
| Configuration Tool | Global Security Profile form, Security Profile form. | Setup and Maintenance, Security Console, APM, OIM. |
| Access Assignment | Responsibilities assigned via User Define form; profile options (HR: Security Profile, MO: Security Profile). | Roles provisioned via Security Console or OIM; linked to HCM Security Profiles and Data Security Policies. |
| Data Restriction | Business Group (HR), Operating Unit (transactions). | Organization (HR via HCM Security Profile), Business Unit (transactions via Data Role). |
| System Administrator | Null or global HR: Security Profile/MO: Security Profile for broad access. | IT Security Manager or Application Implementation Consultant role with View All or unrestricted access. |
| Maintenance | Run Security List Maintenance, Multiple Organization Setup Validation Report. | Run Retrieve Latest LDAP Changes, Import User and Role Application Security Data. |

6. Addressing the Absence of Business Groups in Fusion

In EBS, Business Groups partition HR data at a high level (e.g., by company or legislation). Fusion eliminates Business Groups, replacing them with:

  • Organizations/Departments: Defined in the HCM module to represent organizational hierarchies (e.g., “MyCompany_Org”). HCM Security Profiles restrict access to these organizations, mimicking the Business Group’s HR data isolation.
  • Business Units: Defined for transactional modules (e.g., Financials, Procurement) to partition data like Operating Units. Data Roles restrict access to specific Business Units.
  • HCM Security Profiles: Provide granular control over HR data, allowing restrictions by organization, department, location, or other criteria, replacing the Business Group’s role in EBS.

For your goal of isolating Business Group A:

  • HR Data: Use an HCM Security Profile (e.g., “MyCompany_HCM_Security”) to restrict access to “MyCompany_Org”, equivalent to “MyCompany_BG”.
  • Transactional Data: Use a Data Role (e.g., “Accounts Payable Manager – US_BU”) to restrict access to “US_BU”, equivalent to “MyCompany_OU”.

7. Example for Your Requirement

To isolate your company’s data (equivalent to Business Group A and its Operating Units) in Fusion:

  1. Define Enterprise Structures:
    • Create an organization (e.g., “MyCompany_Org”) in HCM (Setup and Maintenance > Manage Organization Structures).
    • Create a Business Unit (e.g., “US_BU”) in Financials or Procurement (Setup and Maintenance > Manage Business Units).
  2. Create HCM Security Profile:
    • Path: Setup and Maintenance > Manage HCM Security Profiles.
    • Name: “MyCompany_HCM_Security”.
    • Type: Person Security Profile.
    • Organization: Include “MyCompany_Org”.
    • Save.
  3. Create Data Role Template (Optional):
    • Path: Setup and Maintenance > Manage Data Role and Security Profiles.
    • Name: “MyCompany_Data_Role_Template”.
    • Base Roles: HR Specialist, Accounts Payable Manager.
    • Dimension: Business Unit.
    • Values: “US_BU” (and others as needed).
    • Apply to generate Data Roles (e.g., “Accounts Payable Manager – US_BU”).
  4. Create Data Role Manually:
    • Path: Setup and Maintenance > Manage Data Role and Security Profiles.
    • Name: “Accounts Payable Manager – US_BU”.
    • Job Role: Accounts Payable Manager.
    • Business Unit: “US_BU”.
    • HCM Security Profile: “MyCompany_HCM_Security” (if HR-related).
    • Save.
  5. Provision Roles:
    • In Security Console:
      • For authorized users:
        • Assign HR Specialist – MyCompany_Org (links to “MyCompany_HCM_Security”).
        • Assign Accounts Payable Manager – US_BU.
      • For IT Security Manager:
        • Assign IT Security Manager or Application Implementation Consultant with View All access.
    • Submit provisioning requests.
  6. Run Security Processes:
    • Run Retrieve Latest LDAP Changes.
    • Run Import User and Role Application Security Data.
  7. Verify Isolation:
    • HR user: Access only “MyCompany_Org” employees.
    • AP user: Access only “US_BU” invoices.
    • IT Security Manager: Access all organizations and Business Units.
    • Other users (e.g., for “UK_BU”): No access to “MyCompany_Org” or “US_BU”.

8. Additional Considerations

  • Data Role Templates:
    • Unlike EBS, where MOAC Security Profiles are manual, Fusion’s Data Role Templates automate Data Role creation for new Business Units, reducing setup effort.
    • Configure templates early to streamline security for new Business Units.
  • Predefined Roles:
    • Fusion provides predefined roles (e.g., Accounts Payable Manager, HR Specialist) in the Security Reference Implementation. Customize these via APM or Security Console to fit your needs.
  • Segregation of Duties:
    • Fusion includes predefined Segregation of Duties policies to prevent conflicts (e.g., a user approving and recording transactions). Review these in APM to ensure compliance.
  • Audit and Reporting:
    • Use BI Publisher reports to audit role assignments and access, similar to EBS’s AuditTrail.
    • Monitor security via Security Console > Role Analytics.
  • System Administrator Access:
    • The IT Security Manager role in Fusion is equivalent to EBS’s System Administrator, providing broad access to manage users, roles, and data. Ensure it’s provisioned appropriately.

9. Summary

  • EBS: Uses Global Security Profile to restrict HR data to Business Group A and MOAC Security Profile for Operating Units, manually created as they’re not auto-generated.
  • Fusion: Uses HCM Security Profile to restrict HR data to an organization (e.g., “MyCompany_Org”) and Data Roles for Business Units (e.g., “US_BU”). Data Roles can be auto-generated via Data Role Templates, unlike EBS.
  • Steps in Fusion:
    • Create HCM Security Profile (“MyCompany_HCM_Security”) for HR data.
    • Create Data Role (“Accounts Payable Manager – US_BU”) or use Data Role Template for transactional data.
    • Provision roles via Security Console or OIM.
    • Run security synchronization processes.
  • Isolation:
    • Restrict HR data to “MyCompany_Org” and transactional data to “US_BU” for authorized users.
    • Grant IT Security Manager broad access, equivalent to EBS System Administrator.
    • Exclude other organizations/Business Units from unauthorized users’ roles.
  • No Business Group: Replaced by Organizations (for HR) and Business Units (for transactions), with HCM Security Profiles and Data Roles providing equivalent isolation.
