HCM/ERP Cloud Release 12 - Security Console

Oracle Cloud Applications Release 12 included many new areas of functionality.  One in particular has had a major impact (positive) on those of us who implement the product for our customers.   This feature is called the  "Security Console".

Since the earliest releases of Oracle Cloud, the security has been managed by the Fusion Middleware products Oracle Identity Manager (OIM) and Oracle Authorization Policy Manager (APM).  Whilst extremely powerful tools for managing user accounts and role based access, the tools required a level of knowledge beyond standard application configuration.  They were also displayed through a separate UI to the main applications and configuration of security rules involved using multiple screens and UIs.

Leading up to Release 12, Oracle have done a lot of work to transition onto a tool called the "Security Console".  This tool is embedded in the application and is intended as a "one-stop shop" for security configuration.   By Release 12, this transition is virtually complete.

Now, the Security Console allows us to see the holistic view of all aspects of functional and data security using a visual tool.   We can focus on parts of the security configuration and drill down towards detailed privileges or up towards users.  The Security Console includes functionality to copy roles and create custom versions, to add/remove functional data data privileges and to view detailed analytics about roles and role usage.

This image shows a typical view of roles in the Security Console, complete with colour coding to indicate what type of role each role is (seeded or custom), and to distinguish between roles, privileges and users.



It has simplified the management of users and roles into a single UI and is a great advance for implementors and system administrators alike.

Oracle HCM World 2017

Oracle HCM World 2017

I've just returned from Oracle HCM World 2017 in Boston, MA.   This year, we saw many customer stories about their journeys to the cloud.   This is a real sign of the scale of adoption of Oracle's Cloud applications.

Many of the customers were global, with implementations spanning over 100 countries.

Another indication of the way in which Oracle Cloud applications are moving was the increasing number of multi-pillar implementations (e.g. ERP+HCM).

Another theme, dear to my heart, was how many times we heard that it was really important to use a partner who understood the product in depth.  I couldn't agree more!   We at Certus Solutions pride ourselves on being such a partner.

I'll write a fuller account later, but for the short term just wanted to share some initial highlights.

HCM Cloud Release 12

HCM Cloud Release 12

We've been waiting for this release for some time now.   At least the documentation is now available and we can see what's new and what's changing.   I've held off writing this post until we had our pod upgraded, but in the interests of sharing information to the wider HCM Cloud Community, I've decided to make some comments now before we've got our hands on it.  Consequently, I won't be sharing any screenshots.   However, example screens can be seen on the various Oracle Cloud information portals.   I particularly recommend Customer Connect  and the Cloud Readiness pages.

One big area of impact is around security.   There are many enhancements to the security console.  More of this later.

Many other changes tidy up some of the HCM processes.

I'm not going to cover all changes, but here are a few of the more interesting ones:

New Hire Process

It will now be possible to add multiple managers and manage subordinates during the hire process.   Up to now, the hire was one process and then a second process was needed to update the new hire via the Person Management workarea.

Duplicate Person Check

This has now been made more configurable.   For example, you can now configure the rules which determine which set of data is checked to determine for duplication.  Before R12, you could only switch the standard duplicate check on or off.

Manager Changing Hours

In R12, when a manager uses the change hours process, they can optionally also change the salary.   This is useful because the salary is often impacted by changing hours.  Now it doesn't need to be 2 transactions or handed off to HR.

Applications Security

Now this is where I think the biggest changes are going to occur.

We've had the Security Console for several releases now.   Up to this point, it's bee useful for visualising the role structures and hierarchy and for (limited) creation and copying of roles.

From R12, it's going to include many new features.

Reference Role Model

It's always been good practice to use the 'out of the box' roles as a reference and if you needed to tailor them to your own requirements, for example removing or adding some seeded duty roles to a job role then you should make a custom copy.  However, this wasn't enforced because the seeded reference roles were not protected.

In R12, the seeded roles are locked down and cannot be edited.   This will force implementors to make custom roles and therefore avoid any potential conflicts if Oracle ever change the seeded roles.   It also allows the seeded roles to be used as a reference against your 'custom' changes.

N.B.   There are some pre-upgrade checks you will need to do to prepare for this!

User Account Maintenance

This is now going to be part of the Security Console.  So, administrators can use the Security Console to manage users rather than navigate to OIM.

Userid and Password Policies

Because the users can now be managed via the Security Console, the policies for their formats and validation is also being made available for configuration.  Previously, this would require a request to Cloud Services.   The policies look as if they will be somewhat limited in choice and it remains to be seen what will happen if a customer says "I want this format which is  not available - how do I enforce it?".

If you had previously submitted an SR to request a 'custom' policy, you should review whether this policy is still valid.   There is a document on MoS (My Oracle Support) to help (Doc Id 2023523.1) 

Role Visualisation

Staying with the Security Console enhancements, the visualisation of roles will be simplified.   I have yet to see how this works, but I welcome any simplification.   The idea of visualising roles was great, but as soon as you start having roles with dozens of subordinate roles the whole visualisation loses its appeal and looks very messy.

you will also be able to search for roles within a hierarchy to quickly locate where they are.  Very useful in a complex structure.

You will also be able to define custom notification templates for messages assocaited with user management.   I'm not sure yet if this extends to other notifications.

Active Directory

Integration between AD and OIM is often a requirement we see in implementation projects.  In R12 there will be a built in synchronization job, controlled via the Security Console.

New Security Profiles

Previously, you could use an Area of Responsibility (AOR) in a person security profile by including custom SQL code.   From R12, this is simplified and there is a new security profile type for AOR.   However, be careful with it as it may conflict with other person related security rules such as 'show me people with surnames beginning A-K'.

One neat feature which stood out to me is the ability to see the impact of the security profile you have just configured.   You will be able to see how many people (and who they are) who will be returned by the security profile.

You will also be able to include areas of responsibility in the Role Provisioning Rules configuration.

HCM Spreadsheet Loaders

By popular demand, spreadsheet loaders are back!   But, they are implemented as add-ons to Excel.  They will have somre 'configurability'.  At the time of writing, I've not had enough time to investigate this fully, so maybe another post soon with some more details is in order.


Conclusion

All said, this looks like a release full of useful enhancements.  But, when will it hit the streets??