Custom Roles
Custom roles can be used to control access to specific features and functions within the system, and they can be customized to fit the specific needs of an organization. For example, an administrator might create a custom role that allows a user to view and edit employee records, but not to delete them.
The custom role below is the one I recommend assigning to your implementation user. More roles will be needed later, but this is the bare minimum required to begin the implementation tasks.
The approach is to copy one standard role and then add the function security privileges and role hierarchy entries that grant access to the features the setups need (LACLS, BPM, DFF, lookups, and so on).
To create the copy, select the role with Role Name / Code: Employee / ORA_PER_EMPLOYEE_ABSTRACT.
How to Select the Best Roles to Begin Setups?

| Name | Code | Category | Type | Description |
|---|---|---|---|---|
| Financials Administration for Brazil | ORA_JL_BRAZIL_CONFIGURATION_ADMINISTRATION_DUTY | Security Policy | Privilege | Configure Brazil country-specific functionality for Financials. |
| Fiscal Document Generation | ORA_JG_FISCAL_DOCUMENT_GENERATION_DUTY | Security Policy | Privilege | Control the ability to submit, print and void fiscal documents. |
| Payables Management for Brazil | ORA_JL_AP_BRAZIL_MANAGEMENT_DUTY | Security Policy | Privilege | Allows the import and management of Payables collection documents and bank returns as per Brazil country-specific requirements. |
| Receivables Management for Brazil | ORA_JL_AR_BRAZIL_MANAGEMENT_DUTY | Security Policy | Privilege | Allows the creation and management of Receivables collection documents for Brazil country-specific requirements. |
| Geography Administration | ORA_GEO_ADMIN_DUTY | Security Policy | Privilege | Grants privileges to set up geographies. |
| Edit Approval Rules in Oracle BPM Worklist | POR_EDIT_APPROVAL_RULES_IN_BPM_WORKLIST_PRIV (Obsolete 22A) | Security Policy | Privilege to Role | Allows users to edit approval rules in the Oracle Business Process Management Worklist application after using Oracle Procurement Manage Approvals to edit rules. |
| Run File Import Scheduler | ZCA_RUN_FILE_IMPORT_SCHEDULER_PRIV (Obsolete 22A) | Security Policy | Privilege to Role | Allows scheduling and monitoring the process that schedules file import activities. |
| Set Up File Import Activity | ZCA_SET_UP_FILE_IMPORT_ACTIVITY_PRIV (Obsolete 22A) | Security Policy | Privilege to Role | Allows creating and maintaining import activities that contain process criteria, file mapping, and a schedule to import external files containing business objects, such as customers and contacts, into staging tables. |
| Set Up File Import Object and Mapping | ZCA_SET_UP_FILE_IMPORT_OBJECT_AND_MAPPING_PRIV (Obsolete 22A) | Security Policy | Privilege to Role | Allows reviewing and registering business objects, such as sales leads and opportunities, intended for import from external files. Also allows creating and maintaining maps of external source file columns to target staging table columns for use in importing those business objects, such as sales leads, customers, contacts, and sales catalogs. |
| Capture Tax Authority Return Manually | JG_FDG_CAPTURE_TAX_AUTHORITY_RETURN_MANUALLY_PRIV | Security Policy | Privilege to Role | Allows manual capture of the tax authority return, which determines the approval or rejection of the fiscal document. |
| Manage Application Standard Lookup | FND_APP_MANAGE_STANDARD_LOOKUP_PRIV | Security Policy | Privilege to Role | Manage sub-type entities stored in the Application Standard Lookup Values entity. Lookup types are lists of values such as "Days of the Week" or "Yes/No" which can be used to validate column values. |
| Manage Application Flexfield Value Set | FND_APP_MANAGE_FLEXFIELD_VALUE_SET_PRIV | Security Policy | Privilege to Role | Allows management of value sets to validate the content of a flexfield segment. Value sets provide declarative validation for use in application flexfield attributes and key segments. |
| Manage Application Descriptive Flexfield | FND_APP_MANAGE_DESCRIPTIVE_FLEXFIELD_PRIV | Security Policy | Privilege to Role | Allows management of application descriptive flexfields. |
| Set Issue Recording Advanced Options | FND_SET_ISSUE_RECORDING_ADVANCED_OPTIONS_PRIV | Security Policy | Privilege to Role | Allows update of advanced options when recording an issue. |
| Record and View Issue | FND_RECORD_AND_VIEW_ISSUE_PRIV | Security Policy | Privilege to Role | Allows recording and viewing of issues. |
| Submit Purchasing Document Online Bypassing Approval | PO_BYPASS_PURCHASE_ORDER_APPROVAL_ONLINE_PRIV | Security Policy | Privilege to Role | Restricted feature that allows procurement agents to bypass approvals when creating purchase orders or agreements online. Do not use in production environments. |
| BPM Workflow All Domains Administrator Role | BPMWorkflowAllDomainsAdmin | Role Hierarchy | Role Membership | Administer the BPM tasks for all domains and their workflow processes. |
| BPM Workflow Financials Administrator | BPMWorkflowFINAdmin | Role Hierarchy | Role Membership | Administer the BPM tasks for Financials workflow processes. |
| BPM Admin Role | BPMProcessAdmin | Role Hierarchy | Role Membership | BPM application admin role; has full privilege for performing any operation, including security-related ones. |
| BPM Workflow System Admin Role | BPMWorkflowAdmin | Role Hierarchy | Role Membership | BPM Workflow Administrator application role. |
Two caveats before you save the role. Four of these privileges (POR_EDIT_APPROVAL_RULES_IN_BPM_WORKLIST_PRIV and the three ZCA file import privileges) are marked obsolete as of release 22A, so confirm in the Security Console that they still exist and still grant what you expect before relying on them. PO_BYPASS_PURCHASE_ORDER_APPROVAL_ONLINE_PRIV is flagged in its own description as a restricted feature not to be used in production, so remove it from the role before the environment goes live. Don't forget to finish the custom role and the task "Manage Data Role and Security Profiles" as well.

Because none of these entries grants data access (that is handled separately through data roles and security profiles), they can be combined into a single custom role. This keeps the access control setup simple and reduces the number of roles in the system, and keeping data access out of this function-only role limits the number of roles that touch sensitive data.
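The lint below is an added example, not code from this post or from Oracle. It encodes the review a security engineer would do on this role before granting it: the table's entries are embedded as constructed input, the entries the table itself marks "Obsolete 22A" or "Do not use in production environments" are flagged, the two BPM application roles whose descriptions make them cross-domain or security-administrative are flagged for justification, and a production variant of the role is derived. The `obsolete` and `restricted` flags and the `BROAD_APP_ROLES` set are this example's own assumptions, drawn from the table's descriptions.

```python
"""Least-privilege lint for a proposed Oracle Fusion custom job role.

Added example, not code from the post or from Oracle. The entries below are
transcribed from the post's role table; the ``obsolete`` and ``restricted``
flags come from the table's own annotations ("Obsolete 22A" and
"Do not use in production environments").
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RoleEntry:
    name: str
    code: str
    grant_type: str            # "Privilege", "Privilege to Role" or "Role Membership"
    obsolete: bool = False     # assumption: marked "Obsolete 22A" in the table
    restricted: bool = False   # assumption: description says not to use in production


# Constructed sample input: the entries from the post's table.
ROLE_ENTRIES: List[RoleEntry] = [
    RoleEntry("Financials Administration for Brazil", "ORA_JL_BRAZIL_CONFIGURATION_ADMINISTRATION_DUTY", "Privilege"),
    RoleEntry("Fiscal Document Generation", "ORA_JG_FISCAL_DOCUMENT_GENERATION_DUTY", "Privilege"),
    RoleEntry("Payables Management for Brazil", "ORA_JL_AP_BRAZIL_MANAGEMENT_DUTY", "Privilege"),
    RoleEntry("Receivables Management for Brazil", "ORA_JL_AR_BRAZIL_MANAGEMENT_DUTY", "Privilege"),
    RoleEntry("Geography Administration", "ORA_GEO_ADMIN_DUTY", "Privilege"),
    RoleEntry("Edit Approval Rules in Oracle BPM Worklist", "POR_EDIT_APPROVAL_RULES_IN_BPM_WORKLIST_PRIV", "Privilege to Role", obsolete=True),
    RoleEntry("Run File Import Scheduler", "ZCA_RUN_FILE_IMPORT_SCHEDULER_PRIV", "Privilege to Role", obsolete=True),
    RoleEntry("Set Up File Import Activity", "ZCA_SET_UP_FILE_IMPORT_ACTIVITY_PRIV", "Privilege to Role", obsolete=True),
    RoleEntry("Set Up File Import Object and Mapping", "ZCA_SET_UP_FILE_IMPORT_OBJECT_AND_MAPPING_PRIV", "Privilege to Role", obsolete=True),
    RoleEntry("Capture Tax Authority Return Manually", "JG_FDG_CAPTURE_TAX_AUTHORITY_RETURN_MANUALLY_PRIV", "Privilege to Role"),
    RoleEntry("Manage Application Standard Lookup", "FND_APP_MANAGE_STANDARD_LOOKUP_PRIV", "Privilege to Role"),
    RoleEntry("Manage Application Flexfield Value Set", "FND_APP_MANAGE_FLEXFIELD_VALUE_SET_PRIV", "Privilege to Role"),
    RoleEntry("Manage Application Descriptive Flexfield", "FND_APP_MANAGE_DESCRIPTIVE_FLEXFIELD_PRIV", "Privilege to Role"),
    RoleEntry("Set Issue Recording Advanced Options", "FND_SET_ISSUE_RECORDING_ADVANCED_OPTIONS_PRIV", "Privilege to Role"),
    RoleEntry("Record and View Issue", "FND_RECORD_AND_VIEW_ISSUE_PRIV", "Privilege to Role"),
    RoleEntry("Submit Purchasing Document Online Bypassing Approval", "PO_BYPASS_PURCHASE_ORDER_APPROVAL_ONLINE_PRIV", "Privilege to Role", restricted=True),
    RoleEntry("BPM Workflow All Domains Administrator Role", "BPMWorkflowAllDomainsAdmin", "Role Membership"),
    RoleEntry("BPM Workflow Financials Administrator", "BPMWorkflowFINAdmin", "Role Membership"),
    RoleEntry("BPM Admin Role", "BPMProcessAdmin", "Role Membership"),
    RoleEntry("BPM Workflow System Admin Role", "BPMWorkflowAdmin", "Role Membership"),
]

# Assumption drawn from the table's descriptions: these application roles are
# cross-domain ("all domains") or security-administrative ("full privilege ...
# including security related"), so membership needs a written justification.
BROAD_APP_ROLES = {"BPMWorkflowAllDomainsAdmin", "BPMProcessAdmin"}


def lint_role(entries: List[RoleEntry]) -> List[Tuple[str, str]]:
    """Return (reason, code) findings a reviewer should resolve before granting the role."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.obsolete:
            findings.append(("obsolete", e.code))      # verify it still exists and still grants something
        if e.restricted:
            findings.append(("restricted", e.code))    # must not reach production
        if e.grant_type == "Role Membership" and e.code in BROAD_APP_ROLES:
            findings.append(("broad", e.code))         # justify or narrow (e.g. a domain-specific admin role)
    return findings


def production_variant(entries: List[RoleEntry]) -> List[RoleEntry]:
    """The same role with obsolete and production-restricted entries removed."""
    return [e for e in entries if not (e.obsolete or e.restricted)]


def grant_summary(entries: List[RoleEntry]) -> Dict[str, int]:
    """Count entries per grant type; a quick sanity check against the saved role."""
    return dict(Counter(e.grant_type for e in entries))


if __name__ == "__main__":
    for reason, code in lint_role(ROLE_ENTRIES):
        print(f"[{reason}] {code}")
    prod = production_variant(ROLE_ENTRIES)
    print(f"production variant keeps {len(prod)} of {len(ROLE_ENTRIES)} entries")
    print(grant_summary(ROLE_ENTRIES))
```

Run it as a script to see the findings; the "broad" findings are review prompts rather than removals, since the post's setup may genuinely need the all-domains and process-admin memberships during implementation.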
After you've finished creating and assigning these roles, run the following scheduled processes to synchronize access:
Retrieve Latest LDAP Changes
Import User and Role Application Security Data
Send Pending LDAP Requests
Send Personal Data for Multiple Users to LDAP
Retrieve Latest LDAP Changes
It is critical that all user account information be synced from the LDAP directory into the Cloud application; otherwise, you will not see the roles and user accounts in the application.
Import User and Role Application Security Data
This is a key step for system security. The process imports user and role data from LDAP into the Fusion Security Console tables. It also creates a privilege whose name is the job name prefixed with "RUN_", which is what allows users to execute that job from the Scheduled Processes page. Run this process periodically, at least twice a day, so that the latest LDAP changes are reflected in the system and your security data and access control policies stay consistent.
Send Pending LDAP Requests
This process carries out many important account functions in the Cloud application, such as creating, suspending, and reactivating user accounts.
Send Personal Data for Multiple Users to LDAP
All Users: the process sends personal information for all users to the identity store, regardless of whether the information has changed since the last time it was sent.
Changed users only: the process sends only personal information that has changed since the last time it was sent to the identity store (regardless of how it was sent). This is the default setting.
For more details, see the Oracle guide "Securing Sales and Fusion Service".