Security Sets and Security Access Types

A security set is a grouping of data that is being secured. The sets differ by the origin of the transaction security data.
Security access types are ways of securing the data within a security set. Each security set has a number of security access types that you can choose to enable. 

Security sets and their security access types:

PPLJOB (People with Jobs)
  • Job Department Tree (001)
  • Job Location (002)
  • Job Business Unit (003)
  • Job Company (004)
  • Job Reg Region (005)
  • Job Salary Grade (014)
  • Person Organization (015)
  • Job - Deptid - non Tree (025)
  • Job - Company/Paygroup (032)

PPLUSF (People with USF Jobs)
  • US Federal Department Tree (016)
  • US Federal Location (017)
  • US Federal Company (018)
  • US Federal Business Unit (019)
  • US Federal Salary Grade (020)

PPLPOI (POI without Jobs)
  • POI Business Unit (006)
  • POI Location (007)
  • POI Institution (008)
  • Person of Interest (009)

DEPT (Departments)
  • Departments by Tree (021)
  • Departments - non Tree (022)
  • Departments by Setid (023)

RSOPN (Job Openings)
  • RS Company (010)
  • RS Business Unit (011)
  • RS Dept Id (012)
  • RS Location (013)
  • Recruiting Team (031)

Note: Security administrators can only assign data permission using the security access types that are enabled.

HCM Security Process Flow


To set up HCM data permission:
  1. Set up permission lists in the PeopleTools pages.
  2. Set the security installation settings on the Security Installation Settings component.
  3. Review security sets on the Security Set Table component.
  4. Enable security access types on the Security Access Type component.
  5. Assign data permission to permission lists:
    • If you are using tree-based security access types, set up a security tree, assign data permission on the Security by Dept Tree component, and refresh SJT_CLASS_ALL.
    • If you are using non-tree based security access types, assign data permission on the Security by Permission List component.
  6. Assign permission lists to users (by way of roles if you are using role-based permission lists or directly to the user profile if you are using row security permission lists).
  7. Refresh SJT_OPR_CLS.

Refreshing SJT Tables
  • Nightly SJT Refresh Process (SCRTY_SJTDLY): Update the SJT Transaction records to capture effective dated entries that have just become current.
  • Refresh Trans. SJT tables (SCRTY_SJTUPD): Refresh the Transaction side Security Join Tables.
  • Refresh SJT_CLASS_ALL (SCRTY_CLSUPD): Refresh the Operator Security Join Table.
  • Refresh SJT_OPR_CLS (SCRTY_OPRCLS): Refresh the Security Join Table that contains the Operator and Classid data. 

HCM Security: Core Security Views

Components Storing All Person Types (* Includes Future Dated Rows)

| Type | Security View | Rows Returned |
|---|---|---|
| *Component search view | PERALL_SEC_SRCH | One row per EMPLID and distinct search items. |
| SQR view | PERALL_SEC_SQR | One row per EMPLID. |
| Query view | PERALL_SEC_QRY | One row per EMPLID. |

Components Storing People With Jobs 

| Type | Security View | Rows Returned |
|---|---|---|
| *Component search view | PERS_SRCH_GBL | One row per EMPLID and EMPL_RCD combination, effective date, and distinct search items. |
| *Component search view | PERS_SRCH_EMP | One row per EMPLID for employees only. |
| Component search view | PERS_SRCH_CURR | One row per EMPLID. |
| SQR view | FAST_SQR_SEC_VW | One row per EMPLID. |
| Query view | PERS_SRCH_QRY | One row per EMPLID. |
| Prompt view | EMPL_ACTV_SRCH | One row per EMPLID for people with current, active (as of the system date) job records. |
| Prompt view | WORKER_PROMPT | One row per EMPLID for employees and contingent workers with current, active (as of the effective date of the component) job records. |

Components Storing People With Potentially More Than One Job Data Record

| Type | Security View | Rows Returned |
|---|---|---|
| *Component search view | EMPLMT_SRCH_GBL | One row per EMPLID and EMPL_RCD combination, effective date, and distinct search items. |
| *Component search view | EMPLMT_SRCH_EMP | One row per EMPLID and EMPL_RCD combination for employees only. |
| *SQR view | FAST_SQRFUT_SEC | One row per EMPLID. |
| SQR view | FAST_SQR_SEC_VW | One row per EMPLID and EMPL_RCD combination. |
| Query view | EMPLMT_SRCH_QRY | One row per EMPLID and EMPL_RCD combination. |
| Prompt view | PERJOB_PROMPT | One row per EMPLID for people with current, active (as of the effective date of the component) job records. |

Components Storing People Without Jobs

| Type | Security View | Rows Returned |
|---|---|---|
| Component search view | POI_SEC_SRCH | One row per EMPLID, POI_TYPE and distinct search items. |
| SQR view | POI_SEC_SQR | One row per EMPLID and POI_TYPE. |
| Query view | POI_SEC_QRY | One row per EMPLID and POI_TYPE. |

HCM Security: Data Security

Data permission is controlled using Transaction Security Data and User Security Data. 

Transaction Security Data
Certain transaction fields on a transaction data row are used to secure access to that row. The data in these fields is called transaction security data. 
When the value of the transaction security data matches the value that a user can access (user security data), the system makes the entire row of data available to the user.

Transaction components, records, and the fields available for transaction security data, by data type:

Departments
  Transaction component: Departments component (DEPARTMENT_TBL)
  Record: PS_DEPT_TBL
  Fields available for transaction security data:
  • SetID
  • Department

Job openings
  Transaction component: Job Opening page (HRS_JO_360)
  Record: PS_HRS_JOB_OPENING
  Fields available for transaction security data:
  • Company
  • Business Unit
  • DeptID
  • Location

Employees, contingent workers, and POIs with jobs
  Transaction components:
  • Add Employment Instance component (JOB_DATA_EMP)
  • Add Contingent Worker Instance component (JOB_DATA_CWR)
  • Add POI Instance component (JOB_DATA_POI)
  • Job Data component (JOB_DATA)
  Record: PS_JOB
  Fields available for transaction security data:
  • Organizational Relationship (employee, contingent worker, or POI)
  • Regulatory Region
  • Company
  • Business Unit
  • Department
  • Location
  • Salary Plan
  • Pay Group (for customers using Payroll for North America)

POIs without jobs
  Transaction components:
  • Add a POI Relationship component (PERS_POI_ADD)
  • Maintain a Person's POI Reltn component (PERS_POI_MAINTAIN)
  Record: PS_PER_POI_SCRTY
  Fields available for transaction security data:
  • POI Type
  • POI Type and Business Unit
  • POI Type and Institution
  • POI Type and Company

Note: If a person is created without a job data record or POI type record, the system will save the person as a POI without job with a POI Type of Unknown. 
Only users with data permission access to unknown POIs can access their data and create either a job data or POI type record for them.


User Security Data
User security data enables the system to ensure that users can access only the data to which you have granted them access. Data permission is granted to row security (tree-based) permission lists (ROWSECCLASS) and regular (role-based) permission lists (CLASSID).
Note: When you add a permission list to the Security by Dept Tree component, the system saves it as ROWSECCLASS. The row security permission list is assigned to users in the Row Security field (User Profile - General page).
Note: You can use the same permission list as both a row security permission list and a role-based permission list by adding it to both the Security by Dept Tree component and the Security by Permission List component, and then assigning it to the user both on the User Profile - General page and by way of roles.

| Data Type | Security Page | Record |
|---|---|---|
| Row security permission lists | Security by Dept Tree page | SCRTY_TBL_DEPT |
| Role-based permission lists | Security by Permission List page | SJT_CLASS |
| Permission lists assigned to roles | Roles - Permission Lists page | PSROLECLASS |
| Roles assigned to users | User Profile - Roles page | PSROLEUSER |
| Row security permission lists assigned to users | User Profile - General page | PSOPRDEFN |

Note: Data from PSROLECLASS, PSROLEUSER, and PSOPRDEFN is loaded into SJT_OPR_CLS either automatically by the system, when you enable the USER_PROFILE and ROLE_MAINT messages, or when the Refresh SJT_OPR_CLS process is run.
Also, data from SCRTY_TBL_DEPT and SJT_CLASS is loaded into SJT_CLASS_ALL when the Refresh SJT_CLASS_ALL process is run.
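
Because SJT_OPR_CLS is a copy of the user-to-permission-list assignments, a role removed from a user keeps granting data access until that copy is refreshed. The following added example (not Oracle's code) models the records above in an in-memory SQLite database and reports drift between SJT_OPR_CLS and its sources. The column layouts are simplified assumptions, the permission list, role and user names are constructed, and refresh() is only a stand-in for the Refresh SJT_OPR_CLS process.

```python
import sqlite3

# Simplified, assumed column layouts for the records named on this page.
SCHEMA = """
CREATE TABLE PSOPRDEFN   (OPRID TEXT, ROWSECCLASS TEXT);
CREATE TABLE PSROLEUSER  (ROLEUSER TEXT, ROLENAME TEXT);
CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
CREATE TABLE SJT_OPR_CLS (OPRID TEXT, CLASSID TEXT);
"""

# What SJT_OPR_CLS should hold: role-based lists plus row security lists.
EXPECTED = """
SELECT ru.ROLEUSER AS OPRID, rc.CLASSID
  FROM PSROLEUSER ru JOIN PSROLECLASS rc ON rc.ROLENAME = ru.ROLENAME
UNION
SELECT OPRID, ROWSECCLASS FROM PSOPRDEFN WHERE TRIM(ROWSECCLASS) <> ''
"""

def build_sample():
    """Constructed data: JDOE lost role HR_ADMIN and ASMITH gained HR_VIEWER
    after the last refresh, so SJT_OPR_CLS is out of date in both directions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO PSOPRDEFN VALUES (?,?)",
                     [("JDOE", "DP_DEPT_100"), ("ASMITH", " ")])
    conn.executemany("INSERT INTO PSROLECLASS VALUES (?,?)",
                     [("HR_ADMIN", "DP_ALL_JOBS"), ("HR_VIEWER", "DP_BU_US001")])
    conn.executemany("INSERT INTO PSROLEUSER VALUES (?,?)",
                     [("ASMITH", "HR_VIEWER")])
    conn.executemany("INSERT INTO SJT_OPR_CLS VALUES (?,?)",
                     [("JDOE", "DP_DEPT_100"), ("JDOE", "DP_ALL_JOBS")])
    return conn

def drift(conn):
    """Return (stale, missing): rows only in SJT_OPR_CLS, rows only in the sources."""
    expected = set(conn.execute(EXPECTED).fetchall())
    actual = set(conn.execute("SELECT OPRID, CLASSID FROM SJT_OPR_CLS").fetchall())
    return sorted(actual - expected), sorted(expected - actual)

def refresh(conn):
    """Stand-in for the Refresh SJT_OPR_CLS process: rebuild from the sources."""
    conn.execute("DELETE FROM SJT_OPR_CLS")
    conn.execute("INSERT INTO SJT_OPR_CLS " + EXPECTED)

if __name__ == "__main__":
    conn = build_sample()
    print("before refresh:", drift(conn))
    refresh(conn)
    print("after refresh: ", drift(conn))
```

Stale rows are the ones to review first, since they represent data access that the source tables no longer grant.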