Oracle HCM Cloud: How to hide full/part of Social Security Number (SSN)

Seeded Human Resources Analyst/Specialist/Manager roles include the following data security policy to get access to manage employee social security number. Hiding full/part of it is most common ask among Oracle HCM Cloud user community. Oracle already have an enhancement request for this ask (Bug 21534753). This blog post will explain steps to do this.


Removing the following data security policies from a copy of seeded role will remove access to manage field. 

Things get complicated, when it needs to show part of it, say for example, last 4 digits of Social for verification purposes.

This requirement can be achived by following these simple steps.

Step#1) 

a) Create a Sandbox, navigate to “Manage Person” page, select “Edit pages” option which is available in “Settings and Actions” and select “Site Level” and click OK. Navigate to the seeded filed in Task Flow and edit the field component to uncheck “Show Component” checkbox as shown below.

b) If the requirement is to show last 4 digits of Social for specific roles, then do not uncheck directly, but use the following EL expression to conditionally not show this field for specific roles.

#{!securityContext.userInRole['CUSTOM_ROLE1,CUSTOM_ROLE2']}

Step#2)

a) Click “+” icon and select Components -> HTML Markup and select Add. Click edit output text and add the following script in “Value” area. Adjust all other properties as needed to match desired look and feel.

<p id="nidCustom"></p>

<script>
var is = "#{row.bindings.NationalIdentifierType.items[row.bindings.NationalIdentifierType.inputValue].label}" + ": XXX-XX-" + "#{row.NationalIdentifierNumber}".slice(-4);
document.getElementById("nidCustom").innerHTML = is;
</script>

b) If you choose to conditionally set this component field in Step#1a, then make sure to edit “Show Component” for this region to show only for specific roles as shown below.

#{securityContext.userInRole['CUSTOM_ROLE1,CUSTOM_ROLE2']}

Hope you find this useful, comment below to let me know.

Regards
Suresh

Oracle HCM Cloud: How to Mass update Work Email Addresses and User Names Format

This is my first blog post on Oracle HCM Cloud related topics. Hope you continue to find them useful. Use comments section below to let me know. 😊

When a new hire is created, or Employee records are converted for the 1^st time using HCM Data Loader (HDL), username creation is based on the settings in Security Console -> Administration -> General tab.

In this screenshot, username creation is set to automatic in the format FirstName.LastName. This setting is applicable to all channels including employee conversions using HDL, hiring a pending worker, entering a new hire record or creating new hire using REST API. Changing this setting to “Email” will mean username format creation by using work email address or personal email address in case of missing work email or FirstName.LastName in case of no email address. This behavior is for future records and existing username formats will remain as they are.

This blog post explains the steps involved in changing the username format from FirstName.LastName to Email format both for existing records. A typical business use case for doing this would be, while enabling Active Directory Bridge (also known as AD bridge) to match user name formats in Enterprise Active Directory. Another use case would be, for Security Administrators to bulk update missing work email addresses and clean up usernames without reassigning the existing roles.

Step1) Obvious step, change the email format to the desired.

Step2) Identify and prepare the list of employees to update using OTBI report with subject area “Workforce Management – Person Real Time”

Step3) Use HDL to update the work email addresses on employee records, using the following columns

UserKey Apporach:

File Name: Worker.dat

METADATA|PersonEmail|SourceSystemOwner|SourceSystemId|PersonId(SourceSystemId)|DateFrom|DateTo|EmailType|EmailAddress|PrimaryFlag

MERGE|PersonEmail|HR_DATA|111111_EMAIL_W1|111111|2018/01/01|4712/12/31|W1|work.email1@enterprise.com|Y

MERGE|PersonEmail|HR_DATA|222222_EMAIL_W1|222222|2017/01/01|4712/12/31|W1|work.email2@enterprise.com|Y

MERGE|PersonEmail|HR_DATA|333333_EMAIL_W1|333333|2016/01/01|4712/12/31|W1|work.email3@enterprise.com|Y

SourceSystemId - Use the format from original loads (format used during initial conversions). If you are not sure about this format, try GUID approach as described below.
PersonId(SourceSystemId) - use “Employee Number” 
DateFrom - use “Enterprise hire Date”

GUID Approach:
If you above format is coming out as error similar to "A parent for this record was not found", try this GUID method to locate the exact records.

METADATA|PersonEmail|EmailAddressId|PersonId|DateFrom|DateTo|EmailType|EmailAddress|PrimaryFlag

MERGE|PersonEmail|HR_DATA|300097545|4005984513|2018/01/01|4712/12/31|W1|work.email1@enterprise.com|Y

MERGE|PersonEmail|HR_DATA|300785431|4005391594|2017/01/01|4712/12/31|W1|work.email2@enterprise.com|Y


MERGE|PersonEmail|HR_DATA|300037898|4005788205|2016/01/01|4712/12/31|W1|work.email3@enterprise.com|Y

Alternate Approach:
Well, that isn't helping either? Try Spreadsheet loader by creating a new spreadsheet template using My Client Groups -> Data Exchange -> tasks -> Manage Spreadsheet Templates area.

Business Object: Worker
Supported Action: Create and update

Select the following columns:

Preview template to download excel and enter details:
Note - "Date From" here is enterprise hire date.

Step4) Use HDL to submit request to update user name

File Name: User.dat

METADATA|User|PersonNumber|Username|CredentialsEmailSent

MERGE|User|111111|work.email1@enterprise.com|Y

MERGE|User|222222|work.email2@enterprise.com|Y

MERGE|User|333333|work.email3@enterprise.com|Y

Step5) Submit a scheduled job “Send Pending LDAP Requests” from Navigator -> Scheduled Processes -> Schedule New Process

EBS: Learning Management: How to setup learner access to restrict courses specific to Managers

Major organizations do offer courses specific to managers, to help them align with their learning path goals. Allowing such courses to be viewed and enrolled by managers only, is an extremely desirable feature of OLM. This desirable functionality, not only stream lines the enrollment process but also saves time for instructors and admins to filter/reject the enrollments that are not managers. Unfortunately, OLM don’t directly support this functionality. This article will discuss a workaround to meet such a business need.

"Learner Access" is a feature of Oracle E-Business Suite Learning Management module, that allows the users to restrict the courses/offerings/classes for targeted groups. Another cool feature of Learner access is, it inherits down in hierarchy, for example, you can choose to inherit restriction for all classes of an offering by just setting up learner access at offer level. Definition of Learner Group may include "Assignment", "Learner", "Eligibility Profile" and "Learner Group" itself.

Assignment/Learner - This option enables you to pre-define a static list and offer courses for a specific set: Suitable to meet requirements like.... courses for executive board members etc...

Learner Group - This option enables reusability of existing groups: Best to meet multiple restrictions together like, courses offered specially for department 101 and full-time staff. 

Eligibility Profile - This option offers greater flexibility to define eligibility based on majority of fields related to personal, employment and derived factors.

OLM version of "Eligibility Profile" form has a lot of restrictions, despite the fact that it uses the same form as Advanced Benefits (OAB) and Performance Management (OPM) modules. For example, it won't allow to write a custom rule based on Fast Formula and include it in learner access eligibility profile. This enhancement is acknowledged by Oracle and documented as part of Note 1640607.1

Fortunately, this form, does include "Assignment set" option. This option can be used as a workaround and code any custom requirement in assignment set formula by writing new package using PL/SQL. Following picture try to summarize how this can be done.

Step1) "Assignment Set" defined based on a "Criteria", internally generates a Fast Formula. We will leverage this functionality and create an assignment set first and edit the generated formula later. Create assignment set using any HRMS manager responsibility and add a dummy criterion, as shown below in "Criteria" tab and click on "Generate" button. Make sure assignment set name doesn't include any spaces to avoid potential errors.

Step2) Navigate to Total Compensation -> Basic -> Fast Formula and open "Formula Functions" form and create a new function with the details as shown below. Also add the contexts "assignment_id" and "date_earned"

Step3) Navigate to Total Compensation -> Basic -> Fast Formula and open "Write Formula" and search with the assignment set name created in Step-1. A formula should have already created with the same name. Click Edit and copy paste the following code.

INPUTS are INCLUDE_FLAG (text)

INCLUDE_FLAG = XX_is_valid_manager()

RETURN INCLUDE_FLAG

Step4) Now write PL/SQL code to match your custom requirement. Here is a code snippet for checking the manager in Supervisor hierarchy for our example.

Step5) Define an eligibility Profile based on this assignment set, by navigating to Learning Administrator -> Learning Administration -> Maintain Eligibility profiles

Step6) Define a learner group based on this eligibility profile, by navigating to Learning Administrator -> Setup Administration -> Groups -> Learner Groups and define a new one or edit existing to add eligibility profile created in previous step. Your learner group is now ready, use it wherever you need. You may need to click “Process Eligibility profiles for Learner Group” button before using it, which will execute the FF and identify the managers. You may also review the identified managers from “View Members” on eligibility profile page.

My colleagues Anand, Jason and I together discovered this solution. 😊

Do you find this topic useful? Comment below to let me know.

Thanks

Suresh

EBS iRecruitment: Disable Vacancy Editing for Hiring Managers

Majority of organizations go through 1-level or 2-level approval process before publishing the vacancies/requisitions in external websites and job portals. Once applicants start applying for vacancy, hiring managers/recruiters take over and manage application details/statuses. And there is no need to edit vacancy details once it is published. Have you ever wanted to disable vacancy edit options for hiring managers? Well, you are not alone, many of them wish the same and you will know how after reading this article.

First thought to address such a requirement, is to try using OA page personalizations to hide the update buttons and icons. Well, if you take this road, you will soon realize, it may not be a good idea.

Vacancy in iRecruitment module can be edited at couple of different places, one using the pencil icon after searching for vacancy and another using "update" button upon clicking on vacancy name.

Seeded functionality of vacancy update options is based on function security and works on SPEL syntax as shown below. i.e OA page at runtime, checks the function availability "IRC_VAC_DETS_EDIT" and enable/disable vacancy update options.

Here is a simple trick to do this. Navigate to System Administrator -> Security -> Responsibility -> Define screen and query for your responsibility and add a new entry in "Menu Exclusions" sub tab at the bottom section of the form.

Exclusion Type: Function

Exclude Functions:

- Irc CM Home Page Create Vacancy

- Irc Vacancy Details – Create

- Irc Vacancy Details - Edit

You might have to clear global cache from Functional Admin for this change to take immediate affect. This is how pages looks like after adding exclusions.

Is this helpful? Comment below to let me know.

Thanks

Suresh

EBS iRecruitment: How to restrict application search and view for specific responsibility

It’s very common for businesses to show or hide applications for certain responsibilities. This may be due to data security/privacy concerns OR to enable role separations in larger organizations. For example, a typical organizational practice for hiring managers to access qualified applications ONLY and hide dis-qualified/active applications, whereas, recruiters can view and manage all applications. This blog post will discuss how to address such requirements in iRecruitment.

Basics First:

Let's say, a candidate is registered and applied for open vacancies in iRecruitment portal. His/her personal details will be stored on person record of type "Applicant" and assignment is created for tracking application details such as application status - say change from active application to qualified or hire or rejection or work preferences or questionnaire responses. Application details can also be visible in core forms, using person form -> Others button -> Applications.

Seeded assignment statuses may not always be sufficient for organizational needs and new statuses are created using "Assignment Statuses" screen. Multiple user statuses can be mapped to one external or system status. External statuses are visible to applicants, whereas system statuses are used by iRec to enable certain features.

Just for our discussion today, let's assume the following statuses.

 And assume a test applicant, who applied for 3 different vacant positions. One of the applications is qualified, second one is disqualified and third one is still under consideration.

Approach-1: Restriction based on Security Profile

Hiring manager for asset specialist vacancy in the above example, should be able to see the applicant's details/work preferences/questionnaire responses for this vacancy ONLY and don't need to know about the other 2 applications. Security Profile can be used to apply this restriction. This approach will completely hide the application info from vacancy search and view candidate details page (applications sub tab).

• To activate security profile, the following profile options should be set first.

Profile Option	Value	Level
HR: Enable RTM Security	No	Responsibility
IRC: Show Applications	Restrict On Assignment Security	Responsibility
HR: Security Profile	Select the security profile from the list	Responsibility

•  Next, navigate to HRMS Manager -> Security -> Profile form and create a new/edit existing security profile as per options shown below. Don't forget to select "Restrict" applicants and check the box that says, "Restrict on Individual Assignments".

  

      ASSIGNMENT.assignment_status_type_id in

          (SELECT irc.assignment_status_type_id

           FROM irc_assignment_statuses  irc,

                per_assignment_status_types past

           WHERE irc.assignment_id = ASSIGNMENT.assignment_id

             AND irc.assignment_status_type_id = past.assignment_status_type_id

             AND UPPER(past.user_status) NOT IN ('ACTIVE APPLICATION', 'APPLICANT NOT QUALIFIED')

             AND assignment_status_id =

                   (SELECT MAX(assignment_status_id)

                    FROM irc_assignment_statuses

                    WHERE assignment_id = irc.assignment_id) )

If the additional clause in "Custom Security" tab is valid, it is automatically incorporated in a SQL select statement that system generates to restrict access to records, based on the restrictions you have set up in the other tabbed regions. The list of employees, contingent workers, and applicants specified by these other restrictions is therefore further restricted by the custom restriction. The clause fits into the system-generated statement in the following way (this statement is not visible on screen):

SELECT

    1

FROM

    per_all_assignments_f ASSIGNMENT,

    per_all_people_f PERSON,

    per_person_type_usages_f PERSON_TYPE

WHERE

    assignment.assignment_id =:asg_id

    AND :effective_date BETWEEN ASSIGNMENT.effective_start_date

           AND ASSIGNMENT.effective_end_date

      AND PERSON.person_id=ASSIGNMENT.person_id

      AND :effective_date BETWEEN PERSON.effective_start_date

           AND PERSON.effective_end_date

      AND PERSON.person_id=PERSON_TYPE.person.id

    AND :effective_date BETWEEN PERSON_TYPE.effective_start_date

            AND PERSON_TYPE.effective_end_date

    AND {your custom where clause fragment goes here}

• Run the program "Security List Maintenance" for this specific security profile

Security Profile should be activated now. Screenshot of candidate details page before restriction.

Candidate details page after restriction

Approach-2: Restriction by modifying seeded instance set

This method can be used to restrict the view/search on "Applications by Vacancy" page. It won't work for restricting in Candidate Details page.

iRec has a seeded grant that includes object instance set "Instance set to Restrict Applicant Search". This can be changed to add predicate condition using "Functional Developer" -> Security -> Objects and query for "Object to Restrict Applicant Search", go to "Object Instance Sets" sub tab.

(

    (fnd_global.RESP_NAME = 'IRC Hiring Manager'

        AND

     HR_GENERAL.get_user_status(&TABLE_ALIAS.assignment_status_type_id) in ('Applicant Qualified')

    )

    OR

    (fnd_global.RESP_NAME <> 'IRC Hiring Manager'

     AND

    &TABLE_ALIAS.PER_SYSTEM_STATUS in ('ACTIVE_APL','TERM_APL','OFFER','INTERVIEW1','INTERVIEW2','ACCEPTED','ACTIVE_ASSIGN')

    )

)

Note that, this predicate condition applies to all IRC responsibilities, so be sure to write an if-else kind of restriction as shown above. Lastly, assign this grant to the required responsibility/user to activate this restriction.

Do you find this post useful? Comment down below to let me know.

References:

394083.1 - Understanding and Using HRMS Security in Oracle HRMS

1668082.1 - Oracle iRec: Creating Data Filters for Applicant Search based on the Assignment System Status

Oracle EBS Browser Support Update for Mozilla Firefox

Mozilla Firefox browser has been my favorite for years on my Windows Laptop. It simply works the way it is supposed to and almost never had a problem. It also worked seamlessly with EBS Forms and I am sure thousands of EBS users also loved using it. Well, you know what I am about to say, Firefox officially ended support for Netscape Plugin API (NPAPI) plugins starting Version 52.0.

This is not a good news for a lot for EBS Forms users. Forms are based on NPAPIs – an application programming interface that allows plugins to be developed for web browsers.

Well, by following these steps in article, you can continue to use EBS Forms in Firefox. This method is least recommended because it will ask you to downgrade your browser version and disable automatic updates.

First, uninstall the browser from your machine. You may do this from “Add and remove programs”

Next, download firefox Version 51.0.1 from this link. This is the official browser version before V52, excluding the nightly builds. It's a direct link from mozilla archives, so you can trust the download. Remember to download 32-bit version of installer, even if your machine is 64-bit. Only 32-bit JREs are supported to work with Oracle Forms.

Verify the version, once you are done.

The very first thing to do after installing, is to disable automatic updates. Go to Options -> Advanced -> Update and select “Never Check for Updates (not recommended: security risk)” option. That’s it, you are all set. Hope you rediscover the good old days. ☺

Leave a comment to tell me, if it works for you as well.