Introduction
Person Security Profile in Oracle Fusion HCM is one of the most critical configurations in controlling data security and access management within the Human Capital Management module. In any real-time implementation, one of the first concerns from business stakeholders is: “Who can see which employee data?”
From my consulting experience across multiple Oracle Fusion HCM (26A) implementations, Person Security Profiles play a central role in ensuring data privacy, compliance (like GDPR), and role-based access control.
Whether you’re implementing Core HR, Absence Management, Payroll, or Talent modules, understanding Person Security Profiles is not optional—it is foundational to system security design.
What is Person Security Profile in Oracle Fusion?
A Person Security Profile defines which person records a user can access in Oracle Fusion HCM.
It works in combination with:
Data Roles
Job Roles
HCM Data Security Policies
In simple terms:
A Person Security Profile answers the question:
“Which employees (persons) can this user see in the system?”
Example
HR Manager → Can see employees in their Business Unit
Line Manager → Can see only direct and indirect reports
Payroll Admin → Can see all employees in a Legal Employer
Key Features of Person Security Profiles
1. Flexible Data Access Control
Control access by:
Business Unit
Legal Employer
Department
Position
Supervisor hierarchy
2. Secure by Design
Supports row-level security
Prevents unauthorized access to sensitive employee data
3. Predefined & Custom Profiles
Oracle provides predefined profiles
Consultants can create custom profiles based on business needs
4. Integration with Roles
Used within Data Roles
Attached to users via security provisioning
5. Supports Advanced Filtering
Use:
Person Types (Employee, Contingent Worker)
Assignment Status
Custom SQL predicates (advanced use cases)
Real-World Business Use Cases
Use Case 1: HR Business Partner Access Control
Scenario:
An HRBP should only access employees within their assigned Business Unit.
Solution:
Create Person Security Profile filtered by Business Unit
Assign it via Data Role
Use Case 2: Manager Hierarchy Access
Scenario:
Managers should see only their reporting employees.
Solution:
Use “Manager Hierarchy” access option
Automatically restrict access based on reporting structure
Use Case 3: Payroll Processing Security
Scenario:
Payroll team should access only employees of a specific Legal Employer.
Solution:
Create Person Security Profile based on Legal Employer
Assign it to Payroll Data Role
Configuration Overview
Before creating a Person Security Profile, ensure the following setups are completed:
| Setup Area | Description |
|---|---|
| Enterprise Structure | Business Units, Legal Employers defined |
| Workforce Structures | Departments, Positions |
| Person Records | Employees loaded |
| Security Roles | Job Roles created |
| Data Roles | Required for assigning security |
Step-by-Step Configuration in Oracle Fusion
Step 1 – Navigate to Person Security Profile Task
Navigation:
Navigator → Setup and Maintenance →
Search: Manage Person Security Profiles
Step 2 – Create Person Security Profile
Click Create
Enter:
Name: HR_BU1_Profile
Description: Access to BU1 employees
Step 3 – Select Secure By Options
Choose how to restrict access:
Common Options:
Business Unit
Legal Employer
Department
Manager Hierarchy
Example:
Secure by: Business Unit
Business Unit: Vision Operations
Step 4 – Include/Exclude Criteria
You can refine access further:
Person Type: Employee
Assignment Status: Active
Step 5 – Advanced Criteria (Optional)
Use SQL-based filtering for complex scenarios.
Example:
Filter employees based on custom attribute
⚠️ Tip: Use advanced filters carefully—can impact performance.
Step 6 – Save and Close
Click Save and Close
Your Person Security Profile is now created.
Step 7 – Assign to Data Role
Navigation:
Navigator → Setup and Maintenance →
Task: Manage Data Roles and Security Profiles
Steps:
Create Data Role
Attach:
Job Role
Person Security Profile
Assign to user
Testing the Setup
After configuration, always validate.
Step 1 – Login as Test User
Use a user assigned with the new Data Role.
Step 2 – Navigate to Person Management
Navigator → My Client Groups → Person Management
Step 3 – Search Employees
Test Cases:
| Scenario | Expected Result |
|---|---|
| Employee within BU | Visible |
| Employee outside BU | Not visible |
| Inactive employee | Based on filter |
Step 4 – Validate Security
Check:
Person search results
Assignment details access
Absence, payroll visibility
Common Implementation Challenges
1. Users Seeing No Data
Cause:
Incorrect security profile assignment
Fix:
Validate Data Role mapping
2. Overexposed Data
Cause:
Using “All People” access unintentionally
Fix:
Restrict filters properly
3. Performance Issues
Cause:
Complex SQL predicates
Fix:
Optimize filters and avoid unnecessary conditions
4. Incorrect Manager Hierarchy
Cause:
Supervisor hierarchy not properly defined
Fix:
Validate line manager assignments
Best Practices from Real Implementations
1. Always Use Least Privilege Principle
Give only required access—never full access by default.
2. Use Naming Conventions
Example:
PS_BU_HR_INDIA
PS_LE_PAYROLL_US
This helps in maintenance and audits.
3. Avoid Overusing “All Workers”
Use only when absolutely necessary (e.g., system admin roles).
4. Test with Multiple Scenarios
Test:
Different users
Different roles
Edge cases
5. Document Security Design
Maintain:
Security matrix
Role mapping
Access definitions
This is critical during audits.
Summary
Person Security Profiles in Oracle Fusion HCM are the backbone of data security and access control.
In real-world projects, improper configuration can lead to:
Data leaks
Compliance issues
Business disruptions
When implemented correctly, they ensure:
Secure access
Role-based visibility
Compliance with global data regulations
As a consultant, mastering this topic will significantly improve your ability to design secure and scalable HCM solutions.
Frequently Asked Questions (FAQs)
1. What is the difference between Person Security Profile and Data Role?
Person Security Profile → Defines which employees can be accessed
Data Role → Combines job role + security profiles and assigns access to users
2. Can we restrict access based on Department?
Yes. You can configure Person Security Profile using Department as a filter.
3. What happens if no Person Security Profile is assigned?
User will either:
See no data
ORGet access based on default/global profile (depending on role)
Oracle Documentation Reference
For deeper understanding, refer to Oracle’s official documentation:
https://docs.oracle.com/en/cloud/saas/human-resources/26a/index.html