Wednesday, August 15, 2018

Ya Gotta Water The Garden

With his love
And his carin'
He puts his life
Into beauty sharin'
And his children
Are his flowers
There to give us peace
In quiet hours

And I'll do anything I got to do
Cut my hair and shine my shoes
And keep on singin' the blues
If I can stay here in Johnny's garden

                         - From "Johnny's Garden" by Stephen Stills

We're getting down into the weeds today...

Every gardener knows: once you plant a garden, you need to invest time and energy in maintenance so that your garden will flourish.  Weeding, fertilizing, watering, trimming, amending the soil... it takes carefully planned time and effort.

It's the same concept when you start to extend and customize packaged software.  It's not building the extension or customization that represents the big investment.  It's the maintenance as new versions and updates of that packaged software roll out.

I'm living this right now.  As many of you readers already know, the Oracle HCM Cloud team rolled out the latest update (18B) last weekend to the first wave of customers in their stage pods.  And I've been spending most of my energy this week helping many of those customers work through issues that relate to custom security roles.  We give users the ability to create custom security roles.  And many customers take advantage of this functionality.  But what I often find is that maintenance is a substantial stumbling block.  This mostly crops up like "I can't count the number of fuzzy navels in my workforce anymore.  I could before last weekend, but it's been broken since the update was applied."  I ask if it works when using an account with a seeded security role rather than a custom security role.  And, more often than not, the answer is "yes".  Which takes us back to the idea that those custom security roles need maintenance.

Very often, when we roll out updates to Oracle HCM Cloud applications, the updates include new functionality.  And part of offering that new functionality is securing it, so that only those authorized to use the functionality and see the data have access.  And this often shows up in the form of new security privileges of some type.  And, because the architecture is very intertwined, existing functionality is also affected.

When we introduce new security privileges, we typically add those new privileges to the seeded roles as appropriate (new Payroll security privileges get applied to the Payroll Manager role... that sort of thing).  But what we can't do, because we can't anticipate every custom role every user might create, is match and add these new security privileges to custom roles.  So users have to add these new privileges to the custom roles on their own.  It's part of maintaining custom roles.  Just like maintaining a garden, custom security roles (much like all extensions and customizations) need maintenance in order to continue working effectively.

Maintaining those custom security roles can become important when we roll out a bushel basket of new privileges necessary to secure new functionality.  And that's definitely the case as we've moved from R12 to R13 in the HCM Cloud.  Lots of new stuff, which in turn means lots of new security.  So there has been a significant bit of maintenance for custom security roles as we've progressed through 17D, 18A and now 18B.  Which means customers need to plan their security maintenance and execute on that plan.  Fortunately, Oracle has a guide to help customers plan out and execute that maintenance.

Most gardeners have some type of reference book they rely on:  The Farmer's Almanac, a regional gardening guide, or something similar.  And we offer something similar for customers maintaining custom security roles.  Oracle Support Document ID 2023523.1, "Upgrading Applications Security in Oracle HCM Cloud", includes an R13 Upgrade Security Guide that walks you through all the new security privileges, what they do, and which seeded role includes each new privilege as part of the update (which gives readers a clue on how to apply the new privileges to their custom roles).  It even includes a set of appendices showing the reader how to do what needs to be done.  Highly recommended reading.
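The cross-check between that mapping and your own custom roles can be scripted. The following is an added example, not code from this post or from Oracle: it takes a privilege-to-seeded-role mapping of the kind the guide provides and lists, for each custom role, the new privileges still awaiting a decision. The role names, privilege codes and data layout are all constructed placeholders.

```python
# Added example. Role names and privilege codes are constructed placeholders,
# not real Oracle HCM Cloud identifiers or an Oracle export format.

UPDATE_ORDER = ["17D", "18A", "18B"]

# update -> {new privilege -> seeded roles that received it in that update}
NEW_PRIVILEGES = {
    "17D": {"EX_PRIV_A": {"Payroll Manager"}},
    "18A": {"EX_PRIV_B": {"Payroll Manager", "HR Specialist"}},
    "18B": {"EX_PRIV_C": {"Payroll Manager"}, "EX_PRIV_D": {"HR Specialist"}},
}

# Custom role -> seeded role it was modelled on, privileges it holds today,
# and privileges that were reviewed and deliberately left out.
CUSTOM_ROLES = {
    "Custom Payroll Clerk": {"based_on": "Payroll Manager",
                             "privileges": {"EX_PRIV_BASE", "EX_PRIV_A"},
                             "declined": {"EX_PRIV_B"}},
    "Custom HR Analyst": {"based_on": "HR Specialist",
                          "privileges": {"EX_PRIV_BASE", "EX_PRIV_B", "EX_PRIV_D"},
                          "declined": set()},
    "Custom Payroll Auditor": {"based_on": "Payroll Manager",
                               "privileges": {"EX_PRIV_BASE"},
                               "declined": set()},
}


def review_candidates(custom_roles, new_privileges, update_order):
    """Return {custom role: {update: [privileges to review]}}.

    A privilege is a candidate when the role's seeded counterpart received it
    in that update and the custom role neither holds it nor has declined it.
    Nothing is granted automatically: each candidate still needs a decision.
    """
    report = {}
    for name, role in custom_roles.items():
        handled = role["privileges"] | role["declined"]
        for update in update_order:
            missing = sorted(
                priv
                for priv, seeded_roles in new_privileges.get(update, {}).items()
                if role["based_on"] in seeded_roles and priv not in handled
            )
            if missing:
                report.setdefault(name, {})[update] = missing
    return report
```

Recording declined privileges keeps a role that was narrowed on purpose from being flagged again after every update, and keeps the review from turning into a blanket copy of the seeded role.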

So today's message:  just as gardeners must maintain a flourishing garden, so must HCM Cloud customers maintain their extensions and customizations.  Security roles are just one example, although a pertinent one because I've been dealing with it all week.

Maintenance is easy when you do it consistently.  And it keeps the garden in good shape.  Read the gardening book and do what it says when it says to do it.  Read the Security Upgrade Guide and do what it says when it says to do it.  And your garden will flourish.

Something to share on this topic?  Plant your seeds in the comments.
