A user logs into Oracle Fusion and cannot see the menu items, pages, or functions they need. Maybe the Navigator is missing the “Payables” work area entirely. Maybe they can see the page but get an “Insufficient Privileges” error when they try to do anything. Maybe they had access yesterday and it disappeared after a quarterly update. Whatever the specific symptom, the root cause is always the same: the user’s security configuration does not grant them the access they need.

Oracle Fusion uses a fundamentally different security model than Oracle EBS. There are no “responsibilities” in the EBS sense. Instead, Fusion uses a role-based access control (RBAC) model with multiple layers: abstract roles, job roles, duty roles, data security policies, and HCM security profiles. When any layer is misconfigured, the user loses access. Here is how to diagnose and fix each layer.

Step 1: Verify the User Account Is Active

Before diving into role configuration, confirm the basics. Navigate to Security Console (Navigator > Tools > Security Console) and search for the user.

  • Is the user account active? If the account is locked or suspended, the user can log in but will have severely restricted access. Check the account status and unlock if necessary.
  • Is the user linked to a person record? In Oracle Fusion, user accounts are linked to HCM person records. If the link is broken (which can happen during data migration or after certain HCM transactions), the user account will not inherit role assignments that are provisioned through HCM.
  • Is the person record active in HCM? If the employee was terminated or their assignment ended, their user account may have been automatically deactivated or their roles may have been automatically removed by the role provisioning process.

Step 2: Check Role Provisioning

Oracle Fusion provisions roles to users through two mechanisms: manual role assignment in Security Console and automatic role provisioning based on HCM job/position assignments. Both mechanisms must be working correctly.

Manual role assignment

In Security Console, open the user’s record and check the Roles tab. You will see a list of all roles directly assigned to the user. Verify that the role the user needs is in this list. If it is not, add it. But before you add it manually, check whether it should be provisioned automatically—manual assignments are harder to maintain and can be overwritten by automatic provisioning.

Automatic role provisioning

Oracle Fusion can automatically provision roles based on the user’s HCM assignment attributes: job, position, department, business unit, legal entity, or any combination. This is configured through role provisioning rules in Setup and Maintenance.

  1. Navigate to Setup and Maintenance > search for “Manage Role Provisioning Rules.”
  2. Find the rule that should provision the missing role. Verify that the rule conditions match the user’s HCM assignment. For example, if the rule says “provision Accounts Payable Manager role when Job = AP Manager,” check that the user’s HCM assignment has exactly that job.
  3. If the rule is correct but the role was not provisioned, run the “Retrieve Latest LDAP Changes” and “Run User and Roles Synchronization Process” scheduled processes. These processes synchronize role assignments between HCM and the identity store.

Common provisioning failures

  • Provisioning rule not active. The rule exists but is in “Draft” or “Inactive” status. It must be “Active” to provision roles.
  • HCM assignment attribute mismatch. The user’s job code in HCM does not exactly match the job code in the provisioning rule. Even a slight difference (trailing space, different case) will prevent matching.
  • Multiple assignments. The user has multiple HCM assignments (e.g., primary and secondary), and the provisioning rule evaluates the wrong one. Provisioning rules evaluate the primary assignment by default unless configured otherwise.
  • Synchronization process not running. The role synchronization scheduled processes are not running on a regular schedule. Roles assigned through HCM will not be reflected in the user’s login session until synchronization completes.

Step 3: Verify Data Security Policies

Having the correct role is necessary but not sufficient. The role must also include the correct data security policies that grant access to the specific data the user needs to see. This is the most common point of confusion for teams migrating from Oracle EBS, where responsibilities provided both functional and data access in a single assignment.

In Oracle Fusion, a user might have the “Accounts Payable Invoice Supervisor” role but still not be able to see invoices for a specific business unit. The role grants functional access (the ability to use AP Invoice pages), but data security policies control which business unit’s invoices are visible.

How to check data security

  1. In Security Console, open the role that the user has. Navigate to the Data Security Policies tab.
  2. Check which data security policies are attached. Look for policies that reference the data dimension the user is missing access to (business unit, ledger, legal entity, inventory organization, etc.).
  3. Verify that the policy grants access to the correct values. For example, a policy might grant access to “Business Unit = US Operations” but the user needs access to “Business Unit = EMEA Operations.”

Common data security issues

  • Data role not assigned. Oracle Fusion uses “data roles” that combine a job role with specific data security grants. If the user has the job role but not the corresponding data role, they have functional access but no data access. Check for data roles in Security Console > Users > [user] > Roles.
  • Business unit not assigned to the user. For many Oracle Fusion modules, users must be explicitly assigned to business units through the Manage Data Access for Users setup task. Without this assignment, data security policies that reference “assigned business units” return no data.
  • Set-based access not configured. Oracle Fusion uses reference data sets to control which lookup values, payment terms, and other shared data are visible by business unit. If the user’s business unit is not included in the correct reference data set, they may see the page but not be able to select necessary values from dropdowns.

Step 4: Check HCM Security Profiles

For HCM, Payroll, and Workforce Management modules, Oracle Fusion uses HCM security profiles to control which person records a user can see. This is a separate security layer on top of roles and data security policies.

  • Person security profile — Controls which employee records the user can see. A manager might only see their direct reports. An HR generalist might see all employees in their department. If the profile is too restrictive, the user cannot see the records they need.
  • Organization security profile — Controls which organizations (departments, legal entities) are visible to the user. If the user’s organization security profile does not include the organization they need to access, pages that filter by organization will show nothing.
  • Position security profile — Controls which positions are visible for workforce management tasks.
  • Country security profile — Controls which legislations (countries) the user can access for localized features.

How to fix

Navigate to Setup and Maintenance > Manage Data Role and Security Profiles. Find the data role assigned to the user and check which security profiles are attached. Verify that each profile includes the correct organizations, persons, positions, and countries. If the profile needs to be expanded, modify it and then run the “Run User and Roles Synchronization Process” to propagate the changes.

Step 5: Role Hierarchy Issues

Oracle Fusion roles are hierarchical. A job role (like “Accounts Payable Manager”) inherits duty roles, which in turn inherit privilege roles. If a quarterly Oracle Cloud update modifies the seeded role hierarchy—adding new duty roles or restructuring existing ones—custom roles that were copied from the seeded roles will not automatically inherit these changes.

Post-update access issues

If users lost access after an Oracle Cloud quarterly update, check whether the organization uses custom-copied roles. Compare the custom role’s duty role hierarchy to the current seeded role’s hierarchy. Any new duty roles added by Oracle in the update will be present in the seeded role but missing from the custom copy. You need to manually add the new duty roles to the custom role.

This is a recurring maintenance burden that many organizations do not anticipate. Every quarterly update potentially requires a review of custom role hierarchies.

When to Get Expert Help

Oracle Fusion’s security model is powerful but complex. A single user access issue can involve role provisioning, data security, HCM security profiles, and role hierarchy all at once. If access issues are widespread—affecting multiple users or multiple modules—or if they recur after every quarterly update, the security design itself likely needs restructuring. A Stabilization Sprint can audit the security configuration, fix immediate access issues, and establish a sustainable security model that survives quarterly updates. Typical turnaround for security remediation is 1–2 weeks.