One of the most confusing aspects of Oracle Fusion reporting is that the same SQL query can return different results for different users. A report that works perfectly for one analyst may return fewer rows - or even no rows at all - for another user with a different security configuration.
This behavior is not caused by SQL errors. It is the result of Oracle Fusion's security architecture, which enforces access control through multiple layers including Functional Roles, Data Roles, HCM Security Profiles, and database-level row filtering mechanisms.
Understanding Oracle Fusion HCM Security, Oracle Fusion Data Roles, Oracle Fusion Security Profiles, and Oracle Fusion Row-Level Security is essential when building BI Publisher reports, validating OTBI results, or developing Oracle Fusion SQL across Finance, HCM, Procurement, and SCM modules.
Oracle Fusion protects what end users can access through application screens and standard reports. It does not necessarily control what report developers, BI analysts, or SQL developers can query during report development.
This guide covers both layers: how Oracle Fusion's native security model works - and how FusionLens SQL adds a dedicated governance layer at the SQL development environment itself, filling a gap Oracle's native tools do not address.
Why Security Matters in Oracle Fusion SQL
Oracle Fusion is a multi-tenant SaaS platform designed to protect sensitive business and employee information. Unlike traditional on-premise Oracle environments, Fusion does not rely solely on application menus and responsibilities - security is enforced directly at the data access layer.
- Two users may run the same report and receive different row counts
- Sensitive columns may return null or masked values even when rows are visible
- A report can return zero rows despite valid SQL and correct joins
- OTBI and BI Publisher may return different row counts for the same data
Understanding these behaviors helps developers avoid spending hours troubleshooting SQL that is actually working correctly - and prevents inadvertent data exposure in production reports.
The Four Security Layers in Oracle Fusion
Functional Roles determine what actions a user can perform - which work areas, screens, and report types they can access. Examples: Accounts Payable Manager, Procurement Buyer, HR Specialist, Compensation Manager. Without the right Functional Role, a user cannot access the BI Publisher report or OTBI subject area at all.
Data Roles determine which business data records a user can access. A Functional Role grants access to a screen; a Data Role scopes the data within that screen. An HR Manager role assigned to US Business Unit only sees only US employees - even when running the same query as an HR Manager assigned globally. Examples: US HR Manager, EMEA Procurement Analyst, Finance Manager – Business Unit A.
HCM Security Profiles are heavily used in Oracle Fusion HCM to define exactly which workers, departments, locations, legal employers, and business units a user can access. A Person Security Profile can scope access to workers in a specific country, within a business unit, belonging to a legal employer, or within a management hierarchy. Security Profiles are the primary reason why HR reports often return fewer rows than expected.
Oracle Fusion applies row-level security policies automatically at the database level. Based on the user's Data Role and Security Profile configuration, Fusion dynamically restricts which rows are returned - without any visible change to the SQL itself. The same query, same table, different users:
| User | Accessible Employees |
|---|---|
| HR Administrator | All employees |
| Department Manager | Employees in their reporting hierarchy |
| Payroll Specialist | Employees assigned to their payroll groups |
| Procurement User | No employee records |
Why Reports Sometimes Return No Data
One of the most common Oracle Fusion support requests is: "The SQL works for me but returns zero rows for another user." This is almost always caused by a missing Data Role or incorrectly scoped Security Profile - not a SQL error.
SELECT
person_number,
person_id
FROM
per_all_people_f
WHERE
TRUNC(SYSDATE) BETWEEN effective_start_date
AND effective_end_date
This SQL is valid. But depending on security assignments, User A may see 15,000 workers, User B may see 250, and User C may see zero. The difference is always security context - not SQL design.
Troubleshooting checklist when a report returns no data: (1) Verify the user's Data Role assignments. (2) Check their Security Profile scope - Legal Employer, Business Unit, or Person type. (3) Compare with an administrator account. (4) Confirm effective-date filters are correct. (5) Test with the actual intended report user, not the developer account.
Sensitive Data Access in Oracle Fusion
Some information requires additional privileges beyond standard Data Roles. A user may be able to see an employee record while still being restricted from viewing salary or payroll information.
| Area | Examples |
|---|---|
| Personal Information | Date of Birth, National Identifier |
| Compensation | Salary Amounts, Bonus Data |
| Payroll | Payroll Results, Net Pay |
| Banking | Supplier Bank Accounts, Employee Banking Details |
| Financial Data | Certain Ledger or Cost Allocation Information |
Common HCM Tables Affected by Security
| Table | Typical Security Considerations |
|---|---|
| PER_ALL_PEOPLE_F | Person-level visibility; date_of_birth and national_identifier require PII access |
| PER_PERSON_NAMES_F | Worker visibility scoped by Person Security Profile |
| PER_ALL_ASSIGNMENTS_M | Assignment visibility scoped by Business Unit or Legal Employer |
| CMP_SALARY | Compensation restrictions - Compensation Manager or Payroll Data Role required |
| PAY_RUN_RESULT_VALUES | Payroll restrictions - requires Payroll Data Role and LDG Security Profile |
| PER_PERIODS_OF_SERVICE | Employment history visibility scoped by Person Security Profile |
Why OTBI and BI Publisher Sometimes Show Different Results
This is one of the most misunderstood Oracle Fusion reporting scenarios. OTBI and BI Publisher can show different row counts for the same business data - and the reason is security context, not SQL design.
- Runs as the logged-in end user
- Automatically applies subject area security
- Applies Security Profiles and Data Role filters
- Same report = different rows per user
- PII columns masked based on user role
- May run under a service account or apply user-specific security - depends on report configuration
- Row-level security behaviour varies: some deployments inherit user context, others use a shared account
- Developer is responsible for understanding and validating the active security model
- Results may match or differ from OTBI - always validate with end-user accounts
- PII columns unmasked unless SQL explicitly masks them
Important: Depending on the report configuration and security model, BI Publisher may execute under a service account context or apply user-specific security filters. Results can therefore differ from OTBI and should always be validated using the intended end-user security profile.
Common mistake: A developer tests a BI Publisher report using their own account and sees full salary data. The report is deployed to HR Business Partners who expect to see only their own employees. Because the effective execution context has broader access, every user sees the same full dataset. Row-level scoping must be built explicitly into the SQL or verified in the data model security settings.
FusionLens SQL: Security at the SQL Development Layer
Oracle Fusion's native security governs what end users can access through application screens, OTBI analyses, and BI Publisher report outputs. But it does not govern what a developer or analyst can query when they have direct SQL access to the Oracle Fusion data model.
In a standard development environment, a developer with access to the OTBI Compensation subject area can build an analysis that exposes salary amounts. A BI Publisher developer using a privileged service account can query CMP_SALARY directly and see every salary record in the result set. These scenarios exist within Oracle's documented security model - but they may conflict with your organisation's data governance policies.
FusionLens SQL adds a security governance layer at the SQL development tool itself - independent of and in addition to the Oracle Fusion security model.
Administrators define masking rules that automatically apply to query results for specific user groups. A rule can ensure that salary_amount always returns **** for analyst-level users - regardless of what the underlying SQL returns from Oracle. The query executes normally; the sensitive column value is intercepted before it reaches the user.
Administrators can block specific user groups from querying certain Oracle Fusion tables entirely. If an analyst group should not access payroll data, any attempt to include PAY_RUN_RESULT_VALUES in a query is denied at the FusionLens SQL layer - even if the user's Oracle database credentials would otherwise permit it.
Real-World Example: Protecting Salary Data During Report Development
A developer has access to the OTBI Compensation subject area. Company policy states they must not see actual salary values during report development - but Oracle Fusion itself permits the query.
SELECT
person_number,
salary_amount
FROM
cmp_salary
WHERE
TRUNC(SYSDATE) BETWEEN effective_start_date
AND effective_end_date
Real-World Example: Table Access Control
A Finance analyst attempts to query a payroll results table. Their Oracle database credentials would permit the query. FusionLens SQL intercepts it before it reaches the database.
SELECT * FROM pay_run_result_values WHERE ROWNUM <= 10
PAY_RUN_RESULT_VALUES is restricted for the current user group (Finance Analyst). Contact your FusionLens SQL administrator to request access to this table.
Summary: how FusionLens SQL governance applies across roles
| User Type | CMP_SALARY.salary_amount | PAY_RUN_RESULT_VALUES |
|---|---|---|
| Admin | Full value returned | Accessible |
| HR Analyst | **** (masked) | Accessible (masked columns) |
| Finance Analyst | **** (masked) | Blocked |
| Procurement User | Blocked | Blocked |
Oracle OTBI and BI Publisher provide extensive access control capabilities, but they are primarily designed around report consumption and application security. They do not provide a dedicated SQL-development governance layer that can centrally mask query results or block table access during query authoring. FusionLens SQL addresses this gap directly.
How Oracle Fusion Security Affects SQL Development
The most common security confusion Oracle Fusion developers encounter is this: the same query returns different row counts depending on where and as whom it is executed. This is not a SQL error - it is security working as designed.
Consider this example:
SELECT COUNT(*)
FROM per_all_people_f
WHERE TRUNC(SYSDATE)
BETWEEN effective_start_date
AND effective_end_date
The 9,650 missing rows are not a bug. The end user's security configuration limits visibility to their assigned scope. The reasons are always one or more of the following:
- Person Security Profile - limits the worker population visible to this user
- Data Role - restricts access to a specific Business Unit, Legal Employer, or Country
- Legal Employer Scope - the user's Data Role covers only workers in certain legal entities
- Business Unit Scope - assignment-level visibility is filtered by Business Unit assignment
Security Concepts Every Oracle Fusion SQL Developer Should Know
| Concept | The question it answers | SQL impact |
|---|---|---|
| Functional Role | What can the user do? | Controls which screens, subject areas, and report types are accessible. No Functional Role = no access to the report at all. |
| Data Role | Which data can the user see? | Scopes the rows returned - by Business Unit, Legal Employer, or Country. A missing Data Role is the most common cause of zero-row results. |
| Security Profile | Which workers, organizations, or BUs can the user access? | HCM-specific. Person, Organization, Position, and LDG Security Profiles narrow row visibility within the scope already set by the Data Role. |
| Row-Level Security | Which rows does the database return? | Enforced at the database layer via row filtering policies. The SQL is unchanged - Oracle Fusion silently adds row filters based on the session context. These policies are managed by Oracle Fusion and are generally not visible or configurable by report developers. |
Building Security-Aware BI Publisher Reports
Before deploying a report, validate it using accounts with different security profiles. These validation queries help confirm what each user type can actually see.
Query 1 - Worker Population Validation
Run this as each intended report user to confirm how many workers their security context exposes. A zero result means the Person Security Profile is missing or incorrectly scoped.
SELECT
COUNT(*) AS worker_count
FROM
per_all_people_f p
WHERE
TRUNC(SYSDATE) BETWEEN p.effective_start_date
AND p.effective_end_date
Query 2 - Active Assignment Validation
Validates how many active assignments are visible. Compare results across HR Administrator, Business Unit Manager, and a restricted HR role to understand the security boundary.
SELECT
COUNT(*) AS active_assignments
FROM
per_all_assignments_m a
WHERE
a.primary_flag = 'Y'
AND TRUNC(SYSDATE) BETWEEN a.effective_start_date
AND a.effective_end_date
Query 3 - Salary Visibility Validation
If Compensation users can see results but HR users cannot, the issue is a missing Compensation Data Role - not a SQL problem. Depending on the security configuration, salary records may be hidden entirely, filtered from the result set, or returned with restricted values for users without the Compensation Manager or Payroll Data Role.
SELECT
assignment_id,
salary_amount,
annual_salary
FROM
cmp_salary
WHERE
TRUNC(SYSDATE) BETWEEN effective_start_date
AND effective_end_date
Note: Compensation tables are among the least standardized areas across Oracle Fusion releases. The effective-dating pattern can vary - some environments use date_to IS NULL for current records, others use the BETWEEN pattern shown above. Always validate the effective-dating convention in your own environment before using queries in production.
Query 4 - Masking PII Columns in BI Publisher SQL
Even when a user is authorized to access a row, reports shared beyond HR may need to mask PII. Apply masking directly in SQL so the data model layer controls exposure - not the report layout layer.
SELECT
person_number,
full_name,
REGEXP_REPLACE(
national_identifier,
'.(?=.{4})',
'*'
) AS masked_national_id
FROM
per_people_legislative_f
WHERE
TRUNC(SYSDATE) BETWEEN effective_start_date
AND effective_end_date
Output example: *******1234 - reduces PII exposure in exported Excel or CSV reports without restricting the row itself.
Security Beyond HCM: Finance and Procurement
Oracle Fusion SQL security is not limited to worker data. Finance and Procurement modules apply their own Data Role and security scoping mechanisms - and the same principle applies: two users running the same query may see entirely different result sets.
Finance reporting access in Oracle Fusion is commonly scoped through:
- Ledger - GL journal and balance visibility is filtered by assigned Ledger
- Data Access Sets - define which ledgers and balancing segments a Finance user can query
- Business Unit - AP, AR, and Cash Management rows scoped by Business Unit assignment
- Legal Entity - Subledger Accounting entries scoped by Legal Entity
Two Finance users running the same GL query may see different journals depending on their assigned Oracle Fusion Data Access Set.
Oracle Fusion Procurement Data Roles frequently restrict access by:
- Business Unit - purchase orders visible only within an assigned Business Unit
- Procurement Organization - requisition and PO visibility scoped to procurement org
- Purchasing Document Ownership - buyers may only see their own PO lines
- Supplier Access Scope - supplier-facing roles restrict the supplier list visible in queries
A Procurement Analyst may see only the purchase orders belonging to their Business Unit even when querying the same PO tables as another user.
The Oracle Fusion security model is consistent across modules: a Data Role defines the scope, and database-level row filtering enforces it. Whether you are querying GL_JE_LINES, AP_INVOICES_ALL, PO_HEADERS_ALL, or PER_ALL_PEOPLE_F - always validate results using the intended end-user's security context, not an administrator account.
Oracle Fusion Tables Commonly Restricted by Security Policies
The following tables are frequently subject to Data Role restrictions, Security Profile scoping, or column-level sensitivity requirements. Developers who query these tables directly should expect result sets to vary significantly based on the executing user's security context.
| Module | Table | Common Security Restriction |
|---|---|---|
| HCM | PER_ALL_PEOPLE_F | Person Security Profile scopes visible worker population; date_of_birth and national_identifier require PII access |
| HCM | PER_PERSON_NAMES_F | Person Security Profile; worker visibility scoped by Legal Employer or Business Unit |
| HCM | PER_ALL_ASSIGNMENTS_M | Assignment visibility scoped by Business Unit or Legal Employer Data Role |
| Compensation | CMP_SALARY | Compensation Manager or Payroll Data Role required; salary_amount is column-level sensitive |
| Payroll | PAY_RUN_RESULT_VALUES | Payroll Data Role and LDG Security Profile required; commonly blocked outside Payroll team |
| Procurement | PO_HEADERS_ALL | Procurement Business Unit Data Role; document ownership may further restrict visible PO lines |
| Finance | GL_JE_LINES | Ledger and Data Access Set scoping; visible journals vary by assigned Ledger and Balancing Segment |
| Finance | AP_INVOICES_ALL | Business Unit Data Role; supplier access scope may restrict visible invoice records |
Security Best Practices for Oracle Fusion SQL Reports
- Test reports using real business-user accounts
- Validate row counts across different security roles
- Document which Data Roles are required for each report
- Mask PII columns in SQL when reports are broadly distributed
- Verify Security Profile assignments during UAT
- Assuming all users should see the same row counts
- Exposing salary or payroll data without role-based validation
- Using administrator accounts as the only test users
- Comparing OTBI and BI Publisher results without considering security context
- Assuming a zero-row result means the SQL is incorrect