Role-based vs attribute-based access control for compensation planning workflows

I’m evaluating access control models for our compensation planning implementation in Oracle HCM Cloud 23c. We’re a multi-national organization with 15,000+ employees across 40 countries, and we’re hitting significant challenges with role explosion in our current RBAC setup.

Currently, we have 250+ compensation roles to handle different combinations of country, business unit, compensation plan type, and approval levels. Every time we add a new country or restructure business units, we need to create 5-10 new roles and update security policies. This is becoming unmaintainable.

I’m considering switching to attribute-based access control (ABAC) where access decisions are based on user attributes (location, job level, department) and resource attributes (compensation plan region, confidentiality level) rather than pre-defined roles. This could dramatically reduce our role count and provide more flexible multi-tenant access isolation.

Has anyone implemented ABAC for compensation planning in Oracle HCM Cloud? What are the trade-offs between role-based and attribute-based models for large, complex organizations? How do you handle dynamic role assignment when organizational structures change frequently?

We faced similar role explosion issues with a global manufacturing client. They had 180+ compensation roles before we redesigned their security model. The key insight is that pure RBAC doesn’t scale well for matrix organizations with multiple access dimensions. We implemented a hybrid approach: base roles for common access patterns (Compensation Manager, Compensation Analyst) combined with data security policies that use attribute-based rules. This reduced their role count to 25 while maintaining granular access control. The attribute-based policies evaluate user and data attributes at runtime to determine access, which is exactly what you need for dynamic organizational structures.

I’m interested in the multi-tenant access isolation aspect. We’re a holding company with multiple operating companies sharing an HCM instance. Each company needs strict isolation for compensation data. With RBAC, we’ve created separate role hierarchies for each company, which means 4x role proliferation. Can ABAC handle this scenario where access rules need to enforce complete data separation between tenants while still allowing corporate-level users to access all tenants?

Conditional access with ABAC works well, but you need to plan your attribute taxonomy carefully. Define clear attribute categories: organizational attributes (division, country, business unit), role attributes (job level, function, seniority), and data classification attributes (confidentiality level, compensation plan type). Then build your policies using combinations of these attributes. For dynamic role assignment when org structures change, ABAC is far superior because you’re not reassigning roles - you’re updating attributes that flow from your HR system of record. When an employee moves divisions, their division attribute updates automatically, and ABAC policies immediately reflect the new access rights.

That’s exactly our scenario too. We have three major business divisions that need complete compensation data isolation, but our global CHRO needs visibility across all divisions. With RBAC, we’ve had to create division-specific roles at every level. I’m hoping ABAC can handle this with policies like ‘allow access if user.division = resource.division OR user.role = Global_CHRO’. Has anyone successfully implemented this kind of conditional access?
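To make the rule discussed in this thread concrete, the following is an added illustration (not Oracle HCM Cloud code, and not the configuration any poster described) of how an attribute-based decision function can express the hybrid model from the earlier replies: a small set of base roles, a tenant-isolation rule with a corporate-role override, the proposed `user.division = resource.division OR user.role = Global_CHRO` policy, and a confidentiality check. The attribute names, the role label `Global_CHRO`, the tenant names and the sample plans are all constructed for the example. In Oracle HCM Cloud the equivalent logic would live in data security policies rather than application code; the point of the block is the decision semantics, in particular that the policy fails closed when an attribute is missing and that moving an employee only changes an attribute, not a role assignment.

```python
"""Toy ABAC evaluator for compensation-plan access.

Added example, not Oracle HCM Cloud code. It models the decision logic
discussed in the thread: tenant isolation with a corporate override,
division matching, and a confidentiality threshold, all deny-by-default.
"""
from dataclasses import dataclass, replace

# Attribute taxonomy (constructed): organizational, role, data-classification.
@dataclass(frozen=True)
class User:
    user_id: str
    tenant: str        # operating company in the shared instance
    division: str      # organizational attribute fed from the HR record
    country: str
    job_level: int     # role attribute
    base_role: str     # one of the few base roles kept after the redesign

@dataclass(frozen=True)
class CompPlan:
    plan_id: str
    tenant: str
    division: str
    confidentiality: str   # "standard" or "executive"
    min_job_level: int = 0 # only enforced for executive plans

CORPORATE_ROLES = {"Global_CHRO"}                         # hypothetical label
COMP_BASE_ROLES = {"Compensation Manager", "Compensation Analyst"}
REQUIRED_USER_ATTRS = ("tenant", "division", "job_level", "base_role")
REQUIRED_PLAN_ATTRS = ("tenant", "division", "confidentiality")

def evaluate(user: User, plan: CompPlan):
    """Return (allowed, reason). Missing attributes deny: fail closed."""
    for obj, names in ((user, REQUIRED_USER_ATTRS), (plan, REQUIRED_PLAN_ATTRS)):
        for name in names:
            if getattr(obj, name, None) in (None, ""):
                return False, f"missing attribute {name}"
    corporate = user.base_role in CORPORATE_ROLES
    if not corporate and user.base_role not in COMP_BASE_ROLES:
        return False, "no compensation base role"
    # Rule 1: tenants are isolated unless the user holds a corporate role.
    if user.tenant != plan.tenant and not corporate:
        return False, "tenant mismatch"
    # Rule 2: the proposed rule: same division OR corporate role.
    if user.division != plan.division and not corporate:
        return False, "division mismatch"
    # Rule 3: executive plans require a minimum job level, even for corporate users.
    if plan.confidentiality == "executive" and user.job_level < plan.min_job_level:
        return False, "job level below plan threshold"
    return True, "allow"

def visible_plans(user: User, plans):
    """Filter a plan list down to the ids the user may see."""
    return [p.plan_id for p in plans if evaluate(user, p)[0]]

def move_division(user: User, new_division: str) -> User:
    """Simulate the HR feed updating one attribute; roles stay untouched."""
    return replace(user, division=new_division)

# Constructed sample data.
ANALYST = User("u1", "OpCo-A", "EMEA", "DE", 3, "Compensation Analyst")
MANAGER_B = User("u2", "OpCo-B", "EMEA", "FR", 5, "Compensation Manager")
CHRO = User("u3", "Corporate", "Corporate", "US", 9, "Global_CHRO")
NO_TENANT = User("u4", "", "EMEA", "DE", 3, "Compensation Analyst")
PLANS = [
    CompPlan("A-std", "OpCo-A", "EMEA", "standard"),
    CompPlan("A-exec", "OpCo-A", "EMEA", "executive", min_job_level=6),
    CompPlan("A-apac", "OpCo-A", "APAC", "standard"),
    CompPlan("B-std", "OpCo-B", "EMEA", "standard"),
]

if __name__ == "__main__":
    for u in (ANALYST, MANAGER_B, CHRO, NO_TENANT):
        print(u.user_id, visible_plans(u, PLANS))
    print("after move:", visible_plans(move_division(ANALYST, "APAC"), PLANS))
```

Two properties worth noting from the output: the manager in OpCo-B is in the same division as the OpCo-A plans but still sees none of them, because the tenant rule is evaluated independently of the division rule; and after `move_division` the analyst's visible set changes without any role being reassigned, which is the behaviour the earlier reply attributes to attribute-driven access. The corporate override deliberately does not bypass the confidentiality threshold, so a corporate user still needs the job level an executive plan demands.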