
 Enhancing Security with Location-Based Access Control


Executive Summary 

In today’s increasingly distributed and hybrid work environment, organizations face significant challenges in ensuring that sensitive HR data remains accessible only to authorized personnel—and only from secure, trusted network locations. Oracle HCM Cloud addresses this challenge through its Location Based Access Control (LBAC) feature, a robust security mechanism that governs user access to tasks and data by cross-referencing user roles with registered computer IP addresses.

This blog post provides an in-depth exploration of LBAC in Oracle HCM Cloud: what it is, why it matters, how it works, how to enable and manage it, and how it maps to real-world business use cases. Whether you are an IT Security Manager, an HCM Functional Consultant, or an organizational decision-maker, this guide will equip you with the knowledge needed to implement LBAC effectively and confidently.

What is Location Based Access Control? 

Location Based Access Control (LBAC) is a security feature within Oracle HCM Cloud that restricts or grants user access to application tasks and data based on two core factors: 

  • The user’s assigned role within the Oracle HCM Cloud system.
  • The IP address of the computer from which the user is signing in.

When LBAC is activated, Oracle HCM Cloud cross-validates the user’s login origin (their computer’s IP address) against a pre-configured allowlist of registered IP addresses. Users accessing the system from a registered, trusted IP address receive full role-based access to all permitted tasks and data. Users accessing from an unregistered or untrusted IP address are limited to generic, non-role-specific tasks, effectively preventing them from performing sensitive operations.

This creates a layered security model that goes beyond standard username and password authentication. Even if a user’s credentials are compromised, an unauthorized party attempting to log in from an unregistered network location will be denied access to any privileged functionality. 

 Purpose and Strategic Intent 

The primary purpose of LBAC in Oracle HCM Cloud is to establish network-perimeter-aware access governance for enterprise HR systems. Organizations increasingly store sensitive employee data, including payroll, performance records, benefits information, and personal identification data, within HCM systems. Protecting this data from unauthorized access is not merely a best practice; it is a regulatory and ethical imperative.

 

LBAC serves the following strategic intents: 

  • Zero Trust Security: Enforce network-level access boundaries in alignment with Zero Trust Architecture principles.
  • Regulatory Compliance: Satisfy data localization and access restriction mandates under regulations such as GDPR, HIPAA, and SOX. 
  • Workforce Flexibility: Provide administrators with a practical, scalable tool to manage remote, hybrid, and external user access without compromising enterprise security. 
  • Risk Mitigation: Reduce the attack surface by ensuring that role-based privileged operations can only be performed from known, trusted network locations.
  • Structured External Access: Enable organizations to extend selective access to non-employee stakeholders such as contractors, pending workers, and external learners during preboarding or training phases.

Business Benefits of Location Based Access Control 

The following table summarizes the key business benefits that organizations realize when implementing LBAC within Oracle HCM Cloud:

 

How Location Based Access Control Works

LBAC in Oracle HCM Cloud operates through a combination of registered IP addresses and public role designations. Together, these two mechanisms define the access policies that govern every user login attempt.

Core Components 

  1. Registered IP Addresses (IP Allowlist)

Administrators configure a list of trusted IP addresses representing office computers, corporate network gateways, or VPN endpoints within the Security Console. These form the IP Address Allowlist. Users signing in from any IP address on this list are operating from a trusted location and receive full role-based access.

IPv4 addresses are supported, and ranges can be specified using CIDR notation (e.g., 192.168.10.0/24). The allowlist supports a range suffix up to /32. 

  2. Public Role Designations

Certain roles can be marked as “public,” meaning that users assigned those roles can access all associated tasks from any IP address, registered or unregistered. This is particularly useful for roles assigned to pending workers, external learners, contractors, or integration users who cannot be expected to connect from a registered network.

Importantly, the IT Security Manager role should always be made public when LBAC is enabled, ensuring that security administrators retain access to the Security Console even in recovery scenarios. 
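The two components above can be modelled to preview who would lose role access before the feature is switched on. This is an added example, not Oracle's implementation and not code from the original post; it assumes the rule "registered IP keeps every role, unregistered IP keeps public roles only". Every address, user name and role name other than IT Security Manager is constructed for illustration.

```python
import ipaddress

# Constructed inputs: addresses are RFC 5737 documentation ranges; users and
# role names other than "IT Security Manager" are illustrative assumptions.
ALLOWLIST = "203.0.113.0/24, 198.51.100.17"
PUBLIC_ROLES = {"IT Security Manager", "Pending Worker"}
SIGN_INS = [  # (user, source IP, assigned roles), e.g. from a sign-in audit export
    ("hr.analyst", "203.0.113.40", {"Human Resource Specialist", "Employee"}),
    ("hr.remote", "192.0.2.77", {"Human Resource Specialist", "Employee"}),
    ("new.hire", "192.0.2.90", {"Pending Worker"}),
    ("sec.admin", "192.0.2.10", {"IT Security Manager", "Employee"}),
]

def parse_allowlist(text):
    """Turn the comma-separated allowlist into IPv4 networks (a bare IP is a /32)."""
    return [ipaddress.IPv4Network(e.strip(), strict=False)
            for e in text.split(",") if e.strip()]

def effective_roles(source_ip, roles, allowlist, public_roles):
    """Roles still usable for this sign-in under the assumed two-rule model."""
    addr = ipaddress.IPv4Address(source_ip)
    if any(addr in net for net in allowlist):
        return set(roles)                  # registered IP: full role-based access
    return set(roles) & set(public_roles)  # unregistered IP: public roles only

def impact_report(sign_ins, allowlist_text, public_roles):
    """Map each affected user to the roles they would lose once LBAC is on."""
    nets = parse_allowlist(allowlist_text)
    lost = {}
    for user, ip, roles in sign_ins:
        dropped = set(roles) - effective_roles(ip, roles, nets, public_roles)
        if dropped:
            lost.setdefault(user, set()).update(dropped)
    return lost

def admin_recoverable(public_roles, admin_role="IT Security Manager"):
    """Recovery rule from the text: the security admin role must be public."""
    return admin_role in public_roles

if __name__ == "__main__":
    report = impact_report(SIGN_INS, ALLOWLIST, PUBLIC_ROLES)
    for user, roles in sorted(report.items()):
        print(f"{user}: loses {sorted(roles)} from unregistered addresses")
    print("admin recoverable:", admin_recoverable(PUBLIC_ROLES))
```
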

Prerequisites Before Enabling LBAC 

Prior to activating Location Based Access Control, administrators must ensure the following conditions are in place to prevent accidental lockouts and maintain recoverability: 

  • Required Role: The administering user must hold the IT Security Manager role.
  • Valid Email Address: A valid, accessible email address must be configured for the administrator account. This is used for lockout recovery notifications.
  • Notification Template: The administrator must be added to the user category for which the ORA Administration Activity Request Template notification is enabled.
  • IP Allowlist Readiness: Compile and validate the complete list of office/corporate IP addresses to be registered before activating the feature.
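One way to carry out the allowlist validation step before pasting the list into the console, as an added example that is not Oracle tooling or code from the original post. It checks a comma-separated string for non-IPv4 entries, CIDR ranges with host bits set, overlapping entries and very broad ranges; the `min_prefix` threshold is an assumed local policy, and the sample string is constructed.

```python
import ipaddress

# Constructed sample allowlist (documentation and private ranges, not real sites).
SAMPLE = "203.0.113.0/24, 203.0.113.25, 198.51.100.9/28, 2001:db8::1, 10.0.0.0/8"

def lint_allowlist(text, min_prefix=16):
    """Lint a comma-separated IPv4 allowlist; return (errors, warnings, cleaned).

    min_prefix is an assumed local policy threshold, not an Oracle limit.
    """
    errors, warnings, nets = [], [], []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:  # IPv6, malformed octets, or a suffix beyond /32
            errors.append(f"{entry}: not an IPv4 address or CIDR range")
            continue
        if ipaddress.IPv4Interface(entry).ip != net.network_address:
            warnings.append(f"{entry}: host bits set, whole of {net} is trusted")
        if net.prefixlen < min_prefix:
            warnings.append(f"{entry}: trusts {net.num_addresses} addresses")
        for other in nets:
            if net.subnet_of(other) or other.subnet_of(net):
                warnings.append(f"{entry}: overlaps {other}")
        nets.append(net)
    # Merge duplicates and nested ranges; write single hosts without "/32".
    cleaned = ", ".join(
        str(n.network_address) if n.prefixlen == 32 else str(n)
        for n in ipaddress.collapse_addresses(nets))
    return errors, warnings, cleaned

if __name__ == "__main__":
    errs, warns, cleaned = lint_allowlist(SAMPLE)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
    print("cleaned:", cleaned)
```
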

Step by Step: Enabling Location Based Access Control

Step 1: Activate the Profile Option. 

By default, the Location Based Access tab is hidden in the Security Console Administration page.

 

Fig. 1 (Security Console)

Fig. 2 (Administration)

 

Before you can configure LBAC, you must first make it visible by updating the relevant profile option. 

Navigate to Setup and Maintenance > Manage Administrator Profile Values. 

Fig. 3 (Setup and Maintenance)

Search for the profile option: Enable Access to Location Based Access Control. 

Set the profile value to Yes at the site level.

Save the changes. 

Fig. 4 (Administration Profiles)

 

Step 2: Configure Location Based Access in Security Console 

Navigate to Navigator > Tools > Security Console. 

On the Administration page, click the Location Based Access tab. 

Select the Enable Location Based Access checkbox to activate the feature. 

In the IP Address Allowlist text box, enter one or more trusted IP addresses separated by commas. 

Click Save, then review the confirmation message and click OK.

Fig. 5 (Location Based Access)


Disabling Location Based Access Control
 

To disable LBAC, navigate to the Location Based Access tab in the Security Console and deselect the Enable Location Based Access checkbox. Upon deactivation: 

  • All existing IP addresses in the allowlist are retained in a read-only state for future reference.
  • Users regain access according to their standard role-based permissions, irrespective of their login IP address.
  • Administrators can re-enable LBAC at any time and add or remove IP addresses from the allowlist as needed.
