Applications Common Implementation Guide
11g Release 1 (11.1.2)
Part Number E20360-02
This chapter contains the following:
Initial Security Administration: Critical Choices
Initial security administration is performed by an administrative user who is created and provisioned with the IT Security Manager role.
The Oracle Fusion Applications installation process creates a super user account, which is available for signing into Oracle Fusion Applications to create a user provisioned with the IT Security Manager role.
Initial security administration primarily establishes at least one implementation user. The IT security manager must provision the initial implementation user with sufficient access to set up the enterprise, including provisioning of the Application Implementation Consultant role to the implementation users.
Perform the following tasks to establish implementation users with appropriate access.
Create implementation users.
Create a data role for performing Human Capital Management (HCM) setup steps.
Create a data role for implementation users.
Provision roles to implementation users.
Create one or more implementation users by performing the Create Implementation Users task in Oracle Identity Management (OIM). An implementation user must exist to set up the enterprise in Oracle Fusion Applications.
User and user account information is stored in the Lightweight Directory Access Protocol (LDAP) store. The implementation user does not need to be associated with a person in Human Resources (HR).
In the security reference implementation, the IT Security Manager job role hierarchy includes the User Management Duty role, which is entitled to create and manage users (the entitlement is Manage User Principal). This entitlement provides the access necessary to perform the Create Implementation Users task in OIM.
No predefined roles exist in the Oracle Fusion Applications security reference implementation to access the data necessary for setting up the HCM structures of the enterprise.
Setting up the HCM structures includes the following.
HR structures, such as establishing job and position structures
Departments and organization trees
Facilities and inventory organizations
HCM security profiles
These setup tasks are commonly done by application implementation consultants with administrator access, for example an HCM Application Administrator View All data role.
Administrator and implementation roles of the Oracle Fusion Applications security reference implementation are defined to access all other elements of the enterprise that need to be set up, such as the following.
Reference data sharing
Legal jurisdictions and authorities
Chart of accounts for enterprise structures
Accounting configurations for enterprise structures
Create a Human Capital Management Application Administrator View All data role.
This data role is based on the Human Capital Management Application Administrator job role and extends that role with unrestricted access to data in the secured objects that the role is authorized to access. Users assigned to this data role can perform all of the HCM setup steps.
Once an implementation user with a View All data role has completed HCM security setup, it may be prudent to revoke the role and provision it only when specific HCM security setup changes are necessary. A View All data role grants broad access to all business units, reference data sets, and so on. Security setup tasks in other offerings are not data security enabled and do not require a View All data role for enterprise setup.
In the security reference implementation, the IT Security Manager job role hierarchy includes the Data Role Management Duty role, which is entitled to create a data role for Human Capital Management Application Administrator (the entitlement is Manage HCM Data Role). This entitlement provides the access necessary to perform the Create Data Role for Implementation Users task in Oracle Fusion Global Human Resources.
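The revocation advice above can be checked periodically against a list of role grants. The following is an added example, not part of the Oracle documentation or product: the CSV layout, the user names, the 30-day threshold, and matching data roles by a "View All" name suffix are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export (hypothetical format): one row per role grant.
SAMPLE_EXPORT = """user,role,granted_on
IMPL_USER1,HCM Application Administrator View All,2024-01-10
IMPL_USER1,Application Implementation Consultant,2024-01-10
IMPL_USER2,HCM Application Administrator View All,2024-03-01
IMPL_USER3,HCM Application Administrator View All,
"""


def stale_view_all_grants(export_text, today, max_age_days=30):
    """Return (user, role, age_days) for View All data role grants that are
    older than max_age_days, or whose grant date is missing or unparseable."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        role = (row.get("role") or "").strip()
        # Assumption: View All data roles are recognisable by their name suffix.
        if not role.lower().endswith("view all"):
            continue
        granted = (row.get("granted_on") or "").strip()
        try:
            age = (today - date.fromisoformat(granted)).days
        except ValueError:
            age = None  # unknown grant date: report it rather than skip it
        if age is None or age > max_age_days:
            findings.append((row["user"].strip(), role, age))
    # Undated grants first, then oldest grants first.
    return sorted(findings, key=lambda f: (f[2] is not None, -(f[2] or 0)))


if __name__ == "__main__":
    for user, role, age in stale_view_all_grants(SAMPLE_EXPORT, date(2024, 3, 15)):
        shown = "unknown" if age is None else f"{age} days"
        print(f"review: {user} holds '{role}' (granted {shown} ago)")
```

Each finding is a candidate for revocation once HCM security setup is complete; the role can be provisioned again when a specific setup change requires it.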
Provision the implementation user with one or more roles by performing the Provision Roles to Implementation Users task in Oracle Identity Manager (OIM).
For example, assign a role to the implementation user that provides the access necessary for setting up the enterprise, such as an HCM Application Administrator View All data role. Depending on the implementation, provision the predefined Applications Implementation Consultant role or a product family-specific administrator role, such as the predefined Financials Applications Administrator, to the implementation user. These predefined roles are available for selection in OIM.
In the security reference implementation, the IT Security Manager job role hierarchy includes the Identity User Administrators and Role Administrators roles, which entitle you to provision users with roles. This entitlement provides the access necessary to perform the Provision Roles to Implementation Users task in OIM.