Oracle® Fusion Applications Coexistence for HCM Implementation Guide
11g Release 1 (11.1.3)
Part Number E20378-01

18 Define Users for Human Capital Management for Coexistence

This chapter contains the following:

Role Provisioning and Deprovisioning: Explained

Role Mappings: Explained

Role Mappings: Examples

Creating Users and Provisioning Roles for HCM Coexistence: Explained

Synchronization of User and Role Information with Oracle Identity Management: How It Is Processed

Role Provisioning and Deprovisioning: Explained

A user's access to data and functions depends on the user's roles: users have one or more roles that enable them to perform the tasks required by their jobs or positions. Roles must be provisioned to users; otherwise, users have no access to data or functions.

Role Provisioning Methods

Roles can be provisioned to users:

For both automatic and manual role provisioning, you create a role mapping to identify when a user becomes eligible for a role.

Oracle Identity Management (OIM) can be configured to notify users when their roles change; notifications are not issued by default.

Role Types

Data roles, abstract roles, and job roles can be provisioned to users. Roles available for provisioning include predefined roles, HCM data roles, and roles created using OIM.

Automatic Role Provisioning

A role is provisioned to a user automatically when at least one of the user's assignments satisfies the conditions specified in the relevant role-mapping definition. The provisioning occurs when the assignment is either created or updated. For example, when a person is promoted to a management position, the line manager role is provisioned automatically to the person if an appropriate role mapping exists. Any change to a person's assignment causes the person's automatically provisioned roles to be reviewed and updated as necessary.

Role Deprovisioning

Automatically provisioned roles are deprovisioned automatically as soon as a user no longer satisfies the role-mapping conditions. For example, a line manager role that is provisioned to a user automatically is deprovisioned automatically when the user ceases to be a line manager.

Automatically provisioned roles can be deprovisioned manually at any time.

Manually provisioned roles are deprovisioned automatically only when all of the user's work relationships are terminated; in all other circumstances, users retain manually provisioned roles until they are deprovisioned manually.

Changes to Assignment Managers

When a person's line manager is changed, the roles of both new and previous line managers are updated as necessary. For example, if the person's new line manager now satisfies the conditions in the role mapping for the line manager role, and the role is one that is eligible for autoprovisioning, then that role is provisioned automatically to the new line manager. Similarly, if the previous line manager no longer satisfies the conditions for the line manager role, then that role is deprovisioned automatically.

Roles at Termination

When a work relationship is terminated, all automatically provisioned roles for which the user does not qualify in other work relationships are deprovisioned automatically. Manually provisioned roles are deprovisioned automatically only if the user has no other work relationships; otherwise, the user retains all manually provisioned roles until they are deprovisioned manually.

Automatic deprovisioning can occur either as soon as the termination is submitted or approved, or on the day after the termination date. The user who terminates the work relationship selects which of these deprovisioning dates applies.

Role mappings can provision roles to users automatically at termination. For example, the locally defined roles Retiree and Beneficiary could be provisioned to users at termination based on assignment status and person type values.

If a termination is later reversed, roles that were deprovisioned automatically at termination are reinstated and post-termination roles are deprovisioned automatically.

Date-Effective Changes to Assignments

Automatic role provisioning and deprovisioning are based on current data. For a future-dated transaction, such as a future promotion, role changes are identified and role provisioning occurs on the day the changes take effect, not when the change is entered. The process Send Pending LDAP Requests identifies future-dated transactions and manages role provisioning and deprovisioning at the appropriate time. Note that such role-provisioning changes are effective as of the system date; therefore, a delay of up to 24 hours may occur before users in other time zones acquire the access for which they now qualify.
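The provisioning and deprovisioning rules above can be checked end to end with a small simulation. The following Python program is an added example, not code from Oracle or from this guide: it models assignments as date-effective rows, evaluates the role-mapping conditions as of a given date (so a future-dated promotion has no effect until its effective date), removes automatically provisioned roles as soon as their conditions stop holding, removes manually provisioned roles only once every work relationship is terminated, and reinstates the automatically deprovisioned roles when a termination is reversed. The mapping conditions follow this chapter's examples; the worker, the dates, and the treatment of termination as an Inactive assignment row are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed example, not Oracle's code: a simplified model of the autoprovisioning,
# deprovisioning and date-effective rules described above. Mapping conditions follow
# this chapter's examples; the worker, dates and the "Expenses Reporting" grant are invented.


@dataclass
class AssignmentRow:
    work_relationship: str   # the work relationship this row belongs to
    effective: date          # date from which this row is the current version
    attrs: dict              # e.g. {"Assignment Status": "Active", "Business Unit": "Sales"}


@dataclass
class RoleMapping:
    name: str
    conditions: dict         # all conditions must be met by one assignment
    autoprovision: set       # roles with the Autoprovision option selected


@dataclass
class User:
    rows: list = field(default_factory=list)
    auto_roles: set = field(default_factory=set)     # automatically provisioned
    manual_roles: set = field(default_factory=set)   # manually provisioned or self-requested


MAPPINGS = [
    RoleMapping("All Employees",
                {"System Person Type": "Employee", "Assignment Status": "Active"}, {"Employee"}),
    RoleMapping("Line Manager Sales BU",
                {"Business Unit": "Sales", "Assignment Status": "Active",
                 "Manager with Reports": "Yes"}, {"Line Manager"}),
    RoleMapping("All Retirees",
                {"System Person Type": "Retiree", "Assignment Status": "Inactive"}, {"Retiree"}),
]


def current_assignments(user, as_of):
    """Per work relationship, the latest row whose effective date has been reached.
    Future-dated rows are skipped, so a future promotion changes nothing until its date."""
    latest = {}
    for row in user.rows:
        if row.effective <= as_of:
            cur = latest.get(row.work_relationship)
            if cur is None or row.effective >= cur.effective:
                latest[row.work_relationship] = row
    return list(latest.values())


def matches(row, conditions):
    return all(row.attrs.get(k) == v for k, v in conditions.items())


def reconcile(user, mappings, as_of):
    """Re-evaluate roles after an assignment change. Returns (provisioned, deprovisioned)."""
    current = current_assignments(user, as_of)
    wanted = set()
    for row in current:
        for m in mappings:
            if matches(row, m.conditions):
                wanted |= m.autoprovision
    provisioned = wanted - user.auto_roles
    deprovisioned = user.auto_roles - wanted
    user.auto_roles = wanted
    # Manually provisioned roles go only when every work relationship is terminated,
    # modelled here (a simplification) as every current assignment being Inactive.
    if current and all(r.attrs.get("Assignment Status") == "Inactive" for r in current):
        deprovisioned |= user.manual_roles
        user.manual_roles = set()
    return provisioned, deprovisioned


def scenario():
    """Hire, future-dated promotion, self-requested role, termination, reversal.
    Returns the (provisioned, deprovisioned) outcome of each step."""
    user = User()
    base = {"System Person Type": "Employee", "Assignment Status": "Active",
            "Business Unit": "Sales", "Manager with Reports": "No"}
    steps = {}
    user.rows.append(AssignmentRow("WR1", date(2024, 1, 1), dict(base)))
    steps["hire"] = reconcile(user, MAPPINGS, date(2024, 1, 1))
    # Promotion entered on 15 January but effective 1 March: nothing changes until March.
    user.rows.append(AssignmentRow("WR1", date(2024, 3, 1), {**base, "Manager with Reports": "Yes"}))
    steps["promotion entered"] = reconcile(user, MAPPINGS, date(2024, 1, 15))
    steps["promotion effective"] = reconcile(user, MAPPINGS, date(2024, 3, 1))
    user.manual_roles.add("Expenses Reporting")   # self-requested, so classed as manual
    # Termination: the only work relationship becomes Inactive and the person a Retiree.
    user.rows.append(AssignmentRow("WR1", date(2024, 7, 1),
                                   {**base, "Assignment Status": "Inactive",
                                    "System Person Type": "Retiree"}))
    steps["termination"] = reconcile(user, MAPPINGS, date(2024, 7, 1))
    # Reversal: the termination row is withdrawn and the pre-termination roles return.
    user.rows.pop()
    steps["reversal"] = reconcile(user, MAPPINGS, date(2024, 7, 2))
    return steps


if __name__ == "__main__":
    for step, (added, removed) in scenario().items():
        print(f"{step}: +{sorted(added)} -{sorted(removed)}")
```

Running the scenario shows the Employee role arriving at hire, the Line Manager role arriving only on 1 March even though the promotion was entered in January, the termination removing both automatic roles and the self-requested Expenses Reporting role while provisioning Retiree, and the reversal restoring Employee and Line Manager and removing Retiree. The self-requested role is not restored by the reversal, which matches the rule above that only roles deprovisioned automatically at termination are reinstated.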

Role Mappings: Explained

User access to data and functions is determined by abstract, job, and data roles, which are provisioned to users either automatically or manually. To enable a role to be provisioned to users, you define a relationship, known as a mapping, between the role and a set of conditions, typically assignment attributes such as department, job, and system person type. In a role mapping, you can select any role stored in the Lightweight Directory Access Protocol (LDAP) directory, including Oracle Fusion Applications predefined roles, roles created in Oracle Identity Management (OIM), and HCM data roles.

The role mapping can support:

Automatic Provisioning of Roles to Users

A role is provisioned to a user automatically if:

For example, for the HCM data role Sales Manager Finance Department, you could select the Autoprovision option and specify the following conditions.

Attribute           Value
Department          Finance Department
Job                 Sales Manager
Assignment Status   Active

The HCM data role Sales Manager Finance Department is provisioned automatically to users with at least one assignment that satisfies all of these conditions.

Automatic role provisioning occurs as soon as the user is confirmed to satisfy the role-mapping conditions, which can be when the user's assignment is either created or updated. The provisioning process also removes automatically provisioned roles from users who no longer satisfy the role-mapping conditions.

Note

The automatic provisioning of roles to users is effectively a request to OIM to provision the role. OIM may reject the request if it violates segregation-of-duties rules or fails a custom OIM approval process.

Manual Provisioning of Roles to Users

Users such as human resource (HR) specialists and line managers can provision roles manually to other users; you create a role mapping to identify roles that can be provisioned in this way.

Users can provision a role to other users if:

For example, for the HCM data role Quality Assurance Team Leader, you could select the Requestable option and specify the following conditions.

Attribute             Value
Manager with Reports  Yes
Assignment Status     Active

Any user with at least one assignment that satisfies both of these conditions can provision the role Quality Assurance Team Leader manually to other users, who are typically direct and indirect reports.

If the provisioning user's assignment subsequently changes, there is no automatic effect on the roles that this user has provisioned to others; the recipients retain manually provisioned roles until either all of their work relationships are terminated or the roles are manually deprovisioned.

Role Requests from Users

Users can request roles when reviewing their own account information; you create a role mapping to identify roles that users can request for themselves.

Users can request a role if:

For example, for the Expenses Reporting role you could select the Self-requestable option and specify the following conditions.

Attribute           Value
Department          ABC Department
System Person Type  Employee
Assignment Status   Active

Any user with at least one assignment that satisfies all of these conditions can request the role. The user acquires the role either immediately or, if approval is required, once the request is approved. Self-requested roles are classified as manually provisioned.

If the user's assignment subsequently changes, there is no automatic effect on self-requested roles. Users retain manually provisioned roles until either all of their work relationships are terminated or the roles are manually deprovisioned.

Immediate Provisioning of Roles

When you create a role mapping, you can apply autoprovisioning from the role mapping itself.

In this case, all assignments and role mappings in the enterprise are reviewed. Roles are:

Immediate autoprovisioning from the role mapping enables bulk automatic provisioning of roles to a group of users who are identified by the role-mapping conditions. For example, if you create a new department after a merger, you can provision relevant roles to all users in the new department by applying autoprovisioning immediately.

To provision roles immediately to a single user, the user's line manager or an HR specialist can autoprovision roles from that user's account.

Role-Mapping Names

The names of role mappings must be unique in the enterprise. You are recommended to devise a naming scheme that reveals the scope of each role mapping. For example:

Name                                    Description
Autoprovisioned Roles Sales Department  Mapping includes all roles provisioned automatically to anyone in the sales department
Benefits Specialist Autoprovisioned     Mapping defines the conditions for autoprovisioning the Benefits Specialist role
Line Manager Requestable Roles          Mapping includes all roles that a line manager can provision manually to direct and indirect reports

Role Mappings: Examples

Roles must be provisioned to users explicitly, either automatically or manually; no role is provisioned to a user by default. This topic provides some examples of typical role mappings to support automatic and manual role provisioning.

Creating a Role Mapping for Employees

You want all employees in your enterprise to have the Employee role automatically when they are hired. In addition, employees must be able to request the Expenses Reporting role when they need to claim expenses. Few employees will need this role, so you decide not to provision it automatically to all employees.

You create a role mapping called All Employees and enter the following conditions.

Attribute           Value
System Person Type  Employee
Assignment Status   Active

In the role mapping you include the:

You could create a similar role mapping for contingent workers called All Contingent Workers, where you would set the system person type to contingent worker.

Note

If the Employee and Contingent Worker roles are provisioned automatically, pending workers acquire them when their periods of employment or placements start. If they need roles before then, you create a separate role mapping for the pending worker system person type.

Creating a Role Mapping for Line Managers

Any type of worker can be a line manager in the sales business unit. You create a role mapping called Line Manager Sales BU and enter the following conditions.

Attribute             Value
Business Unit         Sales
Assignment Status     Active
Manager with Reports  Yes

You include the Line Manager role and select the Autoprovision option. This role mapping ensures that the Line Manager role is provisioned automatically to any worker with at least one assignment that matches the role-mapping conditions.

In the same role mapping, you could include roles that line managers in this business unit can provision manually to other users by selecting the roles and marking them as requestable. Similarly, if line managers can request roles for themselves, you could include those in the same role mapping and mark them as self-requestable.

Creating a Role Mapping for Retirees

Retirees in your enterprise need a limited amount of system access to manage their retirement accounts. You create a role mapping called All Retirees and enter the following conditions.

Attribute           Value
System Person Type  Retiree
Assignment Status   Inactive

You include the locally defined role Retiree in the role mapping and select the Autoprovision option. When at least one of a worker's assignments satisfies the role-mapping conditions, the Retiree role is provisioned to that worker automatically.
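The Autoprovision, Requestable and Self-requestable options described under Role Mappings: Explained decide three different things for a user whose assignment satisfies a mapping's conditions: which roles the user receives automatically, which roles the user may provision manually to other users, and which roles the user may request for themselves. The following Python program is an added example, not code from Oracle or from this guide: it evaluates those three options for the All Employees, Line Manager Sales BU and All Retirees mappings on this page together with the Sales Managers Sales Department mapping from the next example, and checks a manual grant against the grantor's own eligibility. The workers, their attribute values and the Sales Associate job are constructed; the Employee, Expenses Reporting, Line Manager, Retiree, Sales Manager and Sales Associate roles are those named in this chapter.

```python
from dataclasses import dataclass

# Constructed example, not Oracle's code: evaluates the Autoprovision, Requestable and
# Self-requestable options of a role mapping against a user's assignments. Mapping names,
# conditions and roles come from this chapter's examples; the workers are invented.


@dataclass
class MappedRole:
    name: str
    autoprovision: bool = False      # provisioned automatically to qualifying users
    requestable: bool = False        # qualifying users may provision it to other users
    self_requestable: bool = False   # qualifying users may request it for themselves


@dataclass
class RoleMapping:
    name: str
    conditions: dict   # every condition must be met by a single assignment
    roles: list        # MappedRole entries


MAPPINGS = [
    RoleMapping("All Employees",
                {"System Person Type": "Employee", "Assignment Status": "Active"},
                [MappedRole("Employee", autoprovision=True),
                 MappedRole("Expenses Reporting", self_requestable=True)]),
    RoleMapping("Line Manager Sales BU",
                {"Business Unit": "Sales", "Assignment Status": "Active",
                 "Manager with Reports": "Yes"},
                [MappedRole("Line Manager", autoprovision=True)]),
    RoleMapping("All Retirees",
                {"System Person Type": "Retiree", "Assignment Status": "Inactive"},
                [MappedRole("Retiree", autoprovision=True)]),
    RoleMapping("Sales Managers Sales Department",
                {"Department": "Sales", "Job": "Sales manager", "Grade": "6",
                 "Assignment Status": "Active"},
                [MappedRole("Sales Manager", autoprovision=True),
                 MappedRole("Sales Associate", requestable=True)]),
]


def satisfies(assignments, conditions):
    """True when at least one assignment meets all of the mapping's conditions."""
    return any(all(a.get(k) == v for k, v in conditions.items()) for a in assignments)


def evaluate(assignments, mappings=MAPPINGS):
    """Return (auto, grantable, self_requestable): roles provisioned automatically,
    roles this user may provision to others, and roles this user may request."""
    auto, grantable, self_req = set(), set(), set()
    for m in mappings:
        if not satisfies(assignments, m.conditions):
            continue
        for r in m.roles:
            if r.autoprovision:
                auto.add(r.name)
            if r.requestable:
                grantable.add(r.name)
            if r.self_requestable:
                self_req.add(r.name)
    return auto, grantable, self_req


def manual_grant(grantor_assignments, role, mappings=MAPPINGS):
    """A manual grant is allowed only if the grantor satisfies a mapping that marks the
    role as Requestable; the grantee's own assignments play no part in this check."""
    return role in evaluate(grantor_assignments, mappings)[1]


# Constructed workers. Each has one assignment here; a real user may have several.
SALES_MANAGER = [{"System Person Type": "Employee", "Assignment Status": "Active",
                  "Business Unit": "Sales", "Department": "Sales", "Job": "Sales manager",
                  "Grade": "6", "Manager with Reports": "Yes"}]
SALES_ASSOCIATE = [{"System Person Type": "Employee", "Assignment Status": "Active",
                    "Business Unit": "Sales", "Department": "Sales", "Job": "Sales associate",
                    "Grade": "3", "Manager with Reports": "No"}]
# A contingent worker managing a team in the sales business unit: any worker type can be a line manager.
CONTINGENT_LEAD = [{"System Person Type": "Contingent Worker", "Assignment Status": "Active",
                    "Business Unit": "Sales", "Department": "Sales", "Manager with Reports": "Yes"}]


def demo():
    return {
        "sales_manager": evaluate(SALES_MANAGER),
        "sales_associate": evaluate(SALES_ASSOCIATE),
        "contingent_lead": evaluate(CONTINGENT_LEAD),
        # Only the sales manager may hand out Sales Associate; Line Manager is
        # autoprovisioned only, so no one may hand it out manually.
        "manager_grants_associate": manual_grant(SALES_MANAGER, "Sales Associate"),
        "associate_grants_associate": manual_grant(SALES_ASSOCIATE, "Sales Associate"),
        "manager_grants_line_manager": manual_grant(SALES_MANAGER, "Line Manager"),
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, result)
```

The contingent worker case shows why the Line Manager Sales BU mapping deliberately omits a system person type condition: the worker receives Line Manager but, not being an employee, neither receives Employee nor may request Expenses Reporting. The grant checks show that manual provisioning is gated on the grantor's eligibility under a mapping that lists the role as Requestable, not on the role merely existing in some mapping.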

Creating a Role Mapping for Sales Managers

Grade 6 sales managers in the sales department need the Sales Manager role. In addition, sales managers need to be able to provision the Sales Associate role to other workers. You create a role mapping called Sales Managers Sales Department and enter the following conditions.

Attribute           Value
Department          Sales
Job                 Sales manager
Grade               6
Assignment Status   Active

In the role mapping, you include the:

Creating Users and Provisioning Roles for HCM Coexistence: Explained

A user is created automatically for each worker record that you load into Oracle Fusion from your source application. User accounts are created and maintained in a Lightweight Directory Access Protocol (LDAP) directory local to Oracle Fusion by Oracle Identity Management (OIM). You must work with your service provider to configure items such as identity policy and password policy in OIM. Users have a user name and password that are specific to their use of Oracle Fusion applications.

The process for creating users and provisioning roles to them varies according to whether you are performing an initial or incremental data load.

Creating Users and Provisioning Roles for an Initial Data Load

To create users and provision roles to them during the initial data load, you:

  1. Create the role provisioning rules required by your enterprise.

    User access to functions and data is determined entirely by the roles that users have, and roles must be provisioned to users. To manage both automatic and manual provisioning of roles to users, you create role mappings. For example, you create role mappings to provision abstract roles, such as employee and line manager, automatically to all employees and line managers. If you create data roles for particular job roles, you must create role mappings to manage the provisioning of those roles to eligible users. A typical user has multiple roles. To create role mappings, you perform the Manage HCM Role Provisioning Rules task.

    Note

    If your initial data load includes large volumes of person and employment data, you are recommended to perform step 1 (this step) after step 3.

  2. Load person and employment data.

    For the initial data load, you perform the Oracle Fusion Functional Setup Manager task Load HCM Data for Coexistence.

  3. Run the Send Pending LDAP Requests process.

    This process sends bulk requests to OIM to create, suspend, and re-enable user accounts, as appropriate.

  4. Apply autoprovisioning, using the Manage Role Mappings task, to assign all roles with the Autoprovision option selected to eligible workers.

  5. Manually assign roles, as appropriate.

    Roles identified in your role provisioning rules as Requestable can be assigned to other workers by managers and human resource specialists who satisfy the role-mapping conditions. Workers who satisfy the role-mapping conditions can request for themselves the roles identified in your role provisioning rules as Self-requestable.

Creating Users and Provisioning Roles for an Incremental Data Load

When you load person and employment data after the initial data load, the process for managing users and role provisioning is as follows:

  1. Update role provisioning rules, if necessary.

    The role mappings that you created for the initial data load may be sufficient; however, you are recommended to validate the existing mappings and make any changes before you perform an incremental data load.

  2. Load person and employment data using the Load HCM Data task in the Data Exchange work area.

  3. Run the Send Pending LDAP Requests process.

    You can schedule this process to run automatically. For example, you could schedule this process to run daily.

  4. Manually assign requestable roles, as appropriate.

Synchronization of User and Role Information with Oracle Identity Management: How It Is Processed

Oracle Identity Management (OIM) maintains Lightweight Directory Access Protocol (LDAP) user accounts for users of Oracle Fusion Applications. OIM also stores the definitions of abstract, job, and data roles, and holds information about roles provisioned to users.

Most changes to user and role information are shared automatically and instantly by Oracle Fusion Human Capital Management (HCM) and OIM. In addition, two scheduled processes, Send Pending LDAP Requests and Retrieve Latest LDAP Changes, manage information exchange between Oracle Fusion HCM and OIM in some circumstances.

Figure: The two-way relationship between Oracle Fusion HCM and OIM

Settings That Affect Synchronization of User and Role Information

You are recommended to run the Send Pending LDAP Requests process at least daily to ensure that future-dated changes are identified and processed as soon as they take effect. Retrieve Latest LDAP Changes can also run daily, or less frequently if you prefer. For example, if you know that a failure has occurred between OIM and Oracle Fusion HCM, then you can run Retrieve Latest LDAP Changes to ensure that user and role information is synchronized.

When processing bulk requests, the batch size that you specify for the Send Pending LDAP Requests process is the number of requests to be processed in a single batch. For example, if you specify a batch size of 25, 16 batches of requests will be created and processed in parallel if there are 400 requests to be processed.

How Synchronization of User and Role Information Is Managed

Synchronization of most user and role information between Oracle Fusion HCM and OIM occurs automatically. However, when you run Send Pending LDAP Requests to process future-dated or bulk requests, it sends to OIM:

The process Retrieve Latest LDAP Changes sends to Oracle Fusion HCM:

The values of the following person attributes are sent to OIM automatically whenever a person record is created and whenever any of these attributes is subsequently updated.

No personally identifiable information (PII) is sent from Oracle Fusion HCM to OIM.