Applications Customer Data Management Implementation Guide
11g Release 1 (11.1.3)
Part Number E20433-03
This chapter contains the following:
Initial Security Administration: Critical Choices
Initial security administration establishes at least one implementation user. The Installation Super User creates security administrators such as an IT security manager. The IT security manager provisions initial implementation users with sufficient access to set up the enterprise.
Perform the following tasks to establish security administrators and implementation users with appropriate access.
Prepare to create implementation users
Provision the IT Security Manager job role
Create security administrators
Create implementation users
Create implementation project managers
Create implementation users for enterprise structure setup
Provision roles to implementation users
Create a user for Functional Setup Manager environment validation
By default, the IT Security Manager job role is not entitled to manage users and roles in Oracle Identity Manager.
The following procedure provisions the IT Security Manager with roles that carry the entitlement needed for creating implementation users.
Sign in to Oracle Identity Manager (OIM) using the OIM Administrator user name and password.
The default user name of the OIM Administrator is xelsysadm. Your enterprise, however, may have chosen another user name and password for the OIM Administrator. If you do not know the correct user name and password, contact your OIM system administrator. For more information on OIM, see the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition).
Open the IT Security Manager job role's attributes and use the Hierarchy tab to add the System Administrators role in the OIM Roles category using the Add action.
Create one or more users for security administration.
Before creating security administration users, be sure you have performed the Run User and Roles Synchronization Process task.
Sign in to Oracle Fusion Applications using the Installation Super User's user name and password.
The Oracle Fusion Applications installation process creates an Installation Super User account. This super user has broad access to Oracle Fusion Middleware and Oracle Fusion Applications administration. Due to this broad access, your enterprise needs users dedicated to managing users and applications security, such as an IT security manager user.
Perform the Create Implementation Users task. The integrated Oracle Identity Manager pages appear.
Click the Create User task.
For details about User Management Tasks, see the Oracle Fusion Middleware User's Guide for Oracle Identity Manager.
Create an IT security manager or administrator user.
Open the new user's attributes and use the Roles tab to provision the IT Security Manager role using the Assign action.
Implementation project managers are responsible for managing an Oracle Fusion Applications implementation. At least one user must be provisioned with one of the following roles for an Oracle Fusion Applications implementation to begin.
Application Implementation Manager
Application Implementation Consultant
User and user account information is stored in the Lightweight Directory Access Protocol (LDAP) store. An implementation project manager or user does not need to be associated with a person in Human Resources (HR).
Sign in to Oracle Fusion Applications using the IT security manager's or administrator's user name and password.
Create and provision the implementation project manager user by performing the Create Implementation Users task.
Open the new user's attributes and use the Roles tab to provision the following roles using the Assign action.
Application Implementation Manager
Application Implementation Consultant
For additional information about which roles to provision implementation managers with, see the Oracle Fusion Applications Information Technology Management, Implement Applications Guide. See the Oracle Fusion Applications Security Reference Manuals for information about the predefined Oracle Fusion Applications roles.
An implementation user must exist to set up the enterprise in Oracle Fusion Applications.
Sign in to Oracle Fusion Applications using the IT security manager's or security administrator's user name and password.
Create an implementation user by performing the Create Implementation Users task.
Provision the implementation user with the Application Implementation Consultant role.
Create a data role for implementation users that grants access to data in secured objects required for performing HCM setup steps so that the enterprise can be set up with Human Resources (HR) structures.
Perform the Create Data Role for Implementation Users task.
In the Manage HCM Data Roles page, click the Create Data Role icon.
Create a View All data role, such as a "Human Capital Management Application Administrator View All" data role with the Human Capital Management Application Administrator as the base job role.
This data role is based on the Human Capital Management Application Administrator job role and extends that role with unrestricted access to data in the secured objects that the role is authorized to access. Users assigned to this data role can perform all of the HCM setup steps.
Grant access to all data for all the security profiles.
Click Submit in the Review tab.
Provision the implementation user who will set up HCM with this View All data role by performing the Provision Roles to Implementation Users task.
Provision the View All data role only when HCM setup or setup changes are necessary. A View All data role grants broad access to all business units, reference data sets, and so on. Once an implementation user with a View All data role has completed HCM setup, it may be prudent to revoke the role by performing the Revoke Data Role from Implementation Users task. Security setup in other offerings is not data security enabled and does not require a View All data role for enterprise setup. Setup of business units, accounting structures, reference data sets, and so on does not require creation of an HCM administrator data role.
Once the first implementation project begins and the enterprise work structure is set up, use standard user and security management processes such as the Manage Users task to create and manage additional users. Do not use the Create Implementation Users task after your enterprise has been set up. For more information about the Manage Users task, see the Define Security chapter in the Oracle Fusion Applications Common Implementation Guide.
Provision the implementation user with one or more roles by performing the Provision Roles to Implementation Users task.
For example, depending on the implementation, provision the predefined Application Implementation Consultant role or a product family-specific administrator role, such as the predefined Financials Applications Administrator, to implementation users.
Before implementation project managers start to plan and implement Fusion Applications offerings, validate that the Functional Setup Manager (FSM) environment is installed properly. As the Installation Super User, create a user provisioned with the Application Implementation Consultant role.
Once the environment validation tests are complete, revoke the Application Implementation Consultant role from the user if the user's regular duties do not require this entitlement, or remove the user.
For the complete list of privileges carried by the Application Implementation Consultant role entitlement, see the Oracle Fusion Applications Common Security Reference Manual.
For additional information about the predefined Oracle Fusion Applications roles, see the Oracle Fusion Applications Security Reference Manuals.
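Added example, not part of the Oracle guide: the guide advises revoking the View All data role once HCM setup is complete and the Application Implementation Consultant role once environment validation is complete. This Python sketch replays a log of role grants and revokes and lists such roles still held past a review threshold. The CSV layout, user names and dates are constructed assumptions, not an Oracle Identity Manager export format.

```python
import csv
import io
from datetime import date

# Constructed sample: a hypothetical export of role grant/revoke events.
# The column layout is an assumption, not an Oracle Identity Manager format.
SAMPLE_EVENTS = """\
date,action,user,role
2012-03-01,GRANT,it.secmgr,IT Security Manager
2012-03-02,GRANT,impl.hcm,Application Implementation Consultant
2012-03-02,GRANT,impl.hcm,Human Capital Management Application Administrator View All
2012-03-02,GRANT,fsm.validate,Application Implementation Consultant
2012-03-05,REVOKE,fsm.validate,Application Implementation Consultant
2012-03-20,GRANT,impl.fin,Financials Applications Administrator
"""


def is_setup_role(role):
    """Roles the guide describes as broad access to revoke when no longer needed."""
    return role == "Application Implementation Consultant" or role.endswith("View All")


def outstanding_setup_grants(events_csv, as_of, max_days):
    """Replay events up to as_of; return (user, role, age_days) for setup roles
    still held longer than max_days. Findings are review items, not violations."""
    held = {}  # (user, role) -> date of the grant currently in force
    rows = sorted(csv.DictReader(io.StringIO(events_csv)), key=lambda r: r["date"])
    for row in rows:
        when = date.fromisoformat(row["date"])
        if when > as_of:
            continue  # ignore events after the audit date
        key = (row["user"], row["role"])
        if row["action"] == "GRANT":
            held.setdefault(key, when)  # keep the earliest unrevoked grant
        elif row["action"] == "REVOKE":
            held.pop(key, None)
    findings = []
    for (user, role), granted in sorted(held.items()):
        age = (as_of - granted).days
        if is_setup_role(role) and age > max_days:
            findings.append((user, role, age))
    return findings


if __name__ == "__main__":
    for finding in outstanding_setup_grants(SAMPLE_EVENTS, date(2012, 4, 15), 30):
        print("review: %s still holds %r after %d days" % finding)
```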