Oracle Cloud Learning Center


3 Common Applications Configuration: Define Implementation Users

This button toggles the Table of Contents floating window

 

This chapter contains the following:

Initial Security Administration: Critical Choices

Initial Security Administration: Worked Example

Initial Security Administration: Critical Choices

After installation and provisioning, and before setting up enterprise structures and implementing projects, you must establish required entitlement for the super user account and at least one implementation user to proceed with the implementation. Once initial enterprise structure setup is complete, additional users may be created through processes available in Human Capital Management (HCM).

Initial security administration consists of the following.

  • Preparing the IT Security Manager job role

  • Synchronizing users and roles from Lightweight Directory Access Protocol (LDAP) with HCM

  • Creating implementation users

  • Optionally creating data roles for implementation users

  • Provisioning implementation users with roles

Once the first implementation project begins and the enterprise work structure is set up, use standard user and security management processes such as the Manage Users task to create and manage additional users. Do not use the Create Implementation Users task after your enterprise has been set up.

Preparing the IT Security Manager Job Role

Initially the super user is not provisioned to manage users and roles.

You must add the following Oracle Identity Management (OIM) roles to the IT Security Manager job role's role hierarchy to enable the super user to create one or more initial implementation users.

  • Identity User Administrators

  • Role Administrators

Additionally, you must assign the Xellerate Users organization to the IT Security Manager role.

Synchronizing Users and Roles from LDAP

After configuring an offering and setting up the task lists for implementation, the Run User and Roles Synchronization Process task is available to the super user for synchronizing users and roles in the LDAP store with Oracle Fusion Human Capital Management (HCM).

Defining Initial Implementation Users

The super user is provisioned with roles that provide broad access to Oracle Fusion Middleware and Oracle Fusion Applications administration, and is not suitable as an implementation user in most enterprises. The super user should define at least one implementation user, which consists of creating the user account and provisioning it with at least the Application Implementation Consultant and Application Implementation Manager job roles.

As a security guideline, define an IT security manager user who in turn defines one or more implementation users to set up enterprise structures. The IT security manager users can provision the implementation user with the Application Implementation Consultant role, which entitles access to all enterprise structures. Or the IT security manager can create a data role that restricts access to enterprise structures of a specific product and provisioning that role.

Depending on the size of your implementation team, you may only need a single implementation user for security administration, implementation project management, enterprise structures setup, and application implementation. That single user must then be provisioned with all indicated roles, and therefore broad access.

Creating Implementation Users

The super user creates one or more implementation users by performing the Create Implementation Users task.

Note

This initial implementation user is a user account created in Oracle Identity Management only, specifically for setting up enterprise structures, and is not related to a real person or identity such as a user defined in HCM.

Creating Data Roles for Implementation Users

As an alternative to provisioning an implementation user with the Application Implementation Consultant role to access all enterprise structures, you may need implementation users with access restricted to enterprise structures for specific products. In this case, use the Create Data Roles for Implementation Users task to create a data role based on a job role with less broad access, such as the HCM Application Administrator job role.

Provisioning Roles to Implementation Users

After creating an implementation user, you must provision the user with one or more roles by performing the Provision Roles to Implementation Users task.

For example, assign a role to the implementation user that provides the access necessary for setting up the enterprise. Depending on need, provision to the implementation user the predefined Applications Implementation Consultant role or a product family-specific administrator data role, such as a data role based on the predefined Financials Applications Administrator.

Caution

The Application Implementation Consultant has broad access. It is a very useful role for experimentation or setting up a pilot environment, but may not be suitable for implementation users in a full implementation project.

Initial Security Administration: Worked Example

This example illustrates initial security administration after having installed and provisioned an Oracle Fusion Applications environment.

In Oracle Fusion Applications, you manage users and security through Oracle Fusion Human Capital Management (HCM) user management flows, which are included in each of the offering task lists. However, the HCM task flows require that enterprise structures have been set up, and yet to add users who can set up enterprise structures you need to have set up HCM. Therefore, you need to create one or more initial implementation users who are responsible for providing the following.

  • Users and their applications security management

  • Implementation project management

  • Initial enterprise structures management

The following table summarizes key decisions for this scenario.


Decision

In this Example

How to sign in to Oracle Fusion Applications for the first time

Use the super user account that was created when installing and provisioning Oracle Fusion Applications (for example, FAADMIN).

How to ensure that the roles and users in the Lightweight Directory Access Protocol (LDAP) store match what is available for selection when defining implementation users

Perform the Run User and Roles Synchronization Process task.

How to create a first implementation user

Prepare the IT Security Manager job role for user and role management so the super user and any other user provisioned with the IT Security Manager job role can manage users and roles.

How to establish security administration users

Define an IT security manager user provisioned with the IT Security Manager job role.

How to establish an implementation user with access to set up enterprise structures

Define an implementation user provisioned with the Application Implementation Consultant job role.

You create an initial implementation user by performing the following tasks.

  1. The Oracle Identity Management System Administrator user provisions the IT Security Manager job role with roles for user and role management.

  2. The Oracle Fusion Applications super user synchronizes LDAP users with HCM user management so that users can be provisioned with roles through HCM.

  3. The Oracle Fusion Applications super user performs the Create Implementation Users task to create one or more IT security manager and administrator users provisioned with security administrative entitlement.

  4. The IT Security Manager user signs in to Oracle Fusion Applications and performs the Create Implementation Users task to create implementation managers and users.

  5. The IT Security Manager user provisions implementation users for enterprise structure setup.

Note

The following tasks assume that the super user has configured an offering and set up task lists. When not following a task flow within an activity, you can find tasks in Navigator > Tools > Setup and Maintenance > All Tasks. Search for the task and click its Go to Task icon in the search results.

Preparing the IT Security Manager Role

The super user that was created when installing and provisioning Oracle Fusion Applications (for example, FAADMIN), or the initial administrator user provided by Oracle for Oracle Cloud Application Services, has all necessary access for implementing Oracle Fusion Applications and administering security. This access is provided by the following roles:

  • Application Implementation Consultant

  • IT Security Manager

Neither of these roles provides access needed for creating and managing Oracle Fusion Applications users. Therefore, you must add the following two OIM roles to the IT Security Manager role:

  • Identity User Administrators

  • Role Administrators

The following procedure is prerequisite to an IT security manager or administrator creating an initial one or more implementation users.

  1. While signed into Oracle Identity Manager as the OIM System Administrator user, click the Administration link in the upper right of the Oracle Identity Manager.

    This accesses the Welcome to Identity Manager Delegated Administration menu.

  2. In the Roles list of tasks, click Advanced Search - Roles. Search for the Identity Users Administrators role by entering the role name in Display Name and clicking Search.

    In the Search Results, click the role's Display Name.

  3. On the Hierarchy tab, select Inherits From and click Add.
  4. In the Add Parent Role to: IDENTITY USER ADMINISTRATORS window, select the role category: Common - Job Roles and add the IT Security Manager.

    Click the arrow icon to show the list of available roles. Select IT Security Manager and move it to the Roles to Add list. Click Save.

  5. Search for the Role Administrators role, and repeat steps 1 to 4 to add that role to the IT Security Manager role's role inheritance.
  6. Assign the IT Security Manager role to the Xellerate Users organization.
    1. In the Welcome to Identity Manager Delegated Administration menu (see step 1, above), in the Organizations list of tasks, click Advanced Search - Organizations.

    2. Search for the Xellerate Users organization by entering Xellerate Users in Display Name and clicking Search.

    3. In the Search Results, click the organization's Display Name. The Xellerate Users page appears.

    4. Click the Administrative Roles link in the row of links above the Xellerate Users.

    5. In Filter By Role Name of the Details window, enter the following string:

      *IT_SECURITY_MANAGER*

      Click Find.

    6. Enable Read, Write, Delete, and Assign.

    7. Click Assign.

    8. Click Confirm.

Synchronizing Users and Roles from LDAP

Lightweight Directory Access Protocol (LDAP) must be synchronized with HCM user management so that users can be provisioned with roles through HCM.

  1. Sign in to Oracle Fusion Applications using the super user's user name (for example FAADMIN) and password.

    If you do not know the super user name and password, check with your system administrator or the person who installed Oracle Fusion Applications. For more information about account creation in Oracle Fusion Applications provisioning, see the Oracle Fusion Applications Installation Guide.

  2. Perform the Run User and Roles Synchronization Process task by clicking Submit in the Process Details page.

    The Retrieve Latest LDAP Changes process takes some time to complete the first time it is run.

  3. Monitor completion of the Retrieve Latest LDAP Changes process from Navigator > Tools > Scheduled Processes before continuing with creating implementation users.

Defining an IT Security Manager User

The super user has broad access to Oracle Fusion Middleware and Oracle Fusion Applications administration. Due to this broad access, your enterprise needs users dedicated to managing users and applications security, such as an IT security manager user.

  1. While signed in as the Oracle Fusion Applications super user, access the Create Implementation Users task and create an IT security manager.

    The Oracle Identity Manager appears.

  2. Click Create User.

    For details, see the Creating Users section in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager.

  3. Provide the following attributes:

    Attribute

    Value

    Example

    Last name

    <any valid string>

    Smith

    Organization

    Xellerate Users

    N/A

    User type

    Non Worker

    N/A

    User login

    <any valid string>

    IT_SECURITY_MANAGER

    Login password

    <any valid string>

    SeKur1TyPa$$w0Rd

    Note

    In Oracle Fusion Applications, an implementation user is a user account created in OIM only, specifically for implementation tasks, and is not related to a real person or identity such as a user defined in HCM.

  4. Click Save.
  5. On the Roles tab in the IT_SECURITY_MANAGER user creation task flow, click Assign.
  6. In the Add Role window, search for the IT Security Manager role and click Add.

Defining an Implementation User for Enterprise Structures Setup

  1. Sign in to Oracle Fusion Applications using the IT security manager user's name and password.
  2. Create and provision an implementation user using the same task flow as for creating the IT security manager user in the previous section, except provision the following roles.
    • Application Implementation Manager

    • Application Implementation Consultant

    Note

    For an implementation to begin, at least one user must be provisioned with the Application Implementation Manager role, and another or the same user must be provisioned with the Application Implementation Consultant role. The Application Implementation Consultant has broad access to set up all enterprise structures.


Previous Page Next Page

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices