6 Creating and Managing Application Users

This chapter contains the following:

Creating Users

Create Users

During implementation, you can use the Create User task to create test application users. By default, this task creates a minimal person record and a user account. After implementation, you should use the Hire an Employee task to create application users. The Create User task isn't recommended after implementation is complete. This topic describes how to create a test user using the Create User task.

Sign in and follow these steps:

  1. Select Navigator > My Team > Users and Roles to open the Search Person page.

  2. In the Search Results section, click the Create icon.

    The Create User page opens.

Completing Personal Details

  1. Enter the user's name.

  2. In the E-Mail field, enter the user's primary work e-mail.

  3. In the Hire Date field, enter the hire date for a worker. For other types of users, enter a user start date. You can't edit this date after you create the user.

Completing User Details

You can enter a user name for the user. If you leave the User Name field blank, then the user name follows the enterprise default user-name format.

Setting User Notification Preferences

The Send user name and password option controls whether a notification containing the new user's sign-in details is sent when the account is created. This option is enabled only if notifications are enabled on the Security Console and an appropriate notification template exists. For example, if the predefined notification template New Account Template is enabled, then a notification is sent to the new user. If you deselect this option, then you can send the e-mail later by running the Send User Name and Password E-Mail Notifications process. An appropriate notification template must be enabled at that time.

Completing Employment Information

  1. Select a Person Type value.

  2. Select Legal Employer and Business Unit values.

Adding Roles

  1. Click Autoprovision Roles. Any roles for which the user qualifies automatically, based on the information that you have entered so far, appear in the Role Requests table.

  2. To provision a role manually to the user, click Add Role. The Add Role dialog box opens.

  3. Search for and select the role. The role must appear in a role mapping for which you satisfy the role-mapping conditions and where the Requestable option is selected for the role.

    The role appears in the Role Requests region with the status Add requested. The role request is created when you click Save and Close.

    Repeat steps 2 and 3 for additional roles.

  4. Click Save and Close.

  5. Click Done.

You can import workers from legacy applications to Oracle Fusion Applications using the Import Worker Users task. You can access this task from the Setup and Maintenance work area. By enabling you to bulk-load existing data, this task is an efficient way of creating and enabling users of Oracle Fusion Applications.

The Import Worker Users Process

Importing worker users is a two-stage process:

  1. When you perform the Import Worker Users task, the Initiate Spreadsheet Load page opens. On the Initiate Spreadsheet Load page, you generate and complete the Create Worker spreadsheet. You must map your data to the spreadsheet columns and provide all required attributes. Once the spreadsheet is complete, you click Upload in the spreadsheet to import the data to the Load Batch Data stage tables.

  2. As the upload process imports valid data rows to the Load Batch Data stage tables, the Load Batch Data process runs automatically. Load Batch Data is a generic utility for loading data to Oracle Fusion Human Capital Management from external sources. This process loads data from the Load Batch Data stage tables to the Oracle Fusion application tables.

User-Account Creation

The application creates Oracle Fusion user accounts automatically for imported workers.

By default, user account names and passwords are sent automatically to users when their accounts are created. This default action may have been changed at enterprise level, as follows:

  • You can disable notifications for all user life cycle events.

  • You can disable notifications for the New User Created and New Account Create Manager events.

Role Provisioning

Once user accounts exist, roles are provisioned to users automatically in accordance with current role-provisioning rules. For example, current rules could provision the employee abstract role to every worker. Role provisioning occurs automatically and cannot be disabled for the enterprise.

Import Users in Bulk Using a Spreadsheet

This example shows how to import worker users from legacy applications to Oracle Fusion Applications.

The following table summarizes key decisions for this task.

Decisions to Consider In This Example

What's my spreadsheet name?

You can define your own naming convention. In this example, the name is selected to make identifying the spreadsheet contents easy.

WorkersMMDDYYBatchnn.xlsx

For example, Workers042713Batch01.xlsx.

What's my batch name?

You can define your own batch name, which must be unique.

Workers042713Batchnn

Summary of the Tasks

Import worker users by:

  1. Selecting the Import Worker Users task

  2. Creating the spreadsheet

  3. Entering worker data in the spreadsheet

  4. Importing worker data and correcting import errors

  5. Reviewing and correcting load errors

Prerequisites

Before you can complete this task, you must have:

  1. Installed the desktop client Oracle ADF Desktop Integration Add-in for Excel

  2. Enabled the Trust Center setting Trust access to the VBA project object model in Microsoft Excel

Selecting the Import Worker Users Task

  1. On the Overview page of the Setup and Maintenance work area, click the All Tasks tab.

  2. In the Search region, complete the fields as shown in this table.

    Field Name

    Search

    Task

    Name

    Import Worker Users

  3. Click Search.

  4. In the search results, click Go to Task for the task Import Worker Users.

    The Initiate Spreadsheet Load page opens.

    Alternatively, you can select the Import Worker Users task from an implementation project.

Creating the Spreadsheet

  1. On the Initiate Spreadsheet Load page, find the entry for Create Worker in the list of business objects.

    Create Worker appears after other business objects such as departments, locations, and jobs. You must create those business objects before worker users, regardless of how you create them.

  2. Click Create Spreadsheet for the Create Worker entry.

  3. When prompted, save the spreadsheet locally using the name Workers042713Batch01.xlsx.

  4. When prompted, sign in to Oracle Fusion Applications using your Oracle Fusion user name and password.

Entering Worker Data in the Spreadsheet

  1. In the Batch Name field of the spreadsheet Workers042713Batch01.xlsx, replace the default batch name with the batch name Workers042713Batch01.

  2. If your data includes flexfields, then click Configure Flexfield to configure flexfield data. Otherwise, go to step 5 of this task.

  3. In the Configure Flexfield window, select an attribute value and click OK.

  4. See the Flexfields Reference tab for information about the configured flexfield.

  5. Enter worker data in the spreadsheet.

    Ensure that you provide any required values and follow instructions in the spreadsheet for creating rows.

Importing Worker Data and Correcting Import Errors

Use the default values except where indicated.

  1. In the workers spreadsheet, click Upload.

  2. In the Upload Options window, click OK.

    As each row of data uploads to the Load Batch Data stage tables, its status updates.

  3. When uploading completes, identify any spreadsheet rows with the status Insert Failed, which indicates that the row didn't import to the stage tables.

  4. For any row that failed, double-click the status value to display a description of the error.

  5. Correct any import errors and click Upload again to import the remaining rows to the same batch.

    As rows import successfully to the stage tables, the data loads automatically to the application tables.

Reviewing and Correcting Load Errors

  1. In the spreadsheet, click Refresh to display the latest load status.

    Any errors that occur during the load process appear in the spreadsheet.

  2. Correct any load errors in the spreadsheet.

  3. Repeat this process from Importing Worker Data and Correcting Import Errors until all spreadsheet rows both import and load successfully.

  4. Close the spreadsheet.

    To load a second batch of worker users on the same date, increment the batch number in the spreadsheet and batch names (for example, Workers042713Batch02).

Inactive Users Report

Run the Inactive Users Report process to identify users who haven't signed in for a specified period.

To run the report:

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. Search for and select the Import User Login History process.

    Note: Whenever you run the Inactive Users Report process, you must first run the Import User Login History process. This process imports information that the Inactive Users Report process uses to identify inactive users. You're recommended to schedule Import User Login History to run daily.

  3. When the Import User Login History process completes, search for and select the Inactive Users Report process.

  4. In the Process Details dialog box, set parameters to identify one or more users.

  5. Click Submit.

Inactive Users Report Parameters

All parameters except Days Since Last Activity are optional.

User Name Begins With

Enter one or more characters.

First Name Begins With

Enter one or more characters.

Last Name Begins With

Enter one or more characters.

Department

Enter the department from the user's primary assignment.

Location

Enter the location from the user's primary assignment.

Days Since Last Activity

Enter the number of days since the user last signed in. Use this parameter to specify the meaning of the term inactive user in your enterprise. Use other parameters to filter the results.

This value is required and is 30 by default. This value identifies users who haven't signed in during the last 30 or more days.

Last Activity Start Date

Specify the start date of a period in which the last activity must fall.

Last Activity End Date

Specify the end date of a period in which the last activity must fall.

Viewing the Report

The process produces an Inactive_Users_List_processID.xml file and a Diagnostics_processID.zip file.

The report includes the following details for each user who satisfies the report parameters:

  • Number of days since the user was last active

  • Date of last activity

  • User name

  • First and last names

  • Assignment department

  • Assignment location

  • City and country

  • Report time stamp

Note: The information in the report relating to the user's latest activity isn't based solely on actions performed by the user in the UI. Actions performed on behalf of the user, which create user sessions, also affect these values. For example, running processes, making web service requests, and running batch processes are interpreted as user activity.

Managing Users

Manage User Accounts

Human resource specialists (HR specialists) can manage user accounts for users whose records they can access. This topic describes how to update a user account.

To access the user account page for a person:

  1. Open the Person Management work area.

  2. On the Search Person page, search for the person whose account you're updating.

  3. In the search results, select the person and select Actions > Personal and Employment > Manage User Account. The Manage User Account page opens.

Manage User Roles

To add a role:

  1. Click Add Role.

    The Add Role dialog box opens.

  2. In the Role Name field, search for the role that you want to add.

  3. In the search results, select the role and click OK.

    The role appears in the Role Requests region with the status Add Requested.

  4. Click Save.

To remove a role from any section of this page:

  1. Select the role and click Remove.

  2. In the Warning dialog box, click Yes to continue.

  3. Click Save.

Clicking Save sends requests to add or remove roles to your LDAP directory server. Requests appear in the Role Requests in the Last 30 Days section. Once provisioned, roles appear in the Current Roles section.

To update a user's roles automatically, select Actions > Autoprovision Roles. This action applies to roles for which the Autoprovision option is selected in all current role mappings. The user immediately:

  • Acquires any role for which he or she qualifies but doesn't currently have

  • Loses any role for which he or she no longer qualifies

You're recommended to autoprovision roles for individual users if you know that additional or updated role mappings exist that affect those users.

Copy Personal Data to LDAP

By default, changes to personal data, such as person name and phone, are copied to your LDAP directory periodically. To copy any changes immediately:

  1. Select Actions > Copy Personal Data to LDAP.

  2. In the Copy Personal Data to LDAP dialog box, click Overwrite LDAP.

Reset Passwords

To reset a user's password:

  1. Select Actions > Reset Password.

  2. In the Warning dialog box, click Yes to continue.

    This action sends a notification containing a reset-password link to the user's work email.

    Note: A notification template for the password-reset event must exist and be enabled for the user's user category. Otherwise, no notification is sent.

Edit User Names

To edit a user name:

  1. Select Actions > Edit User Name.

  2. In the Update User Name dialog box, enter the user name and click OK. The maximum length of the user name is 80 characters.

  3. Click Save.

This action sends the updated user name to your LDAP directory. Once the request is processed, the user can sign in using the updated name. As the user receives no automatic notification of the change, you're recommended to send the details to the user.

Tip: Users can add roles, autoprovision roles, and copy their personal data to LDAP by selecting Navigator > Me > Roles and Delegations. Line managers can add, remove, and autoprovision roles and copy personal data to LDAP for their reports from the Directory or by selecting Navigator > My Team > Users and Roles.

By default, user names are generated automatically in the format specified for the default user category when you create a person record. Users who have the human resource specialist (HR specialist) role can change user names for existing HCM users whose records they can access. This topic describes the automatic generation of user names and explains how to change an existing user name.

User Names When Creating Users

You create an HCM user by selecting a task, such as Hire an Employee, in the New Person work area. The user name is generated automatically in the format specified for the default user category. This table summarizes the effects of the available formats for Oracle HCM Cloud users.

User-Name Format Description

Email

The worker's work email is the user name. If you don't enter the work email when hiring the worker, then it can be entered later on the Security Console. This format is used by default. A different default format can be selected on the Security Console.

FirstName.LastName

The user name is the worker's first and last names separated by a single period.

FLastName

The user name is the worker's last name prefixed with the initial of the worker's first name.

Person number

If your enterprise uses manual numbering, then any number that you enter becomes the user name. Otherwise, the number is generated automatically and you can't edit it. The automatically generated number becomes the user name.

Note: If the default user-name rule fails, then a system user name can be generated. The option to generate a system user name is enabled by default but can be disabled on the Security Console.

Existing User Names

HR specialists can change an existing user name on the Manage User Account page.

To change a worker's user name:

  1. Search for and select the worker in the Person Management work area.

  2. For the selected worker, select Actions > Personal and Employment > Manage User Account.

  3. On the Manage User Account page, select Actions > Edit User Name.

The updated name, which can be in any format, is sent automatically to your LDAP directory server. The maximum length of the user name is 80 characters.

Tip: When you change an existing user name, the user's password and roles remain the same. However, the user receives no automatic notification of the change. Therefore, you're recommended to send details of the updated user name to the user.

Why You Send Personal Data to LDAP

User accounts for users of Oracle Fusion Applications are maintained on your LDAP directory server. By default, Oracle HCM Cloud sends some personal information about users to the LDAP directory. This information includes the person number, person name, phone, and manager of the person's primary assignment. HCM Cloud shares these details to ensure that user-account information matches the information about users in HCM Cloud.

This topic describes how and when you can send personal information explicitly to your LDAP directory.

Bulk Creation of Users

After loading person records using HCM Data Loader, for example, you run the Send Pending LDAP Requests process. This process sends bulk requests for user accounts to the LDAP directory.

When you load person records in bulk, the order in which they're created is undefined. Therefore, a person's record may exist before the record for his or her manager. In such cases, the Send Pending LDAP Requests process includes no manager details for the person in the user-account request. The LDAP directory information therefore differs from the information that HCM Cloud holds for the person. To correct any differences between these versions of personal details, you run the Send Personal Data for Multiple Users to LDAP process.

The Send Personal Data for Multiple Users to LDAP Process

Send Personal Data for Multiple Users to LDAP updates the LDAP directory information to match information held by HCM Cloud. You run the process for either all users or changed users only, as described in this table.

User Population Description

All users

The process sends personal details for all users to the LDAP directory, regardless of whether they have changed since personal details were last sent.

Changed users only

The process sends only personal details that have changed since details were last sent to the LDAP directory (regardless of how they were sent). This option is the default setting.

Note: If User Account Maintenance is set to No for the enterprise, then the process doesn't run.

The process doesn't apply to party users.

You must have the Human Capital Management Application Administrator job role to run this process.

The Copy Personal Data to LDAP Action

Users can copy their own personal data to the LDAP directory from the Manage User Account page. Human resource specialists and line managers can also perform this action for users whose records they can access. By default, personal data changes are copied periodically to the LDAP directory. However, this action is available for copying changes immediately, if necessary.

This topic describes the Process User Account Request action, which may appear on the Manage User Account page for users who have no user account.

The Process User Account Request Action

The Process User Account Request action is available when the status of the worker's user account is either Requested or Failed. These values indicate that the account request hasn't completed.

Selecting this action submits the request again. Once the request completes successfully, the account becomes available to the user. Depending on your enterprise setup, the user may receive an email containing the user name and password.

Role Provisioning

Any roles that the user will have appear in the Roles section of the Manage User Account page. You can add or remove roles before selecting the Process User Account Request action. If you make changes to roles, then you must click Save.

The Send Pending LDAP Requests Process

The Process User Account Request action has the same effect as the Send Pending LDAP Requests process. If Send Pending LDAP Requests runs automatically at intervals, then you can wait for that process to run if you prefer. Using the Process User Account Request action, you can submit user-account requests immediately for individual workers.

How User Accounts Are Suspended

By default, user accounts are suspended automatically when a user has no roles. This automatic suspension of user accounts is controlled by the User Account Maintenance enterprise option. Human resource (HR) specialists can also suspend a user account manually, if necessary. This topic describes how automatic account suspension and reactivation occur. It also explains how to suspend a user account manually.

Automatic Suspension of User Accounts

When you terminate a work relationship:

  • The user loses any automatically provisioned roles for which he or she no longer qualifies. This deprovisioning is automatic.

  • If the user has no other active work relationships, then the user also loses manually provisioned roles. These are:

    • Roles that he or she requested

    • Roles that another user, such as a line manager, provisioned to the user

    If the user has other, active work relationships, then he or she keeps any manually provisioned roles.

When terminating a work relationship, you specify whether the user is to lose roles on the termination date or on the day following termination.

A terminated worker's user account is suspended automatically at termination only if he or she has no roles. Users can acquire roles automatically at termination, if an appropriate role mapping exists. In this case, the user account remains active.

Automatic Reactivation of User Accounts

User accounts are reactivated automatically when you reverse a termination or rehire a worker. If you reverse the termination of a work relationship, then:

  • The user regains any role that he or she lost automatically at termination. For example, if the user automatically lost roles that had been provisioned manually, then those roles are reinstated.

    Note: If you removed any roles from the user manually at termination, then you must restore them to the user manually, if required.

  • The user loses any role that he or she acquired automatically at termination.

  • If the user account was suspended automatically at termination, then it's automatically reactivated.

The autoprovisioning process runs automatically when you reverse a termination. Therefore, the user's roles are updated automatically as specified by current role mappings.

When you rehire a worker, the user account is reactivated automatically and roles are provisioned automatically as specified by current role mappings. In all other cases, you must reactivate suspended user accounts manually on the Edit User page.

Tip: Authorized users can also manage user account status directly on the Security Console.
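The termination and reversal rules described above, modeled as an added Python example (not Oracle code and not part of the original documentation). The role names, the status and person_type attribute keys, and all sample data are constructed assumptions; the final check lists accounts that stay active with roles after every work relationship has been terminated.

```python
from dataclasses import dataclass, field


@dataclass
class RoleMapping:
    role: str
    conditions: dict              # assignment attributes that must all match
    autoprovision: bool = False

    def matches(self, assignment):
        return all(assignment.get(k) == v for k, v in self.conditions.items())


@dataclass
class User:
    name: str
    assignments: list             # one attribute dict per work relationship
    auto_roles: set = field(default_factory=set)
    manual_roles: set = field(default_factory=set)
    active: bool = True
    auto_suspended: bool = False
    lost_at_termination: set = field(default_factory=set)

    @property
    def roles(self):
        return self.auto_roles | self.manual_roles

    def has_active_relationship(self):
        return any(a["status"] == "ACTIVE" for a in self.assignments)


def autoprovision(user, mappings):
    """Recompute autoprovisioned roles from the current role mappings."""
    user.auto_roles = {m.role for m in mappings if m.autoprovision
                       and any(m.matches(a) for a in user.assignments)}


def terminate(user, index, mappings):
    """Terminate one work relationship, then apply the rules in the text."""
    user.assignments[index]["status"] = "INACTIVE"
    autoprovision(user, mappings)          # drops stale roles, may add new ones
    if not user.has_active_relationship():
        # No other active work relationship: manually provisioned roles go too.
        user.lost_at_termination = set(user.manual_roles)
        user.manual_roles = set()
    if not user.roles:                     # suspended only if no roles remain
        user.active, user.auto_suspended = False, True


def reverse_termination(user, index, mappings):
    """Undo a termination: restore auto-lost roles and reactivate if needed."""
    user.assignments[index]["status"] = "ACTIVE"
    user.manual_roles |= user.lost_at_termination
    user.lost_at_termination = set()
    autoprovision(user, mappings)          # also removes roles gained at termination
    if user.auto_suspended:
        user.active, user.auto_suspended = True, False


def terminated_but_active(users):
    """Audit check: active accounts with roles and no active work relationship."""
    return {u.name: sorted(u.roles) for u in users
            if u.active and u.roles and not u.has_active_relationship()}


# Constructed sample data: role names and attribute keys are hypothetical.
BASE = [RoleMapping("Employee", {"status": "ACTIVE", "person_type": "Employee"},
                    autoprovision=True)]
WITH_ALUMNI = BASE + [RoleMapping("Alumni Self-Service", {"status": "INACTIVE"},
                                  autoprovision=True)]


def sample_user(name, mappings, relationships=1):
    user = User(name, [{"status": "ACTIVE", "person_type": "Employee"}
                       for _ in range(relationships)],
                manual_roles={"Expense Approver"})
    autoprovision(user, mappings)
    return user


if __name__ == "__main__":
    a = sample_user("a.single", BASE)
    b = sample_user("b.alumni", WITH_ALUMNI)
    c = sample_user("c.dual", BASE, relationships=2)
    terminate(a, 0, BASE)
    terminate(b, 0, WITH_ALUMNI)
    terminate(c, 0, BASE)
    for u in (a, b, c):
        print(u.name, "active" if u.active else "suspended", sorted(u.roles))
    print("review:", terminated_but_active([a, b, c]))
```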

Manual Suspension of User Accounts

To suspend a user account manually, HR specialists follow these steps:

  1. Select Navigator > My Team > Users and Roles.

  2. Search for and select the user to open the Edit User page.

  3. In the User Details section of the Edit User page, set the Active value to Inactive. You can reactivate the account by setting the Active value back to Active.

  4. Click Save and Close.

Note: Role provisioning isn't affected by the manual suspension and reactivation of user accounts. For example, when you reactivate a user account manually, the user's autoprovisioned roles aren't updated unless you click Autoprovision Roles on the Edit User page. Similarly, a suspended user account isn't reactivated when you click Autoprovision Roles. You must explicitly reactivate the user account first.

IT security managers can lock user accounts on the Security Console. Locking a user account on the Security Console or setting it to Inactive on the Edit User page prevents the user from signing in.

User Details System Extract Report Parameters

The Oracle BI Publisher User Details System Extract Report includes details of Oracle Fusion Applications user accounts. This topic describes the report parameters. Run the report in the Reports and Analytics work area.

Parameters

User Population

Enter one of the values shown in this table to identify user accounts to include in the report.

Value Description

HCM

User accounts with an associated HCM person record.

TCA

User accounts with an associated party record.

LDAP

Accounts for users in the PER_USERS table who have no person number or party ID. Implementation users are in this category.

ALL

HCM, TCA, and LDAP user accounts.

From Date

Accounts for HCM and LDAP users that exist on or after this date appear in the report. If you specify no From Date value, then the report includes accounts with any creation date, subject only to any To Date value.

From and to dates don't apply to the TCA user population. The report includes all TCA users if you include them in the report's user population.

To Date

Accounts for HCM and LDAP users that exist on or before this date appear in the report. If you specify no To Date value, then the report includes accounts with any creation date, subject only to any From Date value.

From and to dates don't apply to the TCA user population. The report includes all TCA users if you include them in the report's user population.

User Active Status

Enter one of the values shown in this table to identify the user-account status.

Value Description

A

Include active accounts, which belong to users with current roles.

I

Include inactive accounts, which belong to users with no current roles.

All

Include both active and inactive user accounts.

User Details System Extract Report

The Oracle BI Publisher User Details System Extract Report includes details of Oracle Fusion Applications user accounts. This topic describes the report contents.

Run the report in the Reports and Analytics work area.

Report Results

The report is an XML-formatted file where user accounts are grouped by type, as follows:

  • Group 1 (G_1) includes HCM user accounts.

  • Group 2 (G_2) includes TCA party user accounts.

  • Group 3 (G_3) includes LDAP user accounts.

The information in the extract varies with the account type.

HCM User Accounts

Business Unit Name

The business unit from the primary work relationship.

Composite Last Update Date

The date when any one of a number of values, including assignment managers, location, job, and person type, was last updated.

Department

The department from the primary assignment.

Worker Type

The worker type from the user's primary work relationship.

Generation Qualifier

The user's name suffix (for example, Jr., Sr., or III).

Hire Date

The enterprise hire date.

Role Name

A list of roles currently provisioned to workers whose work relationships are all terminated. This value appears for active user accounts only.

Title

The job title from the user's primary assignment.

TCA User Accounts

Organizations

A resource group.

Roles

A list of job, abstract, and data roles provisioned to the user.

Managers

The manager of a resource group.

LDAP User Accounts

Start Date

The account's start date.

Created By

The user name of the user who created the account.

FAQs for Creating and Managing Application Users

User names are generated automatically in the format specified on the Security Console for the user category. The default format is the worker's primary work email, but this value can be overridden for each user category. For example, your enterprise may use person number as the default user name for the default user category.

Why did some roles appear automatically?

In a role mapping:

  • The conditions specified for the role match the user's assignment attributes, such as job.

  • The role has the Autoprovision option selected.

How can I create a user?

If you want to create application users, access the Manage Users task. When the Search Person page appears, click the New icon in the Search Results grid. The Create User page appears for you to fill in and save.

If you use the HCM pages to upload workers, hire employees, or add contingent workers, you also automatically create application users and identities.

When you create a new user, it automatically triggers role provisioning requests based on role provisioning rules.

The role-provisioning process reviews the user's assignments against all current role mappings.

The user immediately:

  • Acquires any role for which he or she qualifies but doesn't have

  • Loses any role for which he or she no longer qualifies

You're recommended to autoprovision roles to individual users on the Manage User Account page when new or changed role mappings exist. Otherwise, no automatic updating of roles occurs until you next update the user's assignments.

Why is the user losing roles automatically?

The user acquired these roles automatically based on his or her assignment information. Changes to the user's assignments mean that the user is no longer eligible for these roles. Therefore, the roles no longer appear.

If a deprovisioned role is one that you can provision manually to users, then you can reassign the role to the user, if appropriate.

You can provision a role if a role mapping exists for the role, the Requestable option is selected for the role in the role mapping, and at least one of your assignments satisfies the role-mapping conditions. Otherwise, you can't provision the role to other users.

The user loses the access to functions and data that the removed role was providing exclusively. The user becomes aware of the change when he or she next signs in.

If the user acquired the role automatically, then future updates to the user's assignments may mean that the user acquires the role again.

The updated user name is sent to your LDAP directory for processing when you click Save on the Manage User Account or Edit User page. The account status remains Active, and the user's roles and password are unaffected. As the user isn't notified automatically of the change, you're recommended to notify the user.

Only human resource specialists can edit user names.

The user name and password go to the work email of the user or user's line manager, if any. Notification templates for this event must exist and be enabled.

You can send these details once only for any user. If you deselect this option on the Manage User Account or Create User page, then you can send the details later. To do this, run the Send User Name and Password Email Notifications process.

A notification containing a reset-password link is sent to the user's work email. If the user has no work email, then the notification is sent to the user's line manager. Notification templates for this event must exist and be enabled.

How can I notify users of their user names and passwords?

You can run the Send User Name and Password Email Notifications process in the Scheduled Processes work area. For users for whom you haven't so far requested an email, this process sends out user names and reset-password links. The email goes to the work email of the user or the user's line manager. You can send the user name and password once only to any user. A notification template for this event must exist and be enabled.