4 Implementation Users

The implementation or setup users are typically different from the Oracle Applications Cloud application users. They're usually not part of the organization that uses Oracle Applications Cloud, so you don't assign them any product-specific task or let them view product-specific data. But you must assign them the privileges required to complete the application setup. You assign these privileges through role assignment.

The initial user can do all the setup tasks and security tasks, such as resetting passwords and granting additional privileges to self and to others. After you sign in for the first time, create additional implementation users with the same setup privileges as the initial user. You can also restrict the privileges of these implementation users based on your setup needs.

You can assign job roles and abstract roles to users using the Security Console. Here are the roles that you can assign to the setup users:

  • Application Diagnostic Administrator

  • Application Implementation Consultant

  • Employee

  • IT Security Manager

Note: The Application Implementation Consultant abstract role has unrestricted access to a large amount of data. So, assign this role only to those implementation users who do a wide range of implementation tasks and handle the setup data across environments. For users who must do specific implementation tasks, you can assign other administrator roles, such as the Financial Applications Administrator role.

If required, you can provide the same setup permissions to users that are part of your organization. You can also create administrative users with limited permissions. These users can configure product-specific settings and perform other related setup tasks.

Overview of ERP Implementation Users

As the service administrator for the Oracle ERP Cloud service, you're sent sign-in details when your environments are provisioned. This topic summarizes how to access the service for the first time and set up implementation users to perform the implementation. You must complete these steps before you release the environment to your implementation team.

Tip: Create implementation users in the test environment first. Migrate your implementation to the production environment only after you have validated it. With this approach, the implementation team can learn how to implement security before setting up application users in the production environment.

Signing In to the Oracle ERP Cloud Service

The service activation mail from Oracle provides the service URLs, user name, and temporary password for the test or production environment. Refer to the e-mail for the environment that you're setting up. The Identity Domain value is the environment name. For example, ERPA could be the production environment and ERPA-TEST could be the test environment.

Sign in to the test or production Oracle ERP Cloud service using the service home URL from the service activation mail. The URL ends with either AtkHomePageWelcome or FuseWelcome.

When you first sign in, use the password in the service activation mail. You're prompted to change the password and answer some challenge questions. Make a note of the new password. You must use it for subsequent access to the service.

Don't share your sign-in details with other users.

Creating Implementation Users

These steps summarize the process of creating implementation users and assigning roles to them.

  1. Create Implementation Users

    The Application Implementation Consultant user may be your only implementation user. However, if you need the implementation users TechAdmin and ERPUser and they don't already exist in your environment, create them and assign the required job roles to them.

    You don't associate named workers with these users at this time because your service isn't yet configured to onboard users in the integrated HCM core. As your implementation progresses, you may decide to replace these users or change their definitions.

  2. Run User and Roles Synchronization Process

    Run the process Retrieve Latest LDAP Changes to copy changes to users and their assigned roles to Oracle Fusion Human Capital Management (Oracle Fusion HCM).

  3. Assign Security Profiles to Abstract Roles

    Enable basic data access for the predefined Employee, Contingent Worker, and Line Manager abstract roles.

  4. Create a Generic Role Mapping for the Roles

    Enable the abstract roles from step 3 to be provisioned to implementation users.

  5. Assign Abstract Role and Data Access to the Implementation User

    Assign the implementation user the roles that enable functional implementation to proceed.

  6. Verify Implementation User Access

    Confirm that the implementation user can access the functions enabled by the assigned roles.

Once these steps are complete, it's recommended that you reset the service administrator sign-in details.

The User Accounts page of the Security Console provides summaries of user accounts that you select to review. For each account, it always provides:

  • The user's login, first name, and last name, in a User column.

  • Whether the account is active, whether it's locked, and the user's password-expiration date, in a Status column.

It may also provide:

  • Associated worker information, if the user account was created in conjunction with a worker record in Human Capital Management. This may include person number, manager, job title, and business unit.

  • Party information, if the user account was created in conjunction with a party record created in CRM. This may include party number and party usage.

The User Accounts page also serves as a gateway to account-management actions you can complete. These include:

  • Reviewing details of, editing, or deleting existing accounts.

  • Adding new accounts.

  • Locking accounts.

  • Resetting users' passwords.

To begin working with user accounts:

  1. Select the Users tab in the Security Console.

  2. In the Search field, select any combination of user states and enter at least three characters.

    The search returns user accounts at the states you selected, whose login, first name, or last name begins with the characters you entered.

Note: On the Security Console, you can't search for users who have APPID in their user name.

To review full details for an existing account, search for it in the User Accounts page and click its user login in the User column. This opens a User Account Details page.

These details always include:

  • User information, which consists of user, first, and last name values, and an email.

  • Account information, which includes the user's password-expiration date, whether the account is active, and whether it's locked.

  • A table listing the roles assigned to the user, including whether they're autoprovisioned or assignable. A role is assignable if it can be delegated to another user.

The page may also include an Associated Worker Information region or an Associated Party Information region. The former appears only if the user account is related to a worker record in Human Capital Management, and the latter if the user account is related to a party record in CRM.

To edit these details, click Edit in the User Account Details page. Be aware, however:

  • You can edit values only in the User Information, Account Information, and Roles regions.

  • Even in those regions, you can edit some fields only if the user isn't associated with a worker or a party. For example, if the user isn't associated with either, you can modify the First Name and Last Name values in the User Information region. But if the user is associated with a worker, you manage these values in Human Capital Management, and they're grayed out in the Edit User Details page.

  • In the Roles table, Autoprovisioned check boxes are set automatically, and you can't modify the settings. The box is checked if the user obtained the role through autoprovisioning, and cleared if the role was manually assigned. You can modify the Assignable setting for existing roles.

Note: You can edit the User Name in the Edit User Account Details page. You can update the user name irrespective of whether the account is linked to a worker record in HCM. All the conditions that apply when creating a user name also apply when updating it. The user name can be in any format and up to a maximum length of 80 characters.

Click Add Autoprovisioned Roles to add any roles for which the user is eligible. Or, to add roles manually, click Add Role. Search for roles you want to add, select them, and click Add Role Membership.

You can also delete roles. Click the x icon in the row for the role, and then respond to the confirmation message.

The user accounts that you add in the Security Console are used for implementation users. Usually, an implementation user sets up Oracle Human Capital Management Cloud (HCM). Then, you can use HCM to create accounts for application users.

Follow these steps to add a user account in the Security Console:

  1. In the Security Console, click the Users tab.

  2. On the User Accounts page, click the Add User Account button.

  3. From the Associated Person Type list, select Worker to link this account to a worker record in HCM. Otherwise, leave it as None.

  4. In the Account Information section, change the default settings if you don't want the account to be active or unlocked.

  5. Fill in the User Information section.

    • Select the user category that you want to associate the user with. The user category includes a password policy and a rule that determines how the user name is automatically generated.

    • Enter the user's first name only if the rule from the selected user category makes use of the first name or the first name initial to generate user names.

    • Enter a password that conforms to the password policy from the selected user category.

  6. In the Roles section, click the Add Role button.

  7. Search for the role that you want to assign to the user and then click the Add Role Membership button. The role is added to the list of existing roles.

  8. Repeat the previous step to add more roles if required, or just click Done.

  9. Click the Add Auto-Provisioned Roles button to add any roles that the user is eligible for, based on role provisioning rules. If nothing happens, that means there aren't any roles to autoprovision.

  10. In the Roles table, click the Assignable check box for any role that can be delegated to another user. The Auto-Provisioned column displays a tick mark if the user has roles that were assigned through autoprovisioning.

  11. Click the Delete icon to unassign any role.

  12. Click Save and Close.

Use the Security Console to assign a specific role to an existing user. Or, remove roles that were already assigned to the user.

  1. In the Security Console, click the Users tab.

  2. Search for and select the user you want to assign roles to.

  3. On the User Account Details page, click the Edit button.

  4. In the Roles section, click the Add Role button.

  5. Search for the role that you want to assign to the user and then click the Add Role Membership button. The role is added to the list of existing roles.

  6. Repeat the previous step to add more roles if required, or just click Done.

  7. Click the Add Auto-Provisioned Roles button to add any roles that the user is eligible for, based on role provisioning rules. If nothing happens, that means there aren't any roles to autoprovision.

  8. In the Roles table, click the Assignable check box for any role that can be delegated to another user. The Auto-Provisioned column displays a tick mark if the user has roles that were assigned through autoprovisioning.

  9. Click the Delete icon to unassign any role.

  10. Click Save and Close.

Reset Passwords

Use the Security Console to reset other users' passwords. The new password must conform to the password policy from the user category that's assigned to the user.

  1. In the Security Console, click the Users tab.

  2. On the User Accounts page, search for the user whose password you want to change.

  3. In the Action drop-down list for the user, select Reset Password. Or, you can click the display name and then click the Reset Password button on the User Account Details page.

  4. In the Reset Password dialog box, select whether to generate the password automatically or change it manually. For a manual change, enter a new password.

    Note: If you don't see the manual reset option, go to the user category assigned to the user and select the Administrator can manually reset password check box.

  5. Click Reset Password.

An email is sent to the user with the new password.

Delete User Accounts

An administrator may use the Security Console to delete users' accounts.

  1. Open the User Accounts page and search for the user whose account you want to delete.

  2. In the user's row, click the Action icon, then Delete.

  3. Respond Yes to a confirmation message.

Get User Sign-in Sign-out Information

You can get the last seven days of user sign-in sign-out information using a setting available on the Add User Account page in Security Console. To view the setting, you must enable a profile option. You can access the sign-in sign-out information through REST APIs.

Here's how you enable the profile option:

  1. In the Setup and Maintenance work area, open the task Manage Administrator Profile Values.

  2. Search for the following Profile Option Code:

    ASE_ADVANCED_USER_MANAGEMENT_SETTING

  3. In the Profile Value drop-down list, select Yes.

  4. Click Save and Close.

Note: The audit data is available for seven days.

The profile option is now enabled, and the setting to get user sign-in sign-out information appears in the Advanced Information section of the Add User Account page in the Security Console.

On the Security Console, click Users. On the User Accounts page, click Add User Account and select Enable Administration Access for Sign In-Sign Out Audit REST API. You can enable this option on the User Account Details Edit page too.

Users may receive email notifications of user-account events, such as account creation or password expiration. These notifications are generated from a set of templates, each of which is tied to an event. A template generates a message to a user when that user is involved in the event tied to the template.

You can enable or disable templates, edit templates, or create templates to replace existing ones. There are 16 events, and a predefined template exists for each event. You can enable only one template linked to a given event at a time.

Here's how you can create a template:

  1. Click the User Categories tab in the Security Console.

  2. Select a user category and on the User Category Information page, click the Notifications tab.

  3. Click the Edit button to make changes.

    Ensure that the Enable Notifications check box is selected.

  4. Click Add Template.

  5. Specify a name and description for the template.

  6. Select Enabled to use the template immediately. If you select it, the template that was previously enabled for the event you select is automatically disabled.

  7. Select an Event from the corresponding drop-down list.

    The values for Message Subject and Message are copied from an already-configured template for which the same event is selected.

  8. Update the Message Subject and Message as required.

    Note: The message text includes tokens that are replaced at runtime by literal values appropriate for a given user or account.

  9. Click Save and Close.

To edit a template, select it from the templates listed in the Notification Templates table. Then follow the same process as you would to create a template. You can't modify the event selected for a template that has been saved. You can only enable or disable an individual template when you edit it.

Note: You can't edit or delete predefined templates whose names begin with the prefix ORA, nor modify their message subject or message. You can only enable or disable the predefined templates.

You can delete the templates you created. Select the template row in the table and click Delete.

This table lists the tokens that you can use in the message text of a template. For each token, it gives the token's meaning and the events in which the token can be used:

${userLoginId}

The user name of the person whose account is being created or modified.

  • Forgot user name

  • Password expired

  • Password reset confirmation

${firstName}

The given name of the person whose account is being created or modified.

  • Administration activity location based access disabled confirmation

  • Administration activity requested

  • Administration activity single sign-on disabled confirmation

  • Expiring external IDP signing certificate

  • Expiring service provider encryption certificate

  • Expiring service provider signing certificate

  • Forgot user name

  • New account created - manager

  • New user created

  • Password expired

  • Password expiry warning

  • Password generated

  • Password reset

  • Password reset - manager

  • Password reset confirmation

  • Password reset confirmation - manager

${lastName}

The surname of the person whose account is being created or modified.

  • Administration activity location based access disabled confirmation

  • Administration activity requested

  • Administration activity single sign-on disabled confirmation

  • Expiring external IDP signing certificate

  • Expiring service provider encryption certificate

  • Expiring service provider signing certificate

  • Forgot user name

  • New account created - manager

  • New user created

  • Password expired

  • Password expiry warning

  • Password generated

  • Password reset

  • Password reset - manager

  • Password reset confirmation

  • Password reset confirmation - manager

${managerFirstName}

The given name of the person who manages the person whose account is being created or modified.

  • New account created - manager

  • Password reset confirmation - manager

  • Password reset - manager

${managerLastName}

The surname of the person who manages the person whose account is being created or modified.

  • New account created - manager

  • Password reset confirmation - manager

  • Password reset - manager

${loginUrl}

The web address to sign in to Oracle Cloud. The user can sign in and use the Preferences page to change a password that's about to expire. Or, without signing in, the user can engage a forgot-password procedure to change a password that has already expired.

  • Expiring external IDP signing certificate

  • Password expired

  • Password expiry warning

${resetUrl}

A one-time web address expressly for the purpose of resetting a password, used in the Password Generated, Password Reset, New Account, and New Account Manager templates.

  • New account created - manager

  • New user created

  • Password generated

  • Password reset

  • Password reset - manager

${CRLFX}

Inserts a line break.

All events

${SP4}

Inserts four spaces.

All events

${adminActivityUrl}

A URL of the page in which an administrator initiates an administration activity.

Administration activity requested

${providerName}

The name of an external Identity Provider.

Expiring external IDP signing certificate

${signingCertDN}

The signing certificate of an external Identity Provider.

Expiring external IDP signing certificate

${signingCertExpiration}

The expiration date of the external Identity Provider signing certificate or of the service provider signing certificate.

  • Expiring external IDP signing certificate

  • Expiring service provider signing certificate

${encryptionCertExpiration}

The expiration date of the Service Provider encryption certificate.

Expiring service provider encryption certificate

${adminFirstName}

The given name of the person who has administrator rights.

  • Administration activity location based access disabled confirmation

  • Administration activity single sign-on disabled confirmation

${adminLastName}

The surname of the person who has administrator rights.

  • Administration activity location based access disabled confirmation

  • Administration activity single sign-on disabled confirmation
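As an added example (not Oracle's code), the following Python script encodes the token table above and checks a custom template before it's enabled: it reports tokens that are unknown or not listed for the template's event, since such tokens would reach the recipient as literal text, and renders the valid ones for a sample user. The sample template and user values are constructed, and rendering ${CRLFX} as a newline is an assumption.

```python
"""Check and render a Security Console notification template.
Added example, not Oracle's code. TOKEN_EVENTS is transcribed from the
token table above; the sample template and user values are constructed."""
import re
from typing import Dict, List, Set

# The 16 notification events named in the token table.
ALL_EVENTS: Set[str] = {
    "Administration activity location based access disabled confirmation",
    "Administration activity requested",
    "Administration activity single sign-on disabled confirmation",
    "Expiring external IDP signing certificate",
    "Expiring service provider encryption certificate",
    "Expiring service provider signing certificate",
    "Forgot user name",
    "New account created - manager",
    "New user created",
    "Password expired",
    "Password expiry warning",
    "Password generated",
    "Password reset",
    "Password reset - manager",
    "Password reset confirmation",
    "Password reset confirmation - manager",
}

MANAGER_EVENTS: Set[str] = {
    "New account created - manager",
    "Password reset confirmation - manager",
    "Password reset - manager",
}

ADMIN_CONFIRMATION_EVENTS: Set[str] = {
    "Administration activity location based access disabled confirmation",
    "Administration activity single sign-on disabled confirmation",
}

# Events in which each token may be used, per the table above.
TOKEN_EVENTS: Dict[str, Set[str]] = {
    "userLoginId": {"Forgot user name", "Password expired",
                    "Password reset confirmation"},
    "firstName": ALL_EVENTS,
    "lastName": ALL_EVENTS,
    "managerFirstName": MANAGER_EVENTS,
    "managerLastName": MANAGER_EVENTS,
    "loginUrl": {"Expiring external IDP signing certificate",
                 "Password expired", "Password expiry warning"},
    "resetUrl": {"New account created - manager", "New user created",
                 "Password generated", "Password reset",
                 "Password reset - manager"},
    "CRLFX": ALL_EVENTS,
    "SP4": ALL_EVENTS,
    "adminActivityUrl": {"Administration activity requested"},
    "providerName": {"Expiring external IDP signing certificate"},
    "signingCertDN": {"Expiring external IDP signing certificate"},
    "signingCertExpiration": {"Expiring external IDP signing certificate",
                              "Expiring service provider signing certificate"},
    "encryptionCertExpiration": {
        "Expiring service provider encryption certificate"},
    "adminFirstName": ADMIN_CONFIRMATION_EVENTS,
    "adminLastName": ADMIN_CONFIRMATION_EVENTS,
}

TOKEN_RE = re.compile(r"\$\{([A-Za-z0-9]+)\}")


def invalid_tokens(text: str, event: str) -> List[str]:
    """Return tokens in text that are unknown or not listed for the event."""
    if event not in ALL_EVENTS:
        raise ValueError(f"unknown event: {event!r}")
    return [tok for tok in TOKEN_RE.findall(text)
            if event not in TOKEN_EVENTS.get(tok, set())]


def render(text: str, event: str, values: Dict[str, str]) -> str:
    """Substitute tokens for one recipient, refusing invalid templates."""
    bad = invalid_tokens(text, event)
    if bad:
        raise ValueError(f"tokens not valid for {event!r}: {bad}")
    # Assumption: ${CRLFX} renders as "\n"; ${SP4} is four spaces per the table.
    fixed = {"CRLFX": "\n", "SP4": "    "}
    return TOKEN_RE.sub(
        lambda m: fixed[m.group(1)] if m.group(1) in fixed else values[m.group(1)],
        text)


# Constructed sample: a custom template for the Password expiry warning event.
SAMPLE_EVENT = "Password expiry warning"
SAMPLE_TEMPLATE = ("Dear ${firstName} ${lastName},${CRLFX}${SP4}Your password "
                   "expires soon. Sign in at ${loginUrl} to change it.")
SAMPLE_VALUES = {"firstName": "Ada", "lastName": "Example",
                 "loginUrl": "https://example.invalid/"}

if __name__ == "__main__":
    print(render(SAMPLE_TEMPLATE, SAMPLE_EVENT, SAMPLE_VALUES))
    print(invalid_tokens("Reset at ${resetUrl}", SAMPLE_EVENT))  # ['resetUrl']
```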

Synchronize User and Role Information

You run the process Retrieve Latest LDAP Changes once during implementation. This process copies data from the LDAP directory to the Oracle Fusion Applications Security tables. Thereafter, the data is synchronized automatically. To run this process, perform the task Run User and Roles Synchronization Process as described in this topic.

Run the Retrieve Latest LDAP Changes Process

Follow these steps:

  1. Sign in to your Oracle Applications Cloud service environment as the service administrator.

  2. In the Setup and Maintenance work area, go to the following for your offering:

    • Functional Area: Initial Users

    • Task: Run User and Roles Synchronization Process

  3. On the process submission page for the Retrieve Latest LDAP Changes process:

    1. Click Submit.

    2. Click OK to close the confirmation message.

Reset the Cloud Service Administrator Sign-In Details

After setting up your implementation users, you can reset the service administrator sign-in details for your Oracle Applications Cloud service. You reset these details to avoid problems later when you're loaded into the service as an employee. This topic describes how to reset the service administrator sign-in details.

Sign in to your Oracle Applications Cloud service using the TechAdmin user name and password and follow these steps:

  1. In the Setup and Maintenance work area, go to the following:

    • Functional Area: Initial Users

    • Task: Create Implementation Users

  2. On the User Accounts page of the Security Console, search for your service administrator user name, which is typically your email. Your service activation mail contains this value.

  3. In the search results, click your service administrator user name to open the User Account Details page.

  4. Click Edit.

  5. Change the User Name value to ServiceAdmin.

  6. Delete any value in the First Name field.

  7. Change the value in the Last Name field to ServiceAdmin.

  8. Delete the value in the Email field.

  9. Click Save and Close.

  10. Sign out of your Oracle Applications Cloud service.

After making these changes, you use the user name ServiceAdmin when signing in as the service administrator.

User Categories

You can categorize and segregate users based on the various functional and operational requirements. A user category provides you with an option to group a set of users such that the specified settings apply to everyone in that group. Typical scenarios in which you may want to group users are:

  • Users have different preferences in receiving automated notifications from the Security Console. For example, employees of your organization who use the organization's single sign-on don't require notifications from the Security Console about creating new users, password expiry, or password reset. However, the suppliers of your organization who aren't using the organization's single sign-on must receive such notifications from the Security Console.

  • You have built an external application for a group of users using the REST APIs of Oracle Fusion Applications. You intend to redirect this user group to the external application when using the Security Console to reset passwords or create new users.

On the Security Console page, click the User Category tab. You can perform the following tasks:

  • Segregate users into categories

  • Specify Next URL

  • Set user preferences

  • Define password policy

  • Enable notifications

Segregate Users into Categories

Create user categories and add existing users to them. All existing users are automatically assigned to the Default user category unless otherwise specified. You may create more categories depending upon your requirement and assign users to those categories.

Note: You can assign a user to only one category.

Specify Next URL

Specify a URL to redirect your users to a website or an application instead of the Sign In page whenever they reset their password. For example, a user places a password reset request and receives an email for resetting the password. After the new password is authenticated, the user can be directed to a website or application. If nothing is specified, the user is directed to the Oracle Applications Cloud Sign In page. You can specify only one URL per user category.

Set User Preferences

Select the format of the User Name, the value that identifies a user when signed in. It is generated automatically in the format you select. Options include first and last name delimited by a period, email address, first-name initial and full last name, and person or party number. Select the check box Generate system user name when generation rule fails to enable the automatic generation of User Name values if the selected generation rule can't be implemented.

Define Password Policy

Determine the number of days a password remains valid. Set the number of days before expiration that a user receives a warning to reset the password. You can define the period in which a user must respond to a notification to reset the password (Hours Before Password Reset Token Expiration). Select a password format and determine whether a previous password may be reused. You may decide whether to permit an administrator to manually modify passwords in the Reset Password dialog box, available from a given user's record on the Users tab. This option applies only to the manual-reset capability. An administrator can always use the Reset Password dialog box to initiate the automatic reset of a user's password.

Enable Notifications

Notifications are enabled by default, but you can disable them if required. You can also enable or disable notifications separately for each user category. If users belonging to a specific category don't want to receive any notification, you can disable notifications for all life cycle events. Alternatively, if users want to receive notifications only for some events, you can selectively enable the functionality for those events.

Notifications are sent for a set of predefined events. To trigger a notification, you must create a notification template and map it to the required event. Depending on the requirement, you can add or delete a template that's mapped to a particular event.

Note: You can't edit or delete predefined notification templates that begin with the prefix ORA. You can only enable or disable them. However, you can update or delete the user-defined templates.

The User Category feature supports both the SCIM protocol and HCM Data Loader for performing bulk updates.

Using the Security Console, you can add existing users to an existing user category or create a new category and add them. When you create new users, they're automatically assigned to the default category. At a later point, you can edit the user account and update the user category. You can assign a user to only one category.

Note: If you're creating new users using Security Console, you can also assign a user category at the time of creation.

You can add users to a user category in three different ways:

  • Create a user category and add users to it

  • Add users to an existing user category

  • Specify the user category for an existing user

Note: You can create and delete a user category only using the Security Console. Once the required user categories are available in the application, you can use them in SCIM REST APIs and data loaders. You can't rename a user category.

Adding Users to a New User Category

To create a user category and add users:

  1. On the Security Console, click User Categories > Create.

  2. Click Edit, specify the user category details, and click Save and Close.

  3. Click the Users tab and click Edit.

  4. On the User Category: Users page, click Add.

  5. In the Add Users dialog box, search for and select the user, and click Add.

  6. Repeat adding users until you have added the required users and click Done.

  7. Click Done on each page until you return to the User Categories page.

Adding Users to an Existing User Category

To add users to an existing user category:

  1. On the Security Console, click User Categories and click an existing user category to open it.

  2. Click the Users tab and click Edit.

  3. On the User Category: Users page, click Add.

  4. In the Add Users dialog box, search for and select the user, and click Add.

  5. Repeat adding users until you have added the required users and click Done.

  6. Click Done on each page until you return to the User Categories page.

Specifying the User Category for an Existing User

To add an existing user to a user category:

  1. On the Security Console, click Users.

  2. Search for and select the user for whom you want to specify the user category.

  3. On the User Account Details page, click Edit.

  4. In the User Information section, select the User Category. The Default user category remains set for a user until you change it.

  5. Click Save and Close.

  6. On the User Account Details page, click Done.

You can delete user categories if you don't require them. However, you must ensure that no user is associated with that user category. Otherwise, you can't proceed with the delete task. On the User Categories page, click the X icon in the row to delete the user category.

Use this task if you want to direct your users to another application or a website instead of the Oracle Applications Cloud sign-in page after they reset the password. Using the Security Console, you can specify the URL of the application or the website to which the users are directed.

  1. On the Security Console, click User Category.

  2. Select the user category and on the User Category: Details page, click Edit.

  3. Specify the URL in the Next URL field and click Save and Close.

When users of that user category successfully reset their password, they're automatically redirected to the specified application or web page instead of the Oracle Applications Cloud sign-in page.

Using the Security Console, you can determine whether to turn notifications on or off for the users.

  1. On the Security Console, click User Categories and from the list, select the specific user category.

  2. Click the Notifications tab and click Edit.

  3. Select the Enable Notifications check box to enable notifications for all users of that user category. To disable notifications, deselect the check box.

  4. Click Done.

To determine which notifications to send, you have to enable the notification template for each required event.