Autoprovisioning
Autoprovisioning is the automatic allocation or removal of user roles. It occurs for individual users when you create or update assignments. You can also apply autoprovisioning explicitly for the enterprise using the Autoprovision Roles for All Users process.
Roles That Autoprovisioning Affects
Autoprovisioning applies only to roles that have the Autoprovision option enabled in a role mapping.
It doesn't apply to roles without the Autoprovision option enabled.
The Autoprovision Roles for All Users Process
The Autoprovision Roles for All Users process compares all current user assignments with all current role mappings.
-
Users with at least one assignment that matches the conditions in a role mapping and who don't currently have the associated roles acquire those roles.
-
Users who currently have the roles but no longer satisfy the associated role-mapping conditions lose those roles.
When a user has no roles, his or her user account is also suspended automatically by default.
The process creates requests immediately to add or remove roles. These requests are processed by the Send Pending LDAP Requests process. When running Autoprovision Roles for All Users, you can specify when role requests are to be processed. You can either process them immediately or defer them as a batch to the next run of the Send Pending LDAP Requests process. Deferring the processing is better for performance, especially when thousands of role requests may be generated. Set the Process Generated Role Requests parameter to No to defer the processing. If you process the requests immediately, then Autoprovision Roles for All Users produces a report identifying the LDAP request ranges that were generated. Requests are processed on their effective dates.
When to Run the Process
You're recommended to run Autoprovision Roles for All Users after creating or editing role mappings. You may also have to run it after loading person records in bulk if you request user accounts for those records. If an appropriate role mapping exists before the load, then this process isn't necessary. Otherwise, you must run it to provision roles to new users loaded in bulk. Avoid running the process more than once in any day. Otherwise, the number of role requests that the process generates may slow the provisioning process. Only one instance of the process can run at a time.
Options for the Process
When processing a large number of requests, you can enable bulk mode for this process to improve performance. In the bulk mode, the process groups all users for the same role into one request, and assigns multiple users to single role at once. In the default non-bulk mode, one user is assigned to a role at a time.
- In the Setup and Maintenance work area, search and open the task Manage Profile Options.
- In the Search Results section, click the + (New) icon.
- On the Create Profile Option page, enter the following
values:
- Profile Option Code = PER_AUTO_PROVISION_ROLES_ENABLE_BULK
- Profile Display Name = PER_AUTO_PROVISION_ROLES_ENABLE_BULK
- Application = Global Human Resources
- Module = Users
- Start Date = <Today's date>
- On the Manage Profile Options page, select the Enabled and Updateable check boxes for Site Level. Click Save and Close.
- In the Setup and Maintenance work area, search and open the Manage Administrator Profile Values task.
- Search for the profile option code PER_AUTO_PROVISION_ROLES_ENABLE_BULK. In the Profile Value text box, enter 'Y'. Note that this value is for one-time use, and you need to reset the value again for the next run of the process. Click Save and Close.
You can enable multithreading for the process by setting the profile option ORA_PER_AUTO_PROVISION_ROLES_ENABLE_MULTITHREADING to 'Y'. This creates child jobs, which help in improving the performance.
For more information, see the topic Best Practices for User and Role Provisioning in HCM.
Autoprovisioning for Individual Users
You can apply autoprovisioning for individual users on the Manage User Account page.