12 Creating Application Users

Options for Creating HCM Application Users

When you create person records in Oracle HCM Cloud, user accounts can be created automatically. The User and Role Provisioning options control whether user accounts are created and maintained automatically. You set these options for the enterprise during implementation using the Manage Enterprise HCM Information task.

Some enterprises use applications other than Oracle HCM Cloud to manage user and role provisioning. In this case, you set the User and Role Provisioning options to prevent automatic creation of user accounts. Oracle HCM Cloud user accounts don't provide access to other enterprise applications.

Creating Person Records

You can create person records:

  • Individually, using tasks such as Hire an Employee

  • By uploading them in bulk, using HCM Data Loader

During implementation, you can also use the Create User task to create individual application users with basic person records for test purposes. However, after implementation, you use tasks such as Hire an Employee and Add a Contingent Worker. These tasks are functionally rich and create the employment information required for Oracle HCM Cloud implementations. Don't use Create User, which is intended primarily for Oracle Fusion Applications customers who aren't implementing Oracle HCM Cloud.

Uploading Workers Using HCM Data Loader

To load workers using HCM Data Loader, use the Import and Load Data task in the Data Exchange work area. The enterprise option User Account Creation controls whether user accounts are created for all workers by default. You can prevent user accounts from being created for individual workers by setting the GeneratedUserAccountFlag attribute of the User Information component to N. If you're creating user accounts for uploaded workers, then you can provide a user name in the uploaded data. This value overrides the default user-name format for the default user category. You run the process Send Pending LDAP Requests to send bulk user-account requests for processing.

Note: If appropriate role mappings don't exist when you load new workers, then user accounts are created but no roles are provisioned. User accounts without roles are automatically suspended when Send Pending LDAP Requests completes. To avoid this suspension, always create a role mapping for the workers you're loading before you load them. Having the recommended role mapping to provision abstract roles automatically to employees, contingent workers, and line managers is sufficient in most cases.
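
A pre-load review of the User Information rows in a Data Loader file shows which workers will receive accounts and therefore need a role mapping in place first. The following is an added example, not Oracle's code: the `PersonUserInformation` discriminator, the column set, the sample rows, and the function name are assumptions made for illustration.

```python
import csv
import io

# Constructed sample in HCM Data Loader's pipe-delimited layout. The
# PersonUserInformation discriminator and the column set are assumptions.
SAMPLE_DAT = """\
METADATA|PersonUserInformation|PersonNumber|UserName|GeneratedUserAccountFlag
MERGE|PersonUserInformation|100001||
MERGE|PersonUserInformation|100002|svc.payroll|Y
MERGE|PersonUserInformation|100003||N
MERGE|PersonUserInformation|100004|jdoe|N
"""


def audit_user_information(dat_text, component="PersonUserInformation",
                           enterprise_creates_accounts=True):
    """Classify each worker row by what the load will do to user accounts."""
    columns = None
    findings = []
    for row in csv.reader(io.StringIO(dat_text), delimiter="|"):
        if len(row) < 2 or row[1] != component:
            continue  # blank line or a different component
        if row[0] == "METADATA":
            columns = row[2:]  # attribute names for the rows that follow
            continue
        if row[0] != "MERGE" or columns is None:
            continue
        rec = dict(zip(columns, row[2:]))
        flag = rec.get("GeneratedUserAccountFlag", "").strip().upper()
        user_name = rec.get("UserName", "").strip()
        # N suppresses the account for this worker; otherwise the
        # enterprise User Account Creation option decides.
        creates = flag != "N" and enterprise_creates_accounts
        notes = []
        if creates:
            # Without a matching role mapping the account is suspended
            # when Send Pending LDAP Requests completes.
            notes.append("needs role mapping before load")
            if user_name:
                notes.append("user name overrides default format")
        elif user_name:
            notes.append("user name supplied but no account created")
        findings.append({"person": rec.get("PersonNumber", ""),
                         "creates_account": creates,
                         "notes": notes})
    return findings
```

Rows flagged with a user-name override deserve a second look, because they bypass the naming format defined for the default user category.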

Create Oracle HCM Cloud Users Using the New Person Tasks

Once the initial implementation of Oracle HCM Cloud is complete, person records can be created:

  • Individually, using tasks such as Hire an Employee in the New Person work area

  • In bulk, by uploading person records using HCM Data Loader

This topic summarizes how to create person records using the Hire an Employee task, with emphasis on any steps that affect user and role provisioning.

Hire an Employee: User-Name Values

You must have the Human Resource Specialist job role to hire an employee as described here. Follow these steps:

  1. Open the New Person work area.

  2. On the Tasks panel tab, select the Hire an Employee task. The Hire an Employee: Identification page opens.

  3. If the Person Number value is Generated automatically, then the number is generated on approval of the hire. If the field is blank, then you can enter a person number.

    The user name is the person number if the generation rule for user names, as specified on the Security Console, is Person or party number.

    Tip: New users belong to the default user category. Therefore, the default user-name format is the format defined for the default user category. You can add the user to a different user category after the user account exists.

  4. You enter the person's first and last names. Other names are optional. The user name is based on the person's first and last names if the generation rule for user names in the default user category is either FirstName.LastName or FLastName.

  5. Click Next. The Hire an Employee: Person Information page opens.

  6. A user can have only one work email. If you enter no work email when you create the person record, then an authorized user can enter it later on the Security Console. You can't add it directly to the person record later. After the person record exists, the email is managed on the Security Console.

    The user name is the work email if the generation rule for user names in the default user category is Email.

  7. Click Next.

Hire an Employee: Roles

The Hire an Employee: Employment Information page opens. Many assignment details, including assignment status and job, may occur as conditions in role mappings. For example, users may acquire a role automatically if their grade matches that in the associated role mapping.

  1. Click Next. The Hire an Employee: Compensation and Other Information page opens.

    Any roles for which the employee qualifies automatically appear in the Role Requests region of the page.

  2. To add roles manually, click Add Role. The Add Role dialog box opens.

  3. Search for and select the role. A role that you can provision appears in a role mapping where you satisfy the conditions and the Requestable option is selected for the role.

    The selected role appears in the Role Requests region with the status Add requested. Repeat steps 2 and 3 for additional roles.

  4. Click Next. On the Hire an Employee: Review page, click Submit.

    This action:

    • Submits the Hire an Employee transaction for approval

    • Creates a request to create the user account and provision the requested roles, on approval of the hire

    Note: User-account and role-provisioning requests are processed only if processing is enabled for the enterprise.

The user is notified of his or her sign-in details if an appropriate notification template is enabled for the default user category.

Create Oracle HCM Cloud Users Using the Create User Task

During implementation, you can use the Create User task to create test application users. By default, this task creates a minimal person record and a user account. After implementation, you use tasks such as Hire an Employee to create application users. The Create User task isn't recommended after implementation is complete. This topic describes how to create a test user using the Create User task.

Sign in and follow these steps:

  1. Select Navigator > My Team > Users and Roles to open the Search Person page.

  2. In the Search Results section, click the Create icon.

    The Create User page opens.

Enter Personal Details

Follow these steps:

  1. Enter the user's name.

  2. In the Email field, enter the user's primary work email.

    Tip: If email validation is enabled, then a warning appears if the email already exists.

  3. In the Hire Date field, enter the hire date for a worker. For other types of users, enter a user start date. You can't edit this date after the user exists.

Enter User Details

You can either create a user account or link an existing, standalone user account.

To create a user account, you select Enter user name. If you leave the User Name field blank, then the user name is generated automatically in the enterprise default format. In this case, automatic creation of user accounts must be enabled for the enterprise. If you enter a user name, then that name is used if valid.

Alternatively, you may have created a standalone user account on the Security Console or using SCIM (REST) APIs. These types of user accounts aren't linked to person records. To link such an account to the new person record:

  1. Select Link user account.

  2. Click the Link icon to open the Link User Account dialog box.

  3. In the Link User Account dialog box, search for and select the user account. Accounts that are already linked to person records don't appear here. The account can be in any status. Its status isn't changed when you link it.

  4. Click OK to link the account.

Tip: On the Edit User page, you can edit the user details and link a different user account, if required. The link to the existing user account is removed automatically.

Set User Notification Preferences

The Send user name and password option controls whether a notification containing the new user's sign-in details is sent when the account is created. This option is enabled only if:

  • Notifications are enabled for the default user category on the Security Console.

  • An appropriate notification template exists.

For example, if the predefined New Account Template notification template is enabled for the default user category, then a notification is sent to the user.

If you deselect this option, then you can send the notification later by running the Send User Name and Password Email Notifications process. The notification is sent to the user's work email. If the user has no work email, then the notification is sent to the user's line manager. Appropriate notification templates must be enabled at that time.

Enter Employment Information

Follow these steps:

  1. Select a Person Type value.

  2. Select Legal Employer and Business Unit values.

Add Roles

Follow these steps:

  1. Click Autoprovision Roles. Any roles for which the user qualifies automatically, based on the information that you have entered so far, appear in the Role Requests table.

    Note: If you linked an existing user account, then any roles that were already assigned externally and manually to the account appear in the Roles section. When you click Autoprovision Roles, the user's entitlement to those roles is reviewed. If the user doesn't qualify for the roles, based on the employment information entered so far, then their removal is requested.

  2. To provision a role manually to the user, click the Add Role icon. The Add Role dialog box opens.

  3. Search for and select the role. The role must appear in a role mapping for which you satisfy the role-mapping conditions and where the Requestable option is selected for the role.

    The selected role appears in the Role Requests region with the status Add requested. The role request is created when you click Save and Close.

    Repeat steps 2 and 3 for additional roles.

  4. Click Save and Close.

  5. Click Done.

Enable Validation of Work Email for Users and Roles

You can enable validation of the email that you enter on the Create User and Edit User pages. When validation is enabled, a warning message appears if you enter a duplicate value. The message provides the name, the user name, or both of the email owner. Having this warning enables you to enter a unique email before saving. Validation of the email on the Create User and Edit User pages is disabled by default. This topic explains how to enable validation of the email value on the Create User and Edit User pages.

Enable Email Validation

To enable validation, you set the profile option, PER_MANAGE_USERS_EMAIL_VALIDATION.

To set the profile option, follow these steps:

  1. In the Setup and Maintenance work area, use the Manage Administrator Profile Values task.

  2. On the Manage Administrator Profile Values page, enter PER_MANAGE_USERS_EMAIL_VALIDATION in the Profile Option Code field and click Search.

  3. In the Profile Values section of the search results, enter Y in the Profile Value field.

  4. Click Save and Close.

Note: When validation of the work email is enabled, it applies to the Create User and Edit User pages. It doesn't apply to user accounts that you manage on the Security Console.

FAQs for Creating Application Users

When you create a person record, a user account is created automatically if automatic creation of accounts is enabled. If a user account isn't created automatically, then an authorized user can create it on the Security Console or using SCIM (REST) APIs. You can link the account to the person record using the Manage User Account or Create User page.

How can I create a user account for an existing worker?

On the Manage User Account page, select Create User Account. Update account details, if appropriate, and click Save. Once the request is processed successfully, the account becomes available.

If automatic creation of accounts is disabled, then you can't use the Create User Account action. Instead, authorized users can create user accounts on the Security Console.

User names are generated automatically in the format specified on the Security Console for the user category. The default format is the worker's primary work email, but this value can be overridden for each user category. For example, your enterprise may use person number as the default user name for the default user category.