11 Preparing for Application Users

Overview of Preparing for HCM Application Users

During implementation, you prepare your Oracle HCM Cloud service for application users. Decisions made during this phase determine how you manage users by default. Most such decisions can be overridden. However, for efficient user management, it's recommended that you configure your environment to both reflect enterprise policy and support most or all users.

Some key decisions and tasks are explained in this chapter and introduced in this table.

Decision or Task | Topic
--- | ---
Whether user accounts are created automatically for application users | User Account Creation Option: Explained
How role provisioning is managed | User Account Role Provisioning Option: Explained
Whether user accounts are maintained automatically | User Account Maintenance Option: Explained
Whether user accounts are created for terminated workers that you load in bulk | User Account Creation for Terminated Workers Option: Explained
Ensuring that the Employee, Contingent Worker, and Line Manager abstract roles are provisioned automatically | Provisioning Abstract Roles to Users Automatically: Procedure

Some decisions affecting application users were made when the Security Console was set up. These decisions include:

  • How user names are formed by default

  • How passwords are formed and when they expire

  • How users are notified of their sign-in details and password events, such as expiration warnings

You may want to review these settings for each user category on the Security Console before creating application users.

This topic introduces the user and role-provisioning options, which control the default management of some user-account features. To set these options, perform the Manage Enterprise HCM Information task in the Workforce Structures functional area for your offering. You can edit these values as necessary and specify an effective start date for changed values.

User Account Creation

The User Account Creation option controls:

  • Whether user accounts are created automatically when you create a person, user, or party record

  • The automatic provisioning of roles to users at account creation

    Note: User accounts without roles are suspended automatically. Therefore, roles are provisioned automatically at account creation to avoid this automatic suspension.

The User Account Creation option may be of interest if:

  • Some workers don't need access to Oracle Applications Cloud.

  • Your existing provisioning infrastructure creates user accounts, and you plan to integrate it with Oracle Applications Cloud.

User Account Role Provisioning

After a user account exists, users both acquire and lose roles as specified by current role-provisioning rules. For example, managers may provision roles to users manually, and the termination process may remove roles from users automatically. You can control role provisioning by setting the User Account Role Provisioning option.

Note: Roles that you provision to users directly on the Security Console aren't affected by this option.

User Account Maintenance

The User Account Maintenance option controls whether user accounts are suspended and reactivated automatically. By default, a user's account is suspended automatically when the user is terminated and reactivated automatically if the user is rehired.

User Account Creation for Terminated Workers

The User Account Creation for Terminated Workers option controls whether user-account requests for terminated workers are processed or suppressed. This option takes effect when you run the Send Pending LDAP Requests process.

User Account Creation Option

The User Account Creation option controls whether user accounts are created automatically when you create a person or party record. Use the Manage Enterprise HCM Information task to set this option.

This table describes the User Account Creation option values.

Value | Description
--- | ---
Both person and party users | User accounts are created automatically for both person and party users. This value is the default value.
Party users only | User accounts are created automatically for party users only. User accounts aren't created automatically when you create person records. Instead, account requests are held in the LDAP requests table, where they're identified as suppressed. They're not processed.
None | User accounts aren't created automatically. All user account requests are held in the LDAP requests table, where they're identified as suppressed. They're not processed.

If user accounts are created automatically, then role provisioning also occurs automatically, as specified by current role mappings when the accounts are created. If user accounts aren't created automatically, then role requests are held in the LDAP requests table, where they're identified as suppressed. They aren't processed.

If you disable the automatic creation of user accounts for some or all users, then you can:

  • Create user accounts individually on the Security Console.

  • Link existing user accounts to person and party records using the Manage User Account or Manage Users task.

Alternatively, you can use an external provisioning infrastructure to create and manage user accounts. In this case, you're responsible for managing the interface with Oracle Applications Cloud, including any user-account-related updates.

User Account Role Provisioning Option

Existing users both acquire and lose roles as specified by current role-provisioning rules. For example, users may request some roles for themselves and acquire others automatically. All provisioning changes are role requests that are processed by default. You can control what happens to role requests by setting the User Account Role Provisioning option. Use the Manage Enterprise HCM Information task to set this option.

This table describes the User Account Role Provisioning option values.

Value | Description
--- | ---
Both person and party users | Role provisioning and deprovisioning occur for both person and party users. This value is the default value.
Party users only | Role provisioning and deprovisioning occur for party users only. For person users, role requests are held in the LDAP requests table, where they're identified as suppressed. They're not processed.
None | For both person and party users, role requests are held in the LDAP requests table, where they're identified as suppressed. They're not processed.

Note: When a user account is created, roles may be provisioned to it automatically based on current role-provisioning rules. This provisioning occurs because user accounts without roles are suspended automatically. Automatic creation of user accounts and the associated role provisioning are controlled by the User Account Creation option.

User Account Maintenance Option

By default, a user's account is suspended automatically when the user has no roles. This situation occurs typically at termination. The user account is reactivated automatically if you reverse the termination or rehire the worker. The User Account Maintenance option controls these actions. Use the Manage Enterprise HCM Information task to set this option.

This table describes the User Account Maintenance option values.

Value | Description
--- | ---
Both person and party users | User accounts are maintained automatically for both person and party users. This value is the default value.
Party users only | User accounts are maintained automatically for party users only. For person users, account-maintenance requests are held in the LDAP requests table, where they're identified as suppressed. They're not processed. Select this value if you manage accounts for person users in some other way.
None | For both person and party users, account-maintenance requests are held in the LDAP requests table, where they're identified as suppressed. They're not processed. Select this value if you manage accounts for both person and party users in some other way.

User Account Creation for Terminated Workers Option

The User Account Creation for Terminated Workers option controls whether user accounts are created for terminated workers. It applies only when you run Send Pending LDAP Requests. Typically, you run Send Pending LDAP Requests after loading workers in bulk using HCM Data Loader, for example. This option doesn't apply to workers created in the user interface unless they're future-dated. Use the Manage Enterprise HCM Information task to set this option.

This table describes the User Account Creation for Terminated Workers option values.

Value | Description
--- | ---
No (or not set) | User-account requests generated for terminated workers are suppressed when you run Send Pending LDAP Requests.
Yes | User-account requests generated for terminated workers are processed when you run Send Pending LDAP Requests.

This option determines whether user-account requests for terminated workers are processed or suppressed. A user-account request is generated for a worker created by bulk upload only if:

  • The User Account Creation enterprise option is set to Both person and party users.

  • The GeneratedUserAccountFlag attribute for the Worker object isn't set to N.

Otherwise, user-account requests for workers are suppressed and User Account Creation for Terminated Workers has no effect.
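The following added example, which is not Oracle code, models the order in which these rules apply so that a bulk load can be reviewed before Send Pending LDAP Requests is run. The batch records and the person_number and terminated field names are constructed for illustration; only GeneratedUserAccountFlag and the option values come from this chapter.

```python
# Added example (not Oracle code): the rules above for bulk-loaded workers.
BOTH = "Both person and party users"


def account_request_outcome(worker, creation_option, terminated_option):
    """Return (outcome, reason) for one bulk-loaded worker's account request.

    creation_option: value of the User Account Creation option.
    terminated_option: "Yes", "No" or None (not set).
    """
    # A request is generated only if both conditions in the list above hold.
    if creation_option != BOTH:
        return "suppressed", "User Account Creation is not '%s'" % BOTH
    if worker.get("GeneratedUserAccountFlag") == "N":
        return "suppressed", "GeneratedUserAccountFlag is N"
    # Only now does User Account Creation for Terminated Workers matter.
    if worker["terminated"] and terminated_option != "Yes":
        return "suppressed", "terminated worker and option is No or not set"
    return "processed", "request is handled by Send Pending LDAP Requests"


def terminated_accounts_to_be_created(workers, creation_option, terminated_option):
    """Pre-run review: terminated workers whose accounts would be created."""
    return [
        w["person_number"]
        for w in workers
        if w["terminated"]
        and account_request_outcome(w, creation_option, terminated_option)[0]
        == "processed"
    ]


# Constructed sample batch; person_number and terminated are hypothetical names.
BATCH = [
    {"person_number": "1001", "terminated": False},
    {"person_number": "1002", "terminated": True},
    {"person_number": "1003", "terminated": True, "GeneratedUserAccountFlag": "N"},
    {"person_number": "1004", "terminated": True, "GeneratedUserAccountFlag": "Y"},
]

if __name__ == "__main__":
    for setting in ("Yes", None):
        print(setting, terminated_accounts_to_be_created(BATCH, BOTH, setting))
```
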

Set the User and Role Provisioning Options

The user and role provisioning options control the creation and maintenance of user accounts for the enterprise. This procedure explains how to set these options. To create and maintain Oracle Applications Cloud user accounts automatically for all users, you can use the default settings.

Follow these steps:

  1. In the Setup and Maintenance work area, go to the following for your offering:

    • Functional Area: Workforce Structures

    • Task: Manage Enterprise HCM Information

  2. On the Enterprise page, select Edit > Update.

  3. In the Update Enterprise dialog box, enter the effective date of any changes and click OK. The Edit Enterprise page opens.

  4. Scroll down to the User and Role Provisioning Information section.

  5. Set the User Account Options, as appropriate. The User Account Options are:

    • User Account Creation

    • User Account Role Provisioning

    • User Account Maintenance

    • User Account Creation for Terminated Workers

    These options are independent of each other. For example, you can set User Account Creation to None and User Account Role Provisioning to Yes.

  6. Click Submit to save your changes.

  7. Click OK to close the Confirmation dialog box.

Provision Abstract Roles to Users Automatically

Provisioning the Employee, Contingent Worker, and Line Manager abstract roles automatically to users is efficient, as most users have at least one of these roles. It also ensures that users have basic access to functions and data when they first sign in. This topic explains how to set up automatic role provisioning during implementation using the Manage Role Provisioning Rules task.

Provision the Employee Role Automatically to Employees

Follow these steps:

  1. Sign in as the TechAdmin user or another user with the IT Security Manager job role or privileges.

  2. In the Setup and Maintenance work area, go to the following for your offering:

    • Functional Area: Users and Security

    • Task: Manage Role Provisioning Rules

  3. In the Search Results section of the Manage Role Mappings page, click the Create icon. The Create Role Mapping page opens.

  4. In the Mapping Name field enter Employee.

  5. Complete the fields in the Conditions section of the Create Role Mapping page as shown in the following table.

    Field | Value
    --- | ---
    System Person Type | Employee
    HR Assignment Status | Active

  6. In the Associated Roles section of the Create Role Mapping page, add a row.

  7. In the Role Name field of the Associated Roles section, click Search.

  8. In the Search and Select dialog box, enter Employee in the Role Name field and click Search.

  9. Select Employee in the search results and click OK.

  10. If Autoprovision isn't selected automatically, then select it. Ensure that the Requestable and Self-Requestable options aren't selected.

  11. Click Save and Close.

Provision the Contingent Worker Role Automatically to Contingent Workers

Repeat the steps in Provision the Employee Role Automatically to Employees, with the following changes:

  • In step 4, enter Contingent Worker as the mapping name.

  • In step 5, set System Person Type to Contingent Worker.

  • In steps 8 and 9, search for and select the Contingent Worker role.

Provision the Line Manager Role Automatically to Line Managers

Follow these steps:

  1. In the Search Results section of the Manage Role Mappings page, click the Create icon. The Create Role Mapping page opens.

  2. In the Mapping Name field enter Line Manager.

  3. Complete the fields in the Conditions section of the Create Role Mapping page as shown in the following table.

    Field | Value
    --- | ---
    System Person Type | Employee
    HR Assignment Status | Active
    Manager with Reports | Yes

    Tip: Setting Manager with Reports to Yes is the same as setting Manager Type to Line Manager. You don't need both values.

  4. In the Associated Roles section of the Create Role Mapping page, add a row.

  5. In the Role Name field of the Associated Roles section, click Search.

  6. In the Search and Select dialog box, enter Line Manager in the Role Name field and click Search.

  7. Select Line Manager in the search results and click OK.

  8. If Autoprovision isn't selected automatically, then select it. Ensure that the Requestable and Self-Requestable options aren't selected.

  9. Click Save and Close.

  10. On the Manage Role Mappings page, click Done.

To provision the line manager role automatically to contingent workers, follow these steps to create an additional role mapping. In step 2, use a unique mapping name (for example, Contingent Worker Line Manager). In step 3, set System Person Type to Contingent Worker.
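The following added example, which is not Oracle code, is a simplified model of the role mappings created in this topic and shows which roles each kind of worker ends up with, including a contingent worker who manages people. It assumes that a mapping applies only when every condition matches the assignment and that an autoprovisioned role is removed when its conditions no longer match; the sample assignments and the Inactive status value are constructed.

```python
# Simplified model (added example, not Oracle code) of the role mappings above.
# Assumption: a mapping applies when every condition equals the matching
# attribute of the worker's assignment.
ACTIVE = {"HR Assignment Status": "Active"}


def role_mapping(name, role, conditions):
    # Autoprovision selected; Requestable and Self-Requestable not selected.
    return {"name": name, "role": role, "autoprovision": True,
            "conditions": {**ACTIVE, **conditions}}


BASE_MAPPINGS = [
    role_mapping("Employee", "Employee", {"System Person Type": "Employee"}),
    role_mapping("Contingent Worker", "Contingent Worker",
                 {"System Person Type": "Contingent Worker"}),
    role_mapping("Line Manager", "Line Manager",
                 {"System Person Type": "Employee", "Manager with Reports": "Yes"}),
]
# Additional mapping described in the final paragraph of this topic.
CW_LINE_MANAGER = role_mapping(
    "Contingent Worker Line Manager", "Line Manager",
    {"System Person Type": "Contingent Worker", "Manager with Reports": "Yes"})


def autoprovisioned_roles(assignment, mappings):
    """Roles the mappings grant automatically for this assignment."""
    return {m["role"] for m in mappings
            if m["autoprovision"]
            and all(assignment.get(k) == v for k, v in m["conditions"].items())}


def reconcile(current_roles, assignment, mappings):
    """Return (to_add, to_remove, left_without_roles) for one user."""
    target = autoprovisioned_roles(assignment, mappings)
    managed = {m["role"] for m in mappings if m["autoprovision"]}
    to_add = target - set(current_roles)
    # Only roles these mappings manage are removed; other roles are left alone.
    to_remove = (set(current_roles) & managed) - target
    remaining = (set(current_roles) - to_remove) | to_add
    return to_add, to_remove, not remaining


# Constructed sample assignments.
MANAGER = {"System Person Type": "Employee", "HR Assignment Status": "Active",
           "Manager with Reports": "Yes"}
CW_MANAGER = {**MANAGER, "System Person Type": "Contingent Worker"}
TERMINATED = {**MANAGER, "HR Assignment Status": "Inactive"}  # constructed value
```

A user for whom reconcile reports left_without_roles is the case this chapter describes as suspended automatically, because the account has no roles.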

FAQs for Preparing for Application Users

Can I implement single sign-on in the cloud?

Yes. Single sign-on enables users to sign in once but access multiple applications, including Oracle Human Capital Management Cloud.

Submit a service request for implementation of single sign-on. For more information, see Oracle Applications Cloud Service Entitlements (2004494.1) on My Oracle Support at https://support.oracle.com.