6 Setting Up Applications Security

Overview of Applications Security Setup Tasks

During implementation, the TechAdmin user, who has the IT Security Manager job role, performs the tasks in the Initial Users functional area. This topic introduces some of these tasks. They're described in more detail in this chapter.

Manage Applications Security Preferences

This task opens the Administration tab of the Security Console.

On the General subtab of the Security Console Administration tab, you:

  • Specify for how long certificates remain valid by default. Certificates establish keys for the encryption and decryption of data that Oracle HCM Cloud exchanges with other applications.

  • Specify how often a warning appears to remind Security Console users to import the latest user and role information.

On the Roles subtab of the Security Console Administration tab, you:

  • Specify default prefix and suffix values for copied roles.

  • Specify a limit to the number of nodes that can appear in graphical representations of roles on the Roles tab of the Security Console.

  • Specify whether hierarchies on the Roles tab appear in graphical or tabular format by default.

On the Bridge for Active Directory subtab of the Security Console Administration tab, you configure the bridge for Microsoft Active Directory.

On the User Categories tab of the Security Console, you:

  • Create user categories.

  • Add users to user categories.

  • Specify the default format of user names for the user category.

  • Manage the password policy for the user category.

  • Manage the notification of user and password events to users in a selected user category.

  • Create notification templates for a selected user category.

Import Users and Roles into Application Security

This task runs a process that initializes and maintains the Oracle Fusion Applications Security tables. You're recommended to schedule this process to run daily. You must also run this process after every release update.

Import User Login History

This task runs a process that imports the history of user access to Oracle Fusion Applications. This information is required by the Inactive Users Report.

User-Name Formats

During implementation, you specify the default format of user names for the default user category. This topic describes the available formats. To select a format, you perform the Manage Applications Security Preferences task, which opens the Administration page of the Security Console. Click the User Categories tab and click the name of the default user category to open it. Click Edit on the Details subtab to edit the user-name format. You can change the format for any user category at any time.

Available User-Name Formats

This table describes the available user-name formats.

User-Name Format: Email
Description: The work email (or party email, for party users) is the user name. For example, the user name for john.smith@example.com is john.smith@example.com. To make duplicate names unique, a number is added. For example, john.smith2@example.com may be used if john.smith@example.com and john.smith1@example.com already exist. Email is the default format.

User-Name Format: FirstName.LastName
Description: The user name is the worker's first and last names separated by a single period. For example, the user name for John Frank Smith is john.smith. To make duplicate names unique, either the user's middle name or a random character is used. For example, John Smith's user name could be john.frank.smith or john.x.smith.

User-Name Format: FLastName
Description: The user name is the worker's last name prefixed with the initial of the worker's first name. For example, the user name for John Smith is jsmith.

User-Name Format: Person or party number
Description: The party number or person number is the user name. If your enterprise uses manual person numbering, then any number that's entered during the hiring process becomes the user name. Otherwise, the number is generated automatically and can't be edited. The automatically generated number becomes the user name. For example, if John Smith's person number is 987654, then the user name is 987654.

If you select a different user-name rule, then click Save. The change takes effect immediately.

System User Names

The selected user-name rule may fail. For example, a person's party number, person number, or email may not be available when the user account is requested. In this case, a system user name is generated by applying these options in the following order until a unique user name is defined:

  1. Email

  2. FirstName.LastName

  3. If only the last name is available, then a random character is prefixed to the last name.

The Security Console option Generate system user name when generation rule fails controls whether a system user name is generated. You can disable this option. In this case, an error is raised if the user name can't be generated in the selected format.

Tip: If a system user name is generated, then it can be edited later to specify a preferred value.
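The following is an added example, not Oracle's code, that models the user-name rules and the system user-name fallback described above so that you can see how duplicates and missing attributes are handled. The class and function names are assumptions, as are two details the page leaves open: how a duplicate FLastName value is disambiguated (a number suffix is used here) and what happens when the middle-name variant is also taken (a random character is tried, as for the plain FirstName.LastName case).

```python
# Added example (not Oracle's code): models the user-name rules described on this
# page. Names, the random-character fallback details and the number-suffix rule
# for FLastName duplicates are assumptions where the page is silent.
import random
import string
from dataclasses import dataclass
from typing import Callable, Optional

MAX_USER_NAME_LEN = 80  # maximum user-name length stated on the page


@dataclass
class Person:
    first_name: Optional[str] = None
    middle_name: Optional[str] = None
    last_name: Optional[str] = None
    work_email: Optional[str] = None
    person_number: Optional[str] = None


class UserNameGenerator:
    """Applies the selected user-name rule, then the system user-name fallback."""

    RULES = ("Email", "FirstName.LastName", "FLastName", "PersonNumber")

    def __init__(self, rule: str = "Email", generate_system_user_name: bool = True,
                 seed: int = 0) -> None:
        if rule not in self.RULES:
            raise ValueError(f"unknown user-name rule: {rule}")
        self.rule = rule
        self.generate_system_user_name = generate_system_user_name
        self._existing: set = set()       # lower-cased names already in use
        self._rng = random.Random(seed)   # seeded so results are reproducible

    def reserve(self, *names: str) -> None:
        """Register user names that already exist in the directory."""
        self._existing.update(n.lower() for n in names)

    def _taken(self, name: str) -> bool:
        return name.lower() in self._existing

    def _numbered(self, local: str, domain: str = "") -> str:
        """Disambiguate with a number: john.smith1@..., john.smith2@..."""
        n = 1
        while self._taken(f"{local}{n}{domain}"):
            n += 1
        return f"{local}{n}{domain}"

    def _from_email(self, p: Person) -> Optional[str]:
        if not p.work_email:
            return None
        if not self._taken(p.work_email):
            return p.work_email
        local, _, domain = p.work_email.partition("@")
        return self._numbered(local, "@" + domain)

    def _first_last(self, p: Person) -> Optional[str]:
        if not (p.first_name and p.last_name):
            return None
        base = f"{p.first_name}.{p.last_name}".lower()
        if not self._taken(base):
            return base
        if p.middle_name:  # the page: middle name or a random character
            cand = f"{p.first_name}.{p.middle_name}.{p.last_name}".lower()
            if not self._taken(cand):
                return cand
        while True:
            c = self._rng.choice(string.ascii_lowercase)
            cand = f"{p.first_name}.{c}.{p.last_name}".lower()
            if not self._taken(cand):
                return cand

    def _f_last(self, p: Person) -> Optional[str]:
        if not (p.first_name and p.last_name):
            return None
        base = (p.first_name[0] + p.last_name).lower()
        # Assumption: duplicates get a number suffix (the page doesn't say).
        return base if not self._taken(base) else self._numbered(base)

    def _person_number(self, p: Person) -> Optional[str]:
        return p.person_number or None

    def _system_user_name(self, p: Person) -> Optional[str]:
        """Fallback order from the page: Email, FirstName.LastName, then a random
        character prefixed to the last name when only the last name is known."""
        for fn in (self._from_email, self._first_last):
            name = fn(p)
            if name:
                return name
        if p.last_name:
            while True:
                cand = (self._rng.choice(string.ascii_lowercase) + p.last_name).lower()
                if not self._taken(cand):
                    return cand
        return None

    def generate(self, p: Person) -> str:
        rule_fn: Callable[[Person], Optional[str]] = {
            "Email": self._from_email,
            "FirstName.LastName": self._first_last,
            "FLastName": self._f_last,
            "PersonNumber": self._person_number,
        }[self.rule]
        name = rule_fn(p)
        if name is None:
            if not self.generate_system_user_name:
                # Mirrors disabling "Generate system user name when generation rule fails"
                raise ValueError(f"rule {self.rule} failed and system user names are disabled")
            name = self._system_user_name(p)
        if name is None:
            raise ValueError("no attribute available from which to build a user name")
        if len(name) > MAX_USER_NAME_LEN:
            raise ValueError("user name exceeds 80 characters")
        self._existing.add(name.lower())
        return name
```

The point to notice is the last branch of generate: with the Security Console option disabled, a request for which the rule fails is an error rather than a silently generated name, which is the behaviour you want if user names must be predictable for downstream systems.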

Editing User Names

Human resource (HR) specialists and line managers can enter user names in any format to override default user names when hiring workers. HR specialists can also edit user names for individual users on the Edit User and Manage User Account pages. The maximum length of the user name is 80 characters.

Work Email

The line manager or HR specialist may omit the work email when hiring the worker. In this case, the email can't be added later by editing the worker details. However, you can edit the user on the Security Console and enter the email there. To use work email as the user name after a different user name has been generated, edit the existing user name.

Password Policy

During implementation, you set the password policy for the default user category. This topic describes the available options. To set the password policy, you perform the Manage Applications Security Preferences task, which opens the Administration page of the Security Console. Click the User Categories tab and click the name of the default category to open it. Click Edit on the Password Policy subtab to edit the policy. You can change the password policy for any user category at any time.

Password Policy Options

This table describes the available options for setting password policy.

Option: Days Before Password Expiration
Description: Specifies the number of days for which a password remains valid. After this period, users must reset their passwords. By default, users whose passwords expire must follow the Forgot Password process.
Default Value: 90

Option: Days Before Password Expiry Warning
Description: Specifies when a user is notified that a password is about to expire. By default, users are prompted to sign in and change their passwords. This value must be equal to or less than the value of the Days Before Password Expiration option.
Default Value: 80

Note: This value is 10 for new installations from Update 18B.

Option: Hours Before Password Reset Token Expiration
Description: When users request a password reset, they're sent a password-reset link. This option specifies how long the link remains active. If the link expires before the password is reset, then the reset must be requested again. You can enter any value between 1 and 9999.
Default Value: 4

Option: Password Complexity
Description: Specifies whether passwords must be simple, complex, or very complex. Password validation rules identify passwords that fail the selected complexity test.
Default Value: Simple

Option: Disallow last password
Description: Select to ensure that a new password differs from the last password. This option applies when the user changes the password by selecting Settings and Actions > Set Preferences > Password. It doesn't apply after a password has expired: a user whose password has expired can reuse the last password.
Default Value: No

Option: Administrator can manually reset password
Description: Passwords can be either generated automatically or reset manually by the IT Security Manager or IT Auditor. Select this option to allow user passwords to be reset manually. All passwords, whether reset manually or generated automatically, must satisfy the current complexity rule.
Default Value: Yes

Note: Users are notified of password events only if appropriate notification templates are enabled for their user categories. The predefined notification templates for these events are Password Expiry Warning Template, Password Expiration Template, and Password Reset Template.

Password Expiry Report

The Password Expiry Report sends the password-expiration-warning and password-expired notifications. You must schedule the Password Expiry Report to run daily. To schedule the report:

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. In the Schedule Process dialog box, search for and select the Password Expiry Report process.

  3. Click OK.

  4. In the Process Details dialog box, click Advanced.

  5. On the Schedule tab, set Run to Using a schedule.

  6. Select a Frequency value. For example, select Daily.

  7. Select a start date and time.

  8. Click Submit.
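The following is an added example, not Oracle's code, that models the password-policy options described in this topic and what one daily run of the Password Expiry Report would send, taking into account the category-level Enable notifications switch and the per-template flags mentioned in the note above. The class and function names and the sample accounts are constructed for the example. One assumption is labelled in the code: the warning option is treated as the day of the password's life on which warnings begin, so that 80 with an expiration of 90 gives a ten-day warning window. Confirm that reading against your release, since the page notes the default changed in Update 18B.

```python
# Added example (not Oracle's code): models the password-policy options above and
# what a daily Password Expiry Report run would send. The warning semantics
# (warnings start on day <days_before_expiry_warning> of the password's life) are
# an assumption: check it against your release, since the page notes the default
# changed in Update 18B. Accounts below are constructed sample data.
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

COMPLEXITY_LEVELS = ("Simple", "Complex", "Very Complex")


@dataclass(frozen=True)
class PasswordPolicy:
    days_before_expiration: int = 90
    days_before_expiry_warning: int = 80
    hours_before_reset_token_expiration: int = 4
    complexity: str = "Simple"
    disallow_last_password: bool = False
    admin_can_reset: bool = True

    def validate(self) -> List[str]:
        """Return the constraint violations stated on the page (empty list = valid)."""
        errors = []
        if self.days_before_expiry_warning > self.days_before_expiration:
            errors.append("Days Before Password Expiry Warning must be <= Days Before Password Expiration")
        if not 1 <= self.hours_before_reset_token_expiration <= 9999:
            errors.append("Hours Before Password Reset Token Expiration must be between 1 and 9999")
        if self.complexity not in COMPLEXITY_LEVELS:
            errors.append(f"Password Complexity must be one of {COMPLEXITY_LEVELS}")
        return errors


@dataclass
class Account:
    user_name: str
    password_changed: date
    category: str = "Default"


@dataclass
class Category:
    notifications_enabled: bool = True
    # Per-template enable flags; predefined templates are all enabled by default.
    templates: Dict[str, bool] = field(default_factory=lambda: {
        "Password Expiry Warning Template": True,
        "Password Expiration Template": True,
    })


def password_status(policy: PasswordPolicy, changed: date, today: date) -> str:
    """'ok', 'warning' or 'expired' for one account (warning semantics assumed, see above)."""
    age = (today - changed).days
    if age >= policy.days_before_expiration:
        return "expired"
    if age >= policy.days_before_expiry_warning:
        return "warning"
    return "ok"


def reset_token_valid(policy: PasswordPolicy, issued: datetime, now: datetime) -> bool:
    """A reset link stays usable for the configured number of hours."""
    return now - issued < timedelta(hours=policy.hours_before_reset_token_expiration)


def expiry_report(policy: PasswordPolicy, accounts: List[Account],
                  categories: Dict[str, Category], today: date) -> List[Tuple[str, str]]:
    """(user_name, template) pairs a daily report run would send, honouring the
    category-level Enable notifications switch and the per-template flags."""
    sent = []
    for acct in accounts:
        status = password_status(policy, acct.password_changed, today)
        template = {"warning": "Password Expiry Warning Template",
                    "expired": "Password Expiration Template"}.get(status)
        if template is None:
            continue
        cat = categories.get(acct.category, Category())
        if cat.notifications_enabled and cat.templates.get(template, False):
            sent.append((acct.user_name, template))
    return sent


# Constructed sample data (not from the page).
SAMPLE_POLICY = PasswordPolicy()
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_ISSUED = datetime(2024, 3, 1, 9, 0)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2023, 12, 15)),                   # 77 days old: nothing sent
    Account("bob", date(2023, 12, 10)),                     # 82 days old: warning
    Account("carol", date(2023, 11, 20)),                   # 102 days old: expired
    Account("dave", date(2023, 11, 20), category="Quiet"),  # expired, but category muted
]
SAMPLE_CATEGORIES = {"Default": Category(), "Quiet": Category(notifications_enabled=False)}
```

The "dave" account is the case worth checking in a real tenant: a category with notifications disabled means an expired user gets no email at all and will discover the expiry only at the next sign-in, so disable notifications for a category deliberately, not by accident.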

Role Preferences

During implementation, you set default role preferences for the enterprise. This topic describes the role preferences and their effects. To set role preferences, you perform the Manage Applications Security Preferences task, which opens the General subtab of the Security Console Administration page. Click the Roles subtab of the Administration page. You can also set role preferences at any time on the Security Console.

Copied-Role Names

To create roles, you're recommended to copy predefined roles and edit the copied roles. When you copy a predefined role:

  • The ORA_ prefix, which identifies predefined roles, is removed automatically from the role code of the copied role.

  • The enterprise prefix and suffix values are added automatically to the role name and code of the copied role.

You specify enterprise prefix and suffix values on the Roles subtab of the Security Console Administration tab. By default:

  • Prefix values are blank.

  • The role-name suffix is Custom.

  • The role-code suffix is _CUSTOM.

For example, if you copy the Benefits Administrator job role (ORA_BEN_BENEFITS_ADMINISTRATOR_JOB), then the default name and code of the copied role are:

  • Benefits Administrator Custom

  • BEN_BENEFITS_ADMINISTRATOR_JOB_CUSTOM

You can supply prefix values and change the suffix values, as required. If you change these values, then click Save. The changes take effect immediately.

Graph Nodes and Default Views

On the Roles tab of the Security Console, you can display role hierarchies. By default, these hierarchies appear in tabular format. To use graphical format by default, deselect the Enable default table view option on the Roles subtab of the Security Console Administration tab.

When role hierarchies appear on the Roles tab, the number of nodes can be very high. To limit the number of nodes in the graphical view, set the Graph Node Limit option on the Roles subtab of the Security Console Administration tab. When you display a role hierarchy with more nodes than the specified limit, you're recommended to switch to the tabular format.

User Categories: Explained

You can categorize and segregate users according to functional and operational requirements. A user category groups a set of users so that the settings specified for the category apply to everyone in it. Typical scenarios in which you may want to group users are:

  • Users belong to different organizations within an enterprise and each organization follows a different user management policy.

  • Practices related to resetting passwords are not uniform across users.

  • Users have different preferences in receiving automated notifications for various tasks they perform in the application.

On the Security Console page, click the User Categories tab. You can perform the following tasks:

  • Segregate users into categories

  • Specify Next URL

  • Enable notifications

Segregate Users into Categories

Create user categories and add existing users to them. All existing users are automatically assigned to the Default user category unless otherwise specified. You may create more categories depending upon your requirement and assign users to those categories.

Note: You can assign a user to only one category.

Specify Next URL

Specify a URL to which users are redirected after they reset their passwords, instead of returning to the Sign In page. For example, a user requests a password reset and receives an email containing a reset link. After the new password is accepted, the user is directed to the specified website or application. If no URL is specified, the user is directed to the Oracle Applications Cloud Sign In page. You can specify only one URL per user category. Because users land on this URL immediately after a credential change, point it only at an HTTPS endpoint that you control.

Enable Notifications

Notifications are enabled by default, but you can enable or disable them separately for each user category. If users in a category don't want any notifications, disable notifications for all life cycle events. If they want notifications only for some events, enable only the templates for those events.

Notifications are sent for a set of predefined events. To trigger a notification, you must create a notification template and map it to the required event. Depending on the requirement, you can add or delete a template that is mapped to a particular event.

Note: You can't edit or delete predefined notification templates that begin with the prefix ORA. You can only enable or disable them. However, you can update or delete the user-defined templates.

The User Category feature supports both the SCIM protocol and HCM Data Loader for bulk updates.

Add Users to a User Category

Using the Security Console, you can add existing users to an existing user category or create a new category and add them. When you create new users, they're automatically assigned to the default category. At a later point, you can edit the user account and update the user category. You can assign a user to only one category.

Note: If you're creating new users using Security Console, you can also assign a user category at the time of creation.

You can add users to a user category in three different ways:

  • Create a user category and add users to it

  • Add users to an existing user category

  • Specify the user category for an existing user

Note: You can create and delete a user category only using the Security Console. Once the required user categories are available in the application, you can use them in SCIM REST APIs and data loaders. You can't rename a user category.

Adding Users to a New User Category

To create a user category and add users:

  1. On the Security Console, click User Categories > Create.

  2. Click Edit, specify the user category details, and click Save and Close.

  3. Click the Users tab and click Edit.

  4. On the User Category: Users page, click Add.

  5. In the Add Users dialog box, search for and select the user, and click Add.

  6. Repeat adding users until you have added the required users and click Done.

  7. Click Done on each page until you return to the User Categories page.

Adding Users to an Existing User Category

To add users to an existing user category:

  1. On the Security Console, click User Categories and click an existing user category to open it.

  2. Click the Users tab and click Edit.

  3. On the User Category: Users page, click Add.

  4. On the Add Users dialog box, search for and select the user, and click Add.

  5. Repeat adding users until you have added the required users and click Done.

  6. Click Done on each page until you return to the User Categories page.

Specifying the User Category for an Existing User

To add an existing user to a user category:

  1. On the Security Console, click Users.

  2. Search for and select the user for whom you want to specify the user category.

  3. On the User Account Details page, click Edit.

  4. In the User Information section, select the User Category. The Default user category remains set for a user until you change it.

  5. Click Save and Close.

  6. On the User Account Details page, click Done.

You can delete user categories if you don't require them. However, you must ensure that no user is associated with that user category. Otherwise, you can't proceed with the delete task. On the User Categories page, click the X icon in the row to delete the user category.

User-Name and Password Notifications

By default, users in all user categories are notified automatically of changes to their user accounts and passwords. These notifications are based on notification templates. Many templates are predefined, and you can create templates for any user category. During implementation, you identify the notifications that you plan to use for each user category and disable any that aren't needed. This topic introduces the predefined notification templates and explains how to enable and disable notifications.

Predefined Notification Templates

This table describes the predefined notification templates. Each template is associated with a predefined event. For example, the Password Reset Template is associated with the password-reset event. You can see these notification templates and their associated events on the User Category: Notifications page of the Security Console for a user category.

Notification Template Description

Password Expiry Warning Template

Warns the user that a password is expiring soon and provides instructions for resetting the password

Password Expiration Template

Notifies the user that a password has expired and provides instructions for resetting the password

Forgot User Name Template

Sends the user name to a user who requested the reminder

Password Generated Template

Notifies the user that a password has been generated automatically and provides instructions for resetting the password

Password Reset Template

Sends a reset-password link to a user who performed the Reset Password action on the My Account page

Password Reset Confirmation Template

Notifies the user when a password has been reset

Password Reset Manager Template

Sends a reset-password link to the manager of a user who performed the Reset Password action on the My Account page

Password Reset Manager Confirmation Template

Notifies the user's manager when a user's password has been reset

New Account Template

Notifies a user when a user account is created and provides a reset-password link

New Account Manager Template

Notifies the user's manager when a user account is created

When you create a user category, it's associated automatically with the predefined notification templates, which are all enabled.

You can't edit the predefined templates. However, you can create templates and disable the predefined versions. Each predefined event can be associated with only one enabled notification template at a time.

Enabling and Disabling Notifications

For any notification to be sent to the users in a user category, notifications in general must be enabled for the user category. Ensure that the Enable notifications option on the User Category: Notifications page is selected. When notifications are enabled, you can disable specific templates. For example, if you disable the New Account Template, then users in the relevant user category aren't notified when their accounts are created. Other notifications continue to be sent.

To disable a template:

  1. Click Edit on the User Category: Notifications page.

  2. In edit mode, click the template name.

  3. In the template dialog box, deselect the Enabled option.

  4. Click Save and Close.

Create a Notification Template

Predefined notification templates exist for events related to the user-account life cycle, such as user-account creation and password reset. When templates are enabled, users are notified automatically of events that affect them. To provide your own notifications, you create notification templates. This topic explains how to create a notification template for a user category.

Follow these steps:

  1. Open the Security Console and click the User Categories tab.

  2. On the User Categories page, click the name of the relevant user category.

  3. On the User Categories: Details page, click the Notifications subtab.

  4. On the User Category: Notifications page, click Edit.

  5. Click Add Template.

  6. In the Add Notification Template dialog box:

    1. Enter the template name.

    2. In the Event field, select a value. The predefined content for the selected event appears automatically in the Message Subject and Message Text fields. Tokens in the message text are replaced automatically in generated notifications with values specific to the user.

    3. Update the Message Subject field, as required. The text that you enter here appears in the subject line of the notification email.

    4. Update the message text, as required.

      This table shows the tokens supported in the message text.

      Token: userLoginId
      Meaning: User name
      Events: Forgot user name; Password expired; Password reset confirmation

      Token: firstName
      Meaning: User's first name
      Events: All events

      Token: lastName
      Meaning: User's last name
      Events: All events

      Token: managerFirstName
      Meaning: Manager's first name
      Events: New account created - manager; Password reset confirmation - manager; Password reset - manager

      Token: managerLastName
      Meaning: Manager's last name
      Events: New account created - manager; Password reset confirmation - manager; Password reset - manager

      Token: loginURL
      Meaning: URL where the user can sign in
      Events: Expiring external IDP signing certificate; Password expired; Password expiry warning

      Token: resetURL
      Meaning: URL where the user can reset his or her password
      Events: New account created - manager; New user created; Password generated; Password reset; Password reset - manager

      Token: CRLFX
      Meaning: New line
      Events: All events

      Token: SP4
      Meaning: Four spaces
      Events: All events

      Token: adminActivityUrl
      Meaning: URL where an administrator initiates an administration activity
      Events: Administration activity requested

      Token: providerName
      Meaning: External identity provider
      Events: Expiring external IDP signing certificate

      Token: signingCertDN
      Meaning: Signing certificate
      Events: Expiring external IDP signing certificate

      Token: signingCertExpiration
      Meaning: Signing certificate expiration date
      Events: Expiring external IDP signing certificate; Expiring service provider signing certificate

      Token: encryptionCertExpiration
      Meaning: Encryption certificate expiration date
      Events: Expiring service provider encryption certificate

      Token: adminFirstName
      Meaning: Administrator's first name
      Events: Administration activity location based access disabled confirmation; Administration activity single sign-on disabled confirmation

      Token: adminLastName
      Meaning: Administrator's last name
      Events: Administration activity location based access disabled confirmation; Administration activity single sign-on disabled confirmation

    5. To enable the template, select the Enabled option.

    6. Click Save and Close.

  7. Click Save on the User Category: Notifications page.

Note: When you enable an added template for a predefined event, the predefined template for the same event is automatically disabled.
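The following is an added example, not Oracle's code, that shows what the token substitution described in this topic amounts to and adds the check a practitioner wants before enabling a template: that the message text uses only tokens the page lists for the selected event. The token-to-event table is the one on this page; the ${token} delimiter syntax, the function names and the sample template and values are assumptions.

```python
# Added example (not Oracle's code): renders a notification template and checks
# that it uses only the tokens the page lists for the selected event. The
# ${token} delimiter syntax, the function names and the sample template are
# assumptions; the token/event table itself is the one on the page.
import re
from typing import Dict, List, Set

ALL = "*"  # marker for "All events"

TOKEN_EVENTS: Dict[str, Set[str]] = {
    "userLoginId": {"Forgot user name", "Password expired", "Password reset confirmation"},
    "firstName": {ALL},
    "lastName": {ALL},
    "managerFirstName": {"New account created - manager",
                         "Password reset confirmation - manager", "Password reset - manager"},
    "managerLastName": {"New account created - manager",
                        "Password reset confirmation - manager", "Password reset - manager"},
    "loginURL": {"Expiring external IDP signing certificate", "Password expired",
                 "Password expiry warning"},
    "resetURL": {"New account created - manager", "New user created", "Password generated",
                 "Password reset", "Password reset - manager"},
    "CRLFX": {ALL},
    "SP4": {ALL},
    "adminActivityUrl": {"Administration activity requested"},
    "providerName": {"Expiring external IDP signing certificate"},
    "signingCertDN": {"Expiring external IDP signing certificate"},
    "signingCertExpiration": {"Expiring external IDP signing certificate",
                              "Expiring service provider signing certificate"},
    "encryptionCertExpiration": {"Expiring service provider encryption certificate"},
    "adminFirstName": {"Administration activity location based access disabled confirmation",
                       "Administration activity single sign-on disabled confirmation"},
    "adminLastName": {"Administration activity location based access disabled confirmation",
                      "Administration activity single sign-on disabled confirmation"},
}

# Layout tokens have fixed expansions; the rest come from the per-user context.
LAYOUT_TOKENS = {"CRLFX": "\n", "SP4": "    "}

TOKEN_RE = re.compile(r"\$\{([A-Za-z0-9]+)\}")  # assumed ${token} syntax


def tokens_in(text: str) -> List[str]:
    return TOKEN_RE.findall(text)


def supported_tokens(event: str) -> Set[str]:
    """Tokens usable in a template for the given event, per the page's table."""
    return {t for t, ev in TOKEN_EVENTS.items() if ALL in ev or event in ev}


def validate_template(text: str, event: str) -> List[str]:
    """Return problems: unknown tokens, or tokens not supported for the event."""
    problems = []
    allowed = supported_tokens(event)
    for tok in sorted(set(tokens_in(text))):
        if tok not in TOKEN_EVENTS:
            problems.append(f"unknown token {tok}")
        elif tok not in allowed:
            problems.append(f"token {tok} is not supported for event '{event}'")
    return problems


def render(text: str, event: str, context: Dict[str, str]) -> str:
    """Validate, then replace every token with its layout expansion or context value."""
    problems = validate_template(text, event)
    if problems:
        raise ValueError("; ".join(problems))

    def sub(m: "re.Match[str]") -> str:
        tok = m.group(1)
        if tok in LAYOUT_TOKENS:
            return LAYOUT_TOKENS[tok]
        if tok not in context:
            raise KeyError(f"no value supplied for token {tok}")
        return context[tok]

    return TOKEN_RE.sub(sub, text)


# Constructed sample template and values for the Password reset event.
SAMPLE_TEXT = ("Hello ${firstName} ${lastName},${CRLFX}${SP4}Reset your password here: "
               "${resetURL}")
SAMPLE_CONTEXT = {"firstName": "John", "lastName": "Smith",
                  "resetURL": "https://example.com/reset"}
```

Running validate_template before you enable a template catches the common mistake of pasting a resetURL token into a template for an event that only supplies loginURL, which would otherwise reach users as an unexpanded placeholder or an empty link.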

Schedule the Import User and Role Application Security Data Process

You must run the Import User and Role Application Security Data process to set up and maintain the Security Console. During implementation, you perform the Import Users and Roles into Application Security task to run this process. It copies users, roles, privileges, and data security policies from the LDAP directory, policy store, and Applications Core Grants schema to Oracle Fusion Applications Security tables. Having this information in the Oracle Fusion Applications Security tables makes the assisted search feature of the Security Console fast and reliable. After the process runs to completion for the first time, you're recommended to schedule Import User and Role Application Security Data to run daily. This topic describes how to schedule the process.

Note: Whenever you run the process, it copies only those changes that were made since it last ran.

Schedule the Process

Follow these steps to schedule the Import User and Role Application Security Data process:

  1. Open the Scheduled Processes work area.

  2. In the Search Results section of the Overview page, click Schedule New Process.

  3. In the Schedule New Process dialog box, search for and select the Import User and Role Application Security Data process.

  4. Click OK.

  5. In the Process Details dialog box, click Advanced.

  6. On the Schedule tab, set Run to Using a schedule.

  7. Set Frequency to Daily and Every to 1.

  8. Enter start and end dates and times. The start time should be after any daily run of the Send Pending LDAP Requests process completes.

  9. Click Submit.

  10. Click OK to close the confirmation message.

Review Synchronization Process Preferences

On the General subtab of the Security Console Administration tab, you can set the Synchronization Process Preferences option. This option controls how frequently you're reminded to run the Import User and Role Application Security Data process. By default, the warning appears if the process hasn't run successfully in the last 6 hours. If you schedule the process to run daily, then you may want to increase this value to more than 24 hours so that the reminder doesn't appear between scheduled runs.

Schedule the Import User Login History Process

During implementation, you perform the Import User Login History task in the Setup and Maintenance work area. This task runs a process that imports information about user access to Oracle Fusion Applications to the Oracle Fusion Applications Security tables. This information is required by the Inactive Users Report, which reports on users who have been inactive for a specified period. After you perform Import User Login History for the first time, you're recommended to schedule it to run daily. In this way, you can ensure that the Inactive Users Report is up to date.

Schedule the Process

Follow these steps:

  1. Open the Scheduled Processes work area.

  2. In the Search Results section of the Overview page, click Schedule New Process.

  3. In the Schedule New Process dialog box, search for and select the Import User Login History process.

  4. Click OK.

  5. In the Process Details dialog box, click Advanced.

  6. On the Schedule tab, set Run to Using a schedule.

  7. Set Frequency to Daily and Every to 1.

  8. Enter start and end dates and times.

  9. Click Submit.

  10. Click OK to close the Confirmation message.

Why You Run the Send Pending LDAP Requests Process

You're recommended to run the Send Pending LDAP Requests process daily to send future-dated and bulk requests to your LDAP directory server. Schedule the process in the Scheduled Processes work area. This topic describes the purpose of Send Pending LDAP Requests.

Send Pending LDAP Requests sends the following items to the LDAP directory:

  • Requests to create, suspend, and reactivate user accounts.

    • When you create a person record for a worker, a user-account request is generated automatically.

    • When a person has no roles and no current work relationships, a request to suspend the user account is generated automatically.

    • A request to reactivate a suspended user account is generated automatically if you rehire a terminated worker.

    The process sends these requests to the LDAP directory unless the automatic creation and management of user accounts are disabled for the enterprise.

  • Work emails.

    If you include work emails when you create person records, then the process sends those emails to the LDAP directory.

  • Role provisioning and deprovisioning requests.

    The process sends these requests to the LDAP directory unless automatic role provisioning is disabled for the enterprise.

  • Changes to person attributes for individual users.

    The process sends this information to the LDAP directory unless the automatic management of user accounts is disabled for the enterprise.

  • Information about HCM data roles, which originate in Oracle HCM Cloud.

Note: All of these items are sent to the LDAP directory automatically unless they're either future-dated or generated by bulk data upload. You run the process Send Pending LDAP Requests to send future-dated and bulk requests to the LDAP directory.

Only one instance of Send Pending LDAP Requests can run at a time.

Schedule the Send Pending LDAP Requests Process

The Send Pending LDAP Requests process sends bulk requests and future-dated requests that are now active to your LDAP directory. You're recommended to schedule the Send Pending LDAP Requests process to run daily. This procedure explains how to schedule the process.

Note: Schedule the process only when your implementation is complete. After you schedule the process you can't run it on an as-needed basis, which may be necessary during implementation.

Schedule the Process

Follow these steps:

  1. Open the Scheduled Processes work area.

  2. Click Schedule New Process in the Search Results section of the Overview page.

  3. In the Schedule New Process dialog box, search for and select the Send Pending LDAP Requests process.

  4. In the Process Details dialog box, set User Type to identify the types of users to be processed. Values are Person, Party, and All. You're recommended to leave User Type set to All.

  5. The Batch Size field specifies the number of requests in a single batch. For example, if 400 requests exist and you set Batch Size to 25, then the process creates 16 batches of requests to process in parallel.

    The value A, which means that the batch size is calculated automatically, is recommended.

  6. Click Advanced.

  7. On the Schedule tab, set Run to Using a schedule.

  8. In the Frequency field, select Daily.

  9. Enter the start and end dates and times.

  10. Click Submit.

Run Retrieve Latest LDAP Changes

Information about users and roles in your LDAP directory is available automatically to Oracle Cloud Applications. However, in specific circumstances you're recommended to run the Retrieve Latest LDAP Changes process. This topic describes when and how to run Retrieve Latest LDAP Changes.

You run Retrieve Latest LDAP Changes if you believe data-integrity or synchronization issues may have occurred between Oracle Cloud Applications and your LDAP directory server. For example, you may notice differences between roles on the Security Console and roles on the Create Role Mapping page. You're also recommended to run this process after any release update.

Run the Process

Sign in with the IT Security Manager job role and follow these steps:

  1. Open the Scheduled Processes work area.

  2. Click Schedule New Process in the Search Results section of the Overview page.

    The Schedule New Process dialog box opens.

  3. In the Name field, search for and select the Retrieve Latest LDAP Changes process.

  4. Click OK to close the Schedule New Process dialog box.

  5. In the Process Details dialog box, click Submit.

  6. Click OK, then Close.

  7. On the Scheduled Processes page, click the Refresh icon.

    Repeat this step periodically until the process completes.

Note: Only one instance of Retrieve Latest LDAP Changes can run at a time.