15 Reporting on Application Users and Roles

Run the User Details System Extract Report

The Oracle BI Publisher User Details System Extract Report includes details of selected Oracle Fusion Applications user accounts. To run this report, you must have a data role providing view-all access to person records for the Human Capital Management Application Administrator job role.

To run the report:

  1. In the Contents pane of the Reports and Analytics work area, select Shared Folders > Human Capital Management > Workforce Management > Human Resources Dashboard.

  2. Select the User Details System Extract report.

  3. In the report window, click More.

  4. On the Oracle Business Intelligence page for the report, select either Open to run the report immediately or More > Schedule to schedule the report.

User Details System Extract Report Parameters

The Oracle BI Publisher User Details System Extract Report includes details of Oracle Fusion Applications user accounts. This topic describes the report parameters. Run the report in the Reports and Analytics work area.

Parameters

User Population

Enter one of the values shown in this table to identify user accounts to include in the report.

| Value | Description |
|---|---|
| HCM | User accounts with an associated HCM person record. |
| TCA | User accounts with an associated party record. |
| LDAP | Accounts for users in the PER_USERS table who have no person number or party ID. Implementation users are in this category. |
| ALL | HCM, TCA, and LDAP user accounts. |

From Date

Accounts for HCM and LDAP users that exist on or after this date appear in the report. If you specify no From Date value, then the report includes accounts with any creation date, subject only to any To Date value.

From and to dates don't apply to the TCA user population. The report includes all TCA users if you include them in the report's user population.

To Date

Accounts for HCM and LDAP users that exist on or before this date appear in the report. If you specify no To Date value, then the report includes accounts with any creation date, subject only to any From Date value.

From and to dates don't apply to the TCA user population. The report includes all TCA users if you include them in the report's user population.

User Active Status

Enter one of the values shown in this table to identify the user-account status.

| Value | Description |
|---|---|
| A | Include active accounts, which belong to users with current roles. |
| I | Include inactive accounts, which belong to users with no current roles. |
| All | Include both active and inactive user accounts. |

User Details System Extract Report

The Oracle BI Publisher User Details System Extract Report includes details of Oracle Fusion Applications user accounts. This topic describes the report contents.

Run the report in the Reports and Analytics work area.

Report Results

The report is an XML-formatted file where user accounts are grouped by type, as follows:

  • Group 1 (G_1) includes HCM user accounts.

  • Group 2 (G_2) includes TCA party user accounts.

  • Group 3 (G_3) includes LDAP user accounts.

The information in the extract varies with the account type.

HCM User Accounts

Business Unit Name

The business unit from the primary work relationship.

Composite Last Update Date

The date when any one of a number of values, including assignment managers, location, job, and person type, was last updated.

Department

The department from the primary assignment.

Worker Type

The worker type from the user's primary work relationship.

Generation Qualifier

The user's name suffix (for example, Jr., Sr., or III).

Hire Date

The enterprise hire date.

Role Name

A list of roles currently provisioned to workers whose work relationships are all terminated. This value appears for active user accounts only.

Title

The job title from the user's primary assignment.

TCA User Accounts

Organizations

A resource group.

Roles

A list of job, abstract, and data roles provisioned to the user.

Managers

The manager of a resource group.

LDAP User Accounts

Start Date

The account's start date.

Created By

The user name of the user who created the account.

Person User Information Reports

This topic describes the Person User Dashboard and Person User Information Oracle Business Intelligence Publisher reports. Use these reports to extract the history of a specified Oracle HCM Cloud user account. To run the reports, you must inherit the ORA_PER_MANAGE_USER_AND_ROLES_DUTY_OBI duty role. Several predefined job roles, including IT Security Manager and Human Resource Specialist, inherit this duty role.

To run the reports:

  1. Open the Reports and Analytics work area.

  2. Select All Folders > Shared Folders > Human Capital Management > Workforce Management > Human Resources Dashboard.

Both reports appear in the Human Resources Dashboard folder.

Running the Person User Information Reports

Use the Person User Dashboard report to display user account information, specifically the person ID, of a specified user. Follow these steps:

  1. Click the Person User Dashboard entry.

  2. On the Person User Summary page, complete the parameters shown in this table to filter the report and click Apply.

    | Parameter | Description |
    |---|---|
    | Display Name | The user's display name, for example, John Gorman |
    | Last Name | The user's last name, for example, Gorman |
    | Start Date | The user's start date. Users with start dates equal to or later than this date may appear in the report. |

  3. When you have identified the user of interest, copy the person ID from the Person User Information table in the report. You use this person ID in the Person User Information report.

Use the Person User Information report to display the detailed history of a specified user account. Follow these steps:

  1. In the Human Resources Dashboard folder, click Person User Information.

  2. On the Person User Detail page, complete either or both of the parameters shown in this table and click Apply:

    | Parameter | Description |
    |---|---|
    | Start Date | The user's start date. Users with start dates equal to or later than this date may appear in the report. |
    | Person ID | The person ID copied from the Person User Dashboard report. |

The report output includes:

  • Person information

  • User history

  • Assigned roles and details of the associated role mappings

  • Role delegation details

  • LDAP request details

  • Work relationship and assignment information

To save either of the reports to a spreadsheet, select Actions > Export > Excel.

User History Report

This topic describes the User History report, which extracts and formats the history of a specified Oracle HCM Cloud user account. Oracle Support may ask you to run this report to help diagnose user-related errors. To run the report, you must inherit the ORA_PER_MANAGE_USER_AND_ROLES_DUTY_OBI (Manage Users) duty role. Several predefined job roles, including IT Security Manager and Human Resource Specialist, inherit this duty role.

Follow these steps to run the report.

  1. Select Navigator > My Team > Users and Roles.

  2. On the Search Person page, search for the person of interest.

  3. In the search results, click the person name to open the Edit User page.

  4. On the Edit User page, click Print User History. In the User History dialog box, you can review the report.

    You can either print the report or download a PDF file by clicking relevant icons in the User History dialog box.

  5. Click Cancel to close the User History dialog box.

Tip: You don't have to view the report. You can select Print User History > Download to download the PDF file. The file name is in the format <person ID>_UserHistory.pdf.

This report is identical to the Person User Information report, which authorized users can run in the Reports and Analytics work area.

Report Contents

For the selected user, the report includes:

  • Person information

  • User history

  • Provisioned roles and details of any associated role mappings

  • Role delegation details

  • LDAP request details

  • Work relationship and assignment information

View Role Information Using Security Dashboard

As an IT Security Manager, you can use the Security Dashboard to get a snapshot of the security roles and how those roles are provisioned in the Oracle Cloud Applications. The information is sorted by role category and you can view details such as data security policy, function security policy, and users associated with a role. You can also perform a reverse search on a data security policy or a function security policy and view the associated roles.

You can search for roles using the Role Overview page. On this page, you can view the count of roles, which includes inherited roles, data security policies, and function security policies. Clicking the number in a tile on this page takes you to the corresponding page in the Role Dashboard. You can view role details either on the Role Overview page of the Security Dashboard or the Role Dashboard.

You can view role information such as the directly assigned function security policies and data security policies, roles assigned to users, directly assigned roles, and inherited roles list using the Role Dashboard. Clicking any role-related link on a page of the Security Dashboard takes you to the relevant page in the Role Dashboard. You can export the role information to a spreadsheet. The information on each tab is exported to a sheet in the spreadsheet. This dashboard supports a print-friendly view for a single role.

Here are the steps to view the Security Dashboard:

  1. In the Reports and Analytics work area, click Browse Catalog.

  2. On the Oracle BI page, open Shared Folders > Security > Transaction Analysis Samples > Security Dashboard.

    All pages of the dashboard are listed.

  3. To view the Role Category Overview page, click Open.

    The page displays the number of roles in each role category in both tabular and graphical formats.

  4. In the Number of Roles column, click the numeric value to view the role-related details.

  5. Click View Role to view the role-specific information in the Role Dashboard.

LDAP Request Information Reports

This topic describes the LDAP Request Dashboard and LDAP Request Information reports. Use these reports to extract information about the status of LDAP requests. To run the reports, you must have the IT Security Manager job role.

To run the reports:

  1. Open the Reports and Analytics work area.

  2. In the Contents pane, select Shared Folders > Human Capital Management > Workforce Management > Human Resources Dashboard.

Both reports appear in the Human Resources Dashboard folder.

Running the LDAP Request Information Reports

Use the LDAP Request Dashboard report to display summaries of requests in specified categories. Follow these steps:

  1. In the Human Resources Dashboard folder, click LDAP Request Dashboard > More. The Oracle Business Intelligence Catalog page opens.

  2. Find the LDAP Request Dashboard entry on the Business Intelligence Catalog page and click Open to open the report.

  3. On the LDAP Request Dashboard page, complete the parameters shown in this table to filter the report and click Apply.

    | Parameter | Description |
    |---|---|
    | Within the Last N Days | Enter a number of days. The report includes LDAP requests updated within the specified period. |
    | Request Type | Select an LDAP request type. The value can be one of Create, Update, Suspend, Activate, UserRoles, Terminate, and All. |
    | Request Status | Select an LDAP request status. The value can be one of Complete, Faulted, In Progress, Request, Part Complete, Suppressed, Rejected, Consolidated, and All. |

The report output includes:

  • A summary of the enterprise settings for user-account creation and maintenance.

  • Numbers of LDAP requests by status and type in both tabular and graphical formats.

  • A summary table showing, for each request type, its status, equivalent user status, any error codes and descriptions, and the number of requests. All values are for the specified period.

You can refresh the report to update it as requests are processed.

Use the LDAP Request Information report to review details of the LDAP requests in the LDAP requests table in Oracle HCM Cloud. Follow these steps:

  1. In the Human Resources Dashboard folder, click LDAP Request Information > More. The Oracle Business Intelligence Catalog page opens.

  2. Find the LDAP Request Information entry on the Business Intelligence Catalog page and click Open to open the report.

  3. On the LDAP Request Information page, complete the parameters shown in this table to filter the report and click Apply.

    | Parameter | Description |
    |---|---|
    | Within the Last N Days | Enter a number of days. The report includes LDAP requests updated within the specified period. |
    | Request Type | Select an LDAP request type. The value can be one of Create, Update, Suspend, Activate, UserRoles, Terminate, and All. |
    | Request Status | Select an LDAP request status. The value can be one of Complete, Faulted, In Progress, Request, Part Complete, Suppressed, Rejected, Consolidated, and All. |

The report includes a table showing for each request:

  • The request date and type

  • Whether the request is active

  • The request status and its equivalent user status

  • Error codes and descriptions, if appropriate

  • Requested user names, if any

  • The person to whom the request relates

  • When the request was created and last updated

To save either of the reports to a spreadsheet, select Actions > Export > Excel.

Inactive Users Report

Run the Inactive Users Report process to identify users who haven't signed in for a specified period.

To run the report:

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. Search for and select the Import User Login History process.

    Note: Whenever you run the Inactive Users Report process, you must first run the Import User Login History process. This process imports information that the Inactive Users Report process uses to identify inactive users. It's recommended that you schedule Import User Login History to run daily.

  3. When the Import User Login History process completes, search for and select the Inactive Users Report process.

  4. In the Process Details dialog box, set parameters to identify one or more users.

  5. Click Submit.

Inactive Users Report Parameters

All parameters except Days Since Last Activity are optional.

User Name Begins With

Enter one or more characters.

First Name Begins With

Enter one or more characters.

Last Name Begins With

Enter one or more characters.

Department

Enter the department from the user's primary assignment.

Location

Enter the location from the user's primary assignment.

Days Since Last Activity

Enter the number of days since the user last signed in. Use this parameter to specify the meaning of the term inactive user in your enterprise. Use other parameters to filter the results.

This value is required and is 30 by default. This value identifies users who haven't signed in during the last 30 or more days.

Last Activity Start Date

Specify the start date of a period in which the last activity must fall.

Last Activity End Date

Specify the end date of a period in which the last activity must fall.

Viewing the Report

The process produces an Inactive_Users_List_processID.xml file and a Diagnostics_processID.zip file.

The report includes the following details for each user who satisfies the report parameters:

  • Number of days since the user was last active

  • Date of last activity

  • User name

  • First and last names

  • Assignment department

  • Assignment location

  • City and country

  • Report time stamp

Note: The information in the report relating to the user's latest activity isn't based solely on actions performed by the user in the UI. Actions performed on behalf of the user, which create user sessions, also affect these values. For example, running processes, making web service requests, and running batch processes are interpreted as user activity.

User Role Membership Report

The User Role Membership Report lists role memberships for specified users.

To run the report process:

  1. Open the Scheduled Processes work area.

  2. Search for and select the User Role Membership Report process.

User Role Membership Report Parameters

You can specify any combination of the following parameters to identify the users whose role memberships are to appear in the report.

Note: The report may take a while to complete if you run it for all users, depending on the number of users and their roles.

User Name Begins With

Enter one or more characters of the user name.

First Name Begins With

Enter one or more characters from the user's first name.

Last Name Begins With

Enter one or more characters from the user's last name.

Department

Enter the department from the user's primary assignment.

Location

Enter the location from the user's primary assignment.

Viewing the Report

The process produces a UserRoleMemberships_processID_CSV.zip file and a Diagnostics_processID.zip file. The UserRoleMemberships_processID_CSV.zip file contains the report output in CSV format. The report shows the parameters that you specified, followed by the user details for each user in the specified population. The user details include the user name, first and last names, user status, department, location, and role memberships.

User and Role Access Audit Report

The User and Role Access Audit Report provides details of the function and data security privileges granted to specified users or roles. This information is equivalent to the information that you can see for a user or role on the Security Console. This report is based on data in the Applications Security tables, which you populate by running the Import User and Role Application Security Data process.

To run the User and Role Access Audit Report:

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. Search for and select the User and Role Access Audit Report process.

  3. In the Process Details dialog box, set parameters and click Submit.

  4. Click OK to close the confirmation message.

User and Role Access Audit Report Parameters

Population Type

Set this parameter to one of these values to run the report for one user, one role, multiple users, or all roles.

  • All roles

  • Multiple users

  • Role name

  • User name

User Name

Search for and select the user name of a single user.

This field is enabled only when Population Type is User name.

Role Name

Search for and select the name of a single aggregate privilege or data, job, abstract, or duty role.

This field is enabled only when Population Type is Role name.

From User Name Starting With

Enter one or more characters from the start of the first user name in a range of user names.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users.

To User Name Starting With

Enter one or more characters from the start of the last user name in a range of user names.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users.

User Role Name Starts With

Enter one or more characters from the start of a role name.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users and roles.

Data Security Policies

Select Data Security Policies to view the data security report for any population. If you leave the option deselected, then only the function security report is generated.

Note: If you don't need the data security report, then leave the option deselected to reduce the report processing time.

Debug

Select Debug to include the role GUID in the report. The role GUID is used to troubleshoot. Select this option only when requested to do so by Oracle Support.

Viewing the Report Results

The report produces either one or two .zip files, depending on the parameters you select. When you select Data Security Policies, two .zip files are generated, one for data security policies and one for functional security policies in a hierarchical format.

The file names are in the following format: [FILE_PREFIX]_[PROCESS_ID]_[DATE]_[TIME]_[FILE_SUFFIX]. The file prefix depends on the specified Population Type value.

This table shows the file prefix values for each report type.

| Report Type | File Prefix |
|---|---|
| User name | USER_NAME |
| Role name | ROLE_NAME |
| Multiple users | MULTIPLE_USERS |
| All roles | ALL_ROLES |

This table shows the file suffix, file format, and file contents for each report type.

| Report Type | File Suffix | File Format | File Contents |
|---|---|---|---|
| Any | DataSec | CSV | Data security policies. The .zip file contains one file for all users or roles. The data security policies file is generated only when Data Security Policies is selected. Note: Extract the data security policies only when necessary, as generating this report is time consuming. |
| Any | Hierarchical | CSV | Functional security policies in a hierarchical format. The .zip file contains one file for each user or role. |
| Multiple users, All roles | CSV | CSV | Functional security policies in a comma-separated, tabular format. |

The process also produces a .zip file containing a diagnostic log.

For example, if you report on a job role at 13.30 on 17 December 2015 with process ID 201547 and the Data Security Policies option selected, then the report files are:

  • ROLE_NAME_201547_12-17-2015_13-30-00_DataSec.zip

  • ROLE_NAME_201547_12-17-2015_13-30-00_Hierarchical.zip

  • Diagnostic.zip
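
When the report files are collected as audit evidence, the naming format above can be checked automatically. The following is an added example, not Oracle code: it parses the documented file name format and reports which expected outputs of a run are missing. The date and time layout (MM-DD-YYYY, HH-MM-SS) is an assumption inferred from the single example on this page, and the function names are hypothetical.

```python
import re
from datetime import datetime
from typing import NamedTuple

# File prefix for each Population Type, from the table on this page.
PREFIX_TO_POPULATION = {
    "USER_NAME": "User name",
    "ROLE_NAME": "Role name",
    "MULTIPLE_USERS": "Multiple users",
    "ALL_ROLES": "All roles",
}
# The page lists the CSV suffix only for these two report types.
CSV_ONLY_FOR = {"MULTIPLE_USERS", "ALL_ROLES"}
KNOWN_SUFFIXES = {"DataSec", "Hierarchical", "CSV"}

# Assumption: MM-DD-YYYY and HH-MM-SS, inferred from the page's single example.
NAME_RE = re.compile(
    r"^(?P<prefix>[A-Z]+_[A-Z]+)_(?P<pid>\d+)"
    r"_(?P<date>\d{2}-\d{2}-\d{4})_(?P<time>\d{2}-\d{2}-\d{2})"
    r"_(?P<suffix>[A-Za-z]+)\.zip$"
)


class AuditFile(NamedTuple):
    population: str
    process_id: int
    generated: datetime
    suffix: str


def parse_audit_filename(name: str) -> AuditFile:
    """Parse one report file name; raise ValueError if it breaks the format."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not an audit report file name: {name!r}")
    prefix, suffix = m["prefix"], m["suffix"]
    if prefix not in PREFIX_TO_POPULATION:
        raise ValueError(f"unknown file prefix: {prefix}")
    if suffix not in KNOWN_SUFFIXES:
        raise ValueError(f"unknown file suffix: {suffix}")
    if suffix == "CSV" and prefix not in CSV_ONLY_FOR:
        raise ValueError(f"CSV suffix is not listed for prefix {prefix}")
    # strptime also rejects impossible dates such as 13-45-2015.
    generated = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%Y %H-%M-%S")
    return AuditFile(PREFIX_TO_POPULATION[prefix], int(m["pid"]), generated, suffix)


def missing_outputs(names, data_security_selected: bool) -> list:
    """Return the suffixes expected for one run that are absent from names."""
    seen, process_ids = set(), set()
    for name in names:
        if name == "Diagnostic.zip":  # diagnostic log, named as in the page's example
            continue
        parsed = parse_audit_filename(name)
        seen.add(parsed.suffix)
        process_ids.add(parsed.process_id)
    if len(process_ids) > 1:
        raise ValueError(f"files from several runs mixed together: {sorted(process_ids)}")
    # Per the table: Hierarchical for any report type, DataSec only when selected.
    expected = {"Hierarchical"}
    if data_security_selected:
        expected.add("DataSec")
    return sorted(expected - seen)
```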

User Password Changes Audit Report

This report identifies users whose passwords were changed in a specified period. You must have the ASE_USER_PASSWORD_CHANGES_AUDIT_REPORT_PRIV function security privilege to run this report. The predefined IT Security Manager job role has this privilege by default.

To run the User Password Changes Audit Report:

  1. Open the Scheduled Processes work area.

  2. Click Schedule New Process.

  3. Search for and select the User Password Changes Audit Report process.

  4. In the Process Details dialog box, set parameters and click Submit.

  5. Click OK to close the confirmation message.

User Password Changes Audit Report Parameters

Search Type

Specify whether the report is for all users, a single, named user, or a subset of users identified by a name pattern that you specify.

User Name

Search for and select the user on whom you want to report. This field is enabled only when Search Type is set to Single user.

User Name Pattern

Enter one or more characters that appear in the user names on which you want to report. For example, you could report on all users whose user names begin with the characters SAL by entering SAL%. This field is enabled only when Search Type is set to User name pattern.

Start Date

Select the start date of the period during which password changes occurred. Changes made before this date don't appear in the report.

To Date

Select the end date of the period during which password changes occurred. Changes made after this date don't appear in the report.

Sort By

Specify how the report output is sorted. The report can be organized by either user name or the date when the password was changed.

Viewing the Report Results

The report produces these files:

  • UserPasswordUpdateReport.csv

  • UserPasswordUpdateReport.xml

  • Diagnostics_[process ID].log

For each user whose password changed in the specified period, the report includes:

  • The user name.

  • The first and last names of the user.

  • The user name of the person who changed the password.

  • How the password was changed:

    • ADMIN means that the change was made for the user by a line manager or the IT Security manager, for example.

    • SELF_SERVICE means that the user made the change by setting preferences or requesting a password reset, for example.

    • FORGOT_PASSWORD means that the user clicked the Forgot Password link when signing in.

  • The date and time of the change.
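
The fields listed above are enough to triage the report for review. The following is an added example, not Oracle code: it reads a password-change CSV and returns accounts and actors worth a closer look. The column names, timestamp layout, sample rows, and thresholds are all assumptions constructed for this example; only the three change-type values come from this page.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. The column names and timestamp layout are
# assumptions for this example; map them to the headers in your own
# UserPasswordUpdateReport.csv before use.
SAMPLE_CSV = """\
USER_NAME,FIRST_NAME,LAST_NAME,CHANGED_BY,CHANGE_TYPE,CHANGE_TIME
sal.jones,Sal,Jones,sal.jones,SELF_SERVICE,2024-03-01 09:12:00
sal.smith,Sal,Smith,it.admin1,ADMIN,2024-03-01 10:00:00
pat.lee,Pat,Lee,it.admin1,ADMIN,2024-03-01 10:02:00
kim.roy,Kim,Roy,it.admin1,ADMIN,2024-03-01 10:03:00
kim.roy,Kim,Roy,kim.roy,FORGOT_PASSWORD,2024-03-01 18:40:00
ana.diaz,Ana,Diaz,line.mgr7,ADMIN,2024-03-02 08:30:00
"""

# The three change types the report documents.
KNOWN_TYPES = {"ADMIN", "SELF_SERVICE", "FORGOT_PASSWORD"}


def load_changes(text):
    """Read report rows and parse the change time (assumed layout)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["CHANGE_TIME"] = datetime.strptime(row["CHANGE_TIME"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def triage(rows, bulk_threshold=3, repeat_window=timedelta(hours=24)):
    """Return review items: bulk ADMIN actors, rapid repeats, unknown types."""
    admin_targets = defaultdict(set)   # actor -> accounts they changed
    times_by_user = defaultdict(list)  # account -> change times
    unknown = []
    for row in rows:
        times_by_user[row["USER_NAME"]].append(row["CHANGE_TIME"])
        if row["CHANGE_TYPE"] not in KNOWN_TYPES:
            unknown.append((row["USER_NAME"], row["CHANGE_TYPE"]))
        elif row["CHANGE_TYPE"] == "ADMIN":
            admin_targets[row["CHANGED_BY"]].add(row["USER_NAME"])

    # Actors who changed passwords on many distinct accounts in the period.
    bulk = {actor: sorted(users) for actor, users in admin_targets.items()
            if len(users) >= bulk_threshold}

    # Accounts whose password changed more than once within the window.
    repeats = []
    for user, times in times_by_user.items():
        times.sort()
        if any(b - a <= repeat_window for a, b in zip(times, times[1:])):
            repeats.append(user)

    return {"bulk_admin_actors": bulk,
            "repeat_changes": sorted(repeats),
            "unknown_types": unknown}
```

Call `triage(load_changes(text))` on the report contents and compare the flagged ADMIN changes against help desk tickets for the same period.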

View Locked Users and Unlock Users

A user is locked out of the application either after entering an incorrect password multiple times or when the application hasn't been accessed for a certain period of time. The locked users report provides the list of locked users for both these scenarios.

You can get a list of locked users using the Locked Users scheduled process. You can then manually unlock the users using the Security Console. Only an administration user with the IT Security Manager job role can run the locked users report.

View Locked Users

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. Search for and select the Locked Users process and click OK.

  3. In the Process Details dialog box, click Submit.

  4. Click OK in the confirmation message dialog box.

  5. Click Succeeded for the selected Locked Users report.

  6. In the Log and Output section, click Attachment to download the report spreadsheet.

    The spreadsheet shows the list of users who are locked.

The Locked Users spreadsheet contains the following two tabs:

  • LOCKED_USERS_<RequestID> - This tab contains the list of locked and active users who can't sign in to the application because of locked status.

  • LOCKED_AND_INACTIVE_USERS_<RequestID> - This tab contains the list of locked and inactive users who can't sign in to the application because of locked and inactive status.

Unlock Users

  1. On the Security Console, click Users.

  2. From the Search drop-down list, select Locked Users and click the search icon.

    All the locked users are displayed.

  3. Click the display name of a user to view the details.

  4. Click Edit.

  5. In the Account Information section, deselect Locked.

  6. Click Save and Close.

  7. Click Done.

    The user is unlocked and can sign in to the application.

FAQs for Reporting on Application Users and Roles

Can I extract details of all Oracle Fusion Applications users?

Yes. The Oracle BI Publisher report User Details System Extract provides details of user accounts. For example, you can produce a report showing all user accounts, inactive user accounts, or accounts created between specified dates.

To run the report, you need a data role that provides view-all access to person records for the Human Capital Management Application Administrator job role.

How can I find out which roles a user has?

Search for and select the user on the Roles tab of the Security Console. In the visualization area, you can see the user's role hierarchy in tabular or graphical format.

Alternatively, you can run the User Role Membership Report for one or more users.