Creating Implementation Users (Chapter 2) 20C

HCM Implementation Users

Implementation users:

Manage the implementation of Oracle Human Capital Management Cloud (Oracle HCM Cloud).
Administer application users and security, both during and after implementation.
Set up basic enterprise structures.

Implementation users have the necessary access for both initial implementation of the Oracle HCM Cloud service and its ongoing maintenance. You're recommended to create at least one implementation user.

How Implementation Users Differ from Application Users

Thanks to job roles such as Application Implementation Consultant, implementation users have unrestricted access to large amounts of data. However, the need for this level of access is temporary. After implementation, both application users and administrators can perform their tasks using less powerful roles. For an implementation user, only a user account exists. No person record exists in Oracle HCM Cloud.

Who Creates Implementation Users?

The Oracle HCM Cloud service administrator creates initial implementation users.

Recommended Implementation Users

You're recommended to create the implementation users shown in this table to ensure segregation of critical duties.

Implementation User	Description
TechAdmin	Performs technical setup duties, including security setup. This user is intended for technical superusers.
HCMUser	Performs functional setup duties. This user is intended for users who are performing the Oracle HCM Cloud implementation steps.

Additional implementation users may be useful, depending on the size of the enterprise and the structure of the implementation team. For example:

An application implementation manager can assign implementation tasks to other implementation users. This implementation user has the Application Implementation Manager job role.
A product family application administrator can perform implementation tasks for a specific product. This approach may be of interest if you're implementing multiple Oracle Fusion products and want an implementor for each product.

Tip: The Human Capital Management Application Administrator job role can access only HCM setup tasks. The Application Implementation Consultant job role can access all Oracle Fusion Applications setup tasks.

Overview of Creating HCM Implementation Users

As the service administrator for the Oracle HCM Cloud service, you're sent sign-in details when your environments are provisioned. This topic summarizes how to access the service for the first time and set up implementation users to perform the implementation. You must complete these steps before you release the environment to your implementation team.

You're recommended to create implementation users in the test environment first. Migrate your implementation to the production environment only after you have validated it. With this approach, the implementation team can learn how to implement security before setting up application users in the production environment.

Accessing the Oracle HCM Cloud Service

The welcome or service-activation email from Oracle provides the service URLs, user name, and temporary password for the test or production environment. Refer to the email for the environment that you're setting up. The Identity Domain value is the environment name. For example, HCMA could be the production environment and HCMA-TEST could be the test environment.

Sign in to the test or production Oracle HCM Cloud service using the service home URL from the welcome or service-activation email. The URL ends with either AtkHomePageWelcome or HcmFusionHome.

When you sign in for the first time, use the password from the welcome or service-activation email. You're prompted to change the password. Make a note of the new password, which is the service administrator password for subsequent access to the service. You're recommended not to share your sign-in details with other users.

Creating Implementation Users

This table summarizes the process of creating implementation users and assigning roles to them.

Step	Task or Activity	Description
1	Run User and Roles Synchronization Process	You run the process Retrieve Latest LDAP Changes to copy data from your LDAP directory server to Oracle HCM Cloud.
2	Import Users and Roles into Application Security	You perform this task to initialize the Oracle Fusion Applications Security tables.
3	Create Implementation Users	You create the TechAdmin and HCMUser implementation users and assign required job roles to them if these users don't already exist in your environment. You don't associate named workers with these users because your Oracle HCM Cloud service isn't yet configured to onboard workers. As your implementation progresses, you may decide to replace these users or change their definitions. However, these two are required initially.
4	Create Data Roles for Implementation Users	To enable implementation users to access HCM data, you create the following data roles: HRAnalyst_ViewAll HCMApplicationAdministrator_ViewAll HR_Specialist_ViewAll You create additional data roles if you have licensed the Oracle Fusion Workforce Compensation Cloud Service or the Oracle Fusion Global Payroll Cloud Service.
5	Assign Security Profiles to Abstract Roles	Enable basic data access for the predefined Employee, Contingent Worker, and Line Manager abstract roles. You perform this task at this stage of the implementation so that implementation users with abstract roles have the required data access. However, all application users with abstract roles also benefit from this step.
6	Create a Generic Role Mapping for HCM Data Roles	Enable the HCM data roles created in step 4 to be provisioned to implementation users.
7	Assign Abstract and Data Roles to the HCMUser Implementation User	Assign roles to the HCMUser implementation user that enable functional implementation to proceed.
8	Verify HCMUser Access	Confirm that the HCMUser implementation user can access the functions enabled by the assigned roles.

Reset your service administrator password after completing these steps.

Synchronize User and Role Information

You run the process Retrieve Latest LDAP Changes once during implementation. This process copies data from the LDAP directory to the Oracle Fusion Applications Security tables. Thereafter, the data is synchronized automatically. To run this process, perform the task Run User and Roles Synchronization Process as described in this topic.

Run the Retrieve Latest LDAP Changes Process

Follow these steps:

Sign in to your Oracle Applications Cloud service environment as the service administrator.
In the Setup and Maintenance work area, go to the following for your offering:
- Functional Area: Initial Users
- Task: Run User and Roles Synchronization Process
On the process submission page for the Retrieve Latest LDAP Changes process:
1. Click Submit.
2. Click OK to close the confirmation message.

Import Users and Roles into Applications Security

To implement security, you must use the Security Console. Before you can use the Security Console, you must initialize the Oracle Fusion Applications Security tables with existing user and role information. To initialize these tables, you perform the Import Users and Roles into Application Security task. This topic describes how to perform this task.

Run the Import User and Role Application Security Data Process

Sign in as the Oracle HCM Cloud service administrator and follow these steps:

In the Setup and Maintenance work area, go to the following for your offering:
- Functional Area: Initial Users
- Task: Import Users and Roles into Application Security
On the Import Users and Roles into Application Security page, click Submit.

The Import User and Role Application Security Data process starts. When the process completes, you can use the Security Console.

Note: You're recommended to schedule this process to run daily after your implementation users exist.

Create the TechAdmin Implementation User

This topic describes how to create the TechAdmin implementation user and assign roles to the user.

Create the TechAdmin Implementation User

Sign in as the Oracle HCM Cloud service administrator and follow these steps:

In the Setup and Maintenance work area, go to the following:
- Functional Area: Initial Users
- Task: Create Implementation Users
On the User Accounts page of the Security Console, click Add User Account.

Complete the fields on the Add User Account page as shown in the following table.

Field	Value
Associated Person Type	None
User Category	DEFAULT
Last Name	TechAdmin
Email	A valid email for the user
User Name	TechAdmin
Password	Any value that complies with the password policy

To view the password policy, click the Help icon by the Password field.

Note: Make a note of the password. The user who first signs in as TechAdmin must change the password.

Leave the Active option selected.

Assign Roles to TechAdmin

To assign job roles to the TechAdmin implementation user, follow these steps:

In the Roles section of the Add User Account page, click Add Role.
In the Add Role Membership dialog box, search for the IT Security Manager job role.
In the search results, select the role and click Add Role Membership.
Click OK to close the Confirmation dialog box.
Repeat from step 2 to add each of the following job roles to the TechAdmin user:
- Application Implementation Consultant
- Application Diagnostics Administrator
- Application Diagnostics Advanced User
Four job roles now appear in the Roles section of the Add User Account page.
Click Save and Close.

Note: Application Implementation Consultant is a powerful role that has unrestricted access to a large amount of data. Once the implementation is complete, you're recommended to revoke this role from all users using the Revoke Data Role from Implementation Users task. For ongoing maintenance of Oracle HCM Cloud setup data, use a less powerful role. For example, use an HCM data role based on the Human Capital Management Application Administrator role.

Create the HCMUser Implementation User

This topic explains how to create the HCMUser implementation user and assign roles to the user.

Create the HCMUser Implementation User

Sign in as the Oracle HCM Cloud service administrator and follow these steps:

In the Setup and Maintenance work area, go to the following:
- Functional Area: Initial Users
- Task: Create Implementation Users
On the User Accounts page of the Security Console, click Add User Account.

Complete the fields on the Add User Account page as shown in the following table.

Field	Value
Associated Person Type	None
User Category	DEFAULT
Last Name	HCMUser
Email	A valid email for the user
User Name	HCMUser
Password	Any value that complies with the password policy

To view the password policy, click the Help icon by the Password field.

Note: Make a note of the password. The user who first signs in as HCMUser must change the password.

Leave the Active option selected.

Assign Roles to HCMUser

To assign job roles to the HCMUser implementation user, follow these steps:

In the Roles section of the Add User Account page, click Add Role.
In the Add Role Membership dialog box, search for the Application Administrator job role.
In the search results, select the role and click Add Role Membership.
Click OK to close the Confirmation dialog box.
Repeat from step 2 to add each of the following job roles to the HCMUser user:
- Application Implementation Consultant
- Application Diagnostics Regular User
- Application Diagnostics Viewer
Four job roles now appear in the Roles section of the Add User Account page.
Click Save and Close.

Note: Application Implementation Consultant is a powerful role that has unrestricted access to a large amount of data. Once the implementation is complete, you're recommended to revoke this role from all users using the Revoke Data Role from Implementation Users task. For ongoing maintenance of Oracle HCM Cloud setup data, use a less powerful role. For example, use an HCM data role based on the Human Capital Management Application Administrator role.