Introduction
The Human Capital Management Integration Specialist job role is often granted to users who are responsible for bulk-loading data into the Oracle HCM Cloud. However, this role grants access to additional tools, including HCM Extracts and all REST APIs, so it's recommended that you instead create custom roles and grant just the HCM Data Loader (HDL) functionality required.
There are typically two user types for accessing HCM Data Loader:
- Integration specialist users who are responsible for defining data files, initiating bulk-loads, and monitoring existing integrations. This user type needs access to the HCM Data Loader tasks within the application.
- External integration users responsible for pushing data into the Oracle HCM Cloud only. Used by inbound integrations to upload files and initiate HCM Data Loader. These users shouldn't have access to the application or to monitor uploads other than the ones they've initiated. This tutorial explains how to grant access to the HCM Data Loader REST API for this purpose.
Business Object Access
HCM Data Loader provides the ability to restrict which business objects your users can bulk-load data with. By default, these two features are disabled, but it's recommended that you enable them and configure custom roles to have just the HDL access required and only for the business objects needed:
- Configure Business Object Access: When enabled, you can configure the individual business objects and product areas a role can bulk-load data with.
- Restrict Access to Security Related Business Objects: When enabled, an additional function security privilege is required to bulk-load data to any of the objects that load security-related data. Currently that includes all objects within these product areas:
| Product Area | Business Objects |
|---|---|
| Global HR - Areas of Responsibility | Areas of Responsibility |
| Global HR - Security | Legislative Data Group Security Profile, Organization Security Profile, Country Security Profile, Position Security Profile, Document Type Security Profile, Exclusion Rule, Person Security Profile |
| Global HR - Users | Delegated Role, User |
| Recruiting - Security | Job Requisition Security Profile |
| Talent Management - Security | Talent Pool Security Profile |
 Tip: You can identify which objects are secured with the functional security privilege by using the View Business Objects task. Objects that are secured have a Bulk Loading Secured value of Yes.
 
WARNING:
When HCM Data Loader is submitted using the Initiate HCM Data Loader payroll flow task to upload files generated by HCM Extracts, or the Initiate Data Loader payroll flow task to upload files generated by transformation formulae, the submitting user is elevated and the session user context is lost. It's therefore not possible to evaluate the security configuration of that user. Your existing payroll flow tasks will fail to initiate HDL with these security features enabled. From release 24A you can update your payroll flow patterns to use the new payroll flow tasks, which submit HDL as the session user:
- Run HCM Data Loader to upload HCM Extracts generated files.
- Run Data Loader Process to upload files generated by transformation formulae.
To configure the HCM Extracts flow refer to the tutorial Initiate HCM Data Loader for HCM Extract Generated Files.
Tip:
Links to all HDL tutorials are available from the HCM Data Loader - Oracle by Example Tutorials topic in Cloud Customer Connect.
File Encryption
It's recommended that you encrypt all files before loading them to the Oracle WebCenter Content server.
Tip:
HCM Data Loader can only process files that exist in the hcm$/dataload$/import$ account. Files that you upload locally using the Import File functionality in the Import and Load Data task are first uploaded here before being processed.
WARNING:
Any user with access to the hcm$/dataload$/import$ account can download and read any file on that account, regardless of who created it.
For HDL to decrypt your files you must encrypt them with the public fusion-key PGP key for the environment you're loading your file to.
The final task in this tutorial takes you through the steps to generate the fusion-key PGP certificate and extract the public key, which you'll use to encrypt your files.
				
				
				
Objectives
In this tutorial, you will:
- Understand how to enable the HCM Data Loader security related features.
- Configure custom roles to grant access to HCM Data Loader.
- Configure business object access for your custom roles.
- Generate the fusion-key certificate and extract the public key.
Prerequisites
To complete the steps in this tutorial, you'll need:
- Access to the Security Console to create custom roles and extract the file encryption key.
- Access to Setup and Maintenance.
Grant this role hierarchy if your role doesn't already have access:
| Role Name | Role Code |
|---|---|
| Functional Setups User | ORA_ASM_FUNCTIONAL_SETUPS_USER_ABSTRACT |
- Access to the Configure HCM Data Loader task to enable the HCM Data Load security features.
You require this function security privilege to access the task:
| Function Security Privilege Name | Code |
|---|---|
| Manage Configuration of HCM Data Loader | HRC_MANAGE_CONFIGURATION_HCM_DATA_LOADER_PRIV |
- Access to the HCM Data Loader Business Object Access task to configure which business objects a role can bulk load data with.
This role hierarchy provides this access:
| Role Name | Role Code |
|---|---|
| Manage HCM Data Loader Business Object Access | HRC_MANAGE_HDL_BO_ACCESS_PRIV |
Task 1: Enable Security Related Functionality
In this step you'll learn how to enable the features that allow you to restrict access to the business objects your users can bulk-load data with.
Note:
Enabling these enhancements does not impact HCM Spreadsheet Data Loader.
To enable these security features you'll need to log into the application with a user that has Configure HCM Data Loader task access (see Prerequisites for how to grant this).
Enable Configuration of Role-Based Business Object Access
Once enabled your custom HCM Data Loader roles need to have business object access configured. You can configure your custom roles with their business object access before enabling this feature.
Note:
Users with the Human Capital Management Integration Specialist job role will continue to have HCM Data Loader access. This role is preconfigured to access all business objects.
- Navigate to My Enterprise > Setup and Maintenance.
- Select the HCM Data Loader functional area.
- Click the Configure HCM Data Loader task.
- Search for the Enable Configuration of Role-Based Business Object Access parameter.
- Set the Override to Yes.
- Click Save.
 
					 
					Additionally, you'll need to provide access to the HCM Data Loader Business Object Access task to configure the business objects your roles can use HCM Data Loader with (see Prerequisites for how to grant this).
				
				
				
Restrict Access to Security Related Business Objects
Once enabled, users require the Load HCM Security Data function security privilege to bulk-load data with the security related objects.
Caution:
Enabling this feature will prohibit users with the Human Capital Management Integration Specialist job role from using security related business objects too. You'll need to create custom roles to provide access to bulk-load security related data once this capability is enabled.
- Access the Configure HCM Data Loader task as described above.
- Search for the Restrict Access to Security Related Business Objects parameter.
- Set the Override to Yes.
- Click Save.
Task 2: Grant HCM Data Loader Access
In this step you'll create custom roles for accessing HCM Data Loader functionality.
Integration Specialist Access
This role will provide access to the following functionality:
- The View Business Objects task to review business object details and generate METADATA files.
- The Import and Load Data task to submit files for import and load and monitor status of all data sets.
- The Recent File Loads task to review recent data set status on any device.
- The Delete Stage Table Data task to maintain stage tables.
- The ability to import and export files for HCM Data Loader on the Oracle WebCenter Content server.
To grant this access:
- Log into the application with Security Console access.
- Navigate to Tools > Security Console.
- Click Create Role.
- Specify a Role Name and provide a unique role code.
- Specify a Role Category of HCM - Job Role.
- Click Next to navigate to the Role Hierarchy page. Add these hierarchies:
| Role Name | Role Code | Grants Access To |
|---|---|---|
| HCM Data Load | ORA_HRC_HCM_DATA_LOAD_DUTY | HCM Data Loader tasks within the Data Exchange work area. |
| Upload data for Human Capital Management file based Import | HCM_DATALOADER_IMPORT_RWD | The hcm/dataloader/import directory on the Oracle WebCenter Content server. |
| Download data from Human Capital Management file based Export | HCM_DATALOADER_EXPORT_RWD | The hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files. |
- Save your changes.
Tip:
The business objects that a role can use are granted directly to this job role. Consider naming each role for the objects it will provide access to. For example, HCM Data Loader - All Objects, HCM Data Loader - Setup or HCM Data Loader - Recruiting.
Additionally, if the role is to be assigned access to any of the business objects that load security related data, this function security privilege is needed:
| Role Name | Role Code | Grants Access To | 
|---|---|---|
| Load HCM Security Data | HRC_LOAD_HCM_SECURITY_DATA_PRIV | Security related HCM Data Loader business objects. | 
You can now configure the business objects this role can load data with.
				
				
REST Access
For external users defined for inbound integrations, such as for use by a third-party payroll backfeed integration, grant access to the dataLoadDataSets REST resource.
- Log into the application with Security Console access.
- Navigate to Tools > Security Console.
- Click Create Role.
- Specify a Role Name and provide a unique role code.
- Click Next to navigate to the Role Hierarchy page. Add these hierarchies:
| Role Name | Role Code | Grants Access To |
|---|---|---|
| Use REST Service - Data Load Data Sets | ORA_HRC_REST_SERVICE_ACCESS_DATA_LOAD_DATA_SETS | The dataLoadDataSets REST API for initiating HDL and HSDL and monitoring data set status. |
| Upload data for Human Capital Management file based import | HCM_DATALOADER_IMPORT_RWD | The hcm/dataloader/import directory on the Oracle WebCenter Content server. |
- Save your changes.
Tip:
The business objects that a role can use are granted directly to this job role. Consider naming the role for its integration, such as HDL Payroll Backfeed.
Additionally, if you want this role to have access to the REST custom actions that delete the staging table data for the data sets created by the role, add these privileges:
| Function Security Privilege | Privilege Code | Secures Custom Action | 
|---|---|---|
| Delete HCM Data Loader Data Set Using REST Service | HRC_DELETE_HDL_DATA_SET_USING_REST | deleteDataSet | 
| Delete HCM Spreadsheet Data Loader Data Set Using REST Service | HRC_DELETE_HSDL_DATA_SET_USING_REST | deleteSpreadsheetDataSet | 
You can now configure the business objects this role can load data with.
Task 3: Configure Business Object Access
In this step you'll configure the business objects a role can bulk-load data with using HCM Data Loader.
- Log into the application with a user who has access to the HCM Data Loader Business Object Access task (see Prerequisites for how to grant this).
- Navigate to My Enterprise > Setup and Maintenance.
- Select the HCM Data Loader functional area.
- Click HCM Data Loader Business Object Access.
- In the Job and Abstract Roles table, search for and select your custom role.
- Click the Assign dropdown.
- Select one of the following options:
  - Assign Individual Business Objects
  - Assign All Business Objects in a Product Area
  - Assign All Unrestricted Business Objects
  - Assign All Business Objects, Including Security-Related Objects
  If you select Assign Individual Business Objects, then:
  - Search and select the business objects in the Search and Select Business Objects dialog box.
  - Click Add to add the selected business objects to the role. An entry appears in the Assigned Business Objects section for each of the selected business objects.
  If you select Assign All Business Objects in a Product Area, then:
  - Select the product area in the Select Product Area dialog box.
  - Click Add. A single entry appears for the product area in the Assigned Business Objects section.
  If you select Assign All Unrestricted Business Objects, then:
  - A warning message appears to indicate that users with this role can bulk-load data with any business object that doesn't load security-related data.
  - Click Add to close the warning and continue. A single entry appears for all unrestricted business objects in the Assigned Business Objects section.
  If you select Assign All Business Objects, Including Security-Related Objects, then:
  - A warning message appears to indicate that users with this role will be able to use the security-related objects only if they have the Load HCM Security Data function security privilege.
  - Click Add to close the warning and continue. A single entry appears for all business objects in the Assigned Business Objects section.
- Click Save.
Tip:
The Assigned Business Objects table header is automatically updated to include the role name.
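The combined effect of the two security features and the four Assign options can be modelled as follows. This is an added example, not Oracle code: the Role class, can_load and audit are hypothetical names, the sample roles are constructed, and it assumes the security privilege and the object assignment are evaluated on the same role.

```python
from dataclasses import dataclass, field

# Security-related product areas and their objects, from the table on this page.
SECURED = {
    "Global HR - Areas of Responsibility": {"Areas of Responsibility"},
    "Global HR - Security": {
        "Legislative Data Group Security Profile", "Organization Security Profile",
        "Country Security Profile", "Position Security Profile",
        "Document Type Security Profile", "Exclusion Rule", "Person Security Profile"},
    "Global HR - Users": {"Delegated Role", "User"},
    "Recruiting - Security": {"Job Requisition Security Profile"},
    "Talent Management - Security": {"Talent Pool Security Profile"},
}
SECURED_OBJECTS = set().union(*SECURED.values())
SECURITY_PRIV = "HRC_LOAD_HCM_SECURITY_DATA_PRIV"


@dataclass
class Role:  # hypothetical representation of a custom role
    name: str
    privileges: set = field(default_factory=set)
    objects: set = field(default_factory=set)        # Assign Individual Business Objects
    product_areas: set = field(default_factory=set)  # Assign All ... in a Product Area
    all_unrestricted: bool = False                   # Assign All Unrestricted Business Objects
    all_objects: bool = False                        # Assign All ..., Including Security-Related


def can_load(role, product_area, business_object):
    """Return (allowed, reason) with both security features enabled."""
    secured = product_area in SECURED
    assigned = (role.all_objects
                or (role.all_unrestricted and not secured)
                or product_area in role.product_areas
                or business_object in role.objects)
    if not assigned:
        return False, "business object not assigned to role"
    if secured and SECURITY_PRIV not in role.privileges:
        return False, "missing " + SECURITY_PRIV
    return True, "allowed"


def audit(roles):
    """Flag roles whose object assignments and security privilege disagree."""
    findings = []
    for r in roles:
        touches_secured = (r.all_objects or bool(r.product_areas & SECURED.keys())
                           or bool(r.objects & SECURED_OBJECTS))
        has_priv = SECURITY_PRIV in r.privileges
        if touches_secured and not has_priv:
            findings.append((r.name, "secured objects assigned but privilege missing"))
        if has_priv and not touches_secured:
            findings.append((r.name, "privilege granted but no secured objects assigned"))
    return findings


# Constructed sample roles, named after the Task 4 examples on this page.
ROLES = [
    Role("HCM Data Loader - Unrestricted", {SECURITY_PRIV}, all_objects=True),
    Role("HCM Data Loader - Recruiting", product_areas={"Recruiting - Security"}),
    Role("External Payroll Backfeed", objects={
        "Document Record", "Payroll Interface Inbound Record",
        "Third Party Payroll Interface Error"}),
]
```

Calling audit(ROLES) reports the Recruiting role, which was assigned a security-related product area without the Load HCM Security Data privilege.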
Task 4: Create Common HCM Data Loader Custom Roles
This step explains how to create the following custom roles:
- An Integration Specialist administrator role capable of loading data for any object and monitoring all data sets.
- An Integration Specialist role with restricted business object access.
- An external integration role restricted to loading payroll backfeed data with visibility of only the data sets they've submitted.
Integration Specialist - Unrestricted
- Use the Security Console to create a custom HCM Data Loader - Unrestricted role.
- Grant this function security privilege:
| Role Name | Role Code | Grants Access To |
|---|---|---|
| Load HCM Security Data | HRC_LOAD_HCM_SECURITY_DATA_PRIV | Security related HCM Data Loader business objects. |
- Grant these role hierarchies:
| Role Name | Role Code | Grants Access To |
|---|---|---|
| HCM Data Load | ORA_HRC_HCM_DATA_LOAD_DUTY | HCM Data Loader tasks within the Data Exchange work area. |
| Upload data for Human Capital Management file based Import | HCM_DATALOADER_IMPORT_RWD | The hcm/dataloader/import directory on the Oracle WebCenter Content server. |
| Download data from Human Capital Management file based Export | HCM_DATALOADER_EXPORT_RWD | The hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files. |
- Save the custom role.
- Navigate to the HCM Data Loader Business Object Access task in Setup and Maintenance.
- Search for and select the HCM Data Loader - Unrestricted role.
- Click the Assign dropdown and select Assign All Business Objects, Including Security-Related Objects.
- Click Add to close the warning message.
- Save your changes. You can now assign this role to users who should be able to bulk-load data with any HCM Data Loader business object.
Integration Specialist - Restricted
- Use the Security Console to create a custom HCM Data Loader - {objects} role, replacing {objects} with a description of the business objects the role will have access to use, such as HCM Data Loader - Work Structures, or HCM Data Loader - Recruiting.
- Grant these role hierarchies:
| Role Name | Role Code | Grants Access To |
|---|---|---|
| HCM Data Load | ORA_HRC_HCM_DATA_LOAD_DUTY | HCM Data Loader tasks within the Data Exchange work area. |
| Upload data for Human Capital Management file based Import | HCM_DATALOADER_IMPORT_RWD | The hcm/dataloader/import directory on the Oracle WebCenter Content server. |
| Download data from Human Capital Management file based Export | HCM_DATALOADER_EXPORT_RWD | The hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files. |
- Save the custom role.
- Navigate to the HCM Data Loader Business Object Access task in Setup and Maintenance.
- Search for and select your custom role.
- Use the Assign dropdown on the Assigned Business Objects table toolbar to assign access to the HCM Data Loader business objects and product areas users with this role should be able to use.
- Save your changes. You can now assign this role to users who should be able to bulk-load data with the HCM Data Loader business objects configured.
Tip:
If the list of business objects this role can access will include objects that load security related data, also grant the Load HCM Security Data function security privilege.
External User - Integration Specific
In this step you'll create an external user to initiate the Payroll Backfeed integration. This user will be given to the provider who supplies the data and initiates the integration.
- Use the Security Console to create a custom External Payroll Backfeed role.
- Grant these role hierarchies:
| Role Name | Role Code | Grants Access To |
|---|---|---|
| Use REST Service - Data Load Data Sets | ORA_HRC_REST_SERVICE_ACCESS_DATA_LOAD_DATA_SETS | The dataLoadDataSets REST API for initiating HDL and HSDL and monitoring data set status. |
| Upload data for Human Capital Management file based import | HCM_DATALOADER_IMPORT_RWD | The hcm/dataloader/import directory on the Oracle WebCenter Content server. |
- Save the custom role.
- Navigate to the HCM Data Loader Business Object Access task in Setup and Maintenance.
- Search for and select your custom role.
- Click the Assign dropdown on the Assigned Business Objects table toolbar.
- Search for and assign the business objects the integration will be updating:
  - Document Record
  - Payroll Interface Inbound Record
  - Third Party Payroll Interface Error
- Save your changes. You can now assign this role to the user account provided to your third-party payroll provider to upload payroll backfeed data.
Tip:
Use any name that describes the integration the user provides access for.
Task 5: Generate a PGP Key Pair for Encrypting HDL Files
It's recommended that you encrypt all files before loading them to the Oracle WebCenter Content server. Any user with access to the HCM Data Loader import account can download and read any file on that account, regardless of who created it.
HCM Data Loader decrypts files using the private fusion-key PGP key, so you need to generate this on your Oracle Cloud environment before loading encrypted files. You encrypt your files with the fusion-key public key.
In this step you'll generate the fusion-key PGP key pair and extract the public key.
- Sign into Oracle HCM Cloud with the IT Security Manager job role or privileges.
- Navigate to Tools > Security Console.
- Click the Certificates tab.
- Review the certificates that already exist. If the fusion-key certificate already exists, you can skip to the Extract the Public Key section. Otherwise, follow the steps to generate the fusion-key certificate.
Generate the fusion-key Certificate
- Click Generate to open the Generate dialog.
- Select a Certificate Type of PGP and specify these values:
| Field | Value |
|---|---|
| Alias | fusion-key |
| Passphrase | Enter a passphrase for the private key. This passphrase is needed when you edit, delete, or download the private key. |
| Key Type | RSA |
| Key Length | Select either 1024 or 2048. |
| Encryption Algorithm | Select the encryption algorithm to use. |
Note:
You must use the fusion-key alias for HCM Data Loader to decrypt your files encrypted with this key.
- Click Save and Close. A confirmation message will appear; close it.
Your certificate will be displayed.
					
					 
					
				
Extract the Public Key
- Click the Action choice menu button for the fusion-key record.
- Click Export > Public Key.
The fusion-key_pub.asc file will be downloaded. Save it to your desktop.
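A pre-upload check that a file is PGP-encrypted to the expected key before it reaches the import account, as an added example (not Oracle code). It assumes a version 3 public-key encrypted session key packet as defined in RFC 4880, and that you have read the key ID of the fusion-key encryption key from the exported fusion-key_pub.asc with your own OpenPGP tool; the function names and the sample key ID are constructed.

```python
import base64


def _dearmor(data):
    """Return binary OpenPGP data, decoding ASCII armor if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----"):
        return data
    lines = data.strip().splitlines()
    start = lines.index(b"") + 1 if b"" in lines else 1  # skip armor headers
    body = [ln for ln in lines[start:] if not ln.startswith((b"=", b"-----"))]
    return base64.b64decode(b"".join(body))


def first_packet(data):
    """Parse the first packet header (RFC 4880, section 4.2); return (tag, body)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not OpenPGP data")
    hdr = data[0]
    if hdr & 0x40:                        # new-format header
        tag, o1 = hdr & 0x3F, data[1]
        if o1 < 192:
            length, off = o1, 2
        elif o1 < 224:
            length, off = ((o1 - 192) << 8) + data[2] + 192, 3
        elif o1 == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length not valid here")
    else:                                 # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not valid here")
        n = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]


def recipient_key_id(blob):
    """Key ID the file is encrypted to; raises if it is not PGP-encrypted."""
    tag, body = first_packet(_dearmor(blob))
    # Tag 1 = Public-Key Encrypted Session Key: version, 8-byte key ID, algorithm.
    if tag != 1 or len(body) < 10 or body[0] != 3:
        raise ValueError("first packet is not a v3 public-key encrypted session key")
    return body[1:9].hex().upper()


def safe_to_upload(blob, expected_key_id):
    """True only if blob is encrypted to expected_key_id (16 hex digits)."""
    try:
        return recipient_key_id(blob) == expected_key_id.upper()
    except (ValueError, IndexError):
        return False


# Constructed sample: old-format PKESK packet for made-up key ID 0123456789ABCDEF.
SAMPLE = bytes.fromhex("840d" "03" "0123456789abcdef" "01" "0008ff")
```

The check reads only the first packet, so a file encrypted to several recipients, or one written with hidden key IDs, is rejected unless the expected key comes first.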
Tip:
For more information refer to the Set up Encryption for File Transfer topic.
Related Links
Help Topics
- How You Enable Access to HCM Data Loader
- How You Configure HCM Data Loader Business Object Access
- Set up Encryption for File Transfer
Refer to this Cloud Customer Connect topic for links to the latest Oracle By Example tutorials for HDL and HSDL:
Acknowledgements
- Authors - Ema Johnson (Senior Principal Product Manager)
Configure Access to HCM Data Loader
F91164-05
August 2024