Introduction
Cloud HCM provides a capability to extract data from HCM using underlying new generation BOSS/Spectra platform. This tutorial describes security configuration that is a prerequisite for extracting data.
Objectives
Upon completing this tutorial, you will understand how to:
- Configure an HCM job role for data extraction
- Configure an OAuth client application to programmatically extract data using API calls
Task 1: Prepare an HCM Job Role
In order to access data in the hierarchy of Worker-related objects, certain Permission Groups have to be added to a new or existing HCM job role.
Follow the steps below to ensure appropriate data access.
- Go to Setup and Maintenance
- Search for Manage Administrator Profile Values and enter this task
- Search for the profile value by profile option code ORA_ASE_SAS_INTEGRATION_ENABLED
- Set its value to Yes at the Site level
- Save the profile value
- Go to Tools → Security Console
- Create or edit a role of role category HCM - Job Roles
- Click Enable Permission Groups and confirm
- Go to the Permission Groups train stop
- Click Add Permission Group
- Search for
boss_execute_AsyncDataExtraction_OraBatchJobDefinition
and select it - Click Add Selected Permission Groups
- Close the popup window
- Go to the Role Hierarchy train stop
- Click Roles and Permission Groups
- Click Add Role
- Make sure Duty roles option is selected
- Search for
ORA_DR_PER_WORKER_EXTRACT_DUTY
and select it - Click Add Role Membership
- Close the popup window
- Go to the Summary train stop
- Review the changes and save them
Task 2: Create an Application
Spectra APIs can only be accessed by confidential applications that use OAuth 2.0. You'll need to define one in Oracle Identity Cloud Service (IDCS).
- Log into the IDCS Admin Console and navigate to the given pod's identity domain
- Click Integrated applications
- Click Add application
- Select Confidential Application and click Launch workflow
- Provide Name (e.g. Extracts Application)
- Click Next
- Select Configure this application as a client now
- Choose Allowed grant types as Client credentials and JWT assertion
- Choose Client type as Confidential
- Choose Allowed operations as On behalf of
- Enable Bypass consent
- Select Add resources
- Click Add scope, then search and select following scopes
- Oracle SaaS Batch Cloud Service
- Oracle Boss Cloud (Spectra)
- Click Add
- Click Next
- Click Finish
- Select the newly created application and activate it by clicking Activate and Activate application
- In your application details, find the Client ID and Client secret that will be used to generate access tokens
Task 3: Assign the Role to the Application
Now it's time to assign the role from step #1 to the application from step #2.
- Go to Tools → Security Console
- Click Application Extensions
- Find your application in the Custom OAuth Client Applications section and click its name
- Click Roles
- Click Add
- Search for your role and select it
- Click Add
- Click Done
Task 4: Obtain a Token
Here's how you can obtain a token to extract data using Spectra services.
URL | {{idcsUrl}}/oauth2/v1/token |
---|---|
HTTP method | POST |
Authorization |
Basic auth with clientId and clientSecret
|
Content-Type header | application/x-www-form-urlencoded |
Request body |
URL-encoded For accessing grant_type=client_credentials&scope=urn:opc:resource:fusion:{{pod}}:boss/ For accessing grant_type=client_credentials&scope=urn:opc:resource:fusion:{{pod}}:saas-batch/ |
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Configure Security for Extracing Data from HCM Using Spectra Services
G38642-02
July 2025