Introduction

The Human Capital Management Integration Specialist job role is often granted to users who are responsible for bulk-loading data into the Oracle HCM Cloud. However, this role grants access to additional tools, including HCM Extracts and all REST APIs, so it's recommended that you instead create custom roles and grant just the HCM Data Loader (HDL) functionality required.

There are typically two user types for accessing HCM Data Loader:

  • Integration specialist users who are responsible for defining data files, initiating bulk-loads, and monitoring existing integrations. This user type needs access to the HCM Data Loader tasks within the application.
  • External integration users responsible for pushing data into the Oracle HCM Cloud only.

    Used by inbound integrations to upload files and initiate HCM Data Loader. These users shouldn't have access to the application or to monitor uploads other than the ones they've initiated. This tutorial explains how to grant access to the HCM Data Loader REST API for this purpose.

Business Object Access

HCM Data Loader provides two features that restrict which business objects your users can bulk-load data with. Both are disabled by default, but it's recommended that you enable them and configure custom roles to have just the HDL access required and only for the business objects needed:
  • Configure Business Object Access

    When enabled, you can configure the individual business objects and product areas a role can bulk-load data with.

  • Restrict Access to Security Related Business Objects

    When enabled, an additional function security privilege is required to bulk-load data to any of the objects that load security-related data. Currently that includes all objects within these product areas:

    Product Area | Business Objects
    Global HR - Areas of Responsibility | Areas of Responsibility; Areas of Responsibility Templates
    Global HR - Security | Legislative Data Group Security Profile; Organization Security Profile; Country Security Profile; Position Security Profile; Document Type Security Profile; Exclusion Rule; Person Security Profile
    Global HR - Users | Delegated Role; User
    Recruiting - Security | Job Requisition Security Profile
    Talent Management - Security | Talent Pool Security Profile

    Tip:

    You can identify which objects are secured with the functional security privilege by using the View Business Objects task. Objects that are secured have a Bulk Loading Secured value of Yes.

WARNING:

When HCM Data Loader is submitted using the Initiate HCM Data Loader payroll flow task to upload files generated by HCM Extracts, or the Initiate Data Loader payroll flow task to upload files generated by transformation formulae, the submitting user is elevated and the session user context is lost. It's therefore not possible to evaluate the security configuration of that user. Your existing payroll flow tasks will fail to initiate HDL with these security features enabled. Update your payroll flow patterns to use the new payroll flow tasks which submit HDL as the session user:
  • Run HCM Data Loader to upload HCM Extracts generated files.
  • Run Data Loader Process to upload files generated by transformation formulae.

To configure the HCM Extracts flow refer to the tutorial Initiate HCM Data Loader for HCM Extract Generated Files.


File Encryption

It's recommended that you encrypt all files before loading them to the Oracle WebCenter Content server.

HCM Data Loader can only process files that exist in the hcm$/dataload$/import$ account on the Oracle WebCenter Content server. Files that you upload locally using the Import File functionality in the Import and Load Data task are first uploaded here before being processed.

WARNING:

Any user with access to the hcm$/dataload$/import$ account can download and read any file on that account, regardless of who created it.

For HDL to decrypt your files you must encrypt them with the public fusion-key PGP key for the environment you're loading your file to.

The final task in this tutorial takes you through the steps to generate the fusion-key PGP certificate and extract the public key, which you'll use to encrypt your files.

Objectives

In this tutorial, you will:

  • Understand how to enable the HCM Data Loader security related features.
  • Configure custom roles to grant access to HCM Data Loader.
  • Configure business object access for your custom roles.
  • Generate the fusion-key certificate and extract the public key.

Prerequisites

To complete the steps in this tutorial, you'll need:

  • Access to the Security Console to create custom roles and extract the file encryption key.
  • Access to the Configure HCM Data Loader task to enable the HCM Data Load security features.

    You require this function security privilege to access the task:

    Function Security Privilege Name | Code
    Manage Configuration of HCM Data Loader | HRC_MANAGE_CONFIGURATION_HCM_DATA_LOADER_PRIV
  • Access to the HCM Data Loader Business Object Access task to configure which business objects a role can bulk load data with.

    This role hierarchy provides this access:

    Role Name | Role Code
    Manage HCM Data Loader Business Object Access | HRC_MANAGE_HDL_BO_ACCESS_PRIV

Note:

This tutorial assumes you have enabled Redwood. Access the Release 25A version of this tutorial for the navigation and screenshots if this isn't the case.

Task 1: Enable Security Related Functionality

In this step, you'll learn how to enable the features that allow you to restrict access to the business objects your users can bulk-load data with.

Note:

Enabling these enhancements does not impact HCM Spreadsheet Data Loader.

To enable these security features, you'll need to log into the application with a user that has Configure HCM Data Loader task access (see Prerequisites for how to grant this).

Enable Configuration of Role-Based Business Object Access

Once enabled, your custom HCM Data Loader roles need to have business object access configured. You can configure your custom roles with their business object access before enabling this feature, using the HCM Data Loader Business Objects Access task.

Note:

Users with the Human Capital Management Integration Specialist job role will continue to have HCM Data Loader access. This role is preconfigured to access all business objects.
  1. Navigate to My Client Groups > Data Exchange.
  2. Click the Configure HCM Data Loader task.
  3. On the HCM Data Loader Parameters tab, search for the Enable Configuration of Role-Based Business Object Access parameter.
  4. Set the Override Value to Yes and save.

Restrict Access to Security Related Business Objects

Once enabled, users require the Load HCM Security Data function security privilege to bulk-load data with the security related objects.

Caution:

Enabling this feature will prohibit users with the Human Capital Management Integration Specialist job role from using security related business objects too. You'll need to create custom roles to provide access to bulk-load security related data once this capability is enabled.
  1. Access the Configure HCM Data Loader task from the Data Exchange work area.
  2. Search for the Restrict Access to Security Related Business Objects parameter on the HCM Data Loader Parameters tab.
  3. Set the Override Value to Yes and save.


Task 2: Grant HCM Data Loader Access

In this step you'll create custom roles for accessing HCM Data Loader functionality.

Integration Specialist Access

This role will provide access to the following functionality:

  • The View Business Objects task to review business object details and generate METADATA files.
  • The Import and Load Data task to submit files for import and load and monitor status of all data sets.
  • The Recent File Loads task to review recent data set status on any device.
  • The Delete Stage Table Data task to maintain stage tables.
  • The ability to import and export files for HCM Data Loader on the Oracle WebCenter Content server.

To grant this access:

  1. Log into the application with Security Console access.
  2. Navigate to Tools > Security Console.
  3. Click Create Role.
  4. Specify a Role Name and provide a unique role code.

    Tip:

    The business objects that a role can use are granted directly to this job role. Consider naming each role for the objects it will provide access to. For example, HCM Data Loader - All Objects, HCM Data Loader - Setup or HCM Data Loader - Recruiting.
  5. Specify a Role Category of HCM - Job Role.
  6. Click Next to navigate to the Role Hierarchy page. Add these hierarchies:

    Role Name | Role Code | Grants Access To
    HCM Data Load | ORA_HRC_HCM_DATA_LOAD_DUTY | HCM Data Loader tasks within the Data Exchange work area.
    Upload data for Human Capital Management file based Import | HCM_DATALOADER_IMPORT_RWD | The hcm/dataloader/import directory on the Oracle WebCenter Content server.
    Download data from Human Capital Management file based Export | HCM_DATALOADER_EXPORT_RWD | The hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files.

    Additionally, if the role is to be assigned access to any of the business objects that load security related data, this function security privilege is needed:

    Role Name | Role Code | Grants Access To
    Load HCM Security Data | HRC_LOAD_HCM_SECURITY_DATA_PRIV | Security related HCM Data Loader business objects.

  7. Save your changes.

You can now configure the business objects this role can load data with. See Task 3.

REST Access

For external users defined for inbound integrations, such as for use by a third-party payroll backfeed integration, grant access to the dataLoadDataSets REST resource.

  1. Log into the application with Security Console access.
  2. Navigate to Tools > Security Console.
  3. Click Create Role.
  4. Specify a Role Name and provide a unique role code.

    Tip:

    The business objects that a role can use are granted directly to this job role. Consider naming the role for its integration, such as HDL Payroll Backfeed.
  5. Navigate to the Role Hierarchy page. Add these hierarchies:

    Role Name | Role Code | Grants Access To
    Use REST Service - Data Load Data Sets | ORA_HRC_REST_SERVICE_ACCESS_DATA_LOAD_DATA_SETS | The dataLoadDataSets REST API for initiating bulk-loading and monitoring data set status.
    Upload data for Human Capital Management file based import | HCM_DATALOADER_IMPORT_RWD | The hcm/dataloader/import directory on the Oracle WebCenter Content server.

  6. The custom action to submit HDL is individually secured so that access to the REST service can be given for initiating HSDL without users of the role automatically having permission to initiate HDL. To grant access to initiate HDL, add this function security privilege:

    Function Security Privilege | Privilege Code | Secures Custom Action
    Create HCM Data Loader Data Set Using REST Service | HRC_CREATE_FILE_DATA_SET_USING_REST | createFileDataSet

  7. Additionally, if you want this role to have access to the REST custom actions that delete the staging table data for the data sets created by the role, add these privileges:

    Function Security Privilege | Privilege Code | Secures Custom Action
    Delete HCM Data Loader Data Set Using REST Service | HRC_DELETE_HDL_DATA_SET_USING_REST | deleteDataSet
    Delete HCM Spreadsheet Data Loader Data Set Using REST Service | HRC_DELETE_HSDL_DATA_SET_USING_REST | deleteSpreadsheetDataSet

  8. Save your changes.
  9. You can now configure the business objects this role can load data with.


Task 3: Configure Business Object Access

In this step you'll configure the business objects a role can bulk-load data with using HCM Data Loader.

  1. Log into the application with a user who has access to the HCM Data Loader Business Object Access task (see Prerequisites for how to grant this).
  2. Navigate to My Client Groups > Data Exchange.
  3. Click HCM Data Loader Business Object Access.
  4. Search for your custom role and click the Edit action button.

    You're navigated to the View Assigned Business Objects page where you can review the business objects and product areas users of this role can bulk-load data with.

  5. Click the Assign button.
  6. Select one of the following options:
    • Assign Individual Business Objects
    • Assign Business Objects by Product Area
    • Assign All Unrestricted Business Objects
    • Assign All Business Objects, Including Security-Related Objects

    Assign Individual Business Objects

    If you select Assign Individual Business Objects, you're navigated to the Assign Individual Business Objects page.

    • Search for business objects using the search bar and filters.
    • Check the checkbox against a business object to add it to the role.

      Tip:

      The Assigned by Product Area column indicates if the business object is already available to the role via a product area mapping.
    • Click Save.
    • An entry will be created in the Assigned Business Objects table for each of the selected business objects.

    Assign Business Objects by Product Area

    If you select Assign All Business Objects in a Product Area, then you're navigated to the Assign Business Objects by Product Areas page.

    • Search for the product area using the search bar.
    • Click the Edit action button. This opens the Business Objects Within the Product Area panel, which allows you to review the objects the role will be able to bulk-load data with by assigning this product area to the role.
    • Deselect any business objects that shouldn't be available for bulk-loading data using this role.

      Tip:

      The Assigned column indicates if the business object is already available to the role via an individual business object mapping.
    • Click Save.
    • You'll be navigated back to the Assign Business Objects by Product Areas page where you can review the product area mapping and assign other product areas to the role.
    • Return to the View Assigned Business Objects page to review and configure the role's mappings.

      Tip:

      You can configure the business objects available in an existing product area mapping by clicking the Edit button against the product area.

    Assign All Unrestricted Business Objects

    If you select Assign All Unrestricted Business Objects, a confirmation message appears to explain that users with this role can bulk-load data with any business object that doesn't load security-related data.

    • Click Assign to close the warning and continue. A single entry appears for all unrestricted business objects in the Assigned Business Objects table.

    Assign All Business Objects

    If you select Assign All Business Objects, Including Security-Related Objects, a confirmation message appears to explain that users with this role will be able to use the security-related objects only if they have the Load HCM Security Data function security privilege.

    • Click Assign to close the warning and continue. A single entry appears for all business objects in the Assigned Business Objects section.


Task 4: Create Common HCM Data Loader Custom Roles

This step explains how to create the following custom roles:

  • An Integration Specialist administrator role capable of loading data for any object and monitoring all data sets.
  • An Integration Specialist role with restricted business object access.
  • An external integration role restricted to loading payroll backfeed data using the REST API with visibility of only the data sets they've submitted.

Integration Specialist - Unrestricted

  1. Use the Security Console to create a custom HCM Data Loader - Unrestricted role.
  2. Grant this function security privilege:

    Role Name | Role Code | Grants Access To
    Load HCM Security Data | HRC_LOAD_HCM_SECURITY_DATA_PRIV | Security related HCM Data Loader business objects.

  3. Grant these role hierarchies:

    Role Name | Role Code | Grants Access To
    HCM Data Load | ORA_HRC_HCM_DATA_LOAD_DUTY | HCM Data Loader tasks within the Data Exchange work area.
    Upload data for Human Capital Management file based Import | HCM_DATALOADER_IMPORT_RWD | The hcm/dataloader/import directory on the Oracle WebCenter Content server.
    Download data from Human Capital Management file based Export | HCM_DATALOADER_EXPORT_RWD | The hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files.

  4. Save the custom role.
  5. Navigate to the HCM Data Loader Business Object Access task in the Data Exchange work area.
  6. Search for the HCM Data Loader - Unrestricted role.
  7. Click the Edit action button against the role to access the View Assigned Business Objects page.
  8. Click the Assign dropdown button and select Assign All Business Objects, Including Security-Related Objects.
  9. Click Assign to close the confirmation message.
  10. You can now assign this role to users who should be able to bulk-load data with any HCM Data Loader business object.

Integration Specialist - Restricted

  1. Use the Security Console to create a custom HCM Data Loader - {objects} role, replacing {objects} with a description of the business objects the role will have access to use, such as HCM Data Loader - Work Structures or HCM Data Loader - Recruiting.
  2. Grant these role hierarchies:

    Role Name | Role Code | Grants Access To
    HCM Data Load | ORA_HRC_HCM_DATA_LOAD_DUTY | HCM Data Loader tasks within the Data Exchange work area.
    Upload data for Human Capital Management file based Import | HCM_DATALOADER_IMPORT_RWD | The hcm/dataloader/import directory on the Oracle WebCenter Content server.
    Download data from Human Capital Management file based Export | HCM_DATALOADER_EXPORT_RWD | The hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files.

    Tip:

    If the list of business objects this role can access will include objects that load security related data, also grant the Load HCM Security Data function security privilege.
  3. Save the custom role.
  4. Navigate to the HCM Data Loader Business Object Access task in the Data Exchange work area.
  5. Search for your custom role.
  6. Click the Edit action button against the role to access the View Assigned Business Objects page.
  7. Use the Assign dropdown button to assign the individual business objects and product areas the role can bulk-load data with.
  8. You can now assign this role to users who should be able to bulk-load data with the HCM Data Loader business objects configured.

External User - Integration Specific

In this step you'll create an external user to initiate the Payroll Backfeed integration. This user will be given to the provider who supplies the data and initiates the integration.

  1. Use the Security Console to create a custom External Payroll Backfeed role.

    Tip:

    Use any name that describes the integration the user provides access for.
  2. Grant these role hierarchies:

    Role Name | Role Code | Grants Access To
    Use REST Service - Data Load Data Sets | ORA_HRC_REST_SERVICE_ACCESS_DATA_LOAD_DATA_SETS | The dataLoadDataSets REST API for initiating HDL and HSDL and monitoring data set status.
    Upload data for Human Capital Management file based import | HCM_DATALOADER_IMPORT_RWD | The hcm/dataloader/import directory on the Oracle WebCenter Content server.

  3. Save the custom role.
  4. Navigate to the HCM Data Loader Business Object Access task in the Data Exchange work area.
  5. Search for your custom role.
  6. Click the Edit action button against the role to access the View Assigned Business Objects page.
  7. Click the Assign dropdown button and select Assign Individual Business Objects.
  8. Search for and select the business objects the integration will be updating:
    • Document Record
    • Payroll Interface Inbound Record
    • Third Party Payroll Interface Error
  9. Save your changes.
  10. You can now assign this role to the user account provided to your third-party payroll provider to upload payroll backfeed data.


Task 5: Generate a PGP Key Pair for Encrypting HDL Files

It's recommended that you encrypt all files before loading them to the Oracle WebCenter Content server. Any user with access to the HCM Data Loader import account can download and read any file on that account, regardless of who created it.

HCM Data Loader decrypts files using the private fusion-key PGP key, so you need to generate this on your Oracle Cloud environment before loading encrypted files. You encrypt your files with the fusion-key public key.

In this step you'll generate the fusion-key PGP key pair and extract the public key.

  1. Sign into Oracle HCM Cloud with the IT Security Manager job role or privileges.
  2. Navigate to Tools > Security Console.
  3. Click the Certificates tab.
  4. Review the certificates that already exist. If the fusion-key certificate already exists, you can skip to the Extract the Public Key section. Otherwise, follow the steps to generate the fusion-key certificate.

Generate the fusion-key Certificate

  1. Click Generate to open the Generate dialog.
  2. Select a Certificate Type of PGP and specify these values:

    Field | Value
    Alias | fusion-key
    Passphrase | Enter a passphrase for the private key. This passphrase is needed when you edit, delete, or download the private key.
    Key Type | RSA
    Key Length | Select either 1024 or 2048.
    Encryption Algorithm | Select the encryption algorithm to use.

    Note:

    You must use the fusion-key alias for HCM Data Loader to decrypt your files encrypted with this key.

  3. Click Save and Close. A confirmation message will appear; close it.
  4. Your certificate will be displayed.

Extract the Public Key

  1. Click the Action choice menu button for the fusion-key record.
  2. Click Export > Public Key.
  3. The fusion-key_pub.asc file will be downloaded. Save it to your desktop.

Tip:

For more information refer to the Set up Encryption for File Transfer topic.
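
With fusion-key_pub.asc exported, the encryption happens on the host that builds the HDL file. The shell functions below are an added example, not part of the Oracle tutorial: they inspect the exported key before use and then encrypt a file to it. They assume GnuPG 2.2 or later on that host; the 2048-bit minimum is this example's own policy (the Generate dialog also offers 1024), and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: vet the exported fusion-key public key, then encrypt an HDL file to it.
# Assumes GnuPG 2.2+ on the sending host. MIN_BITS is this example's own policy.
MIN_BITS=${MIN_BITS:-2048}

# Constructed sample of `gpg --show-keys --with-colons` output (not a real key).
SAMPLE_LISTING='pub:-:2048:1:0123456789ABCDEF:1700000000:::-:::scESC::::::23::0:
uid:-::::1700000000::0000000000000000000000000000000000000000::fusion-key::::::::::0:'

# Read a colon-format key listing on stdin. Succeed only for an RSA key
# (algorithm 1) of at least MIN_BITS whose overall capabilities include "E".
check_key_listing() {
    awk -F: -v min="$MIN_BITS" '
        $1 == "pub" {
            seen = 1
            if ($4 != 1)         { print "reject: not RSA (algo " $4 ")"; bad = 1 }
            else if ($3 < min)   { print "reject: " $3 "-bit key, want >= " min; bad = 1 }
            else if ($12 !~ /E/) { print "reject: key cannot encrypt"; bad = 1 }
            else                 { print "ok: RSA " $3 " key " $5 }
            exit
        }
        END {
            if (!seen) { print "reject: no public key found"; exit 1 }
            exit bad
        }'
}

# Encrypt file $2 to the public key in file $1, writing $3.
# A throwaway GNUPGHOME keeps the operator keyring untouched, and
# --recipient-file encrypts to the key in the file without importing it.
encrypt_for_hdl() {
    pub=$1 src=$2 dst=$3
    home=$(mktemp -d) || return 1
    if GNUPGHOME=$home gpg --batch --show-keys --with-colons "$pub" | check_key_listing &&
       GNUPGHOME=$home gpg --batch --yes --recipient-file "$pub" \
            --output "$dst" --encrypt "$src"
    then rc=0
    else rc=1
    fi
    rm -rf "$home"
    return $rc
}

# Usage (placeholder file names):
#   encrypt_for_hdl fusion-key_pub.asc hdl_data.zip hdl_data.zip.gpg

# Demo on the constructed listing; runs without gpg or a real key.
printf '%s\n' "$SAMPLE_LISTING" | check_key_listing || true
```

Set MIN_BITS=1024 in the environment only if the environment's fusion-key was generated at that length and cannot be regenerated.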

Refer to this Cloud Customer Connect topic for links to the latest Oracle By Example tutorials for HDL and HSDL:

Acknowledgements

  • Authors - Ema Johnson (Senior Principal Product Manager)
