Managing Implementation Users

This topic describes the tasks associated with the initial users of the implementation team.

Implementation Users

Note: If you are using Oracle IDCS as your IDP, then the user IDs will not get activated in real time. You can wait until the user IDs are synchronized with IDCS, or you can create the same user ID manually using the IDCS user management console.

The initial user can perform all the necessary setup tasks. She can also perform security tasks, including resetting passwords and the granting of additional privileges to herself and to others. After you sign in the first time, you can create additional implementation users with the same broad setup privileges that Oracle provides to the initial user. If you prefer, you can restrict the privileges of these implementation users based on your own setup needs.

The setup or implementation users are typically different from the Oracle Applications Cloud application users. For example:

  • Setup users are usually not part of your Oracle Applications Cloud organization.

  • You don't assign them product-specific work or make it possible for them to view product-specific data.

You do, however, have to give them the necessary privileges they require to complete application setup. You provide these privileges through role assignment.

Your application includes several types of roles. A job role, such as the IT Security Manager role, corresponds to a specific job that a person does in the organization. An abstract role, such as the Employee role, corresponds to general categories of people in an organization. You assign both types of roles to users in the security console. For the setup users, these roles are:

  • Application Diagnostic Administrator

  • Application Implementation Consultant

  • Employee

  • IT Security Manager

Note: The Application Implementation Consultant role has unrestricted access to large amounts of data. Limit assignment of the Application Implementation Consultant abstract role to implementation users who perform a wide range of implementation tasks and move the setup data across environments. Use other administrator roles such as the Financials Applications Administrator for users required to perform specific implementation tasks.

There is nothing to stop you from providing the same setup permissions to users that are part of the organization, if you need to. Highly privileged implementation users are not the only users who can do setup. You can create administrative users who don't have such broad permissions, yet can configure product-specific structures and perform other related setup tasks.

Managing User Accounts

The User Accounts page of the Security Console provides summaries of user accounts that you select to review. For each account, it always provides:

  • The user's login, first name, and last name, in a User column.

  • Whether the account is active, whether it is locked, and the user's password-expiration date, in a Status column.

It may also provide:

  • Associated worker information, if the user account was created in conjunction with a worker record in Human Capital Management. This may include person number, manager, job title, and business unit.

  • Party information, if the user account was created in conjunction with a party record created in CRM. This may include party number and party usage.

The User Accounts page also serves as a gateway to account-management actions you can complete. These include:

  • Reviewing details of, editing, or deleting existing accounts.

  • Adding new accounts.

  • Locking accounts.

  • Resetting users' passwords.

Note: If you are using Oracle IDCS as your IDP, use the IDCS user management console to complete these tasks.

To begin working with user accounts:

  1. Select the Users tab in the Security Console.

  2. In a Search field, select any combination of user states and enter at least three characters.

    The search returns user accounts at the states you selected, whose login, first name, or last name begins with the characters you entered.

Reviewing and Editing User Accounts

To review full details for an existing account, search for it in the User Accounts page and click its user login in the User column. This opens a User Account Details page.

These details always include:

  • User information, which consists of user, first, and last name values, and an e-mail address. It also includes an external identifier if one has been created. This is an external-system identifier, such as a single sign-on account ID if single sign-on is enabled.

  • Account information, which comprises the user's password-expiration date, whether the account is active, and whether it is locked.

  • A table listing the roles assigned to the user, including whether they are autoprovisioned or assignable. A role is assignable if it can be delegated to another user.

The page may also include an Associated Worker Information region or an Associated Party Information region. The former appears only if the user account is related to a worker record in Human Capital Management, and the latter if the user account is related to a party record in CRM.

To edit these details, click Edit in the User Account Details page. Be aware, however:

  • You can edit values only in the User Information, Account Information, and Roles regions.

  • Even in those regions, you can edit some fields only if the user is not associated with a worker or a party. For example, if the user has no such association, you can modify the First Name and Last Name values in the User Information region. But if the user is associated with a worker, you manage these values in Human Capital Management, and they are grayed out in this Edit User Details page.

  • In the Roles table, Autoprovisioned check boxes are set automatically, and you cannot modify the settings. The box is checked if the user obtained the role through autoprovisioning, and cleared if the role was manually assigned. You can modify the Assignable setting for existing roles.

Click Add Autoprovisioned Roles to add any roles for which the user is eligible. Or, to add roles manually, click Add Role. Search for roles you want to add, select them, and click Add Role Membership.

You can also delete roles. Click the x icon in the row for the role, and then respond Yes to a confirmation message.
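The note on the Application Implementation Consultant role and the Autoprovisioned and Assignable columns of the Roles table lend themselves to a periodic review of role assignments. The following is an added example, not Oracle code: it assumes the Roles table has been transcribed into a CSV with hypothetical column names, uses constructed sample rows, and treats IT Security Manager as privileged as a reviewer's assumption.

```python
import csv
import io

# Role the page describes as having unrestricted access to large amounts of data.
UNRESTRICTED = "Application Implementation Consultant"
# Assumption: the reviewer also wants IT Security Manager assignments examined.
PRIVILEGED = {UNRESTRICTED, "IT Security Manager"}

# Constructed sample; the column names are hypothetical, not a Security Console export format.
SAMPLE_CSV = """login,active,role,autoprovisioned,assignable
IMPL_USER1,Y,Application Implementation Consultant,N,N
IMPL_USER1,Y,IT Security Manager,N,Y
FIN_ADMIN1,Y,Financials Applications Administrator,N,N
OLD_CONSULTANT,N,Application Implementation Consultant,N,N
HR_SYNC1,Y,IT Security Manager,Y,N
JSMITH,Y,Employee,Y,N
"""


def audit_role_assignments(csv_text):
    """Return (login, role, reason) tuples for assignments that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login, role = row["login"], row["role"]
        if role not in PRIVILEGED:
            continue
        if role == UNRESTRICTED:
            # Confirm the holder really performs wide-ranging implementation tasks.
            findings.append((login, role, "unrestricted-role"))
        if row["assignable"] == "Y":
            # Assignable means the role can be delegated to another user.
            findings.append((login, role, "delegable"))
        if row["autoprovisioned"] == "Y":
            # Granted by a provisioning rule rather than by hand: review the rule.
            findings.append((login, role, "autoprovisioned"))
        if row["active"] != "Y":
            # Privileged role left on an account that is no longer active.
            findings.append((login, role, "inactive-holder"))
    return findings


if __name__ == "__main__":
    for login, role, reason in audit_role_assignments(SAMPLE_CSV):
        print(f"{login:15} {reason:18} {role}")
```
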

Adding User Accounts

The ability to add user accounts in the Security Console is intended for the creation of implementation users. The expectation is that an implementation user would set up Oracle Permitting and Licensing. Once the implementation users are set up, the offering can then be configured to add the end users. For Oracle Permitting and Licensing, the end users are created using:

  • Agency Staff page for the agency employees, such as permit technicians, building inspectors, and so on.

  • Self registration page for external users, such as residents applying for permits, planning applications, and so on.

To add a user account in the Security Console:

  1. Select the Users tab in the Security Console to open the User Accounts page.

  2. Click the Add User Account button.

  3. Select a value for Associated Person Type: Worker if this account is to be linked to a worker record in HCM, or None if not.

  4. By default, the account is set to be active and unlocked in the Account Information area. Typically these values are appropriate, but you may modify them.

  5. Select the User Category with which you want to associate the user.

    Note: If you are not sure which user category to select, you may leave it unchanged. All new users are automatically assigned to the Default user category.

  6. Enter name, e-mail, and password values in the User Information region as per the following guidance.

    • You need not enter a User Name value. It is generated automatically according to the user-name-generation rule selected in the General Administration page.

    • The First Name value is not required. However, you are expected to enter one if the selected user-name-generation rule makes use of the first name or the first-name initial.

    • The Password value must conform to the password policy established in the General Administration page. The Confirm Password value must match the Password value.

    • An external identifier is the user's ID in another system, such as a single sign-on account ID if single sign-on is enabled.

  7. Click Add Autoprovisioned Roles, to assign roles for which role-provisioning rules make the user eligible.

  8. Click Add Roles to assign other roles. Search for roles you want to assign, select them, then click Add Role Membership. Select Done when you are finished.

  9. In the Roles table, select Assignable for any role that can be delegated to another user.

  10. Click Save and Close.

Note: If you are using Oracle IDCS as your IDP, the users created using the Security Console and the Agency Staff page will not be activated immediately. You can wait for the synchronization with IDCS, or you can create the same user ID in IDCS using the IDCS user management console.

Resetting Passwords

An administrator may use the Security Console to reset other users' passwords. That action triggers an e-mail notification to each user, informing him or her of the new password.

A new password must conform to your password policy. You establish this policy in the General Administration page. The page in which you reset the password displays the policy.

Note: If you are using Oracle IDCS as your IDP, this task needs to be completed in the IDCS console.

To reset a password:

  1. In the User Accounts page, search for the user whose password you want to change.

  2. In that user's row, click the Action icon, then Reset Password.

    As an alternative, open the user's account for editing: click the User Login value in the User Accounts page, then Edit in a User Account Details page. In that page, select Reset Password.

  3. In a Reset Password dialog, select whether to generate the password automatically or change it manually. For a manual change, also enter a new password value and a confirmation value, which must match the new value.

    Note: The option to reset a password to an automatically generated value is always available. For the manual-reset option to be available, an "Administrator can manually reset password" option must be selected on the General Administration page.

  4. Click the Reset Password button.

Locking and Unlocking User Accounts

An administrator may use the Security Console to lock users' accounts. When an account is locked, its user cannot sign in. He or she must either use the "forgot password" flow to reset the password or contact the help desk to have the account unlocked.

You can lock a user account in either of two ways. In either case, open the User Accounts page and search for the user whose account you want to lock.

Note: If you are using Oracle IDCS as your IDP, this task needs to be completed in the IDCS console.

To complete the first procedure:

  1. In the user's row, click the Action icon, then Lock Account.

  2. Respond Yes to a confirmation message.

To complete the second procedure:

  1. Open the user's account for editing: click the User Login value in the User Accounts page, then Edit in a User Account Details page.

  2. In the Edit User Account page, select the Locked check box in the Account Information region.

  3. Select Save and Close.

You can unlock the account only from the Edit User Account page, by clearing the Locked check box.

Deleting User Accounts

An administrator may use the Security Console to delete users' accounts.

  1. Open the User Accounts page and search for the user whose account you want to delete.

  2. In the user's row, click the Action icon, then Delete.

  3. Respond Yes to a confirmation message.

Note: If you are using Oracle IDCS as your IDP, this task needs to be completed in the IDCS console.

Defining Notification Templates

Users may receive email notifications of user-account events, such as account creation or password expiration. These notifications are generated from a set of templates, each of which specifies an event. A template generates a message to a user when that user is involved in the event tied to the template.

Note: If you are using Oracle IDCS as your IDP, some of the templates may not apply. For example, the welcome email, the password reset email, and so on will be triggered from IDCS.

To work with templates, click the User Categories tab in the Security Console. Then select a user category and on the User Category: Details page, click the Notifications tab. You must click the Edit button to make any changes.

There are eight events, and a predefined template exists for each event. Only one template linked to a given event can be enabled at a time. To use notification templates, ensure that notifications are enabled. To do that, select the Enable Notifications check box in the Notification Preferences region.

Even so, you can enable or disable templates, edit them, or create templates to replace existing ones. To create a template:

  1. On the User Category: Notifications page, click Add Template.

  2. Enter a name for the template and, optionally, a description.

  3. Select an event. When you do, values for Message Subject and Message are copied from an already-configured template for which the same event is selected.

  4. Edit the message subject, message text, or both. Note that message text may include tokens, which are replaced in runtime by literal values appropriate for a given user or account.

  5. Select the Enabled check box to use the template immediately. If you do, the application automatically disables the template that had been enabled for that event. Or, leave the check box cleared to hold the template in reserve.

  6. Click Save and Close.

To edit a template, select it from the templates listed in the Notification Templates table. Then follow essentially the same process as you would to create a template. Note, however, that you cannot modify the event selected for a template that has been saved. You may enable or disable an individual template by selecting or clearing its Enabled check box as you edit it.

Note: You can't edit or delete predefined templates that begin with the prefix name ORA. You also can't modify the message subject or the message. You can only enable or disable the predefined templates.

You can delete the templates you created. Select the template row in the table and click Delete.

The following table lists the tokens you can use in the message text for a template:

| Token | Meaning |
| --- | --- |
| ${userLoginId} | The user name of the person whose account is being created or modified. |
| ${firstName} | The given name of the person whose account is being created or modified. |
| ${lastName} | The surname of the person whose account is being created or modified. |
| ${managerFirstName} | The given name of the person who manages the person whose account is being created or modified. |
| ${managerLastName} | The surname of the person who manages the person whose account is being created or modified. |
| ${loginUrl} | The web address to sign in to Oracle Cloud. The user can sign in and use the Preferences page to change a password that is about to expire. Or, without signing in, the user can engage a forgot-password procedure to change a password that has already expired. |
| ${resetUrl} | A one-time web address expressly for the purpose of resetting a password, used in the Password Generated, Password Reset, New Account, and New Account Manager templates. |
| ${CRLFX} | Insert line break. |
| ${SP4} | Insert four spaces. |
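Before enabling a user-defined template, its message text can be checked against the token list above. The following is an added example, not Oracle code: the function names are hypothetical, token names are compared exactly as spelled in the table, and the sample messages and the "Password Expiration" event label are constructed.

```python
import re

# Tokens from the table above; any other ${...} name is treated as a typo.
KNOWN_TOKENS = {
    "userLoginId", "firstName", "lastName", "managerFirstName",
    "managerLastName", "loginUrl", "resetUrl", "CRLFX", "SP4",
}
# Templates the table names as the ones that use the one-time ${resetUrl}.
RESET_URL_TEMPLATES = {
    "Password Generated", "Password Reset", "New Account", "New Account Manager",
}
TOKEN_RE = re.compile(r"\$\{([^{}$]*)\}")


def lint_message(event, message):
    """Return (code, detail) findings for one template's message text."""
    findings = []
    for match in TOKEN_RE.finditer(message):
        name = match.group(1)
        if name not in KNOWN_TOKENS:
            # A misspelled token would not match any name in the table.
            findings.append(("unknown-token", match.group(0)))
        elif name == "resetUrl" and event not in RESET_URL_TEMPLATES:
            # The one-time reset address belongs only in the four listed templates.
            findings.append(("reset-url-outside-reset-flow", event))
    # Whatever still contains "${" after removing complete tokens was never closed.
    if "${" in TOKEN_RE.sub("", message):
        findings.append(("unterminated-token", "${ without closing }"))
    return findings


def render_preview(message, values):
    """Substitute sample values so a reviewer can read the message as a user would."""
    subs = dict(values, CRLFX="\n", SP4=" " * 4)
    return TOKEN_RE.sub(lambda m: subs.get(m.group(1), m.group(0)), message)


# Constructed sample messages.
GOOD = ("Password Reset",
        "Hello ${firstName},${CRLFX}${SP4}Reset your password here: ${resetUrl}")
BAD = ("Password Expiration",
       "Dear ${firstname}, sign in at ${loginUrl or use ${resetUrl}")

if __name__ == "__main__":
    for event, message in (GOOD, BAD):
        print(event, lint_message(event, message))
    print(render_preview(GOOD[1], {"firstName": "Ana",
                                   "resetUrl": "https://example.invalid/reset"}))
```
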

Synchronizing User and Role Information

You run the process Retrieve Latest LDAP Changes once during implementation. This process copies data from the LDAP directory to the Oracle Fusion Applications Security tables. Thereafter, the data is synchronized automatically. To run this process, perform the task Run User and Roles Synchronization Process as described in this topic.

Follow these steps:

  1. Sign in to your Oracle Applications Cloud service environment as the service administrator.

  2. Select Navigator > Others > Setup and Maintenance to open the Setup and Maintenance work area.

  3. In the Setup and Maintenance work area, select the Run User and Roles Synchronization Process task in the Initial Users functional area.

    The process submission page for the Retrieve Latest LDAP Changes process opens.

  4. Click Submit.

  5. Click OK to close the confirmation message.

Resetting the Cloud Service Administrator Sign-In Details

Once you have set up your implementation users, you can reset the service administrator sign-in details for your Oracle Applications Cloud service. You reset these details to avoid problems later when you're loaded to the service as an employee. This topic describes how to reset the service administrator sign-in details.

Sign in to your Oracle Applications Cloud service using the TechAdmin user name and password and follow these steps:

  1. In the Setup and Maintenance work area, select the Create Implementation Users task in the Initial Users functional area.

    The User Accounts page of the Security Console opens.

  2. Search for your service administrator user name, which is typically your email. Your service activation mail contains this value.

  3. In the search results, click your service administrator user name to open the User Account Details page.

  4. Click Edit.

  5. Change the User Name value to ServiceAdmin.

  6. Delete any value in the First Name field.

  7. Change the value in the Last Name field to ServiceAdmin.

  8. Delete the value in the Email field.

  9. Click Save and Close.

  10. Sign out of your Oracle Applications Cloud service.

After making these changes, you use the user name ServiceAdmin when signing in as the service administrator.

Managing User Categories

You can categorize and segregate users based on the various functional and operational requirements. A user category provides you with an option to group a set of users such that the specified settings apply to everyone in that group. Typical scenarios in which you may want to group users are:

  • Users have different preferences in receiving automated notifications from the Security Console. For example, employees of your organization using the organization's single sign-on don't require notifications from the Security Console about creating new users, password expiry, or password reset. However, the suppliers of your organization who aren't using the organization's single sign-on, must receive such notifications from the Security Console.

  • You have built an external application for a group of users using the REST APIs of Oracle Fusion Applications. You intend to redirect this user group to the external application when using the Security Console to reset passwords or create new users.

On the Security Console page, click the User Categories tab. You can perform the following tasks:

| Task | Description |
| --- | --- |
| Segregate users into categories | Create user categories and add existing users to them. All existing users are automatically assigned to the Default user category unless otherwise specified. You may create more categories depending upon your requirement and assign users to those categories. Note: You can assign a user to only one category. |
| Specify Next URL | Specify a URL to redirect your users to a website or an application instead of going back to the Sign In page, whenever they reset their password. For example, a user places a password reset request and receives an email for resetting the password. After the new password is authenticated, the user can be directed to a website or application. If nothing is specified, the user is directed to the Oracle Applications Cloud Sign In page. You can specify only one URL per user category. |
| Enable notifications | Notifications are enabled by default, but you can disable them if required. You can also enable or disable notifications separately for each user category. If users belonging to a specific category don't want to receive any notification, you can disable notifications for all life cycle events. Alternatively, if users want to receive notifications only for some events, you can selectively enable the functionality for those events. |

Notifications are sent for a set of predefined events. To trigger a notification, you must create a notification template and map it to the required event. Depending on the requirement, you can add or delete a template that is mapped to a particular event.

Note: You can't edit or delete predefined notification templates that begin with the prefix ORA. You can only enable or disable them. However, you can update or delete the user-defined templates.

The User Category feature supports both the SCIM protocol and HCM Data Loader for performing bulk updates.

Using the Security Console, you can add existing users to an existing user category or create a new category and add them. When you create new users, they are automatically assigned to the default category. At a later point, you can edit the user account and update the user category. You can assign a user to only one category.

Note: If you are creating new users using Security Console, you can also assign a user category at the time of creation.

You can add users to a user category in three different ways:

  • Create a user category and add users to it

  • Add users to an existing user category

  • Specify the user category for an existing user

Note: You can create and delete a user category only using the Security Console. Once the required user categories are available in the application, you can use them in SCIM REST APIs and data loaders. You can't rename a user category.

Adding Users to a New User Category

To create a user category and add users:

  1. On the Security Console, click User Categories > Create.

  2. Click Edit, specify the user category details, and click Save and Close.

  3. Click the Users tab and click Edit.

  4. On the User Category: Users page, click Add.

  5. In the Add Users dialog box, search for and select the user, and click Add.

  6. Repeat adding users until you have added the required users and click Done.

  7. Click Done on each page until you return to the User Categories page.

Adding Users to an Existing User Category

To add users to an existing user category:

  1. On the Security Console, click User Categories and click an existing user category to open it.

  2. Click the Users tab and click Edit.

  3. On the User Category: Users page, click Add.

  4. In the Add Users dialog box, search for and select the user, and click Add.

  5. Repeat adding users until you have added the required users and click Done.

  6. Click Done on each page until you return to the User Categories page.

Specifying the User Category for an Existing User

To add an existing user to a user category:

  1. On the Security Console, click Users.

  2. Search for and select the user for whom you want to specify the user category.

  3. On the User Account Details page, click Edit.

  4. In the User Information section, select the User Category. The Default user category remains set for a user until you change it.

  5. Click Save and Close.

  6. On the User Account Details page, click Done.

You can delete user categories if you don't require them. However, you must ensure that no user is associated with that user category. Otherwise, you can't proceed with the delete task. On the User Categories page, click the X icon in the row to delete the user category.

Managing Notifications

Using the Security Console, you can determine whether to turn notifications on or off for the users.

  1. On the Security Console, click User Categories and from the list, select the specific user category.

  2. Click the Notifications tab and click Edit.

  3. Select the Enable Notifications check box to enable notifications for all users of that user category. To disable notifications, deselect the check box.

  4. Click Done.

To determine which notifications to send, you have to enable the notification template for each required event.