15User Management

This chapter contains the following:

Overview of Managing Users

Once you create users and provision them with access to the application, there are various user management tasks you have to perform on an on-going basis. Here are examples of some of the tasks you might have to do:

  • Assigning different resource roles to users when they change jobs within the organization or are promoted

  • Terminating user accounts when users leave the organization

  • Acting as a proxy for users so you can troubleshoot issues

This chapter describes how to perform these and other user management tasks using the sales application UI. But you can also use file import functionality to perform user management tasks such as:

  • Making changes to employee resource information, for example, name or email address

  • Enabling or disabling user accounts

  • Making promotion, demotion, or transfer updates for an employee resource

For additional information, see the chapter about importing resource data in the guide Understanding Import and Export Management for CX Sales and B2B Service at http://docs.oracle.com.

Change a User's Email Address

Use the Users tab in the Security Console work area to change email addresses for sales users. If you're updating their email addresses, then you can also use the same import process you use to create them.

  1. Navigate to the Security Console.

  2. Click the Users tab.

  3. Search for the user using one of the following:

    • First or last name, but not both

    • User name

  4. Click the user name link.

  5. On the User Account Details window, click Edit.

  6. In the Edit User Account window, edit the email address.

    Note: Don't edit any of the other information available on the Edit User Account page. Use the Manage Users task instead.
  7. Click Save and Close.

Get User Sign-in Sign-out Information

You can get the last seven days of user sign-in sign-out information using a setting available on the Add User Account page in Security Console. To view the setting, you must enable a profile option. You can access the sign-in sign-out information through REST APIs.

Here's how you enable the profile option:

  1. In the Setup and Maintenance work area, open the task Manage Administrator Profile Values.

  2. Search the following Profile Option Code:


  3. In the Profile Value drop-down list, select Yes.

  4. Click Save and Close.

Note: The audit data is available for seven days.

The profile option is enabled. On the Add User Account page in Security Console, the setting to get user sign-in sign-out information appears now in the Advanced Information section.

On the Security Console, click Users. On the User Accounts page, click Add User Account and select Enable Administration Access for Sign In-Sign Out Audit REST API. You can enable this option on the User Account Details Edit page too.

Change User Names

User names are automatically generated in the enterprise default format when you create a new user if you don't manually specify a user name. The default format is the user's email address, but you can change this value. For example, you might choose to use first name.last name as the default format. You can also manually override an individual user's existing user name, if necessary.

Caution: Although you can change the user name of an existing user, changing it isn't a good idea. Changing the user name requires extra setup for Oracle BI Answers. Oracle BI Answers, the embedded reporting tool for building and modifying reports, creates a separate GUID from the user name when you create a user. If you change the user name, then you must update the BI Answers GUID by running the Rename Accounts Self-Service utility. You can download the utility from My Oracle Support article Oracle Fusion BI: Self-Service Forget Accounts and Rename Accounts Tools (Doc ID 2635720.1). If you used the user name in any script, then you must update that script as well.

To change an existing user name, sign in to the application as a setup user, then perform these steps.

  1. Select Navigator > My Team > Users and Roles to open the Search Person page.

    You can also search for the Manage Users task in the Setup and Maintenance work area.

  2. Search for and select the user whose user name you want to change.

    The Edit User page for the user opens.

  3. In the User Details region, enter the new user name in the User Name field.

    You can enter the user name in any format you choose.

  4. Click Save and Close.

    The updated name is sent automatically to your LDAP directory server.

    The user's password and roles remain the same.

When you change an existing user name on the Edit User page, the user doesn't receive an automatic notification of the change. So it's a good idea to send details of the updated user name directly to the user.

Change User Resource Roles When Job Assignments Change

If an employee takes on a different role within the company, for example, if the employee is promoted, then you must update the resource role assigned to the employee. Changing the resource role assigned to an employee involves these steps:

  • Assigning the user a new resource role that corresponds to the new assignment, for example, Sales Manager.

  • Setting an end date for the old resource role, for example, Salesperson.

If the employee's new role also involves a change in the user's resource organization, for example, if the user is promoted to a management role from a non-management role, you must also change the user's organization membership.

You can make changes to role assignments using either the resource import management functionality or using the Sales UI. Although importing changes takes care of many tasks that you have to perform manually in the UI, if you're updating resource role information for an individual user, then using the UI can be more efficient.

These steps describe how to update role information in the UI for a user who's promoted from a sales representative role to a sales manager role.

  1. Sign in to the application as the sales administrator or as a setup user.

  2. Select Navigator > My Team > Users and Roles to open the Search Person page.

  3. Search for and select the user who's being promoted. The Edit User page for the user opens.

  4. In the Resource Information region, do the following:

    1. In the Resource Role field, add the new resource role for the user, for example, Sales Manager.

    2. In the Reporting Manager field, update the user's manager.

    3. In the Organization field, specify the user's resource organization.

      You must create a resource organization for every manager in your Sales organization. If you haven't created a resource organization for the new manager, then you can create one by clicking the Create link from the end of the Organization list. The Create Organization dialog box is displayed allowing you to enter a new organization name.

    4. To automatically provision any roles provided by the new resource role you just assigned the user, click the Autoprovision Roles button in the Resource Information section.

    5. Click Save and Close.

  5. Set an end date for the user's old resource role using these steps:

    1. Form the Navigator menu, select Directory > Resource Directory.

    2. In the Tasks area of the Resource Directory page, select View Resources.

    3. On the View Resources page, search for and select the user.

      The Resource page for the user opens.

      Note that the user is assigned the new resource organization you previously created.

    4. Click the Roles tab, and in the Roles list, select the current role assigned to the user, for example, Salesperson, and enter an end date in the To Date field.

      The value you enter is the date the user's assignment in the current role ends.

    5. Click Save and Close.

Note: When you promote a user from one management position to another, for example, from a Sales Manager role to a Sales VP role, then the resource hierarchy is maintained provided that the promoted user's resource organization doesn't change. So any users who reported to the Sales Manager continue to report to the same individual when that individual is promoted to the Sales VP role. If the promoted user's resource organization does change upon the promotion, the user's reports must be reassigned to a new manager.

For information about changing role assignments using the resource import management functionality, see the topic about importing resource data in the Understanding Import and Export Management for CX Sales and B2B Service guide.

Terminate User Accounts

This topic describes how you can terminate a user account when an employee leaves your company. You can't delete a sales user account using the Security Console. But when an employee leaves your company, you can suspend the user account by completing these steps in the Manage Users and Manage Resources work areas:

  1. Do either one of these tasks:

    • Inactivate the user's account.

    • Remove the user's roles.

  2. Set an end date for the resource.

The process outlined in this topic applies if you're using only Oracle CX Sales and B2B Service. If your company also uses Oracle HCM Cloud, then a different process applies.

Note: When you deactivate a user account, the user record isn't deleted from the application. You can still view a deactivated user's record in the Manage Users work area.

Inactivating a User Account

When an employee leaves your company, in most cases it's best practice to inactivate the user account. Inactivating the user's account prevents the user from being able to log in to the application.

These are the steps to inactivate a user account.

  1. Select Navigator > My Team > Users and Roles to open the Search Person page.

  2. On the Search Person page, search for and select the user whose account you want to inactivate. The Edit User page for the user opens.

  3. In the User Details section, in the Active field, select Inactive.

  4. Click Save and Close.

Removing Roles from a User

Instead of inactivating a user account, you can remove some or all of the roles assigned to the user. You might want to do this if you want to keep some roles active. For example, maybe you want to keep the user account valid to allow the user access to specific pages you have created.

These are the steps to selectively remove roles from a user.

  1. Navigate to the Search Person page as described in the previous task.

  2. Search for and select the user whose roles you want to remove.

    The Edit User page for the user opens.

  3. In the Current Roles section, select the role you want to remove, then click the Remove icon. Repeat this process for each role assigned to the user that you want to remove.

  4. Click Save and Close.

Setting an End Date for the Resource

After you have either inactivated a user account or removed the roles assigned to a user account, you must set an end date for the resource (user) as described in this topic.

Note: You can also set the end date for an employee in the Resource Directory which you can access from the Navigator menu.

These are the steps to set the end date for a user.

  1. In the Setup and Maintenance work area, go to the following:

    • Offering: Sales

    • Functional Area: Users and Security

    • Task: Manage Resources

  2. On the Manage Resources page, search for and select the resource you want to edit. The Resource page for the individual opens.

  3. With the Organization tab selected, select the Edit option from the Actions menu.

    The Edit Organization Membership page opens.

  4. In the To Date field, enter the date the individual is leaving the company.

  5. Click Save and Close.

When the end date you specify for a resource arrives, this is what happens:

  • The terminated employee is no longer available in the application so can no longer be newly associated with any Sales objects, such as sales account, territory, lead, and opportunity. The user's association with Sales objects made before the end date aren't automatically removed but you can remove them manually.

  • Resource roles for the individual are deprovisioned.

  • If the terminated individual had any reports, they're reassigned to his or her manager.

Impersonation and Proxy Users

Privileges Required by Proxy Users

You can use the impersonation functionality in the sales application to designate another user as a proxy to sign in to the application and perform tasks on your behalf. For example, a channel manager might want to sign in to the Partner Portal as a partner user to resolve a query relating to the UI pages or data.

Channel managers don't require a partner user's permission to impersonate the partner user. To implement impersonation in all other cases, however:

  • The user must explicitly designate another user as his or her proxy.

  • The designated user must have the privileges required to act as a proxy.

Impersonate User Privilege

You can select a user to act as your proxy only if the user has the privilege required to be a proxy, that is, the Impersonate User privilege. The following job roles are assigned the Impersonate User privilege by default; therefore, users assigned these job roles can act as proxies for other users:

  • Channel Account Manager

  • Channel Operations Manager

You can enable other groups of users to act as proxies by creating a copy of the job role assigned to the users and adding the Impersonate User privilege to the copied custom role.

Note: When deciding whether or not to assign the Impersonate User privilege to an additional job role, be aware that a proxy user can access all the same data and tasks as the user they impersonate.

Configure Impersonation Auditing

The impersonation functionality allows users to temporarily designate another user as a proxy to sign in to the application on their behalf. A proxy user has the same privileges as the impersonated user and has access to all of the impersonated user's personal data. By default, therefore, auditing of proxy user sessions is enabled, even when auditing is disabled for the application. An audit record tracks the user name of the proxy and any transactions performed.

Auditing of proxy sessions is recommended but, if appropriate for your environment, you can disable impersonation auditing by changing the default value of the site-level profile option Audit Impersonation Transaction Enabled.

Note: A number of database tables aren't enabled for impersonation transaction auditing. If impersonation auditing is enabled, proxy users can't save transactions that result in changes to the data in those tables. If the administrator disables impersonation auditing using the Audit Impersonation Transaction Enabled profile option, proxy users can change the data in any tables, whether or not the tables are enabled for impersonation auditing.

For additional information about auditing in the sales application, including information about the objects that can be enabled for auditing, see the Implementing Sales guide on Oracle Help Center at http://docs.oracle.com/.

Configuring Impersonation Auditing

The following procedure describes how to enable or disable impersonation auditing functionality by changing the value of the Audit Impersonation Transaction Enabled profile option.

  1. In the Setup and Maintenance work area, go to the following:

    • Offering: Sales

    • Functional Area: Sales Foundation

    • Task: Manage Administrator Profile Values

  2. On the Manage Administrator Profile Values page, in the Search: Profile Option section, enter Audit Impersonation Transaction Enabled in the Profile Display Name field.

  3. Click Search.

  4. In the Search Results list, select FND_AUDIT_IMPERSONATION_TRANSACTIONS.

  5. In the FND_AUDIT_IMPERSONATION_TRANSACTIONS: Profile Values section, select the Site Profile level and et the value of the Profile Value field to either Yes or No.

  6. Click Save and Close.

Provide Read-Only Access for Individual Users

Some users may need read-only access to Oracle CX Sales and B2B Service applications. For example:

  • A service representative must replicate a user's transaction without saving any changes.

  • An auditor reviews application data for regulatory reasons but isn't authorized to change anything.

Read-only access is controlled by the Read Only Mode (FND_READ_ONLY_MODE) profile option. This topic describes how to set Read Only Mode to all Oracle CX applications for specific users.

Set the Read Only Mode Profile Option

To enable read-only mode for a user:

  1. In the Setup and Maintenance work area, use the Manage Administrator Profile Values task.

  2. In the Search section of the Manage Administrator Profile Values page, enter FND_READ_ONLY_MODE in the Profile Option Code field and click Search.

  3. In the FND_READ_ONLY_MODE: Profile Values section of the page, click the New icon.

  4. In the new row of the profile values table:

    1. Set Profile Level to User.

    2. In the User Name field, search for and select the user.

    3. Set Profile Value to Enabled to activate read-only access for the selected user.

  5. Click Save and Close.

When the user next signs in, a page banner reminds the user that read-only mode is in effect. The user can edit values in the application but can't update or save any changes they make.

FAQs for Managing Users

How are the records of a terminated employee reassigned?

After you terminate an employee in the application, the assignment process automatically excludes the terminated user when it runs again. But you have to manually handle other reassignments, for example, replacing the terminated user with another user on the territory team or sales account team. For specific types of records, such as lead records or opportunity records, you can also use the Mass Transfer tool to transfer records from a terminated resource to another resource.

Can I reactivate a terminated employee record?

Yes. Once you specify an end date for a resource, you can't reverse it in the application. But the former employee's record remains in the application so you can again identify that person as a resource if the person is rehired. After identifying the person, you must assign roles and an organization again.

How can I notify users of their user names and passwords?

You can run the Send User Name and Password Email Notifications process in the Scheduled Processes work area. For users for whom you haven't so far requested an email, this process sends out user names and reset-password links. The email goes to the work email of the user or the user's line manager. You can send the user name and password once only to any user. A notification template for this event must exist and be enabled.