6 Creating and Managing Application Users


Creating Users

Create Users

During implementation, you can use the Create User task to create test application users. By default, this task creates a minimal person record and a user account. After implementation, you should use the Hire an Employee task to create application users. The Create User task isn't recommended after implementation is complete. This topic describes how to create a test user using the Create User task.

Sign in and follow these steps:

  1. Select Navigator > My Team > Users and Roles to open the Search Person page.

  2. In the Search Results section, click the Create icon.

    The Create User page opens.

Completing Personal Details

  1. Enter the user's name.

  2. In the E-Mail field, enter the user's primary work e-mail.

  3. In the Hire Date field, enter the hire date for a worker. For other types of users, enter a user start date. You can't edit this date after you create the user.

Completing User Details

You can enter a user name for the user. If you leave the User Name field blank, then the user name follows the enterprise default user-name format.

Setting User Notification Preferences

The Send user name and password option controls whether a notification containing the new user's sign-in details is sent when the account is created. This option is enabled only if notifications are enabled on the Security Console and an appropriate notification template exists. For example, if the predefined notification template New Account Template is enabled, then a notification is sent to the new user. If you deselect this option, then you can send the e-mail later by running the Send User Name and Password E-Mail Notifications process. An appropriate notification template must be enabled at that time.

Completing Employment Information

  1. Select a Person Type value.

  2. Select Legal Employer and Business Unit values.

Adding Roles

  1. Click Autoprovision Roles. Any roles for which the user qualifies automatically, based on the information that you have entered so far, appear in the Role Requests table.

  2. To provision a role manually to the user, click Add Role. The Add Role dialog box opens.

  3. Search for and select the role. The role must appear in a role mapping for which you satisfy the role-mapping conditions and where the Requestable option is selected for the role.

    The role appears in the Role Requests region with the status Add requested. The role request is created when you click Save and Close.

    Repeat steps 2 and 3 for additional roles.

  4. Click Save and Close.

  5. Click Done.

Inactive Users Report

Run the Inactive Users Report process to identify users who haven't signed in for a specified period.

To run the report:

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. Search for and select the Import User Login History process.

    Note: Whenever you run the Inactive Users Report process, you must first run the Import User Login History process. This process imports information that the Inactive Users Report process uses to identify inactive users. You're recommended to schedule Import User Login History to run daily.

  3. When the Import User Login History process completes, search for and select the Inactive Users Report process.

  4. In the Process Details dialog box, set parameters to identify one or more users.

  5. Click Submit.

Inactive Users Report Parameters

All parameters except Days Since Last Activity are optional.

User Name Begins With

Enter one or more characters.

First Name Begins With

Enter one or more characters.

Last Name Begins With

Enter one or more characters.

Department

Enter the department from the user's primary assignment.

Location

Enter the location from the user's primary assignment.

Days Since Last Activity

Enter the number of days since the user last signed in. Use this parameter to specify the meaning of the term inactive user in your enterprise. Use other parameters to filter the results.

This value is required and is 30 by default. This value identifies users who haven't signed in during the last 30 or more days.

Last Activity Start Date

Specify the start date of a period in which the last activity must fall.

Last Activity End Date

Specify the end date of a period in which the last activity must fall.

Viewing the Report

The process produces an Inactive_Users_List_processID.xml file and a Diagnostics_processID.zip file.

The report includes the following details for each user who satisfies the report parameters:

  • Number of days since the user was last active

  • Date of last activity

  • User name

  • First and last names

  • Assignment department

  • Assignment location

  • City and country

  • Report time stamp

Note: The information in the report relating to the user's latest activity isn't based solely on actions performed by the user in the UI. Actions performed on behalf of the user, which create user sessions, also affect these values. For example, running processes, making web service requests, and running batch processes are interpreted as user activity.

Managing Users

Manage User Accounts

Human resource specialists (HR specialists) can manage user accounts for users whose records they can access. This topic describes how to update a user account.

To access the user account page for a person:

  1. Open the Person Management work area.

  2. On the Search Person page, search for the person whose account you're updating.

  3. In the search results, select the person and select Actions > Personal and Employment > Manage User Account. The Manage User Account page opens.

Manage User Roles

To add a role:

  1. Click Add Role.

    The Add Role dialog box opens.

  2. In the Role Name field, search for the role that you want to add.

  3. In the search results, select the role and click OK.

    The role appears in the Role Requests region with the status Add Requested.

  4. Click Save.

To remove a role from any section of this page:

  1. Select the role and click Remove.

  2. In the Warning dialog box, click Yes to continue.

  3. Click Save.

Clicking Save sends requests to add or remove roles to your LDAP directory server. Requests appear in the Role Requests in the Last 30 Days section. Once provisioned, roles appear in the Current Roles section.

To update a user's roles automatically, select Actions > Autoprovision Roles. This action applies to roles for which the Autoprovision option is selected in all current role mappings. The user immediately:

  • Acquires any role for which he or she qualifies but doesn't currently have

  • Loses any role for which he or she no longer qualifies

You're recommended to autoprovision roles for individual users if you know that additional or updated role mappings exist that affect those users.

Copy Personal Data to LDAP

By default, changes to personal data, such as person name and phone, are copied to your LDAP directory periodically. To copy any changes immediately:

  1. Select Actions > Copy Personal Data to LDAP.

  2. In the Copy Personal Data to LDAP dialog box, click Overwrite LDAP.

Reset Passwords

To reset a user's password:

  1. Select Actions > Reset Password.

  2. In the Warning dialog box, click Yes to continue.

    This action sends a notification containing a reset-password link to the user's work email.

    Note: A notification template for the password-reset event must exist and be enabled for the user's user category. Otherwise, no notification is sent.

Edit User Names

To edit a user name:

  1. Select Actions > Edit User Name.

  2. In the Update User Name dialog box, enter the user name and click OK. The maximum length of the user name is 80 characters.

  3. Click Save.

This action sends the updated user name to your LDAP directory. Once the request is processed, the user can sign in using the updated name. As the user receives no automatic notification of the change, you're recommended to send the details to the user.

Tip: Users can add roles, autoprovision roles, and copy their personal data to LDAP by selecting Navigator > Me > Roles and Delegations. Line managers can add, remove, and autoprovision roles and copy personal data to LDAP for their reports from the Directory or by selecting Navigator > My Team > Users and Roles.

By default, user names are generated automatically in the format specified for the default user category when you create a person record. Users who have the human resource specialist (HR specialist) role can change user names for existing HCM users whose records they can access. This topic describes the automatic generation of user names and explains how to change an existing user name.

User Names When Creating Users

You create an HCM user by selecting a task, such as Hire an Employee, in the New Person work area. The user name is generated automatically in the format specified for the default user category. This table summarizes the effects of the available formats for Oracle HCM Cloud users.

| User-Name Format | Description |
| --- | --- |
| Email | The worker's work email is the user name. If you don't enter the work email when hiring the worker, then it can be entered later on the Security Console. This format is used by default. A different default format can be selected on the Security Console. |
| FirstName.LastName | The user name is the worker's first and last names separated by a single period. |
| FLastName | The user name is the worker's last name prefixed with the initial of the worker's first name. |
| Person number | If your enterprise uses manual numbering, then any number that you enter becomes the user name. Otherwise, the number is generated automatically and you can't edit it. The automatically generated number becomes the user name. |

Note: If the default user-name rule fails, then a system user name can be generated. The option to generate a system user name is enabled by default but can be disabled on the Security Console.

Existing User Names

HR specialists can change an existing user name on the Manage User Account page.

To change a worker's user name:

  1. Search for and select the worker in the Person Management work area.

  2. For the selected worker, select Actions > Personal and Employment > Manage User Account.

  3. On the Manage User Account page, select Actions > Edit User Name.

The updated name, which can be in any format, is sent automatically to your LDAP directory server. The maximum length of the user name is 80 characters.

Tip: When you change an existing user name, the user's password and roles remain the same. However, the user receives no automatic notification of the change. Therefore, you're recommended to send details of the updated user name to the user.

Why You Send Personal Data to LDAP

User accounts for users of Oracle Fusion Applications are maintained on your LDAP directory server. By default, Oracle HCM Cloud sends some personal information about users to the LDAP directory. This information includes the person number, person name, phone, and manager of the person's primary assignment. HCM Cloud shares these details to ensure that user-account information matches the information about users in HCM Cloud.

This topic describes how and when you can send personal information explicitly to your LDAP directory.

Bulk Creation of Users

After loading person records using HCM Data Loader, for example, you run the Send Pending LDAP Requests process. This process sends bulk requests for user accounts to the LDAP directory.

When you load person records in bulk, the order in which they're created is undefined. Therefore, a person's record may exist before the record for his or her manager. In such cases, the Send Pending LDAP Requests process includes no manager details for the person in the user-account request. The LDAP directory information therefore differs from the information that HCM Cloud holds for the person. To correct any differences between these versions of personal details, you run the Send Personal Data for Multiple Users to LDAP process.

The Send Personal Data for Multiple Users to LDAP Process

Send Personal Data for Multiple Users to LDAP updates the LDAP directory information to match information held by HCM Cloud. You run the process for either all users or changed users only, as described in this table.

| User Population | Description |
| --- | --- |
| All users | The process sends personal details for all users to the LDAP directory, regardless of whether they have changed since personal details were last sent. |
| Changed users only | The process sends only personal details that have changed since details were last sent to the LDAP directory (regardless of how they were sent). This option is the default setting. |

Note: If User Account Maintenance is set to No for the enterprise, then the process doesn't run.

The process doesn't apply to party users.

You must have the Human Capital Management Application Administrator job role to run this process.

The Copy Personal Data to LDAP Action

Users can copy their own personal data to the LDAP directory from the Manage User Account page. Human resource specialists and line managers can also perform this action for users whose records they can access. By default, personal data changes are copied periodically to the LDAP directory. However, this action is available for copying changes immediately, if necessary.

This topic describes the Process User Account Request action, which may appear on the Manage User Account page for users who have no user account.

The Process User Account Request Action

The Process User Account Request action is available when the status of the worker's user account is either Requested or Failed. These values indicate that the account request hasn't completed.

Selecting this action submits the request again. Once the request completes successfully, the account becomes available to the user. Depending on your enterprise setup, the user may receive an email containing the user name and password.

Role Provisioning

Any roles that the user will have appear in the Roles section of the Manage User Account page. You can add or remove roles before selecting the Process User Account Request action. If you make changes to roles, then you must click Save.

The Send Pending LDAP Requests Process

The Process User Account Request action has the same effect as the Send Pending LDAP Requests process. If Send Pending LDAP Requests runs automatically at intervals, then you can wait for that process to run if you prefer. Using the Process User Account Request action, you can submit user-account requests immediately for individual workers.

How User Accounts Are Suspended

By default, user accounts are suspended automatically when a user has no roles. This automatic suspension of user accounts is controlled by the User Account Maintenance enterprise option. Human resource (HR) specialists can also suspend a user account manually, if necessary. This topic describes how automatic account suspension and reactivation occur. It also explains how to suspend a user account manually.

Automatic Suspension of User Accounts

When you terminate a work relationship:

  • The user loses any automatically provisioned roles for which he or she no longer qualifies. This deprovisioning is automatic.

  • If the user has no other active work relationships, then the user also loses manually provisioned roles. These are:

    • Roles that he or she requested

    • Roles that another user, such as a line manager, provisioned to the user

    If the user has other, active work relationships, then he or she keeps any manually provisioned roles.

When terminating a work relationship, you specify whether the user is to lose roles on the termination date or on the day following termination.

A terminated worker's user account is suspended automatically at termination only if he or she has no roles. Users can acquire roles automatically at termination, if an appropriate role mapping exists. In this case, the user account remains active.

Automatic Reactivation of User Accounts

User accounts are reactivated automatically when you reverse a termination or rehire a worker. If you reverse the termination of a work relationship, then:

  • The user regains any role that he or she lost automatically at termination. For example, if the user automatically lost roles that had been provisioned manually, then those roles are reinstated.

    Note: If you removed any roles from the user manually at termination, then you must restore them to the user manually, if required.

  • The user loses any role that he or she acquired automatically at termination.

  • If the user account was suspended automatically at termination, then it's automatically reactivated.

The autoprovisioning process runs automatically when you reverse a termination. Therefore, the user's roles are updated automatically as specified by current role mappings.

When you rehire a worker, the user account is reactivated automatically and roles are provisioned automatically as specified by current role mappings. In all other cases, you must reactivate suspended user accounts manually on the Edit User page.

Tip: Authorized users can also manage user account status directly on the Security Console.
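The termination and reversal rules above, together with the autoprovisioning behavior described under Manage User Roles, modeled as an added Python example (not Oracle code). Class names, attribute keys and role names are hypothetical, and role mappings are reduced to exact-match conditions on assignment attributes.

```python
"""Simplified model of role loss and account suspension at termination.
Added illustration; all class, attribute and role names are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class RoleMapping:
    role: str
    conditions: dict             # assignment attributes that must all match
    autoprovision: bool = False

    def matches(self, assignment: dict) -> bool:
        return all(assignment.get(k) == v for k, v in self.conditions.items())


@dataclass
class User:
    assignments: list            # one attribute dict per work relationship
    auto_roles: set = field(default_factory=set)
    manual_roles: set = field(default_factory=set)
    active: bool = True
    lost_manual: set = field(default_factory=set)   # manual roles removed at termination
    auto_suspended: bool = False

    @property
    def roles(self) -> set:
        return self.auto_roles | self.manual_roles


def autoprovision(user, mappings):
    """Acquire every autoprovisioned role the user qualifies for and lose the
    rest. Account status is deliberately left untouched."""
    user.auto_roles = {m.role for m in mappings if m.autoprovision
                       and any(m.matches(a) for a in user.assignments)}


def terminate(user, index, mappings, account_maintenance=True):
    user.assignments[index]["status"] = "INACTIVE"
    autoprovision(user, mappings)
    if not any(a["status"] == "ACTIVE" for a in user.assignments):
        # No other active work relationship: manually provisioned roles go too.
        user.lost_manual, user.manual_roles = user.manual_roles, set()
    if account_maintenance and not user.roles:
        # Suspension happens only when the user is left with no roles at all.
        user.active, user.auto_suspended = False, True


def reverse_termination(user, index, mappings):
    user.assignments[index]["status"] = "ACTIVE"
    user.manual_roles |= user.lost_manual      # automatically lost roles return
    user.lost_manual = set()
    autoprovision(user, mappings)              # roles gained at termination go
    if user.auto_suspended:
        user.active, user.auto_suspended = True, False


# Constructed sample mappings and worker.
ACTIVE_ONLY = [RoleMapping("Employee", {"status": "ACTIVE"}, autoprovision=True)]
WITH_EX_ROLE = ACTIVE_ONLY + [
    RoleMapping("Former Employee", {"status": "INACTIVE"}, autoprovision=True)]


def new_worker(mappings, relationships=1):
    user = User(assignments=[{"status": "ACTIVE"} for _ in range(relationships)],
                manual_roles={"Expense Auditor"})
    autoprovision(user, mappings)
    return user


if __name__ == "__main__":
    for label, mappings in (("no ex-worker mapping", ACTIVE_ONLY),
                            ("ex-worker mapping", WITH_EX_ROLE)):
        u = new_worker(mappings)
        terminate(u, 0, mappings)
        print(f"{label}: roles={sorted(u.roles)} active={u.active}")
```

In the second scenario the account stays active after termination because a role mapping grants a role to the terminated worker, which is the case to look for when reviewing role mappings against offboarding expectations.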

Manual Suspension of User Accounts

To suspend a user account manually, HR specialists follow these steps:

  1. Select Navigator > My Team > Users and Roles.

  2. Search for and select the user to open the Edit User page.

  3. In the User Details section of the Edit User page, set the Active value to Inactive. You can reactivate the account by setting the Active value back to Active.

  4. Click Save and Close.

Note: Role provisioning isn't affected by the manual suspension and reactivation of user accounts. For example, when you reactivate a user account manually, the user's autoprovisioned roles aren't updated unless you click Autoprovision Roles on the Edit User page. Similarly, a suspended user account isn't reactivated when you click Autoprovision Roles. You must explicitly reactivate the user account first.

IT security managers can lock user accounts on the Security Console. Locking a user account on the Security Console or setting it to Inactive on the Edit User page prevents the user from signing in.

User Details System Extract Report Parameters

The Oracle BI Publisher User Details System Extract Report includes details of Oracle Fusion Applications user accounts. This topic describes the report parameters. Run the report in the Reports and Analytics work area.

Parameters

User Population

Enter one of the values shown in this table to identify user accounts to include in the report.

| Value | Description |
| --- | --- |
| HCM | User accounts with an associated HCM person record. |
| TCA | User accounts with an associated party record. |
| LDAP | Accounts for users in the PER_USERS table who have no person number or party ID. Implementation users are in this category. |
| ALL | HCM, TCA, and LDAP user accounts. |

From Date

Accounts for HCM and LDAP users that exist on or after this date appear in the report. If you specify no From Date value, then the report includes accounts with any creation date, subject only to any To Date value.

From and to dates don't apply to the TCA user population. The report includes all TCA users if you include them in the report's user population.

To Date

Accounts for HCM and LDAP users that exist on or before this date appear in the report. If you specify no To Date value, then the report includes accounts with any creation date, subject only to any From Date value.

From and to dates don't apply to the TCA user population. The report includes all TCA users if you include them in the report's user population.

User Active Status

Enter one of the values shown in this table to identify the user-account status.

| Value | Description |
| --- | --- |
| A | Include active accounts, which belong to users with current roles. |
| I | Include inactive accounts, which belong to users with no current roles. |
| All | Include both active and inactive user accounts. |

User Details System Extract Report

The Oracle BI Publisher User Details System Extract Report includes details of Oracle Fusion Applications user accounts. This topic describes the report contents.

Run the report in the Reports and Analytics work area.

Report Results

The report is an XML-formatted file where user accounts are grouped by type, as follows:

  • Group 1 (G_1) includes HCM user accounts.

  • Group 2 (G_2) includes TCA party user accounts.

  • Group 3 (G_3) includes LDAP user accounts.

The information in the extract varies with the account type.

HCM User Accounts

Business Unit Name

The business unit from the primary work relationship.

Composite Last Update Date

The date when any one of a number of values, including assignment managers, location, job, and person type, was last updated.

Department

The department from the primary assignment.

Worker Type

The worker type from the user's primary work relationship.

Generation Qualifier

The user's name suffix (for example, Jr., Sr., or III).

Hire Date

The enterprise hire date.

Role Name

A list of roles currently provisioned to workers whose work relationships are all terminated. This value appears for active user accounts only.

Title

The job title from the user's primary assignment.

TCA User Accounts

Organizations

A resource group.

Roles

A list of job, abstract, and data roles provisioned to the user.

Managers

The manager of a resource group.

LDAP User Accounts

Start Date

The account's start date.

Created By

The user name of the user who created the account.

View Locked Users and Unlock Users

A user is locked out of the application either after entering an incorrect password multiple times or if the application hasn't been accessed for a certain period of time. The locked users report lists the users who are locked in both of these scenarios.

You can get a list of locked users using the Locked Users scheduled process. You can then manually unlock the users using the Security Console. Only an administration user with the IT Security Manager job role can run the locked users report.

View Locked Users

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. Search for and select the Locked Users process and click OK.

  3. In the Process Details dialog box, click Submit.

  4. Click OK in the confirmation message dialog box.

  5. Click Succeeded for the selected Locked Users report.

  6. In the Log and Output section, click Attachment to download the report spreadsheet.

    The spreadsheet shows the list of users who are locked.

The Locked Users spreadsheet contains the following two tabs:

  • LOCKED_USERS_<RequestID> - This tab contains the list of locked and active users who can't sign in to the application because of locked status.

  • LOCKED_AND_INACTIVE_USERS_<RequestID> - This tab contains the list of locked and inactive users who can't sign in to the application because of locked and inactive status.

Unlock Users

  1. On the Security Console, click Users.

  2. From the Search drop-down list, select Locked Users and click the search icon.

    All the locked users are displayed.

  3. Click the display name of a user to view the details.

  4. Click Edit.

  5. In the Account Information section, deselect Locked.

  6. Click Save and Close.

  7. Click Done.

    The user is unlocked and can sign in to the application.

FAQs for Creating and Managing Application Users

User names are generated automatically in the format specified on the Security Console for the user category. The default format is the worker's primary work email, but this value can be overridden for each user category. For example, your enterprise may use person number as the default user name for the default user category.

Why did some roles appear automatically?

In a role mapping:

  • The conditions specified for the role match the user's assignment attributes, such as job.

  • The role has the Autoprovision option selected.

How can I create a user?

If you want to create application users, access the Manage Users task. When the Search Person page appears, click the New icon in the Search Results grid. The Create User page appears for you to fill in and save.

If you use the HCM pages to upload workers, hire employees, or add contingent workers, you also automatically create application users and identities.

When you create a new user, it automatically triggers role provisioning requests based on role provisioning rules.

The role-provisioning process reviews the user's assignments against all current role mappings.

The user immediately:

  • Acquires any role for which he or she qualifies but doesn't have

  • Loses any role for which he or she no longer qualifies

You're recommended to autoprovision roles to individual users on the Manage User Account page when new or changed role mappings exist. Otherwise, no automatic updating of roles occurs until you next update the user's assignments.

Why is the user losing roles automatically?

The user acquired these roles automatically based on his or her assignment information. Changes to the user's assignments mean that the user is no longer eligible for these roles. Therefore, the roles no longer appear.

If a deprovisioned role is one that you can provision manually to users, then you can reassign the role to the user, if appropriate.

You can provision a role if a role mapping exists for the role, the Requestable option is selected for the role in the role mapping, and at least one of your assignments satisfies the role-mapping conditions. Otherwise, you can't provision the role to other users.

The user loses the access to functions and data that the removed role was providing exclusively. The user becomes aware of the change when he or she next signs in.

If the user acquired the role automatically, then future updates to the user's assignments may mean that the user acquires the role again.

The updated user name is sent to your LDAP directory for processing when you click Save on the Manage User Account or Edit User page. The account status remains Active, and the user's roles and password are unaffected. As the user isn't notified automatically of the change, you're recommended to notify the user.

Only human resource specialists can edit user names.

The user name and password go to the work email of the user or user's line manager, if any. Notification templates for this event must exist and be enabled.

You can send these details once only for any user. If you deselect this option on the Manage User Account or Create User page, then you can send the details later. To do this, run the Send User Name and Password Email Notifications process.

How can I notify users of their user names and passwords?

You can run the Send User Name and Password Email Notifications process in the Scheduled Processes work area. For users for whom you haven't so far requested an email, this process sends out user names and reset-password links. The email goes to the work email of the user or the user's line manager. You can send the user name and password once only to any user. A notification template for this event must exist and be enabled.