Introduction

The Human Capital Management Integration Specialist job role is often granted to users who are responsible for bulk-loading data into the Oracle HCM Cloud. However, this role grants access to additional tools, including HCM Extracts and all REST APIs, so it's recommended that you instead create custom roles and grant just the HCM Data Loader (HDL) functionality required.

Business Object Access

From release 23D HCM Data Loader provides the ability to restrict which business objects your users can bulk-load data with. By default, these two features are disabled but it's recommended that you enable them and configure custom roles to have just the HDL access required and only for the business objects needed:
  • Configure Business Object Access

    When enabled, you can configure the individual business objects and product areas a role can bulk-load data with.

  • Restrict Access to Security Related Business Objects

    When enabled, an additional function security privilege is required to bulk-load data to any of the objects that load security-related data. Currently that includes all objects within these product areas:

    Product Area Business Objects
    Global HR - Areas of Responsibility
    • Areas of Responsibility
    Global HR - Security
    • Legislative Data Group Security Profile
    • Organization Security Profile
    • Country Security Profile
    • Position Security Profile
    • Document Type Security Profile
    • Exclusion Rule
    • Person Security Profile
    Global HR - Users
    • Delegated Role
    • User
    Recruiting - Security
    • Job Requisition Security Profile
    Talent Management - Security
    • Talent Pool Security Profile

    Tip:

    You can identify which objects are secured with the functional security privilege by using the View Business Objects task. Objects that are secured have a Bulk Loading Secured value of Yes.

WARNING:

When HCM Data Loader is submitted using the Initiate HCM Data Loader payroll flow task to upload files generated by HCM Extracts, or the Initiate Data Loader payroll flow task to upload files generated by transformation formulae the submitting user is elevated and the session user context is lost. It's therefore not possible to evaluate the security configuration of that user. Your existing payroll flow tasks will fail to initiate HDL with these security features enabled. From release 24A you can update your payroll flow patterns to use the new payroll flow task which submits HDL as the session user:
  • Run HCM Data Loader to upload HCM Extracts generated files.
  • Run Data Loader Process to upload files generated by transformation formulae.

To configure the HCM Extracts flow refer to the tutorial Initiate HCM Data Loader for HCM Extract Generated Files.


Objectives

In this tutorial, you will:

  • Understand how to enable the HCM Data Loader security related features.
  • Configure custom roles to grant access to HCM Data Loader.
  • Configure business object access for your custom roles.

Prerequisites

To complete the steps in this tutorial, you'll need:

  • Access to the Security Console to create custom roles.
  • Access to Setup and Maintenance.

    Grant this role hierarchy if your role doesn't already have access:

    Role Name Role Code
    Functional Setups User ORA_ASM_FUNCTIONAL_SETUPS_USER_ABSTRACT

  • Access to the Configure HCM Data Loader task to enable the HCM Data Load security features.

    You require this function security privilege to access the task:

    Function Security Privilege Name Code
    Manage Configuration of HCM Data Loader HRC_MANAGE_CONFIGURATION_HCM_DATA_LOADER_PRIV

  • Access to the HCM Data Loader Business Object Access task to configure which business objects a role can bulk load data with.

    This role hierarchies provide this access:

    Role Name Role Code
    Manage HCM Data Loader Business Object Access HRC_MANAGE_HDL_BO_ACCESS_PRIV


Task 1: Enable Security Related Functionality

In this step you'll learn how to enable the features that allow you to restrict access to the business objects your users can bulk-load data with.

Note:

Enabling these enhancements does not impact HCM Spreadsheet Data Loader. Refer to the tutorial Configure Access to HCM Spreadsheet Data Loader (HSDL).

To enable these security features you'll need to log into the application with a user that has Configure HCM Data Loader task access (see Prerequisites for how to grant this.)

Enable Configuration of Role-Based Business Object Access

Once enabled your custom HCM Data Loader roles need to have business object access configured. You can configure your custom roles with their business object access before enabling this feature.

Note:

Users with the Human Capital Management Integration Specialist job role will continue to have HCM Data Loader access. This role is preconfigured to access all business objects.
  1. Navigate to My Enterprise > Setup and Maintenance.
  2. Select the HCM Data Loader functional area.
  3. Click the Configure HCM Data Loader task.
    4. Select the Configure HCM Data Loader task from the HCM Data Loader functional area

  4. Search for the Enable Configuration of Role-Based Business Object Access parameter.
    5. Set Override to Yes for the Enable Configuration of Role-Based Business Object Access parameter

  5. Set the Override to Yes.
  6. Click Save.

Additionally, you'll need to provide access to the HCM Data Loader Business Object Access task to configure the business objects your roles can use HCM Data Loader with (see Prerequisites for how to grant this).

Restrict Access to Security Related Business Objects

Once enabled, users require the Load HCM Security Data function security privilege to bulk-load data with the security related objects.

Caution:

Enabling this feature will prohibit users with the Human Capital Management Integration Specialist job role from using security related business objects too. You'll need to create custom roles to provide access to bulk-load security related data once this capability is enabled.
  1. Access the Configure HCM Data Loader task as described above.
  2. Search for the Restrict Access to Security Related Business Objects parameter.
  3. Set the Override to Yes.
  4. Click Save.


Task 2: Grant HCM Data Loader Access

In this step you'll create custom roles for accessing HCM Data Loader functionality.

Integration Specialist Access

This role will provide access to the following functionality:

  • The View Business Objects task to review business object details and generate METADATA files.
  • The Import and Load Data task to submit files for import and load and monitor status of all data sets.
  • The Recent File Loads task to review recent data set status on any device.
  • The Delete Stage Table Data task to maintain stage tables.
  • The ability to import and export files for HCM Data Loader on the Oracle WebCenter Content server.

To grant this access:

  1. Log into the application with Security Console access.
  2. Navigate to Tools > Security Console.
  3. Click Create Role.
  4. Specify a Role Name and provide a unique role code.

    5. Tip:

    The business objects that a role can use are granted directly to this job role. Consider naming each role for the objects it will provide access to. For example, HCM Data Loader - All Objects, HCM Data Loader - Setup or HCM Data Loader - Recruiting.
  5. Specify a Role Category of HCM - Job Role.
  6. Click Next to navigate to the Role Hierarchy page. Add these hierarchies:
    7. Role Name Role Code Grants Access To
    HCM Data Load ORA_HRC_HCM_DATA_LOAD_DUTY HCM Data Loader tasks within the Data Exchange work area.
    Upload data for Human Capital Management file based Import HCM_DATALOADER_IMPORT_RWD The hcm/dataloader/import directory on the Oracle WebCenter Content server.
    Download data from Human Capital Management file based Export HCM_DATALOADER_EXPORT_RWD The hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files.

    Additionally, if the role is to be assigned access to any of the business objects that load security related data, this function security privilege is needed:

    Role Name Role Code Grants Access To
    Load HCM Security Data HRC_LOAD_HCM_SECURITY_DATA_PRIV Security related HCM Data Loader business objects.

  7. Save your changes.

You can now configure the business objects this role can load data with.


Task 3: Configure Business Object Access

In this step you'll configure the business objects a role can bulk-load data with using HCM Data Loader.

  1. Log into the application with a user who has access to the HCM Data Loader Business Object Access task (see Prerequisites for how to grant this).
  2. Navigate to My Enterprise > Setup and Maintenance.
  3. Select the HCM Data Loader functional area.
  4. Click HCM Data Loader Business Object Access.
  5. In the Job and Abstract Roles table, search for and select your custom role.

    6. Tip:

    The Assigned Business Objects table header is automatically updated to include the role name.
  6. Click the Assign dropdown.
    7. Click Assign

  7. Select one of the following options:
    • Assign Individual Business Objects
    • Assign All Business Objects in a Product Area
    • Assign All Unrestricted Business Objects
    • Assign All Business Objects, Including Security-Related Objects

    If you select Assign Individual Business Objects, then:

    • Search and select the business objects in the Search and Select Business Objects dialog box.
    • Click Add to add the selected business objects to the role. An entry appears in the Assigned Business Objects section for each of the selected business objects.

    If you select Assign All Business Objects in a Product Area, then:

    • Select the product area in the Select Product Area dialog box.
    • Click Add. A single entry appears for the product area in the Assigned Business Objects section.

    If you select Assign All Unrestricted Business Objects, then:

    • A warning message appears to indicate that users with this role can bulk-load data with any business object that doesn't load security-related data.
    • Click Add to close the warning and continue. A single entry appears for all unrestricted business objects in the Assigned Business Objects section.

    If you select Assign All Business Objects, Including Security-Related Objects then:

    • A warning message appears to indicate that users with this role will be able to use the security-related objects only if they have the Load HCM Security Data function security privilege.
    • Click Add to close the warning and continue. A single entry appears for all business objects in the Assigned Business Objects section.
  8. Click Save.


Task 4: Create Common HCM Data Loader Custom Roles

This step explains how to create the following custom roles:

  • An Integration Specialist administrator role capable of loading data for any object.
  • An Integration Specialist role with restricted business object access.

HCM Data Loader - Unrestricted

  1. Use the Security Console to create a custom HCM Data Loader - Unrestricted role.
  2. Grant this function security privilege:
    Role Name Role Code Grants Access To
    Load HCM Security Data HRC_LOAD_HCM_SECURITY_DATA_PRIV Security related HCM Data Loader business objects.
  3. Grant these role hierarchies:
    4. Role Name Role Code Grants Access To
    HCM Data Load ORA_HRC_HCM_DATA_LOAD_DUTY HCM Data Loader tasks within the Data Exchange work area.
    Upload data for Human Capital Management file based Import HCM_DATALOADER_IMPORT_RWD The hcm/dataloader/import directory on the Oracle WebCenter Content server.
    Download data from Human Capital Management file based Export HCM_DATALOADER_EXPORT_RWD The hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files.
  4. Save the custom role.
  5. Navigate to the HCM Data Loader Business Object Access task in Setup and Maintenance.
  6. Search for and select the HCM Data Loader - Unrestricted role.
  7. Click the Assign dropdown and select Assign All Business Objects, Including Security-Related Objects.
  8. Click Add to close the warning message.
  9. Save your changes. You can now assign this role to users who should be able to bulk-load data with any HCM Data Loader business object.

HCM Data Loader - Restricted

  1. Use the Security Console to create a custom HCM Data Loader - {objects} role, replacing {objects} with a description of the business objects the role will have access to use, such as HCM Data Loader - Work Structures, or HCM Data Loader - Recruiting
  2. Grant these role hierarchies:
    3. Role Name Role Code Grants Access To
    HCM Data Load ORA_HRC_HCM_DATA_LOAD_DUTY HCM Data Loader tasks within the Data Exchange work area.
    Upload data for Human Capital Management file based Import HCM_DATALOADER_IMPORT_RWD The hcm/dataloader/import directory on the Oracle WebCenter Content server.
    Download data from Human Capital Management file based Export HCM_DATALOADER_EXPORT_RWD The hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files.

    Tip:

    If the list of business objects this role can access will include objects that load security related data, also grant the Load HCM Security Data function security privilege.
  3. Save the custom role.
  4. Navigate to the HCM Data Loader Business Object Access task in Setup and Maintenance.
  5. Search for and select your custom role.
  6. Use the Assign dropdown on the Assigned Business Objects table toolbar to assign access to the HCM Data Loader business objects and product areas users with this role should be able to use.
  7. Save your changes. You can now assign this role to users who should be able to bulk-load data with the HCM Data Loader business objects configured.

Acknowledgements

  • Authors - Ema Johnson (Senior Principal Product Manager)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.