User Configuration

7 User Configuration

Purpose: This chapter describes the screens you use to create or change users in Order Administration, and set options such as the user’s default company and authority level.

Administrator user accounts: Only a limited number of user accounts should have authority to the Work with Users (WUSR) menu option. This authority should be limited to one or two user accounts.

In this chapter:

Oracle Identity Authentication (IDCS or OCI IAM)

Purpose: The Oracle Identity Cloud Service integration enables you to use IDCS (Oracle Identity Cloud Service) or OCI IAM (Oracle Cloud Infrastructure Identity and Access Management) for password authentication.

User authentication: The system uses IDCS or OCI IAM when you select the Sign In option at the login screen for access to Order Administration.

See Create Order Administration Users for information on creating and configuring users.

Authentication for users across applications: Ordinarily you would use a single instance of IDCS or OCI IAM to support authentication for all Oracle omni-channel applications that you use. For example, if you use Order Broker Cloud Service and Oracle Retail Customer Engagement Cloud Service in addition to Order Administration, you can set up users in a single instance of IDCS or OCI IAM for authentication in all three products.

Note:

You also need to complete the required configuration within each product for each user so they can login in and use the product.

Can’t sign in? If you click the Can’t sign in? link on the login screen you advance to a screen where you can enter your IDCS or OCI IAM user ID and submit a password reset request to IDCS or OCI IAM. IDCS or OCI IAM sends an email with a link to reset your password.

Create Order Administration Users

About User Authentication

The system uses IDCS or OCI IAM for password authentication for both Order Administration screens and for OMS Modern View.

Creating Order Administration Users

Import users from IDCS or OCI IAM: Use the SYNCUSR periodic function to import user records from IDCS (Oracle Identity Cloud Service) or OCI IAM (Oracle Cloud Infrastructure Identity and Access Management) into Order Administration using the steps described below. Note that a user is also created at initial login if the user record is assigned the OMCS_Admin or OMCS_User role in IDCS or OCI IAM.

1. Configure the default user template (DEFAULTCSU).

About the DEFAULTCSU user: This user is used as the template when the periodic function creates additional users in Order Administration, and does not represent an actual user who can log into Order Administration.

The DEFAULTCSU user is created automatically when the application starts or when you first run the SYNCUSR periodic function.

Default settings: The DEFAULTCSU user is initially created with the following settings:

User = DEFAULTCSU
Name = Default Cloud Service User
Default Menu = HOME
Default Authority = Exclude
User Rank = 9
Advanced Commands = N
Status = Enabled
Locale = English
Date Format = MMDDYY
Log Use = Y
Fast Path = Y
Company Authority = None
Feature Authority = None
Menu Option Authority = None

The DEFAULTCSU user is simply a template for creating additional users and cannot log into Order Administration.

Adjust the configuration of the DEFAULTCSU user in Order Administration as needed, including any additional settings, including company, menu option, and feature authority, that should be assigned to additional users when the periodic function creates them in Order Administration.

Note:

It is important to configure the DEFAULTCSU user before creating actual user records in IDCS or OCI IAM or importing them into Order Administration, so that you correctly create actual user records based on your requirements. Until you configure the DEFAULTCSU user, you should not use it to create actual user records. See Work with Users (WUSR) for more information.

Multiple groups of users: You can modify the configuration of the DEFAULTCSU user if you will import multiple groups of users into Order Administration. For example, you could first configure the DEFAULTCSU user with just order entry and maintenance authority, import a group of users, and then reconfigure the DEFAULTCSU user with different authority for the next group of users.

2. Create the user records in IDCS or OCI IAM:

Typically, you first create a user group in IDCS or OCI IAM and specify the role for the assignment for that group. For instance, assign the OMS_USERS group to the OMCS_User role, but optionally create additional groups with different role assignments.
If the user record in IDCS or OCI IAM is assigned the OMCS_User role, the user record will be created in Order Administration with the authority defined for the DEFAULTCSU user.
If a user record in IDCS or OCI IAM is assigned the OMCS_Admin role, the user record will be created in Order Administration with full administrative authority. The user’s default authority will be set to ALLOW, the rank will be set to 1, and the user will have authority to all jobs and companies, as well as being able to see order volume totals at the About screen.

Limitations on user ID: Since this is a 10-position field in Order Administration, if the user ID from IDCS or OCI IAM is longer than 10 positions, it is truncated to 10. If there is already a user record in Order Administration with that 10-position, ID, then the user ID for the new record is set to the first 9 positions and a different tenth, numeric character so that the new user ID is unique.

Order Administration does not support a user ID that includes an @ sign, so if this character is included in the first 10 positions of the user ID passed from IDCS or OCI IAM, it is removed. For example, if the user ID passed from IDCS or OCI IAM is USER@EXAMPLE, the user ID created in Order Administration is USEREXAMPL, which includes the first 10 positions of the IDCS or OCI IAM user name, excluding the @ sign.

3. Run the SYNCUSR function to create user records in Order Administration based on the DEFAULTCSU template and the IDCS or OCI IAM user records:

Note:

It is not necessary to use the periodic function to create users, since users are automatically created in Order Administration at initial login, as described below. However, using the periodic function enables you to quickly create batches of users.

The users are created in Order Administration as follows:

Settings from DEFAULTCSU: Depending on the roles assigned in IDCS or OCI IAM:

OMCS_User role: If the user record in IDCS or OCI IAM is assigned the OMCS_User role, the user is created in Order Administration with the authority and settings from the DEFAULTCSU user record.
OMCS_Admin role: If the user record in IDCS or OCI IAM is assigned the OMCS_Admin role, the user is created in Order Administration using the settings from the DEFAULTCSU user, but with full authority: the authority level is set to ALLOW, the Rank is set to 1, and the user has authority to all jobs and all companies.

User records in IDCS or OCI IAM are imported into Order Administration only if they are assigned one of the above roles. For example, a user assigned only to Customer Engagement is not imported into Order Administration.

Data from the IDCS or OCI IAM user record:

User ID. See the discussion above for restrictions on mapping the user ID into Order Administration.
Name
Email address
Cloud service user ID

The function does not update existing user records. To update a user record after initial creation in Order Administration, use the Work with Users (WUSR) menu option.

Optionally, create multiple batches of users with different settings: You can create additional batches of users with different authority by:

Configuring the DEFAULTCSU user with the required authority for the first batch, such as with authority to customer service menu options only.
Creating the user records in IDCS or OCI IAM and run the SYNCUSR function.
Updating the settings for the DEFAULTCSU user with different settings, such as providing additional authority to monitor system administration.
Creating the additional user records in IDCS or OCI IAM and run the SYNCUSR function.

Creating users in groups: You can use the following process in IDCS or OCI IAM to create users and control their attributes through group assignment, using the application record in IDCS or OCI IAM for Order Administration. The application record typically has a Name such as RGBU_OMCS_<ENV>_APPID, where ENV represents the environment.

Create one or more groups to use for assignment of roles to users. For example, create an oms_users group to use for creation of regular users, and an oms_admin group to use for creation of admin users. Assign the group to the appropriate application role in IDCS or OCI IAM: either OMCS_Admin or OMCS_User.
Create each user in IDCS or OCI IAM, specifying the user’s first name, last name, user name, and email address.

About defining the user name in IDCS or OCI IAM:
- The user name be cannot be more than 256 positions.
  - Assign each group to the Order Administration application in IDCS or OCI IAM.
  - Assign or reset the password for each user in IDCS or OCI IAM. This triggers an email to the email address specified for the user, who can log in using either the user name defined in IDCS or OCI IAM.
  Note:
  If the user logs in after configuration in IDCS or OCI IAM, this creates the user record in Order Administration; otherwise, the record is created through the import job, described below.

Creation of new users only: The SYNCUSR function does not update existing user records in Order Administration based on any changes in IDCS or OCI IAM; it only creates new user records.

The assignment of the OMCS_User or OMCS_Admin roles in IDCS or OCI IAM is not required for any users that were already created in Order Administration. These IDCS or OCI IAM roles are used only for creation of the user record in Order Administration based on the data in IDCS or OCI IAM.

Scheduling the SYNCUSR function: To keep user records in sync, the SYNCUSR function should be scheduled to run at least daily, or more often depending on your business requirements.

Security Scenarios

Oracle recommends you follow rules similar to both of the following scenarios when you are setting up users.

Scenario 1: Seasonal help:Your Order Entry operators require access to the Order Entry Menu only (not Buyer’s or System Administrator’s menus, for example). You also want them to have access to only some of the features on that menu (entering orders, but not maintaining them, and not working with batch totals, for example).

One method to control authority for these users would be to set their default authority to EXCLUDE and create a menu with only the specific menu options these users will require. When you use the steps described under Create Order Administration Users to create a new user, select this menu as the Default menu, and leave the Fast path option deselected.

Scenario 2: Prompt feature: Some users do not require the ability to create a code or value when they click the arrow next to a field to prompt for existing values.

When you click the arrow, a window opens, displaying the available codes or values for the field. Many of these windows include the option to create a new value. However, you may not want the create option available to all users. In this case, use the Menu Option Auth option in Work with Users to assign an authority level (*ALLOW, *DISPLAY, *EXCLUDE) for specific menu options.

For example, to restrict the ability to create a source code while in Order Entry:

Select More > Menu Option Auth in Work with Users (WUSR).
Locate Work With Source Codes (WSRC).
Assign the *DISPLAY authority level to the Work with Source Codes menu option.

The user will still be able to prompt on the Source field in Order Entry, but will not be able to create a source code by selecting Create in the pop-up window, or anywhere else in the system.

For security, set most users’ default authority to Exclude, and allow authority to the specific menu options required for their jobs.

Change User Screen (WUSR)

Purpose: Use this screen to work with a user in Order Administration. When you use this screen, it updates the required information in the User record as well as the information available through the Change User screen under Advanced Commands. This screen also allows you to assign this user to a user class, if user classes have been created in the Setting Up User Classes (WUCL) menu option.

Creating users: You cannot create users through the Work with Users menu option, and the information displayed on this screen is set initially through the creation process described under Create Order Administration Users; however, you can use this screen to update an existing user record in Order Administration.

How to display this screen: Select Change for a user on the Work with Users screen (WUSR).

Field	Description
User	The code that identifies the user to the system. The user ID determines the user's access to menus, menu options, companies, features and user-defined functions. From the user ID defined in IDCS or OCI IAM. Since this is a 10-position field in Order Administration, if the user ID from IDCS or OCI IAM is longer than 10 positions, it is truncated to 10. If there is already a user record in Order Administration with that 10-position, ID, then the user ID for the new record is set to the first 9 positions and a different tenth character so that the new user ID is unique. Alphanumeric, 10 positions; display-only.
Name	The user's full name. This name is displayed on reports and screens that support the full user name, such as the announcements area on the menu screen. From the user name defined in IDCS or OCI IAM. Alphanumeric, 30 positions; required.
User Class	The user class to which this user belongs. A user class is a logical grouping of users (for example, all order entry operators). Authority to companies and menu options can be assigned at the user class level. The system checks the user's authority at the user level first, before checking the user class authority. Validated against the User Class table (WUCL). Alphanumeric, 10 positions; optional.
Locale	The locale assigned to the user, identifying the user’s language for screens and reports. Available locales are: English French German Italian Spanish The locale defined in the DEFAULT_LOCALE property initially defaults, but you can override it. When the locale is changed for a user, it is necessary for the user to log out and then log back in for the change to take effect. See: Regional Settings for an overview. Where are Date Formats Applied? for more information on which date format the system uses in different areas of the application. Where are Number Format Applied? for more information on the decimal and thousand separators the system uses in different areas of the application. Note: If any content is not supported in the user’s selected locale, the screen displays the English text. Required.
Date Format	The date format assigned to the user, identifying the format of the date displayed for the user on screens. The date format defined in the DEFAULT_DATE_FORMAT property initially defaults, but you can override it. Valid values are: DDMMYY = The default date format for the user is DDMMYY; for example, if the date is December 25 2021, the date displays as 251221. MMDDYY = The default date format for the user is MMDDYY; for example, if the date is December 25 2021, the date displays as 122521. YYMMDD = The default date format for the user is YYMMDD; for example, if the date is December 25 2021, the date displays as 211225. See Regional Settings for an overview and see Where are Date formats Applied? for more information on the date format that displays for different areas of the application. Required.
Default Menu	The name of the menu to appear when the user signs on to the system. Validated against the Menu table (WOPT). Note: Menus can include options available in Classic View, Modern View, or both Classic View and Modern View. Since Modern View does not have a Fast path option, most Modern View options are available to the user only if they are included in the user’s Default menu or one of its sub-menus. If a user does not have a Default menu assigned here, the only options available in Modern View will be those in the left-hand navigation panel, provided the user has the required authority. Alphanumeric, 10 positions; optional.
Default Company	The code that indicates the company where the user advances automatically when signing on to the system. Validated against the Company table (WCMP). Note: After initial user creation, you cannot assign a default company without first using the Work with Company Authority Screen to assign the user authority to the company. Numeric, 3 positions; optional.
Default Authority	The authority level assigned to this user. The authority level determines the user's access to menu options. If this field is set to: Allow = The user has universal access to all menu options. Exclude (default) = The user does not have universal access all menu options. Use this setting for most users. Authority applies globally throughout the system unless you restrict or allow access to individual menu options. See the Work with Menu Option Authority Screen Required.
Log Use	Controls whether the system tracks the menu options selected by this user and the number of times they were selected. If this field is: Selected = The system tracks the menu options selected by the user. See the Display User Option History Screen. Unselected = The system does not track the menu options selected.
Security Administrator	Indicates whether this user is a security administrator. Assign this authority to users only if they require it for their job functions. If this field is: Selected = The user has authority to maintain the System Control table, users, user authorities, and menus. Unselected = The user does not have the authority to maintain the system control table, users, user authorities, and menus.
Fast Path	Indicates whether the user is allowed to use the system's Fast Path feature. The Fast Path feature allows the user to enter an option name in the Fast path field or a short menu name in the Menu field to access an option directly. If you select this field, the Fast path and Menu fields appear at the top of a menu for this user. Valid values are: Selected = The user has access to the Fast path and Menu fields. Unselected = The Fast path and Menu fields are not available to the user.
User Rank	Set this field to: 1 if the user also has the All jobs flag is selected, the user also has access to other users’ documents and forms at the Document Management and Form Management screens, as well as being able to see order volume totals at the About screen. Note: Assign this authority only to those users whose responsibilities require it. Note: A User Rank of 1 is required in order for the user to display the contents in the Log column at the Job Management screen, including the logs written for the user’s own submitted jobs. Otherwise, the window displays a message: Not Available. Any value from 2 to 9 if the user should be able to have access to the documents and forms of other users (through the My Docs and My Forms options) only if those users share the same rank assignment and the All jobs flag is selected. For example, a user assigned to rank 5 has access to the forms of other users who are also assigned to rank 5.
All Jobs	If this flag is: Selected = The user can see and has authority to all other users’ jobs. If this flag is selected and the User rank is: 1: The user has access to all other users’ documents and forms. 2 through 9: The user has access to the documents and forms of other users of the same rank. Note: Assign this authority only to those users whose responsibilities require it. Unselected = The user can see and has authority only to the jobs, documents, and forms associated with the user’s own user ID.
Advanced Commands	If this flag is: Selected = The user has authority to the Advanced Commands option through My Docs, My Forms, or My Jobs. Note: Assign this authority only to those users whose responsibilities require it. Unselected = The user does not have authority to the Advanced Commands option through My Docs, My Forms, or My Jobs.
Cloud Service User ID	Defines the user name in IDCS (Oracle Identity Cloud Service) or OCI IAM (Oracle Cloud Infrastructure Identity and Access Management). If the User Name in IDCS or OCI IAM does not match the User ID in Order Administration, the system uses the Order Administration cloud service user ID to match a user profile in IDCS or OCI IAM. Alphanumeric, 80 positions; display-only.
Modern View at Initial Login	Select this flag to have the user advance directly to Modern View when first logging into Order Administration. Otherwise, leave this flag unselected to have the user advance to Order Administration Classic View. Regardless of the setting of this flag, users can still advance between Modern View and Order Administration Classic View.
Email Address	The user’s email address. Used for workflow management. When you enter an email address, the system verifies that: there is an @ sign and a period (.) there is some text before the @ sign there is some text between the @ sign and the period there is some text after the period Note: The system confirms that your entry meets certain minimum formatting requirements, but not that it represents a valid, active email address. The user email address is defined in the User Extended table. Workflow management: If you use workflow management, the system sends Tickler Notification emails to the assigned to user/group using the email address defined for the user in the User Extended table; see the online help for an overview on workflow management and setup. Alphanumeric, 50 positions; optional.
CTI User	Indicates whether the user has access to any of the screens in order entry related to computer telephony integration (CTI), including the Customer Selection screen. Not currently implemented.
CTI User Type	Indicates the type of calls this user can work with. Not currently implemented.
CTI Phone Extension	The user's telephone extension number. Not currently implemented.
CTI Default Screen	Indicates whether the user advances automatically to the Customer Selection screen in order entry, or only when the screen “pops” because of an incoming call. Not currently implemented.
CTI Access Code	A code used by an external order call center to access and establish a connection with Order Administration. Not currently implemented.
Status	Set this field to: ENABLED if the user should be able to use Order Administration. DISABLED if the user should not be able to use Order Administration. The Status of a user ID is stored in the Users table and indicates whether a user ID is ENABLED or DISABLED. Log in to Order Administration using another user ID and advance to Work with User Records (WUSR) to re-enable a user. About authority: The default authority assigned to this user either allows or excludes this user from system-wide access to menu options. To allow or exclude authority to specific menu options, see the Work with Menu Option Authority screen in the online help.

Managing Inactive Users

For security, disable user accounts that are inactive for 180 days, and delete user accounts that are inactive for 270 days. Oracle staff can identify the length of time when a user has been inactive by querying the Users table in your Order Administration database and selecting records based on the date and time recorded in the eventParam_3 field. After you have identified the inactive users, you can use Working with User Records (WUSR) to select users and either disable their accounts or delete them as needed. You also need to use IDCS or OCI IAM to remove the OMCS_Admin or OMCS_User role to prevent the users from being recreated automatically the next time you run the synchronization process to create users in Order Administration.