4 User Configuration

Purpose: This chapter describes the screens you use to create or change users in Order Management System, and set options such as the user’s default company and authority level.

Modern View: The same user IDs and passwords enable access to the OMS Modern View, including the Contact Center module.

Administrator user accounts: Only a limited number of user accounts should have authority to the Work with Users (WUSR) menu option. This authority should be limited to one or two user accounts.

Web service authentication: See the Oracle Retail Omnichannel Web Service Authentication Configuration Guide on My Oracle Support (2728265.1) for web service authentication configuration instructions.

Setting Up User Authentication

Purpose: IDCS (Oracle Identity Cloud Service) or OCI IAM (Oracle Cloud Infrastructure Identity and Access Management) is required for password authentication.

User authentication: The system uses IDCS or OCI IAM for password authentication for both Order Management System screens and for OMS Modern View:

  • When you select the Sign In option on the login screen to authenticate the Order Management System user ID and password.

  • When an inbound web service message is received requiring web service authentication.

See Create Order Management System Users for information on creating and configuring users.

Can’t sign in? If you click the Can’t sign in? link on the login screen you advance to a screen where you can enter your IDCS or OCI IAM user ID and submit a password reset request to IDCS or OCI IAM. IDCS or OCI IAM sends an email with a link to reset your password.

If the Order Management System User ID does not match the User Name in IDCS or OCI IAM, enter the IDCS or OCI IAM User Name as the user’s Cloud Service User ID in Work with Users.

Invalid user? If a user clicks the Can’t sign in? link on the initial login screen, but the user ID entered at this screen is not actually associated with a valid, active user in IDCS or OCI IAM with a valid email address, the message still indicates that the email will be generated; however, no email is generated in this situation.

Create Order Management System Users

Enable IDCS or OCI IAM

The IDCS_ENABLED property in the Work with Cloud Properties (CPRP) menu option defines authentication through IDCS or OCI IAM. This property is set to true for Order Management System releases 17.1 or later.

Note:

  • Once you change this property to true, the setting can no longer be changed. If you need to change this setting back to false, you must contact your support representative to disable IDCS or OCI IAM.

  • Before upgrading to a release where IDCS or OCI IAM is required, make sure your admin user and other users in Order Management System are set up in IDCS or OCI IAM and match the exact format of the user name.

  • When defining a user ID in IDCS or OCI IAM, the user ID is NOT case-sensitive.

  • When this setting is true, the system no longer creates records in the Password Audit table to track when a user's password is changed. Printing the Password Change report through the Print User Security Audit Reports (PUSA) menu option will generate a blank report.

  • When this setting is true, multi-factor authentication is not available through Order Management System. It is possible to use IDCS or OCI IAM to set up multi-factor authentication.

  • When this setting is true, the User Control option is not available through Advanced Commands.

Authentication for users across applications: Ordinarily you would use a single instance of IDCS or OCI IAM to support authentication for all Oracle omni-channel applications that you use. For example, if you use Order Broker Cloud Service and Oracle Retail Customer Engagement Cloud Service in addition to Order Management System, you can set up users in a single instance of IDCS or OCI IAM for authentication in all three products.

Note:

You also need to complete the required configuration within each product for each user so they can log in and use the product.

Web service authentication: See Setting Up Web Service Authentication in the online help for more information on setting up web service authentication using either basic or OAuth.

Creating Order Management System Users

Import users from IDCS or OCI IAM: Use the SYNCUSR periodic function to import user records from IDCS or OCI IAM into Order Management System in a multi-step process:

1. Configure the default user template (DEFAULTCSU).

About the DEFAULTCSU user: This user is used as the template when the periodic function creates additional users in Order Management System, and does not represent an actual user who can log into Order Management System.

The DEFAULTCSU user is created automatically when you enable IDCS or OCI IAM and restart the service, or when you first run the SYNCUSR periodic function.

Default settings: The DEFAULTCSU user is initially created with the following settings:

  • User = DEFAULTCSU

  • Name = Default Cloud Service User

  • Default Menu = HOME

  • Default Authority = Exclude

  • User Rank = 9

  • Advanced Commands = N

  • Status = Enabled

  • Locale = English

  • Date Format = MMDDYY

  • Log Use = Y

  • Fast Path = Y

  • Company Authority = None

  • Feature Authority = None

  • Menu Option Authority = None

The DEFAULTCSU user is simply a template for creating additional users and cannot log into Order Management System.

Adjust the configuration of the DEFAULTCSU user in Order Management System as needed, including any additional settings, such as company, menu option, and feature authority, that should be assigned to additional users when the periodic function creates them in Order Management System.

It is important to configure the DEFAULTCSU user before creating actual user records in IDCS or OCI IAM or importing them into Order Management System, so that you correctly create actual user records based on your requirements.

2. Create the user records in IDCS or OCI IAM:

  • If the user record in IDCS or OCI IAM is assigned the OMCS_User role, the user record will be created in Order Management System with default authority.

  • If the user record in IDCS or OCI IAM is assigned the OMCS_Admin role, the user record will be created in Order Management System with full administrative authority. The default authority will be set to ALLOW, the rank will be set to 1, and the user will have authority to all jobs and companies, as well as being able to see order volume totals at the About screen.

  • Typically, you first create a user group in IDCS or OCI IAM and specify the role for the assignment for that group. For instance, assign the OMS_USERS group to the OMCS_User role, but optionally create additional groups with different role assignments.

Limitations on user ID: Since this is a 10-position field in Order Management System, if the user ID from IDCS or OCI IAM is longer than 10 positions, it is truncated to 10. If there is already a user record in Order Management System with that 10-position ID, then the user ID for the new record is set to the first 9 positions and a different, numeric tenth character so that the new user ID is unique.

Order Management System does not support a user ID that includes an @ sign, so if this character is included in the first 10 positions of the user ID passed from IDCS or OCI IAM, it is removed. For example, if the user ID passed from IDCS or OCI IAM is USER@EXAMPLE, the user ID created in Order Management System is USEREXAMPL, which includes the first 10 positions of the IDCS or OCI IAM user name, excluding the @ sign.

3. Run the SYNCUSR function to create user records in Order Management System based on the DEFAULTCSU template and the IDCS or OCI IAM user records:

Note:

It is not necessary to use the periodic function to create users, since users are automatically created in Order Management System at initial login, as described below. However, using the periodic function enables you to quickly create batches of users.

The users are created in Order Management System as follows:

Settings from DEFAULTCSU: Depending on the roles assigned in IDCS or OCI IAM:

  • OMS_User role: If the user record in IDCS or OCI IAM is assigned the OMS_User role, the user is created in Order Management System with the authority and settings from the DEFAULTCSU user record.

  • OMS_Admin role: If the user record in IDCS or OCI IAM is assigned the OMS_Admin role, the user is created in Order Management System using the settings from the DEFAULTCSU user, but with full authority: the authority level is set to ALLOW, the Rank is set to 1, and the user has authority to all jobs and all companies.

User records in IDCS or OCI IAM are imported into Order Management System only if they are assigned one of the above roles. For example, a user assigned only to Customer Engagement is not imported into Order Management System.

Data from the IDCS or OCI IAM user record:

  • User ID. See the discussion above for restrictions on mapping the user ID into Order Management System.

  • Name

  • Email address

  • Cloud service user ID

The function does not update existing user records. To update a user record after initial creation in Order Management System, use the Work with Users (WUSR) menu option.

Optionally, create multiple batches of users with different settings: You can create additional batches of users with different authority by:

  • Configuring the DEFAULTCSU user with the required authority for the first batch, such as with authority to customer service menu options only.

  • Creating the user records in IDCS or OCI IAM and running the SYNCUSR function.

  • Updating the settings for the DEFAULTCSU user with different settings, such as providing additional authority to monitor system administration.

  • Creating the additional user records in IDCS or OCI IAM and running the SYNCUSR function.

Creating users at login: If a user who exists in IDCS or OCI IAM with role-based authority for Order Management System, but does not already exist in Order Management System, attempts to log into Order Management System, the user is created in Order Management System automatically with the current settings for the DEFAULTCSU user and the data from the IDCS or OCI IAM user record, as described above.

Creation of new users only: The SYNCUSR function does not update existing user records in Order Management System based on any changes in IDCS or OCI IAM; it only creates new user records.

The assignment of the OMS_User or OMS_Admin roles in IDCS or OCI IAM is not required for any users that were already created in Order Management System. These IDCS or OCI IAM roles are used only for creation of the user record in Order Management System based on the data in IDCS or OCI IAM.

Scheduling the SYNCUSR function: To keep user records in sync, the SYNCUSR function should be scheduled to run at least daily, or more often depending on your business requirements.
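The user ID limits described under step 2 (10 positions, @ removed, a numeric tenth character on collision) decide which Order Management System ID each IDCS or OCI IAM account receives. The following Python sketch is an added example, not Oracle code, that previews the mapping before a SYNCUSR run; the upper-casing, the order in which digits are tried, and the handling of IDs shorter than 10 positions are assumptions, and the sample names are constructed.

```python
"""Preview how IDCS / OCI IAM user names map to 10-position OMS user IDs."""

MAX_LEN = 10  # the OMS User field is 10 positions


def base_id(idcs_name):
    """Drop '@' (unsupported in OMS), then keep the first 10 positions."""
    # Upper-casing is an assumption, used so that names differing only in
    # case compare equal (IDCS / OCI IAM user IDs are not case-sensitive).
    return idcs_name.replace("@", "").upper()[:MAX_LEN]


def assign_oms_ids(idcs_names, existing_ids=()):
    """Return {idcs_name: oms_id} for new users, avoiding IDs already in use.

    On collision the documented rule is "first 9 positions plus a different,
    numeric tenth character". Which digit is chosen is not documented, so
    trying 1-9 and then 0 is an assumption of this sketch.
    """
    taken = {i.upper() for i in existing_ids}
    mapping = {}
    for name in idcs_names:
        candidate = base_id(name)
        if not candidate:
            raise ValueError(f"{name!r} has no usable characters")
        if candidate in taken:
            stem = candidate[:MAX_LEN - 1]
            for digit in "1234567890":
                if stem + digit not in taken:
                    candidate = stem + digit
                    break
            else:
                raise ValueError(f"no free 10-position ID for {name!r}")
        taken.add(candidate)
        mapping[name] = candidate
    return mapping


def needs_cloud_service_user_id(mapping):
    """Names whose OMS ID differs from the IDCS / OCI IAM user name.

    For these accounts the match relies on the Cloud Service User ID field,
    so they are the ones worth reviewing in Work with Users after the import.
    """
    return sorted(n for n, oms in mapping.items() if n.upper() != oms)


# Constructed sample input: new IDCS / OCI IAM user names and one OMS ID
# that is already in use.
SAMPLE_NAMES = ["USER@EXAMPLE", "user@example.org", "christopherlee",
                "christopherng", "jsmith"]
SAMPLE_EXISTING = ["CHRISTOPHE"]

if __name__ == "__main__":
    result = assign_oms_ids(SAMPLE_NAMES, SAMPLE_EXISTING)
    for name, oms_id in result.items():
        print(f"{name:<20} -> {oms_id}")
    print("review:", needs_cloud_service_user_id(result))
```

Two distinct directory accounts can end up with OMS IDs that differ only in the last character, so reviewing the flagged names against their intended authority is the practical follow-up.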

Security Scenarios

Oracle recommends you follow rules similar to both of the following scenarios when you are setting up users.

Scenario 1: Seasonal help: Your Order Entry operators require access to the Order Entry Menu only (not Buyer’s or System Administrator’s menus, for example). You also want them to have access to only some of the features on that menu (entering orders, but not maintaining them, and not working with batch totals, for example).

One method to control authority for these users would be to set their default authority to EXCLUDE and create a menu with only the specific menu options these users will require. When you use the steps described under Create Order Management System Users to create a new user, select this menu as the Default menu, and leave the Fast path option deselected.

Scenario 2: Prompt feature: Some users do not require the ability to create a code or value when they click the arrow next to a field to prompt for existing values.

When you click the arrow, a window opens, displaying the available codes or values for the field. Many of these windows include the option to create a new value. However, you may not want the create option available to all users. In this case, use the Menu Option Auth option in Work with Users to assign an authority level (*ALLOW, *DISPLAY, *EXCLUDE) for specific menu options.

For example, to restrict the ability to create a source code while in Order Entry:

  • Select More > Menu Option Auth in Work with Users (WUSR).

  • Locate Work With Source Codes (WSRC).

  • Assign the *DISPLAY authority level to the Work with Source Codes menu option.

The user will still be able to prompt on the Source field in Order Entry, but will not be able to create a source code by selecting Create in the pop-up window, or anywhere else in the system.

For security, set most users’ default authority to Exclude, and allow authority to the specific menu options required for their jobs.

Change User Screen (WUSR)

Purpose: Use this screen to work with a user in Order Management System. When you use this screen, it updates the required information in the User record as well as the information available through the Change User screen under Advanced Commands. This screen also allows you to assign this user to a user class, if user classes have been created in the Setting Up User Classes (WUCL) menu option.

Creating users: You cannot create users through the Work with Users menu option, and the information displayed on this screen is set initially through the creation process described under Create Order Management System Users; however, you can use this screen to update an existing user record in Order Management System.

How to display this screen: Select Change for a user on the Work with Users screen (WUSR).

Field Description

User

The code that identifies the user to the system. The user ID determines the user's access to menus, menu options, companies, features and user-defined functions. From the user ID defined in IDCS or OCI IAM. Since this is a 10-position field in Order Management System, if the user ID from IDCS or OCI IAM is longer than 10 positions, it is truncated to 10. If there is already a user record in Order Management System with that 10-position ID, then the user ID for the new record is set to the first 9 positions and a different tenth character so that the new user ID is unique.

Alphanumeric, 10 positions; display-only.

Name

The user's full name. This name is displayed on reports and screens that support the full user name, such as the announcements area on the menu screen. From the user name defined in IDCS or OCI IAM.

Alphanumeric, 30 positions; required.

User Class

The user class to which this user belongs. A user class is a logical grouping of users (for example, all order entry operators).

Authority to companies and menu options can be assigned at the user class level. The system checks the user's authority at the user level first, before checking the user class authority.

Validated against the User Class table (WUCL).

Alphanumeric, 10 positions; optional.

Locale

The locale assigned to the user, identifying the user’s language for screens and reports. Available locales are:

  • English

  • French

  • German

  • Italian

  • Spanish

The locale defined in the DEFAULT_LOCALE property initially defaults, but you can override it.

When the locale is changed for a user, it is necessary for the user to log out and then log back in for the change to take effect.

Note: If any content is not supported in the user’s selected locale, the screen displays the English text.

Required.

Date Format

The date format assigned to the user, identifying the format of the date displayed for the user on screens. The date format defined in the DEFAULT_DATE_FORMAT property initially defaults, but you can override it.

Valid values are:

  • DDMMYY = The default date format for the user is DDMMYY; for example, if the date is December 25 2021, the date displays as 251221.

  • MMDDYY = The default date format for the user is MMDDYY; for example, if the date is December 25 2021, the date displays as 122521.

  • YYMMDD = The default date format for the user is YYMMDD; for example, if the date is December 25 2021, the date displays as 211225.

See Regional Settings for an overview and see Where are Date formats Applied? for more information on the date format that displays for different areas of the application.

Required.

Default Menu

The name of the menu to appear when the user signs on to the system.

Validated against the Menu table (WOPT).

Note:

  • Menus can include options available in Classic View, Modern View, or both Classic View and Modern View.

  • Since Modern View does not have a Fast path option, most Modern View options are available to the user only if they are included in the user’s Default menu or one of its sub-menus.

  • If a user does not have a Default menu assigned here, the only options available in Modern View will be those in the left-hand navigation panel, provided the user has the required authority.

Alphanumeric, 10 positions; optional.

Default Company

The code that indicates the company where the user advances automatically when signing on to the system.

Validated against the Company table (WCMP).

Note:

  • When you first create a user, the system assigns the user authority to the company you enter here, and displays a message indicating that the authority was granted.

  • After initial user creation, you cannot assign a default company without first using the Work with Company Authority Screen to assign the user authority to the company.

Numeric, 3 positions; optional.

Default Authority

The authority level assigned to this user. The authority level determines the user's access to menu options.

If this field is set to:

  • Allow = The user has universal access to all menu options.

  • Exclude (default) = The user does not have universal access to all menu options. Use this setting for most users.

Authority applies globally throughout the system unless you restrict or allow access to individual menu options. See the Work with Menu Option Authority Screen.

Required.

Log Use

Controls whether the system tracks the menu options selected by this user and the number of times they were selected.

If this field is:

  • Selected = The system tracks the menu options selected by the user. See the Display User Option History Screen.

  • Unselected = The system does not track the menu options selected.

Security Administrator

Indicates whether this user is a security administrator. Assign this authority to users only if they require it for their job functions.

If this field is:

  • Selected = The user has authority to maintain the System Control table, users, user authorities, and menus.

  • Unselected = The user does not have the authority to maintain the system control table, users, user authorities, and menus.

Fast Path

Indicates whether the user is allowed to use the system's Fast Path feature.

The Fast Path feature allows the user to enter an option name in the Fast path field or a short menu name in the Menu field to access an option directly. If you select this field, the Fast path and Menu fields appear at the top of a menu for this user.

Valid values are:

  • Selected = The user has access to the Fast path and Menu fields.

  • Unselected = The Fast path and Menu fields are not available to the user.

User Rank

Set this field to:

  • 1: If the user also has the All jobs flag selected, the user has access to other users’ documents and forms at the Document Management and Form Management screens, as well as being able to see order volume totals at the About screen. Note: Assign this authority only to those users whose responsibilities require it.

Note: A User Rank of 1 is required in order for the user to display the contents in the Log column at the Job Management screen, including the logs written for the user’s own submitted jobs. Otherwise, the window displays a message: Not Available.

  • Any value from 2 to 9 if the user should be able to have access to the documents and forms of other users (through the My Docs and My Forms options) only if those users share the same rank assignment and the All jobs flag is selected. For example, a user assigned to rank 5 has access to the forms of other users who are also assigned to rank 5.

All Jobs

If this flag is:

  • Selected = The user can see and has authority to all other users’ jobs. If this flag is selected and the User rank is:

    • 1: The user has access to all other users’ documents and forms.

    • 2 through 9: The user has access to the documents and forms of other users of the same rank.

Note: Assign this authority only to those users whose responsibilities require it.

  • Unselected = The user can see and has authority only to the jobs, documents, and forms associated with the user’s own user ID.

Advanced Commands

If this flag is:

  • Selected = The user has authority to the Advanced Commands option through My Docs, My Forms, or My Jobs. Note: Assign this authority only to those users whose responsibilities require it.

  • Unselected = The user does not have authority to the Advanced Commands option through My Docs, My Forms, or My Jobs.

Cloud Service User ID

Defines the user name in Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM).

If the User Name in IDCS or OCI IAM does not match the User ID in Order Management System, the system uses the Order Management System cloud service user ID to match a user profile in IDCS or OCI IAM.

Alphanumeric, 80 positions; display-only.

Modern View at Initial Login

Select this flag to have the user advance directly to OMS Modern View when first logging into Order Management System. Otherwise, leave this flag unselected to have the user advance to Order Management System Classic View.

Regardless of the setting of this flag, users can still advance between Modern View and Order Management System Classic View.

Email Address

The user’s email address. Used for workflow management. When you enter an email address, the system verifies that:

  • there is an @ sign and a period (.)

  • there is some text before the @ sign

  • there is some text between the @ sign and the period

  • there is some text after the period

Note: The system confirms that your entry meets certain minimum formatting requirements, but not that it represents a valid, active email address.

The user email address is defined in the User Extended table.

Workflow management: If you use workflow management, the system sends Tickler Notification emails to the assigned to user/group using the email address defined for the user in the User Extended table; see the online help for an overview on workflow management and setup.

Alphanumeric, 50 positions; optional.

CTI User

Indicates whether the user has access to any of the screens in order entry related to computer telephony integration (CTI), including the Customer Selection screen.

Not currently implemented.

CTI User Type

Indicates the type of calls this user can work with. Not currently implemented.

CTI Phone Extension

The user's telephone extension number. Not currently implemented.

CTI Default Screen

Indicates whether the user advances automatically to the Customer Selection screen in order entry, or only when the screen “pops” because of an incoming call. Not currently implemented.

CTI Access Code

A code used by an external order call center to access and establish a connection with Order Management System. Not currently implemented.

Status

Set this field to:

  • *ENABLED if the user should be able to use Order Management System.

  • *DISABLED if the user should not be able to use Order Management System.

The Status of a user ID is stored in the Users table and indicates whether a user ID is *ENABLED or *DISABLED. Log in to Order Management System using another user ID and advance to Work with User Records (WUSR) to re-enable a user.

Note: After you re-enable a user ID, the user ID remains disabled until the Lockout Duration specified in the User Lockout options in WebLogic has passed. See Protecting User Accounts in the Configuring Security for a WebLogic Domain section of the Oracle WebLogic Server documentation for more information: http://docs.oracle.com/cd/E24329_01/web.1211/e24422/domain.htm#SECMG402

About authority: The default authority assigned to this user either allows or excludes this user from system-wide access to menu options. To allow or exclude authority to specific menu options, see the Work with Menu Option Authority screen in the online help.

Managing Inactive Users

For security, disable user accounts that are inactive for 180 days, and delete user accounts that are inactive for 270 days. Oracle staff can identify how long a user has been inactive by querying the Users table in your Order Management System database and selecting records based on the date and time recorded in the eventParam_3 field. After you have identified the inactive users, you can use Working with User Records (WUSR) to select users and either disable their accounts or delete them as needed.
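The Python sketch below is an added example, not Oracle code. It reviews a list of user records against the guidance in this chapter: default authority of Exclude, privileged flags only where the job requires them, and the 180-day and 270-day inactivity thresholds. The record layout and key names are hypothetical, the sample rows are constructed, and the last activity date is assumed to have been obtained from the Users table as described above.

```python
from datetime import date

DISABLE_AFTER_DAYS = 180      # chapter guidance: disable after 180 days inactive
DELETE_AFTER_DAYS = 270       # chapter guidance: delete after 270 days inactive
TEMPLATE_USER = "DEFAULTCSU"  # template record that never logs in


def row(user, authority, sec_admin, rank, all_jobs, adv_cmds, status, last):
    """Build one record; the key names are hypothetical, not an OMS export."""
    return {"user": user, "default_authority": authority,
            "security_admin": sec_admin, "rank": rank, "all_jobs": all_jobs,
            "advanced_commands": adv_cmds, "status": status,
            "last_activity": last}


# Constructed sample data for illustration only.
SAMPLE_USERS = [
    row("DEFAULTCSU", "EXCLUDE", False, 9, False, False, "ENABLED", None),
    row("OESEASON1", "EXCLUDE", False, 9, False, False, "ENABLED", date(2024, 6, 1)),
    row("ADMIN01", "ALLOW", True, 1, True, True, "ENABLED", date(2024, 6, 20)),
    row("BUYER02", "EXCLUDE", False, 5, False, False, "ENABLED", date(2023, 12, 1)),
    row("TEMP2023", "ALLOW", False, 9, False, False, "DISABLED", date(2023, 9, 1)),
]


def privilege_findings(u):
    """Settings the chapter says to grant only where the job requires them."""
    checks = [
        ("DEFAULT_ALLOW", u["default_authority"] == "ALLOW"),
        ("SECURITY_ADMIN", u["security_admin"]),
        ("RANK1_ALL_JOBS", u["rank"] == 1 and u["all_jobs"]),
        ("ADVANCED_COMMANDS", u["advanced_commands"]),
    ]
    return [code for code, hit in checks if hit]


def inactivity_findings(u, today):
    """Apply the 180-day disable / 270-day delete guidance."""
    if u["user"] == TEMPLATE_USER:
        return []  # the template has no logins by design; do not age it out
    if u["last_activity"] is None:
        return ["NO_ACTIVITY_RECORDED"]
    idle = (today - u["last_activity"]).days
    if idle >= DELETE_AFTER_DAYS:
        return ["DELETE"]
    if idle >= DISABLE_AFTER_DAYS and u["status"] == "ENABLED":
        return ["DISABLE"]
    return []


def audit(users, today):
    """Return {user: [finding codes]} for every record with a finding."""
    report = {}
    for u in users:
        found = privilege_findings(u) + inactivity_findings(u, today)
        if found:
            report[u["user"]] = found
    return report


if __name__ == "__main__":
    for user, codes in audit(SAMPLE_USERS, date(2024, 6, 30)).items():
        print(f"{user:<10} {', '.join(codes)}")
```

Each finding is a prompt for review in Work with Users (WUSR), not an automatic change; an administrator account is expected to carry some of these flags.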