Introduction

Cloud HCM can extract data from HCM using the underlying new-generation BOSS/Spectra platform. This tutorial describes the security configuration that is a prerequisite for extracting data.

Objectives

Upon completing this tutorial, you will understand how to:

  • Configure an HCM job role for data extraction
  • Configure an OAuth client application to programmatically extract data using API calls

Task 1: Prepare an HCM Job Role

In order to access data in the hierarchy of Worker-related objects, certain Permission Groups have to be added to a new or existing HCM job role.

Follow the steps below to ensure appropriate data access.

  1. Go to Setup and Maintenance
    1. Search for Manage Administrator Profile Values and enter this task
    2. Search for the profile value by profile option code ORA_ASE_SAS_INTEGRATION_ENABLED
    3. Set its value to Yes at the Site level
    4. Save the profile value
  2. Go to Tools → Security Console
    1. Create or edit a role of role category HCM - Job Roles
    2. Click Enable Permission Groups and confirm
    3. Go to the Permission Groups train stop
      1. Click Add Permission Group
      2. Search for boss_execute_AsyncDataExtraction_OraBatchJobDefinition and select it
      3. Click Add Selected Permission Groups
      4. Close the popup window
    4. Still in the Permission Groups train stop
      1. Click Add Permission Group
      2. Search for oraHcmHrCoreEmployment_Worker_read and select it
      3. Click Add Selected Permission Groups
      4. Close the popup window
      5. Select the newly added read:Worker permission group
      6. Select the Security Views tab in the Details section below
      7. Click Add Security Views
      8. Select the desired security view, e.g. AllRowsAllFields
      9. Click Add Security View
      10. Close the popup window
    5. Go to the Role Hierarchy train stop
      1. Click Roles and Permission Groups
      2. Click Add Role
      3. Make sure the Duty roles option is selected
      4. Search for ORA_DR_PER_WORKER_EXTRACT_DUTY and select it
      5. Click Add Role Membership
      6. Close the popup window
    6. Go to the Summary train stop
    7. Review the changes and save them

Task 2: Create an Application

Spectra APIs can only be accessed by confidential applications that use OAuth 2.0. You'll need to define one in Oracle Identity Cloud Service (IDCS).

  1. Log in to the IDCS Admin Console and navigate to the given pod's identity domain
  2. Click Integrated applications
  3. Click Add application
  4. Select Confidential Application and click Launch workflow
  5. Provide a Name (e.g. Extracts Application)
  6. Click Submit
  7. Select the OAuth configuration tab and click Edit OAuth configuration
  8. Select Configure this application as a client now
  9. Choose Allowed grant types as Client credentials and JWT assertion
  10. Choose Client type as Confidential
  11. Choose Allowed operations as On behalf of
  12. Enable Bypass consent
  13. Select Add resources
  14. Click Add scope, then search for, select and add the following scopes:
    • Oracle SaaS Batch Cloud Service
    • Oracle Boss Cloud (Spectra)
  15. Click Submit
  16. To activate the newly created application, expand the Actions dropdown, select the Activate action and confirm it
  17. In your application details, find the Client ID and Client secret; these are used to generate access tokens

Task 3: Assign the Role to the Application

Now it's time to assign the role from Task 1 to the application from Task 2.

  1. Go to Tools → Security Console
  2. Click Application Extensions
  3. Find your application in the Custom OAuth Client Applications section and click its name
  4. Click Roles
  5. Click Add
  6. Search for your role and select it
  7. Click Add
  8. Click Done

In order to access Application Extensions, you must have the ASE_ADMINISTER_APP_EXTENSIONS_PRIV privilege.

Task 4: Obtain a Token

Here's how you can obtain a token to extract data using Spectra services.

URL: {{idcsUrl}}/oauth2/v1/token
HTTP method: POST
Authorization: Basic auth with clientId and clientSecret
Content-Type header: application/x-www-form-urlencoded
Request body: URL-encoded

For accessing /api/boss endpoints:

grant_type=client_credentials&scope=urn:opc:resource:fusion:{{pod}}:boss/

For accessing /api/saas-batch endpoints:

grant_type=client_credentials&scope=urn:opc:resource:fusion:{{pod}}:saas-batch/
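
The token request described above, as an added Python example that is not part of the original tutorial or Oracle's code: it builds the request for either scope, refuses a non-HTTPS token endpoint, and reads the client credentials from the environment rather than from source. The function names and environment variable names are assumptions chosen for illustration.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Scope suffixes from the tutorial: one per API family.
SCOPE_SUFFIX = {"/api/boss": "boss/", "/api/saas-batch": "saas-batch/"}


def build_token_request(idcs_url, pod, client_id, client_secret, api_family):
    """Build (but do not send) the client-credentials token request."""
    if not idcs_url.lower().startswith("https://"):
        raise ValueError("token endpoint must use HTTPS: the secret travels in a header")
    if api_family not in SCOPE_SUFFIX:
        raise ValueError(f"unknown API family: {api_family!r}")
    scope = f"urn:opc:resource:fusion:{pod}:{SCOPE_SUFFIX[api_family]}"
    # urlencode percent-encodes ':' and '/'; the server decodes them back.
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode("ascii")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        idcs_url.rstrip("/") + "/oauth2/v1/token",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def fetch_token(request, timeout=30):
    """Send the request and return the access token from the JSON response."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Hypothetical environment variable names; keep the secret out of source control.
    req = build_token_request(
        os.environ["IDCS_URL"], os.environ["HCM_POD"],
        os.environ["EXTRACT_CLIENT_ID"], os.environ["EXTRACT_CLIENT_SECRET"],
        "/api/boss",
    )
    token = fetch_token(req)
    print(f"received access token of {len(token)} characters")  # never log the token itself
```

A token requested with the boss/ scope is for /api/boss endpoints only; request a second token with the saas-batch/ scope for /api/saas-batch calls.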
