Introduction

Cloud HCM provides a capability to extract data from HCM using a new-generation platform with a read-only data store. This tutorial describes the security configuration that is a prerequisite for extracting data.

Objectives

Upon completing this tutorial, you will understand how to:

  • Configure an HCM job role for data extraction
  • Configure an OAuth client application to programmatically extract data using API calls

Task 1: Prepare an HCM Job Role

In order to access data in the hierarchy of Worker-related objects, certain Permission Groups have to be added to a new or existing HCM job role.

Follow the steps below to ensure appropriate data access.

  1. Go to Setup and Maintenance
    1. Search for Manage Administrator Profile Values and enter this task
    2. Search for the profile value by profile option code ORA_ASE_SAS_INTEGRATION_ENABLED
    3. Set its value to Yes at the Site level
    4. Save the profile value
  2. Go to Tools → Security Console
    1. Create or edit a role of role category HCM - Job Roles
    2. Click Enable Permission Groups and confirm
    3. Go to the Permission Groups train stop
      1. Click Add Permission Group
      2. Search for boss_execute_AsyncDataExtraction_OraBatchJobDefinition and select it
      3. Click Add Selected Permission Groups
      4. Close the popup window
    4. Go to the Role Hierarchy train stop
      1. Click Roles and Permission Groups
      2. Click Add Role
      3. Make sure Duty roles option is selected
      4. Below are the extraction duty roles available as of release 26A. For each duty role, search for it, select it and click Add Role Membership. This default approach grants access to all extractable objects in HCM; you can fine-tune the data security as needed, based on your specific requirements.
        • ORA_DR_HRC_OBJ_CHANGES_EXTRACTION_DUTY
        • ORA_DR_PER_WORK_STRUCTURES_EXTRACT_DUTY
        • ORA_DR_PER_WORKER_DETAILS_EXTRACT_DUTY
        • ORA_DR_PER_WORKER_EMPLOYMENT_EXTRACT_DUTY
        • ORA_DR_PER_WORKER_PII_EXTRACT_DUTY
        • ORA_DR_PER_WORKER_SENSITIVE_DETAILS_EXTRACT_DUTY
      5. Close the popup window
    5. Go to the Summary train stop
    6. Review the changes and save them

Task 2: Create an Application

The APIs can only be accessed by confidential applications that use OAuth 2.0. You'll need to define one in Oracle Identity Cloud Service (IDCS).

  1. Log into the IDCS Admin Console and navigate to the given pod's identity domain
  2. Click Integrated applications
  3. Click Add application
  4. Select Confidential Application and click Launch workflow
  5. Provide Name (e.g. Extracts Application)
  6. Click Submit
  7. Select OAuth configuration tab and click Edit OAuth configuration
  8. Select Configure this application as a client now
  9. Choose Allowed grant types as Client credentials and JWT assertion
  10. Choose Client type as Trusted
  11. To allow client authentication using JWT assertion (recommended for production environments), click Import certificate
    1. Provide an alias for your certificate
    2. Upload the certificate
    3. Click Import
  12. Choose Allowed operations as On behalf of
  13. Enable Bypass consent
  14. Select Add resources
  15. Click Add scope, then search for, select and add the following scopes
    • Oracle SaaS Batch Cloud Service
    • Oracle Boss Cloud (Spectra)
  16. Click Submit
  17. To activate the newly created application, expand the Actions dropdown, select the Activate action and confirm it
  18. In your application details, note the Client ID and Client secret; they will be used to generate access tokens

Task 3: Assign the Role to the Application

Now it's time to assign the role from Task 1 to the application from Task 2.

  1. Go to Tools → Security Console
  2. Click Application Extensions
  3. Find your application in the Custom OAuth Client Applications section and click its name
  4. Click Roles
  5. Click Add
  6. Search for your role and select it
  7. Click Add
  8. Click Done

In order to access Application Extensions, you must have the ASE_ADMINISTER_APP_EXTENSIONS_PRIV privilege.

Task 4: Obtain a Token

Here's how you can obtain a token to use the APIs.

URL: {{idcsUrl}}/oauth2/v1/token
HTTP method: POST
Content-Type header: application/x-www-form-urlencoded
Request body (URL-encoded):

  For accessing /api/boss endpoints:

    grant_type=client_credentials&scope=urn:opc:resource:fusion:{{pod}}:boss/

  For accessing /api/saas-batch endpoints:

    grant_type=client_credentials&scope=urn:opc:resource:fusion:{{pod}}:saas-batch/

Authentication

You can use basic authentication or JWT assertion to authenticate the client.

To use basic authentication, send the standard Authorization header (Basic scheme) carrying the Base64-encoded clientId:clientSecret.

Alternatively, to use JWT assertion, pass the following additional URL-encoded parameters in the request body:

client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={{clientAssertion}}

The client assertion must be a valid JWT in compact serialization (Base64url-encoded header, payload and signature segments), signed with the private key that matches the public certificate you uploaded in IDCS, with the following structure.

Header

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "{{certificateAlias}}"
}

Payload

{
  "sub": "{{clientId}}",
  "jti": "{{uuid}}",
  "iat": {{iat}},
  "exp": {{exp}},
  "iss": "{{clientId}}",
  "aud": [ "https://identity.oraclecloud.com/" ]
}
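As an added example that is not part of the original tutorial, the Go program below builds the RS256 client assertion with exactly the header and payload shown above and assembles the URL-encoded token request body for either the boss or the saas-batch scope. The Client ID, certificate alias, pod name and jti value are placeholders, and the key generated in main is a throwaway stand-in for the private key behind your IDCS certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs the header and payload shown above with RS256: kid is the IDCS
// certificate alias, iss/sub the Client ID, jti a unique id (a UUID in practice).
func BuildClientAssertion(clientID, kid, jti string, key *rsa.PrivateKey,
	now time.Time, ttl time.Duration) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	c, _ := json.Marshal(map[string]any{"sub": clientID, "jti": jti, "iat": now.Unix(),
		"exp": now.Add(ttl).Unix(), "iss": clientID, "aud": []string{"https://identity.oraclecloud.com/"}})
	input := b64url(h) + "." + b64url(c) // compact serialization uses base64url, no padding
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // RS256
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// TokenRequestBody builds the URL-encoded body for POST {{idcsUrl}}/oauth2/v1/token.
// resource is "boss" or "saas-batch", giving the two scope forms listed above.
func TokenRequestBody(pod, resource, assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("scope", "urn:opc:resource:fusion:"+pod+":"+resource+"/")
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}

func main() {
	// Constructed demo: a throwaway key and placeholder IDs stand in for your IDCS values.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwt, _ := BuildClientAssertion("CLIENT_ID_PLACEHOLDER", "extracts-cert", "demo-jti-1", key, time.Now(), 5*time.Minute)
	fmt.Println(TokenRequestBody("POD_PLACEHOLDER", "boss", jwt))
}
```

Keep the assertion lifetime short (minutes, not hours) and generate a fresh jti per request, since the token endpoint can reject replays of an already-used assertion.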

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.