Cloud Security: User Provisioning to Fusion Applications Cloud

Introduction

The notion of a user is a common source of misunderstanding and confusion. When we say user, we usually mean the person who is allowed to use an application. However, nearly every application implements its own user structure. The challenge is to find common ground between these differing user structures and a way to provision them, i.e. push the user information, into the applications.

In today's connected and integrated world, enterprises usually maintain a single identity store for all users and their passwords (often referred to as an Enterprise Identity Store). Combined with a state-of-the-art Federated Single Sign-on technique such as SAML 2.0 or OpenID Connect, this Enterprise Identity Store acts as the Identity Provider for all connected services, also known as Service Providers.

A successful authentication in a Federated SSO scenario happens at the Identity Provider and the issued token will be used by the Service Provider to “link” the authenticated user to a user identity stored at the Service Provider.

This article explains how Enterprise Identity Store users that have been provisioned to Fusion Applications Cloud are turned into users that have the permissions required to work as expected.

Background

In Oracle Fusion Applications Cloud, a user consists of a User Account and a related Worker or Person structure. The User Account is required for a successful login, while the Worker or Person structure, with the roles assigned to it, tells Fusion Applications Cloud what the user is authorized to do.

Recreating Enterprise Identities in Fusion Applications Cloud manually, for example by hiring a person, can lead to duplicate or misspelled entries and should be avoided. To ensure that Enterprise Identities are configured correctly in Fusion Applications Cloud, they should be provisioned to Fusion Applications Cloud automatically. However, provisioning an Enterprise Identity only creates a User Account and none of the related structures. As a result, the Enterprise User may be able to log into Fusion Applications Cloud but has no permissions to do anything useful.

The Process

To allow Enterprise Users to use Fusion Applications Cloud with the related role assignments, these Enterprise Users must be provisioned first, and then the Fusion Applications Cloud structures must be created and linked to the related User Account. This process has three steps:

  1. Provision the User Identity
  2. Create the Worker or Person structure
  3. Link the Worker or Person structure to the User Account

The next sections show these steps in detail.

User Name Generation Rule

Before we delve into the steps in detail, we take a quick look at the User Name Generation Rule. By default, Fusion Applications Cloud creates the User Account structure as instructed by the User Name Generation Rule, which defines how the user name is derived from the person's data. It allows the following user name generation schemes:

  • Firstname.Lastname
  • E-Mail address
  • FLastname
  • Person or Party Number

To avoid name conflicts, Fusion Applications Cloud can also be instructed to generate a unique system name when the rule fails. The Generation Rule is configured in the Fusion Applications Cloud Security Console (see picture).

However, when users are provisioned from an Enterprise Identity Store, the option "Generate system name when generation rule fails" should be turned off. Otherwise a hire whose generated name does not match the provisioned account silently receives a second, system-generated User Account for the same person, and the Worker is linked to that duplicate instead of the Enterprise Identity.

Step 1: Provisioning the User

To provision a user into Fusion Applications Cloud, several options are available:

  • Fusion Applications Cloud Active Directory Bridge
  • Oracle Identity Manager Fusion Applications Cloud Applications Connector
  • IDCS Fusion Applications Cloud template
  • Custom code

All of these options use the Fusion Applications Cloud SCIM API to provision the Enterprise User to Fusion Applications Cloud. This creates the User Account structure in Fusion Applications Cloud, i.e. the minimal user information required to successfully complete the Federated SSO login flow.

When user provisioning has been completed for an Enterprise User, this user can start using Fusion Applications Cloud, but no permissions are granted to this user and Fusion Applications Cloud cannot be used in the intended way.
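As an added example (not code from this article or from Oracle), the custom-code option could look like the Python client below. It assumes the Fusion SCIM endpoint lives at /hcmRestApi/scim/Users under the pod's base URL, that a service account with Basic authentication is allowed to create users, and that the schema URN is the one Fusion's SCIM examples use; the host, credentials, rule labels and the FakeFusionScim test double are this example's own. The client looks the account up by userName before creating it, so a re-run of the provisioning job cannot create a second account, refuses non-TLS URLs, and rejects user names that could alter the SCIM filter.

```python
import base64
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass

@dataclass(frozen=True)
class EnterpriseIdentity:
    first_name: str
    last_name: str
    email: str
    person_number: str

def generate_user_name(identity, rule):
    """Mirror of the Fusion User Name Generation Rule (labels are this example's).
    The provisioned name must equal the one Fusion generates at hire time,
    otherwise the Worker is not linked to this account."""
    if rule == "FIRSTNAME.LASTNAME":
        return f"{identity.first_name}.{identity.last_name}"
    if rule == "EMAIL":
        return identity.email
    if rule == "FLASTNAME":
        return f"{identity.first_name[0]}{identity.last_name}"
    if rule == "PERSON_NUMBER":
        return identity.person_number
    raise ValueError(f"unknown generation rule {rule!r}")

def scim_user_payload(identity, user_name):
    """SCIM User resource without a password: the user authenticates at the
    Identity Provider. Schema URN as in Fusion's SCIM examples (assumption)."""
    return {
        "schemas": ["urn:scim:schemas:core:2.0:User"],
        "userName": user_name,
        "name": {"givenName": identity.first_name, "familyName": identity.last_name},
        "emails": [{"value": identity.email, "type": "work", "primary": True}],
        "active": True,
    }

def urllib_transport(method, url, headers, body):
    """Real HTTP transport; FakeFusionScim below has the same signature."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()

class FusionScimClient:
    """Create-if-absent against <base_url>/hcmRestApi/scim/Users (assumed path)."""

    def __init__(self, base_url, username, password, transport=urllib_transport):
        if not base_url.lower().startswith("https://"):
            raise ValueError("refusing to send Basic credentials over a non-TLS URL")
        self.base = base_url.rstrip("/") + "/hcmRestApi/scim"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.transport = transport

    def find_user(self, user_name):
        # A quote or backslash would change the SCIM filter's meaning: reject it.
        if any(c in user_name for c in '"\\'):
            raise ValueError(f"user name not safe for a SCIM filter: {user_name!r}")
        query = urllib.parse.urlencode({"filter": f'userName eq "{user_name}"'})
        status, body = self.transport("GET", f"{self.base}/Users?{query}", self.headers, None)
        if status != 200:
            raise RuntimeError(f"SCIM lookup failed with HTTP {status}")
        resources = json.loads(body).get("Resources", [])
        return resources[0] if resources else None

    def provision(self, identity, rule):
        """Return (scim_id, created). Looking up first keeps a re-run of the job
        from creating a second account for the same enterprise identity."""
        user_name = generate_user_name(identity, rule)
        existing = self.find_user(user_name)
        if existing is not None:
            return existing["id"], False
        body = json.dumps(scim_user_payload(identity, user_name)).encode()
        status, resp = self.transport("POST", f"{self.base}/Users", self.headers, body)
        if status != 201:
            raise RuntimeError(f"SCIM create failed with HTTP {status}")
        return json.loads(resp)["id"], True

class FakeFusionScim:
    """Constructed in-memory stand-in for the Fusion SCIM endpoint (offline test
    double); it implements only the two calls the client makes."""

    def __init__(self):
        self.users = {}

    def __call__(self, method, url, headers, body):
        if method == "GET":
            flt = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["filter"][0]
            wanted = flt.split('"')[1]  # userName eq "<wanted>"
            found = [u for u in self.users.values() if u["userName"] == wanted]
            return 200, json.dumps({"totalResults": len(found), "Resources": found}).encode()
        if method == "POST":
            user = dict(json.loads(body), id=f"id-{len(self.users) + 1}")
            self.users[user["id"]] = user
            return 201, json.dumps(user).encode()
        return 405, b""
```

Against a real pod, pass the pod URL and leave transport at its default. The rule passed to provision must be the one configured in the Security Console; a provisioned name that the rule would not produce is exactly the case in which the hire in Step 2 ends up with a second account instead of a link.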

Steps 2 and 3: Hiring a Person And Link to a User Account

The second step is to create the Worker or Person structure. To do this we simply hire a person. Once a Person has been hired, Fusion Applications Cloud uses the User Name Generation Rule to derive a user name and create a new User Account structure. If this process finds an existing User Account that is not yet linked to a person id or party id and whose user name equals the name the Generation Rule produces for the new person, it links the Worker structure to that User Account instead of creating a new one, forming a complete structure.

Hiring a Person can be done manually through the Fusion Applications Cloud UI or in batch mode through the Fusion Applications Cloud services. The next sections explain these steps for UI or Batch mode in detail.

UI mode

The UI mode is a common way to create a Fusion Applications Cloud Worker structure. This is normally done by Human Resources personnel.

  1. Sign in to Fusion Applications Cloud with an account that has a role that allows you to create Persons
  2. Click on the Navigator
  3. Click on New Person (you might find it under My Workforce)
  4. Click on the panel drawer on the right
  5. Click on Hire an Employee
  6. Hire a new Employee
    1. Complete the required fields for Identification. Enter Hire Date, Hire Action, Hire Reason, Legal Employer. Also enter Last Name, First Name. Next enter any other mandatory fields configured in your environment. Click Next.
    2. Complete the required fields for Person Information. Enter Home Address and any other mandatory fields configured in your environment. Click Next.
    3. Fill the required fields for Employment Information. Enter Business Unit, Assignment Status, Assignment Information. Enter any other mandatory fields configured in your environment.
    4. Enter the required Compensation and other Information and click Next.
    5. Review the entered information and click Next.
    6. Click Submit.
    7. Click Yes on the Warning popup.
    8. Click OK at the Confirmation popup.

Batch mode

Note: The values used in the HDL below are fictitious and do not show any real-world values. To create working HDL code based on this sample, real, implementation-specific values must be used!

To create a Fusion Applications Cloud Worker structure in batch mode, an HCM Data Loader (HDL) file structure must be used:

  1. Create an HDL file called Worker.dat to load a worker. The sample below shows the structure of the file and must be tailored to match the data set up on your environment.
    METADATA|Worker|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonNumber|StartDate|DateOfBirth|ActionCode
    MERGE|Worker|HCM_SAMPLE-001|SSID1_P_SAMPLE304WRKR_1|2017/01/27|4712/12/31|P_SAMPLE304WRKR_1|2017/01/27|1970/01/01|HIRE
     
    METADATA|PersonName|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonId(SourceSystemId)|NameType|LegislationCode|Title|LastName|FirstName|MiddleNames
    MERGE|PersonName|HCM_SAMPLE-001|SSID1_P_SAMPLE304PN_1|2017/01/27|4712/12/31|SSID1_P_SAMPLE304WRKR_1|GLOBAL|US|MR.|Lastname|Firstname|X
     
    METADATA|PersonLegislativeData|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonId(SourceSystemId)|LegislationCode|Sex|MaritalStatus
    MERGE|PersonLegislativeData|HCM_SAMPLE-001|SSID1_P_SAMPLE304PLD_1|2017/01/27|4712/12/31|SSID1_P_SAMPLE304WRKR_1|US|M|M
      
    METADATA|WorkRelationship|SourceSystemOwner|SourceSystemId|PersonId(SourceSystemId)|LegalEmployerName|DateStart|WorkerType|PrimaryFlag
    MERGE|WorkRelationship|HCM_SAMPLE-001|SSID1_P_SAMPLE304WR_1|SSID1_P_SAMPLE304WRKR_1|Lastname-6-HX1|2017/01/27|E|Y
      
    METADATA|WorkTerms|SourceSystemOwner|SourceSystemId|PeriodOfServiceId(SourceSystemId)|ActionCode|EffectiveStartDate|EffectiveEndDate|EffectiveSequence|EffectiveLatestChange|AssignmentName|AssignmentNumber|PrimaryWorkTermsFlag
    MERGE|WorkTerms|HCM_SAMPLE-001|SSID1_P_SAMPLE304WT_1|SSID1_P_SAMPLE304WR_1|HIRE|2017/01/27|4712/12/31|1|Y|P_SAMPLE304_WTNM_1|P_SAMPLE304_WTNUM_1|Y
     
    METADATA|Assignment|SourceSystemOwner|SourceSystemId|ActionCode|EffectiveStartDate|EffectiveEndDate|EffectiveSequence|EffectiveLatestChange|WorkTermsAssignmentId(SourceSystemId)|AssignmentName|AssignmentNumber|AssignmentStatusTypeCode|PersonTypeCode|BusinessUnitShortCode|PrimaryAssignmentFlag
    MERGE|Assignment|HCM_SAMPLE-001|SSID1_P_SAMPLE304A_1|HIRE|2017/01/27|4712/12/31|1|Y|SSID1_P_SAMPLE304WT_1|P_SAMPLE304_AN_1|P_SAMPLE304_ANUM_1|ACTIVE_PROCESS|Employee|HDL_BU_SET1|Y
     
    METADATA|PersonUserInformation|PersonNumber|UserName|GeneratedUserAccountFlag|UsernameMatchingFlag
    MERGE|PersonUserInformation|P_SAMPLE304WRKR_1|Firstname.Lastname|Y|Y
    

    In the file, we instruct HDL to link the person to an already existing User Account that has been provisioned before. The actual linking is requested by setting the UsernameMatchingFlag field to Y; the UserName value must be the name of the provisioned account, otherwise HDL creates a new account instead of linking:

    METADATA|PersonUserInformation|PersonNumber|UserName|GeneratedUserAccountFlag|UsernameMatchingFlag
    MERGE|PersonUserInformation|P_SAMPLE304WRKR_1|Firstname.Lastname|Y|Y
    
  2. Create a file called Worker.zip by compressing Worker.dat to ZIP format.
  3. Sign in to Fusion Applications Cloud with an account that has a role that allows you to access HDL (e.g. Human Capital Management Integration Specialist).
  4. Click on the Navigator.
  5. Click on Data Exchange.
  6. From the panel drawer on the right, click on Import and Load Data.
  7. Click on Import File. Click on Import Local File. Click on Choose File. Select Worker.zip from your local directory. Click Submit.
  8. Click Submit. Click OK on the Confirmation.
  9. Wait for the job to be completed. You can click Refresh to get the latest status.
  10. Click on the Navigator icon. Click on Scheduled Processes. Click Schedule New Process.
  11. Search for Send Pending LDAP Requests:
    1. Select it and click OK.
    2. Click Submit on the Process Details window.
  12. Repeat the above step and run Update Person Search Keywords.
Note: To upload and process an HDL file, the Fusion SOAP service HCMDataLoader can be used as well. Service details are available in the Fusion Developer Connect screen.
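To generate Worker.dat from an enterprise identity record instead of editing the sample by hand, and to check the file before uploading it, here is an added Python example (not the article's or Oracle's code). It emits the same business objects as the sample above (the optional Title and MiddleNames columns are left out), refuses values that contain the | delimiter since they would shift every following column, parses the file back to verify that the PersonUserInformation row names the provisioned account with UsernameMatchingFlag set to Y, and packages the result as Worker.zip. The source system owner, legal employer and business unit values, and the sample hire, are placeholders.

```python
import io
import zipfile
from dataclasses import dataclass
from datetime import datetime

END_OF_TIME = "4712/12/31"  # HDL convention for an open-ended EffectiveEndDate

@dataclass(frozen=True)
class Hire:
    person_number: str
    first_name: str
    last_name: str
    user_name: str       # must equal what the User Name Generation Rule yields
    hire_date: str       # YYYY/MM/DD, as HDL expects
    date_of_birth: str
    legal_employer: str  # placeholder names; use your own Legal Employer and BU
    business_unit: str
    legislation: str = "US"
    sex: str = "M"
    marital_status: str = "M"

def _hdl_date(value):
    datetime.strptime(value, "%Y/%m/%d")  # raises on a date HDL would reject
    return value

def worker_dat(h, owner="HCM_SAMPLE-001"):
    """Emit the Worker.dat of the article for one hire. UsernameMatchingFlag=Y
    tells HDL to link the person to the already provisioned account."""
    for value in (h.person_number, h.first_name, h.last_name, h.user_name,
                  h.legal_employer, h.business_unit):
        if "|" in value or "\n" in value:  # would shift every following column
            raise ValueError(f"value would break the HDL record layout: {value!r}")
    p, start, eot = h.person_number, _hdl_date(h.hire_date), END_OF_TIME
    wrkr, wr, wt = f"SSID1_{p}_WRKR", f"SSID1_{p}_WR", f"SSID1_{p}_WT"
    rows = [
        "METADATA|Worker|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonNumber|StartDate|DateOfBirth|ActionCode",
        f"MERGE|Worker|{owner}|{wrkr}|{start}|{eot}|{p}|{start}|{_hdl_date(h.date_of_birth)}|HIRE",
        "METADATA|PersonName|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonId(SourceSystemId)|NameType|LegislationCode|LastName|FirstName",
        f"MERGE|PersonName|{owner}|SSID1_{p}_PN|{start}|{eot}|{wrkr}|GLOBAL|{h.legislation}|{h.last_name}|{h.first_name}",
        "METADATA|PersonLegislativeData|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonId(SourceSystemId)|LegislationCode|Sex|MaritalStatus",
        f"MERGE|PersonLegislativeData|{owner}|SSID1_{p}_PLD|{start}|{eot}|{wrkr}|{h.legislation}|{h.sex}|{h.marital_status}",
        "METADATA|WorkRelationship|SourceSystemOwner|SourceSystemId|PersonId(SourceSystemId)|LegalEmployerName|DateStart|WorkerType|PrimaryFlag",
        f"MERGE|WorkRelationship|{owner}|{wr}|{wrkr}|{h.legal_employer}|{start}|E|Y",
        "METADATA|WorkTerms|SourceSystemOwner|SourceSystemId|PeriodOfServiceId(SourceSystemId)|ActionCode|EffectiveStartDate|EffectiveEndDate|EffectiveSequence|EffectiveLatestChange|AssignmentName|AssignmentNumber|PrimaryWorkTermsFlag",
        f"MERGE|WorkTerms|{owner}|{wt}|{wr}|HIRE|{start}|{eot}|1|Y|{p}_WT|{p}_WTNUM|Y",
        "METADATA|Assignment|SourceSystemOwner|SourceSystemId|ActionCode|EffectiveStartDate|EffectiveEndDate|EffectiveSequence|EffectiveLatestChange|WorkTermsAssignmentId(SourceSystemId)|AssignmentName|AssignmentNumber|AssignmentStatusTypeCode|PersonTypeCode|BusinessUnitShortCode|PrimaryAssignmentFlag",
        f"MERGE|Assignment|{owner}|SSID1_{p}_A|HIRE|{start}|{eot}|1|Y|{wt}|{p}_AN|{p}_ANUM|ACTIVE_PROCESS|Employee|{h.business_unit}|Y",
        "METADATA|PersonUserInformation|PersonNumber|UserName|GeneratedUserAccountFlag|UsernameMatchingFlag",
        f"MERGE|PersonUserInformation|{p}|{h.user_name}|Y|Y",
    ]
    return "\n".join(rows) + "\n"

def parse_hdl(text):
    """Group MERGE rows by business object, keyed by the columns of the
    METADATA line that precedes them; a column-count mismatch is an error."""
    columns, objects = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMENT"):
            continue
        kind, obj, *values = line.split("|")
        if kind == "METADATA":
            columns[obj] = values
        elif kind == "MERGE":
            if len(values) != len(columns[obj]):
                raise ValueError(f"{obj}: {len(values)} values for {len(columns[obj])} columns")
            objects.setdefault(obj, []).append(dict(zip(columns[obj], values)))
    return objects

def link_issues(text, provisioned_user_name):
    """Reasons the file would NOT link to the provisioned account. A UserName
    that differs from the provisioned one makes the hire create a new account
    instead of linking to the existing one."""
    issues = []
    for row in parse_hdl(text).get("PersonUserInformation", []):
        if row["UserName"] != provisioned_user_name:
            issues.append(f"{row['PersonNumber']}: UserName {row['UserName']!r} "
                          f"differs from provisioned {provisioned_user_name!r}")
        if row["UsernameMatchingFlag"] != "Y":
            issues.append(f"{row['PersonNumber']}: UsernameMatchingFlag is not Y")
    return issues

def worker_zip(dat_text):
    """Worker.zip holding Worker.dat, the shape Import and Load Data expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Worker.dat", dat_text)
    return buf.getvalue()

def zip_members(zip_bytes):
    return zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist()

def sample_hire():
    """Constructed sample record; the values are fictitious like the article's."""
    return Hire("P100042", "Jane", "Doe", "Jane.Doe", "2017/01/27", "1970/01/01",
                "Vision Corporation", "HDL_BU_SET1")
```

Call link_issues with the user name the SCIM provisioning produced for this person and stop the upload if the list is not empty; the check costs nothing and catches the one mismatch that the batch job would otherwise turn into a duplicate account.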

Manual User Account and Person Linking

Some use cases require a User Account to be revoked from Fusion Applications Cloud for a defined time. Revoking a User Account removes only the User Account from Fusion Applications Cloud; the related Worker or Person structure is not modified, i.e. all details and role assignments are still present. The person cannot sign in, however, because the User Account is missing. When the account is provisioned again, it has to be linked to the person manually.

To relink an existing User Account, follow these steps:

  1. Click on the Navigator icon.
  2. Click on Person Management.
  3. Search for the employee.
  4. View the details of the employee. Click on the panel drawer and select Manage User Account.
  5. Click on the Actions menu. Select Create User Account.
  6. Click Link User Account. Select Search in the pop-up window.
  7. Search for the user account that was provisioned. Select this account.
  8. Click OK. Click OK.
  9. Click Save. Click Yes on the Warning message box. The account and the roles assigned to the person are now linked.
  10. Click Done. Click Yes on the Warning message box.

Summary

User provisioning to Fusion Applications Cloud is a complex task and requires thorough process planning to be done right. Once this process is in place, however, it is very powerful: it speeds up user onboarding, avoids duplicate accounts, and improves your business processes.
