In Fusion Applications, users are not directly assigned access to individual functions and data. Instead, access is provided through roles. Roles group users for a specific purpose and define their access privileges.
During the provisioning and installation of Fusion Applications, a Super User (FAADMIN, by default) is set up with the following roles, to administer the underlying technical stack (Fusion Middleware) and to act as a Functional Setup Manager.
- Application Implementation Consultant
- IT Security Manager
Though this super user can be used for Oracle Fusion functional implementation, as a sound security practice the functional implementation tasks are carried out by one or more special users called "Implementation Users". The initial implementation user is created by the super user and is responsible for the subsequent tasks:
- User Creation and their Security Management.
- Implementation Project Management.
- Enterprise Structure creation and management. This provides the foundation for HCM Task flows to manage the Users and their security.
- Completing the functional setup.
In order to create an implementation user, the following activities need to be performed.
- Prepare the Super User for User Management and Control.
- Prepare IT Security Manager Role for User and Role Management.
This post will provide details on how to accomplish the above tasks.
Please note that this procedure needs to be done for a BARE METAL installation. For OVM template based installations, these steps have already been done as part of the template creation. The details below can also be used to validate any OVM template installation to ensure the correct users and roles are present.
(The tasks discussed in this post are applicable to all Fusion Applications releases up through 11.1.5. However, this is subject to change in future releases with or without notice.)
The next step after completing the installation of FA is to start the common implementation, consisting of a series of tasks shown below.
This blog is limited to explaining the first 2 tasks in the above diagram.
Preparing Oracle Fusion Applications Super User for User Management and Configuration
Preparing IT Security Manager Role for User and Role Management
Kindly refer to the "Getting Started with Fusion Applications: Common Implementation" document for further details.
- The FA install is successfully completed. Any RUP installs are done and successfully completed.
- URLs for Oracle FA and OIM are available.
- OIM system administrator user and Super User (FAAdmin or weblogic_fa or user defined) credentials.
During the provisioning and installation of Oracle Fusion Applications, a super user is created by default (FAAdmin, weblogic_fa, etc., as provided during the installation). However, the email id for this super user may not be set up correctly during the provisioning and installation. The first task is to make sure the super user has a valid email id, as it is mandatory for User management and configuration. This can be done in a couple of ways:
a. Command Line (Linux)
b. Graphical User Interface (ODSM)
Command Line Interface
Open a new Terminal.
Using the vi editor or gedit, create an LDIF file with the following contents (sample.ldif). I had stored this file along with other property files in the following directory: /u01/fastage/prop_files
dn: cn=weblogic_fa, cn=users, dc=mycompany, dc=com
changetype: modify
replace: mail
mail: valid e-mail_address
Note that the super user in this case is "weblogic_fa".
$> export MW_HOME=/u01/app/oracle/product/fmw
$> export ORACLE_HOME=$MW_HOME/idm
$> $ORACLE_HOME/bin/ldapmodify -h idstore.mycompany.com -p 389 -D cn=orcladmin -w Welcome1 -f $HOME/prop_files/superuseremail.ldif
Note that we use the directory administrator "orcladmin" to apply the email change to the super user "weblogic_fa".
- Make sure that the command is run without any errors.
- Since you have chosen the command line interface for this task, you may skip the GUI Interface section detailed below and proceed to the Reconciliation detailed after it.
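The command-line steps above as one script, added here as an example and not part of the original post: it builds the LDIF only after rejecting values that could add extra LDIF lines, applies it, and reads the attribute back. Host, port and bind DN are the post's sample values; the function names, the temporary file and the -q and -L options are assumptions about your tool build.

```shell
#!/bin/sh
# Added example, not from the original post. Host, port and bind DN are
# the post's sample values; function names are hypothetical.

# Emit the modify LDIF. Rejects control characters (newlines) in either
# argument and whitespace in the address, so a pasted value cannot add
# extra LDIF lines such as a second "replace:" block.
build_mail_ldif() {
    dn=$1 mail=$2
    case $dn$mail in *[[:cntrl:]]*) return 1 ;; esac
    case $mail in
        *[[:space:]]*|*@*@*) return 1 ;;
        ?*@?*.?*) ;;
        *) return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: mail\nmail: %s\n' "$dn" "$mail"
}

# Print the mail value found in LDIF search output on stdin; fail if absent.
ldif_mail_value() {
    awk -F': ' 'tolower($1) == "mail" { print $2; found = 1; exit }
                END { exit !found }'
}

# Apply the change and read it back from the directory.
# Assumption: the ldapmodify/ldapsearch builds in $ORACLE_HOME/bin accept
# -q (prompt for the bind password, instead of -w on the command line)
# and ldapsearch accepts -L (LDIF output).
apply_and_verify() {
    dn=$1 mail=$2
    ldif=$(mktemp) || return 1            # mktemp creates the file mode 0600
    build_mail_ldif "$dn" "$mail" > "$ldif" &&
        "$ORACLE_HOME/bin/ldapmodify" -h idstore.mycompany.com -p 389 \
            -D cn=orcladmin -q -f "$ldif"
    rc=$?
    rm -f "$ldif"
    [ "$rc" -eq 0 ] || return 1
    got=$("$ORACLE_HOME/bin/ldapsearch" -h idstore.mycompany.com -p 389 \
        -D cn=orcladmin -q -L -b "$dn" -s base 'objectclass=*' mail |
        ldif_mail_value) || return 1
    [ "$got" = "$mail" ]
}

# Usage (address is a constructed sample):
#   apply_and_verify 'cn=weblogic_fa,cn=users,dc=mycompany,dc=com' fa.admin@example.com
```
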
Log into ODSM using the OIM administrator (xelsysadm).
Run the reconciliation to sync LDAP with OIM.
6. Launch the OIM URL and use the OIM system administrator user name and password to sign in.
7. Click the Advanced link in the upper right of the interface.
a. Click Search Scheduled Jobs in the System Management tasks.
b. Enter LDAP User Create and Update Full Reconciliation in the Search Scheduled Jobs field.
c. Select the job in the search results.
The super user created during the installation and provisioning can implement the Oracle Fusion application and administer security. However, it does not have the roles needed to create and manage Oracle Fusion Applications users. Hence, for the IT Security Manager role, we add the following OIM roles.
Note: If you plan to implement your project entirely while signed in as the super user and do not plan to create additional users, then you can skip this step. In reality there would be multiple Fusion Applications users created for various transactions, and you will most likely need to perform this step.
2. Click on Administration in the upper right of the interface.
a. Search for the IT Security Manager role, and select the role name in the search results.
b. From the Hierarchy tab, click on Inherits From.
c. Click on Add.
d. Select the role category: OIM Roles and click the find arrow.
e. Select IDENTITY USER ADMINISTRATORS and ROLE ADMINISTRATORS (ctrl + click) and move them to the Add Role list.
f. Click Save. This grants both roles (Identity User Administrators and Role Administrators) to the IT Security Manager role.
3. ALTERNATE for the above task # 2
You may instead add just the SYSTEM ADMINISTRATORS role (which inherits from both the Identity User Administrators and Role Administrators roles) to the IT SECURITY MANAGER role.
4. Return to the Welcome to Identity Manager Delegated Administration page,
The Super User is now prepared with the correct roles for Fusion Applications implementation. You may continue with the rest of the tasks: creating the implementation users, defining the structures and completing the functional setup.