May 2014
Disclaimer
The following is intended to outline our general product direction. It is intended for information purposes
only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code,
or functionality, and should not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle's products remains at the sole discretion
of Oracle.
Overview
Overview: Setting up Required Implementation Users
Introduction
Create Implementation Users in Oracle Identity Manager (OIM)
Synch Fusion HCM with Oracle Identity Manager (OIM)
Create Data Roles in Fusion HCM
Assign Security Profiles to Abstract Roles
Define Role Mapping Definitions for Abstract Roles in Fusion HCM
Create Generic Role Mapping Definitions for HCM Data Roles in Fusion HCM
Assign Abstract and Data Roles to HCMUser in Oracle Identity Manager (OIM) & Change Service Administrator User Login
Verify HCMUser (Functional Implementation) User Login
Overview: Resetting your HCM SFTP Server Password
Log on to the Oracle Cloud User Interface to Access the Identity Management Console
Change the SFTP User Password
Validate Your SFTP Server Login

Overview
This document provides instructions for Service Administrators of the HCM Cloud Service (or their
delegates) to achieve two very important objectives in the implementation lifecycle:
Setting up key implementation users and security profiles, required for both the initial
implementation of the HCM Cloud Service and its ongoing maintenance, enhancement, and use
over time.
Reset your Secure File Transfer Protocol (SFTP) password, required for managing certain
inbound and outbound interfaces. Examples are the outbound HCM System Extract transactions
and the Oracle Transactional Business Intelligence (OTBI) content.
Both of these activities should be set up in order to begin implementing your HCM Cloud
Service. As identified in this document, the need to perform these tasks is initiated when you receive
e-mail notifications from Oracle that your environments have been provisioned and are available for
use.
OIM Admin: The user provided to access Oracle Identity Management (OIM) through the HCM
Cloud Service for key security-related functions.
Technical Admin: The user provided to access the HCM Cloud Service to perform key technical
duties, including setup and security-related functions within the HCM Cloud Service.
Functional Admin: The user provided to access the HCM Cloud Service to perform key functional
duties, including setup functions.
Note that you will not be assigning real people to these users at this time because the HCM Cloud
Service is not yet configured to support onboarding of workers. As you move forward with your
implementation and set up your security configurations, you may choose to replace these initial
implementation users or revise their definitions. For now, you should set up these three users exactly
as defined in this document.
This document provides step-by-step directions for setting up these users. Depending upon your
specific role with the HCM Cloud Service implementation and the level of familiarity you have with
navigating the Service, you may wish to work with a key implementation resource (e.g., your project
manager or a delegate) to perform the tasks documented here. Oracle recommends that you log on
initially and NOT share your Service Administrator log on credentials with anybody else.
Some general information about the implementation user setup described in this document follows:
1. Oracle recommends that you set up your implementation users in the Test environment first and
migrate the setups to Production after they have been tested and validated. This also allows your
project team to better understand the design and implementation details of security within the HCM
Cloud service in a Test environment prior to establishing users in the Production environment.
2. All of the security setup you perform as directed by this document can be changed later.
3. Be sure to make a note of the passwords and challenge questions you create for the users created in
this document.
4. Check off each step as you complete it and be sure to follow these instructions exactly as
documented.
What you will need for this step: The service activation notification you received from Oracle which
identifies Service URLs and Username/temporary password for the environment (Test or Production)
for which you are setting up implementation users. Make sure you use the correct email for the
environment you are setting up. The Identity Domain is the environment name. For example:
HCMA would be the production environment and HCMA-TEST would be the Test Environment.
Setup Steps:
5. Log on to the HCM Cloud Service for the environment in which you are doing setup, using the
Service Home URL provided to you in the service activation notification from Oracle Cloud. The
URL ends with AtkHomePageWelcome or HcmFusionHome. Use your Service Administrator
Username which is also identified in your service activation notification. The password will either
be:
a. The password identified in the service activation notification, if this is your first time
accessing the HCM Cloud Service; or
b. The new password you provided the first time you accessed the HCM Cloud Service.
Note: The Username you log on with in this first step is yours as the Service Administrator and should
not be shared with anyone else.
6. If this is the first time you are accessing the HCM Cloud Service, you will be required to change your
Enter a new password, following the password policy guidelines on the screen.
a. From the Fusion Navigator (located at the upper-left of the screen), go to Tools >
Setup & Maintenance.
b. Click the down arrow next to the left of the word Tasks and search for Create
Implementation Users.
Select the Administration menu (located at the top right of the page) and Select
Create User.
f. Set User Login = OIMAdmin and Password/Confirm Password = any value you
choose, as long as it complies with the password policy; if it does not, you will be
asked to provide a different password.
g. Make a note of the assigned password. This user will be prompted to change the
password when they log in to Fusion Applications the first time.
i. After saving, you'll notice a set of tabs across the top of the page.
k. Click the icon to assign job roles. Search for and add the following role: IT
Security Manager: Provides general systems IT security access.
m. Close the OIMAdmin user window with the Close Single Tab option.
8. Create the TechAdmin user using the Create User option from the Administrative menu.
a. Set User Login = TechAdmin and Password/Confirm Password = any value you
choose, as long as it complies with the password policy. If it does not, you will be
asked to provide a different password.
d. Make a note of the assigned password. This user will be prompted to change the
password when he logs in to Fusion Applications for the first time.
f. After saving, you'll notice that a set of tabs across the top of the page for the user
appears:
h. Click the icon to assign job roles. Search for and add the following roles:
9. Create the HCMUser user using the Create User option from the Administrative menu.
a. Set User Login = HCMUser and Password/Confirm Password = any value you
choose, as long as it complies with the password policy; if it does not, you will be
asked to provide a different password.
d. Make a note of the assigned password. This user will be prompted to change the
password when they log in to Fusion Applications the first time.
g. After saving, you'll notice that a set of tabs across the top of the page for the user
appears:
Click the icon to assign job roles. Search for and add the following roles:
Enter a new password, following the password policy guidelines on the screen.
Make a note of your new password; this will be the TechAdmin password for all
further access to the environment in which you are currently doing setup. Also,
make a note of the challenge questions and answers; they will be necessary in the
event the password for this user is forgotten.
6. From the Process Details page, click the Submit button and close this window.
Security Profiles.
b. On the Data Role page, set Data Role = HRAnalyst_ViewAll and set Job Role =
Human Resource Analyst.
h. Verify that the status is "Complete". This means the data role was created correctly
in HCM and OIM.
If you do not see that the status is Complete, go no further. Instead, contact
Oracle Support and describe what you are doing; CloudOps will resolve the
underlying problem for you and you can continue.
5. Create the HCMApplicationAdministrator_ViewAll data role.
f. Click the Submit button. Search for the HCM data role you just created.
g. Verify that the status is "Complete". This means the data role was created correctly
in HCM and OIM.
b. On the Data Role page, set Data Role name = HRSpecialist_ViewAll and set Job
Role = Human Resource Specialist.
g. Verify that the status is "Complete". This means the data role was created correctly
in HCM and OIM.
7. If you have licensed the Fusion Workforce Compensation Cloud Service, create
b. On the Data Role page, set Data Role name = CompensationAdmin_ViewAll and
set Job Role = Compensation Administrator.
g. Verify that the status is "Complete". This means the data role was created correctly
in HCM and OIM.
On the Data Role page, set Data Role name = CompensationMgr_ViewAll and set
Job Role = Compensation Manager.
Service, create PayrollAdmin_ViewAll and PayrollMgr_ViewAll data roles. If not, skip to the next
step.
b. On the Data Role page, set Data Role name = PayrollAdmin_ViewAll and set Job
Role = Payroll Administrator.
g. Verify that the status is "Complete". This means the data role was created correctly
in HCM and OIM.
i. On the Data Role page, set Data Role name = PayrollMgr_ViewAll and set Job Role
= Payroll Manager.
Security profiles.
Provisioning Rules.
e. Set Role Name (at bottom) = Employee (click the + icon to add this Role Name;
search on Employee and select the existing Employee Role Name)
5. Define role mapping definition for the Line Manager abstract role.
f. Set Role Name (at bottom) = Line Manager (Click the + icon to add this Role
Name; search on Line Manager and select the existing Line Manager Role Name)

e. Set Role Name (at bottom) = Contingent Worker (Click the + icon to add this
Role Name; search on Contingent Worker and select the existing Contingent
Worker Role Name)
Create Generic Role Mapping Definitions for HCM Data Roles in Fusion HCM
Summary: This activity defines the eligibility criteria for assigning the HCM data roles you previously
created to users. The following setup creates reasonable, start-point definitions of how Fusion security
enforces eligibility when these roles are requested for users. As you move forward in your production
security set up, your team can change these initial setups.
What you will need for this step: N/A
Setup Steps:
1. From the previous step, you should still be logged in as the TechAdmin user.
2. From the Fusion Navigator, go to Tools > Setup & Maintenance.
3. Click the down arrow next to the left of the word Tasks and search for Manage HCM Role
Provisioning Rules.
icon, choosing the down arrow, and searching on each data role. For each, select the Requestable
check box, do not select Self-requestable, and uncheck Autoprovision.
a. HRAnalyst_ViewAll (mandatory)
b. HCMApplicationAdministrator_ViewAll (mandatory)
c. HRSpecialist_ViewAll (mandatory)
h. Click the Save and Close button to save this role mapping definition.
8. Click the Save and Close button to save this role mapping definition.
Assign Abstract and Data Roles to HCMUser in Oracle Identity Manager (OIM) &
Change Service Administrator User Login
Summary: This activity assigns abstract roles (i.e., Employee, Line Manager, and Contingent Worker)
and the data roles you previously created to HCMUser. Other important delivered roles (e.g.,
Application Implementation Consultant, Application Administrator) were assigned to the HCMUser
user when you created it previously. The following setup creates reasonable, start-point definitions.
As you move forward in your production security set up, your team can change these initial setups.
What you will need for this step: OIMAdmin password.
Setup Steps:
1. Log on to the HCM Cloud Service environment using the OIMAdmin Username and the password
you will be required to change your password and answer some challenge questions.
a. Enter a new password, following the password policy guidelines on the screen.
This will be the OIM Admin password for all further access to Oracle Cloud
Services. Also, make a note of the challenge questions and answers; they will be
necessary in the event the password for this user is forgotten.
4. From the Fusion Navigator (located at the upper-left of the screen), go to Tools > Setup &
Maintenance.
5. Click the down arrow next to the left of the word Tasks and search for Create Implementation
Users.
7. Under the Users section, select the Advanced Search Users option.
8. Search User Login Begins With HCMUser.
9. From the search results, select HCMUser by clicking on the Display Name link. Go to the Roles
tab. The following roles should already appear on the list of roles because you set these up when
you created the HCMUser user earlier: All Users, Application Administrator, Application
Diagnostics Regular User, Application Diagnostics Viewer, and Application Implementation
Consultant.
10. Click the Assign
11. Click the Search button without providing any search criteria to see the list of all available roles.
12. Select each row you wish to assign to the HCMUser from the search results and then press the
b. Select all of the data roles you previously created; this may include some or all of the
following, depending upon which Cloud Services you have licensed:
HRSpecialist_ViewAll
HRAnalyst_ViewAll
HCMApplicationAdministrator_ViewAll
CompensationAdmin_ViewAll
CompensationMgr_ViewAll
PayrollAdmin_ViewAll
PayrollMgr_ViewAll
13. HCMUser will now have 10 - 15 data roles, depending upon which Cloud Services you have
licensed. The sample below shows all 15 data roles. Confirm that you have assigned the data roles
correctly. If you need to remove a role because you selected it incorrectly, select the role and press
the Revoke button.
14. Close the OIMAdmin user window with the Close Single Tab option.
15. Reset your Service Administrator logon credentials for the HCM Cloud Service. The following
steps are necessary to avoid later problems in your implementation when you, the Service
Administrator, are loaded into the HCM Cloud Service as an employee. Note that you must use the
User Login = ServiceAdmin for all future access to the HCM Cloud Service when acting in the
Service Administrator role; you will no longer be using the User Login you received in the service
activation notification.
a. Under the Users section, select the Advanced Search Users option.
b. Search User Login Begins With <your Service Administrator User Login; this is
typically your email address>. This is the User Login you received in the service
activation notification. Note that the User Login information in the sample below
will not match your User Login.
c. From the search results, select your Service Administrator User Login by clicking on
the Display Name link; this brings up the OIM page for maintaining users.
Enter a new password, following the password policy guidelines on the screen.
Make a note of your new password; this will be the HCMUser password for all
further access to the environment in which you are currently doing setup. Also,
make a note of the challenge questions and answers; they will be necessary in the
event the password for this user is forgotten.
b. For Compensation customers, verify the Compensation and My Info > Total Comp
Statement appears.
c. For Payroll/Payroll Interface customers, verify that the Payroll menu appears.
Log on to the Oracle Cloud User Interface to Access the Identity Management
Console
Summary: This activity logs you, the Service Administrator, on to the Oracle Cloud UI where you
will change the temporary password that was provided to you when you received the service activation
notification. Note that your Service Administrator Username is the same for both the HCM Cloud
Service Application and the Oracle Cloud UI when your environments are initially provisioned, but
these are two separate applications which do NOT share the same passwords unless you choose to
make them the same.
What you will need for this step: Service Administrator Username and password, your Identity
Domain, and the MyServices Administration URL. This information is contained in the Welcome to
the Cloud email notification.
Setup Steps:
1. Log on to the MyServices Administration site. The URL for this site is identified in the service
The password identified in the service activation notification, if this is your first time
accessing the Oracle Cloud UI; or
b. The new password you were required to provide, if you have accessed the Oracle
Cloud UI before and changed the temporary password. If this is the case, skip to the
Change the SFTP User Password section below.
Note: The Username you log on with in this first step is yours, the Service Administrator. As with all
Usernames and passwords, it is a best-practice to not share your log on credentials with anyone else.
2. As this is the first time you are accessing the Oracle Cloud UI, you will be required to change your
Enter a new password, following the password policy guidelines on the screen.
2. Make a note of the following information from the page: Service SFTP Host & Port and HCM
3. Select the Security button at the upper right of the page and then select the SFTP Users tab.
4. Find the HCM SFTP User Name you noted above, select the icon to its right, and then select Reset
Password.
6. Press Save in the confirmation dialog box to commit your new HCM Service SFTP User Name
password. If the password you entered does not conform to the user name password policy, correct
it and save again.
a. Set FTP Password = <password for your HCM Service SFTP user from previous step>
2. Verify that you successfully logged in and that you see the E_1 directory and the ftp_inbox link.
3. Open E_1 and verify that you see the ftp_inbox directory (also linked to from the link one level
up).
Release 7 and 8