HCM Cloud Security: Best Practices for Running User and Role
Provisioning Processes
DISCLAIMER
This document is for informational purposes only and is intended solely to assist you in planning for
the implementation and upgrade of the product features described. It is not a commitment to deliver
any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, and timing of any features or functionality described in this document
remains at the sole discretion of Oracle.
Overview
Scenarios
Scenario 4: Manual Update of Employee’s Manager, First Name, Last Name, or Email
Scenario 5: Bulk Update of Employee’s Manager, First Name, Last Name, or Email
Scenario 7: You Manually Added Job Roles to a Person in the Application
Scenario 8: Workers Were Loaded With HCM Data Loader with Suppressed User Account Creation
Scenario 9: User Accounts Were Created for Existing Person Records using HCM Data Loader
The purpose of this white paper is to identify the processes used for user
and role provisioning in Oracle HCM Cloud. This paper then presents
various scenarios to explain how these processes should be used.
Send Pending LDAP Requests. This process sends to the LDAP directory the requests related to
user account provisioning as well as the requests for adding and removing user roles.
You typically use this to process the provisioning requests created by bulk processes as well as to
process future dated requests.
Autoprovision Roles for All Users. This process evaluates all users in the system against the role
provisioning rules.
This process may have a heavy performance impact on your environment if you run it regularly. You
should run this process only occasionally, when role-provisioning rules are added or updated.
Send Personal Data for Multiple Users to LDAP. This process synchronizes changes performed
in bulk on Oracle HCM Cloud person records with the LDAP directory records. The following fields
are synchronized: First Name, Last Name, Email, and Manager.
You typically run this process after loading person data in bulk. You can also run this process to
update the manager hierarchy in the LDAP directory.
Retrieve Latest LDAP Changes. This job updates the Oracle Cloud Applications Security tables
with data coming from the LDAP directory.
You should run this process once after the product update is completed. For example, after you
upgrade from 18C to 19A.
Please make sure your schedule allows time for the process to complete before you schedule another
provisioning process.
New Hires are loaded by using HCM Data Loader to import the Worker.dat file.
User Account requests are created automatically for each imported person.
After completing the import of New Hires using HCM Data Loader, run the Send Pending LDAP
Requests process once.
This job will send all pending user account create requests from the Oracle HCM Cloud to the LDAP
directory.
After loading Workers with HCM Data Loader, do not schedule the following jobs:
– Run the Autoprovision Roles for All Users process once with default parameters.
This job will evaluate every user in the system, including active and inactive users, and will update
role memberships according to updated role autoprovisioning rules.
– This is the only situation in which you should run this process in a production environment.
Existing user accounts were not evaluated against new role-provisioning rules.
It is critical to avoid this situation! All role-provisioning rules should be created before the workers
are loaded in bulk; at a minimum, the Employee role rule must be created.
– Run the Autoprovision Roles for All Users process once with default parameters.
This job will evaluate EVERY user in the system, including active and inactive users, and will
update role memberships according to the updated role autoprovisioning rules.
Scenario 4: Manual Update of Employee’s Manager, First Name, Last Name, or Email
You have a short list of employees and you are going to use the application to update one of the
following fields:
– First Name
– Last Name
– Manager
Nothing. This HR transaction does not require any user provisioning related activities.
Do not run or schedule any of the user and role provisioning processes after this HR transaction is
completed.
Scenario 5: Bulk Update of Employee’s Manager, First Name, Last Name, or Email
You are going to update the following employee (Worker) fields in bulk, using HCM Data Loader:
– First Name
– Last Name
– Manager
You are not sure if this change requires additional user related actions.
After importing the updated worker information using HCM Data Loader:
– Run the Send Personal Data for Multiple Users to LDAP process once.
This job will update the LDAP records with person profile changes completed by the HCM Data
Loader import. Make sure to run the job in “Changed” mode as opposed to “All Users” mode.
– Run the Send Pending LDAP Requests process only when email was updated; this will keep the
LDAP directory in sync.
Nothing. This HR transaction automatically evaluates this employee against the role
autoprovisioning rules. If any changes are required in this employee’s role memberships, they
will be completed automatically when you save your HR transaction.
Do not run or schedule any of the user and role provisioning processes after this HR transaction is
completed.
You are not sure if there is anything else to do with the LDAP directory.
Nothing. This HR transaction automatically processes pending LDAP requests for the selected
employee.
Do not run or schedule any of the user and role provisioning processes after this HR transaction is
completed.
Scenario 8: Workers Were Loaded With HCM Data Loader with Suppressed User Account
Creation
Workers were loaded with suppressed user account creation (GeneratedUserAccountFlag = N).
Nothing. Imported Workers are not expected to have user accounts; there is no need to run any
extra LDAP related processes.
Do not run or schedule any of the user and role provisioning processes after this HR transaction is
completed.
Scenario 9: User Accounts Were Created for Existing Person Records using HCM Data Loader
Workers were loaded without creating user accounts.
You are going to create user accounts for existing workers in bulk by using HCM Data Loader to
import the properly prepared User.dat file. You are also assigning some manual roles to new user
accounts using this same method.
You are concerned about autoprovisioning roles and you don’t know if you should do anything else
with LDAP processes.
After completing the import of the User.dat file using HCM Data Loader, run the Send Pending
LDAP Requests process once.
This job will send all pending user account and role assignment requests from Oracle HCM Cloud to
the LDAP directory. Every new user account will also be evaluated against the autoprovisioning
rules during the creation process.
After loading user account requests with HCM Data Loader, do not schedule the following
processes:
PROCESS: Send Pending LDAP Requests
PURPOSE: Bulk processing of user and role provisioning requests.
HOW OFTEN: Daily; Ad Hoc
NOTES: This job should be scheduled at least once per day to handle any bulk or future-dated user or role provisioning requests. This job should also be run after loading workers or users in bulk using HCM Data Loader.

PROCESS: Send Personal Data for Multiple Users to LDAP
PURPOSE: Reconciles personal information changes in Oracle HCM Cloud with the LDAP directory.
HOW OFTEN: Ad Hoc; Rarely
NOTES: This job is only needed after changing personal data (name, manager, email) via a bulk process such as HCM Data Loader imports. This job should be scheduled to run once after the bulk load is complete.

PROCESS: Retrieve Latest LDAP Changes
PURPOSE: Updates Oracle HCM Cloud person records with data coming from the LDAP directory.
HOW OFTEN: Very rarely
NOTES: Never expected to be used frequently or on a daily basis.
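An added example, not from the paper: a small Python audit that checks a list of scheduled provisioning jobs against the frequency guidance summarized above. The schedule records are constructed, and the "mode" parameter name is an assumption; the paper names the "Changed" and "All Users" modes but not the parameter that selects them.

```python
from dataclasses import dataclass, field

RECURRING = {"hourly", "daily", "weekly"}


@dataclass
class ScheduledJob:
    name: str                                  # process name as used in this paper
    frequency: str                             # "once" or one of RECURRING
    params: dict = field(default_factory=dict) # assumed key "mode": "Changed" / "All Users"


def audit_schedule(jobs):
    """Return findings (list of str); an empty list means the schedule follows the guidance."""
    findings = []
    # Send Pending LDAP Requests should run at least once per day.
    if not any(j.name == "Send Pending LDAP Requests" and j.frequency in ("hourly", "daily")
               for j in jobs):
        findings.append("Send Pending LDAP Requests is not scheduled at least once per day")
    for j in jobs:
        if j.name == "Autoprovision Roles for All Users" and j.frequency in RECURRING:
            findings.append("Autoprovision Roles for All Users is scheduled %s; run it once, "
                            "only after role-provisioning rules change" % j.frequency)
        if j.name == "Send Personal Data for Multiple Users to LDAP":
            if j.frequency in RECURRING:
                findings.append("Send Personal Data for Multiple Users to LDAP is recurring; "
                                "run it once after a bulk load")
            if j.params.get("mode") == "All Users":
                findings.append("Send Personal Data for Multiple Users to LDAP uses 'All Users' "
                                "mode; use 'Changed' mode")
        if j.name == "Retrieve Latest LDAP Changes" and j.frequency in RECURRING:
            findings.append("Retrieve Latest LDAP Changes is recurring; run it once after a "
                            "product update")
    return findings


# Constructed sample schedules (not real tenant data).
GOOD_SCHEDULE = [
    ScheduledJob("Send Pending LDAP Requests", "daily"),
    ScheduledJob("Send Personal Data for Multiple Users to LDAP", "once", {"mode": "Changed"}),
]
BAD_SCHEDULE = [
    ScheduledJob("Autoprovision Roles for All Users", "daily"),
    ScheduledJob("Send Personal Data for Multiple Users to LDAP", "weekly", {"mode": "All Users"}),
    ScheduledJob("Retrieve Latest LDAP Changes", "hourly"),
]

if __name__ == "__main__":
    for label, sched in (("good", GOOD_SCHEDULE), ("bad", BAD_SCHEDULE)):
        print(label, audit_schedule(sched) or ["OK"])
```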
Copyright © 2019, Oracle and/or its affiliates. All rights reserved.
White Paper: Oracle Human Capital Management Cloud. User and role provisioning processes used in HCM Cloud security.
HCM Cloud Security: Best Practices for Running User and Role Provisioning Processes
April 2019