
Oracle Human Capital Management Cloud

HCM Cloud Security: Best Practices for Running User and Role Provisioning Processes

WHITE PAPER / APRIL 17, 2019



DISCLAIMER
This document is for informational purposes only and is intended solely to assist you in planning for
the implementation and upgrade of the product features described. It is not a commitment to deliver
any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, and timing of any features or functionality described in this document
remains at the sole discretion of Oracle.

WHITE PAPER / Oracle Human Capital Management Cloud


TABLE OF CONTENTS

Overview ... 4
User and Role Provisioning Processes ... 4
Scheduling the Processes ... 4
Scenarios ... 5
  Scenario 1: Importing New Hires Using HCM Data Loader ... 5
  Scenario 2: Changes in Manage Role Provisioning Rules in your Organization ... 5
  Scenario 3: Workers Were Imported Before Autoprovisioning Mappings in Manage Role Provisioning Rules Were Created ... 6
  Scenario 4: Manual Update of Employee’s Manager, First Name, Last Name, or Email ... 6
  Scenario 5: Bulk Update of Employee’s Manager, First Name, Last Name, or Email ... 6
  Scenario 6: Manual Update of Employee’s Assignment Location ... 7
  Scenario 7: You Manually Added Job Roles to a Person in the Application ... 7
  Scenario 8: Workers Were Loaded With HCM Data Loader with Suppressed User Account Creation ... 7
  Scenario 9: User Accounts Were Created for Existing Person Records using HCM Data Loader ... 8
Overview of User and Role Provisioning Processes ... 9



OVERVIEW

The purpose of this white paper is to identify the processes used for user
and role provisioning in Oracle HCM Cloud. This paper then presents
various scenarios to explain how these processes should be used.

Understanding the proper execution of these processes is extremely important for maintaining a streamlined and clutter-free provisioning process. The guidelines below will help you support stability in your environment and manage resources responsibly.

USER AND ROLE PROVISIONING PROCESSES

In the area of user and role provisioning we can identify the following processes:

• Send Pending LDAP Requests. This process sends to the LDAP directory the requests related to user account provisioning as well as the requests for adding and removing user roles. You typically use this to process the provisioning requests created by bulk processes as well as to process future-dated requests.

• Autoprovision Roles for All Users. This process evaluates all users in the system against the role-provisioning rules. This process may have a heavy performance impact on your environment if you run it regularly. You should run this process occasionally, only when role-provisioning rules are added or updated.

• Send Personal Data for Multiple Users to LDAP. This process synchronizes changes performed in bulk on Oracle HCM Cloud person records with the LDAP directory records. The following fields are synchronized: First Name, Last Name, Email, and Manager. You typically run this process after loading person data in bulk. You can also run this process to update the manager hierarchy in the LDAP directory.

• Retrieve Latest LDAP Changes. This job updates the Oracle Cloud Applications Security tables with data coming from the LDAP directory. You should run this process once after the product update is completed. For example, after you upgrade from 18C to 19A.

SCHEDULING THE PROCESSES


You should run one user and role provisioning process at a time. These processes should not overlap.

Please make sure your schedule allows time for the process to complete before you schedule another
provisioning process.



SCENARIOS
Some of these processes could put the performance of your environment at risk. This is why it is
strongly recommended that you familiarize yourself with the following scenarios to better understand
the nature of the user and role provisioning processes. These will help you recognize the context of
various situations you may experience, and will help you understand how to use the provisioning
processes depending on the situation.

Scenario 1: Importing New Hires Using HCM Data Loader

• The User Account Creation option on the Manage HCM Enterprise Information page is set to Both person and party users. This setting ensures that the user account is automatically generated when each worker is imported.

• New Hires are loaded by using HCM Data Loader to import the Worker.dat file.

• User Account requests are created automatically for each imported person.

What you should do next:

• After completing the import of New Hires using HCM Data Loader, run the Send Pending LDAP Requests process once. This job will send all pending user account create requests from Oracle HCM Cloud to the LDAP directory.

What you should not do:

• After loading Workers with HCM Data Loader, do not schedule the following jobs:

– Autoprovision Roles for All Users
– Retrieve Latest LDAP Changes
– Copy Personal Data for All Users to LDAP.

Scenario 2: Changes in Manage Role Provisioning Rules in your Organization

• Your organization is making changes to Manage Role Provisioning Rules by adding new role-provisioning rules, or by updating existing role-provisioning rules. These changes may impact how the roles should be assigned to new or existing users.

What you should do next:

• After the update of the autoprovisioning mapping is completed:

– Run the Autoprovision Roles for All Users process once with default parameters. This job will evaluate every user in the system, including active and inactive users, and will update role memberships according to the updated role autoprovisioning rules.

– This is the only situation in which you should run this process in a production environment.



Scenario 3: Workers Were Imported Before Autoprovisioning Mappings in Manage Role Provisioning Rules Were Created

• Your organization imported workers and created user accounts for them without first creating role-provisioning rules using the Manage Role Provisioning Rules task.

• Existing user accounts were not evaluated against the new role-provisioning rules.

What you should do next:

• It is critical to avoid this situation! All role-provisioning rules should be created before the workers are loaded in bulk; at a minimum, the Employee role rule must be created.

• After the role-provisioning rules are created, run:

– The Autoprovision Roles for All Users process once with default parameters. This job will evaluate EVERY user in the system, including active and inactive users, and will update role memberships according to the updated role autoprovisioning rules.

Scenario 4: Manual Update of Employee’s Manager, First Name, Last Name, or Email

• You have a short list of employees and you are going to use the application to update one of the following fields:

– First Name
– Last Name
– Email
– Manager

What you should do next:

• Nothing. This HR transaction does not require any user-provisioning-related activities.

What you should not do:

• Do not run or schedule any of the user and role provisioning processes after this HR transaction is completed.

Scenario 5: Bulk Update of Employee’s Manager, First Name, Last Name, or Email

• You are going to update the following employee (Worker) fields in bulk, using HCM Data Loader:

– First Name
– Last Name
– Email
– Manager

• You are not sure if this change requires additional user-related actions.



What you should do next:

• After importing the updated worker information using HCM Data Loader:

– Run the Send Personal Data for Multiple Users to LDAP process once. This job will update the LDAP records with the person profile changes completed by the HCM Data Loader import. Make sure to run the job in “Changed” mode as opposed to “All Users” mode.

– Run the Send Pending LDAP Requests process only when the email was updated; this will keep the LDAP directory in sync.

Scenario 6: Manual Update of Employee’s Assignment Location

• You have an employee who changed job location. You are going to update his assignment location using the application interface.

• Changing the employee’s location may affect his role assignment.

What you should do next:

• Nothing. This HR transaction automatically evaluates this employee against the role autoprovisioning rules. If any changes are required in this employee’s role memberships, they will be completed automatically when you save your HR transaction.

What you should not do:

• Do not run or schedule any of the user and role provisioning processes after this HR transaction is completed.

Scenario 7: You Manually Added Job Roles to a Person in the Application

• You were asked to add job roles to the selected employee manually, using the application interface.

• You are not sure if there is anything else to do with the LDAP directory.

What you should do next:

• Nothing. This HR transaction automatically processes pending LDAP requests for the selected employee.

What you should not do:

• Do not run or schedule any of the user and role provisioning processes after this HR transaction is completed.

Scenario 8: Workers Were Loaded With HCM Data Loader with Suppressed User Account Creation

• Workers were loaded with suppressed user account creation (GeneratedUserAccountFlag = N).



• You are not sure if there is anything else to do with the LDAP directory.

What you should do next:

• Nothing. Imported Workers are not expected to have user accounts; there is no need to run any extra LDAP-related processes.

What you should not do:

• Do not run or schedule any of the user and role provisioning processes after this HR transaction is completed.

Scenario 9: User Accounts Were Created for Existing Person Records using HCM Data Loader

• Workers were loaded without creating user accounts.

• You are going to create user accounts for existing workers in bulk by using HCM Data Loader to import the properly prepared User.dat file. You are also assigning some manual roles to the new user accounts using this same method.

• You are concerned about autoprovisioning roles and you don’t know if you should do anything else with the LDAP processes.

What you should do next:

• After completing the import of the User.dat file using HCM Data Loader, run the Send Pending LDAP Requests process once. This job will send all pending user account and role assignment requests from Oracle HCM Cloud to the LDAP directory. Every new user account will also be evaluated against the autoprovisioning rules during the creation process.

What you should not do:

• After loading user account requests with HCM Data Loader, do not schedule the following processes:

– Autoprovision Roles for All Users
– Retrieve Latest LDAP Changes
– Copy Personal Data for All Users to LDAP.



OVERVIEW OF USER AND ROLE PROVISIONING PROCESSES

Process: Send Pending LDAP Requests
Purpose: Bulk processing of user and role provisioning requests.
How often: Daily, Ad Hoc
Notes:
• This job should be scheduled at least once per day to handle any bulk or future-dated user or role provisioning requests.
• This job should also be run after loading workers or users in bulk using HCM Data Loader.

Process: Autoprovision Roles for All Users
Purpose: Evaluates role membership for all users, including inactive users.
How often: Ad Hoc, Rarely
Notes:
• Should be run only when role mapping rules have been added or changed, and these rules apply to the entire user population.
• This job does not need to be regularly scheduled, as automatic role provisioning happens as part of user creation.
• Never expected to be used frequently, such as on a daily basis.

Process: Send Personal Data for Multiple Users to LDAP
Purpose: Reconciles personal information changes in Oracle HCM Cloud with the LDAP directory.
How often: Ad Hoc, Rarely
Notes:
• This job is only needed after changing personal data (name, manager, email) via a bulk process such as HCM Data Loader imports.
• This job should be scheduled to run once after the bulk load is complete.

Process: Retrieve Latest LDAP Changes
Purpose: Updates Oracle HCM Cloud person records with data coming from the LDAP directory.
How often: Very rarely
Notes:
• Never expected to be used frequently, such as on a daily basis.
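The two rules that recur throughout this paper, in the Scheduling the Processes section (run one provisioning process at a time, never overlapping) and in the frequencies of the table above (only Send Pending LDAP Requests belongs on a recurring schedule; the other three are ad hoc), can be checked mechanically before a schedule is committed. The following Python is an added example and is not Oracle code or part of this white paper. It assumes you have exported each planned run's start time and an expected duration (for instance estimated from earlier run history) into the hypothetical ScheduledRun records shown; the sample schedule and its date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The four processes named in this white paper. Only Send Pending LDAP
# Requests is expected on a recurring (daily) schedule; the others are ad hoc.
RECURRING_ALLOWED = {
    "Send Pending LDAP Requests": True,
    "Autoprovision Roles for All Users": False,
    "Send Personal Data for Multiple Users to LDAP": False,
    "Retrieve Latest LDAP Changes": False,
}


@dataclass
class ScheduledRun:
    """One planned run of a provisioning process (hypothetical record format)."""
    process: str
    start: datetime
    expected_duration: timedelta  # assumption: estimated from earlier run history
    recurring: bool = False       # True when defined as a repeating schedule


def check_schedule(runs):
    """Return a list of findings for a proposed provisioning schedule.

    Checks two rules from the paper:
      1. provisioning processes must not overlap in time;
      2. only Send Pending LDAP Requests should be a recurring job.
    An empty list means the schedule follows both rules.
    """
    findings = []

    # Rule 2: recurring definitions for ad-hoc-only processes.
    for r in runs:
        if r.process not in RECURRING_ALLOWED:
            findings.append(f"unknown process: {r.process}")
        elif r.recurring and not RECURRING_ALLOWED[r.process]:
            findings.append(
                f"{r.process} is defined as a recurring job; run it ad hoc only"
            )

    # Rule 1: sweep the runs in start order and remember the latest expected
    # end time seen so far, so a long run is compared against every later
    # start, not only the next one.
    busy_until = None
    holder = None
    for r in sorted(runs, key=lambda run: run.start):
        if busy_until is not None and r.start < busy_until:
            findings.append(
                f"{r.process} at {r.start:%Y-%m-%d %H:%M} starts before "
                f"{holder} is expected to finish ({busy_until:%H:%M})"
            )
        end = r.start + r.expected_duration
        if busy_until is None or end > busy_until:
            busy_until, holder = end, r.process
    return findings


def sample_schedule():
    """Constructed sample: a nightly plan after an HCM Data Loader worker load."""
    day = datetime(2019, 4, 17)  # constructed date
    return [
        ScheduledRun("Send Pending LDAP Requests", day.replace(hour=1),
                     timedelta(minutes=45), recurring=True),
        # Starts 15 minutes before the previous run is expected to finish.
        ScheduledRun("Send Personal Data for Multiple Users to LDAP",
                     day.replace(hour=1, minute=30), timedelta(minutes=30)),
        # Defined as recurring, which the paper advises against.
        ScheduledRun("Autoprovision Roles for All Users", day.replace(hour=3),
                     timedelta(hours=2), recurring=True),
    ]


def corrected_schedule():
    """The same plan with both findings resolved."""
    day = datetime(2019, 4, 17)  # constructed date
    return [
        ScheduledRun("Send Pending LDAP Requests", day.replace(hour=1),
                     timedelta(minutes=45), recurring=True),
        ScheduledRun("Send Personal Data for Multiple Users to LDAP",
                     day.replace(hour=2), timedelta(minutes=30)),
        ScheduledRun("Autoprovision Roles for All Users", day.replace(hour=3),
                     timedelta(hours=2)),
    ]


if __name__ == "__main__":
    for finding in check_schedule(sample_schedule()) or ["schedule OK"]:
        print(finding)
```

The overlap check uses the expected duration rather than the scheduled start of the next job, which is the point of the guidance: a process that usually finishes in 45 minutes can still be running when the next one starts, and the sweep keeps the latest expected end time so a long run is compared against every later start.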



ORACLE CORPORATION

Worldwide Headquarters
500 Oracle Parkway, Redwood Shores, CA 94065 USA

Worldwide Inquiries
TELE + 1.650.506.7000 + 1.800.ORACLE1
FAX + 1.650.506.7200
oracle.com

CONNECT WITH US
Call +1.800.ORACLE1 or visit oracle.com. Outside North America, find your local office at oracle.com/contact.

blogs.oracle.com/oracle facebook.com/oracle twitter.com/oracle

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are
subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed
orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be
reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or
registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks
of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0419