Hello & Welcome to Fusion HCM Security Specialist Lesson 2
The topic covered in this lesson is User and Role Provisioning.
Narration:
User account provisioning
Learning Objectives
At the end of this lesson you should be able to:
Explain user account provisioning
User Account Creation and Maintenance Scenarios
User Account Creation
User Account Maintenance
Narration:
A customer's approach to account creation and maintenance for
Oracle Fusion HCM users depends on their existing user base,
whether or not their users are shared among multiple applications,
and whether they plan to use Oracle Fusion HCM to handle their
ongoing user account management needs. There are several possible
scenarios, such as:
- The customer plans to create new users within Oracle Fusion HCM
  on an ongoing basis. In this scenario, Oracle Fusion HCM operates
  as a standalone system, and HCM users are not shared with other
  applications in the enterprise.
- The customer maintains a set of users in an on-premise LDAP that
  connects to multiple applications using Single Sign-On (SSO).
- The customer, typically a very large company, has its own user
  account and role-provisioning system.
This lesson focuses on the first of the three scenarios: User
Account Provisioning.
User Account Creation
Narration:
User account provisioning can be broadly categorized into User
Account Creation and User Account Maintenance.
In User Account Creation:
- You can configure Oracle Fusion HCM to create user accounts
  automatically when workers are hired using the New Hire flow.
- You can also create user accounts using the Manage Users task.
  This is a quicker way of getting employees into the system than
  using the New Hire flow.
  Note: Once an implementation is complete, HCM users do not
  typically use the Manage Users task; they use the New Hire flows,
  which are more functionally rich.
- During initial implementation, user accounts are typically
  migrated to Oracle Fusion Applications using batch processes.
  Once you have implemented Oracle Fusion Applications, user
  accounts can be automatically provisioned using Oracle Fusion HCM
  tasks.
- Use the Create Implementation Users task to create implementation
  users. Users created with this task are not mapped to an HR
  Person Type, such as Employee or Contingent Worker. However, you
  can map an implementation user to an employee later.
In User Account Maintenance:
- User accounts can be maintained using the Manage Users task in
  the Setup and Maintenance work area and the Manage User Account
  task in the Person Management work area.
- User accounts can be automatically revoked when workers are
  terminated (based on account provisioning rules).
- User passwords can be reset from within the HR UIs, using the
  Manage Job Roles task in the Setup and Maintenance work area and
  the Manage User Account task in the Person Management work area.
- Line managers and HR specialists can request user accounts for
  workers that do not yet have one.
Narration:
This is the Manage User Account page, accessed through Person
Management by an HR Specialist.
You have the option to Copy Personal Data to LDAP. User accounts
are automatically created and maintained in an LDAP directory by
Oracle Identity Management (OIM). OIM holds some personal
information about users, such as name, work phone number, and work
location address. When you create or update personal information in
HCM, it is copied automatically to OIM to ensure that Oracle Fusion
HCM and OIM hold the same information about a user. If you make a
change to a person's information that you want to send immediately
to OIM, you can copy personal data to LDAP. This action is
optional.
With Autoprovision Roles, the user's assignments are reviewed
automatically against all current role mappings. If the user is
eligible for a role but does not have it, it is immediately
provisioned. If the user is no longer eligible for a role but still
has it, it is immediately de-provisioned.
Role eligibility is part of the Role Provisioning features and will
be discussed in the next section.
In this section we will cover the following objectives:
Role-Provisioning: Overview
Line managers and HR specialists can request new roles and revoke
existing roles from people they manage/administer.
Narration:
Role provisioning is built into Oracle Fusion HR flows. You can
initiate the provisioning and revoking of roles from within the
following flows:
- Hire an Employee
- Promote Worker
- Transfer Worker
We will show how role provisioning is integrated into the Hire an
Employee flow in the last section of this lesson.
Users can self-request new roles if role mapping rules have been
defined and the user meets the specified criteria.
Note: By default, users have no access to functions and data. To
enable users to access functions and data, you must provision roles
to them.
Define Role-Provisioning Rules
Role-provisioning rules determine the roles that a user should have
based on their HR assignments.
Role-provisioning rules define an association between a set of
conditions (typically assignment attribute values) and one or more
job, abstract, and data roles.
Narration:
On this page you can define role-provisioning rules. Use the Manage
HCM Role Provisioning Rules task in the Setup and Maintenance work
area to create and manage role-provisioning rules.
In this example, any employee who works for Vision Corporation and
is assigned the job of HR010.HR Specialist will automatically be
given the Human Resource Specialist – Vision Operations data
role.
If the user subsequently transfers to a different job, they will
automatically lose this role.
Consider these key points:
- Use the Conditions area to define the conditions that must be met
  for the mapping to apply.
- Use the Associated Roles section to add one or more existing
  roles to the mapping rule.
- Use the checkboxes (described in detail in the next slide) to
  determine whether a given role can be assigned automatically,
  manually, or by user request. Note that the Auto Provision option
  is selected by default; you must deselect it if you do not want
  the role to be automatically provisioned.
Narration:
When defining role-provisioning rules on the Create Role Mapping
page, you have several provisioning options:
- Auto Provision: Provisions roles automatically to all eligible
  users when at least one of their assignments is either created or
  updated and satisfies the role-mapping conditions.
  An automatically provisioned role is de-provisioned automatically
  when the user’s assignments cease to satisfy the role-mapping
  conditions.
- Requestable: Enables users, such as line managers and human
  resource specialists, to provision roles manually to other users.
  Users retain roles that are provisioned to them manually until
  either all their work relationships are terminated or the roles
  are de-provisioned manually.
  Note: The criteria defined in the Conditions section must be
  satisfied by the user who is provisioning the role to other
  users, not by the users who are receiving the role.
- Self-Requestable: Enables users to request roles for themselves.
  Users retain roles that they request for themselves manually
  until either all their work relationships are terminated or the
  roles are de-provisioned manually.
- Apply Auto Provisioning: Provisions roles to users immediately,
  rather than waiting until the role is provisioned automatically
  or requested manually.
  When you click this button, all assignments and role mappings in
  the enterprise are reviewed and any necessary provisioning and
  de-provisioning of roles occurs immediately. You can also perform
  auto provisioning from an individual user's account, in which
  case only that user’s assignments are reviewed and any necessary
  provisioning and de-provisioning of roles for that user occur
  immediately.
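The reconciliation behind Autoprovision Roles and the Requestable and Self-Requestable options described above, as an added Python model that is not part of the original lesson and is not Oracle code. The attribute names, the SALES01 job, and treating an empty assignment list as "all work relationships terminated" are assumptions.

```python
from dataclasses import dataclass

HR_ROLE = "Human Resource Specialist - Vision Operations"

@dataclass
class RoleMapping:              # simplified model, not an Oracle API
    conditions: dict            # assignment attribute -> required value
    roles: tuple
    auto: bool = True           # Auto Provision is selected by default
    requestable: bool = False
    self_requestable: bool = False

    def matches(self, assignments):
        """True when at least one assignment satisfies every condition."""
        return any(all(a.get(k) == v for k, v in self.conditions.items())
                   for a in assignments)

def reconcile(assignments, held, mappings):
    """Return (provision, deprovision); held maps role -> 'auto'|'manual'."""
    if not assignments:          # assumption: no assignments = terminated
        return set(), set(held)
    eligible = {r for m in mappings if m.auto and m.matches(assignments)
                for r in m.roles}
    provision = eligible - set(held)
    # Manually granted roles survive until removed by hand or termination.
    deprovision = {r for r, how in held.items()
                   if how == "auto" and r not in eligible}
    return provision, deprovision

def may_grant(role, requester_assignments, for_self, mappings):
    """Conditions are tested on the requester, not on the recipient."""
    return any(role in m.roles and m.matches(requester_assignments)
               and (m.self_requestable if for_self else m.requestable)
               for m in mappings)

# Constructed sample data; attribute names and job SALES01 are invented.
MAPPINGS = [
    RoleMapping({"legal_employer": "Vision Corporation",
                 "job": "HR010.HR Specialist"}, (HR_ROLE,)),
    RoleMapping({"job": "HR010.HR Specialist"}, ("Benefits Analyst",),
                auto=False, requestable=True),
]
HIRED = [{"legal_employer": "Vision Corporation", "job": "HR010.HR Specialist"}]
MOVED = [{"legal_employer": "Vision Corporation", "job": "SALES01"}]

if __name__ == "__main__":
    print(reconcile(HIRED, {}, MAPPINGS))
    print(reconcile(MOVED, {HR_ROLE: "auto", "Benefits Analyst": "manual"}, MAPPINGS))
    print(may_grant("Benefits Analyst", MOVED, False, MAPPINGS))
```

An access review can run the same comparison in reverse: any held role that is neither currently eligible under an auto mapping nor recorded as a manual grant is a candidate for investigation.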
Predefined Role-Provisioning Rules
The following role-provisioning rules are predefined for HCM Cloud
environments:
- Employee: Automatically provisions the Employee role
- Contingent Worker: Automatically provisions the Contingent Worker
  role
- Line Manager: Automatically provisions the Line Manager role
- Requestable Roles: Defines all predefined View All data roles as
  Requestable (manually provisioned)
Narration:
Section 4 of this presentation explains integration with new hire
flow.
In this section we will cover the following objectives:
Integration with New Hire Flow
Self-service role request
Role-Provisioning Best Practices
Narration:
To meet the conditions defined in the role mapping example on the
Defining Role Provisioning Rules page, an employee would need to
work for InFusion Corp USA1 and be assigned the job of HR010.HR
Specialist. You specify the employee's legal employer on the
Identification page of the Hire an Employee flow, as shown in this
figure:
Manager Resources > New Person > Hire an Employee >
Identification page
Narration:
You specify the employee's job on the Employment Information page
of the Hire an Employee flow, as shown in this figure:
Manager Resources > New Person > Hire an Employee >
Identification page > Person Information page > Employment
Information page
Narration:
The Roles page of the flow shows the roles that will be
automatically provisioned to the employee based on the selected
job, along with the Employee abstract role:
Manager Resources > New Person > Hire an Employee >
Identification page > Person Information page > Employment
Information page > Roles page
Narration:
Here we show how Amy Wong can manage her user account information
in LDAP, from within the Person Gallery. Select the Manage User
Account action from the Actions menu.
Auto Provision Roles
Narration:
On this page she can request additional roles for herself by
clicking the Add Role button.
Roles are marked as self-requestable on the Manage Role Mappings
page, which was explained earlier.
Using this page, Amy can click the Copy personal data to LDAP
action, which opens a new window. This window is shown in the next
slide.
Narration:
On this page, Amy can check to see whether her user account data is
up to date in LDAP. If it is not up to date she can initiate an
HR-LDAP synchronization request for her user account. Identity data
is pushed from HR to LDAP.
Identity data for HR people is periodically synchronized to LDAP
using an ESS process called SEND PENDING LDAP REQUESTS.
Role-Provisioning Best Practices
Narration:
During implementation, consider the following approaches to role
provisioning:
- Determine the roles that all workers of a particular type must
  have, and create role mappings to provision those roles
  automatically.
  For example, to ensure that all employees have the employee role,
  create a role mapping to autoprovision the role to eligible
  users.
- Determine the roles that all line managers must have, and create
  role mappings to provision those roles automatically.
  For example, if all line managers must have both the line manager
  role and a locally defined Expenses Manager role, then create a
  role mapping to autoprovision both of those roles to eligible
  users.
  Note: Automatic role-provisioning rules for employee and line
  manager roles are predefined for Cloud HCM customers.
- Determine the roles that only some workers of a particular type
  will need, and autoprovision the roles if possible.
  For example, some human resource specialists may also need the
  benefits analyst role. If you can autoprovision those roles based
  on specific conditions, then create role mappings to provision
  those roles automatically. Otherwise, decide whether workers can
  request those roles for themselves or whether they must be
  provisioned by other users, such as line managers, and create the
  appropriate role mappings.
Remember that:
- Automatic role provisioning is a time-saver and recommended for
  standard roles, such as abstract roles. It is highly efficient
  for mass role provisioning.
- A single role mapping definition can be used to manage multiple
  roles and a mix of provisioning strategies, provided that the
  role mapping conditions are the same in all cases.
Describing role-provisioning rules and their best practices
Usage of predefined role-provisioning rules
Integration of role provisioning into new hire flow
Let's do a review of the module.
Key Points
Narration:
Now that we have completed this lesson, let’s take a look at the
key points. Please take a moment to review.
- User accounts can be automatically provisioned using Oracle
  Fusion HCM tasks
- User accounts can be automatically revoked within the Termination
  flow
- Users can self-request new roles
- Line managers and HR specialists can request new roles and revoke
  existing roles from people they manage/administer
And that brings us to the end of Fusion HCM Security Specialist
Lesson 2.