In Oracle Fusion HCM, when someone joins an organization, depending upon their grade, position, jobs & reporting line etc we should be able to auto assign them certain roles. For example someone with a Job named “IT Project Manager” should automatically get Manager role. Likewise someone with Position Chief FInancial Officer should automatically get role named Executive. All of these requirements can be very easily implemented in Oracle Fusion HCM using the steps outlined in this article.

This article shows how you can auto provision specific Roles to Employees into Oracle Identity Manager from Fusion HCM.

In this post we will learn how to assign Employee role(which is predefined Abstract role in Fusion Applications) automatically to new hire in Oracle Fusion HCM. In any organization all the employees must have Employee role to access common workarea which is available for all the employees.

In this case we should create a role mapping to auto-provision the role to eligible users rather than assigning role to each employee manually. Also Automatic Role Provisioning is highly efficient when we import employees from the legacy system and we need to bulk update the user roles.

Let’s first understand why we need roles in Oracle Fusion HCM which is a part of Oracle Fusion Applications suite. Fusion Applications security is designed based on Role Based Access Control(RBAC) to restrict access to authorised users. It ensures WHO can do WHAT on WHICH data. RBAC normalizes access to functions and data through user roles rather than only users. User access is based on the definition of the roles provisioned to the user.
In Fusion Applications, the RBAC implementation is based on abstract, job, duty, and data roles that work together to control access to functions and data. The definitions of these functional roles are as follows:

Abstract Role:

This role categorizes the roles for reference implementation. It inherits duty role but does not contain security policies. For example: Employee, Manager, etc.

Job Role:

This role defines a specific job an employee is responsible for. An employee may have many job roles. It may require the data role to control the actions of the respective objects. For example: Benefits Manager, Accounts Receivable Specialist, etc.

Data Role:

This role defines access to the data within a specific duty. Who can do what on which set of data? The possible actions are read, update, delete, and manage. Only duty roles hold explicit entitlement to the data. These entitlements control the privileges such as in a user interface that can see specific screens, buttons, data columns, and other artifacts.

Duty Role:

This role defines a set of tasks. It is the most granular form of a role. The job and abstract roles inherit duty roles. The data security policies are specified to duty roles to control actions on all respective objects.

Oracle Identity Management(OIM) is responsible for provisioning these roles to users. OIM is integrated with Fusion Applications.When we hire a person or create new user, a user account gets created automatically in OIM’s Light Weight Directory Access Protocol(LDAP)..

Why Role Provisioning?

Once we create person record, only user ID and password for that user gets created. The created user has no access to any function and data in the application. So to give the user access to application’s function and data we must provision abstract and data roles to them.

Now there are three ways we can provision roles to users:

1. Auto Provision: roles are  provisioned by default for the qualified users.

2. Requestable: roles can be provisioned to the users by other users.

3. Self Requestable: roles can be provisioned on request by user itself.

These methods are controlled by role mapping

What is role mapping?
Role Mapping is to provision roles to users based on certain conditions. In technical terms it is an association between a set of conditions and one or more job,abstract and data roles.

Steps to create Role Mapping for Auto Provisioning:

Here we will learn how the Employee role can be provisioned automatically to any employee who has an active assignment.

Prerequisite: The user who is creating Role Mapping should have IT Security Manager role assigned to him.

1. Login to Fusion Applications and go to Navigator-> Tools ->Setup & Maintenance

2. Now go to Implementation Projects->click on Project->Expand Workforce Deployment->Manage HCM Role Provisioning Rules. Click on Task icon.

3. Once you click on this task, Manage Role Mapping page appears. Click on create button.

4. In Create Role Mapping UI, provide Mapping Name, From Date. In Conditions section provide Assignment Type as Employee and Assignment Status as Active. In Associated Roles section click Add button and add Employee(PER_EMPLOYEE_ABSTRACT) role from dropdown. and click on Apply Autoprovisioning button in Top.his will ensure all existing user gets Employee role if they have Active Assignment with them. Now click on Save and Close.

5. Now to verify the role provisioning ,hire a new employee from Workforce Management Area. Give all the mandatory details on Identification and Person Information page. On Employment Information page  of new Hire flow provide Term/Assignment details.

6. Now when we go to Roles page ,we can see Employee role has been added automatically for the user.

Arpita Somani

Add comment