Configure Integration Between Oracle Access Governance and Oracle Fusion Cloud Applications

Prerequisites

Before you install and configure an Oracle Fusion Cloud Applications orchestrated system, consider the following prerequisites and tasks.

Certification

You must certify your Oracle Fusion Cloud Applications system to access Oracle Access Governance. Refer to Certified Components for details of the versions supported.

Enable HCM AtomFeeds for Partial Data Load

To enable incremental data load for your orchestrated system, enable the User Requests HCM Atom Feed in Oracle Fusion Cloud Applications. This applies only when your orchestrated system is set up as either HCM or Both.

  1. Enable the User Requests HCM Atom Feed. See Manage HCM Atom Feeds. The following atom feed collections are used by Oracle Access Governance:
    • newhire
    • empupdate
    • empassignment
    • termination
    • cancelworkrelship
    • workrelshipupdate
    For further details, see Employee Feeds.
  2. Configure Partial Data Load settings from the Oracle Access Governance Console. See Configure Partial Data Load Settings.

Create FA HCM Data Roles and Security Profiles

Before configuring your orchestrated system, set up either an HCM or ERP service account and grant the permissions required to integrate with Oracle Access Governance.

To view a list of Default Roles or permissions, see Grant Default Roles or Permissions.

Required Roles:
  • IT Security Manager Job role (ORA_FND_IT_SECURITY_MANAGER_JOB)
  • Human Capital Management Integration Specialist (ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_INTEGRATION_SPECIALIST_JOB)
  1. Log in to Oracle Fusion Cloud Applications.
  2. Go to My Enterprise > Setup and Maintenance.
  3. Select the Tasks icon located at the right side of the page.
  4. Select Search and then select Manage Data Role and Security Profiles.
  5. Search for the Human Capital Management Integration Specialist job role that does not have any security profiles.
  6. Select +Create.
    • Enter a data role name. For example, <ServiceAccountName>-DataRole.
    • Select the Human Capital Management Integration Specialist job to inherit.
    • Select OK.
  7. Select Next.
  8. On the Security Context page, select View All in the list across security profile configurations.
  9. Select Next to review and Submit.
  10. Search for the data role you created. Notice that the Security Profile Assigned column is now selected.
  11. Select Done.

You must create a service account and assign this data role to the service account.

Create a Service Account and Grant Default Roles

Use this service account when configuring the connection in your orchestrated system. You can set up the service user using default Oracle Fusion Cloud Applications roles and permissions, or using a custom role.

Create a Service Account

You must have the IT Security Manager Job role (ORA_FND_IT_SECURITY_MANAGER_JOB).

  1. Log in to Oracle Fusion Cloud Applications.
  2. From the Navigator, go to Tools > Security Console.
  3. Select Users > Add User Account.
  4. Enter the required fields for User information.
  5. Select Save and Close. Ensure the status is Active.
  6. Select the user and select Edit.

Add Roles to Service Account

  1. Select the Add Role button.
  2. For HCM, assign the default roles one at a time to the account. See Grant Default Roles or Permissions.
  3. For ERP, assign the default roles one at a time to the account. See Grant Default Roles or Permissions.
    Note

    If you are configuring both HCM and ERP, then you must assign all the default roles for HCM and ERP.
    Note

    You must add the required Lookup Types for the Access Request Security Administrator. See Add Lookup Types.
  4. Assign the Data Role created in the previous task. See Create FA HCM Data Roles and Security Profiles.
  5. Select Save and Close.
  6. Search for the account and verify that the required roles are assigned.
  7. Verify the creation of the new service account by logging in.

Grant Permissions Using a Custom Role - Least Privilege Principle

An alternative to using default Oracle Fusion Cloud Applications roles and permissions is to set up a custom role for your service user. This allows you to conform to the principle of least privilege by configuring only the fine-grained privileges required by the service user.

To create your custom role:
  1. Create an Oracle Fusion Cloud Applications role of category Common - Job Roles.
  2. Add the privileges into the function security policies train stop. Refer to the list: Grant Privileges.
  3. Add the aggregated privileges as a role into the role hierarchy train stop. Refer to the list: Grant Privileges Grant Aggregated Privileges.
  4. Grant Data Security Policies for the right data set to the custom role. If you do not grant the right data security policies, some data may not be returned. The API calls will not fail (200 OK), but the count will be 0 if the data security policies are omitted.
  5. Assign the custom role to the Service Account. See Add Role to Service Account.

Run Refresh Access Control Data Job

You must run the Refresh Access Control Data job after configuring the service account. By default, this job runs every hour, or you can choose to run it manually. To run the job:
  1. Navigate to Tools > Scheduled Processes.
  2. Search Refresh Access Control Data.
  3. Select Schedule New Process.
  4. Select Refresh Access Control Data as job name and enter meaningful description.
  5. Select Full Refresh or Incremental Refresh, as required to run the job.
  6. Select OK.
  7. Select Submit. Copy the process ID number.
  8. Run User and Roles Synchronization Process to retrieve latest users and role definitions. For more information, see Run User and Roles Synchronization Process.

Add Lookup Types for Access Request Security Administrator

The following lookup type permission must be granted for the Access Request Security Administrator role type.

  1. Log in to Oracle Fusion Cloud Applications.
  2. Go to My Enterprise > Setup and Maintenance.
  3. Select the Tasks icon located at the right side of the page.
  4. Select Search and then select Manage Standard Lookups.
  5. Add the new lookup type FUN_DS_OPTIN_OPTIONS using the lookup code FUN_DS_GET_BOOKCODE.
  6. In the Module list, select Application Core.
  7. In the REST Access Secured list, select Authenticated.
  8. Select Save and Close.

Risk Management Cloud (RMC) Segregation of Duties (SoD) Check

You can evaluate the permissions or roles assigned to users within Oracle Fusion Cloud Applications to ensure that each permission assignment is valid and doesn't violate SoD checks.

Complete the prerequisites and run mandatory jobs periodically.

User Account Creation & Linking

A user account must have associated worker information. To verify this, go to the Security Console > Users page; a linked account shows Associated Worker Information.

Mandatory Background Jobs

In Oracle Fusion Cloud Applications, after creating or updating the user account, ensure that you run the following jobs in the given order:

Verify User Visibility in Risk Management

After running the jobs, verify the results:

  1. Navigate to Risk Management → Setup and Administration → Global User Configuration.
  2. Search for the user for whom you want to run the SOD violations check.

Workflow Configuration

You must attach an approval workflow with an access bundle to process violation checks. If an access bundle has no approval workflow assigned, Oracle Access Governance triggers the SoD violations check but the provisioning proceeds immediately even if potential violations exist. When an approval workflow is attached, Oracle Access Governance pauses the request until the SoD analysis completes.

For more information, see Preventive Segregation of Duties.

Authenticating with OCI OAuth

Use these steps to authenticate Oracle Fusion Cloud Applications using OAuth with an Oracle Cloud Infrastructure (OCI) instance, to integrate with Oracle Access Governance.

In Oracle Fusion Cloud Applications, create a Service Account and grant permissions required to integrate with Oracle Access Governance.

Access Certificates and Keys

Use a certificate issued by a trusted Certificate Authority (CA) in the PEM format for secure authentication and compatibility, or leverage OCI Certificate Service to generate and manage certificates efficiently.

  1. To create a certificate, refer to the steps explained in Creating a Certificate in OCI IAM.
  2. To retrieve a certificate, ensure that the Identity Domain is configured to issue and sign tokens.
    1. Under Identity & Security, select Domains.
    2. From the Settings tab, enable Access signing certificate.
  3. In the Identity Domain console, navigate to Security > Certificates.
  4. Select the certificate name to view its details.
  5. Download the certificate in PEM or CER format. This file is used to validate the signature of OAuth tokens in your application.

Import Certificate as the Trusted Partner Certificate
  1. Navigate to Identity & Security, and select Domains.
  2. Select the compartment where your Oracle Access Governance service instance is located, and then select the domain.
  3. Select the Security tab.
  4. Select Import certificate.
  5. Enter the same alias name that you provided as the certificate alias when generating the keystore file, and import the .cer file.
  6. Select Import. Ensure the alias is correct and that the certificate details show both the SHA-1 Thumbprint and SHA-256 Thumbprint, the Certificate Start Date, and the Certificate End Date.

Create an Integrated Confidential Type Application
  1. Navigate to Identity & Security, and select Domains.
  2. Select Domains.
  3. Select the Integrated applications tab.
  4. Select Add application.
  5. Select Confidential Application tile, and then select Launch workflow.
  6. In the Details page, enter the following:
    1. Enter name and description for the confidential application.
    2. Select Submit.

Edit OAuth configurations
  1. Select the OAuth configuration tab.
  2. Select Edit OAuth configuration.
  3. Select Configure this application as a client now.
  4. Select the Client Credentials, JWT assertion, and Refresh token grant types.
  5. Select Trusted as the Client type option.
  6. Import the certificate.
  7. Select On behalf of as the Allowed operations.
  8. Select a network perimeter to restrict login attempts to specific IPs or ranges; otherwise, select Anywhere.
  9. Under the Token Issuance Policy, select All.
  10. In the Add Scopes section, select the Oracle Fusion Cloud Applications application references.
  11. Select Submit.
  12. To activate the application, select the Actions icon and then select Activate. The status should change from Inactive to Active.

Create an OCI Vault to Store Credentials

Oracle Access Governance uses OCI Vault and Secret Management service to store sensitive values such as passwords, client secrets, and private keys.

Create an Oracle Cloud Infrastructure (OCI) vault, an encryption key, and secrets for Basic Authentication or OAuth credentials.

Ensure you have the required access:
  • Permission to create vaults, keys, and secrets in the target compartment.
  • Permission to use keys to encrypt secrets.
  1. Create a vault.
  2. Create an encryption key when the vault is in active state. See Creating a Master Encryption Key.
  3. From the navigation menu, select Identity & Security, then Secret Management.
  4. Select Create secret.
  5. Select the compartment to create the secret.
  6. Enter a meaningful secret name. For example, agcs-fa-oauth.
  7. Select the Vault compartment and Vault name.
  8. Select the Encryption key compartment.
  9. In the Encryption key field, select the key that you created.
  10. Select Manual secret generation.
  11. In the secret contents:
    • For Basic Auth, enter:
      {
        "adminUser": "<your-admin-username>",
        "adminPassword": "<your-admin-password>"
      }
    • For OAuth, perform the OAuth prerequisites, and enter the details:
      {
        "adminUser": "admin@example.com",
        "domainURL": "https://idcs-<tenant>.example.com",
        "clientID": "xxxxxxxxxxxxxxxxxxxxxxxx",
        "clientSecret": "xxxxxxxxxxxxxxxxxxxxxxxx",
        "privateKey": "-----BEGIN PRIVATE KEY-----\nMIIEv...\n-----END PRIVATE KEY-----\n",
        "alias": "my-signing-key",
        "scope": "urn:opc:idm:__myscopes__"
      }
  12. Select Create secret.
  13. Enter the tenancy OCID and secret OCID in the Integration settings. This generates the required IAM policy on the Console. See OCI Vault Secret OCIDs.
  14. Copy the exact statements in the root compartment of the tenancy where you have created the vault.
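As an added example (not Oracle's own tooling), the following Python checks the two secret-content formats shown above before they are stored: required keys for each authentication type, leftover placeholders, an https domainURL, and a PEM private key whose line breaks survived the JSON "\n" escaping. It also base64-encodes the object, which is what the OCI CLI and API take for secret contents (an assumption here; the console's Manual secret generation step takes the plain JSON). All sample values are constructed.

```python
import base64
import json
import re

# Key sets taken from the two secret-content samples on this page. The checks
# below are this example's own reading of those samples, not a published schema.
BASIC_AUTH_KEYS = {"adminUser", "adminPassword"}
OAUTH_KEYS = {"adminUser", "domainURL", "clientID", "clientSecret",
              "privateKey", "alias", "scope"}

# A PEM-framed private key whose "\n" escapes became real line breaks.
PEM_RE = re.compile(
    r"\A-----BEGIN (?:RSA |EC )?PRIVATE KEY-----\n"
    r"[A-Za-z0-9+/=\n]+"
    r"-----END (?:RSA |EC )?PRIVATE KEY-----\n?\Z"
)


def _is_placeholder(value):
    # "<your-admin-username>" and "xxxxxxxx..." are the page's own placeholders.
    return (value.startswith("<") and value.endswith(">")) or set(value) == {"x"}


def validate_secret(content, auth_type):
    """Return the list of problems found; an empty list means well-formed."""
    expected = BASIC_AUTH_KEYS if auth_type == "basic" else OAUTH_KEYS
    problems = []
    missing = expected - content.keys()
    extra = content.keys() - expected
    if missing:
        problems.append("missing keys: " + ", ".join(sorted(missing)))
    if extra:
        problems.append("unexpected keys: " + ", ".join(sorted(extra)))
    for key in sorted(expected & content.keys()):
        value = content[key]
        if not isinstance(value, str) or not value.strip():
            problems.append(key + " must be a non-empty string")
        elif _is_placeholder(value):
            problems.append(key + " still contains a placeholder value")
    if auth_type == "oauth" and not missing:
        if not str(content["domainURL"]).startswith("https://"):
            problems.append("domainURL must start with https://")
        if not PEM_RE.match(str(content["privateKey"])):
            problems.append("privateKey is not a PEM block with real line breaks")
    return problems


def check_secret_text(text, auth_type):
    """Validate the JSON exactly as it would be pasted into the secret contents."""
    try:
        content = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["secret contents are not valid JSON: " + exc.msg]
    if not isinstance(content, dict):
        return ["secret contents must be a JSON object"]
    return validate_secret(content, auth_type)


def encode_for_vault(content):
    """Compact JSON, base64-encoded, as the OCI CLI/API take secret contents
    (assumption; the console's Manual secret generation takes the plain JSON)."""
    raw = json.dumps(content, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def decode_from_vault(b64):
    return json.loads(base64.b64decode(b64))


# Constructed sample: an OAuth secret with a dummy, non-functional key body.
SAMPLE_OAUTH = {
    "adminUser": "admin@example.com",
    "domainURL": "https://idcs-abc123.example.com",
    "clientID": "a1b2c3d4e5f6",
    "clientSecret": "s3cr3t-value",
    "privateKey": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n",
    "alias": "my-signing-key",
    "scope": "urn:opc:idm:__myscopes__",
}

if __name__ == "__main__":
    print(validate_secret(SAMPLE_OAUTH, "oauth"))  # []
    print(check_secret_text('{"adminUser": "<your-admin-username>"}', "basic"))
```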

Configure

You can establish a connection between Oracle Fusion Cloud Applications and Oracle Access Governance by entering connection details. To achieve this, use the orchestrated systems functionality available in the Oracle Access Governance Console.

Navigate to the Orchestrated Systems Page

The Orchestrated Systems page of the Oracle Access Governance Console is where you start configuration of your orchestrated system.

Navigate to the Orchestrated Systems page of the Oracle Access Governance Console, by following these steps:
  1. From the Oracle Access Governance navigation menu, select Service Administration → Orchestrated Systems.
  2. Select the Add an orchestrated system button to start the workflow.

Select system

On the Select system step of the workflow, you can specify which type of system you would like to integrate with Oracle Access Governance.

You can search for the required system by name using the Search field.

  1. Select Oracle Fusion Cloud Applications.
  2. Select Next.

Add details

Add details such as name, description, and configuration mode.

On the Add Details step of the workflow, enter the details for the orchestrated system:
  1. Enter a name for the system you want to connect to in the Name field.
  2. Enter a description for the system in the Description field.
  3. Decide if this orchestrated system is an authoritative source, and if Oracle Access Governance can manage permissions, by setting the following check boxes.
    • This is the authoritative source for my identities

      Select one of the following:

      • Source of identities and their attributes: The system acts as a source of identities and their associated attributes. New identities are created through this option.
      • Source of identity attributes only: The system ingests additional identity attribute details and applies them to existing identities. This option doesn't ingest or create new identity records.
    • I want to manage permissions for this system
    The default value in each case is Unselected.
  4. Select Next.
Additionally:
  1. If you're managing permissions with this system, an additional checkbox is displayed for Segregation of Duties checks:
    1. In Oracle Fusion Cloud Applications, ensure that a user account is created and linked to the worker's person record. A successfully linked account displays the associated person information in the Security Console under the Users page.
    2. To enable this option for your system, select Enable Risk Management and Compliance (RMC) integration for separation of duties check.

Add Owners

Add primary and additional owners to your orchestrated system to allow them to manage resources.

You can associate resource ownership by adding primary and additional owners. This drives self-service as these owners can then manage (read, update or delete) the resources that they own. By default, the resource creator is designated as the resource owner. You can assign one primary owner and up to 20 additional owners for the resources.
Note

When setting up the first Orchestrated System for your service instance, you can assign owners only after you enable the identities from the Manage Identities section.
To add owners:
  1. Select an Oracle Access Governance active user as the primary owner in the Who is the primary owner? field.
  2. Select one or more additional owners in the Who else owns it? list. You can add up to 20 additional owners for the resource.
You can view the Primary Owner in the list. All the owners can view and manage the resources that they own.

Account settings

This step outlines how to manage account settings when setting up your orchestrated system, including notification settings and the default actions taken when an identity moves or leaves your organization.

On the Account settings step of the workflow, enter how you want Oracle Access Governance to manage accounts when the system is configured as a managed system:
  1. When a permission is requested and the account doesn't already exist, select this option to create new accounts. This option is selected by default. When selected, Oracle Access Governance creates an account if one doesn't exist when a permission is requested. If you clear this option, permissions are provisioned only for existing accounts in the orchestrated system. If no account exists, the provisioning operation fails.
  2. Select the recipients for notification emails when an account is created. The default recipient is User. If no recipients are selected, notifications aren't sent when accounts are created.
    • User
    • User manager
  3. Configure Existing Accounts
    Note

    You can only set these configurations if allowed by the system administrator. When global account termination settings are enabled, application administrators can't manage account termination settings at the orchestrated-system level.
    1. Select what to do with accounts when early termination begins: Choose the action to perform when an early termination begins. This happens when you need to revoke identity access before the official termination date.
      • Delete: Deletes all accounts and permissions managed by Oracle Access Governance.
        Note

        If the orchestrated system doesn't support the action, no action is taken.
      • Disable: Disables all accounts and disables permissions managed by Oracle Access Governance.
        • Delete the permissions for disabled accounts: To ensure zero residual access, select this to delete directly assigned permissions and policy-granted permissions during account disablement.
      • No action: No action is taken when an identity is flagged for early termination by Oracle Access Governance.
    2. Select what to do with accounts on the termination date: Select the action to perform during official termination. This happens when you need to revoke identity access on the official termination date.
      • Delete: Deletes all accounts and permissions managed by Oracle Access Governance.
        Note

        If the orchestrated system doesn't support the Delete action, no action is taken.
      • Disable: Disables all accounts and disables permissions managed by Oracle Access Governance.
        • Delete the permissions for disabled accounts: To ensure zero residual access, select this to delete directly assigned permissions and policy-granted permissions during account disablement.
        Note

        If the orchestrated system doesn't support the Disable action, the account is deleted.
      • No action: No action is taken on accounts and permissions by Oracle Access Governance.
  4. When an identity leaves your enterprise you must remove access to their accounts.
    Note

    You can only set these configurations if allowed by your system administrator. When global account termination settings are enabled, application administrators cannot manage account termination settings at the orchestrated-system level.

    Select one of the following actions for the account:

    • Delete: Delete all accounts and permissions managed by Oracle Access Governance.
    • Disable: Disable all accounts and mark permissions as inactive.
      • Delete the permissions for disabled accounts: Delete directly assigned and policy-granted permissions during account disablement to ensure zero residual access.
    • No action: Take no action when an identity leaves the organization.
    Note

    These actions are available only if supported by the orchestrated system type. For example, if Delete is not supported, you will only see the Disable and No action options.
  5. When all permissions for an account are removed, for example when an identity moves between departments, you may need to decide what to do with the account. Select one of the following actions, if supported by the orchestrated system type:
    • Delete
    • Disable
    • No action
  6. Manage accounts that aren't created by Access Governance: Select to manage accounts that are created directly in the orchestrated system. With this, you can reconcile existing accounts and manage them from Oracle Access Governance.
Note

If you don't configure the system as a managed system, this step in the workflow is displayed but not enabled. In this case, proceed directly to the Integration settings step of the workflow.
Note

If your orchestrated system requires dynamic schema discovery, as with the Generic REST and Database Application Tables integrations, then only the notification email destination can be set (User, User manager) when creating the orchestrated system. You cannot set the disable/delete rules for movers and leavers. To do this, create the orchestrated system first, and then update the account settings as described in Configure Orchestrated System Account Settings.

Integration settings

Enter details of the connection to your Oracle Fusion Cloud Applications system.

  1. On the Integration settings step of the workflow, enter the details required to allow Oracle Access Governance to connect to your Oracle Fusion Cloud Applications system.
    Integration settings (each entry lists its pre-condition, where one applies, the parameter name, and its description)

    Parameter: Application Type
    Description: Select one of the following:
      • Both: If you want to integrate both HCM and ERP within the same orchestrated system
      • Oracle Human Capital Management (HCM)
      • Oracle Enterprise Resource Planning (ERP)

    Pre-condition: Mode: Authoritative Source
    Parameter: User Account or Person
    Description:
      • Select User Account to ingest identities that represent security identities and have system access to Oracle Fusion Cloud Applications.
      • Select Person to ingest identities containing employment details, such as employee number, work relationships, job code, and person record.

    Parameter: Oracle Fusion Cloud Applications Host Name
    Description: Host name to access your Oracle Fusion Cloud Applications system. For example, in the URL https://fa-test.example.com:443/fcsUI/faces/FuseWelcome, the host name is fa-test.example.com.

    Parameter: Oracle Fusion Cloud Applications Port
    Description: Enter the port number at which the source Oracle Fusion Cloud Applications system is listening. For example, in the URL https://fa-test.example.com:443/fcsUI/faces/FuseWelcome, enter port 443.

    Pre-condition: Application Type: Both, ERP
    Parameter: OAuth: OCI IAM for Authentication
    Description: Select the checkbox to use OCI IAM for authenticating your Oracle Fusion Cloud Applications instance. Perform the prerequisites for OAuth. See Authenticating with OCI OAuth.

    Parameter: How do you want to give access to the credentials?
    Description: Select one of the following:
      • From an OCI vault secret: (Recommended) Select this to use OCI Vault for managing and storing credentials.
      • Credentials received and stored in Access Governance: Select this to store credentials within Oracle Access Governance.

    Pre-condition: OCI Vault
    Parameter: What is the OCI tenancy OCID hosting the vault secret?
    Description: Enter the tenancy OCID where you have created your vault. See Configuring OCI Vault for Credentials.

    Pre-condition: OCI Vault
    Parameter: What is the secret OCID for access credentials?
    Description: Enter the OCI Secret OCID where you have stored the credentials. See Configuring OCI Vault for Credentials.

    Note: You must add the displayed IAM policies in the root compartment of the tenancy where your vault is created.

    Pre-condition:
    • Application Type: Both and HCM
    • Mode: Managed System
    Parameter: Areas of Responsibility
    Description: Select Areas of Responsibility to ingest AOR as an account attribute when a user account is linked to a person. AOR in Oracle Fusion Cloud Applications defines the scope of a user's functional access.

    Pre-condition: Application Type: Both, ERP
    Parameter: Do you want to manage Procurement Agent from Access Governance?
    Description: Select this to manage procurement agent provisioning.

    Note: The user must be registered as an employee and must have associated worker information. The user must have active predefined roles for procurement.

    Pre-condition:
    • Application Type: Both and HCM
    • Mode: Authoritative Source
    Parameter: Do you want to load additional lookup objects?
    Description: Enter the lookup object name to load additional attributes. For example, enter job.

    Currently, you can load additional attributes for the job and location lookup objects. Use inbound transformation to use these system attributes. See Support for Lookup Objects.

  2. Select Test Integration to validate your configuration.
  3. Select Add to create the orchestrated system.

Finish Up

Finish up configuration of your orchestrated system by providing details of whether to perform further customization, or activate and run a data load.

The final step of the workflow is Finish Up.

You are given a choice whether to further configure your orchestrated system before running a data load, or accept the default configuration and initiate a data load. Select one from:
  • Customize before enabling the system for data loads
  • Activate and prepare the data load with the provided defaults

Migrate Oracle Fusion Cloud Applications Credentials to OCI Vault

If you have existing orchestrated systems, we recommend using OCI Vault and Secret Management for storing and managing the Oracle Fusion Cloud Applications credentials.

  1. Navigate to the Integration settings page following the instructions given in Configure Orchestrated System Integration Settings.
  2. On the Integration settings page, you will see a deprecation warning. Select the Learn more about migrating button.
  3. Complete the necessary prerequisites. See OCI Vault Configuration.
  4. After you have applied your policies, select the Test integration button to check the connection. If you have any errors or messages, review your configuration. You will not be able to complete the migration until the test is successful.
  5. If your connection is confirmed then select the Migrate button to start the migration.
  6. When the migration completes, you will see a message confirming that the integration is now using OCI Vault storage method.

Post Configuration

There are no post-install steps associated with an Oracle Fusion Cloud Applications system.