Friday Jul 10, 2015

Data Masking in Fusion Applications

In Release 10 of Fusion Applications, Oracle Data Masking for Fusion HCM Security Cloud Service is offered as an optional subscription service for Fusion HCM Cloud customers.  Release 11 extends this to include ERP and Sales Cloud products, masking PII attributes in tables owned by these products.

Data masking, also known as data scrambling or data anonymization, is the process of copying data from a production database to a test or other non-production database while replacing sensitive information with realistic, scrubbed values generated according to masking rules. It is ideal for any situation where confidential or regulated data must be shared with non-production users who need access to the data, but not necessarily to the original value of every column of every table. Examples of non-production users include internal application developers and external business partners, such as offshore testing companies, suppliers or customers.

Customers can submit a data masking service request as part of an environment refresh request. Personally Identifiable Information (PII) is removed or masked in the Applications schema, and removed from temporary tables, interface tables and audit shadow tables, including workflow notifications. In addition, links to attachments are removed, so the attachments can no longer be reached from the user interfaces. Data masking runs after the environment refresh, and the environment is released to customers only after the masking process is complete.

Data Masking in Release 10 Fusion Applications

Data Masking in Release 10 of Fusion Applications is designed to mask specific sensitive personal data, or PII, attributes. A different masking rule is applied to each attribute so that the masked value still passes validation when it is queried in Fusion Applications user interfaces. PII attributes covered by data masking are:

  • Person Name
  • Person Telephone Number
  • Date of Birth
  • Date of Death
  • Country / Town / Region of Birth
  • Address
  • Bank Account Number 
  • Credit Card Number
  • Instant Messaging / Email Address
  • Passport Number, Visa or Work Permit details
  • Tax Registration Number or National Taxpayer Identifier

Customers are strongly encouraged to apply the principle of least privilege when granting users access to a masked database: grant each user only the privileges necessary to complete their work. Masking narrows the exposure but, as the limitations below show, does not remove it.

There are some scenarios that are not addressed by Oracle Data Masking for Fusion Applications.

  • Underlying identities are not masked in the Fusion schema; the internal database IDs are left as they are, so it is still possible to associate those IDs with identities and infer them in the masked database.
  • User login accounts are not masked; therefore, certain formats such as firstname.lastname may reveal identities in the masked database.
  • Other sensitive information, such as compensation, performance and benefits, is not masked.
  • Running Payroll on a masked database may not produce valid results, because the PII attributes that feed the payroll calculation have been scrambled.
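To make the format-preserving rules and the limitations above concrete, here is an added example (my own sketch, not Oracle's masking code and not part of the original post) that masks a small constructed set of rows with rules of the kind described: names drawn from a pool, an email rebuilt from the masked name, digits replaced in phone and bank account numbers with the separators kept, a date of birth shifted within a year, and a card number regenerated with a valid Luhn check digit so it still passes validation. Every masked value is derived from an HMAC over the original value under a hypothetical per-refresh key, so the same input masks the same way in every table and on every run. The internal person_id and the user_name are deliberately left untouched, and residual_pii() is the kind of review check that shows why the login-name limitation matters.

```python
import hashlib
import hmac
import random
import re
from datetime import date, timedelta

# Constructed sample rows, loosely shaped like an HCM person table plus a bank
# account table and a card table that reference it through the internal person_id.
PERSONS = [
    {"person_id": 1001, "first_name": "Alice", "last_name": "Nguyen",
     "email": "alice.nguyen@example.com", "phone": "+1-650-555-0132",
     "date_of_birth": date(1984, 3, 9), "user_name": "alice.nguyen"},
    {"person_id": 1002, "first_name": "Bob", "last_name": "Okafor",
     "email": "bob.okafor@example.com", "phone": "+44-20-7946-0958",
     "date_of_birth": date(1979, 11, 22), "user_name": "bob.okafor"},
]
BANK_ACCOUNTS = [{"person_id": 1001, "account_number": "12345678901234"},
                 {"person_id": 1002, "account_number": "98765432109876"}]
CARDS = [{"person_id": 1001, "card_number": "4539578763621486"}]

# Hypothetical per-refresh masking secret; in practice it comes from a secret
# store and is discarded after the refresh so masked values cannot be replayed.
MASK_KEY = b"refresh-2015-07-10-demo-key"
FIRST_NAMES = ["Dana", "Elio", "Femi", "Greta", "Hiro", "Ines", "Jonas", "Kiran"]
LAST_NAMES = ["Adler", "Brandt", "Costa", "Dubois", "Egede", "Farah", "Gomez", "Haas"]


def _rng(key: bytes, value: str) -> random.Random:
    """RNG seeded from HMAC(key, original value): the same input always masks to
    the same output, so a value repeated across tables stays consistent."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def luhn_check_digit(payload: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def mask_digits(key: bytes, value: str) -> str:
    """Replace every digit but keep separators and length (phones, bank accounts)."""
    rng = _rng(key, value)
    return re.sub(r"\d", lambda m: str(rng.randrange(10)), value)


def mask_card_number(key: bytes, pan: str) -> str:
    """Same length, fresh digits, and a correct Luhn check digit so that the
    masked number still passes the UI's card-number validation."""
    rng = _rng(key, pan)
    payload = "".join(str(rng.randrange(10)) for _ in range(len(pan) - 1))
    return payload + luhn_check_digit(payload)


def mask_dob(key: bytes, dob: date) -> date:
    """Shift 1..365 days either way: still a plausible date of birth, no longer the real one."""
    rng = _rng(key, dob.isoformat())
    return dob + timedelta(days=rng.randint(1, 365) * rng.choice((-1, 1)))


def mask_person(key: bytes, row: dict) -> dict:
    rng = _rng(key, f"{row['first_name']} {row['last_name']}")
    first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
    masked = dict(row, first_name=first, last_name=last,
                  email=f"{first.lower()}.{last.lower()}@{row['email'].split('@', 1)[1]}",
                  phone=mask_digits(key, row["phone"]),
                  date_of_birth=mask_dob(key, row["date_of_birth"]))
    # person_id and user_name are deliberately left alone, mirroring the documented
    # limitations: the internal ID still joins this row to every other masked table,
    # and a firstname.lastname login still names the real person.
    return masked


def mask_dataset(key: bytes = MASK_KEY) -> dict:
    return {
        "persons": [mask_person(key, p) for p in PERSONS],
        "bank_accounts": [dict(a, account_number=mask_digits(key, a["account_number"]))
                          for a in BANK_ACCOUNTS],
        "cards": [dict(c, card_number=mask_card_number(key, c["card_number"]))
                  for c in CARDS],
    }


def residual_pii(masked: dict, originals=PERSONS) -> list:
    """Review check for a masked copy: scan every string column for tokens of the
    real names. Each hit is a column the masking rules did not cover."""
    tokens = {n.lower() for o in originals for n in (o["first_name"], o["last_name"])}
    hits = []
    for table, rows in masked.items():
        for row in rows:
            for col, val in row.items():
                if isinstance(val, str) and any(t in val.lower() for t in tokens):
                    hits.append((table, row["person_id"], col))
    return hits
```

Running residual_pii(mask_dataset()) reports only the two user_name columns: every other attribute has been rewritten, but the login accounts still spell out the real names, which is exactly the second limitation above. Note also that HMAC-derived masking is deterministic by design; if a masked copy should not be linkable to an earlier one, the key must change per refresh.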

Make sure you understand the limitations of masked data before requesting the data masking service. Masked data is not helpful in scenarios such as:

  • Testing payroll calculation or other processes that use data altered by the masking service
  • Verifying interfaces to downstream systems that require real or original (unmasked) data


More information and references can be found in My Oracle Support (MOS) Doc ID 1534683.1

Tuesday Apr 21, 2015

Connecting With Employee Wellness

Check out the "Connecting with Employee Wellness" article published in the Apr 2015 edition of Profit.

Profit interviewed John Kluchka, senior director of Population Health Solution Design for Optum, and Oracle’s Nigel King, vice president for applications development to understand how wellness technology is being developed and how it's being used.

Tuesday Feb 10, 2015

Introducing Oracle Fusion Applications Security Management Role Optimization

Girish Ananatharaju, Fusion Applications Functional Architecture Principal Product Manager, hosted a Customer Connect webinar in January 2015 announcing Applications Security Management Role Optimizer, available in Release 9 of Fusion Applications. Role Optimizer enables security administrators and managers to control and manage Fusion Applications security policies more effectively. Over time, an organization's security policies tend to grow increasingly complex for any number of legitimate business reasons, such as changes in the personnel managing the security policies or the addition of duplicate privileges for ease of administration. Role Optimizer helps address these issues by providing an optimized view of the policy store related to Fusion Applications. It generates suggestions to reorganize duty roles based on a privilege cluster analysis performed over the entire set of users, job/duty roles and privileges.

Figure 1: Role Optimizer performs a cluster analysis.

Figure 2: Role Optimizer generates suggestions based on the cluster analysis.

The Role Optimizer feature is delivered as an ESS (Enterprise Scheduler Service) job in Release 9. This job generates reports containing optimized views of privilege associations from which customers can modify the job role hierarchy and associated privileges. Role Optimizer can be executed by users with IT_SECURITY_MANAGER privileges and is available as a value added service with additional subscription fees.
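As an added illustration of what a privilege cluster analysis does in practice (my own sketch, not the Role Optimizer algorithm or the method in its patent application; the job roles, duty roles and privilege names are constructed), the example below groups privileges by the exact set of job roles that grant them. Privileges that always travel together form a candidate duty role, each suggestion is matched against the duty roles that already exist, and duty roles with identical privilege sets are flagged as the kind of duplicate the post describes.

```python
from collections import defaultdict

# Constructed sample: job roles flattened to the privileges they end up granting,
# which is the shape a role-mining pass sees after walking duty-role hierarchies.
JOB_ROLE_PRIVILEGES = {
    "Payroll Manager": {"RUN_PAYROLL", "VIEW_PAYSLIP", "VIEW_PERSON", "VIEW_ASSIGNMENT",
                        "MANAGE_BANK_ACCOUNT", "VIEW_SALARY"},
    "HR Specialist": {"HIRE_EMPLOYEE", "TERMINATE_EMPLOYEE", "VIEW_PERSON", "VIEW_ASSIGNMENT",
                      "MANAGE_BANK_ACCOUNT", "VIEW_SALARY"},
    "Line Manager": {"VIEW_PERSON", "VIEW_ASSIGNMENT", "APPROVE_ABSENCE"},
    "Benefits Administrator": {"VIEW_PERSON", "VIEW_ASSIGNMENT", "MANAGE_BENEFITS", "VIEW_PAYSLIP"},
    "Employee": {"VIEW_PAYSLIP", "VIEW_OWN_RECORD"},
}

# Constructed duty roles as they exist today, including the kind of duplicate that
# accumulates when someone adds a second role "for ease of administration".
EXISTING_DUTY_ROLES = {
    "Person View Duty": {"VIEW_PERSON", "VIEW_ASSIGNMENT"},
    "Worker Lookup Duty": {"VIEW_PERSON", "VIEW_ASSIGNMENT"},
    "Payroll Processing Duty": {"RUN_PAYROLL", "VIEW_PAYSLIP"},
}


def privilege_clusters(job_roles: dict) -> dict:
    """Cluster privileges by their signature: the exact set of job roles granting
    them. Two privileges with the same signature are never granted apart, so a
    cluster of two or more is a natural duty role. Returns {signature: privileges}."""
    signature = defaultdict(set)
    for role, privs in job_roles.items():
        for priv in privs:
            signature[priv].add(role)
    clusters = defaultdict(set)
    for priv, roles in signature.items():
        clusters[frozenset(roles)].add(priv)
    return {roles: privs for roles, privs in clusters.items() if len(privs) > 1}


def suggest_duty_roles(job_roles: dict, min_roles: int = 2) -> list:
    """Turn clusters shared by at least min_roles job roles into suggestions,
    most widely shared first (the biggest win when reorganising hierarchies)."""
    suggestions = [{"privileges": sorted(privs), "used_by": sorted(roles)}
                   for roles, privs in privilege_clusters(job_roles).items()
                   if len(roles) >= min_roles]
    return sorted(suggestions, key=lambda s: (-len(s["used_by"]), s["privileges"]))


def optimize(job_roles: dict, duty_roles: dict) -> dict:
    """One optimisation pass: each suggestion is annotated with any existing duty
    role that already grants exactly that privilege set, and duty roles that are
    exact duplicates of one another are reported for consolidation."""
    by_privs = defaultdict(list)
    for name, privs in duty_roles.items():
        by_privs[frozenset(privs)].append(name)
    suggestions = suggest_duty_roles(job_roles)
    for s in suggestions:
        s["existing"] = sorted(by_privs.get(frozenset(s["privileges"]), []))
    duplicates = [sorted(names) for names in by_privs.values() if len(names) > 1]
    return {"suggestions": suggestions, "duplicates": duplicates}


if __name__ == "__main__":
    result = optimize(JOB_ROLE_PRIVILEGES, EXISTING_DUTY_ROLES)
    for s in result["suggestions"]:
        print("suggest duty role", s["privileges"], "for", s["used_by"],
              "already exists as", s["existing"] or "nothing")
    print("duplicate duty roles:", result["duplicates"])
```

On this input the pass suggests a VIEW_PERSON/VIEW_ASSIGNMENT duty shared by four job roles, which already exists twice (Person View Duty and Worker Lookup Duty, reported as duplicates), and a MANAGE_BANK_ACCOUNT/VIEW_SALARY duty shared by Payroll Manager and HR Specialist that has no existing duty role yet. HIRE_EMPLOYEE and TERMINATE_EMPLOYEE also cluster, but only within one job role, so they are not promoted to a shared duty.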

Check out the Customer Connect event for more information about, and a demonstration of, Role Optimizer. You can also review the product documentation and the pending U.S. patent application for additional details on how role optimization is achieved.

Monday Jan 26, 2015

Introduction to Oracle Fusion Applications Security on Applications Customer Connect

At a recent Customer Connect web event, held in January 2015, Mahesh Sabapathy, Fusion Applications Functional Architecture Senior Architect, presented the launch of Oracle Fusion Applications Security, new in Fusion Applications Release 9. Oracle Fusion Applications Security gives the security administrator a single global view of security, lets them shape security to align with business needs and helps them stay ahead of changes. In this presentation, participants learn how the Security Console helps security administrators to:

  • Use a single, simplified and intuitive user-interface to design and modify roles
  • Design roles using copy role and compare roles
  • Find things quickly by performing faceted search across the entire security model
  • See applications menu and task-pane entries authorized to a user or role.

Here is a sampling of some of the content presented during the event.
Figure 1: Visualization shows the Duty Roles and Privileges inherited by the Talent Worker Duty Role

Figure 2: Navigator Simulation allows security administrators to preview menu access for Users and Roles

Check out the Customer Connect event recording for additional information and a demonstration of the Security Console.

Tuesday Dec 02, 2014

Oracle Attends Symposium on "The New Digital Health Revolution"

In November, 2014, The Tech Museum of Innovation teamed up with KQED to explore the promises and challenges of the coming digital health revolution. KQED’s “Future of You” documentary explores the digital health revolution.

Nigel King, Vice President of Functional Architecture for Fusion Applications, attended the event and met with subject matter experts to explain what Oracle is doing in the wellness space with the soon-to-be-released Oracle Fusion Employee Wellness, part of Oracle HCM's Work Life suite of applications.

Among the symposium's panelists were:
  • Malay Gandhi, Managing Director of Rock Health, a San Francisco firm that invests in innovative health care start-ups
  • Rachel Kalmar, Data Scientist at Misfit Wearables, a company based in the Bay Area that makes wearable activity trackers, including the Misfit Shine
  • Jeffrey Olgin, Chief of Cardiology at UC San Francisco, who is running the Health eHeart study, the first wireless, all electronic study using wearable devices, smartphones and apps to gather big data from up to a million patients worldwide.

Key takeaways from the symposium include:
  • The data supporting wellness promotion is overwhelming, but not well known. For example, Malay Gandhi quoted a 2002 New England Journal of Medicine study demonstrating that a lifestyle-modification program with the goals of just 7% weight loss and 150 minutes of physical activity per week for 16 weeks reduced the incidence of type 2 diabetes by 58%.
  • The investment community has belief in predictive analytics supporting healthcare scenarios.
  • Fitbit data is being used in court to prove rates of activity after events such as traffic accidents. Be very careful about whom you entrust your wellness data to.
  • The uptake of wellness devices has tended to be among people who were already active, so the societal benefit remains trapped.
  • There are huge untapped opportunities for wellness tracking devices in the aging population to support aging in place.

The Tech’s Body Metrics exhibition lets visitors experience it for themselves. At the end of the event, attendees were invited to try a variety of wearable monitors measuring everything from attentiveness to heart rate to muscular tension.

At the end of a series of physical and mental exercises, participants are presented with their biometric match. At this event, Nigel discovered his wife may be a secret agent.

For more information on Oracle Fusion Employee Wellness, contact Nigel King at

Friday Nov 21, 2014

Role Customization Best Practices

Fusion Applications Functional Architecture has recorded a Customer Connect webinar discussing Role Customization Best Practices. The webinar covers the basics of the Fusion Applications Reference Implementation of job roles and duty roles, as well as best practices for job role and duty role customizations.

Figure 1: Fusion Applications Reference Implementation of Enterprise Roles and Duty Roles

In general, customers are advised to follow these best practices:
  • Always create custom job and abstract roles
  • Use seeded duty roles to grant authorizations to custom roles
  • If seeded duty roles need to be customized, there are two options:
    • Option 1 - simple; minimal risks
      • Take csv backup for reference and error recovery
      • Modify seeded function policies
      • End Date seeded data policies
      • Create custom data policies
    • Option 2 - difficult; no risks
      • Create custom duty roles

For more information on Role Customization Best Practices, including links to the webinar and presentation material, visit the event page on Customer Connect (user account required to access).

Friday Nov 07, 2014

Fusion Applications Security Management Directions Make the Rounds at ISACA and Oracle Open World

Nigel King, Vice President of Functional Architecture for Fusion Applications, continues to spread the word on how Fusion Applications set the bar for security management in cloud-based applications. Following up on an earlier presentation to the San Francisco chapter of ISACA on key security principles, Nigel discussed Fusion Applications' comprehensive security management strategy and solution to a sold-out room at the 2014 SF ISACA Fall Conference, the premier education event for information technology audit, security, governance, risk and compliance professionals in Northern California.

2014 SF ISACA Fall Conference

At Oracle Open World, Nigel identified key principles of security management, discussed evolving best practices for role design and administration and demonstrated how the activities of an IT security manager are surfaced in Oracle Fusion Applications in the new Security Console work area, the one-stop shop for Oracle Fusion Applications security administration.

Security Console - New in Fusion Applications Release 9

Role Optimization provides the intelligence for designing better roles

Look for in-depth training on Security Console and Role Optimization to be published by Oracle University in early 2015.

Usability Study for Employee Wellness

New and existing HCM customers have the unique opportunity to participate in a usability study assessing how the management of corporate wellness programs fits into the work of a Benefits Manager. Oracle Fusion Employee Wellness is a work/life feature in Oracle HCM Cloud that will serve employees as well as benefits professionals. It will enable employees to set wellness goals and give them feedback on progress toward those goals. Employee Wellness will also provide recommendations to employees on behaviors that can increase their well-being, as well as links between their well-being and their work life. Benefits professionals will be able to create games and competitions to foster adoption of and increase participation in wellness programs, enabling employees, benefits providers and the deploying company to jointly participate in and take responsibility for employee well-being.

Employee Wellness - New in Fusion Applications Release 10

The study is being conducted in Oracle's usability lab at its Pleasanton, CA campus and can be conducted remotely for those unable to attend in-person.

For more information on Employee Wellness and participating in the Wellness usability study, contact Nigel King at

Wednesday Jul 02, 2014

Oracle Fusion Applications Cloud Security Takes Center Stage at ISACA

ISACA (previously known as the Information Systems Audit and Control Association) is an independent, nonprofit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. In May 2014, Oracle co-hosted an event with the San Francisco Chapter of ISACA at the Oracle Conference Center to discuss audit and security best practices for applications and databases.

Nigel King, Vice President of Functional Architecture for Fusion Applications, delivered a presentation addressing how ten key security principles are implemented in modern cloud-based applications and demonstrated how these principles are adhered to in Fusion Applications. These principles include:
  1. Role Based Access
  2. Account and Role Provisioning Events & Workflows
  3. Enforcement Across Tools and Transformations
  4. Pervasive Privacy Protections
  5. Integration with Governance Risk and Compliance
  6. Transparent Security Policies
  7. Complete Audit of Security Changes
  8. Secure Across the Information Lifecycle
  9. Co-existing with your current Security Infrastructure
  10. Comprehensive Extensible Reference Implementation

Figure 1: Security in Fusion Applications

Paul Needham, Senior Director of Product Management for Oracle Database Security, discussed how Oracle is at the forefront of database security innovation. Among the latest Oracle Security Solutions are:
  • Preventative: Transparent data encryption; Redaction of sensitive data displayed; Masking data for non-production use
  • Detective: New conditional auditing framework; Audit, report and alert in real-time; Database activity monitoring and firewall
  • Administrative: Configuration management; Discover use of privileges and roles

Figure 2: Oracle Database Security

Check out both presentations for more information.

Monday Jun 16, 2014

Fusion Applications Release 8 Updates for Oracle Enterprise Repository

Fusion Applications Release 8 Updates for Oracle Enterprise Repository (OER) provides a common catalog of technical information which is targeted to those designing integrations or customizations. Using Fusion Applications OER, customers or integrators can:
  • Locate technical information by product, release, business object or the type of asset for which information is needed
  • Search by name, description or keyword
  • View the specification for any integration asset, most notably services, available in Fusion Applications

Fusion Applications OER also includes other integration asset types such as interface tables and technical information such as data models, tables, views, topology diagrams, lookups, profile options, et cetera.  E-Business Suite users familiar with iRepository or eTRM will recognize the functionality in Fusion Applications OER.

Asset additions and updates for Fusion Applications Release 8 ( were published in March, 2014. New asset types with Release 8 of OER include:

  • Fusion Applications Business Process Models
  • Diagnostic Tests available with Fusion Applications Release 8
  • Details of the events and attributes available for audit when audit is enabled at the 'High', 'Medium', or 'Low' levels for any technology component.  These assets are called Technology Audits.

Find the Fusion Applications Oracle Enterprise Repository by going to

If you are new to OER, scroll down on the homepage to get an overview of OER, or click the Help link on the top right to read about how best to use OER when planning and executing your integration projects.

Monday Mar 24, 2014

Fusion Applications & Audit Vault

In a recent Customer Connect webcast on "Auditing Capabilities in Oracle Applications Cloud" (presentation; replay), questions were raised on how the existing audit functions offered by the Applications Audit Framework (also known as the APPLCORE Audit Framework) can be used to audit read access, or SELECTs, on specific objects and/or entities. While the Applications Audit Framework captures insert, update and delete operations (DML operations) on Fusion Business Objects, select and read access on these objects can be captured using Oracle Audit Vault.

Oracle Audit Vault

Oracle Audit Vault is a separately licensed security product — certified for Fusion Applications — that gathers auditing information from remote databases and stores it in a single centralized warehouse database. It can help customers to comply with Sarbanes-Oxley (SOX) and other regulations, perform proactive monitoring and mitigate security risks.

Oracle Audit Vault can be of immense value to organizations whose IT policies demand tighter access control over the applications, especially:

  • When every database change must be captured
  • When business objects, not addressed currently by Applications Audit Framework, need to be audited
  • When read access and SELECT statements need to be audited

For more information on Oracle Audit Vault and its capabilities, please review the Oracle Audit Vault Datasheet.

Tuesday Dec 10, 2013

Auditing in Fusion Applications

Release 7 of Fusion Applications provides much-needed auditing functionality, leveraging the Fusion Middleware auditing capabilities. The functionality in this release covers auditing of various application business objects and Fusion Middleware components, including:

  • Fusion Applications Business Objects
  • Oracle SOA Suite –SOA Metadata Customizations
  • Pages and Business Objects Extensibility
  • BI Publisher – Report request, report execution, etc.

In Release 7, the audit framework covers both capturing and reporting audit events. Business objects or events to be audited are configured using Manage Audit Policies in Fusion Applications, while reporting on the captured audit events is provided by the Audit History UI. Users with the appropriate roles can configure auditing (Manage Audit Policies, with the Application Administrator job role) and view the reports (Audit History UI, with the Internal Auditor job role).

The following Oracle University sessions provide a detailed overview of the auditing functionality available in Fusion Applications.

  1. Fusion 11g Release 7 ( TOI: Technical Overview of Audit Trail – A technical overview of configuring audit capture and audit reporting
  2. Auditing in Fusion Applications – Provides an overview of auditing the various business objects in Fusion Applications
  3. Security Audit and Reporting in Fusion Applications Release 7 – An overview of the OPSS audit in Fusion Applications

Tuesday Sep 03, 2013

Keeping in Sync - LDAP Reconciliation


This article is intended for Fusion Apps customers either starting out on their implementation or who are facing Lightweight Directory Access Protocol (LDAP) reconciliation issues. The content of this article relates to Release 5 (11.1.5) and later versions of Fusion Apps.

Although this entry focuses on reconciliation of the LDAP (Oracle Internet Directory) store with Oracle Identity Manager (OIM), it also touches on other LDAP reconciliation processes. For wider reading on the topic of Identity Management in Fusion Apps, please refer to Fusion 11g Release 7 ( TOI: IDM in Oracle Cloud and Fusion Applications (Fusion Learning Centre>Release 7> Technology Management>All Products), or for user creation/employee data flows, refer to this broader article.


Oracle Fusion Applications rely on Oracle Identity Management products to manage users, roles and permissions. Application users are created using the Hire Employee task within the Fusion HCM Core application. The Hire Employee task creates the User and Role entries in the underlying identity store through Oracle Identity Manager (OIM). The identity store may be Active Directory (AD), Oracle Internet Directory (OID) or a combination of the two.

Although users can be managed inside the Fusion HCM application, it is worth understanding the process of synchronizing HCM, the LDAP store and the User and Role entries within OIM, to support environment setup and validation.

LDAP Reconciliation

User creation in Fusion Apps is a business process that spans both Core HCM and OIM. It happens slightly differently depending on whether the person is uploaded via File Based Loader (FBL) or entered manually in the UI.

  • For persons loaded via FBL, the user name and the status both show as pending until the ‘Send Pending LDAP Requests’ process is run, regardless of the hire date. Only requests dated the current date or earlier are picked up. Running ‘Send Pending LDAP Requests’ results in new users being created in OIM.

  • For persons created via the Fusion HCM ‘Manage Users’ UI, if ‘Send Pending LDAP Requests’ is not scheduled you can use the ‘Copy Data to LDAP’ button. This only creates users whose hire date is the current date, not users with future hire dates.
    • The ‘Copy Data to LDAP’ button will not work for users in a pending status; it only works for users that have already been created.
    • If you are creating users manually using the Fusion HCM "Manage Users" screen, and running into issues, you may find this MyOracle Support troubleshooting article useful (Doc ID 1459830.1).

  • Running the above LDAP request processing creates user records in OIM and, depending on whether an OIM resource is configured with an SMTP server, automatically sends an email notification (containing user name and password) to the user if a valid work email address exists.

  • This process can be run only once for a given user, so take care not to run it while the SMTP server is not configured; doing so makes it impossible to generate the email notifications for the new user creation. Equally, if the process is run too early, before the organization is ready to start using the system, emails carrying credentials are sent to users and could result in premature use of the system. For further information on enabling email notifications, please review the MyOracle Support article on HCM Cloud Service Definition: E-Mail Notifications (Doc ID: 1534683.1).

  • A copy of the email notification is also sent to the user's manager. To prevent password notifications from being sent to the user's manager, follow the instructions in this MyOracle Support article (Doc ID: 1487978.1).

  • From Release 5, it is possible to suppress user account creation and email notifications if so desired. Likewise, it is possible to suppress the assignment and removal of roles for all users.

Are there other LDAP Synchronization jobs to consider?

In fact the area of LDAP synchronization can be broken down into two areas:

  1. Between Fusion HCM and OIM
  2. Between OIM and the LDAP

Let us first take the flows between Fusion HCM and OIM:

  • ‘Retrieve Latest LDAP Changes’ – Copies users and roles from LDAP to HCM User Management. The process requests from OIM any changes that may not have arrived because of a failure or error.

The section ‘Define Synchronization of Users and Roles from LDAP’ of the Oracle® Fusion Applications Common Implementation Guide explains that OIM maintains LDAP user accounts for users of Oracle Fusion Applications. Amongst other things, OIM also stores the definitions of abstract, job and data roles and holds information about roles provisioned to users.

During an implementation, any existing information about users, roles, and roles provisioned to users must be copied from the LDAP directory to the Oracle Fusion Applications tables. Once the Oracle Fusion Applications tables are initialized with this information, it is maintained automatically.

To perform the initialization, the Fusion Apps installation super user should run the ‘Retrieve Latest LDAP Changes’ process (available via the ‘Run User and Roles Synchronization Process’ task, once an offering has been configured and a setup task list has been created). Once ‘Retrieve Latest LDAP Changes’ has run, users can be provisioned with roles through HCM. The process appears under the name SyncRolesJob, which was the process name for ‘Retrieve Latest LDAP Changes’ in Fusion Apps 11.1.2 and earlier versions.

  • ‘Send Pending LDAP Requests’ – This process sends bulk requests and future-dated requests that are now active to OIM to create, suspend and re-enable user accounts, as appropriate. It also identifies future-dated transactions and manages role provisioning and de-provisioning at the appropriate time.

For further details on how these two programs work, and when to schedule them, please see

Secondly, let’s look at the reconciliation processes between OIM and LDAP. These jobs can be broken down into

a) full reconciliation processes:

    • LDAP User Create and Update Full Reconciliation
    • LDAP User Delete Full Reconciliation (Note: do NOT enable this job)
    • LDAP Role Create and Update Full Reconciliation
    • LDAP Role Hierarchy Full Reconciliation
    • LDAP Role Membership Full Reconciliation
    • LDAP Role Delete Full Reconciliation (Note: do NOT enable this job)

b) and incremental reconciliation processes:

    • LDAP User Create and Update Reconciliation
    • LDAP User Delete Reconciliation
    • LDAP Role Create and Update Reconciliation
    • LDAP Role Hierarchy Reconciliation
    • LDAP Role Membership Reconciliation
    • LDAP Role Delete Reconciliation
    • Fusion Applications Role Category Seeding

The incremental LDAP jobs are not enabled by default, as some prerequisite steps are needed to point these to OID. Note that the actual configuration of integration between Oracle Identity Manager and LDAP is performed while installing Oracle Identity Manager. For further information on how to configure the integration of OIM with LDAP please refer to Configuring the Integration with LDAP in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

MyOracle Support Doc ID 1377101.1 describes how to identify which jobs are currently enabled or disabled in your environment. It also reminds the reader that as part of the installation and configuration of OIM, the LDAP jobs should be run in a particular order.

The full reconciliation jobs, unlike the incremental jobs, put a significant load on the OIM CPU (about 40% CPU usage), so it is advisable to run them when the system is not in active use. Please refer to the MyOracle Support article Troubleshooting: OIM Out of Sync with LDAP (Doc ID 1467067.1) for guidance and further troubleshooting.

To view all OIM/LDAP reconciliation jobs directly in your system, login to OIM as follows:

    1. Log in to the OIM console (as the OIM super user 'xelsysadm')
    2. Go to Advanced console
    3. Click Search Scheduled Jobs, use wild card search LDAP*
    4. To submit a job, simply click on, for example, LDAP Role Membership Full Reconciliation job
    5. Click Run Now
      (If the Run Now button is greyed out, then click Disable first to disable scheduling and then you can click Run Now. Also remember to turn scheduling back on by clicking Enable after the job finishes).

What do these LDAP Synchronization jobs do exactly?

In general terms, these jobs ensure that HCM and OIM, and OIM and LDAP, are in sync with each other. Without synchronization, users may not be able to log in to Fusion Applications because they are not in the identity store, so their credentials cannot be verified. Data roles generated from a data role template will not be visible in OIM until LDAP reconciliation has taken place.

The system roll-back feature ensures that if OIM cannot make changes correctly, then LDAP will roll back to reflect the same position as OIM. For further details please refer to Provisioning Data From Oracle Identity Manager to LDAP Identity Store.

The "LDAP Scheduled Tasks” link in the Oracle Fusion Middleware Administrator’s Guide for OIM, provides specific descriptions of each LDAP/OIM Reconciliation job. For example, the LDAP User Create and Update Reconciliation job reconciles user updates based on the change log from LDAP. The incremental reconciliation jobs make updates based on change logs. Compare these to the full reconciliation jobs, such as LDAP User Create and Update Full Reconciliation job, that reference all users under the search base (defined in the Directory Server IT resource) to do the reconciliation with the LDAP.

When and how often should I run these LDAP Synchronization jobs?

Retrieve Latest LDAP Changes is always the first implementation task, but it can also be run periodically, say daily, to keep the tables synchronized with subsequent updates to LDAP. For example, if you know that a failure has occurred between OIM and Oracle Fusion HCM, you can run Retrieve Latest LDAP Changes to ensure that user and role information is synchronized.

It is recommended to run the Send Pending LDAP Requests process at least daily, so that future-dated changes are identified and processed as soon as they take effect; scheduling it to run automatically every day is the simplest way to achieve this.

For the LDAP/OIM reconciliation, the general recommendation is to run the full reconciliation jobs (for example, LDAP Role Create and Update Full Reconciliation) periodically, say monthly, and to run the incremental reconciliation jobs (for example, LDAP Role Create and Update Reconciliation) more frequently in between full runs, say daily or hourly.

Indeed, MyOracle Support Doc ID 1507370.1 recommends setting the incremental LDAP/OIM reconciliation jobs to run every 5 minutes or even more frequently, depending on your business needs, to avoid issues with asynchronous data from LDAP to OIM.

There are a number of articles on MyOracle Support that provide guidance on LDAP issues. Generally speaking, these issues are caused by the LDAP reconciliation jobs not having been run, or not having been run in the correct order. Below are a few sample issues reported, included here as pointers for those who may be struggling to resolve an issue:

  • User and Role Provisioning - Troubleshooting Guide (Doc ID 1459830.1) Helpful as it walks through a number of issues and how to overcome them.
  • Message "The User Request Is Pending" Displays on the Manager Users-User Details (Doc ID 1409103.1)
  • Out-of-Sync Role Information Prevent User From Seeing Correct Options In Fusion Applications Navigator Menu (Doc ID 1392703.1)
  • Accessing Home Page Tab Getting Intermittent Error: "PER-PER_POTRT_INACTIVE_ASSIGNMENT, can not be accessed." (Doc ID 1492040.1)
  • Fusion Applications - IT Security Manager Role Not Found In Oracle Identity Manager (Doc ID 1377101.1).
  • User Account In Pending Status In HCM Manage User Account Page After HR2HR Load (Doc ID 1571217.1). Highlights that if the creation date for a user is in the future, even after running the 'Send Pending LDAP Requests' process, the user create request only gets processed after reaching this creation date.

And Lastly…

Once you're up and running and happily synchronizing, please do give a thought to tuning your LDAP Synchronization jobs. Review the My Oracle Support articles Performance Tuning Guidelines and Diagnostics Collection for Oracle Identity Manager (OIM) (Doc ID 1539554.1) and Tuning Settings For LDAP Reconciliation Between OID And OIM 11g (Doc ID 1534049.1) for more information.

Other useful links

  • Identity Management Forum on MyOracle Support. Get your questions answered, receive OIM updates and more.
  • How to Setup LDAP Sync After Install in OIM 11g (Doc ID 1272682.1) Explains how to set up the Oracle Identity Manager (OIM) 11g LDAP sync feature after the product install is done. This article is applicable to OIM version only.
  • How to Create New User from Oracle Identity Management (OIM)? (Doc ID 1384051.1)
  • How To Clean Up User Data In A Fusion Application Environment (Doc ID 1494265.1) Explains how to remove existing user data and reload (for project implementation purposes).
  • How to Validate Fusion Application Users And Roles Using Oracle Identity Manager [Video] (Doc ID 1359326.1)
  • LDAP scripts to assist with troubleshooting Fusion Apps user access related issues (Doc ID 1356241.1)
  • Support also has numerous diagnostic tests available for analyzing where things may have gone wrong. See Fusion Applications Troubleshooting Overview Master Doc ID 109.1. For example, What Diagnostic Tests Are Available For Fusion Human Capital Management (Doc ID 1358207.1) – Steps to run the diagnostic tests 'user and role provisioning diagnostics' and 'user and role: user details'.

1 - Overview Chapter of Oracle® Fusion Applications Coexistence for HCM Implementation Guide 11g Release 6 (11.1.6) Part Number E20378-04

Thursday Aug 08, 2013

Reporting on User Roles in Fusion Applications

We often find a need to get a list of enterprise roles assigned to a Fusion Applications user, i.e. a need for a simple report. This can also be useful when there is no access to OIM screens and only read-only access to the Fusion database is provided. Below are some simple SQL scripts that assist in getting such a report. These scripts can be run by creating data model queries in BI Publisher if you are accessing a SaaS implementation, or run directly in any SQL client if you are in an on-premise setup.

1. The SQL below can be used to get a list of roles assigned to an FA user:

AND a.USERNAME = '&username'

Below is a sample output from the SQL and the screenshot from OIM for the same user (FA user 'FUSION' is used for this example here).

OIM Screenshot for 'FUSION' user is below:

2. Further drill-down of the individual roles can be obtained using the query below which provides the detailed listing of roles inherited by a specific user session. The result from this query would match the results you see when drilling down 'Application Implementation Consultant', 'Employee' and 'IT Security Manager' above.

    WHERE fnd_sessions.user_name = '&username'
WHERE rownum<=1
ORDER BY role_name

The same result can also be obtained using the below query:

    WHERE b.USER_NAME = '&username'

The above queries, using FND_SESSIONS, will only be valid if the FA user has logged into Fusion Applications at any time (or if there is an active session of this user) and the user's login information exists in this table (not purged by any purge routines).

For a list of duties and privileges assigned to various job (or external) roles, please refer to My Oracle Support Reference Note: 1460486.1 Mapping of Roles, Duties and Privileges in Fusion Applications.

Keep visiting our blog for other useful tips and tricks in Fusion Applications.

Tuesday Jun 25, 2013

Fusion HCM SaaS – Integration

A typical implementation pattern we’re seeing with Fusion Apps early adopters is implementing a few Fusion HCM applications that bring the most benefit to their company with the least disruption to existing programs and interfaces. Very often this ends up being Fusion Goals & Performance, Talent, Compensation or Benefits, often with Taleo for recruiting. The implementation picture looks like what you see below:

Here, you can see that all the “downstream integrations” from the On-Premise Core HR, are unaffected because the master for employee data is still your On-Premise Core HR system – all updates and new hires are made here (although they may be fed in from Taleo to start with).

As a second phase, when customers migrate Core HR to Fusion HCM, they have to come up with a strategy to manage integrations to all their downstream applications that require employee details. For customers coming from EBS HR, a short-term strategy that allows for minimal impact is to extract employee data from Fusion (via HCM Extract), load the shared EBS HR tables (which are part of an EBS Financials install anyway), and let your downstream integrations continue to function based on this data as shown below.

If you are not coming from EBS HR and there are license implications, you may want to consider:

  1. Creating an On-Premise warehouse for extracting data from Fusion Apps.
  2. Leveraging Fusion Apps Web Services (available to SaaS customers starting R7) to directly retrieve/write data to Fusion Apps.

Integration Tools

File Based Loader

This is the primary mechanism for loading HCM data (both initial load and incremental updates) into Fusion HCM. Employee & related data can be uploaded into Fusion HCM using File Based Loader.

Note that ability to schedule File Based Loader to run on a pre-defined schedule will be available as a patch on top of Rel 5.

Hr2Hr has been deprecated in favor of File Based Loader, but for existing customers using Hr2Hr, here are some sample scripts that show how to get more informative error messages. They can be run by creating data model sql queries in BI Publisher. The scripts currently have hard coded values for request id and loader batch id, which your developer will need to update to the correct values for you. The BI Publisher Training Session recorded on Apr 18th is available here (under "Recordings"). This will enable a somewhat technical resource to create a data model sql query.

Links to Documentation & Training
Reference documentation for File Based Loader on

FBL 1.1 MOS Doc Id 1533860.1

Sample demo data files for File Based Loader

HCM SaaS Integrations ppt and recording.

EBS APIs

Loading Information into EBS Full or Shared HCM

This could be candidate information being loaded from Taleo into EBS or  Employee information being loaded from Fusion HCM into an EBS shared HR install (for downstream applications & EBS Financials).

Oracle HRMS Product Family Publicly Callable Business Process APIs (A Reference Consolidation) [ID 216838.1]
This is a guide to the EBS R12 Integration Repository accessible from an EBS instance.

EBS HRMS Publicly Callable Business Process APIs in Release 11i & 12 [ID 121964.1]

Fusion HCM Extract

Fusion HCM Extract is the primary mechanism used to extract employee information from Fusion HCM.

Refer to the "Configure Identity Sync" doc on MOS  for additional mechanisms.

Additional documentation (you'll need an account to access)
HCM Extracts User Guides (Rel 4 & 5)

HCM Extract Entity/Attributes (Rel 5)

HCM Extract User Guide (Rel 5)

If you don’t have an account, download the zipped HCM Extract Rel 5 Docs (Click on File --> Download on next screen).

View Training Recordings on Fusion HCM Extract

Benefits Extract

To set up the benefits extract, refer to the following guide.
Page 2-15 of the User Documentation describes how to use the benefits extract.

Benefit enrollments can also be uploaded into Fusion Benefits. Instructions are here along with a sample upload file.

However, if the defined benefits extract does not meet your requirements, you can use BI Publisher (Link to BI Publisher presentation recording from Apr 18th) to create your own version of Benefits extract. You can start with the data model query underlying the benefits extract.

Payroll Interface

Fusion Payroll Interface enables you to capture personal payroll information, such as earnings and deductions, along with other data from Oracle Fusion Human Capital Management, and send that information to a third-party payroll provider.

Payroll interface guide
Sample file
DBIs used for the payroll interface

Fusion HCM Integration Patterns

Wednesday Jun 12, 2013

How to Create A Minimal Enterprise Structure

This article describes a minimal representation of an enterprise structure to support shared sourcing and procurement services to requisitioners from multiple companies in multiple divisions and in multiple countries. The document is targeted at implementation consultants, particularly those deploying the Fusion Procurement offering, and aims to provide an introduction to the key concepts of shared services and complement this introduction with a sample organization representation. In addition to procurement professionals, financial staff in the deploying enterprise will also need knowledge of the deployment options and the reasoning behind the selection of a particular model.

The Concept of Shared Service Centers

Shared Service Centers are corporate level organizations tasked with conducting common operations that support the core lines of business of an Enterprise. Technically, companies or other legally recognized entities literally share the services, and the practice involves sharing cost, profitability and taxation too. Informally, internal assignment of services to businesses within an individual company is sometimes called shared services too. The services provided can be in the areas of Human Resources Management, Payroll, Subledger Processing, General Accounting, Inventory Management (bonded warehouses, etc.), and Procurement. The paper focuses on Procurement Shared Services.

Consolidating procurement services into a single procuring entity that serves multiple business units within an enterprise could, if properly implemented, result in the following benefits:

  • Increased bargaining power, economies of scale, and cost savings
  • Formation of a more focused procurement workforce
  • Increase in buyer specialization, better generation of specifications, and more accurate, efficient catalog management
  • Centralized and standardized information deployed across the enterprise
  • Centralized processes, which could result in the reduction of redundancy and effort duplication, and a more responsive procurement

For More Details see this white paper on MOS - Setting Up a Minimal Enterprise Structure to Support Procurement Shared Services [ID 1465612.1]

How to customize the user experience in Fusion Apps - Part 1 Composer Security Expressions

Access to resources such as task flows, regions, buttons, and menus in Fusion Applications is granted by entitlements stored in a policy store and managed through the Authorization Policy Manager (APM). Users are assigned roles composed of a set of entitlements (Oracle makes this quite easy by providing you with job-based seeded roles), authorizing them to access only the data and functions necessary to perform their jobs and no more. On a more granular level, it is also possible to control the rendering of certain UI objects by controlling their display attribute at runtime using Page Composer.

An example illustrating a conditional rendering of a Button is outlined below. The condition used in this example is the Role of the authenticated user.

2 Users and 2 Roles

In this example we have two HR Specialists, and we want to prevent one of these users from saving Person records.

Figure 1. Roles of Louise Beckham

Figure 2. Roles of Megan Davis

Customizing the Object

Using Page Composer, the Administrator creates a security condition in Expression Builder. This condition states that the "Save" button on the "Person Management" page will be displayed if and only if the session's authenticated user has the PER_HUMAN_RESOURCE_SPECIALIST_VIEW_ALL_DATA role. This happens to be a role that our user Megan Davis has but that has not been granted to user Louise Beckham.

The statement, written in Expression Language (EL), used in this example is


NB: It is possible to include multiple roles as follows: #{securityContext.userInRole['Role 1'||'Role2']}. It is also possible to exclude a role by including a '!' at the beginning of the expression as follows: #{!securityContext.userInRole['Role 1']}
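To make the evaluation concrete, here is an added Python model of the role condition described above. It is not Page Composer or ADF code: the expression parsing, the assumption that a multi-role list is true when the user holds any listed role, and the two users' role sets are constructed for this illustration. It also pairs the rendering condition with the same check in the action handler, since the display attribute only decides whether the button is drawn, not whether the save is permitted.

```python
import re

# Role named on the page; the user-to-role assignments are constructed for the example.
HR_VIEW_ALL = "PER_HUMAN_RESOURCE_SPECIALIST_VIEW_ALL_DATA"
SESSION_ROLES = {
    "louise.beckham": {"Human Resource Specialist"},
    "megan.davis": {"Human Resource Specialist", HR_VIEW_ALL},
}

# Shape of the expressions shown on the page:
#   #{securityContext.userInRole['ROLE']}   and   #{!securityContext.userInRole['ROLE']}
EL_PATTERN = re.compile(r"^#\{(?P<neg>!?)securityContext\.userInRole\[(?P<roles>.+)\]\}$")


def parse_role_expression(expression):
    """Split a userInRole EL string into (negated, [role names]).

    Every single-quoted token inside the brackets is taken as one role name, so
    both the single-role form and the page's 'Role 1'||'Role2' form parse.
    """
    m = EL_PATTERN.match(expression.strip())
    if not m:
        raise ValueError(f"not a userInRole expression: {expression}")
    roles = re.findall(r"'([^']*)'", m.group("roles"))
    return m.group("neg") == "!", roles


def user_in_role(session_roles, expression):
    """Evaluate the expression against the session's role set.

    Assumption: a multi-role list is true when the user holds any listed role;
    a leading '!' inverts the result, as the page describes.
    """
    negated, roles = parse_role_expression(expression)
    held = any(role in session_roles for role in roles)
    return (not held) if negated else held


SAVE_BUTTON_RENDERED = f"#{{securityContext.userInRole['{HR_VIEW_ALL}']}}"


def save_button_visible(username):
    """The Page Composer display condition: decides only whether the button is drawn."""
    return user_in_role(SESSION_ROLES[username], SAVE_BUTTON_RENDERED)


def save_person_record(username, record):
    """The action behind the button. Hiding the button is presentation, so the same
    entitlement is checked again here, where the record would actually change."""
    if not user_in_role(SESSION_ROLES[username], SAVE_BUTTON_RENDERED):
        raise PermissionError(f"{username} lacks {HR_VIEW_ALL}")
    return dict(record, saved_by=username)


if __name__ == "__main__":
    for user in SESSION_ROLES:
        print(user, "sees Save:", save_button_visible(user))
    print(save_person_record("megan.davis", {"person": "P-1001"}))
```

Run as a script it reports that Megan sees the Save button and Louise does not; calling save_person_record for Louise raises PermissionError even though her UI never offered the button.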

Figure3. Selecting the ADF Object that we want to customize

Figure4. Creating a dynamically calculated attribute value using Expression Builder

Different Display for Different Users

Below is how each of our two users sees the same UI, which has now been conditionally customized. We can see the "Save" button displayed on Megan's UI but not on Louise's.

Figure 5. Louise's UI without the Save Button

Figure 6. Megan's UI with the Save Button

Thursday Apr 11, 2013

Fusion Applications Single Sign On - Business User perspective

Common Use Cases & How to implement them (SSO Pilot Website)

The post outlines some of the more prevalent Single Sign On (SSO) use cases Fusion customers are currently using. It also provides an outline of work necessary to enable each of these use cases & links to more detailed technical information.

Case #1: From Corporate Portal

Employees, already authenticated into your corporate portal, should be able to click on the Fusion Apps link and get access without being challenged for their username/password as shown below.

Figure #1: SSO from Corporate Portal

Software you'll need:

Most companies will already have a directory (LDAP) that they are using to store their employees' identities. If you already have Single Sign On configured for any of your applications, then you probably already have a "Federation Server" in-house.

If your federation server is:
  • ADFS (Active Directory Federation Server) 2.0 from Microsoft
  • Oracle Identity Federation 11g
... you're all set.

If it's some other Federation Server capable of issuing a SAML 2.0 token, this is subject to approval by Oracle.

Configuration / Integration Work Needed:

Creating Employees in Fusion Apps: First thing you'll need to plan is how to create your employee identities in Fusion Applications and how to assign them the appropriate roles in Fusion Applications (this is required before Single Sign On will work). For testing purposes, you can just create the users using the Fusion Applications "Manage Users" or "New Person" screens and typing them in. If you're a small company, you can continue to do this for new hires. If you're a large company, refer to the "Employee/Role data flow" page - this might reflect the flow you need. If it does not, let us know.

When creating the employee in Fusion HCM, the value that you enter as the "HCM username", should be a unique value also present in your Federation Server for that employee, as you will need to configure your Federation Server to send this value as the "Name Id" when it issues the SAML token for Fusion Applications to consume. [The "Name Id" is just a unique value that tells Fusion Apps who this user is].

View Co-existence and SSO Presentation for more details.

Configuring your Federation Server & Fusion Applications (Cloud): Then it's simply a matter of doing some configurations in your Federation Server and for Oracle's Cloud Operations team to do some configurations in your Fusion Applications Pod. This part is done via filing a Service Request. The details of all this are available in My Oracle Support under Note 1477248.1.

Embedding URL: Finally you will embed the url into your corporate portal and your authenticated users will be able to click on the Fusion Applications link and be taken directly into Fusion Applications without being challenged again.
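The Name Id mapping described in this use case, as an added Python example of what the consuming side has to check before trusting the token. This is not Fusion Applications or federation-server code: the response XML, the hosts and the HCM user table are constructed placeholders, and signature verification of the assertion is taken as already performed by the federation product before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response; hosts, IDs and times are placeholders, not real tenant values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0"
    IssueInstant="2013-04-11T10:00:00Z">
  <saml:Issuer>https://idp.example.com/federation</saml:Issuer>
  <saml:Assertion ID="_assertion-1" Version="2.0" IssueInstant="2013-04-11T10:00:00Z">
    <saml:Issuer>https://idp.example.com/federation</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">megan.davis</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-04-11T09:59:00Z" NotOnOrAfter="2013-04-11T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://fa.example.com/fusion</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the HCM user records created before SSO is enabled,
# keyed by the "HCM username" that the IdP must send as the Name Id.
HCM_USERS = {
    "megan.davis": {"active": True},
    "louise.beckham": {"active": False},   # no longer active, so SSO must not admit her
}

TRUSTED_ISSUER = "https://idp.example.com/federation"
OUR_AUDIENCE = "https://fa.example.com/fusion"


def _saml_time(value):
    """SAML timestamps are UTC in xs:dateTime form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(response_xml, now, users=HCM_USERS,
                      trusted_issuer=TRUSTED_ISSUER, audience=OUR_AUDIENCE):
    """Map a SAML Response to a local user; returns (ok, username_or_reason).

    Signature verification is a prerequisite done by the federation product
    and is outside this example; everything below assumes it has passed.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    if assertion.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return False, "untrusted issuer"
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return False, "no conditions"
    if now < _saml_time(conditions.get("NotBefore")):
        return False, "assertion not yet valid"
    if now >= _saml_time(conditions.get("NotOnOrAfter")):
        return False, "assertion expired"
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "assertion not intended for this service provider"
    # The Name Id is only a lookup key: the account must already exist in HCM,
    # with its roles assigned, and must still be active.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    user = users.get(name_id)
    if user is None:
        return False, f"Name Id {name_id!r} has no matching HCM user"
    if not user["active"]:
        return False, f"HCM user {name_id!r} is inactive"
    return True, name_id


if __name__ == "__main__":
    print(consume_assertion(SAMPLE_RESPONSE, _saml_time("2013-04-11T10:01:00Z")))
```

The point of the last two checks is the one the text makes: SSO only authenticates, so a Name Id that does not match a provisioned, active HCM username must be refused rather than auto-created.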

Case #2: From a 3rd Party Application

Employees already authenticated to a 3rd party SaaS Application should be able to click on a Fusion Applications URL and access Fusion Applications without being challenged for their username/password.

Figure #2: SSO from 3rd Party Application

Software you'll need:

If your employees are already configured for SSO into the 3rd party Cloud App, then you probably already have all the On-Premise Software needed in place (LDAP & Federation Server). Refer to Corporate Portal page.

Configuration / Integration Work Needed:

Creating Employees in Fusion Applications: Exactly the same as the "Corporate Portal" use case above.

Configuring your Federation Server & Fusion Applications (Cloud): Exactly the same as the "Corporate Portal" use case above. Single Sign On will operate between your On-Premise Identity Provider and Fusion Applications in exactly the same manner, but your end user will experience Fusion Applications embedded within your 3rd party Cloud Application (as long as the 3rd party Cloud Application supports embedding the URL).

Embedding URL: You will embed the URL into the 3rd party Cloud Application and your authenticated users will be able to click on the Fusion Applications link & access Fusion Applications screens without being challenged again.

Case #3: Accessing Fusion HCM & Taleo

Employees authenticated against Fusion Apps via SSO, should be able to access Taleo without being challenged for their username/password.

Figure #3: Accessing Fusion HCM & Taleo

If you wish to Single Sign On into Fusion HCM, you will need to configure that as outlined in the "Corporate Portal" use case above.

Then you follow the configuration steps to get Taleo SSO working with your On-Premise IdP. This includes a step of ensuring that the employees that need to access Taleo are already created in Taleo.

Now once your users are logged into Fusion HCM, they can bring up an additional tab for Taleo and will be automatically logged into Taleo.

Case #4: Access from Home

All the use cases above should also work when the employee logs in from home (outside work network).

Figure #4: Access from Home

Case #5: SSO plus Non-SSO

Some of your employees (contractors, etc.) or partners are not present in your LDAP and need to be authenticated by Fusion Applications. All the others need to be authenticated via SSO. NOTE: This is supported as of Release 7 only.

Figure #5: SSO plus Non-SSO

As of Release 7, when you click on the Fusion Applications URL, you will be able to choose between SSO authentication and authentication via Fusion Applications. Contractors and Partners can choose to authenticate via Fusion Applications and employees via SSO.

The SSO setup & configuration remains the same as in the "Corporate Portal" use case above.


Co-existence and SSO Presentation
My Oracle Support (MOS) Interlinked documents on Fusion Apps SSO
MOS Note on Configuring Taleo Business Edition

Employee/Role data flow (from SSO Pilot Website)
SSO Pilot Website

Feedback via comments below or email

Wednesday Mar 27, 2013

Managing Workflow Notifications in Fusion Apps – An Example

This article illustrates an example of a system administrator viewing and taking action on SOA Human Workflow notifications generated by a composite process that underlies a Fusion Apps HCM Task. As part of the privileges granted by their enterprise role, the administrator is able for example to reassign, suspend, or withdraw the requested action in the task.

What is a Human Workflow?

Human Workflow is the component of Oracle's SOA Suite that allows humans to interact with a process. For example, a manager might need to approve a purchase order or an expense report prior to the transaction (issuing a purchase order or reimbursing expenses) being completed, or perhaps reassign a task they are unable to complete. In addition to allowing users of an application to interact with its processes, the capabilities of Human Workflow include full task lifecycle management through the ability to reroute tasks, escalate them, and set deadlines by which they must be completed, in addition to the presentation of tasks to the concerned user through the BPM Worklist application or other channels such as email.

The Task and its Rules

In our example we will use a Fusion HCM transaction to illustrate how a transaction is routed and what actions an administrator can take on that transaction.

The Table below lists Fusion Core HCM transactions that are enabled for approvals.

Seeded Approvals (Include 2 Levels of Supervisor chain)

Seeded Auto-Approved


Manage Salary (typically configured to require approval)


Manage Compensation (typically configured to require approval)

Change Manager

Share Information (requires approval by worker)

Change Location

Change Marital Status

Change Working Hours

Create Employment Terms

Terminate Work Relationship

Manage Employment

Hire an Employee

Manage Grades

Add a Non-worker

Manage Grade Ladders

Add a Contingent Worker

Manage Grade Rates

Add a Pending Worker

Manage Jobs

Create Work Relationship

Manage Locations

Manage Work Schedule Assignment

Manage Organizations

Manage Absence Records (1 level)

Manage Person

Manage Document Record (1 level)

Manage Positions

Submit Performance Document(1 level)

Add Goal (1 level)

Table 1. Fusion HCM Transactions

Let us start by looking at the Promotion Task and the rules associated with that task.

Figure 1 shows the composite process that handles the HCM Promotion task. This composite consists of several SOA components and includes the services and references in Figure 2.


Figure 1. Deployed Promotion Approvals composite process.


Figure 2. Components of the Promotion Approval Composite

In Figure 3 below, the rule defined reads as follows: For the promotion process and for all cases (the condition 1=1 being always true) build the approval list based on the supervisory hierarchy and process the transaction two levels above the approver, starting with the approver’s manager and stopping with the user “douglas.mcneil” who happens to also be the CEO and the top node in the hierarchy.

Figure 3. BPM Task Configuration Rules

The Administrator’s privileges

In Fusion Applications the ability to access functions across products is controlled by functional privileges granted to a user through APM (Authorization Policy Manager). The application role that allows an administrator to view all human tasks is "BPM Workflow System Admin Role". Several of the seeded roles in the reference implementation inherit this duty. The table below shows the hierarchy for the Human Capital Management Application Administrator.


Display Name | Role Name | Inherited by

Human Capital Management Application Administrator: Configures the Oracle Fusion Global Human Resources application and has access to all duty roles necessary to implement the Compensation, Workforce Deployment, and Workforce Development offerings.

BPM Workflow System Admin Role: This role grants a user the privilege to perform administrative actions in the workflow functionality via the worklist UI. A user in this role will be able to view all tasks in the system, recover errored (incorrectly assigned) tasks, create approval groups, and edit task configuration / rules in the DT@RT UI (both AMX functionality). This is a business administrator type role. This role is granted to SOAAdmin.

Table 2. Seeded Roles that provide access to all Tasks in the Worklist application


Figure 4. Role hierarchy assigned to the administrator for the example in this document

The HCM Transaction

At the conclusion of a performance evaluation cycle, a manager determines that an employee is a candidate for a promotion. The manager initiates the request from the Manager Resources Dashboard. The necessary adjustments are made to the employee's job and compensation details, and the transaction is submitted.


Figure 5a. Supervisory Hierarchy: Donald Alexander reports to Douglas McNeil


Figure 5b. Supervisory Hierarchy: Stella Marcus reports to Donald Alexander


Figure 5c. Supervisory Hierarchy: Jaime Gregg reports to Stella Marcus

Figures 5a, 5b and 5c show three levels in the supervisory hierarchy. The transaction we will use in our example below will be submitted for employee Jaime Gregg by her manager, Stella Marcus. Based on the approval rules we defined earlier, this promotion request will be routed in sequence to the next two levels in the hierarchy: Donald Alexander, then Douglas McNeil.

The manager selects the Promote action from the employee's card in the Org chart.


Figure 6. The Manager Selects the Promote Action from the Org Chart.

The Manager Completes the promotion request and reviews the details prior to submission. The approval list is built in the last step of the transaction as illustrated in Figure 7a and 7b below.


Figure 7a. The last step in the transaction is the review of the request prior to submission


Figure 7b. The Approval list built in the last step of the transaction prior to submission.

Initiated transactions generate an instance of the composite process discussed earlier (see Figure 8 below), and are available to the participants and the administrator. The instance also retains the status and history of the transaction during its lifecycle and after completion.


Figure 8. The Task instance in the Worklist of the Manager

After submission, the manager can review the initiated task and amend it by adding attachments or comments as seen in Figure 9 below.

Figure 9. Comments and Attachments added to the request

The Notification

Based on the rules applicable to the promotion transaction we discussed earlier, the process sends a request for approval to the manager of the requestor. However, let us assume that Donald Alexander, the manager of Stella Marcus and the first of the two approvers, is not available to take action on the request. Stella makes a request via the comments field to have the administrator skip the current stage and forward the request to the next approver.

The Administrator Action

The administrator Kyle Bailey searches for transactions assigned to Donald Alexander (Figure 10) and can perform the actions listed in Figure 11, namely skip the current assignment, suspend, withdraw, or reassign the request to a different user.


Figure 10. Administrator queries tasks assigned to Donald Alexander


Figure 11. Actions an administrator can take on an assigned task

After reassignment of the task by the administrator to the next approver, Douglas McNeil can now see the Task in their worklist.


Figure 12. Worklist of the user to whom the task was reassigned

All changes made to a task instance remain with the task and are viewable by all users who have access to that task, namely the participants in the transaction (the approvers) and the administrator. A completed task with a full history of task actions and the participants who made them is shown in Figure 13 below.
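The approval rule of Figure 3 and the administrator actions described in this section, as an added Python model (not SOA Suite or BPM Worklist code). The hierarchy is the one in Figures 5a to 5c, the administrator is Kyle Bailey holding the BPM Workflow System Admin Role from Table 2, and the task class, action names and history record are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Supervisory hierarchy from Figures 5a-5c (employee -> manager); constructed for the example.
REPORTS_TO = {
    "jaime.gregg": "stella.marcus",
    "stella.marcus": "donald.alexander",
    "donald.alexander": "douglas.mcneil",
}

# Role from Table 2; only its holder may take administrative actions on a task.
WORKFLOW_ADMIN_ROLE = "BPM Workflow System Admin Role"
USER_ROLES = {"kyle.bailey": {WORKFLOW_ADMIN_ROLE}}


def build_approval_list(submitter, reports_to=REPORTS_TO, levels=2, top_user="douglas.mcneil"):
    """Supervisory-hierarchy rule of Figure 3: start at the submitter's manager,
    take 'levels' approvers going up, and stop early when the top user is reached."""
    approvers, current = [], submitter
    while len(approvers) < levels:
        manager = reports_to.get(current)
        if manager is None:
            break
        approvers.append(manager)
        if manager == top_user:
            break
        current = manager
    return approvers


@dataclass
class PromotionTask:
    subject: str                 # employee being promoted
    submitter: str               # manager who submitted the request
    approvers: list              # ordered approval list built from the rule
    position: int = 0            # index of the current assignee
    status: str = "ASSIGNED"
    history: list = field(default_factory=list)   # (actor, action, detail); never trimmed

    def assignee(self):
        return self.approvers[self.position] if self.status == "ASSIGNED" else None

    def _record(self, actor, action, detail=""):
        self.history.append((actor, action, detail))

    def _advance(self):
        self.position += 1
        if self.position >= len(self.approvers):
            self.status = "COMPLETED"

    def approve(self, actor):
        """Only the current assignee may approve; anyone else is rejected and logged nowhere."""
        if actor != self.assignee():
            raise PermissionError(f"{actor} is not the current assignee")
        self._record(actor, "APPROVE")
        self._advance()

    def admin_action(self, actor, action, new_assignee=None):
        """Skip / reassign / suspend / withdraw, gated on the workflow admin role."""
        if WORKFLOW_ADMIN_ROLE not in USER_ROLES.get(actor, set()):
            raise PermissionError(f"{actor} lacks {WORKFLOW_ADMIN_ROLE}")
        if action == "SKIP":
            self._record(actor, "SKIP", f"skipped {self.assignee()}")
            self._advance()
        elif action == "REASSIGN":
            self._record(actor, "REASSIGN", f"{self.assignee()} -> {new_assignee}")
            self.approvers[self.position] = new_assignee
        elif action == "SUSPEND":
            self.status = "SUSPENDED"
            self._record(actor, "SUSPEND")
        elif action == "WITHDRAW":
            self.status = "WITHDRAWN"
            self._record(actor, "WITHDRAW")
        else:
            raise ValueError(f"unknown administrator action {action}")


def run_example():
    """The scenario in the text: Donald Alexander is unavailable, the administrator
    skips his stage, and Douglas McNeil completes the approval."""
    task = PromotionTask("jaime.gregg", "stella.marcus", build_approval_list("stella.marcus"))
    task.admin_action("kyle.bailey", "SKIP")
    task.approve("douglas.mcneil")
    return task


if __name__ == "__main__":
    done = run_example()
    print(done.status, done.history)
```

The history list is the part worth keeping in mind operationally: every administrative override stays attached to the task with the actor who made it, which is what lets the completed task in Figure 13 be reviewed later.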


Figure 13. Completed Task


Oracle® Fusion Middleware Developer's Guide for Oracle SOA Suite 11g Release 1 (11.1.1) Part Number E10224-05 -- Chapter 27

Oracle SOA Suite Components


This blog shares with the broader Fusion Applications community instructional material in the areas of Enterprise Structures, Extensibility, Integration and Security with the a focus on implementation. This blog is updated by the Fusion Applications Functional Architecture organization.

