In-Depth: Synchronizing Oracle HRMS with OID

Editor Jan. 12, 2007 Update:  Oracle Identity Management 10g 10.1.4.0.1 is now certified with the E-Business Suite. 

I've now devoted several articles to managing E-Business Suite users with Oracle Internet Directory 10g.  But what about situations where you need to manage Oracle Human Resources employees in Oracle Internet Directory?  Or create E-Business Suite accounts automatically for new employees?  That's where the Oracle HR Agent comes into the picture.


Oracle HR Agent Screenshot:

Users vs. Employees

For starters, let's distinguish between users and employees:

USER:  An E-Business Suite user is someone who needs to be able to log into Apps.  That user might need to file expense reports, view her payslip, or file purchase requisitions.  All E-Business Suite users have userids and records in the FND_USER repository, and have associated responsibilities that govern what the functions and data that they can access.

EMPLOYEE:  An employee is someone whose information is managed by the Human Resources module in the E-Business Suite.  Oracle Human Resources tracks information like employee numbers, manager hierarchies, and other personally identifiable information like birthdates.

Employees aren't Necessarily Users



Not all employees are users, and vice versa.  For example, a major retailer might use the E-Business Suite's Human Resources modules to manage employee information for their cashiers, but those cashiers may not be authorized to log into the E-Business Suite at all.


When Worlds Overlap

From an organizational standpoint, this distinction makes a lot of sense.  The HR department manages employees, and the IT department manages E-Business Suite accounts. 

But what happens when those worlds overlap?  Following the example above, what about a scenario where the cashiers are permitted to view their payslips via the Self-Service Human Resources module?

In this scenario, the same person would be represented in two places:
  1. In the Human Resources module
  2. In the Apps FND_USER repository
For E-Business Suite environments that aren't integrated with Oracle Internet Directory, user records need to be individually maintained in each location.

Creating Employee Entries in Oracle Internet Directory

It's possible to use the Oracle Internet Directory Human Resources connector to push employee information from Oracle HR to Oracle Internet Directory.

HRMS to OID:

You can export a subset of employee data from Oracle Human Resources into Oracle Internet Directory.  The connector includes both a prepackaged integration profile and an Oracle Human Resources agent that handles communication with Oracle Internet Directory.

You can schedule the Oracle Human Resources connector to run at any time, configuring it to extract incremental changes from the Oracle Human Resources system. You can also set and modify mapping between column names in Oracle Human Resources and attributes in Oracle Internet Directory.

Exportable HR Attributes

There's a long list of HR employee attributes that you can send to Oracle Internet Directory, including:
  • First name, last name
  • Title
  • Sex
  • Date of birth
  • Employee number
  • Email address
  • Others...
Making A Round Trip

If you recall from a previous article, you can synchronize user information between Oracle Internet Directory and the E-Business Suite's FND_USER like this:

OID to FND_USER Sync:

Therefore, it's possible for employee information to make a round-trip like this:

HR to OID to FND_USER:

Not In the Opposite Direction

This architecture would support a business flow where a new employee is registered in E-Business Suite Human Resources by the HR department.  That employee's information is then propagated via Oracle Internet Directory to FND_USER, where an IT administrator grants the appropriate Apps responsibilities to the user.

The opposite direction is not supported.  It is not possible to have an employee created in Oracle HR based upon a new user entry in Oracle Internet Directory.

Useful for You?

I've heard anecdotal reports that this is a common use case, but actual customer sightings of this in the wild have been rare.  If you're using this setup now, or are interested in using this setup, please drop me a line; I'd be very interested in hearing about your requirements.

Related

Comments:

Good point, Francois.  Thanks for noting that.Regards,Steven 

Posted by Steven Chan on August 18, 2006 at 01:00 AM PDT #

I think you should generalize the HR function to work with a registry of 'Persons', not employees.

In the same way that not all users are employees, human resources must manage people working for/within an organization who are not necessarily employees, such as contractors, temporary staff, etc.

It is after all Human Resources, not Corporate Resources. ;-)

--
François Gendron
Senior Orable Applications Consultant
La Société d'Informatique Gendron Inc.
(514) 212-3994

Posted by François Gendron on August 18, 2006 at 01:33 AM PDT #

Steve, We had built a concurrent process that disables fnd_user for employee that had been retired; we'll be testing this solution to replace our custom code. One thing we’re interested too is the possibility to send an alert when an employee has change his assignment cause sometimes this could be a risk if the employee keep the previous responsibilities that give him access to some system options. It would be nice to have this type of alerts too.

Posted by Eduardo on August 19, 2006 at 07:03 AM PDT #

Eduardo,That's an intriguing use-case; I'd be interested to hear how this works out for you.I'll pass on your comment about assignment changes to the HR Agent product management team.  If you'd like to request this functionality formally, I'd recommend filing an enhancement request via a Service Request so that we have a formal record backed by your customer ID, too.Good luck with your implementation.Regards,Steven 

Posted by Steven Chan on August 21, 2006 at 02:56 AM PDT #

Steven,

Does the same apply to suppliers, clients and prospects from Apps table?

I want all the contact info from these different "persons" to be available in the Collaboration Suite email global directory.

Thanks
Andrew

Posted by Andrew on September 19, 2007 at 01:01 AM PDT #

Hi, Andrew,Sorry for the delay in responding.  I've been working through my post-vacation backlog.No, the OID HR Agent doesn't synchronize suppliers, clients, or prospects from the E-Business Suite to Oracle Internet Directory.  I believe that those entities are handled in the TCA tables.  As far as I'm aware, we haven't built any automated capabilities to provision those entities to Oracle Internet Directory.  You may wish to log an enhancement request with details about the business scenario you'd like to be able to support.   Feel free to forward the ER number to me when you've logged it.Good luck with your implementation.Regards,Steven 

Posted by Steven Chan on October 05, 2007 at 04:23 AM PDT #

Steven,

I started to implement this flow, only to find that the OID connector to FND_USER was unable to populate the employee field on FND_USER, and ended up with duplicated records on the HZ tables. This was back on SSO RUP2. Since then we are using a custom component to do this until the OID connectors can provide this.

I dont know how much of this is implemented on the lastest SSO RUPs, but it would be nice to have the FND_USER connector understand that the OID entry belongs to a employee and associate the FND_USER entry to the existing person and person party.

Regards,
Luis

Posted by Luis Freitas on February 20, 2008 at 05:50 AM PST #

Luis,Thanks for your comments.  This sounds more like a bug with the earlier SSO RUP than a functional limitation.  Our OID - FND_USER synchronization provides the option to automatically link OID users with their corresponding FND_USER entries.  The primary requirement for this to work is that the OID and FND_USER userids be the same, after which they'll be linked via the same Global Unique Identifier (GUID).This is documented in Note 261914.1 in more detail.  If you continue to encounter problems with the latest SSO RUP (detailed in Note 233436.1), I'd suggest logging a formal Service Request in Metalink to engage on of our SSO integration specialists.Regards,Steven

Posted by Steven Chan on February 20, 2008 at 06:03 AM PST #

Hi,
Our solution consists of Oracle EBS HR for employee management and Oracle IAM Suite for user management.

The roles on our solution architecture goes like this:
1. HRMS is responsible for PERSON lifcycle
2. OIM (Identity Manager) is responsible for USER lifecycle on various target system e.g. EBS and OID.

Now when trying to implement this all is needed is SSO registration between EBS and OSSO to achieve alos the single sign on. I've tried to use the script TXKRUN.PL -SCRIPT=SETSSOREG -REGISTERSSO=YES to achieve this. The script runs fine and the EBS appears as partner application on OSSO. The problem is that when the script is run no users cannot be created to EBS and ther error: LDAP_WRAPPER_CREATE_USER_FAIL(USER_NAME=FOO) (REASON=ORA-20001: Unable to call fnd_ldap_wrapper.create_user due to the following reason:
OID is not registered correctly. Please contact system administrator.) is thrown. Is there a way to avoid this? My USER creation should be handled by OIM not EBS.

Posted by Markku on September 08, 2008 at 04:19 PM PDT #

Hi, Markku,

1. It's fine to consider OIM the master source-of-truth for user information. OID can receive updates from OIM, which are then pushed down to your EBS environment from OID. This would mean that you configure your EBS-OID integration to propagate changes unidirectionally from OID to EBS only.

2. Your error message strongly implies that the OID-EBS synchronization integration isn't configured properly yet. I would recommend logging a formal Service Request via Metalink against the AOL team; this will get one of our EBS Single Sign-on specialists engaged with this one.

Feel free to drop me an email with your SR # if it gets bogged down in some way.

Regards,
Steven

Posted by Steven Chan on September 10, 2008 at 01:14 AM PDT #

thaks for all yor contributions so far in ameliorating the pains we face at our respective offices.
i would want to know if there is a way where an administrator who logs in as oracle in the oracle data base will have a uniq user id that can be linked to him and also if there is a way of trackling every job done in the data base by the same adfnministrator. i.e, a compreehenssive log of all the activities carried out in the oracle data base

Posted by omon'ice on October 16, 2008 at 01:26 PM PDT #

Hi,

We have a scenario where in we have OID Synchronized with EBS and have to introduce OIM for EBS account provisioning.

Please help me understand:

In this scenario OIM need to create the account in FND_USER table and that will get it synchronised with OID. -Use EBS connector
Or create an account in OID (use OID connector) and get it sync with EBS.

Posted by Venky on January 06, 2009 at 05:35 PM PST #

Hi, Venky,

We're still working on our OIM integration into an environment that already has EBS and OID in place. Until then, I don't have a lot of experience-based (and hence, officially supportable) guidance that I can provide here.

The potentially tricky thing about introducing OIM is to ensure that there are no conflicts with the existing EBS+OID synchronisation.

If you're brave enough to try this in advance of the publication of our best-practices recommendations, then I'd suggest that the choice of OIM connector depends on your current EBS+OID provisioning cardinality.

In other words, if you've currently selected the "EBS to OID" provisioning path, then OIM should push its newly-created users into EBS.

Likewise, if you've currently selected the "OID to EBS" provisioning path, the OIM should push its newly-created users into OID.

Good luck with this integration. Please feel free to share your experiences here or via a private email to me.

Regards,
Steven

Posted by Steven Chan on January 08, 2009 at 04:49 AM PST #

Hi Steven,

Thanks alot for the comment.

Also what is minimum priviledge OIM can have to create and modify accounts in OID and EBS? -apart from sys admin.

Thanks.

Posted by venky on January 08, 2009 at 06:29 PM PST #

Hi, Venky,

As I mentioned, I'm afraid that I don't have a lot of hands-on experience with OIM yet. Until we've published our EBS best practices paper (no ETA yet), your best bet would be to log a formal Service Request via Metalink against the OIM product to get help with this.

Regards,
Steven

Posted by Steven Chan on January 09, 2009 at 02:52 AM PST #

Post a Comment:
  • HTML Syntax: NOT allowed
About

Search

Categories
Archives
« July 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today