User Account in Oracle Fusion HCM




Configuration for User Account:


1. Set up for automatic User Account Creation.

Go to FSM --> Manage Enterprise HCM Information -->

This setup ensures that user accounts are created automatically for each person.

2. User Name generation method.

This set up is done in Security Console.
Go to Tools --> Security Console --> User Categories


This ensures that if a work email address is present in the Worker.dat file when worker information is loaded, a user account is created by default with a user name that is the same as the person’s work email address. However, it remains in pending status, because we need to run Send Pending LDAP Requests for the user name to be reflected.



After the ESS job “Send Pending LDAP Requests” completes successfully, the user account is reflected as the person’s work email address.
If no work email address is provided while loading Worker.dat, the system should still create a user account by default, because “Generate system user name when generation rule fails” is enabled (per the Security Console setup). This rule works as follows:

The configured user-name rule may fail if a work email address is not provided while loading the person record. If the System User Name configuration is enabled, the user name is generated by applying these options in the following order until a unique user name is defined:

1. Email
2. FirstName.LastName
3. If only the last name is available, then a random character is prefixed to the last name.

So, when a work email address is not provided in the Worker.dat file, the user account is generated as “FirstName.LastName” once the Worker file has been loaded into Oracle Cloud and “Send Pending LDAP Requests” has completed. If we do not submit this ESS job, the user account is not created and the request sits in the LDAP tables.

Therefore, after a successful load of the Worker HDL file, we need to run this ESS job to ensure the user name is created. If we do not submit this job and then try to update the user name, the HDL import and load process will complete successfully, but the result may not be as expected. For example, if a person “John Smith” was loaded into Oracle Cloud using HDL without a work email address, a request to generate the user name “John.Smith” is created in the Identity Store and stays in pending status. If we now send an HDL file to update the user name to “SmithJ”, the import and load process will complete successfully. Once the ESS job that sends pending LDAP requests completes, it creates the user as “John.Smith” and not “SmithJ”, because that request was first in the queue. Hence, it is important to submit this ESS job after the Worker load completes successfully.



Loading User Updates using HCM Data Loader

1. Create a User

To create a user that does not yet exist in the system, we need to set the attribute GenerateUserAccount to ‘Y’.

METADATA|User|PersonNumber|Username|GenerateUserAccount
MERGE|User|101|John.Smith|Y

2. Update a User

If the user account already exists in the system, the following User.dat template updates the existing user name.

METADATA|User|PersonNumber|Username|GenerateUserAccount
MERGE|User|101|JohnS|Y
MERGE|User|102|MorrisonA|Y

We can set GenerateUserAccount to ‘Y’ for an update as well. However, if we know that a user account has already been created for a person, we do not need to include the GenerateUserAccount attribute in the HDL file.

Issues and Workaround
  • Username not getting generated automatically.
When we load a Worker.dat file into Oracle Cloud without a work email address, the user name should be auto-generated as first_name.last_name. Currently, we see issues with auto-generation of the user name based on the configurations. This happens when we introduce Assignment EIT Information in the Worker.dat file.

Observations:

It works fine when we remove Assignment EIT information from the Worker HDL file. There are two attributes on the Assignment EIT HDL file which are deprecated post 19B and will need to be removed from the HDL file in a future release. These attributes are EffectiveLatestChange and EffectiveSequence.





When we keep Assignment EIT Information in the HDL file, the user account is generated when we re-load the same file one more time.


Workaround:

a. Reprocess the same HDL file one more time and run a report to ensure the user name is generated by Oracle.
b. Remove Assignment EIT from the Worker.dat file when we are loading the Worker for the first time. Process Assignment EIT information separately.
c. Modify the User.dat template to include the attribute “GenerateUserAccount” and set it to ‘Y’. This will work in both ‘Create’ and ‘Update’ mode.

  •  Username not getting updated correctly.
The user name is not getting updated despite HDL process completing successfully. Here are the possible reasons for this issue:

a. The user name does not exist in the system and we are not sending the information that tells Oracle Cloud to create this user account for the first time (GenerateUserAccount).
b. The user name does not exist in the system but there is a request pending in LDAP. In such cases, the pending LDAP request takes precedence over the user name provided in the HDL file, and upon successful completion of the ESS job “Send Pending LDAP Requests”, the user name from the earlier pending request is the one reflected. Therefore, we should run this ESS job after a successful load of the Worker.dat file into Oracle Cloud to avoid this issue.
c. A user with the same user name as the one in the .dat file already exists in the Identity Store. The user name in OID must be unique.
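
One way to check a User.dat file for the three causes listed above before loading it, as an added example (not code from the original post or from Oracle). The accounts and pending dictionaries are assumed snapshots, for instance exported from PER_USERS and PER_LDAP_USERS; the function names and the sample rows are constructed.

```python
# Added example: pre-load check of a User.dat file against a snapshot of
# current account state. The snapshot layout is an assumption of this sketch.
from dataclasses import dataclass

@dataclass
class Finding:
    person_number: str
    reason: str   # "a", "b" or "c", matching the list of causes above
    detail: str

def parse_user_dat(text):
    """Return MERGE|User rows as dicts keyed by the METADATA attribute names."""
    header, rows = None, []
    for raw in text.splitlines():
        parts = raw.strip().split("|")
        if parts[:2] == ["METADATA", "User"]:
            header = parts[2:]
        elif parts[:2] == ["MERGE", "User"]:
            if header is None or len(parts) - 2 != len(header):
                raise ValueError(f"no matching METADATA line for: {raw!r}")
            rows.append(dict(zip(header, parts[2:])))
    return rows

def check_user_dat(text, accounts, pending):
    """accounts: PersonNumber -> current user name (people who have an account).
    pending: PersonNumber -> user name held in an unprocessed LDAP request."""
    findings, owner = [], {name: pn for pn, name in accounts.items()}
    for row in parse_user_dat(text):
        pn, new = row.get("PersonNumber", ""), row.get("Username", "")
        if pn in pending:  # cause b: the queued request is applied first
            findings.append(Finding(pn, "b", f"pending request for {pending[pn]!r}; run Send Pending LDAP Requests first"))
        elif pn not in accounts and row.get("GenerateUserAccount") != "Y":
            findings.append(Finding(pn, "a", "no account exists and GenerateUserAccount is not Y"))
        taken_by = owner.get(new)
        if taken_by is not None and taken_by != pn:  # cause c: name not unique
            findings.append(Finding(pn, "c", f"{new!r} already belongs to person {taken_by}"))
        owner.setdefault(new, pn)  # also catches duplicates inside the file
    return findings

# Constructed sample input, not taken from a real environment.
SAMPLE = """METADATA|User|PersonNumber|Username|GenerateUserAccount
MERGE|User|101|SmithJ|Y
MERGE|User|102|MorrisonA|
MERGE|User|103|JohnS|Y
"""
ACCOUNTS = {"104": "JohnS"}       # person 104 already owns JohnS
PENDING = {"101": "John.Smith"}   # person 101 has a queued request
```

With the sample data, person 101 is reported for cause b, person 102 for cause a and person 103 for cause c.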

Addendum:

When a worker is loaded into Oracle Cloud, data is inserted into the PER_LDAP_USERS and PER_LDAP_REQUESTS tables with request_type = ‘REQUEST’. Upon successful completion of “Send Pending LDAP Requests”, the request status changes from ‘REQUEST’ to ‘COMPLETE’ (when request date <= SYSDATE) and the PER_USERS table is populated with the user name information.

The key columns on PER_LDAP_REQUESTS are ACTIVE_FLAG and REQUEST_STATUS. When hired via the user interface, the active flag is set to 'Y', and an event is fired to create the user in OIM. The request status changes from 'REQUEST' to 'IN PROGRESS' to 'COMPLETE'. While creating an Employee, if the hire date is today or the past day, the system creates the user account for the employee immediately.

For people with a future hire date the active flag is set to 'N' with a status of 'REQUEST'. The account will be created when the Send Pending LDAP Requests program is processed on or after the Hire Date.


For people loaded via File Loader, rows are created on PER_LDAP_REQUESTS with an active flag of 'B' for batch. These accounts will be created when the Send Pending LDAP Requests process is run.



Once the account is created in OIM and the status is 'COMPLETE', OIM communicates back to Fusion HCM, and records are then created in the following tables:

PER_USERS
PER_USER_ROLES
PER_USER_HISTORY

The creation of user accounts can be suppressed by setting the User Account Creation field on the Enterprise to None. In this case a row is created on PER_LDAP_REQUESTS with a status of 'SUPPRESSED'. No account is created.

SQL to get the user name in Oracle HCM (PER_USERS) and Identity Store (PER_LDAP_USERS).


SELECT  PAPF.PERSON_NUMBER,
        PPNF.LAST_NAME,
        PPNF.FIRST_NAME,
        PPNF.DISPLAY_NAME,
        PU.USERNAME,
        PU.ACTIVE_FLAG,
        LDAPU.REQUEST_STATUS,
        LDAPU.USERNAME LDAP_USERNAME,
        LDAPU.REQUEST_TYPE,
        LDAPR.ACTIVE_FLAG LDAP_ACTIVE_FLAG,
        LDAPR.REQUEST_DATE,
        LDAPR.LDAP_REQUEST_ID               
FROM PER_ALL_PEOPLE_F PAPF,
     PER_PERSON_TYPE_USAGES_M PPTUM,
     PER_PERSON_NAMES_F PPNF,
     PER_USERS PU,
     PER_LDAP_REQUESTS LDAPR,
     PER_LDAP_USERS LDAPU
WHERE PAPF.PERSON_ID = PPNF.PERSON_ID
AND ((TRUNC(SYSDATE) BETWEEN PAPF.EFFECTIVE_START_DATE AND PAPF.EFFECTIVE_END_DATE) OR (TRUNC(SYSDATE) < PAPF.EFFECTIVE_START_DATE))
AND ((TRUNC(SYSDATE) BETWEEN PPNF.EFFECTIVE_START_DATE AND PPNF.EFFECTIVE_END_DATE) OR (TRUNC(SYSDATE) < PPNF.EFFECTIVE_START_DATE))
AND PPNF.NAME_TYPE = 'GLOBAL'
AND PU.PERSON_ID(+) = PAPF.PERSON_ID
AND PPTUM.PERSON_ID = PAPF.PERSON_ID
AND PPTUM.EFFECTIVE_LATEST_CHANGE = 'Y'
AND PPTUM.SYSTEM_PERSON_TYPE <> 'CON' -- To exclude Contact
AND ((TRUNC(SYSDATE) BETWEEN PPTUM.EFFECTIVE_START_DATE AND PPTUM.EFFECTIVE_END_DATE) OR (TRUNC(SYSDATE) < PPTUM.EFFECTIVE_START_DATE))
AND LDAPR.REQUESTING_REFERENCE_ID(+) = PAPF.PERSON_ID
AND LDAPR.LDAP_REQUEST_ID = LDAPU.LDAP_REQUEST_ID(+)
ORDER BY PAPF.CREATION_DATE DESC

Comments

  1. Great !!! I was looking out for this information. Thanks for sharing

  2. Hi Team,

    We have to create user accounts and assign them roles. We don't have person number information in cloud. How can we create user accounts without the person number/person ID in Oracle Cloud? Can anyone provide me an HDL without the person number, or any other approach to create user accounts in bulk?

    I am using the HDL below but it's giving an error.



    METADATA|User|Username|CredentialsEmailSent|Suspended|RoleCommonName|AddRemoveRole

    MERGE|User|Test|N|N|ORA_PER_EMPLOYEE_ABSTRACT|ADD



    Regards,

    Nilesh
