Configure Integration Between Oracle Access Governance and Oracle Fusion Cloud Applications

Prerequisites

Before you install and configure an Oracle Fusion Cloud Applications orchestrated system, you should consider the following pre-requisites and tasks.

Certification

You must certify your Oracle Fusion Cloud Applications system to access Oracle Access Governance. Refer to Certified Components for details of the versions supported.

Manage Data Roles and Security Profiles

Before configuring your orchestrated system you should setup either an HCM or ERP service account and grant permissions required to integrate with Oracle Access Governance.

You must have the IT Security Manager Job role (ORA_FND_IT_SECURITY_MANAGER_JOB). To view a list of Default Roles or permissions, see Grant Default Roles or Permissions.

  1. Log in to Oracle Fusion Cloud Applications.
  2. Go to My Enterprise > Setup and Maintenance.
  3. Click Tasks icon located at the right-side of the page.
  4. Click Search and select Manage Data Role and Security Profiles.
  5. Search for the desired job role that does not have any security profiles.
  6. Click +Create.
  7. Enter data role name and select the job role to inherit.
  8. Click Next and select View All across security profile configurations.
  9. Click Next to review and Submit.
  10. Search for the data role created. Notice that now the Security Profile Assigned column is now selected.
  11. Click Done.

You must create a service account and assign this data role to the service account.

Create a Service Account and Grant Default Roles

The service account should be used when configuring the connection in your orchestrated system. You can set this service user up using default Oracle Fusion Cloud Applications roles and permissions, or using a custom role.

Create a Service Account

You must have the IT Security Manager Job role (ORA_FND_IT_SECURITY_MANAGER_JOB).

  1. Log in to Oracle Fusion Cloud Applications.
  2. From the Navigator, go to Tools > Security Console
  3. Select Users > Add User Account.
  4. Enter the required fields for User information.
  5. Click Save and Close. Ensure the status is Active.
  6. Select the user and click Edit.

Add Roles to Service Account

  1. Select the Add Role button.
  2. For HCM, assign the default roles one at a time to the account. See Grant Default Roles or Permissions
  3. For ERP, assign the default roles one at a time to the account. See Grant Default Roles or Permissions

    Note:

    If you are configuring both HCM and ERP, then you must assign all the default roles for HCM and ERP.

    Note:

    You must add the required Look up Types for the Access Request Security Administrator. See Add Lookup Types.
  4. Assign the Data Role created in the previous task. See Manage Data Roles and Security Profiles.
  5. Click Save and Close.
  6. Search account and verify roles needed are assigned.
  7. Verify the creation of the new service account by logging in.

Grant Permissions Using a Custom Role

An alternative to using default Oracle Fusion Cloud Applications roles and permissions is to setup a custom role for your service user. This allows you to conform to the principle of least privilege by only configuring the fine-grained privileges required by the service user.

To create your custom role:
  1. Create an Oracle Fusion Cloud Applications role of category Common - Job Roles.
  2. Add the privileges into the function security policies train stop. Refer the list: Grant Privileges.
  3. Add the aggregated privileges as role into the role hierarchy train stop. Refer the list: Grant PrivilegesGrant Aggregated Privileges.
  4. Grant Data Security Policies for the right data set to the custom role. If you do not grant the right data security policies, some data may not be returned. The API calls will not fail (200 OK), but the count will be 0 if the data security policies are omitted.
  5. Assign the custom role to the Service Account. See Add Role to Service Account.

Run Refresh Access Control Data Job

You must run the Access Control Data Job after configuring the service account. This job runs every hour, by default or you may choose it to run manually. To run the job:
  1. Navigate to ToolsScheduled Processes.
  2. Search Refresh Access Control Data.
  3. Select Schedule New Process.
  4. Select Refresh Access Control Data as job name and enter meaningful description.
  5. Select Full Refresh or Incremental Refresh, as required to run the job.
  6. Click OK.
  7. Click Submit. Copy the process ID number.

Add Lookup Types for Access Request Security Administrator

The following lookup type permission must be granted for Access Request Security Administrator role type

  1. Log in to Oracle Fusion Cloud Applications.
  2. Go to My Enterprise > Setup and Maintenance.
  3. Click Tasks icon located at the right-side of the page.
  4. Click Search and select Manage Standard Lookups.
  5. Add the new lookup type FUN_DS_OPTIN_OPTIONS by using the following lookup Code FUN_DS_GET_BOOKCODE.
  6. Click Save and Close.

Risk Management Cloud (RMC) Segregation of Duties (SoD) Check

You can evaluate assign roles to users within Oracle Fusion Cloud Applications to ensure that role assignment is valid and doesn't violate SOD checks.

User Account Creation & Linking

A user account must have an associated worker information. Verify this, from the Security ConsoleUsers page, a linked account shows Associated Worker Information.

Mandatory Background Jobs: After creating or updating the user account, ensure to run the following jobs as the IT Security Manager within Oracle Fusion Cloud Applications:
  • Import User and Role Application Security Data
  • Global User Synchronization
Verify User Visibility in Risk Management
  1. Navigate to Risk Management → Setup and Administration → Global User Configuration.
  2. Search for the user for whom you want to run the SOD violations check.
Workflow Configuration

You must attach an approval workflow with an access bundle to process violation checks. If an access bundle has no approval workflow assigned, Oracle Access Governance triggers the SoD violations check but the provisioning proceeds immediately even if potential violations exist. When an approval workflow is attached, Oracle Access Governance pauses the request until the SoD analysis completes.

For more information, see Preventive Segregation of Duties.

Authenticating with OCI OAuth

Use the steps to authenticate Oracle Fusion Cloud Applications using OAuth with Oracle Cloud Infrastructure (OCI) instance to integrate with Oracle Access Governance.

In Oracle Fusion Cloud Applications, create a Service Account and grant permissions required to integrate with Oracle Access Governance.

Access Certificates and Keys

Use a certificate issued by a trusted Certificate Authority (CA) in the PEM format for secure authentication and compatibility, or leverage OCI Certificate Service to generate and manage certificates efficiently.

  1. To create a certificate, refer the steps as explained in Creating a Certificate in OCI IAM.
  2. To retrieve a certificate, ensure that the Identity Domain is configured to issue and sign tokens.
    1. In the Identity & Security, and click Domains.
    2. From the Settings tab, enable Access signing certificate.
  3. In Identity Domain console, navigate to Security > Certificates.
  4. Click on the certificate name to view its details.
  5. Download the certificate in PEM or CER format. This file will be used to validate the signature of OAuth tokens in your application.

Import Certificate as the Trusted Partner Certificate

  1. Navigate to Identity & Security, and click Domains.
  2. Choose a compartment where your Oracle Access Governance service instance is located, and then select the domain.
  3. Select the Security tab.
  4. Click Import certificate.
  5. Enter the same alias name that you provided while generating the keystore file certificate alias, and import the .cer file.
  6. Click Import. Ensure correct alias is correct, showing both the SHA-1 Thumbprint and SHA-256 Thumbprint, the Certificate Start Date, and the Certificate End Date

Create an Integrated Confidential Type Application

  1. Navigate to Identity & Security, and click Domains.
  2. Select Domains.
  3. Click the Integrated applications tab.
  4. Click Add application.
  5. Select Confidential Application tile, and then click Launch workflow.
  6. In the Details page, enter the following:
    1. Enter name and description for the confidential application.
    2. Click Submit.

Edit OAuth configurations

  1. Select the OAuth configuration tab.
  2. Select Edit OAuth configuration.
  3. Select Configure this application as a client now.
  4. Select Client Credentials, JWT assertion and Refresh token grant types
  5. Choose Trusted as the Client type option.
  6. Import the certificate.
  7. Select On behalf of as the Allowed operations.
  8. Select network perimeter to restrict login attempts to specific IPs or ranges, else select Anywhere.
  9. Under the Token Issuance Policy, select All.
  10. In the Add Scopes section, select the Oracle Fusion Cloud Applications application references.
  11. Click Submit.
  12. Activate the application, click the Actions icon and then select Activate. The status should change from Inactive to Active.

Configure

You can establish a connection between Oracle Fusion Cloud Applications and Oracle Access Governance by entering connection details. To achieve this, use the orchestrated systems functionality available in the Oracle Access Governance Console.

Navigate to the Orchestrated Systems Page

The Orchestrated Systems page of the Oracle Access Governance Console is where you start configuration of your orchestrated system.

Navigate to the Orchestrated Systems page of the Oracle Access Governance Console, by following these steps:
  1. From the Oracle Access Governance navigation menu icon Navigation menu, select Service Administration → Orchestrated Systems.
  2. Click the Add an orchestrated system button to start the workflow.

Select system

On the Select system step of the workflow, you can specify which type of system you would like to integrate with Oracle Access Governance.

You can search for the required system by name using the Search field.

  1. Select Oracle Fusion Cloud Applications.
  2. Click Next.

Add details

Add details such as name, description, and configuration mode.

On the Add Details step of the workflow, enter the details for the orchestrated system:
  1. Enter a name for the system you want to connect to in the Name field.
  2. Enter a description for the system in the Description field.
  3. Determine if this orchestrated system is an authoritative source, and if Oracle Access Governance can manage permissions by setting the following check boxes.
    • This is the authoritative source for my identities
    • I want to manage permissions for this system
    The default value in each case is Unselected.
  4. If you are managing permissions with this orchestrated system then an additional check box is displayed for Segregation of Duties Checks:
    1. In Oracle Fusion Cloud Applications, ensure that a user account is created and linked to the worker's person record. A successfully linked account will display the associated person information in the Security Console under the Users page.
    2. To enable this option for your orchestrated system select Enable Risk Management and Compliance (RMC) integration for separation of duties check
  5. Click Next.

Add Owners

Add primary and additional owners to your orchestrated system to allow them to manage resources.

You can associate resource ownership by adding primary and additional owners. This drives self-service as these owners can then manage (read, update or delete) the resources that they own. By default, the resource creator is designated as the resource owner. You can assign one primary owner and up to 20 additional owners for the resources.

Note:

When setting up the first Orchestrated System for your service instance, you can assign owners only after you enable the identities from the Manage Identities section.
To add owners:
  1. Select an Oracle Access Governance active user as the primary owner in the Who is the primary owner? field.
  2. Select one or more additional owners in the Who else owns it? list. You can add up to 20 additional owners for the resource.
You can view the Primary Owner in the list. All the owners can view and manage the resources that they own.

Account settings

Outline details of how to manage account settings when setting up your orchestrated system including notification settings, and default actions when an identity moves or leaves your organization.

On the Account settings step of the workflow, enter details of how you would like to manage accounts with Oracle Access Governance when configured as a managed system:
  1. Select to allow Oracle Access Governance to create new accounts when a permission is requested, if the account does not already exist. By default this option is selected meaning that an account will be created if it does not exist, when a permission is requested. If the option is unselected then permissions can only be provisioned where the account already exists in the orchestrated system. If permission is requested where no user exists then the provisioning operation will fail.
  2. Select where and who to send notification emails when an account is created. The default setting is User. You can select one, both, or none of these options. If you select no options then notifications will not be sent when an account is created.
    • User
    • User manager
  3. When an identity leaves your enterprise you should remove access to their accounts. You can select what to do with the account when this happens. Select one of the following options:
    • Delete
    • Disable
    • No action

    Note:

    The options above are only displayed if supported in the orchestrated system type being configured. For example, if Delete is not supported, then you will only see the Disable and No action options.
  4. When all permissions for an account are removed, for example when moving from one department to another, you may need to adjust what accounts the identity has access to. You can select what to do with the account when this happens. Select one of the following options:
    • Delete
    • Disable
    • No action

    Note:

    The options above are only displayed if supported in the orchestrated system type being configured. For example, if Delete is not supported, then you will only see the Disable and No action options.
  5. If you want Oracle Access Governance to manage accounts created directly in the orchestrated system you can select the Manage accounts that are not created by Access Governance option. This will reconcile accounts created in the managed system and will allow you to manage them from Oracle Access Governance.

Note:

If you do not configure your system as a managed system then this step in the workflow will display but is not enabled. In this case you proceed directly to the Integration settings step of the workflow.

Note:

If your orchestrated system requires dynamic schema discovery, as with the Generic REST and Database Application Tables integrations, then only the notification email destination can be set (User, Usermanager) when creating the orchestrated system. You cannot set the disable/delete rules for movers and leavers. To do this you need to create the orchestrated system, and then update the account settings as described in Configure Orchestrated System Account Settings.

Integration settings

Enter details of the connection to your Oracle Fusion Cloud Applications system.

  1. On the Integration settings step of the workflow, enter the details required to allow Oracle Access Governance to connect to your Oracle Fusion Cloud Applications system.

    Table - Integration settings

    Pre-condition Parameter Name Description
      Application Type
    • Both: If you want to integrate both HCM and ERP within the same orchestrated system
    • Oracle Human Capital Management (HCM)
    • Oracle Enterprise Resource Planning (ERP)
    Mode: Authoritative Source
    • User Account
    • Person
    • Choose User Account to ingest identities that represents security identity and have system access to Oracle Fusion Cloud Applications.
    • Choose Person to ingest identities containing employment details, such as employee number, work relationships, job code, person record.
    • Application Type: Both and HCM
    • Mode: Managed System
    Areas of Responsibility Select this Areas of Responsibility to ingest AOR as an account attribute when a user account is linked to a person. AOR in Oracle Fusion Cloud Applications defines the scope of a user's functional access.

    Note:

    You cannot provision AOR through Oracle Access Governance, assignment/reassignment is handled in Oracle Fusion Cloud Applications.
    Application Type: Both, HCM, ERP OAuth: OCI IAM for Authentication Select the check box to use OCI IAM for authenticating your Oracle Fusion Cloud Applications instance. Perform the prerequisites for OAuth. See Authenticating with OCI OAuth.
      Oracle Fusion Cloud Applications Host Name Host name to access your Oracle Fusion Cloud Applications system. For example, in your URL, the host name is fa-test.example.com
    https://fa-test.example.com:443/fcsUI/faces/FuseWelcome
      Oracle Fusion Cloud Applications Port Enter the port number at which the source Oracle Fusion Cloud Applications system is listening. For example, in the URL, enter port 443
    https://fa-test.example.com:443/fcsUI/faces/FuseWelcome
     

    What is the username?

    Oracle Fusion Cloud Applications username.
    Basic Authentication Password/Confirm Password Oracle Fusion Cloud Applications password.
    OAuth Domain URL Enter the OCI IAM Domain URL. To find your Domain URL, see Finding an Identity Domain URL.
    OAuth

    Client ID

    Client ID of the OCI IAM confidential application.
    OAuth

    Client secret

    Client secret of the OCI IAM confidential application .
    OAuth

    Private Key

    Enter the encrypted private key (.pem).
    OAuth

    Certificate Alias

    Enter the certificate alias configured while retrieving and importing a certificate.
    OAuth Resource Scope Select the resource scope available in your confidential application. For example:
    urn:opc:resource:faaas:fa:CBxxxxx:opc:resource:consumer::all
  2. Click Add to create the orchestrated system.

Finish Up

Finish up configuration of your orchestrated system by providing details of whether to perform further customization, or activate and run a data load.

The final step of the workflow is Finish Up.

You are given a choice whether to further configure your orchestrated system before running a data load, or accept the default configuration and initiate a data load. Select one from:
  • Customize before enabling the system for data loads
  • Activate and prepare the data load with the provided defaults

Post Configuration

There are no postinstall steps associated with a Oracle Fusion Cloud Applications system.