Integrate with Oracle Fusion Cloud Applications

Overview: Integrate Oracle Access Governance with Oracle Fusion Cloud Applications

Oracle Access Governance can be integrated with Oracle Fusion Cloud Applications, enabling identity orchestration, including on-boarding of identity (user) data and worker information, and provisioning of Oracle Human Capital (HCM) and Oracle Enterprise Resource Planning (ERP) accounts.

Oracle Fusion Cloud Applications provides enterprise Human Capital Management (HCM) and Enterprise Resource Planning (ERP) functionality. Oracle Access Governance supports the following elements within Oracle Fusion Cloud Applications:
  • Oracle Fusion Cloud Applications HCM and Oracle Fusion Cloud Applications ERP as an authoritative (trusted) source of identity information, allowing for reconciliation of employees created or modified in Oracle Fusion Cloud Applications.
  • Oracle Fusion Cloud Applications as a Managed System enabling provisioning of HCM and ERP application accounts.

Oracle Fusion Cloud Applications Integration Architecture Overview

The integration of Oracle Fusion Cloud Applications allows for retrieving identity data and transferring the data to Oracle Access Governance. Once a connection is established, you can perform provisioning and remediation tasks which are visible in the Managed System.

Oracle Fusion Cloud Applications works with the Fusion Apps API to gain access to Oracle Fusion Cloud Applications through the REST API endpoints. This allows Oracle Fusion Cloud Applications to perform create, read, update, and delete operations on Oracle Access Governance.
  • If you select the Authoritative Source mode, you can set up an Oracle Fusion Cloud Applications Orchestrated System, which then allows Oracle Access Governance to retrieve identity data from Oracle Fusion Cloud Applications as an authoritative (trusted) source of identity information.
  • If you select the Managed Systems configuration mode, then Oracle Access Governance will allow you to manage HCM and ERP user profile records in Oracle Fusion Cloud Applications. This enables the provisioning of new accounts in Oracle Fusion Cloud Applications from Oracle Access Governance.

Oracle Fusion Cloud Applications Integration Functional Overview

Oracle Fusion Cloud Applications integration supports both the Oracle Human Capital (HCM) and Oracle Enterprise Resource Planning (ERP) modules, including configuration of the Orchestrated System, user account creation, revocation, password change, and assignment and removal of roles.

Configure Oracle Fusion Cloud Applications Orchestrated System

The first task you need to carry out is to set up and configure the Oracle Fusion Cloud Applications Orchestrated System. This gives Oracle Access Governance the details for how to connect to the Oracle Fusion Cloud Applications system from which you want to load data or manage permissions. Optionally, you can configure further elements of the Orchestrated System before running the initial data load including:

Load Data

After setting up and verifying your Orchestrated System, you can ingest identity and account details from Oracle Fusion Cloud Applications, depending on the configuration mode you have selected, Authoritative Source or Managed System.

In Authoritative Source mode, the data load consists of user data from the Oracle Fusion Cloud Applications HCM and ERP modules. If the user is new, then a new identity is created in Oracle Access Governance. If the identity already exists in Oracle Access Governance, then any updates initiated in the Oracle Fusion Cloud Applications system are applied.

In Managed System mode, the data load comprises user account data and worker information roles from Oracle Fusion Cloud Applications for HCM and ERP. If the account is new, then a new account is created in Oracle Access Governance together with the associated roles. These roles are created in Oracle Access Governance as permissions. Accounts and permissions loaded from Oracle Fusion Cloud Applications can be managed by Oracle Access Governance. You can remediate permissions associated with a managed system account. If the account has only one permission assigned, then remediation of this permission also results in the revoking of the account.

Create Account

As an Oracle Access Governance user, you can request access to resources and roles provided in Request Access.

You can create a user account in Oracle Access Governance in the following ways:
  • Ingestion of user records as data from Oracle Fusion Cloud Applications.
  • When a role, policy, or access bundle containing Oracle Fusion Cloud Applications roles is assigned to an identity. If you have an identity in Oracle Access Governance then you can request an account by using the Request a new access functionality in the Oracle Access Governance console. If you make an access request for an access bundle, or role, after approval, a provisioning operation is initiated. The provisioning process will, if there is not an existing account managed by Oracle Access Governance, create an account on the Oracle Fusion Cloud Applications instance. If an account managed by Oracle Access Governance already exists, then the Oracle Fusion Cloud Applications roles for that account are updated based on the values in the access bundle.

Change Password

The ability to change an account password is provided by the My Access functionality in the Oracle Access Governance Console. If you change the account password on this page, the details are sent to the Oracle Fusion Cloud Applications instance in the next provisioning operation.

For more details, refer to Change Account Password.

Assign Permissions using Security Context

Oracle Access Governance users can request access to resources and roles provided in Request Access. You can assign permissions to an Oracle Fusion Cloud Applications account using the Request a new access functionality of Oracle Access Governance. This allows you to request an access bundle containing permissions with security details to roles on the Oracle Fusion Cloud Applications system. For details on managing roles and policies, see Manage Roles and Manage Policies.

Oracle Access Governance supports the following Security Contexts when integrated with Oracle Fusion Cloud Applications ERP:
  • Business Units
  • Asset Book Value
  • Ledgers or Ledger Sets
  • Reference Data Sets
  • Data Access Sets

When you request an access bundle in Oracle Access Governance for a role, a provisioning operation is initiated which updates the roles in your Oracle Fusion Cloud Applications for the following types of scenarios:

Creating Permission using Security Context during Policy Creation

Permissions with a security context are created while creating a policy with Oracle Access Governance in the following use cases:
  • Create a new access bundle that has a permission with a security context and that is already associated with an identity collection for the policy.
  • Create a new access bundle that has a permission with a security context and that is already associated with an identity collection for the policy. This is applicable in situations when the user already has the access bundle assigned with the same permission, but with a different security context.

Editing Permission for Removal of Security Context

You can edit the permission entitlement using Oracle Access Governance in the following cases:
  • Edit an access bundle that has a permission with a security context to change the security context in a permission entitlement that is already associated with an identity collection for the associated policy.
  • Edit an access bundle that has a permission with a security context to remove the security context from a permission entitlement that is already associated with an identity collection via a policy.

Remove Permissions

You can remove permissions with a security context from an account by revoking the permissions from the role, policy, or access bundle to which they are assigned.