1. Implementation Guide
  2. Set Up Users and Roles

2 Set Up Users and Roles

Set Up Initial User

Use this topic to set up the initial user for the Launch application.

After you have signed up with your Oracle cloud service, you receive the user name and password for one initial user. The initial user is provisioned with the job roles and privileges necessary to perform many implementation tasks, including creating other users.

Note:

You either do additional set up for the user in the Welcome Email or create another user and then grant administrative privileges to the new user.

You must add the following job roles to the initial user through Security Console. If you need more information about adding roles, see Assign Roles to an Existing User.

Here are the quick steps to adding roles as per your business requirements:

  1. In the Security Console, click the Users tab.

  2. Search and select the user to whom you want to assign these job roles.

    Table 2-1 Job roles of the initial user

    Job Roles Description

    Product Manager

    Manage items and item catalog, and view communications item schema.

    Application Implementation Consultant

    Manage users and roles, functional setups user, resource organization administration, inventory management, and elastic search setup used in the landing pages and its initial ingest.

    Product Data Steward

    Upload data for item import, product hub administration, and item management.

    IT Security Manager

    Perform user and role setup.

    Communications Catalog Administrator

    Manage operations for catalog resources including import, export, and publishing of catalog definitions to run-time applications.

    Product Specialist

    Manage technical portfolio, including creating and managing specifications.

    Marketing Manager

    Manage launch of new product offerings by cloning or reusing existing products, services, and more.

  3. On the User Account Details page, click Edit .

  4. In the Roles section, click Add Role.

  5. Search for the role that you want to assign to the user and then click Add Role Membership.

  6. Repeat the previous step to add more roles, and then click Done.

If you're looking for information on provisioning and activating Oracle Cloud services, adding other users who would manage the services, or about securing your Cloud applications, see Guidelines for Configuring Security in Oracle Applications Cloud.

Launch application uses the role-based access control security model to secure access to application functionality and data. In a role-based access control security model, users are assigned roles, and roles are assigned access privileges to protected system resources. This is what we call as an Application user. In addition, you might want to create a Resource user based on your need to support Offer approvals feature and multiple business units feature based on your organization needs. See Set Up Business Units.

You have two choices:
  • If you are planning to use Offer design time approvals, and/or your organization does want to implement multiple business units today or in the future, you should start with the creation of a resource user to start using the application.
  • If you are not planning to use Offer design time approvals, and/or your organization does not have multiple business units, you can create just the Application user to start using the application. You do not need to create an Organization or a Business Unit or a Resource user.

Create Application Users and Assign Job Roles

Use this topic to set up users in the Launch application based on your requirements.

Create Application Users

Here's the mapping of users and roles that you may create using Security Console. For more information on role mappings and provisioning, see Role Mappings.

Table 2-2 Users and Roles

Create These Users Assign These Roles

Administrator

Communications Catalog Administrator

Product Manager

Communications Catalog Product Manager

Marketing Manager

Communications Marketing Manager

Read-Only Use

Communications Catalog Viewer

Product Specialist

Communications Product Specialist

Create a Resource User

You must create a resource user for the multiple business units and offer approvals to work. You then configure the resource hierarchy so that the approvals traverse up through the hierarchy. Provide Resource Role, Reporting Manager, and Organization (Resource Organization) as additional details. You can select a user organization or create a new resource organization as organization while creating a resource user. See Example of a Sales Resource Hierarchy to configure the resource hierarchy.

Do remember that the approval process would work only when the associated initiative is configured for approvals.

You must add the required job roles to the resource user through the Security Console. If you need more information about adding roles, see Assign Roles to an Existing User.

Synchronize Roles and Privileges

Use this topic to synchronize the roles and privileges with Security Console.

After configuring roles and users, run the Import User and Role Application Security Data scheduled process to synchronize the changes with Security Console. If you have administrator privileges, here are the quick steps to help you get started. For more information on scheduled processes, see Import Roles and Privileges into Security Console.

  1. Go to Navigator > Tools > Scheduled Processes and then click Schedule New Process.

  2. Click Search corresponding to the Name drop-down list.

  3. Under Search and Select, enter Import Users and Role in the Name field and click Search.

  4. From the search result, select Import User and Role Application Security Data and click OK.

  5. Click OK, and then click Submit. It may take a few moments for the process to complete.

Synchronize All Users Between Launch Cloud Service and Customer Experience Industry Framework Identity Management

To synchronize all users between Launch Cloud Service and Industry Framework Identity Management, you need to:

  • Configure the application and define user name suffixes.

  • Test the configuration.

  • Activate the synchronization process.

To configure the application:

  1. Log in to your CX Industry Framework identity domain in your Oracle Cloud Infrastructure account. You can get this link from your welcome email. If you have questions about which tenancy and domain to log in to, contact your Oracle Support team.

  2. Create a new application by selecting Applications in the navigation pane, and then click the Add application button.

  3. Select Application Catalog and then click the Launch app catalog button.

  4. Search for and select the template named Oracle Fusion Applications Release <X>, where the release is 13 or later.

  5. On the Add Oracle Fusion Applications Release screen, complete these fields:

    • Name

    • Description (optional)

    • Application icon (optional)

  6. Click Next.

  7. In the General section, complete these fields using a bogus URL that begins with http:// and ends with .com:

    • Entity ID: http://bogus-url.com

    • Assertion Consumer URL: http://bogus-url.com

  8. Under Additional configurations, complete these fields with the same URL:

    • Single Logout URL: http://bogus-url.com

    • Logout Response URL: http://bogus-url.com

  9. Click Next.

  10. Turn On Enable Provisioning and click Confirm.

  11. In the Configure connectivity section, complete the following fields:

    • Administrator Username: Enter your Fusion applications administrator credentials.

    • Administrator Password: Enter your Fusion applications administrator password.

    • Host Name: Enter the Fusion application URL hostname portion without http://. For example, myFAhostname.oraclecloud.com

    • Port Number: 443

    • SSL Enabled: Select this option.

  12. In the Provisioning Operations section, complete these fields:

    • Authoritative sync: Select this option.

    • Create account: Select this option.

    • Update account: Select this option.

    • Deactivate account: Select this option.

    • Delete account: Deselect this option

  13. Turn on Enable Synchronization.

  14. Scroll up to view the Configure Attribute Mapping section and click the Attribute mapping button.

  15. On the Attribute mapping screen, select the Application to identity domain option.

  16. Locate the row with the User column value set to Federated and modify the source value in the left column to be true where it says false.

  17. Click the Save changes button, which returns you to the previous screen.

  18. In the Configure synchronization section, complete the Synchronization Schedule field with the frequency you want to use for synchronization. The recommended value is Every hour.

  19. Click Finish.

  20. When you are ready to either test the synchronization, or make the synchronization live, Click Activate and continue to the next task.

After you configure the application you need to import users and groups that you want to synchronize, and test the synchronization setup to ensure that the selected application users and groups are being synchronized to the Fusion application identity domain. When you have successfully tested the synchronization, you then activate the process using the instructions in the next task.

To test the synchronization

  1. From where you left off in the previous task, scroll down to the Resources section in the navigation panel and select Import, and then click the Import button.

  2. The message on the screen indicates that the import job has been submitted and is running. Refresh the screen until the Import status changes to Complete.

  3. Go back to the main screen for the Fusion applications identity domain to verify that users were successfully copied from Fusion applications.

  4. In the navigation pane, click Users and Groups respectively to verify:

    • Groups: Verify that the groups you expect to see are available.

    • Users: Verify that the users you expect to see are available and that they are members of the correct groups.

  5. Remove the test results by completing these steps:

    • Deactivate the application created in the previous task.

    • Delete all users and groups that were migrated into Fusion applications identity domain.

  6. Complete the steps in the next task to activate the synchronization process.

To activate the synchronization process:

  1. Log in to your CX Industry Framework identity domain in your Oracle Cloud Infrastructure account. You can get this link from your welcome email. If you have questions about which tenancy and domain to log in to, contact your Oracle Support team.

  2. Select Domains, then click on the domain name.

  3. Select Oracle Cloud Services from the navigation panel and locate the application corresponding to the CXIF instance. The name starts with either CXIF or DX4C, and the description likely reads CXIF IDCS Application. It was created during the CX Industry Framework provisioning process.

  4. Select the application and then, under Resources, select Application roles.

  5. Verify that the application has the following application roles:

    • dx_DX4C_Configuration_Endpoint_Read

    • dx_DX4C_Configuration_Endpoint_Write, and others

  6. Using the steps in the previous task, activate the application and import the users and groups again.

  7. When the import is complete, return to your CX Industry Framework identity domain, select your domain, and then select Groups from the navigation pane. Verify that these groups are displayed:

    • Communications Customer Service Administrator

    • Communications Customer Service Manager

    • Communications Customer Service Representative

  8. Return to the application referenced in step 3, and then select Application roles. The roles beginning with "dx" are displayed.

  9. Assign Groups to the role dx_DX4C_Configuration_Endpoint_Read. To assign the groups, complete these steps for each role:

    1. Click on the action menu and click Assign groups.

    2. Select the three groups listed above that are associated with the utility customer service agent, manager, and administrator, and click Assign.

  10. Once all of the groups are assigned, you have completed the process.

Create Aftermarket Extensibility Administrative User

Use this topic to create an aftermarket extensibility administrative user.

You can now extend the product offering entity by specifying a list of fields to be extended using the Launch user interface. The administrative user for this function can upload the spreadsheet containing the list of fields to be extended. The fields should be simple attributes of type text, number and check box.

For example, if a communications service provider wants to extend the product offering entity, say, SupremoProductOfferingInfo with the additional field partnerBrand and similar other fields, the user with the custom job role Catalog Extension Management Duty Role has the privileges for this extension.

Here's how you can create the user for this role:

  1. In the security console, click Roles.
  2. Click Create role.
  3. Create a CRM job role by entering a unique role name and role code.
  4. Go to the Role Hierarchy tab and search for Catalog Extension.
  5. Select the Catalog Extension Management duty role.
  6. Verify the function security policies listed in the tab.
  7. Ensure that these are configured in the above list:
    • Manage Extensible Object
    • Manage Catalog Extension
    • View Catalog Extension
    • View Extension Tile

    Note:

    The Administer Sandbox privilege must be added manually from Add Function Security Policy even if it's inherited from the Catalog Extension Management duty role.
  8. Click Add Function Security Policy, search for the Administer Sandbox privilege and click Add Privilege to Role.
  9. Go to the Users tab, and click Add User.
  10. Select the user you want to configure the role for.
  11. Click Add user to Role.
  12. Save the job role.