Super User/Role setup for Common Implementation of Fusion Apps

 

Hello Everyone!

This post is about preparing the installed IDM/FA for Common implementation of Fusion Applications (FA).  

 

Please note that this procedure needs to be done for BARE METAL Installation. However for OVM template based installation it has been observed that these steps have been already done as a part of installation. My suggestion for OVM would be to validate these steps and complete any/all of the step(s) as needed.

 

After the installation of FA, an organization starts the common implementation that involves a  series of tasks shown below. 

 

 

This blog is limited to explaining the first 2 tasks in the above diagram. Kindly refer to Getting Started with Fusion Applications : Common Implementation document for  further details.

A little background on why we are doing this.
In Fusion Applications, users along with security are managed by HCM Task flows which require Enterprise structures to be setup.  For setting up these Enterprise structures we need to create specific users in HCM. Initially since there will not be any Enterprise structures, we need to have a Super User who can create appropriate implementation users.

The implementation user created by the super user in turn will be responsible for providing

1. Users and their Security Management.
2. Implementation Project Management.
3. Enterprise Structure creation and management.

As part of our post IDM/FA install, we have to complete  the following two tasks using the OIM system administrator.

1. Preparing Oracle Fusion Applications Super User for User Management and Configuration

    

2. Preparing IT Security Manager Role for User and Role Management

    

 Requirements

 

 Before we begin we have to  make sure the following.

1. FA install is successfully completed. Any RUP install are done and successfully completed.

 

• URLs for Oracle FA and OIM are available.

 

 

• OIM system administrator user and Super User (FAAdmin or weblogic_fa or user defined) credentials.

 

Preparing Oracle Fusion Applications Super User for User Management and Configuration
During the provisioning and installation of Oracle Fusion Application a super user is created by default (FAAdmin or weblogi_fa  etc as provided during the installation). However the email id for this super user may  not be setup correctly during the provisioning and installation. The first task is to make sure the super user has a valid email id as it is mandatory for  User management and configuration.  This could be done in couple of ways

a)      Command Line (Linux)   

Command Line Interface

1. Open a new Terminal.

    

2. Using Vi editor or gedit,  create an ldif file with the following contents (sample.ldif).  I had stored this file along with other property file in the following directory /u01/fastage/prop_files

    

3. In the Oracle Identity management domain (IDM), set  the Oracle Home to point to IDM.

4. Run the ldapmodify command to modify the super user (in this case weblogic_fa) email id.

5. Make sure that the command is run without any errors.

• Run the Reconciliation detailed below (after the GUI Interface for ODSM section)

1. Log into ODSM using OIM administrator (xelsysadmn).

2. Click on “connect to directory” and select OID – OID-SSL  and log in as administrator (cn=orcladmin)

3. Select Data Browser TAB and expand DN “dc=com” which provides the details of the users.

4. Navigate and select the super user “weblogc_fa”.  On the right side pane, you can edit/change the email address.

5. Press APPLY to effect the changes.

Reconciliation

6.      Launch the OIM URL and use the OIM system administrator user name and password to sign in.
7.       Click the Advanced link in the upper right of the interface.

             b.       Enter LDAP User Create and Update Full Reconciliation in the Search Scheduled Jobs field.  

4. Click Run Now to reconcile user updates based on the change log from LDAP.  Scroll down to make sure that the job has run successfully.

• Identity User Administrators, which carries user management entitlement

• Role Administrators, which carries role management entitlement

Note: If you plan to implement your pilot project entirely while signed in as the super user and do not plan to create additional users, then you can skip this step. In reality there would be multiple Fusion Application Users created for various transactions and you are most likely need to perform this step.

1. Sign in to OIM. Launch the OIM URL and use the OIM system administrator user name and password to sign in.

                                a.   Search for the IT Security Manager role, and select the role name in the search results.

                               c.        Click on Add.

                               d.       Select the role category: OIM  Roles and click the find arrow.

                                e.      Select IDENTITY USER ADMINISTRATORS & ROLE ADMINISTRATORS (ctrl + click) and move them to the Add Role list.

3.       ALTERNATE for the above task # 2). You may just add SYSTEMADMINISTRATORS role which Inherits from both the roles Identity user Administrator & Role Administrators)  to IT SECURITY MANAGER role

                           a.        Click the Administrative Roles link in the row of links above the Xellerate Users page.

                                      c.        In the Filter By Role Name field of the Details window, enter *IT_SECURITY_MANAGER*

                                      d.       Click Find.

                                      e.        Enable Read, Write, Delete, and Assign.

                            f.        Click Assign and Confirm.

5. Close the window and sign out.