3/11/2021 Document 1383852.

1
Copyright (c) 2021, Oracle. All rights reserved. Oracle Confidential.

Fusion Applications - Security FAQ (Doc ID 1383852.1)

In this Document

Purpose
Questions and Answers
What are fusion application access URLs ?
Which release of SCIM fusion release 12 use ?
What is the impact to change username ?
What is the different process Retrieve Latest LDAP Changes and Import User and Role Application Security
Data ?
What are the seeded internal users in Fusion Applications ?
Who create the user record in per_users table ?
When creating data role, should we use data role template or task Manage Data Access for Users in fusion release 11 ?
What is the default password expiration period for Fusion Apps Cloud Service users ?
What is policy store, identity store, credential store and key store in fusion application ?
How long the process "Import User And Role Application Security Data" will run ?
How soon will you see the access change after you assign/revoke/modify a role to an user ?
How to get a report that shows all failed login attempts ?
How get a report of locked user ?
How to find User Role Membership Report in fusion release 12 ?
How to provision users/roles to fusion application programmatically ?
How to make sure fusion application does send out email notification ?
How to update an implementation user's username in fusion release 12 ?
How to update an implementation user's Display Name in fusion release 12 ?
How to unlock a user receiving error "Your account is locked. You can unlock your account by going to Forgot Password"
?
How to verify a custom role are not assigned to any user ?
How Customization Set Migration (CSM) tool process data security policy of a custom role or custom application role ?
How to avoid duplicated data security policy ?
How to cancel out of logout operation?
How to find out when is the last time an user changed his password ?
How to terminate active user sessions (or kick out users from fusion application) ?
Why same release 10 or 11 environment have different duty roles (application roles) ?
Why some application roles are missing or look different in fresh installation of release 10 and 11 ?
Why "view all" option is always disabled (gray out) in create personal security profile screen ?
Why HCM web server (such as CreateWorker operation in service /hcmEmploymentCoreWorkerV2/WorkerService) give
garbled output ?
Why Generate grants process takes a very long time ?
Do we have any automated way of migrating only the roles from one instance to another ?
Can fusion application generate separate email for user id and password ?
Can we redirect all email notification from IDM domain to single email address ?
Can fusion application control browser behavior, such as: autocomplete ?
Can customer implement two level approval process in fusion application for operations like role assignment ?

https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=dz8xvzydi_4&id=1383852.1 1/10
3/11/2021 Document 1383852.1

Can customer Inactive \ End Date a Role In Fusion Applications ?

Authors and contributors

References

APPLIES TO:

Oracle Fusion Application Toolkit Cloud Service - Version 11.1.4.0.0 and later
Oracle Fusion Application Toolkit - Version 11.1.4.0.0 and later
Oracle Fusion Applications Common Components - Version 11.1.4.0.0 and later
Oracle Fusion Global Human Resources Cloud Service - Version 11.1.4.0.0 and later
Information in this document applies to any platform.

PURPOSE

To provide answers to common Fusion Applications Security Questions

QUESTIONS AND ANSWERS

What are fusion application access URLs ?

In Fusion Applications release 8 and before, we have classic UI as https://<common domain

host>/homePage/faces/AtkHomePageWelcome

In release 9, we introduced simplified UI:

HCM simplified UI: https://<HCM domain host>/hcmCore/faces/HcmFusionHome

In release 10, we combined simplified UI and classic UI into one home page: https://<common domain
host>/homePage/faces/FuseWelcome

Still support HCM simplified UI as: https://<HCM domain host>/hcmCore/faces/FuseWelcome

In release 13, the home page URL become: https://<FA domain host>/fscmUI/faces/FuseWelcome

In oracle cloud environment, although we do provide URL rewrite to rewrite old URLs into new URLs, recommend
customer to use new URLs for better experience

_______________________________________________________________________________________________________

Which release of SCIM fusion release 12 use ?

fusion application release 12 is using SCIM V2, see here

_______________________________________________________________________________________________________

What is the impact to change username ?

Customer can change user's username from Manage User page (refer KM <Dcoument 1982220.1>), the following are the
impact after username is changed:

1. user will not be able to login BI, need oracle to run a renameAccounts script (refer KM Document 1998643.1

2. scheduled process submitted by the user will remain under old username, probably will fail to execute, you need cancel
those processes and re-submit or re-schedule them
https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=dz8xvzydi_4&id=1383852.1 2/10
3/11/2021 Document 1383852.1

3. User will lost favorites setting in fusion application under old username

_______________________________________________________________________________________________________

What is the different process Retrieve Latest LDAP Changes and Import User and Role Application Security Data ?

Retrieve Latest LDAP Changes process is in fusion since the beginning, it will copy users and roles information from
identity store and policy store to fusion application's person tables, which will be used by fusion application functions.

Import User and Role Application Security Data process is introduced in fusion release 9, it will copy users and roles
information from identity store and policy store to ASE tables in fusion application database.
security console and fusion application's audit reports (see Document 2210883.1) will use the ASE tables

During user login, authentication and authorization will be done against users and roles data in identity store and policy
store

_______________________________________________________________________________________________________

What are the seeded internal users in Fusion Applications ?

There some internal system users used by different components of fusion application. In newer fusion release, Oracle hide
those users from security console to avoid customer to edit them by mistake.

But customer can still see them in per_users table. some examples are:

oim_write
em_monitoring
FAAdmin
fa_guest
orcladmin
PUBLIC
IDMPolicyROUser
IDMPolicyRWUser
PolicyROUser
PolicyRWUser
IDROUser
IDRWUser
weblogic_idm
oamAdminUser
xelsysadm
FAWService
anonymous
faoperator
APPID users whose name end as _APPID

Most those users are used by program, no human know their password. Except FAADMIN (which has role Application
Implementation Consultant, IT Security Manager) is used by cloud operttion to maintain the cloud environment. fa_guest
(read_only access) is used by oracle support to troubleshoot customer issues.

All those users will not have person_id or party_id, so those users can not access normal fusion application business
functions.

_______________________________________________________________________________________________________

Who create the user record in per_users table ?

In fusion application per_users table, it has a created_by column, which record who create the user record. sometime the
value is anonymous or FUSION_APPS_HCM_SOA_SPML_APPID

when customer hire a employee, the user record will be created in back end first (i.e. OIM/OID), then later on, the user will
be created in fusion database per_users table.
https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=dz8xvzydi_4&id=1383852.1 3/10
3/11/2021 Document 1383852.1

If the user login the system before the user record is created in per_users' table, the system will create a user record in
per_users table and set created_by to anonymous.

There is no anonymous user in ldap server, so customer should not worry about whether anonymous user can login to
fusion or not

FUSION_APPS_HCM_SOA_SPML_APPID is an internal system user, which is used by fusion application to

communicate with back end (OIM/OID). If the employee is hired through
fusion UI, then the created_by will be FUSION_APPS_HCM_SOA_SPML_APPID
In R11 and before, when customer load the user through a batch loader, then run Send Pending LDAP Requests
process, those users' created_by will be FUSION_APPS_HCM_SOA_SPML_APPID.
In R12, this is changed to the user who submit the process Send Pending LDAP Requests

_______________________________________________________________________________________________________

When creating data role, should we use data role template or task Manage Data Access for Users in fusion release 11
?

In fusion release 11, oracle introduce task Manage Data Access for Users(Mainly for financial customer). which provide
similar functionality as data role template, so customer can use either of the two methods to create data role.

In release 12, we retired APM, financial customer need use Manage Data Access for Users

Since fusion release 12, HCM/CRM products already stopped to user data role template, instead, they are using HCM data
role (through task Manage Data Role and Security Profile)

_______________________________________________________________________________________________________

What is the default password expiration period for Fusion Apps Cloud Service users ?

The default password expiration period for users on Fusion Cloud service is 120 days. In release 12, default will be 90
days

_______________________________________________________________________________________________________

What is policy store, identity store, credential store and key store in fusion application ?

The policy store is a repository of system and application-specific policies and roles, Identity Store is a repository for
users. Credential store is repository for internal system users' password, keystore is repository for server's certificates.
See more in here.

_______________________________________________________________________________________________________

How long the process "Import User And Role Application Security Data" will run ?

In fusion release 9, Oracle introduce security console, before you access Security Console for the first time, you need
run "Import User And Role Application Security Data" process to populate users, roles information. Depends on the security
related data you have, the first run of the process could take days. but subsequent run will take less time, as it will only check
the delta change since last run

There will be performance improvement for this process in release 9 Patch Bundle 3

_______________________________________________________________________________________________________

How soon will you see the access change after you assign/revoke/modify a role to an user ?

By default, fusion servers will refresh the cache every 10 minutes, so your user should see the access change 10 minutes
after you assign a role to the user; revoke a role from the user; modify the role assigned to the user. Sometime, due to

https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=dz8xvzydi_4&id=1383852.1 4/10
3/11/2021 Document 1383852.1

system load, you may experience the delay. You can bounce the weblogic server which serve the pages where you will see the
access changes, to force server refresh the cache.

_______________________________________________________________________________________________________

How to get a report that shows all failed login attempts ?

There is no UI function to get the report.

On premise customer can execute ldapsearch command against fusion application OID server to get the list:

ldapsearch -p 3060 -D cn=orcladmin -w **** -b "cn=<USERNAME>,cn=users,dc=<COMPANYNAME>,dc=com"

"orcllastfailedlogindate=*" uid orcllastfailedlogindate

For cloud customer, due to data security constrain, Oracle cannot provide the data through a SR. Please open enhancement
request in customer connect for this request

_______________________________________________________________________________________________________

How get a report of locked user ?

On premise customer can execute ldapsearch command against fusion application OID server to get the active locked user
list:

ldapsearch -p 3060 -D cn=orcladmin -w **** -b "cn=<USERNAME>,cn=users,dc=<COMPANYNAME>,dc=com"

"&(orclaccountenabled=1)(orcluseraccountlocked=1)" uid > /tmp/users.ldif

For fusion release 11.13.19.07.0 (Update 19C) or higher, customer can run a scheduled process Locked Users to get
locked user list. (see more in Document 2496969.1)

_______________________________________________________________________________________________________

How to find User Role Membership Report in fusion release 12 ?

Oracle introduce the User Role Membership Report in release 10, it continue exist in release 12.

But when you search the process in scheduled process list, you need enter the complete name of "User Role Membership
Report", then click search.

_______________________________________________________________________________________________________

How to provision users/roles to fusion application programmatically ?

It is recommended to use REST API or webservice provided by Fusion HCM. When using webservice provided by OIM or
AD bridge in release 12, users will be created without person information in fusion application and users will not be searchable
in fusion application (see more in document 1574532.1)

_______________________________________________________________________________________________________

How to make sure fusion application does send out email notification ?

When custom load lots of user into fusion application, they want to make sure that all users will receive their login
credential email. But there is fusion application UI to verify it.

For On premise customer, they can go to HCM domain EM to check it:

1. Login to HCM domain EM

2. expand Farm_HCMDomain -> User Messaging Service
3. right click usermessagingserver (soa_server1) -> Message Status
4. Set Maximum Messages Displayed Equals All
5. Click search
6. You can sort the results by Timestamp column to see whether there is email to [email protected]
https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=dz8xvzydi_4&id=1383852.1 5/10
3/11/2021 Document 1383852.1

Or, check email server log at /var/log/maillog to see whether there is an email to the user

For cloud customer, you need open a SR to oracle to check it, or test the scenario with one user, then roll out the same
procedure for all users.

For fusion release 12+, this become a self service for all customers, see more in Document 2303697.1

_______________________________________________________________________________________________________

How to update an implementation user's username in fusion release 12 ?

In fusion release 12, security console replace OIM and APM, and user's username can not be updated in security console.
for normal fusion users, customer can update user's username in Manage User page

or through HDL, but as implementation user does not have person record and person number, so the only way to update
implementation user's username is to update it in OID and then run Retrieve Latest LDAP

Changes process. Be careful, after the change, the user may lost its role assigned before.

In fusion release 20A, username become editable in security console

_______________________________________________________________________________________________________

How to update an implementation user's Display Name in fusion release 12 ?

In REL12 the user display name is not available in Security Console. Below ER is available for this feature.
ER: Bug 26419137 - OPTION TO THE UPDATE DISPLAY NAME OF IMPLEMENTATION USERS IN SECURITY CONSOLE.

How to unlock a user receiving error "Your account is locked. You can unlock your account by going to Forgot
Password" ?

A locked user can be unlocked in three ways.

1. Reset password by user itself using "Forgot password" option on the error page.
2. Reset password by admin through "Manually change the password" option.
3. By clicking Unlock link on User page in OIM or Security console by admin user.

_______________________________________________________________________________________________________

How to verify a custom role are not assigned to any user ?

Customer can run following query from BI (see document 1910762.1 for steps) :

select ROLE_NAME from PER_ROLES_DN_TL

where ROLE_NAME = "custom role"
and ROLE_ID not in (select distinct role_id from PER_USER_ROLES)

_______________________________________________________________________________________________________

How Customization Set Migration (CSM) tool process data security policy of a custom role or custom application role
? How to avoid duplicated data security policy ?

CSM tool will help you migrate customization from one environment to another. During CSM tool migration:

- data security policies that do not exist in the target environment will be created
- data security policies that already exist in the target environment will be merged with data security polices from the source
https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=dz8xvzydi_4&id=1383852.1 6/10
3/11/2021 Document 1383852.1

environment
- data security policies directly created in the target environment that don't exist in the source environment are kept

And duplicated security policy for one role could happen, unless the security policies are created from same method
For example, if you create the job roles in target environment with some data security polices, then CSM tool could merge the
same
set of data security policies from source environment.

The way to work around this is:

1. you just create the custom job role and custom application roles without any security policy in target environment,

2. then repeat using customization migration tool

In this way, because all data security policies are created through CSM tool, duplication will be avoided.

PS: the duplicated data security policy for a role will not cause any harm to your environment, and will not impact the system
performance.

_______________________________________________________________________________________________________

How to cancel out of logout operation?

On confirmation page instead of clicking "Confirm button" if you select "Click go to back" then logout will not happens

_______________________________________________________________________________________________________

How to find out when is the last time an user changed his password ?

There is an attribute (pwdchangedtime) in OID, which record user's last password change date. In OIM, we only record
user' password expiration date - USR_PWD_WARN_DATE (which is last password change date + PWR_EXPIRES_AFTER
defined in password policy), but oracle cloud customer do not have direct access to those attributes

In fusion release 12, we will provide User Password Changes Audit Report, which oracle cloud customer will have access
too

_______________________________________________________________________________________________________

How to terminate active user sessions (or kick out users from fusion application) ?

Customer can search and terminate an user's session in OAM console (under System Configuration -> Common
Configuration -> Session Management), and there is button to Delete All User Sessions...

Alternatively, customer can bounce IDM domain OAM server to invalidate all active user sessions

Oracle public cloud customers do not have access to OAM console, they can open a SR to ask Oracle to bounce OAM server
or configure federation SSO with single logout (Global Logout), then logout of the IDP will trigger logout of fusion application

_______________________________________________________________________________________________________

Why same release 10 or 11 environment have different duty roles (application roles) ?

In fusion release 10, oracle introduced simplified role model, and started to treat all release 9 application roles (duty
roles) as custom roles, which means, oracle will not update those release 9 application roles any more and leave them as they
are (as customer may use them). Due to this, you will see more application roles in an upgraded release 10 or 11 environment
than a fresh installed release 10 or 11 environment.

All release 10+ application roles (duty roles) will have a name starting as ORA, this will help you identify whether an
application role is release 9 role or release 10+ role.

Customer can keep using release 9 application roles as custom roles or migrate to release 10+ application roles

https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=dz8xvzydi_4&id=1383852.1 7/10
3/11/2021 Document 1383852.1

_______________________________________________________________________________________________________

Why some application roles are missing or look different in fresh installation of release 10 and 11 ?

In fusion application release 10, we introduced simplified role model, due to that, some application roles are deprecated
(refer Document 2016990.1 for the list). So those roles are either disappeared or look like empty in fresh installation of fusion
release 10 or 11, as we do not expect new customers will use those application roles.

For the environment upgraded from release 9. you can see still those application roles intact, but they will be treated as
custom application roles going forward.

_______________________________________________________________________________________________________

Why "view all" option is always disabled (gray out) in create personal security profile screen ?

View all' flag signifies if a security profile possesses view all privileges or not. By default one 'view all' version is provided
for each type of
security profile .Since there is no use of having two security profiles having same 'view all ' privileges,'view all' flag is
greyed out for newly created
security profiles .

This flag is still there on 'non view all' security profiles to indicate that a view all option for the new security profile is not
valid since a seeded
version for the same already exists.

This behavior is expected by default.

_______________________________________________________________________________________________________

Why HCM web server (such as CreateWorker operation in service /hcmEmploymentCoreWorkerV2/WorkerService)

give garbled output ?

The output is in zipped binary format, you can unzip it and convert it raw to varchar2

_______________________________________________________________________________________________________

Why Generate grants process takes a very long time ?

This process is expected to run long time (i.e. days), as it has large amount of data to process incrementally.

_______________________________________________________________________________________________________

Do we have any automated way of migrating only the roles from one instance to another ?

Currently we do not have any tool or way to migrate only Roles from one environment to other.
P2T is one option, which copies all the data. or Customization Set Migration tool which migrate customization from one
environment to another

In fusion release 19A, customer can export/import custom roles through Manage Job Roles and Manage Duties tasks
in the Functional Setup Manager

_______________________________________________________________________________________________________

Can fusion application generate separate email for user id and password ?

Right now, the new user creation email notification and password reset email notification contains both user id and
password. Fusion does not have a function to split that email notification into two emails (one contains user id, one contains
password).

https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=dz8xvzydi_4&id=1383852.1 8/10
3/11/2021 Document 1383852.1

the closest configuration is:

1. customize the new user email template to include userID only
2. customize the password reset email template to include password only

the side effect is: after you create an user in fusion, you need reset this user's password to get two emails, one for user id,
one for password
another side effect is: the new user email will be only sent out once when the user is created. after that, if the user forgot his
userID, you can not trigger an email to send userID any more,
your administrator need manually tell him the userID

In fusion release 12, Oracle stop to generate default password for users. When an user reset password, will get a
password reset URL in an email. so there is no email notification with password in it.

_______________________________________________________________________________________________________

Can we redirect all email notification from IDM domain to single email address ?

No, as of now, there is no such function. we can only redirect all new hire email notification to single email address (see
KM Document 1615501.1), or redirect all workflow notification to single email address (see KM Document 1473706.1)

_______________________________________________________________________________________________________

Can fusion application control browser behavior, such as: autocomplete ?

No, the autoComplete function is not a fusion of application function, it is a browser function, you need disable or
enable it from the browser setting. Or check with Microsoft to see whether you can do it massively in IE

_______________________________________________________________________________________________________

Can customer implement two level approval process in fusion application for operations like role assignment ?

As of now (fusion release 11), the only approval workflow, which can be configured in fusion application, is for user
creation through fusion application UI. Customer need use external approval process, after it is approved, then customer can
use HDL to load the role assignment into fusion application.

Although this can be implemented in OIM, but starting release 12, OIM will not be part of fusion application deployment

_______________________________________________________________________________________________________

Can customer Inactive \ End Date a Role In Fusion Applications ?

Currently there is no functionality in FA to disable any roles Or to end-date a role. However You can make them
unavailable from role provisioning pages (i.e. Manage user accounts page)
You just need to change the role provisioning rules defined for the role and remove the role reference from there. Also this will
trigger automatic role revoking if some users got the role due to the provisioning rule. (see more Document 1538786.1)
_______________________________________________________________________________________________________

Authors and contributors

Jun Ye, Margaret Kinuthia, Lakshmi Reddeppa, VAIBHAV CHOUREY

https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=dz8xvzydi_4&id=1383852.1 9/10
3/11/2021 Document 1383852.1

REFERENCES

NOTE:1387777.1 - Getting Started with Oracle Fusion Applications: Common Implementation

NOTE:1636126.1 - Fusion Application Security FAQ For Cloud Customer

NOTE:1345860.1 - Overview of SetID - Reference Data Sharing

NOTE:1228035.1 - OIM11g: Sample Code For A Custom Username Generation Policy Plugin Using JDeveloper

Didn't find what you are looking for?

https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=dz8xvzydi_4&id=1383852.1 10/10