This example will show a case where a user creates a Business Unit but no data roles are created so they have to create and assign them manually. The various stages will be broken down into the following headings:
- Create Basic Business Unit (BU)
- Check if BU Data Roles have been created
- Create Data Roles
- Synchronize Oracle Identity Manager (OIM) with Authorization Policy Manager (APM)
- Assign Data Roles to Login User
- Check Access to BU
Create Basic Business Unit (BU)
After picking the ‘Define Business Units’ task list create Business Unit. Then save and close. Note This user has created a new default set called ‘NC_BU110S’. It will hold any new set_id data used by the BU ‘NC BU110’.
Once the initial BU has been created Business Functions need to be assigned. Assigning functions to a BU should automatically create the related data role. In the above example the user is assigning Receivable functionality to a BU named ‘NC BU110’.
Check if BU Data Roles have been created
Check if the BU is available to pick when configuring the relevant module. In this worked example the user has chosen the receivable functionality. If they cannot pick ‘NC BU110’ when configuring the receivables system options then it’s likely the relevant data role has either not been created or not assigned.
To check if the data role exists log into the Authorization Policy Manager (APM) module. Under the ‘Authorization Management’ tab click on the Search External Roles.
For the basic BU setup there should be two data roles created under the ‘Financial Application Administrator’ role. One will be for the basic BU access and the other for the BU set_id access. In the above case neither role has been created ‘NC BU100’ BU.
For each functionality there will be additional roles required. An example will be shown in the latter steps of this document.
Create Data Roles
To create a data role the user first needs to search and pick the relevant data role template.
There are two templates used for the minimum BU usage these are:
FinancialsFunBusinessUnit = used for basic BU setup
FinancialsFunSetIdFinancialsFunSetId = BU SetId usage
In this example as we have assign receivable functionality there should be 2 additional templates which are:
BillingRevMgtandCustPayment = Basic AR setup
FinancialsArSetIdFinancialsArSetId = AR SetId
Once the correct template is shown the user needs to highlight the required template then click on open.
Once the template has been opened the user can view existing data roles. If they want to create new roles then they need to click on ‘Generate Roles’ as shown above.
Once the ‘Generate Roles’ has completed the user can click on ‘refresh role’ under ‘valid roles’, In the above example it shows a data role for basic BU usage has been successfully created – ‘FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_NC BU110’.
When the FinancialsFunSetIdFinancialsFunSetId template is used it will create set_id data role called ‘FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_NC BU110S’.
As this example is using receivables functionality when the template FinancialsArSetIdFinancialsArSetId is used to generate data roles then all AR roles will have a set_id role created for them. As as shown above.
Synchronize Oracle Identity Manager (OIM) with Authorization Policy Manager (APM)
Once the data roles have been successfully created in APM they then need to be copied over to OIM. To do this you can either run ‘LDAP Role Create and Update Full Reconciliation’ or ‘LDAP Role Create and Update Reconciliation’ program. To run either program you will need to go into OIM and click on the ‘Advance’ icon as shown above.
Once in OIM’s Advance Administration section pick the ‘System Management’ tab then select either of the LDAP reconciliation scheduled jobs. Now double click on the chosen job to open up it’s parameters.
After opening the parameters section of the job click on ‘Run Now’. This will then copy all the successfully created data roles from APM into OIM. The next step will to assign these data roles to a login user.
Assign Data Roles to Login User
When in OIM under the ‘Administration’ tab click on the users ‘Advance Search -Users’ section.
In this example the user would like the login user ‘fin_superuser’ to be able to use the BU ‘NC_BU110’. Therefore they will need to assign these roles to this login user. Once the user has found ‘fin_superuser’ they will need to pick this user in the research results field then click on open.
Once the user is in the required login user. Here it is showing the ‘FIN_SUPERUSER’ tab. Then click on the assign icon to pick which roles you want assigned.
The above example shows the user assigning basic BU access data role for BU ‘NC BU110’ to the login user ‘FIN_SUPERUSER’.
As the user has assigned Receivable functionality to this BU they also need to assign the AR roles ,such as the ‘AR_BILLING_MANAGER’, to this login user.
Check Access to BU
To show the user now has access to the newly created ‘NC BU110’ BU they can go to any AR configuration step to see if this BU is available in the LOV. Here the user has chosen the ‘Receivable Activities’ task.
The data roles have correctly been created and assign as they are now able to pick BU ‘NC BU110’.