Configure Access to HCM Data Loader (HDL) and Understand HDL Security Options (2024)

Introduction

The Human Capital Management Integration Specialist job role is often granted to users who are responsible for bulk-loading data into the Oracle HCM Cloud. However, this role grants access to additional tools, including HCM Extracts and all REST APIs, so it's recommended that you instead create custom roles and grant just the HCM Data Loader (HDL) functionality required.

There are typically two user types for accessing HCM Data Loader:

  • Integration specialist users who are responsible for defining data files, initiating bulk-loads, and monitoring existing integrations.This user type needs access to the HCM Data Loader tasks within the application.
  • External integration users responsible for pushing data into the Oracle HCM Cloud only.

    Used by inbound integrations to upload files and initiate HCM Data Loader. These users shouldn't have access to the application or to monitor uploads other than the ones they've initiated. This tutorial explains how to grant access to the HCM Data Loader REST API for this purpose.

Business Object Access

HCM Data Loader provides the ability to restrict which business objects your users can bulk-load data with. By default, these two features are disabled but it's recommended that you enable them and configure custom roles to have just the HDL access required and only for the business objects needed:
  • Configure Business Object Access

    When enabled, you can configure the individual business objects and product areas a role can bulk-load data with.

  • Restrict Access to Security Related Business Objects

    When enabled, an additional function security privilege is required to bulk-load data to any of the objects that load security-related data. Currently that includes all objects within these product areas:

    Product AreaBusiness Objects
    Global HR - Areas of Responsibility
    • Areas of Responsibility
    Global HR - Security
    • Legislative Data Group Security Profile
    • Organization Security Profile
    • Country Security Profile
    • Position Security Profile
    • Document Type Security Profile
    • Exclusion Rule
    • Person Security Profile
    Global HR - Users
    • Delegated Role
    • User
    Recruiting - Security
    • Job Requisition Security Profile
    Talent Management - Security
    • Talent Pool Security Profile

    Tip:

    You can identify which objects are secured with the functional security privilege by using the View Business Objects task. Objects that are secured have a Bulk Loading Secured value of Yes.


WARNING:

When HCM Data Loader is submitted using the Initiate HCM Data Loader payroll flow task to upload files generated by HCM Extracts, or the Initiate Data Loader payroll flow task to upload files generated by transformation formulae, the submitting user is elevated and the session user context is lost. It's therefore not possible to evaluate the security configuration of that user. Your existing payroll flow tasks will fail to initiate HDL with these security features enabled. From release 24A you can update your payroll flow patterns to use the new payroll flow task which submits HDL as the session user:

  • Run HCM Data Loader to upload HCM Extracts generated files.
  • Run Data Loader Process to upload files generated by transformation formulae.

To configure the HCM Extracts flow refer to the tutorial Initiate HCM Data Loader for HCM Extract Generated Files.

Tip:

Links to all HDL tutorials are available from the HCM Data Loader - Oracle by Example Tutorials topic in Cloud Customer Connect.

File Encryption

You're recommended to encrypt all files before loading them to the Oracle WebCenter Content server.

Tip:

HCM Data Loader can only process files that exist in the hcm$/dataload$/import$ account. Files that you upload locally using the Import File functionality in the Import and Load Data task are first uploaded here before being processed.

WARNING:

Any user with access to the hcm$/dataload$/import$ account can download and read any file on that account, regardless of who created it.

For HDL to decrypt your files you must encrypt them with the public fusion-key PGP key for the environment you're loading your file to.

The final task in this tutorial takes you through the steps to generate the fusion-key PGP certificate and extract the public key, which you'll use to encrypt your files.

Objectives

In this tutorial, you will:

  • Understand how to enable the HCM Data Loader security related features.
  • Configure custom roles to grant access to HCM Data Loader.
  • Configure business object access for your custom roles.
  • Generate the fusion-key certificate and extract the public key.

Prerequisites

To complete the steps in this tutorial, you'll need:

  • Access to the Security Console to create custom roles and extract the file encryption key.
  • Access to Setup and Maintenance.

    Grant this role hierarchy if your role doesn't already have access:

    Role NameRole Code
    Functional Setups UserORA_ASM_FUNCTIONAL_SETUPS_USER_ABSTRACT
  • Access to the Configure HCM Data Loader task to enable the HCM Data Load security features.

    You require this function security privilege to access the task:

    Function Security Privilege NameCode
    Manage Configuration of HCM Data LoaderHRC_MANAGE_CONFIGURATION_HCM_DATA_LOADER_PRIV
  • Access to the HCM Data Loader Business Object Access task to configure which business objects a role can bulk load data with.

    This role hierarchies provide this access:

    Role NameRole Code
    Manage HCM Data Loader Business Object AccessHRC_MANAGE_HDL_BO_ACCESS_PRIV

Task 1: Enable Security Related Functionality

In this step you'll learn how to enable the features that allow you to restrict access to the business objects your users can bulk-load data with.

Note:

Enabling these enhancements does not impact HCM Spreadsheet Data Loader.

To enable these security features you'll need to log into the application with a user that has Configure HCM Data Loader task access (see Prerequisites for how to grant this.)

Enable Configuration of Role-Based Business Object Access

Once enabled your custom HCM Data Loader roles need to have business object access configured. You can configure your custom roles with their business object access before enabling this feature.

Note:

Users with the Human Capital Management Integration Specialist job role will continue to have HCM Data Loader access. This role is preconfigured to access all business objects.

  1. Navigate to My Enterprise > Setup and Maintenance.
  2. Select the HCM Data Loader functional area.
  3. Click the Configure HCM Data Loader task.
  4. Configure Access to HCM Data Loader (HDL) and Understand HDL Security Options (1)

  5. Search for the Enable Configuration of Role-Based Business Object Access parameter.
  6. Configure Access to HCM Data Loader (HDL) and Understand HDL Security Options (2)

  7. Set the Override to Yes.
  8. Click Save.

Additionally, you'll need to provide access to the HCM Data Loader Business Object Access task to configure the business objects your roles can use HCM Data Loader with (see Prerequisites for how to grant this).

Restrict Access to Security Related Business Objects

Once enabled, users require the Load HCM Security Data function security privilege to bulk-load data with the security related objects.

Caution:

Enabling this feature will prohibit users with the Human Capital Management Integration Specialist job role from using security related business objects too. You'll need to create custom roles to provide access to bulk-load security related data once this capability is enabled.

  1. Access the Configure HCM Data Loader task as described above.
  2. Search for the Restrict Access to Security Related Business Objects parameter.
  3. Set the Override to Yes.
  4. Click Save.

Task 2: Grant HCM Data Loader Access

In this step you'll create custom roles for accessing HCM Data Loader functionality.

Integration Specialist Access

This role will provide access to the following functionality:

  • The View Business Objects task to review business object details and generate METADATA files.
  • The Import and Load Data task to submit files for import and load and monitor status of all data sets.
  • The Recent File Loads task to review recent data set status on any device.
  • The Delete Stage Table Data task to maintain stage tables.
  • The ability to import and export files for HCM Data Loader on the Oracle WebCenter Content server.

To grant this access:

  1. Log into the application with Security Console access.
  2. Navigate to Tools > Security Console.
  3. Click Create Role.
  4. Specify a Role Name and provide a unique role code.
  5. Tip:

    The business objects that a role can use are granted directly to this job role. Consider naming each role for the objects it will provide access to. For example, HCM Data Loader - All Objects, HCM Data Loader - Setup or HCM Data Loader - Recruiting.

  6. Specify a Role Category of HCM - Job Role.
  7. Click Next to navigate to the Role Hierarchy page. Add these hierarchies:
  8. Role NameRole CodeGrants Access To
    HCM Data LoadORA_HRC_HCM_DATA_LOAD_DUTYHCM Data Loader tasks within the Data Exchange work area.
    Upload data for Human Capital Management file based ImportHCM_DATALOADER_IMPORT_RWDThe hcm/dataloader/import directory on the Oracle WebCenter Content server.
    Download data from Human Capital Management file based ExportHCM_DATALOADER_EXPORT_RWDThe hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files.

    Additionally, if the role is to be assigned access to any of the business objects that load security related data, this function security privilege is needed:

    Role NameRole CodeGrants Access To
    Load HCM Security DataHRC_LOAD_HCM_SECURITY_DATA_PRIVSecurity related HCM Data Loader business objects.

  9. Save your changes.

You can now configure the business objects this role can load data with.

REST Access

For external users defined for inbound integrations, such as for use by a third-party payroll backfeed integration, grant access to the dataLoadDataSets REST resource.

  1. Log into the application with Security Console access.
  2. Navigate to Tools > Security Console.
  3. Click Create Role.
  4. Specify a Role Name and provide a unique role code.
  5. Tip:

    The business objects that a role can use are granted directly to this job role. Consider naming the role for its integration, such as HDL Payroll Backfeed.

  6. Click Next to navigate to the Role Hierarchy page. Add these hierarchies:
  7. Role NameRole CodeGrants Access To
    Use REST Service - Data Load Data SetsORA_HRC_REST_SERVICE_ACCESS_DATA_LOAD_DATA_SETSThe dataLoadDataSets REST API for initiating HDL and HSDL and monitoring data set status.
    Upload data for Human Capital Management file based importHCM_DATALOADER_IMPORT_RWDThe hcm/dataloader/import directory on the Oracle WebCenter Content server.

    Additionally, if you want this role to have access to the REST custom actions that delete the staging table data for the data sets created by the role, add these privileges:

    Function Security PrivilegePrivilege CodeSecures Custom Action
    Delete HCM Data Loader Data Set Using REST ServiceHRC_DELETE_HDL_DATA_SET_USING_RESTdeleteDataSet
    Delete HCM Spreadsheet Data Loader Data Set Using REST ServiceHRC_DELETE_HSDL_DATA_SET_USING_RESTdeleteSpreadsheetDataSet
  8. Save your changes.
  9. You can now configure the business objects this role can load data with.


Task 3: Configure Business Object Access

In this step you'll configure the business objects a role can bulk-load data with using HCM Data Loader.

  1. Log into the application with a user who has access to the HCM Data Loader Business Object Access task (see Prerequisites for how to grant this).
  2. Navigate to My Enterprise > Setup and Maintenance.
  3. Select the HCM Data Loader functional area.
  4. Click HCM Data Loader Business Object Access.
  5. In the Job and Abstract Roles table, search for and select your custom role.
  6. Tip:

    The Assigned Business Objects table header is automatically updated to include the role name.

  7. Click the Assign dropdown.
  8. Configure Access to HCM Data Loader (HDL) and Understand HDL Security Options (3)

  9. Select one of the following options:
  • Assign Individual Business Objects
  • Assign All Business Objects in a Product Area
  • Assign All Unrestricted Business Objects
  • Assign All Business Objects, Including Security-Related Objects

If you select Assign Individual Business Objects, then:

  • Search and select the business objects in the Search and Select Business Objects dialog box.
  • Click Add to add the selected business objects to the role. An entry appears in the Assigned Business Objects section for each of the selected business objects.

If you select Assign All Business Objects in a Product Area, then:

  • Select the product area in the Select Product Area dialog box.
  • Click Add. A single entry appears for the product area in the Assigned Business Objects section.

If you select Assign All Unrestricted Business Objects, then:

  • A warning message appears to indicate that users with this role can bulk-load data with any business object that doesn't load security-related data.
  • Click Add to close the warning and continue. A single entry appears for all unrestricted business objects in the Assigned Business Objects section.

If you select Assign All Business Objects, Including Security-Related Objects then:

  • A warning message appears to indicate that users with this role will be able to use the security-related objects only if they have the Load HCM Security Data function security privilege.
  • Click Add to close the warning and continue. A single entry appears for all business objects in the Assigned Business Objects section.
  • Click Save.

  • Task 4: Create Common HCM Data Loader Custom Roles

    This step explains how to create the following custom roles:

    • An Integration Specialist administrator role capable of loading data for any object and monitoring all data sets.
    • An Integration Specialist role with restricted business object access.
    • An external integration role restricted to loading payroll backfeed data with visibility of only the data sets they've submitted.

    Integration Specialist - Unrestricted

    1. Use the Security Console to create a custom HCM Data Loader - Unrestricted role.
    2. Grant this function security privilege:
      Role NameRole CodeGrants Access To
      Load HCM Security DataHRC_LOAD_HCM_SECURITY_DATA_PRIVSecurity related HCM Data Loader business objects.
    3. Grant these role hierarchies:
    4. Role NameRole CodeGrants Access To
      HCM Data LoadORA_HRC_HCM_DATA_LOAD_DUTYHCM Data Loader tasks within the Data Exchange work area.
      Upload data for Human Capital Management file based ImportHCM_DATALOADER_IMPORT_RWDThe hcm/dataloader/import directory on the Oracle WebCenter Content server.
      Download data from Human Capital Management file based ExportHCM_DATALOADER_EXPORT_RWDThe hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files.
    5. Save the custom role.
    6. Navigate to the HCM Data Loader Business Object Access task in Setup and Maintenance.
    7. Search for and select the HCM Data Loader - Unrestricted role.
    8. Click the Assign dropdown and select Assign All Business Objects, Including Security-Related Objects.
    9. Click Add to close the warning message.
    10. Save your changes. You can now assign this role to users who should be able to bulk-load data with any HCM Data Loader business object.

    Integration Specialist - Restricted

    1. Use the Security Console to create a custom HCM Data Loader - {objects} role, replacing {objects} with a description of the business objects the role will have access to use, such as HCM Data Loader - Work Structures, or HCM Data Loader - Recruiting
    2. Grant these role hierarchies:
    3. Role NameRole CodeGrants Access To
      HCM Data LoadORA_HRC_HCM_DATA_LOAD_DUTYHCM Data Loader tasks within the Data Exchange work area.
      Upload data for Human Capital Management file based ImportHCM_DATALOADER_IMPORT_RWDThe hcm/dataloader/import directory on the Oracle WebCenter Content server.
      Download data from Human Capital Management file based ExportHCM_DATALOADER_EXPORT_RWDThe hcm/dataloader/export directory on the Oracle WebCenter Content server. Required to export error files.

      Tip:

      If the list of business objects this role can access will include objects that load security related data, also grant the Load HCM Security Data function security privilege.

    4. Save the custom role.
    5. Navigate to the HCM Data Loader Business Object Access task in Setup and Maintenance.
    6. Search for and select your custom role.
    7. Use the Assign dropdown on the Assigned Business Objects table toolbar to assign access to the HCM Data Loader business objects and product areas users with this role should be able to use.
    8. Save your changes. You can now assign this role to users who should be able to bulk-load data with the HCM Data Loader business objects configured.

    External User - Integration Specific

    In this step you'll create an external user to initiate the Payroll Backfeed integration. This user will be given to the provider who supplies the data and initiates the integration.

    1. Use the Security Console to create a custom External Payroll Backfeed role.
    2. Tip:

      Use any name that describes the integration the user provides access for.

    3. Grant these role hierarchies:
    4. Role NameRole CodeGrants Access To
      Use REST Service - Data Load Data SetsORA_HRC_REST_SERVICE_ACCESS_DATA_LOAD_DATA_SETSThe dataLoadDataSets REST API for initiating HDL and HSDL and monitoring data set status.
      Upload data for Human Capital Management file based importHCM_DATALOADER_IMPORT_RWDThe hcm/dataloader/import directory on the Oracle WebCenter Content server.

    5. Save the custom role.
    6. Navigate to the HCM Data Loader Business Object Access task in Setup and Maintenance.
    7. Search for and select your custom role.
    8. Click Assign dropdown on the Assigned Business Objects table toolbar.
    9. Search for and assign the business objects the integration will be updating:
      • Document Record
      • Payroll Interface Inbound Record
      • Third Party Payroll Interface Error
    10. Save your changes. You can now assign this role to the user account provided to your third-party payroll provider to upload payroll backfeed data.

    Task 5: Generate a PGP Key Pair for Encrypting HDL Files

    You're recommended to encrypt all files before loading them to the Oracle WebCenter Content server. Any user with access to the HCM Data Loader import account can download and read any file on that account, regardless of who created it.

    HCM Data Loader decrypts files using the private fusion-key PGP key, so you need to generate this on your Oracle Cloud environment before loading encrypted files. You encrypt your files with the fusion-key public key.

    In this step you'll generate the fusion-key PGP key pair and extract the public key.

    1. Sign into Oracle HCM Cloud with the IT Security Manager job role or privileges.
    2. Navigate to Tools > Security Console.
    3. Click the Certificates tab.
    4. Review the certificates that already exist. If the fusion-key certificate already exists, you can skip to the Extract the Public Key section. Otherwise, follow the steps to generate the fusion-key certificate.

    Generate the fusion-key Certificate

    1. Click Generate to open the Generate dialog.
    2. Configure Access to HCM Data Loader (HDL) and Understand HDL Security Options (4)

    3. Select a Certificate Type of PGP and specify these values:
    4. FieldValue
      Aliasfusion-key
      PassphraseEnter a passphrase for the private key. This passphrase is needed when you edit, delete, or download the private key.
      Key TypeRSA
      Key LengthSelect either 1024 or 2048.
      Encryption AlgorithmSelect the encryption algorithm to use

      Note:

      You must use the fusion-key alias for HCM Data Loader to decrypt your files encrypted with this key.

      Configure Access to HCM Data Loader (HDL) and Understand HDL Security Options (5)

    5. Click Save and Close. A confirmation message will appear, close it.
    6. Your certificate will be displayed.

      Configure Access to HCM Data Loader (HDL) and Understand HDL Security Options (6)

    Extract the Public Key

    1. Click the Action choice menu button for the fusion-key record.
    2. Click Export > Public Key.
    3. The fusion-key_pub.asc file will be downloaded. Save it to your desktop.

    Tip:

    For more information refer to the Set up Encryption for File Transfer topic.


    Help Topics
    • How You Enable Access to HCM Data Loader
    • How You Configure HCM Data Loader Business Object Access
    • Set up Encryption for File Transfer
    Tutorials

    Refer to this Cloud Customer Connect topic for links to the latest Oracle By Example tutorials for HDL and HSDL:

    • HCM Data Loader - Oracle by Example Tutorials.

    Acknowledgements

    • Authors - Ema Johnson (Senior Principal Product Manager)

    More Learning Resources

    Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

    For product documentation, visit Oracle Help Center.

    Configure Access to HCM Data Loader (HDL) and Understand HDL Security Options (2024)

    References

    Top Articles
    Peanut Butter Energy Balls (Peanut Butter Banana No Bake Energy Bites) Recipe - The Cookie Rookie®
    How to Do Easy Updos - Gorgeous Going Out (Or Staying In) Hair
    Touchstar Cinemas - Sabal Palms Products
    Rachel Sheherazade Nua
    Indio Mall Eye Doctor
    Goodall Brazier hiring Vice President in Arizona, United States | LinkedIn
    Sdn Wright State 2023
    Jikatabi Thothub
    دانلود فیلم Toc Toc بدون سانسور
    Recruitment Drive/Quick guide
    Champion Enchant Skyblock
    Poochies Liquor Store
    Shaw Centre for the Salish Sea — Eight Arms, Eight Interesting Facts: World Octopus Day
    Swap Shop Elberton Ga
    Sevita Sso Login
    Lake Charles, LA Houses and Single Family Homes For Rent | realtor.com®
    Nissan 300Zx For Sale Craigslist
    How Nora Fatehi Became A Dancing Sensation In Bollywood 
    Skyward New Richmond Wi
    Bobibanking Retail
    Georgia Vehicle Registration Fees Calculator
    Msft Msbill Info
    Myth or Fact: Massage Parlors and How They Play a Role in Trafficking | OUR Rescue
    Kate Spade OUTLET • bis 70%* im Sale | Outletcity Metzingen
    Nantucket Hdc
    Dayz Nyheim Map
    Banette Gen 3 Learnset
    First Lady Nails Patchogue
    Walmart Careers Stocker
    Live Stream Portal
    Rolling-Embers Reviews
    Raya And The Last Dragon Voice Cast: Who's Voicing Each Character
    Match The Criminal To The Weapon
    Meaty Sugar Lump
    Erfahrungen mit Rheumaklinik Bad Aibling, Reha-Klinik, Bayern
    18443168434
    10 Best Laptops for FL Studio in 2023 | Technize
    How To Get Stone Can In Merge Mansion 2022
    Iconnect Seton
    Daftpo
    Roe V. Wade: The Abortion Rights Controversy in American History?second Edition, Revised and Expanded (Landmark Law Cases and American Society) - Taylor, Bob: 9780700617548
    Ma Scratch Tickets Codes
    Kpq News Wenatchee Washington
    Rydell on LinkedIn: STARTING TODAY you no longer have to wait in a long line to get your oil…
    Sacramento Library Overdrive
    Exploring The Craigslist Washington DC Marketplace - A Complete Overview
    Adda Darts
    Big Lots Hours Saturday
    Pastel Pink Facetime Icon
    What Time Does The Chase Bank Close On Saturday
    Eugenics Apush
    Penn Highlands Mon Valley | Penn Highlands Healthcare
    Latest Posts
    Article information

    Author: Nathanael Baumbach

    Last Updated:

    Views: 6174

    Rating: 4.4 / 5 (55 voted)

    Reviews: 94% of readers found this page helpful

    Author information

    Name: Nathanael Baumbach

    Birthday: 1998-12-02

    Address: Apt. 829 751 Glover View, West Orlando, IN 22436

    Phone: +901025288581

    Job: Internal IT Coordinator

    Hobby: Gunsmithing, Motor sports, Flying, Skiing, Hooping, Lego building, Ice skating

    Introduction: My name is Nathanael Baumbach, I am a fantastic, nice, victorious, brave, healthy, cute, glorious person who loves writing and wants to share my knowledge and understanding with you.