Oracle Fusion Cloud
Configuring the Oracle Fusion Cloud integration for Veza Lifecycle Management
Overview
The Veza integration for Oracle Fusion Cloud enables automated user lifecycle management, supporting user provisioning, deprovisioning, and role assignment management through the Oracle SCIM API.
SYNC_IDENTITIES - Synchronizes identity attributes between systems, with options to create new identities and update existing ones - Supported: ✅
MANAGE_RELATIONSHIPS - Controls entitlements such as role assignments for identities - Supported: ✅
DEPROVISION_IDENTITY - Safely removes or disables access for identities - Supported: ✅
DELETE_IDENTITY - Permanently deletes user accounts from Oracle Fusion Cloud - Supported: ✅
CREATE_ENTITLEMENT - Creates new roles in Oracle Fusion Cloud - Supported: ✅
SOURCE_OF_IDENTITY - Oracle Fusion Cloud can act as a source system for identity lifecycle policies - Supported: ❌
This document includes steps to enable the Oracle Fusion Cloud integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.
Enabling Lifecycle Management for Oracle Fusion Cloud
Prerequisites
You will need administrative access in Veza to configure the integration and appropriate administrative privileges in Oracle Fusion Cloud.
Ensure you have an existing Oracle Fusion Cloud integration in Veza or add a new one for use with Lifecycle Management.
Verify your Oracle Fusion Cloud integration has completed at least one successful extraction.
The Oracle Fusion Cloud service account requires the following permissions for different operations:
SCIM API Permissions:
/hcmRestApi/scim/Users - Full user lifecycle management
GET: Read user by ID or username
POST: Create new users
PATCH: Update user attributes and manage role memberships (ADD/REMOVE operations)
DELETE: Remove users permanently
/hcmRestApi/scim/Groups - Role information access
GET: Read role details and membership information
BI Publisher Permissions:
Execute reports via /xmlpserver/services/PublicReportService?wsdl
Access to predefined reports in /Custom/Veza/v2/ directory
Configuration Requirements
Enabling the Oracle Fusion Cloud integration in Veza requires:
Your Oracle Fusion instance URL
Service account username with administrative privileges
Service account password for HTTP Basic Authentication
Required BI Publisher Reports
Oracle Fusion Cloud uses predefined BI Publisher reports for extracting role and privilege information. These reports must be accessible at the following paths:
/Custom/Veza/v2/ASE_ROLE_VL.xdo - Application roles
/Custom/Veza/v2/ASE_PRIVILEGE_VL.xdo - Privileges
/Custom/Veza/v2/ASE_PRIV_ROLE_MBR.xdo - Privilege to role mappings
/Custom/Veza/v2/ASE_Role_Role_MBR.xdo - Role hierarchy
/Custom/Veza/v2/ERP_USER_ROLES.xdo - User role assignments
Note: These reports are used for metadata extraction only. Lifecycle Management operations use the SCIM API.
Configuration Steps
To enable the integration:
In Veza, go to the Integrations overview
Search for or create an Oracle Fusion Cloud integration
Check the box to Enable usage for Lifecycle Management
Configure the extraction schedule to ensure your Oracle Fusion Cloud data remains current:
Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Oracle Fusion Cloud in the Active Overrides section
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
Supported Actions
Oracle Fusion Cloud serves as a target for identity management actions, based on changes in another external source of truth or as part of a workflow.
The integration supports the following lifecycle management Actions:
Sync Identities
Primary action for user management (creating or updating users):
Username cannot be changed after creation
Email addresses must be unique
Required attributes must be present (user_name, email)
Display name will default to username if not provided
The following attributes can be synchronized:
Attribute Notes:
The SCIM API uses standard SCIM 2.0 field mappings
Email is stored as the first element in the SCIM emails array
Additional custom attributes beyond these three are not supported
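The Sync Identities rules above can be checked before a request is sent, so that a missing attribute or a duplicate is caught locally rather than as a 400 or 409 from the API. This is an added example, not Veza or Oracle code: plan_sync, its input dictionaries and the case-insensitive email comparison are assumptions, and the attribute names userName, displayName and emails are the standard SCIM 2.0 core names.

```python
def plan_sync(desired, existing_users):
    """Pre-flight one Sync Identities request before any SCIM call is made.

    desired: dict with user_name, email, optional display_name and entity_id.
    existing_users: dicts with id, user_name and email (constructed stand-in
    for the users found by the last extraction).
    Returns (action, entity_id, scim_attributes, errors).
    """
    errors = []
    user_name = (desired.get("user_name") or "").strip()
    email = (desired.get("email") or "").strip()
    for field, value in (("user_name", user_name), ("email", email)):
        if not value:
            errors.append(f"{field} is required")

    # IDs are uppercase in Oracle Fusion Cloud: normalise before the lookup.
    entity_id = (desired.get("entity_id") or "").upper() or None
    current = next((u for u in existing_users if u["id"] == entity_id), None)
    if entity_id and current is None:
        errors.append(f"no user with id {entity_id}")
    if current and user_name and current["user_name"] != user_name:
        errors.append("user_name cannot be changed after creation")

    for other in existing_users:
        if other is current:
            continue
        # Usernames are case-sensitive, so this is an exact comparison.
        if current is None and other["user_name"] == user_name:
            errors.append(f"user_name {user_name} already exists")
        # Assumption: email uniqueness is compared case-insensitively.
        if email and other["email"].lower() == email.lower():
            errors.append(f"email already used by {other['user_name']}")

    attrs = {
        "userName": user_name,
        # Display name falls back to the username when none is supplied.
        "displayName": desired.get("display_name") or user_name,
        # Email travels as the first element of the SCIM emails array.
        "emails": [{"value": email, "primary": True}],
    }
    return ("update" if current else "create"), entity_id, attrs, errors
```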
Manage Relationships
The integration supports managing role assignments for users:
Both adding and removing role memberships are supported
Role assignments are managed through the Oracle SCIM API
Available roles are discovered during the extraction process
Role memberships are automatically removed during deprovisioning
Supported Entitlement Types:
OAA.Oracle Fusion Cloud.Role - Oracle Fusion Cloud application roles
Role Management Operations:
List current role assignments for a user
Add role assignments to a user
Remove role assignments from a user
Role creation (as part of entitlement creation)
Deprovision Identity
Deactivates a user account in Oracle Fusion Cloud:
Sets the user's active status to false
The user will no longer be able to log in
User data is retained for audit purposes
Role assignments remain intact but inactive
Deprovisioning Behavior:
User record remains in the system
All role memberships are preserved, but non-functional
The account can be reactivated by setting the active status back to true
Audit trail is maintained
Delete Identity
Permanently removes a user account from Oracle Fusion Cloud:
Completely deletes the user record
This action is irreversible
All role assignments are removed
Use with caution, as this removes audit history
Deletion Considerations:
Cannot be undone
Removes all user data and history
Should only be used when complete removal is required
Consider deprovisioning instead for most use cases
Create Entitlement
Creates new roles in Oracle Fusion Cloud:
Role creation is supported through the lifecycle management framework
New roles can be created as part of provisioning workflows
Role properties include ID and role name
Role Creation Details:
Roles are created with basic properties (ID, name)
Custom role attributes are not currently supported
Role hierarchy and inheritance must be configured separately
Implementation Notes
SCIM API Integration
Oracle Fusion Cloud lifecycle management uses the SCIM (System for Cross-domain Identity Management) protocol for user management operations. The integration:
Supports SCIM 2.0 standard operations
Handles user creation, update, deactivation, and deletion
Manages role assignments through SCIM relationship operations
Provides error handling for common SCIM response codes
Error Handling
The integration includes comprehensive error handling:
User not found errors are properly detected and reported
Duplicate user creation attempts are handled gracefully
Network and API errors are logged with appropriate context
Validation errors provide clear feedback about missing or invalid attributes
Common Error Scenarios:
404 Not Found: User or role doesn't exist
409 Conflict: Duplicate user or constraint violation
400 Bad Request: Invalid attribute values or missing required fields
401 Unauthorized: Authentication failure
403 Forbidden: Insufficient permissions
User Identification
Users in Oracle Fusion Cloud are identified by:
User ID: System-generated unique identifier (uppercase)
Username: User-provided login name (case-sensitive)
Entity ID: Used for LCM operations, automatically converted to uppercase
The integration handles ID case conversion automatically to ensure compatibility with Oracle Fusion Cloud's uppercase ID requirements.
Best Practices
Testing: Always test lifecycle management policies in a non-production environment first
Extraction Schedule: Set an appropriate extraction interval based on your organization's change frequency (recommended: 6-12 hours)
Monitoring: Regularly review the LCM Activity Log for any errors or unexpected behavior
Role Management: Ensure roles are properly configured in Oracle Fusion Cloud before assigning them through LCM
Deprovisioning vs. Deletion: Use deprovisioning for standard offboarding; reserve deletion for special cases
Bulk Operations: When processing multiple users, consider batching to avoid API rate limits
Error Recovery: Implement retry logic for transient failures
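For scripts that call the SCIM endpoints directly, the retry advice above has to be combined with the Common Error Scenarios list: the five status codes listed there are not fixed by repeating the request. This is an added example, not Veza or Oracle code: call_with_retry and the send callable are hypothetical, and treating 429 and 5xx responses as transient is an assumption.

```python
import random
import time

# Status codes from "Common Error Scenarios": none of them is fixed by
# repeating the same request, so they are never retried.
PERMANENT = {
    400: "invalid or missing attributes",
    401: "authentication failure",
    403: "insufficient permissions",
    404: "user or role does not exist",
    409: "duplicate user or constraint violation",
}
# Assumption: throttling and gateway/server errors are treated as transient.
TRANSIENT = {429, 500, 502, 503, 504}


class ScimError(Exception):
    def __init__(self, status, reason):
        super().__init__(f"SCIM call failed: HTTP {status} ({reason})")
        self.status = status


def call_with_retry(send, max_attempts=4, base_delay=1.0, sleep=time.sleep):
    """Run send() -> (status, body) and retry only transient failures.

    send is a hypothetical zero-argument callable wrapping one SCIM request.
    Returns (body, attempts_used) on a 2xx response.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            status, body = send()
        except (ConnectionError, TimeoutError):
            status, body = None, None  # network failure counts as transient
        if status is not None and 200 <= status < 300:
            return body, attempt
        if status in PERMANENT:
            # Stop at once: repeated failed logins may lock the service
            # account, and replaying a 409 cannot make a username unique.
            raise ScimError(status, PERMANENT[status])
        if status is not None and status not in TRANSIENT:
            raise ScimError(status, "unexpected status, not retried")
        if attempt == max_attempts:
            raise ScimError(status, "transient failure, retries exhausted")
        # Exponential backoff with jitter to stay under API rate limits.
        sleep(base_delay * 2 ** (attempt - 1) + random.uniform(0, 0.25))
```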
Limitations
Username cannot be modified after user creation
Oracle Fusion Cloud cannot currently serve as a source of identity for LCM policies
Custom user attributes beyond the standard SCIM schema are not supported
Bulk operations are processed individually through the SCIM API
Role hierarchy and complex role structures must be managed outside of LCM
Troubleshooting
Common issues and resolutions:
Issue: User creation fails with "duplicate" error. Cause: Username or email already exists. Resolution: Verify the username and email are unique in Oracle Fusion Cloud.
Issue: Role assignment fails. Cause: Role doesn't exist or is inactive. Resolution: Ensure the role exists and is active in Oracle Fusion Cloud.
Issue: Authentication errors. Cause: Invalid credentials or expired password. Resolution: Verify the service account credentials and permissions.
Issue: User not found during update. Cause: User doesn't exist or ID mismatch. Resolution: Check if the user exists and the identifier is correct (note: IDs are uppercase).
Issue: Extraction fails. Cause: Network connectivity or API changes. Resolution: Check network connectivity and Oracle Fusion Cloud service status.
Issue: Deprovisioning doesn't disable login. Cause: Caching or replication delay. Resolution: Allow up to 15 minutes for changes to propagate.
Debugging Tips
Enable Debug Logging: Turn on debug logs for the integration to see detailed API requests and responses
Check Activity Logs: Review the Lifecycle Management activity logs for specific error messages
Verify Permissions: Use the Oracle Fusion Cloud UI to confirm the service account has the necessary permissions
Test SCIM Endpoints: Use a tool like Postman to test SCIM endpoints directly
Review Extraction Status: Check the last extraction results for any warnings or errors