Set up an Oracle Fusion Cloud HCM connector

Capabilities

Resource	Sync	Provision
Accounts
Roles

Account actions

Action	Description
Suspend Account	Disable a user’s login without affecting their HR employment status
Unsuspend Account	Restore a suspended user’s login access
Set Work Email	Set or update the work email address on a user account

Gather Oracle Fusion Cloud HCM credentials

Configuring the connector requires you to pass in credentials generated in Oracle Fusion Cloud HCM. Gather these credentials before you move on. To set up the Oracle Fusion Cloud HCM connector, you’ll need:

Base URL: The complete base URL for your Oracle Fusion Cloud HCM instance REST API, which is formed like https://your-instance.oraclecloud.com.
Username and password: The username and password for an Oracle Fusion Cloud HCM account with access to the Oracle Fusion Cloud HCM REST API.

Permissions for sync (read-only)

The service account must have access to the userAccounts resource. Read access is available via any of the following roles:

Use REST Service - User Accounts (ORA_PER_REST_SERVICE_ACCESS_USER_ACCOUNTS)
Use REST Service - User Accounts as Worker (ORA_PER_REST_SERVICE_ACCESS_USER_ACCOUNTS_AS_WORKER)
Use REST Service - User Accounts as Manager or HR (ORA_PER_REST_SERVICE_ACCESS_USER_ACCOUNTS_AS_MGR_OR_HR)
Human Capital Management Integration Specialist (ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_INTEGRATION_SPECIALIST_JOB) — includes the read-only aggregate privilege ORA_PER_REST_SERVICE_ACCESS_USER_ACCOUNTS_RO (Get, Describe only)

Additionally, the account must have permissions to read all users’ data. A Data Role with a security profile scoped to View All People for Person and Public Person must be assigned, either directly to the user or via the user’s role. If the account used to connect does not have this capability, the connector will sync an empty or incomplete list of accounts.

Permissions for provisioning

Provisioning features (role assignment, account creation, and account actions) require additional privileges beyond sync. Oracle’s recommended approach is to create a custom job role that combines the necessary privileges:

Required roles

Role	Code	Purpose
Use REST Service - User Accounts	`ORA_PER_REST_SERVICE_ACCESS_USER_ACCOUNTS`	Grants the `PER_REST_SERVICE_ACCESS_USER_ACCOUNTS_PRIV` function privilege, which covers Get, Post, Patch, Describe, and Delete on the `/userAccounts` endpoint. Required for account creation.
IT Security Manager	`ORA_FND_IT_SECURITY_MANAGER_JOB`	Grants `ASE_REST_SERVICE_ACCESS_IDENTITY_INTEGRATION_PRIV` for SCIM API access (role grant/revoke, suspend/unsuspend, email updates) and `PER_REST_SERVICE_ACCESS_USERS_AND_ROLES_LOVS_PRIV` for role list-of-values lookups.

Recommended setup

Oracle’s authorization tutorial for the User Accounts REST API recommends:

Copy the Human Capital Management Integration Specialist (ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_INTEGRATION_SPECIALIST_JOB) job role
Add the following roles to its role hierarchy:
- ORA_PER_REST_SERVICE_ACCESS_USER_ACCOUNTS (full read/write access to userAccounts)
- ORA_FND_IT_SECURITY_MANAGER_JOB (SCIM access and role LOV lookups)
Create a Data Role wrapping the custom job role with appropriate HCM security profiles (View All People, View All Organizations)
Assign the Data Role to the integration service account

The Human Capital Management Integration Specialist role on its own only includes the read-only aggregate privilege (ORA_PER_REST_SERVICE_ACCESS_USER_ACCOUNTS_RO), which covers Get and Describe only. It is not sufficient for provisioning operations (Post, Patch, Delete). You must add the full ORA_PER_REST_SERVICE_ACCESS_USER_ACCOUNTS role to enable account creation.

That’s it! Next, move on to the connector configuration instructions.

Configure the Oracle Fusion Cloud HCM connector

To complete this task, you’ll need:

The Connector Administrator or Super Administrator role in C1
Access to the set of Oracle Fusion Cloud HCM credentials generated by following the instructions above

Cloud-hosted
Self-hosted

Follow these instructions to use a built-in, no-code connector hosted by C1.

In C1, navigate to Integrations > Connectors and click Add connector.

Search for Oracle Fusion Cloud HCM and click Add.

Choose how to set up the new Oracle Fusion Cloud HCM connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.

Click Next.

Find the Settings area of the page and click Edit.

Enter the credentials you gathered in the previous section.

Click Save.

The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

Done. Your Oracle Fusion Cloud HCM connector is now pulling access data into C1.

Follow these instructions to use the Oracle Fusion Cloud HCM connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

Resources

Contact C1’s support team to download the latest version of the connector.

Step 1: Set up a new Oracle Fusion Cloud HCM connector

In C1, navigate to Integrations > Connectors > Add connector.

Search for Baton and click Add.

Choose how to set up the new Oracle Fusion Cloud HCM connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Click Next.

In the Settings area of the page, click Edit.

Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your Oracle Fusion Cloud HCM connector deployment:

Secrets configuration

# baton-oracle-fusion-cloud-hcm-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-oracle-fusion-cloud-hcm-secrets
type: Opaque
stringData:
  # C1 credentials
  BATON_CLIENT_ID: <C1 client ID>
  BATON_CLIENT_SECRET: <C1 client secret>
  
  # Oracle Fusion Cloud HCM credentials
  BATON_BASE_URL: <Oracle Fusion Cloud HCM REST API base URL>
  BATON_PASSWORD: <Oracle Fusion Cloud HCM account password>
  BATON_USERNAME: <Oracle Fusion Cloud HCM account username>

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-oracle-fusion-cloud-hcm.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-oracle-fusion-cloud-hcm
  labels:
    app: baton-oracle-fusion-cloud-hcm
spec:
  selector:
    matchLabels:
      app: baton-oracle-fusion-cloud-hcm
  template:
    metadata:
      labels:
        app: baton-oracle-fusion-cloud-hcm
        baton: true
        baton-app: oracle-fusion-cloud-hcm
    spec:
      containers:
      - name: baton-oracle-fusion-cloud-hcm
        image: ghcr.io/conductorone/baton-oracle-fusion-cloud-hcm:latest
        imagePullPolicy: IfNotPresent
        env:
        - name: BATON_HOST_ID
          value: baton-oracle-fusion-cloud-hcm
        envFrom:
        - secretRef:
            name: baton-oracle-fusion-cloud-hcm-secrets

Step 3: Deploy the connector

Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.

Check that the connector data uploaded correctly. In C1, click Apps. On the Managed apps tab, locate and click the name of the application you added the Oracle Fusion Cloud HCM connector to. Oracle Fusion Cloud HCM data should be found on the Entitlements and Accounts tabs.

Done. Your Oracle Fusion Cloud HCM connector is now pulling access data into C1.

Welcome

Manage connectors

Deploy connectors

Upload connector data

Configurable connectors

Pre-built connectors

Set up an Oracle Fusion Cloud HCM connector

Capabilities

Account actions

Gather Oracle Fusion Cloud HCM credentials

Permissions for sync (read-only)

Permissions for provisioning

Required roles

Recommended setup

Configure the Oracle Fusion Cloud HCM connector

Resources

Step 1: Set up a new Oracle Fusion Cloud HCM connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector

Welcome

Manage connectors

Deploy connectors

Upload connector data

Configurable connectors

Pre-built connectors

Documentation Index

​Capabilities

​Account actions

​Gather Oracle Fusion Cloud HCM credentials

​Permissions for sync (read-only)

​Permissions for provisioning

​Required roles

​Recommended setup

​Configure the Oracle Fusion Cloud HCM connector

​Resources

​Step 1: Set up a new Oracle Fusion Cloud HCM connector

​Step 2: Create Kubernetes configuration files

​Secrets configuration

​Deployment configuration

​Step 3: Deploy the connector

Capabilities

Account actions

Gather Oracle Fusion Cloud HCM credentials

Permissions for sync (read-only)

Permissions for provisioning

Required roles

Recommended setup

Configure the Oracle Fusion Cloud HCM connector

Resources

Step 1: Set up a new Oracle Fusion Cloud HCM connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector