Client Extraction Guide — Oracle Fusion ERP

Oracle Fusion ERP
Data Extraction Guide

Share this guide with your Oracle Cloud Administrator, Security Manager, or Application Implementation Consultant before starting an AuditCore assessment. All extractions described here are read-only and non-disruptive to production operations.

17 export files across 10 domains
Required Oracle Roles & Access

The following Oracle Cloud roles are needed to complete the data extractions in this guide. A single administrator with all four access levels can complete the full extraction in one session. All operations are read-only — no configuration changes are made.

IT Security Manager

Required for Security Console access: user accounts, role assignments, role hierarchy, and data security policy exports.

Application Implementation Consultant

Required for Setup and Maintenance tasks: audit policies, approval rules, financial controls, and period status exports.

IDCS Admin Console Access

Required to export Oracle Identity Cloud Service (IDCS) settings: password policy, MFA configuration, session timeouts, and OAuth/API registrations.

OIC Administrator

Required for Oracle Integration Cloud: connection list and inbound/outbound integration configuration exports.

All operations are non-disruptive. Every extraction in this guide uses read-only access (Export, View, Inquiry, Search). No data will be modified, deleted, or affected in any way.

Oracle Fusion Cloud is a SaaS platform — some data requires Oracle involvement

Because Oracle Fusion operates as a managed SaaS environment, certain system-level data is not directly accessible through the UI or BI/OTBI reports. This includes: patch and update history (contact your Oracle Customer Success Manager or raise a Service Request on My Oracle Support), certain IDCS tenant-level settings (may require IDCS REST API access or Oracle Support assistance), and advanced AACG conflict data (requires separate Oracle Risk Management Cloud license). Where a file is optional or requires Oracle Support, this is clearly noted on the relevant card below.

User Management User Accounts & Role Assignments — 2 files
1
user_accounts.csv Security Console

Oracle Fusion user account list — active, inactive, and locked accounts with last login dates and organizational attributes.

IT Security Manager or Application Implementation Consultant (read-only)
Alternative: Reports & Analytics → Financial Reporting → Create Report using the ASK_USERS_OF_ENTERPRISE LDAP view.
Expected CSV Columns
USER_NAME EMAIL_ADDRESS STATUS ACCOUNT_LOCKED LAST_LOGON_DATE JOB_TITLE DEPARTMENT CREATED_DATE
Step-by-Step Extraction
  1. Open the Oracle Fusion Navigator (hamburger menu, top left).
  2. Go to Tools → Security Console.
  3. Click the Users tab at the top of the Security Console.
  4. Leave the search filter blank to retrieve all users, then click Search.
  5. Click the Export button (top-right of the results grid). Oracle will generate a CSV download.
  6. Save the file as user_accounts.csv.
Large environments (>500 users): Use the OTBI report "User Account Details" located in the Security subject area folder for better performance and pagination control.
2
user_role_assignments.csv OTBI / Security Console

Complete mapping of Oracle Fusion users to their assigned roles — includes role category, assignment dates, and assignment source.

IT Security Manager (bulk export)
Individual user: Security Console → Users → select user → Roles tab → Export.
Expected CSV Columns
USER_NAME ROLE_NAME ROLE_CATEGORY START_DATE END_DATE ASSIGNED_BY
Step-by-Step Extraction (OTBI)
  1. Navigate to Reports & Analytics from the Navigator.
  2. Click Create Analysis and select Subject Area: Security - User and Role Memberships.
  3. Add columns: USER_NAME, ROLE_NAME, ROLE_CATEGORY, START_DATE, END_DATE, ASSIGNED_BY.
  4. Remove any filters to capture all role assignments.
  5. Click Results, then Export → Data → CSV Format.
  6. Save the file as user_role_assignments.csv.
Hierarchy depth: Run the "User Role Assignments" duty-level report to capture the full role hierarchy, including roles inherited through job roles and abstract roles.
Role Management Role Hierarchy — 1 file
3
role_hierarchy.csv Security Console

Oracle Fusion role parent-child hierarchy — maps how job roles, abstract roles, and duty roles are composed from one another.

IT Security Manager
Bulk (all roles): Security Console → Manage Roles → Export All. Also available via OTBI Subject Area "Security - Role Hierarchy".
Expected CSV Columns
PARENT_ROLE CHILD_ROLE ROLE_TYPE DESCRIPTION
Step-by-Step Extraction
  1. Open Security Console → Roles tab.
  2. In the search box enter * (wildcard) and click Search to retrieve all roles.
  3. For a full hierarchy export, navigate to Manage Roles → Export All to download the Oracle Fusion Security Reference in CSV format.
  4. Alternatively, use OTBI with Subject Area "Security - Role Hierarchy" and add columns: PARENT_ROLE, CHILD_ROLE, ROLE_TYPE.
  5. Save the file as role_hierarchy.csv.
Segregation of Duties SoD Conflict Data — 1 file (optional)
4
sod_conflicts.csv Oracle AACG

Pre-computed SoD conflict results from Oracle Advanced Access Controls (AACG) — requires Oracle Risk Management Cloud license.

Oracle Risk Management Cloud access
Alternative: Advanced Access Controls → Access Certification → Conflict Summary → Export to Excel.
Expected CSV Columns
USER_NAME CONFLICT_TYPE CONFLICTING_ROLE_A CONFLICTING_ROLE_B CONFLICT_RULE RISK_LEVEL DETECTED_DATE
Step-by-Step Extraction
  1. Log into Oracle Risk Management Cloud (separate from Fusion ERP).
  2. Navigate to Advanced Access Controls → Conflicts.
  3. Leave filters blank or filter to current period, then click Search.
  4. Click Export Results and select CSV format.
  5. Save as sod_conflicts.csv.
This file is optional. Oracle AACG requires a separate Oracle Risk Management Cloud license. If you do not have AACG, skip this file — AuditCore will compute SoD conflicts automatically from your role hierarchy and user role assignment files.
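How inherited roles change an SoD result when working only from user_role_assignments.csv and role_hierarchy.csv, shown as an added example that is neither AuditCore's implementation nor Oracle code. The role names, the two conflict rules, and the ISO (YYYY-MM-DD) date format are constructed assumptions; the column names are the ones this guide lists.

```python
import csv
import io
from datetime import date

# Constructed sample data in the column layouts this guide specifies.
ASSIGNMENTS = """USER_NAME,ROLE_NAME,ROLE_CATEGORY,START_DATE,END_DATE,ASSIGNED_BY
jdoe,AP_MANAGER_JOB,Job,2023-01-10,,admin1
jdoe,EMPLOYEE_ABSTRACT,Abstract,2023-01-10,,admin1
asmith,AP_SPECIALIST_JOB,Job,2022-05-01,,admin1
asmith,SUPPLIER_ADMIN_JOB,Job,2022-05-01,2023-06-30,admin1
"""

HIERARCHY = """PARENT_ROLE,CHILD_ROLE,ROLE_TYPE,DESCRIPTION
AP_MANAGER_JOB,AP_SPECIALIST_JOB,Job,Manager inherits specialist
AP_MANAGER_JOB,PAYMENT_APPROVAL_DUTY,Duty,Approve payments
AP_SPECIALIST_JOB,INVOICE_ENTRY_DUTY,Duty,Create invoices
SUPPLIER_ADMIN_JOB,SUPPLIER_MAINT_DUTY,Duty,Maintain suppliers
INVOICE_ENTRY_DUTY,AP_SPECIALIST_JOB,Job,Constructed cycle to exercise the guard
"""

# Hypothetical conflict rules; a real rule set comes from your control framework.
SOD_RULES = [
    ("Create invoices and approve payments", "INVOICE_ENTRY_DUTY", "PAYMENT_APPROVAL_DUTY"),
    ("Maintain suppliers and create invoices", "SUPPLIER_MAINT_DUTY", "INVOICE_ENTRY_DUTY"),
]


def load_children(hierarchy_csv):
    """Map each PARENT_ROLE to the set of roles it directly contains."""
    children = {}
    for row in csv.DictReader(io.StringIO(hierarchy_csv)):
        children.setdefault(row["PARENT_ROLE"].strip(), set()).add(row["CHILD_ROLE"].strip())
    return children


def expand(role, children):
    """Return the role plus everything it inherits; the seen set stops cycles."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(children.get(current, ()))
    return seen


def is_active(row, as_of):
    """An assignment counts only if as_of falls inside START_DATE..END_DATE."""
    start, end = row["START_DATE"].strip(), row["END_DATE"].strip()
    if start and date.fromisoformat(start) > as_of:
        return False
    return not (end and date.fromisoformat(end) < as_of)


def effective_roles(assignments_csv, hierarchy_csv, as_of):
    """user -> {effective role -> set of directly assigned roles that grant it}."""
    children = load_children(hierarchy_csv)
    day = date.fromisoformat(as_of)
    result = {}
    for row in csv.DictReader(io.StringIO(assignments_csv)):
        if not is_active(row, day):
            continue
        direct = row["ROLE_NAME"].strip()
        granted = result.setdefault(row["USER_NAME"].strip(), {})
        for role in expand(direct, children):
            granted.setdefault(role, set()).add(direct)
    return result


def sod_conflicts(effective, rules=SOD_RULES):
    """Return (user, rule name, direct assignments responsible) per conflict."""
    findings = []
    for user in sorted(effective):
        granted = effective[user]
        for name, role_a, role_b in rules:
            if role_a in granted and role_b in granted:
                via = sorted(granted[role_a] | granted[role_b])
                findings.append((user, name, via))
    return findings


if __name__ == "__main__":
    for as_of in ("2023-06-01", "2024-01-01"):
        print(as_of, sod_conflicts(effective_roles(ASSIGNMENTS, HIERARCHY, as_of)))
```

In the sample, jdoe holds neither conflicting duty directly; both arrive through a single job role, which is why a check on direct assignments alone would miss it.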
Data Security Data Security Policies — 1 file
5
data_security_policies.csv Security Console

Oracle Fusion data security policy grants — defines which users/roles can access specific business objects and under what conditions.

Application Implementation Consultant
SQL via HCM Extracts: SELECT POLICY_NAME, OBJECT_NAME, GRANTEE, GRANTEE_TYPE, CONDITION, PRIVILEGE FROM FND_GRANTS JOIN FND_OBJECTS
Expected CSV Columns
POLICY_NAME OBJECT_NAME GRANTEE GRANTEE_TYPE CONDITION PRIVILEGE CREATED_DATE CREATED_BY
Step-by-Step Extraction
  1. Open Security Console from Navigator → Tools.
  2. Click Data Security Policies tab.
  3. Leave all search fields blank and click Search.
  4. Click Export (top-right) to download as CSV.
  5. Save as data_security_policies.csv.
Review carefully: Pay special attention to rows where CONDITION = '1=1' — this indicates an unrestricted (wildcard) data security grant that bypasses row-level security.
Audit & Compliance Audit Policy Configuration — 1 file
6
audit_policies.csv Setup and Maintenance

Oracle Fusion audit policy configuration — which business objects have auditing enabled and which actions (INSERT, UPDATE, DELETE) are captured.

Application Implementation Consultant
Alternative export: Use the "Audit Configuration Report" from Oracle Fusion BI Publisher for a structured CSV output.
Expected CSV Columns
POLICY_NAME OBJECT_NAME ENABLED AUDIT_ACTIONS CREATED_DATE LAST_UPDATED
Step-by-Step Extraction
  1. Navigate to Setup and Maintenance from Navigator.
  2. In the search box, type "Manage Audit Policies" and click the task.
  3. For each major business object (Payables, Procurement, General Ledger, HCM), note the Enabled status and configured Actions.
  4. For a complete export, use BI Publisher → Catalog → Audit Configuration Report to generate a structured CSV output.
  5. Save as audit_policies.csv.
The AUDIT_ACTIONS column should contain semicolon-separated values: INSERT;UPDATE;DELETE. An empty value means no auditing is configured for that object.
Integration Security OIC Connections — 1 file
7
integration_connections.csv Oracle Integration Cloud

Oracle Integration Cloud (OIC) connection inventory — all inbound/outbound integrations with authentication type and ownership.

OIC Administrator or OIC Service User with integration permissions
REST API: GET /ic/api/integration/v1/connections — returns JSON that can be converted to CSV.
Expected CSV Columns
CONNECTION_NAME CONNECTION_TYPE AUTH_TYPE OWNER_ACCOUNT LAST_USED_DATE CREATED_DATE STATUS INBOUND_ENABLED
Step-by-Step Extraction
  1. Log into Oracle Integration Cloud (separate URL from Fusion ERP, typically https://[tenant].integration.ocp.oraclecloud.com).
  2. From the Home page, click Connections in the left navigation.
  3. Use the kebab menu (⋮) or the Export option to download the full connection list.
  4. If no direct export exists, use the OIC REST API: GET /ic/api/integration/v1/connections and convert the JSON output to CSV.
  5. Save as integration_connections.csv.
Auth type review: Flag any connections where AUTH_TYPE = BASIC — these use username/password authentication and represent an elevated security risk compared to OAUTH2, CERTIFICATE, or JWT.
Password & Session Policy IDCS Password & Session Settings — 1 file
8
password_policy.csv IDCS Admin Console

Oracle IDCS / Identity Domain password and session configuration — complexity rules, expiry, lockout thresholds, and session timeout.

IDCS Administrator
URL: https://[your-tenant].identity.oraclecloud.com/ui/v1/adminconsole — login with your IDCS administrator credentials.
Expected CSV Columns
POLICY_NAME MIN_LENGTH MAX_LENGTH EXPIRY_DAYS REQUIRE_UPPERCASE REQUIRE_LOWERCASE REQUIRE_DIGIT REQUIRE_SPECIAL LOCKOUT_ATTEMPTS LOCKOUT_DURATION_MINS SESSION_TIMEOUT_MINS REUSE_COUNT CREATED_DATE LAST_UPDATED
Step-by-Step Extraction
  1. Open a browser and navigate to your IDCS Admin Console URL: https://[your-tenant].identity.oraclecloud.com/ui/v1/adminconsole.
  2. Log in with your IDCS Administrator credentials.
  3. Click Security in the left sidebar, then Password Policy.
  4. Record all settings (this is typically a manual process — create a single-row CSV).
  5. Also note session timeout from Security → Sessions.
  6. Save as password_policy.csv — this file typically has only one data row.
This file is typically a single-row CSV since Oracle Fusion environments usually have one tenant-wide password policy. If multiple policies exist (e.g., separate policies for admins), include one row per policy.
Financial Controls AME Approval Rules — 1 file
9
financial_controls.csv Setup and Maintenance / AME

Approval Management Engine (AME) approval rules for financial transactions — AP invoices, purchase orders, payments, and expense reports.

Application Implementation Consultant
Alternative: Navigator → Approval Management → Transaction Configuration → select transaction type → Export rules.
Expected CSV Columns
CONTROL_NAME CONTROL_TYPE MODULE ENABLED APPROVAL_REQUIRED APPROVER_ROLE THRESHOLD_AMOUNT CURRENCY LAST_REVIEWED NOTES
Step-by-Step Extraction
  1. Navigate to Setup and Maintenance and search for "Manage Approval Management Rules".
  2. Repeat for each transaction type: Payables (AP), Purchasing (PO), Expenses, and GL Journal.
  3. For each transaction type, export the rules list including thresholds, approver roles, and enabled status.
  4. Combine the exports into a single file with MODULE column to distinguish transaction types.
  5. Save as financial_controls.csv.
System Administration Patch & Update History — 1 file
10
installed_patches.csv My Oracle Support / Oracle CSM

Oracle Fusion patch and update history — CPU security patches, bundle patches, and applied updates with severity and application dates.

Oracle My Oracle Support access or Customer Success Manager contact
For SaaS customers: Oracle manages patches automatically. Request patch history from your Oracle Customer Success Manager or raise a Service Request on My Oracle Support.
Expected CSV Columns
PATCH_ID PATCH_TYPE DESCRIPTION SEVERITY RELEASE_DATE APPLIED_DATE STATUS APPLIED_BY
Step-by-Step Extraction
  1. Log into My Oracle Support at support.oracle.com.
  2. Navigate to Patches & Updates → Applied Patches for your environment.
  3. Filter by the past 12–24 months and export to CSV.
  4. Alternatively, email or contact your Oracle Customer Success Manager directly with a request for your quarterly CPU and bundle patch history.
  5. Save as installed_patches.csv.
Oracle SaaS note: For Oracle Fusion Cloud (SaaS), Oracle applies patches automatically on a quarterly schedule (January, April, July, October for CPUs). You may not have direct access to patch details — your Oracle CSM is your primary contact for this data.
Identity & MFA Security IDCS / Identity Domain Configuration — 1 file
11
idcs_config.csv IDCS Admin Console

Oracle IDCS / Identity Domain security settings — MFA configuration, SSO enforcement, local auth status, session timeouts, and self-service reset controls.

IDCS Administrator
REST API: GET /admin/v1/PasswordPolicies (password) and GET /admin/v1/Settings (MFA/sessions) for programmatic extraction.
Expected CSV Columns
SETTING_NAME SETTING_VALUE CATEGORY LAST_MODIFIED MODIFIED_BY
Key Settings to Extract
  1. From IDCS Admin Console, navigate to Security → MFA and note: MFA_ENABLED, MFA_REQUIRED_FOR_ADMINS.
  2. Check Security → Sign-On Policies for: SSO_ENFORCED, LOCAL_AUTH_DISABLED.
  3. Under Security → Sessions, note: SESSION_TIMEOUT_MINS, SESSION_IDLE_TIMEOUT_MINS.
  4. Check Security → Self Registration and Security → MFA for: TIME_BASED_ACCESS_ENABLED, SELF_SERVICE_RESET_MFA_REQUIRED.
  5. Compile into a multi-row CSV with one row per setting (SETTING_NAME / SETTING_VALUE format).
  6. Save as idcs_config.csv.
You may need to compile this file manually by visiting multiple IDCS settings pages. Use the SETTING_NAME / SETTING_VALUE row format — one row per configuration item — for maximum compatibility with AuditCore's analysis engine.
Reporting Security BI / OTBI Report Catalog — 1 file
12
report_catalog.csv BI Publisher / OTBI

Oracle BI Publisher and OTBI report catalog — report names, paths, data sources, row-level security status, and PII/financial data indicators.

BI Author or BI Administrator
BI Publisher: Navigator → Reports and Analytics → BI Publisher → Catalog → select folder → Export list.
Expected CSV Columns
REPORT_NAME REPORT_PATH REPORT_TYPE DATA_SOURCE ROW_LEVEL_SECURITY ACCESSIBLE_TO SCHEDULED SCHEDULE_OWNER LAST_RUN_DATE CONTAINS_PII CONTAINS_FINANCIAL_DATA CREATED_BY OUTPUT_FORMAT
Step-by-Step Extraction
  1. Navigate to Reports & Analytics → Browse Catalog.
  2. Navigate to /Shared Folders/ in the catalog tree.
  3. Right-click the top-level Shared Folders node and select Download to export catalog XML.
  4. For a flat CSV list, use BI Publisher Administration → Manage Reports to export the report list.
  5. The ROW_LEVEL_SECURITY and CONTAINS_PII columns may need to be manually assessed for each report.
  6. Save as report_catalog.csv.
Period Close Controls GL Period Open/Close Status — 1 file
13
period_status.csv General Ledger

General Ledger period open/close status history — including who opened/closed each period, reopen counts, and post-close adjustments.

General Ledger Manager or Application Implementation Consultant
Alternative: Setup and Maintenance → search "Manage Accounting Periods" → Export.
Expected CSV Columns
LEDGER_NAME PERIOD_NAME PERIOD_STATUS OPENED_BY CLOSED_BY OPEN_DATE CLOSE_DATE REOPEN_COUNT LAST_JOURNAL_DATE ADJUSTMENTS_AFTER_CLOSE PERIOD_YEAR PERIOD_NUM
Step-by-Step Extraction
  1. Navigate to General Ledger → Period Close → Manage Accounting Periods.
  2. Set the date range filter to the last 24 months.
  3. Click Search to retrieve all periods in scope.
  4. Click Export to Excel (Actions menu or top-right button).
  5. Save as period_status.csv.
Key indicator: REOPEN_COUNT > 0 indicates a period was reopened after being closed — a significant audit finding. The ADJUSTMENTS_AFTER_CLOSE column flags any journal entries posted after period close.
Intercompany Controls Intercompany Transaction Log — 1 file
14
intercompany_transactions.csv Intercompany Accounting

Intercompany transaction log — cross-entity transactions with legal entity pairs, approval status, and elimination status.

Intercompany Accountant or General Ledger Manager
Alternative: General Ledger → Journals → Manage Journals → filter by SOURCE = 'Intercompany' → Export.
Expected CSV Columns
TRANSACTION_ID FROM_LEGAL_ENTITY TO_LEGAL_ENTITY FROM_USER TO_USER AMOUNT CURRENCY TRANSACTION_DATE STATUS APPROVAL_STATUS APPROVER RECEIVER_ACKNOWLEDGED ELIMINATION_STATUS PERIOD_NAME
Step-by-Step Extraction
  1. Navigate to Intercompany Accounting → Manage Intercompany Transactions.
  2. Set the date range to the last 12 months for a manageable dataset.
  3. Click Search without additional filters to include all statuses.
  4. Click Export and ensure the ELIMINATION_STATUS column is included in the export.
  5. Save as intercompany_transactions.csv.
Fixed Asset Controls Asset Transaction History — 1 file
15
asset_transactions.csv Fixed Assets

Fixed asset transaction history — additions, retirements, transfers, revaluations, and adjustments with approver details and book values.

Fixed Assets Manager or Asset Accountant
Alternative: Fixed Assets → Inquiry → View Transaction History → Export.
Expected CSV Columns
TRANSACTION_ID ASSET_NUMBER ASSET_DESCRIPTION TRANSACTION_TYPE PERFORMED_BY APPROVED_BY TRANSACTION_DATE BOOK_VALUE COST SALVAGE_VALUE USEFUL_LIFE_MONTHS CATEGORY REVALUATION_AMOUNT STATUS
Step-by-Step Extraction
  1. Navigate to Fixed Assets → Transactions → Asset Transactions.
  2. Set Date From to 12 months ago and Date To to today.
  3. Click Execute to run the query.
  4. Click Export to Excel from the Actions menu.
  5. Save as asset_transactions.csv.
Transaction types: ADD, RETIRE, TRANSFER, REVALUE, ADJUST, PARTIAL_RETIRE, IMPAIR. Pay particular attention to REVALUE and IMPAIR transactions which have direct financial statement impact.
Approval Workflow Controls AME Approval Rules Configuration — 1 file
16
approval_rules.csv AME / Setup and Maintenance

Approval Management Engine (AME) rule configuration — all transaction types, conditions, approver settings, auto-approve flags, and bypass controls.

Application Implementation Consultant
Alternative: Navigator → Approval Management → select Transaction Type → View Rules.
Expected CSV Columns
RULE_ID RULE_NAME TRANSACTION_TYPE CONDITION ACTION_TYPE APPROVER_TYPE APPROVER_VALUE THRESHOLD_AMOUNT CURRENCY AUTO_APPROVE_ENABLED BYPASS_ENABLED LAST_REVIEWED_DATE CREATED_BY STATUS
Step-by-Step Extraction
  1. Navigate to Setup and Maintenance and search for "Manage Approvals".
  2. Export rules for each of the following transaction types: AP_INVOICE, PO_ORDER, EXPENSE_REPORT, JOURNAL_ENTRY, PAYMENT.
  3. For each transaction type, navigate to Rules and click Export.
  4. Combine all transaction type exports into a single file with TRANSACTION_TYPE as a distinguishing column.
  5. Save as approval_rules.csv.
Critical review points: Pay special attention to any rows where AUTO_APPROVE_ENABLED = Y or BYPASS_ENABLED = Y — these represent controls that can be circumvented without human approval.
API & Integration Security OAuth Client / API Registrations — 1 file
17
api_registrations.csv IDCS Admin Console

OAuth client and API registration inventory — all registered applications with grant types, scopes, token expiry, and IP whitelist settings.

IDCS Administrator
REST API: GET /admin/v1/Apps?filter=isOAuthClient eq true — returns all OAuth clients in JSON format.
Expected CSV Columns
CLIENT_ID CLIENT_NAME GRANT_TYPE SCOPES OWNER CREATED_DATE LAST_USED_DATE TOKEN_EXPIRY_MINS REFRESH_TOKEN_ENABLED IP_WHITELIST STATUS
Step-by-Step Extraction
  1. Log into the IDCS Admin Console.
  2. Navigate to Applications in the left sidebar.
  3. Filter to the OAuth tab or filter applications by type to show OAuth clients only.
  4. Export the full list. If no direct export exists, use the REST API: GET /admin/v1/Apps?filter=isOAuthClient eq true and convert JSON to CSV.
  5. Include Oracle Integration Cloud connected apps, third-party API integrations, and any custom OAuth clients.
  6. Save as api_registrations.csv.
Wildcard scopes are high risk: Flag any registrations where SCOPES contains * or urn:opc:resource:consumer::all — these grant unrestricted API access to all Oracle Cloud resources.
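The review flags this guide names for files 5, 6, 7, 13, 16 and 17 (CONDITION = '1=1', empty AUDIT_ACTIONS, AUTH_TYPE = BASIC, REOPEN_COUNT > 0, AUTO_APPROVE_ENABLED / BYPASS_ENABLED = Y, wildcard SCOPES) can be checked in one pass before the files are handed over. The script below is an added example, not part of AuditCore; the sample rows are constructed, and it assumes SCOPES values are separated by whitespace, commas or semicolons.

```python
import csv
import io
import re

WILDCARD_SCOPES = {"*", "urn:opc:resource:consumer::all"}

# Constructed sample exports, trimmed to a key column plus the columns each check reads.
SAMPLE_EXPORTS = {
    "data_security_policies.csv": """POLICY_NAME,OBJECT_NAME,GRANTEE,CONDITION,PRIVILEGE
DSP_AP_INV,AP_INVOICES,AP_SPECIALIST_JOB,BU_ID = :bu,READ
DSP_GL_ALL,GL_JOURNALS,GL_REPORTING_DUTY,'1=1',READ
""",
    "integration_connections.csv": """CONNECTION_NAME,CONNECTION_TYPE,AUTH_TYPE,STATUS
ERP_REST,REST,OAUTH2,ACTIVE
LEGACY_BRIDGE,SOAP,basic,ACTIVE
""",
    "approval_rules.csv": """RULE_ID,TRANSACTION_TYPE,AUTO_APPROVE_ENABLED,BYPASS_ENABLED
R-100,AP_INVOICE,N,N
R-200,EXPENSE_REPORT,Y,N
""",
    "api_registrations.csv": """CLIENT_ID,CLIENT_NAME,GRANT_TYPE,SCOPES
c-001,Reporting,client_credentials,https://fusion.example/fscmRestApi/
c-002,Legacy Sync,client_credentials,urn:opc:resource:consumer::all
""",
    "period_status.csv": """LEDGER_NAME,PERIOD_NAME,PERIOD_STATUS,REOPEN_COUNT
US Primary,JAN-24,Closed,0
US Primary,FEB-24,Closed,2
""",
    "audit_policies.csv": """POLICY_NAME,OBJECT_NAME,ENABLED,AUDIT_ACTIONS
AP Audit,Payables,Y,INSERT;UPDATE;DELETE
PO Audit,Procurement,Y,
""",
}


def _v(row, col):
    return (row.get(col) or "").strip()


def _data_security(row):
    # Strip spaces, quotes and parentheses so "1 = 1" and ('1=1') match too.
    cond = re.sub(r"[\s'\"()]", "", _v(row, "CONDITION"))
    return ["unrestricted grant: CONDITION is 1=1"] if cond == "1=1" else []


def _connection(row):
    return ["AUTH_TYPE is BASIC"] if _v(row, "AUTH_TYPE").upper() == "BASIC" else []


def _approval(row):
    return [f"{c} = Y" for c in ("AUTO_APPROVE_ENABLED", "BYPASS_ENABLED")
            if _v(row, c).upper() == "Y"]


def _api(row):
    tokens = set(re.split(r"[\s,;]+", _v(row, "SCOPES")))
    return [f"wildcard scope {s}" for s in sorted(WILDCARD_SCOPES & tokens)]


def _period(row):
    raw = _v(row, "REOPEN_COUNT")
    if not raw.isdigit():
        return [f"REOPEN_COUNT not numeric: {raw!r}"]
    return [f"period reopened {raw} time(s)"] if int(raw) > 0 else []


def _audit(row):
    actions = [a for a in _v(row, "AUDIT_ACTIONS").split(";") if a.strip()]
    return [] if actions else ["no audit actions configured"]


# file name -> (key column, columns the check needs, check function)
CHECKS = {
    "data_security_policies.csv": ("POLICY_NAME", ["CONDITION"], _data_security),
    "integration_connections.csv": ("CONNECTION_NAME", ["AUTH_TYPE"], _connection),
    "approval_rules.csv": ("RULE_ID", ["AUTO_APPROVE_ENABLED", "BYPASS_ENABLED"], _approval),
    "api_registrations.csv": ("CLIENT_ID", ["SCOPES"], _api),
    "period_status.csv": ("PERIOD_NAME", ["REOPEN_COUNT"], _period),
    "audit_policies.csv": ("POLICY_NAME", ["AUDIT_ACTIONS"], _audit),
}


def triage(exports):
    """exports: {file name: CSV text}. Returns (file, row key, reason) tuples."""
    findings = []
    for name, text in exports.items():
        if name not in CHECKS:
            continue
        key_col, needed, check = CHECKS[name]
        reader = csv.DictReader(io.StringIO(text))
        missing = [c for c in needed if c not in (reader.fieldnames or [])]
        if missing:
            # A dropped column must not read as a clean result.
            findings.append((name, "<header>", "missing column " + ", ".join(missing)))
            continue
        for row in reader:
            findings.extend((name, _v(row, key_col), r) for r in check(row))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORTS):
        print(*finding, sep=" | ")
```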
Navigation Quick Reference

A consolidated reference showing where to find each module in Oracle Fusion and which export file it produces.

| # | Oracle Module | Navigation Path | Output File | Required Role |
|---|---|---|---|---|
| 1 | Security Console (Users) | Navigator → Tools → Security Console → Users | user_accounts.csv | IT Security Manager |
| 2 | OTBI (Security Reports) | Reports & Analytics → Security - User and Role Memberships | user_role_assignments.csv | IT Security Manager |
| 3 | Security Console (Roles) | Security Console → Roles → Manage Roles → Export All | role_hierarchy.csv | IT Security Manager |
| 4 | AACG (Conflicts) | Advanced Access Controls → Conflicts → Export Results | sod_conflicts.csv | Risk Management Cloud access |
| 5 | Security Console (Data Security) | Security Console → Data Security Policies | data_security_policies.csv | App Implementation Consultant |
| 6 | Setup & Maint. (Audit) | Setup and Maintenance → Manage Audit Policies | audit_policies.csv | App Implementation Consultant |
| 7 | OIC (Connections) | Oracle Integration Cloud → Home → Connections | integration_connections.csv | OIC Administrator |
| 8 | IDCS (Password Policy) | IDCS Admin Console → Security → Password Policy | password_policy.csv | IDCS Administrator |
| 9 | AME (Financial) | Setup and Maintenance → Manage Approval Management Rules | financial_controls.csv | App Implementation Consultant |
| 10 | My Oracle Support | support.oracle.com → Patches & Updates → Applied Patches | installed_patches.csv | My Oracle Support / Oracle CSM |
| 11 | IDCS (Security Settings) | IDCS Admin Console → Security → MFA / Sessions | idcs_config.csv | IDCS Administrator |
| 12 | BI Publisher (Catalog) | Reports & Analytics → Browse Catalog → /Shared Folders/ | report_catalog.csv | BI Author or Administrator |
| 13 | GL (Period Close) | General Ledger → Period Close → Manage Accounting Periods | period_status.csv | GL Manager |
| 14 | Intercompany | Intercompany Accounting → Manage Intercompany Transactions | intercompany_transactions.csv | Intercompany Accountant |
| 15 | Fixed Assets | Fixed Assets → Transactions → Asset Transactions | asset_transactions.csv | Assets Manager |
| 16 | AME (Workflows) | Setup and Maintenance → Manage Approvals → Rules | approval_rules.csv | App Implementation Consultant |
| 17 | IDCS (OAuth/Apps) | IDCS Admin Console → Applications → OAuth | api_registrations.csv | IDCS Administrator |
Oracle Fusion — Tips & Common Questions
Accessing Security Console

The Security Console is accessed via Navigator → Tools → Security Console. It is not the same as Setup and Maintenance. If you don't see it, verify your user has the IT Security Manager job role assigned.

IDCS vs. Oracle Fusion Security

Oracle Fusion uses two separate security layers: Fusion Application Security (roles, data grants — managed in Security Console) and IDCS/Identity Domains (authentication, MFA, SSO — managed at [tenant].identity.oraclecloud.com). Files 8, 11, and 17 come from IDCS, not Fusion.

OIC vs. Fusion Integrations

Oracle Integration Cloud (OIC) is a separate product from Oracle Fusion ERP — it has its own URL, admin console, and REST API. File 7 requires OIC access. If your organization does not use OIC, check for native Oracle Fusion web services integrations instead.

AACG Licensing

Oracle Advanced Access Controls (AACG) for SoD analysis requires a separate Oracle Risk Management Cloud license. If you are not licensed for AACG, skip sod_conflicts.csv — AuditCore will compute SoD conflicts from your role hierarchy and user assignments automatically.

Managing Large Exports

For environments with more than 500 users or 10,000+ role assignments, use OTBI reports with date filters or paginated REST API calls rather than the Security Console UI export, which may time out. Consider splitting large exports by ledger, business unit, or date range.

CPU Patch Schedule

Oracle Critical Patch Updates (CPUs) are released quarterly: January, April, July, October. For SaaS customers, Oracle applies these automatically. When populating installed_patches.csv, note that PATCH_TYPE = CPU rows are the most security-relevant.

REST API Access

Several files can be extracted via Oracle's REST APIs. Use curl or Postman with your IDCS OAuth token. The base URL pattern is https://[tenant].fa.us2.oraclecloud.com/fscmRestApi/resources/ for Fusion and https://[tenant].identity.oraclecloud.com/admin/v1/ for IDCS.

Refreshing Your Data

For the most accurate assessment, all exports should be taken within the same 24-hour window. Role assignments and user accounts can change frequently in active environments. Note the extraction timestamp in your file names if possible.

Live Connection — Enterprise Plan

The Enterprise plan connects AuditCore directly to Oracle Fusion ERP via REST APIs for real-time assessment. This section explains how to prepare your Oracle Cloud environment.

A
How the Live Connection Works

OAuth 2.0 Client Credentials flow — API-only, read-only

AuditCore connects to Oracle Fusion ERP using the Oracle Fusion REST APIs (version 11.13+) authenticated via OAuth 2.0 Client Credentials flow. No agents or middleware are installed in your Oracle tenant — the connection is API-only and read-only. All API calls use standard Oracle-published REST endpoints.

B
Prerequisites Checklist

Confirm these items before enabling live connection

  • Oracle Fusion Cloud ERP (any current quarterly release)
  • Oracle Identity Cloud Service (IDCS) or Identity Domain access for OAuth app creation
  • IT Security Manager role (for API user) OR Application Implementation Consultant
  • Network: Oracle Fusion Cloud is accessible by default — no firewall changes needed for SaaS
  • For Oracle Fusion on-premise (rare): REST API endpoints must be exposed and accessible
C
Creating the OAuth 2.0 Application in IDCS

IDCS Admin Console → Applications → Confidential Application

  1. Log in to the IDCS Admin Console: https://[your-tenant].identity.oraclecloud.com/ui/v1/adminconsole
  2. Navigate to Applications → Add Application → Confidential Application
  3. Name: AuditCore Assessment, Description: "Read-only security assessment integration"
  4. Client Configuration → Configure this application as a client now
  5. Grant Types: check Client Credentials only (do NOT enable Implicit or Auth Code)
  6. Allowed Scopes: add urn:opc:resource:consumer::all — then IMMEDIATELY restrict to specific scopes (see below)
  7. Specific scopes to request (minimum required):
    • https://[fusion-host]/fscmRestApi/ — Financials and Security REST APIs
    • https://[fusion-host]/hcmRestApi/ — HCM APIs (if HCM SoD checks required)
  8. IP Allowlist: enter the AuditCore server IP (provided in the Enterprise plan welcome email)
  9. Click Finish → note the Client ID and Client Secret
  10. Activate the application
D
Creating the API User

Oracle Fusion Security Console → Users

  1. In Oracle Fusion Security Console, create a new user: AUDITCORE_API
  2. Assign role: IT Security Manager (ORA_FND_IT_SECURITY_MANAGER_JOB)
    This role provides read access to Security Console, audit policies, and user data. Do NOT assign Application Implementation Consultant — it has write access.
  3. Set a strong password and record it securely — it is used as the OAuth resource owner
  4. Set account expiry to 90 days — renew per engagement
  5. After assessment: lock the account in Security Console → Users → [user] → Lock Account
E
Endpoint & Credential Details to Provide to AuditCore

Securely share these details via the Enterprise plan onboarding form

| Field | Example | Where to Find |
|---|---|---|
| Oracle Fusion Host URL | https://acme.fa.us2.oraclecloud.com | Browser URL when logged into Fusion |
| IDCS Tenant URL | https://idcs-abc123.identity.oraclecloud.com | IDCS Admin Console URL |
| OAuth Client ID | abc1234-... | IDCS Application → Client ID |
| OAuth Client Secret | •••••• | IDCS Application → Show Secret |
| API Username | AUDITCORE_API | Created in step D |
| API Password | •••••• | Set in step D |
F
API Rate Limits

Oracle Fusion REST API throttling — handled automatically on the Enterprise plan

Oracle Fusion REST APIs have rate limits. AuditCore throttles requests to stay within Oracle's limits (typically 1,000 requests/hour for standard tenants). Large environments (>10,000 users) may require an extended assessment window. Enterprise plan includes automatic rate-limit handling and retry logic.

G
Data Accessed via Live Connection

Same data as manual export — accessed in real time via REST API

  • Security Console (users, roles, data security)
  • IDCS (MFA, password policy, OAuth apps)
  • General Ledger (period status)
  • Fixed Assets (transactions)
  • Intercompany (transactions)
  • AME (approval rules)
  • OIC (integration connections)
  • BI Publisher (report catalog)
Security Note. AuditCore uses OAuth 2.0 Client Credentials — your user passwords are never transmitted to AuditCore servers. Only the Client ID and Client Secret are used for token issuance. All API calls are GET requests — no POST, PUT, PATCH, or DELETE operations are performed. Revoke the OAuth application in IDCS immediately after the assessment.

Data Sensitivity & Handling Notice

The export files described in this guide contain highly sensitive security data including user credentials metadata, role assignments, approval rule thresholds, and system configuration. Handle all extracted files with appropriate care:

  • Transmit files to AuditCore using SFTP or HTTPS only — never via unencrypted email or FTP.
  • Store files in an access-controlled location restricted to the assessment team during the engagement.
  • Delete all extracts from local workstations and shared drives upon completion of the assessment.
  • Do not share extracts with personnel outside the named assessment team without written authorization.
  • These files may be subject to your organization's data classification policy — treat them at minimum as Confidential / Internal Use Only.

AuditCore  —  Oracle Fusion ERP Data Extraction Guide  —  Generated for client distribution. Oracle, Oracle Fusion, Oracle Integration Cloud, and IDCS are trademarks of Oracle Corporation.