Thursday, May 21, 2026

OIC - User Access Provisioning & Revocation Between CORS and OPC

Introduction

In enterprise environments, user access management between external systems and Oracle platforms is a common integration requirement. In this use case, we implemented an automated solution using Oracle Integration Cloud to provision and revoke user access between CORS and OPC.

The integration supports two major flows:

OPC to CORS Sync Flow

  • Scheduled integration
  • Extracts users, departments, and groups from OPC
  • Generates files and sends them to SFTP for CORS pickup

CORS to OPC Access Management Flow

  • REST-based integration
  • Receives user/group/department details from CORS
  • Creates users and assigns access in OPC
  • Returns failed group assignment responses

This architecture helped automate access governance, reduce manual intervention, and improve synchronization accuracy across systems.

Flow 1 – OPC to CORS Synchronization

Requirement

CORS requires periodic synchronization data from OPC containing:

User details

Department mappings

Department-group mappings

Department-group-user mappings

The files need to be generated automatically and placed in an SFTP location for CORS consumption.

Solution Design

We implemented a Scheduled Integration in Oracle Integration Cloud.

High-Level Steps

  1. Scheduler triggers the integration periodically
  2. OIC calls OPC APIs and retrieves authentication token
  3. Fetches:
    • Departments
    • Department and group mappings
    • Department-group-user mappings
  4. Generates 3 outbound files
  5. Uploads files to OIC SFTP location
  6. CORS picks up the files from SFTP

Integration Flow

Step 1 – Scheduler Trigger

<InterfaceNumber>_OPC_CORS_RolesWithUser_extract_Sch

<InterfaceNumber>_OPC_CORS_RolesWithUser_extract

A scheduled orchestration integration was configured to run at defined intervals.

Example:

Every 1 hour

Daily batch sync

Based on business requirement

Step 2 – OPC Authentication

The integration first invokes OPC authentication APIs to retrieve access tokens.

This token is then used for all subsequent OPC REST API calls.






Step 3 – Fetch Department and Group Details

Multiple REST calls were made to OPC APIs:

APIs Used

Get Departments

Get Groups by Department

Get Users by Group and Department

The data was staged and transformed inside OIC.

Fetch dept/workspace:




Fetch usergroups:






Step 4 – Generate Output Files

Three files were generated:

File | Description
Department File | Contains department details
Department-Group File | Contains group mapping information
Department-Group-User File | Contains user assignment details

Files were generated in CSV format.








Step 5 – Upload Files to SFTP

Using OIC FTP/SFTP Adapter, the files were uploaded to the designated SFTP location.

CORS system then picked up the files for downstream processing.

Benefits of Flow 1

Fully automated synchronization

No manual file preparation

Centralized access data management

Reduced synchronization errors

Easy scalability for future enhancements

Flow 2 – CORS to OPC User Provisioning

Requirement

CORS sends user access requests to OIC.

The integration must:

  1. Create users in OPC
  2. Assign department access
  3. Add users to groups
  4. Return failure responses for unsuccessful group assignments

Solution Design

We exposed a REST API from Oracle Integration Cloud for CORS consumption.

The design was modularized using:

One Main Integration

Multiple Child Integrations

This improved reusability and maintainability.

Architecture Overview

Main Integration

The main orchestration integration performs:

Receives REST payload from CORS

Validates incoming request

Calls child integrations

Consolidates responses

Sends failure details back to CORS

<InterfaceNumber>_CORS_OPC_UserRoleProvision_Main











Child Integration 1 – User Creation

This integration handles:

User creation in OPC

User validation

Existing user checks

Error handling

Key Features

Reusable integration

Can be invoked independently

Centralized user onboarding logic

<InterfaceNumber>_CORS_OPC_UserCreation

Integration Flow:

Get the user, workspace and group details from Main > get Unifier token > check if user exists using login ID > if user does not exist, create the user > get job status > get OPC token > get all OPC users > check if user exists > if user does not exist, create the user > send the status and message back to Main.

Get feed from main:




Get Unifier Token:




Check if user exists:



Create user in Unifier if user does not exist:




Get job status:



Get OPC token:






Get all OPC users:

Check if user exists:

Create user in OPC:






Child Integration 2 – Group and Department Assignment

This integration performs:

Group assignment

Department mapping

Role association

If any group assignment fails, the integration captures the failure details.

 <InterfaceNumber>_CORS_OPC_AddOrRemoveWorkdpaceAccess

Integration flow:

Receive feed from main > Get OPC token > for each user group - add or remove workspace group access > send status back to main

Feed from main:




For each user group


Add user group






Remove user from group






Failure Handling Mechanism

One important business requirement was to return failed group assignments back to CORS.

Example Failure Scenarios

Group does not exist

Invalid department

User already assigned

OPC API failure

The integration collected all failed records and prepared a consolidated response.

Sample Response Structure

{
  "status": "PARTIAL_SUCCESS",
  "failedGroups": [
    {
      "user": "ABC123",
      "group": "Finance_Admin",
      "reason": "Group not found"
    }
  ]
}

Key Advantages of the Solution

  • Modular Design
    Using child integrations improved:
    • Reusability
    • Maintainability
    • Independent testing
  • Better Error Tracking
    Detailed failure responses helped CORS quickly identify provisioning issues.
  • Scalable Architecture
    The solution can easily support:
    • Additional departments
    • More user attributes
    • Future access models

Conclusion

This integration solution using Oracle Integration Cloud enabled seamless synchronization and automated user access management between CORS and OPC.

The implementation provided:

  • Automated provisioning and revocation
  • Secure file-based synchronization
  • REST-based onboarding
  • Modular child integration architecture
  • Detailed failure reporting

This approach significantly reduced manual effort while improving access governance and operational efficiency across systems.

Sunday, May 10, 2026

OIC - OCI Java function code for RSA Encryption and Decryption

Function Java code:

package com.test.fn;

import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.*;
import java.util.Base64;
import javax.crypto.Cipher;
import java.util.logging.*;

public class RSAEncryptDecrypt {

    private static final Logger logger = Logger.getLogger(RSAEncryptDecrypt.class.getName());

    public static class Input {
        public String message;         // plaintext (ENCRYPT) or Base64 ciphertext (DECRYPT)
        public String secretKeyBase64; // Base64 X.509 public key (ENCRYPT) or PKCS#8 private key (DECRYPT)
        public String rsaMode;         // transformation string passed to Cipher.getInstance
        public String actionType;      // ENCRYPT or DECRYPT
    }

    public static class Result {
        public String message;
        public String executionInfo;
    }

    public Result handleRequest(Input input) throws Exception {
        // Log only non-sensitive fields; the message and the key material
        // are deliberately kept out of the function logs.
        logger.log(Level.INFO, "OIC - rsaMode: {0}", input.rsaMode);
        logger.log(Level.INFO, "OIC - actionType: {0}", input.actionType);

        Result result = null;
        if ("DECRYPT".equals(input.actionType)) {
            result = decryptMyMessage(input);
        } else if ("ENCRYPT".equals(input.actionType)) {
            result = encryptMyMessage(input);
        } else {
            result = new Result();
            result.executionInfo = "ERROR: No proper action found , possible value "
                    + "is ENCRYPT or DECRYPT , received value:"
                    + input.actionType;
        }
        return result;
    }

    // Encrypts the plaintext with the RSA public key and returns Base64 ciphertext
    public Result encryptMyMessage(Input input) throws Exception {
        Result result = new Result();
        try {
            PublicKey publicKey = loadPublicKey(input.secretKeyBase64);
            Cipher cipher = Cipher.getInstance(input.rsaMode); // RSA encryption scheme
            cipher.init(Cipher.ENCRYPT_MODE, publicKey);
            // Encode explicitly as UTF-8 so it matches the decoding in decryptMyMessage
            byte[] encryptedBytes = cipher.doFinal(input.message.getBytes(StandardCharsets.UTF_8));
            result.message = Base64.getEncoder().encodeToString(encryptedBytes);
            result.executionInfo = "SUCCESS";
        } catch (Exception e) {
            result.executionInfo = e.getMessage();
            logger.log(Level.SEVERE, "Error Details: {0}", e.getMessage());
        }
        return result; // ciphertext as Base64 string
    }

    // Decrypts Base64 ciphertext with the RSA private key and returns the plaintext
    public Result decryptMyMessage(Input input) throws Exception {
        Result result = new Result();
        try {
            Cipher decryptCipher = Cipher.getInstance(input.rsaMode);
            PrivateKey privateKey = getPrivateKeyFromString(input.secretKeyBase64);
            decryptCipher.init(Cipher.DECRYPT_MODE, privateKey);
            byte[] decryptedBytes = decryptCipher.doFinal(Base64.getDecoder().decode(input.message));
            String myDecryptedMsg = new String(decryptedBytes, StandardCharsets.UTF_8);
            result.message = myDecryptedMsg;
            result.executionInfo = "SUCCESS";
        } catch (Exception e) {
            result.executionInfo = e.getMessage();
            logger.log(Level.SEVERE, "Error Details: {0}", e.getMessage());
        }
        return result; // decrypted plaintext
    }

    // Converts a Base64-encoded X.509 public key string to a PublicKey object
    public static PublicKey loadPublicKey(String base64PublicKey) throws Exception {
        byte[] keyBytes = Base64.getDecoder().decode(base64PublicKey);
        X509EncodedKeySpec spec = new X509EncodedKeySpec(keyBytes);
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        return keyFactory.generatePublic(spec);
    }

    // Converts a Base64-encoded PKCS#8 private key string to a PrivateKey object
    public static PrivateKey getPrivateKeyFromString(String base64PrivateKey)
            throws Exception {
        byte[] keyBytes = Base64.getDecoder().decode(base64PrivateKey);
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes);
        KeyFactory factory = KeyFactory.getInstance("RSA");
        return factory.generatePrivate(spec);
    }
}
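
The function above hands the caller-supplied rsaMode straight to Cipher.getInstance, so a request can select unpadded RSA or PKCS#1 v1.5 padding. The following is an added example, not code from the original post: it restricts rsaMode to an OAEP allowlist and pins the OAEP parameters. The class RsaModeAllowlist, the method cipherFor and the single allowed mode are assumptions, and the key pair is generated only for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class RsaModeAllowlist {
    static final String OAEP_SHA256 = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Assumption: callers only ever need OAEP; every other mode is refused.
    private static final Set<String> ALLOWED_MODES = Set.of(OAEP_SHA256);

    // Pin the OAEP digest and the MGF1 digest to SHA-256 so both sides agree
    // regardless of provider defaults.
    private static final OAEPParameterSpec OAEP_PARAMS = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    // Hypothetical replacement for the bare Cipher.getInstance(input.rsaMode) call.
    static Cipher cipherFor(String rsaMode, int opMode, Key key) throws GeneralSecurityException {
        if (rsaMode == null || !ALLOWED_MODES.contains(rsaMode)) {
            throw new NoSuchAlgorithmException("rsaMode is not an allowed transformation");
        }
        Cipher cipher = Cipher.getInstance(rsaMode);
        cipher.init(opMode, key, OAEP_PARAMS);
        return cipher;
    }

    public static void main(String[] args) throws Exception {
        // Constructed throwaway key pair, generated only for this demonstration.
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair pair = generator.generateKeyPair();

        byte[] ciphertext = cipherFor(OAEP_SHA256, Cipher.ENCRYPT_MODE, pair.getPublic())
                .doFinal("constructed sample".getBytes(StandardCharsets.UTF_8));
        byte[] plaintext = cipherFor(OAEP_SHA256, Cipher.DECRYPT_MODE, pair.getPrivate())
                .doFinal(ciphertext);
        System.out.println("round trip: " + new String(plaintext, StandardCharsets.UTF_8));

        // Modes a caller could otherwise pass in the rsaMode field.
        for (String mode : new String[] {"RSA/ECB/NoPadding", "RSA/ECB/PKCS1Padding", "RSA"}) {
            try {
                cipherFor(mode, Cipher.ENCRYPT_MODE, pair.getPublic());
                System.out.println("accepted: " + mode);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("rejected: " + mode);
            }
        }
    }
}
```

Both the encrypting and the decrypting side must use the same OAEP parameters, so a peer that relies on provider defaults for the MGF1 digest will fail to decrypt until it is configured to match.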
