Summary and recommendation
Oracle CX Sales exposes two distinct base URL namespaces that must not be mixed: /crmRestApi/resources/latest for CX Sales CRM resources (accounts, opportunities, sales resources), and /hcmRestApi/resources/latest plus /hcmRestApi/scim/ for user and person management. Sending user management requests to the CRM base URL returns 404 errors.
The tenant hostname also varies by data center region (e.g., us2, em2, ap1) and must be confirmed from the Oracle Cloud Console before integration.
Authentication supports Basic Auth (Base64-encoded username:password) and OAuth 2.0 (2-legged or 3-legged JWT via IDCS). For SCIM specifically, Basic Auth is the documented supported method; OAuth 2.0 support for the SCIM endpoint is not consistently documented across releases and should not be assumed.
For stable integrations, pin the API version path (e.g., /resources/11.13.18.05.0/) rather than relying on the 'latest' alias.
Building an identity graph against Oracle CX Sales requires reconciling two separate identifiers: PersonId (the HCM party record) and UserId (the FND_USER account). Many endpoints require one or the other specifically, and confusing them produces 404s.
Full user state - account status, roles, territory memberships, manager hierarchy - is distributed across SCIM, HCM REST, and CRM REST endpoints and must be assembled from multiple calls.
API quick reference
| Has user API | Yes |
| Auth method | Basic Auth (username:password Base64-encoded) or OAuth 2.0 (3-legged or 2-legged JWT) |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Enterprise (Oracle Fusion Cloud CX Sales v11.12.1.0.0+; SSO prerequisite required) |
Authentication
Auth method: Basic Auth (username:password Base64-encoded) or OAuth 2.0 (3-legged or 2-legged JWT)
Setup steps
- For Basic Auth: encode 'username:password' in Base64 and pass as Authorization: Basic
header. - For OAuth 2.0: register a confidential application in Oracle Identity Cloud Service (IDCS) or Oracle Access Manager.
- Assign the application the required API scopes (e.g., urn:opc:resource:consumer::all or specific Fusion resource scopes).
- Obtain an access token via the IDCS token endpoint: POST https://
.identity.oraclecloud.com/oauth2/v1/token. - Pass the token as Authorization: Bearer
on all API requests. - For SCIM provisioning, Basic Auth is the documented supported method; OAuth 2.0 support for SCIM may vary by release.
Required scopes
| Scope | Description | Required for |
|---|---|---|
| urn:opc:resource:consumer::all | Broad scope granting access to all Oracle Fusion REST resources for the authenticated user. | General REST API access including user/resource management |
| CRM_RESTAPI_ACCESS | Fusion application role granting access to CRM REST API endpoints. | CX Sales resource endpoints (contacts, accounts, opportunities) |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| PersonId | integer | System-generated unique identifier for the person/user record. | auto-generated | read-only | Primary key; used in URL path for individual resource operations. |
| UserId | integer | Unique identifier for the user account linked to the person. | auto-generated | read-only | Distinct from PersonId; references the FND_USER record. |
| Username | string | Login username for the Oracle Fusion user account. | required | optional | Must be unique across the tenant. |
| FirstName | string | User's first name. | required | optional | |
| LastName | string | User's last name. | required | optional | |
| EmailAddress | string | Primary email address of the user. | required | optional | Used for notifications and as alternate login identifier. |
| WorkEmail | string | Work email address (HCM person record). | optional | optional | Stored on the person's contact point record. |
| ActiveFlag | boolean | Indicates whether the user account is active. | optional (defaults to true) | optional | Set to false to deactivate without deleting. |
| StartDate | date (YYYY-MM-DD) | Date from which the user account is valid. | optional | optional | |
| EndDate | date (YYYY-MM-DD) | Date after which the user account expires. | optional | optional | Setting a past date effectively deactivates the account. |
| PersonType | string | Classification of the person (e.g., EMPLOYEE, PARTY). | required | read-only | Determines which HCM flows apply. |
| RoleCode | string | Application role code assigned to the user (e.g., ORA_ZBS_SALES_REPRESENTATIVE). | optional | optional | Roles are managed via the userRoles child resource, not a flat field. |
| ManagerId | integer | PersonId of the user's manager. | optional | optional | Used for sales hierarchy and territory management. |
| BusinessUnitId | integer | Identifier of the business unit the user belongs to. | optional | optional | |
| Language | string | Preferred language code (e.g., 'en', 'fr'). | optional | optional | |
| Timezone | string | User's timezone (e.g., 'America/New_York'). | optional | optional | |
| MobileNumber | string | Mobile phone number of the user. | optional | optional | Stored as a contact point on the person record. |
| CreatedBy | string | Username of the user who created the record. | auto-generated | read-only | |
| LastUpdateDate | datetime (ISO 8601) | Timestamp of the last update to the record. | auto-generated | auto-generated | Useful for delta sync queries using ?q=LastUpdateDate>='timestamp'. |
Core endpoints
List Users (Sales Resources/Persons)
- Method: GET
- URL:
https://<tenant>.fa.us2.oraclecloud.com/crmRestApi/resources/latest/salesPartyResources?fields=PersonId,Username,FirstName,LastName,EmailAddress,ActiveFlag&limit=25&offset=0 - Watch out for: The exact resource name for 'users' in CX Sales context may be salesPartyResources or resourceMembers depending on the module. Verify against your tenant's /crmRestApi/resources/latest endpoint catalog.
Request example
GET /crmRestApi/resources/latest/salesPartyResources?limit=25&offset=0
Authorization: Basic <base64>
Accept: application/json
Response example
{
"items": [
{"PersonId": 100001, "Username": "jdoe", "FirstName": "Jane", "LastName": "Doe", "ActiveFlag": true}
],
"count": 1,
"hasMore": false,
"limit": 25,
"offset": 0
}
Get Single User by PersonId
- Method: GET
- URL:
https://<tenant>.fa.us2.oraclecloud.com/crmRestApi/resources/latest/salesPartyResources/{PersonId} - Watch out for: PersonId is the path parameter, not UserId. Confusing the two returns 404.
Request example
GET /crmRestApi/resources/latest/salesPartyResources/100001
Authorization: Basic <base64>
Accept: application/json
Response example
{
"PersonId": 100001,
"Username": "jdoe",
"FirstName": "Jane",
"LastName": "Doe",
"EmailAddress": "jdoe@example.com",
"ActiveFlag": true
}
Create User (SCIM)
- Method: POST
- URL:
https://<tenant>.fa.us2.oraclecloud.com/hcmRestApi/scim/Users - Watch out for: SCIM endpoint is under /hcmRestApi/scim/, not /crmRestApi/. Basic Auth is the documented auth method for this endpoint. OAuth 2.0 support for SCIM is not consistently documented.
Request example
POST /hcmRestApi/scim/Users
Authorization: Basic <base64>
Content-Type: application/scim+json
{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName":"jdoe","name":{"givenName":"Jane","familyName":"Doe"},
"emails":[{"value":"jdoe@example.com","primary":true}],"active":true}
Response example
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "100001",
"userName": "jdoe",
"active": true,
"meta": {"resourceType": "User", "location": "/hcmRestApi/scim/Users/100001"}
}
Update User (SCIM PATCH)
- Method: PATCH
- URL:
https://<tenant>.fa.us2.oraclecloud.com/hcmRestApi/scim/Users/{id} - Watch out for: SCIM PATCH for deactivation sets active=false but does not delete the HCM person record. Full deprovision requires additional steps in Oracle HCM.
Request example
PATCH /hcmRestApi/scim/Users/100001
Authorization: Basic <base64>
Content-Type: application/scim+json
{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations":[{"op":"replace","path":"active","value":false}]}
Response example
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "100001",
"userName": "jdoe",
"active": false
}
Get User (SCIM)
- Method: GET
- URL:
https://<tenant>.fa.us2.oraclecloud.com/hcmRestApi/scim/Users/{id} - Watch out for: The SCIM id field maps to the Oracle HCM PersonId. Filter by userName using ?filter=userName eq "jdoe" to look up by username.
Request example
GET /hcmRestApi/scim/Users/100001
Authorization: Basic <base64>
Accept: application/scim+json
Response example
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "100001",
"userName": "jdoe",
"name": {"givenName": "Jane", "familyName": "Doe"},
"active": true
}
List SCIM Users with Filter
- Method: GET
- URL:
https://<tenant>.fa.us2.oraclecloud.com/hcmRestApi/scim/Users?filter=userName eq "jdoe"&startIndex=1&count=25 - Watch out for: SCIM filter syntax must be URL-encoded. Not all SCIM filter operators are supported; eq and co are most reliable.
Request example
GET /hcmRestApi/scim/Users?filter=userName+eq+%22jdoe%22&startIndex=1&count=25
Authorization: Basic <base64>
Accept: application/scim+json
Response example
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 1,
"startIndex": 1,
"itemsPerPage": 25,
"Resources": [{"id": "100001", "userName": "jdoe", "active": true}]
}
Assign Role to User (CRM REST)
- Method: POST
- URL:
https://<tenant>.fa.us2.oraclecloud.com/hcmRestApi/resources/latest/users/{UserId}/child/userRoles - Watch out for: Role codes are Oracle-internal identifiers (ORA_ prefix for seeded roles). Custom roles use tenant-specific codes. SCIM does not support group/role provisioning for CX Sales; use HCM REST for role assignment.
Request example
POST /hcmRestApi/resources/latest/users/100001/child/userRoles
Authorization: Basic <base64>
Content-Type: application/json
{"RoleCode": "ORA_ZBS_SALES_REPRESENTATIVE", "StartDate": "2024-01-01"}
Response example
{
"UserId": 100001,
"RoleCode": "ORA_ZBS_SALES_REPRESENTATIVE",
"StartDate": "2024-01-01",
"ActiveFlag": true
}
Deactivate User (CRM REST PATCH)
- Method: PATCH
- URL:
https://<tenant>.fa.us2.oraclecloud.com/hcmRestApi/resources/latest/users/{UserId} - Watch out for: Setting EndDate to a past date or ActiveFlag=false disables login but retains all CRM data associations. Hard delete of users is not supported via REST API.
Request example
PATCH /hcmRestApi/resources/latest/users/100001
Authorization: Basic <base64>
Content-Type: application/json
{"ActiveFlag": false, "EndDate": "2024-12-31"}
Response example
{
"UserId": 100001,
"Username": "jdoe",
"ActiveFlag": false,
"EndDate": "2024-12-31"
}
Rate limits, pagination, and events
- Rate limits: Oracle Fusion Cloud applies server-side throttling. No publicly documented fixed rate-limit numbers per plan. Concurrent request limits apply per pod/tenant. Requests exceeding limits receive HTTP 503 or 429 responses.
- Rate-limit headers: No
- Retry-After header: No
- Rate-limit notes: Oracle does not publish explicit per-minute rate limits in official docs. Throttling is enforced at the infrastructure level. Recommended practice: implement exponential backoff on 503/429 responses. Batch operations (using batch REST endpoint) are preferred over high-frequency individual calls.
- Pagination method: offset
- Default page size: 25
- Max page size: 500
- Pagination pointer: offset and limit (e.g., ?offset=0&limit=25)
| Plan | Limit | Concurrent |
|---|---|---|
| All Fusion Cloud tenants | Not publicly specified; governed by Oracle Fair Use Policy | 10 |
- Webhooks available: No
- Webhook notes: Oracle CX Sales does not offer native outbound webhooks for user lifecycle events via the standard REST API. Event-driven integration is handled through Oracle Integration Cloud (OIC) or Oracle Business Events (via ADF Business Events framework).
- Alternative event strategy: Use Oracle Integration Cloud (OIC) adapters to subscribe to Fusion business events (e.g., user creation, role assignment) and trigger downstream actions. Alternatively, poll the REST API using LastUpdateDate filter for delta sync.
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Enterprise (Oracle Fusion Cloud CX Sales v11.12.1.0.0+; SSO prerequisite required)
Endpoint: https://
.fa.us2.oraclecloud.com/hcmRestApi/scim/Users Supported operations: GET /Users (list with filter), GET /Users/{id}, POST /Users (create), PUT /Users/{id} (full replace), PATCH /Users/{id} (partial update, deactivate), DELETE /Users/{id} (supported but may only deactivate)
Limitations:
- Basic Auth is the documented authentication method; OAuth 2.0 for SCIM is not consistently supported across all releases.
- Group provisioning (/Groups endpoint) is not supported; roles must be managed via HCM REST API userRoles child resource.
- SCIM does not provision CX Sales-specific attributes (e.g., sales territory, resource organization); these require separate HCM/CRM REST calls.
- SSO must be configured as a prerequisite for SCIM provisioning to function correctly.
- DELETE via SCIM may deactivate rather than permanently delete the HCM person record.
- Not all SCIM filter operators are supported; complex filters may return errors.
- Tenant URL format varies by data center region (e.g., us2, em2, ap1).
Common scenarios
Provisioning a new sales rep via SCIM is a three-phase operation. First, POST to /hcmRestApi/scim/Users to create the account and capture the returned SCIM id.
Second, POST to /hcmRestApi/resources/latest/users/{UserId}/child/userRoles with the appropriate RoleCode (e. g.
, ORA_ZBS_SALES_REPRESENTATIVE) and a StartDate. Third, if territory-based data access is required, add the user to a sales territory resource pool via /crmRestApi/resources/latest/territories.
SCIM alone does not complete CX Sales provisioning; skipping steps two or three produces a user who can authenticate but sees no CRM data.
Deactivating a departed user via SCIM PATCH (active=false) disables login but does not remove role assignments or territory memberships. These persist on the HCM record and require separate cleanup via HCM REST if the account is ever reactivated or audited. Hard deletion of user records is not supported via REST API or the standard UI.
For delta sync, use the LastUpdateDate filter on /crmRestApi/resources/latest/salesPartyResources with ISO 8601 format including timezone offset (?q=LastUpdateDate>='2024-01-01T00:00:00+00:00'). Pagination uses offset/limit for CRM REST and startIndex/count for SCIM - do not mix parameters across endpoint types. Inactive records may be excluded from delta results by default; add an explicit ActiveFlag filter to capture deactivations.
Provision a new sales rep via SCIM
- POST to /hcmRestApi/scim/Users with userName, name.givenName, name.familyName, emails[0].value, active=true.
- Capture the returned SCIM id (maps to PersonId/UserId).
- POST to /hcmRestApi/resources/latest/users/{UserId}/child/userRoles with RoleCode='ORA_ZBS_SALES_REPRESENTATIVE' and StartDate.
- If territory assignment is needed, use the CRM REST API to add the user to a sales territory resource pool via /crmRestApi/resources/latest/territories.
Watch out for: SCIM alone does not complete CX Sales provisioning. Role and territory assignment require separate HCM/CRM REST calls after SCIM user creation.
Deactivate a departed user
- Look up the user's SCIM id: GET /hcmRestApi/scim/Users?filter=userName eq "jdoe".
- PATCH /hcmRestApi/scim/Users/{id} with Operations: [{op: replace, path: active, value: false}].
- Optionally, PATCH /hcmRestApi/resources/latest/users/{UserId} with EndDate set to today's date to expire the FND_USER account.
- Verify deactivation: GET /hcmRestApi/scim/Users/{id} and confirm active=false.
Watch out for: SCIM deactivation sets active=false on the user account but does not remove role assignments or territory memberships. These persist and may need separate cleanup via HCM REST.
Delta sync: fetch users updated since last run
- Store the timestamp of the last successful sync.
- GET /crmRestApi/resources/latest/salesPartyResources?q=LastUpdateDate>='2024-06-01T00:00:00+00:00'&limit=500&offset=0.
- Iterate through pages using offset increments until hasMore=false.
- For each returned record, compare with local state and apply creates/updates/deactivations as needed.
- Update the stored timestamp to the current run time.
Watch out for: LastUpdateDate filter requires URL-encoded ISO 8601 with timezone offset. Records deleted (deactivated) in Oracle may not appear in delta results if ActiveFlag=false records are excluded by default; add explicit filter: &q=LastUpdateDate>='...' to include inactive records.
Why building this yourself is a trap
Oracle does not publish explicit per-minute rate limits. Throttling is enforced at the infrastructure level under Oracle's Fair Use Policy; exceeded limits return HTTP 503 or 429 with no Retry-After header and no rate-limit headers in the response. Implement exponential backoff on both status codes and prefer the batch REST endpoint over high-frequency individual calls.
SCIM group provisioning (/Groups endpoint) is not supported for CX Sales. Role assignment must go through the HCM REST userRoles child resource, and CX Sales-specific attributes - sales territory, resource organization - are outside SCIM scope entirely and require separate CRM REST calls.
Any identity graph that relies solely on SCIM will be structurally incomplete for this application.
Webhooks are not available natively for user lifecycle events. Event-driven integration requires Oracle Integration Cloud (OIC) adapters subscribed to Fusion business events. Without OIC, the only option for near-real-time sync is polling with a LastUpdateDate filter, which carries the deactivation-visibility caveat noted above.
Automate Oracle CX Sales workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
