Oracle® Identity Manager Design Console Guide
Release 9.1.0.2

Part Number E14762-01

7 Administering Oracle Identity Manager with the Design Console

This chapter describes how to use the Design Console to administer Oracle Identity Manager. It contains the following topics:

7.1 Overview of Design Control Administration

The Design Console Administration folder provides system administrators with tools for managing Oracle Identity Manager administrative features. This folder contains the following forms:

7.2 Form Information Form

The Form Information form, shown in Figure 7-1, is in the Design Console Administration folder. You use this form to specify the class name, the label that is displayed in the Design Console Explorer, the form type, form icon, and Help to be associated with an Oracle Identity Manager form. You can also use this form to modify the folders and folder items that are displayed in the Design Console Explorer.

Figure 7-1 Form Information Form


Table 7-1 describes the data fields of this form.

Table 7-1 Fields in the Form Information Form

Field Name Description

Key

The system-generated ID for the form or folder.

Class Name

The name of the class associated with the form or folder. For the forms and folders that are preinstalled with Oracle Identity Manager, this will be a tc class.

Description

The label that is displayed for this form or folder in the Oracle Identity Manager Explorer. For forms of the childform type, this value must include the name of the parent form and adhere to the following naming convention: parent_form_name.child_form_name.

Type

The form type associated with the form or folder. For folders, this must be folder. Valid selections are folder, export, processform, childform, javaform, import, and menuitem.

Graphic Filename

The name of the graphic file that is displayed as an icon next to the form or folder in the Design Console Explorer.

Context Sensitive Help URL

The URL of the online Help topic that is displayed if the user presses F1 when this form is active.


7.2.1 Adding an Oracle Identity Manager Form or Folder

To add an Oracle Identity Manager form or folder:

  1. Go to the Form Information form.

  2. Enter the name of the class that will be used to render the form in the Class Name field.

  3. Enter the label you want to be displayed for the form or folder in the Design Console Explorer in the Description field.

    For forms of type childform, this value must include the name of the parent form and adhere to the following naming convention: parent_form_name.child_form_name.

  4. Select items from the Type box.

    • For folders, select folder.

    • For forms related to export procedures, select export.

    • For forms related to a process, select processform.

    • For tabs that are displayed in other forms, or for forms that are nested within other forms, select childform.

    • For general forms, select javaform.

    • For forms related to import procedures, select import.

    • For menu items associated with the Oracle Identity Manager Administrative and User Console, select menuitem.

      See Also:

      See Oracle Identity Manager Administrative and User Console Guide for more information about the Oracle Identity Manager Administrative and User Console.

  5. Enter the name of the icon or graphic image file to be used in the Design Console Explorer for the form or folder in the Graphic Filename field.

  6. Enter the URL of the online Help topic for the form in the Context Sensitive Help URL field.

    This file is displayed if the user presses F1 when the form is active.

  7. Click Save.

    The form is added and a system-generated ID for the form or folder is displayed in the Key field.

7.2.2 Modifying the Design Console Explorer

The Design Console Explorer and layout of its folders and folder items can be modified based on different user group levels.

Note:

Click the plus sign (+) to expand a folder and show folder items, or click the minus sign (-) to hide folder items.

The folders and folder items that a user can access are based on the user groups of which the user is a member. For example, suppose the IT DEPARTMENT user group can open the System Configuration form, and the HR DEPARTMENT user group is able to launch the Lookup Definition form. If a user belongs to both user groups, he or she can access the System Configuration form and the Lookup Definition form.

7.3 Lookup Definition Form

A lookup definition represents one of the following:

These items, which contain information pertaining to the text field, lookup field, or box, are known as lookup values. Users can access lookup definitions from one of two locations:

The Lookup Definition form shown in Figure 7-2 is in the Design Console Administration folder. You use this form to create and manage lookup definitions.

Figure 7-2 Lookup Definition Form


Table 7-2 describes the data fields of the Lookup Definition form.

Table 7-2 Fields of the Lookup Definition Form

Field Name Description

Code

The name of the lookup definition.

Field

The name of the table column of the form or tab from which the text field, lookup field, or box field will be accessible.

Lookup Type/Field Type

These options designate if the lookup definition is to represent a text field, a lookup field, or a box.

If you select the Field Type option, the lookup definition will represent a text field.

If you select the Lookup Type option, the lookup definition is to represent either a lookup field or a box, along with the values that are to be accessible from that lookup field or box.

Note: For forms or tabs that come packaged with Oracle Identity Manager, the lookup definition has already been set as either a lookup field or a box. This cannot be changed. However, you can add or modify the values that are accessible from the lookup field or box.

For forms or tabs that are user defined, the user determines whether the lookup definition represents a lookup field or a box through the Additional Columns tab of the Form Designer form.

For more information about specifying the data type of a lookup definition, see "Additional Columns Tab".

Required

By selecting this check box, the lookup definition is designated as required. As a result, Oracle Identity Manager will not allow the contents of the corresponding form or tab to be saved to the database until the field or box, represented by the lookup definition, is supplied with data.

Group

The name of the Oracle Identity Manager or user-defined form on which the lookup definition is to be displayed.


The following sections describe how to create a lookup definition.

7.3.1 Creating a Lookup Definition

To create a lookup definition:

  1. Open the Lookup Definition form.

  2. In the Code field, enter the name of the lookup definition.

  3. In the Field field, enter the name of the table column of the Oracle Identity Manager or user-created form or tab, from which the text field, lookup field, or box field will be accessible.

  4. If the lookup definition is to represent a lookup field or box, select the Lookup Type option.

    If the lookup definition is to represent a text field, select the Field Type option.

  5. Optional. To save the contents of this form or tab only when the field or box represented by the lookup definition is supplied with data, select the Required check box. Otherwise, go to Step 6.

  6. In the Group field, enter the name of the Oracle Identity Manager or user-defined form on which the lookup definition is displayed.

    You must follow naming conventions for the text you enter into the Code, Field, and Group fields.

    See Also:

    See "Lookup Definition Form" for more information about naming conventions.

  7. Click Save.

    The lookup definition is created. The associated text field, lookup field, or box will be displayed in the Oracle Identity Manager or user-defined form or tab you specified.

7.3.2 Lookup Code Information Tab

The Lookup Code Information tab is in the lower half of the Lookup Definition form. You use this tab to create and manage detailed information about the selected lookup definition. This information includes the names, descriptions, language codes, and country codes of a value pertaining to the lookup definition. These items are known as lookup values.

The following procedures show how to create, modify, and delete a lookup value.

7.3.2.1 Creating and Modifying a Lookup Value

To create or modify a lookup value:

Note:

For internationalization purposes, you must provide both a language code and a country code for a lookup value.

When creating a new lookup definition, you must save it before adding lookup values to it.

  1. Open the Lookup Definition form.

  2. Access a lookup definition.

  3. If you are creating a lookup value, click Add.

    A blank row is displayed in the Lookup Code Information tab.

    If you are modifying a lookup value, select the lookup value that you want to edit.

  4. Add or edit the information in the Code Key field.

    This field contains the name of the lookup value.

    In addition, if the Lookup Type option is selected, this field also represents what is displayed in the lookup field or box once the user makes a selection.

  5. Add or edit the information in the Decode field.

    This field contains a description of the lookup value.

    If the Lookup Type option is selected, this field also represents one of the following:

    • The items that are displayed in a lookup window after the user double-clicks the corresponding lookup field

    • The commands that are to be displayed in the associated box

  6. Add or edit the information in the Language field.

    This field contains a two-character language code for the lookup value.

  7. Add or edit the information in the Country field.

    This field contains the lookup value's two-character country code.

  8. Click Save.

    The lookup value you created or modified now reflects the settings you have entered.

7.3.2.2 Deleting a Lookup Value

To delete a lookup value:

  1. Open the Lookup Definition form.

  2. Search for a lookup definition.

  3. Select the lookup value that you want to remove.

  4. Click Delete. The selected lookup value is deleted.

7.4 User Defined Field Definition Form

You might want to augment the fields that Oracle Identity Manager provides by default. You can create new fields and add them to various Oracle Identity Manager forms. These fields are known as user-defined fields.

User-defined fields are displayed on the User Defined Fields tab of the form that is displayed in the Form Name data field. For example, Figure 7-3 shows an Access Code Number user-defined field added to the User Defined Fields tab of the Organizations form.

The User Defined Field Definition form shown in Figure 7-3 is displayed in the Design Console Administration folder. You use this form to create and manage user-defined fields for the Organizations, Users, Requests, Resource Objects, User Groups, and Form Designer forms.

Figure 7-3 User Defined Field Definition Form


Table 7-3 describes the data fields of the User Defined Field Definition form.

Table 7-3 Fields of the User Defined Field Definition Form

Field Name Description

Form Name

The name of the form that contains the user-defined fields. These fields are displayed in the User Defined Columns tab.

Note: Because the user-defined fields for a user pertain to the user's profile information, they are displayed in the User Profile tab of the Users form.

Description

Additional information about the user-defined field.

Auto Pre-Population

This check box designates whether user-defined fields on a form that have prepopulate adapters attached to them are populated by Oracle Identity Manager or by a user.

Select the Auto Pre-Population check box if these fields are populated by Oracle Identity Manager.

Deselect this check box if these fields must be populated by a user by clicking the Pre-Populate button on the toolbar or by manually entering the data.

Note: This setting does not control triggering of the prepopulate adapter. It only determines whether the contents resulting from execution of the adapter are entered in the associated user-defined field or fields automatically by Oracle Identity Manager or by a user.

For more information about prepopulate adapters, see Oracle Identity Manager Tools Reference.

Note: This check box is relevant only if you have created a user-defined field, and a prepopulate adapter is associated with that field.


The following section describes how to select a target form for user-defined fields.

7.4.1 Selecting the Target Form for a User-Defined Field

To select the target form for a user-defined field:

  1. Open the User Defined Field Definition form.

  2. Double-click the Form Name lookup field.

    From the Lookup window that is displayed, select the Oracle Identity Manager form (Organizational Defaults, Policy History, Group Entitlements, Resource Objects, or Form Designer) that will display the user-defined field you will be creating.

  3. Click Query.

    The form to which you will be adding the user-defined field is selected.

7.4.2 Tabs on the User Defined Field Definition Form

After you start the User Defined Field Definition form and select a target form for the user-defined fields, the tabs of this form become functional.

The User Defined Field Definition form contains the following tabs:

Each of these tabs is covered in greater detail in the sections that follow.

7.4.2.1 User Defined Columns Tab

You use this tab to do the following:

  • Create a user-defined field.

  • Set the variant type, length, and field type for the user-defined field.

  • Specify the order in which the user-defined field is displayed on the User Defined Fields tab of the target form.

    The field's order number determines the order in which a user-defined field is displayed on a form. In Figure 7-4, the Access Code Number user-defined field has an order number of 1, so it is displayed first on the User Defined Fields tab of the Organizations form.

  • Determine if the information that is associated with the user-defined field is encrypted when it is exchanged between the client and the server.

  • Remove a user-defined field.

Figure 7-4 shows the User Defined Columns tab of the User Defined Field Definition Form.

Figure 7-4 User Defined Columns Tab of the User Defined Field Definition Form


The following sections describe how to add a user-defined field to an Oracle Identity Manager form, and remove a user-defined field from an Oracle Identity Manager form.

Adding a User-Defined Field to an Oracle Identity Manager Form

To add a user-defined field:

  1. Click Add.

    The User Defined Fields dialog box is displayed, as shown in Figure 7-5.

    Figure 7-5 User Defined Fields Dialog Box


    Table 7-4 describes the fields in the User Defined Fields dialog box.

    Table 7-4 Fields of the User Defined Fields Dialog Box

    Field Name Description

    Label

    The label for the user-defined field. This label is displayed next to the user-defined field on the User Defined Fields tab of the target form.

    The maximum length for a label is 30 characters.

    Data Type

    From this box, select one of the following data types for the user-defined field:

    • String. A user can enter a series of alphanumeric characters in this field.

    • Date. When a user double-clicks this field, the Date and Time dialog box is displayed.

    • Integer. A user can enter a number without a decimal point (for example, 3) in this user-defined field.

    • Boolean. A user can enter two values into this field: True (1) or False (0).

    • Double. A user can enter a double-precision floating-point number (or a double number) in this field.

    Field Size

    The Field Size text field is enabled only for the String data type.

    In this field, enter the maximum number of characters that a user can enter in the field.

    Field Type

    From this box, select one of the following field types for the user-defined field:

    • Text Field. The field is displayed on the User Defined Fields tab of the target form as a text field.

    • Lookup Field. The field is displayed on the User Defined Fields tab of the target form as a lookup field.

    • Combo Box. The field is displayed on the User Defined Fields tab of the target form as a box.

    • Text Area. The field is displayed on the User Defined Fields tab of the target form as a text area.

    • Password Field. The field is displayed on the User Defined Fields tab of the target form as a text field. From this text field, a user can either query for an encrypted password (it is displayed as a series of asterisks [*]), or populate the field with an encrypted password, and save it to the database.

    • Check Box. The field is displayed on the User Defined Fields tab of the target form as a check box.

    • Date Field with Dialog. This field is displayed on the User Defined Fields tab of the target form as a lookup field. Once the user double-clicks this lookup field, a Date & Time window is displayed. Oracle Identity Manager will then populate the data field with the date and time that the user selects from this window.

    Note: The field types that are displayed in this box reflect the data type that is displayed in the Data Type box.

    Column Name

    The name of the user-defined field that is recognized by the database.

    Note: This name consists of the Table Name of the target form followed by _UDF_ (that is, a TABLE_NAME_UDF_ prefix), followed by the label that is associated with the user-defined field.

    For example, if the Table Name field of the Organizations form is ACT, and the name for the data field is ACN, the name of the user-defined field, which the database recognizes, would be ACT_UDF_ACN.

    Note: The name in Column Name field cannot contain any spaces.

    Default Value

    This value is displayed in a user-defined field on the target form. Oracle recommends that you do not specify default values for passwords and encrypted fields.

    Encrypted

    This check box determines if the information that is displayed in the associated user-defined field is encrypted when it is exchanged between the client and the server.

    Select this check box to encrypt the information displayed in the user-defined field.

    Deselect this check box to not encrypt the information in the user-defined field.

    Sequence

    This field represents the order in which the user-defined field is displayed on the form. For example, if a 2 is displayed in the Sequence field, it is displayed below the user-defined field with a sequence number of 1.


  2. Set the parameters for the user-defined field you are adding to a form, as shown in Figure 7-6.

    Figure 7-6 User Defined Fields Dialog Box - Filled


    In Figure 7-6, the Access Code Number user-defined field is displayed first on the User Defined Fields tab of the Organizations form. The data type of this field is String, and a user can enter up to 25 characters into it.

  3. From this window, click Save.

  4. Click Close.

    The user-defined field is displayed in the User Defined Columns tab. Once the target form is started, this user-defined field usually is displayed in the User Defined Fields tab of that form. Because the user-defined fields for a user pertain to the user's profile information, they are displayed in the User Profile tab of the Users form.
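The User Defined Fields dialog box described above imposes several constraints at once: a label of at most 30 characters, a column name that starts with the target form's Table Name plus _UDF_ and contains no spaces, a Field Size that applies only to the String data type, and no default value on password or encrypted fields. The following Python helper is an added example, not code from this guide or from Oracle Identity Manager; it checks a definition against those stated constraints before it is entered in the dialog. The data type and field type names are those listed in Table 7-4; the class and function names, and the ACT/ACN sample that mirrors the Access Code Number example, are assumptions made for this illustration.

```python
"""Consistency check for a user-defined field (UDF) definition.

Added example, not part of the Oracle documentation or product. It encodes
only the constraints the dialog box description states; names below are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

DATA_TYPES = {"String", "Date", "Integer", "Boolean", "Double"}
FIELD_TYPES = {"Text Field", "Lookup Field", "Combo Box", "Text Area",
               "Password Field", "Check Box", "Date Field with Dialog"}
MAX_LABEL_LENGTH = 30


@dataclass
class UdfDefinition:
    table_name: str                     # Table Name of the target form, e.g. ACT
    label: str                          # label shown next to the field on the target form
    column_name: str                    # name the database recognises
    data_type: str
    field_type: str
    field_size: Optional[int] = None    # enabled only for the String data type
    default_value: Optional[str] = None
    encrypted: bool = False
    sequence: int = 1                   # display order on the User Defined Fields tab


def udf_prefix(table_name: str) -> str:
    """Column names of UDFs on a form start with <TABLE NAME>_UDF_."""
    return f"{table_name}_UDF_"


def validate_udf(udf: UdfDefinition) -> List[str]:
    """Return the list of constraint violations; an empty list means the definition is consistent."""
    problems: List[str] = []
    if not udf.label or len(udf.label) > MAX_LABEL_LENGTH:
        problems.append(f"label must be 1 to {MAX_LABEL_LENGTH} characters")
    if udf.data_type not in DATA_TYPES:
        problems.append(f"unknown data type {udf.data_type!r}")
    if udf.field_type not in FIELD_TYPES:
        problems.append(f"unknown field type {udf.field_type!r}")
    prefix = udf_prefix(udf.table_name)
    if not udf.column_name.startswith(prefix) or len(udf.column_name) == len(prefix):
        problems.append(f"column name must be {prefix} followed by the field name")
    if " " in udf.column_name:
        problems.append("column name cannot contain spaces")
    if udf.data_type == "String":
        if udf.field_size is None or udf.field_size <= 0:
            problems.append("String fields need a positive Field Size")
        elif udf.default_value is not None and len(udf.default_value) > udf.field_size:
            problems.append("default value is longer than Field Size")
    elif udf.field_size is not None:
        problems.append("Field Size is enabled only for the String data type")
    if udf.default_value is not None and (udf.encrypted or udf.field_type == "Password Field"):
        problems.append("do not specify a default value for password or encrypted fields")
    if udf.sequence < 1:
        problems.append("sequence must be 1 or greater")
    return problems


# Constructed sample mirroring the Access Code Number field on the Organizations form (table ACT).
ACCESS_CODE_NUMBER = UdfDefinition(
    table_name="ACT", label="Access Code Number", column_name="ACT_UDF_ACN",
    data_type="String", field_type="Text Field", field_size=25, sequence=1)

if __name__ == "__main__":
    for line in validate_udf(ACCESS_CODE_NUMBER) or ["definition is consistent"]:
        print(line)
```

Run it as a script to check the sample, or import validate_udf and feed it definitions read from your own change tickets; the check for default values on encrypted and password fields is the one most worth automating, since a default in such a field silently ends up in the database.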

Removing a User-Defined Field from an Oracle Identity Manager Form

To remove a user-defined field:

  1. Select the desired user-defined field.

  2. Click Delete.

    The user-defined field is removed.

7.4.2.2 Properties Tab

You use this tab to assign properties and property values to the data fields that are displayed on the User Defined Fields tabs of various Oracle Identity Manager forms.

For this example, the User Defined Fields tab of the Requests form displays one data field: Issue Tracking Item. This data field contains the following properties:

  • Required, which determines whether or not the data field must be populated for the Requests form to be saved. The default property value for the Required property is false.

  • Visible Field, which determines whether or not the data field is displayed on the Requests form. The default property value for the Visible Field property is true.

Because the property values for the Required and Visible Field properties are true for this data field, once the Requests form is started, the Issue Tracking Item data field is displayed in the User Defined Fields tab. In addition, this field must be populated for the form to be saved.

Figure 7-7 shows the Properties tab of the User Defined Field Definition form.

Figure 7-7 Properties Tab of the User Defined Field Definition Form


The following section describes how to add and remove a property and property value to a data field.

See Also:

See "Form Designer Form" for more information about how to add a property and property value to a data field, or remove a property and property value from a data field

7.4.2.3 Administrators Tab

Figure 7-8 shows the Administrators tab of the User Defined Field Definition form.

Figure 7-8 Administrators Tab of the User Defined Field Definition Form


You use this tab to specify the user groups that have administrative privileges over the current record of the User Defined Field Definition form. The Write and Delete check boxes on this form designate if these administrative groups can modify, delete, or modify and delete information about the current user-defined field (UDF) definition.

The following sections describe how to assign administrative privileges to a user group for a UDF definition, and remove administrative privileges from a user group for a UDF definition.

Assigning Administrative Privileges to a User Group for a UDF Definition

To assign administrative privileges to a user group for a UDF definition:

  1. Click Assign.

    The Assignment dialog box is displayed.

  2. Select the user group, and assign it to the UDF definition.

  3. Click OK.

    The user group is displayed in the Administrators tab.

  4. To enable this user group to view and modify information pertaining to the current definition, double-click the corresponding Write check box. Otherwise, go to Step 5.

  5. To enable this user group to delete information in the current definition, double-click the associated Delete check box. Otherwise, go to Step 6.

  6. Click Save.

    The user group is assigned to the UDF definition.

Removing Administrative Privileges from a User Group for a UDF Definition

To remove administrative privileges:

  1. Select the user group that you want to remove.

  2. Click Delete.

    The user group is removed from the UDF definition. Its members no longer have administrative privileges for the definition.

7.5 System Configuration Form

The System Configuration form, as shown in Figure 7-9, is in the Design Console Administration folder. You use this form to define and set the value of properties that control the actions of Oracle Identity Manager. You can specify the users and user groups that a property value applies to, or you can specify that a property value applies to all users.

Figure 7-9 System Configuration Form


Table 7-5 describes the data fields of this form.

Table 7-5 Fields of the System Configuration Form

Field Name Description

Key

The system-generated ID for one instance of the property definition. There can be more than one instance of a definition, for example, one for system administrators and another for all users.

System

This check box designates if this instance of the property definition applies to all users in Oracle Identity Manager, that is, it is a systemwide instance, or only to selected users and user groups.

Select this check box to apply this setting to all users. The Users and Groups tabs will be grayed out.

Deselect this check box to specify that an instance of the property applies to certain users and groups.

Note: The System check box is grayed out if the Server option is selected.

Client

Client/Server

Server

(Radio buttons)

These options determine if this instance of the property definition applies to the client, the server, or both.

Select the Client option to apply property value only to the client.

Select the Client/Server option to apply the property value to both the client and server.

Select the Server option to apply the property value only to the server. Selecting this option disables the System check box. Systemwide settings do not apply to the server.

Name

The name of the property. This should be an intuitive description of what the property controls. It does not need to be unique.

Keyword

The property's unique ID.

This must be identical for each instance of this property. For example, if you want to set the Record Read Limit property (the maximum number of records a user's query retrieves) differently for two separate users, you must create two instances of this property definition.

Note: For more information about the various properties you can set for the client and server, see "Rule Elements, Variables, Data Types, and System Properties" in Oracle Identity Manager Reference.

Value

The value for this instance of the property definition. This value is applied to the users and groups assigned to this instance of the property unless the System check box is selected, denoting that the instance applies to all users.


The following sections describe how to define instances of property definitions, assign users or groups to these instances, and remove the user or group from this instance.
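Table 7-5 describes several rules that are easy to get wrong when a property has many instances: every instance must carry the same Keyword and Name, an instance scoped to the Server cannot be systemwide, and a non-system instance that is assigned to nobody has no effect. The following Python model is an added example, not code from this guide or from Oracle Identity Manager; it checks a set of instances for those rules and resolves the value that applies to a given user. The precedence it applies (an instance assigned to the user or one of the user's groups wins over the systemwide instance, and more than one matching specific instance is reported as ambiguous) is an assumption of this example, as are the class and function names and the constructed XL.READ_LIMIT instances, which reuse the Record Read Limit example and the IT DEPARTMENT and HR DEPARTMENT groups mentioned earlier in this chapter.

```python
"""Consistency check and value resolution for System Configuration property instances.

Added example, not part of the Oracle documentation or product; the
precedence rule in resolve() is an assumption made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SCOPES = {"Client", "Client/Server", "Server"}   # the three radio buttons


@dataclass
class PropertyInstance:
    keyword: str                        # unique property ID, e.g. XL.READ_LIMIT
    name: str                           # descriptive name, e.g. Record Read Limit
    value: str
    scope: str = "Client/Server"
    system: bool = False                # True: the System check box is selected
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)


def check_instances(instances: List[PropertyInstance]) -> List[str]:
    """Return the rule violations found across all instances."""
    problems: List[str] = []
    names_by_keyword: Dict[str, Set[str]] = {}
    for inst in instances:
        names_by_keyword.setdefault(inst.keyword, set()).add(inst.name)
        if inst.scope not in SCOPES:
            problems.append(f"{inst.keyword}: unknown scope {inst.scope!r}")
        if inst.scope == "Server" and inst.system:
            problems.append(f"{inst.keyword}: systemwide settings do not apply to the server")
        if not inst.system and not inst.users and not inst.groups:
            problems.append(f"{inst.keyword}: instance applies to no user or group")
    for keyword, names in names_by_keyword.items():
        if len(names) > 1:
            problems.append(f"{keyword}: instances disagree on Name {sorted(names)}")
    return problems


def resolve(instances: List[PropertyInstance], keyword: str,
            user: str, memberships: Set[str]) -> Optional[str]:
    """Value of `keyword` for `user`, given the groups the user belongs to.

    Assumption: a specific instance assigned to the user or one of the user's
    groups takes precedence over the systemwide instance; several matching
    specific instances are ambiguous and raise ValueError.
    """
    specific = [i for i in instances
                if i.keyword == keyword and not i.system
                and (user in i.users or memberships & i.groups)]
    if len(specific) > 1:
        raise ValueError(f"{keyword}: {len(specific)} instances match {user}")
    if specific:
        return specific[0].value
    for inst in instances:
        if inst.keyword == keyword and inst.system:
            return inst.value
    return None


# Constructed sample: a systemwide read limit plus a higher limit for one group.
SAMPLE_INSTANCES = [
    PropertyInstance("XL.READ_LIMIT", "Record Read Limit", "200", system=True),
    PropertyInstance("XL.READ_LIMIT", "Record Read Limit", "500",
                     groups={"HR DEPARTMENT"}),
]

if __name__ == "__main__":
    print(check_instances(SAMPLE_INSTANCES) or "no problems")
    print(resolve(SAMPLE_INSTANCES, "XL.READ_LIMIT", "jdoe", {"IT DEPARTMENT"}))
    print(resolve(SAMPLE_INSTANCES, "XL.READ_LIMIT", "asmith", {"HR DEPARTMENT"}))
```

The check for unassigned non-system instances is the useful one for audits: such an instance looks like a configured limit in the form but applies to nobody, so the systemwide value is what users actually get.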

7.5.1 Creating and Editing an Instance of a Property Definition

To create a new instance or edit an existing instance of a property definition:

  1. Go to the System Configuration form.

  2. If you are creating a new instance of a property definition, then click New on the toolbar.

    Ensure that the values in the Name and Keyword fields are the same for all instances of this property definition, for example, Record Read Limit, XL.READ_LIMIT.

    Note:

    Oracle recommends that you copy these values from the other instances of this property definition to minimize the errors.

    If you are editing an existing instance of a property definition, then query for the property definition.

  3. Select the Client, Client/Server, or Server option.

  4. Determine whether you want this instance of the property definition to apply to all users or only to selected users and user groups by selecting or deselecting the System check box.

    Note:

    If you selected the Server option in Step 3, then the System check box will be grayed out. If this is the case, then go to Step 5.

  5. Enter the desired value in the Value field.

    This will be the value of the property for this instance of the definition.

  6. Click Save.

    The instance of the property definition is created or modified.

7.5.2 Assigning a User or Group to an Instance of a Property Definition

To assign a user or group to an instance of a property definition:

Note:

If this is a systemwide instance (that is, the System check box is selected), it will be applied to all users and groups. As a result, you do not need to assign it to a particular user or group.

  1. Go to the System Configuration form.

  2. Query for the instance of the property definition you want to assign to a user or group.

    See Also:

    See the "Rule Elements, Variables, Data Types, and System Properties" section in Oracle Identity Manager Reference for more information about how to add a property and property value to a data field, or remove a property and property value from a data field.

  3. Select the Client, Client/Server, or Server option, depending on whether the instance of this property definition will apply to the client only, both the client and the server, or just the server.

  4. To assign the property instance to one or more users, click the Users tab. Otherwise, to assign the property instance to one or more user groups, click the Groups tab.

  5. Click Assign.

    The Assignment dialog box is displayed.

  6. Select and assign the desired users or groups and then, click OK.

  7. Click Save.

    The instance of the property definition is assigned to the users or groups you selected in Step 6.

7.5.3 Removing a User or Group from an Instance of a Property Definition

When you remove a user or group from an instance of a property definition, the property is no longer associated with the user or group.

To remove a user or group from an instance of a property definition:

  1. Go to the System Configuration form.

  2. Query for the instance of the property definition from which you want to remove a user or group.

  3. Select the desired user or group (from the Users or Groups tab, respectively).

  4. Click Delete.

    The user or group is removed from the instance of the property definition.

7.6 Remote Manager Form

The Remote Manager is a lightweight network server that enables you to integrate with target systems whose APIs cannot communicate over a network, or that have network awareness but are not secure. The Remote Manager works as a server on the target system, and an Oracle Identity Manager server works as its client. The Oracle Identity Manager server sends a request for the Remote Manager to instantiate the target system APIs on the target system itself, and invokes methods on its behalf.

The Remote Manager form shown in Figure 7-10 is in the Design Console Administration folder. It displays the following:

Figure 7-10 Remote Manager Form


For this example, you can define two remote managers that can communicate with Oracle Identity Manager: Australia Server and UKSERVER.

The Australia Server remote manager has an IP address of 215.0.255.192. Although it can handshake with Oracle Identity Manager, the remote server is unavailable because the Running check box is deselected. Lastly, the IT Resource check box is selected, signifying that this remote manager represents an IT resource or resources that can be used by Oracle Identity Manager.

The UKSERVER remote manager has an IP address of 192.168.0.45. Because the Running check box is selected, the remote server is operable. However, because the IT Resource check box is deselected, this remote manager does not represent an IT resource or resources that Oracle Identity Manager can use.

See Also:

See Oracle Identity Manager Tools Reference for information about how the Remote Manager form is used with other Oracle Identity Manager forms

7.7 Password Policies Form

The Password Policies form is in the Design Console Administration/Policies folder. You can use this form to:

Figure 7-11 shows the Password Policies form.

Figure 7-11 Password Policies Form

password policies form
Description of "Figure 7-11 Password Policies Form"

To create a password policy, you must first enter the required values in the following fields of the Password Policies form:

The following sections provide more information about using the Password Policy form:

7.7.1 Creating a Password Policy

To create a password policy:

  1. Open the Password Policies form.

  2. In the Policy Name field, enter the name of the password policy.

  3. In the Policy Description field, enter a short description of the password policy.

  4. Click Save.

Note:

  • A password policy is not applied during the creation of an OIM user through trusted reconciliation.

  • After you create a password policy, it must be supplied with criteria and associated with a resource. To supply your password policy with criteria, use the Policy Rules tab of this form. To associate your password policy with a resource, use the Password Policies Rule tab of the Resource Object form to create a password policy and rule combination that will be evaluated when accounts are created or updated on the resource. The password policy will then be applied when the criteria for the rule are met. Each password policy can be used by multiple resources.

7.7.2 Tabs on the Password Policies Form

The tabs in this form become functional after you create a password policy. The following sections discuss these tabs:

7.7.2.1 Policy Rules Tab

You use the Policy Rules tab to specify criteria for your password policy, for example, the minimum and maximum length of passwords.

You can use either or both of the following methods to set password restrictions:

  • Enter information in the appropriate fields, or select the required check boxes. For example, to indicate that a password must have a minimum length of four characters, enter 4 in the Minimum Length field.

  • In the Password File field, enter the directory path and name of the password policy file (for example, c:\xellerate\userlimits.txt). This file contains predefined terms that you do not want to be used as passwords. The delimiter specified in the Password File Delimiter field separates these terms.

Figure 7-11 shows the Policy Rules tab of the Password Policies form.

Table 7-6 describes the data fields on the Policy Rules tab. You specify the password policy criteria in these fields.

Note:

If a data field is empty, then passwords do not have to meet the criterion of that field to be valid. For example, when the Minimum Numeric Characters field is blank, Oracle Identity Manager accepts a password regardless of how many digits it contains.

Table 7-6 Fields of the Policy Rules Tab of the Password Policies Form

Field Name Description

Minimum Length

The minimum number of characters that a password must contain for the password to be valid.

For example, if you enter 4 in the Minimum Length field, then the password must contain at least four characters.

This field accepts values from 0 to 999.

Expires After Days

The duration in days for which users can use a password.

For example, if you enter 30 in the Expires After Days field, then users must change their passwords within 30 days of the password being created or last modified.

Note: After the number of days specified in the Expires After Days field passes, a message is displayed asking the user to change the password.

This field accepts values from 0 to 999.

Disallow Last Passwords

The number of most recently used passwords that a user cannot reuse. This ensures that users do not cycle back and forth among a small set of passwords.

For example, if you enter 10 in the Disallow Last Passwords field, then a user can reuse a password only after having used 10 other unique passwords.

To disable this option, you can enter 0 in the Disallow Last Passwords field.

This field accepts values from 0 to 999.

Minimum Password Age

The duration in days for which users must keep a password before changing it. This is to prevent users from entering a new password and then immediately reverting to the previous password.

For example, if you enter 15 in the Minimum Password Age field, then users cannot change their passwords until 15 days have passed since the last change.

This field accepts values from 0 to 999.

Warn After (Days)

The number of days that must pass before a user is notified that the user's password will expire on a designated date.

For example, suppose you enter 30 in the Expires After Days field and 20 in the Warn After (Days) field, and the password is created on November 1. On November 21, the user is informed that the password will expire on December 1.

This field accepts values from 0 to 999.


On the Policy Rules tab of the Password Policies form, you can configure either a complex password policy or a custom password policy. If you select the Complex Password option, then the Custom Policy fields cannot be used, and passwords are evaluated against the fixed complex password criteria listed in the Complex Password section.

The remaining fields in the Policy Rules tab are discussed in the following sections:

Complex Password

The following are the complex password criteria:

  • The password is at least six characters long. This password length overrides the Minimum Length field if the value entered in the Minimum Length field is less than 6. For example, if you enter 2 in the Minimum Length field, at least six characters will be required for the password because it must have at least six characters according to the complex password criteria.

  • The password must contain characters from at least three of the following five categories:

    • English uppercase characters (A - Z)

    • English lowercase characters (a - z)

    • Base 10 digits (0 - 9)

    • Non-alphanumeric characters (for example: !, $, #, or %)

    • Unicode characters

  • The password cannot contain three or more consecutive characters from the user name.

    When checking against the user's full name, characters such as commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs are treated as delimiters that separate the name into individual character sets. Each character set that has three or more characters is searched in the password. If the character set is present in the password, then the password change is rejected. For example, the name John Richard-Doe is split into three character sets: John, Richard, and Doe. This user cannot have a password that consists of three continuous characters from either John or Richard or Doe anywhere in the password. However, the password can contain the substring d-D because the hyphen (-) is treated as the delimiter between the substrings Richard and Doe. In addition, the search for character sets in the password is not case-sensitive.

Note:

If the user's full name is less than three characters in length, then the password is not checked against it because the rate at which passwords will be rejected is too high.
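The Complex Password criteria as a checker, added here as an example (it is not Oracle Identity Manager code). The length override, the five character categories, the delimiter list and the case-insensitive search for three-character runs of each name fragment follow the text above. Treating "Unicode characters" as any non-ASCII character, and the function names, are assumptions of the example.

```python
"""Complex Password criteria of the Policy Rules tab.

Added example, not Oracle Identity Manager code.
"""
import re
from typing import List, Tuple

# Commas, periods, dashes or hyphens, underscores, spaces, pound signs and tabs
# split the user's full name into character sets.
NAME_DELIMITERS = ",.-_ #\t"


def character_categories(password: str) -> int:
    """How many of the five categories the password draws characters from."""
    categories = [
        any("A" <= c <= "Z" for c in password),                  # English uppercase
        any("a" <= c <= "z" for c in password),                  # English lowercase
        any("0" <= c <= "9" for c in password),                  # base-10 digits
        any(c.isascii() and not c.isalnum() for c in password),  # non-alphanumeric
        any(not c.isascii() for c in password),                  # Unicode (assumption: non-ASCII)
    ]
    return sum(categories)


def name_fragments(full_name: str) -> List[str]:
    """Split the name on the delimiters; keep only fragments of three or more characters."""
    parts = re.split("[" + re.escape(NAME_DELIMITERS) + "]+", full_name)
    return [p.lower() for p in parts if len(p) >= 3]


def contains_name_run(password: str, full_name: str) -> bool:
    """True if any three consecutive characters of a name fragment occur in the password.
    Names shorter than three characters are not checked at all (per the Note)."""
    if len(full_name) < 3:
        return False
    lowered = password.lower()          # the search is not case-sensitive
    for fragment in name_fragments(full_name):
        for i in range(len(fragment) - 2):
            if fragment[i:i + 3] in lowered:
                return True
    return False


def check_complex_password(password: str, full_name: str,
                           minimum_length: int = 0) -> Tuple[bool, List[str]]:
    """Evaluate the three complex criteria; return (accepted, reasons)."""
    reasons = []
    required = max(6, minimum_length)   # six characters override a smaller Minimum Length
    if len(password) < required:
        reasons.append(f"shorter than {required} characters")
    if character_categories(password) < 3:
        reasons.append("uses fewer than three of the five character categories")
    if contains_name_run(password, full_name):
        reasons.append("contains three or more consecutive characters of the user's name")
    return not reasons, reasons
```

For the user John Richard-Doe from the text, check_complex_password("Xd-D99qz!", "John Richard-Doe") is accepted because the hyphen separates Richard and Doe, while "Rich@rd9" is rejected for containing "ric".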

Custom Policy

If you select the Custom Policy option, then you can set a custom password policy by using the fields listed in Table 7-7.

Table 7-7 Fields of the Policy Rules Tab for Setting Custom Password Policy

Field Name Description

Maximum Length

The maximum number of characters that a password can contain.

For example, if you enter 8 in the Maximum Length field, then a password is not accepted if it has more than eight characters.

This field accepts values from 1 to 999.

Maximum Repeated Characters

The maximum number of times a character can be repeated in a password.

For example, if you enter 2 in the Maximum Repeated Characters field, then a password is not accepted if any character is repeated more than two times. For example, RL112211 would not be a valid password because the character 1 is repeated three times.

Note: In this example, there are four instances of the character 1, which means that it is repeated three times.

This field accepts values from 1 to 999.

Minimum Numeric Characters

The minimum number of digits that a password must contain.

For example, if you enter 1 in the Minimum Numeric Characters field, then a password must contain at least one digit.

This field accepts values from 0 to 999.

Minimum Alphanumeric Characters

The minimum number of letters or digits that a password must contain.

For example, if you enter 6 in the Minimum Alphanumeric Characters field, then a password must contain at least six letters or numbers.

This field accepts values from 0 to 999.

Minimum Unique Characters

The minimum number of nonrepeating characters that a password must contain.

For example, if you enter 1 in the Minimum Unique Characters field, then a password is accepted if at least one character in the password is not repeated. For example, 1a23321 would be a valid password because the character a in the password is not repeated although the remaining characters are repeated.

This field accepts values from 0 to 999.

Minimum Alphabet Characters

The minimum number of letters that a password must contain.

For example, if you enter 2 in the Minimum Alphabet Characters field, then the password is not accepted if it has less than two letters.

This field accepts values from 0 to 999.

Special Characters: Minimum

The minimum number of non-alphanumeric characters (for example, #, %, or &) that a password must contain.

For example, if you enter 1 in the Special Characters: Minimum field, then a password must have at least one non-alphanumeric character.

This field accepts values from 0 to 999.

Special Characters: Maximum

The maximum number of non-alphanumeric characters that a password can contain.

For example, if you enter 3 in the Special Characters: Maximum field, then a password is not accepted if it contains more than three non-alphanumeric characters.

This field accepts values from 1 to 999.

Minimum Uppercase Characters

The minimum number of uppercase letters that a password must contain.

For example, if you enter 8 in the Minimum Uppercase Characters field, then a password is not accepted if it contains fewer than eight uppercase letters.

This field accepts values from 0 to 999.

Minimum Lowercase Characters

The minimum number of lowercase letters that a password must contain.

For example, if you enter 8 in the Minimum Lowercase Characters field, then a password is not accepted if it has less than eight lowercase letters.

This field accepts values from 0 to 999.

Unicode Characters: Minimum

The minimum number of Unicode characters that a password must contain.

For example, if you enter 3 in the Unicode Characters: Minimum field, then the password is not accepted if it has less than three Unicode characters.

This field accepts values from 0 to 999.

Unicode Characters: Maximum

The maximum number of Unicode characters that a password can contain.

For example, if you enter 8 in the Unicode Characters: Maximum field, then a password is not accepted if it has more than eight Unicode characters.

This field accepts values from 1 to 999.

Characters Required

The characters that a password must contain.

For example, if you enter x in the Characters Required field, then a password is accepted only if it contains the character x.

Any character that you specify in the Characters Required field must also be listed in the Characters Allowed field.

Characters Not Allowed

The characters that a password must not contain.

For example, if you enter an exclamation point (!) in the Characters Not Allowed field, then a password is not accepted if it contains an exclamation point.

Characters Allowed

The characters that a password can contain.

For example, if you enter the percent sign (%) in the Characters Allowed field, then a password is accepted if it contains a percent sign.

Note: The password is valid if it contains only the characters specified in the Characters Allowed field.

If you specify the same character in the Characters Allowed and Characters Not Allowed fields, then an error message is returned when you create the password policy.

Substrings Not Allowed

A series of consecutive alphanumeric characters that a password must not contain.

For example, if you enter IBM in the Substrings Not Allowed field, then a password is not accepted if it contains the letters I, B, and M, in successive order.

Start With Alphabet

The letters with which a password must begin.

For example, if you specify the character a in the Start With Alphabet field, then a password is accepted only if it starts with the character a.

Disallow User ID

This check box specifies if the user ID will be accepted as the whole password or as part of the password.

When this check box is selected, a password will not be valid if the user ID is entered in the Password field.

If you deselect this check box, then the password will be accepted, even if it contains the user ID.

Disallow First Name

This check box specifies if the user's first name will be accepted as the whole password or as part of the password.

When this check box is selected, a password will not be valid if the user's first name is entered in the Password field.

If you deselect this check box, then the password will be accepted, even if it contains the user's first name.

Disallow Last Name

This check box specifies if the user's last name will be accepted as the whole password or as part of the password.

When this check box is selected, a password will not be valid if the user's last name is entered in the Password field.

If you deselect this check box, then the password is accepted, even if it contains the user's last name.

Password File

The path and name of a file that contains predefined terms, which are not allowed as passwords.

Note: If settings on the Policy Rules tab differ from the specifications in the password file, then Oracle Identity Manager will use the settings on the Policy Rules tab.

Password File Delimiter

The delimiter character used to separate terms in the password file.

For example, if a comma (,) is entered in the Password File Delimiter field, then the terms in the password file will be separated by commas.
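An evaluator for a Custom Policy built from the fields of Tables 7-6 and 7-7, added here as an example (it is not Oracle Identity Manager code). It reproduces the tables' own cases (RL112211 rejected with Maximum Repeated Characters 2, 1a23321 accepted with Minimum Unique Characters 1, IBM as a forbidden substring) and raises the two policy-definition errors the table describes (a character both allowed and not allowed; a required character missing from Characters Allowed). Assumptions of the example: the CustomPolicy class and evaluate() function are its own; "alphabet" means ASCII letters and "Unicode" means non-ASCII characters; substring and password-file matches are exact, while user ID and name matches are case-insensitive; and the password file is supplied as its text rather than read from a path such as c:\xellerate\userlimits.txt.

```python
"""Custom Policy evaluator for the Policy Rules tab (Tables 7-6 and 7-7).

Added example, not Oracle Identity Manager code. None or "" means the field
is blank and the rule is not enforced (see the Note before Table 7-6).
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CustomPolicy:
    minimum_length: Optional[int] = None
    maximum_length: Optional[int] = None
    maximum_repeated_characters: Optional[int] = None
    minimum_numeric: Optional[int] = None
    minimum_alphanumeric: Optional[int] = None
    minimum_unique: Optional[int] = None
    minimum_alphabet: Optional[int] = None
    special_minimum: Optional[int] = None
    special_maximum: Optional[int] = None
    minimum_uppercase: Optional[int] = None
    minimum_lowercase: Optional[int] = None
    unicode_minimum: Optional[int] = None
    unicode_maximum: Optional[int] = None
    characters_required: str = ""
    characters_not_allowed: str = ""
    characters_allowed: str = ""          # "" means every character is allowed
    substrings_not_allowed: List[str] = field(default_factory=list)
    start_with_alphabet: str = ""         # letters a password may begin with
    disallow_user_id: bool = False
    disallow_first_name: bool = False
    disallow_last_name: bool = False
    password_file_text: str = ""          # contents of the Password File (constructed here)
    password_file_delimiter: str = ","

    def __post_init__(self):
        # These two conflicts are errors in the policy itself, reported at creation time.
        both = set(self.characters_allowed) & set(self.characters_not_allowed)
        if both:
            raise ValueError(f"characters both allowed and not allowed: {''.join(sorted(both))}")
        if self.characters_allowed:
            missing = set(self.characters_required) - set(self.characters_allowed)
            if missing:
                raise ValueError(f"required characters not in Characters Allowed: {''.join(sorted(missing))}")

    def banned_terms(self) -> List[str]:
        """Terms of the password file, separated by the Password File Delimiter."""
        return [t.strip() for t in self.password_file_text.split(self.password_file_delimiter) if t.strip()]


def evaluate(policy: CustomPolicy, password: str, user_id: str = "",
             first_name: str = "", last_name: str = "") -> Tuple[bool, List[str]]:
    """Return (accepted, reasons); every failing rule is reported, not just the first."""
    counts = Counter(password)
    digits = sum("0" <= c <= "9" for c in password)
    upper = sum("A" <= c <= "Z" for c in password)
    lower = sum("a" <= c <= "z" for c in password)
    special = sum(c.isascii() and not c.isalnum() for c in password)
    unicode_chars = sum(not c.isascii() for c in password)   # assumption: Unicode = non-ASCII
    unique = sum(1 for k in counts.values() if k == 1)       # 1a23321 -> 1 (only "a")
    repeated = max(counts.values()) - 1 if password else 0   # RL112211 -> 3 ("1" occurs four times)
    reasons = []
    for limit, have, name in [
        (policy.minimum_length, len(password), "Minimum Length"),
        (policy.minimum_numeric, digits, "Minimum Numeric Characters"),
        (policy.minimum_alphanumeric, digits + upper + lower, "Minimum Alphanumeric Characters"),
        (policy.minimum_unique, unique, "Minimum Unique Characters"),
        (policy.minimum_alphabet, upper + lower, "Minimum Alphabet Characters"),
        (policy.special_minimum, special, "Special Characters: Minimum"),
        (policy.minimum_uppercase, upper, "Minimum Uppercase Characters"),
        (policy.minimum_lowercase, lower, "Minimum Lowercase Characters"),
        (policy.unicode_minimum, unicode_chars, "Unicode Characters: Minimum"),
    ]:
        if limit is not None and have < limit:
            reasons.append(f"{name}: need {limit}, have {have}")
    for limit, have, name in [
        (policy.maximum_length, len(password), "Maximum Length"),
        (policy.maximum_repeated_characters, repeated, "Maximum Repeated Characters"),
        (policy.special_maximum, special, "Special Characters: Maximum"),
        (policy.unicode_maximum, unicode_chars, "Unicode Characters: Maximum"),
    ]:
        if limit is not None and have > limit:
            reasons.append(f"{name}: at most {limit}, have {have}")
    if any(c not in password for c in policy.characters_required):
        reasons.append("Characters Required: not every required character is present")
    if any(c in policy.characters_not_allowed for c in password):
        reasons.append("Characters Not Allowed: a disallowed character is present")
    if policy.characters_allowed and any(c not in policy.characters_allowed for c in password):
        reasons.append("Characters Allowed: a character outside the allowed set is present")
    if any(s in password for s in policy.substrings_not_allowed):   # exact-case match (assumption)
        reasons.append("Substrings Not Allowed: a forbidden substring is present")
    if policy.start_with_alphabet and (not password or password[0] not in policy.start_with_alphabet):
        reasons.append("Start With Alphabet: password does not start with a permitted letter")
    lowered = password.lower()   # ID and name checks are case-insensitive here (assumption)
    for flag, value, name in [(policy.disallow_user_id, user_id, "Disallow User ID"),
                              (policy.disallow_first_name, first_name, "Disallow First Name"),
                              (policy.disallow_last_name, last_name, "Disallow Last Name")]:
        if flag and value and value.lower() in lowered:
            reasons.append(f"{name}: password contains {value}")
    if password in policy.banned_terms():
        reasons.append("Password File: password is a predefined term")
    return not reasons, reasons
```

Because the counting conventions are the ones that trip people up, the two comments in evaluate() pin them to the table's examples: a character that occurs four times counts as repeated three times, and a unique character is one that occurs exactly once.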


On the System Configuration form, you can set the value of the Force Password Change At First Login property, which has the XL.ForcePasswordChangeAtFirstLogin keyword, to True for forcing a user to change the password when the user logs in for the first time. Note that the user is forced to change the password at first logon only when the user is created with the XL.ForcePasswordChangeAtFirstLogin keyword already set to True.

Note:

  • See the "Creating Users" section in the Oracle Identity Manager Administrative and User Console Guide for information about forcing users to change their password at first logon.

  • If a password field is present on a form, then the password policy is applied to the resource object with which the form is associated. If that form is displayed in the Administrative and User Console, then the View Password Policies link is also displayed there.

Whenever you change the value of the Force Password Change At First Login property, you must restart the server or purge the cache for the change to take effect. For purging the cache, the cache category is ServerCachedProperties.

See Also:

"Purging the Cache" in Oracle Identity Manager Best Practices Guide for information about purging the cache by using the PurgeCache utility

Note:

The default value of the Force Password Change At First Login property is True. To disable this property, set the value to False.

You can attach a process form with one of the Password fields to a resource. If you apply a password policy to the same resource and create an access policy for the resource, then the password entered by the user in the process form is not validated against the password policy rules. This is because when a resource is provisioned to the user, the user must provide the password, which will be validated against the password policy rules applied to the resource.

Setting the Criteria for a Password Policy

To set the criteria for a password policy:

  1. Open the required password policy definition.

  2. Click the Policy Rules tab.

  3. Either enter information into the appropriate fields, or select the required check boxes.

  4. Click Save.

7.7.2.2 Usage Tab

You use this tab to view the rules and resource objects that are associated with the current password policy.

For example, Figure 7-12 shows that the Solaris password policy and the Password Validation Rule have been assigned to the Solaris resource object.

Figure 7-12 shows the Usage tab of the Password Policies form.

Figure 7-12 Usage Tab of the Password Policies Form

Usage tab
Description of "Figure 7-12 Usage Tab of the Password Policies Form"

See Also:

"Password Policies Rule Tab" for more information about the relationship between password policies and resource objects

7.8 Task Scheduler Form

The Task Scheduler form shown in Figure 7-13 is in the Administration/Job Scheduling Tools folder. You use this form to define:

Figure 7-13 Task Scheduler Form

Task scheduler form
Description of "Figure 7-13 Task Scheduler Form"

Note:

As stated earlier, the Task Scheduler form is used to determine when a task is scheduled to be run. However, the Oracle Identity Manager program that triggers the execution of this task is referred to as the scheduler daemon.

Because the scheduler daemon cannot perform its designated function if it is not running, you must verify that it is active.

For more information about modifying the value of a system property, see "System Configuration Form".

Table 7-8 lists and describes the fields of the Task Scheduler form.

Table 7-8 Fields of the Task Scheduler Form

Field Name Description

Scheduled Task

The name of the task that is scheduled to be run.

Class Name

The name of the Java class that executes the scheduled task.

Note: The scheduler daemon triggers the execution of a scheduled task. The Java class actually executes the task.

Status

The task's status. A scheduled task has one of the following five status values:

  • INACTIVE: The scheduled task is not currently running (it has either not yet run or its last run completed successfully), and it is set to run at the date and time specified in the Next Start Time field.

  • RUNNING: The scheduled task is running.

  • COMPLETED: The scheduled task ran successfully, but it will not run again (the frequency is set to Once).

  • ERROR: An error occurred due to which the task could not be started.

  • FAILED: The scheduled task failed while running.

Max Retries

If the task is not completed, the number of times that Oracle Identity Manager tries to complete the task before assigning a status of ERROR to it.

Disabled

This check box is used to designate whether or not the scheduler daemon triggers a scheduled task.

If this check box is selected, the scheduler daemon does not trigger the task, even when the date and time that is displayed in the Start Time or Next Start Time fields matches the current date and time.

When this check box is deselected, and the date and time that is displayed in the Start Time or Next Start Time fields matches the current date and time, the scheduler daemon triggers the task.

Stop Execution

This check box is used to designate whether or not the scheduler daemon can stop a scheduled task with a status of RUNNING.

If this check box is selected, and the task's status is RUNNING, the scheduler daemon stops the task from being executed. In addition, the task's status changes to INACTIVE.

When this check box is deselected, the scheduler daemon does not stop a task with a status of RUNNING from being executed.

Start Time

The date and time of when the task is scheduled to run for the first time.

Note: If the task is set to be run more than once, the scheduler daemon refers to the date and time that is displayed in the Next Start Time field.

Last Start Time

The latest date and time of when the task started to run.

Last Stop Time

The most recent date and time of when the task stopped running.

Next Start Time

The subsequent date and time of when the task is scheduled to run.

Note: If the task is set to be run only once, the scheduler daemon refers to the date and time that is displayed in the Start Time field.

Daily, Weekly, Monthly, Yearly

These options are used to designate if the task is to be run daily, weekly, monthly, or annually.

If one of these radio buttons is selected, then the scheduler daemon triggers the associated task once a day, week, month, or year, at the date and time specified in the Start Time field.

When all of these radio buttons are cleared, the scheduler daemon does not trigger the associated task on a daily, weekly, monthly, or annual basis.

Recurring Intervals

This option designates that the task is to be run on a fixed, recurring basis.

If this option is selected, then the scheduler daemon triggers the associated task on a recurring basis.

If this option is deselected, then the scheduler daemon does not trigger the associated task on a recurring basis.

Note: If the Recurring Intervals option is selected, you must set the interval by entering a value into the text field below the option, and selecting a unit of measure from the adjacent box.

Once

This option is used to designate that the task is to be run only once.

If this option is selected, the scheduler daemon triggers the associated task once, at the date and time specified in the Start Time field.

When this option is deselected, the scheduler daemon triggers the associated task more than once.
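A model of how the Table 7-8 fields drive a task, added here as an example (it is not Oracle Identity Manager code and is not how the scheduler daemon is implemented). It computes the Next Start Time for the Daily, Weekly, Monthly, Yearly, Recurring Intervals and Once options, and walks a task through the INACTIVE, RUNNING, COMPLETED, FAILED and ERROR statuses as the table describes them, including the Disabled check box and the Max Retries count. Assumptions of the example: the class name com.example.DemoTask is hypothetical; the unit list for Recurring Intervals, clamping Monthly and Yearly runs to the last day of a shorter month, and retrying a FAILED task at its unchanged slot on the next pass are the example's own choices where the page is silent.

```python
"""Task Scheduler interval options and status values (Table 7-8).

Added example, not Oracle Identity Manager code.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

# The page does not list the units offered for Recurring Intervals; these are an assumption.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}


def add_months(dt: datetime, months: int) -> datetime:
    """Advance by whole months, clamping to the last day of a shorter month (assumption)."""
    years, month0 = divmod(dt.month - 1 + months, 12)
    year, month = dt.year + years, month0 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def next_start_time(previous: datetime, frequency: str,
                    interval: Optional[int] = None, unit: Optional[str] = None) -> Optional[datetime]:
    """Next Start Time after the slot `previous` (the Start Time or the slot just run).
    It is derived from the scheduled slot, not from Last Start Time, so a late start
    does not make the schedule drift."""
    if frequency == "Once":
        return None                     # runs once; the status becomes COMPLETED
    if frequency == "Recurring Intervals":
        return previous + timedelta(seconds=interval * UNIT_SECONDS[unit])
    return {
        "Daily": previous + timedelta(days=1),
        "Weekly": previous + timedelta(weeks=1),
        "Monthly": add_months(previous, 1),
        "Yearly": add_months(previous, 12),
    }[frequency]


@dataclass
class ScheduledTask:
    scheduled_task: str                 # Scheduled Task field
    class_name: str                     # Class Name field (hypothetical in the usage below)
    frequency: str                      # Daily/Weekly/Monthly/Yearly, Recurring Intervals or Once
    start_time: datetime                # Start Time field
    max_retries: int = 0                # Max Retries field
    interval: Optional[int] = None      # value under Recurring Intervals
    unit: Optional[str] = None          # unit of measure from the adjacent box
    disabled: bool = False              # Disabled check box
    status: str = "INACTIVE"
    next_start: Optional[datetime] = None
    last_start: Optional[datetime] = None
    last_stop: Optional[datetime] = None
    failures: int = 0

    def __post_init__(self):
        if self.next_start is None:
            self.next_start = self.start_time   # first run happens at the Start Time


def daemon_pass(task: ScheduledTask, now: datetime, run: Callable[[], bool]) -> str:
    """One pass of the scheduler daemon over one task. `run` returns True on success,
    False if the task fails while running, and raises if it cannot be started."""
    if task.status in ("COMPLETED", "ERROR"):
        return task.status              # terminal statuses
    if task.disabled or task.next_start is None or now < task.next_start:
        return task.status              # Disabled is selected, or the task is not due yet
    task.status, task.last_start = "RUNNING", now
    try:
        ok = run()
    except Exception:
        task.status = "ERROR"           # the task could not be started
        return task.status
    finally:
        task.last_stop = now
    if ok:
        task.failures = 0
        task.next_start = next_start_time(task.next_start, task.frequency, task.interval, task.unit)
        task.status = "COMPLETED" if task.frequency == "Once" else "INACTIVE"
    else:
        task.failures += 1
        # Max Retries: one initial attempt plus max_retries further attempts before ERROR.
        # The slot is left unchanged so the next pass retries it (assumption).
        task.status = "ERROR" if task.failures > task.max_retries else "FAILED"
    return task.status
```

With Max Retries set to 2, a task that fails on every attempt reads FAILED after the first and second attempts and ERROR after the third, which is the count the Max Retries description implies.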


The following sections provide more information about scheduled tasks:

7.8.1 Predefined Scheduled Tasks

Table 7-9 lists the predefined scheduled tasks that are available in this release of Oracle Identity Manager.

Table 7-9 Predefined Scheduled Tasks

Scheduled Task Description User-Configurable Attributes

Password Expiration Task

This scheduled task sends e-mail to users whose password expiration date has passed at the time when the task was run and then updates the USR_PWD_EXPIRED flag on the user profile.

None

Password Warning Task

This scheduled task sends e-mail to users whose password warning date had passed at the time when the task was run and then updates the USR_PWD_WARNED flag on the user profile.

None

User Operations

This scheduled task performs the operation specified by the UserOperation attribute on the user account specified by the UserLogin attribute.

  • UserLogin: User ID of the user account

  • UserOperation: Operation that you want to perform on the user account. The value of this attribute can be ENABLE, DISABLE, or DELETE.

Attestation Grace Period Expiry Checker

This scheduled task delegates the attestation process after the grace period expires.

None

Task Escalation

This scheduled task escalates pending tasks whose escalation time had elapsed at the time when the scheduled task was run.

None

Task Timed Retry

This scheduled task creates a retry task for rejected tasks whose retry time has elapsed and whose retry count was greater than zero.

None

Set User Deprovisioned Date

A deprovisioning date is defined when a user account is created. For users whose deprovisioning date had passed at the time when this scheduled task was run, the task sets the deprovisioned date to the current date.

None

Disable User After End Date

An end date is defined when a user account is created. This scheduled task disables user accounts whose end date had passed at the time when the task was run.

  • Day Max: The maximum number of user accounts that can be disabled by the task in one day, regardless of the number of times the task runs in a given day.

  • Task Max: The maximum number of user accounts that can be disabled in one run of the task.

Set User Provisioned Date

This scheduled task sets the provisioned date to the current date for users for whom all of the following conditions are true:

  • The provisioning date is in the past.

  • The deprovisioned date has not been set.

  • The deprovisioning date has not been reached or is NULL.

The setting of the provisioned date to the current date causes the policies to be evaluated for the users affected by an access policy update. After the evaluation is completed for the users, the usr_policy_update flag is set to NULL.

None

Enable User After Start Date

A start date is set when a user account is created. This scheduled task enables user accounts for which the start date has passed, and the user status is Disabled Until Start Date.

None

Trigger User Provisioning

This scheduled task triggers provisioning of resources that are in the Approved, Waiting To Provision status for all users whose provisioning date had passed when the task was run.

None

Scheduled Provisioning Task

When this scheduled task is run, it triggers scheduled request provisioning processes.

None

Remove Open Tasks

This scheduled task removes information about open tasks and pending approvals (that are older than the specified number of days) from the table that serves as the source for the list displayed in the Administrative and User Console.

Day Limit

Number of days for which information about an open task or pending approval is retained in the table before the information is deleted.

The default value is 60 days.

Remove Group Priority Gaps Task

A priority is assigned to every group that is created in Oracle Identity Manager. When a group is removed, the priority assigned to the next group in the priority list is not advanced automatically. When this scheduled task is run, it resequences group priorities up to the specified priority number. This scheduled task is needed only when you want to ensure that tasks are always assigned to groups with the highest priority.

Max Priority Gap

Priority level up to which the scheduled task must resequence group priority levels

For example, suppose you specified 10 as the value of this attribute. Groups with priority 3 and 7 were removed before the task was run. When the task runs, the priority levels of groups with priority level 4 through 10 are resequenced so that their new priority levels range from 3 through 8.

The default value is 10.

ReSubmit Request Tasks

This scheduled task resubmits requests that are in the REQUEST INITIALIZED state and sends e-mail notifications by using the specified e-mail template.

  • Resubmit requests older than (hours)

    Number of hours that must elapse before a request is resubmitted

  • Email Notification User (userid)

    User account that is to be shown as the sender of the e-mail

  • Email Template (Template Name)

    Template of the e-mail to be sent

Resubmit Reconciliation Event

This scheduled task resubmits reconciliation events whose status remains at Event Received for the time that you specify by using the window attribute.

window

Number of hours for which an event must have remained at the Event Received status before it is resubmitted.

Issue Audit Messages Task

This scheduled task fetches audit message details from the aud_jms table and sends a single JMS message for a particular identifier and auditor entry in the aud_jms table. An MDB processes the corresponding audit message.

Max records: Use this attribute to specify the maximum number of audit messages to be processed for a specified scheduled task run. The default value of this attribute is 400.

Initiate Attestation Processes

This scheduled task initiates a call to the Attestation Engine to run attestation processes that are scheduled to run at a time that has passed.

None


7.8.2 Creating a Scheduled Task

In addition to creating a scheduled task, if the task requires attributes, you must set them. Otherwise, the scheduled task is not functional.

When an existing task attribute is no longer relevant, you must remove it from the scheduled task.

The following procedure describes how to create a scheduled task. Later procedures show you how to add an attribute to a scheduled task and remove a task attribute from a scheduled task.

To create a scheduled task:

  1. Go to the Task Scheduler form.

  2. Enter the name of the scheduled task in the Scheduled Task field.

  3. Enter the name of the Java class that executes the scheduled task in the Class Name field.

  4. Enter a number into the Max Retries field. This number represents how many times Oracle Identity Manager tries to complete the task before assigning a status of ERROR to it.

  5. Ensure that the Disabled and Stop Execution check boxes are not selected.

  6. Double-click the Start Time field.

    From the Date & Time window that is displayed, set the date and time that the task is scheduled to run. If you specified that the task is to be executed on a recurring basis (by selecting the Recurring Intervals option), the date and time that is displayed in this field is referenced to determine when next to run the associated task.

  7. Set the scheduling parameters (in the Interval region):

    • To set the task to run once a day, week, month, or year, select the Daily, Weekly, Monthly, or Yearly option.

    • To set the task to run only once, select Once.

    • To set the task to run on a fixed, recurring basis, select Recurring Intervals, set the interval by entering a value into the text field below the option, and then select a unit of measure from the adjacent box.

  8. Click Save.

    The scheduled task is created. In addition, INACTIVE is displayed in the Status field because the task is not currently running. However, once the date and time that you set in Step 6 matches the current date and time, the scheduler daemon triggers the scheduled task.

7.8.2.1 Adding a Task Attribute

To add a task attribute:

  1. Click Add.

  2. In the Attribute Name field, enter the name of the task attribute.

  3. In the Attribute Value field, enter the attribute's value.

  4. From the Toolbar, click Save.

    The task attribute is added to the scheduled task.

7.8.2.2 Removing a Task Attribute

To remove a task attribute:

  1. Select the task attribute that you want to remove.

  2. Click Delete.

    The attribute is removed from the scheduled task.

7.8.3 Deleting a Custom Scheduled Task

To delete a scheduled task:

Note:

You cannot delete internal scheduled tasks, such as Password Expiration Task, that are installed with Oracle Identity Manager.

  1. Go to the Task Scheduler form.

  2. Enter the name of the scheduled task in the Scheduled Task field, and click the binoculars button or press Ctrl+Q. The scheduled task opens in the Task Definition form.

  3. In the Task Definition form, remove existing task attributes by following the instructions in "Removing a Task Attribute".

  4. Click Delete on the toolbar or press Ctrl+D. A warning message displays, informing you that the current record will be deleted.

  5. Click OK to delete the scheduled task.