11 Managing Users

The user management feature in Oracle Identity Manager includes the creation, modification, deletion, enabling and disabling, locking, and unlocking of user accounts. This feature is described in the following sections:

11.1 User Lifecycle

User lifecycle is a term that describes the process flow of how a user entity is created, managed, and terminated in the system, based on certain events or time factors.

A user entity goes through various stages in the lifecycle. The stages are non-existent, disabled, active, and deleted. Figure 11-1 depicts the different lifecycle stages, all possible transitions, and the operations that set up those transitions:

Figure 11-1 User Life Cycle (figure not reproduced in this text)

There is a possibility of process rules or business requirements being defined for each transition of the user lifecycle. You can use the sample scenarios listed in Table 11-1 to establish the link between user lifecycle transitions and business objectives.

Table 11-1 User Life Cycle and Business Objectives Sample Scenarios

Current State | Operation | Sample Scenario | Process Description
Non-existent | Create | HR enters user profile information for a new hire. If the new hire is not introduced to the system immediately, then HR sets a future start date for the user. | If the start date is not a future date, then the user is introduced into the system in an Active state. If the start date is in the future, then the create process creates the user in a disabled state.
Disabled | Enable | The user's start date is in effect. The system initiates provisioning for the new hire. | The user is marked enabled in the system and is now able to log in and use the system. By default, all necessary memberships and accounts are established as part of the workflow.
Active | Modify | The user is promoted to a new position. As a result, HR changes the job title of the user. | New resources are provisioned to the user, and old, irrelevant resources are deprovisioned from the user.
Active | Disable | The user takes a one-year sabbatical from the company. HR manually disables the user on the user's last working day. The user rejoins the company after some period, and HR can make the user Active again. | The user is marked disabled in the system and is no longer able to log in to the system. Disabled users can be made Active again.
Active | Delete | The user retires from the company. HR manually disables the user on the user's last working day. | The user is marked disabled in the system and is no longer able to log in to the system. By default, all of the user's accounts are deprovisioned as part of the workflow.
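The transitions in Table 11-1 can be checked mechanically, which is useful when writing tests for custom lifecycle event handlers. The following Python model is an added example and is not Oracle Identity Manager code: the identity statuses, the operations and the future Start Date rule follow the table above; the RESOURCES_BY_TITLE provisioning stand-in, the ISO-string dates and the Delete-from-Disabled transition are assumptions (Figure 11-1, which shows all transitions, is not reproduced here). It also keeps the OIM account lock separate from the identity status, as Section 11.1.1 describes.

```python
"""Model of the user lifecycle described in Section 11.1 and Table 11-1.

Added example, not Oracle Identity Manager code: the state names, the
operations and the future-start-date rule follow the page; the provisioning
workflow (RESOURCES_BY_TITLE) is a stand-in and the Delete-from-Disabled
transition is an assumption, since Figure 11-1 is not reproduced here."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

NON_EXISTENT, DISABLED, ACTIVE, DELETED = "Non-existent", "Disabled", "Active", "Deleted"

# Allowed (current status, operation) pairs from Table 11-1.  The target status
# of Create depends on the Start Date, so it is resolved in create().
TRANSITIONS = {
    (NON_EXISTENT, "Create"),
    (DISABLED, "Enable"),
    (ACTIVE, "Modify"),
    (ACTIVE, "Disable"),
    (ACTIVE, "Delete"),
    (DISABLED, "Delete"),   # assumption: not listed in Table 11-1
}

# Stand-in for the provisioning workflow: resources a job title should hold.
RESOURCES_BY_TITLE = {
    "Engineer": {"email", "vpn"},
    "Manager": {"email", "vpn", "expense-approval"},
}


class LifecycleError(Exception):
    """The requested operation is not valid in the user's current status."""


@dataclass
class User:
    login: str
    title: str
    start_date: Optional[str] = None          # ISO date, e.g. "2030-01-01"
    status: str = NON_EXISTENT                 # identity status
    account_locked: bool = False               # OIM account state (Section 11.1.1)
    resources: Set[str] = field(default_factory=set)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)


def _transition(user: User, operation: str, new_status: str) -> str:
    if (user.status, operation) not in TRANSITIONS:
        raise LifecycleError(f"{operation} is not allowed while {user.login} is {user.status}")
    user.audit.append((operation, user.status, new_status))
    user.status = new_status
    return new_status


def _provision(user: User) -> None:
    """New resources are provisioned and irrelevant ones deprovisioned (Modify row)."""
    user.resources = set(RESOURCES_BY_TITLE.get(user.title, set()))


def create(user: User, today: str) -> str:
    """Create row: a future Start Date creates the user disabled, otherwise active."""
    if user.start_date is not None and date.fromisoformat(user.start_date) > date.fromisoformat(today):
        return _transition(user, "Create", DISABLED)
    status = _transition(user, "Create", ACTIVE)
    _provision(user)
    return status


def enable(user: User) -> str:
    """Enable row: the user becomes active and default memberships/accounts are set up."""
    status = _transition(user, "Enable", ACTIVE)
    _provision(user)
    return status


def modify(user: User, new_title: str) -> Set[str]:
    """Modify row: a title change re-provisions the user's resources."""
    _transition(user, "Modify", ACTIVE)
    user.title = new_title
    _provision(user)
    return set(user.resources)


def disable(user: User) -> str:
    """Disable row: the user can no longer log in but can be re-enabled."""
    return _transition(user, "Disable", DISABLED)


def delete(user: User) -> str:
    """Delete row: all of the user's accounts are deprovisioned."""
    status = _transition(user, "Delete", DELETED)
    user.resources.clear()
    return status


def lock(user: User) -> None:
    """Lock/unlock act on the OIM account, not on the identity status (Section 11.1.1)."""
    user.account_locked = True


def unlock(user: User) -> None:
    user.account_locked = False


def can_login(user: User) -> bool:
    """Login needs an Active identity and an unlocked OIM account."""
    return user.status == ACTIVE and not user.account_locked
```

A user with a Start Date in the future is created Disabled and cannot log in until Enable runs; Modify is refused outside the Active state; locking the account leaves the identity status untouched, so an audit of identity statuses alone does not show who is locked out.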


The following concepts are integral to user lifecycle management:

11.1.1 OIM Account

OIM Account is an abstraction representing a means to be authenticated to access Oracle Identity Manager. In Oracle Identity Manager, the cardinality of the relationship between a user and an OIM account is one-to-one. By default, users are associated with OIM accounts that allow them to access Oracle Identity Manager. However, there may be users who do not need to access Oracle Identity Manager, and who therefore may not be provisioned with an OIM account.

Some user operations, such as lock and unlock, are explicitly account operations. When locking or unlocking a user, you lock or unlock the user's OIM account.

In Oracle Identity Manager, each user has a Design Console Access attribute that controls the OIM account of the user. If the Design Console Access option for a user is selected in the UI, then the user is End-User Administrator. If this option is not selected, then the user is an End-User.

11.1.2 Organization

Organization is a logical container for authorization and permission data. A user in Oracle Identity Manager must belong to one organization only. For detailed information about organizations in Oracle Identity Manager, see Chapter 13, "Managing Organizations".

11.1.3 Role

Oracle Identity Manager provides easy and controlled privilege management through roles. Roles are named groups of related privileges that you grant to users or other roles. Roles are designed to ease the administration of end-user system and schema object privileges. For detailed information about roles, see Chapter 12, "Managing Roles".

11.2 User Entity Definition

Attributes are defined for the user entity in Oracle Identity Manager. You can add your own attributes to the user entity.

For each attribute for a user entity, the following properties are defined in Oracle Identity Manager:

  • Attribute Name: The name of the attribute.

  • Category: All entity attributes are classified into a category. This categorization is used to organize the data in the UI. The category is only for display on the UI and is not used anywhere else. The default categories are:

    • Basic User Information: This category contains basic user attributes such as user first name, user last name, e-mail, manager, organization, and user type.

    • Account Settings: This category contains account-related attributes such as user login, identity status, account status, and global unique identifier (GUID).

    • Account Effective Dates: This category contains account start and end date attributes.

    • Provisioning Dates: This category contains provisioning date and deprovisioning date attributes.

    • Lifecycle: This category contains flags related to the user account, such as Manually Locked, Account Locked On, and Automatically Delete On.

      All the attributes in this category are hidden by default, so the category itself is also not visible.

    • System: This category contains the system controlled attributes for the user entity such as created on, password expiration date, password reset attempts, and so on.

    • Other User Attributes: This category contains a list of all the FA-related and LDAP-related attributes.

    • CustomAttributes: This is an empty category where the user can add all the new custom attributes.

    • Preferences: This category contains the attributes related to user preferences. It contains various attributes such as locale, timezone, currency, date format, and so on.

  • Data Type: Indicates the type of data in the attribute. Supported types are Text, Numeric, Date, and Boolean.

  • Properties: For each attribute, the following properties can be defined:

    • Required: Determines whether or not every user in the repository must have a non-null value for this attribute.

    • System Controlled: Determines if the value can only be set and edited by the system itself.

    • System Can Default: Determines if the value can be set by the system to a default if no value is provided.

    • Encrypted: Determines if the value stored in the repository is encrypted. If true, then the value is encrypted, but this encrypted value can be decrypted to produce the original value. If false, then the value is stored in the clear, meaning that the stored value is not encrypted.

    • Searchable: Determines if the values can be used in searches.

    • Support Bulk Update: Determines if the field can be modified as part of a bulk modification of multiple users. Fields that are expected to be unique to users, such as username, name fields, and password, do not support bulk update. For fields with System Controlled=Yes or Unique=Yes, this property can never be set to Yes. For information about setting the properties of an attribute, see "Configuring User Attributes" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.

    • Display: Determines how the field is displayed in the UI for creating and modifying users. It can have any one of the following values:

      TEXT, TEXTAREA, NUMBER, DOUBLE, CHECKBOX, DATE_ONLY, SECRET, LOV, and ENTITY.

    • Multi-valued: Determines whether the attribute is multi-valued or not. The value of this property is either true or false. Oracle Identity Manager does not support multiple values, and therefore, this property is set to false for all user attributes.

    • Max Size: Indicates the maximum allowed length for the specified attribute.

    • Read Only: Indicates whether the attribute is read-only or editable.

  • Dependency: The value of some attributes can depend on the value of other attributes. The Dependency property lists the other attributes that this attribute depends on. If any of those attributes are changed, then the auto-generate or pre-populate adapters for this attribute are started.

  • LOV: A list of values (LOV) is provided for a field. You can modify the list of available values if the LOV is marked as configurable. For other LOVs, you cannot add your own values. For some LOVs, the list of values is system-defined.
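The properties above are what a user-management API must enforce on every request: system-controlled values must never come from the caller, required values must be present or defaulted, unique values must be checked against the repository, and bulk updates may touch only fields marked Support Bulk Update. The following Python code is an added example, not Oracle Identity Manager code. USER_SCHEMA holds a subset of the attributes from Table 11-2 with their properties; the Max Size values, the Display Name default rule and the default values for User Type and Identity Status are assumptions.

```python
"""Enforcement of the user-attribute properties listed in Section 11.2 when a
user is created or bulk-updated.

Added example, not Oracle Identity Manager code.  USER_SCHEMA is a subset of
Table 11-2; the Max Size values, the Display Name default rule and the
default values for User Type and Identity Status are assumptions."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

PY_TYPES = {"Text": str, "Numeric": int, "Boolean": bool, "Date": str}   # Date kept as ISO text


class ValidationError(Exception):
    def __init__(self, problems: List[str]):
        super().__init__("; ".join(problems))
        self.problems = problems


@dataclass(frozen=True)
class AttributeDef:
    name: str
    data_type: str
    required: bool = False
    system_controlled: bool = False
    system_can_default: bool = False
    encrypted: bool = False
    searchable: bool = True
    unique: bool = False
    bulk_update: bool = False
    max_size: Optional[int] = None
    default: Optional[Callable[[Dict[str, Any]], Any]] = None

    def __post_init__(self) -> None:
        # Section 11.2: Support Bulk Update can never be Yes for attributes with
        # System Controlled=Yes or Unique=Yes.
        if self.bulk_update and (self.system_controlled or self.unique):
            raise ValueError(f"{self.name}: bulk update is not allowed for system-controlled or unique attributes")


def _display_name(values: Dict[str, Any]) -> str:
    # Assumed default rule: first and last name.
    return f"{values.get('First Name', '')} {values.get('Last Name', '')}".strip()


USER_SCHEMA: Dict[str, AttributeDef] = {a.name: a for a in [
    AttributeDef("User Login", "Text", required=True, unique=True, max_size=256),
    AttributeDef("First Name", "Text", max_size=150),
    AttributeDef("Last Name", "Text", required=True, max_size=150),
    AttributeDef("Display Name", "Text", system_controlled=True, system_can_default=True, default=_display_name),
    AttributeDef("User Type", "Text", required=True, system_can_default=True, bulk_update=True, default=lambda v: "Full-Time"),
    AttributeDef("Email", "Text", unique=True),
    AttributeDef("Password", "Text", required=True, encrypted=True, searchable=False),
    AttributeDef("Identity Status", "Text", required=True, system_controlled=True, system_can_default=True, default=lambda v: "Active"),
]}


def validate_create(request: Dict[str, Any], existing: List[Dict[str, Any]], schema=USER_SCHEMA) -> Dict[str, Any]:
    """Check a Create User request and return the record to store, or raise ValidationError."""
    problems: List[str] = []
    record: Dict[str, Any] = {}
    for name in request:
        if name not in schema:
            problems.append(f"unknown attribute {name!r}")
        elif schema[name].system_controlled:
            # A caller must never set system-controlled values such as Identity Status.
            problems.append(f"{name} is system controlled and cannot be supplied")
    for attr in schema.values():
        value = request.get(attr.name)
        if value in (None, "") and attr.system_can_default and attr.default is not None:
            value = attr.default(request)
        if value in (None, ""):
            if attr.required:
                problems.append(f"{attr.name} is required")
            continue
        expected = PY_TYPES[attr.data_type]
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            problems.append(f"{attr.name} must be of type {attr.data_type}")
            continue
        if attr.max_size is not None and len(str(value)) > attr.max_size:
            problems.append(f"{attr.name} exceeds max size {attr.max_size}")
        if attr.unique and any(u.get(attr.name) == value for u in existing):
            problems.append(f"{attr.name} must be unique")
        record[attr.name] = value
    if problems:
        raise ValidationError(problems)
    return record


def validate_bulk_update(changes: Dict[str, Any], schema=USER_SCHEMA) -> List[str]:
    """Return the reasons a bulk modification of several users must be refused (empty if allowed)."""
    return [f"{name} does not support bulk update" for name in changes
            if name not in schema or not schema[name].bulk_update]


def searchable_attributes(schema=USER_SCHEMA) -> List[str]:
    """Attributes a search may filter on; the encrypted Password is excluded (Searchable: No)."""
    return [a.name for a in schema.values() if a.searchable]
```

The invariant on Support Bulk Update is checked when an attribute is defined, so a misconfigured schema fails at load time rather than at the first bulk request; rejecting caller-supplied Identity Status or Display Name closes the obvious route by which a create request could smuggle in a system-controlled value.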

Table 11-2 lists the attributes defined for the user entity in Oracle Identity Manager:

Table 11-2 Attributes Defined for User Entity

Attribute Name | Category | Type | Data Type | Required | System Can Default | System Controlled | Encrypted | Searchable | Unique | Support Bulk Update | LOV
User Login | Account Settings | Single | Text | Yes | No | No | Clear | Yes | Yes | No | NA
First Name | Basic User Information | Single | Text | No | No | No | Clear | Yes | No | No | NA
Middle Name | Basic User Information | Single | Text | No | No | No | Clear | Yes | No | No | NA
Last Name | Basic User Information | Single | Text | Yes | No | No | Clear | Yes | No | No | NA
Generation Qualifier | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | System LOV (configurable)
Display Name | Basic User Information | Single | Text | No | Yes | Yes | Clear | Yes | No | No | NA
Initials | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Description | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
User Type | Basic User Information | Single | Text | Yes | Yes | No | Clear | Yes | No | Yes | System LOV (configurable): Full-Time, Part-Time, Contractor
Employee Number | Other User Attributes | Single | Text | No | Yes | No | Clear | Yes | No | No | NA
Organization | Basic User Information | Single | Reference | Yes | No | No | Clear | Yes | No | Yes | API-based
Department Number | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Title | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Manager | Basic User Information | Single | Reference | No | No | No | Clear | Yes | No | Yes | API-based
Hire Date | Other User Attributes | Single | Date | No | No | No | Clear | Yes | No | Yes | NA
Start Date | Account Effective Dates | Single | Date | No | No | No | Clear | Yes | No | No | NA
End Date | Account Effective Dates | Single | Date | No | No | No | Clear | Yes | No | Yes | NA
Identity Status | Account Settings | Single | Text | Yes | Yes | Yes | Clear | Yes | No | No | Active, Disabled, Deleted, Disabled Until Start Date
Account Status | Account Settings | Single | Text | Yes | Yes | Yes | Clear | Yes | No | No | Locked/Unlocked
Design Console Access | Basic User Information | Single | Check Box | Yes | Yes | No | Clear | Yes | No | Yes | True/False
Account Locked | Lifecycle | Single | Boolean | Yes | Yes | Yes | Clear | Yes | No | No | NA
Account Locked On | Lifecycle | Single | Date | No | Yes | Yes | Clear | No | No | No | NA
Manually Locked | Lifecycle | Single | Boolean | No | Yes | Yes | Clear | No | No | No | NA
Password | Account Settings | Single | Text | Yes | No | No | Encrypt | No | No | No | NA
Password Generated | Account Settings | Single | Text | No | Yes | Yes | Clear | No | No | No | NA
Email | Basic User Information | Single | Text | No | No | No | Clear | Yes | Yes | No | NA
Home Postal Address | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Postal Address | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Street | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Postal Code | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
PO Box | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Locality Name | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
State | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Country | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Fax | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
House Phone | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Mobile | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Pager | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Phone | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Locale | Preferences | Single | Text | No | Yes | No | Clear | Yes | No | No | System LOV
Language | LDAP Attributes | Single | Text | No | Yes | No | Clear | Yes | No | Yes | System LOV
Time Zone | Preferences | Single | Text | No | Yes | No | Clear | Yes | No | No | System LOV
UID | Account Settings | Single | Numeric | Yes | Yes | Yes | Clear | Yes | Yes | No | NA
LDAP Organization | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
LDAP Organization Unit | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
LDAP DN | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Common Name | Other User Attributes | Single | Text | No | No | No | Clear | Yes | No | No | NA
Provisioning Date | Provisioning Dates | Single | Date | No | No | No | Clear | Yes | No | Yes | NA
De-provisioning Date | Provisioning Dates | Single | Date | No | No | No | Clear | Yes | No | Yes | NA
Provisioned Date | System | Single | Date | No | No | Yes | Clear | Yes | No | No | NA
De-provisioned Date | System | Single | Date | No | No | Yes | Clear | Yes | No | No | NA
Login Attempts | System | Single | Numeric | No | Yes | Yes | Clear | No | No | Yes | NA
Automatically Delete On | Lifecycle | Single | Date | No | Yes | Yes | Clear | No | No | No | NA
Created On | System | Single | Date | Yes | Yes | Yes | Clear | Yes | No | No | NA
Updated On | System | Single | Date | Yes | Yes | Yes | Clear | Yes | No | No | NA


11.3 User Management Tasks

You can perform the following user management tasks in Oracle Identity Manager Administration:

11.3.1 Searching Users

In Oracle Identity Manager Administration, you can perform the following types of search operations for the user entity:

11.3.1.1 Simple Search

The search operation lets you search user entities based on the search strings that you specify as search attributes. This operation is also referred to as simple search or quick search.

The search feature is described in the following topics:

11.3.1.1.1 Searchable Attributes

The default set of attributes across which search is conducted are:

  • User Login

  • First Name

  • Last Name

  • Display Name

11.3.1.1.2 Search Comparators

The search comparator for the search operation is set to Begins With. The search comparator can be combined with wildcard characters to specify a search condition.

11.3.1.1.3 Search String

The search string is not case-sensitive. Only the asterisk (*) character is supported as a wildcard in the search string. Oracle Identity Manager Administration removes any leading or trailing white space from the search string. For performance reasons, any leading occurrences of (*) in the search string are also removed.

11.3.1.1.4 Conjunction Operator

The conjunction operator for the search operation is by default set to be OR.

The relationships between the search attributes, search comparator, search string, and conjunction operator are described by the following query composition formula:

Query begins with ((attribute 1 begins with 'search string') or (attribute 2 begins with 'search string') or …)

For example, if you enter Jo* as a search text, then the search operation forms an internal query where User Name begins with Jo* or First Name begins with Jo* or Last Name begins with Jo*. As a result, all the users whose user name, first name, or last name starts with Jo are displayed.

11.3.1.1.5 Search Results

Result attributes define the set of attributes that are to be returned by the search operation. The actual set of result attributes, however, is determined dynamically based on the user's permissions.

Note:

The search results do not include deleted users, which means users with status = Deleted.

The limited search result table shows a subset of the columns of the full search result table. User configuration specifies the columns to display in the search results, and the subset to display in the limited search result table. For more details about configuration management, see "Configuring User Attributes" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.

The simple search result table displays the Display Name attribute only. It lists the Display Name of every user whose Display Name, User Login, First Name, or Last Name attribute value matches the search text.
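The query composition described in Sections 11.3.1.1.1 through 11.3.1.1.5 can be written out as a small function, which is a convenient way to confirm how a given search string will be interpreted before it reaches the repository. The following Python code is an added example and is not Oracle Identity Manager code: the normalization rules (trim, drop leading asterisks, case-insensitive), the Begins With comparator, the OR conjunction over the four default attributes, the exclusion of deleted users and the Display Name-only result all follow the text above; the user records are constructed sample data, and treating an empty string (after normalization) as matching nothing is an assumption.

```python
"""Simple (quick) user search as described in Section 11.3.1.1.

Added example, not Oracle Identity Manager code; the user records are
constructed sample data."""
import re
from typing import Dict, List, Sequence

DEFAULT_SEARCH_ATTRIBUTES = ("User Login", "First Name", "Last Name", "Display Name")

# Constructed sample repository.
USERS: List[Dict[str, str]] = [
    {"User Login": "jdoe", "First Name": "John", "Last Name": "Doe",
     "Display Name": "John Doe", "Identity Status": "Active"},
    {"User Login": "ajones", "First Name": "Amy", "Last Name": "Jones",
     "Display Name": "Amy Jones", "Identity Status": "Active"},
    {"User Login": "bjo", "First Name": "Bill", "Last Name": "Johnson",
     "Display Name": "Bill Johnson", "Identity Status": "Disabled"},
    {"User Login": "jolee", "First Name": "Jo", "Last Name": "Lee",
     "Display Name": "Jo Lee", "Identity Status": "Deleted"},
    {"User Login": "mmiller", "First Name": "Mary", "Last Name": "Miller",
     "Display Name": "Mary Miller", "Identity Status": "Active"},
]


def normalize_search_string(text: str) -> str:
    """Trim leading/trailing white space and drop leading '*' (performance rule)."""
    return text.strip().lstrip("*")


def compile_begins_with(search: str) -> "re.Pattern[str]":
    """Turn a Begins With search string into an anchored, case-insensitive regex.

    Only '*' is a wildcard; every other character is matched literally, so
    regex metacharacters in the user input cannot change the query."""
    parts = [re.escape(part) for part in search.split("*")]
    return re.compile("^" + ".*".join(parts), re.IGNORECASE)


def simple_search(text: str, users: List[Dict[str, str]] = USERS,
                  attributes: Sequence[str] = DEFAULT_SEARCH_ATTRIBUTES) -> List[str]:
    """Return the Display Name of each user matching the quick-search rules."""
    search = normalize_search_string(text)
    if not search:
        return []            # assumption: nothing left to match after normalization
    pattern = compile_begins_with(search)
    hits = []
    for user in users:
        if user.get("Identity Status") == "Deleted":
            continue         # Section 11.3.1.1.5: deleted users never appear in results
        # OR conjunction: any default attribute that begins with the search string.
        if any(pattern.match(user.get(attr, "")) for attr in attributes):
            hits.append(user["Display Name"])
    return hits
```

With the sample data, `simple_search("Jo*")` returns John Doe (first name), Amy Jones (last name) and Bill Johnson (last name), but not the deleted user Jo Lee; `"*jo"` and `"  JO  "` normalize to the same query.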

You can perform sorting and paging of the displayed data in the search results table.

Tip:

When you scroll up or down, the page index changes. Each page contains a fixed number of entries. When the page index changes and the required page has not yet been loaded into the UI, the UI triggers an event, and in response to this event the result page is displayed.

Up and down arrows are provided on each attribute in the search result table. Clicking the up or down arrow of an attribute selects that attribute as the sort attribute and sets the sorting order.

11.3.1.1.6 Operations on Search Results

This section describes the operations that you can perform based on selection of row(s) in the search results table. It is divided into single selection operations and bulk or multiple selection operations.

You can perform the following single selection operations by selecting a user from the search results table:

  • View detail

  • Bulk modify, only if the user status is deleted

  • Enable, only if the user status is enabled

  • Disable, only if the user status is disabled

  • Lock, only if the selected user's account is unlocked

  • Unlock, only if the selected user's account is locked

  • Reset password

  • Delete

You can perform the following bulk or multiple selection operations by selecting multiple users from the search results table:

  • Enable, only if the user status is enabled

  • Disable, only if the user status is disabled

  • Lock, only if the selected user's account is unlocked

  • Unlock, only if the selected user's account is locked

  • Delete

11.3.1.1.7 Performing a Simple Search

To perform a simple search and display the details of the user:

  1. Log in to Oracle Identity Manager Administration.

  2. To search users, in the left pane, select Users from the drop-down list.

  3. In the search field, enter a search criterion. You can include wildcard characters (*) in your search criterion.

  4. Click the icon to the right of the search field. The search result is displayed in the left pane and shows the display names of the users that match the search criterion you specified. Figure 11-2 shows the search results:

    Figure 11-2 Simple Search Result (figure not reproduced in this text)

11.3.1.2 Advanced Search

The advanced search options are displayed in the right pane of Oracle Identity Manager Administration. The advanced search allows you to specify more complex search criteria than the simple search. The results are displayed in search results tables.

The advanced search operation is described in the following sections:

11.3.1.2.1 Advanced Search Page

You specify the search criteria in the Advanced Search page. This page lets you create a search query that consists of multiple criteria. Each criterion consists of:

  • The attribute to search against

  • The search comparator, such as equals and begins with

  • The values to search for

A criterion takes multiple values when its comparator requires two or more values, for example, range searches on numeric fields or date ranges on date fields. You can also specify multiple search criteria; when you do, you must specify the AND or OR conjunction operator for the search operation.

11.3.1.2.2 Search Comparators

The search comparators that the Advanced Search page supports are predefined in Oracle Identity Manager. Each comparator specifies the kind of attribute (data type) it supports, and also the number of input data fields it requires.

Table 11-3 lists the comparators supported by advanced search:

Table 11-3 Advanced Search Comparators

Comparator | Field Types Supported
Equals | Text, Date, Numeric, Boolean
Begins With | Text


11.3.1.2.3 Conjunction Operator

The conjunction operators for the search operation are:

  • All: Search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.

  • Any: Search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.

11.3.1.2.4 Searchable Attributes

Searchable attributes define the set of attributes that you can use in the Advanced Search page. While creating the search criteria, you can select the attributes that you want to search against from this base list.

Only a subset of the searchable attributes, called default fields in Table 11-4, is displayed by default in the Advanced Search page. You can add additional searchable attributes to the page by using the Add Fields functionality. Each attribute also specifies the comparators it supports.

Table 11-4 Default Search Attributes

Attribute | Comparators Available | Default Field
Display Name | Begins With, Equals | Yes
User Login | Begins With, Equals | Yes
First Name | Begins With, Equals | Yes
Last Name | Begins With, Equals | Yes
Identity Status | Equals, Not Equals | Yes
Organization | Equals, Begins With | Yes
Email | Begins With, Equals | Yes
Start Date | Equals, Before, After, Range | Yes
End Date | Equals, Before, After, Range | Yes


Note:

You can configure the attributes that are searchable in User Management Configuration.

The searchable attributes configured for advanced search must be a subset of the attributes defined for the User Entity that are marked with the Searchable = Yes property.

11.3.1.2.5 Search Results

The search results table is displayed in the same tab as the Advanced Search page so that the user can view the query they searched by along with the search results. The table, being in the right pane, is always displayed as the full search results table.

If your search returns a lot of information, you can hide one or more columns in the search results table. For example, if your table contains 20 columns, you might want to display only the eight most-important columns, so you do not have to keep scrolling through the less important information.

To hide one or more columns, open the Search Results pane, click View, and deselect the columns you want to hide. A status message is displayed along the bottom of every search table to identify how many columns are currently hidden in that table view. Figure 11-3 shows a table in which the user has hidden three columns.

Figure 11-3 Advanced Search Result with Hidden Columns (figure not reproduced in this text)

The search results do not include deleted users unless you explicitly select the Status attribute in the Advanced Search page and provide the value Status Equals Deleted. In that case, deleted users are returned as part of the search results.

11.3.1.2.6 Performing an Advanced Search Operation

To perform an advanced search operation and display the search result:

  1. In the Welcome page of Oracle Identity Manager Administration, under Users, click Advanced Search - Users. Alternatively, click Administration, and under the Browse tab, click Advanced Search: Users.

  2. Select All or Any conjunction operator. For information about these operators, see "Conjunction Operator".

  3. Specify the search criteria in the fields. You can include wildcard characters (*) in your search criteria. For performance reasons, initial (prefix) wildcards are removed. Select the search comparators in the lists adjacent to the fields. See Table 11-3, "Advanced Search Comparators" for information about the advanced search comparators.

    Note:

    An asterisk wildcard (*) search on the Identity Status field returns only the users with Active, Disabled, and Disabled Until Start Date statuses, but not those with Deleted status. To search for users with Deleted status, you must enter Deleted in the Identity Status field.

    To add a field in the search criteria, click Add Fields, and then select the field name from the list.

  4. Click Search. The user records that match your search criteria are displayed in the search results table, as shown in Figure 11-4:

    Figure 11-4 Advanced Search Result (figure not reproduced in this text)
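The advanced search rules above (per-criterion comparators, All/Any conjunction, prefix-wildcard removal, and the special handling of deleted users) combine into one filter. The following Python code is an added example and is not Oracle Identity Manager code: the comparator names come from Tables 11-3 and 11-4 and the deleted-user rule from Section 11.3.1.2.5 and the Note in step 3; the user records are constructed sample data, dates are ISO strings, and refusing a query with no criteria is an assumption.

```python
"""Advanced user search as described in Section 11.3.1.2.

Added example, not Oracle Identity Manager code; the user records are
constructed sample data."""
import re
from datetime import date
from typing import Any, Callable, Dict, List, Sequence, Tuple

USERS: List[Dict[str, Any]] = [
    {"User Login": "jdoe", "Last Name": "Doe", "Organization": "Engineering",
     "Identity Status": "Active", "Start Date": "2023-01-15"},
    {"User Login": "ajones", "Last Name": "Jones", "Organization": "Finance",
     "Identity Status": "Active", "Start Date": "2021-06-01"},
    {"User Login": "bjohnson", "Last Name": "Johnson", "Organization": "Engineering",
     "Identity Status": "Disabled", "Start Date": "2019-03-10"},
    {"User Login": "jolee", "Last Name": "Lee", "Organization": "Engineering",
     "Identity Status": "Deleted", "Start Date": "2020-09-01"},
    {"User Login": "dkim", "Last Name": "Kim", "Organization": "Sales",
     "Identity Status": "Disabled Until Start Date", "Start Date": "2030-01-01"},
]


def _wildcard_regex(value: str) -> "re.Pattern[str]":
    """'*' is the only wildcard; everything else is literal and case-insensitive."""
    return re.compile(".*".join(re.escape(part) for part in value.split("*")), re.IGNORECASE)


def _as_date(value: Any) -> date:
    return value if isinstance(value, date) else date.fromisoformat(str(value))


def _equals(actual: Any, expected: Any) -> bool:
    if actual is None:
        return False
    if isinstance(expected, str):
        expected = expected.strip()
        if "*" in expected:            # e.g. Identity Status Equals '*'
            return _wildcard_regex(expected).fullmatch(str(actual)) is not None
        return str(actual).lower() == expected.lower()
    return actual == expected


def _begins_with(actual: Any, expected: str) -> bool:
    # Leading wildcards are dropped for performance (step 3 of 11.3.1.2.6).
    prefix = expected.strip().lstrip("*")
    return actual is not None and _wildcard_regex(prefix).match(str(actual)) is not None


COMPARATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Equals": _equals,
    "Not Equals": lambda actual, v: not _equals(actual, v),
    "Begins With": _begins_with,
    "Before": lambda actual, v: actual is not None and _as_date(actual) < _as_date(v),
    "After": lambda actual, v: actual is not None and _as_date(actual) > _as_date(v),
    "Range": lambda actual, v: actual is not None and _as_date(v[0]) <= _as_date(actual) <= _as_date(v[1]),
}

Criterion = Tuple[str, str, Any]   # (attribute, comparator, value); Range takes (low, high)


def advanced_search(criteria: Sequence[Criterion], conjunction: str = "All",
                    users: List[Dict[str, Any]] = USERS) -> List[str]:
    """Return the User Login of each matching user, in repository order."""
    if conjunction not in ("All", "Any"):
        raise ValueError("conjunction must be 'All' or 'Any'")
    if not criteria:
        raise ValueError("at least one search criterion is required")   # assumption
    combine = all if conjunction == "All" else any
    # Deleted users are eligible only when the caller asks for Identity Status Equals Deleted.
    explicit_deleted = any(attr == "Identity Status" and comp == "Equals"
                           and str(value).strip().lower() == "deleted"
                           for attr, comp, value in criteria)
    hits = []
    for user in users:
        if user.get("Identity Status") == "Deleted" and not explicit_deleted:
            continue
        if combine(COMPARATORS[comp](user.get(attr), value) for attr, comp, value in criteria):
            hits.append(user["User Login"])
    return hits
```

The deleted-user check runs before the comparators, so a wildcard on Identity Status or a Not Equals criterion can never surface a deleted identity by accident; only the explicit Equals Deleted criterion opens that set, which is the behaviour the Note in step 3 describes.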

11.3.2 Creating Users

You can create a new user in Oracle Identity Manager by using the Create User page. You can open this page only if you are authorized to create users as determined by the authorization policy on the Create User privilege on any organization in Oracle Identity Manager.

To create a user:

  1. Log in to Oracle Identity Manager Administration.

  2. Open the Create User page. To do so, perform any one of the following:

    • In the Welcome page, under Users, click Create Users.

    • Click the Administration tab on the tool bar, and in the Welcome page, under Users, click Create Users.

    • Click the Search Results tab, and from the Action menu, select Create User.

    • In the Search Results tab, click the Create User icon on the toolbar.

    The Create User page displays input fields for user profile attributes. The attributes that are displayed in the create user page are determined by the configuration of the Create User page in User Management Configuration. In this configuration, each of the attributes defined for the user entity is marked as being available on the Create User page.

    See Also:

    "Configuring User Attributes" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for information about configuring the Create User page

  3. Enter details of the user in the Create User page. Table 11-5 describes the fields in the Create User page:

    Table 11-5 Fields in the Create User Page

    Basic User Information

      First Name: First name of the user.

      Middle Name: Middle name of the user.

      Last Name: Last name of the user.

      Design Console Access: Indicates the OIM User type, which can have one of two values, End-User and End-User Administrator, and determines whether the user can log in to Oracle Identity Manager Design Console. If the Design Console Access check box is selected, the user type is End-User Administrator and the user has access to the Design Console.

      Email: E-mail address of the user.

      Manager: The reporting manager of the user.

      Organization: The organization to which the user belongs.

      User Type: The type of employee, such as full-time employee, intern, contractor, part-time employee, consultant, or temporary.

      Display Name: The display name of the user. It can have two values, Localized Display Name and Manage Localizations. You can add localization languages by clicking Manage Localizations.

    Account Settings

      User Login: The user name to be specified for logging in to the Administration Console.

      Password: The password to be specified for logging in to the Administration Console.

      Confirm Password: The password to be re-entered for confirmation.

    Account Effective Dates

      Start Date: The date when the user will be activated in the system.

      End Date: The date when the user will be deactivated in the system.

    Provisioning Dates

      Provisioning Date: The date when the user is provisioned into the system.

      Deprovisioning Date: The date when the user is deprovisioned from the system.

    Other User Attributes

      Country: The country where the user resides.

      Department Number: The department number of the user.

      Common Name: The common name of the user.

      Employee Number: The employee number of the user.

      Fax: The fax number of the user.

      Generation Qualifier: The generation qualifier (name suffix) of the user.

      Hire Date: The hiring date of the user.

      Home Phone: The home phone number of the user.

      Locality Name: The name of the locality where the user resides.

      Mobile: The mobile number of the user.

      Pager: The pager number of the user.

      Home Postal Address: The home address of the user.

      Postal Address: The postal address of the user.

      Postal Code: The postal code of the user's address.

      PO Box: The post box number of the user's address.

      State: The state name of the user.

      Street: The street name where the user resides.

      Telephone Number: The telephone number of the user's residence.

      Title: The title of the user.

      Initials: The initials of the user.


    You can enter attribute values in more than one language in the pages for creating or updating entities, such as users, organizations, and roles.

  4. After you enter the user information, click Save to create the user.

Tip:

Users can be created by any one of the following methods:
  • By using Oracle Identity Administration

  • By self registration

  • By creating a request

  • By using SPML Web service or APIs

For all the above methods, Oracle Identity Manager uses the default password policy or Password Policy against Default Rule. If you want to use a different password policy, then you must attach the new password policy to the default rule by using the Design Console. To do so, see "Managing Password Policies" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.

11.3.3 Viewing and Modifying User Information

The view user operation allows you to view detailed user profile information in the User Detail page. You can open this page if you are authorized to view the user's profile as determined by the authorization policy through the View User Details privilege. If you have the authorization to modify the user, then you can modify the user by using this page.

To display user details, perform any of the following:

  • Click the user login link in the search results table for simple search.

  • Select a record in the user search results table for both simple and advanced search, and then select Modify User from the Actions menu. Alternatively, you can click Modify User on the toolbar.

The viewing and modifying operations are described in the following sections:

11.3.3.1 User Details Page

The user details page for the user entity is auto-generated based on configuration and authorization. This page is divided into the following tabs:

11.3.3.1.1 The Attributes Tab

This tab displays the attribute profile that includes details about basic user information, account settings, and other user attributes. You can modify any field to change the attribute profile information, and click Apply.

To discard the changes made in this page, click Revert.

11.3.3.1.2 The Roles Tab

This tab displays a list of roles to which the user belongs. You can click each role to display summary information about the role. For each role in the list, it displays the following:

  • Display Name: The name displayed on the UI.

  • Role Name: Name of the role assigned to a user.

  • Role Namespace: Namespace to which the role is assigned.

  • Description: A description of the role.

In the Roles tab, you can assign roles to the user and remove roles from the user. For more details, see "Adding and Removing Roles".

11.3.3.1.3 The Resources Tab

This tab displays the resources that have been provisioned to the user. For each resource in the list, it displays the following:

  • Resource Name: Name of the resource assigned to a user

  • Request ID: If the provisioned instance is associated with a request

  • Service Account: Yes if the account was provisioned as a service account, otherwise No.

  • Description: If any, for the provisioned instance

  • Type: The type of resource

  • Status: The status of the resource such as Provisioned, Enabled, or Disabled

  • Provisioned On: The date when the resource was provisioned to the user

11.3.3.1.4 The Proxies Tab

This tab displays all proxies that are currently set up for the user. For each proxy in the list, it displays the following:

  • Proxy Name: The display name of the proxy user

  • Start Date: The start date for the proxy user

  • End Date: The end date for the proxy user

  • Status: The status of the proxy user

  • Relationship: The relationship of the proxy user with the open user, such as manager

  • Last Updated: The date when the proxy user was last updated

This tab also displays the history of proxy information for the user, in which the end date of each proxy is shown. The Current Proxies table displays the current proxies for the user. The Past Proxies table displays the proxy history for the user. The Status column is not displayed in the Past Proxies table.

If you select a row in the table that displays proxy information, then summary information about the proxy is displayed, where you can edit the proxy name, relationship with the user, start date, and end date.

The Proxies tab allows you to add proxies to the user and to remove proxies from the user. For information about adding and removing proxies, see "Modifying Proxy Details".

11.3.3.1.5 Direct Reports

This tab displays a read-only table of users for whom the user is set as the manager. In other words, this tab lists the direct reportees of the user. For each user in the table, it displays the following:

  • Display Name

  • User Login

  • Status

  • Organization

If you select a row in the table, then summary information about the direct reportee is displayed at the bottom.

The Direct Reports tab allows you to open the user details of the direct reportees. To do so, select a row in the table of direct reportees, and from the Action menu, select Open User. Alternatively, you can click Open User on the toolbar.

11.3.3.1.6 The Requests Tab

This tab displays the requests that are raised for the user. For each request, the following details are displayed:

  • Request ID: An ID to uniquely identify the request

  • Model Name: The request model name

  • Status: Shows the current state of the request

  • Requested By: The requester who raised the request

  • Parent ID: An ID of the parent request, if any, to which the request is a child request

  • Date Requested: The date on which the request is created

See Also:

Chapter 14, "Creating and Searching Requests" for information about requests, request types, and parent and child requests

This tab allows you to open the details of the requests by clicking the request IDs.

11.3.3.2 User Modifications

You can perform administrative user modification tasks from the user details. The modification is broken up across the different tabs in the page that displays user details, which means that modifications done in each tab are independent of each other and must be saved individually. The modifications you can perform in each tab are outlined in the following sections:

11.3.3.2.1 Modifying Attribute Profile

The attribute profile information is displayed in the Attributes tab of the user details page. To modify the attribute profile, edit the fields in the Attributes tab, and click Apply.

11.3.3.2.2 Adding and Removing Roles

To add a role:

  1. In the Roles tab, from the Action menu, select Assign Roles. Alternatively, you can click Assign Roles on the toolbar. The Assign Role to User window is displayed.

  2. From the Search Roles list, select the type of role or role category. The default role categories are OIM Roles and Default. In addition, you can create custom role categories. See "Creating and Managing Role Categories" for detailed information about role categories.

  3. Search can be performed on the following fields:

    • Display Name

    • Name

    • Role Namespace

    Select All or any conjunction operator. For information about these operators, see "Conjunction Operator".

  4. Enter a search criterion in the search field. You can specify the asterisk (*) wildcard character in the search criterion. Then, click the search icon. All roles that belong to the category you selected are displayed in the Available Roles list.

  5. Select one or more roles from the Available Roles list (Shift + Click for contiguous row selection and Ctrl + Click for non-contiguous selection). Then click the Move or Move All buttons to move the selected roles to the Roles to Assign list.

    See Also:

    Table 12-5, "Default Roles in Oracle Identity Manager" for information about the default roles in Oracle Identity Manager

  6. Click OK. A confirmation message is displayed and the roles you selected are assigned to the user.

The Roles tab allows you to select one or multiple roles in the list, and then allows you to remove roles. To remove a role:

  1. Select the role or roles that you want to remove.

  2. From the Action menu, select Revoke Roles. Alternatively, you can click Revoke Roles on the toolbar. A message is displayed asking you to confirm.

  3. Click OK. A success message is displayed on the user details page.

11.3.3.2.3 Adding and Removing Resources

The Resources tab allows you to select one or multiple resources in the list, and then perform various operations, such as adding and removing resources, enabling and disabling resources, and displaying resource details and history.

To add a resource to a user:

  1. In the Resources tab, from the Action menu, select Add. Alternatively, you can click Add Resource on the toolbar. The Provision Resource to User wizard is displayed.

  2. In Step 1: Select a Resource page, select the resource you want to provision.

  3. Click Continue. The Step 2: Verify Resource Selection page is displayed. This page displays the resource that you selected for provisioning to the target user.

  4. Click Continue. The Step 3: Process Data page is displayed.

  5. Enter values in the fields to specify information about the selected resource.

  6. Click Continue. The Step 4: Verify Process Data page is displayed with details about the resource.

    Figure 11-5 shows the Step 4: Verify Process Data page with sample values for the ebusiness Suite User TCA Foundation resource to be provisioned to the user John Doe with user ID JohnD.

    Figure 11-5 Sample Process Data

  7. If you want to edit any information displayed in this page, click Edit on the top-right corner of the page. The Step 3: Provide Process Data page is displayed that allows you to edit process data. When finished, click Continue to go back to the Step 4: Verify Process Data page.

    After verifying all information, click Continue.

    WARNING:

    Make sure that you verify the process data before clicking Continue. This is because clicking Continue starts provisioning.

  8. Click Continue to start provisioning the selected resource to the user. A message is displayed stating that the provisioning has been started.

To remove a resource from a user:

  1. In the Resources tab, select a resource that you want to remove.

  2. From the Action menu, select Remove Resource. Alternatively, you can click Revoke on the toolbar. A confirmation message is displayed.

  3. Click OK. The resource is removed, and a success message is displayed.

11.3.3.2.4 Enabling and Disabling Resources

A resource can be enabled if the status of the selected resource is Disabled or Provisioned. To enable a resource:

  1. In the Resources tab, select a resource that you want to enable.

  2. From the Action menu, select Enable. A confirmation message is displayed.

  3. Click OK. The resource is enabled, and a success message is displayed.

A resource can be disabled if the status of the selected resource is Enabled. To disable a resource:

  1. In the Resources tab, select a resource that you want to disable.

  2. From the Action menu, select Disable. A confirmation message is displayed.

  3. Click OK. The resource is disabled, and a success message is displayed.

11.3.3.2.5 Displaying Resource Details

To display resource details:

  1. In the Resources tab, select a resource whose details you want to display.

  2. From the Action menu, select Open. A page is displayed with the resource details. You can edit resource details in this page. When finished, click Save.

11.3.3.2.6 Displaying Resource History

To display resource history:

  1. In the Resources tab, select a resource whose history you want to display.

  2. From the Action menu, select Resource History. A page is displayed with the provisioning details of the resource. The details include task name, task details, date assigned, and the user to whom the task is assigned. A Retry check box is also displayed. You must select it to retry all failed tasks.

11.3.3.2.7 Modifying Proxy Details

The Proxies tab allows you to add a proxy and select one or multiple proxies in the list, and then invoke the following operations:

  • Edit a proxy, only if a single user is selected

  • Remove a proxy

To add a proxy:

  1. In the Proxies tab, from the Action menu, select Add. The Add Proxy dialog box is displayed.

  2. In the Proxy Name field, select an appropriate proxy. Your proxy can be any user. Search for the proxy user's name in the search field below the Proxy Name field, or select Manager to add your manager as a proxy.

  3. Specify a start date and end date for the proxy to operate on your behalf.

  4. Click OK. A message is displayed asking for confirmation.

  5. Click OK. A confirmation message is displayed stating that the proxy is assigned.

To remove a proxy, select the proxy in the Proxies tab, and click Remove Proxy.

To modify proxy details:

  1. Select a row in the table displaying proxy information. The details of the proxy are displayed at the bottom of the tab.

  2. Edit the fields to modify proxy information.

  3. Click Save.

11.3.3.3 Single User Operations

You can perform user management operations for a single user from the page that displays user details. These operations are:

11.3.3.3.1 Enabling a User

This operation is available only if the user status is Disabled. To enable a user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of Advanced Search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Enable User. Alternatively, you can click the Enable User icon on the toolbar. If the user details page for the user is open, then you can click Enable User on the toolbar. A message box is displayed asking for confirmation.

  3. Click OK to confirm. A confirmation message is displayed stating that the user is enabled.

    If you enable a user from the user detail page, then its successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.

11.3.3.3.2 Disabling a User

This operation is available only if the user status is Enabled. To disable a user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of Advanced Search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Disable User. Alternatively, you can click the Disable User icon on the toolbar. If the user details page for the user is open, then you can click Disable User on the toolbar. A message box is displayed asking for confirmation.

  3. Click OK to confirm. A confirmation message is displayed stating that the user is disabled.

    If you disable a user from the user detail page, then its successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.

11.3.3.3.3 Locking a User

This operation is available only if the user account is unlocked. To lock a user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of advanced search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Lock Account. Alternatively, you can click the Lock Account icon on the toolbar. If the user details page for the user is open, then you can click Lock Account on the toolbar. A message is displayed asking for confirmation.

  3. Click OK. A confirmation message is displayed stating that the user is successfully locked.

    If you lock an account from the user detail page, then its successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.

11.3.3.3.4 Unlocking a User

This operation is available only if the user account is locked. To unlock a user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of advanced search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Unlock Account. Alternatively, you can click the Unlock Account icon on the toolbar. If the user details page for the user is open, then you can click Unlock Account on the toolbar. A message is displayed asking for confirmation.

  3. Click OK. A confirmation message is displayed stating that the user is successfully unlocked.

    If you unlock an account from the user detail page, then its successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.

11.3.3.3.5 Resetting the Password for a User

You can reset the password for a user by performing any one of the following:

  • Generate the password manually: You can reset the password of a user manually in instances such as the user has forgotten the password and has called HelpDesk to reset the password quickly. Helpdesk can immediately reset the password manually by entering a password, and the user can login by using the new password. This resolves the issue faster than the user waiting for an e-mail notification.

  • Generate a random password: When a password has to be reset by someone other than the target user, an administrator for example, random password generation is useful so that the person changing the password will not know the new password. A random password can be generated in the following instances:

    • A user has forgotten the password and it needs to be reset.

    • The password has expired.

    • A user has been locked.

    In such scenarios, when the password is reset, Oracle Identity Manager can automatically generate a new random password that conforms to the given password policy. Also, when the password is reset, the administrator gets an option to check a check box, which when checked will send out an e-mail notifying the user about the password change. This method enables you to generate temporary passwords randomly that cannot be easily guessed by anyone. After you generate the random password, at the next login, the user is prompted to reset the randomly generated password.

To reset the password for a user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of Advanced Search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Reset Password. Alternatively, you can click the Reset Password icon on the toolbar. If the user details page for the user is open, then you can click Reset Password on the toolbar. The Reset Password dialog box is displayed, as shown in Figure 11-6:

    Figure 11-6 The Reset Password Dialog Box

  3. To manually change the user's password:

    1. Select the Manually change the Password option.

    2. In the New Password field, enter the new password that conforms to the password policy that is displayed in the Password Policy section.

      The Password Policy section displays the password policy assigned to the user. This section does not display the password policy if no password policy is defined. For information about password policies, see Section 10.6, "Password Policies Form" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

    3. In the Confirm new password field, re-enter the password.

  4. To generate a random password, select the Auto generate the Password (Randomly generated) option.

  5. Verify that the Email the new password to the user option is selected so that the new password is sent to the user through e-mail.

  6. Click Reset Password. A confirmation message is displayed stating that the password is changed successfully.

Tip:

If the user forgets the password and tries to retrieve it, then the challenge questions are prompted to the user. The user must enter the same answers provided while creating a password. You can configure the challenge questions for the users by using Oracle Identity Manager Design Console.

To configure challenge questions for the user:

  1. Log in to Oracle Identity Manager Design Console.

  2. Navigate to Administration, Lookup Definition.

  3. Search for the Lookup for challenge questions, that is, lookup Code = Lookup.WebClient.Questions.

  4. In the Lookup Code Information tab, add questions by entering the appropriate values in the Code Key and Decode fields.

  5. Click Add.

  6. Add this key to the custom resource bundle.

For more information about the Lookup Definition form, see Section 10.3, "Lookup Definition Form" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

11.3.3.3.6 Deleting User

This operation is available only if the user status is not Deleted.

If the user is currently disabled, and the Automatically Delete On attribute is set to a future date, then the delete operation fails, and a message is displayed stating that the user cannot be deleted because it is currently scheduled to be deleted at a future date.

To delete a user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of advanced search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Delete User. Alternatively, you can click the Delete User icon on the toolbar. If the user details page for the user is open, then you can click Delete User on the toolbar. A message is displayed asking for confirmation.

  3. Click OK. A confirmation message is displayed stating that the user is successfully deleted.

  4. Click OK to close the message box.

    If you delete a user from the user detail page, then the successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.

Sometimes, you might not want a delete operation to immediately delete the user. Instead, you might want a delete operation to disable the user for a predefined period of time, during which the delete operation can be canceled. After that predefined period of time, the user is deleted. This is called a delayed delete.

To configure delayed delete in Oracle Identity Manager, you must define the Period to Delay User Delete configuration property, which specifies the predefined wait period in days for which the delete operation is held. If you do not want to configure delayed delete, then set the value of the Period to Delay User Delete configuration property to 0 or a negative number. If, after a user is deleted, you want to disable the user entity with a date counter that specifies the date and time when the user must be permanently deleted, then set the value of the Period to Delay User Delete configuration property to greater than 0.

Note:

To configure delayed delete:

  1. In the Welcome page for Oracle Identity Manager Administration, under System Management, click System Configuration.

  2. In the left pane, search for system properties.

  3. In the search result, select the Period to Delay User Delete property.

  4. Edit the property value to specify a delay period to delete the user.

  5. Save the property.

For more information about system properties, see "Administering System Properties" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.

As a result of delayed delete:

  • The disable status is similar to a regular disable operation that prevents the user from logging into Oracle Identity Manager and disables all provisioned resources.

  • When a user is in disabled status, enabling the user cancels the delete operation. The date on which the user will be deleted is displayed on the user profile.

  • If a user stays disabled and the predefined period expires, then the user is deleted at that time.

11.3.3.4 Bulk User Modifications

The bulk operations are performed from the search results for simple and advanced search. You can select multiple users and then select the available option from the Action menu. You can perform the following bulk operations:

  • Enabling users: If all the selected users are in Disabled state

  • Disabling users: If all the selected users are in Enabled state

  • Locking users: If all the selected users are in Unlocked state

  • Unlocking users: If all the selected users are in Locked state

  • Deleting users: If all the selected users are not in Deleted state

Note:

For all the bulk modify operations, you must have the required authorization and you must select multiple users.
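The delayed-delete rules from "Deleting User" and the bulk-operation preconditions listed above, modeled in one stand-alone script. This is an added example written for this page, not Oracle Identity Manager code, and it calls no OIM API: User, delete_user, enable_user, run_scheduled_deletes, bulk_operation_allowed and TODAY are constructed names.

```python
# Stand-alone model of the delayed-delete and bulk-operation rules on this
# page. Written as an illustration; not Oracle Identity Manager code, no OIM
# API is called, and all names and sample values below are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Identity statuses used on this page. The enable/disable procedures refer to
# the Active status as "Enabled"; the account lock state is tracked separately.
ACTIVE = "Active"
DISABLED = "Disabled"
DELETED = "Deleted"

# Constructed "current date" so the example behaves the same way offline.
TODAY = date(2024, 1, 15)


def days_after(d: date, days: int) -> date:
    return d + timedelta(days=days)


@dataclass
class User:
    login: str
    status: str = ACTIVE
    locked: bool = False
    # Mirrors the "Automatically Delete On" attribute: the date on which a
    # user deleted with a delay is permanently deleted (None when not pending).
    automatically_delete_on: Optional[date] = None


class OperationNotAvailable(Exception):
    """Raised when an operation is not offered for the user's current state."""


def delete_available(user: User, today: date) -> bool:
    """Delete User is offered only if the user is not Deleted and is not
    already scheduled for deletion at a future date."""
    if user.status == DELETED:
        return False
    pending = user.automatically_delete_on
    return not (user.status == DISABLED and pending is not None and pending > today)


def delete_user(user: User, period_to_delay_user_delete: int, today: date) -> User:
    """Apply Delete User under the Period to Delay User Delete property:
    0 or a negative number deletes immediately; a value greater than 0
    disables the user and records the date of permanent deletion."""
    if not delete_available(user, today):
        raise OperationNotAvailable(
            "user cannot be deleted: already Deleted or scheduled for a future date")
    if period_to_delay_user_delete <= 0:
        user.status = DELETED
        user.automatically_delete_on = None
    else:
        user.status = DISABLED
        user.automatically_delete_on = days_after(today, period_to_delay_user_delete)
    return user


def enable_user(user: User) -> User:
    """Enable User is offered only for a Disabled user. Enabling a user
    inside the delay window cancels the pending delete."""
    if user.status != DISABLED:
        raise OperationNotAvailable("Enable User is available only if the user is Disabled")
    user.status = ACTIVE
    user.automatically_delete_on = None
    return user


def run_scheduled_deletes(users: Iterable[User], today: date) -> List[str]:
    """Permanently delete users whose delay period has expired; returns the
    logins deleted in this run."""
    deleted = []
    for user in users:
        pending = user.automatically_delete_on
        if user.status == DISABLED and pending is not None and pending <= today:
            user.status = DELETED
            user.automatically_delete_on = None
            deleted.append(user.login)
    return deleted


# Bulk operations from search results: each is offered only when every
# selected user satisfies its precondition.
BULK_PRECONDITIONS = {
    "Enable": lambda u: u.status == DISABLED,
    "Disable": lambda u: u.status == ACTIVE,
    "Lock": lambda u: not u.locked,
    "Unlock": lambda u: u.locked,
    "Delete": lambda u: u.status != DELETED,
}


def bulk_operation_allowed(operation: str, selected: List[User]) -> bool:
    """True if the bulk operation can be applied to this multi-user selection."""
    if len(selected) < 2:  # bulk operations require selecting multiple users
        return False
    return all(BULK_PRECONDITIONS[operation](u) for u in selected)
```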

You can use the Bulk Modify page to make changes to multiple users at a time. You can open this page if you are authorized to modify users as determined by the authorization policy on the Modify User Profile privilege on any organization in Oracle Identity Manager.

You can open the Bulk Modify page in any one of the following ways:

  • Selecting Bulk Modify from the Action menu in a user search results page, after selecting multiple users

  • Selecting the Bulk Modify icon on the toolbar in a user search results page, after selecting multiple users

Table 11-6 describes the fields in various sections of the Bulk Modify page:

Table 11-6 Fields in the Bulk Modify Page

Basic User Information

  Design Console Access: Check box that indicates whether the selected users can log in to the Design Console.

  Manager: The reporting manager of the selected users.

  Organization: The organization to which the selected users belong.

  User Type: The type of the selected employees, such as full-time employee, intern, contractor, part-time employee, consultant, or temporary.

Account Effective Dates

  Start Date: The date when the selected users will be activated in the system.

  End Date: The date when the selected users will be deactivated in the system.

Provisioning Dates

  Provisioning Date: The date when the users are provisioned.

  Deprovisioning Date: The date when the users are deprovisioned.


Only those attributes configured as part of the modify operation in user management configuration are displayed as fields in the Bulk Modify page. The attributes displayed are restricted to those defined in the user entity definition with the Support Bulk Update property set to Yes. The attributes are further filtered based on authorization policies that specify the attributes for the selected users that you have privileges to modify.

The permissions are based on OES policy. For instance, if the OES policy allows you to modify only the first name for one user and only the last name for another user, then, depending on which users you select, the set of attributes that you may modify for all of them can be empty, so that no fields are allowed on the page. As a result, the Bulk Modify page displays an error message stating that the attributes of the selected users cannot be modified in bulk, and the user selection must be changed.

11.4 User Management Authorization

Run-time security is enforced in the user management service through authorization policies. Each role in Oracle Identity Manager can be associated with one or more such authorization policies. Users that are members of a role are authorized to perform various user tasks based on the privileges granted to the role by its associated authorization policies. Because a user may have many roles, the privileges of a user are the cumulative privileges of his collective roles.

The access controls are implemented in the form of authorization policies that are managed by the Oracle Entitlements Server (OES). These policies define the controls in terms of roles and targets. The target is a combination of privilege, entity, and entity attribute.

See Also:

Chapter 15, "Managing Authorization Policies" for detailed information about authorization policies in Oracle Identity Manager

If a user has multiple roles that have different authorization policies applicable in the same context, then the user's access rights are the cumulative rights across those policies. In other words, if a policy with read permission is granted to a role, and a policy with write permission is granted to another role, then a user with both the roles has read and write permission.

The authorization model is described in the following topics:

11.4.1 Privileges

All authorization privileges are controlled by authorization policies. Oracle Identity Manager explicitly defines privileges that control access rights for performing various operations in the application.

Table 11-7 lists the authorization privileges available in Oracle Identity Manager for the user management feature. These privileges can be assigned to roles as part of an authorization policy definition:

Note:

For every privilege that is enforced at the Entity Instance Level, the policy must include a qualifier that determines the users over which the logged in user holds that privilege.

Table 11-7 Authorization Privileges for User Management

Privilege Description

Search for Users

This privilege determines if you have the ability to search for users. There must be a qualifier that determines over which users the logged in user has this privilege. You can define this qualifier in terms of organizations, role memberships, or attribute-based rules. For information about defining this qualifier, see Chapter 15, "Managing Authorization Policies".

Note:

  • The "Search for Users" privilege depends on the "View User Details" privilege to determine which attributes can be included in the search results and which attributes can be used in the search criteria. Consequently, any user management policy that grants the "Search for Users" permission should also grant the "View User Details" permission, and that permission should include the User Login, Account Status, Identity Status, and Display Name attributes. If these attributes are not included, the user might not be fully viewable or editable.

  • To enable users to perform a search based on a user attribute, you must also configure that attribute as Searchable in the user configuration.

There is a default authorization policy for the search operation that decides what the user can search. For information about default authorization policies for user management, see "User Management".

View User Details

This privilege determines if you have the ability to display the User Details page for a user from the search results table.

This privilege supports the following fine-grained controls:

  • Entity Instance Level: The qualifier can be defined in terms of the organization membership and/or the management chain. See "Creating an Authorization Policy for User Management" for details on how to define these qualifiers, and "Data Constraints" for information about the data constraints used in authorization policies for user management.

  • Attribute Level: There must be qualifiers that determine your privilege to view attributes in the User Details page. This qualifier must list all the attributes from the user entity definition that you can view.

Note: The View User Details privilege cannot specify which sections of the User Details page can be viewed. It determines whether the complete User Details page, with all its sections, can be viewed, and if so, which attributes are displayed in the Attribute Profile of the user.

Modify User Profile

This privilege determines if you have the ability to modify the user profile attributes of a user on the User Details page.

This privilege supports the following fine-grained controls:

  • Entity Instance Level: The qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

  • Attribute Level: There must be qualifiers that determine your privilege to modify attributes in the User Details page. This qualifier must list all the attributes from the user entity definition that you can edit. You must also grant the View User Details privilege for all these attributes.

Provision Resource to User

This privilege determines if you have the ability to provision or deprovision resources to a user on the Resource Profile section of the User Details Page. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Modify User Proxy Profile

This privilege determines if you have the ability to modify the user's proxy details on the Proxy Details section of the User Details page. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Modify User Status

This privilege determines if you have the ability to enable or disable a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Modify OIM Account Status

This privilege determines if you have the ability to lock or unlock a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Delete User

This privilege determines if you have the ability to delete a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Change Password

This privilege determines if you have the ability to change a user's enterprise password. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Create User

This privilege determines if you have the ability to create users in Oracle Identity Manager. There must be a qualifier that determines the organizations in which the logged in user can create users. This qualifier must be defined in terms of organizations.

Evaluate Access Policies

This privilege determines if you have the ability to initiate access policy evaluation for a user when necessary.

Note: There is no UI operation to initiate on-demand access policy evaluation.

View User Requests

This privilege determines if you have the ability to view the requests raised for a user.

Change User Password

This privilege determines if you have the ability to change the password of a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.


Note:

The Modify Role Membership permission for role management determines if the user can perform add or remove role operations from the Roles tab of the modify user page. For more information about this permission, see "Managing Authorization for Roles".

11.4.2 Attributes

The read/write permissions for attributes define the actual set of readable or modifiable attributes in the context of the view or modify operation.

11.4.3 Data Constraints

The following data constraints are used in the authorization policies for user management:

  • List of organizations: This limits the scope of the privilege for the assignee to only the organizations listed. Organization membership can be controlled by the Hierarchy Aware option in the authorization policies UI.

    • When the Hierarchy Aware option is set to false, then the scope of the privilege is only to the users that are direct members of the organization. For example, if the organization is Development Center and it has USA Development Center and China Development Center as the suborganizations, then the privilege can be exercised against users that are directly under the Development Center organization.

    • When the Hierarchy Aware option is set to true, then the scope of the privilege is applicable to users who are direct members of the listed organization and the users who are members of any of the sub-organizations of these organizations. For example, if the organization is Development Center and it has USA Development Center and China Development Center as the suborganizations, then the privilege can be exercised against users in all of these organizations.

  • Assignee must be in the same organization: This flag limits the scope of the privilege for the assignee to only the assignee's organization. For example, the organization list in the policy is USA, China, and Canada. If this flag is set and the assignee's organization is USA, then the privilege can be exercised only in the USA organization.

  • Management chain of user: This flag limits the scope of the privilege for the assignee to only the assignee's direct and indirect reports. For example:

    DR1, DR2, and DR3 are direct reports of M1.

    DR1_1, DR1_2, DR1_3, and DR1_4 are direct reports of DR1.

    DR2_1, DR2_2, and DR2_3 are direct reports of DR2.

    DR2_2_1 and DR2_2_2 are direct reports of DR2_2.

    Here, M1 can exercise the privilege on all of DR1, DR2, and DR3 and their direct and indirect reports if the Management Chain of User option is selected.

11.4.4 Authorization with Multiple Policies

When an authorization check is performed for the Search for Users permission, the Oracle Identity Manager authorization layer builds the final decision from the result returned by OES. Several authorization policies can apply, each with its own set of viewable attributes; collecting the results of all of them determines the complete set of attributes that are viewable for a searched user.

The authorization check for the Search for Users permission returns a list of obligations, one set from each applicable authorization policy. The obligations from the different policies are combined to produce a single search result.

This section describes how obligations are handled for the user management operations. It contains the following topics:

11.4.4.1 Search Operation Authorization with Multiple Authorization Policies

There can be the following types of obligations for the search operation:

  • List of organizations: The list of organizations can be for direct or indirect organization membership, which is controlled by the Hierarchy Aware data constraint. A special value here can be list of all organizations in Oracle Identity Manager. The logged in user can search only within this set of organizations.

  • Is in the same organization: This obligation means that the logged in user can search for users only in the user's own organization.

  • Is in management hierarchy: This obligation means that the logged in user can search for any users in the user's management hierarchy.

  • Viewable Attributes: This obligation contains the list of authorized viewable attributes. The search operation can be performed only against these attributes.

If there are multiple authorization policies that grant the search privilege to a user, then the search behavior is as follows:

  1. The set of users who can be searched by the logged in user will be the union of set of users on which search privilege is provided by each of these policies.

  2. The set of attributes returned as part of the search results is the union of sets of attributes on which View User Details privilege is granted by each of the these policies.

This is described with the help of the following example:

Policy1 returns the First Name, Last Name, and Middle Name attributes, and Policy2 returns the User Login, User Type, and OIM User Type attributes. When obligations from both the policies are enforced, the returned attribute list is First Name, Last Name, Middle Name, User Login, User Type, and OIM User Type for all users. The policy due to which the user is selected as part of the results is not checked. Therefore, do not configure attributes from the configuration service that might display confidential data in the search results.

In an another example, suppose there are three authorization policies defined for the search operation. The following table lists the details of the sample authorization policies:

All three policies are defined for the User management entity. Their permissions, data constraints, and assignment are as follows:

Policy1

  • Permissions: Search; Modify User Profile (attributes: First Name, Last Name, Middle Name); View User Details (attributes: Display Name, First Name, Last Name, Middle Name)

  • Data Constraints: Users that are members of the Org1 and Org2 organizations; Hierarchy Aware (include all Child Organizations) = TRUE; Management Chain of User = FALSE; Assignee must be a member of the User's Organization = TRUE

  • Assignment: Role1

Policy2

  • Permissions: Search; Modify User Profile (attribute: User Type); View User Details (attributes: User Login, User Type, OIM User Type)

  • Data Constraints: Users that are members of the Org3 organization; Hierarchy Aware (include all Child Organizations) = FALSE; Management Chain of User = FALSE; Assignee must be a member of the User's Organization = FALSE

  • Assignment: Role2

Policy3

  • Permissions: Search; Modify User Profile (attribute: Designation); View User Details (attributes: User Login, User Type, OIM User Type, Designation)

  • Data Constraints: All Users; Management Chain of User = TRUE; Assignee must be a member of the User's Organization = FALSE

  • Assignment: Role2


In this example:

  • Org1 has Org1Child1 and Org1Child2 as child organizations.

  • Org1Child1 has Org1Child1_Child1 as the child organization.

  • Org3 has Org3Child1 and Org3Child2 as child organizations.

Consider the following scenarios:

Scenario I:

User1 has Role1 only and belongs to the Org1Child1 organization. The user can:

  • Search for users who are members of the Org1Child1 organization. The search can be performed on the First Name, Last Name, Middle Name, and Display Name attributes, and the search results can contain any subset of these attributes.

  • Modify the First Name, Last Name, and Middle Name user attributes from the Org1Child1 organization.

Scenario II:

User2 has Role1 and Role2 and belongs to the Org2 organization. User2 has direct reports DR1 and DR2 belonging to the Org2 organization. The user can:

  • View the User Login, User Type, and OIM User Type user attributes from the Org3 organization because of Policy2.

  • Modify the User Type attribute from the Org3 organization because of Policy2.

  • View the First Name, Last Name, and Middle Name user attributes from the Org2 organization, because of Policy1.

  • Modify the First Name, Last Name, and Middle Name user attributes from the Org2 organization, because of Policy1.

  • View the User Login, User Type, OIM User Type, and Designation user attributes of all the user's direct reports because of Policy3.

  • Modify the Designation attribute of all the user's direct reports because of Policy3.

If the user being modified is DR1, then the modifiable attributes are First Name, Last Name, and Middle Name because of Policy1, and Designation because of Policy3.

User2 cannot view, modify, or search users in the child organizations of Org3 (Org3Child1 and Org3Child2), because Policy2 is not hierarchy aware.

For the search operation, the union of the viewable attributes from all three authorization policies is displayed to User2: User Login, User Type, OIM User Type, First Name, Last Name, Middle Name, Display Name, and Designation, irrespective of which policy admitted a given user into the results. In particular, the Designation attribute is displayed not only for DR1 and DR2, the direct reports of User2, but for every user in the results.

11.4.4.2 Modify Operation Authorization with Multiple Authorization Policies

If the logged in user is allowed to modify a user profile as defined by multiple policies, then a union of the set of attributes from individual policies is used for performing the operation. Refer to Scenario II of the "Search Operation Authorization with Multiple Authorization Policies" for the example related to the modify operation in case of multiple applicable authorization policies.
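The following Python model, added here as an example and not part of Oracle Identity Manager or this guide, replays the behaviour described in "Data Constraints" and in this section: the data constraints of one policy are ANDed, the user sets and attribute sets of several applicable policies are unioned, and the viewable attribute list is applied to every search row regardless of which policy admitted it. It also models the Bulk Modify restriction described earlier in this chapter as the intersection of the attributes modifiable on each selected user (that intersection is an assumption of the model, not a documented algorithm). The organization tree and the policies are the ones from the table above; the users (User1, User2, DR1, DR2 plus constructed bystanders such as DR1_1, peer, o1, o3) and the attribute names are constructed for the example.

```python
"""Model of how OIM combines user management authorization policies: union of
user scope and of attributes for search and modify, intersection for Bulk Modify.
Example code written for this page, not OIM's implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    login: str
    org: str
    manager: Optional[str] = None  # login of the direct manager, if any


@dataclass(frozen=True)
class Policy:
    name: str
    roles: frozenset                        # roles the policy is assigned to
    organizations: frozenset = frozenset()  # "List of organizations" constraint
    all_users: bool = False                 # "All Users" instead of an organization list
    hierarchy_aware: bool = False           # include child organizations
    same_org_only: bool = False             # "Assignee must be a member of the User's Organization"
    management_chain: bool = False          # "Management Chain of User"
    view_attrs: frozenset = frozenset()     # View User Details attributes
    modify_attrs: frozenset = frozenset()   # Modify User Profile attributes


# Organization tree from the example: child -> parent (None at the top).
ORG_PARENT = {"Org1": None, "Org1Child1": "Org1", "Org1Child2": "Org1",
              "Org1Child1_Child1": "Org1Child1", "Org2": None,
              "Org3": None, "Org3Child1": "Org3", "Org3Child2": "Org3"}


def org_and_ancestors(org):
    chain = []
    while org is not None:
        chain.append(org)
        org = ORG_PARENT[org]
    return chain


def in_management_chain(target, assignee, users):
    """True if assignee is a direct or indirect manager of target."""
    seen, manager = set(), target.manager
    while manager is not None and manager not in seen:
        if manager == assignee.login:
            return True
        seen.add(manager)
        manager = users[manager].manager
    return False


def in_scope(policy, assignee, target, users):
    """Every data constraint of the policy must hold for the target user."""
    if not policy.all_users:
        reachable = org_and_ancestors(target.org) if policy.hierarchy_aware else [target.org]
        if not any(o in policy.organizations for o in reachable):
            return False
    if policy.same_org_only and target.org != assignee.org:
        return False
    if policy.management_chain and not in_management_chain(target, assignee, users):
        return False
    return True


def applicable(policies, roles):
    return [p for p in policies if p.roles & roles]


def searchable_users(policies, assignee, roles, users):
    """Union of the user sets on which any applicable policy grants search."""
    pols = applicable(policies, roles)
    return {u.login for u in users.values() if any(in_scope(p, assignee, u, users) for p in pols)}


def search_result_attributes(policies, roles):
    """Union of viewable attributes across applicable policies; OIM applies this
    list to every row without checking which policy admitted that row."""
    return frozenset().union(*(p.view_attrs for p in applicable(policies, roles)))


def modifiable_attributes(policies, assignee, roles, target, users):
    """Union of modifiable attributes from each policy whose scope covers target."""
    return frozenset().union(*(p.modify_attrs for p in applicable(policies, roles)
                               if in_scope(p, assignee, target, users)))


def bulk_modifiable_attributes(policies, assignee, roles, targets, users):
    """Attributes modifiable on every selected user (modelled as an intersection);
    an empty result is the condition under which Bulk Modify shows its error."""
    sets = [modifiable_attributes(policies, assignee, roles, t, users) for t in targets]
    return frozenset.intersection(*sets) if sets else frozenset()


# The three sample policies from the table above (constructed data).
NAME_ATTRS = frozenset({"First Name", "Last Name", "Middle Name"})
POLICIES = [
    Policy("Policy1", frozenset({"Role1"}), organizations=frozenset({"Org1", "Org2"}),
           hierarchy_aware=True, same_org_only=True,
           view_attrs=NAME_ATTRS | {"Display Name"}, modify_attrs=NAME_ATTRS),
    Policy("Policy2", frozenset({"Role2"}), organizations=frozenset({"Org3"}),
           view_attrs=frozenset({"User Login", "User Type", "OIM User Type"}),
           modify_attrs=frozenset({"User Type"})),
    Policy("Policy3", frozenset({"Role2"}), all_users=True, management_chain=True,
           view_attrs=frozenset({"User Login", "User Type", "OIM User Type", "Designation"}),
           modify_attrs=frozenset({"Designation"})),
]

# Constructed users: the scenario users plus bystanders in other organizations.
USERS = {u.login: u for u in [
    User("User1", "Org1Child1"), User("User2", "Org2"),
    User("DR1", "Org2", manager="User2"), User("DR2", "Org2", manager="User2"),
    User("DR1_1", "Org1Child2", manager="DR1"),  # indirect report of User2
    User("peer", "Org2"), User("o1", "Org1"), User("o1c1", "Org1Child1"),
    User("o1c1c1", "Org1Child1_Child1"), User("o3", "Org3"), User("o3c1", "Org3Child1"),
]}
```

Running the model reproduces both scenarios: User1 (Role1 only) can search just Org1Child1, User2 (Role1 and Role2) can reach Org2, Org3 (but not its children) and the management chain, and Designation appears in User2's search results for every row even though only Policy3 grants it. Selecting DR1 and o3 together yields an empty bulk set, which is the situation in which the Bulk Modify page refuses the selection.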

11.5 Username Reservation

A request for creating a user can be raised from Oracle Identity Manager Self Service or Oracle Identity Manager Administration. When the request is submitted, the following scenarios are possible:

  • While the request is pending, another create user request is submitted with the same username. If the second request is approved and the user is created, then the first request, when approved, fails because the username already exists in Oracle Identity Manager.

  • While the request is pending, another user with the same username is directly created in the LDAP identity store. When the create user request is approved, it fails while provisioning the user entity to LDAP because an entry already exists in LDAP with the same username.

To avoid these problems, you can reserve the username in both Oracle Identity Manager and LDAP while the create user request is pending approval. If another request to create a user with the same username is submitted while the reservation is in place, an error message is displayed and the second create user request is not created.

See Also:

"Creating a Request To Create a User" for information about creating requests to create a user

For reserving the username:

  • The USER ATTRIBUTE RESERVATION ENABLED system property must be set to TRUE for the functionality to be enabled. For information about searching and modifying system properties, see "Administering System Properties" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.

  • Reservation in LDAP is done only if the reservation functionality is enabled and LDAP is in sync with the Oracle Identity Manager database. For information about synchronization between Oracle Identity Manager and the LDAP identity store, see "Integration Between LDAP Identity Store and Oracle Identity Manager".

    Note:

    • If LDAP provider is not configured, then the reservation is done only in Oracle Identity Manager.

    • When LDAP synchronization and user attribute reservation are both enabled, it is recommended to enable UID uniqueness in the directory server. Without it, user reservation in the directory does not work properly: while the user is reserved in the reservation container, a user with the same user ID can still be created in the user container. This results in a user creation failure when Oracle Identity Manager tries to move the user from the reservation container to the user container.

If user attribute reservation is enabled, the reservation happens in two phases:

In the first phase, when the request is submitted, a reservation entry is created in the Oracle Identity Manager database and, if LDAP synchronization is enabled, a user entry is created in the LDAP reservation container. The database entry is removed after the user is successfully created, the request is rejected by an approver, or the request fails.

In the second phase, after the user is successfully created, the LDAP entry is moved from the reservation container to the user container. In the other cases, rejection by the approver or request failure, the entry is removed from the reservation container.

In other words, after the request-level and operation-level approvals are obtained for the create user request, the username is no longer held in the reservation container in LDAP: the entry is moved to the container in which the existing users are stored, and the user is created in Oracle Identity Manager.

This section consists of the following topics:

11.5.1 Enabling and Disabling Username Reservation

The username reservation functionality is enabled by default in Oracle Identity Manager. This is done by keeping the value of the USER ATTRIBUTE RESERVATION ENABLED system property to TRUE. You can verify the value of this system property in the System Configuration section of Oracle Identity Manager Administration.

To disable username reservation:

  1. Log in to the Administration console.

  2. Click System Management.

  3. Click System Configuration.

  4. On the left pane, click the search icon to search for all existing system properties. A list of system properties are displayed in the search results table.

  5. Click User Attribute Reservation Enabled. The System Property Detail page for the selected system property is displayed, as shown in Figure 11-7:

    Figure 11-7 The System Property Detail Page

    Description of Figure 11-7 follows
    Description of "Figure 11-7 The System Property Detail Page"

  6. In the Value field, enter False.

  7. Click Save. The username reservation functionality is disabled.

11.5.2 Configuring the Username Policy

Username Policy is a plug-in implementation for username operations such as username generation and username validation. The policies follow the Oracle Identity Manager plug-in framework. You can add your own policies by adding new plug-ins, and change the default policy from the System Configuration section of Oracle Identity Manager Administration.

See Also:

"Developing Plug-ins" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about the plug-in framework

For a create user request, the plug-ins are invoked only if the User Login is not provided in the request. In that case, the plug-in to invoke is read from the "Default policy for username generation" system property.

Table 11-8 lists the predefined username policies provided by Oracle Identity Manager. In this table, the dollar ($) sign in the username generation indicates random alphabet:

Table 11-8 Predefined Username Policies

Policy Name Expected Information Username Generated

oracle.iam.identity.usermgmt.impl.plugins.EmailUserNamePolicy

E-mail

If e-mail is provided, then e-mail is generated as username.

oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstInitialLocalePolicy

First name, last name, and locale

last name + first initial_locale, last name + middle initial + first initial_locale, last name + $ + first initial_locale (all possibilities of single random alphabets), last name + $$ + first initial_locale

oracle.iam.identity.usermgmt.impl.plugins.FirstInitialLastNameLocalePolicy

Firstname, Lastname, Locale

first initial + lastname_locale, first initial + middle initial + lastname_locale, first initial + $ + lastname_locale (all possibilities of single random alphabets), first initial + $$ + lastname_locale

oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstInitialPolicy

Firstname, Lastname

lastname+firstInitial, lastname+middleinitial+firstInitial, lastname+$+firstInitial ( all possibilities of single random alphabets) , lastname+$$+firstInitial

oracle.iam.identity.usermgmt.impl.plugins.FirstInitialLastNamePolicy

Firstname, Lastname

firstInitial+lastname, firstInitial+middleInitial+lastname, firstInitial+$+lastname (all possibilities of single random alphabets), firstInitial+$$+lastname

oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicy

Firstname, Lastname

lastname.firstname, lastname.middleinitial.firstname, lastname.$.firstname ( all possibilities of single random alphabets) , lastname.$$.firstname

oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicy

Firstname, Lastname

firstname.lastname, firstname.middleinitial.lastname, firstname.$.lastname (all possibilities of single random alphabets) , firstname.$$.lastname

oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy

E-mail

If e-mail is provided, then username is generated based on the e-mail. If e-mail is not available, then it generates username based on firstname and lastname by appending a user domain to it. The user domain is configured as the Default user name domain system property, and the default value is @oracle.com

oracle.iam.identity.usermgmt.impl.plugins.LastNamePolicy

Lastname

lastname, middle initial + lastname , $ + lastname, $$ + lastname

oracle.iam.identity.usermgmt.impl.plugins.LastNameLocalePolicy

Lastname, Locale

lastname_locale, middle initial + lastname_locale , $ + lastname_locale, $$ + lastname_locale


Values must be provided for all the parameters of the username generation format. If any of the parameters are not provided, then Oracle Identity Manager generates an error. For example, If the firstname.lastname policy is configured and the firstname is not provided, then the error would be "An error occurred while generating the Username. Please provide firstname as expected by the firstname.lastname policy".

The UserManager exposes APIs for username operations. The APIs take the user data as input and return a generated username. The APIs make a call to plug-ins that return the username. This allows you to replace the default policies with custom plug-ins with your implementation for username operations.

Note:

You can plug in your own username policies by implementing the plug-in interface (the interface name matches the pluginpoint used when registering the plug-in), as shown:

package oracle.iam.identity.usermgmt.api;

import java.util.HashMap;
import java.util.Locale;

import oracle.iam.identity.exception.UserNameGenerationException;

public interface UserNamePolicy {

    // Generate a username from the request data; throws if the data the
    // policy expects is missing
    public String getUserNameFromPolicy(HashMap<String, String> reqData)
            throws UserNameGenerationException;

    // Check whether the given username conforms to this policy for the request data
    public boolean isUserNameValid(String userName, HashMap<String, String> reqData);

    // Localized, human-readable description of the policy
    public String getDescription(Locale locale);
}

This plug-in point is exposed as a kernel plug-in that takes the request data as input and returns a username. Each plug-in expects certain information and generates the username from it. A policy implementation generates a candidate username, checks whether it is available, and if it is not, generates the next candidate in the order listed in Table 11-8, repeating until an available username is found. The dollar ($) sign in the username formats indicates a random alphabetic character. If any of the expected information is missing, the policy raises an error.
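The following Python model, added here as an example and not code from Oracle Identity Manager or this guide, shows the generation procedure just described for two of the predefined formats from Table 11-8 (firstname.lastname and lastname+firstInitial): candidates are produced in the documented order, the "$" positions are filled with random letters, each candidate is checked against a set of taken names that stands in for the OIM database and reserved-name check, and a missing attribute raises the documented error. The request-data keys (firstname, middlename, lastname) and the exhaustion error are assumptions of the model; OIM itself keys the map with constants from oracle.iam.identity.utils.Constants.

```python
"""Model of OIM username generation: ordered candidates, '$' random letters,
availability check, error on missing data. Example code written for this page,
not OIM's UserNamePolicy implementation."""
import random
import string
from itertools import product

# Constructed request-data keys (OIM uses constants from oracle.iam.identity.utils.Constants)
FIRST, MIDDLE, LAST = "firstname", "middlename", "lastname"
LETTERS = string.ascii_lowercase
LETTER_PAIRS = ["".join(p) for p in product(LETTERS, repeat=2)]


class UserNameGenerationException(Exception):
    pass


def _require(req_data, policy_name, *keys):
    """Raise the documented error if any attribute the policy expects is absent."""
    missing = [k for k in keys if not req_data.get(k)]
    if missing:
        raise UserNameGenerationException(
            "An error occurred while generating the Username. Please provide "
            f"{', '.join(missing)} as expected by the {policy_name} policy")


def _initial(value):
    return value[0].lower() if value else ""


def _shuffled(items, rng):
    items = list(items)
    rng.shuffle(items)  # "$" means a random letter, so the order of attempts is random
    return items


def firstname_lastname(req_data, rng):
    """firstname.lastname, firstname.middleinitial.lastname, firstname.$.lastname, firstname.$$.lastname"""
    _require(req_data, "firstname.lastname", FIRST, LAST)
    first, last = req_data[FIRST].lower(), req_data[LAST].lower()
    yield f"{first}.{last}"
    if req_data.get(MIDDLE):
        yield f"{first}.{_initial(req_data[MIDDLE])}.{last}"
    for c in _shuffled(LETTERS, rng):
        yield f"{first}.{c}.{last}"
    for cc in _shuffled(LETTER_PAIRS, rng):
        yield f"{first}.{cc}.{last}"


def lastname_firstinitial(req_data, rng):
    """lastname+firstInitial, lastname+middleinitial+firstInitial, lastname+$+firstInitial, lastname+$$+firstInitial"""
    _require(req_data, "lastname+firstInitial", FIRST, LAST)
    last, fi = req_data[LAST].lower(), _initial(req_data[FIRST])
    yield f"{last}{fi}"
    if req_data.get(MIDDLE):
        yield f"{last}{_initial(req_data[MIDDLE])}{fi}"
    for c in _shuffled(LETTERS, rng):
        yield f"{last}{c}{fi}"
    for cc in _shuffled(LETTER_PAIRS, rng):
        yield f"{last}{cc}{fi}"


POLICIES = {
    "FirstNameLastNamePolicy": firstname_lastname,
    "LastNameFirstInitialPolicy": lastname_firstinitial,
}


def generate_user_name(policy_id, req_data, taken, rng=None):
    """Return the first candidate that is not taken. `taken` stands in for the
    availability check OIM performs against its database and reserved names."""
    rng = rng or random.Random()
    for candidate in POLICIES[policy_id](req_data, rng):
        if candidate not in taken:
            return candidate
    raise UserNameGenerationException(f"{policy_id} exhausted all candidates")


def is_user_name_valid(policy_id, user_name, req_data):
    """Valid if the policy could have generated the name from the same request data
    (the candidate set is small enough to enumerate)."""
    try:
        return user_name in set(POLICIES[policy_id](req_data, random.Random(0)))
    except UserNameGenerationException:
        return False


def generation_error(policy_id, req_data):
    """The error message generation would raise for this data, or None."""
    try:
        generate_user_name(policy_id, req_data, set())
        return None
    except UserNameGenerationException as exc:
        return str(exc)
```

With firstname John, middlename Quincy and lastname Doe, the firstname.lastname format yields john.doe first, john.q.doe if that is taken, then john.&lt;letter&gt;.doe with the letter chosen at random, and finally two-letter fillers; omitting the first name produces the "Please provide firstname as expected by the firstname.lastname policy" error.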

The username generation is exposed as public APIs in UserManager. Oracle Identity Manager provides a utility class for accessing the username generation functionality:

oracle.iam.identity.usermgmt.api.UserManager

This class exposes the following main methods:

// Generate a username based on the default policy
public String generateUserName(HashMap<String, String> requestData)
        throws UserNameGenerationException

// Generate a username based on the given policy
public String generateUserName(String policyID, HashMap<String, String> requestData)
        throws UserNameGenerationException

// Check whether a username is valid against the default policy
public boolean isUserNameValid(String userName, HashMap<String, String> reqData)

// Check whether a username is valid against the given policy
public boolean isUserNameValid(String userName, String userNamePolicyPluginID,
        HashMap<String, String> requestData)

// Return all policies (including customer-written ones)
public List<Map<String, String>> getAllUserNamePolicies(Locale locale)

// Return the policy description in the given locale
public String getPolicyDescription(String policyID, Locale locale)

Table 11-9 lists the constants defined in the UserManager class to represent the policy ID of the default username policies:

Table 11-9 Constants Representing Policy IDs

Policy Name: Constant

EmailUserNamePolicy: EMAIL_ID_POLICY

FirstNameLastNamePolicy: FIRSTNAME_LASTNAME_POLICY

LastNameFirstNamePolicy: LASTNAME_FIRSTNAME_POLICY

FirstInitialLastNamePolicy: FIRSTINITIAL_LASTNAME_POLICY

LastNameFirstInitialPolicy: LASTNAME_FIRSTINITIAL_POLICY

FirstInitialLastNameLocalePolicy: FIRSTINITIAL_LASTNAME_LOCALE_POLICY

LastNameFirstInitialLocalePolicy: LASTNAME_FIRSTINITIAL_LOCALE_POLICY

DefaultComboPolicy: DEFAULT_COMBO_POLICY

LastNamePolicy: LASTNAME_POLICY

LastNameLocalePolicy: LASTNAME_LOCALE_POLICY


When called to generate a username, the policy classes expect the attribute values to be set in a map keyed by the constants defined in the oracle.iam.identity.utils.Constants class. Each parameter must therefore be passed under its defined constant; for example, the FirstName parameter has its own constant.

The default username policy can be configured by using Oracle Identity Manager Administration. To do so:

  1. Navigate to the System Configuration section.

  2. Search for all the system properties.

  3. Click Default policy for username generation. The System Property Detail page for the selected property is displayed, as shown in Figure 11-8:

    Figure 11-8 The Default Username Policy Configuration

    Description of Figure 11-8 follows
    Description of "Figure 11-8 The Default Username Policy Configuration"

    The XL.DefaultUserNameImpl system property is provided for picking up the default policy implementation. By default, it points to the default username policy, which is oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy displayed in the Value field.

  4. In the Value field, enter oracle.iam.identity.usermgmt.impl.plugins.POLICY. Here, POLICY is one of the policy implementations.

    Note:

    All the plug-ins must be registered with Oracle Identity Manager by using the /identity/metadata/plugin.xml file. A sample plugin.xml fragment is as shown:

    <plugins pluginpoint="oracle.iam.identity.usermgmt.api.UserNamePolicy">
        <plugin pluginclass="oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicy"
                version="1.0" name="LastNameFirstNamePolicy"/>
    </plugins>
    
  5. Click Save.

11.5.3 Releasing the Username

The reserved username is released in the following scenarios:

  • The request is approved and the user is successfully created in Oracle Identity Manager and provisioned to LDAP. The username is removed from the reservation table after the user is created, the reserved entry in LDAP is removed, and the actual user entry is created.

  • The request is rejected. The reserved entries for the username in both LDAP and Oracle Identity Manager are removed.

  • The request fails before or while creating the user in Oracle Identity Manager or LDAP. The reserved username is deleted.
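The following Python model, added as an example and not code from Oracle Identity Manager or this guide, replays the two-phase reservation described at the start of "Username Reservation" and the release cases listed above. An in-memory identity manager holds a user table and a reservation table; an in-memory directory holds a user container and a reservation container, with a switch standing in for the directory-side UID uniqueness the earlier note recommends. The request identifiers, usernames, and the ReservationError type are constructed for the example; the order of operations inside a phase is an assumption of the model.

```python
"""Two-phase username reservation: reserve on submit, move or release on
approval, rejection or failure. Example code written for this page, not OIM's
implementation."""
from dataclasses import dataclass, field


class ReservationError(Exception):
    pass


@dataclass
class Directory:
    """LDAP stand-in: a user container and a reservation container.
    enforce_uid_uniqueness models directory-side uniqueness across both."""
    users: set = field(default_factory=set)
    reserved: set = field(default_factory=set)
    enforce_uid_uniqueness: bool = True

    def add(self, container, uid):
        target = self.users if container == "users" else self.reserved
        if uid in target or (self.enforce_uid_uniqueness and uid in self.users | self.reserved):
            raise ReservationError(f"uid {uid} already exists in the directory")
        target.add(uid)

    def move_reserved_to_users(self, uid):
        if uid in self.users:  # created directly in the user container while pending
            raise ReservationError(f"cannot move {uid}: entry exists in the user container")
        self.reserved.discard(uid)
        self.users.add(uid)


@dataclass
class IdentityManager:
    reservation_enabled: bool = True  # USER ATTRIBUTE RESERVATION ENABLED
    ldap_sync: bool = True            # LDAP synchronization configured
    directory: Directory = field(default_factory=Directory)
    users: set = field(default_factory=set)      # OIM user table
    reserved: set = field(default_factory=set)   # OIM reservation table
    pending: dict = field(default_factory=dict)  # request id -> username

    def submit_create_request(self, request_id, username):
        """Phase 1: reserve in the OIM database and the LDAP reservation container."""
        if username in self.users or username in self.reserved:
            raise ReservationError(f"user login {username} already exists or is reserved")
        if self.reservation_enabled:
            if self.ldap_sync:
                self.directory.add("reserved", username)  # fails if the uid is already there
            self.reserved.add(username)
        self.pending[request_id] = username

    def approve(self, request_id):
        """Phase 2: create the user and move the LDAP entry to the user container."""
        username = self.pending.pop(request_id)
        try:
            if username in self.users:
                raise ReservationError(f"user login {username} already exists in OIM")
            if self.ldap_sync:
                self.directory.move_reserved_to_users(username)
            self.users.add(username)
        except ReservationError:
            self._release(username)  # failed request: drop the reservation
            raise
        self._release(username)      # created successfully: reservation no longer needed
        return username

    def reject(self, request_id):
        self._release(self.pending.pop(request_id))

    def _release(self, username):
        self.reserved.discard(username)
        self.directory.reserved.discard(username)


def fails(action, *args):
    try:
        action(*args)
        return False
    except ReservationError:
        return True


def scenarios():
    """Replays the cases from the page; every outcome should be True."""
    out = {}
    oim = IdentityManager()
    oim.submit_create_request("req1", "jdoe")
    out["duplicate_pending_request_rejected"] = fails(oim.submit_create_request, "req2", "jdoe")
    oim.approve("req1")
    out["user_created_in_both_stores"] = "jdoe" in oim.users and "jdoe" in oim.directory.users
    out["released_after_approval"] = "jdoe" not in oim.reserved | oim.directory.reserved
    off = IdentityManager(reservation_enabled=False)  # both requests accepted, second fails late
    off.submit_create_request("r1", "asmith")
    off.submit_create_request("r2", "asmith")
    off.approve("r1")
    out["late_failure_without_reservation"] = fails(off.approve, "r2")
    strict = IdentityManager()
    strict.submit_create_request("r3", "bwong")
    out["directory_blocks_direct_create"] = fails(strict.directory.add, "users", "bwong")
    lax = IdentityManager(directory=Directory(enforce_uid_uniqueness=False))
    lax.submit_create_request("r4", "bwong")
    lax.directory.add("users", "bwong")  # direct LDAP create slips past the reservation container
    out["move_fails_without_uniqueness"] = fails(lax.approve, "r4")
    out["released_after_failure"] = "bwong" not in lax.reserved | lax.directory.reserved
    rej = IdentityManager()
    rej.submit_create_request("r5", "cdiaz")
    rej.reject("r5")
    out["released_after_rejection"] = "cdiaz" not in rej.reserved | rej.directory.reserved
    return out
```

The scenarios cover the two failure modes the section opens with (a second request for a pending username, and a direct LDAP creation while the request is pending) and the three release cases above. With reservation disabled, the clash is only detected when the second request is approved; without directory-side UID uniqueness, the direct creation succeeds and the later move from the reservation container fails, which is the behaviour the earlier note warns about.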