Chapter 3 User and Account Management

This chapter provides information and procedures for creating and managing users from the Waveset Administrator interface.

This information is organized into the following sections:

• The Accounts Area of the Interface

• Creating Users and Working with User Accounts

• Bulk Account Actions

• Managing Account Security and Privileges

• User Self-Discovery

• Anonymous Enrollment

The Accounts Area of the Interface

A user is anyone who holds an Waveset system account. Waveset stores a range of data for each user. Collectively, this information forms a user’s Waveset identity.

The Waveset Accounts / User List page lets you manage Waveset users. To access this area, click Accounts on the Administrator interface menu bar.

The accounts list shows all Waveset user accounts. Accounts are grouped into organizations and virtual organizations, which are represented hierarchically in folders.

You can sort the accounts list by full name (Name), user last name (Last Name), or user first name (First Name). Click the header bar to sort by a column. Clicking the same header bar toggles between ascending and descending sort order. When you sort by full name (the Name column), then all items in the hierarchy, at all levels, are sorted alphabetically.

To expand the hierarchical view and see accounts in an organization, click the triangular indicator next to a folder. Collapse the view by clicking the indicator again.

Actions Lists in the Accounts Area

Use the actions lists (located at the top and bottom of the accounts area, as shown in Actions Lists in the Accounts Area), to perform a range of actions.

Actions list selections are divided among:

• New Actions. Create users, organizations, and directory junctions.

• User Actions. Edit, view, and change status of users; change and reset passwords; delete, enable, disable, unlock, move, update, and rename users; and run a user audit report.

• Organization Actions. Perform a range of organization and user actions.

  

Searching in the Accounts List Area

Use the accounts area search feature to locate users and organizations. Select Organizations or Users from the list, enter one or more characters that the user or organization name starts with in the search area, and then click Search. For more information about searching in the accounts area, see Finding and Viewing User Accounts.

User Account Status

Icons that display next to each user account indicate current, assigned account status. Table 3–1 describes what each icon represents.

In the Manager column, a manager’s user name appears inside parentheses if Waveset cannot find an Waveset account that matches the name listed.

The User Pages (Create/Edit/View)

This section describes the Create User, Edit User, and View User pages that are available in the Administrator interface. Instructions on how to use these pages appear later in this chapter.

This documentation describes the default set of Create User, Edit User, and View User pages that ship with Waveset. To better reflect your business processes or specific administrator capabilities, however, you should create custom user forms specifically for your environment. For more information about customizing the user form, see Chapter 2, Waveset Forms, in Oracle Waveset 8.1.1 Deployment Reference.

• Identity Tab

• Resources Tab

• Roles Tab

• Security Tab

• Delegations Tab

• Attributes Tab

• Compliance Tab

The default Waveset user pages are organized into the following tabs or sections:

• Identity

• Assignments

• Security

• Delegations

• Attributes

• Compliance

Identity Tab

The Identity area defines a user’s account ID, name, contact information, manager, governing organization, and Waveset account password. It also identifies the resources to which the user has access, and the password policy governing each resource account.

For information about setting up account password policies, read the section in this chapter titled Managing Account Security and Privileges.

The following figure illustrates the Identity area of the Create User page.

Figure 3–1 Create User - Identity

Resources Tab

The Resources area provides for the direct assignment of resources and resource groups to a user. Resource exclusions can also be assigned.

Directly assigned resources supplement resources that are indirectly assigned to the user through role assignment. Role assignment profiles a class of users. Roles define user access to resources through indirect assignment.

Roles Tab

The Roles tab is used to assign one or more roles to a user, and manage those role assignments.

See To Assign Roles to a User for information about this tab.

Security Tab

In Waveset terminology, a user who is assigned extended capabilities is an Waveset administrator. Use the Security tab to assign a user administrator privileges.

For more information on using the Security tab to create administrators, see Creating and Managing Administrators.

The Security form consists of the following sections.

• Admin roles. Assigns one or more administrative roles to the user. A role is a specific pairing of capabilities and controlled organizations that facilitates assigning administrative duties to users in a coordinated way.

• Capabilities. Enables rights in the Waveset system. Each Waveset administrator is assigned one or more capabilities, frequently aligned with job responsibilities.

  Capabilities are discussed on Understanding and Managing Capabilities. A list of task-based capabilities with definitions is included in Appendix D, Capabilities Definitions on Appendix D, Capabilities Definitions. This appendix also lists the tabs and subtabs that may be accessed with each capability.

• Controlled organizations. Assigns organizations that this user has rights to manage as an administrator. He can manage objects in the assigned organization and in any organizations below that organization in the hierarchy.

To have administrator capabilities, a user must be assigned at least one Admin role, or one or more capabilities AND one or more controlled organizations. For more information about Waveset administrators, seeUnderstanding Waveset Administration.

• User Form. Specifies the user form that the administrator will use when creating and editing users. If None is selected, the administrator will inherit the user form assigned to his organization.

• View User Form. Specifies the user form that the administrator will use when viewing users. If None is selected, the administrator will inherit the view user form assigned to his organization.

• Account policy. Establishes password and authentication limits.

Delegations Tab

The Delegations tab on the Create User page lets you delegate work items to other users for a specified length of time. For more information about delegating work items, read Delegating Work Items.

Attributes Tab

The Attributes tab on the Create User page defines account attributes associated with assigned resources. Listed attributes are categorized by assigned resource, and differ depending on which resources are assigned.

Compliance Tab

The Compliance tab:

• Lets you select the attestation and remediation forms for the user account.

• Specifies the assigned audit policies for the user account, including those in effect through the user’s Organization assignment. These policy assignments can be changed only by editing the user’s current organization or moving the user to another Organization.

• Indicates the current status of policy scans, violations, and exemptions (as illustrated by the following figure), if applicable for the user account. The information includes the date and time of the last audit policy scan for the selected user.

  

To assign audit policies, move selected policies from the Available Audit Policies list to the Current Audit Policies list.

You can view compliance violations logged for a user for a specific time period, by selecting View Compliance Violation Log from the User Actions list and specifying the range of entries to view.

Creating Users and Working with User Accounts

From the Accounts/User List page in the Administrator interface, you can perform a range of actions on the following system objects:

• Administrators & Users. View, create, edit, move, rename, deprovision, enable, disable, update, unlock, delete, unassign, unlink, and audit.

  For more information about creating and editing administrator accounts, see Understanding Waveset Administration.

• Organizations. Create, edit, refresh, and perform user actions on members of the organization.

  For more information on organizations, see Understanding Waveset Organizations.

• Directory Junctions. Create a hierarchically related set of organizations to mirror a directory resource's actual set of hierarchical containers.

  For more information about directory junctions, see Understanding Directory Junctions and Virtual Organizations.

Enabling Process Diagrams for Use in Waveset

Process diagrams depict the workflow that Waveset follows when it creates or otherwise acts on a user account. When enabled, process diagrams display on the results page or task summary page that is created when Waveset completes the task.

In Waveset version 8.0, process diagrams were disabled for both new and upgrade installations.

Use the following steps to enable process diagrams for use in Waveset.

1. Open the system configuration object for editing by following the procedure on Editing Waveset Configuration Objects.

2. Locate the following XML element.

   <Attribute name=’disableProcessDiagrams’> <Boolean>true</Boolean> </Attribute>

3. Change the true value to false.

4. Click Save.

5. Restart your server (or servers) in order for the change to take effect.

   Process diagrams can also be enabled in the end-user interface, but only if they are first enabled in the Administrator interface using the steps described above. For details, see To Enable Process Diagrams in the End-User Interface.

Creating a User in Waveset

You can create and manage users from the Accounts tab on the Administrator interface menu bar.

1. In the Administrator interface, click Accounts.

2. To create a user in a specific organization, select the organization, then select New User from the New Actions list.

   Otherwise, to create a user account in the Top organization, select New User from the New Actions list.

3. Complete the information in the following tabs or sections.

   • Identity. Name, organization, password, and other details. (See Identity Tab.)

   • Resources. Individual resource and resource group assignments, as well as resource exclusions. (See Resources Tab.)

   • Roles. Role assignments. For information on roles, see Understanding and Managing Roles. See To Assign Roles to a User for instructions on completing the Roles tab.

   • Security. Admin roles, controlled organizations and capabilities. Also, user form settings and account policy. (See Security Tab.)

   • Delegations. Work item delegations. (See Delegations Tab.)

   • Attributes. Specific attributes for assigned resources. (See Attributes Tab.)

   • Compliance. Select attestation and remediation forms for the user account. The compliance area also lets you specify the assigned audit policies for the user account, including those in effect through the user’s organization assignment. Indicates the current status of policy scans, violations, and exemptions, and includes information about the user’s last audit policy scan. (See Attributes Tab.)

     Note that selections available in one area may depend on selections you make in another.

   To better reflect your business processes or specific administrator capabilities, you should customize the user form specifically for your environment. For more information about customizing the user form, see Customizing Forms in Oracle Waveset 8.1.1 Deployment Reference.

4. When you are finished, Save the account.

   You have two options for saving a user account:

   • Save. Saves the user account. If you assign a large number of resources to the account, this process could take some time.

   • Background Save. This process saves a user account as a background task, which allows you to continue working in Waveset. A task status indicator displays on the Accounts page, the Find User Results page, and the Home page, for each save in progress.

     Status indicators, as described in the following table, help you monitor the progress of the save process.

   Status Indicator	Status
   	The save process is in progress.
   	The save process is suspended. Often, this means that the process is waiting for approval.
   	The process completed successfully. This does not mean that the user was successfully saved; rather that the process completed with no errors.
   	The process has not yet started.
   	The process completed with one or more errors.

   By moving your mouse over the user icon that displays within the status indicator, you can see details about the background save process.

   ---

   Note –

   If sunrise is configured, creating a user creates a work item that can be viewed from the Approvals tab. Approving this item overrides the sunrise date and creates the account. Rejecting the item cancels account creation. For more information about configuring sunrise, see Configuring the Sunrise and Sunset Tab.

   ---

Creating Multiple Resource Accounts for a User

Waveset provides the ability to assign multiple resource accounts to a single user. It does this by allowing multiple resource account types or types of accounts to be defined for each resource. Resource account types should be created as needed to match each functional account type on the resource. For example, AIX SuperUser or AIX BusinessAdmin.

Why Assign Multiple Accounts per User per Resource?

In some situations, an Waveset user may require more than one account on a resource. A user can have several different job functions related to the resource. For example, the user can be both a user and administrator of the resource. Best practice suggests using separate accounts for each function. That way, if one account is compromised, the access granted by the other accounts is still secure.

Configuring Types of Accounts

For a resource to support multiple accounts for a single user, the resource account types must first be defined in Waveset. To define resource account types for a resource, use the Resource Wizard. For information, see Managing the Resources List.

You must enable and configure resource account types before assigning them to users.

Assigning Types of Accounts

Once you have defined account types, you can assign them to a resource. Waveset treats each assignment of an account type as a separate account. As a result, each distinct assignment in a role can have different attributes set.

Similar to the single account per resource case, all assignments of a specific type create only one account, regardless of the number of assignments.

Although you can assign users to any number of different types of accounts on a resource, each user can be assigned one account of a given type on a resource. The exception to this rule is the built-in “default” type. Users can have any number of accounts of default type on a resource. It is not recommended that you do this however, as this leads to ambiguity when referencing accounts in forms and views.

Finding and Viewing User Accounts

The Waveset find feature lets you search for user accounts. After you enter and select search parameters, Waveset finds all accounts that match your selections.

To search for accounts, select Accounts -> Find Users from the menu bar. You can search for accounts by using one or more of these search types:

• Account detail (such as user name, email address, or last name, or first name). These choices depend on your institution’s specific Waveset implementation.

• User’s manager. The manager’s user name appears in parentheses if the user name does not match an existing account in Waveset.

• Resource account status. Options include:

  • Disabled. User cannot access any Waveset or assigned resource accounts.

  • Partially Disabled. User cannot access one or more assigned resource accounts.

  • Enabled. User has access to all assigned resource accounts.

• Assigned resource. Options include:

  • Role (see To Find Users Assigned to a Specific Role)

  • Organization

  • Organizational control

  • Capabilities

  • Admin role

• User account status. Options include:

  • Locked. User account is locked because the maximum number of failed password or question login attempts exceeds the maximum allowed.

  • Not Locked. User account access is not restricted.

• Update status. Use this query to search for users for whom all updates have or have not succeeded. Options include:

  • no. User accounts that have not been updated on any resource.

  • some. User accounts that require an update (identified by an exclamation point symbol).

  • all. User accounts that have been updated on all assigned resources (no updates are required).

The search results list shows all accounts that match your search.

From the results page, you can:

• Select user accounts to edit. To edit an account, click it in the search results list; or select it in the list, and then click Edit.

• Perform actions (such as enable, disable, unlock, delete, update, or change/reset passwords) on one or more accounts. To perform an action, select one or more accounts in the search results list, and then click the appropriate action.

• Create user accounts.

  

Editing Users

The information in this section covers viewing, editing, reassigning, and renaming user accounts.

To View User Accounts

Use the View User page and perform the following steps to view account information.

1. In the Administrator interface, click Accounts in the menu.

   The User List page opens.

2. Select the box next to the user whose account you want to view.

3. In the User Actions drop-down menu, select View.

   The View User page displays a subset of the user’s identity, assignments, security, delegations, attributes, and compliance information. The information on the View User page is view-only and cannot be edited.

4. Click Cancel to return to the Accounts list.

To Edit User Accounts

Use the Edit User page and perform the following steps to edit account information.

1. In the Administrator interface, click Accounts in the menu.

2. Select the box next to the user whose account you want to edit.

3. In the User Actions drop-down menu, select Edit.

4. Make and save your changes.

   Waveset displays the Update Resource Accounts page. This page shows resource accounts assigned to the user and the changes that will apply to the account.

5. Select Update All resource accounts to apply changes to all assigned resources, or individually select none, one, or more resource accounts associated with the user to update.

6. Click Save again to complete the edit, or click Return to Edit to make further changes.

   Figure 3–2 Edit User (Update Resource Accounts)

   
   

Reassigning Users to Another Organization

The move action allows you to remove one or more users from one organization and reassign, or move, the users to a new organization. Use the following steps to move a user:

1. In the Administrator interface, click Accounts in the menu.

   The User List page opens.

2. Select the box next to the user (or users) to be moved.

3. In the User Actions drop-down menu, select Move.

   The Change Organization of Users task page opens.

4. Select the organization that you want to reassign the user to and click Launch.

Renaming Users

Typically, renaming an account on a resource is a complex action. Because of this, Waveset provides a separate feature to rename a user’s Waveset account, or one or more resource accounts, that are associated with that user.

To use the rename feature, select a user account in the list, and then select the Rename option from the User Actions list.

The Rename User page allows you to change the user account name, associated resource account names, and resource account attributes associated with the user’s Waveset account.

Some resource types do not support account renaming.

As shown in the following figure, the user has an assigned Active Directory resource.

During the renaming process, you can change:

• Waveset user account name

• Active Directory resource account name

• Active Directory resource attribute (fullname)

  

Updating Resources Associated with an Account

In an update action, Waveset updates the resources that are associated with a user account. Updates performed from the accounts area send any pending changes that were previously made to a user to the resources selected.

This situation may occur if:

• A resource was unavailable when updates were made.

• A change was made to a role or resource group that needed to be pushed to all users assigned to that role or resource group. In this case, you should use the Find User page to search for users, and then select one or more users on which to perform the update action.

When you update the user account, you have the following options:

• Choose whether assigned resource accounts will receive the updated information.

• Update all resource accounts, or select individual accounts from a list.

Updating Resources on a Single User Account

To update a user account, select it in the list, and then select Update from the User Actions list.

On the Update Resource Accounts page, select one or more resources to update, or select Update All resource accounts to update all assigned resource accounts. When finished, click OK to begin the update process. Alternatively, click Save in Background to perform the action as a background process.

A confirmation page confirms the data sent to each resource.

Figure 3–3 illustrates the Update Resource Accounts page.

Figure 3–3 Update Resource Accounts

Updating Resources on Multiple User Accounts

You can update two or more Waveset user accounts at the same time. Select more than one user account in the list, and then select Update from the User Actions list.

When you choose to update multiple user accounts, you cannot select individually assigned resource accounts from each user account. Rather, this process updates all resources on all user accounts you select.

Deleting Waveset User Accounts

In Waveset, an Waveset user account is deleted in the same way that a remote resource account is deleted. Follow the steps for deleting a resource account, but instead of selecting a remote resource account for deletion, select the Waveset account.

If a user has outstanding work items, or if a user has outstanding work items that have been delegated to another user, Waveset will not allow the user’s Waveset account to be deleted. The delegated work items either need to be resolved or forwarded to another user before the user’s Waveset account can be deleted.

For more information, see Deleting Resources from User Accounts.

Deleting Resources from User Accounts

Waveset provides several deletion operations that can be used to remove Waveset user account access from a resource:

• Delete. For each resource selected, Waveset deletes the user’s account on the remote resource. (To delete a user from Waveset, select Waveset as the resource.)

  • Deleted resource accounts are automatically unlinked from the Waveset user.

  • Deleted resource accounts are not unassigned from the user. The resource remains assigned to the user unless the unassign action is also selected.

• Unassign. For each resource selected, Waveset removes the resource from the user’s list of assigned resources.

  • Unassigned resource accounts are automatically unlinked from the Waveset user.

  • The user account on the remote resource is not deleted. The account remains intact unless the delete action is also selected.

• Unlink. For each resource selected, the user’s resource account information is removed from Waveset.

  • The user’s account on the remote resource remains intact unless a delete action is also selected.

  • The resource remains on the user’s list of assigned resources unless an unassign action is also selected.

  • If you unlink an account that has been indirectly assigned to the user through a role or resource group, the link may be restored when the user is updated.

Although deprovision appears as a user-action in the User List page menus, there are actually only three Deletion actions in Waveset: delete, unassign, and unlink.

To deprovision a remote resource, use the delete and unassign actions on the resource.

To Start a Delete, Unassign, or Unlink Action for a Single User Account

Use the following procedure to perform a delete operation on a single Waveset user. By working with one user account at a time, you can specify different delete, unassign, and/or unlink operations for individual resource accounts.

You can use the Delete Resource Accounts page to unassign or unlink resource accounts when the Delete operation has been disabled.

1. In the Administrator interface, click Accounts in the main menu.

   The User List page displays on the List Accounts tab.

2. Select a user and click the User Actions drop-down menu.

3. Select any of the Deletion actions (Delete, Deprovision, Unassign, or Unlink) from the list.

   Waveset displays the Delete Resource Accounts page (Figure 3–4).

4. Complete the form. For more information on the Delete, Unassign, and Unlink actions, see Deleting Resources from User Accounts.

5. Click OK.

   Figure 3–4 shows the Delete Resource Accounts page. In the screen capture, the user jrenfro has one active account on a remote resource (the Simulated Resource). The Delete action is selected, which means that when the form is submitted, jrenfro’s account on the resource will be deleted. Because deleted accounts are automatically unlinked, the account information for this resource will be removed from Waveset. The Simulated Resource will remain assigned to jrenfro because the Unassign action is not selected.

   To delete jrenfro’s Waveset account, the Delete action should be selected for Waveset.

   Figure 3–4 The Delete Resource Accounts page

   
   

To Start A Delete, Unassign, or Unlink Action for Multiple Users

You can perform a delete operation on more than one Waveset user account at a time, however, you can only perform the selected delete operation on all of the users’ resource accounts.

Delete operations can also be performed using Waveset’s Bulk Account Actions feature. See Delete, DeleteAndUnlink, Disable, Enable, Unassign, and Unlink Commands.

You can use the Delete Resource Accounts page to unassign or unlink resource accounts when the Delete operation has been disabled.

1. In the Administrator interface, click Accounts in the main menu.

   The User List page displays on the List Accounts tab.

2. Select one or more users and click the User Actions drop-down menu.

3. Select any of the Deletion actions (Delete, Deprovision, Unassign, or Unlink) from the list.

   Waveset displays the Confirm Delete, Unassign, or Unlink page (Figure 3–5).

4. Specify the action to be performed.

   The options include:

   • Delete user only. Deletes the users’ Waveset accounts. This option does not delete or unassign the users’ resource accounts.

   • Delete user and resource accounts. Deletes the users’ Waveset accounts and all of the users’ resource accounts.

   • Delete resource accounts only. Deletes all of the users’ resource accounts. This option does not unassign the resource accounts, nor does it delete the users’ Waveset accounts.

   • Delete resource accounts and unassign directly assigned resources from user. Deletes and unassigns all of the users’ resource accounts, but does not delete the users’ Waveset accounts.

   • Unassign directly assigned resource accounts from user. Unassigns directly assigned resource accounts. This option does not delete the users’ accounts on the remote resources. Resource accounts assigned through a role or resource group are not affected.

   • Unlink resource accounts from user. The users’ resource account information is removed from Waveset. The users’ accounts on the remote resources are not deleted and are not unassigned. Accounts that are indirectly assigned to the users through a role or resource group may be restored when the users are updated.

5. Click OK.

   Figure 3–5 shows the Confirm Delete, Unassign, or Unlink page. The top portion of the page displays the six available actions that can be carried out for multiple users. The bottom portion of the page displays the users who will be affected by the selected action.

   Figure 3–5 The Confirm Delete, Unassign, or Unlink Page

   
   

Changing User Passwords

All Waveset users are assigned a password. When set, the Waveset user password is used to synchronize the user’s resource account passwords. If one or more resource account passwords cannot be synchronized (for example, to comply with required password policies), you can set them individually.

For information about account password policies, as well as general information about user authentication, see Managing Account Security and Privileges.

To Change Passwords from the User List Page

You can use the Change Password User Action from the User List page (Accounts -> List Accounts) to change a user account password from the User List page. Follow these steps:

1. In the Administrator interface, click Accounts in the main menu.

   The User List page displays on the List Accounts tab.

2. Select a user and click the User Actions drop-down menu.

3. To change the password, select Change Password.

   The Change User Password page opens.

4. Type the new password and click the Change Password button.

To Change Passwords from the Main Menu

To change a user account password from the main menu, follow these steps:

1. In the Administrator interface, click Passwords in the main menu.

   The Change User Password page appears by default.

   Figure 3–6 Change User Password

   
   

2. Select a search term (such as account name, email address, last name, or first name), and then a search type (starts with, contains, or is).

3. Type one or more letters of a search term in the entry field, and then click Find. Waveset returns a list of all users whose IDs contain the entered characters. Click to select a user and return to the Change User Password page.

4. Enter and confirm new password information, and then click Change Password to change the user password on the listed resource accounts. Waveset displays a workflow diagram that shows the sequence of actions taken to change the password.

Resetting User Passwords

The process for resetting Waveset user account passwords is similar to the change process. The reset process differs from a password change in that you do not specify a new password. Rather, Waveset randomly generates a new password (depending on your selections and password policies) for the user account, resource accounts, or a combination of these.

The policy assigned to the user (by direct assignment or through the user’s organization) controls several reset options, including:

• How often a password can be reset before resets are disabled

• Where the new password is displayed or sent

  Depending on the Reset Notification Option selected for the role, Waveset emails the new password to the user or displays it (on the Results page) to the Waveset administrator requesting the reset.

To Reset Passwords from the User List Page

The Reset Password user action is available on the User List page (Accounts > List Accounts).

To reset a password from the User List page, use the following steps.

1. In the Administrator interface, click Accounts in the main menu. The User List page displays on the List Accounts tab.

2. Select a user and click the User Actions drop-down menu.

3. To reset the password, select Reset Password.

   The Reset User Password page opens.

4. Click the Reset Password button.

To Expire Passwords Using the Waveset Account Policy

When you reset a user password, the password is immediately expired by default. Consequently, the first time users log in after a password reset, they must select a new password to gain access. You can use the Edit the Reset User Password form to override this default, so that the user’s password will expire according to the expire password policy set in the Waveset Account Policy associated with that user.

Use the following process to override the default change-password requirement.

1. Edit the Reset User Password Form and set the following value to false.

   resourceAccounts.currentResourceAccounts[Lighthouse].expirePassword

2. Use the Reset option in the Waveset Account Policy to specify when a password expires.

   The settings include

   • permanent. Waveset uses the time period specified in the passwordExpiry policy attribute to calculate the relative date from the current date when the password is reset, and then set that date on the user. If no value is specified, the changed or reset password never expires.

   • temporary. Waveset uses the time period specified in the tempPasswordExpiry policy attribute to calculate the relative date from the current date when the password is reset, and then set that date on the user. If no value is specified, the changed or reset password never expires. If tempPasswordExpiry is set to a value of 0, then the password is expired immediately.

     The tempPasswordExpiry attribute applies only when passwords are reset (randomly changed). It does not apply to password changes.

Disabling, Enabling, and Unlocking User Accounts

This section describes how to disable and enable Waveset user accounts, and describes how to help users who have become locked out of their Waveset accounts.

To Disable User Accounts

When you disable a user account, you alter that account so that the user can no longer log in to either Waveset or to his assigned resource accounts.

Note that administrators can disable user accounts from the Administrator interface, but they cannot lock user accounts. Accounts can only become locked if the user exceeds the allowable number of unsuccessful login attempts defined by the Waveset account policy

If an assigned resource does not have native support for account disabling, but does support password changes, then Waveset can be configured to disable user accounts on that resource by assigning new, randomly generated passwords.

Use the following steps to ensure that this functionality works correctly:

1. Open the “Identity System Parameters” page in the Edit Resource Wizard. (See Managing Resources for instructions on how to open the wizard.)

2. In the “Account Features Configuration” table verify that both the Password feature and the Disable feature do not have check marks in the Disable? column. (To display the Disable feature, select Show All Features.)

   If the Disable feature does have a check mark in the Disable? column, accounts in the resource cannot be disabled.

Disabling Single User Accounts

To disable a user account, select it in the User List, and then select Disable from the User Actions drop-down menu.

On the displayed Disable page, select the resource accounts to disable, and then click OK. Waveset displays the results of disabling the Waveset user account and all associated resource accounts. The accounts list indicates that the user account is disabled.

Disabling Multiple User Accounts

You can disable two or more Waveset user accounts at the same time. Select more than one user account in the list, and then select Disable from the User Actions list.

When you choose to disable multiple user accounts, you cannot select individually assigned resource accounts from each user account. Rather, this process disables all resources on all user accounts you select.

To Enable User Accounts on a Resource Through Password Resets

User account enabling reverses the disabling process.

Depending on selected notification options, Waveset also displays the password on the administrator’s results page.

The user can then reset his password (through the authentication process), or a user with administrator privileges can reset it.

If an assigned resource does not have native support for account enabling, but does support password changes, then Waveset can be configured to enable user accounts on that resource through password resets.

To ensure that this functionality works correctly, do the following:

1. Open the “Identity System Parameters” page in the Edit Resource Wizard. (See Managing Resources for instructions on how to open the wizard.)

2. In the “Account Features Configuration” table, verify that both the Password feature and the Enable feature do not have check marks in the Disable? column. (To display the Enable feature, select Show All Features.)

   If the Enable feature does have a check mark in the Disable? column, accounts in the resource cannot be enabled.

Enabling Single User Accounts

To enable a user account, select it in the list, and then select Enable from the User Actions list.

On the displayed Enable page, select the resources to enable, and then click OK. Waveset displays the results of enabling the Waveset account and all associated resource accounts.

Enabling Multiple User Accounts

You can enable two or more Waveset user accounts at the same time. Select more than one user account in the list, and then select Enable from the User Actions list.

When you choose to enable multiple user accounts, you cannot select individually assigned resource accounts from each user account. Rather, this process enables all resources on all user accounts you select.

To Unlock User Accounts

Users become locked out if they are unsuccessful at logging in to Waveset. To become locked out, the user has to exceed the allowable number of unsuccessful login attempts defined by the Waveset account policy.

Only login attempts on an Waveset user interface are counted towards an Waveset lockout (that is, either the administrator interface, the end-user interface, the command-line interface, or the SPML API interface). Failed login attempts on resource accounts are not counted and will not cause the user to be locked out of their Waveset account.

The Waveset account policy establishes the maximum number of failed password or question login attempts that can be made.

• Users who exceed the maximum number of failed password login attempts are locked out of all Waveset application interfaces, including the Forgot My Password interface.

• Users who exceed the maximum number of failed question login attempts can authenticate to any Waveset application interface except Forgot My Password.

Failed Password Login Attempts

Users who are locked out of Waveset due to excessive failed password login attempts will not be able to log in until an administrator unlocks the account or until the lock expires.

• An administrator can unlock an account if the administrator has administrative control of the user’s member organization, as well as the Unlock User capability.

• If a Lock Timeout value is set in the Waveset Account Policy, a lock placed on an account will eventually expire. The Lock Timeout value for failed password login attempts is set by the Account lock created by failed password-logins expires in value.

Failed Question Login Attempts

Users who are locked out of the Forgot My Password interface due to excessive failed question login attempts will not be able to log in to that interface until an administrator unlocks the account, or until the locked user (or a user with appropriate capabilities) changes or resets the user’s password, or until the lock expires.

• An administrator can unlock an account if the administrator has administrative control of the user’s member organization, as well as the Unlock User capability.

• If a Lock Timeout value is set in the Waveset Account Policy, a lock placed on an account will eventually expire. The Lock Timeout value for failed question login attempts is set by the Account lock created by failed question-logins expires in value.

An administrator with appropriate capabilities can perform the following operations on a user in locked state:

• Update (including resource reprovisioning)

• Change or reset password

• Disable or enable

• Rename

• Unlock

To unlock accounts, select one or more user accounts in the list, and then select Unlock Users from the User Actions or Organization Actions list.

Bulk Account Actions

You can perform several bulk actions on Waveset accounts, which allow you to act on multiple accounts at the same time.

You can initiate the following Bulk actions:

• Delete. Deletes, unassigns, and unlinks selected resource accounts. Select the “Target the Waveset Account” option to also delete each user’s Waveset account.

• Delete and Unlink. Deletes any selected resource accounts and unlinks the accounts from the users.

• Disable. Disables any selected resource accounts. Select the “Target the Waveset Account” option to also disable each user’s Waveset account.

• Enable. Enables any selected resource accounts. Select the “Target the Waveset Account” option to enable each user’s Waveset account.

• Unassign, Unlink. Unlinks any selected resource accounts and removes the Waveset user account’s assignments to those resources. Unassigning does not remove the account from the resource. You cannot unassign an account that has been indirectly assigned to the Waveset user through a role or resource group.

• Unlink. Removes a resource account’s association (link) with the Waveset user account. Unlinking does not remove the account from the resource. If you unlink an account that has been indirectly assigned to the Waveset user through a role or resource group, the link may be restored when the user is updated.

Bulk actions work best if you have a list of users in a file or application, such as an email client or spreadsheet program. You can copy and paste the list into a field on this interface page, or you can load the list of users from a file.

Many of these actions can be performed on the results of a user search. Use the Find Users page (Accounts -> Find Users) to search for users.

You can save the results of a bulk account operation to a CSV file by clicking Download CSV when the task results appear upon completion of the task.

Launching Bulk Account Actions

To Launch Bulk Account Actions

1. In the Administrator interface, click Accounts in the main menu.

2. Click Launch Bulk Actions in the secondary menu.

3. Complete the form and then click Launch.

   Waveset launches a background task to perform the bulk actions.

   To monitor the status of the bulk actions task, click Server Tasks in the main menu, and then click All Tasks.

Using Action Lists

You can specify a list of bulk actions using comma-separated values (CSV) format. This allows you to provide a mix of different action types in a single action list. In addition, you can specify more complicated creation and update actions.

The CSV format consists of two or more input lines. Each line consists of a list of values separated by commas. The first line contains field names. The remaining lines each correspond to an action to be performed on an Waveset user, the user’s resource accounts, or both. Each line should contain the same number of values. Empty values will leave the corresponding field value unchanged.

Two fields are required in any bulk action CSV input:

• user. Contains the name of the Waveset user.

• command. Contains the action taken on the Waveset user. Valid commands are:

  • Delete. Deletes, unassigns, and unlinks resource accounts, the Waveset account, or both.

  • DeleteAndUnlink. Deletes and unlinks resource accounts.

  • Disable. Disables resource accounts, the Waveset account, or both.

  • Enable. Enables resource accounts, the Waveset account, or both.

  • Unassign. Unassigns and unlinks resource accounts.

  • Unlink. Unlinks resource accounts.

  • Create. Creates the Waveset account. Optionally creates resource accounts.

  • Update. Updates the Waveset account. Optionally creates, updates, or deletes resource accounts.

  • CreateOrUpdate. Performs a create action if the Waveset account does not already exist. Otherwise, it performs an update action.

Delete, DeleteAndUnlink, Disable, Enable, Unassign, and Unlink Commands

If you are performing Delete, DeleteAndUnlink, Disable, Enable, Unassign, or Unlink actions, the only additional field you need to specify is resources. Use the resources field to specify which accounts on which resources will be affected.

The resources field can have the following values:

• all. Process all resource accounts including the Waveset account.

• resonly. Process all of the resource accounts excluding the Waveset account.

• resource_name [ | resource_name ... ]. Process the specified resource accounts. Specify Waveset to process the Waveset account.

The following is an example of the CSV format for several of these actions:

command,user,resources
Delete,John Doe,all
Disable,Jane Doe,resonly
Enable,Henry Smith,Waveset
Unlink,Jill Smith,Windows Active Directory|Solaris Server

Create, Update, and CreateOrUpdate Commands

If you are performing Create, Update, or CreateOrUpdate commands, you can specify fields from the User View in addition to the user and command fields. The field names used are the path expressions for the attributes in the views. See User View Attributes in Oracle Waveset 8.1.1 Deployment Reference for information about the attributes that are available in the User View. If you are using a customized User Form, then the field names in the form contain some of the path expressions that you can use.

Some of the more common path expressions used in bulk actions are:

• waveset.roles. A list of one or more role names to assign to the Waveset account.

• waveset.resources. A list of one or more resource names to assign to the Waveset account.

• waveset.applications. A list of one or more role names to assign to the Waveset account.

• waveset.organization. The organization name in which to place the Waveset account.

• accounts[resource_name].attribute_name. A resource account attribute. The names of the attributes are listed in the schema for the resource.

The following example illustrates the CSV format for create and update actions:

command,user,waveset.resources,password.password,
password.confirmPassword,accounts[Windows Active Directory].description,
accounts[Corporate Directory].location Create,John Doe,
Windows Active Directory|Solaris Server,changeit,changeit,John Doe - 888-555-5555,
Create,Jane Smith,Corporate Directory,changeit,changeit,,New York
CreateOrUpdate,Bill Jones,,,,,California

The CreateOrUpdate command allows you to specify a specific account-type on a resource that supports multiple account-types. So if a user has multiple accounts on a specific resource, with each account being a different account type, the following example shows how to update the admin account type for the userAye user:

command,user,accounts[Sim1|admin].emailAddress
CreateOrUpdate,userAye,bbye8@example.com

Although the CreateOrUpdate command allows you to set account-specific attributes for a user's accounts, be aware that the following values in the global section of the User's View will be applied to all specified accounts:

• accountId

• email

• password

• disable

• All extended attributes

Consequently, a BulkOps command of the following form might not do what you expect.

command,user,accounts[Sim1].email
CreateOrUpdate,userAye,bbye8@example.com

If userAye already has a value for email, that value will be applied to the email attribute on the Sim1 resource. You have no way to override this behavior.

Fields with More Than One Value

Some fields can have multiple values. These are known as multivalued fields. For example, the waveset.resources field can be used to assign multiple resources to a user. You can use the vertical bar (|) character (also known as the “pipe” character) to separate multiple values in a field. The syntax for multiple values can be specified as follows:

value0 | value1 [ | value2 ... ]

When updating multivalued fields on existing users, replacing the current field’s values with one or more new values may not be what you want. You may want to remove some values or add to the current values. You can use field directives to specify how to treat the existing field’s values. Field directives go in front of the field value and are surrounded by the vertical bar character, as follows:

|directive [ ; directive ] | field values

You can choose from the following directives:

• Replace. Replace the current values with the specified values. This is the default if no directive (or just the List directive) is specified.

• Merge. Add the specified values to the current values. Duplicate values are filtered.

• Remove. Remove the specified values from the current values.

• List. Force the field’s value to be handled as if it had multiple values, even if it only has a single value. This directive is not usually needed as most fields are handled appropriately regardless of the number of values. This is the only directive that can be specified with another directive.

Field values are case-sensitive. This is important when specifying the Merge and Remove directives. The values must match exactly to correctly remove values or avoid having multiple similar values when merging.

Special Characters in Field Values

If you have a field value with a comma (,) or double quote (") character, or you want to preserve leading or trailing spaces, you must embed your field value within a pair of double quotes ("field_value"). You then need to replace double quotes in the field value with two double quote (") characters. For example, "John ""Johnny"" Smith" results in a field value of John "Johnny" Smith.

If you have a field value with a vertical bar (|) or backslash (\) character in it, you must precede it with a backslash (\| or \\).

Bulk Action View Attributes

When the Create, Update, or CreateOrUpdate actions are performed, there are additional attributes in the User View that are only used or available during bulk action processing. These attributes can be referenced in the User Form to allow behavior specific to bulk actions.

The attributes are as follows:

• The waveset.bulk.fields.field_name attributes contain the values for the fields that were read in from the CSV input, where field_name is the name of the field. For example, the command and user fields are in the attributes with path expressions waveset.bulk.fields.command and waveset.bulk.fields.user, respectively.

• The waveset.bulk.fieldDirectives.field_name attributes are only defined for those fields for which a directive was specified. The value is the directive string.

• Set the waveset.bulk.abort Boolean attribute to true to abort the current action.

• Set the waveset.bulk.abortMessage attribute to a message string to display when waveset.bulk.abort is set to true. If this attribute is not set, a generic abort message is displayed.

Correlation and Confirmation Rules

Use correlation and confirmation rules when you do not have the Waveset user name available to put in the user field of your actions. If you do not specify a value for the user field, then you must specify a correlation rule when launching the bulk action. If you do specify a value for the user field, then the correlation and confirmation rules will not be evaluated for that action.

A correlation rule looks for Waveset users that match the action fields. A confirmation rule tests an Waveset user against the action fields to determine whether the user is a match. This two-stage approach allows Waveset to optimize correlation by quickly finding possible users (based on name or attributes), and by performing expensive checks only on the possible users.

Create a correlation or confirmation rule by creating a rule object with a subtype of SUBTYPE_ACCOUNT_CORRELATION_RULE or SUBTYPE_ACCOUNT_CONFIRMATION_RULE, respectively.

For more information about correlation and confirmation rules, see Chapter 3, Data Loading and Synchronization, in Oracle Waveset 8.1.1 Deployment Guide.

Correlation Rules

Input for any correlation rule is a map of the action fields. Output must be one of the following:

• String (containing user name or ID)

• List of String elements (each a user name or ID)

• List of WSAttribute elements

• List of AttributeCondition elements

A typical correlation rule generates a list of user names based on values of the fields in the action. A correlation rule may also generate a list of attribute conditions (referring to queryable attributes of Type.USER) that will be used to select users.

A correlation rule should be relatively inexpensive but as selective as possible. If possible, defer expensive processing to a confirmation rule.

Attribute conditions must refer to queryable attributes of Type.USER. These are configured in the Waveset configuration object named IDM Schema Configuration.

Correlating on an extended attribute requires special configuration. The extended attribute must be specified as queryable.

Use the following steps to set an extended attribute as queryable:

1. Open IDM Schema Configuration. You must have the IDM Schema Configuration capability to view or edit IDM Schema Configuration.

2. Locate the <IDMObjectClassConfiguration name=’User’> element.

3. Locate the <IDMObjectClassAttributeConfiguration name=’ xyz ’> element, where xyz is the name of the attribute that you want to set as queryable.

4. Set queryable=’true’

   In Correlation Rules the email extended attribute is defined as queryable.

Example 3–1 XML Excerpt That Defines the Email Extended Attribute as Queryable

<IDMSchemaConfiguration>
  <IDMAttributeConfigurations>
    <IDMAttributeConfiguration name=’email’ syntax=’STRING’/>
    </IDMAttributeConfiguration>
  </IDMAttributeConfigurations>
  <IDMObjectClassConfigurations>
    <IDMObjectClassConfiguration name=’User’ extends=’Principal’ description=’User description’>
      <IDMObjectClassAttributeConfiguration name=’email’ queryable=’true’/>
    </IDMObjectClassConfiguration>
  </IDMObjectClassConfigurations>
 </IDMSchemaConfiguration>

You must restart the Waveset application (or the application server) for the IDM Schema Configuration change to take effect.

Confirmation Rules

Inputs to any confirmation rule are as follows:

• Use userview for a full view of an Waveset user.

• Use account for a Map of action fields.

A confirmation rule returns a string-form Boolean value of true if the user matches the action fields; otherwise, it returns a value of false.

A typical confirmation rule compares internal values from the user view to the values of the action fields. As an optional second stage in correlation processing, the confirmation rule performs checks that cannot be expressed in a correlation rule (or that are too expensive to evaluate in a correlation rule).

In general, you need a confirmation rule only for the following situations:

• The correlation rule may return more than one matching user.

• User values that must be compared are not queryable.

A confirmation rule is run once for each matching user returned by the correlation rule.

Managing Account Security and Privileges

This section discusses actions you can take to provide secure access for user accounts and to manage user privileges in Waveset.

• Setting Password Policies

• Setting Account Authentication Policies

• Assigning Administrative Privileges

Setting Password Policies

Resource password policies establish the limitations for passwords. Strong password policies provide added security to help protect resources from unauthorized login attempts. You can edit a password policy to set or select values for a range of characteristics.

To begin working with password policies, click Security on the main menu, and then click Policies.

To edit a password policy, click it in the Policies list. To create a password policy, select String Quality Policy from the New list of options.

For more information on policies, see Configuring Waveset Policies.

Creating a Policy

Password policies are the default type for string quality policies. After naming and providing an optional description for a new policy, select options and parameters for the rules that define that policy.

Length Rules

Length rules set the minimum and maximum required character length for a password. Select this option to enable the rule, and then enter a limit value for the rule.

Policy Type

Choose one of the policy type buttons . If you choose the Other option, you must enter the type in the text field provided.

Character Type Rules

Character type rules establish the minimum and maximum characters of certain types and number that can be included in a password.

These include:

• Minimum and maximum alphabetic, numeric, uppercase, lowercase, and special characters

• Minimum and maximum embedded numeric characters

• Maximum repetitive and sequential characters

• Minimum beginning alphabetic and numeric characters

Enter a numeric limit value for each character type rule; or enter All to indicate that all characters must be of that type.

Minimum Number of Character Type Rules

You can also set the minimum number of character type rules that must pass validation, as illustrated in Figure 3–7. The minimum number that must pass is one. The maximum cannot exceed the number of character type rules that you have enabled.

To set the minimum number that must pass to the highest value, enter All.

Figure 3–7 Password Policy (Character Type) Rules

Dictionary Policy Selection

You can choose to check passwords against words in a dictionary to guard against simple dictionary attacks.

Before you can use this option, you must:

• Configure the dictionary

• Load dictionary words

You configure the dictionary from the Policies page. For more information about how to set up the dictionary, see What is a Dictionary Policy?.

Password History Policy

You can prohibit the reuse of passwords that were used immediately preceding a newly selected password.

In the Number of Previous Passwords that Cannot be Reused field, enter a numeric value greater than one to prohibit re-use of the current and preceding passwords. For example, if you enter a numeric value of 3, the new password cannot be the same as the current password or the two passwords used immediately before it.

You can also prohibit re-use of similar characters from passwords used previously. In the Maximum Number of Similar Characters from Previous Passwords that Cannot be Reused field, enter the number of consecutive characters from the previous password or passwords that cannot be repeated in the new password. For example, if you enter a value of 7, and the previous password was password1, then the new password cannot be password2 or password3.

If you enter a value of 0, then all characters must be different regardless of sequence. For example, if the previous password was abcd, then the new password cannot include the characters a, b, c, or d.

The rule can apply to one or more previous passwords. The number of previous passwords checked is the number specified in the Number of Previous Passwords that Cannot be Reused field.

Must Not Contain Words

You can enter one or more words that the password may not contain. In the entry box, enter one word on each line.

You can also exclude words by configuring and implementing the dictionary policy. For more information, see What is a Dictionary Policy?.

Must Not Contain Attributes

You can enter one or more attributes that the password may not contain.

You can specify the following attributes:

• accountID

• email

• firstname

• fullname

• lastname

You can change the allowed set of “must not contain” attributes for passwords in the UserUIConfig configuration object. See Must Not Contain Attributes in Policies for more information.

Implementing Password Policies

Password policies are established for each resource. To put a password policy in place for a specific resource, select it from the Password Policy list of options, which is located in the Policy Configuration area of the Create or Edit Resource Wizard: Waveset Parameters pages.

Setting Account Authentication Policies

You must configure user authentication, and the rules that govern authentication, as part of an Waveset account policy. Unlike password policies, Waveset account policies are assigned directly to the user or through the organization assigned to the user (on the Create and Edit User pages). The user authentication methods you establish enables users to access Waveset when they forget their user ID or passwords, or when their passwords are reset.

You can configure the following authentication methods for an Waveset account policy:

• Authentication questions. Require users to answer one or more account authentication questions to gain access to Waveset. The authentication question policy determines what happens when a user clicks on the Forgot Your Password? button on the login page or when accessing the Change My Answers page.

• Login recovery. Resets the user's password, then emails both the login and password to the user's email address.

Instructions for configuring these methods from the Waveset Administrator interface follow.

To Establish Authentication Questions for an Account Policy

1. Select Security > Policies from the main menu.

2. Choose DefaultWaveset Account Policy from the list of policies.

   Authentication selections are offered in the Secondary Authentication Policy Options area of the page. The following table describes each option.

   Option	Description
   All	Requires the user to answer all policy-defined and personalized questions.
   Any	Waveset displays all policy-defined and personalized questions. You must specify how many questions the user must answer.
   Next	Requires the user to answer all possible policy-defined questions the first time that user logs in.   If the user clicks the Forgot Your Password? button during login, Waveset displays the first question. If the user answers incorrectly, Waveset displays the next question, and so on until the user answers an authentication question correctly and logs in, or is locked out based on the specified failure attempts limit. User-generated questions are not supported for this policy.
   Random	Allows the administrator to specify how many questions the user must answer. Waveset randomly selects and displays the specified number of questions from the list of questions defined in the policy as well as those the user has defined. The user must answer all questions displayed.
   Round robin	Waveset selects the next question from the list of configured questions and assigns this question to the user. The first user is assigned the first question in the list of authentication questions, and the second user is assigned the second question. This pattern continues until the number of questions is exceeded. At that point, questions are assigned to users in sequential order. For example, if there are 10 questions, the 11th and 21st users are assigned the first question.  Only the selected question is displayed. If you want the user to answer a different question every time, use the Random policy and set the number of questions to 1.  Users cannot define their own authentication questions. See Using Personalized Authentication Questions for more information about this feature.

You can verify your authentication choices by logging in to the Waveset End User interface, clicking the Forgot Your Password? button, and answering the presented question or questions.

After you set up the authentication questions, users must log in to the End User interface and provide initial answers to their authentication questions. If the users do not set answers the first time they log in, they cannot successfully log in without a password.

The following figure shows an example of the User Account Authentication screen.

Figure 3–8 User Account Authentication

Using Personalized Authentication Questions

In the Waveset account policy, you can select an option to allow users to supply their own authentication questions in the End User and Administrator interfaces. You can additionally set the minimum number of questions that the user must provide and answer to be able to log in successfully by using personalized authentication questions.

To configure Waveset to allow user-supplied questions, perform the following steps:

1. Select the Security > Policies tabs.

2. On the Policies page, click Default Identity Manager Account Policy.

3. When the Policy page displays, scroll down to the Secondary Authentication Policy Options section.

   Complete this section as follows:

   • For Login Interface. Select User Interface from the menu.

   • Maximum Number of Failed Login Attempts. Enter the maximum number of failed attempts you want to allow.

   • Enforce Answer Policy at Login. Deselect this option.

   • Authentication Questions Policy. Select Any from the menu.

   • Minimum Number of Questions User is Required to Answer. Enter the minimum number of questions you want the user to answer.

   • Answer Quality Policy. Select None from the menu.

     ---

     Note –

     If you previously configured one or more Authentication Answer Quality Policies, they will be available for selection from the menu. Otherwise, the only option is None.

     ---

   • Allow User Supplied Questions. Select this option to allow user-supplied questions.

   • Minimum Number of User Supplied Questions. Enter the minimum number of questions you want the user to provide.

   • Supplied Question Quality Policy. Select None from the menu.

     ---

     Note –

     If you previously configured one or more Authentication Question Quality Policies, they will be available for selection from the menu. Otherwise, the only option is None.

     ---

   • Organizations. Select one or more organizations to which this object will be available.

4. Click Save to save your changes.

Users can add and change questions from the Change Answers to Authentication Questions page. An example of this page is shown in Figure 3–9.

Figure 3–9 Change Answers: Personalized Authentication Questions

Bypassing the Change Password Challenge after Authentication

When users successfully authenticate by answering one or more questions, by default they are challenged by the system to provide a new password. You can configure Waveset to bypass the change password challenge, however, by setting the bypassChangePassword system configuration property for one or more Waveset applications.

For instructions on editing the system configuration object, see Editing Waveset Configuration Objects.

To bypass the change password challenge for all applications following successful authentication, set the bypassChangePassword property as follows in the system configuration object.

Example 3–2 Setting the Attribute to Bypass the Change Password Challenge

<Attribute name="ui" 
 <Object>
   <Attribute name="web">
     <Object> 
       <Attribute name=’questionLogin’>
         <Object>
           <Attribute name=’bypassChangePassword’>
             <Boolean>true</Boolean>
           </Attribute>
         </Object>
       </Attribute>
   ...
 </Object>
...

To disable this password challenge for a specific application, set it as follows.

Example 3–3 Setting the attribute to Disable the Change Password Challenge

<Attribute name="ui">
  <Object>
    <Attribute name="web">
      <Object>
        <Attribute name=’user’>
          <Object>
            <Attribute name=’questionLogin’>
              <Object>
                <Attribute name=’bypassChangePassword’>
                  <Boolean>true</Boolean>
                </Attribute>
              </Object>
            </Attribute>
         </Object>
       </Attribute>
     ... 
  </Object> 
...

To Establish Login Recovery for an Account Policy

Configuring Login Recovery as an alternative to the security questions-based login implements a message obfuscation option that renders the same generic result message for all errors and successes. This method helps prevent account harvesting.

The obfuscate messages option is enabled by default in the loginRecovery.jsp file. You can set this same option in the lookupUserId.jsp files.

Functionally, Login Recovery uses the same system as the Forgot Your User ID? method and both methods share the same configuration attributes. The main difference between these two methods is that Login Recovery also resets the user's password and then emails both the login and the password to the user's email address.

You can replace the security questions-based log-in method with the Login Recovery method by redirecting the Forgot Your Password? button or by creating a new Login Recovery button on the Log In pages. You configure either option in the System Configuration file, as follows:

• To redirect Forgot Password to Login Recovery, specify

  ui.web.user.questionLogin.forceLoginRecovery = true ui.web.admin.questionLogin.forceLoginRecovery = true

• To use a Login Recovery button instead of Forgot Password/Lookup, specify

  ui.web.user.disableLoginRecovery = false ui.web.admin.disableLoginRecovery = false ui.web.user.disableForgotPassword = true ui.web.admin.disableForgotPassword = true ui.web.user.disableForgotUserId = true ui.web.admin.disableForgotUserId = true

Assigning Administrative Privileges

You can assign Waveset administrative privileges, or capabilities, to users as follows:

• Admin Roles. Users assigned an Admin Role inherit the capabilities and controlled organizations defined by the role. By default, all Waveset user accounts are assigned the User Admin Role when created. For detailed information about Admin Roles and creating an Admin Role, see Understanding and Managing Admin Roles in Chapter 6, Administration.

• Capabilities. Capabilities are defined by rules. Waveset provides sets of capabilities grouped into functional capabilities that you can select from. Assigning capabilities allows for more granularity in assigning administrative privileges. For information about capabilities and creating capabilities, seeUnderstanding and Managing Capabilities in Chapter 6, Administration.

• Controlled organizations. Controlled organizations grant administrative control privileges over specified organizations. For more information, see Understanding Waveset Organizations in Chapter 6, Administration.

For more information about Waveset Administrators and administrative duties, see Chapter 6, Administration

User Self-Discovery

The Waveset end-user interface allows end-users to discover resource accounts. This means that a user with an Waveset identity can associate it with an existing, but unassociated, resource account.

To enable self-discovery, you must edit a special configuration object (End User Resources) and add to it the name of each resource on which the user will be allowed to discover accounts.

1. Edit the “End User Resources” configuration object.

   For instructions on editing Waveset configuration objects, see Editing Waveset Configuration Objects.

2. Add <String>Resource</String>, where Resource matches the name of a resource object in the repository, as illustrated in the following figure.

   

3. Click Save.

   When self-discovery is enabled, the user is presented with a new selection under the Profile menu tab on the Waveset User interface (Self Discovery). This area allows the user to select a resource from an available list, and then enter the resource account ID and password to link the account with his Waveset identity.

   ---

   Note –

   To give end-users access to Waveset configuration objects, administrators can also use the “End User” organization. See The End User Organization for details.

   ---

Anonymous Enrollment

The anonymous enrollment feature allows a user without an Waveset account to obtain one by request.

Enabling Anonymous Enrollment

By default, the anonymous enrollment feature is disabled.

To enable the anonymous enrollment feature,

1. In the Administrator interface, click Configure, and then click User Interface.

2. In the Anonymous Enrollment area, select the Enable option, and then click Save.

   When a user logs in to the User interface, the login page will display the text First time user? followed by a Request Account link.

   

   ---

   Note –

   The text First time user? Request Account is customizable. See the Oracle Waveset 8.1.1 Deployment Guidefor details.

   ---

Configuring Anonymous Enrollment

From the Anonymous Enrollment area on the User Interface page, you can configure the following options for the anonymous enrollment process:

• Notification Template. Specify the ID of an email template to use to send notifications to the user requesting an account.

• Require Privacy Policy. If selected, then the user must accept the privacy policy before he can request an account. This is enabled by default.

• Enable Validation. If selected, then the user must validate his employment before he can request an account. This is enabled by default.

• Process Launch URL. Enter a URL to specify which workflow will be used for the anonymous enrollment process.

• Enable Notifications. If selected, then a notification email will be sent to the user when his account has been created.

• Email Domain. Enter the name of the email domain to use to construct the user’s email address.

Click Save when finished.

User Enrollment Process

When a user logs on to the User interface, that user can request an account by clicking Request Account on the login page.

Waveset displays the first of two registration pages, which requests a first name, last name, and employee ID. If the Enable Validation attribute is set to yes (the default), then this information must be validated before the user can proceed to the next page.

The verifyFirstname, verifyLastname, verifyEmployeeId, and verifyEligibility rules in EndUserLibrary validate the information for each attribute.

You may need to modify one or more of these rules. In particular, you should modify the rule that verifies the employee ID to use a Web services call or Java class to verify the information.

If the Enable Validation attribute is disabled, then the initial registration page does not display. In this case, you must modify the End User Anonymous Enrollment Completion form to allow the user to enter information normally captured by the initial validation form.

From the information provided on the Registration page, Waveset generates:

• An account ID (following the convention of first initial, last initial, employee ID).

• An email address in the form:

  FirstName.LastName@EmailDomain

  Where EmailDomain is the domain set by the Email Domain attribute in anonymous enrollment configuration.

• The manager attribute (idmManager). You can set this attribute by modifying the EndUserRuleLibrary:getIdmManager rule. By default, the manager is set to Configurator. The administrator designated as the manager must approve the user request before his account is provisioned.

• The organization attribute. You can set this attribute by customizing the EndUserRuleLibrary:getOrganization rule. By default, users are assigned to the top of the organizational hierarchy (“Top”).

If the information provided by the user on the Registration page validates correctly, then Waveset presents the user with the second Registration page. Here the user must enter a password and password confirmation. If the Require Privacy Policy attribute is set to yes, then the user must also select an option to accept the terms of the privacy policy.

When the user clicks Register, Waveset presents a confirmation page. If the Enable Notifications attribute is set to yes, then the page indicates the user will receive email notification when he account has been created.

The account is created after the standard Create User process (including approvals required by the idmManager attribute and policy settings) is complete.