An organization entity is a logical container for other entities, such as users and other organizations, in Oracle Identity Manager. An organization in Oracle Identity Manager is used only for security scoping: it is not an enterprise organization, an LDAP organization, or an organizational unit.
The concepts related to organizations and procedures to manage organizations are described in the following sections:
Vision Inc. is a fictitious company used in this document to depict a typical delegated administration use case. There are five user types: employees, contractors, suppliers, partners, and customers. There are approximately one hundred applications that are to be provisioned to each user. In this example, the proposed solution is called IDM.
Vision Inc. has two major sets of users, Internal Users consisting of employees and contractors, and External Users consisting of partners, suppliers, and customers, as illustrated in Figure 13-1:
Internal Users are on-boarded and managed directly by an HR Administrator using Oracle Identity Self Service. The IDM administrator creates the partner, supplier, and customer organizations shown in Figure 13-1 and assigns a delegated administrator for each of them. For example, the IDM administrator can create and manage a partner organization called Partner1, create one or more users under Partner1, and assign one or more of those users as delegated administrators for that organization. The delegated administrator, for example Partner1 DA, can then create additional hierarchy under Partner1, such as Partner1 US and Partner1 EMEA, and can specify a delegated administrator under each of these organizations. For example, Partner1 DA can specify User1 under Partner1 US as the delegated administrator of Partner1 US. The hierarchy can be nested to any depth.
The users created under each of these organizations follow a strict permission model. For example, users in the External Users organization cannot see users in the Internal Users organization, but internal users who belong to the IDM Administrator organization can see both internal and external users. Partner1 DA cannot see users under Partner2, and vice versa. Similarly, Partner1 US DA cannot see Partner1 EMEA users. A parent delegated administrator can see all child delegated administrators, but not the reverse. For example, Partner1 DA can see Partner1 US and Partner1 EMEA users, but Partner1 US users can see only users in Partner1 US. This entire delegation model is achieved through the organization hierarchy, assignment of viewer admin roles to users, and publishing entities only to the organizations to which the users belong.
The ability of users in an organization to view and access resources follows the hierarchy. For example, all resources and roles permitted for Partner1 are visible by default to Partner1 US and Partner1 EMEA. This is achieved by selecting the flag to include suborganizations when publishing the entities, as described later in this document. Both publishing and delegation are organization hierarchy-aware. Each delegated administrator can further limit the availability of resources for the entities under their administration.
The delegated administration model is achieved through the following:
Organization definition: Users and entities are defined in logical containers called organizations, and a set of attributes is defined for the organizations. See "Organization Entity Definition" for details.
Organization scoping with logical organization hierarchy: Scoping entities to a certain set of users. This means that not all users can view or access all entities. For example, the users in the Partners organization can only view the roles, entitlements, and application instances available to the Partners organization. These users cannot view or access the entities available to the Suppliers and Customers organizations. See "Organization Scoping and Hierarchy" for details.
Publishing of entities to organizations: The entities are made available to the users of an organization. See "Publishing Entities to Organizations".
Admin roles: The permissions that a user has on an entity are governed by the admin roles assigned to the user. See "Admin Roles" for details.
In Oracle Identity Manager, a default set of attributes is defined for the organization entity. Attributes are described by the same metadata (category, type, data type, display type, and properties) for all entities, such as user, organization, role, role hierarchy, and role membership. For the attributes defined for each entity, see "User Entity Definition".
Table 13-1 lists the default attributes of the organization entity:
Table 13-1 Default Attributes of the Organization Entity
| Attribute Name | Category | Type | Data Type | Display Type | Properties |
|---|---|---|---|---|---|
| Organization Name | Basic | Single | String | Single line text | Required: Yes; System-Can-Default: No; System-Controlled: No; Encryption: Clear; User-Searchable: Yes |
| Type | Basic | Single | String | LOV | Required: Yes; System-Can-Default: Yes; System-Controlled: Yes; Encryption: Clear; User-Searchable: Yes |
| Parent Organization | Basic | Single | String | Single line text | Required: No; System-Can-Default: No; System-Controlled: No; Encryption: Clear; User-Searchable: Yes |
| Status | Basic | Single | String | Single line text | Required: Yes; System-Can-Default: Yes; System-Controlled: Yes; Encryption: Clear; User-Searchable: Yes |
| Password Policy | Basic | Single | String | LOV | Required: No; System-Can-Default: No; System-Controlled: No; Encryption: Clear; User-Searchable: Yes |
In Oracle Identity Manager, the root of the organizational hierarchy is represented by the Top organization. The Top organization is a predefined organization that is available in Oracle Identity Manager. By default, every organization in Oracle Identity Manager extends from the Top organization.
Oracle Identity Manager provides an organizational-level scoping mechanism for delegated administration and data security of various entities. This is achieved by the following:
User's admin role memberships in organizations: User is assigned permissions over an organization by assigning admin role in that organization scope.
Entities available in organizations: Data is secured by confining its availability to a set of organizations. The process of making data available in an organization scope is referred to as publishing. A user is allowed to perform an operation on an entity, as permitted by the user's admin roles, only if the admin role membership is granted in the scope of an organization and the entity is published to that same organization.
Publishing an entity to an organization makes the entity available to that organization. Enterprise roles, entitlements, and application instances are published by their respective administrators to a list of organizations so that they can be granted to the users of those organizations. Publishing makes these entities:
Requestable by users under the listed organizations
Manageable by the administrators of the listed organizations
You can publish entities to organizations from the Organizations tab of the respective entity details page in Identity Self Service.
When an entity admin creates an entity (for example, a Role Admin creates an enterprise role), that entity (the role, in this example) is automatically made available to all the organizations in which the admin holds the entity admin role. This avoids having to create and then publish entities for admins in their respective organizations or organization hierarchies. However, if the entity needs to be available to other organizations, it must be published to them manually.
An admin role is a first-class entity in Oracle Identity Manager and is not the same as an enterprise role or a group. The authorization and security model in Oracle Identity Manager is based on the admin roles assigned to a user. An assignment is made either in the scope of a given organization or in the scope of the Top organization, which, as mentioned earlier, is the root of the organization hierarchy. Authorization policies are defined in terms of admin roles. Admin roles are predefined in Oracle Identity Manager: they cannot be created, updated, deleted, or requested.
Each entity has the following admin roles defined for it:
Entity Administrator: Can manage the entire lifecycle of the entity and perform any operation on it.
Entity Viewer: Can view the entity in the catalog or in request profiles and request it; the request is subject to approval.
Entity Authorizer: Can view the entity in the catalog or in request profiles and grant or revoke it as a direct operation that does not require approval. There is no authorizer for the organization entity because organization membership cannot be requested. Similarly, there is no separate authorizer for the user entity; the User Administrator role also acts as the user authorizer.
However, there are exceptions to what an entity administrator can do. For example, a Role Administrator cannot assign the role to users or revoke it from them. To do so, the role administrator must also explicitly hold one of the following:
Role Viewer: To assign or revoke the role through requests, which are subject to approval.
Role Authorizer: To assign or revoke the role as a direct operation.
Similarly, Application Instance Administrators and Entitlement Administrators cannot assign or revoke the respective entities to or from users. They must explicitly hold the corresponding entity viewer or entity authorizer role to do so, through a request or as a direct operation respectively.
Admin roles have no hierarchy. However, admin role memberships are hierarchy-aware and can be cascaded downwards to the child organizations. Admin role membership is always given in an organization scope, and can only be assigned by the System Administrator or System Configurator. Admin roles do not have autogroup membership or role membership rules.
Note:
Admin roles cannot be stored in LDAP data store and are stored in Oracle Identity Manager database.
Admin roles belong to a role category called admin roles. They cannot be requested and are never exposed to end users. Only users assigned the System Administrator or System Configurator role, which are required in order to perform system functions, can manage admin roles.
The System Administrator and System Configurator admin roles are available only to the Top organization. Therefore, only System Administrators and System Configurators can assign System Administrator and System Configurator roles because they have access to the Top organization. Only a System Administrator can provision resources to an organization.
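The scoping rules described above (admin role membership granted in an organization scope with optional cascade to child organizations, entities published to organizations with or without the include-suborganizations flag, and the requirement that both hold in the same organization) can be checked mechanically. The following is an added example written for this page, not Oracle Identity Manager code or any API of it. It uses the Vision Inc. organization names from the delegated administration scenario, constructed user and role names (Partner1 DA, PartnerPortal, Partner1HQ, Global Role Admin), and a reduced admin-role to operation mapping taken from Table 13-3. It also reproduces the Role Administrator exception: the administrator can modify the role but cannot grant it.

```python
"""Toy model of Oracle Identity Manager's organization-scoped authorization.

Added example, not Oracle Identity Manager code. It models the rules stated
in the text: admin role membership is granted in an organization scope and
may cascade to child organizations; entities are published to organizations,
optionally including suborganizations; an operation is allowed only when the
user's admin role covers an organization AND the entity is published to that
same organization. Organization names follow the Vision Inc. scenario; user
and entity names and the reduced admin-role to operation mapping (a subset
of Table 13-3) are constructed for the example.
"""
from dataclasses import dataclass

# Parent of each organization; Top is the root (constructed sample data).
PARENT = {
    "Internal Users": "Top",
    "External Users": "Top",
    "Partner1": "External Users",
    "Partner2": "External Users",
    "Partner1 US": "Partner1",
    "Partner1 EMEA": "Partner1",
}
ALL_ORGS = set(PARENT) | {"Top"}

# Operation -> "Direct" / "Request" / "NA" per admin role (subset of Table 13-3).
ROLE_PERMITS = {
    "Role Viewer": {"View Role": "NA", "Grant Role": "Request", "Revoke Role": "Request"},
    "Role Authorizer": {"View Role": "NA", "Grant Role": "Direct", "Revoke Role": "Direct"},
    # A Role Administrator manages the role but cannot grant or revoke it.
    "Role Administrator": {"View Role": "NA", "Create Role": "Direct",
                           "Modify Role": "Direct", "Delete Role": "Direct"},
}
RANK = {"NA": 0, "Request": 1, "Direct": 2}  # strongest mode wins when several roles apply


def ancestors(org):
    """Yield org itself, then each parent up to and including Top."""
    while org is not None:
        yield org
        org = PARENT.get(org)


@dataclass(frozen=True)
class Membership:
    admin_role: str
    org: str
    cascade: bool          # membership also covers child organizations


@dataclass(frozen=True)
class Publication:
    org: str
    include_suborgs: bool  # the "include suborganizations" flag


class Model:
    def __init__(self):
        self.memberships = {}   # user -> [Membership]
        self.publications = {}  # entity -> [Publication]

    def grant(self, user, admin_role, org, cascade=False):
        self.memberships.setdefault(user, []).append(Membership(admin_role, org, cascade))

    def publish(self, entity, org, include_suborgs=False):
        self.publications.setdefault(entity, []).append(Publication(org, include_suborgs))

    def published_in(self, entity, org):
        """Entity is available in org if published there, or to an ancestor with include_suborgs."""
        return any(p.org == org or (p.include_suborgs and p.org in ancestors(org))
                   for p in self.publications.get(entity, ()))

    @staticmethod
    def covers(m, org):
        """Membership applies to org if granted there, or cascaded down from an ancestor."""
        return m.org == org or (m.cascade and m.org in ancestors(org))

    def decide(self, user, operation, entity):
        """Return 'Direct', 'Request' or 'NA' if allowed, None if denied."""
        best = None
        for m in self.memberships.get(user, ()):
            mode = ROLE_PERMITS.get(m.admin_role, {}).get(operation)
            if mode is None:
                continue
            # Both conditions must hold in the SAME organization.
            if any(self.covers(m, org) and self.published_in(entity, org) for org in ALL_ORGS):
                if best is None or RANK[mode] > RANK[best]:
                    best = mode
        return best


def vision_demo():
    """Vision Inc. scenario with constructed users and roles."""
    m = Model()
    m.publish("PartnerPortal", "Partner1", include_suborgs=True)  # visible in Partner1 US/EMEA too
    m.publish("Partner1HQ", "Partner1")                            # Partner1 only
    m.grant("Partner1 DA", "Role Authorizer", "Partner1", cascade=True)
    m.grant("Partner1 US DA", "Role Viewer", "Partner1 US")
    m.grant("Partner2 DA", "Role Authorizer", "Partner2", cascade=True)
    m.grant("Global Role Admin", "Role Administrator", "Top", cascade=True)
    return {
        "partner1_da_grants_portal": m.decide("Partner1 DA", "Grant Role", "PartnerPortal"),
        "partner1_us_da_grants_portal": m.decide("Partner1 US DA", "Grant Role", "PartnerPortal"),
        "partner1_us_da_grants_hq": m.decide("Partner1 US DA", "Grant Role", "Partner1HQ"),
        "partner2_da_grants_portal": m.decide("Partner2 DA", "Grant Role", "PartnerPortal"),
        "role_admin_grants_portal": m.decide("Global Role Admin", "Grant Role", "PartnerPortal"),
        "role_admin_modifies_portal": m.decide("Global Role Admin", "Modify Role", "PartnerPortal"),
    }


if __name__ == "__main__":
    for case, mode in vision_demo().items():
        print(f"{case}: {mode or 'denied'}")
```

Running it shows the expected outcomes of the scenario: Partner1 DA grants the role directly, Partner1 US DA can only request it, Partner1 US DA gets nothing for the role published without the suborganization flag, Partner2 DA sees nothing published outside its branch, and the Top-scoped Role Administrator can modify the role everywhere but cannot grant it. The check worth keeping in any reimplementation is the same-organization intersection in decide(): checking "has the role somewhere" and "entity is published somewhere" separately is the mistake that quietly widens a delegated administrator's reach.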
Table 13-2 lists the admin roles in Oracle Identity Manager for each entity.
Note:
In Table 13-3, you will come across implicit permissions called org basic info, role basic info, entitlement basic info, and appinstance basic info. A basic-info permission grants only the ability to search for and view the given entity. Consider the following examples:
View Org permission provides all the permissions defined for the Organization Viewer admin role, but org basic info provides the permissions only to search and view the organization attributes.
The User Viewer admin role provides the basic info permission on roles, organizations, application instances, and entitlements in that scoped organization.
Table 13-2 Admin Roles in Oracle Identity Manager
| Entity | Admin Role | Description |
|---|---|---|
| | System Administrator | Oracle Identity Manager System Administrator role with all privileges |
| | System Configurator | Role with privileges to configure Oracle Identity Manager |
| | SPML Administrator | SPML administrator to manage SPML operations |
| Role | Role Administrator | Role with privileges to administer all assigned enterprise roles |
| Role | Role Authorizer | Role with privileges to authorize all assigned enterprise roles. A Role Authorizer can grant roles as a direct operation. |
| Role | Role Viewer | Role with privileges to view assigned enterprise roles |
| Entitlement | Entitlement Administrator | Role with privileges to administer all assigned entitlements |
| Entitlement | Entitlement Authorizer | Role with privileges to authorize all assigned entitlements |
| Entitlement | Entitlement Viewer | Role with privileges to view all assigned entitlements |
| Application Instance | Application Instance Administrator | Role with privileges to administer all assigned application instances |
| Application Instance | Application Instance Authorizer | Role with privileges to authorize all assigned application instances |
| Application Instance | Application Instance Viewer | Role with privileges to view all assigned application instances |
| Organization | Organization Administrator | Role with privileges to administer all assigned organizations |
| Organization | Organization Viewer | Role with privileges to view all assigned organizations |
| User | User Administrator | Role with privileges to administer all assigned users |
| User | HelpDesk | Help Desk role to manage users |
| User | User Viewer | Role with privileges to view all assigned user records |
| Catalog | Catalog Administrator | Role with privileges to manage all catalog items |
See Also:
"Security Architecture" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about admin roles
Table 13-3 lists the admin roles in Oracle Identity Manager and the permissions provided by each admin role.
Table 13-3 Admin Roles and Permissions
The implicit permissions of each admin role are listed once, in the first row for that role; the remaining rows for the role list its organization-scoped permissions and whether each is performed as a request (subject to approval), as a direct operation, or neither (NA, for view and search permissions).

| Admin Role in Oracle Identity Manager | Implicit Permissions | Organization Scoped Permissions | Request or Direct Operation |
|---|---|---|---|
| User Administrator | Organization Viewer, Role Viewer, Entitlement Viewer, AppInstance Viewer | Search User (attribute-level security) | NA |
| | | View User (attribute-level security) | NA |
| | | Create User | Direct |
| | | Delete User | Direct |
| | | Modify User (attribute-level security) | Direct |
| | | Lock User | NA |
| | | Unlock User | NA |
| | | Enable User | Direct |
| | | Disable User | Direct |
| | | Grant Role | Direct |
| | | Revoke Role | Direct |
| | | Grant Accounts | Direct |
| | | Revoke Accounts | Direct |
| | | Grant Entitlements | Direct |
| | | Revoke Entitlements | Direct |
| | | Change User Password | NA |
| | | Change Account Passwords | NA |
| | | Modify User Account | Direct |
| | | Enable User Account | Direct |
| | | Disable User Account | Direct |
| | | View Org | NA |
| | | View Role | NA |
| | | View Entitlements | NA |
| | | View Application Instance | NA |
| | | View Requests | NA |
| | | View Admin Role Memberships | NA |
| | | View Role Memberships | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| | | View Proxy | NA |
| | | Add Proxy | Direct |
| | | Delete Proxy | Direct |
| Help Desk | Org Basic Info, Role Basic Info, Entitlement Basic Info, AppInstance Basic Info | Search User (attribute-level security) | NA |
| | | View User (attribute-level security) | NA |
| | | Enable User | Request |
| | | Disable User | Request |
| | | Unlock User ONLY IF locked out due to failed logins | Direct |
| | | Change User Password | Direct |
| | | Change Account Password | Direct |
| | | View Org | NA |
| | | View Role | NA |
| | | View Entitlements | NA |
| | | View Application Instance | NA |
| | | View Requests | NA |
| | | View Role Memberships | NA |
| | | View Proxy | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| User Viewer | Organization Viewer, Role Viewer, Entitlement Viewer, AppInstance Viewer | Create User | Request |
| | | Delete User | Request |
| | | Modify User (attribute-level security) | Request |
| | | Search User (attribute-level security) | NA |
| | | View User (attribute-level security) | NA |
| | | Enable User | Request |
| | | Disable User | Request |
| | | Grant Role | Request |
| | | Revoke Role | Request |
| | | Grant Accounts | Request |
| | | Revoke Accounts | Request |
| | | Grant Entitlements | Request |
| | | Revoke Entitlements | Request |
| | | Modify User Account | Request |
| | | View Org | NA |
| | | View Role | NA |
| | | View Entitlements | NA |
| | | View Application Instance | NA |
| | | View Requests | NA |
| | | View Role Memberships | NA |
| | | View Proxy | NA |
| | | Enable User Account | Request |
| | | Disable User Account | Request |
| | | View Admin Role Memberships | NA |
| | | Add Admin Roles | NA |
| | | Delete Admin Roles | NA |
| | | Modify Admin Role Membership | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| Role Viewer | Org Basic Info, User Basic Info | Grant Role | Request |
| | | Revoke Role | Request |
| | | View Org | NA |
| | | View Role | NA |
| | | View Users | NA |
| | | View Role Memberships | NA |
| Organization Viewer | Org Basic Info, User Basic Info, AppInstance Info, Entitlement Info | Search Org | NA |
| | | View Org | NA |
| | | View Users | NA |
| | | View Role | NA |
| | | View AppInstance | NA |
| | | View Entitlement | NA |
| | | View All Publications | NA |
| | | View All Org Members | NA |
| | | View Admin Roles and Memberships | NA |
| | | View Accounts Provisioned to Org | NA |
| Application Instance Viewer | User Basic Info, Org Basic Info, Entitlement Info | Search Application Instance | NA |
| | | View Application Instance (excluding passwords) | NA |
| | | Grant Account | Request |
| | | Revoke Accounts | Request |
| | | Modify User Account | Request |
| | | Enable User Account | Request |
| | | Disable User Account | Request |
| | | View Org | NA |
| | | View User | NA |
| | | View AppInstance | NA |
| | | View Entitlements | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| Entitlement Viewer | User Basic Info, Org Basic Info, AppInstance Basic Info | Search Entitlement | NA |
| | | View Entitlement | NA |
| | | Grant Entitlement | Request |
| | | Revoke Entitlement | Request |
| | | View Orgs | NA |
| | | View Users | NA |
| | | View AppInstance | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| Role Administrator | User Basic Info, Org Basic Info | Search Role | NA |
| | | View Role | NA |
| | | Create Role | Direct |
| | | Modify Role | Direct |
| | | Delete Role | Direct |
| | | View Role Members | NA |
| | | Manage Role Hierarchy | Direct |
| | | Publish Role (only to allowed orgs) | Direct |
| | | Unpublish Role (only from allowed orgs) | Direct |
| | | Manage Role Membership Rules | Direct |
| | | Create Role Category | Direct |
| | | Update Role Category | Direct |
| | | Delete Role Category | Direct |
| | | View Users | NA |
| | | View Orgs | NA |
| | | View Role Memberships | NA |
| Application Instance Administrator | User Basic Info, Org Basic Info, Entitlement Administrator | Create Application Instance | Direct |
| | | Modify Application Instance | Direct |
| | | Delete Application Instance | Direct |
| | | Search Application Instance | NA |
| | | View Application Instance | NA |
| | | Publish Application Instance (only to allowed orgs) | Direct |
| | | Unpublish Application Instance (only from allowed orgs) | Direct |
| | | Publish Entitlements (only to allowed orgs) | Direct |
| | | Unpublish Entitlements (only from allowed orgs) | Direct |
| | | Access Advanced UI | NA |
| | | View Accounts | NA |
| | | View Users | NA |
| | | View Orgs | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| Organization Administrator | User Basic Info, AppInstance Basic Info, Entitlement Basic Info, Role Basic Info | Search Org | NA |
| | | View Org | NA |
| | | Create Organization | Direct |
| | | Modify Organization | Direct |
| | | Delete Organization | Direct |
| | | All Role Admin privileges for admin roles | Direct |
| | | Update Organization Hierarchy (for a specific organization) | Direct |
| | | Associate Password Policy | Direct |
| | | View Members | NA |
| | | View Roles Published | NA |
| | | View Application Instances Published | NA |
| | | View Entitlements Published | NA |
| | | View Accounts (provisioned to org). Note: provisioning resources to an organization is allowed only to the System Administrator. | NA |
| Entitlement Administrator | User Basic Info, AppInstance Basic Info, Org Basic Info | Search Entitlements | NA |
| | | View Entitlements | NA |
| | | Add Entitlements (API) | Direct |
| | | Delete Entitlements (API) | Direct |
| | | Update Entitlements (API) | Direct |
| | | Publish Entitlement (only to allowed orgs) | Direct |
| | | Unpublish Entitlement (only from allowed orgs) | Direct |
| | | View Orgs | NA |
| | | View User | NA |
| | | View Application Instance | NA |
| | | View Accounts | NA |
| | | View Entitlement Members | NA |
| | | View Published Entitlements (API); organization data security applies | NA |
| Catalog Administrator | AppInstance Basic Info, Entitlement Basic Info, Role Basic Info | Edit Catalog Metadata | Direct |
| | | Create Request Profiles | Direct |
| | | Modify Request Profiles | Direct |
| | | Delete Request Profiles | Direct |
| | | View Application Instances | NA |
| | | View Entitlements | NA |
| | | View Roles | NA |
| Role Authorizer | User Basic Info, Org Basic Info | View Role | NA |
| | | Grant Role | Direct |
| | | Revoke Role | Direct |
| | | View Orgs | NA |
| | | View Users | NA |
| | | View Role Memberships | NA |
| Application Instance Authorizer | User Basic Info, Org Basic Info | Search Application Instance | NA |
| | | View Application Instance (excluding passwords) | NA |
| | | Grant Account | Direct |
| | | Revoke Account | Direct |
| | | Modify Account | Direct |
| | | Enable Account | Direct |
| | | Disable Account | Direct |
| | | View Org | NA |
| | | View Entitlements | NA |
| | | View Users | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| Entitlement Authorizer | User Basic Info, Org Basic Info, AppInstance Basic Info | Search Entitlement | NA |
| | | View Entitlement | NA |
| | | Grant Entitlement | Direct |
| | | Revoke Entitlement | Direct |
| | | View Users | NA |
| | | View Orgs | NA |
| | | View Application Instance | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| Catalog System Administrator | AppInstance Basic Info, Entitlement Basic Info, Role Basic Info | Edit Catalog Metadata | Direct |
| | | Create Request Profiles | Direct |
| | | Modify Request Profiles | Direct |
| | | Delete Request Profiles | Direct |
| | | View Application Instances | NA |
| | | View Entitlements | NA |
| | | View Roles | NA |
| System Configuration Administrator | Role Basic Info, Org Basic Info, Application Instance Basic Info, Entitlement Basic Info | View Forms | NA |
| | | Create Forms | NA |
| | | Modify Forms | NA |
| | | Delete Forms | NA |
| | | Import Connector | NA |
| | | Export Connector | NA |
| | | View Resource Object | NA |
| | | Create Resource Object | NA |
| | | Modify Resource Object | NA |
| | | Delete Resource Object | NA |
| | | View Application Instance | NA |
| | | Create Application Instance | NA |
| | | Modify Application Instance | NA |
| | | Delete Application Instance | NA |
| | | Publish Application Instance | NA |
| | | View Entitlement | NA |
| | | Publish Entitlement | NA |
| | | Delete Entitlement (using APIs) | NA |
| | | Modify Entitlement (using APIs) | NA |
| | | Add Entitlement (using APIs) | NA |
| | | View Approval Policies | NA |
| | | Create Approval Policies | NA |
| | | Modify Approval Policies | NA |
| | | Delete Approval Policies | NA |
| | | Access Advanced UI | NA |
| | | View Password Policy | NA |
| | | Create Password Policy | NA |
| | | Modify Password Policy | NA |
| | | Delete Password Policy | NA |
| | | View Notification | NA |
| | | Create Notification | NA |
| | | Delete Notification | NA |
| | | Modify Notification | NA |
| | | Add Locale to Notification | NA |
| | | Remove Locale from Notification | NA |
| | | Complete Async Event Handlers | NA |
| | | Orchestration Operation | NA |
| | | Register Plugin | NA |
| | | Unregister Plugin | NA |
| | | View Scheduled Jobs | NA |
| | | Start Scheduler | NA |
| | | Stop Scheduler | NA |
| | | Add Task | NA |
| | | Modify Task | NA |
| | | Delete Task | NA |
| | | Create Trigger | NA |
| | | Delete Trigger | NA |
| | | Modify Trigger | NA |
| | | View Jobs | NA |
| | | Create Jobs | NA |
| | | Modify Jobs | NA |
| | | Delete Jobs | NA |
| | | Enable Jobs | NA |
| | | Disable Jobs | NA |
| | | Run-now Jobs | NA |
| | | Pause Jobs | NA |
| | | Resume Jobs | NA |
| | | Stop Jobs | NA |
| | | Reset Status | NA |
| | | View System Properties | NA |
| | | Create System Properties | NA |
| | | Modify System Properties | NA |
| | | Delete System Properties | NA |
| | | View Attributes | NA |
| | | Add Attributes | NA |
| | | Modify Attributes | NA |
| | | Delete Attributes | NA |
| | | Add Derived Attributes | NA |
| SPML Admin | | Create, modify, and delete users | Request |
| | | Search users on all attributes | NA |
| | | Enable user status | Request |
| | | Disable user status | Request |
| | | Add role memberships | Request |
| | | Delete role memberships | Request |
| | | Search roles on all attributes | NA |
| | | Create, modify, and delete roles | Request |
Note:
You can add a restriction on home organization permissions such that only a manager can view or modify the manager's reportees. To do so, open and delete the following policies by using the Authorization Policy Management (APM) UI:
OrclOIMUserHomeOrgDirectWithAttributesPolicy
OrclOIMUserHomeOrgDirectPolicy
OrclOIMUserHomeOrgApprovalWithAttributesPolicy
OrclOIMUserHomeOrgApprovalPolicy
For more information about the authorization policies used to control user's access to Oracle Identity Manager application, see the "Security Architecture" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
There are some operations that can be delegated to other users (delegated administrators). These operations are:
Create User
Modify User
Enable User
Disable User
Change Password
Assign Roles
Assign Organizations
Assign Entitlements
Provisioning Accounts
Create and Manage Organization and Organization hierarchy
Create and Manage Role and Role Hierarchy
Create and Manage RO and IT Resource Instances
The following operations cannot be delegated to other users:
Create and Manage Catalog
Other System Administration Tasks
Lookup Definition Management
Password Policy Definition management
Password policies are a list of rules or conditions that govern the syntax of the password. Password policies are created by System Administrators. For more information about creating and managing password policies, see the "Managing Password Policies" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Organization administrators can attach a password policy to an organization either while creating an organization or at any later point in time. The procedure to create or modify an organization is discussed later in this chapter.
In Oracle Identity Manager, password policies are evaluated in the following scenarios:
When users register themselves to Oracle Identity Manager to perform certain tasks in Identity Self Service or Oracle Identity System Administration.
When users reset their password using the Forgot Password? link.
When users change their enterprise password or target system account password from the Change Password section of the My Information page.
When an administrator sets or changes the password of a user manually.
The following is the order in which a user's effective password policy is evaluated:
The password policy (if available) set for the user's home organization is applicable for the user.
If no password policy is set for the user's home organization, then the policy of the parent organization is used. This continues up the organization hierarchy until an organization with an associated password policy is found, and that policy applies to the user.
If none of the organizations in the hierarchy has password policies set, then the password policy attached to the Top organization is applicable. If no password policy is attached to the Top organization, then the default password policy of the XellerateUsers resource is applicable.
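The evaluation order above is a walk up the organization hierarchy from the user's home organization to Top, with a final fallback to the XellerateUsers default. The following added example (written for this page, not Oracle Identity Manager code or any API of it) implements that resolution over a constructed hierarchy with constructed policy names; the DEFAULT_POLICY constant stands in for the default password policy of the XellerateUsers resource. It also rejects a cyclic hierarchy, which the page does not discuss but which would otherwise make the walk loop forever.

```python
"""Resolve a user's effective password policy by walking up the organization
hierarchy from the home organization to Top.

Added example, not Oracle Identity Manager code. The organization hierarchy,
policy assignments and policy names are constructed; DEFAULT_POLICY stands in
for the default password policy of the XellerateUsers resource.
"""

TOP = "Top"
DEFAULT_POLICY = "XellerateUsers default policy"  # used when even Top has no policy


def effective_password_policy(home_org, parent_of, policy_of):
    """Return (policy, organization it came from); organization is None for the default.

    parent_of maps every organization except Top to its parent organization;
    policy_of maps an organization to the policy attached to it (absent = none).
    """
    org = home_org
    visited = set()
    while True:
        if org in visited:  # a parent chain must end at Top, never loop back
            raise ValueError(f"cycle in organization hierarchy at {org!r}")
        visited.add(org)
        policy = policy_of.get(org)
        if policy is not None:  # first organization up the chain with a policy wins
            return policy, org
        if org == TOP:          # Top reached with no policy: XellerateUsers default
            return DEFAULT_POLICY, None
        if org not in parent_of:
            raise KeyError(f"unknown organization {org!r}")
        org = parent_of[org]


# Constructed hierarchy in the style of the Vision Inc. scenario.
PARENT_OF = {
    "Internal Users": TOP,
    "External Users": TOP,
    "Partner1": "External Users",
    "Partner1 US": "Partner1",
}


def demo():
    """Three cases: policy inherited from an ancestor, policy from Top, and the default."""
    policies = {"External Users": "ExternalPartnerPolicy", TOP: "CorporatePolicy"}
    results = {
        # Partner1 US and Partner1 have no policy; External Users does.
        "partner1_us": effective_password_policy("Partner1 US", PARENT_OF, policies),
        # Internal Users has no policy; Top does.
        "internal": effective_password_policy("Internal Users", PARENT_OF, policies),
    }
    no_top_policy = {"External Users": "ExternalPartnerPolicy"}
    # Nothing on the chain up to and including Top: fall back to the default.
    results["internal_no_top"] = effective_password_policy("Internal Users", PARENT_OF, no_top_policy)
    return results


if __name__ == "__main__":
    for name, (policy, org) in demo().items():
        print(f"{name}: {policy} (from {org or 'default'})")
```

The practical consequence for an administrator is visible in the first case: a policy attached to Partner1 EMEA or Partner1 US is applied only there, and a weaker policy on a suborganization silently overrides a stricter one set higher up, so reviewing password policy assignments means reviewing the whole chain, not just Top.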
The tasks related to organization management are performed in the Organizations section of Identity Self Service. The tasks are described in the following sections:
To search for organizations:
Log in to Identity Self Service.
In the left pane, under Administration, click Organizations. The Organization page is displayed.
Select any one of the following:
All: Search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.
Any: Search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.
In the Organization Name field, enter the organization name to search for. Select a search comparator: the default is Starts With, and Equals is available as an alternative.
You can use wildcard characters to specify the organization name.
From the Type list, select the organization type. The organization type can be Branch, Company, or Department.
To add a field in your search:
Click Add Fields, and select a field, such as Organization Status.
Enter a value for the search attribute that you added. In this example, from the Organization Status list, select the organization status, which can be Active, Deleted, or Disabled.
If you want to remove a field that you added in the search, then click the cross icon next to the field.
Click Search. The results are displayed in the search results table.
The search results table displays the organization name, parent organization name, organization type, and organization status, as shown in Figure 13-2:
To create an organization:
In Identity Self Service, under Administration, click Organizations. The Organization page is displayed.
From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Organization page is displayed, as shown in Figure 13-3:
In the Organization Name field, enter the name of the organization.
From the Type list, select the type of the organization, such as Branch, Company, or Department.
Specify the parent organization to which the newly created organization will belong. To do so:
Click the search icon next to the Parent Organization field. The Search Organizations dialog box is displayed.
Search and select the organization that you want to specify as the parent organization.
Click Select. The selected organization is added as the parent organization.
Specify a password policy name that you want to associate with the organization. To do so:
Click the search icon next to the Password Policy Name field. The Search Password Policy Name dialog box is displayed.
Search and select the password policy that you want to associate with the organization. To list all password policies, you can click the search icon, and then you can select the password policy from the search results.
Click Add. The selected password policy name is added to the Password Policy Name field.
See Also:
"Managing Password Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about creating and managing password policies
Click Save to create the organization.
The view organization operation allows you to view detailed organization profile information in the organization details page. You can view this page only if you are authorized to view the organization profile as determined by the authorization policy. If you have the authorization to modify the organization, then you can also modify the organization by using this page.
To open the details of an organization:
In Identity Self Service, under Administration, click Organizations. The Organization page is displayed.
Search and select the organization whose details you want to display.
From the Actions menu, select Open. Alternatively, click Open on the toolbar. The details of the selected organization are displayed in a new page, as shown in Figure 13-4:
Figure 13-4 The Organization Details Page
You can make administrative modifications to an organization in the organization details page. The modifications are divided across the different sections of the page; modifications made in each section are independent of the others and must be saved individually. The modifications for each section are described in the following sections:
The Attributes tab, as shown in Figure 13-4, of the organization details page displays attributes of the organization. If you are authorized to modify the organization profile as determined by authorization policy, then the organization details page opens in editable mode, and you can modify organization information. You can modify the values for the attributes, and then click Apply to save the changes.
Whether or not the logged-in user is allowed to modify the organization is controlled by authorization policies. If you are not allowed to modify the organization, then the organization details page is displayed in read-only mode with no editable fields.
Note:
The Status attribute in the organization details page is read-only.
The Children tab displays the child organizations of the open organization. For each child organization in the list, the organization name, organization type, and organization status are displayed.
The Children tab enables you to perform the following:
In the Children tab, you can create a child organization or suborganization of the open organization by selecting Create Sub-org from the Actions menu. Alternatively, click Create Sub-org on the toolbar. The Create organization page is displayed. Perform the steps described in "Creating an Organization" to complete creating the child organization.
To delete a child organization:
In the Children tab, select the organization you want to delete.
From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A message is displayed asking for confirmation.
Click Yes to confirm. The selected child organization is deleted.
To disable a child organization:
In the Children tab, select the organization you want to disable.
From the Actions menu, select Disable. Alternatively, click Disable on the toolbar. A message is displayed asking for confirmation.
Click Yes to confirm. The selected child organization is disabled.
To enable a child organization:
In the Children tab, select the organization you want to enable.
From the Actions menu, select Enable. Alternatively, click Enable on the toolbar. A message is displayed asking for confirmation.
Click Yes to confirm. The selected child organization is enabled.
From the Children tab, you can open the details of a child organization by selecting the organization, and selecting Open from the Actions menu. Alternatively, you can click Open on the toolbar, or simply click the name of the organization.
To modify a child organization, click the name of the child organization that you want to modify. The organization details page for that organization is displayed, where you can modify its details.
The Members tab is a read-only tab that displays a list of users in the selected organization. For each user in the list, the following are displayed:
User Login
Display Name
First Name
Last Name
Tip:
You can add or remove users to and from organizations by using the Attributes tab of the user details page.
You can view the roles in an organization by clicking the Available Roles tab of the organization details page. The role names, role categories, and corresponding organization names are listed in this tab.
You can view the admin roles that are assigned to an organization by clicking the Admin Roles tab of the organization details page. The admin roles and their corresponding descriptions are listed in this tab. When you select an admin role, the users who have the selected admin role are displayed in the User Members section. This tab also allows you to grant to users, and revoke from them, the admin roles available to the open organization.
In the Admin Roles tab, you can perform the following:
To grant an admin role to a user:
In the organization details page, click the Admin Roles tab. A list of admin roles assigned to the open organization is displayed.
Select the admin role that you want to grant to a user.
Click Assign on the toolbar. The Advanced Search for Target Users dialog box is displayed.
Search for the target users to whom you want to grant the selected admin role. You can select the Just show my directs option to list only your direct reports.
In the User Results section, select the user that you want to grant the admin role.
Click Add Selected to move the selected user to the Selected Users section. Alternatively, you can click Add All to move all the users from the User Results section to the Selected Users section.
Click Add. The admin role is granted to the selected user. When you click the admin role in the Admin Roles tab, the selected user's record is displayed in the User Members section.
In the User Members section, select the user record. Select include sub-orgs to grant the admin role to the user's organization and its suborganizations. If you want to grant the admin role to the user's organization only, then do not select this option.
To revoke an admin role from a user:
In the Admin Roles tab, select an admin role from which you want to revoke the user.
In the User Members section, select the user from whom you want to revoke the admin roles.
From the Actions menu, select Revoke. Alternatively, click Revoke on the toolbar. A message is displayed asking for confirmation.
Click Revoke to confirm. The user record is no longer displayed when you select the admin role.
The accounts available to an organization are the accounts that have been published to the organization. This means that the accounts are available for requesting by the users of the organization. You can view the available accounts in an organization by clicking the Available Accounts tab in the organization details page.
The Provisioned Accounts tab displays the accounts that have been provisioned to the open organization.
In the Provisioned Accounts tab, you can perform the following:
To provision an account to an organization:
In the Provisioned Accounts tab, select the account that you want to provision.
From the Actions menu, select Provision. Alternatively, you can click Provision on the toolbar.
The Provision Resource to Organization page is displayed in a new window.
On the Step 1: Select a Resource page, select a resource from the list, and then click Continue.
On the Step 2: Verify Resource Selection page, click Continue.
On the Step 5: Provide Process Data page, enter the details of the account that you want to provision to the organization, and then click Continue.
On the Step 6: Verify Process Data page, verify the data that you have provided, and then click Continue. The "Provisioning has been initiated" message is displayed.
To revoke an account from an organization:
In the Provisioned Accounts tab, select the account that you want to revoke.
From the Actions menu, select Revoke. Alternatively, you can click Revoke on the toolbar.
A message is displayed asking for confirmation.
Click Yes.
To view the details of a provisioned account:
In the Provisioned Accounts tab, select the account you want to open.
From the Actions menu, select Open. Alternatively, you can click Open on the toolbar.
The details of the account are displayed in a new page.
To disable a provisioned account:
In the Provisioned Accounts tab, select the account you want to disable.
From the Actions menu, select Disable. Alternatively, you can click Disable on the toolbar.
A message is displayed stating that the provisioned account has been successfully disabled.
To enable a provisioned account:
In the Provisioned Accounts tab, select the account you want to enable.
From the Actions menu, select Enable. Alternatively, you can click Enable on the toolbar.
A message is displayed stating that the provisioned account has been successfully enabled.
You can view the entitlements published to the open organization by clicking the Available Entitlements tab. For each entitlement, the following information is displayed:
Entitlements name
Resource associated with the entitlement
Account name associated with the entitlement
Organization name
Note:
You cannot disable organizations with child organizations or users. You can force-disable such an organization only by setting the system property ORG.DISABLEDELETEACTIONENABLED to true. After you set this property, the users and suborganizations are disabled along with the parent organization.
To disable an organization with enabled state:
In the organization details page, click Disable on the top of the page. Alternatively, in the search result for organizations in the Organization page, select the organization, and from the Actions menu, select Disable.
A message is displayed asking for confirmation.
Click Disable to confirm.
To enable an organization with disabled state:
In the search result for organizations in the Organization page, select the organization that you want to enable.
From the Actions menu, select Enable. A message is displayed asking for confirmation.
Click Enable to confirm.
Note:
You cannot delete organizations with child organizations or users. You can force-delete such an organization only by setting the system property ORG.DISABLEDELETEACTIONENABLED to true. After you set this property, the users and suborganizations are deleted along with the parent organization.
You can delete an organization only if you have the "Delete" permission for that organization.
The deleted record still exists in the database, marked as deleted.
In the search result for organizations in the Organization page, select the organization that you want to delete.
From the Actions menu, select Delete. Alternatively, you can click Delete on top of the organization details page. A message is displayed asking for confirmation.
Click Delete to confirm.
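The scoping rule behind the Admin Roles tab (a grant covers only the selected organization unless include sub-orgs is checked) and the ORG.DISABLEDELETEACTIONENABLED guard on Disable and Delete, as an added Python model; this is not Oracle Identity Manager code or its API. The organization names follow the Vision Inc. scenario; the user logins and the "Org Viewer" admin role name are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Org:
    name: str
    parent: "Org | None" = None
    status: str = "Active"
    users: dict = field(default_factory=dict)   # user login -> status
@dataclass
class Grant:                                    # one row of the Admin Roles tab
    user: str
    admin_role: str
    org: Org
    include_sub_orgs: bool = False              # the "include sub-orgs" check box

def in_scope(grant, target):
    # Walk from the target up to the root: the grant covers its own organization,
    # and an organization below it only when include_sub_orgs was selected.
    org = target
    while org is not None:
        if org is grant.org:
            return org is target or grant.include_sub_orgs
        org = org.parent
    return False
def can_administer(grants, user, admin_role, target):
    return any(g.user == user and g.admin_role == admin_role and in_scope(g, target) for g in grants)

class Tenant:
    def __init__(self, force_cascade=False):
        self.orgs = {}                        # never purged: Delete is a status change
        self.force_cascade = force_cascade    # ORG.DISABLEDELETEACTIONENABLED
    def add(self, name, parent=None, users=()):
        self.orgs[name] = Org(name, self.orgs.get(parent), users={u: "Active" for u in users})
    def children(self, org):
        return [o for o in self.orgs.values() if o.parent is org and o.status != "Deleted"]
    def set_status(self, name, status):
        # Disable/Delete is refused for a non-empty org unless the property is true; then it cascades.
        org = self.orgs[name]
        if (self.children(org) or org.users) and not self.force_cascade:
            raise PermissionError(f"{name} has child organizations or users")
        for child in self.children(org):
            self.set_status(child.name, status)
        org.users = {login: status for login in org.users}
        org.status = status

def vision_inc(force_cascade=False):
    # Constructed hierarchy from the Vision Inc. scenario; logins and role name are made up.
    t = Tenant(force_cascade)
    t.add("External Users"); t.add("Partner1", "External Users", ["partner1_da"])
    t.add("Partner1 US", "Partner1", ["user1"]); t.add("Partner1 EMEA", "Partner1")
    t.add("Partner2", "External Users", ["partner2_da"])
    grants = [Grant("partner1_da", "Org Viewer", t.orgs["Partner1"], include_sub_orgs=True),
              Grant("user1", "Org Viewer", t.orgs["Partner1 US"])]
    return t, grants
```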