8 Managing Profile

The Profile page enables you to view and modify personal details. The actions that you perform while managing a user profile are determined by the authorization policies defined for Self Service User Management. These authorization policies are defined for Oracle Identity Manager and stored in Oracle Entitlements Server (OES).

All authorization privileges are controlled by authorization policies. Every privilege that is granted is validated to check if you have the permission to use it. Table 8-1 lists the privileges for profile management operations:

Table 8-1 Profile Management Privileges

  • VIEW_USER_DETAILS: This privilege determines if you have the ability to view the user profile attributes in the Attributes tab of the My Profile page. This privilege supports fine-grained attribute level controls, which allows you to select the specific attributes that apply to that operation.

  • MODIFY_USER_DETAILS: This privilege determines if you have the ability to modify the user profile attributes in the Attributes tab of the My Profile page. This privilege supports fine-grained attribute level controls, which allows you to select the specific attributes that apply to that operation. If you have view and modify privileges for an attribute, it will be shown as an editable attribute on the My Profile page. If you have the view privilege only for an attribute, then it will be shown as a read-only attribute on the My Profile page.

  • MODIFY_SELF_USER_PROXY_PROFILE: This privilege determines if you have the ability to add, modify, and remove a proxy in the Proxies tab of the My Profile page.


To view the Profile section:

  1. Log in to Oracle Identity Manager Self Service.

  2. Click the Profile tab.

The Profile page has the following sections:

8.1 Managing Profile Attributes

The first tab of the My Profile page is the Attributes tab. This tab displays the user's profile attributes. The attributes that are displayed are controlled by field-level authorization policies that determine which profile attributes are visible to self.

By default, all the profile attributes are visible to the user. Any new attribute added for the user entity is by default set to be hidden from the user until explicitly made visible. The access to the profile attributes is controlled by authorization policies. For more information about the authorization policies for this feature, see "Authenticated User Self Service".

In addition, field-level authorizations determine if the attributes are editable or not by self. Editable attributes are displayed in editable text boxes or appropriate UI widgets, such as lookup fields. You can provide new values and click the Apply button to submit a change.

When the profile update is submitted, a request is created for modification of all attributes:

  • The attributes for which a request is raised are displayed along with a tracking number for the request. Workflow rules determine the approval workflow to start and obtain approval before allowing the changes in attributes. The status of the request can be seen on the Requests tab of the self-service page. For more information about the Requests tab and the Modify User request, see Chapter 10, "Managing Requests".

  • The Preferences section on the Attributes tab provides access to user preferences. Using this option, you can set your preferences on how you expect the product to behave.

    The user preferences in Oracle Identity Manager are attributes stored as part of the user's profile. By default, the following attributes are shown on the UI:

    • Locale: You can select the language preference for notification messages based on the languages supported by Oracle Identity Manager. The administrator defines the languages supported by installation as part of the deployment configuration. You can only select from the limited set of languages configured for the deployment.

      Note:

      In Oracle Identity Manager 11g release 1 (11.1.1.4), the language preference of the user for the UI is not set according to the locale specified by the user in the Preferences section of the Self Service. The UI locale is determined as described in "Setting the Language for Users" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

      Oracle Identity Manager supports translation of the following default languages:

      • Arabic (ar)

      • Czech (cs)

      • Canadian French (fr-CA)

      • Danish (da)

      • Dutch (nl)

      • English (en)

      • Finnish (fi)

      • French (fr)

      • German (de)

      • Greek (el)

      • Hebrew (he)

      • Hungarian (hu)

      • Italian (it)

      • Japanese (ja)

      • Korean (ko)

      • Norwegian (no)

      • Polish (pl)

      • Portuguese (pt)

      • Brazilian Portuguese (pt-BR)

      • Romanian (ro)

      • Russian (ru)

      • Simplified Chinese (zh-CN)

      • Traditional Chinese (zh-TW)

      • Slovak (sk)

      • Spanish (es)

      • Swedish (sv)

      • Thai (th)

      • Turkish (tr)

      Tip:

      To seed all supported MLS locales in Oracle Identity Manager, run the seedAllMLSLanguages operation of the MLSLanguageSeedingMBean MBean in the System MBean Browser in Oracle Enterprise Manager. However, the locales are not seeded unless you restart Oracle Identity Manager. To seed the MLS locales without restarting Oracle Identity Manager:

      1. Set the JAVA_HOME and WL_HOME environment variables.

      2. Navigate to the $IDM_HOME/server/bin/ directory.

      3. Run the PurgeCache.sh or PurgeCache.bat utility as follows:

        ./PurgeCache.sh SystemProperties
        
    • Time Zone: You can specify the time zone in which all data is displayed.

    Note:

      • Other default attributes can be added by modifying the user profile in the self service user management administration policy in Oracle Identity Administration. A custom policy needs to be created to view and modify other attributes in my profile.

      • User-defined fields (UDFs) can be added by creating a policy and adding attributes in the self service user management administration policy in Oracle Identity Administration. To add the User defined attributes for view or modification under the Attributes tab, these UDFs need to be added to the modify user request dataset for self service. See "Configuring Requests" in the Fusion Middleware Developer's Guide for Oracle Identity Manager for information about request datasets.

        In addition, a custom policy needs to be created under self service user management to grant permission to view and/or modify these attributes. For details on authorization policies, see "Creating and Managing Authorization Policies".

8.2 Managing Role Assignments

The Roles tab displays the roles of which you are a member, directly or indirectly. It displays the following information:

  • Role Display Name: Displays the role name.

  • Description: Displays the description of the role.

  • Membership Type: Displays the membership type, either direct role or indirect role.

  • Assigned Date: Displays the date on which you are assigned to a role.

The tab also provides options to start the following role management operations:

8.2.1 Requesting Roles

To request a role:

  1. Go to My Profile, Roles.

  2. From the Actions list, select Request Role. The Select Roles page of the Request Role wizard is displayed. The roles made available to the end user in the list of roles on the Request Roles page are the intersection of the roles provided in the request template and the roles for which the user has search permission.

    Note:

    If you have access to any request template other than the default request templates, then you will be prompted to select a template. This step is skipped if you have access only to pre-defined templates.

  3. In the Role Name field, enter the name of the role that you want to request. You can also search for roles based on role name and/or role display name by using the icon next to the Role Name field to display a list of available roles.

  4. From the Available Roles list, select one or more roles that you want to request, and then click the Move icon to include the roles in the Selected Roles list.

  5. Click Next. The Justification page is displayed.

  6. Enter values in the Effective Date and Justification fields to specify the date from which the role is to be active and a comment to justify the request respectively.

  7. Click Finish. You can view the status of the request on the Requests tab of Oracle Identity Manager Self Service. See Chapter 10, "Managing Requests" for detailed information about request statuses.

8.2.2 Removing Roles

To remove a role:

  1. Go to My Profile, Roles. A list of roles is displayed in a table.

  2. Select a role to be removed in the table and from the Actions list, select Remove Role. The Select Roles page of the Remove Role wizard is displayed.

    Note:

    If you have access to any request template other than the default request templates, then you will be prompted to select a request template. This step is skipped if you have access only to default request templates.

  3. In the Role Name box, enter the name of the role that you want to remove. You can also search for the role names by using the icon next to the Role Name field to display a list of available roles.

  4. From the Available Roles list, select one or more roles that you want to remove, and then click the Move icon to include the roles in the Selected Roles list. This step is applicable only if a custom request template is configured for the self remove roles operation, and the user selects one of the templates.

  5. Click Next. The Justification page is displayed.

  6. Enter values in the Effective Date and Justification fields to specify the date from which the role is to be removed and a comment to justify the removal respectively.

  7. Click Finish. The status of the request can be seen on the Requests tab of the self-service page. For more information about the Requests tab, see Chapter 10, "Managing Requests".

8.3 Managing Resource Profile

The Resources tab displays the resources that are currently provisioned to you. For each resource in the list, you are allowed to view the following information associated with that resource:

  • Resource name

  • Status

  • Identifying information

  • Summary information block with additional information

You can drill down to a page that displays details about the provisioned resource. On this page, you can modify the resource by clicking the Modify Resource button. This redirects you to the Modify Resource request wizard with the beneficiary preset to self and the resource instance also preset. You can go through the process of providing the updates that you want to request, and any associated information. A tracking number for the request is generated.

Self-service requests can modify only one resource instance at a time and do not support bulk requests. If you want to modify another resource instance, then you must raise another request.

In the Resources tab, you can perform the following:

8.3.1 Requesting a Resource

To request a resource:

  1. Go to My Profile, Resources.

  2. From the Actions list, select Request Resource. The Select Request Template page is displayed.

    Note:

    This page is displayed only if you have access to any request template other than the default request templates. You will be prompted to select a request template. This page is skipped if you have access only to default request templates.

  3. From the Request Template list, select the request template assigned to the resource and click Next. The Select Resources page of the Request Resources wizard is displayed.

  4. In the Resource Name field, enter the name of the resource that you want to request. You can also search for the resource names by using the icon next to the Resource Name field to display a list of available resources.

    Note:

    The resources displayed on this screen are a conjunction of the list of available resources and the list of resources restricted in the request template that is being used. For example, if the available resources are Active Directory, Exchange, and UNIX, and the template restricts the resources to Active Directory and Exchange, then this screen displays only Active Directory and Exchange.

    If no resources are selected for restriction in the request template, then all the available resources are displayed.

  5. From the Available Resources list, select a resource that you want to request, and then click the Move icon to include the resource in the Selected Resources list.

    Note:

    In case of a bulk request, you must select two or more resources (two or more child requests will be created). The rest of the procedure is the same for a bulk request.

  6. Click Next. The Enter Resource Data form is displayed.

  7. Enter appropriate details related to the resource, and then click Next. The Justification page is displayed.

  8. Enter values in the Effective Date and Justification fields to specify the date from which the resource is to be active and a comment to justify the request respectively.

  9. Click Finish. The status of the request can be seen on the Requests tab of the self-service page. For more information about the Requests tab, see Chapter 10, "Managing Requests".

8.3.2 Modifying a Resource

To modify a resource:

  1. Go to My Profile, Resources.

  2. From the Actions list, select Modify Resource. The Select Request Template page is displayed.

    Note:

    This page is displayed only if you have access to any request template other than the default request templates. You will be prompted to select a request template. This page is skipped if you have access only to default request templates.

  3. From the Request Template list, select the request template assigned to the resource and click Next. The Select Resources page of the Request Resources wizard is displayed.

  4. In the Resource Name field, enter the name of the resource that you want to modify. You can also search for the resource names by using the icon next to the Resource Name field to display a list of available resources.

  5. From the Available Resources list, select one or more resources that you want to request, and then click the Move icon to include the resource in the Selected Resource list.

  6. Click Next. The Resource related page is displayed in which you can modify the resource details. Enter the updates that you want to request and any associated information.

    Note:

    You can raise a request to modify one resource instance at a time, and this model does not support bulk requests. If you want to modify another resource instance, then you must raise another request.

  7. Click Next. The Justification page is displayed.

  8. Enter values in the Effective Date and Justification fields to specify the date from which the resource is to be active and a comment to justify the request respectively.

  9. Click Finish. The status of the request can be seen on the Requests tab of the self-service page. For more information about the Requests tab, see Chapter 10, "Managing Requests".

8.3.3 Displaying Resource Details

To display resource details:

  1. Go to My Profile, Resources.

  2. From the resource information table, select a resource.

  3. From the Actions list, select Open Resource Details. The Resource Details form is displayed for the selected resource, with details such as resource name, description, type, status, service account, and date provisioned.

8.4 Managing Proxies

The Proxies tab allows you to view and manage the proxy information. It displays the proxies currently set up within Oracle Identity Manager for you, and also allows you to view previously set up proxies. The Past Proxies view is read-only and no modifications are allowed.

The existing proxy view allows you to cancel an upcoming proxy whose start date is in the future. You can also edit only the end date of an in-progress proxy whose start date is in the past and whose end date is in the future or not specified.

In the Proxies tab, you can also add new proxies. When adding new proxies, you must specify a start date, an end date, and the proxy user.

This section contains the following topics:

8.4.1 Adding a Proxy

To add a proxy:

  1. Go to My Profile, Proxies.

  2. In the Current Proxies section, from the Actions list, select Add Proxy. The Add Proxy window is displayed.

  3. In the Proxy Name field, select My Manager to specify your manager as proxy. Otherwise, select Other User to specify any other user as proxy. To do so, click the lookup icon to search for the user you want to specify as proxy.

    Note:

    The user search result is governed by authorization policies. For more information, see Chapter 15, "Managing Authorization Policies".

  4. In the Start Date field, specify a start date.

  5. In the End Date field, specify an end date.

  6. Click Apply. A message box is displayed asking for confirmation.

  7. Click Yes.

Note:

Oracle Identity Manager does not allow adding another proxy whose start and end dates overlap with the existing proxy.
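
The proxy rules in this section (past proxies are read-only, an in-progress proxy allows only its end date to be edited, and a new proxy may not overlap an existing one) modelled as an added Python example; it is not Oracle Identity Manager code. The function names, the inclusive date boundaries, and the treatment of a missing end date as open-ended are assumptions.

```python
from datetime import date

FAR_FUTURE = date.max  # stands in for "end date not specified"


def proxy_state(start, end, today):
    """Classify a proxy as 'upcoming', 'in-progress' or 'past'."""
    if start > today:
        return "upcoming"
    # Assumption: a proxy is still active on its end date.
    if end is None or end >= today:
        return "in-progress"
    return "past"


def editable_fields(state):
    """Fields the owner may change in each state, per sections 8.4 and 8.4.2."""
    return {
        "upcoming": {"proxy_user", "start_date", "end_date"},
        "in-progress": {"end_date"},
        "past": set(),  # the Past Proxies view is read-only
    }[state]


def find_overlap(existing, new_start, new_end):
    """Return the first existing (start, end) window that overlaps the
    requested one, or None when the new proxy can be added."""
    if new_end < new_start:
        raise ValueError("end date precedes start date")
    for start, end in existing:
        # Two closed intervals overlap when each starts before the other ends;
        # an unspecified end date never ends.
        if start <= new_end and new_start <= (end or FAR_FUTURE):
            return (start, end)
    return None


# Constructed sample data: one bounded proxy and one without an end date.
SAMPLE_PROXIES = [
    (date(2024, 6, 1), date(2024, 6, 30)),
    (date(2024, 8, 1), None),
]

if __name__ == "__main__":
    today = date(2024, 6, 15)
    for start, end in SAMPLE_PROXIES:
        state = proxy_state(start, end, today)
        print(start, end, state, sorted(editable_fields(state)))
    print(find_overlap(SAMPLE_PROXIES, date(2024, 7, 1), date(2024, 7, 31)))
    print(find_overlap(SAMPLE_PROXIES, date(2024, 9, 1), date(2024, 9, 2)))
```
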

8.4.2 Editing a Proxy

To edit a proxy:

  1. Go to My Profile, Proxies.

  2. In the Current Proxies section, from the Actions list, select Open Proxy Detail. The Proxy Detail window is displayed.

  3. In the Proxy Name field, select My Manager to specify your manager as proxy. Otherwise, select Other User to specify any other user as proxy. You can search for the user name.

    Note:

    To change the proxy user, you can search only those users for which you have search permission.

  4. Click Edit. In case of active proxy, you cannot edit the proxy name and the start date, but in case of the proxy that has not started, you can change the proxy user, start date, and end date.

  5. Click Apply. A message box is displayed asking for confirmation.

  6. Click Yes.

8.4.3 Removing a Proxy

To remove a proxy:

  1. Go to My Profile, Proxies. A table with the list of proxies is displayed.

  2. Select a proxy to be removed.

  3. In the Current Proxies section, from the Actions list, select Remove Proxy. The Remove Proxy window is displayed.

  4. Click Remove. A message box is displayed asking for confirmation.

  5. Click Yes.

8.5 Managing Security

The Security tab allows you to change your profile attributes related to password security. Using this tab, you can perform the following tasks:

8.5.1 Changing Password

Using this feature, you can reset your enterprise password. To specify a new password, enter and re-confirm the new password. The new password is evaluated for compliance against the applicable password policy, which is displayed on the Change Password page. If the new password does not comply with the password policies, then the password change will be rejected and you will be informed of the failing condition(s). If the password evaluates successfully against all policies, then the enterprise password is changed.

To change the password:

  1. Go to the My Profile page and click the Security tab.

  2. In the Password section, click Change Password. The Change Password window is displayed with the applicable password policy.

  3. In the Old Password field, enter the existing password.

  4. In the New Password field, enter the new password that you want to set.

  5. In the Re-Type New Password field, re-enter the new password.

  6. Click Apply. If the old password is valid and the new password is in compliance with the password policy, then the password is changed. Otherwise, an error message is displayed.

8.5.2 Setting Challenge Questions and Response

The challenge-response service allows you to set up a series of challenge questions that are used to validate the user's identity. Only the user should know the correct answers to the challenge questions.

Questions and answers are stored as part of the user's profile as a name-value pair list, where the name is the question, and the value is the answer to that question. For example, for user John Doe, the challenge-response set could be as follows:

Challenge                          Response

What is your favorite color?       Blue

What is the name of your pet?      Rex

What is the city of your birth?    New York


Note:

Oracle recommends defining answers to challenge questions that cannot be guessed easily by collecting information about the user from the Internet or other public sources.

When a user's identity needs to be validated without relying on the authentication scheme, the challenge questions are asked, and the user must provide the necessary number of correct answers.

Oracle Identity Manager configuration properties for this feature are as follows:

  • PCQ.USE_DEF_QUES: If Oracle Identity Manager has been customized to allow end-users to create their own challenge questions, this property specifies whether users must select their challenge questions from a predefined list, or if users should create their own challenge questions. The default value is TRUE (users must select their challenge questions from a predefined list). To require users to provide their own challenge questions, set the value to FALSE.

    Note:

    Functionality that allows end-users to create their own challenge questions is not supported in the standard, out-of-the-box user interface.

  • PCQ.NO_OF_QUES: Sets the number of challenge questions that must be completed by a user. The default value is 3.

  • PCQ.FORCE_SET_QUES: Determines if new users must set up challenge questions upon logging into the application for the first time, or if new users can skip this step and do it later. New users are redirected to the Self.jspx page where the user can select challenge questions. This page includes a Skip button so that users can skip the challenge question set up process.

    Note:

    You can access the Admin.jspx page in another tab. This is the same page for setting challenge questions in the Oracle Identity Manager Administrative and User Console by performing the password validation.

  • PCQ.NO_OF_CORRECT_ANSWERS: Represents how many questions the user must answer correctly to reset the user password.

To set the challenge questions and responses:

  1. Go to the My Profile page and click the Security tab.

  2. In the Challenge Questions section, select questions from the Question 1, Question 2, and Question 3 fields.

  3. In the corresponding Answer 1, Answer 2, and Answer 3 fields, select the answers.

  4. Click Apply.

8.5.2.1 Localizing Challenge Questions and Responses

The following default challenge questions are localized automatically in Oracle Identity Manager:

  • What is the name of your pet?

  • What is the city of your birth?

  • What is your favorite color?

  • What is your mother's maiden name?

Localized default challenge questions are located in the xlWebAdmin_LANG.properties file. Here, LANG is the locale code.

If you add custom challenge questions to Oracle Identity Manager Design Console for lookup code Lookup.WebClient.Questions, add corresponding properties to the custom resource bundles to localize the question text in the supported languages. Corresponding translations should be saved to the following file:

CustomResource_LANG.properties

For example, you might add the new challenge question What is your favorite sport?. To localize this text, add properties to the property files in the following format:

global.Lookup.WebClient.Questions.question-text=value

Replace any white spaces in the question text with a hyphen (-). For example, to localize the "What is your favorite sport?" challenge question in French, add the following property to the customResources_fr.properties file:

global.Lookup.WebClient.Questions.What-is-your-favorite-sport?= Quel est votre sport favori?

To modify the text of the default challenge questions, add corresponding properties to the custom resource bundles. For example, to modify the text of the "What is your favorite color?" question to use the British spelling (colour) instead of the American version (color), add the following new property in the CustomResource_en.properties file:

global.Lookup.WebClient.Questions.What-is-your-favorite-color?=What is your favourite colour?

To modify the text of the default challenge questions for a specific locale, add properties for the modified questions to the customResources.properties file and the customResource_lang.properties file that represents the locale's language. For example, the customResources_ja.properties file contains language property translations for Japanese.
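
The key format described above, as an added Python example that is not part of the Oracle documentation: it builds the property lines for a set of custom questions, escapes keys and values the way java.util.Properties parses them, and rejects two questions that collapse to the same key. The function names and sample translations are constructed, and that Oracle Identity Manager loads the bundle through the standard ISO-8859-1 properties loader is an assumption.

```python
import re

KEY_PREFIX = "global.Lookup.WebClient.Questions."  # prefix shown in this section


def question_key(question):
    """Property key for a question: each whitespace character becomes '-'."""
    name = re.sub(r"\s", "-", question)
    # Escape characters that end or alter a key when the line is parsed.
    name = re.sub(r"([\\=:#!])", r"\\\1", name)
    return KEY_PREFIX + name


def escape_value(text):
    """Escape a translated string for an ISO-8859-1 .properties file."""
    out = []
    for i, ch in enumerate(text):
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append("\\n")
        elif ch == " " and i == 0:
            out.append("\\ ")  # a leading space would otherwise be dropped
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Non-ASCII text is written as \uXXXX per UTF-16 code unit.
            data = ch.encode("utf-16-be")
            for j in range(0, len(data), 2):
                out.append("\\u%04X" % int.from_bytes(data[j:j + 2], "big"))
        else:
            out.append(ch)
    return "".join(out)


def build_bundle(translations):
    """Return sorted property lines for {question text: translated text}."""
    lines, seen = [], {}
    for question, translated in translations.items():
        key = question_key(question)
        if key in seen:
            # "a b" and "a-b" produce the same key; only one could be localized.
            raise ValueError("%r and %r share the key %s"
                             % (seen[key], question, key))
        seen[key] = question
        lines.append(key + "=" + escape_value(translated))
    return sorted(lines)


# Constructed sample: the page's example question plus one more custom question.
FRENCH = {
    "What is your favorite sport?": "Quel est votre sport favori?",
    "What was your first school?": "Quelle était votre première école ?",
}

if __name__ == "__main__":
    for line in build_bundle(FRENCH):
        print(line)
```
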

8.6 Resetting Forgotten Password

If you have forgotten your Oracle Identity Manager password, you can reset it by entering your responses for a series of challenge questions.

To reset your forgotten password:

  1. On the Oracle Identity Manager Administrative and User Console login page, click Forgot Password. The Enter Your User Login page of the Forgot Password wizard is displayed.

  2. In the User Login field, enter your user login to allow Oracle Identity Manager to locate your user record. Then click Next. The Answer Challenge Questions page is displayed.

  3. On this page, the wizard displays the challenge questions that you set during user registration, or edited by using Self Service, to verify your identity. This page also displays the applicable password policies. Enter your responses to the challenge questions, and then click Next. The Set a New Password page is displayed.

    See Also:

    Chapter 7, "Configuring and Using Self-Service Registration" for information about registering to Oracle Identity Manager.

  4. In this step, enter the new password that you want to set, and click Save. The following are the possible outcomes of these steps:

    • If the new password fails to satisfy the configured password policies, then an error message is displayed specifying the rules of the password policy that are not met by the specified password. Also, if you exceed the maximum number of reset password attempts, you will no longer be able to perform this operation. An error message will be displayed stating, "User has exceeded the maximum number of password reset attempts allowed."

    • If you satisfy the identity verification criteria and the password is successfully set, a message is displayed stating that the password has been reset and you will be automatically logged in to the Self-Service console.

    • Password reset fails because either the user account is invalid or the challenge questions are not defined for this account.

Note:

The configuration properties, such as PCQ.NO_OF_QUES mentioned in "Setting Challenge Questions and Response", that control the challenge questions in the Forgot Password wizard are:

  • Number of Challenge Questions to Ask: Number that specifies how many challenge questions to display in the wizard and to collect responses for.

  • Number of Correct Responses Needed: Number that specifies how many challenge questions must be answered correctly to pass the identity verification test. This cannot be greater than the previous configuration property.