13 Managing Organizations

An organization entity is a logical container for other entities, such as users and child organizations, in Oracle Identity Manager. Organizations in Oracle Identity Manager exist only for security purposes: they scope data and delegate administration. An organization is not an enterprise business unit, an LDAP organization, or an LDAP organizational unit.

The concepts related to organizations and procedures to manage organizations are described in the following sections:

13.1 Delegated Administration Model

Vision Inc. is a fictitious company used in this document to depict a typical delegated administration use case. There are five user types: employees, contractors, suppliers, partners, and customers. There are approximately one hundred applications that are to be provisioned to each user. In this example, the proposed solution is called IDM.

Vision Inc. has two major sets of users, Internal Users consisting of employees and contractors, and External Users consisting of partners, suppliers, and customers, as illustrated in Figure 13-1:

Figure 13-1 Delegated Administration


Internal Users are on-boarded and managed directly by an HR Administrator using Oracle Identity Self Service. The IDM administrator creates the partner, supplier, and customer organizations shown in Figure 13-1 and assigns a delegated administrator to each of them. For example, the IDM administrator can create and manage a partner organization called Partner1, create one or more users under Partner1, and assign one or more of these users as delegated administrators for that organization. The delegated administrator, for example Partner1 DA, can then create further hierarchy under Partner1, such as Partner1 US and Partner1 EMEA, and designate a delegated administrator for each of these organizations; for example, Partner1 DA can make User1 in Partner1 US the delegated administrator of Partner1 US. The hierarchy can be nested to any depth.

Users created under these organizations follow a strict permission model. Users in the External Users organization cannot see users in the Internal Users organization, but internal users who belong to the IDM Administrator group can see both internal and external users. Partner1 DA cannot see users under Partner2, and vice versa. Similarly, Partner1 US DA cannot see Partner1 EMEA users. A parent delegated administrator can see everything its child delegated administrators can see, but not the reverse: Partner1 DA can see Partner1 US and Partner1 EMEA users, whereas Partner1 US users can see only users in Partner1 US. The whole model is built from three mechanisms: the organization hierarchy, viewer admin roles assigned to users in an organization scope, and publishing entities only to the organizations whose users should see them.

Visibility of resources also follows the hierarchy. For example, all resources and roles that are permitted for Partner1 are visible by default to Partner1 US and Partner1 EMEA. This is achieved by selecting the flag to include sub-organizations when publishing the entities, described later in this chapter. Both publishing and delegation are organization-hierarchy-aware, and each delegated administrator can further restrict which resources are available within their own organizations.

The delegated administration model is achieved through the following:

  • Organization definition: Users and entities are defined in logical containers called organizations, and a set of attributes are defined for the organizations. See "Organization Entity Definition" for details.

  • Organization scoping with logical organization hierarchy: Scoping entities to a certain set of users, so that not all users can view or access all entities. For example, users in the Partners organization can view only the roles, entitlements, and application instances available to the Partners organization; they cannot view or access the entities available to the Suppliers and Customers organizations. See "Organization Scoping and Hierarchy" for details.

  • Publishing of entities to organizations: The entities are made available to the users of an organization. See "Publishing Entities to Organizations".

  • Admin roles: The permissions that a user has on an entity are governed by the admin roles assigned to the user. See "Admin Roles" for details.

13.2 Organization Entity Definition

In Oracle Identity Manager, a set of attributes is defined by default for the organization entity. The attribute metadata (category, type, data type, display type, and properties) follows the same model as for the other entities, such as user, role, role hierarchy, and role membership. For a list of the attributes defined for these entities, see "User Entity Definition".

Table 13-1 lists the default attributes of the organization entity:

Table 13-1 Default Attributes of the Organization Entity

Organization Name
  Category: Basic; Type: Single; Data Type: String; Display Type: Single line text
  Properties: Required: Yes; System-Can-Default: No; System-Controlled: No; Encryption: Clear; User-Searchable: Yes

Type
  Category: Basic; Type: Single; Data Type: String; Display Type: LOV
  Properties: Required: Yes; System-Can-Default: Yes; System-Controlled: Yes; Encryption: Clear; User-Searchable: Yes

Parent Organization
  Category: Basic; Type: Single; Data Type: String; Display Type: Single line text
  Properties: Required: No; System-Can-Default: No; System-Controlled: No; Encryption: Clear; User-Searchable: Yes

Status
  Category: Basic; Type: Single; Data Type: String; Display Type: Single line text
  Properties: Required: Yes; System-Can-Default: Yes; System-Controlled: Yes; Encryption: Clear; User-Searchable: Yes

Password Policy
  Category: Basic; Type: Single; Data Type: String; Display Type: LOV
  Properties: Required: No; System-Can-Default: No; System-Controlled: No; Encryption: Clear; User-Searchable: Yes


13.3 Organization Scoping and Hierarchy

In Oracle Identity Manager, the root of the organization hierarchy is the predefined Top organization. By default, every organization in Oracle Identity Manager descends from Top.

Oracle Identity Manager provides an organizational-level scoping mechanism for delegated administration and data security of various entities. This is achieved by the following:

  • User's admin role memberships in organizations: A user is granted permissions over an organization by being assigned an admin role in that organization's scope.

  • Entities available in organizations: Data is secured by confining its availability to a set of organizations. Making data available in an organization scope is called publishing. A user can perform an operation on an entity only if the user holds an admin role that grants that operation in the scope of an organization to which the entity is published.

13.4 Publishing Entities to Organizations

Publishing an entity to an organization makes the entity available to that organization. Enterprise roles, entitlements, and application instances are published by their respective administrators to a list of organizations so that they become:

  • Requestable by users in those organizations

  • Manageable by the administrators of those organizations

You can publish entities to organizations from the Organizations tab of the respective entity details page in Identity Self Service.

When an entity administrator creates an entity (for example, a Role Administrator creates an enterprise role), the entity is automatically made available in all organizations where the creator holds the corresponding entity admin role. This saves administrators from creating and then separately publishing entities in their own organizations or organization hierarchies. If the entity must be available to other organizations, it must be published there manually.
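
The following Python model is added here as an illustration; it is not Oracle Identity Manager code or its API. It puts the rules of Sections 13.1, 13.3, and 13.4 together: an organization tree rooted at Top, admin role memberships held in an organization scope (a boolean include_suborgs flag stands in for the cascade to child organizations), and publications that make an entity available to an organization, optionally including its sub-organizations. The organizations, users, memberships, and entity names are constructed to mirror the Vision Inc. scenario, and all function names are this example's own.

```python
from dataclasses import dataclass

# Organization hierarchy, child -> parent. Top is the predefined root.
# Constructed to mirror the Vision Inc. scenario (example data, not OIM data).
PARENT = {
    "Internal Users": "Top",
    "External Users": "Top",
    "Partners": "External Users",
    "Partner1": "Partners",
    "Partner1 US": "Partner1",
    "Partner1 EMEA": "Partner1",
    "Partner2": "Partners",
}


def ancestors(org):
    """Strict ancestors of org, from its parent up to Top."""
    result = set()
    org = PARENT.get(org)
    while org is not None:
        result.add(org)
        org = PARENT.get(org)
    return result


@dataclass(frozen=True)
class Membership:
    admin_role: str        # for example "User Viewer" or "Role Administrator"
    scope: str             # organization in which the admin role is held
    include_suborgs: bool  # cascade to child organizations (assumed boolean flag)


@dataclass(frozen=True)
class Publication:
    org: str
    include_suborgs: bool


# Constructed users (login -> home organization) and admin role memberships.
HOME_ORG = {
    "idm_admin": "Top",
    "hr_admin": "Internal Users",
    "partner1_da": "Partner1",
    "user1": "Partner1 US",
    "user2": "Partner1 EMEA",
    "partner2_da": "Partner2",
}
MEMBERSHIPS = {
    "idm_admin": [Membership("User Viewer", "Top", True)],
    "hr_admin": [Membership("User Administrator", "Internal Users", True)],
    "partner1_da": [Membership("User Viewer", "Partner1", True),
                    Membership("Role Administrator", "Partner1", True)],
    "user1": [Membership("User Viewer", "Partner1 US", True)],
    "partner2_da": [Membership("User Viewer", "Partner2", True)],
}
PUBLICATIONS = {}  # entity name -> [Publication, ...]; filled by publish()


def holds_role_over(login, admin_role, org):
    """True if login holds admin_role in a scope that covers org: the membership
    is in org itself, or in an ancestor of org and cascades downward."""
    return any(m.scope == org or (m.include_suborgs and m.scope in ancestors(org))
               for m in MEMBERSHIPS.get(login, []) if m.admin_role == admin_role)


def can_view_user(viewer, target):
    """A user is visible only to holders of User Viewer or User Administrator
    over the target's home organization, so a parent delegated administrator
    sees child organizations but a child never sees its parent or siblings."""
    home = HOME_ORG[target]
    return any(holds_role_over(viewer, role, home)
               for role in ("User Viewer", "User Administrator"))


def publish(entity, org, include_suborgs=False):
    """Make entity available to org and, if requested, to its sub-organizations."""
    PUBLICATIONS.setdefault(entity, []).append(Publication(org, include_suborgs))


def is_published_to(entity, org):
    return any(p.org == org or (p.include_suborgs and p.org in ancestors(org))
               for p in PUBLICATIONS.get(entity, []))


def can_request(login, entity):
    """An entity is requestable by a user only if it is published to the
    user's home organization, directly or through a cascading publication."""
    return is_published_to(entity, HOME_ORG[login])


def create_role(creator, role_name):
    """Section 13.4: a newly created entity is made available automatically in
    every organization where its creator holds the entity admin role. Whether
    that automatic publication cascades is taken from the membership's own
    include_suborgs flag here (assumption). Returns the publications made."""
    for m in MEMBERSHIPS.get(creator, []):
        if m.admin_role == "Role Administrator":
            publish(role_name, m.scope, m.include_suborgs)
    return list(PUBLICATIONS.get(role_name, []))


if __name__ == "__main__":
    print(can_view_user("partner1_da", "user1"))  # True
    print(can_view_user("user1", "user2"))        # False
    create_role("partner1_da", "Partner1 Portal Access")
    print(can_request("user2", "Partner1 Portal Access"))        # True
    print(can_request("partner2_da", "Partner1 Portal Access"))  # False
```

The two checks that matter when reviewing a delegated-administration design are both visible here: sibling organizations are isolated (user1 cannot see user2 even though both sit under Partner1), and a publication without the sub-organization flag reaches only the organization it names, so a role published to Partners alone is not requestable from Partner1.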

13.5 Admin Roles

An admin role is a first-class entity in Oracle Identity Manager and is distinct from an enterprise role or a group. The authorization and security model of Oracle Identity Manager is based on the admin roles assigned to a user, each in the scope of a given organization or of the Top organization. As mentioned earlier, the Top organization is the root of the organization hierarchy. Authorization policies are defined in terms of admin roles. Admin roles are predefined: they cannot be created, updated, deleted, or requested.

For each entity, the following admin roles are defined:

  • Entity Administrator: Can manage the entire lifecycle of the entity and perform any operation on it.

  • Entity Viewer: Can view the entity in the catalog or in request profiles and request it; the request is subject to approval.

  • Entity Authorizer: Can view the entity in the catalog or in request profiles and grant it as a direct operation, without approval. There is no authorizer for the organization entity because organization membership cannot be requested. Similarly, there is no authorizer for the user entity; the user administrator and user authorizer are the same.

There are, however, exceptions for the entity administrator. A Role Administrator, for example, cannot by itself assign users to or revoke users from a role. To do so, the role administrator must also explicitly hold one of the following:

  • Role Viewer: to assign or revoke users through requests, which are subject to approval.

  • Role Authorizer: to assign or revoke users as a direct operation, without approval.

Similarly, Application Instance Administrators and Entitlement Administrators cannot by themselves grant or revoke the respective entities to or from users. They must explicitly hold the corresponding entity viewer role (to act through requests) or entity authorizer role (to act directly).
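
The following Python model is added as an illustration of how admin role memberships decide whether an operation is performed directly, only through a request, or not at all; it is not Oracle Identity Manager code. PERMISSIONS copies the Request and Direct entries from a handful of rows of Table 13-3 (rows marked NA are left out), and the organization tree and memberships are constructed. Which organization an operation is checked against (for example, the target user's home organization for Grant Role) and the include_suborgs cascade flag are assumptions of this model.

```python
# Subset of Table 13-3: admin role -> {operation: "Direct" | "Request"}.
# Rows marked NA in the table (view and search permissions) are left out.
PERMISSIONS = {
    "Role Administrator": {
        "Create Role": "Direct", "Modify Role": "Direct", "Delete Role": "Direct",
        "Manage Role Hierarchy": "Direct", "Publish Role": "Direct",
        "Unpublish Role": "Direct",
        # No Grant Role or Revoke Role: the exception described in Section 13.5.
    },
    "Role Viewer": {"Grant Role": "Request", "Revoke Role": "Request"},
    "Role Authorizer": {"Grant Role": "Direct", "Revoke Role": "Direct"},
    "User Administrator": {
        "Create User": "Direct", "Delete User": "Direct", "Enable User": "Direct",
        "Disable User": "Direct", "Grant Role": "Direct", "Revoke Role": "Direct",
    },
    "User Viewer": {
        "Create User": "Request", "Delete User": "Request", "Enable User": "Request",
        "Disable User": "Request", "Grant Role": "Request", "Revoke Role": "Request",
    },
    "Help Desk": {
        "Enable User": "Request", "Disable User": "Request",
        "Change User Password": "Direct",
    },
}

# Constructed organization hierarchy, child -> parent (Top is the root).
PARENT = {"Partners": "Top", "Partner1": "Partners", "Partner1 US": "Partner1",
          "Partner1 EMEA": "Partner1", "Partner2": "Partners"}


def scope_covers(scope, include_suborgs, org):
    """A membership held in `scope` covers `org` when they are the same
    organization or, if the membership cascades, when `scope` is an ancestor."""
    while org is not None:
        if org == scope:
            return True
        if not include_suborgs:
            return False
        org = PARENT.get(org)
    return False


def operation_mode(memberships, operation, org):
    """Decide how `operation` may be performed against an entity in `org`.

    memberships: list of (admin_role, scope_org, include_suborgs) tuples.
    Returns "Direct" if any covering membership allows it directly, else
    "Request" if one allows it through a request, else None (not permitted).
    """
    best = None
    for admin_role, scope, include_suborgs in memberships:
        if not scope_covers(scope, include_suborgs, org):
            continue
        mode = PERMISSIONS.get(admin_role, {}).get(operation)
        if mode == "Direct":
            return "Direct"
        if mode == "Request":
            best = "Request"
    return best


def effective_permissions(memberships, org):
    """Audit helper: every operation the memberships permit against `org`,
    with the strongest mode for each. Useful for reviewing what a delegated
    administrator can actually do before approving an admin role assignment."""
    operations = sorted({op for perms in PERMISSIONS.values() for op in perms})
    result = {}
    for op in operations:
        mode = operation_mode(memberships, op, org)
        if mode is not None:
            result[op] = mode
    return result


if __name__ == "__main__":
    da = [("Role Administrator", "Partner1", True)]
    print(operation_mode(da, "Create Role", "Partner1 US"))  # Direct
    print(operation_mode(da, "Grant Role", "Partner1 US"))   # None
    da.append(("Role Viewer", "Partner1", True))
    print(operation_mode(da, "Grant Role", "Partner1 US"))   # Request
    da.append(("Role Authorizer", "Partner1", True))
    print(operation_mode(da, "Grant Role", "Partner1 US"))   # Direct
```

The walk from Role Administrator alone (no grant at all), through Role Administrator plus Role Viewer (grant by request), to Role Administrator plus Role Authorizer (direct grant) is the exception spelled out above; effective_permissions is the kind of check worth running on a proposed membership set before handing it to a delegated administrator, since a membership that cascades from a parent organization reaches every organization beneath it.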

Admin roles have no hierarchy. However, admin role memberships are hierarchy-aware and can be cascaded downwards to the child organizations. Admin role membership is always given in an organization scope, and can only be assigned by the System Administrator or System Configurator. Admin roles do not have autogroup membership or role membership rules.

Note:

Admin roles cannot be stored in LDAP data store and are stored in Oracle Identity Manager database.

Admin roles belong to a role category called admin roles. They cannot be requested and are never exposed to end users. Only users holding the System Administrator or System Configurator role, which are required for performing system functions, can view and assign admin roles.

The System Administrator and System Configurator admin roles are available only to the Top organization. Therefore, only System Administrators and System Configurators can assign System Administrator and System Configurator roles because they have access to the Top organization. Only a System Administrator can provision resources to an organization.

Table 13-2 lists the admin roles in Oracle Identity Manager for each entity.

Note:

In Table 13-3, you will come across implicit permissions called org basic info, role basic info, entitlement basic info, and appinstance basic info. A basic-info permission grants only the ability to search for and view the given entity. Consider the following examples:

  • The View Org permission provides all the permissions defined for the Organization Viewer admin role, whereas org basic info provides only the permission to search for and view the organization's attributes.

  • The User Viewer admin role provides the basic-info permission on roles, organizations, application instances, and entitlements in the scoped organization.

Table 13-2 Admin Roles in Oracle Identity Manager

System-level (no entity)
  • System Administrator: Oracle Identity Manager System Administrator role with all privileges
  • System Configurator: Role with privileges to configure Oracle Identity Manager
  • SPML Administrator: SPML administrator to manage SPML operations

Role
  • Role Administrator: Role with privileges to administer all assigned enterprise roles
  • Role Authorizer: Role with privileges to authorize all assigned enterprise roles. A role authorizer can grant roles as a direct operation.
  • Role Viewer: Role with privileges to view assigned enterprise roles

Entitlement
  • Entitlement Administrator: Role with privileges to administer all assigned entitlements
  • Entitlement Authorizer: Role with privileges to authorize all assigned entitlements
  • Entitlement Viewer: Role with privileges to view all assigned entitlements

Application Instance
  • Application Instance Administrator: Role with privileges to administer all assigned application instances
  • Application Instance Authorizer: Role with privileges to authorize all assigned application instances
  • Application Instance Viewer: Role with privileges to view all assigned application instances

Organization
  • Organization Administrator: Role with privileges to administer all assigned organizations
  • Organization Viewer: Role with privileges to view all assigned organizations

User
  • User Administrator: Role with privileges to administer all assigned users
  • HelpDesk: Help Desk role to manage users
  • User Viewer: Role with privileges to view all assigned user records

Catalog
  • Catalog Administrator: Role with privileges to manage all catalog items

See Also:

"Security Architecture" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about admin roles

Table 13-3 lists the admin roles in Oracle Identity Manager and the permissions provided by each admin role.

Table 13-3 Admin Roles and Permissions

For each admin role, the table lists the implicit permissions that come with it and the organization-scoped permissions it grants, grouped by how the operation is performed: Direct (performed immediately), Request (submitted as a request subject to approval), or NA (no request-or-direct distinction applies; mostly view and search permissions).

User Administrator
  Implicit permissions: Organization Viewer, Role Viewer, Entitlement Viewer, AppInstance Viewer
  Direct: Create User, Delete User, Modify User (attribute-level security), Enable User, Disable User, Grant Role, Revoke Role, Grant Accounts, Revoke Accounts, Grant Entitlements, Revoke Entitlements, Modify User Account, Enable User Account, Disable User Account, Add Proxy, Delete Proxy
  NA: Search User (attribute-level security), View User (attribute-level security), Lock User, Unlock User, Change User Password, Change Account Passwords, View Org, View Role, View Entitlements, View Application Instance, View Requests, View Admin Role Memberships, View Role Memberships, View User Accounts, View User Entitlements, View Proxy

Help Desk
  Implicit permissions: Org Basic Info, Role Basic Info, Entitlement Basic Info, AppInstance Basic Info
  Request: Enable User, Disable User
  Direct: Unlock User (only if locked out due to failed logins), Change User Password, Change Account Password
  NA: Search User (attribute-level security), View User (attribute-level security), View Org, View Role, View Entitlements, View Application Instance, View Requests, View Role Memberships, View Proxy, View User Accounts, View User Entitlements

User Viewer
  Implicit permissions: Organization Viewer, Role Viewer, Entitlement Viewer, AppInstance Viewer
  Request: Create User, Delete User, Modify User (attribute-level security), Enable User, Disable User, Grant Role, Revoke Role, Grant Accounts, Revoke Accounts, Grant Entitlements, Revoke Entitlements, Modify User Account, Enable User Account, Disable User Account
  NA: Search User (attribute-level security), View User (attribute-level security), View Org, View Role, View Entitlements, View Application Instance, View Requests, View Role Memberships, View Proxy, View Admin Role Memberships, Add Admin Roles, Delete Admin Roles, Modify Admin Role Membership, View User Accounts, View User Entitlements

Role Viewer
  Implicit permissions: Org Basic Info, User Basic Info
  Request: Grant Role, Revoke Role
  NA: View Org, View Role, View Users, View Role Memberships

Organization Viewer
  Implicit permissions: Org Basic Info, User Basic Info, AppInstance Info, Entitlement Info
  NA: Search Org, View Org, View Users, View Role, View AppInstance, View Entitlement, View All Publications, View All Org Members, View Admin Role & Memberships, View Accounts Provisioned to Org

Application Instance Viewer
  Implicit permissions: User Basic Info, Org Basic Info, Entitlement Info
  Request: Grant Account, Revoke Accounts, Modify User Account, Enable User Account, Disable User Account
  NA: Search Application Instance, View Application Instance (excluding passwords), View Org, View User, View AppInstance, View Entitlements, View User Accounts, View User Entitlements

Entitlement Viewer
  Implicit permissions: User Basic Info, Org Basic Info, AppInstance Basic Info
  Request: Grant Entitlement, Revoke Entitlement
  NA: Search Entitlement, View Entitlement, View Orgs, View Users, View AppInstance, View User Accounts, View User Entitlements

Role Administrator
  Implicit permissions: User Basic Info, Org Basic Info
  Direct: Create Role, Modify Role, Delete Role, Manage Role Hierarchy, Publish Role (only to allowed orgs), Unpublish Role (only to allowed orgs), Manage Role Membership Rules, Create Role Category, Update Role Category, Delete Role Category
  NA: Search Role, View Role, View Role Members, View Users, View Orgs, View Role Memberships

Application Instance Administrator
  Implicit permissions: User Basic Info, Org Basic Info, Entitlement Administrator
  Direct: Create Application Instance, Modify Application Instance, Delete Application Instance, Publish Application Instance (only to allowed orgs), Unpublish Application Instance (only to allowed orgs), Publish Entitlements (only to allowed orgs), Unpublish Entitlements (only to allowed orgs)
  NA: Search Application Instance, View Application Instance, Access Advanced UI, View Accounts, View Users, View Orgs, View User Accounts, View User Entitlements

Organization Administrator
  Implicit permissions: User Basic Info, AppInstance Basic Info, Entitlement Basic Info, Role Basic Info
  Direct: Create Organization, Modify Organization, Delete Organization, All Role Admin Privileges for Admin Roles, Update Organization Hierarchy (for a specific organization), Associate Password Policy
  NA: Search Org, View Org, View Members, View Roles Published, View App Instances Published, View Entitlements Published, View Accounts (provisioned to org)
  Note: Provisioning resources to an organization is allowed only to the System Administrator.

Entitlement Administrator
  Implicit permissions: User Basic Info, AppInstance Basic Info, Org Basic Info
  Direct: Add Entitlements (API), Delete Entitlements (API), Update Entitlements (API), Publish Entitlement (only to allowed orgs), Unpublish Entitlement (only from allowed orgs)
  NA: Search Entitlements, View Entitlements, View Orgs, View User, View App Instance, View Accounts, View Entitlement Members, View Published Entitlements (API; organization data security applies)

Catalog Administrator
  Implicit permissions: AppInstance Basic Info, Entitlement Basic Info, Role Basic Info
  Direct: Edit Catalog Metadata, Create Request Profiles, Modify Request Profiles, Delete Request Profiles
  NA: View Application Instances, View Entitlements, View Roles

Role Authorizer
  Implicit permissions: User Basic Info, Org Basic Info
  Direct: Grant Role, Revoke Role
  NA: View Role, View Orgs, View Users, View Role Memberships

Application Instance Authorizer
  Implicit permissions: User Basic Info, Org Basic Info
  Direct: Grant Account, Revoke Account, Modify Account, Enable Account, Disable Account
  NA: Search Application Instance, View Application Instance (excluding passwords), View Org, View Entitlements, View Users, View User Accounts, View User Entitlements

Entitlement Authorizer
  Implicit permissions: User Basic Info, Org Basic Info, AppInstance Basic Info
  Direct: Grant Entitlement, Revoke Entitlement
  NA: Search Entitlement, View Entitlement, View Users, View Orgs, View Application Instance, View User Accounts, View User Entitlements

Catalog System Administrator
  Implicit permissions: App Instance Basic Info, Entitlement Basic Info, Role Basic Info
  Direct: Edit Catalog Metadata, Create Request Profiles, Modify Request Profiles, Delete Request Profiles
  NA: View Application Instances, View Entitlements, View Roles

System Configuration Administrator
  Implicit permissions: Role Basic Info, Org Basic Info, Application Instance Basic Info, Entitlement Basic Info
  NA (all of the following):
    Forms: View Forms, Create Forms, Modify Forms, Delete Forms
    Connectors and resource objects: Import Connector, Export Connector, View Resource Object, Create Resource Object, Modify Resource Object, Delete Resource Object
    Application instances and entitlements: View Application Instance, Create Application Instance, Modify Application Instance, Delete Application Instance, Publish Application Instance, View Entitlement, Publish Entitlement, Delete Entitlement (using APIs), Modify Entitlement (using APIs), Add Entitlement (using APIs)
    Approval policies: View Approval Policies, Create Approval Policies, Modify Approval Policies, Delete Approval Policies
    Access Advanced UI
    Password policies: View Password Policy, Create Password Policy, Modify Password Policy, Delete Password Policy
    Notifications: View Notification, Create Notification, Delete Notification, Modify Notification, Add Locale to Notification, Remove Locale from Notification
    Event handlers and plug-ins: Complete Async Event Handlers, Orchestration Operation, Register Plugin, Unregister Plugin
    Scheduler: View Scheduled Jobs, Start Scheduler, Stop Scheduler, Add Task, Modify Task, Delete Task, Create Trigger, Delete Trigger, Modify Trigger, View Jobs, Create Jobs, Modify Jobs, Delete Jobs, Enable Jobs, Disable Jobs, Run-now Jobs, Pause Jobs, Resume Jobs, Stop Jobs, Reset Status
    System properties: View System Properties, Create System Properties, Modify System Properties, Delete System Properties
    Attributes: View Attributes, Add Attributes, Modify Attributes, Delete Attributes, Add Derived Attributes

SPML Admin
  Implicit permissions: none
  Request: Create, modify, and delete users; Enable user status; Disable user status; Add role memberships; Delete role memberships; Create, modify, and delete roles
  NA: Search users on all the attributes; Search roles on all the attributes


Note:

You can restrict the home-organization permissions so that only a manager can view or modify the manager's reportees. To do so, open and delete the following policies by using the Authorization Policy Management (APM) UI:

  • OrclOIMUserHomeOrgDirectWithAttributesPolicy

  • OrclOIMUserHomeOrgDirectPolicy

  • OrclOIMUserHomeOrgApprovalWithAttributesPolicy

  • OrclOIMUserHomeOrgApprovalPolicy

For more information about the authorization policies used to control user's access to Oracle Identity Manager application, see the "Security Architecture" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

13.6 Delegable and Nondelegable Operations

There are some operations that can be delegated to other users (delegated administrators). These operations are:

  • Create User

  • Modify User

  • Enable User

  • Disable User

  • Change Password

  • Assign Roles

  • Assign Organizations

  • Assign Entitlements

  • Provisioning Accounts

  • Create and Manage Organization and Organization hierarchy

  • Create and Manage Role and Role Hierarchy

  • Create and Manage Resource Objects (RO) and IT Resource Instances

The following operations cannot be delegated to other users:

  • Create and Manage Catalog

  • Other System Administration Tasks

  • Lookup Definition Management

  • Password Policy Definition management

13.7 Evaluating Password Policies

A password policy is a set of rules or conditions that govern the syntax of passwords. Password policies are created by System Administrators. For more information about creating and managing password policies, see the "Managing Password Policies" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

Organization administrators can attach a password policy to an organization either while creating an organization or at any later point in time. The procedure to create or modify an organization is discussed later in this chapter.

In Oracle Identity Manager, password policies are evaluated in the following scenarios:

  • When users register themselves to Oracle Identity Manager to perform certain tasks in Identity Self Service or Oracle Identity System Administration.

  • When users reset their password using the Forgot Password? link.

  • When users change their enterprise password or target system account password from the Change Password section of the My Information page.

  • When an administrator sets or changes the password of a user manually.

A user's effective password policy is determined in the following order:

  1. If a password policy is set for the user's home organization, that policy applies.

  2. Otherwise, the hierarchy is walked upward from the home organization, one parent at a time, until an organization with an attached password policy is found. That policy applies to the user.

  3. If no organization in the hierarchy has a password policy, the policy attached to the Top organization applies. If no password policy is attached to the Top organization either, the default password policy of the XellerateUsers resource applies.
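
The resolution order above, as an added Python model rather than Oracle Identity Manager code: the organization tree and the policies attached to organizations are constructed, the policy rules (minimum length, digits, uppercase letters, and no login name inside the password) are a stand-in for a real policy's conditions, and DEFAULT_POLICY stands for the default policy of the XellerateUsers resource, whose actual rules the text does not state, so its values here are assumptions. The cycle check is this example's own defensive addition.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int = 8
    min_digits: int = 0
    min_uppercase: int = 0
    disallow_login: bool = True

    def violations(self, password, login):
        """Return the list of rules the password breaks (empty if compliant)."""
        found = []
        if len(password) < self.min_length:
            found.append(f"length < {self.min_length}")
        if sum(c.isdigit() for c in password) < self.min_digits:
            found.append(f"digits < {self.min_digits}")
        if sum(c.isupper() for c in password) < self.min_uppercase:
            found.append(f"uppercase < {self.min_uppercase}")
        if self.disallow_login and login.lower() in password.lower():
            found.append("contains login")
        return found


# Stand-in for the XellerateUsers default policy (rules are assumed).
DEFAULT_POLICY = PasswordPolicy("XellerateUsers default", min_length=6)

# Constructed hierarchy: child organization -> parent organization.
PARENT = {
    "Internal Users": "Top",
    "External Users": "Top",
    "Partners": "External Users",
    "Partner1": "Partners",
    "Partner1 US": "Partner1",
}

# Constructed policy attachments: only some organizations carry a policy.
POLICY_OF = {
    "Top": PasswordPolicy("Corporate", min_length=10, min_digits=1, min_uppercase=1),
    "Partners": PasswordPolicy("Partner baseline", min_length=12, min_digits=2),
}


def effective_password_policy(home_org, parent=PARENT, policies=POLICY_OF):
    """Walk from the user's home organization up the hierarchy and return
    (policy, organization it was found on). Top is reached as the last
    ancestor; if it carries no policy either, the default policy is returned
    with None as the source organization."""
    org, seen = home_org, set()
    while org is not None:
        if org in seen:
            raise ValueError(f"organization hierarchy contains a cycle at {org}")
        seen.add(org)
        if org in policies:
            return policies[org], org
        org = parent.get(org)
    return DEFAULT_POLICY, None


def check_password(home_org, login, password, parent=PARENT, policies=POLICY_OF):
    """Resolve the effective policy for a user and evaluate a candidate
    password against it; returns (policy name, source org, violations)."""
    policy, source = effective_password_policy(home_org, parent, policies)
    return policy.name, source, policy.violations(password, login)


if __name__ == "__main__":
    # A Partner1 US user inherits the Partners policy, not the Top policy.
    print(check_password("Partner1 US", "user1", "user1pass"))
    # An Internal Users user falls through to the policy attached to Top.
    print(check_password("Internal Users", "hr_admin", "abcdefghij"))
```

The point worth checking in a real deployment is the second case: an organization with no policy of its own silently inherits whatever is attached further up, so a weak or missing policy on Top becomes the effective policy for every organization that nobody explicitly configured.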

13.8 Organization Management Tasks

The tasks related to organization management are performed in the Organizations section of Identity Self Service. The tasks are described in the following sections:

13.8.1 Searching Organizations

To search for organizations:

  1. Log in to Identity Self Service.

  2. In the left pane, under Administration, click Organizations. The Organization page is displayed.

  3. Select any one of the following:

    • All: Search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.

    • Any: Search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.

  4. In the Organization Name field, enter the organization name to search for, and select a search comparator. The default comparator is Starts With; Equals is also available.

    You can use wildcard characters to specify the organization name.

  5. From the Type list, select the organization type. The organization type can be Branch, Company, or Department.

  6. To add a field in your search:

    1. Click Add Fields, and select a field, such as Organization Status.

    2. Enter value for the search attribute that you added. In this example, from the Organization Status list, select the organization status, which can be Active, Deleted, or Disabled.

      If you want to remove a field that you added in the search, then click the cross icon next to the field.

  7. Click Search. The results are displayed in the search results table.

    The search results table displays the organization name, parent organization name, organization type, and organization status, as shown in Figure 13-2:

    Figure 13-2 Organization Search Results


13.8.2 Creating an Organization

To create an organization:

  1. In Identity Self Service, under Administration, click Organizations. The Organization page is displayed.

  2. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Organization page is displayed, as shown in Figure 13-3:

    Figure 13-3 The Create Organization Page


  3. In the Organization Name field, enter the name of the organization.

  4. From the Type list, select the type of the organization, such as Branch, Company, or Department.

  5. Specify the parent organization to which the newly created organization will belong. To do so:

    1. Click the search icon next to the Parent Organization field. The Search Organizations dialog box is displayed.

    2. Search and select the organization that you want to specify as the parent organization.

    3. Click Select. The selected organization is added as the parent organization.

  6. Specify a password policy name that you want to associate with the organization. To do so:

    1. Click the search icon next to the Password Policy Name field. The Search Password Policy Name dialog box is displayed.

    2. Search and select the password policy that you want to associate with the organization. To list all password policies, you can click the search icon, and then you can select the password policy from the search results.

    3. Click Add. The selected password policy name is added to the Password Policy Name field.

    See Also:

    "Managing Password Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about creating and managing password policies

  7. Click Save to create the organization.

13.8.3 Viewing and Modifying Organizations

The view organization operation allows you to view detailed organization profile information in the organization details page. You can view this page only if you are authorized to view the organization profile as determined by the authorization policy. If you have the authorization to modify the organization, then you can also modify the organization by using this page.

To open the details of an organization:

  1. In Identity Self Service, under Administration, click Organizations. The Organization page is displayed.

  2. Search and select the organization whose details you want to display.

  3. From the Actions menu, select Open. Alternatively, click Open on the toolbar. The details of the selected organization are displayed in a new page, as shown in Figure 13-4:

    Figure 13-4 The Organization Details Page

    Description of Figure 13-4 follows
    Description of "Figure 13-4 The Organization Details Page"

You can perform administrative modifications to the organization in the organization details page. The page is divided into sections, and modifications made in each section are independent of the others and must be saved individually. Modification in each section is described in the following sections:

13.8.3.1 Modifying Organization Attributes

The Attributes tab, as shown in Figure 13-4, of the organization details page displays attributes of the organization. If you are authorized to modify the organization profile as determined by authorization policy, then the organization details page opens in editable mode, and you can modify organization information. You can modify the values for the attributes, and then click Apply to save the changes.

Whether or not the logged-in user is allowed to modify the organization is controlled by authorization policies. If you are not allowed to modify the organization, then the organization details page is displayed in read-only mode with no editable fields.

Note:

The Status attribute in the organization details page is read-only.

13.8.3.2 Managing Child Organizations

The Children tab displays a list of child organizations that the open organization has. For each child organization in the list, the organization name, organization type, and organization status are displayed.

The Children tab enables you to perform the following:

13.8.3.2.1 Creating a Child Organization

In the Children tab, you can create a child organization, or suborganization, of the open organization by selecting Create Sub-org from the Actions menu. Alternatively, click Create Sub-org on the toolbar. The Create Organization page is displayed, with the open organization already set as the parent. Perform the steps described in "Creating an Organization" to complete creating the child organization.

13.8.3.2.2 Deleting a Child Organization

To delete a child organization:

  1. In the Children tab, select the organization you want to delete.

  2. From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A message is displayed asking for confirmation.

  3. Click Yes to confirm. The selected child organization is deleted.

13.8.3.2.3 Disabling a Child Organization

To disable a child organization:

  1. In the Children tab, select the organization you want to disable.

  2. From the Actions menu, select Disable. Alternatively, click Disable on the toolbar. A message is displayed asking for confirmation.

  3. Click Yes to confirm. The selected child organization is disabled.

13.8.3.2.4 Enabling a Child Organization

To enable a child organization:

  1. In the Children tab, select the organization you want to enable.

  2. From the Actions menu, select Enable. Alternatively, click Enable on the toolbar. A message is displayed asking for confirmation.

  3. Click Yes to confirm. The selected child organization is enabled.

13.8.3.2.5 Opening a Child Organization

From the Children tab, you can open the details of a child organization by selecting the organization, and selecting Open from the Actions menu. Alternatively, you can click Open on the toolbar, or simply click the name of the organization.

To modify a child organization, click the name of the child organization that you want to modify. The organization details page for the selected organization is displayed, and you can modify the details of that organization from there, subject to the same authorization policy checks as for any other organization.

13.8.3.3 Viewing Organization Membership

The Members tab is a read-only tab that displays a list of users in the selected organization. For each user in the list, the following are displayed:

  • User Login

  • Display Name

  • First Name

  • Last Name

  • Email

Tip:

You can add users to, or remove users from, an organization by changing the organization attribute in the Attributes tab of the user details page. Membership cannot be changed from the Members tab.

13.8.3.4 Viewing Available Roles

You can view the roles in an organization by clicking the Available Roles tab of the organization details page. The role names, role categories, and corresponding organization names are listed in this tab.

13.8.3.5 Managing Admin Roles

You can view the admin roles that are assigned to an organization by clicking the Admin Roles tab of the organization details page. The admin roles and their descriptions are listed in this tab. When you select an admin role, the users who hold the selected admin role are displayed in the User Members section. This tab also allows you to grant the admin roles available to the open organization to users, and to revoke them.

In the Admin Roles tab, you can perform the following:

13.8.3.5.1 Granting an Admin Role

To grant an admin role to a user:

  1. In the organization details page, click the Admin Roles tab. A list of admin roles assigned to the open organization is displayed.

  2. Select the admin role that you want to grant to a user.

  3. Click Assign on the toolbar. The Advanced Search for Target Users dialog box is displayed.

  4. Search for the target users to whom you want to grant the selected admin role. You can select the Just show my directs option to list only your direct reports.

  5. In the User Results section, select the user that you want to grant the admin role.

  6. Click Add Selected to move the selected user to the Selected Users section. Alternatively, you can click Add All to move all the users from the User Results section to the Selected Users section.

  7. Click Add. The admin role is granted to the selected user. When you click the admin role in the Admin Roles tab, the selected user's record is displayed in the User Members section.

  8. In the User Members section, select the user record. Select Include sub-orgs to scope the admin role grant to the organization and all of its suborganizations. If you want the grant to apply to the organization only, and not to any of its suborganizations, then leave this option cleared. Review this setting carefully: with Include sub-orgs selected, the user gains the admin role over every suborganization that is created later under that organization as well.

13.8.3.5.2 Revoking an Admin Role

To revoke an admin role from a user:

  1. In the Admin Roles tab, select an admin role from which you want to revoke the user.

  2. In the User Members section, select the user from whom you want to revoke the admin roles.

  3. From the Actions menu, select Revoke. Alternatively, click Revoke on the toolbar. A message is displayed asking for confirmation.

  4. Click Revoke to confirm. The user record is no longer displayed when you select the admin role.

13.8.3.6 Viewing Available Accounts

The accounts available to an organization are the accounts that have been published to the organization. This means that the accounts are available for requesting by the users of the organization. You can view the available accounts in an organization by clicking the Available Accounts tab in the organization details page.

13.8.3.7 Viewing Provisioned Accounts

The Provisioned Accounts tab displays the accounts that have been provisioned to the open organization.

In the Provisioned Accounts tab, you can perform the following:

13.8.3.7.1 Provisioning an Account

To provision an account to an organization:

  1. In the Provisioned Accounts tab, select the account that you want to provision.

  2. From the Actions menu, select Provision. Alternatively, click Provision on the toolbar.

    The Provision Resource to Organization page is displayed in a new window.

  3. On the Step 1: Select a Resource page, select a resource from the list, and then click Continue.

  4. On the Step 2: Verify Resource Selection page, click Continue.

  5. On the Step 5: Provide Process Data page, enter the details of the account that you want to provision to the organization, and then click Continue.

  6. On the Step 6: Verify Process Data page, verify the data that you have provided, and then click Continue. The "Provisioning has been initiated" message is displayed.

13.8.3.7.2 Revoking an Account

To revoke an account from an organization:

  1. In the Provisioned Accounts tab, select the account that you want to revoke.

  2. From the Actions menu, select Revoke. Alternatively, you can click Revoke on the toolbar.

    A message is displayed asking for confirmation.

  3. Click Yes.

13.8.3.7.3 Viewing the Details of a Provisioned Account

To view the details of a provisioned account:

  1. In the Provisioned Accounts tab, select the account you want to open.

  2. From the Actions menu, select Open. Alternatively, you can click Open on the toolbar.

    The details of the account are displayed in a new page.

13.8.3.7.4 Disabling a Provisioned Account

To disable a provisioned account:

  1. In the Provisioned Accounts tab, select the account you want to disable.

  2. From the Actions menu, select Disable. Alternatively, you can click Disable on the toolbar.

    A message is displayed stating that the provisioned account has been successfully disabled.

13.8.3.7.5 Enabling a Provisioned Account

To enable a provisioned account:

  1. In the Provisioned Accounts tab, select the account you want to enable.

  2. From the Actions menu, select Enable. Alternatively, you can click Enable on the toolbar.

    A message is displayed stating that the provisioned account has been successfully enabled.

13.8.3.8 Viewing Available Entitlements

You can view the entitlements published to the open organization by clicking the Available Entitlements tab. For each entitlement, the following information is displayed:

  • Entitlements name

  • Resource associated with the entitlement

  • Account name associated with the entitlement

  • Organization name

13.8.4 Disabling and Enabling Organizations

Note:

You cannot disable an organization that has child organizations or users. You can force the disable only by setting the system property ORG.DISABLEDELETEACTIONENABLED to true. After you set this property, disabling the parent organization also disables all of its users and suborganizations. The same property also enables force delete, so review the organization's Children and Members tabs before disabling it with this property set.

To disable an organization with enabled state:

  1. In the organization details page, click Disable on the top of the page. Alternatively, in the search result for organizations in the Organization page, select the organization, and from the Actions menu, select Disable.

    A message is displayed asking for confirmation.

  2. Click Disable to confirm.

To enable an organization with disabled state:

  1. In the search result for organizations in the Organization page, select the organization that you want to enable.

  2. From the Actions menu, select Enable. A message is displayed asking for confirmation.

  3. Click Enable to confirm.

13.8.5 Deleting an Organization

Note:

  • You cannot delete an organization that has child organizations or users. You can force the delete only by setting the system property ORG.DISABLEDELETEACTIONENABLED to true. After you set this property, deleting the parent organization also deletes all of its users and suborganizations.

  • You can delete an organization only if you have the Delete permission for that organization.

  • The deleted record still exists in the database, marked as deleted. Deletion is a status change, not a physical removal.

To delete an organization:

  1. In the search result for organizations in the Organization page, select the organization that you want to delete.

  2. From the Actions menu, select Delete. Alternatively, you can click Delete on top of the organization details page. A message is displayed asking for confirmation.

  3. Click Delete to confirm.
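The two rules above that matter most for security are the scope of an admin role grant (the Include sub-orgs option in "Granting an Admin Role") and the cascade that ORG.DISABLEDELETEACTIONENABLED turns on for "Disabling and Enabling Organizations" and "Deleting an Organization". The following is an added example, not Oracle Identity Manager code: a small Python model of an organization hierarchy that reproduces those rules on the Vision Inc. hierarchy from this chapter, so that you can see which organizations a grant reaches and what a forced disable or delete touches. The organization names, user logins and the placeholder admin role name ADMIN_ROLE are constructed for the example; OIM's own authorization policy evaluation and its database representation are not modelled.

```python
"""Toy model of OIM organization scoping and the force disable/delete cascade.
Constructed illustration for this chapter; it is not Oracle Identity Manager code."""
from typing import Dict, List, Optional, Set, Tuple

# Placeholder admin role name; OIM ships its own admin role definitions.
ADMIN_ROLE = "Org Admin"


class OrgTree:
    def __init__(self) -> None:
        # organization name -> (parent name or None, status)
        self.orgs: Dict[str, Tuple[Optional[str], str]] = {}
        # user login -> (home organization, status)
        self.users: Dict[str, Tuple[str, str]] = {}
        # (user login, admin role, organization, include_sub_orgs)
        self.grants: List[Tuple[str, str, str, bool]] = []

    def add_org(self, name: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self.orgs:
            raise KeyError(f"parent organization {parent!r} does not exist")
        self.orgs[name] = (parent, "Active")

    def add_user(self, login: str, org: str) -> None:
        if org not in self.orgs:
            raise KeyError(f"organization {org!r} does not exist")
        self.users[login] = (org, "Active")

    def children(self, org: str) -> List[str]:
        return [n for n, (p, _) in self.orgs.items() if p == org]

    def descendants(self, org: str) -> Set[str]:
        """All suborganizations below org, at any depth."""
        found: Set[str] = set()
        stack = [org]
        while stack:
            for child in self.children(stack.pop()):
                if child not in found:
                    found.add(child)
                    stack.append(child)
        return found

    def members(self, org: str) -> Set[str]:
        return {u for u, (o, _) in self.users.items() if o == org}

    def grant_admin_role(self, login: str, role: str, org: str,
                         include_sub_orgs: bool = False) -> None:
        self.grants.append((login, role, org, include_sub_orgs))

    def revoke_admin_role(self, login: str, role: str, org: str) -> None:
        self.grants = [g for g in self.grants if g[:3] != (login, role, org)]

    def has_admin_role(self, login: str, role: str, target_org: str) -> bool:
        """True if login holds role with a scope that covers target_org.
        A grant without Include sub-orgs covers only the organization it was
        made on; with it, the grant also covers every descendant."""
        for user, granted_role, org, include_sub_orgs in self.grants:
            if user != login or granted_role != role:
                continue
            if org == target_org or (include_sub_orgs and target_org in self.descendants(org)):
                return True
        return False

    def _cascade(self, org: str, new_status: str, force: bool, verb: str) -> None:
        # UI rule: an organization with children or users cannot be disabled or
        # deleted unless ORG.DISABLEDELETEACTIONENABLED=true (force=True here).
        if not force and (self.children(org) or self.members(org)):
            raise PermissionError(
                f"cannot {verb} {org!r}: it has child organizations or users; "
                "set ORG.DISABLEDELETEACTIONENABLED=true to force")
        for o in {org} | self.descendants(org):
            parent, _ = self.orgs[o]
            self.orgs[o] = (parent, new_status)      # record kept, status changed
            for u in self.members(o):
                self.users[u] = (o, new_status)

    def disable(self, org: str, force: bool = False) -> None:
        self._cascade(org, "Disabled", force, "disable")

    def delete(self, org: str, force: bool = False) -> None:
        self._cascade(org, "Deleted", force, "delete")


def vision_inc() -> OrgTree:
    """Constructed sample hierarchy following the Vision Inc. scenario."""
    tree = OrgTree()
    tree.add_org("Vision Inc.")
    tree.add_org("Partner1", parent="Vision Inc.")
    tree.add_org("Partner1 US", parent="Partner1")
    tree.add_org("Partner1 EMEA", parent="Partner1")
    tree.add_user("Partner1 DA", "Partner1")
    tree.add_user("User1", "Partner1 US")
    # Partner1 DA is delegated administrator of Partner1 and everything under it.
    tree.grant_admin_role("Partner1 DA", ADMIN_ROLE, "Partner1", include_sub_orgs=True)
    # User1 administers Partner1 US only.
    tree.grant_admin_role("User1", ADMIN_ROLE, "Partner1 US")
    return tree
```

Running vision_inc() and calling has_admin_role shows that Partner1 DA's grant reaches Partner1 EMEA while User1's does not reach Partner1 or Partner1 EMEA; disable("Partner1") without force raises, and with force it marks Partner1 US, Partner1 EMEA and User1 as Disabled while leaving Vision Inc. untouched. The model keeps deleted organizations in the orgs dictionary with status Deleted, mirroring the note that deleted records remain in the database.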