11 Managing Users

The user management feature in Oracle Identity Manager includes creating, updating, deleting, enabling and disabling, resetting passwords, locking, and unlocking of user accounts.

The following sections describe the user management tasks that you can perform by using Oracle Identity Self Service.

11.1 Searching Users

The search operation lets you search user entities based on the search criteria that you specify. Each search criterion consists of:

  • The attribute to search against

  • The search operators, such as Equals and Starts with

  • The values to search for

To search for users:

  1. Log in to Identity Self Service.

  2. On the left pane, under Administration, select Users. The Manage Users page is displayed.

  3. Select any one of the following options:

    • All: On selecting this option, the search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.

    • Any: On selecting this option, the search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.

  4. In the searchable user attribute fields, such as User Login, specify a value. You can include wildcard characters (*) in the attribute value.

    For some attributes, select the attribute value from the list. For example, to search all users with locked accounts, select Locked from the Account Status list.

  5. For each attribute value that you specify, select a search operator from the list.

    The following search operators are available for String type of attributes:

    • Starts with

    • Ends with

    • Equals

    • Does not equal

    • Contains

    • Does not contain

    The following search operators are available for Date type of attributes:

    • Equals

    • Before

    • After

    • On or before

    • On or after

    • Between

    The search operator can be combined with wildcard characters to specify a search condition. The asterisk (*) is the wildcard character. For example, you can specify Jo* as the value of the User Login attribute and select Equals as the search operator; the users with login names that begin with Jo are displayed.

  6. To add a searchable user attribute to the Search Users page, click Add Fields, and select the attribute from the list of attributes.

    For example, if you want to search all users with the Country attribute as US, then you can add the Country attribute as a searchable field and specify a search condition.

    Note:

    You can configure the attributes that are searchable. The attributes available for search must be a subset of the attributes defined for the user entity that are marked with the Searchable = Yes property.

  7. Optionally click Reset to reset the search conditions and values that you specified. Typically, you perform this step to remove the specified search conditions and specify a new search condition.

  8. Click Search. The search results are displayed in a tabular format.

  9. If you want to hide columns in the search results table, then perform the following steps:

    1. Click View on the toolbar, select Columns, Manage Columns. The Manage Columns dialog box is displayed.

    2. From the Visible Columns list, select the columns that you want to hide.

    3. Click the left arrow icon to add the columns in the Hidden Columns list.

    4. Click OK. The selected columns are not displayed in the search results. A status message along the bottom of the search table identifies how many columns are currently hidden. The figure (not reproduced in this text) shows three hidden columns.
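The matching rules described in this procedure (All combines criteria with AND, Any with OR; the String and Date operators; the asterisk wildcard) can be modelled directly. The following is an added example, not Oracle Identity Manager code: it evaluates search criteria over a small constructed list of user records. The case-insensitive comparison and the ISO date format for Date bounds are assumptions of this model.

```python
"""Model of the Search Users matching rules: All (AND) versus Any (OR),
the String and Date operators, and the asterisk wildcard.

Added illustration, not Oracle Identity Manager code; the user records
below are constructed sample data.
"""
import re
from datetime import date

# Constructed sample records; attribute names follow the Search Users page.
USERS = [
    {"User Login": "john.doe", "First Name": "John", "Country": "US",
     "Account Status": "Unlocked", "Start Date": date(2013, 1, 15)},
    {"User Login": "jo.smith", "First Name": "Joanna", "Country": "UK",
     "Account Status": "Locked", "Start Date": date(2014, 6, 1)},
    {"User Login": "amy.lee", "First Name": "Amy", "Country": "US",
     "Account Status": "Locked", "Start Date": date(2012, 3, 9)},
]


def _wildcard_regex(pattern: str) -> re.Pattern:
    """Turn a value containing '*' wildcards into an anchored regex.

    Only '*' is special; every other character is matched literally.
    Case-insensitive matching is an assumption of this model.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def match_string(value: str, operator: str, pattern: str) -> bool:
    """Apply one String-type search operator from the list above."""
    positive = {
        "Starts with": pattern + "*",
        "Ends with": "*" + pattern,
        "Equals": pattern,
        "Contains": "*" + pattern + "*",
    }
    if operator in positive:
        return _wildcard_regex(positive[operator]).match(value) is not None
    if operator == "Does not equal":
        return not match_string(value, "Equals", pattern)
    if operator == "Does not contain":
        return not match_string(value, "Contains", pattern)
    raise ValueError(f"unknown String operator: {operator}")


def match_date(value: date, operator: str, bound) -> bool:
    """Apply one Date-type operator; bounds are ISO strings (YYYY-MM-DD)."""
    if operator == "Between":
        low, high = (date.fromisoformat(b) for b in bound)
        return low <= value <= high
    b = date.fromisoformat(bound)
    comparisons = {
        "Equals": value == b,
        "Before": value < b,
        "After": value > b,
        "On or before": value <= b,
        "On or after": value >= b,
    }
    if operator not in comparisons:
        raise ValueError(f"unknown Date operator: {operator}")
    return comparisons[operator]


def matches(user: dict, criterion: tuple) -> bool:
    """Evaluate one (attribute, operator, value) criterion against a record."""
    attribute, operator, value = criterion
    actual = user.get(attribute)
    if actual is None:          # attribute not set on this record: no match
        return False
    if isinstance(actual, date):
        return match_date(actual, operator, value)
    return match_string(str(actual), operator, str(value))


def search_users(criteria: list, mode: str = "All", users: list = USERS) -> list:
    """Return the User Login of each record that satisfies the criteria.

    mode "All" requires every criterion to match (AND); mode "Any" requires
    at least one to match (OR), as the All and Any options are described.
    """
    if mode not in ("All", "Any"):
        raise ValueError("mode must be 'All' or 'Any'")
    combine = all if mode == "All" else any
    return [u["User Login"] for u in users
            if combine(matches(u, c) for c in criteria)]


if __name__ == "__main__":
    # The documented example: User Login equals Jo* lists logins starting with Jo.
    print(search_users([("User Login", "Equals", "Jo*")]))
```

Running the module prints the logins that start with Jo. Passing several criteria with mode "Any" widens the result set, with mode "All" narrows it; an empty criteria list matches everything under "All" and nothing under "Any", which is the usual semantics of AND and OR over zero terms.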

11.1.1 Operations on Search Results

This section describes the operations that you can perform based on selection of row(s) in the search results table. It is divided into single selection operations and bulk or multiple selection operations.

You can perform the following single selection operations by selecting a user from the search results table:

  • View detail

  • Modify, only if the user status is active

  • Enable, only if the user status is disabled

  • Disable, only if the user status is enabled

  • Lock, only if the selected user's account is unlocked

  • Unlock, only if the selected user's account is locked

  • Reset password

  • Delete

You can perform the following bulk or multiple selection operations by selecting multiple users from the search results table:

  • Modify

  • Enable, only if the user status is disabled

  • Disable, only if the user status is enabled

  • Lock, only if the selected user's account is unlocked

  • Unlock, only if the selected user's account is locked

  • Delete

Note:

Operations can be direct or request-based (that is, subject to approval), depending on your authorization privileges, which are determined by your admin roles.

11.2 Creating a User

You can create a new user in Oracle Identity Manager by using the Create User page. You can open this page only if you are authorized to create users as determined by the authorization policy on the Create User privilege on any organization in Oracle Identity Manager.

Note:

The create user operation can be a direct operation or generate a request, which is subject to approval, based on the authorization privileges you have.

To create a user:

  1. In Identity Self Service, under Administration, click Users. The Search Users page is displayed.

  2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.

  3. Enter details of the user in the Create User page. Table 11-1 describes the fields in the Create User page:

    Table 11-1 Fields in the Create User Page

    Fields are grouped by the section of the page in which they appear.

    Justification and Effective Date
      Justification          Justification for creating the user.
      Effective Date         Date on which the user must be created.

    Basic Information
      First Name             First name of the user.
      Middle Name            Middle name of the user.
      Last Name              Last name of the user.
      E-mail                 E-mail address of the user.
      Manager                The reporting manager of the user.
      Organization           The organization to which the user belongs. This is also known as the home organization.
      User Type              The type of employee, such as consultant, contractor, contingent worker, employee, full-time employee, intern, non-worker, other, part-time employee, or temporary.
      Display Name           The display name of the user. It can have localized values, which you add by clicking Manage Localizations and selecting from a list of languages. Display Name is available in 33 languages.

    Account Settings
      User Login             The user name for logging in to the Administration Console.
      Password               The password for logging in to the Administration Console.
      Confirm Password       Re-enter the password for logging in to the Administration Console.

    Account Effective Dates
      Start Date             The date on which the user is activated in the system.
      End Date               The date on which the user is deactivated in the system.

    Provisioning Dates
      Provisioning Date      Date on which the user is provisioned into the system.
      Deprovisioning Date    Date on which the user is deprovisioned from the system.

      Note: The Provisioning Date and Deprovisioning Date fields are not used in Oracle Identity Manager 11g Release 2 (11.1.2.2.0).

    Contact Information
      Telephone Number       The telephone number of the user.
      Home Phone             The telephone number of the user's residence.
      Fax                    The fax number of the user.
      Mobile                 The mobile number of the user.
      Pager                  The pager number of the user.
      Home Postal Address    The postal address of the user's residence.
      Postal Address         The postal address of the user.
      Postal Code            The postal code of the user's address.
      PO Box                 The post office box number of the user's address.
      State                  The state in which the user resides.
      Street                 The street on which the user resides.
      Country                The country in which the user resides.

    Preferences
      Locale                 The locale code of the user.
      Timezone               The timezone of the user.

    Other Attributes
      Common Name            The common name of the user.
      Department Number      The department number of the user.
      Employee Number        The employee number of the user.
      Generation Qualifier   The generation qualifier of the user's name.
      Hire Date              The hiring date of the user.
      Locality Name          The name of the locality in which the user resides.
      Initials               The initials of the user.
      Title                  The title of the user.

  4. Click Submit or Save as Draft. A message is displayed stating that the user is created successfully.

    Tip:

    Users can be created by any one of the following methods:

    • By using Oracle Identity Administration

    • By self registration

    • By using SPML Web service or APIs

    For all the above methods, Oracle Identity Manager uses the default password policy or Password Policy against Default Rule. If you want to use a different password policy, then you must attach the new password policy to the default rule by using Oracle Identity System Administration. To do so, see "Managing Password Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

11.3 Viewing User Details

The view user operation allows you to view detailed user profile information in the User Details page. You can open this page if you are authorized to view the user's profile as determined by the authorization policy through the View User Details privilege.

To display user details:

  1. In Identity Self Service, under Administration, click Users. The Search Users page is displayed.

  2. Search for the user for which you want to display the details.

  3. In the search results table, click the user login name in the User Login column. The User Details page is displayed.

The user details are displayed in the following tabs:

  • The Attributes Tab: Displays the attribute profile that includes details about basic user information, account effective dates, and provisioning dates. For more details, see "Editing User Attributes".

  • The Roles Tab: Displays a list of roles to which the user belongs. You can click each role to display summary information about the role.

    In the Roles tab, you can assign roles to the user and remove roles from the user. For more details, see "Requesting and Removing Roles".

  • The Entitlements Tab: Displays a list of entitlements for the user. You can click each entitlement to display a summary of the entitlement.

    In the Entitlements tab, you can request for entitlements and remove entitlements from the user. For more details, see "Requesting, Removing, and Modifying Entitlements".

  • The Accounts Tab: Displays a list of accounts for the user. You can click each account to display a summary of the account.

    Typical tasks you perform in this tab are request for an account, modify and remove accounts, mark an account as primary, and disable and enable accounts. For more details, see "Requesting, Removing, and Modifying Accounts".

  • The Direct Reports Tab: Displays a read-only table of users for whom the user is set as the manager. In other words, this tab lists the direct reportees of the user. For each user in the table, it displays the following:

    • Display Name

    • User Login

    • Status

    • Organization

    If you select a row in the table, then summary information about the direct reportee is displayed at the bottom.

    The Direct Reports tab also lets you open the user details of a direct reportee. To do so, select a row in the table of direct reportees, and click the open icon on the toolbar.

  • The Admin Roles Tab: Displays a list of admin roles assigned to the user. You can select an admin role to display a summary of the admin role.

    Using the admin role detail information, you can select or deselect the include sub-orgs option. When this option is selected, it specifies that the admin role is applicable to the users of the organization and all the suborganizations of the organization. When this option is not selected, it specifies that the admin role is applicable to the users of the organization only. See "Managing Admin Roles" for more information.

11.4 Modifying Users

You can perform administrative user modification tasks from the user details. The modification is broken up across the different tabs of the User Details page, which means that modifications made in each tab are independent of each other and must be saved individually. The modifications you can perform in each tab are outlined in the following sections:

Note:

The modify user operation can be a direct operation or generate a request, which is subject to approval, based on the authorization privileges you have.

11.4.1 Editing User Attributes

To edit the attributes of a user:

  1. In the Users section under Administration, search for the user for which you want to modify the attributes.

  2. Select the user in the search results table.

  3. Modify the user in one of the following ways:

    • Click Edit on the toolbar.

    • From the Actions menu, select Edit.

    • Click the user login of the user record that you want to modify. On the User Details page, click Modify User on the toolbar.

  4. In the Modify User page, change values of the attributes in the respective fields as required.

  5. Click Submit. The modify attribute operation is completed successfully.

11.4.2 Requesting and Removing Roles

In the Roles tab of the User Details page, you can add and remove roles. To assign roles for a user:

  1. In the User Details page, click the Roles tab. The Roles tab is displayed with the list of roles assigned to the user.

  2. From the Actions menu, select Request. Alternatively, you can click Request Roles on the toolbar. The Catalog page is displayed.

  3. Click the search icon next to the Catalog field. A list of catalog items available for requesting is displayed.

    Note:

    The catalog items that are available for requesting by a user are governed by the authorization privileges defined for the admin roles of the user.

  4. Select the catalog item for the role that you want to request.

  5. Click Add Selected to Cart. The selected role catalog item is added to the request cart.

  6. Click Checkout. The role will be assigned to the user when an approver approves the request.

    You can edit the catalog item by clicking View & Edit.

To remove roles from a user:

  1. In the User Details page, click the Roles tab. The Roles tab is displayed with the list of roles assigned to the user.

  2. Select the role that you want to remove.

  3. From the Actions menu, select Remove. Alternatively, you can click Remove Roles on the toolbar. The Catalog page is displayed.

  4. Click the search icon next to the Catalog field. A list of catalog items available for requesting is displayed.

  5. Select the catalog item for the role that you want to remove.

  6. Click Add Selected to Cart. The selected role catalog item is added to the request cart.

  7. Click Checkout. The role is either removed immediately or a request is raised depending on authorization privileges granted to the user.

    You can edit the catalog item by clicking View & Edit.

11.4.3 Requesting, Removing, and Modifying Entitlements

To request entitlements for a user:

  1. In the User Details page, click Entitlements. The Entitlements tab is displayed with the list of entitlements assigned to the user.

  2. From the Actions menu, select Request. Alternatively, you can click Request Entitlements on the toolbar. The Catalog page is displayed.

  3. Click the search icon next to the Catalog field. A list of catalog items available for requesting is displayed.

    Note:

    The catalog items that are available for requesting by a user are governed by the authorization privileges defined for the admin roles of the user.

  4. Select the catalog item for the entitlement that you want to request.

  5. Click Add Selected to Cart. The selected entitlement catalog item is added to the request cart.

  6. Click Checkout. The Cart Details page is displayed.

  7. (Optional) For the requested entitlements, enter any additional information as needed. This additional information can be added using a form associated with the entitlement, provided the entitlement forms have been generated or re-generated by system administrators.

    For example, you can enter effective start and end dates for the entitlement. Then, the approver can review and/or modify this additional information and decide whether the entitlements can be provisioned or not. The entitlements will be assigned to the user when the approver approves the request.

To remove entitlements from a user:

  1. In the User Details page, click Entitlements. The Entitlements tab is displayed with the list of entitlements assigned to the user.

  2. Select the entitlement that you want to remove.

  3. From the Actions menu, select Remove. Alternatively, you can click Remove Entitlements on the toolbar. The Catalog page is displayed.

  4. Click the search icon next to the Catalog field. A list of catalog items available for requesting is displayed.

  5. Select the catalog item for the entitlement that you want to remove.

  6. Click Add Selected to Cart. The selected entitlement catalog item is added to the request cart.

  7. Click Checkout. The entitlement will be removed from the user when an approver approves the request.

    You can edit the catalog item by clicking View & Edit.

11.4.4 Requesting, Removing, and Modifying Accounts

You can perform the following account modification operations from the Accounts tab of the User Details page:

11.4.4.1 Requesting for an Account

You can request accounts by requesting an application instance. You can request for the following types of accounts (application instances):

  • Primary account: A primary account is the first account created for a user in a target application. In other words, a primary account is the first application instance that is being requested. Oracle Identity Manager supports multiple accounts for a single application instance. The first account that is created is tagged as primary account, and there can be only one primary account for a user. The other accounts (non-primary accounts) are associated with the primary account. When the user requests entitlements, the entitlements are appended to the primary account.

  • Non-primary account: If a user already has a primary account and requests for another account in the same target application, then that account is a non-primary account. A user can have multiple non-primary accounts, but only one primary account.

See Also:

"Marking an Account as Primary" for more information on marking an account as primary

To request for an account:

  1. In the User Details page, click the Accounts tab. This tab lists the accounts of the user.

  2. From the Actions menu, select Request. Alternatively, click Request Accounts on the toolbar. The Catalog page is displayed.

  3. Click the search icon next to the Catalog field. A list of catalog items available for requesting is displayed.

    Note:

    The catalog items that are available for requesting by a user are governed by the authorization privileges defined for the admin roles of the user.

  4. Select the catalog item for the account that you want to request. In other words, select the application instance that you want to request.

  5. Click Add Selected to Cart. The selected account catalog item is added to the request cart.

  6. Click Checkout. The account will be granted to the user when an approver approves the request.

    You can edit the catalog item by clicking View & Edit.

11.4.4.2 Modifying an Account

To modify an account for the user:

  1. In the Accounts tab, select the account that you want to modify.

  2. From the Actions menu, select Modify. Alternatively, click Modify Accounts on the toolbar. The account details are displayed and are available for editing.

  3. Edit the fields that you want to modify.

  4. Click Ready to Submit and then click Submit.

11.4.4.3 Removing an Account

To remove an account from the user:

  1. In the Accounts tab, select the account that you want to remove.

  2. From the Actions menu, select Remove. Alternatively, click Remove Accounts on the toolbar. The Remove Accounts page is displayed.

  3. Click Submit.

11.4.4.4 Marking an Account as Primary

Oracle Identity Manager supports multiple accounts in a single application instance. The first account that is created is tagged as the primary account, and there can be only one primary account for a user. The other accounts (non-primary accounts) are associated with the primary account.

All types of entitlements are available for request in the request catalog. If the request for an entitlement is approved, it is associated with the primary account and not the non-primary account.

When the user gets provisioned to an application instance, Oracle Identity Manager checks if it is the first account provisioned for the user in that application instance. If so, the account is marked as primary. When existing user accounts are reconciled from application instances, the first account that gets reconciled is marked as primary.

A user can have only one primary account. However, Oracle Identity Manager supports multiple accounts for a single application instance. If the account marked as primary is not supposed to be the actual primary account, you can manually change the primary tag for the account and mark another account as primary. By doing so, you can ensure that when the user requests entitlements, the entitlements are appended to the primary account.

To mark an account as a primary account:

  1. In the Accounts tab, select the account that you want to mark as primary.

  2. From the Actions menu, select Make Primary. Alternatively, click Make Primary on the toolbar.

    A message is displayed asking for confirmation.

  3. Click Yes to confirm. The account is marked as primary.
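The primary-account rules stated in this section (first account provisioned or reconciled in an application instance is tagged primary, exactly one primary per application instance, approved entitlements appended to the primary account, Make Primary moves the tag) are easy to get wrong in tooling that scripts account changes. The following is an added example, not Oracle Identity Manager code: a small model of one user's Accounts tab that enforces those rules and exposes an invariant check. The account identifiers and application instance names are constructed.

```python
"""Model of the primary/non-primary account rules for a single user.

Added illustration, not Oracle Identity Manager code. It encodes the rules
stated in the text: the first account provisioned or reconciled for a user
in an application instance is tagged primary, a user has exactly one
primary account per application instance, approved entitlements are
appended to the primary account, and Make Primary moves the tag to
another account. Account ids and application instance names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    app_instance: str
    primary: bool = False
    entitlements: list = field(default_factory=list)


class UserAccounts:
    """The Accounts tab of one user: all accounts across application instances."""

    def __init__(self, user_login: str):
        self.user_login = user_login
        self.accounts: list = []

    def _in_instance(self, app_instance: str) -> list:
        return [a for a in self.accounts if a.app_instance == app_instance]

    def _find(self, account_id: str) -> Account:
        for a in self.accounts:
            if a.account_id == account_id:
                return a
        raise LookupError(f"no account {account_id!r} for {self.user_login}")

    def add_account(self, account_id: str, app_instance: str) -> Account:
        """Provisioning or reconciliation of one account.

        The first account seen for this application instance is tagged
        primary; any later account in the same instance is non-primary.
        """
        if any(a.account_id == account_id for a in self.accounts):
            raise ValueError(f"duplicate account id {account_id!r}")
        account = Account(account_id, app_instance,
                          primary=not self._in_instance(app_instance))
        self.accounts.append(account)
        return account

    def primary_account(self, app_instance: str):
        """Return the primary account in the instance, or None if none exists."""
        primaries = [a for a in self._in_instance(app_instance) if a.primary]
        if len(primaries) > 1:
            raise RuntimeError("invariant violated: more than one primary account")
        return primaries[0] if primaries else None

    def grant_entitlement(self, app_instance: str, entitlement: str) -> str:
        """An approved entitlement request: appended to the primary account only.

        Returns the id of the account that received the entitlement.
        """
        primary = self.primary_account(app_instance)
        if primary is None:
            raise LookupError(f"{self.user_login} has no account in {app_instance}")
        primary.entitlements.append(entitlement)
        return primary.account_id

    def make_primary(self, account_id: str) -> Account:
        """The Make Primary action: move the primary tag within one instance."""
        target = self._find(account_id)
        for a in self._in_instance(target.app_instance):
            a.primary = a is target
        return target

    def invariant_holds(self) -> bool:
        """Every application instance that has accounts has exactly one primary."""
        instances = {a.app_instance for a in self.accounts}
        return all(sum(a.primary for a in self._in_instance(i)) == 1
                   for i in instances)
```

The point the model makes explicit is that an entitlement granted before Make Primary stays on the old primary account; only entitlements approved afterwards land on the new one. Anyone re-tagging accounts after reconciliation should therefore review the entitlements already attached to the account that loses the tag.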

11.4.4.5 Disabling an Account

You can disable an account that is in enabled state. To disable an account:

  1. In the Accounts tab, select the account that you want to disable.

  2. From the Actions menu, select Disable. Alternatively, click Disable on the toolbar.

  3. Click Submit. The account is disabled.

11.4.4.6 Enabling an Account

You can enable an account that is in disabled state. To enable an account:

  1. In the Accounts tab, select the disabled account that you want to enable.

  2. From the Actions menu, select Enable. Alternatively, click Enable on the toolbar.

  3. Click Submit. The account is enabled.

11.4.5 Modifying Details of Direct Reports

To modify the details of direct reports:

  1. In the User Details page, click the Direct Reports tab. This tab lists the direct reports of the open user.

  2. Select the user or direct report you want to modify.

  3. From the Actions menu, click Open. Alternatively, click Open on the toolbar. The User details page of the selected direct report is displayed. Use the toolbar and tabs to modify the details of the direct report.

11.5 Disabling a User

To disable a user that is in enabled state:

  1. In the Users section under Administration, search for and select the user you want to disable.

  2. Disable the user in one of the following ways:

    • Click Disable on the toolbar.

    • From the Actions menu, select Disable.

    • Click the user login of the user record that you want to disable. On the User Details page, click Disable User on the toolbar.

  3. In the Target Users section, click the plus icon to search for more target users and add to the list of users that you want to disable. You can also view the user details by clicking the User Details link for each user.

  4. In the Justification and Effective Date section, specify a justification and effective date for disabling the selected user. Click Submit. A message is displayed stating that the user is successfully disabled.

11.6 Enabling a User

To enable a disabled user:

  1. In the Users section under Administration, search for and select the user you want to enable.

  2. Enable the user in one of the following ways:

    • Click Enable on the toolbar.

    • From the Actions menu, select Enable.

    • Click the user login of the user record that you want to enable. On the User Details page, click Enable User on the toolbar.

  3. In the Target Users section, click the plus icon to search for more target users and add to the list of users that you want to enable. You can also view the user details by clicking the User Details link for each user.

  4. In the Justification and Effective Date section, specify a justification and effective date for enabling the selected user. Click Submit. A message is displayed stating that the user is successfully enabled.

11.7 Deleting a User

To delete a user:

  1. In the Users section under Administration, search for and select the user you want to delete.

  2. Delete the user in one of the following ways:

    • Click Delete on the toolbar.

    • From the Actions menu, select Delete.

    • Click the user login of the user record that you want to delete. On the User Details page, click Delete User on the toolbar.

  3. Verify that the selected user is displayed in the Target Users section.

  4. If required, in the Target Users section, click the plus icon to search for more target users and add to the list of users that you want to delete. You can also view the user details by clicking the User Details link for each user.

  5. In the Justification field, enter a justification for deleting the user.

  6. In the Effective Date field, specify a date from which the user account must be removed.

  7. Click Submit. A request to delete the user is created, which is subject to approval.

11.8 Locking a User Account

To lock the account of a user:

  1. In the Users section under Administration, search for and select the user you want to lock.

  2. Lock the user in one of the following ways:

    • Click Lock Account on the toolbar.

    • From the Actions menu, select Lock Account.

    • Click the user login of the user record that you want to lock. On the User Details page, click Lock Account on the toolbar.

  3. In the confirmation message that is displayed, click Lock. The account of the selected user is locked.

Note:

Users with special characters in the user login name cannot be locked.

When you try to lock a user account that contains some special characters in the user login name, the following error is displayed:

An unknown exception occurred, please review server logs.The user with the key USER_KEY does not exist.

The following special characters are not allowed in the user login name:

[!@#$%^&*()_-+=[{]}\|;:'",<.>/?
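The failure described in this note surfaces only as the generic server exception quoted above, so it is worth checking a login name before attempting a lock, especially in a bulk operation. The following is an added example, not Oracle Identity Manager code. It combines the state preconditions listed under "Operations on Search Results" (Enable only for a disabled user, Disable only for an enabled user, Lock only for an unlocked account, Unlock only for a locked account) with the special-character list from this note. The status values and login names are constructed sample data.

```python
"""Pre-check for the Enable, Disable, Lock Account and Unlock Account actions.

Added illustration, not Oracle Identity Manager code. It encodes two things
the text states: the status each action requires, and the special
characters in a user login name that make the Lock action fail with the
server error quoted in the note. Status strings and logins are constructed.
"""

# Characters listed in the note as not allowed in a login name to be locked.
SPECIAL_CHARACTERS = frozenset(r"""[!@#$%^&*()_-+=[{]}\|;:'",<.>/?""")

# Action -> (which status is checked, value that status must have).
PRECONDITIONS = {
    "Enable": ("user_status", "Disabled"),
    "Disable": ("user_status", "Enabled"),
    "Lock": ("account_status", "Unlocked"),
    "Unlock": ("account_status", "Locked"),
}


def offending_characters(user_login: str) -> list:
    """Characters in the login name that would make a Lock fail, sorted."""
    return sorted({c for c in user_login if c in SPECIAL_CHARACTERS})


def action_allowed(action: str, user_login: str,
                   user_status: str, account_status: str) -> tuple:
    """Return (allowed, reason) for one action on one user record.

    The status check mirrors the single-selection rules; the character
    check applies to Lock only, as the note describes.
    """
    if action not in PRECONDITIONS:
        return False, f"unknown action {action!r}"
    status_name, required = PRECONDITIONS[action]
    current = {"user_status": user_status,
               "account_status": account_status}[status_name]
    if current != required:
        return False, f"{action} requires {status_name} {required!r}, found {current!r}"
    if action == "Lock":
        bad = offending_characters(user_login)
        if bad:
            return False, "login contains special characters: " + "".join(bad)
    return True, ""


if __name__ == "__main__":
    for login in ("jdoe", "john.doe", "j_doe@corp"):
        print(login, action_allowed("Lock", login, "Enabled", "Unlocked"))
```

Note that the listed set includes the period, hyphen and underscore, so common login formats such as first.last trip the check; running the pre-check over a selection before a bulk Lock reports the affected logins up front instead of leaving the operator to interpret the "user with the key USER_KEY does not exist" message.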

11.9 Unlocking a User Account

To unlock the account of a user:

  1. In the Users section under Administration, search for and select the user you want to unlock.

  2. Unlock the user in one of the following ways:

    • Click Unlock Account on the toolbar.

    • From the Actions menu, select Unlock Account.

    • Click the user login of the user record that you want to unlock. On the User Details page, click Unlock Account on the toolbar.

  3. In the confirmation message that is displayed, click Unlock. The account of the selected user is unlocked.