10 User Groups

The User Groups option is used to create and manage records of collections of users to whom you may assign some common functionality, such as access rights, roles, or permissions. These collections of users are known as user groups.

User Groups can be organizational-independent (spanning across multiple organizations) or contain users who belong to a single organization.

A group serves as a central mechanism by which to accomplish any of the following for multiple users:

• Designate the menu items that the users can access through the Oracle Identity Manager Administrative and User Console.

• Assign users or sub-groups to the User Groups

• Designate the statuses to which the user can set process tasks.

• Make modifications and request permissions for data objects.

• Designate group administrators (for example, enable members of another user group to assign or remove members to or from the current user group and modify other characteristics of the group).

• Designate provisioning policies for a user group. These policies are used to determine whether a resource object is to automatically be provisioned to or requested for a member of the user group.

• Assign/remove membership rules to/from the user group. These rules will determine which Oracle Identity Manager users can be assigned automatically to the user group.

Oracle Identity Manager provides three default user group definitions:

• System Administrators

• Operators

• All Users

You may modify the permissions associated with these user groups. In addition, you can create additional user groups, as needed.

Members of the System Administrators user group have full permissions to create, edit, and delete records within Oracle Identity Manager (except for system records). Also, these users can control the permissions of other users, change the status of process tasks (even when the task is not assigned to them), and generally administer the system from the highest level.

Members of the Operators user group have access to the Organizations, Users, and Task List forms. These users can perform limited functionality within these forms

Members of the All Users user group have minimal permissions, which include, but are not limited to, the ability to access one's own user record. By default, each user automatically belongs to the All Users user group.

This chapter includes the following sections:

• Creating Groups

• Managing Groups

Note: A user cannot be removed from the All Users group. Important: There is a fourth user group definition, SELF OPERATORS, which is added to Oracle Identity Manager, by default. This user group contains one user, XELSELFREG, who is responsible for modifying the privileges that users have when performing self-registration actions within the Oracle Identity Manager Administrative and User Console. Oracle Identity Manager strongly recommends that you do not modify the permissions associated with the SELF OPERATORS user group. In addition, you should not assign any users to this group.

Creating Groups

To create a User Group:

1. Click User Groups in the Explorer Menu, the click Create.

2. The Create User Group page appears. Enter information in the required fields indicated by an asterisk (*).

3. Enter the name of the user group to be created in the Name field.

4. Click Create. Otherwise, click Cancel.

5. The Group Detail page appears.

   
   

   Note: Since you have just created a new User Group, the Group Detail page will not show any additional information for this group. However, you can begin adding (or Assigning) more information by using the additional detail drop-down menu. Refer to the Manage section for detailed instructions on using the additional detail drop-down menu items.

   
   

6. Click Edit to modify the Group Name. Otherwise, click Delete to delete the user group.

Managing Groups

Use the Manage option to administrate existing User Groups. This option enables you to do the following:

• Searching for User Groups

• Deleting User Groups

• Viewing and Administering a User Group

Searching for User Groups

1. Click User Group in the Explorer Menu. Then click Manage. The Manage Group page appears.

2. Use the drop-down menu to select the Group Name search criteria (the name of the User Group) for querying on the User Group. Then enter the appropriate value that corresponds with the search criteria. Otherwise, use the asterisk (*) wildcard to query for all the user groups. The search Results table appears. This page enables you to delete User Groups.

Deleting User Groups

1. Search for a group as described in Searching for User Groups.

2. Select the Delete check box next to the group you want to delete, then click Delete. The Confirmation page appears.

3. Click Confirm Delete to complete deleting this user group. Otherwise, click Cancel.

Viewing and Administering a User Group

After selecting the user group you like to view, you can view the details of that particular user group by using the additional details drop-down menu. Each of these menu items also provides the ability to modify the user group. This menu contains the following search criteria:

• Member and Sub-Groups

• Menu Items

• Administrative Groups

• Access Policies

• Membership Rules

• Permissions

• Allowed Reports

Member and Sub-Groups

The Member and Sub-Group search criteria display all members and sub-group(s) associated with this User Group. The Member and Sub-Group option also enables you to assign a new member (user) or sub-group.

1. Search for a group as described in Searching for User Groups, and then click the name of a group in the Results table. The Group Detail page appears.

2. From the additional details box, select Members and Sub-Groups. The Group Detail >>Members and Sub-Groups page appears.

   
   

   Note: Since the Assign Users and Assign Sub-groups options are similar in functionality, the Assign Users is used as an example in this section.

   
   

3. Click Assign Users. The Group Detail >> Members and Sub-Groups >> Search Member Users page appears

4. Click Search Users to display a list of user names. Otherwise, click Clear. The Results table appears.

5. To increase or decrease the priority of a member, click the radio button associated with the member in the Increase/Decrease Priority column of the Results table, and then click Increase or Decrease.

6. To remove a member, click the member's radio button in the Remove column of the Results table, and then click Remove Member.

7. Select the desired User ID(s) checkbox, then click Assign. The Confirmation page appears with the User ID names that you have just selected.

8. If these are the correct user names you want to assign to this user group, then click Confirm Assigns. Otherwise, click Cancel.

Menu Items

The Menu Items search criteria displays all menu items that are permitted for this user group. The Menu Items option enables you to assign a new menu item for the user group.

1. Search for a group as described in Searching for User Groups, and then click the name of a group in the Results table. The Group Detail page appears.

2. From the additional details box, select Menu Items. The Group Detail >>Menu Items page appears

3. Click Assign Menu Items. The Group Detail >> Menu Items >> Assign Menu Items page appears.

4. Select the desired menu item name checkbox(es), then click Assign. The Confirmation page appears.

5. If these are the correct menu item names you want to assign to this user group, then click Confirm Assign. Otherwise, click Cancel. The Result table is displayed with the menu items permitted for this user group. This page also enables you to delete the menu items you wish not to permit.

6. To delete a menu item, select the menu item name(s) checkbox, then click Delete. The menu item is no longer associated with this user group.

Administrative Groups

The Administrative Groups search criteria displays all administrative groups associated with this user group. The Administrative Groups option enables you to assign a new administrative group for the user group. From the additional detail drop-down menu, select Administrative Groups. The Group Detail >> Administrative Groups page appears. This page displays the existing administrative group associated with this user group along with their permission to write and delete accesses. This page also enables you to:

• Assign an administrative group

• Create a new administrative group

• Update the permissions for the administrative group

Assigning an Administrative Group

1. Search for a group as described in Searching for User Groups, and then click the name of a group in the Results table. The Group Detail page appears.

2. From the additional details box, select Administrative Groups. The Group Detail >> Administrative Groups page appears.

3. Click Assign Administrative Groups. The Group Detail >> Administrative Groups >> Assign Administrative Groups page appears.

4. This page displays all administrative groups available to be associated with this user group. Select the desired administrative group name(s) checkbox and respective permission settings for write and delete accesses. Then click Assign. The Confirmation page appears.

5. If this is the correct administrative group name(s) you want to assign to this user group, then click Confirm Assign. Otherwise, click Cancel. The Result table is displayed with the administrative group that can administrate this user group. This page also enables you to delete an administrative group from this user group.

Creating a New Administrative Group

1. Search for a group as described in Searching for User Groups, and then click the name of a group in the Results table. The Group Detail page appears.

2. From the additional details box, select Administrative Groups. The Group Detail >> Administrative Groups page appears.

3. You can create a new administrative group for this user group by clicking Create New Group. The Assign Administrators – Step 1: Assign Administrators page appears.

4. Select the desired user name(s) checkbox you wish to be in this new administrative group. Click Add. The User Login names appear in the Selected list. Click Continue. Otherwise click Back or Exit to end the wizard. The Assign Administrators – Step 2: Specify Alias page appears.

5. Enter an alias name for the new administrative group. Click Continue. Otherwise, click Back to go to the previous page or Exit to end the wizard. The Assign Administrators – Step 3: Specify Permissions page appears.

6. By default the Read permission checkbox is activated. If desired, activate the Write or Delete permission. Then click Continue. The Assign Administrators – Step 4: Verify Delegation Information page appears.

   This page displays the Alias name of the administrative group, the users who belong to this administrative group, and the permissions for the group.

7. To make modifications for this administrative group, use the Change link. Clicking on the Change link brings you back to the appropriate wizard page where you can make modifications. Otherwise, click Continue. The Group Detail >> Administrative Groups page appears.

Updating Group Permissions

1. Search for a group as described in Searching for User Groups, and then click the name of a group in the Results table. The Group Detail page appears.

2. From the additional details box, select Administrative Groups. The Group Detail >> Administrative Groups page appears.

3. To update the permission for the administrative groups associate with this user group, click Update Permission. The Group Detail >> Administrative Groups >> Update Permissions page appears

   This page displays the administrative group names and permissions for write and delete accesses.

4. To change the permission setting for an administrative group, click the desired checkboxes for Write Access and Delete Access. Click Update to make the modifications. Otherwise, click Cancel. The Confirmation page appears.

5. This page displays the administrative group names that you have updated. If these are the correct names, then click Confirm Update. Otherwise, click Cancel. The Group Details >> Administrative Groups page appears.

   The updated administrative group(s) is displayed with their modified Write or Delete access permissions.

6. You can delete an administrative group by selecting the desired group name checkbox(es) then click Delete.

Access Policies

The Access Policies search criteria displays all available access policies for this user group. The Access Policies option enables you to assign a new access policy for the user group.

1. Search for a group as described in Searching for User Groups, and then click the name of a group in the Results table. The Group Detail page appears.

2. From the additional details box, select Access Policies. The Group Detail >> Access Policies page appears.

3. To assign a new access policy, click Assign. The Group Detail >> Access Policies >> Assign Access Policies page appears.

   This page displays the policy name and brief description of the policy.

4. Select the desired access policy(s) checkbox for this user group, then click Confirm Assign. Otherwise, click Cancel. The Confirmation page appears.

5. If this is the correct access policy you want to assign for this user group, then click Confirm Assign. Otherwise, click Cancel. The Group Detail >> Access Policies page appears.

6. To delete this access policy, select the desired policy name(s) checkbox and click Delete.

Membership Rules

The Membership Rules search criteria displays all available membership rules for this user group. The Membership Rules option enables you to assign a new membership rule for the user group.

1. Search for a group as described in Searching for User Groups, and then click the name of a group in the Results table. The Group Detail page appears.

2. From the additional details box, select Membership Rules. The Group Detail >> Membership Rules page appears.

3. To assign a new membership rule, click Assign Rules. The Group Detail >> Membership Rules >> Assign Membership Rules page appears. This page displays the name of the membership rule.

4. Select the desired membership rule(s) checkbox for this user group, then click Confirm Assign. Otherwise, click Cancel. The Confirmation page appears.

5. If this is the correct membership rule you want to assign for this user group, then click Confirm Assign. Otherwise, click Cancel. The Group Detail >> Membership Rules page appears.

6. To delete this membership rule, select the desired membership rule checkbox(es) and click Delete.

Permissions

The Permissions search criteria displays all available permissions for this user group. The Permissions option enables you to assign or update new permissions for the user group.

1. Search for a group as described in Searching for User Groups, and then click the name of a group in the Results table. The Group Detail page appears.

2. From the additional details box, select Permissions. The Group Detail >> Permissions page appears.

3. To assign a new permission, click Assign. The Group Detail >> Permissions >> Assign Permissions page appears. This page displays the name of the permission and activated permission settings (Insert, Write and Delete Access).

4. Select the desired permission name(s) checkbox and respective permission settings, then click Assign. Otherwise, click Cancel. The Confirmation page appears.

5. lf this is the correct permission you want to assign for this user group, then click Confirm Assign. Otherwise, click Cancel. The Group Detail >> Permissions page appears.

6. To delete a permission name, select the desired permission name(s) checkbox and click Delete

7. To update the permissions, click Update Permissions. The Group Detail >> Permissions >>Update Permissions page appears.

8. Select or de-select the desired permissions (Allow Insert, Allow Update, Allow Delete), then click Update. Otherwise, click Cancel. The Confirmation page appears.

9. This page displays all the updated permissions. If this is correct, then click Confirm Update. Otherwise click Cancel. The Group Detail >> Permissions page appears.

10. The Group Detail >> Permissions page displays the fine-grained permission information for this user group. It also enables you to delete any permissions. To delete a permission, select the desired permission name(s) checkbox and click Delete.

Allowed Reports

The Allowed Reports search criteria lists the reports that group members are allowed to run.

1. Search for a group as described in Searching for User Groups, and then click the name of a group in the Results table. The Group Detail page appears.

2. From the additional details box, select Allowed Reports. The Group Detail >> Reports page appears.

3. To provide access to new reports for users, click Assign Reports. The Group Detail >> Reports >> Assign Reports page appears. This page displays available report names and types.

4. Select the desired report checkbox, and then click Assign. Otherwise, click Cancel. The Confirmation page appears.

5. lf this is the correct report you want to assign for this user group, then click Confirm Assign. Otherwise, click Cancel. The Group Detail >> Reports page appears.

6. To delete a report, select the desired report name checkbox and click Delete.