Oracle® Identity Manager Administrative and User Console Guide
Release 9.1.0

Part Number E10360-03

8 Creating and Managing Users

Any identity that exists within Oracle Identity Manager and is managed within Oracle Identity Manager is called an OIM User. An OIM User can be created in the following ways:

An OIM User may or may not have an OIM Account. In Oracle Identity Manager release 9.1.0, every OIM User has an OIM Account.

An OIM Account is granted to an OIM User to give the OIM User the ability to log in to Oracle Identity Manager to access Oracle Identity Manager features. At the minimum, these features involve self-service and request. An OIM Account can be granted additional permissions including delegated administration of various entities, such as users, organizations, and roles, and the ability to define workflows. As an administrator, even if you allow users to self-register, you may still want to provide other administrators with the ability to create accounts on behalf of other users. Not all users will be able to create accounts for other users.

This chapter discusses the following topics:

Creating Users

To create an OIM User:

  1. In the left navigation pane of the Administrative and User Console, click Users, and then click Create.

  2. On the Create User page, enter the data required for user registration.

    Table 8-1 describes the GUI elements on the Create User page.

    Table 8-1 GUI Elements on the Create User Page

    Label on the Create User Page | Action or Description

    User ID field

    Enter a user ID for the user account.

    An exception is thrown if you attempt to reuse an existing user ID after setting the User ID Reuse property to true in the Design Console. To resolve this issue, delete the unique index for the USR_LOGIN column in the USR table and create a non-unique index. See Oracle Identity Manager Design Console Guide for more information about the User ID Reuse property.

    First Name field

    Enter the first name of the user.

    Middle Name field

    Enter the middle name of the user.

    Last Name field

    Enter the last name of the user.

    Status field

    During user account creation, this display-only check box is grayed out (disabled).

    On the User Detail page, which is displayed after you click Create User, this check box shows the current status of the user account. The status value can be one of the following:

    • Active

    • Disabled

    • Disabled Until Start Date

    • Deleted

    Organization lookup field

    Select the organization in which you want to create the user account.

    User Type list

    Select one of the following user types:

    • End-User

    • End-User Administrator

    Employee Type list

    Select one of the following employee types:

    • Full-Time Employee

    • Part-Time Employee

    • Temp

    • Intern

    • Consultant

    Manager ID field

    Enter the user ID of the user's manager.

    Email field

    Enter an e-mail address for the user.

    User Disabled check box

    During user account creation, this display-only check box is grayed out (disabled).

    If the user is in the Disabled or Disabled Until Start Date state during or at any time after account creation, then this check box is selected on the User Detail page displayed after you click Create User. A user account is in the Disabled Until Start Date state if you enter a future date value in the Start Date field during user account creation.

    Password field

    Enter a password for the user.

    Confirm Password field

    Reenter the password.

    User Locked check box

    During user account creation, this display-only check box is grayed out (disabled). At any time after account creation, if the user is in the Locked state, then this check box is selected on the User Detail page that is displayed during a Manage User operation.

    The user account is locked after a specified number of unsuccessful login attempts. If this happens, then the user can answer the challenge questions and unlock the account. If the user is not able to correctly answer the challenge questions, then only an administrator can unlock the user account.

    Start Date date editor

    Enter a start date for the user account.

    If you enter a future date, then the user account is disabled until the start date. If you do not enter a start date, then the user is active immediately after account creation and the Start Date value is set to the current date.

    End Date date editor

    Enter an end date if you want the user account to be deleted (that is, moved to the Deleted state) and all the resources provisioned to be revoked on a particular date.

    Provisioning Date date editor

    Enter the date from which resources can be provisioned to the user.

    Provisioning requests for the user can be initiated before the specified provisioning date. However, the actual provisioning of those resources to the user will not occur until after the specified provisioning date.

    If you do not specify a provisioning date, then resources can be provisioned to the user immediately after the account is created.

    Provisioned Date field

    This display-only field shows the date on which provisioning was enabled for the user.

    Deprovisioning Date date editor

    Enter the date on which you want to deprovision (that is, revoke) all resources provisioned to the user.

    After this date, resources cannot be provisioned to the user.

    Deprovisioned Date field

    This display-only field shows the date on which provisioning was disabled for the user.

    Change Password at next logon check box

    Select this check box if you want the user to change the user's password at first logon.

    If you select the Change password at next logon check box, then the Change Password page is displayed for the user when the user logs in after the option is set.

    When a user is created in Oracle Identity Manager, the user is forced to change the password when logging in for the first time. This is done by setting the value of the Force Password Change At First Login property, which has the XL.ForcePasswordChangeAtFirstLogin keyword, to True by using the System Configuration form of the Design Console. Note that the user is forced to change the password at first logon only when the user is created with the XL.ForcePasswordChangeAtFirstLogin keyword already set to True.

    See Also: The "Password Policies Form" section in Oracle Identity Manager Design Console Guide for information about creating a password policy

    Whenever you change the value of the Force Password Change At First Login property, you must restart the server or purge the cache for the change to take effect. For this, the cache category is ServerCachedProperties.

    Note:

    • The default value of the Force Password Change At First Login property is True. To disable the property, set the value to False.

    • See Oracle Identity Manager Best Practices Guide for information about running the PurgeCache utility.


  3. Click Create User.

    Oracle Identity Manager creates the user account and displays the User Details page with the user's account information.

    If you select any of the options in the Additional Details region, then you will see limited information because you have just created the user.

On the User Detail page, you can select the following:

Editing User Profiles

To edit a user profile:

  1. On the left navigation pane, click Users, and then click Manage.

  2. On the Manage User page, select one or more attributes from the menus, and then enter search criteria, including an asterisk (*) if you need a wildcard, in the field next to the menu.

    To use the Employee Type and Status search criteria, select values from the corresponding fields.

  3. Click Search User.

  4. From the list of users that is displayed, click the field for the user whose information you want to edit.

    The User Detail page is displayed. See Table 8-1 for information about the GUI elements displayed on this page.

  5. Click Edit.

  6. Edit the user's data, and then click Save.

Disabling Users

By disabling a user, you can ensure that nothing will be provisioned to the user. Depending on your role or status, the Edit User page allows the Disable button to toggle between Disable and Enable.

To disable a user profile:

  1. In the left navigation pane, click Users, and then click Manage.

  2. On the Manage User page, select one or more attributes from the menus, and enter search criteria, including an asterisk (*) if you need a wildcard, in the field next to the menu.

    To use the Employee Type and Status search criteria, select values from the corresponding fields.

  3. Click Search User.

  4. From the list of users that is displayed, select the check box for the user whose profile you want to disable, and then click Disable.

Changing User Passwords

To change a user's password:

  1. Click Change Password.

    The Change Password page is displayed.

  2. Enter a new password and confirm.

  3. Click Save Password.

Managing Users

You can modify, disable, delete, and unlock user accounts. You can also change the passwords of user accounts.

Note:

Only locked accounts can be unlocked. An account becomes locked if a user has exceeded the maximum number of login retry attempts.

The following procedure describes how to manage a user account:

  1. In the left navigation pane, click Users, then click Manage.

    The Manage User page is displayed.

  2. Enter information related to the user in the fields.

    Use one or more menus to select search attributes. After making a selection, enter text to be matched in the next field or use a wildcard asterisk (*). The more information you provide, the more precise the retrieved list of user records will be. To use the Employee Type and Status search criteria, select values from the corresponding boxes.

    Note:

    If you specify a search criterion, leave the value field blank, and click Search User, then the results displayed include NULL values from the user table. This is because the search criterion field is not included in the query criteria at all.

    However, if you specify a search criterion, enter the asterisk (*) in the value field, and click Search User, then the results displayed include only non-NULL values of the field specified as the search criterion.

  3. Click Search User.

    Oracle Identity Manager displays the list of users who match the criteria you entered.

  4. To disable, enable, unlock or delete an account, select the appropriate check box and button.

    For example, to disable user accounts, select the Disable check box in the applicable rows and click Disable.

  5. To edit a user's account, click the user ID for that account.

    Oracle Identity Manager displays the user's profile.

  6. To edit, disable, enable, unlock, delete, or change the password of an account, click the appropriate button.

    Use the menu to view additional details about the user.

    • Click Resource Profile to view resources that are provisioned for the user.

      You can also provision resources in this page by clicking Provision New Resource.

    • Click Group Membership to view the Group Membership page, which lists any group membership that the user is associated with.

      You can also use the Group Membership page to assign users to groups.

    • Click Proxy Details to view the Proxy Details page, which lists any proxy user that the user is associated with.

      You can also use the Proxy Details page to assign a proxy.
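
The search behavior described in the note under step 2 of the Managing Users procedure, reproduced as an added example (not part of the Oracle guide or Oracle code): a blank value drops the criterion, while an asterisk matches only rows where the field is non-NULL, so a wildcard search used for an account review can silently omit accounts with an empty attribute. The `usr_demo` table, its columns, the sample rows, and the translation of `*` to SQL `LIKE '%'` are assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows: (user ID, e-mail). None models a NULL column value.
SAMPLE_USERS = [
    ("JDOE", "jdoe@example.com"),
    ("ASMITH", None),
    ("SVC_BATCH", None),
    ("MLEE", "mlee@example.com"),
]


def build_db():
    """Create an in-memory stand-in for the user table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usr_demo (usr_login TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO usr_demo VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search(conn, email_value):
    """Model a Manage User search with Email selected as the criterion."""
    sql = "SELECT usr_login FROM usr_demo"
    params = []
    if email_value:
        # Assumption: the console's '*' wildcard maps to SQL LIKE '%'.
        # NULL LIKE '%' evaluates to NULL, not true, so NULL rows are dropped.
        sql += " WHERE email LIKE ?"
        params.append(email_value.replace("*", "%"))
    # A blank value adds no WHERE clause, so NULL rows are returned too.
    sql += " ORDER BY usr_login"
    return [row[0] for row in conn.execute(sql, params)]


def omitted_by_wildcard(conn):
    """Accounts a '*' search hides compared with a blank-value search."""
    return sorted(set(search(conn, "")) - set(search(conn, "*")))


if __name__ == "__main__":
    db = build_db()
    print("blank value :", search(db, ""))
    print("asterisk    :", search(db, "*"))
    print("omitted     :", omitted_by_wildcard(db))
```

When reviewing accounts by attribute, compare the wildcard result against a blank-value search so that users with an empty field are not missed.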