Oracle® Identity Manager Reference Release 9.1.0.1 Part Number E14066-01
The Oracle Identity Manager client tier consists of two interfaces, the Administrative and User Console and the Design Console. Using the Administrative and User Console, you can create requests for resources and approve the provisioning of resources for the users that you manage. Users can search for, edit, and delete account information in the Oracle Identity Manager database by using the Administrative and User Console.
This chapter contains the following topics:
The left navigation pane of the Administrative and User Console lists the menu items that enable you to perform various administrative tasks, such as managing Oracle Identity Manager accounts and managing resources. The menu items are grouped together according to functionality; for example, the menu items for creating and managing users are grouped under one head. Figure 1-1 shows the Welcome screen of the Administrative and User Console.
Figure 1-1 The Welcome Screen of the Administrative and User Console
This section describes the functionalities offered by the Administrative and User Console that are grouped under the following top-level menu items:
My Account
In the My Account section, you can access and manage your Oracle Identity Manager account by using the following menu items:
Account profile: View and edit your account.
Change Password: Change your password.
Challenge Q&A: Change challenge questions and answers.
My Proxy: Designate a proxy user.
My Resources
In the My Resources section, you can view resources that have been provisioned to you and request access to resources for yourself and others by using the following menu items:
My Resources: View the resources that have been provisioned to you.
My Requests: View all resource requests that are raised for you or are raised by you.
Request New Resources: Make a new request for resources.
Requests
In the Requests section, you can create and track requests for resources that you have requested for users and organizations by using the following menu items:
Resources: Create and manage requests for provisioning resources to yourself, other users, and organizations. Using the Resources menu item, you can make the following types of requests:
Grant Resource: Grant resources to targets.
Disable Resource: Temporarily prevent targets from accessing a resource.
Reenable Resource: Activate targets who have been temporarily suspended from using resources.
Revoke Resource: Remove resources from targets.
Track: View requests for resources based on the privileges that have been assigned to you in Oracle Identity Manager. Additionally, you can edit details or approve tasks within those requests.
To-Do List
A To-Do list is a list of tasks within a process. The processes for approving requests and their associated resources and making them available for provisioning consist of tasks, which can be performed by using the following menu items:
Pending Approvals: View and complete the tasks that are assigned to you and view requests that are assigned to users that you manage. You can also view all the tasks based on your indirect group membership.
Open Tasks: The Open Tasks menu item lists tasks that are defined for a provisioning process. The Open Tasks menu item displays all open provisioning tasks that are assigned to you or a person that you manage. You can also view a list of provisioning tasks assigned to you based on your indirect group membership. Use the Open Tasks menu item to retry a task if it has the Rejected status, reassign a provisioning task to another user, or specify a response for a provisioning task.
Attestation: Attestation is a mechanism by which reviewers are periodically notified of a report they must review. This report outlines the provisioned resources that certain users have. The reviewer can attest to the accuracy of the entitlements with an appropriate response. You can display all open attestation tasks that are assigned to you, and certify, reject, decline, or delegate attestation tasks.
Users
In the Users section, you can create and manage user records, for example, Oracle Identity Manager accounts, that your employees require. You can create and manage user records by using the following menu items:
Create: Create a user account.
Manage: Enable, disable, provision resources to, and unlock user accounts. A user account must be disabled to be eligible for enabling. Only locked accounts can be unlocked. An account becomes locked if a user has exceeded the maximum number of login retry attempts or maximum number of password reset attempts. You can manage a user account by editing a user's Oracle Identity Manager record.
Organizations
In the Organizations section, you can create and manage information pertaining to your organization by using the following menu items:
Create: Create an organization.
Manage: Manage an organization by:
Searching for and Viewing Organizations.
Enabling an Organization.
Disabling an Organization.
Deleting an Organization.
User Groups
You use user groups to create and manage records of collections of users to whom you can assign some common functionality, such as access rights, roles, or permissions. You can modify the permissions associated with these user groups, and you can create additional user groups by using the following menu items:
Create: Create a user group.
Manage: Find user groups, add information to them, and perform other administrative functions for user groups.
Access Policies
In the Access Policies section, you can create and use access policies for users and resources in Oracle Identity Manager. You define an access policy for provisioning resources to user groups and users. You can create and use access policies by using the following menu items:
Create: Create an access policy by using the Create Access Policy wizard.
Manage: Manage access policies by modifying information in existing access policies.
Resource Management
The Resource Management feature lets you manage resource objects for an organization or an individual user by using the following menu items:
Manage: Manage resources, which includes the ability to:
Search for a resource and view its details.
Disable, enable, or revoke a resource from users or organizations.
Manage Resource Administrator and Authorizer groups.
View and define work flows.
View and define resource audit objectives.
Create IT Resource: Create IT resources and set access permissions to user groups on the IT resource.
Manage IT Resource: View, modify, and delete IT resources.
Create Scheduled Task: Create scheduled tasks by specifying the schedule and adding scheduled task attributes.
Manage Scheduled Task: View and modify scheduled tasks.
Deployment Management
The Deployment Manager is a tool used for exporting and importing Oracle Identity Manager configurations. The Deployment Manager enables you to export the objects that constitute your Oracle Identity Manager configuration. You use the Deployment Manager to exchange Oracle Identity Manager items between environments. Usually, you use the Deployment Manager to migrate a configuration from one deployment to another, for example, from a test to a production deployment, or to create a backup of your system. The Deployment Management section provides the following menu items:
Export: You can export objects from your Oracle Identity Manager system and save them in an XML file. The Deployment Manager has an Export Wizard that enables you to build up your export file.
Import: You can import objects that were saved in an XML file into your Oracle Identity Manager system by using the Deployment Manager. You can import all or part of the XML file, and you can import multiple XML files at once.
Install Connector: You can install predefined connectors, and automate copying connector files to the specified installation directory, importing the connector XML files, and compiling adapters.
Reports
Based on whether you access current operational data or historical data, the reports you can generate by using Oracle Identity Manager are divided into Operational Reports and Historical Reports. These reports describe the resources available to users.
Operational Reports
Operational reports can be used by administrators and auditors for operational and compliance purposes. Operational reports are of the following types:
Resource Access List: Queries all existing users provisioned to a resource
Policy List: Displays a list of policies for a specified group
Policy Detail: Displays complete details about specified policies
Oracle Identity Manager Password Expiration: Lists user password expiration settings
User Resource Access: Queries access rights for users that match specified query parameters
Entitlements Summary: Lists the number of users for each status within each resource
Attestation Requests by Process: Lists attestation requests by process
Attestation Request Detail: Returns complete details of a specified attestation request
Resource Password Expiration: Returns a list of users whose resource passwords are about to expire
Group Membership: Lists the number of users in each group
Attestation Process List: Lists all defined attestation processes
Attestation Requests by Reviewer: Lists attestation requests by reviewer
Group Membership Profile: Lists user group memberships
Historical Reports
Administrators and auditors can use historical reports for compliance and forensic auditing purposes. Historical reports are of the following types:
User Membership History: Displays a history of a user's group memberships
User Resource Access History: Lists a user's resource access history over the life cycle of the account
Group Membership History: Displays a history of a group's memberships
User Profile History: Lists a user's profile history over the life cycle of the account
Resource Access List History: Queries all users provisioned to a resource over its life cycle
See Also:
The "Oracle Identity Manager Reporting" chapter in Audit Report Developer's Guide for the entire list of operational and historical reports
Generic Technology Connector
Using this menu item, you can create and manage generic technology connectors.
Attestation
In this section, you can create, manage, and view attestation tasks by using the following menu items:
Create: Create a new attestation process.
Manage: Manage attestation processes by:
Editing an attestation process
Disabling an attestation process
Enabling an attestation process
Deleting an attestation process
Running an attestation process
Managing attestation process administrators
Viewing attestation process execution history
Dashboard: View the state of any attestation processes that are owned by any group of which you are a member. To use the Attestation Dashboard, expand the Attestation link and click Attestation Dashboard. The Attestation Dashboard page is displayed with a table listing the state of any attestation processes that are owned by any group of which you are a member.
This section describes the settings in the Administrative and User Console for configuring functions such as user registration and account creation. Review this section prior to deploying the Oracle Identity Manager Administrative and User Console to ensure that you have configured the product to function as intended.
This section discusses the following topics:
To customize the Oracle Identity Manager Administrative and User Console user interface, see Oracle Identity Manager Administrative and User Console Customization Guide.
Table 1-1 describes the settings for user registration operations.
Table 1-1 User Registration Operation Settings
Function | Description |
---|---|
To allow users to self-register in Oracle Identity Manager | Set the Is Self-Registration Allowed property in the System Configuration form to true. The System Configuration form is available in the Oracle Identity Manager Design Console. |
To require users to select their verification questions and provide answers to these questions when registering | Set the Does user have to provide challenge information during registration property in the System Configuration form to true. The System Configuration form is available in the Oracle Identity Manager Design Console. |
To designate the number of verification questions that the user must answer | Set the Number of Questions property in the System Configuration form to the number of questions that you want users to answer. Ensure that the number of questions you supply in the Lookup.WebClient.Questions lookup definition is equal to or greater than the value of the Number of Questions property. You might need to create additional questions. The System Configuration form is available in the Oracle Identity Manager Design Console. |
To designate the list of questions that users select from when setting their verification questions and answers | Define a row on the Lookup.WebClient.Questions lookup definition for each question in the Lookup Definition form. The Lookup Definition form is available in the Oracle Identity Manager Design Console. |
To require an approval for self-registration | Define an approval task in the User Registration approval process. |
To configure different workflow approvals for self-registration depending on user profile information | Define additional approval processes for the Request resource definition and create a rule of type process determination with a rule element that at least requires that the request object action is Create Entity. Associate the new rule with the approval process on the Request resource definition to enable Oracle Identity Manager to determine which process to select. |
To automatically add a user to groups based on self-registration | Define rules of type general and attach them to the user group definitions to which you want users to be added on registration. This enables Oracle Identity Manager to determine which groups to add users to based on the criteria they enter on registration. The criteria in the rules must match the user-entered criteria. |
Table 1-2 describes the settings for configuring access privileges.
Table 1-2 Access Privileges Settings
Function | Description |
---|---|
To designate the pages to which all users are to be allowed access | Specify these pages on the Menu Items tab of the All Users user group. |
To designate the pages to which various administrative groups are to be allowed access | Specify these pages on the Menu Items tab of the applicable administrative user groups, for example, System Administrator, AdminGroup1, and so on. |
Table 1-3 describes the settings for configuring account creation operations for administrators.
Table 1-3 Account Creation Operation Settings
Function | Description |
---|---|
To allow administrators to create an Oracle Identity Manager account for other users | Ensure that the groups that these administrators belong to are added to the Administrators tab of the organizations that contain the users they are to administer. |
To configure fields for administrators to supply data when creating the user account | Create these fields in the |
To specify fields that are required when creating a user account | Modify these fields in the |
To specify the groups of which a user is automatically made a member | Define rules of type general and attach them to the user group definitions to which you want users automatically added upon registration. This enables Oracle Identity Manager to determine which groups to add users to based on the criteria entered when their account was created. The criteria in the rules must match the entered criteria. |
To designate the groups to which administrators can add users whom they administer | Ensure that the groups of which these administrators are members are added to the Administrators tab of the group definitions to which you wish to allow them to add users. |
Table 1-4 describes the settings for configuring profile editing operations for users.
Table 1-4 Profile Editing Operation Settings
Function | Description |
---|---|
To specify that an approval is required for self-initiated Oracle Identity Manager profile updates | Define an approval task in the User Profile Edit approval process |
To configure different workflow approvals for self-initiated profile updates | Define additional approval processes for the Request resource definition and create a rule of type process determination with a rule element that at least requires the request object action to be Modify Entity. Associate the rule with the approval process on the Request resource definition to enable Oracle Identity Manager to determine which process to select. |
To control which fields users can edit in their own profiles | Configure the fields in the |
Table 1-5 describes the settings for configuring account modification operations for administrators.
Table 1-5 Account Modification Operation Settings
Function | Description |
---|---|
To control which users can edit the profiles of other users | You must designate the forms to which members of the various administrative groups are to have access. You must also add these groups to the Administrators tab of the Organizations that contain the users they are to administer. |
To control which Oracle Identity Manager system fields (for example user ID, first name, and so on) administrators can edit | You must designate which fields you want to allow administrators to edit for other users. The fields you want to make editable must be specified in the |
To control which user-defined fields (for example Social Security number, local identity, and so on) administrators can edit | You must designate which fields you want to allow administrators to edit for other users. Depending on the pages in the Administrative and User Console on which these fields are displayed, you might need to edit the |