1 Introduction to the Administrative and User Console

Oracle Identity Manager is an advanced, flexible provisioning system for automatically granting and revoking access to enterprise applications and managed systems. You use Oracle Identity Manager to provide access to enterprise resources to staff and partners, and to enforce access policies that are associated with these resources.

Oracle Identity Manager enables you to do the following:

• View your Oracle Identity Manager user account information such as group memberships and e-mail address.

• Modify your profile.

• Review the resources that you have permission to access.

• View requests that you made and requests made for you.

• Make requests for additional resources for yourself.

• Change your password.

• View and modify login challenge questions and answers.

• Set up your user proxy.

• View and manage your pending requests, if you are the authorized approver.

In addition, depending on your permissions in Oracle Identity Manager, you may also be able to do the following:

• Update passwords and user IDs for accounts on resources that you have been allocated (provisioned).

• Create requests for resources for any users you manage.

• Complete draft requests for resources for any users you manage.

• Approve the provisioning of resources for other users.

• Respond to requests for more information.

Oracle Identity Manager provides the Administrative and User Console to create requests for resources and approve the provisioning of resources of the users that you manage. Users can search for, edit, and delete account information in the Oracle Identity Manager database by using the Administrative and User Console.

The rest of this guide describes the actions you can perform in Oracle Identity Manager by using the Administrative and User Console. This chapter discusses the following topics:

• Understanding User Roles and Capabilities

• Overview of the Resource Model

Note:

Not all functions are available to all users. The features you can view and use in Oracle Identity Manager depend on the permissions that you are assigned.

If you are the system administrator for the Oracle Identity Manager system, read Appendix A, "System Configuration Considerations for Administrators" in this guide before running your product in a production environment.

See Also:

• Oracle Identity Manager Administrative and User Console Customization Guide for information about customizing Oracle Identity Manager Administrative and User Console

• Oracle Identity Manager Globalization Guide for information about globalizing Oracle Identity Manager Administrative and User Console

1.1 Understanding User Roles and Capabilities

Table 1-1 lists important user roles associated with Oracle Identity Manager.

Table 1-1 User Roles

Role	Description
Administrator	A person who manages users, organizations, user groups, resources, and policies.
Approver	A person who approves and denies access to resources.
End user	A person who uses self-service features of Oracle Identity Manager and who is not an administrator.

1.2 Overview of the Resource Model

Oracle Identity Manager allows resources to be requested and allocated (provisioned) to enterprise users. The resource can be an application, access to a database, rights to a directory structure on a network, or other entities to which access is vital. The manner in which access to the resource is granted and the permissions given to a user on that resource are governed by provisioning processes that you define. Access to a resource may be provisioned uniformly for all users. Alternatively, access may be provisioned in a unique fashion, based on variables such as the following:

• Your role, for example, "administrator" and "accountant"

• Your location

• Your employment status, for example, "full time" and "consultant"

• Your group or department designation

• Other criteria that are deemed relevant by the resource-specific and Oracle Identity Manager administrators

Once a resource is successfully provisioned to you, you can access that resource without further interaction with Oracle Identity Manager. For example, if you request access to a Microsoft Exchange application and that resource is successfully provisioned to you, then you can log in to that application by using the user ID and password provided by Oracle Identity Manager.

Oracle Identity Manager controls the provisioning of resources by using processes and tasks that comprise them. It also uses a specific kind of process, called an approval process, to govern the approvals that must be obtained before the provisioning of a resource may occur. Oracle Identity Manager has two different types of resource-related processes: approval processes and provisioning processes.

1.2.1 Approval Processes

An approval process determines whether or not a resource is to be approved for provisioning to one or more users or organizations for whom it is requested. Approval processes consist of a series of tasks that require responses from the users responsible for approving the provisioning of the resource. Because these responses are manually provided, these are assigned to an approver or a group of approvers.

Approvers can act upon all tasks in an approval process that are assigned to them. If an approver is assigned to a task in a request, then the approver can view all tasks in the request. If you are an approver for a request, the request ID is displayed when you click Pending Approvals under the To-Do List menu in the Administrative and User Console.

Note:

Approval processes are optional. As an Oracle Identity Manager administrator, you can configure some resources to be provisioned without requiring approval. In this case, access to the resource is granted as soon as the request is submitted.

1.2.2 Provisioning Processes

A provisioning process is the process used to allocate (provision) the resource to one or more users or organizations for whom it is requested. Provisioning processes consist of a series of automated tasks that perform the steps necessary to grant access to a given resource. The provisioning process cannot be initiated until the approval process is complete, except in cases where an approval process has not been defined for the resource. The provisioning process can also use a special form to prompt users for, and capture, data required to grant access to a resource.

Oracle Identity Manager's exception capabilities allow you to handle problems that may occur during the provisioning process. For example, you can add business logic to a provisioning process that prevents the transaction from stopping or failing if a resource is unavailable. Oracle Identity Manager also includes a state engine that allows the system to roll back to the last known consistent state in the event that a provisioning transaction fails. The state engine also rolls back the system to its original state if a provisioning request is rejected.