Creating Users and Working with User Accounts

From the Accounts/User List page in the Administrator interface, you can perform a range of actions on the following system objects:

• Administrators & Users. View, create, edit, move, rename, deprovision, enable, disable, update, unlock, delete, unassign, unlink, and audit.

  For more information about creating and editing administrator accounts, see Understanding Waveset Administration.

• Organizations. Create, edit, refresh, and perform user actions on members of the organization.

  For more information on organizations, see Understanding Waveset Organizations.

• Directory Junctions. Create a hierarchically related set of organizations to mirror a directory resource's actual set of hierarchical containers.

  For more information about directory junctions, see Understanding Directory Junctions and Virtual Organizations.

Enabling Process Diagrams for Use in Waveset

Process diagrams depict the workflow that Waveset follows when it creates or otherwise acts on a user account. When enabled, process diagrams display on the results page or task summary page that is created when Waveset completes the task.

In Waveset version 8.0, process diagrams were disabled for both new and upgrade installations.

Use the following steps to enable process diagrams for use in Waveset.

1. Open the system configuration object for editing by following the procedure on Editing Waveset Configuration Objects.

2. Locate the following XML element.

   <Attribute name=’disableProcessDiagrams’> <Boolean>true</Boolean> </Attribute>

3. Change the true value to false.

4. Click Save.

5. Restart your server (or servers) in order for the change to take effect.

   Process diagrams can also be enabled in the end-user interface, but only if they are first enabled in the Administrator interface using the steps described above. For details, see To Enable Process Diagrams in the End-User Interface.

Creating a User in Waveset

You can create and manage users from the Accounts tab on the Administrator interface menu bar.

1. In the Administrator interface, click Accounts.

2. To create a user in a specific organization, select the organization, then select New User from the New Actions list.

   Otherwise, to create a user account in the Top organization, select New User from the New Actions list.

3. Complete the information in the following tabs or sections.

   • Identity. Name, organization, password, and other details. (See Identity Tab.)

   • Resources. Individual resource and resource group assignments, as well as resource exclusions. (See Resources Tab.)

   • Roles. Role assignments. For information on roles, see Understanding and Managing Roles. See To Assign Roles to a User for instructions on completing the Roles tab.

   • Security. Admin roles, controlled organizations and capabilities. Also, user form settings and account policy. (See Security Tab.)

   • Delegations. Work item delegations. (See Delegations Tab.)

   • Attributes. Specific attributes for assigned resources. (See Attributes Tab.)

   • Compliance. Select attestation and remediation forms for the user account. The compliance area also lets you specify the assigned audit policies for the user account, including those in effect through the user’s organization assignment. Indicates the current status of policy scans, violations, and exemptions, and includes information about the user’s last audit policy scan. (See Attributes Tab.)

     Note that selections available in one area may depend on selections you make in another.

   To better reflect your business processes or specific administrator capabilities, you should customize the user form specifically for your environment. For more information about customizing the user form, see Customizing Forms in Oracle Waveset 8.1.1 Deployment Reference.

4. When you are finished, Save the account.

   You have two options for saving a user account:

   • Save. Saves the user account. If you assign a large number of resources to the account, this process could take some time.

   • Background Save. This process saves a user account as a background task, which allows you to continue working in Waveset. A task status indicator displays on the Accounts page, the Find User Results page, and the Home page, for each save in progress.

     Status indicators, as described in the following table, help you monitor the progress of the save process.

   Status Indicator	Status
   	The save process is in progress.
   	The save process is suspended. Often, this means that the process is waiting for approval.
   	The process completed successfully. This does not mean that the user was successfully saved; rather that the process completed with no errors.
   	The process has not yet started.
   	The process completed with one or more errors.

   By moving your mouse over the user icon that displays within the status indicator, you can see details about the background save process.

   ---

   Note –

   If sunrise is configured, creating a user creates a work item that can be viewed from the Approvals tab. Approving this item overrides the sunrise date and creates the account. Rejecting the item cancels account creation. For more information about configuring sunrise, see Configuring the Sunrise and Sunset Tab.

   ---

Creating Multiple Resource Accounts for a User

Waveset provides the ability to assign multiple resource accounts to a single user. It does this by allowing multiple resource account types or types of accounts to be defined for each resource. Resource account types should be created as needed to match each functional account type on the resource. For example, AIX SuperUser or AIX BusinessAdmin.

Why Assign Multiple Accounts per User per Resource?

In some situations, an Waveset user may require more than one account on a resource. A user can have several different job functions related to the resource. For example, the user can be both a user and administrator of the resource. Best practice suggests using separate accounts for each function. That way, if one account is compromised, the access granted by the other accounts is still secure.

Configuring Types of Accounts

For a resource to support multiple accounts for a single user, the resource account types must first be defined in Waveset. To define resource account types for a resource, use the Resource Wizard. For information, see Managing the Resources List.

You must enable and configure resource account types before assigning them to users.

Assigning Types of Accounts

Once you have defined account types, you can assign them to a resource. Waveset treats each assignment of an account type as a separate account. As a result, each distinct assignment in a role can have different attributes set.

Similar to the single account per resource case, all assignments of a specific type create only one account, regardless of the number of assignments.

Although you can assign users to any number of different types of accounts on a resource, each user can be assigned one account of a given type on a resource. The exception to this rule is the built-in “default” type. Users can have any number of accounts of default type on a resource. It is not recommended that you do this however, as this leads to ambiguity when referencing accounts in forms and views.

Finding and Viewing User Accounts

The Waveset find feature lets you search for user accounts. After you enter and select search parameters, Waveset finds all accounts that match your selections.

To search for accounts, select Accounts -> Find Users from the menu bar. You can search for accounts by using one or more of these search types:

• Account detail (such as user name, email address, or last name, or first name). These choices depend on your institution’s specific Waveset implementation.

• User’s manager. The manager’s user name appears in parentheses if the user name does not match an existing account in Waveset.

• Resource account status. Options include:

  • Disabled. User cannot access any Waveset or assigned resource accounts.

  • Partially Disabled. User cannot access one or more assigned resource accounts.

  • Enabled. User has access to all assigned resource accounts.

• Assigned resource. Options include:

  • Role (see To Find Users Assigned to a Specific Role)

  • Organization

  • Organizational control

  • Capabilities

  • Admin role

• User account status. Options include:

  • Locked. User account is locked because the maximum number of failed password or question login attempts exceeds the maximum allowed.

  • Not Locked. User account access is not restricted.

• Update status. Use this query to search for users for whom all updates have or have not succeeded. Options include:

  • no. User accounts that have not been updated on any resource.

  • some. User accounts that require an update (identified by an exclamation point symbol).

  • all. User accounts that have been updated on all assigned resources (no updates are required).

The search results list shows all accounts that match your search.

From the results page, you can:

• Select user accounts to edit. To edit an account, click it in the search results list; or select it in the list, and then click Edit.

• Perform actions (such as enable, disable, unlock, delete, update, or change/reset passwords) on one or more accounts. To perform an action, select one or more accounts in the search results list, and then click the appropriate action.

• Create user accounts.

  

Editing Users

The information in this section covers viewing, editing, reassigning, and renaming user accounts.

To View User Accounts

Use the View User page and perform the following steps to view account information.

1. In the Administrator interface, click Accounts in the menu.

   The User List page opens.

2. Select the box next to the user whose account you want to view.

3. In the User Actions drop-down menu, select View.

   The View User page displays a subset of the user’s identity, assignments, security, delegations, attributes, and compliance information. The information on the View User page is view-only and cannot be edited.

4. Click Cancel to return to the Accounts list.

To Edit User Accounts

Use the Edit User page and perform the following steps to edit account information.

1. In the Administrator interface, click Accounts in the menu.

2. Select the box next to the user whose account you want to edit.

3. In the User Actions drop-down menu, select Edit.

4. Make and save your changes.

   Waveset displays the Update Resource Accounts page. This page shows resource accounts assigned to the user and the changes that will apply to the account.

5. Select Update All resource accounts to apply changes to all assigned resources, or individually select none, one, or more resource accounts associated with the user to update.

6. Click Save again to complete the edit, or click Return to Edit to make further changes.

   Figure 3–2 Edit User (Update Resource Accounts)

   
   

Reassigning Users to Another Organization

The move action allows you to remove one or more users from one organization and reassign, or move, the users to a new organization. Use the following steps to move a user:

1. In the Administrator interface, click Accounts in the menu.

   The User List page opens.

2. Select the box next to the user (or users) to be moved.

3. In the User Actions drop-down menu, select Move.

   The Change Organization of Users task page opens.

4. Select the organization that you want to reassign the user to and click Launch.

Renaming Users

Typically, renaming an account on a resource is a complex action. Because of this, Waveset provides a separate feature to rename a user’s Waveset account, or one or more resource accounts, that are associated with that user.

To use the rename feature, select a user account in the list, and then select the Rename option from the User Actions list.

The Rename User page allows you to change the user account name, associated resource account names, and resource account attributes associated with the user’s Waveset account.

---

Note –

Some resource types do not support account renaming.

---

As shown in the following figure, the user has an assigned Active Directory resource.

During the renaming process, you can change:

• Waveset user account name

• Active Directory resource account name

• Active Directory resource attribute (fullname)

  

Updating Resources Associated with an Account

In an update action, Waveset updates the resources that are associated with a user account. Updates performed from the accounts area send any pending changes that were previously made to a user to the resources selected.

This situation may occur if:

• A resource was unavailable when updates were made.

• A change was made to a role or resource group that needed to be pushed to all users assigned to that role or resource group. In this case, you should use the Find User page to search for users, and then select one or more users on which to perform the update action.

When you update the user account, you have the following options:

• Choose whether assigned resource accounts will receive the updated information.

• Update all resource accounts, or select individual accounts from a list.

Updating Resources on a Single User Account

To update a user account, select it in the list, and then select Update from the User Actions list.

On the Update Resource Accounts page, select one or more resources to update, or select Update All resource accounts to update all assigned resource accounts. When finished, click OK to begin the update process. Alternatively, click Save in Background to perform the action as a background process.

A confirmation page confirms the data sent to each resource.

Figure 3–3 illustrates the Update Resource Accounts page.

Figure 3–3 Update Resource Accounts

Updating Resources on Multiple User Accounts

You can update two or more Waveset user accounts at the same time. Select more than one user account in the list, and then select Update from the User Actions list.

---

Note –

When you choose to update multiple user accounts, you cannot select individually assigned resource accounts from each user account. Rather, this process updates all resources on all user accounts you select.

---

Deleting Waveset User Accounts

In Waveset, an Waveset user account is deleted in the same way that a remote resource account is deleted. Follow the steps for deleting a resource account, but instead of selecting a remote resource account for deletion, select the Waveset account.

---

Note –

If a user has outstanding work items, or if a user has outstanding work items that have been delegated to another user, Waveset will not allow the user’s Waveset account to be deleted. The delegated work items either need to be resolved or forwarded to another user before the user’s Waveset account can be deleted.

---

For more information, see Deleting Resources from User Accounts.

Deleting Resources from User Accounts

Waveset provides several deletion operations that can be used to remove Waveset user account access from a resource:

• Delete. For each resource selected, Waveset deletes the user’s account on the remote resource. (To delete a user from Waveset, select Waveset as the resource.)

  • Deleted resource accounts are automatically unlinked from the Waveset user.

  • Deleted resource accounts are not unassigned from the user. The resource remains assigned to the user unless the unassign action is also selected.

• Unassign. For each resource selected, Waveset removes the resource from the user’s list of assigned resources.

  • Unassigned resource accounts are automatically unlinked from the Waveset user.

  • The user account on the remote resource is not deleted. The account remains intact unless the delete action is also selected.

• Unlink. For each resource selected, the user’s resource account information is removed from Waveset.

  • The user’s account on the remote resource remains intact unless a delete action is also selected.

  • The resource remains on the user’s list of assigned resources unless an unassign action is also selected.

  • If you unlink an account that has been indirectly assigned to the user through a role or resource group, the link may be restored when the user is updated.

Although deprovision appears as a user-action in the User List page menus, there are actually only three Deletion actions in Waveset: delete, unassign, and unlink.

To deprovision a remote resource, use the delete and unassign actions on the resource.

To Start a Delete, Unassign, or Unlink Action for a Single User Account

Use the following procedure to perform a delete operation on a single Waveset user. By working with one user account at a time, you can specify different delete, unassign, and/or unlink operations for individual resource accounts.

---

Note –

You can use the Delete Resource Accounts page to unassign or unlink resource accounts when the Delete operation has been disabled.

---

1. In the Administrator interface, click Accounts in the main menu.

   The User List page displays on the List Accounts tab.

2. Select a user and click the User Actions drop-down menu.

3. Select any of the Deletion actions (Delete, Deprovision, Unassign, or Unlink) from the list.

   Waveset displays the Delete Resource Accounts page (Figure 3–4).

4. Complete the form. For more information on the Delete, Unassign, and Unlink actions, see Deleting Resources from User Accounts.

5. Click OK.

   Figure 3–4 shows the Delete Resource Accounts page. In the screen capture, the user jrenfro has one active account on a remote resource (the Simulated Resource). The Delete action is selected, which means that when the form is submitted, jrenfro’s account on the resource will be deleted. Because deleted accounts are automatically unlinked, the account information for this resource will be removed from Waveset. The Simulated Resource will remain assigned to jrenfro because the Unassign action is not selected.

   To delete jrenfro’s Waveset account, the Delete action should be selected for Waveset.

   Figure 3–4 The Delete Resource Accounts page

   
   

To Start A Delete, Unassign, or Unlink Action for Multiple Users

You can perform a delete operation on more than one Waveset user account at a time, however, you can only perform the selected delete operation on all of the users’ resource accounts.

Delete operations can also be performed using Waveset’s Bulk Account Actions feature. See Delete, DeleteAndUnlink, Disable, Enable, Unassign, and Unlink Commands.

---

Note –

You can use the Delete Resource Accounts page to unassign or unlink resource accounts when the Delete operation has been disabled.

---

1. In the Administrator interface, click Accounts in the main menu.

   The User List page displays on the List Accounts tab.

2. Select one or more users and click the User Actions drop-down menu.

3. Select any of the Deletion actions (Delete, Deprovision, Unassign, or Unlink) from the list.

   Waveset displays the Confirm Delete, Unassign, or Unlink page (Figure 3–5).

4. Specify the action to be performed.

   The options include:

   • Delete user only. Deletes the users’ Waveset accounts. This option does not delete or unassign the users’ resource accounts.

   • Delete user and resource accounts. Deletes the users’ Waveset accounts and all of the users’ resource accounts.

   • Delete resource accounts only. Deletes all of the users’ resource accounts. This option does not unassign the resource accounts, nor does it delete the users’ Waveset accounts.

   • Delete resource accounts and unassign directly assigned resources from user. Deletes and unassigns all of the users’ resource accounts, but does not delete the users’ Waveset accounts.

   • Unassign directly assigned resource accounts from user. Unassigns directly assigned resource accounts. This option does not delete the users’ accounts on the remote resources. Resource accounts assigned through a role or resource group are not affected.

   • Unlink resource accounts from user. The users’ resource account information is removed from Waveset. The users’ accounts on the remote resources are not deleted and are not unassigned. Accounts that are indirectly assigned to the users through a role or resource group may be restored when the users are updated.

5. Click OK.

   Figure 3–5 shows the Confirm Delete, Unassign, or Unlink page. The top portion of the page displays the six available actions that can be carried out for multiple users. The bottom portion of the page displays the users who will be affected by the selected action.

   Figure 3–5 The Confirm Delete, Unassign, or Unlink Page

   
   

Changing User Passwords

All Waveset users are assigned a password. When set, the Waveset user password is used to synchronize the user’s resource account passwords. If one or more resource account passwords cannot be synchronized (for example, to comply with required password policies), you can set them individually.

---

Note –

For information about account password policies, as well as general information about user authentication, see Managing Account Security and Privileges.

---

To Change Passwords from the User List Page

You can use the Change Password User Action from the User List page (Accounts -> List Accounts) to change a user account password from the User List page. Follow these steps:

1. In the Administrator interface, click Accounts in the main menu.

   The User List page displays on the List Accounts tab.

2. Select a user and click the User Actions drop-down menu.

3. To change the password, select Change Password.

   The Change User Password page opens.

4. Type the new password and click the Change Password button.

To Change Passwords from the Main Menu

To change a user account password from the main menu, follow these steps:

1. In the Administrator interface, click Passwords in the main menu.

   The Change User Password page appears by default.

   Figure 3–6 Change User Password

   
   

2. Select a search term (such as account name, email address, last name, or first name), and then a search type (starts with, contains, or is).

3. Type one or more letters of a search term in the entry field, and then click Find. Waveset returns a list of all users whose IDs contain the entered characters. Click to select a user and return to the Change User Password page.

4. Enter and confirm new password information, and then click Change Password to change the user password on the listed resource accounts. Waveset displays a workflow diagram that shows the sequence of actions taken to change the password.

Resetting User Passwords

The process for resetting Waveset user account passwords is similar to the change process. The reset process differs from a password change in that you do not specify a new password. Rather, Waveset randomly generates a new password (depending on your selections and password policies) for the user account, resource accounts, or a combination of these.

The policy assigned to the user (by direct assignment or through the user’s organization) controls several reset options, including:

• How often a password can be reset before resets are disabled

• Where the new password is displayed or sent

  Depending on the Reset Notification Option selected for the role, Waveset emails the new password to the user or displays it (on the Results page) to the Waveset administrator requesting the reset.

To Reset Passwords from the User List Page

The Reset Password user action is available on the User List page (Accounts > List Accounts).

To reset a password from the User List page, use the following steps.

1. In the Administrator interface, click Accounts in the main menu. The User List page displays on the List Accounts tab.

2. Select a user and click the User Actions drop-down menu.

3. To reset the password, select Reset Password.

   The Reset User Password page opens.

4. Click the Reset Password button.

To Expire Passwords Using the Waveset Account Policy

When you reset a user password, the password is immediately expired by default. Consequently, the first time users log in after a password reset, they must select a new password to gain access. You can use the Edit the Reset User Password form to override this default, so that the user’s password will expire according to the expire password policy set in the Waveset Account Policy associated with that user.

Use the following process to override the default change-password requirement.

1. Edit the Reset User Password Form and set the following value to false.

   resourceAccounts.currentResourceAccounts[Lighthouse].expirePassword

2. Use the Reset option in the Waveset Account Policy to specify when a password expires.

   The settings include

   • permanent. Waveset uses the time period specified in the passwordExpiry policy attribute to calculate the relative date from the current date when the password is reset, and then set that date on the user. If no value is specified, the changed or reset password never expires.

   • temporary. Waveset uses the time period specified in the tempPasswordExpiry policy attribute to calculate the relative date from the current date when the password is reset, and then set that date on the user. If no value is specified, the changed or reset password never expires. If tempPasswordExpiry is set to a value of 0, then the password is expired immediately.

     The tempPasswordExpiry attribute applies only when passwords are reset (randomly changed). It does not apply to password changes.

Disabling, Enabling, and Unlocking User Accounts

This section describes how to disable and enable Waveset user accounts, and describes how to help users who have become locked out of their Waveset accounts.

To Disable User Accounts

When you disable a user account, you alter that account so that the user can no longer log in to either Waveset or to his assigned resource accounts.

Note that administrators can disable user accounts from the Administrator interface, but they cannot lock user accounts. Accounts can only become locked if the user exceeds the allowable number of unsuccessful login attempts defined by the Waveset account policy

---

Note –

If an assigned resource does not have native support for account disabling, but does support password changes, then Waveset can be configured to disable user accounts on that resource by assigning new, randomly generated passwords.

---

Use the following steps to ensure that this functionality works correctly:

1. Open the “Identity System Parameters” page in the Edit Resource Wizard. (See Managing Resources for instructions on how to open the wizard.)

2. In the “Account Features Configuration” table verify that both the Password feature and the Disable feature do not have check marks in the Disable? column. (To display the Disable feature, select Show All Features.)

   If the Disable feature does have a check mark in the Disable? column, accounts in the resource cannot be disabled.

Disabling Single User Accounts

To disable a user account, select it in the User List, and then select Disable from the User Actions drop-down menu.

On the displayed Disable page, select the resource accounts to disable, and then click OK. Waveset displays the results of disabling the Waveset user account and all associated resource accounts. The accounts list indicates that the user account is disabled.

Disabling Multiple User Accounts

You can disable two or more Waveset user accounts at the same time. Select more than one user account in the list, and then select Disable from the User Actions list.

---

Note –

When you choose to disable multiple user accounts, you cannot select individually assigned resource accounts from each user account. Rather, this process disables all resources on all user accounts you select.

---

To Enable User Accounts on a Resource Through Password Resets

User account enabling reverses the disabling process.

Depending on selected notification options, Waveset also displays the password on the administrator’s results page.

The user can then reset his password (through the authentication process), or a user with administrator privileges can reset it.

---

Note –

If an assigned resource does not have native support for account enabling, but does support password changes, then Waveset can be configured to enable user accounts on that resource through password resets.

To ensure that this functionality works correctly, do the following:

---

1. Open the “Identity System Parameters” page in the Edit Resource Wizard. (See Managing Resources for instructions on how to open the wizard.)

2. In the “Account Features Configuration” table, verify that both the Password feature and the Enable feature do not have check marks in the Disable? column. (To display the Enable feature, select Show All Features.)

   If the Enable feature does have a check mark in the Disable? column, accounts in the resource cannot be enabled.

Enabling Single User Accounts

To enable a user account, select it in the list, and then select Enable from the User Actions list.

On the displayed Enable page, select the resources to enable, and then click OK. Waveset displays the results of enabling the Waveset account and all associated resource accounts.

Enabling Multiple User Accounts

You can enable two or more Waveset user accounts at the same time. Select more than one user account in the list, and then select Enable from the User Actions list.

---

Note –

When you choose to enable multiple user accounts, you cannot select individually assigned resource accounts from each user account. Rather, this process enables all resources on all user accounts you select.

---

To Unlock User Accounts

Users become locked out if they are unsuccessful at logging in to Waveset. To become locked out, the user has to exceed the allowable number of unsuccessful login attempts defined by the Waveset account policy.

---

Note –

Only login attempts on an Waveset user interface are counted towards an Waveset lockout (that is, either the administrator interface, the end-user interface, the command-line interface, or the SPML API interface). Failed login attempts on resource accounts are not counted and will not cause the user to be locked out of their Waveset account.

---

The Waveset account policy establishes the maximum number of failed password or question login attempts that can be made.

• Users who exceed the maximum number of failed password login attempts are locked out of all Waveset application interfaces, including the Forgot My Password interface.

• Users who exceed the maximum number of failed question login attempts can authenticate to any Waveset application interface except Forgot My Password.

Failed Password Login Attempts

Users who are locked out of Waveset due to excessive failed password login attempts will not be able to log in until an administrator unlocks the account or until the lock expires.

• An administrator can unlock an account if the administrator has administrative control of the user’s member organization, as well as the Unlock User capability.

• If a Lock Timeout value is set in the Waveset Account Policy, a lock placed on an account will eventually expire. The Lock Timeout value for failed password login attempts is set by the Account lock created by failed password-logins expires in value.

Failed Question Login Attempts

Users who are locked out of the Forgot My Password interface due to excessive failed question login attempts will not be able to log in to that interface until an administrator unlocks the account, or until the locked user (or a user with appropriate capabilities) changes or resets the user’s password, or until the lock expires.

• An administrator can unlock an account if the administrator has administrative control of the user’s member organization, as well as the Unlock User capability.

• If a Lock Timeout value is set in the Waveset Account Policy, a lock placed on an account will eventually expire. The Lock Timeout value for failed question login attempts is set by the Account lock created by failed question-logins expires in value.

An administrator with appropriate capabilities can perform the following operations on a user in locked state:

• Update (including resource reprovisioning)

• Change or reset password

• Disable or enable

• Rename

• Unlock

To unlock accounts, select one or more user accounts in the list, and then select Unlock Users from the User Actions or Organization Actions list.