Oracle® Fusion Middleware User's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) E14316-05
An organization entity represents a logical container of entities such as users and other organizations in Oracle Identity Manager.
Organizations are containers that can be used for delegated administrative models. In addition, an organization defines the scope of other Oracle Identity Manager entities, such as users. Oracle Identity Manager can have a flat organization structure or a hierarchical structure, which means that an organization can contain other organizations. The hierarchy represents departments, geographical areas, or other logical divisions facilitating management of Oracle Identity Manager entities.
To let delegated administration scale to a large number of roles and people in an organization of significant size, Oracle Identity Manager lets you define delegated administration policies based on the membership of an object within a hierarchy. This also supports recursive organization membership, such as the hierarchy shown in Figure 13-1:
Figure 13-1 Recursive Organization Membership
If a hierarchical delegated administration policy is defined to provide Delegated Administrator1 the permission to reset password starting from Engineering, then the permission is granted for Employee1, Employee2, Employee3, and Employee4. If the membership root is Development, then Bob has the permission for Employee2 and Employee3 only.
The functional description of the organization services and the UI components that support these services are described in the following sections:
In Oracle Identity Manager, attributes are defined by default for the organization entity. You can also add your own attributes to the organization entity.
Each organization entity attribute is defined by the following:
Attribute Name: The name of the attribute.
Category: The category for the attribute. The categorization is used to organize the data in the UI.
Type: The type of the attribute, such as string, date, number, or boolean.
Display Type: The display type of the attribute in the UI, such as single line text, multi-line text, e-mail address, radio button, or List of Values (LOV).
Note: The list of values can come from an API call or a system-defined list of values, or you can add your own values.
Properties: For each attribute, you must configure the following properties:
Required: Determines whether the organization in the repository must have a non-null value for this attribute.
System Controlled: Determines whether the value can be set and edited only by the system itself.
System Can Default: Determines whether the system can set the value to a default if no value is provided.
Encrypted: Determines whether the value is stored in the repository as hashed (Hash), reversibly encrypted (Encrypt), or in clear (Clear).
Searchable: Determines whether the value can be used in searches.
Unique: Determines whether the value must be unique across all organizations in the repository.
Table 13-1 lists the default attributes of the organization entity:
Table 13-1 Default Attributes of the Organization Entity

Attribute Name | Category | Type | Data Type | Display Type | Properties |
---|---|---|---|---|---|
Organization | Basic | Single | String | Single line text | Required: Yes; System Can Default: No; System Controlled: No; Encrypted: Clear; Searchable: Yes; Unique: Yes |
Organization Type | Basic | Single | String | LOV | Required: Yes; System Can Default: Yes; System Controlled: Yes; Encrypted: Clear; Searchable: Yes; Unique: No |
Parent Organization | Basic | Single | String | Single line text | Required: No; System Can Default: No; System Controlled: No; Encrypted: Clear; Searchable: Yes; Unique: No |
Status | Basic | Single | String | Single line text | Required: Yes; System Can Default: Yes; System Controlled: Yes; Encrypted: Clear; Searchable: Yes; Unique: No |
The tasks related to organization management are performed in the Organization Management section of Oracle Identity Management Administration. The tasks are described in the following sections:
Oracle Identity Administration allows you to perform the following types of organization search operations:
The simple search operation lets you search organization entities based on the search strings that you specify as search attributes. This operation is also referred to as quick search.
To perform a simple search for organizations:
Log in to Oracle Identity Administration.
In the Administration tab on the left pane, from the drop-down list, select Organizations.
In the Search field, enter an organization name as a search criterion. You can include wildcard characters (*) in your search criterion. For performance reasons, leading (prefix) wildcards are removed. However, a trailing wildcard is added to all searches.
Click the search icon. In the Search Results tab, the search result is displayed in a table that shows the organization names that matched the search criterion. Figure 13-2 shows the search results table:
Advanced search for organizations allows you to specify more complex search criteria than the simple search operation. The results are displayed in the search results table.
To perform advanced search for organizations:
Log in to Oracle Identity Administration.
In the Welcome page, under Organizations, click Advanced Search - Organizations. The Advanced Search page is displayed on the right pane.
Select any one of the following:
All: Search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.
Any: Search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.
In the Organization Name field, enter the organization name search attribute that you want to search. To do so, select a search comparator. The default search comparator is "Begins With". The comparator "Equals" is available in the pulldown list as an alternative. See "Search Comparators" for more information about search comparators.
You can use wildcard characters to specify the organization name.
From the Organization Customer Type list, select the organization type. The organization type can be Branch, Department, or Company.
From the Add Fields button, select Organization Status.
From the Organization Status list, select the organization status, which can be Active, Deleted, or Disabled.
Click Search. The results are displayed in the search results table, as shown in Figure 13-3. The search results table displays the organization name, parent organization, organization customer type, and organization status.
You can browse data in the Organizations section in Oracle Identity Manager Administration. The browse functionality is available in the left pane of the UI.
Using the browse operation, you can navigate through the organization tree in the system, starting at the root organization. If there are multiple organization trees, then all the trees are displayed. Each tree starts at a root organization node, which has no parent organization. The users defined in the organization are not displayed as nodes in the tree.
To browse through organizations, in the left pane of Oracle Identity Manager Administration, under the Browse tab, click Organization. All the organizations in Oracle Identity Manager are displayed in the browse list, as shown in Figure 13-4:
The organization browse list shows the organization trees with their root and child organizations.
In the organization browse list, you can perform the following:
Create an organization. See "Creating an Organization".
Open the details of an organization. See "Viewing and Modifying Organizations".
Delete an organization. See "Deleting an Organization".
Manage administrative roles. See "Managing Administrative Roles".
You create an organization by using the Create Organization page. You can access this page only if you are authorized to create an organization.
Note: You are allowed to create an organization only if you have the Create Organization privilege for one or more organizations.
To create an organization:
Open the Create Organization page. To do so, perform any one of the following:
In the Welcome page of Oracle Identity Manager Administration, under Organizations, click Create New Organization.
In the left pane, click the Browse tab. Under Organizations, from the Action menu, select Create. You can also click the Create icon on the toolbar.
In the left pane, click the Search Results tab with Organizations selected in the search list. From the Actions menu, select Create. You can also click the Create icon on the toolbar.
In the Advanced Search: Organization page, from the Actions menu, select Create Org, or click Create on the toolbar.
Figure 13-5 shows the Create Organization page.
Enter values in the fields in the Create Organization page. Table 13-2 lists the fields in the Create Organization page:
In the Name field, enter the name of the organization.
In the Type field, select the type of the organization, such as Company, Department, or Branch.
Specify the parent organization to which the newly created organization will belong. To do so:
Click the search icon next to the Parent Organization field. The Search: Organizations dialog box is displayed, as shown in Figure 13-6:
Figure 13-6 The Search: Organizations Dialog Box
Select any one of the following options:
All: On selecting this option, the search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.
Any: On selecting this option, the search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.
In the Organization Name field, enter the organization name that you want to search. You can use wildcard characters in your search criteria. Select a search condition in the list adjacent to the Organization Name field. The search conditions include "Equals" or "Begins With".
In the Organization Customer Type field, enter the organization type of the parent organization. You can use wildcard characters in your search criteria. Select a search condition in the list adjacent to the Organization Customer Type field.
Click Search. The organizations that match the search criteria you specified are displayed in the search results table.
From the search results table, select the organization that you want to specify as the parent organization.
Click Finish. The selected organization is added as the parent organization.
Click Save to create the organization.
The view organization operation allows you to view detailed organization profile information in the Organization Details page. You can view this page only if you are authorized to view the organization profile, as determined by the authorization policy on the View Organization Detail privilege. If you are authorized to modify the organization, then you can also modify it by using this page.
Note: The organization details page for the organization entity is auto-generated by the system based on configuration and fine-grained authorization. In Oracle Identity Manager, there is no mechanism to override the system-generated page with a custom-defined page.
To open the details of an organization, perform any one of the following:
In the left pane of Oracle Identity Manager Administration, click the Browse tab. Under Organization, select the organization whose details you want to display. From the Actions menu, select Open. Alternatively, click the Open icon on the toolbar.
Perform a simple search for the organization whose details you want to display. From the search result, select the organization. From the Actions menu, select Open. Alternatively, click the Open icon on the toolbar.
Perform an advanced search for the organization whose details you want to display. From the advanced search result, select the organization, and from the Actions menu, select Update Org. Alternatively, click Open on the toolbar.
The organization details page is displayed, as shown in Figure 13-7:
Figure 13-7 The Organization Details Page
You can perform administrative organization modifications in the organization details page. The modification is divided across the different sections of the organization details page, which means that modifications done in each section are independent of each other and must be saved individually. The modification for each section is described in the following sections:
Note: You must have "organization create" permission to update or delete organizations.
The Attributes tab, as shown in Figure 13-7, of the organization details page displays attributes of the organization. If you are authorized to modify the organization profile as determined by authorization policy on the Modify Organization Profile privilege, then the organization details page opens in editable mode and you can modify organization information. You can modify the values for the attributes, and then click Save to save the changes.
Whether or not the logged-in user is allowed to modify the organization is controlled by authorization policies. If you are not allowed to modify the organization, then the organization details page is displayed in read-only mode with no editable fields. See "Organization Management Authorization" for information about authorization of the organization management feature.
Note: The Status attribute in the organization details page is read-only.
The Hierarchy tab is a read-only tab that displays a list of child organizations that the selected organization has. For each child organization in the list, the following are displayed:
Organization name
Type
Status
From the Hierarchy tab, you can open the details of a child organization by selecting the organization, and selecting Open from the Actions menu. Alternatively, you can click Open on the toolbar, or simply click the name of the organization.
To modify a child organization, click its name. The organization details page for that organization is displayed, and you can modify its details there.
The Members tab is a read-only tab that displays a list of users in the selected organization. For each user in the list, the following are displayed:
User Name
First Name
Last Name
Manager Name
From the Members tab, you can open the details of a user by selecting the user, and selecting Open from the Actions menu. Alternatively, you can click Open on the toolbar, or simply click the name of the user.
Tip: You can add or remove users to and from organizations by using the Attributes tab of the user details page. For more information, see "The Attributes Tab".
The Resources tab displays the permitted resources for the selected organization. You can select one or multiple resources in the list, and then perform the following:
To provision resources to the organization:
From the Actions menu, select Provision. Alternatively, click Provision on the toolbar. This opens the "Step 1: Select a Resource" page of the provisioning wizard.
Search for the resource that you want to provision. Select the resource and click Continue.
In the Step 2: Verify Resource Selection page, the resource that you selected for adding to the organization is displayed. Verify the information and click Continue. Provisioning the selected resource to the organization starts.
Close the Provision Resource to Organization wizard. The resource is added to the Hierarchy tab.
Tip: If the provisioned resource is not displayed in the Hierarchy tab, then click Refresh on the toolbar.
To revoke a resource:
Select the resource that you want to remove.
From the Actions list, select Revoke. Alternatively, click Revoke on the toolbar. A message is displayed asking for confirmation.
Click OK to confirm.
To disable an organization that is in the enabled state:
In the organization details page, click Disable Organization on the top of the page. A message is displayed asking for confirmation. Alternatively, in the simple search result for organizations, select the organization, and from the Actions menu, select Disable.
Click OK to confirm. A message is displayed stating that the organization is successfully disabled.
Click OK.
To enable an organization that is in the disabled state:
In the organization details page, click Enable Organization on the top of the page. Alternatively, in the simple search result for organizations, select the organization, and from the Actions menu, select Enable. A message is displayed asking for confirmation.
Click OK to confirm. A message is displayed stating that the organization is successfully enabled.
Click OK.
Note: You can enable an organization only if you have the "Write" permission for that organization.
The organization details page allows you to view and define a list of administrative roles and associated permissions that can administer the selected organization. To assign administrative roles to an organization, you must have the appropriate permission to create an organization. To assign the permission to create organizations to a role:
On the role detail page for the role to which you want to assign administrative privileges for organizations, click Data Object Permissions. The Role Details >> Permissions page is displayed.
Click Assign. The Assign Permissions page is displayed with a list of permission names that you can select to assign the permissions to the role.
For the Organizations permission, select the Allow Insert option. This grants the "create organization" permission to the orgadmin role. Then select the Assign option to the right of the "Organizations" permission.
Click Assign. A message is displayed asking for confirmation.
Click Confirm Assign. The permission is assigned to the role.
To assign administrative roles to an organization:
Note: The "Insert" permission is a prerequisite to the Write and Delete permissions. The "Insert" permission allows you to create new organizations. The "Write" permission allows you to update, enable, and disable organizations. The "Delete" permission allows you to delete organizations.
Open the Administrative Roles page by selecting any one of the following:
In the organization simple search result, select an organization. From the Actions menu, select Administrative Roles.
In the Browse tab on the left pane, select an organization. From the Actions menu, select Administrative Roles.
In the organization detail page, click Administrative Roles.
On the Administrative Roles page, in the Filter By Role Name field, enter a search criterion to search for administrative roles that can administer the organization. Then, click Search. A list of roles with their associated permissions is displayed.
To unassign any role from the organization, select the Unassign option to the right of the administrative role, and click Unassign.
To assign an administrative role to the organization:
Click Assign. The Assign page is displayed with a list of available roles.
You can filter the role names by entering a search criterion in the Filter By Role Name box, and clicking Find.
Note that the Read options are selected by default for all the roles.
Select the Write, Delete, and Assign options for the administrative roles to provide write, delete, and assign administrative permissions respectively.
Click Assign.
To update permissions for the administrative roles:
Click Update Permissions. The Update page is displayed with a list of administrative roles, whose permissions you can modify.
You can filter the role names by entering a search criterion in the Filter By Role Name box, and clicking Find.
Note that the Read options are selected by default for all the roles.
Select or deselect the Write and Delete options for the administrative roles to modify the write and delete permissions respectively.
Click Update.
When finished, close the Administrative Roles page. Figure 13-8 shows the Administrative Roles page.
The Permitted Resources page allows you to assign and update a list of permitted resources to the users of the selected organization.
To assign permitted resources to the users in the selected organization:
In the Browse tab on the left pane, select an organization. From the Actions menu, select Open.
In the organization detail page, click Permitted Resources.
In the Permitted Resources page, select the resources and click Assign.
To update the resources allowed to the selected organization:
In the Browse tab on the left pane, select an organization. From the Actions menu, select Open.
In the organization detail page, click Permitted Resources.
In the Permitted Resources page, select the resources and click Update.
Figure 13-9 shows the Assign Permitted Resources page.
To delete an organization:
In the advanced search result for organizations, select the organization that you want to delete.
From the Actions menu, select Delete. A message is displayed asking for confirmation. Alternatively, in the simple search result for organizations, select Delete from the Actions menu. Otherwise, in the Browse tab, select Delete from the Actions menu, or on the organization details page, click Delete Organization.
Click OK to confirm. A message is displayed stating that the organization is successfully deleted.
Click OK.
Authorization of the organization management feature is based on organization administrative roles. The following distinct sets of permissions are required by a role to manage an organization:
The role must have the following data object permission on organization entities:
Insert - This enables the user (with this role) to create new organizations and manage them.
Enable/Disable/Update
These permissions are not specific to a particular organization.
When a role is assigned as an administrative role for an organization, the following permissions are required:
"Read and View" permissions are implicit by virtue of the role being an administrative role
Write
Delete
These permissions are configured per organization.
Permission to get access to Oracle Identity Manager Administration from Oracle Identity Manager Self Service is governed by "menu item" permissions. When the user has access to Oracle Identity Manager Administration, the user is allowed to browse users, roles, and organizations.
Second level menus for edit, view, and delete actions on user and role entities are derived from the OES policies, such as create, update, delete on user and role respectively.
Similarly, second-level menus to edit, view, and delete organizations are derived from the "orgadmin role" and "data-object" permissions on the organization entity type.
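As an added example (not code from the Oracle documentation) of the two permission sets described above: a Python model that checks an action on an organization against a role's data object permissions on the organization entity type and against that role's per-organization administrative role grant, treating the two sets as jointly required as the section states. The class names, the "orgadmin" role, the Finance organization and the user "alice" are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Action to data object permission, following the note on Insert/Write/Delete above.
ACTION_TO_PERMISSION = {"create": "Insert", "update": "Write", "enable": "Write",
                        "disable": "Write", "delete": "Delete"}

@dataclass
class DataObjectPermissions:
    """Role-level permissions on the organization entity type (not per organization)."""
    insert: bool = False
    write: bool = False
    delete: bool = False

    def __post_init__(self):
        if (self.write or self.delete) and not self.insert:  # Insert is a prerequisite
            raise ValueError("Insert is a prerequisite for Write and Delete")

@dataclass
class AdminRoleGrant:
    """Per-organization administrative role assignment; Read/View are implicit."""
    write: bool = False
    delete: bool = False

class OrgAuthz:
    def __init__(self):
        self.role_perms: Dict[str, DataObjectPermissions] = {}
        self.admin_roles: Dict[str, Dict[str, AdminRoleGrant]] = {}  # org -> role -> grant
        self.memberships: Dict[str, Set[str]] = {}                  # user -> roles

    def grant_data_object(self, role: str, **flags: bool) -> None:
        self.role_perms[role] = DataObjectPermissions(**flags)

    def assign_admin_role(self, org: str, role: str, **flags: bool) -> None:
        self.admin_roles.setdefault(org, {})[role] = AdminRoleGrant(**flags)

    def add_member(self, user: str, role: str) -> None:
        self.memberships.setdefault(user, set()).add(role)

    def can_view(self, user: str, org: str) -> bool:
        """Read/View follow from holding any administrative role for the organization."""
        return any(r in self.admin_roles.get(org, {}) for r in self.memberships.get(user, ()))

    def is_authorized(self, user: str, action: str, org: str = "") -> bool:
        """Create needs only a role's Insert permission (organization-independent).
        update/enable/disable/delete need the matching data object permission AND
        the matching grant on the role's administrative assignment for `org`."""
        needed = ACTION_TO_PERMISSION[action]
        for role in self.memberships.get(user, ()):
            dop = self.role_perms.get(role)
            if dop is None:
                continue
            if needed == "Insert":
                if dop.insert:
                    return True
                continue
            grant = self.admin_roles.get(org, {}).get(role)
            if grant is None:
                continue
            if needed == "Write" and dop.write and grant.write:
                return True
            if needed == "Delete" and dop.delete and grant.delete:
                return True
        return False

# Constructed sample: an "orgadmin" role with Insert and Write on the entity type,
# assigned as administrative role (Write only) on a Finance organization.
AUTHZ = OrgAuthz()
AUTHZ.grant_data_object("orgadmin", insert=True, write=True)
AUTHZ.assign_admin_role("Finance", "orgadmin", write=True)
AUTHZ.add_member("alice", "orgadmin")
```

With this setup, alice can create organizations and disable Finance, but cannot delete Finance (no Delete on either level) or update an organization she is not an administrator of.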
In Oracle Identity Manager 11g Release 1 (11.1.1), "delegated administration" permissions are managed by using Oracle Entitlements Server (OES) authorization policies. These OES policies for user management can be used to control:
Under which organizations you can create or modify users
Data constraints can specify that you can change users in a set of organizations with or without hierarchy.
See Also: Chapter 15, "Managing Authorization Policies" for information about OES authorization policies
Together, these capabilities provide the delegated administration model.
To configure a delegated administrator for an organization:
Define a custom authorization policy to manage users and set organization constraints. Organization constraints can be hierarchy aware. See "Creating Custom Authorization Policies" for information about creating custom authorization policies and setting data constraints.
Add the user to the role specified in the custom policy. See "Adding and Removing Roles" for information about adding a user to a role.
To configure the role as organization administrator, first create a role. See "Creating Roles".
When you create the orgadmin role, the role detail page for this role is displayed.
Assign this orgadmin role "data object" permissions on the organization type. With this "data object" permission, the user (with this role), can create new organizations and manage them. See "Managing Administrative Roles" for information about assigning "create organization" permission to a role.
Select an organization and assign the orgadmin role as the administrative role for the organization. This step gives the user the ability to manage the selected organization. Manage permissions include update, enable, disable, and delete. See "Managing Administrative Roles" for information about assigning administrative roles to an organization.
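As an added example (not code from the Oracle documentation) covering both the Figure 13-1 discussion and the hierarchy-aware organization constraints of the delegated administration section: a Python model of a delegated administration policy scoped by a membership root, evaluated with and without hierarchy. The organization tree, users, role names, admin logins and the policy shape are constructed for illustration; the Quality organization is assumed as a second child of Engineering, since the figure itself is not on the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Org:
    name: str
    parent: Optional[str] = None  # None marks a root organization

@dataclass(frozen=True)
class User:
    login: str
    org: str

@dataclass(frozen=True)
class Policy:
    """Assumed policy shape: members of `role` get `permission` on users in
    `root_org` and, when hierarchy_aware is set, in every organization below it."""
    role: str
    permission: str
    root_org: str
    hierarchy_aware: bool = True

class Directory:
    def __init__(self, orgs: List[Org], users: List[User]):
        self.orgs: Dict[str, Org] = {o.name: o for o in orgs}
        self.users: Dict[str, User] = {u.login: u for u in users}
        for o in orgs:
            if o.parent is not None and o.parent not in self.orgs:
                raise ValueError(f"{o.name}: unknown parent organization {o.parent}")
            self.lineage(o.name)  # raises if the hierarchy contains a cycle
        for u in users:
            if u.org not in self.orgs:
                raise ValueError(f"{u.login}: unknown organization {u.org}")

    def lineage(self, org_name: str) -> List[str]:
        """The organization itself, then each ancestor up to the root."""
        chain: List[str] = []
        cur: Optional[str] = org_name
        while cur is not None:
            if cur in chain:
                raise ValueError(f"cycle in organization hierarchy at {cur}")
            chain.append(cur)
            cur = self.orgs[cur].parent
        return chain

    def in_scope(self, user_org: str, policy: Policy) -> bool:
        if not policy.hierarchy_aware:
            return user_org == policy.root_org            # flat constraint
        return policy.root_org in self.lineage(user_org)  # recursive membership

    def users_in_scope(self, policy: Policy) -> List[str]:
        return sorted(u.login for u in self.users.values() if self.in_scope(u.org, policy))

    def is_permitted(self, memberships: Dict[str, Set[str]], policies: List[Policy],
                     admin: str, permission: str, target_login: str) -> bool:
        """True if a role held by `admin` carries a policy granting `permission`
        whose organization scope covers the target user's organization."""
        target = self.users.get(target_login)
        if target is None:
            return False
        roles = memberships.get(admin, set())
        return any(p.permission == permission and p.role in roles
                   and self.in_scope(target.org, p) for p in policies)

# Constructed sample data mirroring the Figure 13-1 discussion ("Quality" assumed).
ORGS = [Org("Engineering"), Org("Development", "Engineering"), Org("Quality", "Engineering")]
USERS = [User("Employee1", "Engineering"), User("Employee2", "Development"),
         User("Employee3", "Development"), User("Employee4", "Quality")]
DIRECTORY = Directory(ORGS, USERS)
POLICY_ENG = Policy("EngAdmins", "reset_password", "Engineering")  # root Engineering
POLICY_DEV = Policy("DevAdmins", "reset_password", "Development")  # root Development
MEMBERSHIPS = {"admin1": {"EngAdmins"}, "admin2": {"DevAdmins"}}
```

With root Engineering the policy reaches Employee1 through Employee4; with root Development it reaches only Employee2 and Employee3, and switching hierarchy_aware off limits the Engineering policy to Employee1.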