6 Identity Warehouse


6.1 What Is the Identity Warehouse?

The Identity Warehouse is a central repository that contains all of the important entitlement data for your organization, including Users, Roles, Policies, Resources, and Business Structures. This data is imported from your organization's databases on a regular, scheduled basis. The Oracle Identity Analytics software has an import engine that supports complex entitlement feeds. The engine accepts either text or XML files, and includes Extract, Transform, and Load (ETL) processing capabilities. The engine also captures the glossary description of each entitlement.

6.2 Understanding the Identity Warehouse User Interface

This section provides help using the Identity Warehouse portion of the user interface.

6.2.1 The Identity Warehouse > Business Structures Page

To open the Identity Warehouse - Business Structures page, choose Identity Warehouse > Business Structures from the main menu.

The Identity Warehouse - Business Structures page has four subtabs, which are described in the following section.

6.2.1.1 Tabs on the Identity Warehouse - Business Structures Page

This section describes the pages that open when you click the tabs on the Identity Warehouse > Business Structures page.

General Tab

This page displays basic information about the business structure, including Type, Division, and Owner. It also shows the status of the business structure. Actions can be taken on a business structure only if it is in the active state.

Users Tab

This page displays all users who are part of the selected business structure.

Roles Tab

This page displays all the roles associated with the selected business structure.

Policies Tab

This page displays all the policies associated with the selected business structure.

6.2.2 The Identity Warehouse > Users Page

To open the Identity Warehouse - Users page, choose Identity Warehouse > Users from the main menu.

This page displays user name, first name, last name, primary e-mail, and risk summary information. Quick search and advanced search are provided.

You can get detailed information about a user by clicking the user name link. This will open a page in a new window that contains the user's roles, business structures, accounts, general details, custom properties, and relationship map. See Section 6.3.5, "Viewing User Details" for additional information.

Orphan Accounts

An orphan account is an account that is no longer associated with any user entry. (The user may have left the organization or shifted departments, but the account was not deactivated when the user left or moved.)

The Orphan Accounts page is documented in the "Identity Warehouse" chapter in the Oracle Identity Analytics Administration Guide.
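The orphan-account definition above can be checked mechanically once account feeds carry an owner correlation. The following is an added example, not Oracle Identity Analytics code: it runs over constructed users and accounts, flags accounts whose owner reference matches no user entry (orphans as the page defines them), and separately lists accounts still tied to an Inactive user, which are not orphans but usually belong in the same review queue. All user, resource and account names are made up.

```python
# Added example: orphan-account detection over constructed sample data.
# Illustrative code, not Oracle Identity Analytics code; the users,
# resources and account names below are made up.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    user_name: str
    status: str  # "Active" or "Inactive"


@dataclass(frozen=True)
class Account:
    resource: str
    account_name: str
    user_name: Optional[str]  # None when the feed carried no owner correlation


# Constructed sample warehouse content.
USERS = [User("jdoe", "Active"), User("asmith", "Inactive"), User("bwong", "Active")]
ACCOUNTS = [
    Account("ActiveDirectory", "jdoe", "jdoe"),
    Account("ActiveDirectory", "asmith", "asmith"),
    Account("Oracle EBS", "ebs_admin2", None),   # never correlated to a user
    Account("Oracle EBS", "mkhan", "mkhan"),     # user entry no longer exists
    Account("SAP", "bwong", "bwong"),
]


def find_orphan_accounts(users: List[User], accounts: List[Account]) -> List[Account]:
    """Accounts whose owner reference matches no user entry in the warehouse."""
    known = {u.user_name for u in users}
    return [a for a in accounts if a.user_name is None or a.user_name not in known]


def find_accounts_of_inactive_users(users: List[User], accounts: List[Account]) -> List[Account]:
    """Accounts still correlated to a user whose status is Inactive.

    Not orphans by the page's definition (the user entry still exists), but
    the account should have been deactivated when the user left, so they
    belong in the same review queue."""
    inactive = {u.user_name for u in users if u.status == "Inactive"}
    return [a for a in accounts if a.user_name in inactive]


def orphan_report(users: List[User], accounts: List[Account]) -> Dict[str, List[str]]:
    """Group orphan account names by resource so each resource owner gets one list."""
    report: Dict[str, List[str]] = {}
    for a in find_orphan_accounts(users, accounts):
        report.setdefault(a.resource, []).append(a.account_name)
    return report


if __name__ == "__main__":
    print(orphan_report(USERS, ACCOUNTS))
    print([a.account_name for a in find_accounts_of_inactive_users(USERS, ACCOUNTS)])
```

Grouping by resource mirrors how remediation is actually dispatched: each resource has its own owner and its own de-provisioning path (see the Remediation tab later in this chapter), so a per-resource list is what the owner needs.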

6.2.2.1 Tabs on the Identity Warehouse - Users - User Detail Page

Upon selecting a user, a page with tabs opens. This section describes the pages that open when you click the tabs on the selected user page.

General Tab

This page displays basic information about the user.

  • Risk Summary - The user's overall risk (high, medium, or low), as calculated by Oracle Identity Analytics based on the user's Item Risk and any related risk factors. In OIA, three bars signify high risk, two bars signify medium risk, and one bar signifies low risk.

    To better understand Risk Summary values, see "Understanding How Risk Summaries are Calculated" in the "Oracle Identity Analytics Identity Warehouse" chapter of the Administrator's Guide for Oracle Identity Analytics.

Accounts Tab

Displays information about the user's accounts.

Roles Tab

Displays information about the user's assigned roles.

Business Structures Tab

Displays information about the business structures that the user is assigned to.

Workflow Tab (Optional)

Displays three approver fields that are populated with data if OIA has been integrated with the CA Identity Manager provisioning server. The three approver fields are Business Approver, Technical Approver, and Delegate.

Note:

The Workflow tab is hidden by default. To enable it, see "To Enable the Workflow Tab on the Identity Warehouse Pages" in the System Integrator's Guide for Oracle Identity Analytics, "Customizing the OIA User Interface" chapter.

Custom Properties

Displays custom information about the user. For more information about custom properties, see "Working With Extended User Custom Properties" in the "Oracle Identity Analytics Identity Warehouse" chapter, in the Administrator's Guide for Oracle Identity Analytics.

Relationship Map

Displays the user's relationship to other objects in the system hierarchy.

6.2.3 The Identity Warehouse > Roles Page

To open the Identity Warehouse - Roles page, choose Identity Warehouse > Roles from the main menu.

The Roles page is divided into the following sections:

  • The left side displays the following subtabs:

    • The Hierarchy subtab displays roles in the organization

    • The Search subtab displays the search feature

  • The right side displays ten tabs that are described in the following section.

6.2.3.1 Tabs on the Identity Warehouse - Roles Page

This section describes the pages that open when you click the tabs on the Identity Warehouse > Roles page.

General Tab

Use this page to view or enter basic information about the role, such as the name of the role, the role type, the Item Risk level, the status (Active, Inactive, Decommissioned), and so on.

  • Type - A role can be one of the following types:

    • Provisioning role - Entitlement roles used in Oracle Identity Manager or other provisioning solutions.

    • Access Control role - Roles that capture policies for products that are integrated with Oracle Identity Analytics, like Siteminder and Open SSO.

    • Organizational role - Roles that are based on job function, such as Consultant, Analyst, Contractor, and so on.

  • Risk Level - The assigned Item-Risk level (high, medium, or low) for this role. In OIA, three bars signify high risk, two bars signify medium risk, and one bar signifies low risk.

    For more information about Risk Levels and how they are used to calculate Risk Summaries, see "Understanding How Risk Summaries are Calculated," in the "Oracle Identity Analytics Identity Warehouse" chapter, in the Administrator's Guide for Oracle Identity Analytics.

  • Status - A role can exist in one of the following states:

    • Active - Applies to roles that have been approved by the role owner. Only active roles can be acted upon.

    • Inactive - Applies to old roles.

    • Composing - Applies to roles that are in the process of being created. Roles in a composing state have not yet been sent by an administrator for approval.

    • Pending Approval - Applies to roles that have been sent by an administrator for approval.

    • Decommissioned - Applies to roles that no longer exist. All information regarding the role, however, is retained in Oracle Identity Analytics.

  • Service Desk / Service Desk Ticket# - The helpdesk system reference number for the role, if relevant to your organization.

Business Structures Tab

Use this page to view, add, and remove the business structures associated with the role.

Policies Tab

Use this page to view, add, and remove the policies that make up the role.

Users Tab

Use this page to (1) view the users who are assigned to the role, (2) add additional users to the role, and (3) remove users who are assigned to the role.

The page is divided into the following sections.

Composing

Applies to user-role assignments that are in the process of being created. Assignments in a composing state have not yet been sent by an administrator for approval.

  • Add Users - Assign one or more users to a role by clicking Add Users.

    To assign a user to a role indefinitely, set the End Date to be the same as the Start Date in the User-Role Association pop-up.

  • Remove Users - Remove one or more users from a role.

Pending Approval

Applies to user-role assignments that have been sent by an administrator for approval.

Active

Applies to user-role assignments that have been approved by the role owner and are active.

  • Add Users - Assign one or more users to a role by clicking Add Users.

    To assign a user to a role indefinitely, set the End Date to be the same as the Start Date in the User-Role Association pop-up.

    Note: Users added from the Active section will still appear in the Composing section until they are approved.

  • Remove Users - Remove one or more users from a role.

Pending Activation

Applies to user-role assignments that have been approved by the role owner but are not yet active.

Modified

Applies to user-role assignments that have been modified.
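The five sections of the Users tab, together with the convention that an End Date equal to the Start Date means an indefinite assignment, amount to a small state model. The following is an added example, not Oracle Identity Analytics code: it models a user-role association with its dates and approval flags, decides which section it would be listed in, and computes which roles a user actually holds on a given day. The field names, the sample users and roles, and the dates are all constructed.

```python
# Added example: a small model of user-role associations as shown on the
# Roles > Users tab, including the "End Date equal to Start Date means
# indefinite" convention. Illustrative code, not Oracle Identity Analytics
# code; all names and dates are constructed.
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class UserRoleAssociation:
    user_name: str
    role_name: str
    start_date: date
    end_date: date                        # == start_date means "indefinite"
    sent_for_approval: bool = False       # administrator clicked Send For Approval
    approved: bool = False                # role owner approved
    modified_after_approval: bool = False


def is_indefinite(assoc: UserRoleAssociation) -> bool:
    return assoc.end_date == assoc.start_date


def is_in_effect(assoc: UserRoleAssociation, on: date) -> bool:
    """True when an approved association grants the role on the given day."""
    if not assoc.approved or on < assoc.start_date:
        return False
    return is_indefinite(assoc) or on <= assoc.end_date


def section_for(assoc: UserRoleAssociation, today: date) -> str:
    """Section of the Users tab (Composing, Pending Approval, Active,
    Pending Activation, Modified) in which the association is listed."""
    if assoc.modified_after_approval:
        return "Modified"
    if not assoc.sent_for_approval:
        return "Composing"
    if not assoc.approved:
        return "Pending Approval"
    if today < assoc.start_date:
        return "Pending Activation"
    return "Active"


def effective_roles(assocs: List[UserRoleAssociation], user_name: str, on: date) -> List[str]:
    """Roles a user actually holds on a given day: approved and within dates."""
    return sorted(a.role_name for a in assocs
                  if a.user_name == user_name and is_in_effect(a, on))


# Constructed sample associations.
TODAY = date(2024, 6, 1)
ASSOCS = [
    # indefinite: End Date set equal to Start Date, approved -> Active
    UserRoleAssociation("jdoe", "Finance Analyst", date(2024, 1, 1), date(2024, 1, 1), True, True),
    # approved but starts in the future -> Pending Activation
    UserRoleAssociation("jdoe", "Auditor", date(2024, 7, 1), date(2024, 12, 31), True, True),
    # approved, but the End Date has passed -> no longer in effect
    UserRoleAssociation("jdoe", "Contractor", date(2024, 3, 1), date(2024, 5, 31), True, True),
    # added but not yet sent for approval -> Composing
    UserRoleAssociation("asmith", "Auditor", date(2024, 6, 1), date(2024, 6, 1)),
    # sent, awaiting the role owner -> Pending Approval
    UserRoleAssociation("bwong", "Auditor", date(2024, 6, 1), date(2024, 6, 1), True),
]

if __name__ == "__main__":
    for a in ASSOCS:
        print(a.user_name, a.role_name, section_for(a, TODAY), is_in_effect(a, TODAY))
    print(effective_roles(ASSOCS, "jdoe", TODAY))
```

Note that `is_in_effect` requires the approval flag as well as the date window: an association that is merely Composing or Pending Approval grants nothing, which is the point of the approval process described later in Section 6.6.1.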


Exclusion Roles Tab (Optional)

Note:

The Exclusion Roles tab is hidden by default. To enable it, see the steps in the System Integrator's Guide for Oracle Identity Analytics, "Customizing the Oracle Identity Analytics User Interface" chapter, "Enabling Hidden Pages in the UI" section.

The Exclusion Roles page displays conflicting roles. This information defines segregation of duties at the role level. See Section 6.7, "Setting the Segregation of Duties at the Policy and Role Levels" for more information.

  • Click Add Exclusion Roles and add the roles that need to be excluded to define segregation of duties at the role level.

  • Select one or more roles and click Remove Exclusion Roles to remove the role(s) from the Exclusion Roles list.

Ownership Tab

This page displays the owner(s) of the role.

Workflow Tab (Optional)

Displays three approver fields that are populated with data if OIA has been integrated with the CA Identity Manager provisioning server. The three approver fields are Business Approver, Technical Approver, and Delegate.

Note:

The Workflow tab is hidden by default. To enable it, see "To Enable the Workflow Tab on the Identity Warehouse Pages" in the System Integrator's Guide for Oracle Identity Analytics, "Customizing the OIA User Interface" chapter.

Custom Properties Tab

This page displays the custom properties associated with the role.

Versions Tab

This page displays all versions of the role, and lets you compare two versions and revert to an older version of the role.

History Tab

This page displays the role's history. Role history is divided into four sections: Role Membership History, Owner History, Policy History, and Attribute History.

6.2.4 The Identity Warehouse > Policies Page

To open the Identity Warehouse - Policies page, choose Identity Warehouse > Policies from the main menu.

The left side of the Policies page displays the following subtabs:

  • The Hierarchy subtab displays resource types. Policies are displayed below each resource type. The bottom section displays policies that have been revised, but not approved.

  • The Search subtab displays the search feature.

The right side displays eight tabs that are described in the following section.

6.2.4.1 Tabs on the Identity Warehouse - Policies Page

This section describes the pages that open when you click the tabs on the Identity Warehouse > Policies page.

General Tab

Use this page to view or change the policy name, status (Active, Inactive, Decommissioned), and Item Risk level. You can also enter comments about the policy, and add a Service Desk Ticket number.

Business Structures Tab

This page displays the business structures associated with the policy.

Roles Tab

This page displays the roles associated with the policy.

Resources Tab

This page displays the resources that are part of the policy.

Exclusion Policies Tab

This page displays conflicting policies. This information defines segregation of duties at the policy level. See Section 6.7, "Setting the Segregation of Duties at the Policy and Role Levels" for more information.
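The Exclusion Roles tab (Section 6.2.3.1) and the Exclusion Policies tab above define segregation of duties at two levels, and the two are not redundant: a user can hold two roles that are not themselves excluded yet, through those roles, end up with two policies that are. The following is an added example, not Oracle Identity Analytics code: it evaluates both levels over constructed roles, policies, exclusion pairs and user-role assignments, and for a policy-level hit reports which roles brought each policy in.

```python
# Added example: segregation-of-duties checks at the role level (Exclusion
# Roles) and at the policy level (Exclusion Policies). Illustrative code, not
# Oracle Identity Analytics code; the roles, policies and users are constructed.
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Which policies make up each role.
ROLE_POLICIES: Dict[str, Set[str]] = {
    "AP Clerk": {"EBS: Create Vendor", "EBS: Enter Invoice"},
    "AP Approver": {"EBS: Approve Payment"},
    "Treasury": {"EBS: Release Payment", "Bank: Wire Transfer"},
    "Auditor": {"EBS: Read-Only"},
}
# Exclusion Roles tab: pairs of roles that must not be held together.
EXCLUSION_ROLES: Set[FrozenSet[str]] = {frozenset({"AP Clerk", "AP Approver"})}
# Exclusion Policies tab: pairs of policies that must not be held together.
EXCLUSION_POLICIES: Set[FrozenSet[str]] = {
    frozenset({"EBS: Create Vendor", "EBS: Release Payment"}),
    frozenset({"EBS: Approve Payment", "Bank: Wire Transfer"}),
}
USER_ROLES: Dict[str, Set[str]] = {
    "jdoe": {"AP Clerk", "AP Approver"},   # conflict visible at the role level
    "asmith": {"AP Clerk", "Treasury"},    # conflict only visible at the policy level
    "bwong": {"Auditor", "Treasury"},      # no conflict
}


def role_level_violations(roles: Set[str]) -> List[Tuple[str, str]]:
    """Pairs of the user's roles that are listed as mutually exclusive."""
    return sorted(tuple(sorted(pair)) for pair in combinations(roles, 2)
                  if frozenset(pair) in EXCLUSION_ROLES)


def policy_level_violations(roles: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Mutually exclusive policies the user ends up holding through roles.

    Each hit reports both policies and the roles that grant them, because a
    policy-level conflict usually arrives through two different roles that
    each look harmless on their own."""
    granted_by: Dict[str, Set[str]] = {}
    for role in roles:
        for policy in ROLE_POLICIES.get(role, ()):
            granted_by.setdefault(policy, set()).add(role)
    hits = []
    for pair in EXCLUSION_POLICIES:
        a, b = sorted(pair)
        if a in granted_by and b in granted_by:
            hits.append((a, ",".join(sorted(granted_by[a])),
                         b, ",".join(sorted(granted_by[b]))))
    return sorted(hits)


def sod_report(user_roles: Dict[str, Set[str]]) -> Dict[str, Dict[str, list]]:
    """Users with at least one violation, with the violations found at each level."""
    report = {}
    for user, roles in user_roles.items():
        role_hits = role_level_violations(roles)
        policy_hits = policy_level_violations(roles)
        if role_hits or policy_hits:
            report[user] = {"roles": role_hits, "policies": policy_hits}
    return report


if __name__ == "__main__":
    for user, hits in sod_report(USER_ROLES).items():
        print(user, hits)
```

In the sample, "asmith" holds no excluded pair of roles, yet AP Clerk and Treasury together grant vendor creation and payment release. Running the check at the policy level is what catches that combination; the role-level list alone would not.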

Ownership Tab

Use this page to view the current policy owner(s) and add or remove policy owners.

Workflow Tab (Optional)

Displays three approver fields that are populated with data if OIA has been integrated with the CA Identity Manager provisioning server. The three approver fields are Business Approver, Technical Approver, and Delegate.

Note:

The Workflow tab is hidden by default. To enable it, see "To Enable the Workflow Tab on the Identity Warehouse Pages" in the System Integrator's Guide for Oracle Identity Analytics, "Customizing the OIA User Interface" chapter.

Version Tab

This page displays all versions of the policy.

Entitlements Tab

This page displays the resource attributes and values that make up the policy.

6.2.5 The Identity Warehouse > Applications Page

To open the Identity Warehouse - Applications page, choose Identity Warehouse > Applications from the main menu.

An application is a collection of multiple resource types and resources. The Applications page lists the applications that are stored in the Oracle Identity Analytics Identity Warehouse. Oracle Identity Analytics administrators define the resource types, resources, and metadata that define the application.

Click an application in the Application Name column to open a page with application detail. The application detail page has four tabs that are described in the next section.

Note:

To learn more about working with applications, see the "Working With Applications" topic in the "Oracle Identity Analytics Identity Warehouse" chapter of the Administrator's Guide for Oracle Identity Analytics.

6.2.5.1 Tabs on the Identity Warehouse - Application - Application Detail Page

This section describes the pages that open when you click the tabs on the Identity Warehouse > Application > Application Details page.

General Tab

Displays basic information about the application, including Name, Version, Description, Environment, Comments, and Status (Active or Inactive).

Users

Lists all the users that are associated with the application.

Ownership

Lists the assigned owner(s) of the application. Application owners are responsible for reviewing user access on the applications that they own.

The following actions are available to Oracle Identity Analytics administrators:

  • Click Add Owner to add one or more additional users as owners for this application.

  • Select one or more users and click Remove Owner to remove the users from the owners list for this application.

Conditions

Lists the resource type, resource, attribute name, and attribute value associated with the application.

  • Click Add Condition to open the Add Conditions dialog box.

    Create a condition that includes either a Resource Type and Resource, or a condition that includes a Resource Type, a Resource, an Attribute Name, and an Attribute Value. (You do not have to select from all four columns.)

    Click OK.

  • Select one or more conditions and click Remove Condition to remove the conditions from the list for this application.
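A condition is either a whole resource (Resource Type and Resource) or a single entitlement on it (all four columns), and an application's user list is whoever holds an entitlement matching at least one of its conditions. The following is an added example, not Oracle Identity Analytics code: it represents conditions and entitlements as plain records, rejects a half-filled condition (attribute name without value, or the reverse), and derives the Users tab of a constructed "Payroll" application. All application, resource, attribute and user names are made up.

```python
# Added example: how Application conditions (Resource Type, Resource and,
# optionally, Attribute Name plus Attribute Value) decide which user
# entitlements belong to an application. Illustrative code, not Oracle Identity
# Analytics code; the applications, resources and users are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Condition:
    resource_type: str
    resource: str
    attribute_name: Optional[str] = None
    attribute_value: Optional[str] = None


@dataclass(frozen=True)
class Entitlement:
    user_name: str
    resource_type: str
    resource: str
    attribute_name: str
    attribute_value: str


def is_valid_condition(cond: Condition) -> bool:
    """A condition is either (type, resource) or all four columns; a half-filled
    attribute part is ambiguous, so it is not accepted."""
    if not cond.resource_type or not cond.resource:
        return False
    return (cond.attribute_name is None) == (cond.attribute_value is None)


def condition_matches(cond: Condition, ent: Entitlement) -> bool:
    if (cond.resource_type, cond.resource) != (ent.resource_type, ent.resource):
        return False
    if cond.attribute_name is None:        # resource-wide: any entitlement on it
        return True
    return (cond.attribute_name, cond.attribute_value) == (ent.attribute_name, ent.attribute_value)


def users_of_application(conditions: List[Condition], ents: List[Entitlement]) -> List[str]:
    """User names whose entitlements match at least one condition (the Users tab)."""
    bad = [c for c in conditions if not is_valid_condition(c)]
    if bad:
        raise ValueError(f"incomplete condition(s): {bad}")
    return sorted({e.user_name for e in ents
                   if any(condition_matches(c, e) for c in conditions)})


# Constructed sample data.
APPLICATIONS: Dict[str, List[Condition]] = {
    "Payroll": [
        Condition("Database", "HR-DB"),                                    # whole resource
        Condition("Directory", "CorpAD", "memberOf", "CN=Payroll-Users"),  # one group only
    ],
}
ENTITLEMENTS = [
    Entitlement("jdoe", "Database", "HR-DB", "role", "hr_reader"),
    Entitlement("asmith", "Directory", "CorpAD", "memberOf", "CN=Payroll-Users"),
    Entitlement("bwong", "Directory", "CorpAD", "memberOf", "CN=Finance-Users"),
    Entitlement("ckim", "Database", "CRM-DB", "role", "sales"),
]

if __name__ == "__main__":
    for app, conds in APPLICATIONS.items():
        print(app, users_of_application(conds, ENTITLEMENTS))
```

The resource-wide condition on HR-DB pulls in every account on that database, while the CorpAD condition pulls in only members of one group; that is why "bwong", who is in a different CorpAD group, is not an application user.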

6.2.6 The Identity Warehouse > Resources Page

To open the Identity Warehouse - Resources page, choose Identity Warehouse > Resources from the main menu.

The Resources page lists all the resources in Oracle Identity Analytics and the Item-Risk Level for each resource.

Click in the Resource column to open a page showing resource detail. The resource detail page has three tabs that are described in the next section.

To learn more about working with resources, refer to the "Working With Resources" section in the Administrator's Guide for Oracle Identity Analytics.

6.2.6.1 Tabs on the Identity Warehouse - Resources Page

General Tab

Displays basic information about the resource, including Resource Name, Host Name, Host IP Address, Description, Comments, and Item-Risk Level. The Risk Level is the assigned Item-Risk level (high, medium, or low) for this resource. In OIA, three bars signify high risk, two bars signify medium risk, and one bar signifies low risk.

Data Management Tab

Displays the resource-attribute values (also referred to as entitlements) for the selected resource.

Use the Search box to filter the attribute values displayed in the table. Choose whether to search in the Attribute Value, Glossary, or Description columns, then type your search string. The system returns all matching results, including substring matches. (So, for example, typing "ar" in the Attribute Value search box might return qcfar and warpdev.)

The table displays the following information for each resource-attribute value:

  • Glossary - A user-friendly descriptive name for the attribute value (entitlement). During identity certification, if a glossary entry is available, OIA displays the glossary entry instead of the actual attribute-value name.

  • Description - A brief description of the attribute value.

  • Data Owner - The person responsible for the attribute value (entitlement). In a Data Owner Certification, data owners certify the user accounts that have a specific attribute value assigned.

  • Classification - A classification value for the attribute.

  • Risk Level - The Item Risk level associated with the resource-attribute value. In OIA, three bars signify high risk, two bars signify medium risk, and one bar signifies low risk.

Administrators can click a resource-attribute value and edit these settings. The data entered here is made available to certifiers during the certification process.

Remediation Tab

Displays remediation settings and information for the resource. To define the remediation process, first select the provisioning mode used for this resource. If Auto mode is selected, choose the appropriate provisioning connection. If Manual mode is selected, you must describe the steps required to de-provision an account belonging to this resource.

6.3 Working With Users

This section contains instructions on how to perform common user tasks in Oracle Identity Analytics.

Tip:

For help with the Identity Warehouse > Users user interface, see Section 6.2.2, "The Identity Warehouse > Users Page."

6.3.1 Searching for a User

Oracle Identity Analytics provides quick search and advanced search options for user searches. Quick search enables searching for users on any of the commonly populated user fields (for example, User Name, First Name, Last Name, Business Unit, Department, Manager). Advanced Search should be used to conduct a narrower search and to create complex searches.

6.3.1.1 To Search for a User (Quick Search)

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. To perform a quick search, choose a field from the drop-down menu.

    All the commonly populated fields are available to search on.

  4. Enter a value to search for.

    Wildcards are accepted, for example, a* or j*n*.

  5. To search on the selected field for the entered value, click Search. The results for the search are displayed.

6.3.1.2 To Search for a User (Advanced Search)

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. Click Advanced Search.

  4. Create a condition by selecting values for Attribute, Condition, and Value. Attributes can be selected over an extensive range including Resources, Business Units, and any other commonly populated user field. The Value field supports wildcards, for example, a* or j*n*.

  5. To create more conditions, click Add.

  6. To remove conditions, select the condition by selecting its corresponding checkbox and click Remove. In the case of multiple conditions, set Operation to AND or OR to specify the logical operation between the conditions.

  7. To group two conditions together, select them and click Group. Groupings are displayed by a different color coding for each group. In the case of nested groups, the outermost grouping will have one color code with each component group having its own color code.

  8. To ungroup a grouped conditional, select the grouped conditional by selecting its corresponding checkbox, and click Ungroup. The created search condition is dynamically displayed in a highlighted line under the Group and Ungroup tags as a single logical condition.

  9. To search on the created condition, click Search.
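Steps 4 through 9 build a boolean expression: leaf conditions (Attribute, Condition, Value with wildcards), AND/OR between siblings, and groups that can nest. The following is an added example, not Oracle Identity Analytics code: a small evaluator for that expression shape, run over constructed user records. The condition names "equals" and "not equals", the dict layout of a query, and the treatment of list-valued attributes such as Resources (a match on any item) are assumptions made for the example; the user records are made up.

```python
# Added example: an evaluator for Advanced Search conditions, with AND/OR
# between conditions, nested groups and wildcard values (a*, j*n*).
# Illustrative code, not Oracle Identity Analytics code. The condition names
# "equals" / "not equals" and the dict-based query shape are assumptions;
# the sample users are constructed.
import fnmatch
from typing import Any, Dict, List


def value_matches(pattern: str, actual: Any) -> bool:
    """Case-insensitive wildcard match; list-valued attributes match if any item does."""
    if isinstance(actual, (list, tuple, set)):
        return any(value_matches(pattern, item) for item in actual)
    return fnmatch.fnmatchcase(str(actual).lower(), pattern.lower())


def evaluate(node: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Evaluate a condition (leaf) or a group (AND/OR over children) for one user."""
    if "attribute" in node:                       # leaf: {attribute, condition, value}
        hit = value_matches(node["value"], user.get(node["attribute"], ""))
        if node["condition"] == "equals":
            return hit
        if node["condition"] == "not equals":
            return not hit
        raise ValueError(f"unknown condition {node['condition']!r}")
    children = node["conditions"]                 # group: {operation, conditions}
    if node["operation"] == "AND":
        return all(evaluate(c, user) for c in children)
    if node["operation"] == "OR":
        return any(evaluate(c, user) for c in children)
    raise ValueError(f"unknown operation {node['operation']!r}")


def search(users: List[Dict[str, Any]], query: Dict[str, Any]) -> List[str]:
    """User names matching the query, as the results table would list them."""
    return sorted(u["User Name"] for u in users if evaluate(query, u))


def leaf(attribute: str, value: str, condition: str = "equals") -> Dict[str, Any]:
    return {"attribute": attribute, "condition": condition, "value": value}


def group(operation: str, *conditions: Dict[str, Any]) -> Dict[str, Any]:
    return {"operation": operation, "conditions": list(conditions)}


# Constructed sample users.
USERS = [
    {"User Name": "jdoe", "Department": "Finance", "Manager": "jnguyen",
     "Resources": ["SAP", "ActiveDirectory"]},
    {"User Name": "asmith", "Department": "Finance", "Manager": "rlee",
     "Resources": ["ActiveDirectory"]},
    {"User Name": "bwong", "Department": "Engineering", "Manager": "jnguyen",
     "Resources": ["SAP"]},
    {"User Name": "ckim", "Department": "Finance", "Manager": "rlee",
     "Resources": ["SAP"]},
]

# Quick search is a single condition on one field.
QUICK = leaf("User Name", "a*")
# Advanced search: Department = Finance AND (Manager = j*n* OR Resources = SAP)
ADVANCED = group("AND", leaf("Department", "Finance"),
                 group("OR", leaf("Manager", "j*n*"), leaf("Resources", "SAP")))

if __name__ == "__main__":
    print(search(USERS, QUICK))
    print(search(USERS, ADVANCED))
```

The Group/Ungroup buttons in steps 7 and 8 correspond to wrapping conditions in a nested `group(...)`; without the inner OR group, the same three leaves joined by a single operation would match a different set of users.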

6.3.2 To Create a User

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. To add a new user, click the New User button on the top panel.

    The Create User pop-up window opens.

  4. Complete the form and click OK to create the user.

6.3.3 To Rename a User

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. Search for the user.

    For help using Search, see Section 6.3.1, "Searching for a User."

  4. Click the user's link in the User Name column.

  5. Type a new name for the user and click Save.

6.3.4 To Delete a User

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. Search for the user. For help using Search, see Section 6.3.1, "Searching for a User."

  4. Select the user name for the user that you want to delete, and click the Delete User button.

6.3.5 Viewing User Details

This section describes how to view a user's account and account type details.

6.3.5.1 To View User Accounts (Entitlements)

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. Search for the required user.

    For help using Search, see Section 6.3.1, "Searching for a User."

  4. Click to select the User, and click the Accounts tab.

  5. Click the required account to view account details.

6.3.5.2 To View a User's Account Type

Account Types help describe accounts. Knowing the type associated with an account can be helpful when making decisions during remediation and access certification, and when performing a role engineering wave. To designate an account type while importing accounts using the Oracle Identity Analytics automated import process, a type attribute should be provided in the .rbx schema file. This predefined account type can then be leveraged while performing identity certifications, role engineering, and remediations, allowing the different Oracle Identity Analytics actors to make educated decisions.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. Search for a user.

    For help using Search, see Section 6.3.1, "Searching for a User."

  4. Click to select the user.

  5. Click the Accounts tab.

    The account type is listed in the Account Type column.

6.3.6 Setting User Status

User status can be set to either active or inactive. If a user is scheduled to leave the company, an End Date for the user can be specified in Oracle Identity Analytics.

6.3.6.1 To Set User Status

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. Search for the user. For help using Search, see Section 6.3.1, "Searching for a User."

  4. Select the user.

  5. On the General tab, scroll down to the Suspension section.

  6. In the Status field, set the status to Active or Inactive in the drop-down menu.

    If you set the user to Inactive, the End Date for the user is automatically changed to today's date.

    If you set the user to Active, specify an End Date for the user.

    Note:

    To make an inactive user active, you must set the user's status to Active and specify a new End Date for the user.

6.3.7 To Assign a Role to a User

To temporarily assign a role to a user, see Section 6.6.5, "To Assign a User to a Role."

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. Search for the user. For help using Search, see Section 6.3.1, "Searching for a User."

  4. Select the user and then click the Roles tab.

  5. Click Add Roles.

  6. Search for the role. For help using Search, see Section 6.6.2, "To Search for a Role."

  7. Select the role.

    Once one or more roles are assigned to the user, an approval process needs to be completed before they are displayed. For more information, see Section 6.6.1, "Understanding the Role Approval Process."

6.3.8 To Associate a User With a Business Structure

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. Search for the user that you want to associate with a business unit. For help using Search, see Section 6.3.1, "Searching for a User."

  4. Select the user and then click the Business Unit tab.

  5. Click the Add Business Unit(s) button, and assign one or more business unit(s) to the user.

6.4 Working With Business Structures

This section describes how to delete and create Business Structures in the Identity Warehouse.

Tip:

For help with the Identity Warehouse > Business Structures user interface, see Section 6.2.1, "The Identity Warehouse > Business Structures Page."

6.4.1 To Delete a Business Structure

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Business Structures.

  3. Click to select the business structure that you want to delete.

  4. Click Delete Business Structures.

    A Delete Business Structures confirmation window opens.

  5. Click Yes to delete.

    The business structure is deleted.

6.4.2 To Create a Business Structure Hierarchy

An n-level business structure hierarchy can be defined in Oracle Identity Analytics. A business structure can have various child business structures under it.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Business Structures.

  3. Click New Business Structure to create a business structure.

    The Create Business Structure window opens.

  4. Complete the form as follows:

    • Name - Type the name of the business structure.

    • Parent - Select the parent business structure from the drop-down menu.

    • Enter the Service Desk Ticket # - Each business structure can be associated with a unique service desk ticket number if an integration between Oracle Identity Analytics and a ticketing system is used in your organization.

  5. Click OK.

6.5 Working With Policies

Policies are templates that define the various access levels that a user has on the target systems. Policies are individually defined for each resource. Roles are made up of policies.

The Policies component displays all available policies that exist for the organization, categorized according to Resource Type. Resources are depicted using a round globe icon. The available policies are shown under each resource type.

Tip:

For help with the Identity Warehouse > Policies user interface, see Section 6.2.4, "The Identity Warehouse > Policies Page."

6.5.1 Understanding the Policy Approval Process

The lifecycle of a policy is managed by out-of-the-box workflows. Workflows are step-by-step explanations (flowcharts) that Oracle Identity Analytics follows to complete a selected set of tasks. The workflows can be modified to suit the requirements of your organization.

Workflows only show active information when a Policy is going through the approval process, for example during the "Pending Approval" state. In the "Active" state, workflows do not convey much information.

Oracle Identity Analytics has the following policy workflows:

  • Policy creation workflow

  • Policy modification workflow

The default policy creation and policy modification workflows each have three steps:

  • Start workflow - This step kicks off once a policy is created or modified.

  • Policy Owner Approval - If a policy owner approves the request, the workflow proceeds to the next step. Otherwise, the policy is discarded.

  • Finish - The policy is created.

To understand or change policy workflows, refer to the Oracle Identity Analytics Workflows chapter in the Administrator's Guide.

6.5.1.1 Approving Policy Change Requests

Modifications to a policy are activated only after the approval of the policy owner.

To approve a policy change request, see Section 5.1.1, "To Approve Pending Requests."

6.5.2 To Create a Policy

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Policies.

  3. Click New Policy.

    The Policy Wizard window opens.

  4. Select the resource type for which you are creating the policy and click Next.

  5. Select the resource for which access needs to be defined and click Next.

  6. Click Add Owner to search for the owners for this policy and click Next. For help using Search, see Section 6.3.1, "Searching for a User."

    Note:

    Depending on how the system is configured, only users who have the permissions required to manage the policy will be listed.

  7. When the Policy Property window opens up, complete the form:

    • Name - Type the name of the policy.

    • Comments - Type any additional comments about the policy.

    • Service Desk Ticket # - Add the helpdesk system reference number, if relevant to your organization.

  8. Click the Entitlements tab and complete the form:

    • Value - Enter the value of the attribute defined for the resource.

    • Required - Selecting this means the value is mandatory and needs to be assigned to the role. This value cannot be excluded.

    • Risk Level - This policy attribute is not currently used and is deprecated.

      Note:

      Only the policy Risk Level attribute is deprecated. For more information about Risk attributes in OIA, see the Administrator's Guide for Oracle Identity Analytics, "Oracle Identity Analytics Identity Warehouse" chapter, "Understanding How Risk Summaries are Calculated" section.

    • + / - - Use these to add or delete an attribute value.

  9. Click Finish.

The new policy is displayed under the resource type on the Policies page.

6.5.3 To Delete or Rename Policies

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Policies.

  • To rename a policy, do the following:

    1. Select the policy by clicking on the policy name.

    2. Change the name of the policy and click Save.

  • To delete a policy, do the following:

    1. Select the policy by clicking on the policy name.

    2. Click the Delete Policy button.

6.5.4 To Associate Policies With Resources

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Policies.

    Policies are listed by resource type on the left side of the page.

  3. Click to select the desired policy.

  4. Click the Resources tab in the panel on the right.

  5. Click the Add Resources button.

  6. Select one or more resources from the list and click OK. (Hold down the Control key while clicking to select multiple items. Click an item again while holding down Control to clear that item.)

  7. Click Save.

    The resource will not be associated with the policy until it has been approved by the policy owner.

  8. Click Send For Approval.

Once the policy owner approves it, the resource is associated with the policy.

6.5.5 To Add Policies To Roles

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Select a role and click the Policies tab on the right side of the page to add policies to (or remove policies from) the role.

  4. Choose one of the following tasks:

    • Click Add Policies to assign the selected policies to the role.

    • Click Remove Policies to remove the selected policies from the role.

  5. Click Save.

    The policies associated with a role will display on the Policies tab for the role.

6.5.6 To Associate Policy Owners With Policies

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Policies.

    Policies are listed by resource type on the left side of the page.

  3. Click a policy and click the Ownership tab on the right side of the page.

  4. Click Add Owner and search for the user (or users) to add.

    For help using Search, see Section 6.3.1, "Searching for a User."

    Note:

    Depending on how the system is configured, only users who have the permissions required to manage the policy will be listed.

  5. Click Save.

6.6 Working With Roles

Oracle Identity Analytics administers role-based access controls. Roles make it easier to assign access levels to users and to audit those assignments on an ongoing basis. Rather than assigning access levels to users directly, access levels are assigned to a role. Roles are assigned to users, and a user's access level is determined by the roles assigned to that user.

Role-based administration typically grows and expands as new situations occur. The main advantage of using this approach is ease of implementation. Role-based administration can be established in a centralized fashion, distributed throughout your network, or hybridized. Oracle Identity Analytics can be configured to match the unique structure and needs of your organization. Roles can be defined in a hierarchical format, and segregation of duties (SoD) can be administered through a role.

Tip:

For help with the Identity Warehouse > Roles user interface, see Section 6.2.3, "The Identity Warehouse > Roles Page."

6.6.1 Understanding the Role Approval Process

The lifecycle of a role is managed by out-of-the-box workflows. Workflows are step-by-step explanations (flowcharts) that Oracle Identity Analytics follows to complete a selected set of tasks. The workflows can be modified to suit the requirements of your organization.

Workflows only show active information when a role is going through the approval process, for example during the "Pending Approval" state. In the "Active" state, workflows do not convey much information.

Oracle Identity Analytics has the following role workflows:

  • Role creation workflow

  • Role modification workflow

  • Role membership workflow

  • Mass modification workflow

The mass modification workflow enables you to bulk modify roles.

The default role creation, role modification, and role membership workflows each have four steps:

  1. Start workflow: This step starts once a role is created, modified, or a member is added or removed.

  2. Policy Owner Approval: If a policy owner approves the request, the workflow proceeds to the next step. Otherwise, the role is rejected.

  3. Role Owner Approval: If a role owner approves the request, the workflow proceeds to the next step. Otherwise, the role is rejected.

  4. Finish: The role is created or modified.

To understand or change role workflows, refer to the Oracle Identity Analytics Workflows chapter in the Administrator's Guide.
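The four-step workflow above is easiest to reason about as a small state machine: a version of a role sits in Composing, moves to Pending Approval when sent for approval, and only becomes Active after the policy owner and then the role owner have both approved, with any rejection ending the request. The following Python model is an added example written for this chapter; it is not Oracle Identity Analytics code. The class and function names (RoleVersion, send_for_approval, decide, new_version), the "Rejected" state label and the owner names are assumptions chosen for the illustration; the Composing, Pending Approval and Active states and the step names come from the text.

```python
"""Model of the default role creation/modification workflow (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    COMPOSING = "Composing"                # states named on the page
    PENDING_APPROVAL = "Pending Approval"
    ACTIVE = "Active"
    REJECTED = "Rejected"                  # assumed label for a rejected request


class Step(Enum):
    START = "Start workflow"
    POLICY_OWNER_APPROVAL = "Policy Owner Approval"
    ROLE_OWNER_APPROVAL = "Role Owner Approval"
    FINISH = "Finish"


# Which kind of owner may decide at each approval step (order matters).
DECIDER_FOR_STEP = {
    Step.POLICY_OWNER_APPROVAL: "policy_owner",
    Step.ROLE_OWNER_APPROVAL: "role_owner",
}


@dataclass
class RoleVersion:
    name: str
    version: int
    state: State = State.COMPOSING
    step: Step = Step.START
    audit: list = field(default_factory=list)   # decisions, in order taken


def send_for_approval(rv: RoleVersion) -> RoleVersion:
    """Start -> Policy Owner Approval: only a Composing version can be sent."""
    if rv.state is not State.COMPOSING:
        raise ValueError(f"{rv.name} v{rv.version} is {rv.state.value}, not Composing")
    rv.state = State.PENDING_APPROVAL
    rv.step = Step.POLICY_OWNER_APPROVAL
    rv.audit.append(("sent_for_approval", None, None))
    return rv


def decide(rv: RoleVersion, decider_kind: str, decider: str, approve: bool) -> State:
    """Record one owner's decision. The decider must match the current step,
    any rejection ends the workflow, and Active needs both approvals in order."""
    if rv.state is not State.PENDING_APPROVAL or DECIDER_FOR_STEP.get(rv.step) != decider_kind:
        raise ValueError(f"{decider_kind} cannot decide at step '{rv.step.value}'")
    rv.audit.append((rv.step.value, decider, "approve" if approve else "reject"))
    if not approve:
        rv.state = State.REJECTED
        return rv.state
    if rv.step is Step.POLICY_OWNER_APPROVAL:
        rv.step = Step.ROLE_OWNER_APPROVAL     # now wait for the role owner
    else:
        rv.step = Step.FINISH                  # both approvals collected
        rv.state = State.ACTIVE
    return rv.state


def new_version(active: RoleVersion) -> RoleVersion:
    """Modifying an Active role yields a new Composing version (Section 6.6.4);
    the Active version stays in force until the new one is approved."""
    if active.state is not State.ACTIVE:
        raise ValueError("only an Active role can be modified")
    return RoleVersion(active.name, active.version + 1)


def run_demo() -> dict:
    """Constructed scenario: creation approved, modification rejected, and an
    out-of-order approval attempt refused."""
    v1 = send_for_approval(RoleVersion("AP-Clerk", 1))
    decide(v1, "policy_owner", "pat", approve=True)
    decide(v1, "role_owner", "sam", approve=True)

    v2 = send_for_approval(new_version(v1))
    decide(v2, "policy_owner", "pat", approve=True)
    decide(v2, "role_owner", "sam", approve=False)   # v2 rejected, v1 unaffected

    v3 = send_for_approval(RoleVersion("AR-Clerk", 1))
    try:
        decide(v3, "role_owner", "sam", approve=True)  # policy owner has not decided yet
        out_of_order = "allowed"
    except ValueError:
        out_of_order = "refused"

    return {"v1": v1.state, "v2": v2.state, "v1_still_active": v1.state is State.ACTIVE,
            "out_of_order": out_of_order, "v2_audit_len": len(v2.audit)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The audit list is the point of the model for a reviewer: every decision is recorded with the step it was taken at and by whom, and the code refuses a decision from the wrong kind of owner rather than silently accepting it, which is the property an approval workflow needs if it is to be an internal control.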

6.6.1.1 Approving Role Change Requests

Modifications to a role are activated only after the approval of the role owner.

To approve a role change request, see Section 5.1.1, "To Approve Pending Requests."

6.6.2 To Search for a Role

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. To use quick search, click the Search tab on the left side of the page and choose a field from the drop-down menu. The menu lists commonly populated fields that can be searched.

  4. Enter a value to search for. Wildcards can be used (for example, a* or j*n*).

  5. Click Search to search the selected field for the value specified. Search results are displayed in the Search panel on the left side of the screen.

  6. Click a role to select it.

6.6.3 Creating Roles

There are three ways to create roles in Oracle Identity Analytics:

  • Manually

  • From existing roles

  • From an existing user

When a role is created, it is placed into the Composing state until the system sends it for approval. After the role is sent for approval, the role moves into the Active state.

6.6.3.1 To Create Roles Manually

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Choose New Role > Create Role Manually.

    The Create New Role pop-up window opens.

  4. Complete the form:

    • Name - Type a name for the role.

    • Parent Role - Click the button to open the Select Role window, select the role that you want to designate as the parent role for the role you are creating, and click OK.

    • Risk Level - The Item-Risk level for the role. Select High, Medium, or Low from the menu.

    • Status - When a role is created, it is placed into the Composing state until the system sends it for approval. After the role is sent for approval, the role moves into the Active state.

    • Start Date - Enter the start date. The role will be active on this date.

    • End Date - (Optional) Leave this field blank to make the role active indefinitely, or enter an end date to schedule the last date that the role should be active.

    • Service Desk Ticket - Add the helpdesk system reference number, if relevant to your organization.

  5. Click Next.

    The Select Owners page opens.

  6. Click Add Owners to select one or more owners for this role. For help using Search, see Section 6.3.1, "Searching for a User."

    Depending on how the system is configured, the list of users to choose from may only include users who have sufficient privileges to perform the Role Owner job.

  7. Click Next.

    The Select Users page opens.

  8. Click Add Users to select one or more users that you want to assign this role to. For help using Search, see Section 6.3.1, "Searching for a User."

  9. Click Next.

    The Select Policies page opens.

  10. Click Add Policies to select one or more policies to assign to this role.

  11. Click Finish to create the role.

    The role is available in the Roles view under the Identity Warehouse tab.

6.6.3.2 To Create Roles From Existing Roles

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Choose New Role > Create Role Using an Existing Role as Template.

    The Create Role pop-up window opens.

  4. Complete the form:

    • Name - Type a name for the role.

    • Template Role - Click Select Template Role, search for the role that you want to use as a template for the new role, select the role, and click OK.

  5. Click Save to create the role.

    The role is available in the Roles view under the Identity Warehouse tab.

6.6.3.3 To Create Roles Based On an Existing User

You can create a role based on an existing user. All of the entitlements that the selected user has are used to create corresponding policies that are assigned to the new role.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Choose New Role > Create Role From Existing User.

    The Create New Role pop-up window opens.

  4. Type a name for the role and click Select User.

    The Search window opens.

  5. Use either the user quick search or advanced search feature to search for the user whose entitlements will be used to create policies for the new role.

    For help using the search feature, see Section 6.3.1, "Searching for a User."

  6. Select the user and click OK.

  7. Click Save to create the role.

    The role is available in the Roles view under the Identity Warehouse tab.

6.6.4 To Rename, Modify, or Decommission (Delete) a Role

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Search for a role, or select a role from the Roles panel on the left side of the screen. For help using the search feature, see Section 6.3.1, "Searching for a User."

  4. Do one of the following tasks:

    • To rename a role, click the General tab, type the new role name in the Name field, and click Save. Or, to modify a role, type or select the new role properties, and click Save.

      Select the new version that was created for the role and click Send for Approval. See Section 6.6.1, "Understanding the Role Approval Process" for more information.

    • To delete a role, click the Decommission Role button. Decommissioning a role removes all role-user associations. The role itself, however, is not truly deleted. Instead, the role is made inactive and stored in Oracle Identity Analytics. The role cannot be made active again, and it cannot be modified in any way or assigned to users.

6.6.5 To Assign a User to a Role

Also see Section 6.3.7, "To Assign a Role to a User."

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Click a role and click the Users tab.

  4. Click to expand the Composing panel.

  5. Click Add Users and add one or more users.

  6. (Optional) To temporarily assign the role to the user, enter an End Date in the User-Role Association pop-up.

    To assign a user to a role indefinitely, leave the End Date blank.

  7. Click OK.

6.6.6 To Associate Roles With Business Units

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Click a role and click the Business Structures tab.

  4. Click the Add Business Structures button and select the desired business units.

  5. Click Save.

6.6.7 To Associate Role Owners With Roles

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Click a role and click the Ownership tab.

  4. Click the Add Owners button and search for the user (or users) to add.

    For help searching for users, see Section 6.3.1, "Searching for a User."

    Note:

    Depending on how the system is configured, only users who have the permissions required to manage the role will be listed.

  5. Select one or more users.

  6. Click Save.

    A new version of the role is created.

  7. Select the new version of the role (the role should be in the Composing state) and click Send for Approval.

6.6.8 To Create a Role Hierarchy

Similar to a business unit hierarchy, an n-level role hierarchy can be defined in Oracle Identity Analytics. A role can have various "child roles" under it. To define a role hierarchy, add a new child role under an existing role. When a child role is added to a user, the parent role is also automatically assigned to the user. The role hierarchy defines an organized structure of roles. Roles defined in an organization may have a hierarchy associated with them. In addition, enterprise-level roles and application-level roles can be defined.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles. A role's place in the hierarchy is set through the Parent Role field when the role is created manually.

  • To change a role hierarchy, follow these steps:

    1. Select the role and click the button located next to the Parent Role field on the General tab.

    2. From the list of roles that appear, select the role that you want to designate as the parent role.

  • To select the child role for a user, follow these steps:

    1. Choose Identity Warehouse > Users and search for the user that you want to assign to a role.

    2. Select the user and click the Role tab.

    3. Click the Add Roles button. The parent role is automatically assigned to the user. If the parent role is removed, the child role is automatically removed from the user.

6.7 Setting the Segregation of Duties at the Policy and Role Levels

The reason you define segregation of duties (SoD) is to separate certain duties or areas of responsibility so that they cannot be assigned to the same person. By defining segregation of duties, you reduce opportunities for unauthorized modification or misuse of data or services. Segregation of duties is a primary internal control intended to decrease the risk of errors or irregularities, identify problems, and ensure that corrective action is taken. This is done by ensuring that no single individual has control over all phases of a transaction. Oracle Identity Analytics enforces SoD at the policy level and, if enabled, at the role level.

6.7.1 To Define Segregation of Duties at the Policy Level

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Policies.

  3. Click a policy to select it and go to the Exclusion Policies tab.

  4. Click Add Exclusion Policies.

  5. Add the policies to be excluded.

  6. Click Save.

    A new version of the policy is created.

  7. Select the new version of the policy (the policy should be in the Composing state) and click Send for Approval.

When a policy is added to a role, the policies it excludes cannot also be assigned to that role.

6.7.2 To Define Segregation of Duties at the Role Level (Optional)

Note:

The Exclusion Roles tab is hidden by default. To enable it, see the steps in the System Integrator's Guide for Oracle Identity Analytics, "Customizing the Oracle Identity Analytics User Interface" chapter, "Enabling Hidden Pages in the UI" section.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Click a role, then click the Exclusion Roles tab.

  4. Click Add Exclusion Roles.

  5. Add the roles that need to be excluded.

  6. Click Save.

    A new version of the role is created.

  7. Select the new version of the role (the role should be in the Composing state) and click Send for Approval.
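The three mechanisms described in Sections 6.6.8, 6.7.1 and 6.7.2 interact: assigning a child role pulls in its parents, removing a parent drops its children, policy-level exclusions are checked when a policy is added to a role, and role-level exclusions keep conflicting roles apart. The Python model below is an added example written for this chapter, not Oracle Identity Analytics code, and it goes slightly beyond the text by also computing a user's effective policies (the "access level is determined by the roles assigned to that user" idea from Section 6.6). The Warehouse class, its method names, the in-memory stores and the sample roles, policies and user are constructed for the illustration; treating a policy exclusion as symmetric and checking role exclusions across everything one user holds are assumptions, since the page says which items are excluded but not exactly where the check runs.

```python
"""Role hierarchy and segregation-of-duties checks (added example)."""
from dataclasses import dataclass, field
from typing import Optional


class SoDViolation(Exception):
    """An assignment would combine items that an exclusion list keeps apart."""

@dataclass
class Policy:
    name: str
    excludes: set = field(default_factory=set)   # Exclusion Policies tab (6.7.1)

@dataclass
class Role:
    name: str
    parent: Optional[str] = None                 # Parent Role field (6.6.8)
    policies: set = field(default_factory=set)
    excludes: set = field(default_factory=set)   # Exclusion Roles tab (6.7.2)

class Warehouse:
    def __init__(self):
        self.policies, self.roles, self.user_roles = {}, {}, {}   # constructed in-memory stores

    def add_policy(self, name, excludes=()):
        self.policies[name] = Policy(name, set(excludes))

    def add_role(self, name, parent=None, excludes=()):
        if parent is not None and parent not in self.roles:
            raise KeyError(f"parent role {parent!r} does not exist")
        self.roles[name] = Role(name, parent, set(), set(excludes))

    def assign_policy(self, role_name, policy_name):
        """Policy-level SoD: refuse a policy if the role already holds one it
        excludes or one that excludes it (exclusion assumed symmetric)."""
        role, new = self.roles[role_name], self.policies[policy_name]
        for held in role.policies:
            if held in new.excludes or policy_name in self.policies[held].excludes:
                raise SoDViolation(f"{policy_name} and {held} cannot share {role_name}")
        role.policies.add(policy_name)

    def ancestors(self, role_name):
        """Parent chain, nearest first; a cycle is a data error, not a hierarchy."""
        chain, cur = [], self.roles[role_name].parent
        while cur is not None:
            if cur == role_name or cur in chain:
                raise ValueError(f"cycle in role hierarchy at {cur!r}")
            chain.append(cur)
            cur = self.roles[cur].parent
        return chain

    def descendants(self, role_name):
        return {r for r in self.roles if role_name in self.ancestors(r)}

    def assign_role(self, user, role_name):
        """Adding a child role also adds its parents (6.6.8); role-level SoD is
        then checked over the user's whole resulting role set (an assumption)."""
        effective = self.user_roles.get(user, set()) | {role_name, *self.ancestors(role_name)}
        for a in effective:
            for b in effective:
                if a != b and b in self.roles[a].excludes:
                    raise SoDViolation(f"{user} cannot hold both {a} and {b}")
        self.user_roles[user] = effective

    def remove_role(self, user, role_name):
        """Removing a parent role removes its child roles from the user too."""
        gone = {role_name} | self.descendants(role_name)
        self.user_roles[user] = self.user_roles.get(user, set()) - gone

    def effective_policies(self, user):
        return set().union(*(self.roles[r].policies for r in self.user_roles.get(user, ())))


def run_demo() -> dict:
    """Constructed sample: an AP clerk must not also be able to approve invoices."""
    wh = Warehouse()
    wh.add_policy("create_invoice", excludes={"approve_invoice"})
    wh.add_policy("approve_invoice")
    wh.add_policy("view_ledger")
    wh.add_role("Finance")
    wh.add_role("AP-Clerk", parent="Finance", excludes={"AP-Approver"})
    wh.add_role("AP-Approver", parent="Finance")
    wh.assign_policy("Finance", "view_ledger")
    wh.assign_policy("AP-Clerk", "create_invoice")
    wh.assign_policy("AP-Approver", "approve_invoice")
    out = {}
    try:                                   # policy-level SoD on one role
        wh.assign_policy("AP-Clerk", "approve_invoice")
        out["policy_sod"] = "allowed"
    except SoDViolation:
        out["policy_sod"] = "blocked"
    wh.assign_role("alice", "AP-Clerk")    # parent Finance comes along automatically
    out["alice_roles"] = sorted(wh.user_roles["alice"])
    out["alice_policies"] = sorted(wh.effective_policies("alice"))
    try:                                   # role-level SoD across the user's roles
        wh.assign_role("alice", "AP-Approver")
        out["role_sod"] = "allowed"
    except SoDViolation:
        out["role_sod"] = "blocked"
    wh.remove_role("alice", "Finance")     # AP-Clerk is removed with its parent
    out["after_remove"] = sorted(wh.user_roles["alice"])
    return out
```

Two details matter when reviewing a real deployment against this model: the check must run against the complete set a user would end up holding after parents are added, not just the role being clicked, and a parent chain with a cycle should be treated as corrupt data rather than walked forever.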