12 Oracle Identity Analytics Access Control

This chapter describes how to assign privileges to Oracle Identity Analytics users. It contains the following sections:

  • Overview

  • System Privileges

  • Business Privileges

  • Working With Oracle Identity Analytics Users And Roles

  • Configuring Password Policy Settings

12.1 Overview

In Oracle Identity Analytics, you use the Access Control tab (Administration > Access Control) to assign Oracle Identity Analytics roles to Oracle Identity Analytics users. Oracle Identity Analytics users are actors who need privileges within Oracle Identity Analytics to attest, revoke, and remediate certifications and policies, or carry out various other tasks. Oracle Identity Analytics roles are the privileges or permissions assigned to Oracle Identity Analytics users.

Oracle Identity Analytics access control has two components: system-level privileges and business-level privileges. Usually system-level privileges are most appropriate for administrator roles, and business-level privileges are most appropriate for business user roles. System-level privileges and business-level privileges are added to roles as needed, and roles are assigned to Oracle Identity Analytics users based on the tasks that users need to complete.

Oracle Identity Analytics includes nine out-of-the-box roles, listed in Table 12-1, that you can edit or delete as needed.

Table 12-1 Oracle Identity Analytics Default System Roles

Role Name: OIA Admin
Description: Oracle Identity Analytics administrator
Privileges: OIA Administrator

Role Name: Certification Manager
Description: Grants certification privileges
Privileges: Access to the Identity Certification view

Role Name: Policy Violation Remediator
Description: Grants a user the ability to remediate policy violations
Privileges: Access Policy Violations sub-tab under Identity Audit tab, Read access to Assigned Policy Violations, Write access to Assigned Policy Violations

Role Name: Role Engineer - Administrator
Description: Role Engineer - Administrator
Privileges: Access to Role Management tab, access to My Requests tab, access to Policies view, access to Roles view, Create Role, Delete Role, Update Role, Create Policy, Delete Policy, and Update Policy

Role Name: Policy Owner (Identity Audit)
Description: Policy Owner (Identity Audit)
Privileges: Access the Dashboard sub-tab under the Identity Audit tab, access the Policies sub-tab under the Identity Audit tab, access the Rules sub-tab under the Identity Audit tab, access the Policy Violations sub-tab under the Identity Audit tab

Role Name: Warehouse Administrator
Description: Warehouse administrator
Privileges: Create Business Structure, delete Business Structure, update Business Structure, create User, delete User, update User, create Role, delete Role, update Role, create Policy, delete Policy, update Policy, access to Business Structures view, access to Policies view, access to Roles view, access to Users view, access the Users tab in Business Structure view, access the Roles tab in Business Structure view, access the Policies tab in Business Structure view, access the Policies tab in the Resources view, access the Business Structure tab in the Roles view, access the Users tab in the Roles view, access the Policies tab in the Roles view, access the Exclusion Roles tab in Roles view, access the Roles tab in Users view, access the Business Structure tab in the Users view, access the Accounts tab in the Users view, run Business Structure reports

Role Name: Workflow Designer
Description: Workflow designer
Privileges: Access the Workflow Design sub-tab under Administration / Configuration

Role Name: Reporting Administrator
Description: Reporting administrator
Privileges: Run Business Structure reports, access the Reports dashboard, upload custom reports, run System reports, run Audit reports, run Custom reports, access the Scheduling Reports sub-tab under the Reports tab

Role Name: Compliance Administrator
Description: Compliance Administrator
Privileges: Access to Identity Certification view, Create IDC Certification, access the Dashboard sub-tab under the Identity Audit tab, access the Policies sub-tab under the Identity Audit tab, access the Rules sub-tab under the Identity Audit tab, access the Policy Violations sub-tab under the Identity Audit tab, run Business Structure reports, upload custom reports, run System reports, run Audit reports, run Custom reports, access to the Scheduling Reports sub-tab under the Reports tab, access to the Reports dashboard, access to Identity Certification Remediation Tracking, access to the Resource Type view, configure Identity Certification, configure email templates, and access the Configuration system sub-tab


12.2 System Privileges

Table 12-2 OIA System Privileges

CREATE Business Unit: Allows a user to add new Business Units
UPDATE Business Unit: Allows a user to modify existing Business Units
DELETE Business Unit: Allows a user to delete existing Business Units
CREATE User: Allows a user to add new Global Users
UPDATE User: Allows a user to modify existing Global Users
DELETE User: Allows a user to delete existing Global Users
CREATE Role: Allows a user to add new Roles
UPDATE Role: Allows a user to modify existing Roles
DELETE Role: Allows a user to delete existing Roles
CREATE Policy: Allows a user to add new Policies
UPDATE Policy: Allows a user to modify existing Policies
DELETE Policy: Allows a user to delete existing Policies
CREATE Resource: Allows a user to add new Resources
UPDATE Resource: Allows a user to modify existing Resources
DELETE Resource: Allows a user to delete existing Resources
CREATE Schedule Job: Allows a user to add new Schedule Jobs
UPDATE Schedule Job: Allows a user to modify existing Schedule Jobs
DELETE Schedule Job: Allows a user to delete existing Schedule Jobs
Access Report Dashboard: Allows a user to review compliance performance
Import Data: Allows a user to import data from ETrust Admin to Oracle Identity Analytics
Export Data: Allows a user to export data from Oracle Identity Analytics to ETrust Admin
Configure System: Allows a user to configure the IAM servers and attributes
Access Configuration system sub-tab: Allows a user to access the Configuration system sub-tab
Access Resource type view: Allows a user to access the Resource Type view
Configure Resource type definitions: Allows a user to configure Resource Type definitions
Configure Identity Certification: Allows a user to configure identity certifications
Configure Email Templates: Allows a user to configure email templates
Access to Audit view: Allows a user to access the Audit view
Access to Business Structures view: Allows a user to access the Business Structures view
Access to Resource view: Allows a user to access the Resource view
Access to Policies view: Allows a user to access the Policies view
Access to Roles view: Allows a user to access the Roles view
Access to Scheduler view: Allows a user to access the Scheduler view
Access to Users view: Allows a user to access the Users view
Run Business Structure Reports: Allows a user to run Business Structure reports
Upload Custom Reports: Allows a user to upload custom reports
Run System Reports: Allows a user to run System Reports
Run Audit Reports: Allows a user to run Audit Reports
Run Custom Reports: Allows a user to run custom reports
Access the Users tab in Business Structure View: Grants a user access to the Users tab in the Business Structure view
Access the Roles tab in Business Structure View: Grants a user access to the Roles tab in the Business Structure view
Access the Policies tab in Business Structure View: Grants a user access to the Policies tab in the Business Structure view
Access the Policies tab in Resources view: Grants a user access to the Policies tab in the Resources view
Access the Business Structure tab in Roles view: Grants a user access to the Business Structure tab in the Roles view
Access the Users tab in Roles view: Grants a user access to the Users tab in the Roles view
Access the Policies tab in Roles view: Grants a user access to the Policies tab in the Roles view
Access the Exclusion Roles tab in Roles view: Grants a user access to the Exclusion Roles tab in the Roles view
Access the Roles tab in Users view: Grants a user access to the Roles tab in the Users view
Access the Business Structure tab in Users view: Grants a user access to the Business Structure tab in the Users view
Access the Accounts tab in Users view: Grants a user access to the Accounts tab in the Users view
Create IDC Certification: Allows a user to create a new identity certification
Access to Access Control tab: Grants a user access to the Access Control tab
Access to Glossary tab: Grants a user access to the Glossary tab
Access to Auditing & Events tab: Grants a user access to the Auditing & Events tab
Access to Password Configuration tab: Grants a user access to the Password Configuration tab
Access to Audit Event Logs sub-tab under Auditing & Events tab: Grants a user access to the Audit Event Logs sub-tab under the Auditing & Events tab
Access to Import Logs sub-tab under Auditing & Events tab: Grants a user access to the Import Logs sub-tab under the Auditing & Events tab
Access Workflow Design sub-tab under Administration > Configuration: Grants a user access to the Workflow Design sub-tab under Administration > Configuration
Access to web service method Find Users in a given role: Grants a user access to the web service method Find Users in a given role
Read Access to Assigned Policy Violations: Grants a user read access to the Assigned Policy Violations
Write Access to Assigned Policy Violations: Grants a user write access to the Assigned Policy Violations
Access to Identity Certification View: Grants a user access to the Identity Certification view
Access to Identity Certification Dashboard: Grants a user access to the Identity Certification Dashboard
Access to Identity Certification Remediation Tracking: Grants a user access to Identity Certification Remediation Tracking
Access Dashboard sub-tab under Identity Audit tab: Grants a user access to the Dashboard sub-tab under the Identity Audit tab
Access Policies sub-tab under Identity Audit tab: Grants a user access to the Policies sub-tab under the Identity Audit tab
Access Rules sub-tab under Identity Audit tab: Grants a user access to the Rules sub-tab under the Identity Audit tab
Access Policy Violations sub-tab under Identity Audit tab: Grants a user access to the Policy Violations sub-tab under the Identity Audit tab
Access the Role Management tab: Grants a user access to the Role Management tab in the main view
Access to My Requests tab: Grants a user access to the My Requests tab in the main view
Access to scheduling reports sub-tab under Reports tab: Grants a user access to the Scheduling Reports sub-tab under the Reports tab


12.3 Business Privileges

Table 12-3 OIA Business Privileges

Access Business Structure: Allows a user to access Business Structure details
Add Child Business Structure to Business Structure: Allows a user to add a child Business Structure
Add/Remove User to/From Business Structure: Allows a user to add or remove Global Users
Add/Remove Role to/From Business Structure: Allows a user to add or remove Roles
Add/Remove Policy to/From Business Structure: Allows a user to add or remove Policies
Sign off Reports: Allows a user to sign off on reports
Certify Entitlements: Allows a user to certify associated entitlements


12.4 Working With Oracle Identity Analytics Users And Roles

This section describes how to create and manage users who will be using Oracle Identity Analytics. It also describes how to create Oracle Identity Analytics roles.

12.4.1 To Create, Update, and Delete an Oracle Identity Analytics User

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Access Control.

  3. Click OIA Users.

    • The Search field searches on the User Name column. Searching on la*, for example, might return the users with user names ladams and lapple.

    • To delete a user, find the user and click Delete in the Action column.

    • To update a user, find the user, click the user name, make updates as needed, and click Save.

    • To create a new user, click New OIA User.

    1. Complete the user information form and click Next.

    2. Use the arrow buttons to move system roles between the Available System Roles column and the Selected System Roles column, and click Next.

      The available Business Roles are listed on the left-hand side.

    3. Select the desired Business Role by using the arrow buttons and click Finish.

    4. Once the roles have been assigned to the user, click Save.

      The new user is created and appears in the OIA Users list.

12.4.2 To Modify User Password

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Access Control.

  3. Click OIA Users.

  4. Find the user whose password you need to change and click the User Name.

    The Search field searches on the User Name column. Searching on la*, for example, might return the users with user names ladams and lapple.

  5. Click Change Password.

    The Change Password dialog box opens.

  6. Type the new password in the New Password and Confirm Password fields and click OK.

12.4.3 To Create OIA Roles

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Access Control.

  3. Click OIA Roles.

  4. Click New OIA Role.

  5. Type a name for the role and a description, and click Next.

    The New OIA Role Manager Wizard opens.

  6. Use the arrow buttons to move system privileges between the Available System Privileges column and the Selected System Privileges column, and click Next.

  7. Use the arrow buttons to move business privileges between the Available Business Structure Privileges column and the Selected Business Structure Privileges column, and click Next.

  8. Click Finish.

    The new OIA Role is created.

12.5 Configuring Password Policy Settings

Password policy settings in OIA consist of password quality and password expiration settings.

12.5.1 To Configure Password Policy Settings

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Access Control.

  3. Click Password Policy Settings.

  4. Complete the form and click Save.

12.5.1.1 Password Quality Settings

To configure password quality settings, select Enable Quality Check and/or Enable Dictionary Check. Use these options to enforce password quality guidelines when creating OIA user account passwords.

Table 12-4 Password Quality Configuration Settings

Minimum Password Length: Set the minimum password length
Minimum Alphabetics Characters: Set the minimum number of alphabetic characters required in the password
Minimum Upper Case Characters: Set the minimum number of upper case characters required in the password
Minimum Lower Case Characters: Set the minimum number of lower case characters required in the password
Minimum Numeric Characters: Set the minimum number of numeric characters required in the password
Minimum Special Characters: Set the minimum number of special characters required in the password
Minimum Alpha Numeric Characters: Set the minimum number of alphanumeric characters required in the password


Select Enable Dictionary Check to reject passwords that appear in the system's dictionary.
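The following is an added illustration, not code from Oracle Identity Analytics, of how the Table 12-4 settings and the dictionary check combine into one accept/reject decision for a candidate password. The setting names, the constructed sample dictionary, and the rule that a "special" character is anything that is neither a letter nor a digit are assumptions.

```python
from dataclasses import dataclass

# Constructed sample dictionary standing in for the system's dictionary (assumption).
SAMPLE_DICTIONARY = frozenset({"password", "welcome", "oracle", "changeme"})


@dataclass(frozen=True)
class PasswordQualitySettings:
    """Mirrors the Table 12-4 settings plus the two enable flags (names assumed)."""
    enable_quality_check: bool = True
    enable_dictionary_check: bool = True
    minimum_password_length: int = 0
    minimum_alphabetic_characters: int = 0
    minimum_upper_case_characters: int = 0
    minimum_lower_case_characters: int = 0
    minimum_numeric_characters: int = 0
    minimum_special_characters: int = 0
    minimum_alpha_numeric_characters: int = 0


def check_password(password: str, settings: PasswordQualitySettings,
                   dictionary: frozenset = SAMPLE_DICTIONARY) -> list:
    """Return the names of the settings the password fails; an empty list means accepted."""
    failures = []
    if settings.enable_quality_check:
        # Count each character class once; a special character is any non-alphanumeric (assumption).
        observed = {
            "minimum_password_length": len(password),
            "minimum_alphabetic_characters": sum(c.isalpha() for c in password),
            "minimum_upper_case_characters": sum(c.isupper() for c in password),
            "minimum_lower_case_characters": sum(c.islower() for c in password),
            "minimum_numeric_characters": sum(c.isdigit() for c in password),
            "minimum_special_characters": sum(not c.isalnum() for c in password),
            "minimum_alpha_numeric_characters": sum(c.isalnum() for c in password),
        }
        for name, count in observed.items():
            if count < getattr(settings, name):
                failures.append(name)
    if settings.enable_dictionary_check and password.lower() in dictionary:
        # Dictionary match is assumed to be case-insensitive.
        failures.append("dictionary_check")
    return failures
```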

12.5.1.2 Password Expiration Settings

Table 12-5 Password Expiration Configuration Settings

Maximum Change Interval: Set the number of days after which the password expires

Expiration Warning Interval: Set the number of days prior to password expiration at which user logins start being redirected to the password expiration warning page

Force Change By Date: Set the date by which every user must change their password. When this field is set to a date in the future, the current date is recorded in a hidden configuration variable as the start of the force-change-by-date interval. Any user who logs in with no last-password-change value, or with one earlier than the start of that interval, is directed to the expiring password page. Once the force-change-by date has passed, any user who has not changed their password since the start of the interval is directed to the expired password page. The normal password expiration policy takes effect once a user has satisfied the force-change-by-date policy.