This chapter describes how to assign privileges to Oracle Identity Analytics users. It contains the following sections:
In Oracle Identity Analytics, you use the Access Control tab (Administration > Access Control) to assign Oracle Identity Analytics roles to Oracle Identity Analytics users. Oracle Identity Analytics users are actors who need privileges within Oracle Identity Analytics to attest, revoke, and remediate certifications and policies, or carry out various other tasks. Oracle Identity Analytics roles are the privileges or permissions assigned to Oracle Identity Analytics users.
Oracle Identity Analytics access control has two components: system-level privileges and business-level privileges. System-level privileges are usually most appropriate for administrator roles, and business-level privileges for business user roles. System-level and business-level privileges are added to roles as needed, and roles are assigned to Oracle Identity Analytics users based on the tasks those users need to complete. Because the Access Control tab is where OIA roles are assigned, any role that grants the Access to Access Control tab privilege effectively lets its holder grant any other privilege, including the OIA Admin role; treat that privilege as administrator-equivalent and assign it as sparingly as OIA Admin itself.
Oracle Identity Analytics includes the nine out-of-the-box roles listed in Table 12-1. You can edit or delete them as needed; note that editing a default role changes the privileges of every user who holds it.
Table 12-1 Oracle Identity Analytics Default System Roles

Role Name | Description | Privileges |
---|---|---|
OIA Admin | Oracle Identity Analytics administrator | OIA Administrator |
Certification Manager | Grants certification privileges | Access to the Identity Certification view |
Policy Violation Remediator | Grants a user the ability to remediate policy violations | Access Policy Violations sub-tab under Identity Audit tab, Read access to Assigned Policy Violations, Write access to Assigned Policy Violations |
Role Engineer - Administrator | Role Engineer - Administrator | Access to Role Management tab, access to My Requests tab, access to Policies view, access to Roles view, Create Role, Delete Role, Update Role, Create Policy, Delete Policy, and Update Policy |
Policy Owner (Identity Audit) | Policy Owner (Identity Audit) | Access the Dashboard sub-tab under the Identity Audit tab, access the Policies sub-tab under the Identity Audit tab, access the Rules sub-tab under the Identity Audit tab, access Policy Violations sub-tab under the Identity Audit tab |
Warehouse Administrator | Warehouse administrator | Create Business Structure, delete Business Structure, update Business Structure, create User, delete User, update User, create Role, delete Role, update Role, create Policy, delete Policy, update Policy, access to Business Structures view, access to Policies view, access to Roles view, access to Users view, access the Users tab in Business Structure view, access the Roles tab in Business Structure view, access the Policies tab in Business Structure view, access the Policies tab in the Resources view, access the Business Structure tab in the Roles view, access the Users tab in the Roles view, access the Policies tab in the Roles view, access the Exclusion Roles tab in Roles view, access the Roles tab in Users view, access the Business Structure tab in the Users view, access the Accounts tab in the Users view, run Business Structure reports |
Workflow Designer | Workflow designer | Access the Workflow Design sub-tab under Administration / Configuration |
Reporting Administrator | Reporting administrator | Run Business Structure reports, access the reports dashboard, upload custom reports, run system reports, run Audit reports, run custom reports, access the scheduling reports sub-tab under the Reports tab |
Compliance Administrator | Compliance Administrator | Access to Identity Certification view, Create IDC Certification, access the Dashboard sub-tab under the Identity Audit tab, access the Policies sub-tab under the Identity Audit tab, access the Rules sub-tab under the Identity Audit tab, access the Policy Violations sub-tab under the Identity Audit tab, run Business Structure reports, upload custom reports, run system reports, run Audit reports, run custom reports, access to the Scheduling Reports sub-tab under the Reports tab, access to the Reports dashboard, access to Identity Certification Remediation Tracking, access to the Resource Type view, configure Identity Certification, configure email templates, and access the Configuration system sub-tab |
Table 12-2 OIA System Privileges

Privilege | Description |
---|---|
CREATE Business Unit | Allows a user to add new Business Units |
UPDATE Business Unit | Allows a user to modify existing Business Units |
DELETE Business Unit | Allows a user to delete existing Business Units |
CREATE User | Allows a user to add new Global Users |
UPDATE User | Allows a user to modify existing Global Users |
DELETE User | Allows a user to delete existing Global Users |
CREATE Role | Allows a user to add new Roles |
UPDATE Role | Allows a user to modify existing Roles |
DELETE Role | Allows a user to delete existing Roles |
CREATE Policy | Allows a user to add new Policies |
UPDATE Policy | Allows a user to modify existing Policies |
DELETE Policy | Allows a user to delete existing Policies |
CREATE Resource | Allows a user to add new Resources |
UPDATE Resource | Allows a user to modify existing Resources |
DELETE Resource | Allows a user to delete existing Resources |
CREATE Schedule Job | Allows a user to add new Schedule Jobs |
UPDATE Schedule Job | Allows a user to modify existing Schedule Jobs |
DELETE Schedule Job | Allows a user to delete existing Schedule Jobs |
Access Report Dashboard | Allows a user to review compliance performance |
Import Data | Allows a user to import data from ETrust Admin to Oracle Identity Analytics |
Export Data | Allows a user to export data from Oracle Identity Analytics to ETrust Admin |
Configure System | Allows a user to configure the IAM servers and attributes |
Access Configuration system subtab | Allows a user to access the Configuration system sub-tab |
Access Resource type view | Allows a user to access Resource Type view |
Configure Resource type definitions | Allows a user to configure Resource Type definitions |
Configure Identity Certification | Allows a user to configure identity certifications |
Configure Email Templates | Allows a user to configure email templates |
Access to Audit view | Allows a user to access Audit view |
Access to Business Structures view | Allows a user to access Business Structures view |
Access to Resource view | Allows a user to access Resource view |
Access to Policies view | Allows a user to access Policies view |
Access to Roles view | Allows a user to access Roles view |
Access to Scheduler view | Allows a user to access Scheduler view |
Access to Users view | Allows a user to access Users view |
Run Business Structure Reports | Allows a user to run Business Structure reports |
Upload Custom Reports | Allows a user to upload custom reports |
Run System Reports | Allows a user to run System Reports |
Run Audit Reports | Allows a user to run Audit Reports |
Run Custom Reports | Allows a user to run custom reports |
Access the Users tab in Business Structure View | Grants a user access to the Users tab in Business Structure view |
Access the Roles tab in Business Structure View | Grants a user access to the Roles tab in Business Structure view |
Access the Policies tab in Business Structure View | Grants a user access to the Policies tab in Business Structure view |
Access the Policies tab in Resources view | Grants a user access to the Policies tab in Resources view |
Access the Business Structure tab in Roles view | Grants a user access to the Business Structure tab in Roles view |
Access the Users tab in Roles view | Grants a user access to the Users tab in Roles view |
Access the Policies tab in Roles view | Grants a user access to the Policies tab in Roles view |
Access the Exclusion Roles tab in Roles view | Grants a user access to the Exclusion Roles tab in Roles view |
Access the Roles tab in Users view | Grants a user access to the Roles tab in Users view |
Access the Business Structure tab in Users view | Grants a user access to the Business Structure tab in Users view |
Access the Accounts tab in Users view | Grants a user access to the Accounts tab in Users view |
Create IDC Certification | Allows a user to create a new identity certification |
Access to Access Control tab | Grants a user access to the Access Control tab |
Access to Glossary tab | Grants a user access to the Glossary tab |
Access to Auditing & Events tab | Grants a user access to the Auditing & Events tab |
Access to Password Configuration tab | Grants a user access to the Password Configuration tab |
Access to Audit Event Logs sub-tab under Auditing & Events tab | Grants a user access to the Audit Event Logs subtab under the Auditing & Events tab |
Access to Import Logs subtab under Auditing & Events tab | Grants a user access to the Import Logs subtab under the Auditing & Events tab |
Access Workflow Design subtab under Administration > Configuration | Grants a user access to the Workflow Design subtab under Administration > Configuration |
Access to web service method Find Users in a given role | Grants a user access to the web service method Find Users in a given role |
Read Access to Assigned Policy Violations | Grants a user read access to the Assigned Policy Violations |
Write Access to Assigned Policy Violations | Grants a user write access to the Assigned Policy Violations |
Access to Identity Certification View | Grants a user access to the Identity Certification View |
Access to Identity Certification Dashboard | Grants a user access to the Identity Certification Dashboard |
Access to Identity Certification Remediation Tracking | Grants a user access to Identity Certification Remediation Tracking |
Access Dashboard subtab under Identity Audit tab | Grants a user access to the Dashboard subtab under the Identity Audit tab |
Access Policies subtab under Identity Audit tab | Grants a user access to the Policies subtab under the Identity Audit tab |
Access Rules subtab under Identity Audit tab | Grants a user access to the Rules subtab under the Identity Audit tab |
Access Policy Violations subtab under Identity Audit tab | Grants a user access to the Policy Violations subtab under the Identity Audit tab |
Access the Role Management tab | Grants a user access to the Role Management tab in the main view |
Access to My Requests tab | Grants a user access to the My Requests tab in the main view |
Access to scheduling reports subtab under Reports tab | Grants a user access to the Scheduling Reports subtab under the Reports tab |
Table 12-3 OIA Business Privileges

Privilege | Description |
---|---|
Access Business Structure | Allows a user to access Business Structure details |
Add Child Business Structure to Business Structure | Allows a user to add a child Business Structure |
Add/Remove User to/From Business Structure | Allows a user to add/remove Global Users |
Add/Remove Role to/From Business Structure | Allows a user to add/remove Roles |
Add/Remove Policy to/From Business Structure | Allows a user to add/remove Policies |
Sign off Reports | Allows a user to sign off on reports |
Certify Entitlements | Allows a user to certify associated entitlements |
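Reviewing who ends up with which privileges is easier off-line than by clicking through the Access Control tab. The following script is an added example, not OIA code: it models the role-to-privilege mapping of Table 12-1 (a subset of the default roles, transcribed with the Table 12-2 privilege names) and computes each user's effective privilege set, flags administrator-equivalent privileges (the OIA Administrator catch-all and Access to Access Control tab, which is where roles are assigned), lists DELETE privileges, and reports assigned roles made redundant by another assigned role. The assumption that privileges from several roles are simply combined (no deny rules) and the sample user assignments are constructed for the example.

```python
"""Least-privilege review of OIA user-to-role assignments (added example, not OIA code).

Role definitions are transcribed from Table 12-1 (subset); privilege names follow
Table 12-2. Assumption: a user's privileges are the union of all assigned roles.
"""
from typing import Dict, List, Set

DEFAULT_ROLES: Dict[str, Set[str]] = {
    "OIA Admin": {"OIA Administrator"},
    "Certification Manager": {"Access to Identity Certification View"},
    "Policy Violation Remediator": {
        "Access Policy Violations subtab under Identity Audit tab",
        "Read Access to Assigned Policy Violations",
        "Write Access to Assigned Policy Violations",
    },
    "Role Engineer - Administrator": {
        "Access the Role Management tab", "Access to My Requests tab",
        "Access to Policies view", "Access to Roles view",
        "CREATE Role", "DELETE Role", "UPDATE Role",
        "CREATE Policy", "DELETE Policy", "UPDATE Policy",
    },
    "Policy Owner (Identity Audit)": {
        "Access Dashboard subtab under Identity Audit tab",
        "Access Policies subtab under Identity Audit tab",
        "Access Rules subtab under Identity Audit tab",
        "Access Policy Violations subtab under Identity Audit tab",
    },
    "Reporting Administrator": {
        "Run Business Structure Reports", "Access Report Dashboard",
        "Upload Custom Reports", "Run System Reports", "Run Audit Reports",
        "Run Custom Reports", "Access to scheduling reports subtab under Reports tab",
    },
    "Compliance Administrator": {
        "Access to Identity Certification View", "Create IDC Certification",
        "Access Dashboard subtab under Identity Audit tab",
        "Access Policies subtab under Identity Audit tab",
        "Access Rules subtab under Identity Audit tab",
        "Access Policy Violations subtab under Identity Audit tab",
        "Run Business Structure Reports", "Upload Custom Reports",
        "Run System Reports", "Run Audit Reports", "Run Custom Reports",
        "Access to scheduling reports subtab under Reports tab",
        "Access Report Dashboard",
        "Access to Identity Certification Remediation Tracking",
        "Access Resource type view", "Configure Identity Certification",
        "Configure Email Templates", "Access Configuration system subtab",
    },
}

# Holders of these can change OIA role assignments themselves (the Access Control
# tab is where roles are assigned), so they are administrator-equivalent.
ADMIN_EQUIVALENT = {"OIA Administrator", "Access to Access Control tab"}


def effective_privileges(assigned: List[str], roles=DEFAULT_ROLES) -> Set[str]:
    """Union of the privileges of every assigned role; unknown role names are an error."""
    unknown = [r for r in assigned if r not in roles]
    if unknown:
        raise KeyError(f"unknown OIA role(s): {unknown}")
    return set().union(*(roles[r] for r in assigned))


def redundant_roles(assigned: List[str], roles=DEFAULT_ROLES) -> List[str]:
    """Assigned roles whose every privilege is already granted by the other assigned roles."""
    result = []
    for role in assigned:
        others = set().union(*(roles[o] for o in assigned if o != role))
        if roles[role] <= others:
            result.append(role)
    return result


def review(users: Dict[str, List[str]], roles=DEFAULT_ROLES) -> Dict[str, Dict[str, list]]:
    """Return findings per user; users with nothing to report are omitted."""
    findings: Dict[str, Dict[str, list]] = {}
    for user, assigned in users.items():
        privs = effective_privileges(assigned, roles)
        notes: Dict[str, list] = {}
        admin = sorted(privs & ADMIN_EQUIVALENT)
        if admin:
            notes["admin_equivalent"] = admin
        destructive = sorted(p for p in privs if p.startswith("DELETE "))
        if destructive:
            notes["destructive"] = destructive
        redundant = redundant_roles(assigned, roles)
        if redundant:
            notes["redundant_roles"] = redundant
        if notes:
            findings[user] = notes
    return findings


if __name__ == "__main__":
    # Constructed sample assignments, not data from any real deployment.
    sample = {
        "root": ["OIA Admin"],
        "jdoe": ["Certification Manager", "Compliance Administrator"],
        "asmith": ["Role Engineer - Administrator"],
        "bwong": ["Policy Violation Remediator"],
    }
    for user, notes in review(sample).items():
        print(user, notes)
```

In practice you would populate the role dictionary from an export of your own OIA roles rather than from the defaults, since the point of the review is to catch privileges that were added after installation.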
This section describes how to create and manage users who will be using Oracle Identity Analytics. It also describes how to create Oracle Identity Analytics roles.
1. Log in to Oracle Identity Analytics.
2. Choose Administration > Access Control.
3. Click OIA Users.

   The Search field searches on the User Name column. Searching on la*, for example, might return the users with user names ladams and lapple.

   To delete a user, find the user and click Delete in the Action column.

   To update a user, find the user, click the user name, make updates as needed, and click Save.

4. To create a new user, click New OIA User.
5. Complete the user information form and click Next.
6. Use the arrow buttons to move system roles between the Available System Roles column and the Selected System Roles column, and click Next.
7. The available Business Roles are listed on the left-hand side. Use the arrow buttons to select the desired Business Roles and click Finish.
8. Once the roles have been assigned to the user, click Save.

   The new user is created and appears in the OIA Users list.
1. Log in to Oracle Identity Analytics.
2. Choose Administration > Access Control.
3. Click OIA Users.

   The Search field searches on the User Name column. Searching on la*, for example, might return the users with user names ladams and lapple.

4. Find the user whose password you need to change and click the User Name.
5. Click Change Password.

   The Change Password dialog box opens.

6. Type the new password in the New Password and Confirm Password fields and click OK.
1. Log in to Oracle Identity Analytics.
2. Choose Administration > Access Control.
3. Click OIA Roles.
4. Click New OIA Role.

   The New OIA Role Manager Wizard opens.

5. Type a name for the role and a description, and click Next.
6. Use the arrow buttons to move system privileges between the Available System Privileges column and the Selected System Privileges column, and click Next.
7. Use the arrow buttons to move business privileges between the Available Business Structure Privileges column and the Selected Business Structure Privileges column, and click Next.
8. Click Finish.

   The new OIA Role is created.
Password policy settings in OIA consist of password quality and password expiration settings.
1. Log in to Oracle Identity Analytics.
2. Choose Administration > Access Control.
3. Click Password Policy Settings.
4. Complete the form and click Save.
To configure password quality settings, select Enable Quality Check and/or Enable Dictionary Check. Use these options to enforce password quality guidelines when creating OIA user account passwords.
Table 12-4 Password Quality Configuration Settings

Quality Settings | Description |
---|---|
Minimum Password Length | Set the minimum password length |
Minimum Alphabetic Characters | Set the minimum number of alphabetic characters required in the password |
Minimum Upper Case Characters | Set the minimum number of upper case characters required in the password |
Minimum Lower Case Characters | Set the minimum number of lower case characters required in the password |
Minimum Numeric Characters | Set the minimum number of numeric characters required in the password |
Minimum Special Characters | Set the minimum number of special characters required in the password |
Minimum Alpha Numeric Characters | Set the minimum number of alphanumeric characters required in the password |
Select Enable Dictionary Check to reject passwords that appear in the system's dictionary.
Table 12-5 Password Expiration Configuration Settings

Expiration Settings | Description |
---|---|
Maximum Change Interval | Set the number of days after which the password expires |
Expiration Warning Interval | Set the number of days prior to password expiration to start redirecting user logins to the password expiration warning page |
Force Change By Date | Set the date by which every user must change their password. When this field is set to a date in the future, the current date is recorded in a hidden configuration variable to establish the start of the force-change-by-date interval. Any user logging in with no last-password-change value, or with one prior to the start of the interval, is directed to the expiring password page. Once the force-change-by-date has passed, any user who has not changed their password since the start of the interval is directed to the expired password page. The normal password expiration policy is in effect once a user has satisfied the force-change-by-date policy. |
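The interaction between the force-change-by-date interval and the normal expiration policy is easiest to understand as code. The evaluator below is an added example, not OIA code: it implements the quality checks of Table 12-4 and the expiration states of Table 12-5 so the settings can be tested against sample passwords and dates. Two points the page does not specify are marked as assumptions in the code: how the dictionary check matches (modelled as a case-insensitive exact match against a word list), and whether a login on the force-change date itself is still treated as expiring (modelled as yes). The sample word list and dates are constructed for the example.

```python
"""Evaluator for the OIA password quality and expiration settings (Tables 12-4 and 12-5).

Added example, not OIA code: it reproduces the documented semantics so the rules can be
exercised against sample passwords and login dates. Assumptions are marked inline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional


@dataclass
class QualityPolicy:
    """Table 12-4 settings: every field is a minimum count."""
    min_length: int = 8
    min_alpha: int = 1
    min_upper: int = 1
    min_lower: int = 1
    min_numeric: int = 1
    min_special: int = 1
    min_alphanumeric: int = 1
    dictionary_check: bool = True


@dataclass
class ForceChange:
    """Force Change By Date plus the hidden interval-start variable the page describes."""
    by_date: date
    interval_start: date  # the date on which by_date was set


@dataclass
class ExpirationPolicy:
    """Table 12-5 settings, in days."""
    max_change_interval: int = 90
    expiration_warning_interval: int = 14
    force_change: Optional[ForceChange] = None


def quality_violations(password: str, policy: QualityPolicy,
                       dictionary: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the quality rules the password fails; an empty list means it is acceptable."""
    checks = [
        ("length", len(password), policy.min_length),
        ("alphabetic", sum(c.isalpha() for c in password), policy.min_alpha),
        ("upper case", sum(c.isupper() for c in password), policy.min_upper),
        ("lower case", sum(c.islower() for c in password), policy.min_lower),
        ("numeric", sum(c.isdigit() for c in password), policy.min_numeric),
        ("special", sum(not c.isalnum() for c in password), policy.min_special),
        ("alphanumeric", sum(c.isalnum() for c in password), policy.min_alphanumeric),
    ]
    violations = [f"{name}: {have} < {need}" for name, have, need in checks if have < need]
    # Assumption: the dictionary check is a case-insensitive exact match against the word
    # list; the page does not say whether substrings or character substitutions count.
    if policy.dictionary_check and password.lower() in dictionary:
        violations.append("password appears in dictionary")
    return violations


def password_state(today: date, last_change: Optional[date], policy: ExpirationPolicy) -> str:
    """Classify a login as 'ok', 'expiring' (warning page) or 'expired' (expired page)."""
    fc = policy.force_change
    if fc is not None:
        # Force-change rule: a user with no last-change value, or one before the interval
        # start, goes to the expiring page until the date passes and to the expired page
        # afterwards. Assumption: a login on by_date itself is still 'expiring'.
        if last_change is None or last_change < fc.interval_start:
            return "expired" if today > fc.by_date else "expiring"
    if last_change is None:
        return "expired"  # assumption: no recorded change and no force date => must set one
    # Normal policy applies once the force-change requirement is satisfied.
    expires_on = last_change + timedelta(days=policy.max_change_interval)
    if today >= expires_on:
        return "expired"
    if today >= expires_on - timedelta(days=policy.expiration_warning_interval):
        return "expiring"
    return "ok"


if __name__ == "__main__":
    # Constructed sample data, not from any real deployment.
    words = frozenset({"password", "welcome", "oracle"})
    print(quality_violations("password", QualityPolicy(), words))
    print(quality_violations("Tr0ub4dor&3", QualityPolicy(), words))
    policy = ExpirationPolicy(force_change=ForceChange(date(2024, 6, 30), date(2024, 5, 1)))
    for last in (date(2024, 4, 15), date(2024, 5, 20)):
        print(last, password_state(date(2024, 7, 1), last, policy))
```

Note that a user whose last change predates the interval start is sent to the expiring page even when the normal Maximum Change Interval has not elapsed, while a user who changed their password after the interval start falls straight through to the normal policy; that is the behaviour the Force Change By Date description specifies.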