Skip Headers
Oracle® Fusion Middleware User's Guide for Oracle Identity Manager
11g Release 1 (11.1.1)

Part Number E14316-07
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

11 Managing Users

The user management feature in Oracle Identity Manager includes the creation, updation, deletion, enabling and disabling, locking, and unlocking of user accounts. This feature is described in the following sections:

11.1 User Lifecycle

User lifecycle is a term to describe the process flow of how a user entity is created, managed, and terminated in the system based on certain events or time factors.

A user entity goes through various stages in the lifecycle. The stages are non-existent, disabled, active, and deleted. Figure 11-1 depicts the different lifecycle stages, all possible transitions, and the operations that set up those transitions:

Figure 11-1 User Life Cycle

Description of Figure 11-1 follows
Description of "Figure 11-1 User Life Cycle"

There is a possibility of process rules or business requirements being defined for each transition of the user lifecycle. You can use the sample scenarios listed in Table 11-1 to establish the link between user lifecycle transitions and business objectives.

Table 11-1 User Life Cycle and Business Objectives Sample Scenarios

Current State Operation Sample Scenario Process Description

Non-existent

Create

HR enters user profile information for a new hire. If the new hire is not introduced to the system immediately, then HR sets a future start date for the user.

If the start is not a future date then the user is introduced into the system in an Active state.If the Start Date is in future then the create process creates the user in a disabled state.

Disabled

Enable

User's start date is in effect. The system initiates provisioning for the new hire.

User is marked enabled in the system and the user is now able to login and use the system. By default, all necessary memberships and accounts are established as part of the workflow.

Active

Modify

User is promoted to a new position. As a result, HR changes the job title of the user.

New resources are provisioned to the user, and old irrelevant resources are deprovisioned from the user.

Active

Disable

User takes one year sabbatical from the company. HR manually disables the user on the last working day of the user. The user re-joins the company after some period. HR can make the user Active again.

User is marked disabled in the system, and the user is no longer able to login to the system. The disabled users can be made Active again.

Active

Deleted

User retires from the company. HR manually deletes the user on the last working day of the user.

User is marked disabled in the system, and the user is no longer able to login to the system. By default, all users' accounts are deprovisioned as part of the workflow.


The following concepts are integral to user lifecycle management:

11.1.1 OIM Account

OIM Account is an abstraction representing a means to be authenticated to access Oracle Identity Manager. In Oracle Identity Manager, the cardinality of relationship between user and OIM account is one-to-one. By default, users are associated with OIM accounts that allows users to access Oracle Identity Manager. However, there may be users who do not need to access Oracle Identity Manager, and therefore, may not be provisioned with an OIM account.

Some user operations, such as lock and unlock, are explicitly account operations. When locking or unlocking a user, you lock or unlock the user's OIM account.

In Oracle Identity Manager, each user has a Design Console Access attribute that controls the OIM account of the user. If the Design Console Access option for a user is selected in the UI, then the user is End-User Administrator. If this option is not selected, then the user is an End-User.

11.1.2 Organization

Organization is a logical container for authorization and permission data. A user in Oracle Identity Manager must belong to one organization only. For detailed information about organizations in Oracle Identity Manager, see Chapter 13, "Managing Organizations".

11.1.3 Role

Oracle Identity Manager provides easy and controlled privilege management through roles. Roles are named groups of related privileges that you grant to users or other roles. Roles are designed to ease the administration of end-user system and schema object privileges. For detailed information about roles, see Chapter 12, "Managing Roles".

11.2 User Entity Definition

Attributes are defined for the user entity in Oracle Identity Manager. You can add your own attributes to the user entity.

For each attribute for a user entity, the following properties are defined in Oracle Identity Manager:

Table 11-2 lists the attributes defined for the user entity in Oracle Identity Manager:

Table 11-2 Attributes Defined for User Entity

Attribute Name Category Description Data Type Properties LOV (default in bold)

usr_key

Account Settings

The GUID of the user. It is autogenerated when the user is created.

number

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: Yes

Max-Size: 19

Visible: No

Display Type: ENTITY

N/A

act_key

Basic User Information

The GUID of the organization to which the user belongs. This is a mandatory field.

number

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: No

Max-Size: 19

Visible: Yes

Display Type: ENTITY

N/A

Last Name

Basic User Information

The last name of the user. This is a mandatory field.

string

Required: Yes

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 80

Visible: Yes

Display Type: TEXT

N/A

First Name

Basic User Information

The first name of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 80

Visible: Yes

Display Type: TEXT

N/A

Middle Name

Basic User Information

The middle name of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 80

Visible: Yes

Display Type: TEXT

N/A

Full Name

Basic User Information

The full name of the user. The full name is localized and stored at account creation time.

string

Required: No

MLS: Yes

Multi-represented: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 164

Visible: No

Display Type: TEXT

N/A

Display Name

Basic User Information

The display name of the user. If not specified, then it is autogenerated while creating the user.

string

Required: No

MLS: No

Multi-represented: Yes

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 382

Visible: Yes

Display Type: TEXT

N/A

Xellerate Type

Basic User Information

The type of user, end-user or administrator.

string

Required: Yes

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: No

Max-Size: 30

Visible: Yes

Display Type: CHECKBOX

Lookup.Users.XellerateType

End-User

End-User Administrator

usr_password

Account Settings

The password of the user. It is stored as an encrypted value.

string

Required: Yes

System Controlled: No

Encryption: Encrypt

Searchable: No

Support Bulk Update: No

Read-Only: No

Max-Size: 128

Visible: Yes

Display Type: SECRET

N/A

usr_disabled

Account Settings

Indicates whether the user is disabled or enabled.

0 indicates that the user is enabled. 1 Indicates that the user is disabled.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: Yes

Read-Only: Yes

Max-Size: 1

Visible: Yes

Display Type: CHECKBOX

N/A

Status

Account Settings

The status of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: Yes

Max-Size: 25

Visible: Yes

Display Type: LOV

Lookup.WebClient.Users.Status

Active

Disabled

Deleted

Disabled Until Start Date

Role

Basic User Information

The role to which the user is a member.

string

Required: Yes

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: No

Max-Size: 255

Visible: Yes

Display Type: LOV

Lookup.Users.Role

Full-Time

Part-Time

Temp

Intern

Consultant

EMP

CWK

NONW

OTHER

Contractor

User Login

Account Settings

The login ID of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 256

Visible: Yes

Display Type: TEXT

N/A

usr_manager_key

Basic User Information

The GUID of the user's manager.

number

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: No

Max-Size: 19

Visible: Yes

Display Type: ENTITY

N/A

Start Date

Account Effective Dates

The start date of the user.

date

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: No

Max-Size: -

Visible: Yes

Display Type: DATE_ONLY

N/A

End Date

Account Effective Dates

The end date of the user.

date

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: No

Max-Size: -

Visible: Yes

Display Type: DATE_ONLY

N/A

usr_provisioning_date

Provisioning Dates

The date on which the user profile has been created in Oracle Identity Manager.

date

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: No

Max-Size: -

Visible: Yes

Display Type: DATE_ONLY

N/A

usr_deprovisioning_date

Provisioning Dates

The date when the resources will be deprovisioned from the user.

date

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: No

Max-Size: -

Visible: Yes

Display Type: DATE_ONLY

N/A

usr_provisioned_date

System

The date when the resources have been provisioned to the user.

date

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: Yes

Max-Size: -

Visible: No

Display Type: DATE_ONLY

N/A

usr_deprovisioned_date

System

The date when the resources are deprovisioned from the user.

date

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: Yes

Max-Size: -

Visible: No

Display Type: DATE_ONLY

N/A

Email

Basic User Information

The e-mail address of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 256

Visible: Yes

Display Type: TEXT

N/A

usr_locked

Account Settings

Indicates whether the user account is locked or unlocked.

The value 0 indicates that the account is unlocked.

The value 1 indicates that the account is locked.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: Yes

Max-Size: 1

Visible: Yes

Display Type: LOV

Users.Lock User

0

1

Locked On

Lifecycle

The date on which the user account has been locked.

date

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: -

Visible: No

Display Type: DATE_ONLY

N/A

Automatically Delete On

Lifecycle

The date on which the user account will be automatically deleted.

date

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: Yes

Max-Size: -

Visible: No

Display Type: DATE_ONLY

N/A

Manually Locked

Lifecycle

Indicates whether the user account has been automatically or manually locked.

1 indicates that the account has been manually locked by an administrator.

0 indicates that the account has been automatically locked, for instance, on exceeding the maximum number of login attempts with incorrect password.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 1

Visible: No

Display Type: TEXT

N/A

usr_login_attempts_ctr

System

The number of times the user has tried logging in with incorrect password. It is set to 0 at every successful login.

number

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 19

Visible: No

Display Type: NUMBER

N/A

usr_create

System

The date on which the user has been created.

date

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: Yes

Max-Size: -

Visible: No

Display Type: DATE_ONLY

N/A

usr_update

System

The date on which the user has been last updated.

date

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: Yes

Max-Size: -

Visible: No

Display Type: DATE_ONLY

N/A

usr_timezone

Preferences

The timezone preference of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: No

Max-Size: 100

Visible: Yes

Display Type: TIME_ZONE

N/A

usr_locale

Preferences

The locale preference of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: No

Max-Size: 100

Visible: Yes

Display Type: LOV

Notification.Languages

English

French

German

Italian Spanish

Brazilian Portuguese

Japanese

Korean

Simplified Chinese

Traditional Chinese

Arabic

Czech

Danish

Dutch

Finnish

Greek

Hebrew

Hungarian

Norwegian

Polish

Portuguese

Romanian

Russian

Slovak

Swedish

Thai

Turkish

usr_pwd_cant_change

System

This field is currently not used.

string

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 1

Visible: No

Display Type: CHECKBOX

N/A

usr_pwd_must_change

System

This field is currently not used.

The value 0 indicates that the password is not required to be changed.

The value 1 mandates that the user changes the password.

string

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 1

Visible: No

Display Type: CHECKBOX

N/A

usr_pwd_never_expires

System

This field is currently not used.

The value 0 indicates that the password will expire.

The value 1 indicates that password never expires.

string

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 1

Visible: Yes

Display Type: CHECKBOX

N/A

usr_pwd_expire_date

System

The date on which the password will expire. Valid if Password Never Expires is 0.

date

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: -

Visible: No

Display Type: DATE_ONLY

N/A

usr_pwd_warn_date

System

The date after which the user will be warned to change the password.

date

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: -

Visible: No

Display Type: DATE_ONLY

N/A

usr_pwd_expired

System

Indicates whether the user password has expired. If so, then the password must be reset.

The value 0 indicates that password has not expired.

The value 1 indicates that password has expired.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 1

Visible: No

Display Type: CHECKBOX

N/A

usr_pwd_warned

System

Indicates whether the user has been warned to change the password.

0 indicates that the user has not been warned to change the password yet.

1 indicates that the user has been warned to change the password.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 1

Visible: No

Display Type: CHECKBOX

N/A

usr_pwd_reset_attempts_ctr

System

The number of times the user has tried resetting the password with incorrect answers to challenge questions. It is set to 0 at every successful reset password.

number

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 19

Visible: No

Display Type: NUMBER

N/A

usr_change_pwd_at_next_logon

System

Indicates whether the user must change his password at next login.

The value 1 indicates that the user must reset password at next login. The value 0 indicates that user does not need to reset password at next login.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 1

Visible: No

Display Type: CHECKBOX

N/A

usr_data_level

System

Indicates the kind of operation, such as add, modify, or delete, supported on this record.

The possible values for this column are:

0: Indicates that this row can be updated or deleted

1: Indicates that this row cannot be updated and deleted

2: Indicates that the row can only be modified and cannot be deleted

3: Indicates that the row can only be deleted and cannot be modified

string

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 1

Visible: No

Display Type: TEXT

N/A

usr_pwd_min_age_date

System

If set, then it indicates the date before which the user password cannot be changed.

date

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: -

Visible: No

Display Type: DATE_ONLY

N/A

usr_createby

System

The GUID of the user who created this user.

number

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 19

Visible: No

Display Type: ENTITY

N/A

usr_updateby

System

The GUID of the user who updated this user.

number

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 19

Visible: No

Display Type: ENTITY

N/A

usr_created

System

This is not currently used in Oracle Identity Manager.

date

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 19

Visible: No

Display Type: DATE_ONLY

N/A

usr_policy_update

System

This is used to re-evaluate the user's policies. To re-evaluate object policies for any user to whom the current policy applies, evaluate the UPP and UPD tables to get list of users for the current policy. For each user found, set the policy_update flag. Attach as a post-insert, post-update and post_delete event handler to tcPOP.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: Yes

Read-Only: Yes

Max-Size: 1

Visible: No

Display Type: TEXT

N/A

Country

Other User Attributes

The country of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 100

Visible: Yes

Display Type: TEXT

N/A

Department Number

Other User Attributes

The department number of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 80

Visible: Yes

Display Type: TEXT

N/A

Description

Other User Attributes

The description of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 2000

Visible: Yes

Display Type: TEXT

N/A

Common Name

Other User Attributes

The common name of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 240

Visible: Yes

Display Type: TEXT

N/A

Employee Number

Other User Attributes

The employee number of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 80

Visible: Yes

Display Type: TEXT

N/A

Fax

Other User Attributes

The FAX number of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 20

Visible: Yes

Display Type: TEXT

N/A

Generation Qualifier

Other User Attributes

The Generation Qualifier for the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 20

Visible: Yes

Display Type: TEXT

N/A

Hire Date

Other User Attributes

The hire date of the user.

date

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: -

Visible: Yes

Display Type: DATE_ONLY

N/A

Home Phone

Other User Attributes

The home phone number of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 20

Visible: Yes

Display Type: TEXT

N/A

Locality Name

Other User Attributes

The locality name of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 80

Visible: Yes

Display Type: TEXT

N/A

Mobile

Other User Attributes

The mobile number of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 20

Visible: Yes

Display Type: TEXT

N/A

Pager

Other User Attributes

The pager number of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 20

Visible: Yes

Display Type: TEXT

N/A

Home Postal Address

Other User Attributes

The home postal address of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 256

Visible: Yes

Display Type: TEXT

N/A

Postal Address

Other User Attributes

The postal address of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 256

Visible: Yes

Display Type: TEXT

N/A

Postal Code

Other User Attributes

The postal code of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 230

Visible: Yes

Display Type: TEXT

N/A

PO Box

Other User Attributes

The PO box number of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 20

Visible: Yes

Display Type: TEXT

N/A

State

Other User Attributes

The state of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 80

Visible: Yes

Display Type: TEXT

N/A

Street

Other User Attributes

The street name in the user's address.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 80

Visible: Yes

Display Type: TEXT

N/A

Telephone Number

Other User Attributes

The telephone number of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 20

Visible: Yes

Display Type: TEXT

N/A

Title

Other User Attributes

The title of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 80

Visible: Yes

Display Type: TEXT

N/A

Initials

Other User Attributes

The initials of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 10

Visible: Yes

Display Type: TEXT

N/A

Password Generated

System

This flag indicates whether the password has been autogenerated for the user.

string

Required: No

System Controlled: Yes

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: Yes

Max-Size: 1

Visible: No

Display Type: TEXT

N/A

LDAP Organization

Other User Attributes

User organization name in LDAP.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 80

Visible: Yes

Display Type: TEXT

N/A

LDAP Organization Unit

Other User Attributes

User organization unit in LDAP, such as department or any subentity of a larger entity.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 80

Visible: Yes

Display Type: TEXT

N/A

LDAP GUID

Other User Attributes

User global unique identifier in LDAP.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 256

Visible: Yes

Display Type: TEXT

N/A

LDAP DN

Other User Attributes

User distinguished name in LDAP.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: No

Read-Only: No

Max-Size: 256

Visible: Yes

Display Type: TEXT

N/A

Embedded Help

Other User Attributes

Indicates whether to suppress the help popups on rollover. This attribute is not interpreted by Oracle Identity Manager and is used to persist values in LDAP.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: No

Max-Size: 10

Visible: No

Display Type: LOV

Lookup.Users.EmbeddedHelp

true

false

Number Format

Other User Attributes

The number format preference of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: No

Max-Size: 30

Visible: No

Display Type: LOV

Lookup.Users.NumberFormat

#,##0.##[.,]

#,##0.###[\u00A0,]

#,##0.###

#,##0.###;#,##0.###-

#,##0.###[.,]

#,##0.###;(#,##0.###)[.,]

#,##0.##[\u00A0,]

#,##0.###['.]

#,##0.###[',]

Date Format

Other User Attributes

The date format preference of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: No

Max-Size: 20

Visible: No

Display Type: LOV

Lookup.Users.DateFormat

MM-dd-yyyy

MM-dd-yy

MM.dd.yyyy

MM.dd.yy

MM/dd/yyyy

MM/dd/yy

M-d-yyyy

M-d-yy

M.d.yyyy

M.d.yy

M/d/yyyy

M/d/yy

dd-MM-yyyy

dd-MM-yy

d-M-yyyy

d-M-yy

dd.MM.yyyy

dd.MM.yy

d.M.yyyy

d.M.yy

dd/MM/yyyy

dd/MM/yy

d/M/yyyy

d/M/yy

yyyy-MM-dd

yy-MM-dd

yyyy-M-d

yy-M-d

yyyy.MM.dd

yy.MM.dd

yyyy.M.d

yy.M.d

yy. M. d

yyyy/MM/dd

yy/MM/dd

yyyy/M/d

yy/M/d

Time Format

Other User Attributes

The time format preference of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: No

Max-Size: 20

Visible: No

Display Type: LOV

Lookup.Users.TimeFormat

HH.mm

HH.mm.ss

HH:mm

HH:mm:ss

H:mm

H:mm:ss

H.mm

H.mm.ss

a hh.mm

a hh.mm.ss

a hh:mm

a hh:mm:ss

ah:mm

ah:mm:ss

hh.mm a

hh.mm.ss a

hh:mm a

hh:mm:ss a

Currency

Other User Attributes

The preferred currency code of the user.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: No

Max-Size: 20

Visible: No

Display Type: LOV

Lookup.Users.Currency

Font Size

Other User Attributes

The preferred font size of the user, such as large or medium. This is related to the Accessibility feature. This attribute is not interpreted by Oracle Identity Manager and is used to persist values in LDAP.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: No

Max-Size: 10

Visible: No

Display Type: LOV

Lookup.Users.FontSize

LARGE

MEDIUM

Color Contrast

Other User Attributes

The preferred color contrast of the user, such as standard or high. This is related to the Accessibility feature. This attribute is not interpreted by Oracle Identity Manager and is used to persist values in LDAP.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: No

Max-Size: 10

Visible: No

Display Type: LOV

Lookup.Users.ColorContrast

STANDARD

HIGH

Accessibility Mode

Other User Attributes

The preferred accessibility feature of the user, such as Screen Reader Optimized or Standard Accessibility. This attribute is not interpreted by Oracle Identity Manager and is used to persist values in LDAP.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: No

Support Bulk Update: No

Read-Only: No

Max-Size: 20

Visible: No

Display Type: LOV

Lookup.Users.AccessibilityMode

screenReader

inaccessible

default

User Name Preferred Language

Preferences

The preference language of the user used to only show the display name of the user in that language.

Note: The preference can be stored in Oracle Identity Manager, but it is not honored on Oracle Identity Manager UI.

string

Required: No

System Controlled: No

Encryption: Clear

Searchable: Yes

Support Bulk Update: Yes

Read-Only: No

Max-Size: 20

Visible: No

Display Type: LOV

Select MLS_LOCALE_CODE as USR_NAME_PREFERRED_LANG from mls_locale where locale_flag=0 OR locale_flag 1 order by mls_locale_code asc


11.3 User Management Tasks

You can perform the following user management tasks in the Oracle Identity Administration:

11.3.1 Searching Users

In Oracle Identity Manager Administration, you can perform the following types of search operations for the user entity:

11.3.1.1 Simple Search

The search operation lets you search user entities based on the search strings that you specify as search attributes. This operation is also referred to as simple search or quick search.

The search feature is described in the following topics:

11.3.1.1.1 Searchable Attributes

The default set of attributes across which search is conducted are:

  • User Login

  • First Name

  • Last Name

  • Display Name

11.3.1.1.2 Search Comparators

The search comparator for the search operation is set to Begins With. The search comparator can be combined with wildcard characters to specify a search condition. The asterisk (*) character is used as a wildcard character.

11.3.1.1.3 Search String

Search string is not case-sensitive. Only the asterisk (*) character is supported as a wildcard for the search string. Oracle Identity Manager Administration removes any leading or trailing white spaces from the search string. For performance reasons, any leading occurrences of (*) in the search string are removed.

11.3.1.1.4 Conjunction Operator

The conjunction operator for the search operation is by default set to be OR.

The relationships between the search attributes, search comparator, search string, and conjunction operator is described by using the following query composition formula:

Query begins with ((attribute 1 begins with 'search string') or (attribute 2 begins with 'search string') or …)

For example, if you enter Jo* as a search text, then the search operation forms an internal query where User Login begins with Jo* or First Name begins with Jo* or Last Name begins with Jo* or Display Name begins with Jo*. As a result, all the users whose user name, first name, or last name starts with Jo are displayed.

11.3.1.1.5 Search Results

Result attributes define the set of attributes that are to be returned by the search operation. The actual set of result attributes, however, are determined dynamically based on user's permissions.

Note:

The search results do not include deleted users, which means users with status = Deleted.

The limited search result table shows a subset of the columns of the full search result table. User configuration specifies the columns to display in the search results, and the subset to display in the limited search result table. For more details about configuration management, see "Configuring User Attributes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

The simple search result table displays the Display Name attribute only. Here, the Display Name of all those users whose Display Name, User Login, First Name, or Last Name attribute value equals search text are displayed in the search result.

You can perform sorting and paging of the displayed data in the search results table.

Tip:

When you scroll up or down, the page index changes. Each page contains a fixed set of entries. When page index changes and the next required page is not within the UI, the UI triggers an event. As a response to this event, the result page is displayed.

There are up and down arrows provided on each attribute in the search result table. Clicking the up or down arrow of the attribute provides with the sort attribute and sorting order.

11.3.1.1.6 Operations on Search Results

This section describes the operations that you can perform based on selection of row(s) in the search results table. It is divided into single selection operations and bulk or multiple selection operations.

You can perform the following single selection operations by selecting a user from the search results table:

  • View detail

  • Modify, only if the user status is active

  • Enable, only if the user status is disabled

  • Disable, only if the user status is enabled

  • Lock, only if the selected user's account is unlocked

  • Unlock, only if the selected user's account is locked

  • Reset password

  • Delete

You can perform the following bulk or multiple selection operations by selecting multiple users from the search results table:

  • Enable, only if the user status is disabled

  • Disable, only if the user status is enabled

  • Lock, only if the selected user's account is unlocked

  • Unlock, only if the selected user's account is locked

  • Delete

11.3.1.1.7 Performing a Simple Search

To perform a simple search and display the details of the user:

  1. Login to Oracle Identity Manager Administration.

  2. To search users, in the left pane, select Users from the drop-down list.

  3. In the search field, enter a search criterion. You can include wildcard characters (*) in your search criterion.

  4. Click the icon to the right of the search field. The search result is displayed in the left pane that shows the display names of the users that matches the search criterion you specified. Figure 11-2 shows the search results:

    Figure 11-2 Simple Search Result

    Description of Figure 11-2 follows
    Description of "Figure 11-2 Simple Search Result"

11.3.1.2 Advanced Search

The advanced search options are displayed in the right pane of Oracle Identity Manager Administration. The advance search allows you to specify more complex search criteria than the simple search criteria. The results are displayed in search results tables.

The advanced search operation is described in the following sections:

11.3.1.2.1 Advanced Search Page

You specify the search criteria in the Advanced Search page. This page lets you create a search query that consists of multiple criteria. Each criterion consists of:

  • The attribute to search against

  • The search comparator, such as equals and begins with

  • The values to search for

The value can be multiple in the case where the comparator requires two or more values. You can specify multiple search criteria if the comparator requires two or more values, for example, range searches on numeric fields or data ranges on date fields. When you specify multiple search criteria, you must specify the AND or OR conjunction operator for the search operation.

11.3.1.2.2 Search Comparators

The search comparators that the Advanced Search page supports are predefined in Oracle Identity Manager. Each comparator specifies the kind of attribute (data type) it supports, and also the number of input data fields it requires.

Table 11-3 lists the comparators supported by advanced search:

Table 11-3 Advanced Search Comparators

Comparator Field Types Supported

Equals

Text, Date, Numeric, Boolean

Begins With

Text


11.3.1.2.3 Conjunction Operator

The conjunction operators for the search operation are:

  • All: Search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.

  • Any: Search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.

11.3.1.2.4 Searchable Attributes

Searchable attributes define the set of attributes that you can use in the Advanced Search page. While creating the search criteria, you can select the attributes that you want to search against from this base list.

Only a subset of the searchable attributes, called default fields in Table 11-4, is displayed by default in the Advanced Search page. You can add additional searchable attributes to the page by using the Add Fields functionality. Each attribute also specifies the comparators it supports.

Table 11-4 Default Search Attributes

Attribute Comparators Available Default Fields

Display Name

Begins With, Equals

Yes

User Login

Begins With, Equals

Yes

First Name

Begins With, Equals

Yes

Last Name

Begins With, Equals

Yes

Identity Status

Equals, Not Equals

Yes

Organization

Equals, Begins With

Yes

Email

Begins With, Equals

Yes

Start Date

Equal, Before, After, Range

Yes

End Date

Equals, Before, After, Range

Yes


Note:

You can configure the attributes that are searchable in User Management Configuration.

The searchable attributes configured for advanced search must be a subset of the attributes defined for the User Entity that are marked with the Searchable = Yes property.

11.3.1.2.5 Search Results

The search results table is displayed in the same tab as the Advanced Search page so that the user can view the query they searched by along with the search results. The table, being in the right pane, is always displayed as the full search results table.

If your search returns a lot of information, you can hide one or more columns in the search results table. For example, if your table contains 20 columns, you might want to display only the eight most-important columns, so you do not have to keep scrolling through the less important information.

To hide one or more columns, open the Search Results pane, click View, and deselect the columns you want to hide. A status message displays along the bottom of all search tables to identify how many columns are currently hidden in a particular table view. Figure 11-3 shows that the user has hidden three columns.

Figure 11-3 Advanced Search Result with Hidden Columns

Surrounding text describes Figure 11-3 .

The search results does not return deleted users, unless the user explicitly selects the Status attribute in the Advanced Search page and provides a value, Status Equals Deleted. In that case, deleted users will be returned as part of the search results.

11.3.1.2.6 Performing an Advanced Search Operation

To perform an advanced search operation and display the search result:

  1. In the Welcome page of Oracle Identity Manager Administration, under users, click Advanced Search - Users. Alternatively, you can click Administration, and under the Browse tab, click the Advanced Search: Users.

  2. Select All or Any conjunction operator. For information about these operators, see "Conjunction Operator".

  3. Specify a search criteria in the fields. You can include wildcard characters (*) in your search criterion. For performance reasons, initial (prefix) wildcards will be removed. Select the search comparators in the lists adjacent to the fields. See Table 11-3, "Advanced Search Comparators" for information about the advanced search comparators.

    Note:

    The asterix wildcard character (*) search for the Identity Status field returns only the users with Active , Disabled, and Disabled Until Start Date statuses, but not with Deleted status. To search for users with Deleted status, you must enter Deleted in the Identity Status field.

    To add a field in the search criteria, click Add Fields, and then select the field name from the list.

  4. Click Search. The user records that match your search criteria are displayed in the search results table, as shown in Figure 11-4:

    Figure 11-4 Advanced Search Result

    Description of Figure 11-4 follows
    Description of "Figure 11-4 Advanced Search Result"

11.3.2 Creating Users

You can create a new user in Oracle Identity Manager by using the Create User page. You can open this page only if you are authorized to create users as determined by the authorization policy on the Create User privilege on any organization in Oracle Identity Manager.

To create a user:

  1. Login to Oracle Identity Manager Administration.

  2. Open the Create User page. To do so, perform any one of the following:

    • In the Welcome page, under Users, click Create Users.

    • Click the Administration tab on the tool bar, and in the Welcome page, under Users, click Create Users.

    • Click the Search Results tab, and from the Action menu, select Create User.

    • In the Search Results tab, click the Create User icon on the toolbar.

    The Create User page displays input fields for user profile attributes. The attributes that are displayed in the create user page are determined by the configuration of the Create User page in User Management Configuration. In this configuration, each of the attributes defined for the user entity is marked as being available on the Create User page.

    See Also:

    "Configuring User Attributes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about configuring the Create User page
  3. Enter details of the user in the Create User page. Table 11-5 describes the fields in the Create User page:

    Table 11-5 Fields in the Create User Page

    Section Field Description

    Basic User Information

    First Name

    First name of the user.

     

    Middle Name

    Middle name of the user.

     

    Last Name

    Last name of the user.

     

    Design Console Access

    The user of OIM User type. It can have one of the two possible values, End-User and End-User Administrator. The OIM User type tells whether or not the user can log in to Oracle Identity Manager Design Console. If the "Design Console Access" check box is selected, the user type will be "End-User Administrator" and the user will have access to design console.

     

    Email

    E-mail address of the user.

     

    Manager

    The reporting manager of the user.

     

    Organization

    The organization to which the user belongs to.

     

    User Type

    The type of employee, such as full-time employee, intern, contractor, part-time employee, consultant, or temporary.

     

    Display Name

    It can have localized values, which can be added by clicking Manage Localizations, and selecting from a list of languages. Display Name is available in 33 languages.

    Account Settings

    User Login

    The user name to be specified for logging in to the Administration Console.

     

    Password

    The password to be specified for logging in to the Administration console.

     

    Confirm Password

    The password to be re-entered for confirmation.

    Account Effective Dates

    Start Date

    The date when the user will be activated in the system.

     

    End Date

    The date when the user will be deactivated in the system.

    Provisioning Dates

    Provisioning Date

    Date when user is getting provisioned into the system.

     

    Deprovisioning Date

    Date when the user is getting deprovisioned from the system.

    Other User Attributes

    Country

    The country where user resides.

     

    Department Number

    The department number of the user.

     

    Common Name

    The common name of the user.

     

    Employee Number

    The employee number of the user.

     

    Fax

    The fax number of the user.

     

    Generation Qualifier

    Whether the user qualifies the generation.

     

    Hire Date

    The hiring date of the user.

     

    Home Phone

    The home phone number of the user.

     

    Locality Name

    The name of the locality where user resides.

     

    Mobile

    The mobile number of the user.

     

    Pager

    The pager number of the user.

     

    Home Postal Address

    The house address of the user.

     

    Postal Address

    The postal address of the user.

     

    Postal Code

    The postal code number of the user's address.

     

    PO Box

    The post box number of the user's address.

     

    State

    The state name of the user.

     

    Street

    The street name where the user resides.

     

    Telephone Number

    The telephone number of the user's residence.

     

    Title

    The title for the user.

     

    Initials

    The initials of the user.


    You can enter attribute values in more than one language in the pages for creating or updating entities, such as users, organizations, and roles.

  4. After you enter the user information, click Save to create the user.

Tip:

Users can be created by any one of the following methods:
  • By using Oracle Identity Administration

  • By self registration

  • By creating a request

  • By using SPML Web service or APIs

For all the above methods, Oracle Identity Manager uses the default password policy or Password Policy against Default Rule. If you want to use a different password policy, then you must attach the new password policy to the default rule by using the Design Console. To do so, see "Managing Password Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

11.3.3 Viewing and Modifying User Information

The view user operation allows you to view detailed user profile information in the User Detail page. You can open this page if you are authorized to view the user's profile as determined by the authorization policy through the View User Details privilege. If you have the authorization to modify the user, then you can modify the user by using this page.

To display user details, perform any of the following:

  • Click the user login link in the search results table for simple search.

  • Select a record in the user search results table for both simple and advanced search, and then select Modify User from the Actions menu. Alternatively, you can click Modify User on the toolbar.

The viewing and modifying operations are described in the following sections:

11.3.3.1 User Details Page

The user details page for the user entity is auto-generated based on configuration and authorization. This page is divided into the following tabs:

11.3.3.1.1 The Attributes Tab

This tab displays the attribute profile that includes details about basic user information, account settings, and other user attributes. You can modify any field to change the attribute profile information, and click Apply.

To eliminate the changes made in this page, click Revert.

11.3.3.1.2 The Roles Tab

This tab displays a list of roles to which the user belongs. You can click each role to display summary information about the role. For each role in the list, it displays the following:

  • Display Name: The name displayed on the UI.

  • Role Name: Name of the role assigned to a user.

  • Role Namespace: Namespace to which the role is assigned.

  • Description: A description of the role.

In the Roles tab, you can assign roles to the user and remove roles from the user. For more details, see "Adding and Removing Roles".

11.3.3.1.3 The Resources Tab

This section displays a list of resources that a user has been provisioned. For each resource in the list, it displays the following:

  • Resource Name: Name of the resource assigned to a user

  • Request ID: If the provisioned instance is associated with a request

  • Service Account: Yes if the account was provisioned as a service account, otherwise No.

  • Description: If any, for the provisioned instance

  • Type: The type of resource

  • Status: The status of the resource such as Provisioned, Enabled, or Disabled

  • Provisioned On: The date when the resource was provisioned to the user

11.3.3.1.4 The Proxies Tab

This tab displays all proxies that are currently set up for the user. For each proxy in the list, it displays the following:

  • Proxy Name: The display name of the proxy user

  • Start Date: The start date for the proxy user

  • End Date: The end date for the proxy user

  • Status: The status of the proxy user

  • Relationship: The relationship of the proxy user with the open user, such as manager

  • Last Updated: The date when the proxy user was last updated

This section also displays the history of proxy information for the user in which the end date is shown. The Current Proxies display the current proxies for the user. The Past Proxies display the proxies history for the user. The Status column is not displayed in the Past Proxies table.

If you select a row in the table that displays proxies information, then a summary information about the proxy is displayed where you can edit the proxy name, relationship with the user, start date, and end date.

The Proxies tab allows you to add proxies to the user and to remove proxies from the user. For information about adding and removing proxies, see "Modifying Proxy Details".

11.3.3.1.5 Direct Reports

This tab displays a read-only table of users for whom the user is set as the manager. In other words, this tab lists the direct reportees of the user. For each user in the table, it displays the following:

  • Display Name

  • User Login

  • Status

  • Organization

If you select a row in the table, then summary information about the direct reportee is displayed at the bottom.

Direct reports allows you to open the user details of the direct reportees. To do so, select a row in the table of direct reportees, and form the Action menu, select Open User. Alternatively, you can click Open User on the toolbar.

11.3.3.1.6 The Requests Tab

This tab displays the requests raised by the user (where the user is the requester) and the requests raised for the user (where the user is the beneficiary of the target user). For each request, the following details are displayed:

  • Request ID: An ID to uniquely identify the request

  • Model Name: The request model name

  • Status: Shows the current state of the request

  • Requested By: The requester who raised the request

  • Parent ID: An ID of the parent request, if any, to which the request is a child request

  • Date Requested: The date on which the request is created

See Also:

Chapter 14, "Creating and Searching Requests" for information about requests, request types, and parent and child requests

This tab allows you to open the details of the requests by clicking the request IDs.

11.3.3.2 User Modifications

You can perform administrative user modification tasks from the user details. The modification is broken up across the different tabs in the page that displays user details, which means that modifications done in each tab are independent of each other and must be saved individually. The modifications you can perform in each tab is outlined in the following sections:

11.3.3.2.1 Modifying Attribute Profile

The attribute profile information is displayed in the Attributes tab of the user details page. To modify the attribute profile, edit the fields in the Attributes tab, and click Apply.

11.3.3.2.2 Adding and Removing Roles

To add a role:

  1. In the Roles tab, from the Action menu, select Assign Roles. Alternatively, you can click Assign Roles on the toolbar. The Assign Role to User window is displayed.

  2. From the Search Roles list, select the type of role or role category. The default role categories are OIM Roles and Default. In addition, you can create custom role categories. See "Creating and Managing Role Categories" for detailed information about role categories.

  3. Search can be performed on the following fields:

    • Display Name

    • Name

    • Role Namespace

    Select All or any conjunction operator. For information about these operators, see "Conjunction Operator".

  4. Enter a search criterion in the search field. You can specify the asterix (*) wildcard character in the search criterion. Then, click the search icon. All roles that belong to the category you selected are displayed in the Available Roles list.

  5. Select one or more roles from the Available Roles list (Shift + Click for contiguous row selection and Ctrl + Click for non-contiguous selection). Then click the Move or Move All buttons to move the selected roles to the Roles to Assign list.

    See Also:

    Table 12-5, "Default Roles in Oracle Identity Manager" for information about the default roles in Oracle Identity Manager
  6. Click OK. A confirmation message is displayed and the roles you selected are assigned to the user.

The Roles tab allows you to select one or multiple roles in the list, and then allows you to remove roles. To remove a role:

  1. Select the role or roles that you want to remove.

  2. From the Action menu, select Revoke Roles. Alternatively, you can click Revoke Roles on the toolbar. A message is displayed asking you to confirm.

  3. Click OK. A success message is displayed on the user details page for successful role assignment.

11.3.3.2.3 Adding and Removing Resources

The Resources tab allows you to select one or multiple resources in the list, and then perform various operations, such as adding and removing resources, enabling and disabling resources, and displaying resource details and history.

To add a resource to a user:

  1. In the Resources tab, from the Action menu, select Add. Alternatively, you can click Add Resource on the toolbar. The Provision Resource to User wizard is displayed.

  2. In Step 1: Select a Resource page, select the resource you want to provision.

  3. Click Continue. The Step 2: Verify Resource Selection page is displayed. This page displays the resource that you selected for provisioning to the target user.

  4. Click Continue. The Step 3: Process Data page is displayed.

  5. Enter values in the fields to specify information about the selected resource.

  6. Click Continue. The Step 4: Verify Process Data page is displayed with details about the resource.

    Figure 11-5 shows the Step 4: Verify Process Data page with sample values for the ebusiness Suite User TCA Foundation resource to be provisioned to the user John Doe with user ID JohnD.

    Figure 11-5 Sample Process Data

    Description of Figure 11-5 follows
    Description of "Figure 11-5 Sample Process Data"

  7. If you want to edit any information displayed in this page, click Edit on the top-right corner of the page. The Step 3: Provide Process Data page is displayed that allows you to edit process data. When finished, click Continue to go back to the Step 4: Verify Process Data page.

    After verifying all information, click Continue.

    WARNING:

    Make sure that you verify the process data before clicking Continue. This is because clicking Continue starts provisioning.

  8. Click Continue to start provisioning the selected resource to the user. A message is displayed stating that the provisioning has been started.

To remove a resource from a user:

  1. In the Resources tab, select a resource that you want to remove.

  2. From the Action menu, select Remove Resource. Alternatively, you can click Revoke on the toolbar. A confirmation message is displayed.

  3. Click OK. The resource is removed, and a success message is displayed.

11.3.3.2.4 Enabling and Disabling Resources

A resource can be enabled if the status of the selected resource is Disabled or Provisioned. To enable a resource:

  1. In the Resources tab, select a resource that you want to enable.

  2. From the Action menu, select Enable. A confirmation message is displayed.

  3. Click OK. The resource is enabled, and a success message is displayed.

A resource can be disabled if the status of the selected resource is Enabled. To disable a resource:

  1. In the Resources tab, select a resource that you want to disable.

  2. From the Action menu, select Disable. A confirmation message is displayed.

  3. Click OK. The resource is disabled, and a success message is displayed.

11.3.3.2.5 Displaying Resource Details

To display resource details:

  1. In the Resources tab, select a resource whose details you want to display.

  2. From the Action menu, select Open. A page is displayed with the resource details. You can edit resource details in this page. When finished, click Save.

11.3.3.2.6 Displaying Resource History

To display resource history:

  1. In the Resources tab, select a resource whose history you want to display.

  2. From the Action menu, select Resource History. A page is displayed with the provisioning details of the resource. The details include task name, task details, date assigned, and the user to whom the task is assigned. A retry checbox is also displayed. You must enable this to retry all failed tasks.

11.3.3.2.7 Modifying Proxy Details

The Proxies tab allows you to add a proxy and select one or multiple proxies in the list, and then invoke the following operations:

  • Edit a proxy, only if a single user is selected

  • Remove a proxy

To add a proxy:

  1. In the Proxies tab, from the Action menu, select Add. The Add Proxy dialog box is displayed.

  2. In the Proxy Name field, select an appropriate proxy. Your proxy can be any user. Search for proxy user's name from the search field below the Proxy Name field or select Manager to add your manager as a proxy.

  3. Specify a start date and end date for the proxy to operate on your behalf.

  4. Click OK. A message is displayed asking for confirmation.

  5. Click OK. A confirmation message is displayed stating that the proxy is assigned.

To remove a proxy, select the proxy in the Proxies tab, and click Remove Proxy.

To modify proxy details:

  1. Select a row in the table displaying proxy information. The details of the proxy are displayed at the bottom of the tab.

  2. Edit the fields to modify proxy information.

  3. Click Save.

11.3.3.3 Single User Operations

You can perform user management operations for a single user from the page that displays user details. These operations are:

11.3.3.3.1 Enabling a User

This operation is available only if the user status is Disabled. To enable a user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of Advanced Search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Enable User. Alternatively, you can click the Enable User icon on the toolbar. If the user details page for the user is open, then you can click Enable User on the toolbar. A message box is displayed asking for confirmation.

  3. Click OK to confirm. A confirmation message is displayed stating that the user is enabled.

    If you enable a user from the user detail page, then it's successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.

11.3.3.3.2 Disabling a User

This operation is available only if the user status is Enabled. To disable a user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of Advanced Search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Disable User. Alternatively, you can click the Disable User icon on the toolbar. If the user details page for the user is open, then you can click Disable User on the toolbar. A message box is displayed asking for confirmation.

  3. Click OK to confirm. A confirmation message is displayed stating that the user is disabled.

    If you disable a user from the user detail page, then it's successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.

11.3.3.3.3 Locking a User

This operation is available only if the user account is unlocked. To lock a user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of advanced search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Lock Account. Alternatively, you can click the Lock Account icon on the toolbar. If the user details page for the user is open, then you can click Lock Account on the toolbar. A message is displayed asking for confirmation.

  3. Click OK. A confirmation message is displayed stating that the user is successfully locked.

    If you lock an account from the user detail page, then it's successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.

11.3.3.3.4 Unlocking a User

This operation is available only if the user account is locked. To unlock as user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of advanced search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Unlock Account. Alternatively, you can click the Unlock Account icon on the toolbar. If the user details page for the user is open, then you can click Unlock Account on the toolbar. A message is displayed asking for confirmation.

  3. Click OK. A confirmation message is displayed stating that the user is successfully unlocked.

    If you unlock an account from the user detail page, then it's successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search result, then the corresponding row in the list is refreshed.

11.3.3.3.5 Resetting the Password for a User

You can reset the password for a user by performing any one of the following:

  • Generate the password manually: You can reset the password of a user manually in instances such as the user has forgotten the password and has called HelpDesk to reset the password quickly. Helpdesk can immediately reset the password manually by entering a password, and the user can login by using the new password. This resolves the issue faster than the user waiting for an e-mail notification.

  • Generate a random password: When a password has to be reset by someone other than the target user, an administrator for example, random password generation is useful so that the person changing the password will not know the new password. A random password can be generated in the following instances:

    • A user has forgotten the password and it needs to be reset.

    • The password has expired. A user has been locked.

    • A user has been locked.

    In such scenarios, when the password is reset, Oracle Identity Manager can automatically generate a new random password that conforms to the given password policy. Also, when the password is reset, the administrator gets an option to check a check box, which when checked will send out an e-mail notifying the user about the password change. This method enables you to generate temporary passwords randomly that cannot be easily guessed by anyone. After you generate the random password, at the next login, the user is prompted to reset the randomly generated password.

To reset the password for a user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of Advanced Search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Reset Password. Alternatively, you can click the Reset Password icon on the toolbar. If the user details page for the user is open, then you can click Reset Password on the toolbar. The Reset Password dialog box is displayed, as shown in Figure 11-6:

    Figure 11-6 The Reset Password Dialog Box

    Description of Figure 11-6 follows
    Description of "Figure 11-6 The Reset Password Dialog Box"

  3. To manually change the user's password:

    1. Select the Manually change the Password option.

    2. In the New Password field, enter the new password that conforms to the password policy that is displayed in the Password Policy section.

      The Password Policy section displays the password policy assigned to the user. This section does not display the password policy if no password policy is defined. For information about password policies, see "Managing Password Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

    3. In the Confirm new password field, re-enter the password.

  4. To generate a random password, select the Auto generate the Password (Randomly generated) option.

  5. Verify that the Email the new password to the user option is selected so that the new password is sent to the user through e-mail.

  6. Click Reset Password. A confirmation message is displayed stating that the password is changed successfully.

Tip:

If the user forgets the password and tries to retrieve it, then the challenge questions are prompted to the user. The user must enter the same answers provided while creating a password. You can configure the challenge questions for the users by using Oracle Identity Manager Design Console.

To configure challenge questions for the user:

  1. Login to Oracle Identity Manager Design Console.

  2. Navigate to Administration, Lookup Definition.

  3. Search for the Lookup for challenge questions, that is, lookup Code = Lookup.WebClient.Questions.

  4. In the Lookup Code Information tab, add questions by entering the appropriate values in the Code Key and Decode fields.

  5. Click Add.

  6. Add this key to the custom resource bundle.

For more information about the Lookup Definition form, see "Lookup Definition Form" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

11.3.3.3.6 Deleting User

This operation is available only if the user status is not Deleted.

If the user is currently disabled, and the Automatically Delete On attribute is set to a future date, then the disable operation fails, and a message is displayed stating that the user cannot be deleted because it is currently scheduled to be deleted at a future date.

To delete a user:

  1. In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of advanced search. In addition, you can perform this operation from the page that displays user details.

  2. From the Action menu, select Delete User. Alternatively, you can click the Delete User icon on the toolbar. If the user details page for the user is open, then you can click Delete User on the toolbar. A message is displayed asking for confirmation.

  3. Click OK. A confirmation message is displayed stating that the user is successfully deleted.

  4. Click OK to close the message box.

    If you delete a user from the user detail page, then the successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.

Sometimes, you might not want a delete operation to immediately delete the user. Instead, you might want a delete operation to disable the user for a predefined period of time, during which the delete operation can be canceled. After that predefined period of time, the user is deleted. This is called a delayed delete.

To configure delayed delete in Oracle Identity Manager, you must define the Period to Delay User Delete configuration property, which specifies the predefined wait period in days to hold on the delete operation. If you do not want to configure delayed delete, then set the value of the Period to Delay User Delete configuration property to 0 or a negative number. After a user is deleted, if you want to disable the user entity with a date counter that specifies the date and time when the user must be permanently deleted, then set the value of the Period to Delay User Delete configuration property to greater than 0.

Note:

To configure delayed delete:
  1. In the Welcome page for Oracle Identity Manager Administration, under System Management, click System Configuration.

  2. In the left pane, search for system properties.

  3. In the search result, select the Period to Delay User Delete property.

  4. Edit the property value to specify a delay period to delete the user.

  5. Save the property.

For more information about system properties, see "Administering System Properties" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

As a result of delayed delete:

  • The disable status is similar to a regular disable operation that prevents the user from logging into Oracle Identity Manager and disables all provisioned resources.

  • When a user is in disabled status, enabling the user cancels the delete operation. The date on which the user will be deleted is displayed on the user profile.

  • If a user stays disabled and the predefined period expires, then the user is deleted at that time.

11.3.3.4 Bulk User Modifications

The bulk operations are performed from the search results for simple and advanced search. You can select multiple users and then select the available option from the Action menu. You can perform the following bulk operations:

  • Enabling users: If all the selected users are in Disabled state

  • Disabling users: If all the selected users are in Enabled state

  • Locking users: If all the selected user are in Unlocked state

  • Unlocking users: If all the selected users are in Locked state

  • Deleting users: If all the selected users are not in Deleted state

Note:

For all the bulk modify operations, you must have the required authorization and you must select multiple users.

You can use the Bulk Modify page to make changes to multiple users at a time. You can open this page if you are authorized to modify users as determined by the authorization policy on the Modify User Profile privilege on any organization in Oracle Identity Manager.

You can open the Bulk Modify page in any one of the following ways:

  • Selecting Bulk Modify from the Action menu in a user search results page, after selecting multiple users

  • Selecting the Bulk Modify icon on the toolbar in a user search results page, after selecting multiple users

Table 11-6 describes the fields in various sections of the Bulk Modify page:

Table 11-6 Fields in the Bulk Modify Page

Section Field Description

Basic User Information

Design Console Access

Design Console Access check box that indicates whether or not the users can login to the Design Console.

 

Manager

The reporting manager of the selected users.

 

Organization

The organization to which the selected users belong.

 

User Type

The type of selected employees, such as full-time employee, intern, contractor, part-time employee, consultant, or temporary.

Account Effective Dates

Start Date

The date when the selected users will be activated in the system.

 

End Date

The date when the selected users will be deactivated in the system.

Provisioning Dates

Provisioning Date

The date when the users are provisioned.

 

Deprovisioning Date

The date when the users are provisioned.


Only those attributes configured as part of the modify operation in user management configuration are displayed as fields in the Bulk Modify page. The attributes displayed are restricted to those defined in the user entity definition with the Support Bulk Update property set to Yes. The attributes are further filtered based on authorization policies that specify the attributes for the selected users that you have privileges to modify.

The permissions are based on authorization policy. For instance, if the authorization policy mentions that you can modify only the first name for one user and only the last name for another user, based on the users selected, it is possible that you select these names and the attributes to display on the page, results in no fields being allowed. As a result, the Bulk Modify page displays an error message stating that the attributes of the selected users cannot be modified in bulk, and the user selection must be changed.

11.4 User Management Authorization

Run-time security is enforced in the user management service through authorization policies. Each role in Oracle Identity Manager can be associated with one or more such authorization policies. Users that are members of a role are authorized to perform various user tasks based on the privileges granted to the role by its associated authorization policies. Because a user may have many roles, the privileges of a user are the cumulative privileges of his collective roles.

The access controls are implemented in the form of authorization policies that are managed by the Oracle Entitlements Server (OES). These policies define the controls in terms of roles and targets. The target is a combination of privilege, entity, and entity attribute.

See Also:

Chapter 15, "Managing Authorization Policies" for detailed information about authorization policies in Oracle Identity Manager

If a user has multiple roles that have different authorization policies applicable in the same context, then the user's access rights are the cumulative rights across those policies. In other words, if a policy with read permission is granted to a role, and a policy with write permission is granted to another role, then a user with both the roles has read and write permission.

The authorization model is described in the following topics:

11.4.1 Privileges

All authorization privileges are controlled by authorization policies. Oracle Identity Manager explicitly defines privileges that control access rights for performing various operations in the application.

Table 11-7 lists the authorization privileges available in Oracle Identity Manager for the user management feature that and can be assigned to roles as part of an authorization policy definition:

Note:

For the Entity Instance Level, there must be a qualifier that determines over which users the logged in user has the privilege for all the privileges.

Table 11-7 Authorization Privileges for User Management

Privilege Description

Search for Users

You can define this qualifier in terms of organizations, role memberships, or attribute-based rules. For information about defining this qualifier, see Chapter 15, "Managing Authorization Policies".

Note:

  • The "Search for Users" privilege depends on the "View User Details" privilege to determine which attributes can be included in the search results and which attributes can be included in the search criteria for a user search. Consequently, any User Management policy that provides the "Search User" permission should also provide the "View User Details" permission. The "View User Details" permission should include the User Login, Account Status, Identity Status, and Display Name attributes. If you do not provide these attributes, the user might not be fully viewable or editable.

  • To enable users to perform a search based upon an user attribute, you must also configure that attribute as "Searchable" in the user configuration.

There is a default authorization policy for the search operation that decides what the user can search. For information about default authorization policies for user management, see "User Management".

View User Details

This privilege determines if you have the ability to display the User Details page for a user from the search results table.

This privilege supports the following fine-grained controls:

  • Entity Instance Level: The qualifier can be defined in terms of the organization membership and/or the management chain. Refer "Creating an Authorization Policy for User Management" for details on how to define these qualifiers. Refer "Data Constraints" for information about data constraints used in authorization policies for user management.

  • Attribute Level: There must be qualifiers that determine your privilege to view attributes in the User Details page. This qualifier must list all the attributes from the user entity definition that you can view.

Note: The View User Details privilege cannot specify which detail sections can be viewed by the user. This privilege determines whether or not complete user details page with all sections can be viewed. If the user details page can be viewed, then this privilege determines which attributes are displayed in the Attribute Profile of a user.

Modify User Profile

This privilege determines if you have the ability to modify the user profile attributes of a user on the User Details page.

This privilege supports the following fine-grained controls:

  • Entity Instance Level: The qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

  • Attribute Level: There must be qualifiers that determine your privilege to modify attributes in the User Details page. This qualifier must list all the attributes from the user entity definition that you can edit. You must also grant the View User Details privilege for all these attributes.

Provision Resource to User

This privilege determines if you have the ability to provision or deprovision resources to a user on the Resource Profile section of the User Details Page. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Modify User Proxy Profile

This privilege determines if you have the ability to modify the user's proxy details on the Proxy Details section of the User Details page. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Modify User Status

This privilege determines if you have the ability to enable or disable a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Modify OIM Account Status

This privilege determines if you have the ability to lock or unlock a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Delete User

This privilege determines if you have the ability to delete a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Change Password

This privilege determines if you have the ability to change a user's enterprise password. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.

Create User

This privilege determines if you have the ability to create users in Oracle Identity Manager. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier must be defined in terms of organizations.

Evaluate Access Policies

This privilege determines if you have the ability to initiate access policy evaluation for a user when necessary.

Note: There is no UI operation to initiate on-demand access policy evaluation.

View User Requests

This privilege determines if you have the ability to view the requests raised for a user.

Change User Password

This privilege determines if you have the ability to change the password of a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.


Note:

The Modify Role Membership permission for role management determines if the user can perform add or remove role operations from the Roles tab of the modify user page. For more information about this permission, see "Managing Authorization for Roles".

11.4.2 Attributes

The read/write permissions for attributes define the actual set of readable or modifiable attributes in the context of the view or modify operation.

11.4.3 Data Constraints

The following data constraints are used in the authorization policies for user management:

  • List of organizations: This limits the scope of the privilege for the assignee to only the organizations listed. Organization membership can be controlled by the Hierarchy Aware option in the authorization policies UI.

    • When the Hierarchy Aware option is set to false, then the scope of the privilege is only to the users that are direct members of the organization. For example, if the organization is Development Center and it has USA Development Center and China Development Center as the suborganizations, then the privilege can be exercised against users that are directly under the Development Center organization.

    • When the Hierarchy Aware option is set to true, then the scope of the privilege is applicable to users who are direct members of the listed organization and the users who are members of any of the sub-organizations of these organizations. For example, if the organization is Development Center and it has USA Development Center and China Development Center as the suborganizations, then the privilege can be exercised against users in all of these organizations.

  • Assignee must be in the same organization: This flag limits the scope of the privilege for the assignee to only the assignee's organization. For example, the organization list in the policy is USA, China, and Canada. If this flag is set and the assignee's organization is USA, then the privilege can be exercised only in the USA organization.

  • Management chain of user: This flag limits the scope of the privilege for the assignee to only the assignee's direct and indirect reports. For example:

    DR1, DR2, and DR3 are direct reports of M1.

    DR1_1, DR1_2, DR1_3, and DR1_4 are direct reports of DR1.

    DR2_1, DR2_2, and DR2_3 are direct reports of DR2.

    DR2_2_1 and DR2_2_2 are direct reports of DR2_2.

    Here, M1 can exercise the privilege on all of DR1, DR2, and DR3 and their direct and indirect reports if the Management Chain of User option is selected.

11.4.4 Authorization with Multiple Policies

If a user has multiple roles that have different authorization policies applicable in the same context, then the user's access rights are the cumulative rights across those policies.

The authorization check for the Search for Users permission returns a list of obligations. This is a list of obligations from each applicable authorization policy. These obligations from multiple policies are combined to get a unified search result.

This section describes how obligations are handled for various user management operations. It contains the following topics:

11.4.4.1 Search Operation Authorization with Multiple Authorization Policies

There can be the following types of obligations for the search operation:

  • List of organizations: The list of organizations can be for direct or indirect organization membership, which is controlled by the Hierarchy Aware data constraint. A special value here can be list of all organizations in Oracle Identity Manager. The logged in user can search only within this set of organizations.

  • Is in the same organization: This obligation means that the logged in user can search for users only in the user's own organization.

  • Is in management hierarchy: This obligation means that the logged in user can search for any users in the user's management hierarchy.

  • Viewable Attributes: This obligation contains the list of authorized viewable attributes. The search operation can be performed only against these attributes.

If there are multiple authorization policies that grant the search privilege to a user, then the search behavior is as follows:

  1. The set of users who can be searched by the logged in user will be the union of set of users on which search privilege is provided by each of these policies.

  2. The set of attributes returned as part of the search results is the union of sets of attributes on which View User Details privilege is granted by each of the these policies.

This is described with the help of the following example:

Policy1 returns the First Name, Last Name, and Middle Name attributes, and Policy2 returns the User Login, User Type, and OIM User Type attributes. When obligations from both the policies are enforced, the returned attribute list is First Name, Last Name, Middle Name, User Login, User Type, and OIM User Type for all users. The policy due to which the user is selected as part of the results is not checked. Therefore, do not configure attributes from the configuration service that might display confidential data in the search results.

In an another example, suppose there are three authorization policies defined for the search operation. The following table lists the details of the sample authorization policies:

Policy Name Entity Name Permissions Data Constraints Assignment
Policy1 User management Search

Modify User Profile. Attributes include First Name, Last Name, and Middle Name

View User Details. Attributes include Display Name, First Name, Last Name, and Middle Name

Users that are members of the Org1 and Org2 organizationsHierarchy Aware (include all Child Organizations) = TRUE Role: Role1

Management Chain of User = FALSE

Assignee must be a member of the User's Organization = TRUE

Policy2 User management Search

Modify User Profile. Attribute includes User Type

View User Details. Attributes include User Login, User Type, and OIM User Type

Users that are members of the Org3 organizationHierarchy Aware (include all Child Organizations) = FALSE Role: Role2

Management Chain of User = FALSE

Assignee must be a member of the User's Organization = FALSE

Policy3 User management Search

Modify User Profile. Attribute includes Designation

View User Details. Attributes include User Login, User Type, OIM User Type, and Designation

All Users Role: Role2

Management Chain of User = TRUE

Assignee must be a member of the User's Organization = FALSE


In this example:

  • Org1 has Org1Child1 and Org1Child2 as child organizations.

  • Org1Child1 has Org1Child1_Child1 as the child organization.

  • Org3 has Org3Child1 and Org3Child2 as child organizations.

Consider the following scenarios:

Scenario I:

User1 has Role1 only and belongs to the Org1Child1 organization. The user can:

  • Search for users who are members of Org1Child1 organization. The search can be performed on the basis of First Name, Last Name, and Middle Name, and Display Name user attributes and also the search result can contain a subset of the set of these attributes.

  • Modify the First Name, Last Name, and Middle Name user attributes from the Org1Child1 organization.

Scenario II:

User2 has Role1 and Role2 and belongs to the Org2 organization. User2 has direct reports DR1 and DR2 belonging to the Org2 organization. The user can:

  • View the User Login, User Type, and OIM User Type user attributes from the Org3 organization because of Policy2.

  • Modify the User Type attribute from the Org3 organization because of Policy2.

  • View the First Name, Last Name, and Middle Name user attributes from the Org2 organization, because of Policy1.

  • Modify the First Name, Last Name, and Middle Name user attributes from the Org2 organization, because of Policy1.

  • View the User Login, User Type, OIM User Type, and Designation user attributes of all the user's direct reports because of Policy3.

  • Modify the Designation attribute of all the user's direct reports because of Policy3.

If the user being tried to modify is DR1, then the list of modifiable attributes are First Name, Last Name, Middle Name because of Policy1, and Designation because of Policy3.

The user cannot view, modify, and search users from child organizations of Org3, which are Org3Child1 and Org3Child2.

Based on these scenarios, for the search operation, a union of the viewable attributes from all the three authorization policies are displayed to the user. In other words, the user is able to see User Login, User Type, OIM User Type, First Name, Last Name, Middle Name, Display Name, and Designation attributes in the search results irrespective of the authorization policy. Here, the Designation attribute is displayed not only for DR1 and DR2, who are direct reports of User2, but are displayed for all the users in the results.

11.4.4.2 Modify Operation Authorization with Multiple Authorization Policies

If the logged in user is allowed to modify a user profile as defined by multiple policies, then a union of the set of attributes from individual policies is used for performing the operation. Refer to Scenario II of the "Search Operation Authorization with Multiple Authorization Policies" for the example related to the modify operation in case of multiple applicable authorization policies.

11.5 Username Reservation

A request for creating a user can be raised from Oracle Identity Manager Self Service or Oracle Identity Manager Administration. When the request is submitted, the following scenarios are possible:

To avoid these problems, you can reserve the username in both Oracle Identity Manager and LDAP while the create user request is pending for approval. If a request is created to create a user with the same username, then an error message is displayed and the create user request is not created.

See Also:

"Creating a Request To Create a User" for information about creating requests to create a user

For reserving the username:

If user attribute reservation is enabled, the reservation happens in two phases:

In the first phase, an entry is created in Oracle Identity Manager database and a user is created in reservation container. This entry in Oracle Identity Manager database is removed after successful creation of user, rejection by approver, or request failure.

In the second phase, in LDAP, on successful creation, the user is moved to the reservation container. In other cases such as rejection by approver or request failure, the user is removed from the reservation container.

After the request-level and operation-level approvals are obtained for the create user request, the username is no longer reserved in the username container in LDAP. The username is moved to the container in which the existing users are stored. The user is also created in Oracle Identity Manager.

This section consists of the following topics:

11.5.1 Enabling and Disabling Username Reservation

The username reservation functionality is enabled by default in Oracle Identity Manager. This is done by keeping the value of the USER ATTRIBUTE RESERVATION ENABLED system property to TRUE. You can verify the value of this system property in the System Configuration section of Oracle Identity Manager Administration.

To disable username reservation:

  1. Log in to the Administrative and User Console.

  2. Click Advanced Administration.

  3. Click System Management.

  4. Click System Configuration.

  5. On the left pane, click the search icon to search for all existing system properties. A list of system properties are displayed in the search results table.

  6. Click User Attribute Reservation Enabled. The System Property Detail page for the selected system property is displayed, as shown in Figure 11-7:

    Figure 11-7 The System Property Detail Page

    Description of Figure 11-7 follows
    Description of "Figure 11-7 The System Property Detail Page"

  7. In the Value field, enter False.

  8. Click Save. The username reservation functionality is disabled.

11.5.2 Configuring the Username Policy

Username Policy is a plugin implementation for username operations such as username generation and username validation. The policies follow Oracle Identity Manager plug-in framework. You can add your own policies by adding new plug-ins and changing the default policies from the System Configuration section in Oracle Identity Administration.

See Also:

"Developing Plug-ins" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about the plug-in framework

In case of create user request, the plugins are invoked only if the user login is not provided. In such a case, the plugin to be invoked is picked up from the system property, "Default policy for username generation".

Table 11-8 lists the predefined username policies provided by Oracle Identity Manager. In this table, the dollar ($) sign in the username generation indicates random alphabet:

Table 11-8 Predefined Username Policies

Policy Name Expected Information Username Generated

oracle.iam.identity.usermgmt.impl.plugins.EmailUserNamePolicy

E-mail

If e-mail is provided, then e-mail is generated as username.

oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstInitialLocalePolicy

First name, last name, and locale

last name + first initial_locale, last name + middle initial + first initial_locale, last name + $ + first initial_locale (all possibilities of single random alphabets), last name + $$ + first initial_locale

oracle.iam.identity.usermgmt.impl.plugins.FirstInitialLastNameLocalePolicy

Firstname, Lastname, Locale

first initial + lastname_locale, first initial + middle initial + first name_locale, first initial + $ + lastname_locale, first initial + $$ + lastname_locale

oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstInitialPolicy

Firstname, Lastname

lastname+firstInitial, lastname+middleinitial+firstInitial, lastname+$+firstInitial ( all possibilities of single random alphabets) , lastname+$$+firstInitial

oracle.iam.identity.usermgmt.impl.plugins.FirstInitialLastNamePolicy

Firstname, Lastname

firstInitial+lastname, firstInitial+middleInitial+firstname, firstInitial+$+lastname, firstInitial+$$+lastname

oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicy

Firstname, Lastname

lastname.firstname, lastname.middleinitial.firstname, lastname.$.firstname ( all possibilities of single random alphabets) , lastname.$$.firstname

oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicy

Firstname, Lastname

firstname.lastname, firstname.middleinitial.lastname, firstname.$.lastname (all possibilities of single random alphabets) , firstname.$$.lastname

oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy

E-mail

If e-mail is provided, then username is generated based on the e-mail. If e-mail is not available, then it generates username based on firstname and lastname by appending a user domain to it. The user domain is configured as the Default user name domain system property, and the default value is @oracle.com

oracle.iam.identity.usermgmt.impl.plugins.LastNamePolicy,

Lastname

lastname, middle initial + lastname , $ + lastname, $$ + lastname

oracle.iam.identity.usermgmt.impl.plugins.LastNameLocalePolicy

Lastname, Locale

lastname_locale, middle initial + lastname_locale , $ + lastname_locale, $$ + lastname_locale

oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD

Firstname, Lastname

firstname+lastname, substring of firstname+lastname+$, substring of firstname+ substring of lastname+$

oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicyForAD

Lastname, Firstname

lastname+firstname, lastname+substring of firstname+$, substring of lastname+ substring of firstname+$


Values must be provided for all the parameters of the username generation format. If any of the parameters are not provided, then Oracle Identity Manager generates an error. For example, If the firstname.lastname policy is configured and the firstname is not provided, then the error would be "An error occurred while generating the Username. Please provide firstname as expected by the firstname.lastname policy".

The UserManager exposes APIs for username operations. The APIs take the user data as input and return a generated username. The APIs make a call to plug-ins that return the username. This allows you to replace the default policies with custom plug-ins with your implementation for username operations.

Note:

You can plug-in your own username policies by implementing the plug-in interface, as shown:

package oracle.iam.identity.usermgmt.api;
public interface UsernamePolicy {
           public String getUserNameFromPolicy(HashMap<String, String> reqData) throws UserNameGenerationException;
        
          public boolean isUserNameValid(String userName, HashMap<String, String> reqData);
          public String getDescription(Locale locale);
}

This plug-in point is exposed as a kernel plug-in that takes request data as input and returns the username. Each plug-in expects some information and generates username based on that information provided. The policy implementations generate the username, check for its availability, and if the username is not available, then generate other username based on the policy in the order mentioned in Table 11-8, and repeat the procedure. The dollar ($) sign in the username generation indicates random alphabet. If any of the expected information is missing, then the policies generate errors.

The username generation is exposed as public APIs in User Manager. Oracle Identity Manager provides an utility class for accessing the functionality of generating user names. The class that contains utility methods is as shown:

oracle.iam.identity.usermgmt.api.UserManager

This class exposes the following main methods:

//Method that will generate username based on default policy
        public String generateUserName(HashMap<String, String> requestData) 
                                    throws UserNameGenerationException

//Method that will generate username based on policy
        public String generateUserName(String policyID, HashMap requestData)                                    throws UserNameGenerationException

//Method that will check whether username is valid against default policy
        public boolean isUserNameValid(String userName,                          HashMap<String, String> reqData)

//Method that will check whether username is valid against given policy
        public boolean isUserNameValid(String userName, String userNamePolicyPluginID, HashMap<String, String> requestData)

//Method to return all policies (including customer written)
        public List<Map<String, String>> getAllUserNamePolicies(Locale locale)

//Method that will return policy description in given locale
        public String getPolicyDescription(String policyID, Locale locale)

Table 11-9 lists the constants defined in the UserManager class to represent the policy ID of the default username policies:

Table 11-9 Constants Representing Policy IDs

Policy Name Constant

EmailUserNamePolicy

EMAIL_ID_POLICY

LastNameFirstInitialLocalePolicy

FIRSTNAME_LASTNAME_POLICY

FirstInitialLastNameLocalePolicy

LASTNAME_FIRSTNAME_POLICY

LastNameFirstInitialPolicy

FIRSTINITIAL_LASTNAME_POLICY

FirstInitialLastNamePolicy

LASTNAME_FIRSTINITIAL_POLICY

LastNameFirstNamePolicy

FIRSTINITIAL_LASTNAME_LOCALE_POLICY

FirstNameLastNamePolicy

LASTNAME_FIRSTINITIAL_LOCALE_POLICY

DefaultComboPolicy

DEFAULT_COMBO_POLICY

LastNamePolicy

LASTNAME_POLICY

LastNameLocalePolicy

LASTNAME_LOCALE_POLICY

FirstNameLastNamePolicyForAD

FIRSTNAME_LASTNAME_POLICY_FOR_AD

LastNameFirstNamePolicyForAD

LASTNAME_FIRSTNAME_POLICY_FOR_AD


When called to generate username, the policy classes expect the attribute values to be set in a map by using the key constants defined in the oracle.iam.identity.utils class.Constants. This means that a proper parameter value must be passed to call the method by using the appropriate constant defined for it, for example, the FirstName parameter has a constant defined for it.

The default username policy can be configured by using Oracle Identity Manager Administration. To do so:

  1. Navigate to the System Configuration section.

  2. Search for all the system properties.

  3. Click Default policy for username generation. The System Property Detail page for the selected property is displayed, as shown in Figure 11-8:

    Figure 11-8 The Default Username Policy Configuration

    Description of Figure 11-8 follows
    Description of "Figure 11-8 The Default Username Policy Configuration"

    The XL.DefaultUserNameImpl system property is provided for picking up the default policy implementation. By default, it points to the default username policy, which is oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy displayed in the Value field.

  4. In the Value field, enter oracle.iam.identity.usermgmt.impl.plugins.POLICY. Here, POLICY is one of the policy implementations.

    Note:

    All the plug-ins must be registered with Oracle Identity Manager by using the /identity/metadata/plugin.xml file. A sample plugin.xml file is as shown:
    <plugins pluginpoint="oracle.iam.identity.usermgmt.api.UserNamePolicy">        <plugin
    pluginclass="oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicy"
    version="1.0" name="LastNameFirstNamePolicy"/>
    </plugins>
    
  5. Click Save.

11.5.3 Releasing the Username

The username is released in the following scenarios:

  • When the request is approved, and the user is successfully created in Oracle Identity Manager and provisioned to LDAP, and the username from the reserved table is removed. The reserved username is removed after successful user creation after the approvals. The reserved entry in LDAP is removed and the actual user is created.

  • If the request is rejected, then the reserved entry of username in LDAP and Oracle Identity Manager are removed.

  • If the request fails while or before creating a user in Oracle Identity Manager or LDAP, then the reserved username is deleted.

11.5.4 Configuring Username Generation to Support Microsoft Active Directory

In Oracle Identity Manager deployment with LDAP synchronization is enabled, where Microsoft Active Directory (AD) is the data store, the User Login attribute in Oracle Identity Manager is mapped to the uid attribute in LDAP, which in turn is mapped to the sAMAccountName attribute. The sAMAccountName attribute is used as login for all AD-based applications. There is limitation on the maximum length supported for value contained in the sAMAccountName attribute in AD. It cannot exceed 20 characters.

Oracle Identity Manager accepts user name as an input at the time of user creation and it can be more than 20 characters. Because AD does not support user name of more than 20 characters, Oracle Identity Manager can be configured to generate the user name, which consists of less than 20 characters.

When AD is used as data store, you can configure the autogeneration of user name by setting the value of the XL.DefaultUserNamePolicyImpl system property to any one of the following:

  • FirstNameLastNamePolicyForAD: Generates the user login by prefixing a substring from the first name to that of the last name

  • LastNameFirstNamePolicyForAD: Generates the user login by prefixing a substring from last name to that of the first name

See "Administering System Properties" for information about the XL.DefaultUserNamePolicyImpl system property and setting values of system properties.

Note:

If AD is the data store, then any one of the FirstNameLastNamePolicyForAD or LastNameFirstNamePolicyForAD policies must be used. Any other user name generation policy will fail to generate the user name.

11.6 Common Name Generation

The generation of the Common Name user attribute value in Oracle Identity Manager is described in the following sections:

11.6.1 Common Name Generation for Create User Operation

In an LDAP-enabled deployment of Oracle Identity Manager, Fusion applications such as Human Capability Management (HCM) does not pass the common name via SPML request. Given that the common name is a mandatory attribute in LDAP and Oracle Identity Manager is setup to use it as the RDN, Oracle Identity Manager must generate a unique common name.

Based on the description on Common Name, it is the user's display name consisting of first name and last name. Therefore, Oracle Identity Manager generates the Common Name with the help of a common name generation policy that specifies the Common Name in the "firstname lastname" format.

To configure common name generation in Oracle Identity Manager, set the value of the XL. DefaultCommonNamePolicyImpl system property to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicy. For information about the XL. DefaultCommonNamePolicyImpl system property and setting the value of a system property, see "Administering System Properties" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

The following are the details of the FirstNameLastNamePolicy:

  • Expected information: Firstname, Lastname

  • Common Name generated: firstname.lastname, firstname.$.lastname (all possibilities of single random alphabets), firstname.$$.lastname and so on until a unique common name is generated

    Note:

    The common name must be reserved until the user is created by the request so that multiple requests generated simultaneously having same first and last names do not generate the same common name.

11.6.2 Common Name Generation for Modify User Operation

When the user profile is modified, one or more attributes can change. HCM cannot filter out and send only the modified data to Oracle Identity Manager because it does not have the old user attributes and cannot determine which ones are modified. Therefore, all attributes including the common name (CN) are passed to Oracle Identity Manager by the SPML request. Because the CN changed, Oracle Identity Manager attempts a modify operation (modrdn) in the directory resulting in DN change. Because of this unintended DN change, the group membership DN becomes stale resulting in the user loosing membership in that group. This subsequently results in authorization failure. This happens when referential integrity is turned off in the LDAP server, and therefore, the referenced groups are not updated when the RDN of the user changes. Therefore, referential integrity must be turned on in the target LDAP server. Otherwise, the group memberships become stale. The referential integrity issue is also applicable to roles. Groups are also members of other groups and any RDN changes must be reflected as well.

You can turn on the referential integrity by setting the value of the XL.IsReferentialIntegrityEnabled system property to TRUE. For information about this system property, see "Administering System Properties" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

Table 11-10 lists the possible scenarios when RDN is modified:

Table 11-10 RDN Modification Scenarios

Referential Integrity in LDAP XL.IsReferentialIntegrityEnabled Result of Modify Operaton (modrdn)

Disabled

FALSE

Oracle Identity Manager generates an error and operation fails.

Disabled

TRUE

Modify operation passes from Oracle Identity Manager and RDN is changed in LDAP. However, the group references are not updated and are stale. This configuration is not recommended.

Enabled

FALSE

Oracle Identity Manager generates an error and modify operation fails. This property must be set to TRUE in Oracle Identity Manager because referential integrity is enabled in LDAP.

Enabled

TRUE

Modify operation passes and RDN is updated. In addition, the references for the DN are updated in LDAP.

Multiple directories with roles and users stored in separate directories.

Referential integrity property is not relevant here.

FALSE

Modify operation fails from Oracle Identity Manager. This is not supported by LDAP. Therefore, FALSE is the recommended value in Oracle Identity Manager for the property.

Multiple directories with roles and users stored in separate directories.

Referential integrity property is not relevant here.

TRUE

Modify operation passes and RDN is modified. However, because LDAP does not support referential integrity in multiple directories, the group references are stale and must be manually updated.