13 Managing Organizations

An organization entity represents a logical container of entities such as users and other organizations in Oracle Identity Manager.

Organizations are containers that can be used for delegated administrative models. In addition, an organization defines the scope of other Oracle Identity Manager entities, such as users. Oracle Identity Manager can have a flat organization structure or a hierarchical structure, which means that an organization can contain other organizations. The hierarchy represents departments, geographical areas, or other logical divisions facilitating management of Oracle Identity Manager entities.

To scale delegated administration to a large number of roles and people in an organization of significant size, Oracle Identity Manager lets you define delegated administration policies based on the membership of an object within a hierarchy. This also supports recursive organization membership, such as the hierarchy shown in Figure 13-1:

Figure 13-1 Recursive Organization Membership

Description of Figure 13-1 follows
Description of "Figure 13-1 Recursive Organization Membership"

If a hierarchical delegated administration policy grants Delegated Administrator1 the permission to reset passwords starting from Engineering, then the permission applies to Employee1, Employee2, Employee3, and Employee4. If the membership root is Development instead, then Delegated Administrator1 has the permission for Employee2 and Employee3 only.
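The following Python model is an added example, not code from the Oracle documentation or from Oracle Identity Manager. It shows how a hierarchy-aware policy resolves to a concrete set of users, and how the same policy behaves when it is scoped "without hierarchy" (the data-constraint option discussed in "Organization Management Authorization"). The "QA" organization, the placement of Employee1 and Employee4, and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Org:
    name: str
    parent: Optional[str] = None   # None marks a root organization


@dataclass
class User:
    login: str
    org: str                       # home organization


@dataclass
class Policy:
    """Hierarchical delegated-administration policy: `admin` gets `permission`
    on users in `membership_root` and, if include_hierarchy is set, in every
    organization below it (the 'with or without hierarchy' data constraint)."""
    admin: str
    permission: str
    membership_root: str
    include_hierarchy: bool = True


def descendants(root: str, orgs: Dict[str, Org]) -> Set[str]:
    """Return root plus every organization beneath it, following parent links."""
    by_parent: Dict[Optional[str], List[str]] = {}
    for o in orgs.values():
        by_parent.setdefault(o.parent, []).append(o.name)
    seen: Set[str] = set()
    stack = [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue               # tolerate a cyclic parent link in bad data
        seen.add(name)
        stack.extend(by_parent.get(name, []))
    return seen


def users_in_scope(policy: Policy, orgs: Dict[str, Org], users: List[User]) -> List[str]:
    """Logins the policy covers, given the organization tree."""
    if policy.include_hierarchy:
        scope = descendants(policy.membership_root, orgs)
    else:
        scope = {policy.membership_root}
    return sorted(u.login for u in users if u.org in scope)


def is_permitted(admin: str, permission: str, target_login: str,
                 policies: List[Policy], orgs: Dict[str, Org], users: List[User]) -> bool:
    """Authorization decision: some policy for this admin and permission
    must place the target user inside its scope."""
    return any(p.admin == admin and p.permission == permission
               and target_login in users_in_scope(p, orgs, users)
               for p in policies)


# Constructed data loosely following the Figure 13-1 example (assumption:
# a "QA" child organization holding Employee4; Employee1 sits in Engineering).
ORGS = {o.name: o for o in (Org("Engineering"),
                            Org("Development", parent="Engineering"),
                            Org("QA", parent="Engineering"))}
USERS = [User("Employee1", "Engineering"), User("Employee2", "Development"),
         User("Employee3", "Development"), User("Employee4", "QA")]

if __name__ == "__main__":
    from_eng = Policy("DelegatedAdministrator1", "reset_password", "Engineering")
    from_dev = Policy("DelegatedAdministrator1", "reset_password", "Development")
    print(users_in_scope(from_eng, ORGS, USERS))   # all four employees
    print(users_in_scope(from_dev, ORGS, USERS))   # Employee2 and Employee3
```

The check a practitioner wants before granting a root-level policy is the first call: a policy rooted at Engineering quietly covers every organization that will ever be created beneath it, whereas the non-hierarchical variant covers only direct members of the root.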

The functional description of the organization services and of the UI components that support these services is provided in the following sections:

13.1 Organization Entity Definition

In Oracle Identity Manager, a set of attributes is defined by default for the organization entity. Each attribute is described by the same set of properties (category, type, data type, display type, and so on) that is used for all entities, such as user, organization, role, role hierarchy, and role membership. For a list of attributes defined for the entities, see "User Entity Definition".

Table 13-1 lists the default attributes of the organization entity:

Table 13-1 Default Attributes of the Organization Entity

Attribute Name       Category  Type    Data Type  Display Type      Properties
Organization Name    Basic     Single  String     Single line text  Required: Yes; System-Can-Default: No; System-Controlled: No; Encryption: Clear; User-Searchable: Yes
Type                 Basic     Single  String     LOV               Required: Yes; System-Can-Default: Yes; System-Controlled: Yes; Encryption: Clear; User-Searchable: Yes
Parent Organization  Basic     Single  String     Single line text  Required: No; System-Can-Default: No; System-Controlled: No; Encryption: Clear; User-Searchable: Yes
Status               Basic     Single  String     Single line text  Required: Yes; System-Can-Default: Yes; System-Controlled: Yes; Encryption: Clear; User-Searchable: Yes


13.2 Organization Management Tasks

The tasks related to organization management are performed in the Organization Management section of Oracle Identity Manager Administration. The tasks are described in the following sections:

13.2.1 Searching Organizations

Oracle Identity Manager Administration allows you to perform the following types of organization search operations:

Note:

The organizations that are displayed in the search result when you search for organizations are controlled by the XL.EnableOrgPermissionCheck system property. See "System Properties in Oracle Identity Manager" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about this system property.

13.2.1.1 Performing Simple Search

The simple search operation lets you search organization entities based on the search strings that you specify as search attributes. This operation is also referred to as quick search.

To perform a simple search for organizations:

  1. Log in to Oracle Identity Manager Administration.

  2. In the Administration tab on the left pane, from the drop-down list, select Organizations.

  3. In the Search field, enter an organization name as a search criterion. You can include wildcard characters (*) in your search criterion. For performance reasons, a leading (prefix) wildcard is removed and a trailing (suffix) wildcard is always added, so every simple search is effectively a prefix search on the organization name: a criterion of *eering does not find Engineering, but Eng does.

  4. Click the search icon. In the Search Results tab, the search result is displayed in a table that shows the organization names that matched the search criterion. Figure 13-2 shows the search results table:

    Figure 13-2 Organization Search Result

    Description of Figure 13-2 follows
    Description of "Figure 13-2 Organization Search Result"

13.2.1.2 Performing Advanced Search

Advanced search for organizations allows you to specify more complex search criteria than the simple search operation. The results are displayed in search results table.

To perform advanced search for organizations:

  1. Log in to Oracle Identity Manager Administration.

  2. In the Welcome page, under Organizations, click Advanced Search - Organizations. The Advanced Search page is displayed on the right pane.

  3. Select any one of the following:

    • All: Search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.

    • Any: Search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.

  4. In the Organization Name field, enter the organization name search attribute that you want to search. To do so, select a search comparator. The default search comparator is "Begins With". The comparator "Equals" is available in the pulldown list as an alternative. See "Search Comparators" for more information about search comparators.

    You can use wildcard characters to specify the organization name.

  5. From the Organization Customer Type list, select the organization type. The organization type can be Branch, Department, or Company.

  6. From the Add Fields button, select Organization Status.

  7. From the Organization Status list, select the organization status, which can be Active, Deleted, or Disabled.

  8. Click Search. The results are displayed in the search results table, as shown in Figure 13-3. The search results table displays the organization name, parent organization, organization customer type, and organization status.

    Figure 13-3 Advanced Search

    Description of Figure 13-3 follows
    Description of "Figure 13-3 Advanced Search"
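The following Python snippet is an added example, not code from the Oracle documentation or from Oracle Identity Manager, that reproduces the search semantics described in the two procedures above: the simple search rewrites the criterion (leading wildcard dropped, trailing wildcard appended), and the advanced search combines several criteria with All (AND) or Any (OR) using the Begins With and Equals comparators. Case-insensitive matching, the use of shell-style wildcard matching, and the sample organizations are assumptions.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample organizations with the attributes the search results table shows.
SAMPLE_ORGS: List[Dict[str, str]] = [
    {"Organization Name": "Engineering",     "Organization Customer Type": "Department", "Organization Status": "Active"},
    {"Organization Name": "Eng-Contractors", "Organization Customer Type": "Company",    "Organization Status": "Disabled"},
    {"Organization Name": "Marketing",       "Organization Customer Type": "Department", "Organization Status": "Active"},
    {"Organization Name": "Old Engineering", "Organization Customer Type": "Branch",     "Organization Status": "Deleted"},
]


def normalize_simple_search(term: str) -> str:
    """Apply the documented rewrite: strip leading '*', guarantee a trailing '*'."""
    term = term.lstrip("*")
    return term if term.endswith("*") else term + "*"


def simple_search(term: str, orgs: List[Dict[str, str]] = SAMPLE_ORGS) -> List[str]:
    """Quick search on Organization Name; always a prefix match after normalization."""
    pattern = normalize_simple_search(term).lower()
    return [o["Organization Name"] for o in orgs
            if fnmatch.fnmatchcase(o["Organization Name"].lower(), pattern)]


def _matches(value: str, comparator: str, operand: str) -> bool:
    value, operand = value.lower(), operand.lower()
    if comparator == "Equals":
        return fnmatch.fnmatchcase(value, operand)          # wildcards still honoured
    if comparator == "Begins With":
        return fnmatch.fnmatchcase(value, operand.rstrip("*") + "*")
    raise ValueError(f"unknown comparator {comparator!r}")


def advanced_search(criteria: List[Tuple[str, str, str]], match: str = "All",
                    orgs: List[Dict[str, str]] = SAMPLE_ORGS) -> List[str]:
    """criteria: (attribute, comparator, operand) triples;
    match='All' requires every criterion (AND), 'Any' requires at least one (OR)."""
    combine = all if match == "All" else any
    return [o["Organization Name"] for o in orgs
            if combine(_matches(o[attr], comp, val) for attr, comp, val in criteria)]


if __name__ == "__main__":
    print(simple_search("*eng"))        # leading '*' dropped: prefix search for "eng"
    print(simple_search("*eering"))     # nothing: the leading wildcard does not survive
    print(advanced_search([("Organization Name", "Begins With", "Eng"),
                           ("Organization Status", "Equals", "Active")], "All"))
```

Note the second simple-search call: because the leading wildcard is removed before the query runs, a substring search on the organization name is not possible from the quick-search box; use the advanced search, or query with the prefix you actually know.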

13.2.2 Browsing Organizations

You can browse data in the Organizations section in Oracle Identity Manager Administration. The browse functionality is available in the left pane of the UI.

Using the browse operation, you can navigate through the organization tree in the system, starting at the root organization. If there are multiple organization trees, then all the trees are displayed. Each tree starts at a root organization node, which has no parent organization. The users defined in the organization are not displayed as nodes in the tree.

To browse through organizations, in the left pane of Oracle Identity Manager Administration, under the Browse tab, click Organization. All the organizations in Oracle Identity Manager are displayed in the browse list, as shown in Figure 13-4:

Figure 13-4 Organization Browse List

Description of Figure 13-4 follows
Description of "Figure 13-4 Organization Browse List"

The organization browse list shows the organization trees with their root and child organizations.

In the organization browse list, you can perform the actions described in the following sections:

13.2.3 Creating an Organization

You create an organization by using the Create Organization page. You can access this page only if you are authorized to create an organization.

Note:

You are allowed to create an organization only if you have the Create Organization privilege for one or more organizations.

To create an organization:

  1. Open the Create Organization page. To do so, perform any one of the following:

    • In the Welcome page of Oracle Identity Manager Administration, under Organizations, click Create New Organization.

    • In the left pane, click the Browse tab. Under Organizations, from the Action menu, select Create. You can also click the Create icon on the toolbar.

    • In the left pane, click the Search Results tab with Organizations selected in the search list. From the Actions menu, select Create. You can also click the Create icon on the toolbar.

    • In the Advanced Search: Organization page, from the Actions menu, select Create Org, or click Create on the toolbar.

    Figure 13-5 shows the Create Organization page.

    Figure 13-5 The Create Organization Page

    Description of Figure 13-5 follows
    Description of "Figure 13-5 The Create Organization Page"

  2. Enter values in the fields in the Create Organization page. Table 13-2 lists the fields in the Create Organization page:

    Table 13-2 Fields in the Create Organization Page

    Field                Description
    Name                 The name of the organization
    Type                 The type of the organization: Company, Department, or Branch
    Parent Organization  The organization to which the newly created organization will belong


  3. In the Name field, enter the name of the organization.

  4. In the Type field, select the type of the organization, such as Company, Department, or Branch.

  5. Specify the parent organization to which the newly created organization will belong. To do so:

    1. Click the search icon next to the Parent Organization field. The Search: Organizations dialog box is displayed, as shown in Figure 13-6:

      Figure 13-6 The Search: Organizations Dialog Box

      Description of Figure 13-6 follows
      Description of "Figure 13-6 The Search: Organizations Dialog Box"

    2. Select any one of the following options:

      • All: On selecting this option, the search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.

      • Any: On selecting this option, the search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.

    3. In the Organization Name field, enter the organization name that you want to search. You can use wildcard characters in your search criteria. Select a search condition in the list adjacent to the Organization Name field. The search conditions include "Equals" or "Begins With".

    4. In the Organization Customer Type field, enter the organization type of the parent organization. You can use wildcard characters in your search criteria. Select a search condition in the list adjacent to the Organization Customer Type field.

    5. Click Search. The organizations that match the search criteria you specified are displayed in the search results table.

    6. From the search results table, select the organization that you want to specify as the parent organization.

    7. Click Finish. The selected organization is added as the parent organization.

  6. Click Save to create the organization.

13.2.4 Viewing and Modifying Organizations

The view organization operation allows you to view detailed organization profile information in the Organization Details page. You can view this page only if you are authorized to view the organization profile, as determined by the authorization policy on the View Organization Detail privilege. If you are authorized to modify the organization, then you can also modify it by using this page.

Note:

The organization details page for the organization entity is auto-generated by the system based on configuration and fine-grained authorization. In Oracle Identity Manager, there is no mechanism to override the system-generated page with a custom-defined page.

To open the details of an organization, perform any one of the following:

  • In the left pane of Oracle Identity Manager Administration, click the Browse tab. Under Organization, select the organization whose details you want to display. From the Actions menu, select Open. Alternatively, click the Open icon on the toolbar.

  • Perform a simple search for the organization whose details you want to display. From the search result, select the organization. From the Actions menu, select Open. Alternatively, click the Open icon on the toolbar.

  • Perform an advanced search for the organization whose details you want to display. From the advanced search result, select the organization, and from the Actions menu, select Update Org. Alternatively, click Open on the toolbar.

The organization details page is displayed, as shown in Figure 13-7:

Figure 13-7 The Organization Details Page

Description of Figure 13-7 follows
Description of "Figure 13-7 The Organization Details Page"

You can perform administrative organization modifications in the organization details page. The modification is divided across the different sections of the organization details page, which means that modifications done in each section are independent of each other and must be saved individually. The modification for each section is described in the following sections:

Note:

You must have the "Insert" (create organization) data object permission, in addition to the per-organization Write or Delete permission, to update or delete organizations. See "Organization Management Authorization".

13.2.4.1 Modifying Organization Attributes

The Attributes tab, as shown in Figure 13-7, of the organization details page displays attributes of the organization. If you are authorized to modify the organization profile as determined by authorization policy on the Modify Organization Profile privilege, then the organization details page opens in editable mode and you can modify organization information. You can modify the values for the attributes, and then click Save to save the changes.

Whether or not the logged-in user is allowed to modify the organization is controlled by authorization policies. If you are not allowed to modify the organization, then the organization details page is displayed in read-only mode with no editable fields. See "Organization Management Authorization" for information about authorization of the organization management feature.

Note:

The Status attribute in the organization details page is read-only.

13.2.4.2 Viewing Child Organizations

The Hierarchy tab is a read-only tab that displays the list of child organizations of the selected organization. For each child organization in the list, the following are displayed:

  • Organization name

  • Type

  • Status

From the Hierarchy tab, you can open the details of a child organization by selecting the organization, and selecting Open from the Actions menu. Alternatively, you can click Open on the toolbar, or simply click the name of the organization.

To modify a child organization, click the child organization name that you want to modify. The organization details page for the selected organization is displayed, by using which you can modify the details of that organization.

13.2.4.3 Viewing User Information

The Members tab is a read-only tab that displays a list of users in the selected organization. For each user in the list, the following are displayed:

  • User Name

  • First Name

  • Last Name

  • Manager Name

From the Members tab, you can open the details of a user by selecting the user, and selecting Open from the Actions menu. Alternatively, you can click Open on the toolbar, or simply click the name of the user.

Tip:

You can add or remove users to and from organizations by using the Attributes tab of the user details page. For more information, see "The Attributes Tab".

13.2.4.4 Modifying Resources

The Resources tab displays the permitted resources for the selected organization. You can select one or multiple resources in the list, and then perform the following:

13.2.4.4.1 Provisioning Resources

To provision resources to the organization:

  1. From the Actions menu, select Provision. Alternatively, click Provision on the toolbar. This starts the Provision Resource to Organization wizard at "Step 1: Select a Resource".

  2. Search for the resource that you want to provision. Select the resource and click Continue.

  3. In the Step 2: Verify Resource Selection page, the resource that you selected for adding to the organization is displayed. Verify the information and click Continue. Provisioning the selected resource to the organization starts.

  4. Close the Provision Resource to Organization wizard. The resource is added to the Resources tab.

    Tip:

    If the provisioned resource is not displayed in the Resources tab, then click Refresh on the toolbar.

13.2.4.4.2 Revoking Resources

To revoke a resource:

  1. Select the resource that you want to remove.

  2. From the Actions list, select Revoke. Alternatively, click Revoke on the toolbar. A message is displayed asking for confirmation.

  3. Click OK to confirm.

13.2.5 Disabling and Enabling Organizations

Note:

  • You cannot disable an organization that has child organizations or users unless the system property ORG.DISABLEDELETEACTIONENABLED is set to true. When that property is set, disabling the parent organization also disables the users and child organizations under it, so review the hierarchy before you disable a high-level organization.

  • You can disable an organization only if you have the "Write" permission for that organization.

To disable an organization with enabled state:

  1. In the organization details page, click Disable Organization on the top of the page. A message is displayed asking for confirmation. Alternatively, in the simple search result for organizations, select the organization, and from the Actions menu, select Disable.

  2. Click OK to confirm. A message is displayed stating that the organization is successfully disabled.

  3. Click OK.

To enable an organization with disabled state:

  1. In the organization details page, click Enable Organization on the top of the page. Alternatively, in the simple search result for organizations, select the organization, and from the Actions menu, select Enable. A message is displayed asking for confirmation.

  2. Click OK to confirm. A message is displayed stating that the organization is successfully enabled.

  3. Click OK.

Note:

You can enable an organization only if you have the "Write" permission for that organization.

13.2.6 Managing Administrative Roles

The organization details page allows you to view and define a list of administrative roles and associated permissions that can administer the selected organization. To assign administrative roles to an organization, you must have the appropriate permission to create an organization. To assign permission to create organization:

  1. On the role detail page for the role to which you want to assign administrative privileges for organizations, click Data Object Permissions. The Role Details >> Permissions page is displayed.

  2. Click Assign. The Assign Permissions page is displayed with a list of permission names that you can select to assign the permissions to the role.

  3. For the Organizations permission, select the Allow Insert option. This grants the "create organization" permission to the role. Then select the Assign option to the right of the "Organizations" permission.

  4. Click Assign. A message is displayed asking for confirmation.

  5. Click Confirm Assign. The permission is assigned to the role.

To assign administrative roles to an organization:

Note:

The "Insert" permission is a prerequisite for the Write and Delete permissions. The "Insert" permission allows you to create new organizations. The "Write" permission allows you to update, enable, and disable organizations. The "Delete" permission allows you to delete organizations.

  1. Open the Administrative Roles page by selecting any one of the following:

    • In the organization simple search result, select an organization. From the Actions menu, select Administrative Roles.

    • In the Browse tab on the left pane, select an organization. From the Actions menu, select Administrative Roles.

    • In the organization detail page, click Administrative Roles.

  2. On the Administrative Roles page, in the Filter By Role Name field, enter a search criterion to search for administrative roles that can administer the organization. Then, click Search. A list of roles with their associated permissions is displayed.

  3. To unassign any role from the organization, select the Unassign option to the right of the administrative role, and click Unassign.

  4. To assign an administrative role to the organization:

    1. Click Assign. The Assign page is displayed with a list of available roles.

      You can filter the role names by entering a search criterion in the Filter By Role Name box, and clicking Find.

      Note that the Read options are selected by default for all the roles.

    2. Select the Write, Delete, and Assign options for the administrative roles to provide write, delete, and assign administrative permissions respectively.

    3. Click Assign.

  5. To update permissions for the administrative roles:

    1. Click Update Permissions. The Update page is displayed with a list of administrative roles, whose permissions you can modify.

      You can filter the role names by entering a search criterion in the Filter By Role Name box, and clicking Find.

      Note that the Read options are selected by default for all the roles.

    2. Select or deselect the Write and Delete options for the administrative roles to modify the write and delete permissions respectively.

    3. Click Update.

  6. When finished, close the Administrative Roles page. Figure 13-8 shows the Administrative Roles page.

Figure 13-8 Assign Administrative Roles

Surrounding text describes Figure 13-8.

13.2.7 Managing Permitted Resources

The Permitted Resources page allows you to assign and update a list of permitted resources to the users of the selected organization.

  1. To assign permitted resources to the users in the selected organization:

    1. In the Browse tab on the left pane, select an organization. From the Actions menu, select Open.

    2. In the organization detail page, click Permitted Resources.

    3. In the Permitted Resources page, select the resources and click Assign.

  2. To update the resources allowed to the selected organization:

    1. In the Browse tab on the left pane, select an organization. From the Actions menu, select Open.

    2. In the organization detail page, click Permitted Resources.

    3. In the Permitted Resources page, select the resources and click Update.

    Figure 13-9 shows the Assign Permitted Resources page.

    Figure 13-9 Assign Permitted Resources

    Surrounding text describes Figure 13-9.

13.2.8 Deleting an Organization

Note:

  • You cannot delete an organization that has child organizations or users unless the system property ORG.DISABLEDELETEACTIONENABLED is set to true. When that property is set, deleting the parent organization also deletes the users and child organizations under it.

  • You can delete an organization only if you have the "Delete" permission for that organization.

  • Deleting an organization is a soft delete: the record remains in the database with its status set to Deleted. Such organizations can still be found by an advanced search with the Organization Status set to Deleted.

To delete an organization:

  1. In the advanced search result for organizations, select the organization that you want to delete.

  2. From the Actions menu, select Delete. A message is displayed asking for confirmation. Alternatively, in the simple search result for organizations, select Delete from the Actions menu. Otherwise, in the Browse tab, select Delete from the Actions menu, or on the organization details page, click Delete Organization.

  3. Click OK to confirm. A message is displayed stating that the organization is successfully deleted.

  4. Click OK.
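The following Python model is an added example, not code from the Oracle documentation or from Oracle Identity Manager. It covers the notes in both "Disabling and Enabling Organizations" and "Deleting an Organization": the refusal to disable or delete an organization that still has child organizations or users, the cascade that ORG.DISABLEDELETEACTIONENABLED enables, the Write/Delete permission check, and the soft delete that leaves the record in place with status Deleted. The store, its method names, the sample hierarchy, and the assumption that the permission check applies to the target organization only (not to each descendant reached by the cascade) are all mine.

```python
from typing import Dict, List, Set


class OrgStore:
    """In-memory model of organizations and their users. `cascade` stands in
    for the ORG.DISABLEDELETEACTIONENABLED system property."""

    def __init__(self, cascade: bool = False):
        self.cascade = cascade
        self.orgs: Dict[str, dict] = {}
        self.users: Dict[str, dict] = {}

    def add_org(self, name: str, parent: str = None, org_type: str = "Department") -> None:
        self.orgs[name] = {"parent": parent, "type": org_type, "status": "Active"}

    def add_user(self, login: str, org: str) -> None:
        self.users[login] = {"org": org, "status": "Active"}

    def child_orgs(self, org: str) -> List[str]:
        # A soft-deleted record no longer counts as a live child.
        return [n for n, r in self.orgs.items()
                if r["parent"] == org and r["status"] != "Deleted"]

    def members(self, org: str) -> List[str]:
        return [u for u, r in self.users.items()
                if r["org"] == org and r["status"] != "Deleted"]

    def _change_status(self, org: str, new_status: str, needed: str,
                       perms: Dict[str, Set[str]]) -> None:
        # Per-organization permission: Write for disable, Delete for delete.
        # Assumption: checked on the target only, not on each descendant.
        if needed not in perms.get(org, set()):
            raise PermissionError(f"'{needed}' permission required on {org}")
        if (self.child_orgs(org) or self.members(org)) and not self.cascade:
            raise ValueError(f"{org} has child organizations or users; refused "
                             "because ORG.DISABLEDELETEACTIONENABLED is false")
        self._cascade(org, new_status)

    def _cascade(self, org: str, new_status: str) -> None:
        """Apply the status to every live descendant organization and user, then to org."""
        for child in self.child_orgs(org):
            self._cascade(child, new_status)
        for login in self.members(org):
            self.users[login]["status"] = new_status
        self.orgs[org]["status"] = new_status

    def disable(self, org: str, perms: Dict[str, Set[str]]) -> None:
        self._change_status(org, "Disabled", "Write", perms)

    def delete(self, org: str, perms: Dict[str, Set[str]]) -> None:
        # Soft delete: the record stays in the store, marked "Deleted".
        self._change_status(org, "Deleted", "Delete", perms)


def outcome(action, *args) -> str:
    """Run an operation and report 'ok' or the exception class it raised."""
    try:
        action(*args)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def sample_store(cascade: bool) -> OrgStore:
    """Constructed sample: Engineering > Development, one user in each."""
    store = OrgStore(cascade)
    store.add_org("Engineering", org_type="Company")
    store.add_org("Development", parent="Engineering")
    store.add_user("Employee1", "Engineering")
    store.add_user("Employee2", "Development")
    return store


if __name__ == "__main__":
    perms = {"Engineering": {"Write", "Delete"}}
    strict = sample_store(cascade=False)
    print(outcome(strict.disable, "Engineering", perms))   # ValueError: refused
    loose = sample_store(cascade=True)
    print(outcome(loose.delete, "Engineering", perms))     # ok: cascades to Development
    print(loose.orgs["Development"], loose.users["Employee2"])
```

The second run is the case to watch in production: with the property enabled, one Delete on a parent organization silently soft-deletes every user and organization beneath it, and only the per-organization Delete permission on the parent is consulted.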

13.3 Organization Management Authorization

Authorization of the organization management feature is based on organization administrative roles. The following sets of distinct permissions are required by a role to manage an organization:

  • The role must have the following data object permission on organization entities:

    • Insert - This enables the user (with this role) to create new organizations and manage them.

    • Enable/Disable/Update

    These permissions are not specific to a particular organization.

  • When role is assigned as an administrative role for an organization, the following permissions are required:

    • "Read and View" permissions are implicit by virtue of being administrative role

    • Write

    • Delete

    These permissions are configured per organization.
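The following Python snippet is an added example, not code from the Oracle documentation or from Oracle Identity Manager, that resolves the two permission layers described above: the system-wide data object permissions on the organization entity (with Insert as the prerequisite noted in "Managing Administrative Roles") and the per-organization administrative role assignment (with Read implicit). The role names, assignments, and the action-to-permission mapping are constructed for illustration.

```python
from typing import Dict, Set

# Data object permissions on the organization entity: per role, not per organization.
DATA_OBJECT_PERMS: Dict[str, Set[str]] = {
    "OrgAdmin": {"Insert", "Write", "Delete"},
    "HelpDesk": {"Write"},            # Write without Insert: the prerequisite is missing
}

# Administrative role assignments: per organization, per role, the granted options.
ADMIN_ROLE_ASSIGNMENTS: Dict[str, Dict[str, Set[str]]] = {
    "Engineering": {"OrgAdmin": {"Write"}, "HelpDesk": {"Write", "Delete"}},
    "Development": {"OrgAdmin": {"Write", "Delete"}},
}

# Which per-organization permission each management action needs.
ACTION_REQUIRES: Dict[str, str] = {
    "view": "Read", "update": "Write", "enable": "Write",
    "disable": "Write", "delete": "Delete",
}


def can_create(role: str) -> bool:
    """Creating organizations needs the Insert data object permission."""
    return "Insert" in DATA_OBJECT_PERMS.get(role, set())


def can_manage(role: str, org: str, action: str) -> bool:
    """A role may act on an organization only if it is an administrative role
    for that organization, holds the needed option there, and (for anything
    beyond Read) also holds the prerequisite Insert data object permission."""
    needed = ACTION_REQUIRES[action]
    org_perms = ADMIN_ROLE_ASSIGNMENTS.get(org, {}).get(role)
    if org_perms is None:
        return False                  # not an administrative role for this org
    if needed == "Read":
        return True                   # Read/View implicit for administrative roles
    return can_create(role) and needed in org_perms


def effective_actions(role: str, org: str) -> Set[str]:
    """All actions a role can take on an organization; handy for access reviews."""
    return {a for a in ACTION_REQUIRES if can_manage(role, org, a)}


if __name__ == "__main__":
    for role in DATA_OBJECT_PERMS:
        for org in ADMIN_ROLE_ASSIGNMENTS:
            print(role, org, sorted(effective_actions(role, org)))
```

The HelpDesk row is the point of the example: it has Write and Delete on Engineering as an administrative role, yet can only view, because it never received the Insert data object permission. Conversely, granting Insert to a role makes every per-organization Write or Delete it already holds effective at once, so audit both layers together.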

Permission to get access to Oracle Identity Manager Administration from Oracle Identity Manager Self Service is governed by "menu item" permissions. When the user has access to Oracle Identity Manager Administration, the user is allowed to browse users, roles, and organizations.

Second level menus for edit, view, and delete actions on user and role entities are derived from the OES policies, such as create, update, delete on user and role respectively.

Similarly, second level menus to edit, view, and delete organizations are derived from the "orgadmin role" and "data-object" permissions on the organization entity type.

In Oracle Identity Manager 11g Release 1 (11.1.1), delegated administration permissions are managed by using Oracle Entitlements Server (OES) authorization policies. These OES policies for user management control:

  • Under which organizations you can create or modify users

  • Whether a data constraint applies to a set of organizations with or without their hierarchy

See Also:

Chapter 15, "Managing Authorization Policies" for information about OES authorization policies

Together, these capabilities provide the delegated administration model.

To configure a delegated administrator for an organization:

  1. Define a custom authorization policy to manage users and set organization constraints. Organization constraints can be hierarchy aware. See "Creating Custom Authorization Policies" for information about creating custom authorization policies and setting data constraints.

  2. Add the user to the role specified in the custom policy. See "Adding and Removing Roles" for information about adding a user to a role.

  3. To configure the role as organization administrator, first create a role. See "Creating Roles".

    When you create the orgadmin role, the role detail page for this role is displayed.

  4. Assign this orgadmin role "data object" permissions on the organization type. With this "data object" permission, the user (with this role), can create new organizations and manage them. See "Managing Administrative Roles" for information about assigning "create organization" permission to a role.

  5. Select an organization and assign the orgadmin role as administrative role for the organization. This step would give the user the ability to manage the selected organization. Manage permissions include update, enable, disable, and delete. See "Managing Administrative Roles" for information about assigning administrative roles to an organization.