7 Managing Access

In Oracle Identity Manager, you have access to entities, such as roles, entitlements, accounts, and admin roles. Access to these entities is governed by authorization policies. For information about authorization policies, see "Security Architecture" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

The entities to which you have access are displayed in the My Access section of Oracle Identity Self Service. Typical tasks you perform in the My Access section are described in the following topics:

Tip:

Adding and removing entities, such as roles, entitlements, and accounts, goes through requests that are subject to approval. Before you perform the steps to manage your access to entities, it is recommended that you see Chapter 9, "Managing Requests" for detailed information about requests in Oracle Identity Manager.

7.1 Managing Roles

The Roles tab in the My Access section displays the roles assigned to you. In this tab, you can perform the following:

7.1.1 Requesting Roles

To request roles from the My Access page:

  1. Log in to Identity Self Service.

  2. Under My Profile, click My Access. The My Access page is displayed.

  3. Click the Roles tab. A list of roles assigned to you is displayed.

    Note:

    In all the tabs in the My Access page, you can refine your search by using Query By Example. For information about using Query By Example, see "Using Query By Example".

  4. From the Actions menu, select Request. Alternatively, click Request Roles on the toolbar.

    The Catalog page is displayed. You use the Catalog page to create requests. For information about the request catalog, and how to create requests from the Catalog page, see "Creating Requests".

    When you submit your request for roles, and the request is approved at all approval levels, the roles will be assigned to you.

7.1.2 Modifying Role Details

You can modify a selected role only if you are a Role Administrator for the organization to which the role is published. If you have any other role or are an end user, then you can only view the role details.

To modify the details of a role assigned to you:

  1. In the Roles tab of the My Access page, select a role whose details you want to modify.

  2. From the Actions menu, select Open. Alternatively, click Open on the toolbar.

    The Role: ROLE_NAME page is displayed with details of the selected role. In this page, you can modify role attributes, role hierarchy, role membership, and publish the role to organizations. For details about these tasks, see "Managing Roles".

7.1.3 Removing Roles

To remove roles assigned to you:

  1. In the Roles tab of the My Access page, select a role that you want to remove.

  2. From the Actions menu, select Remove. Alternatively, click Remove Roles on the toolbar. The Remove Roles catalog page is displayed.

  3. Submit the request to remove roles. The role will be removed after the request is approved.

7.2 Managing Entitlements

The Entitlements tab in the My Access page displays the entitlements assigned to you. In this tab, you can perform the following:

7.2.1 Requesting Entitlements

To request entitlements:

  1. In the My Access page, click the Entitlements tab. A list of entitlements assigned to you is displayed.

    Note:

    In an upgraded deployment of Oracle Identity Manager 11g Release 2 (11.1.2.1.0), the entitlements provisioned to the users before the upgrade are not displayed in the Entitlements tab. To display the entitlements in the Entitlements tab after the upgrade, log in to Oracle Identity System Administration, and run the Entitlement Assignments scheduled job. See "Predefined Scheduled Tasks" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about the Entitlement Assignments scheduled job.

  2. From the Actions menu, click Request. Alternatively, click Request Entitlements on the toolbar. The Catalog page is displayed.

  3. Submit the request from the Catalog page. The entitlement will be assigned after the request is approved.

    For information about creating a request, see "Creating Requests".

7.2.2 Removing Entitlements

To remove entitlements assigned to you:

  1. In the Entitlements tab, select the entitlements that you want to remove.

  2. From the Actions menu, select Remove. Alternatively, click Remove Entitlements from the toolbar. The Catalog page is displayed.

  3. Submit the request to remove entitlements. The entitlement will be removed after the request is approved.

7.3 Managing Accounts

The Accounts tab in the My Access page displays the accounts assigned to you. In this tab, you can perform the following:

7.3.1 Requesting Accounts

To request accounts:

  1. In the My Access page, click the Accounts tab. A list of accounts assigned to you is displayed.

  2. From the Actions menu, click Request. Alternatively, click Request Accounts on the toolbar. The Catalog page is displayed.

  3. Submit the request from the Catalog page. The account will be assigned after the request is approved.

    For information about creating a request, see "Creating Requests".

Note:

If you request an entitlement and an application instance together in a single request, and if the beneficiary does not have an account provisioned at the time of entitlement provisioning, then entitlement provisioning fails. However, application instance provisioning succeeds. Therefore, if you request an entitlement and an application instance together in a single request, then you must have a primary account provisioned to the target on which the entitlement is stored.

7.3.2 Modifying Accounts

To modify accounts assigned to you:

  1. In the Accounts tab, select an account that you want to modify.

  2. From the Actions menu, select Modify. Alternatively, click Modify Accounts on the toolbar. The Catalog page is displayed.

  3. Edit the attributes of the account and submit the request from the Catalog page. The account will be modified after the request is approved.

7.3.3 Removing Accounts

To remove accounts assigned to you:

  1. In the Accounts tab, select the account that you want to remove.

  2. From the Actions menu, select Remove. Alternatively, click Remove Accounts from the toolbar. The Catalog page is displayed.

  3. Submit the request to remove accounts. The accounts will be removed after the request is approved.

7.3.4 Disabling an Account

To disable an account:

  1. In the Accounts tab, select an account that you want to disable.

  2. From the Actions menu, select Disable. Alternatively, select Disable on the toolbar. The Catalog page is displayed.

  3. Submit the request to disable accounts. The accounts will be disabled after the request is approved.

7.3.5 Enabling an Account

To enable an account:

  1. In the Accounts tab, select an account that you want to enable.

  2. From the Actions menu, select Enable. Alternatively, select Enable on the toolbar. The Catalog page is displayed.

  3. Submit the request to enable accounts. The accounts will be enabled after the request is approved.

7.4 Viewing Admin Roles

The Admin Roles tab of the My Access page displays the admin roles you have. Admin roles determine the operations you can perform on each entity. This is governed by authorization policies based on organizations and admin roles. For details on admin roles and authorization in Oracle Identity Manager, see "Security Architecture" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.