An organization entity represents a logical container of entities such as users and other organizations in Oracle Identity Manager. An organization in Oracle Identity Manager is used only for security purposes; it is not an enterprise organization, an LDAP organization, or an organizational unit.
The concepts related to organizations and procedures to manage organizations are described in the following sections:
Vision Inc. is a fictitious company used in this document to depict a typical delegated administration use case. There are five user types: employees, contractors, suppliers, partners, and customers. In this example, the proposed solution is called IDM.
Vision Inc. has two major sets of users, Internal Users consisting of employees and contractors, and External Users consisting of partners, suppliers, and customers, as illustrated in Figure 13-1:
Internal Users are on-boarded and managed directly by an HR Administrator using Oracle Identity Self Service. The IDM administrator creates the various partner, supplier, and customer organizations, as shown in Figure 13-1, and assigns a delegated administrator for each of these organizations. For example, the IDM administrator can create and manage a partner organization called Partner1, create one or more users under Partner1, and assign one or more of these users as the delegated administrator for that organization. The delegated administrator, for example Partner1 DA, can then create additional hierarchy under Partner1, for example Partner1 US and Partner1 EMEA, and can specify a delegated administrator under each of these organizations. For example, Partner1 DA can specify User1 under Partner1 US as the delegated administrator of Partner1 US. This hierarchy can continue to the nth level.
The users created under each of these organizations follow a strict permission model. For example, users in the External Users organization cannot see users in Internal Users, but internal users who are IDM administrators can see both internal and external users. Partner1 DA cannot see users under Partner2, and vice versa. Similarly, Partner1 US DA cannot see Partner1 EMEA users. A parent delegated administrator can see all child delegated administrators, but not the reverse. For example, Partner1 DA can see Partner1 US and Partner1 EMEA users, but Partner1 US users can see only users in Partner1 US. This entire delegation model is achieved through the organization hierarchy, viewer admin role assignment to users, and publishing entities only to those organizations to which the users belong.
The ability of users in organizations to view and access resources also follows the organization hierarchy. For example, all resources and roles that are permitted for Partner1 are visible by default to Partner1 US and Partner1 EMEA. This is achieved by selecting a flag to include suborganizations when publishing the entities, as described later in this document. Both publishing and delegation are organization hierarchy-aware. Each delegated administrator can further limit resource availability for their own entities.
The delegated administration model is achieved through the following:
Organization definition: Users and entities are defined in logical containers called organizations, and a set of attributes is defined for the organizations.
Organization scoping with logical organization hierarchy: Scoping the entities to a certain set of users. This means that not all users can view or access all entities. For example, the users in the Partners organization can only view the roles, entitlements, and application instances available to the Partners organization. These users cannot view or access the entities available to the Suppliers and Customers organizations. See "Organization Scoping and Hierarchy" for details.
Publishing of entities to organizations: The entities are made available to the users of an organization. See "Publishing Entities to Organizations".
Admin roles: The permissions that a user has on an entity are governed by the admin roles assigned to the user. See "Admin Roles" for details.
In Oracle Identity Manager, the root of the organizational hierarchy is represented by the Top organization. The Top organization is a predefined organization that is available in Oracle Identity Manager. By default, every organization in Oracle Identity Manager extends from the Top organization.
Oracle Identity Manager provides an organizational-level scoping mechanism for delegated administration and data security of various entities. This is achieved by the following:
User's admin role memberships in organizations: A user is granted permissions over an organization by assigning an admin role to the user in that organization's scope.
Entities available in organizations: Data is secured by confining its availability to a set of organizations. The process of making data available in an organization scope is referred to as publishing. A user is allowed to perform operations on an entity, as permitted by the user's admin roles, only if those admin roles apply to the organization and the entity is published to the same organization.
Publishing an entity to an organization is making the entity available to that organization. The enterprise roles, entitlements, or application instances can be published by respective administrators to a list of organizations to enable these to be granted to the users of those organizations. Enterprise roles, entitlements, and application instances are published to a list of organizations to make these:
Requestable to users under the list of organizations
Manageable to the list of organization administrators to manage these roles
You can publish entities to organizations from the Organizations tab of the respective entity details page in Identity Self Service.
When an entity admin creates an entity (for example, a Role Admin creates an enterprise role), that entity (the role, in this example) is automatically made available to all the organizations where the admin holds the entity admin role. This avoids having to create and then publish entities for admins in their respective organizations or organization hierarchies. However, if the entity must be published to other organizations, it must be published manually.
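The scoping rule described above, as a small Python model: admin role memberships are granted in an organization scope and can cascade to child organizations, entities are published to organizations with or without their suborganizations, an entity created by its Entity Administrator is auto-published where that membership applies, and an operation is allowed only when membership and publication meet in the same organization. This is an added illustration, not Oracle Identity Manager code; the organization and user names come from the Vision Inc. example, and the two role names and the `cascade` / `include_suborgs` flags are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Grant = Tuple[str, bool]  # (organization name, applies to child organizations too?)


@dataclass
class Org:
    """One node of the organization hierarchy; Top is the root and has no parent."""
    name: str
    parent: Optional["Org"] = None
    children: List["Org"] = field(default_factory=list)

    def lineage(self) -> List[str]:
        """Names of this organization and each of its ancestors, ending with Top."""
        names, node = [], self
        while node is not None:
            names.append(node.name)
            node = node.parent
        return names


class OrgHierarchy:
    def __init__(self) -> None:
        self.orgs: Dict[str, Org] = {"Top": Org("Top")}

    def add(self, name: str, parent: str) -> Org:
        org = Org(name, self.orgs[parent])
        self.orgs[parent].children.append(org)
        self.orgs[name] = org
        return org


class DelegationModel:
    """Organization-scoped admin role memberships plus entity publications."""

    def __init__(self, hierarchy: OrgHierarchy) -> None:
        self.h = hierarchy
        self.memberships: Dict[Tuple[str, str], List[Grant]] = {}   # key: (user, admin role)
        self.publications: Dict[Tuple[str, str], List[Grant]] = {}  # key: (entity type, name)

    def assign_admin_role(self, user: str, role: str, org: str, cascade: bool = True) -> None:
        self.memberships.setdefault((user, role), []).append((org, cascade))

    def publish(self, entity: Tuple[str, str], org: str, include_suborgs: bool = False) -> None:
        self.publications.setdefault(entity, []).append((org, include_suborgs))

    @staticmethod
    def _covers(grants: List[Grant], lineage: List[str]) -> bool:
        """A grant on org X applies to org Y when X is Y, or when X is an ancestor of Y
        and the grant was hierarchy-aware (cascade / include sub-organizations)."""
        target, ancestors = lineage[0], lineage[1:]
        return any(org == target or (down and org in ancestors) for org, down in grants)

    def holds_admin_role(self, user: str, role: str, org: str) -> bool:
        return self._covers(self.memberships.get((user, role), []), self.h.orgs[org].lineage())

    def is_published(self, entity: Tuple[str, str], org: str) -> bool:
        return self._covers(self.publications.get(entity, []), self.h.orgs[org].lineage())

    def may_operate(self, user: str, role: str, entity: Tuple[str, str], org: str) -> bool:
        """Allowed only when the membership and the publication both apply in the SAME org."""
        return self.holds_admin_role(user, role, org) and self.is_published(entity, org)

    def create_entity(self, user: str, entity_type: str, name: str) -> Tuple[str, str]:
        """An entity created by its Entity Administrator is automatically published to
        every organization in which that admin role membership applies."""
        entity, role = (entity_type, name), f"{entity_type} Administrator"
        for org in self.h.orgs:
            if self.holds_admin_role(user, role, org):
                self.publish(entity, org)
        return entity


def vision_inc_demo() -> Dict[str, bool]:
    """Constructed scenario built from the Vision Inc. names used in the text."""
    h = OrgHierarchy()
    for name, parent in [("Internal Users", "Top"), ("External Users", "Top"),
                         ("Partner1", "External Users"), ("Partner2", "External Users"),
                         ("Partner1 US", "Partner1"), ("Partner1 EMEA", "Partner1")]:
        h.add(name, parent)
    m = DelegationModel(h)
    # Partner1 DA: Role Administrator and Role Viewer over the whole Partner1 subtree.
    m.assign_admin_role("Partner1 DA", "Role Administrator", "Partner1")
    m.assign_admin_role("Partner1 DA", "Role Viewer", "Partner1")
    # User1 (Partner1 US DA): Role Viewer in Partner1 US only, not cascaded.
    m.assign_admin_role("User1", "Role Viewer", "Partner1 US", cascade=False)
    # Created by the Role Administrator, so auto-published to Partner1 and its children.
    portal = m.create_entity("Partner1 DA", "Role", "PartnerPortalAccess")
    # Published manually to Partner1 EMEA alone, without sub-organizations.
    emea = ("Role", "EMEAReporting")
    m.publish(emea, "Partner1 EMEA")
    return {
        "da_portal_in_us": m.may_operate("Partner1 DA", "Role Viewer", portal, "Partner1 US"),
        "da_portal_in_partner2": m.may_operate("Partner1 DA", "Role Viewer", portal, "Partner2"),
        "user1_portal_in_us": m.may_operate("User1", "Role Viewer", portal, "Partner1 US"),
        "user1_portal_in_emea": m.may_operate("User1", "Role Viewer", portal, "Partner1 EMEA"),
        "da_emea_role_in_us": m.may_operate("Partner1 DA", "Role Viewer", emea, "Partner1 US"),
        "da_emea_role_in_emea": m.may_operate("Partner1 DA", "Role Viewer", emea, "Partner1 EMEA"),
    }
```

The last two checks show why both conditions must hold in the same scope: Partner1 DA holds Role Viewer in Partner1 US, yet cannot request a role published only to Partner1 EMEA there.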
An admin role is a first-class entity in Oracle Identity Manager and is not the same as an enterprise role or group entity. The authorization and security model in Oracle Identity Manager works on the basis of the admin role assignment to a user. The assignment can be in a given organization scope or in the Top organization scope. As mentioned earlier, the Top organization is at the root of the organization hierarchy in Oracle Identity Manager. Authorization policies are created according to the admin roles. Admin roles are predefined in Oracle Identity Manager, and you cannot add new admin roles. Admin roles cannot be created, updated, deleted, or requested.
Entities have the following admin roles defined for them:
Entity Administrator: Can manage the entire lifecycle of the entity and perform any operation on the entity.
Entity Viewer: Can view the entity in the catalog or request profile and request the entity.
Entity Authorizer: Can view the entity in the catalog or request profiles and request for it, but does not require approval. There is no authorizer on the organization entity because organization membership cannot be requested. Similarly, there is no authorizer for the user. The user admin and user authorizer are the same.
However, there are certain exceptions for the entity administrator. For example, a Role Administrator cannot assign users to or revoke users from that role. To assign or revoke users, the role administrator must also explicitly hold one of the following:
Role Viewer role: To be able to assign or revoke users to that role through requests, which are subject to approval.
Role Authorizer role: To be able to assign or revoke users to that role as a direct operation.
Similarly, Application Instance Administrators and Entitlement Administrators cannot assign or revoke users to or from the respective entities. These admin roles must have explicit entity viewer or entity authorizer roles to be able to assign or revoke to or from that entity, through request or direct operation respectively.
Admin roles have no hierarchy. However, admin role memberships are hierarchy-aware and can be cascaded downwards to the child organizations. Admin role membership is always given in an organization scope, and can only be assigned by the System Administrator or System Configurator. Admin roles do not have autogroup membership or role membership rules.
Note:
Admin roles cannot be stored in the LDAP data store and are stored in the Oracle Identity Manager database.
Admin roles belong to a role category called admin roles. The admin roles cannot be requested and are never exposed to end users. Only the System Administrator and System Configurator roles, which require users to be assigned to these roles to perform system functions, can access admin roles.
The System Administrator and System Configurator admin roles are available only to the Top organization. Therefore, only System Administrators and System Configurators can assign System Administrator and System Configurator roles because they have access to the Top organization. Only a System Administrator can provision resources to an organization.
Table 13-1 lists the admin roles in Oracle Identity Manager for each entity.
Note:
In Table 13-1, you will come across implicit permissions called org basic info, role basic info, entitlement basic info, and appinstance basic info. A basic-info permission grants only the ability to search for and view the given entity. Consider the following examples:
View Org permission provides all the permissions defined for the Organization Viewer admin role, but org basic info provides only the permissions to search for and view the organization attributes.
The User Viewer admin role provides the basic info permission on roles, organizations, application instances, and entitlements in that scoped organization.
Table 13-1 Admin Roles in Oracle Identity Manager
| Entity | Admin Role | Description |
|---|---|---|
| | System Administrator | Oracle Identity Manager System Administrator role with all privileges |
| | System Configuration Administrator | Role with privileges to configure Oracle Identity Manager |
| | SPML Admin | SPML administrator to manage SPML operations |
| Role | Role Administrator | Role with privileges to administer all assigned enterprise roles |
| Role | Role Authorizer | Role with privileges to authorize all assigned enterprise roles. Role authorizer can grant roles as a direct operation. |
| Role | Role Viewer | Role with privileges to view assigned enterprise roles. |
| Entitlement | Entitlement Administrator | Role with privileges to administer all assigned entitlements |
| Entitlement | Entitlement Authorizer | Role with privileges to authorize all assigned entitlements |
| Entitlement | Entitlement Viewer | Role with privileges to view all assigned entitlements |
| Application Instance | Application Instance Administrator | Role with privileges to administer all assigned application instances |
| Application Instance | Application Instance Authorizer | Role with privileges to authorize all assigned application instances |
| Application Instance | Application Instance Viewer | Role with privileges to view all assigned application instances |
| Organization | Organization Administrator | Role with privileges to administer all assigned organizations |
| Organization | Organization Viewer | Role with privileges to view all assigned organizations |
| User | User Administrator | Role with privileges to administer all assigned users |
| User | HelpDesk | Help Desk to manage users |
| User | User Viewer | Role with privileges to view all assigned user records |
| Catalog | Catalog System Administrator | Role with privileges to manage all catalog items |
| Certification | Certification Administrator | Role with privileges to manage all certification definitions, jobs, and instances. |
| Certification | Certification Viewer | Role with privileges to view all certification definitions, jobs, and instances. |
See Also:
"Security Architecture" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about admin roles.
Table 13-2 lists the admin roles in Oracle Identity Manager and the permissions provided by each admin role.
Table 13-2 Admin Roles and Permissions
| Admin Role in Oracle Identity Manager | Implicit Permissions | Organization Scoped Permissions | Request or Direct Operation |
|---|---|---|---|
| User Administrator | Organization Viewer, Role Viewer, Entitlement Viewer, AppInstance Viewer | Search User (attribute-level security) | NA |
| | | View User (attribute-level security) | NA |
| | | Create User | Direct |
| | | Delete User | Direct |
| | | Modify User (attribute-level security) | Direct |
| | | Lock User | NA |
| | | Unlock User | NA |
| | | Enable User | Direct |
| | | Disable User | Direct |
| | | Grant Role | Direct |
| | | Revoke Role | Direct |
| | | Grant Accounts | Direct |
| | | Revoke Accounts | Direct |
| | | Grant Entitlements | Direct |
| | | Revoke Entitlements | Direct |
| | | Change User Password | NA |
| | | Change Account Passwords | NA |
| | | Modify User Account | Direct |
| | | Enable User Account | Direct |
| | | Disable User Account | Direct |
| | | View Org | NA |
| | | View Role | NA |
| | | View Entitlements | NA |
| | | View Application Instance | NA |
| | | View Requests | NA |
| | | View Admin Role Memberships | NA |
| | | View Role Memberships | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| | | View Proxy | NA |
| | | Add Proxy | Direct |
| | | Delete Proxy | Direct |
| Help Desk | Org Basic Info, Role Basic Info, Entitlement Basic Info, AppInstance Basic Info | Search User (attribute-level security) | NA |
| | | View User (attribute-level security) | NA |
| | | Enable User | Request |
| | | Disable User | Request |
| | | Unlock User ONLY IF locked out due to failed logins | Direct |
| | | Change User Password | Direct |
| | | Change Account Password | Direct |
| | | View Org | NA |
| | | View Role | NA |
| | | View Entitlements | NA |
| | | View Application Instance | NA |
| | | View Requests | NA |
| | | View Role Memberships | NA |
| | | View Proxy | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| User Viewer | Organization Viewer, Role Viewer, Entitlement Viewer, AppInstance Viewer | Create User | Request |
| | | Delete User | Request |
| | | Modify User (attribute-level security) | Request |
| | | Search User (attribute-level security) | NA |
| | | View User (attribute-level security) | NA |
| | | Enable User | Request |
| | | Disable User | Request |
| | | Grant Role | Request |
| | | Revoke Role | Request |
| | | Grant Accounts | Request |
| | | Revoke Accounts | Request |
| | | Grant Entitlements | Request |
| | | Revoke Entitlements | Request |
| | | Modify User Account | Request |
| | | View Org | NA |
| | | View Role | NA |
| | | View Entitlements | NA |
| | | View Application Instance | NA |
| | | View Requests | NA |
| | | View Role Memberships | NA |
| | | View Proxy | NA |
| | | Enable User Account | Request |
| | | Disable User Account | Request |
| | | View Admin Role Memberships | NA |
| | | Add Admin roles | NA |
| | | Delete Admin roles | NA |
| | | Modify Admin Role membership | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| Role Viewer | Org Basic Info, User Basic Info | Grant Role | Request |
| | | Revoke Role | Request |
| | | View Org | NA |
| | | View Role | NA |
| | | View Users | NA |
| | | View Role Memberships | NA |
| Organization Viewer | Org Basic Info, User Basic Info, AppInstance Info, Entitlement Info | Search Org | NA |
| | | View Org | NA |
| | | View Users | NA |
| | | View Role | NA |
| | | View AppInstance | NA |
| | | View Entitlement | NA |
| | | View All Publications | NA |
| | | View All Org Members | NA |
| | | View Admin Role & memberships | NA |
| | | View Accounts Provisioned to Org | NA |
| Application Instance Viewer | User Basic Info, Org Basic Info, Entitlement Info | Search Application Instance | NA |
| | | View Application Instance (excluding passwords) | NA |
| | | Grant Account | Request |
| | | Revoke Accounts | Request |
| | | Modify User Account | Request |
| | | Enable User Account | Request |
| | | Disable User Account | Request |
| | | View Org | NA |
| | | View User | NA |
| | | View AppInstance | NA |
| | | View Entitlements | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| Entitlement Viewer | User Basic Info, Org Basic Info, AppInstance Basic Info | Search Entitlement | NA |
| | | View Entitlement | NA |
| | | Grant Entitlement | Request |
| | | Revoke Entitlement | Request |
| | | View Orgs | NA |
| | | View Users | NA |
| | | View AppInstance | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| Role Administrator | User Basic Info, Org Basic Info | Search Role | NA |
| | | View Role | NA |
| | | Create Role | Direct |
| | | Modify Role | Direct |
| | | Delete Role | Direct |
| | | View Role Members | NA |
| | | Manage Role Hierarchy | Direct |
| | | Publish role (only to allowed orgs) | Direct |
| | | Unpublish role (only to allowed orgs) | Direct |
| | | Manage Role Membership Rules | Direct |
| | | Create Role Category | Direct |
| | | Update Role Category | Direct |
| | | Delete Role Category | Direct |
| | | View Users | NA |
| | | View Orgs | NA |
| | | View Role Memberships | NA |
| Application Instance Administrator | User Basic Info, Org Basic Info, Entitlement Administrator | Create Application instance | Direct |
| | | Modify Application instance | Direct |
| | | Delete Application instance | Direct |
| | | Search Application Instance | NA |
| | | View Application Instance | NA |
| | | Publish Application Instance (only to allowed orgs) | Direct |
| | | Unpublish Application Instance (only to allowed orgs) | Direct |
| | | Publish Entitlements (only to allowed orgs) | Direct |
| | | Unpublish Entitlements (only to allowed orgs) | Direct |
| | | Access Advanced UI | NA |
| | | View accounts | NA |
| | | View Users | NA |
| | | View Orgs | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| Organization Administrator | User Basic Info, AppInstance Basic Info, Entitlement Basic Info, Role Basic Info | Search Org | NA |
| | | View Org | NA |
| | | Create Organization | Direct |
| | | Modify Organization | Direct |
| | | Delete Organization | Direct |
| | | All Role Admin Privileges for Admin Roles. | Direct |
| | | Update Organization Hierarchy (for a specific organization) | Direct |
| | | Associate password policy | Direct |
| | | View members | NA |
| | | View roles published | NA |
| | | View app instances published | NA |
| | | View entitlements published | NA |
| | | View accounts (provisioned to org). Note: Provisioning resources to an organization is allowed only to the System Administrator. | NA |
| Entitlement Administrator | User Basic Info, AppInstance Basic Info, Org Basic Info | Search Entitlements | NA |
| | | View Entitlements | NA |
| | | Add Entitlements (API) | Direct |
| | | Delete Entitlements (API) | Direct |
| | | Update Entitlements (API) | Direct |
| | | Publish Entitlement (only to allowed orgs) | Direct |
| | | Unpublish Entitlement (only from allowed orgs) | Direct |
| | | View orgs | NA |
| | | View User | NA |
| | | View app instance | NA |
| | | View accounts | NA |
| | | View Entitlement Members | NA |
| | | View Published Entitlements (API); org data security applies | NA |
| Catalog System Administrator | AppInstance Basic Info, Entitlement Basic Info, Role Basic Info | Edit Catalog metadata | Direct |
| | | Create Request Profiles | Direct |
| | | Modify Request Profiles | Direct |
| | | Delete Request Profiles | Direct |
| | | View application instances | NA |
| | | View entitlements | NA |
| | | View roles | NA |
| Role Authorizer | User Basic Info, Org Basic Info | View Role | NA |
| | | Grant Role | Direct |
| | | Revoke Role | Direct |
| | | View Orgs | NA |
| | | View Users | NA |
| | | View Role Memberships | NA |
| Application Instance Authorizer | User Basic Info, Org Basic Info | Search Application Instance | NA |
| | | View Application Instance (excluding passwords) | NA |
| | | Grant account | Direct |
| | | Revoke account | Direct |
| | | Modify account | Direct |
| | | Enable account | Direct |
| | | Disable account | Direct |
| | | View Org | NA |
| | | View Entitlements | NA |
| | | View Users | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| Entitlement Authorizer | User Basic Info, Org Basic Info, AppInstance Basic Info | Search Entitlement | NA |
| | | View Entitlement | NA |
| | | Grant Entitlement | Direct |
| | | Revoke Entitlement | Direct |
| | | View Users | NA |
| | | View Orgs | NA |
| | | View Application Instance | NA |
| | | View User Accounts | NA |
| | | View User Entitlements | NA |
| System Configuration Administrator | Role Basic Info, Org Basic Info, Application Instance Basic Info, Entitlement Basic Info | View Forms | NA |
| | | Create Forms | NA |
| | | Modify Forms | NA |
| | | Delete Forms | NA |
| | | Import Connector | NA |
| | | Export Connector | NA |
| | | View Resource Object | NA |
| | | Create Resource Object | NA |
| | | Modify Resource Object | NA |
| | | Delete Resource Object | NA |
| | | View Application Instance | NA |
| | | Create Application Instance | NA |
| | | Modify Application Instance | NA |
| | | Delete Application Instance | NA |
| | | Publish Application Instance | NA |
| | | View Entitlement | NA |
| | | Publish Entitlement | NA |
| | | Delete Entitlement (using APIs) | NA |
| | | Modify Entitlement (using APIs) | NA |
| | | Add Entitlement (using APIs) | NA |
| | | View Approval Policies | NA |
| | | Create Approval Policies | NA |
| | | Modify Approval Policies | NA |
| | | Delete Approval Policies | NA |
| | | Access Advanced UI | NA |
| | | View Password Policy | NA |
| | | Create Password Policy | NA |
| | | Modify Password Policy | NA |
| | | Delete Password Policy | NA |
| | | View Notification | NA |
| | | Create Notification | NA |
| | | Delete Notification | NA |
| | | Modify Notification | NA |
| | | Add Locale to Notification | NA |
| | | Remove Locale from Notification | NA |
| | | Complete Async Event Handlers | NA |
| | | Orchestration Operation | NA |
| | | Register Plugin | NA |
| | | Unregister Plugin | NA |
| | | View Scheduled Jobs | NA |
| | | Start Scheduler | NA |
| | | Stop Scheduler | NA |
| | | Add Task | NA |
| | | Modify Task | NA |
| | | Delete Task | NA |
| | | Create Trigger | NA |
| | | Delete Trigger | NA |
| | | Modify Trigger | NA |
| | | View Jobs | NA |
| | | Create Jobs | NA |
| | | Modify Jobs | NA |
| | | Delete Jobs | NA |
| | | Enable Jobs | NA |
| | | Disable Jobs | NA |
| | | Run-now Jobs | NA |
| | | Pause Jobs | NA |
| | | Resume Jobs | NA |
| | | Stop Jobs | NA |
| | | Reset Status | NA |
| | | View System Properties | NA |
| | | Create System Properties | NA |
| | | Modify System Properties | NA |
| | | Delete System Properties | NA |
| | | View Attributes | NA |
| | | Add Attributes | NA |
| | | Modify Attributes | NA |
| | | Delete Attributes | NA |
| | | Add Derived Attributes | NA |
| SPML Admin | | Create, modify, and delete users | Request |
| | | Search users on all the attributes | NA |
| | | Enable user status | Request |
| | | Disable user status | Request |
| | | Add role memberships | Request |
| | | Delete role memberships | Request |
| | | Search roles on all the attributes | NA |
| | | Create, modify, and delete roles | Request |
Note:
You can add a restriction on home organization permissions such that only a manager can view or modify the manager's reportees. To do so, open and delete the following policies by using the Authorization Policy Management (APM) UI:
OrclOIMUserHomeOrgDirectWithAttributesPolicy
OrclOIMUserHomeOrgDirectPolicy
OrclOIMUserHomeOrgApprovalWithAttributesPolicy
OrclOIMUserHomeOrgApprovalPolicy
For more information about the authorization policies used to control users' access to the Oracle Identity Manager application, see the "Security Architecture" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
There are some operations that can be delegated to other users (delegated administrators). These operations are:
Create User
Modify User
Enable User
Disable User
Change Password
Assign Roles
Assign Organizations
Assign Entitlements
Provisioning Accounts
Create and Manage Organization and Organization hierarchy
Create and Manage Role and Role Hierarchy
Create and Manage RO and IT Resource Instances
The following operations cannot be delegated to other users:
Create and Manage Catalog
Other System Administration Tasks
Lookup Definition Management
Password Policy Definition management
Password policies are a list of rules or conditions that govern the syntax of the password. Password policies are created by System Administrators. For more information about creating and managing password policies, see the "Managing Password Policies" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Organization administrators can attach a password policy to an organization either while creating an organization or at any later point in time. The procedure to create or modify an organization is discussed later in this chapter.
In Oracle Identity Manager, password policies are evaluated in the following scenarios:
When users register themselves in Oracle Identity Manager to perform certain tasks in Identity Self Service or Oracle Identity System Administration.
When users reset their password using the Forgot Password? link.
When users change their enterprise password or target system account password from the Change Password section of the My Information page.
When an administrator sets or changes the password of a user manually.
The following is the order in which a user's effective password policy is evaluated:
The password policy (if available) set for the user's home organization is applicable for the user.
If no password policy is set for the user's home organization, then the policy of the organization at the next level up in the hierarchy of the user's home organization is picked. This walk up the hierarchy continues until an organization associated with a password policy is found, and that password policy applies to the user.
If none of the organizations in the hierarchy has a password policy set, then the password policy attached to the Top organization applies. If no password policy is attached to the Top organization, then the default password policy of the XellerateUsers resource applies.
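The resolution order above, written out as a lookup function; this is an added example, not Oracle Identity Manager code. The organization tree, the attached policy names and the label used for the XellerateUsers fallback are constructed for the illustration.

```python
from typing import Dict, Optional, Tuple

# Constructed sample hierarchy: parent of each organization (Top has none).
PARENT: Dict[str, Optional[str]] = {
    "Top": None,
    "Internal Users": "Top",
    "External Users": "Top",
    "Partner1": "External Users",
    "Partner1 US": "Partner1",
    "Partner1 EMEA": "Partner1",
}

# Constructed sample data: password policy attached to an organization, if any.
ATTACHED_POLICY: Dict[str, str] = {
    "Partner1": "Partner1 Policy",
    "Partner1 EMEA": "EMEA Strict Policy",
    "Top": "Corporate Default Policy",
}

# Assumed label for the fallback; the real default policy belongs to the
# XellerateUsers resource object.
XELLERATE_DEFAULT = "XellerateUsers default policy"


def effective_password_policy(
    home_org: str,
    parent: Dict[str, Optional[str]] = PARENT,
    attached: Dict[str, str] = ATTACHED_POLICY,
) -> Tuple[str, str]:
    """Return (policy name, where it came from) for a user's home organization.

    Walks from the home organization towards Top and stops at the first
    organization with a policy attached. Top is simply the last organization
    on that path, so its policy is used only when no lower level has one.
    If nothing on the path has a policy, the XellerateUsers default applies.
    """
    org: Optional[str] = home_org
    seen = set()
    while org is not None:
        if org in seen:  # defensive: a cyclic hierarchy would never reach Top
            raise ValueError(f"cycle in organization hierarchy at {org!r}")
        seen.add(org)
        if org in attached:
            return attached[org], org
        org = parent[org]  # KeyError here means an unknown organization name
    return XELLERATE_DEFAULT, "XellerateUsers resource"
```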
The tasks related to organization management are performed in the Organizations section of Identity Self Service. The tasks are described in the following sections:
To search for organizations:
Log in to Identity Self Service.
In the left pane, under Administration, click Organizations. The Organization page is displayed.
Select any one of the following:
All: Search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.
Any: Search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.
In the Organization Name field, enter the organization name to search for, and select a search comparator. The default search comparator is Starts With; the Equals comparator is available in the list as an alternative.
You can use wildcard characters to specify the organization name.
From the Type list, select the organization type. The organization type can be Branch, Company, or Department.
To add a field in your search:
Click Add Fields, and select a field, such as Organization Status.
Enter a value for the search attribute that you added. In this example, from the Organization Status list, select the organization status, which can be Active, Deleted, or Disabled.
If you want to remove a field that you added in the search, then click the cross icon next to the field.
Click Search. The results are displayed in the search results table.
The search results table displays the organization name, parent organization name, organization type, and organization status, as shown in Figure 13-2:
To create an organization:
In Identity Self Service, under Administration, click Organizations. The Search Organizations page is displayed.
From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Organization page is displayed, as shown in Figure 13-3:
In the Organization Name field, enter the name of the organization.
From the Type list, select the type of the organization, such as Branch, Company, or Department.
Specify the parent organization to which the newly created organization will belong. To do so:
Click the search icon next to the Parent Organization field. The Search Organizations dialog box is displayed.
Search and select the organization that you want to specify as the parent organization.
Click Select. The selected organization is added as the parent organization.
(Optional) Select a user in the Certifier User Login field to specify the selected user as the organization certifier of the organization being created. See "Setting User Manager and Organization Certifier" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about organization certifier.
Specify a password policy name that you want to associate with the organization. To do so:
Click the search icon next to the Password Policy Name field. The Search Password Policy Name dialog box is displayed.
Search and select the password policy that you want to associate with the organization. To list all password policies, you can click the search icon, and then you can select the password policy from the search results.
Click Add. The selected password policy name is added to the Password Policy Name field.
See Also:
"Managing Password Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about creating and managing password policies.
Click Save to create the organization.
The view organization operation allows you to view detailed organization profile information in the organization details page. You can view this page only if you are authorized to view the organization profile as determined by the authorization policy. If you have the authorization to modify the organization, then you can also modify the organization by using this page.
To open the details of an organization:
In Identity Self Service, under Administration, click Organizations. The Organization page is displayed.
Search and select the organization whose details you want to display.
From the Actions menu, select Open. Alternatively, click Open on the toolbar. The details of the selected organization are displayed in a new page, as shown in Figure 13-4:
Figure 13-4 The Organization Details Page
You can perform administrative organization modifications in the organization details page. The modification is divided across the different sections of the organization details page, which means that modifications done in each section are independent of each other and must be saved individually. The modification for each section is described in the following sections:
The Attributes tab, as shown in Figure 13-4, of the organization details page displays attributes of the organization. If you are authorized to modify the organization profile as determined by authorization policy, then the organization details page opens in editable mode, and you can modify organization information. You can modify the values for the attributes, and then click Apply to save the changes.
Whether or not the logged-in user is allowed to modify the organization is controlled by authorization policies. If you are not allowed to modify the organization, then the organization details page is displayed in read-only mode with no editable fields.
Note:
The Status attribute in the organization details page is read-only.
The Children tab displays a list of the child organizations of the open organization. For each child organization in the list, the organization name, organization type, and organization status are displayed.
The Children tab enables you to perform the following:
In the Children tab, you can create a child organization or suborganization of the open organization by selecting Create Sub-org from the Actions menu. Alternatively, click Create Sub-org on the toolbar. The Create organization page is displayed. Perform the steps described in "Creating an Organization" to complete creating the child organization.
To delete a child organization:
In the Children tab, select the organization you want to delete.
From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A message is displayed asking for confirmation.
Click Delete to confirm. The selected child organization is deleted.
To disable a child organization:
In the Children tab, select the organization you want to disable.
From the Actions menu, select Disable. Alternatively, click Disable on the toolbar. A message is displayed asking for confirmation.
Click Disable to confirm. The selected child organization is disabled.
To enable a child organization:
In the Children tab, select the organization you want to enable.
From the Actions menu, select Enable. Alternatively, click Enable on the toolbar. A message is displayed asking for confirmation.
Click Enable to confirm. The selected child organization is enabled.
To open a child organization:
In the Children tab, select the organization you want to open.
From the Actions menu, select Open. Alternatively, click Open on the toolbar, or click the name of the organization.
The organization details page for the selected organization is displayed, by using which you can modify the details of that organization.
The Members tab displays a list of users in the open organization. For each user in the list, the following are displayed:
User Login
Display Name
First Name
Last Name
Relationship Type
Tip:
You can add or remove users to and from organizations by using the Attributes tab of the user details page.

The Relationship Type column displays the type of relationship that the user has with the organization. This is described in detail in "Managing Dynamic Organization Membership".
Users are assigned to organizations by specifying an organization name in the Organization attribute of the user details. This is called a static membership. In addition, you can dynamically assign users to organizations based on user-membership rules, which you can define in the Members tab of the organization details page. All users that satisfy the user-membership rule are dynamically associated with the organization irrespective of which organization hierarchy the users statically belong to.
Each organization can have at most one user-membership rule. Because a user can satisfy the rules of several organizations, dynamic membership lets a user be a member of multiple organizations at a time, and thereby view and request the resources published to each of them.
The dynamic memberships can be revoked by changing the user-membership rules.
Managing dynamic user-organization memberships is described in the following sections:
To create dynamic membership rule for an organization:
In the Members tab of the organization details page, click Add Rule. The Expression Builder is displayed.
In the Attributes tab, select an attribute, such as Country, and then click Add. The attribute is added to the expression builder for which you can specify a value. In addition, the Literals tab is displayed.
In the Value field, enter a value for the selected attribute, such as US, and then click Add. The value is added to the expression builder. The expression for the membership rule specifies that users with Country as US will be members of the selected organization.
Figure 13-5 shows the Expression Builder with a sample dynamic organization membership rule.
Figure 13-5 Dynamic Organization Membership Rule
Click the Preview Results tab. This tab displays all the users that match the specified membership rule and will be assigned to the selected organization.
Click Save. The Members tab is displayed with the membership rule added in the User Membership Rule section.
Click any one of the following:
Apply: Clicking this button saves the membership rule for later evaluation. The users matching the rule criteria will be assigned to the selected organization when you run the Refresh Organization Memberships scheduled job. This scheduled job evaluates the changes in user-organization membership rules since the last job run and assigns users to organizations based on the rules. For more information about this scheduled job, see "Predefined Scheduled Tasks" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Apply and Evaluate: Clicking this button saves the membership rule and evaluates it against all users. As a result, the users that match the rule criteria are displayed in the list of members of the selected organization. The Relationship Type column for such users displays Dynamic Member because these users are assigned to the selected organization based on the membership rule.
Revert: Clicking this button reverts the changes done after saving.
WARNING:
The membership rule will be lost if you close the organization details page without clicking any one of the Apply, Apply and Evaluate, and Revert buttons.
To modify a user-membership rule:
In the User Membership Rule section of the Members tab, click Edit Rule. The Expression Builder is displayed with the user-membership rule.
If you want to change the attribute in the existing user-membership rule, then click the attribute to select it, and select another attribute in the Attributes tab. When finished, click Add.
Similarly, you can click the value to change it and specify a different value.
To add more criteria to the user-membership rule, click the down arrow and select any operator, such as AND or OR. To remove the rule, select REMOVE. You can specify complex criteria by building an expression as required.
Click the Preview Results tab. This tab displays all the users that match the specified membership rule and will be assigned to the selected organization.
Click Save. The Members tab is displayed with the modified membership rule in the User Membership Rule section.
To delete a user-membership rule:
In the User Membership Rule section of the Members tab, click Delete Rule. A warning message is displayed asking for confirmation.
Click Yes to confirm the deletion.
After you confirm the rule deletion, all dynamic memberships created by the rule are revoked immediately, in the post-process. There is no offline evaluation for organization membership rule deletion.
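The following is an added illustration, not code from Oracle Identity Manager, of the membership model described above: one rule per organization, Apply versus Apply and Evaluate, the Refresh Organization Memberships job acting only on rules changed since its last run, and immediate revocation on rule deletion. The sample users, the attribute names and the "Static Member" label are assumptions made for this example; "Dynamic Member" is the label the Members tab shows.

```python
"""
Added illustration (not Oracle code): a model of how an organization's single
user-membership rule is evaluated and how static and dynamic membership combine.
Sample users, attribute names and the "Static Member" label are assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample users modelled on the Vision Inc. example. "organization"
# is the static membership (the Organization attribute of the user record).
USERS = {
    "alice": {"organization": "Partner1 US",    "country": "US", "type": "Partner"},
    "bob":   {"organization": "Partner1 EMEA",  "country": "UK", "type": "Partner"},
    "carol": {"organization": "Partner2",       "country": "US", "type": "Partner"},
    "dave":  {"organization": "Internal Users", "country": "US", "type": "Employee"},
}


def evaluate(rule, attrs):
    """Evaluate an Expression Builder style rule against one user's attributes.

    rule is ("attr", name, value) for 'attribute equals literal', or
    ("and"|"or", left, right) for two criteria joined by an operator.
    """
    op = rule[0]
    if op == "attr":
        return attrs.get(rule[1]) == rule[2]
    if op == "and":
        return evaluate(rule[1], attrs) and evaluate(rule[2], attrs)
    if op == "or":
        return evaluate(rule[1], attrs) or evaluate(rule[2], attrs)
    raise ValueError(f"unknown operator {op!r}")


@dataclass
class OrgMemberships:
    rules: dict = field(default_factory=dict)    # org -> its single rule
    pending: set = field(default_factory=set)    # saved with Apply, not yet evaluated
    dynamic: dict = field(default_factory=dict)  # org -> logins matched by its rule

    def apply(self, org, rule):
        """'Apply': save the rule; the scheduled job evaluates it later."""
        self.rules[org] = rule
        self.pending.add(org)

    def apply_and_evaluate(self, org, rule):
        """'Apply and Evaluate': save the rule and evaluate it against all users now."""
        self.rules[org] = rule
        self.pending.discard(org)
        self._evaluate(org)

    def refresh_job(self):
        """'Refresh Organization Memberships' job: only rules changed since the last run."""
        for org in sorted(self.pending):
            self._evaluate(org)
        self.pending.clear()

    def delete_rule(self, org):
        """Deleting the rule revokes its dynamic memberships immediately."""
        self.rules.pop(org, None)
        self.pending.discard(org)
        self.dynamic.pop(org, None)

    def _evaluate(self, org):
        # Every user is tested, whatever hierarchy they statically belong to.
        self.dynamic[org] = {login for login, a in USERS.items()
                             if evaluate(self.rules[org], a)}

    def members(self, org):
        """What the Members tab would list: login -> Relationship Type."""
        result = {login: "Static Member" for login, a in USERS.items()
                  if a["organization"] == org}
        for login in sorted(self.dynamic.get(org, ())):
            result.setdefault(login, "Dynamic Member")
        return result


if __name__ == "__main__":
    m = OrgMemberships()
    m.apply("US Partners", ("and", ("attr", "country", "US"), ("attr", "type", "Partner")))
    print(m.members("US Partners"))   # {} : nothing until the job runs
    m.refresh_job()
    print(m.members("US Partners"))   # alice and carol, pulled from two partner hierarchies
```

The point to take from the model is the visibility caveat: a rule such as Country equals US matches users from every hierarchy, so a rule on a partner organization can pull internal users into it, and anyone holding a viewer admin role on that organization then sees those users. Review the Preview Results tab before saving for exactly this reason.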
You can view the roles in an organization by clicking the Available Roles tab of the organization details page. The role names, role categories, and corresponding organization names are listed in this tab.
You can view the admin roles that are assigned to an organization by clicking the Admin Roles tab of the organization details page. The admin roles and their corresponding description are listed in this tab. When you select an admin role, the users who have the selected admin role are displayed in the User Members section. This tab also allows you to grant and revoke admin roles available to the open organization to users.
Note:
Oracle Identity Manager does not support the creation of new admin roles.

In the Admin Roles tab, you can perform the following:
To grant an admin role to a user:
In the organization details page, click the Admin Roles tab. A list of admin roles assigned to the open organization is displayed.
Select the admin role that you want to grant to a user.
From the Actions menu, select Assign. Alternatively, click Assign on the toolbar. The Advanced Search for Target Users dialog box is displayed.
Search for the target users to whom you want to grant the selected admin role. You can select the Just show my directs option to list only your direct reports.
In the User Results section, select the user that you want to grant the admin role.
Click Add Selected to move the selected user to the Selected Users section. Alternatively, you can click Add All to move all the users from the User Results section to the Selected Users section.
Click Select. The admin role is granted to the selected user. When you click the admin role in the Admin Roles tab, the selected user's record is displayed in the User Members section.
In the User Members section, select the user record. Select the include sub-orgs option to grant the admin role to the user's organization and its suborganizations. If you want to grant the admin role to the user's organization only, then do not select this option.
To revoke an admin role from a user:
In the Admin Roles tab, select an admin role from which you want to revoke the user.
In the User Members section, select the user from whom you want to revoke the admin role.
From the Actions menu, select Revoke. Alternatively, click Revoke on the toolbar. A message is displayed asking for confirmation.
Click Revoke to confirm. The user record is no longer displayed when you select the admin role.
To change whether the grant also covers the suborganizations of the currently opened organization, select or clear the include sub-orgs option for the user record in the User Members section, and then click Apply.
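The following is an added illustration, not Oracle code, of how the grant, revoke and include sub-orgs operations above resolve against the organization hierarchy: a grant on an organization covers that organization; with include sub-orgs it also covers every descendant, and never an ancestor or a sibling branch. The hierarchy and logins follow the Vision Inc. example, and "Organization Viewer" is used only as an example admin role name. In the product the final decision is made by its authorization policies; this model covers only the direct grants shown in the Admin Roles tab.

```python
"""
Added illustration (not Oracle code): a model of admin-role scope over the
organization hierarchy, including the "include sub-orgs" option.
"Organization Viewer" is an example role name; the hierarchy is constructed.
"""

# Constructed hierarchy: child organization -> parent organization.
PARENT = {
    "Internal Users": "Top",
    "External Users": "Top",
    "Partner1": "External Users",
    "Partner2": "External Users",
    "Partner1 US": "Partner1",
    "Partner1 EMEA": "Partner1",
}


def ancestors(org):
    """Yield org itself, then each ancestor up to the root."""
    while org is not None:
        yield org
        org = PARENT.get(org)


class AdminRoleGrants:
    """Grants as shown in the Admin Roles tab: (user, role, org) -> include_suborgs."""

    def __init__(self):
        self.grants = {}

    def assign(self, user, role, org, include_suborgs=False):
        """Assign: grant the role to the user for org (and optionally its subtree)."""
        self.grants[(user, role, org)] = include_suborgs

    def set_include_suborgs(self, user, role, org, include_suborgs):
        """Apply in User Members: change the scope of an existing grant."""
        if (user, role, org) not in self.grants:
            raise KeyError(f"{user} does not hold {role} on {org}")
        self.grants[(user, role, org)] = include_suborgs

    def revoke(self, user, role, org):
        """Revoke: remove the grant; the user no longer appears under the role."""
        self.grants.pop((user, role, org), None)

    def has_scope(self, user, role, target_org):
        """True if some grant of role to user covers target_org.

        A grant on target_org itself always covers it; a grant on an ancestor
        covers it only when include_suborgs was selected for that grant.
        """
        for org in ancestors(target_org):
            flag = self.grants.get((user, role, org))
            if flag is None:
                continue
            if org == target_org or flag:
                return True
        return False

    def user_members(self, role, org):
        """User Members section for a selected role on the open organization."""
        return sorted(u for (u, r, o) in self.grants if r == role and o == org)


if __name__ == "__main__":
    g = AdminRoleGrants()
    g.assign("partner1_da", "Organization Viewer", "Partner1", include_suborgs=True)
    g.assign("user1", "Organization Viewer", "Partner1 US")
    for target in ("Partner1 US", "Partner1 EMEA", "Partner2"):
        print(target,
              g.has_scope("partner1_da", "Organization Viewer", target),
              g.has_scope("user1", "Organization Viewer", target))
```

Clearing include sub-orgs on Partner1 DA's grant is the least-privilege lever: the grant then stops at Partner1 itself, and the regional suborganizations need their own delegated administrators.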
The accounts available to an organization are the accounts that have been published to the organization, which means that the users of the organization can request them. The Available Accounts tab lists these accounts for the open organization.
The Provisioned Accounts tab displays the accounts that have been provisioned to the open organization.
In the Provisioned Accounts tab, you can perform the following:
To provision a resource to an organization:
In the Provisioned Accounts tab, select the account that you want to provision.
From the Actions menu, select Provision. Alternatively, click Provision on the toolbar.
The Provision Resource to Organization page is displayed in a new window.
On the Step 1: Select a Resource page, select a resource from the list, and then click Continue.
On the Step 2: Verify Resource Selection page, click Continue.
On the Step 5: Provide Process Data page, enter the details of the account that you want to provision to the organization, and then click Continue.
On the Step 6: Verify Process Data page, verify the data that you have provided, and then click Continue. The "Provisioning has been initiated" message is displayed.
To revoke a resource from an organization:
In the Provisioned Accounts tab, select the account that you want to revoke.
From the Actions menu, select Revoke. Alternatively, you can click Revoke on the toolbar.
A message is displayed asking for confirmation.
Click Yes.
To view the details of a provisioned resource:
In the Provisioned Accounts tab, select the account you want to open.
From the Actions menu, select Open. Alternatively, you can click Open on the toolbar.
The details of the account are displayed in a new page.
To disable a provisioned resource:
In the Provisioned Accounts tab, select the account you want to disable.
From the Actions menu, select Disable. Alternatively, you can click Disable on the toolbar.
A message is displayed stating that the provisioned account has been successfully disabled.
To enable a resource provisioned to the organization:
In the Provisioned Accounts tab, select the resource you want to enable.
From the Actions menu, select Enable. Alternatively, you can click Enable on the toolbar.
A message is displayed stating that the provisioned account has been successfully enabled.
You can view the entitlements published to the open organization by clicking the Available Entitlements tab. For each entitlement, the following information is displayed:
Entitlement name
Resource associated with the entitlement
Account name associated with the entitlement
Organization name
Note:
You cannot disable an organization that has child organizations or users. You can force the disable only by setting the ORG.DisableDeleteActionEnabled system property to true. After you set this property, the users and suborganizations are disabled along with the parent organization.

To disable an organization with enabled state:
In the search result for organizations in the Search Organization page, select the organization that you want to disable.
From the Actions menu, select Disable. Alternatively, click Disable on the toolbar, or open the organization details page and click Disable.
A message is displayed asking for confirmation.
Click Disable to confirm.
To enable an organization with disabled state:
In the search result for organizations in the Search Organization page, select the organization that you want to enable.
From the Actions menu, select Enable. Alternatively, click Enable on the toolbar, or open the organization details page and click Enable.
A message is displayed asking for confirmation.
Click Enable to confirm.
Note:
You cannot delete an organization that has child organizations or users. You can force the delete only by setting the ORG.DisableDeleteActionEnabled system property to true. After you set this property, the users and suborganizations are deleted along with the parent organization.
You can delete an organization only if you have the Delete permission for that organization.
A deleted organization is not removed from the database; its record is retained and marked as deleted.
To delete an organization:
In the search result for organizations in the Search Organization page, select the organization that you want to delete.
From the Actions menu, select Delete. Alternatively, click Delete on the toolbar, or click Delete on top of the organization details page.
A message is displayed asking for confirmation.
Click Delete to confirm.
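The following is an added illustration, not Oracle code, of the guard that the disable and delete procedures above describe: an organization with child organizations or users is refused unless ORG.DisableDeleteActionEnabled is true, in which case the action cascades over the whole subtree, and deletion only marks records as deleted. The status strings, the sample hierarchy, the user assignments and the permission check are assumptions made for this example.

```python
"""
Added illustration (not Oracle code): a model of disabling and deleting an
organization under the ORG.DisableDeleteActionEnabled system property, with
soft deletion. Status strings and sample data are assumptions.
"""


class OrgStore:
    def __init__(self, parent, users_by_org, disable_delete_action_enabled=False):
        self.parent = dict(parent)                        # org -> parent org
        self.users = {o: set(u) for o, u in users_by_org.items()}
        self.org_status = {o: "Active" for o in parent}
        self.user_status = {u: "Active" for us in self.users.values() for u in us}
        self.deleted = set()                              # rows kept, marked deleted
        # Value of the ORG.DisableDeleteActionEnabled system property.
        self.cascade = disable_delete_action_enabled

    def children(self, org):
        """Child organizations that have not been deleted."""
        return [c for c, p in self.parent.items() if p == org and c not in self.deleted]

    def subtree(self, org):
        """org followed by all of its not-yet-deleted descendants."""
        out = [org]
        for child in self.children(org):
            out.extend(self.subtree(child))
        return out

    def _guard(self, org, action):
        """Refuse unless the organization is empty or the cascade property is true."""
        if (self.children(org) or self.users.get(org)) and not self.cascade:
            raise PermissionError(
                f"cannot {action} {org!r}: it has child organizations or users "
                "and ORG.DisableDeleteActionEnabled is false")

    def disable(self, org):
        """Disable org; with the property set, its users and sub-orgs are disabled too."""
        self._guard(org, "disable")
        affected = self.subtree(org)
        for o in affected:
            self.org_status[o] = "Disabled"
            for u in self.users.get(o, ()):
                self.user_status[u] = "Disabled"
        return affected

    def delete(self, org, permissions):
        """Soft-delete org (requires the Delete permission); cascades like disable."""
        if "Delete" not in permissions:
            raise PermissionError(f"no Delete permission on {org!r}")
        self._guard(org, "delete")
        affected = self.subtree(org)
        for o in affected:
            self.deleted.add(o)
            self.org_status[o] = "Deleted"
            for u in self.users.get(o, ()):
                self.user_status[u] = "Deleted"
        return affected


# Constructed sample hierarchy (child -> parent) and user assignments.
PARENT = {"External Users": "Top", "Partner1": "External Users",
          "Partner2": "External Users", "Partner1 US": "Partner1",
          "Partner1 EMEA": "Partner1"}
USERS_BY_ORG = {"Partner1 US": {"user1"}, "Partner2": {"user2"}}


if __name__ == "__main__":
    forced = OrgStore(PARENT, USERS_BY_ORG, disable_delete_action_enabled=True)
    print(forced.disable("Partner1"))      # the whole Partner1 subtree, users included
    print(forced.delete("Partner1", permissions={"Delete"}))
    print(forced.children("External Users"))   # only Partner2 remains visible
```

The property is global, so once it is true every delete or disable of a populated organization cascades; treat changing it as a privileged, audited operation and set it back to false after the intended force action.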