15 Managing Self Service Capability Policy

Oracle Identity Manager allows you to control which operations a user can perform on their own account. For example, if a user belongs to a particular organization, then the user is allowed only to change their own profile, and other operations in Oracle Identity Manager are restricted. This is achieved by setting rules in the Self Service Capability Policy. In the Self Service Capability Policy, you define rules based on user attributes. You can also mark user attributes as denied attributes for users who satisfy a rule; a user cannot view or edit attributes that are denied for them. The return value of a rule is the capability assigned to the user and the denied attributes that are configured. The Self Service Capability Policy is seeded with a default rule.

Multiple self service capability rules can be configured. These rules are evaluated in order, and the order can be configured from the Self Service Capabilities page in Oracle Identity System Administration. The rules are evaluated one by one, and the capabilities of the first matching rule are assigned to the user.

This chapter includes the following sections:

  • Default Self Service Capability Rule

  • Example of Self Service Capability Rules and Rule Evaluation Order

  • Creating a Rule in Self Service Capability Policy

  • Modifying a Rule in Self Service Capability Policy

  • Deleting a Rule in Self Service Capability Policy

15.1 Default Self Service Capability Rule

The Self Service Capability Policy is seeded with a Default Self Service Capability rule. The default condition always evaluates to true. Therefore, if none of the other rules defined in the Self Service Capability Policy is satisfied, the default rule matches and grants the user all the self service capabilities.

15.2 Example of Self Service Capability Rules and Rule Evaluation Order

Examples of rules that can be set are:

  • If the user type is Contractor, then the user is allowed only to manage their own profile.

    If user.Role Equal Contractor THEN capability Equal selfModifyUser
    
  • If the user type is Full Time and the user belongs to the Sales department, then the user is allowed to request roles and modify their profile.

    If user.Role Equal Full-time AND user.Department Number Equal Sales 
    THEN 
    capability Equal addSelfRoles
    AND 
    capability Equal selfModifyUser
    
  • If the user type is Full Time and the country is not USA, then the user is allowed to modify their profile, and Middle Name is a denied attribute for this user.

    If user.Role Equal Full-time AND user.Country Not Equal USA 
    THEN 
    capability Equal selfModifyUser
    AND 
    deniedAttribute Equal Middle Name
    
  • If the user type is Full Time and the country is USA, then the user is allowed to modify their profile.

    If user.Role Equal Full-time AND user.Country Equal USA
    THEN 
    capability Equal selfModifyUser
    

When a user is created, the first rule evaluated is the most recently defined rule, followed by the next most recent, and so on down to the default rule. Evaluation stops as soon as a match is found.

For example, consider that the Contractor rule is created first, followed by Full-Time User, Full Time User USA, and Full Time User non USA. Figure 15-1 shows the order of the rules.

When a user is created, the user's attribute values are evaluated against Full Time User non USA first. If that rule does not match, evaluation proceeds to Full Time User USA, then to Full-Time User, and then to Contractor. If none of these rules match, the user is evaluated against the default rule, Default Self Service Capability. If the evaluation against Full Time User non USA is satisfied, the user's capability is set according to the condition in that rule.

Figure 15-1 List of Rules Defined in Self Service Capabilities Page

The order of the rules can be modified using the arrow buttons in the Order column of the rule.
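The evaluation order described above, as an added example that is not Oracle's code: a small model of the Self Service Capability rules from Section 15.2, evaluated latest-defined first with the default rule last. The rule set, the user records, and the capabilities granted by the default rule are constructed sample data; the operator names mirror the Condition Builder's text-type conditions.

```python
from dataclasses import dataclass, field

def _holds(op, actual, expected):
    """Text-type Condition Builder operators; comparison is case sensitive."""
    actual, expected = str(actual or ""), str(expected)
    return {"Equal": actual == expected, "Not Equal": actual != expected,
            "Contains": expected in actual, "Does Not Contain": expected not in actual,
            "Begins With": actual.startswith(expected), "Ends With": actual.endswith(expected)}[op]

@dataclass
class Rule:
    name: str
    conditions: list                      # IF part: [(attribute, operator, value)]
    capabilities: set = field(default_factory=set)         # THEN: capability Equal ...
    denied_attributes: set = field(default_factory=set)    # THEN: deniedAttribute Equal ...
    combine: str = "AND"                  # AND / OR chosen via Add Condition
    enabled: bool = True                  # Status Disable: rule is skipped during evaluation

    def matches(self, user):
        if not self.conditions:           # the seeded default rule always evaluates to true
            return True
        hits = [_holds(op, user.get(attr), val) for attr, op, val in self.conditions]
        return all(hits) if self.combine == "AND" else any(hits)

# Assumed for this example: the capabilities "all the self service capabilities" expands to.
DEFAULT_RULE = Rule("Default Self Service Capability", [],
                    capabilities={"selfModifyUser", "addSelfRoles"})

def evaluate(rules_in_creation_order, user):
    """Latest defined rule is checked first, the default rule last; first match wins."""
    for rule in list(reversed(rules_in_creation_order)) + [DEFAULT_RULE]:
        if rule.enabled and rule.matches(user):
            return rule.name, set(rule.capabilities), set(rule.denied_attributes)

def move_to_top(rules, name):
    """Mimic the Order-column arrow buttons: make `name` the first rule evaluated."""
    rule = next(r for r in rules if r.name == name)
    return [r for r in rules if r is not rule] + [rule]

# Constructed sample rules, in the creation order Section 15.2 uses (Contractor first).
RULES = [
    Rule("Contractor", [("Role", "Equal", "Contractor")], {"selfModifyUser"}),
    Rule("Full-Time User", [("Role", "Equal", "Full-time"), ("Department Number", "Equal", "Sales")],
         {"addSelfRoles", "selfModifyUser"}),
    Rule("Full Time User USA", [("Role", "Equal", "Full-time"), ("Country", "Equal", "USA")],
         {"selfModifyUser"}),
    Rule("Full Time User non USA", [("Role", "Equal", "Full-time"), ("Country", "Not Equal", "USA")],
         {"selfModifyUser"}, {"Middle Name"}),
]
```

With this order a Full-time Sales user in the USA is caught by Full Time User USA before the Sales rule is reached and never receives addSelfRoles; `move_to_top(RULES, "Full-Time User")` shows how reordering changes the outcome.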

15.3 Creating a Rule in Self Service Capability Policy

To create a rule in self service capabilities:

  1. Log in to Oracle Identity System Administration.

  2. In the left pane, under System Configuration, click Self Service Capabilities. The Self Service Capabilities page is displayed.

  3. Click Create on the toolbar. The Add Self Service Capability Policy Rule page is displayed.

  4. Under the Create Rule section, enter Name, Description, Owner, and Status for the new rule. Status of a rule can be set to Enable or Disable. If the Status is set to Disable, then when a user is created, this rule is skipped during evaluation.

  5. Set the rule condition in the Condition Builder section. To set a rule using the Condition Builder:

    1. Under the IF part of the rule, click the condition builder icon to enter an attribute. The Condition Builder pop-up screen is displayed.

      As an example, Figure 15-2 shows the Add Rule page.

      Figure 15-2 Creating Rule With Condition Builder Option

    2. Select the user attribute from the attribute list. The searchable attributes and UDFs (user-defined fields) associated with the User entity are listed.

      Search for the particular attribute from the list or type the name of the attribute in the text box and click the Search icon. Select the attribute from the list and click OK.

    3. Select the condition from the conditions drop-down list. The available conditions are Equal, Not Equal, Contains, Does Not Contain, Begins With, Does Not Begins With, Ends With, and Does Not Ends With.

      Note:

      This list varies based on the type of the attribute. The list above is for text-type attributes. Number-type attributes can have conditions such as Greater than and Lesser than.

    4. To enter a value, type it in the text box and click OK, or click the Value icon to open the Condition Builder pop-up screen.

      In the Condition Builder, you can opt to enter a Value or an Expression.

      If you select Value, a list of values is displayed. Select the required value, or type the value in the text box, and click OK.

      If you select Expression, a list of conditions is displayed. Select the required value and click OK.

      Note:

      This field is case sensitive.

    5. To enter the THEN part of the rule, click the condition builder icon. The Condition Builder pop-up screen is displayed. Select Capability or Denied Attributes and click OK.

    6. The condition is set to Equals and cannot be changed.

    7. To select the capability or denied attribute, depending on the selection in the previous step, click the condition builder icon under the THEN section. The Condition Builder pop-up screen is displayed. Select the desired capability or denied attribute from the list and click OK.

      Note:

      • Mandatory attributes and system-generated attributes such as Status, Display Name, and User Login cannot be included in the denied attributes list.

      • When denied attributes are specified, the user will not be able to view or modify those attributes.

  6. To set complex rules, click Add Condition. Select the AND or OR condition and set the additional condition by following the instructions in Step 5.

  7. Click Create.

15.4 Modifying a Rule in Self Service Capability Policy

To modify a rule in self service capabilities:

  1. Log in to Oracle Identity System Administration.

  2. In the left pane, under System Configuration, click Self Service Capabilities. The Self Service Capabilities window is displayed.

  3. Select the self service capability you want to modify from the list and click Open.

  4. Modify the required details and click Update.

    If you do not want to save the changes made to the rule, click Revert. The rule is restored to its original definition.

15.5 Deleting a Rule in Self Service Capability Policy

To delete a rule in self service capabilities:

  1. Log in to Oracle Identity System Administration.

  2. In the left pane, under System Configuration, click Self Service Capabilities. The Self Service Capabilities window is displayed.

  3. Select the self service capability that needs to be deleted from the list and click Delete.