Managing Users

User life cycle is a term to describe the process flow of how a user account is created, managed, and deleted in an identity domain based on certain events or time factors.

A user account goes through various stages in the life cycle. The stages are non-existent, deactivated, activated, and deleted.

You can define business requirements for each transition of the user life cycle. Use the sample scenarios listed in the following table to establish the link between user life-cycle transitions and business objectives.

Current state: Non-existent
Operation: Create
Sample scenario: Human resources (HR) enters user profile information for a new hire.
Process description: If the new hire's start date isn't a future date, then the user account is introduced with an Activated status. If the new hire's start date is a future date, then the user account is created, and is then deactivated.

Current state: Deactivated
Operation: Activate
Sample scenario: The user's start date is in effect.
Process description: The user account is activated, and the user can now sign in and use this Oracle Cloud service. The user can access all groups, applications, and administration role privileges assigned to the user account.

Current state: Activated
Operation: Modify
Sample scenario: The user is promoted to a new position. HR changes the job title of the user.
Process description: New groups, applications, and administration roles are assigned to the user account. Old irrelevant groups, applications, and administration roles are removed from the user account.

Current state: Activated
Operation: Deactivate
Sample scenario: The user takes a one-year sabbatical from the company. HR manually deactivates the user account on the last working day of the user. The user rejoins the company after some period. HR activates the user account.
Process description: The user account is deactivated, and the user can no longer sign in and use this Oracle Cloud service. The user account can be activated again.

Current state: Activated
Operation: Delete
Sample scenario: The user retires from the company. HR manually deletes the user account on the last working day of the user.
Process description: The user account is removed. All groups, applications, and administration role privileges assigned to the user account are revoked as part of the workflow.

If you remove (delete) the user, the audit data of the user remains in the system. To manually (and immediately) purge the audit data of the deleted user, see Purging Audit Data for a Deleted User.
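The life-cycle rules above, as a small Python model added for this page (it is not Oracle's code and does not call any IAM API): which status a new account starts in, what deactivation keeps, what deletion revokes, and the audit records that survive deletion. Dates are assumed to be ISO "YYYY-MM-DD" strings; the allowed-character set for non-email usernames is the one listed under Creating Users below.

```python
"""Constructed model of the user life cycle (added here; not Oracle's code).
Dates are ISO 'YYYY-MM-DD' strings, which compare correctly as text."""
import string
from dataclasses import dataclass, field

DEACTIVATED, ACTIVATED = "deactivated", "activated"
# Characters allowed in a non-email username (a valid email address also passes).
ALLOWED_USERNAME_CHARS = set(string.ascii_letters + string.digits + string.whitespace
                             + '!@#$%^&*()_+=-{}[]|\\:"\';<>?/.,')


@dataclass
class UserAccount:
    username: str
    status: str
    groups: set = field(default_factory=set)
    applications: set = field(default_factory=set)
    admin_roles: set = field(default_factory=set)


class IdentityDomain:
    def __init__(self):
        self.users = {}   # username -> UserAccount; entry removed on delete
        self.audit = []   # (username, event) records; kept after delete

    def _log(self, username, event):
        self.audit.append((username, event))

    def create_user(self, username, start_date, today):
        """HR creates the profile; the start date decides the initial status."""
        if username in self.users:
            raise ValueError("one user account per user in an identity domain")
        bad = set(username) - ALLOWED_USERNAME_CHARS
        if bad:
            raise ValueError(f"username contains disallowed characters: {sorted(bad)}")
        status = DEACTIVATED if start_date > today else ACTIVATED
        self.users[username] = UserAccount(username, status)
        self._log(username, "create:" + status)
        return self.users[username]

    def set_status(self, username, new_status):
        """Activate or deactivate; memberships and assignments are left intact."""
        user = self.users[username]
        if user.status == new_status:
            raise ValueError("account is already " + new_status)
        user.status = new_status
        self._log(username, new_status)

    def reset_password(self, username):
        """Sends the reset notification; refused for deactivated accounts."""
        if self.users[username].status != ACTIVATED:
            raise ValueError("cannot reset the password of a deactivated account")
        self._log(username, "password-reset-notified")
        return True

    def delete(self, username):
        """Remove the account and revoke every assignment; audit data remains."""
        user = self.users.pop(username)
        revoked = len(user.groups) + len(user.applications) + len(user.admin_roles)
        user.groups.clear(); user.applications.clear(); user.admin_roles.clear()
        self._log(username, f"delete:revoked {revoked} assignments")
        return revoked

    def audit_for(self, username):
        return [event for who, event in self.audit if who == username]
```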

The following concepts are integral to user lifecycle management:

  • User Account: A user account represents a user in an identity domain, and enables the user to access the Oracle Cloud service to which they belong. In an identity domain, there is a one-to-one relationship between a user and a user account. By default, all users can use their accounts to perform self-service capabilities. Users can update their profiles, reset their passwords, unlock their accounts, and change their email preferences.

  • Administrator Role: You might want to provide a user account with administrative capabilities in IAM. To do this, you assign administrator roles to user accounts. See Assigning Users to Roles.

  • Group: Identity domains provide easy and controlled privilege management through groups. Groups are the links between user accounts and applications in the identity domain. Groups are designed to ease the administration of privileges that you grant to user accounts or other groups. See Managing Groups.

  • Application: Oracle applications are a complete and modular set of enterprise applications, engineered from the ground up to be cloud-ready and to coexist seamlessly in mixed environments.

    You can use identity domains in IAM to grant access to Oracle applications in two ways:

    • Directly: Assigning users to the applications

    • Indirectly: Assigning groups to the applications. Any users who are members of the groups are granted access to the applications.

    In addition to granting users and groups access to Oracle applications, you can grant users and groups access to entitlements within applications. For example, you use IAM to grant John Doe and Jane Doe access to Oracle Java Cloud Service. You want John Doe to have administrator privileges for Oracle Java Cloud Service, but Jane Doe to have user privileges only.

    Each entitlement in an Oracle application is represented by an application role. So by assigning John Doe to the application administrator role of Oracle Java Cloud Service, he can not only access this Oracle Cloud service, but he can also function as an administrator within it.

    See Managing Applications for more information about how you can use IAM to grant and revoke access rights for users and groups to applications and application roles.

Using the Console

Creating Users
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Click Create user.
  4. In the First name and Last name fields of the Create user window, enter the user’s first and last name.
  5. To have the user sign in with their email address:
    1. Leave the Use the email address as the username check box selected.
    2. In the Username / Email field, enter the email address for the user account.
    OR
  6. To have the user sign in with their user name:
    1. Clear the Use the email address as the username check box.
    2. In the Username field, enter the user name that the user is to use to sign in to the Console.
      Note

      The value that you enter into the Username field can be either a valid email address or a non-email string. If it's a non-email string, then the following characters are allowed:

      • a-z

      • A-Z

      • 0-9

      • Special characters !@#$%^&*()_+=-{}[]|\:"';<>?/.,

      • White space

    3. In the Email field, enter the email address for the user account.
      Note

      If the Primary email address required check box is selected on the Domain settings page, then you must provide an email address in the Email field to create the user account.

      If you cleared the Primary email address required check box, then you can create the account without entering an email address in the Email field.

  7. To assign the user to a group, select the check box for each group that you want to assign to the user account.
  8. Click Create.
Viewing and Editing User Details
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Click the user account that you want to modify.
  4. Click Edit user.
  5. Modify an attribute value for the user account by:
    1. Entering a value in the attribute field (for example, the City field).
    2. Turning on or off a switch (for example, the Federated switch).
    3. Selecting a value from the list (for example, a Microsoft Active Directory (AD) domain from the Authenticated by list).
      Note

      You can't edit attribute values for your user account. To do this, access the My Profile page of the Console.
  6. After editing attribute values for the user account, click Save changes.
Assigning Applications to Users

After viewing details about a user account, you can modify the account by assigning applications to it.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Click the user account that you want to modify.
  4. Click Applications.
  5. Click Assign applications.
  6. In the Assign applications window, click the Actions menu and select Assign for each application that you want to assign to the user account.
  7. If you're assigning a managed application to the user account, then an Assign Application window appears, containing a form for the application. To populate this form:
    1. Enter the required values for the form.
    2. If the form contains multi-valued attributes, then an Add button appears to the right of each attribute. Click Add, and then in the Allowed Values window, select the values for the attribute, and click OK.
      Tip

      To remove an existing value from the attribute, click the X button to the right of the value.
    3. Click Save.
    Note

    The Active icon for each application in the Access tab represents the active status of the user account and not the application status. The status remains active as long as the user account is active, regardless of whether the application is active or inactive.

  8. Click Finish.
    Note

    If you assigned a managed application to the user account, then you can modify the values of the application form. To do this, click the Action menu, select Edit, change the appropriate values, and then click Save.

    Also, if you have enabled and configured synchronization for an App Catalog app, and assigned the app to a user account, then you can activate or deactivate the user's account with the app. To do so:

    1. Click the Action menu to the right of the App Catalog app that you assigned to the user.

    2. Click Activate or Deactivate.

    3. In the Confirmation window, click OK.

Removing Applications from Users
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Click the user that you want to modify.
  4. Click Applications.
  5. Select the check box for each application that you want to remove from the user.
  6. Click Remove application.
  7. Click Remove application to confirm.
Editing a User's Capabilities
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Click a user to see the user details.
  4. Click Edit user capabilities.
  5. Select or clear the check box to add or remove a capability.
  6. Click Save changes.
Assigning Users to Roles

By default, all users can perform self-service capabilities such as updating their profiles, resetting their passwords, and changing their email preferences. You might want to provide a user account with administrative capabilities. For example, you might want a user to manage applications. So, you would assign the user account to the application administrator role.

A user account can be assigned to more than one administrator role. The user account inherits the privileges for each administrator role assigned to the account. If a user account is assigned to both the application administrator role and the user administrator role, then the user can manage applications, users, groups, and group memberships.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Security and then Administrators.
  3. Expand the node for the administrator role for which you want to add or remove a user account, and then perform one of the following:
    • To add a user account to an administrator role, click Add user, select the check box for each user account that you want to add, and then click Add users.

      If you're adding users to the user manager role, then after selecting the check box for each user that you're adding to this role, you must also select one of the following options:
      • Manage all users: These users can manage all users in the IAM identity domain.
      • Manage selected groups of users: These users can manage only those users who belong to the groups that you select. After selecting this option, enter or select the groups to be managed by these users.

      After making this selection, click Add users. If you want to modify either the users who are assigned to the user manager role or the groups that these users can manage, click the Actions menu, and select Edit from the menu that appears.

    • To remove a user account from an administrator role, select the user account that you want to remove, click Remove, and then in the Confirmation window, click Remove user.
Adding Users to Groups
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Select the user that you want to modify.
  4. Click Groups.
  5. Click Assign user to groups. To search for groups to assign to the user account, in the search field, enter all or part of the beginning of the group names or descriptions that you want to locate.
  6. In the Assign user to groups window, select the check box for each group that you want to assign to the user account.
  7. Click Assign user.
Removing Users from Groups
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Click the user account that you want to modify.
  4. Click Groups.
  5. Select the check box for each group that you want to remove from the user account.
  6. Click Remove user from group.
  7. In the Remove group window, click Remove group.
Resetting User Passwords

You can reset the password for a user account. When you request a password change, a notification is sent to the user so that the user can provide a new password for the account.

You can reset a password for a single account, for multiple accounts, or for all accounts in the identity domain.

You can't reset the passwords of deactivated user accounts. To activate all deactivated user accounts first, search for accounts with a status of Inactive, select the Select All check box, and then activate them as described in Deactivating and Reactivating User Accounts.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Select the check box for each user account for which you want to reset the password.
    Tip

    To reset the passwords for all user accounts, do not select any check boxes, and go to Step 4.
  4. Click More actions, and then perform one of the following choices.
    • If you selected either a single or multiple user accounts:
      1. Select Reset password.

      2. In the Reset password window, click Reset password.

    • If you didn’t select any user accounts (because you want to reset the passwords for all accounts):
      1. Select Reset all passwords.

      2. In the Reset all passwords window, click Reset all passwords.

Unlocking Users

After a number of consecutive unsuccessful sign-in attempts, a user account is locked. The user receives a notification that contains a link that the user can click to reset their password and unlock their account. An administrator can unlock accounts without requiring a password reset.

If a user's account is locked, and neither the user nor an administrator unlocks the account, then IAM unlocks it automatically after a configured time period. An administrator can set this period to any value between 5 minutes and 24 hours.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Click the user account that you want to unlock.
    Tip

    To display all user accounts that are locked, click the search field and select the Locked status.
  4. Click More actions, and select Unlock User.
  5. In the Confirmation window, click OK.
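The lockout behaviour described in this section, as a constructed Python model added here (not Oracle's code, and not tied to any IAM API): consecutive failures lock the account, an administrator can unlock it without a password reset, the user can unlock it through the reset link, and otherwise it unlocks automatically after a configured period that must fall between 5 minutes and 24 hours. The failure threshold and the use of epoch seconds are assumptions.

```python
"""Constructed lockout model (added here; not Oracle's code). Times are epoch seconds."""

MIN_AUTO_UNLOCK_MINUTES, MAX_AUTO_UNLOCK_MINUTES = 5, 24 * 60


class LockoutPolicy:
    def __init__(self, max_failures, auto_unlock_minutes):
        # The page states the administrator-configurable range: 5 minutes to 24 hours.
        if not MIN_AUTO_UNLOCK_MINUTES <= auto_unlock_minutes <= MAX_AUTO_UNLOCK_MINUTES:
            raise ValueError("auto-unlock period must be between 5 minutes and 24 hours")
        self.max_failures = max_failures          # threshold is an assumption
        self.auto_unlock_seconds = auto_unlock_minutes * 60


class Account:
    def __init__(self, policy):
        self.policy = policy
        self.failures = 0         # consecutive unsuccessful attempts
        self.locked_at = None     # time of the lock, None while unlocked
        self.last_unlock = None   # "auto", "admin" or "user-reset"

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if now - self.locked_at >= self.policy.auto_unlock_seconds:
            self._unlock("auto")  # the configured period has elapsed
            return False
        return True

    def sign_in(self, password_ok, now):
        """Return 'ok', 'denied' or 'locked'; a correct password is refused while locked."""
        if self.is_locked(now):
            return "locked"
        if password_ok:
            self.failures = 0     # a success ends the consecutive run
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.max_failures:
            self.locked_at = now
            return "locked"
        return "denied"

    def admin_unlock(self):
        self._unlock("admin")        # no password reset required

    def user_reset_password(self):
        self._unlock("user-reset")   # reset link from the lockout notification

    def _unlock(self, how):
        self.locked_at, self.failures, self.last_unlock = None, 0, how
```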
Deactivating and Reactivating User Accounts

Deactivating a user account temporarily disables the access rights that the user account has.

Deactivated users are not able to sign in until you reactivate the user account. Group memberships and application roles remain intact and are available after the user account is reactivated.
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Select the check box for each activated user account that you want to deactivate.
  4. Click More actions.
  5. Click Deactivate.
  6. In the Confirm deactivation window, click Deactivate.
  7. To reactivate an account, select the check box for each deactivated user account that you want to activate, then click More actions and click Activate.
Resetting Authentication Factors for User Accounts

Reset all verification factors for a user enrolled in Multi-Factor Authentication (MFA) if the user's device can't be used to provide a second factor for authentication.

Resetting all verification factors removes every factor in which the user is enrolled. The next time the user signs in, the user is prompted to enroll in 2-Step Verification and account recovery.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Click the user account for which you want to reset authentication factors.
  4. Click Reset factors.
  5. In the Reset factors window, click Reset factors.
Generating Bypass Codes for Users

You can increase security for user accounts by using the Multi-Factor Authentication (MFA) capabilities provided by IAM. MFA adds an extra layer of identity verification to the sign-on process by requiring the user to provide a second verification method, such as a one-time passcode (OTP) generated on the device associated with the user's account, a push notification, a short message service (SMS) text message, or security questions.

The ability to generate a bypass code is available to the user after the user enrolls in 2-Step Verification. The user can generate a bypass code and store it for later use or request that an administrator generate a bypass code for the user. For example, when a user has forgotten their phone, doesn’t have cell service, or can’t access their computer, at the 2-Step Verification page, the user can contact the help desk to have an administrator generate a bypass code.

As a result, the user can use this bypass code as a one-time 2-Step Verification method to sign in.

In addition, the administrator can set when the bypass code expires, and how often the bypass code can be used for the user account.

Note

The user must already be enrolled in MFA to use a bypass code or request that one is generated for the user.
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Click the user for which you want to generate a bypass code.
  4. Click More Actions and then select Generate bypass code.
  5. In the Bypass Code expires after region of the Generate Bypass Code window, set when the bypass code expires.
    1. Set the time (in days, hours, and minutes) that the bypass code will expire. After this time elapses, the user can't use the bypass code.
    2. If you don't want the bypass code to expire, then click Never Expires.
  6. In the Bypass Code can be used region of the Generate Bypass Code window, specify how often the bypass code can be used.
    1. If the bypass code can be used only one time, then click Once.
    2. If the bypass code can be used for a finite number of times, then click the button to the left of the text box. Enter a number in the text box that represents how many times the bypass code can be used.
    3. If the bypass code can be used for an unlimited number of times, then click Unlimited.
  7. Click OK.
  8. In the Bypass Code window, click Email. A notification is sent to the user. This notification contains the bypass code that the user uses as a one-time 2-Step Verification method to sign in.
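The bypass-code rules of this section, as a constructed Python model added here (not Oracle's code): a code can only be generated for a user already enrolled in MFA, it either expires after a set time or never expires, it can be used once, a finite number of times, or an unlimited number of times, and each successful use as the second factor consumes one use. The code format, the epoch-second clock and the function names are assumptions.

```python
"""Constructed bypass-code model (added here; not Oracle's code)."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class BypassCode:
    value: str
    expires_at: Optional[float]   # epoch seconds; None means "Never Expires"
    uses_left: Optional[int]      # 1 = Once, N = finite count, None = Unlimited


def generate_bypass_code(mfa_enrolled, now, ttl_seconds=None, uses=1):
    """Administrator action. ttl_seconds=None never expires; uses=None is unlimited."""
    if not mfa_enrolled:
        raise PermissionError("user must be enrolled in MFA before a bypass code is generated")
    if uses is not None and uses < 1:
        raise ValueError("use count must be at least 1")
    if ttl_seconds is not None and ttl_seconds <= 0:
        raise ValueError("expiry must be in the future")
    expires_at = None if ttl_seconds is None else now + ttl_seconds
    # Format is an assumption; what matters is a random, unguessable value.
    return BypassCode(secrets.token_hex(4).upper(), expires_at, uses)


def redeem_bypass_code(code, presented, now):
    """Second-factor check at sign-in: True and one use consumed on success."""
    if not secrets.compare_digest(code.value, presented):
        return False                      # constant-time comparison
    if code.expires_at is not None and now >= code.expires_at:
        return False                      # expired codes are refused
    if code.uses_left is not None:
        if code.uses_left <= 0:
            return False                  # use count exhausted
        code.uses_left -= 1
    return True
```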
Resending Invitations to Users to Activate their Accounts

After a user account is created, a Welcome invitation is sent to the user, requesting that the user activate the account. The new user account must be activated before it can be used.

If the user account isn't activated after a designated amount of time, then the identity domain administrator can send another invitation to the user to activate the account.
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Select the check box for each user account to which you want to send an invitation.
    Tip

    To send invitations to all user accounts, select the Select All check box.
  4. Click More actions, and then select Resend invitation.
  5. In the Confirmation window, click Send invitation.
Removing User Accounts

You can remove user accounts that no longer need access to the service. You can remove either a single user account or multiple accounts.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Select the check box for each user account that you want to remove.
  4. Click More actions, and then click Delete.
  5. In the Delete user window, click Delete user.
Note

If you remove (delete) a user, the audit data of the user remains in the system.