Manage Administrative Console Settings

As an AG_Administrator, you can customize console settings from the Service Administration > Settings tab. Currently, it provides controls to restrict or allow non-administrator users to export identity, account and enterprise-wide data to CSV from the Oracle Access Governance Console.

CSV Data Export Settings

As an AG_Administrator, you can allow non-administrator users to export data to CSV files. By default, non-administrator users aren't allowed to export identity, account and enterprise-wide data to CSV files.

Overview: CSV Data Export Settings

When CSV download is OFF, you cannot export CSV from:
When CSV export is ON, the following roles can export CSVs:
  • Service Desk Administrator (AG_ServiceDesk_Admin)
  • Enterprise-wide Access Administrator (AG_Enterprise_Wide_Access_Admin)
  • Auditor (AG_Auditor)

Enable CSV Data Export Settings for Non-Administrator Users

To enable the users to export identity, account and enterprise-wide data to CSV:
  1. Sign in to the Oracle Access Governance Console with the appropriate application role. See Predefined Application Roles Reference.
  2. From the Navigation Menu icon, select Service Administration, and then Settings. The Settings page opens, where you can customize settings.
  3. On the CSV data export tab, select Edit.
  4. Turn on the option to allow non-administrator users to export identity, account and enterprise-wide data to CSV.
  5. Click Save. On the CSV data export tab, the value is displayed as On.

Configure Password Policy

As an AG_Administrator, you can specify rules for password complexity, such as minimum and maximum length and required character types, and set mandatory password rotation intervals.

Oracle Access Governance users may request or set passwords that are valid for up to 7 days. After this period, access is revoked automatically, and a new password must be requested.

Configure Password Policy for Accounts Managed by Oracle Access Governance

To configure password policy:
  1. Sign in to the Oracle Access Governance Console with the appropriate application role. See Predefined Application Roles Reference.
  2. From the Navigation Menu icon, select Service Administration, and then Settings. The Settings page opens, where you can customize settings.
  3. On the Password policy tab, select Edit.
  4. Configure the fields as per your organization policies.
  5. Click Save.

Global Account Terminations Settings

As an AG_Administrator, you can configure global account termination settings for all orchestrated systems. You can also define override rules based on identity attribute values to exclude specific users from account termination.

When global account termination settings are enabled, application administrators (AG_AppOwner_Admin) cannot manage account termination settings at the orchestrated system level.

To enable global account termination settings for all orchestrated systems:
  1. Sign in to the Oracle Access Governance Console.
  2. From the Navigation Menu icon, select Service Administration, and then Settings. The Settings page opens, where you can customize settings.
  3. Select Account Terminations.
  4. For Account terminations, select Edit.
  5. Enable the "Do you want administrators to manage the termination settings?" option to configure account termination settings.

Configure Termination Settings
  1. Select what to do with accounts when early termination begins: Choose the action to perform when an early termination begins. This happens when you need to revoke identity access before the official termination date.
    • Delete: Deletes all accounts and permissions managed by Oracle Access Governance.

      Note:

      If a specific orchestrated system doesn't support the action, then no action is taken.
    • Disable: Disables all accounts and disables permissions managed by Oracle Access Governance.
      • Delete the permissions for disabled accounts: To ensure zero residual access, select this to delete directly assigned permissions and policy-granted permissions during account disablement.
    • No action: No action is taken when an identity is flagged for early termination by Oracle Access Governance.
  2. Select what to do with accounts on the termination date: Choose the action to perform during official termination. This happens when you need to revoke identity access on the official termination date.
    • Delete: Deletes all accounts and permissions managed by Oracle Access Governance.

      Note:

      If a specific orchestrated system doesn't support the Delete action, then no action is taken.
    • Disable: Disables all accounts and disables permissions managed by Oracle Access Governance.
      • Delete the permissions for disabled accounts: To ensure zero residual access, select this to delete directly assigned permissions and policy-granted permissions during account disablement.

      Note:

      If a specific orchestrated system doesn't support the Disable action, then the account is deleted.
    • No action: No action is taken on accounts and permissions by Oracle Access Governance.

Setting Override Rules for Account Termination

Overrides allow you to exclude specific orchestrated systems from global account termination settings. Use overrides to control how accounts are de-provisioned when termination starts and when termination ends.

Use override rules when certain users with specific identity attributes, such as job types or locations, should be excluded. For example, users in particular locations or roles can retain their accounts or permissions (with No Action) on specific systems, even when global identity termination rules are triggered.

Each override includes:

  • Orchestrated systems: One or more systems the override applies to.
  • Identity attribute values: One or more values. If omitted, the override applies to all values.
  • Termination-start configuration: How to handle accounts when termination starts.
  • Termination-end configuration: How to handle accounts when termination ends.

When termination starts or ends for an identity, the system evaluates overrides to determine account de-provisioning. If an override exists that matches both the identity attribute value and the orchestrated system, the system uses that override’s configuration.

To add override rules for one or more orchestrated systems:

Add Override Rules
  1. On the Account terminations page, go to the Overrides section.
  2. In the Override attribute list, select the identity attribute that you want to use to apply override rules.
  3. Select + Add override.
  4. In the Name field, enter the override name.
  5. Select one or more orchestrated systems that you want to exclude.
  6. (Optional) In the list, select Identity attribute values to apply override rules for specific values.
  7. Choose the action to perform when an early termination begins. This happens when you need to revoke identity access before the official termination date.
  8. Choose the action to perform during official termination. This happens when you need to revoke identity access on the official termination date.

    Note:

    If the Disable operation is not supported by the orchestrated system, then accounts are deleted. If the Delete operation is not supported by the orchestrated system, then no action is taken.

Avoiding Duplicate Rules for Overrides

  • If a new override would create a scope that already exists (same attribute value + same system), it is rejected.
  • You can add new specific rules in addition to wildcard rules (rules that allow all values for an identity attribute).
    For example, you can have <Orchestrated-System,Specific> on top of <Orchestrated-System,Any>.
  • If you create a single override involving multiple orchestrated systems, Oracle Access Governance divides the rule into separate entries based on {OS + Identity Attribute value}. If any one of these entries already exists, the entire override rule will be rejected, and none of the changes will be saved.
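
The override evaluation and duplicate-scope rules described above, modeled as an added Python example for reviewing a planned configuration; it is not Oracle Access Governance code. The class, method and system names are hypothetical, and it assumes that a specific-value entry takes precedence over an any-value entry, that global settings apply when no override matches, and that the two unsupported-action fallbacks chain in both phases.

```python
from dataclasses import dataclass

ANY = "*"  # any-value scope: the override lists no identity attribute values

@dataclass(frozen=True)
class Actions:
    on_start: str  # "delete", "disable" or "none" when early termination begins
    on_end: str    # same choices on the official termination date

class TerminationPolicy:
    def __init__(self, global_actions):
        self.global_actions = global_actions
        self.entries = {}  # (orchestrated system, attribute value or ANY) -> Actions

    def add_override(self, systems, values, actions):
        """Split into one entry per (system, value); reject the whole rule on any clash."""
        scopes = [(s, v) for s in systems for v in (values or [ANY])]
        clashes = [sc for sc in scopes if sc in self.entries]
        if clashes:
            raise ValueError(f"duplicate scope(s), nothing saved: {clashes}")
        self.entries.update({sc: actions for sc in scopes})

    def resolve(self, system, value, phase, supported):
        """Return the action carried out on one system for one identity."""
        # Assumption: specific value beats any-value, which beats global settings.
        acts = (self.entries.get((system, value))
                or self.entries.get((system, ANY))
                or self.global_actions)
        wanted = acts.on_start if phase == "start" else acts.on_end
        # Fallbacks from the notes: Disable unsupported -> account deleted,
        # Delete unsupported -> no action. Chaining the two is an assumption.
        if wanted == "disable" and "disable" not in supported:
            wanted = "delete"
        if wanted == "delete" and "delete" not in supported:
            wanted = "none"
        return wanted

if __name__ == "__main__":
    # Constructed sample: systems "ldap", "badge", "crm"; override attribute = location.
    policy = TerminationPolicy(Actions(on_start="disable", on_end="delete"))
    policy.add_override(["ldap", "badge"], None, Actions("none", "disable"))
    policy.add_override(["ldap"], ["Berlin"], Actions("none", "none"))
    try:
        policy.add_override(["ldap", "crm"], ["Berlin"], Actions("delete", "delete"))
    except ValueError as err:
        print("rejected:", err)
    print(policy.resolve("ldap", "Paris", "end", {"delete"}))
```

Resolving every identity attribute value against every orchestrated system before saving overrides shows which accounts would be left untouched by a No action result, including ones reached only through a fallback.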