Manage Identities

Administrators can manage two types of identity population within the Oracle Access Governance service. The Manage Identities feature allows administrators to activate/inactivate identities within the service, and flag identities as either Workforce or Consumer users.

Active/Inactive Identities

  • Active identities: Identities flagged as active within the Oracle Access Governance service, which enables the following features:
    • Access to the Oracle Access Governance console, allowing identities to utilize features including My Access, My Access Reviews, My Preferences and so on.
    • Allows the identity's access to be governed in Oracle Access Governance.
    • Allows identities to be included in access review campaigns.
    • Active identities are considered for billing purposes.
  • Inactive identities: Identities flagged as inactive within the Oracle Access Governance service.
    • Inactive identities have no access to the Oracle Access Governance console.
    • Access for inactive identities is not governed in Oracle Access Governance.
    • Inactive identities are not included in access review campaigns.
    • Inactive identities are not considered for billing.

Note:

The default status of identities present in Oracle Access Governance is NULL. In order for identities to use the service functionality, and be considered for billing, you must activate all users for which this is required, using the steps detailed in this article.

Identities imported from Oracle Identity Governance have a status of Disabled or Enabled. This is different from the Oracle Access Governance status Active/Inactive. You should consider the following conditions when dealing with identities imported from Oracle Identity Governance:

  • A Disabled identity can be marked as an Active identity in Access Governance to review its access privileges.
  • An Oracle Access Governance Administrator may set rules, based on the attributes of disabled identities, to mark those disabled identities as Active in Oracle Access Governance.
  • Oracle Access Governance will include only those Disabled identities for billing that are marked as Active.

Consumer/Workforce Users

A user can be either a Workforce user or a Consumer. The main difference is that a Consumer user has no access to the Oracle Access Governance service. By default, users are Workforce users. The specific differences between the two types are given in the table below:

Table - Workforce and Consumer Users

| Capabilities | Workforce User | Consumer User |
|---|---|---|
| Access the Oracle Access Governance service: by console or programmatically. | YES | NO |
| Perform configurations and integrations, such as orchestrated systems, identity marking, identity attributes. | YES | NO |
| Manage access control objects (Role, Access Bundle, Identity Collection, Policy). | YES | NO |
| Manage access review campaigns (event-based, periodic, one-time). | YES | NO |
| Generate reports for access reviews and approvals. | YES | NO |
| View access privileges assigned to self or others. | YES | NO |
| Raise access request for self and/or others. | YES | NO |
| Perform access approval tasks. | YES | NO |
| Access privileges are managed by others. | YES | YES |
| Assigned access privileges are assigned by others. | YES | YES |

Navigate to Manage Identities

Here's how you can access the Manage Identities page:

  1. Log in to the Oracle Access Governance Console as a user with the Administrator application role.
  2. Click the navigation menu icon in the top left corner to display the navigation menu.
  3. Select Service Administration → Manage Identities to begin defining your identity rules.

The Manage Identities page is displayed, where you have to define which identities you want to activate.

Select Identities for Activation

In the Manage Identities page, an Administrator defines the identities that you want to include in the Oracle Access Governance service.

You can identify identities to include in your service by selecting criteria based on conditional statements. Either at least one (Any) or all (All) the set conditions must be satisfied. The list of available attributes is determined by the ingested data from the Managed System, and may include custom attributes.

You can select identities based on Membership rule and/or Named identities. Identities satisfying the set criteria for the Membership rule will automatically be included in your service. Using Named identities, you can directly add specific identities based on their full name.

You can also exclude specific members from your service by selecting Manage exclusions and entering the identities you want to exclude.

  1. Select Any if any one of the set conditions should be satisfied, or select All if all the set conditions must be satisfied for that identity.
  2. Select the attribute name from the list.

    Note:

    Based on the Managed System, you can select both core and/or custom attributes. To enable custom attributes, see Manage Identity Attributes.
  3. Select the conditional operator. Based on the data type of the attribute selected, the usage of these operators will vary.
  4. Type the attribute value.
  5. Continue to add the conditional statements or rules for more attributes.

    By default all the identities matching the criteria will be included. Click the Manage Exclusions button next to Excluding # identity from the attribute conditions and then select the identities that you want to exclude from your service.

  6. Once you have defined your rules, select Preview summary based on the rule above to go to the Preview Summary popup. This will display the following information, for the top 10 in each category:
    • Total number of matches based on the rules you have entered.
    • Total number of identities in the service.
    • Breakdown of the distribution of included identities based on:
      • Organization
      • Job code
      • Location
      • Employee type
  7. If you are satisfied with your preview, click Save.

Note:

Existing customers with identities loaded from Oracle Identity Governance must activate the identities they require. Otherwise, they will not be able to see the loaded identities in the system, because all identities are excluded by default. Customers in this situation can either activate users, as described above, or set the following rule, which will activate all identities they previously loaded from Oracle Identity Governance:

    status equals Active

Select Consumer Users

In the Manage Identities page, an Administrator defines the identities that you want to be flagged as consumer users in the Oracle Access Governance service.

You can identify identities to include as consumers in your service by selecting criteria based on conditional statements. Either at least one (Any) or all (All) the set conditions must be satisfied. The list of available attributes is determined by the ingested data from the Managed System, and may include custom attributes.

You can select identities based on Membership rule and/or Named identities. Identities satisfying the set criteria for the Membership rule will automatically be included as consumers in your service. Using Named identities, you can directly add specific identities based on their full name.

You can also exclude specific members from your service by selecting Manage exclusions and entering the identities you want to exclude.

  1. Select Any if any one of the set conditions should be satisfied, or select All if all the set conditions must be satisfied for that identity.
  2. Select the attribute name from the list.

    Note:

    Based on the Managed System, you can select both core and/or custom attributes. To enable custom attributes, see Manage Identity Attributes.
  3. Select the conditional operator. Based on the data type of the attribute selected, the usage of these operators will vary.
  4. Type the attribute value.
  5. Continue to add the conditional statements or rules for more attributes.

    By default all the identities matching the criteria will be included. Click the Manage Exclusions button next to Excluding # identity from the attribute conditions and then select the identities that you want to exclude from your service.

  6. Once you have defined your rules, select Preview summary based on the rule above to go to the Preview Summary popup. This will display the following information, for the top 10 in each category:
    • Total number of matches based on the rules you have entered.
  7. If you are satisfied with your preview, click Save.
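
The rule builder used in both Select Identities for Activation and Select Consumer Users (Any/All conditions, named identities, exclusions, Preview Summary), modeled locally for the activation case so a rule can be checked against an exported identity list before it is saved. This is an added example, not Oracle's code or API; the record layout, attribute names such as oigStatus, the contains operator, and the choice that exclusions prune only membership-rule matches are assumptions.

```python
from collections import Counter

# Constructed sample export; attribute names are assumptions, not Oracle's schema.
IDENTITIES = [
    {"id": "u1", "name": "Ana Ruiz", "status": "Active", "oigStatus": "Enabled",
     "organization": "Finance", "employeeType": "Employee"},
    {"id": "u2", "name": "Ben Cho", "status": None, "oigStatus": "Disabled",
     "organization": "Finance", "employeeType": "Contractor"},
    {"id": "u3", "name": "Cy Dale", "status": None, "oigStatus": "Enabled",
     "organization": "Sales", "employeeType": "Employee"},
    {"id": "u4", "name": "Di Evans", "status": None, "oigStatus": "Enabled",
     "organization": "Finance", "employeeType": "Employee"},
]

OPERATORS = {
    "equals": lambda actual, want: actual == want,
    # Assumed operator; the page only says operators vary by attribute data type.
    "contains": lambda actual, want: actual is not None and want in actual,
}

def matches(identity, conditions, mode):
    """Evaluate (attribute, operator, value) conditions under 'Any' or 'All'."""
    hits = [OPERATORS[op](identity.get(attr), value) for attr, op, value in conditions]
    return bool(hits) and (any(hits) if mode == "Any" else all(hits))

def preview(identities, conditions, mode, named=(), excluded=()):
    """Return the would-be active set and a summary modeled on the Preview Summary."""
    by_rule = {i["id"] for i in identities if matches(i, conditions, mode)}
    # Assumption: exclusions prune rule matches; named identities are added directly.
    active = (by_rule - set(excluded)) | {i["id"] for i in identities if i["name"] in named}
    chosen = [i for i in identities if i["id"] in active]
    return {
        "active": active,
        "total_matches": len(active),
        "total_identities": len(identities),
        "by_organization": Counter(i["organization"] for i in chosen).most_common(10),
        "by_employee_type": Counter(i["employeeType"] for i in chosen).most_common(10),
        # Disabled in Oracle Identity Governance but about to be Active (and billed).
        "disabled_but_active": sorted(i["id"] for i in chosen if i["oigStatus"] == "Disabled"),
    }

if __name__ == "__main__":
    rule = [("organization", "equals", "Finance"), ("employeeType", "equals", "Employee")]
    print(preview(IDENTITIES, rule, "All", named=["Ben Cho"], excluded=["u4"]))
```

The disabled_but_active list is the one to review before saving: those identities would be governed and counted for billing even though the source system has them disabled.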

Create and Manage Organizations

As an Administrator, you can now structure identities and form relationships between identities by creating and managing Organizations in the Oracle Access Governance Console.

You can use Organizations to perform various operations within the Oracle Access Governance Console. For example, you can use it as an attribute (Organization) to create an Identity Collection, which can then be used for identity reviews, assigning access privileges, or for provisioning operations.

Note:

This Organization concept is native to Oracle Access Governance and is different from the source organization, which is loaded from an orchestrated system. It will be available in the core attribute list as agOrganization (where the orchestrated system is Internal) with the Manage Identities flag set to true. See View and Configure Custom Identity Attributes. If this flag is set to true, you can use this Organization to create or manage an Identity Collection within Oracle Access Governance.

In the Oracle Access Governance Console, click the Navigation menu icon, and select Service Administration, then Manage Identities, and then Organizations. The Organizations page is displayed, where you can view and manage existing organizations, or create new ones.

Create Organization

To create a new organization, click the Create an organization button. The Add Details task is displayed. In the Add Details task, you can enter specifics about your organization. Here, you can give a meaningful name and add its supporting description.

  1. Enter a name for your organization in the What do you want to call this organization? field.
  2. Add a description for your organization in the How would you describe this organization? field.
  3. Select one or more identities from the Who else can manage this organization list. The owner along with the listed identities can manage this organization.
  4. Add one or more tags to identify or search your organization.
  5. Once you have set your preferences, select Next to go to the Select Identities step.

In the Select Identities task, add the identities that you want to be part of your organization.

You can select identities based on Membership rule and/or Named identities. For Membership rule, the identities satisfying the set criteria will automatically be included in the organization. In Named identities, you can directly add identities based on their full name. All the available active identities (configured from the Licence Management page) will be displayed.

You can also exclude specific members from your organization by selecting Manage exclusions and entering the identities you want to exclude.

  1. Select Any if any one of the set conditions should be satisfied, or select All if all the set conditions must be satisfied for that identity.
  2. Select the attribute name from the list.

    Note:

    Based on the orchestrated system, you can select both core and/or custom attributes. To enable custom attributes, see View and Configure Custom Identity Attributes.
  3. Select the conditional operator. Based on the data type of the attribute selected, the usage of these operators will vary.
  4. Type the attribute value.
  5. Continue to add the conditional statements or rules for more attributes.

    By default all the identities matching the criteria will be included. Click the Manage Exclusions button next to Excluding # identity from the attribute conditions and then select the identities that you want to exclude from an organization.

  6. Once you have set your preferences, select Next to go to the Review and submit step.
  7. You can preview a graphical summary of how many identities are included in your organization by clicking the Preview the organization link. This link is available on the right side, towards the bottom of the Who is included panel.
  8. If you are satisfied with your organization preview, click Create.

Manage Organization

Oracle Access Governance Administrators can view and manage organizations from the Oracle Access Governance Console. You can view existing organizations and manage the ones that you created, or are authorized to manage, using the Oracle Access Governance Console. Use the Actions menu icon to edit, delete or view details of the organization.

Note:

Only organization owners and/or authorized users (selected while creating/modifying an identity collection) can edit or delete the organization.

You can perform the following:

  • Search and Filter available organizations: You can use the Search field to locate the required organization by its name. You can narrow down the results by applying the available filters.
  • Edit an organization: The Edit an organization page provides the same guided tasks as you see while creating a new identity collection. The owner of the organization and/or authorized users can modify its description, identity type, or added identities. After updating the details, on the Review and submit step, select Update to update the organization.
  • View organization details: The Organization page displays complete organization details, such as Organization owner, created and last modified dates, current members, as well as how the current members were included (through named identities or membership rule).
  • Delete an organization: You can delete the organization if you are the owner of the organization or you have been given the rights by the owner. If an identity collection is based on the deleted organization value, then those identities would no longer be members of that identity collection.