View Details About User Accounts

With the Users page, you can see profile information for a user account, any groups or apps to which the account is assigned, and risk data collected for the account.

  1. In the Identity Cloud Service console, expand the Navigation Drawer, and then click Users.
  2. Click the user account about which you want to view additional information.
    To search for users, in the search field, enter all or the first part of the user name, first name, or last name that you want to locate, and then press Enter. To fine-tune your search, click the search field again, and then select a status (Active, Inactive, or Locked).
  3. Click Details to see additional profile information that you can edit, such as:
    | Profile Information | Description |
    | --- | --- |
    | The user's primary email address | The email address to which Oracle Identity Cloud Service will send notifications. See Understanding the Types of Notifications. |
    | The user's password recovery email address | If the user forgets their password, then Oracle Identity Cloud Service will send notifications to this email address. |
    | Whether the user account is a federated single sign-on (SSO) account | With a federated account, a user can interact with Oracle Identity Cloud Service through an identity provider, using a website that's external to Oracle Identity Cloud Service. See Adding an Identity Provider. |
    | The user's country, time zone, and preferred language | If these attribute values for the user are different from attribute values that you set for the identity domain, then you can modify them. See Set Up or Modify Your Profile. |
    | The custom and enterprise attributes assigned to a user | If you can't find an attribute that you need from the base Oracle Identity Cloud Service schema attributes, you can add your own custom attributes. See Add a Custom Schema Attribute. |
  4. Click Groups to see a list of any groups assigned to the user account.
    You can assign groups to the user account or remove groups from the user account.
  5. Click Access to see a list of any applications assigned to the user account.
    You can assign applications to the user account or remove applications from the user account.

    The Active icon for each application on the Access tab represents the active status of the user account and not the application status. The status remains active as long as the user account is active, regardless of whether the application is active or inactive.
  6. Click Security to see risk data collected for the user, including whether the user is enrolled in Multi-Factor Authentication (MFA).

    If you don't see the Security tab, then activate Adaptive Security or at least one risk provider. See Activate Adaptive Security and Activate a Risk Provider. To understand the panes of the Security tab, you must be familiar with risk ranges, risk providers, and the risk scores associated with user accounts. See Understand Risk Providers.
  7. In the User Risk Scores pane, click the default risk provider to view the risk incidents and details associated with this risk provider for the user account.

    If you don’t see the default risk provider, then activate it. See Activate a Risk Provider.

    Two panes appear below the default risk provider: Risk Incidents and Details.

    • The Risk Incidents pane displays a graph that illustrates user-threat risk scores and risk scores after remediation for a selected time interval. The risk scores are displayed as per the risk score ranges.

    • The Details pane displays incidents associated with actions that a user is performing in Oracle Identity Cloud Service.

      There are three incidents (or events) that Oracle Identity Cloud Service uses to lower the risk score of the user:

      • Time-based risk-score re-evaluation: The user's risk score has been lowered because Oracle Identity Cloud Service detected that the user hasn't committed risky activity over a period of time. The score is reduced periodically as long as there are no threat events.

      • Successful user password reset: The user reset their Oracle Identity Cloud Service password.

      • Successful user login: The user signed in to Oracle Identity Cloud Service.

      If the default risk provider is deactivated, then the user’s risk score won’t be lowered.

      Expand the Access from suspicious IP addresses event and click the Information icon to the right of the IP address to see why the integrated IP reputation provider blacklisted it. Reasons include:

      • Spam Sources: The IP address is tunnelling spam messages through a proxy, or is involved in anomalous SMTP activities or forum spam activities.

      • Windows Exploits: The IP address is offering or distributing malware, shell code, rootkits, worms, or viruses.

      • Web Attacks: The IP address is involved in attacks such as cross-site scripting, iFrame injection, SQL injection, cross-domain injection, or domain password brute force.

      • Botnets: The IP address is seen in botnet C&C channels or belongs to an infected zombie machine controlled by the bot master.

      • Scanners: The IP address is seen in reconnaissance such as probes, host scans, domain scans, and password brute force.

      • Denial of Service: The IP address is noticed in DoS, DDoS, anomalous SYN flood, and anomalous traffic detection.

      • Phishing: The IP address is hosting phishing sites and other kinds of fraud activities such as Ad Click Fraud or Gaming Fraud.

      • Proxy: The IP address is providing proxy and anonymization services. This also includes TOR anonymizer IP addresses.

      • Mobile Threats: The IP address is associated with malicious and unwanted mobile applications.

      • Package: This IP address is associated with information about all other reasons.

      • TOR Proxy: The IP address acts as an exit node for the TOR Network. The exit node is at the last point along the proxy chain and makes a direct connection to the originator’s intended destination.

      • Reputation: This IP address is associated with other IP addresses (for example, through common ownership, having the same subnet, and so on). This IP address is classified as high risk because of documented threat activity.

      If the default risk provider is deactivated, then the user’s risk score won’t be increased.
  8. In the Risk Incidents pane, filter the data that appears in this graph by completing one of the following options:
    1. To view risk score ranges that represent user-threat risk scores and risk scores after remediation for the current day, week, or month, or since the user signed in to Oracle Identity Cloud Service for the first time, from the drop-down menu, select 1 Day, 1 Week, 1 Month, or All.
    2. To specify a custom date-and-time range to view risk-related user activity for the user account, click the left Calendar icon to specify the start date and time, and the right Calendar icon to set the end date and time.
  9. In the Details pane, click an incident (either a threat or an event) to learn more about it.