Advanced User and Access Management - Identity Cloud Service Admin Console
Use the Identity Cloud Service admin console to manage applications, perform user management, administer general and security settings, and view basic reports.
Managing Users
Users can be added and maintained via the Identity Cloud Service admin console. Access the Users portal from the Identity Cloud Service admin console dashboard or from the navigation bar.
To add a new user, click the +Add button and populate the required user details. On the next screen you can also immediately add the user to one or more groups.
In addition to add and remove, the following multi-record actions are available on the User page:
Resend Invitation
Reset Password
Activate/Deactivate User
Update User information and preferences (on individual User record)
Unlock User (on individual User record)
Resend Invitation to Service
The initial email invitation to access the service is sent to the user immediately upon user record creation. This invitation expires after a certain period of time.
Reset Password
Resets a single password, multiple passwords, or all passwords. Users receive a password reset email notification immediately.
Activate/Deactivate User
A user can be temporarily activated or deactivated. An email notification is sent to the user immediately.
If the deactivation lasts longer than the password rotation period, activation will cause a password reset.
Update User Information and Preferences
Updates details for individual users. In addition to the minimum required information provided during user creation, the following details can be updated:
Title
Time Zone and Address including Country
Preferred language
Alternative email and contact information
Unlock User
Unlocks a locked user account. The user's account may be locked for various reasons, for example after too many unsuccessful login attempts.
Select Unlock User from the More menu to unlock the locked account.
Managing Groups
Users and groups can be added and maintained using the Identity Cloud Service admin console.
Access the Groups portal from the Identity Cloud Service admin console dashboard or from the navigation bar.
Select one or more entries from the list.
In addition to add and remove, the following actions are available:
Import Groups
Export Groups
Managing Applications
The applications that represent the provisioned services are pre-created during service order processing. The Application Roles are also pre-configured.
The administrator is authorized to activate or deactivate certain applications, assign users to Application Roles, and import and export application role members.
Bulk Upload and Download
IDCS supports import and export of users, groups and application role memberships. Bulk identity data operations may be required for fast user onboarding or as part of a federated single sign-on setup.
The Import and Export actions are available on multiple Admin Console pages:
Users page:
Import all or a selected set of users
Export information for one or more users
Groups page:
Import all or a selected set of groups and their member users
Export one or more groups and their member users
Application > Application Roles page:
Import all or a selected set of application role memberships (users and groups)
Export one or more application role memberships (users and groups)
Importing
1. Navigate to the Users, Groups, or Applications (Application Roles tab) page as appropriate.
2. Click Import on the top actions bar.
3. Download the sample file.
4. Review the sample file. Note that you can provide different types of information:
Users
Groups
Application Roles Membership
5. Populate the file with the user data and save it.
6. Import the file into Identity Cloud Service.
Exporting
1. Navigate to the Users, Groups, or Applications (Application Roles tab) page as appropriate.
2. Select entries for the export.
3. Click Export on the top actions bar.
A notification email is sent as soon as the export job is completed and the file is available for download.
Updating Settings
Use the navigation bar to expand the Settings topic. The following settings can be modified:
Default Settings: Used to manage default time zone, language and audit setup
Session Settings: Used to manage session expiration
Password Policy: Used to amend the default password policy according to your requirements
Notifications: Used to modify the default email notification templates provided with Identity Cloud Service
Notification Update Example: Welcome Email
Email notification templates are provided for multiple identity management-related events. The default content of these notifications can be amended to reflect the customer's business requirements.
For example, there are two approaches to user account creation: using the email address as the user name, as opposed to using a manually defined user name. The former means the user knows what to specify on the login screen (their email address). The latter means the user name created manually by the security administrator has to be communicated to the user. To communicate the user name in the Welcome email, perform the following steps:
Select Notification on the left-side navigation bar
Click on the Email Templates tab
Expand the Welcome template:
In the email body the greeting line reads: Hello ${user.displayName}
Modify the greeting to include the user name (login) as follows:
Hello ${user.displayName} (${user.userName})
Note that other substitution variables are also available for use in the notifications. To explore the variables available to a specific template click the Email Variables link above the email body editor.
Updating Security Privileges
Use the side navigation panel to expand the Security topic. Use the Administrators link to add or remove administrative privileges for users.
Sign-On Policies for Online Access
IDCS supports the ability to restrict web-browser-based access to the applications based on a set of conditions, including the user's client IP address. Both IP "blocklist" and "allowlist" approaches are supported.
A blocklist defines a set of IP addresses that are blocked from access. This approach should be used when the "bad" IPs are well known and permanent, and the list is not expected to change very often.
An allowlist defines the set of IP addresses that are permitted to access the application while everybody else is denied access.
In addition to IP addresses, the following can be allowed or blocked:
Specific users
Groups
User's administrative role in IDCS
Users authenticated by specific external identity provider(s)
Note: Sign-On Policies are applied ONLY when a user attempts to authenticate to IDCS using a web browser. They are not applicable to requests submitted via REST/SOAP APIs.
Set up a Network Perimeter
A Network Perimeter represents a set of IP addresses, and can be defined as:
A list of one or more IP addresses
A range of IP addresses
One or more IP addresses in IPv4 CIDR notation, which encompass all IP addresses belonging to a subnet. You can also use the IPv4 CIDR notation to refer to the entire internet: 0.0.0.0/0.
Create Network Perimeters:
Use the side navigation panel to expand the Security topic
Locate Network Perimeters
Add one or more Network Perimeters that define "blocklist" and/or "allowlist" IP addresses
Set up Sign-On Policies
Sign-on policies define the set of rules used for granting access to the applications. The out-of-the-box default policy contains a single default rule that grants access to every authenticated user. You can either modify the default policy or create new ones.
A sign-on policy rule definition includes multiple optional conditions to filter the users and an action to allow or deny access:
By authenticating identity provider: denying/allowing access for users authenticated by a specific external identity provider in the case of federated SSO
By group membership: denying/allowing access for a specific set of groups
By being or not being an IDCS administrator
By being one of an explicit list of users
By the user's client IP address being in one or more of the Network Perimeters
The rules in the policy are evaluated top to bottom, and the first matching rule halts the evaluation: if the user satisfies a rule's conditions, that rule's action (allow or deny access) is applied and no further rules are considered.
Note: The default rule in the default policy cannot be deleted; therefore it has to be modified first.
Example:
Let's assume that the requirement is to:
Allow access from IP addresses on the company's intranet
In addition, allow certain administrators to connect from their personal home computers
Block anyone else
To configure this example:
Create two new Network Perimeters:
NP1-Company to represent the intranet: specify an entire subnet using CIDR notation, for example 10.10.0.1/24, which means all addresses in the 10.10.0 subnet
NP2-Admins: specify one or more IP addresses, comma-separated
Configure Default Sign-On Policy:
Modify Default Rule:
Set the rule’s "and the user's client IP address is" condition to "in one or more of these network perimeters" and specify NP1-Company
Set the rule's action to "Allowed"
Add new Rule:
Set the rule’s "And is an administrator" condition to "true"
Set the rule’s "and the user's client IP address is" condition to "in one or more of these network perimeters" and specify NP2-Admins
Set the rule's action to "Allowed"
Add new Rule
Set the rule’s "and the user's client IP address is" condition to "Anywhere"
Set the rule's action to "Denied"
Sample Sign-in Scenarios:
Scenario 1: An employee is trying to log in from an office computer that is connected to the intranet.
The first rule (the default rule) is evaluated first. The user's IP satisfies the condition by being in the NP1-Company perimeter. The rule's action ("Allowed") is applied and the user is allowed to sign in.
Scenario 2: The administrator is trying to log in with the admin user name from a personal computer whose IP is listed in the NP2-Admins perimeter.
The first rule (the default rule) is evaluated first. The user's IP does not satisfy the condition, because it is not in the NP1-Company perimeter.
The second rule is evaluated. The user satisfies both conditions: being an administrator and being in the NP2-Admins perimeter.
The rule's action ("Allowed") is applied and the user is allowed to sign in.
Scenario 3: An employee is trying to connect from a home computer.
The first rule (the default rule) is evaluated first. The user's IP does not satisfy the condition, because it is not in the NP1-Company perimeter.
The second rule is evaluated. The user satisfies neither condition: the user is not an administrator and the IP is not in the NP2-Admins perimeter.
The third rule is evaluated. The user's IP satisfies the "Anywhere" condition.
The rule's action ("Denied") is applied and the sign-in is blocked. The IDCS login error message "Sign-on policy denies access." is displayed.
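The following is an added example, not IDCS code, that simulates the Network Perimeter definitions (address list, address range, IPv4 CIDR) and the top-to-bottom, first-match sign-on policy evaluation described above, using the three-rule policy and the three sign-in scenarios from this section. The rule names, the perimeter contents (the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are constructed documentation addresses) and the choice to deny when no rule matches are assumptions of the example, not IDCS behaviour stated on this page.

```python
"""Simulation of IDCS-style Network Perimeters and first-match sign-on policy rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


class NetworkPerimeter:
    """A named set of IP addresses: single addresses, inclusive ranges and IPv4 CIDR blocks."""

    def __init__(self, name, addresses=(), ranges=(), cidrs=()):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        self.ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for lo, hi in ranges]
        # strict=False accepts "10.10.0.1/24" exactly as written in the text (host bits set)
        # and treats it as the whole 10.10.0.0/24 subnet instead of raising ValueError.
        self.cidrs = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def contains(self, ip):
        ip = ipaddress.ip_address(ip)
        if ip in self.addresses:
            return True
        # Compare only same-version addresses; mixing IPv4/IPv6 in ordering raises TypeError.
        if any(lo.version == ip.version and lo <= ip <= hi for lo, hi in self.ranges):
            return True
        return any(ip in net for net in self.cidrs)


@dataclass
class SignInContext:
    """What a browser sign-in attempt presents to the policy engine (constructed)."""
    user_name: str
    client_ip: str
    is_admin: bool = False
    groups: frozenset = frozenset()
    identity_provider: Optional[str] = None


@dataclass
class Rule:
    """One sign-on policy rule: every non-None condition must hold for the rule to match."""
    name: str
    action: str                              # "Allowed" or "Denied"
    is_admin: Optional[bool] = None          # "And is an administrator" condition
    perimeters: Optional[list] = None        # None means "Anywhere"
    groups: Optional[frozenset] = None       # group membership condition
    users: Optional[frozenset] = None        # explicit list of users
    identity_provider: Optional[str] = None  # authenticating identity provider

    def matches(self, ctx: SignInContext) -> bool:
        if self.is_admin is not None and ctx.is_admin != self.is_admin:
            return False
        if self.perimeters is not None and not any(p.contains(ctx.client_ip) for p in self.perimeters):
            return False
        if self.groups is not None and not (self.groups & ctx.groups):
            return False
        if self.users is not None and ctx.user_name not in self.users:
            return False
        if self.identity_provider is not None and ctx.identity_provider != self.identity_provider:
            return False
        return True


def evaluate_policy(rules, ctx: SignInContext):
    """Evaluate rules top to bottom; the first matching rule's action ends evaluation."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.action, rule.name
    # Assumption of this example: fail closed if nothing matched (IDCS always has a default rule).
    return "Denied", None


# Perimeters from the worked example (addresses are constructed documentation values).
NP1_COMPANY = NetworkPerimeter("NP1-Company", cidrs=["10.10.0.1/24"])
NP2_ADMINS = NetworkPerimeter("NP2-Admins", addresses=["203.0.113.10", "203.0.113.11"])
NP_RANGE = NetworkPerimeter("NP-Range", ranges=[("192.0.2.10", "192.0.2.20")])  # range form

# The modified default policy: intranet allowed, listed admins allowed, everyone else denied.
POLICY = [
    Rule("Default Rule", "Allowed", perimeters=[NP1_COMPANY]),
    Rule("Admins from home", "Allowed", is_admin=True, perimeters=[NP2_ADMINS]),
    Rule("Block everyone else", "Denied", perimeters=None),  # "Anywhere"
]


def scenario(user_name, client_ip, is_admin=False):
    """Run one sign-in attempt against POLICY and return (action, matched rule name)."""
    return evaluate_policy(POLICY, SignInContext(user_name, client_ip, is_admin))


if __name__ == "__main__":
    print("Scenario 1:", scenario("employee", "10.10.0.57"))
    print("Scenario 2:", scenario("admin", "203.0.113.10", is_admin=True))
    print("Scenario 3:", scenario("employee", "198.51.100.23"))
    # Order matters: putting the "Anywhere"/Denied rule first would deny everybody.
    print("Reordered:", evaluate_policy(list(reversed(POLICY)), SignInContext("employee", "10.10.0.57")))
```

The reordered call at the end shows why the rule order in the console matters: because evaluation stops at the first match, an "Anywhere"/"Denied" rule placed above the allow rules blocks every sign-in, including the intranet users the default rule was meant to admit. A non-administrator connecting from an address in NP2-Admins is likewise denied, since the second rule requires both conditions.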
Refer to IDCS documentation for the detailed instructions regarding Sign-On Policy and Network Perimeter setup.
Available Reports
The following Identity Cloud Service reports are available for review and download:
Successful Login Attempts
Unsuccessful Login Attempts
Application Access
Granted and Revoked Application Roles