5 Managing Access for Self

Oracle Identity Self Service enables you to access entities, such as roles, entitlements, accounts, and administrator roles. The entities to which you have access are listed in the My Access section.

The tasks you perform in the My Access section are described in the following topics:

Tip:

Before you perform the steps to manage your access to entities, it is recommended that you see Requesting Access for detailed information about requests in Oracle Identity Manager.

5.1 Managing Roles

Roles are used to define the access rights that an entity may have. Roles determine the links and menus that are available to users when they log in to Identity Self Service.

In the Roles tab, you can perform the following:

5.1.1 Requesting for Roles

When you submit your request for roles, it is submitted for approval. When the request is approved at all approval levels, the role is assigned to you.

To request roles from the My Access page:

  1. Log in to Identity Self Service.
  2. Click Self Service. The Self Service Home page is displayed.
  3. Click the My Access box. The My Access page is displayed.
  4. Click the Roles tab. A list of roles assigned to you is displayed.

    Click the Granted tab to view the roles that are granted to you. This includes both direct and indirect roles.

    Click the Pending tab to view the roles that are approved and are pending on their future starting dates. When the starting date arrives, after the Process Pending Role Grants scheduled job runs, these roles are processed and displayed in the Granted tab. Roles that are not yet approved are not displayed in the Pending tab. You can use track request to view the status and details of such roles.

    Note:

    In all the tabs in the My Access page, you can refine your search by using Query By Example. For information, see Using Query By Example.

  5. From the Actions menu, select Request. Alternatively, click Request on the toolbar. The Role Access Request page opens, and the Catalog tab is displayed.
  6. Select a catalog item that you want to request. You can also select multiple items in the table.

    If you want to see information about a catalog item, click the i icon next to the Add to Cart button. A new tab with the details about the catalog item is displayed.

  7. Click Add to Cart next to the catalog item.

    The selected items are added to the request cart.

  8. If you want to remove any requested catalog item from the cart, click the Cart icon. The Cart Details page is displayed. Click the Remove button next to the request. If you want to remove all items from the cart, click Remove All.
  9. Click Checkout or click Next. The Cart Details page is displayed.
  10. Enter Request Information.
  11. Enter Grant Duration details such as Start Date and End Date, or specify that the grant is effective immediately by selecting the Grant will be effective immediately upon request completion option.

    If you do not specify a value in the Start Date field, then the role is assigned immediately as soon as the role is created either directly or after role creation request approval.

    If the Start Date is in the future, then the grant happens on that day when the Process Pending Role Grants job is run; this job is scheduled to run daily. On the End Date, the grant on the role is revoked when the Process Pending Role Grants job is run.

  12. Click Submit.
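
The grant-duration behaviour described in step 11 and in the Pending tab description, as a small Python model added here (not Oracle code): the state labels, function names, role names and dates are assumptions for illustration. In this model, a grant stays active after its End Date until the job next runs, so the `overdue` check lists grants to review if the scheduled job is ever skipped.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class RoleGrant:
    role: str
    start: Optional[date] = None   # blank Start Date: grant on approval
    end: Optional[date] = None     # blank End Date: no scheduled revocation
    state: str = "REQUESTED"       # model labels: REQUESTED, PENDING, GRANTED, REVOKED

def approve(g: RoleGrant, today: date) -> None:
    """Final approval: a future Start Date parks the grant in Pending."""
    g.state = "PENDING" if g.start and g.start > today else "GRANTED"

def run_job(grants: List[RoleGrant], today: date) -> None:
    """One run of the daily job: activate due grants, revoke ended ones."""
    for g in grants:
        if g.state == "PENDING" and g.start <= today:
            g.state = "GRANTED"
        if g.state == "GRANTED" and g.end and g.end <= today:
            g.state = "REVOKED"

def overdue(grants: List[RoleGrant], today: date) -> List[str]:
    """Roles still granted after their End Date: the job has not run since."""
    return [g.role for g in grants
            if g.state == "GRANTED" and g.end and g.end < today]

def demo():
    # Constructed sample requests; role names and dates are made up.
    grants = [
        RoleGrant("Auditor", start=date(2024, 3, 10), end=date(2024, 3, 12)),
        RoleGrant("Helpdesk", end=date(2024, 3, 11)),
        RoleGrant("Finance", start=date(2024, 3, 10)),  # never approved
    ]
    approve(grants[0], date(2024, 3, 8))
    approve(grants[1], date(2024, 3, 8))
    after_approval = [g.state for g in grants]
    run_job(grants, date(2024, 3, 10))
    after_start = [g.state for g in grants]
    # Job does not run on 11 and 12 March: access outlives the End Date.
    missed = overdue(grants, date(2024, 3, 13))
    run_job(grants, date(2024, 3, 13))
    return after_approval, after_start, missed, [g.state for g in grants]

if __name__ == "__main__":
    for step in demo():
        print(step)
```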

5.1.2 Removing Roles

When you submit your request for removing a role that is assigned to you, it is submitted for approval. The role is removed after the request is approved.

To remove roles assigned to you:

  1. Log in to Identity Self Service.
  2. Click Self Service. The Self Service Home page is displayed.
  3. Click the My Access box. The My Access page is displayed.
  4. Click the Roles tab. A list of roles assigned to you is displayed. Select a role that you want to remove.
  5. From the Actions menu, select Remove. Alternatively, click Remove Roles on the toolbar. The Remove Roles catalog page is displayed.
  6. Submit the request to remove roles. The role will be removed after the request is approved.

5.1.3 Modifying Role Grant Duration

When you submit your request to change the role grant duration, the Roles tab is updated with the values you specified immediately if no approver is assigned. If an approver is assigned, it is updated after the approval.

To modify the grant duration of the role assigned to you or to be assigned to you:

  1. Log in to Identity Self Service.
  2. Click Self Service. The Self Service Home page is displayed.
  3. Click the My Access box. The My Access page is displayed.
  4. Click the Roles tab. A list of roles assigned to you is displayed. Select a role for which you want to modify the grant duration.

    The grant duration fields, Start Date and End Date, are displayed in the Roles tab.

  5. From the Actions menu, select Modify Grant Duration. The Modify Grant Duration dialog box is displayed.
  6. In the Justification box, enter a justification for modifying the start date, or end date, or both.
  7. Enter values in any one or both of the following fields:
    • Start Date: The start date when the role will be provisioned. This must be a future date. This field is not available for modification if the role is already assigned.

    • End Date: The end date when the role will be revoked.

  8. Click OK.

    The Start Date and End Date fields in the Roles tab are updated with the values you specified immediately if no approver is assigned. If an approver is assigned, they are updated after the approval.

5.2 Managing Entitlements

An entitlement can be a role, responsibility, or group membership assigned to a user. The Entitlements tab in the My Access page allows you to manage the entitlements assigned to you.

In the Entitlements tab, you can perform the following:

5.2.1 Requesting for Entitlements

When you submit your request for entitlements, it is submitted for approval. When the request is approved at all approval levels, the entitlement is assigned to you.

To request entitlements:

  1. In the My Access page, click the Entitlements tab. A list of entitlements assigned to you is displayed.

    Note:

    The Entitlements tab displays entitlements with the Provisioned status and Future Granted status. The status displayed here is entitlement status and not the account status.

  2. From the Actions menu, click Request. Alternatively, click the Request button on the toolbar or use the Request Entitlement option from the Accounts tab. The Catalog page is displayed.

    Note:

    You can request an entitlement after the application instance is requested; otherwise, the request for the entitlement will fail.

  3. Select an entitlement item that you want to request. You can also select multiple items in the list.
  4. Click Add Selected to Cart or click Add to Cart beside the item to be added.

    You can add items one by one by clicking Add to Cart beside each item. The selected items are added to the request cart.

  5. Click Checkout or click Next. The Cart Details page is displayed.
  6. Enter Request Information.
  7. Enter Grant Duration details such as Start Date and End Date, or specify that the grant is effective immediately by selecting the Grant will be effective immediately upon request completion option.
  8. (Optional) For the requested entitlements, enter any additional information as needed. This additional information can be added using a form associated with the entitlement, provided the entitlement forms have been generated or re-generated by system administrators.

    For example, you can enter effective start and end dates for the entitlement. Then, the approver can review and/or modify this additional information and decide whether the entitlements can be provisioned or not.

    Note:

    The corresponding application instance will also be displayed in the cart if the application instance is not already provisioned to the user.

  9. Click Submit. The entitlement will be assigned after the request is approved.

    Note:

    If you want to save the cart in the request for editing or submitting later, then click Save as Draft.

5.2.2 Modifying Entitlements

When you submit your request for modifying an entitlement that is assigned to you, it is submitted for approval. The entitlement is updated after the request is approved.

To modify an entitlement assigned to you:

  1. In the Entitlements tab, select the entitlement that you want to modify.
  2. From the Actions menu, click Modify.
  3. Modify and submit the request to modify entitlement. The entitlement will be modified after the request is approved.

5.2.3 Removing Entitlements

When you submit your request for removing an entitlement that is assigned to you, it is submitted for approval. The entitlement is removed after the request is approved.

To remove entitlements assigned to you:

  1. In the Entitlements tab, select the entitlement that you want to remove.
  2. From the Actions menu, select Remove. Alternatively, click Remove from the toolbar. The Catalog page is displayed.
  3. Submit the request. The entitlement will be removed after the request is approved. Removing an entitlement cannot be done for a future date. To remove an entitlement in the future, set the End Date field in Grant Duration to that date.

Note:

If an account is revoked, its entitlements will be revoked. However, if an account is disabled, then its entitlements will remain granted. If entitlements have end dates and the end dates are reached, then the entitlements that are not yet revoked will be revoked.

5.2.4 Modifying Entitlement Grant Duration

When you submit your request to change the entitlement grant duration, the Entitlements tab is updated with the values you specified immediately if no approver is assigned. If an approver is assigned, it is updated after the approval.

To modify the grant duration of the entitlement assigned to you or to be assigned to you:

  1. In the Entitlements tab of the My Access page, select an entitlement for which you want to modify the grant duration.

    The grant duration fields, Start Date and End Date, are displayed in the Entitlements tab.

  2. From the Actions menu, select Modify Grant Duration. The Modify Grant Duration dialog box is displayed.
  3. In the Justification box, enter a justification for modifying the start date, or end date, or both.
  4. Enter values in any one or both of the following fields:
    • Start Date: The start date when the entitlement will be provisioned. This must be a future date. This field is not available for modification if the entitlement is already assigned.

    • End Date: The end date when the entitlement will be revoked.

  5. Click OK.

    The Start Date and End Date fields in the Roles tab are updated with the values you specified immediately if no approver is assigned. If an approver is assigned, they are updated after the approval.

5.3 Managing Accounts

An account is granted to a user to give the user the ability to log in to Oracle Identity Manager and access its features. The Accounts tab in the My Access page allows you to manage the accounts assigned to you.

In the Accounts tab, you can perform the following:

Note:

It is recommended not to update a field that is marked as an entitlement field in the child table. To update a field marked as an entitlement, you will have to revoke and grant an entitlement.

5.3.1 Requesting for Accounts

When you submit your request for an account, it is submitted for approval. When the request is approved at all approval levels, the account is assigned to you.

To request accounts:

  1. In the My Access page, click the Accounts tab. A list of accounts assigned to you is displayed.
  2. From the Actions menu, click Request. Alternatively, click Request on the toolbar. The Catalog page is displayed.
  3. Select a catalog item that you want to request. You can also select multiple items in the list.
  4. Click Add to Cart next to the catalog item, or click Add Selected to Cart.

    The selected items are added to the request cart.

  5. Click Checkout or click Next, and provide additional information; this is not mandatory. Ensure that you provide unique values for User Id and Password; otherwise, the request will fail.
  6. Click Submit. The account will be assigned after the request is approved.

    For more information, see Requesting Access.

5.3.2 Modifying Accounts

When you submit your request for modifying an account that is assigned to you, it is submitted for approval. The account is updated after the request is approved.

To modify accounts assigned to you:

  1. In the Accounts tab, select an account that you want to modify.
  2. From the Actions menu, select Modify. The Catalog page is displayed.
  3. Edit the attributes of the account. Provide the Effective Date for the modifications to be propagated to the account. If it is left blank, the account will be modified when the account is approved.
  4. Submit the request from the Catalog page. The account will be modified after the request is approved.

Note:

Changing the account password as part of the Modify operation in the Account form page will have no effect on the password. The account password can be changed using the Reset Password operation.

As a workaround, you can hide the account password fields by customizing the UI.

5.3.3 Removing Accounts

When you submit your request for removing an account that is assigned to you, it is submitted for approval. The account is removed after the request is approved.

To remove accounts assigned to you:

  1. In the Accounts tab, select the account that you want to remove.
  2. From the Actions menu, select Remove. Alternatively, click Remove from the toolbar. The Catalog page is displayed.
  3. Submit the request to remove accounts. The accounts will be removed after the request is approved. Removing an account cannot be done for a future date. To remove an account in the future, set the End Date field in Grant Duration to that date.

5.3.4 Disabling an Account

When you submit your request to disable an account that is assigned to you, it is submitted for approval. The account is disabled after the request is approved.

To disable an account:

  1. In the Accounts tab, select an account that you want to disable.
  2. From the Actions menu, select Disable. The Catalog Page is displayed.
  3. Specify Effective Date. This is the date when the account will be disabled.
  4. Submit the request to disable accounts. The accounts will be disabled after the request is approved.

5.3.5 Enabling an Account

When you submit your request to enable an account that was assigned to you but is in the disabled state, it is submitted for approval. The account is enabled after the request is approved.

To enable an account:

  1. In the Accounts tab, select an account that you want to enable.
  2. From the Actions menu, select Enable. The Catalog Page is displayed.

    Note:

    The Enable icon will be active only when a disabled account is selected.

  3. Specify Effective Date. This is the date when the account will be enabled.
  4. Submit the request to enable accounts. The accounts will be enabled after the request is approved.

5.3.6 Resetting Password for an Account

To reset the password for an account assigned to you, use one of the following ways:

  • Go to the Accounts tab of the My Access page. Then, select an account and click Reset Password.

  • If you are an admin user, go to the Accounts tab of the Users page. Then, select an account and click Reset Password.

5.3.7 Modifying Account Grant Duration

When you submit your request to change the account grant duration, the Accounts tab is updated with the values you specified immediately if no approver is assigned. If an approver is assigned, it is updated after the approval.

To modify the grant duration of the account assigned to you or to be assigned to you:

  1. In the Accounts tab of the My Access page, select an account for which you want to modify the grant duration.

    The grant duration fields, Start Date and End Date, are displayed in the Accounts tab.

  2. From the Actions menu, select Modify Grant Duration. The Modify Grant Duration dialog box is displayed.
  3. In the Justification box, enter a justification for modifying the start date, or end date, or both.
  4. Enter values in any one or both of the following fields:
    • Start Date: The start date when the account will be provisioned. This must be a future date. This field is not available for modification if the account is already assigned.

    • End Date: The end date when the account will be revoked.

  5. Click OK.

    The Start Date and End Date fields in the Roles tab are updated with the values you specified immediately if no approver is assigned. If an approver is assigned, they are updated after the approval.

5.4 Viewing Admin Roles

The Admin Roles tab of the My Access page displays the admin roles you have. Admin roles determine the operations you can perform in Oracle Identity Manager.