13 Managing Self Service Capability Policy

Managing the self service capability policy involves understanding the default self service capability rule, rule evaluation order, and creating, modifying, and deleting rules in the self service capability policy.

This chapter contains the following sections:

13.1 About Self Service Capability Rule

The self service capabilities feature lets you control what operations a user can perform on their own profile (self) by setting rules in the self service capability policy. The Self Service Capabilities page in Oracle Identity System Administration allows you to view, create, delete, and modify rules.

Oracle Identity Manager allows you to control what operations a user can perform on the self. For example, if a user belongs to a particular organization, then the user can be allowed only to change the self profile, and all other operations in Oracle Identity Manager are restricted. This is achieved by setting rules in the Self Service Capability Policy. In the Self Service Capability Policy, you define rules based on user attributes. You can also mark user attributes as denied attributes for any user who satisfies the rule; a denied attribute can be neither viewed nor edited by that user. The return value of a rule is the capability assigned to the user together with the denied attributes that are configured. Self Service Capability is seeded with a default rule.

Multiple self service capability rules can be configured. The rules are evaluated in the order configured on the Self Service Capability page. The rules are evaluated one by one, and the capabilities of the first matching rule are assigned to the user.

13.2 Default Self Service Capability Rule

Self Service Capability is seeded with a Default Self Service Capability rule.

The condition of the default rule always evaluates to True. Thus, if none of the other rules defined in Self Service Capability is satisfied, the default rule is satisfied and grants the user all the self service capabilities.

13.3 Example of Self Service Capability Rules and Rule Evaluation Order

Self service capability rules and the order of rule evaluation can be set based on the type and role of the user.

Examples of rules that can be set are:

  • If the user type is Contractor, then the user is allowed only to manage the self profile.

    If user.Role Equal Contractor THEN capability Equal selfModifyUser

  • If the user type is Full Time and the user belongs to the Sales department, then the user is allowed to request roles and modify the self profile.

    If user.Role Equal Full-time AND user.Department Number Equal Sales
    THEN
    capability Equal addSelfRoles
    AND
    capability Equal selfModifyUser

  • If the user type is Full Time and the country is not USA, then the user is allowed to modify the self profile, and Middle Name is a denied attribute for this user.

    If user.Role Equal Full-time AND user.Country Not Equal USA
    THEN
    capability Equal selfModifyUser
    AND
    deniedAttribute Equal Middle Name

  • If the user type is Full Time and the country is USA, then the user is allowed to modify the self profile.

    If user.Role Equal Full-time AND user.Country Equal USA
    THEN
    capability Equal selfModifyUser


When a user is created, the first rule that is evaluated is the most recently defined rule, followed by the next most recent, and so on down to the default rule. Evaluation stops as soon as a match is found.

For example, suppose the Contractor rule is created first, followed by Full-Time User, Full Time User USA, and Full Time User non USA. Figure 13-1 shows the resulting order of rules.

Figure 13-1 List of Rules defined in Self Service Capabilities page


Then, when a user is created, the user attribute values are evaluated against Full Time User non USA first. If it does not match, evaluation proceeds to Full Time User USA. If this also does not match, the user is evaluated against Full-Time User and then Contractor. If none of these rules match, the user is evaluated against the default rule, that is, Default Self Service Capability. If the evaluation against Full Time User non USA is satisfied, the capability of the user is set according to the condition in that rule, and no later rule is considered.
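The following is an added example, not code from Oracle Identity Manager, that models the evaluation order described above with the four rules from this section: the most recently created rule is checked first, disabled rules are skipped, the first match wins, and the seeded default rule applies when nothing else matches. The attribute names, the user records, and the capability list of the default rule are assumptions made for the example.

```python
# Added example (not Oracle's code): a minimal model of self service capability
# rule evaluation as this chapter describes it: latest-defined rule first,
# disabled rules skipped, first match wins, seeded default rule last.

OPS = {  # text-type conditions from Section 13.4 (subset modelled here)
    "Equal": lambda a, v: a == v,
    "Not Equal": lambda a, v: a != v,
    "Contains": lambda a, v: v in a,
    "Begins With": lambda a, v: a.startswith(v),
    "Ends With": lambda a, v: a.endswith(v),
}

def rule(name, conditions, capabilities, denied=(), enabled=True):
    """conditions: list of (attribute, operator, value); all must hold (AND)."""
    return {"name": name, "conditions": conditions, "capabilities": list(capabilities),
            "denied": list(denied), "enabled": enabled}

def matches(r, user):
    return all(OPS[op](str(user.get(attr, "")), val) for attr, op, val in r["conditions"])

# Assumption: the seeded default grants every capability; only the two capability
# names that appear in this chapter are listed here.
DEFAULT = rule("Default Self Service Capability", [], ["selfModifyUser", "addSelfRoles"])

def evaluate(rules_in_creation_order, user):
    """Return (rule name, capabilities, denied attributes) for the first match,
    evaluating the most recently created rule first, then falling back to DEFAULT."""
    for r in reversed(rules_in_creation_order):
        if r["enabled"] and matches(r, user):
            return r["name"], r["capabilities"], r["denied"]
    return DEFAULT["name"], DEFAULT["capabilities"], DEFAULT["denied"]

# The four rules of Section 13.3 in the creation order the text gives (Contractor first).
RULES = [
    rule("Contractor", [("Role", "Equal", "Contractor")], ["selfModifyUser"]),
    rule("Full-Time User",
         [("Role", "Equal", "Full-time"), ("Department Number", "Equal", "Sales")],
         ["addSelfRoles", "selfModifyUser"]),
    rule("Full Time User USA",
         [("Role", "Equal", "Full-time"), ("Country", "Equal", "USA")], ["selfModifyUser"]),
    rule("Full Time User non USA",
         [("Role", "Equal", "Full-time"), ("Country", "Not Equal", "USA")],
         ["selfModifyUser"], denied=["Middle Name"]),
]

if __name__ == "__main__":
    # Constructed user: Full-time Sales outside the USA hits "non USA" before "Full-Time User".
    print(evaluate(RULES, {"Role": "Full-time", "Department Number": "Sales", "Country": "DE"}))
```

Note that a Full-time Sales user outside the USA never reaches the Full-Time User rule and therefore does not receive addSelfRoles, which is why the rule order matters as much as the conditions.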

The order of the rule can be modified using the arrow buttons in the Order column of the rule.

13.4 Creating a Rule in Self Service Capability Policy

You can create a new rule in the Add Self Service Capability Policy Rule page. Using the Condition Builder, you can configure a rule condition. Using the AND or OR condition option, you can configure an advanced rule.

To create a rule in self service capabilities:

  1. Log in to Oracle Identity System Administration.

  2. In the left pane, under System Configuration, click Self Service Capabilities. The Self Service Capabilities page is displayed.

  3. Click Create on the toolbar. The Add Self Service Capability Policy Rule page is displayed.

  4. Under the Create Rule section, enter the Name, Description, Owner, and Status for the new rule. The Status of a rule can be set to Enable or Disable. If the Status is set to Disable, then the rule is skipped during evaluation when a user is created.

  5. Set the rule condition in the Condition Builder section, as follows:

    To set a rule using the Condition Builder:

    1. Under the IF part of the rule, click the condition builder icon to enter an attribute. The Condition Builder pop-up screen is displayed.

      As an example, Figure 13-2 shows the Add Rule page.

      Figure 13-2 Creating rule with Condition Builder Option for Self Service Capability

    2. Select the User attribute from the attribute list. The searchable attributes and UDFs associated with User are listed.

      Search for the particular attribute in the list, or type the name of the attribute in the text box and click the Search icon. Select the attribute from the list and click OK.

    3. Select the condition from the conditions drop-down. The available conditions are Equal, Not Equal, Contains, Does Not Contain, Begins With, Does Not Begin With, Ends With, and Does Not End With.

      Note:

      This list varies based on the type of the attribute. The list above is for text-type attributes. Number-type attributes can have conditions such as Greater Than, Less Than, and so on.

    4. To enter a value, type the value in the text box and click OK, or click the Value icon to open the Condition Builder pop-up screen.

      In the Condition Builder, you can opt to enter a Value or an Expression.

      If you select Value, a list of values is displayed. Select the required value, or type the value in the text box, and click OK.

      If you select Expression, a list of conditions is displayed. Select the required value and click OK.

      Note:

      This field is case sensitive.

    5. To enter the THEN part of the rule, click the condition builder icon. The Condition Builder pop-up screen is displayed. Select Capability or Denied Attributes and click OK.

    6. The condition is set to Equals and cannot be changed.

    7. To select the Capability or Denied Attribute, depending on the selection in the previous step, click the condition builder icon under the THEN section. The Condition Builder pop-up screen is displayed. Select the desired capability or denied attribute from the list and click OK.

      Note:

      • Mandatory attributes and system-generated attributes, such as Status, Display Name, User Login, and so on, cannot be included in the denied attributes list.

      • When denied attributes are specified, the user will not be able to view or modify those attributes.

  6. To set a complex rule, click Add Condition. Select the AND or OR condition and set the additional condition by following the instructions in Step 5.

  7. Click Create.

13.5 Modifying a Rule in Self Service Capability Policy

You can edit the existing rules in the self service capability policy by opening the policy, modifying the rule details, and saving the modified policy.

To modify a rule in self service capabilities:

  1. Log in to Oracle Identity System Administration.
  2. In the left pane, under System Configuration, click Self Service Capabilities. The Self Service Capabilities window is displayed.
  3. Select the self service capability rule you want to modify from the list and click Open.
  4. Modify the required details and click Update.

    If you do not wish to update the changes made to the rule, click Revert. The rule is restored to the original rule.

13.6 Deleting a Rule in Self Service Capability Policy

Delete the rules in the self service capability policy that are not required or are not in use.

To delete a rule in self service capabilities:

  1. Log in to Oracle Identity System Administration.
  2. In the left pane, under System Configuration, click Self Service Capabilities. The Self Service Capabilities window is displayed.
  3. Select the self service capability rule that needs to be deleted from the list and click Delete.