18 Managing Organizations

The organization management feature in Oracle Identity Manager allows you to view and manage organizations. Some of the organization management tasks include creating, viewing, modifying, and deleting organizations.

The tasks are described in the following sections:

18.1 About Organization Entity

An organization entity represents a logical container of entities such as users and other organizations in Oracle Identity Manager. Organizations in Oracle Identity Manager are used only for security purposes.

Organizations allow you to:

  • Logically and securely manage user accounts and administrators

  • Limit access to users, applications, roles, and entitlements

Customers can set up delegated administration by creating organizations and assigning users to various locations in an organizational hierarchy. Organizations that contain one or more other organizations are called parent organizations.

All Oracle Identity Manager users (including administrators) are statically assigned to one organization. Users also can be dynamically assigned to additional organizations. Oracle Identity Manager administrators are additionally assigned to control organizations.

18.2 Searching Organizations

Use the Organization page to perform simple and advanced searches for organizations.

To search for organizations, perform one of the following:

18.2.1 Performing Basic Search for Organization

  1. Log in to Identity Self Service.
  2. Click Manage, and then click the Organizations box. The Organization page is displayed.
  3. To perform a basic search, select any one of the following search criteria from the Search drop-down list and click the Search icon:
    • Organization Name

    • Type

    • Organization Status

    • Parent Organization Name

    • Certifier User Login

    The search results table displays the organization name, parent organization name, organization type, and organization status.

18.2.2 Performing Advanced Search for Organization

  1. Log in to Identity Self Service.

  2. Click Manage, and then click the Organizations box. The Organization page is displayed.

  3. Click the Advanced link. The Advanced Organization Search page opens.

  4. Select any one of the following Match options:

    • All: Search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.

    • Any: Search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.

  5. In the Organization Name field, enter the organization name that you want to search for, and select a search comparator. The default search comparator is Starts With; the Equals comparator is available in the list as an alternative.

    You can use wildcard characters to specify the organization name.

  6. From the Type list, select the organization type. The organization type can be Branch, Company, or Department.

  7. To add a field in your search:

    1. Click Add Fields, and select a field, such as Organization Status.

    2. Enter a value for the search attribute that you added. In this example, from the Organization Status list, select the organization status, which can be Active, Deleted, or Disabled.

      If you want to remove a field that you added in the search, then click the cross icon next to the field.

  8. Click Search. The results are displayed in the search results table.

    The search results table displays the organization name, parent organization name, organization type, and organization status.

18.3 Creating an Organization

Using the Create Organization page, you can create an organization of type Branch, Company, or Department, control password behavior, and select the applicable password policy for the organization.

To create an organization:

Note:

Organizations are persisted in the Oracle Identity Manager database regardless of whether the users and groups are stored in a Directory or the Oracle Identity Manager database.

  1. In Identity Self Service, click Manage to open the Home Page. Click Organizations. The Search Organizations page is displayed.

  2. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Organization page is displayed.

  3. In the Organization Name field, enter the name of the organization.

  4. From the Type list, select the type of the organization, such as Branch, Company, or Department.

  5. Specify the parent organization to which the newly created organization will belong. To do so:

    1. Click the search icon next to the Parent Organization field. The Search Organizations dialog box is displayed.

    2. Search and select the organization that you want to specify as the parent organization.

    3. Click Select. The selected organization is added as the parent organization.

  6. (Optional) Select a user in the Certifier User Login field to specify that user as the organization certifier of the organization being created.

    See Setting User Manager and Organization Certifier for information about the organization certifier.

  7. An organization can control the password behavior of users who enter it through a change of their home organization. If the Home Organization of a user changes from one organization to another, and the password policies attached to the two organizations differ, then the Enforce password policy flag of the new home organization determines whether the user must change the password according to the password policy of the new home organization at the next login, or can continue using the same password.

    Select a value for Enforce password policy on reassignment from the drop-down list. The options are Inherit from Parent Org, No, and Yes. The default value is Yes.

    • If Enforce password policy on reassignment is Yes, then the user has to change the password according to the password policy of the new home organization at the first login after the home organization is changed.

      Note:

      If a challenge policy is enabled in the password policy of the new home organization, then a new password and challenge questions have to be set at the first login.

    • If Enforce password policy on reassignment is No, then the user can continue using the existing password.

    • If Enforce password policy on reassignment is Inherit from Parent Org, then the value Yes or No is inherited from the nearest parent organization where it is set.

  8. Specify a password policy name that you want to associate with the organization. To do so:

    1. Click the search icon next to the Password Policy Name field. The Search Password Policy Name dialog box is displayed.

    2. Search and select the password policy that you want to associate with the organization. To list all password policies, you can click the search icon, and then you can select the password policy from the search results.

      For information on how to create a new password policy, see Managing Password Policies.

    3. Click Add. The selected password policy name is added to the Password Policy Name field.

  9. Click Save to create the organization.
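The following is an added example, not Oracle's code, that models the Enforce password policy on reassignment behavior described in step 7: the Inherit from Parent Org value is resolved by walking up to the nearest parent where Yes or No is set, and a home-organization change forces a password (and, where the new policy has a challenge policy, challenge question) reset only when the two organizations' password policies differ and the effective flag is Yes. The organization names, policy names, and the fallback to Yes when an Inherit chain reaches a top-level organization are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Drop-down values from the Create Organization page
YES, NO, INHERIT = "Yes", "No", "Inherit from Parent Org"


@dataclass
class Organization:
    name: str
    parent: Optional[str]          # None for a top-level organization
    enforce_on_reassignment: str   # YES, NO or INHERIT
    password_policy: str           # name of the password policy attached to the org


@dataclass
class PasswordPolicy:
    name: str
    challenge_enabled: bool        # "challenge policy is enabled" in the Note above


def effective_enforce_flag(orgs: Dict[str, Organization], org_name: str) -> str:
    """Resolve Inherit from Parent Org to the Yes/No value set on the nearest
    ancestor.  Assumption (not stated on the page): a chain of Inherit values
    that reaches a top-level organization falls back to the default, Yes."""
    seen = set()
    current = orgs[org_name]
    while current.enforce_on_reassignment == INHERIT:
        if current.name in seen:
            raise ValueError(f"cycle in organization hierarchy at {current.name}")
        seen.add(current.name)
        if current.parent is None:
            return YES
        current = orgs[current.parent]
    return current.enforce_on_reassignment


def on_home_org_change(orgs: Dict[str, Organization],
                       policies: Dict[str, PasswordPolicy],
                       old_org: str, new_org: str) -> dict:
    """What the user must do at the next login after the Home Organization
    attribute changes from old_org to new_org."""
    old_policy = orgs[old_org].password_policy
    new_policy = orgs[new_org].password_policy
    result = {
        "effective_flag": effective_enforce_flag(orgs, new_org),
        "must_change_password": False,
        "must_set_challenge_questions": False,
    }
    if old_policy == new_policy:
        return result                      # same policy on both orgs: nothing to enforce
    if result["effective_flag"] == YES:
        result["must_change_password"] = True
        result["must_set_challenge_questions"] = policies[new_policy].challenge_enabled
    return result


# Constructed sample hierarchy (assumed names, not from the page):
#   Acme (Yes, Corporate)
#   +-- Finance (No, Finance)
#   |   +-- Treasury (Inherit, Finance)
#   +-- Engineering (Inherit, Engineering with challenge questions)
SAMPLE_ORGS = {
    "Acme": Organization("Acme", None, YES, "Corporate"),
    "Finance": Organization("Finance", "Acme", NO, "Finance"),
    "Treasury": Organization("Treasury", "Finance", INHERIT, "Finance"),
    "Engineering": Organization("Engineering", "Acme", INHERIT, "Engineering"),
}
SAMPLE_POLICIES = {
    "Corporate": PasswordPolicy("Corporate", challenge_enabled=False),
    "Finance": PasswordPolicy("Finance", challenge_enabled=False),
    "Engineering": PasswordPolicy("Engineering", challenge_enabled=True),
}

if __name__ == "__main__":
    for old, new in [("Finance", "Engineering"), ("Acme", "Treasury"), ("Finance", "Treasury")]:
        print(f"{old} -> {new}: {on_home_org_change(SAMPLE_ORGS, SAMPLE_POLICIES, old, new)}")
```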

18.4 Viewing and Modifying Organizations

You can perform administrative organization modifications in the organization details page. The modification is divided across the different sections of the organization details page, which means that modifications done in each section are independent of each other and must be saved individually.

The modification for each section is described in the following sections:

18.4.1 Opening Organization Details

You can view details of an organization in the organization details page.

To open the details of an organization:

  1. In Identity Self Service, click Manage to open the Home Page. Click Organizations. The Search Organizations page is displayed.
  2. Search and select the organization whose details you want to display.
  3. From the Actions menu, select Open. Alternatively, click Open on the toolbar. The details of the selected organization are displayed in a new page.

18.4.2 Modifying Organization Attributes

The Attributes tab of the organization details page displays attributes of the organization. You can modify the organization attributes if you have the appropriate authorization.

If you are authorized to modify the organization profile as determined by authorization policy, then the organization details page opens in editable mode, and you can modify organization information. You can modify the values for the attributes, and then click Apply to save the changes.

Whether or not the logged-in user is allowed to modify the organization is controlled by authorization policies. If you are not allowed to modify the organization, then the organization details page is displayed in read-only mode with no editable fields.

Note:

The Status attribute in the organization details page is read-only.

18.4.3 Managing Child Organizations

The Children tab displays a list of the child organizations of the open organization. You can create a new child organization, and view, delete, enable, or disable a child organization.

For each child organization in the list, the organization name, organization type, and organization status are displayed. The Children tab enables you to perform the following:

18.4.3.1 Creating a Child Organization

In the Children tab, you can create a child organization or suborganization of the open organization by selecting Create Sub-org from the Actions menu. Alternatively, click Create Sub-org on the toolbar. The Create organization page is displayed. Perform the steps described in Creating an Organization to complete creating the child organization.

18.4.3.2 Deleting a Child Organization

To delete a child organization:

  1. In the Children tab, select the organization you want to delete.
  2. From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A message is displayed asking for confirmation.
  3. Click Delete to confirm. The selected child organization is deleted.

18.4.3.3 Disabling a Child Organization

To disable a child organization:

  1. In the Children tab, select the organization you want to disable.
  2. From the Actions menu, select Disable. Alternatively, click Disable on the toolbar. A message is displayed asking for confirmation.
  3. Click Disable to confirm. The selected child organization is disabled.

18.4.3.4 Enabling a Child Organization

To enable a child organization:

  1. In the Children tab, select the organization you want to enable.
  2. From the Actions menu, select Enable. Alternatively, click Enable on the toolbar. A message is displayed asking for confirmation.
  3. Click Enable to confirm. The selected child organization is enabled.

18.4.3.5 Opening a Child Organization

To open a child organization:

  1. In the Children tab, select the organization you want to open.
  2. From the Actions menu, select Open. Alternatively, click Open on the toolbar, or click the name of the organization.

    The organization details page for the selected organization is displayed, where you can modify the details of that organization.

18.4.4 Viewing Organization Membership

The Members tab displays a list of users in the open organization.

For each user in the list, the following are displayed:

  • User Login

  • Display Name

  • First Name

  • Last Name

  • E-mail

  • Relationship Type

Tip:

You can add users to or remove users from organizations by using the Attributes tab of the user details page.

The Relationship Type column displays the type of relationship that the user member has with the organization. This is described in detail in Managing Dynamic Organization Membership.

18.4.5 Managing Dynamic Organization Membership

You can dynamically assign users to organizations based on user-membership rules, which you can define in the Members tab of the organization details page. From the Members tab, you can create a new dynamic membership rule, view and modify existing rules, or delete rules.

Managing dynamic user-organization memberships is described in the following sections:

18.4.5.1 About Dynamic Organization Membership Rule

Users are assigned to organizations by specifying an organization name in the Organization attribute of the user details. This is called a static membership. In addition, you can dynamically assign users to organizations based on user-membership rules, which you can define in the Members tab of the organization details page. All users that satisfy the user-membership rule are dynamically associated with the organization irrespective of which organization hierarchy the users statically belong to.

Each organization can have one user-membership rule. Because a user can match the rules of several organizations, a user can be a member of multiple organizations at a time, and thereby view and request additional resources.

The dynamic memberships can be revoked by changing the user-membership rules.

18.4.5.2 Creating a Dynamic Organization Membership Rule

To create dynamic membership rule for an organization:

  1. In the Members tab of the organization details page, click Add Rule. The Expression Builder is displayed.
  2. In the Attributes tab, select an attribute, such as Country, and then click Add. The attribute is added to the expression builder for which you can specify a value. In addition, the Literals tab is displayed.
  3. In the Value field, enter a value for the selected attribute, such as US, and then click Add. The value is added to the expression builder. The expression for the membership rule specifies that users with Country as US will be members of the selected organization.

    Figure 18-1 shows the Expression Builder with a sample dynamic organization membership rule.

    Figure 18-1 Dynamic Organization Membership Rule
  4. Click the Preview Results tab. This tab displays all the users that match the specified membership rule and will be assigned to the selected organization.
  5. Click Save. The Members tab is displayed with the membership rule added in the User Membership Rule section.
  6. Click any one of the following:
    • Apply: Clicking this button saves the membership rule for later evaluation. The users matching the rule criteria will be assigned to the selected organization when you run the Refresh Organization Memberships scheduled job. This scheduled job evaluates the changes in user-organization membership rules since the last job run and assigns users to organizations based on the rules. For more information about this scheduled job, see "Predefined Scheduled Tasks" in Administering Oracle Identity Governance.

    • Apply and Evaluate: Clicking this button saves the membership rule and evaluates it against all users. As a result, the users that match the rule criteria are displayed in the list of members of the selected organization. The Relationship Type column for such users displays Dynamic Member because these users are assigned to the selected organization based on the membership rule.

    • Revert: Clicking this button reverts the changes done after saving.

    WARNING:

    The membership rule will be lost if you close the organization details page without clicking either the Apply or the Apply and Evaluate button.

18.4.5.3 Modifying a Dynamic Organization Membership Rule

To modify a user-membership rule:

  1. In the User Membership Rule section of the Members tab, click Edit Rule. The Expression Builder is displayed with the user-membership rule.
  2. If you want to change the attribute in the existing user-membership rule, then click the attribute to select it, and select another attribute in the Attributes tab. When finished, click Add.

    Similarly, you can click the value to change it and specify a different value.

  3. To add more criteria to the user-membership rule, click the down arrow and select any operator, such as AND or OR. To remove the rule, select REMOVE. You can specify complex criteria by building an expression as required.
  4. Click the Preview Results tab. This tab displays all the users that match the specified membership rule and will be assigned to the selected organization.
  5. Click Save. The Members tab is displayed with the modified membership rule in the User Membership Rule section.

18.4.5.4 Deleting a Dynamic Organization Membership Rule

To delete a user-membership rule:

  1. In the User Membership Rule section of the Members tab, click Delete Rule. A warning message is displayed asking for confirmation.
  2. Click Yes to confirm the deletion.

After you confirm the rule deletion, all the dynamic organization memberships created by the rule are deleted immediately in the post-process. There is no offline evaluation for organization membership rule deletion.
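The following is an added example, not Oracle's code, that models the dynamic membership behavior described in sections 18.4.5.1 through 18.4.5.4: a rule built from attribute/value leaves joined with AND and OR, the Preview Results listing, the difference between Apply (evaluated later by the Refresh Organization Memberships job) and Apply and Evaluate (evaluated immediately), the Relationship Type shown in the Members tab, and the immediate removal of memberships when the rule is deleted. The user records, organization names, and the "Static Member" label for the home-organization assignment are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# A rule is a tuple.  Leaf: (attribute_name, literal_value) meaning
# attribute == value.  Node: ("AND" | "OR", [subrules]), as joined in the
# Expression Builder with the AND/OR operators.
User = Dict[str, str]


def matches(rule: tuple, user: User) -> bool:
    """Evaluate a membership rule against one user's attribute values."""
    kind, payload = rule
    if kind == "AND":
        return all(matches(sub, user) for sub in payload)
    if kind == "OR":
        return any(matches(sub, user) for sub in payload)
    return user.get(kind) == payload          # leaf: attribute equals the literal


def preview_results(rule: Optional[tuple], users: Dict[str, User]) -> List[str]:
    """The Preview Results tab: logins that would become dynamic members."""
    if rule is None:
        return []
    return sorted(login for login, attrs in users.items() if matches(rule, attrs))


@dataclass
class Organization:
    name: str
    rule: Optional[tuple] = None               # at most one rule per organization
    pending_evaluation: bool = False           # set by Apply, cleared by the job
    dynamic_members: Set[str] = field(default_factory=set)


def apply_rule(org: Organization, rule: tuple) -> None:
    """Apply: save the rule; members are assigned later by the scheduled job."""
    org.rule = rule
    org.pending_evaluation = True


def apply_and_evaluate(org: Organization, rule: tuple, users: Dict[str, User]) -> None:
    """Apply and Evaluate: save the rule and assign matching users now."""
    org.rule = rule
    org.dynamic_members = set(preview_results(rule, users))
    org.pending_evaluation = False


def refresh_organization_memberships(orgs: List[Organization], users: Dict[str, User]) -> None:
    """Model of the Refresh Organization Memberships scheduled job: evaluate
    only the rules that were applied since the last run."""
    for org in orgs:
        if org.pending_evaluation:
            org.dynamic_members = set(preview_results(org.rule, users))
            org.pending_evaluation = False


def delete_rule(org: Organization) -> None:
    """Delete Rule: dynamic memberships go away immediately, no offline step."""
    org.rule = None
    org.dynamic_members.clear()
    org.pending_evaluation = False


def members_tab(org: Organization, users: Dict[str, User]) -> Dict[str, str]:
    """Rows of the Members tab keyed by login, with their Relationship Type.
    'Static Member' is an assumed label for the home-organization assignment."""
    rows = {login: "Static Member"
            for login, attrs in users.items() if attrs.get("Organization") == org.name}
    for login in org.dynamic_members:
        rows.setdefault(login, "Dynamic Member")   # page's label for rule-based members
    return rows


# Constructed sample users (assumed logins, organizations and attribute values)
SAMPLE_USERS = {
    "jdoe":   {"Organization": "US Sales", "Country": "US", "Department": "Sales"},
    "asmith": {"Organization": "EMEA",     "Country": "UK", "Department": "Sales"},
    "bwong":  {"Organization": "APAC",     "Country": "US", "Department": "Finance"},
    "clee":   {"Organization": "APAC",     "Country": "SG", "Department": "Finance"},
}
US_SALES_RULE = ("AND", [("Country", "US"), ("Department", "Sales")])
US_OR_FINANCE_RULE = ("OR", [("Country", "US"), ("Department", "Finance")])
```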

18.4.6 Managing Admin Roles

You can view the admin roles that are assigned to the organization, assign admin roles to a user, or revoke admin roles from a user.

In the Admin Roles tab, you can perform the following:

18.4.6.1 About Admin Role in Organization Details

You can view the admin roles that are assigned to an organization by clicking the Admin Roles tab of the organization details page. The admin roles and their corresponding descriptions are listed in this tab. When you select an admin role, the users who have the selected admin role are displayed in the User Members section. This tab also allows you to grant to users, and revoke from users, the admin roles available to the open organization.

18.4.6.2 Granting an Admin Role

To grant an admin role to a user:

  1. In the organization details page, click the Admin Roles tab. A list of admin roles assigned to the open organization is displayed.
  2. Select the admin role that you want to grant to a user.
  3. From the Actions menu, select Assign. Alternatively, click Assign on the toolbar. The Advanced Search for Target Users dialog box is displayed.
  4. Search for the target users to whom you want to grant the selected admin role. You can select the Just show my directs option to list only your direct reports.
  5. In the User Results section, select the user to whom you want to grant the admin role.
  6. Click Add Selected to move the selected user to the Selected Users section. Alternatively, you can click Add All to move all the users from the User Results section to the Selected Users section.
  7. Click Select. The admin role is granted to the selected user. When you click the admin role in the Admin Roles tab, the selected user's record is displayed in the User Members section.
  8. In the User Members section, select the user record. Select the include sub-orgs option to grant the admin role to the user's organization and its suborganizations. If you want to grant the admin role to the user's organization only, then do not select this option.

18.4.6.3 Revoking an Admin Role

To revoke an admin role from a user:

  1. In the Admin Roles tab, select an admin role from which you want to revoke the user.
  2. In the User Members section, select the user from whom you want to revoke the admin role.
  3. From the Actions menu, select Revoke. Alternatively, click Revoke on the toolbar. A message is displayed asking for confirmation.
  4. Click Revoke to confirm. The user record is no longer displayed when you select the admin role.

    To revoke the admin role from the user for the suborganizations of the currently open organization as well, select the include sub-orgs option, and click Apply in the User Members section.

18.4.7 Viewing Available Accounts

The accounts available to an organization are the accounts that have been published to the organization. This means that the users of the organization can request these accounts. The Available Accounts tab shows the accounts provisioned to users in the organization.

18.4.8 Viewing Provisioned Accounts

The Provisioned Accounts tab displays the accounts that have been provisioned to the open organization. You can provision a resource, revoke a resource, view the details of a provisioned resource, enable or disable a provisioned resource, or view the action history of a provisioned resource from the Provisioned Accounts tab.

In the Provisioned Accounts tab, you can perform the following:

18.4.8.1 Provisioning a Resource

To provision a resource to an organization:

  1. In the Provisioned Accounts tab, from the Actions menu, select Provision. Alternatively, you can click Provision on the toolbar. The Provision Resource to Organization window is displayed.
  2. In the Select Resource tab, search for the resource by Resource Name. Select the Resource from the Search Result table, and then click Next. The Provide Process Data tab is displayed.

    Note:

    In any search result in Identity Self Service, you might not be able to select a control field or option, such as a row or a radio button, by pressing the Tab or Space bar keys. This is because some fields in a page are not accessible through the keys. Therefore, to pass the accessibility test, run the JAWS tool, press the Insert + F3 keys, and select the control field. Then, you can select the rows or radio buttons from your keyboard.
  3. In the Provide Process Data tab, select the required details and then click Next. The Review Summary tab is displayed.
  4. Review the summary, and then click Finish. A message stating that provisioning has been initiated is displayed.

18.4.8.2 Revoking a Resource

To revoke a resource from an organization:

  1. In the Provisioned Accounts tab, select the account that you want to revoke.
  2. From the Actions menu, select Revoke. Alternatively, you can click Revoke on the toolbar.

    A message is displayed asking for confirmation.

  3. Click Yes.

18.4.8.3 Viewing the Details of a Provisioned Resource

To view the details of a provisioned resource:

  1. In the Provisioned Accounts tab, select the account you want to open.
  2. From the Actions menu, select Open. Alternatively, you can click Open on the toolbar.

    The details of the account are displayed in a new page.

18.4.8.4 Disabling a Provisioned Resource

To disable a provisioned resource:

  1. In the Provisioned Accounts tab, select the account you want to disable.
  2. From the Actions menu, select Disable. Alternatively, you can click Disable on the toolbar.

    A message is displayed stating that the provisioned account has been successfully disabled.

18.4.8.5 Enabling a Provisioned Resource

To enable a resource provisioned to the organization:

  1. In the Provisioned Accounts tab, select the resource you want to enable.
  2. From the Actions menu, select Enable. Alternatively, you can click Enable on the toolbar.

    A message is displayed stating that the provisioned account has been successfully enabled.

18.4.8.6 Viewing Resource History

In the Provisioned Accounts tab of the organization details page, you can view the action history of a provisioned resource.

To view resource history:

  1. In the Provisioned Accounts tab, select the resource for which you want to view the resource history.
  2. From the Actions menu, select Resource History. Alternatively, click Resource History on the toolbar.

    The Resource History is displayed in a new window with the details of the provisioning tasks for the selected resource. It shows the task name, task status, date assigned, and the user to whom the resource is assigned.

  3. (Optional) To add a task to the resource history, click Add Task, select the radio button corresponding to the task name you want to add, and click Add.

    Note:

    By default, the first row of the table is selected, but the radio button on the row is not selected. Keep pressing Shift + Tab to navigate to the last row of the table. The radio button in the last row is now selected. Use the space bar to switch the radio button and the Up/Down arrow keys to select the rows.

18.4.9 Viewing Available Entitlements

You can view the entitlements published to the open organization in the Available Entitlement tab.

For each entitlement, the following information is displayed:

  • Entitlement name

  • Resource associated with the entitlement

  • Account name associated with the entitlement

  • Organization name

18.5 Creating a User Member

You can create a user for the organization using the Create User option available on the organization details page.

The organization name is pre-filled in read-only format on this create user page. The password policy of this organization, not the default password policy, applies when creating the user.

To create a user:

  1. In the organization details page, click Create User on the toolbar. The Create User page is displayed.
  2. Enter the required details. For a description of the different fields, see Creating a User.
  3. Click Submit.

18.6 Creating a Sub-Organization

Using the Create Organization page, you can create a sub-organization of type branch, company or department, control password behavior, and select applicable password policy for the organization.

To create a sub-organization for the open organization:

  1. In the organization details page, click Create Sub-org on the toolbar. The Create Organization page is displayed. The open organization name is populated by default as the parent organization name.
  2. Enter the organization attribute values, as described in Creating an Organization.
  3. From the Enforce password policy on reassignment list, select a value to specify whether or not to enforce password policy on reassignment, or to inherit the password policy of the parent organization.
  4. Click Save.

18.7 Disabling and Enabling Organizations

You can disable or enable an organization from the Search Organization page.

This section describes how to enable and disable organizations in the following topics:

Note:

You cannot disable organizations with child organizations or users. You can force-disable such an organization only by setting the value of the ORG.DisableDeleteActionEnabled system property to true. After you set this property, the users and suborganizations are disabled when the parent organization is disabled.

18.7.1 Disabling an Organization

To disable an organization that is in the enabled state:

  1. In the search result for organizations in the Search Organization page, select the organization that you want to disable.
  2. From the Actions menu, select Disable. Alternatively, click Disable on the toolbar, or open the organization details page and click Disable.

    A message is displayed asking for confirmation.

  3. Click Disable to confirm.

18.7.2 Enabling an Organization

To enable an organization that is in the disabled state:

  1. In the search result for organizations in the Search Organization page, select the organization that you want to enable.
  2. From the Actions menu, select Enable. Alternatively, click Enable on the toolbar, or open the organization details page and click Enable.

    A message is displayed asking for confirmation.

  3. Click Enable to confirm.

18.8 Deleting an Organization

Delete organizations that are not required or are not in use.

Note:

  • You cannot delete organizations with child organizations or users. You can force-delete such an organization only by setting the value of the ORG.DisableDeleteActionEnabled system property to true. Once you set the property, the users and suborganizations are deleted when the parent organization is deleted.

  • You can delete an organization only if you have the "Delete" permission for that organization.

  • The deleted record still exists in the database, marked as deleted.

To delete an organization:

  1. In the search result for organizations in the Organization page, select the organization that you want to delete.
  2. From the Actions menu, select Delete. Alternatively, click Delete on the toolbar, or click Delete on top of the organization details page.

    A message is displayed asking for confirmation.

  3. Click Delete to confirm.
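The following is an added example, not Oracle's code, that models the checks described in the Notes of sections 18.7 and 18.8: an organization with child organizations or users cannot be disabled or deleted unless ORG.DisableDeleteActionEnabled is true, in which case the status change cascades to the suborganizations and users; deletion additionally requires the "Delete" permission on the organization and is a soft delete that leaves the record marked Deleted. The organization hierarchy, users, and the permission model are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ACTIVE, DISABLED, DELETED = "Active", "Disabled", "Deleted"   # statuses listed in 18.2.2


@dataclass
class Organization:
    name: str
    parent: Optional[str]
    status: str = ACTIVE


@dataclass
class User:
    login: str
    organization: str            # home organization (static assignment)
    status: str = ACTIVE


def children_of(orgs: Dict[str, Organization], name: str) -> List[Organization]:
    return [o for o in orgs.values() if o.parent == name]


def users_of(users: Dict[str, User], name: str) -> List[User]:
    return [u for u in users.values() if u.organization == name]


def _cascade(orgs, users, name, new_status, changed):
    """Apply new_status depth-first: sub-orgs first, then users, then the org."""
    for child in children_of(orgs, name):
        _cascade(orgs, users, child.name, new_status, changed)
    for user in users_of(users, name):
        user.status = new_status
        changed.append(user.login)
    orgs[name].status = new_status      # soft delete: the record stays, marked Deleted
    changed.append(name)
    return changed


def change_organization_status(orgs: Dict[str, Organization], users: Dict[str, User],
                               name: str, new_status: str, permissions: Dict[str, Set[str]],
                               disable_delete_action_enabled: bool = False) -> List[str]:
    """Disable (DISABLED) or delete (DELETED) organization `name`, applying the
    checks from the Notes above.  `permissions` maps an org name to the
    permission names the caller holds on it (an assumed model).
    `disable_delete_action_enabled` stands for ORG.DisableDeleteActionEnabled.
    Returns the names of the entities whose status changed, in cascade order."""
    if new_status not in (DISABLED, DELETED):
        raise ValueError(f"unsupported status change: {new_status}")
    if name not in orgs:
        raise KeyError(name)
    if new_status == DELETED and "Delete" not in permissions.get(name, set()):
        raise PermissionError(f"no Delete permission on organization {name}")
    if (children_of(orgs, name) or users_of(users, name)) and not disable_delete_action_enabled:
        raise RuntimeError(f"{name} has child organizations or users; "
                           "set ORG.DisableDeleteActionEnabled to true to force the action")
    return _cascade(orgs, users, name, new_status, [])


def build_sample():
    """Constructed hierarchy: Acme > Finance > Treasury, with two users."""
    orgs = {
        "Acme": Organization("Acme", None),
        "Finance": Organization("Finance", "Acme"),
        "Treasury": Organization("Treasury", "Finance"),
    }
    users = {
        "jdoe": User("jdoe", "Acme"),
        "asmith": User("asmith", "Treasury"),
    }
    permissions = {"Acme": {"Delete"}, "Finance": {"Delete"}}   # no Delete on Treasury
    return orgs, users, permissions
```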