16 Managing Roles

The role management feature in Oracle Identity Manager provides role-based access control, which makes it easier to assign access levels to users and to audit those assignments on an ongoing basis.

This chapter describes roles and the tasks related to roles in the following sections:

16.1 About Roles

Roles make it easier to assign access levels to users and to audit those assignments on an ongoing basis.

Oracle Identity Manager provides a comprehensive set of role-based access control capabilities. Role-based access control ensures higher visibility and ease in assigning and unassigning access privileges to users, enforces the notion of least privilege, and enables compliance and audit insight.

Role-based administration typically grows and expands as new situations occur, such as applications being onboarded or phased out as business requirements evolve. The main advantage of this approach is ease of implementation and compliance oversight. Role-based administration can be established in a centralized fashion, distributed throughout your network, or hybridized.

Using this feature in Oracle Identity Manager, you can:

  • Create, edit, and delete roles via role owner approvals to enforce increased accountability and audit

  • Assign users to roles and remove users from roles

  • Assign a role as a parent role to an existing role

  • View access policies assigned to a role

  • Add, edit, or remove user membership rule of a role

  • Publish roles to organizations and unpublish roles from organizations

  • Make educated decisions to administer role content via advanced role analytics

16.2 Role Membership Inheritance

Oracle Identity Manager supports inheriting the access granted via access policies from the parent role to the child role.

This section discusses the following topics:

16.2.1 About Role Membership Inheritance

Membership inheritance means that the member-inheritor role inherits the members of the inherited-member role. For example:

Note:

The role that inherits membership is called the member-inheritor role. The role from which the member-inheritor role inherits membership is called the inherited-member role.

  • Role B inherits memberships from Role A. Role B is the member-inheritor role to Role A.

  • Role C also inherits memberships from Role A. Role C is also a member-inheritor role of Role A.

In this example, all members of Role A are also implicit or indirect members of Role B and Role C, but members of Role B are not automatically members of Role A. In other words, Roles B and C are the member-inheritor roles of Role A, and Role A is the inherited-member role of Role B and Role C. A real example for this is that the Employee Role (Role B) inherits memberships from the Manager Role (Role A).

Role membership inheritance is described with the help of the following scenario:

  • The role of CEO is an inherited-member role of the Manager role, because a list of managers includes the CEO.

  • The role Manager is an inherited-member role of the Employee role.

  • The role Software Architect is an inherited-member role of the Software Engineer role.

  • The role Software Engineer is an inherited-member role of the Employee role.

  • The Employee role has two inherited-member roles - the Manager role and the Software Engineer role.

Figure 16-1 shows the parent and child roles in this example, along with the membership inheritance:

Figure 16-1 Role Membership Inheritance


Each user in an inherited-member role automatically becomes a member in any of its member-inheritor roles. If that member-inheritor role is itself an inherited-member role, then the user is also added to its member-inheritor roles, and so on. This continues until there are no more member-inheritor roles in the inheritance chain. For example, a CEO is a manager and is automatically a member of the Manager role. Similarly, a manager is automatically an employee. This is why a member added to an inherited-member role gets inherited by its member-inheritor roles, and so on. This explains why the direct membership of the Employee role is empty, and considering membership inheritance, the Employee role has more members than all other roles.

A user can be a member of a role in one of the following ways:

  • The member has been inherited from the inherited-member role, which is called indirect membership.

  • The user is directly assigned to the role, which is called direct membership.

  • The user is directly assigned to the role by using membership rules, which is also called direct membership.

An indirect member can be assigned as a direct member as well. If such a user's direct membership in the role is revoked, the user remains a member of that role because of inheritance.

16.2.2 Evaluating Access Granted to User Through Role Inheritance

Inheriting the access granted via access policies from the parent role to the child role is enabled by setting the XL.AllowRoleHierarchicalPolicyEval system property to TRUE. This is explained in the following example:

  • Role1 contains Policy1 which contains account A1 and entitlement E1.

  • Role2 contains Policy2 which contains account A1 and entitlement E2.

  • Role1 is the parent role of Role2.

  • If XL.AllowRoleHierarchicalPolicyEval is set to TRUE, then when you grant Role2 to User1, User1 will get account A1 and entitlements E1 and E2.

  • If XL.AllowRoleHierarchicalPolicyEval is set to FALSE, then when you grant Role2 to User1, User1 will get account A1 and entitlement E2 only (which are part of Role2).

Note:

It is not required to restart the server after this property is changed.
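The membership inheritance of 16.2.1 and the XL.AllowRoleHierarchicalPolicyEval behaviour of 16.2.2, as an added Python model that is not Oracle's code: the role names are the chapter's own, the users and their Country attributes are constructed, and the Country = US rule stands in for a membership rule built in the expression builder.

```python
"""Model of role membership inheritance (16.2.1) and hierarchical access-policy
evaluation (16.2.2).  Added illustration, not Oracle Identity Manager code.
A child role inherits from its parent (Hierarchy tab, Inherits From): the child's
members flow up as indirect members of the parent, while the parent's access
policies flow down to the child's grantees only when the system property
XL.AllowRoleHierarchicalPolicyEval is TRUE.  Role names are the chapter's own;
the users and their attributes are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    name: str
    accounts: frozenset
    entitlements: frozenset


@dataclass
class Role:
    name: str
    parents: list = field(default_factory=list)    # roles this role inherits from
    policies: list = field(default_factory=list)
    direct_members: set = field(default_factory=set)
    rule: object = None                            # membership rule: attrs -> bool


class RoleModel:
    def __init__(self, users):
        self.users = users   # login -> attribute dict
        self.roles = {}

    def add_role(self, name, parents=(), policies=(), rule=None):
        self.roles[name] = Role(name, list(parents), list(policies), set(), rule)

    def rule_members(self, role_name):
        """Users selected by the role's membership rule (rule-based members)."""
        rule = self.roles[role_name].rule
        return {u for u, attrs in self.users.items() if rule and rule(attrs)}

    def children(self, role_name):
        return [r.name for r in self.roles.values() if role_name in r.parents]

    def ancestors(self, role_name):
        """Roles reachable upward through Inherits From links (transitive)."""
        found = set()
        for p in self.roles[role_name].parents:
            found |= {p} | self.ancestors(p)
        return found

    def all_members(self, role_name, _seen=None):
        """Direct, rule-based and indirect members; indirect members are
        inherited from child roles, following the chain until it ends."""
        seen = _seen if _seen is not None else set()
        seen.add(role_name)
        members = self.roles[role_name].direct_members | self.rule_members(role_name)
        for child in self.children(role_name):
            if child not in seen:
                members |= self.all_members(child, seen)
        return members

    def is_member(self, user, role_name):
        return user in self.all_members(role_name)

    def direct_roles_of(self, user):
        return {n for n in self.roles
                if user in self.roles[n].direct_members | self.rule_members(n)}

    def evaluate_access(self, user, hierarchical_policy_eval):
        """Accounts and entitlements granted by access policies; the flag mirrors
        XL.AllowRoleHierarchicalPolicyEval (parent-role policies apply only if TRUE)."""
        roles = self.direct_roles_of(user)
        if hierarchical_policy_eval:
            for r in list(roles):
                roles |= self.ancestors(r)
        accounts, entitlements = set(), set()
        for name in roles:
            for p in self.roles[name].policies:
                accounts |= p.accounts
                entitlements |= p.entitlements
        return accounts, entitlements


def build_chapter_scenario():
    """Figure 16-1 hierarchy plus the Role1/Role2 policy example of 16.2.2."""
    users = {"ceo1": {"Country": "UK"}, "mgr1": {"Country": "UK"},  # constructed
             "arch1": {"Country": "CA"}, "eng1": {"Country": "US"},
             "User1": {"Country": "DE"}}
    m = RoleModel(users)
    m.add_role("Employee")
    m.add_role("Manager", parents=["Employee"])
    m.add_role("CEO", parents=["Manager"])
    m.add_role("Software Engineer", parents=["Employee"],
               rule=lambda a: a.get("Country") == "US")   # the Country = US rule of 16.4
    m.add_role("Software Architect", parents=["Software Engineer"])
    m.roles["CEO"].direct_members.add("ceo1")
    m.roles["Manager"].direct_members.add("mgr1")
    m.roles["Software Architect"].direct_members.add("arch1")
    m.add_role("Role1", policies=[Policy("Policy1", frozenset({"A1"}), frozenset({"E1"}))])
    m.add_role("Role2", parents=["Role1"],
               policies=[Policy("Policy2", frozenset({"A1"}), frozenset({"E2"}))])
    m.roles["Role2"].direct_members.add("User1")   # "grant Role2 to User1"
    return m
```

With the scenario built, the Employee role has no direct members yet the largest membership, and User1 receives E1 only when the hierarchical flag is TRUE.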

16.3 Default Roles

Oracle Identity Manager provides a number of default roles, many of which are for internal use only.

In Oracle Identity Manager, the following types of roles are available:

  • Enterprise roles: These are roles that users (depending on the permissions granted) can create, modify, or delete in Oracle Identity Manager, and that can be requested by using the access catalog.

  • Admin roles: These are predefined roles in Oracle Identity Manager that have a one-to-one mapping with the application roles defined in Oracle Entitlement Server. Admin roles are not visible to the end users. Therefore, admin roles cannot be requested. However, you can create and manage admin roles, as described in Managing Administration Roles.

    Table 16-1 shows the list of default roles in Oracle Identity Manager.

Table 16-1 Default Roles in Oracle Identity Manager

Role Description

ALL USERS

Members of this role have minimal permissions, including the ability to access the user's own user record. By default, each user belongs to the ALL USERS role.

SYSTEM ADMINISTRATORS

For this role, name and display name are read-only. All other operations are permitted on this role, such as adding/removing parent roles, access policies, organizations, rules, and members.

Note: By default, XELSYSADM and OIMINTERNAL users are members of this role.

Administrators

This role is for internal use only, meaning it is for Oracle Identity Manager users, and other users can only view it in the UI. The Oracle WebLogic Server administrator is a member of this role.

OPERATORS

This role is for internal use only, meaning it is for Oracle Identity Manager users, and other users can only view it in the UI.

SELF OPERATORS

This role is for internal use only, meaning it is for Oracle Identity Manager users, and other users can only view it in the UI. No users are associated with this role.

Note: Oracle recommends that you do not modify the permissions associated with the SELF OPERATORS role. In addition, you should not assign any users to this role.

BIReportAdministrator

This role is for internal use only, meaning it is for Oracle Identity Manager users, and other users can only view it in the UI. This role is an administrator role for BI Publisher reports.

16.4 Creating Roles

Using the Create Roles page, you can create a role by providing role details, choosing parent roles, adding access policies to define access rights to the role, adding members to the role, and specifying the organizations to which the role will belong.

Note:

A role, SELF OPERATORS, is added to Oracle Identity Manager by default. No users are associated with this role.

Oracle recommends that you do not modify the permissions associated with the SELF OPERATORS role and do not assign users to this role.

To create a role:

  1. Log in to Oracle Identity Self Service.

  2. Click the Manage tab.

  3. Click the Roles and Access Policies box.

  4. Click Roles. The Roles page is displayed.

  5. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Attributes page of the Create Role wizard is displayed.

  6. Under General Role Information, specify values for Name, Display Name, Role E-mail, Role Description, and Owned By details.

    By default, the value in the Role Display Name field is populated by the value of the Role Name field. You can change the value if you want.

    If the Owned By field is left empty, the logged-in user becomes the role owner.

  7. Under Catalog Attributes, specify values for the attributes. These attributes are displayed in the role details of the request catalog. See Requesting New Access for more information about viewing the details of a role in the request catalog.

    Note:

    A role can be created without a role hierarchy, associated access policies, role members, and organizations to which the role is published. Therefore, steps 5 through 8 are optional.

  8. Click Next. The Hierarchy page of the Create Role wizard is displayed.

  9. In the Hierarchy page, you can choose parent roles for the role you are creating.

    To inherit permissions from an existing role, click Add Parent Roles. The Search Role dialog box is displayed. To search for and select a parent role:

    1. From the Search list, select an attribute based on which you want to search the parent role.

    2. In the Search box, enter a value of the selected attribute, and click the Search icon. The asterisk (*) character is used as a wildcard character.

      Roles matching the search criteria are listed.

      If you do not specify a search criterion, all the default roles are listed.

    3. From the list of roles, select the required Role and click Add Selected.

      Alternatively, you can add all the listed roles. To do so, click Add All.

    4. To deselect roles from the Selected Roles list, click Remove Selected or Remove All.

    5. Click Select. The Define Role Hierarchies panel lists the selected roles.

    6. If you want to undo adding the parent role, then click Undo on the toolbar. A warning is displayed. Click Undo to confirm.

    7. If you want to remove any parent role, then click Remove on the toolbar. A warning is displayed. Click Remove to confirm.

      Note:

      You can click the Undo button for undoing the addition of any items in multiple pages of the Create Role wizard. Similarly, you can click the Remove button to remove any selected item from multiple pages of the wizard. This is applicable to the Hierarchy, Access Policy, Members, and Organization pages.

    8. Click Next. The Access Policy page of the Create Role wizard is displayed.

  10. In the Select Access Policy panel, you can add access policies to define access rights to this role.

    The access policies that are available for associating with a role are created by using Oracle Identity System Administration. See Managing Access Policies for information about creating and managing access policies.

    To add access policies to the role:

    1. Click Add Access Policies. The Add Access Policies dialog box is displayed.

    2. Select the desired search criteria and click the Search icon. The access policies that match the search criteria are listed.

    3. From the list of access policies, select the required access policy and click Add Selected, or click Add All to add all the listed access policies.

    4. To deselect an access policy from the Selected Access Policy list, click Remove Selected or Remove All.

    5. Click Select. The Define Access Policy panel lists the selected access policies.

      To add more policies to this list or remove policies from it, follow the procedure in The Access Policy Tab.

    6. Click Next. The Members page of the Create Role wizard is displayed.

  11. In the Members page, you can add members to the role statically by selecting one or more users, dynamically by specifying membership rules, or dynamically by using an SQL membership rule.

    To add a member to a role:

    1. Search for Users by using appropriate search criteria and click the Search icon. Users matching the search criteria are listed.

    2. From the list of users, select the required user and click Add Selected, or click Add All to add all the listed users.

      To deselect a user from the Selected Users list, click Remove Selected or Remove All.

    3. Click Select. The Members tab is displayed with the assigned users in the Member Assignment section.

      Select the Start Date and End Date between which this role is assigned to the user. If you do not specify a value in the Start Date field, then the role is assigned as soon as the role is created, either directly or after the role creation request is approved.

      If the Start Date is in the future, the grant happens on that day when the Process Pending Role Grants job runs; this job is scheduled to run daily. On the End Date, the role grant is revoked when the Process Pending Role Grants job runs.

    To create membership rules for dynamically assigning members to a role:

    1. Click Create Membership Rule to open the User membership rules for role tab.

    2. In the Expression Builder tab, under Attributes tab, select an attribute, such as Country, and then click Add. The attribute is added to the expression builder for which you can specify a value. In addition, the Literals tab is displayed.

    3. In the Value field, enter a value for the selected attribute, such as US, and then click Add. The value is added to the expression builder. The expression for the membership rule specifies that users with Country as US will be members of the selected role.

    4. Click the Preview Results tab. The role members that match the expression you specified are listed. You can use this preview for offline impact analysis to view the role members that meet the rule criteria.

    5. Click Save. The Members tab is displayed with the membership rule added in the User Membership Rule section.

    6. If you want the membership rule to be evaluated as soon as the role is created, then select the Evaluate membership rule now option.

      If you want to add/remove more role members or membership rules, then perform the procedures described in The Members Tab.

    7. Click Next. The Organization page of the Create Role wizard is displayed.

    To create membership rules for dynamically assigning members to a role using an SQL query:

    Note:

    • You must enable the RoleUserMembershipRuleSQLSupported property to view the Create SQL Membership Rule option. You can also enable the RefreshRoleMembershipJob.EvaluateAllRolesForSQLMembershipRule property to evaluate all SQL membership rules when the Refresh Role Membership job is executed. For more information, see Default System Properties in Oracle Identity Governance.

    • If you revert these system properties, you must first delete the SQL membership rules created for the role, and then revert the properties.

    1. Click Create SQL Membership Rule to open the SQL User membership rules for role sample.

    2. Under the SQL Query tab, enter the SQL query details.

    3. Click the Preview Results tab. The role members that match the SQL query are listed. You can use this preview to view the role members that meet the SQL query rule criteria.

      Note:

      If the SQL query is incorrect, no results are displayed.

    4. Click Save. The Members tab is displayed with the SQL query added in the User Membership Rule section.

    5. If you want the membership rule to be evaluated as soon as the role is created, then select the Evaluate membership rule now option.

      If you want to add or remove more role members or membership rules, then perform the procedures described in The Members Tab.

    6. Click Next. The Organization page of the Create Role wizard is displayed.

  12. In the Organizations page, you can specify the organizations to which the role will belong. In other words, you can publish the role to one or more organizations. See The Organizations Tab for more information about publishing roles to organizations.

    Note:

    If you created the role using an SQL membership rule, then delete that rule and want to add a regular membership rule instead, click Apply and then click Role to add the membership rule.

    To assign organizations:

    1. Click Add Organizations. The search panel is displayed.

    2. From the list of organizations, select the required organization and click Add Selected, or click Add All to add all the listed organizations.

      To deselect an organization from the Selected Organization list, click Remove Selected or Remove All.

    3. Click Select. The Organizations tab is displayed with the list of organizations to which this role will be published.

      To add more organizations to this list or remove organizations from it, follow the procedure in The Organizations Tab.

    4. Click Next. The Summary page of the Create Role wizard is displayed.

  13. The Summary page displays the role summary information of the role that will be created. Role summary contains all information related to role, such as parent roles, access policies, members, and organizations. The Summary tab also has the View Analytics button when the Identity Audit feature is enabled.

    Optionally, click View Analytics to open the analytic details of the role that is being created. This button is displayed only when the Identity Audit feature is enabled. For detailed information about role analytics, see Displaying Role Analytics.

  14. Click Finish. The role is created successfully.

    Depending on the admin role assignment of the logged-in user and the applicable approval workflow rule, a request is generated, or the role is created directly and the role details page is displayed. In addition, a request is generated when the Identity Audit feature is enabled.

    Note:

    When role workflows are enabled, the role is created only after all the approvers in the workflow have approved. The role is not created successfully unless approved.

    If new members are added, then a separate request is submitted for role grant (which is controlled by its own approval workflow). And if there are multiple grants, then the request is a parent request. On its approval, child requests will be raised for each role grant. Each child request must be approved before the grant happens.

16.5 Managing Roles

You can find roles, add information to them, and perform other administrative functions for roles.

Tip:

Role category management is deprecated in the current release; any reference to it in this version of Oracle Identity Manager is only for backward compatibility.

This section discusses the following topics:

16.5.1 Searching for Roles

Use the Roles page to perform simple and advanced search for roles.

To search for roles, perform one of the following:

16.5.1.1 Performing Basic Search for Roles

To perform basic search:

  1. Log in to Identity Self Service.

  2. Click the Manage tab, and then click the Roles and Access Policies box. Click Roles. The Roles page is displayed.

  3. Select any one of the following search criteria from the Search list:

    • Display Name

    • Name

    • Role Namespace

  4. In the Search field, enter a search criterion. You can optionally use the asterisk (*) wildcard character in the search criterion for basic search. For example, specify the value of the Display Name attribute as Jo* and select Equals as the search operator. The roles whose Display Name begins with Jo are displayed.

  5. Click the search icon. The roles that match the selected search criteria are listed.

16.5.1.2 Performing Advanced Search for Roles

To perform advanced search:

  1. Log in to Identity Self Service.

  2. Click the Manage tab, and then click the Roles and Access Policies box. Click Roles. The Roles page is displayed.

  3. Click the Advanced link. The Advanced Roles search page is displayed.

  4. Select any one of the Match options:

    • All: On selecting this option, the search is performed with the AND condition. Only roles for which all the specified search criteria match are displayed in the search results.

    • Any: On selecting this option, the search is performed with the OR condition. Roles for which any one of the specified search criteria matches are displayed in the search results.

  5. In the searchable role attribute fields, such as Display Name, specify a value.

    For some attributes, select the attribute value from the lookup. For example, to search all roles in the Default role category, select Default in the Role Category field.

  6. For each attribute value that you specify, select a search operator from the list. The following search operators are available for text type of attributes:

    • Starts with

    • Ends with

    • Equals

    • Does not equal

    • Contains

    • Does not contain

  7. To add a searchable role attribute to the Search Roles page, click Add Fields, and select the attribute from the list of attributes.

    For example, if you want to search for all roles whose description contains custom admin role, then select Role Description from Add Fields, specify Contains as the search condition, and enter custom admin role as the value.

    Note:

    You can configure which attributes are searchable. All default and custom-defined searchable role attributes are shown in Add Fields. The searchable attributes are the ones marked with the Searchable = Yes property.

  8. Optionally click Reset to reset the values that you specified as search conditions. Typically, you perform this step to remove the specified search conditions and specify a new search condition.

  9. If you want to save the search criteria for future use, then click Save. See Using Saved Search for information about creating and managing saved search.

  10. Click Search. The search results are displayed in a tabular format.

  11. If you want to hide columns in the search results table, then perform the following steps:

    1. Click View on the toolbar, select Columns, Manage Columns. The Manage Columns dialog box is displayed.

    2. From the Visible Columns list, select the columns that you want to hide.

    3. Click the left arrow icon to move the columns to the Hidden Columns list.

    4. Click OK. The selected columns are not displayed in the search results.

16.5.2 Viewing and Administering Roles

You can open the details of a role and edit the role attributes, modify the role inheritance and membership, and then publish roles to organization.

The details of the role are displayed in a new page. The role display name is displayed at the top of the page. You can display the details of the role and modify role information in the following tabs of this page:

Note:

  • After you make changes in any one or more of the tabs in the role details page, click Apply to save the changes.

  • Depending upon the approval workflow configuration, a request might be generated for any change made to a role.

16.5.2.1 Opening Role Page

You can open the details of a role and edit the role attributes, modify the role inheritance and membership, and then publish roles to organization. To open the details of a role and modify it, perform one of the following:

  • In the Search Roles page, search and select the role that you want to open. From the Actions menu, select Open. Alternatively, click Open on the toolbar.

  • In the search results table of the Search Roles page, click the name of the role.

Note:

After modifications are made to the role, the modifications go through an approval process if role workflows are configured. The role changes are reflected in Oracle Identity Manager only after the approvers approve them.

16.5.2.2 About Attributes Tab

The Attributes tab displays the role attributes. Except for the Role Namespace field (which is read-only), the fields in the Attributes tab are the same as those available in the Create Role page. The Role Namespace field displays the namespace to which the role is assigned.

Note:

Modifying the values of Name and Display Name attribute for default roles, for example OPERATORS, ALL USERS, and SELF OPERATORS, is not supported.

If you modify the attribute values in the Catalog Attributes section, then the modifications are also displayed in Detailed Information section of the corresponding catalog item in the request catalog. See Requesting New Access for more information about viewing the details of a role in the request catalog.

To modify the role attributes, change the values in the fields, and click Apply.

Note:

Roles with the same name are allowed in different namespaces.

16.5.2.3 Understanding Hierarchy Tab

16.5.2.3.1 About Role Hierarchy

The Hierarchy tab displays the role hierarchy information in the following sections:

  • Inherits From: This section displays the parent roles from which the open role inherits. The base role has the same permissions and privileges on the members as the inherited roles. Only inherited roles can be added to or removed from the base role; the base role cannot be added to or removed from an inherited role here.

  • Inherited By: This section lists the child roles that inherit from the open role. This is a read-only display of the roles.

16.5.2.3.2 Adding a Parent Role to a Child Role

To add a parent role to a role:

  1. Open the role.

  2. Click the Hierarchy tab. In the Inherits From section, this tab lists the parent roles of the opened role; the opened role inherits permissions from these parent roles.

  3. Verify that Inherits From is active.

  4. From the Actions menu, select Add. Alternatively, click Add on the toolbar. The Search Roles dialog box is displayed.

  5. From the Search list, select the role attribute on which you want to search. Then, select an attribute value by using the lookup icon. You can also include the wildcard character (*) in your search criterion. Then, click the search icon. A list of roles that match your search criterion is displayed.

  6. Select one or more roles that you want to add as parent roles. Then, click Add Selected to move the selected roles to the Selected Roles list.

    Alternatively, click Add All to add all the listed roles to the Selected Roles list.

  7. Click Select. The selected roles are added as parent roles to the opened role, and the role hierarchy is displayed in the Inherits From section of the Hierarchy tab.

  8. Select the inherited role that was added. Summary information for the selected role is displayed in a popup.

16.5.2.3.3 Removing a Parent Role from a Role

To remove a parent role from a role:

  1. In the Inherits From section of the Hierarchy tab, select the role that you want to remove.

  2. From the Actions menu, select Remove. Alternatively, click Remove on the toolbar. A message box is displayed asking for confirmation.

  3. Click Remove. Pending action is filled with Remove. Repeat this step to remove more than one role. Click Undo if you do not want to remove a role that is already marked for removal.

  4. Click Apply. If a workflow is configured, the selected inherited roles are removed from the Inherits From section of the Hierarchy tab after approval.

16.5.2.3.4 Displaying Summary Information for Parent/Child Roles

You can display read-only summary information of the parent roles from the Inherits From section of the Hierarchy tab. You can also display summary information of the child roles from the Inherited By section.

To display the summary information of a parent/child role:

  1. To display the summary of the parent role, in the Inherits From section of the Hierarchy tab, click the Display Name of the role for which you want to display the summary information.

    A popup is displayed with the summary information of the parent role. It displays the role name, role display name, role description, role category, and the user who owns the role.

  2. Close the popup.
  3. To display the summary of the child role, in the Inherited By section of the Hierarchy tab, click the Display Name of the role for which you want to display the summary information.

    A popup is displayed with the summary information of the child role. It displays the role name, role display name, role description, role category, and the user who owns the role.

  4. Close the popup.

16.5.2.4 The Access Policy Tab

The Access Policy tab displays the access policies assigned for the role. In this tab, you can assign the access policies to the role or remove the access policies that are already assigned to the role.

In the Access Policies tab, you can perform the following:

16.5.2.4.1 Adding an Access Policy to a Role

To add access policies to a role:

  1. From the Actions menu, select Add. Alternatively, click Add on the toolbar.

  2. Select the desired search criteria and click the Search icon. Access policies matching the search criteria are listed.

  3. From the list of access policies, select the required access policy and click Add Selected, or click Add All to add all the listed access policies.

  4. To deselect an access policy from the Selected Policies list, select it and click Remove Selected. Click Remove All to deselect all the selected access policies.

  5. Click Select. The selected access policies are displayed in the Access Policy tab, with Pending action filled with Add. Repeat this step to add more policies. Click Undo if you do not want to add a policy that is already marked with Add.

  6. Click Apply. If the change raises a workflow, the request must be approved; the selected policies are then added to the role.

16.5.2.4.2 Removing an Access Policy

To remove the access policy assigned to this role:

  1. From the list of assigned access policies, select the access policy that you want to remove.

  2. From the Actions menu, select Remove. Alternatively, click Remove on the toolbar.

  3. Click Remove to confirm. The selected access policy is removed from the Access Policy tab, with Pending action filled with Remove. Repeat this step to remove more policies. Click Undo if you do not want to remove a policy that is already marked with Remove.

  4. Click Apply. If the change raises a workflow, the request must be approved; the selected policies are then removed from the role.

16.5.2.5 The Members Tab

16.5.2.5.1 About Members Tab

The Members tab displays the members assigned to the open role. This information is displayed in the following sections:

  • Direct Members: This section displays the members that are statically assigned to the open role.

  • Rule Based Members: This section displays the members that are assigned to the open role via membership rules.

  • Indirect Members: This section displays the members that are indirectly inherited by the role.

  • All Members: This section displays all the members, direct and indirect, assigned to the open role.

  • Pending Members: This section displays all the members that are pending for this role, that is, role assignments that have a future start date.

16.5.2.5.2 Assigning Members to a Role

To assign members to a role:

  1. In the Direct Members section of the Members tab, click Add. The Add Members dialog box is displayed.
  2. From the Search list, specify a user attribute name. Enter a search parameter in the search field, and click the search icon. The users that match the search criteria are displayed.
  3. Select the user that you want to assign, and click Add Selected. The selected user is added to the Selected Users table.

    To add all the listed users to the Selected Users table, click Add All.

  4. If you want to remove a user from the Selected Users table, then select the user and click Remove Selected. To remove all users from the Selected Users table, click Remove All.
  5. Click Select. Pending action is filled with Add. Repeat this if you want to add more users. You can click Undo if you do not want to add the user that is already marked with add.
  6. Click Apply. The request is to be approved if it raises a workflow. Then the selected members are added to the role.
16.5.2.5.3 Revoking Members from a Role

To revoke members from a role:

  1. In any section of the Members tab, select the member that you want to remove.
  2. Click Remove on the toolbar. A message is displayed asking for confirmation.
  3. Click Remove to confirm. Pending action is filled with Remove. Repeat this if you want to remove more users. You can click Undo if you do not want to remove the user that is already marked with remove.
  4. Click Apply. The request is to be approved if it raises a workflow. Then the selected members are removed from the role.
16.5.2.5.4 Adding Membership Rules

In the Members tab, you can add, modify, or delete the user membership rules or create membership rules for dynamically assigning members to a role using an SQL query. You can specify simple to complex condition expressions as the user membership rule or assign members to a role using an SQL query. When you modify a user membership rule, the existing user memberships are evaluated, and then the existing role memberships that are not valid are revoked and new role memberships are granted.

To add a user membership rule:

  1. In the Members tab, click Create Membership Rule. The Expression Builder is displayed.
  2. In the left pane, verify that <ADD> is selected. This is the placeholder to specify a user attribute for the condition.
  3. Under Select Operand Value, in the Attributes tab, select a user attribute, for example, Country.
  4. Click Add to add the attribute to the condition in the left pane.
  5. In Build Expression, select a comparator from the list of operators. If the attribute is of type integer, then comparators such as = (equals), > (greater than), >= (greater than or equal to), < (less than), =< (less than or equal to), and IN are displayed.

    If the attribute is of type String, then comparators such as = (equals), != (not equals), Contains, Starts with, Ends with, and IN are displayed.

  6. Under Select Operand Value, in the Literals tab, specify a value in the Value field, such as United States of America.

    When a checkbox or lookup type UDF or default attribute is used in membership rule, then it must be treated as shown in the following example:

    ( ( ( Last Name = "Klein" ) AND ( First Name Contains "Robert" ) )
    OR ( ( User Login Starts with "rob" ) AND ( Common Name Ends with "ein" ) )
    OR ( ( Robert2UserUDF111DL != "Robert2UserUDF111DL" ) AND ( Robert2UserNumberDL >= 99999 )
    AND ( RobertUserDateDL =< 2013-12-31 ) AND ( Robert2UserchkboxDL = "1" )
    AND ( Robert2UserLookupDL IN ["RobertLookUpCode3","RobertLookUpCode9"] ) ) )
    

    Here:

    • Robert2UserchkboxDL is a check box attribute, which must be compared in the rule as a string. Use "1" to check for True/yes/Selected/Checked, and use "0" to check for False/no/Unselected/Unchecked.

    • Robert2UserLookupDL is a lookup type attribute. In the default user profile, the decode value "Robert2LookUpMean3" is displayed, but you must use its code value "Robert2LookUpCode3" in the expression.

    • For all attribute types, there is no way to check for NULL or no value.

    Note:

    Checkbox fields are stored as strings in the backend. The data type for a checkbox field is String, not Boolean. Therefore, the string comparators are displayed for such fields.

  7. Click Add to add the specified value to the condition expression. The expression now means that users whose Country is United States of America will be dynamically assigned to the open role.

    Figure 16-2 shows the expression builder with the condition.

    Figure 16-2 The Expression Builder
  8. If required, on the Preview Results tab, you can preview members to whom this rule will be applied.
  9. Click Save. The expression builder closes, and the rule you defined has been saved.
  10. Click Evaluate membership rule now to evaluate this rule against all users immediately. Otherwise, you must run the Refresh Role Memberships scheduled job to evaluate the rule.
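The following is an added example, not Oracle's code or part of this guide: a small evaluator for rules of the kind built in the Expression Builder above, run over constructed user records. It shows the three caveats from the note (checkbox compared as the string "1", lookup compared by code rather than decode value, and NULL attributes matching no comparator) and the grant/revoke split that a rule re-evaluation produces. The user records, attribute values and rule trees are assumptions constructed for the example.

```python
# Added example (not Oracle's code). Constructed sample users; a missing
# attribute means the user has no value for it (NULL).
USERS = {
    "rklein": {"Last Name": "Klein", "First Name": "Robert", "User Login": "rklein",
               "Country": "United States of America", "Robert2UserchkboxDL": "1",
               "Robert2UserLookupDL": "RobertLookUpCode3"},
    "asmith": {"Last Name": "Smith", "First Name": "Anna", "User Login": "asmith",
               "Country": "United States of America", "Robert2UserchkboxDL": "0",
               "Robert2UserLookupDL": "RobertLookUpCode9"},
    "bjones": {"Last Name": "Jones", "First Name": "Bob", "User Login": "bjones",
               "Country": "Canada"},  # no checkbox or lookup value (NULL)
}


def compare(value, op, literal):
    """Apply one Expression Builder comparator. A NULL attribute (None) never
    matches, for any comparator: there is no way to test for 'no value'."""
    if value is None:
        return False
    ops = {
        "=": lambda: value == literal,
        "!=": lambda: value != literal,
        ">": lambda: value > literal,
        ">=": lambda: value >= literal,
        "<": lambda: value < literal,
        "=<": lambda: value <= literal,
        "IN": lambda: value in literal,
        "Contains": lambda: literal in value,
        "Starts with": lambda: value.startswith(literal),
        "Ends with": lambda: value.endswith(literal),
    }
    return ops[op]()


def evaluate(rule, user):
    """Evaluate a rule tree: ("AND", [...]), ("OR", [...]) or
    ("cond", attribute, comparator, literal)."""
    kind = rule[0]
    if kind == "AND":
        return all(evaluate(r, user) for r in rule[1])
    if kind == "OR":
        return any(evaluate(r, user) for r in rule[1])
    _, attr, op, literal = rule
    return compare(user.get(attr), op, literal)


def rule_members(rule, users):
    """Logins of all users the rule currently selects (the Preview Results view)."""
    return {login for login, attrs in users.items() if evaluate(rule, attrs)}


def refresh_memberships(rule, users, current_members):
    """Re-evaluate a (modified) rule: memberships that are no longer valid are
    revoked, newly matching users are granted, the rest are unchanged."""
    wanted = rule_members(rule, users)
    return {"granted": wanted - current_members,
            "revoked": current_members - wanted,
            "unchanged": current_members & wanted}


# Rule in the page's style: checkbox as the string "1", lookup by code value.
US_CHECKED_RULE = ("AND", [
    ("cond", "Country", "=", "United States of America"),
    ("cond", "Robert2UserchkboxDL", "=", "1"),
    ("cond", "Robert2UserLookupDL", "IN", ["RobertLookUpCode3", "RobertLookUpCode9"]),
])
# Same intent written with the decode (display) value: never matches anyone.
WRONG_LOOKUP_RULE = ("cond", "Robert2UserLookupDL", "=", "Robert2LookUpMean3")
# "Not equals" does not select users whose attribute has no value (bjones).
NOT_CODE9_RULE = ("cond", "Robert2UserLookupDL", "!=", "RobertLookUpCode9")

if __name__ == "__main__":
    print(rule_members(US_CHECKED_RULE, USERS))    # {'rklein'}
    print(rule_members(WRONG_LOOKUP_RULE, USERS))  # set()
    print(rule_members(NOT_CODE9_RULE, USERS))     # {'rklein'}
    print(refresh_memberships(US_CHECKED_RULE, USERS, {"asmith", "rklein"}))
```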
To create membership rules for dynamically assigning members to a role using an SQL query:

Note:

  • You must enable the RoleUserMembershipRuleSQLSupported system property to view the Create SQL Membership Rule option. You can also enable the RefreshRoleMembershipJob.EvaluateAllRolesForSQLMembershipRule property to evaluate all SQL membership rules when the Refresh Role Membership job is executed. For more information, see Default System Properties in Oracle Identity Governance.
  • If you revert these system properties, then you must first delete the SQL membership rules that were created for the role, and then revert the properties.
  1. Click Create SQL Membership Rule. The SQL user membership rule sample for the role is displayed.

  2. Under SQL Query tab, enter the SQL Query details.
  3. Click the Preview Results tab. The role members that match the SQL query you specified are listed. You can use this preview to check which role members meet the SQL query rule criteria.

    Note:

    If the SQL query is incorrect, then no results are displayed.
  4. Click Save. The Members tab is displayed with the SQL Query added in the User Membership Rule section.
  5. If you want the membership rule to be evaluated as soon as the role is created, then select the Evaluate membership rule now option.

    If you want to add/remove more role members or membership rules, then perform the procedures described in The Members Tab.

  6. Click Next. The Organization page of the Create Role wizard is displayed.

Note:

After you create the role using an SQL membership rule, if you delete that rule and want to return to using a membership rule for the role, then click Apply, and then click Role to add the membership rule.
16.5.2.5.5 Modifying Membership Rules

To modify a user membership rule:

  1. In the Members tab, in the User Membership Rule section, click Edit Rule. The expression builder is displayed.
  2. Specify a condition to dynamically assign members, as described in the steps for adding membership rule.
  3. If required, on the Preview Results tab, you can preview members to whom the modified rule will be applied.
  4. Click Save. The expression builder closes, and the rule you modified has been saved. You can then click the Apply, Apply and Evaluate, and Revert buttons, as required.
16.5.2.5.6 Deleting Membership Rules

To delete a user membership rule:

  1. In the Members tab, in the User Membership Rule section, click Delete Rule. A dialog box asking to confirm whether you want to delete the membership rule is displayed.
  2. Click Yes. The membership rule is deleted.

After adding, modifying, or deleting a user membership rule, click Apply. The request must be approved if it raises a workflow. Then the rule is added, edited, or removed from the role. Rule evaluation takes place immediately if the Evaluate membership rule now option is selected. Otherwise, the rule is evaluated only when the Refresh Role Memberships scheduled job is run.

16.5.2.6 The Organizations Tab
16.5.2.6.1 About Organizations Tab

The Organizations tab allows you to assign and revoke organizations to and from the open role. By assigning an organization to the open role, you make the role available to the organization. This is called publishing the role entity to an organization.

All the organizations, to which the open role has been published, are displayed in the Organizations tab. For each organization, the include sub-orgs option is available for selection in the Hierarchy Aware column. Select this option if you want the open role to be available to the entire hierarchy of the organization. To make the open role available only to the organization and not its hierarchy, leave this option deselected.

16.5.2.6.2 Publishing Roles to an Organization

To publish roles to an organization:

  1. In the Role details page, click the Organizations tab. This tab displays the organizations that are assigned to the open role.
  2. From the Actions menu, select Add. Alternatively, click Add on the toolbar. The Add Organizations dialog box is displayed.
  3. Search for the organizations you want to add. The organizations are displayed in the Organization Results section.
  4. Select the organizations that you want to add, and click Add Selected. The selected organizations are added to the Selected Organizations section.
  5. For each selected organization, the Hierarchy option is selected by default. If you want to publish the role to the suborganizations of the selected organization, then leave the Hierarchy option selected.

    To publish the role to the selected organization only, deselect the Hierarchy option.

  6. Click Select. Pending action is filled with Add. Repeat this if you want to add more organizations. You can click Undo if you do not want to add the organization that is already marked with add.

    Note:

    If no organization is selected, then the role is automatically published to the organization of the logged-in user and to the organizations on which the logged-in user has admin role capabilities.

16.5.2.6.3 Revoking Roles From an Organization

To revoke a role from an organization:

  1. In the Organizations tab, select the organization from which you want to revoke the role.
  2. To revoke the role from sub organizations of the currently selected organization, select the Hierarchy Aware option, and then click Apply. A message is displayed. Click Revoke.
  3. From the Actions menu, select Remove. Alternatively, click Remove on the toolbar. A message is displayed asking for confirmation.
  4. Click Remove. Pending action is filled with Remove. Repeat this if you want to remove more organizations. You can click Undo if you do not want to remove the organizations that are already marked with remove.
  5. Click Apply. The request is to be approved if it raises a workflow. Then the selected organizations are removed from the role.
16.5.2.7 The History Tab

In the History tab, you can perform the following:

16.5.2.7.1 About History Tab

The History tab is displayed only when Identity Audit is enabled in the Oracle Identity Manager deployment.

This tab displays all data about the open role that has been modified within a specified date range. Using this tab, the role administrator can track any changes to the role definition. The role administrator can enter a date range and view the modifications made within that date range to the role attributes, role hierarchy, access policies, role memberships, organizations, membership rules, and role certifications. By default, the history for the last seven days is displayed in this tab.

Note:

In the History tab, data is available for only the retention period for auditing that is configured in the Remove Audit Log Entries scheduled job, for example, six months. See "Predefined Scheduled Tasks" in the Administering Oracle Identity Governance for information about the Remove Audit Log Entries scheduled job.

16.5.2.7.2 Searching Role History

To search for role history:

  1. Open the role.
  2. Click the History tab.
  3. In the Search History section, enter a date range in the two date fields. You can also click the calendar icons and select the dates.
  4. Click Search. The role history within specified date range is populated in the subtabs of the History tab. For example, all role attribute modifications are listed in the Attributes subtab.

    You can click Reset to reset the date ranges mentioned.

    If you do not specify any values in the date fields and click Search, then all modifications made to the role from its creation till date are displayed in the subtabs.

    Note:

    All data shown in History is read-only and cannot be modified.

16.5.2.7.3 Viewing Role History

To view role history:

  1. Search for role history by specifying a date range, as described in Searching Role History.
  2. Click the Attributes tab. The modifications made to the role attributes within the specified date range are displayed in a table. The columns in the table provide information about the attributes modified, the new value of each attribute, the old value of the attribute before modification, the date on which the attribute was modified, and the user who updated the attribute.
  3. Click the Hierarchy tab. This tab displays the modifications made to the role hierarchy of the open role in a tabular format. The columns in the table provide information about the Display Name of the parent roles that have been added or removed, the change action (add/modify/delete), the user who modified the role hierarchy, and the dates on which the modifications were made.
  4. Click the Access Policy tab. This tab displays the modifications made to the access policies associated with the open role in a tabular format. The columns in the table provide information about the policy names that have been added or removed, the user who modified the access policies, the change action, and the dates on which the access policies were modified.
  5. Click the Organizations tab. This tab displays the modifications made to the organization assignments of the open role in a tabular format. The columns in the table provide information about the organization names that have been added, removed, or updated, the change action, the user who modified the organization assignment, and the dates on which the modifications were made.
  6. Click the Role Membership tab. This tab displays the modifications made to the role membership of the open role in a tabular format. The columns in the table provide information about the user names that have been added or removed, the change action, the user who modified the role membership, and the dates on which the modifications were made.
  7. Click the Membership Rules tab. This tab displays the modifications made to the membership rules in a tabular format. The columns in the table provide information about the rule names that have been modified, the change action (add/update/remove), the user who modified the rule, and the dates on which the modifications were made.
  8. Click the Certification tab. This tab displays the certifications performed for the open role in a tabular format. The columns in the table provide information about the certification names, the user who certified, and the dates on which the last certification was made.

16.5.3 Displaying Role Analytics

When Identity Audit is enabled, administrators or approvers can view the role analytics during creation/modification/track request/approval of a role, such as impact analysis on users that will be or are assigned the role, role consolidation information, and SoD violations.

This section describes the following:

16.5.3.1 About Viewing Role Analytics

Role analytics can be viewed in the following ways:

  • In the Summary page of the Create Role wizard, click View Analytics.

  • In the role details page, if you modify any attribute or any other data, then the View Analytics button is available.

  • In the Request Details tab of the Pending Approvals page, click View Analytics. This is for the request approver to compare the role with other existing roles to justify or reject the creation of the requested role.

16.5.3.2 Viewing Role Analytics

To view role analytics:

  1. In the Summary page of the Role Creation wizard, or in the role details page, or in the Request Details tab of the Pending Approvals page, click View Analytics. The Analytic Details page for the role is displayed. This page has the following sections:
    • Impact Analysis: Displays the number of potential user members that will be affected when a role is created, modified, or deleted. The impact analysis is based on changes to the user membership rule and/or changes to the access policy associations. The parameter affecting the members is the user membership rule. Based on the rule, the potential members can be evaluated and displayed on the approval UI. The list of user names is paginated. This section also displays the impact of adding or removing access policies from the role: which users will get the entitlements associated with an added access policy, and which users will have entitlements revoked when an access policy is removed from the role.

    • SoD Violations: Displays any access policies or entitlements within and across access policies that are in SoD conflict. See Managing Identity Audit for information about configuring identity audit rules and policies.

    • Role Consolidation: Displays contextual information about how similar the role is to other roles in the access catalog. The similarity is based on the entitlements of the two roles. The entitlement matching percentage must be at least 50 percent to be considered a match. When a match is found, the common memberships are calculated. Only the top three percentage matches are displayed, provided they meet the 50 percent cutoff. For example, if the top three percentages are 100%, 85%, and 50%, and 10 roles match 100%, one role matches 85%, and 8 roles match 50%, then all of these roles are displayed.

      If the percentage of entitlements matching is greater than or equal to 50%, then the percentage of users matching is also displayed along with the percentage of matching entitlements.

  2. Click the down arrow in the Impact Analysis box.

    An overview of the impact on users and entitlements of the role is displayed. Impact Analysis is displayed in the following sections:

    • Users: This section provides a graphical representation of the users that have been added and deleted, and the unchanged users. It shows users that are added/revoked only via membership rules and does not show the users that are added/removed directly. It has the following subsections:

      • Users Added: This section contains a table that shows the usernames, user login IDs, and the email IDs of the users that have been added to the role.

      • Users Deleted: This section contains a table that shows the usernames, user login IDs, and the email IDs of the users that have been revoked from the role.

      • Users Unchanged: This section contains a table that shows the usernames, user login IDs, and the email IDs of the users that are unchanged in the role.

      To view more details about each user, you can click the user name. More information about the user is displayed in the User Details popup. It displays information about added/deleted/modified users and entitlements. Click Cancel to close the User Details popup.

    • Entitlements: This section provides a graphical representation of the entitlements that have been added and deleted, and the unchanged entitlements. It contains the following subsections:

      • Entitlements Added: This section contains a table that shows the Display Name, Entitlement Name, and Description of the entitlements that have been added to the role.

      • Entitlements Deleted: This section contains a table that shows the Display Name, Entitlement Name, and Description of the entitlements that have been revoked from the role.

      • Entitlements Unchanged: This section contains a table that shows the Display Name, Entitlement Name, and Description of the entitlements that are unchanged in the role.

      To view more information about each entitlement, click the entitlement name. More information about the entitlement is displayed in a popup.

  3. Click the down arrow in the SoD Violations box. The SoD Violations box already shows the number of items that are in violation. When you activate this box, all the SoD policies that are in violation are displayed. When you click a policy, the details of the policy are displayed in the Description box. This box lists all the items that are in violation. The name and description of the items are displayed in a tabular format. On selecting each item, the severity of the violation is also shown above the table.
  4. Click the down arrow in the Role Consolidation box. The Role Consolidation box already shows the number of roles that are similar to the open role. Similar roles are roles with matching entitlements. For these similar roles, the membership match is then computed, irrespective of whether they have any memberships or not. All membership types are considered: pending, direct grants, and dynamic memberships.

    The role comparison is represented as a graph, which shows the similar roles and the membership and entitlement matching percentage of the similar roles with the open role.

    Note:

    Roles without members are considered for role consolidation. The similarity is based only on entitlements. After similar roles are found, the membership match is computed for only those roles. It can be 0 if the similar role has no memberships.

  5. You can click Back to go back to the previous page.
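The following is an added example, not Oracle's code or part of this guide: it reproduces the Role Consolidation selection rules stated above (50 percent entitlement cutoff, only the top three percentages shown, membership match computed afterwards over pending, direct and dynamic memberships, and 0 for roles without members) over constructed roles. The exact percentage formula is not given on the page; the example assumes it is the share of the open role's entitlements (or members) that the candidate role also has, and all role, entitlement and user names are constructed.

```python
# Added example (not Oracle's code). Role records are constructed; the
# percentage formula is an assumption, the selection rules are from the page.


def ents(*nums):
    """Constructed entitlement names E1, E2, ... for readable sample data."""
    return {f"E{i}" for i in nums}


# The open role: 10 entitlements and 4 members across all membership types.
OPEN_ROLE = {"entitlements": ents(*range(1, 11)), "direct": {"alice", "bob"},
             "dynamic": {"carol"}, "pending": {"dan"}}

# Candidate roles from the access catalog (constructed).
ROLES = {
    "Finance Analyst (old)": {"entitlements": ents(*range(1, 11)),
                              "direct": {"alice", "bob", "carol", "dan"}},  # 100%
    "AP Clerk": {"entitlements": ents(*range(1, 10))},                        # 90%, no members
    "AR Clerk": {"entitlements": ents(1, 2, 3, 4, 6, 7, 8, 9, 10, 11),
                 "dynamic": {"alice", "eve"}},                                 # 90%
    "Reporting": {"entitlements": ents(*range(1, 9)), "pending": {"bob", "carol"}},  # 80%
    "Ledger": {"entitlements": ents(*range(1, 8))},    # 70%: above cutoff, not top three
    "Auditor": {"entitlements": ents(*range(1, 6))},   # 50%: above cutoff, not top three
    "HR": {"entitlements": ents(1, 12)},               # 10%: below cutoff
}


def all_members(role):
    """Every membership type counts: pending, direct grants and dynamic."""
    return (set(role.get("direct", ())) | set(role.get("pending", ()))
            | set(role.get("dynamic", ())))


def match_percent(open_items, other_items):
    """Assumed formula: share of the open role's items present in the other
    role, as an integer percentage (0 when the open role has no items)."""
    if not open_items:
        return 0
    return 100 * len(open_items & other_items) // len(open_items)


def consolidation_candidates(open_role, roles, cutoff=50, top=3):
    """Return (role name, entitlement %, membership %) for each role whose
    entitlement match is one of the top `top` percentages at or above
    `cutoff`. Membership match is computed only for those roles."""
    scored = [(name, match_percent(open_role["entitlements"], r["entitlements"]))
              for name, r in roles.items()]
    eligible = [(name, pct) for name, pct in scored if pct >= cutoff]
    top_pcts = sorted({pct for _, pct in eligible}, reverse=True)[:top]
    open_members = all_members(open_role)
    result = [(name, pct, match_percent(open_members, all_members(roles[name])))
              for name, pct in eligible if pct in top_pcts]
    return sorted(result, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for name, ent_pct, mem_pct in consolidation_candidates(OPEN_ROLE, ROLES):
        print(f"{name:24} entitlements {ent_pct:3d}%  members {mem_pct:3d}%")
```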

16.5.4 Deleting Roles

Delete the roles that are not required or are not in use.

To delete a role:

  1. In the Search Roles page, search for a role as described in Searching for Roles.
  2. Select the role that you want to delete.
  3. From the Actions menu, select Delete. Alternatively, click Delete on the toolbar.

    If the role has existing relationships, such as parent roles, access policies, members, or organizations, then a message is displayed stating that deleting the selected role will also delete its relationships.

  4. Click Yes to confirm.

    If workflows are configured, then an approval task is sent to the Role Owner for approval, and the role is not deleted from the system until all approvers have approved. During the approval, the approver can see the impact of deleting the role by clicking View Analytics.