6 Requesting Access
This section describes the following topics:
6.1 Requesting New Access
Based on permissions, you can request access for self or for other users by using the access catalog.
This section describes how to request access by using the access catalog in the following sections:
6.1.1 Requesting Access for Self
You can request access for self by using the access catalog.
To request access for self:
- Log in to Oracle Identity Self Service.
- In the Self Service tab, click the Request Access box, and select Request for Self. The Add Access page of the Request Access wizard is displayed. The Add Access page enables you to search for and select the items you want to request. This page consists of the following tabs:
  - Catalog: This tab enables you to search for and add access (entities) to the request cart, and then create the request for access.
  - Request Profiles: This tab enables you to search for and view request profiles, and add profiles to the cart. See Managing Request Profiles for information about request profiles.
- Click the Catalog tab, if it is not already active.
- Search for the entities that you want to request for self. To do so:
  - Select one of the following options:
    - All: Search all entity types, such as roles, application instances, and entitlements.
    - Application: Search only application instances.
    - Entitlement: Search only entitlements. While searching for entitlements, you can specify the associated application instances. When you select the Entitlement option, the Application list is displayed. For information about selecting one or more application instances, see Specifying Application Instances in Entitlements Search.
    - Role: Search only roles.
  - In the Search field, enter a search keyword, and click Search.
    For information about search keywords that you can specify, see Keyword Search in the Access Catalog.
    The items that match the search criteria are listed. An icon is displayed with each catalog item that denotes whether the item is a role, application instance, or entitlement, as listed in Table 6-1.
    Table 6-1 Icons Denoting Catalog Item Type
    Icon      Item Type
    [icon]    Role
    [icon]    Application Instance
    [icon]    Entitlement
- You can refine the catalog items to list all items or only application instances, entitlements, or roles. See Refining Search Results for more information.
- To view the details of a catalog item, click the information icon for the item. The Detailed Information page is displayed, showing the attributes of the item.
  For application instances and entitlements, you can edit the values of the attributes in the Detailed Information page. To do so, click the information icon for the application instance or entitlement, modify the values of the attributes in the Detailed Information page, and click Apply.
  For roles, the attributes displayed in the Detailed Information page are read-only and cannot be modified. These attributes can be edited only by the Catalog Administrator, and only from the role details page.
  After modifying or reviewing the attribute values, close the page.
- To add a catalog item to the request cart, click Add to Cart for that item.
  To add multiple catalog items to the request cart, select the items by clicking them while pressing the Ctrl key, and then click Add Selected to Cart.
  Note:
  If you switch workspace, then cart items are lost. For example, after adding items to the cart, if you click the Manage tab and then come back to Self Service again, then the items added to the cart are lost.
  The items are added to the cart. Scroll to the top of the page. The number of items added to the cart is displayed with the cart icon.
  To remove the selected items from the cart, see Adding and Removing Catalog Items to and from the Cart.
  When requesting access, each item in the cart can have its own temporal grant dates. If you want specific dates set for the cart items, then the dates must be set manually for each cart item. If no dates are entered, then the start date defaults to the current date and the end date is left empty, indicating indefinite access. See Adding and Removing Grant Duration for information about grant duration.
  Tip:
  To add items to the cart by using request profiles, click the Request Profiles tab. For information about request profiles and using request profiles to create a request, see Managing Request Profiles and Requesting Access By Using a Request Profile.
- Click Next. The Checkout page is displayed.
- In the Cart Details section, expand Request Information, if it is not already expanded.
- In the Justification field, enter a justification for the request. The approver reviews the justification, and then approves or rejects the request.
- Expand Cart Items, if it is not already expanded. This section lists the catalog items that you selected and added to the request cart. For each item, one of the following icons indicates the submission readiness of the item:
  - The [icon] icon denotes that the item is ready for submission.
  - The [icon] icon denotes that the item is not ready for submission.
  You can click the information icon for each item to display the details of the item in a pop-up window.
- (Optional) If you want to remove any item from the cart, then click the cross icon for that item.
- Click an item to display the request details of the item in the Request Details section. This section consists of the following tabs:
  - Grant Duration: This tab is represented by the [icon] icon and is displayed for all types of entities.
  - Details: This tab is represented by the [icon] icon and is displayed only for application instances and entitlements that require additional data.
- Click the Grant Duration icon. The Grant Duration section provides options that enable you to control the period during which the access is provisioned. To specify grant duration:
  - Select the Grant will be effective immediately upon request completion option if you want the role, account, or entitlement to be provisioned immediately on request approval. By default, this option is selected.
  - If the Grant will be effective immediately upon request completion option is not selected, then specify date values for the following fields:
    - Start Date: The date on which the role, account, or entitlement is provisioned.
    - End Date: The date on which the role, account, or entitlement is revoked.
    For detailed information about grant duration, see Adding and Removing Grant Duration.
- Click the Details icon. The form associated with the application instance or complex entitlement is displayed. You can modify the attributes in this form. These attributes are the form fields of the application instance or complex entitlement, and they are propagated to the target account after the provision or modify operation is completed.
  The Details icon is displayed only when you select a cart item that is an application instance or a complex entitlement.
- Click Update. The values you entered for the selected cart item are updated in the cart.
- Click Submit to submit the request.
  If the Identity Audit feature is enabled, then based on the Identity Audit rules configured, the Cart Items section can display a warning for policy violations. For information about the policy violations displayed in the Cart Items section and how to mitigate them, see Requesting Access With Policy Violations.
6.1.2 Requesting Access for Other Users
Based on permissions, you can request access for other users.
To request access for others:
- Log in to Oracle Identity Self Service.
- In the Self Service tab, click the Request Access box, and then select Request for Others. The Select Users page of the Request Access for Others wizard is displayed.
- Search for the users for whom you want to request access. You can perform a basic search or an advanced search for users.
  To perform a basic search for users:
  - If Advanced search is active, then click Basic. Otherwise, proceed to step 2.
  - From the Search list, select the attribute on which you want to search for users.
  - In the Search field, enter a keyword for your search.
  - Click the Search icon. The users that match the search keyword are listed in the Users pane.
  To perform an advanced search for users:
  - Click Advanced. A number of attributes on which you can search for users are displayed.
  - For one or more attributes, select the search operator from the lists, such as Starts With, Ends With, Equals, Does Not Equal, Contains, and Does Not Contain. For any date field, the search operators are Equals, Before, After, On or before, On or after, and Between.
  - Specify values for one or more attributes. The search results are based on the values that you specify for these attributes.
  - Optionally, you can add fields to your search criteria by clicking Add Fields and selecting fields from the list. A cross icon is displayed with each added field. Click the cross icon to remove the added field.
  - Click Search. The users that match the search criteria are listed in the Users pane.
  Note:
  If you switch from basic to advanced search, fill in search criteria, and then switch back to basic search, the basic search still has the criteria from the advanced search. It is then no longer a basic search. This issue applies to the search screens of all entities that have basic and advanced search.
- In the Users pane, you can view the details of each user by clicking the information icon for that user. The User Details dialog box displays the user attributes, and the roles, accounts, and entitlements assigned to the user. Click Close to close the User Details dialog box.
- For each user that you want to select, click Add User. The user is added to the Selected Users pane.
- Click Next. The Add Access page of the Request Access wizard is displayed.
- Complete the steps in the wizard, as described in Requesting Access for Self.
6.1.3 Requesting Access By Using a Request Profile
You can request access by using a request profile.
To do so:
Note:
For information about request profiles, see Managing Request Profiles.
- In the Self Service tab, click the Request Access box, and select Request for Self. The Add Access page of the Request Access wizard is displayed.
- Click the Request Profiles tab.
- Click the name of the request profile that you want to use to create the request. The Cart Details page is displayed.
- The Target Users section displays the usernames of the beneficiaries of the request. You can click the information icon against each user to view the details.
- To add beneficiaries to the request:
  - Click the Add icon. The Advanced Search for Target Users dialog box is displayed.
  - Search for and select one or more users that you want to add.
  - Click Add Selected to add the selected users to the Selected Users list. Alternatively, click Add All to add all the users to the Selected Users list.
  - Click Add. The selected users or beneficiaries are added to the Users section of the Request Cart Details page.
  You can also select a user that you want to remove from the list of beneficiaries, and click the Remove icon.
- If required, in the Justification and Effective Date section, specify in the respective fields a justification and the effective date on which the request becomes active.
- In the Cart Items section, select a cart item to display the details of the item.
- After reviewing and modifying the details for each request in the cart, click Submit. If the Submit button is not active, then click Ready to Submit for each cart item with Not Ready to Submit status.
  The request is submitted for approval, and the Request Summary page is displayed with summary information, target user or beneficiary information, and request and approval details.
6.1.4 Keyword Search in the Access Catalog
Using keyword search in the access catalog, you can search on the basis of entity name, entity display name, or user-defined tags that administrator has provided for that catalog item. Here, entity refers to role, application instance, and entitlement.
Catalog keyword search has the following characteristics:
- Appending wildcard characters, such as the asterisk (*) or percent sign (%), is not required.
- Catalog keyword search does not support * or % as a prefix.
- Search is performed as if with the Begins With operator.
  For example, if you are searching for a role with the role name Act Admin and the display name Accounts Administration, then you can specify the search keyword as Act, Acco, Accounts, or Admin. Searching with *unts will not work.
Any catalog UDF that is marked as searchable is displayed automatically on the catalog search form as an attribute by which you can search catalog items. See "Creating a Custom Attribute" in Administering Oracle Identity Governance for information about marking a UDF as searchable.
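The following Python model of the keyword-search rules above is an added example, not code from Oracle Identity Governance. It treats the keyword as a Begins With match against the entity name, the display name, and the administrator-assigned tags, and it refuses a leading wildcard. The page's own example (Act, Acco, Accounts, and Admin all find the role named Act Admin with display name Accounts Administration, while *unts finds nothing) only holds if Begins With is applied to each word, so per-word matching and case-insensitive comparison are assumptions made here; the catalog items are constructed sample data.

```python
"""Access catalog keyword search, as an added illustration (not product code).

Assumptions beyond the page: Begins With is applied per word, matching is
case-insensitive, and the sample catalog below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CatalogItem:
    entity_type: str          # "role", "application" (instance), or "entitlement"
    name: str
    display_name: str
    tags: tuple = ()          # user-defined tags set by the catalog administrator


# Constructed sample catalog.
SAMPLE_CATALOG = [
    CatalogItem("role", "Act Admin", "Accounts Administration", ("finance",)),
    CatalogItem("application", "AP_Ledger", "Accounts Payable Ledger"),
    CatalogItem("entitlement", "AP_APPROVE", "Expense Approver", ("approver", "finance")),
]


def _searchable_words(item):
    """Every word of the name, display name and tags, lower-cased."""
    for text in (item.name, item.display_name, *item.tags):
        for word in text.split():
            yield word.lower()


def keyword_matches(item, keyword):
    """True when the keyword is a prefix of some searchable word.

    A leading * or % is not a wildcard: it stays a literal character, so it
    never matches anything and the search returns no items, as the page says.
    """
    keyword = keyword.strip().lower()
    if not keyword:
        return False
    return any(word.startswith(keyword) for word in _searchable_words(item))


def search_catalog(keyword, entity_type="all", catalog=SAMPLE_CATALOG):
    """Apply the All/Application/Entitlement/Role option, then the keyword."""
    candidates = [i for i in catalog if entity_type == "all" or i.entity_type == entity_type]
    return [i.name for i in candidates if keyword_matches(i, keyword)]
```

Running `search_catalog("Acco")` against the sample catalog returns both items whose display name contains a word beginning with "acco", while `search_catalog("*unts")` returns an empty list because the asterisk is never stripped.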
6.1.5 Specifying Application Instances in Entitlements Search
When you search for entitlements in the access catalog, you can specify one or more associated application instances based on which you want to search the entitlements.
To do so:
- Navigate to the Catalog tab in the Add Access page of the Request Access wizard, as described in Requesting New Access.
- To specify an entity type to be searched, select the Entitlement option. The Application list is displayed.
- Select an application instance on which you want to search for entitlements. The number of selected application instances is shown in the Selected Apps link. This number is updated if you select more application instances from the list.
- (Optional) Instead of selecting the application instances one by one, you can search for and select multiple application instances. To do so:
  - From the Application list, select Search and select multiple. The Choose Applications dialog box is displayed.
  - In the Search box, enter a keyword to search for the application instances you want to select.
  - Click the search icon. The application instances that match the search keyword are displayed.
  - Click Select for each application instance that you want to select.
    Note:
    You can select a maximum of 20 application instances at a time.
  - If you want to remove application instances from your selection, then click Deselect for each application instance that you want to remove.
  - To select or deselect all application instances at a time, click the Select All and Deselect All buttons respectively.
  - Click OK. The application instances are selected.
- (Optional) To remove the selected application instances, click the Selected Apps link, and then click the cross icons adjacent to the application instances that you want to remove. To remove all selected application instances, click Clear All.
You can continue with the search by specifying a search keyword, as described in Requesting New Access.
6.1.6 Refining Search Results
You can refine your search results to make them more precise.
After searching for catalog items, as described in Requesting New Access, you can refine your search results to make them more precise. To do so, in the Categories section of the Catalog tab, select one or more categories to display the catalog items of those categories. You can select or deselect the Select All checkbox to display or hide all items belonging to the categories.
Categories are a way of organizing entities in the access catalog. Each catalog item is associated with one and only one category. Default categories of a catalog item can be roles, entitlements, or application instances. You can also define new custom categories by changing or updating the category of a catalog item in its detailed information page. For example, you can refine your search result to display catalog items belonging to the entitlements category only by selecting Entitlements in the Categories section.
6.2 Viewing Hierarchical Attributes of Entitlements
If viewing additional attributes for entitlements is configured, then the request details screen displays the additional attributes.
See "Configuring Hierarchical Attributes of Entitlements" in the Administering Oracle Identity Governance for information about configuring the display of additional attributes for entitlements.
To view the additional attributes for entitlements:
6.3 Adding and Removing Catalog Items to and from the Cart
A request cart, also known as a cart, contains a set of catalog items that the user selects from the request catalog. Users can add catalog items to the request cart to submit a request for entities such as roles, entitlements, and application instances. The request cart does not persist across user sessions.
To add catalog items to the cart:
6.4 Adding and Removing Grant Duration
The access catalog provides the Start Date and End Date fields for specifying the grant duration of roles, accounts, and entitlements to self or other users.
This section describes the following operations related to grant duration:
6.4.1 Specifying Grant Duration
Specifying grant duration for roles, accounts, or entitlements enables you to control the period during which the access is provisioned.
When you add access to users, the grant duration fields have the following functionality:
- If both grant duration fields, Start Date and End Date, are specified, then the role/account/entitlement is provisioned on the specified start date and revoked on the specified end date.
- If only Start Date is specified, then the role/account/entitlement is provisioned on the specified start date, and no end date applies to the access.
- If only End Date is specified, then the role/account/entitlement is provisioned immediately and revoked automatically on the end date.
- If neither grant duration field is specified, then the role/account/entitlement is provisioned immediately and remains with the user indefinitely.
- If the operation requires approval, then the role/account/entitlement is provisioned only after approval is done and the start date is reached (if specified).
- If the operation does not require approval, then the role/account/entitlement is provisioned only after the start date is reached (if specified).
- If the grant date is set to a future date, then the access is displayed in the following manner:
  - For roles: The Assigned on date is not displayed if a future start date is set.
  - For entitlements: The access is displayed with the Future Grant status in the user's entitlements tab.
  - For accounts: The account is in disabled state until the start date is reached.
For information about specifying grant duration when requesting roles/accounts/entitlements for self, see steps 13 and 14 of Requesting Access for Self. The same steps apply when specifying grant duration while requesting access for other users.
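The Python below is an added example, not product code, that turns the Start Date and End Date rules listed above into a single resolver: given the request date, today's date, the optional dates, and the approval state, it reports the effective window of the grant, its state on that day (pending approval, future grant, provisioned, or revoked), and how a future-dated grant is presented for each entity type. Dates are ISO-8601 strings; the scenarios are constructed, and the rejection of an End Date that precedes the Start Date is an added sanity check that the page does not mention.

```python
"""Grant-duration resolution, as an added illustration (not product code).

Assumptions beyond the page: revocation takes effect on the End Date itself,
and an End Date earlier than the Start Date is rejected as invalid input.
"""
from datetime import date

# Presentation of a future-dated grant, per entity type, as listed above.
FUTURE_GRANT_DISPLAY = {
    "role": "Assigned on date not displayed",
    "entitlement": "shown with Future Grant status",
    "account": "account disabled until the start date",
}


def effective_window(requested_on, start=None, end=None):
    """A missing Start Date means provisioning on the request date itself;
    a missing End Date means the access is indefinite (returned as None)."""
    start_date = date.fromisoformat(start) if start else date.fromisoformat(requested_on)
    end_date = date.fromisoformat(end) if end else None
    if end_date is not None and end_date < start_date:
        raise ValueError("End Date must not precede Start Date")   # added check
    return start_date, end_date


def grant_state(today, requested_on, start=None, end=None,
                requires_approval=False, approved=False):
    """Classify the grant as of 'today' using the rules above."""
    if requires_approval and not approved:
        return "pending approval"        # nothing is provisioned before approval
    start_date, end_date = effective_window(requested_on, start, end)
    today_date = date.fromisoformat(today)
    if end_date is not None and today_date >= end_date:
        return "revoked"                 # revoked automatically on the end date
    if today_date < start_date:
        return "future grant"            # provisioned only once the start date is reached
    return "provisioned"


def resolve_grant(entity_type, today, requested_on, **grant):
    """Bundle window, state and UI presentation for one cart item."""
    state = grant_state(today, requested_on, **grant)
    start_date, end_date = effective_window(requested_on, grant.get("start"), grant.get("end"))
    return {
        "start": start_date.isoformat(),
        "end": end_date.isoformat() if end_date else None,   # None = indefinite
        "state": state,
        "display": FUTURE_GRANT_DISPLAY[entity_type] if state == "future grant" else None,
    }
```

For example, `resolve_grant("entitlement", "2024-01-15", "2024-01-10", start="2024-02-01")` reports the state `future grant` with the Future Grant display note, and the same call with today set to `2024-02-01` reports `provisioned`.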
6.4.2 Modifying Grant Duration
Start date can be modified only when roles/accounts/entitlements have not yet been provisioned. End date can be modified at any time.
Grant duration can be modified from the following sections in Identity Self Service:
- The My Access page: For information about modifying the grant duration fields from the My Access page, see Modifying Role Grant Duration, Modifying Entitlement Grant Duration, and Modifying Account Grant Duration.
- The User Details page: For information about modifying the grant duration fields from the User Details page, see Modifying Role Grant Duration, Modifying Entitlement Grant Duration, and Modifying Account Grant Duration.
- The Pending Approvals page: During the approval process of a request, the approver can modify the start and end dates. For details, see Modifying Grant Duration.
6.4.3 Revoking Access
Revoking access to an existing role/account/entitlement can be done immediately or in the future.
To revoke access immediately, select the role/account/entitlement from the corresponding table, and click Remove.
To revoke access on a future date, select the role/account/entitlement, and from the Action menu, select Modify Grant Duration. In the Modify Grant Duration popup, set the End Date field to the date on which the access should be revoked.
6.5 Managing Request Profiles
Request profiles are request carts that are saved for future reuse by users. You can create a request profile, modify a request profile, and delete request profiles.
This section discusses the following topics:
Note:
Creating, modifying, or deleting a request profile can be performed only by catalog administrators or system administrators.
6.5.1 About Request Profile
When you select catalog items for requesting, the items are added to a request cart. The request cart is similar to the shopping cart in web sites that sell products to customers. You can view the selected items in the cart, or edit the request cart to add or remove items.
Request profiles are request carts that are saved for future reuse by the users. The request cart is saved by the catalog administrator or system administrator so that the user can use it to request for entities without searching through thousands of catalog items.
6.5.2 Creating a Request Profile
You can create a request profile after adding catalog items to the cart.
To create a request profile:
- Log in to Oracle Identity Self Service.
- Click the Self Service tab if it is not already active.
- Click the Request Access box, and select Request for Self.
- Select one or more catalog items, and click Add to Cart. The catalog items are added to the request cart.
- Click Next. The Checkout page is displayed with the cart details. The selected catalog items are displayed in the Cart Items section.
- Click the down arrow beside Save As, and then select Profile. The Save As Profile dialog box is displayed with a list of the items in the cart.
- In the Profile Name field, enter a name for the request profile. This is a mandatory field.
- In the Description field, enter a description of the request profile.
- Click Save. The request profile is created.
Note:
If you create a request profile with cart items that have additional information and save the request profile, then the additional information is not saved.
6.5.3 Modifying a Request Profile
You can modify an existing request profile to update the cart items.
To modify a request profile:
- Open the access catalog, and go to the Add Access page.
- Click the Request Profiles tab.
- Locate the request profile that you want to modify, and click Add to Cart. Click Next to move to the Checkout page.
- Click Save As Profile. The Save as Profile dialog box is displayed.
- In the Save Profile Name field, enter the name for the request profile that is being modified. If you enter a new name, then a new request profile is created. If you enter the name of an existing request profile, then that request profile is updated with the latest changes.
- In the Description field, enter a description of the request profile.
- Click Save. Depending on whether you have entered the name of an existing request profile or new name, the request profile is created or updated, respectively.
Note:
Values that you add or specify for Start Date, End Date, or Effective Date are not saved in a request profile.
6.6 Tracking a Request
You can search for requests that you want to track and view the details of a request. If you are the requester, then you can modify, submit, or delete a draft request.
This section describes how to search and track requests:
6.6.1 Searching Track Request
Use the Track Requests page to perform simple and advanced search for requests.
To track a request:
- In Identity Self Service, click the Self Service tab if it is not already active.
- Click the icon in the Track Requests box. The Track Requests page is displayed.
- Search for the requests you want to track. You can perform a basic or an advanced search for requests.
  To perform a basic search for requests:
  - From the Search list, select the attribute name for which you want to specify the search parameter.
  - In the Search box, enter a value for the selected attribute.
  - Click the Search icon.
  To perform an advanced search for requests:
  - Click Advanced.
  - Select one of the following:
    - All: The search is performed with the AND condition, so the search operation returns requests that match all the specified search criteria.
    - Any: The search is performed with the OR condition, so the search operation returns requests that match any one of the specified search criteria.
  - In the searchable request attribute fields, such as Request ID, specify a value. You can include wildcard characters (*) in the attribute value.
    For some attributes, select the attribute value from the lookup or drop-down list. For example, to search for all requests with the Request Awaiting Approval status, from the Status list, select the Equals search operator, and then select Request Awaiting Approval from the adjacent list.
  - For each attribute value that you specify, select a search operator from the list. For example, the following search operators are available for Request ID:
    - Starts with
    - Ends with
    - Equals
    - Does not equal
    - Contains
    - Does not contain
    For other fields, for example Status, Request Type, Beneficiary, and Requester, only the Equals and Does not equal operators are available.
    For fields of date type, the search operators are:
    - Equals
    - Does not equal
    - Before
    - After
    - On or before
    - On or after
  - To add a searchable request attribute to the Track Requests page, click Add Fields, and select the attribute from the list of attributes.
    For example, if you want to track all requests by a requester, then you can add the Requester attribute as a searchable field and specify a search condition.
  - Optionally, click Reset to clear the search conditions that you specified. Typically, you perform this step to remove the specified search conditions and specify a new search condition.
  - Click Search. The search results are displayed in a tabular format.
- If the request search you performed displays a large number of records, then you can filter the request search result. To do so:
  - From the Show list, select any of the following:
    - Requests Raised By Me: This is selected by default. Returns requests created by the logged-in user.
    - Requests Raised For Me: Returns requests in which the logged-in user is a beneficiary or target user.
    - For Reportee: This option is available if the logged-in user is the manager of a user.
    - For User: This option is available if the logged-in user has been granted the User Administrator or the HelpDesk Admin role.
    - All: Returns all requests in the search result. This option is available if the logged-in user has been granted the System Administrator role.
  - To sort the requests in the search result by any of the columns, such as Request ID or Status, click the Sort Ascending or Sort Descending arrows in the column. The requests in the search result are sorted by the selected column.
- In the request search result, click a request to view the details of the request. The details of the request are shown in a page with the following information:
  - Summary information: This section shows general request details, such as request ID, request status, and effective date.
  - Target Users: This section lists the beneficiaries or target users for the request.
  - Related Requests: This section lists requests that are related to the open request, if any.
  - Request Details: This tab lists the requested catalog items. You can select an item to display summary information for the item.
  - Approval Details: This tab displays the status of request approval by each approver to whom the request has been assigned.
  Note:
  HelpDesk users and beneficiaries can view request approval details. However, they cannot add comments or attachments on the request summary page.
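The following Python is an added example, not product code, that reproduces the two mechanisms the Track Requests steps above combine: the search operators (Starts with, Ends with, Equals, Does not equal, Contains, Does not contain, the date operators, and * wildcards in values) joined under All (AND) or Any (OR), and the Show list, which restricts the result to what the logged-in user is allowed to see. The request records, user names, and manager relationship are constructed sample data; that For Reportee and For User match on the beneficiary field, and that the Equals operator is where * wildcards apply, are assumptions about the product made here.

```python
"""Track Requests search and visibility scope, as an added illustration
(not product code).  Sample requests below are constructed."""
import fnmatch
from datetime import date

# Constructed sample requests (id, status, requester, beneficiary, created).
REQUESTS = [
    {"id": "1001", "status": "Request Awaiting Approval", "requester": "alice", "beneficiary": "bob",   "created": "2024-01-05"},
    {"id": "1002", "status": "Request Completed",         "requester": "bob",   "beneficiary": "bob",   "created": "2024-01-09"},
    {"id": "1003", "status": "Request Awaiting Approval", "requester": "carol", "beneficiary": "dave",  "created": "2024-02-01"},
    {"id": "2001", "status": "Request Withdrawn",         "requester": "alice", "beneficiary": "alice", "created": "2024-02-15"},
]

# Text operators listed for Request ID; Equals honours * wildcards (assumption).
TEXT_OPS = {
    "Starts with":      lambda v, p: v.startswith(p),
    "Ends with":        lambda v, p: v.endswith(p),
    "Equals":           lambda v, p: fnmatch.fnmatchcase(v, p),
    "Does not equal":   lambda v, p: not fnmatch.fnmatchcase(v, p),
    "Contains":         lambda v, p: p in v,
    "Does not contain": lambda v, p: p not in v,
}
# Operators listed for date-type fields.
DATE_OPS = {
    "Equals":         lambda v, p: v == p,
    "Does not equal": lambda v, p: v != p,
    "Before":         lambda v, p: v < p,
    "After":          lambda v, p: v > p,
    "On or before":   lambda v, p: v <= p,
    "On or after":    lambda v, p: v >= p,
}
DATE_FIELDS = {"created"}


def _matches(req, field, op, value):
    if field in DATE_FIELDS:
        return DATE_OPS[op](date.fromisoformat(req[field]), date.fromisoformat(value))
    return TEXT_OPS[op](req[field], value)


def search_requests(criteria, match_all=True, requests=REQUESTS):
    """criteria: list of (field, operator, value).
    match_all=True is the All (AND) option; False is Any (OR)."""
    combine = all if match_all else any
    return [r["id"] for r in requests
            if combine(_matches(r, f, o, v) for f, o, v in criteria)]


def allowed_show_options(roles=(), reportees=()):
    """Show-list options the logged-in user may use, per the rules above."""
    options = ["Requests Raised By Me", "Requests Raised For Me"]
    if reportees:                                   # the user manages someone
        options.append("For Reportee")
    if {"User Administrator", "HelpDesk Admin"} & set(roles):
        options.append("For User")
    if "System Administrator" in roles:
        options.append("All")
    return options


def show_scope(show, user, roles=(), reportees=(), target_user=None, requests=REQUESTS):
    """Apply the chosen Show option; refuse options the user is not entitled to."""
    if show not in allowed_show_options(roles, reportees):
        raise PermissionError(f"{show!r} is not available to {user}")
    predicates = {
        "Requests Raised By Me":  lambda r: r["requester"] == user,
        "Requests Raised For Me": lambda r: r["beneficiary"] == user,
        "For Reportee":           lambda r: r["beneficiary"] in reportees,
        "For User":               lambda r: r["beneficiary"] == target_user,
        "All":                    lambda r: True,
    }
    return [r["id"] for r in requests if predicates[show](r)]
```

The scope check is deliberately enforced server-side in `show_scope` rather than by merely hiding menu entries: a caller who names an option they are not entitled to gets a `PermissionError`, not the data.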
6.6.2 Tracking a Draft Request
A requester can save a request for modifying, submitting, or deleting it later. This is useful if the requester is awaiting additional information before submitting the request.
Only the requester can modify, submit, or delete the draft request. Users such as system administrators and beneficiaries cannot view draft requests saved by others.
To track a draft request:
Note:
The request data saved in draft mode does not include sensitive information such as passwords, even if they were entered before saving the request as draft.
6.8 Withdrawing a Request
A request can be withdrawn by the requester, and only the requests that have not started the execution phase can be withdrawn. Also, beneficiaries cannot withdraw requests.
Requests having the following stages can be withdrawn:
- Obtaining Approval
- Approved
Note:
- Approved requests cannot be closed unless the request has the Request Awaiting Completion status.
- Draft requests, which are in Request Draft Created status, cannot be withdrawn.
- If a request is closed while the request is in the Obtaining Approval stage, then all the approvals that are still pending in the approver task list are removed.
To withdraw a request:
- In the Self Service tab, click the icon in the Track Requests box. The Track Requests page is displayed.
- Search for the requests that you want to withdraw. The search results display a list of requests that match your search criteria with a Withdraw Request button for each request.
- For a request that you want to withdraw, click Withdraw Request. Alternatively, you can open the details of a request by clicking the request ID, and subsequently clicking Withdraw Request on the request details page.
- Click Yes in the confirmation message box. The request is withdrawn and a notification is sent to the beneficiary and requester of the request. If the withdrawal is successful, then request moves to the Request Withdrawn stage. Any pending approval tasks associated with the request are canceled.
6.9 Closing a Request
Administrators can prematurely close any request that has not started the execution phase. This includes all requests that are waiting for approval or that have completed approval but for which no operation has started.
Requests with the following state can be closed:
- Obtaining Approval
- Approved
Note:
- Approved requests cannot be closed unless the request has the Request Awaiting Completion status.
- Draft requests, which are in Request Draft Created status, cannot be closed.
- If a request is closed while the request is in the Obtaining Approval stage, then all the approvals that are still pending in the approver task list are removed.
To close a request:
6.10 Requesting Access With Policy Violations
You can submit a request with known access violations.
The following sections describe requesting access with policy violations:
6.10.1 About Requesting Access With Policy Violations
When a request for access is submitted and the Identity Audit feature is enabled, the information in the request data is scanned to detect any possible access violations.
A violation occurs if the combination of the access currently assigned to a user along with the access being requested, matches an audit policy.
For example, consider an Identity Audit policy consisting of the following rule:
role[*].Role Name EQUAL AP Expense Approver AND role[*].Role Name EQUAL AP Merchandise Vendor Approver
The rule specifies that a user cannot have both the AP Expense Approver and the AP Merchandise Vendor Approver roles at the same time. If this situation occurs, then it is a policy violation.
If a violation is detected, the initial request is returned to the requester, and the page is refreshed to indicate the violations.
Each cart item that is causing the violation is indicated with the icon, and an overall warning message is displayed. Clicking the message displays an overall view of all the violations detected.
It is still possible to submit the request with the known violations by clicking the Submit with Violations button.
Figure 6-1 shows the Checkout page that is indicating policy violations.
6.10.2 Mitigating the Policy Violations and Submitting the Request
You can take corrective steps to mitigate the requests with policy violations and submit the request.
Perform the following steps to mitigate the policy violations and submit the request:
6.10.3 Predictive Policy Validation for In-Flight Requests
Identity audit policy validation takes place for in-flight requests.
By default, identity audit policies validate entitlements that are being requested for accounts in the provisioned, enabled, or disabled states. This validation does not apply while requests for applications and entitlements are pending approval. For example, suppose the target user already has an associated application instance with some or no entitlements on the account, and an identity audit policy rule states that Entitlement A and Entitlement B cannot be provisioned together. When the request for Entitlement A is submitted, the request is pending approval. At the same time, Oracle Identity Governance allows you to submit another request for Entitlement B.
After you apply Oracle Identity Governance Bundle Patch 12.2.1.4.210428, the identity audit policy validation takes place for in-flight requests, in other words, for application and entitlement requests that are pending for approval. Therefore, for the above example, submitting the request for Entitlement B results in policy violation.
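The Python below is an added example, not product code, covering both the checkout-time audit check described in 6.10.1 and the in-flight gap described in 6.10.3. It encodes the page's example rule (a user may not hold both the AP Expense Approver and AP Merchandise Vendor Approver roles) as a conjunction of held-access conditions and evaluates it against a user's current access plus the items in the cart. With `in_flight=False` (the pre-patch behaviour) access that is still awaiting approval is not counted, so separate requests for Entitlement A and Entitlement B both pass; with `in_flight=True` the second request is flagged. The rule encoding, the user's access, and the cart contents are constructed sample data.

```python
"""Identity Audit policy check at checkout, as an added illustration (not
product code).  Rules, users and cart contents are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRule:
    name: str
    conditions: tuple   # (kind, name) pairs; the rule matches when ALL are held (AND)


# role[*].Role Name EQUAL AP Expense Approver AND role[*].Role Name EQUAL AP Merchandise Vendor Approver
AP_RULE = AuditRule(
    "AP approver separation",
    (("role", "AP Expense Approver"), ("role", "AP Merchandise Vendor Approver")),
)
# The entitlement rule of the in-flight example: A and B must not coexist.
ENT_RULE = AuditRule(
    "Entitlement A/B separation",
    (("entitlement", "Entitlement A"), ("entitlement", "Entitlement B")),
)


def _access_in_scope(current, requested, pending, in_flight):
    """Access the check considers: held + in the cart (+ awaiting approval
    when in-flight validation is on)."""
    scope = set(current) | set(requested)
    if in_flight:
        scope |= set(pending)
    return scope


def violated_rules(rules, current, requested, pending=(), in_flight=False):
    """Names of rules whose conditions are all satisfied by the access in scope."""
    scope = _access_in_scope(current, requested, pending, in_flight)
    return [r.name for r in rules if all(c in scope for c in r.conditions)]


def flagged_cart_items(rules, current, requested, pending=(), in_flight=False):
    """Cart items to mark with the violation icon: requested items that take
    part in a matched rule."""
    scope = _access_in_scope(current, requested, pending, in_flight)
    matched = [r for r in rules if all(c in scope for c in r.conditions)]
    return [item for item in requested if any(item in r.conditions for r in matched)]


def checkout(rules, current, requested, pending=(), in_flight=False,
             submit_with_violations=False):
    """Outcome of clicking Submit: the request is returned to the requester
    with its violations unless Submit with Violations is used."""
    hits = violated_rules(rules, current, requested, pending, in_flight)
    flagged = flagged_cart_items(rules, current, requested, pending, in_flight)
    if hits and not submit_with_violations:
        return {"outcome": "returned to requester", "violations": hits, "flagged": flagged}
    return {"outcome": "submitted", "violations": hits, "flagged": flagged}
```

Note that `checkout` still records the violations when the request is submitted with them, so the approver sees what was overridden; silently dropping that information would defeat the purpose of the audit policy.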