15 Managing Users
The user management feature in Oracle Identity Manager includes creating, updating, deleting, enabling and disabling, resetting passwords, locking, and unlocking of user accounts.
You can perform the following user management tasks by using Oracle Identity Self Service:
15.1 Searching Users
Use the Users page to perform simple and advanced search for users.
To search for users, you can perform one of the following:
15.1.2 Performing Advanced Search for Users
To perform an advanced search:
- Log in to Identity Self Service.
- Click Manage, click Users. The Users page is displayed.
- Click the Advance link. The Advance Users search page is displayed.
- Select any one of the following options.
  - All: On selecting this option, the search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.
  - Any: On selecting this option, the search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.
- In the searchable user attribute fields, such as User Login, specify a value. You can include wildcard characters (*) in the attribute value.
  For some attributes, select the attribute value from the list. For example, to search all users with locked accounts, select Locked from the Account Status list.
- For each attribute value that you specify, select a search operator from the list.
  The following search operators are available for String type of attributes:
  - Starts with
  - Ends with
  - Equals
  - Does not equal
  - Contains
  - Does not contain
  The following search operators are available for Date type of attributes:
  - Equals
  - Before
  - After
  - On or before
  - On or after
  - Between
  The search operator can be combined with wildcard characters to specify a search condition. The asterisk (*) character is used as a wildcard character. For example, you can specify the value of the User Login attribute to be Jo* as the search criteria, and select Equals as the search operator. Users whose login names begin with Jo are displayed.
- To add a searchable user attribute to the Search Users page, click Add Fields, and select the attribute from the list of attributes.
  For example, if you want to search all users with the Country attribute as US, then you can add the Country attribute as a searchable field and specify a search condition.
  Note:
  You can configure the attributes that are searchable. The attributes available for search must be a subset of the attributes defined for the user entity that are marked with the Searchable = Yes property.
- Optionally click Reset to reset the search conditions and values that you specified. Typically, you perform this step to remove the specified search conditions and specify a new search condition.
- Click Search. The search results are displayed in a tabular format.
- If you want to hide columns in the search results table, then perform the following steps:
  - Click View on the toolbar, select Columns, Manage Columns. The Manage Columns dialog box is displayed.
  - From the Visible Columns list, select the columns that you want to hide.
  - Click the left arrow icon to add the columns to the Hidden Columns list.
  - Click OK. The selected columns are not displayed in the search results. A status message displays along the bottom of the search table to identify how many columns are currently hidden.
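The matching rules in the procedure above (All/Any, the String and Date operators, and the * wildcard with Equals), modelled as an added example that is not Oracle Identity Manager code. The sample users and the Start Date attribute are constructed; case-sensitive comparison, an inclusive Between, and wildcard handling limited to Equals and Does not equal are assumptions of this model.

```python
import re
from datetime import date

# Model of the documented operators; not Oracle Identity Manager code.
# Assumptions: comparisons are case-sensitive and Between includes both ends.
STRING_OPS = {
    "Starts with": lambda v, p: v.startswith(p),
    "Ends with": lambda v, p: v.endswith(p),
    "Equals": lambda v, p: v == p,
    "Does not equal": lambda v, p: v != p,
    "Contains": lambda v, p: p in v,
    "Does not contain": lambda v, p: p not in v,
}
DATE_OPS = {
    "Equals": lambda v, p: v == p,
    "Before": lambda v, p: v < p,
    "After": lambda v, p: v > p,
    "On or before": lambda v, p: v <= p,
    "On or after": lambda v, p: v >= p,
    "Between": lambda v, p: p[0] <= v <= p[1],
}

def wildcard_match(value, pattern):
    """Match value against a pattern in which * stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def matches(value, op, operand):
    if isinstance(value, date):
        return DATE_OPS[op](value, operand)
    # Wildcards are modelled only for Equals / Does not equal (assumption).
    if "*" in operand and op in ("Equals", "Does not equal"):
        return wildcard_match(value, operand) == (op == "Equals")
    return STRING_OPS[op](value, operand)

def search(users, criteria, mode="All"):
    """Return the logins matching every criterion (All) or at least one (Any)."""
    combine = {"All": all, "Any": any}[mode]
    return [u["User Login"] for u in users
            if combine(matches(u[field], op, val) for field, op, val in criteria)]

# Constructed sample users; "Start Date" is an assumed Date attribute.
USERS = [
    {"User Login": "Johnson", "Account Status": "Locked", "Country": "US", "Start Date": date(2023, 1, 10)},
    {"User Login": "Joseph", "Account Status": "Unlocked", "Country": "US", "Start Date": date(2024, 6, 1)},
    {"User Login": "Maria", "Account Status": "Locked", "Country": "DE", "Start Date": date(2022, 3, 5)},
]
```

With the criteria `User Login Equals Jo*` and `Account Status Equals Locked`, All returns only Johnson while Any returns all three users, which is why an access review built on Any can return far more accounts than intended.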
15.1.3 Operations on Search Results
This section describes the operations that you can perform based on selection of row(s) in the search results table. It is divided into single selection operations and bulk or multiple selection operations.
You can perform the following single selection operations by selecting a user from the search results table:
- View detail
- Modify
- Enable, only if the user status is disabled
- Disable, only if the user status is enabled
- Lock, only if the selected user's account is unlocked
- Unlock, only if the selected user's account is locked
- Reset password
- Delete
You can perform the following bulk or multiple selection operations by selecting multiple users from the search results table:
- Modify
- Enable, only if the user status is disabled
- Disable, only if the user status is enabled
- Lock, only if the selected user's account is unlocked
- Unlock, only if the selected user's account is locked
- Delete
15.2 Creating a User
You can create a new user in Oracle Identity Manager by using the Create User page. You can open this page only if you are authorized to create users as determined by the authorization policy on the Create User privilege on any organization in Oracle Identity Manager.
To create a user:
15.3 Viewing User Details
The view user operation allows you to view detailed user profile information in the User Details page. You can open this page if you are authorized to view the user's profile as determined by the authorization policy through the View User Details privilege.
To display user details:
15.4 Modifying Users
You can perform administrative user modification tasks from the user details. The modification is broken up across the different tabs in the page that displays user details, which means that modifications done in each tab are independent of each other and must be saved individually.
Note:
The modify user operation can be a direct operation or generate a request, which is subject to approval, based on the authorization privileges you have.
15.4.1 Editing User Attributes
You can modify the user attributes from the Attribute tab.
To edit the attributes of a user:
15.4.2 Requesting, Removing, and Modifying Roles
You can request new roles, modify the roles associated with the user, remove roles, or modify the role grant duration from the Roles tab.
You can perform the following operations from the Roles tab of the User Details page:
15.4.2.1 Requesting Roles for a User
In the Roles tab of the User Details page, you can add and remove roles. To assign roles to a user:
15.4.2.2 Modifying a Role
To modify a role assigned to a user:
- In the User Details page, click the Roles tab.
- Select the role that you want to modify.
- From the Actions menu, select Open. The role details are displayed and are available for editing.
- Edit the fields that you want to modify. You can click each tab and modify the role hierarchy, role membership, access policies, and organizations. For more information, see Viewing and Administering Roles.
- Click Apply.
15.4.2.3 Removing Roles from a User
To remove roles from a user:
- In the User Details page, click the Roles tab. The Roles tab is displayed with the list of roles assigned to the user.
- Select the role that you want to remove.
- From the Actions menu, select Remove. Alternatively, you can click Remove on the toolbar. The Remove Roles page is displayed.
- Fill in the Justification, and click Submit.
15.4.3 Requesting and Removing Entitlements
You can request new entitlements, remove entitlements, or modify the entitlements grant duration from the Entitlements tab.
You can perform the following entitlement modification operations from the Entitlements tab of the User Details page:
15.4.3.2 Removing Entitlements from a User
To remove entitlements from a user:
- In the User Details page, click the Entitlements tab. The Entitlements tab is displayed with the list of entitlements assigned to the user.
- Select the entitlement that you want to remove.
- From the Actions menu, select Remove. Alternatively, you can click Remove on the toolbar. The Remove Entitlement page is displayed.
- Fill in the justification, and click Submit.
15.4.4 Requesting, Removing, and Modifying Accounts
You can request a new account, remove an account, modify an account, mark an account as the primary account, enable or disable an account, or modify the entitlements grant duration from the Accounts tab.
You can perform the following account modification operations from the Accounts tab of the User Details page:
15.4.4.1 Understanding Requesting for an Account
This section describes requesting an account in the following topic:
15.4.4.1.1 Types of Account
You can request accounts by requesting an application instance. You can request the following types of accounts (application instances):
- Primary account: A primary account is the first account created for a user in a target application. In other words, a primary account is the first application instance that is being requested. Oracle Identity Manager supports multiple accounts for a single application instance. The first account that is created is tagged as the primary account, and there can be only one primary account for a user. The other accounts (non-primary accounts) are associated with the primary account. When the user requests entitlements, the entitlements are appended to the primary account.
- Non-primary account: If a user already has a primary account and requests another account in the same target application, then that account is a non-primary account. A user can have multiple non-primary accounts, but only one primary account.
See Also:
Marking an Account as Primary for more information on marking an account as primary
15.4.4.2 Modifying an Account
To modify an account for the user:
- In the Accounts tab, select the account that you want to modify.
- From the Actions menu, select Modify. The account details are displayed and are available for editing.
- Edit the fields that you want to modify.
- Click Ready to Submit and then click Submit.
15.4.4.3 Removing an Account
To remove an account from the user:
- In the Accounts tab, select the account that you want to remove.
- From the Actions menu, select Remove. Alternatively, click Remove on the toolbar. The Remove Accounts page is displayed.
- Click Submit.
15.4.4.4 About Multiple Accounts in Single Application Instance
Oracle Identity Manager supports multiple accounts in a single application instance. The first account that is created is tagged as the primary account, and there can be only one primary account for a user. The other accounts (non-primary accounts) are associated with the primary account.
All types of entitlements are available for request in the request catalog. If the request for an entitlement is approved, it is associated with the primary account and not the non-primary account.
When the user gets provisioned to an application instance, Oracle Identity Manager checks if it is the first account provisioned for the user in that application instance. If so, the account is marked as primary. When existing user accounts are reconciled from application instances, the first account that gets reconciled is marked as primary.
A user can have only one primary account. However, Oracle Identity Manager supports multiple accounts for a single application instance. If the account marked as primary is not supposed to be the actual primary account, you can manually change the primary tag for the account and mark another account as primary. By doing so, you can ensure that when the user requests entitlements, the entitlements are appended to the primary account.
15.4.4.6 Disabling an Account
You can disable an account that is in enabled state. To disable an account:
- In the Accounts tab, select the account that you want to disable.
- From the Actions menu, select Disable.
- Click Submit. The account is disabled.
15.4.4.7 Enabling an Account
You can enable an account that is in disabled state. To enable an account:
- In the Accounts tab, select the disabled account that you want to enable.
- From the Actions menu, select Enable.
- Click Submit. The account is enabled.
15.4.5 Modifying Details of Direct Reports
You can modify the details of direct reports from the Direct Reports tab.
To modify the details of direct reports:
- In the User Details page, click the Direct Reports tab. This tab lists the direct reports of the open user.
- Select the user or direct report you want to modify.
- From the Actions menu, click Open. Alternatively, click Open on the toolbar. The User details page of the selected direct report is displayed. Use the toolbar and tabs to modify the details of the direct report.
15.5 Disabling a User
You can disable a user that is in enabled state from a specific date.
To disable a user:
15.6 Enabling a User
You can enable a disabled user from a specific date.
To enable a disabled user:
15.7 Deleting a User
You can delete users that are not required or are not in use.
To delete a user:
Note:
When a user is deleted, the deleted record still exists in the database, marked as deleted. These records are not available for any operations.
15.8 Locking a User Account
You can lock the account of a user from the Users page.
To lock the account of a user:
Note:
Users with special characters in the user login name cannot be locked.
When you try to lock a user account that contains some special characters in the user login name, the following error is displayed:
An unknown exception occurred, please review server logs.The user with the key USER_KEY does not exist.
The following special characters are not allowed in the user login name:
[!@#$%^&*()_-+=[{]}\|;:'",<.>/?
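A check that follows from this limitation, added here as an example and not part of Oracle's documentation: it scans a user export for logins containing any of the listed characters, so accounts that the lock operation would reject are known before one of them has to be locked. The CSV layout, column names and sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Characters copied from the list in the note above.
DISALLOWED = set("!@#$%^&*()_-+=[{]}\\|;:'\",<.>/?")

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_EXPORT = """User Login,Display Name
JSMITH,John Smith
j.doe,Jane Doe
svc_backup,Backup Service
ops-admin,Operations Admin
MBROWN,Mary Brown
o'neil,Pat O'Neil
"""

def lock_blocked_logins(export_text):
    """Map each login containing a listed character to the characters found."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        login = (row.get("User Login") or "").strip()
        found = sorted(set(login) & DISALLOWED)
        if found:
            flagged[login] = found
    return flagged

def by_character(flagged):
    """Count affected logins per character, to show which naming habit dominates."""
    return Counter(ch for chars in flagged.values() for ch in chars)

if __name__ == "__main__":
    report = lock_blocked_logins(SAMPLE_EXPORT)
    for login, chars in report.items():
        print(f"{login}: contains {' '.join(chars)}")
    print(by_character(report).most_common())
```

Common separators such as the period, underscore and hyphen are in the list, so service and role accounts named with them are the ones most likely to appear in the report.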
15.9 Unlocking a User Account
You can unlock the account of a user from the Users page.
To unlock the account of a user: