The user management feature in Oracle Identity Manager includes creating, updating, deleting, enabling and disabling, resetting passwords, locking, and unlocking of user accounts.
You can perform the following user management tasks by using Oracle Identity Self Service:
To search for users, you can perform one of the following:
Log in to Identity Self Service.
Click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
To perform a basic search, select any one of the following search criteria from the Search drop-down list and click the Search icon:
User Login
First Name
Last Name
Identity Status
Start Date
End Date
Display Name
Account Status
Organization
The search results list the users that match the selected search criteria.
To perform an advanced search:
Log in to Identity Self Service.
Click Manage, and then click Users. The Users page is displayed.
Click the Advanced link. The Advanced Users search page is displayed.
Select any one of the following options.
All: On selecting this option, the search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.
Any: On selecting this option, the search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.
In the searchable user attribute fields, such as User Login, specify a value. You can include wildcard characters (*) in the attribute value.
For some attributes, select the attribute value from the list. For example, to search all users with locked accounts, select Locked from the Account Status list.
For each attribute value that you specify, select a search operator from the list.
The following search operators are available for String-type attributes:
Starts with
Ends with
Equals
Does not equal
Contains
Does not contain
The following search operators are available for Date-type attributes:
Equals
Before
After
On or before
On or after
Between
The search operator can be combined with wildcard characters to specify a search condition. The asterisk (*) character is used as the wildcard character. For example, you can specify the value of the User Login attribute as Jo* and select Equals as the search operator. The users with login names that begin with Jo are displayed.
To add a searchable user attribute to the Search Users page, click Add Fields, and select the attribute from the list of attributes.
For example, if you want to search all users with the Country attribute as US, then you can add the Country attribute as a searchable field and specify a search condition.
Note:
You can configure the attributes that are searchable. The attributes available for search must be a subset of the attributes defined for the user entity that are marked with the Searchable = Yes property.
Optionally, click Reset to clear the search conditions and values that you specified. Typically, you perform this step to remove the specified search conditions and specify a new search condition.
Click Search. The search results are displayed in a tabular format.
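The match semantics described above (All = AND, Any = OR, the String and Date operators, and the asterisk wildcard, including Jo* with Equals behaving like a starts-with match) can be checked offline against a few records. The following is an added example written for this page, not code from Oracle Identity Manager; the sample users are constructed, and case-insensitive matching is an assumption, not something the page states.

```python
"""Evaluate Manage Users search criteria locally (added example, not OIM code)."""
from datetime import date
import re

# Constructed sample records; keys follow the searchable field names on the page.
SAMPLE_USERS = [
    {"User Login": "jodoe", "First Name": "John", "Account Status": "Unlocked",
     "Country": "US", "Start Date": date(2023, 1, 15)},
    {"User Login": "jsmith", "First Name": "Jane", "Account Status": "Locked",
     "Country": "US", "Start Date": date(2021, 6, 1)},
    {"User Login": "joanb", "First Name": "Joan", "Account Status": "Locked",
     "Country": "UK", "Start Date": date(2024, 3, 10)},
]


def _wildcard_core(pattern):
    # '*' is the only wildcard; every other character is matched literally.
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def _match_string(op, actual, pattern):
    """Apply one of the six String operators; wildcards work with every operator."""
    text = str(actual or "")
    core = _wildcard_core(pattern)
    anchored = {
        "Equals": f"^{core}$", "Does not equal": f"^{core}$",
        "Starts with": f"^{core}", "Ends with": f"{core}$",
        "Contains": core, "Does not contain": core,
    }
    if op not in anchored:
        raise ValueError(f"unknown String operator: {op}")
    # Case-insensitive comparison is an assumption of this example.
    hit = re.search(anchored[op], text, re.IGNORECASE) is not None
    return not hit if op.startswith("Does not") else hit


def _match_date(op, actual, value):
    """Apply one of the six Date operators; 'Between' takes a (low, high) tuple."""
    if actual is None:
        return False
    if op == "Equals":
        return actual == value
    if op == "Before":
        return actual < value
    if op == "After":
        return actual > value
    if op == "On or before":
        return actual <= value
    if op == "On or after":
        return actual >= value
    if op == "Between":
        low, high = value
        return low <= actual <= high
    raise ValueError(f"unknown Date operator: {op}")


def _match_one(user, attr, op, value):
    actual = user.get(attr)
    if isinstance(value, (date, tuple)):
        return _match_date(op, actual, value)
    return _match_string(op, actual, value)


def search_users(users, criteria, mode="All"):
    """criteria: list of (attribute, operator, value); mode 'All' is AND, 'Any' is OR.

    Returns the User Login of every matching record, in input order.
    """
    if mode not in ("All", "Any"):
        raise ValueError("mode must be 'All' or 'Any'")
    combine = all if mode == "All" else any
    return [u["User Login"] for u in users
            if combine(_match_one(u, a, op, v) for a, op, v in criteria)]


if __name__ == "__main__":
    print(search_users(SAMPLE_USERS, [("User Login", "Equals", "Jo*")]))
    print(search_users(SAMPLE_USERS,
                       [("Account Status", "Equals", "Locked"), ("Country", "Equals", "US")],
                       mode="Any"))
```

Switching the same two criteria between All and Any is the quickest way to see why a bulk operation run on an Any result set can touch far more accounts than intended.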
If you want to hide columns in the search results table, then perform the following steps:
Click View on the toolbar, select Columns, and then select Manage Columns. The Manage Columns dialog box is displayed.
From the Visible Columns list, select the columns that you want to hide.
Click the left arrow icon to move the columns to the Hidden Columns list.
Click OK. The selected columns are not displayed in the search results. A status message displays along the bottom of the search table to identify how many columns are currently hidden.
This section describes the operations that you can perform based on the rows selected in the search results table. It is divided into single selection operations and bulk or multiple selection operations.
You can perform the following single selection operations by selecting a user from the search results table:
View detail
Modify
Enable, only if the user status is disabled
Disable, only if the user status is enabled
Lock, only if the selected user's account is unlocked
Unlock, only if the selected user's account is locked
Reset password
Delete
You can perform the following bulk or multiple selection operations by selecting multiple users from the search results table:
Modify
Enable, only if the user status is disabled
Disable, only if the user status is enabled
Lock, only if the selected user's account is unlocked
Unlock, only if the selected user's account is locked
Delete
You can create a new user in Oracle Identity Manager by using the Create User page. You can open this page only if you are authorized to create users as determined by the authorization policy on the Create User privilege on any organization in Oracle Identity Manager.
To create a user:
In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
Enter details of the user in the Create User page.
Table 15-1 describes the fields in the Create User page:
Table 15-1 Fields in the Create User Page
Section | Field | Description |
---|---|---|
Justification and Effective Date | Justification | Justification for creating the user. |
 | Start Date | Date on which the user must be created. |
 | Stop Date | Date until which the user must be active. |
Basic Information | First Name | First name of the user. |
 | Middle Name | Middle name of the user. |
 | Last Name | Last name of the user. |
 | E-mail | E-mail address of the user. |
 | Manager | The reporting manager of the user. |
 | Organization | The organization to which the user belongs. This is also known as the home organization. |
 | User Type | The type of employee, such as consultant, contractor, contingent worker, employee, full-time employee, intern, non-worker, other, part-time employee, or temporary. |
 | Display Name | The display name of the user. It can have localized values, which can be added by clicking Manage Localizations and selecting from a list of languages. Display Name is available in 33 languages. |
Account Settings | User Login | The user name to be specified for logging in to the Administration Console. |
 | Password | The password to be specified for logging in to the Administration Console. |
 | Confirm Password | Re-enter the password to be specified for logging in to the Administration Console. |
Account Effective Dates | Start Date | The date when the user will be activated in the system. |
 | End Date | The date when the user will be deactivated in the system. |
Contact Information | Telephone Number | The telephone number of the user. |
 | Home Phone | The telephone number of the user's residence. |
 | Fax | The fax number of the user. |
 | Mobile | The mobile number of the user. |
 | Pager | The pager number of the user. |
 | Home Postal Address | The postal address of the user's residence. |
 | Postal Address | The postal address of the user. |
 | Postal Code | The postal code of the user's address. |
 | PO Box | The post box number of the user's address. |
 | State | The state name of the user. |
 | Street | The street name where the user resides. |
 | Country | The country where the user resides. |
Preferences | Locale | The locale code of the user. |
 | Timezone | The timezone of the user. |
Other Attributes | Common Name | The common name of the user. |
 | Department Number | The department number of the user. |
 | Employee Number | The employee number of the user. |
 | Generation Qualifier | Whether the user qualifies the generation. |
 | Hire Date | The hiring date of the user. |
 | Locality Name | The name of the locality where the user resides. |
 | Initials | The initials of the user. |
 | Title | The title for the user. |
Click Submit or Save as Draft. A message is displayed stating that the user is created successfully.
Tip:
Users can be created by any one of the following methods:
By using Oracle Identity Administration
By self registration
By using SCIM-based APIs
For all the above methods, Oracle Identity Manager uses the default password policy or Password Policy against Default Rule. If you want to use a different password policy, then you must attach the new password policy to the default rule. To do so, see "Managing Password Policies".
For more information about how to use SCIM/REST services, see "Using SCIM/REST Services" in Developing and Customizing Applications for Oracle Identity Manager.
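Because the same Create User fields can arrive through the console, self registration, or the SCIM-based APIs, it helps to see how the Table 15-1 fields line up with the standard SCIM 2.0 User representation. The following is an added example, not code from Oracle Identity Manager or this page: the attribute names are the ones defined in RFC 7643 (core schema plus the enterprise extension), while the exact mapping Oracle Identity Manager applies, its endpoint URL, and any required-field rules beyond userName are assumptions of the example rather than facts taken from the page. The password is carried as the write-only SCIM attribute and is stripped from anything written to logs.

```python
"""Build a SCIM 2.0 User resource from the Create User fields (added example)."""
import json

# Schema URNs from RFC 7643; the OIM-specific mapping of Table 15-1 is an assumption here.
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Table 15-1 phone fields -> RFC 7643 phoneNumbers.type values.
PHONE_TYPES = (("Telephone Number", "work"), ("Home Phone", "home"),
               ("Mobile", "mobile"), ("Fax", "fax"), ("Pager", "pager"))


def build_scim_user(fields, password=None):
    """fields: dict keyed by the Table 15-1 field names. Returns a SCIM User dict.

    Only User Login is enforced as required (SCIM userName); empty fields are omitted.
    """
    if not fields.get("User Login"):
        raise ValueError("User Login is required (SCIM userName)")
    name = {k: v for k, v in {
        "givenName": fields.get("First Name"),
        "middleName": fields.get("Middle Name"),
        "familyName": fields.get("Last Name"),
    }.items() if v}
    phones = [{"type": t, "value": fields[f]} for f, t in PHONE_TYPES if fields.get(f)]
    enterprise = {k: v for k, v in {
        "employeeNumber": fields.get("Employee Number"),
        "department": fields.get("Department Number"),
        "organization": fields.get("Organization"),
        "manager": {"value": fields["Manager"]} if fields.get("Manager") else None,
    }.items() if v}
    user = {
        "schemas": [CORE] + ([ENTERPRISE] if enterprise else []),
        "userName": fields["User Login"],
        "name": name,
        "displayName": fields.get("Display Name"),
        "userType": fields.get("User Type"),
        "title": fields.get("Title"),
        "locale": fields.get("Locale"),
        "timezone": fields.get("Timezone"),
        "emails": [{"value": fields["E-mail"], "primary": True}] if fields.get("E-mail") else [],
        "phoneNumbers": phones,
        "active": True,
    }
    if enterprise:
        user[ENTERPRISE] = enterprise
    if password is not None:
        user["password"] = password  # write-only in SCIM: sent once, never read back or logged
    return {k: v for k, v in user.items() if v not in (None, [], {})}


def redacted_json(user):
    """Serialise the resource for audit logging with the password removed."""
    safe = dict(user)
    safe.pop("password", None)
    return json.dumps(safe, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample input.
    sample = {"User Login": "jdoe", "First Name": "John", "Last Name": "Doe",
              "E-mail": "jdoe@example.com", "Mobile": "+1-555-0100", "Manager": "mgr1"}
    print(redacted_json(build_scim_user(sample, password="placeholder-only")))
```

Whatever creation path is used, the password policy attached to the default rule still applies on the server side; a client-side builder like this one only shapes the request and keeps the secret out of logs, it does not replace that check.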
The view user operation allows you to view detailed user profile information in the User Details page. You can open this page if you are authorized to view the user's profile as determined by the authorization policy through the View User Details privilege.
To display user details:
In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
Search for the user whose details you want to display. Follow the steps in Searching Users.
The user details are displayed in the following tabs:
The Attributes Tab: Displays the attribute profile that includes details about basic user information, account effective dates, and provisioning dates. For more details, see "Editing User Attributes".
The Roles Tab: Displays a list of roles to which the user belongs. You can click each role to display summary information about the role.
In the Roles tab, you can assign roles to the user and remove roles from the user. For more information, see "Requesting, Removing, and Modifying Roles".
The Entitlements Tab: Displays a list of entitlements for the user. You can click each entitlement to display a summary of the entitlement.
In the Entitlements tab, you can request for entitlements and remove entitlements from the user. For more information, see "Requesting and Removing Entitlements".
The Accounts Tab: Displays a list of accounts for the user. You can click each account to display a summary of the account.
Typical tasks you perform in this tab are requesting an account, modifying and removing accounts, marking an account as primary, and disabling and enabling accounts. For more information, see "Requesting, Removing, and Modifying Accounts".
The Direct Reports Tab: Displays a read-only table of users for whom the user is set as the manager. In other words, this tab lists the direct reportees of the user. For each user in the table, it displays the following:
Display Name
User Login
Status
Organization
If you select a row in the table, then summary information about the direct reportee is displayed at the bottom.
The Direct Reports tab allows you to open the user details of the direct reportees. To do so, select a row in the table of direct reportees, and click the open icon on the toolbar.
The Admin Roles Tab: Displays a list of admin roles assigned to the user. You can select an admin role to display a summary of the admin role.
Using the admin role detail information, you can select or deselect the include sub-orgs option. When this option is selected, it specifies that the admin role is applicable to the users of the organization and all the suborganizations of the organization. When this option is not selected, it specifies that the admin role is applicable to the users of the organization only. For more information, see "Managing Admin Roles".
You can perform administrative user modification tasks from the user details. The modification is broken up across the different tabs in the page that displays user details, which means that modifications done in each tab are independent of each other and must be saved individually. The modifications you can perform in each tab are outlined in the following sections:
Note:
The modify user operation can be a direct operation or generate a request, which is subject to approval, based on the authorization privileges you have.
To edit the attributes of a user:
In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
Search for the user whose details you want to display. Follow the steps in Searching Users.
Select the user in the search results table.
Modify the user in one of the following ways:
Click Edit on the toolbar.
From the Actions menu, select Edit.
Click the user login of the user record that you want to modify. On the User Details page, click Modify User on the toolbar.
In the Modify User page, change values of the attributes in the respective fields as required.
Click Submit. The modify attribute operation is completed successfully.
You can perform the following operations from the Roles tab of the User Details page:
In the Roles tab of the User Details page, you can add and remove roles. To assign roles to a user:
In the User Details page, click the Roles tab. The Roles tab is displayed with the list of roles assigned to the user.
Click the Granted tab to view the roles that are granted to you. This includes both direct and indirect roles.
Click the Pending tab to view the roles that are pending for approval.
From the Actions menu, select Request. Alternatively, you can click Request Roles on the toolbar. The Catalog page is displayed.
Click the search icon next to the Catalog field. A list of catalog items available for requesting is displayed.
Note:
The catalog items that are available for requesting by a user are governed by the authorization privileges defined for the admin roles of the user.
Select the catalog item for the role that you want to request.
Click Add Selected to Cart. The selected role catalog item is added to the request cart.
Click Checkout. The role will be assigned to the user when an approver approves the request.
You can edit the catalog item by clicking View & Edit.
To modify a role assigned to a user:
In the User Details page, click the Roles tab.
Select the role that you want to modify.
From the Actions menu, select Open. Alternatively, click Open on the toolbar. The role details are displayed and are available for editing.
Edit the fields that you want to modify. You can click each tab and modify the role hierarchy, role membership, access policies, and organizations. For more information, see "Viewing and Administering Roles".
Click Apply.
To remove roles from a user:
In the User Details page, click the Roles tab. The Roles tab is displayed with the list of roles assigned to the user.
Select the role that you want to remove.
From the Actions menu, select Remove. Alternatively, you can click Remove Roles on the toolbar. The Catalog page is displayed.
Click the search icon next to the Catalog field. A list of catalog items available for requesting is displayed.
Select the catalog item for the role that you want to remove.
Click Add Selected to Cart. The selected role catalog item is added to the request cart.
Click Checkout. The role is either removed immediately or a request is raised depending on authorization privileges granted to the user.
You can edit the catalog item by clicking View & Edit.
To modify the grant duration fields for the role:
In the Roles tab of the User Details page, select a role for which you want to modify the grant duration.
The grant duration fields, Start Date and End Date, are displayed in the Roles tab.
From the Actions menu, select Modify Grant Duration. Alternatively, click Modify Grant Duration on the toolbar. The Modify Grant Duration dialog box is displayed.
In the Justification box, enter a justification for modifying the start date, the end date, or both.
Enter values in any one or both of the following fields:
Start Date: The start date when the role will be provisioned. This must be a future date. This field is not available for modification if the role is already assigned to you.
End Date: The end date when the role will be revoked from you.
For more information about grant duration, see "Adding and Removing Grant Duration".
Click OK.
The Start Date and End Date fields in the Roles tab are updated with the values you specified immediately if no approver is assigned; if an approver is assigned, they are updated after the approval.
You can perform the following entitlement modification operations from the Entitlements tab of the User Details page:
To request entitlements for a user:
In the User Details page, click the Entitlements tab. The Entitlements tab is displayed with the list of entitlements assigned to the user.
From the Actions menu, select Request. Alternatively, you can click Request Entitlements on the toolbar. The Catalog page is displayed.
Click the search icon next to the Catalog field. A list of catalog items available for requesting is displayed.
Note:
The catalog items that are available for requesting by a user are governed by the authorization privileges defined for the admin roles of the user.
Select the catalog item for the entitlement that you want to request.
Click Add Selected to Cart. The selected entitlement catalog item is added to the request cart.
Click Checkout. The Cart Details page is displayed.
(Optional) For the requested entitlements, enter any additional information as needed. This additional information can be added using a form associated with the entitlement, provided the entitlement forms have been generated or re-generated by system administrators.
For example, you can enter effective start and end dates for the entitlement. Then, the approver can review and/or modify this additional information and decide whether the entitlements can be provisioned or not. The entitlements will be assigned to the user when the approver approves the request.
To remove entitlements from a user:
In the User Details page, click the Entitlements tab. The Entitlements tab is displayed with the list of entitlements assigned to the user.
Select the entitlement that you want to remove.
From the Actions menu, select Remove. Alternatively, you can click Remove Entitlements on the toolbar. The Catalog page is displayed.
Click the search icon next to the Catalog field. A list of catalog items available for requesting is displayed.
Select the catalog item for the entitlement that you want to remove.
Click Add Selected to Cart. The selected entitlement catalog item is added to the request cart.
Click Checkout. The entitlement will be removed from the user when an approver approves the request.
You can edit the catalog item by clicking View & Edit.
To modify the grant duration fields for the entitlement assigned to the open user:
In the Entitlements tab of the User Details page, select an entitlement for which you want to modify the grant duration.
The grant duration fields, Start Date and End Date, are displayed in the Entitlements tab.
From the Actions menu, select Modify Grant Duration. Alternatively, click Modify Grant Duration on the toolbar. The Modify Grant Duration dialog box is displayed.
In the Justification box, enter a justification for modifying the start date, the end date, or both.
Enter values in any one or both of the following fields:
Start Date: The start date when the entitlement will be provisioned. This must be a future date. This field is not available for modification if the entitlement is already assigned to the user.
End Date: The end date when the entitlement will be revoked from the user.
For more information, see "Adding and Removing Grant Duration".
Click OK.
The Start Date and End Date fields in the Entitlements tab are updated with the values you specified immediately if no approver is assigned; if an approver is assigned, they are updated after the approval.
You can perform the following account modification operations from the Accounts tab of the User Details page:
You can request accounts by requesting an application instance. You can request the following types of accounts (application instances):
Primary account: A primary account is the first account created for a user in a target application. In other words, a primary account is the first application instance that is being requested. Oracle Identity Manager supports multiple accounts for a single application instance. The first account that is created is tagged as primary account, and there can be only one primary account for a user. The other accounts (non-primary accounts) are associated with the primary account. When the user requests entitlements, the entitlements are appended to the primary account.
Non-primary account: If a user already has a primary account and requests for another account in the same target application, then that account is a non-primary account. A user can have multiple non-primary accounts, but only one primary account.
See Also:
"Marking an Account as Primary" for more information on marking an account as primary.
To request an account:
In the User Details page, click the Accounts tab. This tab lists the accounts of the user.
From the Actions menu, select Request. Alternatively, click Request Accounts on the toolbar. The Catalog page is displayed.
Click the search icon next to the Catalog field. A list of catalog items available for requesting is displayed.
Note:
The catalog items that are available for requesting by a user are governed by the authorization privileges defined for the admin roles of the user.
Select the catalog item for the account that you want to request. In other words, select the application instance that you want to request.
Click Add Selected to Cart. The selected account catalog item is added to the request cart.
Click Checkout. The account will be granted to the user when an approver approves the request.
You can edit the catalog item by clicking View & Edit.
To modify an account for the user:
In the Accounts tab, select the account that you want to modify.
From the Actions menu, select Modify. Alternatively, click Modify Accounts on the toolbar. The account details are displayed and are available for editing.
Edit the fields that you want to modify.
Click Ready to Submit and then click Submit.
To remove an account from the user:
In the Accounts tab, select the account that you want to remove.
From the Actions menu, select Remove. Alternatively, click Remove Accounts on the toolbar. The Remove Accounts page is displayed.
Click Submit.
Oracle Identity Manager supports multiple accounts in a single application instance. The first account that is created is tagged as the primary account, and there can be only one primary account for a user. The other accounts (non-primary accounts) are associated with the primary account.
All types of entitlements are available for request in the request catalog. If the request for an entitlement is approved, it is associated with the primary account and not the non-primary account.
When the user gets provisioned to an application instance, Oracle Identity Manager checks if it is the first account provisioned for the user in that application instance. If so, the account is marked as primary. When existing user accounts are reconciled from application instances, the first account that gets reconciled is marked as primary.
A user can have only one primary account. However, Oracle Identity Manager supports multiple accounts for a single application instance. If the account marked as primary is not supposed to be the actual primary account, you can manually change the primary tag for the account and mark another account as primary. By doing so, you can ensure that when the user requests entitlements, the entitlements are appended to the primary account.
To mark an account as a primary account:
In the Accounts tab, select the account that you want to mark as primary.
From the Actions menu, select Make Primary. Alternatively, click Make Primary on the toolbar.
A message is displayed asking for confirmation.
Click Yes to confirm. The account is marked as primary.
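The primary-account rules above (first account in an application instance becomes primary, exactly one primary per user per application instance, approved entitlements attach to the primary account, and an administrator can move the primary tag) are easy to get wrong when reasoning about where an entitlement will land. The following is an added example that models those rules in a few lines; it is not Oracle Identity Manager code, and the account and entitlement names are constructed.

```python
"""Model primary and non-primary accounts per application instance (added example)."""


class UserAccounts:
    """Accounts of one user, grouped by application instance name."""

    def __init__(self, user_login):
        self.user_login = user_login
        # app instance -> list of {"id": str, "primary": bool, "entitlements": [str]}
        self._accounts = {}

    def add_account(self, app_instance, account_id):
        """Provision or reconcile an account; the first one in the instance becomes primary."""
        accounts = self._accounts.setdefault(app_instance, [])
        if any(a["id"] == account_id for a in accounts):
            raise ValueError(f"account {account_id} already exists in {app_instance}")
        accounts.append({"id": account_id, "primary": not accounts, "entitlements": []})
        return accounts[-1]

    def primary(self, app_instance):
        """Return the primary account dict for the instance, or None if the user has none."""
        for a in self._accounts.get(app_instance, []):
            if a["primary"]:
                return a
        return None

    def make_primary(self, app_instance, account_id):
        """Move the primary tag to another account, keeping exactly one primary."""
        accounts = self._accounts.get(app_instance, [])
        if not any(a["id"] == account_id for a in accounts):
            raise ValueError(f"no account {account_id} in {app_instance}")
        for a in accounts:
            a["primary"] = a["id"] == account_id

    def grant_entitlement(self, app_instance, entitlement):
        """An approved entitlement is appended to the primary account, never to a non-primary one.

        Returns the id of the account that received it.
        """
        target = self.primary(app_instance)
        if target is None:
            raise ValueError(f"{self.user_login} has no account in {app_instance}")
        target["entitlements"].append(entitlement)
        return target["id"]

    def account_ids(self, app_instance):
        """(account id, is primary) pairs in creation order, for display or review."""
        return [(a["id"], a["primary"]) for a in self._accounts.get(app_instance, [])]


if __name__ == "__main__":
    ua = UserAccounts("jdoe")
    ua.add_account("AD", "jdoe")            # first account: primary
    ua.add_account("AD", "jdoe-admin")      # non-primary
    print(ua.grant_entitlement("AD", "Domain Users"))        # lands on jdoe
    ua.make_primary("AD", "jdoe-admin")
    print(ua.grant_entitlement("AD", "Remote Desktop Users"))  # now lands on jdoe-admin
    print(ua.account_ids("AD"))
```

The second `grant_entitlement` call is the point of the example: after the primary tag moves, every subsequent approved entitlement goes to the new primary account, so reviewers should confirm which account is primary before approving entitlement requests for users with multiple accounts.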
You can disable an account that is in enabled state. To disable an account:
In the Accounts tab, select the account that you want to disable.
From the Actions menu, select Disable. Alternatively, click Disable on the toolbar.
Click Submit. The account is disabled.
You can enable an account that is in disabled state. To enable an account:
In the Accounts tab, select the disabled account that you want to enable.
From the Actions menu, select Enable. Alternatively, click Enable on the toolbar.
Click Submit. The account is enabled.
To modify the grant duration fields for the account assigned to the open user:
In the Accounts tab of the User Details page, select an account for which you want to modify the grant duration.
The grant duration fields, Start Date and End Date, are displayed in the Accounts tab.
From the Actions menu, select Modify Grant Duration. Alternatively, click Modify Grant Duration on the toolbar. The Modify Grant Duration dialog box is displayed.
In the Justification box, enter a justification for modifying the start date, the end date, or both.
Enter values in any one or both of the following fields:
Start Date: The start date when the account will be provisioned. This must be a future date. This field is not available for modification if the account is already assigned to the user.
End Date: The end date when the account will be revoked from the user.
For detailed information about grant duration, see "Adding and Removing Grant Duration".
Click OK.
The Start Date and End Date fields in the Accounts tab are updated with the values you specified immediately if no approver is assigned; if an approver is assigned, they are updated after the approval.
To modify the details of direct reports:
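The Modify Grant Duration rules are the same for roles, entitlements and accounts: Start Date must be a future date and is not modifiable once the grant is already assigned, End Date sets when the grant is revoked, and the change is applied immediately when no approver is assigned or only after approval otherwise. The following is an added example that encodes those rules for all three grant kinds; it is not Oracle Identity Manager code, the Grant class and approver handling are constructed for illustration, and the sample grants are made up.

```python
"""Validate and apply Modify Grant Duration requests (added example, not OIM code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Grant:
    kind: str                      # "role", "entitlement" or "account"
    name: str
    assigned: bool                 # True once the grant has actually been provisioned
    start: Optional[date] = None
    end: Optional[date] = None
    pending: dict = field(default_factory=dict)   # change awaiting an approver's decision


def modify_grant_duration(grant, justification, today, start=None, end=None, approver=None):
    """Apply the page's rules to a requested change. Returns 'applied' or 'pending'."""
    if not justification.strip():
        raise ValueError("a justification is required")
    if start is None and end is None:
        raise ValueError("enter a Start Date, an End Date, or both")
    if start is not None:
        if grant.assigned:
            raise ValueError(f"Start Date cannot be modified: the {grant.kind} is already assigned")
        if start <= today:
            raise ValueError("Start Date must be a future date")
    changes = {k: v for k, v in (("start", start), ("end", end)) if v is not None}
    if approver is None:
        # No approver assigned: the tab is updated immediately.
        for attr, value in changes.items():
            setattr(grant, attr, value)
        return "applied"
    # Approver assigned: keep the current dates until the request is decided.
    grant.pending = {"approver": approver, "justification": justification, "changes": changes}
    return "pending"


def decide_pending(grant, approved):
    """Apply the queued change when approved, discard it when rejected."""
    if not grant.pending:
        raise ValueError("nothing is pending for this grant")
    if approved:
        for attr, value in grant.pending["changes"].items():
            setattr(grant, attr, value)
    grant.pending = {}
    return (grant.start, grant.end)


if __name__ == "__main__":
    today = date(2024, 5, 1)
    role = Grant("role", "Auditor", assigned=False)
    print(modify_grant_duration(role, "onboarding", today, start=date(2024, 6, 1)))
    acct = Grant("account", "AD", assigned=True, end=date(2025, 1, 1))
    print(modify_grant_duration(acct, "contract extended", today,
                                end=date(2025, 6, 30), approver="manager"))
    print(decide_pending(acct, approved=True))
```

Keeping the live dates untouched while a request is pending is what makes the "updated after the approval" behaviour observable: an access review run between request and decision still sees the old End Date.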
In the User Details page, click the Direct Reports tab. This tab lists the direct reports of the open user.
Select the user or direct report you want to modify.
From the Actions menu, click Open. Alternatively, click Open on the toolbar. The User details page of the selected direct report is displayed. Use the toolbar and tabs to modify the details of the direct report.
To disable a user that is in enabled state:
In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
Search for the user whose details you want to display. Follow the steps in Searching Users.
Select the user you want to disable.
Disable the user in one of the following ways:
Click Disable on the toolbar.
From the Actions menu, select Disable.
Click the user login of the user record that you want to disable. On the User Details page, click Disable User on the toolbar.
In the Target Users section, click the plus icon to search for more target users and add them to the list of users that you want to disable. You can also view the user details by clicking the User Details link for each user.
In the Justification and Effective Date section, specify a justification and effective date for disabling the selected user.
Click Submit. A message is displayed stating that the user is successfully disabled.
To enable a disabled user:
In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
Search for the user whose details you want to display. Follow the steps in Searching Users.
Select the user you want to enable.
Enable the user in one of the following ways:
Click Enable on the toolbar.
From the Actions menu, select Enable.
Click the user login of the user record that you want to enable. On the User Details page, click Enable User on the toolbar.
In the Target Users section, click the plus icon to search for more target users and add them to the list of users that you want to enable. You can also view the user details by clicking the User Details link for each user.
In the Justification and Effective Date section, specify a justification and effective date for enabling the selected user.
Click Submit. A message is displayed stating that the user is successfully enabled.
To delete a user:
In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
Search for the user whose details you want to display. Follow the steps in Searching Users.
Select the user you want to delete.
Delete the user in one of the following ways:
Click Delete on the toolbar.
From the Actions menu, select Delete.
Click the user login of the user record that you want to delete. On the User Details page, click Delete User on the toolbar.
Verify that the selected user is displayed in the Target Users section.
If required, in the Target Users section, click the plus icon to search for more target users and add them to the list of users that you want to delete. You can also view the user details by clicking the User Details link for each user.
In the Justification field, enter a justification for deleting the user.
In the Effective Date field, specify a date from which the user account must be removed.
Click Submit. A request to delete the user is created, which is subject to approval.
To lock the account of a user:
In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
Search for the user whose details you want to display. Follow the steps in Searching Users.
Select the user you want to lock.
Note:
Users with special characters in the user login name cannot be locked. When you try to lock a user account that contains special characters in the user login name, the following error is displayed:
An unknown exception occurred, please review server logs.
The user with the key USER_KEY does not exist.
The following special characters are not allowed in the user login name:
[!@#$%^&*()_-+=[{]}\|;:'",<.>?/~
Lock the user in one of the following ways:
Click Lock Account on the toolbar.
From the Actions menu, select Lock Account.
Click the user login of the user record that you want to lock. On the User Details page, click Lock Account on the toolbar.
In the confirmation message that is displayed, click Lock. The account of the selected user is locked.
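Because a lock attempt on a login containing any of the characters listed in the note above fails with a generic server error, it is worth screening a bulk-lock list beforehand so that those accounts are handled separately rather than silently left unlocked. The following is an added example, not Oracle Identity Manager code: the character set is copied from the note on this page, the helper names are chosen for the example, and the sample logins are constructed.

```python
"""Screen user logins against the characters that prevent an account lock (added example)."""

# Exactly the characters listed in the note; a raw triple-quoted string avoids any escaping.
DISALLOWED = set(r'''[!@#$%^&*()_-+=[{]}\|;:'",<.>?/~''')


def offending_characters(login):
    """Return the disallowed characters present in a login, in order of first appearance."""
    seen = []
    for ch in login:
        if ch in DISALLOWED and ch not in seen:
            seen.append(ch)
    return seen


def partition_for_lock(logins):
    """Split a bulk-lock list into logins that can be locked and those that need handling.

    Returns (lockable, blocked) where blocked maps each login to the characters found.
    """
    lockable, blocked = [], {}
    for login in logins:
        bad = offending_characters(login)
        if bad:
            blocked[login] = "".join(bad)
        else:
            lockable.append(login)
    return lockable, blocked


if __name__ == "__main__":
    # Constructed sample logins; note that '.' and '_' are on the page's list too.
    sample = ["jdoe", "john.doe", "john_doe", "svc|backup", "asmith"]
    lockable, blocked = partition_for_lock(sample)
    print("can lock:", lockable)
    print("needs separate handling:", blocked)
```

The dot and underscore are on the page's list, so conventional logins such as john.doe fall into the blocked group; those accounts still need to be disabled or otherwise contained through a path that does not depend on the lock operation.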
To unlock the account of a user:
In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
Search for the user whose details you want to display. Follow the steps in Searching Users.
Select the user you want to unlock.
Unlock the user in one of the following ways:
Click Unlock Account on the toolbar.
From the Actions menu, select Unlock Account.
Click the user login of the user record that you want to unlock. On the User Details page, click Unlock Account on the toolbar.
In the confirmation message that is displayed, click Unlock. The account of the selected user is unlocked.
To reset the password for a user:
In Identity Self Service, click Manage.
Click the icon in the Users box. The Users page is displayed.
Search and select the user for which you want to reset the password.
From the Actions menu, select Reset Password. Alternatively, you can click Reset Password on the toolbar. You can also open the user details, and then click Reset Password on the toolbar.
The Reset Password dialog box is displayed.
Select any one of the following options:
Manually change the Password: To reset the password by entering a new password. To do so, select this option, and enter a new password in the New Password and Confirm Password fields. You can click the information icon to view the criteria to specify a password.
When you select the Manually change the Password option, you can select the E-mail the new password to the user option if you want the new password to be sent via e-mail to the user. Otherwise, do not select this option.
Auto-generate the Password (Randomly generated): To enable Oracle Identity Manager to generate a random password. When you select this option, the E-mail the new password to the user option is selected by default.
Click Reset Password. The password of the open user is reset.