18 Managing Organizations
The tasks are described in the following sections:
18.1 About Organization Entity
An organization entity represents a logical container of entities such as users and other organizations in Oracle Identity Manager. In Oracle Identity Manager, organizations are used only for security purposes: they scope who may administer which users, and what those users may see and request.
Organizations allow you to:
- Logically and securely manage user accounts and administrators
- Limit access to users, applications, roles, and entitlements
Customers can set up delegated administration by creating organizations and assigning users to various locations in an organizational hierarchy. Organizations that contain one or more other organizations are called parent organizations.
All Oracle Identity Manager users (including administrators) are statically assigned to exactly one organization, the home organization. Users can also be dynamically assigned to additional organizations. Administrators are additionally assigned to the organizations that they control, through admin roles scoped to those organizations.
18.2 Searching Organizations
Use the Organization page to perform simple and advanced searches for organizations.
To search for organizations, you can perform one of the following:
18.2.2 Performing Advanced Search for Organization
- Log in to Identity Self Service.
- Click Manage, and then click the Organizations box. The Organization page is displayed.
- Click the Advanced link. The Advanced Organization search page opens.
- Select one of the following Match options:
  - All: The search is performed with the AND condition. The search returns only organizations that match all of the specified criteria.
  - Any: The search is performed with the OR condition. The search returns organizations that match any one of the specified criteria.
- In the Organization Name field, enter the organization name to search for, and select a search comparator. The default comparator is Starts With; Equals is available in the list as an alternative.
  You can use wildcard characters in the organization name.
- From the Type list, select the organization type: Branch, Company, or Department.
- To add a field to your search:
  - Click Add Fields, and select a field, such as Organization Status.
  - Enter a value for the search attribute that you added. In this example, from the Organization Status list, select the organization status, which can be Active, Deleted, or Disabled.
  To remove a field that you added to the search, click the cross icon next to the field.
- Click Search. The results are displayed in the search results table.
The search results table displays the organization name, parent organization name, organization type, and organization status.
18.3 Creating an Organization
Using the Create Organization page, you can create an organization of type branch, company or department, control password behavior, and select applicable password policy for the organization.
To create an organization:
Note:
Organizations are persisted in the Oracle Identity Manager database regardless of whether the users and groups are stored in a directory or in the Oracle Identity Manager database.
- In Identity Self Service, click Manage to open the Home page. Click Organizations. The Search Organizations page is displayed.
- From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Organization page is displayed.
- In the Organization Name field, enter the name of the organization.
- From the Type list, select the type of the organization: Branch, Company, or Department.
- Specify the parent organization to which the new organization will belong. To do so:
  - Click the search icon next to the Parent Organization field. The Search Organizations dialog box is displayed.
  - Search for and select the organization that you want to specify as the parent organization.
  - Click Select. The selected organization is added as the parent organization.
- (Optional) Select a user in the Certifier User Login field to make that user the organization certifier of the organization being created.
  See Setting User Manager and Organization Certifier for information about the organization certifier.
- From the Enforce password policy on reassignment list, select Inherit from Parent Org, No, or Yes. The default value is Yes.
  An organization can control the password behavior of users who move into it. When a user's home organization is changed from one organization to another and the password policies attached to the two organizations differ, the Enforce password policy on reassignment setting of the new home organization determines whether the user must change the password to comply with the new home organization's password policy at the next login, or can continue using the existing password. The setting applies only when the two policies differ.
  - Yes: The user must change the password to comply with the password policy of the new home organization at the first login after the home organization is changed.
    Note: If a challenge policy is enabled in the password policy of the new home organization, the user must also set challenge questions at that first login.
  - No: The user can continue using the existing password.
  - Inherit from Parent Org: The effective value, Yes or No, is inherited from the nearest parent organization in which it is explicitly set.
- Specify the password policy that you want to associate with the organization. To do so:
  - Click the search icon next to the Password Policy Name field. The Search Password Policy Name dialog box is displayed.
  - Search for and select the password policy that you want to associate with the organization. To list all password policies, click the search icon and then select the password policy from the search results.
    For information about creating a new password policy, see Managing Password Policies.
  - Click Add. The selected password policy name is added to the Password Policy Name field.
- Click Save to create the organization.
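The inheritance and first-login behavior described for the Enforce password policy on reassignment setting above, as an added example. This is Python written for this page, not Oracle Identity Manager code and not the product's internal algorithm. The Org dataclass, the SAMPLE_ORGS hierarchy, the policy names, the CHALLENGE_ENABLED set and the fallback to Yes when a top-level organization is itself set to Inherit from Parent Org are all assumptions introduced for illustration; the page states only that the default value of the setting is Yes. Password-policy inheritance between organizations is not modeled; the example compares the policy names as attached to each organization:

```python
"""Resolve the effective 'Enforce password policy on reassignment' value for an
organization and decide what a user must do at the first login after a home
organization change. Illustrative model only; not Oracle Identity Manager code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

INHERIT = "Inherit from Parent Org"


@dataclass
class Org:
    name: str
    parent: Optional[str]           # None for a top-level organization
    enforce_on_reassignment: str    # "Yes", "No" or INHERIT
    password_policy: Optional[str]  # name of the attached password policy, if any


def effective_enforce_flag(orgs: Dict[str, Org], org_name: str) -> str:
    """Walk up the hierarchy until an organization with an explicit Yes or No is found.
    Assumption: if every level up to the top is INHERIT, the documented default
    of Yes applies. A cycle in the parent links is reported instead of looping."""
    seen: Set[str] = set()
    current: Optional[str] = org_name
    while current is not None:
        if current in seen:
            raise ValueError(f"cycle in organization hierarchy at {current!r}")
        seen.add(current)
        org = orgs[current]
        if org.enforce_on_reassignment in ("Yes", "No"):
            return org.enforce_on_reassignment
        current = org.parent
    return "Yes"


def must_change_password(orgs: Dict[str, Org], old_home: str, new_home: str) -> bool:
    """The setting matters only when the two organizations' password policies differ;
    then the new home organization's effective flag decides."""
    if orgs[old_home].password_policy == orgs[new_home].password_policy:
        return False
    return effective_enforce_flag(orgs, new_home) == "Yes"


def first_login_actions(orgs: Dict[str, Org], challenge_enabled_policies: Set[str],
                        old_home: str, new_home: str) -> List[str]:
    """Actions forced at the first login after reassignment. If the new home
    organization's policy has a challenge policy enabled, challenge questions
    must be set together with the new password."""
    if not must_change_password(orgs, old_home, new_home):
        return []
    actions = ["change password"]
    if orgs[new_home].password_policy in challenge_enabled_policies:
        actions.append("set challenge questions")
    return actions


# Constructed sample hierarchy (names and policies are illustrative, not real data).
SAMPLE_ORGS: Dict[str, Org] = {o.name: o for o in [
    Org("Acme Corp", None, "Yes", "Corporate"),
    Org("EMEA", "Acme Corp", INHERIT, "Corporate"),
    Org("Finance", "Acme Corp", "No", "Finance-Strict"),
    Org("Finance-Contractors", "Finance", INHERIT, "Contractor"),
]}
# Constructed: password policies that have a challenge policy enabled.
CHALLENGE_ENABLED: Set[str] = {"Corporate"}

if __name__ == "__main__":
    for name in SAMPLE_ORGS:
        print(f"{name:20} effective flag = {effective_enforce_flag(SAMPLE_ORGS, name)}")
    for old, new in [("Finance", "EMEA"), ("Acme Corp", "Finance"), ("EMEA", "Acme Corp")]:
        actions = first_login_actions(SAMPLE_ORGS, CHALLENGE_ENABLED, old, new)
        print(f"{old} -> {new}: {actions or 'nothing required'}")
```

Note that Finance-Contractors resolves to No because its nearest explicitly set ancestor is Finance, even though the top-level organization is set to Yes; when reviewing a hierarchy, check the nearest set parent rather than the root.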
18.4 Viewing and Modifying Organizations
You can perform administrative modifications to an organization in the organization details page. The modifications are divided across the different sections of the page, which means that changes made in each section are independent of each other and must be saved individually. The modification for each section is described in the following sections:
18.4.1 Opening Organization Details
You can view details of an organization in the organization details page.
To open the details of an organization:
- In Identity Self Service, click Manage to open the Home Page. Click Organizations. The Search Organizations page is displayed.
- Search and select the organization whose details you want to display.
- From the Actions menu, select Open. Alternatively, click Open on the toolbar. The details of the selected organization are displayed in a new page.
18.4.2 Modifying Organization Attributes
The Attributes tab of the organization details page displays the attributes of the organization. Whether the logged-in user is allowed to modify them is controlled by authorization policies. If you are authorized to modify the organization profile, the page opens in editable mode: change the attribute values and click Apply to save the changes. If you are not authorized, the page is displayed in read-only mode with no editable fields.
Note:
The Status attribute in the organization details page is read-only.
18.4.3 Managing Child Organizations
The Children tab displays the child organizations of the open organization. From this tab you can create a new child organization, and view, delete, enable, or disable an existing one.
For each child organization in the list, the organization name, organization type, and organization status are displayed. The Children tab enables you to perform the following:
18.4.3.1 Creating a Child Organization
In the Children tab, you can create a child organization (suborganization) of the open organization by selecting Create Sub-org from the Actions menu. Alternatively, click Create Sub-org on the toolbar. The Create Organization page is displayed. Perform the steps described in Creating an Organization to complete creating the child organization.
18.4.3.2 Deleting a Child Organization
To delete a child organization:
- In the Children tab, select the organization you want to delete.
- From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A message is displayed asking for confirmation.
- Click Delete to confirm. The selected child organization is deleted.
18.4.3.3 Disabling a Child Organization
To disable a child organization:
- In the Children tab, select the organization you want to disable.
- From the Actions menu, select Disable. Alternatively, click Disable on the toolbar. A message is displayed asking for confirmation.
- Click Disable to confirm. The selected child organization is disabled.
18.4.3.4 Enabling a Child Organization
To enable a child organization:
- In the Children tab, select the organization you want to enable.
- From the Actions menu, select Enable. Alternatively, click Enable on the toolbar. A message is displayed asking for confirmation.
- Click Enable to confirm. The selected child organization is enabled.
18.4.4 Viewing Organization Membership
The Members tab displays a list of users in the open organization.
For each user in the list, the following are displayed:
- User Login
- Display Name
- First Name
- Last Name
- E-mail
- Relationship Type
Tip:
You can add users to or remove them from organizations by using the Attributes tab of the user details page.
The Relationship Type column displays the type of relationship that the user member has with the organization: static, through the user's Organization attribute, or dynamic, through a user-membership rule. This is described in detail in Managing Dynamic Organization Membership.
18.4.5 Managing Dynamic Organization Membership
You can dynamically assign users to organizations based on user-membership rules, which you define in the Members tab of the organization details page. From the Members tab you can create a new dynamic membership rule, view and modify the existing rule, or delete it.
Managing dynamic user-organization memberships is described in the following sections:
18.4.5.1 About Dynamic Organization Membership Rule
Users are assigned to organizations by specifying an organization name in the Organization attribute of the user details. This is called a static membership. In addition, you can dynamically assign users to organizations based on user-membership rules, which you define in the Members tab of the organization details page. All users that satisfy an organization's user-membership rule are dynamically associated with that organization, irrespective of which organization hierarchy they statically belong to.
Each organization can have one user-membership rule. Because every organization's rule is evaluated against all users, a user can be a member of multiple organizations at a time, and can thereby view and request the additional resources published to those organizations.
Dynamic memberships are revoked by changing the user-membership rule so that the user no longer satisfies it, or by deleting the rule.
18.4.5.2 Creating a Dynamic Organization Membership Rule
To create a dynamic membership rule for an organization:
18.4.5.4 Deleting a Dynamic Organization Membership Rule
To delete a user-membership rule:
- In the User Membership Rule section of the Members tab, click Delete Rule. A warning message is displayed asking for confirmation.
- Click Yes to confirm the deletion.
After you confirm the deletion, all organization memberships derived from that rule are removed immediately, in the post-process. There is no offline evaluation for organization membership rule deletion. Static memberships, which come from the user's Organization attribute, are not affected.
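The static-versus-dynamic membership behavior described in About Dynamic Organization Membership Rule, and the immediate revocation on rule change or deletion described above, as an added example. This is Python written for this page, not Oracle Identity Manager code. The Rule representation (a list of attribute, comparator, value conditions combined with All or Any, echoing the Match options of the search page), the relationship-type labels "Static" and "Dynamic", the assumption that static membership takes precedence when a user also matches the home organization's rule, and the SAMPLE_RULES and SAMPLE_USERS data are all constructed for illustration and are not the product's rule syntax or labels:

```python
"""Static versus dynamic organization membership, modeled after the description
above. Illustrative only; rule syntax and relationship-type labels are assumptions,
not Oracle Identity Manager's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Condition = Tuple[str, str, str]   # (user attribute, comparator, value)


@dataclass
class Rule:
    conditions: List[Condition]
    match: str = "All"             # "All" = AND, "Any" = OR, as on the search page


def _compare(actual: Optional[str], comparator: str, expected: str) -> bool:
    """A missing attribute never matches; unknown comparators are rejected loudly."""
    if actual is None:
        return False
    if comparator == "Equals":
        return actual == expected
    if comparator == "Starts With":
        return actual.startswith(expected)
    raise ValueError(f"unsupported comparator: {comparator!r}")


def rule_matches(rule: Rule, user: Dict[str, str]) -> bool:
    results = [_compare(user.get(attr), cmp, val) for attr, cmp, val in rule.conditions]
    return all(results) if rule.match == "All" else any(results)


def compute_memberships(rules: Dict[str, Optional[Rule]],
                        users: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Return {organization: {user login: relationship type}}.
    Static membership comes from the user's Organization attribute. Dynamic membership
    comes from evaluating each organization's single rule against every user, regardless
    of where the user sits statically. The dict shape (rules[org] holds at most one
    Rule) enforces the one-rule-per-organization constraint."""
    memberships: Dict[str, Dict[str, str]] = {org: {} for org in rules}
    for user in users:
        login, home = user["User Login"], user["Organization"]
        memberships.setdefault(home, {})[login] = "Static"
        for org, rule in rules.items():
            if rule is None or org == home:   # assumption: static wins when both apply
                continue
            if rule_matches(rule, user):
                memberships[org][login] = "Dynamic"
    return memberships


def revoked_by_rule_change(rules: Dict[str, Optional[Rule]], users: List[Dict[str, str]],
                           org: str, new_rule: Optional[Rule]) -> List[str]:
    """Logins that lose dynamic membership of `org` when its rule is replaced.
    new_rule=None models Delete Rule. Static members are never affected."""
    before = compute_memberships(rules, users)[org]
    updated = dict(rules)
    updated[org] = new_rule
    after = compute_memberships(updated, users)[org]
    return sorted(login for login, rel in before.items()
                  if rel == "Dynamic" and login not in after)


# Constructed sample data (not from a real deployment).
SAMPLE_RULES: Dict[str, Optional[Rule]] = {
    "Acme Corp": None,
    "Finance": Rule([("Title", "Starts With", "Finance")]),
    "Contractors": Rule([("Employee Type", "Equals", "Contractor"),
                         ("Title", "Equals", "Vendor Liaison")], match="Any"),
}
SAMPLE_USERS: List[Dict[str, str]] = [
    {"User Login": "alice", "Organization": "Acme Corp",
     "Title": "Finance Analyst", "Employee Type": "Full-Time"},
    {"User Login": "bob", "Organization": "Finance",
     "Title": "Finance Manager", "Employee Type": "Full-Time"},
    {"User Login": "carol", "Organization": "Acme Corp",
     "Title": "Finance Contractor", "Employee Type": "Contractor"},
]

if __name__ == "__main__":
    for org, members in compute_memberships(SAMPLE_RULES, SAMPLE_USERS).items():
        print(org, members)
    print("revoked if the Finance rule is deleted:",
          revoked_by_rule_change(SAMPLE_RULES, SAMPLE_USERS, "Finance", None))
```

Running the sample shows why rules deserve review: carol is a static member of Acme Corp only, yet the Finance and Contractors rules make her a dynamic member of both, so she can see and request whatever is published to those organizations. Deleting the Finance rule revokes alice and carol at once but leaves bob, whose membership is static.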
18.4.6 Managing Admin Roles
You can view the admin roles that are assigned to the organization, assign admin roles to a user or revoke admin roles of a user.
In the Admin Roles tab, you can perform the following:
18.4.6.1 About Admin Role in Organization Details
You can view the admin roles that are assigned to an organization by clicking the Admin Roles tab of the organization details page. The admin roles and their descriptions are listed in this tab. When you select an admin role, the users who hold it are displayed in the User Members section. From this tab you can also grant the admin roles available to the open organization to users, and revoke them.
18.4.6.2 Granting an Admin Role
To grant an admin role to a user:
- In the organization details page, click the Admin Roles tab. A list of admin roles assigned to the open organization is displayed.
- Select the admin role that you want to grant to a user.
- From the Actions menu, select Assign. Alternatively, click Assign on the toolbar. The Advanced Search for Target Users dialog box is displayed.
- Search for the target users to whom you want to grant the selected admin role. You can select the Just show my directs option to list only your direct reports.
- In the User Results section, select the user that you want to grant the admin role.
- Click Add Selected to move the selected user to the Selected Users section. Alternatively, you can click Add All to move all the users from the User Results section to the Selected Users section.
- Click Select. The admin role is granted to the selected users. When you click the admin role in the Admin Roles tab, the selected users' records are displayed in the User Members section.
- In the User Members section, select the user record. Select the include sub-orgs option to grant the admin role over the user's organization and all of its suborganizations; leave it cleared to limit the admin role to the user's organization only. Select it only when the user genuinely needs administrative scope over the whole subtree.
18.4.7 Viewing Available Accounts
The accounts available to an organization are the accounts that have been published to the organization, which means that users of the organization can request them. The Available Accounts tab lists these published accounts, so that you can verify what the organization's users are allowed to request. Accounts that have actually been provisioned are shown in the Provisioned Accounts tab.
18.4.8 Viewing Provisioned Accounts
The Provisioned Accounts tab displays the accounts that have been provisioned to the open organization. You can provision a resource, revoke a resource, view the details of a provisioned resource, enable or disable a provisioned resource, or view the action history of a provisioned resource from the Provisioned Accounts tab.
In the Provisioned Accounts tab, you can perform the following:
18.4.8.3 Viewing the Details of a Provisioned Resource
To view the details of a provisioned resource:
18.4.9 Viewing Available Entitlements
You can view the entitlements published to the open organization in the Available Entitlement tab.
For each entitlement, the following information is displayed:
- Entitlement name
- Resource associated with the entitlement
- Account name associated with the entitlement
- Organization name
18.5 Creating a User Member
You can create a user for the organization using the Create User option available on the organization details page.
The organization name is pre-filled and read-only on this Create User page. When a user is created from here, the password policy of this organization applies rather than the default password policy.
To create user:
- In the organization details page, click Create User on the toolbar. The Create User page is displayed.
- Enter the required details. For description of the different fields see, Creating a User.
- Click Submit.
18.6 Creating a Sub-Organization
Using the Create Organization page, you can create a sub-organization of type branch, company or department, control password behavior, and select applicable password policy for the organization.
To create a sub-organization for the open organization:
- In the organization details page, click Create Sub-org on the toolbar. The Create Organization page is displayed. The open organization name is populated by default as the parent organization name.
- Enter the organization attribute values, as described in Creating an Organization.
- From the Enforce password policy on reassignment list, select a value to specify whether or not to enforce password policy on reassignment, or to inherit the password policy of the parent organization.
- Click Save.
18.7 Disabling and Enabling Organizations
You can disable or enable an organization from the Search Organization page.
This section describes how to enable and disable organizations in the following topics:
Note:
You cannot disable an organization that has child organizations or users. To force the operation, set the ORG.DisableDeleteActionEnabled system property to true; with this property set, the users and suborganizations are disabled along with the parent organization. Because the property is a system-wide switch rather than a per-organization option, review what the cascade will affect before disabling a parent organization with it enabled.
18.8 Deleting an Organization
Delete organizations that are not required or are no longer in use.
Note:
- You cannot delete an organization that has child organizations or users. To force the deletion, set the ORG.DisableDeleteActionEnabled system property to true; with this property set, the users and suborganizations are deleted along with the parent organization.
- You can delete an organization only if you have the Delete permission for that organization.
- The deleted record still exists in the database, marked as deleted; such records are the ones returned when you search with Organization Status set to Deleted.
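The guard and cascade described in the notes for disabling and deleting organizations, as an added example. This is an in-memory Python model written for this page, not Oracle Identity Manager code. The OrgStore class, the Org and User records, the build_sample data, the (action, organization) permission tuples and the depth-first order in which dependents are processed are assumptions; what the page supports is that both operations are blocked while child organizations or users exist, that setting ORG.DisableDeleteActionEnabled to true makes them cascade to users and suborganizations, that deletion requires the Delete permission for the organization, and that deleted records stay in the database marked as deleted:

```python
"""Disable/delete guard with cascade under ORG.DisableDeleteActionEnabled, and
soft deletion. Illustrative model only; not Oracle Identity Manager code."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Org:
    name: str
    parent: Optional[str] = None
    status: str = "Active"          # Active, Disabled or Deleted: the page's three status values


@dataclass
class User:
    login: str
    organization: str               # home organization
    status: str = "Active"


class OrgStore:
    def __init__(self, orgs: List[Org], users: List[User]):
        self.orgs = {o.name: o for o in orgs}
        self.users = {u.login: u for u in users}
        # Mirrors the ORG.DisableDeleteActionEnabled system property. The page's default
        # behaviour is "blocked", so the switch starts off.
        self.disable_delete_action_enabled = False

    def children(self, name: str) -> List[Org]:
        return [o for o in self.orgs.values() if o.parent == name and o.status != "Deleted"]

    def members(self, name: str) -> List[User]:
        return [u for u in self.users.values() if u.organization == name and u.status != "Deleted"]

    def _guard(self, name: str, action: str) -> None:
        """Refuse while dependents exist unless the system property is set."""
        if name not in self.orgs or self.orgs[name].status == "Deleted":
            raise KeyError(f"no such organization: {name!r}")
        if (self.children(name) or self.members(name)) and not self.disable_delete_action_enabled:
            raise PermissionError(f"cannot {action} {name!r}: it has child organizations or users "
                                  "and ORG.DisableDeleteActionEnabled is not true")

    def _apply(self, name: str, new_status: str, touched: List[str]) -> None:
        """Cascade depth-first (assumed order): suborganizations, then users, then the org."""
        for child in self.children(name):
            self._apply(child.name, new_status, touched)
        for user in self.members(name):
            user.status = new_status
            touched.append(f"user:{user.login}")
        self.orgs[name].status = new_status
        touched.append(f"org:{name}")

    def disable(self, name: str) -> List[str]:
        self._guard(name, "disable")
        touched: List[str] = []
        self._apply(name, "Disabled", touched)
        return touched

    def delete(self, name: str, caller_permissions: Set[Tuple[str, str]]) -> List[str]:
        # Deletion additionally requires the Delete permission for this organization.
        if ("Delete", name) not in caller_permissions:
            raise PermissionError(f"caller lacks Delete permission on {name!r}")
        self._guard(name, "delete")
        touched: List[str] = []
        self._apply(name, "Deleted", touched)   # soft delete: records remain, marked Deleted
        return touched

    def search_by_status(self, status: str) -> List[str]:
        """What an Organization Status search would return, including Deleted records."""
        return sorted(o.name for o in self.orgs.values() if o.status == status)


def build_sample() -> OrgStore:
    # Constructed sample data, not from a real deployment.
    return OrgStore(
        orgs=[Org("Acme Corp"), Org("Finance", parent="Acme Corp"),
              Org("Payroll", parent="Finance"), Org("Archive", parent="Acme Corp")],
        users=[User("alice", "Finance"), User("bob", "Payroll"), User("carol", "Acme Corp")],
    )


if __name__ == "__main__":
    store = build_sample()
    try:
        store.disable("Finance")
    except PermissionError as err:
        print("blocked:", err)
    store.disable_delete_action_enabled = True
    print("disabled:", store.disable("Finance"))
    print("deleted:", store.delete("Finance", {("Delete", "Finance")}))
    print("still in the database as Deleted:", store.search_by_status("Deleted"))
```

The cascade list returned by disable and delete is the review artifact a practitioner wants before flipping the property in production: it names every user and suborganization that the parent operation will take with it.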
To delete an organization: