Oracle® Fusion Middleware System Administrator's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) Part Number E14308-05
This chapter describes managing users in Oracle Identity Manager Design Console. It contains the following sections:
The User Management folder provides tools to create and manage information about a company's organizations, users, roles, and resources.
This folder contains the following forms:
Organizational Defaults: Use this form to view records that reflect the internal structure of your organization and to designate information related to these entities.
Policy History: Use this form to view user records that your employees require.
Roles: Use this form to view records for roles, called user groups in earlier releases of Oracle Identity Manager, to whom you can assign some common functionality.
The Organizational Defaults form is in the User Management folder. You use this form to view records that reflect the structure of your organization and to enter and modify information related to organizational entities. An organization record contains information about an organizational unit, for example, a company, department, or branch.
A suborganization is an organization that is a member of another organization, for example, a department in a company. The organization that the suborganization belongs to is referred to as a parent organization.
You use the Organizational Defaults tab to specify default values for parameters on the custom process form for resources that can be provisioned for the current organization. Each process form is associated with a resource object that is allowed for the organization, or with a resource that has the Allow All option on the associated Resource Objects form selected.
The values that you provide on the Organizational Defaults tab become the default values for all users in the organization. Oracle recommends that you do not specify default values for passwords and encrypted parameters.
Figure 15-1 shows the Organizational Defaults form.
Table 15-1 describes the fields of the Organizational Defaults form.
Table 15-1 Fields of the Organizational Defaults Form
Field Name | Description |
---|---|
Organization Name | Name of the organization. |
Type | The classification type of the organization, for example, Company, Department, Branch. |
Status | The current status of the organization (Active, Disabled, or Deleted). |
Parent Organization | The organization to which this organization belongs. If a parent organization is displayed in this field, this organization is displayed on the Sub Organizations tab for the parent organization. If this field is empty, this organization is a top-level organization. |
You use the Policy History form to view information about the resources that are allowed or disallowed for a user.
There are two types of users in Oracle Identity Manager:
End-user administrators: This user can access Oracle Identity Manager Design Console and the Oracle Identity Manager Administrative and User Console. The system administrator sets permissions to enable end-user administrators to access a subset of the forms in Oracle Identity Manager Design Console.
End-users: This user can access only the Oracle Identity Manager Administrative and User Console and generally has fewer permissions than end-user administrators. Only resource objects that are defined as self-service on the Objects Allowed tab of the user's organization are available for provisioning requests by using the Oracle Identity Manager Administrative and User Console.
Table 15-1 shows this form.
Table 15-2 describes the fields of the Policy History form.
Table 15-2 Fields of the Policy History Form
Field Name | Description |
---|---|
User ID | The user's Oracle Identity Manager login ID. |
First Name | The user's first name. |
Middle Name | The user's middle name. |
Last Name | The user's last name. |
Email Address | The user's e-mail address. |
Start Date | The date on which the user's account will be activated. |
Status | The current status of the user (Active, Disabled, or Deleted). |
Organization | The organization to which the user belongs. |
User Type | The user's classification status. Valid options are End-User and End-User Administrator. Only end-user administrators have access to Oracle Identity Manager Design Console. |
Employee Type | The employment status of the user at the parent organization (for example, full-time, part-time, intern, and so on). |
Manager ID | The user's manager. |
End Date | The date on which the user's account will be deactivated. |
Created on | The date and time when the user record was created. |
Use this tab to view resource objects that are allowed or disallowed for a user, based on the following:
Access policies for the user group to which the user belongs
Resource objects that are allowed by the organization to which the user belongs
The Policy History tab contains a Display Selection region. To organize the contents of this tab, go to the uppermost box in this region and select an item from one of its menus, as follows:
Resource Policy Summary: Displays resource objects that are allowed or disallowed based on the user's organization and applicable access policies.
Not Allowed by Org: Displays only resource objects that are disallowed, based on the user's organization.
Resources by Policy: Displays a second box that contains the access policies for the user groups to which the user is a member.
Select an access policy from this box to display the resource objects that are allowed or disallowed for the user, based on this access policy.
A tracking system enables you to view resources that are allowed or disallowed for a user, based on the organizations the user is a member of and the access policies that apply to the user.
The resource objects that are allowed for the user are displayed in the Resources Allowed list. This list represents resource objects that can be provisioned for the user. It does not represent the resource objects that are provisioned for the user.
The resource objects that are disallowed for the user are displayed in the Resources Not Allowed list.
To view the tracking system:
Go to the Policy History tab.
Find the Display Selection region on this tab.
Click Policy History.
From the User Policy Profile History window, you can view resources that are allowed or disallowed for a user for the date and time you selected, as follows:
From the History Date box, you can select a date.
From the Display Type box, you can display resources that are allowed or disallowed based on the organizations the user is a member of, the access policies that apply to the user, or both.
From the Policy box, you can display the access policy that determines what resource objects are allowed or disallowed for the user.
The Group Entitlements form is displayed in the User Management folder. You use it to create and move forms, and to designate the forms and folders that members of a role can access through the Explorer.
To designate forms and folders to roles by using the Group Entitlements form:
In the Explorer, double-click Group Entitlements.
The User Group Information page is displayed, as shown in Figure 15-3:
In the Group Name field, enter the name of the role.
Click Assign.
The User Form Assignment lookup table is displayed.
From the lookup table, select the user form for this role.
Use the arrow buttons to either add or delete from the Assigned Forms list.
Click OK.
The newly added user forms are listed in a Group Entitlements table. The Group Entitlements table displays all available roles. This table shows the name of the user form and the type. In the Group Entitlements table, there are two types, javaform and folder. A javaform is a Java-based, graphical interface. A folder is a container of one or many javaforms.
See Also:
"Default Roles" for information about pre-existing roles in Oracle Identity Manager