
OIM 11g PS1 Workshop - Lab2

Lab 2 - Enterprise User lifecycle influenced by Delegated Administrators and End-users

Contents
Lab 2 - Enterprise User lifecycle influenced by Delegated Administrators and End-users ..... 1
1. Introduction ..... 1
2. Contents ..... 4
2.1. Extend OIM User schema ..... 5
2.2. Configure Helpdesk Users and Role Authorization ..... 19
2.3. Practice Helpdesk communities actions to experience configured authorizations ..... 67
2.4. Configure Managers authorization for the administration of their directs’ reports ..... 91
2.5. Practice Managers’ actions to experience configured authorizations on User Administration ..... 105
2.6. End-Users Self profile edit authorization ..... 116
2.7. Practice Self Profile Edit as an End-user to experience configured authorizations ..... 123
3. Conclusion ..... 134

1. Introduction
This use case covers the configuration and usage of OIM features to model advanced user account management scenarios within a controlled system driven by strong authorization policies. The use case considers people with various personas - Helpdesk personnel / IT Administrators, End-users and their Managers - interacting with OIM.

Due to recent changes in ACME's user provisioning context, the current OIM user schema needs to be extended with more attributes:

Professional Qualifications

- <Skillset> (text area)
- <Work Experience> (LOV)
- <Previous Job History Verified> (checkbox, bulk updatable)
- <Post Graduate> (checkbox, searchable)
- <Contribution to Org KM portal> (text area)

Backend Attributes

- <Employee from acquisition> (this one should not show up on the UI; backend logic will use it)

1.1. In this use case, "Helpdesk" staff need to be created. To perform their duties, members of the Helpdesk staff need to be assigned authorization policies in OIM; this is modeled by making them members of an appropriate OIM Role. For creating and managing the lifecycle of such static roles, ACME has a process in place which is carried out by dedicated Role Owners and Access Administrators.

- Members of a role named Role Owners have the rights to create any OIM role representing Helpdesk (the ACME HelpDesk Administrators role) and add it to a role category.
- Once the Role Owners have created the Helpdesk role, another group of users (members of a role named Access Administrators) has to add specific OIM users to the Helpdesk role. This is done only for those users who need to be part of the Helpdesk team and need the authorization controls described in the points below. However, keep in mind that Access Administrators cannot add members to all roles defined in the OIM deployment. If ACME wants them to be able to add members to the Helpdesk role, they need to be selectively given the privileges to do so.

1.2. Helpdesk staff get access to the OIM admin console:

- To create users directly (but they cannot delete) only for the departments "Public Finance" and its sub-department "Taxation".
- They are also asked to execute some operations in bulk on a number of users collectively (like Enable, Disable). They can also update the "Previous Job History Verified" flag on a batch of recently hired users collectively once notified by HR (through an email).
- They can only modify particular attributes of the user profile, not all of them.
- When they create users for the department "Mergers and Acquisition", the user id and password have to be generated. The user id should be generated as follows: if an e-mail is provided, the username is generated from the e-mail. If no e-mail is available, the username is generated from the first name and last name with a user domain appended. The user domain is configured as the Default user name domain system property, and the default value is @oracle.com.
- When Helpdesk resets the password for a user, it is communicated to the user through an email. The password should meet the enterprise password policy requirements. When the user logs into OIM with the helpdesk-reset password, they should be forced to change the password.

1.3. Managers can log in and interact with the user records:

- They can search only their own hierarchies, and only view those users' details. They can build a complex search filter using advanced search. They cannot view certain specific attributes like "Pay".
- Senior managers can search for users who are post-graduates in their departments.

1.4. End-users themselves log in to self-service:

- They can update attributes on their profile, which raises a request to the user's manager. The manager approves it and the profile gets updated.

2. Contents
2.1. Extend OIM User schema
2.2. Configure Helpdesk Users and Role Authorization
2.3. Practice Helpdesk communities actions to experience configured authorizations
2.4. Configure Managers authorization for the administration of their directs’ reports
2.5. Practice Managers’ actions to experience configured authorizations on User Administration
2.6. End-Users Self profile edit authorization
2.7. Practice Self Profile Edit as an End-user to experience configured authorizations

2.1. Extend OIM User schema

Purpose
This step includes the configuration required to extend the OIM User schema as mentioned in the Introduction section above.

Steps
Log in to the Oracle Identity Manager Administration console (use xelsysadm credentials unless specified otherwise).

In the Welcome page, under Advanced Administration, click User Configuration. Alternatively, you can click the Configuration tab, and then click the User Configuration tab.

On the left pane of the console, from the Actions menu, select User Attributes. The User Attributes page is displayed with a table containing all user attributes under their respective categories.

Click Add Category or select Add Category from the Actions menu under User Attributes. A pop-up dialog box to create a category appears. Fill in the Category name as "Professional Qualifications". Click Save. A message confirming successful creation of the category appears.

Repeat the process to create another category, "Backend Attributes".

Click Create Attribute or select Create Attribute from the Actions menu. A pop-up dialog box to create an attribute appears. Fill in the details as follows and click Next:

Attribute Name | Category Name | Back-end Attribute Name | Display Type | Properties
Skillset | Professional Qualifications | USR_UDF_SKILLSET | Text Area | Size: 200

Fill in Attribute Size as ‘200’ and click Next.

Click Save. A message confirming successful creation of the attribute appears.

To add another attribute, click Create Attribute or select Create Attribute from the Actions menu. A pop-up dialog box to create an attribute appears. Fill in the details as:

Attribute Name | Category Name | Back-end Attribute Name | Display Type | Properties
Work Experience | Professional Qualifications | USR_UDF_WORKEXP | List of values (LOV) | -

On selecting LOV as the Display Type, the display window changes and additional options appear. Select LOV Type as Admin Configured, and use Lookup.Users.WorkExp as LOV Code.

Fill in LOV Options as ‘1’ and LOV Options Description as ‘0-2 Yrs’ and click Add.

Note: You can scroll down this screen to see the values just added.
Repeat to add LOV Options 2, 3, 4, 5 with LOV Options Description as follows:

LOV Options | LOV Options Description
2 | 2-5 Yrs
3 | 5-10 Yrs
4 | 10-20 Yrs
5 | 20+ Yrs

This is how it looks after adding all LOV options and descriptions.

Click Next.

Fill in Attribute Size as ‘10’ and click Next, then click Save. A message confirming successful creation of the attribute appears.

Repeat the steps outlined in 2.1.6 to 2.1.8 to add more attributes as per the following:

Attribute Name | Category Name | Back-end Attribute Name | Display Type | Properties
Previous Job History Verified | Professional Qualifications | USR_UDF_JOBHISTVER | Checkbox | Bulk Updatable: Yes
Post Graduate | Professional Qualifications | USR_UDF_POSTGRAD | Checkbox | Searchable: Yes
Contribution to Org KM portal | Professional Qualifications | USR_UDF_CONTKMPORTAL | Text Area | Attribute Size: 500
Employee from acquisition | Backend Attributes | USR_UDF_ACQ | Checkbox | Visible: No

Checkpoint
This completes the modification of the OIM User schema. If at this point you, as the ‘xelsysadm’ user, view existing users, you will not see their extended attributes, because additional Auth Policies need to be assigned before these attributes are visible; we will do that in the next section. If you create a new user, you will be presented with the new attributes, as the schema is extended.

2.2. Configure Helpdesk Users and Role Authorization

Purpose
We will configure HelpDesk User and Role authorizations in this section.

(A) Create the ACME CAPITAL Organization Structure.

(B) Create a Role Administrator user, an Access Administrator user and two HelpDesk Administrator users.

(C) The Role Administrator user has the specific responsibility to create and manage roles and role categories, so we will create a corresponding role and auth policy to perform those duties.

(D) The Helpdesk user performs specific helpdesk duties as outlined in the use case, and the Access Administrator user has the specific responsibility to manage membership of the HelpDesk role for Helpdesk Administrator staff. To achieve that we will have the Role Administrator log in and create the roles for HelpDesk and Access Administrator. Auth Policies are still to be created by xelsysadm, so we will have xelsysadm create auth policies for both roles. Once this is done we will have the Access Administrator assign the HelpDesk role to HelpDesk staff.

(E) Set up Email Notification (you may not get mails depending upon the environment on which you are practicing these labs).

Steps

(A) Create ACME CAPITAL Organization Structure

An Organization with Name ‘ACME CAPITAL’ is already pre-seeded in the OIM VM. You will create all departments below the ACME CAPITAL company:

[Figure: ACME CAPITAL organization chart - ACME HelpDesk, ACME Public Finance (with child ACME Taxation) and ACME Mergers and Acquisitions under ACME CAPITAL]

In the Welcome tab of the Oracle Identity Manager Administration page, under Organizations, click Create Organization. Alternatively, in the left pane, click the Browse tab. Under Organizations, from the Action menu, select Create. You can also click the Create icon on the toolbar.

Create the ACME HelpDesk Organization. Enter ‘ACME HelpDesk’ as Name and select Department as Type. To choose the previously created ACME CAPITAL as Parent Organization, click Search.

A pop-up window appears; in it, search for a Parent Organization that Begins With ACME. Select ACME CAPITAL from the Search Results and click Add. Note: the screenshot shows Contains; it should be Begins With.

Click Save and then repeat the process to create the rest of the Organization Structure as:

ACME CAPITAL (Company)
ACME CAPITAL -> ACME HelpDesk (Department)
ACME CAPITAL -> ACME Public Finance (Department)
ACME CAPITAL -> ACME Public Finance -> ACME Taxation (Department)
ACME CAPITAL -> ACME Mergers and Acquisitions (Department)

The Organization Structure for ACME CAPITAL will look like this:

(B) Create a Role Administrator user, an Access Administrator user and two HelpDesk Administrator users.

In the Welcome page of Identity Administration, under Users, click Create New User. Alternatively, click the Administration tab on the toolbar, and then in the Browse tab, click Create New User.

In the Create User page enter ACME as First Name and RoleAdmin as Last Name. Choose ACME CAPITAL as Organization, Employee as User Type and roleadmin as User Login. Enter Abcd123 as Password. Click Save.

Having created the Role Administrator, we will now create the Access Administrator by following steps 2.2.5 and 2.2.6. Enter ACME as First Name and AccessAdmin as Last Name. Choose ACME CAPITAL as Organization, Employee as User Type and accessadmin as User Login. Enter Abcd123 as Password. Click Save.

Following steps 2.2.5 and 2.2.6 again, we will now create two new users for the HelpDesk staff.

For the first user, enter Acme as First Name and HelpDesk1 as Last Name. Choose ‘ACME HelpDesk’ as Organization, Employee as User Type and acmehelpdesk1 as User Login. Enter Abcd123 as Password. Click Save.

Similarly, for the second user, enter Acme as First Name and HelpDesk2 as Last Name. Choose ‘ACME HelpDesk’ as Organization, Employee as User Type and acmehelpdesk2 as User Login. Enter Abcd123 as Password. Click Save.

(C) The Role Administrator user has the specific responsibility to create and manage roles and role categories, so we will create a corresponding role for this user and also create an auth policy for this user to perform those duties.

In the Welcome page of the Administration tab, under Roles, click Create Role. Alternatively, in the Browse tab of the left pane, expand Roles, and from the Actions menu, select Create Role. Otherwise, click the Create Role icon on the toolbar.


Enter ‘Role Owners’ as the Name of the role and click Save.

Select the Members tab of the role "Role Owners" and then click Assign to assign the user created in the last step, "ACME RoleAdmin", to this role.

Search for and select the user "ACME RoleAdmin" and click Save.

On the Welcome page, under Authorization Policy, click Create Authorization Policy. Alternatively, you can click the Create Authorization Policy icon on the toolbar.

In the Policy Name field, enter the name of the authorization policy as "Role Owners - Manage Roles". In the Description field, enter a description of the authorization policy: "Auth Policy assigned to Role Owners to create and manage roles and role categories". In the Entity Name field, select the name of the feature for which you want to create the authorization policy. To create an authorization policy for role management, select Role Management. Click Next.

The Permissions page is displayed. In this page, you can select the permissions that you want to enable in the authorization policy. We will select "Create Role", "Delete Role", "Modify Role Detail", "Create Role Category", "Delete Role Category", "Modify Role Category" and click Next.

We are not constraining Role Owners, so click Next.

The Assignment page of the Create Policy wizard is displayed. To assign roles to the authorization policy, click Add. The Assign Roles dialog box is displayed. Search for Role Name Begins With "Role". From the Search Results select "Role Owners" and click Add.

Click Next.

Click Finish to create the policy.

(D) The Helpdesk user performs specific helpdesk duties as outlined in the use case, and the Access Administrator user has the specific responsibility to manage membership of the HelpDesk role for Helpdesk Administrator staff. To achieve that we will first have xelsysadm create the Access Administrator role and assign it to the ACME Access Admin user, and then we will have the Role Administrator log in to create the role for HelpDesk Administrator. Auth Policies are still to be created by xelsysadm, so we will have xelsysadm log back in to create auth policies for both roles. Once this is done we will have the Access Administrator assign the helpdesk role to the helpdesk staff.

Follow steps 2.2.9 to 2.2.11 to create a role called "Access Administrators" and assign "ACME AccessAdmin" to this role.

Now log out and log in with roleadmin credentials (to create the HelpDesk Role). Note: if you are logging in as roleadmin for the first time, you will be redirected to the password management screen.

Again follow steps 2.2.9 and 2.2.10 to create a role called "ACME HelpDesk Administrators".

Please note that there is a pre-seeded role "ACME Help Desk Administrators" which has a space between ‘Help’ and ‘Desk’. The one to create here is without the space.

Now log out and log in with xelsysadm credentials to create the Auth Policies.

Follow steps 2.2.13 to 2.2.19 to create the Auth Policy for Access Administrators as follows:

Policy Name | Description | Entity Name | Permissions | Data Constraints | Policy Assignments
Access Administrators - Manage Role Membership | Auth Policy assigned to Access Administrators to View and Modify Role Memberships | Role Management | View Role Membership, Modify Role Membership | ACME HelpDesk Administrators | Role: Access Administrators

So far we have created Auth Policies for Role Management, which were assigned to roleadmin and accessadmin through their respective roles. Now we will create some auth policies for User Management, which will be assigned to acmehelpdesk1 and acmehelpdesk2, the helpdesk users who do user management for ACME.

The following image illustrates what an ACME HelpDesk user can do:

[Figure: what ACME HelpDesk can do across the ACME CAPITAL hierarchy (ACME HelpDesk, ACME Public Finance with child ACME Taxation, ACME Mergers and Acquisitions) - search and view details of users; bulk update user status ENABLE/DISABLE; reset user password; modify the user profile Job History Verified attribute (hierarchy aware); create users (hierarchy aware) in the authorized departments]

On the Welcome page, under Authorization Policy, click Create Authorization Policy. Alternatively, you can click the Create Authorization Policy icon on the toolbar.

In the Policy Name field, enter the name of the authorization policy as "HelpDesk CreateUser - Public Finance". In the Description field, enter a description of the authorization policy: "Auth Policy assigned to ACME HelpDesk Administrators to create users in Public Finance Org". In the Entity Name field, select the name of the feature for which you want to create the authorization policy. To create an authorization policy for user management, select User Management. Click Next.

The Permissions page is displayed. In this page, you can select the permissions that you want to enable in the authorization policy. We will select "Create User" and click Next.

The Data Constraints page of the Create Policy wizard is displayed. In this page, options for the feature selected in the Entity Name field in the previous step are displayed. Select the option ‘Users that are members of selected Organizations’ to specify the organizations for whose members you want to create the authorization policy. Click Add Organization.

The Add Organization dialog box is displayed. Search for an Organization name that Begins With "ACME Public Finance". Select ACME Public Finance from the Search Results and click Add.

Select the checkbox "Hierarchy Aware (include all Child Organizations)" and click Next. This is done so that Helpdesk can create users in Public Finance as well as in the child organization of Public Finance (Taxation).

The Assignment page of the Create Policy wizard is displayed. To assign roles to the authorization policy, click Add. The Assign Roles dialog box is displayed. Search for Role Name Begins With "ACME HelpDesk". From the Search Results select "ACME HelpDesk Administrators" and click Add.

Click Next.

Click Finish.

Create the other Auth Policies per the table below by following steps 2.2.26 to 2.2.35:

Policy Name | Description | Entity Name | Permissions | Attributes | Data Constraints | Policy Assignments
HelpDesk Create User - M&A | Auth Policy assigned to ACME HelpDesk Administrators to create users in Mergers and Acquisitions Org | User Management | Create User | - | ACME Mergers and Acquisitions (Hierarchy Aware) | Role: ACME HelpDesk Administrators
HelpDesk SearchUser | Auth Policy assigned to ACME HelpDesk Administrators to Search Users and View their Details before Updating or Modifying them | User Management | Search User, View User Details | - | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators
HelpDesk UpdateUser | Auth Policy assigned to ACME HelpDesk Administrators to Update User Status as Enable/Disable | User Management | Modify User Status | - | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators
HelpDesk ModifyUser | Auth Policy assigned to ACME HelpDesk Administrators to Modify User Profile attribute - Previous Job History Verified | User Management | Modify User Profile | Previous Job History Verified | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators
HelpDesk PasswordMgmt | Auth Policy assigned to ACME HelpDesk Administrators to reset user password | User Management | Change User Password | - | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators

Now log out and log in with accessadmin credentials to assign the role "ACME HelpDesk Administrators" to the HelpDesk staff (acmehelpdesk1 and acmehelpdesk2). Note: since you are logging in with accessadmin for the first time, you will be redirected to the password management screen.

DON’T USE the pre-seeded role "ACME Help Desk Administrators". Note the space between ‘Help’ and ‘Desk’. The one to use here is without the space.

Workaround: Use the URL http://<host>:<port>/admin/faces/pages/Login.jspx instead of http://<host>:<port>/oim

Search for the role "ACME HelpDesk Administrators" and then follow the steps outlined in 2.2.11 to assign the users acmehelpdesk1 and acmehelpdesk2 as members of this role.

You will see that you are not able to search for the users acmehelpdesk1 and acmehelpdesk2 (the search doesn't return any user). This is because accessadmin is only authorized to change role membership but is not authorized to search users. To work around this issue, create another auth policy as below (you need to log back in as xelsysadm):

Policy Name | Description | Entity Name | Permissions | Attributes | Data Constraints | Policy Assignments
Access Administrators - Search users | Auth Policy assigned to Access Administrators to search users and thus be able to change role memberships | User Management | Search Users | - | - | Role: Access Administrators

Now log back in as accessadmin and retry assigning the role "ACME HelpDesk Administrators" to the HelpDesk staff (acmehelpdesk1 and acmehelpdesk2).
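To show how the User Management policies configured above combine at decision time, here is an added Python model written for this lab; it is not OIM code. It uses the ACME CAPITAL hierarchy from part (A), the six HelpDesk policies from the table and the "Access Administrators - Search users" policy just added; the evaluation logic (first matching policy grants, org constraints walk up the parent chain when Hierarchy Aware) is a simplified re-implementation, and the attribute handling for Modify User Profile is an assumption.

```python
"""Added model (not OIM code) of how the User Management authorization policies
configured in this lab are evaluated, using the ACME CAPITAL hierarchy.
Permission, role and policy names are those from the lab's policy tables."""

from dataclasses import dataclass

# Organization tree built in part (A): child -> parent (None for the root company).
ORG_PARENT = {
    "ACME CAPITAL": None,
    "ACME HelpDesk": "ACME CAPITAL",
    "ACME Public Finance": "ACME CAPITAL",
    "ACME Taxation": "ACME Public Finance",
    "ACME Mergers and Acquisitions": "ACME CAPITAL",
}


@dataclass(frozen=True)
class AuthPolicy:
    name: str
    permissions: frozenset               # e.g. {"Create User"}
    roles: frozenset                     # roles the policy is assigned to
    orgs: frozenset = frozenset()        # data constraint; empty means no org restriction
    hierarchy_aware: bool = False        # include child organizations of the listed orgs
    attributes: frozenset = frozenset()  # Modify User Profile only; empty means any attribute


def org_in_scope(org, scope_orgs, hierarchy_aware):
    """True if org is one of scope_orgs, or (when hierarchy aware) descends from one."""
    if org not in ORG_PARENT:
        raise KeyError(f"unknown organization: {org}")
    current = org
    while current is not None:
        if current in scope_orgs:
            return True
        if not hierarchy_aware:
            return False          # exact match only, do not climb the tree
        current = ORG_PARENT[current]
    return False


def is_authorized(policies, user_roles, permission, target_org, attribute=None):
    """Grant if any policy assigned to one of user_roles carries the permission and
    its organization / attribute constraints cover the target; otherwise deny."""
    for policy in policies:
        if permission not in policy.permissions:
            continue
        if not policy.roles & frozenset(user_roles):
            continue
        if policy.orgs and not org_in_scope(target_org, policy.orgs, policy.hierarchy_aware):
            continue
        if policy.attributes and attribute not in policy.attributes:
            continue
        return True
    return False


HELPDESK = frozenset({"ACME HelpDesk Administrators"})
ACCESS_ADMIN = frozenset({"Access Administrators"})

# The six User Management policies from the HelpDesk policy table.
HELPDESK_POLICIES = [
    AuthPolicy("HelpDesk CreateUser - Public Finance", frozenset({"Create User"}), HELPDESK,
               frozenset({"ACME Public Finance"}), hierarchy_aware=True),
    AuthPolicy("HelpDesk Create User - M&A", frozenset({"Create User"}), HELPDESK,
               frozenset({"ACME Mergers and Acquisitions"}), hierarchy_aware=True),
    AuthPolicy("HelpDesk SearchUser", frozenset({"Search User", "View User Details"}), HELPDESK,
               frozenset({"ACME CAPITAL"}), hierarchy_aware=True),
    AuthPolicy("HelpDesk UpdateUser", frozenset({"Modify User Status"}), HELPDESK,
               frozenset({"ACME CAPITAL"}), hierarchy_aware=True),
    AuthPolicy("HelpDesk ModifyUser", frozenset({"Modify User Profile"}), HELPDESK,
               frozenset({"ACME CAPITAL"}), hierarchy_aware=True,
               attributes=frozenset({"Previous Job History Verified"})),
    AuthPolicy("HelpDesk PasswordMgmt", frozenset({"Change User Password"}), HELPDESK,
               frozenset({"ACME CAPITAL"}), hierarchy_aware=True),
]

# The policy the lab adds once accessadmin turns out to be unable to search users.
ACCESS_ADMIN_SEARCH = AuthPolicy("Access Administrators - Search users",
                                 frozenset({"Search Users"}), ACCESS_ADMIN)


def helpdesk_can(permission, org, attribute=None):
    """Decision for a member of ACME HelpDesk Administrators."""
    return is_authorized(HELPDESK_POLICIES, HELPDESK, permission, org, attribute)


if __name__ == "__main__":
    for perm, org in [("Create User", "ACME CAPITAL"), ("Create User", "ACME Taxation"),
                      ("Delete User", "ACME Taxation")]:
        print(f"{perm} in {org}: {'allowed' if helpdesk_can(perm, org) else 'NOT allowed'}")
```

The model reproduces the outcomes practised in section 2.3 (create denied in ACME CAPITAL, allowed in ACME Taxation through the hierarchy-aware Public Finance constraint, delete denied everywhere) and the accessadmin search gap before and after the extra policy.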

DON’T USE the pre-seeded role "ACME Help Desk Administrators". Note the space between ‘Help’ and ‘Desk’. The one to use here is without the space.

Search for the role "ACME HelpDesk Administrators" and then follow the steps outlined in 2.2.11 to assign the users acmehelpdesk1 and acmehelpdesk2 as members of this role.

Bug: The system gives an ADF error and the UI doesn't show the members of this role, but if you search for the acmehelpdesk1 user and check his roles, you see that the role is assigned.

(E) Email Notification setup

To set up the Email Server, log in to the Oracle Identity Manager Administration Console. In the Welcome page, under Advanced Administration, click Create IT Resource.

Note: If this training content is being used by people who do not work for Oracle and therefore do not have Oracle email ids, they should use a JES (Java Email Server) based mail server installed and configured in the Training VM environment. Lab 1 contains the details about running this particular Email Server and using it with OIM.

The Create IT Resource dialog box appears. Enter ‘Email Server’ as IT Resource Name and select ‘Mail Server’ as IT Resource Type. Click Continue.

The UI wizard has step numbers at the top, as shown in the screenshot. In Step 2 of Create IT Resource, enter ‘false’ as Authentication, ‘mail.oracle.com’ as Server Name and enter your User Login, then click Continue. Leave User Password blank.

Note: If mail.oracle.com as Server Name does not work for some reason, another value that could be used is stbeehive.oracle.com. If people not in Oracle are doing these labs, they need to use some mail server that they can reach and that doesn't require authentication.

Leave everything else at the default in Steps 3 and 4 and click Continue. In Step 5 click Continue. Step 6 confirms the creation of the IT Resource; click Finish.

You should always ensure that the relevant system property is set to the right value for the Email Server configuration to work.

Log in to the Oracle Identity Manager Administration Console. In the Welcome page, under Advanced Administration, click Search System Properties. Enter * under Search System Configuration and click Search.

On the left pane of the window, scroll down to locate the property Email Server and click it. The System Property Detail: Email Server window appears. Ensure that the Value field is set to Email Server (the same as the IT Resource Name).

Setup UserID Generation Policy

To set up the UserId Generation Policy, select "Default policy for username generation" from the left pane of the window above. Make sure the Value field is populated as ‘oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy’, which is the default policy that we will use. If not, change it and click Save.

To set up the Default Domain for username generation, select ‘Default user name domain’ from the left pane of the window above. Make sure the Value field is populated and has the right domain. For our use case we will use oracle.com, which is the default. If not, change it and click Save.
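As an added illustration of the rule these two properties drive (this is example code written for the lab, not Oracle's DefaultComboPolicy source), the following Python function derives the User Login the way the Introduction describes: from the e-mail when one is given, otherwise <FirstName>.<LastName>@<domain> with the domain taken from the Default user name domain property. Upper-casing both forms mirrors the JOHN.ROE@ORACLE.COM login shown in section 2.3 and is an assumption for the e-mail form; the preview_create_user_form helper is likewise a construct of this example.

```python
"""Added example (not Oracle's DefaultComboPolicy source): the user login rule
described in this lab. With an e-mail the login is the e-mail; without one it is
<FirstName>.<LastName>@<domain>, the domain coming from the 'Default user name
domain' system property. Upper-casing mirrors the JOHN.ROE@ORACLE.COM login
shown later in the lab and is applied to both forms here (assumption)."""

import re

DEFAULT_USER_NAME_DOMAIN = "oracle.com"   # value this lab keeps for the property

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _clean_name_part(value, label):
    """Collapse whitespace inside a name part; reject empty input."""
    cleaned = "".join((value or "").split())
    if not cleaned:
        raise ValueError(f"{label} is required when no e-mail is supplied")
    return cleaned


def generate_user_login(first_name, last_name, email=None, domain=DEFAULT_USER_NAME_DOMAIN):
    """Return the User Login OIM would assign under the rule described in the lab."""
    if email and email.strip():
        email = email.strip()
        if not _EMAIL_RE.match(email):
            raise ValueError(f"not a usable e-mail address: {email!r}")
        return email.upper()                   # e-mail takes precedence over the name form
    domain = domain.strip().lstrip("@")        # accept 'oracle.com' or '@oracle.com'
    if not domain:
        raise ValueError("Default user name domain is not set")
    first = _clean_name_part(first_name, "First Name")
    last = _clean_name_part(last_name, "Last Name")
    return f"{first}.{last}@{domain}".upper()


def preview_create_user_form(form):
    """Hypothetical helper: take the fields a helpdesk user types into Create User
    (a dict with 'First Name', 'Last Name' and optional 'Email') and return the
    login that will be generated, so the operator can see it before saving."""
    return generate_user_login(form.get("First Name"), form.get("Last Name"), form.get("Email"))


if __name__ == "__main__":
    # Constructed sample forms matching the two Mergers & Acquisitions users in section 2.3.
    print(preview_create_user_form({"First Name": "John", "Last Name": "Roe"}))
    print(preview_create_user_form({"First Name": "Jane", "Last Name": "Roe",
                                    "Email": "Nalin.Sardana@Oracle.COM"}))
```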

We will use the default password policy, which can be checked through the Design Console if required.

Log in as xelsysadm, open each Organization (e.g. ACME CAPITAL), click Administrative Roles and assign the role ACME HelpDesk Administrators. Provide Read permission (which is the default). Do this for each organization, so that when you search as the acmehelpdesk1 user you can see the organization and test creating a user.

Checkpoint
This completes the configuration of the HelpDesk User authorizations. We created the ACME Organization hierarchy, the HelpDesk Role, the HelpDesk Administrator Users and the Authorization Policies. We assigned all these Auth Policies to the HelpDesk Administrators through the HelpDesk Role. We also did some miscellaneous configuration to set up the Email Server etc.

2.3. Practice Helpdesk communities actions to experience configured authorizations

Purpose
In this section, we will log in as one of the HelpDesk admins and perform the various actions authorized for HelpDesk per the configuration in the previous section, like: Create User, Search User, Update User Status, Bulk Modify User Details and Reset User Password. We will also see what HelpDesk is not authorized to do, like: Delete User and Create User in Orgs it is not authorized for. Apart from this we will see how the user Login is created as per the User Id generation policy.

Steps
2.3.1. Log in as a helpdesk user (either acmehelpdesk1 or acmehelpdesk2).

To execute all parts of this use case, log in only as one of the two helpdesk users you’ve just created.

Create a User in ACME CAPITAL – NOT allowed

While creating the user, choose the Organization ‘ACME CAPITAL’. Notice that acmehelpdesk1 is NOT allowed to create the user.


Create a User in ACME Public Finance – allowed

Create a user with Organization ‘ACME Public Finance’. Choose User Login ‘acmefinuser1’ and Password ‘Abcd1234’. User acmefinuser1 is created successfully.

Create a User in ACME Taxation, which is a child org of ACME Public Finance – allowed

Create a user with Organization ‘ACME Taxation’. Choose User Login ‘acmetaxuser1’ and Password ‘Abcd1234’. User acmetaxuser1 is created successfully.

Delete the User(s) just created – NOT allowed

Search for users with the search pattern *tax*. A list of users is displayed and the delete icon is grayed out, indicating that the logged-in user is not allowed to perform this operation. The option to delete from the Actions menu is also grayed out.

Advanced Search Users

While logged in as acmehelpdesk1, from the Welcome page of Identity Administration select Advanced Search. Put in two search criteria on Last Name: Last Name Begins With Fin and Last Name Begins With Tax. A list of users is displayed.

Bulk modify User Status (Disable, Enable) – allowed

Select all the users displayed above and click Action -> Disable.

A confirmation dialog box appears. Click Yes.

All users are now Disabled.

To confirm this, perform the same search again; you can now see that the Identity Status of all users is displayed as Disabled.

Note: Before moving ahead, repeat the above process to Enable all the users that were disabled.

Bulk Modify User Profile attribute (Previous Job History Verified) – allowed

While logged in as acmehelpdesk1, from the Welcome page of Identity Administration select Advanced Search. Put in the search criteria Last Name Begins With Tax and Last Name Begins With Fin. A list of users is displayed. Select all the users and click Bulk Modify. The Bulk Modify tab opens. Check the attribute Previous Job History Verified and click Save. A message confirming successful modification of the attribute appears at the top of the window.

Bulk Modify User Profile attribute (others) – NOT allowed

Follow the above process, but this time try changing some other attribute, say Start Date, and you will be presented with a message saying "Access denied while trying to modify the user(s)."

Note: The actual error shown in the screenshot is not correct.

Create a User in Mergers & Acquisitions (auto-generation of User Login from firstname & lastname).

Create a User with First Name "John", Last Name "Roe", Organization "ACME Mergers and Acquisition", User Type "Employee", Password "Abcd1234".


The user is created with User Login JOHN.ROE@ORACLE.COM, following the pattern <FirstName>.<LastName>@<domain>.


Create a User in Mergers & Acquisitions (auto-generation of User Login from email)

Create a User with First Name "Jane", Last Name "Roe", Organization "ACME Mergers and Acquisition", User Type "Employee" and Email set to your own email id (Example: Nalin Sardana, an Oracle employee practicing this lab, will put his email as Nalin.Sardana@Oracle.COM). Only then can you see the result of the configuration as an actual mail arriving in your inbox. We also use this user for the password reset later in the lab, so it is important that the new password arrives at an accessible email address.


The user is created with the User Login you specified as the email, not one generated from the name (Jane Roe).

Check your mailbox for mail with temporary password for your account Jane Roe.


Reset end-user password by HelpDesk (compliance with password policy, password delivery by email, and end-user forced to change password on next login)

Search for the user Jane. Open the user and click Reset Password. The Reset Password window appears. Select the radio button Manually change the Password and enter Abcd1234 as the New Password. Check E-mail the new password to the user and click Reset Password.


Notice that the (default) Password Policy is displayed. The password must conform to this policy. The password can also be auto-generated by selecting the Auto-generate the Password (Randomly generated) radio button.


Check your mailbox for the new password. Logout and login with your User Login Nalin.Sardana@oracle.com and password Abcd1234. You will be prompted to change the password and answer security questions.


Checkpoint
In the last section we completed the configuration of HelpDesk user authorizations. In this section, we logged in as one of the HelpDesk admins and performed various actions authorized for HelpDesk, such as Create User, Search User, Update User Status, Bulk Modify User Details and Reset User Password. We also saw what HelpDesk is not authorized to do, such as Delete User and Create User in organizations the HelpDesk is not authorized for. Apart from this we saw how the User Login is generated according to the User ID generation policy. We also configured the email server and demonstrated the Reset Password functionality.

2.4. Configure Managers authorization for the administration of their direct reports

Purpose
The purpose of this section is to configure Managers Authorization for the administration of their direct reports. We will create a 3-level hierarchy of users. We will also create a Senior Manager role for 2nd-level managers who can perform specific searches that 1st-level managers cannot. In this step you will:

 Create ACME Taxation Users
 Create ‘ACME SeniorManagers’ Role
 Create ‘Search PostGrad’ Authorization Policy

At the end of this step, you will have the following organization structure:


Steps

Create ACME Taxation Users


2.4.1. Login as xelsysadm and create the user acmetaxexec reporting to user acmetaxmgr, who in turn reports to acmetaxdir (3-level hierarchy), under the organization ACME Taxation.

Create acmetaxdir (Acme Taxation Director)


Create acmetaxmgr (Acme Taxation Manager)


Create acmetaxexec (Acme Taxation Executive)


Create ACME SeniorManagers Role

Create the ‘ACME SeniorManagers’ Role and assign the role to user ‘acmetaxdir’. Create the Authorization Policy ‘Search PostGrad’ and assign it to the ‘ACME SeniorManagers’ Role. Configure Search so that the ‘Post Graduate’ field is searchable.

In Search Users, leave the field empty and click the arrow icon.

Then select ‘Acme Taxation Director’ from the Available list on the left.


Click Save.


Create ‘Search PostGrad’ Authorization Policy

Create the ‘Search PostGrad’ Auth Policy with Policy Name ‘Search PostGrad’, Description ‘Auth Policy given to ACME Senior Managers to search postgraduates in their own organizations’, Entity Name ‘User Management’. Give it the Permissions ‘Search User’ and ‘View User Details’ (select only the Post Graduate attribute). Specify Data Constraints as ‘ACME CAPITAL’ (Hierarchy Aware). In Assignment, specify Assign by Role as ‘ACME SeniorManagers’ and the Security Setting ‘Assignee must be a member of the User’s Organization’.

Click Next, click Finish and then click Apply.


In the Welcome tab, under the Advanced page, click User Configuration. In the left pane, from the Actions menu, select Search Configuration.


The User Search Configuration page is displayed. Scroll to Advanced Search: Search Attributes and select the attribute ‘Post Graduate’ that you want to make available for advanced search. Click the Move buttons to add the attribute for advanced search. Click Save.


Checkpoint
This completes the configuration of Managers Authorization for the administration of their direct reports.


2.5. Practice Managers’ actions to experience configured authorizations on User Administration

Purpose
After configuring the Managers Authorization, we will now login as managers and perform the administration of direct reports. We will first login as the first-level manager (acmetaxmgr) and then perform some specific administration as the second-level manager (acmetaxdir).

A summary of the ‘Search PostGrad’ authorization policy is shown below:

The authorization policies for managers are shown below:


Steps

2.5.1. Login as acmetaxmgr (Acme Taxation Manager)

Acme Taxation Manager is the first-level manager.

Search for Users – only direct reports are shown

The only person reporting to Acme Taxation Manager is Acme Taxation Executive, who is displayed. No other person in the Acme Taxation organization or in any other organization is displayed.


Advanced Search – allowed

Enter * as the search filter in the Display Name field and click Search. Acme Taxation Executive is the only report and hence the search returns only one user. Note: the screenshot shows Contains, but it should be Begins With.


View User Details (few attributes are shown)

Click on the Acme Taxation Executive user to display the user profile. Notice that only a few attributes from Basic User Information and Account Settings are displayed.


Search for Users who are Postgraduates – NOT allowed

From Advanced Search window, click Add Fields and select Post Graduate. This will add Post Graduate field as search filter.


Enter ‘Post Graduate’ as the search filter and click Search. An error message pops up telling you that you do not have search permission on the Post Graduate attribute.

In later versions of the product you may find that you cannot add ‘Post Graduate’ as a search field at all, since it is not allowed.


Logout and Login as Sr Manager ‘acmetaxdir’ (Acme Taxation Director)

Acme Taxation Director is second level manager.

Search for Users – only direct reports are shown

Acme Taxation Executive reports to Acme Taxation Manager, who in turn reports to Acme Taxation Director. A search of Users will show both the Executive and the Manager, and any users below them.


Search for Users who are Postgraduates – allowed

Using the procedure from the previous step, add Post Graduate as a search filter. Search for users who are not Post Graduates: Post Graduate Equals false. A list of users who are not Post Graduates is displayed.
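The two behaviours exercised in sections 2.4 and 2.5 (hierarchy-aware visibility of reports, and the Post Graduate search permission granted only through the ‘ACME SeniorManagers’ role) are modelled in the added example below. This is illustrative code written for this lab, not OIM's own authorization engine or API; the sample users, their organization ‘ACME Taxation’ and the post_graduate values are constructed, and the same-organization filter stands in for the policy's ‘Assignee must be a member of the User’s Organization’ setting.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class User:
    login: str
    org: str
    manager: Optional[str]              # login of the direct manager, None at the top
    roles: Set[str] = field(default_factory=set)
    post_graduate: bool = False

# Constructed sample directory mirroring the lab's 3-level ACME Taxation hierarchy
USERS = {
    "acmetaxdir": User("acmetaxdir", "ACME Taxation", None, {"ACME SeniorManagers"}),
    "acmetaxmgr": User("acmetaxmgr", "ACME Taxation", "acmetaxdir"),
    "acmetaxexec": User("acmetaxexec", "ACME Taxation", "acmetaxmgr", post_graduate=True),
    "acmehelpdesk1": User("acmehelpdesk1", "ACME Helpdesk", None),
}

def reports_to(user: User, manager_login: str) -> bool:
    """True when manager_login appears anywhere above user in the reporting chain."""
    cur, seen = user.manager, set()
    while cur is not None and cur not in seen:      # guard against cyclic data
        if cur == manager_login:
            return True
        seen.add(cur)
        cur = USERS[cur].manager
    return False

def visible_users(actor_login: str) -> List[str]:
    """Manager search scope: only the actor's own reporting subtree (hierarchy aware)."""
    return sorted(u.login for u in USERS.values() if reports_to(u, actor_login))

def can_search_attribute(actor_login: str, attribute: str) -> bool:
    """'Search PostGrad' policy: Post Graduate is searchable only through the
    ACME SeniorManagers role; other attributes follow the default manager scope."""
    if attribute != "Post Graduate":
        return True
    return "ACME SeniorManagers" in USERS[actor_login].roles

def search(actor_login: str, attribute: Optional[str] = None, value=None) -> List[str]:
    """Search as the lab's managers do; raises like the UI's 'no search permission' error."""
    if attribute is not None and not can_search_attribute(actor_login, attribute):
        raise PermissionError(f"no search permission on attribute {attribute}")
    actor = USERS[actor_login]
    result = visible_users(actor_login)
    if attribute == "Post Graduate":
        # Security setting: assignee must be a member of the found user's organization
        result = [l for l in result
                  if USERS[l].org == actor.org and USERS[l].post_graduate == value]
    return result
```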


Checkpoint
In this section we performed various administration functions carried out by Managers for their direct reports.


2.6. End-Users Self profile edit authorization

Purpose
In this section we will configure the modification of the User Self Profile. We will create Approval policies, as profile attributes will need approval before modification. In this procedure you will:

 Create the First Approval Policy (SSRUserProfileModify_RL)
 Create the Second Approval Policy (SSRUserProfileModify_OL)

Steps
Create First Approval Policy
The first approval policy will define which profile attributes end users can modify.

2.6.1. Login as xelsysadm. Create Approval Policies for the requests raised when a user modifies attributes on their own profile. Create the Approval Policy from the Advanced Identity Administration page as follows:


First Approval Policy (SSRUserProfileModify_RL):

Policy Name: SSRUserProfileModify_RL
Description: Approval Policy to Approve Self Service Request for User Profile Modification
Request Type: Modify Self Profile
Level: Request Level
Approval Process: Auto Approval

Click Next.

Note: Update the screenshot below


The Set Approval Rule and Component window appears. Set Rule Name as ‘SSRUserProfileModify_RL_Rule’ and click Add Simple Rule.


In the Add Simple Rule window, select:

Entity: Request
Attribute: Request Type
Condition: Equals
Value: Modify Self Profile
Parent Rule Container: Approval Rule

Click Save. Click Next.

Click Finish. Approval policy is created.

Create Second Approval Policy

The second approval policy will define the manager’s approval for attributes modified by end users.


Following the steps above, create the Second Approval Policy (SSRUserProfileModify_OL):

Policy Name: SSRUserProfileModify_OL
Description: Approval Policy to Approve Self Service Request for User Profile Modification
Request Type: Modify Self Profile
Level: Operation Level
All Scope: checked
Approval Process: default/RequesterManagerApproval!1.0 (select this process)

Click Next.

The Set Approval Rule and Component window appears. Set Rule Name as ‘SSRUserProfileModify_OL_Rule’ and click Add Simple Rule.

In the Add Simple Rule window select:

Entity: Request
Attribute: Request Type
Condition: Equals
Value: Modify Self Profile
Parent Rule Container: Approval Rule

Click Save.

Click Next.


Click Finish. Approval policy is created.

Checkpoint
In this section we configured the modification of the User Self Profile by creating Approval policies. We created Request Level and Operation Level approval policies, which will be used to approve the request generated when an end user modifies their own profile.

2.7. Practice Self Profile Edit as an End-user to experience configured authorizations

Purpose
In this section we will login as an end user and demonstrate the modification of the User Self Profile.

Steps
2.7.1. Login as acmetaxexec (Acme Taxation Executive)

Acme Taxation Executive is the end user.


Update profile attributes to generate a request

Click Profile -> My Profile. Edit Middle Name, Email and Telephone Number. Click Apply.


Notice that a request is generated and that none of the attributes edited in the previous step have been modified yet.


Click Requests -> My Requests and you will see that the generated request is in the status Obtaining Operation Approval. You can select the request and click Open Request Details.


A new tab Request Detail: ID opens. Click on Approval Tasks to see that the task is assigned to acmetaxmgr.


Logout and Login as acmetaxmgr (Acme Tax Manager) to view/approve the request


Click Tasks -> Search Approval Tasks. You will notice that the request from the previous step is waiting here for approval. Click Open Task Detail.


The Task Details tab opens. Click View Details in the Users tab to view more details.


Verify the end-user profile data the user has requested to change.

After checking the details, close the popup dialog box and click Approve Task. A dialog box confirming approval of the task appears. Click OK.

Logout and Login back as acmetaxexec to view updated attributes

Click Profile -> My Profile and verify that the changes made are reflected in the profile now.
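The request lifecycle just walked through, driven by the two approval policies from section 2.6 (request-level Auto Approval, then operation-level RequesterManagerApproval routed to the requester's manager), is modelled in this added example. It is illustrative code written for this lab, not OIM's request engine or SOA composite; the MANAGER_OF chain and the PROFILES store are constructed stand-ins for the user entity, and the final status name "Request Completed" is assumed.

```python
from typing import Dict, Optional

# Constructed reporting chain and profile store; in OIM these live on the user entity
MANAGER_OF = {"acmetaxexec": "acmetaxmgr", "acmetaxmgr": "acmetaxdir"}
PROFILES: Dict[str, Dict[str, str]] = {
    "acmetaxexec": {"Middle Name": "", "Email": "", "Telephone Number": ""},
}

# The two approval policies from section 2.6: a simple rule on Request Type
# (Entity Request, Condition Equals) selects the approval process at each level.
POLICIES = [
    {"name": "SSRUserProfileModify_RL", "level": "Request Level",
     "rule": {"Request Type": "Modify Self Profile"}, "process": "Auto Approval"},
    {"name": "SSRUserProfileModify_OL", "level": "Operation Level",
     "rule": {"Request Type": "Modify Self Profile"},
     "process": "default/RequesterManagerApproval!1.0"},
]

def matching_policy(request: dict, level: str) -> Optional[dict]:
    """First policy at the given level whose simple rule matches the request."""
    for policy in POLICIES:
        if policy["level"] == level and all(
                request.get(attr) == val for attr, val in policy["rule"].items()):
            return policy
    return None

def submit_request(requester: str, changes: Dict[str, str]) -> dict:
    """Self-profile edit: the change is queued as a request, never applied directly."""
    request = {"Request Type": "Modify Self Profile", "requester": requester,
               "changes": changes, "approver": None, "status": "Request Submitted"}
    rl = matching_policy(request, "Request Level")
    if rl is None or rl["process"] != "Auto Approval":
        request["status"] = "Obtaining Request Approval"   # a request-level task would be needed
        return request
    ol = matching_policy(request, "Operation Level")
    if ol is not None and "RequesterManagerApproval" in ol["process"]:
        # the composite assigns the operation-level task to the requester's manager
        request["approver"] = MANAGER_OF[requester]
        request["status"] = "Obtaining Operation Approval"
    return request

def approve_task(request: dict, actor: str) -> dict:
    """Only the assigned approver may complete the task; on approval the
    requested attribute changes are written to the profile."""
    if actor != request["approver"]:
        raise PermissionError(f"task is assigned to {request['approver']}, not {actor}")
    PROFILES[request["requester"]].update(request["changes"])
    request["status"] = "Request Completed"   # assumed final status name
    return request
```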


Checkpoint
In this section we saw the modification of the end-user Self Profile. A request was raised upon changing attributes. Upon approval by the user’s manager, the attributes were modified and reflected in the user profile.


Conclusion
In this lab, you accomplished the following:

 Enhance the OIM User schema to add a custom attribute
 Create Authorization policies for Helpdesk-oriented User Management
 Create Authorization policies for Manager-oriented User Management
 Create Authorization policies for Self-Service User Profile Management
 Create Users, Roles and Organizations

Relevant features that you should explore further:

 Extending/customizing User Create-Update-Delete events by adding custom Java code. This can be achieved by adding pre-process, validation and post-process orchestration handlers on the OIM User entity.
