
OIM 11g PS1 Workshop - Lab2


Lab 2 - Enterprise User lifecycle influenced by Delegated Administrators and End-users

Contents

Lab 2 - Enterprise User lifecycle influenced by Delegated Administrators and End-users (page 1)
1. Introduction (page 1)
2. Contents (page 4)
2.1. Extend OIM User schema (page 5)
2.2. Configure Helpdesk Users and Role Authorization (page 19)
2.3. Practice Helpdesk community actions to experience configured authorizations (page 67)
2.4. Configure Managers' authorization for the administration of their direct reports (page 91)
2.5. Practice Managers' actions to experience configured authorizations on User Administration (page 105)
2.6. End-Users' self profile edit authorization (page 116)
2.7. Practice Self Profile Edit as an End-user to experience configured authorizations (page 123)
3. Conclusion (page 134)

1. Introduction

This use case will cover the configuration and usage of OIM features to model advanced user account management scenarios within a controlled system driven by strong authorization policies. The use case will consider people with various personas - Helpdesk personnel / IT Administrators, End-users and their Managers - interacting with OIM.


Due to recent changes in the ACME user provisioning context, the current OIM user schema needs to be extended with additional attributes:

Professional Qualifications
  <Skillset> (text area)
  <Work Experience> (LOV)
  <Previous Job History Verified> (checkbox - bulk updatable)
  <Post Graduate> (checkbox - searchable)
  <Contribution to Org KM portal> (text area)

Backend Attributes
  <Employee from acquisition> (this one should not show up on the UI; backend logic will use it)

1.1. In this use case, "Helpdesk" staff needs to be created. To perform their duties, members of the Helpdesk staff need to be assigned authorization policies in OIM, which will be modeled as membership of an appropriate OIM Role. For creating and managing the lifecycle of such static roles, ACME has a process in place which is carried out by dedicated Role Owners and Access Administrators.

Members of a role named Role Owners have the rights to create any OIM role representing Helpdesk (the ACME HelpDesk Administrators role) and add it to a role category.

Once the Role Owners have created the Helpdesk role, another group of users (members of a role named Access Administrators) would have to add specific OIM users to the Helpdesk role. Of course this would be done only for those users who need to be part of the Helpdesk team and need the authorization controls described in the points below. However, it is important to keep in mind that Access Administrators cannot add members to all roles defined in the OIM deployment. If ACME wants them to be able to add members to the Helpdesk role, they need to be selectively given the privileges to do so.

1.2. Helpdesk staff get access to the OIM admin console:

To create users directly (but they cannot delete users), and only for the departments "Public Finance" and its sub-department "Taxation".

They are also asked to execute some operations in bulk on a number of users collectively (such as Enable and Disable). They can also update the "Previous Job History Verified" flag on a batch of recently hired users collectively once notified by HR (through an email).

They can modify only particular attributes of the user profile, not all of them.

When they create users for the department "Mergers and Acquisitions", the user id and password will have to be generated. The user id should be generated as follows: if an e-mail is provided, the username is generated based on the e-mail. If an e-mail is not available, the username is generated from the first name and last name by appending a user domain to it. The user domain is configured as the Default user name domain system property, and its default value is @oracle.com.

When Helpdesk resets the password for a user, it is communicated to the user through an email. The password should meet the enterprise password policy requirements. When the user logs into OIM with the helpdesk-reset password, he should be forced to change the password.
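The username-generation rule and the helpdesk password-reset flow described in 1.2, as an added worked example in Python (this is not the lab's or OIM's code). The username rule follows the text: the e-mail when one is supplied, otherwise firstname.lastname with the Default user name domain (@oracle.com, as stated). The password policy (assumed here: at least 8 characters with upper-case, lower-case and digit characters), the PBKDF2 storage and the must_change_password flag are assumptions made for illustration; OIM implements these controls through its own password policies and system properties.

```python
"""Helpdesk provisioning rules from section 1.2, modelled in plain Python.
Added example, not OIM's code. The password policy, the hashing scheme and the
account flag below are illustration assumptions."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# Mirrors the "Default user name domain" system property; the lab gives @oracle.com as its default.
DEFAULT_USER_NAME_DOMAIN = "@oracle.com"

# Assumed enterprise password policy: the lab does not state the actual rules.
MIN_PASSWORD_LENGTH = 8


def generate_user_login(first_name, last_name, email=None, domain=DEFAULT_USER_NAME_DOMAIN):
    """Username from the e-mail when one is supplied, else firstname.lastname@domain."""
    if email and email.strip():
        return email.strip().lower()
    local_part = f"{first_name}.{last_name}".lower().replace(" ", "")
    return local_part + domain


def meets_password_policy(password):
    """Assumed policy: minimum length plus upper-case, lower-case and digit classes."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def generate_temporary_password(length=12):
    """Random temporary password from a CSPRNG, regenerated until it satisfies the policy."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_password_policy(candidate):
            return candidate


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; only the hash is kept, never the clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserAccount:
    login: str
    salt: bytes
    password_hash: bytes
    must_change_password: bool = False


def create_account(login, password):
    salt = secrets.token_bytes(16)
    return UserAccount(login, salt, hash_password(password, salt))


def helpdesk_reset_password(account):
    """Helpdesk reset: store a policy-compliant temporary password and flag the
    account so the next login must replace it. The returned clear-text value is
    what would be e-mailed to the user; it is not stored."""
    temporary = generate_temporary_password()
    account.salt = secrets.token_bytes(16)
    account.password_hash = hash_password(temporary, account.salt)
    account.must_change_password = True
    return temporary


def login(account, password, new_password=None):
    """Returns 'denied', 'change_required' or 'ok'. After a helpdesk reset the
    temporary password only succeeds together with a compliant new password."""
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        return "denied"
    if account.must_change_password:
        if (new_password is None or new_password == password
                or not meets_password_policy(new_password)):
            return "change_required"
        account.salt = secrets.token_bytes(16)
        account.password_hash = hash_password(new_password, account.salt)
        account.must_change_password = False
    return "ok"
```

The temporary password never stays valid on its own: a login with it and no compliant replacement returns change_required, and once the replacement is set the temporary value is rejected.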

1.3. Managers can log in and interact with the user records

They can search only within their own hierarchies, and only view those users' details. They can build a complex search filter using advanced search. They cannot view certain specific attributes like "Pay".

Senior managers can search for users who are post-graduates in their departments.

1.4. End-users themselves log in to self-service

They can update attributes on their profile, which raises a request to the user's manager. The manager approves it and the profile gets updated.

2. Contents

2.1. Extend OIM User schema
2.2. Configure Helpdesk Users and Role Authorization
2.3. Practice Helpdesk community actions to experience configured authorizations
2.4. Configure Managers' authorization for the administration of their direct reports
2.5. Practice Managers' actions to experience configured authorizations on User Administration
2.6. End-Users' self profile edit authorization
2.7. Practice Self Profile Edit as an End-user to experience configured authorizations


2.1. Extend OIM User schema

Purpose

This step includes the configuration required to extend the OIM User schema as described above.

Steps

Log in to the Oracle Identity Manager Administration console (use xelsysadm credentials unless specified otherwise).

In the Welcome page, under Advanced Administration, click User Configuration. Alternatively, you can click the Configuration tab, and then click the User Configuration tab.


On the left pane of the console, from the Actions menu, select User Attributes. The User Attributes page is displayed with a table containing all user attributes under their respective categories.


Click Add Category or select Add Category from the Actions menu under User Attributes. A pop-up dialog box to create the category appears. Fill in the Category name as "Professional Qualifications". Click Save. A message confirming successful creation of the category appears.


Repeat the process to create another category, "Backend Attributes".


Click Create Attribute or select Create Attribute from the Actions menu. A pop-up dialog box to create the attribute appears. Fill in the details as follows and click Next:

  Attribute Name: Skillset
  Category Name: Professional Qualifications
  Back-end Attribute Name: USR_UDF_SKILLSET
  Display Type: Text Area
  Properties: Size: 200


Fill in Attribute Size as ‘200’ and Click Next

Click Save. Message confirming successful creation of attribute appears.


To add another attribute, click Create Attribute or select Create Attribute from the Actions menu. A pop-up dialog box to create the attribute appears. Fill in the details as:

  Attribute Name: Work Experience
  Category Name: Professional Qualifications
  Back-end Attribute Name: USR_UDF_WORKEXP
  Display Type: List of values (LOV)

On selecting LOV as the Display Type, the display window changes and additional options appear. Select LOV Type as Admin Configured, and use Lookup.Users.WorkExp as the LOV Code.


Fill in LOV Options as ‘1’ and LOV Options Description as ‘0-2 Yrs’ and Click Add.

Note: You can scroll down this screen to see the values just added.

Repeat to add LOV Options 2, 3, 4 and 5 with the LOV Options Description as follows:

  LOV Options    LOV Options Description
  2              2-5 Yrs
  3              5-10 Yrs
  4              10-20 Yrs
  5              20+ Yrs

This is how it looks after adding all LOV options and descriptions.


Click Next.

Fill in Attribute size as ‘10’ and Click Next and then Click Save. Message confirming successful creation of attribute appears.

Repeat the steps outlined in 2.1.6 to 2.1.8 to add more attributes as follows:

  Attribute Name: Previous Job History Verified
  Category Name: Professional Qualifications
  Back-end Attribute Name: USR_UDF_JOBHISTVER
  Display Type: Checkbox
  Properties: Bulk Updatable: Yes

  Attribute Name: Post Graduate
  Category Name: Professional Qualifications
  Back-end Attribute Name: USR_UDF_POSTGRAD
  Display Type: Checkbox
  Properties: Searchable: Yes

  Attribute Name: Contribution to Org KM portal
  Category Name: Professional Qualifications
  Back-end Attribute Name: USR_UDF_CONTKMPORTAL
  Display Type: Text Area
  Properties: Attribute Size: 500

  Attribute Name: Employee from acquisition
  Category Name: Backend Attributes
  Back-end Attribute Name: USR_UDF_ACQ
  Display Type: Checkbox
  Properties: Visible: No

Checkpoint

This completes the configuration of the extended OIM User schema. If at this point you, as the 'xelsysadm' user, view existing users, you will not see their extended attributes, because additional auth policies need to be assigned to users before these attributes are visible; we will do this in the next section. If you create a new user, you will be presented with the new attributes, as the schema is extended.

2.2. Configure Helpdesk Users and Role Authorization

Purpose

We will configure HelpDesk User and Role authorizations in this section.

(A) Create the ACME CAPITAL Organization Structure.

(B) Create a Role Administrator user, an Access Administrator user and two HelpDesk Administrator users.

(C) The Role Administrator user has the specific responsibility to create and manage roles and role categories, so we will create a corresponding role and auth policy to perform those duties.

(D) The Helpdesk user performs the specific helpdesk duties outlined in the use case, and the Access Administrator user has the specific responsibility to manage membership of the HelpDesk role for the Helpdesk Administrator staff. To achieve that, we will have the Role Administrator log in and create the roles for HelpDesk and Access Administrator. Auth Policies are still to be created by xelsysadm, so we will have xelsysadm create the auth policies for both roles. Once this is done, we will have the Access Administrator assign the HelpDesk role to the HelpDesk staff.

(E) Set up Email Notification (you may not get mails, depending on the environment on which you are practicing these labs).

Steps

(A) Create the ACME CAPITAL Organization Structure

An Organization with the Name 'ACME CAPITAL' is already pre-seeded in the OIM VM. You will create all departments below the ACME CAPITAL company:

  ACME CAPITAL
    ACME HelpDesk
    ACME Public Finance
      ACME Taxation
    ACME Mergers and Acquisitions

In the Welcome tab of the Oracle Identity Manager Administration page, under Organizations, click Create Organization. Alternatively, in the left pane, click the Browse tab. Under Organizations, from the Action menu, select Create. You can also click the Create icon on the toolbar.


Create the ACME HelpDesk Organization. Enter 'ACME HelpDesk' as Name and select Department as Type. To choose the previously created ACME CAPITAL as Parent Organization, click on Search.


A pop-up window appears in which you search for a Parent Organization whose name Begins with ACME. Select ACME CAPITAL from the Search Results and click Add. Note: the screenshot shows Contains; it should be Begins With.


Click Save and then repeat the process to create the rest of the Organization Structure as:

  ACME CAPITAL (Company)
  ACME CAPITAL -> ACME HelpDesk (Department)
  ACME CAPITAL -> ACME Public Finance (Department)
  ACME CAPITAL -> ACME Public Finance -> ACME Taxation (Department)
  ACME CAPITAL -> ACME Mergers and Acquisitions (Department)

The Organization Structure for ACME CAPITAL will look like this:


(B) Create a Role Administrator user, an Access Administrator user and two HelpDesk Administrator users.

In the Welcome page of Identity Administration, under Users, click Create New User. Alternatively, click the Administration tab on the toolbar, and then in the Browse tab, click Create New User.


In the Create User page, enter ACME as First Name and RoleAdmin as Last Name. Choose ACME CAPITAL as Organization, Employee as User Type and roleadmin as User Login. Enter Abcd123 as Password. Click Save.


Having created the Role Administrator, we will now create the Access Administrator by following the steps from 2.2.5 and 2.2.6. Enter ACME as First Name and AccessAdmin as Last Name. Choose ACME CAPITAL as Organization, Employee as User Type and accessadmin as User Login. Enter Abcd123 as Password. Click Save.

Following the steps from 2.2.5 and 2.2.6 again, we will now create two new users for the HelpDesk staff.

For the first user, enter Acme as First Name and HelpDesk1 as Last Name. Choose 'ACME HelpDesk' as Organization, Employee as User Type and acmehelpdesk1 as User Login. Enter Abcd123 as Password. Click Save.

Similarly, for the second user, enter Acme as First Name and HelpDesk2 as Last Name. Choose 'ACME HelpDesk' as Organization, Employee as User Type and acmehelpdesk2 as User Login. Enter Abcd123 as Password. Click Save.

(C) The Role Administrator user has the specific responsibility to create and manage roles and role categories, so we will create a corresponding role for this user and also create an auth policy for this user to perform those duties.

In the Welcome page of the Administration tab, under Roles, click Create Role. Alternatively, in the Browse tab of the left pane, expand Roles, and from the Actions menu, select Create Role. Otherwise, click the Create Role icon on the toolbar.


Enter 'Role Owners' as the Name of the role and click Save.


Select the Members tab of the role "Role Owners" and then click Assign to assign the user created in the last step, "ACME RoleAdmin", to this role.


Search and Select User "ACME RoleAdmin" and click Save.


On the Welcome page, under Authorization Policy, click Create Authorization Policy. Alternatively, you can click the Create Authorization Policy icon on the toolbar.


In the Policy Name field, enter the name of the authorization policy as "Role Owners - Manage Roles". In the Description field, enter a description of the authorization policy: "Auth Policy assigned to Role Owners to create and manage roles and role categories". In the Entity Name field, select the name of the feature for which you want to create the authorization policy. To create an authorization policy for role management, select Role Management. Click Next.


The Permissions page is displayed. In this page, you can select the permissions that you want to enable in the authorization policy. We will select "Create Role", "Delete Role", "Modify Role Detail", "Create Role Category", "Delete Role Category" and "Modify Role Category", and click Next.

We are not constraining Role Owners, so click Next.


The Assignment page of the Create Policy wizard is displayed. To assign roles to the authorization policy, click Add. The Assign Roles dialog box is displayed. Search for a Role Name that Begins with "Role". From the Search Results select "Role Owners" and click Add.


Click Next.

Click Finish to create the policy.


(D) The Helpdesk user performs the specific helpdesk duties outlined in the use case, and the Access Administrator user has the specific responsibility to manage membership of the HelpDesk role for the Helpdesk Administrator staff. To achieve that, we will first have xelsysadm create the Access Administrators role and assign it to the ACME AccessAdmin user, and then we will have the Role Administrator log in to create the role for HelpDesk Administrators. Auth Policies are still to be created by xelsysadm, so we will have xelsysadm log back in to create the auth policies for both roles. Once this is done, we will have the Access Administrator assign the helpdesk role to the helpdesk staff.

Follow the steps from 2.2.9 to 2.2.11 to create a role called "Access Administrators" and assign "ACME AccessAdmin" to this role.

Now log out and log in with the roleadmin credentials (to create the HelpDesk role). Note: if you are logging in as roleadmin for the first time, you will be redirected to the password management screen.

Again follow the steps from 2.2.9 and 2.2.10 to create a role called "ACME HelpDesk Administrators".

Please note that there is a pre-seeded role "ACME Help Desk Administrators" which has a space between 'Help' and 'Desk'. The one to create here is without the space.

Now log out and log in with the xelsysadm credentials to create the Auth Policies.


Follow the steps from 2.2.13 to 2.2.19 to create the Auth Policy for Access Administrators as follows:

  Policy Name: Access Administrators - Manage Role Membership
  Description: Auth Policy assigned to Access Administrators to View and Modify Role Memberships
  Entity Name: Role Management
  Permissions: View Role Membership, Modify Role Membership
  Data Constraints: ACME HelpDesk Administrators
  Policy Assignments: Role: Access Administrators

So far we have created Auth Policies for Role Management, which were assigned to roleadmin and accessadmin through their respective roles. Now we will create some auth policies for User Management, which will be assigned to acmehelpdesk1 and acmehelpdesk2, the helpdesk users who do user management for ACME.

The following image illustrates what ACME HelpDesk's users can do:


[Figure: the ACME CAPITAL organization tree (ACME HelpDesk; ACME Public Finance with child ACME Taxation; ACME Mergers and Acquisitions), annotated with what ACME HelpDesk can do:
  - Search and view details of users
  - Bulk update user status ENABLE/DISABLE
  - Reset user password and modify the user profile's Job History Verified attribute (hierarchy aware)
  - Create users (hierarchy aware)]

On the Welcome page, under Authorization Policy, click Create Authorization Policy. Alternatively, you can click the Create Authorization Policy icon on the toolbar.


In the Policy Name field, enter the name of the authorization policy as "HelpDesk CreateUser - Public Finance". In the Description field, enter a description of the authorization policy: "Auth Policy assigned to ACME HelpDesk Administrators to create users in Public Finance Org". In the Entity Name field, select the name of the feature for which you want to create the authorization policy. To create an authorization policy for user management, select User Management. Click Next.


The Permissions page is displayed. In this page, you can select the permissions that you want to enable in the authorization policy. We will select "Create User" and click Next.


The Data Constraints page of the Create Policy wizard is displayed. In this page, the options for the feature selected in the Entity Name field in the previous step are displayed. Select the option 'Users that are members of selected Organizations' to specify the organizations for whose members you want to create the authorization policy. Click Add Organization.


The Add Organization dialog box is displayed. Search for Organization name that Begins with "ACME Public Finance". Select ACME Public Finance from Search Results and click Add.


Select the checkbox "Hierarchy Aware (include all Child Organizations)" and click Next. This is done so that Helpdesk can create users in Public Finance as well as in the child organization of Public Finance (Taxation).


The Assignment page of the Create Policy wizard is displayed. To assign roles to the authorization policy: click Add. The Assign Roles dialog box is displayed. Search for Role Name that Begins with "ACME HelpDesk". From Search Results select "ACME HelpDesk Administrators" and click Add.

Click Next.


Click Finish.


Create the other Auth policies per the table below by following steps 2.2.26 to 2.2.35:

| Policy Name | Description | Entity Name | Permissions | Attributes | Data Constraints | Policy Assignments |
|---|---|---|---|---|---|---|
| HelpDesk Create User - M & A | Auth Policy assigned to ACME HelpDesk Administrators to create users in Mergers and Acquisitions Org | User Management | Create User | | ACME Mergers and Acquisitions (Hierarchy Aware) | Role: ACME HelpDesk Administrators |
| HelpDesk SearchUser | Auth Policy assigned to ACME HelpDesk Administrators to Search Users and View their Details before Updating or Modifying them | User Management | Search User; View User Details | | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators |
| HelpDesk UpdateUser | Auth Policy assigned to ACME HelpDesk Administrators to Update User Status as Enable/Disable | User Management | Modify User Status | | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators |
| HelpDesk ModifyUser | Auth Policy assigned to ACME HelpDesk Administrators to Modify User Profile attribute - Previous Job History Verified | User Management | Modify User Profile | Previous Job History Verified | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators |
| HelpDesk PasswordMgmt | Auth Policy assigned to ACME HelpDesk Administrators to reset user password | User Management | Change User Password | | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators |


Now log out and log in with accessadmin credentials to assign the role "ACME HelpDesk Administrator" to the HelpDesk staff (acmehelpdesk1 and acmehelpdesk2). Note: Since you are logging in as accessadmin for the first time, you will be redirected to the password management screen.

DON’T USE the pre-seeded role "ACME Help Desk Administrators". Note the space between ‘Help’ and ‘Desk’. The one to use here is the one without the space.

Workaround: Use the URL http://<host>:<port>/admin/faces/pages/Login.jspx instead of http://<host>:<port>/oim

Search for the role "ACME HelpDesk Administrator" and then follow the steps outlined in 2.2.11 to assign the users acmehelpdesk1 and acmehelpdesk2 as members of this role.

You will see that you are not able to search for the users acmehelpdesk1 and acmehelpdesk2 (the search doesn't return any user). This is because accessadmin is only authorized to change role membership but is not authorized to search users. To

work around this issue, create another auth policy per the table below (you need to log back in as xelsysadm):

| Policy Name | Description | Entity Name | Permissions | Attributes | Data Constraints | Policy Assignments |
|---|---|---|---|---|---|---|
| Access Administrators - Search users | Auth Policy assigned to access administrators to search users and thus be able to change role memberships | User Management | Search Users | | | Role: Access Administrators |

Now log back in as accessadmin and retry assigning the role "ACME HelpDesk Administrator" to the HelpDesk staff (acmehelpdesk1 and acmehelpdesk2).


DON’T USE the pre-seeded role "ACME Help Desk Administrators". Note the space between ‘Help’ and ‘Desk’. The one to use here is the one without the space.

Search for the role "ACME HelpDesk Administrator" and then follow the steps outlined in 2.2.11 to assign the users acmehelpdesk1 and acmehelpdesk2 as members of this role.

Bug: The system gives an ADF error and the UI doesn't show the members of this role, but if you search for the user acmehelpdesk1 and check his roles, you see that the role is assigned.


(E) Email Notification setup

To set up the Email Server, log in to the Oracle Identity Manager Administration Console. In the Welcome page, under Advanced Administration, click Create IT Resource.


Note: If this training content is being used by people who do not work for Oracle and therefore do not have Oracle email ids, they should use a JES (Java Email Server) based mail server installed and configured in the Training VM environment. Lab 1 contains the details about running this particular Email Server and using it with OIM.

Create IT Resource dialog box appears. Enter ‘Email Server’ as IT Resource Name and select ‘Mail Server’ as IT Resource Type.

Click Continue.


The UI wizard has step numbers at the top, as shown in the screenshot. In Step 2 of Create IT Resource, enter ‘false’ as Authentication, ‘mail.oracle.com’ as Server Name, enter your User Login and click Continue. Leave User Password blank.

Note: If mail.oracle.com as Server Name does not work for some reason, another value that could be used is stbeehive.oracle.com. People outside Oracle doing these labs need to use a mail server that they can reach and that doesn't require authentication.


Leave everything else at the default in Steps 3 and 4 and click Continue. In Step 5 click Continue. Step 6 confirms the creation of the IT Resource; click Finish.

You should always ensure that the relevant system property is set to the right value for the Email Server configuration to work.


Login to the Oracle Identity Manager Administration Console. In the Welcome page, under Advanced Administration, click

Search System Properties. Enter * under Search System Configuration and Click Search.


On the left pane of the window, scroll down to locate the property Email Server and click it. The System Property Detail: Email Server window appears. Ensure that the Value field is set to Email Server (the same as the IT Resource Name).


Setup UserID Generation Policy

To set up the UserId Generation Policy, select "Default policy for username generation" from the left pane of the above window. Make sure the Value field is populated as ‘oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy’, which is the default policy that we will use. If not, change it and click Save.


To set up the default domain for username generation, select ‘Default user name domain’ from the left pane of the above window. Make sure the Value field is populated and has the right domain. For our use case we will use oracle.com, which is the default. If not, change it and click Save.

We will use the default password policy, which can be checked through the Design Console if required.


Log in as xelsysadm. Open each Organization (e.g. ACME CAPITAL), click on Administrative Roles and assign the role ACME HelpDesk Administrator. Provide Read permission (which is the default). Do this for each organization, so that when you search as the user acmehelpdesk1 you can see the organization and test creating a user.

Checkpoint

This completes the configuration for HelpDesk user authorizations. We created the ACME Organization hierarchy, the HelpDesk Role, the HelpDesk Administrator users and the Authorization Policies. We assigned all these Auth Policies to the HelpDesk Administrators through the HelpDesk Role. We also did some miscellaneous configuration such as setting up the Email Server.

2.3. Practice Helpdesk communities actions to experience configured authorizations

Purpose

In this section, we will log in as one of the HelpDesk admins and perform various actions authorized for HelpDesk per the configuration in the previous section, such as: Create User, Search User, Update User Status, Bulk Modify User Details and Reset User Password. We will also see what HelpDesk is not authorized to do, such as: Delete User and Create User in Orgs it is not authorized for. Apart from this we will see how the user Login is created as per the User Id generation Policy.

Steps

2.3.1. Login as helpdesk user (either acmehelpdesk1 or acmehelpdesk2).


To execute all parts of this use case, login only as one of the two helpdesk users you’ve just created.

Create a User in ACME CAPITAL – NOT allowed

While creating the User choose Organization as ‘ACME CAPITAL’. Notice acmehelpdesk1 is NOT allowed to create a user.


Create a User in ACME Public Finance – allowed

Create a User with Organization ‘ACME Public Finance’. Choose User Login ‘acmefinuser1’ and Password ‘Abcd1234’. User

acmefinuser1 is created successfully.


Create a User in ACME Taxation which is child org of Acme Public Finance – allowed

Create a User with Organization ‘ACME Taxation’. Choose User Login ‘acmetaxuser1’ and Password ‘Abcd1234’. User

acmetaxuser1 is created successfully.


Delete the User(s) just created – NOT allowed

Search for Users with the search pattern *tax*. A list of users is displayed and the delete icon is grayed out, indicating that the logged-in user is not allowed to perform this operation. The option to delete from the Actions menu is also grayed out.


Advanced Search Users

While logged in as acmehelpdesk1, from the Welcome page of Identity Administration select Advanced Search. Enter two search criteria on Last Name: Last Name Begins With Fin and Last Name Begins With Tax. A list of users is displayed.

Bulk modify User Status (Disable, Enable) – allowed

Select all displayed users from above and click Action -> Disable.


A confirmation dialog box appears.

Click Yes.

All users are now Disabled.

To confirm this, perform same search again and now you can see Identity Status of all users is displayed as Disabled.


Note: Before moving ahead, repeat the above process to Enable all the users that were disabled.


Bulk Modify User Profile attribute (Previous Job History Verified) – allowed

While logged in as acmehelpdesk1, from the Welcome page of Identity Administration select Advanced Search. Enter the search criteria Last Name Begins With Tax and Last Name Begins With Fin. A list of users is displayed. Select all the users and click Bulk Modify. The Bulk Modify tab opens. Check the attribute Previous Job History Verified and click Save. A message confirming successful modification of the attribute appears at the top of the window.


Bulk Modify User Profile attribute (others) – NOT allowed

Follow the above process, but this time try changing some other attribute, say Start Date; you will be presented with a message saying "Access denied while trying to modify the user(s)."


Note: The actual error in screenshot is not correct.


Create a User in Mergers & Acquisitions (auto-generation of User Login from firstname & lastname).

Create a User with First Name "John", Last Name "Roe", Organization "ACME Mergers and Acquisition", User Type "Employee", Password "Abcd1234".


The user is created with User Login [email protected] from <FirstName>.<LastName>@<domain>


Create a User in Mergers & Acquisitions (auto-generation of User Login from email)

Create a User with First Name "Jane", Last Name "Roe", Organization "ACME Mergers and Acquisition", User Type "Employee" and Email as your own email id (Example: Nalin Sardana, an Oracle employee practicing this lab, will put his email as [email protected]). Only then can you see the result of the configuration as an actual mail arriving in your inbox. We also use this user for reset password in a later lab, so it is important that the new password arrives at an accessible email address.


The user is created with the User Login you specified as the email, not one generated from the name (Jane Roe).

Check your mailbox for mail with temporary password for your account Jane Roe.


Reset end-user password by HelpDesk (compliance of password policy, password delivery by email and end-user is forced to

change password on next login)

Search for User Jane. Open the User and click Reset Password. Reset Password window appears. Select Radio button Manually

change the Password and enter Abcd1234 as New Password. Check E-mail the new password to the user and Click Reset

Password.


Notice that the Password Policy (default) is displayed. The password must conform to this policy. The password can also be auto-generated by selecting the Auto-generate the Password (Randomly generated) radio button.


Check your mailbox for new password. Logout and Login with your User Login [email protected] with password

Abcd1234. You will be prompted to change the password and answer security questions.


Checkpoint

In the last section we completed the configuration for HelpDesk user authorizations. In this section, we logged in as one of the HelpDesk admins and performed various actions authorized for HelpDesk, such as: Create User, Search User, Update User Status, Bulk Modify User Details and Reset User Password. We also saw what HelpDesk was not authorized to do, such as: Delete User and Create User in Orgs HelpDesk is not authorized for. Apart from this we saw how the user Login is created as per the User Id generation Policy. We also configured the email server and demonstrated the Reset Password functionality.

2.4. Configure Managers authorization for the administration of their directs’ reports

Purpose

The purpose of this section is to configure Managers Authorization for the administration of their direct reports. We will create a 3-level hierarchy of users. We will also create a Senior Manager role for 2nd-level managers who can do specific searches that first-level managers can’t do. In this step you will:

Create ACME Taxation Users

Create ‘ACME SeniorManagers’ Role

Create ‘Search PostGrad’ Authorization Policy

At the end of this step, you will have the following organization structure:


Steps

Create ACME Taxation Users

2.4.1. Log in as xelsysadm and create the user acmetaxexec reporting to the user acmetaxmgr, who in turn reports to acmetaxdir (3-level hierarchy), under the organization ACME Taxation.

Create acmetaxdir (Acme Taxation Director)


Create acmetaxmgr (Acme Taxation Manager)


Create acmetaxexec (Acme Taxation Executive)


Create ACME SeniorManagers Role

Create ‘ACME SeniorManagers’ Role and assign the role to user ‘acmetaxdir’. Create Authorization Policy ‘Search PostGrad’ and

assign it to ‘ACME SeniorManagers’ Role. Configure Search to let ‘Post Graduate’ field be searchable.

In Search Users, leave the field empty and click the arrow icon.

Then select ‘Acme Taxation Director’ from the left list Available.


Click Save.


Create ‘Search PostGrad’ Authorization Policy

Create the ‘Search PostGrad’ Auth Policy with Policy Name ‘Search PostGrad’, Description ‘Auth Policy given to ACME Senior Managers to search postgraduates in their own organizations’, Entity Name ‘User Management’. Give it the Permissions ‘Search User’ and ‘View User Details’ (select only the Post Graduate attribute). Specify Data Constraints as ‘ACME CAPITAL’ (Hierarchy Aware). In Assignment specify Assign by Role as ‘ACME Senior Managers’ and Security Settings ‘Assignee must be a member of the User’s Organization’.

Click Next, click Finish and then click Apply.


In the Welcome tab, under Advanced page, click User Configuration. On the left pane from the Actions menu, select Search

Configuration.


The User Search Configuration page is displayed. Scroll to Advanced Search: Search Attributes and select the attribute ‘Post

Graduate’ that you want to make available for advanced search. Click the Move buttons to add the attribute for advanced search.

Click Save.


Checkpoint

This finishes the configuration of Managers Authorization for the administration of their direct reports.


2.5. Practice Managers’ actions to experience configured authorizations on User Administration

Purpose

After configuring the Managers Authorization, we will now log in as managers and perform the administration of direct reports. We will first log in as the first-level manager (acmetaxmgr) and then do some specific administration as the second-level manager (acmetaxdir).

A summary of the ‘Search PostGrad’ authorization policy is shown below:

Authorization policies for managers are shown below:


Steps

2.5.1. Login as acmetaxmgr (Acme Taxation Manager)

Acme Taxation Manager is first level manager

Search for Users – only direct reports are shown

The only person reporting to Acme Taxation Manager is Acme Taxation Executive, who is displayed. No other person in the Acme Taxation organization or any other organization is displayed.


Advanced Search – allowed

Enter * as the search filter in the Display Name field and click Search. Acme Taxation Executive is the only report and hence the search returns only one User. Note: The screenshot shows Contains, but it should actually be Begins With.


View User Details (few attributes are shown)

Click on the Acme Taxation Executive User to display the User profile. Notice a few attributes from Basic User Information and

Account Settings are displayed.


Search for Users who are Postgraduates – NOT allowed

From Advanced Search window, click Add Fields and select Post Graduate. This will add Post Graduate field as search filter.


Enter ‘Post Graduate’ as the search filter and click Search. An error message pops up telling you that you do not have the search permission on the Post Graduate attribute.

In later versions of the product you may find that ‘Post Graduate’ cannot be added as a search field at all, as it is not allowed.


Logout and Login as Sr Manager ‘acmetaxdir’ (Acme Taxation Director)

Acme Taxation Director is second level manager.

Search for Users – only direct reports are shown

Acme Taxation Executive reports to Acme Taxation Manager, who in turn reports to Acme Taxation Director. A user search will show both the Executive and the Manager, and any users below them.


Search for Users who are Postgraduates – allowed

Using the procedure listed in the previous step, add Post Graduate as a search filter. Search for Users who are not Post Graduates: Post Graduate Equals false. A list of users who are not Post Graduates is displayed.


Checkpoint

In this section we performed various administration functions carried out by Managers for their direct reports.


2.6. End-Users Self profile edit authorization

Purpose

In this section we will configure modification of the User Self Profile. We will create Approval policies, because profile attributes will need approval before modification. In this procedure you will:

Create the First Approval Policy (SSRUserProfileModify_RL)

Create the Second Approval Policy (SSRUserProfileModify_OL)

Steps

Create First Approval Policy

The first approval policy will define which profile attributes end users can modify.

2.6.1. Log in as xelsysadm. Create Approval Policies for the requests raised when a user modifies attributes on their own profile.

Create Approval Policy from Advanced Identity Administration Page as follows:


First Approval Policy (SSRUserProfileModify_RL):

Policy Name: SSRUserProfileModify_RL

Description: Approval Policy to Approve Self Service Request for User Profile Modification

Request Type: Modify Self Profile

Level: Request Level

Approval Process: Auto Approval

Click Next.



The Set Approval Rule and Component window appears. Set Rule Name to ‘SSRUserProfileModify_RL_Rule’ and click Add Simple Rule.


In the Add Simple Rule window, select:

Entity: Request

Attribute: Request Type

Condition: Equals

Value: Modify Self Profile

Parent Rule Container: Approval Rule


Click Save. Click Next.

Click Finish. The approval policy is created.

Create Second Approval Policy

The second approval policy will require the manager’s approval for attributes modified by end users.


Following the steps above, create the Second Approval Policy (SSRUserProfileModify_OL):

Policy Name: SSRUserProfileModify_OL

Description: Approval Policy to Approve Self Service Request for User Profile Modification

Request Type: Modify Self Profile

Level: Operation Level

All Scope: checked

Approval Process: default/RequesterManagerApproval!1.0

Click Next.

The Set Approval Rule and Component window appears. Set Rule Name to ‘SSRUserProfileModify_OL_Rule’ and click Add Simple Rule.

In the Add Simple Rule window, select:

Entity: Request

Attribute: Request Type

Condition: Equals

Value: Modify Self Profile

Parent Rule Container: Approval Rule

Click Save.

Click Next.

Select this process


Click Finish. The approval policy is created.

Checkpoint

In this section we configured modification of the User Self Profile by creating Approval policies. We created Request Level and Operation Level approval policies, which will be used to approve the requests generated when end users modify their own profile.

2.7. Practice Self Profile Edit as an End-user to experience configured authorizations

Purpose

In this section we will log in as an end user and demonstrate the modification of the User Self Profile.

Steps

2.7.1. Log in as acmetaxexec (Acme Taxation Executive)

Acme Taxation Executive is the end user.


Update profile attributes to generate a request

Click Profile -> My Profile. Edit Middle Name, Email and Telephone Number. Click Apply.


Notice that a request is generated and that none of the attributes edited in the previous step have changed yet.


Click Requests -> My Requests and you will see that the generated request has the status Obtaining Operation Approval. You can select the request and click Open Request Details.


A new tab, Request Detail: ID, opens. Click Approval Tasks to see that the task is assigned to acmetaxmgr.


Log out and log in as acmetaxmgr (Acme Tax Manager) to view and approve the request


Click Tasks -> Search Approval Tasks. You will notice that the request from the previous step is waiting here for approval. Click Open Task Detail.


The Task Details tab opens. Click View Details on the Users tab to see more details.


Verify the end-user profile data the user has requested to change.

After checking the details, close the popup dialog box and click Approve Task. A dialog box confirming approval of the task appears. Click OK.

Log out and log in again as acmetaxexec to view the updated attributes

Click Profile -> My Profile and verify that the changes made are reflected in the profile now.
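The following is an added example, not part of the lab or Oracle's own code: a small Python model of the two approval policies from section 2.6 and of the self-profile flow just walked through, plus the manager-scoped user search from the Sr Manager step (a manager's search returning the users at every level below them). The reporting chain, policy values and user names are the lab's; the data structures, the `Request` status names other than "Obtaining Operation Approval", and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed reporting chain from the lab: Executive -> Manager -> Director.
MANAGER_OF = {"acmetaxexec": "acmetaxmgr", "acmetaxmgr": "acmetaxdir"}
# Section 2.6's policies (SSRUserProfileModify_RL / _OL): rule value and approval process.
POLICIES = {"Request Level": ("Modify Self Profile", "Auto Approval"),
            "Operation Level": ("Modify Self Profile", "default/RequesterManagerApproval!1.0")}

def reports_of(manager: str) -> set:
    """Users at any depth below `manager`, i.e. what the manager's user search returns."""
    found = {u for u, m in MANAGER_OF.items() if m == manager}
    for u in list(found):
        found |= reports_of(u)
    return found

@dataclass
class Request:
    requester: str
    request_type: str
    changes: dict                      # attribute -> new value, held until approved
    status: str = "Request Created"    # assumed name; the lab shows only "Obtaining Operation Approval"
    assignee: Optional[str] = None

def process_for(req: Request, level: str) -> Optional[str]:
    rule_value, process = POLICIES[level]     # policy applies only when its simple rule matches
    return process if req.request_type == rule_value else None

def submit(req: Request, profiles: dict) -> Request:
    """Request-level policy runs first; the profile is untouched until every level has approved."""
    if process_for(req, "Request Level") != "Auto Approval":
        req.status = "Obtaining Request Approval"      # would need a human approver (not modelled)
        return req
    if process_for(req, "Operation Level") == "default/RequesterManagerApproval!1.0":
        req.assignee = MANAGER_OF[req.requester]       # task lands with the requester's manager
        req.status = "Obtaining Operation Approval"
        return req
    apply_changes(req, profiles)
    return req

def can_approve(req: Request, approver: str) -> bool:
    return req.status == "Obtaining Operation Approval" and approver == req.assignee

def approve(req: Request, approver: str, profiles: dict) -> None:
    if not can_approve(req, approver):
        raise PermissionError(f"{approver} is not assigned this approval task")
    apply_changes(req, profiles)

def apply_changes(req: Request, profiles: dict) -> None:
    profiles[req.requester].update(req.changes)        # only now do the attributes change
    req.status, req.assignee = "Request Completed", None
```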


Checkpoint

In this section we saw the modification of an end user's Self Profile. A request was raised upon changing attributes. Upon approval by the user's manager, the attributes were modified and reflected in the user profile.


Conclusion

In this lab, you accomplished the following:

Enhanced the OIM User schema to add a custom attribute

Created Authorization policies for Helpdesk-oriented User Management

Created Authorization policies for Manager-oriented User Management

Created Authorization policies for Self-Service User Profile Management

Created Users, Roles and Organizations

Relevant features that you should explore further:

Extending/customizing User Create-Update-Delete events by adding custom Java code. This can be achieved by adding pre-process, validation and post-process orchestration handlers on the OIM User entity.