The user management feature in Oracle Identity Manager includes the creation, update, deletion, enabling and disabling, locking, and unlocking of user accounts. This feature is described in the following sections:
User lifecycle is a term to describe the process flow of how a user entity is created, managed, and terminated in the system based on certain events or time factors.
A user entity goes through various stages in the lifecycle. The stages are non-existent, disabled, active, and deleted. Figure 11-1 depicts the different lifecycle stages, all possible transitions, and the operations that set up those transitions:
There is a possibility of process rules or business requirements being defined for each transition of the user lifecycle. You can use the sample scenarios listed in Table 11-1 to establish the link between user lifecycle transitions and business objectives.
Table 11-1 User Life Cycle and Business Objectives Sample Scenarios
| Current State | Operation | Sample Scenario | Process Description | 
|---|---|---|---|
| Non-existent | Create | HR enters user profile information for a new hire. If the new hire is not introduced to the system immediately, then HR sets a future start date for the user. | If the start date is not a future date, then the user is introduced into the system in an Active state. If the Start Date is in the future, then the create process creates the user in a disabled state. | 
| Disabled | Enable | User's start date is in effect. The system initiates provisioning for the new hire. | User is marked enabled in the system and the user is now able to login and use the system. By default, all necessary memberships and accounts are established as part of the workflow. | 
| Active | Modify | User is promoted to a new position. As a result, HR changes the job title of the user. | New resources are provisioned to the user, and old irrelevant resources are deprovisioned from the user. | 
| Active | Disable | User takes one year sabbatical from the company. HR manually disables the user on the last working day of the user. The user re-joins the company after some period. HR can make the user Active again. | User is marked disabled in the system, and the user is no longer able to login to the system. The disabled users can be made Active again. | 
| Active | Delete | User retires from the company. HR manually deletes the user on the last working day of the user. | User is marked disabled in the system, and the user is no longer able to login to the system. By default, all users' accounts are deprovisioned as part of the workflow. | 
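The transitions in Table 11-1, together with the lock and unlock account operations described in the next section, can be modelled as a small state machine. The following Python is an added illustration, not Oracle Identity Manager code; the lock threshold `MAX_LOGIN_ATTEMPTS` and the sample user `jdoe` are constructed assumptions, and only the transitions the table lists are allowed.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class State(Enum):
    NON_EXISTENT = "Non-existent"
    DISABLED = "Disabled"
    ACTIVE = "Active"
    DELETED = "Deleted"


# Lifecycle transitions exactly as Table 11-1 lists them:
# (current state, operation) -> resulting state. Anything else is rejected.
TRANSITIONS = {
    (State.DISABLED, "enable"): State.ACTIVE,
    (State.ACTIVE, "modify"): State.ACTIVE,
    (State.ACTIVE, "disable"): State.DISABLED,
    (State.ACTIVE, "delete"): State.DELETED,
}

# Assumed threshold for the automatic lock described under "Manually Locked"
# in Table 11-2; the page does not give the real value.
MAX_LOGIN_ATTEMPTS = 5


@dataclass
class User:
    login: str
    start_date: date
    state: State = State.NON_EXISTENT
    # OIM account flags, mirroring usr_locked, Manually Locked and
    # usr_login_attempts_ctr from Table 11-2. Lock and unlock are account
    # operations and never change the lifecycle state.
    locked: bool = False
    manually_locked: bool = False
    login_attempts: int = 0
    audit: list = field(default_factory=list)

    def create(self, today: date) -> State:
        """Create rule from Table 11-1: a future Start Date yields Disabled."""
        if self.state is not State.NON_EXISTENT:
            raise ValueError(f"{self.login}: user already exists")
        self.state = State.DISABLED if self.start_date > today else State.ACTIVE
        self.audit.append(("create", self.state.value))
        return self.state

    def apply(self, operation: str) -> State:
        """Apply a lifecycle operation, rejecting transitions Table 11-1 lacks."""
        key = (self.state, operation)
        if key not in TRANSITIONS:
            raise ValueError(f"{operation} is not allowed in state {self.state.value}")
        self.state = TRANSITIONS[key]
        self.audit.append((operation, self.state.value))
        return self.state

    def lock(self, manual: bool) -> None:
        """Lock the OIM account; manual=True records an administrator lock."""
        self.locked = True
        self.manually_locked = manual
        self.audit.append(("lock", "manual" if manual else "automatic"))

    def unlock(self) -> None:
        """Unlock the OIM account and reset the failed-login counter."""
        self.locked = False
        self.manually_locked = False
        self.login_attempts = 0
        self.audit.append(("unlock", ""))

    def record_login(self, password_ok: bool) -> bool:
        """Return True if the login is accepted: only Active, unlocked users may
        log in. Failures count towards an automatic lock; success resets the
        counter, as usr_login_attempts_ctr does."""
        if self.state is not State.ACTIVE or self.locked:
            return False
        if password_ok:
            self.login_attempts = 0
            return True
        self.login_attempts += 1
        if self.login_attempts >= MAX_LOGIN_ATTEMPTS:
            self.lock(manual=False)
        return False


def new_hire_scenario(today: date, start: date) -> User:
    """Walk the Table 11-1 rows in order for a constructed sample user."""
    u = User(login="jdoe", start_date=start)
    u.create(today)
    if u.state is State.DISABLED:
        u.apply("enable")   # Start Date takes effect, provisioning starts
    u.apply("modify")       # promotion: job title changes
    u.apply("disable")      # sabbatical: HR disables on the last working day
    u.apply("enable")       # user rejoins
    return u
```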
The following concepts are integral to user lifecycle management:
OIM Account is an abstraction representing a means to be authenticated to access Oracle Identity Manager. In Oracle Identity Manager, the cardinality of the relationship between user and OIM account is one-to-one. By default, users are associated with OIM accounts that allow them to access Oracle Identity Manager. However, there may be users who do not need to access Oracle Identity Manager, and therefore, may not be provisioned with an OIM account.
Some user operations, such as lock and unlock, are explicitly account operations. When locking or unlocking a user, you lock or unlock the user's OIM account.
In Oracle Identity Manager, each user has a Design Console Access attribute that controls the OIM account of the user. If the Design Console Access option for a user is selected in the UI, then the user is an End-User Administrator. If this option is not selected, then the user is an End-User.
Organization is a logical container for authorization and permission data. A user in Oracle Identity Manager must belong to one organization only. For detailed information about organizations in Oracle Identity Manager, see Chapter 13, "Managing Organizations".
Oracle Identity Manager provides easy and controlled privilege management through roles. Roles are named groups of related privileges that you grant to users or other roles. Roles are designed to ease the administration of end-user system and schema object privileges. For detailed information about roles, see Chapter 12, "Managing Roles".
Attributes are defined for the user entity in Oracle Identity Manager. These attributes are the same for all entities. You can add your own attributes to the user entity.
For each attribute of an entity, the following properties are defined in Oracle Identity Manager:
Attribute Name: The name of the attribute.
Category: All entity attributes are classified into a category. This categorization is used to organize the data in the UI. The category is only for display on the UI and is not used anywhere else. The default categories are:
Basic User Information: This category contains basic user attributes such as user first name, user last name, e-mail, manager, organization, and user type.
Account Settings: This category contains account-related attributes such as user login, identity status, account status, and global unique identifier (GUID).
Account Effective Dates: This category contains account start and end date attributes.
Provisioning Dates: This category contains provisioning date and deprovisioning date attributes.
Lifecycle: This category contains flags related to the user account, such as Manually Locked, Locked On, and Automatically Delete On. All the attributes in this category are hidden by default, so the category itself is also not visible.
System: This category contains the system controlled attributes for the user entity such as created on, password expiration date, password reset attempts, and so on.
Other User Attributes: This category contains a list of all the FA and LDAP related attributes.
CustomAttributes: This is an empty category where the user can add all the new custom attributes.
Preferences: This category contains the attributes related to user preferences. It contains various attributes such as locale, timezone, currency, date format, and so on.
Type: Indicates the type of data in the attribute. Supported types are string, number, date, and Boolean.
Properties: For each attribute, the following properties can be defined:
required: Determines whether or not every user in the repository must have a non-null value for this attribute.
system-controlled: Determines if the value can only be set and edited by the system itself.
system-can-default: Determines if the value can be set by the system to a default if no value is provided.
encryption: Determines if the value stored in the repository is encrypted. If true, then the value is encrypted but this encrypted value can be decrypted producing the original value. If false, then the value is stored as CLEAR, meaning that the stored value is not encrypted.
user-searchable: Determines if the values can be used in searches.
bulk-updatable: Determines if the field can be modified as part of a bulk modification of multiple users. Fields that are expected to be unique to users, such as username, name fields, and password, do not support bulk update. For fields with system-controlled=Yes or Unique=Yes, this property can never be set to Yes. For information about setting the properties of an attribute, see "Configuring User Attributes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
display-type: Determines how the field is displayed in the UI for creating and modifying users. It can have any one of the following values: TEXT, TEXTAREA, NUMBER, DOUBLE, CHECKBOX, DATE_ONLY, SECRET, LOV, and ENTITY.
multi-valued: Determines whether the attribute is multi-valued or not. The value of this property is either true or false. Oracle Identity Manager does not support multiple values, and therefore, this property is set to false for all user attributes.
max-size: Indicates the maximum allowed length for the specified attribute.
read-only: Indicates if the attribute has "read-only" permission only or if it is editable.
custom: Determines if the attribute is a default attribute or a user-defined attribute.
visible: Determines if the attribute is visible to the user.
Table 11-2 lists the attributes defined for the user entity in Oracle Identity Manager:
Table 11-2 Attributes Defined for User Entity
| Attribute Name | Category | Description | Data Type | Properties | LOV (default in bold) | 
|---|---|---|---|---|---|
| usr_key | Account Settings | The GUID of the user. It is autogenerated when the user is created. | number | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: Yes Max-Size: 19 Visible: No Display-Type: ENTITY | N/A | 
| act_key | Basic User Information | The GUID of the organization to which the user belongs. This is a mandatory field. | number | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: 19 Visible: Yes Display-Type: ENTITY | N/A | 
| Last Name | Basic User Information | The last name of the user. This is a mandatory field. | string | Required: Yes System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 80 Visible: Yes Display-Type: TEXT | N/A | 
| First Name | Basic User Information | The first name of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 80 Visible: Yes Display-Type: TEXT | N/A | 
| Middle Name | Basic User Information | The middle name of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 80 Visible: Yes Display-Type: TEXT | N/A | 
| Full Name | Basic User Information | The full name of the user. The full name is localized and stored at account creation time. | string | Required: No MLS: No Multi-represented: Yes System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 164 Visible: No Display-Type: TEXT | N/A | 
| Display Name | Basic User Information | The display name of the user. If not specified, then it is autogenerated while creating the user. | string | Required: No MLS: No Multi-represented: Yes System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 382 Visible: Yes Display-Type: TEXT | N/A | 
| Xellerate Type | Basic User Information | The type of user, end-user or administrator. | string | Required: Yes System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: 30 Visible: Yes Display-Type: CHECKBOX | Lookup.Users.XellerateType End-User End-User Administrator | 
| usr_password | Account Settings | The password of the user. It is stored as an encrypted value. | string | Required: Yes System-Controlled: No Encryption: Encrypt User-Searchable: No Bulk-Updatable: No Read-Only: No Max-Size: 128 Visible: Yes Display-Type: SECRET | N/A | 
| usr_disabled | Account Settings | Indicates whether the user is disabled or enabled. 0 indicates that the user is enabled. 1 Indicates that the user is disabled. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: Yes Read-Only: Yes Max-Size: 1 Visible: Yes Display-Type: CHECKBOX | N/A | 
| Status | Account Settings | The status of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: Yes Max-Size: 25 Visible: Yes Display-Type: LOV | Lookup.WebClient.Users.Status Active Disabled Deleted Disabled Until Start Date | 
| Role | Basic User Information | The role to which the user is a member. | string | Required: Yes System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: 255 Visible: Yes Display-Type: LOV | Lookup.Users.Role Full-Time Part-Time Temp Intern Consultant EMP CWK NONW OTHER Contractor | 
| User Login | Account Settings | The login ID of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 256 Visible: Yes Display-Type: TEXT | N/A | 
| usr_manager_key | Basic User Information | The GUID of the user's manager. | number | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: 19 Visible: Yes Display-Type: ENTITY | N/A | 
| Start Date | Account Effective Dates | The start date of the user. | date | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: - Visible: Yes Display-Type: DATE_ONLY | N/A | 
| End Date | Account Effective Dates | The end date of the user. | date | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: - Visible: Yes Display-Type: DATE_ONLY | N/A | 
| usr_provisioning_date | Provisioning Dates | The date on which the user profile has been created in Oracle Identity Manager. | date | Required: No System-Controlled: No Encryption: Clear Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: - Visible: Yes Display-Type: DATE_ONLY | N/A | 
| usr_deprovisioning_date | Provisioning Dates | The date when the resources will be deprovisioned from the user. | date | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: - Visible: Yes Display-Type: DATE_ONLY | N/A | 
| usr_provisioned_date | System | The date when the resources have been provisioned to the user. | date | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: Yes Max-Size: - Visible: No Display-Type: DATE_ONLY | N/A | 
| usr_deprovisioned_date | System | The date when the resources are deprovisioned from the user. | date | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: Yes Max-Size: - Visible: No Display-Type: DATE_ONLY | N/A | 
|  | Basic User Information | The e-mail address of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 256 Visible: Yes Display-Type: TEXT | N/A | 
| usr_locked | Account Settings | Indicates whether the user account is locked or unlocked. The value 0 indicates that the account is unlocked. The value 1 indicates that the account is locked. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Update: No Read-Only: Yes Max-Size: 1 Visible: Yes Display-Type: LOV | Users.Lock User 0 1 | 
| Locked On | Lifecycle | The date on which the user account has been locked. | date | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: - Visible: No Display-Type: DATE_ONLY | N/A | 
| Automatically Delete On | Lifecycle | The date on which the user account will be automatically deleted. | date | Required: No System-Controlled: No Encryption: Clear Searchable: Yes Bulk-Updatable: Yes Read-Only: Yes Max-Size: - Visible: No Display-Type: DATE_ONLY | N/A | 
| Manually Locked | Lifecycle | Indicates whether the user account has been automatically or manually locked. 1 indicates that the account has been manually locked by an administrator. 0 indicates that the account has been automatically locked, for instance, on exceeding the maximum number of login attempts with incorrect password. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 1 Visible: No Display-Type: TEXT | N/A | 
| usr_login_attempts_ctr | System | The number of times the user has tried logging in with incorrect password. It is set to 0 at every successful login. | number | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 19 Visible: No Display-Type: NUMBER | N/A | 
| usr_create | System | The date on which the user has been created. | date | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: Yes Max-Size: - Visible: No Display-Type: DATE_ONLY | N/A | 
| usr_update | System | The date on which the user has been last updated. | date | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: Yes Max-Size: - Visible: No Display-Type: DATE_ONLY | N/A | 
| usr_timezone | Preferences | The timezone preference of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: 100 Visible: Yes Display-Type: TIME_ZONE | N/A | 
| usr_locale | Preferences | The locale preference of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: 100 Visible: Yes Display-Type: LOV | Notification.Languages English French German Italian Spanish Brazilian Portuguese Japanese Korean Simplified Chinese Traditional Chinese Arabic Czech Danish Dutch Finnish Greek Hebrew Hungarian Norwegian Polish Portuguese Romanian Russian Slovak Swedish Thai Turkish | 
| usr_pwd_cant_change | System | This field is currently not used. | string | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 1 Visible: No Display-Type: CHECKBOX | N/A | 
| usr_pwd_must_change | System | This field is currently not used. The value 0 indicates that the password is not required to be changed. The value 1 mandates that the user changes the password. | string | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 1 Visible: No Display-Type: CHECKBOX | N/A | 
| usr_pwd_never_expires | System | This field is currently not used. The value 0 indicates that the password will expire. The value 1 indicates that password never expires. | string | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 1 Visible: Yes Display-Type: CHECKBOX | N/A | 
| usr_pwd_expire_date | System | The date on which the password will expire. Valid if Password Never Expires is 0. | date | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: - Visible: No Display-Type: DATE_ONLY | N/A | 
| usr_pwd_warn_date | System | The date after which the user will be warned to change the password. | date | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Update: No Read-Only: Yes Max-Size: - Visible: No Display-Type: DATE_ONLY | N/A | 
| usr_pwd_expired | System | Indicates whether the user password has expired. If so, then the password must be reset. The value 0 indicates that password has not expired. The value 1 indicates that password has expired. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Update: No Read-Only: Yes Max-Size: 1 Visible: No Display-Type: CHECKBOX | N/A | 
| usr_pwd_warned | System | Indicates whether the user has been warned to change the password. 0 indicates that the user has not been warned to change the password yet. 1 indicates that the user has been warned to change the password. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 1 Visible: No Display-Type: CHECKBOX | N/A | 
| usr_pwd_reset_attempts_ctr | System | The number of times the user has tried resetting the password with incorrect answers to challenge questions. It is set to 0 at every successful reset password. | number | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 19 Visible: No Display-Type: NUMBER | N/A | 
| usr_change_pwd_at_next_logon | System | Indicates whether the user must change his password at next login. The value 1 indicates that the user must reset password at next login. The value 0 indicates that user does not need to reset password at next login. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Update: No Read-Only: Yes Max-Size: 1 Visible: No Display-Type: CHECKBOX | N/A | 
| usr_data_level | System | Indicates the kind of operation, such as add, modify, or delete, supported on this record. The possible values for this column are: 0: Indicates that this row can be updated or deleted 1: Indicates that this row cannot be updated and deleted 2: Indicates that the row can only be modified and cannot be deleted 3: Indicates that the row can only be deleted and cannot be modified | string | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 1 Visible: No Display-Type: TEXT | N/A | 
| usr_pwd_min_age_date | System | If set, then it indicates the date before which the user password cannot be changed. | date | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: - Visible: No Display-Type: DATE_ONLY | N/A | 
| usr_createby | System | The GUID of the user who created this user. | number | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 19 Visible: No Display-Type: ENTITY | N/A | 
| usr_updateby | System | The GUID of the user who updated this user. | number | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 19 Visible: No Display-Type: ENTITY | N/A | 
| usr_created | System | This is not currently used in Oracle Identity Manager. | date | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 19 Visible: No Display-Type: DATE_ONLY | N/A | 
| usr_policy_update | System | This is used to re-evaluate the user's policies. To re-evaluate object policies for any user to whom the current policy applies, evaluate the UPP and UPD tables to get list of users for the current policy. For each user found, set the policy_update flag. Attach as a post-insert, post-update and post_delete event handler to tcPOP. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: Yes Read-Only: Yes Max-Size: 1 Visible: No Display-Type: TEXT | N/A | 
| Country | Other User Attributes | The country of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 100 Visible: Yes Display-Type: TEXT | N/A | 
| Department Number | Other User Attributes | The department number of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 80 Visible: Yes Display-Type: TEXT | N/A | 
| Description | Other User Attributes | The description of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 2000 Visible: Yes Display-Type: TEXT | N/A | 
| Common Name | Other User Attributes | The common name of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 240 Visible: Yes Display-Type: TEXT | N/A | 
| Employee Number | Other User Attributes | The employee number of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 80 Visible: Yes Display-Type: TEXT | N/A | 
| Fax | Other User Attributes | The FAX number of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 20 Visible: Yes Display-Type: TEXT | N/A | 
| Generation Qualifier | Other User Attributes | The Generation Qualifier for the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 20 Visible: Yes Display-Type: TEXT | N/A | 
| Hire Date | Other User Attributes | The hire date of the user. | date | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: - Visible: Yes Display-Type: DATE_ONLY | N/A | 
| Home Phone | Other User Attributes | The home phone number of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 20 Visible: Yes Display-Type: TEXT | N/A | 
| Locality Name | Other User Attributes | The locality name of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 80 Visible: Yes Display-Type: TEXT | N/A | 
| Mobile | Other User Attributes | The mobile number of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 20 Visible: Yes Display-Type: TEXT | N/A | 
| Pager | Other User Attributes | The pager number of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 20 Visible: Yes Display-Type: TEXT | N/A | 
| Home Postal Address | Other User Attributes | The home postal address of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 256 Visible: Yes Display-Type: TEXT | N/A | 
| Postal Address | Other User Attributes | The postal address of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 256 Visible: Yes Display-Type: TEXT | N/A | 
| Postal Code | Other User Attributes | The postal code of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 230 Visible: Yes Display-Type: TEXT | N/A | 
| PO Box | Other User Attributes | The PO box number of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 20 Visible: Yes Display-Type: TEXT | N/A | 
| State | Other User Attributes | The state of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 80 Visible: Yes Display-Type: TEXT | N/A | 
| Street | Other User Attributes | The street name in the user's address. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 80 Visible: Yes Display-Type: TEXT | N/A | 
| Telephone Number | Other User Attributes | The telephone number of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 20 Visible: Yes Display-Type: TEXT | N/A | 
| Title | Other User Attributes | The title of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 80 Visible: Yes Display-Type: TEXT | N/A | 
| Initials | Other User Attributes | The initials of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 10 Visible: Yes Display-Type: TEXT | N/A | 
| Password Generated | System | This flag indicates whether the password has been autogenerated for the user. | string | Required: No System-Controlled: Yes Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: Yes Max-Size: 1 Visible: No Display-Type: TEXT | N/A | 
| LDAP Organization | Other User Attributes | User organization name in LDAP. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 80 Visible: Yes Display-Type: TEXT | N/A | 
| LDAP Organization Unit | Other User Attributes | User organization unit in LDAP, such as department or any subentity of a larger entity. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 80 Visible: Yes Display-Type: TEXT | N/A | 
| LDAP GUID | Other User Attributes | User global unique identifier in LDAP. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 256 Visible: Yes Display-Type: TEXT | N/A | 
| LDAP DN | Other User Attributes | User distinguished name in LDAP. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 256 Visible: Yes Display-Type: TEXT | N/A | 
| FA Language | Preferences | Language of the user for LDAP environment. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: 100 Visible: No Display-Type: TEXT | NA | 
| Embedded Help | Other User Attributes | Indicates whether to suppress the help popups on rollover. This attribute is not interpreted by Oracle Identity Manager and is used to persist values in LDAP. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: No Max-Size: 10 Visible: No Display-Type: LOV | Lookup.Users.EmbeddedHelp true false | 
| Number Format | Other User Attributes | The number format preference of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: No Max-Size: 30 Visible: No Display-Type: LOV | Lookup.Users.NumberFormat #,##0.##[.,] #,##0.###[\u00A0,] #,##0.### #,##0.###;#,##0.###- #,##0.###[.,] #,##0.###;(#,##0.###)[.,] #,##0.##[\u00A0,] #,##0.###['.] #,##0.###[',] | 
| Date Format | Other User Attributes | The date format preference of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: No Max-Size: 20 Visible: No Display-Type: LOV | Lookup.Users.DateFormat MM-dd-yyyy MM-dd-yy MM.dd.yyyy MM.dd.yy MM/dd/yyyy MM/dd/yy M-d-yyyy M-d-yy M.d.yyyy M.d.yy M/d/yyyy M/d/yy dd-MM-yyyy dd-MM-yy d-M-yyyy d-M-yy dd.MM.yyyy dd.MM.yy d.M.yyyy d.M.yy dd/MM/yyyy dd/MM/yy d/M/yyyy d/M/yy yyyy-MM-dd yy-MM-dd yyyy-M-d yy-M-d yyyy.MM.dd yy.MM.dd yyyy.M.d yy.M.d yy. M. d yyyy/MM/dd yy/MM/dd yyyy/M/d yy/M/d | 
| Time Format | Other User Attributes | The time format preference of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: No Max-Size: 20 Visible: No Display-Type: LOV | Lookup.Users.TimeFormat HH.mm HH.mm.ss HH:mm HH:mm:ss H:mm H:mm:ss H.mm H.mm.ss a hh.mm a hh.mm.ss a hh:mm a hh:mm:ss ah:mm ah:mm:ss hh.mm a hh.mm.ss a hh:mm a hh:mm:ss a | 
| Currency | Other User Attributes | The preferred currency code of the user. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: No Max-Size: 20 Visible: No Display-Type: LOV | Lookup.Users.Currency | 
| Font Size | Other User Attributes | The preferred font size of the user, such as large or medium. This is related to the Accessibility feature. This attribute is not interpreted by Oracle Identity Manager and is used to persist values in LDAP. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: No Max-Size: 10 Visible: No Display-Type: LOV | Lookup.Users.FontSize LARGE MEDIUM | 
| Color Contrast | Other User Attributes | The preferred color contrast of the user, such as standard or high. This is related to the Accessibility feature. This attribute is not interpreted by Oracle Identity Manager and is used to persist values in LDAP. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: No Max-Size: 10 Visible: No Display-Type: LOV | Lookup.Users.ColorContrast STANDARD HIGH | 
| Accessibility Mode | Other User Attributes | The preferred accessibility feature of the user, such as Screen Reader Optimized or Standard Accessibility. This attribute is not interpreted by Oracle Identity Manager and is used to persist values in LDAP. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: No Bulk-Updatable: No Read-Only: No Max-Size: 20 Visible: No Display-Type: LOV | Lookup.Users.AccessibilityMode screenReader inaccessible default | 
| FA Territory | Preferences | Region of the user for LDAP environment. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: No Read-Only: No Max-Size: 100 Visible: No Display-Type: LOV | NA | 
| User Name Preferred Language | Preferences | The preferred language of the user, used to show the display name of the user in that language. Note: The preference can be stored in Oracle Identity Manager, but it is not honored on the Oracle Identity Manager UI. | string | Required: No System-Controlled: No Encryption: Clear User-Searchable: Yes Bulk-Updatable: Yes Read-Only: No Max-Size: 20 Visible: No Display-Type: LOV | Select MLS_LOCALE_CODE as USR_NAME_PREFERRED_LANG from mls_locale where locale_flag=0 OR locale_flag=1 order by mls_locale_code asc | 
You can perform the following user management tasks in the Oracle Identity Administration:
In Oracle Identity Manager Administration, you can perform the following types of search operations for the user entity:
The search operation lets you search user entities based on the search strings that you specify as search attributes. This operation is also referred to as simple search or quick search.
The search feature is described in the following topics:
The default set of attributes across which search is conducted are:
User Login
First Name
Last Name
Display Name
The search comparator for the search operation is set to Begins With. The search comparator can be combined with wildcard characters to specify a search condition. The asterisk (*) character is used as a wildcard character.
The search string is not case-sensitive. Only the asterisk (*) character is supported as a wildcard in the search string. Oracle Identity Manager Administration removes any leading or trailing white space from the search string. For performance reasons, any leading occurrences of (*) in the search string are also removed, so a search cannot be forced to scan for a substring in the middle of an attribute value.
The conjunction operator for the search operation is by default set to be OR.
The relationships between the search attributes, search comparator, search string, and conjunction operator is described by using the following query composition formula:
Query begins with ((attribute 1 begins with 'search string') or (attribute 2 begins with 'search string') or …)
For example, if you enter Jo* as the search text, then the search operation forms an internal query where User Login begins with Jo* or First Name begins with Jo* or Last Name begins with Jo* or Display Name begins with Jo*. As a result, all the users whose user login, first name, last name, or display name starts with Jo are displayed.
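The following Python model of the simple search is added here to make the query composition concrete; it is not part of the Oracle documentation and is not Oracle Identity Manager code. It applies the rules described above: the search string is trimmed, leading asterisks are dropped, the asterisk is the only wildcard, matching is case-insensitive and Begins With, the four default attributes are OR-conjoined, and users whose status is Deleted are never returned. The user records are constructed sample data and the attribute names follow the page's display names.

```python
import re

# The default attributes the simple search runs across (from the page).
SIMPLE_SEARCH_ATTRIBUTES = ("User Login", "First Name", "Last Name", "Display Name")

# Constructed sample users; not data from any real OIM instance.
SAMPLE_USERS = [
    {"User Login": "JDOE", "First Name": "John", "Last Name": "Doe",
     "Display Name": "John Doe", "Status": "Active"},
    {"User Login": "MJONES", "First Name": "Mary", "Last Name": "Jones",
     "Display Name": "Mary Jones", "Status": "Disabled"},
    {"User Login": "ASMITH", "First Name": "Joseph", "Last Name": "Smith",
     "Display Name": "Joe Smith", "Status": "Deleted"},
    {"User Login": "BLEE", "First Name": "Bob", "Last Name": "Lee",
     "Display Name": "Bob Lee", "Status": "Active"},
]


def normalize_search_string(text):
    """Trim surrounding white space and drop leading wildcards, as the search does."""
    return text.strip().lstrip("*")


def begins_with_pattern(search_string):
    """Compile a case-insensitive Begins With matcher in which '*' is the only wildcard.

    Every other character is matched literally, so regex metacharacters typed by a
    user (for example '.' or '(') cannot change the meaning of the query.
    """
    parts = [re.escape(part) for part in search_string.split("*")]
    return re.compile("^" + ".*".join(parts), re.IGNORECASE)


def compose_query(search_string, attributes=SIMPLE_SEARCH_ATTRIBUTES):
    """Render the OR-conjoined query from the page's query composition formula."""
    normalized = normalize_search_string(search_string)
    return " or ".join(f"({attr} begins with '{normalized}')" for attr in attributes)


def simple_search(search_string, users=SAMPLE_USERS, attributes=SIMPLE_SEARCH_ATTRIBUTES):
    """Return the display names of matching users, excluding users with status Deleted."""
    pattern = begins_with_pattern(normalize_search_string(search_string))
    hits = []
    for user in users:
        if user["Status"] == "Deleted":
            continue
        if any(pattern.match(user.get(attr, "")) for attr in attributes):
            hits.append(user["Display Name"])
    return hits


if __name__ == "__main__":
    print(compose_query("Jo*"))
    print(simple_search("Jo*"))
```

Note that `simple_search("J*Smith")` returns nothing even though the constructed Joe Smith record matches the pattern, because that record has status Deleted; this is the behaviour the Note about deleted users describes, and it is worth remembering when a search appears to "lose" a user.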
Result attributes define the set of attributes that are to be returned by the search operation. The actual set of result attributes, however, are determined dynamically based on user's permissions.
Note:
The search results do not include deleted users, which means users with status = Deleted.
The limited search result table shows a subset of the columns of the full search result table. User configuration specifies the columns to display in the search results, and the subset to display in the limited search result table. For more details about configuration management, see "Configuring User Attributes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
The simple search result table displays the Display Name attribute only. Here, the Display Name of all those users whose Display Name, User Login, First Name, or Last Name attribute value begins with the search text is displayed in the search result.
You can perform sorting and paging of the displayed data in the search results table.
Tip:
When you scroll up or down, the page index changes. Each page contains a fixed set of entries. When page index changes and the next required page is not within the UI, the UI triggers an event. As a response to this event, the result page is displayed.
Each column in the search result table has up and down arrows. Clicking the up or down arrow of a column selects that attribute as the sort attribute and sets the sort order.
This section describes the operations that you can perform based on selection of row(s) in the search results table. It is divided into single selection operations and bulk or multiple selection operations.
You can perform the following single selection operations by selecting a user from the search results table:
View detail
Modify, only if the user status is active
Enable, only if the user status is disabled
Disable, only if the user status is enabled
Lock, only if the selected user's account is unlocked
Unlock, only if the selected user's account is locked
Reset password
Delete
You can perform the following bulk or multiple selection operations by selecting multiple users from the search results table:
Enable, only if the user status is disabled
Disable, only if the user status is enabled
Lock, only if the selected user's account is unlocked
Unlock, only if the selected user's account is locked
Delete
To perform a simple search and display the details of the user:
Login to Oracle Identity Manager Administration.
To search users, in the left pane, select Users from the drop-down list.
In the search field, enter a search criterion. You can include wildcard characters (*) in your search criterion.
Click the icon to the right of the search field. The search result is displayed in the left pane that shows the display names of the users that matches the search criterion you specified.
The advanced search options are displayed in the right pane of Oracle Identity Manager Administration. The advance search allows you to specify more complex search criteria than the simple search criteria. The results are displayed in search results tables.
The advanced search operation is described in the following sections:
You specify the search criteria in the Advanced Search page. This page lets you create a search query that consists of multiple criteria. Each criterion consists of:
The attribute to search against
The search comparator, such as equals and begins with
The values to search for
A criterion takes more than one value when its comparator requires two or more values, for example, range searches on numeric fields or date ranges on date fields. When you specify multiple search criteria, you must also specify the AND or OR conjunction operator for the search operation.
The search comparators that the Advanced Search page supports are predefined in Oracle Identity Manager. Each comparator specifies the kind of attribute (data type) it supports, and also the number of input data fields it requires.
Table 11-3 lists the comparators supported by advanced search:
The conjunction operators for the search operation are:
All: Search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.
Any: Search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.
Searchable attributes define the set of attributes that you can use in the Advanced Search page. While creating the search criteria, you can select the attributes that you want to search against from this base list.
Only a subset of the searchable attributes, called default fields in Table 11-4, is displayed by default in the Advanced Search page. You can add additional searchable attributes to the page by using the Add Fields functionality. Each attribute also specifies the comparators it supports.
Table 11-4 Default Search Attributes
| Attribute | Comparators Available | Default Fields | 
|---|---|---|
| Display Name | Begins With, Equals | Yes | 
| User Login | Begins With, Equals | Yes | 
| First Name | Begins With, Equals | Yes | 
| Last Name | Begins With, Equals | Yes | 
| Identity Status | Equals, Not Equals | Yes | 
| Organization | Equals, Begins With | Yes | 
|  | Begins With, Equals | Yes | 
| Start Date | Equals, Before, After, Range | Yes | 
| End Date | Equals, Before, After, Range | Yes | 
Note:
You can configure the attributes that are searchable in User Management Configuration.
The searchable attributes configured for advanced search must be a subset of the attributes defined for the User Entity that are marked with the Searchable = Yes property.
The search results table is displayed in the same tab as the Advanced Search page so that the user can view the query they searched by along with the search results. The table, being in the right pane, is always displayed as the full search results table.
If your search returns a lot of information, you can hide one or more columns in the search results table. For example, if your table contains 20 columns, you might want to display only the eight most-important columns, so you do not have to keep scrolling through the less important information.
To hide one or more columns, open the Search Results pane, click View, and deselect the columns you want to hide. A status message displays along the bottom of all search tables to identify how many columns are currently hidden in a particular table view. Figure 11-2 shows that the user has hidden three columns.
The search results do not include deleted users unless you explicitly select the Identity Status attribute in the Advanced Search page and specify the criterion Identity Status Equals Deleted. In that case, deleted users are returned as part of the search results.
To perform an advanced search operation and display the search result:
In the Welcome page of Oracle Identity Manager Administration, under Users, click Advanced Search - Users. Alternatively, you can click Administration, and under the Browse tab, click Advanced Search: Users.
Select All or Any conjunction operator. For information about these operators, see "Conjunction Operator".
Specify a search criterion in the fields. You can include wildcard characters (*) in your search criterion. For performance reasons, initial (prefix) wildcards are removed. Select the search comparators in the lists adjacent to the fields. See Table 11-3, "Advanced Search Comparators" for information about the advanced search comparators.
Note:
An asterisk wildcard character (*) search on the Identity Status field returns only the users with Active, Disabled, and Disabled Until Start Date statuses, but not users with Deleted status. To search for users with Deleted status, you must enter Deleted in the Identity Status field.
To add a field in the search criteria, click Add Fields, and then select the field name from the list.
Click Search. The user records that match your search criteria are displayed in the search results table.
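The following Python model of the advanced search is added here to show how the pieces above fit together; it is not part of the Oracle documentation and is not Oracle Identity Manager code. It evaluates a list of criteria, each an (attribute, comparator, values) triple using the comparators from Table 11-4, under the All (AND) or Any (OR) conjunction operator, drops prefix wildcards, treats the asterisk as the only wildcard, and returns deleted users only when a criterion explicitly states Identity Status Equals Deleted. The users are constructed sample data, dates are given as ISO strings as an assumed input format, and the attribute names follow the page's display names.

```python
import re
from datetime import date

# Constructed sample users; not data from any real OIM instance.
SAMPLE_USERS = [
    {"User Login": "JDOE", "First Name": "John", "Last Name": "Doe", "Display Name": "John Doe",
     "Identity Status": "Active", "Organization": "Engineering", "Start Date": "2023-03-15"},
    {"User Login": "MJONES", "First Name": "Mary", "Last Name": "Jones", "Display Name": "Mary Jones",
     "Identity Status": "Disabled", "Organization": "Sales", "Start Date": "2024-06-01"},
    {"User Login": "ASMITH", "First Name": "Joseph", "Last Name": "Smith", "Display Name": "Joe Smith",
     "Identity Status": "Deleted", "Organization": "Engineering", "Start Date": "2022-01-10"},
    {"User Login": "BLEE", "First Name": "Bob", "Last Name": "Lee", "Display Name": "Bob Lee",
     "Identity Status": "Active", "Organization": "Sales", "Start Date": "2023-11-20"},
]

DATE_ATTRIBUTES = {"Start Date", "End Date"}


def _text_matcher(value, exact):
    """'*' is the only wildcard; prefix wildcards are dropped unless the value is only '*'."""
    value = re.sub(r"^\*+(?=.)", "", value.strip())
    body = ".*".join(re.escape(part) for part in value.split("*"))
    return re.compile("^" + body + ("$" if exact else ""), re.IGNORECASE)


def _compare(attribute, comparator, actual, values):
    """Apply one comparator from Table 11-4 to one attribute value."""
    if attribute in DATE_ATTRIBUTES:
        actual = date.fromisoformat(actual)
        bounds = [date.fromisoformat(v) for v in values]
        if comparator == "Equals":
            return actual == bounds[0]
        if comparator == "Before":
            return actual < bounds[0]
        if comparator == "After":
            return actual > bounds[0]
        if comparator == "Range":
            return bounds[0] <= actual <= bounds[1]
    else:
        if comparator == "Equals":
            return _text_matcher(values[0], True).match(actual) is not None
        if comparator == "Not Equals":
            return _text_matcher(values[0], True).match(actual) is None
        if comparator == "Begins With":
            return _text_matcher(values[0], False).match(actual) is not None
    raise ValueError(f"comparator {comparator!r} is not supported for {attribute!r}")


def _asks_for_deleted(criteria):
    """True only for an explicit 'Identity Status Equals Deleted' criterion."""
    return any(attr == "Identity Status" and comp == "Equals"
               and values[0].strip().lower() == "deleted"
               for attr, comp, values in criteria)


def advanced_search(criteria, conjunction="All", users=SAMPLE_USERS):
    """Return the user logins matching the criteria under the All/Any conjunction."""
    combine = all if conjunction == "All" else any
    include_deleted = _asks_for_deleted(criteria)
    hits = []
    for user in users:
        if user["Identity Status"] == "Deleted" and not include_deleted:
            continue
        if combine(_compare(attr, comp, user[attr], values) for attr, comp, values in criteria):
            hits.append(user["User Login"])
    return hits


if __name__ == "__main__":
    print(advanced_search([("Identity Status", "Equals", ["*"])]))
    print(advanced_search([("Identity Status", "Equals", ["Deleted"])]))
```

The two calls at the bottom reproduce the Note above: a wildcard on Identity Status returns every status except Deleted, and only the literal value Deleted brings deleted users back. The `Not Equals` comparator behaves the same way, so `Identity Status Not Equals Active` does not surface deleted users either.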
You can create a new user in Oracle Identity Manager by using the Create User page. You can open this page only if you are authorized to create users as determined by the authorization policy on the Create User privilege on any organization in Oracle Identity Manager.
To create a user:
Login to Oracle Identity Manager Administration.
Open the Create User page. To do so, perform any one of the following:
In the Welcome page, under Users, click Create Users.
Click the Administration tab on the tool bar, and in the Welcome page, under Users, click Create Users.
Click the Search Results tab, and from the Action menu, select Create User.
In the Search Results tab, click the Create User icon on the toolbar.
The Create User page displays input fields for user profile attributes. The attributes that are displayed in the create user page are determined by the configuration of the Create User page in User Management Configuration. In this configuration, each of the attributes defined for the user entity is marked as being available on the Create User page.
See Also:
"Configuring User Attributes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about configuring the Create User page
Enter details of the user in the Create User page. Table 11-5 describes the fields in the Create User page:
Table 11-5 Fields in the Create User Page
| Section | Field | Description | 
|---|---|---|
| Basic User Information | First Name | First name of the user. | 
| Middle Name | Middle name of the user. | |
| Last Name | Last name of the user. | |
| Design Console Access | The OIM User type of the user. It can have one of two values, End-User and End-User Administrator. The OIM User type determines whether or not the user can log in to the Oracle Identity Manager Design Console. If the Design Console Access check box is selected, then the user type is End-User Administrator and the user has access to the Design Console. | |
|  | E-mail address of the user. | |
| Manager | The reporting manager of the user. | |
| Organization | The organization to which the user belongs to. | |
| User Type | The type of employee, such as full-time employee, intern, contractor, part-time employee, consultant, or temporary. | |
| Display Name | It can have localized values, which can be added by clicking Manage Localizations, and selecting from a list of languages. Display Name is available in 33 languages. | |
| Account Settings | User Login | The user name to be specified for logging in to the Administration Console. | 
| Password | The password to be specified for logging in to the Administration console. | |
| Confirm Password | The password to be re-entered for confirmation. | |
| Account Effective Dates | Start Date | The date when the user will be activated in the system. | 
| End Date | The date when the user will be deactivated in the system. | |
| Provisioning Dates | Provisioning Date | Date when user is getting provisioned into the system. | 
| Deprovisioning Date | Date when the user is getting deprovisioned from the system. | |
| Other User Attributes | Country | The country where user resides. | 
| Department Number | The department number of the user. | |
| Common Name | The common name of the user. | |
| Employee Number | The employee number of the user. | |
| Fax | The fax number of the user. | |
| Generation Qualifier | The generation qualifier of the user's name, such as Jr., Sr., or III. | |
| Hire Date | The hiring date of the user. | |
| Home Phone | The home phone number of the user. | |
| Locality Name | The name of the locality where user resides. | |
| Mobile | The mobile number of the user. | |
| Pager | The pager number of the user. | |
| Home Postal Address | The house address of the user. | |
| Postal Address | The postal address of the user. | |
| Postal Code | The postal code number of the user's address. | |
| PO Box | The post box number of the user's address. | |
| State | The state name of the user. | |
| Street | The street name where the user resides. | |
| Telephone Number | The telephone number of the user's residence. | |
| Title | The title for the user. | |
| Initials | The initials of the user. | 
You can enter attribute values in more than one language in the pages for creating or updating entities, such as users, organizations, and roles.
After you enter the user information, click Save to create the user.
Tip:
Users can be created by any one of the following methods:
By using Oracle Identity Administration
By self registration
By creating a request
By using SPML Web service or APIs
For all the above methods, Oracle Identity Manager uses the default password policy or Password Policy against Default Rule. If you want to use a different password policy, then you must attach the new password policy to the default rule by using the Design Console. To do so, see "Managing Password Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
The view user operation allows you to view detailed user profile information in the User Detail page. You can open this page if you are authorized to view the user's profile as determined by the authorization policy through the View User Details privilege. If you have the authorization to modify the user, then you can modify the user by using this page.
To display user details, perform any of the following:
Click the user login link in the search results table for simple search.
Select a record in the user search results table for both simple and advanced search, and then select Modify User from the Actions menu. Alternatively, you can click Modify User on the toolbar.
The viewing and modifying operations are described in the following sections:
The user details page for the user entity is auto-generated based on configuration and authorization. This page is divided into the following tabs:
This tab displays the attribute profile that includes details about basic user information, account settings, and other user attributes. You can modify any field to change the attribute profile information, and click Apply.
To discard the changes made in this page, click Revert.
This tab displays a list of roles to which the user belongs. You can click each role to display summary information about the role. For each role in the list, it displays the following:
Display Name: The name displayed on the UI.
Role Name: Name of the role assigned to a user.
Role Namespace: Namespace to which the role is assigned.
Description: A description of the role.
In the Roles tab, you can assign roles to the user and remove roles from the user. For more details, see "Adding and Removing Roles".
This section displays a list of resources that a user has been provisioned. For each resource in the list, it displays the following:
Resource Name: Name of the resource assigned to a user
Request ID: The ID of the request, if the provisioned instance is associated with a request
Service Account: Yes if the account was provisioned as a service account, otherwise No.
Description: The description, if any, of the provisioned instance
Type: The type of resource
Status: The status of the resource such as Provisioned, Enabled, or Disabled
Provisioned On: The date when the resource was provisioned to the user
This tab displays all proxies that are currently set up for the user. For each proxy in the list, it displays the following:
Proxy Name: The display name of the proxy user
Start Date: The start date for the proxy user
End Date: The end date for the proxy user
Status: The status of the proxy user
Relationship: The relationship of the proxy user to the user whose details are displayed, such as manager
Last Updated: The date when the proxy user was last updated
This section also displays the history of proxy information for the user in which the end date is shown. The Current Proxies display the current proxies for the user. The Past Proxies display the proxies history for the user. The Status column is not displayed in the Past Proxies table.
If you select a row in the table that displays proxies information, then a summary information about the proxy is displayed where you can edit the proxy name, relationship with the user, start date, and end date.
The Proxies tab allows you to add proxies to the user and to remove proxies from the user. For information about adding and removing proxies, see "Modifying Proxy Details".
This tab displays a read-only table of users for whom the user is set as the manager. In other words, this tab lists the direct reportees of the user. For each user in the table, it displays the following:
Display Name
User Login
Status
Organization
If you select a row in the table, then summary information about the direct reportee is displayed at the bottom.
The Direct Reports tab allows you to open the user details of the direct reportees. To do so, select a row in the table of direct reportees, and from the Action menu, select Open User. Alternatively, you can click Open User on the toolbar.
This tab displays the requests raised by the user (where the user is the requester) and the requests raised for the user (where the user is the beneficiary). For each request, the following details are displayed:
Request ID: An ID to uniquely identify the request
Model Name: The request model name
Status: Shows the current state of the request
Requested By: The requester who raised the request
Parent ID: An ID of the parent request, if any, to which the request is a child request
Date Requested: The date on which the request is created
See Also:
Chapter 14, "Creating and Searching Requests" for information about requests, request types, and parent and child requests
This tab allows you to open the details of the requests by clicking the request IDs.
You can perform administrative user modification tasks from the user details. The modification is broken up across the different tabs in the page that displays user details, which means that modifications done in each tab are independent of each other and must be saved individually. The modifications you can perform in each tab is outlined in the following sections:
The attribute profile information is displayed in the Attributes tab of the user details page. To modify the attribute profile, edit the fields in the Attributes tab, and click Apply.
To add a role:
In the Roles tab, from the Action menu, select Assign Roles. Alternatively, you can click Assign Roles on the toolbar. The Assign Role to User window is displayed.
From the Search Roles list, select the type of role or role category. The default role categories are OIM Roles and Default. In addition, you can create custom role categories. See "Creating and Managing Role Categories" for detailed information about role categories.
Search can be performed on the following fields:
Display Name
Name
Role Namespace
Select All or any conjunction operator. For information about these operators, see "Conjunction Operator".
Enter a search criterion in the search field. You can specify the asterisk (*) wildcard character in the search criterion. Then, click the search icon. All roles that belong to the category you selected and match the criterion are displayed in the Available Roles list.
Select one or more roles from the Available Roles list (Shift + Click for contiguous row selection and Ctrl + Click for non-contiguous selection). Then click the Move or Move All buttons to move the selected roles to the Roles to Assign list.
See Also:
Table 12-5, "Default Roles in Oracle Identity Manager" for information about the default roles in Oracle Identity Manager
Click OK. A confirmation message is displayed and the roles you selected are assigned to the user.
The Roles tab allows you to select one or multiple roles in the list, and then allows you to remove roles. To remove a role:
Select the role or roles that you want to remove.
From the Action menu, select Revoke Roles. Alternatively, you can click Revoke Roles on the toolbar. A message is displayed asking you to confirm.
Click OK. A success message is displayed on the user details page when the roles are revoked.
The Resources tab allows you to select one or multiple resources in the list, and then perform various operations, such as adding and removing resources, enabling and disabling resources, and displaying resource details and history.
To add a resource to a user:
In the Resources tab, from the Action menu, select Add. Alternatively, you can click Add Resource on the toolbar. The Provision Resource to User wizard is displayed.
In Step 1: Select a Resource page, select the resource you want to provision.
Click Continue. The Step 2: Verify Resource Selection page is displayed. This page displays the resource that you selected for provisioning to the target user.
Click Continue. The Step 3: Process Data page is displayed.
Enter values in the fields to specify information about the selected resource.
Click Continue. The Step 4: Verify Process Data page is displayed with details about the resource.
Figure 11-3 shows the Step 4: Verify Process Data page with sample values for the ebusiness Suite User TCA Foundation resource to be provisioned to the user John Doe with user ID JohnD.
If you want to edit any information displayed in this page, click Edit on the top-right corner of the page. The Step 3: Process Data page is displayed, which allows you to edit the process data. When finished, click Continue to go back to the Step 4: Verify Process Data page.
After verifying all information, click Continue.
WARNING:
Make sure that you verify the process data before clicking Continue. This is because clicking Continue starts provisioning.
Click Continue to start provisioning the selected resource to the user. A message is displayed stating that the provisioning has been started.
To remove a resource from a user:
In the Resources tab, select a resource that you want to remove.
From the Action menu, select Remove Resource. Alternatively, you can click Revoke on the toolbar. A confirmation message is displayed.
Click OK. The resource is removed, and a success message is displayed.
A resource can be enabled if the status of the selected resource is Disabled or Provisioned. To enable a resource:
In the Resources tab, select a resource that you want to enable.
From the Action menu, select Enable. A confirmation message is displayed.
Click OK. The resource is enabled, and a success message is displayed.
A resource can be disabled if the status of the selected resource is Enabled. To disable a resource:
In the Resources tab, select a resource that you want to disable.
From the Action menu, select Disable. A confirmation message is displayed.
Click OK. The resource is disabled, and a success message is displayed.
To display resource details:
In the Resources tab, select a resource whose details you want to display.
From the Action menu, select Open. A page is displayed with the resource details. You can edit resource details in this page. When finished, click Save.
To display resource history:
In the Resources tab, select a resource whose history you want to display.
From the Action menu, select Resource History. A page is displayed with the provisioning details of the resource. The details include task name, task details, date assigned, and the user to whom the task is assigned. A Retry check box is also displayed. You must select this check box to retry all failed tasks.
The Proxies tab allows you to add a proxy and select one or multiple proxies in the list, and then invoke the following operations:
Edit a proxy, only if a single user is selected
Remove a proxy
To add a proxy:
In the Proxies tab, from the Action menu, select Add. The Add Proxy dialog box is displayed.
In the Proxy Name field, select an appropriate proxy. Your proxy can be any user. Search for the proxy user's name in the search field below the Proxy Name field, or select Manager to add your manager as a proxy.
Specify a start date and end date for the proxy to operate on your behalf.
Click OK. A message is displayed asking for confirmation.
Click OK. A confirmation message is displayed stating that the proxy is assigned.
To remove a proxy, select the proxy in the Proxies tab, and click Remove Proxy.
To modify proxy details:
Select a row in the table displaying proxy information. The details of the proxy are displayed at the bottom of the tab.
Edit the fields to modify proxy information.
Click Save.
You can perform user management operations for a single user from the page that displays user details. These operations are:
This operation is available only if the user status is Disabled. To enable a user:
In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of Advanced Search. In addition, you can perform this operation from the page that displays user details.
From the Action menu, select Enable User. Alternatively, you can click the Enable User icon on the toolbar. If the user details page for the user is open, then you can click Enable User on the toolbar. A message box is displayed asking for confirmation.
Click OK to confirm. A confirmation message is displayed stating that the user is enabled.
If you enable a user from the user details page, then its successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.
This operation is available only if the user status is Enabled. To disable a user:
In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of Advanced Search. In addition, you can perform this operation from the page that displays user details.
From the Action menu, select Disable User. Alternatively, you can click the Disable User icon on the toolbar. If the user details page for the user is open, then you can click Disable User on the toolbar. A message box is displayed asking for confirmation.
Click OK to confirm. A confirmation message is displayed stating that the user is disabled.
If you disable a user from the user details page, then its successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.
This operation is available only if the user account is unlocked. To lock a user:
In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of advanced search. In addition, you can perform this operation from the page that displays user details.
From the Action menu, select Lock Account. Alternatively, you can click the Lock Account icon on the toolbar. If the user details page for the user is open, then you can click Lock Account on the toolbar. A message is displayed asking for confirmation.
Click OK. A confirmation message is displayed stating that the user is successfully locked.
If you lock an account from the user details page, then its successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.
This operation is available only if the user account is locked. To unlock a user:
In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of advanced search. In addition, you can perform this operation from the page that displays user details.
From the Action menu, select Unlock Account. Alternatively, you can click the Unlock Account icon on the toolbar. If the user details page for the user is open, then you can click Unlock Account on the toolbar. A message is displayed asking for confirmation.
Click OK. A confirmation message is displayed stating that the user is successfully unlocked.
If you unlock an account from the user details page, then its successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.
You can reset the password for a user by performing any one of the following:
Change the password manually: You can reset the password of a user manually in instances such as when the user has forgotten the password and has called the HelpDesk to reset the password quickly. The HelpDesk can immediately reset the password manually by entering a password, and the user can log in by using the new password. This resolves the issue faster than the user waiting for an e-mail notification. The trade-off is that the person performing the reset knows the new password until the user changes it.
Generate a random password: When a password has to be reset by someone other than the target user, an administrator for example, random password generation is useful so that the person changing the password will not know the new password. A random password can be generated in the following instances:
A user has forgotten the password and it needs to be reset.
The password has expired.
A user has been locked.
In such scenarios, when the password is reset, Oracle Identity Manager can automatically generate a new random password that conforms to the given password policy. Also, when the password is reset, the administrator gets an option to check a check box, which when checked will send out an e-mail notifying the user about the password change. This method enables you to generate temporary passwords randomly that cannot be easily guessed by anyone. After you generate the random password, at the next login, the user is prompted to reset the randomly generated password.
To reset the password for a user:
In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of Advanced Search. In addition, you can perform this operation from the page that displays user details.
From the Action menu, select Reset Password. Alternatively, you can click the Reset Password icon on the toolbar. If the user details page for the user is open, then you can click Reset Password on the toolbar. The Reset Password dialog box is displayed, as shown in Figure 11-4:
Figure 11-4 The Reset Password Dialog Box

To manually change the user's password:
Select the Manually change the Password option.
In the New Password field, enter the new password that conforms to the password policy that is displayed in the Password Policy section.
The Password Policy section displays the password policy assigned to the user. This section does not display the password policy if no password policy is defined. For information about password policies, see "Managing Password Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
In the Confirm new password field, re-enter the password.
To generate a random password, select the Auto generate the Password (Randomly generated) option.
Verify that the Email the new password to the user option is selected so that the new password is sent to the user through e-mail.
Click Reset Password. A confirmation message is displayed stating that the password is changed successfully.
Tip:
If the user forgets the password and tries to retrieve it, then the challenge questions are prompted to the user. The user must enter the same answers provided while creating a password. You can configure the challenge questions for the users by using the Oracle Identity Manager Design Console. See "Configuring Challenge Questions for the User" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
This operation is available only if the user status is not Deleted.
If the user is currently disabled, and the Automatically Delete On attribute is set to a future date, then the delete operation fails, and a message is displayed stating that the user cannot be deleted because it is currently scheduled to be deleted at a future date.
To delete a user:
In the user search result on the left pane of Oracle Identity Manager Administration, select a user. Alternatively, you can select the user from the search results of advanced search. In addition, you can perform this operation from the page that displays user details.
From the Action menu, select Delete User. Alternatively, you can click the Delete User icon on the toolbar. If the user details page for the user is open, then you can click Delete User on the toolbar. A message is displayed asking for confirmation.
Click OK. A confirmation message is displayed stating that the user is successfully deleted.
Click OK to close the message box.
If you delete a user from the user detail page, then the successful completion refreshes the Attributes tab. If you perform this operation from a user list, such as simple or advanced search results, then the corresponding row in the list is refreshed.
Sometimes, you might not want a delete operation to immediately delete the user. Instead, you might want a delete operation to disable the user for a predefined period of time, during which the delete operation can be canceled. After that predefined period of time, the user is deleted. This is called a delayed delete.
To configure delayed delete in Oracle Identity Manager, you must define the Period to Delay User Delete configuration property, which specifies the predefined wait period, in days, for which the delete operation is held. If you do not want delayed delete, then set the value of the Period to Delay User Delete configuration property to 0 or a negative number. If you want a delete operation to disable the user entity and set a date counter that specifies the date and time when the user must be permanently deleted, then set the value of the Period to Delay User Delete configuration property to a number greater than 0.
Note:
To configure delayed delete:
In the Welcome page for Oracle Identity Manager Administration, under System Management, click System Configuration.
In the left pane, search for system properties.
In the search result, select the Period to Delay User Delete property.
Edit the property value to specify a delay period to delete the user.
Save the property.
For more information about system properties, see "Administering System Properties" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
As a result of delayed delete:
The disable status is similar to a regular disable operation that prevents the user from logging into Oracle Identity Manager and disables all provisioned resources.
When a user is in disabled status, enabling the user cancels the delete operation. The date on which the user will be deleted is displayed on the user profile.
If a user stays disabled and the predefined period expires, then the user is deleted at that time.
The bulk operations are performed from the search results for simple and advanced search. You can select multiple users and then select the available option from the Action menu. You can perform the following bulk operations:
Enabling users: If all the selected users are in Disabled state
Disabling users: If all the selected users are in Enabled state
Locking users: If all the selected users are in Unlocked state
Unlocking users: If all the selected users are in Locked state
Deleting users: If all the selected users are not in Deleted state
Note:
For all the bulk modify operations, you must have the required authorization and you must select multiple users.
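The delete, delayed delete, enable, lock and unlock rules above, and the bulk-operation preconditions, as an added Python model of the behaviour this page describes. It is not Oracle Identity Manager code: the `UserManagement` class, the `User` fields and the `T0` reference date are constructed for the example, and the delay is modelled with the "Period to Delay User Delete" value the page names, in days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed model of the user states and operations described on this page; not OIM code.
ACTIVE, DISABLED, DELETED = "Active", "Disabled", "Deleted"
T0 = datetime(2024, 1, 1)   # constructed reference "now" for the demos


@dataclass
class User:
    login: str
    status: str = ACTIVE
    locked: bool = False
    auto_delete_on: Optional[datetime] = None   # the "Automatically Delete On" attribute


class UserManagement:
    def __init__(self, period_to_delay_user_delete: int):
        # Value of the "Period to Delay User Delete" system property, in days.
        self.delay_days = period_to_delay_user_delete

    def delete(self, user: User, now: datetime) -> None:
        if user.status == DELETED:
            raise ValueError("operation not available: user status is Deleted")
        # A disabled user already scheduled for a future delete cannot be deleted again.
        if user.status == DISABLED and user.auto_delete_on is not None and user.auto_delete_on > now:
            raise ValueError("user cannot be deleted: already scheduled to be deleted at a future date")
        if self.delay_days <= 0:                 # 0 or negative: no delayed delete
            user.status, user.auto_delete_on = DELETED, None
            return
        user.status = DISABLED                   # delayed delete: disable and set the date counter
        user.auto_delete_on = now + timedelta(days=self.delay_days)

    def enable(self, user: User) -> None:
        if user.status != DISABLED:
            raise ValueError("operation not available: user is not Disabled")
        user.status, user.auto_delete_on = ACTIVE, None   # enabling cancels the pending delete

    def lock(self, user: User) -> None:
        if user.locked:
            raise ValueError("operation not available: account is already locked")
        user.locked = True

    def unlock(self, user: User) -> None:
        if not user.locked:
            raise ValueError("operation not available: account is not locked")
        user.locked = False

    def run_scheduled_delete(self, users: List[User], now: datetime) -> List[str]:
        """Expiry of the delay period: users still disabled are permanently deleted."""
        deleted = []
        for u in users:
            if u.status == DISABLED and u.auto_delete_on is not None and u.auto_delete_on <= now:
                u.status, u.auto_delete_on = DELETED, None
                deleted.append(u.login)
        return deleted


def bulk_operation_allowed(operation: str, users: List[User]) -> bool:
    """Bulk operations need several users, all in the state the operation requires."""
    if len(users) < 2:
        return False
    checks = {
        "enable": lambda u: u.status == DISABLED,
        "disable": lambda u: u.status == ACTIVE,
        "lock": lambda u: not u.locked,
        "unlock": lambda u: u.locked,
        "delete": lambda u: u.status != DELETED,
    }
    return all(checks[operation](u) for u in users)


def delayed_delete_demo() -> Tuple[str, int, bool, str]:
    mgmt = UserManagement(period_to_delay_user_delete=30)
    u = User("jdoe")
    mgmt.delete(u, T0)                                   # disabled, delete scheduled in 30 days
    status_after_delete = u.status
    days_until_delete = (u.auto_delete_on - T0).days
    try:
        mgmt.delete(u, T0 + timedelta(days=5))           # refused while the delete is pending
        second_delete_failed = False
    except ValueError:
        second_delete_failed = True
    mgmt.run_scheduled_delete([u], T0 + timedelta(days=31))
    return status_after_delete, days_until_delete, second_delete_failed, u.status


def enable_cancels_delete_demo() -> Tuple[str, bool]:
    mgmt = UserManagement(30)
    u = User("asmith")
    mgmt.delete(u, T0)
    mgmt.enable(u)                                       # cancels the scheduled delete
    survived = mgmt.run_scheduled_delete([u], T0 + timedelta(days=60)) == []
    return u.status, survived


def immediate_delete_demo() -> str:
    mgmt = UserManagement(0)                             # property set to 0: no delay
    u = User("bjones")
    mgmt.delete(u, T0)
    return u.status
```

The model keeps the two independent flags the page distinguishes: the lifecycle status (Active, Disabled, Deleted) and the account lock, so that lock and unlock never touch the delete schedule.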
You can use the Bulk Modify page to make changes to multiple users at a time. You can open this page if you are authorized to modify users as determined by the authorization policy on the Modify User Profile privilege on any organization in Oracle Identity Manager.
You can open the Bulk Modify page in any one of the following ways:
Selecting Bulk Modify from the Action menu in a user search results page, after selecting multiple users
Selecting the Bulk Modify icon on the toolbar in a user search results page, after selecting multiple users
Table 11-6 describes the fields in various sections of the Bulk Modify page:
Table 11-6 Fields in the Bulk Modify Page
| Section | Field | Description |
|---|---|---|
| Basic User Information | Design Console Access | Check box that indicates whether or not the users can log in to the Design Console. |
| | Manager | The reporting manager of the selected users. |
| | Organization | The organization to which the selected users belong. |
| | User Type | The type of the selected employees, such as full-time employee, intern, contractor, part-time employee, consultant, or temporary. |
| Account Effective Dates | Start Date | The date when the selected users will be activated in the system. |
| | End Date | The date when the selected users will be deactivated in the system. |
| Provisioning Dates | Provisioning Date | The date when the users are provisioned. |
| | Deprovisioning Date | The date when the users are deprovisioned. |
Only those attributes configured as part of the modify operation in user management configuration are displayed as fields in the Bulk Modify page. The attributes displayed are restricted to those defined in the user entity definition with the Support Bulk Update property set to Yes. The attributes are further filtered based on authorization policies that specify the attributes for the selected users that you have privileges to modify.
The permissions are based on authorization policy. For instance, if the authorization policy allows you to modify only the first name of one user and only the last name of another user, then selecting both users leaves no attribute that you are allowed to modify for all of them, and no fields can be displayed on the page. As a result, the Bulk Modify page displays an error message stating that the attributes of the selected users cannot be modified in bulk, and the user selection must be changed.
Run-time security is enforced in the user management service through authorization policies. Each role in Oracle Identity Manager can be associated with one or more such authorization policies. Users that are members of a role are authorized to perform various user tasks based on the privileges granted to the role by its associated authorization policies. Because a user may have many roles, the privileges of a user are the cumulative privileges of his collective roles.
The access controls are implemented in the form of authorization policies that are managed by the Oracle Entitlements Server (OES). These policies define the controls in terms of roles and targets. The target is a combination of privilege, entity, and entity attribute.
See Also:
Chapter 15, "Managing Authorization Policies" for detailed information about authorization policies in Oracle Identity Manager
If a user has multiple roles that have different authorization policies applicable in the same context, then the user's access rights are the cumulative rights across those policies. In other words, if a policy with read permission is granted to a role, and a policy with write permission is granted to another role, then a user with both the roles has read and write permission.
The authorization model is described in the following topics:
All authorization privileges are controlled by authorization policies. Oracle Identity Manager explicitly defines privileges that control access rights for performing various operations in the application.
Table 11-7 lists the authorization privileges available in Oracle Identity Manager for the user management feature that can be assigned to roles as part of an authorization policy definition:
Note:
For all the privileges at the Entity Instance Level, there must be a qualifier that determines the users over which the logged-in user has the privilege.
Table 11-7 Authorization Privileges for User Management
| Privilege | Description | 
|---|---|
| Search for Users | You can define this qualifier in terms of organizations, role memberships, or attribute-based rules. For information about defining this qualifier, see Chapter 15, "Managing Authorization Policies". Note: There is a default authorization policy for the search operation that decides what the user can search. For information about default authorization policies for user management, see "User Management". |
| View User Details | This privilege determines if you have the ability to display the User Details page for a user from the search results table. This privilege supports the following fine-grained controls: Note: The View User Details privilege cannot specify which detail sections can be viewed by the user. This privilege determines whether or not the complete user details page with all sections can be viewed. If the user details page can be viewed, then this privilege determines which attributes are displayed in the Attribute Profile of a user. |
| Modify User Profile | This privilege determines if you have the ability to modify the user profile attributes of a user on the User Details page. This privilege supports the following fine-grained controls: |
| Provision Resource to User | This privilege determines if you have the ability to provision or deprovision resources to a user on the Resource Profile section of the User Details Page. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules. | 
| Modify User Proxy Profile | This privilege determines if you have the ability to modify the user's proxy details on the Proxy Details section of the User Details page. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules. | 
| Modify User Status | This privilege determines if you have the ability to enable or disable a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules. | 
| Modify OIM Account Status | This privilege determines if you have the ability to lock or unlock a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules. | 
| Delete User | This privilege determines if you have the ability to delete a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules. | 
| Change Password | This privilege determines if you have the ability to change a user's enterprise password. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules. | 
| Create User | This privilege determines if you have the ability to create users in Oracle Identity Manager. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier must be defined in terms of organizations. | 
| Evaluate Access Policies | This privilege determines if you have the ability to initiate access policy evaluation for a user when necessary. Note: There is no UI operation to initiate on-demand access policy evaluation. | 
| View User Requests | This privilege determines if you have the ability to view the requests raised for a user. | 
| Change User Password | This privilege determines if you have the ability to change the password of a user. There must be a qualifier that determines over which users the logged in user has this privilege. This qualifier can be defined in terms of organizations, role memberships, or attribute-based rules. | 
Note:
The Modify Role Membership permission for role management determines if the user can perform add or remove role operations from the Roles tab of the modify user page. For more information about this permission, see "Managing Authorization for Roles".
The read/write permissions for attributes define the actual set of readable or modifiable attributes in the context of the view or modify operation.
The following data constraints are used in the authorization policies for user management:
List of organizations: This limits the scope of the privilege for the assignee to only the organizations listed. Organization membership can be controlled by the Hierarchy Aware option in the authorization policies UI.
When the Hierarchy Aware option is set to false, then the scope of the privilege is only to the users that are direct members of the organization. For example, if the organization is Development Center and it has USA Development Center and China Development Center as the suborganizations, then the privilege can be exercised against users that are directly under the Development Center organization.
When the Hierarchy Aware option is set to true, then the scope of the privilege is applicable to users who are direct members of the listed organization and the users who are members of any of the sub-organizations of these organizations. For example, if the organization is Development Center and it has USA Development Center and China Development Center as the suborganizations, then the privilege can be exercised against users in all of these organizations.
Assignee must be in the same organization: This flag limits the scope of the privilege for the assignee to only the assignee's organization. For example, the organization list in the policy is USA, China, and Canada. If this flag is set and the assignee's organization is USA, then the privilege can be exercised only in the USA organization.
Management chain of user: This flag limits the scope of the privilege for the assignee to only the assignee's direct and indirect reports. For example:
DR1, DR2, and DR3 are direct reports of M1.
DR1_1, DR1_2, DR1_3, and DR1_4 are direct reports of DR1.
DR2_1, DR2_2, and DR2_3 are direct reports of DR2.
DR2_2_1 and DR2_2_2 are direct reports of DR2_2.
Here, M1 can exercise the privilege on all of DR1, DR2, and DR3 and their direct and indirect reports if the Management Chain of User option is selected.
If a user has multiple roles that have different authorization policies applicable in the same context, then the user's access rights are the cumulative rights across those policies.
The authorization check for the Search for Users permission returns a list of obligations. This is a list of obligations from each applicable authorization policy. These obligations from multiple policies are combined to get a unified search result.
This section describes how obligations are handled for various user management operations. It contains the following topics:
Search Operation Authorization with Multiple Authorization Policies
Modify Operation Authorization with Multiple Authorization Policies
There can be the following types of obligations for the search operation:
List of organizations: The list of organizations can be for direct or indirect organization membership, which is controlled by the Hierarchy Aware data constraint. A special value here can be the list of all organizations in Oracle Identity Manager. The logged in user can search only within this set of organizations.
Is in the same organization: This obligation means that the logged in user can search for users only in the user's own organization.
Is in management hierarchy: This obligation means that the logged in user can search for any users in the user's management hierarchy.
Viewable Attributes: This obligation contains the list of authorized viewable attributes. The search operation can be performed only against these attributes.
If there are multiple authorization policies that grant the search privilege to a user, then the search behavior is as follows:
The set of users who can be searched by the logged in user is the union of the sets of users on which the search privilege is granted by each of these policies.
The set of attributes returned as part of the search results is the union of the sets of attributes on which the View User Details privilege is granted by each of these policies.
This is described with the help of the following example:
Policy1 returns the First Name, Last Name, and Middle Name attributes, and Policy2 returns the User Login, User Type, and OIM User Type attributes. When obligations from both the policies are enforced, the returned attribute list is First Name, Last Name, Middle Name, User Login, User Type, and OIM User Type for all users. The policy due to which the user is selected as part of the results is not checked. Therefore, do not configure attributes from the configuration service that might display confidential data in the search results.
In another example, suppose there are three authorization policies defined for the search operation. The following table lists the details of the sample authorization policies:
| Policy Name | Entity Name | Permissions | Data Constraints | Assignment |
|---|---|---|---|---|
| Policy1 | User management | Search; Modify User Profile (attributes: First Name, Last Name, Middle Name); View User Details (attributes: Display Name, First Name, Last Name, Middle Name) | Users that are members of the Org1 and Org2 organizations; Hierarchy Aware (include all Child Organizations) = TRUE | Role: Role1; Management Chain of User = FALSE; Assignee must be a member of the User's Organization = TRUE |
| Policy2 | User management | Search; Modify User Profile (attribute: User Type); View User Details (attributes: User Login, User Type, OIM User Type) | Users that are members of the Org3 organization; Hierarchy Aware (include all Child Organizations) = FALSE | Role: Role2; Management Chain of User = FALSE; Assignee must be a member of the User's Organization = FALSE |
| Policy3 | User management | Search; Modify User Profile (attribute: Designation); View User Details (attributes: User Login, User Type, OIM User Type, Designation) | All Users | Role: Role2; Management Chain of User = TRUE; Assignee must be a member of the User's Organization = FALSE |
In this example:
Org1 has Org1Child1 and Org1Child2 as child organizations.
Org1Child1 has Org1Child1_Child1 as the child organization.
Org3 has Org3Child1 and Org3Child2 as child organizations.
Consider the following scenarios:
User1 has Role1 only and belongs to the Org1Child1 organization. The user can:
Search for users who are members of the Org1Child1 organization. The search can be performed on the basis of the First Name, Last Name, Middle Name, and Display Name user attributes, and the search result can contain a subset of these attributes.
Modify the First Name, Last Name, and Middle Name user attributes from the Org1Child1 organization.
User2 has Role1 and Role2 and belongs to the Org2 organization. User2 has direct reports DR1 and DR2 belonging to the Org2 organization. The user can:
View the User Login, User Type, and OIM User Type user attributes from the Org3 organization because of Policy2.
Modify the User Type attribute from the Org3 organization because of Policy2.
View the First Name, Last Name, and Middle Name user attributes from the Org2 organization, because of Policy1.
Modify the First Name, Last Name, and Middle Name user attributes from the Org2 organization, because of Policy1.
View the User Login, User Type, OIM User Type, and Designation user attributes of all the user's direct reports because of Policy3.
Modify the Designation attribute of all the user's direct reports because of Policy3.
If the user being modified is DR1, then the modifiable attributes are First Name, Last Name, and Middle Name because of Policy1, and Designation because of Policy3.
The user cannot view, modify, and search users from child organizations of Org3, which are Org3Child1 and Org3Child2.
Based on these scenarios, for the search operation, a union of the viewable attributes from all three authorization policies is displayed to the user. In other words, the user is able to see the User Login, User Type, OIM User Type, First Name, Last Name, Middle Name, Display Name, and Designation attributes in the search results irrespective of the authorization policy. Here, the Designation attribute is displayed not only for DR1 and DR2, who are direct reports of User2, but for all the users in the results.
If the logged in user is allowed to modify a user profile as defined by multiple policies, then a union of the set of attributes from individual policies is used for performing the operation. Refer to Scenario II of the "Search Operation Authorization with Multiple Authorization Policies" for the example related to the modify operation in case of multiple applicable authorization policies.
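The data constraints (organization list with Hierarchy Aware, assignee in the same organization, management chain) and the union rules for the search and modify operations, as an added Python model that reproduces the Policy1, Policy2 and Policy3 example above. This is not Oracle Identity Manager or OES code; the `Directory`, `Policy` and `scope_of` names, and the extra sample users `U3`, `U3c` and `U1cc`, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple, Union

ALL_USERS = "ALL"   # constructed marker for the "All Users" data constraint


@dataclass(frozen=True)
class User:
    login: str
    org: str
    manager: Optional[str] = None
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Policy:
    name: str
    role: str                                  # role the policy is assigned to
    orgs: Union[str, Tuple[str, ...]]          # listed organizations, or ALL_USERS
    hierarchy_aware: bool                      # include child organizations
    management_chain: bool                     # "Management Chain of User"
    assignee_same_org: bool                    # "Assignee must be a member of the User's Organization"
    view_attrs: FrozenSet[str]                 # View User Details attributes
    modify_attrs: FrozenSet[str]               # Modify User Profile attributes


class Directory:
    """Constructed org tree (parent None = top level) and user list."""

    def __init__(self, org_parent: Dict[str, Optional[str]], users: List[User]):
        self.org_parent = org_parent
        self.users = {u.login: u for u in users}

    def descends_from(self, org: str, ancestor: str) -> bool:
        while org is not None:
            if org == ancestor:
                return True
            org = self.org_parent[org]
        return False

    def reports_of(self, manager: str) -> Set[str]:
        """Direct and indirect reports of a manager (the management chain)."""
        found = set()
        for u in self.users.values():
            m = u.manager
            while m is not None:
                if m == manager:
                    found.add(u.login)
                    break
                m = self.users[m].manager
        return found


def scope_of(policy: Policy, assignee: User, d: Directory) -> Set[str]:
    """Logins over which one policy lets the assignee exercise its privileges."""
    if policy.role not in assignee.roles:
        return set()
    if policy.orgs == ALL_USERS:
        in_scope = lambda org: True
    elif policy.hierarchy_aware:
        in_scope = lambda org: any(d.descends_from(org, o) for o in policy.orgs)
    else:
        in_scope = lambda org: org in policy.orgs          # direct members only
    logins = {u.login for u in d.users.values() if in_scope(u.org)}
    if policy.assignee_same_org:                           # restrict to the assignee's own org
        logins &= {u.login for u in d.users.values() if u.org == assignee.org}
    if policy.management_chain:                            # restrict to the assignee's reports
        logins &= d.reports_of(assignee.login)
    return logins


def search_obligations(assignee: User, policies: List[Policy], d: Directory):
    """Union across applicable policies of searchable users and of viewable attributes."""
    users, attrs = set(), set()
    for p in policies:
        if p.role in assignee.roles:
            users |= scope_of(p, assignee, d)
            attrs |= p.view_attrs
    return users, attrs


def modifiable_attrs(assignee: User, target: str, policies: List[Policy], d: Directory) -> Set[str]:
    """Union of Modify User Profile attributes from every policy whose scope contains the target."""
    return set().union(*(p.modify_attrs for p in policies if target in scope_of(p, assignee, d)))


def build_example():
    orgs = {"Org1": None, "Org1Child1": "Org1", "Org1Child2": "Org1",
            "Org1Child1_Child1": "Org1Child1", "Org2": None,
            "Org3": None, "Org3Child1": "Org3", "Org3Child2": "Org3"}
    users = [
        User("User1", "Org1Child1", roles=frozenset({"Role1"})),
        User("User2", "Org2", roles=frozenset({"Role1", "Role2"})),
        User("DR1", "Org2", manager="User2"),
        User("DR2", "Org2", manager="User2"),
        User("U3", "Org3"),                  # constructed: direct member of Org3
        User("U3c", "Org3Child1"),           # constructed: member of a child of Org3
        User("U1cc", "Org1Child1_Child1"),   # constructed: grandchild org of Org1
    ]
    name = frozenset({"First Name", "Last Name", "Middle Name"})
    policies = [
        Policy("Policy1", "Role1", ("Org1", "Org2"), True, False, True, name | {"Display Name"}, name),
        Policy("Policy2", "Role2", ("Org3",), False, False, False,
               frozenset({"User Login", "User Type", "OIM User Type"}), frozenset({"User Type"})),
        Policy("Policy3", "Role2", ALL_USERS, False, True, False,
               frozenset({"User Login", "User Type", "OIM User Type", "Designation"}),
               frozenset({"Designation"})),
    ]
    return Directory(orgs, users), policies
```

Running `search_obligations` for User2 returns User2, DR1, DR2 and U3 with all eight attributes, and excludes U3c in Org3Child1, which is the page's scenario; `modifiable_attrs` for DR1 gives the three name attributes from Policy1 plus Designation from Policy3.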
A request for creating a user can be raised from Oracle Identity Manager Self Service or Oracle Identity Manager Administration. When the request is submitted, the following scenarios are possible:
While the request is pending, another create user request is submitted with the same username. If the second request is approved and the user is created, then the first request, when approved, fails because the username already exists in Oracle Identity Manager.
While the request is pending, another user with the same username is directly created in the LDAP identity store. When the create user request is approved, it fails while provisioning the user entity to LDAP because an entry already exists in LDAP with the same username.
To avoid these problems, you can reserve the username in both Oracle Identity Manager and LDAP while the create user request is pending for approval. If a request is created to create a user with the same username, then an error message is displayed and the create user request is not created.
See Also:
"Creating a Request To Create a User" for information about creating requests to create a user
For reserving the username:
The USER ATTRIBUTE RESERVATION ENABLED system property must be set to TRUE for the functionality to be enabled. For information about searching and modifying system properties, see "Administering System Properties" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Reservation in LDAP is done only if the reservation functionality is enabled and LDAP is in sync with the Oracle Identity Manager database. For information about synchronization between Oracle Identity Manager and the LDAP identity store, see "Integration Between LDAP Identity Store and Oracle Identity Manager".
Note:
If LDAP provider is not configured, then the reservation is done only in Oracle Identity Manager.
When LDAP synchronization and user attribute reservation features are enabled, it is recommended to enable UID uniqueness in the directory server. Without this, user reservation in the directory does not work properly because, while the user is reserved in the reservation container, a user with the same user ID can be created in the user container. This results in user creation failure when Oracle Identity Manager tries to move the user from the reservation container to the user container.
If user attribute reservation is enabled, the reservation happens in two phases:
In the first phase, an entry is created in the Oracle Identity Manager database and a user is created in the reservation container. This entry in the Oracle Identity Manager database is removed after successful creation of the user, rejection by the approver, or request failure.
In the second phase, in LDAP, on successful creation, the user is moved to the reservation container. In other cases such as rejection by approver or request failure, the user is removed from the reservation container.
After the request-level and operation-level approvals are obtained for the create user request, the username is no longer reserved in the username container in LDAP. The username is moved to the container in which the existing users are stored. The user is also created in Oracle Identity Manager.
This section consists of the following topics:
The username reservation functionality is enabled by default in Oracle Identity Manager. This is done by keeping the value of the USER ATTRIBUTE RESERVATION ENABLED system property set to TRUE. You can verify the value of this system property in the System Configuration section of Oracle Identity Manager Administration.
To disable username reservation:
Log in to the Administrative and User Console.
Click Advanced Administration.
Click System Management.
Click System Configuration.
On the left pane, click the search icon to search for all existing system properties. A list of system properties are displayed in the search results table.
Click User Attribute Reservation Enabled. The System Property Detail page for the selected system property is displayed, as shown in Figure 11-5:
Figure 11-5 The System Property Detail Page

In the Value field, enter False.
Click Save. The username reservation functionality is disabled.
Username Policy is a plug-in implementation for username operations such as username generation and username validation. The policies follow the Oracle Identity Manager plug-in framework. You can add your own policies by adding new plug-ins and changing the default policies from the System Configuration section in Oracle Identity Manager Administration.
See Also:
"Developing Plug-ins" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about the plug-in framework
In the case of a create user request, the plug-ins are invoked only if the user login is not provided. In such a case, the plug-in to be invoked is picked up from the Default policy for username generation system property.
Table 11-8 lists the predefined username policies provided by Oracle Identity Manager. In this table, the dollar ($) sign in the username generation indicates a random letter:
Table 11-8 Predefined Username Policies
| Policy Name | Expected Information | Username Generated | 
|---|---|---|
| oracle.iam.identity.usermgmt.impl.plugins.EmailIdPolicy |  | If e-mail is provided, then e-mail is generated as username. | 
| oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstInitialLocalePolicy | First name, last name, and locale | last name + first initial_locale, last name + middle initial + first initial_locale, last name + $ + first initial_locale (all possibilities of single random letters), last name + $$ + first initial_locale |
| oracle.iam.identity.usermgmt.impl.plugins.FirstInitialLastNameLocalePolicy | Firstname, Lastname, Locale | first initial + lastname_locale, first initial + middle initial + first name_locale, first initial + $ + lastname_locale, first initial + $$ + lastname_locale |
| oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstInitialPolicy | Firstname, Lastname | lastname+firstInitial, lastname+middleinitial+firstInitial, lastname+$+firstInitial (all possibilities of single random letters), lastname+$$+firstInitial |
| oracle.iam.identity.usermgmt.impl.plugins.FirstInitialLastNamePolicy | Firstname, Lastname | firstInitial+lastname, firstInitial+middleInitial+firstname, firstInitial+$+lastname, firstInitial+$$+lastname |
| oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicy | Firstname, Lastname | lastname.firstname, lastname.middleinitial.firstname, lastname.$.firstname (all possibilities of single random letters), lastname.$$.firstname |
| oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicy | Firstname, Lastname | firstname.lastname, firstname.middleinitial.lastname, firstname.$.lastname (all possibilities of single random letters), firstname.$$.lastname |
| oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy |  | If e-mail is provided, then username is generated based on the e-mail. If e-mail is not available, then it generates username based on firstname and lastname by appending a user domain to it. The user domain is configured as the Default user name domain system property, and the default value is @oracle.com |
| oracle.iam.identity.usermgmt.impl.plugins.LastNamePolicy | Lastname | lastname, middle initial + lastname, $ + lastname, $$ + lastname |
| oracle.iam.identity.usermgmt.impl.plugins.LastNameLocalePolicy | Lastname, Locale | lastname_locale, middle initial + lastname_locale , $ + lastname_locale, $$ + lastname_locale | 
| oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD | Firstname, Lastname | firstname+lastname, substring of firstname+lastname+$, substring of firstname+ substring of lastname+$ | 
| oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicyForAD | Lastname, Firstname | lastname+firstname, lastname+substring of firstname+$, substring of lastname+ substring of firstname+$ | 
Values must be provided for all the parameters of the username generation format. If any of the parameters is not provided, then Oracle Identity Manager generates an error. For example, if the firstname.lastname policy is configured and the firstname is not provided, then the error would be "An error occurred while generating the Username. Please provide firstname as expected by the firstname.lastname policy".
The UserManager exposes APIs for username operations. The APIs take the user data as input and return a generated username. The APIs make a call to plug-ins that return the username. This allows you to replace the default policies with custom plug-ins with your implementation for username operations.
Note:
For user name generation and validation, public APIs are exposed in UserManager.
While creating the policy, ensure that the attributes used in generating the username are defined in the request data set. For information about request data set, see "Request Dataset" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
You can plug-in your own username policies by implementing the plug-in interface, as shown:
package oracle.iam.identity.usermgmt.api;

import java.util.HashMap;
import java.util.Locale;

public interface UsernamePolicy {
    // Generates a username from the request data; throws UserNameGenerationException when required attributes are missing
    public String getUserNameFromPolicy(HashMap<String, String> reqData) throws UserNameGenerationException;

    // Returns true if the given username conforms to this policy for the given request data
    public boolean isUserNameValid(String userName, HashMap<String, String> reqData);
    // Returns a human-readable description of the policy in the given locale
    public String getDescription(Locale locale);
}
This plug-in point is exposed as a kernel plug-in that takes request data as input and returns the username. Each plug-in expects some information and generates a username based on the information provided. The policy implementations generate the username, check for its availability, and if the username is not available, then generate another username based on the policy in the order mentioned in Table 11-8, and repeat the procedure. The dollar ($) sign in the username generation indicates a random alphabet. If any of the expected information is missing, then the policies generate errors.
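As an added example (not code from the Oracle Identity Manager documentation or product), the following custom policy implements the interface above: it tries candidates in the documented firstname.lastname, firstname.$.lastname, firstname.$$.lastname order, rejects missing input, strips characters that are unsafe in an LDAP RDN or sAMAccountName, and caps the result at the 20-character AD limit discussed later in this section. The request-data keys ("First Name", "Last Name"), the package and String constructor of UserNameGenerationException, and the availability lookup (left abstract because the page does not show how the built-in policies query the repository) are assumptions; the class compiles only against the Oracle Identity Manager libraries.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Locale;
import java.util.regex.Pattern;
import oracle.iam.identity.usermgmt.api.UsernamePolicy;
import oracle.iam.identity.exception.UserNameGenerationException; // assumed package and String constructor

// Candidate order follows the documented policies: firstname.lastname, firstname.$.lastname, firstname.$$.lastname
public abstract class SafeFirstNameLastNamePolicy implements UsernamePolicy {
    static final String FIRST_NAME = "First Name", LAST_NAME = "Last Name"; // assumed keys; a real plug-in uses
    static final int AD_MAX_LEN = 20;                                       // oracle.iam.identity.utils.Constants
    private static final Pattern UNSAFE = Pattern.compile("[^a-z0-9]");    // keep only RDN/sAMAccountName-safe chars
    private final SecureRandom rnd = new SecureRandom();                    // $ letters come from a CSPRNG
    // Subclass looks the candidate up in the user repository and the reservation table; true when not taken.
    protected abstract boolean isAvailable(String candidate);

    @Override
    public String getUserNameFromPolicy(HashMap<String, String> reqData) throws UserNameGenerationException {
        String first = normalize(reqData.get(FIRST_NAME), "firstname"), last = normalize(reqData.get(LAST_NAME), "lastname");
        for (int infixLen = 0; infixLen <= 2; infixLen++) {
            for (int attempt = 0; attempt < (infixLen == 0 ? 1 : 100); attempt++) { // bounded retries per shape
                String infix = "";
                for (int i = 0; i < infixLen; i++) infix += (char) ('a' + rnd.nextInt(26));
                String candidate = fit(first, infix, last);
                if (isAvailable(candidate)) return candidate;
            }
        }
        throw new UserNameGenerationException("No unique username available for " + first + "." + last);
    }

    @Override // shape and AD length only; a production policy would also compare the parts with reqData
    public boolean isUserNameValid(String userName, HashMap<String, String> reqData) {
        return userName != null && userName.length() <= AD_MAX_LEN && userName.matches("[a-z0-9]+(\\.[a-z]{1,2})?\\.[a-z0-9]+");
    }

    @Override public String getDescription(Locale locale) { return "firstname.lastname, RDN-safe, at most " + AD_MAX_LEN + " chars"; }

    // Reject missing input, as the built-in policies do, then drop characters that are unsafe in a DN or sAMAccountName.
    private static String normalize(String raw, String label) throws UserNameGenerationException {
        if (raw == null || raw.trim().isEmpty())
            throw new UserNameGenerationException("Please provide " + label + " as expected by this policy");
        String s = UNSAFE.matcher(raw.trim().toLowerCase(Locale.ROOT)).replaceAll("");
        if (s.isEmpty()) throw new UserNameGenerationException(label + " contains no usable characters");
        return s;
    }

    // Join the parts; if the result would exceed the AD limit, truncate so that at least one last-name character survives.
    private static String fit(String first, String infix, String last) {
        String sep = infix.isEmpty() ? "." : "." + infix + ".";
        first = first.substring(0, Math.min(first.length(), AD_MAX_LEN - sep.length() - 1));
        int room = AD_MAX_LEN - sep.length() - first.length();
        return first + sep + last.substring(0, Math.min(last.length(), room));
    }
}
```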
The username generation is exposed as public APIs in UserManager. Oracle Identity Manager provides a utility class for accessing the functionality of generating user names. The class that contains the utility methods is as shown:
oracle.iam.identity.usermgmt.api.UserManager
This class exposes the following main methods:
// Generates a username based on the default policy
public String generateUserName(HashMap<String, String> requestData)
        throws UserNameGenerationException

// Generates a username based on the given policy
public String generateUserName(String policyID, HashMap requestData)
        throws UserNameGenerationException

// Checks whether the username is valid against the default policy
public boolean isUserNameValid(String userName, HashMap<String, String> reqData)

// Checks whether the username is valid against the given policy
public boolean isUserNameValid(String userName, String userNamePolicyPluginID, HashMap<String, String> requestData)

// Returns all policies (including customer-written ones)
public List<Map<String, String>> getAllUserNamePolicies(Locale locale)

// Returns the policy description in the given locale
public String getPolicyDescription(String policyID, Locale locale)
Table 11-9 lists the constants defined in the UserManager class to represent the policy ID of the default username policies:
Table 11-9 Constants Representing Policy IDs
| Policy Name | Constant | 
|---|---|
| EmailIDPolicy | EMAIL_ID_POLICY | 
| LastNameFirstInitialLocalePolicy | FIRSTNAME_LASTNAME_POLICY | 
| FirstInitialLastNameLocalePolicy | LASTNAME_FIRSTNAME_POLICY | 
| LastNameFirstInitialPolicy | FIRSTINITIAL_LASTNAME_POLICY | 
| FirstInitialLastNamePolicy | LASTNAME_FIRSTINITIAL_POLICY | 
| LastNameFirstNamePolicy | FIRSTINITIAL_LASTNAME_LOCALE_POLICY | 
| FirstNameLastNamePolicy | LASTNAME_FIRSTINITIAL_LOCALE_POLICY | 
| DefaultComboPolicy | DEFAULT_COMBO_POLICY | 
| LastNamePolicy | LASTNAME_POLICY | 
| LastNameLocalePolicy | LASTNAME_LOCALE_POLICY | 
| FirstNameLastNamePolicyForAD | FIRSTNAME_LASTNAME_POLICY_FOR_AD | 
| LastNameFirstNamePolicyForAD | LASTNAME_FIRSTNAME_POLICY_FOR_AD | 
When called to generate a username, the policy classes expect the attribute values to be set in a map keyed by the constants defined in the oracle.iam.identity.utils.Constants class. This means that each parameter value must be passed under the appropriate constant defined for it; for example, the FirstName parameter has a constant defined for it.
The default username policy can be configured by using Oracle Identity Manager Administration. To do so:
Navigate to the System Configuration section.
Search for all the system properties.
Click Default policy for username generation. The System Property Detail page for the selected property is displayed, as shown in Figure 11-6:
Figure 11-6 The Default Username Policy Configuration

The XL.DefaultUserNameImpl system property is provided for picking up the default policy implementation. By default, it points to the default username policy, which is oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy displayed in the Value field.
In the Value field, enter oracle.iam.identity.usermgmt.impl.plugins.POLICY. Here, POLICY is one of the policy implementations.
Note:
All the plug-ins must be registered with Oracle Identity Manager by using the /identity/metadata/plugin.xml file. A sample plugin.xml file is as shown:
<plugins pluginpoint="oracle.iam.identity.usermgmt.api.UserNamePolicy">
    <plugin pluginclass="oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicy"
            version="1.0" name="LastNameFirstNamePolicy"/>
</plugins>
Click Save.
The username is released in the following scenarios:
When the request is approved and the user is successfully created in Oracle Identity Manager and provisioned to LDAP, the username is removed from the reserved table. The reserved username is removed only after successful user creation following the approvals: the reserved entry in LDAP is removed and the actual user is created.
If the request is rejected, then the reserved entry of username in LDAP and Oracle Identity Manager are removed.
If the request fails while or before creating a user in Oracle Identity Manager or LDAP, then the reserved username is deleted.
In an Oracle Identity Manager deployment in which LDAP synchronization is enabled and Microsoft Active Directory (AD) is the data store, the User Login attribute in Oracle Identity Manager is mapped to the uid attribute in LDAP, which in turn is mapped to the sAMAccountName attribute. The sAMAccountName attribute is used as the login for all AD-based applications. There is a limitation on the maximum length of the value contained in the sAMAccountName attribute in AD: it cannot exceed 20 characters.
Oracle Identity Manager accepts the user name as an input at the time of user creation, and it can be more than 20 characters. Because AD does not support user names of more than 20 characters, Oracle Identity Manager can be configured to generate a user name that consists of fewer than 20 characters.
When AD is used as data store, you can configure the autogeneration of user name by setting the value of the XL.DefaultUserNamePolicyImpl system property to any one of the following:
FirstNameLastNamePolicyForAD: Generates the user login by prefixing a substring from the first name to that of the last name
LastNameFirstNamePolicyForAD: Generates the user login by prefixing a substring from last name to that of the first name
See "Administering System Properties" for information about the XL.DefaultUserNamePolicyImpl system property and setting values of system properties.
Note:
If AD is the data store, then any one of the FirstNameLastNamePolicyForAD or LastNameFirstNamePolicyForAD policies must be used. Any other user name generation policy will fail to generate the user name.
The generation of the Common Name user attribute value in Oracle Identity Manager is described in the following sections:
In an LDAP-enabled deployment of Oracle Identity Manager, Fusion applications such as Human Capital Management (HCM) do not pass the common name in the SPML request. Given that the common name is a mandatory attribute in LDAP and Oracle Identity Manager is set up to use it as the RDN, Oracle Identity Manager must generate a unique common name.
By definition, the Common Name is the user's display name, consisting of the first name and last name. Therefore, Oracle Identity Manager generates the Common Name with the help of a common name generation policy that specifies the Common Name in the "firstname lastname" format.
To configure common name generation in Oracle Identity Manager, set the value of the XL.DefaultCommonNamePolicyImpl system property to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicy. For information about the XL.DefaultCommonNamePolicyImpl system property and setting the value of a system property, see "Administering System Properties" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
The following are the details of the FirstNameLastNamePolicy:
Expected information: Firstname, Lastname
Common Name generated: firstname.lastname, firstname.$.lastname (all possibilities of single random alphabets), firstname.$$.lastname and so on until a unique common name is generated
Note:
The common name must be reserved until the user is created by the request so that multiple requests generated simultaneously having same first and last names do not generate the same common name.
When the user profile is modified, one or more attributes can change. HCM cannot filter out and send only the modified data to Oracle Identity Manager because it does not have the old user attributes and cannot determine which ones were modified. Therefore, all attributes, including the common name (CN), are passed to Oracle Identity Manager in the SPML request. Because the CN changed, Oracle Identity Manager attempts a modify operation (modrdn) in the directory, resulting in a DN change. Because of this unintended DN change, the group membership DN becomes stale, and the user loses membership in that group. This subsequently results in authorization failure. This happens when referential integrity is turned off in the LDAP server, so the referencing groups are not updated when the RDN of the user changes. Therefore, referential integrity must be turned on in the target LDAP server; otherwise, the group memberships become stale. The referential integrity issue also applies to roles: groups are also members of other groups, and any RDN changes must be reflected there as well.
You can turn on the referential integrity by setting the value of the XL.IsReferentialIntegrityEnabled system property to TRUE. For information about this system property, see "Administering System Properties" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Table 11-10 lists the possible scenarios when RDN is modified:
Table 11-10 RDN Modification Scenarios
| Referential Integrity in LDAP | XL.IsReferentialIntegrityEnabled | Result of Modify Operation (modrdn) | 
|---|---|---|
| Disabled | FALSE | Oracle Identity Manager generates an error and operation fails. | 
| Disabled | TRUE | Modify operation passes from Oracle Identity Manager and RDN is changed in LDAP. However, the group references are not updated and are stale. This configuration is not recommended. | 
| Enabled | FALSE | Oracle Identity Manager generates an error and modify operation fails. This property must be set to TRUE in Oracle Identity Manager because referential integrity is enabled in LDAP. | 
| Enabled | TRUE | Modify operation passes and RDN is updated. In addition, the references for the DN are updated in LDAP. | 
| Multiple directories with roles and users stored in separate directories. Referential integrity property is not relevant here. | FALSE | Modify operation fails from Oracle Identity Manager. This is not supported by LDAP. Therefore, FALSE is the recommended value in Oracle Identity Manager for the property. | 
| Multiple directories with roles and users stored in separate directories. Referential integrity property is not relevant here. | TRUE | Modify operation passes and RDN is modified. However, because LDAP does not support referential integrity in multiple directories, the group references are stale and must be manually updated. |