Manage Identities

Administrators can manage two types of identity population within the Oracle Access Governance service. The Manage Identities feature allows administrators to activate/inactivate identities within the service, and flag identities as either Workforce or Consumer users.

Active/Inactive Identities

Active identities: Identities flagged as active within the Oracle Access Governance service, which enables the following features:
- Access to the Oracle Access Governance console, allowing identities to utilize features including My Access, My Access Reviews, My Preferences and so on.
- Allows the identity's access to be governed in Oracle Access Governance.
- Allows identities to be included in access review campaigns.
- Active identities are considered for billing purposes.
Inactive identities: Identities flagged as inactive within the Oracle Access Governance service.
- Inactive identities have no access to the Oracle Access Governance console.
- Inactive identities access governance is not governed in Oracle Access Governance.
- Inactive identities are not included in access review campaigns.
- Inactive identities are not considered for billing.

Note:

The default status of identities present in Oracle Access Governance is NULL. In order for identities to use the service functionality, and be considered for billing, you must activate all users for which this is required, using the steps detailed in this article.

Identities imported from Oracle Identity Governance have a status of Disabled or Enabled. This is different from the Oracle Access Governance status Active/Inactive. You should consider the following conditions when dealing with identities imported from Oracle Identity Governance:

A Disabled identity can be marked as an Active identity in Access Governance to review its access privileges.
An Oracle Access Governance Administrator may set rules, based on the attributes of disabled identites, to mark those disabled identities as Active in Oracle Access Governance.
Oracle Access Governance will include only those Disabled identities for billing that are marked as Active.

Consumer/Workforce Users

A user can be either a Workforce user or a Consumer. The main difference is that a Consumer user has no access to the Oracle Access Governance service. By default, users are Workforce users. The specific differences between the two types are given in the table below:

Table - Workforce and Consumer Users

Capabilities	Workforce User	Consumer User
Access the Oracle Access Governance service: by console or programmatically.	YES	NO
Perform configurations and integrations, such as orchestrated systems, identity marking, identity attributes.	YES	NO
Manage access control objects (Role, Access Bundle, Identity Collection, Policy).	YES	NO
Manage access review campaigns (event-based, periodic, one-time).	YES	NO
Generate reports for access reviews and approvals.	YES	NO
View access privileges assigned to self or others.	YES	NO
Raise access request for self and/or others.	YES	NO
Perform access approval tasks.	YES	NO
Access privileges are managed by others.	YES	YES
Assigned access privileges are assigned by others.	YES	YES

Navigate to Manage Identities

Here's how you can access the Manage Identities page:

Log in to the Oracle Access Governance Console as a user with the Administrator application role.
Click in the top left corner to display the navigation menu.
Select Service Administration → Manage Identities to begin defining your identity rules.

The Manage Identities page is displayed, where you have to define which identities you want to activate. Oracle Access Governance identities are displayed in this page with each identity showing attributes such as First Name, Last Name, Employee User Name, Email, and others. You can modify the attributes displayed for each identity by selecting the Edit list settings icon. In the List settings pop-up, you can choose to Show or Hide attributes. An example would be that you want to flag identities which have delegations defined. To implement this you would select to Show the Delegation attribute.

You can use the Search field to locate the required identity using a string search. Alternatively you can select one of the available filters, for example, if you select the Delegation Yes filter would restrict identities displayed to those for which delegations are defined.

Select Identities for Activation

In the Manage Identities page, an Administrator defines the identities that you want to include in the Oracle Access Governance service.

You can identify identities to include in your service by selecting criteria based on conditional statements. Either at least one (Any) or all (All) the set conditions must be satisfied. The list of available attributes is determined by the ingested data from the Managed System, and may include custom attributes.

You can select identities based on Membership rule and/or Named identities. Identities satisfying the set criteria for the Membership rule will automatically be included in your service. Using Named identities, you can directly add specific identities based on their full name.

You can also exclude specific members from your service by selecting Manage exclusions and entering the identities you want to exclude.

Select Any if any one of the set conditions should be satisfied, or select All if all the set conditions must be satisfied for that identity.
Select the attribute name from the list.

Note:
Based on the Managed System, you can select both core and/or custom attributes. To enable custom attributes, see Manage Identity Attributes
Select the conditional operator. Based on the data type of the attribute selected, the usage of these operators will vary.
Type the attribute value.
Continue to add the conditional statements or rules for more attributes.
By default all the identities matching the criteria will be included. Click the Manage Exclusions button next to Excluding # identity from the attribute conditions and then select the identities that you want to exclude from your service.
Once you have defined your rules, select Preview summary based on the rule above to go to the Preview Summary popup. This will display the following information, for the top 10 in each category:
- Total number of matches based on the rules you have entered.
- Total number of identities in the service.
- Breakdown of the distribution of included identities based on:
  - Organization
  - Job code
  - Location
  - Employee type
If you are satisfied with your preview, click Save.

Note:

Existing customers with identities loaded from Oracle Identity Governance should be aware that they must activate identities required, else they will not be able to see loaded identities in the system as all identities are excluded by default. Customers in this situation can either activate users, as described above, or set the following rule which will activate all identities they previously loaded from Oracle Identity Governance.

status equals Active

Select Consumer Users

In the Manage Identities page, an Administrator defines the identities that you want to be flagged as consumer users in the Oracle Access Governance service.

You can identify identities to include as consumers in your service by selecting criteria based on conditional statements. Either at least one (Any) or all (All) the set conditions must be satisfied. The list of available attributes is determined by the ingested data from the Managed System, and may include custom attributes.

You can select identities based on Membership rule and/or Named identities. Identities satisfying the set criteria for the Membership rule will automatically be included as consumers in your service. Using Named identities, you can directly add specific identities based on their full name.

You can also exclude specific members from your service by selecting Manage exclusions and entering the identities you want to exclude.

Select Any if any one of the set conditions should be satisfied, or select All if all the set conditions must be satisfied for that identity.
Select the attribute name from the list.

Note:
Based on the Managed System, you can select both core and/or custom attributes. To enable custom attributes, see Manage Identity Attributes
Select the conditional operator. Based on the data type of the attribute selected, the usage of these operators will vary.
Type the attribute value.
Continue to add the conditional statements or rules for more attributes.
By default all the identities matching the criteria will be included. Click the Manage Exclusions button next to Excluding # identity from the attribute conditions and then select the identities that you want to exclude from your service.
Once you have defined your rules, select Preview summary based on the rule above to go to the Preview Summary popup. This will display the following information, for the top 10 in each category:
- Total number of matches based on the rules you have entered.
If you are satisfied with your preview, click Save.

Create and Manage Organizations

You can now structure identities and form relationships between identities by creating and managing Organization with the Oracle Access Governance Console.

You can use Organizations to perform various operations within the Oracle Access Governance Console. For example, you can use it as an attribute (Organization) to create an Identity Collection, which can then be used for identity reviews, assigning access privileges, or for provisioning operations.

Note:

This Organization concept is native to Oracle Access Governance and is different than the source organization, which is loaded from an orchestrated system. It will be available in the core attribute list as agOrganization (where the orchestrated system is Internal) with the Manage Identities flag set to true. See View and Configure Custom Identity Attributes. If this flag is set to true, you can use this Organization to create/manage an Identity collection within Oracle Access Governance.

In the Oracle Access Governance Console, click the icon, and select Service Administration, and then Manage Identities, and then Organizations. You will see the Organizations page where you can view and manage existing organization, or create new ones.

Create Organization

To create a new organization, click the Create an organization button. The Add Details task is displayed. In the Add Details task, you can enter specifics about your organization. Here, you can give a meaningful name and add its supporting description.

Enter a name for your organization in the What do you want to call this organization? field.
Add a description for your organization in the How would you describe this organization? field.
Select one or more identities from the Who else can manage this organization list. The owner along with the listed identities can manage this organization.
Add one or more tags to identify or search your organization.
Once you have set your preferences, select Next to go to the Select Identities step.

Add Owners

You can associate resource ownership by adding primary and additional owners. This drives self-service as these owners can then manage (read, update or delete) the resources that they own. By default, the resource creator is designated as the resource owner. You can assign one primary owner and up to 20 additional owners for the resources.

Note:

When setting up the first Orchestrated System for your service instance, you can assign owners only after you enable the identities from the Manage Identities section.

To add owners:

Select an Oracle Access Governance active user as the primary owner in the Who is the primary owner? field.
Select one or more additional owners in the Who else owns it? list. You can add up to 20 additional owners for the resource.

You can view the Primary Owner in the list. All the owners can view and manage the resources that they own.

Select Identities

In the Select Identities task, add identities that you want be part of your organization. You can select identities based on Membership rule and/or Named identities. For Membership rule, the identities satisfying the set criteria will automatically be included in organization. In Named identities, you can directly add identities based on their full name. All the available active identities (configured from the Licence Management page) will be displayed.

You can also exclude specific members from your organization by selecting Manage exclusions and entering the identities you want to exclude.

Select Any if any one of the set conditions should be satisfied, or select All if all the set conditions must be satisfied for that identity.
Select the attribute name from the list.

Note:
Based on the orchestrated system, you can select both core and/or custom attributes. To enable custom attributes, see View and Configure Custom Identity Attributes
Select the conditional operator. Based on the data type of the attribute selected, the usage of these operators will vary.
Type the attribute value.
Continue to add the conditional statements or rules for more attributes.
By default all the identities matching the criteria will be included. Click the Manage Exclusions button next to Excluding # identity from the attribute conditions and then select the identities that you want to exclude from an organization.
Once you have set your preferences, select Next to go to the Review and submit step.
You can preview graphical summary of how many identities are included in your organization by clicking the Preview the organization link. This link is available on the right-side, towards the bottom of the Who is included panel.
If you are satisfied with your organization preview, click Create.

Manage Organization

Oracle Access Governance Administrators can view and manage organizations from the Oracle Access Governance Console. You can view existing organization and manage the ones that you created, or are authorized to manage, using the Oracle Access Governance Console. Use the Actions

Actions menu icon to edit, delete or view details of the organization.

Note:

Only organization owners and/or authorized users (selected while creating/modifying an identity collection) can edit or delete the organization.

You can perform the following:

Search and Filter available organizations: You can use the Search field to locate the required organization by its name. You can narrow down the results by applying the available filters.
Edit an organization: The Edit an organization page provides the same guided tasks as you see while creating a new identity collection. Owner of the organization and/or authorized users can modify its description, identity type, or added identities. After updating the details, on the Review and submit step, select Update to update the organization.
View organization details: You can see Organization page displaying complete organization details, such as Organization owner, created and last modified dates, current members, as well as how the current members were included (through named identities or membership rule).
Delete an organization: You can delete the organization if you are the owner of the organization or you have been given the rights by the owner. If an identity collection is based on the deleted organization value, then those identities would no longer be members of that identity collection.

Manage Account Lifecycle with Oracle Access Governance Service Desk Administrator Support

As a user with AG_ServiceDesk_Admin role, you can directly initiate account management operations with no approval process. You may enable, disable, delete accounts, or terminate all accounts and associated accesses for an identity. You can also retry provisioning for failed or pending statuses, and revoke permissions assigned directly or through requests from the Manage Identities → Identities page.

Additionally, AG_ServiceDesk_Admin can manage delegations or change password. For more details, see Manage Delegation Preferences and View Access Details and Manage Account.

Terminate all Accounts and Accesses for an Identity

You can terminate accounts and associated accesses for an identity immediately without an approval process. The identity would still remain Active in Oracle Access Governance.

Accounts and accesses with Grant Type DIRECT cannot be terminated. You may view the termination status by selecting the Terminated in Access Governance column from the Manage Identities → Identities page.

Required roles: AG_ServiceDesk_Admin

For more details, see Application Roles and Responsibilities Reference.

Terminate Accounts and Accesses for an Identity

Log in to Oracle Access Governance Console.
Click the navigation icon in the top left corner to display the navigation menu.
Select Service Administration, and then Manage Identities. The Identities page opens by default.
From the Identities list, select theActions icon and select Terminate.
A confirmation dialog box is displayed confirming that all accounts and accesses for an identity will be deleted or disabled based on account settings.
Select the acknowledgment check box to terminate an identity access.
Select Terminate in the dialog box. A confirmation message stating termination request has been initiated will be displayed.
Once terminated, the status changes to Yes in the Terminated in Access Governance column along with a flag Terminated in the Identity details page. You may have to edit the list settings to view the column. You cannot manage these accounts from Oracle Access Governance.

Activate Accounts and Accesses for an Identity

You can re-provision terminated accounts and accesses using the Activate operation, ensuring seamless account management in Oracle Access Governance.

Terminated accounts with Grant Type Policy can be re-provisioned into Oracle Access Governance.

For more details, see Application Roles and Responsibilities Reference.

From the Identities list, select theActions icon and select Activate.
A confirmation dialog box is displayed confirming accesses for an identity will be enabled.
Select the acknowledgment check box to activate an identity access.
Select Activate. A confirmation message stating activation request has been initiated will be displayed.
Once activated, the status changes back to No in the Terminated in Access Governance column. You can now manage these accounts for an identity from Oracle Access Governance.

Revoke Permissions for an Account Managed by Oracle Access Governance

Permissions assigned directly, with grant type Direct, or access bundles granted through a self-service request, with grant type Request, can directly be revoked for an identity from the Manage Identities → Identities page.

You cannot revoke permissions for Oracle Cloud Infrastructure (OCI) and Oracle Identity Governance (OIG).

Log in to Oracle Access Governance Console.
Click the navigation icon in the top left corner to display the navigation menu.
Select Service Administration, and then Manage Identities. The Identities page opens by default.
From the Identities list, select theActions icon and select View details.
The Identity details page is displayed with the Permissions tab selected by default.
Select the Actions icon corresponding to the permission that you want to revoke.
Select Revoke permission. A confirmation dialog box is displayed confirming that permission accesses will be revoked.
Select Revoke. A confirmation message stating revocation request has been initiated will be displayed.

During the revocation process, a transitional state indicator with an

icon and tool tip are displayed. Once the process is complete, the final status is displayed in the Status column. For failed or pending statuses, you may again retry provisioning for the permissions provisioned within Oracle Access Governance.

Retry Provisioning for Failed or Pending Accesses

You can retry provisioning for accesses with the Failed or Pending statuses. You can perform this operation for access bundles granted through request or granted via policy, that is, Grant Type Request or Grant Type Policy.

Log in to Oracle Access Governance Console.
Click the navigation icon in the top left corner to display the navigation menu.
Select Service Administration, and then Manage Identities. The Identities page opens by default.
From the Identities list, select theActions icon and select View details.
The Identity details page is displayed with the Permissions tab selected by default.
Select the Actions icon corresponding to the permission for which you want to retry provisioning.
Select Retry provisioning. A confirmation dialog box is displayed confirming that provisioning for the accesses will be retried.
Select Retry. A confirmation message will be displayed.

During the retry provisioning process, a transitional state indicator with an

icon and tool tip are displayed. Once the process is complete, the final status is displayed in the Status column.

Disable and Enable an Account Managed by Oracle Access Governance

You can directly disable one or more accounts that are managed by Oracle Access Governance. You can perform this operation for the orchestrated systems that support this operation.

Disable an Account Managed by Oracle Access Governance

Log in to Oracle Access Governance Console.
Click the navigation icon in the top left corner to display the navigation menu.
Select Service Administration, and then Manage Identities. The Identities page opens by default.
From the Identities list, select theActions icon and select View details.
The Identity details page is displayed with the Permissions tab selected by default.
Select the Accounts tab.
Select the Actions icon corresponding to the account that you want to disable.
Select Disable account. A confirmation dialog box is displayed confirming that account will be disabled and access will be removed.
Select Disable. A success message is displayed.
During the process, a transitional state indicator with an icon and tool tip are displayed. Once the process is complete, the final status changes to Disabled in the Status column.

Enable an Account to be Managed by Oracle Access Governance

To enable a disabled account and restore the accesses, select the Actions icon corresponding to the account that you want to enable.
Select Enable account. A confirmation dialog box is displayed confirming that account will be enabled and access will be granted or re-provisioned.
Select Enable. A success message is displayed.
During the process, a transitional state indicator with an icon and tool tip are displayed. Once the process is complete, the final status changes to Enabled in the Status column.

Delete an Account Managed by Oracle Access Governance

You can directly delete one or more accounts that are managed by Oracle Access Governance. Once deleted, you can no longer manage these accounts from Oracle Access Governance.

Delete an Account Managed by Oracle Access Governance

Log in to Oracle Access Governance Console.
Click the navigation icon in the top left corner to display the navigation menu.
Select Service Administration, and then Manage Identities. The Identities page opens by default.
From the Identities list, select theActions icon and select View details.
The Identity details page is displayed with the Permissions tab selected by default.
Select the Accounts tab.
Select the Actions icon corresponding to the account that you want to delete.
Select Delete account. A confirmation dialog box is displayed confirming that account will be deleted and access will be removed.
Select Delete. A success message is displayed.
During the process, a transitional state indicator with an icon and tool tip are displayed. Once the process is complete, the account is removed from the list.

Title and Copyright Information

Oracle and/or its affiliates.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customer access to and use of Oracle support services will be pursuant to the terms and conditions specified in their Oracle order for the applicable services.