Oracle Access Governance Integration Functional Overview: Supported Operations in Orchestrated System
Oracle Access Governance enables integration with many native, direct or specialized applications and systems, either as an authoritative source or managed system.
Configure Orchestrated System
- Notification Settings
- Identity/Account Matching Rules
- Apply data transformations to inbound and outbound data
- Identity attributes
Load Data
Once you have set up and verified your orchestrated system, you can run data loads to ingest identity and account details, depending on the configuration mode you have selected: Authoritative Source or Managed System.
Data loaded in Authoritative Source mode will consist of user data from the orchestrated system. If the user is new, then a new identity is created in Oracle Access Governance. If the identity already exists in Oracle Access Governance, then any updates initiated in the orchestrated system will be applied.
Data loaded in Managed System mode comprises account data and permissions from the orchestrated system. If the account is provisioned from Oracle Access Governance, then a new account is created, together with associated permissions, in the orchestrated system. Accounts and permissions directly loaded from your orchestrated system can be managed by Oracle Access Governance. You can remediate permissions associated with a managed system account. If the account only has one permission assigned then remediation of this permission will also result in the revoking of the account.
Create Account
- Ingesting account data from your orchestrated system.
- When a role, policy, or access bundle containing application permissions is assigned to an identity. If you have an identity in Oracle Access Governance then you can request an account by using the Request a new access functionality in the Oracle Access Governance console. If you make an access request for an access bundle or permission which is approved, a provisioning operation will be initiated. The provisioning process will, if there is no existing account managed by Oracle Access Governance, create an account on the chosen application. If an account managed by Oracle Access Governance already exists, then the permissions for that account are updated based on the values in the access bundle.
For further details about account creation, refer to Request Access.
Assign Permissions
You can assign permissions to an account using the Request a new access functionality of Oracle Access Governance. This allows you to request an access bundle containing permissions applicable to your application. When you request an access bundle, either directly or through an Oracle Access Governance role or policy, a provisioning operation is initiated which updates the permissions in your application with the permissions included in the referenced access bundle.
For further details about permission assignment, refer to Request Access. To learn more about roles and policies, refer to Manage Roles, and Manage Policies.
Remove Permissions
You can remove permissions from an account by revoking the permission from the role, policy or access bundle to which it is assigned. In this case, the permission assignment is revoked from all users to whom the role, policy or access bundle is applied. Say you had an access bundle with two permissions, Admin and Developer, which had previously been provisioned to your application. You could update the access bundle containing these permissions to remove Developer and add Composer, resulting in the access bundle containing Admin and Composer. This change would be reflected following the next provisioning operation, by removing the Developer role and assigning the Composer role. Admin would remain assigned.
Another way to remove a permission would be by revoking role, policy or access bundle assignment from a specific account. This would be done using the revoke operation in access reviews.
For further details about permission assignment, refer to Delete a Role, Delete a Policy, or Manage Access Bundles -> Delete an Access Bundle.
Users with the AG_ServiceDesk_Admin role can directly revoke permissions from the Manage Identities page, using the Revoke permission operation. The Grant Type of these permissions must either be DIRECT or Access Bundles granted through REQUEST. You cannot revoke permissions for Oracle Cloud Infrastructure (OCI) or Oracle Identity Governance (OIG) systems. For detailed steps, see Revoke one or multiple permissions for an Account.
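The removal rules in this section, together with the last-permission rule under Load Data, can be modeled offline to preview the effect of a change before the next provisioning operation. The following Python is an added example, not Oracle code or an Oracle Access Governance API; the function names, account names, and the string labels used for system and grant types are assumptions, and the sample data is constructed.

```python
"""Model of the permission-removal rules described above (constructed data)."""

# Assumed labels for the systems the page excludes from direct revoke.
NO_DIRECT_REVOKE_SYSTEMS = {"OCI", "OIG"}
# Grant types the page lists as eligible for direct revoke.
DIRECT_REVOKE_GRANT_TYPES = {"DIRECT", "REQUEST"}


def bundle_change_impact(old_perms, new_perms, assigned_accounts):
    """Per-account provisioning delta when an access bundle is edited."""
    old, new = set(old_perms), set(new_perms)
    delta = {
        "revoke": sorted(old - new),
        "grant": sorted(new - old),
        "keep": sorted(old & new),
    }
    # The edit reaches every account the bundle is applied to.
    return {acct: dict(delta) for acct in assigned_accounts}


def can_direct_revoke(actor_roles, system_type, grant_type):
    """Return (allowed, reason) for the Revoke permission operation."""
    if "AG_ServiceDesk_Admin" not in actor_roles:
        return False, "actor lacks AG_ServiceDesk_Admin"
    if system_type in NO_DIRECT_REVOKE_SYSTEMS:
        return False, f"{system_type} permissions cannot be revoked directly"
    if grant_type not in DIRECT_REVOKE_GRANT_TYPES:
        return False, f"grant type {grant_type} is not DIRECT or REQUEST"
    return True, "eligible"


def remediation_effect(account_perms, permission):
    """Managed System mode: removing the only permission revokes the account."""
    if permission not in account_perms:
        raise ValueError(f"{permission} is not assigned to this account")
    remaining = [p for p in account_perms if p != permission]
    if not remaining:
        return "revoke_account", []
    return "revoke_permission", remaining


if __name__ == "__main__":
    # Constructed sample: the Admin/Developer -> Admin/Composer edit from the text.
    print(bundle_change_impact(["Admin", "Developer"], ["Admin", "Composer"],
                               ["acct-1", "acct-2"]))
    print(can_direct_revoke({"AG_ServiceDesk_Admin"}, "OCI", "DIRECT"))
    print(remediation_effect(["Admin"], "Admin"))
```

Running the bundle edit through this model before saving it shows how many accounts lose a permission at the next provisioning run, which is the blast radius to review before approving the change.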
Change Password
The ability to change an account password is provided by the My Access functionality in Oracle Access Governance Console. If you change the account password in this page, the details will be sent to the chosen application in the next provisioning operation, and the password change is applied to your Database Application Tables account.
For further details about changing passwords, refer to Change Account Password.
Revoke Account
If you revoke an account in an access review, provisioning tasks will be created to revoke the account in the corresponding application. For further details about revoking accounts, refer to Delete a Role, or Delete a Policy.
Users with the AG_ServiceDesk_Admin role can now directly disable accounts managed by Oracle Access Governance from the Manage Identities page, using the Disable account operation. Once disabled, all the associated accesses are revoked. The accounts can still be managed by Oracle Access Governance. For detailed steps, see Disable and Enable an Account Managed by Oracle Access Governance.
You may delete accounts using the Delete account operation. For deleted accounts, all the associated accesses are removed and you can no longer manage the accounts from Oracle Access Governance. For detailed steps, see Delete an Account Managed by Oracle Access Governance.
Enable Account
Users with the AG_ServiceDesk_Admin role can re-provision the accounts and the accesses using the Enable account operation from the Manage Identities page. Once enabled, all the accounts and accesses are re-provisioned into Oracle Access Governance. For detailed steps, see Disable or Enable an Account Managed by Oracle Access Governance.