
11-56 Oracle Fusion Middleware Users Guide for Oracle Identity Manager

11.5 Username Reservation

A request for creating a user can be raised from Oracle Identity Manager Self Service or Oracle Identity Manager Administration. When the request is submitted, the following scenarios are possible:

■ While the request is pending, another create user request is submitted with the same username. If the second request is approved and the user is created, then the first request, when approved, fails because the username already exists in Oracle Identity Manager.

■ While the request is pending, another user with the same username is directly created in the LDAP identity store. When the create user request is approved, it fails while provisioning the user entity to LDAP because an entry already exists in LDAP with the same username.

To avoid these problems, you can reserve the username in both Oracle Identity Manager and LDAP while the create user request is pending for approval. If a request is created to create a user with the same username, then an error message is displayed and the create user request is not created. For reserving the username:

■ The USER ATTRIBUTE RESERVATION ENABLED system property must be set to TRUE for the functionality to be enabled. For information about searching and modifying system properties, see Administering System Properties in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

■ Reservation in LDAP is done only if the reservation functionality is enabled and LDAP is in sync with the Oracle Identity Manager database. For information about synchronization between Oracle Identity Manager and the LDAP identity store, see Integration Between LDAP Identity Store and Oracle Identity Manager on page 4-23.

If user attribute reservation is enabled, the reservation happens in two phases:

In the first phase, an entry is created in the Oracle Identity Manager database and a user is created in the reservation container. This entry in the Oracle Identity Manager database is removed after successful creation of the user, rejection by the approver, or request failure.

In the second phase, in LDAP, on successful creation, the user is moved to the reservation container. In other cases, such as rejection by the approver or request failure, the user is removed from the reservation container.

After the request-level and operation-level approvals are obtained for the create user request, the username is no longer reserved in the username container in LDAP. The username is moved to the container in which the existing users are stored. The user is also created in Oracle Identity Manager.

See Also: Creating a Request To Create a User on page 14-1 for information about creating requests to create a user

Note:

■ If the LDAP provider is not configured, then the reservation is done only in Oracle Identity Manager.

■ When the LDAP synchronization and user attribute reservation features are enabled, it is recommended to enable UID uniqueness in the directory server. Without this, user reservation in the directory does not work properly because, while the user is reserved in the reservation container, a user with the same user ID can be created in the user container. This results in user creation failure when Oracle Identity Manager tries to move the user from the reservation container to the user container.

This section consists of the following topics:

■ Enabling and Disabling Username Reservation

■ Configuring the Username Policy

■ Releasing the Username

■ Configuring Username Generation to Support Microsoft Active Directory
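The two-phase reservation and the UID-uniqueness caveat described above, as an added Python model that is not Oracle code: plain sets stand in for the Oracle Identity Manager database entry, the LDAP reservation container and the LDAP user container, and the class and method names are assumptions made for this illustration.

```python
class UsernameTaken(Exception):
    """Raised where Oracle Identity Manager would report the username as already in use."""


class ReservationModel:
    """Hypothetical stand-in for the OIM database plus the two LDAP containers."""

    def __init__(self, uid_uniqueness=True):
        self.oim_reserved = set()    # phase 1: reservation entry in the OIM database
        self.ldap_reserved = set()   # phase 1: user in the LDAP reservation container
        self.ldap_users = set()      # LDAP container holding the existing users
        self.oim_users = set()       # users created in OIM
        self.uid_uniqueness = uid_uniqueness  # directory-enforced UID uniqueness

    def submit_create_request(self, username):
        """Reserve the username in both stores, or refuse the request outright."""
        if username in (self.oim_reserved | self.oim_users | self.ldap_users):
            raise UsernameTaken(username)
        self.oim_reserved.add(username)
        self.ldap_reserved.add(username)

    def direct_ldap_create(self, username):
        """A user created straight in the LDAP user container, bypassing OIM."""
        if username in self.ldap_users:
            raise UsernameTaken(username)
        # Only a directory that enforces UID uniqueness sees the reservation
        # entry in the other container and refuses the duplicate.
        if self.uid_uniqueness and username in self.ldap_reserved:
            raise UsernameTaken(username)
        self.ldap_users.add(username)

    def approve(self, username):
        """Phase 2: move the user from the reservation container to the user container."""
        if username in self.ldap_users:
            # The failure mode the note describes: the move collides, so the
            # reservation is released and the create user request fails.
            self.release(username)
            raise UsernameTaken(username)
        self.ldap_reserved.discard(username)
        self.ldap_users.add(username)
        self.oim_reserved.discard(username)
        self.oim_users.add(username)

    def release(self, username):
        """Rejection by the approver or request failure: drop both reservations."""
        self.oim_reserved.discard(username)
        self.ldap_reserved.discard(username)
```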

11.5.1 Enabling and Disabling Username Reservation

The username reservation functionality is enabled by default in Oracle Identity Manager. This is done by keeping the value of the USER ATTRIBUTE RESERVATION ENABLED system property set to TRUE. You can verify the value of this system property in the System Configuration section of Oracle Identity Manager Administration. To disable username reservation:

1. Log in to the Administrative and User Console.

2. Click Advanced Administration.

3. Click System Management.

4. Click System Configuration.

5. On the left pane, click the search icon to search for all existing system properties. A list of system properties are displayed in the search results table.

6. Click User Attribute Reservation Enabled. The System Property Detail page for the selected system property is displayed, as shown in Figure 11–7.

Figure 11–7 The System Property Detail Page

7. In the Value field, enter False.

8. Click Save. The username reservation functionality is disabled.


11.5.2 Configuring the Username Policy

Username Policy is a plug-in implementation for username operations such as username generation and username validation. The policies follow the Oracle Identity Manager plug-in framework. You can add your own policies by adding new plug-ins and changing the default policies from the System Configuration section in Oracle Identity Administration. In the case of a create user request, the plug-ins are invoked only if the user login is not provided. In such a case, the plug-in to be invoked is picked up from the system property, Default policy for username generation.

See Also: Developing Plug-ins in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about the plug-in framework

Table 11–8 lists the predefined username policies provided by Oracle Identity Manager. In this table, the dollar sign ($) in the username generation indicates a random alphabet:

Table 11–8 Predefined Username Policies

Policy Name: oracle.iam.identity.usermgmt.impl.plugins.EmailUserNamePolicy
Expected Information: E-mail
Username Generated: If e-mail is provided, then e-mail is generated as username.

Policy Name: oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstInitialLocalePolicy
Expected Information: First name, last name, and locale
Username Generated: last name + first initial_locale, last name + middle initial + first initial_locale, last name + $ + first initial_locale (all possibilities of single random alphabets), last name + $$ + first initial_locale

Policy Name: oracle.iam.identity.usermgmt.impl.plugins.FirstInitialLastNameLocalePolicy
Expected Information: Firstname, Lastname, Locale
Username Generated: first initial + lastname_locale, first initial + middle initial + first name_locale, first initial + $ + lastname_locale, first initial + $$ + lastname_locale

Policy Name: oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstInitialPolicy
Expected Information: Firstname, Lastname
Username Generated: lastname+firstInitial, lastname+middleinitial+firstInitial, lastname+$+firstInitial (all possibilities of single random alphabets), lastname+$$+firstInitial

Policy Name: oracle.iam.identity.usermgmt.impl.plugins.FirstInitialLastNamePolicy
Expected Information: Firstname, Lastname
Username Generated: firstInitial+lastname, firstInitial+middleInitial+firstname, firstInitial+$+lastname, firstInitial+$$+lastname

Policy Name: oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicy
Expected Information: Firstname, Lastname
Username Generated: lastname.firstname, lastname.middleinitial.firstname, lastname.$.firstname (all possibilities of single random alphabets), lastname.$$.firstname

Policy Name: oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicy
Expected Information: Firstname, Lastname
Username Generated: firstname.lastname, firstname.middleinitial.lastname, firstname.$.lastname (all possibilities of single random alphabets), firstname.$$.lastname
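The candidate order of the LastNameFirstInitialPolicy and FirstNameLastNamePolicy rows of Table 11–8, combined with the "already reserved or existing" check that the reservation feature performs, as an added Python illustration that is not Oracle's plug-in code. Oracle draws the $ letters at random; this example walks the alphabet in order so that results are reproducible, and the function names are assumptions.

```python
import string


def _init(name):
    """First letter, lower-cased; empty string if the name is absent."""
    return name[:1].lower() if name else ""


def _walk(left, right, sep, middle_initial):
    """Candidate order shared by the Table 11-8 rows: left+right,
    left+middle+right, left+$+right (every single letter), then
    left+$$+right (every pair of letters), joined with `sep`."""
    yield f"{left}{sep}{right}"
    if middle_initial:
        yield f"{left}{sep}{middle_initial}{sep}{right}"
    for c in string.ascii_lowercase:
        yield f"{left}{sep}{c}{sep}{right}"
    for c1 in string.ascii_lowercase:
        for c2 in string.ascii_lowercase:
            yield f"{left}{sep}{c1}{c2}{sep}{right}"


def last_name_first_initial(first, last, middle=""):
    """LastNameFirstInitialPolicy: lastname+firstInitial, lastname+middleinitial+firstInitial, ..."""
    return _walk(last.lower(), _init(first), "", _init(middle))


def first_name_last_name(first, last, middle=""):
    """FirstNameLastNamePolicy: firstname.lastname, firstname.middleinitial.lastname, ..."""
    return _walk(first.lower(), last.lower(), ".", _init(middle))


def pick_username(candidates, taken):
    """Return the first candidate that is neither an existing user nor a
    pending reservation (the set `taken` stands in for both stores), or
    None once every pattern in the policy is exhausted."""
    for cand in candidates:
        if cand not in taken:
            return cand
    return None
```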