Select the Manually change the Password option.

Managing Users 11-49

Only those attributes configured as part of the modify operation in the user management configuration are displayed as fields in the Bulk Modify page. The attributes displayed are restricted to those defined in the user entity definition with the Support Bulk Update property set to Yes. The attributes are further filtered by the authorization policies that specify which attributes of the selected users you have privileges to modify. Because the permissions are based on authorization policy and each selected user may fall under different policies, an attribute is offered only if you are allowed to modify it for every one of the selected users. For instance, if the authorization policies allow you to modify only the first name of one user and only the last name of another user, and you select both of these users, then no attribute is modifiable for all of the selected users and no fields are allowed. As a result, the Bulk Modify page displays an error message stating that the attributes of the selected users cannot be modified in bulk, and you must change the user selection.

Table 11–6 Fields in the Bulk Modify Page

Section: Basic User Information
■ Design Console Access: Check box that indicates whether or not the users can log in to the Design Console.
■ Manager: The reporting manager of the selected users.
■ Organization: The organization to which the selected users belong.
■ User Type: The type of the selected employees, such as full-time employee, intern, contractor, part-time employee, consultant, or temporary.

Section: Account Effective Dates
■ Start Date: The date when the selected users will be activated in the system.
■ End Date: The date when the selected users will be deactivated in the system.

Section: Provisioning Dates
■ Provisioning Date: The date when the users are provisioned.
■ Deprovisioning Date: The date when the users are deprovisioned.

11-50 Oracle Fusion Middleware User's Guide for Oracle Identity Manager

11.4 User Management Authorization

See Also: Chapter 15, Managing Authorization Policies, for detailed information about authorization policies in Oracle Identity Manager

Run-time security is enforced in the user management service through authorization policies. Each role in Oracle Identity Manager can be associated with one or more such authorization policies. Users that are members of a role are authorized to perform various user tasks based on the privileges granted to the role by its associated authorization policies. Because a user may have many roles, the privileges of a user are the cumulative privileges of his collective roles. The access controls are implemented in the form of authorization policies that are managed by Oracle Entitlements Server (OES). These policies define the controls in terms of roles and targets. The target is a combination of privilege, entity, and entity attribute. If a user has multiple roles that have different authorization policies applicable in the same context, then the user's access rights are the cumulative rights across those policies. In other words, if a policy with read permission is granted to a role, and a policy with write permission is granted to another role, then a user with both roles has read and write permission.

The authorization model is described in the following topics:
■ Privileges
■ Attributes
■ Data Constraints
■ Authorization with Multiple Policies

11.4.1 Privileges

All authorization privileges are controlled by authorization policies. Oracle Identity Manager explicitly defines privileges that control access rights for performing various operations in the application. Table 11–7 lists the authorization privileges available in Oracle Identity Manager for the user management feature that can be assigned to roles as part of an authorization policy definition.

Note: For all of the privileges, at the Entity Instance Level there must be a qualifier that determines over which users the logged-in user has the privilege.

Table 11–7 Authorization Privileges for User Management

■ Search for Users: You can define the qualifier for this privilege in terms of organizations, role memberships, or attribute-based rules. For information about defining this qualifier, see Chapter 15, Managing Authorization Policies.
  Note:
  – The Search for Users privilege depends on the View User Details privilege to determine which attributes can be included in the search results and which attributes can be included in the search criteria for a user search. Consequently, any User Management policy that provides the Search for Users permission should also provide the View User Details permission, and the View User Details permission should include the User Login, Account Status, Identity Status, and Display Name attributes. If you do not provide these attributes, the user might not be fully viewable or editable.
  – To enable users to perform a search based upon a user attribute, you must also configure that attribute as Searchable in the user configuration.
  There is a default authorization policy for the search operation that decides what the user can search. For information about default authorization policies for user management, see User Management on page 15-14.

■ View User Details: This privilege determines if you have the ability to display the User Details page for a user from the search results table. This privilege supports the following fine-grained controls:
  – Entity Instance Level: The qualifier can be defined in terms of organization membership and/or the management chain. See Creating an Authorization Policy for User Management on page 15-5 for details on how to define these qualifiers, and Data Constraints on page 11-52 for information about the data constraints used in authorization policies for user management.
  – Attribute Level: There must be qualifiers that determine your privilege to view attributes in the User Details page. This qualifier must list all the attributes from the user entity definition that you can view.
  Note: The View User Details privilege cannot specify which sections of the User Details page can be viewed. It determines whether or not the complete User Details page, with all of its sections, can be viewed. If the page can be viewed, then this privilege determines which attributes are displayed in the Attribute Profile of a user.

■ Modify User Profile: This privilege determines if you have the ability to modify the user profile attributes of a user on the User Details page. This privilege supports the following fine-grained controls:
  – Entity Instance Level: The qualifier can be defined in terms of organizations, role memberships, or attribute-based rules.
  – Attribute Level: There must be qualifiers that determine your privilege to modify attributes in the User Details page. This qualifier must list all the attributes from the user entity definition that you can edit. You must also grant the View User Details privilege for all of these attributes.

■ Provision Resource to User: This privilege determines if you have the ability to provision or deprovision resources to a user on the Resource Profile section of the User Details page. There must be a qualifier that determines over which users the logged-in user has this privilege; it can be defined in terms of organizations, role memberships, or attribute-based rules.

■ Modify User Proxy Profile: This privilege determines if you have the ability to modify the user's proxy details on the Proxy Details section of the User Details page. There must be a qualifier that determines over which users the logged-in user has this privilege; it can be defined in terms of organizations, role memberships, or attribute-based rules.

■ Modify User Status: This privilege determines if you have the ability to enable or disable a user. There must be a qualifier that determines over which users the logged-in user has this privilege; it can be defined in terms of organizations, role memberships, or attribute-based rules.

■ Modify OIM Account Status: This privilege determines if you have the ability to lock or unlock a user. There must be a qualifier that determines over which users the logged-in user has this privilege; it can be defined in terms of organizations, role memberships, or attribute-based rules.

■ Delete User: This privilege determines if you have the ability to delete a user. There must be a qualifier that determines over which users the logged-in user has this privilege; it can be defined in terms of organizations, role memberships, or attribute-based rules.

■ Change Password: This privilege determines if you have the ability to change a user's enterprise password. There must be a qualifier that determines over which users the logged-in user has this privilege; it can be defined in terms of organizations, role memberships, or attribute-based rules.

■ Create User: This privilege determines if you have the ability to create users in Oracle Identity Manager. There must be a qualifier that determines over which users the logged-in user has this privilege. This qualifier must be defined in terms of organizations.

■ Evaluate Access Policies: This privilege determines if you have the ability to initiate access policy evaluation for a user when necessary.
  Note: There is no UI operation to initiate on-demand access policy evaluation.

■ View User Requests: This privilege determines if you have the ability to view the requests raised for a user.

■ Change User Password: This privilege determines if you have the ability to change the password of a user. There must be a qualifier that determines over which users the logged-in user has this privilege; it can be defined in terms of organizations, role memberships, or attribute-based rules.

Note: The Modify Role Membership permission for role management determines if the user can add or remove roles from the Roles tab of the modify user page. For more information about this permission, see Managing Authorization for Roles on page 12-23.

11.4.2 Attributes

The read/write permissions for attributes define the actual set of readable or modifiable attributes in the context of the view or modify operation.

11.4.3 Data Constraints

The following data constraints are used in the authorization policies for user management:
■ List of organizations: This limits the scope of the privilege for the assignee to only the organizations listed. Organization membership can be controlled by the Hierarchy Aware option in the authorization policies UI.
  – When the Hierarchy Aware option is set to false, the scope of the privilege is only the users that are direct members of the organization. For example, if the organization is Development Center and it has USA Development Center and China Development Center as suborganizations, then the privilege can be exercised only against users that are directly under the Development Center organization.
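The following Python model, added here and not code from Oracle Identity Manager or from this guide, makes the rules of this section and of the Bulk Modify page discussion concrete: a user's rights are the union of the policies attached to all of his roles; each policy is scoped by a list of organizations, with or without the Hierarchy Aware option; the Bulk Modify page can offer only the Support Bulk Update attributes that the actor may modify on every selected user, so selecting one user for whom only the first name is modifiable and another for whom only the last name is modifiable leaves no fields; and a role that grants Search for Users should also grant View User Details with the four attributes named above. The organization tree, the role names, the policies and the users are all constructed for this example.

```python
"""Toy model of the user-management authorization rules described above.

Added example, not Oracle Identity Manager code. The organization tree,
roles, policies and users below are constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed organization tree: organization -> parent organization (None = top level).
ORG_PARENT = {
    "Development Center": None,
    "USA Development Center": "Development Center",
    "China Development Center": "Development Center",
    "Sales": None,
}

# View User Details attributes that a Search for Users policy must bring along.
REQUIRED_VIEW_ATTRS = frozenset(
    {"User Login", "Account Status", "Identity Status", "Display Name"})


@dataclass(frozen=True)
class Policy:
    privilege: str            # e.g. "Modify User Profile"
    attributes: frozenset     # attribute-level qualifier (empty for entity-only privileges)
    organizations: frozenset  # data constraint: list of organizations
    hierarchy_aware: bool     # False: direct members only; True: suborganizations too


@dataclass(frozen=True)
class User:
    login: str
    organization: str
    roles: frozenset


# Constructed role -> authorization policies mapping.
ROLE_POLICIES = {
    "US HR Analyst": (
        Policy("Search for Users", frozenset(), frozenset({"Development Center"}), True),
        Policy("View User Details", REQUIRED_VIEW_ATTRS | {"First Name", "Last Name"},
               frozenset({"Development Center"}), True),
        Policy("Modify User Profile", frozenset({"First Name"}),
               frozenset({"USA Development Center"}), False),
    ),
    "China Name Corrector": (
        Policy("Modify User Profile", frozenset({"Last Name"}),
               frozenset({"China Development Center"}), False),
    ),
    "Dev Center Lead": (
        Policy("Search for Users", frozenset(), frozenset({"Development Center"}), False),
    ),
    "Sales Helpdesk": (  # misconfigured on purpose: Search without the required View attributes
        Policy("Search for Users", frozenset(), frozenset({"Sales"}), False),
        Policy("View User Details", frozenset({"First Name"}), frozenset({"Sales"}), False),
    ),
}

# Attributes whose Support Bulk Update property is Yes (constructed).
BULK_UPDATABLE = frozenset({"First Name", "Last Name", "Manager"})

ALICE = User("alice", "Development Center", frozenset({"US HR Analyst", "China Name Corrector"}))
FRANK = User("frank", "Development Center", frozenset({"Dev Center Lead"}))
BOB = User("bob", "USA Development Center", frozenset())
CHEN = User("chen", "China Development Center", frozenset())
EVE = User("eve", "Development Center", frozenset())


def in_scope(policy, target):
    """Organization data constraint: without Hierarchy Aware only direct members of a
    listed organization qualify; with it, members of suborganizations qualify too."""
    org = target.organization
    while org is not None:
        if org in policy.organizations:
            return True
        if not policy.hierarchy_aware:
            return False
        org = ORG_PARENT.get(org)
    return False


def matching_policies(actor, privilege, target):
    """Every policy, across all of the actor's roles, granting `privilege` over `target`."""
    return [p for role in actor.roles for p in ROLE_POLICIES.get(role, ())
            if p.privilege == privilege and in_scope(p, target)]


def has_privilege(actor, privilege, target):
    """Entity-instance-level check: rights are cumulative, so one matching policy suffices."""
    return bool(matching_policies(actor, privilege, target))


def permitted_attributes(actor, privilege, target):
    """Attribute-level check: the union of the attribute qualifiers of all matching policies."""
    allowed = set()
    for p in matching_policies(actor, privilege, target):
        allowed |= p.attributes
    return allowed


def bulk_modify_fields(actor, targets, bulk_updatable=BULK_UPDATABLE):
    """Fields the Bulk Modify page can offer: bulk-updatable attributes the actor may
    modify on every selected user. An empty result is the page's error case."""
    fields = set(bulk_updatable)
    for target in targets:
        fields &= permitted_attributes(actor, "Modify User Profile", target)
    return fields


def lint_role(role):
    """Required View User Details attributes that a role granting Search for Users
    fails to provide (an empty list means the role follows the note above)."""
    policies = ROLE_POLICIES.get(role, ())
    if not any(p.privilege == "Search for Users" for p in policies):
        return []
    view_attrs = set()
    for p in policies:
        if p.privilege == "View User Details":
            view_attrs |= p.attributes
    return sorted(REQUIRED_VIEW_ATTRS - view_attrs)


if __name__ == "__main__":
    print(bulk_modify_fields(ALICE, [BOB, CHEN]))          # set(): first name vs. last name only
    print(has_privilege(FRANK, "Search for Users", CHEN))  # False: policy is not Hierarchy Aware
    print(lint_role("Sales Helpdesk"))                     # the four missing View attributes
```

The interesting cases are the two failure modes the guide describes: `bulk_modify_fields` returns an empty set for a selection whose members are covered by disjoint attribute qualifiers, which is exactly when the Bulk Modify page refuses the selection, and `has_privilege` denies Frank's search over a suborganization member because his policy lists Development Center without Hierarchy Aware. `lint_role` is the kind of check worth running over exported policies before they reach production.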