Data Constraints User Management Authorization

Managing Users 11-55

■ Org3 has Org3Child1 and Org3Child2 as child organizations.

Consider the following scenarios:

Scenario I: User1 has Role1 only and belongs to the Org1Child1 organization. The user can:

■ Search for users who are members of the Org1Child1 organization. The search can be performed on the basis of the First Name, Last Name, Middle Name, and Display Name user attributes, and the search result can contain a subset of these attributes.
■ Modify the First Name, Last Name, and Middle Name user attributes of users in the Org1Child1 organization.

Scenario II: User2 has Role1 and Role2 and belongs to the Org2 organization. User2 has direct reports DR1 and DR2, who belong to the Org2 organization. The user can:

■ View the User Login, User Type, and OIM User Type user attributes of users in the Org3 organization, because of Policy2.
■ Modify the User Type attribute of users in the Org3 organization, because of Policy2.
■ View the First Name, Last Name, and Middle Name user attributes of users in the Org2 organization, because of Policy1.
■ Modify the First Name, Last Name, and Middle Name user attributes of users in the Org2 organization, because of Policy1.
■ View the User Login, User Type, OIM User Type, and Designation user attributes of all of the user's direct reports, because of Policy3.
■ Modify the Designation attribute of all of the user's direct reports, because of Policy3.

If the user being modified is DR1, then the modifiable attributes are First Name, Last Name, and Middle Name (because of Policy1) and Designation (because of Policy3). The user cannot view, modify, or search for users in the child organizations of Org3, which are Org3Child1 and Org3Child2.

Based on these scenarios, for the search operation, the union of the viewable attributes from all three authorization policies is displayed to the user. In other words, the user is able to see the User Login, User Type, OIM User Type, First Name, Last Name, Middle Name, Display Name, and Designation attributes in the search results, irrespective of which authorization policy grants access to each user in the results. Here, the Designation attribute is displayed not only for DR1 and DR2, who are direct reports of User2, but for all the users in the results.

11.4.4.2 Modify Operation Authorization with Multiple Authorization Policies

If the logged-in user is allowed to modify a user profile under multiple policies, then the union of the attribute sets from the individual policies is used for performing the operation. Refer to Scenario II of Search Operation Authorization with Multiple Authorization Policies on page 11-53 for the example of the modify operation with multiple applicable authorization policies.

11-56 Oracle Fusion Middleware User's Guide for Oracle Identity Manager
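The two union rules above (search columns are the union over every policy the logged-in user holds; modifiable attributes are the union over the policies that actually apply to the target user) can be modelled in a few lines. The following is an added illustration, not Oracle Identity Manager code. The policy definitions (Policy1 scoped to the actor's own organization, Policy2 to Org3 only, Policy3 to the actor's direct reports), the attribute sets, and the sample users are assumptions reconstructed from Scenario II; the page does not list the policies themselves. The `viewable_on` function is included to show the difference between what a policy grants on one specific user and what the search result displays.

```python
"""Model of the attribute-union rules for search and modify under multiple
authorization policies.  Added illustration, not Oracle Identity Manager
code.  Policy contents and scopes below are assumptions reconstructed from
Scenario II of the page."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class User:
    login: str
    org: str
    manager: Optional[str] = None  # login of this user's manager, if any


@dataclass(frozen=True)
class Policy:
    name: str
    view: FrozenSet[str]
    modify: FrozenSet[str]
    orgs: FrozenSet[str] = frozenset()   # explicit organizations in scope
    same_org: bool = False               # the actor's own organization
    direct_reports: bool = False         # the actor's direct reports

    def applies_to(self, actor: User, target: User) -> bool:
        """Scope check for one actor/target pair.  Organization scope is not
        inherited by child organizations, which is why Org3Child1 and
        Org3Child2 are out of reach for a policy scoped to Org3."""
        if target.org in self.orgs:
            return True
        if self.same_org and target.org == actor.org:
            return True
        if self.direct_reports and target.manager == actor.login:
            return True
        return False


def search_columns(policies: Iterable[Policy]) -> FrozenSet[str]:
    """Search results display the union of viewable attributes over every
    policy the actor holds; nothing is narrowed per result row."""
    cols = set()
    for p in policies:
        cols |= p.view
    return frozenset(cols)


def viewable_on(actor: User, target: User, policies: Iterable[Policy]) -> FrozenSet[str]:
    """Attributes actually granted on one specific target: union over the
    policies whose scope includes that target."""
    attrs = set()
    for p in policies:
        if p.applies_to(actor, target):
            attrs |= p.view
    return frozenset(attrs)


def modifiable_on(actor: User, target: User, policies: Iterable[Policy]) -> FrozenSet[str]:
    """Modify operation: union of modifiable attributes over the policies
    that apply to this target (the rule in 11.4.4.2)."""
    attrs = set()
    for p in policies:
        if p.applies_to(actor, target):
            attrs |= p.modify
    return frozenset(attrs)


# Assumed policy contents (hypothetical; see module docstring).
POLICY1 = Policy("Policy1", same_org=True,
                 view=frozenset({"First Name", "Last Name", "Middle Name", "Display Name"}),
                 modify=frozenset({"First Name", "Last Name", "Middle Name"}))
POLICY2 = Policy("Policy2", orgs=frozenset({"Org3"}),
                 view=frozenset({"User Login", "User Type", "OIM User Type"}),
                 modify=frozenset({"User Type"}))
POLICY3 = Policy("Policy3", direct_reports=True,
                 view=frozenset({"User Login", "User Type", "OIM User Type", "Designation"}),
                 modify=frozenset({"Designation"}))
USER2_POLICIES = (POLICY1, POLICY2, POLICY3)

# Constructed sample users for Scenario II.
USER2 = User("User2", "Org2")
DR1 = User("DR1", "Org2", manager="User2")
ORG3_USER = User("U3", "Org3")
ORG3_CHILD_USER = User("U3c", "Org3Child1")

if __name__ == "__main__":
    print("search columns:", sorted(search_columns(USER2_POLICIES)))
    for t in (DR1, ORG3_USER, ORG3_CHILD_USER):
        print(t.login, "view:", sorted(viewable_on(USER2, t, USER2_POLICIES)),
              "modify:", sorted(modifiable_on(USER2, t, USER2_POLICIES)))
```

The gap between `search_columns` and `viewable_on` is the point of the Designation remark above: Designation is displayed in the search results for an Org3 user even though only Policy3, which covers direct reports, grants it. When designing data constraints, treat the viewable set of every policy a role holds as search-result disclosure across all users the role can search, not only across the policy's own scope.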

11.5 Username Reservation

A request to create a user can be raised from Oracle Identity Manager Self Service or Oracle Identity Manager Administration. When the request is submitted, the following scenarios are possible:

■ While the request is pending, another create user request is submitted with the same username. If the second request is approved and the user is created, then the first request, when approved, fails because the username already exists in Oracle Identity Manager.
■ While the request is pending, another user with the same username is created directly in the LDAP identity store. When the create user request is approved, it fails while provisioning the user entity to LDAP because an entry with the same username already exists in LDAP.

To avoid these problems, you can reserve the username in both Oracle Identity Manager and LDAP while the create user request is pending approval. If a second request is then raised to create a user with the same username, an error message is displayed and that create user request is not created. For reserving the username:

■ The USER ATTRIBUTE RESERVATION ENABLED system property must be set to TRUE for the functionality to be enabled. For information about searching and modifying system properties, see Administering System Properties in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
■ Reservation in LDAP is done only if the reservation functionality is enabled and LDAP is in sync with the Oracle Identity Manager database. For information about synchronization between Oracle Identity Manager and the LDAP identity store, see Integration Between LDAP Identity Store and Oracle Identity Manager on page 4-23.

If user attribute reservation is enabled, the reservation happens in two phases. In the first phase, an entry is created in the Oracle Identity Manager database and a user is created in the reservation container. This entry in the Oracle Identity Manager database is removed after successful creation of the user, rejection by the approver, or request failure.

See Also: Creating a Request To Create a User on page 14-1 for information about creating requests to create a user

Note:
■ If an LDAP provider is not configured, then the reservation is done only in Oracle Identity Manager.
■ When the LDAP synchronization and user attribute reservation features are both enabled, it is recommended to enable UID uniqueness in the directory server. Without it, user reservation in the directory does not work properly: while the user is reserved in the reservation container, a user with the same user ID can still be created directly in the user container. This results in a user creation failure when Oracle Identity Manager tries to move the user from the reservation container to the user container.
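The two-phase reservation and the UID-uniqueness caveat in the note are easier to see as a runnable model. The following is an added illustration and not Oracle Identity Manager code: the Oracle Identity Manager database is modelled as an in-memory SQLite table whose primary key makes the reservation atomic, the directory as two dictionaries standing in for the reservation container and the user container, and the `submit`, `approve`, `reject`, and `scenario` names are assumptions. `scenario(True)` corresponds to a directory with UID uniqueness enabled; `scenario(False)` reproduces the failure described in the note, where a direct create in the user container succeeds and the later move out of the reservation container fails.

```python
"""Model of two-phase username reservation with a directory reservation
container.  Added illustration, not Oracle Identity Manager code; all
class and function names are assumptions."""
import sqlite3


class UsernameTakenError(Exception):
    """Raised when a username is already reserved or already exists."""


class Directory:
    """Toy LDAP with a reservation container and a user container.  When
    enforce_uid_uniqueness is False the two containers may hold the same
    uid, which is the failure mode the note above warns about."""

    def __init__(self, enforce_uid_uniqueness: bool):
        self.enforce = enforce_uid_uniqueness
        self.reservation = {}   # uid -> attributes, pending approval
        self.users = {}         # uid -> attributes, provisioned users

    def _taken(self, uid: str) -> bool:
        return uid in self.reservation or uid in self.users

    def add(self, container: dict, uid: str, attrs: dict) -> None:
        # Without UID uniqueness only the target container is checked.
        if uid in container or (self.enforce and self._taken(uid)):
            raise UsernameTakenError(uid)
        container[uid] = dict(attrs)

    def move_to_users(self, uid: str) -> None:
        entry = self.reservation.pop(uid)
        # A user created directly in the user container meanwhile makes
        # this step fail: "user creation failure" in the note above.
        self.add(self.users, uid, entry)


class Reservations:
    """Phase 1 reserves in the database and the directory; phase 2 moves the
    directory entry and removes the database entry on any outcome."""

    def __init__(self, directory: Directory):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE reserved (username TEXT PRIMARY KEY, request_id TEXT)")
        self.dir = directory

    def submit(self, request_id: str, username: str, attrs: dict) -> None:
        try:
            with self.db:  # the primary key makes the reservation atomic
                self.db.execute("INSERT INTO reserved VALUES (?, ?)", (username, request_id))
        except sqlite3.IntegrityError:
            raise UsernameTakenError(username)
        try:
            self.dir.add(self.dir.reservation, username, attrs)
        except UsernameTakenError:
            self.release(username)  # do not leave a dangling DB reservation
            raise

    def release(self, username: str) -> None:
        """Remove the DB entry: on success, rejection, or request failure."""
        with self.db:
            self.db.execute("DELETE FROM reserved WHERE username = ?", (username,))

    def approve(self, username: str) -> None:
        try:
            self.dir.move_to_users(username)
        finally:
            self.release(username)

    def reject(self, username: str) -> None:
        self.dir.reservation.pop(username, None)
        self.release(username)

    def is_reserved(self, username: str) -> bool:
        row = self.db.execute("SELECT 1 FROM reserved WHERE username = ?", (username,)).fetchone()
        return row is not None


def scenario(enforce_uid_uniqueness: bool):
    """Run the race from the text with constructed data.  Returns
    (duplicate request refused, direct LDAP create succeeded,
     approval succeeded, DB entry still present)."""
    d = Directory(enforce_uid_uniqueness)
    r = Reservations(d)
    r.submit("REQ-1", "jdoe", {"cn": "Jane Doe"})          # constructed
    try:
        r.submit("REQ-2", "jdoe", {"cn": "John Doe"})      # same username
        dup_refused = False
    except UsernameTakenError:
        dup_refused = True
    try:
        d.add(d.users, "jdoe", {"cn": "created directly in LDAP"})
        direct_ok = True
    except UsernameTakenError:
        direct_ok = False
    try:
        r.approve("jdoe")
        approval_ok = True
    except UsernameTakenError:
        approval_ok = False
    return dup_refused, direct_ok, approval_ok, r.is_reserved("jdoe")


if __name__ == "__main__":
    print("UID uniqueness on: ", scenario(True))
    print("UID uniqueness off:", scenario(False))
```

The second create request is refused in both runs because the database reservation is unconditional; what UID uniqueness changes is whether the directory itself rejects a direct create that collides with the reservation container, and therefore whether the approval can complete.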