Manage Administrative Console Settings

As an AG_Administrator, you can customize Console settings from the Settings page.

CSV Data Export Settings

As an AG_Administrator, you can allow non-administrator users to export data to CSV files.

By default, non-administrator users aren't allowed to export identity, account and enterprise-wide data to CSV files.

Overview: CSV Data Export Settings

When CSV download is OFF, you can't export CSV from:

  • Enterprise-wide Browser
  • Identity Details page: Accounts and Permissions
  • Resources
  • Access Profile Side Reference Panels: Policies, Identities, Identity Collections, Roles, Workflows, and Delegations
  • Manage Identities
  • Unmatched Accounts

When CSV export is ON, the following roles can export CSVs:

  • Service Desk Administrator (AG_ServiceDesk_Admin)
  • Enterprise-wide Access Administrator (AG_Enterprise_Wide_Access_Admin)
  • Auditor (AG_Auditor)

Enable CSV Data Export Settings for Non-Administrator Users

To enable the users to export identity, account and enterprise-wide data to CSV:
  1. Sign in to the Oracle Access Governance Console with the appropriate application role.
  2. From the Navigation menu icon, select Service Administration, and then Settings. The Settings page opens, where you can customize settings.
  3. On the CSV data export tab, select Edit.
  4. Turn on the option to enable non-administrator users to export identity, account and enterprise-wide data to CSV.
  5. Select Save.
    On the CSV data export tab, the value is displayed as On.

Configure Password Policy

As an AG_Administrator, you can specify rules for password complexity and rotation intervals.

Specify rules for password complexity, such as minimum and maximum length and required character types, and set mandatory password rotation intervals. Oracle Access Governance users can request or set passwords that are valid for up to 7 days. After this period, access is revoked automatically, and a new password must be requested.
  1. Sign in to the Oracle Access Governance Console with the appropriate application role.
  2. From the Navigation menu icon, select Service Administration, and then Settings. The Settings page opens, where you can customize settings.
  3. On the Password policy tab, select Edit.
  4. Configure the fields according to the organization policies.
  5. Select Save.

Global Account Terminations Settings

As an AG_Administrator, you can configure global account termination settings for all orchestrated systems. You can also define override rules based on identity attribute values to exclude specific users from account termination.

Note

When global account termination settings are enabled, application administrators (AG_AppOwner_Admin) can't manage account termination settings at the orchestrated system level.

Enable Global Account Termination Settings

To enable global account termination settings for all orchestrated systems:

  1. Sign in to the Oracle Access Governance Console with the appropriate application role.
  2. From the Navigation menu icon, select Service Administration, and then Settings. The Settings page opens, where you can customize settings.
  3. Select Account Terminations.
  4. Select Edit.
  5. Enable the Do you want administrators to manage the termination settings? option to configure account termination settings.

Configure Termination Settings

Select actions to perform with accounts during early termination and on termination date.

  1. Select what to do with accounts when early termination begins. This happens when you need to revoke an identity's access before the official termination date. Select from the following options:
    • Delete: Deletes all accounts and permissions managed by Oracle Access Governance.
      Note

      If a specific orchestrated system doesn't support the action, then no action is taken.
    • Disable: Disables all accounts and disables permissions managed by Oracle Access Governance. You can also select Delete the permissions for disabled accounts to ensure zero residual access.
    • No action: No action is taken when an identity is flagged for early termination by Oracle Access Governance.
  2. Select what to do with accounts on the termination date. This happens when you need to revoke an identity's access on the official termination date. Select from the following options:
    • Delete: Deletes all accounts and permissions managed by Oracle Access Governance.
      Note

      If a specific orchestrated system doesn't support the action, then no action is taken.
    • Disable: Disables all accounts and disables permissions managed by Oracle Access Governance. You can also select Delete the permissions for disabled accounts to ensure zero residual access.
    • No action: No action is taken when an identity is flagged for early termination by Oracle Access Governance.

Setting Override Rules for Account Termination

Overrides enable you to exclude specific orchestrated systems from global account termination settings. Use overrides to control how accounts are deprovisioned when termination starts and when termination ends. Use override rules when certain users with specific identity attributes, such as job types or locations, should be excluded. For example, users in particular locations or roles can retain their accounts or permissions (with No Action) on specific systems, even when global identity termination rules are triggered.

Each override includes:

  • Orchestrated systems: One or more systems the override applies to.
  • Identity attribute values: One or more values. If omitted, the override applies to all values.
  • Termination-start configuration: How to handle accounts when termination starts.
  • Termination-end configuration: How to handle accounts when termination ends.

When termination starts or ends for an identity, the system evaluates overrides to decide account de-provisioning. If an override exists that matches both the identity attribute value and the orchestrated system, the system uses that override's configuration.

  1. On the Account terminations page, go to the Overrides section.
  2. In the Override attribute list, select an identity attribute to use to apply override rules.
  3. Select + Add override.
  4. In the Name field, enter the override name.
  5. Select one or more orchestrated systems that you want to exclude.
  6. (Optional) In the list, select Identity attribute values to apply override rules for specific values.
  7. Select the action to perform when an early termination begins. This happens when you need to revoke an identity's access before the official termination date.
  8. Select the action to perform during official termination. This happens when you need to revoke an identity's access on the official termination date.

Rules for Duplicate Overrides

  • If a new override would create a scope that already exists (same attribute value + same system), it's rejected.
  • You can add new specific rules in addition to wildcard rules (which allow all values for an identity attribute).
    You can have <Orchestrated-System, Specific> on top of <Orchestrated-System, Any>.
  • If you create a single override involving several orchestrated systems, Oracle Access Governance divides the rule into separate entries based on {OS + Identity Attribute value}. If any one of these entries already exists, the entire override rule is rejected, and none of the changes are saved.
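
The matching and duplicate rules above can be modeled locally to check a planned set of overrides for scope collisions before entering them in the Console. The following Python is an added example, not Oracle Access Governance code or API: the class, method, override and system names are hypothetical, and it assumes that a specific-value override takes precedence over an any-value override and that the global settings apply when no override matches.

```python
# Added illustration: a local model of the override rules described above.
# Not Oracle Access Governance code; names and data shapes are assumptions.
ANY = "*"  # wildcard: the override applies to all values of the attribute


class OverrideStore:
    def __init__(self, global_start, global_end):
        self.global_cfg = (global_start, global_end)
        self.entries = {}  # (system, attribute value) -> (name, start, end)

    def add_override(self, name, systems, values, start, end):
        """Split into one entry per (system, value); reject all on any clash."""
        values = values or [ANY]  # omitted values mean "all values"
        scopes = [(s, v) for s in systems for v in values]
        clashes = [sc for sc in scopes if sc in self.entries]
        if clashes:
            return clashes  # entire override rejected, nothing is saved
        for sc in scopes:
            self.entries[sc] = (name, start, end)
        return []

    def resolve(self, system, attr_value, phase):
        """Return (source, action) for phase 'start' or 'end'."""
        idx = 1 if phase == "start" else 2
        # Assumption: a specific-value entry is checked before the wildcard.
        for scope in ((system, attr_value), (system, ANY)):
            if scope in self.entries:
                entry = self.entries[scope]
                return entry[0], entry[idx]
        return "global", self.global_cfg[idx - 1]


def demo():
    # Constructed sample data: system names and locations are made up.
    store = OverrideStore(global_start="Disable", global_end="Delete")
    results = [
        store.add_override("hr-any", ["HR-DB"], None, "No action", "Disable"),
        store.add_override("hr-berlin", ["HR-DB"], ["Berlin"], "No action", "No action"),
        # (HR-DB, Berlin) already exists, so the CRM entry is not saved either.
        store.add_override("multi", ["CRM", "HR-DB"], ["Berlin"], "Disable", "Delete"),
    ]
    return store, results
```

The third call in `demo()` returns the clashing scope and leaves the store unchanged, which mirrors the all-or-nothing rejection of a multi-system override.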