Manage Identities

Your tenant might contain data about employees, customers, and devices like cell phones or printers. Each has its own identity, a unique combination of defining attributes. Identity Cloud stores these attributes in identity profiles.

You can specify roles and assignments in a user or device identity profile. Roles and assignments define the type and extent of access permissions you want a user or device to have. Identity Cloud uses roles and assignments to provision an identity profile with the permissions a user or device needs to access resources.

View identity resources

To view and manage user profiles, roles, and assignments in your tenant:
In the Identity Cloud Admin UI, go to Identities > Manage.

  • Resources are grouped by realm. If you can’t find a particular resource, be sure that you’re looking in the correct realm.

  • To view a list of only tenant administrators, see View the administrators list.

  • To view realm settings, see Realm settings.

Users

A user is a person, such as a customer, employee, or vendor, whose identity profile is stored in your tenant. A user identity profile is also called a user profile.

Create a user profile

  1. In the Identity Cloud Admin UI, go to Identities > Manage.

  2. On the Manage Identities page, click Users > + New User.

  3. In the New User page, enter user details.

    User details:
    • Username: Name to be displayed in Users list

    • Password: Created by user

    • First Name: User’s given name

    • Last Name: User’s surname

    • Email Address: Provided by user

  4. Click Create User.

Edit a user profile

  1. In the platform console, go to Identities > Manage.

  2. In the Users list, click a username.

  3. In the User profile, edit user details.

    User details:
    Details
    To reference these field names in scripts or API calls, see User Profile Properties and Attributes Reference.

    Username
    First Name
    Last Name
    Email address
    Password
    Telephone Number
    City
    Postal Code
    Country
    State/Province
    Manager

    Generic Indexed String (up to 5)
    Generic Unindexed String (up to 5)
    Generic Indexed Multivalue (up to 5)
    Generic Unindexed Multivalue (up to 5)
    Generic Indexed Date (up to 5)
    Generic Unindexed Date (up to 5)
    Generic Indexed Integer (up to 5)
    Generic Unindexed Integer (up to 5)

    Preferences
    • Send me news and updates (Disabled by default)

    • Send me special offers and services (Disabled by default)

    Provisioning Roles

    Also known as external roles.

    • Provisioning role Type: Choose from available options.

    • Assign role only during a selected time period. (Disabled by default)

    Authorization Roles

    Also known as internal roles.

    • Authorization role Type: Choose from available options.

    Direct Reports
    • Username

  4. When you’re satisfied with your changes, click Save.

More Options

  • To reset a user’s password, click Password Reset.
    In the Reset Password dialog box, enter a new password. Then click Reset Password to save the new password.

  • To end a user’s session, click End Sessions.
    This clears the user’s open SSO sessions within the current realm, and revokes the session tokens. The user must reauthenticate to create a new SSO session. This is useful for testing and troubleshooting purposes.

    The following knowledge base article describes how to use the AM Admin UI to view a user’s active session details: https://backstage.forgerock.com/knowledge/kb/article/a15540427.

  • To delete a user, click Delete Realm Name - User.

    You cannot undo the Delete operation.

For a deep dive into Identity Platform user identities, see "Managed Users".

Roles

For a quick take, see Roles.

Create an external role

  1. In the platform console, go to Identities > Manage > External Roles.

  2. Click + New External Role.

  3. In the New External Role card, enter role details.

    External role details:
    • Role Name:

    • Role Description:

  4. Click Next.

  5. Choose one or more role assignments, then click Next.

  6. (Optional) Enable dynamic role assignment.

    Dynamic role conditions
    • Use the choosers to define a condition for automatically assigning a user to a role.

    • To add more conditions, click Add (+).

    • Click Advanced Editor to create a query-based condition.

    When you’re satisfied with your role conditions, click Next.

  7. (Optional) Enable a role time constraint.

    Role time constraints
    • Use the calendar and clock choosers to define when the role is in effect.

      • Specify the time zone to be used for the start date/time and end date/time you specified. Choose a time zone relative to Greenwich Mean Time (GMT). GMT is the same as Universal Time Coordinated (UTC).

      • Click Time zones chart to calculate the offset time.

  8. Click Save Role.

  9. (Optional) To add a member to a role, in the Members list, click + Add Members.

    1. Use the chooser to select one or more users to add to the role members list.

    2. Click + Add members.
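Steps 6 and 7 above describe two things that decide whether a user effectively holds a role: a dynamic condition that adds matching users automatically, and a time constraint with an explicit GMT offset. The following is an added example, not Identity Cloud's own code or the console's internal query format: it models a role with a list of attribute clauses (all must match), a time window given as ISO 8601 instants with offsets, and an explicit member list, and computes who holds the role at a given instant. The operator names ("eq", "co", "sw"), the role and user shapes, and the sample data are all constructed for illustration.

```javascript
// Added example (not Identity Cloud's own code): decides whether a user is an
// effective member of a role, combining explicit membership, a dynamic
// condition, and a role time constraint. Shapes and operator names are assumed.

// A condition is a list of clauses that must all match (logical AND).
// Operators, constructed for this example: "eq" (equals), "co" (contains),
// "sw" (starts with). Comparison is case-insensitive.
function clauseMatches(clause, user) {
  const actual = user[clause.attr];
  if (actual === undefined || actual === null) return false;
  const a = String(actual).toLowerCase();
  const v = String(clause.value).toLowerCase();
  switch (clause.op) {
    case "eq": return a === v;
    case "co": return a.includes(v);
    case "sw": return a.startsWith(v);
    default: throw new Error(`unknown operator: ${clause.op}`);
  }
}

function conditionMatches(condition, user) {
  return condition.every((clause) => clauseMatches(clause, user));
}

// The time constraint holds a start and an end instant, each written with its
// GMT offset (for example +02:00). Date objects compare as absolute instants,
// so the offset chosen in the console is honoured when comparing with "now".
function roleInEffect(role, now) {
  if (!role.timeConstraint) return true; // no constraint: always in effect
  const start = new Date(role.timeConstraint.start);
  const end = new Date(role.timeConstraint.end);
  if (Number.isNaN(start.getTime()) || Number.isNaN(end.getTime()) || end <= start) {
    throw new Error("invalid time constraint");
  }
  return now >= start && now < end;
}

// A user holds the role if it is in effect and the user is either an explicit
// member or matches the dynamic condition.
function isEffectiveMember(user, role, now) {
  if (!roleInEffect(role, now)) return false;
  if (role.members.includes(user.userName)) return true;
  return role.condition ? conditionMatches(role.condition, user) : false;
}

// Lists the userNames that hold the role at the given instant.
function membersAt(role, users, now) {
  return users.filter((u) => isEffectiveMember(u, role, now)).map((u) => u.userName);
}

// Constructed sample role: Sales staff with a European mail domain, in effect
// during June 2024, expressed in a GMT+02:00 time zone.
const salesEurope = {
  name: "sales-europe",
  members: ["alice"],
  condition: [
    { attr: "department", op: "eq", value: "Sales" },
    { attr: "mail", op: "co", value: "@example.eu" },
  ],
  timeConstraint: { start: "2024-06-01T09:00:00+02:00", end: "2024-06-30T18:00:00+02:00" },
};

// Constructed sample users.
const users = [
  { userName: "alice", department: "Finance", mail: "alice@example.com" },
  { userName: "bob", department: "Sales", mail: "bob@example.eu" },
  { userName: "carol", department: "Sales", mail: "carol@example.com" },
];

console.log(membersAt(salesEurope, users, new Date("2024-06-15T12:00:00Z")));
```

Note that alice holds the role only because she is an explicit member; bob qualifies through the condition; carol fails the mail clause. Before the start instant (07:00 UTC on 1 June) nobody holds the role, which is what the time constraint is for.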

Edit an external role

  1. In the Identity Cloud Admin UI, go to Identities > Manage > External Roles.

  2. In the external roles list, click the role name.

  3. In the External Role card, click Members.

    • To add a member, in the Members list, click + Add Members.

      1. Use the chooser to select one or more users to add to the role members list.

      2. Click +Add members.

    • To edit a member profile, in the Members list, find the member username.
      In the same row, click More and choose Edit.

  4. When you’re satisfied with your changes, click Save.

Create an internal role

  1. In the platform console, go to Identities > Manage > Internal Roles.

  2. Click + New Internal Role.

  3. In the New Internal Role card, enter role details.

    Internal role details:
    • Role Name: Unique identifier to display in the Roles list.

    • Role Description: String that’s meaningful to your organization.
      Examples: Employee, Customers, Sales Department, Europe

  4. Click Next.

  5. Choose the type of identities (users or devices) you want to define permissions for, then click Add.

  6. In the Role Permissions card, enable the permissions you want to grant to this identity type (Users or Devices). You can grant permissions to view, create, update, or delete resources in your extranet.

  7. To grant attribute-based or filter-based permissions, click Advanced.

    Attribute-Based Permissions

    By default, each identity with this role in its profile has Read-only access to your resources.
    For each identity attribute in this list, you can:

    • Add additional write access by choosing Read/Write

    • Restrict access completely by choosing None.

    Filter-Based Permissions

    You are giving permission to any identity with this role in its profile that also meets the conditions you specify here. The permissions you give here override the view, create, update, or delete options you enabled for this role.

    1. Use the slider to enable Filter-based Permissions.

    2. Use the choosers to specify additional conditions for granting permission.

    3. (Optional) Click Advanced Editor to create a query-based condition.

    4. Click Next.

  8. (Optional) Enable a role time constraint for this role.

    Role time constraints
    • Use the calendar and clock choosers to define when the role is in effect.

      • Specify the time zone to be used for the start date/time and end date/time you specified.

        Choose a time zone relative to Greenwich Mean Time (GMT). GMT is the same as Universal Time Coordinated (UTC).

      • Click Time zones chart to calculate the offset time.

  9. Click Save Role.

  10. To add a member, in the Members list, click +Add Members.

    1. Use the chooser to select one or more identities to add to the role members list.

    2. Click Add members.
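Steps 6 and 7 above layer three kinds of permission on an internal role: object-level operations (view, create, update, delete) for an identity type, attribute-based access where every attribute defaults to Read-only and can be raised to Read/Write or lowered to None, and filter-based permissions that apply to role holders meeting a condition and override the object-level options. The following is an added example, not Identity Cloud's own authorization code: it models those three layers and shows what a holder of the role can see and change. The role shape, the level names ("read", "readwrite", "none"), and the sample help-desk role are constructed; one assumption, stated in the code, is that a role holder who does not match the filter keeps the role's base options.

```javascript
// Added example (not Identity Cloud's own code): evaluates object-level,
// attribute-based and filter-based permissions of an internal role.
// Role shape and level names are constructed for this example.

const ATTRIBUTE_LEVELS = new Set(["read", "readwrite", "none"]);
const NO_OPERATIONS = { view: false, create: false, update: false, delete: false };

// Object-level operations the role grants on its identity type.
function baseOperations(role) {
  return { ...NO_OPERATIONS, ...role.operations };
}

// Filter-based permissions: the actor holding the role gets the filter's
// operations only if the actor satisfies the filter condition, and for such
// actors those operations override the base options. Assumption made here:
// an actor who does not match the filter keeps the base operations.
function effectiveOperations(role, actor) {
  const filter = role.filter;
  if (filter && filter.enabled && filter.condition(actor)) {
    return { ...NO_OPERATIONS, ...filter.operations };
  }
  return baseOperations(role);
}

function canOperate(role, actor, operation) {
  const ops = effectiveOperations(role, actor);
  if (!(operation in ops)) throw new Error(`unknown operation: ${operation}`);
  return ops[operation];
}

// Attribute-based access: Read-only unless the role says readwrite or none.
function attributeLevel(role, attr) {
  const level = (role.attributes || {})[attr] || "read";
  if (!ATTRIBUTE_LEVELS.has(level)) throw new Error(`unknown level: ${level}`);
  return level;
}

// The part of a profile the role holder may see: "none" attributes are dropped.
function visibleProfile(role, profile) {
  const out = {};
  for (const [attr, value] of Object.entries(profile)) {
    if (attributeLevel(role, attr) !== "none") out[attr] = value;
  }
  return out;
}

// Applies changes to a profile, refusing the update entirely if the actor lacks
// the update operation or any changed attribute is not readwrite.
function applyUpdate(role, actor, profile, changes) {
  if (!canOperate(role, actor, "update")) throw new Error("update not permitted");
  for (const attr of Object.keys(changes)) {
    if (attributeLevel(role, attr) !== "readwrite") {
      throw new Error(`attribute not writable: ${attr}`);
    }
  }
  return { ...profile, ...changes };
}

// Constructed role: help-desk staff may view users; those in the Support
// department may also update them. They may write mail and telephoneNumber,
// everything else is read-only, and the password attribute is hidden.
const helpDesk = {
  name: "help-desk",
  identityType: "users",
  operations: { view: true },
  attributes: { mail: "readwrite", telephoneNumber: "readwrite", password: "none" },
  filter: {
    enabled: true,
    condition: (actor) => actor.department === "Support",
    operations: { view: true, update: true },
  },
};

// Constructed actors and a constructed target profile.
const supportAgent = { userName: "sam", department: "Support" };
const marketer = { userName: "mia", department: "Marketing" };
const bobProfile = { userName: "bob", givenName: "Bob", mail: "bob@example.com", password: "secret-hash" };

console.log(visibleProfile(helpDesk, bobProfile));
console.log(applyUpdate(helpDesk, supportAgent, bobProfile, { mail: "robert@example.com" }));
```

The point to take from the sample: the filter narrows the update operation to Support staff, and the attribute layer then limits which fields even those staff can change, so a compromised help-desk account in another department gets read access only, and nobody in the role sees the password attribute.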

Edit an internal role

  1. In the Identity Cloud Admin UI, go to Identities > Manage > Internal Roles.

  2. In the internal roles list, click the role name.

  3. In the Internal Role card, click Members.

    • To add a member, in the Members list, click +Add Members.

      1. Use the chooser to select one or more users to add to the role members list.

      2. Click + Add members.

    • To edit a member profile, in the Members list, find the member username.
      In the same row, click More, and choose Edit.

  4. When you’re satisfied with your changes, click Save.

For a deep dive into roles, see Roles.

Assignments

For a quick take, see Assignments.

Create an assignment

  1. In the platform console, go to Identities > Manage > Assignments.

  2. Click +New Assignment.

  3. In the New Assignment card, choose the source-target mapping you want to use for synchronizing identity data stores.

    Tell me more

    The first column lists your tenant data stores. The second column lists available target data stores. For more information, see "Assignments".

  4. Click Next.

  5. In the Assignment Details card, enter Assignment details.

    Assignment details:
    • Assignment: Name to be displayed in Assignments list

    • Assignment Description: The permission this assignment provides.
      For example, Allows access to Reporting App.

  6. Click Next.

  7. To provision an attribute in the target data store, click Add an attribute. Then enter attribute details.

    Attribute details:

    Create an attribute-value pair for provisioning the target user account.

    1. From the Attribute menu, choose an identity attribute in your tenant.

    2. In the Value field, enter a value for the attribute you just chose. This attribute-value pair will be synced with user accounts in the target data store.

    3. Click Assignment Operations (settings).
      Define how Identity Cloud will sync assignment attributes on the target data store:

      • The On Assignment menu defines what Identity Cloud will do with a new assignment attribute.

        • The Merge with target option adds a new attribute value to an existing attribute in the target user account.

        • The Replace target option removes the existing attribute-value pair in the target user account, and replaces it with the attribute-value you’ve defined.

      • The On Unassignment menu defines what Identity Cloud will do with an existing assignment attribute.

        • The Remove from target option deletes the specified attribute-value pair from the target user account.

        • The No operation option preserves the attribute-value pair in your tenant identities and in the target user accounts.

      • To add more assignment attributes, click Add (+)

      • To remove an assignment attribute, click Delete (-).

  8. Click Save Assignment.

Edit an assignment

  1. In the Identity Cloud Admin UI, go to Identities > Manage > Assignments.

  2. In the Assignments list, click the assignment name.

  3. Click Details to edit assignment details.

    Assignment details:
    • Mapping: The source and target data stores to be synced for this assignment. The first column lists your identity platform data store. The second column lists a data store that contains user accounts outside your tenant.

    • Assignment Details: Edit the name or description to suit your needs.

  4. To provision an attribute in the target data store, click Add an attribute. Then enter attribute details.

    Attribute details:

    Create an attribute-value pair for provisioning the target user account.

    1. From the Attribute menu, choose an identity attribute in your tenant.

    2. In the Value field, enter a value for the attribute you just chose. This attribute-value pair will be synced with user accounts in the target data store.

    3. Click Assignment Operations (settings).
      Define how Identity Cloud will sync assignment attributes on the target data store:

      • The On Assignment menu defines what Identity Cloud will do with a new assignment attribute.

        • "Merge with target" adds a new attribute value to an existing attribute in the target user account.

        • "Replace target" removes the existing attribute-value pair in the target user account, and replaces it with the attribute-value you’ve defined.

      • The On Unassignment menu defines what Identity Cloud will do with an existing assignment attribute.

        • The Remove from target option deletes the specified attribute-value pair from the target user account.

        • The No operation option preserves the attribute-value pair in your tenant identities and in the target user accounts.

      • To add more assignment attributes, click Add (+)

      • To remove an assignment attribute, click Delete (-).

    4. Click Save.

  5. (Optional) To use a script to customize an assignment, click + Add an event script.

    Tell me more
    1. On the Add Event Script card, choose the event to trigger your script.

    2. Provide your script to Identity Cloud in one of these ways:

      • Enter your script in the text box, and indicate the script Type: JavaScript. Groovy is not supported at this time.

      • Enable Upload File, and specify the script filename.

    3. (Optional) Use the Variables fields to define variables in your script.
      Enable JSON to enter your variables using the JSON format.

    4. Click Save.

  6. Click Roles to view roles linked to this assignment:

    1. To add a new role, click +New Role.

    2. To edit an existing role, click More.

  7. When you’re satisfied with your changes, click Save.
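The Assignment Operations settings in step 7 of the create procedure and step 4 of the edit procedure define what happens to a target account's attribute when an assignment is applied (Merge with target or Replace target) and when it is withdrawn (Remove from target or No operation). The following is an added example, not Identity Cloud's own provisioning code: it applies those four operations to a target account represented as a plain object, so the difference between merging into a multi-valued attribute and replacing it, and between removing a value and leaving it, is visible on concrete data. The account and assignment objects are constructed; a merged attribute is represented as an array of values, which is an assumption of this example.

```javascript
// Added example (not Identity Cloud's own code): applies On Assignment and
// On Unassignment operations to a target account object. Operation names are
// spelled as in the console; object shapes are constructed for this example.

// Normalizes an attribute value to a list (a merged attribute is multi-valued).
function toList(value) {
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// On Assignment: what to do with a new assignment attribute on the target.
function applyOnAssignment(account, attribute, value, onAssignment) {
  const next = { ...account };
  switch (onAssignment) {
    case "Merge with target": {
      // Add the value to whatever the target already holds, without duplicates.
      const current = toList(next[attribute]);
      next[attribute] = current.includes(value) ? current : [...current, value];
      return next;
    }
    case "Replace target":
      // Discard the existing attribute-value pair and set the assignment's value.
      next[attribute] = value;
      return next;
    default:
      throw new Error(`unknown On Assignment operation: ${onAssignment}`);
  }
}

// On Unassignment: what to do with an existing assignment attribute.
function applyOnUnassignment(account, attribute, value, onUnassignment) {
  const next = { ...account };
  switch (onUnassignment) {
    case "Remove from target": {
      const existing = next[attribute];
      if (Array.isArray(existing)) {
        const remaining = existing.filter((v) => v !== value);
        if (remaining.length === 0) delete next[attribute];
        else next[attribute] = remaining;
      } else if (existing === value) {
        delete next[attribute];
      }
      return next;
    }
    case "No operation":
      // Leave the attribute-value pair on the target untouched.
      return next;
    default:
      throw new Error(`unknown On Unassignment operation: ${onUnassignment}`);
  }
}

// Applies every attribute of an assignment, either granting or withdrawing it.
function provision(account, assignment, assigned) {
  return assignment.attributes.reduce((acc, a) => (
    assigned
      ? applyOnAssignment(acc, a.attribute, a.value, a.onAssignment)
      : applyOnUnassignment(acc, a.attribute, a.value, a.onUnassignment)
  ), account);
}

// Constructed target account and constructed assignment "Reporting App".
const targetAccount = { userName: "bob", groups: ["app-a"], title: "Analyst" };
const reportingApp = {
  name: "Reporting App",
  description: "Allows access to Reporting App",
  attributes: [
    { attribute: "groups", value: "reporting", onAssignment: "Merge with target", onUnassignment: "Remove from target" },
    { attribute: "title", value: "Report Viewer", onAssignment: "Replace target", onUnassignment: "No operation" },
  ],
};

const afterAssign = provision(targetAccount, reportingApp, true);
const afterUnassign = provision(afterAssign, reportingApp, false);
console.log(afterAssign, afterUnassign);
```

On the sample, assigning merges "reporting" into the existing groups list and replaces the title; unassigning removes only the group the assignment added and, because title uses No operation, leaves "Report Viewer" in place. That last point is worth checking when you pick No operation: withdrawn access is not cleaned up on the target.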

For a deep dive into roles and assignments, see Use Assignments to Provision Users.

Organizations

For a quick take, see Organizations.

Managing Organizations

Using the REST APIs
Using the Identity Cloud Admin UI

In the Identity Cloud Admin UI, go to Identities > Manage > Realm - Organizations.
Follow the steps described on this page.

Before you begin

You can build organizations in many different ways. For example, you can start with a parent organization that contains all user identities, and then build your organization hierarchy. Or you can first build a hierarchy of empty organizations and sub-organizations, and then add users to the various target organizations. Regardless of the approach you take, at some point you’ll have to import identities to an organization.

Importing identities to an organization

In this example:

  • A .csv file containing 100 user identities already exists.

  • A parent organization containing no members already exists.

To import identities:

  1. In the Identity Cloud Admin UI, go to Identities > Import.

  2. On the Import Identities page, click + New Import.

  3. In the Upload CSV menu, select Realm - Users.

  4. Click Next.


  5. In the Upload CSV dialog box, enter upload details:

    CSV File

    Enter the name of your .csv file containing identities to import.

    Match Using

    Enter a property name to use for matching and filtering objects. In this example, userName is used to import user profiles that will become members of the target organization.

  6. Click Next.

  7. When the Import Complete dialog box displays, and you can confirm that the import was successful, click Done.

  8. Verify that users were imported to the organization you created:

    1. In the Identity Cloud Admin UI, go to Identities > Manage > Realm - Users.

    2. Open any user’s profile, and click Organizations to which I Belong.

      In the organizations list, you should see the name of the organization you created.

    3. Go to Identities > Manage > Realm - Organizations.

      In the organizations list, you should see the name of the organization you created.

    4. Click the name of the organization you created, then click Members.

      In the list of members, you should see all the user identities you imported into the organization.
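The Match Using property in step 5 decides how imported rows are reconciled with profiles that already exist: a row whose userName matches an existing profile updates it rather than creating a duplicate. The following is an added example, not Identity Cloud's own import code: it parses a small constructed CSV, matches rows on a chosen property, creates or updates profiles in a constructed directory, adds each imported profile to an organization's member list, and reports what happened. The CSV parser assumes no embedded commas inside fields; that, the directory, and the organization object are all constructed for this example.

```javascript
// Added example (not Identity Cloud's own code): a minimal CSV import that
// matches rows to existing profiles on one property and adds them to an
// organization. Assumes fields contain no embedded commas.

// Strips surrounding whitespace and optional double quotes from a cell.
function clean(cell) {
  return cell.trim().replace(/^"(.*)"$/, "$1");
}

// Parses CSV text with a header row into an array of row objects.
function parseCsv(text) {
  const lines = text.trim().split(/\r?\n/).filter((l) => l.trim() !== "");
  if (lines.length < 2) throw new Error("CSV needs a header and at least one row");
  const header = lines[0].split(",").map(clean);
  return lines.slice(1).map((line) => {
    const cells = line.split(",").map(clean);
    if (cells.length !== header.length) throw new Error(`malformed row: ${line}`);
    return Object.fromEntries(header.map((h, i) => [h, cells[i]]));
  });
}

// Imports rows: a row whose matchUsing value already exists updates that
// profile, otherwise a new profile is created; rows without a match value are
// skipped. Every imported profile becomes a member of the organization once.
function importIdentities(csvText, matchUsing, directory, organization) {
  const summary = { created: 0, updated: 0, skipped: 0 };
  for (const row of parseCsv(csvText)) {
    const key = row[matchUsing];
    if (!key) { summary.skipped += 1; continue; }
    const existing = directory.find((p) => p[matchUsing] === key);
    if (existing) {
      Object.assign(existing, row);
      summary.updated += 1;
    } else {
      directory.push({ ...row });
      summary.created += 1;
    }
    if (!organization.members.includes(key)) organization.members.push(key);
  }
  return summary;
}

// Constructed CSV: bob already exists in the directory, the last row has no
// userName and must be skipped rather than creating an anonymous profile.
const sampleCsv = [
  "userName,givenName,sn,mail",
  "alice,Alice,Adams,alice@example.com",
  'bob,Bob,"Brown",bob.brown@example.com',
  "carol,Carol,Clark,carol@example.com",
  ",Dana,Doe,dana@example.com",
].join("\n");

const directory = [{ userName: "bob", givenName: "Bob", sn: "Brown", mail: "bob@example.com" }];
const parentOrg = { name: "Parent Org", members: [] };

const importSummary = importIdentities(sampleCsv, "userName", directory, parentOrg);
console.log(importSummary, parentOrg.members);
```

Running the same file twice is harmless with this matching rule: the second pass reports three updates and no creations, and the member list does not grow, which is the behaviour you want to confirm in step 8 before trusting an import with real data.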

Create an organization

  1. In the Identity Cloud Admin UI, go to Identities > Manage > Realm - Organizations.

  2. Click + New Realm - Organization.

  3. In the New Realm - Organization dialog box, enter a name for the new organization, then click Save.
    Verify that the new organization is listed in the Manage Identities > Organizations tab.

Edit an organization profile

  1. In the Identity Cloud Admin UI, go to Identities > Manage > Realm - Organizations.

  2. In the organizations list, click the name of the organization profile you want to edit.

  3. In the organization profile page, edit organization details.

    Details

    Name

    Enter a display name. Uppercase, lowercase, alphanumeric & special characters, and white spaces are allowed.

    Description

    Enter a description meaningful to you.

    Parent Organization

    Enter the name of the organization one level up from this child organization.

  4. Click Save.

Create an organization owner

  1. In the Identity Cloud Admin UI, go to Identities > Manage > Realm - Organizations.

  2. In the organizations list, click the name of the organization you want to add an owner to.

  3. Click Owner, then click + Add Owner.

  4. In the Add Owner dialog box, in the Owner search field, choose the name of the user you want to designate as the organization owner.

    Do not make an organization owner a member of the organization. This can result in giving the organization administrator greater control of the organization than its owner.

  5. Click Save.

Create a sub-organization

An organization owner can create a sub-organization only within their own organization.

  1. In the Identity Cloud Admin UI, go to Identities > Manage > Realm - Organizations.

  2. On the Organizations page, click + New Organization.

  3. In the New Realm - organization page, enter a name for the new sub-organization.

    If an organization owner signs in to Identity Cloud as an administrator-user:
    • The owner can create and manage parent and sub-organizations.

    • The owner can add or remove organizations they own.

    If an organization owner signs in to Identity Cloud as an end user:
    • The owner can add sub-organizations to organizations they own.

    • The owner cannot add a parent organization.

    • The owner cannot modify ownership of any organizations or sub-organizations.

  4. In the New Organization dialog box, enter a name for the sub-organization.

  5. Click Save.
    The new organization now displays in the organizations list.

  6. Click the name of the new organization.

  7. In the organization profile, in the Parent Organization search field, choose the name of an existing parent organization.

  8. Click Save.

Add an organization administrator

  1. In the Identity Cloud Admin UI, go to Identities > Manage > Realm - Organizations.

  2. In the Organization list, click the name of the organization you want to add an administrator to.

  3. Click Administrators.

  4. Click + Add Administrators.

  5. In the Add Administrators dialog box, enter a username in the Administrators search field.
    The user must already belong to the organization.

  6. Click Save.

    The username or usernames you added now display in the members list.

Adding a member to an organization

Organization owners

Owners have access to only the members in organizations they own.

Organization administrators

Administrators have access to only the members in their administrative area.

To add a member to an organization

  1. In the Identity Cloud Admin UI, go to Identities > Manage > Realm - Organizations.

  2. In the organizations list, click the name of the organization you want to add a member to.

  3. On the Organizations page, click Members.

  4. Click + Add Members.

  5. In the Add Members dialog box, enter names of users to add to this organization in the search field.

  6. Click Save.

    The username or usernames you added now display in the members list.

Create a new user profile in an organization

You must be an authorized owner or administrator to create a new user profile in an organization.

  1. In the Identity Cloud Admin UI, go to Identities > Manage > Realm - Users.

  2. In the Realm - User list, click + New Realm - User.

  3. In the New Realm - User dialog box, enter user profile details.

    User profile details:

    Username

    Enter a unique username. No white spaces.

    First Name

    Enter the user’s given name.

    Last Name

    Enter the user’s surname.

    Email Address

    Enter the user’s email address.

  4. Click Save.
    The new user profile is displayed in the Realm - Users list.

  5. Open the new user’s identity profile.

  6. Click Organizations to which I Belong.

  7. Click + Add Organizations to which I Belong.

  8. In the Add Organization to which I Belong dialog box, choose an existing organization from the search field. You can choose more than one.

  9. Click Save.

Delete an organization

You must be an organization owner to delete an organization.

  1. In the Identity Cloud Admin UI, go to Identities > Manage > Realm - Organizations.

  2. In the organizations list, click the name of the organization you want to delete.

  3. On the Realm - Organization page, click Delete Realm - Organization.
    This operation cannot be undone.