Identity Cloud

Manage identities

Your tenant might contain data about employees, customers, and devices like cell phones or printers. Each has its own identity: a unique combination of defining attributes. Identity Cloud stores these attributes in identity profiles.

You can specify roles and assignments in a user or device identity profile. Roles and assignments define the type and extent of access permissions you want a user or device to have. Identity Cloud uses roles and assignments to provision an identity profile with the permissions a user or device needs to access resources.

View identity resources

To view and manage user profiles, roles, and assignments in your tenant:
In the Identity Cloud admin UI, go to Identities > Manage.

  • Resources are grouped by realm. If you can’t find a particular resource, be sure that you’re looking in the correct realm.

  • To view a list of only tenant administrators, see View the administrators list.

  • To view realm settings, see Realm settings.

Users

A user is a person (a customer, employee, or vendor) whose identity profile is stored in your tenant. A user identity profile is also called a user profile.

Create a user profile

  1. In the Identity Cloud admin UI, go to Identities > Manage.

  2. On the Manage Identities page, click Users > + New User.

  3. In the New User page, enter user details.

    User details:
    • Username: Name to be displayed in Users list

    • Password: Created by user

    • First Name: User’s given name

    • Last Name: User’s surname

    • Email Address: Provided by user

  4. Click Create User.

Edit a user profile

  1. In the Identity Cloud admin UI, go to Identities > Manage.

  2. In the Users list, click a username.

  3. In the User profile, edit user details.

    User details:
    Details
    To reference these field names in scripts or API calls, see User identity attributes and properties reference.

    Username
    First Name
    Last Name
    Email address
    Password
    Telephone Number
    City
    Postal Code
    Country
    State/Province
    Manager

    Generic Indexed String (up to 5)
    Generic Unindexed String (up to 5)
    Generic Indexed Multivalue (up to 5)
    Generic Unindexed Multivalue (up to 5)
    Generic Indexed Date (up to 5)
    Generic Unindexed Date (up to 5)
    Generic Indexed Integer (up to 5)
    Generic Unindexed Integer (up to 5)

    Preferences
    • Send me news and updates (Disabled by default)

    • Send me special offers and services (Disabled by default)

    Provisioning Roles

    Also known as external roles.

    • Provisioning role Type: Choose from available options.

    • Assign role only during a selected time period (Disabled by default)

    Authorization Roles

    Also known as internal roles.

    • Authorization role Type: Choose from available options.

    Direct Reports
    • Username

  4. When you’re satisfied with your changes, click Save.

More Options

  • To reset a user’s password, click Password Reset.
    In the Reset Password dialog box, enter a new password. Then, click Reset Password to save the new password.

  • To end a user’s session, click End Sessions.
    This clears the user’s open SSO sessions within the current realm, and revokes the session tokens. The user must reauthenticate to create a new SSO session. This is useful for testing and troubleshooting purposes.

    The following knowledge base article describes how to use the AM admin UI to view a user’s active session details: https://backstage.forgerock.com/knowledge/kb/article/a15540427.

  • To delete a user, click Delete Realm Name - User.

    You cannot undo the Delete operation.

For a deep dive into Identity Platform user identities, see "Managed Users".

Roles

For a quick take, see Roles.

Create an external role

  1. In the Identity Cloud admin UI, go to Identities > Manage > External Roles.

  2. Click + New External Role.

  3. In the New External Role card, enter role details, then click Next.

  4. Choose one or more role assignments, then click Next.

  5. (Optional) Enable dynamic role assignment.

    Dynamic role conditions
    • Use the choosers to define a condition for automatically assigning a user to a role.

    • To add more conditions, click Add (+).

    • Click Advanced Editor to create a query-based condition.

    When you’re satisfied with your role conditions, click Next.

  6. (Optional) Enable a role time constraint.

    Role time constraints
    • Use the calendar and clock choosers to define when the role is in effect.

      • Specify the time zone to be used for the start and end date/time you specified. Choose a time zone relative to Greenwich Mean Time (GMT). GMT is the same as Universal Time Coordinated (UTC).

      • Click Time zones chart to calculate the offset time.

  7. Click Save Role.

  8. (Optional) To add a member to a role, in the Members list, click + Add Members.

    1. Use the chooser to select one or more users to add to the role members list.

    2. Click + Add members.

Edit an external role

  1. In the Identity Cloud admin UI, go to Identities > Manage > External Roles.

  2. In the external roles list, click the role name.

  3. In the External Role card, click Members.

    • To add a member, in the Members list, click + Add Members.

      1. Use the chooser to select one or more users to add to the role members list.

      2. Click + Add Members.

    • To edit a member profile, in the Members list, find the member username.
      In the same row, click More and choose Edit.

  4. When you’re satisfied with your changes, click Save.

Create an internal role

  1. In the Identity Cloud admin UI, go to Identities > Manage > Internal Roles.

  2. Click + New Internal Role.

  3. In the New Internal Role card, enter role details.

    Internal role details:
    • Role Name: Unique identifier to display in the Roles list.

    • Role Description: String that’s meaningful to your organization.
      Examples: Employee, Customers, Sales Department, Europe

  4. Click Next.

  5. Choose the type of identities (users or devices) you want to define permissions for, then click Add (+).

  6. In the Role Permissions card, enable the permissions you want to grant to this identity type (Users or Devices). You can grant permissions to view, create, update, or delete resources in your extranet.

  7. To grant attribute-based or filter-based permissions, click Advanced.

    Attribute-Based Permissions

    By default, each identity with this role in its profile has Read-only access to your resources.
    For each identity attribute in this list, you can:

    • Add additional write access by choosing Read/Write.

    • Restrict access completely by choosing None.

    Filter-Based Permissions

    You are giving permission to any identity with this role in its profile that also meets the conditions you specify here. The permissions you give here override the view, create, update, or delete options you enabled for this role.

    1. Use the slider to enable Filter-based Permissions.

    2. Use the choosers to specify additional conditions for granting permission.

    3. (Optional) Click Advanced Editor to create a query-based condition.

    4. Click Next.

  8. (Optional) Enable a role time constraint for this role.

    Role time constraints
    • Use the calendar and clock choosers to define when the role is in effect.

      • Specify the time zone to be used for the start and end date/time you specified.

        Choose a time zone relative to Greenwich Mean Time (GMT). GMT is the same as Universal Time Coordinated (UTC).

      • Click Time zones chart to calculate the offset time.

  9. Click Save Role.

  10. To add a member, in the Members list, click + Add Members.

    1. Use the chooser to select one or more identities to add to the role members list.

    2. Click Add members.
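The role time constraint (step 6 of "Create an external role" and step 8 of "Create an internal role") is entered as local start and end date-times plus a GMT offset, but the tenant enforces it as an interval in UTC. The Python example below is added here and is not Identity Cloud code: it converts the UI values to a UTC interval and checks whether a role is in effect at a given instant, so you can see why an offset entered wrongly leaves a role active outside the intended window. The `temporalConstraints` / `duration` layout of the role object, and all sample values, are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Added example (not Identity Cloud code). The "temporalConstraints"/"duration"
# layout used below is an assumption about how the role object stores the
# constraint; the page only describes the admin UI choosers.
UTC_FMT = "%Y-%m-%dT%H:%M:%S.000Z"


def build_duration(start_local: str, end_local: str, gmt_offset_hours: float) -> str:
    """Convert UI wall-clock values to an ISO 8601 'start/end' interval in UTC.

    start_local / end_local are 'YYYY-MM-DDTHH:MM' strings in the chosen zone;
    gmt_offset_hours is that zone's offset from GMT (for example +2 or -5.5).
    """
    tz = timezone(timedelta(hours=gmt_offset_hours))
    start = datetime.fromisoformat(start_local).replace(tzinfo=tz).astimezone(timezone.utc)
    end = datetime.fromisoformat(end_local).replace(tzinfo=tz).astimezone(timezone.utc)
    if end <= start:
        raise ValueError("role time constraint: end must be later than start")
    return f"{start.strftime(UTC_FMT)}/{end.strftime(UTC_FMT)}"


def role_with_time_constraint(name: str, start_local: str, end_local: str,
                              gmt_offset_hours: float) -> dict:
    """Build a minimal role object carrying the constraint (assumed layout)."""
    return {
        "name": name,
        "temporalConstraints": [
            {"duration": build_duration(start_local, end_local, gmt_offset_hours)}
        ],
    }


def role_in_effect(role: dict, at_utc: datetime) -> bool:
    """True if the role grants access at the given UTC instant.

    A role without constraints is always in effect; with constraints, at least
    one interval must contain the instant (start inclusive, end exclusive).
    """
    if at_utc.tzinfo is None:
        raise ValueError("at_utc must be timezone-aware")
    constraints = role.get("temporalConstraints") or []
    if not constraints:
        return True
    for constraint in constraints:
        start_s, end_s = constraint["duration"].split("/")
        start = datetime.strptime(start_s, UTC_FMT).replace(tzinfo=timezone.utc)
        end = datetime.strptime(end_s, UTC_FMT).replace(tzinfo=timezone.utc)
        if start <= at_utc < end:
            return True
    return False


def role_in_effect_at(role: dict, utc_wallclock: str) -> bool:
    """Convenience wrapper: utc_wallclock is 'YYYY-MM-DDTHH:MM' read as UTC."""
    instant = datetime.fromisoformat(utc_wallclock).replace(tzinfo=timezone.utc)
    return role_in_effect(role, instant)


if __name__ == "__main__":
    # Constructed values: a contractor role valid 09:00-17:00 on 1 March 2024,
    # entered in a GMT+2 zone. 16:00 UTC is 18:00 local, so the role is off.
    role = role_with_time_constraint("contractor-access", "2024-03-01T09:00",
                                     "2024-03-01T17:00", gmt_offset_hours=2)
    print(role["temporalConstraints"][0]["duration"])
    print(role_in_effect_at(role, "2024-03-01T16:00"))
```

The check treats the end of the interval as exclusive and refuses naive (zone-less) instants, which is the usual source of an "active one hour too long" mistake when the GMT offset is dropped somewhere between the UI and the evaluation.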

Edit an internal role

  1. In the Identity Cloud admin UI, go to Identities > Manage > Internal Roles.

  2. In the internal roles list, click the role name.

  3. In the Internal Role card, click Members.

    • To add a member, in the Members list, click + Add Members.

      1. Use the chooser to select one or more users to add to the role members list.

      2. Click + Add members.

    • To edit a member profile, in the Members list, find the member username.
      In the same row, click More, and choose Edit.

  4. When you’re satisfied with your changes, click Save.

For a deep dive into roles, see Roles.

Assignments

For a quick take, see Assignments.

Create an assignment

  1. In the Identity Cloud admin UI, go to Identities > Manage > Assignments.

  2. Click + New Assignment.

  3. In the New Assignment card, choose the source-target mapping you want to use for synchronizing identity data stores.

    Tell me more

    The first column lists your tenant data stores. The second column lists available target data stores. For more information, see "Assignments".

  4. Click Next.

  5. In the Assignment Details card, enter Assignment details.

    Assignment details:
    • Assignment: Name to be displayed in Assignments list

    • Assignment Description: The permission this assignment provides.
      For example, Allows access to Reporting App.

  6. Click Next.

  7. To provision an attribute in the target data store, click Add an attribute. Then enter attribute details.

    Attribute details:

    Create an attribute-value pair for provisioning the target user account.

    1. From the Attribute menu, choose an identity attribute in your tenant.

    2. In the Value field, enter a value for the attribute you just chose. This attribute-value pair will be synced with user accounts in the target data store.

    3. Click Assignment Operations (settings).
      Define how Identity Cloud will sync assignment attributes on the target data store:

      • The On Assignment menu defines what Identity Cloud will do with a new assignment attribute.

        • The Merge with target option adds a new attribute value to an existing attribute in the target user account.

        • The Replace target option removes the existing attribute-value pair in the target user account, and replaces it with the attribute-value you’ve defined.

      • The On Unassignment menu defines what Identity Cloud will do with an existing assignment attribute.

        • The Remove from target option deletes the specified attribute-value pair from the target user account.

        • The No operation option preserves the attribute-value pair in your tenant identities and in the target user accounts.

      • To add more assignment attributes, click Add (+).

      • To remove an assignment attribute, click Delete (-).

  8. Click Save Assignment.

Edit an assignment

  1. In the Identity Cloud admin UI, go to Identities > Manage > Assignments.

  2. In the Assignments list, click the assignment name.

  3. Click Details to edit assignment details.

    Assignment details:
    • Mapping: The source and target data stores to be synced for this assignment. The first column lists your identity platform data store. The second column lists a data store that contains user accounts outside your tenant.

    • Assignment Details: Edit the name or description to suit your needs.

  4. To provision an attribute in the target data store, click Add an attribute. Then enter attribute details.

    Attribute details:

    Create an attribute-value pair for provisioning the target user account.

    1. From the Attribute menu, choose an identity attribute in your tenant.

    2. In the Value field, enter a value for the attribute you just chose. This attribute-value pair will be synced with user accounts in the target data store.

    3. Click Assignment Operations (settings).
      Define how Identity Cloud will sync assignment attributes on the target data store:

      • The On Assignment menu defines what Identity Cloud will do with a new assignment attribute.

        • Merge with target adds a new attribute value to an existing attribute in the target user account.

        • Replace target removes the existing attribute-value pair in the target user account, and replaces it with the attribute-value you’ve defined.

      • The On Unassignment menu defines what Identity Cloud will do with an existing assignment attribute.

        • The Remove from target option deletes the specified attribute-value pair from the target user account.

        • The No operation option preserves the attribute-value pair in your tenant identities and in the target user accounts.

      • To add more assignment attributes, click Add (+).

      • To remove an assignment attribute, click Delete (-).

    4. Click Save.

  5. (Optional) To use a script to customize an assignment, click + Add an event script.

    Tell me more
    1. On the Add Event Script card, choose the event to trigger your script.

    2. Provide your script to Identity Cloud in one of these ways:

      • Enter your script in the text box, and indicate the script Type: JavaScript. Groovy is not supported at this time.

      • Click Upload File, and specify the script filename.

    3. (Optional) Use the Variables fields to define variables in your script.
      Enable JSON to enter your variables using the JSON format.

    4. Click Save.

  6. Click Roles to view roles linked to this assignment:

    1. To add a new role, click + New Role.

    2. To edit an existing role, click More.

  7. When you’re satisfied with your changes, click Save.

For a deep dive into roles and assignments, see Use Assignments to Provision Users.
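The Assignment Operations menus (step 7 of "Create an assignment" and step 4 of "Edit an assignment") decide what happens to the target account's attribute when the assignment is granted and when it is revoked. The Python example below is added here and is not Identity Cloud code: it models the four choices (Merge with target, Replace target, Remove from target, No operation) over a constructed target account so you can see the difference, in particular that Remove from target only takes away the values the assignment contributed, and that No operation leaves a replaced value behind after unassignment. The internal operation names (`mergeWithTarget`, `replaceTarget`, `removeFromTarget`, `noOp`) and the assignment/account layout are assumptions; the page shows only the UI labels.

```python
import copy

# Added example (not Identity Cloud code). Operation names are an assumption
# mapping the UI labels on this page to identifiers; the account and
# assignment shapes are constructed for illustration.
MERGE_WITH_TARGET = "mergeWithTarget"    # UI: On Assignment > Merge with target
REPLACE_TARGET = "replaceTarget"         # UI: On Assignment > Replace target
REMOVE_FROM_TARGET = "removeFromTarget"  # UI: On Unassignment > Remove from target
NO_OP = "noOp"                           # UI: On Unassignment > No operation


def _as_list(value):
    """Normalise a scalar or list attribute value to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def apply_on_assignment(account: dict, attribute: str, value, operation: str) -> dict:
    """Return a copy of the target account after the attribute is assigned."""
    acct = copy.deepcopy(account)
    if operation == REPLACE_TARGET:
        # Whatever the target holds is dropped in favour of the assignment value.
        acct[attribute] = copy.deepcopy(value)
    elif operation == MERGE_WITH_TARGET:
        # Existing values are kept; assignment values are added without duplicates.
        merged = _as_list(acct.get(attribute))
        for item in _as_list(value):
            if item not in merged:
                merged.append(item)
        acct[attribute] = merged
    else:
        raise ValueError(f"unknown On Assignment operation: {operation!r}")
    return acct


def apply_on_unassignment(account: dict, attribute: str, value, operation: str) -> dict:
    """Return a copy of the target account after the attribute is unassigned."""
    acct = copy.deepcopy(account)
    if operation == NO_OP:
        return acct  # the value stays on the target account
    if operation == REMOVE_FROM_TARGET:
        current = acct.get(attribute)
        if isinstance(current, list):
            # Only the values this assignment contributed are removed; values
            # that came from elsewhere (or from other assignments) survive.
            remaining = [v for v in current if v not in _as_list(value)]
            if remaining:
                acct[attribute] = remaining
            else:
                acct.pop(attribute, None)
        elif current == value:
            # Design choice here: a single-valued attribute is only cleared
            # when it still holds exactly the assigned value.
            acct.pop(attribute, None)
        return acct
    raise ValueError(f"unknown On Unassignment operation: {operation!r}")


def provision(account: dict, assignment: dict, assign: bool = True) -> dict:
    """Apply every attribute-value pair of an assignment to a target account."""
    for attr in assignment["attributes"]:
        if assign:
            account = apply_on_assignment(account, attr["name"], attr["value"],
                                          attr["assignmentOperation"])
        else:
            account = apply_on_unassignment(account, attr["name"], attr["value"],
                                            attr["unassignmentOperation"])
    return account


# Constructed sample data, not from the page.
REPORTING_ASSIGNMENT = {
    "name": "Reporting App",
    "description": "Allows access to Reporting App",
    "attributes": [
        {"name": "groups", "value": ["reporting-users"],
         "assignmentOperation": MERGE_WITH_TARGET,
         "unassignmentOperation": REMOVE_FROM_TARGET},
        {"name": "department", "value": "Finance",
         "assignmentOperation": REPLACE_TARGET,
         "unassignmentOperation": NO_OP},
    ],
}
TARGET_ACCOUNT = {"uid": "bjensen", "groups": ["staff"], "department": "Sales"}

if __name__ == "__main__":
    granted = provision(TARGET_ACCOUNT, REPORTING_ASSIGNMENT)
    print("after assignment:  ", granted)
    print("after unassignment:", provision(granted, REPORTING_ASSIGNMENT, assign=False))
```

Running the block shows the combination to watch for in a review: Replace target plus No operation overwrites a value on the target and never restores it, so the account keeps `department: Finance` after the assignment is removed.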

Organizations

For a quick take, see Organizations.

Managing Organizations

Tenant administrators:
  • Using the REST APIs:

  • Using the Identity Cloud admin UI:

    • In the Identity Cloud admin UI, go to Identities > Manage > Realm - Organizations. Follow the steps described on this page.

Organization owners and organization administrators:
  • Using the Identity Cloud End User UI:

    • In the Identity Cloud End User UI, go to Realm - Organizations. Follow the steps described on this page.

Before you begin

You can build organizations in many different ways. For example, you can start with a parent organization that contains all user identities, and then build your organization hierarchy. Or, you can first build a hierarchy of empty organizations and sub-organizations, and then add users to the various target organizations. Regardless of the approach you take, at some point you’ll have to import identities into an organization.

Import identities into an organization

Who can do this (tenant administrators, organization owners, organization administrators):

  • Only tenant administrators can import identities into an organization.

Tenant administrators:

In this example:

  • A .csv file containing 100 user identities already exists.

  • A parent organization containing no members already exists.

To import identities:

  1. In the Identity Cloud admin UI, go to Identities > Import.

  2. On the Import Identities page, click + New Import.

  3. In the Upload CSV menu, select Realm - Users.

  4. Click Next.


  5. In the Upload CSV dialog box, enter upload details:

    CSV File

    Enter the name of your .csv file containing identities to import.

    Match Using

    Enter a property name to use for matching and filtering objects. In this example, userName is used to import user profiles that will become members of the target organization.

  6. Click Next.

  7. When the Import Complete dialog box appears and confirms that the import was successful, click Done.

  8. Verify that users were imported to the organization you created:

    1. In the Identity Cloud admin UI, go to Identities > Manage > Realm - Users.

    2. Open any user’s profile, and click Organizations to which I Belong. In the organizations list, you should see the name of the organization you created.

    3. Go to Identities > Manage > Realm - Organizations. In the organizations list, you should see the name of the organization you created.

    4. Click the name of the organization you created, then click Members. In the list of members, you should see all the user identities you imported into the organization.
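The import matches and filters rows on the property you enter under Match Using (userName in the example above), and a username must be unique and contain no white space. The Python example below is added here and is not Identity Cloud code: it checks a .csv file for those conditions before you upload it, so duplicate or malformed identities are caught on your side rather than discovered after the import. The column names (`userName`, `givenName`, `sn`, `mail`) and the sample rows are constructed assumptions; use the names from the User identity attributes and properties reference for your tenant.

```python
import csv
import io

# Added example (not Identity Cloud code). Column names are assumed; the CSV
# below is constructed and deliberately contains three bad rows.
REQUIRED_COLUMNS = ("userName", "givenName", "sn", "mail")

SAMPLE_CSV = """userName,givenName,sn,mail
bjensen,Barbara,Jensen,bjensen@example.com
scarter,Sam,Carter,scarter@example.com
bjensen,Barb,Jensen,barb@example.com
bad user,Bad,User,bad@example.com
,Missing,Name,missing@example.com
"""


def validate_import_csv(text: str, match_property: str = "userName"):
    """Check a CSV before import.

    Returns (ok_keys, problems): the match-property values that passed, in
    file order, and a list of human-readable problems with 1-based line
    numbers (the header is line 1).
    """
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    problems = []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        problems.append(f"header: missing required column(s) {', '.join(missing)}")
    if match_property not in header:
        problems.append(f"header: missing match property column {match_property!r}")
        return [], problems

    seen = {}     # match value -> first line it appeared on
    ok_keys = []
    for line_no, row in enumerate(reader, start=2):
        key = (row.get(match_property) or "").strip()
        if not key:
            problems.append(f"line {line_no}: empty {match_property}")
            continue
        if any(ch.isspace() for ch in key):
            problems.append(f"line {line_no}: {match_property} {key!r} contains white space")
            continue
        if key in seen:
            problems.append(f"line {line_no}: duplicate {match_property} {key!r} "
                            f"(first seen on line {seen[key]})")
            continue
        seen[key] = line_no
        ok_keys.append(key)
    return ok_keys, problems


if __name__ == "__main__":
    ok, issues = validate_import_csv(SAMPLE_CSV)
    print("importable:", ok)
    for issue in issues:
        print("problem:", issue)
```

A duplicate match value is worth stopping on rather than letting the importer decide which row wins: with Match Using set to userName, the two `bjensen` rows would otherwise be reconciled into one profile with whichever attributes happen to be processed last.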

Create a parent organization

Who can do this (tenant administrators, organization owners, organization administrators):

  • Only tenant administrators can create a parent organization.

Tenant administrators:
  1. In the Identity Cloud admin UI, go to Identities > Manage > Realm - Organizations.

  2. On the Organizations page, click + New Organization.

  3. In the New Realm - organization page, enter the following:

    Name

    Enter a display name. Uppercase, lowercase, alphanumeric & special characters, and white spaces are allowed.

  4. Click Save. This saves the new organization, then immediately opens the new organization profile to edit:

    Name

    Update if necessary, see step 3.

    Description

    Enter a description meaningful to you.

    Parent Organization

    Leave empty to designate the new organization as a parent organization.

  5. Click Save.

Create an organization owner

Who can do this (tenant administrators, organization owners, organization administrators):

  • Only tenant administrators can create an organization owner.

Tenant administrators:
  1. In the Identity Cloud admin UI, go to Identities > Manage > Realm - Organizations.

  2. In the organizations list, click the name of the organization you want to add an owner to.

  3. Click Owner, then click + Add Owner.

  4. In the Add Owner dialog box, in the Owner search field, choose the name of the user you want to designate as the organization owner.

    Do not make an organization owner a member of the organization. This can result in giving the organization administrator greater control of the organization than its owner.

  5. Click Save.

Create an organization administrator

Who can do this (tenant administrators, organization owners, organization administrators):

  • Tenant administrators can create an organization administrator in any organization.

  • Organization owners can create an organization administrator only within organizations or sub-organizations where they are the owner.

  • Organization administrators cannot create other organization administrators.

Tenant administrators:
  1. In the Identity Cloud admin UI, go to Identities > Manage > Realm - Organizations.

  2. In the organization list, click the name of the organization you want to add an administrator to.

  3. Click Administrators.

  4. Click + Add Administrators.

  5. In the Add Administrators dialog box, enter a username in the Administrators search field. The user must already belong to the organization.

  6. Click Save. The username or usernames you added now display in the members list.

Organization owners:
  1. In the Identity Cloud End User UI, go to Realm - Organizations.

  2. Follow steps 2–6 in the tenant administrator instructions above.

Create a sub-organization

Who can do this (tenant administrators, organization owners, organization administrators):

  • Tenant administrators can create a sub-organization within any organization.

  • Organization owners can create a sub-organization only within organizations or sub-organizations where they are the owner.

  • Organization administrators can create a sub-organization only within organizations or sub-organizations where they are an administrator.

Tenant administrators:
  1. Follow the instructions to create a parent organization.

  2. In step 4, set a parent organization as follows:

    Parent Organization

    Enter the name of an existing organization one level up from this child organization.

    Tenant administrators have visibility of all organizations.

Organization owners and organization administrators:
  1. In the Identity Cloud End User UI, go to Realm - Organizations.

  2. On the Organizations page, click + New Organization.

  3. In the New Realm - organization page, enter the following:

    Name

    Enter a display name. Uppercase, lowercase, alphanumeric & special characters, and white spaces are allowed.

    Parent Organization

    Enter the name of an existing organization one level up from this child organization.

    Organization owners and organization administrators have visibility only of the organizations and sub-organizations that they own or administrate.

  4. Click Save. This saves the new organization, then immediately opens the new organization profile to edit:

    Name

    Update if necessary, see step 3.

    Description

    Enter a description meaningful to you.

    Parent Organization

    Update if necessary, see step 3.

  5. Click Save.

While privileges for default attributes are automatically included when setting up a sub-organization, custom attributes need to be manually added to your privileges configuration before creating the sub-organization.

Do this by adding the custom attribute to the accessFlags section of the owner-view-update-delete-orgs and owner-create-orgs privileges. These are accessed through the REST API at the /openidm/config/alphaOrgPrivileges or /openidm/config/bravoOrgPrivileges endpoints (depending on the realm you are updating).
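The two paragraphs above describe the change in words; the Python example below, added here and not Identity Cloud code, performs it on a privileges configuration document: it adds a custom attribute to the `accessFlags` of the `owner-view-update-delete-orgs` and `owner-create-orgs` privileges without duplicating an entry that already exists, leaves every other privilege untouched, and builds the `/openidm/config/alphaOrgPrivileges` or `/openidm/config/bravoOrgPrivileges` path for the realm. The shape of the document (a `privileges` list whose entries carry `name` and `accessFlags` items of `{"attribute", "readOnly"}`), the sample entries, and the bearer-token authentication used by `push_config` are assumptions; confirm them against a GET of the endpoint in your own tenant before you PUT anything back.

```python
import copy
import json
import urllib.request

# Added example (not Identity Cloud code). Privilege names and endpoint paths
# come from the page; the document layout and sample entries are assumed.
OWNER_PRIVILEGES = ("owner-view-update-delete-orgs", "owner-create-orgs")

SAMPLE_PRIVILEGES = {  # constructed, cut down to what the example needs
    "_id": "alphaOrgPrivileges",
    "privileges": [
        {"name": "owner-view-update-delete-orgs",
         "path": "managed/alpha_organization",
         "permissions": ["VIEW", "UPDATE", "DELETE"],
         "accessFlags": [{"attribute": "name", "readOnly": False},
                         {"attribute": "description", "readOnly": False}]},
        {"name": "owner-create-orgs",
         "path": "managed/alpha_organization",
         "permissions": ["CREATE"],
         "accessFlags": [{"attribute": "name", "readOnly": False},
                         {"attribute": "parent", "readOnly": False}]},
        {"name": "admin-view-update-orgs",
         "path": "managed/alpha_organization",
         "permissions": ["VIEW", "UPDATE"],
         "accessFlags": [{"attribute": "name", "readOnly": True}]},
    ],
}


def org_privileges_endpoint(realm: str) -> str:
    """Config endpoint for the realm's organization privileges (alpha or bravo)."""
    if realm not in ("alpha", "bravo"):
        raise ValueError(f"unknown realm {realm!r}")
    return f"/openidm/config/{realm}OrgPrivileges"


def attributes_for(config: dict, privilege_name: str) -> list:
    """Attribute names listed in a privilege's accessFlags."""
    for priv in config.get("privileges", []):
        if priv.get("name") == privilege_name:
            return [f["attribute"] for f in priv.get("accessFlags", [])]
    raise KeyError(privilege_name)


def add_custom_attribute(config: dict, attribute: str, read_only: bool = False,
                         privilege_names=OWNER_PRIVILEGES) -> dict:
    """Return a copy of config with the attribute added to the named privileges.

    Idempotent: an existing flag for the attribute is updated, not duplicated.
    Raises KeyError if one of the expected privileges is absent, so a typo in
    the realm or a changed config is not silently ignored.
    """
    updated = copy.deepcopy(config)
    found = set()
    for priv in updated.get("privileges", []):
        if priv.get("name") not in privilege_names:
            continue
        found.add(priv["name"])
        flags = priv.setdefault("accessFlags", [])
        existing = next((f for f in flags if f.get("attribute") == attribute), None)
        if existing is None:
            flags.append({"attribute": attribute, "readOnly": read_only})
        else:
            existing["readOnly"] = read_only
    missing = set(privilege_names) - found
    if missing:
        raise KeyError(f"privileges not found in config: {sorted(missing)}")
    return updated


def push_config(base_url: str, realm: str, config: dict, bearer_token: str) -> int:
    """PUT the document back to the tenant; returns the HTTP status.

    Assumes bearer-token auth (hypothetical for this example). Not called
    anywhere in this block, so it runs offline.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + org_privileges_endpoint(realm),
        data=json.dumps(config).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {bearer_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    new_cfg = add_custom_attribute(SAMPLE_PRIVILEGES, "costCenter")
    for name in OWNER_PRIVILEGES:
        print(name, attributes_for(new_cfg, name))
```

The function fails loudly when a named privilege is missing rather than returning the document unchanged, because the consequence of a silent no-op is that owners can still create sub-organizations but the custom attribute is quietly dropped from them.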

Edit an organization or sub-organization

Who can do this (tenant administrators, organization owners, organization administrators):

  • Tenant administrators can edit any organization or sub-organization.

  • Organization owners can only edit organizations or sub-organizations where they are the owner.

  • Organization administrators can only edit organizations or sub-organizations where they are an administrator.

Tenant administrators:
  1. In the Identity Cloud admin UI, go to Identities > Manage > Realm - Organizations.

  2. In the organizations list, click the name of the organization profile you want to edit.

  3. In the organization profile page, edit organization details.

    Name

    Enter a display name. Uppercase, lowercase, alphanumeric characters, special characters, and white spaces are allowed.

    Description

    Enter a description meaningful to you.

    Parent Organization

    Enter the name of the organization one level up from this child organization, or leave empty to designate the organization as a parent organization.

  4. Click Save.

Organization owners and organization administrators:
  1. In the Identity Cloud End User UI, go to Realm - Organizations.

  2. In the organizations list, click the name of the organization profile you want to edit.

  3. In the organization profile page, edit organization details.

    Name

    Enter a display name. Uppercase, lowercase, alphanumeric characters, special characters, and white spaces are allowed.

    Description

    Enter a description meaningful to you.

    Parent Organization

    Enter the name of the organization one level up from this child organization.

  4. Click Save.

Add or create organization members

Who can do this (tenant administrators, organization owners, organization administrators):

  • Tenant administrators have access to the members of all organizations.

  • Organization owners have access to only the members in organizations they own.

  • Organization administrators have access to only the members in their administrative area.

Add a member to an organization

Tenant administrators:
  1. In the Identity Cloud admin UI, go to Identities > Manage > Realm - Organizations.

  2. In the organizations list, click the name of the organization you want to add a member to.

  3. On the Organizations page, click Members.

  4. Click + Add Members.

  5. In the Add Members dialog box, enter names of users to add to this organization in the search field.

  6. Click Save. The username or usernames you added now display in the members list.

Organization owners and organization administrators:
  1. In the Identity Cloud End User UI, go to Realm - Organizations.

  2. Follow steps 2–6 in the tenant administrator instructions above.

Create a new user profile in an organization

Tenant administrators:
  1. In the Identity Cloud admin UI, go to Identities > Manage > Realm - Users.

  2. In the Realm - User list, click + New Realm - User.

  3. In the New Realm - User dialog box, enter user profile details.

    Username

    Enter a unique username. No white spaces.

    First Name

    Enter the user’s given name.

    Last Name

    Enter the user’s surname.

    Email Address

    Enter the user’s email address.

  4. Click Save. The new user profile is displayed in the Realm - Users list.

  5. Open the new user’s identity profile.

  6. Click Organizations to which I Belong.

  7. Click + Add Organizations to which I Belong.

  8. In the Add Organization to which I Belong dialog box, choose an existing organization from the search field. You can choose more than one.

  9. Click Save.

Organization owners and organization administrators:
  1. In the Identity Cloud End User UI, go to Realm - Users.

  2. Follow steps 2–9 in the tenant administrator instructions above.

Delete an organization

Who can do this (tenant administrators, organization owners, organization administrators):

  • Tenant administrators can delete any organization or sub-organization.

  • Organization owners can only delete organizations or sub-organizations where they are the owner.

  • Organization administrators can only delete organizations or sub-organizations where they are an administrator.

Tenant administrators:
  1. In the Identity Cloud admin UI, go to Identities > Manage > Realm - Organizations.

  2. In the organizations list, click the name of the organization you want to delete.

  3. On the Realm - Organization page, click Delete Realm - Organization.

    This operation cannot be undone.

Organization owners and organization administrators:
  1. In the Identity Cloud End User UI, go to Realm - Organizations.

  2. Follow steps 2–3 in the tenant administrator instructions above.

Copyright © 2010-2022 ForgeRock, all rights reserved.