People management overview
People management tasks include managing users, groups, and services.
You can create, modify, delete, and search for users, groups, and services. Additions and changes you make have an immediate effect on Cloud Identity Service authentication and authorization. For example, if you create an account record for a user, that user can then access the Cloud Identity Service and Self Service applications. You might also add a user to a group to give them access to a specific web application. Service memberships might not take effect immediately if approval is required.
Users
You can add, modify, delete, and search for user records. A user record can be created as an identity or as an account. An account gives a user login access to Self Service applications and, potentially, to other resources that are managed by Cloud Identity Service. An identity is only a record of information about a user.
A user record is composed of a number of user identity attributes. Many of these attributes are common to most Identity Management systems, for example, given name, surname, and email address. Your organization also has a number of attributes that are unique to your own set of applications. Attributes are collected from sources of record or identity repositories already in your organization during the initial configuration of Cloud Identity Service for your organization. Most of the existing user records are created from these existing identity repositories.
Groups
Various Identity and Access Management policy decisions are best enacted by treating users collectively. Users that share some common characteristics can be grouped. For example, a group of users that work in the same department of a company can be granted the same access to a specified web application. In this case, the group of users is defined and then that group is referenced by an access control list (ACL) policy. The policy grants (or denies) application access to all the users in that group.
The user membership of a group can be statically or dynamically defined. Static user membership requires you to manually add each user to the group, and to manually manage group membership. Dynamic user membership automatically selects users for membership. Membership is based on any matching combination of identity attribute values, other group or service memberships, or assignment of a manager role. For example, you might group users who are in a specific country or locality. You might group users who have an account within a specific account number range, and who are also members of another specified group.
Dynamic user membership is implemented by using a dynamic provisioning policy, in which you define the group membership selection criteria.
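The following is an added illustration of the two membership models and how an ACL policy consumes them; it is a constructed model, not Cloud Identity Service's own policy syntax or API. The user records, group names, attribute names (country, accountNumber), application names, and the "deny wins" ACL rule are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str
    attrs: dict                 # identity attributes, e.g. country, accountNumber
    is_manager: bool = False    # whether the user holds a manager role

@dataclass
class DynamicGroup:  # selection criteria of one dynamic provisioning policy (constructed model)
    name: str
    required_attrs: dict = field(default_factory=dict)  # attribute -> required value
    account_range: tuple = None                         # (low, high), inclusive
    member_of: list = field(default_factory=list)       # groups the user must already be in
    managers_only: bool = False

def matches(user, group, members):
    """True when the user satisfies every criterion of the dynamic group."""
    if any(user.attrs.get(k) != v for k, v in group.required_attrs.items()):
        return False
    if group.account_range is not None:
        acct = user.attrs.get("accountNumber")
        if acct is None or not group.account_range[0] <= acct <= group.account_range[1]:
            return False
    if any(user.uid not in members.get(g, set()) for g in group.member_of):
        return False
    return user.is_manager or not group.managers_only

def evaluate_memberships(users, static_groups, dynamic_groups):
    """Static groups are taken as given; dynamic groups are evaluated in order, so each may reference earlier ones."""
    members = {name: set(uids) for name, uids in static_groups.items()}
    for group in dynamic_groups:
        members[group.name] = {u.uid for u in users if matches(u, group, members)}
    return members

def acl_allows(acl, members, uid, app):
    """ACL entries are (group, app, 'grant'|'deny'); an explicit deny wins."""
    decisions = {action for group, acl_app, action in acl
                 if acl_app == app and uid in members.get(group, set())}
    return "grant" in decisions and "deny" not in decisions

# Constructed sample data, not taken from any real directory.
USERS = [User("alice", {"country": "US", "accountNumber": 1200}),
         User("bob", {"country": "DE", "accountNumber": 1500}, is_manager=True),
         User("carol", {"country": "US", "accountNumber": 5000})]
STATIC = {"finance": {"alice", "bob"}, "contractors": {"bob"}}   # manually managed membership
DYNAMIC = [DynamicGroup("us-users", required_attrs={"country": "US"}),
           DynamicGroup("finance-tier1", account_range=(1000, 2000), member_of=["finance"]),
           DynamicGroup("managers", managers_only=True)]
ACL = [("us-users", "payroll-app", "grant"), ("finance-tier1", "ledger-app", "grant"),
       ("contractors", "ledger-app", "deny")]
MEMBERS = evaluate_memberships(USERS, STATIC, DYNAMIC)
```

Re-running evaluate_memberships after an attribute or static-group change is what keeps dynamic groups, and therefore ACL decisions, current.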
Schema management
You can manage your LDAP (Lightweight Directory Access Protocol) schema by adding custom identity attributes to extend the information held in user identity records.