IdentityGov 11gR2

This document outlines an Oracle Identity Manager 11gR2 hands-on workshop over 4 days. The workshop covers topics like Oracle Identity Manager 11gR2 at a high level, provisioning, access requests, security, UI customization, and more. Each day consists of introductions, discussions, labs and demos to help attendees learn how to use Oracle Identity Manager 11gR2 features.


Oracle Identity Manager 11gR2 Hands-on Workshop

[email protected], [email protected]
Product Management, Oracle Identity Governance

This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

Oracle Confidential Do Not Distribute

Day 1
Introductions
Discussion
Oracle Identity Management 11gR2 @ 100 ft level
Oracle Identity Management 11gR2 Governance platform
Oracle Identity Manager 11gR2 Provisioning (Application Instances, Forms)
Oracle Identity Manager 11gR2 Access Request (Catalog, Approval Workflow, Request)
Some useful tips for executing the labs smoothly
Lunch
Let's bring it to the desk for today
Lab 1 Getting started
Lab 2 Install and Extend OUD connector
Lab 3 Develop Approval Workflow


Day 2
Lab 4 Empower Catalog, Configure Request Scenarios
Lab 5 Request Profiles (Practice Offline)
Discussion
Oracle Identity Manager 11gR2 Security

Lunch
Lab 6 Organizational Security based Delegated Administration
Lab 7 Advanced Security Scenarios


Day 3
Discussion
Oracle Identity Manager 11gR2 UI Customization

Lab 8 Personalization
Lab 9 Basic UI Customization
Lab 10 Adding UDF on User Schema
Lab 11 Transitioning Catalog LAF thru Advanced UI Customization
Lunch
Lab 12 Advanced UI Customization on User Creation page


Day 4
Lab 13, 14 Bulk Load, Reconciliation (Practice Offline)
Lab 15 Self registration and Access Policy with Approval
Lab 16 Disconnected Resources
Discussion
Oracle Identity Manager 11gR2 Improved Customization Lifecycle management and Infrastructure (T2P, Event Handler, Notification changes)
Roadmap
Lunch
Labs 17 to 22 ICF, Event Handlers, Notification, Reports, User attribute trigger (Practice Offline)
OPAM (extended to Day 5)


11g Deployment Momentum
[Chart: deployment counts across the Identity & Access, Identity, Access, Directory and Sun product lines]

Oracle Identity Business Today
4000+ Customers in 45 Countries
Industry leadership in User Provisioning, Identity Governance and Access Management

Identity is Key to Emerging Requirements
From Gartner: Cloud, Mobile, Social

Identity Management at the Center
Complete, Open, Integrated
[Fusion Middleware stack diagram: User Engagement (Web, Social, Mobile), Business Process Management, Content Management, Service Integration, Business Intelligence, Data Integration, Development Tools, Cloud Application Foundation and Enterprise Management; Identity Management & Security runs across the whole stack, "Enabling the Interaction" and "Securing the Experience"]

11gR2 Themes and Drivers
Simplify and Innovate: Modernized Platform, Simplified Experience, Cloud, Mobile and Social, Extreme Scale, Clear Upgrade Path
Drivers: Faster Deployment, Lower TCO

New Identity Platform
Convergence: Simple to Adopt, Simple to Deploy
Identity Governance: Lifecycle Management & 360 visibility; Regular & Privileged identities
Access Management: Complete access control & SSO; Fraud Detection
Directory Services: LDAP, Virtualization & Meta-directory
Converged Policy Administration & Control
Unified Administration & Management

Identity Management Portfolio 11gR2
Modern, Innovative & Integrated
Governance: Password Reset, Privileged Accounts, Access Request, Roles Based Provisioning, Role Mining, Attestation, Separation of Duties
Access: Web Single Sign-on, Federation, Mobile, Social & Cloud, External Authorization, SOA Security, Integrated ESSO, Token Services, Fraud Detection
Directory: LDAP Storage, Virtual Directory, Meta Directory
Platform Security Services

Re-designed Access Request
Shopping Cart Simplicity
Role & Entitlement Catalog, Simplified Search, Browse & Select, Add to Cart, Receipt Confirmation, Tracking & Visibility

Common UI Framework
One Platform, Unlimited Potential

Privileged Account Management
Complete Lifecycle Management of High Risk Accounts
Password Vault, Account Lifecycle, Policy Control, Check-in/Checkout, Audit Logging
Outcomes: Reduce Risk, Improve Compliance

Managing Privileged Accounts


A Platform Approach

Single Workflow

Single Connector Set

Single Attestation

Mobile & Social Sign-on
REST, Single Sign-on, OAuth, Step-up Auth

Mobile and Social Service Architecture
[Architecture diagram]

Mobile Application Security
[Diagram]

Social Sign-on
Select, Login, Authorize

Visibility & Control
[Diagram]

Access Management Highlights
Interoperability & Cohesion
Federation, Web Access Control, Enterprise Sign-on, Integrated Fraud Detection, Token Services, External Authorization, SOA Security
Standards Based

Operational Scale
Economies of Scale & Faster Performance
DIRECTORY SERVICES: Unified Directory, 3x Read / 5x Write, 250M Users, 1/6 Cost
ACCESS MANAGEMENT: 3K Auth/Second, Two Servers at 5250 TPS
Optimized System: Oracle SPARC T4, 3x Performance

Taking a Platform Approach
Building on Components of Fusion Middleware: User Interface, Customization, Performance

Upgrading
Gain a Platform Advantage

Complete & Modern

End to End Compliance

Lower TCO

What Customers Are Saying


Platform is an Advantage
"Your mobile security and social identity features are standardizing one of the big issues we have been struggling with. We can now replace our homegrown band aids with a solution that leverages our existing access infrastructure, and provide mobile SSO and enhanced device security."

"We really like the user interface and the ability to integrate with OIM for approval workflows. We have been considering buying a point product, but we prefer OPAM because of all the built in integration."

What Customers are Saying About R2


"We were struggling with providing organization specific UIs to Roche and Genentech and the R2 customization framework will allow us to meet each organization's requirements. We were looking at HP ServiceNow for request, but R2 UI is much cleaner, user friendly and the SOA features like attachment for approvals are great."

"You guys read our minds on how things are organized for roles and requests. Love new organization based security model and form designer. How soon can we start our upgrade from 9.1 to R2?"

"Even a novice can use the request interface. Plain and simple. I have not seen identity UI that is so clean OOTB. Concepts match the vision that Merck has for our self service portal."

"I can finally replace Remedy and SIM with OIM."

"Filtering search results is huge for us. Tracking bulk approval requests with graphical workflows will be handy for our helpdesk users to track where a request stands."

"User personalization is big for us. We want you to finish consolidation of OIA on this architecture as soon as possible."

What Customers are Saying About R2


"We are very excited about OAM new mobile features and can't wait to begin. It is exactly what we need for both our internal and our customer facing initiatives."

"The new mobile security and internet identity capabilities will put your access management products ahead of the competition. We expect to do a lot of deployments."

"OPAM is exactly what I need. We will stop evaluating other products and deploy OPAM when it's available."

"New OAM mobile is the highlight of my trip - we are seeing an explosion of mobile-driven access projects in Europe, and OAM will now address the core requirements for these projects out of the gate."

"We are rolling out Cyber-Ark now, but given OPAM-OIM integration to have request, certification and auditing end-to-end for regular accounts and privileged accounts, we will limit Cyber-Ark deployment and replace it with OPAM when it is ready."

Oracle Internal adoption
Same IdM platform for:
Oracle Public Cloud - full delegated administration and self service, bulk on-boarding, and customizable UIs
Fusion Applications - user management in LDAP, single sign-on, externalized authorization
Oracle's own IT operations (PDIT)
OnDemand hosts OAM, OAAM and OIF for a large banking customer

facebook.com/OracleIDM
blogs.oracle.com/OracleIDM
twitter.com/OracleIDM
White Papers, Datasheets

Oracle Identity Governance


Agenda - Oracle Identity Governance


Introduction to Oracle Identity Governance

Overview of 11g R2 features
Demo
Summary

Oracle Identity Governance 11g R2


Key Release Themes
Enhanced Usability & Security
Intuitive Access Request based on e-Commerce and internet search patterns
Business Friendly User Interface with OOB customization and personalization features
Single, Consistent Organization Scoped Security Model

Deployment Efficiency with Modernized Tooling
Browser-based Tooling for managing entity definitions, applications, designing forms, workflows and workflow rules
UI customization framework that supports durable, upgrade-safe customizations
Faster On-boarding for Disconnected Applications

Reduced TCO with a Unified Platform
Single platform for access request and certification features
Risk-based and closed-loop certification pre-integrated with provisioning
Privileged Account Management (PAM), pre-integrated with Access Request
Common connectors for provisioning, certification and privileged access

Oracle Identity Governance


Integrated and Complete Identity Governance
Shopping Cart Access Request
Sophisticated Approval Workflows
Business User Access Certification
Closed Loop Remediation
Standard and Privileged Accounts
Flexible Administrative Interfaces

Oracle Identity Governance
Governance Platform
[Diagram: the platform sits on a common set of Connectors and an Access Catalog]
Grant User Access: Access Request, Provision / De-Provision, Privileged Account Request (Check-in / Checkout), Role Lifecycle Management
Monitor User Access: Identity Certifications, IT Audit Monitoring, Rogue Detection & Reconciliation, Reporting & Privileged Access Monitoring
Access Catalog: Roles, Entitlements, Accounts; Ownership, Risk & Audit Objectives; Catalog Management; Glossaries

Oracle Identity Governance
Access Catalog
Harvesting, Catalog definition, Catalog enrichment

Oracle Identity Governance
Shopping Cart Simplicity
Browse, Compare & Select, Receipt Confirmation, Track

Oracle Identity Governance


Approvals
View and take action on approval
tasks via email, mobile (browser) and
self-service UI
Add comments and attachments
See current and future approvers

Prioritize and organize tasks


Oracle Identity Governance
Privileged Access Request
Password check-out for shared OS, database, and application accounts
Leverages the same connectors that are used in access request and access certification
Access request for break-the-glass and regular checkout
Access certification for access review and audit
[Diagram: Access Request, Audit / Monitoring, Certification, Password Vault, Check-in / Check-out]

Oracle Identity Governance
Connectors
Common Connectors for all Governance needs: Access Request, Access Certification, Privileged Access
Supports multiple target versions and multiple instances of a target simultaneously
Flexible deployment options: local and remote deployment
Extensible: administrators can extend the capabilities without coding
[Diagram: Identity Connector Framework and Identity Connectors in front of Cloud Applications, Enterprise Applications, Directories, Databases, Custom Applications and Mainframes]

Oracle Identity Governance
Role Lifecycle Management
Role Definition: Role Modeling, Top-Down Approach, Bottom-Up Approach, Role Mining
Change Mgmt: Role Change Approvals, Role Versioning, Rollbacks & Comparison, Role Change Impact Analysis, Rule Management
Role Audit, Analytics: Role Entitlement Mapping History, Role Membership History, Approvals History, Role Ownership History
Role Governance: Role Definition Attestation, Role Membership Attestation, Role Consolidation, Role Mining

Oracle Identity Governance


Role Mining
Intelligent Role Discovery Engine

Comprehensive Role Discovery using a Hybrid Approach:
Bottom Up (User Entitlements)
Top Down (User HR Attributes)
Flexible User Population Selection
Mining Results Dashboard
Statistics & Analytics
Graphical Representations
Incremental Role Mining
Role Entitlement Discovery to mine new applications based on existing roles

Oracle Identity Governance
Risk-based Certification
[Diagram: Identity Data Sources (Applications, DB, Mainframe, Resources) feed the Identity Warehouse (Roles, Entitlements, Provisioning Events). Risk Factors: Certification History, Policy Violations. Risk Aggregation routes Low Risk Users to Bulk Certify and High Risk Users to Cert360 with a focused Approve / Reject sign-off.]

Oracle Identity Governance
IT Audit Monitoring
IT Audit Policies: Within Application or Cross-Applications, Mitigating Controls, Preventative & Detective
Role Exceptions: Roles Vs. Actuals, Entitlements Outside Roles
Monitoring: Across Entitlements & Roles, 50+ Reports, Compliance Dashboards, Compliance Metrics Monitoring, Historical Trend Analysis
Remediation: Manager Signoff for Audit Exceptions, Remediation Tracking

Oracle Identity Governance
Reporting and Privileged Access Monitoring
Actionable dashboards for risk analysis and compliance
80+ OOTB reports providing a 360 deg. view of users' access
Flexible deployment options, including the ability to schedule report runs
Publicly available schema

Oracle Identity Governance Platform
Common Platform
[Diagram: Access Request, Privileged Access, Audit, Provisioning & Connectors, Access Certification and Access Catalog share Common Workflows, Common Connectors and a Common Catalog]

Oracle Identity Governance Platform
Common Governance
[Diagram: the same components cover the governance loop - define roles and policies, approve and fulfill access, audit and certify access]

Oracle Identity Governance Platform
Closed-loop Remediation
[Diagram: Access Request, Enterprise Roles, Provisioning & Connectors, Audit / Policy Monitoring, Rogue Detection and Access Certification form a loop: Monitor Access, Reduce Risk, Improve Compliance]

Oracle Identity Governance Platform


Gain a Platform Advantage

Complete & Modern

End to End Compliance

Lower TCO

Oracle Identity Governance Platform
Customers
[Customer logo slide]

Oracle Identity Manager


Intuitive Access Request
Request Catalog
Catalog items include Roles, Standard & Privileged Entitlements and Application Instances
Business context (display name, glossary descriptions, risk levels, owners, approvers, certifiers, etc.) is defined once in the catalog and reused across request, approval and certification
Automatic seeding and manual edits for keyword tags
Navigational / filter categories

Business User Friendly Patterns
Full text search with auto-tagging
Saved shopping cart (Request Profiles), bookmarks / quick-links
Saved catalog queries
Add request items and beneficiary users in any order

Shopping Cart Experience
Add access to the cart and then submit

Oracle Identity Manager


Intuitive Access Request
Request Tracking
Workflow Visualization in Tracking
Navigation from Request to Sub-Request to Provisioning status

Approvals
Email-folder-style inbox for approvals and manual provisioning; to be extended to certification in R2 Patchset 1
Priority queues and user-defined views to prioritize assigned tasks

Other Business User Focused Enhancements
Attachments with requests / approvals
Support for reassignment, delegation, escalations and reminders
Email approval: direct from email or deep-link to request details

Oracle Identity Manager


Intuitive Access Request
R2 Upgrade Considerations for OIM and SIM Customers
Users had to be trained to search for and request access, because no business glossary was associated with each access item. Users had to know up front how an access item was modeled in the target system; for example, a business user needed to know that the AD group granting expense-approval access lived in a specific AD instance.
Entitlements could only be requested by modifying accounts, which prevented entitlement-level certification. Customers worked around this with complex customizations that modeled each entitlement as a resource object.
There was no way to bundle and reuse commonly requested items.
Requests did not support comments or attachments.
Request tracking did not provide end-to-end visibility, resulting in increased help desk calls.

Oracle Identity Manager


Business Friendly User Interfaces
End users can personalize the Home Page by
changing the layout and adding/ removing
regions
End users can set their search, sort preferences,
save frequently used search filters
UI can be customized and re-skinned without
using any IDE and without coding
Access to features can be controlled using
security policies


Oracle Identity Manager


Business Friendly User Interfaces
[Annotated Home Page screenshot]
End-users can pick the regions they want
Change account passwords
Perform business functions without leaving the Home Page
Property editing without IDE or code
Use EL expressions for dynamic control over properties

Oracle Identity Manager


Extensible User Interfaces
[Screenshots: out-of-the-box user interface next to a customized user interface]

Oracle Identity Manager


Organization-scoped Security Model
Uses the standard ADF security model for functional security and OES best practices for data security.
Employs a consistent architecture for delegated administration of the entities managed in OIM, for example Roles, Organizations, Entitlements and Application Instances.
Lets the backend make the security decisions (who can request what, who can have what, who needs to go through approval, and so on). Because the checks live in the backend rather than only in the UI, the same rules protect the catalog-based request module and the converged UI and backend of self-service / delegated administration.
Supports an organization-level scoping mechanism for delegated administration and data security of the various entities.

Oracle Identity Manager


Organization-scoped Security Model
Function Security
OES policies control who can perform which actions.
Customers can change the OOB seeded security policies.
Actor checks happen in the UI; beneficiary checks happen in the back-end. Treat the UI-side actor check as a usability filter rather than the enforcement point: the back-end check is the one that holds for calls that bypass the UI.

Data Security
Who can perform actions on which data? Who can see what in the Catalog? Who can request for which beneficiary? Who is authorized to have which access?
Data is secured by publishing it to a set of organizations.
Admin Roles control which functions are allowed on data published to that organization.
Each of the Admin Roles pre-seeded in OIM maps one-to-one to an Application Role in Oracle Entitlements Server.
Application Roles have associated policies that govern which permissions are allowed for users who belong to the role.
Each entity has an Administrator, Authorizer and Viewer role, in addition to the Catalog Admin, System Admin and System Configurator admin roles.
Both publishing and delegation are organization hierarchy aware.
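Every decision in the organization-scoped model above is the conjunction of a functional check (does the actor's admin role permit the action on this entity type?) and a data check (is the entity published to an organization inside the actor's delegated scope, with publication and delegation both following the org hierarchy?). The Python model below is an added illustration and not Oracle's code or OIM's API: the org tree, the action names, the per-role permission sets and the sample grants are constructed assumptions, not OIM's seeded OES policies.

```python
"""Model of OIM 11gR2's organization-scoped security model (added illustration).

Entities (roles, entitlements, application instances) are published to
organizations, optionally with the whole sub-tree; admin roles are granted per
entity type and organization, optionally with the sub-tree; an authorization
decision combines a functional check (role permits action) with a data check
(target org is in the grant's scope and the entity is published there).
Org names, action names and permission sets are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed org tree as a child -> parent map; "Top" is the root.
ORG_PARENT = {
    "Top": None,
    "Finance": "Top",
    "Finance/AP": "Finance",
    "Engineering": "Top",
}


def is_within(org, scope_org):
    """True if org equals scope_org or lies anywhere below it in the hierarchy."""
    while org is not None:
        if org == scope_org:
            return True
        org = ORG_PARENT[org]
    return False


@dataclass(frozen=True)
class Publication:
    org: str
    include_hierarchy: bool  # publish to the whole sub-tree, not just this org


@dataclass
class Entity:
    name: str
    kind: str  # "Role", "Entitlement" or "ApplicationInstance"
    publications: list = field(default_factory=list)

    def is_published_to(self, org):
        """Data security: is this entity visible in `org`?"""
        return any(p.org == org or (p.include_hierarchy and is_within(org, p.org))
                   for p in self.publications)


# Functional security: the actions each per-entity admin role permits
# (assumed action names; mirrors the Administrator / Authorizer / Viewer split).
ROLE_PERMISSIONS = {
    "Administrator": {"view", "request", "grant", "modify", "delete"},
    "Authorizer":    {"view", "request", "grant"},   # direct grant, no approval
    "Viewer":        {"view", "request"},            # access only via request
}


@dataclass(frozen=True)
class AdminRoleGrant:
    entity_kind: str
    role: str
    org: str
    include_hierarchy: bool  # delegation covers the org's sub-tree too

    def covers(self, org):
        return org == self.org or (self.include_hierarchy and is_within(org, self.org))


def authorize(grants, action, entity, target_org):
    """May an actor holding `grants` perform `action` on `entity` for a
    beneficiary (or data) located in `target_org`?  Both checks must pass for
    at least one grant: functional (role permits the action on this entity
    type) and data (grant scope covers target_org and the entity is published
    there).  Fails closed on the data check before any role is consulted."""
    if not entity.is_published_to(target_org):
        return False
    return any(g.entity_kind == entity.kind
               and action in ROLE_PERMISSIONS[g.role]
               and g.covers(target_org)
               for g in grants)


def visible_catalog(entities, home_org):
    """Catalog visibility for a requester whose beneficiary sits in `home_org`."""
    return sorted(e.name for e in entities if e.is_published_to(home_org))


# Constructed sample data.
AP_APPROVER = Entity("AP Approver", "Entitlement",
                     [Publication("Finance", include_hierarchy=True)])
ENG_ADMIN = Entity("Engineering Admin", "Role",
                   [Publication("Engineering", include_hierarchy=False)])
CATALOG = [AP_APPROVER, ENG_ADMIN]

# A delegated administrator: Entitlement Viewer over the Finance sub-tree,
# Entitlement Authorizer over Finance only (no hierarchy).
FINANCE_DELEGATE = [
    AdminRoleGrant("Entitlement", "Viewer", "Finance", include_hierarchy=True),
    AdminRoleGrant("Entitlement", "Authorizer", "Finance", include_hierarchy=False),
]

if __name__ == "__main__":
    print(authorize(FINANCE_DELEGATE, "request", AP_APPROVER, "Finance/AP"))  # True
    print(authorize(FINANCE_DELEGATE, "grant", AP_APPROVER, "Finance/AP"))    # False
    print(authorize(FINANCE_DELEGATE, "grant", AP_APPROVER, "Finance"))       # True
    print(visible_catalog(CATALOG, "Finance/AP"))                             # ['AP Approver']
```

The two failure cases are the ones worth checking in a real deployment: an Authorizer delegated to Finance without the hierarchy flag cannot grant directly in Finance/AP even though the entitlement is published there, and nothing is requestable in an organization the entity was never published to, regardless of how powerful the actor's admin role is.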


Oracle Identity Manager


Enhanced Usability & Security
R2 Upgrade Considerations for OIM and SIM Customers
There was no user personalization feature that provided user-preferred content and experience.
UI customizations in OIM and SIM were extremely complex, requiring tweaking of OOTB pages, re-packaging, re-deploying or restarting production servers.
All such customizations were non-durable, making patching and upgrade a non-starter or a scary thought for many customers.
There was no way to stripe and control a set of access for a set of users, which made simple delegated administration use cases very complex to implement and non-scalable.

Oracle Identity Manager


Modern Tooling
Browser-based UI customization framework protects customizations across patches and upgrades
Eliminates XML editing and proprietary scripting

Single browser-based tool to:
Extend (add UDF) User, Role, Organization, Catalog and Application Instance entities
Once a UDF is added or deleted, the system automatically propagates the change to the other OIM metadata
Create request forms

Sandbox - single browser-based tool to:
Test customizations without impacting other users
Roll back or commit customizations
Move customizations from one environment to another

Oracle Identity Manager


Modern Tooling
Rules-driven workflows can be managed by business analysts
User, Role, Entitlement and Application information is available as business facts
Routing rules and approver selection can be expressed over those business facts

Single browser-based tool to:
Manage notification configuration
Manage routing rules
Manage approver resolution rules

Common connectors for provisioning, certification and privileged access
One connector to harvest the catalog, reconcile and provision standard and privileged accounts, load the OIA identity warehouse and perform closed-loop remediation
Connectors are also compatible with Sun Identity Manager provisioning functions

Oracle Identity Manager


Modern Tooling - Disconnected Application
A significantly streamlined browser-based application
on-boarding framework for manually fulfilled applications
Administrators can define forms with various attributes,
define entitlements and publish disconnected applications
without any coding or complex configuration steps
Reduction in the time needed to on-board a new
application - from days to a matter of few minutes
Manual provisioning tickets may be fulfilled in OIM itself


Oracle Identity Manager


Modern Tooling - Disconnected Application
Leverages the existing request approval framework
for manual provisioning routing and unified inbox for
pending approvals
Support for all actions that are supported for
approvals: reassign, suspend and complete
Supports both account and entitlement level request


Oracle Identity Manager


Modern Tooling
R2 Upgrade Considerations for OIM and SIM Customers
Disconnected application on-boarding took days, requiring manual creation and configuration of OIM artifacts.
SIM did not have disconnected application provisioning support and often required integration with external ticket management solutions like Remedy.
SIM customers needed resources specialized in its proprietary and complex XPRESS language to perform any customizations or configuration.
There was no way to centrally configure and manage schema extensions. Such extensions also required complex and non-durable UI customizations to decide the layout of the attributes on different pages.
There was no way to non-intrusively perform and test UI customizations before committing them to the environment. T2P (test-to-production) migration of such customizations was also complex.

Oracle Identity Manager


Modern Tooling
R2 Upgrade Considerations for OIM and SIM Customers
Changes to workflow or notification policies could not be done by business
policy owners and required developers intervention
There was no unified inbox that showed all pending tasks for the user
Privileged Access Management was often neglected or ignored during
deployments
Customers had to procure separate licenses for connectors to perform
provisioning and certification
Customers had to clone connectors for different instances of the target
system
There was no way to upgrade or uninstall existing connectors


Oracle Privileged Account Management


Privileged Accounts
Secure vault to centrally manage passwords for privileged and shared accounts
Targets include databases, operating systems and Oracle FMW applications
Multiple access points for OPAM users and administrators
Automatic password change using the Identity Connector Framework
Policy-based password check-out and check-in
Flexible usage policies
Customizable audit reports through BI Publisher, plus real-time status
Extension of Identity Governance: OIM and OIA integration for complete governance

Oracle Privileged Account Management


Simplified Password Check-out Process
[Screenshot walkthrough]

Summary
Complete, Comprehensive Solution

Identity self service for a personalized, business user friendly user experience
Extensible Access Catalog and Access cart for business user friendly access request
Support for intranet and extranet Identity Administration using an organization-scoped security model
Pre-integrated with Oracle Identity Analytics and Oracle Privileged Account Manager, providing a complete Governance Platform

Superior Solution Architecture
Browser-based customization and configuration
Upgrade-safe, browser-based UI customization
Simplified application onboarding framework supports rapid onboarding of manually fulfilled applications

Applications Integration
Integrated with all Oracle Applications Unlimited product lines
Identity admin service provider for Fusion Applications
Identity admin service provider for Oracle Public Cloud

Strategic Roadmap
Convergence of OIM and OIA for access certification
Convergence of developer friendly features from Oracle Waveset

Provisioning


Agenda - Provisioning
Concepts: Application Instance, Entitlement, Admin Roles, Catalog, Connected / Disconnected Application Instances & Entitlements, Account Types, Properties
High level flow - how it all fits together
On-boarding Application Instances and Entitlements
Catalog-based request for Application Instances & Entitlements, and the approval / provisioning / manual provisioning SOA task
Application Instance life cycle
Entitlement life cycle
Scheduled Jobs
Impact on other OIM features
Request status for Application Instances / Entitlements
Access Policy enhancements
Pre-upgrade guidelines for Provisioning

Concepts
Application Instance: an entity representing an actual target server instance; an abstraction over an IT Resource and a Resource Object.
Dependent App Instance: still based on a Resource Object.
Entitlement: a first-class entity representing a privilege in the target system.
Admin Roles: OOTB roles carrying permissions for specific operations on an entity.
Viewer: can see the entity and obtain it only via request and approval.
Administrator: manages (CRUD) the entity via the System Administration console.
Authorizer: can perform the operation directly, without request and approval.
Catalog: the collection of all requestable entities, namely Roles, Application Instances and Entitlements.
Disconnected Application Instance / Entitlements: any system for which no OOTB connector is available, e.g. a laptop, cellphone, badge, or any custom application. No Design Console is needed for disconnected Application Instances and Entitlements.

Concepts
Publishing an App Instance / Entitlement to an Org
Makes it available to requesters in that organization.

Account type
primary: the very first provisioned account. Entitlements are initially associated with the primary account.
other: every account other than the primary and service accounts.
service: an account marked as a service account. A service account cannot be a primary account.

Process form-field properties
ITResource = true (on a process form with multiple ITResourceLookup fields, marks the one that identifies the target instance)
Entitlement = true (on a child form, marks the field as an entitlement)
AccountName = true (the unique attribute on the process form that is shown as the account name)
AccountDiscriminator = true (the column that uniquely identifies a resource instance when several are provisioned for the same resource)

Form: the UI construct needed to supply request data.
Sandbox: defines the logical start and end point for a UI customization.

High level flow - How it all fits together?

On-boarding Application Instance

Connected Application Instance
  Import connector.
  Tag properties ITResource = true and AccountName = true on the process form; tag Entitlement = true in the child process form.
  Create Sandbox.
  Create Application Instance (automatically gets created after the first recon or Access Policy based provisioning); describe it.
  Create Form and associate it to the Application Instance.
  Onboard Entitlements:
    Run Lookup recon scheduled job.
    Run Entitlement Synch scheduled job.
  Publish Application Instance (and its entitlements) to Organization.
  Run Catalog Synchronization job.

On-boarding Application Instance

Disconnected Application Instance
  Create Sandbox.
  Create Application Instance (check "disconnected").
  Create Form and associate it to the Application Instance.
  Publish Application Instance to Organization.
  Run Catalog Synchronization job.
  OIM artifacts are created behind the scenes.
  Customize the request form for further UI cosmetic changes or to add new attributes.
  Enrich the catalog entry for the disconnected app instance or entitlements to assign fulfillment responsibility.
  Enhance the fulfillment composite to model task assignment rules based on application metadata and compliance objectives.

On-boarding Entitlements

Connected Entitlements
  Import connector.
  Tag Entitlement = true in the child process form.
  Run Lookup Reconciliation Job.
  Run Entitlement List Job.
  Run Catalog Synchronization Job.
  Publish all Entitlements to Organization.

Disconnected Entitlements
  Create Child form using the UI.
  Add a field of type Lookup.
  Populate the lookup manually or by using flat-file based lookup recon (covered in Lab 16).
  Run Entitlement List Job.
  Run Catalog Synchronization Job.

Adding Entitlement via UI

Catalog Based Request

Entitlement Provisioning

Manual Provisioning Task

Manual Provisioning Task Configuration

Application Instance Life Cycle

Entitlement Life Cycle

Schedule Jobs

Lookup Reconciliation Task: populates the Lookup.
  Target System -> LKU/LKV -> ENT_LIST (if marked Entitlement=true)
Entitlement List: populates Entitlements.
  LKV -> ENT_LIST -> CATALOG
Catalog Synchronization Job: populates the catalog.
  ENT_LIST -> CATALOG
  APP_INSTANCE -> CATALOG
Entitlement Assignments: populates Provisioned Entitlements.
  UD_CHILD -> ENT_ASSIGN (for upgrade)
Entitlement Post Delete Processing Job: entitlement life cycle (on deletion, impact on the catalog and on provisioned entitlements).
Application Instance Post Delete Processing Job: app instance life cycle (on deletion, impact on the catalog and on provisioned accounts).
Update Accounts With App Instance Job:
  Creates the App Instance based on ITResource + Resource Object.
  Updates accounts that do not have an app instance associated to them.

Impact on other OIM Features

Access Policy
  Mandatory to populate the ITResource field in the AP default data.
  Mandatory to create an App Instance for ITRes + Res (Update Accounts With App Instance Job).
Catalog
  Needs periodic harvesting of Entitlements/App Instances to include newly created entities in the catalog and remove soft-deleted entities from it.
Reconciliation
  No functional change in the Recon engine.
  Associates ApplicationInstance & OIU_TYPE to accounts provisioned via target reconciliation.
GTC
  Target recon via GTC passes the ITResource via the Scheduled Task.

Impact on OIM Features

Deployment Manager
  Changes to export application instances.
Connectors (no mandatory impact; the new properties can be leveraged optionally)
  New properties: AccountDiscriminator=true, AccountName=true, ITResource=true, Entitlement=true.
  The Entitlement values populated in the lookup tables are of the format ITRESKEY~ENTCODE.
OIM-OIA integration: No functional changes.
SOD Integration: No functional changes.
Reports: No functional changes.
Audit: No functional change in the Audit engine.
Bulk load: No functional changes.

Special Request Status related to Fulfillment (Provisioning)

Post Operation Processing Initiated: After operation-level approval is done. (This is the R2 status.)
Approval Complete Fulfillment Pending: In case of a disconnected app instance/entitlement, after approval is completed the manual provisioning task is yet to be completed. (This is the post-R2 status.)
Approval Complete Fulfillment Rejected: After operation-level approval is done, the manual provisioning task is Rejected.
Request Fulfillment Failed: When provisioning fails.
Request Fulfillment Failed After Max Retry: When provisioning fails after the Rejected provisioning task has been retried the max. number of times.
Mention the top request status.

Access Policy: RNLA/DNLA

Accounts provisioned via an AP will either be Revoked or Disabled if the policy ceases to apply, i.e. they will no longer be in the Provisioned state in any case.
Flags in the AP definition:
  RNLA: Revoke if No Longer Applies (marks OIU_REVOKE = 1)
  DNLA: Disable if No Longer Applies (marks OIU_REVOKE = 2)
If more than one policy applies, one with Revoke and the other with Disable, then Disable takes precedence, i.e. OIU_REVOKE = 2.
Entitlements (child data) are always revoked (for both the Disable and the Revoke case).
If the policy applies again, accounts in the Disabled state are Enabled rather than provisioning a new account.
If the AP is with Approval, a Request is only created for Access Policy Based Provisioning (and not for the Disable, Enable or Revoke action).
Anything that is not RNLA will become DNLA as part of the upgrade.
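The evaluation rules above, worked through as an added Python example (not code from the deck or from OIM itself): a small model that applies the RNLA/DNLA precedence, the child-data revocation and the re-enable behaviour to an AP-provisioned account. The policy and entitlement names are constructed, and the status strings are this example's own labels rather than OIM table values.

```python
from dataclasses import dataclass
from typing import Dict, Set

# OIU_REVOKE values as given on the slide.
OIU_REVOKE_RNLA = 1  # Revoke if No Longer Applies
OIU_REVOKE_DNLA = 2  # Disable if No Longer Applies


@dataclass
class AccessPolicy:
    name: str
    rnla: bool  # False = DNLA; the upgrade maps every non-RNLA policy to DNLA


@dataclass
class Account:
    provisioned_by: Set[str]     # names of the APs that granted this account
    entitlements: Set[str]       # child data granted with the account
    status: str = "Provisioned"  # Provisioned | Disabled | Revoked (example labels)
    oiu_revoke: int = 0


def evaluate_account(account: Account, policies: Dict[str, AccessPolicy],
                     applying: Set[str]) -> Account:
    """Re-evaluate one AP-provisioned account against the set of policies that
    currently apply to its owner, the way the scheduled evaluation task would.
    Mutates and returns the same Account."""
    if account.provisioned_by & applying:
        # At least one granting policy still (or again) applies. A Disabled
        # account is simply re-enabled; no new account is provisioned.
        # Child data that was already revoked is not re-added here.
        if account.status == "Disabled":
            account.status = "Provisioned"
            account.oiu_revoke = 0
        return account

    # Every granting policy has lapsed: the account cannot stay Provisioned.
    lapsed = [policies[name] for name in account.provisioned_by]
    if any(not p.rnla for p in lapsed):
        # Disable wins over Revoke when both flag kinds are present.
        account.oiu_revoke = OIU_REVOKE_DNLA
        account.status = "Disabled"
    else:
        account.oiu_revoke = OIU_REVOKE_RNLA
        account.status = "Revoked"
    # Entitlements (child data) are revoked in both cases.
    account.entitlements.clear()
    return account


# Constructed sample: two policies granted the same account, one RNLA, one DNLA.
POLICIES = {
    "AP-Finance": AccessPolicy("AP-Finance", rnla=True),
    "AP-Staff": AccessPolicy("AP-Staff", rnla=False),
}


def demo_both_lapse() -> Account:
    """Neither policy applies any more: Disable takes precedence."""
    acct = Account({"AP-Finance", "AP-Staff"}, {"GL_READ", "AP_POST"})
    return evaluate_account(acct, POLICIES, applying=set())


def demo_rnla_only_lapses() -> Account:
    """Only an RNLA policy granted the account: it is revoked."""
    acct = Account({"AP-Finance"}, {"GL_READ"})
    return evaluate_account(acct, POLICIES, applying=set())


def demo_reapply_after_disable() -> Account:
    """A lapsed policy applies again: the Disabled account is re-enabled."""
    acct = demo_both_lapse()  # now Disabled with oiu_revoke = 2
    return evaluate_account(acct, POLICIES, applying={"AP-Staff"})
```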


Access Policy Evaluation Only Via Schedule Task
90

Pre-Upgrade guidelines for Provisioning

AccountName=true: the Account login field on the parent form.
Every RO should have an ITResource (except GTC).
ITResource=true (for an RO with multiple ITRes fields on the process form).
Entitlements in the lookup (LKV) must have the ITRes key prefixed to the encoded values using ~ (tilde). Ex - 14~CN=AITTAA0,DC=abc,DC=com.
Entitlement=true: Entitlement fields in the child tables.
The field marked Entitlement=true should be the same as the key attribute for the child data in the reconciliation field mapping.
The AP must have the ITRes field populated with a default value.
AP with RNLA unchecked = DNLA in R2.
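An added Python check, not from the deck or from the connector framework, for the ITRESKEY~ENTCODE guideline above: it parses LKV encoded values, flags those without a numeric ITRes key prefix and rewrites them. Apart from the slide's own 14~CN=AITTAA0,DC=abc,DC=com, the sample values are constructed.

```python
from typing import List, NamedTuple, Optional


class EntitlementValue(NamedTuple):
    itres_key: int   # IT Resource key, the part before the first '~'
    ent_code: str    # encoded entitlement value as known to the target


def parse_lkv_value(encoded: str) -> Optional[EntitlementValue]:
    """Parse an LKV encoded value in the ITRESKEY~ENTCODE form.
    Only the first '~' is the separator, so an entitlement code that itself
    contains '~' is preserved. Returns None when the value is not in the form
    (no separator, empty code, or a key that is not a number)."""
    key, sep, code = encoded.partition("~")
    if not sep or not key.isdigit() or not code:
        return None
    return EntitlementValue(int(key), code)


def find_values_needing_prefix(encoded_values: List[str]) -> List[str]:
    """Pre-upgrade check: every LKV value that fails to parse must be
    rewritten with its ITRes key prefix before moving to R2."""
    return [v for v in encoded_values if parse_lkv_value(v) is None]


def add_prefix(itres_key: int, ent_code: str) -> str:
    """Rewrite a bare entitlement code into the R2 form for the given IT Resource.
    Refuses codes that are empty or already carry a valid prefix, so a second
    run over the same lookup cannot double-prefix values."""
    if not ent_code or parse_lkv_value(ent_code) is not None:
        raise ValueError("code is empty or already carries an ITRes key prefix")
    return f"{itres_key}~{ent_code}"


# Constructed sample lookup values (the first one is the slide's own example).
SAMPLE_LKV_VALUES = [
    "14~CN=AITTAA0,DC=abc,DC=com",
    "14~CN=Ops~Team,DC=abc,DC=com",   # '~' inside the code itself: still valid
    "CN=NoPrefix,DC=abc,DC=com",      # missing key: flagged
    "AD~CN=BadKey,DC=abc,DC=com",     # non-numeric key: flagged
]
```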


Access Request

Agenda - Access Request

Catalog Configuration
Approval Workflow Configuration
What's new in R2 Access Request

Catalog Configuration

Harvesting
  Base Entity creation
    Role - Create, describe
    App instance - Create, describe
    Entitlement
      Have the app instance created for the underlying IT resource
      Ensure the form properties are set - Entitlement = true
      Connector lookup recon, bring in the LKU
      ENT synch job
      Navigate to the app instance, open entitlements and describe
  Catalog Harvesting
    Role - automatic
    App instance, entitlement - Catalog synch scheduled task
  Approval workflow configured
  Start using the request engine

Catalog Configuration

Extend Catalog
  Add a UDF on the catalog form using the form designer
  UI customization of the catalog page, add the field
Data Enrichment (empowers tagged searches, filtering by category, risk flagged by colors)
  Manual - catalog admin role. Edit the Category, Audit Objective, Risk Level and User Defined Tags attributes. Name, display name and Description come from the base entity.
  Bulk - check the IT resource key, prepare a CSV, run catalog synch (metadata mode)
  API
Configure Security
  Publish the catalog (base entities) to the respective organizations
    Roles
    Application Instances (with or without Entitlements)
    Specific Entitlements

Approval Workflow Configuration

Same SOA based technology for both scenarios
  Request Approval
  Disconnected resource fulfillment
Best Practices adoption
  "Generic" composite: model the "business process" irrespective of "IT facts" (Active Directory, EBS, Database).
  Approvals driven by "compliance objectives" and "data ownership", leveraging the enriched catalog metadata - Risk level, audit objective, approver, manual.
  Business agility - Business analysts can edit the approval workflow logic without development/IT involvement/redevelopment/redeployment.
Effectively leveraging open standards & SOA technology - Web services, XSDs, WS-Security, Business rules.
  Request Web service (reqsvc)
  XSDs - User, Role, Org, Request (request and general request), App Instance, Entitlement, Resource, Account, Catalog item, Fault data
  WSDL - Operations to get data for all the above mentioned entities in the same data structure as defined by the XSD files
  Secured by default with the username token policy; exposes a CSF key to clients.

Approval Workflow Configuration

0. Add the WSDL and XSDs of the request web service to the project. Also add the BusinessRule XSD, which has the data structure defined to capture details of the actual approval/human task that should get invoked.
1. Partner link to the OIM Request web service, client side security configurations.
2. Assign activity, for setting the request web service URL on the partner link.
3. The OIM request payload sent to SOA carries basic request + catalog data. Assign activity to take the request key from the payload and pass it to the Invoke Request Details operation.
4. The Invoke Request Details operation calls the OIM request web service through the partner link and gets ALL possible Request data (RequestData).
5. Assign activity to take the Catalog entity key and entity type from the request data and pass them to the Invoke Catalog Details operation.
6. The Invoke Catalog Details operation calls the OIM request web service through the partner link and gets ALL possible Catalog entity data (CatalogData).
7. Assign activity to take ALL possible Catalog entity data (CatalogData) and assign it to the global variable "catalogData".
8. Create variable "workflowStage", datatype StageOutput (BusinessRules xsd).

Approval Workflow Configuration

9. Create a business rule, "workflow selection", and have the following conditions modeled in it. Input is variable "catalogData" and output is variable "workflowStage".
   IF catalog item == ROLE AND risk == 3 (low)
   THEN stageType = Auto
   IF catalog item != ROLE AND risk == 3 (low)
   THEN stageType = Manager
   IF risk == 5 (medium)
   THEN stageType = Parallel (Beneficiary Manager (User) || Audit Review Team (Role))
   IF risk == 7 (High)
   THEN stageType = Serial (Beneficiary Manager (User), then Audit Review Team (Role))

Approval Workflow Configuration

10. Switch activity after the business rule for workflow selection - conditions a) Manager, b) Parallel and c) Serial approval. The conditions are met based on the StageOutput received from the business rule.
11. Add a Human task for each condition
    11.1 Set task params
    11.2 Actionable notification, escalation, reminders
    11.3 Parameterized task details
    11.4 Add stages to the Human task based on the desired logic.
    11.5 In each stage, connect it to a business rule, which should read: IF (any task) THEN CORRESPONDING APPROVER (user)
12. Define source values for the task parameters, using what we have from the payload
13. Set the identification key as the request ID
14. Map the output to the response.
15. Deploy the workflow
16. Create Approval policies (IT details agnostic), with no logic in the rules; use them as a dummy connection between OIM and the SOA Composite

Access Request - What's new in R2?

Empowered by the catalog, support for multiple first class entities
Request Lifecycle & Heterogeneous requests
Adoption of a unified Security Model
SOA Tasklist (taskflow) adoption in the Task assignment UI - Unified Inbox
Edit Approval workflows via browser - using Composer
Approval Policy enhancements
Request editing capability for approvers
Request Profiles

New entities exposed on Access Request UI

End users can access the catalog to raise requests for:
  Roles
  Application Instances
  Entitlements
Can be extended in future to any other entity managed within the Access Catalog, e.g. Application Roles.

Changes to Request Types

New request types:
  Provision Application Instance
  Revoke Account
  Delete Account
  Disable Account
  Provision Entitlement
  Revoke Entitlement
  Heterogeneous request

Changes to Request Types (contd)

Deprecated request types:
  All Self related request types (except Self-registration).
  All Resource related request types.

Request Lifecycle

An operation performed by a user may or may not require approvals, based on his/her access permissions.
Bulk operations always require approval(s).
Operations performed by Entity Authorizers do not require approvals.
A future effective date requires approval.
Request dataset management through the form designer.

Heterogeneous requests

Request access for heterogeneous entities (any of ApplicationInstance/Entitlement/Role) in one go.
An account in the Target is required before requesting access to the Target's Entitlements.
A heterogeneous request is split into individual request types after Request level approval.
Eg: If a user requests access to an ApplicationInstance & an Entitlement, after Request level approval it would be split into child requests of types Provision ApplicationInstance and Provision Entitlement.

Heterogeneous requests (contd)

Adoption of a Unified Security Model

Unlike 11gR1, R2 introduces a request engine leveraging the same OES based security architecture used by the other modules of OIM.
<Entity> Viewer Admin Role members and Org members: can access the catalog and request published entities; approval gets kicked off.
<Entity> Authorizer/Administrator Admin Role members: request access for <Entity>, no approval.

SOA Tasklist adoption in Task assignment UI - Unified Inbox

OIM 11gR2 directly renders in its UI:
  SOA Tasklist UI with tasks (requests) listed, with the available actions in a dropdown.
  SOA Taskflow with a complete graphical display of the approval path.
The same tasklist UI is used for both scenarios:
  Request Approval
  Manual fulfillment of disconnected application access
File attachments can be added to the request:
  The requestor can do it after request submission
  The approver can do the same

Editing Approval workflows in the browser - Using Composer

Edit the workflow using the SOA Composer UI
  Any approval workflow human task's basic information can be edited:
    Assignment and Routing policy
    Escalation/Reminder policy
    Notification: attach at a new stage, edit existing, change recipient, change format, make actionable, attachments, secure
If the approval workflow uses Business Rules, even the logic can be updated, both the IF conditions and the THEN assertions!

Approval Policy enhancements

Auto-registration of Approval processes/SOA composites during approval policy creation - eases SOA composite/workflow registration.
Support for new request types:
  Provision Entitlement
  Revoke Entitlement
  Heterogeneous request (only at Request level)
Rules can be created based on Catalog metadata (say, Item Risk).

Request Profiles

It's a saved cart, containing related entities and, optionally, form data for the entities.
Can be used to raise Access requests only.
Created by Catalog Administrators and accessible to all users.
Pros:
- Simplified Access request creation for end users.
- Re-usability of saved carts.
- Avoids human errors while filling in form data.

Request Editing Capability

Approvers can edit any field in the form data.
  Addition/removal of target users/entities is not allowed.
  The approver-only property has been deprecated.
  Entitlement data cannot be modified.
  Request data is re-validated before the changes are persisted.

Some useful tips for executing the labs smoothly

Read Getting Started carefully.
Kill your social awareness outside the training room: do not run Outlook, messengers, Facebook etc., and give more RAM to the VM.
For running each lab, only run the bare minimum processes required to run that lab.

Labs for Day 1

Lab 1
  What is installed where, how to run server processes and launch IDEs/tools, deploy assets.
Lab 2
  Install connector, create app instance, extend the form schema, execute lookup recon for gathering entitlements, create automated provisioning configuration (Access Policies + Role membership rules).
Lab 3
  Generic/IT application agnostic, compliance objectives driven approval workflow and manual fulfillment SOA composite - development and deployment. Output composites are already available in the VM.
Day 2 - Lab 4
  Base entity updates, Catalog harvesting, extension, manual/bulk enrichment, security, catalog UI customization, Access request scenarios (using the composite developed in Lab 3).

Security

Agenda - Security

OIM Authorization using OES
Admin Roles
Entity Publication
Enhanced Security architecture
Authorization Policy Enforcement points
Functional placement and use cases
Updating OOTB Authorization Policies
Understanding the OOTB Authorization Policies
Authorization Use-cases

OIM Authorization using OES

(Architecture diagram) End User -> initiates a policy-protected action -> Oracle Identity Manager, whose Authorization Service acts as the PEP -> Oracle Entitlement Server Authorization Engine (PDP). OES reads the OES Policy Repository; OIM User/Role/Org data lives in the OIM Database repository. All components run in the WebLogic container.

Enhanced Security Architecture

Overview
  Standard ADF security model for functional security, and OES best practices for data security.
  Consistent architecture:
    Supports delegated administration of roles, organizations, entitlements, application instances, and LDAP groups.
    Lets the backend make the various security decisions, for example who can request what, who can have what, and who needs to go through approval. Facilitates the security of the catalog-based request module and of the converged UI and backend of self service and delegated administration.
  Scoping mechanism for delegated administration and data security of the various entities. All entities are scoped by the organization structure.

Architecture - R2 Security Model: Admin Role Memberships & Publication
119

Admin Roles

The new authorization model works on the basis of admin role assignment to a user.
New admin roles cannot be added. Admin roles cannot be created, updated, deleted or requested.
Admin Roles: System-Wide/Global - assigned in the scope of the Top org only.
  Catalog Administrator Role: Manage catalog metadata and request profiles.
  System Administrator Role: All permissions, no approval required.
  System Configurator Role: All permissions on system configuration, no approval required.
  SPML Administrator Role: Manage SPML request related operations.
Admin Roles: Assigned in the scope of Organizations - any org including Top.
  [Entity] Admin Role: Can manage the entire lifecycle of the entity and perform any operation on the entity.
  [Entity] Authorizer Role: Can view the entity in the catalog or request profiles and request it, but does not require approval.
  [Entity] Viewer Role: Required to view the entity in the UI.

Admin Roles

Admin role membership organization scoping is hierarchy-aware, and can be cascaded downwards to the child organizations.
Admin role membership is always given in an organization scope, and can only be assigned by the System Administrator or System Configuration Administrator.
Inherent permissions: The organization of which a user is a member is referred to as the Home organization for that user. A user has certain implicit permissions on the entities available to the Home organization.
Management hierarchy: If User A is the manager of User B and User C, then User A has implicit permissions on User B and User C, even if User B and User C are in different organizations. User A does not need explicit privileges on the direct reports, irrespective of which organization the direct reports belong to.
Each admin role in Oracle Identity Manager has a one-to-one mapping to an application role in OES.
The application roles have associated policies that govern what permissions are allowed for users who belong to the role. To change the functional and data constraints on these policies, you must open the respective policy in the Authorization Policy Management (APM) UI in OES and modify the policy.
The basic-info permission gives permission only to view/search the given entity.

Admin Roles (contd)

Top Org: Global Admin Roles are only available in the context of the TOP org.
Non Top Org: Only scoped Admin Roles are available.

Admin Roles (contd)

Admin Role                                   | Display Name                        | Description
OrclOIMSystemAdministrator **                | System Administrator                | OIM System Administrator Role with all privileges
OrclOIMSystemConfigurator **                 | System Configuration Administrator  | Role with privileges to configure the OIM application
OrclOIMCatalogAdmin **                       | Catalog System Administrator        | Role can administer all the catalog items
OrclOIMRoleAdministrator                     | Role Administrator                  | Role can manage all assigned enterprise roles
OrclOIMRoleAuthorizer                        | Role Authorizer                     | Role can authorize assigned enterprise roles
OrclOIMRoleViewer                            | Role Viewer                         | Role can view assigned enterprise roles
OrclOIMEntitlementAdministrator              | Entitlement Administrator           | Entitlement administrator
OrclOIMEntitlementAuthorizer                 | Entitlement Authorizer              | Entitlement authorizer
OrclOIMEntitlementViewer                     | Entitlement Viewer                  | Role can view assigned entitlements
OrclOIMApplicationInstanceAdministratorRole  | Application Instance Administrator  | Role can manage assigned application instances
OrclOIMApplicationInstanceAuthorizerRole     | Application Instance Authorizer     | Role with authorizations on assigned application instances
OrclOIMApplicationInstanceViewerRole         | Application Instance Viewer         | Role can view assigned application instances
OrclOIMOrgAdministrator                      | Organization Administrator          | Role can manage assigned organizations
OrclOIMOrgViewer                             | Organization Viewer                 | Role can view assigned organizations
OrclOIMUserAdmin                             | User Administrator                  | Role can manage an assigned set of users
OrclOIMUserHelpDesk                          | HelpDesk                            | HelpDesk to manage users
OrclOIMUserViewer                            | User Viewer                         | Role can view assigned user records
OrclOIMSPMLAdmin **                          | SPML Admin                          | SPML Admin to manage SPML

** denotes the Global Admin roles

Enhanced Security Architecture

Admin Roles for User Entity

User Admin - Function Security:
  Create User
  Delete User
  Get user in search results
  View User (requires attribute-level security)
  Modify User attributes (includes updating the organization attribute of a user in Standard Edition). Requires attribute-level security
  Enable User
  Disable User
  Unlock User
  Change User Password
  Change Password in Application Instance
  Grant/Revoke Roles
  Provision/Deprovision/Modify/Enable/Disable Application Instances
  Grant/Revoke Entitlements

Helpdesk Admin - Function Security:
  Get user in search results
  View User (requires attribute-level security)
  Enable User
  Disable User
  Unlock User
  Change User Password
  Change Password in Application Instance

User Viewer - Function Security:
  Create User through Request
  Delete User through Request
  Get user in search results
  View User (requires attribute-level security)
  Modify User attributes (includes updating the organization attribute of a user) through Request. Requires attribute-level security
  Enable User through Request
  Disable User through Request
  Grant/Revoke Roles through Request
  Provision/Deprovision/Modify/Enable/Disable Application Instances through Request
  Grant/Revoke Entitlements through Request

Any and All Users (any OIM user; "All Users" is not a role):
  Self Modify user profile
  Self Change Passwords/Challenge Questions
  Raise Request for self

Scoping Rules (User Admin, Helpdesk Admin, User Viewer):
  1) I can perform the functions (given in Function Security) on users that are in the orgs that I am allowed to manage.
  2) I can only perform the functions on user attributes for which I have access.
Scoping Rules (Any and All Users): for self only.

Enhanced Security Architecture

Admin Roles for Role Entity

Role Admin - Function Security:
  Create Role
  View Role
  Update Role attributes
  Delete Role
  View Role Members
  Create Role Category
  Update Role Category
  Delete Role Category
  Manage Role Hierarchy
  Publish role to a set of organizations (in this context, data security applies)
Role Admin - Scoping Rules:
  1) I can publish the role to the orgs that I am allowed to manage
  2) I can manage the Roles that are published to my org
  3) I can manage the Roles that are published to org(s) that I can manage

Role Viewer - Function Security:
  View Role in search results
  View role attributes
  Request Role grant/revoke for users
Role Viewer - Scoping Rules:
  I can perform functions on Roles that have been published to orgs that I am allowed to manage

Role Authorizer - Function Security:
  View Role in search results
  View role attributes
  View Role Members
  Request Role grant/revoke for users
  No approval needed
Role Authorizer - Scoping Rules:
  I can perform functions on Roles that have been published to orgs that I am allowed to manage

Enhanced Security Architecture

Admin Roles for Organization Entity

Organization Admin - Function Security:
  Create Organization
  View and Manage (Update) Organization attributes
  Delete Organization
  All Role Admin Privileges for Admin Roles.
  Update Organization Hierarchy (for a specific organization)
  Update organization attributes (of a specific organization)
Organization Admin - Scoping Rules:
  I can perform functions on organizations that I am allowed to manage

Organization Viewer - Function Security:
  Get organization in search results
  View organization and organization attributes
Organization Viewer - Scoping Rules:
  I can perform functions on organizations that I am allowed to manage

Enhanced Security Architecture

Admin Roles for Entitlement Entity

Entitlement Admin - Function Security:
  Publish Entitlements available to a set of organizations (in this context, data security applies)
  View Entitlement Members
Entitlement Admin - Scoping Rules:
  1) I can publish the Entitlements to the orgs that I am allowed to manage
  2) I can manage the entitlements that are published to org(s) that I can manage

Entitlement Authorizer - Function Security:
  View Entitlement in search results
  View Entitlement attributes
  View Entitlement Members
  Request Entitlement grant/revoke for users
  No approval needed
Entitlement Authorizer - Scoping Rules:
  I can perform functions on entitlements that have been published to org(s) that I am allowed to manage

Entitlement Viewer - Function Security:
  View Entitlement in search results
  View Entitlement attributes
  Request Entitlement grant/revoke for users
Entitlement Viewer - Scoping Rules:
  I can perform functions on entitlements that have been published to org(s) that I am allowed to manage

Enhanced Security Architecture

Admin Roles for Application Instance & Catalog Entities

Application Instance Authorizer - Function Security:
  View Application Instance in search results
  View Application Instance attributes (excluding passwords)
  Request to provision an account in the Application Instance
  Request to de-provision an account in the Application Instance
  Request to modify an account in the Application Instance
  Request to enable an account in the Application Instance
  Request to disable an account in the Application Instance
  View accounts
  No approval needed
Application Instance Authorizer - Scoping Rules:
  I can perform functions on Application Instances that have been published to orgs that I am allowed to manage

Application Instance Viewer - Function Security:
  View Application Instance in search results
  View Application Instance attributes (excluding passwords)
  Request to provision an account in the Application Instance
  Request to de-provision an account in the Application Instance
  Request to modify an account in the Application Instance
  Request to enable an account in the Application Instance
  Request to disable an account in the Application Instance
Application Instance Viewer - Scoping Rules:
  I can perform functions on Application Instances that have been published to orgs that I am allowed to manage

Application Instance Admin - Function Security:
  Create Application Instance
  Create Resource Object
  Modify Application Instance
  Modify Resource Object
  Delete Application Instance
  Delete Resource Object
  View accounts
  Publish Application Instance to a set of organizations (in this context, data security applies)
Application Instance Admin - Scoping Rules:
  1) I can publish the Application Instance to the orgs that I am allowed to manage
  2) I can manage the Application Instances that are published to org(s) that I can manage

Catalog Admin - Function Security:
  Edit Catalog metadata
  Create Request Profiles
  Modify Request Profiles
  Delete Request Profiles

Admin Role Memberships

Admin role membership defines the relationship between a user and an admin role in the context of an org.
Admin role memberships are hierarchy aware, which means that a user having an admin role at a parent org can also act with the same admin role in the child orgs if the hierarchy flag is set to true.
Can be viewed from the context of an org OR from the context of a user.

Admin Role Membership Entity Lifecycle

(State diagram) NonExistent --Create--> Active; Active --Modify--> Active; Active --Delete--> Deleted.

Creating Admin Role Memberships

(Screenshot walkthrough) Click Assign. 1. Search User. 2. Select & click Add (the user appears under Selected). 3. Click Add. Result: Role Admin assigned to User FOO.

View Admin Role Memberships

(Screenshots) From Org context; From User context.

Entity Publication

Publication is the way of making an entity available to an org.
Role, App Instance, and Entitlement can be published by the respective administrators from the entity details screen.
Publication is hierarchy aware, so an entity can be made visible to child orgs too, even though it is actually published to the parent org.
Auto Publish: When an entity administrator creates an entity, that entity is automatically made available to all the organizations for which the administrator has the entity admin role. For example, when a user with the Role Administrator privilege creates an enterprise role, the newly created role is automatically made available to all the organizations on which the user is the Role Administrator.
Publishes dependent data too: The publishing service also supports publishing of dependent data (like the entitlements of an app instance) when the parent entity is published.

Entity Publication - Organization scoping

Organization in OIM will ONLY be used for security purposes. It is NOT an enterprise organization, nor an LDAP organizational unit or organization.
Data security using organization scoping uses the following principle:
  Data is secured by confining its availability to a set of organizations (Publishing).
  A user is assigned permissions over an organization by assigning an admin role in that organization scope (Delegation/Delegated admins).
  If the organization where the user has a set of permissions and the organization where the entity is published match, then the user is allowed to perform operations as per the user's admin roles.
  Both publishing and admin role memberships are organization hierarchy aware.

(Diagram) The user's admin-role memberships in organizations overlap with the entities available in organizations.

Oracle Confidential Do Not Distribute

134

Publication Entity Lifecycle

Publication lifecycle (state diagram): NonExistent --Create--> Active; Active --Modify--> Active; Active --Delete--> Deleted.

Please note: the lifecycle of a publication entity is separate from the lifecycle of the actual entity (such as a role). However, when the entity is deleted, its publications are deleted as well.

135

Add Entity Publications

Create a Role

Since the role was created by System Admin, it got auto-published to Top Org.

To manually publish, click Assign, then:
1. Search Org
2. Select & click Add (the organization appears under Selected)
3. Click Ok

Result: Role published to org.

136

View Entity Publications

From Org context


From Entity context


137

DB Objects - Entity Publication


138

DB Objects - Admin Role/ Membership


139

Enhanced Security Architecture

Security Policies for Function & Data
Who can request what from the catalog?
Who can request for which beneficiaries?
Who is authorized to have what?
Actor checks in the UI and beneficiary checks in the back-end.

Approval Workflows: separate from security policies
Which requests need manual approval and which are auto-approved?
Who all need to approve the request?

140

Enhanced Security Architecture

Function Security
Who can perform what actions?
Tool: OES/APM
Customizable: customers can change the OOB seeded security policies

Data Security
Who can perform actions on what data?
Tool: OIM Admin Role Assignment
Data Scoping
Data is secured by publishing it to a set of orgs
Admin Roles are assigned in the scope of an organization
Users with admin roles in an org can perform allowed functions on data published to that org
Both publishing and delegation are organization hierarchy aware

141

Enhanced Security Architecture


Functional Security

The OIM Self Service console has ADF security enabled, which means that access to all task flows and page definitions is governed by the ADF security policies defined in the JAZN file.
All OOTB OIM task flows must be protected by defining them as a resource and adding them to the JAZN file with the appropriate permissions for application roles. There are two special roles, authenticated-user and anonymous-user.
If the logged-in user does not have permission to perform an action according to his admin roles, the action (menu, button, or link) is either disabled or not visible to the user in the UI. This is enforced using EL expressions in the ADF UI. As an example, to check whether the user has permission to create a user, the EL expression is as follows:
<af:commandNavigationItem rendered="#{oimuser.create.allowed}" />

142

Enhanced Security Architecture


Attribute Security

Attribute-level security is implemented only for user attributes.

All the authorization policies are configured to show all the attributes of a user.
To restrict the list of attributes that can be viewed by the User Viewer role, or the list of attributes that can be viewed and edited by User Admin roles, include the attributes to be restricted in the deny attribute list of the respective policy in the OES APM UI.
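An added illustration of the deny-attribute-list mechanism just described, written for this page and not Oracle's OES/APM code: each policy starts from all attributes of the user, the deny list subtracts from what the role may view (User Viewer) or view and edit (User Admin), and the System Administrator, which the deck notes has no authorization policies, is allowed everything. The policy contents, the attribute names and the sample user record are constructed for the example.

```python
"""Added model of attribute-level security for user attributes (not OIM code).

Every policy starts by exposing all attributes of a user; a deny attribute
list removes attributes from what the policy's role may view (User Viewer) or
view and edit (User Admin).  The System Administrator has no policy and is
allowed everything.  Policy contents and attribute names are constructed.
"""
from typing import Dict, Set

# Constructed policies keyed by admin role: the actions the role may perform
# and the attributes removed from its allowed set (the deny attribute list).
POLICIES = {
    "User Viewer": {"actions": {"view"}, "deny": {"SSN", "Salary"}},
    "User Admin": {"actions": {"view", "modify"}, "deny": {"SSN"}},
}

# Constructed sample user record; the values carry no meaning.
SAMPLE_USER = {
    "User Login": "jdoe",
    "Department": "Sales",
    "SSN": "000-00-0000",
    "Salary": "0",
}


class Denied(Exception):
    """Raised when an action or attribute is not permitted for the role."""


def allowed_attributes(admin_role: str, attrs: Set[str], action: str) -> Set[str]:
    """Subset of attrs the role may use for the given action."""
    if admin_role == "System Administrator":      # no policy: everything allowed
        return set(attrs)
    policy = POLICIES.get(admin_role)
    if policy is None or action not in policy["actions"]:
        raise Denied(f"{admin_role} may not {action} users")
    return set(attrs) - policy["deny"]


def view_user(admin_role: str, user_record: Dict[str, str]) -> Dict[str, str]:
    """Copy of the record with the role's denied attributes removed."""
    visible = allowed_attributes(admin_role, set(user_record), "view")
    return {k: v for k, v in user_record.items() if k in visible}


def modify_user(admin_role: str, user_record: Dict[str, str],
                changes: Dict[str, str]) -> Dict[str, str]:
    """Updated copy; rejected if any changed attribute is on the deny list."""
    editable = allowed_attributes(admin_role, set(changes), "modify")
    blocked = sorted(set(changes) - editable)
    if blocked:
        raise Denied(f"{admin_role} may not modify {blocked}")
    updated = dict(user_record)
    updated.update(changes)
    return updated


def is_denied(fn, *args) -> bool:
    """True if fn(*args) is rejected by the policy."""
    try:
        fn(*args)
    except Denied:
        return True
    return False


if __name__ == "__main__":
    for role in ("User Viewer", "User Admin", "System Administrator"):
        print(role, "sees", sorted(view_user(role, SAMPLE_USER)))
    print("User Admin editing SSN denied:",
          is_denied(modify_user, "User Admin", SAMPLE_USER, {"SSN": "1"}))
```

The deny list is applied on the server side of the model, not by hiding fields, so a modify request that names a denied attribute is rejected whatever the UI showed.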


143

Authorization Policy Management UI (APM)

OIM Authorization Policy - Concepts:


Principal
Obligation
Condition
Permission


144

Authorization Policy Enforcement Points

User Management
Role Management
Organization Management
Application Instance
Entitlement
Entity Configuration
Reconciliation Management
Scheduler
Approval Policy Management
Notification Management
System Properties
Diagnostic Dashboard
Plug In Framework
Authenticated User Self Service


145

Authorization Policies for User management

Policies for the management hierarchy
Policies for peer permissioning (Home Org)
Policies for authenticated self-service
Policies for admin roles (User Admin, User Viewer, SPML-Admin & HelpDesk)
Policies for basic-info related permissions and for the request context
Deny policy for the System-Config role, except for view & search

146

Authorization Policies for User management

Management Hierarchy


147

Authorization Policies for User management

Home Org (peer permissioning)

148

Authorization Policies for User management

Authenticated Self Service


149

Authorization Policies for Role management

Policies for peer permissioning (Home Org)
Policies on the basis of the assignment
Policies for admin roles (Role Admin, Role Viewer, SPML-Admin, Catalog-Admin & Role Authorizer)
Policies for basic-info related permissions and for the request context
Deny policy for the System-Config role, except for view & search

150

Authorization Policies for Organization management

Policies for peer permissioning (Home Org)
Policies for admin roles (Org Admin, Org Viewer)
Policies for basic-info related permissions
Deny policy for the System-Config role, except for view & search

151

Authorization Policies for Entitlement management

Policies for peer permissioning (Home Org)
Policies on the basis of the assignment
Policies for admin roles (Entitlement Admin, Entitlement Viewer, Catalog-Admin & Entitlement Authorizer)
Policies for basic-info related permissions and for the request context
Deny policy for the System-Config role, except for view & search

152

Authorization Policies for Application Instance management

Policies for peer permissioning (Home Org)
Policies on the basis of the assignment
Policies for admin roles (AppInstance Admin, AppInstance Viewer, Catalog-Admin & AppInstance Authorizer)
Policies for basic-info related permissions and for the request context
Deny policy for the System-Config role, except for view & search

153

Authorization Policies defined for the System Configurator

Various policies are defined for the System Configurator; they do not have any data scoping for Scheduler, Notification, and so on.

Note: there are no authorization policies defined for the System Administrator role; all actions are allowed for a user having the system admin role.

154

Authorization Use Cases

Helpdesk community
Can only reset passwords on various accounts
Can lock/unlock & disable/enable a user
Role Authorizers can request roles as a direct operation, while for a Role Viewer it is a request operation
End users can request role grants published to their Home Organization
Organization Admins can create sub-organizations only if they are admins with includehierarchy set to true
Managers can search for their reports and raise requests for role grants
Organization Viewers can only search and view organizations
Role Administrators can publish roles to organizations
Demonstrate organization-based scoping
Publishing entities to an organization (with/without hierarchy)
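The organization-scoping rule stated on the Entity Publication and Enhanced Security Architecture slides (entities published to organizations, admin roles assigned in organization scope, both hierarchy aware) together with the Organization Admin includehierarchy use case above, worked as an added Python model. This is illustration code written for this page, not Oracle's OIM implementation; the organizations, users, admin-role names and entity names are constructed sample data, and the hierarchy flag on publications and memberships is modelled as a simple boolean.

```python
"""Added model of OIM-style organization scoping (not OIM code).

Both admin-role memberships and entity publications are organization
hierarchy aware: a membership or publication made with includeHierarchy
also applies to all child organizations.  A user may act on an entity only
if some organization lies both in the user's admin-role scope and in the set
of organizations the entity is published to.  Organization names, users,
roles and entities below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Org:
    name: str
    parent: Optional[str] = None    # None marks the top organization


@dataclass
class Publication:
    entity: str                      # e.g. an enterprise role name
    org: str                         # organization it is published to
    include_hierarchy: bool = False  # also visible in child organizations


@dataclass
class AdminMembership:
    user: str
    admin_role: str                  # e.g. "Role Administrator"
    org: str                         # organization scope of the admin role
    include_hierarchy: bool = False  # scope also covers child organizations


@dataclass
class Scoping:
    orgs: Dict[str, Org] = field(default_factory=dict)
    publications: List[Publication] = field(default_factory=list)
    memberships: List[AdminMembership] = field(default_factory=list)

    def ancestors(self, org_name: str) -> List[str]:
        """org_name itself followed by its parent chain up to the top org."""
        chain, cur = [], org_name
        while cur is not None:
            chain.append(cur)
            cur = self.orgs[cur].parent
        return chain

    def _covers(self, scope_org: str, include_hierarchy: bool, target: str) -> bool:
        """True if a scope rooted at scope_org reaches the target organization."""
        if scope_org == target:
            return True
        return include_hierarchy and scope_org in self.ancestors(target)[1:]

    def orgs_where_published(self, entity: str) -> Set[str]:
        """Organizations in which the entity is available, hierarchy expanded."""
        return {o for o in self.orgs for p in self.publications
                if p.entity == entity and self._covers(p.org, p.include_hierarchy, o)}

    def orgs_where_admin(self, user: str, admin_role: str) -> Set[str]:
        """Organizations in which the user holds the given admin role."""
        return {o for o in self.orgs for m in self.memberships
                if m.user == user and m.admin_role == admin_role
                and self._covers(m.org, m.include_hierarchy, o)}

    def can_manage(self, user: str, admin_role: str, entity: str) -> bool:
        """Data-security rule: admin scope and publication set must overlap."""
        return bool(self.orgs_where_admin(user, admin_role)
                    & self.orgs_where_published(entity))

    def can_create_sub_org(self, user: str, parent_org: str) -> bool:
        """Organization Administrator may create sub-orgs only when the
        membership covering the parent has includeHierarchy set to true."""
        return any(m.user == user
                   and m.admin_role == "Organization Administrator"
                   and m.include_hierarchy
                   and self._covers(m.org, True, parent_org)
                   for m in self.memberships)


def build_sample() -> Scoping:
    """Constructed sample: Top -> Sales -> Sales-EMEA, Top -> Suppliers."""
    s = Scoping()
    for o in (Org("Top"), Org("Sales", "Top"), Org("Sales-EMEA", "Sales"),
              Org("Suppliers", "Top")):
        s.orgs[o.name] = o
    s.publications += [
        Publication("Sales Approver", "Sales", include_hierarchy=True),
        Publication("Vendor Portal", "Suppliers"),
        Publication("HR Viewer", "Top"),          # top org only, no hierarchy
    ]
    s.memberships += [
        AdminMembership("alice", "Role Administrator", "Sales-EMEA"),
        AdminMembership("bob", "Role Administrator", "Top", include_hierarchy=True),
        AdminMembership("carol", "Organization Administrator", "Sales"),
        AdminMembership("dave", "Organization Administrator", "Sales", include_hierarchy=True),
    ]
    return s


if __name__ == "__main__":
    s = build_sample()
    for user, entity in (("alice", "Sales Approver"), ("alice", "HR Viewer"),
                         ("bob", "HR Viewer")):
        print(user, entity, s.can_manage(user, "Role Administrator", entity))
    print("carol sub-org under Sales:", s.can_create_sub_org("carol", "Sales"))
    print("dave sub-org under Sales-EMEA:", s.can_create_sub_org("dave", "Sales-EMEA"))
```

Two points the sample makes visible: a publication to Top without hierarchy ("HR Viewer") is not reachable from an admin whose scope is a child org, and an admin membership without hierarchy ("carol") gives no right to create sub-organizations even in the org it is assigned to.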


155

UI Customization


156

Agenda UI Customization
OIM UI Applications Deployment Topology
Customization Scenarios
Personalization
WebCenter and Web Composer
Sandbox


157

Deployment topology: upgrade safe!

158

Customization Scenarios
Personalization
Customizations at run time, done in the browser itself, activated without restarting the server
Seeded Customizations: adding task flows, changing the skin; deploy and restart

159

Personalization
Rearrange sections in home page, add, delete them
Saved Searches
Personalized View of search results table


160

Web Composer

Customize

SANDBOX

Publish


161

Sandbox
Activate
Deactivate
Publish
CLOSE ALL OPEN TABS

Recovery strategy 1: take an MDS backup, so that you can restore the previous state again
Follow the instructions to revert the changes made by a sandbox

Export
Before publishing

Import
Conflict Management

View/Modify Sandbox content

Avoid multiple user sessions interacting with the same sandbox
If multiple users are working on different sandboxes, do not work on the same objects

162

Customizations @ runtime using Web Composer

Change Logo and Banner
Change the x*x dimensions for ANYTHING
Change the font color and background color for ANYTHING
Add/Remove fields/buttons/links/table columns/menu items of any UI type, edit their labels, change their positions, show/hide them always or based on a condition (EL)
And a lot more!

163

Customizations @ runtime using Web Composer


Handling UDFs


164

Customizations @ runtime using Web Composer

Handling UDFs

Choose the right Data Component while adding the display of an OIM User UDF on a User Management page:
Create User, Modify User: Catalog
View/Search User: Manage User
My Information, Registration: their own data component

165

Customizations @ runtime using Web Composer

Handling UDFs

Internationalization

1. Create custom Resource Bundle files in the WAR
2. Make an entry with the right format:
CUSTOMRB_BANNER_TEXT=My Identity and Access
3. Redeploy the WAR and restart
4. Navigate to the page through Web Composer, access the right UI field and, instead of a static label, use an expression to refer to the internationalized value:
#{adfBundle['oracle.iam.ui.custom.CustomResourceBundle'].CUSTOMRB_BANNER_TEXT}

166

Customizations @ runtime using Web Composer


Deciding display of fields on conditional logic (Expression Language)


167

Customizations @ runtime using Web Composer

Deciding display of fields on conditional logic

Use Expression Language (EL)

OOTB EL available in:

User Context
#{oimcontext.currentUser.adminRoles['OrclOIMSystemAdministrator'] != null}
#{oimcontext.currentUser['ATTRIBUTE_NAME']}
Many more

RequestForm Context
#{pageFlowScope.requestFormContext.requestEntityType == 'APP_INSTANCE'}
#{pageFlowScope.requestFormContext.beneficiaryIds}
Many more

http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/uicust.htm#BABHBFGH

168

Customizations @ runtime using Web Composer

Deciding display of fields on conditional logic

Show Request Profiles conditionally

To display a request profile called Profile only to users of the Suppliers organization, and to display any other profile to all users, use the following expression:

#{(row.profileName == 'Profile' && oimcontext.currentUser['Organization Name'] == 'Suppliers') || row.profileName != 'Profile'}

169

Customizations @ runtime using Web Composer

Adding Inline Help

Addresses the requirement of showing tooltip text for UI fields:
Add the entry in the relevant Resource Bundle (RB)
Edit the UI object in Composer; in the Components dialog box, provide the content (RB key) in the Help Topic ID field

170

Customizations @ runtime using Web Composer


Challenge Questions

Edit Lookup code Lookup.WebClient.Questions


Steps to be followed in Web Composer


171

Seeded Customizations

Changing Skin
Using ADF data validations
Adding custom Help topics
Building a custom ADF taskflow
Adding one more custom region to the home page
Creating an external link


172

Seeded Customizations
Developing Managed Beans
Showing components conditionally: show the Contact Information panel on the Create User page only when the User Type is Full-Time Employee

Cascading LOVs: based on the selected value in the User Type list on the Create User page, you might want to display the Job Code list or another LOV component whose list of values depends on the currently selected value in the User Type list.

Form pre-population based on a condition: pre-populate values in the User Login and E-mail fields on the Create User page based on the values of the First Name and Last Name fields

Setting fields as mandatory based on a condition: make the Manager field on the Create User page mandatory only if the User Type is Intern

Form data validation: OOTB ADF validation, custom validations (e.g. Start Date cannot be after End Date)

173

Improvements in Customizations LCM and Infrastructure

174

LCM Improvements
One example: developing an event handler.
Deployment and un-deployment using the OIM Customization Installer
Not a part of the product; asset available on OTN
Create a connection to the OIM managed server and the OIM MDS database
Deploy
Undeploy
Option to deploy it using the Plugin registration utility. No separate deployment of the event handler XML using MDS utilities is required.
Verify the deployment using Enterprise Manager
Navigate to the relevant form and query using the Entity and Orchestration name.
Traverse the ordered list of event handlers and verify that your handler is in it.
Export using the improved Deployment Manager
Exports EVERYTHING, not only the metadata

175

Overall LCM


176

Notification Engine Improvements

The OIM Notification engine uses SOA UMS
Develop a Notification Event, if required
Configure the Notification template in OIM
Make the SOA Notification configuration in Enterprise Manager
Option to route the notification back to the OIM notification engine
Configure the Email Server IT resource.
Change the setting in EM to direct notifications to the OIM notification provider.

177

Upgrade from R1 to R2
Pre-upgrade Analysis
What will get upgraded, what will not, etc. Run the reports.

Pre-upgrade checklist
Take backups: database, middleware home, domain

Download R2 bits for WLS, SOA, IAM

Software Upgrade, using the downloaded bits
Schema Creation
Run RCU to create the OES/OPSS schema, its MDS schema and the APM schema.

Extend the domain for the DB-based Policy store
Datasource creation
Policy store re-association from the PS1 file store to the R2 DB store

Schema Upgrade
From the IAM home, run the Patchset Assistant (PSA) to upgrade the schemas of all IAM products (OIM, OAM etc.). Choose to upgrade the database schema of the OIM PS1 DB user and other schemas like MDS, SOA etc.

178

Upgrade from R1 to R2
Middleware Upgrade: the Admin and SOA servers should be running, but not OIM. Run the standalone OIM Upgrade script (OIM's homegrown script), which upgrades the middleware and the OIM domain: the MDS schema plus the domain configurations. This step logs its execution to an HTML report.

SOA composites get deployed

Domain-level configurations (new EARs deployed, old EARs redeployed)

OIM Data Migration to cover feature-level transformations

Feature Upgrade reports are generated

Verification
Restart all servers (even this carries out a lot of important upgrade steps, like populating more policies into the DB policy store). This step also logs its execution to an HTML report.
Navigate to the relevant directory and check all reports to verify the upgrade and find errors, if any, in order to plan manual remediation.

Post-Upgrade steps: Catalog Sync, UI customizations etc.

Propagate all nodes to clusters: take the domain from the upgraded environment (machine1), pack it and unpack it to all other nodes of the cluster. The domain footprint will already be present on all the nodes, as it was an existing PS1 environment, but it gets updated as part of the unpack.

179

Oracle Identity Manager Roadmap

1HCY2012:
- OIM 11g R2
- Business User friendly Experience
- Simplified Customization
- Integrated with OIA for closed loop governance
- Integrated with OPAM for Privileged Account Governance

1HCY2013:
OIM R2 PS1
- WebSphere Certification
- Common Data Model for Access Request and Certification

2HCY2013:
OIM R2 PS2
- Oracle Identity Manager XE
- Connector Attribute Mapping
- Hierarchical Attribute Description
- Complete Accessibility

180