Oracle Identity Manager Administration

Oracle Identity Manager: Administration, Volume I, Student Guide, D46308GC10, Edition 1.0, January 2007, D48930


Oracle Identity Manager: Administration, Electronic Presentation

D46308GC10, Edition 1.0, January 2007, D48932


Copyright © 2007, Oracle. All rights reserved.

Disclaimer

This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS

The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Authors

Robert La Vallie

Technical Contributors and Reviewers

John Aisien

Rhonda Bassett

Mary Bryksa

Eugene Choi

Usha George

Rohit M Gupta

Susan Jang

Pavana Jain

Nishant Kaushik

Ed King

Svetlana Kolomeyskaya

Su Lim

Bruce Lowenthal

Todd Morrissette

Naga Nagarajan

Holger Dindler Rasmussen

Vickie Reed

Stanislav Sadykov

Mohit Singh

Adam Skaffloth

Jayanthan Thomas

Trent Watkins

Editors

Richard Wallis

Daniel Milne

Graphic Designer

Steve Elwood

Satish Bettegowda

Publisher

Jobi Varghese


Introduction


Course Objectives

After completing this course, you should be able to:

• Explain Oracle Identity Manager and its role in identity management

• Identify the three tiers and components of the Oracle Identity Manager architecture

• List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning

• Describe how Oracle Identity Manager handles reconciliation and provisioning


• Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions

• List the components that this connector must have

• Explain the steps that need to be completed to build an Oracle Identity Manager connector

• Prepare a predefined database for Oracle Identity Manager

• Install and deploy your Oracle Identity Manager Diagnostic Dashboard


• Use the dashboard tool to verify that Oracle Database is prepared properly and that Oracle Identity Manager can connect to it

• Install the Oracle Identity Manager Server

• Install the Oracle Identity Manager Design Console

• Perform postinstallation tasks for the Oracle Identity Manager Server and Design Console

• Use the Diagnostic Dashboard to verify that Oracle Identity Manager is loaded and configured properly

• Launch the Oracle Identity Manager Server

• Start the two Oracle Identity Manager consoles (the Administrative Console and the Design Console)


• Differentiate between the two consoles

• Explain the links in the Administrative Console

• Explain the three types of Oracle Identity Manager users: system administrators, administrators of Oracle Identity Manager connectors, and end users

• Discuss the entities of which an Oracle Identity Manager user can be a member (that is, organizations and user groups)

• Differentiate between an organization and a user group

• Create records for an organization, the three types of Oracle Identity Manager users, and a user group


• Assign an Oracle Identity Manager user to a user group

• Explain the following:

– How administrators view and modify their profiles in Oracle Identity Manager

– How administrators change their challenge questions and, as a result, reset their passwords

– What a proxy is

– How administrators assign, modify, and remove proxies

– How administrators see the resources that are provisioned to them

– How administrators see requests that are initiated by them and requests that require their approval


• Identify resources and Oracle Identity Manager connectors

• Explain how Oracle Identity Manager connectors differ from resources

• Discuss the three ways that a connector can be assigned to an Oracle Identity Manager user

• See how an administrator of an Oracle Identity Manager connector can view a graphical representation of a provisioning workflow

• Analyze what approval processes are and how they affect a provisioning workflow

• Identify the key features of autoprovisioning


• Discuss other day-two provisioning functions that an administrator of an Oracle Identity Manager connector can perform. These functions include:

– Temporarily deactivating an end user’s account with a resource

– Reinstating an end user’s account

– Modifying the password of an end user’s account

– Permanently revoking the access rights that an end user has with the resource

• Identify the two levels of customization for the Oracle Identity Manager Administrative Console

• Modify the look and feel of the console (that is, brand it)


• Change the functionality of the console without modifying the Oracle Identity Manager code

• Explain why the code should never be changed

• Describe the benefits of transferring Oracle Identity Manager connectors from one environment to another

• Identify the different ways that connectors can be transported between environments

• Explain how to export a connector

• Discuss how to import a different connector and configure it so that it is operable in your environment


• Identify the two types of reports that an administrator can create for Oracle Identity Manager users: operational reports and historical reports

• Differentiate between these two types of reports

• List the different operational and historical reports that are available with Oracle Identity Manager

• Discuss additional reports that can be created using a third-party tool (such as Oracle Discoverer)

• Create operational and historical reports with the Oracle Identity Manager Administrative Console


• Define attestation and attestation processes, including the fundamental components of an attestation process

• Describe the types of users who analyze, create, and manage attestation processes

• Identify the types of data that can be attested

• Discuss the different ways that attestation processes can be executed (that is, the schedule for attestation processes)

• Explain the workflow of an attestation process from beginning to end

• Configure your Oracle Identity Manager environment so that it can handle attestation processes


• Create an attestation process by using the Oracle Identity Manager Administrative Console

• Access the Administrative Console as a reviewer and act on an attestation process that is assigned to you: certify it, decline it, reject it, or delegate it to another reviewer

• Access this console as a process owner and view information about the attestation process, including its status (certified, rejected, declined, or delegated to another reviewer)

• Troubleshoot Oracle Identity Manager


Course Units

This course is divided into the following units:

1. Product Overview

2. Installing, Configuring, and Launching Oracle Identity Manager

3. Managing Users, User Entities, and Resources

4. Modifying the Oracle Identity Manager Administrative Console

5. Deploying Resources

6. Constructing Reports

7. Using Attestation

8. Performing Advanced Functions with Oracle Identity Manager


Unit 1: Product Overview

This unit has a single lesson titled “Understanding Oracle Identity Manager.”


Unit 2: Installing, Configuring, and Launching Oracle Identity Manager

This unit comprises the following lessons:

• Installing and Configuring Oracle Identity Manager

• Starting and Understanding Oracle Identity Manager’s Consoles


Unit 3: Managing Users, User Entities, and Resources

This unit comprises the following lessons:

• Managing Users and User Entities

• Assigning Oracle Identity Manager Connectors to Users

• Provisioning Resources to Users


Unit 4: Modifying the Oracle Identity Manager Administrative Console

This unit has a single lesson titled “Customizing the Oracle Identity Manager Administrative Console.”


Unit 5: Deploying Resources

This unit has a single lesson titled “Transferring Oracle Identity Manager Connectors.”


Unit 6: Constructing Reports

This unit has a single lesson titled “Creating Reports.”


Unit 7: Using Attestation

This unit comprises the following lessons:

• Understanding Attestation

• Creating, Managing, and Reviewing Attestation Processes


Unit 8: Performing Advanced Functions with Oracle Identity Manager

This unit has a single lesson titled “Troubleshooting Oracle Identity Manager.”


Summary

In this introductory lesson, you should have learned about the course units and lessons.


Understanding Oracle Identity Manager


Objectives

After completing this lesson, you should be able to:

• Explain Oracle Identity Manager and its role in identity management

• Identify the three tiers and components of the Oracle Identity Manager architecture

• List the key features of Oracle Identity Manager with respect to identity management: Reconciliation and provisioning

• Describe how Oracle Identity Manager handles reconciliation and provisioning


• Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions

• List the components that this connector must have

• Explain the steps that need to be completed to build an Oracle Identity Manager connector


Oracle Identity Manager

Oracle Identity Manager is an application that handles and selectively automates tasks that manage a user’s access privileges. Such tasks include:

• Creating access privileges to resources for users

• Modifying these privileges dynamically based on changes to user and business requirements

• Removing these access privileges from users


Oracle Identity Manager Architecture

The architecture for Oracle Identity Manager:

• Is based on a Java 2 Enterprise Edition (J2EE) environment

• Separates the platform’s Presentation, Server, and Data & Enterprise Integration tiers

• Enables the creation of n levels of layers


Oracle Identity Manager Architecture: Advantages

The advantages of this architecture include:

• Scalability

• Flexibility

• Variety


Oracle Identity Manager Architecture: Tiers

The Oracle Identity Manager architecture has three tiers:

• Presentation tier

• Server tier

• Data & Enterprise Integration tier


Tier 1: Presentation Tier

The Presentation tier of Oracle Identity Manager has two layers:

• Presentation layer

– Two consoles for Oracle Identity Manager: Administrative Console and Design Console

• Dynamic Presentation Logic layer

– Logic for generating dynamic pages for the Administrative Console by using JSPs, Java Servlets, XML, and JavaBeans


Tier 2: Server Tier

• The Server tier of Oracle Identity Manager is the interface between the Presentation and Data & Enterprise Integration tiers.

• The application server for Oracle Identity Manager:

– Resides in the Server tier

– Provides the life-cycle management, security, deployment, and run-time services to the logical components that support Oracle Identity Manager


The Server tier of Oracle Identity Manager supports:

• Clustering

• Load balancing

• Security management

• Scheduling


Tier 3: Data & Enterprise Integration Tier

The Data & Enterprise Integration tier of Oracle Identity Manager has two layers:

• Data Access layer

– Layer that has the components that Oracle Identity Manager needs to communicate with its database

• Back-end Database layer

– Layer where the database resides


The Back-end Database layer leverages the following capabilities:

• Clustering

• Standby database

• Replication


Reconciliation and Provisioning: Overview

• Reconciliation is the process by which Oracle Identity Manager receives information from an external resource.

• Provisioning is the process by which Oracle Identity Manager sends information to a target resource.

• By using reconciliation and provisioning, Oracle Identity Manager can perform the following actions:

– Create a user record in a resource

– Modify the privileges that the user has with the resource

– Remove the user record from the resource


Reconciliation: Types

There are two types of reconciliation that Oracle Identity Manager performs:

• Trusted source reconciliation

• Targeted resource reconciliation


Reconciliation: Events

Oracle Identity Manager can perform three types of reconciliation events with an external resource:

• Reconciliation Insert

• Reconciliation Update

• Reconciliation Delete
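
How the three event types can arise when an external resource's current records are compared with the records the identity store already holds, as an added example that is not Oracle Identity Manager code or part of the course material. The matching key (`login`), the record layout, the sample data, and the names `ReconEvent` and `classify_reconciliation_events` are assumptions made for illustration.

```python
"""Illustrative model of reconciliation events (not Oracle Identity Manager code).

Assumption: reconciliation compares the records currently present in an
external resource with the records the identity store already knows about,
matches them on a unique key, and raises one event per difference.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ReconEvent:
    kind: str      # "Insert", "Update" or "Delete"
    key: str       # normalized matching key (here: login name)
    changes: dict  # attribute -> (known value, value in the resource)


def _index(records, key):
    """Index records by normalized key; refuse ambiguous input."""
    indexed = {}
    for rec in records:
        k = rec[key].strip().lower()
        if k in indexed:
            # Two records for one identity cannot be matched safely.
            raise ValueError(f"duplicate key in input: {k!r}")
        indexed[k] = rec
    return indexed


def _diff(old, new, key):
    """Return attribute -> (old, new) for every attribute that differs."""
    changes = {}
    for attr in sorted((old.keys() | new.keys()) - {key}):
        if old.get(attr) != new.get(attr):
            changes[attr] = (old.get(attr), new.get(attr))
    return changes


def classify_reconciliation_events(resource_records, known_records, key="login"):
    """Return the events that bring known_records in line with the resource."""
    resource = _index(resource_records, key)
    known = _index(known_records, key)
    events = []

    # In the resource but unknown to the identity store: Reconciliation Insert.
    for k in sorted(resource.keys() - known.keys()):
        changes = {a: (None, v) for a, v in resource[k].items() if a != key}
        events.append(ReconEvent("Insert", k, changes))

    # Known on both sides with differing attributes: Reconciliation Update.
    for k in sorted(resource.keys() & known.keys()):
        changes = _diff(known[k], resource[k], key)
        if changes:
            events.append(ReconEvent("Update", k, changes))

    # Known to the identity store but gone from the resource: Reconciliation Delete.
    for k in sorted(known.keys() - resource.keys()):
        events.append(ReconEvent("Delete", k, {}))
    return events


# Constructed sample data: a corporate directory acting as the external
# resource, and the user records the identity store currently holds.
SAMPLE_DIRECTORY = [
    {"login": "ajones", "department": "Finance", "status": "active"},
    {"login": "BSmith", "department": "Sales", "status": "active"},
    {"login": "cwu", "department": "IT", "status": "active"},
]
SAMPLE_KNOWN = [
    {"login": "bsmith", "department": "Marketing", "status": "active"},
    {"login": "cwu", "department": "IT", "status": "active"},
    {"login": "dlee", "department": "HR", "status": "active"},
]

if __name__ == "__main__":
    for event in classify_reconciliation_events(SAMPLE_DIRECTORY, SAMPLE_KNOWN):
        print(event.kind, event.key, event.changes)
```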


Provisioning: Types

There are two types of provisioning that Oracle Identity Manager performs:

• Day-one provisioning

– Initial creation of access privileges to resources for users

– Removal of these privileges from users

• Day-two provisioning

– Dynamic modification of user privileges with resources, based on changes to user and business requirements


Trusted Source Reconciliation: Conceptual Diagram

Via provisioning and reconciliation, Oracle Identity Manager can build an accurate picture of the user identities that it manages in both a trusted source and a target resource.

[Diagram: reconciliation flow and provisioning flow between the administrator, the end user, the trusted source (for example, a corporate directory), and the target resource (for example, an Oracle database).]


Targeted Resource Reconciliation: Conceptual Diagram

Via provisioning and reconciliation, Oracle Identity Manager can build an accurate picture of the user identities it manages in both a trusted source and a target resource.

[Diagram: reconciliation flow and provisioning flow between the end user, the administrator, the trusted source (for example, a corporate directory), and the target resource (for example, an Oracle database).]


Oracle Identity Manager Connector: Overview

An Oracle Identity Manager connector is a container that holds all of the information that Oracle Identity Manager needs to:

• Reconcile with an external resource

• Provision a user with a target resource


Oracle Identity Manager Connector: Components

A connector must have the following seven components:

• IT resource type

• IT resource

• Process form

• Process task adapter

• Resource object

• Provisioning process

• Process task


Constructing an Oracle Identity Manager Connector: Step 1

[Diagram: connector components so far: IT resource type (step 1).]

Create an IT resource type. This record represents the classification type, parameter fields, and encryption settings that are associated with a resource.


This screenshot illustrates an IT resource type for an Oracle database. There is a one-to-one relationship between the IT resource type and the connector. That is, each connector should have only one IT resource type.


Constructing an Oracle Identity Manager Connector: Step 2

[Diagram: connector components so far: IT resource type, IT resource (step 2).]

Define an IT resource. This record contains the values that Oracle Identity Manager needs to communicate with a resource and access it as a system administrator (for provisioning or reconciliation purposes).


This screenshot illustrates an IT resource for an Oracle database. There is a one-to-one relationship between the IT resource and the system, service, or application that it represents. If you have four resources, you would thus have four IT resources.


Constructing an Oracle Identity Manager Connector: Step 3

[Diagram: connector components so far: IT resource type, IT resource, custom process form (step 3).]

Create a custom process form. This record is a central housing mechanism that holds everything that Oracle Identity Manager needs to either provision a user to a target resource or reconcile a user with an external resource.


This screenshot illustrates a custom process form for an Oracle database.


Constructing an Oracle Identity Manager Connector: Step 4

[Diagram: connector components so far: IT resource type, IT resource, custom process form, process task adapter (step 4).]

Build a process task adapter. This piece of Java code is used by Oracle Identity Manager to automate the completion of a provisioning process task.


A process task adapter automates the creation of a user’s account in an Oracle database. There is a one-to-one relationship between the adapter and a process task: each task can be associated with only one adapter.


Constructing an Oracle Identity Manager Connector: Step 5

Define a resource object. This record is a virtual representation of a resource and contains everything needed to either provision a user to that resource or reconcile a user with it.

[Diagram: connector components so far: IT resource type, IT resource, custom process form, process task adapter, resource object (step 5).]


Example of a resource object for an Oracle database


Constructing an Oracle Identity Manager Connector: Step 6

Create a provisioning process. This record contains the steps that Oracle Identity Manager must complete to perform provisioning or reconciliation with a particular resource.

[Diagram: connector components so far: IT resource type, IT resource, custom process form, process task adapter, resource object, provisioning process (step 6).]


There is a 1-to-1 relationship between a provisioning process and the workflow that it represents. If you have two resource-related workflows, you should have two processes.


Constructing an Oracle Identity Manager Connector: Step 7

Create a process task.

[Diagram: connector components so far: IT resource type, IT resource, custom process form, process task adapter, resource object, provisioning process, process task (step 7).]


Example of a process task that Oracle Identity Manager uses to create a user’s account in an Oracle database


Constructing an Oracle Identity Manager Connector: Step 8

Attach the process task adapter to the process task.

[Diagram: all seven connector components, with the process task adapter attached to the process task (step 8).]


Example of a process task adapter being connected to a process task to create a user’s account in an Oracle database


Summary

In this lesson, you should have learned how to:

• Describe Oracle Identity Manager and its role in identity management

• Explain the three tiers and components of the Oracle Identity Manager architecture

• List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning

• Explain how Oracle Identity Manager handles reconciliation and provisioning


• Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions

• List the components that this connector must have

• Explain the steps that need to be completed to build an Oracle Identity Manager connector



Installing and Configuring Oracle Identity Manager


Objectives

After completing this lesson, you should be able to:

• Prepare a predefined database for Oracle Identity Manager

• Install and deploy your Oracle Identity Manager Diagnostic Dashboard

• Use the dashboard tool to verify that your Oracle database is prepared properly and that Oracle Identity Manager can connect to it

• Install the Oracle Identity Manager Server

• Install the Oracle Identity Manager Design Console

• Perform postinstallation tasks for the Oracle Identity Manager Server and Design Console


• Use the Diagnostic Dashboard to verify that Oracle Identity Manager is loaded and configured properly


Preparing a Database for Oracle Identity Manager

Oracle Identity Manager requires a database. To use Oracle Database, you must:

• Install Oracle Database

• Create a database instance

• Prepare this database


With the prepare_xl_db.bat script, administrators can prepare a database for Oracle Identity Manager.

E:\OIM901_Installation\installServer\Xellerate\db\oracle> prepare_xl_db.bat train91 E:\orant\ora92 sysadm sysadm train91tbs E:\orant\ora92\oradata train91tbs_01 TEMP sys


Oracle Identity Manager Diagnostic Dashboard (Preinstallation)

The Oracle Identity Manager Diagnostic Dashboard is a Web application that can be used to check the preinstallation requirements for Oracle Identity Manager.

These requirements include whether:

• An Oracle database is created and prepared properly

• Oracle Identity Manager can establish a connection to this database


Launching the Oracle Identity Manager Diagnostic Dashboard

To launch this tool, enter the appropriate URL in the Address field.


Using the Oracle Identity Manager Diagnostic Dashboard (Preinstallation)

To use this tool, select the check boxes for the tests that you want to perform, enter the test parameters (where applicable), and click Verify.


Using the Oracle Identity Manager Diagnostic Dashboard (Preinstallation)

[Screenshot labels: Test passed, Test failed]


Installing the Oracle Identity Manager Server

The following slides illustrate how to install the Oracle Identity Manager Server. You must install this server on the same machine that is running the JBoss application server.


Installing the Oracle Identity Manager Server: Steps 1–4

Select “Oracle Identity Manager with Audit and Compliance module” to use the attestation features for audit and compliance purposes.


Installing the Oracle Identity Manager Server: Steps 5–6

Enter the base directory where you install the Oracle Identity Manager Server: E:\OIM901_server.


Installing the Oracle Identity Manager Server: Step 7

Select the Oracle option to configure Oracle Identity Manager to work with an Oracle database.


Installing the Oracle Identity Manager Server: Step 8

Populate the Database Information screen with values that Oracle Identity Manager uses to connect to your Oracle database.


Installing the Oracle Identity Manager Server: Step 9

Select the “Oracle Identity Manager Default Authentication” option to use predefined settings to authenticate the Administrative Console.


Installing the Oracle Identity Manager Server: Steps 10-11

Select the JBoss option to configure Oracle Identity Manager to work with a JBoss application server.


Installing the Oracle Identity Manager Server: Steps 12-15

Configure Oracle Identity Manager to work with your JBoss application server.


Installing the Oracle Identity Manager Design Console

The following slides illustrate how to install the Oracle Identity Manager Design Console.

Note: You do not have to install the Administrative Console. To launch it, start the Oracle Identity Manager Server, open a Web browser, and enter the appropriate URL in the Address field.


Installing the Oracle Identity Manager Design Console: Steps 1-5

Enter the base directory where you install the Design Console: E:\OIM901_client.


Installing the Oracle Identity Manager Design Console: Step 6

Select the JBoss option to configure the Design Console to work with a JBoss application server.


Installing the Oracle Identity Manager Design Console: Step 7

Select this option to configure the Design Console to use the JRE that is packaged with Oracle Identity Manager.


Installing the Oracle Identity Manager Design Console: Step 8

Populate the Application Server configuration screen so that the Design Console works with your JBoss application server.


Installing the Oracle Identity Manager Design Console: Steps 9-12

Configure the Design Console to display approval and provisioning processes in a Web browser.


Performing Postinstallation Tasks for Oracle Identity Manager

The following section covers postinstallation tasks for the Oracle Identity Manager Server and Design Console.

In this section of the lesson, you learn about the following tasks:

• Specifying an Oracle Identity Manager log level for the JBoss application server

• Making the Design Console operable by copying a JAR file into the appropriate Oracle Identity Manager directory


Setting Oracle Identity Manager Log Levels for JBoss

Oracle Identity Manager supports five log levels:

• DEBUG

• INFO

• WARN

• ERROR

• FATAL

The levels are listed here in descending order according to the amount of information logged. Thus, DEBUG logs the most information and FATAL logs the least information.


Setting Oracle Identity Manager Log Levels for JBoss

In the priority value tag, you can set the log level for the JBoss application server to DEBUG, INFO, WARN, ERROR, or FATAL.

<category name="XELLERATE">
  <priority value="WARN" />
</category>
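A check for the category setting described above, as an added example that is not part of the Oracle course material: it parses a log4j-style XML document, confirms that the XELLERATE category carries one of the five levels, and rejects typographic quotes, which an XML parser does not accept as attribute delimiters. The sample document and the function names are constructed for illustration, and the enclosing log4j:configuration element is an assumption about the file layout.

```python
import xml.etree.ElementTree as ET

# The five levels from the slide, most verbose first.
LEVELS = ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"]

# Quote characters that slide and word-processing tools substitute for " and '.
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"

# Constructed sample (not taken from a real installation). Only the XELLERATE
# category comes from the slide; the root element and the second category are
# assumptions made so that the document is well-formed.
SAMPLE_CONFIG = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <category name="org.example.other">
    <priority value="INFO" />
  </category>
  <category name="XELLERATE">
    <priority value="WARN" />
  </category>
</log4j:configuration>
"""


def check_category(config_text, category="XELLERATE"):
    """Return (level, problems) for one category of a log4j XML document.

    level is the configured level, or None when it cannot be determined.
    problems lists the findings; an empty list means the entry is valid.
    """
    found = sorted({ch for ch in config_text if ch in TYPOGRAPHIC_QUOTES})
    if found:
        names = ", ".join("U+%04X" % ord(ch) for ch in found)
        return None, ["typographic quotes in file (%s); use straight quotes" % names]

    try:
        root = ET.fromstring(config_text)
    except ET.ParseError as exc:
        return None, ["not well-formed XML: %s" % exc]

    matches = [el for el in root.iter("category") if el.get("name") == category]
    if not matches:
        return None, ['no <category name="%s"> element' % category]

    problems = []
    if len(matches) > 1:
        problems.append("category %s is defined %d times" % (category, len(matches)))

    priority = matches[0].find("priority")
    if priority is None or priority.get("value") is None:
        problems.append("category %s has no <priority value=...>" % category)
        return None, problems

    level = priority.get("value").strip().upper()
    if level not in LEVELS:
        problems.append("unknown level %r; expected one of %s" % (level, ", ".join(LEVELS)))
        return None, problems
    return level, problems


def is_logged(configured_level, message_level):
    """True when a message at message_level passes a category set to configured_level."""
    return LEVELS.index(message_level) >= LEVELS.index(configured_level)


if __name__ == "__main__":
    level, problems = check_category(SAMPLE_CONFIG)
    print("XELLERATE level:", level, "problems:", problems)
    for msg in LEVELS:
        print("  %-5s message logged: %s" % (msg, is_logged(level, msg)))
```

Running the check after each edit to the logging configuration catches a mistyped level or a pasted typographic quote before the application server is restarted.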


Making the Design Console Functional

Copy the jbossall-client.jar file and paste it into the E:\OIM901_client\xlclient\ext directory.


Oracle Identity Manager Diagnostic Dashboard (Postinstallation)

The Diagnostic Dashboard can be used to:

• Check preinstallation requirements for Oracle Identity Manager

• Perform postinstallation checks and create reports to ensure that the Oracle Identity Manager environment is installed and configured properly


Diagnostic Dashboard: Postinstallation Checks

You can use the Diagnostic Dashboard after installation to determine whether:

• An Oracle Identity Manager user account is locked because of successive invalid login attempts

• The data encryption key in your Oracle Identity Manager installation is identical to the one used to encrypt the data in your Oracle Identity Manager database

• The scheduler service is running

• Oracle Identity Manager can communicate with remote managers


Diagnostic Dashboard: Postinstallation Checks

You can use the Diagnostic Dashboard after installation to determine whether:

• Oracle Identity Manager can submit and process a Java Messaging Service (JMS) message

• Single Sign-On (SSO) is configured properly for Oracle Identity Manager


Diagnostic Dashboard: Reports

You can use the Diagnostic Dashboard to create reports that display the following information about your Oracle Identity Manager environment:

• System properties that are associated with all Java Virtual Machines

• Information about the version numbers of the library and extension files

• Detailed (or manifest) information about the library and extension files


Using the Oracle Identity Manager Diagnostic Dashboard (Postinstallation)

To use the Diagnostic Dashboard, launch it. Select the check boxes for the tests that you want to perform, and then click Verify.

[Screenshot labels: Test passed, Test failed]


Summary

In this lesson, you should have learned how to:

• Configure a preexisting Oracle database so that it works properly with Oracle Identity Manager

• Load and start the Oracle Identity Manager Diagnostic Dashboard

• Use the dashboard to ensure that the database is prepared correctly and that Oracle Identity Manager can connect to it

• Install the Oracle Identity Manager Server and Design Console

• Set an Oracle Identity Manager log level for the JBoss application server


Summary

In this lesson, you should have learned how to:

• Make the Design Console functional by copying a JAR file into an Oracle Identity Manager directory

• Use the Diagnostic Dashboard to verify that your Oracle Identity Manager environment is installed and configured correctly


Practice 3 Overview: Installing and Configuring Oracle Identity Manager

This practice covers the following topics:

• Preparing a database for Oracle Identity Manager

• Installing and deploying the Oracle Identity Manager Diagnostic Dashboard

• Using the dashboard to verify that the database is prepared properly and that Oracle Identity Manager can connect to it

• Installing and configuring an Oracle Identity Manager Server and an Oracle Identity Manager Design Console

• Using the Diagnostic Dashboard to verify that the Oracle Identity Manager environment is installed and configured properly


Starting and Understanding Oracle Identity Manager’s Consoles


Objectives

After completing this lesson, you should be able to:

• Launch the Oracle Identity Manager Server

• Start the two Oracle Identity Manager consoles (the Administrative Console and the Design Console)

• Differentiate between the two consoles

• Explain the links on the Administrative Console


Launching the Oracle Identity Manager Server

Double-click the xlStartServer.bat command script, which resides in the E:\OIM901_server\xellerate\bin directory on your machine.


Launching the Oracle Identity Manager Administrative Console

Open the login page and enter the appropriate credentials in the User ID and Password fields. Then click Login.


Launching the Oracle Identity Manager Design Console

Open the login window and enter the appropriate credentials in the User ID and Password fields. Then click Login.


Oracle Identity Manager Consoles

Developers use the Design Console to build Oracle Identity Manager connectors.


Oracle Identity Manager Consoles

Administrators use the Administrative Console to manage Oracle Identity Manager connectors.


Administrative Console: My Account Link

With the My Account link, administrators view and modify their account information, reset a password, and designate a proxy.


Administrative Console: My Resources Link

With the My Resources link, administrators view, create, and modify information about requests and resources.


Administrative Console: Requests Link

With the Requests link, administrators create and track requests of resources for other Oracle Identity Manager users, as well as manage approval tasks.


Administrative Console: To-Do List Link

With the To-Do List link, administrators can handle all tasks that require their attention.


Administrative Console: Users Link

With the Users link, administrators create and manage records for Oracle Identity Manager users.


Administrative Console: Organizations Link

With the Organizations link, administrators create and manage records for Oracle Identity Manager organizational units.


Administrative Console: User Groups Link

With the User Groups link, administrators create and manage records for user groups.


Administrative Console: Access Policies Link

With the Access Policies link, administrators create and manage access policies.


Administrative Console: Resource Management Link

With the Resource Management link, administrators manage resources for a user or organization.


Administrative Console: Deployment Management Link

With the Deployment Management link, administrators transfer connectors from one environment to another.


Administrative Console: Reports Link

With the Reports link, administrators create operational and historical reports.


Administrative Console: Attestation Link

With the Attestation link, administrators can create and manage an attestation process.


Administrative Console: Help Link

With the Help link, administrators can view an online version of the Oracle Identity Manager Administrative Console and User Guide.


Summary

In this lesson, you should have learned how to:

• Start the Oracle Identity Manager Server, the Administrative Console, and the Design Console

• Identify the two consoles, including the differences between them

• Provide a thorough discussion of the links on the Administrative Console


Practice 4 Overview: Starting and Understanding Oracle Identity Manager’s Consoles

This practice covers the following topics:

• Launching the Oracle Identity Manager Server

• Launching the Oracle Identity Manager Administrative Console

• Launching the Oracle Identity Manager Design Console


Managing Users and User Entities


Objectives

After completing this lesson, you should be able to:

• Explain the three types of Oracle Identity Manager users: system administrators, administrators of Oracle Identity Manager connectors, and end users

• Discuss the entities of which an Oracle Identity Manager user can be a member (that is, organizations and user groups)

• Differentiate between an organization and a user group

• Create records for an organization, the three types of Oracle Identity Manager users, and a user group

• Assign an Oracle Identity Manager user to a user group


Objectives

In addition, you should be able to explain:

• How administrators view and modify their profiles in Oracle Identity Manager

• How administrators change their challenge questions and, as a result, reset their passwords

• What a proxy is

• How administrators assign, modify, and remove proxies

• How administrators see the resources that are provisioned to them

• How administrators see requests that are initiated by them and requests that require their approval


Oracle Identity Manager Users: Three Types

• System administrators: Users who have both read access and write access to all forms and records in Oracle Identity Manager

• Administrators of Oracle Identity Manager connectors: Users who have read- and write-access rights to their own user profiles (and the records associated with them), as well as the profiles and records of any end users whom they supervise

• End users: Users who are recipients of the resources that are provisioned to them by Oracle Identity Manager. They have read-access rights to their own user profile (and the records associated with it).


Oracle Identity Manager User Entities: Two Types

• Organization: Record that represents a unit in a company’s hierarchy (for example, a department, division, or cost center)

• User group: Collection of one or more Oracle Identity Manager users who share some common functionality, such as access rights, roles, or permissions for resources

[Diagram labels: User groups, User, Organization]


Creating Oracle Identity Manager Users and User Entities

• The following slides illustrate how to create:

– Organizations

– Three types of Oracle Identity Manager users

– User groups

• In addition, you learn how to assign a user to a group and perform various administrative functions for a user.


Creating an Organization

Example: Creating an organization named Curriculum Dev. The organization’s classification type is Department.


Creating a User

Example: Creating a user named Robert La Vallie


Creating a User Group

Example: Creating a user group named Oracle 10g Approvers


Assigning a User to a User Group

Example: Assigning the user named Robert La Vallie to the ORACLE 9i USERS group


Viewing Your Profile

Administrators can see basic information about their user accounts. This example shows the profile of the administrator named Pauline Sammut.


Modifying Your Profile

Administrators can change basic information about their user accounts. This example illustrates modifying the profile of the administrator named Pauline Sammut.


Changing Your Challenge Questions and Answers

Administrators can change their challenge questions and answers.


Resetting Your Password

Administrators can reset their passwords. This example illustrates resetting an administrator’s password.


Proxies: Overview

Administrators can delegate any task approval responsibilities for which they are unavailable (because of illness, vacation, and so on) to another administrator. This delegated administrator is known as a proxy.


Assigning a Proxy

Administrators can assign proxies. This example illustrates assigning a proxy named Leonard Agneta to an administrator.


Modifying a Proxy

Administrators can modify their proxies. This example illustrates modifying the proxy named Leonard Agneta for an administrator.


Removing a Proxy

Administrators can remove their proxies. This example illustrates removing the proxy named Leonard Agneta from an administrator.


Viewing Your Resources

Administrators can see the resources that are provisioned to them. This example shows that a resource named Oracle RO is provisioned to an administrator.


Viewing Your Requests

Administrators can see the requests that they initiate as well as requests that require their approval.


Summary

In this lesson, you should have learned how to:

• Create system administrators, administrators of Oracle Identity Manager connectors, and end users

• Create organizations and user groups

• Differentiate between an organization and a user group

• Assign a user to a user group

• View and modify an administrator’s profile in Oracle Identity Manager

• Change an administrator’s challenge questions and answers

• Reset an administrator’s password


Summary

In this lesson, you should have learned how to:

• Assign, modify, and remove a proxy for an administrator

• See the resources that are provisioned to an administrator

• View, track, and approve requests generated by and for an administrator


Practice 5 Overview: Managing Users and User Entities

This practice covers the following topics:

• Creating records for an organization, a user group, and the three types of Oracle Identity Manager users

• Assigning an Oracle Identity Manager user to a group

• Viewing and modifying the profile of an Oracle Identity Manager administrator

• Changing challenge questions and answers and, as a result, resetting the password of an administrator

• Assigning, modifying, and removing a proxy for an administrator

• Viewing the resources and requests that are associated with an administrator


Assigning Oracle Identity Manager Connectors to Users


Objectives

After completing this lesson, you should be able to do the following:

• Identify resources and Oracle Identity Manager connectors

• Explain how Oracle Identity Manager connectors differ from resources

• Discuss the three ways in which a connector can be assigned to an Oracle Identity Manager user


Resources

A resource is an external system, service, or application with which Oracle Identity Manager communicates to perform either provisioning or reconciliation.

[Diagram labels: Server, Messaging applications, Operating systems]


Examples of Resources

Examples of resources include the following:

• Collaboration and messaging applications: Microsoft Exchange 3.3; Novell GroupWise 2.1

• Database servers: Oracle9i Database Enterprise Edition; Oracle Database 10g; MS SQL Server 2000

• Directory servers: MS Active Directory 4.4; Novell eDirectory 2.1; Oracle Internet Directory 1.1; Sun Java System Directory Server 4.1

• Enterprise applications: Oracle E-Business Suite 2.1; PeopleSoft Enterprise Applications 3.0; SAP Enterprise Applications 3.0

• Operating systems: Microsoft Windows 2.1; UNIX 4.1


Examples of Resources

• Security managers: IBM RACF 1.1; RSA Authentication Manager 4.1

• Web access control applications: RSA ClearTrust 3.0


Oracle Identity Manager Connectors

• An Oracle Identity Manager connector is a container that holds all of the information that Oracle Identity Manager needs to:

– Reconcile with an external resource

– Provision a user with a target resource

• In short, each resource is represented in Oracle Identity Manager by a corresponding connector.


How Connectors Differ from Resources

• Assigning a connector to a user does not necessarily mean that the related resource is provisioned to the user.

• For provisioning to occur, you must:

– Populate the fields of the custom process form that is contained in your connector

– Save this information to your Oracle Identity Manager database


How Connectors Are Assigned to Users

• There are three ways that an Oracle Identity Manager connector can be assigned to a user:

– Through direct provisioning

– Via criteria (autogroup membership rules and access policies)

– By requests

• The following slides illustrate the three ways that a connector can be assigned to a user.


Assigning Connectors to Users: Direct Provisioning

The graphic in this slide illustrates how a connector can be assigned to an Oracle Identity Manager user through direct provisioning.

[Diagram labels: Administrator, Connector, End user]


Assigning Connectors to Users: Criteria

The graphic in this slide illustrates how a connector can be assigned to an Oracle Identity Manager user via criteria (autogroup membership rules and access policies).

[Diagram labels: Administrator, User group, Access policy, Approver, Autogroup rule, Approval process, Connector, End user]


Assigning Connectors to Users: Requests

The graphic in this slide illustrates how a connector can be assigned to an Oracle Identity Manager user by a request.

[Diagram labels: Request, Administrator, Approval process, Connector, End user, Approver]


Direct-Provisioning a Connector to a User

This example illustrates using direct provisioning to assign a connector to the end user named Leonard Agneta.


Using Criteria to Assign a Connector to a User

Another way to assign a connector to an end user is for Oracle Identity Manager to evaluate criteria about the user. These criteria include an autogroup membership rule and an access policy.

For this to occur, you need to complete the following steps:

• Assign an autogroup membership rule to a user group. As a result, Oracle Identity Manager can add the end user to the group.

• Build the access policy. Oracle Identity Manager allocates the connector to the user because the user belongs to the user group.


Assigning an Autogroup Membership Rule to a User Group

This example illustrates assigning an autogroup membership rule to the Developers user group.


Creating an Access Policy

This example illustrates creating an access policy for the Developers user group.


Using a Request to Assign a Connector to a User

This example illustrates using a request to assign the Oracle RO connector to the user with the ID of LAGNETA.


Summary

In this lesson, you should have learned how to:

• Identify resources and Oracle Identity Manager connectors

• Differentiate between Oracle Identity Manager connectors and resources

• Assign an Oracle Identity Manager connector to a user through direct provisioning, criteria (specifically, autogroup membership rules and access policies), and requests


Practice 6 Overview: Assigning Oracle Identity Manager Connectors to Users

This practice covers assigning an Oracle Identity Manager connector to a user in three ways:

• Direct provisioning

• Autogroup membership rules and access policies

• Requests


Provisioning Resources to Users


Objectives

After completing this lesson, you should be able to:

• See how administrators of Oracle Identity Manager connectors can view a graphical representation of a provisioning workflow

• Analyze what approval processes are and how they impact a provisioning workflow

• Identify the key features of autoprovisioning

Objectives

• Discuss other day-two provisioning functions that an administrator of an Oracle Identity Manager connector can perform. These functions include:

– Temporarily deactivating an end user’s account with a resource

– Reinstating an end user’s account

– Modifying the password of an end user’s account

– Permanently revoking the access rights that an end user has with the resource

Graphical Workflow Definition Renderer: Overview

The Graphical Workflow Definition Renderer tool enables Oracle Identity Manager administrators to see a visual representation of the connector’s provisioning workflow.

Viewing a Graphical Representation of a Provisioning Workflow

This screenshot is a visual representation of the DataBase Access (Login) provisioning process via the Graphical Workflow Definition Renderer.

Graphical Workflow Definition Renderer: High-Level Information

This example shows top-level information about the DataBase Access (Login) provisioning process.

Graphical Workflow Definition Renderer: Features

Features of the Graphical Workflow Definition Renderer include:

• Dragging and dropping the components that appear in the workflow (for visibility purposes)

• Customizing the items that can be displayed in the workflow

• Saving the current state of the workflow as an image

• Refreshing the workflow

Graphical Workflow Definition Renderer: Provisioning Tab

This tab displays all process tasks that are used to give a user access rights to a resource. In this example, the Create Login task is used to provision a user to an Oracle database.

Graphical Workflow Definition Renderer: Reconciliation Tab

This tab displays the tasks and flow of the reconciliation events associated with a provisioning process. In this example, the Reconciliation Insert event is displayed.

Graphical Workflow Definition Renderer: Resource Event Tab

This tab displays all workflows associated with changes to a user’s access rights with a resource. The Enable Login workflow reinstates the user’s access to the resource.

Graphical Workflow Definition Renderer: Form Event Tab

This tab displays workflows associated with changes to data in the process form attached to the provisioning process. The Password Updated workflow modifies the user’s password on the target resource.

Approval Processes: Overview

• An approval process is used to approve the provisioning of a representative resource for a user.

• Approval processes are usually completed manually, whereas provisioning processes are typically completed automatically.

• To complete an approval process, certain tasks must be completed.

• Although a connector is not required to have an approval process, it must have at least one provisioning process.

Completing an Approval Process

In this example, the user who belongs to the US_ORACLE_RO_APPROVERS group approves the allocation of the Oracle RO connector for the user named Jill James.

Types of Provisioning

• Manual provisioning

• Autoprovisioning

Manual Provisioning

• An administrator of an Oracle Identity Manager connector completes the custom process form and saves the values to the database.

• Manual intervention is required by the administrator for provisioning to occur.

Autoprovisioning

• Autoprovisioning is the Oracle Identity Manager process of:

– Populating a custom process form of a connector

– Saving the values in the form to its database

– Using these values to provision an end user with a resource

• With autoprovisioning, Oracle Identity Manager provisions the corresponding resource to an end user after the connector is assigned to the user.

Day-Two Provisioning Functions

Oracle Identity Manager is an application that can handle day-two provisioning functions, including:

• Temporarily disabling an end user’s account with an external resource

• Reinstating the user’s account with the resource

• Modifying the password of the user’s account

• Permanently revoking the access rights that the user has with the resource

Day-Two Provisioning Functions: Disabling a User’s Account

In this example, an administrator disables Robert La Vallie’s account with an external resource. As a result, Oracle Identity Manager temporarily deactivates this user’s account.

Day-Two Provisioning Functions: Reinstating the User’s Account

In this example, an administrator enables Robert La Vallie’s account with an external resource. As a result, Oracle Identity Manager reinstates this user’s account.

Day-Two Provisioning Functions: Modifying the User’s Password

In this example, an administrator modifies the password of Robert La Vallie’s account with an external resource.

Day-Two Provisioning Functions: Deleting the User’s Account

In this example, an administrator deletes Robert La Vallie’s account with an external resource. As a result, Oracle Identity Manager permanently revokes the access rights that this user has with the resource.

Summary

In this lesson, you should have learned how to:

• View a graphical representation of a provisioning workflow in Oracle Identity Manager

• Discuss approval processes, including how they affect a provisioning workflow

• Complete an approval process

• Analyze autoprovisioning

• Perform day-two provisioning functions, including:

– Disabling an end user’s account with an external resource

– Reinstating the account

– Modifying the password of the user who is accessing the account

– Deleting the user’s account with the resource

Practice 7 Overview: Provisioning Resources to Users

This practice covers the following topics:

• Completing the approval process of an Oracle Identity Manager connector

• Direct-provisioning a connector to an end user

• Temporarily disabling an end user’s account with an external resource

• Reinstating the user’s account with the resource

• Modifying the password of the user’s account

• Permanently revoking the access rights that the user has with the account

Customizing the Oracle Identity Manager Administrative Console

Objectives

After completing this lesson, you should be able to:

• Identify the two levels of customization for the Oracle Identity Manager Administrative Console

• Modify the look and feel of the console to brand it for your company

• Change the functionality of the console without modifying the Oracle Identity Manager code

• Explain why the code should never be changed

Levels of Customization

There are two levels of customization that an administrator should perform with the Oracle Identity Manager Administrative Console:

• Modifying the look and feel of the console (that is, branding it)

• Changing the functionality of the console without modifying the Oracle Identity Manager code

Branding the Console

There are different ways to brand the Administrative Console, including:

• Customizing the overall layout of the Web pages of the console

• Modifying the descriptive text and labels that appear on the Web pages of the console

• Replacing company and product logos with your own icons

• Changing the color, font, and alignment of text

Changing the Functionality

There are different ways to change the functionality of the Administrative Console without changing the code, including:

• Customizing the self-registration process for creating a user’s account

• Configuring how users can modify the profiles of their accounts

• Customizing the behavior of the fields that appear on the Web pages of this console

• Setting the menu items that are available to users who belong to a particular group

• Customizing search pages

Customizing the Overall Layout of a Web Page

In this example, you customize the general layout of a Web page by displaying the company logo at the right side of the header banner.

Adding Logos

In this example, you replace the product’s default logo with your own company logo.

Modifying Text and Labels

In this example, you modify the text and label of the Search User button that appears on the Manage User form.

Customizing Colors, Font, and Alignment of Text

In this example, you modify the color, font, and alignment of the text that appears in the footer banner of the console.

Customizing the Self-Registration Process

In this example, you change the Middle Name field of the User Self-Registration form from optional to mandatory.

Customizing the Behavior of a Form Field

In this example, you change the Email Address field of the Create User form from optional to mandatory.

Customizing Menu Items for User Groups

In this example, you add menu items associated with deploying Oracle Identity Manager connectors to users (such as Dawn Jones) who belong to a particular group.

Customizing Search Pages

In this example, you customize the search pages of your console by reducing (from 10 to 5) the maximum number of search results that can appear on a Web page.

Summary

In this lesson, you should have learned how to:

• Differentiate between the two levels of customization for the Oracle Identity Manager Administrative Console

• Brand the console

• Change the functionality of the console without modifying the Oracle Identity Manager code

• Explain why the code should never be changed

Practice 8 Overview: Customizing the Oracle Identity Manager Administrative Console

This practice covers the following topics:

• Branding the Oracle Identity Manager Administrative Console

• Changing the functionality of the console without modifying the Oracle Identity Manager code

Transferring Oracle Identity Manager Connectors

Objectives

After completing this lesson, you should be able to do the following:

• Describe the benefits of transferring Oracle Identity Manager connectors from one environment to another

• Identify the different ways that connectors can be transported between environments

• Explain how to export a connector

• Discuss how to import a different connector and configure it so that it is operable in your environment

Transferring Oracle Identity Manager Connectors: Benefits

Benefits of transferring Oracle Identity Manager connectors from one environment to another:

• Efficiency

• Error reduction

Transferring Oracle Identity Manager Connectors: Ways

• Transfer a component of a connector or an entire connector from one environment to another

• Transport multiple Oracle Identity Manager connectors between environments simultaneously

Exporting Oracle Identity Manager Connectors

To export an Oracle Identity Manager connector so that it is operable in another environment:

1. Build an *.xml file that contains the components of your connector.

2. Export this file into a designated location that can be accessed from your home or office environment.

Exporting Oracle Identity Manager Connectors

In this example, you export the Oracle RO connector.

Using Oracle Identity Manager Connectors: Setup

The following steps show you how to set up and run an Oracle Identity Manager connector so that it is operable in your environment.

1. Import the *.xml file that contains the designated Oracle Identity Manager connector.

2. Paste any external JAR files into their designated locations.

3. Recompile the adapters that are contained in your Oracle Identity Manager connector.

4. Define IT resources for the specific machines, applications, or services that are represented by your connector.

Using Oracle Identity Manager Connectors: Run Time

5. Assign the Oracle Identity Manager connector to a user.

6. Populate the fields of the custom process form that is contained in your connector. Then save this information to the database.

7. Verify that the login credentials you entered in the custom form can be used to access the external resource (that is, an Oracle database).

Step 1: Importing Oracle Identity Manager Connectors

In this example, you import a connector into your Oracle Identity Manager environment.

Step 2: Pasting the JAR Files

Copy the xliDatabaseAccess.jar file (which resides in your E:\OIM901_files directory) and paste it into your E:\OIM901_server\xellerate\JavaTasks directory.

Step 3: Recompiling the Adapters

The Adapter Manager form is used to compile multiple adapters simultaneously.

Step 4: Defining the IT Resources

An IT resource is an instance that contains the values that Oracle Identity Manager needs to:

• Communicate with an external resource (in this case, an Oracle database)

• Access the external resource as an administrator (for provisioning purposes)

Step 5: Assigning a Connector to a User

In this example, you assign an Oracle Identity Manager connector to a user.

Step 6: Completing the Custom Process Form

The values in the custom process form represent the login credentials of the target user that Oracle Identity Manager passes into the corresponding external resource (in this case, an Oracle database).

Step 7: Accessing the Database

This screenshot illustrates a successful login to your Oracle SQL*Plus client. It indicates that the designated user is provisioned with the external resource (in this case, an Oracle database).

Summary

In this lesson, you should have learned how to:

• Describe the benefits and different ways of transferring Oracle Identity Manager connectors between environments

• Discuss how to export an Oracle Identity Manager connector

• Explain how to import a different Oracle Identity Manager connector and configure it so that it works in your environment

Practice 9 Overview: Transferring Oracle Identity Manager Connectors

This practice covers exporting an *.xml file that contains your Oracle Identity Manager connector.

Creating Reports

Objectives

After completing this lesson, you should be able to do the following:

• Identify the two types of reports that an administrator can create for Oracle Identity Manager users: operational reports and historical reports

• Differentiate between these two types of reports

• List the different operational and historical reports that are available with Oracle Identity Manager

• Discuss additional reports that can be created by using a third-party tool (such as Crystal Reports)

• Create operational and historical reports with the Oracle Identity Manager Administrative Console

Operational and Historical Reports

An administrator can create two types of reports for Oracle Identity Manager users:

• Operational reports: Information about resources that a user can access (current data)

• Historical reports: Information about resources that are associated with a user throughout that user’s employment with the company (life-cycle data)

Operational Reports: Types

There are four types of operational reports:

• Who Has What

• Resource Access List

• Entitlements Summary

• Policy List

Historical Reports: Types

There are five types of historical reports:

• User Resource Access History

• Resource Access List History

• User Profile History

• User Membership History

• Group Membership History

Other Reports: Types

An administrator can create the following eight additional reports by using a third-party reporting tool.

• Who Has What: Lists the users and the resources with which they are provisioned

• Direct Provisioned: Shows the following information:

– Resources that are directly provisioned to the target users

– User who directly provisioned the resources for the target users

– Users who received the resources

Other Reports: Types

• Requests Made: Displays requests that are created by users

• Active Queue: Subset of the Requests Made report; lists the requests that are approved by users

• Requests Executed: Subset of the Active Queue report; shows the requests that are executed by Oracle Identity Manager

• Reconciled Apps: Lists the successful events that are associated with reconciliation

• Reconciled Users: Displays the users who are added to Oracle Identity Manager through reconciliation

• Unreconciled Data: Shows the reconciliation events that could not be matched to a specific user, organization, or provisioning process

Creating a Who Has What Operational Report

In this example, you create a Who Has What operational report for the user with the ID of RLAVALLI.

Creating a Resource Access List Operational Report

In this example, you create a Resource Access List operational report for the Oracle RO resource.

Creating an Entitlements Summary Operational Report

In this example, you create an Entitlements Summary operational report. DataBase Access (Login) is the designated resource and Revoked is the associated status level (or entitlement).

Creating a Policy List Operational Report

In this example, you create a Policy List operational report. Users Access Policy is the designated policy and Oracle 9iUsers is the target user group.

Creating a User Resource Access History Historical Report

In this example, you create a User Resource Access History historical report for the user with the ID of RLAVALLI.

Creating a Resource Access List History Historical Report

In this example, you create a Resource Access List History historical report for the Oracle RO resource.

Creating a User Profile History Historical Report

In this example, you create a User Profile History historical report for the user with the ID of RLAVALLI.

Screenshot callouts: Current e-mail address; Original e-mail address.

Creating a User Membership History Historical Report

In this example, you create a User Membership History historical report for the user with the ID of RLAVALLI.

Creating a Group Membership History Historical Report

In this example, you create a Group Membership History historical report for the Oracle 9i Approvers user group.

Summary

In this lesson, you should have learned how to:

• Identify operational reports and historical reports (and the differences between them)

• List the different operational and historical reports that are available with Oracle Identity Manager

• Discuss additional reports that can be created by using a third-party tool (such as Crystal Reports)

• Create operational and historical reports with the Oracle Identity Manager Administrative Console

Practice 10 Overview: Creating Reports

This practice covers creating the following types of reports:

• Operational reports

– Who Has What

– Resource Access List

– Entitlements Summary

– Policy List

• Historical reports

– User Resource Access History

– Resource Access List History

– User Profile History

– User Membership History

– Group Membership History

Understanding Attestation

Objectives

After completing this lesson, you should be able to:

• Define attestation and attestation processes, including the fundamental components of an attestation process

• Describe the types of users who analyze, create, and manage attestation processes

• Identify the types of data that can be attested

• Discuss the different ways that attestation processes can be executed (that is, the schedule for attestation processes)

• Explain the workflow of an attestation process from beginning to end

Attestation

• Mechanism by which Oracle Identity Manager users are notified periodically of a report they must review

– This report outlines the provisioned resources that certain users have.

• Process of authorizing established internal controls, processes, and policies for user-related and transactional-related data

Attestation Processes

An attestation process is the framework by which an attestation workflow is set up and created. It contains the following run-time components:

User + Data + Schedule

Attestation Process: Users

Four types of users analyze, create, and manage attestation processes:

• Reviewer

• System administrator

• Compliance manager

• Process owner

Attestation Process: Data

Two types of data can be attested:

• Oracle Identity Manager users and the resources they can access

• Fine-grained privileges that determine how a user should be entitled to a resource

Attestation Process: Schedule

All activities that are associated with an attestation process can be:

• Run at a periodic interval (for example, every three months)

• Executed on demand

Attestation Process: Workflow

Diagram: a workflow with steps numbered 1 to 4. Labels: Schedule, Data, E-mail notification, Reviewer, Process owner, Oracle Identity Manager repository. Reviewer actions: Certify, Reject, Decline, Delegate.

Summary

In this lesson, you should have learned how to:

• Identify attestation and attestation processes, including the primary components of an attestation process

• Describe the users, data, and schedules that are associated with attestation processes

• Explain how an attestation process works from beginning to end

Copyright © 2006, Oracle. All rights reserved.

Creating, Managing, and Reviewing Attestation Processes

Objectives

After completing this lesson, you should be able to:

• Configure your Oracle Identity Manager environment so that it can handle attestation processes

• Create an attestation process through the Oracle Identity Manager Administrative Console

• Access the Administrative Console as a reviewer and act on an attestation process that is assigned to you: certify it, decline it, reject it, or delegate it to another reviewer

• Access this console as a process owner and view information about the attestation process, including its status: whether it is certified, rejected, declined, or delegated to another reviewer

Configuring an Attestation Process

There are six steps in setting up an attestation process:

1. Configuring your Oracle Identity Manager environment so that its attestation features are available

2. Configuring the resource object of your connector so that its data can be reviewed during an attestation process

3. Configuring the process form of your connector so that its data is available for review during an attestation process

4. Assigning a manager to the user who is the recipient of the target resource (This manager is responsible for reviewing the attestation process for the user.)

5. Assigning menu items to the following user groups:

• User group that is responsible for creating and managing the attestation process (that is, the process owner group)

• User group that is responsible for reviewing the attestation process (the reviewer group)

6. Assigning administrative privileges and permissions to each of these groups

Installing the Oracle Identity Manager Server

By selecting this option, you can use the attestation features of Oracle Identity Manager for audit and compliance purposes.

Configuring the Resource Object

Select the Financially Significant check box of your connector’s representative resource object in the Design Console.

Configuring the Process Form

Set the value of this record to Resource Form in the Design Console.

Assigning a Manager to a User

Assign the manager with the ID of TJONES to the end user named Robert La Vallie. This manager is responsible for reviewing the attestation process for the user.

Assigning Menu Items to User Groups

Assign menu items to users who belong to the IT group. This group represents the users who are responsible for creating and managing attestation processes.

Assigning Menu Items to User Groups

Assign a menu item to users who belong to the Managers group. This group represents the users who are responsible for reviewing attestation processes.

Assigning Administrative Privileges and Permissions for User Groups

Assign administrative privileges and permissions to users who belong to the IT group. This group represents the users who are responsible for creating and managing attestation processes.

Creating an Attestation Process

There are five stages in creating an attestation process:

1. Defining high-level information about the attestation process

2. Defining the scope and reviewer for the attestation process

3. Defining the administrative details of the attestation process

4. Verifying the information of the attestation process

5. Assigning groups of users to the attestation process who are responsible for reviewing and managing it

Stage 1: Defining High-Level Information

On the Define Process screen, you specify high-level information about the attestation process.

Stage 2: Defining the Scope and Reviewer

On the Define Attestation Scope And Reviewer screen, you specify how a user should have access rights to a resource (that is, the scope) and the reviewer for the attestation process.

Stage 3: Defining the Administrative Details

On the Define Administrative Details screen, you specify how often the attestation process should be run. You also specify its process owner group.

Stage 4: Verifying the Information

On the Verify Info Page screen, you ensure that the information in the attestation process is correct.

Stage 5: Assigning Groups

On the Administrative Groups screen, you assign groups of users who are responsible for reviewing and managing the attestation process.

Reviewer Actions for an Attestation Process

As a reviewer of an attestation process, you can perform one of the following actions with it:

• Delegate it to another reviewer

• Reject it

• Certify it

• Decline to act on it

Reviewing an Attestation Process

As a reviewer, you perform an action on an attestation process. You can certify, reject, or decline an attestation process or can delegate it to another reviewer.

Process Owner Actions for an Attestation Process

As the owner of an attestation process, you can view the following information about it:

• High-level and detailed information

• The date and time when the attestation process is submitted to a reviewer

• The reviewer who received the attestation process

• The status of the attestation process (that is, whether the reviewer certified it, rejected it, declined it, or delegated it to another reviewer)

• The delegation path (if the attestation process is delegated to another reviewer)

Viewing an Attestation Process

As a process owner, you can view both high-level and detailed information about an attestation process.

Summary

In this lesson, you should have learned how to:

• Configure your Oracle Identity Manager environment so that it can handle attestation processes

• Create an attestation process with the Oracle Identity Manager Administrative Console

• Act on an attestation process as a reviewer: certify it, decline it, reject it, or delegate it to another reviewer

• View information about an attestation process as a process owner, including its status: whether it is certified, rejected, declined, or delegated to another reviewer

Practice 12 Overview: Creating, Managing, and Reviewing Attestation Processes

This practice covers the following topics:

• Setting up your environment so that you can create attestation processes

• Using the Oracle Identity Manager Administrative Console to create an attestation process

• Acting on an attestation process (for example, certifying it)

• Viewing both high-level and detailed information about an attestation process

Troubleshooting Oracle Identity Manager

Objectives

After completing this lesson, you should be able to troubleshoot problems that administrators commonly encounter with Oracle Identity Manager. These problems are fixed through the use of disaster-recovery procedures.

Increasing the Size of the Java Pool

• Problem: After launching the Oracle Identity Manager Diagnostic Dashboard, the Database Prerequisites Check fails.

– The reason for the failure is that the current Java pool size of your Oracle database is 32 MB. As a result, it does not meet the minimum requirement of 60 MB.

• Solution: 1. Stop the Oracle Identity Manager Server.

2. Access the database by using the Oracle Enterprise Manager Console.

3. Click the Instance subnode. A Configuration form is nested in this node.

4. Click the Configuration form (to make it active).

5. In this form, select the Memory tab. In the Java Pool field, enter 60. Then click the Apply button that appears on this tab. A Shutdown Options window appears.

6. In the Shutdown Options window, select the Immediate option. Then click OK. Your database is shut down and restarted so that the changes to your Java pool can be registered.

7. Close the Oracle Enterprise Manager Console.

8. Restart the Oracle Identity Manager Server.

Changing the Authentication Mode

• Problem: After installing Oracle Identity Manager, you want to change the authentication mode from the application’s default setting to Single Sign-On (SSO).

• Solution: 1. Stop the Oracle Identity Manager Server.

2. Use a text editor to open the xlconfig.xml file, which is located in the E:\OIM901_Server\xellerate\config directory.

3. Look for the following piece of code:

<Authentication>Default</Authentication>

4. Replace the Default value with the name of the header value configured in the SSO system.

5. Save your changes.

6. Restart the Oracle Identity Manager Server.
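
Steps 2 through 5 of this procedure as a script, added here as an example and not part of the Oracle course material: it backs up xlconfig.xml, replaces the value of the single <Authentication> element, and refuses to write if the element is missing, duplicated, or the result no longer parses. The header name REMOTE_USER_HDR, the <config> wrapper in the sample, and the allowed header-name character set are assumptions.

```python
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: only the <Authentication> element comes from the page;
# the <config> wrapper is a placeholder for the rest of xlconfig.xml.
SAMPLE = """<?xml version="1.0"?>
<config>
  <Authentication>
    Default</Authentication>
</config>
"""
AUTH_RE = re.compile(r"(<Authentication>\s*)(.*?)(\s*</Authentication>)", re.S)
HEADER_RE = re.compile(r"[A-Za-z0-9_-]+")  # assumed safe header-name charset


def get_auth_mode(path):
    """Return the current value of the single <Authentication> element."""
    matches = AUTH_RE.findall(Path(path).read_text(encoding="utf-8"))
    if len(matches) != 1:
        raise ValueError("expected one <Authentication>, found %d" % len(matches))
    return matches[0][1]


def set_auth_mode(path, header_name):
    """Back up the file, swap the value, confirm the XML still parses."""
    path = Path(path)
    if not HEADER_RE.fullmatch(header_name):
        raise ValueError("unexpected characters in header name: %r" % header_name)
    old = get_auth_mode(path)  # also enforces "exactly one element"
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    text = path.read_text(encoding="utf-8")
    new_text = AUTH_RE.sub(lambda m: m.group(1) + header_name + m.group(3), text, count=1)
    ET.fromstring(new_text)  # raises ParseError before anything is written
    path.write_text(new_text, encoding="utf-8")
    return old, backup


def demo():
    """Run the change against the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "xlconfig.xml"
        cfg.write_text(SAMPLE, encoding="utf-8")
        old, backup = set_auth_mode(cfg, "REMOTE_USER_HDR")  # hypothetical header
        return old, get_auth_mode(cfg), get_auth_mode(backup)
```

With a header name in place, the identity comes from the SSO system's header, so check that the application server is reachable only through that SSO system.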

Exporting a File Properly

• Problem: Exporting a file via the Deployment Manager form (which can be found in the Oracle Identity Manager Administrative Console) results in an invalid file, a corrupted XML file, or a file created with 0 KB.

• Solution: 1. When you export your file, make sure that no other users are also attempting to export a file.

2. At the same time, verify that no reconciliation workflows or scheduled tasks are being run.

3. Reconfigure the minimum and maximum memory parameters of the JBoss application server to 512 MB and 1,024 MB, respectively.

Verifying That the Oracle Identity Manager Scheduler Is Running

• Problem: You want to verify that the service that programs events to be executed at periodic intervals (that is, the Oracle Identity Manager Scheduler) is running.

• Solution: 1. Launch a Web browser.

2. In the Address field, enter the following URL:

http://localhost:8087/xlScheduler/status (localhost is the machine name for the application server, and 8087 is this server’s port number.)

Customizing the Login Page of the Administrative Console

• Problem: You want to customize the Login page of the Administrative Console.

• Solution: Open the tjspLoginTiles.jsp file, which is located in the following directory:

E:\jboss-4.0.2\server\default\deploy\XellerateFull.ear\xlWebApp.war\xlWebApp\tiles

This file contains the properties that pertain to the Login page.

Changing the Background Color of Oracle Identity Manager Explorer

• Problem: You want to customize the Administrative Console so that the background color for the header is different from the background color that appears in your Oracle Identity Manager Explorer.

• Solution: 1. Stop the Oracle Identity Manager Server.

2. Use a text editor to open the Xellerate.css file, which is located in the E:\jboss-4.0.2\server\default\deploy\XellerateFull.ear\xlWebApp.war\css directory.

3. In this file, create a new class called ExplorerMenu and add the new background color. To do so, add this piece of code to it:

.ExplorerMenu {BACKGROUND-COLOR: <color>;}

In the code, <color> represents the new color.

4. Use a text editor to open the tjspClassicLayout.jsp file, which is located in the E:\jboss-4.0.2\server\default\deploy\XellerateFull.ear\xlWebApp.war\layouts directory.

5. Replace the Sidebar element with the ExplorerMenu class.

6. Save your changes.

7. Restart the Oracle Identity Manager Server.

Unlocking the xelsysadm User Account

• Problem: The xelsysadm user account is locked and cannot be unlocked because an Oracle Identity Manager user exceeded the maximum number of login attempts.

• Solution: 1. Stop the Oracle Identity Manager Server.

2. Open a DOS window.

3. In the DOS prompt that appears, enter sqlplus /nolog. A SQL prompt appears.

4. Connect to the Oracle database as an administrator (for example, connect sys/sys@train91 as sysdba, where sys is the system user and password and train91 is the name of the database).

5. Run the following query:

SQL> UPDATE SYS.USR SET USR_LOCKED=0, USR_LOGIN_ATTEMPTS_CTR=0 WHERE USR_LOGIN='XELSYSADM';

6. After you see that the row is updated, commit the changes to the database. To do so, enter the following at the SQL prompt:

SQL> commit;

7. Restart the Oracle Identity Manager Server.
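
The same unlock wrapped in a guard, added here as an example and not part of the Oracle course material: it records the row's state before the change, commits only when exactly one row was updated and now reads as unlocked, and rolls back otherwise. SQLite with an attached schema named SYS stands in for the Oracle database so that the block runs offline; the sample rows and the function names are constructed.

```python
import sqlite3

# Statements from the procedure above, with the login passed as a bind variable.
STATE_SQL = ("SELECT USR_LOCKED, USR_LOGIN_ATTEMPTS_CTR FROM SYS.USR "
             "WHERE USR_LOGIN = :login")
UNLOCK_SQL = ("UPDATE SYS.USR SET USR_LOCKED=0, USR_LOGIN_ATTEMPTS_CTR=0 "
              "WHERE USR_LOGIN = :login")


def read_state(cur, login):
    """Return the (locked, attempts) rows for one login."""
    cur.execute(STATE_SQL, {"login": login})
    return cur.fetchall()


def guarded_unlock(conn, login):
    """Unlock one account; commit only if exactly one row changed as expected."""
    cur = conn.cursor()
    before = read_state(cur, login)
    if len(before) != 1:  # unknown or duplicated login: touch nothing
        return {"committed": False, "before": before, "after": before}
    cur.execute(UNLOCK_SQL, {"login": login})
    updated = cur.rowcount  # capture before the next SELECT resets it
    after = read_state(cur, login)
    if updated != 1 or after != [(0, 0)]:
        conn.rollback()
        return {"committed": False, "before": before, "after": before}
    conn.commit()
    return {"committed": True, "before": before, "after": after}


def make_demo_db():
    """Constructed stand-in database: one locked account, one normal account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS SYS")
    conn.execute("CREATE TABLE SYS.USR (USR_LOGIN TEXT, USR_LOCKED INTEGER, "
                 "USR_LOGIN_ATTEMPTS_CTR INTEGER)")
    conn.executemany("INSERT INTO SYS.USR VALUES (?, ?, ?)",
                     [("XELSYSADM", 1, 6), ("TJONES", 0, 1)])
    conn.commit()
    return conn


if __name__ == "__main__":
    print(guarded_unlock(make_demo_db(), "XELSYSADM"))
```

The returned before and after values are what belongs in the change record for an unlock done outside the application.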

Summary

In this lesson, you should have learned how to use disaster-recovery procedures to fix common problems that administrators encounter with Oracle Identity Manager.
