Detailed Identity Data Flow (drawing transcript)

Page 1: Detailed Identity Data Flow

OIM Identity Store
  Authorization Policy
  Roles Assigned
  Provision to Resources
  Scheduler Job Runs
  Central Repository

Provisioned resources and target systems
  Network User Accounts
  Corporate eMail
  Digital Workplace
  Remedy Prowatch
  Employee Active Directory
  Department Roles
  Retirement Portal
  Home Drive
  Corporate Portal
  Global Address Book “GAL”
  Mobile MyPay
  Org Charts 1
  Org Charts 2
  Salary Administration
  File System “T Drive” (T:\)
  PeopleSoft
  NOS Active Directory

Attribute groups on the drawing: Contact Information, Other Attributes

Source of record: Authoritative Human Resource Records from Oracle Service Bus

OIM user attributes

Basic Information
  User Type
  Display Name
  Organization
  First Name
  Middle Name
  Manager
  Last Name

Account Settings
  User Login
  Password

Account Effective Dates
  Start Date
  End Date

Postal Address
  Postal Code
  Pager
  Home Phone
  Fax
  Mobile
  Home Postal Address
  Street
  Country
  State
  PO Box

Extended Information
  Retiree Code
  fullOrPartTime
  Retiree Status
  Location Code
  Location Description
  Division Description
  Per_Org
  Job Code
  Department Description
  Manager Description
  Manager Level
  Manager Name
  Initials
  Title
  Locality Name
  Common Name
  Department Number
  Generation Qualifier
  Hire Date
  Employee Number

Source attributes feeding Basic Information, with their flow rules
  personOfOrigin: Direct flow
  preferredFirstName + lastName (Display Name): If preferredname is not present then use firstName with lastName (ex: Mike Reams)
  Division: Division changes will trigger OIM to perform business logic. The logic depends on whether the person is POI (Person of Interest), EMP (employee) or CWR (Contingent worker)
  preferredFirstName / firstName (First Name): If preferredname is not present then use firstName
  middleName: Direct flow
  supervisorId (Manager): Attribute will be derived by looking up the value of SUPERVISOR_ID in OIM
  lastName: Direct flow

OSB Data Source Attributes (PeopleSoft data attributes; business logic in the Oracle Service Bus)
  DeptId: For CORPT employees, default AD groups will be provisioned for certain departments
  employeeid: Direct flow; unique identifier (10 digit alpha ID)
  efftdate: Direct flow; will be used as Hire Date & Start Date for new hires & rehires only
  jobTitle: Only flow Title when the primary flag is set
  locationAddress.addressLine1: Direct flow
  locationAddress.postalCode: Direct flow
  locationAddress.country: Direct flow
  locationAddress.state: Direct flow
  locationCode: Direct flow
  locationDescription: Direct flow
  Division Description: Direct flow
  Per_Org: Direct flow; determines the type of person in PeopleSoft
  jobCode: Direct flow
  fullOrPartTime: Full or part-time status in PeopleSoft, ex: (FULL-TIME)
  deptDescription
  managerLevel: Employee’s management level in PeopleSoft, ex: (50). A manager level of 20 or below will invoke Exception Rule #1
  supervisorName
  managerLevelDescription: Employee’s management level description in PeopleSoft, ex: (Senior Manager)
  Two attributes are marked “Future Flow with RTIP”
  Further notes on the drawing: “Value of time of provisioning for all users”; “Used only for non-employees in data flow”

Additional OSB attributes on the drawing (no flow rule given)
  suffix
  prefix
  preferredlastName
  preferredFullName
  businessUnit
  businessUnitDescription
  locationAddress.addressLine2
  locationAddress.addressLine3
  regularOrTemp

Authoritative Human Resource Records
OIM Role to Application Mapping

Oracle Identity Manager: Identity & Access Provisioning Architecture Data Flow

Provisioning Dates
  Provisioning Date
  Deprovisioning Date

PeopleSoft source fields shown on the drawing
  FIRST_NAME_SRCH
  LAST_NAME_SRCH
  BUSINESS_UNIT
  NAME52
  PER_ORG
  DEPTID
  EMPLID
  CEH_BUS_ENT_DESCR
  JOBTITLE
  employeeid: Direct flow; unique identifier (10 digit alpha ID)
  efftdate: Direct flow; will be used as Hire Date & Start Date for new hires & rehires only
  Secondary Title (jobTitle): only flow Title when the secondary flag is set
  Password: a random password is generated and sent in the email workflow

Authoritative Data from Active Directory (Provision Phone & Email Information about User)
  mail (Active Directory attribute) -> Email (basic attribute): email flows from Active Directory; the lookup is based on “HomeEmployeeID”
  telephoneNumber (Active Directory attribute) -> Telephone Number (basic attribute): the phone number flows from Active Directory; the lookup is based on “HomeEmployeeID”

OIM Role Names (HCM authoritative roles)
  EMGR
  PAY
  CSUITE
  BENFITS
  PROFILE
  REC
  THM
  QUSER
  EMANAGER
  EVIEWER
  MGR2
  MGR1
  (cells marked XX on the drawing carry no role name)

Targets
  Active Directory: Import all Roles; Provision all Roles
    Role Based Access “MGR1” & “MGR2”
    Role Based Access “MANAGER” & “VIEWER”
    Role Based Access “PAY”
  Oracle Unified Directory: Provision all Roles; Provision all “Active” Users & Roles
  Applications: Corporate Portal, Mobile MyPay, Digital Workplace, Org Charts 1, Org Charts 2
  Provision Phone & Email Information about User

Roles for Department Provisioning (OIM Business Logic): Active Directory Group Provisioning

OIM Role Names
  Audit
  Corporate Development
  Accounting
  SAP Support
  LTD Employees
  Benefits
  Communications

Rule applied for each department role: OIM reads in the SOA data and checks whether the attribute “DeptId” equals the department’s code. If so, the user is provisioned to that OIM Role. DeptId values on the drawing:
  CXHQ102
  CXHQ105
  CXHQ108
  CXHQ145
  CXHQ103Y
  CXHQLTD
  CXHQ109

AD groups provisioned with the department roles (SamAccountNames)
  Users1, Employees, PS Financial Users (three of the roles)
  Users1, Employees, PS Financial Users, 0BusDev
  Users1, Employees, PS Financial Users, ATDept
  Users1, Employees, PS Financial Users, PortalUsers
  Users1, Employees, PS Financial Users, ATLCommunications
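As an added illustration (not part of the drawing or of the OIM configuration it documents), the following Python sketch implements the OSB-to-OIM rules the transcript states: preferred-name fallback for First Name and Display Name, Manager derived by looking up supervisorId in the identity store, Title flowing only when the primary flag is set, efftdate used as Hire Date and Start Date for new hires and rehires only, Exception Rule #1 triggered at manager level 20 or below, the portal role chosen from the Org value (EMP or CWR), and a department role chosen from DeptId. The DeptId-to-role pairs, the supervisor directory and the two flag field names are constructed for the example; the drawing lists the DeptIds and role names but not which belongs to which.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the drawing lists DeptId values and department
# role names but not their pairing, so these pairs are an assumption.
DEPT_ROLES = {
    "CXHQ102": "Audit",
    "CXHQ105": "Accounting",
    "CXHQLTD": "LTD Employees",
}

# Constructed stand-in for the OIM identity store used to resolve
# SUPERVISOR_ID to the manager's DN (keyed by employeeid).
OIM_USERS = {
    "000123": "CN=ManagerName,OU=Users,OU=Enterprises,OU=CEI,DC=Company,DC=com",
}

# Portal roles the drawing ties to the SOA "Org" value.
PORTAL_ROLE_BY_ORG = {
    "EMP": "Corporate Portal Employee",
    "CWR": "Corporate Portal Contractor",
}

EXCEPTION_RULE_1_MAX_LEVEL = 20  # manager level of 20 or below invokes Exception Rule #1


@dataclass
class OsbRecord:
    """One user record from the Oracle Service Bus. Field names follow the
    drawing except primaryJobFlag and newHireOrRehire, which are assumed."""
    employeeid: str
    firstName: str
    lastName: str
    preferredFirstName: Optional[str] = None
    middleName: Optional[str] = None
    supervisorId: Optional[str] = None
    deptId: Optional[str] = None
    jobTitle: Optional[str] = None
    primaryJobFlag: bool = True        # the "primary flag" for jobTitle
    managerLevel: Optional[int] = None
    personOfOrigin: str = "EMP"        # POI, EMP or CWR
    efftdate: Optional[str] = None
    newHireOrRehire: bool = False      # new hire / rehire indicator


def first_name(rec: OsbRecord) -> str:
    """If preferredFirstName is not present, use firstName."""
    return rec.preferredFirstName or rec.firstName


def display_name(rec: OsbRecord) -> str:
    """preferredFirstName + lastName, falling back to firstName (ex: Mike Reams)."""
    return f"{first_name(rec)} {rec.lastName}"


def manager(rec: OsbRecord) -> Optional[str]:
    """Derive Manager by looking up SUPERVISOR_ID in the OIM identity store."""
    return OIM_USERS.get(rec.supervisorId) if rec.supervisorId else None


def title(rec: OsbRecord) -> Optional[str]:
    """Only flow Title when the primary flag is set."""
    return rec.jobTitle if rec.primaryJobFlag else None


def hire_and_start_date(rec: OsbRecord) -> Optional[str]:
    """efftdate becomes Hire Date and Start Date for new hires and rehires only."""
    return rec.efftdate if rec.newHireOrRehire else None


def exception_rule_1(rec: OsbRecord) -> bool:
    """True when the manager level is 20 or below."""
    return rec.managerLevel is not None and rec.managerLevel <= EXCEPTION_RULE_1_MAX_LEVEL


def roles(rec: OsbRecord) -> list:
    """Portal role from Org, then department role from DeptId (if any)."""
    out = []
    portal = PORTAL_ROLE_BY_ORG.get(rec.personOfOrigin)
    if portal:
        out.append(portal)
    dept = DEPT_ROLES.get(rec.deptId) if rec.deptId else None
    if dept:
        out.append(dept)
    return out


def transform(rec: OsbRecord) -> dict:
    """Assemble the OIM user attributes and role list for one OSB record."""
    return {
        "Employee Number": rec.employeeid,
        "First Name": first_name(rec),
        "Middle Name": rec.middleName,
        "Last Name": rec.lastName,
        "Display Name": display_name(rec),
        "Manager": manager(rec),
        "Title": title(rec),
        "Hire Date": hire_and_start_date(rec),
        "Start Date": hire_and_start_date(rec),
        "User Type": rec.personOfOrigin,
        "Roles": roles(rec),
        "Exception Rule #1": exception_rule_1(rec),
    }


if __name__ == "__main__":
    sample = OsbRecord("000555", "Michael", "Reams", preferredFirstName="Mike",
                       supervisorId="000123", deptId="CXHQ102",
                       jobTitle="Lead Solution Architect", managerLevel=50,
                       efftdate="2014-10-20", newHireOrRehire=True)
    for key, value in transform(sample).items():
        print(f"{key}: {value}")
```

Each rule lives in its own small function so that a reconciliation run can be checked rule by rule; in particular, a supervisorId that does not resolve in the identity store yields a Manager of None rather than a guessed value, and a DeptId outside the mapping table grants no department role.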

Authoritative Roles for “On-Prem” Applications (Role Based Access)

OIM Role Names
  Timesheet Manager
  COMP Super User
  Timesheet
  COMP Manager
  Timesheet BOTH

Role rules
  Employees who have the “TIMESHEET” role in Kronos will have an OIM Authorization Policy applied
  Employees who have the “TSMGR” role in Kronos will have an OIM Authorization Policy applied
  Employees who have the “All” role in Kronos will have an OIM Authorization Policy applied
  Employees who have the “Comp.SuperUser” role in Sal Admin will have an OIM Authorization Policy applied
  Employees who have the “Comp.ManagerUser” role in Sal Admin will have an OIM Authorization Policy applied

Targets: Oracle Unified Directory (Provision Roles), Corporate Portal, Salary Administration, Retirement Portal

Portal roles (Provision Roles)
  Corporate Portal Employee: managed in real time for people coming through SOA that have “Org” set to “EMP”. An OIM Authorization Policy will apply to these users
  Corporate Portal Contractor: managed in real time for people coming through SOA that have “Org” set to “CWR”. An OIM Authorization Policy will apply to these users
  Portal Admin: managed only within OIM; mapped to the Portal Admin Group to grant administrative access to the portal
  Retirement Portal Admin: managed only within OIM; mapped to the Retiree Portal Admin Group to grant administrative access to the portal
  Retirement Portal Member: managed in real time for retirees coming through SOA that have a value set. An OIM Authorization Policy will apply to these users

Role sources (Role Based Access)
  Timesheet Oracle Database: Timesheet contains a multi-value view which the OIM GTC can connect to as the authoritative source of record for Access Roles
  Microsoft SQL Database: the Compensation App contains a multi-value view in SQL which the OIM GTC can connect to as the authoritative source of record for Access Roles

Department Roles / NTFS Mappings (Role Based Access)

PeopleSoft Oracle Database
  HCM will send Department updates via the SOA layer
  The OIM Authorization Policy for each OIM Role will kick in and then sync the change out to Active Directory per defined Department ID
  The Oracle Service Bus receives data from HCM and transforms it based on business logic
  User data enters the Service Bus Queue and is sent to the OIM Java Web Service Listener

HCM Authoritative Roles (PeopleSoft Role Names; Provision All Roles; each role is a direct flow)
  EMGR
  PAY
  CSUITE
  BENFITS
  PROFILE
  REC
  THM
  QUSER
  MANAGER
  VIEWER
  MGR2
  MGR1
  (cells marked XX on the drawing carry no role name)

PeopleSoft Oracle Database (OIM Role to Application Mapping)
  The HCM Stat executes business processes to populate views through Control-M
  The views are called “EMP_GRP_VW” (the Base View) and “EMP_MEM_VW” (the multi-value view)
  Oracle Identity Manager runs, via Control-M or manually, the job for the OIM HCM Role Recon, which then populates OIM with updated employee members from the Oracle Database Views
  The OIM Authorization Policy for each OIM Role will kick in and then sync the change out to AD and OUD. AD is a short-term solution

OIM Data Flow

Oracle Unified Directory (dc=companyA,dc=com)

PeopleSoft fields shown on the drawing
  MIDDLE_INITIAL
  STATE
  POSTAL
  ADDRESS1
  LOCATION
  LOCATION_DESCR
  JOBCODE
  PER_ORG
  City (locationAddress.city): Direct flow

Other systems on the drawing
  Yammer
  Active Directory “NOS”: NOS-networkID, NOS-networkDomain
  HCM

Project: Oracle OAM/OIM
Revision: 1.13
Drawing #1.2
Date: 12/6/2015
Size: Letter 34x44
Technical Design By: Mike Reams

Active Directory attributes (out-of-the-box and custom), with the example values shown on the drawing
  User Type: Direct Flow, ex: EMP | CWR | POI
  Display Name: Direct Flow, ex: Reams, Mike (Atlanta)
  Division: Direct Flow, ex: CORPT
  givenName: Direct Flow, ex: Mike
  middleName: Direct Flow
  Manager: ex: CN=ManagerName,OU=Users,OU=Enterprises,OU=CEI,DC=Company,DC=com
  sn: Direct Flow, ex: Reams
  employeeID: Direct Flow, ex: 000555
  Title: Direct Flow, ex: Lead Solution Architect
  cei-startDate: Direct Flow, ex: 2014-10-20
  homeEmployeeID: Direct Flow
  accountExpires
  password: Password Sync Process
  Postal Address: Direct Flow, ex: 6205 Peachtree Dunwoody Rd NE
  Postal Code: Direct Flow, ex: 30328-4524
  Country: Direct Flow, ex: United States
  State: Direct Flow, ex: GA
  localID
  Location Description: Direct Flow, location description in PeopleSoft, ex: (CompanyA, Inc. Headqtrs)
  Division Description: Direct Flow, division description in PeopleSoft, ex: (Television)
  Per_Org: Direct Flow, person of origin in PeopleSoft, ex: (POI (Person of Interest), EMP (employees), CWR (Contingent worker))
  Job Code: Direct Flow, job code in PeopleSoft, ex: (A148)
  Department Description: Direct Flow, employee’s department description in PeopleSoft, ex: (Product Management)
  City: Direct Flow, employee’s business city in PeopleSoft, ex: (Atlanta)
  networkID
  networkDomain
  Location Code: Direct Flow, location code in PeopleSoft, ex: (CXHQ)

Data Provisioning to LDAP Directories

Other target on the drawing: File System “T Drive” (T:\)

Central Repository (Oracle Unified Directory) attributes
  givenName
  middleName
  sn
  UID
  Title
  accountExpires
  password
  Postal Address
  Postal Code
  Country
  State
  Retiree Code: value from HCM that shows the retiree role to assign the user, ex: (REMED)
  fullOrPartTime
  Retiree Status: will have a value set to determine whether the elig_config6 value is set or not. The value will either be Null or set to “Retired”
  localID
  Division Description
  Per_Org
  Job Code
  Department Description
  Manager Description
  Manager Name
  City
  networkID
  networkDomain

Internet Directory attributes
  EmployeeType
  Display Name
  cei-division & division
  givenName
  middleName
  Manager
  sn
  UID | cn
  Title
  cei-startDate
  Cei-homeEmployeeID
  userpassword
  homePostalAddress
  postalCode
  Country
  State
  businessCategory
  localID
  company
  divisionDescr
  jobcode
  department
  physicalDeliveryOfficeName
  networkID
  networkDomain

Notes on the drawing for CORPT users (OIM manages their account creation)
  For CORPT users, OIM will set this since it manages account creation
  For CORPT users, OIM will set this to (DOMAIN) since it manages account creation
  CORPT users will get this assigned by OIM
  CORPT users will get a constant value by OIM

NOS Active Directory source attributes
  NOS-networkDomain
  NOS-networkID