Oracle® Identity Manager Connector Guide for IBM RACF Advanced
Release 9.0.4

Part Number E10451-20

4 Using the Connector

This chapter discusses the following topics:

4.1 Guidelines on Using the Connector

Apply the following guidelines while using the connector:

4.2 Scheduled Tasks for Lookup Field Synchronization

The following are the scheduled tasks for lookup field synchronization:

Note:

The procedure to configure these scheduled tasks is described later in the guide.

These scheduled tasks populate lookup fields in Oracle Identity Manager with resources, datasets, or group IDs. Values from these lookup fields can be assigned during user provisioning operations and reconciliation runs. When you configure these scheduled tasks, they run at specified intervals and fetch a listing of all resource, dataset, or group IDs on the target system for reconciliation.

Table 4-1 describes the attributes of the Find All Datasets and Find All Groups scheduled tasks.

Table 4-1 Attributes of the Find All Datasets and Find All Groups Scheduled Tasks

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Resource Object

Enter the name of the resource object against which provisioning runs must be performed.

Sample value: OIMRacfResourceObject

Lookup Code Name

Enter the name of the lookup code where OIM will store the names of any datasets or groups to which the user belongs.

Sample value: Lookup.Users.DatasetMemberships

Recon Type

Enter "Append" or "Replace". This attribute determines whether dataset and group memberships from the target system will be appended to the current lookup, or replace the existing values in the lookup. If set to "Replace", the existing lookup will be deleted.

Sample value: Replace

R2

Enter whether the version of Oracle Identity Manager in use is 11.1.2.x.

Sample value: true


Table 4-2 describes the attributes of the Find All Resources scheduled task.

Table 4-2 Attributes of the Find All Resources Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Resource Object

Enter the name of the resource object against which provisioning runs must be performed.

Sample value: OIMRacfResourceObject

Lookup Code Name

Enter the name of the lookup code where OIM will store the names of any resources to which the user belongs.

Sample value: Lookup.Users.ResourceMemberships

Recon Type

Enter "Append" or "Replace". This attribute determines whether resources from the target system will be appended to the current lookup, or replace the existing values in the lookup. If set to "Replace", the existing lookup will be deleted.

Sample value: Replace

Resource Class Type

Enter the name of the type of resource class you are reconciling. You can enter multiple resource class types as a comma-separated list. If you want to reconcile all resources, enter *.

Sample value: FACILITY,CONSOLE,PROGRAM

R2

Enter whether the version of Oracle Identity Manager in use is 11.1.2.x.

Sample value: true


4.3 Configuring the Security Attributes Lookup Field

The Lookup.RacfSecurityAttributes lookup definition is one of the lookup definitions that is created in Oracle Identity Manager when you deploy the connector. This lookup field is populated with standard RACF nonvalue security attributes such as ADSP, AUDIT, SPECIAL, and so on. The IBM RACF Advanced connector includes a scheduled task to automatically populate the lookup field used for storing RACF security attributes. Table 4-3 describes the attributes of the Find All Security Attributes scheduled task.

Note:

The Find All Security Attributes scheduled task does not query the target system for data. Instead, the scheduled task automatically populates the lookup field with "itResourceKey~securityAttributeName" pairs based on the IT Resource and Security Attribute scheduled task property values.

Table 4-3 Attributes of the Find All Security Attributes Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Security Attributes

Enter a comma-separated list of RACF non-value security attributes.

Sample value: ADSP, AUDIT, RESTRICTED, SPECIAL, UAUDIT

Lookup Code Name

Enter the name of the lookup code where Oracle Identity Manager will store the security attribute entries.

Sample value: Lookup.RacfSecurityAttributes

Recon Type

Enter "Append" or "Replace". This attribute determines whether "IT resource key~security attribute" pairs will be appended to the current lookup, or replace the existing values in the lookup. If set to "Replace", the existing lookup will be deleted.

Sample value: Replace


However, you can also manually add additional values.

To add additional security attributes for provisioning and reconciliation:

  1. Log in to Oracle Identity Manager Design Console.

  2. Expand Administration and then double-click Lookup Definition.

  3. Search for the Lookup.RacfSecurityAttributes lookup definition.

  4. Click Add.

  5. In the Code Key column, enter the name of the security attribute. Enter the same value in the Decode column. The following is a sample entry: Code Key: ADSP Decode: ADSP

  6. Click the Save icon.

4.4 Configuring Reconciliation

The IBM RACF Advanced connector supports both incremental reconciliation (sometimes referred to as real-time reconciliation) and full reconciliation. This section discusses the following topics related to configuring reconciliation:

4.4.1 Incremental Reconciliation

The Voyager agent and the LDAP gateway perform incremental reconciliation. To configure incremental reconciliation:

  1. Copy the racf-adv-agent-recon.jar and VOYAGER_ID.properties files from the lib directory of the installation media to the LDAP_INSTALL_DIR/etc directory.

  2. Open the LDAP_INSTALL_DIR/etc/VOYAGER_ID.properties file, and set values for the properties described in Table 4-4.

    Table 4-4 Properties in the VOYAGER_ID.properties File

    Property Description

    itResource

    Use this property to specify the name of the IT resource that you define by performing the procedure described in Section 3.5, "Configuring the IT Resource".

    xlAdminId

    Use the xlAdminId property to specify the user ID of a user belonging to the SYSTEM ADMINISTRATORS group.

    xlAdminPwd

    Use this property to specify the password of the user whose user ID you specify as the value of the xlAdminId property. This property is used only on Oracle Identity Manager release 11.1.1.

    If required, you can encrypt the password for security purposes. You can use the propertyEncrypt script to encrypt passwords. This script is in the scripts directory on the installation media. The procedure to use the script is given in Step 5 of Section 3.9, "Installing and Configuring the LDAP Gateway". After you run the script, copy the encrypted password as the value of the xlAdminPwd property.

    xlAdminPwdEncrypt

    Enter true as the value of the xlAdminPwdEncrypt property if you have set an encrypted password as the value of the xlAdminPwd property.

    Otherwise, enter false. This property is used only on Oracle Identity Manager release 11.1.1.

    xlJndiUrl

    This property is used only on Oracle Identity Manager release 11.1.1. To determine the JNDI URL:

    In a text editor, open the following file:

    OIM_DC_HOME/xlclient/Config/xlconfig.xml

    Here, OIM_DC_HOME is the name and full path of the directory in which you install the Oracle Identity Manager Design Console.

    Copy the value of the java.naming.provider.url element.

    Set the value for the xlJndiUrl property.

    Sample value: t3://localhost:14000/oim

    xlJndiFactory

    The default value is weblogic.jndi.WLInitialContextFactory.

    Do not change this default value. This property is used only on Oracle Identity Manager releases 11.1.1 and 11.1.2.x.


  3. The Voyager reconciliation agent sends a unique identifier value, called VOYAGER_ID, each time a reconciliation event occurs. This value must match the name of the .properties file being used by the racf-adv-agent-recon.jar file for reconciliation. For example, if VOYAGER_ID=VOYAGE14 in the Voyager control file, then the .properties file should be named VOYAGER14.properties. See Appendix H for more information on the VOYAGER_ID agent parameter.

    Rename the LDAP_INSTALL_DIR/etc/VOYAGER_ID.properties file to match the VOYAGER_ID property in the Voyager agent control file.

  4. From the LDAP_INSTALL_DIR/dist/idfserver.jar file, extract the beans.xml file and then open the file in an editor.

  5. In the beans.xml file, locate the bean definition for RACF:

    <bean name="racf" singleton="true" class="com.identityforge.idfserver.backend.racf.RacfModule">
     
    <property name="suffix" value="dc=racf,dc=com"/>
    <property name="workingDirectory" value="../racf"/>
    <property name="adminUserDN" value="cn=idfRacfAdmin, dc=racf,dc=com"/>
    <property name="adminUserPassword" value="idfRacfPwd"/>
    <property name="altAdminUserDN" value="cn=oimRacfAdmin, dc=racf,dc=com"/>
    <property name="altAdminUserPassword" value="oimRacfPwd"/>
    <property name="allowAnonymous" value="true"/>
    <property name="entryCacheSize" value="1000"/>
    <property name="defaultUacc" value="read"/>
    <property name="searchUsersType" value="user"/>
     
    <property name="schema" ref="schemas"/>
    <property name="metaBackend"><ref bean="hpbe2"/></property>
     
    <property name="configLocation" value="../conf/racf.properties"/>
     
    <property name="agent" value="false"/>
    <property name="agentAdapters">
    <list>
    <value>com.thortech.xl.racf.recon.RacfAgentReconImpl</value>
    </list>
    </property>
    </bean>
    
  6. Locate the line for the agent and set the value to true:

    <property name="agent" value="true"/>
    

    This setting determines whether the LDAP gateway will receive messages from the Voyager agent. To enable the LDAP gateway to receive Voyager messages, set the value to true.

  7. Log files generated during real-time reconciliation will be stored in the LDAP_INSTALL_DIR/logs/racf-agent-recon.log file.
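
The file checks that follow from steps 2, 3, 5, and 6 can be scripted and run before the LDAP gateway is restarted. The following Python check is an added example, not part of the connector or of the original guide. The function names, the sample file contents, and the VOYAGR01 identifier are constructed for illustration; the two password strings are the ones printed in the beans.xml listing in step 5.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Passwords printed in the guide's beans.xml listing. Finding them in a
# deployed file means the listing's values were never replaced.
LISTING_PASSWORDS = {"adminUserPassword": "idfRacfPwd",
                     "altAdminUserPassword": "oimRacfPwd"}
JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory"

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_PROPERTIES = """\
# constructed sample
itResource=RacfResource
xlAdminId=oimadmin01
xlAdminPwd=Example-Passw0rd
xlAdminPwdEncrypt=false
xlJndiUrl=t3://localhost:14000/oim
xlJndiFactory=weblogic.jndi.WLInitialContextFactory
"""
SAMPLE_BEANS = """\
<beans>
  <bean name="racf" singleton="true"
        class="com.identityforge.idfserver.backend.racf.RacfModule">
    <property name="adminUserPassword" value="idfRacfPwd"/>
    <property name="altAdminUserPassword" value="oimRacfPwd"/>
    <property name="allowAnonymous" value="true"/>
    <property name="agent" value="false"/>
  </bean>
</beans>
"""


def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_properties(file_name, text, voyager_id):
    """Check a VOYAGER_ID.properties file against Table 4-4 and step 3."""
    props = parse_properties(text)
    findings = []
    stem = PurePosixPath(file_name).stem
    if stem != voyager_id:
        findings.append(f"file is named {stem}.properties but the agent "
                        f"sends VOYAGER_ID={voyager_id}")
    for key in ("itResource", "xlAdminId"):
        if not props.get(key):
            findings.append(f"{key} is missing or empty")
    encrypted = props.get("xlAdminPwdEncrypt", "").lower() == "true"
    if props.get("xlAdminPwd") and not encrypted:
        findings.append("xlAdminPwd is in clear text; encrypt it with "
                        "propertyEncrypt and set xlAdminPwdEncrypt=true")
    factory = props.get("xlJndiFactory")
    if factory is not None and factory != JNDI_FACTORY:
        findings.append("xlJndiFactory was changed from its default")
    return findings


def audit_racf_bean(beans_xml):
    """Check the 'racf' bean (no XML namespace, as in the guide's listing)."""
    root = ET.fromstring(beans_xml)
    bean = next((b for b in root.iter("bean") if b.get("name") == "racf"), None)
    if bean is None:
        return ["no bean named 'racf' found"]
    values = {p.get("name"): p.get("value") for p in bean.findall("property")}
    findings = []
    if values.get("agent") != "true":
        findings.append("agent is not 'true'; the gateway will not receive "
                        "Voyager messages")
    for name, listed in LISTING_PASSWORDS.items():
        if values.get(name) == listed:
            findings.append(f"{name} still has the value printed in the guide")
    if values.get("allowAnonymous") == "true":
        findings.append("allowAnonymous is 'true'; confirm that this is intended")
    return findings


if __name__ == "__main__":
    # The agent's VOYAGER_ID used here is a constructed value.
    for finding in audit_properties("etc/VOYAGER_ID.properties",
                                    SAMPLE_PROPERTIES, "VOYAGR01"):
        print("properties:", finding)
    for finding in audit_racf_bean(SAMPLE_BEANS):
        print("beans.xml: ", finding)
```

The file name check reports a properties file that was never renamed in step 3, and the beans.xml check reports a gateway that is still running with the values shown in the listing.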

4.4.2 Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.

When you run the Connector Installer, a scheduled job for user reconciliation (RACF Reconcile All Users) is automatically created in Oracle Identity Manager.

To perform full reconciliation, run the RACF Reconcile All Users scheduled task.

4.4.3 Reconciliation Scheduled Tasks

When you run the Connector Installer, the following reconciliation scheduled tasks are automatically created in Oracle Identity Manager:

4.4.3.1 RACF Reconcile All Users

The RACF Reconcile All Users scheduled task is used to reconcile user data in the target resource (account management) mode of the connector. This scheduled task runs at specified intervals and fetches create or modify events on the target system for reconciliation.

Table 4-5 describes the attributes of the RACF Reconcile All Users scheduled task.

Table 4-5 Attributes of the RACF Reconcile All Users Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Resource Object

Enter the name of the resource object against which reconciliation runs must be performed.

Sample value: OIMRacfResourceObject

Trusted Resource Object

Enter the name of the resource object against which trusted reconciliation runs must be performed.

Sample value: Xellerate User

MultiValuedAttributes

Enter a comma-separated list of multi-valued attributes that you want to reconcile. Do not include a space after each comma.

Sample value: attributes, memberOf

SingleValueAttributes

Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValuedAttributes field.

Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize

Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database.

TrustedReconciliation

Enter whether the target system should be treated as a trusted source.

Sample value: true

uidCase

Enter either "upper" or "lower" for the case of the UID attribute value.

Sample value: upper

UsersList

Enter a comma-separated list of UIDs that you want to reconcile from the target system. If this property is left blank, then all users on the target system will be reconciled.

Sample value: userQA01,georgeb,marthaj,RST0354

R2

Enter whether the version of Oracle Identity Manager in use is 11.1.2.x.

Sample value: true


4.4.3.2 RACF Reconcile Deleted Users

The RACF Reconcile Deleted Users scheduled task is used to reconcile data about deleted users in the target resource (account management) mode of the connector.

When you run this scheduled task, it fetches a list of users on the target system. These user names are then compared with provisioned users in Oracle Identity Manager. Any user profiles that exist within Oracle Identity Manager, but not in the target system, are deleted from Oracle Identity Manager. In other words, during a reconciliation run, for each deleted user account on the target system, the RACF User resource is revoked for the corresponding OIM User.

Table 4-6 describes the attributes of the RACF Reconcile Deleted Users scheduled task.

Table 4-6 Attributes of the RACF Reconcile Deleted Users Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Resource Object

Enter the name of the resource object against which the delete reconciliation runs will be performed.

Sample value: OIMRacfResourceObject

Recon Matching Rule Attributes

Enter a comma-separated list of attributes used in the matching rule. If the IT resource is used, enter "IT".

Sample value: UID,IT


4.5 Configuring Account Status Reconciliation

Note:

This section describes an optional procedure. Perform this procedure only if you want reconciliation of user status changes from IBM RACF.

When a user is disabled or enabled on the target system, the status of the user can be reconciled into Oracle Identity Manager. To configure reconciliation of user status changes made on IBM RACF:

  1. If using real-time reconciliation, in the LDAP_INSTALL_DIR/VOYAGER_ID.properties file, add the Status attribute to the reconAttrs property.

  2. If using scheduled task reconciliation, in the RACF Reconcile All Users scheduled task, add the Status attribute to the SingleValueAttributes property list.

  3. Log in to the Design Console:

    See Also:

    Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about the following steps

    1. In the OIMRacfResourceObject resource object, create a reconciliation field to represent the Status attribute.

    2. In the OIMRacfProvisioningProcess process definition, map the field for the Status field to the OIM_OBJECT_STATUS field.

4.6 Configuring Scheduled Tasks

This section describes the procedure to configure scheduled tasks. You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.

Table 4-7 lists the scheduled tasks that you must configure.

Table 4-7 Scheduled Tasks for Lookup Field Synchronization and Reconciliation

Scheduled Task Description

RACF Find All Resources

This scheduled task is used to synchronize the values of resource lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 4.2, "Scheduled Tasks for Lookup Field Synchronization."

RACF Find All Datasets

This scheduled task is used to synchronize the values of dataset lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 4.2, "Scheduled Tasks for Lookup Field Synchronization."

RACF Find All Groups

This scheduled task is used to synchronize the values of group IDs lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 4.2, "Scheduled Tasks for Lookup Field Synchronization."

RACF Find All Security Attributes

This scheduled task is used to automatically populate the security attributes lookup field with IT Resource Key~Security Attribute Name pairs. For information about this scheduled task and its attributes, see Section 4.3, "Configuring the Security Attributes Lookup Field."

RACF Reconcile All Users

This scheduled task is used to fetch user data during target resource reconciliation. For information about this scheduled task and its attributes, see Section 4.4.3.1, "RACF Reconcile All Users."

RACF Reconcile Deleted Users

This scheduled task is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user account on the target system, the RACF User resource is revoked for the corresponding OIM User. For information about this scheduled task and its attributes, see Section 4.4.3.2, "RACF Reconcile Deleted Users."


To configure a scheduled task:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.1.0.x:

      1. Log in to the Administrative and User Console.

      2. Expand Resource Management, and then click Manage Scheduled Task.

    • For Oracle Identity Manager release 11.1.1:

      1. Log in to the Administrative and User Console.

      2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

      3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    • For Oracle Identity Manager release 11.1.2.x:

      1. Log in to Oracle Identity System Administration.

      2. In the left pane, under System Management, click Scheduler.

  2. Search for and open the scheduled task as follows:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      1. On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.

      2. In the search results table, click the edit icon in the Edit column for the scheduled task.

    • If you are using Oracle Identity Manager release 11.1.1 or 11.1.2.x, then:

      1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

      2. In the search results table on the left pane, click the scheduled job in the Job Name column.

  3. Modify the details of the scheduled task. To do so:

    1. If you are using Oracle Identity Manager release 9.1.0.x, then on the Edit Scheduled Task page, modify the following parameters, and then click Continue:

      Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

      Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.

      Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

      Frequency: Specify the frequency at which you want the task to run.

      When you click Edit, the Edit Scheduled Task page is displayed.

    2. If you are using Oracle Identity Manager release 11.1.1 or 11.1.2.x, then on the Job Details tab, you can modify the following parameters:

    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  4. Specify values for the attributes of the scheduled task. To do so:

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    • See "Reconciliation Scheduled Tasks" for the list of scheduled tasks and their attributes.

    • If you are using Oracle Identity Manager release 9.1.0.x, then on the Attributes page, select the attribute from the Attribute list, specify a value in the field provided, and then click Update.

    • If you are using Oracle Identity Manager release 11.1.1 or 11.1.2.x, then on the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

  5. After specifying the attributes, do one of the following:

    • If you are using Oracle Identity Manager release 9.1.0.x, then click Save Changes to save the changes.

      Note:

      The Stop Execution option is not available in the Administrative and User Console. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.

    • If you are using Oracle Identity Manager release 11.1.1 or 11.1.2.x, then click Apply to save the changes.

      Note:

      The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.
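
The attribute values entered in step 4 can be checked before the job is saved. The following Python check is an added example, not part of the connector or of the original guide, and covers the RACF Reconcile All Users task: it applies the rules stated in Table 4-5 and the empty-value rule from the note in step 4. The function and constant names are constructed, and it assumes that the boolean attributes take the literal strings "true" or "false". The Table 4-5 sample values are used as input to show what is reported when a list contains a space after a comma.

```python
MAX_FIELD_LEN = 150  # default design-form limit from the note in Table 4-5
# UsersList is left out: Table 4-5 allows it to be blank (reconcile all users).
REQUIRED = ("IT Resource", "Resource Object", "Trusted Resource Object",
            "MultiValuedAttributes", "SingleValueAttributes",
            "TrustedReconciliation", "uidCase", "R2")
LIST_ATTRS = ("MultiValuedAttributes", "SingleValueAttributes", "UsersList")
# Assumption: boolean attributes take the literal strings "true" or "false".
BOOLEAN_ATTRS = ("TrustedReconciliation", "R2")

# Sample values as printed in Table 4-5.
TABLE_4_5_SAMPLE = {
    "IT Resource": "RacfResource",
    "Resource Object": "OIMRacfResourceObject",
    "Trusted Resource Object": "Xellerate User",
    "MultiValuedAttributes": "attributes, memberOf",
    "SingleValueAttributes": "uid,owner,defaultGroup,waddr1,tsoMaxSize",
    "TrustedReconciliation": "true",
    "uidCase": "upper",
    "UsersList": "userQA01,georgeb,marthaj,RST0354",
    "R2": "true",
}


def split_list(name, raw, problems):
    """Split a comma-separated value and record formatting problems."""
    items = raw.split(",") if raw else []
    for item in items:
        if not item.strip():
            problems.append(f"{name}: empty element in list")
        elif item != item.strip():
            problems.append(f"{name}: remove the space around '{item.strip()}'")
    return [item.strip() for item in items if item.strip()]


def validate_reconcile_all_users(attrs):
    """Return a list of problems for a dict of attribute name -> value."""
    problems = []
    for name in REQUIRED:
        if not attrs.get(name, "").strip():
            problems.append(f"{name}: no value, so reconciliation "
                            "is not performed")
    for name, value in attrs.items():
        if len(value) > MAX_FIELD_LEN:
            problems.append(f"{name}: {len(value)} characters exceeds the "
                            f"default {MAX_FIELD_LEN}-character field limit")
    lists = {name: split_list(name, attrs.get(name, ""), problems)
             for name in LIST_ATTRS}
    overlap = (set(lists["MultiValuedAttributes"])
               & set(lists["SingleValueAttributes"]))
    for dup in sorted(overlap):
        problems.append(f"SingleValueAttributes: '{dup}' is already in "
                        "MultiValuedAttributes")
    uid_case = attrs.get("uidCase", "").strip()
    if uid_case and uid_case not in ("upper", "lower"):
        problems.append(f"uidCase: '{uid_case}' is not 'upper' or 'lower'")
    for name in BOOLEAN_ATTRS:
        value = attrs.get(name, "").strip()
        if value and value not in ("true", "false"):
            problems.append(f"{name}: '{value}' is not 'true' or 'false'")
    return problems


if __name__ == "__main__":
    for problem in validate_reconcile_all_users(TABLE_4_5_SAMPLE):
        print(problem)
```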

4.7 Performing Provisioning Operations in Oracle Identity Manager Release 9.1.0.x and 11.1.1

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.

When you install the connector on Oracle Identity Manager releases 9.1.0.x and 11.1.1, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Section 4.7.3, "Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager."

The following are the types of provisioning operations:

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about the types of provisioning

This section discusses the following topics:

4.7.1 Direct Provisioning

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. If you want to first create an OIM User and then provision a target system account, then:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      • From the Users menu, select Create.

      • On the Create User page, enter values for the OIM User fields and then click Create User.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      • On the Welcome to Identity Administration page, in the Users region, click Create User.

      • On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      • From the Users menu, select Manage.

      • Search for the OIM User and select the link for the user from the list of users displayed in the search results.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      • On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.

      • From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      • On the User Detail page, select Resource Profile from the list at the top of the page.

      • On the Resource Profile page, click Provision New Resource.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      • On the user details page, click the Resources tab.

      • From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  5. On the Step 1: Select a Resource page, select OIMRACFResourceObject from the list and then click Continue.

  6. On the Step 2: Verify Resource Selection page, click Continue.

  7. On the Step 3: Provide Process Data for RACF Advanced Details page, enter the details of the account that you want to create on the target system and then click Continue.

  8. If required, on the Step 4: Provide Process Data for RACF Group Membership Details page, search for and select any groups for the user on the target system and then click Continue.

  9. If required, on the Step 5: Provide Process Data for RACF Dataset Membership Details page, search for and select any datasets for the user on the target system and then click Continue.

  10. If required, on the Step 5: Provide Process Data for RACF Resource Profile Membership Details page, search for and select any resource profiles for the user on the target system and then click Continue.

  11. If required, on the Step 5: Provide Process Data for RACF Attribute Details page, enter any non-value attributes (such as TSO, SPECIAL, or OPERATIONS) for the user on the target system and then click Continue.

  12. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

  13. The "Provisioning has been initiated" message is displayed. Perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      • Click Back to User Resource Profile. The Resource Profile page shows that the resource has been provisioned to the user.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      • Close the window displaying the "Provisioning has been initiated" message.

      • On the Resources tab, click Refresh to view the newly provisioned resource.

4.7.2 Request-Based Provisioning

Note:

The information provided in this section is applicable only if you are using Oracle Identity Manager releases 9.1.0.x or 11.1.1.

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

4.7.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Advanced in the upper-right corner of the page.

  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.

  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.

  6. On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.

  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.

  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.

  10. From the Available Resources list, select OIMRacfResourceObject, move it to the Selected Resources list, and then click Next.

  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.

  12. On the Justification page, you can specify values for the following fields, and then click Finish.

    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the Request ID, then the Request Details page is displayed.

  14. To view details of the approval, on the Request Details page, click the Request History tab.

4.7.2.1.1 Approver's Role in Request-Based Provisioning

The following steps are performed by the approver in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Self-Service in the upper-right corner of the page.

  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.

  4. On the Approvals tab, in the first section, you can specify a search criterion for the request task that is assigned to you.

  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

4.7.3 Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager

Note:

It is assumed that you have performed the procedure described in Section 3.8, "Configuring Oracle Identity Manager for Request-Based Provisioning."

If you want to switch from request-based provisioning to direct provisioning, then:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the OIMRacfProvisioningProcess process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the OIMRacfResourceObject resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

If you want to switch from direct provisioning back to request-based provisioning, then:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the OIMRacfProvisioningProcess process definition.

    3. Select the Auto Save Form check box.

    4. Click the Save icon.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the OIMRacfResourceObject resource object.

    3. Select the Self Request Allowed check box.

    4. Click the Save icon.

4.8 Provisioning Operations in Oracle Identity Manager Release 11.1.2 or Later

To perform provisioning operations in Oracle Identity Manager release 11.1.2 or later:

  1. Log in to Oracle Identity Administrative and User console.

  2. Create a user. See the "Managing Users" chapter in Oracle Fusion Middleware User's Guide for Oracle Identity Manager for more information about creating a user.

  3. On the Account tab, click Request Accounts.

  4. In the Catalog page, search for and add to cart the application instance created in Section 3.6.1.3, "Creating an Application Instance", and then click Checkout.

  5. Specify values for the fields in the application form and then click Ready to Submit.

  6. Click Submit.

  7. If you want to provision entitlements, then:

    1. On the Entitlements tab, click Request Entitlements.

    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.

    3. Click Submit.