9 Developing Resource Objects

The Resource Management features of the Administrative and User Console enable you to manage resource objects for an organization or individual user. Managing resources includes the following activities:

• Searching for and viewing the details of a resource

• Provisioning, disabling, enabling, and revoking a resource from users or organizations

• Managing resource administrator and authorizer roles

• Viewing, creating, and modifying workflows

• Creating and managing IT resources

This chapter includes the following topics related to managing resources:

• Viewing Resource Details

• Working with Organizations Associated with Resources

• Using the Resource Administrator Option

• Using the Resource Authorizers Option

• Using the Resource Workflows Option to View Workflows

• Using the Resource Workflows Option to Create and Modify Workflows

• Creating IT Resources

• Managing IT Resources

• Managing Resources By Using the Design Console

9.1 Viewing Resource Details

To view the details of a resource:

1. Login to the Administrative and User Console, and then click Advanced.

2. In the Welcome page, under Configuration, click Manage Resource.

   Alternatively, click the Configuration tab, click Resource Management, and then select Manage Resource.

   The Resource Search page is displayed.

3. Use the fields at the top of the page to select the search criteria, and enter the corresponding search value in the adjoining field or use the asterisk (*) wildcard character. To use the Resource Type and Target criteria, select a value from the corresponding box.

4. From the Resource Audit Objective list, select the required option.

   The Resource Audit Objective list lets you group resources by any data type. You can select multiple values for the same resource. You can also add audit schedule values for quarterly, semiannual and annual reviews in the list of values of the field, and select a combination, such as SOX and quarterly, as audit requirements.

   The predefined values in the Resource Audit Objective list are as follows:

   • SOX (Hosts Financially Significant Information)

   • HIPAA (Hosts Private Healthcare Information)

   • GLB (Hosts Non-Public Information)

   • Requires Quarterly Review

   • Requires Annual Review

5. Click Search.

   The results table is displayed.

6. Click the name of a resource. For example, you can select a resource named Active Directory.

   The Resource Detail page is displayed.

7. To view detailed information about the resource, use the menu.

   The detailed information depends on the type of object, such as user or organization. For example, the detailed information that you can view for the organization object includes the following:

   • Organization Associated With This Resource

   • Resource Administrators

   • Resource Authorizers

9.2 Working with Organizations Associated with Resources

You can enable, delete, and revoke resources that are associated with an organization. You can also determine mapping categories for resources that are provisioned more than once to an organization.

To work with an organization that is associated with a resource:

1. Perform Steps 1 through 3 of the procedure described in the "Viewing Resource Details".

2. Select the Organization Associated For the Resource option.

   The Organization Associated For the Resource page is displayed.

3. Use the options to filter the list of associated organizations.

   Selecting the All option lists all the organizations. The By Status option filters the organizations on the basis of values in the Resource Status column. The organizations associated with the resource are listed under the Organization Name column. The resource status in this case, indicates that the resource is provisioned for each of the organizations listed. To modify the resource for the organization, select one of the following:

   • Enable

   • Disable

   • Revoke

   The value in the Identifier column corresponds with a field type that you can map from the Process Definition form in the Design Console by using the Map Descriptive Field. This value lets you distinguish which mapping category is defined, such as Process Type, Organization Name, or Request Key, when the same resource has been provisioned several times to the same organization.

9.3 Using the Resource Administrator Option

On the Resource Detail page, select Resource Administrator. The Resource Administrators page displays the names of roles that are assigned as administrators to this resource. This page also displays the Write Access and Delete Access permissions. These are permissions that the administrator roles have on the resource, but not with resource parameters. Write access allows the role to make changes to the resource. Delete access allows the role to delete the resource.

You can perform the following operations:

• Assigning Roles as Administrators for Resources

• Updating Permissions of an Administrative Role

9.3.1 Assigning Roles as Administrators for Resources

To assign a role or a user group as administrators for resources:

1. Click Assign.

   The Assign Administrators page is displayed.

   This page displays all role names that can be assigned to this resource. Select the options to activate the write and delete access and assign the role to this resource.

2. Click Assign.

   The Confirm Assign page is displayed. This page displays the new roles that are to be assigned as administrators for the resource.

3. Click Confirm Assign or click Cancel.

   The Resource Administrators page is displayed with a list of all role names associated with this resource. You can modify this information.

9.3.2 Updating Permissions of an Administrative Role

You can update the permissions of an administrative role.

To update the permissions:

1. Click Update Permissions.

   The Update Administrators page is displayed.

2. To change the permission setting for an administrative role, click the options for write and delete access.

3. Click Update to make the modifications, otherwise, click Cancel.

   The Confirmation page is displayed. It displays the administrative role names that you updated.

4. If these are the correct names, click Confirm Update, otherwise, click Cancel.

9.4 Using the Resource Authorizers Option

You can determine which roles are authorized to provision the resource.

To determine the resource authorizer:

1. On the Resource Detail page, select Resource Authorizer from the menu.

   The Resource Authorizers page is displayed.

2. To set the level of priority for authorizing this resource, select Increase/Decrease Priority.

3. To delete the authorizer of this resource, select the appropriate Group Name option, and then click Delete.

4. To add additional roles to authorize resources, click Assign.

   The Assign Authorizers page is displayed.

5. Select the appropriate role name option and click Assign, otherwise, click Cancel.

   The Confirmation page is displayed.

6. If the information is correct, click Confirm Assign, otherwise, click Cancel.

   The Resource Authorizers page is displayed. Note that the role name that you assigned to this resource is added to the results table.

9.5 Using the Resource Workflows Option to View Workflows

The Resource Workflows option in the Administrative and User Console consists of the Workflow Visualizer and the Workflow Designer. Using the Workflow Visualizer, you can view workflows. Using the Workflow Designer, you can create and edit workflows. This section discusses the Workflow Visualizer.

See Also:

"Using the Resource Workflows Option to Create and Modify Workflows"

The Workflow Visualizer tool provides a visual representation of task sequences, dependencies, and other components of a workflow definition. The visual representation provides an overview of the workflow, its relationships, and the task components that constitute the flow. You can also print the workflow view.

The Workflow Visualizer tool displays processes of type Provisioning. The Provisioning type process is used to provision Oracle Identity Manager resources to users or organizations.

Note:

To access the Workflow Visualizer, the Nexaweb applet requires your Web browser configuration to use Java Virtual Machine 1.4.2.x.x.

This section includes the following topics:

• Opening the Workflow Visualizer

• Elements of the Workflow Visualizer

• Operations on the Workflow Visualizer

9.5.1 Opening the Workflow Visualizer

To open the Workflow Visualizer:

1. On the Resource Detail page, select Resource Workflows from the list.

   The Resource Workflows page is displayed. This page displays the resource name and a table that lists the names of the workflow definitions for this resource.

2. To render the workflow definition into a graphic flowchart, select the required workflow.

   A graphical representation of the workflow definition is displayed in a new window.

9.5.2 Elements of the Workflow Visualizer

For provisioning workflows, multiple tabs are displayed on the Workflow Designer page. Provisioning workflows can have forms associated with them, and the workflow details header shows the form name.

Table 9-1 lists the information fields in the Workflow Visualizer.

Table 9-1 Information Fields in the Workflow Visualizer

Field	Description
Workflow Name	The name of the Process Definition.
For Resource	The name of the Object (resource object that is provisioned).
Workflow Type	The Process Definition type, which is Provisioning. The type also indicates whether or not the workflow is the default for the resource.
Form Name	The name of the form associated with a provisioning workflow.

Table 9-2 describes the toolbar menu items in the Workflow Visualizer.

Table 9-2 Toolbar Menu items in the Workflow Visualizer

Field	Description
Display Option	This option lets you view the elements on the page. You can show or hide the elements on the page, which helps in keeping the page uncluttered. Display Unknown Response Code: The Unknown Response Code is defined for every task in the workflow. It is not used in the logic of the workflow. However, you can use this option to display the Unknown Response Code. Display Adapter Name On-Screen: You can display the name of the automated adapter. Display Undo Tasks: You can display the undo tasks for the tasks. Display Recovery Tasks: You can display the recovery tasks for the tasks.
Generate Image	This option enables you to save the workflow view as an image that can be printed. When you click this menu item, a new browser window opens and it displays a JPEG formatted image. The entire workflow is displayed, even parts of the flowchart that are hidden due to scrolling limitations of the display area. You can then use the standard Web browser features to save the image on your computer.
Reload Workflow	This option refreshes the workflow view and rearranges the different items on the page based on a predefined graph algorithm.
Legend	This option provides an explanation of all the visual components that are used to create the flowchart of the workflow definition. Figure 9-1 shows the Legend page. Markers The Markers nodes represent position markers for special conditions. These conditions are: Start Point: This marker represents the logical start point within the workflow. It is not an actual task within the workflow definition. On-Page Reference: This marker represents a task node that has already been drawn somewhere else in the workflow chart. It is used to show connectivity to other tasks without crowding the workflow view with crossing links. Response Sub-Tree: The Response Sub-Tree (Expansion Nodes) helps keep the workflow uncluttered by hiding significant subtrees of response nodes. You can double-click the Expansion Node marker to redraw the flowchart with the responses. Tasks The Tasks nodes represent the tasks in the workflow. They are: Manual Tasks: These tasks require user action in order to be completed. Automated Tasks: These tasks do not require user interaction in order to be completed. Automated tasks always require a process task adapter. Provisioning processes generally consist of automated tasks. Responses The Response nodes represent the response codes that are defined on the tasks. The Response node shows the actual response code within it. The response code is based on the status that the response has set on the task. Completes Task: The process task has been completed, and this is indicated in green color. Rejects Task: The process task has been rejected, and this is indicated in red color. Cancels Task: The process task has been canceled, and this is indicated in blue color. Links Direction arrow lines connect the task and response nodes and indicate the flow of the workflow. The color of the link indicates the type of relationship between two nodes that it connects. The types of links are: Initial Task: The Initial Task is the first process task in the workflow definition. Response Generated Task: The Response Generate Task is defined as a process task that is triggered when the current task has the Completed status. In general, a new process task can be triggered when the conditional task receives a particular response code in conjunction with the running of the process task. Recovery Task: The Recovery Task is defined as a process task that is triggered when the current process task has the Rejected status. Undo Task: The Undo Task is defined as a process task that is triggered when the current process task has the Canceled status. Dependent Task: The Dependent Task is defined as a process task that is dependent on another process. Oracle Identity Manager can start this type of task only when the process task on which it is dependent is completed.

Figure 9-1 shows the Legend page.

Figure 9-1 Legend Page

Description of "Figure 9-1 Legend Page"

In addition to the Information Fields and Toolbar Menu Items of the Workflow Visualizer, the UI elements of the workflow are tasks and responses. For information about tasks and responses, see Table 9-1 and the "Creating and Configuring Tasks and Responses".

9.5.2.1 Using the Provisioning Workflow Definition Event Tabs

The Provisioning Workflow Definition is displayed with associated event tabs of the logical flow of the way tasks get executed based on their responses. The event tabs represent the various task sequences for a specific event in the workflow definition. When you click an event tab, it displays the appropriate tasks for the workflow event of the process. You can arrange the flowchart to meet your requirements. If there is no task defined for the workflow event, then the tab displays a blank view. If there is more than one task sequence for the workflow event type, then the tab displays a menu from which you can select the process flowchart that you want to view.

9.5.2.1.1 Provisioning Tab

The Provisioning tab shows the tasks that will provision a resource. When the workflow type is Provisioning, the workflow shows all the tasks needed to provision a resource.

9.5.2.1.2 Reconciliation Tab

The Reconciliation tab shows the reconciliation event for the provisioning process with marker tasks inserted into it: either Reconciliation Insert Received, Reconciliation Update Received, or Reconciliation Delete Received. These tasks can have adapters attached to them to start a provisioning action. If a task has no adapters attached to it, then a response code of Event Processed is assigned to the task. Additional provisioning process tasks can be generated based on this response code to start a provisioning flow due to the reconciliation event.

9.5.2.1.3 Service Account Tab

The Service Account tab shows all the provisioning processes of service accounts for users (administrators). When a user is provisioned with a service account, Oracle Identity Manager manages a mapping from the user's identity to the service account. When the resource is revoked or the user is deleted, the provisioning process for the service account is not canceled. Instead, a task is inserted into the provisioning process to remove the mapping from the user to the service account. The provisioning processes of the service account are: Service Account Changed, Service Account Alert, and Service Account Moved.

9.5.2.1.4 User Event Tab

The User Event tab shows the workflows that respond to changes to a user record, for example, updating the password or user ID.

9.5.2.1.5 Org Event Tab

The Org Event tab shows workflows that respond to changes to an organization record (for example, updating the name or parent name) that the resource is provisioned to or the organization of the user that the resource is provisioned to.

9.5.2.1.6 Resource Event Tab

The Resource Event tab shows workflows that respond to state changes of the provisioned resource instance, for example, being enabled or disabled.

9.5.2.1.7 Form Event Tab

The Form Event tab shows workflows that respond to data changes in the process form of the provisioned resource instance.

9.5.2.1.8 Attestation Tab

The Attestation Event tab shows the workflows that respond to data changes in an attestation process.

9.5.3 Operations on the Workflow Visualizer

This section discusses the various operations that you can perform by using the Workflow Visualizer:

• Rearranging Elements

• Using the Expansion Nodes

• Accessing the Task Details

Suppose the Corporate DB Provisioning workflow definition is shown. Selecting an event tab displays the appropriate sequence of tasks for that event. These event tabs are discussed in the "Using the Provisioning Workflow Definition Event Tabs". Figure 9-2 shows a sample workflow in the Workflow Visualizer.

Figure 9-2 Sample Workflow Displayed in the Workflow Visualizer

Description of "Figure 9-2 Sample Workflow Displayed in the Workflow Visualizer"

9.5.3.1 Rearranging Elements

You can rearrange the graphical workflow by moving the icons that constitute the workflow definition to any location in the workflow view. As you move an icon component, the direction arrow continues to be associated with the link. The drag-and-drop functionality of the components in a workflow is illustrated in Figure 9-3.

Figure 9-3 Using Drag-and-Drop in the Workflow Visualizer

Description of "Figure 9-3 Using Drag-and-Drop in the Workflow Visualizer"

You can also use the Display Options toolbar menu item to display or hide Unknown Response Code, Adapter Name, Undo Tasks, and Recovery Tasks. The workflow automatically refreshes and redraws the workflow based on the changes that you made.

When you right-click a task node, the Hide Responses option is displayed. When you click this option, the response subtree collapses and is replaced with an expansion node. The task node label is highlighted in yellow to denote that it was collapsed. If the node is collapsed, then the Hide Responses option does not appear. Figure 9-4 shows the task node.

Figure 9-4 Using the Task Node (Shortcut Menu)

Description of "Figure 9-4 Using the Task Node (Shortcut Menu)"

9.5.3.2 Using the Expansion Nodes

Task Nodes with more than five response codes, not including the Unknown Response code, are not to be drawn with their responses in the flowchart. Instead, an expansion node replaces the entire response subtree. When you double-click the expansion node, the flowchart is redrawn to display the response subtree for the parent task (node). The label of the task node is highlighted in yellow. Figure 9-5 shows a collapsed response subtree.

Figure 9-5 Collapsed Response Subtree in the Workflow Visualizer

Description of "Figure 9-5 Collapsed Response Subtree in the Workflow Visualizer"

Note:

When you place the cursor over the expansion node, a tooltip indicates how many response codes are associated with it. Unknown Response Codes are hidden, by default.

9.5.3.3 Accessing the Task Details

To view detailed information about a particular task, double-click the task icon. The Task Detail page displays information about the task definition on the following tabs:

• General: This tab displays task information, for example, the name and description.

• Automation: This tab provides information about any adapter automating the task, its status, and variable mappings.

• Task Assignment: This tab displays information about how the task is assigned and all associated information.

• Depends On: This tab lists all tasks that the selected task depends on.

• Resource Status Management: This tab shows the mapping between the task status and the resource status.

9.5.3.3.1 General Tab

Table 9-3 describes the fields on the General tab:

Table 9-3 Fields on the General Tab

Field	Description
Task Name	This field displays the name of the process task.
Task Description	This field displays explanatory information about the process task.
Task Effect	This field indicates the process action for this task. It can be ENABLED, DISABLED, or NONE. A process is enabled or disabled for a user's access to a resource. A disabled action will also disable all associated tasks. The NONE action indicates that this task is not associated with a particular process action.
Retry Interval	This field indicates the time in minutes, for which you want to wait before adding this process task instance.
Retry Attempt Limit	This field indicates the number of times Oracle Identity Manager will retry a rejected task.
Conditional Task	This field specifies any condition that must be met for the process task.
Complete On Recovery	This field indicates that Oracle Identity Manager will change the status of the current process task from Rejected to Unsuccessfully Completed on completion of all recovery tasks that are generated. This flag triggers other dependent process tasks.
Allow Cancellation While Pending	This field indicates whether or not the process task can be canceled if its status is Pending.
Allow Multiple	This field indicates whether or not the task is allowed to be inserted multiple times within a single process instance.
Required For Workflow Completion	This field indicates that the process cannot be completed if the process task does not have a Completed status.
Manual Insert	This field indicates whether or not a user can manually add the current process task to the process.

9.5.3.3.2 Automation Tab

Tasks belonging to provisioning processes are usually automated. Table 9-4 describes the fields on the Automation tab.

Note:

If the task is not automated, then this tab is not displayed.

Table 9-4 Fields on the Automation Tab

Field	Description
Adapter Name	This field shows the name of the adapter.
Adapter Status	This field indicates whether or not the adapter is completely mapped.
Adapter Variable	This field contains a user-defined placeholder within the adapter that contains run-time application data used by its adapter tasks.
Mapped?	This field indicates whether or not the adapter variable is mapped.

9.5.3.3.3 Task Assignment Tab

This tab specifies the assignment rules for the process task. These rules determine how the process task is assigned.

Tasks belonging to provisioning processes are usually automated. As a result, they do not need task assignment rules.

9.5.3.3.4 Depends On Tab

This tab displays the task name that the current task is dependent on.

9.5.3.3.5 Resource Status Management Tab

A resource is provided with predefined provisioning statuses that represent the various statuses of the resource object throughout its lifecycle as it is provisioned to the target user or organization. This tab displays the link between the status of a process task (Task Status) and the provisioning status of the resource (Resource Status) to which it is assigned. Table 9-5 describes the fields on the Resource Status Management tab.

Table 9-5 Fields on the Resource Status Management Tab

Field	Description
Task Status	The status can be one of the predefined provisioning status types.
Resource Status	The status can be one of the following: Waiting, Provisioning, None, Ready, Enabled, Disabled, Revoked, Provisioned, and Provide Information.

9.6 Using the Resource Workflows Option to Create and Modify Workflows

The Workflow Designer provides the ability to create and modify workflows. While the Workflow Visualizer provides a graphical view of the workflows, the Workflow Designer provides the ability to create workflows and to edit them.

See Also:

"Process Definition Form" for information about the Process Definition form

This section discusses the following topics:

• Opening the Workflow Designer

• Creating a Workflow

• Workflow Designer Main Page

• Creating and Configuring Tasks and Responses

• Configuring Data Flows

9.6.1 Opening the Workflow Designer

To open the Workflow Designer:

1. In the welcome page of Oracle Identity Manager Advanced Administration, click Manage Resource. Alternatively, you can click Configuration, and from the Resource Management list, select Manage Resource.

   The Resource Search page is displayed.

   Note:

   To open the Workflow Designer by using Mozilla Firefox Web browser, an additional authentication dialog box might be displayed. Providing authentication in this dialog box allows access to the Workflow Designer. To avoid this additional authentication:

   1. In Mozilla Firefox, from the Tools menu, select Options. The Options dialog box is displayed.

   2. Click Privacy.

   3. Select the Accept third-party cookies option.

   4. Click OK.

   The additional authentication is not required when the Workflow Designer is opened by using Microsoft Internet Explorer Web browser.

2. Search for a resource.

3. Select a resource by clicking the resource name. The Resource Detail page is displayed.

4. Select Resource Workflows from the additional details list. The Resource Workflows page is displayed.

5. Click Create New Workflow to open the Workflow Designer and create a new workflow. Alternatively, click Edit in the Edit Workflow column of the results table to open the Workflow Designer and edit an existing workflow.

9.6.2 Creating a Workflow

On the Resource Workflows page, when you click Create New Workflow, the Workflow Designer opens with the Create Workflow dialog box, as shown in Figure 9-6.

Figure 9-6 Create Workflow Dialog Box

Description of "Figure 9-6 Create Workflow Dialog Box"

In this dialog box, you must specify the values that are required to create a new workflow. Table 9-6 describes the fields in the Create Workflow dialog box.

Table 9-6 Fields in the Create Workflow Dialog Box

Field	Description
Workflow Name	The name of the new workflow.
Workflow Form	The form associated with the resource for which the workflow is defined. The forms can be: All the process forms that are not yet assigned to any processes All the process forms assigned to the other processes defined for the current resource, for which this workflow is being defined
Default Workflow	This check box specifies whether or not the current Business Workflow is to be designated as the default provisioning Business Workflow for the resource object with which it is associated. If this check box is selected, then the Business Workflow will be set as the default provisioning Business Workflow for the resource object to which it is assigned. If this check box is not selected, then the process will start only if a process selection rule causes it to be selected.
Create Workflow	The button to create the workflow.

9.6.3 Workflow Designer Main Page

After you click Create Workflow in the Create Workflow dialog box by selecting the Provisioning option, the Workflow Designer main page is displayed as shown in Figure 9-7.

Figure 9-7 Workflow Designer Main Page

Description of "Figure 9-7 Workflow Designer Main Page"

This page has different sections, with each section giving more information or options to extend the new workflow.

The Workflow Designer main page consists of the following sections:

• Information

• Toolbar

• Designer Page

• Menu Section

9.6.3.1 Information

This section displays the following labels that provide global information about the current workflow:

• Workflow Name: The name of the current workflow

• Workflow Type: The type of the current workflow, Provisioning or Approval

• For Resource: The resource to which the current workflow is attached

9.6.3.2 Toolbar

The toolbar provides features to manage and view the workflow designer pages. This includes options to configure the global workflow information such as the name, form name, auto save, auto prepopulate, generating an image of the graphical workflow view, reloading the workflow, a popup legend, saving the workflow, and providing display options.

This section discusses the functions of the following toolbar buttons:

• Workflow Configuration

• Task Library

• Display Options

• Generate Image

• Legend

• Refresh

• Save

9.6.3.2.1 Workflow Configuration

Clicking Workflow Configuration opens the Workflow Configuration dialog box, as shown in Figure 9-8. This dialog box provides options for configuring the current workflow.

Figure 9-8 Workflow Configuration Dialog Box

Description of "Figure 9-8 Workflow Configuration Dialog Box"

Table 9-7 describes the fields in the Workflow Configuration dialog box.

Table 9-7 Fields in the Workflow Configuration Dialog Box

Field	Description
Workflow Name	The name of the current workflow.
Default Workflow	This check box specifies whether or not the current process is to be designated as the default provisioning process for the resource object with which it is associated. Note: For more information about this check box, see "Creating a Workflow".
Descriptive Field	This is used to map any of the following to a particular instance of the provisioned resource: Request Key User Login Organization Name Process Type Data From Workflow Form
Form Name	The form assigned to the current workflow.
Auto Save Form	This check box is used to set autosave for the form during provisioning without prompting the user for form data. This helps in setting default values for form fields either through predetermined set default values or through data flows.
Auto Prepopulate Form	This check box is used to prepopulate the fields during provisioning, with data either from default values or from data flows. Setting this option lets you see the forms while provisioning, along with the data on the fields that you can modify.

9.6.3.2.2 Task Library

Clicking Task Library opens the Task Library page. The Task Library page displays a list of all the tasks in the workflow across all subworkflows. This page also shows a few parameters related to each task, such as in which subworkflows it is present (for provisioning workflows), whether or not multiple instances are allowed, whether or not cancellation while pending is allowed, retry period, and retry count. In addition, you can edit and delete tasks on this page. Figure 9-9 shows the Task Library page.

Figure 9-9 Task Library Page

Description of "Figure 9-9 Task Library Page"

You can delete a task only after both the following conditions are met:

• The task is removed from all workflows. This implies that the task is deleted by right-clicking the task on any subworkflow and clicking Remove Task and Subflow.

• No instance of the task is present in the system. For instance, if a workflow is created with a task and if the resource for that workflow is provisioned to a user and the workflow is started resulting in the task being run, then an instance of that task is created in the system. In that case, the task cannot be deleted.

The Task Library page has search criteria on the top that you can use to search for tasks. The main section lists the tasks with various parameters. You can click a row to highlight it. If a task can be deleted, then the Remove Selected Task button is enabled along with the Edit Selected Task button.

9.6.3.2.3 Display Options

Clicking Display Options opens the Set Display Options dialog box that provides options to specify how the workflow is displayed when you are designing the workflow. Figure 9-10 shows the Set Display Options dialog box.

Figure 9-10 Set Display Options Dialog Box

Description of "Figure 9-10 Set Display Options Dialog Box"

You can use this dialog box to enable or disable the following options:

• Display Unknown Response Code: Display or hide unknown response codes.

• Display Adapter Name On-Screen: Display or hide adapter names attached to the tasks.

• Display Undo Tasks: Display or hide undo tasks.

• Display Recovery Tasks: Display or hide recovery tasks.

9.6.3.2.4 Generate Image

Clicking Generate Image saves the current view of the workflow as a JPEG image. The image opens in a new browser window.

9.6.3.2.5 Legend

Clicking Legend opens the Legend dialog box, which is shown in Figure 9-11. This dialog box shows the following types of elements:

Figure 9-11 Legend Dialog Box

Description of "Figure 9-11 Legend Dialog Box"

• Markers: These elements represent a particular marking or place in the workflow. For example, the starting point, an on-page reference, or a place representing an extended workflow with more elements underneath can be represented with a marker.

  You can right-click a Task element and select the option to hide the responses. When you hide a response, the icon for the Response subtree is displayed to indicate that there are hidden responses. The on-page reference marker refers to other elements on the page whose relationship is not shown with links. An example of this is a response code defined for a task and for that response a response-generated task is defined. If this response-generated task has its response referring to the original task in a circular manner, then an on-page reference marker makes it easier to show the relationship.

• Tasks: These icons are used to indicate manual and automated tasks. If a task has an event handler or an adapter attached to it for autocompletion, then it is an automated task. Otherwise, it remains a manual task.

• Responses: These are the different color codes used for different types of response codes, such as Completes, Rejects, and Cancels. Any user-defined response code is shown with a different color code.

• Links: These are the different color codes used for links that display the relationship or linkage between elements. Depending on the type of task the link refers to, the color code for the link is different. For example, the color code indicates whether or not the task is undo or recovery. The different types of links are: Initial Task, Response Generated Task, Recovery Task, and Undo Task.

9.6.3.2.6 Refresh

Clicking Refresh reloads the workflow to display it with default indentations and locations for the labels and icons. It regenerates the topology to arrange the elements on the workflow by using the JGraph algorithm.

9.6.3.2.7 Save

Clicking Save saves all changes made to the workflow, including all the additions and modifications to the Oracle Identity Manager database.

Caution:

You must click Save to commit the changes. If you close the Workflow Designer main page without saving the workflow, then all the changes will be lost.

9.6.3.3 Designer Page

The designer page displays the workflow with all the elements and their positions in the process flow with the help of links. This is similar to a drawing board in which the components, such as tasks and responses, can be created by using appropriate options. These components on the designer page can be further configured. On this page, the different entities of the workflow can be graphically shown along with their relationship with each other. For a newly created workflow, this page displays a start marker that indicates the starting point for the workflow process. All the objects that are added to this page are relative to this marker, which acts as a reference point.

9.6.3.4 Menu Section

The menu section consists of the menu items that represent a particular subsection of the workflow. This section is available only for Provisioning workflows. The menu items available are the following:

• Provisioning: This is the default page displayed when the Workflow Designer application is started.

• Reconciliation: This provides a list of tasks that are run on reconciliation events, such as Reconciliation Insert Received, Reconciliation Update Received, and Reconciliation Delete Received. These tasks are submenu items under the Reconciliation menu item.

• Service Account: Service accounts are general administrator accounts, such as admin1, admin2, and admin3, that are used for maintenance purposes. Usually, these accounts are used to allow one system, rather than a user, to interact with another system. The model for managing and provisioning service accounts is different from standard provisioning. Service accounts are requested, provisioned, and managed in the same manner as regular accounts. Service accounts use the same resource objects, provisioning processes, and process forms as regular accounts. A service account is distinguished from a regular account by an internal flag. When a user is provisioned with a service account, Oracle Identity Manager manages a mapping from the user's identity to the service account. This user is considered the owner of the service account. The tasks that are available under the Service Account menu item are Service Account Change, Service Account Alert, and Service Account Moved.

• User Event: This provides a list of tasks that are run based on the events on users. They have the following default names:

  • Change User Location

  • Move User

  • Change User Type

  • Change User Password

  • Change User Manager

  • Change Username

  • Change First Name

  • Change Last Name

  • Change User Identity

    Note:

    These names are derived from the decoded values of Lookup.USR_PROCESS_TRIGGERS in the design console Lookup Definition form. If the values are modified, then these names will be different accordingly.

  A user event can be inserted into the workflow by clicking the plus sign (+) icon next to the User Event menu item. Clicking the + icon opens the Add User Event Lookups dialog box with a list of currently available event tasks, as shown in Figure 9-12. Selecting a task and clicking Add Event to Workflows will create a new menu item under the User Event menu and open the page for that workflow.

  Figure 9-12 Add User Event Lookups Dialog Box

  
  Description of "Figure 9-12 Add User Event Lookups Dialog Box"
  
  

  The Add User Event Lookups dialog box also provides the following options to create new lookup events and edit or remove existing lookup events:

  • Create New Lookup: When you click this button, the Create Lookup Event dialog box is displayed, as shown in Figure 9-13.

    Figure 9-13 Create Lookup Event Dialog Box

    
    Description of "Figure 9-13 Create Lookup Event Dialog Box"
    
    

  • Edit Selected Lookup: When you click this button, the Edit Lookup Event dialog box is displayed, as shown in Figure 9-14.

    Figure 9-14 Edit Lookup Event Dialog Box

    
    Description of "Figure 9-14 Edit Lookup Event Dialog Box"
    
    

  • Remove Selected Lookup: When you click this button, the Remove Lookup Event dialog box is displayed, as shown in Figure 9-15.

    Figure 9-15 Remove Lookup Event Dialog Box

    
    Description of "Figure 9-15 Remove Lookup Event Dialog Box"
    
    

• Org Event: This provides a list of tasks that are run based on the events on organizations. They have the following default names:

  • Change Organization Type

  • Change Organization Name

  • Move Organization

  An organization event can be inserted into the workflow by clicking the + icon next to the Org Event menu item. Clicking the + icon opens the Add Organization Event Lookups dialog box with a list of currently available event tasks, as shown in Figure 9-16. You can select a task and click Add Event to Workflows to create a new menu item under the Org Event menu and open the page for that workflow.

  Figure 9-16 Add Organization Event Lookups Dialog Box

  
  Description of "Figure 9-16 Add Organization Event Lookups Dialog Box"
  
  

  The Add Organization Event Lookups dialog box also provides the following options to create new lookup events and edit or remove existing lookup events:

  • Create New Lookup: When you click this button, the Create Lookup Event dialog box is displayed, as shown in Figure 9-17.

    Figure 9-17 Create Lookup Event Dialog Box

    
    Description of "Figure 9-17 Create Lookup Event Dialog Box"
    
    

  • Edit Selected Lookup: When you click this button, the Edit Lookup Events dialog box is displayed, as shown in Figure 9-18.

    Figure 9-18 Edit Lookup Event Dialog Box

    
    Description of "Figure 9-18 Edit Lookup Event Dialog Box"
    
    

  • Remove Selected Lookup: When you click this button, the Remove Lookup Events dialog box is displayed, as shown in Figure 9-19.

    Figure 9-19 Remove Lookup Event Dialog Box

    
    Description of "Figure 9-19 Remove Lookup Event Dialog Box"
    
    

• Resource Event: This provides a list of tasks that are inserted into the workflow and run when an event occurs on the resource. These events are defined as disabled or enabled events on the resource. There are submenu items for Enable Resource and Disable Resource under the Resource Event menu item. A resource event can be inserted into the workflow by clicking the + icon next to the Resource Event menu item. Clicking the + icon opens the Add Resource Event Lookups dialog box with two options, Enable Resource and Disable Resource, as shown in Figure 9-20. You can select an option and click Add Event to Workflows to create a new menu item under the Resource Event menu and open the page for that workflow.

  Figure 9-20 Add Resource Event Lookups Dialog Box

  
  Description of "Figure 9-20 Add Resource Event Lookups Dialog Box"
  
  

• Form Event: This provides a list of tasks that get inserted and run based on an event on a form field or child table. For events on parent process form fields, the name of the tasks have the following convention:

  Field field_name Updated
  

  The events on child tables are named based on the child table name and the type of event such as insert, update, and delete. A form event can be inserted into the workflow by clicking the + icon next to the menu item. Clicking the + icon opens the Add Form Event Lookups dialog box with the fields shown in Figure 9-21.

  Figure 9-21 Add Form Event Lookups Dialog Box

  
  Description of "Figure 9-21 Add Form Event Lookups Dialog Box"
  
  

  In the Add Form Event Lookups dialog box, you can select either parent form or child form in the Form Type field. When you select Parent Form, the fields in the Child Form section are disabled. Similarly, when you select Child Form, the fields in the Parent Form section are disabled. In the Parent Form section, only the Update operation is available. In the Child Form section, the available operations are Insert, Update, and Delete. These operations trigger the event. Each section has fields for the form fields of the parent form, or the form names in case of child forms. The Task names for only the child table event tasks can be modified after creation.

  Note:

  The parent form field event names are fixed, and the task name fields cannot be edited. Although the name is inherently in a fixed format, it can be customized and localized by updating the global.workflow.startMarker.UpdatedField property in the xlRichClient.properties file. See Chapter 25, "Customizing Oracle Identity Manager Interfaces" for information about customizing the UI.

• Attestation: This menu item is for the attestation events. There are two types of attestation events, User Attestation and Resource Attestation. No new events can be added to attestation although the existing workflows can be modified similar to other subworkflows.

9.6.4 Creating and Configuring Tasks and Responses

A workflow can consist of more than one task. This section discusses the following topics related to tasks:

• General Menu Options

• Task Options

• Response Options

• Link Options

• Configuring Tasks

• Configuring Responses

9.6.4.1 General Menu Options

You can right-click the designer page to display a menu with general options to create tasks and responses. The general menu options are:

• Create New Task: Creates a new task with a default name, which can be further modified and configured. The task is represented as an icon.

• Insert Existing Task: Displays the Existing Tasks dialog box with the list of all existing tasks across the subworkflows except the tasks present in the current subworkflow and the main user, organization, resource, and form event tasks for provisioning workflows. You can select a task and insert it in the current workflow.

• Create Response: Creates a new response with a default response code, which can be further modified and configured. The response is represented as an icon.

Various options are available when you right-click the task icons, response icons, and the links between the tasks and responses.

9.6.4.2 Task Options

You can right-click a task icon to display a menu that provides the following options related to tasks:

• Link To Response: This option is used to link a task to a response. To use this option, first create a response. When you select this menu item, a link is displayed starting from the task icon. This link extends with the mouse pointer. When you click the response, the arrowhead of the link positions itself on the response, and the response is created for the task.

• Link To Undo Task: This option is used to link two tasks with the undo relationship. It is used when you want to add a task as the undo task of the current selected task. To do this:

  1. Select the task to which the undo task is to be added.

  2. Right-click the task icon, and select the Link To Undo Task menu item.

  3. Select the target tasks icon to add it as the undo task.

  Note:

  If the Display Undo Tasks option in the Display Options toolbar is selected with the value No, then the Undo task will not be visible after creating the undo relationship. To see the undo task, select Yes for the Display Undo Tasks option.

• Link To Recovery Task: This is used to link two tasks with the recovery relationship. It is used when you want to add a task as the recovery task of the currently selected task. To do this:

  1. Select the task to which the recovery task is to be added.

  2. Right-click the task icon, and select the Link To Recovery Task menu item.

  3. Select the target task to add it as the recovery task.

     Note:

     If the Display Recovery Tasks option in the Display Options toolbar button is selected with the value No, then the recovery task will not be displayed after creating the recovery relationship. To display the recovery task, select Yes for the Display Recovery Tasks option.

• Remove Task and Subflow: This is used to remove a task and all the elements under the task. This includes all the links originating from the task and all their child elements and their child elements and so on. When the same task is present in multiple subworkflows and it is removed from one subworkflow, it gets removed from all the subworkflows where this task has the same parent task, which is the task whose response-generated tasks contain the current removed task.

  Removing a task or the children will not delete the tasks from the system but only from the workflows. Deleting a task from the system permanently can be done from the Task Library. Removing tasks from the designer page still keeps the task definitions and removes them only from the workflows.

9.6.4.3 Response Options

You can right-click a response icon to display a menu that provides the following options related to responses:

• Add Response Generated Task: This is used to add a task as a response-generated task for the selected response. To do this:

  1. Create the response-generated task.

  2. Right-click the response, and select Add Response Generated Task. A link is created.

  3. Select the task. The link positions on the task and the relationship are created.

• Remove: This is used to remove a response. When you select this option, a confirmation page is displayed. Confirming the deletion removes the response and all its children. When a response is removed that contains generated tasks, then those tasks will be removed but not deleted. When a task is removed, it is removed only from the workflow and is not deleted permanently. You can permanently delete a task from the Task Library.

9.6.4.4 Link Options

You can remove the relationships between some elements by right-clicking the link and clicking the Remove option. This option is not available for all links. For example, for reconciliation workflows, you cannot delete the default tasks connected to the start marker. Therefore, you cannot remove the relationship between the start markers and the default tasks. The link for which you can remove the relationship is highlighted with a broken arrow when you roll your mouse on the relationship. When the arrow is highlighted, right-click the arrow and the Remove option is displayed. This helps in removing the link between a response and a task and to assign another response to the task, or to assign another task to the response, without the need to delete the link and create new ones.

9.6.4.5 Configuring Tasks

You can configure tasks in the Workflow Designer by using the Task Details dialog box. This dialog box is shown in Figure 9-22. To open the Task Details dialog box, double-click the task icon on the designer page.

Figure 9-22 Task Details Dialog Box

Description of "Figure 9-22 Task Details Dialog Box"

This section discusses the following tabs in the Task Details dialog box:

• General Tab

• Automation Tab

• Notification Tab

• Task Assignment Tab

• Depends On Tab

• Resource Status Management Tab

General Tab

Figure 9-23 shows the General tab of the Task Details dialog box.

Figure 9-23 General Tab

Description of "Figure 9-23 General Tab"

This tab lets you specify the general information about the task:

• Task Name: This is the name of the process task. This field can be edited, except when the task name cannot be changed. For example, on the Form Events page, the event task for parent field update.

• Task Description: This is descriptive information about the process task.

• Retry Configuration: This section is present only for provisioning workflows and consists of the following options:

  • Retry Interval: If a process task has the Rejected status, then this is the time interval in minutes before Oracle Identity Manager inserts a new instance of that task with a Pending status.

  • Retry Attempt Limit: This is the number of times Oracle Identity Manager retries a rejected task.

• Properties: This section has the following options:

  • Allow Multiple Instances: This check box determines whether or not the process task can be inserted into the current process more than once. If you select this check box, then multiple instances of the process task can be added to the process. If you deselect this check box, then the process task can be added to the current process only once.

  • Required for Workflow Completion: This check box determines whether or not the current process task must be completed for the process to be completed. If you select this check box, then the process cannot be completed if the process task does not have a Completed status. If you deselect this check box, then the status of the process task does not affect the completion status of the process.

  • Complete On Recovery: This check box determines whether or not the status of the task must be set to Completed on completion of the recovery tasks.

  • Allow Cancellation While Pending: This check box determines whether or not the process task can be canceled if its status is Pending. If you select this check box, then the process task can be canceled if it has a Pending status. If you deselect this check box, then the process task cannot be canceled if its status is Pending.

  • Disable Manual Insert: This check box determines whether or not a user can manually add the current task to the workflow. If this check box is selected, then the task cannot be added to the workflow manually. If you deselect this check box, then a user can add the task to the process.

Automation Tab

Figure 9-24 shows the Automation tab of the Task Details dialog box.

Figure 9-24 Automation Tab

Description of "Figure 9-24 Automation Tab"

The Automation tab lets you attach an event handler or an adapter with the task that helps in the automation of the process task.

The options on this tab are divided into two parts. The task automation section shows the currently attached adapter with the status of the adapter. The Adapter Mappings section shows the adapter variable mappings. There are buttons on the tab that enable you to add an adapter or event handler, remove the adapter, and edit the variable mappings when an adapter is attached.

When you click Add Adapter, a dialog box is displayed. This dialog box consists of a section for the handler type with an option each for system event handlers and adapters. Selecting each option displays the corresponding descriptive text below the handler type section. You can select an item in the list and click Add.

The Adapter Mappings section shows the variables associated with the adapters along with the mappings. It displays the variable name and whether or not it has been mapped. When you select a variable, the Edit Variable Mapping button is enabled. You can click this button to open the Adapter Mappings dialog box with all the various options available to map this variable. This dialog box provides the following options:

• Variable Name: This text label displays the name of the adapter variable for which you are setting a mapping, such as UUID.

• Data Type: This text label displays the data type of the adapter variable. For example, String is the data type for the UUID variable.

• Map To: This list displays the types of mappings that you can set for the adapter variable, such as IT Resources.

  When you map the adapter variable to a location or contact, Oracle Identity Manager enables a list with values for a specific type of location or contact to which you are mapping the adapter variable. In addition, if you map the adapter variable to a custom process form and this form contains child tables, then Oracle Identity Manager enables the adjacent list. From this list, select the child table to which you are mapping the adapter variable. If you are not mapping the adapter variable to a location, contact, or child table of a custom process form, then this list is disabled.

• Qualifier: This list contains the qualifiers for the mapping that is selected in the Map To list, such as IT Asset.

• Old Value: This check box specifies whether or not you map the adapter variable to the value that was originally selected in the Qualifier check box before modification. Process task adapters associated with process tasks are conditionally triggered when some field on the process form is changed. If you select the Old Value option and the process task is marked Conditional, then the value that is passed to the adapter is the previous value of the field or variable for which the mapping is being selected. This is useful for fields that accept passwords. For example, if you want to disallow setting the password to the same value, then you can use the old value for comparison. If you are not mapping the adapter variable to a field that belongs to a child table of a custom process form, then this check box is disabled.

Note:

Different fields may be displayed in the Adapter Mappings dialog box, based on what you select from the Qualifier and Map To lists.

Notification Tab

Figure 9-25 shows the Notification tab of the Task Details dialog box.

Figure 9-25 Notification Tab

Description of "Figure 9-25 Notification Tab"

This tab lets you designate the e-mail notification to be generated when the current process task achieves a particular status. For each status that a task can achieve, a separate e-mail notification can be generated. If an e-mail notification is no longer valid, then you can remove it from the Notification tab.

Note:

For Oracle Identity Manager to send an e-mail notification to a user, a template for the e-mail message must first be created by using the E-mail Definition form.

There are three buttons in the dialog box: Add Notification, Remove Notification, and Edit Notification. You can use these buttons to configure the notifications tab by adding, deleting, and editing notifications.

Task Assignment Tab

Figure 9-26 shows the Task Assignment tab of the Task Details dialog box.

Figure 9-26 Task Assignment Tab

Description of "Figure 9-26 Task Assignment Tab"

This tab lets you add task assignment rules for the current task. It provides options to add the rules, assignment type, whom the task must be assigned to, adapter, e-mail template, and escalation time. The added rules are displayed in a tree based on the priority. The shortcut menu that is displayed when you right-click the rule provides options to change the priority of the rule, and to edit or delete the rule.

When you click Add Task Assignment Rule, the Task Assignment Rule dialog box opens with different input fields needed for assignments, as shown in Figure 9-27.

Figure 9-27 Task Assignment Rule Dialog Box

Description of "Figure 9-27 Task Assignment Rule Dialog Box"

The Task Assignment Rule dialog box provides the following options:

• Rule Name: A lookup field with a list of the rules.

• Assignment Types: A lookup field with the following options for assignment types:

  • Object Administrator User with Least Load

  • Group User with Least Load

  • Request Target Users Manager

  • Object Administrator

  • User

  • Object Authorizer User with Least Load

  • Requestor's Manager

  • Group

• Assign To: A lookup field. The values of this field vary with the selection in the Assignment Types field. Therefore, the value selected in the Assignment Types field is validated first.

• Adapter: A lookup field that brings up a list of the available task assignment adapters.

• Email Template: A lookup field that opens a dialog box with a list of e-mail templates from which to choose.

• Send Email: A check box. When this is selected, Oracle Identity Manager sends the e-mail notification to a user or role after the current process task is assigned.

• Escalation Time (ms): A text field to specify the amount of time (in milliseconds) in which the user or role has to complete the process task. The user or role is associated with the rule that Oracle Identity Manager triggers. If this process task is not completed within the allotted time, then Oracle Identity Manager reassigns it to another user or role. The escalation rule adheres to the order defined by the assignment type parameter.

When an assignment rule is created, it is displayed in the Task Assignment tab of the Task Details dialog box with a tree structure.

Depends On Tab

Figure 9-28 shows the Depends On tab of the Task Details dialog box.

Figure 9-28 Task Details Dialog Box

Description of "Figure 9-28 Task Details Dialog Box"

This tab lets you add tasks that the current task will depend on. This is useful in setting up dependencies between tasks. This dialog box consists of buttons to add and remove tasks from this list. Any task in this list must be run before the current task is run.

When you click Add Preceding Task, the Assign Preceding Task dialog box is displayed. This dialog box list the tasks and the corresponding workflows in which they are used. You can select a task from this list and click OK.

When you select a task from the list and click Remove Preceding Task, the task is removed from the list.

Resource Status Management Tab

Figure 9-29 shows the Resource Status Management tab of the Task Details dialog box.

Figure 9-29 Resource Status Management Tab

Description of "Figure 9-29 Resource Status Management Tab"

This tab lets you establish a link between the status of a process task and the provisioning status of the resource object to which it is assigned.

A resource object contains data that is used to provision resources to users and applications. In addition, a resource object is provided with predefined provisioning statuses. Provisioning status changes through the life cycle of the resource object after the provisioning kicks off. The provisioning status represents the various statuses of the resource object throughout its lifecycle when it is provisioned to the target user or organization. The provisioning status of a resource object is determined by the status of its associated provisioning processes, as well as the tasks that comprise these processes. For this reason, a link between the status of a process task and the provisioning status of the resource object to which it is assigned must be provided.

This tab provides two columns that display the tasks status and the resource status. When no mappings are done, the list under the resource status column has a value of None for all task status. When you click Assign Status Mapping, the Object Status dialog box is displayed. This dialog box has the list of resource statuses from which to select and map to the task status.

After you make changes on all the tabs of the Task Details dialog box, click Apply to apply all changes to the task. Alternatively, click Cancel to cancel the operation.

9.6.4.6 Configuring Responses

You can double-click a response icon to open the Response Details dialog box that provides options to configure the response. Figure 9-30 shows the Response Details dialog box.

Figure 9-30 Response Details Dialog Box

Description of "Figure 9-30 Response Details Dialog Box"

The Response Details dialog box has the following fields:

• Response Code: This field is used to specify the response code. This code for the response uniquely identifies a response for a task.

• Response Status: This lookup field is used to select the response status, such as Cancelled, Completed, or Rejected.

• Response Description: This field is used to provide a description of the response.

After you specify the response configuration information, click Update Response to apply the input for the response. In the designer page, the response code is displayed in the response icon.

9.6.5 Configuring Data Flows

Data flows are used for transferring data to the workflow form fields without the need for the user to enter information. This is used for both provisioning and reconciliation. For provisioning, form data flows are used. For reconciliation, reconciliation data flows are used.

In reconciliation data flows, the flow is from reconciliation fields to workflow fields instead of between resource fields and workflow fields. For a trusted resource, the user attributes are displayed instead of the workflow form fields.

The Configure Reconciliation Data Flows page is used to define the relationship between the data elements in the target resource or trusted source and the fields within Oracle Identity Manager with which they are to be linked.

Only the fields defined in the Reconciliation Fields section of the associated resource are available for mappings. These mappings are used to determine which fields in Oracle Identity Manager must be populated with the information provided by using reconciliation events from the target system. In addition, for target resources, the key fields are indicated on this tab. Key fields are fields for which the values on the process form and the reconciliation event must be the same for a match to be generated on the Processes Matched Tree tab of the Reconciliation Manager form.

Note:

The reconciliation fields created in the Reconciliation Fields tab of the associated resource can be of the types Multi-Valued, String, Number, Date, and IT resource.

You configure reconciliation data flow on the Configure Reconciliation Data Flows page. The reconciliation data flow rules are as follows:

• When a workflow form field or child table is mapped to a reconciliation field, it cannot be mapped to another field unless the first one is removed.

• Each reconciliation field can be mapped only once.

Figure 9-31 shows the Configure Reconciliation Data Flows page.

Figure 9-31 Configure Reconciliation Data Flows Page

Description of "Figure 9-31 Configure Reconciliation Data Flows Page"

An additional property for reconciliation data flows is called the Key Reconciliation field. Each workflow field that is mapped for data flow can be set as a key field for reconciliation. This means that the reconciliation rules corresponding to this field must be met. This is represented in the form of a disabled key icon next to an established data flow. By default, each field is not a key field. To set a field as a key field, click the key icon. Click the key icon again to remove the key field setting.

Clicking the key icon sets the field as a key field, and the icon changes to an enable key icon. Clicking the icon again removes the field as a key field.

See Also:

• Chapter 25, "Customizing Oracle Identity Manager Interfaces" for information about customizing the Workflow Designer

• Chapter 28, "Using APIs" for information about the API methods used by the Workflow Designer

9.7 Creating IT Resources

To create an IT resource:

1. In the Welcome page of the Advanced Administration, under Configuration, click Create IT Resource.

   Alternatively, click the Configuration tab, click Resource Management, and then select Create IT Resource.

2. On the Step 1: Provide IT Resource Information page, enter the following information:

   • IT Resource Name: Enter a name for the IT resource.

   • IT Resource Type: Select an IT resource type for the IT resource.

     If you want to create an IT resource of the Remote Manager type, then select Remote Manager from the IT Resource Type list.

   • Remote Manager: If you want to associate the IT resource with a particular remote manager, then select the remote manager from this list. If you do not want to associate the IT resource with a remote manager, then leave this field blank.

     Note:

     If you select Remote Manager from the IT Resource Type list, then you must not select a remote manager from the Remote Manager list.

3. Click Continue.

4. On the Step 2: Specify IT Resource Parameter Values page, specify values for the parameters of the IT resource, and then click Continue.

5. On the Step 3: Set Access Permission to IT Resource page, if you want to assign roles to the IT resource and set access permissions for the roles, then:

   a. Click Assign Group.

   b. For the roles that you want to assign to the IT resource, select Assign and the access permissions that you want to set. For example, if you want to assign the ALL USERS role and set the Read and Write permissions to this role, then you must select the respective check boxes in the row, as well as the Assign check box, for this role.

   c. Click Assign.

6. On the Step 3: Set Access Permission to IT Resource page, if you want to modify the access permissions of roles assigned to the IT resource, then:

   Note:

   You cannot modify the access permissions of the SYSTEM ADMINISTRATORS role. You can modify the access permissions of only other roles that you assign to the IT resource.

   a. Click Update Permissions.

   b. Depending on whether you want to set or remove specific access permissions for roles displayed on this page, select or deselect the corresponding check boxes.

   c. Click Update.

7. On the Step 3: Set Access Permission to IT Resource page, if you want to unassign a role from the IT resource, then:

   Note:

   You cannot unassign the SYSTEM ADMINISTRATORS role. You can unassign only other roles that you assign to the IT resource.

   a. Select the Unassign check box for the role that you want to unassign.

   b. Click Unassign.

8. Click Continue.

9. On the Step 4: Verify IT Resource Details page, review the information that you provided on the first, second, and third pages. If you want to make changes in the data entered on any page, click Back to revisit the page and then make the required changes.

10. To proceed with the creation of the IT resource, click Continue.

11. The Step 5: IT Resource Connection Result page displays the results of a connectivity test that is run using the IT resource information. If the test is successful, then click Create. If the test fails, then you can perform one of the following steps:

    • Click Back to revisit the previous pages and then make corrections in the IT resource creation information.

    • Click Cancel to stop the procedure, and then begin from the first step onward.

    • Proceed with the creation process by clicking Continue. You can fix the problem later, and then rerun the connectivity test by using the Diagnostic Dashboard.

      Note:

      If no errors are encountered, then the label of the button is Create, not Continue.

      See "Test Basic Connectivity" on page 16-11 for more information.

12. Click Finish.

9.8 Managing IT Resources

To locate an IT resource:

1. In the Welcome page of the Advanced Administration, under Configuration, click Manage IT Resource.

   Alternatively, click the Configuration tab, click Resource Management, and then select Manage IT Resource.

2. On the Manage IT Resource page, you can use one of the following search options to locate the IT resource that you want to view:

   • IT Resource Name: Enter the name of the IT resource, and then click Search.

   • IT Resource Type: Select the IT resource type of the IT resource, and then click Search.

   • Click Search.

On the Manage IT Resource page, the list of IT resources that meet the search criteria is displayed.

From this point onward, you can perform one of the following procedures on the IT resource:

• Viewing IT Resources

• Modifying IT Resources

• Deleting IT Resources

9.8.1 Viewing IT Resources

To view an IT resource:

1. From the list of IT resources displayed in the search results, click the IT resource name.

   Note:

   If you want to edit the IT resource, then click the edit icon in the same row.

2. If you want to view the IT resource parameters and their values, then select Details and Parameters from the list at the top of the page. Similarly, if you want to view the administrative roles assigned to the IT resource, then select Administrative Roles from the list.

9.8.2 Modifying IT Resources

To modify an IT resource:

1. From the list of IT resources displayed in the search results, click the edit icon for the IT resource that you want to modify.

2. If you want to modify values of the IT resource parameters, then:

   1. Select Details and Parameters from the list at the top of the page.

   2. Make the required changes in the parameter values.

   3. To save the changes, click Update.

3. If you want to modify the administrative roles assigned to the IT resource, first select Administrative Groups from the list at the top of the page and then perform the required modification.

4. If you want to unassign an administrative role, select the Unassign check box in the row in which the role name is displayed and then click Unassign.

   Note:

   • When you click Unassign, the administrative roles that you select are immediately unassigned from the IT resource. You are not prompted to confirm that you want to unassign the selected administrative roles.

   • You cannot unassign the SYSTEM ADMINISTRATORS role.

5. If you want to assign new administrative roles to the IT resource, then:

   a. Click Assign Group.

   b. For the administrative roles that you want to assign to the IT resource, select the access permission check boxes and the Assign check box.

   c. Click Assign.

6. If you want to modify the access permissions of the administrative roles that are currently assigned to the IT resource, then:

   a. Click Update Permissions.

   b. Depending on the changes that you want to make, select or deselect the check boxes in the table.

   Note:

   You cannot change the access permissions of the SYSTEM ADMINISTRATORS role.

   c. To save the changes, click Update.

9.8.3 Deleting IT Resources

To delete an IT resource:

1. From the list of IT resources displayed in the search results, click the Delete icon for the IT resource that you want to delete.

2. To confirm that you want to delete the IT resource, click Confirm Delete.

9.9 Managing Resources By Using the Design Console

This chapter describes resource management in the Design Console. It contains the following sections:

• Overview of Resource Management

• IT Resources Type Definition Form

• Rule Designer Form

• Resource Objects Form

• Service Account Management

9.9.1 Overview of Resource Management

The Resource Management folder provides you with tools to manage Oracle Identity Manager resources. This folder contains the following forms:

• IT Resources Type Definition: Use this form to create resource types that are displayed as lookup values on the IT Resources form.

• Rule Designer: Use this form to create rules that can be applied to password policy selection, automatic role membership, provisioning process selection, task assignment, and prepopulating adapters.

• Resource Objects: Use this form to create and manage resource objects. These objects represent resources that you want to make available to users and organizations.

See Also:

See Chapter 2, "Developing Adapters" and Chapter 3, "Using Adapters" for more information about adapters and adapter tasks

9.9.2 IT Resources Type Definition Form

The IT Resources Type Definition form is in the Resource Management folder. You use the IT Resources Type Definition form to classify IT resource types, for example, AD, Microsoft Exchange, and Solaris. Oracle Identity Manager associates resource types with resource objects that it provisions to users and organizations.

After you define an IT resource type on this form, it is available for selection when you define an IT resource. The type is displayed in the Create IT Resource and Manage IT Resource pages of Advanced Administration.

IT resource types are templates for the IT resource definitions that reference them. If an IT resource definition references an IT resource type, the resource inherits all of the parameters and values in the IT resource type. The IT resource type is the general IT classification, for example, Solaris. The resource is an instance of the type, for example, Solaris for Statewide Investments. You must associate every IT resource definition with an IT resource type.

Figure 9-32 shows the IT Resources Type Definition form.

Figure 9-32 The IT Resources Type Definition Form

Description of "Figure 9-32 The IT Resources Type Definition Form"

Table 9-8 describes the fields of the IT Resources Type Definition form.

Table 9-8 Fields of the IT Resources Type Definition Form

Field Name	Description
Server Type	The name of the IT resource type
Insert Multiple	Specifies whether or not this IT resource type can be referenced by more than one IT resource

Note:

If an IT resource must access an external resource but is not able to do so by using the network, you must associate it with a remote manager. For more information, see "Installing and Configuring a Remote Manager" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.

9.9.2.1 Defining a Template (a Resource Type) for IT Resources

To define an IT resource type:

1. Enter the name of the IT resource type in the Server Type field, for example, Solaris.

2. To make the IT resource type available for multiple IT resources, select Insert Multiple.

3. Click Save.

   The IT resource type is defined. You can select it when defining IT resources in the Create IT Resource page of Advanced Administration.

9.9.2.2 Tabs on the IT Resource Type Definition Form

After you save the basic information for a new IT resource type, and when an IT resource type is returned on a query, the fields on the tabs of the IT Resources Type Definition form's lower region are enabled.

The IT Resources Type Definition form contains the following tabs:

• IT Resource Type Parameter tab

• IT Resource tab

9.9.2.2.1 IT Resource Type Parameter Tab

You use the IT Resource Type Parameter tab to specify default values and encryption settings for all connection parameters for the IT resource type, as shown in Figure 9-32. Oracle recommends that you do not specify default values for passwords and encrypted fields. Parameters and values on this tab are inherited by all IT resources that reference this IT resource type.

When you define a new parameter, the parameter and its values and encryption settings are added to the current IT resource type and to any new or existing IT resource definitions that reference this IT resource type. For an applicable resource definition, the new parameter is displayed in the Details and Parameters section of the Create IT Resource and Manage IT Resource pages of Advanced Administration.

Note:

You can customize the values and encryption settings for these parameters within each IT resource.

Adding a Parameter to an IT Resource Type

To add a parameter to an IT Resource Type:

1. Click Add.

   A new row is displayed in the IT Resource Type Parameter tab.

2. In the Field Name field, enter the name of the parameter.

3. In the Default Field Value field, enter a default value.

   This value is inherited by all IT resources that reference this IT resource type

4. Select or clear the Encrypted option.

   This check box determines if this parameter's value is masked, that is, represented with asterisk (*) in a form field.

   If you want the parameter's value to be masked, select this check box.

5. Click Save.

Removing a Parameter from an IT Resource Type

To remove a parameter from an IT Resource Type:

1. Select the parameter you want to remove.

2. Click Delete.

   The parameter and its associated value are removed from the IT resource type and from IT resource definitions that reference this type.

9.9.2.2.2 IT Resource Tab

This tab displays IT resources that reference a selected IT resource type. All IT resources on this tab share the same parameters, but the values can be unique for each IT resource.

9.9.2.3 IT Resource Type Definition Table

The IT Resource Type Definition Table displays the following information:

Field Name	Description
Server Type	The name of the resource asset type, as defined in the IT Resource Type Definition form
Insert Multiple	Indicates whether or not multiple instances of this IT Resource Definition can be created

9.9.3 Rule Designer Form

Rules are criteria that enable Oracle Identity Manager to match conditions and take action based on them. A rule can be assigned to a specific resource object or process, or a rule can apply to all resource objects or processes.

The following are examples of rule usage:

• Determining a password policy to apply to a resource object of type Application.

• Enabling users to be added to roles automatically.

• Specifying the provisioning process that apply to a resource object after that resource object is assigned to a request.

• Determining how a process task is assigned to a user.

• Specifying which prepopulate adapter is executed for a given form field.

See Also:

Oracle Identity Manager Tools Reference for more information about prepopulate adapters

The Rule Designer form shown in Figure 9-33 is in the Resource Management folder. You use this form to create and manage rules that are used with resources.

Figure 9-33 Rule Designer Form

Description of "Figure 9-33 Rule Designer Form"

There are four types of rules:

General: Enables Oracle Identity Manager to add a user to a role automatically and to determine the password policy that is assigned to a resource object.

Process Determination: Determines the provisioning processes for a for a resource object.

Task Assignment: Specifies the user or role that is assigned to a process task.

Prepopulate: Determines which prepopulate adapter is executed for a form field.

A rule contains the following items:

A rule element: Consists of an attribute, an operator, and a value. In Figure 9-33, the attribute is User Login, the operator is ==, and the value is XELSYSADM.

A nested rule: If one rule must be placed inside another rule for logic purposes, the internal rule is known as a nested rule. In Figure 9-33, a Rule to Prevent Solaris Access is nested in a Rule for Solaris.

An operation: When a rule contains multiple rule elements or nested rules, an operation shows the relationship among the components. In Figure 9-33, if the AND operation is selected, the User Login==XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule must both be true for the rule to be successful.

Table 9-9 describes the fields of the Rule Designer form.

Table 9-9 Fields of the Rule Designer Form

Field Name	Description
Name	The rule's name.
AND/OR	These options specify the operation for the rule. To stipulate that a rule is successful only when all the outer rule elements and nested rules are true, select AND. To indicate that a rule is successful if any of its outer rule elements or nested rules are TRUE, select OR. Important: These options do not reflect the operations for rule elements that are contained within nested rules. In Figure 9-33, the AND operation applies to the User Login == XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule. However, this operation has no effect on the Object Name != Solaris rule element within the Rule to Prevent Solaris Access rule.
Type	The rule's classification status. A rule can belong to one of four types: General: Enables Oracle Identity Manager to add a user to a role automatically and determines the password policy that is assigned to a resource object. Process Determination: Determines the provisioning processes for a resource object. Task Assignment: Determines which user or role is assigned to a process task. Prepopulate: Determines which prepopulate adapter is used for a form field.
Sub-Type	A rule of type Process Determination, Task Assignment, or Prepopulate can be categorized into one of four subtypes: Organization Provisioning: Classifies the rule as a provisioning rule. Determines the organization for which a process is provisioned, a task is assigned, or the prepopulate adapter is applied. User Provisioning: Classifies the rule as a provisioning rule. Determines the user for which a process is provisioned, a task is assigned, or a prepopulate adapter is applied. For Task Assignment or Prepopulate rule types, the approval and standard approval items are not displayed in the Sub-Type box. The Sub-Type box is grayed out for the General rule type.
Object	The resource object to which this rule is assigned.
All Objects	If selected, the rule can be assigned to all resource objects.
Process	The process to which this rule is assigned.
All Processes	If selected, the rule can be assigned to all processes.
Description	Explanatory information about the rule.

9.9.3.1 Creating a Rule

To create a rule:

Note:

In the following procedure, note that the options do not apply to rule elements within nested rules. For example, in Figure 9-33 the AND operation applies to the User Login==XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule. But this operation has no effect on the Object Name != Solaris rule element in the Rule to Prevent Solaris Access rule.

1. Open the Rule Designer form.

2. In the Name field, enter the name of the rule.

3. To stipulate that a rule is successful only when all of its rule elements or nested rules are true, select the AND option.

   To indicate that a rule is successful if any of its rule elements or nested rules are true, select the OR option.

4. Click the Type box, and in the custom menu select the classification status (General, Process Determination, Task Assignment, or Prepopulate) to associate with the rule.

   For Process Determination, click Sub-Type and select the classification status (Organizational Provisioning, User Provisioning, Approval, or Standard Approval) to associate with the rule.

   For Task Assignment or Prepopulate, click Sub-Type and select the classification status (Organization Provisioning or User Provisioning) to associate with the rule.

   If you select General from the Type box, go to Step 7.

5. To associate the rule with a single resource object, double-click the Object lookup field, and in the Lookup dialog box select a resource object.

   If you want the rule to be available to all resource objects, select the All Objects option.

6. To assign a rule to one process, double-click the Process lookup field, and from the Lookup dialog box, select the process to associate with the rule.

   Note:

   The only processes that are displayed in this Lookup window are the ones that are associated with the resource object you selected in Step 5.

   If you want the rule to be available to all processes, select the All Processes option.

   Note:

   If you select a resource object in Step 5 by selecting the All Processes option, this rule is available to every process that is associated with the selected resource object.

7. In the Description field, enter explanatory information about the rule.

8. Click Save.

9.9.3.2 Tabs on the Rule Designer Form

The Rule Designer form contains the following tabs:

• Rule Elements tab

• Usage tab

Each of these tabs is discussed in the following sections.

9.9.3.2.1 Rule Elements Tab

From this tab, you can create and manage elements and nested rules for a rule. For example, in Figure 9-34, the Rule for Solaris contains the User Login==XELSYSADM rule element. It also has a nested Rule to Prevent Solaris Access. Figure 9-34 displays the Rule Elements tab of the Rule Designer form.

Figure 9-34 Rule Elements Tab of the Rule Designer Form

Description of "Figure 9-34 Rule Elements Tab of the Rule Designer Form"

The rule in Figure 9-34 can be applied to a provisioning process for the Solaris resource object. After this resource object is assigned to a request, the rule is triggered. If the target user's login is XELSYSADM, and the name of the resource object is Solaris, the Solaris resource object is provisioned to the user. Otherwise, the user cannot access Solaris.

When a rule element or nested rule is no longer valid, remove it from the rule.

The following procedures describe how to:

• Add a rule element to a rule

• Add a nested rule to a rule

• Remove a rule element or nested rule from a rule

Adding a Rule Element to a Rule

To add a rule element to a rule:

1. Click Add Element.

   The Edit Rule Element dialog box is displayed.

   The custom menus in the boxes on the Edit Rule Element dialog box reflect the items in the Type and Sub-Type boxes of the Rule Designer form.

   Table 9-10 describes the data fields in the Edit Rule Element dialog box.

   Table 9-10 Fields of the Edit Rule Element Dialog Box

   Name	Description
   Attribute Source	From this box, select the source of the attribute. For example, if the attribute you wish to select is Object Name, the attribute source to select would be Object Information.
   User-Defined Form	This field displays the user-created form that is associated with the attribute source that is displayed in the adjacent box. Note: If Process Data are not displayed in the Attribute Source box, the User-Defined Form field will be empty.
   Attribute	From this box, select the attribute for the rule.
   Operation	From this box, select the relationship between the attribute and the attribute value (== or !=)
   Attribute Value	In this field, enter the value for the attribute. Note: The attribute's value is case-sensitive.

   
   

2. Set the parameters for the rule you are creating, as shown in Figure 9-35.

   Figure 9-35 Edit Rule Element Window

   
   Description of "Figure 9-35 Edit Rule Element Window"
   
   

   In this example, if the Login ID of the target user is XELSYSADM, the rule element is true. Otherwise, it is false.

   See Also:

   For more information about the parameters, see "Rule Elements Tab".

3. From the Toolbar of the Edit Rule Element dialog box, click Save, and click Close.

   The rule element is displayed in the Rule Elements tab of the Rule Designer form.

4. From the main screen's toolbar, click Save.

   The rule element is added to the rule.

Adding a Nested Rule to a Rule

To nest a rule within a rule:

Note:

In the following procedure, only rules of the same type and subtype as the parent rule are displayed in the Select Rule window.

1. Click Add Rule.

   The Select Rule dialog box is displayed.

2. Select a nested rule and click Save.

3. Click Close.

   The nested rule is displayed in the Rule Elements tab of the Rule Designer form.

4. From the main screen's Toolbar, click Save.

   The nested rule is added to the rule.

Removing a Rule Element or Nested Rule from a Rule

To remove a rule element or a nested rule:

1. Select the rule element or nested rule that you want to remove.

2. Click Delete.

   The rule element or nested rule is removed from the rule.

9.9.3.2.2 Usage Tab

This tab is displayed on the Rule Designer form. The information in the Usage tab reflects the rule's classification type. For example, if a rule type is prepopulate, the user-created field that this rule is applied to is displayed in this tab.

Figure 9-36 shows the Usage tab.

Figure 9-36 Usage Tab of the Rule Designer Form

Description of "Figure 9-36 Usage Tab of the Rule Designer Form"

This tab displays the following items:

• The password policy, resource object, process, process task, auto-role membership criteria, role, Oracle Identity Manager form field, and prepopulate adapter associated with a rule.

• A one-letter code, signifying the rule's classification type: P=Provisioning.

  This code is displayed for process determination rules only.

• The rule's priority number.

9.9.3.3 Rule Designer Table

The Rule Designer Table, as shown in Figure 9-37, displays all available rules defined in the Rule Designer form.

Figure 9-37 Rule Designer Table

Description of "Figure 9-37 Rule Designer Table"

Table 9-11 shows the information displayed in the Rule Designer Table.

Table 9-11 Information in the Rule Designer Table

Field Name	Description
Rule Name	The name of the rule.
Rule Type	A rule can belong to one of four types: General: Enables Oracle Identity Manager to add a user to a role automatically and determines the password policy that is assigned to a resource object. Process Determination: Determines the provisioning processes that are selected for a resource object. Task Assignment: Determines which user, role, or both are assigned to a process task. Pre-Populate: Determines which prepopulate adapter is executed for a given form field.
Rule Sub-Type	A rule of type Process Determination, Task Assignment, or Pre-Populate can be categorized into one of four sub-types: Organization Provisioning: Classifies the rule as a provisioning rule. You use this subtype to determine the organization for which a process is provisioned, a task is assigned, or the prepopulate adapter is applied. User Provisioning: Classifies the rule as a provisioning rule. You use this subtype to determine the user for which a process is provisioned, a task is assigned, or a pre-populate adapter is applied.
Rule Operator	The relationship between the attribute and the attribute value represented by the == or != operators.
Description	Explanatory information about the rule.
Last Updated	The date when the rule was last updated.

9.9.4 Resource Objects Form

The Resource Objects form is in the Resource Management folder. You use this form to create and manage the resource objects for the Oracle Identity Manager resources that you want to provision for organizations or users. Resource object definitions are templates for provisioning the resource. However, the provisioning of the resource depends on the design of the provisioning processes that you link to the resource object.

Table 9-12 describes the data fields of the Resource Objects form.

Table 9-12 Fields of the Resource Objects Form

Field Name	Description
Table Name	The name of the resource object form that is associated with this resource. (This is actually the name of the table that represents the form.)
Order For User/Order For Organization	Options that determine whether or not the resource object can be requested for users or organizations. To request the resource object for a user, select Order For User. To request the resource object for an organization, select Order For Organization.
Type	The resource object's classification status. A resource object can belong to one of three types: Application: Classifies this resource object as an application. Generic: Contains business-related processes. System: Oracle Identity Manager uses this type of resource object internally. Do not modify system resource objects without first consulting Oracle.
Allow Multiple	Designates if the resource is provisioned more than once to a user or organization. If it is selected, the resource object can be provisioned more than once for each user or organization.
Self Request Allowed	By selecting this check box, users as well as the system administrator can request the resource object for themselves. Note: The resources allowed for self request can be further requested at the request template level.
Allow All	By selecting this check box, the resource object can be requested for all Oracle users. This setting takes precedence over whether or not the organization to which a user belongs has allowed the resource that can be requested for its users.
Provision by Object Admin Only	This check box determines who can provision this resource. If this check box is selected, only users who are members of the roles listed on the Object Administrators tab will be able to provision this resource object (either directly or by manually initiating the provisioning process from the request). If this check box is deselected, no restrictions are placed on who can directly provision this resource.
Sequence Recon	If you select this check box, reconciliation events are processed in the sequence in which they are created. The application of this feature can be illustrated by the following example: Suppose there are two reconciliation events for the OIM User resource object for user John Doe. The first reconciliation event (E1) data is as follows: Login: testuser1 First Name: John Last Name: Doe Organization: Xellerate Users Type: End-User Role: Full-Time The second reconciliation event (E2) data is as follows: Login: testuser1 First Name: John1 Last Name: Doe1 Organization: Xellerate Users Type: End-User Role: Full-Time Between the first and second events, the first name and last name of the user was changed. During trusted source reconciliation, if events are processed in the order in which they are created, this change in first and last names is correctly reconciled into Oracle Identity Manager. However, if the second event is processed before the first one, data in the target system does not match data in Oracle Identity Manager at the end of the reconciliation run. This inconsistency will be reflected in the auditing tables, and will remain until another event from the trusted source is created for this user. If you enable the Sequence Recon option, you can ensure that events for the same entity (for example, same user or same process form) are processed in the order in which they were created.
Trusted Source	You can select this check box if you want to use the resource object for trusted user reconciliation. By default, this check box is not selected. It is selected by default only for the Xellerate User resource object.

9.9.4.1 Creating a Resource Object

To create a resource object:

1. Open the Resource Objects form.

2. In the Name field, enter the name of the resource object.

3. To request the resource object for a user, select Order For User.

   To request the resource object for an organization, select Order For Organization.

   Note:

   A resource object can be requested for either one user or one organization.

4. Double-click the Type lookup field.

   From the Lookup dialog box that is displayed, select the classification status (Application, Generic, or System) to associate with the resource object.

5. If you want multiple instances of the resource object to be requested for a user or an organization, select the Allow Multiple option. Otherwise, go to Step 6.

6. If you want to be able to request the resource object for yourself, select the Self Request Allowed option. Otherwise, go to Step 7.

7. To provision the resource object for all users, regardless of whether the organization to which the user belongs has the resource object assigned to it, select the Allow All check box. Otherwise, go to Step 8.

8. If you want to use the resource object for trusted source user reconciliation, you must select the Trusted Source option. Otherwise, go to Step 9.

   Note:

   You must deselect the Self Request Allowed and Allow All check boxes to ensure that the resource object is not available for provisioning requests and resource profiles.

9. To restrict the roles that can provision this resource object to roles that are displayed in the Object Administrators tab of the Resource Objects form, select the Provision by Object Admin Only option. This applies to resource objects that are provisioned directly or by assignment to a request. Otherwise, go to Step 10.

10. Click Save.

    The resource object is created.

9.9.4.2 Tabs on the Resource Objects Form

When you start the Resource Objects form and create a resource object, the tabs of this form become functional.

The Resource Objects form contains the following tabs:

• Depends On Tab

• Object Authorizers Tab

• Process Determination Rules Tab

• Event Handlers/Adapters Tab

• Resource Audit Objectives

• Status Definition Tab

• Administrators Tab

• Password Policies Rule Tab

• User-Defined Fields Tab

• Process Tab

• Object Reconciliation Tab

9.9.4.2.1 Depends On Tab

From this tab, you can select resource objects that Oracle Identity Manager must provision before provisioning the current resource object. If Oracle Identity Manager can provision the current resource object without first provisioning a resource object that is displayed on the Depends On tab, you must remove that resource object from the tab.

The following topics are related to the Depends On tab:

• Selecting a resource object on which the current resource object is dependent

• Removing the dependent resource object

Selecting a Dependent Resource Object

To select a dependent resource object:

1. Click Assign.

   The Assignment dialog box is displayed.

2. Select the resource object.

3. Click OK.

   The dependent resource object is selected.

Removing a Dependent Resource Object

To remove a dependent resource object:

1. Select the dependent resource object that you want to remove.

2. Click Delete.

   The resource object is removed from the Depends On tab.

9.9.4.2.2 Object Authorizers Tab

Use this tab to specify roles that are the object authorizers for this resource. You can select users who are members of the Object Authorizers roles as targets for task assignments.

Each role on the Object Authorizers tab has a priority number. The priority number can also be referenced when a task assigned to a role is escalated due to lack of action. You can increase or decrease the priority number for any role on this tab.

For example, suppose that you configure members of the SYSTEM ADMINISTRATORS roles to be object authorizers. Also suppose that a process task associated with this resource object has a task assignment rule attached to it. The first user authorized to complete this process task is the user with the priority number 1. If the user does not complete the process task in a user-specified time, Oracle Identity Manager reassigns the task to the user with the next priority in the SYSTEM ADMINISTRATORS role.

See Also:

"Rule Designer Form" and "Assignment Tab of the Editing Task Window" for more information about task assignment rules and process tasks

Assigning a Role to a Resource Object

To assign a role to a resource object:

1. Click Assign.

   The Assignment dialog box is displayed.

2. Select a role.

3. Click OK.

   The role is selected.

Removing a Role from a Resource Object

To remove a role from a resource object:

1. Select the desired role.

2. Click Delete.

   The role is removed from the Object Authorizers tab.

9.9.4.2.3 Process Determination Rules Tab

A resource object is a template for the resource that is provisioned to users or organizations. This template can be linked to multiple provisioning processes. Oracle Identity Manager uses process determination rules to select a provisioning process when a resource is requested or directly provisioned.

Process determination rules provide the following criteria:

• Which provisioning process to select when a resource is requested

• Which provisioning process to select when a resource is provisioned directly

Each provisioning process has a process determination rule. Each rule and process combination has a priority number that indicates the order in which Oracle Identity Manager will evaluate it.

If the condition of a rule is false, Oracle Identity Manager evaluates the rule with the next highest priority. If a rule is true, Oracle Identity Manager executes the process associated with it.

Adding a Process Determination Rule to a Resource Object

To add a process determination rule to a resource object:

1. Click Add in the Provisioning Processes region, depending on the rule or process combination you intend to create.

2. From the row that is displayed, double-click the Rules lookup field.

3. From the Lookup dialog box, select a rule, and assign it to the resource object (only rules of Process Determination type are available for selection).

4. Click OK.

5. In the adjacent column, double-click the Processes lookup field.

6. From the Lookup dialog box, select a process, and assign it to the rule.

7. Click OK.

8. Enter a numeric value in the Priority field.

   This determines the order in which Oracle Identity Manager evaluates the rule and process combination.

9. Click Save.

   The rule and process combination is added to the resource object.

Remove a Process Determination Rule From a Resource Object

To remove a process determination rule from a resource object:

1. Select a rule and process combination.

2. Click Delete.

   The rule and process combination is removed from the resource object.

9.9.4.2.4 Event Handlers/Adapters Tab

A resource object's provisioning process contains tasks that must be completed automatically. When this occurs, you must assign an event handler or an adapter to the resource object. An event handler is a software routine that provides the processing of this specialized information. An adapter is a specialized type of event handler that generates Java code, which enables Oracle Identity Manager to communicate and interact with external resources.

When an event handler or adapter that is assigned to a resource object that is no longer valid, you must remove it from the resource object.

For this example, the adpAUTOMATEPROVISIONINGPROCESS adapter was assigned to the Solaris resource object. Once this resource object is assigned to a request, Oracle Identity Manager triggers the adapter, and the associated provisioning process is executed automatically.

Assigning an Event Handler or Adapter to a Resource Object

To assign an event handler to an adapter or a resource object:

1. Click Assign.

   The Assignment dialog box is displayed.

2. Select an event handler, and assign it to the resource object.

3. Click OK.

   The event handler is assigned to the resource object.

Remove an Event Handler or Adapter from a Resource Object

To remove an event handler or adapter from a resource object, perform the following steps:

1. Select an event handler.

2. Click Delete.

   The event handler is removed from the resource object.

9.9.4.2.5 Resource Audit Objectives

The Resource Objects form in the Design Console includes a resource attribute named Resource Audit Objectives. This resource attribute helps you link resources to regulatory mandates.

Figure 9-38 The Resource Objects Form

A lookup is defined for the values of the Resource Audit Objectives resource attribute. The predefined values in the Resource Audit Objectives list are:

• SOX (Hosts Financially Significant Information)

• HIPAA (Hosts Private Healthcare Information)

• GLB (Hosts Non-Public Information)

• Requires Quarterly Review

• Requires Annual Review

You can extend this list by editing the Lookups.Resource Audit Objective.Type lookup by using the Lookup Definition Form in the Design Console.

9.9.4.2.6 Status Definition Tab

You use this tab to set provisioning status for a resource object. A provisioning status indicates the status of a resource object throughout its lifecycle, until it is provisioned to the target user or organization.

Every provisioning status of a resource object is associated with a task status for the relevant provisioning process. Oracle Identity Manager selects the provisioning process when the resource object is assigned to a request. For example, if the Provision for Developers process is selected, and a task in this process achieves Completed status, the corresponding status of the resource object can be set to Provisioned. This way, you can see how the resource object relates to the provisioning process, quickly and easily.

A resource object has the following predefined statuses:

• Waiting: This resource object depends on other resource objects that have not yet been provisioned.

• Revoked: The resources represented by the resource object are provisioned to target users or organizations that have been permanently deprovisioned from using the resources.

• Ready: This resource object either does not depend on any other resource objects, or all resource objects upon which this resource object depends are provisioned.

  After a resource is assigned to a request and the resource object's status is Ready, Oracle Identity Manager evaluates the process determination rules to determine the provisioning process. When this happens, the status of the resource object changes to Provisioning.

• Provisioning: The resource object is assigned to a request and a provisioning process has been selected.

• Provisioned: The resources represented by the resource object are provisioned to the target users or organizations.

• Provide Information: Additional information is required before the resources represented by the resource object can be provisioned to the target users or organizations.

• None: This status does not represent the provisioning status of the resource object. Rather, it signifies that a task that belongs to the provisioning process that Oracle Identity Manager selects has no effect on the status of the resource object.

• Enabled: The resources represented by the resource object are provisioned to the target users or organizations, and these users or organizations have access to the resources.

• Disabled: The resources represented by the resource object are provisioned to the target users or organizations, but these users or organizations have temporarily lost access to the resources.

Each provisioning status has a corresponding Launch Dependent check box. If the check box is selected and the resource object achieves that provisioning status, Oracle Identity Manager enables dependent resource objects to start their own provisioning processes.

For example, suppose that the Exchange resource object has the Launch Dependent check box selected for the Provisioned and Enabled provisioning statuses. Once the provisioning status of this resource object changes to Provisioned or Enabled, Oracle Identity Manager verifies that there are other resource objects upon which the Exchange resource object depends. If there are, Oracle Identity Manager starts the provisioning process of the dependent objects. Then, Oracle Identity Manager selects a provisioning process for the Exchange.

You might want to add additional provisioning statuses to a resource object to reflect the various task statuses of a provisioning process. For example, when the status of a task that belongs to a provisioning process is Rejected, you might want to set the corresponding provisioning status of the resource object to Revoked.

Similarly, when an existing provisioning status is no longer valid, you must remove it from the resource object.

The following sections discuss how to add a provisioning status to a resource object and remove a provisioning status from a resource object.

Adding a Provisioning Status to a Resource Object

To add a provisioning status to a resource object:

1. Click Add.

2. Add a provisioning status in the Status field.

3. When you want other, dependent resource objects to launch their own provisioning process once the resource object achieves the provisioning status you are adding, select the Launch Dependent check box. Otherwise, go to Step 4.

4. Click Save.

   The provisioning status is added to the resource object.

Removing a Provisioning Status from a Resource Object

The following procedure describes removing a provisioning status from a resource object:

1. Select a provisioning status.

2. Click Delete.

   The provisioning status is removed from the resource object.

9.9.4.2.7 Administrators Tab

This tab is used to select roles that can view, modify, and delete the current resource object.

When the Write check box is selected, the corresponding role can modify the current resource object. When the Delete check box is selected, the associated role can delete the current resource object.

The following sections describe how to assign a role to a resource object, and remove a role from a resource object.

Assigning a Role to a Resource Object

To assign a role to a resource object:

1. Click Assign.

   The Assignment dialog box is displayed.

2. Select the role, and assign it to the resource object.

3. Click OK.

   The role is displayed in the Administrators tab. By default, all members of this role can view the active record.

4. If you want this role to be able to modify the current resource object, select the corresponding Write check box.

   Otherwise, go to Step 5.

5. If you want this role to be able to delete the current resource object, select the associated Delete check box.

   Otherwise, go to Step 6.

6. Click Save.

   The role is assigned to the resource object.

Tip:

If you want to assign a permission for provisioning resource objects to users other than members of the SYSTEM ADMINISTRATORS role, then perform the following steps:

1. Using the Administrative and User Console, add the resource object to Resources tab for the Xellerate Users organization.

2. Assign a role as the administrator for the resource object.

3. Make the same role as the Administrative Role of Xellerate Users organization.

4. Assign the Manage Users menu item to the role so that the role members are able to perform provisioning.

5. In the Design Console, make the role as administrators of various Oracle Identity Manager entities, such as process definition or form, associated with the resource object.

   For example, if Role A is the administrator of the AD resource object, then add Role A to the administrator/authorizer tab of each Oracle Identity Manager entity associated with the AD resource object.

6. In the Resource Objects form, select the following options:

   - Provision by Object Admin Only: Selecting this is mandatory. See Table 9-12, "Fields of the Resource Objects Form" for information about this option.

   - Any other option as required.

Removing a Role from a Resource Object

To remove a role from a resource object:

1. Highlight the role that you want to remove.

2. Click Delete.

   The role is removed from the resource object.

9.9.4.2.8 Password Policies Rule Tab

If a resource object is of type Application, and you want to provision the resource object to a user or organization, you might want that user or organization to meet password criteria before accessing the resource object. This password criteria is created and managed in the form of password policies. These policies are created by using the Password Policies form.

Because the resource object definition is only a template for governing how a resource is to be provisioned, Oracle Identity Manager must be able to make determinations about how to provision the resource based on actual conditions and rules. These conditions might not be known until the resource is actually requested. Therefore, rules must be linked to the various processes and password policies associated with a resource. This enables Oracle Identity Manager to decide which ones to invoke in any given context.

Oracle Identity Manager determines which password policy to apply to the resource when creating or updating a particular user's account. This is done by evaluating the password policy rules of the resource and applying the criteria of the policy associated with the first rule that is satisfied. Each rule has a priority number, which indicates the order in which Oracle Identity Manager will evaluate it.

The following sections discuss how to add and remove a password policy rule from a resource object.

Adding a Password Policy Rule to a Resource Object

To add a password policy rule to a resource object:

1. Click Add.

2. From the row that is displayed, double-click the Rule lookup field.

3. From the Lookup dialog box, select a rule, and assign it to the resource object.

4. Click OK.

5. In the adjacent column, double-click the Policy lookup field.

6. From the Lookup dialog box, select an associated password policy, and assign it to the resource object.

7. Click OK.

8. Add a numeric value in the Priority field.

   This field contains the rule's priority number.

9. Click Save.

   The password policy rule is added to the resource object.

Note:

• If the resource type is Order for Organization, you cannot attach a password policy to the resource object. The exception to this rule is the Xellerate User resource object. Although this resource object is of Order for Organization type, password policies can be attached to it.

• If two or more rules evaluate to True, the password policy attached to the rule with the highest priority is applied.

• A Default rule is predefined in Oracle Identity Manager. This rule always evaluates to True. If no rules have been created through the Rule Designer, a password policy can be attached to the Default rule.

Removing a Password Policy Rule from a Resource Object

To remove a password policy from a resource object:

1. Select a password policy rule.

2. Click Delete.

   The password policy rule is removed from the resource object.

9.9.4.2.9 User-Defined Fields Tab

You use this tab to view and access user-defined fields that were created for the Resource Objects form. After a user-defined field is created, it is displayed on this tab and can accept and supply data.

See Also:

See "User Defined Field Definition Form" for instructions about how to create user-defined fields on existing Oracle Identity Manager forms

9.9.4.2.10 Process Tab

The Process tab displays all provisioning processes that are associated with the current resource object. The Default check boxes on this tab indicate what provisioning processes are the defaults for the resource.

Note:

You create provisioning processes and associate them with a resource by using the Process Definition form. Each process can be linked to a process determination rule by using the Process Determination Rules tab of the Resource Object form.

For example, suppose that the Solaris resource object has one provisioning processes (Provision Solaris for Devel.) associated with it. The Provision Solaris for Devel. has been designated as the default provisioning process for this resource object.

9.9.4.2.11 Object Reconciliation Tab

The Object Initial Reconciliation Date field on the Object Reconciliation Tab displays the date when initial reconciliation was performed for the resource.

Note:

The purpose of initial reconciliation is to bring all the user accounts from the target system into Oracle Identity Manager.

The date value stored in the Object Initial Reconciliation Date field is used to distinguish between initial reconciliation and subsequent reconciliations events. This date value is used by the two exception reports introduced in release 9.1.0. These exception reports display differences in the entitlements a user must have as compared to what the user actually has in the target system. The differences in entitlements are determined by using reconciliation data, along with other data items. The exception reports return data associated with only those reconciliation events that are created after the date stored in the Object Initial Reconciliation Date field. In addition, exception data is generated only if the Initial Object Reconciliation Date field displays a date value that is in the past. If required, you can enter a date value in this field so that the exception reports are generated.

The Object Reconciliation tab contains two subtabs, Reconciliation Fields and Reconciliation Action Rules.

• The Reconciliation Fields tab is used to define the fields on the target resources or trusted sources that are to be reconciled with (for example, mapped to) information in Oracle Identity Manager

• The Reconciliation Action Rules tab is used to specify the actions Oracle Identity Manager is to take when particular matching conditions are met.

Click the Create Reconciliation Profile button in the Object Reconciliation tab to generate reconciliation profile whenever any changes are made to the resource object or associated process forms.

Reconciliation Fields Tab

This tab is used to define the fields on the target resources or trusted sources that are to be reconciled with (for example, mapped to) information in Oracle Identity Manager. For each field on the target system or trusted source, the following information will be listed:

• Name of the field on the target resource or trusted source that is to be reconciled with data in Oracle Identity Manager (for example, targetfield1)

• Data type associated with the field (for example, String). Possible values are multi-valued, string, number, date, IT resource

• Indicator that designates whether or not this field is required in a reconciliation event

Note:

Oracle Identity Manager will not begin to match provisioning processes, users or organizations to the reconciliation event until all fields are processed on the Reconciliation section of the Event Management tab in the Advanced Administration.

The following is an example of a reconciliation field definition:

TargetField1 [String], Required

In the Reconciliation Fields tab, you can perform the following:

• Add a reconciliation field

  The following procedure adds fields from the target system or trusted source to the list of fields that are to be reconciled with information in Oracle Identity Manager.

  Note:

  Before Oracle Identity Manager can successfully perform reconciliation with an external target resource or trusted source, the fields you have defined on this tab must be mapped to the appropriate Oracle Identity Manager fields by using the Field Mappings tab of the resource's default provisioning process.

  To add a reconciliation field:

  1. Click Add Field.

     The Add Reconciliation Field dialog box is displayed.

  2. Enter the name of the field on the target resource or trusted source in the Field Name field.

     This is the name that will reference the target resource or trusted source field in Oracle Identity Manager.

  3. Select one of the following values from the menu in the Field Type field:

     • Multi-Valued

       This is meant for use with fields that contain one or more component fields.

     • String

     • String

     • Date

     • IT resource

       During reconciliation event creation, the value this field receives must be the same as the name of an IT resource defined in Oracle Identity Manager.

  4. Select the Required check box.

     If selected, the reconciliation field must be processed on the Reconciliation section of the Event Management tab in the Advanced Administration before Oracle Identity Manager will begin matching a provisioning process, user, or organization to the reconciliation event. If this check box is not selected, the inability to process this field in a reconciliation event will not prevent matching from occurring.

  5. Click Save.

     The field will be available for mapping in the resource's default provisioning process.

• Delete a reconciliation field

  Use the following procedure to remove a target system field from the list of fields that are to be reconciled with information in Oracle Identity Manager. For a trusted source, this must be the user resource definition.

  To delete a reconciliation field:

  1. Select the field you wish to remove.

  2. Click Delete Field.

     The selected field will be removed from the list of fields with which Oracle Identity Manager reconciles data on the target system (this will have no effect on the data in the target system itself).

Reconciliation Action Rules Tab

By using this tab, you can specify the actions that Oracle Identity Manager will perform when some matches within reconciliation event records are encountered. Each record in this tab is a combination of:

• The matching condition criteria

• The action to be performed

The conditions and actions from which you can select are predefined. Depending on the matching conditions, certain actions might not be applicable. A complete list of the available options is provided in Table 9-13.

Table 9-13 Rule Conditions and Possible Rule Actions

Rule Condition	Possible Rule Actions
No matches found	None Create User (only available with the trusted source)
One Process Match Found	None Establish Link
Multiple Process Matches Found	None
One Entity Match Found	None Establish Link
Multiple Entity Matches Found	None

See Also:

"Assignment Tab of the Editing Task Window" for a description of the classification types for the users and roles listed in the preceding table

Adding a Reconciliation Action Rule

To add a reconciliation action rule:

1. Click Add Field.

   The Add a new Action Rule dialog box is displayed.

2. Select the desired value from the Rule Condition menu.

   This is the matching condition that will cause the associated action to be executed. Each match condition can only be assigned to a single rule action.

3. Select a value from the Rule Action menu.

   This is the action that will be executed if the matching condition is met.

4. Click Save, and close the Add a new Action Rule dialog box.

Deleting a Reconciliation Action Rule

To delete a reconciliation action rule:

1. Select the matching action combination to delete.

2. Click Delete.

   The reconciliation action rule will be removed and the action associated with its condition will not be executed automatically.

9.9.4.3 Multiple Trusted Source Reconciliation

In earlier releases, you could set up only the Xellerate User resource object as a trusted source to reconcile identities. Now, you can do this by creating the reconciliation fields, reconciliation action rules, field mappings, and matching roles for the Xellerate User resource object and the process definition.

If there are two trusted sources from which you want to reconcile identities to create OIM Users, you are not able to configure a single resource object (Xellerate User) for both the trusted sources. Even if you create reconciliation fields for both the trusted sources in the Xellerate User resource object, you cannot create the corresponding reconciliation field mappings in the Xellerate User process definition.

From release 9.1.0 onward, you can configure resource objects other than Xellerate User as trusted sources for identity reconciliation. You can do this by selecting the Trusted Source check box in the Resource Objects form while creating a resource object.

For a resource object to which the Trusted Source flag is attached, you can create multiple reconciliation fields to denote the target system fields. You can also configure the reconciliation action rule in which if there are no process matches found, either a user is created or the data is sent to the administrator or authorizer for identity creation. If a process match is found, the link is established.

When defining provisioning process for trusted source resources, do not attach user-defined process forms. For these provisioning processes, reconciliation field mappings can be created between reconciliation fields defined on the resource and OIM User attributes.

Note:

If the resource object is for target resource reconciliation, the mapping is between the reconciliation fields and process data fields.

Do not use any resource objects that are defined as a trusted source for provisioning activities. These resources are meant to be used only for OIM Users' reconciliation.

Another addition in this release is the attribute authoritative sources feature. This means sources are trusted for only attributes of the identities and not the identities themselves. You can configure attribute authoritative source reconciliation by creating appropriate reconciliation action rules. If no process match is found, it is assigned to the administrator. This ensures that a user is not created by mistake even if there are no matches found. If a process match is found, the reconciliation action rule will establish a link.

The following sections discuss two use cases in which you can implement multiple trusted source reconciliation.

Note:

At some places in this document:

- Multiple trusted source reconciliation has been referred to as MTS.

- The terms fields and attributes have been used interchangeably.

9.9.4.3.1 Multiple Trusted Source Reconciliation Using MTS-Compatible Connectors

Note:

To determine whether or not your connector is MTS-compatible, see connector-specific documentation.

The following sections discuss scenarios in which you can implement multiple trusted source reconciliation by using MTS-compatible connectors:

• Configuring MTS-Compatible Connectors for Trusted Source Reconciliation by User Type

• Configuring MTS-Compatible Connectors for Trusted Source Reconciliation of Specific OIM User Attributes

Configuring MTS-Compatible Connectors for Trusted Source Reconciliation by User Type

In this context, user type refers to the type of users whose records you want to reconcile. Examples of user types are Employee and Customer.

To implement trusted source reconciliation by user type, perform the procedure to implement trusted source reconciliation while deploying the connectors of each target system that you want to configure as a trusted source.

During reconciliation, all the target system records of the specified user types are reconciled. If the target systems contain multiple user types, you can use the Limited Reconciliation feature to specify the user type for which records must be reconciled from each target system.

Configuring MTS-Compatible Connectors for Trusted Source Reconciliation of Specific OIM User Attributes

You might want to configure trusted source reconciliation for specific OIM User attributes from multiple target systems. The procedure to implement this is described with the help of the following sample scenario:

You want to reconcile identities from one target system, for example TS1, and specific attributes of these identities (for example attr1, attr2, and attr3) from another target system, for example TS2. This means that TS1 is the trusted source for the identities, and TS2 is the trusted source for specific attributes of those identities and not the identities themselves. TS1 must provide all the mandatory OIM User attributes for the successful creation of an OIM User. TS2 will provide only those OIM User attributes (either a mandatory OIM User attribute or a non-mandatory one) for which TS2 is the trusted source. If you reconcile a mandatory OIM User attribute from TS2, the value of this attribute overwrites the value contained in this attribute after the OIM User is created from TS1. If you want to reconcile only non-mandatory OIM User attributes from TS2, you can choose not to reconcile these attributes from TS1 during OIM User creation.

For the TS1 connector:

1. Perform all the steps required to deploy the TS1 connector and configure it for trusted source reconciliation.

   See Also:

   The documentation for the connector you are deploying for information about the procedure to configure trusted source reconciliation

2. In the Reconciliation Fields tab on the Object Reconciliation page, delete all the TS1 attributes that you want to reconcile from TS2 (in this case attr1, attr2, and attr3).

3. In the Reconciliation Field Mappings tab on the Process Definition page, delete all the mappings other than the ones you want to retain.

   Instead of deleting reconciliation fields, you can remove the reconciliation field mappings of those fields for which you do not want to reconcile the values into the OIM User created through reconciliation.

4. In the Reconciliation Action Rules tab on the Object Reconciliation page, ensure that the following rule condition and action mappings exist:

   Rule Condition: No Matches Found

   Action: Create User

For the TS2 connector:

1. Perform all the steps required to deploy the TS2 connector and configure it for trusted source reconciliation.

   See Also:

   The documentation for the connector you are deploying for information about the procedure to configure trusted source reconciliation

2. In the Reconciliation Field Mappings tab on the Process Definition page, delete all the mappings other than the ones you want to retain.

   Instead of deleting reconciliation fields, you can also choose to just remove the reconciliation field mappings of those fields for which you do not want to reconcile the values into the OIM User created through reconciliation.

3. In the Reconciliation Fields tab on the Object Reconciliation page, delete all the TS2 attributes other than attr1, attr2, and attr3. In addition, retain the attributes that you want to use to match OIM Users with existing TS2 accounts. This means that you retain only those attributes that will be used for reconciliation rule evaluation. For example, you might want to use the username attribute in Oracle Identity Manager to match the value of the first name attribute in TS1.

4. In the Reconciliation Action Rules tab on the Object Reconciliation page, create rule conditions and action mappings. One of these rule condition-action mappings must be the following:

   Rule Condition: No Matches Found

   Action: Anything other than Create User

9.9.4.3.2 Multiple Trusted Source Reconciliation Using Connectors That Are Not MTS-Compatible

Note:

To determine whether or not your connector is MTS-compatible, see connector-specific documentation.

For a connector that is not MTS-compatible, the following prerequisites must be addressed before you can use the connector in a multiple trusted source reconciliation setup:

i. Only one of the trusted source resource objects can be Xellerate User. In your operating environment, if the Xellerate User resource object is already in use by a connector for trusted source reconciliation, for the trusted source connector that you want to configure, you must create a new resource object and process definition.

ii. The scheduled task of the connector must have an attribute that accepts the name of the resource object used for trusted source user reconciliation as its value.

The following sections discuss scenarios in which you can implement multiple trusted source reconciliation by using non-MTS-compatible connectors:

• Configuring Non-MTS-Compatible Connectors for Trusted Source Reconciliation by User Type

• Configuring Non-MTS-Connectors for Trusted Source Reconciliation of Specific OIM User Attributes

Configuring Non-MTS-Compatible Connectors for Trusted Source Reconciliation by User Type

In this context, user type refers to the type of users whose records you want to reconcile. Examples of user types are Contractor, Employee, and Customer.

You use Microsoft Active Directory and Oracle e-Business Suite as trusted sources in your operating environment. Active Directory is used to store information about identities that belong to the Contractor user type. Oracle e-Business Suite is used to store information about identities that belong to the Customer and Employee user type. You want to reconcile Contractor records from Active Directory and Employee records from Oracle e-Business Suite. To do this, perform the following:

For Active Directory:

1. Perform all the steps required to deploy the Active Directory connector and configure it for trusted source reconciliation.

   See Also:

   The documentation for the connector you are deploying for information about the procedure to configure trusted source reconciliation

   When you import the connector XML file for trusted source reconciliation, information specific to Active Directory is added in the Xellerate User resource object and process definition.

2. On the Resource Object tab, create the ActDir resource object for trusted source reconciliation with Active Directory.

   Note:

   You can assign any name to the resource object. This procedure is based on the use of ActDir as the name assigned to the resource object.

   For detailed information about the procedure to create a resource object, see "Resource Objects Form".

   While creating the resource object:

   1. Select the Trusted Source check box on the Resource Object tab.

   2. On the Object Reconciliation>>Reconciliation Fields tab, see Xellerate User resource object and add the Active Directory-specific fields that you want to reconcile in ActDir. All the mandatory OIM User fields must be covered by the fields that you add on this tab.

3. On the Object Reconciliation>>Reconciliation Action Rules tab, create rule conditions and action mappings. One of these rule condition-action mappings must be the following:

   Rule Condition: No Matches Found

   Action: Create User

4. Delete the fields specific to Active Directory and the corresponding rules from the Xellerate User resource object.

5. Create the ActDir process definition in the Process Definition form.

   For detailed information about the procedure to create a process definition, see "Process Definition Form". Based on the reconciliation field mappings in the Xellerate User process definition, on the Reconciliation Field Mappings tab, add the reconciliation field mappings for the ActDir process definition.

6. Delete the Active Directory-specific field mappings in the Xellerate User resource object.

7. In the Reconciliation Rule Builder form on the Reconciliation Rules page, query and open the reconciliation rule for this connector and change the value of the Object field to map to the resource object that you have created. By default, the value of this field is mapped to that of the Xellerate User resource object.

For Oracle e-Business Suite, repeat all the steps you performed for Active Directory. Perform the following steps of that procedure differently for the Oracle e-Business Employee Reconciliation connector:

1. On the Resource Object tab, create the EmpRecon resource object for trusted source reconciliation with Oracle e-Business Suite.

   Note:

   You can assign a name to the resource object. This procedure is based on the use of EmpRecon as the name assigned to the resource object.

2. On the Object Reconciliation>>Reconciliation Action Rules tab, create rule conditions and action mappings. One of these rule condition-action mappings must be the following:

   Rule Condition: No Matches Found

   Action: Create User

   Use the Limited Reconciliation feature to specify that only identities that belongs to the Employee user type must be reconciled.

3. After you add the fields and the reconciliation rules, delete the Oracle e-Business Suite-specific fields and the corresponding rules created in the Xellerate User resource object.

4. Create the EmpRecon process definition in the Process Definition form. For detailed information about the procedure to create a process definition, see "Process Definition Form". Based on the Xellerate User reconciliation field mappings, on the Reconciliation Field Mappings tab, add the field mappings for the EmpRecon process definition.

5. Delete the Oracle e-Business Suite-specific field mappings in the Xellerate User resource object.

6. On the Reconciliation Rules>>Reconciliation Rule Builder form, query and open the reconciliation rule for this connector and change the value of the Object field to map to the resource object that you have created. By default, the value of this field is mapped to that of the Xellerate User resource object.

For both Active Directory and Oracle e-Business Suite, perform the rest of the steps required to configure trusted source reconciliation. For example, while configuring the reconciliation scheduled task for each connector, specify the name of the trusted source resource object that must be used during trusted source user reconciliation.

The current value of the scheduled task attribute would be Xellerate User and it must be updated with the name of the new resource object configured for trusted source user reconciliation for this connector.

Figure 9-39 shows the design time implementation of trusted source reconciliation based on the user type.

Figure 9-39 Trusted Source Reconciliation by User Type

Description of "Figure 9-39 Trusted Source Reconciliation by User Type"

Configuring Non-MTS-Connectors for Trusted Source Reconciliation of Specific OIM User Attributes

You might want to configure trusted source reconciliation for specific OIM User attributes from multiple target systems. The procedure to implement this is described with the help of the following sample scenario:

You use Microsoft Active Directory and IBM Lotus Notes as your target systems. You want to reconcile identities from Active Directory and only the value of the e-mail address attribute of each identity (reconciled into Oracle Identity Manager from Active Directory) from Lotus Notes. To achieve this:

For the Active Directory connector:

1. Perform all the steps required to deploy the Active Directory connector and configure it for trusted source reconciliation.

   See Also:

   The documentation for the connector you are deploying for information about the procedure to configure trusted source reconciliation

   When you import the connector XML file for trusted source reconciliation, Active Directory-specific information is added in the Xellerate User resource object and process definition.

2. On the Resource Object tab, create the ActDir resource object for trusted source reconciliation with Active Directory.

   Note:

   You can assign any name to the resource object. This procedure is based on the use of ActDir as the name assigned to the resource object.

   For detailed information about the procedure to create a resource object, see "Resource Objects Form".

   While creating the resource object:

   i. Select the Trusted Source check box on the Resource Object tab.

   ii. On the Object Reconciliation>>Reconciliation Fields tab, see Xellerate User resource object and add the Active Directory-specific fields that you want to reconcile in ActDir. All the mandatory OIM User fields must be covered by the fields that you add on this tab.

3. On the Object Reconciliation>>Reconciliation Action Rules tab, create rule conditions and action mappings. One of these rule condition-action mapping must be the following:

   Rule Condition: No Matches Found

   Action: Create User

4. Delete the Active Directory-specific fields and the corresponding rules from the Xellerate User resource object.

5. Create the ActDir process definition in the Process Definition form. For detailed information about the procedure to create a process definition, see "Process Definition Form". Based on the reconciliation field mappings in the Xellerate User process definition, on the Reconciliation Field Mappings tab, create the field mappings for the ActDir process definition.

6. Delete the Active Directory-specific field mappings in the Xellerate User resource object.

7. On the Reconciliation Rules>>Reconciliation Rule Builder form, query and open the reconciliation rule for this connector and change the value of the Object field to map to the resource object that you have created. By default, the value of this field is mapped to that of the Xellerate User resource object.

For IBM Lotus Notes, repeat all the steps you performed for Active Directory. Perform the following steps of that procedure differently for the Lotus Notes connector:

1. On the Resource Object tab, create the LotNotes resource object for trusted source reconciliation with Lotus Notes.

   Note:

   You can assign a name to the resource object. This procedure is based on the use of LotNotes as the name assigned to the resource object.

2. When you create the resource object, add only the e-mail address attribute.

3. On the Object Reconciliation>>Reconciliation Action Rules tab, create rule conditions and action mappings. Create any rule condition other than user creation if no matches are found. If a match is found, the link is established.

4. After you have added the fields and the reconciliation rules, delete the Lotus Notes-specific fields and the corresponding rules created in the Xellerate User resource object.

5. Create the LotNotes process definition in the Process Definition form. For detailed information about the procedure to create a process definition, see "Process Definition Form". Based on the Xellerate User reconciliation field mappings, on the Reconciliation Field Mappings tab, add the field mappings for the LotNotes process definition.

6. Delete the Lotus Notes-specific field mappings in the Xellerate User resource object.

For both Active Directory and Lotus Notes, perform the rest of the steps required to configure trusted source reconciliation. For example, while configuring the reconciliation scheduled task for each connector, specify the name of the trusted source resource object that must be used during reconciliation.

The current value of the scheduled task attribute would be Xellerate User and it must be updated with the name of the new resource object configured for trusted source user reconciliation for this connector.

Figure 9-40 shows the design time implementation of trusted source reconciliation of specific OIM User attributes.

Figure 9-40 Trusted Source Reconciliation for Specific OIM User Attributes

Description of "Figure 9-40 Trusted Source Reconciliation for Specific OIM User Attributes"

9.9.5 Service Account Management

Oracle Identity Manager supports service accounts. Service accounts are general administrator accounts (for example, admin1, admin2, admin3, and so on) that are used for maintenance purposes, and are typically shared by a set of users. The model for managing and provisioning service accounts is slightly different from normal provisioning.

Service accounts are requested, provisioned, and managed in the same manner as regular accounts. They use the same resource objects, provisioning processes, and process forms as regular accounts. A service account is distinguished from a regular account by an internal flag.

When a user is provisioned with a service account, Oracle Identity Manager manages a mapping from the user's identity to the service account. When the resource is revoked, or the user gets deleted, the provisioning process for the service account does not get canceled (which would cause the undo tasks to start). Instead, a task is inserted into the provisioning process (the same way Oracle Identity Manager handles Disable and Enable actions). This task removes the mapping from the user to the service account, and returns the service account to the pool of available accounts.

This management capability is available through APIs.