1 Introducing the Oracle Role Manager Integration Library

This chapter provides an overview of the Oracle Role Manager Integration Library and includes the following sections:

• About the Oracle Role Manager Integration Library

• Architecture

1.1 About the Oracle Role Manager Integration Library

The section outlines the features available in the Oracle Role Manager Integration Library (Integration Library) used to integrate Oracle Role Manager with provisioning systems.

Oracle Role Manager manages roles and resolves role memberships, both memberships that result from direct grants and those that are derived based on rules and grant policies. Through the Integration Library, external systems can use these roles for role-based provisioning.

The Integration Library is currently available for Oracle Identity Manager and includes the following features:

• User provisioning and reconciliation

  • Real-time creation of a person record in Oracle Role Manager for every Oracle Identity Manager user.

    Users must have Oracle Role Manager records before they can be granted roles in Oracle Role Manager and this feature automates the process.

  • Real-time update of user data from Oracle Identity Manager.

    For all user attributes configured in XML to be sent to Oracle Role Manager, changes made to those values are sent as soon as they are submitted in Oracle Identity Manager. This ensures that Oracle Identity Manager remains the authoritative system of record for all people in the Oracle Role Manager system who are also users in Oracle Identity Manager.

  • Scheduled tasks for user reconciliation.

    Scheduled tasks ensure that user data in both systems is synchronized. This consists of sending all user records from Oracle Identity Manager to Oracle Role Manager and ensures that all users denoted as originating from Oracle Identity Manager have a corresponding Oracle Role Manager person record.

    There are two scheduled tasks for user reconciliation: quick user reconciliation and full user reconciliation. Quick user reconciliation can be run at periodic intervals to send to Oracle Role Manager all user data that has been created, updated or deleted since the last time the task was run or since a specified base time. Full user reconciliation additionally checks for users that have been either deleted or made inactive and reflects that change in status in Oracle Role Manager.

• Entitlement reconciliation

  • Real-time creation of an entitlement in Oracle Role Manager for every Oracle Identity Manager entitlement.

  • Real-time update of entitlement data from Oracle Identity Manager.

    Data for entitlements in Oracle Identity Manager is sent in real time as soon as changes are submitted. This ensures that entitlement data in Oracle Role Manager is always aligned with entitlements in Oracle Identity Manager.

  • Scheduled tasks for entitlement reconciliation.

    Scheduled tasks ensure that entitlement data in both systems is synchronized. This consists of sending all entitlement records from Oracle Identity Manager to Oracle Role Manager, where entitlements are updated or created to match what is sent from Oracle Identity Manager. Any changes to mapping of entitlements in Oracle Identity Manager will also be made in Oracle Role Manager as part of entitlement reconciliation.

    There are two scheduled tasks for entitlement reconciliation: quick entitlement reconciliation and full entitlement reconciliation. Quick entitlement reconciliation can be run at periodic intervals to send to Oracle Role Manager all entitlement data that has been created, updated or deleted since the last time the task was run or since a specified base time. Full entitlement reconciliation additionally checks for entitlements that have been deleted in Oracle Identity Manager, and deletes the corresponding entitlements in Oracle Role Manager.

• Business Role and role membership reconciliation

  • One-time import of user groups from Oracle Identity Manager to Business Roles in Oracle Role Manager.

    User groups from Oracle Identity Manager are represented in Oracle Role Manager as Business Roles. This scheduled task imports all user group data, user memberships, and mappings between user groups and access policies. It is recommended that the full entitlement reconciliation scheduled task be run before running this task.

  • Scheduled creation and update of user groups in Oracle Identity Manager for all Business Roles in Oracle Role Manager.

    Business Roles from Oracle Role Manager are represented in Oracle Identity Manager as user groups. (System Roles in Oracle Role Manager do not have corresponding user groups in Oracle Identity Manager.) This reconciliation event is scheduled through the configuration of the business role publishing timer in Oracle Role Manager.

  • Scheduled updates of changed user groups and membership lists in Oracle Identity Manager that have corresponding Business Roles in Oracle Role Manager.

    Deletions of roles in Oracle Role Manager that affect user groups in Oracle Identity Manager are reflected in Oracle Identity Manager. For example, if a Business Role is deleted in Oracle Role Manager, the corresponding user group in Oracle Identity Manager is deleted.

• IT role reconciliation

  • One-time import of access policies from Oracle Identity Manager to IT roles in Oracle Role Manager.

    Access policies from Oracle Identity Manager are represented in Oracle Role Manager as IT roles. This scheduled task imports all access policy data and mappings between those access policies and entitlements. It is recommended that the full entitlement reconciliation scheduled task be run before running this task.

  • Scheduled creation and update of access policies in Oracle Identity Manager for all IT roles in Oracle Role Manager.

    IT roles from Oracle Role Manager are represented in Oracle Identity Manager as access policies. This reconciliation event is scheduled through the configuration of the IT role publishing timer and the in Oracle Role Manager. It is recommended that the full entitlement reconciliation scheduled task be run before running this task.

• Approval role reconciliation

  Scheduled creation and update of user groups in Oracle Identity Manager for all Approver Roles in Oracle Role Manager.

  Approver Roles from Oracle Role Manager are represented in Oracle Identity Manager as user groups. This reconciliation event is scheduled through the configuration of the approver role publishing timer and the in Oracle Role Manager.

• Role grant approval

  Real-time approver event messages for role grants in Oracle Role Manager are sent to Oracle Identity Manager. These messages can be used to trigger workflows, for example, for a sequence of selected users as approvers of a role grant.

1.2 Important Considerations

Before using the Oracle Role Manager Integration Library, you may want to modify existing access policies in Oracle Identity Manager, depending on whether you have complex access policies in your system.

Access policies that contain only entitlement information will be reconciled by the Oracle Role Manager Integration Library. If any access policies exist in Oracle Identity Manager that have extra information attached to them (such as complex rules or accounts), the extra information will not be retained when imported into Oracle Role Manager. Similarly, any access policies that do not contain entitlement information will not be imported into Oracle Role Manager.

It is recommended that an Oracle Identity Manager administrator break up any access policies with extra information into separate access policies for management purposes. When making these kinds of changes to access policies, it is strongly recommended that administrators review and analyze the impact that these changes might have to their operational system.

1.3 Architecture

Figure 1-1illustrates the deployment and communication architecture of the Integration Library architecture with Oracle Role Manager and Oracle Identity Manager.

The Integration Library is run in the same application server as Oracle Identity Manager. It communicates with Oracle Identity Manager through the Oracle Identity Manager Java API and a JMS message bus. It communicates with Oracle Role Manager through the EJB-based Oracle Role Manager Java API.

Figure 1-1 High-Level Architecture