Oracle® Role Manager Integration Guide
Release 10g (10.1.4.2)

Part Number E14611-07

10 Testing the Oracle Role Manager Integration Library Installation

After you deploy and configure the Oracle Role Manager Integration Library, you must test it to ensure that it functions as expected. This chapter discusses the following topics related to testing the Integration Library:

It is recommended to test your installation following the steps in the order they are presented in this chapter.

Note:

Some of the tests in this chapter use the sample data provided with Oracle Role Manager. If you did not load the sample data, you can still use these tests but you must create objects in Oracle Role Manager similar to those described in each test.

10.1 Testing User Reconciliation

When changes to user data are made in Oracle Identity Manager, messages are sent to Oracle Role Manager so that data is synchronized in real time.

Because there may be situations when the Oracle Role Manager system is unavailable, such as for scheduled maintenance down time, the default configuration provides predefined tasks to be scheduled for user reconciliation to ensure that any user data updates, when connectivity to Oracle Role Manager is not available, are later propagated to Oracle Role Manager.

There are two scheduled tasks for user reconciliation provided as part of the Integration Library configuration imported into Oracle Identity Manager: User Reconciliation and Full User Reconciliation. The difference between these reconciliation tasks is that full reconciliation also inspects users in Oracle Role Manager (who are also Oracle Identity Manager users) to check if any users were either removed or made inactive in Oracle Identity Manager, and properly reflect their status in Oracle Role Manager.

You might want to reserve Full User Reconciliation for less frequent schedules, or for times when there is less activity, for performance reasons.

10.1.1 Real-Time User Synchronization

The test in this section verifies that the event handlers are functioning and messages are sent and received by creating a user in Oracle Identity Manager who appears in Oracle Role Manager.

To test user reconciliation:

  1. If not currently running, start Oracle Identity Manager and then Oracle Role Manager.

  2. Using the Oracle Identity Manager Administrative and User Console, create at least one user.

    For purposes of performing other tests later in this section, create at least one user whose first name begins with the letter C.

  3. Find the new user or users in Oracle Role Manager as follows:

    1. Select Organizations & People, then select People.

    2. In the tree view, select Unassigned, then click Filter to display results.

    The new user from Oracle Identity Manager should display in the search results.

10.1.2 Scheduled Tasks for User Reconciliation

The test in this section verifies that messages from the scheduled tasks are able to communicate effectively between the two systems by testing that a user modification made in Oracle Identity Manager while Oracle Role Manager was inaccessible is synchronized after connectivity is restored when a scheduled task for user reconciliation is run.

To test the scheduled task for user reconciliation:

  1. Shut down the Oracle Role Manager application server.

  2. Using the Oracle Identity Manager Administrative and User Console, edit the name of a user you just created.

  3. Start Oracle Role Manager and log in to the application.

  4. Find the user in Oracle Role Manager.

    Note that the name change from Oracle Identity Manager has not been updated.

  5. Enable the user reconciliation task as follows:

    1. In the Oracle Identity Manager Design Console (Oracle Identity Manager client), expand Administration, then double-click Task Scheduler.

    2. Click the Lookup button, and then the Go to End button to go to the last defined task.

    3. Click the left arrow button until you see the RoleManagerUserReconciliation_Full task.

    4. Clear the Disabled box then click the Save button on the tool bar.

    5. In the Status field, change the status to ACTIVE.

    6. In the Start Time field, enter the timestamp of the current date and time plus one minute.

    7. Click the Save button on the tool bar.

  6. After a minute, in Oracle Role Manager, click Search again to refresh the search results.

    Note that Oracle Role Manager now shows the name change that was done in Oracle Identity Manager while the Oracle Role Manager server was unavailable.

10.2 Testing Entitlement Reconciliation

Scheduled tasks ensure that entitlement data in both systems is synchronized. This consists of sending all entitlement records from Oracle Identity Manager to Oracle Role Manager, where entitlements are updated or created to match what is sent from Oracle Identity Manager. Any changes to mapping of entitlements in Oracle Identity Manager will also be made in Oracle Role Manager as part of entitlement reconciliation.

There are two scheduled tasks for entitlement reconciliation: quick entitlement reconciliation and full entitlement reconciliation. Quick entitlement reconciliation can be run at periodic intervals to send to Oracle Role Manager all entitlement data that has been created, updated or deleted since the last time the task was run or since a specified base time. Full entitlement reconciliation additionally checks for entitlements that have been deleted in Oracle Identity Manager, and deletes the corresponding entitlements in Oracle Role Manager.

To test scheduled entitlement reconciliation:

  1. Enable the full entitlement reconciliation task as follows:

    1. In the Oracle Identity Manager Design Console (Oracle Identity Manager client), expand Administration, then double-click Task Scheduler.

    2. Click the Lookup button, and then the Go to End button to go to the last defined task.

    3. Click the left arrow button until you see the RoleManagerEntitlementReconciliation_Full task.

    4. Clear the Disabled box then click the Save button.

    5. In the Status field, change the status to ACTIVE.

    6. In the Start Time field, enter the timestamp of the current date and time plus one minute.

    7. Click the Save icon on the tool bar.

  2. Wait at least one minute for all entitlements to be reconciled.

  3. Find the new entitlement in Oracle Role Manager as follows:

    1. Connect to the Oracle Role Manager Web application as a user who has permission to view entitlements in the system.

    2. Select Roles, then select Entitlements.

    3. In the left pane, right-click Entitlements, then select Search.

    4. Click Search.

      Note that the search results now contain the entitlements from Oracle Identity Manager.

10.3 Testing Role and Role Membership Reconciliation

Updates to user groups in Oracle Identity Manager occur when the role membership update timers trigger Oracle Role Manager to send synchronization messages. Along with membership changes, new roles created in Oracle Role Manager are also received in Oracle Identity Manager as part of batch role resolution and the three role membership update timer processes.

The three role membership update timer processes are ApproverRolePublishing, businessRolePublishing, and itRolePublishing. For more information about these timers, see Section 5.6.3, "Modifying the Role Membership Update Timers." There is no real-time role or role membership resolution.

To ensure that there are no invalid user groups or memberships as a result of roles having been deleted in Oracle Role Manager, there is a scheduled task to use to correct user groups and memberships in Oracle Identity Manager. This task can be enabled and configured in the same way as the user reconciliation tasks described in Section 10.1.

Note:

By default, the names of user groups in Oracle Identity Manager that correspond with roles in Oracle Role Manager begin with ORM_AR_ for Approver Roles and ORM_BR_ for Business Roles. The default prefix for the naming of access policies that correspond with IT roles is ORM_IR_. This naming helps administrators identify the user groups that are to be modified only in the Oracle Role Manager system. Any changes made to these user groups or access policies in Oracle Identity Manager could cause synchronization between the systems to fail.

Note:

Because the name attribute for user groups in Oracle Identity Manager is limited to 30 characters and is required to be unique, the names of roles reconciled from Oracle Role Manager may be truncated, thus potentially causing uniqueness constraint violations. You may want to check the Oracle Identity Manager console after running role reconciliation processes.
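The two notes above describe a naming convention (ORM_AR_, ORM_BR_, ORM_IR_ prefixes) and a 30-character limit that can make reconciled role names collide. The following added example, which is not part of the Oracle documentation, applies that convention to a constructed list of roles and reports, before role reconciliation is run, which names would be truncated or would collide. It assumes simple right-truncation to 30 characters and that access policies (IT roles) are not subject to the user group name limit.

```python
"""Pre-flight check for Oracle Identity Manager user group name collisions.

Added example, not from the Oracle documentation. It applies the naming
convention the chapter describes (ORM_AR_ and ORM_BR_ prefixes for user
groups, ORM_IR_ for access policies) and the 30-character limit on the OIM
user group name, and reports role names that would collide after truncation.
Assumptions: names are right-truncated to 30 characters, and access policies
are not truncated. The role names below are constructed sample data.
"""
from collections import defaultdict

OIM_GROUP_NAME_LIMIT = 30  # limit stated in the guide
PREFIXES = {"approver": "ORM_AR_", "business": "ORM_BR_", "it": "ORM_IR_"}

# Constructed sample roles: (role type, Oracle Role Manager display name).
SAMPLE_ROLES = [
    ("business", "Compliance Officer"),
    ("business", "Mail Sorter"),
    ("business", "Regional Telecom Provisioning Lead EMEA"),
    ("business", "Regional Telecom Provisioning Lead APAC"),
    ("approver", "Office of the CEO Approver"),
    ("it", "Telecom_Provisioner"),
]


def oim_name(role_type, display_name, limit=OIM_GROUP_NAME_LIMIT):
    """Return (name_in_oim, truncated) for a role published to OIM.

    Assumption: IT roles become access policies, which are not subject to
    the user group name limit, so they are never truncated here.
    """
    full = PREFIXES[role_type] + display_name
    if role_type == "it" or len(full) <= limit:
        return full, False
    return full[:limit], True


def find_collisions(roles, limit=OIM_GROUP_NAME_LIMIT):
    """Map each OIM name produced by more than one role to the display names
    behind it; these would violate the uniqueness constraint in OIM."""
    seen = defaultdict(list)
    for role_type, display_name in roles:
        name, _ = oim_name(role_type, display_name, limit)
        seen[name].append(display_name)
    return {n: names for n, names in seen.items() if len(names) > 1}


def report(roles, limit=OIM_GROUP_NAME_LIMIT):
    """Return one line per role, flagging truncation and collisions."""
    collisions = find_collisions(roles, limit)
    lines = []
    for role_type, display_name in roles:
        name, truncated = oim_name(role_type, display_name, limit)
        flags = []
        if truncated:
            flags.append("TRUNCATED")
        if name in collisions:
            flags.append("COLLIDES")
        lines.append(f"{display_name!r} -> {name!r} {' '.join(flags)}".rstrip())
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ROLES):
        print(line)
```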

10.3.1 User Provisioning through Role/User Group Membership

The test in this section verifies that a user added as a member of a role in Oracle Role Manager is provisioned for the corresponding user group in Oracle Identity Manager. It also verifies that if a Business Role is mapped to an IT role in Oracle Role Manager, then the corresponding user group (created as a result of Business Role Publishing) is mapped to the access policy that corresponds with the mapped IT role (created as a result of IT role publishing).

To test role membership reconciliation:

  1. If not currently running, start Oracle Identity Manager and then Oracle Role Manager.

  2. View the Compliance Officer user group in Oracle Identity Manager to see its memberships as follows:

    1. Connect to the Oracle Identity Manager Administrative and User Console.

    2. Select User Groups, then select Manage.

    3. Search for and select ORM_BR_Compliance Officer.

    4. Select Member and Sub-Groups from the list.

      Note that no memberships exist for this user group.

  3. View the ORM_IR_Telecom_Provisioner access policy as follows:

    1. Select Access Policies, then select Manage.

    2. Search for and select ORM_IR_Telecom Provisioner.

      On the Access Policy details screen, note that there are no groups for this access policy.

  4. Grant the Compliance Officer role to a person who exists in Oracle Identity Manager as follows:

    1. Connect to the Oracle Role Manager Web application as a user who has permission to grant roles in the system.

    2. Select Organization & People, then select People.

    3. Click the Details icon in the Actions column.

    4. On the Business Roles tab, click Grant Role.

    5. Search for and select the Compliance Officer role, then click Finish.

    6. Click Submit.

  5. Map the Compliance Officer Business Role to the Telecom Provisioner IT role in Oracle Role Manager as follows:

    1. Select Roles, then select Business Roles.

    2. In the left pane, right-click Business Roles, then select Search.

    3. Search for and select Compliance Officer.

    4. On the Mappings tab, click Map IT Role.

    5. Search for and select Telecom_Provisioner.

    6. Click Finish, then click Submit.

  6. Depending on the role membership update timer configuration for Business Roles in Oracle Role Manager, wait that amount of time until the role membership update job for Business Roles has completed.

    For more information about timer configuration repeat interval and cron job configuration, see Oracle Role Manager Administrator's Guide.

  7. After the Oracle Role Manager role membership update job has run, view the ORM_BR_Compliance Officer user group in Oracle Identity Manager as follows:

    1. Connect to the Oracle Identity Manager Administrative and User Console.

    2. Select User Groups, then select Manage.

    3. Search for and select ORM_BR_Compliance Officer.

    4. Select Member and Sub-Groups from the list.

      Note that the new membership displays.

  8. View the ORM_IR_Telecom_Provisioner access policy in Oracle Identity Manager to see the mapping to a user group from Oracle Role Manager as follows:

    1. Connect to the Oracle Identity Manager Administrative and User Console.

    2. Select Access Policies, then select Manage.

    3. Search for and select ORM_IR_Telecom_Provisioner.

      On the Access Policies details screen, note that Compliance Officer user group is in the list.

10.3.2 User De-provisioning by Deleted Roles

The test in this section verifies that an IT role deleted in Oracle Role Manager unmaps the user groups and entitlements for the corresponding access policy in Oracle Identity Manager. It also verifies that a business role deleted in Oracle Role Manager deletes the corresponding user group in Oracle Identity Manager.

To test role deletion and de-provisioning:

  1. If not currently running, start Oracle Identity Manager and then Oracle Role Manager.

  2. Delete the Telecom Provisioner IT role in Oracle Role Manager as follows:

    1. Connect to the Oracle Role Manager Web application as a user who has permission to manage IT roles in the system.

    2. Select Roles, then select IT Roles.

    3. In the left pane, right-click IT Roles, then select Search.

    4. Search for and select Telecom Provisioner.

    5. Click the Delete icon in the Actions column.

    6. Click OK to confirm the deletion.

  3. Search for the ORM_IR_Telecom_Provisioner access policy in Oracle Identity Manager as follows:

    1. Connect to the Oracle Identity Manager Administrative and User Console.

    2. Select Access Policies, then select Manage.

    3. Search for and select ORM_IR_Telecom_Provisioner.

      On the Access Policies details screen, note that the ORM_BR_Compliance Officer user group is no longer mapped.

  4. Delete the Mail Sorter Business Role in Oracle Role Manager as follows:

    1. Connect to the Oracle Identity Manager Administrative and User Console.

    2. Select Roles, then select Business Roles.

    3. In the left pane, right-click Business Roles, then select Search.

    4. Search for and select Mail Sorter.

    5. Click the Delete icon in the Actions column.

    6. Click OK to confirm the deletion.

  5. Search for the Mail Sorter user group in Oracle Identity Manager as follows:

    1. Connect to the Oracle Identity Manager Administrative and User Console.

    2. Select User Groups, then select Manage.

    3. Search for and select ORM_BR_Mail Sorter.

      Note that no user group exists by this name.

10.4 Testing One-Time Import of User Groups

User groups from Oracle Identity Manager are represented in Oracle Role Manager as Business Roles. This scheduled task imports all user group data, user memberships, and mappings between user groups and access policies. It is recommended that the full entitlement reconciliation scheduled task be run before running this task.

To test one-time import of user groups:

  1. Create a user group in Oracle Identity Manager as follows:

    1. Connect to the Oracle Identity Manager Administration and User Console.

    2. Select User Groups, then select Create.

    3. In the Group Name field, enter TestOIMUserGroup.

    4. Click Create.

  2. Enable the user group reconciliation task as follows:

    1. In the Oracle Identity Manager Design Console (Oracle Identity Manager client), expand Administration, then double-click Task Scheduler.

    2. Click the Lookup button, and then the Go to End button to go to the last defined task.

    3. Click the left arrow button until you see the RoleManagerUserGroupsReconciliation_Full task.

    4. Clear the Disabled box then click the Save button.

    5. In the Status field, change the status to ACTIVE.

    6. In the Start Time field, enter the timestamp of the current date and time plus one minute.

    7. Click the Save icon on the tool bar.

  3. Wait at least one minute for all user groups to be reconciled.

  4. Find the new user group in Oracle Role Manager as follows:

    1. Connect to the Oracle Role Manager Web application.

    2. Select Roles, then select Business Roles.

      Note that the search results now contain the role named TestOIMUserGroup.

10.5 Testing One-Time Import of Access Policies

Access policies from Oracle Identity Manager are represented in Oracle Role Manager as IT roles. This scheduled task imports all access policy data and mappings between those access policies and entitlements. It is recommended that the full entitlement reconciliation scheduled task be run before running this task.

Note:

Only access policies that contain entitlement information alone will be reconciled by the Oracle Role Manager Integration Library. If any access policies exist in Oracle Identity Manager that have extra information attached to them (such as complex rules or accounts), the extra information will not be retained when imported into Oracle Role Manager. Similarly, any access policies that do not contain entitlement information will not be imported into Oracle Role Manager. It is recommended that an Oracle Identity Manager administrator break up any access policies with extra information into separate access policies for management purposes.

To test one-time import of access policies:

  1. Create an access policy in Oracle Identity Manager as follows:

    1. Connect to the Oracle Identity Manager Administration and User Console.

    2. Select Access Policies, then select Create.

    3. In the Access Policy Name field, enter TestOIMAccessPolicy.

    4. In the Access Policy Description field, enter Testing one-time import of access policies.

    5. Click Next.

    6. Select the resource you want to provision in the Available list and move it to the Selected list.

    7. Click Continue.

    8. Click Create Access Policy.

  2. Enable the access policy reconciliation task as follows:

    1. In the Oracle Identity Manager Design Console (Oracle Identity Manager client), expand Administration, then double-click Task Scheduler.

    2. Click the Lookup button, and then the Go to End button to go to the last defined task.

    3. Click the left arrow button until you see the RoleManagerAccessPoliciesReconciliation_Full task.

    4. Clear the Disabled box then click the Save button.

    5. In the Status field, change the status to ACTIVE.

    6. In the Start Time field, enter the timestamp of the current date and time plus one minute.

    7. Click the Save icon on the tool bar.

  3. Wait at least one minute for all access policies to be reconciled.

  4. Find the new IT role that represents the new access policy in Oracle Role Manager as follows:

    1. Connect to the Oracle Role Manager Web application.

    2. Select Roles, then select IT Roles.

      Note that the search results now contain the role named TestOIMAccessPolicy.

10.6 Testing Approver Role Resolution

Testing the way Approver Roles in Oracle Role Manager are used with processes in Oracle Identity Manager involves several preparatory steps as described in the following sections.

For information about creating and editing roles in Oracle Role Manager, see Oracle Role Manager User's Guide.

10.6.1 Oracle Role Manager Setup

The steps in this section are necessary to prepare Oracle Role Manager with the Approver Role whose grant policy defines the possible people qualified to act as approvers.

Note:

It is recommended that any Approver Roles in Oracle Role Manager that are referenced by processes in Oracle Identity Manager should have narrowly defined grant policies to reduce the number of returned records. Oracle Identity Manager supports only a single record to be considered as the approver, so the first member that meets the grant policy (determined by object key in ascending order) is sent through the Integration Library.

To set up the Approver Role in Oracle Role Manager:

  1. Select Roles, then select Approver Roles.

  2. In the tree view, right-click Office of the CEO, then select New Approver Role from the context menu.

  3. In the Display Name field, enter OIM Approver.

  4. On the Grant Policy tab, copy and paste the following rule example that determines which users are qualified to be approvers as members of this Approver Role.

    This rule finds all users in Oracle Role Manager who are also users in Oracle Identity Manager and whose name begins with the letter C.

    Note:

    Although the second condition in this example is provided only to narrow the results of this grant policy, the policy must include a condition using the attribute oimID. If Oracle Role Manager returns an approver who does not have an OIM ID, the approval process will fail.

    <?xml version="1.0" encoding="UTF-8"?>
    <predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
      <and-expression>
        <expressions>
          <attribute-expression>
            <attribute attribute-id="oimId" />
            <greater-than>
              <integer-constant>0</integer-constant>
            </greater-than>
          </attribute-expression>
          <attribute-expression>
            <attribute attribute-id="displayName"/>
            <starts-with>
              <string-constant>C</string-constant>
            </starts-with>
          </attribute-expression>
        </expressions>
      </and-expression>
    </predicate>

    For details about how to define membership rules and grant policies, see Oracle Role Manager User's Guide.

  5. On the Members tab, click Recalculate.

    You should see the user created in Section 10.1.1 whose name begins with C in the search results.

  6. Click Submit.

  7. Depending on how frequently the approval publishing timer is set to run on Oracle Role Manager, either wait that amount of time or reset the timer to another time. For information about resetting the timer, see Section 5.6.3, "Modifying the Role Membership Update Timers."
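The grant policy in Step 4 and the note at the start of this section together define how an approver is resolved: a person qualifies if every condition holds, and Oracle Identity Manager receives only the first qualifying member by object key. The following added example (not part of the Oracle documentation or the product) evaluates the chapter's predicate XML against constructed person records, shows which single record would be sent, and includes a configuration check that the policy constrains oimId; the people, object keys and the `without_oim_condition` variant are constructed for illustration.

```python
"""Evaluate the Section 10.6.1 grant-policy predicate against sample people.

Added example, not Oracle's code. It models only the constructs used in the
chapter's sample policy (and-expression, attribute-expression with
greater-than/integer-constant and starts-with/string-constant) and the rule
stated in the note: OIM receives a single approver, the first qualifying
member ordered by object key ascending. Person records are constructed.
"""
import xml.etree.ElementTree as ET

NS = "{http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0}"

# The grant policy from Section 10.6.1 (whitespace compacted).
GRANT_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
  <and-expression><expressions>
    <attribute-expression>
      <attribute attribute-id="oimId" />
      <greater-than><integer-constant>0</integer-constant></greater-than>
    </attribute-expression>
    <attribute-expression>
      <attribute attribute-id="displayName"/>
      <starts-with><string-constant>C</string-constant></starts-with>
    </attribute-expression>
  </expressions></and-expression>
</predicate>"""

# Constructed sample people; oimId is None for a person with no OIM account.
PEOPLE = [
    {"objectKey": 1003, "displayName": "Carol Chen", "oimId": 42},
    {"objectKey": 1001, "displayName": "Chris Adams", "oimId": None},
    {"objectKey": 1002, "displayName": "Bob Lee", "oimId": 17},
    {"objectKey": 1004, "displayName": "Cathy Ortiz", "oimId": 58},
]


def _parse(policy):
    return ET.fromstring(policy.encode("utf-8") if isinstance(policy, str) else policy)


def _eval_attribute_expression(node, person):
    attr_id = node.find(NS + "attribute").get("attribute-id")
    value = person.get(attr_id)
    gt = node.find(NS + "greater-than")
    if gt is not None:
        bound = int(gt.find(NS + "integer-constant").text)
        return value is not None and int(value) > bound  # missing value never qualifies
    sw = node.find(NS + "starts-with")
    if sw is not None:
        prefix = sw.find(NS + "string-constant").text
        return value is not None and str(value).startswith(prefix)
    raise ValueError("unsupported operator in attribute-expression")


def evaluate(node, person):
    """Recursively evaluate a predicate node for one person."""
    tag = node.tag.replace(NS, "")
    if tag == "predicate":
        return all(evaluate(child, person) for child in node)
    if tag == "and-expression":
        return all(evaluate(child, person) for child in node.find(NS + "expressions"))
    if tag == "attribute-expression":
        return _eval_attribute_expression(node, person)
    raise ValueError("unsupported node: " + tag)


def references_oim_id(policy):
    """Configuration check: does the policy constrain the oimId attribute?"""
    return any(a.get("attribute-id") == "oimId" for a in _parse(policy).iter(NS + "attribute"))


def resolve_members(policy, people):
    """Qualifying members ordered by object key ascending."""
    root = _parse(policy)
    return sorted((p for p in people if evaluate(root, p)), key=lambda p: p["objectKey"])


def resolve_approver(policy, people):
    """The single record sent to OIM: the first qualifying member, or None."""
    members = resolve_members(policy, people)
    return members[0] if members else None


def without_oim_condition(policy):
    """Constructed variant that drops the oimId condition, to show the failure mode."""
    root = _parse(policy)
    exprs = root.find(NS + "and-expression").find(NS + "expressions")
    for ae in list(exprs):
        if ae.find(NS + "attribute").get("attribute-id") == "oimId":
            exprs.remove(ae)
    return ET.tostring(root)


if __name__ == "__main__":
    print("policy checks oimId:", references_oim_id(GRANT_POLICY))
    print("approver sent to OIM:", resolve_approver(GRANT_POLICY, PEOPLE))
    weak = without_oim_condition(GRANT_POLICY)
    print("without oimId condition:", resolve_approver(weak, PEOPLE))
```

With the oimId condition removed, the first member by object key is a person with no OIM ID, which is exactly the case the note says makes the approval process fail.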

10.6.2 Oracle Identity Manager Setup

The steps in this section set up the sample resources and approval process that was imported into Oracle Identity Manager so that the display values match those referenced in Section 10.6.3 that are more suitable for demonstration purposes.

To create an approval process:

  1. Check for the OIM Approver in Oracle Identity Manager as follows:

    1. Connect to the Oracle Identity Manager Administrative and User Console.

    2. Select User Groups, then select Manage.

    3. Select Group Name from the list, enter ORM_AR* in the field, then click Search.

      You should see the user group ORM_AR_OIM Approver in the list. If you do not, make sure that the approval publishing job in Oracle Role Manager has completed.

  2. Rename the sample resource as follows:

    1. In the Oracle Identity Manager Design Console (Oracle Identity Manager client), expand Resource Management.

    2. Double-click Resource Objects.

    3. Click the Lookup button, and then the Go to End button to go to the last defined resource object.

      You should see the ORM Samples resource object.

    4. In the Name field, change ORM Samples to Oracle Financials.

    5. Click the Save icon.

  3. Map the sample form to the renamed resource as follows:

    1. Expand Development Tools, then double-click Form Designer.

    2. Click the Lookup button, and then the Go to End button to go to the last defined form.

      You should see the form for the UD_ORAFIN table. If you do not, click the right arrow button until you see it display.

    3. Double-click in the Object Name field.

    4. Select Oracle Financials in the Lookup window, then click OK.

    5. Click the Save icon.

  4. Go back to the Oracle Financials resource object you created previously, then double-click the Table Name field to add UD_ORAFIN.

  5. Click the Save icon.

  6. Rename the sample provisioning process as follows:

    1. Expand Process Management, then double-click Process Definition.

    2. Click the Lookup button, and then the Go to End button to go to the last defined process.

      You should see the process ORM Samples Provisioning. If you do not, click the left arrow button until you see it display.

    3. In the Name field, rename ORM Samples Provisioning to Oracle Financials Provisioning.

    4. Click the Save icon.

  7. Rename the sample approval process as follows:

    1. Click the left arrow until the ORM Sample Approval displays.

    2. In the Name field, rename it to Oracle Financials Approval.

    3. Click the Save icon.

  8. Add the group ORM_AR_OIM Approver to the task as follows:

    1. Expand Process Management, then double-click Process Definition.

    2. Click the Lookup icon, then click the Go to End icon to go to the last defined process.

      You should see the process Oracle Financials Approval. If you do not, click the left arrow button until you see it display.

    3. Double-click Get Manager Approval Task.

    4. On the Assignments tab, double-click the field in the Target Type column, then enter Group.

    5. Double-click the field in the Group column.

    6. In the Lookup window, select ORM_AR_OIM_Approver, then click OK.

    7. Ensure that the Adapter column is empty.

  9. Click the Save icon.

10.6.3 Performing the Test

The test in this section verifies that the approval process in Oracle Identity Manager uses the Approver Role from Oracle Role Manager to get an appropriate approver based on the role's grant policy.

To run the approver test:

  1. Using the Oracle Identity Manager Administrative and User Console, assign the Oracle Financials resource to the user created in Section 10.1.1 as follows:

    1. Select Requests, then select Resources.

    2. Choose Grant Resource, then click Continue.

    3. Choose Users, then click Continue.

    4. Select the user created in Section 10.1.1 and, optionally, any other users that you know also exist in the Oracle Role Manager system (non-administrative or system users).

    5. Click Add to move them to Selected box, then click Continue.

    6. Select Oracle Financials.

    7. Click Add to move it to the Selected box, then click Continue.

      You should see the users and resource displayed.

  2. Click Submit Now.

  3. Click the link of the Request ID.

  4. Select Approval Details from the list.

  5. Select the box in the Action column, then click Approve.

  6. Click Confirm.

    The page should refresh with the status of the approval process.

  7. Note the group assigned to the Get Role Manager Approval Task to use in the next steps.

    This is the group that is automatically resolved as the resource approver after referencing the OIM Approver role in Oracle Role Manager.

  8. Log out of the Administrative and User Console and log back in as any user who is a member of the group identified in the previous step.

  9. Select To-Do List, then select Pending Approvals.

    You should see the request listed as pending, available to be approved.

10.7 Testing Role Grant Approver Workflow

When role grants in Oracle Role Manager require approval, event messages are sent to Oracle Identity Manager where the configured approver or sequence of approvers can either approve or deny the role grant request.

To test role grant approver workflow:

  1. Create a static business role in Oracle Role Manager as follows:

    1. Connect to the Oracle Role Manager Web application as a user who has permission to manage roles.

    2. Click Roles, then click Business Roles.

    3. On the left pane, click the organization where you want to create the test role, then click New Business Role.

    4. In the Business Role Type box, select Static, then click Submit.

    5. In the Display Name field, enter TestRoleForWorkflow.

    6. In the Approvers field, select Role Owner.

    7. In the Owner field, click Edit.

    8. Specify the search criterion for people who are eligible to be role owners of this role.

    9. Select the person to set as the role owner, then click OK.

      Make a note of this person since it will be this user who can approve or deny the role grant request.

    10. Click Submit.

  2. Grant the role to a user in Oracle Role Manager as follows:

    1. Select Organizations & People, then click People.

    2. Right-click People, then click Search.

    3. Specify the search criterion for people to display.

    4. In the row for the person you want to grant the role, click the View/Edit icon.

      Make a note of the person who has been granted the role and whose role grant is pending approval.

    5. Click Business Roles, then click Grant Role.

    6. Search for and select the new TestRoleForWorkflow role.

    7. Click Next, then click Submit.

    8. In the left pane, click Outbox.

      You should see the submission of the role grant request transaction.

  3. Approve the role grant request as follows:

    1. Connect to the Oracle Identity Manager Administrative and User console as the user who is the role owner of the TestRoleForWorkflow role (set in Step 1).

    2. Approve the role grant request.

    3. If there are other approvers for the role grant request, log in as those users to approve the request.

  4. Verify that the user now has the role grant:

    1. Select Organizations & People, then click People.

    2. Right-click People, then click Search.

    3. Search for the person who was granted the role (set in Step 2).

    4. In the row for that person, click the View/Edit icon.

    5. Click Memberships.

      You should see the TestRoleForWorkflow role in the list.