Oracle® Identity Manager Tools Reference
Release 9.1.0.2

Part Number E14763-02

14 Using Entitlement Data

An entitlement granted to an account on a target system enables the account owner (user) to perform a specific task or function. An entitlement can be a role, responsibility, or group membership. For example, if user Richard is granted the Inventory Analyst role on a target system, then Richard can use that entitlement to access and generate inventory-related reports from the target system.

In Oracle Identity Manager, there is one process form for each account (resource) provisioned to an OIM User. Entitlement data is stored in child process forms of the process form. In the example described earlier, the process form for Richard's account on the target system has a child process form that holds Inventory Manager role data.

Attributes that constitute entitlement data stored on a child process form may vary from one target system to another. In addition, different types of entitlements, such as roles and responsibilities, may have different attributes. For example, Target System A contains the following role data attributes:

The same target system can have a different set of attributes for responsibility data:

You can mark or highlight the attribute that uniquely identifies an entitlement on a target system. For the sample role and responsibility data attributes listed earlier, the Role Name and Responsibility ID attributes uniquely identify the role and responsibility entitlements on Target System A. By marking attributes that uniquely identify entitlements, you enable the capture of entitlement data that can be used by other identity management solutions and also displayed in reports.

This chapter discusses the following sections:

14.1 Available Entitlements and Assigned Entitlements

A target system can have a set of entitlements defined and ready for assignment to accounts (users) on the target system. When you integrate this target system with Oracle Identity Manager, you can import (synchronize) entitlement data from the target system into the LKV table on Oracle Identity Manager.

Note:

If you use a predefined connector to integrate the target system, then you can use scheduled tasks to fetch entitlement data into this table.

Entitlements in the LKV table are available for assignment to accounts. In this guide, these entitlements are called available entitlements.

During a provisioning operation, you select the entitlement that you want to assign from a lookup field on the child process form. In this guide, entitlements assigned to accounts are called assigned entitlements. Data about assigned entitlements is stored in child process form tables.

14.2 Entitlement Data Capture Process

After you mark the entitlement attribute in each child process form, the following processes take place:

14.2.1 Capture of Data About Available Entitlements

The following steps describe how data about available entitlements is captured:

Note:

You must mark the entitlement attribute in each child process form to enable the process described in these steps. The procedure is described later in this chapter.

  1. Data about available entitlements is stored in the LKV table through synchronization with the target system.

  2. You schedule and run the Entitlement List scheduled task.

  3. The scheduled task identifies the entitlement attribute from the UD_ tables.

  4. The scheduled task copies data about available entitlements from the LKV table to the ENT_LIST table.

14.2.2 Capture of Data About Assigned Entitlements

This section describes how data about assigned entitlements is captured.

Note:

You must mark the entitlement attribute in each child process form UD_ table to enable the process described in these steps. The procedure is described later in this chapter.

To perform first-time synchronization of assigned entitlements:

  1. You schedule the Entitlement Assignments scheduled task to run once.

  2. The scheduled task identifies the entitlement attribute from the child process form (UD_) tables.

  3. The scheduled task creates INSERT, UPDATE, and DELETE triggers on each UD_ table.

  4. The scheduled task copies data about assigned entitlements from the UD_ tables to the ENT_ASSIGN table.

    Note:

    The ENT_ASSIGN table holds data about entitlements currently assigned to resources (users). When an entitlement is revoked, the record for that entitlement is moved out of this table into history data. Details are given in the "Entitlement Updations" section.

To perform incremental synchronization of assigned entitlements:

  1. When a change is made to assigned entitlements through provisioning operations or reconciliation, the INSERT, UPDATE, or DELETE trigger copies the added, modified, or deleted row from the UD_ table to a staging table.

  2. You configure and run the Entitlement Updations scheduled task.

  3. For each record in the staging (ENT_ASSIGN_DELTA) table, the action taken by the scheduled task depends on the type of operation that was performed on the assigned entitlement:

    Note:

    The type of operation (INSERT, UPDATE, or DELETE) is one of the data items stored in the staging table.

    • Event: The entitlement was newly assigned to the account.

      Action: A new record is created (copied from the staging table) in the ENT_ASSIGN table.

    • Event: An existing entitlement was modified.

      Action: The existing record is copied from the ENT_ASSIGN table into the ENT_ASSIGN_HIST table. The existing record is deleted from the ENT_ASSIGN table. A record corresponding to the newly modified entitlement is created in the ENT_ASSIGN table.

    • Event: An existing entitlement was revoked.

      Action: The existing record is copied from the ENT_ASSIGN table into the ENT_ASSIGN_HIST table. The existing record is deleted from the ENT_ASSIGN table.

14.3 Configuring the Oracle Application Server Installation to Use This Feature

If your Oracle Identity Manager installation is running on Oracle Application Server and if you want to work with entitlement data, then:

  1. In a text editor, open the opmn.xml file.

  2. In this file, search for the following block of code:

    <process-type id="home" module-id="OC4J" status="enabled">
         <module-data>
         <category id="start-parameters">
         <data id="oc4j-options" value="-userThreads"/>
         <data id="java-options"
    value="-DXL.HomeDir=/home/testoc4j/OIM9102/xlserver/xellerate
    -Dlog4j.configuration=file:/home/testoc4j/OIM9102/xlserver/xellerate/config/log.properties
    -server -XX:PermSize=128M -XX:MaxPermSize=256M -ms512M -mx1024M
    -XX:AppendRatio=3 -XX:AppendRatio=3
    -Djava.security.policy=$ORACLE_HOME/j2ee/home/config/java2.policy
    -Djava.awt.headless=true -Dhttp.webdir.enable=false"/>
    </category>

  3. Add the line <data id="oc4j-options" value="-userThreads"/> at the end of this block of code, so that the block reads as shown here:

    <process-type id="home" module-id="OC4J" status="enabled">
         <module-data>
         <category id="start-parameters">
         <data id="oc4j-options" value="-userThreads"/>
         <data id="java-options"
    value="-DXL.HomeDir=/home/testoc4j/OIM9102/xlserver/xellerate
    -Dlog4j.configuration=file:/home/testoc4j/OIM9102/xlserver/xellerate/config/log.properties
    -server -XX:PermSize=128M -XX:MaxPermSize=256M -ms512M -mx1024M
    -XX:AppendRatio=3 -XX:AppendRatio=3
    -Djava.security.policy=$ORACLE_HOME/j2ee/home/config/java2.policy
    -Djava.awt.headless=true -Dhttp.webdir.enable=false"/>
    <data id="oc4j-options" value="-userThreads"/>
    </category>

  4. Save and close the file.

14.4 Marking Entitlement Attributes on Child Process Forms

You must mark the entitlement attribute in the child process form UD_ table for resources for which you want to capture entitlement data. Suppose there are 15 target systems in your operating environment. If you want to capture entitlement data from 12 of 15 resources, then you must mark the entitlement attribute in those 12 resources.

Apply the following guidelines while performing the procedure described in this section:

To mark a field as an entitlement in a child process form:

  1. Log in to the Design Console.

  2. Expand Development Tools, and then double-click Form Designer.

  3. Search for and open the child form on which you want to mark an entitlement.

    For example, you might want to mark an entitlement on the UD_ADUSRC child form.

  4. Click Create New Version.

  5. Enter a label for the new version, click the Save icon, and then close the dialog box.

  6. From the Current Version list, select the version that you created.

  7. On the Properties tab, select the field that you want to mark as an entitlement and then click Add Property.

  8. From the Property Name list in the Add Property dialog box, select Entitlement.

    Note:

    You can set Entitlement as the property of a field only if the column type is set to LookupField and the property name is set to Lookup Code.

  9. In the Property Value field, enter true.

    You need not specify values for any of the other fields in the dialog box.

    Screenshot: Edit Property dialog box for the lookup field

  10. Click the Save icon and then close the dialog box.

  11. If you want to enable the capture of Start Date and End Date values for the entitlement, then:

    Note:

    You can enable the capture of the Start Date and End Date values only if the column type for both fields is DateFieldDlg.

    1. On the Properties tab, select the Start Date field and then click Add Property.

    2. From the Property Name list in the Add Property dialog box, select Entitlement Valid From.

    3. In the Property Value field, enter true.

    4. Click the Save icon and then close the dialog box.

    5. On the Properties tab, select the End Date field and then click Add Property.

    6. From the Property Name list in the Add Property dialog box, select Entitlement Valid To.

    7. In the Property Value field, enter true.

      Screenshot: Edit Property dialog box for the Start Date field

    8. Click the Save icon, and then close the dialog box.

  12. Click the Save icon to save the changes made to the child process form.

    Screenshot: Properties tab of the child process form

    Note:

    Marking the Start Date and End Date fields is optional.

  13. Click Make Version Active.

14.5 Configuring Scheduled Tasks for Working with Entitlement Data

You configure the following scheduled tasks for working with entitlement data:

14.5.1 Entitlement List

The Entitlement List scheduled task identifies the entitlement attribute from the child process form table and then copies entitlement data from the LKV table into the ENT_LIST table. A record created in the ENT_LIST table corresponds to an entitlement defined on a particular target system.

You must set a schedule for this task depending on how frequently new entitlements are defined on the target systems in your operating environment. In addition, you must run this scheduled task when new target systems are integrated with Oracle Identity Manager. In other words, you must run this task each time you mark a new entitlement. After the connector scheduled tasks fetch lookup field data from the target system into the LKV table, you can run the Entitlement List scheduled task to copy that entitlement data into the ENT_LIST table.

This scheduled task also handles updates to or deletion of entitlements from the target system. For example, if the Senior Accounts Analyst role is removed from the target system, then the connector scheduled task removes the entry for that role from the LKV table. When the Entitlement List scheduled task is run, it marks the row containing the role in the ENT_LIST table as a deleted row.

14.5.2 Entitlement Assignments

The Entitlement Assignments scheduled task is used for copying data about assigned entitlements into the ENT_ASSIGN table for the first time. This task identifies the entitlement attribute from the child process form table, and then copies data about assigned entitlements from the child process form table into the ENT_ASSIGN table. A record created in the ENT_ASSIGN table corresponds to an entitlement assigned to a particular user on a particular target system.

In addition, it creates INSERT, UPDATE, and DELETE triggers on the child process form tables from which it copies entitlement data. See "Capture of Data About Assigned Entitlements" for information about the function of these triggers.

You can use the RECORDS_TO_PROCESS_IN_BATCH attribute of this scheduled task to specify the number of records in each batch. The default batch size is 5000.

You must run this scheduled task the first time you start using entitlement data and whenever you mark a new child process form field as an entitlement.

14.5.3 Entitlement Updations

The Entitlement Updations scheduled task updates the ENT_ASSIGN table with changes to entitlement assignment data in the child process form tables. Triggers created by the Entitlement Assignments scheduled task copy changes made to entitlement assignment data into a staging table. The Entitlement Updations scheduled task processes data in the staging table and makes the required changes to data in the ENT_ASSIGN table.
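The capture flow described in the "Entitlement Data Capture Process" section and the three scheduled tasks described above, modelled end to end as an added example. This is illustration code written for this page, not Oracle Identity Manager's own schema, trigger DDL, or scheduled-task code: it runs against an in-memory SQLite database, borrows only the table names LKV, ENT_LIST, ENT_ASSIGN, ENT_ASSIGN_DELTA and ENT_ASSIGN_HIST from the text, and the column layout, the ud_child stand-in for a UD_ child process form table, the trigger names, and the sample users and roles are all constructed assumptions.

```python
"""Constructed model of the entitlement capture flow (available and assigned
entitlements). Added illustration, not Oracle Identity Manager's own schema or code;
table columns, trigger names and sample data are assumptions made for this example."""
import sqlite3

SCHEMA = """
CREATE TABLE lkv (lkv_id INTEGER PRIMARY KEY, lookup_code TEXT, value TEXT);
CREATE TABLE ent_list (lkv_id INTEGER PRIMARY KEY, lookup_code TEXT, value TEXT,
                       deleted INTEGER NOT NULL DEFAULT 0);
CREATE TABLE ud_child (row_id INTEGER PRIMARY KEY, usr_key TEXT, role TEXT);
CREATE TABLE ent_assign (row_id INTEGER PRIMARY KEY, usr_key TEXT, role TEXT);
CREATE TABLE ent_assign_hist (row_id INTEGER, usr_key TEXT, role TEXT);
CREATE TABLE ent_assign_delta (delta_id INTEGER PRIMARY KEY AUTOINCREMENT,
                               op TEXT, row_id INTEGER, usr_key TEXT, role TEXT);
"""

# Change-capture triggers on the UD_ stand-in; each one stages the affected row
# together with the operation type, which is what the Entitlement Updations step reads.
TRIGGERS = """
CREATE TRIGGER ud_child_ins AFTER INSERT ON ud_child BEGIN
  INSERT INTO ent_assign_delta (op, row_id, usr_key, role)
  VALUES ('INSERT', NEW.row_id, NEW.usr_key, NEW.role);
END;
CREATE TRIGGER ud_child_upd AFTER UPDATE ON ud_child BEGIN
  INSERT INTO ent_assign_delta (op, row_id, usr_key, role)
  VALUES ('UPDATE', NEW.row_id, NEW.usr_key, NEW.role);
END;
CREATE TRIGGER ud_child_del AFTER DELETE ON ud_child BEGIN
  INSERT INTO ent_assign_delta (op, row_id, usr_key, role)
  VALUES ('DELETE', OLD.row_id, OLD.usr_key, OLD.role);
END;
"""


def entitlement_list(conn):
    """Entitlement List task: copy LKV -> ENT_LIST; rows gone from LKV are marked deleted."""
    conn.execute("INSERT OR REPLACE INTO ent_list (lkv_id, lookup_code, value, deleted) "
                 "SELECT lkv_id, lookup_code, value, 0 FROM lkv")
    conn.execute("UPDATE ent_list SET deleted = 1 "
                 "WHERE lkv_id NOT IN (SELECT lkv_id FROM lkv)")
    conn.commit()


def entitlement_assignments(conn):
    """Entitlement Assignments task (run once): first-time copy, then create the triggers."""
    conn.execute("INSERT OR IGNORE INTO ent_assign SELECT row_id, usr_key, role FROM ud_child")
    conn.executescript(TRIGGERS)


def entitlement_updations(conn):
    """Entitlement Updations task: apply staged rows to ENT_ASSIGN / ENT_ASSIGN_HIST in order."""
    staged = conn.execute("SELECT delta_id, op, row_id, usr_key, role "
                          "FROM ent_assign_delta ORDER BY delta_id").fetchall()
    for delta_id, op, row_id, usr_key, role in staged:
        if op in ("UPDATE", "DELETE"):
            # modified or revoked: existing record moves to history and leaves ENT_ASSIGN
            conn.execute("INSERT INTO ent_assign_hist SELECT row_id, usr_key, role "
                         "FROM ent_assign WHERE row_id = ?", (row_id,))
            conn.execute("DELETE FROM ent_assign WHERE row_id = ?", (row_id,))
        if op in ("INSERT", "UPDATE"):
            # newly assigned or modified: current state becomes the ENT_ASSIGN record
            conn.execute("INSERT INTO ent_assign (row_id, usr_key, role) VALUES (?, ?, ?)",
                         (row_id, usr_key, role))
        conn.execute("DELETE FROM ent_assign_delta WHERE delta_id = ?", (delta_id,))
    conn.commit()


def demo():
    """Run a constructed scenario and return the resulting table contents."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # constructed sample data: two roles on the target system, two existing assignments
    conn.executemany("INSERT INTO lkv VALUES (?, ?, ?)",
                     [(1, "Lookup.Roles", "Inventory Analyst"),
                      (2, "Lookup.Roles", "Senior Accounts Analyst")])
    conn.executemany("INSERT INTO ud_child VALUES (?, ?, ?)",
                     [(1, "richard", "Inventory Analyst"),
                      (2, "john", "Senior Accounts Analyst")])
    entitlement_list(conn)
    entitlement_assignments(conn)
    # changes made through provisioning or reconciliation, captured by the triggers
    conn.execute("UPDATE ud_child SET role = 'Senior Accounts Analyst' WHERE row_id = 1")  # modified
    conn.execute("INSERT INTO ud_child VALUES (3, 'john', 'Inventory Analyst')")           # new
    conn.execute("DELETE FROM ud_child WHERE row_id = 2")                                   # revoked
    conn.commit()
    entitlement_updations(conn)
    # the role is removed on the target; connector sync drops it from LKV, and the
    # next Entitlement List run marks (not deletes) its ENT_LIST row
    conn.execute("DELETE FROM lkv WHERE lkv_id = 2")
    entitlement_list(conn)
    return {
        "available": conn.execute("SELECT value, deleted FROM ent_list ORDER BY lkv_id").fetchall(),
        "assigned": conn.execute("SELECT row_id, usr_key, role FROM ent_assign ORDER BY row_id").fetchall(),
        "history": conn.execute("SELECT row_id, usr_key, role FROM ent_assign_hist ORDER BY row_id").fetchall(),
        "staged": conn.execute("SELECT COUNT(*) FROM ent_assign_delta").fetchone()[0],
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running demo() shows the three properties the text relies on: a revoked or modified assignment leaves ENT_ASSIGN but survives in ENT_ASSIGN_HIST (which is what the history reports draw on), the staging table is empty once the Updations step has consumed it, and an entitlement removed from the target is flagged in ENT_LIST rather than dropped. Dropping the triggers, as in the "Disabling the Capture of Modifications to Assigned Entitlements" section, corresponds to removing the three CREATE TRIGGER statements here: UD_ changes would then never reach the staging table and ENT_ASSIGN would silently go stale.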

14.6 Disabling the Capture of Modifications to Assigned Entitlements

You can manually disable incremental synchronization of assigned entitlement data in the ENT_ASSIGN table. In other words, you can disable the capture of modifications to assigned entitlements. To achieve this, you create and run an SQL script to drop the following triggers created on the child process form tables:

Note:

These triggers are created by the Entitlement Assignments scheduled task.

After you run the script, modifications to assigned entitlements are not copied into the staging table.

14.7 Entitlement-Related Reports

The following predefined reports provide data about assigned entitlements:

Note:

You must be a member of the ADMINISTRATORS group to be able to view these reports.

Duplicate assignments of the same entitlement to a particular user are suppressed in the reports because they are not copied to the ENT_ tables. For example, if user John Doe has been assigned the Sales Superintendent role twice on a target system, then the reports show only one instance of this entitlement.

14.7.1 Entitlement Access List

The Entitlement Access List report lists users who are currently assigned the entitlements that you specify while generating the report. The report provides basic information about the entitlements and the list of users to whom the entitlements are assigned.

14.7.2 Entitlement Access List History

The Entitlement Access List History report lists users who had been assigned the entitlements that you specify while generating the report. The report provides basic information about the entitlements and the list of users to whom the entitlements were assigned.

14.7.3 User Resource Entitlement

The User Resource Entitlement report lists the current entitlements of users whom you specify while generating the report. The report displays basic user information and entitlement details.

14.7.4 User Resource Entitlement History

The User Resource Entitlement History report lists details of past entitlements assigned to users whom you specify while generating the report. The report displays basic user information and entitlement details.

14.8 Archiving Data Stored in the ENT_ASSIGN_HIST Table

Note:

The utility described in this section can be used only if your Oracle Identity Manager installation is using Oracle Database.

Oracle Identity Manager does not automatically remove data from the ENT_ASSIGN_HIST table. Over a period of time, the gradual increase in the size of this table might have an adverse impact on the performance of the Oracle Identity Manager database. You can use the Entitlement Archival utility to archive and remove data from the ENT_ASSIGN_HIST table.

Note:

Data archived by the Entitlement Archival utility cannot be accessed by generating the reports listed in the "Entitlement-Related Reports" section.

The following sections describe the procedure to run the Entitlement Archival utility:

14.8.1 Creating a Tablespace to Store Archived Entitlement Data

Note:

The procedure described in this section is a one-time activity. The tablespace that you create is used for all subsequent runs of the Entitlement Archival utility.

You must create a tablespace to store archived entitlement data. You can use the oim_archival_tablespace_setup.sql script to create the tablespace. This script is in the OIM_HOME/xellerate/db/oracle/Utilities/EntitlementArchival directory.

Note:

The default size of the datafile created for the OIM_TASK_ARCH tablespace is 3 GB, which can hold approximately 1 million records. To meet your requirements, you might want to add more space to the default datafile of Oracle Identity Manager or create a datafile.

To create a tablespace in the Oracle Identity Manager database:

  1. Connect to the Oracle Identity Manager database as SYSDBA.

  2. Run the oim_archival_tablespace_setup.sql script.

    The script prompts for the following information:

    • Name (with complete path) of the datafile

    • User name of an Oracle Identity Manager database account: The utility uses this account for archive operations.

14.8.2 Running the Entitlement Archival Utility

Note:

It is recommended that you run the Entitlement Archival utility outside business hours.

To run the Entitlement Archival utility:

  1. Ensure that the Oracle Identity Manager database is available. In addition, verify that the Oracle Identity Manager database is not open for transactions with other sessions.

  2. Create a backup of the ENT_ASSIGN_HIST table.

  3. To check when statistics were last gathered for the entitlement history table and its indexes, run the following query:

    SELECT table_name, last_analyzed FROM user_tables;

  4. Stop Oracle Identity Manager.

  5. On Linux and UNIX platforms, set execution permission for the oim_Entitlement_archival.sh file and ensure that the file is a valid Linux and UNIX text file:

    In a command window, switch to the following directory:

    OIM_HOME/xellerate/db/oracle/Utilities/EntitlementArchival

    Run the following commands:

    chmod 755 FULL_PATH/oim_Entitlement_archival.sh
    dos2unix FULL_PATH/oim_Entitlement_archival.sh

  6. On Linux and UNIX platforms, run the FULL_PATH/oim_Entitlement_archival.sh file.

    On Microsoft Windows platforms, run the FULL_PATH\oim_Entitlement_archival.bat file.

  7. When you run the script, you are prompted for the following information:

    Oracle home

    Your response: Press the Enter key to accept the default Oracle home directory. Alternatively, provide the full path of the Oracle home directory.

    Oracle SID

    Your response: Enter y to accept the default Oracle SID. Alternatively, provide the Oracle SID.

    Oracle port number

    Your response: Enter the port number at which Oracle Database is running.

    Database user password

    Your response: Enter the password of the database account that you created for the utility.

    Date in YYYYMMDD format

    Enter the end date limit for records that you want to archive. All records with dates equal to or earlier than the specified date are archived.

    Batch size

    Enter a batch size for the archive operation. The default batch size is 10000.

    Archive action

    Enter one of the following numbers:

    Enter 1 to archive and then purge entitlement data.

    Enter 2 to purge entitlement data without archiving it.

    Enter 3 to quit.

    At the end of the archive run, the Archival Complete message is displayed.

  8. See the log file created in the following directory for information about the archive run:

    OIM_HOME/xellerate/db/oracle/Utilities/EntitlementArchival/logs_YYYYMMDD_hhmi