2 Integrating With Oracle Identity Manager, Deprecated Method

2.1 Introduction

This chapter describes the original approach to configuring Oracle Identity Analytics and Oracle Identity Manager so that the two products can be used together. This older integration method does not support incremental user and account imports. To use this integration method you must have at least Oracle Identity Manager version 9.1.0.2 BP5, and Oracle Identity Analytics 11gR1. A newer, preferred integration method is available that does support incremental user and account imports. For details, see Chapter 1, "Integrating With Oracle Identity Manager, Preferred Method."

2.2 Overview

Oracle Identity Analytics software and Oracle Identity Manager (OIM) software work together seamlessly when integrated using the Thor-API connection mechanism. When integrated, Oracle Identity Manager serves as the automated provisioning and identity synchronization solution, while Oracle Identity Analytics defines the Role-based Access Control (RBAC) framework, the attestation process, and the approach to Segregation of Duties (SoD) policy enforcement. Rather than assigning individual access entitlements, the RBAC framework allows organizations to assign and unassign roles as a means of controlling user access on various applications.

In a fully integrated scenario, provisioning and role management work in the following manner:

  • OIM is the authoritative source for users, accounts, and entitlements. Any update made to the users or their corresponding accounts is done in OIM.

  • Oracle Identity Analytics is the authoritative source for role management and role membership. Oracle Identity Analytics is also the authoritative source for policy entitlement definitions. (Roles in Oracle Identity Analytics correspond to "groups" in OIM, and policies in Oracle Identity Analytics correspond to "access policies" in OIM.)

  • All roles are defined and created in Oracle Identity Analytics. All entitlements for policies and role-to-user relationships are managed from Oracle Identity Analytics.

  • Roles managed by Oracle Identity Analytics become read-only in OIM.

Note - Provisioning attribute definitions for Access Policies, which are required to create accounts, are managed in much the same way as in the previous Oracle Role Manager (ORM) - OIM integration (by OIM or by an external process).

2.3 Understanding Terminology in Oracle Identity Analytics and Oracle Identity Manager

The following table maps Oracle Identity Analytics terminology to Oracle Identity Manager terminology.

Table 2-1 Comparing Oracle Identity Analytics Terminology and Oracle Identity Manager Version 9.x Terminology

  Oracle Identity Analytics Terminology              Oracle Identity Manager Terminology
  -------------------------------------------------  ----------------------------------------
  Resource Type                                      Resource Type
  Resource Type Attributes (NameSpace Attributes)    Provisioning Attributes and Entitlements
  Resource                                           IT Resource
  Global Users                                       Xellerate End Users
  Roles                                              Groups
  Policies                                           Access Policies


2.4 To Configure Oracle Identity Analytics and Oracle Identity Manager to Work Together (Deprecated Integration Method)

Before You Begin -

  • At least version 9.1.0.2 BP5 of Oracle Identity Manager and at least version 11gR1 of Oracle Identity Analytics are required.

  • Oracle Identity Manager should be installed and configured.

  1. In Oracle Identity Analytics add Oracle Identity Manager as a provisioning server option. ("Sun Identity Manager" and "File" are the default options.)

    See Section 2.4.1, "Step 1: Enable Oracle Identity Manager as a Provisioning Server Option."

  2. Copy the required Oracle Identity Manager API JAR files to Oracle Identity Analytics.

    See Section 2.4.2, "Step 2: Copy the Required .jar Files."

  3. In Oracle Identity Analytics, designate Oracle Identity Manager as the provisioning server. Establish a connection by entering authentication details.

    See Section 2.4.3, "Step 3: Designate Oracle Identity Manager as the Provisioning Server."

  4. To send real-time changes from Oracle Identity Analytics to Oracle Identity Manager, change the Oracle Identity Analytics configuration files related to workflows.

    See Section 2.4.4, "Step 4: Enable Real-Time Updates from Oracle Identity Analytics to Oracle Identity Manager."

2.4.1 Step 1: Enable Oracle Identity Manager as a Provisioning Server Option

In the Oracle Identity Analytics user interface, the Administration > Configuration > Provisioning Servers tab displays file and sun as the available options. To display Oracle Identity Manager as a supported provisioning server, edit iam-context.xml in the RBACX_Home/WEB-INF folder as follows.

The first change is to uncomment the oracle key entry in the iamSolutions property map of the rbacxIAMService bean in iam-context.xml, so that the map reads as follows:

<bean id="rbacxIAMService" parent="baseTransactionProxy">
  <property name="target">
    <bean class="com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl" parent="baseServiceSupport">
      <property name="iamSolutions">
        <map>
          <entry key="sun">
            <ref local="waveset"/>
          </entry>
          <!--entry key="ca">
            <ref local="eTrust"/>
          </entry-->
          <!--entry key="ibm">
            <ref local="tim"/>
          </entry-->
          <entry key="oracle">
            <ref local="oim"/>
          </entry>
          <entry key="file">
            <ref local="file"/>
          </entry>
        </map>
      </property>
      <!-- the remaining properties of this bean are unchanged -->
    </bean>
  </property>
</bean>

The second change to this file is to uncomment the oim bean definition:

<bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution" parent="abstractIAMSolution">

  <property name="metadataManager" ref="metadataManager"/>

  <property name="namespaceMap">
    <map>
      <!-- This mapping fetches the attributes from
           the appropriate object form (AD User). This
           mapping clarifies that, for the "AD Server"
           resource type, attributes are imported from
           the "AD User" Object form in OIM -->
      <entry key="AD Server">
        <value>AD User</value>
      </entry>
    </map>
  </property>
  <property name="resourceFieldMap">
    <map>
      <!-- This mapping identifies the field that is the
           ITResourceLookupField for each resource type.
           (Oracle Identity Manager "IT resources" map to
           resources in Oracle Identity Analytics.) From the mapping
           for the "AD Server" resource type field, we
           define that the "UD_ADUSER_AD" column field
           corresponds to the ITResource Entry. -->
      <entry key="AD Server">
        <value>UD_ADUSER_AD</value>
      </entry>
    </map>
  </property>

  <property name="accountIdentifierMap">
    <map>
      <entry key="AD Server">
        <value>UD_ADUSER_UID</value>
      </entry>
    </map>
  </property>
  <property name="secPolicyMap">
    <map>
      <entry key="RACF Account">
        <value>Server,Group</value>
      </entry>
    </map>
  </property>
  <property name="maxStaleDays">
    <value>${com.vaau.rbacx.iam.oracle.maxStaleDays}</value>
  </property>
  <property name="excludeFlag">
    <value>${com.vaau.rbacx.iam.oracle.excludeFlag}</value>
  </property>

  <property name="roleDao">
    <ref bean="roleDao"/>
  </property>
  <property name="policyManager">
    <ref bean="policyManager"/>
  </property>
  <property name="userProperties">
    <map>
      <entry key="userName">
        <value>Users.User ID</value>
      </entry>
      <entry key="firstName">
        <value>Users.First Name</value>
      </entry>
      <entry key="lastName">
        <value>Users.Last Name</value>
      </entry>
      <entry key="middleName">
        <value>Users.Middle Name</value>
      </entry>
      <entry key="manager">
        <value>Users.Manager Login</value>
      </entry>
      <entry key="primaryEmail">
        <value>Users.Email</value>
      </entry>
      <entry key="employeeType">
        <value>Users.Role</value>
      </entry>
      <entry key="startDate">
        <value>Users.Start Date</value>
      </entry>
      <entry key="endDate">
        <value>Users.End Date</value>
      </entry>
      <entry key="createDate">
        <value>Users.Provisioned Date</value>
      </entry>
    </map>
  </property>
  <property name="customProperties">
    <list>
      <value>Users.Email</value>
      <value>Organizations.Organization Name</value>
      <value>USR_UDF_LOCATION</value>
      <value>Users.Deprovisioning Date</value>
      <value>Users.Xellerate Type</value>
      <value>Users.Identity</value>
      <value>Users.Lock User</value>
      <value>Users.Disable User</value>
      <value>Users.Role</value>
    </list>
  </property>
</bean>
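A commented-out entry or bean is invisible to an XML parser, which makes the state of both edits above easy to check mechanically before the server is restarted. The following script is an added example (not from the Oracle documentation and not part of Oracle Identity Analytics): it parses iam-context.xml with the standard library, confirms that the iamSolutions map has a live oracle entry that refers to the oim bean, confirms that the oim bean is present, and reports any resource type that is named in namespaceMap but lacks a resourceFieldMap or accountIdentifierMap entry, since an account import for a resource type depends on all three. The embedded XML is a constructed, trimmed stand-in for the real file; the RACF entry values in it are made up for the demonstration.

```python
"""Sanity check for the OIM wiring in iam-context.xml.

Added example, not part of the Oracle documentation or of OIA itself.
SAMPLE_IAM_CONTEXT is a constructed, trimmed stand-in for the real file.
"""
import xml.etree.ElementTree as ET

SAMPLE_IAM_CONTEXT = """<beans>
  <bean id="rbacxIAMService" parent="baseTransactionProxy">
    <property name="target">
      <bean class="com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl"
            parent="baseServiceSupport">
        <property name="iamSolutions">
          <map>
            <entry key="sun"><ref local="waveset"/></entry>
            <!--entry key="ca"><ref local="eTrust"/></entry-->
            <entry key="oracle"><ref local="oim"/></entry>
            <entry key="file"><ref local="file"/></entry>
          </map>
        </property>
      </bean>
    </property>
  </bean>
  <bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution"
        parent="abstractIAMSolution">
    <property name="namespaceMap">
      <map>
        <entry key="AD Server"><value>AD User</value></entry>
        <entry key="RACF Account"><value>RACF User</value></entry>
      </map>
    </property>
    <property name="resourceFieldMap">
      <map><entry key="AD Server"><value>UD_ADUSER_AD</value></entry></map>
    </property>
    <property name="accountIdentifierMap">
      <map><entry key="AD Server"><value>UD_ADUSER_UID</value></entry></map>
    </property>
  </bean>
</beans>
"""

# The same constructed file with the oracle entry still commented out,
# i.e. the state before Step 1 has been applied.
SAMPLE_BEFORE_STEP1 = SAMPLE_IAM_CONTEXT.replace(
    '<entry key="oracle"><ref local="oim"/></entry>',
    '<!--entry key="oracle"><ref local="oim"/></entry-->')


def find_bean(root, bean_id):
    """Return the <bean> element with the given id, or None if absent."""
    return next((b for b in root.iter("bean") if b.get("id") == bean_id), None)


def map_property(elem, prop_name):
    """Return {key: text-or-ref} for the <map> of the named <property> under elem."""
    for prop in elem.iter("property"):
        if prop.get("name") != prop_name:
            continue
        result = {}
        for entry in prop.findall("map/entry"):
            value, ref = entry.find("value"), entry.find("ref")
            if value is not None:
                result[entry.get("key")] = (value.text or "").strip()
            elif ref is not None:
                result[entry.get("key")] = ref.get("local") or ref.get("bean")
        return result
    return {}


def check_iam_context(xml_text):
    """Return a list of problems; an empty list means the wiring looks complete."""
    root = ET.fromstring(xml_text)
    problems = []
    # A commented-out <entry> is not an element, so it simply does not show up.
    if map_property(root, "iamSolutions").get("oracle") != "oim":
        problems.append('iamSolutions has no live entry key="oracle" referring to bean "oim"')
    oim = find_bean(root, "oim")
    if oim is None:
        problems.append('bean id="oim" is missing (still commented out?)')
        return problems
    fields = map_property(oim, "resourceFieldMap")
    identifiers = map_property(oim, "accountIdentifierMap")
    for rtype in map_property(oim, "namespaceMap"):
        if rtype not in fields:
            problems.append(f'resource type "{rtype}" has no resourceFieldMap entry')
        if rtype not in identifiers:
            problems.append(f'resource type "{rtype}" has no accountIdentifierMap entry')
    return problems


if __name__ == "__main__":
    for label, text in (("after Step 1", SAMPLE_IAM_CONTEXT),
                        ("before Step 1", SAMPLE_BEFORE_STEP1)):
        print(label, "->", check_iam_context(text) or "OK")
```

To run it against a real installation, read RBACX_Home/WEB-INF/iam-context.xml into a string and pass it to check_iam_context; the function only relies on the element names used in the file, not on Spring itself.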

2.4.2 Step 2: Copy the Required .jar Files

  1. Copy the following Oracle Identity Manager Java API JAR files (located in $OIM_HOME/xellerate/lib/) to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:

    • wlXLSecurityProviders.jar

    • xlAPI.jar

    • xlAuthentication.jar

    • xlCache.jar

    • xlCrypto.jar

    • xlDataObjectBeans.jar

    • xlDataObjects.jar

    • xlLogger.jar

    • xlScheduler.jar

    • xlUtils.jar

    • xlVO.jar

  2. Copy the following Oracle Identity Manager Java API JAR file (located in the client/ext folder) to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:

    • iam-platform-utils.jar

  3. Copy the following JAR files if you are deploying to a JBoss or WebLogic application server:

    • If deploying to a JBoss application server, copy jbossall-client.jar

    • If deploying to a WebLogic application server, copy oim_design_console\xlclient\ext\wlfullclient.jar

      Note - The wlfullclient.jar is only required if Oracle Identity Analytics and Oracle Identity Manager are on different WebLogic domains. This JAR file allows client applications, such as Oracle Identity Analytics, to communicate with the WebLogic Server over the T3 protocol. If you deploy OIA and OIM to the same WebLogic domain, skip this step; copying the JAR in that case can produce an error similar to the following:

      Caused By: java.lang.LinkageError: loader constraint violation: loader
      (instance of weblogic/utils/classloaders/ChangeAwareClassLoader) previously
      initiated loading for a different type with name
      "javax/xml/namespace/QName"

      If wlfullclient.jar is not present in Oracle Identity Manager, follow these steps to generate it:

    1. Type cd <WLS-HOME>/server/lib, where <WLS-HOME> is the base WebLogic installation directory

    2. Type java -jar wljarbuilder.jar

    3. Copy the wlfullclient.jar file to the $RBACX_HOME/WEB-INF/lib folder

  4. Copy the following 11g Oracle Identity Manager Java API JAR files to Oracle Identity Analytics:

    1. Copy $OIM_HOME/server/client/oimclient.jar to $RBACX_HOME/WEB-INF/lib.

      Note - If this JAR file is not present, you will receive the following exception during integrated operations:

      java.lang.NoClassDefFoundError: oracle/iam/platform/OIMClient
        at Thor.API.tcUtilityFactory.<init>(tcUtilityFactory.java:154)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.getUtilityFactory(OIMIAMSolution.java:2595)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.readUsers(OIMIAMSolution.java)

    2. Copy the OIM 11g logger JAR file, xlLogger10g.jar, to $RBACX_HOME/WEB-INF/lib.

      Note - If this JAR file is not present, you will receive the following error during integrated operations:

      Caused by: java.lang.NoClassDefFoundError: com/thortech/util/logging/Logger
        at Thor.API.tcUtilityFactory.<clinit>(tcUtilityFactory.java:80)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.getUtilityFactory(OIMIAMSolution.java:2595)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.readUsers(OIMIAMSolution.java:770)
        at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.importUsers(RbacxIAMServiceImpl.java:119)
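Both notes above describe the same failure mode: a class that the OIM API needs is not on the Oracle Identity Analytics class path because a JAR from Step 2 was not copied. The script below is an added example (not from the Oracle documentation and not an OIA tool) that turns those notes into a repeatable check: it extracts the class name from a NoClassDefFoundError trace, scans every JAR in a lib folder for that class, and lists which of the JARs named in Step 2 are absent. The lib folder it scans is constructed in a temporary directory from empty placeholder JARs whose entry names mirror the two classes quoted above, so it runs without an OIM or OIA installation; point it at $RBACX_HOME/WEB-INF/lib to use it for real.

```python
"""Locate the JAR that provides a class named in a NoClassDefFoundError and
list which of the Step 2 JARs are missing from a lib folder.

Added example, not from the Oracle documentation and not an OIA tool.
"""
import os
import re
import tempfile
import zipfile

# JAR names listed in Step 2 (items 1, 2 and 4). wlfullclient.jar and
# jbossall-client.jar depend on the application server and are left out.
REQUIRED_JARS = [
    "wlXLSecurityProviders.jar", "xlAPI.jar", "xlAuthentication.jar",
    "xlCache.jar", "xlCrypto.jar", "xlDataObjectBeans.jar", "xlDataObjects.jar",
    "xlLogger.jar", "xlScheduler.jar", "xlUtils.jar", "xlVO.jar",
    "iam-platform-utils.jar", "oimclient.jar", "xlLogger10g.jar",
]

# Matches both "NoClassDefFoundError:oracle/..." and "NoClassDefFoundError: com/...".
NOCLASSDEF_RE = re.compile(r"NoClassDefFoundError:\s*([\w/$]+)")

# The two traces quoted in Step 2, trimmed to their first line.
TRACE_OIMCLIENT = ("java.lang.NoClassDefFoundError:oracle/iam/platform/OIMClient at "
                   "Thor.API.tcUtilityFactory.<init>(tcUtilityFactory.java:154)")
TRACE_LOGGER = ("Caused by: java.lang.NoClassDefFoundError: com/thortech/util/logging/Logger "
                "at Thor.API.tcUtilityFactory.<clinit>(tcUtilityFactory.java:80)")


def missing_class(trace):
    """Return the slash-separated class name from a NoClassDefFoundError trace, or None."""
    match = NOCLASSDEF_RE.search(trace)
    return match.group(1) if match else None


def jars_providing(lib_dir, class_name):
    """Return the sorted JAR file names under lib_dir that contain class_name."""
    entry = class_name.replace(".", "/") + ".class"
    hits = []
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        try:
            with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
                if entry in jar.namelist():
                    hits.append(name)
        except zipfile.BadZipFile:  # a truncated copy is as unusable as a missing one
            continue
    return hits


def missing_required_jars(lib_dir):
    """Return the Step 2 JARs that are not present in lib_dir."""
    present = set(os.listdir(lib_dir))
    return [jar for jar in REQUIRED_JARS if jar not in present]


def diagnose(lib_dir, trace):
    """Explain a NoClassDefFoundError in terms of the JARs found in lib_dir."""
    cls = missing_class(trace)
    if cls is None:
        return "trace contains no NoClassDefFoundError"
    hits = jars_providing(lib_dir, cls)
    if hits:
        return f"{cls} is provided by {', '.join(hits)}"
    return f"{cls} is in no JAR under {lib_dir}; copy the JAR that provides it"


def build_sample_lib():
    """Constructed stand-in for $RBACX_HOME/WEB-INF/lib: placeholder JARs whose
    entry names mirror the classes in the Step 2 errors (no real bytecode)."""
    lib = tempfile.mkdtemp(prefix="rbacx-lib-")
    with zipfile.ZipFile(os.path.join(lib, "xlLogger10g.jar"), "w") as jar:
        jar.writestr("com/thortech/util/logging/Logger.class", b"")
    with zipfile.ZipFile(os.path.join(lib, "xlAPI.jar"), "w") as jar:
        jar.writestr("Thor/API/tcUtilityFactory.class", b"")
    return lib


if __name__ == "__main__":
    lib = build_sample_lib()
    print(diagnose(lib, TRACE_OIMCLIENT))
    print(diagnose(lib, TRACE_LOGGER))
    print("missing from lib:", missing_required_jars(lib))
```

Scanning the JAR contents rather than only checking file names matters in practice: a JAR with the right name but from the wrong OIM release (for example the 9.x logger instead of xlLogger10g.jar) passes a name check and still fails at run time.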
      

2.4.3 Step 3: Designate Oracle Identity Manager as the Provisioning Server

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Provisioning Servers.

  4. Click New Provisioning Server Connection.

    The New Provisioning Server Connection wizard asks you to choose the type of provisioning server connection that you want to create.

  5. From the Type of Provisioning Server Connection drop-down menu, select Oracle and click Next.

  6. Complete the form:

    • Server Name - Type the connection object name.

    • Xellerate Home - Type the path to the config file in OIM. (For example, C:\oracle\xellerate)

    • Login Config - Type the path to the authentication configuration (auth.conf) file. (For example, C:\oracle\xellerate\config\auth.conf)

    • Provider URL - Type the provider URL. The format for this field is as follows:

      • WebLogic - t3://host:7001

      • JBoss - jnp://host:1099 (The default port number in a clustered environment is 1100.)

      • WebSphere - corbaloc:iiop:host:2809

    • Initial Context Factory - Enter the name of the environment property for specifying the initial context factory. The default values are as follows:

      • WebLogic - weblogic.jndi.WLInitialContextFactory

      • JBoss - org.jnp.interfaces.NamingContextFactory

      • WebSphere - com.ibm.websphere.naming.WsnInitialContextFactory

    • User Name - Enter the OIM user name. (example: xelsysadm)

    • Password - Enter the OIM password.

2.4.4 Step 4: Enable Real-Time Updates from Oracle Identity Analytics to Oracle Identity Manager

To send real-time changes from Oracle Identity Analytics to Oracle Identity Manager, change the configuration files related to workflows.

For example, the following code snippet has to be enabled in role-creation-workflow.xml during the "Finish" step (step 6):

<!--<function name="exportIAMRoleFunction" type="spring">
  <arg name="bean.name">exportIAMRoleFunction</arg>
  <arg name="iamConnectionName"/>
</function>-->

This becomes the following:

<function name="exportIAMRoleFunction" type="spring">
  <arg name="bean.name">exportIAMRoleFunction</arg>
  <arg name="iamConnectionName">OIMConnectionObjectName</arg>
</function>

Note - OIMConnectionObjectName is the name of the connection object you define in Step 2. Similar changes have to be made for all role-related workflows: role-modification-workflow.xml, role-user-membership-workflow.xml, and role-user-membership-activation-workflow.xml.
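Because the same edit is repeated in four workflow files, and a stray comment delimiter in any of them stops the workflow from loading, it is worth scripting the change and validating the result. The script below is an added example (not from the Oracle documentation and not an OIA tool): it uncomments the exportIAMRoleFunction block, fills in the iamConnectionName argument, re-parses the file to confirm it is still well-formed XML, and applies that to every file named in the note above. SAMPLE_WORKFLOW is a constructed, minimal workflow file in the shape of the snippet above (the step, action and result elements around the function are assumptions; real workflow files contain many more steps), and the directory it edits is a temporary stand-in for the folder that holds the real workflow files.

```python
"""Enable exportIAMRoleFunction in the role workflow files (Step 4) and
check that every edited file is still well-formed XML.

Added example, not from the Oracle documentation and not an OIA tool.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Workflow files named in Step 4.
WORKFLOW_FILES = [
    "role-creation-workflow.xml",
    "role-modification-workflow.xml",
    "role-user-membership-workflow.xml",
    "role-user-membership-activation-workflow.xml",
]

# The commented-out function block, and the connection-name argument in either
# its empty (self-closing) or already filled-in form.
COMMENTED_FUNCTION_RE = re.compile(
    r'<!--\s*(<function\s+name="exportIAMRoleFunction".*?</function>)\s*-->', re.S)
CONNECTION_ARG_RE = re.compile(
    r'<arg\s+name="iamConnectionName"\s*(?:/>|>.*?</arg>)', re.S)

# Constructed minimal workflow; surrounding elements are assumptions.
SAMPLE_WORKFLOW = """<workflow>
  <steps>
    <step id="6" name="Finish">
      <actions>
        <action id="60" name="Finish">
          <pre-functions>
            <!--<function name="exportIAMRoleFunction" type="spring">
            <arg name="bean.name">exportIAMRoleFunction</arg>
            <arg name="iamConnectionName"/>
            </function>-->
          </pre-functions>
          <results>
            <unconditional-result old-status="Finished" status="Finished" step="-1"/>
          </results>
        </action>
      </actions>
    </step>
  </steps>
</workflow>
"""


def enable_export_function(workflow_xml, connection_name):
    """Return workflow_xml with exportIAMRoleFunction uncommented and its
    iamConnectionName set. Idempotent: a second run only updates the name."""
    text = COMMENTED_FUNCTION_RE.sub(lambda m: m.group(1), workflow_xml)
    new_arg = f'<arg name="iamConnectionName">{escape(connection_name)}</arg>'
    text, count = CONNECTION_ARG_RE.subn(lambda _m: new_arg, text)
    if count == 0:
        raise ValueError("no iamConnectionName argument found in workflow")
    ET.fromstring(text)  # raises ParseError if the edit broke well-formedness
    return text


def enable_in_directory(workflow_dir, connection_name, files=WORKFLOW_FILES):
    """Apply enable_export_function to each named file; return the files changed."""
    changed = []
    for name in files:
        path = os.path.join(workflow_dir, name)
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
        updated = enable_export_function(original, connection_name)
        if updated != original:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(updated)
            changed.append(name)
    return changed


def build_sample_workflow_dir():
    """Constructed stand-in for the folder holding the workflow files."""
    wdir = tempfile.mkdtemp(prefix="rbacx-workflows-")
    for name in WORKFLOW_FILES:
        with open(os.path.join(wdir, name), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_WORKFLOW)
    return wdir


if __name__ == "__main__":
    wdir = build_sample_workflow_dir()
    print("updated:", enable_in_directory(wdir, "OIMConnectionObjectName"))
    print("updated again:", enable_in_directory(wdir, "OIMConnectionObjectName"))
```

The connection name is XML-escaped before insertion, so a name containing characters such as & cannot break the file, and the re-parse after each edit turns a malformed result into an immediate error instead of a workflow that fails to load at the next restart.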

2.5 Populating Oracle Identity Analytics With User Information From Oracle Identity Manager

Refer to the use cases in this section if you have user entitlements in Oracle Identity Manager that you want to use to populate the Oracle Identity Analytics Identity Warehouse. Importing users and roles from Identity Manager into Oracle Identity Analytics should be a one-time event that takes place when first configuring the systems.

2.5.1 Use Case 1: Importing Global Users From Oracle Identity Manager Into Oracle Identity Analytics

The users existing in Oracle Identity Manager (Xellerate End Users) are imported as global users in Oracle Identity Analytics on a scheduled basis. The attributes of the users in OIM are mapped to global user properties in Oracle Identity Analytics by way of a map. Extended attributes in OIM can be imported as custom properties in Oracle Identity Analytics.

The following table contains the default mapping of user attributes between Oracle Identity Analytics and Oracle Identity Manager.

Table 2-2 User Attribute Mappings Between Oracle Identity Analytics and Oracle Identity Manager

  Oracle Identity Analytics User Attribute Name   Oracle Identity Manager (OIM) User Attribute Name
  ---------------------------------------------   -------------------------------------------------
  username                                        Users.UserID
  firstname                                       Users.First Name
  lastname                                        Users.Last Name
  middlename                                      Users.Middle Name
  manager                                         Users.Manager Login
  primaryemail                                    Users.Email
  startdate                                       Users.Start Date
  enddate                                         Users.End Date
  createdate                                      Users.Provisioned Date


2.5.1.1 To Import Users From Oracle Identity Manager Into Oracle Identity Analytics

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new import job, choose Schedule Job > Import > Import Users.

  5. Under Data Selection Source, select the appropriate Connection Name and click Next.

  6. Complete the form by entering the Name and Description of the Job.

  7. Choose one of the following tasks:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  8. Click Finish.

    The import users job runs on the scheduled date and time.

  9. Verify that the users are imported into Oracle Identity Analytics from Identity Manager by accessing the Users View in Oracle Identity Analytics (choose Identity Warehouse > User).

2.5.2 Use Case 2: Importing Resource Metadata From Oracle Identity Manager Into Oracle Identity Analytics

In the Oracle Identity Analytics integration with Identity Manager, information on resource metadata can be imported from Identity Manager to Oracle Identity Analytics. This eliminates the need to manually recreate resource metadata in Oracle Identity Analytics.

2.5.2.1 To Import Resource Metadata From Identity Manager Into Oracle Identity Analytics

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new import job, choose Schedule Job > Import > Import Resource Metadata.

    The next page will prompt you to choose the resource from the list of available resources for which metadata on attributes needs to be imported.

  5. Select the specific resource type.

  6. Under Data Selection Source, select the appropriate Connection Name and click Next.

  7. Complete the form by entering the Name and Description of the Job.

  8. Choose one of the following:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  9. Click Finish to generate the Import Job.

    The import resource metadata job runs on the scheduled date and time.

  10. Verify that the resource metadata was properly imported into Oracle Identity Analytics by accessing the Oracle Identity Analytics Resources Types tab (choose Configuration > Resources Types).

2.5.3 Use Case 3: Importing Resources From Identity Manager Into Oracle Identity Analytics

With out-of-the-box integration capabilities, Oracle Identity Analytics can import resources from Oracle Identity Manager to Oracle Identity Analytics. This eliminates the need to manually create the resources in Oracle Identity Analytics. ITResource in OIM corresponds to a resource in Oracle Identity Analytics.

2.5.3.1 To Import Resources From Identity Manager Into Oracle Identity Analytics

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new import job, choose Schedule Job > Import > Import Resources.

  5. Under Data Selection Source, select the appropriate Connection Name and click Next.

  6. Complete the form by typing a name and description for the job.

  7. Choose one of the following tasks:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  8. Click Finish to generate the import job.

    The import resources job runs on the scheduled date and time.

  9. Verify that the resources are imported into Oracle Identity Analytics from Identity Manager by accessing the Oracle Identity Analytics Resources tab (choose Identity Warehouse > Resources).

2.5.4 Use Case 4: Importing Roles From Identity Manager Into Oracle Identity Analytics

Groups defined in OIM are imported as Roles within Oracle Identity Analytics. This import also pulls in the relationship between Group and Access Policy within OIM as the Role-Policy relationship within Oracle Identity Analytics. This requires a successful policy import.

In addition, this step imports the group-user relationship from OIM and recreates it as the role-user relationship in Oracle Identity Analytics. To establish the role-user relationship, ensure that users have been imported first.

2.5.4.1 To Import Roles From Identity Manager Into Oracle Identity Analytics

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new import job, choose Schedule Job > Import > Import Roles.

  5. Under Data Selection Source, select the appropriate Connection Name and click Next.

  6. Complete the form by typing a name and description for the job.

  7. Choose one of the following tasks:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  8. Click Finish to generate the import job.

    The import roles job runs on the scheduled date and time.

  9. Verify that the roles are imported into Oracle Identity Analytics from Identity Manager by accessing the Oracle Identity Analytics Roles tab (choose Identity Warehouse > Resources).

2.6 Populating Oracle Identity Manager With Roles Information From Oracle Identity Analytics

See the use cases in this section if you have user accounts in Oracle Identity Analytics that you want to use to populate the Identity Manager repository.

Roles defined in Oracle Identity Analytics can be exported to OIM on a scheduled basis, once role definition/management is completed. This use case will perform the following exports into OIM:

  1. Export Oracle Identity Analytics roles to OIM groups.

  2. Export the Oracle Identity Analytics policy definitions and their entitlements into OIM Access Policies. If a policy does not yet exist in OIM, it is created there as a new Access Policy.

  3. Export the Oracle Identity Analytics Policy-Resource relationship as the OIM Access Policy-IT Resource relationship.

  4. Export the Oracle Identity Analytics Role-Policy relationship as OIM Group-Access Policy relationship.

  5. Export the Oracle Identity Analytics Role-User relationship to OIM Group-User relationship.

Note:

During initial integration this is done on a scheduled basis. A recommended long-term solution is to update OIM as definitions are changed in Oracle Identity Analytics on a real-time basis.

2.6.1 Use Case 1: Exporting Roles From Oracle Identity Analytics to Identity Manager

Note:

  • Roles in Oracle Identity Analytics correspond to Groups in Identity Manager.

  • Policies (roles content) are exported as part of roles export. Therefore when the Export Roles scheduled job is run, the associated policies will also get exported from OIA to OIM.

2.6.1.1 To Export Roles to Identity Manager

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new export job, choose Schedule Job > Export > Export Roles.

  5. Under Data Selection Source, select the appropriate Connection Name and click Next.

  6. Complete the form by entering the Name and Description of the Job.

  7. Choose one of the following:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  8. Click Finish to create the export job.

    The job runs on the scheduled date and time.

  9. Verify that the roles were properly exported to Identity Manager by opening Identity Manager and clicking the User Group > Manage link on the left pane.

2.7 Understanding Closed Loop Compliance

With the integration of Oracle Identity Analytics and Oracle Identity Manager, it is possible to directly revoke roles and entitlements from Oracle Identity Manager if the results of the certification process require it. This integration eliminates the need for manual de-provisioning of access for managed resources. In addition, the manual process of revoking roles and entitlements by leveraging the information stored in the remediation configuration module is also retained. This takes into account non-managed applications.

If certification remediation is enabled, changes are propagated to Oracle Identity Manager either when the certification is complete, or when the certification end-date is reached (depending on configuration). OIM revokes or re-provisions target system accounts based on the revocations and certifications that occurred during the certification process.

2.7.1 To Configure Resources in Oracle Identity Analytics for Remediation

Every resource type in Oracle Identity Analytics can be separately configured for automatic or manual remediation.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Resources.

  3. Click the resource for which remediation action needs to be configured, and go to the Remediation tab.

  4. Select the Select Provisioning Mode check box.

  5. Choose the mode of provisioning desired for the particular resource.

    • Auto - Automatically send role/entitlement updates linked with this resource to Oracle Identity Manager. Select the appropriate connection name of the provisioning server and save the changes.

    • Manual - Use the manual steps for revocation of roles and entitlements using a text editor. List the steps to be followed for non-managed system remediation and save the changes.

2.7.2 To Configure Certifications in Oracle Identity Analytics for Remediation

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Identity Certification.

  4. Expand the Revoke and Remediation section, and, under the Remediation section, choose one of the following options:

    • Display Remediation Instructions - Select to display instructions about how to perform manual remediation of nonmanaged resources.

    • Perform Closed Loop Remediation on - Select to specify that the remediation be completed by either the Certification End Date or the Certification Completion Date.