3 Integrating With Oracle Waveset (Sun Identity Manager)

3.1 Overview

Oracle Identity Analytics software and Oracle Waveset software (formerly named Sun Identity Manager) work together seamlessly when integrated using the Service Provisioning Markup Language (SPML). When integrated, Oracle Waveset serves as the automated provisioning and identity synchronization solution, while Oracle Identity Analytics defines the Role-Based Access Control (RBAC) framework, the attestation process, and the approach to Segregation of Duties (SoD) policy enforcement. Rather than assigning individual access entitlements, the RBAC framework allows organizations to assign and unassign roles as a means of controlling user access on various applications.

The Oracle Identity Analytics Identity Warehouse makes it possible for Oracle Identity Analytics to manage users and their identities across various target systems. Before Oracle Identity Analytics features can be utilized, however, the Identity Warehouse of users and their entitlements must be built. If Oracle Waveset is already in use, building the Identity Warehouse is as easy as connecting to Oracle Waveset and importing the user entitlement information that is stored in the Oracle Waveset repository. Roles are then assigned to users, either based on their actual entitlements or business-level attributes. These roles can be exported to Oracle Waveset for user management and provisioning purposes. Additionally, revocations made during the certification campaigns can also be sent from Oracle Identity Analytics to Oracle Waveset so that remediation can take place.

Figure 3-1 OIA and Oracle Waveset Integration Overview

Refer to the User's Guide for Oracle Identity Analytics for explanations of attributes, attribute categories, resource types, and other concepts.

Oracle Identity Analytics and Oracle Waveset share the following integration points:

  • Oracle Waveset users are imported into Oracle Identity Analytics

  • Oracle Waveset resources are imported into Oracle Identity Analytics

  • Oracle Waveset resource metadata is imported into Oracle Identity Analytics

  • Oracle Waveset user accounts are imported into Oracle Identity Analytics

  • Oracle Identity Analytics roles and role content are exported to Oracle Waveset

  • Closed Loop Compliance

Note:

See the "Oracle Identity Analytics Importing" chapter in the Administrator's Guide for Oracle Identity Analytics for more information about the import process.

Figure 3-2 OIA and Oracle Waveset Integration Diagram 1

3.2 Integration Architecture

As illustrated in the following figure, Oracle Waveset and Oracle Identity Analytics use SPML and Web Services (WSDL) to communicate. SPML calls are used when Oracle Identity Analytics initiates requests, and Web Services are used when Oracle Waveset initiates the requests.

User and entitlement data can be imported into Oracle Identity Analytics using flat files. However, in an environment where Oracle Waveset is already deployed (or is in the process of being deployed), Oracle Identity Analytics can connect to Oracle Waveset using SPML to import the user and entitlement data of managed resources. Oracle Identity Analytics can also be used to export roles and user-role membership, and to send revocations back to Oracle Waveset.

Figure 3-3 OIA and Oracle Waveset Integration Diagram 2

3.3 Integrating Oracle Identity Analytics With Oracle Waveset

This section describes how to configure Oracle Identity Analytics and Oracle Waveset so that the two products can be used together.

3.3.1 To Configure Oracle Identity Analytics and Oracle Waveset to Work Together

Before You Begin -

  • At least version 8.1.1 of Oracle Waveset and at least version 11gR1 of Oracle Identity Analytics are required.

  • Install and configure Oracle Waveset with the Oracle Waveset Gateway.

  • In a production environment, deploy Oracle Waveset and Oracle Identity Analytics on separate application servers.

  • If you are running Oracle Waveset on the WebLogic application server, install the Metro libraries in the Waveset WEB-INF/lib directory. For details, see Oracle Waveset Installation 8.1.1, "Installing Waveset on WebLogic," "Step 5: Install the Metro Libraries."

  1. In Oracle Waveset, import the SPML Exchange File so that Oracle Waveset can receive (and respond to) SPML requests sent from Oracle Identity Analytics. The SPML Exchange File (rm_idm_init.xml) is supplied with Oracle Identity Analytics.

    See Section 3.3.1.1, "Step 1: To Import the Oracle Waveset SPML Exchange File" for details.

  2. In Oracle Identity Analytics, create an Oracle Identity Analytics user that Oracle Waveset will use to connect to Oracle Identity Analytics using Web Services.

    See Section 3.3.1.2, "Step 2: To Create an Oracle Identity Analytics User That Oracle Waveset Will use to Connect" for details.

  3. In Oracle Waveset, create an Oracle Waveset user that Oracle Identity Analytics will use to invoke SPML calls to Oracle Waveset.

    See Section 3.3.1.3, "Step 3: To Create an Oracle Waveset User That Oracle Identity Analytics Will use to Connect" for details.

  4. In Oracle Identity Analytics, designate Oracle Waveset as the provisioning server.

    See Section 3.3.1.4, "Step 4: To Designate Oracle Waveset as the Provisioning Server" for details.

  5. In Oracle Waveset, add Oracle Identity Analytics Web Services so that Oracle Waveset can send requests to (and receive responses from) Oracle Identity Analytics.

    See Section 3.3.1.5, "Step 5: To Configure Oracle Waveset to use Oracle Identity Analytics Web Services" for details.

  6. In Oracle Waveset, configure the User Deferred Task Scanner. This step is required so that real-time Segregation of Duties (SoD) processing will work properly.

    See Section 3.3.1.6, "Step 6: To Configure the User Deferred Task Scanner" for details.

  7. In Oracle Waveset, configure the User Form so that Oracle Identity Analytics can authenticate over SPML.

    See Section 3.3.1.7, "Step 7: To Configure the User Form so That Oracle Identity Analytics can Authenticate Over SPML" for details.

  8. Configure Oracle Identity Analytics for closed loop remediation.

    For details, see Section 3.6, "Understanding Closed Loop Compliance."

3.3.1.1 Step 1: To Import the Oracle Waveset SPML Exchange File

  1. Copy the rm_idm_init.xml file, which is located in the Oracle Identity Analytics conf/spml directory, to the Oracle Waveset server.

  2. Log in to Oracle Waveset.

  3. Choose Configure > Import Exchange File.

  4. Click Browse and navigate to the rm_idm_init.xml file.

  5. Click Import.

    The exchange file import status is displayed on the Admin Console.

  6. Restart the Oracle Waveset application server.

3.3.1.2 Step 2: To Create an Oracle Identity Analytics User That Oracle Waveset Will use to Connect

  1. Log in to Oracle Identity Analytics.

  2. Create a user that Oracle Waveset can use to connect to Oracle Identity Analytics using Oracle Identity Analytics Web Services.

    For help creating an Oracle Identity Analytics user, see the Administrator's Guide for Oracle Identity Analytics, "Oracle Identity Analytics Access Control" chapter, To Create, Update, and Delete an Oracle Identity Analytics User task.

    1. Assign the user the SRMAdmin system role.

    2. Save the user.

3.3.1.3 Step 3: To Create an Oracle Waveset User That Oracle Identity Analytics Will use to Connect

  1. Log in to Oracle Waveset.

  2. Create a user that Oracle Identity Analytics can use to invoke SPML calls to Oracle Waveset. For help creating an Oracle Waveset user, see the Oracle Waveset Business Administrator's Guide, "Administration" chapter, To Create an Administrator task.

    1. If you are using Oracle Waveset 8.1.1, assign the user the "Identity Analytics Admin" admin role, and skip to substep 3 ("Assign the user the Empty Form as its User Form"). Otherwise, in at least version 8.1.1 of Oracle Waveset, assign the user the following capabilities:

      • Create User

      • Deprovision User

      • Update User

      • Unlink User

      • Unassign User

      • Rename User

      • Enable User

      • Disable User

      • View User

      • Role Administrator

    2. Assign the user control of the Top organization.

    3. Assign the user the Empty Form as its User Form.

    4. Save the user.

3.3.1.4 Step 4: To Designate Oracle Waveset as the Provisioning Server

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Provisioning Servers.

  4. Click New Provisioning Server Connection.

    The New Provisioning Server Connection wizard asks you to choose the type of provisioning server connection to create.

  5. From the Type of Provisioning Server Connection drop-down menu, select Sun and click Next.

  6. Complete the form:

    • Connection Name - Type a new connection name for Oracle Waveset. This connection name is used during the import process instead of the host name and port.

    • SPML URL - Format the SPML URL as follows: http://IdentityManagerApplicationServerName:PortNumber/idm/servlet/rpcrouter2

      For example: http://localhost:8080/idm/servlet/rpcrouter2

    • Username - Type a user name that Oracle Identity Analytics will use to connect to Oracle Waveset. You should have created a special Oracle Waveset user account for this purpose in step 3. Do not use the configurator account.

    • Password - Type the password that Oracle Identity Analytics will use to connect to Oracle Waveset.

    • Test Connection - Click to test whether the connection was successfully established between Oracle Waveset and Oracle Identity Analytics. This will help you in troubleshooting connection issues.

    • Role Consumer - Select this box to export roles and role content from Oracle Identity Analytics to Oracle Waveset on a real-time basis. Oracle recommends that you select this option.

    • Role Update Schedule - Choose to schedule when to send updates back to Oracle Waveset.

      • Now - Updates roles in Oracle Waveset as soon as they are updated in Oracle Identity Analytics.

      • Later - Schedules the update of roles to take place on a daily, weekly, or monthly basis, or just one time, and schedules the time and date for the update task to start.

3.3.1.5 Step 5: To Configure Oracle Waveset to use Oracle Identity Analytics Web Services

Oracle Waveset needs to be configured to use Oracle Identity Analytics Web Services. Oracle Waveset uses Oracle Identity Analytics web service calls to both send requests to Oracle Identity Analytics, and receive responses. To configure Oracle Identity Analytics Web Services, use the Oracle Waveset resource wizard.

  1. Log in to Oracle Waveset.

  2. Choose the Resources tab and verify that the List Resources subtab is selected.

  3. Locate the Resource Type Actions drop-down list and select New Resource.

    The New Resource page opens.

  4. Select the Oracle Identity Analytics (Sun Role Manager) Web Services resource type from the drop-down list, and click New. (If this resource type is not listed, you need to enable it. See "Managing the Resources List" in the "Roles and Resources" chapter in the Oracle Waveset Business Administrator's Guide for details.)

    The Resource Wizard Welcome Page opens.

  5. Click Next to begin configuring the Oracle Identity Analytics (Role Manager) Web Services resource.

    The Create Oracle Identity Analytics (Sun Role Manager) Web Services Resource Wizard / Resource Parameters page opens.

  6. Complete the form:

    • Web Service Base URI - Type the Uniform Resource Identifier (URI) for your Oracle Identity Analytics installation as follows:

      http://server-name:port-number/rbacx

      where server-name is the IP address or alias of the server on which Oracle Identity Analytics is running, and port-number is the port number of the application server that is listening to Oracle Identity Analytics calls.

    • User - Type the user name that Oracle Waveset will use to connect to Oracle Identity Analytics. You should have created a special Oracle Identity Analytics user account for this purpose in step 2. Do not use the rbacxadmin account.

    • Password - Type the password that Oracle Waveset will use to connect to Oracle Identity Analytics.

    • Oracle Identity Analytics Version - Type the version number of Oracle Identity Analytics that Oracle Waveset is connecting to.

    • Is SRM Configured - Type true to enable Oracle Waveset to use Oracle Identity Analytics Web Services.

    • Test Configuration - Click to test the connection to Oracle Identity Analytics Web Services.

      Note - Upon completing the wizard, additional form fields are unlocked. These fields include the following:

      • Process Check Policy Results Rule - Value should be Sun Role Manager:Process Policy Result

      • Check Policy Compliance Violation Form - Value should be Sun Role Manager Compliance Violation Form

      • Check Policy Status Rule - Value should be Sun Role Manager:Risk Analysis Status

      • Compliance Violation Owners Rule - Value should be Sun Role Manager:Compliance Violation Owners

  7. Click Next.

    The Create Oracle Identity Analytics (Sun Role Manager) Web Services Resource Wizard / Account Attributes page opens.

  8. Verify that the account attribute mappings on this page are correct and click Next.

    The Create Oracle Identity Analytics (Sun Role Manager) Web Services Resource Wizard / Identity Template page opens.

  9. Verify that the attribute value in the Identity Template box is correct and click Save.

3.3.1.6 Step 6: To Configure the User Deferred Task Scanner

The User Deferred Task Scanner in Oracle Waveset needs to be configured for a delay of one minute so that SoD processing will work properly. The scanner picks up SoD information after it has been retrieved from Oracle Identity Analytics using Oracle Identity Analytics (Sun Role Manager) web services.

  1. Log in to Oracle Waveset.

  2. Choose Server Tasks > Manage Schedule.

  3. Click User Deferred Task Scanner to edit the task.

    The Edit Task Schedule page opens.

  4. Change the value in the Repeat Every box to a value of 1 Minutes.

  5. Click Save.

3.3.1.7 Step 7: To Configure the User Form so That Oracle Identity Analytics can Authenticate Over SPML

Within Identity Manager, the User Form of the user that Oracle Identity Analytics authenticates as over SPML needs to be set to "Empty Form."

  1. Log in to Oracle Waveset.

  2. Choose the Accounts tab and verify that the List Accounts subtab is selected.

  3. Click the user that you created in Section 3.3.1.3, "Step 3: To Create an Oracle Waveset User That Oracle Identity Analytics Will use to Connect."

    The Edit User page opens.

  4. Click the Security tab.

  5. From the User Form drop-down box, select Empty Form.

  6. Click Save.

Oracle Identity Analytics and Oracle Waveset are now configured to work together. To configure closed loop remediation, see Section 3.6, "Understanding Closed Loop Compliance."
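
The settings chosen in Steps 2 through 7 can be checked against the guide's requirements before the connection goes live. The following Python sketch is an added example, not part of the Oracle guide or of either product: it audits a hand-written description of the integration for the endpoint formats, the dedicated service accounts, and the privileges listed above. The dictionary keys, host names, and account names are hypothetical; neither product exports its settings in this form.

```python
from urllib.parse import urlsplit

# Values taken from the procedure above.
SPML_PATH = "/idm/servlet/rpcrouter2"        # Step 4: SPML URL format
OIA_BASE_PATH = "/rbacx"                     # Step 5: Web Service Base URI
ADMIN_ROLE = "Identity Analytics Admin"      # Step 3: admin role alternative
REQUIRED_CAPABILITIES = frozenset({          # Step 3: explicit capabilities
    "Create User", "Deprovision User", "Update User", "Unlink User",
    "Unassign User", "Rename User", "Enable User", "Disable User",
    "View User", "Role Administrator",
})
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_endpoint(label, url, expected_path):
    """Return findings for one endpoint URL."""
    parts = urlsplit(url)
    try:
        parts.port                  # raises ValueError on a non-numeric port
    except ValueError:
        return [f"{label}: port is not a number"]
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return [f"{label}: not an http(s) URL with a host name"]
    findings = []
    if parts.path.rstrip("/") != expected_path:
        findings.append(f"{label}: path is not {expected_path}")
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        findings.append(f"{label}: plain HTTP to a remote host, so the "
                        "service password crosses the network unencrypted")
    return findings


def audit_integration(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = check_endpoint("SPML URL", cfg["spml_url"], SPML_PATH)
    findings += check_endpoint("Web Service Base URI",
                               cfg["oia_base_uri"], OIA_BASE_PATH)
    # Steps 4 and 5: dedicated service accounts, not the built-in admins.
    if cfg["spml_username"].lower() == "configurator":
        findings.append("OIA connects to Waveset as configurator")
    if cfg["ws_username"].lower() == "rbacxadmin":
        findings.append("Waveset connects to OIA as rbacxadmin")
    # Step 2: the OIA account Waveset uses carries the SRMAdmin system role.
    if "SRMAdmin" not in cfg["oia_system_roles"]:
        findings.append("OIA service user lacks the SRMAdmin system role")
    # Step 3: either the admin role, or the ten capabilities plus Top.
    if ADMIN_ROLE not in cfg["waveset_admin_roles"]:
        caps = set(cfg["waveset_capabilities"])
        missing = sorted(REQUIRED_CAPABILITIES - caps)
        extra = sorted(caps - REQUIRED_CAPABILITIES)
        if missing:
            findings.append("Waveset service user lacks: " + ", ".join(missing))
        if extra:
            findings.append("Waveset service user has capabilities beyond "
                            "the guide's list: " + ", ".join(extra))
        if "Top" not in cfg["waveset_controlled_orgs"]:
            findings.append("Waveset service user does not control Top")
    # Steps 3 and 7: the SPML account's User Form must be Empty Form.
    if cfg["waveset_user_form"] != "Empty Form":
        findings.append("Waveset service user's User Form is not Empty Form")
    return findings


# Constructed sample settings (hypothetical hosts, accounts, and extras).
GOOD = {
    "spml_url": "https://waveset.example.internal:8443/idm/servlet/rpcrouter2",
    "oia_base_uri": "https://oia.example.internal:8443/rbacx",
    "spml_username": "svc_oia_spml",
    "ws_username": "svc_waveset_ws",
    "oia_system_roles": ["SRMAdmin"],
    "waveset_admin_roles": [],
    "waveset_capabilities": sorted(REQUIRED_CAPABILITIES),
    "waveset_controlled_orgs": ["Top"],
    "waveset_user_form": "Empty Form",
}
BAD = dict(GOOD,
           spml_url="http://waveset.example.internal:8080/idm/servlet/rpcrouter",
           spml_username="configurator",
           waveset_capabilities=["View User", "Example Extra Capability"],
           waveset_user_form="Some Other Form")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_integration(cfg) or "no findings")
```
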

3.4 Populating Oracle Identity Analytics With User Information From Oracle Waveset

Refer to the use cases in this section if you have user entitlements in Oracle Waveset that you want to use to populate the Oracle Identity Analytics Identity Warehouse. Importing users and roles from Oracle Waveset into Oracle Identity Analytics should be a one-time event that takes place when first configuring the systems.

3.4.1 Use Case 1: Importing Global Users From Oracle Waveset Into Oracle Identity Analytics

Oracle Waveset saves information about users who are auto-provisioned. These users are imported into Oracle Identity Analytics as global users before their accounts are pulled in.

3.4.1.1 To Import Users From Oracle Waveset Into Oracle Identity Analytics

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new import job, choose Schedule Job > Import > Import Users.

  5. Under Data Selection Source, select the appropriate Connection Name and click Next.

  6. Complete the form by entering the Name and Description of the Job.

  7. Choose one of the following tasks:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  8. Click Finish.

    The import users job runs on the scheduled date and time.

  9. Verify that the users are imported into Oracle Identity Analytics from Oracle Waveset by accessing the Users View in Oracle Identity Analytics (choose Identity Warehouse > User).

3.4.2 Use Case 2: Importing Resource Metadata From Oracle Waveset Into Oracle Identity Analytics

A resource type in Oracle Waveset is a type of target system, whereas a resource is an instance of a resource type. For example, consider the case of four different Windows NT systems hosting four different sets of users. In this scenario, "Windows NT" is the resource type, whereas the four individual system names are resources of type "Windows NT."

In the Oracle Identity Analytics integration with Oracle Waveset, information on resource metadata can be imported from Oracle Waveset to Oracle Identity Analytics. This eliminates the need to manually recreate resource metadata in Oracle Identity Analytics.

3.4.2.1 To Import Resource Metadata From Oracle Waveset Into Oracle Identity Analytics

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new import job, choose Schedule Job > Import > Import Resource Metadata.

    The next page will prompt you to choose the resource from the list of available resources for which metadata on attributes needs to be imported.

  5. Select the specific resource type.

  6. Under Data Selection Source, select the appropriate Connection Name and click Next.

  7. Complete the form by entering the Name and Description of the Job.

  8. Choose one of the following:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  9. Click Finish to generate the Import Job.

    The import resource metadata job runs on the scheduled date and time.

  10. Verify that the resource metadata was properly imported into Oracle Identity Analytics by accessing the Oracle Identity Analytics Resources Types tab (choose Configuration > Resources Types).

Note:

Seven resource types in Oracle Waveset are treated differently by Oracle Identity Analytics. They are the following:

  • Simulated

  • Scripted JDBC

  • Database Table

  • External

  • Scripted Gateway

  • Scripted Host

  • Shell Script

Each resource within the above resource types is created as a resource_type within Oracle Identity Analytics. The naming convention is "ResourceName__ResourceTypeName". This is because each resource is likely to have its own resource type metadata rather than a common metadata format.

3.4.3 Use Case 3: Importing Resources From Oracle Waveset Into Oracle Identity Analytics

With out-of-the-box integration capabilities, Oracle Identity Analytics can import resources from Oracle Waveset to Oracle Identity Analytics. This eliminates the need to manually create the resources in Oracle Identity Analytics.

3.4.3.1 To Import Resources From Oracle Waveset Into Oracle Identity Analytics

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new import job, choose Schedule Job > Import > Import Resources.

  5. Under Data Selection Source, select the appropriate Connection Name and click Next.

  6. Complete the form by typing a name and description for the job.

  7. Choose one of the following tasks:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  8. Click Finish to generate the import job. The import resources job runs on the scheduled date and time.

  9. Verify that the resources are imported into Oracle Identity Analytics from Oracle Waveset by accessing the Oracle Identity Analytics Resources tab (choose Identity Warehouse > Resources).

3.4.4 Use Case 4: Importing User Accounts From Oracle Waveset Into Oracle Identity Analytics

After global users are imported, you can import accounts into Oracle Identity Analytics for different resource types. Before importing user accounts, make sure that the resource types and attributes are correctly configured in Oracle Identity Analytics. For more information, see "Resource Types Configuration" in the Administrator's Guide for Oracle Identity Analytics, "Oracle Identity Analytics Configuration" chapter.

3.4.4.1 To Import Accounts From Oracle Waveset Into Oracle Identity Analytics

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new import job, choose Schedule Job > Import > Import Accounts, and then click Next.

  5. From the list of available resources for which user accounts can be imported, select the resource and the specific resource type.

  6. Under Data Selection Source, select the appropriate Connection Name and click Next.

  7. Complete the form by entering the Name and Description of the Job.

  8. Choose one of the following:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  9. Click Finish to create the Import Job.

    The job runs on the scheduled date and time.

  10. Verify that the accounts imported into Oracle Identity Analytics match the corresponding resource type accounts in Oracle Waveset.

3.4.5 Use Case 5: Importing Roles From Oracle Waveset Into Oracle Identity Analytics

Note - This should be done only as a one-time effort for initial role population. It is recommended that SRM be kept as the authoritative source for roles; the roles would be overwritten if they were imported from IDM on an ongoing basis.

3.4.5.1 To Import Roles From Oracle Waveset Into Oracle Identity Analytics

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new import job, choose Schedule Job > Import > Import Roles.

  5. Under Data Selection Source, select the appropriate Connection Name and click Next.

  6. Complete the form by typing a name and description for the job.

  7. Choose one of the following tasks:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  8. Click Finish to generate the import job.

    The import roles job runs on the scheduled date and time.

  9. Verify that the roles are imported into Oracle Identity Analytics from Oracle Waveset by accessing the Oracle Identity Analytics Roles tab (choose Identity Warehouse > Resources).

3.5 Populating Oracle Waveset With Roles Information From Oracle Identity Analytics

See the use cases in this section if you have user accounts in Oracle Identity Analytics that you want to use to populate the Oracle Waveset repository.

Note - Exporting roles from Oracle Identity Analytics to Oracle Waveset should be a one-time event that takes place during configuration. To export roles to Oracle Waveset, be sure that the Role Consumer box is selected in the Sun (Oracle Waveset) Provisioning Server settings.

Oracle Identity Analytics can create roles based on either existing entitlements or business attributes (client requirements). Policy formation and role-policy association can be performed during role creation. In addition, the role-user association can also be established.

Oracle Waveset does not have the concept of policies. The roles in Oracle Identity Analytics are mapped to Business Roles in Oracle Waveset, whereas the policies in Oracle Identity Analytics are mapped to IT Roles in Oracle Waveset. As policies are directly assigned to resources in Oracle Identity Analytics, similarly, IT Roles are directly assigned to resources in Oracle Waveset. Thus, the one-to-many relationship between role and policies is carried forward from Oracle Identity Analytics to Oracle Waveset by way of the one-to-many relationship between Business Roles and IT Roles. This allows for more efficient grouping of entitlements and easier management of user access. Thus, along with roles, policies also need to be exported from Oracle Identity Analytics to Oracle Waveset.

3.5.1 Use Case 1: Exporting Roles From Oracle Identity Analytics to Oracle Waveset

Note - Roles in Oracle Identity Analytics correspond to Business Roles in Oracle Waveset.

3.5.1.1 To Export Roles to Oracle Waveset

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new export job, choose Schedule Job > Export > Export Roles.

  5. Under Data Selection Source, select the appropriate Connection Name and click Next.

  6. Complete the form by entering the Name and Description of the Job.

  7. Choose one of the following:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  8. Click Finish to create the export job.

    The job runs on the scheduled date and time.

  9. Verify that the roles were properly exported to Oracle Waveset by opening Oracle Waveset and clicking the Business Role Roles tab.

Note:

Policies (roles content) are exported as part of roles export.

3.6 Understanding Closed Loop Compliance

With the integration of Oracle Identity Analytics and Oracle Waveset, it is possible to directly revoke roles and entitlements from Oracle Waveset if the results of the certification process require it. This integration eliminates the need for manual de-provisioning of access for managed resources. In addition, the manual process of revoking roles and entitlements by leveraging the information stored in the remediation configuration module is also retained. This takes into account nonmanaged applications.

The following closed loop remediation diagram illustrates this process.

Figure 3-4 OIA and Oracle Waveset Closed-Loop Remediation Diagram

3.6.1 To Configure Resources in Oracle Identity Analytics for Remediation

Every resource type in Oracle Identity Analytics can be separately configured for automatic or manual remediation.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Resources.

  3. Click the resource for which remediation action needs to be configured, and go to the Remediation tab.

  4. Select the Select Provisioning Mode check box.

  5. Choose the mode of provisioning desired for the particular resource.

    • Auto - Automatically send role/entitlement updates linked with this resource to Oracle Waveset.

      Select the appropriate connection name of the provisioning server and save the changes.

    • Manual - Use the manual steps for revocation of roles and entitlements using a text editor.

      List the steps to be followed for non-managed system remediation and save the changes.

3.6.2 To Configure Certifications in Oracle Identity Analytics for Remediation

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Identity Certification.

  4. Expand the Revoke and Remediation section and, under the Remediation section, choose one of the following options:

    • Display Remediation Instructions - Select to display instructions about how to perform manual remediation of nonmanaged resources.

    • Perform Closed Loop Remediation on - Select to specify that the remediation be completed by either the Certification End Date or the Certification Completion Date.

3.7 Oracle Waveset Sample Workflows

Sample Oracle Waveset workflows are available to facilitate the integration of Oracle Waveset with Oracle Identity Analytics. Use the sample workflows included with Oracle Waveset 8.1.1-Patch 1 (located in the sample/wfrolemanager.xml file).

Note - Do not use the sample workflows included with Oracle Waveset 8.1.1 because they are no longer current.

The following Oracle Waveset sample workflows are available.

Table 3-1 Oracle Waveset Sample Workflows

| Workflow Name | Description |
| --- | --- |
| Check SRM Integration | Invokes workflow services to determine if Oracle Identity Analytics (Sun Role Manager) integration has been configured. Returns a Boolean value in the isSRMIntegrated variable. |
| Merge SRM Role Assignments | If Oracle Identity Analytics is integrated and the UserView option getRuleDrivenRoleManagerRoles is set to true, this process will retrieve the list of roles to be automatically assigned by OIA configured rules. This list of roles will be merged with the Waveset-assigned roles into the UserView. |
| Create SRM User | If Oracle Identity Analytics is integrated, this process invokes the create OIA user action based on UserView attributes. |
| Update SRM User | If Oracle Identity Analytics is integrated, this process invokes the update OIA user action based on UserView attributes. |
| Rename SRM User | If Oracle Identity Analytics is integrated, this process invokes the rename OIA user action. |
| Delete SRM User | If Oracle Identity Analytics is integrated, this process invokes the delete OIA user action. |
| Disable SRM User | If Oracle Identity Analytics is integrated, this process invokes a disable OIA user action. |
| Enable SRM User | If Oracle Identity Analytics is integrated, this process invokes an enable OIA user action. |
| Create SRM User Reconcile Response Workflow | If Oracle Identity Analytics is integrated, this per-account workflow invokes the creation of OIA users while processing unmatched accounts during reconciliation. |


3.8 Oracle Identity Analytics Web Services

With an out-of-the-box integration, web services from both Oracle Waveset and Oracle Identity Analytics can be used as needed. For information about Oracle Identity Analytics web services, see the API Guide for Oracle Identity Analytics.

3.9 Troubleshooting

The information in this section briefly describes how to approach troubleshooting an Oracle Identity Analytics and Oracle Waveset integration.

3.9.1 System Logs

Application logs are generated and stored in the application deployment folder in rbacx.log. The log captures various details such as import/export information, ETL processing, and any exceptions that can arise while running the application. There are different levels of logging in the rbacx.log file, and these can be adjusted and modified as needed. The properties file that is used to alter the logging level is found under the $RBACX_HOME/WEB-INF folder, and the file name is log4j.properties.

There are three levels of logging that are commonly used by the system integrators: WARN, INFO, and DEBUG.

To change logging levels, open log4j.properties in a text editor and modify the line under the #Role Manager IAM logging section as follows:

log4j.logger.com.vaau.rbacx.iam=DEBUG

Other parameters to be aware of are Security logging and IAM logging. These logs report Security and entitlement data exceptions.

For more information about logging, see the Administrator's Guide for Oracle Identity Analytics.