Oracle® Fusion Middleware User's Guide for Oracle Identity Manager
11g Release 1 (11.1.1)

Part Number E14316-07

17 Managing Request Templates

A request template lets you customize a request type for a purpose. In other words, it allows you to control the attributes of the request by controlling the various capabilities in the UI. For instance, if you want to create requests for user creation for all contract employees and specify an attribute to have a particular value, then you can customize the Create User request type to create a request template that allows customization of the request. By creating the request template, you can specify that the organization for all employees must be XYZ Inc. or the user type of all contract employees must be Part-time Employee.

Access to templates for request creation is based on the role assignment defined in the template. After creation of a request template, it is available only to the users with the roles that are assigned to the template.

A default template is shipped predefined for each request type. These predefined templates cannot be deleted or renamed. The names of these predefined templates are the same as the names of the corresponding models.

You can use a request template for the following purposes:

To summarize, the following are achieved by using the request template:

The template management service internally uses Oracle Entitlements Server (OES) to determine who can perform which operations. The OES policy for request template authorization specifies that only users with the REQUEST TEMPLATE ADMINISTRATORS role are authorized to create or clone, search, modify, and delete request templates. See "Request Creation By Using Request Templates" for information about the authorization policy for request templates.

This section discusses the following topics:

17.1 Creating Request Templates

As a user belonging to the REQUEST TEMPLATE ADMINISTRATORS role, you can create a request template by using the Create Request Template wizard in the UI for request management. Steps in the wizard are dynamically generated based on the selection of the request type in the first step and the selection of resource for resource-based request types.

Creation of request templates is described with the help of the following scenarios:

17.1.1 Creating a Request Template Based on the Create User Request Type

To create a request template based on the Create User request type:

  1. Log in to Oracle Identity Manager Administrative and User Console with credentials that have the permission to create a request template.

    Note:

    The user who is a member of the REQUEST TEMPLATE ADMINISTRATORS role is allowed to create a request template. If the appropriate role is not assigned to the user, then the required UI options for creating a request template will not be available to the user.
  2. Click Advanced to open Oracle Identity Manager Advanced Administration.

  3. Click the Configuration tab, and then click Request Templates. Alternatively, you can click the Search Request Templates link under Configuration in the Welcome page.

  4. On the left pane, from the Actions menu, select Create. Alternatively, you can click the Create Request Template icon on the toolbar. The Set request template details page of the Create Request Template wizard is displayed.

  5. Enter values for the following fields, and then click Next.

    • Request Template Name: Enter the name of the template that you want to create, for example, Create Contractor.

    • Request Type: Select the type of request for which you want to create the request template, for example, Create User.

    • Description: Enter a description for the request template that you are creating.

    • Template Level Approval Process: Specify the approval workflow name if you want to specify an approval process for the Create User request. This is a template-level approval in addition to the request-level and operation-level approvals. For creating users for contract employees, you can specify that the HR representative, who is responsible for the recruitment of all contract employees, must approve the user creation. For more information about approval levels, see the "Approval Levels" section in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

      See Also:

      "Chapter 25: Configuring Workflows" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about default approval processes

      Figure 17-1 shows the Set request template details page of the Create Request Template wizard:

      Figure 17-1 The Set Request Template Details Page


  6. On the Select Attributes to Restrict page, select the attributes of the Create User type for which you want the user to enter values. Attributes that are restricted by the request template are either not shown to the user, or the user is only allowed to select from predefined LOVs; the user cannot enter any values. Figure 17-2 shows the Select Attributes to Restrict page:

    Figure 17-2 The Select Attributes to Restrict Page


    This page displays the attributes based on the dataset for Create User request type. If a request is created by using the Create User request template, then you can specify values for all these default attributes. If you want to restrict some of these attributes and want the requester to enter values for a few attributes, then you can select those attributes in this page. For example, you can select Middle Name because a value for this attribute must be specified. In this example, you can select the Middle Name, Organization, User Type, User Manager, and Country attributes.

    Note:

    • Even if a dataset attribute is configured with a PrePopulationAdapter, it can be restricted in a request template. In such a case, pre-population does not happen, and the values restricted in the template are shown in the request creation UI. Hence, if pre-population is required for an attribute, it should not be restricted in the template.

    • As mentioned earlier in this section, the steps in the wizard are dynamically generated based on the request type and the resource selection for resource-based request types. The steps are indicated on the top of the tab.

  7. On the Set Attribute Restrictions page, specify restrictions on the attributes that you selected in the Select Attributes to Restrict page. To specify restrictions:

    Note:

    This step is generated only if there are any attributes specified in the corresponding request data set.
    1. For the User Login attribute, select any one of the following:

      - Do not allow users to enter values for this attribute: Select this option if you do not want the user to specify a value for the attribute. On selecting this option, the attribute will not be displayed in the UI when creating the user. This option is not displayed for a mandatory attribute because a value must be specified for a mandatory attribute.

      - Restrict this attribute to the following values: Select this option if you want to specify one or more values for the attribute. For example, if you specify a value for the Department Number attribute, such as Software Engineering, then the default value of the attribute is set to Software Engineering, and the attribute is not displayed in the UI when creating a request by using this template. You can also specify multiple values for the attribute by using the + (plus) icon. On specifying multiple values, the values are available to the user as LOVs when creating a request by using this template, from which the user can select a value.

      Tip:

      These options are displayed for the Department Number attribute because the attribute is specified as a text box in the request dataset. For information about request datasets, see "Step 1: Creating a Request Dataset for the Resources" section in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
    2. Specify one or more values for the Organization attribute. To do so, click the search icon next to the Organization field, select one or more organization names from the Available Organizations list, and click the Move button.

      Tip:

      The Organization attribute is displayed as a field for which you must select a value by searching the existing organization names because this attribute is specified as an entity in the request dataset. This is a dynamic LOV because organizations can be created in Oracle Identity Manager. For information about request datasets, see "Request Dataset" section in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
    3. Specify a value for the User Type attribute. To do so, select one or more values from the Available User Type list, and click the Move button.

      Tip:

      The User Type attribute is displayed as a static LOV because this attribute is specified as a static LOV in the request dataset. This is a static LOV because the user must select from the available user types and cannot create new user types. For information about request datasets, see "Step 1: Creating a Request Dataset for the Resources" section in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
    4. Specify values for the User Manager and Country attributes, and click Next.

      Figure 17-3 shows the Set Attribute Restrictions page:

      Figure 17-3 The Set Attribute Restrictions Page


    Note:

    Steps 5, 6, and 7 are common to the creation of all request templates.
  8. On the Set Additional Attributes page, you can specify additional information about attributes, which need to be collected based on the template that you are creating but are not used for the purpose of entity mapping.

    Note:

    The Additional Attribute Data is not used during request execution. This data is also not displayed to the approver.

    In this example, specify date of birth as the additional attribute name. Select the Data Type as Number and Display Type as Text Field, and then click Add. You can specify multiple attributes by clicking the Add button. When finished, click Next.

    See Also:

    "Step 1: Creating a Request Dataset for the Resources" section in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about the additional attributes that are not mapped to the underlying Oracle Identity Manager entity

    Figure 17-4 shows the Set Additional Attributes page:

    Figure 17-4 The Set Additional Attributes Page


  9. On the Set Template User Roles page, you can select one or more roles, for example, AD Administrators, whose members are allowed to create requests by using the template that is being created. In this example, from the Available Roles list, select a role such as Contractor Administrators. Click Move to include the selected roles in the Selected Roles list, and then click Next.

    Note:

    Only members of the selected roles are allowed to create requests using the request template. This is governed by the authorization policy for creating requests by using request templates. See "Request Creation By Using Request Templates" for information about creating a request by using request templates.

    Figure 17-5 shows the Set Template User Roles page:

    Figure 17-5 The Set Template User Roles Page


  10. On the Review Request Template Summary page, as shown in Figure 17-6, review the data that has been entered for Request Template Name, Request Type, Description, and Template Level Approval Process, and then click Finish.

    Figure 17-6 The Review Request Template Summary Page


  11. Click OK to confirm the template creation.

In the Create Request Template wizard, the following steps are common irrespective of the request type that you select or the request dataset that you define:

  • Request details to be specified in the Set request template details page. See step 5 of the procedure to create a request template.

  • Setting additional attributes in the Set Additional Attributes page. See step 8.

  • Setting roles for the template in the Set Template User Roles page. See step 9.

  • Request template information in the Review Request Template Summary page. See step 10.

17.1.2 Creating a Request Template Based on the Provisioning Resource Request Type

The Provision Resource default request template that is based on the Provision Resource request type can be used for provisioning resources to users. But if you want to customize the request creation for provisioning specific resources to users, then you can create a request template, which is based on the Provision Resource request type.

To create a request template based on the Provisioning Resource request type:

  1. In Oracle Identity Manager Advanced Administration, click the Configuration tab, and then click the Request Templates tab. Alternatively, you can click the Search Request Templates link under Configuration in the Welcome page.

    Note:

    The user who is a member of the REQUEST TEMPLATE ADMINISTRATORS role is allowed to create a request template. If the appropriate role is not assigned to the user, then the required UI options for creating a request template will not be available to the user.
  2. On the left pane, from the Actions menu, select Create. Alternatively, you can click the Create a Request Template icon on the toolbar. The Set request template details page of the Create Request Template wizard is displayed.

  3. Enter values for the following fields, and then click Next.

    • Request Template Name: Enter the name of the request template, for example, Provision E-Business Resource.

    • Request Type: Select a request type, such as Provision Resource.

      Note:

      The steps in the Create Request Template wizard are dynamically generated on clicking Next after providing the Request Template Basic Information in the first step of the wizard.
    • Description: Enter a description for the request template that you are creating.

    • Approval Process: Enter the name of the approval workflow. For information about this field, see step 4 of "Creating a Request Template Based on the Create User Request Type".

  4. In the Select Allowed Resources page, click Search to search for all the available resources.

  5. From the Available Resources list, select one or more resources, and then click Move to include the selected resources in the Selected Resources list. In this example, select the E-Business RO resource, and then click Next.

    Note:

    • Only the resources that you select in this step are displayed to the requester during request creation by using this template. If you do not select a resource here, then all the resources in Oracle Identity Manager are displayed while creating the request.

    • If no entity type is restricted in the template, then all the available entity types are shown to the requester while creating a request by using this template.

  6. In the Select Attributes to Restrict page, select the attributes associated with the E-Business resource that you want to restrict. These attributes are defined in the request dataset for provisioning the E-Business resource. See "Step 1: Creating a Request Dataset for the Resources" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about attributes.

    If you select multiple resources in the Select Allowed Resources page, then the attributes associated with all the resources are displayed in the Select Attributes to Restrict page. Select the attributes for all the resources that you want to restrict, and then click Next.

  7. In the Set Attribute Restrictions page, specify values for the attributes whose values you want to restrict. For example, for the Fax attribute, select the Do not allow users to enter values for this attribute option if you do not want the user to specify a value for the attribute. Otherwise, select the Restrict the attribute to the following values option and specify one or more values for the Fax attribute. For information about these options and setting restrictions for attributes, see "Creating a Request Template Based on the Create User Request Type".

    Note that the Do not allow users to enter values for this attribute option is not available for the Server and Life Span Type attributes. This is because these attributes are specified as required in the request dataset. For information about the required property, see "Creating a Request Template Based on the Create User Request Type" section in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

    Select restriction values for all the attributes, and then click Next.

    Tip:

    If you are creating a request template for a request to provision multiple resources to users, click the Next Resource and Previous Resource buttons to set attribute restrictions for all the resources.

    Note:

    Attributes that are displayed as a shuttle on the attribute restrictions page show up to 200 results at a time. You need to provide an appropriate search pattern to get relevant search results.
  8. Perform steps 8 through 10 of the procedure in "Creating a Request Template Based on the Create User Request Type" to complete the wizard.

    Note:

    In the Create Request Template wizard, the steps to select resources and set attribute restrictions vary based on the request type. The rest of the steps are similar.

While creating a request template, if you select a resource that does not have a request dataset defined, then you are not allowed to restrict the attributes to collect from the user. This is because there is no information specified about the data that is to be collected from the user for the selected resource. As a result, the Step 3: Attributes and Step 4: Restrictions in the Create Request Template wizard are not applicable because the attributes in these steps are defined by the request dataset, in the absence of which, there is no data to restrict. However, when you select a resource that does not have a request dataset, the Service Account attribute is displayed in the Step 3: Attributes because this attribute is defined by the common request dataset. See "Common Request Dataset" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about common request dataset.
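The restriction, resource, and role rules described in the two procedures above can be checked against a planned template before it is built in the wizard. The following is an added example, not Oracle Identity Manager code or an Oracle API: the Template class, its fields, the function names, and the sample values marked as constructed are all hypothetical.

```python
# Added illustration: a small model of the template rules described in 17.1.
# Not Oracle Identity Manager code; every name below is hypothetical.
from dataclasses import dataclass, field


@dataclass
class Template:
    name: str
    request_type: str
    user_roles: set                      # roles chosen on Set Template User Roles
    # attribute -> restricted values; an empty list models the option
    # "Do not allow users to enter values for this attribute"
    restrictions: dict = field(default_factory=dict)
    # empty set models "no resource selected": every resource is offered
    allowed_resources: set = field(default_factory=set)


def definition_errors(tpl, mandatory):
    """Mandatory attributes cannot be hidden; list any that the template hides."""
    return sorted(a for a, vals in tpl.restrictions.items()
                  if a in mandatory and not vals)


def form_view(tpl, dataset_attrs):
    """How each dataset attribute is presented to the requester."""
    view = {}
    for attr in dataset_attrs:
        vals = tpl.restrictions.get(attr)
        if vals is None:
            view[attr] = "free"      # unrestricted, pre-population can apply
        elif not vals:
            view[attr] = "hidden"    # no value may be entered
        elif len(vals) == 1:
            view[attr] = "fixed"     # single value is set and not displayed
        else:
            view[attr] = "lov"       # requester selects one listed value
    return view


def offered_resources(tpl, all_resources):
    """Resources shown to the requester; no selection means all of them."""
    all_resources = set(all_resources)
    if not tpl.allowed_resources:
        return all_resources
    return tpl.allowed_resources & all_resources


def violations(tpl, requester_roles, submitted, resource=None, all_resources=()):
    """Compare a submitted request with the template; empty list = conforms."""
    found = []
    if not tpl.user_roles & set(requester_roles):
        found.append("requester holds no role assigned to the template")
    for attr, vals in tpl.restrictions.items():
        if attr not in submitted:
            continue                 # hidden and fixed attributes are not entered
        if not vals:
            found.append(f"{attr}: value supplied for a hidden attribute")
        elif submitted[attr] not in vals:
            found.append(f"{attr}: {submitted[attr]!r} is outside the restricted values")
    if resource is not None and resource not in offered_resources(tpl, all_resources):
        found.append(f"resource {resource!r} is not offered by the template")
    return found


# Constructed samples. Template, role and resource names follow the examples in
# this chapter; the "Contractor" user type and "AD User" resource are made up.
ALL_RESOURCES = ["E-Business RO", "AD User"]
CREATE_CONTRACTOR = Template(
    "Create Contractor", "Create User", {"Contractor Administrators"},
    restrictions={"Organization": ["XYZ Inc."],
                  "User Type": ["Part-time Employee", "Contractor"],
                  "Fax": []})
PROVISION_EBS = Template(
    "Provision E-Business Resource", "Provision Resource",
    {"Contractor Administrators"}, allowed_resources={"E-Business RO"})
UNSCOPED = Template(
    "Provision Any (constructed)", "Provision Resource",
    {"Contractor Administrators"})

if __name__ == "__main__":
    print(form_view(CREATE_CONTRACTOR,
                    ["First Name", "Organization", "User Type", "Fax"]))
    print(sorted(offered_resources(UNSCOPED, ALL_RESOURCES)))
    print(violations(CREATE_CONTRACTOR, ["AD Administrators"],
                     {"Organization": "Other Org", "Fax": "555"}))
```

The UNSCOPED sample shows the case from the note in step 5: a Provision Resource template saved without any selected resource offers every resource to each role assigned to it.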

17.2 Searching and Modifying Request Templates

Oracle Identity Manager Administration allows you to perform simple and advanced searches for request templates if you have the privileges of the REQUEST TEMPLATE ADMINISTRATORS role.

To perform a simple search for request templates:

  1. In Oracle Identity Manager Advanced Administration, click the Configuration tab, and then click the Request Templates tab. Alternatively, you can click the Search Request Templates link under Configuration in the Welcome page.

  2. In the left pane of the Request Templates section, enter a search criterion in the Search field. You can use the asterisk (*) wildcard character in the Search field.

    Note:

    In simple and advanced search for request templates, searching with a translated request template name is not supported. For default request templates, you can search only with English template names as stored in the database. However, if you create a request template by specifying its name in another language, then you can search for it by using the same string, and not in any other language.
  3. Click the icon next to the Search field to display a list of default and nondefault request templates.

    All the default request templates are blank templates without any customization on top of the request types. Table 17-1 lists the default request templates:

    Table 17-1 Default Request Templates

    Request Template                Description
    Assign Roles                    Default template for assigning roles to users
    Create User                     Default template for creating users
    De-Provision Resource           Default template for deprovisioning resources
    Delete User                     Default template for deleting users
    Disable Provisioned Resource    Default template for disabling provisioned resources
    Disable User                    Default template for disabling users
    Enable Provisioned Resource     Default template for enabling disabled resources
    Enable User                     Default template for enabling users
    Modify Provisioned Resource     Default template for modifying provisioned resources
    Modify Self Profile             Default template for modifying self profile
    Modify User Profile             Default template for modifying user profiles
    Provision Resource              Default template for provisioning resources
    Remove from Roles               Default template for removing users from roles
    Self-Register User              Default template for self registering users
    Self-Request Resource           Default template for requesting resources for self


    Note:

    Each request template mentioned in Table 17-1 has a default callback policy, which is used by the SPML web service.

To perform an advanced search for request templates:

  1. In the left pane of the Request Templates section, click Advanced Search. The Advanced Search: Request Templates page is displayed.

  2. Select any one of the following matching options:

    • All: On selecting this option, the search is performed with the AND condition. This means that the search result shows request templates when all the search criteria specified are matched.

    • Any: On selecting this option, the search is performed with the OR condition. This means that the search result shows request templates when any of the specified search criteria is matched.

  3. Specify values in the fields as search criteria. For each field, select an operator, such as Equals, Contains, or Begins with.

  4. Click Search. The search results table is displayed with details about the request template name, request type, approval process, and description.

    Figure 17-7 Advanced Search Result for Request Templates


To modify a request template:

  1. Select a template name in the search results table. From the Actions menu, select Open. The Template Details page is displayed with the details about the template.

  2. In the Template Details section, the details of the template are displayed in the fields, as shown in Table 17-2:

    Table 17-2 Fields in the Template Details Section

    Field                              Description
    Request Template Name              The name of the request template, for example, Create User
    Request Type                       The request type, for example, Create User
    Template Level Approval Process    The additional approval process, which is invoked for requests that are created using this request template.
    Description                        The description for the request template


    Note:

    Modification of Request Template Name and Request Type is not supported, and therefore, these fields are shown as non-editable in the template details.

After you create a request template, and search for the request templates, the template that you created is also displayed in the search results table on the left pane. You can view the details of the template that you created. For example, if you select the Create Contractor request template and select Open from the Actions menu, then the Template Details page for the Create Contractor request template is displayed.

Note that the tabs that are displayed in the Template Details section correspond to the steps in the Create Template wizard. Similar to the steps in the wizard, the tabs in the Template Details page are dynamically generated, and each tab corresponds to a step in the Create Template wizard. In general, the Request Template Details page has the following tabs:

Note:

These tabs are dynamically generated based on the request type that is associated with the request template. In other words, each tab that is displayed in the Request Template Details page corresponds to a step in the Create Request Template wizard.

17.2.1 Allowed Resources or Allowed Roles

The Allowed Resources tab or the Allowed Roles tab is displayed only if the request type is associated with a resource or a role. Figure 17-8 shows the Allowed Resources tab:

Figure 17-8 The Allowed Resources Tab


The options available in this tab allow you to edit and delete resources or roles. To edit resources or roles:

  1. Open/Edit the Request Template that you want to modify in Oracle Identity Manager Advanced Administration.

  2. In the Allowed Resources tab of the request template details page, select the resource or role that you want to edit.

  3. From the Actions list, select Edit. The Allowed Resources dialog box is displayed.

  4. Search for the resource or role that you want to edit.

  5. From the Available Resources list, select one or more resources and click Move or Move All to include the resources in the Selected Resources list.

  6. Click Perform. The resource is listed in the Allowed Resources tab.

To delete a resource or role:

  1. Select the resource or role that you want to delete.

  2. From the Actions list, select Delete. A message box is displayed that confirms the deletion.

  3. Click OK.

17.2.2 Attribute Restrictions

This tab contains the attribute restrictions, if any. Figure 17-9 shows the Attribute Restrictions tab:

Figure 17-9 The Attribute Restrictions Tab


Using this tab, you can put additional restrictions on the entity types that you can select if it is associated with a generic request type. To do so:

  1. Open/edit the Request Template that you want to modify in Oracle Identity Manager Advanced Administration.

  2. In the upper section, select new attributes for restriction, or deselect existing attributes, which are restricted for any of the user or resource entities that have been restricted.

  3. In the lower section, modify the values for restricted attributes.

  4. Click Next Resource. The attributes for the next resource are displayed. If there are multiple resources restricted, then navigation to attribute restrictions across the resources is possible using the Previous Resource and Next Resource buttons.

Note:

Restricting approver-only attributes by using a request template is not supported.

17.2.3 Additional Attributes

This tab is always displayed. Figure 17-10 shows the Additional Attributes tab:

Figure 17-10 The Additional Attributes Tab


Using this tab, you can specify additional attributes for data collection at the template level. These attributes are collected when the user creates a request. This data cannot be used during request execution. You can add new template attributes or delete the existing template attributes.

To specify additional attributes for data collection:

  1. Open/Edit the Request Template that you want to modify in Oracle Identity Manager Advanced Administration.

  2. In the Attribute Name field of the Additional Attributes tab, enter the name of the attribute.

  3. From the Data Type list, select a value from String, Number, Date or Boolean.

  4. From the Display Type list, select the type of field, such as text field, date field, and check box, which you want to display for this attribute.

  5. Click Add. The attribute is added to the Additional Attributes section.

To delete an additional attribute, select the attribute and select Delete from the Actions list.

17.2.4 Template User Roles

This tab allows you to select the roles that can be assigned to the request template. Only the users with the role are able to create requests by using the template. Figure 17-11 shows the Template User Roles tab:

Figure 17-11 The Template User Roles Tab


To select roles for assigning to the request template:

  1. Open/Edit the Request Template that you want to modify in Oracle Identity Manager Advanced Administration.

  2. From the Available Roles list of the Template User Roles tab, select the roles whose members you want to allow to create requests by using this template.

  3. Click Move or Move All to include the roles in the Selected Roles list.

17.3 Cloning Templates

Cloning a request template is the procedure to create a new request template by inheriting all the properties of an existing request template.

Note:

The Request Type field cannot be modified while cloning a template. The Request Type of the new template will be the same as the existing template.

To clone a request template:

  1. Go to Oracle Identity Manager Advanced Administration.

  2. From the advanced search results in the Template Details page, select a request template that you want to clone.

  3. From the Actions menu, select Clone. The Clone Template page is displayed with the details of the request template that you have selected for cloning.

  4. Modify the required details of the request template for creating the new request template.

  5. Click Save to create the new request template.

17.4 Deleting Templates

To delete a template as a member of the Templates Administrators role:

  1. In the Request Templates tab in Oracle Identity Manager Advanced Administration, search for the existing request templates.

  2. From the search results table, select the template that you want to delete.

  3. From the Actions list, select Delete. A message box is displayed that asks for confirmation.

  4. Click Yes to confirm.

Note:

If the template to be deleted is referenced by any existing request, then it cannot be deleted. Attempting to delete such a template displays an error message in the UI.