Oracle Identity Analytics System Integrator's Guide 11g Release 1


Oracle Waveset Sample Workflows Introduction

This appendix includes sample Oracle Waveset workflows that can be used to facilitate the integration of Oracle Waveset (previously Sun Identity Manager) with Oracle Identity Analytics (previously Sun Role Manager).

Note - Do not use the sample workflows included with Oracle Waveset 8.1.1. Instead, use either the updated workflows available in Waveset 8.1.1-Patch 1 or the updated workflows available in this appendix.

For more information about these workflows, see the Configuring the Maximum Number of Identity Certification Records That Should Display in the UI chapter.

 
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>

<!--
   Workflow Processes related to integration with Role Manager.
-->

<!--============================================================================
  Check SRM Integration
    Invokes WorkflowServices to determine if SRM integration has been
    configured.  Returns the boolean value in the isSRMIntegrated variable.

    The other workflows in this file call this process by name and gate
    their SRM web service call on the returned value.
=============================================================================-->
<Configuration name='Check SRM Integration'>
  <Extension>
    <WFProcess name='Check SRM Integration'>
      <!-- Declared as an output so that a calling process can read it. -->
      <Variable name='isSRMIntegrated' output='true'/>

      <Activity name='start'>
        <Transition to='Test SRM Integration'/>
      </Activity>

      <Activity name='Test SRM Integration'>
        <!-- Runs the 'isSRMIntegrated' operation of the provisioning
             WorkflowServices and copies the result of the same name into
             the process variable. -->
        <Action application='com.waveset.provision.WorkflowServices'>
          <Argument name='op' value='isSRMIntegrated'/>
          <Return from='isSRMIntegrated' to='isSRMIntegrated'/>
        </Action>

        <Transition to='end'/>
      </Activity>

      <Activity name='end'/>
    </WFProcess>
  </Extension>
</Configuration>

<!--============================================================================
  Merge SRM Role Assignments
    If SRM is integrated and the UserView option 'getRuleDrivenRoleManagerRoles'
    is set to 'true', this process will retrieve the list of roles to be
    automatically assigned by SRM configured rules.  This list of roles will be
    merged with the IdM assigned roles into the UserView.

    Input:  user           (the UserView to merge into)
    Output: refreshedUser  (the view after the merge, or the input view
                            unchanged when the merge is skipped)

    NOTE(review): the roles returned by the SRM 'Preview' call are written
    into the view and 'update.selectAll' is set before the view is refreshed;
    this process contains no approval or validation activity of its own, so
    the role set applied is whatever the configured web service resource
    returns.
=============================================================================-->
<Configuration name='Merge SRM Role Assignments'>
  <Extension>
    <WFProcess name='Merge SRM Role Assignments'>
      <Variable name='user' input='true'/>

      <Variable name='refreshedUser' output='true'>
        <Comments>
          The refreshed view of the user after merging SRM rule-based role
          assignments.
        </Comments>
      </Variable>

      <Variable name='isSRMIntegrated'>
        <Comments>
          This is a boolean indicating if SRM is integrated.
        </Comments>
      </Variable>

      <Variable name='previewedRoles'>
        <Comments>
          The list of roles SRM is reporting should be assigned to the user.
        </Comments>
      </Variable>

      <Variable name='wsResult'>
        <Comments>
          This is a GenericObject holding the result of calls to SRM web services.
        </Comments>
      </Variable>

      <Activity name='start'>
        <Transition to='Check SRM Integration'/>
      </Activity>

      <Activity name='Check SRM Integration'>
        <Action process='Check SRM Integration'>
          <Return from='isSRMIntegrated' to='isSRMIntegrated'/>
        </Action>

        <!-- Continue to the SRM preview only when SRM is integrated and the
             user view carries a true 'getRuleDrivenRoleManagerRoles' value.
             The unconditional transition below is the fallback and leads to
             'Set Refreshed User', which returns the view unchanged. -->
        <Transition to='Check SRM Role Assignments'>
          <and>
            <isTrue><ref>isSRMIntegrated</ref></isTrue>
            <isTrue>
              <get>
                <ref>user</ref>
                <s>getRuleDrivenRoleManagerRoles</s>
              </get>
            </isTrue>
          </and>
        </Transition>
        <Transition to='Set Refreshed User'/>
      </Activity>

      <Activity name='Set Refreshed User'>
        <!-- Skip path: the output is the input view as received. -->
        <Action name='Set Refreshed User'>
          <set name='refreshedUser'>
            <ref>user</ref>
          </set>
        </Action>

        <Transition to='end'/>
      </Activity>

      <Activity name='Check SRM Role Assignments'>
        <!-- Parameter map for the web service call: key 'user', value the
             user view. -->
        <Variable name='inputParams'>
          <map>
            <s>user</s>
            <ref>user</ref>
          </map>
        </Variable>

        <!-- Calls the 'Preview' action for object type 'Role' on the resource
             named 'Sun Role Manager Web Services' and stores the result in
             wsResult.
             NOTE(review): the call names 'cepException' in its catch argument
             and no activity in this process reads that name or checks
             wsResult afterwards.  Presumably a failed call leaves wsResult
             empty, in which case previewedRoles would be null when it is
             written to 'waveset.roleManagerRoles' below; confirm how the
             engine treats that case. -->
        <Action name='Get SRM Role Assignments'
                application='com.waveset.provision.WorkflowServices'>
          <Argument name='op' value='callWebService'/>
          <Argument name='wsAction' value='Preview'/>
          <Argument name='wsObjType' value='Role'/>
          <Argument name='resource' value='Sun Role Manager Web Services'/>
          <Argument name='parameters' value='$(inputParams)'/>
          <Argument name='catch' value='cepException'/>
          <Return from='wsResult' to='wsResult'/>
        </Action>

        <!-- Extracts the 'PreviewRoles' entry of the web service result. -->
        <Action name='Set previewed roles'>
          <set name='previewedRoles'>
            <get>
              <ref>wsResult</ref>
              <s>PreviewRoles</s>
            </get>
          </set>
        </Action>

        <Transition to='Merge SRM Role Assignments'/>
      </Activity>

      <Activity name='Merge SRM Role Assignments'>
        <!-- NOTE(review): no ref in this activity reads the local 'view'
             variable; the refresh action below returns its 'view' result
             straight into refreshedUser. -->
        <Variable name='view'>
          <Comments>
            The refreshed view of the user after merging SRM rule-based role
            assignments.
          </Comments>
        </Variable>

        <!-- Stores the previewed roles in the view under
             'waveset.roleManagerRoles'. -->
        <Action name='Set Role Manager Roles'>
          <invoke name='put'>
            <ref>user</ref>
            <s>waveset.roleManagerRoles</s>
            <ref>previewedRoles</ref>
          </invoke>
        </Action>

        <Action name='Set SelectAll'>
          <Comments>
            Indicate that any resources resulting from preview role assignments
            should be provisioned.
          </Comments>

          <invoke name='put'>
            <ref>user</ref>
            <s>update.selectAll</s>
            <s>true</s>
          </invoke>
        </Action>

        <!-- Refreshes the modified view through the session WorkflowServices;
             the refreshed view becomes the process output. -->
        <Action name='Update Role Assignments'
                application='com.waveset.session.WorkflowServices'>
          <Argument name='op' value='refreshView'/>
          <Argument name='view' value='$(user)'/>
          <Return from='view' to='refreshedUser'/>
        </Action>

        <Transition to='end'/>
      </Activity>

      <Activity name='end'/>
    </WFProcess>
  </Extension>
</Configuration>

<!--============================================================================
  Create SRM User
    If SRM is integrated, this process will invoke a create SRM user action
    based on UserView attributes.

    Input: user (the UserView of the account to be created).
    When SRM is not integrated the process goes straight to 'end'.
=============================================================================-->
<Configuration name='Create SRM User'>
  <Extension>
    <WFProcess name='Create SRM User'>
      <Variable name='user' input='true'>
        <Comments>
          The GenericObject containing the UserView for the account to be created.
        </Comments>
      </Variable>

      <Variable name='isSRMIntegrated'>
        <Comments>
          This is a boolean indicating if SRM is integrated.
        </Comments>
      </Variable>

      <Activity name='start'>
        <Transition to='Check SRM Integration'/>
      </Activity>

      <Activity name='Check SRM Integration'>
        <Action process='Check SRM Integration'>
          <Return from='isSRMIntegrated' to='isSRMIntegrated'/>
        </Action>

        <!-- First transition fires only when SRM is integrated; the second
             is the unconditional fallback. -->
        <Transition to='Create SRM User'>
          <isTrue>
            <ref>isSRMIntegrated</ref>
          </isTrue>
        </Transition>
        <Transition to='end'/>
      </Activity>

      <Activity name='Create SRM User'>
        <!-- Parameter map for the web service call: key 'user', value the
             user view. -->
        <Variable name='inputParams'>
          <map>
            <s>user</s>
            <ref>user</ref>
          </map>
        </Variable>

        <!-- Calls the 'Create' action for object type 'User' on the resource
             named 'Sun Role Manager Web Services'.
             NOTE(review): the call names 'cepException' in its catch argument
             and no activity in this process reads that name afterwards, so a
             failed call presumably ends the workflow without visible error
             handling; confirm, and check the result where the SRM user must
             exist. -->
        <Action application='com.waveset.provision.WorkflowServices'>
          <Argument name='op' value='callWebService'/>
          <Argument name='wsAction' value='Create'/>
          <Argument name='wsObjType' value='User'/>
          <Argument name='resource' value='Sun Role Manager Web Services'/>
          <Argument name='parameters' value='$(inputParams)'/>
          <Argument name='catch' value='cepException'/>
        </Action>

        <Transition to='end'/>
      </Activity>

      <Activity name='end'/>
    </WFProcess>
  </Extension>
</Configuration>

<!--============================================================================
  Update SRM User
    If SRM is integrated, this process will invoke an update SRM user action
    based on UserView attributes.

    Input: user (the UserView of the account to be updated).
    The update is skipped when the view option 'updateOIA' evaluates to
    false or when SRM is not integrated.
=============================================================================-->
<Configuration name='Update SRM User'>
  <Extension>
    <WFProcess name='Update SRM User'>
      <Variable name='user' input='true'>
        <Comments>
          The GenericObject containing the UserView for the account to be updated.
        </Comments>
      </Variable>

      <Variable name='updateRequested'>
        <Comments>
          Variable indicating whether an update is requested.  This variable
          will default to 'true'.  OIA/SRM can set this to 'false' to avoid
          an additional update to that system when a role membership request
          originates in OIA/SRM.
        </Comments>
      </Variable>

      <Variable name='isSRMIntegrated'>
        <Comments>
          A boolean indicating if SRM is integrated.
        </Comments>
      </Variable>

      <Activity name='start'>
        <Transition to='Check Update Requested'/>
      </Activity>

      <Activity name='Check Update Requested'>
        <!-- Three-part cond: tests user.viewOptions.updateOIA, takes the
             isTrue of that option when the test passes, and otherwise falls
             back to 1, which matches the "default to 'true'" description of
             updateRequested.
             NOTE(review): which values pass the first test is decided by the
             workflow engine; confirm that an explicit false value still
             reaches the isTrue branch rather than the default of 1. -->
        <Action name='Set Update Requested'>
          <set name='updateRequested'>
            <cond>
              <ref>user.viewOptions.updateOIA</ref>
              <isTrue>
                <ref>user.viewOptions.updateOIA</ref>
              </isTrue>
              <i>1</i>
            </cond>
          </set>
        </Action>

        <Transition to='Check SRM Integration'>
          <isTrue>
            <ref>updateRequested</ref>
          </isTrue>
        </Transition>

        <Transition to='end'/>
      </Activity>

      <Activity name='Check SRM Integration'>
        <Action process='Check SRM Integration'>
          <Return from='isSRMIntegrated' to='isSRMIntegrated'/>
        </Action>

        <!-- First transition fires only when SRM is integrated; the second
             is the unconditional fallback. -->
        <Transition to='Update SRM User'>
          <isTrue>
            <ref>isSRMIntegrated</ref>
          </isTrue>
        </Transition>
        <Transition to='end'/>
      </Activity>

      <Activity name='Update SRM User'>
        <!-- Parameter map for the web service call: key 'user', value the
             user view. -->
        <Variable name='inputParams'>
          <map>
            <s>user</s>
            <ref>user</ref>
          </map>
        </Variable>

        <!-- Calls the 'Update' action for object type 'User' on the resource
             named 'Sun Role Manager Web Services'.
             NOTE(review): the call names 'cepException' in its catch argument
             and no activity in this process reads that name afterwards, so a
             failed call presumably ends the workflow without visible error
             handling; confirm. -->
        <Action application='com.waveset.provision.WorkflowServices'>
          <Argument name='op' value='callWebService'/>
          <Argument name='wsAction' value='Update'/>
          <Argument name='wsObjType' value='User'/>
          <Argument name='resource' value='Sun Role Manager Web Services'/>
          <Argument name='parameters' value='$(inputParams)'/>
          <Argument name='catch' value='cepException'/>
        </Action>

        <Transition to='end'/>
      </Activity>

      <Activity name='end'/>
    </WFProcess>
  </Extension>
</Configuration>


<!--============================================================================
  Rename SRM User
    If SRM is integrated, invokes a rename SRM user action.

    Inputs: accountId (current user name) and newAccountId (new user name).
    When SRM is not integrated the process goes straight to 'end'.
=============================================================================-->
<Configuration name='Rename SRM User'>
  <Extension>
    <WFProcess name='Rename SRM User'>
      <Variable name='accountId' input='true'>
        <Comments>
          The name of the user to rename.
        </Comments>
      </Variable>

      <Variable name='newAccountId' input='true'>
        <Comments>
          The new user name.
        </Comments>
      </Variable>

      <Variable name='isSRMIntegrated'>
        <Comments>
          This is a boolean indicating if SRM is integrated.
        </Comments>
      </Variable>

      <Activity name='start'>
        <Transition to='Check SRM Integration'/>
      </Activity>

      <Activity name='Check SRM Integration'>
        <Action process='Check SRM Integration'>
          <Return from='isSRMIntegrated' to='isSRMIntegrated'/>
        </Action>

        <!-- First transition fires only when SRM is integrated; the second
             is the unconditional fallback. -->
        <Transition to='Rename SRM User'>
          <isTrue>
            <ref>isSRMIntegrated</ref>
          </isTrue>
        </Transition>
        <Transition to='end'/>
      </Activity>

      <Activity name='Rename SRM User'>
        <!-- Parameter map for the web service call: the old and the new
             account id under the keys 'accountId' and 'newAccountId'. -->
        <Variable name='inputParams'>
          <map>
            <s>accountId</s>
            <ref>accountId</ref>
            <s>newAccountId</s>
            <ref>newAccountId</ref>
          </map>
        </Variable>

        <!-- Calls the 'Rename' action for object type 'User' on the resource
             named 'Sun Role Manager Web Services'.
             NOTE(review): the call names 'cepException' in its catch argument
             and no activity in this process reads that name afterwards, so a
             failed rename presumably leaves the SRM user under the old name
             without visible error handling; confirm. -->
        <Action application='com.waveset.provision.WorkflowServices'>
          <Argument name='op' value='callWebService'/>
          <Argument name='wsAction' value='Rename'/>
          <Argument name='wsObjType' value='User'/>
          <Argument name='resource' value='Sun Role Manager Web Services'/>
          <Argument name='parameters' value='$(inputParams)'/>
          <Argument name='catch' value='cepException'/>
        </Action>

        <Transition to='end'/>
      </Activity>

      <Activity name='end'/>
    </WFProcess>
  </Extension>
</Configuration>

<!--============================================================================
  Delete SRM User
    If SRM is integrated, invokes a delete SRM user action.

    Inputs: accountId (the user to delete) and options (the deletion options
    of the IdM request).  The SRM delete is attempted only when the options
    show that the IdM user itself is being deleted; see the 'start' activity.
=============================================================================-->
<Configuration name='Delete SRM User'>
  <Extension>
    <WFProcess name='Delete SRM User'>
      <Variable name='accountId' input='true'>
        <Comments>
          The ID of the user to delete.
        </Comments>
      </Variable>

      <Variable name='options' input='true'>
        <Comments>
          Variables indicating whether or not the IdM user is to be deleted.
          The SRM user will be deleted if the IdM user will be.
        </Comments>
      </Variable>

      <Variable name='isSRMIntegrated'>
        <Comments>
          A boolean indicating if SRM is integrated.
        </Comments>
      </Variable>

      <Activity name='start'>
        <!-- Proceeds when options.targets contains 'Lighthouse', or when
             options.deleteUser or options.forceDelete is true; any other
             input takes the fallback transition to 'end'.
             NOTE(review): unlike the disable and enable workflows there is no
             isnull test on options here, so a request without options
             presumably skips the SRM delete and leaves the SRM user in
             place; confirm that callers always pass options. -->
        <Transition to='Check SRM Integration'>
          <!-- 
            The conditions here are different from the ones used for disable/enable
            but they are exactly the conditions used by the DeProvision subtask,
            reused here for consistency
          -->
          <or>
            <contains>
              <ref>options.targets</ref>
              <s>Lighthouse</s>
            </contains>
            <isTrue>
              <ref>options.deleteUser</ref>
            </isTrue>
            <isTrue>
              <ref>options.forceDelete</ref>
            </isTrue>
          </or>
        </Transition>
        <Transition to='end'/>
      </Activity>

      <Activity name='Check SRM Integration'>
        <Action process='Check SRM Integration'>
          <Return from='isSRMIntegrated' to='isSRMIntegrated'/>
        </Action>

        <!-- First transition fires only when SRM is integrated; the second
             is the unconditional fallback. -->
        <Transition to='Delete SRM User'>
          <isTrue>
            <ref>isSRMIntegrated</ref>
          </isTrue>
        </Transition>
        <Transition to='end'/>
      </Activity>

      <Activity name='Delete SRM User'>
        <!-- Parameter map for the web service call: key 'accountId'. -->
        <Variable name='inputParams'>
          <map>
            <s>accountId</s>
            <ref>accountId</ref>
          </map>
        </Variable>

        <!-- Calls the 'Delete' action for object type 'User' on the resource
             named 'Sun Role Manager Web Services'.
             NOTE(review): the call names 'cepException' in its catch argument
             and no activity in this process reads that name afterwards, so a
             failed delete presumably ends the workflow while the SRM user
             still exists; confirm, and check the result where deprovisioning
             has to be complete. -->
        <Action application='com.waveset.provision.WorkflowServices'>
          <Argument name='op' value='callWebService'/>
          <Argument name='wsAction' value='Delete'/>
          <Argument name='wsObjType' value='User'/>
          <Argument name='resource' value='Sun Role Manager Web Services'/>
          <Argument name='parameters' value='$(inputParams)'/>
          <Argument name='catch' value='cepException'/>
        </Action>

        <Transition to='end'/>
      </Activity>

      <Activity name='end'/>
    </WFProcess>
  </Extension>
</Configuration>

<!--============================================================================
  Disable SRM User
    If SRM is integrated, invokes a disable SRM user action.

    Inputs: accountId (the user to disable) and options (the options of the
    IdM disable request).  The SRM disable is attempted when options is null
    or names 'Lighthouse' among its targets; see the 'start' activity.
=============================================================================-->
<Configuration name='Disable SRM User'>
  <Extension>
    <WFProcess name='Disable SRM User'>
      <Variable name='accountId' input='true'>
        <Comments>
          The ID of the user to disable.
        </Comments>
      </Variable>

      <Variable name='options' input='true'>
        <Comments>
          Variables indicating whether or not the IdM user is to be disabled.
          The SRM user will be disabled if the IdM user will be.
        </Comments>
      </Variable>

      <Variable name='isSRMIntegrated'>
        <Comments>
          A boolean indicating if SRM is integrated.
        </Comments>
      </Variable>

      <Activity name='start'>
        <!-- Proceeds when options is null, when options.targets contains the
             string 'Lighthouse', or when one of the entries in
             options.targets returns 'Lighthouse' from getResourceName.
             Any other input takes the fallback transition to 'end'. -->
        <Transition to='Check SRM Integration'>
          <or>
            <isnull>
              <ref>options</ref>
            </isnull>
            <!-- 
              The viewers no longer put simple lists of strings into options.targets,
              however, customizations might still do.
            -->
            <contains>
              <ref>options.targets</ref>
              <s>Lighthouse</s>
            </contains>
            <contains>
              <dolist name='resInfo'>
                <ref>options.targets</ref>
                <invoke name='getResourceName'>
                  <ref>resInfo</ref>
                </invoke>
              </dolist>
              <s>Lighthouse</s>
            </contains>
          </or>
        </Transition>
        <Transition to='end'/>
      </Activity>

      <Activity name='Check SRM Integration'>
        <Action process='Check SRM Integration'>
          <Return from='isSRMIntegrated' to='isSRMIntegrated'/>
        </Action>

        <!-- First transition fires only when SRM is integrated; the second
             is the unconditional fallback. -->
        <Transition to='Disable SRM User'>
          <isTrue>
            <ref>isSRMIntegrated</ref>
          </isTrue>
        </Transition>
        <Transition to='end'/>
      </Activity>

      <Activity name='Disable SRM User'>
        <!-- Parameter map for the web service call: key 'accountId'. -->
        <Variable name='inputParams'>
          <map>
            <s>accountId</s>
            <ref>accountId</ref>
          </map>
        </Variable>

        <!-- Calls the 'Disable' action for object type 'User' on the resource
             named 'Sun Role Manager Web Services'.
             NOTE(review): the call names 'cepException' in its catch argument
             and no activity in this process reads that name afterwards, so a
             failed disable presumably ends the workflow while the SRM user
             stays enabled; confirm, and check the result where the disable
             has to take effect in both systems. -->
        <Action application='com.waveset.provision.WorkflowServices'>
          <Argument name='op' value='callWebService'/>
          <Argument name='wsAction' value='Disable'/>
          <Argument name='wsObjType' value='User'/>
          <Argument name='resource' value='Sun Role Manager Web Services'/>
          <Argument name='parameters' value='$(inputParams)'/>
          <Argument name='catch' value='cepException'/>
        </Action>

        <Transition to='end'/>
      </Activity>

      <Activity name='end'/>
    </WFProcess>
  </Extension>
</Configuration>

<!--============================================================================
  Enable SRM User
    If SRM is integrated, invokes an enable SRM user action.

    Inputs: accountId (the user to enable) and options (the options of the
    IdM enable request).  The SRM enable is attempted when options is null
    or names 'Lighthouse' among its targets; see the 'start' activity.
=============================================================================-->
<Configuration name='Enable SRM User'>
  <Extension>
    <WFProcess name='Enable SRM User'>
      <Variable name='accountId' input='true'>
        <Comments>
          The ID of the user to enable.
        </Comments>
      </Variable>

      <Variable name='options' input='true'>
        <Comments>
          Variables indicating whether or not the IdM user is to be enabled.
          The SRM user will be enabled if the IdM user will be.
        </Comments>
      </Variable>

      <Variable name='isSRMIntegrated'>
        <Comments>
          A boolean indicating if SRM is integrated.
        </Comments>
      </Variable>

      <Activity name='start'>
        <!-- Proceeds when options is null, when options.targets contains the
             string 'Lighthouse', or when one of the entries in
             options.targets returns 'Lighthouse' from getResourceName.
             Any other input takes the fallback transition to 'end'. -->
        <Transition to='Check SRM Integration'>
          <or>
            <isnull>
              <ref>options</ref>
            </isnull>
            <!-- 
              The viewers no longer put simple lists of strings into options.targets,
              however, customizations might still do.
            -->
            <contains>
              <ref>options.targets</ref>
              <s>Lighthouse</s>
            </contains>
            <contains>
              <dolist name='resInfo'>
                <ref>options.targets</ref>
                <invoke name='getResourceName'>
                  <ref>resInfo</ref>
                </invoke>
              </dolist>
              <s>Lighthouse</s>
            </contains>
          </or>
        </Transition>
        <Transition to='end'/>
      </Activity>

      <Activity name='Check SRM Integration'>
        <Action process='Check SRM Integration'>
          <Return from='isSRMIntegrated' to='isSRMIntegrated'/>
        </Action>

        <!-- First transition fires only when SRM is integrated; the second
             is the unconditional fallback. -->
        <Transition to='Enable SRM User'>
          <isTrue>
            <ref>isSRMIntegrated</ref>
          </isTrue>
        </Transition>
        <Transition to='end'/>
      </Activity>

      <Activity name='Enable SRM User'>
        <!-- Parameter map for the web service call: key 'accountId'. -->
        <Variable name='inputParams'>
          <map>
            <s>accountId</s>
            <ref>accountId</ref>
          </map>
        </Variable>

        <!-- Calls the 'Enable' action for object type 'User' on the resource
             named 'Sun Role Manager Web Services'.
             NOTE(review): the call names 'cepException' in its catch argument
             and no activity in this process reads that name afterwards, so a
             failed call presumably ends the workflow without visible error
             handling; confirm. -->
        <Action application='com.waveset.provision.WorkflowServices'>
          <Argument name='op' value='callWebService'/>
          <Argument name='wsAction' value='Enable'/>
          <Argument name='wsObjType' value='User'/>
          <Argument name='resource' value='Sun Role Manager Web Services'/>
          <Argument name='parameters' value='$(inputParams)'/>
          <Argument name='catch' value='cepException'/>
        </Action>

        <Transition to='end'/>
      </Activity>

      <Activity name='end'/>
    </WFProcess>
  </Extension>
</Configuration>

<!--============================================================================
  Notify Reconcile Response
    Per-account reconciliation response workflow.  When the response that
    was performed is CREATE_NEW_USER and SRM is integrated, it fetches the
    user view and invokes a create SRM user action.
=============================================================================-->

<!-- Note that this does not use wstype='ProvisioningTask'.  It is left as a
     TaskDefinition so that the ProcessViewer can find it, and it is expected
     to do its own authorization.

     NOTE(review): the task declares authType='ReconAdminTask' and no activity
     in the process below performs an explicit authorization check; confirm
     that the authType is what enforces access to this task.

     NOTE(review): the execMode attribute value is written as 'sync ' with a
     trailing space inside the quotes; confirm that the loader accepts it as
     the synchronous mode, or remove the space.
-->
<TaskDefinition name='Create SRM User Reconcile Response Workflow'
                authType='ReconAdminTask'
                taskType='Workflow'
                executor='com.waveset.workflow.WorkflowExecutor'
                syncControlAllowed='true'
                execMode='sync '
                visibility='invisible'>
  <Extension>
    <WFProcess name='Create SRM User Reconcile Response Workflow'>
      <Comments>
        A sample per-account action.
        Creates an SRM user when responsePerformed is CREATE_NEW_USER.
      </Comments>

      <Variable name='accountId' input='true'>
        <Comments>
          The account to which a response was just applied.
        </Comments>
      </Variable>

      <Variable name='resourceId' input='true'>
        <Comments>
          The object id of the resource  where the account resides.
        </Comments>
      </Variable>

      <Variable name='resourceName' input='true'>
        <Comments>
          The name of the resource resource  where the account resides.
        </Comments>
      </Variable>

      <Variable name='userId' input='true'>
        <Comments>
          The object id of the Lighthouse user associated with the account.
          If no user is associated with the account, this is null.
        </Comments>
      </Variable>

      <!-- NOTE(review): unlike accountId, resourceId, resourceName, userId
           and initialSituation, this variable is not marked input='true' and
           no activity in this process assigns it, yet 'Get Userview' passes
           it as the id of the view to fetch.  Confirm how it is populated. -->
      <Variable name='userName'>
        <Comments>
          The name of the Lighthouse user associated with the account.
          If no user is associated with the account, this is null.
        </Comments>
      </Variable>

      <Variable name='initialSituation' input='true'>
        <Comments>
          The situation that was initially discovered for the account,
          triggering the response.
          The value is a valid message key.
        </Comments>
      </Variable>

      <!-- NOTE(review): responseSuccess and responsePerformed are tested by
           the 'start' transition but neither is marked input='true'; confirm
           that the caller still supplies them. -->
      <Variable name='responseSuccess'>
        <Comments>
          A boolean indicating whether the response was successful.
        </Comments>
      </Variable>

      <Variable name='finalSituation'>
        <Comments>
          The situation of the account after the response was performed.
          The value is a valid message key.
          If the account no longer exists - on the resource and in Lighthouse -
          the value is null.
        </Comments>
      </Variable>

      <Variable name='responsePerformed'>
        <Comments>
          The id of the response performed.  One of the following:
            LINK_ACCOUNT
            UNLINK_ACCOUNT
            CREATE_ACCOUNT
            DELETE_ACCOUNT
            DISABLE_ACCOUNT
            CREATE_NEW_USER
            DO_NOTHING
        </Comments>
      </Variable>

      <Variable name='responsePerformedText'>
        <Comments>The string representation of the response performed</Comments>
      </Variable>

      <Variable name='isSRMIntegrated'>
        <Comments>
          This is a boolean indicating if SRM is integrated.
        </Comments>
      </Variable>

      <Variable name='user'>
        <Comments>
          The GenericObject containing the UserView for the account to be created.
        </Comments>
      </Variable>

      <Activity name='start'>
        <!-- Exit test comes first: the process ends when responseSuccess is
             false, when responsePerformed is null, or when responsePerformed
             is anything other than CREATE_NEW_USER.  Only otherwise does the
             fallback transition continue to the integration check. -->
        <Transition to='end'>
          <Comments>
            Do nothing if no response was attempted or the action is not
            CREATE_NEW_USER.
          </Comments>

          <or>
            <isFalse>
              <ref>responseSuccess</ref>
            </isFalse>
            <or>
              <isnull>
                <ref>responsePerformed</ref>
              </isnull>
              <neq>
                <ref>responsePerformed</ref>
                <s>CREATE_NEW_USER</s>
              </neq>
            </or>
          </or>
        </Transition>
        <Transition to='Check SRM Integration'/>
      </Activity>

      <Activity name='Check SRM Integration'>
        <Action process='Check SRM Integration'>
          <Return from='isSRMIntegrated' to='isSRMIntegrated'/>
        </Action>

        <!-- First transition fires only when SRM is integrated; the second
             is the unconditional fallback. -->
        <Transition to='Get Userview'>
          <isTrue>
            <ref>isSRMIntegrated</ref>
          </isTrue>
        </Transition>
        <Transition to='end'/>
      </Activity>

      <Activity name='Get Userview'>
        <!-- NOTE(review): no ref in this activity reads the local 'view'
             variable; the action below returns its 'view' result into the
             process variable 'user'. -->
        <Variable name='view'>
          <Comments>
            Local variable to hold view for view that gets checked out
          </Comments>
        </Variable>

        <!-- Requests a view of type 'User' for the id held in userName, with
             the NoFetch and NoViolationForm options set to 'true', and stores
             the returned view in 'user'. -->
        <Action application='com.waveset.session.WorkflowServices'>
          <Argument name='op' value='getView'/>
          <Argument name='type' value='User'/>
          <Argument name='NoFetch' value='true'/>
          <Argument name='NoViolationForm' value='true'/>
          <Argument name='id'>
            <ref>userName</ref>
          </Argument>
          <Return from='view' to='user'/>
        </Action>

        <Transition to='Create SRM User'/>
      </Activity>

      <Activity name='Create SRM User'>
        <!-- Parameter map for the web service call: key 'user', value the
             view fetched in 'Get Userview'. -->
        <Variable name='inputParams'>
          <map>
            <s>user</s>
            <ref>user</ref>
          </map>
        </Variable>

        <!-- Calls the 'Create' action for object type 'User' on the resource
             named 'Sun Role Manager Web Services'.
             NOTE(review): the call names 'cepException' in its catch argument
             and no activity in this process reads that name afterwards, so a
             failed call presumably ends the workflow without visible error
             handling; confirm. -->
        <Action application='com.waveset.provision.WorkflowServices'>
          <Argument name='op' value='callWebService'/>
          <Argument name='wsAction' value='Create'/>
          <Argument name='wsObjType' value='User'/>
          <Argument name='resource' value='Sun Role Manager Web Services'/>
          <Argument name='parameters' value='$(inputParams)'/>
          <Argument name='catch' value='cepException'/>
        </Action>

        <Transition to='end'/>
      </Activity>

      <Activity name='end'/>
    </WFProcess>
  </Extension>
  <!-- Lists the 'Top' object group as the task's member object group. -->
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
  </MemberObjectGroups>
</TaskDefinition>

</Waveset>