1 Introduction to Oracle Identity Navigator

Oracle Identity Navigator is an administrative portal designed to act as a single launch pad for accessing the administration consoles for other Oracle Identity Management components. It does not replace the individual component consoles. Rather, it allows you to access the Oracle Identity Management consoles centrally from one location. This chapter contains the following topics:

1.1 Relationships with Other Components

Oracle Identity Navigator is installed with other Oracle Identity Management components and centralizes access to product administration consoles, as well as other identity services. Oracle Identity Navigator can be installed with other Oracle Identity Management components in the same domain or in different domains. It is a web-based application that you access through a browser. You can use Oracle Identity Navigator to access the following product administration consoles and identity services:

  • Oracle Access Management Access Manager

  • Oracle Adaptive Access Manager

  • Oracle Authorization Policy Manager

  • Oracle Directory Services Manager

  • Oracle Directory Integration Platform

  • Oracle Enterprise Manager

  • Oracle Entitlements Server

  • Oracle Identity Analytics

  • Oracle Access Management Identity Federation

  • Oracle Identity Manager

  • Oracle Privileged Account Manager

  • Oracle Role Manager

  • Oracle WebLogic Server

  • Oracle Web Services Manager

Figure 1-1 shows the following relationships between Oracle Identity Navigator and the Oracle Identity Management components:

  • Each administration console launches in its own separate browser window. You configure Oracle Identity Navigator to connect to these consoles either by specifying the URLs directly, or by employing the product discovery feature.

  • Like Oracle Enterprise Manager Fusion Middleware Control, Oracle Identity Navigator is a Java EE application deployed on an Oracle WebLogic Server. It uses Oracle Metadata Service.

  • The Oracle Identity Navigator report feature relies on Oracle Business Intelligence Publisher and requires configuration to communicate with an Oracle Business Intelligence Publisher server.

  • You can access Oracle RSS feeds and view them in the Dashboard. You might need to configure a proxy to connect through your company's firewall.

Figure 1-1 Relationships Between Oracle Identity Navigator and Other Components


1.2 Single Sign-On Integration

Oracle Identity Navigator is integrated with 11g Oracle Platform Security Services for single sign-on (SSO) support. Some of the component consoles accessible from Oracle Identity Navigator are single sign-on enabled and can be configured to authenticate against the same authentication service in the Oracle Identity Navigator operation environment. Single sign-on enabled consoles include Oracle Access Management, Oracle Identity Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Privileged Account Manager. Double sign-on occurs for other components, such as Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control. For more information, see Section 2.3, "Configuring Single Sign-On (SSO)".

1.3 Common Admin Roles

Common Admin Roles are a set of predefined standardized application roles for securing administrative access to Oracle Identity Management applications. These roles encapsulate the common administrative tasks across the Oracle Identity Management Suite.

Note:

You must configure enterprise roles to support the Common Admin Roles before you can begin using them. For more information, see Section 2.2, "Configuring the Enterprise Roles".

Common Admin Roles can be assigned to users from the Oracle Identity Navigator Administration page. Each administrative role enables a corresponding set of rights that are common across the Identity Management Suite components.

Table 1-1 describes the responsibilities each role type supports and the skills and expertise required in order to perform typical duties associated with that role. You can assign any of the roles described in Table 1-1 to a user as a component role. Once a role assignment is made, the user is granted the corresponding administrative capabilities for that component.

Table 1-1 Summary of the Common Admin Roles

Common Admin Role Name, Responsibility, Skills and Expertise Required

Application Configurator

  Responsibility:

  • Use Identity Management applications to support business requirements within an assigned business scope.

  Skills and Expertise Required:

  • Strong knowledge of product features.

  • Good knowledge of business requirements.

Application Auditor

  Responsibility:

  • Use Identity Management applications to support business requirements within an assigned business scope.

  Skills and Expertise Required:

  • Strong knowledge of product features.

  • Good knowledge of business requirements related to transactional pattern analysis.

Application Troubleshooter

  Responsibility:

  • Use Identity Management applications to support business-specific troubleshooting or investigation.

  Skills and Expertise Required:

  • Strong knowledge of analysis features.

Security Auditor

  Responsibility:

  • Provide audit reports to upper management.

  • Verify permissions and generate access reports.

  • Verify proper configuration of Identity Management applications.

  Skills and Expertise Required:

  • Strong knowledge of access management processes.

  • Strong knowledge of the risks associated with unauthorized access.

  • Good understanding of information security and system architecture.

Security Admin

  Responsibility:

  • Configure Identity Management application roles and approve role grants.

  • Configure Identity Management applications to work with corporate infrastructure and applications.

  • Maintain system credentials for identity stores, key stores, databases, and other repositories.

  • Grant administrative roles and permissions.

  Skills and Expertise Required:

  • Strong knowledge of corporate infrastructure.

  • Strong technical knowledge of troubleshooting infrastructure access rights.

  • Strong knowledge of Identity Management security architecture.

User Manager

  Responsibility:

  • Create, modify, and delete users and groups.

  • Reset passwords and unlock accounts.

  Skills and Expertise Required:

  • Strong knowledge of corporate identity infrastructure.

Helpdesk Admin

  Responsibility:

  • Reset passwords and unlock accounts.

  • Troubleshoot access problems.

  Skills and Expertise Required:

  • Strong knowledge of corporate applications.

  • Strong knowledge of troubleshooting infrastructure access rights.


1.4 Administrative Role Types

Actions that an authenticated user can perform are based on the roles assigned. Oracle Identity Navigator supports two types of administrative roles:

  • Administrators with Common Admin Roles

    Administrators with Common Admin Roles specific to Oracle Identity Navigator can administer Oracle Identity Navigator as summarized in Table 1-2.

  • Component administrators

    A component administrator manages a specific Identity Management component. These role types can be finer grained than the Common Admin Role. For more information, see Section 2.9, "Advanced: Configuring Component Administrative Role-Based Access".

Table 1-2 describes the Common Admin Roles that are specific to Oracle Identity Navigator and the access rights each conveys. All authenticated users can access My Profile and News and Announcements.

Table 1-2 Summary of Oracle Identity Navigator Common Admin Roles

Common Admin Role Name Access Rights

Security Admin

  • Access to all the product links in the Product Launcher.

  • Access to the Access Privileges page for User/Role search and assignment.

Security Auditor

  • Access to all the product links in the Product Launcher.

  • Access to the My Reports page with full privileges for reports.

Application Configurator

  • Access to all the product links in the Product Launcher.

  • Access to BI Publisher, including configuration, report folder mapping, and assignment to product components.

  • Access to Product Registration, including Discover Products and Product Links setup.


After installation, all users who are members of the Oracle WebLogic Server Administrators group are granted all superuser privileges required to administer Oracle Identity Navigator. The default administrator is the weblogic user (also known as the bootstrap user) who is a member of the Administrators group.

The weblogic user, as the bootstrap user, can be used to map the users from the domain identity store to the Oracle Identity Navigator Common Admin Roles detailed in Table 1-2. Users mapped to the Security Admin role can assign the Common Admin Roles to other users, and can later replace the weblogic user in your environment. After the initial user mapping is completed, replace the default weblogic user by mapping the Security Admin role to at least one administrator user defined in your domain identity store.

Note:

Administration roles specific to Oracle Privileged Account Manager are managed in Oracle Identity Navigator. For information about managing Oracle Privileged Account Manager roles, see Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

1.5 Reports

Oracle Identity Navigator supports a set of default reports. These reports provide meaningful information to auditors for examining the security practices of the component as deployed, as well as enabling a check of the component health status.

1.5.1 Oracle Business Intelligence Publisher

All reports are generated using Oracle Business Intelligence Publisher. Oracle BI Publisher 11.1.1.5.0, or higher, must be installed separately. See Section 2.5.2, "Configuring Oracle Business Intelligence Publisher" for more information on installing and configuring Oracle BI Publisher.

1.5.2 My Reports

My Reports is a portlet used to view Oracle Identity Management BI Publisher Reports. In addition, the My Reports portlet allows you to save a report query so you can run the report again. Every administrative user has their own My Reports portlet in the Dashboard page. You can add report categories to My Reports and save different reports under different categories. Reports are categorized by the component name.

The following tasks can be performed in My Reports:

  • Show a list of Oracle Identity Management BI Publisher Reports in a portlet configuration page.

  • Select a report, add configuration parameters to query the data, and add the report to the My Reports list from a portlet configuration page.

  • View and run any report that you have access to.

For more information about using My Reports, see Section 3.4, "Managing Your Reports".

1.6 News and Announcements

Oracle Identity Navigator supports the following three Oracle RSS feeds:

  • Identity Management Discussion Forum

  • Oracle New Downloads

  • Oracle Security Alerts

The RSS feeds cannot be changed.

1.7 System Requirements and Certification

Refer to the system requirements and certification documentation for information about hardware and software requirements, platforms, databases, and other information. Both of these documents are available on Oracle Technology Network (OTN).

The system requirements document covers information such as hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-requirements-100147.html

The certification document covers supported installation types, platforms, operating systems, databases, JDKs, and third-party products:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html