9 Managing Disconnected Resources

Disconnected resources are targets for which there is no connector. Therefore, provisioning fulfillment for disconnected resources is not automated but manual. In earlier releases of Oracle Identity Manager, disconnected provisioning was not supported as a first-class use case; it was supported by using manual tasks in the provisioning process. This approach has a number of limitations, which are addressed by the Disconnected Resources model. In Oracle Identity Manager 11g Release 2 (11.1.2), disconnected resources are an enhanced configuration for manual provisioning that leverages SOA integration to provide higher flexibility and configurability of the manual provisioning workflow.

Some examples of disconnected resources include a Badge, Laptop, Pager, or any such item wherein the fulfillment is manual.

This chapter describes the following topics:

9.1 Disconnected Resources Architecture

The Disconnected Resource feature makes use of the existing Oracle Identity Manager provisioning engine artifacts such as the Provisioning Process, Process Task, Adapters and so on while providing BPEL Integration in a seamless and configurable manner.

When a Disconnected Application Instance is created from the UI, it automatically seeds a number of backend configuration artifacts, including a resource object (of type Disconnected), a provisioning process with tasks for the basic provisioning operations, an IT resource, and a process form with the minimal fields (which can be further customized).

Figure 9-1 illustrates the provisioning process architecture for disconnected resources.

Figure 9-1 Disconnected Resource Architecture

When a disconnected application instance is provisioned to a user (via request or otherwise), the specific workflow in the provisioning process is triggered. This fires the corresponding process task and executes the manual provisioning adapter, which invokes the out-of-the-box disconnected provisioning SOA composite. A SOA manual task is assigned to the System Administrator by default. When the assignee acts on the manual task, the provisioning callback webservice is invoked with the assignee-specified response; it then completes or aborts the provisioning operation and updates the account appropriately.

Table 9-1 lists the attributes of the manual provisioning SOA composite payload that are available in the composite.

Table 9-1 Manual Provisioning SOA Composite Payload Attributes

Attribute: Description

Account ID: Account ID (oiu_key) for the account under consideration
AppInstance Name: Disconnected Application Instance Display Name
Resource Object Name: Disconnected Resource Object Name
ITResource Name: Disconnected ITResource Name
Beneficiary Login: Login of the account beneficiary
Entity Key: Application Instance Key in case of Provision, Revoke, Disable, and Enable account operations.
Entity Type: Type is set to ApplicationInstance in case of Provision, Revoke, Disable, and Enable account operations.
Beneficiary First Name: First name of the account beneficiary
Beneficiary Last Name: Last name of the account beneficiary
Descriptive Field: Account descriptive field for the account under consideration
URL: Oracle Identity Manager callback URL for the webservice.
Request Key: Request Key if the operation is through a request.
Requester Login: Login of the requester if the operation is through a request.


9.2 Managing Disconnected Application Instance

Managing a disconnected application instance includes the following tasks:

9.2.1 Creating a Disconnected Application Instance

Note:

Before creating the application instance, you must create a new sandbox, and you must publish the sandbox after the application instance is created. See "Managing Sandboxes" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about creating and publishing a sandbox.

To create a disconnected application instance:

  1. Log in to Oracle Identity System Administration.

  2. In the left pane, under Configuration, click Application Instances. The Application Instances page is displayed.

  3. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.

  4. In the respective attribute fields, enter the values as shown in the following table:

    Attribute: Value

    Name: Enter the name of the application instance. This is a required field.
    Display Name: Enter the display name of the application instance. This is a required field.
    Description: Specify a description of the application instance.
    Disconnected: Select the checkbox. This flag indicates that the application instance is disconnected.

    Note: This is a UI-only flag and is not persisted in the backend. Checking this flag disables the Resource Object and ITResource Instance fields, as these are automatically created in the back end.


    Figure 9-2 shows the Create Application Instance attributes.

    Figure 9-2 Create Application Instance Attributes

  5. Click Save. The application instance is created, and the details of the application instance are displayed.

  6. The UI form for the disconnected resource is automatically created and set. Click Apply.

  7. In addition to the application instance, in the back end, the following provisioning artifacts are automatically created:

    • Resource object of type Disconnected

    • ITresource type definition with the following parameters:

      • Configuration Lookup

      • Connector Server Name

      • Identity Gateway Name

        Note:

        IT resource type definition parameters are for future use and the values for the same need not be set.
    • IT resource of this type definition

    • Parent process form with the following fields:

      • Account ID

      • Password

      • Account login

      • IT resource

    • Process definition with workflows for the following operations:

      • Provision Account

      • Enable Account

      • Disable Account

      • Revoke Account

      • Modify Account Attributes

    • Adapters

      • Manual Provisioning

      • Manual Entitlement Provisioning

  8. From the System Administration UI, search for the scheduled job called "Catalog Synchronization Job" and execute it.

9.2.2 Creating a Disconnected Application Instance for an Existing Disconnected Resource

To create a disconnected application instance for an existing disconnected resource, see Section 8.2.1, "Creating Application Instances".

Note:

You must not select the Disconnected option, as this will create artifacts including the resource object and IT resource in the backend.

9.3 Provisioning Operations on a Disconnected Application Instance

When the provisioning process is triggered for Enable, Disable, Revoke, or Provision operations, the corresponding process task is inserted, which runs the Manual Provisioning adapter. This adapter invokes the out-of-the-box provisioning SOA composite. A SOA Human Task is assigned to the System Administrator by default.

From the pending approvals page, the System Administrator can:

  • Check the task details

  • Check the account details

  • Change process form data in OIM by changing data and clicking the Fulfill button

  • Perform the operation manually in the target

  • Act on the pending task by clicking Complete or Reject.

    Figure 9-3 displays the field options for provisioning operations for the beneficiary.

    Figure 9-3 Provision Operation for Disconnected Resources

When the assignee acts on the pending manual task, the provisioning callback webservice is invoked, which continues the Oracle Identity Manager operation and updates the account appropriately. See Section 9.5, "Status Changes in Manual Process Task Action" for details on changes to account status based on assignee action.

9.3.1 Process Form Updates

When a process form field of a disconnected resource is updated, the "<FORM_NAME> Updated" process task is inserted into the provisioning process. This generates a manual SOA human task, so that the assignee can manually apply the changes in the corresponding target.

Note:

The "<FORM_NAME> Updated" task is inserted irrespective of whether the update is to a single process form field or to multiple process form fields. This behavior is different from that of a connected resource. In addition, note that the individual process form field update tasks need not be configured for a disconnected resource.

9.4 Managing Entitlement for Disconnected Resource

Managing entitlements for a disconnected resource includes the following tasks:

9.4.1 Configuring Entitlement Grant

Configuring Entitlement Grant for a disconnected resource involves the following:

9.4.1.1 Creating a Child Form and Configuring Entitlement Lookup via Form Designer

To create a child form and configure the lookup definition for entitlements:

  1. Once the disconnected application instance is created, the IT Resource Instance field on the Create Application Instance page is populated with the name of the IT resource instance that was created. Note down the IT resource instance name.

  2. Using SQL*Plus, open a connection to the Oracle Identity Manager database and run the following query:

    1. select svr_key, svr_name from svr where svr_name = '<IT_RESOURCE_NAME>';

    2. Use the IT resource name from Step 1 as the svr_name. Note down the svr_key that this query returns.

  3. Go to Oracle Identity System Administration. Under Configuration, click Form Designer and perform the following steps:

    1. Select Type as Resource.

    2. Click on the Resource Type and search for the Disconnected Resource.

    3. From the search result, click on the disconnected application instance form name.

  4. Go to Child Objects tab and click Add to add a child form.

  5. In the Name field, provide a name to the child table and click OK.

  6. Click the UD_<CHILD_TABLE_NAME> link to open it for editing.

  7. Create the custom field with the lookup type.

  8. Provide the following values for the entitlement field:

    1. In the Display Label field, enter a display name.

    2. In the Name field, enter a name for the lookup.

  9. Select the following check boxes:

    • Searchable

    • Entitlement

    • Searchable Picklist

      Note:

      You must select the Searchable, Entitlement, and Searchable Picklist check boxes to create an entitlement field on the child form.

  10. Create a new custom field of Lookup Type and click OK.

  11. In the List of Values section, click the Create a new lookup type icon, and provide values for Meaning (for example, Lookup.Laptop.apps), Code (for example, Lookup.Laptop.apps), and Description. Then add the lookup codes as follows:

    1. Click New to add the entitlement values as lookup codes. The values in the Code and Meaning columns must have the following format:

      Code: <svr_key>~<ENTITLEMENT_NAME>
      Meaning: <ENTITLEMENT_DESCRIPTION>

    2. Click Save and Close.

  12. Click Back to Parent Object to return to the parent form.

  13. Click Regenerate View to regenerate UI artifacts and dataset, and confirm by clicking OK.

  14. Go back to Oracle Identity System Administration, System Management, Scheduler.

  15. Search for a scheduled job called Entitlement List and execute it.

  16. After the scheduled job execution completes, search for another scheduled job called Catalog Synchronization Job and execute it.
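The lookup codes entered in Step 11 bind each entitlement to the IT resource of the application instance through the svr_key prefix, and a wrong key, a missing tilde, or stray whitespace leaves the entitlement unresolvable. The following Python script is an added example, not part of this Oracle documentation: it builds lookup rows in the <svr_key>~<ENTITLEMENT_NAME> format from the svr_key returned by the query in Step 2 and checks existing rows before they are loaded. The svr rows, IT resource names, and entitlement names are constructed sample data.

```python
"""Build and check entitlement lookup codes for a disconnected resource.

Codes must have the form <svr_key>~<ENTITLEMENT_NAME>, where svr_key is the key
of the IT resource created with the application instance (the value returned
by the svr query in Step 2).  All rows and names below are constructed sample
data, not values from a real Oracle Identity Manager database.
"""
import re

# Constructed stand-in for "select svr_key, svr_name from svr" results.
SVR_ROWS = [(42, "Laptop IT Resource"), (43, "Badge IT Resource")]

LOOKUP_CODE_RE = re.compile(r"^(\d+)~([^~]+)$")


def resolve_svr_key(svr_rows, it_resource_name):
    """Return the svr_key of the named IT resource; fail if missing or ambiguous."""
    keys = [key for key, name in svr_rows if name == it_resource_name]
    if len(keys) != 1:
        raise LookupError(f"expected one svr row for {it_resource_name!r}, found {len(keys)}")
    return keys[0]


def build_lookup_rows(svr_key, entitlements):
    """Return (Code, Meaning) rows for (ENTITLEMENT_NAME, DESCRIPTION) pairs."""
    rows = []
    for name, description in entitlements:
        name = name.strip()
        if not name or "~" in name:  # the tilde is the key/name separator
            raise ValueError(f"invalid entitlement name {name!r}")
        rows.append((f"{svr_key}~{name}", description.strip()))
    return rows


def validate_lookup_rows(rows, expected_svr_key):
    """Return (code, problem) pairs for rows that would not resolve correctly."""
    problems = []
    seen = set()
    for code, meaning in rows:
        if code != code.strip():  # stray whitespace silently breaks the match
            problems.append((code, "leading/trailing whitespace in code"))
            continue
        match = LOOKUP_CODE_RE.match(code)
        if not match:
            problems.append((code, "code is not <svr_key>~<ENTITLEMENT_NAME>"))
            continue
        if int(match.group(1)) != expected_svr_key:
            problems.append((code, f"svr_key {match.group(1)} is not this "
                                   f"application instance's IT resource ({expected_svr_key})"))
        if code in seen:
            problems.append((code, "duplicate code"))
        seen.add(code)
        if not meaning.strip():
            problems.append((code, "empty meaning"))
    return problems
```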

9.4.1.2 Configuring the Process Task that Invokes the SOA Composite

To configure the process task that invokes the SOA composite:

  1. From the Design Console, navigate to the Process Definition form of the disconnected resource.

  2. Click Add Task to add a new process task with a name such as Grant UD_ENT Entitlement.

    Note:

    You must make sure that the following flags are set:

      • Conditional

      • Allow Multiple Instances

    You must also deselect the "Required for Completion" flag.

  3. Select the child table, for example, UD_ENT from the combo box and set Trigger Type as Insert.

  4. Save the task. Figure 9-4 displays the process task fields.

    Figure 9-4 Create Process Task

  5. Navigate to the Responses tab for the same task, and add Response, Description, and Status as shown in Figure 9-5.

    Figure 9-5 Edit Entitlement

  6. Navigate to the Integration tab for the same task.

  7. Click Add and select the Adapters radio button.

  8. Select the adpMANUALENTITLEMENTPROVISIONING adapter. The adapter has seven variables. Figure 9-6 shows a sample adapter variable mapping.

    Figure 9-6 Sample Adapter Variable Mapping

  9. Configure the adapter variable mappings to Literal Strings as shown in Table 9-2.

    Note:

    While performing this step, you must ensure that there are no trailing spaces.

    Table 9-2 Adapter Variable Mappings for Entitlement Grant

    Variable Name: Map To

    AccountKey: AccountKey(Org)
    CompositeName: SOA Composite
    ProvisioningOperation: Grant Entitlement
    OperationKey: Task Instance Key
    Service Name: manualprovisioningprocess_client
    CompositeURL: http://xmlns.oracle.com/DefaultProvisioningComposite/DisconnectedProvisioning/ManualProvisioningProcess
    Adapter Return Value: Response Code


    Once the above configuration is done, a disconnected resource entitlement can be requested for a user with the account. This will insert the process task created in Step 4. A SOA Human Task will be assigned to the System Administrator for granting the entitlement in the target manually. When the assignee acts on the pending human task, the provisioning callback webservice is invoked, which completes or aborts the Oracle Identity Manager operation. See Section 9.5, "Status Changes in Manual Process Task Action" for more information about changes to status based on assignee action.

9.4.2 Configuring for Entitlement Revoke

To configure entitlement revoke:

  1. Go to Design Console, navigate to the Process Definition form of the disconnected resource, and click Add Task.

  2. Add a new process task with the name ManualRevokeEntitlementStart.

    Note:

    You must make sure that the following flags are set:

      • Conditional

      • Allow Multiple Instances

    You must also deselect the "Required for Completion" flag.

  3. Navigate to the Responses tab for the same task, and add the following responses and statuses:

    Response Description Status
    Completed Completed C
    Rejected Rejected R

  4. Navigate to the Integration tab for the same task.

  5. Click Add and select the Adapters radio button.

  6. Select the adpMANUALENTITLEMENTPROVISIONING adapter. The adapter has seven variables.

  7. Click Save to save the process task and close.

  8. Configure the adapter variable mappings to Literal Strings as shown in Table 9-3.

    Note:

    You must make sure that there are no trailing spaces.

    Table 9-3 Adapter Variable Mappings for Entitlement Revoke

    Variable Name: Map To

    AccountKey: Process Data, Process Instance
    CompositeName: default/DisconnectedProvisioning!1.0
    ProvisioningOperation: Revoke Entitlement
    OperationKey: Task Instance Key
    Service Name: manualprovisioningprocess_client
    CompositeURL: http://xmlns.oracle.com/DefaultProvisioningComposite/DisconnectedProvisioning/ManualProvisioningProcess
    Adapter Return Value: Response Code

9.5 Status Changes in Manual Process Task Action

Table 9-4 provides details about status changes based on manual task action:

Table 9-4 Manual Process Task Action Statuses

Provisioning Operation / Manual Task Action: Provisioning Action

Provision / Complete: Account status will be set to Provisioned.
Provision / Reject: Account status will not be updated.
Disable / Complete: Account status will be set to Disabled.
Disable / Reject: Account status will not be updated.
Enable / Complete: Account status will be set to Enabled.
Enable / Reject: Account status will not be updated.
Revoke / Complete: Account status will be set to Revoked.
Revoke / Reject: Account status will not be updated.
Update / Complete: No Operation
Update / Reject: No Operation
Grant Entitlement / Complete: Completes the child table insert trigger process task and sets the entitlement status to Provisioned.
Grant Entitlement / Reject: Cancels the child table insert trigger process task, which deletes the child table entry.
Revoke Entitlement / Complete: Deletes the child table entry from Oracle Identity Manager.
Revoke Entitlement / Reject: No Operation

9.6 Customizing Provisioning SOA Composite

The provisioning SOA composite supports the following customizations:

9.6.1 Customizing Human Task Assignment via SOA Composer

The manual disconnected provisioning SOA composite has a default rule, ManualProvisioningRule, which assigns the human task to the System Administrator.

A custom rule with a higher priority, based on payload attributes such as Application Instance Name, can be created from the SOA Composer UI to customize the manual task assignment.

To add a custom rule:

  1. Log in to the SOA Composer UI, click Open Task, and select the DisconnectedProvisioning_rev1.0 composite.

  2. From the ManualProvisioningTaskRules.rules tab, click Edit to add a custom rule.

  3. Add Rule by providing the rule name and the conditional assignment rule.

  4. Using the Up arrow, move the custom rule above the ManualProvisioningRule.

  5. Save and commit changes. Figure 9-7 displays the manual provisioning rule that is added.

    See Also:

    SOA Composer documentation for more information about creating rules

    Figure 9-7 Add Manual Provisioning Rule

9.6.2 Customizing by Modifying the Out of the Box Composite

To modify the out of the box Disconnected Provisioning composite:

  1. Copy the composite from OIM_HOME/workflows/composites/DisconnectedProvisioning.zip to a local JDeveloper working location. Unzip it in the same directory to create the DisconnectedProvisioning directory.

  2. Open the composite in JDeveloper in Default Role.

    Note:

    You must install the version of JDeveloper that is compatible with the Oracle Identity Manager deployment. In addition, install any patches for JDeveloper so that JDeveloper works correctly with the SOA composites.
  3. As part of the customization, do not alter the following:

    • Payload attributes defined in DisconnectedProvisioning\xsd\ManualProvisioningTaskPayload.xsd

    • ProvisioningCallbackService partnerlink and mappings

  4. Double-click composite.xml to open the composite and modify as per your requirements.

  5. Deploy the SOA composite from JDeveloper to the Oracle SOA server. Make sure that you do not update the Revision ID, and select the Overwrite any existing composites with the same revision ID option.

9.7 Troubleshooting Disconnected Resources

Table 9-5 displays the common problems that you may encounter while performing provisioning and other tasks for disconnected resources.

Table 9-5 Troubleshooting Disconnected Resources

Problem: Upon provisioning a disconnected application instance, the manual task is not assigned to the assignee.

Solution: Perform the following steps:

  1. Make sure that the SOA server is running.

  2. Check the Open Tasks page for rejected process tasks, and check the error information in the task, if it exists.

  3. Check the Oracle Identity Manager logs to verify that the adapter is running.

  4. Check the adapter mappings in the process task to make sure that there are no typos.

Problem: Upon manual task completion, the account status is not modified.

Solution: Perform the following steps:

  1. Make sure that the provisioning callback webservice, Provcallback, is deployed.

  2. Test the webservice from the application server console.

Problem: Upon submitting a catalog request for the Revoke Entitlement operation, the following error is thrown:

JBO-29115 Unable to construct the error message due to error:
java.lang.IllegalArgumentException: can't parse argument number
UD_D1001C_INTERNALATTR=.

Solution: Make sure that the process task with the name "ManualRevokeEntitlementStart" is configured correctly as per the steps in Section 9.4.2, "Configuring for Entitlement Revoke".