Disconnected resources are targets for which there is no connector. Therefore, provisioning fulfillment for disconnected resources is not automated, but manual. In earlier releases of Oracle Identity Manager, disconnected provisioning was not supported as a first-class use case; it was supported by using manual tasks in the provisioning process. This approach has a number of limitations, which are addressed by the Disconnected Resources model. In Oracle Identity Manager 11g Release 2 (11.1.2), disconnected resources are an enhanced configuration for manual provisioning that leverages SOA integration to provide higher flexibility and configurability of the manual provisioning workflow.
Some examples of disconnected resources include a Badge, Laptop, Pager, or any such item wherein the fulfillment is manual.
This chapter discusses the following topics:
Section 9.3, "Provisioning Operations on a Disconnected Application Instance"
Section 9.4, "Managing Entitlement for Disconnected Resource"
The Disconnected Resource feature makes use of the existing Oracle Identity Manager provisioning engine artifacts such as the Provisioning Process, Process Task, Adapters and so on while providing BPEL Integration in a seamless and configurable manner.
When a Disconnected Application Instance is created from the UI, it automatically seeds a number of backend configuration artifacts, including a resource object (of type Disconnected), a provisioning process with tasks for the basic provisioning operations, an IT resource, and a process form with the minimal fields (which can be further customized).
Figure 9-1 illustrates the provisioning process architecture for disconnected resources.
Figure 9-1 Disconnected Resource Architecture
When a disconnected application instance is provisioned to a user (via request or otherwise), the specific workflow in the provisioning process is triggered. This fires the corresponding process task and executes the manual provisioning adapter, which invokes the out-of-the-box disconnected provisioning SOA composite. A SOA manual task is assigned to the System Administrator by default. When the assignee acts on the manual task, the provisioning callback web service is invoked with the assignee-specified response; it then completes or aborts the provisioning operation and updates the account appropriately.
Table 9-1 lists the attributes of the manual provisioning SOA composite payload that are available in the composite.
Table 9-1 Manual Provisioning SOA Composite Payload Attributes
Attribute | Description |
---|---|
Account ID | Account ID (oiu_key) for the account under consideration |
AppInstance Name | Disconnected Application Instance Display Name |
Resource Object Name | Disconnected Resource Object Name |
ITResource Name | Disconnected ITResource Name |
Beneficiary Login | Login of the account beneficiary |
Entity Key | Application Instance Key in case of Provision, Revoke, Disable, and Enable account operations. |
Entity Type | Type is set to ApplicationInstance, in case of Provision, Revoke, Disable, and Enable account operations. |
Beneficiary First Name | First name of the account beneficiary |
Beneficiary Last Name | Last name of the account beneficiary |
Descriptive Field | Account descriptive field for the account under consideration |
URL | Oracle Identity Manager callback URL for the web service. |
Request Key | Request Key, if the operation is through a request. |
Requester Login | Login of the requester, if the operation is through a request. |
Managing a disconnected application instance includes the following tasks:
Section 9.2.1, "Creating a Disconnected Application Instance"
Section 9.2.2, "Creating a Disconnected Application Instance for an Existing Disconnected Resource"
Note:
Before creating the application instance, you must create a new sandbox, and publish it after creating the application instance. See "Managing Sandboxes" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about creating and publishing a sandbox.
To create a disconnected application instance:
Log in to Oracle Identity System Administration.
In the left pane, under Configuration, click Application Instances. The Application Instances page is displayed.
From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.
In the respective attribute fields, enter the values as shown in the following table:
Attribute | Value |
---|---|
Name | Enter the name of the application instance. This is a required field. |
Display Name | Enter the display name of the application instance. This is a required field. |
Description | Specify a description of the application instance. |
Disconnected | Select the check box. This is the flag to indicate whether the application instance is not connected. Note: This is a UI-only flag and is not persisted in the back end. Selecting this flag disables the Resource Object and ITResource Instance fields, as these are automatically created in the back end. |
Figure 9-2 shows the Create Application Instance attributes.
Click Save. The application instance is created, and the details of the application instance are displayed.
The UI form for the disconnected resource is automatically created and set. Click Apply.
In addition to the application instance, in the back end, the following provisioning artifacts are automatically created:
Resource object of type Disconnected
IT resource type definition with the following parameters:
Configuration Lookup
Connector Server Name
Identity Gateway Name
Note:
IT resource type definition parameters are for future use, and their values need not be set.
IT resource of the type definition created above
Parent process form with the following fields:
Account ID
Password
Account login
IT resource
Process definition with workflows for the following operations:
Provision Account
Enable Account
Disable Account
Revoke Account
Modify Account Attributes
Adapters
Manual Provisioning
Manual Entitlement Provisioning
From the System Administration UI, search for the scheduled job called "Catalog Synchronization Job" and execute it.
To create a disconnected application instance for an existing disconnected resource, see Section 8.2.1, "Creating Application Instances".
Note:
You must not select the Disconnected option, as this will create artifacts, including the resource object and IT resource, in the back end.
When the provisioning process is triggered for Enable, Disable, Revoke, or Provision operations, the corresponding process task is inserted, which runs the Manual Provisioning adapter. This adapter invokes the out-of-the-box provisioning SOA composite. A SOA Human Task is assigned to the System Administrator by default.
The System Administrator from the pending approvals page can:
Check the task details
Check the account details
Change process form data in OIM by changing data and clicking the Fulfill button
Perform the operation manually in the target
Act on the pending task by clicking Complete or Reject.
Figure 9-3 displays the field options for provisioning operations for the beneficiary.
When the assignee acts on the pending manual task, the provisioning callback web service is invoked, which continues the Oracle Identity Manager operation and updates the account appropriately. See Section 9.5, "Status Changes in Manual Process Task Action" for details on changes to account status based on assignee action.
When a process form field of a disconnected resource is updated, the "<FORM_NAME> Updated" process task will be inserted into the provisioning process. This would generate a manual SOA human task, so that the assignee can manually update the changes in the corresponding target.
Note:
The "<FORM_NAME> Updated" task is inserted irrespective of whether the update is to a single process form field or to multiple process form fields. This behavior is different from that of a connected resource. In addition, note that the individual process form field update tasks need not be configured for a disconnected resource.
Managing entitlements for a disconnected resource includes the following tasks:
Configuring Entitlement Grant for disconnected resource involves configuring the following:
Section 9.4.1.1, "Creating a Child Form and Configuring Entitlement Lookup via Form Designer"
Section 9.4.1.2, "Configuring the Process Task that Invokes the SOA Composite"
To create a child form and configure the lookup definition for entitlements:
Once the disconnected application instance is created, the IT Resource Instance field is populated with the name of the IT resource instance that was created. Note down the IT resource instance name (this refers to the Create Application Instance page).
Using SQL*Plus, open a connection to the Oracle Identity Manager database and run the following query:
SELECT svr_key, svr_name FROM svr WHERE svr_name = '<IT_RESOURCE_NAME>';
Use the IT resource name from Step 1 as the svr_name. Note down the svr_key that this query returns.
Go to Oracle Identity System Administration. Under Configuration, click Form Designer and perform the following steps:
Select Type as Resource.
Click on the Resource Type and search for the Disconnected Resource.
From the search result, click on the disconnected application instance form name.
Go to Child Objects tab and click Add to add a child form.
In the Name field, provide a name to the child table and click OK.
Click the UD_<CHILD_TABLE_NAME> link to open it for editing.
Create the custom field with the lookup type.
Provide the following values for the entitlement field:
In the Display Label field, enter a display name.
In the Name field, enter a name for the lookup.
Select the following check boxes:
Searchable
Entitlement
Searchable Picklist
Note:
You must select the Searchable, Entitlement, and Searchable Picklist check boxes to create an entitlement field on the child form.
Create a new custom field of Lookup Type and click OK.
In the List of Values section, click the Create a new lookup type icon, and provide values for Meaning (for example, Lookup.Laptop.apps), Code (for example, Lookup.Laptop.apps), and Description.
Click New to add Lookup Codes for the entitlement values. The values in the Code and Meaning columns must have the following format:
Code | Meaning |
---|---|
<svr_key>~<ENTITLEMENT_NAME> | <ENTITLEMENT_DESCRIPTION> |
Click Save and Close.
Click Back to Parent Object to return to the parent form.
Click Regenerate View to regenerate UI artifacts and dataset, and confirm by clicking OK.
Go back to Oracle Identity System Administration and, under System Management, click Scheduler.
Search for the scheduled job called Entitlement List and execute it.
After the scheduled job execution completes, search for another scheduled job called Catalog Synchronization Job and execute it.
To configure the process task that invokes the SOA composite:
From the Design Console, navigate to the Process Definition form of the disconnected resource.
Click Add Task to add a new process task with a name, for example, Grant UD_ENT Entitlement.
Note:
You must make sure that the following flags are set:
Conditional
Allow Multiple Instances
Also make sure that the "Required for Completion" flag is deselected.
Select the child table, for example, UD_ENT from the combo box and set Trigger Type as Insert.
Save the task. Figure 9-4 displays the process task fields.
Navigate to the Responses tab for the same task, and add Response, Description, and Status as shown in Figure 9-5.
Navigate to the Integration tab for the same task.
Click Add and select the Adapters radio button.
Select the adpMANUALENTITLEMENTPROVISIONING adapter. The adapter has seven variables. Figure 9-5 shows a sample adapter variable mapping.
Configure the adapter variable mappings to Literal Strings as shown in Table 9-2.
Note:
While performing this step, you must ensure that there are no trailing spaces.
Table 9-2 Adapter Variable Mappings for Entitlement Grant
Variable Name | Map To |
---|---|
AccountKey | AccountKey(Org) |
CompositeName | SOA Composite |
ProvisioningOperation | Grant Entitlement |
OperationKey | Task Instance Key |
Service Name | manualprovisioningprocess_client |
CompositeURL | http://xmlns.oracle.com/DefaultProvisioningComposite/DisconnectedProvisioning/ManualProvisioningProcess |
Adapter Return Value | Response Code |
Once the above configuration is done, a disconnected resource entitlement can be requested for a user with the account. This inserts the process task created in Step 4. A SOA Human Task is assigned to the System Administrator for granting the entitlement in the target manually. When the assignee acts on the pending human task, the provisioning callback web service is invoked, which completes or aborts the Oracle Identity Manager operation. See Section 9.5, "Status Changes in Manual Process Task Action" for more information about changes to status based on assignee action.
To configure entitlement revoke:
Go to Design Console, navigate to the Process Definition form of the disconnected resource, and click Add Task.
Add a new process task with the name ManualRevokeEntitlementStart.
Note:
You must make sure that the following flags are set:
Conditional
Allow Multiple Instances
Also make sure that the "Required for Completion" flag is deselected.
Navigate to the Responses tab for the same task, and add the following responses and statuses:
Response | Description | Status |
---|---|---|
Completed | Completed | C |
Rejected | Rejected | R |
Navigate to the Integration tab for the same task.
Click Add and select the Adapters radio button.
Select the adpMANUALENTITLEMENTPROVISIONING adapter. The adapter has seven variables.
Click Save to save the process task and close.
Configure the adapter variable mappings to Literal Strings as shown in Table 9-3.
Note:
You must make sure that there are no trailing spaces.
Table 9-3 Adapter Variable Mappings for Entitlement Revoke
Variable Name | Map To |
---|---|
AccountKey | Process Data, Process Instance |
CompositeName | default/DisconnectedProvisioning!1.0 |
ProvisioningOperation | Revoke Entitlement |
OperationKey | Task Instance Key |
Service Name | manualprovisioningprocess_client |
CompositeURL | http://xmlns.oracle.com/DefaultProvisioningComposite/DisconnectedProvisioning/ManualProvisioningProcess |
Adapter Return Value | Response Code |
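The following Python script is an added example, not Oracle's code or part of this guide. It checks two configuration details that Section 9.4.1.1 and Tables 9-2 and 9-3 insist on: that every entitlement Lookup Code follows the <svr_key>~<ENTITLEMENT_NAME> format with the svr_key returned by the SVR query, and that the Literal String adapter mappings for the revoke task carry no trailing spaces and match the values in Table 9-3. The svr_key value 42 and the sample lookup rows are constructed.

```python
import re

# Added example, not Oracle code. Expected Literal String values for the
# entitlement revoke task come from Table 9-3; AccountKey and OperationKey
# map to process data rather than literals, so they are not listed here.
EXPECTED_REVOKE_MAPPINGS = {
    "CompositeName": "default/DisconnectedProvisioning!1.0",
    "ProvisioningOperation": "Revoke Entitlement",
    "Service Name": "manualprovisioningprocess_client",
    "CompositeURL": ("http://xmlns.oracle.com/DefaultProvisioningComposite/"
                     "DisconnectedProvisioning/ManualProvisioningProcess"),
}

# Lookup Code format from Section 9.4.1.1: <svr_key>~<ENTITLEMENT_NAME>
LOOKUP_CODE_RE = re.compile(r"^(\d+)~(.+)$")

def check_lookup_codes(rows, svr_key):
    """Return problems found in (Code, Meaning) rows of the entitlement lookup.
    svr_key is the IT resource key from the SVR query; every Code must carry it."""
    problems = []
    for code, meaning in rows:
        if code != code.strip() or meaning != meaning.strip():
            problems.append(f"{code!r}: leading/trailing whitespace")
        match = LOOKUP_CODE_RE.match(code.strip())
        if not match:
            problems.append(f"{code!r}: not in <svr_key>~<ENTITLEMENT_NAME> form")
            continue
        if int(match.group(1)) != svr_key:
            problems.append(f"{code!r}: svr_key {match.group(1)} != {svr_key}")
        if not meaning.strip():
            problems.append(f"{code!r}: empty Meaning")
    return problems

def check_adapter_mappings(mappings, expected=EXPECTED_REVOKE_MAPPINGS):
    """Return problems in a {variable: literal} adapter mapping: leading or
    trailing spaces (which the chapter warns about) and unexpected literals."""
    problems = []
    for var, value in mappings.items():
        if value != value.strip():
            problems.append(f"{var}: literal has leading/trailing spaces")
        want = expected.get(var)
        if want is not None and value.strip() != want:
            problems.append(f"{var}: expected {want!r}, got {value.strip()!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample data; svr_key 42 is an assumed SVR query result.
    rows = [("42~VPN Access", "VPN access on the badge system"),
            ("42~Parking ", "Parking permit"),           # trailing space
            ("7~Admin", "Admin rights on the device")]   # wrong IT resource
    print(*check_lookup_codes(rows, 42), sep="\n")
    bad = dict(EXPECTED_REVOKE_MAPPINGS, ProvisioningOperation="Revoke Entitlement ")
    print(*check_adapter_mappings(bad), sep="\n")
```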
Note:
While performing this step, you must ensure that there are no trailing spaces.
Table 9-4 provides details about status changes based on manual task action:
Table 9-4 Manual Process Task Action Statuses
Provisioning Operation | Manual Task Action | Provisioning Action |
---|---|---|
Provision | Complete | Account status will be set to Provisioned. |
Provision | Reject | Account status will not be updated. |
Disable | Complete | Account status will be set to Disabled. |
Disable | Reject | Account status will not be updated. |
Enable | Complete | Account status will be set to Enabled. |
Enable | Reject | Account status will not be updated. |
Revoke | Complete | Account status will be set to Revoked. |
Revoke | Reject | Account status will not be updated. |
Update | Complete | No Operation |
Update | Reject | No Operation |
Grant Entitlement | Complete | Completes the child table insert trigger process task and sets entitlement status to Provisioned. |
Grant Entitlement | Reject | Cancels the child table insert trigger process task, which deletes the child table entry. |
Revoke Entitlement | Complete | Deletes the child table entry from Oracle Identity Manager. |
Revoke Entitlement | Reject | No Operation |
The provisioning SOA composite supports the following customizations:
Section 9.6.1, "Customizing Human Task Assignment via SOA Composer"
Section 9.6.2, "Customizing by Modifying the Out of the Box Composite"
The manual disconnected provisioning SOA composite has a default rule, ManualProvisioningRule, which assigns the human task to the System Administrator.
A custom rule with higher priority, based on the payload (for example, on Application Instance Name), can be created from the SOA Composer UI to customize the manual task assignment.
To add a custom rule:
Log in to the SOA Composer UI, click Open Task, and select the DisconnectedProvisioning_rev1.0 composite.
From the ManualProvisioningTaskRules.rules tab, click Edit to add a custom rule.
Add Rule by providing the rule name and the conditional assignment rule.
Using the Up arrow, move the custom rule above the ManualProvisioningRule.
Save and commit changes. Figure 9-7 displays the manual provisioning rule that is added.
See Also:
SOA Composer documentation for more information about creating rules.
To modify the out-of-the-box Disconnected Provisioning composite:
Copy the composite from OIM_HOME/workflows/composites/DisconnectedProvisioning.zip to a local JDeveloper working location. Unzip it in the same directory to create the DisconnectedProvisioning directory.
Open the composite in JDeveloper in Default Role.
Note:
You must install the version of JDeveloper that is compatible with the Oracle Identity Manager deployment. In addition, install any patches for JDeveloper so that JDeveloper works correctly with the SOA composites.
As part of the customization, do not alter the following:
Payload attributes defined in DisconnectedProvisioning\xsd\ManualProvisioningTaskPayload.xsd
ProvisioningCallbackService partnerlink and mappings
Double-click composite.xml to open the composite and modify as per your requirements.
Deploy the SOA composite from JDeveloper to the Oracle SOA server. Make sure that you do not update the Revision ID, and select the Overwrite any existing composites with the same revision ID option.
Table 9-5 displays the common problems that you may encounter while performing provisioning and other tasks for disconnected resources.
Table 9-5 Troubleshooting Disconnected Resources
Problem | Solution |
---|---|
Upon provisioning a disconnected application instance, the manual task is not assigned to the assignee. | Perform the following steps: |
Upon manual task completion, the account status is not modified. | Perform the following steps: |
Upon submitting a catalog request for the Revoke Entitlement operation, the following error is thrown: JBO-29115 Unable to construct the error message due to error: java.lang.IllegalArgumentException: can't parse argument number UD_D1001C_INTERNALATTR=. | Make sure that the process task with the name "ManualRevokeEntitlementStart" is configured correctly as per the steps in Section 9.4.2, "Configuring for Entitlement Revoke". |