Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager
11g Release 2 (11.1.2)

Part Number E27149-16

16 Managing the Access Request Catalog

This chapter provides an introduction to the Access Request Catalog and describes the key features, benefits, and use cases of the Access Request Catalog. It contains the following sections:

  • Section 16.1, "Access Request Catalog"

  • Section 16.2, "About the Access Request Catalog"

  • Section 16.3, "Administering the Access Request Catalog"

The Access Request Catalog provides a simple, intuitive, web-based user interface that allows business users to request access to roles, application instances, and additional access (also known as entitlements) within applications.

The Access Request Catalog allows a business to categorize and publish roles, application instances, and entitlements to the Catalog and to provide additional business context using extensible metadata. Users request access for themselves using a familiar "Catalog search" and "Shopping Cart" user experience.

16.1 Access Request Catalog

This section provides an introduction to the Access Request Catalog. It contains the following sections:

  • Section 16.1.1, "Access Request Challenges"

  • Section 16.1.2, "Concepts"

  • Section 16.1.3, "Catalog Use cases"

16.1.1 Access Request Challenges

Enterprises have tried to simplify and streamline the process of managing the identity lifecycle and access privileges of end users as part of improving operational efficiency and reducing IT costs. To meet these goals, businesses have tried to implement various solutions to allow end users to manage their own identity and access. However, they have faced several challenges in doing so:

  • End-users had to be trained to understand IT concepts and terminology and use IT processes to request access.

  • The training cycle had to be repeated as new employees joined, lowering productivity, and increasing IT costs.

  • End-users had to get IT assistance when their requests were not fulfilled in a timely manner and did not have visibility into the status of their request.

  • Typically, additional access within an application had to be granted by IT or by Application administrators.

  • This limited business users' view of available access and limited their productivity, while forcing them to rely on IT.

The Access Request Catalog addresses these challenges by providing an easy to use web interface where users can search and browse various types of access and select the ones they need to perform their job duties. It provides the following benefits:

  • The end user does not need to know technical jargon or follow IT processes to request access. The Catalog uses well-known and familiar search and shopping cart patterns to guide the user through the access request process.

  • The end-user does not need to know specific application instance, role, or entitlement names. The Catalog provides an extensible metadata model and tagging capabilities. This allows business users to specify alternate terms that can be used to search for specific access. End users can search the Catalog using combinations of keywords and wildcards to find the access they need.

16.1.2 Concepts

The following discussion introduces key Access Request Catalog concepts.

  • Catalog

    The Catalog (also known as the Request Catalog) offers a consistent and intuitive request experience for customers to request Roles, Entitlements, and Application Instances following the commonly used Shopping Cart paradigm. The Catalog is a structured commodity with its own set of metadata.

  • Catalog Item

    A Catalog Item is an item (Roles, Entitlements or Application Instances) that can be requested by a user, either for themselves or on behalf of other users.

  • Category

    A Catalog Item Category is a way to organize the request catalog. Each catalog item is associated with one and only one category. A catalog item navigation category is an attribute of the catalog item. Catalog Administrators can edit a Catalog Item and provide a value for the category.

    Note:

    You cannot leave the Category field blank for a catalog item. Therefore, you must ensure that a value is present for the category.

  • Application Instance

    An Application Instance represents an account on a particular target. When users request an application instance, they are requesting an account in a particular target. Application Instances can be connected, if fulfillment is automated through a Connector, or disconnected, if fulfillment is manual. Application Instances can have entitlements associated with them.

  • Enterprise Roles

    Enterprise Roles are defined by customers. Enterprise Roles have policies associated with them. Users can request enterprise roles via the Catalog. When a role is granted, application instances or entitlements are provisioned to the user.

  • Entitlement

    Entitlements are privileges in an application that govern what a user of the application can do.

  • Catalog User-defined field

    Catalog User-defined fields are additional attributes that are added by customers to the Catalog entity.

  • Catalog Item Metadata

    Catalog Item Metadata refers to the values for the Catalog Item attributes. Metadata can be managed on a per-item basis by the Catalog Administrator or can be populated in bulk.

  • Tags

    Tags are search keywords. When users search the Access Request Catalog, the search is performed against the tags. Tags are of three types:

    • Auto-generated: The Catalog synchronization process auto-tags the Catalog Item using the Item Type, Item Name, and Item Display Name.

    • User-defined: User-defined Tags are additional keywords entered by the Catalog Administrator.

    • Arbitrary tags: If an attribute is marked as searchable when its metadata is defined, the value of that attribute also becomes part of the tags.

  • Catalog Administrator

    The Catalog Administrator is a global security role. The Catalog can be managed by members of this role only.

  • Shopping Cart

    The Shopping Cart refers to the collection of Catalog Items that are being requested. A user can have only one cart active at any given time and the cart can contain roles, application instances, entitlements, or any combination of the three.

  • Catalog synchronization

    Catalog synchronization refers to the process of loading roles, application instances, and entitlements into the Catalog.
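The following added example (not part of Oracle's documentation or product code) shows how the three tag sources described above combine into the tag set of a Catalog Item, and how a keyword search with a wildcard is matched against those tags. The CatalogItem fields, the "*" wildcard syntax, the word-splitting rule, and the sample items are assumptions of this example.

```python
"""Catalog tag generation and keyword search, illustrating the Tags concept.
This is an added example with assumed data structures, not Oracle's code."""
from __future__ import annotations
from dataclasses import dataclass, field
import fnmatch


@dataclass
class CatalogItem:
    item_type: str                       # Role, ApplicationInstance or Entitlement
    name: str                            # Item Name
    display_name: str                    # Item Display Name
    user_defined_tags: list[str] = field(default_factory=list)
    # User-defined field values keyed by attribute name (assumed layout)
    metadata: dict[str, str] = field(default_factory=dict)


def build_tags(item: CatalogItem, searchable_attrs: set[str]) -> set[str]:
    """Return the lower-cased tag set for one Catalog Item.

    Auto-generated tags: item type, name and display name (what the Catalog
    Synchronization job tags automatically).
    User-defined tags: keywords entered by the Catalog Administrator.
    Arbitrary tags: values of metadata attributes marked as searchable only;
    non-searchable attributes (for example an Owner field) are NOT searchable.
    """
    tags = {item.item_type, item.name, item.display_name}
    tags.update(item.user_defined_tags)
    for attr, value in item.metadata.items():
        if attr in searchable_attrs and value:
            tags.add(value)
    # Assumption: multi-word values are also split so each word is a keyword,
    # while the full value is kept as a tag too.
    words: set[str] = set()
    for tag in tags:
        words.update(tag.split())
    return {t.lower() for t in tags | words if t}


def search(items: list[CatalogItem], keywords: list[str],
           searchable_attrs: set[str]) -> list[str]:
    """Return names of items whose tags satisfy every keyword.

    A keyword may contain '*' as a wildcard (assumed syntax); matching is
    case-insensitive and a keyword must match a whole tag, so 'trading'
    does not match the tag 'trader' but 'trad*' matches both.
    """
    hits = []
    for item in items:
        tags = build_tags(item, searchable_attrs)
        if all(any(fnmatch.fnmatchcase(t, kw.lower()) for t in tags)
               for kw in keywords):
            hits.append(item.name)
    return hits


# Constructed sample Catalog Items and the administrator's searchable attributes.
SEARCHABLE_ATTRS = {"Business Unit"}
ITEMS = [
    CatalogItem("ApplicationInstance", "MYCORP_TRADING", "MyCorp Trading",
                ["stocks"], {"Business Unit": "Capital Markets", "Owner": "jsmith"}),
    CatalogItem("Role", "TRADER", "Equity Trader", [],
                {"Business Unit": "Capital Markets"}),
    CatalogItem("Entitlement", "HR_VIEW", "HR Viewer", ["payroll"],
                {"Business Unit": "Human Resources"}),
]

if __name__ == "__main__":
    for query in (["trading"], ["trad*"], ["capital", "role"], ["jsmith"]):
        print(query, "->", search(ITEMS, query, SEARCHABLE_ATTRS))
```

The last query returns nothing because Owner was not marked as searchable, which is the page's point about arbitrary tags: only searchable metadata reaches the tag set.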

16.1.3 Catalog Use cases

The use cases in this section explain how the Access Request Catalog makes it easy for end users to request the roles, application instances, and entitlements required to perform their duties.

Requesting access

Mary, a Manager in MyCorp, would like to request access to MyCorp Trading application for herself and her directs. To do this, she searches the Catalog using the keyword trading. The catalog returns all items that match Mary's keywords and that she is allowed to request. Mary filters the search results by selecting Application from the list of categories. The Catalog returns a reduced set of search results. Mary adds the MyCorp Trading application to the cart and checks out. She adds herself and her directs to the request and submits the request.

Illustration: Requesting access (req_acc_1.gif)

Administering the Catalog

Jim, a Catalog Administrator, would like to onboard new application instances and their entitlements, add additional attributes, and improve the searchability of the catalog items. He runs the Catalog Synchronization job to harvest the new application instances and their entitlements. Next, he extends the Catalog metadata by adding additional attributes and identifies certain attributes as searchable. Next, he loads the catalog with metadata and tags for the new attributes. For certain Catalog items, he searches the Catalog and edits the Catalog item in place.

Illustration: Administering the catalog (req_acc_2.gif)

These use cases are typical examples of using the Access Request Catalog to make applications, the entitlements in those applications, and roles visible in the Catalog, and of allowing users to request access to them through a simple web-based interface.

16.2 About the Access Request Catalog

This section covers the features and benefits of the Access Request Catalog and its architecture. It contains the following topics:

  • Section 16.2.1, "Features and Benefits"

  • Section 16.2.2, "Architecture"

16.2.1 Features and Benefits

The Access Request Catalog is a searchable, categorized collection of entities that are requestable in Oracle Identity Manager. Any authenticated user can access the Catalog and search the Catalog using one or more keywords and search operators, add one or more Catalog items into a shopping cart and submit a request for themselves and others.

Key features of the access request catalog include:

  • Extensible Catalog schema that allows administrators to add additional attributes and specify how the attribute is rendered using a simple browser-based UI

  • Automated harvesting of roles, applications, and entitlements

  • Automated loading of Catalog metadata using a CSV file

  • Powerful search using keywords with support for complex search operators

  • Flexible categorization model that allows the Catalog to be organized based on customer choice

  • Catalog search results secured based on viewer privileges of the requester

  • Catalog item data available via a web service for use in workflows

16.2.2 Architecture

Figure 16-1 High-Level Catalog Architecture


Figure 16-1 shows the components of the Access Request Catalog and its relationship with other components of Oracle Identity Manager. The Access Request Catalog consists of the following components:

  1. Catalog Tables

  2. Catalog Loaders

  3. Catalog Metadata

  4. Catalog User Interface in the Identity Self Service Console

16.3 Administering the Access Request Catalog

This section describes the basic administration of the Access Request Catalog. It consists of the following topics:

  • Section 16.3.1, "Pre-requisites"

  • Section 16.3.2, "Common Tasks"

  • Section 16.3.3, "Database Best Practices for Access Request Catalog"

16.3.1 Pre-requisites

The Access Request Catalog is used by end-users to request access to roles and entitlements to help them perform their duties. As a result, it is very important that the Catalog be current, have rich metadata, and be organized so that users can find the right access. To ensure this, you need a plan to manage the Access Request Catalog. The following sections give the steps that you should follow to administer the Catalog. Before implementing those steps, there are certain pre-requisites. These include the following:

  • Section 16.3.1.1, "Setting up the Catalog Administrator"

  • Section 16.3.1.2, "Defining the Catalog Metadata"

16.3.1.1 Setting up the Catalog Administrator

The Catalog Administrator is an admin role, similar to the System Administrator and System Configurator roles. In Oracle Identity Manager 11g Release 2 (11.1.2), a member of this role (and members of the System Administrators role) can perform the following actions:

  • Load the Catalog

  • Manage Catalog Items

  • Manage Request Profiles

This role is a global role and not scoped by organization.

To grant the Catalog Administrator admin role:

  1. Log in to the Oracle Identity System Administration Console.

  2. Click Organizations.

  3. Search for Top.

  4. Click the Admin Roles tab.

  5. Select the Catalog Administrators admin role and click Assign in the toolbar.

    Illustration: Top admin roles (assign_roles.gif)

  6. Search for the users you would like to assign and click Add Selected.

    Illustration: Adding catalog administrators (add_cat_user1.gif)

  7. Click Add to add the users.

The new members of the Catalog Administrator role can log in to the Self Service Console and start managing the Catalog.

16.3.1.2 Defining the Catalog Metadata

Rich catalog metadata is important for the following reasons:

  • End-users are only interested in getting access to what they need to perform their job duties. When they search and browse the Catalog, the information presented to them must relate to the business. If the Catalog is sparse (minimal attributes), users will not know which access to pick. If the Catalog is rich but technical, users will get confused and will choose not to use the Catalog.

  • Requesters and Approvers need as much contextual information as possible to help them submit a request or approve one. When approvers review a request, the Catalog item detail helps them understand what is being requested, why, and the impact of approving the request.

  • Approval workflows use routing rules to correctly determine approvers. These rules need access to additional context about the requested item to do approver resolution. If the Catalog information is sparse, the routing rules will not have enough data available to determine the correct approvers.

To meet these challenges, the Catalog must contain additional metadata that can help place the access, that is the Catalog item, in the correct business context.

To add one or more attributes to the Catalog:

  1. Log in to the Oracle Identity System Administration Console.

  2. Click Sandboxes, Create Sandbox.

    Illustration: Creating a sandbox (create_sandbox1.gif)

  3. Click Save and Close to create and activate the sandbox.

    Illustration: Sandbox created (create_sandbox2.gif)

  4. Ensure that you are in the correct and activated sandbox session.

  5. Click Form Designer.

  6. Select Catalog from the Type drop-down list.

  7. Click Search.

  8. Select the Catalog entity and click Open.

  9. Click Custom New Attribute to add an attribute.

    See Also:

    See "Developing Process Forms" for more information on the Form Designer and its capabilities, and "Managing Sandboxes" for more information on sandboxes and their capabilities.

  10. Select from one of the pre-defined attribute types and click OK.

  11. Provide the necessary information and click Save and Close.

    Note:

    When you create a field (UDF) using the Form Designer for an entity, you can specify the length of the field. Ensure that you choose a sufficiently large value. Similarly, when you create a form for an existing process form, make sure that the fields in the process form are large enough to accommodate the values they must hold.

  12. Add additional attributes as required.

  13. You have completed the first step in extending the Catalog.

  14. If you do not want to modify the Catalog search results or Catalog Item details UI, have your changes reviewed and, after the changes are approved, click Publish to publish the sandbox.

  15. If you want to modify the Catalog search results and Catalog Item details UI, then proceed further.

  16. Log out and log in to the Identity Console as a member of the System Administrator role.

  17. Click Sandboxes and select the same sandbox that you used to extend the Catalog.

  18. Click Activate to activate the sandbox.

  19. Publish the sandbox by selecting it and clicking Publish Sandbox.

16.3.2 Common Tasks

This section describes the common tasks to be performed by the Catalog Administrator. It consists of the following tasks:

  • Section 16.3.2.1, "Onboard Applications and Roles"

  • Section 16.3.2.2, "Bootstrapping the Catalog"

  • Section 16.3.2.3, "Ongoing Synchronization"

  • Section 16.3.2.4, "Enrich the Catalog"

  • Section 16.3.2.5, "Managing Catalog Items"

16.3.2.1 Onboard Applications and Roles

The Access Request Catalog must be populated with enterprise roles, application instances, and entitlements so that users can search for and request access. You must develop a process by which enterprise roles, application instances, and entitlements can be onboarded to the Catalog with minimal administrator intervention. This section covers the various steps involved in onboarding roles, application instances, and entitlements into the Catalog.

16.3.2.1.1 Prepare an Onboarding checklist

Use the following onboarding checklist items to develop a high-level process for onboarding roles, application instances, and entitlements into the Access Request Catalog. Later, you can follow individual checklists for roles, application instances, and entitlements.

  • Identify Catalog Administrators

  • Identify and extend Catalog attributes

  • Customize Catalog search results UI

  • Customize Catalog Item Details UI

  • Identify navigational categories

  • Identify Owners, Certifiers, Approvers for roles and applications

  • Identify sources of truth for Catalog Item metadata/glossary

  • Develop procedures to generate and load Catalog item metadata/glossary

  • Develop glossary of tags and a process to maintain tags

16.3.2.1.2 Onboarding Roles

There are no onboarding steps for enterprise roles. Roles belonging to a role category other than OIM Roles are published directly to the Catalog when they are created.

16.3.2.1.3 Onboarding Application Instances

Application Instances require additional configuration before they can be requested by end users. Use the following checklist items to make sure that you have performed the configuration required to onboard application instances:

  • Ensure that the Connector is installed (for new targets)

  • If you are upgrading Oracle Identity Manager from Release 9.1.x or 11g Release 1 to 11g Release 2 (11.1.2), see "Upgrading Oracle Identity Manager 11g Release (11.1.1.5.0) Environments" of the Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management for information about mandatory post-upgrade steps

  • Verify that the process forms have an IT resource field

  • Verify that you have defined the form field properties correctly

  • Verify that you have created the application instances with suitable display names and descriptions

  • Verify that you have created the forms required for account requests

  • Verify that you have published the application instances to the relevant organizations

  • For disconnected applications, verify that you have created the application instances. See Section 9.2.1, "Creating a Disconnected Application Instance" for detailed description of the steps

After verifying the steps in the checklist, follow the instructions below to onboard application instances.

See Also:

Section 8.2, "Managing Application Instances" for more information on managing Application Instances

Steps to onboard Application Instances

  1. Log in to the System Administration Console as a member of the System Administrator role.

  2. Click Scheduler.

  3. Search for the Catalog Synchronization job.

  4. Check the Process Application Instances parameter.

  5. Set the parameter Mode to Incremental.

16.3.2.1.4 Onboarding Entitlements

Use the following checklist items to make sure that you have performed the configuration required to onboard entitlements.

Note:

The Entitlement List Loader job must be run before the Catalog Synchronization job is run.

  • Ensure that the Connector is installed (for new targets)

  • If you are upgrading Oracle Identity Manager from Release 9.1.x or 11g Release 1 to 11g Release 2 (11.1.2), see "Upgrading Oracle Identity Manager 11g Release (11.1.1.5.0) Environments" of the Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management for information about mandatory post-upgrade steps

  • Verify that the process forms have an IT resource field

  • Verify that you have defined the form field properties correctly

  • Verify that you have correctly associated the parent and child forms

  • Verify that you have run the common lookup reconciliation job for ICF-based targets

  • Verify that you have run the connector-specific lookup reconciliation jobs for non-ICF connectors

  • Verify that you have created application instances correctly, corresponding to the resource object and IT resource instance specified in the Lookup Reconciliation job

  • Verify that you have published entitlements to relevant organizations

  • Verify that you have run the Entitlement List Loader job, so that data is populated in the ent_list table

After verifying the steps in the checklist, follow the instructions below to onboard entitlements.

Steps to onboard Entitlements

  1. Login to the Oracle Identity System Administration Console as a member of the System Administrator role.

  2. Click Scheduler.

  3. Search for the Catalog Synchronization job.

  4. Check the Process Entitlements parameter.

  5. Set the parameter Mode to Incremental.

    Note:

    • If this is the first time you are harvesting, set the Mode parameter to Full.

    • If the Mode parameter is Incremental, the scheduled task processes only those entities whose create date is later than the Update Date parameter value (newly created entities) or whose update date is later than the Update Date parameter value (modified entities).

16.3.2.2 Bootstrapping the Catalog

Bootstrapping refers to the process of populating the Catalog for the first time. After bootstrapping a large number of entities of any type, you can gather statistics on the base tables. This section refers to bootstrapping the Catalog after you have installed Oracle Identity Manager 11g Release 2 (11.1.2). If you are upgrading from Oracle Identity Manager 9.1.x or 11g Release 1, then see the chapter "Upgrading Oracle Identity Manager 11g Release (11.1.1.5.0) Environments" of the Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management.

Pre-requisites

  • You have extended the Catalog using the Form Designer by following the steps given in Section 16.3.1.2, "Defining the Catalog Metadata"

  • You have carried out the necessary UI customization steps required when a user-defined field is added to the Catalog.

16.3.2.2.1 Bootstrapping the Catalog with Roles

There are two ways to bootstrap the Catalog with Roles.

  • Bootstrapping the Catalog with Roles when you are not an Oracle Identity Analytics customer

    In Oracle Identity Manager 11g R2, roles are published immediately to the Catalog when they are created and assigned a role category other than the OIM Roles category. If you have made changes to the role categories or need to synchronize the enterprise roles with the Catalog, follow the steps given below.

    To bootstrap the catalog with roles:

    1. Log in to the Oracle Identity System Administration Console as a member of the System Administrator role.

    2. Click Scheduler.

    3. Search for the Catalog Synchronization job.

    4. Check the Process Roles parameter.

    5. Set the parameter Mode to Full.

      Note:

      If you are running the job for the first time and the Mode is set to Full, then you must not provide any value in the Update Date parameter.

    6. Click Run Now to run the job immediately or provide a date and time to run the job later.

  • Bootstrapping the Catalog with Roles when you are using Oracle Identity Analytics for managing the lifecycle of enterprise roles

16.3.2.2.2 Bootstrapping the Catalog with Application Instances

Bootstrapping the Catalog with Application Instances requires additional steps to be carried out. Use the checklist given in Section 16.3.2.1.3, "Onboarding Application Instances" to ensure that you have completed the pre-requisites.

Once you have completed the pre-requisites, follow the steps given below to onboard application instances:

  1. Log in to the Oracle Identity System Administration Console as a member of the System Administrator role.

  2. Click Scheduler.

  3. Search for the Catalog Synchronization job.

  4. Check the Process Application Instances parameter.

  5. Set the parameter Mode to Full.

    Note:

    If you are running the job for the first time and the Mode is set to Full, then you must not provide any value in the Update Date parameter.

  6. Click Run Now to run the job immediately or provide a date and time to run the job later.

16.3.2.2.3 Bootstrapping the Catalog with Entitlements

Bootstrapping the Catalog with Entitlements requires additional steps to be carried out. Use the checklist given in Section 16.3.2.1.4, "Onboarding Entitlements" to ensure that you have completed the pre-requisites.

Once you have completed the pre-requisites, follow the steps given below to onboard entitlements.

  1. Log in to the Oracle Identity System Administration Console as a member of the System Administrator role.

  2. Click Scheduler.

  3. Search for the Catalog Synchronization job.

  4. Check the Process Entitlements parameter.

  5. Set the parameter Mode to Full.

    Note:

    If you are running the job for the first time and the Mode is set to Full, then you must not provide any value in the Update Date parameter.

  6. Click Run Now to run the job immediately or provide a date and time to run the job later.

16.3.2.3 Ongoing Synchronization

To automate the process of onboarding roles, application instances, and entitlements, you can configure the Catalog Synchronization job in the following manner.

  1. Log in to the Oracle Identity System Administration Console as a member of the System Administrator role.

  2. Click Scheduler.

  3. Search for the Catalog Synchronization job.

  4. Check the Process Roles, Process Application Instances, and Process Entitlements parameters.

  5. Set the parameter Mode to Incremental.

  6. Provide a date and time to run the job later.

  7. Set the Job frequency to run every five minutes.

16.3.2.4 Enrich the Catalog

Enriching the Catalog refers to the process of populating the Access Request Catalog with data so that the information is available for end-users to see. The additional data helps end-users understand the business context associated with the Catalog Item. The additional data is also available as part of the approval workflow, allowing the workflow to make intelligent routing decisions based on the data about the Catalog Item.

There are two ways to enrich the Catalog:

  • Editing Catalog Items online, one at a time, in the Oracle Identity Manager Self Service Console (Section 16.3.2.4.1, "Editing a Catalog Item Online")

  • Loading Catalog Item data in bulk from an external source (Section 16.3.2.4.2, "Enriching the Catalog in bulk from external sources" and Section 16.3.2.4.3, "Loading data from an external source")

Pre-requisites

16.3.2.4.1 Editing a Catalog Item Online

To edit a Catalog Item online, using the Oracle Identity Manager Self Service Console:

Note:

Name, Display Name, and Description cannot be edited on the catalog screen. These are base-level attributes and cannot be edited from the Catalog UI.

  1. Log in to the Oracle Identity Manager Self Service Console as a member of the Catalog Administrator role.

  2. Click Catalog to access the Catalog.

  3. Enter one or more keywords and click Search.

  4. Use the Refine Search to find the Catalog Item(s) to be edited.

  5. Select the Catalog Item to be edited.

  6. Edit the Catalog Item and click Apply.

    Note:

    To see the changes you made, you must log out and log in again to the Catalog edit page.

16.3.2.4.2 Enriching the Catalog in bulk from external sources

While Catalog Administrators can make use of the robust Catalog Item editing capabilities in the Oracle Identity Manager Self Service Console, there are scenarios where the data needs to be loaded in bulk from external sources. Examples of bulk updates:

  • MyCorp wants to provide users with asset information from their IT CMDB system or from their Corporate Asset Management system. The information cannot be entered manually since the CMDB or AMS system gets updated on a regular basis. In such a scenario, MyCorp needs a way to update the Catalog in bulk.

  • MyCorp was using a home grown access request application prior to implementing Oracle Identity Manager 11g R2. This application contains the glossary and other relevant information about the roles, application instances and entitlements. As part of migrating to Oracle Identity Manager 11g R2, MyCorp Catalog Administrators would like to move the Catalog Item information from the legacy system.

16.3.2.4.3 Loading data from an external source

Follow the steps given below to load data from an external source into the Catalog:

  1. Export the data to be loaded into a comma-separated values format file.

  2. Ensure that the first line of the file contains the Catalog attribute names.

  3. Move the file to a file system that is accessible from the server on which Oracle Identity Manager is deployed.

  4. Log in to the Oracle Identity System Administration Console as a member of the System Administrator or System Configurator role.

  5. Click Scheduler.

  6. Search for the Catalog Synchronization Job.

  7. Provide the full path to the file in the parameter File Path.

  8. Set the value of the parameter Mode to Metadata. Table 16-1 provides sample parameter details.

    Table 16-1 Catalog Metadata Loader Sample

    Parameter           Value
    ------------------  ----------
    ENTITY_TYPE         Role
    ENTITY_KEY          12
    ENTITY_NAME         test
    IS_REQUESTABLE      1
    USER_DEFINED_TAGS   UDTags
    CATEGORY            mycategory
    AUDIT_OBJECTIVE     AO111
    APPROVER_USER       1
    APPROVER_ROLE       1
    FULFILLMENT_USER    1
    FULFILLMENT_ROLE    1
    CERTIFIER_USER      1
    CERTIFIER_ROLE      1
    ITEM_RISK           1
    CERTIFIABLE         1
    STUDF               1

  9. Click Run Now to run the job immediately, or select a date and click Apply to run the job later.
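The following added example (not Oracle's code) shows how the file prepared in steps 1 and 2 can be generated and checked from an external source before it is handed to the Catalog Synchronization job in Metadata mode: the first line carries the Catalog attribute names of Table 16-1, and rows with a blank Category (which the Catalog does not allow) are rejected instead of loaded. The legacy glossary records, the mapping of their columns, and the set of mandatory columns are assumptions of this example.

```python
"""Build and validate a Catalog metadata CSV laid out as in Table 16-1.
Added example with constructed input; not Oracle's loader or its rules."""
from __future__ import annotations
import csv
import io

# Column order taken from Table 16-1; STUDF stands in for a customer UDF.
HEADER = ["ENTITY_TYPE", "ENTITY_KEY", "ENTITY_NAME", "IS_REQUESTABLE",
          "USER_DEFINED_TAGS", "CATEGORY", "AUDIT_OBJECTIVE", "APPROVER_USER",
          "APPROVER_ROLE", "FULFILLMENT_USER", "FULFILLMENT_ROLE",
          "CERTIFIER_USER", "CERTIFIER_ROLE", "ITEM_RISK", "CERTIFIABLE", "STUDF"]
# Assumed mandatory set: the page only states that Category may never be blank.
MANDATORY = ("ENTITY_TYPE", "ENTITY_KEY", "ENTITY_NAME", "CATEGORY")
FLAG_COLUMNS = ("IS_REQUESTABLE", "CERTIFIABLE")

# Constructed export from a legacy access-request application (assumption).
LEGACY_ROWS = [
    {"type": "Role", "key": "12", "name": "test", "category": "mycategory",
     "tags": "UDTags", "requestable": "1", "risk": "1"},
    {"type": "Role", "key": "13", "name": "Trader", "category": "",
     "tags": "trading;stocks", "requestable": "1", "risk": "3"},
    {"type": "ApplicationInstance", "key": "7", "name": "MyCorp Trading",
     "category": "Application", "tags": "trading", "requestable": "yes",
     "risk": "2"},
]


def to_catalog_row(legacy: dict) -> dict:
    """Map one legacy record onto the Table 16-1 attribute names."""
    row = {col: "" for col in HEADER}
    row.update({
        "ENTITY_TYPE": legacy["type"],
        "ENTITY_KEY": legacy["key"],
        "ENTITY_NAME": legacy["name"],
        "IS_REQUESTABLE": "1" if legacy["requestable"] in ("1", "yes", "true") else "0",
        "USER_DEFINED_TAGS": legacy["tags"].replace(";", " "),  # space-separated tags
        "CATEGORY": legacy["category"],
        "ITEM_RISK": legacy["risk"],
        "CERTIFIABLE": "1",
    })
    return row


def validate_row(row: dict) -> list[str]:
    """Return the problems found in a row; an empty list means it is loadable."""
    problems = []
    for col in MANDATORY:
        if not row.get(col, "").strip():
            problems.append(f"{col} is blank")   # Category can never be blank
    for col in FLAG_COLUMNS:
        if row.get(col) not in ("0", "1"):
            problems.append(f"{col} must be 0 or 1")
    if not row.get("ENTITY_KEY", "").isdigit():
        problems.append("ENTITY_KEY must be numeric")
    return problems


def build_csv(legacy_rows: list[dict]) -> tuple[str, dict]:
    """Write the loadable rows as CSV text; return (text, {ENTITY_KEY: problems})."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()                 # step 2: attribute names on the first line
    rejected: dict[str, list[str]] = {}
    for legacy in legacy_rows:
        row = to_catalog_row(legacy)
        problems = validate_row(row)
        if problems:
            rejected[row["ENTITY_KEY"]] = problems
        else:
            writer.writerow(row)
    return buf.getvalue(), rejected


def parse_csv(text: str) -> list[dict]:
    """Read a metadata file back, insisting on the Table 16-1 header line."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != HEADER:
        raise ValueError("first line must contain the Catalog attribute names")
    return list(reader)


if __name__ == "__main__":
    text, rejected = build_csv(LEGACY_ROWS)
    print(text)
    for key, problems in rejected.items():
        print(f"rejected ENTITY_KEY {key}: {', '.join(problems)}")
```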

16.3.2.5 Managing Catalog Items

This section contains the following topics:

  • Section 16.3.2.5.1, "Deleting a Catalog Item"

  • Section 16.3.2.5.2, "Deleting Catalog Items of type Entitlement"

16.3.2.5.1 Deleting a Catalog Item

To delete Catalog Items in a supported manner:

  1. To delete roles, log in to the Oracle Identity System Administration Console.

  2. Search for the role to be deleted and delete the role.

  3. The associated Catalog Item will be marked as soft-deleted and will not appear in the Catalog.

  4. To delete a large number of roles, use the APIs to delete the roles. Using database techniques to delete roles is not recommended.

  5. Log in to the Oracle Identity System Administration Console.

  6. Click Scheduler.

  7. Search for the Catalog Synchronization Job.

  8. Set the mode to Incremental.

  9. Click Run Now to run the job immediately or set it up to run at a particular time.

Deleting Catalog Items of type Application Instances

Application Instances, in almost all use cases, represent a target system (sometimes known as an endpoint) and an account in that target system. When you delete an Application Instance, you are essentially decommissioning the target system from Oracle Identity Manager. Depending upon the scale of your deployment and the number of accounts provisioned to the target system, deleting an Application Instance can have a significant impact on the end users and their access.

16.3.2.5.2 Deleting Catalog Items of type Entitlement

To delete Catalog Items in a supported manner:

  1. To delete Entitlements, log in to the Oracle Identity System Administration Console.

  2. Click Lookups.

  3. In the Code column, enter the name of the Lookup Definition that contains the entitlement. Refer to the Connector documentation to find out the name of the Lookup Definition.

  4. Delete one or more entitlement values.

  5. Click Scheduler.

  6. Search for the Entitlement List Load job.

  7. Click Run now.

  8. Search for the Catalog Synchronization Job.

  9. Set the Mode to Incremental.

  10. Click Run Now to run the job immediately or set it up to run at a particular time.

16.3.3 Database Best Practices for Access Request Catalog

The Access Request Catalog uses the Oracle Text option of Oracle Database for its text search capabilities. Oracle Text is a fast and accurate full-text retrieval technology integrated with Oracle Database.

The CATALOG table, which contains the catalog items, is indexed using the CONTEXT index type of Oracle Text. Although an Oracle Text index operates like a regular database index, the architecture and processing behind a Text index make it important to follow best practices both when creating the Text index and during its ongoing maintenance.

The following sections provide more information in this regard for Oracle Identity Manager administrators and database administrators.

16.3.3.1 One-Time Optimizations for Oracle Text Index

When you install Oracle Identity Manager, the Text index for the Access Request Catalog is created with the optimizations that can be applied at install time. However, Oracle Text has further optimizations that are better applied based on the characteristics of the deployment. The following are the optimizations that you should consider applying to improve Access Request Catalog search performance. Note that the Access Request Catalog is not usable while these optimizations are being applied, so they should be performed during a scheduled maintenance window.

Note:

Catalog Synchronization job and Access Request Catalog should be down when these one-time optimizations are applied.

Storage of Text Index

The Oracle Text index is stored in relational tables (DR$ tables) that currently reside in the default tablespace of the OIM schema. It is recommended to separate them out into their own tablespace. You can use the following commands to do that. Become familiar with these steps before running them and make changes where needed for your environment.

  1. Log in to the SYS schema and create a new tablespace to hold the Text index internal tables. You can use the following sample command. Replace DATA_DIR with the directory in which you want to store the data file, and adjust the size and other parameters as necessary for your environment.

    CREATE TABLESPACE catalog_text_ind_tables
     DATAFILE 'DATA_DIR/catalog_text_ind_tables_01.dbf' SIZE 2048M REUSE
     EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO;
    
  2. Connect to the database using OIM schema.

  3. Create a storage preference using the commands below. Oracle recommends that you be familiar with the BASIC_STORAGE clause of Oracle Text and add more storage clauses if required. You can find more information on BASIC_STORAGE in the Oracle Text Reference.

    -- Create the storage preference; the table and index clauses below attach to it.
    BEGIN
      ctx_ddl.create_preference('cat_storage', 'BASIC_STORAGE');
    END;
    /

    -- $I table: tokens and their posting lists (the bulk of the index).
    BEGIN
      ctx_ddl.set_attribute('cat_storage', 'I_TABLE_CLAUSE',
        'tablespace catalog_text_ind_tables storage (initial 5M next 5M)');
    END;
    /

    -- $K table: keymap between base-table rowids and Text docids.
    BEGIN
      ctx_ddl.set_attribute('cat_storage', 'K_TABLE_CLAUSE',
        'tablespace catalog_text_ind_tables storage (initial 5M next 5M)');
    END;
    /

    -- $R table: docid-to-rowid array stored as a LOB; keep it cached.
    BEGIN
      ctx_ddl.set_attribute('cat_storage', 'R_TABLE_CLAUSE',
        'tablespace catalog_text_ind_tables storage (initial 1M) lob (data) store as (cache)');
    END;
    /

    -- $N table: docids of deleted rows awaiting optimization.
    BEGIN
      ctx_ddl.set_attribute('cat_storage', 'N_TABLE_CLAUSE',
        'tablespace catalog_text_ind_tables storage (initial 1M)');
    END;
    /

    -- $X: B-tree index on the $I table, with key compression.
    BEGIN
      ctx_ddl.set_attribute('cat_storage', 'I_INDEX_CLAUSE',
        'tablespace catalog_text_ind_tables storage (initial 1M) compress 2');
    END;
    /
    
  4. Apply the new storage preference using the following command. Make sure the Text index status is valid after this step.

    ALTER INDEX CAT_TAGS rebuild parameters ('replace storage cat_storage');
    
  5. Verify that the above tables have been moved to the new tablespace by querying USER_SEGMENTS.

KEEP Pool Settings for Text Index:

Oracle recommends putting all the tables that make up the Text index in the database KEEP pool to improve the performance of Access Request Catalog search. You must size the KEEP pool (DB_KEEP_CACHE_SIZE) correctly so that these Text index tables and other OIM objects are retained in the KEEP pool. To do so:

  1. Connect to the database using OIM schema.

  2. Compute the size of the Text index using the following query and use the result to set or adjust DB_KEEP_CACHE_SIZE accordingly.

    SELECT ctx_report.index_size('CAT_TAGS') FROM dual;
    
  3. Run the following commands as OIM schema user to put the tables in KEEP pool.

    ALTER INDEX DR$CAT_TAGS$X STORAGE (buffer_pool keep);
    ALTER TABLE DR$CAT_TAGS$R STORAGE (buffer_pool keep);
    ALTER TABLE DR$CAT_TAGS$R STORAGE (buffer_pool keep) MODIFY lob (data) (STORAGE (buffer_pool keep));
    ALTER TABLE DR$CAT_TAGS$K STORAGE (buffer_pool keep);
    ALTER TABLE DR$CAT_TAGS$I STORAGE (buffer_pool keep);
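
An added check, not part of the Oracle documentation, that a DBA can run as the OIM schema user after the tablespace move (steps 4 and 5 above) and the KEEP pool changes: it confirms that the CAT_TAGS domain index is valid, that every DR$CAT_TAGS$ segment (including the $R LOB segment) sits in catalog_text_ind_tables, and that the $I, $K and $R tables and the $X index report BUFFER_POOL = KEEP. The tablespace and object names are the ones used in the steps above; any finding is printed and the block ends with an error so it can be used in a scripted maintenance run.

```sql
SET SERVEROUTPUT ON
DECLARE
  v_bad      PLS_INTEGER := 0;
  v_status   user_indexes.domidx_status%TYPE;
  v_opstatus user_indexes.domidx_opstatus%TYPE;
BEGIN
  -- 1. The domain index must be VALID after the REBUILD in step 4.
  SELECT domidx_status, domidx_opstatus
    INTO v_status, v_opstatus
    FROM user_indexes
   WHERE index_name = 'CAT_TAGS';
  IF v_status <> 'VALID' OR v_opstatus <> 'VALID' THEN
    v_bad := v_bad + 1;
    DBMS_OUTPUT.PUT_LINE('CAT_TAGS index status: ' || v_status || ' / ' || v_opstatus);
  END IF;

  -- 2. Every internal segment must live in the tablespace created in step 1.
  --    LOB segments carry system-generated names, so they are resolved via USER_LOBS.
  FOR s IN (SELECT segment_name, segment_type, tablespace_name
              FROM user_segments
             WHERE segment_name LIKE 'DR$CAT_TAGS$%'
                OR segment_name IN (SELECT segment_name FROM user_lobs
                                     WHERE table_name LIKE 'DR$CAT_TAGS$%'))
  LOOP
    IF s.tablespace_name <> 'CATALOG_TEXT_IND_TABLES' THEN
      v_bad := v_bad + 1;
      DBMS_OUTPUT.PUT_LINE(s.segment_type || ' ' || s.segment_name ||
                           ' is in tablespace ' || s.tablespace_name);
    END IF;
  END LOOP;

  -- 3. Objects altered with STORAGE (buffer_pool keep) must report KEEP.
  FOR o IN (SELECT table_name AS name, buffer_pool
              FROM user_tables
             WHERE table_name IN ('DR$CAT_TAGS$I', 'DR$CAT_TAGS$K', 'DR$CAT_TAGS$R')
            UNION ALL
            SELECT index_name, buffer_pool
              FROM user_indexes
             WHERE index_name = 'DR$CAT_TAGS$X')
  LOOP
    IF o.buffer_pool <> 'KEEP' THEN
      v_bad := v_bad + 1;
      DBMS_OUTPUT.PUT_LINE(o.name || ' buffer_pool is ' || o.buffer_pool);
    END IF;
  END LOOP;

  IF v_bad > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, v_bad || ' CAT_TAGS storage check(s) failed');
  END IF;
  DBMS_OUTPUT.PUT_LINE('CAT_TAGS storage checks passed');
END;
/
```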
    

16.3.3.2 Text Index Optimization

The Text index can become fragmented because of the ongoing Catalog Synchronization. Optimizing the Text index on a regular basis removes old data and minimizes fragmentation, which can improve the search performance of Access Request Catalog. For this purpose, Oracle Identity Manager has introduced the following Oracle Database scheduler jobs:

  • FAST_OPTIMIZE_CAT_TAGS

  • REBUILD_OPTIMIZE_CAT_TAGS

These jobs reside in the OIM database schema and are disabled by default. Oracle strongly recommends that you review these jobs, change their schedules if needed, and enable them. When changing the schedule, make sure the new schedule is set on the same line as the default schedule.

FAST_OPTIMIZE_CAT_TAGS is meant to run on a frequent basis. By default, it is scheduled to run once a day at 1 AM. REBUILD_OPTIMIZE_CAT_TAGS does a full optimization and rebuilds the Text index; it is not meant to run frequently. By default, REBUILD_OPTIMIZE_CAT_TAGS is scheduled to run every Sunday at 2 AM. Note that optimization may take a long time if your Text index is large.

Perform the following steps to change the schedule and/or enable these jobs.

  1. Make sure the default schedule (daily at 1 AM for FAST and every Sunday at 2 AM for REBUILD) is acceptable for your environment. If not, change the schedule. If you are not sure, you can keep the default schedule and change it later when needed.

  2. Enable the jobs using the following commands:

    BEGIN
    DBMS_SCHEDULER.ENABLE ('FAST_OPTIMIZE_CAT_TAGS');
    END;
    /
     
    BEGIN
    DBMS_SCHEDULER.run_job ('REBUILD_OPTIMIZE_CAT_TAGS');
    END;
    /
    

    Note:

    The Text index optimization can be performed while the server is up and Access Request Catalog searches are taking place.
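An added example, not from the Oracle documentation, of inspecting and adjusting the two optimization jobs from the OIM schema before enabling them: the query shows each job's current state, repeat interval and action, and the block changes the schedules with DBMS_SCHEDULER.SET_ATTRIBUTE and then enables both jobs. The 03:00 daily and Saturday 02:00 times are assumed values chosen for illustration, not Oracle's defaults.

```sql
SET SERVEROUTPUT ON
SET LINESIZE 200
-- Current definition and state of both jobs as shipped in the OIM schema.
SELECT job_name, enabled, state, repeat_interval, next_run_date, job_action
  FROM user_scheduler_jobs
 WHERE job_name IN ('FAST_OPTIMIZE_CAT_TAGS', 'REBUILD_OPTIMIZE_CAT_TAGS');

-- Move FAST to 03:00 daily and REBUILD to Saturday 02:00 (assumed example
-- windows; pick the ones that suit your maintenance calendar), then enable
-- both jobs. Schedule changes take effect from the next scheduled run.
BEGIN
  DBMS_SCHEDULER.SET_ATTRIBUTE(
    name      => 'FAST_OPTIMIZE_CAT_TAGS',
    attribute => 'repeat_interval',
    value     => 'FREQ=DAILY;BYHOUR=3;BYMINUTE=0;BYSECOND=0');
  DBMS_SCHEDULER.SET_ATTRIBUTE(
    name      => 'REBUILD_OPTIMIZE_CAT_TAGS',
    attribute => 'repeat_interval',
    value     => 'FREQ=WEEKLY;BYDAY=SAT;BYHOUR=2;BYMINUTE=0;BYSECOND=0');
  DBMS_SCHEDULER.ENABLE('FAST_OPTIMIZE_CAT_TAGS');
  DBMS_SCHEDULER.ENABLE('REBUILD_OPTIMIZE_CAT_TAGS');
END;
/

-- Confirm both jobs are now enabled and that the computed next run dates
-- fall in the intended windows.
SELECT job_name, enabled, repeat_interval, next_run_date
  FROM user_scheduler_jobs
 WHERE job_name IN ('FAST_OPTIMIZE_CAT_TAGS', 'REBUILD_OPTIMIZE_CAT_TAGS');
```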

16.4 Managing the Lifecycle of the Catalog

This section describes how to move Catalog customizations from a test environment to a production environment. You can extend the Catalog, customize the Catalog UI, and develop and test the customizations in a test environment, and then eventually roll out the customizations to your production environment.

This section includes the following topics:

Figure 16-2 Test to Production Process for Catalog

16.4.1 Overview of Catalog Customization

While the Access Request Catalog in Oracle Identity Manager 11g R2 provides robust and rich out-of-the-box functionality, there may be scenarios where you need to extend the Catalog and customize it to meet your business needs.

The following scenarios illustrate common cases where the Catalog may require customization.

  • MyCorp would like to add additional attributes, such as Cost to Line of Business and License required, to give the requester an idea of the cost that would be incurred by the Line of Business when the requested item is granted. To support this scenario, the Catalog Administrator extends the Catalog and adds two additional attributes: Cost to Line of Business, a numeric attribute, and License required, a Boolean attribute. Next, the administrator customizes the Catalog search results and the Catalog item details page.

  • MyCorp would like to show the Risk associated with an entitlement as part of Catalog search results. To support this scenario, the Catalog Administrator customizes the Catalog search results and adds the item risk as an image widget.

These customizations will be implemented by System Integrators or the customer's own IT staff and need to be moved to Test and to Production.

Figure 16-1 shows the high-level process of moving customizations from Test to Production for the Catalog. Catalog customizations have three components:

  1. ADF customizations

    ADF customizations include Catalog UI customizations (search results, item details, and cart details) and Catalog attributes added or modified using the Form Designer. These customizations should be done within a Sandbox session. For more information on Sandboxes, refer to Section 16.4.2, "Test to Production procedures for Catalog customizations".

  2. Oracle Identity Manager metadata customizations

    When you add new attributes to the Catalog entity or modify an existing attribute and change its properties, additional metadata is generated in Oracle Identity Manager. For example, if a new attribute, Secondary Approver, is added to the Catalog entity using the Form Designer, Oracle Identity Manager adds a database column corresponding to the attribute. If the attribute is searchable, Oracle Identity Manager stores additional metadata. These customizations should be moved from Test to Production using the Deployment Manager.

  3. Data Migration

    After adding or modifying attributes in the Catalog, the Catalog needs to be populated with relevant information to make it business-friendly and provide enough information for users to use the Catalog effectively. Once this additional information, also referred to as the Glossary, has been reviewed and approved, it needs to be moved to Production.

16.4.2 Test to Production procedures for Catalog customizations

This section describes the steps to perform for moving the Catalog definition from Test to Production. It consists of the following steps:

Depending on the type of customization done, you may need one or both of the steps. Use Table 16-2 to determine which steps to carry out.

Table 16-2 Catalog Customization Steps

  Customization                                 Sandbox required   Deployment Manager required
  --------------------------------------------  -----------------  ---------------------------
  Adding/Modifying a seeded Catalog attribute   Yes                Yes
  Adding/Modifying a Catalog UDF                Yes                Yes
  Customizing Catalog UI                        Yes                No
  Populating Catalog                            No                 No



16.4.2.1 Exporting using the Sandbox and Deployment Manager

To Export Using Sandbox

To move the ADF customizations from Test to Production, follow the steps given below:

  1. Login to the Oracle Identity System Administration Console as a member of the System Administrator role.

    Note:

    In scenarios where you need to switch between the Self Service (or Identity) and System Administration consoles and the Oracle Identity Manager 11g R2 deployment is not protected by Single Sign-On, you must log out of one console before logging in to the other.

  2. Click Sandbox and select the Sandbox to be exported.

  3. Click Export Sandbox. A sandbox can be exported as a file for transporting, sharing, and other usages where packaging it as a file is required.

  4. Specify a file location for the zip file created.

To Export Using Deployment Manager

Note:

Make sure that you do not have any popup blockers enabled in your browser and that you have a supported Java Runtime Environment (JRE) installed in the browser. This is because the Deployment Manager uses a popup window and it requires JRE to be installed in the browser.

To export the Oracle Identity Manager metadata from Test to Production, follow the steps given below:

  1. Login to the Oracle Identity System Administration Console as a member of the System Administrator or System Configurator role.

  2. Click Export.

  3. Select Catalog Metadata as the object to be exported.

  4. Enter * in the search field and click Search.

  5. Follow the steps to generate the Deployment Manager XML.

Note:

Perform the following optional steps as a best practice:

  • Back up or check in the sandbox zip file and the Deployment Manager XML as a single file into a source code control system such as Subversion or SourceSafe.

  • Repeat the steps above in the target (Production) environment and backup the Catalog entity and the Catalog UI.

16.4.2.2 Importing Using the Deployment Manager and Sandbox

Importing the customizations should be done in the reverse order. This is required since the ADF customizations expect the Oracle Identity Manager metadata to be present, when the ADF customizations are imported.

To Import Using Deployment Manager

To import the Oracle Identity Manager metadata from Test to Production:

  1. Login to the Oracle Identity System Administration Console as a member of the System Administrator or System Configurator role.

  2. Click Import.

  3. In the File browser popup, select the Deployment Manager XML file to be imported.

  4. Follow the wizard steps to import the XML.

To import using the Sandbox

To move the ADF customizations from Test to Production:

  1. Login to the Identity or Oracle Identity System Administration Console as a member of the System Administrator role.

    Note:

    In scenarios where you need to switch between the Self Service (or Identity) and System Administration consoles and the Oracle Identity Manager 11g R2 deployment is not protected by Single Sign-On, you must log out of one console before logging in to the other.

  2. Click Sandbox and then click Import Sandbox.

  3. In the dialog, select the file to be imported.

  4. Click Import.

  5. In the Sandbox Manager, select the sandbox and click Publish Sandbox.

  6. Logout and log back in to view and verify the changes.

16.4.3 Limitations of the Test to Production procedures

There are some limitations in the Test to Production process for the Catalog, including the following:

  • All ADF customizations must be done within a single sandbox session. While you can have multiple sandboxes, only one sandbox can be active at a time and as a result, changes in the System Administration Console i.e. Catalog entity extension and those done in the Identity Console, that is, Catalog UI customization, must be done in the same sandbox.

  • Changes made outside a sandbox, whether before creating and activating the sandbox or after, are not visible in the sandbox.

  • Once you publish a sandbox, you cannot export it or revert it. As a result, you must export the sandbox while it is still activated and not yet published, and you must also back up your customizations before you import and publish a sandbox.

  • Deployment Manager imports are committed immediately. There is no rollback capability in the Deployment Manager.

16.5 Troubleshooting

This section describes the troubleshooting procedures to be followed while resolving issues with the Access Request Catalog. It contains the following topics:

16.5.1 Catalog synchronization issues

Catalog synchronization issues occur when roles, application instances, and entitlements are not visible in the Access Request Catalog. Use the flow charts given below to troubleshoot synchronization issues for each of the three Catalog item types that can be requested.

Note:

The harvesting job picks up the data to harvest on the basis of the Update date parameter. If the Update date parameter is blank, all records are fetched for processing. However, if the user has specified a date in the Update date parameter, only data created or updated after the given date is processed.

  • Troubleshooting synchronizing Roles with the Catalog

    The synchronization of Roles with the Catalog is real-time in nature. When a role is created, it is published to the Catalog immediately as long as it does not belong to the OIM Roles category.

Note:

The OIM Roles role category is meant for OIM usage only. Customers should not use this category for their enterprise Roles.

In a new Oracle Identity Manager 11g R2 installation, enterprise roles created by customers will be available in the Catalog and the visibility will be based on the organization scoping. In an upgraded environment, customers will have to run the Catalog Synchronization job in a bootstrap mode to publish the existing roles to the Catalog. New roles, created after upgrade, will be available in the Catalog immediately.

Figure 16-3 shows a diagnostic flowchart that customers can use to troubleshoot scenarios where the roles created in Oracle Identity Manager are not visible in the Catalog.

Figure 16-3 Catalog Synchronization Diagnostic Flowchart

16.5.2 Catalog security issues

Catalog security is driven by two factors:

  • The security model that uses Organization-based scoping for users, roles, application instances and entitlements. This security model controls what items a requester can see in the Catalog search results and the users who can be added as target users.

  • The security model that is not scoped by organization and is used for global Admin Roles such as Catalog Administrator.

Typical issues with Catalog security are:

  • Requesters cannot see the Catalog item even though they have entered the correct search keyword.

  • Requesters are not able to add target users to the request.

  • Requesters are not able to provide additional information for application instance requests.

  • Requesters cannot see Catalog Item details such as Approver User, Approver Role, Fulfillment User, and Fulfillment Role.

  • Catalog Administrators do not see the Catalog Item in edit mode and are not able to edit the Catalog Item.

  • Catalog Administrators are not able to create Request Profiles.

Figure 16-6 shows a diagnostic flow chart to be followed to troubleshoot issues with Catalog security.

Figure 16-6 Diagnostic Flowchart With Security Issues

16.5.3 Catalog Search Issues

Figure 16-7 shows a diagnostic flow chart to be followed to troubleshoot issues with Catalog search.

Figure 16-7 Catalog Search