Oracle® Fusion Middleware Developer's Guide for Oracle Identity Manager
11g Release 2 (11.1.2)
Part Number E27150-04
Oracle Identity Manager is an enterprise identity management system that manages user's access privileges in enterprise IT resources by controlling users, roles, accounts, and entitlements. It provides the functionalities for provisioning, identity and role administration, approval and request management, policy-based entitlement management, technology integration, and audit and compliance automation. Oracle Identity Manager is designed to administer intranet as well as extranet users, roles, and organizational access privileges across a company's resources throughout the entire identity management life cycle.
Oracle Identity Manager platform automates access rights management, security, and provisioning of IT resources. It connects users to resources, and revokes and restricts unauthorized access to protect sensitive corporate information.
This chapter contains the following sections:
Oracle Identity Manager provides a flexible Deployment Manager utility to assist in the migration of integration and configuration information between environments. The utility exports integration and configuration information as XML files. These files are then imported into the destination environment, which can be staging or production. You can use the XML files to archive configurations and maintain versions, as well as replicate integrations.
The Deployment Manager provides you with the flexibility to select what to import and export. It also helps you to identify data object dependencies during both import and export steps. This flexibility enables you to merge integration work done by multiple people and to ensure the integrity of any migration.
Oracle Identity Manager provides a browser-based customization framework that does not require writing code or relying on developers. The interface is based on Application Development Framework (ADF), which ensures that all customizations are consistent and preserved across upgrades and patches. The browser-based customization can be performed by using the Oracle Web Composer.
Oracle Identity Manager also provides business-friendly user personalization by enabling users to save and reuse frequently-searched items, configure columns in the search results table, and sort and filter data.
Oracle Identity Manager abstracts and simplifies the configuration complexities through a business user-friendly extension framework for all entities. This allows users to extend the user, role, organization, catalog, and resource schemas by using the Form Designer. In addition, Web browser-based management of disconnected applications is allowed instead of cumbersome configuration in the Design Console. The SOA Tasklist embedded in Oracle Identity Manager simplifies disconnected application fulfillment, in which the provisioning of a disconnected resource is performed manually. To do so, it leverages additional features of the SOA Tasklist, such as reassigning or suspending manual application fulfillment.
You can deploy Oracle Identity Manager in single or multiple server instances. Multiple server instances provide optimal configuration options, supporting geographically dispersed users and resources for increased flexibility, performance, and control. The Java 2 Enterprise Edition (J2EE) application server model of Oracle Identity Manager also provides scalability, fault tolerance, redundancy, failover, and system load balancing. As deployments grow, moving from a single server to a multiserver implementation is a seamless operation.
To lower cost, minimize complexity, and leverage existing investments, Oracle Identity Manager is built on an open architecture. This allows Oracle Identity Manager to integrate with and leverage existing software and middleware already implemented within the IT infrastructure of an organization. For example, if an implementation requires integrating with an existing customer portal, then the advanced APIs of Oracle Identity Manager offer programmatic access to a comprehensive set of system functions. This allows IT staff to customize any part of its Oracle Identity Manager provisioning implementation to meet the specific needs of the organization.
Oracle Identity Manager enables you to define unlimited user organizational hierarchies and roles. It supports inheritance, customizable user ID policy management, password policy management, and user access policies that reflect customers' changing business needs. It also helps you to manage application parameters and entitlements, and to view a history of resource allocations. In addition, it provides delegated administration with comprehensive permission settings for user management.
Oracle Identity Manager contains a customizable, Web-based Oracle Identity Manager Self Service interface that supports most user management tasks.
Oracle Identity Manager contains a customizable Web-based, user self-service portal. This portal enables management of user information, self registration, changing passwords, resetting forgotten passwords, retrieving forgotten user login, requesting available applications, reviewing and editing available entitlements, and initiating or reacting to workflow tasks.
Oracle Identity Manager is built on Java EE architecture. The J2EE application server model of Oracle Identity Manager provides scalability, failover, load balancing, and Web deployment. It is based on an open, standards-based technology and has a three-tier architecture (the client application, an Oracle Identity Manager supported J2EE-compliant Application Server, and an ANSI SQL-compliant database). Oracle Identity Manager can provision LDAP-enabled and non-LDAP-enabled applications.
Java EE is a standard, robust, scalable, and secure platform that forms the basis for many enterprise applications. Oracle Identity Manager runs on leading Java EE compliant application server platforms, including Oracle WebLogic, to take advantage of the performance and scalability features inherent in these servers. Java EE defines a set of standardized, modular components, provides a complete set of services to those components, and handles many details of the application behavior.
The application server, on which Oracle Identity Manager runs, provides the life-cycle management, security, deployment, and run-time services to the logical components that constitute the Oracle Identity Manager application. These services include:
Scalable management of resources through clustering and failover: A cluster in Java EE architecture is defined as a group of two or more Java EE compliant Web or application servers that cooperate with each other through transparent object replication mechanisms to ensure that each server in the group presents the same content. Each server or node in the cluster is identical in configuration and acts as a single virtual server. Any Java EE server in the cluster can handle client requests directed to this virtual server independently, which gives the impression of a single entity hosting the Java EE application in the cluster.
High availability refers to the capability to ensure that applications hosted in the middle tier remain consistently accessible and operational to the clients. This is achieved through the redundancy of multiple Web and application servers within the cluster, and is implemented by the failover mechanisms of the cluster. If an application component fails to process its task, then the cluster's failover mechanism reroutes the task and any supporting information to a copy of the object on another server to continue the task. Oracle Identity Manager supports a clustered environment. This includes ensuring that the EJBs and the Value Objects used to store data support serialization for the object replication to work.
Transaction management through load balancing: Load balancing refers to the capability to optimally partition inbound client processing requests across all the Java EE servers that constitute a cluster based on certain factors, such as capacity, availability, response time, current load, historical performance, and administrative priorities placed on the clustered servers. A load balancer, which can be based on software or hardware, sits between the Internet and the physical server cluster, acting as a virtual server. When each client request arrives, the load balancer decides how the Java EE server satisfies that request.
Security management: Oracle Identity Manager architecture relies on the application server for certain security services as part of its overall security infrastructure. In addition, Oracle Identity Manager leverages the Java EE security framework to provide a secure application environment. It also has a flexible permission model to provide control over the various functions within the application.
Messaging: The basic concept behind messaging is that distributed applications can communicate by using a self-contained package of business data and routing headers. These packages are called messages. While RMI and HTTP rely on a two-way active communication between a client and a server, messaging relies on two or more interested parties communicating asynchronously through a messaging server without waiting for a response. Java Messaging Service (JMS) is a wrapper API incorporated in the J2EE standard as a way to standardize messaging functionality. All standard application servers provide their own JMS server implementations as a part of their service offerings.
Oracle Identity Manager incorporates leading industry standards. For example, Oracle Identity Manager components are fully based on a J2EE architecture, so customers can run them from within their standard application server environments. Complete J2EE support results in performance and scalability benefits while aligning with existing customer environments to leverage in-house expertise.
Oracle develops its identity management products on a foundation of current and emerging standards. For example, Oracle is a Management Board member of Liberty Alliance, and incorporates Liberty Alliance developments in its solutions. Oracle participates in the Provisioning Services Technical Committee (PSTC), which operates under the auspices of the Organization for the Advancement of Structured Information Standards (OASIS).
With Oracle Identity Manager, you can create business and provisioning process models in easy-to-use applications. Process models include support for approval workflows and escalations. You can track the progress of each provisioning event, including the current status of the event and error code support. Oracle Identity Manager supports complex, branching, and nested processes with data interchange and dependencies. The process flow is fully customizable and does not require programming.
Oracle Identity Manager enables you to package new processes, import and export existing ones, and move packages from one system to another.
The use of workflow and policy to automate business and IT processes can lead to improved operational efficiency, enhanced security, and more cost-effective compliance tracking. Oracle Identity Manager provides the following features in this category.
Oracle Identity Manager enables policy-based automated provisioning of resources with fine-grained entitlements. For any set of users, administrators can specify access levels for each resource to be provisioned, granting each user only the exact level of access required to complete the job. These policies can be driven by user roles or attributes, enabling implementation of role-based access control as well as attribute-based access control. Effective blending of role-based and attribute-based policies is key to a scalable and manageable organization provisioning solution.
A request goes through multiple approvals before it is executed. When the request is submitted, it must acquire approvals at different levels. An approval in the system can be configured by using an approval policy. An approval policy defines the approval process to be invoked and the approval rules associated with the policy. These approval rules help the request engine to select the approval process. Business analysts can define approval policies and approval rules.
Oracle Identity Manager supports the separation of approval and provisioning workflows. An approval workflow enables an organization to model its preferred approval processes for managing resource access requests. A provisioning workflow enables an organization to automate IT tasks for provisioning resources with the most complex of provisioning procedures.
The separation of these two workflows empowers business and IT process owners to manage work efficiently with minimum cross-process interferences. It also enables an organization to leverage existing workflows already deployed in systems such as a help desk and HRMS. Oracle Identity Manager provides the Workflow Visualizer that allows business users, administrators, and auditors to visualize task sequences and dependencies to understand process flow and the Workflow Designer to edit and manage the process flow.
Dynamic Error Handling
The error-handling capability of Oracle Identity Manager enables you to handle exceptions that occur during provisioning. Frequent problems, for example, absence of resources, do not stop the entire provisioning transaction or cause it to fail. Business logic defined within the provisioning workflow offers customized fail-safe capabilities within an Oracle Identity Manager implementation.
Based on embedded state management capabilities, Oracle Identity Manager provides the high level of transaction integrity required by other mission-critical organization systems. Oracle Identity Manager features a state engine with rollback and recovery capabilities. When a provisioning transaction fails or is stopped, the system is able to recover and roll back to the last successful state or reroute to a different path, in accordance with predefined rules.
Real-Time Request Tracking
To maintain better control and provide improved visibility into all provisioning processes, Oracle Identity Manager enables users and administrators to track request status in real time, at any point during a provisioning transaction.
Identity management forms a key component in any audit compliance solution of an organization. Oracle Identity Manager helps an organization to minimize risk and reduces the cost of meeting internal and external governance and security audits. This section discusses the features of Oracle Identity Manager that are listed in the audit and compliance management category.
Reconciliation is one of the significant capabilities of Oracle Identity Manager that enables it to monitor and track the creation, update, and deletion of accounts across all managed resources. The process of reconciliation is performed by the reconciliation engine. If Oracle Identity Manager detects accounts or changes to user access privileges that were made beyond its control, then the reconciliation engine can immediately take corrective action, such as undoing the change or notifying you. Oracle Identity Manager also helps you to detect and map existing accounts in target resources. This helps in the creation of an organization-wide identity and access profile for each employee, partner, or customer user.
Rogue and Orphan Account Management
A rogue account is an account created "out of process" or beyond the control of the provisioning system. An orphan account is an operational account without a valid owner. These accounts represent serious security risks to an organization. Oracle Identity Manager can monitor rogue and orphan accounts continuously. By combining denial access policies, workflows, and reconciliation, an organization can perform the required corrective actions when such accounts are discovered, in accordance with security and governance policies.
Oracle Identity Manager can also manage the life cycle of special service accounts, also known as administrator accounts. These accounts have special life cycle requirements that extend beyond the life cycle of an assigned user and across the life cycles of multiple assigned users. Proper management of service accounts can help to eliminate another source of potential orphan accounts.
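The reconciliation and rogue/orphan account concepts above, as an added illustrative example that is not Oracle Identity Manager code: a constructed snapshot of accounts seen on a target system is compared with the provisioning system's own records, and each account is classified as managed, rogue (created out of process), orphan (no valid owner), deleted outside the system, or a service account with its own life cycle. All users, accounts, and the snapshot are constructed for the example.

```python
"""Illustrative reconciliation pass (added example, not Oracle Identity Manager code).

Classifies accounts the way the chapter describes: rogue accounts exist on the
target but were never provisioned by the system; orphan accounts were
provisioned but have no valid owner; service accounts have their own life cycle
and must not be reported as orphans just because a user record changed.
"""
from enum import Enum


class Status(Enum):
    MANAGED = "managed"    # provisioned by the system, owner active
    ROGUE = "rogue"        # on the target, never provisioned by the system
    ORPHAN = "orphan"      # provisioned, but owner missing or disabled
    SERVICE = "service"    # service/administrator account, separate life cycle
    DELETED = "deleted"    # provisioned, but no longer present on the target


# Constructed user records held by the provisioning system.
USERS = {
    "jdoe": {"status": "Active"},
    "asmith": {"status": "Disabled"},
}

# Constructed provisioning records: target login -> owner and account type.
PROVISIONED = {
    "jdoe_crm": {"owner": "jdoe", "service_account": False},
    "asmith_crm": {"owner": "asmith", "service_account": False},
    "batch_loader": {"owner": "jdoe", "service_account": True},
    "rwhite_crm": {"owner": "rwhite", "service_account": False},  # owner deleted
    "mlee_crm": {"owner": "mlee", "service_account": False},
}

# Constructed snapshot of logins a reconciliation run read from the target.
TARGET_SNAPSHOT = ["jdoe_crm", "asmith_crm", "batch_loader", "rwhite_crm", "tmp_admin"]

# Corrective action the chapter mentions: undo the change or notify an administrator.
ACTIONS = {
    Status.ROGUE: "notify administrator; apply denial access policy",
    Status.ORPHAN: "notify administrator; start deprovisioning workflow",
    Status.DELETED: "notify administrator; re-provision or close the record",
    Status.SERVICE: "none; service account life cycle applies",
    Status.MANAGED: "none",
}


def classify(login, provisioned=PROVISIONED, users=USERS, snapshot=TARGET_SNAPSHOT):
    """Classify one target login against the provisioning system's records."""
    record = provisioned.get(login)
    if record is None:
        return Status.ROGUE          # target has it, the system never created it
    if login not in snapshot:
        return Status.DELETED        # removed on the target outside the system
    if record["service_account"]:
        return Status.SERVICE        # ownership checked by its own life cycle
    owner = users.get(record["owner"])
    if owner is None or owner["status"] != "Active":
        return Status.ORPHAN         # operational account with no valid owner
    return Status.MANAGED


def reconcile(provisioned=PROVISIONED, users=USERS, snapshot=TARGET_SNAPSHOT):
    """Return {login: (status, corrective action)} for every login on either side."""
    logins = set(snapshot) | set(provisioned)
    result = {}
    for login in sorted(logins):
        status = classify(login, provisioned, users, snapshot)
        result[login] = (status, ACTIONS[status])
    return result


if __name__ == "__main__":
    for login, (status, action) in reconcile().items():
        print(f"{login:14} {status.value:8} {action}")
```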
Comprehensive Reporting and Auditing
Oracle Identity Manager reports on both the history and the current state of the provisioning environment. Some of the identity data captured by Oracle Identity Manager includes user identity profile history, role membership history, user resource access, and fine-grained entitlement history. Oracle Identity Manager also captures data generated by its workflow, policy, and reconciliation engines. By combining this data along with identity data, an organization has all the required data to address any identity and access-related audit inquiry.
Attestation, also referred to as recertification, is a key part of Sarbanes-Oxley compliance and a highly recommended security best practice. Organizations meet these attestation requirements mostly through manual processes based on spreadsheet reports and e-mails. These manual processes tend to be fragmented, are difficult and expensive to manage, and have little data integrity and auditability.
Oracle Identity Manager offers an attestation feature that can be deployed quickly to enable an organization-wide attestation process that provides automated report generation, delivery, and notification. Attestation reviewers can review fine-grained access reports within an interactive user interface that supports fine-grained certify, reject, decline, and delegate actions. All report data and reviewer actions are captured for future auditing needs. Reviewer actions can optionally trigger corrective action by configuring the workflow engine of Oracle Identity Manager.
A scalable and flexible integration architecture is critical for the successful deployment of organization provisioning solutions. Oracle Identity Manager offers a proven integration architecture and predefined connectors for fast and low-cost deployments.
Integrating most provisioning systems with managed resources is not easy. Connecting to proprietary systems might be difficult. The Adapter Factory eliminates the complexity associated with creating and maintaining these connections. The Adapter Factory provided by Oracle Identity Manager is a code-generation tool that enables you to create Java classes.
The Adapter Factory provides rapid integration with commercial or custom systems. Users can create or modify integrations by using the graphical user interface of the Adapter Factory, without programming or scripting. When connectors are created, Oracle Identity Manager repository maintains their definitions, creating self-documenting views. You use these views to extend, maintain, and upgrade connectors.
Oracle Identity Manager offers an extensive library of predefined connectors for commercial applications and other identity-aware systems that are used widely. By using these connectors, an organization can get a head start on application integration. Each connector supports a wide range of identity management functions. These connectors use the most appropriate integration technology recommended for the target resource, whether it is proprietary or based on open standards. These connectors enable out-of-the-box integration between a set of heterogeneous target systems and Oracle Identity Manager. Because the connectors provide a set of components that were originally developed by using the Adapter Factory, you can further modify them with the Adapter Factory to enable the unique integration requirements of each organization.
Generic Technology Connectors
If you do not need the customization features of the Adapter Factory to create your custom connector, you can use the Generic Technology Connector (GTC) feature of Oracle Identity Manager to create the connector.
The Identity Connector Framework (ICF) decouples the connectors from Oracle Identity Manager. As a result, connectors can be used with any product. Identity connectors are designed to separate the implementation of an application from the dependencies of the system that the application is attempting to connect to.
Provisioning provides outward flow of user information from Oracle Identity Manager to a target system. Provisioning is the process by which an action to create, modify, or delete user information in a resource is started from Oracle Identity Manager and passed into the resource. The provisioning system communicates with the resource and specifies changes to be made to the account.
Provisioning includes the following:
Automated user identity and account provisioning: This manages user identities and accounts in multiple systems and applications. For example, when an employee working in the payroll department is created in the human resources system, accounts are also automatically created for this user in the e-mail, telephone, accounting, and payroll reports systems.
Workflow and policy management: This enables identity provisioning. Administrators can use interfaces provided by provisioning tools to create provisioning processes based on security policies.
Reporting and auditing: This enables creating documentation of provisioning processes and their enforcement. This documentation is essential for audit, regulatory, and compliance purposes.
Attestation: This enables administrators to confirm users' access rights on a periodic basis.
Access deprovisioning: When the access for a user is no longer required or valid in an organization, Oracle Identity Manager revokes access on demand or automatically, as dictated by role or attribute-based access policies. This ensures that a user's access is promptly terminated where it is no longer required. This is done to minimize security risks and prevent paying for access to costly resources, such as data services.
Before deploying and using Oracle Identity Manager, you must ensure that your environment meets the minimum installation requirements.
The following URL contains information about supported installation types, platforms, operating systems, databases, JDKs, and third-party products for Oracle Fusion Middleware: