4 Developing Application Instances

Application instance is a provisionable entity. It is a combination of IT resource instance (target connectivity and connector configuration) and resource object (provisioning mechanism). Application instances have business-friendly names that are easier to remember. Creating and managing application instances are performed by using the Oracle Identity System Administration.

Application instances can be connected or disconnected. A connected application instance has a connector defined for the provisioning of entities. A disconnected application instance is used for the provisioning of a disconnected resource, for which a connector is not defined, and therefore, the provisioning is performed manually by the administrator.

For information about application instance concepts and how to create and manage application instances, see "Managing Application Instances" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

This chapter describes how application developers can manage resource objects and IT resources manually. In addition, it describes the procedure to convert a disconnected application instance to a connected application instance.

This chapter includes the following topics related to managing resources, IT resources, and application instances:

4.1 Creating IT Resources

To create an IT resource:

Note:

The IT resource type is created before the IT resource can be created. The IT resource type can be created either by using the Design Console, or by importing the IT resource type using the Deployment Manager.
  1. Login to Oracle Identity System Administration.

  2. Under Configuration, click IT Resource. The Manage IT Resource page is displayed.

  3. Click Create IT Resource. The Create IT Resource wizard is displayed.

  4. On the Step 1: Provide IT Resource Information page, enter the following information:

    • IT Resource Name: Enter a name for the IT resource.

    • IT Resource Type: Select an IT resource type for the IT resource.

      If you want to create an IT resource of the Remote Manager type, then select Remote Manager from the IT Resource Type list.

    • Remote Manager: If you want to associate the IT resource with a particular remote manager, then select the remote manager from this list. If you do not want to associate the IT resource with a remote manager, then leave this field blank.

      Note:

      If you select Remote Manager from the IT Resource Type list, then you must not select a remote manager from the Remote Manager list.
  5. Click Continue.

  6. On the Step 2: Specify IT Resource Parameter Values page, specify values for the parameters of the IT resource, and then click Continue.

  7. On the Step 3: Set Access Permission to IT Resource page, if you want to assign roles to the IT resource and set access permissions for the roles, then:

    a. Click Assign Role.

    b. For the roles that you want to assign to the IT resource, select Assign and the access permissions that you want to set. For example, if you want to assign the ALL USERS role and set the Read and Write permissions to this role, then you must select the respective check boxes in the row, as well as the Assign check box, for this role.

    c. Click Assign.

  8. On the Step 3: Set Access Permission to IT Resource page, if you want to modify the access permissions of roles assigned to the IT resource, then:

    Note:

    You cannot modify the access permissions of the SYSTEM ADMINISTRATORS role. You can modify the access permissions of only other roles that you assign to the IT resource.

    a. Click Update Permissions.

    b. Depending on whether you want to set or remove specific access permissions for roles displayed on this page, select or deselect the corresponding check boxes.

    c. Click Update.

  9. On the Step 3: Set Access Permission to IT Resource page, if you want to unassign a role from the IT resource, then:

    Note:

    You cannot unassign the SYSTEM ADMINISTRATORS role. You can unassign only other roles that you assign to the IT resource.

    a. Select the Unassign check box for the role that you want to unassign.

    b. Click Unassign.

  10. Click Continue.

  11. On the Step 4: Verify IT Resource Details page, review the information that you provided on the first, second, and third pages. If you want to make changes in the data entered on any page, click Back to revisit the page and then make the required changes.

  12. To proceed with the creation of the IT resource, click Continue.

  13. The Step 5: IT Resource Connection Result page displays the results of a connectivity test that is run using the IT resource information. If the test is successful, then click Create. If the test fails, then you can perform one of the following steps:

    • Click Back to revisit the previous pages and then make corrections in the IT resource creation information.

    • Click Cancel to stop the procedure, and then begin from the first step onward.

    • Proceed with the creation process by clicking Continue. You can fix the problem later, and then rerun the connectivity test by using the Diagnostic Dashboard.

      Note:

      If no errors are encountered, then the label of the button is Create, not Continue.

      See "Test Basic Connectivity" on page 16-11 for more information.

  14. Click Finish.

4.2 Managing IT Resources

To locate an IT resource:

  1. In Oracle Identity System Administration, under Configuration, click IT Resource. The Manage IT Resource page is displayed.

  2. On the Manage IT Resource page, you can use one of the following search options to locate the IT resource that you want to view:

    • IT Resource Name: Enter the name of the IT resource, and then click Search.

    • IT Resource Type: Select the IT resource type of the IT resource, and then click Search.

    • Click Search.

On the Manage IT Resource page, the list of IT resources that meet the search criteria is displayed.

From this point onward, you can perform one of the following procedures on the IT resource:

4.2.1 Viewing IT Resources

To view an IT resource:

  1. From the list of IT resources displayed in the search results, click the IT resource name.

    Note:

    If you want to edit the IT resource, then click the edit icon in the same row.
  2. If you want to view the IT resource parameters and their values, then select Details and Parameters from the list at the top of the page. Similarly, if you want to view the administrative roles assigned to the IT resource, then select Administrative Roles from the list.

4.2.2 Modifying IT Resources

To modify an IT resource:

  1. From the list of IT resources displayed in the search results, click the edit icon for the IT resource that you want to modify.

  2. If you want to modify values of the IT resource parameters, then:

    1. Select Details and Parameters from the list at the top of the page.

    2. Make the required changes in the parameter values.

    3. To save the changes, click Update.

  3. If you want to modify the administrative roles assigned to the IT resource, first select Administrative Roles from the list at the top of the page and then perform the required modification.

  4. If you want to unassign an administrative role, select the Unassign check box in the row in which the role name is displayed and then click Unassign.

    Note:

    • When you click Unassign, the administrative roles that you select are immediately unassigned from the IT resource. You are not prompted to confirm that you want to unassign the selected administrative roles.

    • You cannot unassign the SYSTEM ADMINISTRATORS role.

  5. If you want to assign new administrative roles to the IT resource, then:

    1. Click Assign Role.

    2. For the administrative roles that you want to assign to the IT resource, select the access permission check boxes and the Assign check box.

    3. Click Assign.

  6. If you want to modify the access permissions of the administrative roles that are currently assigned to the IT resource, then:

    1. Click Update Permissions.

    2. Depending on the changes that you want to make, select or deselect the check boxes in the table.

      Note:

      You cannot change the access permissions of the SYSTEM ADMINISTRATORS role.
    3. To save the changes, click Update.

4.2.3 Deleting IT Resources

To delete an IT resource:

  1. From the list of IT resources displayed in the search results, click the Delete icon for the IT resource that you want to delete.

  2. To confirm that you want to delete the IT resource, click Confirm Delete.

Note:

Deleting IT resource instances soft-deletes the corresponding application instances.

4.3 Managing Resources By Using the Design Console

This chapter describes resource management in the Design Console. It contains the following sections:

Note:

You must use the System Administrator credentials to log in to the Design Console. Using non-System Administrator credentials to log in to the Design Console is not supported.

4.3.1 Overview of Resource Management

The Resource Management folder provides you with tools to manage Oracle Identity Manager resources. This folder contains the following forms:

  • IT Resources Type Definition: Use this form to create resource types that are displayed as lookup values on the IT Resources form.

  • Rule Designer: Use this form to create rules that can be applied to password policy selection, automatic role membership, provisioning process selection, task assignment, and prepopulating adapters.

  • Resource Objects: Use this form to create and manage resource objects. These objects represent resources that you want to make available to users and organizations.

See Also:

See Chapter 8, "Using the Adapter Factory" for more information about adapters and adapter tasks

4.3.2 IT Resources Type Definition Form

The IT Resources Type Definition form is in the Resource Management folder. You use the IT Resources Type Definition form to classify IT resource types, for example, AD, Microsoft Exchange, and Solaris. Oracle Identity Manager associates resource types with resource objects that it provisions to users and organizations.

After you define an IT resource type on this form, it is available for selection when you define an IT resource. The type is displayed in the Create IT Resource and Manage IT Resource pages of Advanced Administration.

IT resource types are templates for the IT resource definitions that reference them. If an IT resource definition references an IT resource type, the resource inherits all of the parameters and values in the IT resource type. The IT resource type is the general IT classification, for example, Solaris. The resource is an instance of the type, for example, Solaris for Statewide Investments. You must associate every IT resource definition with an IT resource type.

Figure 4-1 shows the IT Resources Type Definition form.

Figure 4-1 The IT Resources Type Definition Form

Description of Figure 4-1 follows
Description of "Figure 4-1 The IT Resources Type Definition Form"

Table 4-1 describes the fields of the IT Resources Type Definition form.

Table 4-1 Fields of the IT Resources Type Definition Form

Field Name Description

Server Type

The name of the IT resource type

Insert Multiple

Specifies whether or not this IT resource type can be referenced by more than one IT resource


Note:

If an IT resource must access an external resource but is not able to do so by using the network, you must associate it with a remote manager. For more information, see "Installing and Configuring a Remote Manager" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

4.3.2.1 Defining a Template (a Resource Type) for IT Resources

To define an IT resource type:

  1. Enter the name of the IT resource type in the Server Type field, for example, Solaris.

  2. To make the IT resource type available for multiple IT resources, select Insert Multiple.

  3. Click Save.

    The IT resource type is defined. You can select it when defining IT resources in the Create IT Resource page of Advanced Administration.

4.3.2.2 Tabs on the IT Resource Type Definition Form

After you save the basic information for a new IT resource type, and when an IT resource type is returned on a query, the fields on the tabs of the IT Resources Type Definition form's lower region are enabled.

The IT Resources Type Definition form contains the following tabs:

  • IT Resource Type Parameter tab

  • IT Resource tab

4.3.2.2.1 IT Resource Type Parameter Tab

You use the IT Resource Type Parameter tab to specify default values and encryption settings for all connection parameters for the IT resource type, as shown in Figure 4-1. Oracle recommends that you do not specify default values for passwords and encrypted fields. Parameters and values on this tab are inherited by all IT resources that reference this IT resource type.

When you define a new parameter, the parameter and its values and encryption settings are added to the current IT resource type and to any new or existing IT resource definitions that reference this IT resource type. For an applicable resource definition, the new parameter is displayed in the Details and Parameters section of the Create IT Resource and Manage IT Resource pages of Advanced Administration.

Note:

You can customize the values and encryption settings for these parameters within each IT resource.

Adding a Parameter to an IT Resource Type

To add a parameter to an IT Resource Type:

  1. Click Add.

    A new row is displayed in the IT Resource Type Parameter tab.

  2. In the Field Name field, enter the name of the parameter.

  3. In the Default Field Value field, enter a default value.

    This value is inherited by all IT resources that reference this IT resource type

  4. Select or clear the Encrypted option.

    This check box determines if this parameter's value is masked, that is, represented with asterisk (*) in a form field.

    If you want the parameter's value to be masked, select this check box.

  5. Click Save.

Removing a Parameter from an IT Resource Type

To remove a parameter from an IT Resource Type:

  1. Select the parameter you want to remove.

  2. Click Delete.

    The parameter and its associated value are removed from the IT resource type and from IT resource definitions that reference this type.

4.3.2.2.2 IT Resource Tab

This tab displays IT resources that reference a selected IT resource type. All IT resources on this tab share the same parameters, but the values can be unique for each IT resource.

4.3.2.3 IT Resource Type Definition Table

The IT Resource Type Definition Table displays the following information:

Field Name Description
Server Type The name of the resource asset type, as defined in the IT Resource Type Definition form
Insert Multiple Indicates whether or not multiple instances of this IT Resource Definition can be created

4.3.3 Rule Designer Form

Rules are criteria that enable Oracle Identity Manager to match conditions and take action based on them. A rule can be assigned to a specific resource object or process, or a rule can apply to all resource objects or processes.

The following are examples of rule usage:

  • Determining a password policy to apply to a resource object of type Application.

  • Enabling users to be added to roles automatically.

  • Specifying the provisioning process that apply to a resource object after that resource object is assigned to a request.

  • Determining how a process task is assigned to a user.

  • Specifying which prepopulate adapter is executed for a given form field.

See Also:

Oracle Identity Manager Tools Reference for more information about prepopulate adapters

The Rule Designer form shown in Figure 4-2 is in the Resource Management folder. You use this form to create and manage rules that are used with resources.

Figure 4-2 Rule Designer Form

Description of Figure 4-2 follows
Description of "Figure 4-2 Rule Designer Form"

There are four types of rules:

General: Enables Oracle Identity Manager to add a user to a role automatically and to determine the password policy that is assigned to a resource object.

Process Determination: Determines the provisioning processes for a for a resource object.

Task Assignment: Specifies the user or role that is assigned to a process task.

Prepopulate: Determines which prepopulate adapter is executed for a form field.

A rule contains the following items:

A rule element: Consists of an attribute, an operator, and a value. In Figure 4-2, the attribute is User Login, the operator is ==, and the value is XELSYSADM.

A nested rule: If one rule must be placed inside another rule for logic purposes, the internal rule is known as a nested rule. In Figure 4-2, a Rule to Prevent Solaris Access is nested in a Rule for Solaris.

An operation: When a rule contains multiple rule elements or nested rules, an operation shows the relationship among the components. In Figure 4-2, if the AND operation is selected, the User Login==XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule must both be true for the rule to be successful.

Table 4-2 describes the fields of the Rule Designer form.

Table 4-2 Fields of the Rule Designer Form

Field Name Description

Name

The rule's name.

AND/OR

These options specify the operation for the rule.

To stipulate that a rule is successful only when all the outer rule elements and nested rules are true, select AND. To indicate that a rule is successful if any of its outer rule elements or nested rules are TRUE, select OR.

Important: These options do not reflect the operations for rule elements that are contained within nested rules. In Figure 4-2, the AND operation applies to the User Login == XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule. However, this operation has no effect on the Object Name != Solaris rule element within the Rule to Prevent Solaris Access rule.

Type

The rule's classification status. A rule can belong to one of four types:

  • General: Enables Oracle Identity Manager to add a user to a role automatically and determines the password policy that is assigned to a resource object.

  • Process Determination: Determines the provisioning processes for a resource object.

  • Task Assignment: Determines which user or role is assigned to a process task.

  • Prepopulate: Determines which prepopulate adapter is used for a form field.

Sub-Type

A rule of type Process Determination, Task Assignment, or Prepopulate can be categorized into one of four subtypes:

  • Organization Provisioning: Classifies the rule as a provisioning rule. Determines the organization for which a process is provisioned, a task is assigned, or the prepopulate adapter is applied.

  • User Provisioning: Classifies the rule as a provisioning rule. Determines the user for which a process is provisioned, a task is assigned, or a prepopulate adapter is applied.

For Task Assignment or Prepopulate rule types, the approval and standard approval items are not displayed in the Sub-Type box. The Sub-Type box is grayed out for the General rule type.

Object

The resource object to which this rule is assigned.

All Objects

If selected, the rule can be assigned to all resource objects.

Process

The process to which this rule is assigned.

All Processes

If selected, the rule can be assigned to all processes.

Description

Explanatory information about the rule.


4.3.3.1 Creating a Rule

To create a rule:

Note:

In the following procedure, note that the options do not apply to rule elements within nested rules. For example, in Figure 4-2 the AND operation applies to the User Login==XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule. But this operation has no effect on the Object Name != Solaris rule element in the Rule to Prevent Solaris Access rule.
  1. Open the Rule Designer form.

  2. In the Name field, enter the name of the rule.

  3. To stipulate that a rule is successful only when all of its rule elements or nested rules are true, select the AND option.

    To indicate that a rule is successful if any of its rule elements or nested rules are true, select the OR option.

  4. Click the Type box, and in the custom menu select the classification status (General, Process Determination, Task Assignment, or Prepopulate) to associate with the rule.

    For Process Determination, click Sub-Type and select the classification status (Organizational Provisioning, User Provisioning, Approval, or Standard Approval) to associate with the rule.

    For Task Assignment or Prepopulate, click Sub-Type and select the classification status (Organization Provisioning or User Provisioning) to associate with the rule.

    If you select General from the Type box, go to Step 7.

  5. To associate the rule with a single resource object, double-click the Object lookup field, and in the Lookup dialog box select a resource object.

    If you want the rule to be available to all resource objects, select the All Objects option.

  6. To assign a rule to one process, double-click the Process lookup field, and from the Lookup dialog box, select the process to associate with the rule.

    Note:

    The only processes that are displayed in this Lookup window are the ones that are associated with the resource object you selected in Step 5.

    If you want the rule to be available to all processes, select the All Processes option.

    Note:

    If you select a resource object in Step 5 by selecting the All Processes option, this rule is available to every process that is associated with the selected resource object.
  7. In the Description field, enter explanatory information about the rule.

  8. Click Save.

4.3.3.2 Tabs on the Rule Designer Form

The Rule Designer form contains the following tabs:

  • Rule Elements tab

  • Usage tab

Each of these tabs is discussed in the following sections.

4.3.3.2.1 Rule Elements Tab

From this tab, you can create and manage elements and nested rules for a rule. For example, in Figure 4-3, the Rule for Solaris contains the User Login==XELSYSADM rule element. It also has a nested Rule to Prevent Solaris Access. Figure 4-3 displays the Rule Elements tab of the Rule Designer form.

Figure 4-3 Rule Elements Tab of the Rule Designer Form

Description of Figure 4-3 follows
Description of "Figure 4-3 Rule Elements Tab of the Rule Designer Form"

The rule in Figure 4-3 can be applied to a provisioning process for the Solaris resource object. After this resource object is assigned to a request, the rule is triggered. If the target user's login is XELSYSADM, and the name of the resource object is Solaris, the Solaris resource object is provisioned to the user. Otherwise, the user cannot access Solaris.

When a rule element or nested rule is no longer valid, remove it from the rule.

The following procedures describe how to:

  • Add a rule element to a rule

  • Add a nested rule to a rule

  • Remove a rule element or nested rule from a rule

Adding a Rule Element to a Rule

To add a rule element to a rule:

  1. Click Add Element.

    The Edit Rule Element dialog box is displayed.

    The custom menus in the boxes on the Edit Rule Element dialog box reflect the items in the Type and Sub-Type boxes of the Rule Designer form.

    Table 4-3 describes the data fields in the Edit Rule Element dialog box.

    Table 4-3 Fields of the Edit Rule Element Dialog Box

    Name Description

    Attribute Source

    From this box, select the source of the attribute. For example, if the attribute you wish to select is Object Name, the attribute source to select would be Object Information.

    User-Defined Form

    This field displays the user-created form that is associated with the attribute source that is displayed in the adjacent box.

    Note: If Process Data are not displayed in the Attribute Source box, the User-Defined Form field will be empty.

    Attribute

    From this box, select the attribute for the rule.

    Operation

    From this box, select the relationship between the attribute and the attribute value (== or !=)

    Attribute Value

    In this field, enter the value for the attribute.

    Note: The attribute's value is case-sensitive.


  2. Set the parameters for the rule you are creating, as shown in Figure 4-4.

    Figure 4-4 Edit Rule Element Window

    Description of Figure 4-4 follows
    Description of "Figure 4-4 Edit Rule Element Window"

    In this example, if the Login ID of the target user is XELSYSADM, the rule element is true. Otherwise, it is false.

    See Also:

    For more information about the parameters, see "Rule Elements Tab".
  3. From the Toolbar of the Edit Rule Element dialog box, click Save, and click Close.

    The rule element is displayed in the Rule Elements tab of the Rule Designer form.

  4. From the main screen's toolbar, click Save.

    The rule element is added to the rule.

Adding a Nested Rule to a Rule

To nest a rule within a rule:

Note:

In the following procedure, only rules of the same type and subtype as the parent rule are displayed in the Select Rule window.
  1. Click Add Rule.

    The Select Rule dialog box is displayed.

  2. Select a nested rule and click Save.

  3. Click Close.

    The nested rule is displayed in the Rule Elements tab of the Rule Designer form.

  4. From the main screen's Toolbar, click Save.

    The nested rule is added to the rule.

Removing a Rule Element or Nested Rule from a Rule

To remove a rule element or a nested rule:

  1. Select the rule element or nested rule that you want to remove.

  2. Click Delete.

    The rule element or nested rule is removed from the rule.

4.3.3.2.2 Usage Tab

This tab is displayed on the Rule Designer form. The information in the Usage tab reflects the rule's classification type. For example, if a rule type is prepopulate, the user-created field that this rule is applied to is displayed in this tab.

Figure 4-5 shows the Usage tab.

Figure 4-5 Usage Tab of the Rule Designer Form

Description of Figure 4-5 follows
Description of "Figure 4-5 Usage Tab of the Rule Designer Form"

This tab displays the following items:

  • The password policy, resource object, process, process task, auto-role membership criteria, role, Oracle Identity Manager form field, and prepopulate adapter associated with a rule.

  • A one-letter code, signifying the rule's classification type: P=Provisioning.

    This code is displayed for process determination rules only.

  • The rule's priority number.

4.3.3.3 Rule Designer Table

The Rule Designer Table, as shown in Figure 4-6, displays all available rules defined in the Rule Designer form.

Figure 4-6 Rule Designer Table

Description of Figure 4-6 follows
Description of "Figure 4-6 Rule Designer Table"

Table 4-4 shows the information displayed in the Rule Designer Table.

Table 4-4 Information in the Rule Designer Table

Field Name Description

Rule Name

The name of the rule.

Rule Type

A rule can belong to one of four types:

  • General: Enables Oracle Identity Manager to add a user to a role automatically and determines the password policy that is assigned to a resource object.

  • Process Determination: Determines the provisioning processes that are selected for a resource object.

  • Task Assignment: Determines which user, role, or both are assigned to a process task.

  • Pre-Populate: Determines which prepopulate adapter is executed for a given form field.

Rule Sub-Type

A rule of type Process Determination, Task Assignment, or Pre-Populate can be categorized into one of four sub-types:

  • Organization Provisioning: Classifies the rule as a provisioning rule.

    You use this subtype to determine the organization for which a process is provisioned, a task is assigned, or the prepopulate adapter is applied.

  • User Provisioning: Classifies the rule as a provisioning rule.

    You use this subtype to determine the user for which a process is provisioned, a task is assigned, or a pre-populate adapter is applied.

Rule Operator

The relationship between the attribute and the attribute value represented by the == or != operators.

Description

Explanatory information about the rule.

Last Updated

The date when the rule was last updated.


4.3.4 Resource Objects Form

The Resource Objects form is in the Resource Management folder. You use this form to create and manage the resource objects for the Oracle Identity Manager resources that you want to provision for organizations or users. Resource object definitions are templates for provisioning the resource. However, the provisioning of the resource depends on the design of the provisioning processes that you link to the resource object.

Table 4-5 describes the data fields of the Resource Objects form.

Table 4-5 Fields of the Resource Objects Form

Field Name Description

Table Name

The name of the resource object form that is associated with this resource. (This is actually the name of the table that represents the form.)

Order For User/Order For Organization

Options that determine whether or not the resource object can be requested for users or organizations.

To request the resource object for a user, select Order For User. To request the resource object for an organization, select Order For Organization.

Type

The resource object's classification status. A resource object can belong to one of the following types:

  • Application: Classifies this resource object as an application.

  • Generic: Contains business-related processes.

  • System: Oracle Identity Manager uses this type of resource object internally.

    Do not modify system resource objects without first consulting Oracle.

  • Disconnected: Classifies the resource object as a disconnected resource.

Trusted Source

You can select this check box if you want to use the resource object for trusted user reconciliation.

By default, this check box is not selected. It is selected by default only for the Xellerate User resource object.


4.3.4.1 Creating a Resource Object

To create a resource object:

  1. Open the Resource Objects form.

  2. In the Name field, enter the name of the resource object.

  3. To request the resource object for a user, select Order For User.

    To request the resource object for an organization, select Order For Organization.

    Note:

    A resource object can be requested for either one user or one organization.
  4. Double-click the Type lookup field.

    From the Lookup dialog box that is displayed, select the classification status (Application, Generic, or System) to associate with the resource object.

  5. If you want to use the resource object for trusted source user reconciliation, you must select the Trusted Source option. Otherwise, go to Step 6.

  6. Click Save.

    The resource object is created.

4.3.4.2 Tabs on the Resource Objects Form

When you start the Resource Objects form and create a resource object, the tabs of this form become functional.

The Resource Objects form contains the following tabs:

4.3.4.2.1 Depends On Tab

From this tab, you can select resource objects that Oracle Identity Manager must provision before provisioning the current resource object. If Oracle Identity Manager can provision the current resource object without first provisioning a resource object that is displayed on the Depends On tab, you must remove that resource object from the tab.

In addition, you must setup a parent-child relationship between the application instances as well. This is done by opening the application instance for the dependent resource and selecting the independent application instance as the parent from the drop-down for parent application instance. See "Managing Application Instances" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about the application instance UI.

The following topics are related to the Depends On tab:

  • Selecting a resource object on which the current resource object is dependent

  • Removing the dependent resource object

Selecting a Dependent Resource Object

To select a dependent resource object:

  1. Click Assign.

    The Assignment dialog box is displayed.

  2. Select the resource object.

  3. Click OK.

    The dependent resource object is selected.

Removing a Dependent Resource Object

To remove a dependent resource object:

  1. Select the dependent resource object that you want to remove.

  2. Click Delete.

    The resource object is removed from the Depends On tab.

4.3.4.2.2 Object Authorizers Tab

Use this tab to specify roles that are the object authorizers for this resource. You can select users who are members of the Object Authorizers roles as targets for task assignments.

Each role on the Object Authorizers tab has a priority number. The priority number can also be referenced when a task assigned to a role is escalated due to lack of action. You can increase or decrease the priority number for any role on this tab.

For example, suppose that you configure members of the SYSTEM ADMINISTRATORS roles to be object authorizers. Also suppose that a process task associated with this resource object has a task assignment rule attached to it. The first user authorized to complete this process task is the user with the priority number 1. If the user does not complete the process task in a user-specified time, Oracle Identity Manager reassigns the task to the user with the next priority in the SYSTEM ADMINISTRATORS role.

See Also:

"Rule Designer Form" and "Assignment Tab of the Editing Task Window" for more information about task assignment rules and process tasks

Assigning a Role to a Resource Object

To assign a role to a resource object:

  1. Click Assign.

    The Assignment dialog box is displayed.

  2. Select a role.

  3. Click OK.

    The role is selected.

Removing a Role from a Resource Object

To remove a role from a resource object:

  1. Select the desired role.

  2. Click Delete.

    The role is removed from the Object Authorizers tab.

4.3.4.2.3 Process Determination Rules Tab

A resource object is a template for the resource that is provisioned to users or organizations. This template can be linked to multiple provisioning processes. Oracle Identity Manager uses process determination rules to select a provisioning process when a resource is requested or directly provisioned.

Process determination rules provide the following criteria:

  • Which provisioning process to select when a resource is requested

  • Which provisioning process to select when a resource is provisioned directly

Each provisioning process has a process determination rule. Each rule and process combination has a priority number that indicates the order in which Oracle Identity Manager will evaluate it.

If the condition of a rule is false, Oracle Identity Manager evaluates the rule with the next highest priority. If a rule is true, Oracle Identity Manager executes the process associated with it.

Adding a Process Determination Rule to a Resource Object

To add a process determination rule to a resource object:

  1. Click Add in the Provisioning Processes region, depending on the rule or process combination you intend to create.

  2. From the row that is displayed, double-click the Rules lookup field.

  3. From the Lookup dialog box, select a rule, and assign it to the resource object (only rules of Process Determination type are available for selection).

  4. Click OK.

  5. In the adjacent column, double-click the Processes lookup field.

  6. From the Lookup dialog box, select a process, and assign it to the rule.

  7. Click OK.

  8. Enter a numeric value in the Priority field.

    This determines the order in which Oracle Identity Manager evaluates the rule and process combination.

  9. Click Save.

    The rule and process combination is added to the resource object.

Remove a Process Determination Rule From a Resource Object

To remove a process determination rule from a resource object:

  1. Select a rule and process combination.

  2. Click Delete.

    The rule and process combination is removed from the resource object.

4.3.4.2.4 Event Handlers/Adapters Tab

A resource object's provisioning process contains tasks that must be completed automatically. When this occurs, you must assign an event handler or an adapter to the resource object. An event handler is a software routine that provides the processing of this specialized information. An adapter is a specialized type of event handler that generates Java code, which enables Oracle Identity Manager to communicate and interact with external resources.

When an event handler or adapter that is assigned to a resource object that is no longer valid, you must remove it from the resource object.

For this example, the adpAUTOMATEPROVISIONINGPROCESS adapter was assigned to the Solaris resource object. Once this resource object is assigned to a request, Oracle Identity Manager triggers the adapter, and the associated provisioning process is executed automatically.

Assigning an Event Handler or Adapter to a Resource Object

To assign an event handler to an adapter or a resource object:

  1. Click Assign.

    The Assignment dialog box is displayed.

  2. Select an event handler, and assign it to the resource object.

  3. Click OK.

    The event handler is assigned to the resource object.

Remove an Event Handler or Adapter from a Resource Object

To remove an event handler or adapter from a resource object, perform the following steps:

  1. Select an event handler.

  2. Click Delete.

    The event handler is removed from the resource object.

4.3.4.2.5 Resource Audit Objectives

The Resource Objects form in the Design Console includes a resource attribute named Resource Audit Objectives. This resource attribute helps you link resources to regulatory mandates.

Figure 4-7 The Resource Objects Form

Surrounding text describes Figure 4-7 .

A lookup is defined for the values of the Resource Audit Objectives resource attribute. The predefined values in the Resource Audit Objectives list are:

  • SOX (Hosts Financially Significant Information)

  • HIPAA (Hosts Private Healthcare Information)

  • GLB (Hosts Non-Public Information)

  • Requires Quarterly Review

  • Requires Annual Review

You can extend this list by editing the Lookups.Resource Audit Objective.Type lookup by using the Lookup Definition Form in the Design Console.

4.3.4.2.6 Status Definition Tab

You use this tab to set provisioning status for a resource object. A provisioning status indicates the status of a resource object throughout its lifecycle, until it is provisioned to the target user or organization.

Every provisioning status of a resource object is associated with a task status for the relevant provisioning process. Oracle Identity Manager selects the provisioning process when the resource object is assigned to a request. For example, if the Provision for Developers process is selected, and a task in this process achieves Completed status, the corresponding status of the resource object can be set to Provisioned. This way, you can see how the resource object relates to the provisioning process, quickly and easily.

A resource object has the following predefined statuses:

  • Waiting: This resource object depends on other resource objects that have not yet been provisioned.

  • Revoked: The resources represented by the resource object are provisioned to target users or organizations that have been permanently deprovisioned from using the resources.

  • Ready: This resource object either does not depend on any other resource objects, or all resource objects upon which this resource object depends are provisioned.

    After a resource is assigned to a request and the resource object's status is Ready, Oracle Identity Manager evaluates the process determination rules to determine the provisioning process. When this happens, the status of the resource object changes to Provisioning.

  • Provisioning: The resource object is assigned to a request and a provisioning process has been selected.

  • Provisioned: The resources represented by the resource object are provisioned to the target users or organizations.

  • Provide Information: Additional information is required before the resources represented by the resource object can be provisioned to the target users or organizations.

  • None: This status does not represent the provisioning status of the resource object. Rather, it signifies that a task that belongs to the provisioning process that Oracle Identity Manager selects has no effect on the status of the resource object.

  • Enabled: The resources represented by the resource object are provisioned to the target users or organizations, and these users or organizations have access to the resources.

  • Disabled: The resources represented by the resource object are provisioned to the target users or organizations, but these users or organizations have temporarily lost access to the resources.

Each provisioning status has a corresponding Launch Dependent check box. If the check box is selected and if the parent resource object achieves that provisioning status, then Oracle Identity Manager will continue the provisioning of the dependent resource object.

For example, suppose that the Exchange resource object depends on Active Directory and has the Launch Dependent check box selected for the Provisioned and Enabled provisioning statuses. When the provisioning status of Active Directory changes to Provisioned or Enabled, and if Exchange provisioning is waiting on it, then Oracle Identity Manager will continue the provisioning process of Exchange.

You might want to add additional provisioning statuses to a resource object to reflect the various task statuses of a provisioning process. For example, when the status of a task that belongs to a provisioning process is Rejected, you might want to set the corresponding provisioning status of the resource object to Revoked.

Similarly, when an existing provisioning status is no longer valid, you must remove it from the resource object.

The following sections discuss how to add a provisioning status to a resource object and remove a provisioning status from a resource object.

Adding a Provisioning Status to a Resource Object

To add a provisioning status to a resource object:

  1. Click Add.

  2. Add a provisioning status in the Status field.

  3. When you want other, dependent resource objects to launch their own provisioning process once the resource object achieves the provisioning status you are adding, select the Launch Dependent check box. Otherwise, go to Step 4.

  4. Click Save.

    The provisioning status is added to the resource object.

Removing a Provisioning Status from a Resource Object

The following procedure describes removing a provisioning status from a resource object:

  1. Select a provisioning status.

  2. Click Delete.

    The provisioning status is removed from the resource object.

4.3.4.2.7 Administrators Tab

This tab is used to select roles that can view, modify, and delete the current resource object.

When the Write check box is selected, the corresponding role can modify the current resource object. When the Delete check box is selected, the associated role can delete the current resource object.

The following sections describe how to assign a role to a resource object, and remove a role from a resource object.

Assigning a Role to a Resource Object

To assign a role to a resource object:

  1. Click Assign.

    The Assignment dialog box is displayed.

  2. Select the role, and assign it to the resource object.

  3. Click OK.

    The role is displayed in the Administrators tab. By default, all members of this role can view the active record.

  4. If you want this role to be able to modify the current resource object, select the corresponding Write check box.

    Otherwise, go to Step 5.

  5. If you want this role to be able to delete the current resource object, select the associated Delete check box.

    Otherwise, go to Step 6.

  6. Click Save.

    The role is assigned to the resource object.

Removing a Role from a Resource Object

To remove a role from a resource object:

  1. Highlight the role that you want to remove.

  2. Click Delete.

    The role is removed from the resource object.

4.3.4.2.8 Password Policies Rule Tab

If a resource object is of type Application, and you want to provision the resource object to a user or organization, you might want that user or organization to meet password criteria before accessing the resource object. This password criteria is created and managed in the form of password policies. These policies are created by using the Password Policies form.

Because the resource object definition is only a template for governing how a resource is to be provisioned, Oracle Identity Manager must be able to make determinations about how to provision the resource based on actual conditions and rules. These conditions might not be known until the resource is actually requested. Therefore, rules must be linked to the various processes and password policies associated with a resource. This enables Oracle Identity Manager to decide which ones to invoke in any given context.

Oracle Identity Manager determines which password policy to apply to the resource when creating or updating a particular user's account. This is done by evaluating the password policy rules of the resource and applying the criteria of the policy associated with the first rule that is satisfied. Each rule has a priority number, which indicates the order in which Oracle Identity Manager will evaluate it.

The following sections discuss how to add and remove a password policy rule from a resource object.

Adding a Password Policy Rule to a Resource Object

To add a password policy rule to a resource object:

  1. Click Add.

  2. From the row that is displayed, double-click the Rule lookup field.

  3. From the Lookup dialog box, select a rule, and assign it to the resource object.

  4. Click OK.

  5. In the adjacent column, double-click the Policy lookup field.

  6. From the Lookup dialog box, select an associated password policy, and assign it to the resource object.

  7. Click OK.

  8. Add a numeric value in the Priority field.

    This field contains the rule's priority number.

  9. Click Save.

    The password policy rule is added to the resource object.

Note:

  • If the resource type is Order for Organization, you cannot attach a password policy to the resource object. The exception to this rule is the Xellerate User resource object. Although this resource object is of Order for Organization type, password policies can be attached to it.

  • If two or more rules evaluate to True, the password policy attached to the rule with the highest priority is applied.

  • A Default rule is predefined in Oracle Identity Manager. This rule always evaluates to True. If no rules have been created through the Rule Designer, a password policy can be attached to the Default rule.

Removing a Password Policy Rule from a Resource Object

To remove a password policy from a resource object:

  1. Select a password policy rule.

  2. Click Delete.

    The password policy rule is removed from the resource object.

4.3.4.2.9 User-Defined Fields Tab

You use this tab to view and access user-defined fields that were created for the Resource Objects form. After a user-defined field is created, it is displayed on this tab and can accept and supply data.

4.3.4.2.10 Process Tab

The Process tab displays all provisioning processes that are associated with the current resource object. The Default check boxes on this tab indicate what provisioning processes are the defaults for the resource.

Note:

You create provisioning processes and associate them with a resource by using the Process Definition form. Each process can be linked to a process determination rule by using the Process Determination Rules tab of the Resource Object form.

For example, suppose that the Solaris resource object has one provisioning processes (Provision Solaris for Devel.) associated with it. The Provision Solaris for Devel. has been designated as the default provisioning process for this resource object.

4.3.4.2.11 Object Reconciliation Tab

The Object Initial Reconciliation Date field on the Object Reconciliation Tab displays the date when initial reconciliation was performed for the resource.

Note:

The purpose of initial reconciliation is to bring all the user accounts from the target system into Oracle Identity Manager.

The date value stored in the Object Initial Reconciliation Date field is used to distinguish between initial reconciliation and subsequent reconciliations events. This date value is used by the two exception reports. These exception reports display differences in the entitlements a user must have as compared to what the user actually has in the target system. The differences in entitlements are determined by using reconciliation data, along with other data items. The exception reports return data associated with only those reconciliation events that are created after the date stored in the Object Initial Reconciliation Date field. In addition, exception data is generated only if the Initial Object Reconciliation Date field displays a date value that is in the past. If required, you can enter a date value in this field so that the exception reports are generated.

The Object Reconciliation tab contains two subtabs, Reconciliation Fields and Reconciliation Action Rules.

  • The Reconciliation Fields tab is used to define the fields on the target resources or trusted sources that are to be reconciled with (for example, mapped to) information in Oracle Identity Manager

  • The Reconciliation Action Rules tab is used to specify the actions Oracle Identity Manager is to take when particular matching conditions are met.

Click the Create Reconciliation Profile button in the Object Reconciliation tab to generate reconciliation profile whenever any changes are made to the resource object or associated process forms.

Reconciliation Fields Tab

This tab is used to define the fields on the target resources or trusted sources that are to be reconciled with (for example, mapped to) information in Oracle Identity Manager. For each field on the target system or trusted source, the following information will be listed:

  • Name of the field on the target resource or trusted source that is to be reconciled with data in Oracle Identity Manager (for example, targetfield1)

  • Data type associated with the field (for example, String). Possible values are multi-valued, string, number, date, IT resource

  • Indicator that designates whether or not this field is required in a reconciliation event

Note:

Oracle Identity Manager will not begin to match provisioning processes, users or organizations to the reconciliation event until all fields are processed on the Reconciliation section of the Event Management tab in the Advanced Administration.

The following is an example of a reconciliation field definition:

TargetField1 [String], Required

In the Reconciliation Fields tab, you can perform the following:

  • Add a reconciliation field

    The following procedure adds fields from the target system or trusted source to the list of fields that are to be reconciled with information in Oracle Identity Manager.

    Note:

    Before Oracle Identity Manager can successfully perform reconciliation with an external target resource or trusted source, the fields you have defined on this tab must be mapped to the appropriate Oracle Identity Manager fields by using the Field Mappings tab of the resource's default provisioning process.

    To add a reconciliation field:

    1. Click Add Field.

      The Add Reconciliation Field dialog box is displayed.

    2. Enter the name of the field on the target resource or trusted source in the Field Name field.

      This is the name that will reference the target resource or trusted source field in Oracle Identity Manager.

    3. Select one of the following values from the menu in the Field Type field:

      • Multi-Valued

        This is meant for use with fields that contain one or more component fields.

      • String

      • String

      • Date

      • IT resource

        During reconciliation event creation, the value this field receives must be the same as the name of an IT resource defined in Oracle Identity Manager.

    4. Select the Required check box.

      If selected, the reconciliation field must be processed on the Reconciliation section of the Event Management tab in the Advanced Administration before Oracle Identity Manager will begin matching a provisioning process, user, or organization to the reconciliation event. If this check box is not selected, the inability to process this field in a reconciliation event will not prevent matching from occurring.

    5. Click Save.

      The field will be available for mapping in the resource's default provisioning process.

  • Delete a reconciliation field

    Use the following procedure to remove a target system field from the list of fields that are to be reconciled with information in Oracle Identity Manager. For a trusted source, this must be the user resource definition.

    To delete a reconciliation field:

    1. Select the field you wish to remove.

    2. Click Delete Field.

      The selected field will be removed from the list of fields with which Oracle Identity Manager reconciles data on the target system (this will have no effect on the data in the target system itself).

Reconciliation Action Rules Tab

By using this tab, you can specify the actions that Oracle Identity Manager will perform when some matches within reconciliation event records are encountered. Each record in this tab is a combination of:

  • The matching condition criteria

  • The action to be performed

The conditions and actions from which you can select are predefined. Depending on the matching conditions, certain actions might not be applicable. A complete list of the available options is provided in Table 4-6.

Table 4-6 Rule Conditions and Possible Rule Actions

Rule Condition Possible Rule Actions

No matches found

None

Create User (only available with the trusted source)

One Process Match Found

None

Establish Link

Multiple Process Matches Found

None

One Entity Match Found

None

Establish Link

Multiple Entity Matches Found

None


See Also:

"Assignment Tab of the Editing Task Window" for a description of the classification types for the users and roles listed in the preceding table

Adding a Reconciliation Action Rule

To add a reconciliation action rule:

  1. Click Add Field.

    The Add a new Action Rule dialog box is displayed.

  2. Select the desired value from the Rule Condition menu.

    This is the matching condition that will cause the associated action to be executed. Each match condition can only be assigned to a single rule action.

  3. Select a value from the Rule Action menu.

    This is the action that will be executed if the matching condition is met.

  4. Click Save, and close the Add a new Action Rule dialog box.

Deleting a Reconciliation Action Rule

To delete a reconciliation action rule:

  1. Select the matching action combination to delete.

  2. Click Delete.

    The reconciliation action rule will be removed and the action associated with its condition will not be executed automatically.

4.3.4.3 Multiple Trusted Source Reconciliation

You can create the reconciliation fields, reconciliation action rules, field mappings, and matching roles for the Xellerate User resource object and the process definition.

If there are two trusted sources from which you want to reconcile identities to create OIM Users, you are not able to configure a single resource object (Xellerate User) for both the trusted sources. Even if you create reconciliation fields for both the trusted sources in the Xellerate User resource object, you cannot create the corresponding reconciliation field mappings in the Xellerate User process definition.

You can configure resource objects other than Xellerate User as trusted sources for identity reconciliation. You can do this by selecting the Trusted Source check box in the Resource Objects form while creating a resource object.

For a resource object to which the Trusted Source flag is attached, you can create multiple reconciliation fields to denote the target system fields. You can also configure the reconciliation action rule in which if there are no process matches found, either a user is created or the data is sent to the administrator or authorizer for identity creation. If a process match is found, the link is established.

When defining provisioning process for trusted source resources, do not attach user-defined process forms. For these provisioning processes, reconciliation field mappings can be created between reconciliation fields defined on the resource and OIM User attributes.

Note:

If the resource object is for target resource reconciliation, then the mapping is between the reconciliation fields and process data fields.

Do not use any resource objects that are defined as a trusted source for provisioning activities. These resources are meant to be used only for OIM Users' reconciliation.

The attribute authoritative sources feature means that the sources are trusted for only attributes of the identities and not the identities themselves. You can configure attribute authoritative source reconciliation by creating appropriate reconciliation action rules. If no process match is found, it is assigned to the administrator. This ensures that a user is not created by mistake even if there are no matches found. If a process match is found, the reconciliation action rule will establish a link.

The following sections discuss two use cases in which you can implement multiple trusted source reconciliation:

Note:

At some places in this document:

- Multiple trusted source reconciliation has been referred to as MTS.

- The terms fields and attributes have been used interchangeably.

Note:

For both use cases, create reconciliation profiles by referring to "Creating New Reconciliation Profiles" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
4.3.4.3.1 Multiple Trusted Source Reconciliation Using MTS-Compatible Connectors

Note:

To determine whether or not your connector is MTS-compatible, see connector-specific documentation.

The following sections discuss scenarios in which you can implement multiple trusted source reconciliation by using MTS-compatible connectors:

Configuring MTS-Compatible Connectors for Trusted Source Reconciliation by User Type

In this context, user type refers to the type of users whose records you want to reconcile. Examples of user types are Employee and Customer.

To implement trusted source reconciliation by user type, perform the procedure to implement trusted source reconciliation while deploying the connectors of each target system that you want to configure as a trusted source.

During reconciliation, all the target system records of the specified user types are reconciled. If the target systems contain multiple user types, you can use the Limited Reconciliation feature to specify the user type for which records must be reconciled from each target system.

Configuring MTS-Compatible Connectors for Trusted Source Reconciliation of Specific OIM User Attributes

You might want to configure trusted source reconciliation for specific OIM User attributes from multiple target systems. The procedure to implement this is described with the help of the following sample scenario:

You want to reconcile identities from one target system, for example TS1, and specific attributes of these identities (for example attr1, attr2, and attr3) from another target system, for example TS2. This means that TS1 is the trusted source for the identities, and TS2 is the trusted source for specific attributes of those identities and not the identities themselves. TS1 must provide all the mandatory OIM User attributes for the successful creation of an OIM User. TS2 will provide only those OIM User attributes (either a mandatory OIM User attribute or a non-mandatory one) for which TS2 is the trusted source. If you reconcile a mandatory OIM User attribute from TS2, the value of this attribute overwrites the value contained in this attribute after the OIM User is created from TS1. If you want to reconcile only non-mandatory OIM User attributes from TS2, you can choose not to reconcile these attributes from TS1 during OIM User creation.

Note:

When there are multiple trusted sources, the logic to reconcile the entity attributes from the trusted sources is provided by the connector.

For the TS1 connector:

  1. Perform all the steps required to deploy the TS1 connector and configure it for trusted source reconciliation.

    See Also:

    The documentation for the connector you are deploying for information about the procedure to configure trusted source reconciliation
  2. In the Reconciliation Fields tab on the Object Reconciliation page, delete all the TS1 attributes that you want to reconcile from TS2 (in this case attr1, attr2, and attr3).

  3. In the Reconciliation Field Mappings tab on the Process Definition page, delete all the mappings other than the ones you want to retain.

    Instead of deleting reconciliation fields, you can remove the reconciliation field mappings of those fields for which you do not want to reconcile the values into the OIM User created through reconciliation.

  4. In the Reconciliation Action Rules tab on the Object Reconciliation page, ensure that the following rule condition and action mappings exist:

    Rule Condition: No Matches Found

    Action: Create User

For the TS2 connector:

  1. Perform all the steps required to deploy the TS2 connector and configure it for trusted source reconciliation.

    See Also:

    The documentation for the connector you are deploying for information about the procedure to configure trusted source reconciliation
  2. In the Reconciliation Field Mappings tab on the Process Definition page, delete all the mappings other than the ones you want to retain.

    Instead of deleting reconciliation fields, you can also choose to just remove the reconciliation field mappings of those fields for which you do not want to reconcile the values into the OIM User created through reconciliation.

  3. In the Reconciliation Fields tab on the Object Reconciliation page, delete all the TS2 attributes other than attr1, attr2, and attr3. In addition, retain the attributes that you want to use to match OIM Users with existing TS2 accounts. This means that you retain only those attributes that will be used for reconciliation rule evaluation. For example, you might want to use the username attribute in Oracle Identity Manager to match the value of the first name attribute in TS1.

  4. In the Reconciliation Action Rules tab on the Object Reconciliation page, create rule conditions and action mappings. One of these rule condition-action mappings must be the following:

    Rule Condition: No Matches Found

    Action: Anything other than Create User

4.3.4.3.2 Multiple Trusted Source Reconciliation Using Connectors That Are Not MTS-Compatible

Note:

To determine whether or not your connector is MTS-compatible, see connector-specific documentation.

For a connector that is not MTS-compatible, the following prerequisites must be addressed before you can use the connector in a multiple trusted source reconciliation setup:

i. Only one of the trusted source resource objects can be Xellerate User. In your operating environment, if the Xellerate User resource object is already in use by a connector for trusted source reconciliation, for the trusted source connector that you want to configure, you must create a new resource object and process definition.

ii. The scheduled task of the connector must have an attribute that accepts the name of the resource object used for trusted source user reconciliation as its value.

The following sections discuss scenarios in which you can implement multiple trusted source reconciliation by using non-MTS-compatible connectors:

Configuring Non-MTS-Compatible Connectors for Trusted Source Reconciliation by User Type

In this context, user type refers to the type of users whose records you want to reconcile. Examples of user types are Contractor, Employee, and Customer.

You use Microsoft Active Directory and Oracle e-Business Suite as trusted sources in your operating environment. Active Directory is used to store information about identities that belong to the Contractor user type. Oracle e-Business Suite is used to store information about identities that belong to the Customer and Employee user type. You want to reconcile Contractor records from Active Directory and Employee records from Oracle e-Business Suite. To do this, perform the following:

For Active Directory:

  1. Perform all the steps required to deploy the Active Directory connector and configure it for trusted source reconciliation.

    See Also:

    The documentation for the connector you are deploying for information about the procedure to configure trusted source reconciliation

    When you import the connector XML file for trusted source reconciliation, information specific to Active Directory is added in the Xellerate User resource object and process definition.

  2. On the Resource Object tab, create the ActDir resource object for trusted source reconciliation with Active Directory.

    Note:

    You can assign any name to the resource object. This procedure is based on the use of ActDir as the name assigned to the resource object.

    For detailed information about the procedure to create a resource object, see "Resource Objects Form".

    While creating the resource object:

    1. Select the Trusted Source check box on the Resource Object tab.

    2. On the Object Reconciliation>>Reconciliation Fields tab, see Xellerate User resource object and add the Active Directory-specific fields that you want to reconcile in ActDir. All the mandatory OIM User fields must be covered by the fields that you add on this tab.

  3. On the Object Reconciliation>>Reconciliation Action Rules tab, create rule conditions and action mappings. One of these rule condition-action mappings must be the following:

    Rule Condition: No Matches Found

    Action: Create User

  4. Delete the fields specific to Active Directory and the corresponding rules from the Xellerate User resource object.

  5. Create the ActDir process definition in the Process Definition form.

    For detailed information about the procedure to create a process definition, see "Process Definition Form". Based on the reconciliation field mappings in the Xellerate User process definition, on the Reconciliation Field Mappings tab, add the reconciliation field mappings for the ActDir process definition.

  6. Delete the Active Directory-specific field mappings in the Xellerate User resource object.

  7. In the Reconciliation Rule Builder form on the Reconciliation Rules page, query and open the reconciliation rule for this connector and change the value of the Object field to map to the resource object that you have created. By default, the value of this field is mapped to that of the Xellerate User resource object.

For Oracle e-Business Suite, repeat all the steps you performed for Active Directory. Perform the following steps of that procedure differently for the Oracle e-Business Employee Reconciliation connector:

  1. On the Resource Object tab, create the EmpRecon resource object for trusted source reconciliation with Oracle e-Business Suite.

    Note:

    You can assign a name to the resource object. This procedure is based on the use of EmpRecon as the name assigned to the resource object.
  2. On the Object Reconciliation>>Reconciliation Action Rules tab, create rule conditions and action mappings. One of these rule condition-action mappings must be the following:

    Rule Condition: No Matches Found

    Action: Create User

    Use the Limited Reconciliation feature to specify that only identities that belongs to the Employee user type must be reconciled.

  3. After you add the fields and the reconciliation rules, delete the Oracle e-Business Suite-specific fields and the corresponding rules created in the Xellerate User resource object.

  4. Create the EmpRecon process definition in the Process Definition form. For detailed information about the procedure to create a process definition, see "Process Definition Form". Based on the Xellerate User reconciliation field mappings, on the Reconciliation Field Mappings tab, add the field mappings for the EmpRecon process definition.

  5. Delete the Oracle e-Business Suite-specific field mappings in the Xellerate User resource object.

  6. On the Reconciliation Rules>>Reconciliation Rule Builder form, query and open the reconciliation rule for this connector and change the value of the Object field to map to the resource object that you have created. By default, the value of this field is mapped to that of the Xellerate User resource object.

For both Active Directory and Oracle e-Business Suite, perform the rest of the steps required to configure trusted source reconciliation. For example, while configuring the reconciliation scheduled task for each connector, specify the name of the trusted source resource object that must be used during trusted source user reconciliation.

The current value of the scheduled task attribute would be Xellerate User and it must be updated with the name of the new resource object configured for trusted source user reconciliation for this connector.

Figure 4-8 shows the design time implementation of trusted source reconciliation based on the user type.

Figure 4-8 Trusted Source Reconciliation by User Type

Description of Figure 4-8 follows
Description of "Figure 4-8 Trusted Source Reconciliation by User Type"

Configuring Non-MTS-Connectors for Trusted Source Reconciliation of Specific OIM User Attributes

You might want to configure trusted source reconciliation for specific OIM User attributes from multiple target systems. The procedure to implement this is described with the help of the following sample scenario:

You use Microsoft Active Directory and IBM Lotus Notes as your target systems. You want to reconcile identities from Active Directory and only the value of the e-mail address attribute of each identity (reconciled into Oracle Identity Manager from Active Directory) from Lotus Notes. To achieve this:

For the Active Directory connector:

  1. Perform all the steps required to deploy the Active Directory connector and configure it for trusted source reconciliation.

    See Also:

    The documentation for the connector you are deploying for information about the procedure to configure trusted source reconciliation

    When you import the connector XML file for trusted source reconciliation, Active Directory-specific information is added in the Xellerate User resource object and process definition.

  2. On the Resource Object tab, create the ActDir resource object for trusted source reconciliation with Active Directory.

    Note:

    You can assign any name to the resource object. This procedure is based on the use of ActDir as the name assigned to the resource object.

    For detailed information about the procedure to create a resource object, see "Resource Objects Form".

    While creating the resource object:

    i. Select the Trusted Source check box on the Resource Object tab.

    ii. On the Object Reconciliation>>Reconciliation Fields tab, see Xellerate User resource object and add the Active Directory-specific fields that you want to reconcile in ActDir. All the mandatory OIM User fields must be covered by the fields that you add on this tab.

  3. On the Object Reconciliation>>Reconciliation Action Rules tab, create rule conditions and action mappings. One of these rule condition-action mapping must be the following:

    Rule Condition: No Matches Found

    Action: Create User

  4. Delete the Active Directory-specific fields and the corresponding rules from the Xellerate User resource object.

  5. Create the ActDir process definition in the Process Definition form. For detailed information about the procedure to create a process definition, see "Process Definition Form". Based on the reconciliation field mappings in the Xellerate User process definition, on the Reconciliation Field Mappings tab, create the field mappings for the ActDir process definition.

  6. Delete the Active Directory-specific field mappings in the Xellerate User resource object.

  7. On the Reconciliation Rules>>Reconciliation Rule Builder form, query and open the reconciliation rule for this connector and change the value of the Object field to map to the resource object that you have created. By default, the value of this field is mapped to that of the Xellerate User resource object.

For IBM Lotus Notes, repeat all the steps you performed for Active Directory. Perform the following steps of that procedure differently for the Lotus Notes connector:

  1. On the Resource Object tab, create the LotNotes resource object for trusted source reconciliation with Lotus Notes.

    Note:

    You can assign a name to the resource object. This procedure is based on the use of LotNotes as the name assigned to the resource object.
  2. When you create the resource object, add only the e-mail address attribute.

  3. On the Object Reconciliation>>Reconciliation Action Rules tab, create rule conditions and action mappings. Create any rule condition other than user creation if no matches are found. If a match is found, the link is established.

  4. After you have added the fields and the reconciliation rules, delete the Lotus Notes-specific fields and the corresponding rules created in the Xellerate User resource object.

  5. Create the LotNotes process definition in the Process Definition form. For detailed information about the procedure to create a process definition, see "Process Definition Form". Based on the Xellerate User reconciliation field mappings, on the Reconciliation Field Mappings tab, add the field mappings for the LotNotes process definition.

  6. Delete the Lotus Notes-specific field mappings in the Xellerate User resource object.

For both Active Directory and Lotus Notes, perform the rest of the steps required to configure trusted source reconciliation. For example, while configuring the reconciliation scheduled task for each connector, specify the name of the trusted source resource object that must be used during reconciliation.

The current value of the scheduled task attribute would be Xellerate User and it must be updated with the name of the new resource object configured for trusted source user reconciliation for this connector.

Figure 4-9 shows the design time implementation of trusted source reconciliation of specific OIM User attributes.

Figure 4-9 Trusted Source Reconciliation for Specific OIM User Attributes

Description of Figure 4-9 follows
Description of "Figure 4-9 Trusted Source Reconciliation for Specific OIM User Attributes"

4.3.5 Service Account Management

Oracle Identity Manager supports service accounts. Service accounts are general administrator accounts (for example, admin1, admin2, admin3, and so on) that are used for maintenance purposes, and are typically shared by a set of users. The model for managing and provisioning service accounts is slightly different from normal provisioning.

Service accounts are requested, provisioned, and managed in the same manner as regular accounts. They use the same resource objects, provisioning processes, and process forms as regular accounts. A service account is distinguished from a regular account by an internal flag.

When a user is provisioned with a service account, Oracle Identity Manager manages a mapping from the user's identity to the service account. When the resource is revoked, or the user gets deleted, the provisioning process for the service account does not get canceled (which would cause the undo tasks to start). Instead, a task is inserted into the provisioning process (the same way Oracle Identity Manager handles Disable and Enable actions). This task removes the mapping from the user to the service account, and returns the service account to the pool of available accounts.

This management capability is available through APIs.

4.4 Converting a Disconnected Application Instance to Connected Application Instance

To describe the procedure to convert a disconnected application instance to a connected application instance, the following assumptions have been made:

  • A disconnected application instance exists in Oracle Identity Manager deployment, for example, the production environment. This disconnected application instance will be exported to another deployment of Oracle Identity Manager, for example, a test environment, and converted to a connected application instance. After testing the connected application instance in the test environment, it will be imported in the production environment again.

    Note:

    Optionally, the disconnected resource can be converted to a connected resource in the same environment. See "Modifying the Application Instance from Disconnected to Connected" for further details.
  • The application instance, process definition, forms, IT resource type definition, and IT resource retain the same name while converting a disconnected application instance to connected application instance.

The following are the broad-level steps to convert a disconnected application instance to a connected application instance:

  • Import the existing disconnected resource from the existing environment to the test environment.

  • Modify the implementation of the application instance, such as resource object definition and process definition.

  • Test the application instance by provisioning it to users and validating the behavior for enable, disable, revoke, and update tasks.

  • Export the new connected resource from the test environment and import it to the production environment.

Note:

  • Only the resource is exported between environments and not the application instance.

  • This section outlines the steps to import/export the resource of the application instance by using the Deployment Manager. Alternatively, the connector upgrade utility can also be used for import/export of the resource. See "Managing Connector Lifecycle" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about using the connector upgrade utility.

4.4.1 Creating a Disconnected Application Instance in the Production Environment

To create a disconnected application instance in the production environment:

  1. Login to Oracle Identity System Administration.

  2. Click Sandboxes to access sandbox management, create a sandbox, and activate it. See "Managing Sandboxes" for information about sandboxes and how to create, activate, and publish sandboxes.

  3. Under Configuration, click Application Instances. Click Create on the toolbar to open the Create Application Instance page.

  4. Enter values in the Name and Display Name fields, such as LaptopAppInstance.

  5. Select the Disconnected option to specify a disconnected application instance. Selecting the Disconnected option disables the rest of the fields in the page, such as Resource Object, IT Resource Instance, Form, and Parent AppInstance.

  6. Click Save, and then click OK to confirm creation of the FinApp application instance. The artifacts for a disconnected application instance are created.

  7. Go to the Manage Sandboxes page, and publish the sandbox.

Upon successful creation of the application instance, organization and entitlements can be configured if necessary. For testing purpose, create four or five users and provision the newly created disconnected application instance to the users. Ensure that the users have the application instance in one of the following status: Provisioned, Enabled, Disabled, and Revoke. Try modifying one of the users to ensure that the account can be successfully updated.

4.4.2 Exporting Disconnected Application Instance From Production Environment

To export the disconnected application instance from the production environment:

  1. Login to Oracle Identity System Administration. In the left pane, under System Management, click Export. The Deployment Manager wizard is displayed in a new window.

  2. Search for the disconnected application instance. To do so, in the search section, select Resource from the list, enter the name of the disconnected application instance, for example LaptopApplication*, and click Search. The disconnected application instance is displayed in the Search Results section.

  3. Select LaptopApplicationInstance in the Search Results section, and then click Select Children. The Select Children page is displayed.

  4. Select the required child attributes, as shown in Figure 4-10:

    Figure 4-10 Child Attributes

    Description of Figure 4-10 follows
    Description of "Figure 4-10 Child Attributes"

  5. Click Select Dependencies. The Select Dependencies page is displayed.

  6. Click Confirmation. In the Confirmation page, click Add For Export.

  7. After verifying that all the required dependencies are displayed in the export summary, as shown in Figure 4-11, click Export.

    Figure 4-11 Export Summary

    Description of Figure 4-11 follows
    Description of "Figure 4-11 Export Summary"

  8. Provide a name to the XML file, such as DisconnectedLaptopExp.xml. Upon successful export, a message is displayed.

4.4.3 Importing the Disconnected Application Instance in Test Environment

To import the disconnected application instance in test environment:

  1. In the left pane of the Oracle Identity System Administration, under System Management, click Import.

  2. Provide the path to the exported XML file, and then click OK. A confirmation page is displayed. Click Add File.

  3. In the Substitutions page, you can provide substitutions for users or groups. If there are no substitutions, then click Cancel Substitution.

  4. In the import summary, as shown in , check for any unresolved dependency, and then click Import.

    Figure 4-12 Import Summary

    Description of Figure 4-12 follows
    Description of "Figure 4-12 Import Summary"

  5. Verify that the process definition, resource object, and forms have been successfully imported.

4.4.4 Modifying the Application Instance from Disconnected to Connected

In the environment where the application instance has been imported, make the following changes to convert the disconnected application instance to a connected application instance:

  1. Login to the Design Console.

  2. Expand Resource Management. Click Resource Objects to open the Resource Objects form.

  3. Change the type of the resource object from Disconnected to Application.

  4. Define new IT resource parameters in conjunction with the connected resource as required in the IT Resource Type Definition form.

  5. Modify the existing IT resource (assuming that the ITResource is the same) with the new parameters added in step 4.

  6. Expand Process Management, and click Process Definition to open the Process Definition form.

  7. Search the process definition of the disconnected application instance. The following tasks are displayed:

    • ManualProvisioningStart

    • ManualProvisioningEnd

    • ManualEnableStart

    • ManualEnableEnd

    • ManualDisableStart

    • ManualDisableEnd

    • ManualRevokeStart

    • ManualRevokeEnd

  8. For each task, perform the following:

    1. Rename the task. For example, change the task name from ManualProvisioningStart to XXManualProvisioningStart.

    2. Make sure the Conditional option is selected. In addition, ensure that the Required for Completion option is not selected.

    3. If the task is an enable/disable/revoke task, then change the task effect to No effect.

    4. In the Integration tab, disassociate the adapters attached to the task by clicking on Remove.

    5. Remove task dependency, if any.

    6. Remove undo/recovery/generated tasks, if any.

    7. Change the object status mapping, if any, to none.

      Note:

      Step 6a through 6g are to ensure that the existing tasks for disconnected application instance do not start when the application instance is exported as a connected application instance.
  9. There is a task by the name PARENT_FORM_NAME Updated. This task triggers whenever the parent form is updated. Make sure to disassociate the existing adapters attached to the task and customize the task as required.

  10. If there are any tasks related to the child form, then make sure to remove the triggers for create/update/delete by clicking Clear. If these tasks are not going to be reused, then disassociate the adapters attached to these tasks and rename the tasks to ensure that they do not run. Oracle recommends creating new tasks for each create, update, and delete trigger.

    Note:

    • Optionally, the same tasks for the child data can be retained but custom adapters must be defined for the create/update/delete trigger.

    • For a disconnected application instance with child data, the task with the delete trigger will be associated with the tcCompleteTask adapter. Make sure to define and attach a custom adapter to this task to enable proper deletion of entitlement or child data.

  11. Define custom adapters for the create, disable, enable, revoke, and update account tasks. If there are child tables, then make sure to define custom adapters for the same.

  12. Create the following tasks in the process definition, and associate the corresponding adapters to each of those tasks. Map the required undo/recovery tasks and set the object status mapping.

    • Create User: Ensure that in the task properties, the Required for Completion option is selected and the Conditional option is not selected.

    • Disable User: Ensure that the task effect is Disable Processes or Access to Application.

    • Enable User: Ensure that the task effect is Enable Processes or Access to Application.

    • Delete User: Ensure that the task effect is Revoke Processes or Access to Application.

    • ATTRIBUTE_NAME Updated: For each attribute defined in the process form, corresponding update tasks have to be created. These tasks are triggered on updates to the process form, for example, Account Name Update, Account ID Updated, and so on.

  13. If there is a child table, then define tasks for each trigger type, such as create, update, and delete.

Test the connected application instance by provisioning it to a few users in the test environment. You must define a new application instance with the modified resource object and IT resource to provision the application instance to users.

4.4.5 Testing the Connected Application Instance

After converting the disconnected application instance to a connected application instance:

  • Export the modified resource from the test environment.

  • Import the modified resource to the production environment.