This is a list of user groups and the resources with which users in the group are to be provisioned or deprovisioned. Access policies are defined using the Access Policies menu item in the Oracle Identity Manager Web admin console.
A Java class, generated by the Adapter Factory, that enables Oracle Identity Manager to interact with an external .jar file, a target IT resource (for example, a resource asset), or a user-defined form.
An adapter extends the internal logic and functionality of Oracle Identity Manager. It automates process tasks, and defines the rules for the auto-generation and validation of data in fields within Oracle Identity Manager.
There are five types of adapters: task assignment adapters, task adapters, rule generator adapters, pre-populate adapters, and entity adapters.
A code-generation tool provided by Oracle Identity Manager, which enables a User Administrator to create Java classes, known as adapters.
This is one of several possible components within an adapter: a logical step within the adapter, equivalent to calling a programming language method. The following types of adapter tasks are available: Java Task, Remote Task, Stored Procedure Task, Utility Task, Oracle Identity Manager API Task, Set Variable Task, Error Handler Task, and Logic Task.
This is a user-defined placeholder within the adapter that contains runtime application data used by its adapter tasks. An adapter variable may be used multiple times within a single adapter.
Roles that are predefined in Oracle Identity Manager and have a one-to-one mapping to the Application Roles defined in Oracle Entitlements Server. Application Roles are an Oracle Entitlements Server (OES) construct and cannot be viewed or assigned through Oracle Identity Manager. Hence, each Application Role in OES has a corresponding Admin Role in Oracle Identity Manager.
An entity that depicts the intersection between an IT resource instance and a resource object. Users are expected to have accounts and entitlements tied to an application instance, not to the IT resource instance or the resource object. Today, some Oracle Identity Manager features work at the IT resource instance level and some at the resource object level. With the introduction of this entity, all accounts and entitlements are consistently identified at the application instance level.
This is the interface (calling conventions) by which an application program accesses an operating system and other services. An API is defined at the source code level and provides a level of abstraction between the application and the kernel (or other privileged utilities) to ensure the portability of the code.
An API can also provide an interface between a high-level language and lower-level utilities and services that were written without consideration for the calling conventions supported by compiled languages. In this case, the main task of the API may be the translation of parameter lists from one format to another and the interpretation of call-by-value and call-by-reference arguments in one or both directions.
Predefined roles in Oracle Entitlements Server; the policies attached to them govern the permissions that each of these roles grants.
Approval policy is a configurable entity of request management that helps associate various request types with approval processes defined in the request service only for request-level and operation-level approvals. It associates approval workflows to be initiated at request or operation levels for a request type. You can use approval policies to associate various request types with various approval processes, which are the SOA-based workflows. Approval policies control which approval process is to be invoked based on the request data evaluation.
Approval tasks are instantiated by the request service and correspond to associated requests that are in the user's or administrator's queue to be approved.
Attestation enables users designated as reviewers to be notified of reports they must review. These reports describe entitlements of other users. A reviewer can attest to the accuracy of these entitlements by providing a response.
An attestation process is the mechanism by which an attestation task is set up. Input that an attestation process requires includes information about how to define the components that constitute the attestation task and how to associate the attestation task with a schedule at which the task must be run.
The attestation action, along with the response the reviewer provides, any associated comments, and an audit view of the data that the reviewer views and attests to, is tracked and audited to provide a complete trail of accountability. In Oracle Identity Manager, this process is known as an attestation task.
This is also known as "Trusted Source Reconciliation", which can be used to create, update, and delete users in Oracle Identity Manager.
A beneficiary is an entity that benefits from the action performed when the request is completed; a request is completed only if it is executed successfully.
The Bulk Load utility is aimed at automating the process of loading a large amount of data into Oracle Identity Manager. It helps reduce the downtime involved in loading data. You can use this utility after you install Oracle Identity Manager or at any time during the production lifetime of Oracle Identity Manager. Bulk Load utility can be used to load user, account, role, role hierarchy, role membership, and role category data into Oracle Identity Manager.
The callback service invokes deployment-specific logic at predetermined points during Oracle Identity Manager event processing. The callback service triggers notifications and callbacks that allow external applications to perform some action as a part of Oracle Identity Manager event processing.
Catalog, also known as Request Catalog, offers a consistent and intuitive request experience for customers to request roles, entitlements, and application instances, following the commonly used shopping cart paradigm. The catalog is a structured entity with its own set of metadata.
A catalog item is an entity, such as roles, entitlements or application instances, that can be requested by a user, either for themselves or on behalf of other users.
A catalog Item Navigation Category is a way to organize the request catalog. Each catalog item is associated with one and only one category. A catalog item navigation category is an attribute of the catalog item. Catalog Administrators can edit a Catalog Item and provide a value for the category.
Target systems that are online and can be provisioned to directly by using connectors.
Used to integrate Oracle Identity Manager with a specific third-party application, such as Microsoft Active Directory or Novell eDirectory.
Connector servers are implementations of the Identity Connector Framework (ICF) that allow a target connector to be executed remotely from Oracle Identity Manager. Communication between Oracle Identity Manager and an ICF-based connector server happens over a socket layer.
A context is the environment in which an Oracle Identity Manager operation is performed. For example, a user creation operation performed in Oracle Identity Self Service is carried out in the Web context.
Areas of a form into which information may be entered (for example, Organization Name). Data fields are used to contain, display, and potentially edit the data entered into them.
This is the storage facility for data within Oracle Identity Manager. Oracle Identity Manager controls this data using a software application known as the Database Management System (DBMS).
This is an Oracle Identity Manager user who has been assigned administrative responsibilities. Administrative rights are assigned using membership within administrative groups. Administrators have access only to those organizations, forms, data, and users for which/whom they are responsible.
The Deployment Manager is a tool for exporting and importing Oracle Identity Manager configurations and customizations. Usually, the Deployment Manager is used to migrate a configuration from one deployment to another, for example, from a test to a production deployment, or to create a backup of the deployment.
The rescinding of a user's, user group's, and/or organization's access to a resource.
Diagnostic Dashboard is a stand-alone application that helps you validate some of the Oracle Identity Manager prerequisites and installation.
Disconnected resources are targets for which there is no connector. Therefore, the provisioning fulfillment for disconnected resources is not automated, but manual.
This is a predefined template that is used when generating e-mail notifications. E-mail definitions are created using the E-mail Definition form.
An entitlement granted to an account on a target system enables the account owner (user) to perform a specific task or function. An entitlement can be an application role, responsibility, or group membership. For example, if user Richard is granted the Inventory Analyst role on a target system, then Richard can use that entitlement to access and generate inventory-related reports from the target system.
All Owners (Role, Entitlement, and Application Instance) are additional metadata on the entity, typically used in resolving approvals, certifications, and so on. The Owners of an entity have no administrative rights on the entity itself.
This is one of several adapter task types. This type of adapter task is used to display any errors associated with an adapter that occur at runtime. In addition, you can view the reasons for the errors, along with possible solutions. See adapter task.
This is informative text that appears when a specific problem occurs within Oracle Identity Manager.
This is an action (initiated by Oracle Identity Manager, an external system, or a user) and/or a result of that action being performed.
An event handler is a piece of code that is registered with an orchestration at one or more of its stages. The event handler is invoked when the relevant orchestration stage is performed.
A graphical user interface layout (i.e., mechanism) used to view, insert, edit, and delete information associated with records in the Oracle Identity Manager database. A form can be displayed as two distinct views:
Form View that contains detailed information related to a single record.
Table View that contains minimal information related to multiple records.
A form used to create customized Forms. Forms created using this form must be associated with a process or a resource object. These forms (and the fields they are comprised of) are used to provide processes or resource objects with a mechanism for obtaining additional information they require to conduct provisioning.
Generic Technology Connector (GTC) enables you to create a custom connector to link the target system and Oracle Identity Manager without using the customization features of the Adapter Factory.
Heterogeneous request is a request created for entities of different types. Oracle Identity Manager supports requesting roles, application instances, and entitlements in a single request, which is heterogeneous in nature.
Identity connectors are components developed to link Oracle Identity Manager with external stores of applications, directories, and databases. This release of Oracle Identity Manager provides support for developing and building identity connectors by using the Identity Connector Framework (ICF). Using the ICF decouples Oracle Identity Manager from the other applications to which it connects. Therefore, you can build and test an identity connector before integrating it with Oracle Identity Manager.
An identity connector server is required when an identity connector bundle is not directly executed within your application. By using one or more identity connector servers, the ICF architecture permits your application to communicate with externally deployed identity connector bundles. Identity connector servers are available for Java™ and Microsoft .NET Framework applications.
This is a Java Archive file: a compressed archive file (denoted by a .jar extension) containing one or more Java class files. This file format is used to distribute and run Java applications.
This is one of several adapter task types available within the Adapter Factory form. This type of adapter task is used to communicate with an external source through a Java API. See adapter task.
JavaBeans allow developers to create reusable software components that can then be assembled together using visual application builder tools. Within Oracle Identity Manager, it is a Java program module that is used by Oracle Identity Manager Remote Manager to communicate bi-directionally with non-network-aware APIs. See remote manager.
This is one of several adapter task types available within the Adapter Factory form. This type of adapter task is used to build a conditional statement within an adapter (for example, an if statement, a for-loop, or a while loop). See adapter task.
A definition that can represent:
The name and description of a text field;
A lookup field and the values that are accessible from that lookup field; or
A combo box and the commands that can be selected from that combo box.
Lookup definitions are created using the Lookup Definition form (for default forms) or the Form Designer form (for custom forms). See lookup field.
This is a data field that provides the user with a set of pre-defined values. Lookup fields only accept values selected from the pre-defined list as valid entries. See data field.
You can define lookups (for lookup fields and combination boxes) in Oracle Identity Manager for user-defined fields (UDFs) in system forms (for example, User Form, Resource Object Form, etc.) and fields of user-defined resource and object forms. The lookups are defined in two ways:
Lookup Queries: where the queries are statically defined for the field and are run against the appropriate database table.
Lookup Codes: where the items are displayed in a list from a lookup definition table
Custom lookup queries have been enhanced to allow the lookup query to be parameter driven. The parameter property is a mapped parameter, where you can specify:
Filter Column: the column for which a value is specified in the "where" clause
Filter Map: the source from which the value comes
While the enhancement itself is delivered as part of the existing Form Designer feature in the Java Client, any updates made by this feature are rendered on the Web Client dynamically as administrators, approvers, or end-users access the updated form(s).
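The point a practitioner should take from a parameter-driven lookup query is where the filter value enters the SQL. The following added example (Python with an in-memory SQLite table; it is not Oracle Identity Manager's lookup implementation and its table and column names are constructed for illustration) contrasts a lookup that concatenates the Filter Map value into the where clause with one that binds it as a query parameter and allow-lists the Filter Column, since a column name cannot be bound and must be restricted instead:

```python
import sqlite3


def build_demo_db():
    """Constructed stand-in for a lookup table: region, lookup code, and display value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE lku_values (region TEXT, code TEXT, decode TEXT)")
    conn.executemany(
        "INSERT INTO lku_values VALUES (?, ?, ?)",
        [
            ("EMEA", "LDN", "London"),
            ("EMEA", "PAR", "Paris"),
            ("APAC", "SYD", "Sydney"),
            ("RESTRICTED", "HQ", "Restricted site"),  # must never appear for an ordinary filter
        ],
    )
    return conn


# Hypothetical allow-list of columns a Filter Column mapping may name.
ALLOWED_FILTER_COLUMNS = {"region", "code"}


def lookup_values_unsafe(conn, filter_column, filter_value):
    """Vulnerable form: the Filter Map value is spliced into the WHERE clause.

    A value such as  EMEA' OR '1'='1  turns the filter into a tautology and
    returns every row, including entries the requester should not see."""
    sql = f"SELECT code, decode FROM lku_values WHERE {filter_column} = '{filter_value}'"
    return conn.execute(sql).fetchall()


def lookup_values_safe(conn, filter_column, filter_value):
    """Hardened form: the value is bound as a parameter, the column is allow-listed."""
    if filter_column not in ALLOWED_FILTER_COLUMNS:
        raise ValueError(f"filter column not permitted: {filter_column!r}")
    sql = f"SELECT code, decode FROM lku_values WHERE {filter_column} = ? ORDER BY code"
    return conn.execute(sql, (filter_value,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_values_safe(db, "region", "EMEA"))
    print(lookup_values_unsafe(db, "region", "EMEA' OR '1'='1"))
    print(lookup_values_safe(db, "region", "EMEA' OR '1'='1"))
```

The bound version treats the injected string as an ordinary value that matches no region, so the restricted row stays hidden; the allow-list is what protects the one part of the statement (the column identifier) that a bind parameter cannot cover.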
This is an item, which contains information pertaining to the text field, lookup field, or combo box that represents the lookup definition. See lookup definition.
The list of organizations that are explicitly assigned to delegated administrators. These are the organizations for which the users have been granted the associated Admin Role.
Applicable globally: every manager is able to manage (User Administration) their direct reports.
This is any task within a process that requires user action in order to be completed. Approval processes are generally comprised of manual tasks.
This is data about data. Metadata can represent information about or documentation of other data managed within an application or environment. For example, metadata can be used to provide information about data elements or attributes, (name, size, data type, etc.), records or data structures (length, fields, columns, etc.) or the physical location or permissions of data (where it is located, how it is associated, ownership, etc.). Within Oracle Identity Manager, there are two types of Metadata: system Metadata, which is internal to the Oracle Identity Manager system, and customer Metadata, such as process definitions.
If a user already has a primary account and requests another account in the same target application, then that account is a non-primary account. A user can have multiple non-primary accounts, but only one primary account.
A software platform that automates access rights management and the provisioning of resources. Oracle Identity Manager instantly connects users to the resources they need to be productive, and revokes and or prevents unauthorized access to protect proprietary information and enhance security.
The process of any Oracle Identity Manager operation that goes through a predefined set of stages and executes some business logic in each stage is called an orchestration.
A collection of criteria used to validate password creation and modification within Oracle Identity Manager or on an external resource. The criteria within a policy are applied based on the rule associated with it on the resource object to which it has been attached. Password policies can be defined for Oracle Identity Manager and/or third-party system passwords.
A rule used to determine which password policy is to be applied to password creation and modification on a particular resource or within Oracle Identity Manager. Password policy rules are always of type General. See rule.
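To make the two preceding definitions concrete, here is an added example (Python, not Oracle Identity Manager's own password policy engine) in which a rule built from attribute/operator/value elements selects the policy that applies to a user, and the selected policy's criteria are then checked against a candidate password. The policy names, attribute names, criteria, and the use of a plain SHA-256 digest for the password history are all constructed for illustration; a real deployment keeps history with a salted, slow password hash.

```python
import hashlib
import hmac
import operator
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """A collection of criteria applied to password creation and modification."""
    name: str
    min_length: int = 8
    min_uppercase: int = 1
    min_digits: int = 1
    min_special: int = 1
    disallow_login: bool = True   # the user login must not appear in the password
    history_size: int = 3         # most recent previous passwords that may not be reused


SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/")

# Rule elements are (attribute, operator, value); only equality operators are modelled here.
OPERATORS = {"==": operator.eq, "!=": operator.ne}


def rule_matches(rule, user):
    """A rule holds when every one of its elements holds for the user's attributes."""
    return all(OPERATORS[op](user.get(attribute), value) for attribute, op, value in rule)


def select_policy(policy_rules, user, default):
    """Return the policy of the first matching (rule, policy) pair, else the default."""
    for rule, policy in policy_rules:
        if rule_matches(rule, user):
            return policy
    return default


def password_digest(password):
    # Illustrative only; use a salted, slow hash (bcrypt, scrypt, Argon2) in practice.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate_password(policy, password, login, previous_digests=()):
    """Return the list of criteria the password violates (empty list means it passes)."""
    violations = []
    if len(password) < policy.min_length:
        violations.append("length")
    if sum(c.isupper() for c in password) < policy.min_uppercase:
        violations.append("uppercase")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        violations.append("digit")
    if sum(c in SPECIAL for c in password) < policy.min_special:
        violations.append("special")
    if policy.disallow_login and login and login.lower() in password.lower():
        violations.append("contains login")
    recent = list(previous_digests)[-policy.history_size:] if policy.history_size else []
    digest = password_digest(password)
    if any(hmac.compare_digest(digest, old) for old in recent):
        violations.append("reused")
    return violations


# Constructed policies and a rule of type General that picks one by employee type.
DEFAULT_POLICY = PasswordPolicy("Default")
CONTRACTOR_POLICY = PasswordPolicy("Contractor", min_length=14, min_special=2, history_size=5)
POLICY_RULES = [([("employee_type", "==", "contractor")], CONTRACTOR_POLICY)]


if __name__ == "__main__":
    user = {"login": "jdoe", "employee_type": "contractor"}
    policy = select_policy(POLICY_RULES, user, DEFAULT_POLICY)
    print(policy.name, validate_password(policy, "Tr0ub4dor&3", user["login"]))
```

The validator reports every failed criterion rather than stopping at the first, which is what a self-service password change screen needs in order to tell the user what to fix; the history comparison uses a constant-time digest comparison so that the check itself does not leak how close a guess came.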
A plug-in is a logical component that extends the functionality of features provided by Oracle Identity Manager. The plug-in framework enables you to define, register, and configure plug-ins, which extend the functionality provided by features. Plug-ins can be predefined or custom-developed, and they are utilized at plug-in points.
A plug-in point is a specific point in the business logic where extensibility can be provided. An interface definition called the plug-in interface accompanies such a point. You can extend the plug-in interface based on the business requirements and register them as plug-ins.
If a user has multiple roles that have different authorization policies applicable in the same context, then the user's access rights are the cumulative rights across those policies. For example, the authorization check for the permission to search for users returns a list of obligations. This is a list of obligations from each applicable authorization policy. These obligations from multiple policies are combined to get a unified search result.
This is one of five Oracle Identity Manager adapter types that are used to populate data on user defined fields on user defined forms. This specific type of rule generator adapter can be attached either to custom fields of forms or to fields of custom forms. These fields are created using the User Defined Field Definition form and the Form Designer form, respectively.
A primary account is the first account created for a user in a target application. In other words, a primary account is the first application instance that is being requested. Oracle Identity Manager supports multiple accounts for a single application instance. The first account that is created is tagged as primary account, and there can be only one primary account for a user. The other accounts (non-primary accounts) are associated with the primary account. When the user requests entitlements, the entitlements are appended to the primary account.
This is a collection of one or more process tasks, also, a requested instance of a process definition. See process definition.
This is a record containing a detailed definition of all properties of a process as well as its workflow and the tasks that comprise it.
This is the current state of execution for a process. The status of a process is determined by the status of its tasks.
This is a step or component of a process (as specified within the Process Definition form). Process tasks can be independent or dependent on one another.
This is one of five Oracle Identity Manager adapter types. This type of adapter allows Oracle Identity Manager to automate the execution of a process task. See process task.
This is the granting of access for resources to users in conformance with Oracle Identity Manager policies. See deprovisioning.
This is an access policy that is applied to a user group during resource provisioning. A provisioning policy is one of several factors that determine whether a resource object may ultimately be provisioned to the user. A provisioning policy definition specifies the resource objects that can be allowed or disallowed for one or more user groups. See access policy. See resource object.
This is one of two Oracle Identity Manager process types. This type of process is used to provision Oracle Identity Manager resources to users or organizations.
The status of the resource object as it is being provisioned to a user or an organization. A resource object can have one of nine pre-defined statuses, including the following:
Provisioning: The resource object has been assigned to a request, and an approval process and a provisioning process have been selected.
Provisioned: The resources, represented by the resource object, have been provisioned to the users or organizations.
Enabled: The resources, represented by the resource object, have been provisioned to the users or organizations. In addition, these users or organizations have access to the resources.
Disabled: The resources, represented by the resource object, have been provisioned to the users or organizations. However, these users or organizations have temporarily lost access to the resources.
Revoked: The resources, represented by the resource object, have been provisioned to the users or organizations. However, these users or organizations have been permanently deprovisioned from using the resources.
Provide Information: Additional information is required before the resources, represented by the resource object, can be provisioned to the target users or organizations.
None: This status does not represent the provisioning status of the resource object. Rather, it signifies that a task, which belongs to the provisioning process that Oracle Identity Manager selects, has no effect on the status of the resource object.
Provisioning tasks are tasks instantiated by requests, or pending manual provisioning tasks, or failed automatic provisioning tasks in the user or administrator's queue.
A list of roles (in Oracle Identity Manager Enterprise Edition), and entitlements and application instances (in Oracle Identity Manager), that are made available to organizations by the respective entity administrators.
A method of searching for particular data records within a database using a common characteristic. For example, a common query performed on the Organizations page (Oracle Identity Self Service) is to retrieve all records related to a particular organizational unit. Oracle Identity Manager has many powerful built-in query syntax tools.
The process by which any action to create, modify, or delete a target system identity initiated in the target system (using traditional means) is communicated back to the provisioning system and recorded.
A collection of related items of information organized as a single unit of data (for example, a single record comprised of a name, telephone number, and address). The record is the entity stored in the database that contains this related information (whereas forms are the mechanism employed by the user to view or edit that information).
A server that enables Oracle Identity Manager to communicate with a remote application that is either non-network-aware, or is network-aware, but is not located on the Oracle Identity Manager Server. Remote managers are employed when Oracle Identity Manager needs to perform some function with this third-party application (for example, call a method that resides within the external API).
A request is an entity created by the users or administrators performing a specific action that requires a discretionary permission to be gained by someone or some process before the action can be performed. For example, a user can create a request to gain access to a laptop computer, and a manager can create an open requisition based on the request. A request has a requester, a beneficiary (optional), and a target entity.
A request cart contains a set of request items that a user has requested. The request cart does not persist across user sessions.
A request catalog is a collection of items that can be searched, browsed and requested by a user either for themselves or on behalf of others.
Request dataset is an XML definition file that dictates what data needs to be collected during various phases of the request lifecycle. In the request dataset, you can define what attributes need to be submitted by the requester and approver, whether or not an attribute is mandatory, and how UI should render the attribute to the user. Every attribute defined as a part of the dataset is associated with a set of properties that define the behavior of the attributes. Request dataset also allows you to define additional attributes, which exist only in the context of the request.
A request profile is a cart that has been saved by an administrator. The administrator can, optionally, enter additional information about the items in the cart before saving it. For example, if an application instance is included in the profile, then the request form (data set) for the application instance can be filled in by the administrator during profile creation. The end user who creates a request based on the profile can change the information in the form. All users have access to all request profiles; however, not all users have access to all items in a request profile.
Each request goes through a specific lifecycle after it is created in the system. This lifecycle is managed and controlled by the request service. The lifecycle transits the request through various stages. The stage a request is in determines what action the controller takes in that step, what operations are available on the request at that time, and what the possible stage transitions are. Each stage represents the logical next step in the request lifecycle. Only the successful execution of an operation can take the request from one stage to the next.
A requester is an entity that creates or raises a request. A requester can be a user or the system itself. The functional component decides on the requester for system-generated requests. An example of a system-generated request is a request created by the system based on access policy.
This is the ability of a user to change his or her password.
When the user first registers with Oracle Identity Manager (using the Oracle Identity Manager Web Application), he/she needs to select personal verification questions, and specify the answers to these questions. Oracle Identity Manager then uses these questions to verify a user's identity and reset his or her password.
Also referred to as a Resource Object. This is any unit of hardware, software, or data over which a company wishes to enforce provisioning control. For example, hardware resources might be servers and printers in the network. Software resources can be programs, utilities, or even smaller elements within a program. Data resources could be any accessible files or databases.
The Oracle Identity Manager resource object definition is the virtual representation of the resources to be provisioned. For example, a resource object can have one or more approval processes, provisioning processes, rules, and password policies.
The Oracle Identity Manager resource object definition is used to control the various processes and policies associated with the resource, as well as set system-wide options that will determine how the resource is provisioned.
User-defined criteria employed by Oracle Identity Manager to match conditions and take action based on them. There are five types of rules (the first four are defined using the Rule Designer form):
General: This type of rule enables Oracle Identity Manager to add a user to a user group automatically. It also determines the password policy that will be assigned to a resource object.
Process Determination: This type of rule determines the standard approval process that will be associated with a request, as well as the approval and provisioning processes, which will be selected for a resource object.
Task Assignment: This type of rule is used to determine the user or user group to which a task is to be assigned.
Pre-Populate: This type of rule is used to determine the pre-populate adapter that Oracle Identity Manager selects when populating a custom field of an Oracle Identity Manager or user-defined form. See prepopulate adapter.
Reconciliation: This type of rule is used to specify the criteria Oracle Identity Manager applies when attempting to match changes to data within target resources or trusted sources (for example, external systems with which you have configured Oracle Identity Manager to compare and reconcile data) with data in Oracle Identity Manager. Reconciliation rules are defined using the Reconciliation Rules form.
This is the logical component of a rule. It is a unit that consists of an attribute, an operator, and a value (for example, user role == full time).
This is one of five Oracle Identity Manager adapter types. This type of adapter is responsible for automatically generating, modifying, or verifying the value of a form's field, and saving this information to the database. Values supplied by a rule generator can be overridden by user input.
A sandbox represents an area in the MDS repository where metadata objects can be modified without affecting their mainline usage. Typically, sandboxes are used to test changes to metadata objects before exposing them to mainline use. Any changes made to a sandbox are visible only in the sandbox. By publishing the sandbox, the changes are merged into the mainline.
A scheduled task configures the metadata for a job that is to be run and the parameters required for its execution. This metadata is predefined for the predefined tasks. A user can add a new task, which carries its own metadata, or update an existing task to add or change its parameters and other configuration details.
Scheduler enables you to schedule jobs that automatically run predefined scheduled tasks at the specified time.
This is the ability of a user to register with Oracle Identity Manager, using the Oracle Identity Manager Web Application.
A job can be scheduled to run at the specified interval. You can create multiple jobs scheduled to run at different time intervals. A job run is a specific execution of a job. Each job run includes information such as the start time, stop time, exceptions and status of the execution.
Segregation of Duties (SoD) is aimed at applying checks and balances on business processes. The SoD validation process in Oracle Identity Manager occurs when a user creates a request for an entitlement on a particular target system. The request is funneled through a resource approval workflow and, if it passes that initial workflow, a resource provisioning workflow. If the user's request passes SoD validation (and an approver approves the request), the resource provisioning workflow is initiated. If the request fails SoD validation, the resource approval workflow can be configured to take remediation steps.
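The SoD validation step described above reduces to a check of the requested entitlements against a set of toxic combinations, taking into account what the beneficiary already holds. The following is an added example (Python, not Oracle Identity Manager's SoD integration or any GRC product's engine) with a constructed conflict matrix; it reports only the conflicts a request would introduce, leaving conflicts that already exist in the user's current entitlements to a certification or remediation run rather than blocking an unrelated request on them.

```python
# Constructed toxic combinations: pairs of entitlements one account must not hold together.
TOXIC_COMBINATIONS = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}),
    frozenset({"HR_CREATE_EMPLOYEE", "PAYROLL_RUN"}),
}


def sod_violations(current, requested, conflicts=TOXIC_COMBINATIONS):
    """Return the conflicting pairs that granting `requested` would introduce.

    A pair counts only if both halves would be held after the grant and at least
    one half is new; pairs already present in `current` were granted earlier and
    belong to a certification or remediation process, not to this request."""
    held = set(current)
    new = set(requested) - held
    after = held | new
    violations = set()
    for pair in conflicts:
        if pair <= after and pair & new:
            violations.add(pair)
    # Deterministic ordering so approvers and tests see a stable list.
    return sorted(tuple(sorted(pair)) for pair in violations)


def evaluate_request(current, requested, conflicts=TOXIC_COMBINATIONS):
    """Decide how the approval workflow should proceed for a request."""
    violations = sod_violations(current, requested, conflicts)
    if violations:
        # Failed SoD validation: the approval workflow routes to remediation,
        # for example by asking the requester to drop one side of each pair.
        return {"status": "SOD_FAILED", "violations": violations}
    return {"status": "SOD_PASSED", "violations": []}


if __name__ == "__main__":
    print(evaluate_request({"AP_CREATE_VENDOR"}, {"AP_APPROVE_PAYMENT", "GL_POST_JOURNAL"}))
    print(evaluate_request({"AP_CREATE_VENDOR"}, {"GL_POST_JOURNAL"}))
```

The same function also catches a heterogeneous request that asks for both halves of a pair at once, because both halves are then in the `new` set; a check that only compared requested items against current holdings would miss that case.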
Oracle Identity Manager provides client applications with the Identity Management service to manage identities, which makes use of the Service Provisioning Markup Language (SPML).
An SQL program located within a particular database schema. Stored procedures contain information, such as SQL statements, which are pre-compiled for greater efficiency. See stored procedure task.
This is one of several adapter task types. This type of adapter task allows Oracle Identity Manager to map to and execute SQL programs that are located within a particular database schema. Within Oracle Identity Manager, these programs are known as stored procedures.
By incorporating a stored procedure task into an adapter and attaching this adapter to a process task, Oracle Identity Manager can utilize stored procedures on any Oracle or SQL Server database (assuming it is accessible on its network). This includes retrieving primitive values from stored procedures. See adapter task. See stored procedure.
System properties define the characteristics that control the behavior of Oracle Identity Manager. You can define the functionality of consoles such as the Oracle Identity System Administration and Oracle Identity Self Service by using system properties.
The external resource or application to which you wish to provision a user or organization with access using Oracle Identity Manager.
Within the context of Oracle Identity Manager's reconciliation functions, this term has a more specific meaning. It is then used to refer to a resource with which Oracle Identity Manager has been set to conduct reconciliation. Target resources differ from trusted sources in that Oracle Identity Manager only accepts changes to the primary user record from a trusted source. All other external applications with which Oracle Identity Manager is conducting reconciliation are referred to as target resources.
This refers to reconciliation that results in the creation, update, or revocation of resources provisioned to a user in Oracle Identity Manager. Account Discovery, Orphan Account Discovery, Rogue Account Discovery, and Direct Management Discovery are all specific use cases within this type of reconciliation.
This adapter enables Oracle Identity Manager to automate the allocation of a process task to a user or group. A task assignment adapter can be written to dynamically assign a task based on parameters in the task request. The new Task Assignment Adapter is associated with a task assignment rule.
The Task Assignment Adapter enhances the mechanism of assigning a task through the Assignment tab of the Editing Task form (nested in the Process Definition form), where a rule is attached to a task, and users or groups are assigned to the current task.
The set of buttons along the top edge of the Oracle Identity Manager Design Console window that provides access to frequently used functions. Clicking the left mouse button when the pointer is over a button will execute that button's function. Hovering with your mouse over a button will cause a tool tip about that button to be displayed.
A digital ID, which verifies that the user's password for an external application is being transmitted to Oracle Identity Manager from the correct location.
This is the resource object in which a unique key for reconciliation with data in Oracle Identity Manager has been defined. The trusted source is the resource object from which Oracle Identity Manager accepts changes to the user record definition. There may be more than one trusted source and more than one key per trusted source.
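The distinction between target resource reconciliation and trusted source reconciliation drawn in the entries above (target resources change accounts; only a trusted source may change the user record) is easiest to see in code. The following added example (Python, not Oracle Identity Manager's reconciliation engine) works through both over constructed directory records: for a target resource it classifies each pulled account as matched, discovered, rogue, or orphan according to one matching rule, and notes accounts that were provisioned but have vanished from the target; for a trusted source it creates or updates user entities instead. The record layout, the `owner_login` matching attribute, the resource name `LDAP`, and the labels used for the discovery cases are this example's own choices.

```python
from dataclasses import dataclass, field


@dataclass
class OimUser:
    login: str
    first_name: str
    last_name: str
    status: str = "Active"
    # resource name -> account identifier that OIM provisioned or previously linked
    accounts: dict = field(default_factory=dict)


def reconcile_target(records, users, resource, rule=("owner_login", "login")):
    """Classify accounts pulled from a target resource (constructed logic, not OIM's).

    rule: (record attribute, user attribute) compared for equality, standing in for
    a reconciliation rule element that finds the owning user of an unlinked account."""
    rec_attr, user_attr = rule
    linked = {u.accounts[resource]: u.login for u in users if resource in u.accounts}
    by_attr = {getattr(u, user_attr): u for u in users}
    events, seen = [], set()
    for rec in records:
        acct = rec["account_id"]
        seen.add(acct)
        owner = linked.get(acct)
        if owner is not None:
            events.append(("matched", acct, owner))          # already managed by OIM
            continue
        user = by_attr.get(rec.get(rec_attr))
        if user is None:
            events.append(("orphan", acct, None))            # no valid owner: review or disable
        elif resource in user.accounts:
            events.append(("rogue", acct, user.login))       # second account created outside OIM
        else:
            events.append(("discovered", acct, user.login))  # link the existing account to its owner
            user.accounts[resource] = acct
    for acct, owner in linked.items():
        if acct not in seen:
            events.append(("revoked_on_target", acct, owner))  # deprovisioned directly on the target
    return events


def reconcile_trusted(records, users, key="login"):
    """Trusted-source reconciliation: records create or update the user entity itself."""
    by_key = {getattr(u, key): u for u in users}
    events = []
    for rec in records:
        user = by_key.get(rec[key])
        if user is None:
            users.append(OimUser(rec["login"], rec["first_name"], rec["last_name"],
                                 rec.get("status", "Active")))
            events.append(("create_user", rec["login"]))
            continue
        changed = False
        for attr in ("first_name", "last_name", "status"):
            if attr in rec and getattr(user, attr) != rec[attr]:
                setattr(user, attr, rec[attr])
                changed = True
        events.append(("update_user" if changed else "no_change", rec["login"]))
    return events


def sample_users():
    """Constructed OIM user population."""
    return [
        OimUser("jdoe", "John", "Doe", accounts={"LDAP": "uid=jdoe"}),
        OimUser("asmith", "Ann", "Smith"),
        OimUser("bnguyen", "Bao", "Nguyen", accounts={"LDAP": "uid=bnguyen"}),
    ]


def sample_target_records():
    """Constructed snapshot of accounts read from the LDAP target."""
    return [
        {"account_id": "uid=jdoe", "owner_login": "jdoe"},
        {"account_id": "uid=asmith", "owner_login": "asmith"},
        {"account_id": "uid=jdoe2", "owner_login": "jdoe"},
        {"account_id": "uid=svc_backup", "owner_login": None},
    ]


if __name__ == "__main__":
    users = sample_users()
    for event in reconcile_target(sample_target_records(), users, "LDAP"):
        print(event)
```

In the sample snapshot, `uid=bnguyen` is provisioned in OIM but absent from the target, which is exactly the case the page calls revocation driven by reconciliation; `uid=svc_backup` has no owner and surfaces as an orphan for review rather than being silently linked to anyone.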
Entity attributes are properties of the entity. The information about the user entity is stored in the form of attributes, such as first name, last name, user login, and password. There are default user attributes in Oracle Identity Manager. However, you can create custom user attributes by using the Form Designer in the Oracle Identity System Administration. The custom attributes are referred to as user defined fields (UDFs). Oracle Identity Manager lets you create UDFs for the user, role, organization, and catalog entities.
An individual who possesses an account and login credentials within Oracle Identity Manager. There are two distinct types of users in Oracle Identity Manager:
End-User Administrators: This type of user may use either the Java or the Web version of Oracle Identity Manager. End-user administrators are responsible for configuring Oracle Identity Manager for their company's end-users.
End-Users: This type of user can access only the Oracle Identity Manager Web Application. End-users are generally only able to perform basic functions within Oracle Identity Manager.