Oracle® Fusion Middleware User's Guide for Oracle Identity Manager
11g Release 2 (11.1.2)
Part Number E27151-04
Oracle Identity Manager is a user provisioning and administration solution, which automates the process of adding, updating, and deleting user accounts from applications and directories. It also improves regulatory compliance by providing granular reports that attest to who has access to what. Oracle Identity Manager is available as a stand-alone product or as part of Oracle Identity and Access Management Suite.
Automating user identity provisioning can reduce Information Technology (IT) administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Key features of Oracle Identity Manager include password management, workflow and policy management, identity reconciliation, reporting and auditing, and extensibility.
The features of Oracle Identity Manager can be divided into the following categories:
In earlier releases of Oracle Identity Manager, usage of the product was IT centric. To request a role, entitlement, or application, business users had to know details such as which request template, resource object, or IT resource to use. From this release onward, business users do not need to know these IT-related details. Instead, they search for an item in the request catalog and add it to the shopping cart. Oracle Identity Manager provides this ease of use through a simplified request interface that includes a shopping cart and catalog-based experience, business-friendly request tracking, a unified inbox for approval and provisioning tasks, and a unified interface for self service and delegated administration tasks.
In earlier releases of Oracle Identity Manager, complex request scenarios could be implemented by using role requests, request templates and SOA approval processes. However, the request management engine did not offer the ability to request application entitlements. In addition, the overall request process was cumbersome.
From this release onward, the shopping cart pattern has been introduced to simplify the request interface. End users can request entities such as roles, entitlements, and application instances from the access request catalog by using the shopping cart pattern.
Administrators and end users can track all requests easily by using the simplified and user-friendly request tracking interface. By using the Track Requests page in Oracle Identity Self Service, you can view, approve, reject, or close requests by searching for requests based on request ID, status, request type, requested date, beneficiary, and requester.
Unlike earlier releases, the current release of Oracle Identity Manager provides a unified interface for end-user self service (for self and for others) and for user delegated-administration flows. In this release, delegated-administration operations on users are simply requests raised on behalf of other users that are automatically approved based on the security configuration.
Oracle Identity Manager provides an organizational-level scoping mechanism for delegated administration and data security of various entities. Every entity is published to a set of organizations and only the users in the published organizations are allowed to receive access.
Oracle Identity Manager allows users to personalize Oracle Identity Self Service for their respective logins. Users can rearrange or hide regions in the Home Page, save and reuse regularly searched items, save sorting preferences, and so on.
Single Interface for Self Service and System Administration
Oracle Identity Manager provides a single Web-based interface for performing all types of operations related to self, identity administration, and system administration and configuration.
User Profile Management
Administrators can view and manage the profiles of other users subject to access permissions by using the user interface for Oracle Identity Manager administration. This allows administrators to create and edit user profiles, change passwords of users, and perform other delegated administration tasks.
Oracle Identity Self Service also enables users to create provisioning requests for resources with fine-grained entitlements, profile management requests, and role membership requests. The items to be requested can be selected from a Web-based catalog interface. Business approvers, such as team leaders, line managers, and department heads, can use the same Web-based interface to examine and approve incoming requests. This helps organizations in reducing effort and cost.
Oracle Identity Manager features a highly flexible security framework that supports delegation of most administrative functions to any group or user. By moving administration points as close to the user as possible, an organization can achieve tighter control and better security, increasing productivity at the same time.
Password management is one of the foremost issues in organizations nowadays. Implementing a password management solution reduces cost and overhead related to raising tickets or calling help desks. The password management features of Oracle Identity Manager discussed in this section aim to help organizations in this area.
Self-Service Password Management
Users can manage their own enterprise passwords, which might then be synchronized with their managed accounts depending on how the managed accounts are individually configured. The enterprise passwords are managed by using the self-service capabilities of Oracle Identity Manager. If a user forgets the password, Oracle Identity Manager can present customizable challenge questions to enable self-service identity verification and password reset. Research shows that the bulk of help desk calls are related to password reset and account lockout. By reducing the need for help desk calls, this self-service capability lowers costs.
Advanced Password Policy Management
Most best practices are supported out of the box and are configurable through an intuitive user interface. Supported password complexity requirements include: password length, alphanumeric and special characters usage, uppercase and lowercase usage, full or partial exclusion of user name, minimum password age, and historical passwords. Oracle Identity Manager lets you define complex password policies that control the passwords set by users. In addition, Oracle Identity Manager allows the application of multiple policies for each resource. For instance, users with fewer privileges can be subjected to a more relaxed password policy, whereas privileged administrators can be subjected to a more stringent policy.
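The rule categories listed above, written out as a policy checker. This is an added example, not Oracle's own code or API: the policy attribute names, the default thresholds, and the hypothetical validate() function are assumptions, and the check returns every violated rule rather than stopping at the first one so the user can be told what to fix.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass
class PasswordPolicy:
    """Rule categories named on this page; the default thresholds are assumptions."""
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    exclude_username: bool = True      # full exclusion: the user name must not appear
    username_fragment_len: int = 3     # partial exclusion: no user-name fragment this long
    min_age: timedelta = timedelta(days=1)
    history_size: int = 5


def fingerprint(password: str) -> str:
    # The history list holds digests only, never cleartext passwords.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate(policy: PasswordPolicy, username: str, password: str,
             history: list, last_change, now: datetime) -> list:
    """Return the names of every violated rule; an empty list means the password is accepted."""
    errors = []
    if len(password) < policy.min_length:
        errors.append("min_length")
    if policy.require_upper and not any(c.isupper() for c in password):
        errors.append("uppercase")
    if policy.require_lower and not any(c.islower() for c in password):
        errors.append("lowercase")
    if policy.require_digit and not any(c.isdigit() for c in password):
        errors.append("digit")
    if policy.require_special and not any(not c.isalnum() for c in password):
        errors.append("special")
    pw, user, n = password.lower(), username.lower(), policy.username_fragment_len
    if policy.exclude_username and user and user in pw:
        errors.append("username_full")
    elif n and any(user[i:i + n] in pw for i in range(len(user) - n + 1)):
        errors.append("username_partial")
    # Minimum age: last_change is None for a first-time password
    if last_change is not None and now - last_change < policy.min_age:
        errors.append("min_age")
    if fingerprint(password) in history[-policy.history_size:]:
        errors.append("history")
    return errors
```

A stricter policy for privileged administrators, as the text suggests, is just a second PasswordPolicy instance with higher thresholds selected per resource.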
Oracle Identity Manager can synchronize or map passwords across managed resources and enforce differences in password policies among these resources. In addition, if an organization is using the desktop-based password reset feature of Microsoft Windows, the Active Directory (AD) connector of Oracle Identity Manager can intercept password changes at the AD server and subsequently propagate these changes to other managed resources in accordance with policies. Similar bidirectional password synchronization capability is offered in most Oracle Identity Manager connectors for directory servers and mainframes.
Provisioning provides outward flow of user information from Oracle Identity Manager to a target system. Provisioning is the process by which an action to create, modify, or delete user information in a resource is started from Oracle Identity Manager and passed into the resource. The provisioning system communicates with the resource and specifies changes to be made to the account.
Provisioning includes the following:
Automated user identity and account provisioning: This manages user identities and accounts in multiple systems and applications. For example, when an employee working in the payroll department is created in the human resources system, accounts are also automatically created for this user in the e-mail, telephone, accounting, and payroll reports systems.
Workflow and policy management: This enables identity provisioning. Administrators can use interfaces provided by provisioning tools to create provisioning processes based on security policies.
Reporting and auditing: This enables creating documentation of provisioning processes and their enforcement. This documentation is essential for audit, regulatory, and compliance purposes.
Attestation: This enables administrators to confirm users' access rights on a periodic basis.
Access deprovisioning: When the access for a user is no longer required or valid in an organization, Oracle Identity Manager revokes access on demand or automatically, as dictated by role-based or attribute-based access policies. This ensures that a user's access is promptly terminated where it is no longer required, which minimizes security risk and avoids paying for access to costly resources, such as data services.
An organization entity represents a logical container of other entities such as users, roles, and policies in Oracle Identity Manager. In other words, organizations are containers that can be used for a delegated administration model. In addition, organizations define the scope of other Oracle Identity Manager entities, such as users. Oracle Identity Manager supports a flat organization structure or a hierarchical structure, which means that an organization can contain other organizations. The hierarchy can represent departments, geographical areas, or other logical divisions for easier management of entities.
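The organization-scoping rule described earlier (an entity is published to a set of organizations, and only users in those organizations can receive access) combined with the organization hierarchy described in this paragraph, as an added model that is not Oracle's code. The class names, the `include_sub_orgs` flag on a publication, and the sample organizations are assumptions; with the flag off, a user in a child organization does not see an entity published only to the parent.

```python
class OrgTree:
    """Hierarchical organizations: each org knows its parent (None at the top)."""

    def __init__(self):
        self.parent = {}

    def add(self, org, parent=None):
        if parent is not None and parent not in self.parent:
            raise ValueError(f"unknown parent organization {parent!r}")
        self.parent[org] = parent

    def ancestors(self, org):
        """Yield the org itself, then each enclosing org up to the top level."""
        while org is not None:
            yield org
            org = self.parent[org]


class RequestCatalog:
    """Entities published to organizations; users are scoped by their home org."""

    def __init__(self, tree):
        self.tree = tree
        self.publications = {}   # entity -> {org: include_sub_orgs}
        self.user_org = {}       # user -> home organization

    def add_user(self, user, org):
        self.user_org[user] = org

    def publish(self, entity, org, include_sub_orgs=False):
        # include_sub_orgs is an assumed flag: also expose the entity below this org
        self.publications.setdefault(entity, {})[org] = include_sub_orgs

    def can_request(self, user, entity):
        """Access is granted only via the user's own org or a hierarchy-aware ancestor."""
        pubs = self.publications.get(entity, {})
        home = self.user_org[user]
        if home in pubs:
            return True
        return any(pubs.get(anc, False) for anc in self.tree.ancestors(home) if anc != home)

    def visible_entities(self, user):
        """What this user would see when searching the catalog."""
        return sorted(e for e in self.publications if self.can_request(user, e))
```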
Roles are logical groupings of users to whom you can assign access rights within Oracle Identity Manager, provision resources automatically, or use in common tasks such as approval and attestation. Roles can be independent of organizations, span multiple organizations, or can contain users from a single organization.