Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager, 11g Release 1 (11.1.1), E14568-08, Oracle Corporation, 2014

Part XIII

Troubleshooting

This part provides information for troubleshooting symptoms and gives solutions to the difficulties you may experience.


L Rule and Fingerprint Logging

You can enable logging to help troubleshoot problems or test rules. In rule logging, rows are written to the VR_RULE_LOGS table.

In Oracle Adaptive Access Manager, rule logs are captured during the execution of various policies and rules at the different checkpoints (such as Pre-Authentication, Post-Authentication, and others).

Oracle Adaptive Access Manager supports two rule logging options: fingerprint rule logging and detailed rule logging, described in Section L.1.

Time taken values are performance statistics: the length of time that the rule or policy took to execute.


Note:

On a production machine, you want to manage the amount of time logging is enabled since increasing the amount of logging may negatively affect performance.


L.1 About Rule Logging

Rule logging records the required rule processing information so that the Administrator can monitor the required information from a user session. Rule log details are captured in the VR_RULE_LOGS table while executing various policies and rules at different checkpoints.

L.1.1 Fingerprint Rule Logging

Fingerprint rule logging records the policies and rules that were executed. Fingerprint-based logs are a shorter version of the rule logs; they do not include alert sources and per rule time, and so on. Fingerprint based logging is done to minimize data growth and also keep the logging overhead to a minimum. The fingerprint is a digest of a set of rules that were triggered. When a set of rules is triggered, a digest of the triggered rules is created and persisted in the database. The next time the same set of rules is triggered, the digest is reused and persisted so that the new session will have the same digest now for the runtime. When fingerprint logging is performed, the time required for the rule and policy execution is not captured and displays as -1 or N/A in the Session Details page. Fingerprint rule logging is enabled by default.

L.1.2 Detailed Rule Logging

Detailed rule logging captures the rules that were executed and the length of time that each rule or policy took to execute. The execution time is used as a performance statistic. Detailed rule logs are created only if the execution time is more than a threshold value that you have configured. On a production machine, you want to manage the threshold at which detailed logging starts, since increasing the amount of logging may negatively affect performance. Because details are logged only for the rules (runtimes) that have a long execution time, the logging overhead is reduced.

If a runtime takes an unusual amount of time, you might want to run detailed rule logging so that you can analyze why the rule took so long to run. Fingerprint logging does not capture timing information, and timing is an important factor in troubleshooting a "slow" runtime. In detailed logging, by default, only the rules that triggered are logged, together with their timing. Untriggered rules are not logged unless you specify that you want to capture them as well. Untriggered rules are captured in fingerprint rule logging.

L.1.3 Status Columns in the VR_RULE_LOGS Table

The VR_RULE_LOGS table enables administrators to view the status of the rules. This information can be used for troubleshooting rules.

The status column values are explained in this section.

0 = notfired

The rule was tested but the conditions were not satisfied, so the rule was not triggered.

Rule logs are not always created for notfired status. There are properties that control whether the notfired status is shown or not.

If vcrypt.tracker.rules.trace.notTriggered is set to false, then rule logs for the notfired status are never created.

The property vcrypt.tracker.rules.trace.notTriggered.logMillis contains a threshold in milliseconds. If the rule executed in fewer milliseconds than this threshold, then the rule log will not be created.

If you want to always log notfired status rules, then set vcrypt.tracker.rules.trace.notTriggered to true and set vcrypt.tracker.rules.trace.notTriggered.logMillis to 0.

If you never want to log notfired status rules, then set vcrypt.tracker.rules.trace.notTriggered to false.

If you only want to log notfired status rules that take longer than a certain amount of time to test the conditions, then set vcrypt.tracker.rules.trace.notTriggered to true and set vcrypt.tracker.rules.trace.notTriggered.logMillis to the threshold millisecond value that you want.

1 = fired

The rule was tested and the conditions were satisfied, so the rule was triggered.

2 = override

This status is not used currently.

3 = error

An internal error occurred while testing this rule. Check the logs for more details.

Status 4-8

These statuses all deal with preconditions. If the rule was not tested because preconditions were set up to exclude the device, city, state, country, or group, then the rule log shows the status that matches the precondition.

4 = deviceScoreExclude

5 = cityScoreExclude

6 = stateScoreExclude

7 = countryScoreExclude

8 = groupExclude

99 = unknown

You should never have a rule log with this status.

L.2 Rule Logging Properties

Table L-1 shows the rule logging configuration properties.

Table L-1 Rule Logging Properties

Property: vcrypt.tracker.rules.trace.policySet
Value: True/False
Description: Enables rule logging.

Property: vcrypt.tracker.rules.trace.policySet.checkpoint
Value: True/False
Description: Enables rule logging for a specific checkpoint. The variable checkpoint in the property name corresponds to the checkpoint (for example, postauth). If the logging configuration is explicitly set at the given checkpoint, the Rules Engine uses that value; otherwise, it uses the value of vcrypt.tracker.rules.trace.policySet.

Property: vcrypt.tracker.rules.trace.policySet.min.ms
Value: 1000 (milliseconds)
Description: Specifies when to perform rule logging. You must configure this property to enable rule logging. Logging is performed only if the total time taken for the runtime is greater than this value; with the value 1000, the rules of a runtime are logged only if the total time taken is more than 1000 ms.
Value: -1
Description: If you are unable to see the rule logs in the Session Details page with the above value, change it to -1.

Property: vcrypt.tracker.rules.trace.notTriggered
Value: False
Description: If set to true, untriggered rules are logged along with the triggered rules.

Property: vcrypt.tracker.rules.trace.notTriggered.logMillis
Description: Narrows down which rules are logged. If the execution time of an untriggered rule exceeds the value specified, then the untriggered rule is logged.

Property: vcrypt.tracker.rulelog.detailed.minMillis
Value: 2000
Description: Determines the minimum time required for detailed logging. You can configure rule logging such that detailed rule logs are created only if the execution time is more than this threshold. That way, details are logged only for the rules (runtimes) with long execution times, and the overhead of detailed logging is reduced. By default, the Session Details page does not display the trigger sources if the execution time for alerts is less than 2000 milliseconds (2000 ms), since detailed logging depends on the execution time.

Property: vcrypt.tracker.rulelog.fingerprint.enabled
Value: True/False
Description: Enables fingerprint logging.

Property: vcrypt.tracker.rulelog.exectime.maxlimit
Description: Determines whether fingerprint or detailed logging runs. If the value is exceeded, detailed logging is performed. Both are run if the property is set to -1.


L.3 Enabling Rule Logging

Enable rule logging by using the Properties editor. The steps are as follows:

  1. Log in to the OAAM Admin Console.

  2. In the Navigation pane, double-click Properties under the Environment node. The Properties Search page is displayed.

  3. Enter vcrypt.tracker.rules.trace.policySet in the Name field and click Search.

    You should see the property in the Search Results section.

  4. Click to select the property in the Search Results section.

  5. In the vcrypt.tracker.rules.trace.policySet details section, enter true in the Value field.

  6. Click Save.

    A confirmation dialog is displayed.

  7. Click OK to dismiss the dialog.

  8. If the property does not exist, from the Properties Search page, click the New Property button or Create new Property icon.

    A New Property dialog is displayed.

  9. In the New Property dialog, type in the property name and value.

  10. Click Create.

L.4 Enabling Rule Logging for a Specific Checkpoint

Enable rule logging for a specific checkpoint by using the Properties editor. The steps are as follows:

  1. Log in to the OAAM Admin Console.

  2. In the Navigation pane, double-click Properties under the Environment node. The Properties Search page is displayed.

  3. From the Properties Search page, click the New Property button or Create new Property icon.

    A New Property dialog is displayed.

  4. In the New Property dialog, type in vcrypt.tracker.rules.trace.policySet.checkpoint in the Name field.

  5. Enter true in the Value field and click Create.

To illustrate how rule logging for checkpoints is controlled by property combinations, a matrix is shown below. The Post-Authentication checkpoint is used to illustrate the checkpoint rule logging flow.

The flow is as follows:

  1. The Rules Engine checks for a configuration for vcrypt.tracker.rules.trace.policySet.postauth.

  2. If there is no configuration for vcrypt.tracker.rules.trace.policySet.postauth, the Rules Engine checks the configuration value of vcrypt.tracker.rules.trace.policySet.

If the logging configuration is explicitly set at the given checkpoint, the Rules Engine uses that value; otherwise, it uses the value of vcrypt.tracker.rules.trace.policySet.

The following matrix shows an example of how value combinations control logging for a specified checkpoint.

In the matrix, postauth stands for vcrypt.tracker.rules.trace.policySet.postauth and global for vcrypt.tracker.rules.trace.policySet.

  postauth   global     Checkpoint rule logging enabled?
  true       false      yes
  true       true       yes
  true       not set    yes
  false      false      no
  false      true       no
  false      not set    no
  not set    false      no
  not set    true       yes
  not set    not set    yes
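The fallback order shown in the matrix, as an added example that is not part of this guide and not OAAM's own code: a small Python model that parses a properties file into a dictionary, resolves the effective setting for a checkpoint, and lists the checkpoints whose logging is off (the blind spots you would otherwise discover only when a session shows no rule logs). The property names are the guide's; the parser, the preauth suffix, the audit helper and the sample properties are assumptions for illustration.

```python
# Added example, not OAAM code: models the checkpoint rule-logging fallback that
# the guide's matrix describes. Property names are the guide's; everything else
# is an assumption for illustration.

BASE = "vcrypt.tracker.rules.trace.policySet"


def parse_properties(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def as_bool(value):
    """The guide documents true/false values; anything else is a configuration error."""
    normalized = value.strip().lower()
    if normalized == "true":
        return True
    if normalized == "false":
        return False
    raise ValueError(f"expected true or false, got {value!r}")


def checkpoint_logging_enabled(props, checkpoint):
    """Effective rule-logging setting for one checkpoint (suffix such as 'postauth').

    Precedence, as in the guide's matrix:
      1. the checkpoint-specific property, if explicitly set;
      2. otherwise the global property, if set;
      3. otherwise enabled (matrix row: not set / not set -> yes).
    """
    specific = props.get(f"{BASE}.{checkpoint}")
    if specific is not None:
        return as_bool(specific)
    global_value = props.get(BASE)
    if global_value is not None:
        return as_bool(global_value)
    return True


# The nine rows of the guide's matrix: (postauth value, global value, enabled?).
MATRIX = [
    ("true", "false", True), ("true", "true", True), ("true", None, True),
    ("false", "false", False), ("false", "true", False), ("false", None, False),
    (None, "false", False), (None, "true", True), (None, None, True),
]


def matrix_holds():
    """Check the model against every row of the matrix; True when all rows agree."""
    for specific, global_value, expected in MATRIX:
        props = {}
        if specific is not None:
            props[f"{BASE}.postauth"] = specific
        if global_value is not None:
            props[BASE] = global_value
        if checkpoint_logging_enabled(props, "postauth") != expected:
            return False
    return True


def audit_checkpoints(props, checkpoints):
    """Return the checkpoints whose rule logging is off, so sessions at those
    checkpoints will show no rule logs when you troubleshoot them."""
    return [cp for cp in checkpoints if not checkpoint_logging_enabled(props, cp)]


# Constructed properties: global logging off, Post-Authentication explicitly on.
# 'preauth' as the Pre-Authentication suffix is an assumption, not from the guide.
SAMPLE_PROPERTIES = """
# constructed sample, not a real OAAM configuration
vcrypt.tracker.rules.trace.policySet=false
vcrypt.tracker.rules.trace.policySet.postauth=true
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("matrix holds:", matrix_holds())
    print("logging disabled for:", audit_checkpoints(props, ["preauth", "postauth"]))
```

With the constructed sample, `audit_checkpoints` reports that Pre-Authentication logging is off even though Post-Authentication is on, which is the situation the matrix's "false / true" rows describe.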


L.5 Enabling Logging of Untriggered Rules

To configure rule logging to log untriggered rules, use the Properties editor to set the following properties:

vcrypt.tracker.rules.trace.notTriggered=[true|false]
vcrypt.tracker.rules.trace.notTriggered.logMillis=[millis]

The value of vcrypt.tracker.rules.trace.notTriggered adds rules to log. If set to true, rules that are not triggered are logged along with the triggered rules.

The value of vcrypt.tracker.rules.trace.notTriggered.logMillis narrows down which rules are logged.

If the rule execution for untriggered rules exceeds the value of vcrypt.tracker.rules.trace.notTriggered.logMillis, only then will the Rules Engine log the untriggered Rules.

The following table shows the property values that control rule logging for untriggered rules.

In the table, notTriggered stands for vcrypt.tracker.rules.trace.notTriggered and logMillis for vcrypt.tracker.rules.trace.notTriggered.logMillis.

  notTriggered   logMillis   Result
  true           n           Logs the untriggered rules that took more than "n" milliseconds. If "n" is set to a negative value, all untriggered rules are logged.
  false          n           None of the untriggered rules are logged.


L.6 Enabling Detailed Logging

Configure the minimum time required for detailed logging so that details are logged for rules (runtimes) that have long execution times. Detailed rule logs are created only if the execution time is more than a threshold.

  1. In the Navigation tree, double-click Properties under Environment.

  2. Enter vcrypt.tracker.rulelog.detailed.minMillis in the Name field and click Search.

  3. In the Results table, select vcrypt.tracker.rulelog.detailed.minMillis.

  4. In the Details vcrypt.tracker.rulelog.detailed.minMillis section, edit the value in the Value field.

  5. Click Save.

    A confirmation dialog is displayed.

  6. Click OK to dismiss the dialog.

If a policy takes more than the "n" milliseconds specified, Oracle Adaptive Access Manager starts detailed rule logging.

L.7 Enabling Fingerprint Rule Logging

To enable or disable fingerprint rule logging, modify the following property using the Property editor:

vcrypt.tracker.rulelog.fingerprint.enabled=true

L.8 Other Fingerprint and Detailed Logging Properties

Properties can be set for

  • Running either fingerprint or detailed logging

  • Running both fingerprint and detailed logging, and when to do so

  • Fingerprint logging threshold

Specify Whether Fingerprint or Detailed Logging Runs

To set a property to determine if fingerprint or detailed logging runs, set

vcrypt.tracker.rulelog.exectime.maxlimit

If the value is exceeded, detailed logging is performed.

Specify to Include Other Limits

To include all specified properties in determining the use of both, set

vcrypt.tracker.rulelog.exectime.maxlimit=-1

Specify Not to Use Both

To specify to perform logging with both logging mechanisms (detailed and fingerprint), set

vcrypt.tracker.rulelog.logBoth

to true. The value overrides vcrypt.tracker.rulelog.exectime.maxlimit.
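The per-rule decisions described in Section L.1.3, Section L.5 and this section, as an added example that is not part of this guide and not OAAM's own code: a Python model of whether an untriggered rule produces a row at all, which mechanism (fingerprint, detailed or both) records a logged rule, and whether a policy's execution time meets the detailed-logging threshold. The property names are the guide's; the comparison directions, the defaults used when a property is missing (in particular treating a missing exectime.maxlimit as -1), the rule names and the timings are assumptions for illustration. The guide does not specify how the detailed threshold and the maxlimit interact, so the model keeps them as separate checks.

```python
# Added example, not OAAM code: a model of the per-rule logging decisions the
# guide's properties describe. Property names are the guide's; comparison
# directions and missing-property defaults are assumptions drawn from its wording.

NOT_TRIGGERED = "vcrypt.tracker.rules.trace.notTriggered"
NOT_TRIGGERED_MS = "vcrypt.tracker.rules.trace.notTriggered.logMillis"
FINGERPRINT = "vcrypt.tracker.rulelog.fingerprint.enabled"
LOG_BOTH = "vcrypt.tracker.rulelog.logBoth"
MAX_LIMIT = "vcrypt.tracker.rulelog.exectime.maxlimit"
DETAILED_MIN = "vcrypt.tracker.rulelog.detailed.minMillis"


def prop_bool(props, key, default):
    return props[key].strip().lower() == "true" if key in props else default


def prop_int(props, key, default):
    return int(props[key]) if key in props else default


def untriggered_rule_logged(props, exec_ms):
    """Is a row written for a rule whose conditions were not satisfied (status 0)?"""
    if not prop_bool(props, NOT_TRIGGERED, False):  # guide default: False
        return False
    threshold = prop_int(props, NOT_TRIGGERED_MS, 0)
    # Negative n: every untriggered rule is logged. Otherwise a rule that ran in
    # fewer milliseconds than the threshold produces no row (logMillis=0 logs all).
    return threshold < 0 or exec_ms >= threshold


def logging_mechanism(props, exec_ms):
    """'both', 'detailed', 'fingerprint' or 'none' for a rule that is being logged.

    logBoth=true overrides exectime.maxlimit; maxlimit=-1 also selects both;
    otherwise exceeding maxlimit selects detailed, else fingerprint. A missing
    maxlimit is treated as -1 (assumption). Fingerprint output additionally
    requires fingerprint.enabled (guide default: enabled).
    """
    fingerprint_on = prop_bool(props, FINGERPRINT, True)
    max_limit = prop_int(props, MAX_LIMIT, -1)
    if prop_bool(props, LOG_BOTH, False) or max_limit == -1:
        return "both" if fingerprint_on else "detailed"
    if exec_ms > max_limit:
        return "detailed"
    return "fingerprint" if fingerprint_on else "none"


def detailed_threshold_met(props, policy_ms):
    """Detailed rule logs are created only when the policy ran longer than minMillis."""
    return policy_ms > prop_int(props, DETAILED_MIN, 2000)  # guide default: 2000


def rule_log_report(props, executions):
    """For constructed (rule, fired, exec_ms) tuples, say what the model expects."""
    report = []
    for name, fired, exec_ms in executions:
        logged = fired or untriggered_rule_logged(props, exec_ms)
        mechanism = logging_mechanism(props, exec_ms) if logged else "not logged"
        report.append((name, mechanism))
    return report


# Constructed configuration: untriggered rules are logged only if they were slow,
# and rules over 1000 ms get detailed logging.
SAMPLE_PROPS = {
    NOT_TRIGGERED: "true",
    NOT_TRIGGERED_MS: "500",
    MAX_LIMIT: "1000",
    DETAILED_MIN: "2000",
}

# Constructed rule executions: (rule name, conditions satisfied?, execution ms).
SAMPLE_EXECUTIONS = [
    ("Restricted IPs", True, 40),
    ("New device for user", False, 120),
    ("Velocity check", False, 900),
    ("Slow lookup", True, 3500),
]

if __name__ == "__main__":
    for name, mechanism in rule_log_report(SAMPLE_PROPS, SAMPLE_EXECUTIONS):
        print(f"{name:22s} -> {mechanism}")
```

Under the constructed configuration the 120 ms untriggered rule leaves no row, which is the behaviour to remember when a rule you expected to see is missing from VR_RULE_LOGS: check notTriggered and logMillis before suspecting the rule itself.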

Configuring Fingerprint Logging Threshold Time

To modify the threshold time after which fingerprint rule logging should be used, set the following property in milliseconds:

vcrypt.tracker.rulelog.exectime.maxlimit=

L.9 Archiving and Purging Rule Log Data

The OAAM archive and purge script archives and purges all rule log data that is 30 days old; set the value based on your customer care requirements. If the reporting database is used, rule logging data retention should be less than 30 days.

Table L-2 Rules and Policy Log Data Tables

  Rules, Policy Log Table   Corresponding Archived Table
  VR_POLICYSET_LOGS         VR_POLICYSET_LOGS_PURGE
  VR_RULE_LOGS              VR_RULE_LOGS_PURGE
  VR_MODEL_LOGS             VR_MODEL_LOGS_PURGE
  VR_POLICY_LOGS            VR_POLICY_LOGS_PURGE



12 Managing Groups

Groups are collections of like items, gathered together to simplify configuration work.

This chapter introduces you to the concept of groups and the different types of groups used in Oracle Adaptive Access Manager, and provides information on creating groups and editing group memberships, and group details. It also provides details on importing and exporting groups.

12.1 About Groups

As the security administrator, you must configure rules for actions and alerts, and rule conditions for users, locations and IPs, and so on.

For example, to create a rule "Restricted IPS," you must add a condition to find out if the user IP used for login is in the list of restricted IPs configured. The restricted IPs are grouped together as RestrictedIPSGroup of type IP and the rule condition uses this group.

12.2 Group Types

The following types of groups are available:

Table 12-1 Group Types

Type / Description

ASN

This group holds ASNs. Autonomous System numbers (ASNs) are globally unique identifiers for Autonomous Systems. An Autonomous System (AS) is a group of IP networks having a single clearly defined routing policy, run by one or more network operators.

Actions

This group holds the different out-of-the-box actions.

An action is an event activated when a rule is triggered. For example, block access, challenge question, ask for PIN or password, and so on.

This is an enum group type.

Alerts

This group contains four kinds of alerts with four levels of severity.

An alert is a message generated when a rule is triggered. For example, "login attempt from a new country for this user."

Kinds of alerts are Fraud, Customer Care, Information, and Investigation.

Alert levels are Low, Medium, High, and Info.

Alerts are a special enum group type.

Authentication Status

This group contains the status of the user when logging in.

This is an enum group type.

Cities

This group contains cities. For example, Presque Isle, Alakanuk, Chattahoochee, and so on.

Connection Speed

This group contains the internet connection speeds or bandwidths (high, medium, low).

This is an enum group type.

Connection Type

This group contains connection types. Common connection types to the internet are Optical, T1/T3, Satellite, Cable, ISDN, Wireless, and so on.

This is an enum group type.

Countries

This group contains countries. For example, black-listed countries.

Devices

This group contains device IDs. Device IDs are unique identifications for devices such as PDAs, cell phones, kiosks, and so on. For example, black-listed devices.

Generics

This group contains members related to string, integer, or long number information.

Generic Longs

This group contains long numbers. For example, stolen Social Security numbers, credit card numbers, or MAC addresses.

Generic Strings

This group contains generic strings. For example, if you wanted to permit anyone who has a variation of Smith to log in (Smithson, Smithberg, Smithstein, and so on), then you could define a prefix string of "Smith" for comparison. Another example: if you want to block anyone from Pennsylvania, Transylvania, Spotsylvania, and so on, from logging in, you can define a suffix string.

IP Carriers

This group contains carriers of Internet Protocol (IP) traffic.

IP Ranges

This group contains a range of IPs.

IPs

This group contains the IP addresses of the users.

Addresses may map to locations, although some addresses are unknown or private (for example, 10.0.0.1).

ISP

This group contains Internet Service Providers. Examples of ISPs are Comcast, Verizon, AOL, and so on.

User Name

This group contains login names of users. It is set up by the user. For example: "Bob" is the login and the user is "xyz123."

User name may not be unique across applications. The unique combination would be the Organization ID with the user name.

Routing Type

This group contains routing types. Examples of routing types are POP, Satellite, Anonymizer, International, and so on.

This is an enum group type.

Second-level Domains

This group contains second-level domain names.

A second-level domain is a domain directly below a top-level domain (TLD). Second-level domains commonly refer to the organization that registered the domain name.

Second-level domain names can be used to pass and block whole sites such as *.example.org or entire intranet levels such as *.sales.* or *.admin.*

States

This group contains states. For example, black-listed states.

Top-level Domains

This group contains top-level domain names (the last part of an Internet domain name, that is, the letters that follow the final dot of any domain name).

Top-level domain names can be used to pass and block whole countries, for example, .uk, .ru, or .ca, and entire communities, for example, .mil, .info, .gov, or .edu.

Transaction Status

This group contains the status of the user when a transaction is being performed.

This is an enum group type.

User ID

This group contains User IDs. The customer uses a scheme to uniquely identify users.

The User ID may not be unique across applications. The unique combination would be the Organization ID with the User ID.

A special type of group is the Organization ID. Organization ID is a primary user group. A flag is set so that when users log in from the application, they are autopopulated into the group if they are not already members. You can use members of that group to scope policies.


12.3 Group Usage

Groups are used in the following items:

  • Policies

    A policy is linked either to a User ID group or to all users; the members of that user group (or all users) are then evaluated against the policy.

    The Policy Tree shows the linking of User ID groups to policies.

  • Rules within policies

    OAAM Admin applies rules on specified users, devices, or location groups to evaluate whether a fraud scenario occurred and to determine an outcome.

    A rule can trigger an action group, or an alert group, or both.

  • Conditions

    Some conditions use groups as a parameter type. For example, IP in IP Group. The condition takes IP Group name / IP as a parameter.

  • Trigger combinations

    Alerts in groups are specified in the trigger combination.

  • Pre-condition

    User groups can be excluded in a policy.

  • Configurable Actions

    Members of a User ID group can be added to a User ID group dynamically using configurable actions.

12.4 User Flows

In the create and edit user flow, you always begin by searching for a group and then viewing its details before deciding whether to update group membership, edit group details, or edit group members, or whether to define a new group.

As an example user flow, the group creation flow is shown in Figure 12-1.

Figure 12-1 Group Creation Flow

This figure illustrates the group creation flow.

12.5 Navigating to the Groups Search Page

From the Groups Search page, you can search, view, create, import, export, and delete groups.

To open the Groups Search page:

  1. Log in to OAAM Admin.

  2. From the Navigation tree, select Groups. The Groups Search page is displayed.

    Alternative methods to open search pages are listed in Section 3.9, "Search, Create, and Import."

    The Groups Search page displays a Search section and a Search Results table that shows a summary of the groups that match your search criteria.

    Figure 12-2 Groups Search page

    The Group Search page is shown.

12.6 Searching for a Group

When the Groups Search page first appears, the Search Results table is empty. You must press Search to see a list of groups in the Oracle Adaptive Access Manager environment.

In the Groups Search page, you can search for a specific group you are interested in by using the specific criteria in the search filter.

To search for a group:

  1. Navigate to the Groups Search page, as described in Section 12.5, "Navigating to the Groups Search Page."

  2. Specify criteria to locate the group and click Search.

    Clicking Reset instead of Search resets the search criteria.

    Search parameter values are not required. If you choose to leave the fields blank, all groups are displayed in your search results.

The search filters are described in Table 12-2.

Table 12-2 Groups Search Filter Criteria

Filters and Fields / Descriptions

Group Name

Name of the group. You can enter the complete name or part of a group name. For example, if you enter new, any group with new in any part of its name is displayed.

Cache Policy

Groups offer two Cache Policy options: Full Cache or None.

The "Full Cache" option caches group contents in server memory for the lifetime of the server. Static lookup groups and read-only groups are good candidates for the "Full Cache" option. Administrators must be careful using this option as it uses server memory. A long list of elements can have an adverse effect since groups are re-cached if there are changes to the list.

The "None" Cache Policy option does not use cache and consults the database every time. Device group types are set to "None" because in most cases, they are dynamic and manipulated while the server is running. If you have groups that stay static for the lifetime of the server, you can use the "Full Cache" option instead of "None."

Group Type

Category to which the group belongs. The types are listed in Table 12-1.


The groups that are displayed are those that match the criteria specified in the Group Name, Group Type, and Cache Policy fields.

The option to sort is provided on every column in the Search Results table.

Each group has a name. If the description is too long to be fully shown, you can place the mouse over the text to see the entire description.

In the Search Results table, click the hyperlinked group name of the group you are interested in to view more details.

12.7 Viewing Details about a Group

The Group Details page has Summary, Members, and Usage tabs.

To view details about a group:

  1. Navigate to the Groups Search page, as described in Section 12.5, "Navigating to the Groups Search Page."

  2. Enter the name of the group in the Group Name field and click Search.

  3. Click the group name to view the Group Details page for that group.

    The Summary tab shows general information about the group, such as the name, type, cache policy, and description of the group.


    Note:

    You cannot change the group type in the Group Details page.


  4. From the members tab, you can add members to the group or select members of the group to remove.

    The members tab is labeled with the data type the group contains. For example, a User ID group has a member tab labeled User ID.

    The members tab shows all the members of the group. The members tab typically shows member name/ ID, description, and any other critical attributes of members. The exact information differs depending on the group type.


    Note:

    You cannot edit existing Action elements and their properties.


  5. From the Usage tab, you can view all the different locations a group is used (conditions, overrides, configurable actions and so on) in a hierarchical fashion. If the group is not used, you are not able to access the tab.

    You can view the details of any node in the usage tree. For example, when you click Rule A above Precondition xyz, the right hand side panel shows brief details about Rule A and you can view additional details, if needed.

  6. To view details about the entity that the group is used in, click its link.

    Clicking the link launches the details page of that particular item in a new tab.

12.8 Adding an Entity to a Group

You can add an entity to a group, create a group and add the entity to it, or remove an entity from a group, using the Add to Group button on details pages.

The Add to Group feature is described below:

Table 12-3 Add to Group

Feature / Description

Add entity to entity group

You can select an entity group from a list of entity groups with which the entity is not already associated and add the entity to it. A User Group can be either a User ID or User Name group type.

An entity cannot be added to the same entity group multiple times with the exception of the alert.

An alert can be added to an Alert Group multiple times, since whenever an alert is added to an Alert Group, a new instance of the existing alert is created and added to the group.

Create a new entity group and add entity to the newly created group.

You can create a new entity group and add the entity to it. A user group can be of either User ID or User Name group type.

Remove entity from entity group

You can select multiple entity groups with which it is already associated and remove the entity from the selected groups. Note: Removing users from Organization ID is not recommended.


12.9 Group Characteristics

The following table shows a summary of group characteristics.

The Group column shows the type of groups available in the system.

The Group Member Type column shows whether the record is a primitive type (long, string, and integer) or a structured type. An example of a structured type is Actions, which has name, ID, and message.

The Cache column shows the cache option that is recommended for the group.

The Create column shows whether the group can be created using the user interface for groups.

The Edit column shows whether the group can be edited using the user interface for groups.

Table 12-4 Summary of Group Characteristics

  #   Group                                             Group Member Type       Cache   Create   Edit
  1   Actions                                           Struct                  Yes     No       No
  2   Authentication Status                             Long                    Yes     No       No
  3   Connection type                                   Long                    Yes     No       No
  4   Connection speed                                  Long                    Yes     No       No
  5   Routing Type                                      String                  Yes     No       No
  6   Transaction Status                                Struct                  Yes     No       No
  7   Alerts                                            Struct                  Yes     Yes      Yes
  8   Generic Integers, Generic Strings, Generic Long   Integer, String, Long   Yes     Yes      Yes
  9   ASN                                               String                  Yes     Yes      Yes
  10  IP Carriers                                       String                  Yes     Yes      Yes
  11  Top-level Domains                                 String                  Yes     Yes      Yes
  16  Second-level Domains                              String                  Yes     Yes      Yes
  12  Cities                                            String                  Yes     No       No
  13  Countries                                         String                  Yes     No       No
  14  States                                            String                  Yes     No       No
  15  ISPs                                              String                  No      Yes      Yes
  17  Device ID                                         Long                    Yes     Yes      Yes
  18  IPs                                               IP                      Yes     Yes      Yes
  19  IP Ranges                                         Struct                  Yes     Yes      Yes
  20  User Name                                         String                  Yes     Yes      Yes
  21  UserId groups                                     String                  Yes     Yes      Yes


12.10 Creating a Group

The process for creating a group involves:

  1. Defining a Group

  2. Adding Members to a Group

12.10.1 Defining a Group

The same group name cannot exist across the group types. For example, if an action group called "Block" exists, you cannot create a user name group called "block".

The steps for defining a group are:

Group Name and Group Type are required fields.

  1. In the Navigation tree, double-click Groups. The Groups Search page is displayed.

  2. From the Groups Search page, click the New Group button or icon.

    Alternative methods to open create pages are listed in Section 3.9, "Search, Create, and Import."

    The Create Group screen is displayed.

  3. In the Create Group screen, enter a group name and description.

    The group name must be unique.

  4. From the Group Type list, select a group type.

    The types are listed in Table 12-1

    Figure 12-3 Create Group screen

    The Create Group dialog is shown.

  5. Set the cache policy to Full Cache or None.


    Note:

    ISP groups cannot be cached.


  6. Click OK to create the group or Cancel to disregard the changes.

    If you click OK, a new group is created.

    A confirmation dialog is displayed.

  7. Click OK to dismiss the dialog.

    The Group Details page for the new group is displayed.

    Now, you can add members to the new group.

12.10.2 Adding Members to a Group

You can add members to a new or an existing group.

Because there are multiple group types, the procedure you perform to add members to a group depends on the group type. Refer to the following tables for the appropriate procedure for the group you are creating.


Note:

When group members are added to certain group types like "blacklisted countries," they are processed automatically since the rules are pre-configured.

For example, the rule "Check if login is from a blacklisted country" is pre-configured and attached to "blacklisted countries" by default. Hence adding members to this group automatically starts rules processing.


When you search for members, the ones that are already part of your group are not available in your search results.


Note:

The server must be restarted for enum elements to take effect. Enum group types are actions, connection speed, connection type, and so on.


Create a new member to add to the group (no search/filter option)

Table 12-5 lists groups that add members without an option to search or filter.

If you are adding members to a group listed in Table 12-5, see Section 12.11, "Creating a New Element/Member to Add to the Group (No Search and Filter Options)."

Table 12-5 Create New Member (No Search Option)

  Group                                             Group Type   Member Type             Create
  Generic Integers, Generic Strings, Generic Long   Database     Integer, String, Long   Yes
  ASN                                               Database     String                  Yes
  IP Carriers                                       Database     String                  Yes
  Top-level Domains                                 Database     String                  Yes
  Second-level Domains                              Database     String                  Yes


Add members from cities, states, and countries by filtering an existing list (no creation option)

Table 12-6 lists groups that add members from cities, states, or countries by filtering an existing list to find members and then adding the members to the group. The element cannot be created for these groups.

If you are adding members to a group listed in Table 12-6, see Section 12.12, "Filtering an Existing List to Select an Element to Add to the Group (No Creation of a New Element)."

Table 12-6 Add Members by Filtering Existing (No Creation Option)

Group     | Group Type | Member Type | Create
Cities    | Database   | String      | No
Countries | Database   | String      | No
States    | Database   | String      | No


Search for existing elements or create new elements

Table 12-7 lists groups that add elements by searching existing elements or creating new elements and then adding them to the group.

If you are adding elements to a group listed in Table 12-7, see Section 12.13, "Searching for and Adding Existing Elements or Creating and Adding a New Element."

Table 12-7 Search for existing or create new elements

Group         | Group Type | Member Type | Create
ISPs          | Database   | String      | Yes
Device ID     | Database   | Long        | Yes
IPs           | Database   | IP          | Yes
IP Ranges     | Database   | Struct      | Yes
User Name     | Database   | String      | Yes
UserId groups | Database   | String      | Yes


Adding Alerts

For alerts you have the option to either search for an existing alert or create a new alert before adding it to the Alert group.

If you are adding alerts to an Alert group, see Section 12.14, "Adding Alerts to a Group."

Search and add existing elements only (No Creation)

Table 12-8 lists the groups that add members by searching for existing elements and then adding them to the group. You do not have the option to create a new element through the Groups user interface. To create a new element, you must use the Properties Editor.

If you are adding elements to a group listed in Table 12-8, see Section 12.15, "Searching for and Adding Existing Elements."

Table 12-8 Search and add existing only (no creation option)

Group                 | Group Type | Member Type | Create
Actions               | Enum       | Struct      | No
Authentication Status | Enum       | Long        | No
Connection type       | Enum       | Long        | No
Connection speed      | Enum       | Long        | No
Routing Type          | Enum       | String      | No
Transaction Status    | Enum       | Struct      | No


12.11 Creating a New Element/Member to Add to the Group (No Search and Filter Options)

The following groups add new elements/members by entering values for the elements.

  • ASN

  • Generic Integers

  • Generic Longs

  • Generic Strings

  • IP Carriers

  • Second-level Domains

  • Top-level Domains

To add an element to a group:

  1. In the Group Details page, click Add Member.

    The Add Member dialog is displayed.

  2. In the Add Member dialog, enter the values for the new member to be added to the group.

    Table 12-9 Create Parameters

    Group                                           | Create Parameters
    Generic Integers, Generic Strings, Generic Long | Value
    ASN                                             | ASN
    IP Carriers                                     | Name
    Top-level Domains                               | Name
    Second-level Domains                            | Name


  3. Click Add to add the member to the group or Cancel to disregard the changes.

    If you click Add, the member is created and added. A confirmation is displayed with the message, "The new element created successfully."

  4. Click OK.

    The Group Details page is displayed.

12.12 Filtering an Existing List to Select an Element to Add to the Group (No Creation of a New Element)

The following groups listed add members by filtering an existing list and then selecting an element to add. The element cannot be created for these groups.

  • Cities

  • States

  • Countries


Note:

To create a city, state, or country location group, you must populate the geolocation data. Geolocation data provides information about countries, states, and cities.


12.12.1 Adding a City to a Cities Group

To add cities to a cities group:

  1. In the Cities tab of the Group Details page, click Add.

    The Add Cities dialog is displayed.

  2. Select the country from the available country drop-down.

    The states of that country are made available in the states drop-down.

  3. Select the state from the available states drop-down.

    Based on the selection of the state, the cities are listed in the Available Cities table.

  4. From the Available Cities table, select one or more cities to add to the group.

  5. Click Add.

    The cities are added successfully to the group.



12.12.2 Adding a State to a States Group

To add states to a states group:

  1. In the States tab of the Group Details page, click Add.

    The Add Member dialog is displayed.

  2. Select a country.

    On selection of the available country, the available states are listed in the States table.

  3. From the Available States table, select one or more states to add to the group.

  4. Click Add.

    The states are added successfully to the group.

12.12.3 Adding a Country to a Country Group

To add countries to a countries group:

  1. In the Countries tab of the Group Details page, click Add.

    The Add Member dialog is displayed.

  2. From the Available Countries table, select one or more countries to add to the group.

  3. Click Add.

    The countries are added successfully to the group.

12.13 Searching for and Adding Existing Elements or Creating and Adding a New Element

For the following groups listed you have the option to either search for and add existing elements or create a new element to add.

  • IP Range

  • User ID

  • Devices

  • User Name

  • IP

  • Internet Service Provider

When you search for members, the ones that are already part of your group are not available in your search results.

Because the procedures for alert groups are different from the other groups listed earlier, separate sections are provided.

12.13.1 Selecting an Element to Add as a Member to the Group

To add an existing element as a member of the group, follow these steps:

  1. In the Group Details page, click Add Member.

    The Add Member page is displayed.

  2. In the Add Member page, select the "Search and select from the existing elements" option.

    Figure 12-4 Search and Select Member

    The group add members dialog is shown.
  3. Specify the filter criteria to find an element or list of elements and click Search.

    Table 12-10 Searching for Elements

    Search Filter  | Description
    Application ID | An application identifier used to look up properties based on application.
    User ID        | User's identification number
    User Name      | Login name of the user
    Device ID      | String that uniquely identifies each device and is autogenerated by the application
    IP Address     | IP address, usually mapped to a location, although some addresses are unknown or private
    Group Name     | Name of the group. You can enter the complete name or part of a group name. For example, if you enter new, any group with new in any part of its name is displayed.


  4. Select each element you want to include in the group.

  5. Click Add to add the element as a member of the group or Cancel to disregard the changes.

    If the element is added successfully, a confirmation is displayed.

  6. Click OK to dismiss the dialog.

Example 1: Adding a Device to a Group of Interest Using Groups Interface

To add an existing device to a group:

  1. Log in to the OAAM Admin Console.

  2. Double-click Groups in the Navigation tree.

  3. Search for the Device group.

  4. In the Search Results table, click the name of the Device group. The Device Details page appears.

  5. Click Members tab.

  6. Click the Add Member to this Group icon on the toolbar. The Add Devices dialog appears.

  7. Choose the Search and select from the existing Devices option and search for the Device ID.

  8. Select the Device ID and click Add.

  9. Click OK to dismiss the confirmation dialog.

Example 2: Adding an IP to a Group of Interest Using the Groups Interface

To add an existing IP to a group:

  1. Log in to the OAAM Admin Console.

  2. Double-click Groups in the Navigation tree.

  3. Search for the IP group.

  4. In the Search Results table, click the name of the IP group. The Group Details page appears.

  5. Click the IPs tab.

  6. Click the Add Member to this Group icon on the toolbar. The Add Member dialog appears.

  7. Choose the Search and select from the existing IPs option and search for the IP address.

  8. Select the IP address and click Add.

  9. Click OK to dismiss the confirmation dialog.

12.13.2 Creating an Element (Member) to Add to the Group

To create a new member and add it to the group:

  1. In the member tab of the Group Details page, click Add Member.

  2. In the Add Member page, select the "Create New Element" option.

    Figure 12-5 Add Member

    The Add Member screen is shown.
  3. Type in the values for the member.

    Table 12-11 Create Parameters

    Group         | Create Parameters
    ISPs          | NA
    Device ID     | Device ID
    IPs           | IP
    IP Ranges     | From IP, To IP, Description
    Login Ids     | Login ID
    UserId groups | User ID


  4. Click Add to create and add the new member to the group or Cancel to disregard the changes.

    If the new element was created successfully, a confirmation dialog is displayed.

  5. Click OK to dismiss the dialog.

12.14 Adding Alerts to a Group

Procedures for adding alerts to an alert group are provided in the following sections.

12.14.1 Selecting an Existing Alert to Add to the Alert Group

To select from existing alerts to add to an alert group:

  1. In the Alerts tab of the Group Details page, click Add Member.

  2. In the Add Member page, select the "Search and select from the existing elements" option.

  3. Specify the criteria for the specific alert or a list of alerts you are interested in and click Search.

    Table 12-12 Searching for Alerts

    Search Criteria | Description
    Alert Message   | Message to notify administrators
    Level           | High, Information, Low, Medium
    Type            | CSR, Fraud, Information, Investigation


  4. In the Search Results table, select the alerts you want to include in the alert group.

  5. Click Add to add the alerts to the group or Cancel to disregard the changes.

    If you click Add, the alerts are added.

    A confirmation dialog is displayed.

  6. Click OK to dismiss the dialog.

    The Group Details page is displayed with the added alerts.

When an existing alert is added to another group, a copy of the alert is added with a different unique Alert ID. If you were to change the message in one of the alerts, the change does not propagate to the other alerts.

12.14.2 Creating a New Alert to Add to the Alert Group

To create a new alert to add to the alert group:

  1. In the Alerts tab of the Group Details page, click Add Member.

  2. In the Add Member page, select the "Create new element" option.

    Table 12-13 Create Parameters for Alerts

    Group  | Create Parameters
    Alerts | Alert Type, Alert Level, Alert Message


  3. Select the alert type.

    The alert types you can select from are Fraud, Customer Care, Information, Investigation.

  4. Select the alert level.

    The alert levels to select from are Low, Medium, High, and Information.

  5. Type in the alert message in the Alert Message box.

    For example, a "High Fraud" alert may require that you notify a manager (and the customized message includes the manager's phone number), whereas an Information alert may have no message at all.

    Figure 12-6 Create an alert

    The Add Alert dialog is shown.
  6. Click Add to create and add the new alert to the alert group or Cancel to disregard the changes.

    If you click Add, the alert is added.

  7. When the confirmation dialog appears, click OK to dismiss the dialog.

12.15 Searching for and Adding Existing Elements

For the following groups listed you can only search and add existing elements to the group. You do not have the option to create a new element.

  • Authentication Status

  • Connection Type

  • Connection Speed

  • Routing Type

  • Transaction Status

  • Actions

To create or edit elements, you must use the Properties Editor.

When you search for members, the ones that are already part of your group are not available in your search results.

Because the procedure for the action group is different from the other groups listed earlier, a separate section is provided for actions.

12.15.1 Selecting an Element to Add as a Member to the Group

To add an existing element as a member of the group, follow these steps:

  1. In the Group Details page, click Add Member.

    The Add Member page is displayed.

  2. In the Add Member page, select the "Search and select from the existing elements" option.

  3. Specify the filter criteria to find an element or list of elements and click Search.

  4. Select each element you want to include in the group.

  5. Click Add to add the element as a member of the group or Cancel to disregard the changes.

    If the element is added successfully, a confirmation is displayed.

  6. Click OK to dismiss the dialog.

12.15.2 Adding Actions to an Action Group

Follow these steps for adding actions to an action group:

12.15.2.1 Selecting an Existing Action to Add to an Action Group

To search and select an action from existing actions:

  1. In the Actions tab of the Group Details page, click Add Member.

  2. In the Add Member page, select the "Search and select from the existing elements" option.

  3. Search for a specific action or a list of actions by using the Search filter and clicking Search.

    The list of actions includes actions, such as Allow, Block, Challenge, and others.

    Figure 12-7 Search for an Action

    A list of actions is shown.
  4. Select the row for each action you want to include in the group and click Add.

  5. When the confirmation dialog is displayed, click OK.

    The actions are added to the Action Group and the Group Details page displays the new action.

12.15.2.2 Creating a New Action to Add to an Action Group

You can only search and add existing actions to the Action group. To create or edit actions, you must use the Properties Editor.

The actions that you create are only intended to be used as trigger actions for configurable actions. These actions do not have any effect on applications directly.

12.16 Editing a Member of a Group

For a list of the groups in which members can be edited, see Table 12-14, "Editing a Member of a Group."

To edit a member of a group, follow these steps:

  1. Navigate to the Groups Search page, as described in Section 12.5, "Navigating to the Groups Search Page."

  2. Specify criteria in the Search filter to locate the group that contains the member you want to edit.

  3. Click Search.

  4. In the list of groups, click the name of the group that contains the member.

  5. In the Members tab, select the member and click the Edit button.

  6. In the Edit Element screen, make the appropriate modifications.

  7. Click Apply to save the changes or Revert to discard them.

Table 12-14 Editing a Member of a Group

Group                                           | Edit
Actions                                         | No
Authentication Status                           | No
Connection type                                 | No
Connection speed                                | No
Routing Type                                    | No
Transaction Status                              | No
Alerts                                          | Yes
Generic Integers, Generic Strings, Generic Long | Yes
ASN                                             | Yes
IP Carriers                                     | Yes
Top-level Domains                               | Yes
Second-level Domains                            | Yes
Cities                                          | No
Countries                                       | No
States                                          | No
ISPs                                            | Yes
Device ID                                       | Yes
IPs                                             | Yes
IP Ranges                                       | Yes
Login Ids                                       | Yes
UserId groups                                   | Yes


12.17 Removing Members of a Group

To remove members of a group:

  1. Navigate to the Groups Search page, as described in Section 12.5, "Navigating to the Groups Search Page."

  2. Specify criteria in the Search filter to locate the group with the members you want to delete.

  3. Click Search.

  4. In the Results table, select the group you want to remove members from.

    The Group Details page is displayed.

  5. In the Members tab, select members of the group you want to remove and click Delete.

    A confirmation appears, asking if you want to delete the member from the group.

  6. Click Yes.

    A dialog appears with the message that the selected member is deleted successfully.

  7. Click OK to dismiss the dialog.

12.18 Removing a User from a User Group

To remove a user from a user group:

  1. Navigate to the Groups Search page, as described in Section 12.5, "Navigating to the Groups Search Page."

  2. Specify criteria to locate the group you want to remove the user from.

  3. Click Search.

  4. In the Results table, click the name of the user group.

  5. In the Group Details page, click the User ID tab.

  6. Select the row with the user ID of the user you want to remove and click Delete.

    A dialog appears with the message, "Are you sure you want to delete the member from the group?"

  7. Click Yes to confirm.

    A confirmation dialog appears with the message, "Selected members are deleted successfully."

  8. Click OK to dismiss the dialog.

12.19 Exporting and Importing a Group

You can use the Export and Import Groups commands to export and import a group as a ZIP file.

12.19.1 Exporting a Group

To export a group:

  1. Navigate to the Groups Search page, as described in Section 12.5, "Navigating to the Groups Search Page."

  2. Specify criteria in the Search filter to locate the group.

  3. Select all the rows corresponding to the groups you want to export.

  4. Select Export Selected from the Actions menu.

  5. When the export dialog appears, select Save File, and then OK.

    The file is exported and saved as a ZIP file.

12.19.2 Importing a Group

To import a group:

  1. Navigate to the Groups Search page, as described in Section 12.5, "Navigating to the Groups Search Page."

  2. In the Groups Search page, click the Import Group button. The Import Groups screen appears.

  3. In the Import Groups dialog box, type the path and name of the file; or use the Browse (...) button to locate the ZIP file that contains the groups, and then select the file.

  4. Click Open and then click OK.

    An Imported List dialog appears with the list of groups that have been imported along with the general details.

  5. Click OK.

    If the file contains groups with the same names as the existing groups, the groups are updated/overwritten. If the file contains groups with names that do not exist, the groups are added to the system.

    If you are importing a delete script, the groups are deleted from the system.

    If you try to import groups in an invalid format, an error is displayed.

12.20 Deleting Groups

To delete groups:

  1. Navigate to the Groups Search page, as described in Section 12.5, "Navigating to the Groups Search Page."

  2. In the Groups Search page, search for a specific group or a list of groups you are interested in by using the specific criteria in the Search filter and clicking Search.

  3. Select the rows corresponding to each group you want to delete and click Delete.

    If the groups selected for deletion are not used or linked to a policy, a confirmation dialog is shown asking for a confirmation. If you answer "yes," those groups are deleted.

    When multiple groups are selected for deletion and if some of the groups are used or linked to other systems, a message appears, telling you which ones can be deleted and which ones are in use or linked and cannot be deleted. Links to a usage tree are available for each of the used/linked groups. In the dialog, you are also given the option to delete the ones that are not in use.

    A confirmation is displayed, asking if you are sure you want to delete the group.

  4. Click Yes to delete the groups.

    A dialog is displayed with the message that selected groups are deleted successfully.

  5. Click OK to dismiss the dialog.

12.21 Updating a Group Directly

You can update a group directly in the exported XML file. For example, you can perform a bulk update to a blacklisted IP group based on a monthly list of high-risk IPs obtained from a third-party service.

To update a group directly:

  1. Export the group you want to update.

    For information, see Section 12.19.1, "Exporting a Group."

  2. Open the XML and make the edits you want.

  3. Import the group to either overwrite or append to the previous version.

    For information, see Section 12.19.2, "Importing a Group."
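As an added example (not from this guide or the product), the following Python script carries out step 2 offline against an exported ZIP: it validates the third-party list, rejects entries that must never be blacklisted, merges the survivors into the group XML in either append or overwrite mode, and reports what changed so you can review it before importing. The page does not describe the export's XML layout, so the group/elements/element/value tag names below are an assumption; inspect a real export and adjust them before use.

```python
"""Bulk-update an exported IP group from a third-party high-risk IP feed.

Added example, not part of OAAM or its documentation. The
<group>/<elements>/<element><value> layout is an ASSUMED placeholder for the
real export format; adapt the tag names after inspecting a real export.
Keep the untouched export as a rollback: importing a group with the same
name overwrites the existing one.
"""
import io
import ipaddress
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample export (assumed layout, see docstring).
SAMPLE_EXPORT_XML = """<group name="Blacklisted_IPs" type="IPs">
  <elements>
    <element><value>198.51.100.7</value></element>
    <element><value>203.0.113.9</value></element>
  </elements>
</group>
"""

# Constructed sample feed: a comment, a duplicate, an RFC 1918 address and a
# malformed entry exercise the validation below.
SAMPLE_FEED = """# monthly high-risk IP list (constructed for this example)
203.0.113.9
203.0.113.10
198.51.100.200
198.51.100.200
10.0.0.5
not-an-ip
"""

# Explicit deny list rather than ipaddress's is_global, which would also reject
# the RFC 5737 documentation addresses used in this sample.
NEVER_BLACKLIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

def parse_feed(text):
    """Return (valid set of normalised IPs, list of (entry, reason) rejected).
    Unparsable and private/reserved entries are dropped so a bad feed cannot
    blacklist your own infrastructure."""
    valid, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append((entry, "unparsable"))
            continue
        if any(addr in net for net in NEVER_BLACKLIST):
            rejected.append((entry, "private or reserved"))
            continue
        valid.add(str(addr))
    return valid, rejected

def _sort_key(ip):
    a = ipaddress.ip_address(ip)
    return (a.version, int(a))   # IPv4 before IPv6, numeric order within each

def merge_group(xml_text, feed_ips, mode="append"):
    """Merge feed_ips into the group XML; returns (new_xml, added, removed).
    append: keep existing members and add new ones.
    overwrite: the feed becomes the whole membership (the import then replaces
    the existing group of the same name)."""
    if mode not in ("append", "overwrite"):
        raise ValueError("mode must be 'append' or 'overwrite'")
    root = ET.fromstring(xml_text)
    elements = root.find("elements")
    existing = {e.findtext("value") for e in elements.findall("element")}
    target = existing | feed_ips if mode == "append" else set(feed_ips)
    for e in list(elements):
        elements.remove(e)
    for ip in sorted(target, key=_sort_key):
        ET.SubElement(ET.SubElement(elements, "element"), "value").text = ip
    return (ET.tostring(root, encoding="unicode"),
            sorted(target - existing, key=_sort_key), sorted(existing - target, key=_sort_key))

def rewrite_export(zip_bytes, feed_text, mode="append"):
    """Apply merge_group to every .xml entry of an exported ZIP. Returns
    (new zip bytes, report); report maps file name -> (added, removed) and
    report["rejected"] lists the feed entries that were dropped."""
    feed_ips, rejected = parse_feed(feed_text)
    report = {"rejected": rejected}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zin, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info.filename)
            if info.filename.lower().endswith(".xml"):
                new_xml, added, removed = merge_group(data.decode("utf-8"), feed_ips, mode)
                report[info.filename] = (added, removed)
                data = new_xml.encode("utf-8")
            zout.writestr(info.filename, data)
    return out.getvalue(), report

def build_sample_export():
    """Constructed stand-in for the ZIP produced by Export Selected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Blacklisted_IPs.xml", SAMPLE_EXPORT_XML)
    return buf.getvalue()

def read_members(zip_bytes, name):
    """Members of one group file inside an export ZIP, in file order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        root = ET.fromstring(z.read(name).decode("utf-8"))
    return [e.findtext("value") for e in root.find("elements").findall("element")]

if __name__ == "__main__":
    new_zip, report = rewrite_export(build_sample_export(), SAMPLE_FEED, mode="append")
    print(report)
    print(read_members(new_zip, "Blacklisted_IPs.xml"))
```

Review the report before importing: in append mode you expect an empty removed list and a short rejected list; in overwrite mode a long removed list means the feed has silently dropped addresses you were relying on. Because an import with a matching group name overwrites the existing group, keep the original export so that a bad update can be reverted by re-importing it.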

12.22 Use Cases

This section describes example use cases for groups.

12.22.1 Use Case: Migration of Groups

Chuck is an Administrator migrating a 10.1.4.5 deployment to 11g R1+. He must import his existing groups into the upgraded environment. All group types must be tested for proper migration between 10.1.4.5 and 11g R1+.

  1. Open Group in the Navigation tree.

  2. Click Import Group in Groups Search page.

  3. Import ZIP file of exported groups.

    1. Browse for ZIP file containing groups.

    2. Click OK.

  4. Import Groups confirmation screen appears with information about the groups imported (Group Name, Group Type, Cache Type, and Notes). Click OK.

12.22.2 Use Case: Create Alert Group and Add Members

The velocity rule you created (in Section 10.34.4, "Use Case: Add New Rule") needs an alert group assigned to it so investigators can easily see that a rule was triggered and why. Directions: Create a new alert group named "High velocity user." Craft a message about the velocity rule that would be useful to an investigator such as this "User appears to have traveled faster than 500 MPH since last login."

To create an alert group and add members:

  1. Log in to OAAM Admin as a security administrator.

  2. In the Navigation tree, double-click Groups. The Groups Search page is displayed.

  3. In the Groups Search page, search for an existing alert group you can reuse.

    1. Search for a group with Alerts as the Group Type and "velocity" as part of the Group Name.

    2. Select the group from the Search Results table.

    3. From the Group Details page, click the Alerts tab.

      Alerts in the alerts group appear.

    4. Check to see whether any alerts suit your needs.

    5. Repeat steps 2, 3, and 4 for each remaining group in the Search Results table.

      The alert groups do not contain the message that applies to your use case, so you decide to create a new one.

  4. Create an Alerts group.

    1. Click the New Group to create a new alert group. The New Group screen is displayed.

    2. In the Group Name field, enter High velocity user.

    3. From the Group Type list, select Alerts.

    4. From the Cache Policy list, select the cache policy as "Full Cache."

    5. Enter a description in the Description field.

    6. Click OK. A confirmation message appears.

    7. Click OK to dismiss the confirmation dialog.

      The new High velocity user group is created successfully and the Group Details page is displayed.

  5. Add an alert with messaging about a user with non-plausible velocity.

    1. Click the Alerts tab to add alerts to the group.

    2. In the Alerts tab, click the Add Member button.

    3. In the Add Member page, select the "Create new element" option.

    4. For Alert Type, select CSR.

    5. For Alert Level, select Medium.

    6. For Alert Message, enter "User appears to have traveled faster than 500 MPH since last login."

    7. Click Add to add the alert to the group.

      A confirmation dialog appears with the message, "The new element created successfully."

    8. Click OK to dismiss the dialog.

      The High velocity user group appears in the Search Results table of the Groups Search page.

    Alternatively, you could search for an existing alert with the message "User appears to have traveled faster than 500 MPH since last login" and add that alert to the group.

12.22.3 Use Case: Remove User from Group

The restricted users group is intended for users who have had high-risk activity. This practice helps protect the company and the users. The security team reviews the users in this group on a quarterly basis or when a customer issue is being looked at. Directions: Part A: Do a session search filtered to show only Phillip's activity for the last six months, then add Phillip to the restricted users group. Part B: You made a mistake; remove Phillip from the restricted users group, as security team practice recommends.

  1. Log in to OAAM Admin as an investigator.

  2. In the Navigation tree, double-click Sessions. The Sessions Search page is displayed.

  3. In the Sessions Search page, perform a search using the following criteria.

    1. In the Login Time fields, enter start and end dates for the last six months.

    2. In User Name field, enter Phillip's user name.

    3. In the Alert Level, select High.

    There are no other high severity security alerts.

  4. Copy Phillip's User ID from the search result's User ID column.

  5. In the Navigation tree, double-click Groups.

  6. In the Groups Search page, search for the Restricted User group.

  7. In the Results table, click the group name, Restricted User.

  8. In the Group Details page, click the User ID tab.

  9. Click Add.

  10. In the Add Member screen, select the "Create new element" option.

  11. For User ID, enter Phillip's User ID and click Add.

    A confirmation dialog appears with the message, "The new element created successfully."

  12. Click OK to dismiss the dialog.

    You learn that you made a mistake and must remove Phillip from the restricted users group, as the security team recommended.

  13. In the Navigation tree, double-click Groups.

  14. In the Groups Search page, search for the Restricted User group.

  15. In the Results table, click the group name, Restricted User.

  16. In the Group Details page, click the User ID tab.

  17. Select the row with Phillip's User ID and click Delete.

    A dialog appears with the message, "Are you sure you want to delete the member from the group?"

  18. Click Yes to confirm.

    A confirmation dialog appears with the message, "Selected members are deleted successfully."

  19. Click OK to dismiss the dialog.

12.22.4 Use Case: Block Users from a Black-listed Country

To block a user if the IP is in a given country group:

  1. Navigate to the Policies Search page.

  2. Enter the search criteria you want and click Search.

  3. In the Results table, click the name of the policy you want to edit.

    The Policy Details page appears.

  4. In the Policy Details page, click the Rules tab.

  5. In the Rules tab, click Add.

  6. In the New Rule page, enter the rule name as Location: From IP.

  7. Click the Conditions tab.

  8. In the Conditions page, click Add.

    The Add Conditions page is displayed where you can search for and select the Location: In Country Group condition and add it to the rule.

  9. Click OK.

    The parameters for the condition are displayed in the bottom subpanel.

  10. In the parameters area, for Country in country group, select the Blacklisted Country group.

  11. Click Save.

  12. In the Results tab, select Block as the action group.

  13. Click Apply.

Figure 12-8 Black-Listed Countries

This diagram illustrates a black-listed country group.

12.22.5 Use Case: Company Wants to Block Users

An example of how groups work in policies and rules is described in this section.

In this example, Company A observes a significant increase in high-risk alerts from a collection of countries where customers do not normally log in from. Company A wants to block users in those countries.

The steps to create a policy that blocks users from high-risk countries are summarized in the following subsections. Three groups are created for this policy.

12.22.5.1 Create Country Blacklist Policy (1): Create Fraudulent Country Policy and Rule

You must first create a Fraudulent Country policy with the following attributes:

Table 12-15 Fraudulent Country Policy

Attribute          | Value
Name               | BlackListCountry
Checkpoint         | Post-Authentication (executed after the user enters the password)
Status             | Active
Scoring Engine     | Maximum
Weights            | 100
Rule and Condition | Rule contains "Condition: Location: In Country group - True"


12.22.5.2 Create Country Blacklist Policy (2): Create Country Group

A group of type "Countries" holds the names of the countries from which fraudulent activity has been observed.

Next, create a country group with the following attributes and then edit the group to add members.

Table 12-16 Country Group

Attribute    | Value
Group Name   | Country_Blacklist
Group Type   | Countries
Cache Policy | Full Cache
Description  | OAAM Country Blacklist Group


12.22.5.3 Create Country Blacklist Policy (3): Create Fraud High Alert Group

Alerts are indicators to fraud analysts. When a user from a blocked country logs in, the rule triggers and outputs a high alert; this group contains the alerts to trigger.

Create a Fraud High Alert group with the following attributes:

Table 12-17 Fraud High Alert Group

Attribute    | Value
Group Name   | Loc_Blacklist
Group Type   | Alerts
Cache Policy | Full Cache
Description  | OAAM Location Blacklist Group


Then, edit the group by setting:

  • Alert Level to ALERT_HIGH

  • Alert Type to Fraud

  • Alert Message to LOC_BLACK LIST COUNTRY

12.22.5.4 Create Country Blacklist Security Policy (4 of 5): Create Block Action Group

The result of a rule is the action that is executed when the rule triggers. In this case, if the user logs in from a blocked country, you block the user and signal the client application to redirect the user to a page with an appropriate message, such as "You Have Been Blocked."

Create a Block Action group with the following attributes:

Table 12-18 Block Group

Attribute    | Value
Group Name   | Block
Group Type   | Actions
Cache Policy | Full Cache
Description  | Blacklist Action Group


Edit group by selecting Block from Available Actions.

12.22.5.5 Create Country Blacklist Security Policy (5 of 5): Attach Groups to Fraudulent Country Rule

Attach the Blacklisted country group to the rule so that when the rule triggers all users logging in from the countries in this list are blocked.

  1. In OAAM Admin, query for BlackListCountry policy.

  2. Add LocCountry_Rule that has Location: In Country group condition.

  3. Define policy so that:

    • Is in group: True

    • Country in Country Group: Country_blacklist

    • Score: 1000

    • Weight: 100

    • Action Group: Block

    • Alert Group: Loc_Blacklist

  4. Group Link - Set Group type to User ID

  5. From Group select a group.

12.22.6 Use Case: Block Users from Certain Countries

If the policy is to block users from countries that have been identified for suspicious activities, you could create Block Country, Fraud High Alert, and Block Action groups.

  • Block Country group - Country names are populated in a group type "countries" that have been identified for fraud

  • Fraud High Alert group - This group contains the alerts to trigger to indicate to analysts that a fraud scenario has occurred. This group is used when a user from a blocked country logs in and the rule triggers and outputs a high alert.

  • Block Action group - The result of a rule is an action that is executed--what should take place--if the user logs in from a blocked country. In this case you block him and indicate to the client application to redirect the user to a page with an appropriate message "You Have Been Blocked."

12.22.7 Use Case: Allow Only Users from Certain IP Addresses

If the policy is to allow only users from IP Addresses that have been white listed as safe zones, you could create IP and Investigation Medium Alert groups:

  • IP group - IP addresses are populated in a group type "IPs" that have been white listed as safe zones by an institution. Allow only users from IP Addresses that have been white listed as safe zones.

  • Investigation Medium Alert group - Alerts are indicators to fraud analysts. Users who log in from IP addresses that are not in the white list group generate a medium alert. Alert type to Investigation.

12.22.8 Use Case: Check Users from Certain Devices

If the policy is to check users from devices reported for fraudulent activities, you could create Device and Information Alert groups:

  • Device group - Devices that have been identified as suspicious are populated in a group of type "Devices." A device is represented by an ID generated from many attributes, such as browser characteristics, Flash data, cookies, and so on.

  • Information Alert group - Alerts are indicators to fraud analysts. When a user logs in from a device that is registered in the device group as fraudulent, the rule triggers and outputs an information type alert.

12.22.9 Use Case: Monitor Certain Users

If the policy is to monitor users who have been reported for fraudulent activities, you could create User ID and Customer Care Alert groups:

  • User ID group - Users who have been identified for fraud activity are populated in a group of type "User ID."

  • Customer Care Alert group - Alerts are indicators to fraud Analysts as well as for Customer care representatives. When a suspicious user logs in the rule triggers and outputs a customer care alert.

12.23 Best Practices

This section outlines some best practices for using groups.

  • Do not set the Cache Policy to "Full Cache" for a group that is used only for reports, or that only collects members and is not used in any rule evaluation. Avoid full caching in particular for a group with a long list of elements, because the whole group is re-cached whenever any member changes.

  • Ensure that the caching is set to "Full Cache" for action and alert groups.


28 Using the Properties Editor

Oracle Adaptive Access Manager provides properties out-of-the-box and a Properties Editor that enables you to create new database properties according to your requirement, modify existing database and file properties, and create and edit enumerations.

Note: Not all roles have permission to access the Properties Editor.

This chapter describes properties management using OAAM Admin.

28.1 Navigating to the Properties Search Page

The Properties Search page is the starting place for managing your property definitions.

To open the Properties Search page:

  1. In the Navigation tree, double-click Properties under Environment.

    Alternatively, you can:

    • Right-click Properties in the Navigation tree and select List Properties from the context menu.

    • Select Properties in the Navigation tree and then choose List Properties from the Actions menu.

    • Click the List Properties button in the Navigation tree toolbar.

    The Properties Search page is displayed.

  2. Click Search to view a list of properties in the system.

28.2 Searching for a Property

On the Properties Search page you can view a list of all properties in the system and search for a property based on the name, load type, and value.

Figure 28-1 Properties Page (screenshot of the Properties Search page)

To view a list of the properties present in the system, click Search. All available properties are displayed in the Results table.

To search for a property:

  1. Specify the criteria in the search fields in the Properties Search page to locate the property.

    The search filter criteria are described in Table 28-1, "Search Filter Criteria".

    Table 28-1 Search Filter Criteria

    Field        Description
    Name         The property name.
    Load Type    The property's load type: "database" if the property is stored in the database, "properties" if it comes from a property file, and "systems" if it is a system property. By default the load type is set to "all".
    Value        The value for the property.

  2. Click Search.

    If you want to reset the search parameters to the default setting, use the Reset button.

The Results Table displays a summary of the properties that match the criteria specified.

By default, properties are sorted on Property Name, but you can sort properties on the Load Type.

28.3 Viewing the Value of a Property

To view the value of a property, select the property in the Results table. The name, load type, and value of the property are displayed in the bottom panel.

28.4 Viewing Enumerations

Enumerations can be viewed and edited using the Properties Editor.

For the enumerations to be listed in the Properties Editor, you must set the following property to false:

bharosa.config.ui.list.filter.enum=false

28.5 Creating a New Database Type Property

To create a new database type property:

  1. From the Properties Search page, click the New Property button or Create new Property icon.

    A New Property dialog is displayed.

  2. In the New Property dialog, type in the property name and value.

    An error message appears for the following:

    • Duplicate name

    • Special characters

    • Blank value

    • A name or value longer than the maximum of 4000 bytes (4000 ASCII characters, or about 1333 three-byte UTF-8 characters)

    The property name cannot be edited after the property has been created.

  3. Click Save.

All properties created using the Properties Editor are of the "Database" type; they are created in the server database.

System and file type properties cannot be created from the user interface.

If you do not want to create the new property, click Cancel instead of Save.

28.6 Editing the Values for Database and File Type Properties

You can easily edit the values for database and file type properties and save them.

System properties are read only and cannot be edited.

To edit a database or file type property, follow these steps:

  1. In the Results table, select the property.

    The name, load type, and value is shown in the details panel.

    If multiple properties are selected, details for the last selected property are shown in the details panel.

  2. In the details panel, edit the value of the property.

    Name and Type are read-only in the details panel.

  3. Click Save.

    The modified property is saved.

    When a file load type property is edited, it becomes a database type property and the original file type property is no longer shown in the Results table. The property file itself is not modified; the database value overrides it, and the file value is restored if the database property is later deleted.

    If you do not want to save the modified property, click Cancel instead of Save to revert the changes to the original value.

28.7 Deleting Database Type Properties

System and file properties are not allowed to be deleted.

To delete a database type property or properties:

  1. In the Results table, select the properties.

  2. Click the Delete button.

    A confirmation dialog appears. Confirm the deletion; the selected properties are deleted.

If you delete a database type property that had originally been a file type property, the database property is deleted and the old file type property is restored.

28.8 Exporting Database and File Type Properties

To export properties, follow these steps:


Note:

System properties will not be exported. Only file and database type properties will be exported.


  1. In the Navigation tree, open Properties under Environment.

    The Properties Search page is displayed.

  2. Click Search to view a list of properties in the system.

  3. Select the properties you want to export, then select Export Selected from the Actions menu.

    An Export Properties dialog appears with options to select the export type and provide a name.

  4. Enter a name for your ZIP file.

  5. Choose Java Properties or XML Properties as the Export Type.

  6. Click Export.

    If you do not want to export the files, click Cancel instead of Save.

  7. Click Save and then OK.

    A ZIP file for the selected properties in XML or Java format is exported.

28.9 Importing Database Type Properties

To import database type properties, follow these steps:

  1. In the Navigation tree, open Properties under Environment.

    The Properties Search page is displayed.

  2. Click the Import Properties button.

    An Import Properties dialog appears.

  3. In the Import Properties dialog box, type the path and name of the ZIP file that contains the properties, or use the Browse (...) button to locate and select it.

  4. Click Open and then click OK.

    Updates are saved to the database. Updates occur only if the value of the property changed.

  5. Click OK.

    If you try to import properties in an invalid format, an error will be displayed.
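The following script is an added example for this guide, not OAAM code. It ties together the entry rules from Section 28.5 (no special characters in the name, no blank value, at most 4000 bytes) and the import behaviour above (only changed values are written): it opens an exported properties ZIP, parses both the Java Properties and the XML export formats, validates each entry, and reports what an import would add, change, or leave alone. The ZIP member names, the sample values, and the exact set of characters allowed in a name (letters, digits, dot, underscore, hyphen) are assumptions; only bharosa.config.ui.list.filter.enum is a property named in this chapter.

```python
"""Preview an OAAM properties import: parse the exported ZIP, validate entries, show what would change.

Added example for this guide, not OAAM code. Assumes the export ZIP holds
java.util.Properties files (*.properties) or their XML form (*.xml); member
names and sample values are constructed. The name rule is an assumption for
the guide's 'special characters' check.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAX_BYTES = 4000  # 4000 ASCII characters, or about 1333 three-byte UTF-8 characters
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # assumed: anything else counts as a special character
PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_java_properties(text):
    """Read the key=value / key:value / key value forms of java.util.Properties (no escapes or continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_xml_properties(data):
    """Read the java.util.Properties XML form: <properties><entry key="k">v</entry>...</properties>."""
    root = ET.fromstring(data)
    return {e.get("key"): (e.text or "") for e in root.iter("entry")}


def load_properties_zip(data):
    """Merge every *.properties and *.xml member of the ZIP into one {name: value} map."""
    merged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            blob = zf.read(member)
            if member.endswith(".xml"):
                merged.update(parse_xml_properties(blob))
            elif member.endswith(".properties"):
                merged.update(parse_java_properties(blob.decode("utf-8")))
    return merged


def validate_property(name, value):
    """Apply the Properties Editor rules: name without special characters, non-blank value, at most 4000 bytes."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("special characters in name")
    if not value.strip():
        problems.append("blank value")
    if len(name.encode("utf-8")) > MAX_BYTES or len(value.encode("utf-8")) > MAX_BYTES:
        problems.append("exceeds 4000 bytes")
    return problems


def preview_import(current, incoming):
    """Classify each incoming property as invalid, added, changed, or unchanged (an import only writes changed values)."""
    report = {"added": {}, "changed": {}, "unchanged": [], "invalid": {}}
    for name, value in incoming.items():
        problems = validate_property(name, value)
        if problems:
            report["invalid"][name] = problems
        elif name not in current:
            report["added"][name] = value
        elif current[name] != value:
            report["changed"][name] = (current[name], value)
        else:
            report["unchanged"].append(name)
    return report


def build_sample_zip():
    """Constructed sample export with one Java-properties member and one XML member (not a real OAAM export)."""
    java_text = ("# constructed sample\n"
                 "bharosa.config.ui.list.filter.enum=false\n"
                 "oaam.sample.existing = same\n")
    xml_text = ('<?xml version="1.0" encoding="UTF-8"?>\n'
                '<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">\n'
                '<properties>\n'
                '  <entry key="oaam.sample.new.property">42</entry>\n'
                '  <entry key="bad name!">x</entry>\n'
                '  <entry key="oaam.sample.blank"> </entry>\n'
                '</properties>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("properties.properties", java_text)
        zf.writestr("properties.xml", xml_text)
    return buf.getvalue()


# Values the server currently holds (constructed): the enum filter is on, the sample property is unchanged.
CURRENT_VALUES = {"bharosa.config.ui.list.filter.enum": "true", "oaam.sample.existing": "same"}

if __name__ == "__main__":
    for kind, items in preview_import(CURRENT_VALUES, load_properties_zip(build_sample_zip())).items():
        print(kind, items)
```

Run it before a real import to see which entries the server would reject and which values the import would actually overwrite; the byte-length check is what turns the guide's "4000 ASCII or 1333 UTF-8 characters" into one rule.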


Oracle Legal Notices

Copyright Notice

Copyright © 1994-2014, Oracle and/or its affiliates. All rights reserved.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

License Restrictions Warranty/Consequential Damages Disclaimer

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

Warranty Disclaimer

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

Restricted Rights Notice

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

Hazardous Applications Notice

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Third-Party Content, Products, and Services Disclaimer

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

Alpha and Beta Draft Documentation Notice

If this document is in preproduction status:

This documentation is in preproduction status and is intended for demonstration and preliminary use only. It may not be specific to the hardware on which you are using the software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to this documentation and will not be responsible for any loss, costs, or damages incurred due to the use of this documentation.

Oracle Logo


29 Oracle Adaptive Access Manager Command-Line Interface Scripts

This chapter provides information on the Command-Line Interface (CLI).

29.1 CLI Overview

The Oracle Adaptive Access Manager Command-Line Interface (CLI) scripts enable users to perform various tasks instead of using OAAM Admin.

You can use Oracle Adaptive Access Manager CLI scripts for the following:

  • Import or export objects like policies, groups, conditions, and other modules without using the graphical user interface.

  • Load location data into the Oracle Adaptive Access Manager database

29.2 Setting Up the CLI Environment

Setting up the CLI environment involves the following tasks:

  1. Set up the CLI work folder

  2. Set up the Credential Store Framework (CSF) configuration

  3. Set up the Oracle Adaptive Access Manager database credentials

29.2.1 Set up the CLI Work Folder

Copy the CLI folder $IDM_ORACLE_HOME/oaam/cli/oaam_cli to a working directory, for example, "oaam_cli".


Note:

This task is required because files inside the IDM_ORACLE_HOME folder (the folder where you installed the IDM software) should not be edited or changed.


In Unix:

Execute the following command:

cp -r <IDM_ORACLE_HOME>/oaam/cli ~/work/oaam_cli

In Windows

Execute the following command:

xcopy /s <IDM_ORACLE_HOME>\oaam\cli c:\work\oaam_cli

When xcopy asks whether the target is a file or a directory, answer D (directory) so that the entire folder is copied.

29.2.2 Set Up the Credential Store Framework (CSF)

Choose one of the following mechanisms to access the Oracle Adaptive Access Manager Encryption keys stored in the Credential Store Framework (CSF):

  • CSF without Mbeans

  • CSF with MBeans

29.2.2.1 Use CSF without MBeans

Important notes about this approach are listed as follows:

  • This method requires that you run the Oracle Adaptive Access Manager command-line utility scripts on the same computer as the WebLogic Server.

  • This method does not require you to specify the WebLogic Administrator and password.

  • This method is not recommended if Oracle Adaptive Access Manager is deployed in a clustered environment.

To use this mechanism:

  1. Go to the work folder where you copied the cli folder. Open the file conf/bharosa_properties/oaam_cli.properties in a text editor and set the following properties:

    Property Name               Notes about Property Value
    oaam.csf.useMBeans          false
    oaam.jps.config.filepath    Absolute path of jps-config-jse.xml. It usually resides in the $DOMAIN_HOME/config/fmwconfig folder.


  2. In the same file, set the following properties related to the Oracle Adaptive Access Manager database:

    Property Name                        Notes about Property Value
    oaam.db.url                          A valid JDBC URL of the Oracle Adaptive Access Manager database. Make sure there are no typos.
    oaam.db.additional.properties.file   Leave blank if there are no additional TopLink properties. Otherwise specify the name of the properties file that holds the additional TopLink properties; the file must be in the same folder as oaam_cli.properties.
    oaam.db.driver                       oracle.jdbc.driver.OracleDriver (change this value only if the Oracle Adaptive Access Manager schema is in a non-Oracle database)
    oaam.db.min.read-connections         1 (do not change this value unless required)
    oaam.db.max.read-connections         25 (do not change this value unless required)
    oaam.db.min.write-connections        1 (do not change this value unless required)
    oaam.db.max.write-connections        25 (do not change this value unless required)


29.2.2.2 Use CSF with MBeans

Important notes about this approach:

  • This method is recommended if Oracle Adaptive Access Manager is deployed in a clustered environment.

  • This method permits you to remotely connect to the Oracle Adaptive Access Manager WebLogic Server.

  • This method requires you to specify the Oracle Adaptive Access Manager WebLogic Admin user and password.

To configure the Oracle Adaptive Access Manager Database details with CSF with MBeans, follow these steps:

  1. Go to the work folder where you copied the cli folder. Open the file conf/bharosa_properties/oaam_cli.properties in a text editor and set the following properties:

    Property Name               Notes about Property Value
    oaam.csf.useMBeans          true (keep it as true)
    oaam.adminserver.hostname   Host name where the WebLogic Admin Server runs
    oaam.adminserver.port       Port number of the WebLogic Admin Server. Usually it is 7001.
    oaam.adminserver.username   User name of the WebLogic admin user. Usually it is weblogic.
    oaam.adminserver.password   Password of the WebLogic admin user

    The admin password is stored in clear text in oaam_cli.properties. Restrict read access on the file to the operating system account that runs the CLI scripts.


  2. Open the file, conf/bharosa_properties/oaam_cli.properties in a text editor and set the following properties related to the Oracle Adaptive Access Manager database:

    Property Name | Notes about Value
    oaam.db.url | Specify a valid JDBC URL of the Oracle Adaptive Access Manager database. Make sure there are no typos.
    oaam.db.additional.properties.file | Leave this blank if there are no additional TopLink properties. Otherwise specify the name of the properties file that has the additional TopLink properties. Make sure the file is in the same folder as oaam_cli.properties.
    oaam.db.driver | oracle.jdbc.driver.OracleDriver (Change this value only if the Oracle Adaptive Access Manager schema is in a non-Oracle database)
    oaam.db.min.read-connections | 1 (Do not change this value unless required)
    oaam.db.max.read-connections | 25 (Do not change this value unless required)
    oaam.db.min.write-connections | 1 (Do not change this value unless required)
    oaam.db.max.write-connections | 25 (Do not change this value unless required)


29.2.3 Set the Oracle Adaptive Access Manager Database Credentials in the Credential Store Framework

Refer to Section 2.4.7, "Setting Up Oracle Adaptive Access Manager Database Credentials in the Credential Store Framework" for steps.


Note:

If you want to use persistence.xml instead of setting the Oracle Adaptive Access Manager database credentials in CSF, follow the steps below. However, this approach is neither recommended nor supported: the database user name and password are stored in cleartext in persistence.xml, so anyone who can read that file can read the credentials.


  1. Go to the work folder where you copied the cli folder. Open the file conf/bharosa_properties/oaam_cli.properties in a text editor and set the property value of oaam.db.toplink.useCredentialsFromCSF to false.

  2. Update the Oracle Adaptive Access Manager database connection details in the META-INF/persistence.xml file by editing the relevant eclipselink.jdbc properties, as in the following examples:

    <property name="eclipselink.jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
    <property name="eclipselink.jdbc.url" value="jdbc:oracle:thin:@<dbhost.mydomain.com>:1521/<SERVICE_NAME>"/>
    <property name="eclipselink.jdbc.user" value="<OAAM DB USER>"/>
    <property name="eclipselink.jdbc.password" value="< DB Password >"/>
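Because the persistence.xml route leaves the database password readable on disk, a practitioner will want to confirm which route a CLI work folder is actually using before handing it over. The following is an added example written for this page, not part of Oracle Adaptive Access Manager: it reads the contents of conf/bharosa_properties/oaam_cli.properties and META-INF/persistence.xml and flags the unsupported configuration (oaam.db.toplink.useCredentialsFromCSF set to false, or a non-empty eclipselink.jdbc.password), plus the WebLogic admin password that the CSF-with-MBeans approach keeps in oaam_cli.properties. The sample file contents are constructed, and treating a missing oaam.db.toplink.useCredentialsFromCSF as true is an assumption of the example.

```python
"""Flag cleartext database credentials in an OAAM CLI work folder.

Added example for this page, not Oracle code.  It checks the two files
Section 29.2 describes: conf/bharosa_properties/oaam_cli.properties and
META-INF/persistence.xml.  The sample contents below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(properties_text: str, persistence_xml: str) -> List[str]:
    """Return a list of findings; an empty list means the CSF path is used and
    persistence.xml carries no cleartext database password."""
    findings: List[str] = []
    props = parse_properties(properties_text)

    # Assumption of this example: a missing flag means the default (CSF) path is used.
    use_csf = props.get("oaam.db.toplink.useCredentialsFromCSF", "true").lower()
    if use_csf != "true":
        findings.append("oaam.db.toplink.useCredentialsFromCSF is not true: "
                        "DB credentials are read from persistence.xml (unsupported)")

    # The CSF-with-MBeans approach (29.2.2.2) keeps the WebLogic admin password in this file.
    if props.get("oaam.csf.useMBeans", "").lower() == "true" and props.get("oaam.adminserver.password"):
        findings.append("oaam.adminserver.password is stored in oaam_cli.properties: "
                        "restrict the file's permissions")

    root = ET.fromstring(persistence_xml)
    for elem in root.iter():
        # Strip any XML namespace so the check works with or without an xmlns.
        if elem.tag.split("}")[-1] != "property":
            continue
        if elem.get("name") == "eclipselink.jdbc.password" and elem.get("value", "").strip():
            findings.append("eclipselink.jdbc.password is set in persistence.xml: "
                            "cleartext DB password on disk")
    return findings


# Constructed sample inputs: the unsupported setup beside the CSF setup.
WEAK_PROPS = "oaam.csf.useMBeans=false\noaam.db.toplink.useCredentialsFromCSF=false\n"
WEAK_XML = ('<persistence xmlns="http://java.sun.com/xml/ns/persistence">'
            '<persistence-unit name="oaam"><properties>'
            '<property name="eclipselink.jdbc.url" value="jdbc:oracle:thin:@dbhost:1521/oaam"/>'
            '<property name="eclipselink.jdbc.user" value="OAAM_USER"/>'
            '<property name="eclipselink.jdbc.password" value="s3cret"/>'
            '</properties></persistence-unit></persistence>')
CSF_PROPS = "oaam.csf.useMBeans=false\noaam.db.toplink.useCredentialsFromCSF=true\n"
CSF_XML = ('<persistence xmlns="http://java.sun.com/xml/ns/persistence">'
           '<persistence-unit name="oaam"><properties>'
           '<property name="eclipselink.jdbc.url" value="jdbc:oracle:thin:@dbhost:1521/oaam"/>'
           '</properties></persistence-unit></persistence>')
MBEAN_PROPS = ("oaam.csf.useMBeans=true\noaam.adminserver.username=weblogic\n"
               "oaam.adminserver.password=changeit\noaam.db.toplink.useCredentialsFromCSF=true\n")

if __name__ == "__main__":
    for label, p, x in (("weak", WEAK_PROPS, WEAK_XML), ("csf", CSF_PROPS, CSF_XML)):
        print(label, audit(p, x) or ["ok"])
```

Run it against the real files by reading them with open(...).read() and passing the strings to audit(); a non-empty result for the database password means the work folder still carries the unsupported persistence.xml configuration.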
    

29.3 Using CLI

The Oracle Adaptive Access Manager CLI is a tool with which you can perform various tasks from the command line rather than from the OAAM Admin console.

You can use Oracle Adaptive Access Manager CLI in the following ways:

  • import or export objects like policies, groups, conditions, and other modules without using the graphical user interface

  • perform import and export between different environments (for example, QA and staging) using a program.

  • load location data

Set up the Oracle Adaptive Access Manager CLI environment before you run any of the scripts. For details refer to Section 29.2, "Setting Up the CLI Environment."

29.3.1 Obtaining Usage Information for Import or Export

To obtain usage information on Oracle Adaptive Access Manager CLI for import or export:

  1. At the command line, change to the Oracle Adaptive Access Manager CLI work folder.

  2. Run the runImportExport.sh script without any arguments.

    $ sh runImportExport.sh
    

29.3.2 Command-Line Options

This subsection provides details about the command-line options.

To perform an import or export, you enter commands coupled with:

  • information for actions like import or export

  • information for module like policies, groups, validations, or others

  • arguments for whether to export or import different modules

  • additional parameters for the import and export features.

29.3.2.1 What is the Syntax for Commands?

Use this syntax for the command-line interface (typed on a single line, with no line breaks or carriage returns). The indentation below only shows which options belong to which action or module:

    sh runImportExport.sh
      -action < import | export >
        export only:
          -entitycmd < add | delete >
          -exportmode < zip | file >
          -includeelements < true | false >
          -listelemcmd < add | delete | replace >
          -outdir < path_to_dest_dir >
        import only:
          -batchmode < true | false >
      -module < rules | groups | policy(models) | questions | validations | answerHint | properties | conditions | questionsForTranslation | patterns | entities | transactions | dynamicActions | taskGroups > [entity names or files]
        groups:
          -submodule < all | users | alerts | ... >
        properties:
          -name < propertyId >
          -loadType < database | properties | system >
        conditions:
          -forceUpdate < true | false >
      -adminUser < username >
      -adminPassword < password >

29.3.2.2 CLI Parameters

The options are described in Table 29-1.

Table 29-1 CLI Parameters

Parameter | Description
entitycmd | Indicates whether the entities for the module being exported are added to the database or deleted from it when the file is imported. Default is add.
exportmode | Indicates whether the result of the export is a ZIP file or an XML file. Default is zip.
includeelements | Indicates whether the group elements are included in the export. Default is true. Applies only to the export of groups.
listelemcmd | Indicates whether the group elements are added, deleted, or replaced in the database when the file is imported. Default is add. Applies only to the export of groups.
outdir | The output folder where the resulting files from the export are saved. Default is the current folder.
batchmode | Controls the database commits when list items are imported in a batch. When the batch reaches its limit, the objects are inserted into the database. If batchmode is true, the database update is also committed. Default is false.
submodule | Specifies the type of groups to include in the export. Default is all. Applies to the export of groups.
loadType | Specifies the type of properties to export. If not specified, properties of all types are included. Applies to the export of properties.


29.3.2.3 Supported Modules for Import and Export

The list of supported modules for Oracle Adaptive Access Manager 11g is shown in Table 29-2.

Table 29-2 Supported Modules

Module | Entity Name (value for -module)
groups | groups
policies | models
questions | questions
validations | validations
answer hint | answerHint
properties | properties
conditions | conditions
questions for translation | questionsForTranslation
patterns | patterns
entities | entities
transactions | transactions
configurable actions | dynamicActions
scheduler task groups | taskGroups


The 10g policy set and policy modules are no longer valid in 11g.

The difference between CLI import/export in 10g and 11g is that the modules models and policy now mean the same thing: -module policy is the same as -module models.

29.3.2.4 Import of Files

Examples of import options are as follows:

Import from a File

To import from a file, issue the following command:

$ sh runImportExport.sh -action import -module properties exportData/properties/<properties_zip_file>

Import Contents of ZIP file

To import the contents of a ZIP file, issue the following command:

$ sh runImportExport.sh -action import -module <supported_module> <filename>

Here are examples:

To upload challenge questions, issue the following command:

$ sh runImportExport.sh -action import -module questions <filename>

To import conditions, issue the following command:

$ sh runImportExport.sh -action import -module conditions <filename>

To import policies, run the following command

$ sh runImportExport.sh -action import -module models <filename>

To import groups, run the following command

$ sh runImportExport.sh -action import -module groups <filename>

Import a Group of Users from an XML File

To import a group of users from an XML file, issue the following command:

$ sh runImportExport.sh -action import -module groups <abc.xml>

Import Multiple Policies from Multiple ZIP Files

To import multiple policies from multiple ZIP files, issue the following command:

$ sh runImportExport.sh -action import -module models <ManyModels.zip> <OneModel.zip>

Import Multiple Questions from Multiple ZIP Files

To import multiple questions from multiple ZIP files, issue the following command:

$ sh runImportExport.sh -action import -module questions <ManyQuestions.zip> <OneQuestions.zip>

Import Multiple Validations from Multiple ZIP Files

To import multiple validations from multiple ZIP files, issue the following command:

$ sh runImportExport.sh -action import -module validations <ManyValidations.zip> <OneValidations.zip>


Note:

Inapplicable options are silently ignored (for example, the outdir option on an import), and options with lower precedence are overridden (for example, listelemcmd is irrelevant when includeelements is false).


29.3.2.5 Export of Files

Here are examples of export options:

Export Properties

To export all the properties irrespective of loadtype, issue the following command:

$ sh runImportExport.sh -action export -module properties

To export all the properties of any particular loadtype, issue the following command:

$ sh runImportExport.sh -action export -module properties -loadtype < database | properties | system>

For example, to export all the properties of database loadtype, issue the following command:

$ sh runImportExport.sh -action export -module properties -loadtype database

To export any single property, issue the following command:

$ sh runImportExport.sh -action export -module properties -name <propertyname>

Export All

When performing an export, if no entity names are specified, all the entities of that particular module (and submodule) are exported. Thus, specifying names is not necessary for export.

To export all entities of a particular module, issue the following command:

$ sh runImportExport.sh -action export -module <module entity_name>

Export all Policies

To export all policies, issue the following command:

$ sh runImportExport.sh -action export -module models

Export all User Groups

To export groups, issue the following command:

$ sh runImportExport.sh -action export -module groups -submodule users

Export All Questions

To export questions, issue the following command:

$ sh runImportExport.sh -action export -module questions

CLI exports all the related categories, validations, and locale information to make these questions complete.

Export All Validations:

To export all validations, issue the following command:

$ sh runImportExport.sh -action export -module validations

Export Conditions

To export conditions, issue the following command:

$ sh runImportExport.sh -action export -module conditions

Export Conditions with Delete Script

To export conditions with a delete script, issue the following command:

$ sh runImportExport.sh -action export -module conditions -entitycmd delete

Export Specific Groups, Grp1 and Grp2, without Elements for Delete

To export specific groups without elements, issue the following command:

$ sh runImportExport.sh -action export -module groups -includeelements false -entitycmd delete Grp1 Grp2

entitycmd indicates whether the entities for the module being exported would be added to the database or deleted from the database on importing the file.

In this example, Groups Grp1 and Grp2 are deleted from the database when the resulting file from this export command is imported back.

Export Groups with List Command Replace

To export groups with list command replace, issue the following command:

$ sh runImportExport.sh -action export -module groups -listelemcmd replace G1 G2

The group elements for groups G1 and G2 will be replaced by the elements in the ZIP file during the import of the file resulting from this export command. For example, if group G1 has elements e1 and e2 in the database, and the ZIP file has elements e2 and e3, after the execution of the import, group G1 will have elements e2 and e3. However, if the value of listelemcmd had been "add," then after the import, G1 would have elements e1, e2 and e3. If the value specified was "delete," then after import, group G1 would have element e1 only as e2 would have been deleted.

Export Groups to DESTDIR, But Do Not Create a ZIP File

To export groups Group1 and Group2 to DESTDIR as XML files instead of a ZIP file, issue the following command:

$ sh runImportExport.sh -action export -outdir DESTDIR -exportmode file -module groups Group1 Group2

If exportmode is "file," the data is exported as one or more XML files.


Note:

The file export mode does not work for modules such as policies and questions, which have dependent data. An error occurs with the message that a ZIP stream is expected.


29.3.2.6 Import Options

The batchmode option controls the database commits when list items are imported in a batch. When the batch reaches its limit, the objects are inserted into the database. If batchmode is equal to true, the database update is also committed. By default, batchmode is set to false.

batchmode {true | false}


Note:

batchmode is not to be used when importing other modules. Use it only when importing groups (lists).


Here is an example of batchmode usage:

Import Groups in Batch Mode

To import groups in batch mode, issue the following command:

$ sh runImportExport.sh -action import -module groups -batchmode true <filename>

29.3.2.7 Importing Multiple Types of Entities in One Transaction

The examples preceding cover only those scenarios where the entities to be processed are of the same type. To be able to process different types of modules together, the command line has been altered to support multiple modules. All entities specified in a command are processed in a single transaction, which allows a related set of entities to be used together to ensure the "all or nothing" approach.

Here are examples of importing modules together:

Import Various Modules Together

To import various modules together, issue the following command:

$ sh runImportExport.sh -action import -module groups 5grps.zip -module models model1.zip


Note:

Do not repeat the action parameter; repeat only -module (with its options and files) for each kind of item to import. The order given on the command line is preserved, both for the entity types and for the files of each entity.


29.3.2.8 Multiple Modules and Extra Options (Common vs. Specific)

Support for multiple modules raises many questions:

  • What about the extra options?

  • How to specify options common to all modules?

  • How to specify options specific to a certain module, even though it has been defined as a common option?

The following things can be kept in mind:

  • When writing an import or export command, keep in mind that -module is considered as the beginning of a new set of options. Everything that follows -module forms one set of options.

  • Everything that is specified before the first -module option is taken as a set of common options, which are applied to each -module.

  • If a certain option is specified as a common option and is also specified as a module specific option, the specific value will take precedence.

Examples are:

Export Everything to the "all" Directory, but Policies to the "policies" Directory

To export everything to the "all" directory, but policies to the "policies" directory, issue the following command:

$ sh runImportExport.sh -action export -outdir all -module models -outdir policies -module groups

Export Groups G1 and G2 for Delete Items, and G3 and G4 for Replace Items

To export groups G1 and G2 for delete items and G3 and G4 for replace items, issue the following command:

$ sh runImportExport.sh -action export -module groups -listelemcmd delete G1 G2 -module groups -listelemcmd replace G3 G4
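The three rules above (common options before the first -module, a new option set at every -module, module-specific values winning over common ones) are easy to get wrong when building long command lines in scripts. The following is an added example written for this page, not part of the Oracle Adaptive Access Manager CLI: it splits a runImportExport.sh argument list into per-module option sets according to those rules. The option names come from Section 29.3.2.1 and the defaults from Table 29-1; treating every other token after a module name as an entity name or file, and matching option names case-insensitively (the examples write -loadtype for -loadType), are assumptions of this example.

```python
"""Split an OAAM runImportExport.sh argument list into per-module option sets.

Added example for this page, not Oracle's CLI parser.  It models the rules in
Section 29.3.2.8: options before the first -module are common to all modules,
each -module starts a new set, and a module-specific option overrides the
common one.  Defaults come from Table 29-1.
"""
from typing import Dict, List, Tuple

# Option names documented in 29.3.2.1; compared case-insensitively (assumption).
OPTION_NAMES = {
    "action", "entitycmd", "exportmode", "includeelements", "listelemcmd", "outdir",
    "batchmode", "submodule", "name", "loadType", "forceUpdate", "adminUser", "adminPassword",
}
_CANONICAL = {name.lower(): name for name in OPTION_NAMES}

# Defaults from Table 29-1, applied under both common and specific options.
DEFAULTS = {"entitycmd": "add", "exportmode": "zip", "includeelements": "true",
            "listelemcmd": "add", "outdir": ".", "batchmode": "false", "submodule": "all"}


def _consume_options(tokens: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Split tokens into {option: value} and the remaining positional names/files."""
    opts: Dict[str, str] = {}
    names: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        key = _CANONICAL.get(tok[1:].lower()) if tok.startswith("-") else None
        if key is None:
            names.append(tok)           # entity name or file (assumption of the example)
            i += 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"option {tok} has no value")
        opts[key] = tokens[i + 1]
        i += 2
    return opts, names


def parse_command(argv: List[str]) -> List[dict]:
    """Return one dict per -module set: {'module', 'names', 'options'}."""
    try:
        first = argv.index("-module")
    except ValueError:
        raise ValueError("at least one -module is required") from None

    # Everything before the first -module is the common option set.
    common, stray = _consume_options(argv[:first])
    if stray:
        raise ValueError(f"unexpected tokens before the first -module: {stray}")
    if common.get("action") not in ("import", "export"):
        raise ValueError("-action must be import or export and precede -module")

    sets: List[dict] = []
    rest = argv[first:]
    while rest:                          # rest always starts with "-module" here
        try:
            nxt = rest.index("-module", 1)
        except ValueError:
            nxt = len(rest)
        chunk, rest = rest[1:nxt], rest[nxt:]
        if not chunk:
            raise ValueError("-module has no module name")
        module, specific_tokens = chunk[0], chunk[1:]
        specific, names = _consume_options(specific_tokens)
        merged = {**DEFAULTS, **common, **specific}   # specific overrides common
        sets.append({"module": module, "names": names, "options": merged})
    return sets


if __name__ == "__main__":
    cmd = "-action export -outdir all -module models -outdir policies -module groups"
    for s in parse_command(cmd.split()):
        print(s["module"], s["names"], s["options"]["outdir"])
```

The two examples from this section parse as expected: models goes to the "policies" directory while groups inherits "all", and G1/G2 get listelemcmd delete while G3/G4 get replace.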

29.3.2.9 Transaction Handling

Transaction handling differs between imports and exports.

Import operates strictly in one transaction, except when batch mode is used for importing lists. If an error occurs while importing any entity of any module, the entire import is rolled back and no database updates are committed. Although import runs in one transaction, it does not fail when it encounters invalid items in a list (for example, a city with an incorrect state or country); a warning message is logged and the import continues, ignoring such items.

Export operates on a "best effort" basis. If an export for any entity fails, it continues with the next entity. The reason is that export does not perform any database updates. It only selects information from the database and places it into files.
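The listelemcmd worked example in Section 29.3.2.5 (group G1 with e1 and e2 in the database, a file with e2 and e3) and the transaction rules just described can be exercised together in a small simulation. The following is an added example written for this page, not Oracle's import code: the database is an in-memory dict of group name to element set, each GroupRecord stands for one group in an export file together with the entitycmd and listelemcmd fixed at export time, and the whole import is applied to a working copy that is only returned if every record succeeds. The GroupRecord structure and the validity rule for a list element (non-blank) are constructed for the example.

```python
"""Simulate how the CLI import applies entitycmd and listelemcmd to groups,
and how the whole import is rolled back on error (Sections 29.3.2.5, 29.3.2.9).

Added example for this page, not Oracle's import code.  The "database" is a
dict {group_name: set(elements)}; each GroupRecord stands for one group in an
export file.  The validity rule for an element is an assumption of the example.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Database = Dict[str, Set[str]]


@dataclass
class GroupRecord:
    name: str
    elements: Set[str] = field(default_factory=set)
    entitycmd: str = "add"          # add | delete           (Table 29-1 default: add)
    listelemcmd: str = "add"        # add | delete | replace (default: add)
    includeelements: bool = True    # False: elements were not exported at all


def _element_is_valid(elem: str) -> bool:
    # Assumption: stands in for the product's checks (for example a city with a bad state).
    return bool(elem and elem.strip())


def apply_record(db: Database, rec: GroupRecord, warnings: List[str]) -> None:
    """Apply one exported group to the working copy of the database."""
    if rec.entitycmd == "delete":
        db.pop(rec.name, None)              # the group itself is removed on import
        return
    if rec.entitycmd != "add":
        raise ValueError(f"{rec.name}: unknown entitycmd {rec.entitycmd!r}")

    current = db.setdefault(rec.name, set())
    if not rec.includeelements:
        return                              # listelemcmd is irrelevant (29.3.2.4 note)

    # Invalid list items are logged and skipped; they do not abort the import.
    good: Set[str] = set()
    for elem in rec.elements:
        if _element_is_valid(elem):
            good.add(elem)
        else:
            warnings.append(f"{rec.name}: skipping invalid element {elem!r}")

    if rec.listelemcmd == "add":
        current |= good
    elif rec.listelemcmd == "delete":
        current -= good
    elif rec.listelemcmd == "replace":
        db[rec.name] = good
    else:
        raise ValueError(f"{rec.name}: unknown listelemcmd {rec.listelemcmd!r}")


def import_groups(db: Database, records: List[GroupRecord]) -> Tuple[Database, List[str]]:
    """Import all records in one transaction.

    Returns (new_db, warnings).  Any error rolls the whole import back, so the
    original db is returned untouched; the caller's db is never modified in place.
    """
    work = copy.deepcopy(db)
    warnings: List[str] = []
    try:
        for rec in records:
            apply_record(work, rec, warnings)
    except ValueError as err:
        warnings.append(f"rolled back: {err}")
        return db, warnings
    return work, warnings


if __name__ == "__main__":
    # The worked example from 29.3.2.5: G1 has e1,e2 in the database; the file has e2,e3.
    before: Database = {"G1": {"e1", "e2"}}
    for cmd in ("replace", "add", "delete"):
        after, _ = import_groups(before, [GroupRecord("G1", {"e2", "e3"}, listelemcmd=cmd)])
        print(cmd, sorted(after["G1"]))
```

The replace, add and delete runs reproduce the outcomes stated in the text (e2,e3; e1,e2,e3; e1), and a record with a bad entitycmd returns the database unchanged even though an earlier record in the same import was valid.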

29.3.2.10 Upload Location Database

To use the IP location loader utility, follow the setup instructions in Section 29.4, "Importing IP Location Data."

29.3.3 Globalization

For this release, CLI is not globalized.

29.4 Importing IP Location Data

This section describes how to import IP location data into the Oracle Adaptive Access Manager database. This data is used by the risk policies framework to determine the risk of fraud associated with a given IP address.


29.4.1 Loading the Location Data to the Oracle Adaptive Access Manager Database

Set up the Oracle Adaptive Access Manager CLI environment before you run any of the scripts. For details refer to Section 29.2, "Setting Up the CLI Environment."

29.4.1.1 Setting Up for SQL Server Database

To load data to Microsoft SQL Server database, sqljdbc.jar should be copied to a third party directory. This file can be downloaded for free from Microsoft at http://www.microsoft.com/downloads/details.aspx?FamilyID=6d483869-816a-44cb-9787-a866235efc7c&DisplayLang=en

29.4.1.2 Setting Up IP Location Loader Properties

  1. Change to the <ORACLE_MW_HOME>/<IAM_HOME>/oaam/cli directory and make a copy of the sample bharosa_location.properties file.

    cp sample.bharosa_location.properties bharosa_location.properties
    
  2. Update bharosa_location.properties with the location data details as in the following example. The location data should be obtained from one of the supported vendors (ip2location, maxmind, Quova/Neustar).

Note that the properties marked as "Advanced" are not to be changed in general.

Table 29-3 IP Loader Properties

IP Loader Property | Description
location.data.provider | quova, ip2location, or maxmind
location.data.file | For example, /tmp/quova/EDITION_Gold_2008-07-22_v374.dat.gz
location.data.ref.file | For example, /tmp/quova/EDITION_Gold_2008-07-22_v374.ref.gz
location.data.anonymizer.file | For example, /tmp/quova/anonymizers_2008-07-09.dat.gz
location.data.location.file | Only if MaxMind location data is to be loaded; otherwise leave this property unset or blank
location.data.blocks.file | Only if MaxMind location data is to be loaded; otherwise leave this property unset or blank
location.data.country.code.file | Only if MaxMind location data is to be loaded; otherwise leave this property unset or blank
location.data.sub.country.code.file | Only if MaxMind location data is to be loaded; otherwise leave this property unset or blank
location.loader.database.pool.size | Number of threads to use to update the database
location.loader.dbqueue.maxsize | Advanced: maximum number of location records to be kept in the queue for the database threads
location.loader.cache.location.maxcount | Advanced: maximum number of location records to be kept in cache while updating existing location data
location.loader.cache.split.maxcount | Advanced: maximum number of location split records to be kept in cache while updating existing location data
location.loader.cache.anonymizer.maxcount | Advanced: maximum number of anonymizer records to be kept in cache while updating existing location data
location.loader.database.commit.batch.size | Maximum number of location records to batch before issuing a database commit
location.loader.database.commit.batch.seconds | Maximum time to hold an uncommitted batch
location.loader.cache.isp.maxcount | Maximum number of ISP records to be kept in cache


29.4.1.3 Setting Up for Loading MaxMind IP data

Before running the IP location loader, the Blocks.csv file from MaxMind must be preprocessed with the following commands, which keep a copy of the original, strip the double quotes, and sort the records numerically on the first (start IP) column:

   $ mv Blocks.csv Blocks-original.csv
   $ sed -e 's/\"//g' Blocks-original.csv | sort -n -t, -k1,1 -o Blocks.csv

29.4.1.4 Setting Up Encryption

Refer to Chapter 2, "Setting Up the Oracle Adaptive Access Manager Environment for the First Time" for information on setting up encryption.

29.4.1.5 Loading Location Data

After completing the setup described above, load the location data into the Oracle Adaptive Access Manager database as follows.

  1. Set the JAVA_HOME environment variable to point to the location of the JDK.

    Make sure the JAVA_HOME environment variable is set to the JDK certified for the Identity Management Suite for 11g.

  2. Run the loadIPLocationData script.

    From bash shell, execute loadIPLocationData.sh

    From Windows command prompt, execute loadIPLocationData.cmd

    The command returns 0 when the data load is successful; on failure it returns 1.

29.4.2 System Behavior

The IP location loader utility reads the information from the IP location data files (from Quova/Neustar or ip2location or maxmind) to populate the IP location tables in the Oracle Adaptive Access Manager system. The first time the utility is run against a new database, it inserts one or more rows into the vcrypt_ip_location_map for each record in the data file. It also creates a new record in vcrypt_country for each unique country name in the data file, a new record in vcrypt_state for each unique combination of country name and state name in the data file, and a new record in vcrypt_city for each unique combination of country name, state name, and city name in the data file.

When the IP location loader is run with a new data file against an already populated database, it skips records in the datafile that have matching, identical records in the vcrypt_ip_location_map table. It creates a new row in the vcrypt_ip_location_map for each record in the data file whose FROM_IP_ADDR does not already appear in the database. It updates the rows in the vcrypt_ip_location_map whose FROM_IP_ADDR matches the record in the data file, but has different data in other columns. The loader also creates new countries, states, and cities that do not already exist in the database.

29.4.3 Quova/Neustar File Layout

The Quova/Neustar data file is a pipe-delimited ('|') file, with 29 fields on each line, and one record per line. The information in these tables comes from Quova/Neustar's GeoPoint Data Glossary. In the following table, IP represents the vcrypt_ip_location_map table, CO represents the vcrypt_country table, ST represents the vcrypt_state table, and CI represents the vcrypt_city table.

The file layout is as follows:

Table 29-4 Quova/Neustar File Layout

Quova/Neustar Field | Oracle Adaptive Access Manager Field | Description
Start IP | IP.from_ip_addr | The beginning of the IP range, also used as an alternate primary key on the vcrypt_ip_location_map table.
End IP | IP.to_ip_addr | The end of the IP range.
CIDR | (not used) |
Continent | (not used) |
Country | CO.country_name | The country name.
Country ISO2 | (not used) |
Region | (not used) |
State | ST.state_name | The state name.
City | CI.city_name | The city name.
Postal code | (not used) |
Time zone | (not used) |
Latitude | CI.latitude | The latitude of the IP address. Positive numbers represent North, and negative numbers represent South.
Longitude | CI.longitude | The longitude of the IP address. Positive numbers represent East, and negative numbers represent West.
Phone number prefix | (not used) |
AOL Flag | mapped to IP.isp_id | Tells whether the IP address is an AOL IP address.
DMA | (not used) |
MSA | (not used) |
PMSA | (not used) |
Country CF | IP.country_cf | The confidence factor (1-99) that the correct country has been identified.
State CF | IP.state_cf | The confidence factor (1-99) that the correct state has been identified.
City CF | IP.city_cf | The confidence factor (1-99) that the correct city has been identified.
Connection type | mapped to IP.connection_type | Describes the data connection between the device or LAN and the internet. See the Connection Types mapping (Table 29-6).
IP routing type | mapped to IP.routing_type | Tells how the user is routed to the internet. See the Routing Types mapping (Table 29-5).
Line speed | mapped to IP.connection_speed | Describes the connection speed, which depends on the connection type. See the Connection Speed mapping (Table 29-7).
ASN | IP.asn | Globally unique number assigned to a network or group of networks that is managed by a single entity.
Carrier | IP.carrier | The name of the entity that manages the ASN entry.
Second-level Domain | mapped to IP.sec_level_domain | The second-level domain of the URL, for example "oracle" in www.oracle.com. This is mapped through the Quova/Neustar reference file.
Top-level Domain | mapped to IP.top_level_domain | The top-level domain of the URL, for example "com" in www.company.com. This is mapped through the Quova/Neustar reference file.
Registering Organization | (not used) |



29.4.3.1 Routing Types Mapping

A table for routing types mapping is shown in Table 29-5.

Table 29-5 Routing Types Mappings

Routing Type | Oracle Adaptive Access Manager ID | Description
fixed | 1 | User IP is at the same location as the user.
anonymizer | 2 | User IP is located within a network block that has tested positive for anonymizer activity.
aol | 3 | User is a member of the AOL service. The user country can be identified in most cases; any regional information more granular than country is not possible.
aol pop | 4 | User is a member of the AOL service. The user country can be identified in most cases; any regional information more granular than country is not possible.
aol dialup | 5 | User is a member of the AOL service. The user country can be identified in most cases; any regional information more granular than country is not possible.
aol proxy | 6 | User is a member of the AOL service. The user country can be identified in most cases; any regional information more granular than country is not possible.
pop | 7 | User is dialing into a regional ISP and is likely to be near the IP location; the user could be dialing across geographical boundaries.
superpop | 8 | User is dialing into a multistate or multinational ISP and is not likely to be near the IP location; the user could be dialing across geographical boundaries.
satellite | 9 | A user connecting to the Internet through a consumer satellite, or a user connecting to the Internet with a backbone satellite provider where no information about the terrestrial connection is available.
cache proxy | 10 | User is proxied through either an internet accelerator or a content distribution service.
international proxy | 11 | A proxy that contains traffic from multiple countries.
regional proxy | 12 | A proxy (not an anonymizer) that contains traffic from multiple states within a single country.
mobile gateway | 13 | A gateway that connects mobile devices to the public internet. For example, WAP is a gateway used by mobile phone providers.
none | 14 | Routing method is not known or is not identifiable in the preceding descriptions.
unknown | 99 | Routing method is not known or is not identifiable in the preceding descriptions.


29.4.3.2 Connection Types Mapping

Table 29-6 shows connection types mappings.

Table 29-6 Connection Types Mappings

Connection Type | Oracle Adaptive Access Manager ID | Description
ocx | 1 | This represents OC-3 circuits, OC-48 circuits, and so on, which are used primarily by large backbone carriers.
tx | 2 | This includes T-3 circuits and T-1 circuits still used by many small and medium companies.
satellite | 3 | This represents high-speed or broadband links between a consumer and a geosynchronous or low-earth orbiting satellite.
framerelay | 4 | Frame relay circuits may range from low to high speed and are used as a backup or alternative to T-1. Most often they are high-speed links, so GeoPoint classifies them as such.
dsl | 5 | Digital Subscriber Line broadband circuits, which include aDSL, iDSL, sDSL, and so on. In general, speeds range from 256k to 20MB per second.
cable | 6 | Cable modem broadband circuits, offered by cable TV companies. Speeds range from 128k to 36MB per second, and vary with the load placed on a given cable modem switch.
isdn | 7 | Integrated Services Digital Network high-speed copper-wire technology, supporting 128K per second, with ISDN modems and switches offering 1MB per second and greater speed. Offered by some major telcos.
dialup | 8 | This category represents the consumer dialup modem space, which operates at 56k per second. Providers include Earthlink, AOL and Netzero.
fixed wireless | 9 | Represents fixed wireless connections where the location of the receiver is fixed. The category includes WDSL providers such as Sprint Broadband Direct, as well as emerging WiMax providers.
mobile wireless | 10 | Represents cellular network providers such as Cingular, Sprint and Verizon Wireless, who employ CDMA, EDGE and EV-DO technologies. Speeds vary from 19.2k per second to 3MB per second.
consumer satellite | 11 |
unknown high | 12 | GeoPoint was unable to obtain any connection type, or the connection type is not identifiable in the preceding descriptions.
unknown medium | 13 | GeoPoint was unable to obtain any connection type, or the connection type is not identifiable in the preceding descriptions.
unknown low | 14 | GeoPoint was unable to obtain any connection type, or the connection type is not identifiable in the preceding descriptions.
unknown | 99 | GeoPoint was unable to obtain any connection type, or the connection type is not identifiable in the preceding descriptions.


29.4.3.3 Connection Speed Mapping

Table 29-7 shows connection speed mappings.

Table 29-7 Connection Speed Mappings

Connection Speed | Oracle Adaptive Access Manager ID | Description
high | 1 | OCX, TX, and Framerelay.
medium | 2 | Satellite, DSL, Cable, Fixed Wireless, and ISDN.
low | 3 | Dialup and Mobile Wireless.
unknown | 99 | Quova/Neustar was unable to obtain any line speed information.
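To make the file layout and the loader's merge rules concrete, here is an added example written for this page, not the product's loader: it parses constructed Quova/Neustar-style lines with the 29 fields of Table 29-4 into the vcrypt_ip_location_map, country, state and city columns the table names, applies the ID mappings of Tables 29-5 to 29-7, and merges records keyed on FROM_IP_ADDR as Section 29.4.2 describes (insert new, skip identical, update changed). The sample lines (RFC 5737 test networks, documentation ASNs), the in-memory table and the parse_record, upsert and load function names are constructed for the example.

```python
"""Parse Quova/Neustar-style IP location records and merge them the way the
OAAM IP location loader does (Section 29.4.2).

Added example for this page, not Oracle's loader.  Field order follows
Table 29-4, ID mappings follow Tables 29-5 to 29-7, and the in-memory
vcrypt_ip_location_map is a dict keyed by from_ip_addr.  Sample lines are constructed.
"""
from typing import Dict, Iterable, List

UNKNOWN = 99  # ID used by all three mappings for "unknown"

ROUTING_TYPE_ID = {
    "fixed": 1, "anonymizer": 2, "aol": 3, "aol pop": 4, "aol dialup": 5, "aol proxy": 6,
    "pop": 7, "superpop": 8, "satellite": 9, "cache proxy": 10, "international proxy": 11,
    "regional proxy": 12, "mobile gateway": 13, "none": 14,
}
CONNECTION_TYPE_ID = {
    "ocx": 1, "tx": 2, "satellite": 3, "framerelay": 4, "dsl": 5, "cable": 6, "isdn": 7,
    "dialup": 8, "fixed wireless": 9, "mobile wireless": 10, "consumer satellite": 11,
    "unknown high": 12, "unknown medium": 13, "unknown low": 14,
}
CONNECTION_SPEED_ID = {"high": 1, "medium": 2, "low": 3}

# The 29 pipe-delimited fields of Table 29-4, in file order.
FIELDS = [
    "start_ip", "end_ip", "cidr", "continent", "country", "country_iso2", "region",
    "state", "city", "postal_code", "time_zone", "latitude", "longitude",
    "phone_prefix", "aol_flag", "dma", "msa", "pmsa", "country_cf", "state_cf",
    "city_cf", "connection_type", "routing_type", "line_speed", "asn", "carrier",
    "sec_level_domain", "top_level_domain", "registering_org",
]


def parse_record(line: str) -> Dict[str, object]:
    """Map one data-file line to the columns Table 29-4 says are used."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    raw = dict(zip(FIELDS, parts))

    def cf(value: str) -> int:  # confidence factors are 1-99
        return max(1, min(99, int(value)))

    return {
        "from_ip_addr": raw["start_ip"], "to_ip_addr": raw["end_ip"],
        "country_name": raw["country"], "state_name": raw["state"], "city_name": raw["city"],
        "latitude": float(raw["latitude"]), "longitude": float(raw["longitude"]),
        "country_cf": cf(raw["country_cf"]), "state_cf": cf(raw["state_cf"]), "city_cf": cf(raw["city_cf"]),
        "connection_type": CONNECTION_TYPE_ID.get(raw["connection_type"].lower(), UNKNOWN),
        "routing_type": ROUTING_TYPE_ID.get(raw["routing_type"].lower(), UNKNOWN),
        "connection_speed": CONNECTION_SPEED_ID.get(raw["line_speed"].lower(), UNKNOWN),
        "asn": raw["asn"], "carrier": raw["carrier"],
    }


def upsert(table: Dict[str, dict], rec: dict) -> str:
    """Apply the 29.4.2 rules keyed on FROM_IP_ADDR: insert new, skip identical, update changed."""
    key = rec["from_ip_addr"]
    if key not in table:
        table[key] = dict(rec)
        return "inserted"
    if table[key] == rec:
        return "skipped"
    table[key] = dict(rec)
    return "updated"


def load(table: Dict[str, dict], lines: Iterable[str]) -> Dict[str, int]:
    """Load every line, returning how many rows were inserted, updated and skipped."""
    counts = {"inserted": 0, "updated": 0, "skipped": 0}
    for line in lines:
        counts[upsert(table, parse_record(line))] += 1
    return counts


# Constructed sample records (RFC 5737 test networks, documentation ASNs).
SAMPLE_LINES: List[str] = [
    "192.0.2.0|192.0.2.255|192.0.2.0/24|north america|united states|us|new england|massachusetts"
    "|boston|02101|america/new_york|42.3584|-71.0598|617|n|506|1120|1123|99|95|80"
    "|cable|fixed|medium|64496|example carrier|example|com|example llc",
    "198.51.100.0|198.51.100.127|198.51.100.0/25|europe|germany|de|bavaria|bayern|munich"
    "|80331|europe/berlin|48.1374|11.5755|49|n|0|0|0|99|90|70"
    "|tx|anonymizer|high|64497|example carrier|example|de|example gmbh",
]

if __name__ == "__main__":
    ip_map: Dict[str, dict] = {}
    print("first load:", load(ip_map, SAMPLE_LINES))   # all inserted
    print("second load:", load(ip_map, SAMPLE_LINES))  # all skipped
```

Loading the same file twice shows the skip rule; changing one field of a record and loading again shows the update rule, which is the behaviour to expect when a new vendor edition is loaded over an existing database. The second sample record maps to routing type 2 (anonymizer), which is the value the risk policies see for that range.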


29.4.4 Oracle Adaptive Access Manager Tables

This section contains the tables used by the ETL process

29.4.4.1 Anonymizer

The following tables and sequences are used for uploading the Anonymizer data. Make sure the ETL process has sufficient privileges to read and update these tables.

Table 29-8 Anonymizer Data

Name | Table/Sequence
V_LONG_VALUE_ELEM_SEQ | Sequence
VCRYPT_LONG_VALUE_ELEMENT | Table
VCRYPT_VALUE_LIST | Table
V_VALUE_LIST_SEQ | Sequence
VCRYPT_CACHE_STATUS | Table
VCRYPT_CACHE_STATUS_SEQ | Sequence


29.4.4.2 Tables in Location Loading

The IP location loader requires read/write access to the following tables:

  • VCRYPT_IP_LOCATION_MAP

  • V_IP_LOCATION_MAP_SEQ

  • V_IP_LOC_MAP_HIST

  • V_IP_LOC_MAP_HIST_SEQ

  • V_IP_LOC_MAP_SPLIT

  • V_IP_LOC_MAP_SPLIT_SEQ

  • V_IP_LOC_MAP_SPLIT_HIST

  • V_IP_LOC_MAP_SPLIT_HIST_SEQ

  • VCRYPT_COUNTRY

  • V_COUNTRY_SEQ

  • V_COUNTRY_HIST

  • V_COUNTRY_HIST_SEQ

  • VCRYPT_STATE

  • V_STATE_SEQ

  • V_STATE_HIST

  • V_STATE_HIST_SEQ

  • VCRYPT_CITY

  • V_CITY_SEQ

  • V_CITY_HIST

  • V_CITY_HIST_SEQ

  • VCRYPT_ISP

  • VCRYPT_ISP_SEQ

  • V_ISP_HIST

  • V_ISP_HIST_SEQ

  • V_LOC_LOOKUP

  • V_LOC_LOOKUP_SEQ

  • V_LOC_UPD_SESS

  • V_LOC_UPD_SESS_SEQ

  • V_UPD_LOGS

  • V_UPD_LOGS_SEQ

  • VCRYPT_LONG_VALUE_ELEMENT

  • V_LONG_VALUE_ELEM_SEQ

  • VCRYPT_VALUE_LIST

  • V_VALUE_LIST_SEQ

  • VCRYPT_VALUE_LIST_HIST

  • V_VALUE_LIST_HIST_SEQ

  • VCRYPT_CACHE_STATUS

  • VCRYPT_CACHE_STATUS_SEQ

29.4.5 Verifying When the Loading was a Success

The loader script returns 0 when the data load is successful; on failure it returns 1.


D Oracle Adaptive Access Manager Reports Reference

Reports are available for the following topics in Oracle Adaptive Access Manager:

D.1 Common Reports

These reports provide data based on device location or login information.

Report Name | Description
RecentLogins | Lists all logins in the specified time range.


D.2 Devices Reports

These reports provide data based on the device information.

Report Name        Description
DeviceIdScoring    Displays Device ID scoring summary for the designated date range.
MultipleFailures   Lists all devices with multiple login failures in the specified time range.
MultipleUsers      Lists all devices that have multiple users.


D.3 KBA Reports

These reports provide data based on the KBA information.

Report Name           Description
ChallengeStatistics   Lists challenge response statistics. For example:
                      Users with Failure counter > 0 - failures more than none (have failed at least once)
                      Users with multiple failures - failures more than one (have failed multiple times)
QuestionStatistics    Lists challenge question statistics.
Registration          Lists question registration statistics.



Note:

Updated statistics are not available immediately after a user is challenged or answers a question. The BI Publisher reports are generated from the database and database updates do not occur in real-time for the statistics.


D.4 Location Reports

These reports provide data based on the location information.

Report Name        Description
CountryAggregates  Displays country aggregate summary for the designated date range.
MultipleUsers      Lists all locations that have multiple users.
StateAggregates    Displays state aggregate summary for the designated date range.


D.5 Performance Reports

These reports provide data based on the performance information.

Report Name             Description
RulesAPIPerformance     Displays the Average Processing time and counts for Rule API calls for the designated date range.
RulesPerformance        Displays the Average Processing time, runtime, and counts for the rules in the designated date range.
TrackerAPIPerformance   Displays the Average Processing time and counts for Tracker API calls for the designated date range.


D.6 Security Reports

These reports provide data based on the security information.

Report Name           Description
AlertsBreakdown       Displays alert breakdown summary for the designated date range.
PostAuthScoring       Displays post-authorization scoring summary for the designated date range.
PreAuthScoring        Displays pre-authorization scoring summary for the designated date range.
RulesBreakdown        Displays rules breakdown summary for the designated date range.
ScoringCombinations   Displays score combination summary for the designated date range.


D.7 Summary Reports

These reports provide summaries for date ranges.

Report Name       Description
AveragesSummary   Displays average summary for the designated date range.
LoginSummary      Displays login aggregate summary for the designated date range.


D.8 Users Reports

These reports provide data based on the user information.

Report Name       Description
MultipleDevices   Lists all users that use multiple devices.



Part VIII

Scheduling Jobs

This part provides information about defining, scheduling, and running jobs for performing batch analysis.


G Oracle Adaptive Access Manager Properties

This appendix provides essential properties used by Oracle Adaptive Access Manager.

G.1 Properties

Action Override

The Action Override feature is turned off by default. To enable action overrides, set the following property to "true":

vcrypt.tracker.rules.allowControlledActions

Authenticator Phrase

To customize the phrase in the virtual authentication device, set the following two parameters:

bharosa.user.noun.list
bharosa.user.adj.list

The authenticator phrase is created by these two properties.

Both are comma-separated lists of words.

Examples:

actors,age,air,aircraft
abundant,accessible,accommodating

For images to be displayed, set the following properties:

vcrypt.user.image.dirlist.property.name=bharosa.image.dirlist
bharosa.image.dirlist=<imagePath>

The following property in client_resource_<locale>.properties determines whether the QuestionPad is set for visible text input or password (non-visible) input.

bharosa.authentipad.questionpad.datafield.input.type

Valid values are text and password.

The accessible versions of the pads contain tabbing, directions and ALT text necessary for navigation via screen reader and other assistive technologies.

To enable these versions, set the is ADA compliant flag to true.

For native integration the property to control the pads is

desertref.authentipad.isADACompliant

For UIO, the property to control the pads is

bharosa.uio.default.authentipad.is_ada_compliant

Autolearning

To enable autolearning properties:

  1. Ensure that vcrypt.tracker.autolearning.enabled is set to true.

    This property must always be set to true. It is like a "master (on/off) switch" for autolearning.

  2. Set the following properties to true:

    • vcrypt.tracker.autolearning.use.auth.status.for.analysis

      This property must be set to true for the authentication patterns to work. Authentication patterns are the patterns that analyze the data related to authentication (login) related information only.

    • vcrypt.tracker.autolearning.use.tran.status.for.analysis

      This property must be set to true.

  3. If the properties do not exist, create them.

User Name in Lowercase

If you want the user name to be in lowercase, set bharosa.uio.default.username.case.sensitive to false.

By default this property is set to true.

When it is set to true, the user name is always in lower case. If it is set to false, the user name is taken as is.

For example:

myusername

MyUserName

myUserName

If the property is true (default), all of these are the same user and will appear in OAAM Admin as "myusername".

If the property is false, all of these are different users and will appear in OAAM Admin as entered.

Configurable Actions

To enable the configurable actions feature, set dynamicactions.enabled to true.

Device Registration

Setting the following properties adds text and a checkbox to the bottom of the challenge page. When a user is challenged, the checkbox and text allow the user to register the current device (if it is not already registered). If the device is already registered for that user, the option does not appear unless the user unregisters the device in User Preferences.

bharosa.uio.default.registerdevice.enabled=true
bharosa.uio.default.userpreferences.unregister.this.enabled=true
bharosa.uio.default.userpreferences.unregister.all.enabled=true 

In native integration, to enable device registration:

Set bharosa.tracker.send.devideId to true so that the device ID can be captured.

Enumerations

For the enumerations to be listed in the Properties Editor, you must set the following property to false:

bharosa.config.ui.list.filter.enum=false

Expiry Behavior for CSR Cases

To set "expiry" behavior for CSR cases (default setting), modify the following properties:

customercare.case.expirybehavior.enum.csrcase.behavior = expiry 
customercare.case.expirybehavior.enum.csrcase.label = Expired
customercare.case.expirybehavior.enum.csrcase.durationInHrs = 24
customercare.case.expirybehavior.enum.csrcase.resetonaccess = false

When durationInHrs is set to 24 hours, the case expires in a day.

When resetonaccess is set to true, the expiration date is reset when a case is accessed.

To disable the "expiry" behavior for CSR cases, modify the following property:

customercare.case.expirybehavior.enum.csrcase.behavior = none 

KBA

Ensure the bharosa.kba.active property is set to true.

The "Questions user will register" setting should be between 3 and 7. This provides enough questions to offer good security without overburdening a user's memory. The basic industry standard for KBA is 3 registered questions.

The max and min limits are configurable through the following properties.

bharosa.config.type.kba_config.enum.regQuestionsCount.validation.minValue=3 
bharosa.config.type.kba_config.enum.regQuestionsCount.validation.maxValue=7

Proxy Mode Setting

OAAM Server is configured to be in non-proxy mode with the flag bharosa.uio.proxy.mode.flag set to false by default.

The user must explicitly configure OAAM Server to be used in proxy mode.

Scheduler

To enable scheduler so that jobs are run, set the following property to true:

vcrypt.reports.scheduler.activate

By default, the property is set to false. Jobs can be created, but they will not run until the property is changed to true.

Transactions in Session Details

Before you can view transactions in the Session Details page, you must set the property to show transactions to true.

bharosa.trackeradmin.show.transaction.detail=true

Setting the property to false turns off the display for transactions.

G.2 Time Zone

A time zone identifies an area that always shares the same local time.

To set the time zone that will be used for all timestamps in the user interface, use the Property Editor to set oaam.adf.timezone to the desired time zone.

For example,

oaam.adf.timezone = Atlantic/Reykjavik


Part XI

Command-Line Interface

This part describes how to set up and use Oracle Adaptive Access Manager's command-line interface.


Part VII

OAAM Offline Environment

This part contains instructions on how to use an OAAM Offline environment.


F Globalization Support

This chapter provides information on customizing Oracle Adaptive Access Manager for your locale.

F.1 Supported Languages

Oracle Adaptive Access Manager 11g is translated into 9 Admin languages for OAAM Admin and 26 languages for OAAM Server. These translations are bundled along with the English version of the product.

The languages and their locale identifiers (in parentheses) are listed below. A locale identifier consists of at least a language identifier, and a region identifier (if required).

OAAM Admin is translated into French (fr), German (de), Italian (it), Spanish (es), Brazilian Portuguese (pt_br), Japanese (ja), Korean (ko), Simplified Chinese (zh_cn), and Traditional Chinese (zh_tw).

When one of the non-OAAM Admin locale languages is set in the browser (for example Arabic), OAAM Admin uses the default locale, English. When one of the non-standard runtime locale languages is set in the browser, OAAM Server uses the default locale, English.

OAAM Server is translated into 26 languages: French (fr), German (de), Italian (it), Spanish (es), Brazilian Portuguese (pt_br), Japanese (ja), Korean (ko), Simplified Chinese (zh_cn), Traditional Chinese (zh_tw), Arabic (ar), Czech (cs), Danish (da), Dutch (nl), Finnish (fi), Greek (el), Hebrew (iw), Hungarian (hu), Norwegian (no), Polish (pl), Portuguese (pt), Romanian (ro), Russian (ru), Slovak (sk), Swedish (sv), Thai (th), and Turkish (tr).

F.2 Turning Off Localization

There is no flag to turn off localization, but there is a property that captures the locales supported by the deployment. The property can be used to enable only one locale.

You would change the locale.enum.XXX.adminSupported and locale.enum.XXX.enabled properties to false for each unwanted locale.

F.3 Configuring Language Defaults for Oracle Adaptive Access Manager

You can configure language defaults in the client_resource_<locale>.properties file using the bharosa.locale.enum property. Refer to "Extending/Customizing OAAM" in Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager for instructions on customizing Oracle Adaptive Access Manager.

An example of a bharosa.locale.enum is shown here:

bharosa.locale.enum.german=2
bharosa.locale.enum.german.name=German
bharosa.locale.enum.german.description=German
bharosa.locale.enum.german.language=de
bharosa.locale.enum.german.country=
bharosa.locale.enum.german.adminSupported=true
bharosa.locale.enum.german.enabled=true

To enable the default locale:

  1. Add and set the bharosa.locale.enum.<locale>.enabled properties of the locales you want to support to true.

  2. Add and set the bharosa.locale.enum.<locale>.enabled properties of the locales you do not want to support to false.

  3. Add and set the bharosa.default.locale property to match the bharosa.locale.enum.<locale> property of your locale.


Note:

The only locales supported are the ones listed in the enums.


F.3.1 Example 1

A German bank wants to set German as the default language and wants to support only German. To do this, follow these steps for client_resource_de.properties:

  1. If the locale enum does not exist, create it:

    bharosa.locale.enum.german.enabled=true
    
  2. If the locale enum already exists, set it to true.

  3. If present, set other bharosa.locale.enum.<locale>.enabled properties to false.

    bharosa.locale.enum.italian.enabled=false 
    bharosa.locale.enum.french.enabled=false 
    bharosa.locale.enum.portuguese_br.enabled=false 
    bharosa.locale.enum.spanish.enabled=false
    bharosa.locale.enum.korean.enabled=false 
    bharosa.locale.enum.chinese_cn.enabled=false 
    bharosa.locale.enum.chinese_tw.enabled=false 
    bharosa.locale.enum.japanese.enabled=false 
    bharosa.locale.enum.arabic.enabled=false 
    bharosa.locale.enum.czech.enabled=false 
    bharosa.locale.enum.danish.enabled=false 
    bharosa.locale.enum.dutch.enabled=false 
    bharosa.locale.enum.finnish.enabled=false 
    bharosa.locale.enum.greek.enabled=false 
    bharosa.locale.enum.hebrew.enabled=false 
    bharosa.locale.enum.hungarian.enabled=false 
    bharosa.locale.enum.norwegian.enabled=false 
    bharosa.locale.enum.polish.enabled=false 
    bharosa.locale.enum.portuguese.enabled=false 
    bharosa.locale.enum.romanian.enabled=false 
    bharosa.locale.enum.russian.enabled=false 
    bharosa.locale.enum.slovak.enabled=false 
    bharosa.locale.enum.swedish.enabled=false 
    bharosa.locale.enum.thai.enabled=false 
    bharosa.locale.enum.turkish.enabled=false
    
  4. Set bharosa.default.locale property to match the value of the locale enum.

    Since bharosa.locale.enum.german=2, set bharosa.default.locale property to 2.

    If the property does not exist, create it.

F.3.2 Example 2

A Brazilian bank wants to set Brazilian Portuguese as the default, but wants to display all the other languages that OAAM Server has been translated into. To do this:

  1. If the locale enum does not exist, create it:

    bharosa.locale.enum.pt_br.enabled=true
    
  2. If the locale enum already exists, set it to true.

  3. Using the Properties Editor, set all other bharosa.locale.enum.<locale>.enabled properties to false.

  4. Set bharosa.default.locale property to the value of the locale enum using the Properties Editor.

    If bharosa.locale.enum.pt_br=9, set bharosa.default.locale property to 9.

  5. Set the bharosa.locale.enum.<locale>.enabled property in client_resource_<locale>.properties for all the languages OAAM Server has been translated into, and ensure they are set to true.

    bharosa.locale.enum.german.enabled=true 
    bharosa.locale.enum.italian.enabled=true 
    bharosa.locale.enum.french.enabled=true 
    bharosa.locale.enum.portuguese_br.enabled=true 
    bharosa.locale.enum.spanish.enabled=true
    bharosa.locale.enum.korean.enabled=true 
    bharosa.locale.enum.chinese_cn.enabled=true 
    bharosa.locale.enum.chinese_tw.enabled=true 
    bharosa.locale.enum.japanese.enabled=true 
    bharosa.locale.enum.arabic.enabled=true 
    bharosa.locale.enum.czech.enabled=true 
    bharosa.locale.enum.danish.enabled=true 
    bharosa.locale.enum.dutch.enabled=true 
    bharosa.locale.enum.finnish.enabled=true 
    bharosa.locale.enum.greek.enabled=true 
    bharosa.locale.enum.hebrew.enabled=true 
    bharosa.locale.enum.hungarian.enabled=true 
    bharosa.locale.enum.norwegian.enabled=true 
    bharosa.locale.enum.polish.enabled=true 
    bharosa.locale.enum.portuguese.enabled=true 
    bharosa.locale.enum.romanian.enabled=true 
    bharosa.locale.enum.russian.enabled=true 
    bharosa.locale.enum.slovak.enabled=true 
    bharosa.locale.enum.swedish.enabled=true 
    bharosa.locale.enum.thai.enabled=true 
    bharosa.locale.enum.turkish.enabled=true
    
  6. Set bharosa.default.locale property in client_resource_<locale>.properties to 9.

F.3.3 Example 3

A French bank wants clients to see French as a default, and wants to support only French, German, English, and Italian. The French locale enum is already present in the client_resource_fr.properties file.

bharosa.locale.enum.french=5
bharosa.locale.enum.french.name=French
bharosa.locale.enum.french.description=French
bharosa.locale.enum.french.language=fr
bharosa.locale.enum.french.country=
bharosa.locale.enum.french.adminSupported=true
bharosa.locale.enum.french.enabled=true

To configure the application:

  1. In client_resource_fr.properties set bharosa.locale.enum.<locale>.enabled to true for German, Italian, and English.

    bharosa.locale.enum.german.enabled=true
    bharosa.locale.enum.italian.enabled=true
    bharosa.locale.enum.english.enabled=true
    
  2. Set all other bharosa.locale.enum.<locale>.enabled properties to false.

  3. Set bharosa.default.locale property to the value of the locale enum.

    Since bharosa.locale.enum.french=5, set bharosa.default.locale property to 5.

F.3.4 Example 4

A German bank wants to set English as the default language and wants to support all other languages. To do this, follow these steps for client_resource_de.properties:

  1. If the locale enum does not exist, create it:

    bharosa.locale.enum.english.enabled=true
    
  2. If the locale enum already exists, set it to true.

  3. If present, set other bharosa.locale.enum.<locale>.enabled properties to true.

    bharosa.locale.enum.italian.enabled=true 
    bharosa.locale.enum.german.enabled=true
    bharosa.locale.enum.french.enabled=true 
    bharosa.locale.enum.portuguese_br.enabled=true 
    bharosa.locale.enum.spanish.enabled=true
    bharosa.locale.enum.korean.enabled=true 
    bharosa.locale.enum.chinese_cn.enabled=true 
    bharosa.locale.enum.chinese_tw.enabled=true 
    bharosa.locale.enum.japanese.enabled=true 
    bharosa.locale.enum.arabic.enabled=true 
    bharosa.locale.enum.czech.enabled=true 
    bharosa.locale.enum.danish.enabled=true 
    bharosa.locale.enum.dutch.enabled=true 
    bharosa.locale.enum.finnish.enabled=true 
    bharosa.locale.enum.greek.enabled=true 
    bharosa.locale.enum.hebrew.enabled=true 
    bharosa.locale.enum.hungarian.enabled=true 
    bharosa.locale.enum.norwegian.enabled=true 
    bharosa.locale.enum.polish.enabled=true 
    bharosa.locale.enum.portuguese.enabled=true 
    bharosa.locale.enum.romanian.enabled=true 
    bharosa.locale.enum.russian.enabled=true 
    bharosa.locale.enum.slovak.enabled=true 
    bharosa.locale.enum.swedish.enabled=true 
    bharosa.locale.enum.thai.enabled=true 
    bharosa.locale.enum.turkish.enabled=true
    
  4. Set bharosa.default.locale property to match the value of the locale enum.

    Since bharosa.locale.enum.english=0, set bharosa.default.locale property to 0.

    If the property does not exist, create it.
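The four examples above all end with the same two checks: every locale's enabled flag is set explicitly, and bharosa.default.locale carries the numeric value of an enabled locale enum. The following script is an added example (not code from the Oracle documentation or the product) that reads a client_resource_<locale>.properties fragment and reports those checks; the locale names it knows are assumed from the property lists in the examples, and the sample input is constructed.

```python
"""Checks for an OAAM locale configuration (bharosa.locale.enum.* and
bharosa.default.locale) as described in Section F.3.

Added example, not part of the Oracle documentation or product. It reads the
property lines of a client_resource_<locale>.properties file, lists the
enabled locales, checks that bharosa.default.locale matches the numeric
value of an enabled locale enum, and reports locales with no explicit
.enabled setting. Locale names are assumed from the examples in this section.
"""
PREFIX = "bharosa.locale.enum."

# Locale enum names used in the Example 1-4 property lists (assumed set).
SERVER_LOCALES = {
    "english", "german", "italian", "french", "portuguese_br", "spanish",
    "korean", "chinese_cn", "chinese_tw", "japanese", "arabic", "czech",
    "danish", "dutch", "finnish", "greek", "hebrew", "hungarian", "norwegian",
    "polish", "portuguese", "romanian", "russian", "slovak", "swedish",
    "thai", "turkish",
}


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def locale_report(text):
    """Return {'default': name or None, 'enabled': [names], 'problems': [str]}."""
    props = parse_properties(text)
    enums = {}    # locale name -> numeric value (bharosa.locale.enum.<name>=N)
    enabled = {}  # locale name -> bool (bharosa.locale.enum.<name>.enabled)
    for key, value in props.items():
        if not key.startswith(PREFIX):
            continue
        name, _, attr = key[len(PREFIX):].partition(".")
        if attr == "":
            enums[name] = value
        elif attr == "enabled":
            enabled[name] = value.lower() == "true"

    problems = []
    default = props.get("bharosa.default.locale")
    default_name = next((n for n, v in enums.items() if v == default), None)
    if default is None:
        problems.append("bharosa.default.locale is not set")
    elif default_name is None:
        problems.append(
            f"bharosa.default.locale={default} matches no bharosa.locale.enum value")
    elif not enabled.get(default_name, False):
        problems.append(f"default locale '{default_name}' is not enabled")

    # The examples in this section set every locale's .enabled line explicitly;
    # flag any locale that was left unset so the administrator can decide.
    missing = sorted(SERVER_LOCALES - set(enabled))
    if missing:
        problems.append("no explicit enabled setting for: " + ", ".join(missing))

    return {
        "default": default_name,
        "enabled": sorted(n for n, on in enabled.items() if on),
        "problems": problems,
    }


# Constructed sample modelled on Example 3 (French default; French, German,
# Italian and English supported) with a deliberately wrong default value.
SAMPLE = """
bharosa.locale.enum.french=5
bharosa.locale.enum.french.name=French
bharosa.locale.enum.french.language=fr
bharosa.locale.enum.french.enabled=true
bharosa.locale.enum.german=2
bharosa.locale.enum.german.enabled=true
bharosa.locale.enum.english=0
bharosa.locale.enum.english.enabled=true
bharosa.locale.enum.italian.enabled=true
bharosa.locale.enum.spanish.enabled=false
bharosa.default.locale=9
"""

if __name__ == "__main__":
    report = locale_report(SAMPLE)
    print("default:", report["default"], "enabled:", report["enabled"])
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```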

F.4 Dashboard

The Oracle Adaptive Access Manager Dashboard is an application that provides a high-level view of real monitor data. Monitor data is a representative sample of data. It presents a real-time view of activity via aggregates and trending.

To view the Dashboard in the language you want, set your browser's language preference to the appropriate language.

All data viewed in the Dashboard is based on the time zone of the server. This means that any data generated by OAAM is governed by the time zone of the server, and not the user time zone, but the information is presented per your browser settings. For information on setting the time zone, refer to Section 2.9, "Setting the Time Zone Used for All Time Stamps in the Administration Console."

For more information on the dashboard, refer to Chapter 24, "Using the Dashboard."

F.5 Knowledge Based Authentication

Oracle Adaptive Access Manager provides out-of-the-box secondary authentication in the form of knowledge based authentication (KBA). KBA provides an infrastructure for challenge question creation and the logic algorithms for registration and answers. This section contains information on customizing certain KBA user experiences.

F.5.1 Answer Logic Phonetics Algorithms

Answers that "sound like" the registered answer, regional spelling differences, and common misspellings are handled by the phonetics algorithm.

For information on customization, see Section 7.10, "Customizing English Abbreviations and Equivalences."

The phonetics algorithm is only supported in English.

For information on customization for locales, see Section 7.11, "Customizing Abbreviations and Equivalences for Locales."

F.5.2 Keyboard Fat Fingering

Oracle's Fat Fingering algorithm accounts for typos caused by the proximity of keys on a standard keyboard and for transposed letters; answers with such typos are accepted by the fat fingering algorithm.

The fat fingering algorithm is only supported in English.

F.5.3 Adding Abbreviations and Equivalences for Answer Logic

Oracle Adaptive Access Manager supports the concept of "fuzzy logic." Fuzzy logic, in part, relies on pre-configured sets of word equivalents, commonly known as abbreviations.

In the English version of Oracle Adaptive Access Manager, there are several thousand English abbreviations (and equivalences).

In all other languages, the installer must enhance the brief abbreviation files provided. Without additions, the fuzzy logic will not be as effective.

For information on customizing abbreviations and equivalences for locales, refer to Section 7.11, "Customizing Abbreviations and Equivalences for Locales."

F.5.4 Adding Registration Questions

The deployment administrator must ensure that there are enough questions in the database for each of the supported locales as configured in OAAM Admin during deployment; otherwise, OAAM Server displays only the English language questions during registration.

The number of locale-specific questions must be equal to or greater than the "Questions User Will Register" multiplied by the "Questions per Menu" multiplied by the "Categories per Menu."

For information on adding registration questions, refer to Section 7.5.3, "Creating a New Question."


15 Creating Checkpoints

A checkpoint is a specified point in a session when Oracle Adaptive Access Manager collects and evaluates security data using the rules engine.

New checkpoints can be added and existing checkpoint properties can be modified using the Properties Editor.

This chapter provides information on how to create and configure a new checkpoint and how to modify an existing checkpoint.

15.1 Creating a New Checkpoint

To create a new checkpoint, use the Properties Editor.

The enumeration for a checkpoint is shown below for your reference.

profile.type.enum.<nameofcheckpoint>=<Checkpoint Value>
profile.type.enum.<nameofcheckpoint>.name=<Checkpoint Name>
profile.type.enum.<nameofcheckpoint>.description=<Checkpoint Description>
profile.type.enum.<nameofcheckpoint>.ruleTypes=user,device,location
profile.type.enum.<nameofcheckpoint>.listTypes=vtusers
profile.type.enum.<nameofcheckpoint>.finalactionrule=process_results.rule
profile.type.enum.<nameofcheckpoint>.isPreAuth=true

The Checkpoint value must be a unique number. Make sure no other checkpoint uses the identifier. This ID is like a primary key in database terminology. For example, "1001."

The Checkpoint name must be user-presentable and meaningful. The name is used in Oracle Adaptive Access Manager.

If the checkpoint creation is successful, add the appropriate properties by clicking the Add New button under the Properties box.

The Checkpoint's required properties are:

  • finalactionrule=process_results.rule

    The "finalactionrule" property specifies the Rule file that decides the final action. When the Rules Engine processes the policies for the checkpoint, it determines the score and a list of actions. The rule file is consulted to see what action should be given as the final action. If you are not sure, set the value as in the other checkpoints. The out-of-the-box "process_results.rule" file is sufficient for most actions.

  • listTypes=vtusers

    Always set listTypes to "vtusers."

    The policy can be linked to only usergroups.

  • ruleTypes=user,device,location,in_session

    The "ruleTypes" property defines the list of rule types supported during the checkpoint. Depending on the context of the checkpoint, possible values are "user," "device," "location," and "in_session." Use commas to separate multiple values. All Rules of the comma separated types can be used in this checkpoint.

    For example if ruleTypes is set to "user,location," the Rules of the type "user" and "location" can be used in this checkpoint, and the user and location information is available for this checkpoint.

    As another example, for the "Cancel Order" checkpoint, if "user,device,location" are specified for ruleTypes, the "user" Rule type expects the user information to be available during the "Cancel Order" checkpoint. If the user information is not available at the time of the "Cancel Order" checkpoint, "user" should not be included in the list.

Other properties you may add are:

  • isPreAuth

    True indicates that this checkpoint is a pre-authentication checkpoint. OAAM Admin updates the user details with the pre-auth score and pre-auth action. The default for isPreAuth is "false." Note that there cannot be two checkpoints with this flag set to "true." Also the same checkpoint cannot be marked as postAuth and preAuth.

  • isPostAuth

    True indicates that this checkpoint is a post-authentication checkpoint. OAAM Admin updates the user details with the post-auth score and post-auth action. The default for isPostAuth is "false." Note that there cannot be two checkpoints with this flag set to "true." Also the same checkpoint cannot be marked as postAuth and preAuth.

After creating the checkpoint, you need to restart the server.

15.2 Creating a Checkpoint Example

Below is an example for creating the "addressChange" checkpoint.

profile.type.enum.addressChange=88
profile.type.enum.addressChange.name=Address Change
profile.type.enum.addressChange.description=Address Change checkpoint
profile.type.enum.addressChange.ruleTypes=user,device,location
profile.type.enum.addressChange.listTypes=vtusers
profile.type.enum.addressChange.finalactionrule=process_results.rule
profile.type.enum.addressChange.isPreAuth=true

For finalactionrule, "process_results.rule" was provided because the Final Action for a given checkpoint during rules evaluation is determined by this rule file. File process_results.rule is supplied out-of-the-box and no additional steps are required.
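Because checkpoint properties are entered by hand in the Properties Editor and only take effect after a restart, it helps to lint them first. The following script is an added example (not code from the Oracle documentation or the product) that checks a set of profile.type.enum.* lines against the constraints this chapter states; the sample input reuses the addressChange checkpoint above and adds a constructed, deliberately faulty cancelOrder checkpoint.

```python
"""Sanity checks for OAAM checkpoint enumerations (profile.type.enum.*).

Added example, not part of the Oracle documentation or product. It enforces
the constraints this chapter states: a unique numeric checkpoint value, the
required name/ruleTypes/listTypes/finalactionrule properties, ruleTypes drawn
from user/device/location/in_session, listTypes equal to vtusers, at most one
checkpoint flagged isPreAuth and one flagged isPostAuth, never both flags on
the same checkpoint.
"""
from collections import defaultdict

PREFIX = "profile.type.enum."
ALLOWED_RULE_TYPES = {"user", "device", "location", "in_session"}
REQUIRED = ("name", "ruleTypes", "listTypes", "finalactionrule")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def group_checkpoints(props):
    """Return {checkpoint: {attr: value}}; attr '' holds the numeric value."""
    checkpoints = defaultdict(dict)
    for key, value in props.items():
        if key.startswith(PREFIX):
            name, _, attr = key[len(PREFIX):].partition(".")
            checkpoints[name][attr] = value
    return dict(checkpoints)


def validate_checkpoints(text):
    """Return a list of problem strings; an empty list means the config passes."""
    problems = []
    values = {}  # numeric value -> checkpoint that uses it
    pre_auth, post_auth = [], []
    for name, attrs in sorted(group_checkpoints(parse_properties(text)).items()):
        value = attrs.get("")
        if value is None or not value.isdigit():
            problems.append(f"{name}: checkpoint value must be a number")
        elif value in values:
            problems.append(f"{name}: value {value} already used by {values[value]}")
        else:
            values[value] = name
        for req in REQUIRED:
            if not attrs.get(req):
                problems.append(f"{name}: missing {req}")
        rule_types = {t.strip() for t in attrs.get("ruleTypes", "").split(",") if t.strip()}
        for bad in sorted(rule_types - ALLOWED_RULE_TYPES):
            problems.append(f"{name}: unsupported ruleType '{bad}'")
        if attrs.get("listTypes") and attrs["listTypes"] != "vtusers":
            problems.append(f"{name}: listTypes must be vtusers")
        is_pre = attrs.get("isPreAuth", "false").lower() == "true"
        is_post = attrs.get("isPostAuth", "false").lower() == "true"
        if is_pre and is_post:
            problems.append(f"{name}: cannot be both isPreAuth and isPostAuth")
        if is_pre:
            pre_auth.append(name)
        if is_post:
            post_auth.append(name)
    if len(pre_auth) > 1:
        problems.append("more than one checkpoint flagged isPreAuth: " + ", ".join(pre_auth))
    if len(post_auth) > 1:
        problems.append("more than one checkpoint flagged isPostAuth: " + ", ".join(post_auth))
    return problems


# Constructed sample: the chapter's addressChange checkpoint plus a hypothetical
# cancelOrder checkpoint that reuses its value, omits finalactionrule, uses an
# unsupported rule type and sets both authentication flags.
SAMPLE = """
profile.type.enum.addressChange=88
profile.type.enum.addressChange.name=Address Change
profile.type.enum.addressChange.description=Address Change checkpoint
profile.type.enum.addressChange.ruleTypes=user,device,location
profile.type.enum.addressChange.listTypes=vtusers
profile.type.enum.addressChange.finalactionrule=process_results.rule
profile.type.enum.addressChange.isPreAuth=true
profile.type.enum.cancelOrder=88
profile.type.enum.cancelOrder.name=Cancel Order
profile.type.enum.cancelOrder.ruleTypes=user,transaction
profile.type.enum.cancelOrder.listTypes=vtusers
profile.type.enum.cancelOrder.isPreAuth=true
profile.type.enum.cancelOrder.isPostAuth=true
"""

if __name__ == "__main__":
    for problem in validate_checkpoints(SAMPLE):
        print("PROBLEM:", problem)
```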


2 Setting Up the Oracle Adaptive Access Manager Environment for the First Time

All tasks in this book presume that you have Oracle Adaptive Access Manager 11g installed with initial configuration completed as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

This chapter presents details on setting up the Oracle Adaptive Access Manager environment for first time users. For information on how to upgrade an existing Oracle Adaptive Access Manager 10g (10.1.4.5) to Oracle Adaptive Access Manager 11g Release 1, refer to the Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management.

2.1 Installation and Configuration

The Oracle Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1) provides all installation and initial configuration details.

Oracle Adaptive Access Manager is installed into an environment where you may install other Oracle Identity Management 11g components.

The following Oracle Adaptive Access Manager-related components are deployed in a new WebLogic administration domain using the Oracle Fusion Middleware Configuration Wizard:

  • WebLogic Administration Server

  • Managed Server for Oracle Adaptive Access Manager

  • Oracle Adaptive Access Manager Console deployed on the Administration Server

For information on how to install and configure Oracle Adaptive Access Manager, see the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

2.2 Setting Up the Oracle Adaptive Access Manager Base Environment

After installing and configuring Oracle Adaptive Access Manager, you must complete the following tasks to set up the initial base Oracle Adaptive Access Manager environment.

Procedures are provided in the following sections:

2.3 Setting Up CLI Environment

The Oracle Adaptive Access Manager Command-Line Interface (CLI) scripts enable users to perform various tasks instead of using the Oracle Adaptive Access Manager Administration Console.

For information on setting up the CLI environment, see Section 29.2, "Setting Up the CLI Environment."

2.4 Setting Up Encryption and Database Credentials for Oracle Adaptive Access Manager

Encryption is used to protect data within Oracle Adaptive Access Manager from unauthorized access. The process uses methods and a key or keys to encode plain text into a non-readable form. A key is required to decrypt the encrypted information and make it readable again. Authorized persons who possess the key can decrypt information that is encrypted with the same key.

This section provides instructions to set up encryption and database credentials for Oracle Adaptive Access Manager.

2.4.1 Overview of the Process

An overview for setting up encryption and database credentials is provided in this section.

2.4.1.1 Setting up Encryption

Setting up encryption involves the following steps:

  • Ensure the secret keys (a.k.a symmetric keys) for both the configuration value and database are available. If you do not have a secret key, generate an encoded symmetric key using the genEncodedKey command.

  • Encode the key using the base64encode option of the encodeKey command. This step is not required if the genEncodedKey command was used to generate the key.

  • Use the Fusion Middleware Control to add the encoded secret key to an alias in the Credential Store Framework in the domain where Oracle Adaptive Access Manager is installed.

    A credential store is a repository to store user name/password or generic credentials (a certificate). The value of using a credential store is that the application does not store passwords in clear text and does not have to invent its own solutions for protecting passwords, allowing administrators and developers alike to work with a consistent credential repository.

2.4.1.2 Configuring Database Credentials in the Credential Store Framework

Configuring database credentials in the Credential Store Framework involves the following steps:

  • Use the Fusion Middleware Control to add database credentials (user name and password) in the Credential Store Framework in the domain where Oracle Adaptive Access Manager is installed. These credentials are used by the Oracle Adaptive Access Manager command-line utilities.

  • Configure the properties files that are used by the Oracle Adaptive Access Manager CLI utilities with details of the WebLogic administration server and Oracle Adaptive Access Manager database.

For information on the credential store, refer to "Managing the Credential Store" in the Oracle Fusion Middleware Application Security Guide.

2.4.2 Prerequisites

Prerequisites for setting up encryption and database credentials for Oracle Adaptive Access Manager are:

  1. If you do not have access to the Oracle Adaptive Access Manager installation folder, make sure Oracle Adaptive Access Manager 11g was configured with Fusion Middleware Control when the domain was created.

  2. If you do have access to the Oracle Adaptive Access Manager installation folder, make sure that you can run the command-line scripts in the MW_HOME\IDM_ORACLE_HOME\oaam\cli folder.

  3. Make sure Sun JDK is installed and check that the java command is in the path by executing the java command.


Note:

If you are upgrading from Oracle Adaptive Access Manager 10.1.4.5 to Oracle Adaptive Access Manager 11g, you can skip Section 2.4.3, "Setting up Secret Key for Encrypting Configuration Values," Section 2.4.4, "Setting Up Secret Key for Encrypting Database Values," and Section 2.4.5, "Generating an Encoded Secret Key," since the Upgrade Assistant automatically migrates the secret keys from Oracle Adaptive Access Manager 10.1.4.5 to the Credential Store Framework in Oracle Adaptive Access Manager 11g.


2.4.3 Setting up Secret Key for Encrypting Configuration Values

To set up the secret key for encrypting configuration values, follow the steps in this section:

  1. Go to the Oracle Adaptive Access Manager command-line folder MW_HOME\IDM_ORACLE_HOME\oaam\cli.

  2. Create a file config_secret_key.file and add the secret key to the file by entering:

    tobase64=<secret-key>

  3. Encode the key using the Base64 algorithm by executing the following command.

    1. In Unix

      encodeKey.sh config_secret_key.file
      
    2. In Windows

      encodeKey.cmd config_secret_key.file
      

    If the encoding command was successful, you see output similar to the following:

    base64encode is done! 
    Base64 Encoded value =<encoded_value>
    

    If the command was not successful, you might see an error like the following. The libgcj paths in this trace indicate that the java command found on the path is the GNU gcj runtime rather than the Sun JDK required in Section 2.4.2, "Prerequisites."

    Exception in thread "main" java.lang.NoClassDefFoundError: while resolving
    class: com.bharosa.vcrypt.common.util.KeyStoreUtil at
    java.lang.VMClassLoader.resolveClass(java.lang.Class)
    (/usr/lib/libgcj.so.5.0.0) at java.lang.Class.initializeClass()
    (/usr/lib/libgcj.so.5.0.0) at java.lang.Class.forName(java.lang.String,
    boolean, java.lang.ClassLoader) (/usr/lib/libgcj.so.5.0.0) at
    java.lang.Class.forName(java.lang.String) (/usr/lib/libgcj.so.5.0.0)
    
  4. Note down the encoded value of the key printed on the screen. Make sure there are no spaces. You need this to add to the Credential Store Framework.

  5. Refer to Section 2.4.6, "Adding Symmetric Key to the Credential Store Framework" for instructions to add the encoded key to the Credential Store Framework.

2.4.4 Setting Up Secret Key for Encrypting Database Values

To set up the secret key for encrypting database values:

  1. Go to the Oracle Adaptive Access Manager command-line folder MW_HOME\IDM_ORACLE_HOME\oaam\cli.

  2. Create a file db_secret_key.file and add the secret key to the file by entering:

    tobase64=<secret-key>

  3. Encode the key using Base64 algorithm by executing the following command.

    1. In Unix

      encodeKey.sh db_secret_key.file
      
    2. In Windows

      encodeKey.cmd db_secret_key.file
      

    If the encoding command was successful, you see output similar to the following:

    base64encode is done!
    Base64 Encoded value = <encoded_value>
    

    If the command was not successful, you might see an error like the following. The libgcj paths in this trace indicate that the java command found on the path is the GNU gcj runtime rather than the Sun JDK required in Section 2.4.2, "Prerequisites."

    Exception in thread "main" java.lang.NoClassDefFoundError: while resolving
    class: com.bharosa.vcrypt.common.util.KeyStoreUtil at
    java.lang.VMClassLoader.resolveClass(java.lang.Class)
    (/usr/lib/libgcj.so.5.0.0) at java.lang.Class.initializeClass()
    (/usr/lib/libgcj.so.5.0.0) at java.lang.Class.forName(java.lang.String,
    boolean, java.lang.ClassLoader) (/usr/lib/libgcj.so.5.0.0) at
    java.lang.Class.forName(java.lang.String) (/usr/lib/libgcj.so.5.0.0)
    
  4. Note down the encoded value of the key printed on the screen. Make sure there are no spaces. You need this to add to the Credential Store Framework.

  5. Refer to Section 2.4.6, "Adding Symmetric Key to the Credential Store Framework" for instructions on adding the encoded key to the Credential Store Framework.
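The Base64 step in Sections 2.4.3 and 2.4.4, together with the check in step 4 that the value carries no spaces, can be reproduced and verified independently of encodeKey.sh before the value is pasted into the Credential Store Framework. The following shell functions are an added example written for this guide's readers; they are not an OAAM script and they assume a POSIX shell with the coreutils base64 utility, a key file in the tobase64=<secret-key> form shown above, and that the secret is taken as the literal text after tobase64= (an assumption about the file, not a statement about what encodeKey does internally).

```shell
#!/bin/sh
# Added example: reproduces the Base64 step of Sections 2.4.3 and 2.4.4
# and checks the encoded value before it is stored in the Credential
# Store Framework. Not OAAM's own encodeKey script.

# Extract the raw secret from a "tobase64=<secret-key>" properties file.
# Assumption: the secret is the literal text after the first "tobase64=".
# A trailing carriage return from a file edited on Windows is dropped.
read_secret_from_file() {
  sed -n 's/^tobase64=//p' "$1" | head -n 1 | tr -d '\r'
}

# Base64-encode the secret with no line wrapping, giving a single-line
# value like the "Base64 Encoded value =" line printed by encodeKey.sh.
encode_secret_file() {
  secret=$(read_secret_from_file "$1")
  if [ -z "$secret" ]; then
    echo "no tobase64= entry found in $1" >&2
    return 1
  fi
  printf '%s' "$secret" | base64 | tr -d '\n'
}

# Verify the value that will be stored under the CSF alias:
#   - it contains no whitespace (step 4 above),
#   - it is valid Base64,
#   - it decodes back to the expected secret (catches transcription errors).
verify_encoded_value() {
  encoded=$1
  expected=$2
  case "$encoded" in
    *[[:space:]]*)
      echo "encoded value contains whitespace" >&2
      return 1 ;;
  esac
  decoded=$(printf '%s' "$encoded" | base64 -d 2>/dev/null) || {
    echo "encoded value is not valid Base64" >&2
    return 1
  }
  [ "$decoded" = "$expected" ]
}
```

Run encode_secret_file config_secret_key.file (or db_secret_key.file) to obtain the value, then verify_encoded_value "<encoded_value>" "<secret-key>" before creating the DESede_config_key_alias or DESede_db_key_alias entry; a stray space or a mistyped character is caught here rather than after the key has been stored and the data encrypted with it.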

2.4.5 Generating an Encoded Secret Key

To generate an encoded secret key:

  1. Execute the following command:

    1. In Unix

      genEncodedKey.sh sample.db_3des_input.properties
      
    2. In Windows

      genEncodedKey.cmd sample.db_3des_input.properties
      
  2. If the command is successful you see output similar to the following:

    Generated key = <encoded_key>
    

Note:

Encoding the generated key is not necessary since it is already encoded.


2.4.6 Adding Symmetric Key to the Credential Store Framework

OAAM Servers automatically generate the secret key if you start them after domain creation. You can choose to use those autogenerated secret keys if you do not want to use different secret keys.

To add symmetric key to the Credential Store Framework:

  1. Log in to Fusion Middleware Control at http://weblogic_admin_server:port/em using the Web browser and use the WebLogic Administrator credentials to log in.

  2. Expand the WebLogic Domain icon in the Navigation tree in the left pane.

  3. Select OAAM domain and right-click and select the menu option Security, and then the option Credentials in the submenu.

  4. Check if there is a map with the name oaam. If not, click the Create Map option and enter the Map Name as oaam. Click OK to save the map.

  5. Click oaam to select the map and then click Create Key.

  6. In the pop-up dialog make sure Select Map is oaam.

  7. Enter:

    • Key Name: DESede_db_key_alias if the key is database-related or DESede_config_key_alias if it is configuration/application related. Make sure there are no typos or spaces.

    • Type: Generic.

    • Credential Value: encoded value of the symmetric key

  8. Enter a description in the Description field.

  9. Click OK to save the secret key to the Credential Store Framework.

  10. Make sure you back up the alias and the secret key.

    The backup is required if you must recreate the domain and point the domain to the existing Oracle Adaptive Access Manager database.


    Note:

    If you lose the secret key, all the existing data in the Oracle Adaptive Access Manager database becomes unusable since many important administrative operations involve encrypted data.


2.4.7 Setting Up Oracle Adaptive Access Manager Database Credentials in the Credential Store Framework

To set up the Oracle Adaptive Access Manager database credentials in the Credential Store Framework:

  1. Log in to Fusion Middleware Control at http://weblogic_admin_server:port/em using the Web browser and use the WebLogic Administrator credentials to log in.

  2. Expand the WebLogic Domain icon in the Navigation tree in the left pane.

  3. Select the OAAM domain and right-click and select the menu option Security and then the option Credentials in the submenu.

  4. Check to see whether there is a map with the name oaam. If not click the Create Map option and enter the Map Name as oaam. Click OK to save the map.

  5. Click oaam to select the map and then click Create Key.

    OAAM Servers automatically generate the secret key if you start them after domain creation. You can choose to use those auto-generated secret keys if you do not want to use different secret keys.

  6. In the pop-up dialog make sure Select Map is oaam.

  7. Enter the following:

    • Key: oaam_db_key. Make sure there are no typos and spaces.

    • Type: Password

    • UserName: database user name of OAAM

    • Password: database password of OAAM

  8. Enter the description.

  9. Click OK to save the secret key to the Credential Store Framework.

2.4.8 Backing Up Secret Keys and Database and Configuration Keys

You must back up the secret keys used. You may need these keys, if you have to recreate the Oracle Adaptive Access Manager 11g domain. Make sure you note the secret key and the alias name.

  1. Log in to Oracle Enterprise Manager.

  2. Expand the WebLogic Domain on the left pane, and select OAAM domain.

  3. From the OAAM Domain, select Security, and then Credentials.

  4. Expand oaam and select the symmetric key related entries associated with the Type Generic.

  5. Click Edit.

  6. Go to the Credentials section then copy the symmetric key related entries and note the key name.

  7. Repeat the above steps to back-up database and configuration keys.


Note:

If you delete and recreate the Oracle Adaptive Access Manager 11g domain, make sure you use the backed-up secret keys when setting the encryption keys so that the existing data in the Oracle Adaptive Access Manager database can be decrypted properly.


2.5 Creating OAAM Users

Before you can access the Oracle Adaptive Access Manager Administration Console, you must create users. Creating these users allows you to use OAAM.

The user can be created in the WebLogic Administration Console. Details for creating an administration user in the WebLogic Administration Console are provided below.

If you want to take care of user and group creation in the external LDAP store, see Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

You create a user as follows:

  1. Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain.

  2. In the left pane, select Security Realms.

  3. On the Summary of Security Realms page select the name of the realm (for example, myrealm).

  4. On the Settings for Realm Name page select Users and Groups > Users.

  5. Click New and provide the required information to create a user, such as user1, in the security realm.

  6. Click the newly created user, user1.

  7. Click the Groups tab.

  8. Assign any of the groups with the OAAM prefix to the user, user1.

  9. Click Save.

2.6 Importing the OAAM Snapshot

A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. The oaam_base_snapshot.zip file is located in the MW_HOME/IDM_ORACLE_HOME/oaam/init directory.

  1. Log in to the Oracle Adaptive Access Manager Administration Console (OAAM Admin) using the following URL:

    http://host:port/oaam_admin
    
  2. Load the snapshot file into the system by following these instructions:

    1. Open System Snapshot under Environment in the Navigation tree.

    2. Click the Load from File button.

      A Load and Restore Snapshot dialog appears.

    3. Deselect Back up current system now and click Continue.

      A dialog appears with the message that you have not chosen to back up the current system, asking whether you want to continue.

    4. Click Continue in that dialog.

      The Load and Restore Snapshot page appears for you to choose a snapshot to load.

    5. Browse for oaam_base_snapshot.zip and click the Load button to load the snapshot into the system database.

    6. Click OK and then Restore.

The snapshot contains the following items that must be imported into OAAM:

  • Challenge questions for English (United States)

    During registration, which could be enrollment, opening a new account, or another event such as a reset, the user selects different questions from a list of questions and enters answers to them. These questions, called challenge questions, are used to authenticate users.

    Questions for the languages you want to support must be in the system before users can be asked to register. These questions may also be required to log in to OAAM Server.

  • Entity definitions

    The actors that are tracked during authentication are called authentication entities and include user, city, device, and so on. These base entities are required to enable conditions that are used for patterns.

  • Out-of-the-box patterns

    Patterns are used by Oracle Adaptive Access Manager to either define one bucket or dynamically create buckets. Oracle Adaptive Access Manager collects data and populates these buckets with members based on pattern parameters, and rules perform risk evaluations on dynamically changing membership and distributions of the buckets.

  • Out-of-the-box configurable actions

    Configurable actions are actions that are triggered based on the result action or risk scoring or both after a checkpoint execution. The configurable actions are built using action templates.


    Note:

    If you are upgrading from Oracle Adaptive Access Manager 10.1.4.5 to Oracle Adaptive Access Manager 11g, the names and descriptions of the out-of-the-box action templates are slightly different, because the action templates in Oracle Adaptive Access Manager 11g are globalized.


  • Out-of-the-box policies

    Policies are designed to help evaluate and handle business activities or potentially risky activities that are encountered in day-to-day operation.

  • Any groups

    Collections of items used in rules, user groups, and action and alert groups are shipped with OAAM.

If you need to customize any properties, you should import the snapshot into your new test system, make the changes, export the snapshot, and import it into your new system. Alternatively you can import the snapshot on the new system and make the property changes directly, thereby eliminating the test system completely.


Note:

This procedure is only for first time initial setup. Importing a snapshot overwrites the existing environment and replaces it with a new one. For upgrades, import separate zip files for the entities, definitions, or policies.


For upgrading policies, components, and configurations, perform a backup, and then import the separate file. The following are available:

  • Base policies are shipped in the oaam_policies.zip file, which is located in the MW_HOME/IDM_ORACLE_HOME/oaam/init directory.

  • Configurable action templates are shipped in the OOTB_Configurable_Actions.zip file, which is located in the MW_HOME/IDM_ORACLE_HOME/oaam/init directory.

  • Base-authentication required entities are shipped in the Auth_EntityDefinition.zip file, which is located in the MW_HOME/IDM_ORACLE_HOME/oaam/init directory.

  • Default patterns are shipped in the OOB_Patterns.zip file, which is located in the MW_HOME/IDM_ORACLE_HOME/oaam/init directory.

2.7 Importing IP Location Data

IP location data is used by the risk policies framework to determine the risk of fraud associated with a given IP address (location).

To be able to determine location of the login or transaction, this data must be uploaded. For information, see Section 29.4, "Importing IP Location Data."

2.8 Enabling OTP

For information on enabling OTP, refer to Section 9.6, "Enabling OTP Challenge."

2.9 Setting the Time Zone Used for All Time Stamps in the Administration Console

A time zone identifies an area that always shares the same local time.

Time zones are used throughout Oracle Adaptive Access Manager for a variety of purposes. A time stamp can indicate when an alert was generated, the process start and end dates of a job, search pages, and so on. Users often are most comfortable working in their local time zones. As the administrator, you can configure the preferred time zones for the OAAM Administration Console.

The property is a system-wide time zone setting, not a per-user one: every Administration Console user sees time stamps in the single configured time zone.

Note that the time zone and the browser locale formatting are independent of each other. For example, if you set your browser to en-gb but set oaam.adf.timezone to America/Los_Angeles, the time stamps are formatted according to the British locale but the time zone is still Pacific Time.

Use the Property Editor to set oaam.adf.timezone to the desired time zone.

For example,

oaam.adf.timezone = Atlantic/Reykjavik

For instructions on using the Properties Editor, refer to Chapter 28, "Using the Properties Editor."

The property takes the standard values for the time zone as listed in Section 2.9.1, "Values for the Common Timezones."

2.9.1 Values for the Common Timezones

The time zones are as follows:

Pacific/Midway (GMT-11:00) Midway - Samoa Time (ST)

Pacific/Pago_Pago (GMT-11:00) Pago Pago - Samoa Time (ST)

Pacific/Honolulu (GMT-10:00) Honolulu - Hawaii Time (HT)

America/Anchorage (GMT-09:00) Alaska Time (AKT)

America/Tijuana (GMT-08:00) Tijuana - Pacific Time (PT)

America/Vancouver (GMT-08:00) Vancouver - Pacific Time (Canada) (PT)

America/Los_Angeles (GMT-08:00) Los Angeles - Pacific Time (PT)

America/Chihuahua (GMT-07:00) Chihuahua - Mexico Time 2 (MT)

America/Denver (GMT-07:00) Denver - Mountain Time (MT)

America/Edmonton (GMT-07:00) Mountain Time (Canada) (MT)

America/Phoenix (GMT-07:00) Mountain Time (MT)

America/Mazatlan (GMT-07:00) Mexico Time 2 (MT)

America/Guatemala (GMT-06:00) Guatemala - Central America Time (CT)

America/Regina (GMT-06:00) Regina - Central Time (CT)

America/Chicago (GMT-06:00) Chicago - Central Time (CT)

America/Managua (GMT-06:00) Managua - Central America Time (CT)

America/Winnipeg (GMT-06:00) Central Time (Canada) (CT)

America/El_Salvador (GMT-06:00) El Salvador - Central America Time (CT)

America/Costa_Rica (GMT-06:00) Costa Rica - Central America Time (CT)

America/Mexico_City (GMT-06:00) Mexico City - Mexico Time (MT)

America/Guayaquil (GMT-05:00) Guayaquil - Ecuador Time (ECT)

America/Indiana/Indianapolis (GMT-05:00) Indianapolis, Indiana - Eastern Time (ET)

America/Bogota (GMT-05:00) Bogota - Colombia Time (COT)

America/Lima (GMT-05:00) Lima - Peru Time (PET)

America/Panama (GMT-05:00) Panama - Eastern Time (ET)

America/Montreal (GMT-05:00) Montreal - Eastern Time (Canada) (ET)

America/New_York (GMT-05:00) New York - Eastern Time (ET)

America/Puerto_Rico (GMT-04:00) Puerto Rico - Atlantic Time (AT)

America/Halifax (GMT-04:00) Canada Atlantic Time (AT)

America/Santiago (GMT-04:00) Santiago - Chile Time (CLT)

America/Caracas (GMT-04:00) Caracas - Venezuela Time (VET)

America/Godthab (GMT-03:00) Godthab - Western Greenland Time (WGT)

America/Argentina/Buenos_Aires (GMT-03:00) Buenos Aires - Argentine Time (ART)

America/Sao_Paulo (GMT-03:00) Sao Paulo - Brasilia Time (BRT)

America/St_Johns (GMT-03:30) St Johns - Newfoundland Time (NT)

America/Noronha (GMT-02:00) Noronha - Fernando de Noronha Time (FNT)

Atlantic/Azores (GMT-01:00) Azores - Azores Time (AZOT)

Atlantic/Cape_Verde (GMT-01:00) Cape Verde - Cape Verde Time (CVT)

Europe/Dublin (GMT+00:00) Dublin - Greenwich Mean Time (GMT)

Europe/London (GMT+00:00) London - Greenwich Mean Time (GMT)

Etc/UTC (GMT+00:00) Coordinated Universal Time (UTC)

Africa/Casablanca (GMT+00:00) Casablanca - Western European Time (WET)

Europe/Lisbon (GMT+00:00) Lisbon - Western European Time (WET)

Africa/Nouakchott (GMT+00:00) Nouakchott - Greenwich Mean Time (GMT)

Atlantic/Reykjavik (GMT+00:00) Reykjavik - Greenwich Mean Time (GMT)

Europe/Prague (GMT+01:00) Prague - Central European Time (CET)

Europe/Budapest (GMT+01:00) Budapest - Central European Time (CET)

Europe/Madrid (GMT+01:00) Madrid - Central European Time (CET)

Europe/Vienna (GMT+01:00) Vienna - Central European Time (CET)

Africa/Algiers (GMT+01:00) Algiers - Central European Time (CET)

Africa/Lagos (GMT+01:00) Lagos - Western African Time (WAT)

Europe/Belgrade (GMT+01:00) Belgrade - Central European Time (CET)

Europe/Oslo (GMT+01:00) Oslo - Central European Time (CET)

Europe/Rome (GMT+01:00) Rome - Central European Time (CET)

Africa/Tunis (GMT+01:00) Tunis - Central European Time (CET)

Europe/Stockholm (GMT+01:00) Stockholm - Central European Time (CET)

Europe/Copenhagen (GMT+01:00) Copenhagen - Central European Time (CET)

Europe/Tirane (GMT+01:00) Tirane - Central European Time (CET)

Europe/Zurich (GMT+01:00) Zurich - Central European Time (CET)

Europe/Paris (GMT+01:00) Paris - Central European Time (CET)

Europe/Berlin (GMT+01:00) Berlin - Central European Time (CET)

Europe/Warsaw (GMT+01:00) Warsaw - Central European Time (CET)

Europe/Amsterdam (GMT+01:00) Amsterdam - Central European Time (CET)

Europe/Brussels (GMT+01:00) Brussels - Central European Time (CET)

Europe/Luxembourg (GMT+01:00) Luxembourg - Central European Time (CET)

Europe/Bucharest (GMT+02:00) Bucharest - Eastern European Time (EET)

Asia/Nicosia (GMT+02:00) Nicosia - Eastern European Time (EET)

Europe/Kiev (GMT+02:00) Kiev - Eastern European Time (EET)

Europe/Sofia (GMT+02:00) Sofia - Eastern European Time (EET)

Europe/Riga (GMT+02:00) Riga - Eastern European Time (EET)

Africa/Johannesburg (GMT+02:00) Johannesburg - South Africa Time (SAT)

Europe/Athens (GMT+02:00) Athens - Eastern European Time (EET)

Africa/Tripoli (GMT+02:00) Tripoli - Eastern European Time (EET)

Africa/Cairo (GMT+02:00) Cairo - Egypt Time (ET)

Asia/Beirut (GMT+02:00) Beirut - Eastern European Time (EET)

Europe/Tallinn (GMT+02:00) Tallinn - Eastern European Time (EET)

Europe/Vilnius (GMT+02:00) Vilnius - Eastern European Time (EET)

Europe/Helsinki (GMT+02:00) Helsinki - Eastern European Time (EET)

Asia/Amman (GMT+02:00) Amman - Eastern European Time (EET)

Asia/Damascus (GMT+02:00) Damascus - Eastern European Time (EET)

Africa/Harare (GMT+02:00) Harare - Central African Time (CAT)

Asia/Jerusalem (GMT+02:00) Jerusalem - Israel Time (IT)

Europe/Istanbul (GMT+02:00) Istanbul - Eastern European Time (EET)

Africa/Khartoum (GMT+03:00) Khartoum - Eastern African Time (EAT)

Asia/Aden (GMT+03:00) Aden - Arabia Time (AT)

Africa/Mogadishu (GMT+03:00) Mogadishu - Eastern African Time (EAT)

Asia/Baghdad (GMT+03:00) Baghdad - Arabia Time (AT)

Asia/Bahrain (GMT+03:00) Bahrain - Arabia Time (AT)

Africa/Djibouti (GMT+03:00) Djibouti - Eastern African Time (EAT)

Africa/Nairobi (GMT+03:00) Nairobi - Eastern African Time (EAT)

Europe/Moscow (GMT+03:00) Moscow - Moscow Time (MSK)

Asia/Qatar (GMT+03:00) Qatar - Arabia Time (AT)

Asia/Kuwait (GMT+03:00) Kuwait - Arabia Time (AT)

Asia/Riyadh (GMT+03:00) Riyadh - Arabia Time (AT)

Asia/Tehran (GMT+03:30) Tehran - Iran Time (IRT)

Asia/Dubai (GMT+04:00) Dubai - Gulf Time (GT)

Asia/Baku (GMT+04:00) Baku - Azerbaijan Time (AZT)

Asia/Muscat (GMT+04:00) Muscat - Gulf Time (GT)

Asia/Kabul (GMT+04:30) Kabul - Afghanistan Time (AFT)

Asia/Yekaterinburg (GMT+05:00) Yekaterinburg - Yekaterinburg Time (YEKT)

Asia/Karachi (GMT+05:00) Karachi - Pakistan Time (PKT)

Asia/Tashkent (GMT+05:00) Tashkent - Uzbekistan Time (UZT)

Asia/Kolkata (GMT+05:30) Kolkata - India Time (IT)

Asia/Colombo (GMT+05:30) Colombo - Sri Lanka Time (LKT)

Asia/Katmandu (GMT+05:45) Katmandu - Nepal Time (NPT)

Asia/Dhaka (GMT+06:00) Dhaka - Bangladesh Time (BDT)

Asia/Almaty (GMT+06:00) Almaty - Alma-Ata Time (ALMT)

Asia/Novosibirsk (GMT+06:00) Novosibirsk - Novosibirsk Time (NOVT)

Asia/Rangoon (GMT+06:30) Rangoon - Myanmar Time (MMT)

Asia/Krasnoyarsk (GMT+07:00) Krasnoyarsk - Krasnoyarsk Time (KRAT)

Asia/Ho_Chi_Minh (GMT+07:00) Ho Chi Minh - Indochina Time (ICT)

Asia/Jakarta (GMT+07:00) Jakarta - West Indonesia Time (WIT)

Asia/Bangkok (GMT+07:00) Bangkok - Indochina Time (ICT)

Asia/Kuala_Lumpur (GMT+08:00) Kuala Lumpur - Malaysia Time (MYT)

Asia/Shanghai (GMT+08:00) Shanghai - China Time (CT)

Asia/Taipei (GMT+08:00) Taipei - China Time (CT)

Asia/Irkutsk (GMT+08:00) Irkutsk - Irkutsk Time (IRKT)

Asia/Singapore (GMT+08:00) Singapore - Singapore Time (SGT)

Asia/Hong_Kong (GMT+08:00) Hong Kong - Hong Kong Time (HKT)

Asia/Manila (GMT+08:00) Manila - Philippines Time (PHT)

Australia/Perth (GMT+08:00) Perth - Western Time (Australia) (WT)

Asia/Yakutsk (GMT+09:00) Yakutsk - Yakutsk Time (YAKT)

Asia/Tokyo (GMT+09:00) Tokyo - Japan Time (JT)

Asia/Seoul (GMT+09:00) Seoul - Korea Time (KT)

Australia/Adelaide (GMT+09:30) Adelaide - Central Time (South Australia) (CT)

Australia/Darwin (GMT+09:30) Darwin - Central Time (Northern Territory) (CT)

Asia/Vladivostok (GMT+10:00) Vladivostok - Vladivostok Time (VLAT)

Pacific/Guam (GMT+10:00) Guam - Chamorro Time (ChT)

Australia/Hobart (GMT+10:00) Hobart - Eastern Time (Tasmania) (ET)

Australia/Sydney (GMT+10:00) Sydney - Eastern Time (New South Wales) (ET)

Australia/Brisbane (GMT+10:00) Brisbane - Eastern Time (Queensland) (ET)

Asia/Magadan (GMT+11:00) Magadan - Magadan Time (MAGT)

Pacific/Auckland (GMT+12:00) Auckland - New Zealand Time (NZT)

Pacific/Fiji (GMT+12:00) Fiji - Fiji Time (FJT)

Asia/Kamchatka (GMT+12:00) Kamchatka - Petropavlovsk-Kamchatski Time (PETT)

Etc/GMT-12 (GMT+12:00) Dateline Standard Time (UTC+12:00)

Pacific/Tongatapu (GMT+13:00) Tongatapu - Tonga Time (TOT)


25 Configuring BI Publisher Reports

This chapter describes how to configure reporting and how to view Oracle Adaptive Access Manager reports. It contains these topics:

25.1 Oracle Business Intelligence Publisher Reports

Oracle Adaptive Access Manager uses Business Intelligence Publisher for the majority of reporting functions. Oracle recommends that all OAAM customers replicate production data into a reporting database and provide a dedicated reporting environment for BI Publisher.

Oracle BI Publisher is Oracle's enterprise reporting solution and provides a single reporting environment to author, manage, and deliver all of your reports and business documents. Using a set of familiar desktop tools, such as Microsoft Word, Microsoft Excel, or Adobe Acrobat, you can create and maintain report layouts based on data from diverse sources, including Oracle Identity Management products.

25.2 Investigation and Forensics

Oracle Adaptive Access Manager provides access to a rich set of forensic data to power investigations and auditing. Business Intelligence Publisher provides the reporting engine, allowing reporting to be fully customized to meet requirements. Out-of-the-box report templates are included that can be used as is or altered. The intuitive administration console interface makes it quick and easy to home in on the important data and relationships. This allows a security analyst to find related situations that otherwise might not be identified and to better understand the relationships between various security events. Oracle Adaptive Access Manager leverages the common audit framework from Oracle Platform Security Services to capture full audit trails for administration console users.

25.2.1 Session Activity Aggregates

BI Publisher reports can be used to show the results of checkpoints.

  • Total number of each action by checkpoint

  • Total number of each alert by checkpoint

  • Total number of sessions with risk score ranges (0 - 600, 601 - 800, 801 - 1000) by checkpoint

Login Analysis Aggregates Report

For example, George is a security and compliance officer. He has been asked to configure a solution to run, offline, the login risk evaluations that are deemed too expensive to run in real time. He uses the out-of-the-box run task to perform the whole login chain of checkpoints on every session in the selection. After the load and run are complete, George generates an aggregate report showing metrics for the total numbers of each action, alert, and risk score range in pre-auth and post-auth data.

In a second scenario, George has been asked to configure a solution to run login risk evaluations offline to test new policies before they are rolled out to production. To see the difference in results between one policy configuration and another, he performs a run with policy set A, then runs this report and exports it to HTML. Next he does the same with policy set B and compares the two reports to see whether the policy changes are behaving as expected.
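The aggregates listed above are simple counts grouped by checkpoint, which is easy to check by hand when validating a report template or comparing two policy runs as George does. The following shell functions are an added illustration for this guide, not BI Publisher's report logic or OAAM code; the checkpoint names, action and alert names, and risk scores in SAMPLE_SESSIONS are constructed sample rows in a checkpoint,action,alert,risk_score layout that is assumed here for the example.

```shell
#!/bin/sh
# Added example: per-checkpoint counts of the kind the Login Analysis
# Aggregates report summarizes. Not BI Publisher or OAAM code; the row
# layout (checkpoint,action,alert,risk_score) is an assumption for the
# example, and the rows themselves are constructed.

# Constructed sample session rows; alert is "-" when no alert was raised.
SAMPLE_SESSIONS='PRE_AUTH,ALLOW,-,120
PRE_AUTH,ALLOW,-,650
PRE_AUTH,BLOCK,HIGH_RISK_IP,910
POST_AUTH,ALLOW,-,300
POST_AUTH,CHALLENGE,NEW_DEVICE,780
POST_AUTH,BLOCK,NEW_DEVICE,1000'

# Total number of each action by checkpoint: prints checkpoint,action,count.
action_counts() {
  awk -F, '{ c[$1 "," $2]++ } END { for (k in c) print k "," c[k] }' | LC_ALL=C sort
}

# Total number of each alert by checkpoint; rows without an alert are skipped.
alert_counts() {
  awk -F, '$3 != "-" { c[$1 "," $3]++ } END { for (k in c) print k "," c[k] }' | LC_ALL=C sort
}

# Sessions per risk-score range (0-600, 601-800, 801-1000) by checkpoint.
# Scores outside 0-1000 go to a separate "out-of-range" band so that a
# malformed row is visible instead of being folded silently into a bucket.
score_band_counts() {
  awk -F, '
    { s = $4 + 0
      if (s < 0 || s > 1000) band = "out-of-range"
      else if (s <= 600)     band = "0-600"
      else if (s <= 800)     band = "601-800"
      else                   band = "801-1000"
      c[$1 "," band]++ }
    END { for (k in c) print k "," c[k] }' | LC_ALL=C sort
}
```

Pipe rows into any of the three functions, for example printf '%s\n' "$SAMPLE_SESSIONS" | score_band_counts; exporting the same rows from a policy-set A run and a policy-set B run and diffing the two outputs gives the comparison described in the second scenario without waiting on a report template.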

25.2.2 Search Sessions By Case Disposition

As Investigation Managers and business analysts, you can assess the effectiveness of OAAM and your fraud team. As part of investigating, you can run a report that returns all sessions that have been linked to a case with a specified disposition. The results will show the case IDs each session is linked to.

Search sessions by case disposition Report

At the end of the week a manager runs the report to find a list of all sessions with organization ID "Sears" and that have been linked to a case with a "confirmed fraud" disposition.

25.2.3 Audit

In Oracle Fusion Middleware 11g Release 1 (11.1.1), auditing provides a measure of accountability and answers to the "who has done what and when" types of questions.

Audit is used for tracking OAAM Admin operations, such as creating a policy or deleting a group. OAAM collects audit information and sends it to the audit database. Users can view audit data through BI Publisher, which reads the audit database. You control the audit functionality through Enterprise Manager, where you can choose which events to audit, specify users to always audit, or audit only failure events. Auditing therefore involves three components: Enterprise Manager (audit settings), OAAM (audit event generation), and BI Publisher (audit report viewing). For information on setting up audit data sources, refer to "Configuring and Managing Auditing" in the Oracle Fusion Middleware Application Security Guide. For information on setting up Oracle Business Intelligence Publisher for use with audit reports, refer to "Using Audit Analysis and Reporting" in the Oracle Fusion Middleware Application Security Guide.

25.3 Setting up Oracle Business Intelligence Publisher for Oracle Adaptive Access Manager Reports

When your data resides in a database, you can run pre-defined Oracle Business Intelligence Publisher (BI Publisher) reports and create your own reports on the data. The following sections describe how to configure your environment for reports.

25.3.1 Installing BI Publisher

OAAM uses Oracle BI Publisher to generate your OAAM reports.

Perform the following steps to acquire and install Oracle BI Publisher:

  1. Go to Oracle Technology Network web site at http://www.oracle.com/technetwork/index.html

  2. Locate the Oracle BI Publisher Download page by searching on the key words Oracle BI Publisher or Oracle BI Publisher Download.

  3. Review the Oracle Technology Network License Agreement that appears on the Oracle BI Publisher Download page. You must accept the Oracle Technology Network License Agreement to download Oracle BI Publisher.

  4. Download the version of Oracle BI Publisher that is appropriate for your operating system by clicking on the appropriate link.

  5. Install Oracle BI Publisher by referring to the Oracle Business Intelligence Publisher Installation Guide. Refer to Oracle Business Intelligence Publisher Documentation for information about accessing the Oracle Business Intelligence Publisher Installation Guide.

  6. Verify your Oracle BI Publisher is operational before installing and configuring the OAAM reports.

25.3.2 Installing Oracle Adaptive Access Manager BI Publisher Reports

This section explains how to install BI Publisher Reports. You must install Oracle BI Publisher and verify it is operational before installing the BI Publisher Reports. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.

Perform the following steps to install the reports:

  1. Stop the Oracle BI Publisher server. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.

  2. On your OAAM host, locate the OAAM products reports package from the /IAM_HOME/oaam/reports directory and extract the contents to a location on your Oracle BI Publisher server. For example:

    /ORACLE_BI_PUBLISHER_HOME/xmlp/XMLP/reports

  3. Copy the properties.xml file to any directory in Oracle BI Publisher server's file system.

  4. Start the Oracle BI Publisher server. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.

25.3.3 Configuring Oracle Adaptive Access Manager BI Publisher Reports

Perform the following steps to configure the Oracle Adaptive Access Manager reports:

  1. Configure the JDBC Data Source for Oracle Adaptive Access Manager by performing the following steps:

    1. Log in to Oracle BI Publisher from a web browser as an Administrator. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.

    2. Click the Admin tab, then click JDBC Connection under Data Source, and then click the Add Data Source button. The Add Data Source screen appears.

    3. Enter the following information in the fields on the Add Data Source screen. Replace the variable values in the following examples with the actual values for your Oracle Adaptive Access Manager database.

      Field: Data Source Name
      Data to Enter: ARM
      For the Oracle Adaptive Access Manager reports to work out-of-the-box, the JDBC data source must be named "ARM". If you choose a different name, you must modify the data source property in all reports.

      Field: Connection String
      Data to Enter: jdbc:oracle:thin:@host:port:sid

      Field: User Name
      Data to Enter: User name for a database schema user that has access to Oracle Adaptive Access Manager.

      Field: Password
      Data to Enter: Password for the user identified in the User Name field.

      Field: Database Driver Class
      Data to Enter: oracle.jdbc.driver.OracleDriver


  2. Configure the AdminProperties Data Source for Oracle Adaptive Access Manager by performing the following steps. The AdminProperties data source contains configuration information that Oracle Adaptive Access Manager needs to read when generating the reports.

    1. Click the Admin tab, then click File under Data Source, and then click the Add Data Source button. The Add Data Source screen appears.

    2. Enter the following information in the fields on the Add Data Source screen:

      Field: Data Source Name
      Data to Enter: AdminProperties
      You must name this Data Source AdminProperties.

      Field: Full Path of Top-level Directory
      Data to Enter: The directory where you placed properties.xml.


The configuration for Oracle Adaptive Access Manager reports is complete. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.

25.3.4 Testing Oracle Adaptive Access Manager BI Publisher Configuration

Perform the following steps to test whether the configuration of the Oracle Adaptive Access Manager reports has been successful:

  1. Log in to Oracle BI Publisher using a URL of the form:

    http://host.domain.com:port/xmlpserver/

  2. On the main page, click OAAM under Shared Folders and then oradb.

    The Oracle Adaptive Access Manager reports are now available.

  3. Select any report.

  4. Select any output type and click the View button.

25.4 Setting Preferences

You can set the Report Locale, User Interface Language, Time Zone, and Accessibility Mode for BI Publisher.

  • Report Locale - A locale is a language and territory combination (for example, English (United States) or French (Canada)). BI Publisher uses the report locale selection to determine the template translation, the number formatting, and the date formatting to apply to the report data.

  • User Interface Language - The language in which your user interface is displayed. The language that you selected at login is selected as the default. However, you can choose from the languages that are available for your installation through this option.

  • Time Zone - Select the time zone to apply to your reports. Reports run by you (this user) display times according to the time zone preference selected here.

  • Accessibility Mode - Setting this to "On" displays the report catalog in a tree structure that is accessible via keyboard strokes.

For more information on setting preferences, refer to the "Setting My Account Preferences and Viewing My Groups" chapter of the Oracle Fusion Middleware Report Designer's Guide for Oracle Business Intelligence Publisher.

25.5 BI Publisher's Users, Roles, and Permissions

In BI Publisher, a user is assigned one or multiple Roles. A Role can grant any or all of the following:

  • privileges to use functionality

  • permissions to perform actions on catalog objects

  • access to data sources

For information on setting users, roles, and permissions, refer to the "Alternative Security Options" chapter of the Oracle Fusion Middleware Administrator's and Developer's Guide for Oracle Business Intelligence Publisher.

25.6 Scheduling a Report

Oracle BI Publisher Enterprise enables you to schedule reports and deliver the executed output to various destinations. BI Publisher Scheduler is configured as part of the Oracle BI Enterprise Edition installation process. Ensure that the scheduler is configured properly before you start scheduling reports.

For information on scheduling reports, refer to "Creating Report Jobs" in the Oracle Fusion Middleware Report Designer's Guide for Oracle Business Intelligence Publisher.

25.7 Viewing/Running Reports

This section explains how to view/run reports.

Take these steps to view/run a report:

  1. Log in to Oracle BI Publisher using a URL of the form:

    http://host.domain.com:port/xmlpserver/

  2. On the main page, click OAAM under Shared Folders and then oradb.

  3. Navigate to the report of interest.

    The report is displayed.

  4. The report display page contains these major areas:

    • Filters at the top of the page enable you to determine the records to include in the report.

    • Format control buttons enable you to determine:

      • the template type, which can be:

        HTML - This is the default display format.

        PDF - Displays a printable PDF view.

        RTF - Displays a document in Rich Text Format.

        Excel2000 - Displays a spreadsheet.

        Data - Displays an unformatted XML data set.

        To change the template type while viewing a report, select the type from the list and click View.

      • output format

      • delivery options

      • range in which to view the data

  5. View, save or export the report as desired.

25.8 Create Oracle BI Publisher Reports on Data in the OAAM Schema

This section contains instructions on creating Oracle BI Publisher reports on data in the OAAM schema.


25.8.1 Create a Data Model

Refer to the instructions in Creating a New Report in the Oracle Business Intelligence Publisher Report Designer's Guide.

25.8.2 Map User Defined Enum Numeric Type Codes to Readable Names

Several fields in many tables are numeric type codes, which correspond to OAAM User Defined Enums. Refer to the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager for more information about OAAM User Defined Enums. Information on how to map those type codes to readable names is presented in this section.

There are two methods for resolving these names, and the one to choose depends on whether you need to display English only or you need to display internationalized strings.

25.8.2.1 Results Display

To display a readable string rather than a type code value in the report output, the report writer will need to add a join to the tables that hold the User Defined Enums, and then add the field to the select clause.

25.8.2.2 English Only User Defined Enum Result Display

The following SQL code shows how to add the join criteria to the query:

SELECT …
FROM …
LEFT OUTER JOIN (
      SELECT enumElement.num_value, enumElement.label
      FROM v_b_enum enum
             INNER JOIN v_b_enum_elmnt enumElement ON enum.enum_id = enumElement.enum_id
      WHERE enum.prop_name = 'enum name') alias
      ON table.type_field = alias.num_value
…

In this code, table.type_field is the field containing the type code value that you want to replace with a string, alias is the name you give the inner select, and 'enum name' is the property name of the User Defined Enum.

To display in the report, you need to add alias.label to the select clause.

25.8.2.3 Internationalized User Defined Enum Result Display

The following SQL code shows how to add the join criteria to the query:

SELECT …
FROM …
LEFT OUTER JOIN (
      SELECT t0.config_value, element.num_value
      FROM v_b_config_rb t0
      INNER JOIN (
             SELECT enum_element.num_value, enum_element.str_value, enum.prop_name
             FROM v_b_enum enum
                   INNER JOIN v_b_enum_elmnt enum_element ON enum.enum_id = enum_element.enum_id
             WHERE enum.prop_name = 'enum name') element
             ON t0.config_name=element.prop_name || '.' || element.str_value || '.name'
      WHERE t0.locale_id = (
             SELECT locale_id FROM v_b_locale
             WHERE language = substr(:xdo_user_ui_locale, 1, 2)
                   AND country = substr(:xdo_user_ui_locale, 4, 2)
                   AND (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko')
                         OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR')
                         OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW')))
             UNION SELECT locale_id FROM v_b_locale
             WHERE language = substr(:xdo_user_ui_locale, 1, 2)
                   AND NOT EXISTS(SELECT locale_id FROM v_b_locale
                   WHERE language = substr(:xdo_user_ui_locale, 1, 2)
                         AND country = substr(:xdo_user_ui_locale, 4, 2))
                         AND country IS NULL
                         AND (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko')
                               OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR')
                               OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW'))) 
             UNION SELECT locale_id FROM v_b_locale
             WHERE language = 'en'
                   AND NOT (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko')
                         OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR')
                         OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW'))))
      ORDER BY t0.config_name) alias
      ON table.type_field = alias.num_value
…

In this code, table.type_field is the field containing the type code value that you want to replace with a string, alias is the name you give the inner select, and 'enum name' is the property name of the User Defined Enum.

To display in the report, you need to add alias.config_value to the select clause.

25.8.3 Adding Lists of Values

Add parameters to your report definition to enable your users to interact with the report and specify the data of interest from the data set.

To allow a user to select from a list of readable strings representing type codes, the report writer will need to create a List of Values (LOV) from a query on the User Defined Enums tables, filtered by the enum name.

25.8.3.1 User Defined Enums as List of Values for Filtering, English Only

The following listing shows how to write the query to populate the list of values.

SELECT enumElement.label, enumElement.num_value
FROM v_b_enum enum
      INNER JOIN v_b_enum_elmnt enumElement ON enum.enum_id = enumElement.enum_id
WHERE enum.prop_name = 'enum name'
ORDER BY enumElement.label

The following listing shows how to filter the report based on this LOV.

WHERE …
AND (:parameter IS NULL OR :parameter = table.type_field)

In these listings, 'enum name' is the property name of the User Defined Enum, table.type_field is the field containing the type code value that you want to filter on, and parameter is the named report parameter. Review the Oracle BI Publisher User's Guide for information about creating and setting up report parameters.

25.8.3.2 User Defined Enums as List of Values for Filtering, Internationalized

The following listing shows how to write the query to populate the list of values.

SELECT t0.config_value, element.num_value
FROM v_b_config_rb t0
INNER JOIN (
      SELECT enum_element.num_value, enum_element.str_value, enum.prop_name
      FROM v_b_enum enum
             INNER JOIN v_b_enum_elmnt enum_element ON enum.enum_id = enum_element.enum_id
      WHERE enum.prop_name = 'enum name') element
      ON t0.config_name=element.prop_name || '.' || element.str_value || '.name'
WHERE t0.locale_id = (
      SELECT locale_id FROM v_b_locale
      WHERE language = substr(:xdo_user_ui_locale, 1, 2)
             AND country = substr(:xdo_user_ui_locale, 4, 2)
             AND (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko')
                   OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR')
                   OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW')))
      UNION SELECT locale_id FROM v_b_locale
      WHERE language = substr(:xdo_user_ui_locale, 1, 2)
             AND NOT EXISTS(SELECT locale_id FROM v_b_locale
             WHERE language = substr(:xdo_user_ui_locale, 1, 2)
                   AND country = substr(:xdo_user_ui_locale, 4, 2))
                   AND country IS NULL
                   AND (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko')
                         OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR')
                         OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW'))) 
      UNION SELECT locale_id FROM v_b_locale
      WHERE language = 'en'
             AND NOT (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko')
                   OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR')
                   OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW'))))
ORDER BY t0.config_name

The filtering is done in the same manner as the English Only version.

25.8.4 Adding Geolocation Data

The OAAM schema includes tables that map IP address ranges to location data including city, state, and country. The relevant tables are VCRYPT_IP_LOCATION_MAP, VCRYPT_CITY, VCRYPT_STATE, and VCRYPT_COUNTRY. Many tables contain IP addresses, and VCRYPT_IP_LOCATION_MAP contains foreign keys to each of VCRYPT_CITY, VCRYPT_STATE, and VCRYPT_COUNTRY.

In OAAM, IP addresses are stored as long numerals. The following listing shows how to join a table containing an IP address to VCRYPT_IP_LOCATION_MAP by checking that the address falls within a mapped range.

SELECT ...
FROM vcrypt_tracker_usernode_logs logs
      INNER JOIN vcrypt_ip_location_map loc ON (
             logs.remote_ip_addr >= loc.from_ip_addr AND logs.remote_ip_addr <= loc.to_ip_addr
      )

For user input and display purposes, you will normally want to use the standard four-part IP address. The following listing shows how to display a numeric IP address as a standard IP, where ipField is the field or parameter containing the numeric IP address you want to display.

…
to_char(to_number(substr(to_char(ipField, 'XXXXXXXX'), 1, 3), 'XX')) || '.' ||
      to_char(to_number(substr(to_char(ipField, 'XXXXXXXX'), 4, 2), 'XX')) || '.' ||
      to_char(to_number(substr(to_char(ipField, 'XXXXXXXX'), 6, 2), 'XX')) || '.' ||
      to_char(to_number(substr(to_char(ipField, 'XXXXXXXX'), 8, 2), 'XX'))
...

The following listing shows how to convert a standard IP address to the long numeric format.

…
to_number(substr(ipField, 1, instr(ipField, '.')-1))*16777216 +
      to_number(substr(ipField, instr(ipField, '.', 1, 1)+1, instr(ipField, '.', 1, 2)-instr(ipField, '.', 1, 1)-1))*65536 +
      to_number(substr(ipField, instr(ipField, '.', 1, 2)+1, instr(ipField, '.', 1, 3)-instr(ipField, '.', 1, 2)-1))*256 +
      to_number(substr(ipField, instr(ipField, '.', 1, 3)+1))

25.8.5 Adding Sessions and Alerts

Sessions and alerts exist in the VCRYPT_TRACKER_USERNODE_LOGS and VCRYPT_ALERT tables, respectively. They join to each other via the REQUEST_ID field, and each joins to the geolocation data in the VCRYPT_IP_LOCATION_MAP table via the BASE_IP_ADDR field.

25.8.5.1 Type Code Lookups

The session table and the alert table have several type code fields that can be translated into readable text by following the instructions for looking up User Defined Enums by name. The following tables list the type code fields and the name of the corresponding User Defined Enum.

Table 25-1 VCRYPT_TRACKER_USERNODE_LOGS

Field Name                User Defined Enum Name
AUTH_STATUS               auth.status.enum
AUTH_CLIENT_TYPE_CODE     auth.client.type.enum

Table 25-2 VCRYPT_ALERT

Field Name                User Defined Enum Name
ALERT_LEVEL               alert.level.enum
ALERT_TYPE                alert.type.enum
ALERT_STATUS              alert.status.enum
RUNTIME_TYPE              profile.type.enum


25.8.6 Example

This report will show a list of sessions, with user id, login id, auth status, and location. To start with, you will need to create two date parameters, fromDate and toDate. The query will look like this:

SELECT s.request_id, s.user_id, s.user_login_id, auth.label, country.country_name, state.state_name,
city.city_name
FROM vcrypt_tracker_usernode_logs s
      INNER JOIN vcrypt_ip_location_map loc ON s.base_ip_addr = loc.base_ip_addr
      INNER JOIN vcrypt_country country ON loc.country_id = country.country_id
      INNER JOIN vcrypt_state state ON loc.state_id = state.state_id
      INNER JOIN vcrypt_city city ON loc.city_id = city.city_id
      LEFT OUTER JOIN (
             SELECT enumElement.num_value, enumElement.label
             FROM v_b_enum enum
                   INNER JOIN v_b_enum_elmnt enumElement ON enum.enum_id = enumElement.enum_id
             WHERE enum.prop_name = 'auth.status.enum') auth
             ON s.auth_status = auth.num_value
WHERE (:fromDate IS NULL OR s.create_time >= :fromDate)
      AND (:toDate IS NULL OR s.create_time <= :toDate)
ORDER BY s.create_time DESC

25.8.7 Adding Layouts to the Report Definition

BI Publisher offers several options for designing templates for your reports. Refer to the Oracle Business Intelligence Publisher Report Designer's Guide for instructions.

25.9 Building OAAM Transactions Reports

This section explains how you can build transaction reports.

25.9.1 Get Entities and Transactions Information

To get the Transaction Definition key and Entity Definition keys, follow these steps:

  1. Log into OAAM Admin application and go to Transactions menu and search for the transaction definitions you are interested in.

  2. Go to the General tab and note down the Definition Key of the transaction. This is the "Transaction Definition Key" of the transaction.

  3. Go to the Entities tab of the transaction and note down the distinct list of Entity Names.

  4. Choose the Entities menu option to search for Entities and note the Key of each of those entities. That is the "Entity Definition Key" of the entities.

25.9.2 Discover Entity Data Mapping Information

To discover entity data mapping information that you will need to create your report, follow the procedures in this section.

25.9.2.1 Information about Data Types

For your reference, number data types are listed in the following table.

Table 25-3 Information about Data Types

Data Type   Description
1           String data.
2           Numeric data. The stored value equals the original value * 1000.
3           Date data. Stored as a string in 'YYYY-MM-DD HH24:MI:SS TZH:TZM' format; retrieve it using the same format.
4           Boolean data. Stored as a string: "True" represents TRUE and "False" represents FALSE.


25.9.2.2 Discover Entity Data Details Like Data Type, Row and Column Mappings

To get the entity data details that you will need to construct your report, follow these steps:

  1. Get the Entity Definition Key by looking at the entity definition using the OAAM Admin Console.

  2. Get details of how entity data is mapped using the SQL Query:

    SELECT label,
      data_row,
      data_col,
      data_type
    FROM vt_data_def_elem
    WHERE status =1
    AND data_def_id =
      (SELECT data_def_id
      FROM vt_data_def_map
      WHERE relation_type   ='data'
      AND parent_obj_type   =3
      AND parent_object_id IN
        (SELECT entity_def_id
        FROM vt_entity_def
        WHERE entity_def_key=<Entity Definition Key>
        AND status =1
        )
      )
    ORDER BY data_row ASC,
      data_col ASC;
    

25.9.2.3 Build Entity Data SQL Queries and Views

The above SQL query gives a list of the entity's data fields with their data type and row and column position. Using that information, build a SQL query of the following form that represents the data of the given entity. It is also recommended to create a view based on this SQL query so that it is easier to build reports on it.


Note:

EntityRowN represents an entity data row. If your entity has three distinct data_row values in the output of the query above, you need three EntityRow aliases; name them EntityRow1, EntityRow2, EntityRow3, and add a corresponding join for each, as shown below.


SELECT ent.ENTITY_ID,
    ent.EXT_ENTITY_ID,
    ent.ENTITYNAME,
    ent.ENTITY_KEY,
    ent.ENTITY_TYPE,
    EntityRowN<row>.DATA<col> <column_name>,
    (EntityRowN<row>.NUM_DATA<col> / 1000.0) <numeric_column_name>,
    to_timestamp_tz(EntityRowN<row>.DATA<col>, 'YYYY-MM-DD HH24:MI:SS TZH:TZM') <date_column_name>,
    ent.CREATE_TIME,
    ent.UPDATE_TIME,
    ent.EXPIRY_TIME,
    ent.RENEW_TIME
  FROM
    VT_ENTITY_DEF entDef,
    VT_ENTITY_ONE ent
    LEFT OUTER JOIN VT_ENTITY_ONE_PROFILE EntityRowN
        ON (EntityRowN.ENTITY_ID = ent.ENTITY_ID
          AND EntityRowN.ROW_ORDER = <row>
          AND EntityRowN.EXPIRE_TIME IS NULL)
    LEFT OUTER JOIN VT_ENTITY_ONE_PROFILE EntityRowN+1
        ON (EntityRowN+1.ENTITY_ID = ent.ENTITY_ID
          AND EntityRowN+1.ROW_ORDER = <row+1>
          AND EntityRowN+1.EXPIRE_TIME IS NULL)
  WHERE
    ent.ENTITY_DEF_ID = entDef.ENTITY_DEF_ID AND
    entDef.ENTITY_DEF_KEY = <Entity Definition Key>

25.9.3 Discover Transaction Data Mapping Information

To discover transaction data mapping information that you will need to create your report, follow the procedures in this section.

25.9.3.1 Discover Transaction Data Details Like Data Type, Row and Column Mappings

To get the transaction data details that you will need to construct your report, follow these steps:

  1. Get list of transaction to entity definition mapping Ids using the following SQL:

    SELECT map_id
    FROM 
    vt_trx_ent_defs_map,
            vt_trx_def
    WHERE 
    vt_trx_ent_defs_map.trx_def_id = vt_trx_def.trx_def_id
    AND vt_trx_def.trx_def_key  =<Transaction Definition Key>
    
  2. Use the following SQL query to get details of all transaction data fields, their data type and their row, column mapping:

    SELECT label,
      data_row,
      data_col,
      data_type
    FROM vt_data_def_elem
    WHERE status    =1
    AND data_def_id =
      (SELECT data_def_id
      FROM vt_data_def_map
      WHERE relation_type   ='data'
      AND parent_obj_type   =1
      AND parent_object_id IN
        (SELECT trx_def_id
        FROM vt_trx_def
        WHERE trx_def_key=<Transaction Definition Key>
        AND status       =1
        )
      )
    ORDER BY data_row ASC,
      data_col ASC;
    

25.9.3.2 Build Transaction Data SQL Queries and Views

Use the information from the previous section and build a SQL query that represents transaction data based on the following:

Note: It is recommended to build a view based on this query so that it is easier to build reports.

SELECT trx.LOG_ID,
    trx.USER_ID,
    trx.REQUEST_ID,
    trx.EXT_TRX_ID,
    trx.TRX_TYPE,
    trx.STATUS,
    trx.SCORE,
    trx.RULE_ACTION,
    trx.TRX_FLAG,
    trx.POST_PROCESS_STATUS,
    trx.POST_PROCESS_RESULT,
    TxnDataRowN<row>.DATA<col> <data_column_name>,
    (TxnDataRowN<row>.NUM_DATA<col> / 1000.0) <numeric_column_name>,
    to_timestamp_tz(TxnDataRowN<row>.DATA<col>, 'YYYY-MM-DD HH24:MI:SS TZH:TZM') <date_column_name>,
    (SELECT entTrxMap.MAP_OBJ_ID
    FROM VT_ENT_TRX_MAP entTrxMap
    WHERE entTrxMap.DEF_MAP_ID = <Transaction to Entity Mapping Id of EntityN_Name>
    AND entTrxMap.TRX_ID = trx.LOG_ID
    ) <EntityN_Name>,
    (SELECT entTrxMap.MAP_OBJ_ID
    FROM VT_ENT_TRX_MAP entTrxMap
    WHERE entTrxMap.DEF_MAP_ID = <Transaction to Entity Mapping Id of EntityN+1_Name>
    AND entTrxMap.TRX_ID = trx.LOG_ID
    ) <EntityN+1_Name>,
    trx.CREATE_TIME,
    trx.UPDATE_TIME,
    TRUNC(trx.create_time, 'HH24') created_hour,
    TRUNC(trx.create_time, 'DDD') created_day,
    TRUNC(trx.create_time, 'DAY') created_week,
    TRUNC(trx.create_time, 'MM') created_month,
    TRUNC(trx.create_time, 'YYYY') created_year
  FROM VT_TRX_DEF trxDef,
    VT_TRX_LOGS trx
    LEFT OUTER JOIN VT_TRX_DATA TxnDataRowN
        ON (TxnDataRowN.TRX_ID = trx.LOG_ID
          AND TxnDataRowN.ROW_ORDER = <row>)
    LEFT OUTER JOIN VT_TRX_DATA TxnDataRowN+1
        ON (TxnDataRowN+1.TRX_ID = trx.LOG_ID
          AND TxnDataRowN+1.ROW_ORDER = <row+1>)
  WHERE trx.TRX_DEF_ID = trxDef.TRX_DEF_ID AND
    trxDef.TRX_DEF_KEY = <Transaction Definition Key>
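The two view templates above (Section 25.9.2.3 for entities and Section 25.9.3.2 for transactions) have to be instantiated by hand from the label/data_row/data_col/data_type rows returned by the mapping queries. The following script is an added example, not part of this guide or of the OAAM product: it generates both views from those mapping rows, emitting one LEFT OUTER JOIN per distinct data_row, choosing the select expression from the data type (Table 25-3), and quoting the definition key so that a key containing a quote cannot alter the SQL. The FieldMap rows, definition keys and mapping ids used in the demo are constructed sample values.

```python
import re
from dataclasses import dataclass


# One row of the vt_data_def_elem mapping query (label, data_row, data_col, data_type).
@dataclass(frozen=True)
class FieldMap:
    label: str
    data_row: int
    data_col: int
    data_type: int  # 1 string, 2 numeric (stored * 1000), 3 date string, 4 boolean string


DATE_FMT = "YYYY-MM-DD HH24:MI:SS TZH:TZM"

# Table, alias and join details taken from the two view templates in the text.
KINDS = {
    "entity": dict(
        def_table="VT_ENTITY_DEF entDef", base="VT_ENTITY_ONE ent",
        data_table="VT_ENTITY_ONE_PROFILE", row_alias="EntityRow",
        fk_col="ENTITY_ID", base_id="ent.ENTITY_ID", live_only=True,
        def_join="ent.ENTITY_DEF_ID = entDef.ENTITY_DEF_ID", key_col="entDef.ENTITY_DEF_KEY",
        head=["ent.ENTITY_ID", "ent.EXT_ENTITY_ID", "ent.ENTITYNAME", "ent.ENTITY_KEY",
              "ent.ENTITY_TYPE"],
        tail=["ent.CREATE_TIME", "ent.UPDATE_TIME", "ent.EXPIRY_TIME", "ent.RENEW_TIME"]),
    "transaction": dict(
        def_table="VT_TRX_DEF trxDef", base="VT_TRX_LOGS trx",
        data_table="VT_TRX_DATA", row_alias="TxnDataRow",
        fk_col="TRX_ID", base_id="trx.LOG_ID", live_only=False,
        def_join="trx.TRX_DEF_ID = trxDef.TRX_DEF_ID", key_col="trxDef.TRX_DEF_KEY",
        head=["trx.LOG_ID", "trx.USER_ID", "trx.REQUEST_ID", "trx.EXT_TRX_ID", "trx.TRX_TYPE",
              "trx.STATUS", "trx.SCORE", "trx.RULE_ACTION", "trx.TRX_FLAG",
              "trx.POST_PROCESS_STATUS", "trx.POST_PROCESS_RESULT"],
        tail=["trx.CREATE_TIME", "trx.UPDATE_TIME",
              "TRUNC(trx.CREATE_TIME, 'HH24') created_hour",
              "TRUNC(trx.CREATE_TIME, 'DDD') created_day"]),
}


def sql_ident(label: str) -> str:
    """Turn a display label into a plain Oracle identifier (30-character limit in 11g)."""
    name = re.sub(r"[^A-Za-z0-9]+", "_", label).strip("_").upper()
    if not name or name[0].isdigit():
        name = "C_" + name
    return name[:30]


def sql_literal(value: str) -> str:
    """Quote a string literal, doubling embedded quotes so a key cannot break out of it."""
    return "'" + value.replace("'", "''") + "'"


def select_expr(alias: str, f: FieldMap) -> str:
    """Select expression for one mapped field, following the data type rules in Table 25-3."""
    col = f"{alias}.DATA{f.data_col}"
    if f.data_type == 2:  # numeric values are stored multiplied by 1000
        return f"({alias}.NUM_DATA{f.data_col} / 1000.0) {sql_ident(f.label)}"
    if f.data_type == 3:  # dates are stored as formatted strings
        return f"to_timestamp_tz({col}, '{DATE_FMT}') {sql_ident(f.label)}"
    return f"{col} {sql_ident(f.label)}"  # strings (1) and booleans stored as strings (4)


def data_view_sql(kind: str, def_key: str, fields, entity_maps=None) -> str:
    """Build the entity or transaction data query; entity_maps is {column name: DEF_MAP_ID}."""
    k = KINDS[kind]
    alias = lambda r: f"{k['row_alias']}{r}"  # EntityRow1, EntityRow2, ... as in the Note
    cols = list(k["head"])
    for f in sorted(fields, key=lambda m: (m.data_row, m.data_col)):
        cols.append(select_expr(alias(f.data_row), f))
    for name, map_id in (entity_maps or {}).items():
        # one scalar subquery per transaction-to-entity mapping id, as in the template
        cols.append("(SELECT entTrxMap.MAP_OBJ_ID FROM VT_ENT_TRX_MAP entTrxMap"
                    f" WHERE entTrxMap.DEF_MAP_ID = {int(map_id)}"
                    f" AND entTrxMap.TRX_ID = trx.LOG_ID) {sql_ident(name)}")
    cols += k["tail"]
    joins = []
    for r in sorted({f.data_row for f in fields}):  # one join per distinct data_row
        cond = [f"{alias(r)}.{k['fk_col']} = {k['base_id']}", f"{alias(r)}.ROW_ORDER = {r}"]
        if k["live_only"]:
            cond.append(f"{alias(r)}.EXPIRE_TIME IS NULL")  # current profile row only
        joins.append(f"  LEFT OUTER JOIN {k['data_table']} {alias(r)}\n    ON ({' AND '.join(cond)})")
    return ("SELECT " + ",\n       ".join(cols) + "\n"
            f"  FROM {k['def_table']},\n       {k['base']}\n" + "\n".join(joins) + "\n"
            f" WHERE {k['def_join']}\n   AND {k['key_col']} = {sql_literal(def_key)}")


if __name__ == "__main__":
    # Constructed mapping rows, standing in for the output of the vt_data_def_elem query.
    card = [FieldMap("Card Number", 1, 1, 1), FieldMap("Credit Limit", 1, 2, 2),
            FieldMap("Expiry", 2, 1, 3)]
    print(data_view_sql("entity", "constructed_credit_card", card))
    print(data_view_sql("transaction", "constructed_purchase",
                        [FieldMap("Amount", 1, 1, 2)], {"Card": 42}))
```

Wrap the generated text in CREATE VIEW ... AS to get the view the text recommends; the DEF_MAP_ID values come from the map_id query in Section 25.9.3.1.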

25.9.4 Build Reports

Follow the instructions in this section to build reports for entities and transactions.

25.9.4.1 Building Entity Data Reports

Use the SQL Queries or Views built using the information mentioned in Section 25.9.2.3, "Build Entity Data SQL Queries and Views."

25.9.4.2 Building Transaction Data Reports

Use the SQL Queries or Views built using the information mentioned in Section 25.9.3.2, "Build Transaction Data SQL Queries and Views."

25.9.4.3 Joining Entity Data Tables and Transaction data tables

You can join the transaction data views you built with the entity data views using VT_ENT_TRX_MAP.MAP_OBJ_ID, which is exposed through the pseudo column <EntityN_Name>.

25.10 Adding Translations for the BI Publisher Catalog and Reports

In release 11g, BI Publisher supports two types of translation:

  • Catalog Translation

  • Template (or layout) Translation

Catalog translation enables the extraction of translatable strings from all objects contained in a selected catalog folder into a single translation file; this file can then be translated and uploaded back to BI Publisher and assigned the appropriate language code.

Catalog translation extracts not only translatable strings from the report layouts, but also the user interface strings that are displayed to users, such as catalog object descriptions, report parameter names, and data display names.

Users viewing the catalog will see the item translations appropriate for the user interface Language they selected in their My Account preferences. Users will see report translations appropriate for the Report Locale they selected in their My Account preferences.

Template translation enables the extraction of the translatable strings from a single RTF-based template (including sub templates and style templates) or a single BI Publisher layout template (.xpt file). Use this option when you only need the final report documents translated. For example, your enterprise requires translated invoices to send to German and Japanese customers.

For information describing the process of downloading and uploading translation files, refer to the "Adding Translations for the BI Publisher Catalog and Reports" of the Oracle Fusion Middleware Administrator's and Developer's Guide for Oracle Business Intelligence Publisher.

25.11 Use Cases

The following section provides a scenario of how Oracle Adaptive Access Manager's reports are used.

25.11.1 Use Case: BIP Reports

You are Marty, a business analyst for Acme Corp. You have been asked to gather some aggregate data on the impact to customers by the Oracle Adaptive Access Manager security system.

Directions: Run the KBA challenge statistics report and rules aggregate breakdown report. Also run the recent logins report, filtering for sessions that resulted in a block. Run all the reports with XLS output so you can share the results with your business unit.

25.11.1.1 Description

This use case demonstrates how to use BI Publisher.

25.11.1.2 Steps

This use case demonstrates how to use BI Publisher reports.

  1. Log in to the BI Publisher as an Analyst.

  2. Select OAAM under Shared Folders.

  3. Under oaam folder, select oradb.

  4. Locate the report to run.

    1. Under the Common folder, click RecentLogins to view the RecentLogins report.

    2. Under the KBA folder, click ChallengeStatistics to view the Challenge Statistics report.

    3. Under the KBA folder, click QuestionStatistics to view the QuestionStatistics report

    4. Under the Security folder, click RulesBreakdown to view the RulesBreakdown report.

  5. For the RecentLogins report, select Blocked in Auth Status as a search criteria.

  6. Repeat the following steps for each report.

    1. Click View.

    2. In Template menu, select Excel2000 and click Export.

25.11.2 Use Case: LoginSummary Report

The LoginSummary report displays an aggregate login summary for the designated date range.

  1. Log in to Oracle BI Publisher using a URL of the form:

    http://host.domain.com:port/xmlpserver/

  2. On the main page, click OAAM under Shared Folders and then oradb.

  3. Under the Security folder, click LoginSummary to view the LoginSummary report.

    The Login Summary Report opens with the default time range of one month.

    The summary graph shows the following:

    • The count of sessions

    • The count of users

    • The count of registrations

    • The count of blocks

  4. Save or export the report as desired.


24 Using the Dashboard

The Oracle Adaptive Access Manager Dashboard is an application that provides a high-level view of real monitor data.

This chapter provides detailed instructions on how to use the dashboard to monitor real-time performance and activity. It contains the following topics:

24.1 Introduction

This section introduces you to the dashboard and how it is used.

24.1.1 What is a Dashboard?

The Oracle Adaptive Access Manager Dashboard is an application that provides a high-level view of real monitor data. Monitor data is a representative sample of data.

It presents a real-time view of activity via aggregates and trending.

The Dashboard comprises three sections that enable you to focus your review on relevant data:

  • Performance statistics

  • Expanded summary data

  • Statistics based on location, scoring, device, security, and performance

The dashboard reports help you visualize and track trends. With a dashboard report you can check the fraud and alerts in your system. The dashboard also helps you make decisions based on user, location, and device profiles, allowing easy identification of risks taking place in the system.

The level of access to the dashboard (user interface views and controls) is based on roles and company requirements.

24.1.2 Common Terms and Definitions

This section contains common dashboard terms and definitions.

Table 24-1 Common Dashboard Terms and Definitions

Refresh: Rate at which the Dashboard is updated with new data. The choices are 30 seconds, 1 minute, and 10 minutes.

Performance Panel: Section 1 of the Dashboard; shows real-time data.

Summary Panel: Section 2 of the Dashboard; shows aggregate data.

Dashboard Panel: Section 3 of the Dashboard; shows historical data.

Data type: Type of information in the Oracle Adaptive Access Manager system.

Range: Time frame. The choices are Today, Last 1 day, Last 7 days, Last 30 days, and Last 90 days.

Average Process Time: Average number of milliseconds for execution.

Blocked Transactions: Transactions that were blocked during the transaction checkpoint.

High Alert (Logins): High level alerts triggered during the login checkpoint.

High Alert (Transactions): High level alerts triggered during the transaction checkpoint.

KBA Challenges: Challenge question responses.

OTP Challenges: OTP challenge responses.


24.2 Navigation

From the Navigation tree, double-click Dashboard. The Dashboard appears on the right side of OAAM Admin.

The dashboard is divided into three sections:

  • The performance panel (Section 1) presents real-time data. It shows the performance of the traffic that is entering the system. A trending graph is shown of the different types of data based on performance.

  • The summary panel (Section 2) presents aggregate data based on time range and different data types.

  • The dashboard panel (Section 3) presents historical data. The detailed dashboards are used for trending data over time ranges.

24.3 Using the Dashboard in Oracle Adaptive Access Manager

The Oracle Adaptive Access Manager Dashboard uses real-time data to provide a quick overview of the users and devices that have generated alerts and of all alerts by geographic location. It displays different levels of security to help you analyze online traffic, identify suspicious behavior, and design rules for fraud prevention. The dashboard also offers both total views and trending views of performance levels.

24.3.1 Performance

This section provides information on viewing the total view and trending views.

24.3.1.1 Viewing Statistics in Total View and Trending View

The Performance panel (Section 1) displays a total view on the left and a trending view on the right.

  • The total view shows the statistics on the current volume or rate of logins at the present time versus the maximum.

    Max - the maximum number of logins per minute

    Current - the current number of logins per minute

  • The trending view provides statistics on the selected data (how the data progresses) during the past hour.

24.3.1.2 Viewing Performance Data

To view the performance data:

  1. Select the data type you want from the Data list.

    The data types provided are:

    Table 24-2 Performance Data Types

    Logins per minute: Number of successful logins per minute

    KBA challenges per minute: Number of challenge question responses per minute

    OTP challenges per minute: Number of OTP challenge responses per minute

    Blocked logins per minute: Number of blocked logins per minute

    Blocked transactions per minute: Number of blocked transactions per minute

    Transactions per minute: Number of successful transactions per minute

    High Alerts (Logins) per minute: Number of high alerts triggered during the login checkpoint per minute

    High Alert (Transactions) per minute: Number of high alerts triggered during the transaction checkpoint per minute


  2. To select more than one data type, control-click the types you want.

    Note: The Performance panel is intended for viewing between 1 and 3 data points at a time.

  3. To change the refresh rate, select the refresh rate from the Refresh list.

Figure 24-1 Performance Panel

The Performance panel is shown.

Graphs are shown in different colors, which are generated on the fly, to distinguish the data schemes that are represented.

The performance panel also provides tooltips so that you can view more detailed information about the data points you are interested in. To view information using tooltips, move the mouse to the desired data point.

24.3.1.3 Difference Between Performance Panel and Performance Dashboard

The Performance panel (Section 1) displays real-time interpolations that are updated at the selected rate. The numbers displayed are not totals even though they may correspond numerically to totals in many instances.

The Performance dashboard is one of the five detailed dashboards in Section 3. Section 3 provides accurate totals and trends them over time.

A good analogy for the difference between these two views is a speedometer. Section 1 is like a speedometer. While driving, the speedometer may display 60 m.p.h. This does not mean that during the hour you have traveled 60 miles. In reality, you would have traveled 25 miles if the speed fluctuated or you stopped for gas. Section 1 shows the rate at which you are traveling; Section 3 shows your actual distance traveled.
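The speedometer distinction above, as an added example that is not part of this guide or of OAAM: the Performance panel reports a per-minute rate (the latest one-minute sample and the highest sample seen), while the Performance dashboard reports the actual total. The login timestamps are constructed sample data; the function and field names are this example's own.

```python
"""Added example (not OAAM code): rate (Section 1) versus total (Section 3).
The login timestamps below are constructed sample data."""
from collections import Counter

def logins_per_minute(timestamps):
    """Bucket login timestamps (epoch seconds) into one-minute counts and return
    {minute_index: count} for every minute of the span, zero minutes included."""
    if not timestamps:
        return {}
    first, last = min(timestamps) // 60, max(timestamps) // 60
    counts = Counter(t // 60 for t in timestamps)
    return {m: counts.get(m, 0) for m in range(first, last + 1)}

def performance_panel(timestamps):
    """Section 1 view: Current = rate in the latest minute, Max = highest rate seen.
    Neither number is a total, which is the point of the speedometer analogy."""
    per_minute = logins_per_minute(timestamps)
    if not per_minute:
        return {"current": 0, "max": 0}
    return {"current": per_minute[max(per_minute)], "max": max(per_minute.values())}

def performance_dashboard(timestamps):
    """Section 3 view: the actual total over the span, and how many minutes it covers."""
    return {"total": len(timestamps), "minutes": len(logins_per_minute(timestamps))}

# Constructed data: 60 logins in one minute, three idle minutes, then 10 logins.
BASE = 1_700_000_040  # minute-aligned (divisible by 60) so each burst stays in one bucket
SAMPLE_LOGINS = [BASE + i for i in range(60)] + [BASE + 240 + i for i in range(10)]

if __name__ == "__main__":
    print(performance_panel(SAMPLE_LOGINS))      # {'current': 10, 'max': 60}
    print(performance_dashboard(SAMPLE_LOGINS))  # {'total': 70, 'minutes': 5}
```

Reading the panel alone, a Max of 60 logins per minute over a five-minute span suggests up to 300 logins; the dashboard total shows the real figure is 70, because the rate fell to zero for three of those minutes.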

24.3.2 Summary

The Summary panel displays an overview or aggregate of the selected data type for the specified range or time frame.

Data Types

Table 24-3 presents the data types in the Summary panel.

Table 24-3 Summary Data Types

Login Sessions: Login sessions

Success Logins: Successful logins

Temporary Allow Logins: Logins that occurred while a temporary allow was active

Blocked Logins: Logins that were blocked during the login checkpoint

High Alert (Logins): High level alerts triggered during the login checkpoint

KBA Challenges: Challenge question responses

OTP Challenges: OTP challenge responses

Transaction Sessions: Transaction ID

Success Transactions: Successful transactions

Blocked Transactions: Transactions that were blocked during the transaction checkpoint

High Alert (Transactions): High level alerts triggered during the transaction checkpoint

Average Rule Process Time: Average number of milliseconds for rule execution

Average Policy Process Time: Average number of milliseconds for policy execution

Average Checkpoint Process Time: Average number of milliseconds for checkpoint execution


To select a data type, click the one you want from the Data list.

To select more than one data type, control-click the types you want.

Figure 24-2 Summary panel

The Summary panel is shown.

Refresh

To change the refresh rate, click the Refresh list and then click the refresh rate you want.

Range

To change the range or timeframe, click the Range list and then click the range you want.

24.3.3 Dashboards

Section 3 provides access to five different dashboard types:

Figure 24-3 Five Dashboards

The dashboard choices are shown.

For each dashboard type you can select the type of data you want to see from a menu of data types. For example, if you select the Location dashboard, a Country list appears that enables you to select the country you want.

Figure 24-4 Choices After Data Type Selection

The screen shows the choices for a data type.

24.3.3.1 Viewing Data Type by Location

You can view data type by location.

  1. In Section 3, in the Dashboard drop-down menu, select Location.

    The section becomes a Location dashboard.

  2. In the Data drop-down menu, select the data type you want to view by location.

    The data types you can select to view by country are the following:

    Table 24-4 Data Types by Location

    Alerts: Alerts that have been triggered, by country

    Actions: Actions that have been taken, by country

    KBA Challenges: KBA challenges that have been triggered, by challenge result and country

    OTP Challenges: OTP challenges that have been triggered, by challenge result and country

    Routing Type: Routing types by country

    Sessions: Sessions by country

    Temporary Allow: Temporary allows that have been made, by country


  3. To narrow the list to a specific Organization ID, select an application from the Organization ID drop-down menu.

  4. To narrow the list to a specific timeframe, select a range from the Range drop-down menu.

  5. To narrow the list to a specific checkpoint, select a checkpoint from the Checkpoint drop-down menu.

  6. To narrow the list to a specific country, in the Country list, click the country you want.

  7. If you selected the alerts data type, you can narrow the list further by selecting the alert level you want from the Alert Level box.

  8. If you selected the alerts or temporary allow data type, you can narrow the list further by selecting the checkpoint you want from the Checkpoint list.


Note:

For KBA challenges from phone challenges, the country will be listed as "Data Not Available". For these records, the trending graph will not be displayed.


24.3.3.2 Viewing a List of Scoring Breakdowns

To view a list of scoring breakdowns:

  1. In the Dashboard list, click Scoring.

    The Scoring dashboard appears and defaults to risk score.

  2. To narrow the list to a specific checkpoint, in the Checkpoint list, click the Checkpoint you want.

  3. To narrow the list to a specific timeframe, in the Ranges list, click the range you want.

  4. Click Refresh.

24.3.3.3 Security Dashboard

Items in the Dashboard list are accessible based on your role. Only fraud investigators can access the Security dashboard.

24.3.3.4 Viewing a List of Rules or Alerts by Security

To view a list of rules or alerts by security:

  1. In the Dashboard list, click Security.

    The Security dashboard appears and defaults to rules.

  2. To specify a different data type, on the Data list, click the data type you want.

    The data types provided are:

    • Rules

    • Alerts

  3. To narrow the list to a specific Organization ID, on the Organization ID list, click the Organization ID you want.

  4. To narrow the list to a specific checkpoint, in the Checkpoint list, click the checkpoint you want.

  5. To narrow the list to a specific timeframe, in the Ranges list, click the range you want.

  6. Click Refresh.

24.3.3.5 Viewing Browser and Operating System Data by Device

To view browser and operating system data by device:

  1. In the Dashboard list, click Device.

    The Device dashboard appears and defaults to browser/operating system.

  2. To narrow the list to a specific Organization ID, in the Organization ID list, click the Organization ID you want.

  3. To narrow the list to a specific timeframe, in the Ranges list, click the range you want.

  4. Click Refresh.

24.3.3.6 Viewing a Data Type by Performance

To view a data type by performance:

  1. In the Dashboard list, click Performance.

    The Performance dashboard appears and defaults to rules.

  2. To specify a different data type, in the Data list, click the data type you want.

    The data types provided are:

    Table 24-5 Data Type by Performance

    Rules: Rules currently in the system

    Policies: Policies currently in the system

    Checkpoints: Points in a session at which rules are run

    APIs: Calls into the system through the SOAP interface

    Tracker APIs: Calls into the tracker subsystem

    Authorization APIs: Calls into the authorization subsystem

    Common APIs: Miscellaneous calls

    CC APIs: Calls into the Cases subsystem

    Rules APIs: Calls to the rules processor

    Figure 24-5 Viewing Data Type by Performance

    This illustrates viewing a data type by performance.

  3. If you selected the rules or policies data type, you can narrow the list further by selecting the checkpoint you want from the Checkpoint list.

  4. To view data trended over a specific timeframe, in the Ranges list, click the range you want.

  5. To trend data for a specific data type item, select the row from the Performance table.

  6. Click Refresh.

24.3.3.7 Using the Total and Trending Views

The left side of the dashboard panel displays a total view and the right side displays a trending view of the selected data type.

The total and trending view sections are placed side by side, and you can toggle between the views to look at the details of one more clearly. For example, you can expand the trending view section to see the entire legend instead of a portion of it.

You must select a row from the table in the total view to see data in the trending view. After selecting one or more rows, the trending view shows the corresponding graph or graphs of the data. Graphs are shown in different colors to distinguish the data schemes that are represented. The colors are generated on the fly; they are not predefined.

Figure 24-6 Total and trending views

The screenshot shows the total and trending views.

24.3.3.8 Viewing the Trending View Graph

The graph in the trending view adjusts accordingly based on the information being shown. The Y-coordinate will adjust depending on the highest data point. The sample will adjust based on the range. Also, whether you can choose to see data by hours, days, weeks, or months will depend on what is selected for the range.

24.3.3.9 View by Range

To narrow the data gathered to a specific time frame, from the Range list, select Today, Last 1 day, Last 7 days, Last 30 days, or Last 90 days.

24.3.3.10 View by Sample

To view data by a periodic interval, from the Samples list, select hourly, daily, weekly, or monthly. The choices available will depend on the range selected.

For example, if you have collected data over a period of six months and want to show how much data was collected each day during the last month, you would choose daily samples trended over a month.

24.3.3.11 Last Updated

The "Last Updated" field, which also appears in the performance panel (Section 1), is updated when you select a different data type.

24.3.3.12 Using Tooltips

Tooltips are particularly useful if the data points are shown closely together (packed); you can use the tooltip to gather information. For example, you may want to view data for every 1-hour sample.

Figure 24-7 Tooltips

Dashboard tooltips are shown.

24.4 Use Cases

This section provides a scenario of how Oracle Adaptive Access Manager's dashboards are used.

24.4.1 Use Case: Trend Rules Performance on Dashboard

Using the dashboard, Security Administrators, who plan, configure, and deploy policies, can monitor the performance of rules and modify them if necessary.

Rules and policies can potentially have a performance impact. For example, suppose the Security Administrator defines a new policy that checks whether a user is using an email address that has never been used before. If the bank has more than 1 billion records in the database, performing that check against all the records for every transaction has a great impact on performance.

To trend rule performance on the dashboard (find the average rule processing times for the past week with daily samples):

  1. Log in to OAAM Admin.

  2. In the Navigation tree, select Dashboard. The dashboard is displayed.

    The dashboard is divided into three sections:

    • The performance panel on the top presents real-time data. It shows the performance of the traffic that is entering the system. A trending graph is shown of the different types of data based on performance.

    • The summary panel in the middle presents aggregate data based on time range and different data types.

    • The dashboard at the bottom presents historical data. The detailed dashboards are used for trending data over time ranges.

  3. In the performance dashboard in Section 3, select Performance from the Dashboard list.

  4. Select Rules from the Data list.

    You have selected Rules to view rule performance.

    The rules appear in the Performance - Rules table.

  5. Narrow the data to view by a specific time frame. To view average rule processing times for the past week, in the Range list, select Last 7 Days.

    The average processing time for each rule is shown in the Average Processing Time column of the Performance-Rules table.

  6. Select the sample to use to trend the data. To specify that you want to use daily samples to trend the performance data, select Daily from the Sample list.

  7. View the specific trend graph. Click a specific rule in the Performance - Rules table to see the performance trend graph.

24.4.2 Use Case: View Current Activity

Business Analysts, Security Administrators, and Fraud Investigators are interested in actions that affect the user.

The Dashboard panel (Section 3) displays a total view and a trending view of the selected data type.

To monitor actions:

  1. View the number of blocks

  2. View the number of KBA challenges

  3. View the number of OTP challenges

  4. Trend the information over time, taking note of spikes and number of customers affected.

24.4.3 Use Case: View Aggregate Data

Business Analysts, Security Administrators, and Fraud Investigators are interested in actions that affect the user.

To obtain up-to-date numbers for user access and actions, view the Summary panel (Section 2), which provides an aggregate of the data.

24.4.4 Use Cases: Additional Security Administrator and Fraud Investigator Use Cases

Security Administrators and Fraud Investigators are interested in viewing:

  • Current activity and trended activity over time

  • Average performance numbers and trended performance averages over time

  • Distribution of events trended by geography

  • Security events trended over time

Viewing Current Activity and Activity Trended Over Time

Security Administrators and Fraud Investigators are interested in viewing current activity and activity trended over a short period of time.

  1. Log in to OAAM Admin.

  2. Navigate to the Dashboard.

  3. In the Performance Panel (Section 1) select a data type from the Data list.

  4. View statistics in total view and trending view.

    • Total view - current activity over short period of time

    • Trending view - current activity trended over a short period of time

  5. In the Summary Panel (Section 2), view a summary of the current activity for a range.

    • Sessions

    • Actions

    • Alerts

    • and others

Average Performance Numbers and Trended Performance Averages Over Time

Security Administrators and Fraud Investigators are interested in viewing average performance numbers and trended performance averages over time.

  1. Log in to OAAM Admin.

  2. Navigate to the Dashboard.

  3. In the Performance dashboard (in Section 3), view the following by performance.

    • Rules

    • APIs

    • and others

Distribution of Events Trended by Geography

Security Administrators and Fraud Investigators are interested in viewing a distribution of events trended by geography.

  1. Log in to OAAM Admin.

  2. Navigate to the Dashboard.

  3. In the Performance dashboard (in Section 3), view events by location.

    • Sessions

    • Actions

    • Alerts

    • and others

Security Events Trended Over Time

Security Administrators and Fraud Investigators are interested in viewing security events trended over time.

  1. Log in to OAAM Admin.

  2. Navigate to the Dashboard.

  3. In the Performance dashboard (in Section 3), view security events.

    • Rules

    • Alerts

    • and others

24.4.5 Use Cases: Additional Business Analyst Use Cases

Business Analysts are interested in viewing:

  • Customer behavior trend

    • Operating system browser combinations

    • KBA challenges

    • Blocks

  • Distribution of events trended by geography

    • sessions

    • actions

    • alerts

    • and so on

24.4.6 Use Case: Viewing OTP Performance Data

  1. In the Navigation tree, double-click Dashboard.

  2. Check Section 1 of the Dashboard for OTP Challenges per minute.

    The graph displays the OTP Challenges per minute statistics.

  3. Check Section 2 of the Dashboard.

    The summary table of the Dashboard displays the Count of OTP Challenges for the specified time period.

  4. Check Section 3 of the Dashboard under Locations.

    The Location Dashboard displays performance statistics, such as count, percentage, and others.


11 OAAM Security and Autolearning Policies

This chapter describes the flows for the main scenarios in authentication and the policies and rules that are shipped with the product as part of the OAAM base snapshot. This chapter also includes autolearning policies that are shipped out of the box.

Policies are also included as separate policy files that you can import, but they require that you import questions, entities, and patterns, and set up autolearning-related properties.

11.1 Authentication Flow

Figure 11-1 shows the authentication flow of OAAM server when a user logs in to an application that is protected by Oracle Adaptive Access Manager.

Figure 11-1 Authentication Flow

The authentication flow is shown.

11.2 Forgot Password Flow

The Forgot Password flow allows the users to reset their password after successfully answering all challenge questions.


Note:

The Forgot Password feature requires Oracle Identity Manager integration.


Figure 11-2 Forgot Password Flow

The Forgot Password flow is shown.

11.3 Reset Password (KBA-Challenge) Flow

Challenge Reset enables users to reset their challenge registration.

Figure 11-3 shows the Reset Password flow.

Figure 11-3 Reset Password

Reset password flow is shown.

11.4 OAAM Checkpoints and Responsibilities

Table 11-1 lists the OAAM checkpoints and their responsibilities.

Table 11-1 OAAM Checkpoints and Responsibilities

Pre-Authentication: Determine if the request has to be BLOCKED

Device Identification: Determine how to identify the device

AuthentiPad: Determine which authentication pad to use

Post Authentication: Determine if the user has to be ALLOWED or BLOCKED

Registration: Determine which pieces of user information are pending registration

Challenge: Determine which mechanism to use to challenge the user

CSR KBA Challenge: Applicable when the customer calls in for service. Resetting settings is performed through the CSR KBA Challenge.

Forgot Password: Activity to reset the password, performed based on a challenge

Preferences: Sets the user information (image, phrase, OTP settings, and so on)


11.5 Out-of-the-Box OAAM Policies

OAAM comes standard with out-of-the-box policies pre-built to detect suspicious activity.

11.5.1 OAAM Pre-Authentication

This policy stops fraudulent login attempts before the password is entered.

11.5.1.1 Policy Summary

Table 11-2 provides a general summary of the OAAM Pre-Authentication policy.

Table 11-2 OAAM Pre-Authentication Policy Summary

Purpose: Stops fraudulent login attempts before the password is entered.

Scoring Engine: Maximum

Weight: 100

Group Linking: All Users


11.5.1.2 OAAM Pre-Authentication Flow Diagram

Figure 11-4 illustrates the OAAM Pre-Authentication flow.

Figure 11-4 OAAM Pre-Authentication Flow

OAAM Pre-Authentication Block is shown.

11.5.1.3 OAAM Pre-Authentication: Details of Rules

Table 11-3 shows the rule conditions and parameters in the OAAM Pre-Authentication Policy.

Table 11-3 OAAM Pre-Authentication Policy Rules Details

Rule: Blacklisted Countries
  Condition: Location: In Country group
  Parameters: Is In List = TRUE; Country in country Group = OAAM Restricted Countries
  Results: Action = OAAM Block; Alert = OAAM Restricted Country; Score = 1000; Weight = 100

Rule: Blacklisted devices
  Condition: Device: Device in group
  Parameters: Is in group = TRUE; Device in group = OAAM Restricted Devices
  Results: Action = OAAM Block; Alert = OAAM Restricted Device; Score = 1000; Weight = 100

Rule: WEBZIP used
  Condition: Device: Browser header substring
  Parameters: Substring to check = WEBZIP
  Results: Action = OAAM Block; Alert = OAAM Restricted Software; Score = 1000; Weight = 100

Rule: Blacklisted IPs
  Condition: Location: IP in group
  Parameters: Is in List = TRUE; IP List = OAAM Restricted IPs
  Results: Action = OAAM Block; Alert = OAAM Restricted IP; Score = 1000; Weight = 100

Rule: Blacklisted ISPs
  Condition: Location: ISP in group
  Parameters: Is in List = TRUE; ISP List = OAAM Restricted ISPs
  Results: Action = OAAM Block; Alert = OAAM Restricted ISP; Score = 1000; Weight = 100

Rule: Blacklisted users
  Condition: User: In Group
  Parameters: Is in group = TRUE; User Group = OAAM Restricted Users
  Results: Action = OAAM Block; Alert = OAAM Restricted User; Score = 1000; Weight = 100


11.5.1.4 Trigger Combinations

None
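The rules in Table 11-3 as a small executable model, added here as an example that is not part of this guide or of OAAM: each row becomes a predicate over a session record, and the results are combined with the Maximum scoring engine named in Table 11-2. The group contents and the session are constructed sample data, and the way a rule's weight scales its score (score multiplied by weight over 100) is an assumption of this model, as are the Session and Rule names.

```python
"""Added example (not OAAM code): a model of the OAAM Pre-Authentication policy
in Table 11-3 combined with the Maximum scoring engine of Table 11-2.
Group contents and the session record are constructed sample data; the
score * weight / 100 scaling is an assumption of this model."""
from dataclasses import dataclass
from typing import Callable

# Constructed stand-ins for the OAAM restricted groups referenced by the rules.
GROUPS = {
    "OAAM Restricted Countries": {"XX"},        # placeholder country code
    "OAAM Restricted Devices": {"dev-0042"},
    "OAAM Restricted IPs": {"203.0.113.7"},     # documentation-range address
    "OAAM Restricted ISPs": {"Example Hosting"},
    "OAAM Restricted Users": {"mallory"},
}

@dataclass
class Session:
    user: str
    device_id: str
    ip: str
    isp: str
    country: str
    user_agent: str

@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]   # True means the rule triggers
    alert: str
    action: str = "OAAM Block"
    score: int = 1000
    weight: int = 100

# One Rule per row of Table 11-3; every row blocks with score 1000 and weight 100.
PRE_AUTH_RULES = [
    Rule("Blacklisted Countries", lambda s: s.country in GROUPS["OAAM Restricted Countries"], "OAAM Restricted Country"),
    Rule("Blacklisted devices", lambda s: s.device_id in GROUPS["OAAM Restricted Devices"], "OAAM Restricted Device"),
    Rule("WEBZIP used", lambda s: "WEBZIP" in s.user_agent, "OAAM Restricted Software"),
    Rule("Blacklisted IPs", lambda s: s.ip in GROUPS["OAAM Restricted IPs"], "OAAM Restricted IP"),
    Rule("Blacklisted ISPs", lambda s: s.isp in GROUPS["OAAM Restricted ISPs"], "OAAM Restricted ISP"),
    Rule("Blacklisted users", lambda s: s.user in GROUPS["OAAM Restricted Users"], "OAAM Restricted User"),
]

def evaluate_pre_auth(session: Session, rules=PRE_AUTH_RULES, policy_weight: int = 100) -> dict:
    """Evaluate every rule and combine the results with the Maximum scoring engine.

    Maximum takes the highest weighted rule score rather than summing them, so a
    single restricted-list hit already reaches 1000 and a second hit cannot raise it.
    Actions and alerts from all triggered rules are kept for the session record.
    """
    triggered = [r for r in rules if r.condition(session)]
    rule_score = max((r.score * r.weight // 100 for r in triggered), default=0)
    return {
        "score": rule_score * policy_weight // 100,   # policy weight applied the same way (assumption)
        "actions": sorted({r.action for r in triggered}),
        "alerts": [r.alert for r in triggered],
        "rules": [r.name for r in triggered],
    }

if __name__ == "__main__":
    s = Session("alice", "dev-1", "203.0.113.7", "Example ISP", "US", "Mozilla/5.0 WEBZIP")
    print(evaluate_pre_auth(s))   # score 1000, two alerts, one action: OAAM Block
```

Because every Pre-Authentication rule carries the same score and weight, the engine's output is either 0 or 1000; what varies per session is the list of alerts, which is what an investigator sees in the session details.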

11.5.2 OAAM AuthenticationPad

This policy determines the OAAM Authentication Pad to use.

11.5.2.1 OAAM AuthenticationPad Policy Summary

Table 11-4 provides a general summary of the OAAM AuthentiPad Policy.

Table 11-4 OAAM AuthenticationPad Policy Summary

Purpose: Determines which OAAM Authentication Pad to use.

Scoring Engine: Average

Weight: 100

Group Linking: All Users


11.5.2.2 OAAM AuthenticationPad Flow Diagram

Figure 11-5 shows the OAAM AuthentiPad flow.

Figure 11-5 OAAM AuthenticationPad Flow

OAAM Authentication Pad is shown.

11.5.2.3 OAAM AuthenticationPad: Details of Rules

Table 11-5 shows the rule conditions and parameters in the OAAM AuthenticationPad Policy.

Table 11-5 OAAM Authentication Pad Policy Rules Details

Rule: Challenge SMS
  Condition: Session: Check value in comma separated values
  Parameters: Parameter Key = AvailableChallengeTypes; Value to Check = ChallengeSMS; Return if in list = TRUE
  Results: Action = OAAM Text Pad; Alert = NONE; Score = 0

Rule: Registered Image and Caption
  Condition: User: Authentication Image Assigned
  Parameters: Is Assigned = TRUE
  Results: Action = OAAM Personalized Pad; Alert = NONE; Score = 0

Rule: Key Pad User
  Condition: User: Authentication Mode
  Parameters: Authentication Mode is = Full Keypad
  Results: Action = OAAM KeyPad; Alert = NONE; Score = 0

Rule: Challenge Email
  Condition: Session: Check value in comma separated values
  Parameters: Parameter Key = AvailableChallengeTypes; Value to Check = ChallengeEmail; Return if in list = TRUE
  Results: Action = OAAM Text Pad; Alert = NONE; Score = 0

Rule: Register Challenge Question
  Condition: Session: Check value in comma separated values
  Parameters: Parameter Key = AvailableChallengeTypes; Value to Check = RegisterChallengeQuestion; Return if in list = TRUE
  Results: Action = OAAM Question Pad; Alert = NONE; Score = 0

Rule: Check if mobile browser is used
  Condition: DEVICE: Check if device is using Mobile Browser
  Parameters: Mobile Browsers Group = OAAM Mobile Browsers Group; Default Return Value = FALSE
  Results: Action = NONE; Alert = OAAM Mobile Users; Score = 0

Rule: Challenge Question
  Condition: Session: Check value in comma separated values
  Parameters: Parameter Key = AvailableChallengeTypes; Value to Check = ChallengeQuestion; Return if in list = TRUE
  Results: Action = OAAM Question Pad; Alert = NONE; Score = 0


11.5.2.4 OAAM AuthenticationPad: Trigger Combinations

Table 11-6 describes the OAAM Authentipad trigger combinations.

Table 11-6 OAAM AuthenticationPad Policy Trigger Combinations

Description: Empty in the snapshot (Detect Mobile Browser)
  Combination Detail: Check if Mobile Browser is Used = TRUE; Challenge SMS = Any; Registered Image and Caption = Any; Key Pad User = Any; Challenge Email = Any; Challenge Question = Any; Register Challenge Question = Any
  Result: Action = OAAM HTML Pad; Alert = NONE; Score = 0

Description: Empty in the snapshot (Unregistered Users)
  Combination Detail: Check if Mobile Browser is Used = Any; Register Challenge Question = Any; Challenge SMS = FALSE; Registered Image and Caption = FALSE; Key Pad User = FALSE; Challenge Email = FALSE; Challenge Question = FALSE
  Result: Action = OAAM Text Pad; Alert = NONE; Score = 0

Description: Empty in the snapshot (Registered Users)
  Combination Detail: Register Challenge Question = Any; Check if Mobile Browser is Used = Any; Challenge SMS = FALSE; Registered Image and Caption = TRUE; Key Pad User = FALSE; Challenge Email = FALSE; Challenge Question = FALSE
  Result: Action = OAAM Text Pad Personalized; Alert = NONE; Score = 0
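How the AuthenticationPad rules (Table 11-5) and trigger combinations (Table 11-6) resolve to a pad, as an added example that is not part of this guide or of OAAM. The session fields, the mobile-browser group contents and the names PadSession, in_csv and choose_pad are this example's own. It assumes that trigger combinations are checked in table order with the first match deciding the result, and that the individual rule actions apply only when no combination matches; "Any" entries, and rules a row does not mention, match either outcome.

```python
"""Added example (not OAAM code): AuthenticationPad rules (Table 11-5) and
trigger combinations (Table 11-6). Session values and the mobile-browser group
are constructed; first-match ordering of combinations is an assumption."""
from dataclasses import dataclass

# Constructed stand-in for the OAAM Mobile Browsers Group.
MOBILE_BROWSERS_GROUP = {"Mobile Safari", "Android Browser"}

@dataclass
class PadSession:
    available_challenge_types: str   # comma-separated, as the AvailableChallengeTypes parameter key
    image_assigned: bool             # User: Authentication Image Assigned
    authentication_mode: str         # User: Authentication Mode, for example "Full Keypad"
    browser: str

def in_csv(value: str, csv: str) -> bool:
    """Session: Check value in comma separated values, with Return if in list = TRUE."""
    return value in [v.strip() for v in csv.split(",")]

# Rule name -> (condition, action). Every row of Table 11-5 has Alert = NONE and Score = 0,
# except the mobile-browser rule, which has no action and raises OAAM Mobile Users.
PAD_RULES = {
    "Challenge SMS": (lambda s: in_csv("ChallengeSMS", s.available_challenge_types), "OAAM Text Pad"),
    "Registered Image and Caption": (lambda s: s.image_assigned, "OAAM Personalized Pad"),
    "Key Pad User": (lambda s: s.authentication_mode == "Full Keypad", "OAAM KeyPad"),
    "Challenge Email": (lambda s: in_csv("ChallengeEmail", s.available_challenge_types), "OAAM Text Pad"),
    "Register Challenge Question": (lambda s: in_csv("RegisterChallengeQuestion", s.available_challenge_types), "OAAM Question Pad"),
    "Check if mobile browser is used": (lambda s: s.browser in MOBILE_BROWSERS_GROUP, None),
    "Challenge Question": (lambda s: in_csv("ChallengeQuestion", s.available_challenge_types), "OAAM Question Pad"),
}

# Table 11-6 in order: (description, expected rule outcomes, action).
# A rule missing from a row is "Any" and matches either outcome.
TRIGGER_COMBINATIONS = [
    ("Detect Mobile Browser", {"Check if mobile browser is used": True}, "OAAM HTML Pad"),
    ("Unregistered Users",
     {"Challenge SMS": False, "Registered Image and Caption": False, "Key Pad User": False,
      "Challenge Email": False, "Challenge Question": False}, "OAAM Text Pad"),
    ("Registered Users",
     {"Challenge SMS": False, "Registered Image and Caption": True, "Key Pad User": False,
      "Challenge Email": False, "Challenge Question": False}, "OAAM Text Pad Personalized"),
]

def evaluate_pad_rules(session: PadSession) -> dict:
    """Outcome (True = triggered) of every rule in Table 11-5."""
    return {name: bool(cond(session)) for name, (cond, _) in PAD_RULES.items()}

def choose_pad(session: PadSession):
    """Return (source, result): the first matching trigger combination's action,
    or ("rules", [actions]) from the triggered rules when no combination matches."""
    outcomes = evaluate_pad_rules(session)
    for description, expected, action in TRIGGER_COMBINATIONS:
        if all(outcomes[rule] == want for rule, want in expected.items()):
            return ("combination: " + description, action)
    actions = [PAD_RULES[r][1] for r, hit in outcomes.items() if hit and PAD_RULES[r][1]]
    return ("rules", actions)

if __name__ == "__main__":
    print(choose_pad(PadSession("ChallengeQuestion", True, "Default", "Mobile Safari")))
    print(choose_pad(PadSession("", False, "Default", "Firefox")))
```

The mobile-browser row sits first in Table 11-6 and sets every other rule to Any, which is why a mobile user receives the HTML pad regardless of what they have registered; the two "Empty in the snapshot" rows below it only apply when no challenge type is available.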


11.5.3 OAAM Post-Authentication Security

This policy evaluates the level of risk after authentication is successful. The possible actions are Allow, Block, or Challenge.

11.5.3.1 OAAM Post-Authentication Security Policy Summary

Table 11-7 provides a summary of the Post-Authentication Security Policy.

Table 11-7 OAAM Post-Authentication Security Policy Summary

Purpose: Evaluates the level of risk after authentication is successful. The possible actions are Allow, Block, or Challenge.

Scoring Engine: Maximum

Weight: 100

Group Linking: All Users


11.5.3.2 OAAM Post-Authentication Security Flow Diagram

Figure 11-6 shows the Post-Authentication Security flow.

Figure 11-6 OAAM Post Authentication Security Flow

OAAM Post Authentication Security is shown.
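Several of the Post-Authentication rules listed in Table 11-8 are time-windowed counters or velocity checks rather than simple group lookups. The following added example, which is not part of this guide or of OAAM, evaluates four of them (User Blocked Recently, Maximum Users per Device, Device with Many Failures, and Device Maximum Velocity) over a constructed login history, using the parameter values from the table and the Maximum scoring engine from Table 11-7. The event record layout, the haversine distance function and the names evaluate_post_auth and in_window are this example's own.

```python
"""Added example (not OAAM code): time-windowed rules from the OAAM
Post-Authentication Security policy (Table 11-8) evaluated over an event history.
Event records, coordinates and timestamps are constructed sample data."""
import math

# Parameter values copied from Table 11-8.
BLOCKED_RECENTLY = {"window_s": 28800, "more_than": 2, "score": 700, "alert": "User Blocked Recently"}
MAX_USERS_PER_DEVICE = {"window_s": 2592000, "max_users": 5, "score": 500, "alert": "OAAM Device Multiple Users"}
MANY_FAILURES = {"window_s": 28800, "more_than": 4, "score": 600, "alert": "OAAM Many Failures from Device"}
MAX_VELOCITY = {"window_s": 72000, "mph_more_than": 600, "score": 700, "alert": "OAAM Device Maximum Velocity"}

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles (mean Earth radius 3958.8 mi)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 3958.8 * math.asin(math.sqrt(a))

def in_window(history, now, window_s):
    """Events strictly before `now` and no older than `window_s` seconds."""
    return [e for e in history if now - window_s <= e["ts"] < now]

def evaluate_post_auth(history, current):
    """Return the triggered rules as (name, alert, score) and the Maximum-engine score.
    `history` holds earlier login events; `current` is the login being evaluated."""
    now = current["ts"]
    triggered = []

    # User: Action Timed -- more than 2 BLOCK actions for this user in the last 8 hours.
    blocks = [e for e in in_window(history, now, BLOCKED_RECENTLY["window_s"])
              if e["user"] == current["user"] and e.get("action") == "BLOCK"]
    if len(blocks) > BLOCKED_RECENTLY["more_than"]:
        triggered.append(("User Blocked Recently", BLOCKED_RECENTLY["alert"], BLOCKED_RECENTLY["score"]))

    # Device: User Count -- distinct users (including this one) on the device in 30 days.
    users = {e["user"] for e in in_window(history, now, MAX_USERS_PER_DEVICE["window_s"])
             if e["device"] == current["device"]} | {current["user"]}
    if len(users) > MAX_USERS_PER_DEVICE["max_users"]:
        triggered.append(("Maximum Users per Device", MAX_USERS_PER_DEVICE["alert"], MAX_USERS_PER_DEVICE["score"]))

    # Device: Timed not status -- more than 4 non-SUCCESS outcomes from the device in 8 hours.
    failures = [e for e in in_window(history, now, MANY_FAILURES["window_s"])
                if e["device"] == current["device"] and e["status"] != "SUCCESS"]
    if len(failures) > MANY_FAILURES["more_than"]:
        triggered.append(("Device with Many Failures", MANY_FAILURES["alert"], MANY_FAILURES["score"]))

    # Device: Velocity from last login -- implied speed since the device's previous login.
    prior = [e for e in in_window(history, now, MAX_VELOCITY["window_s"]) if e["device"] == current["device"]]
    if prior:
        last = max(prior, key=lambda e: e["ts"])
        hours = (now - last["ts"]) / 3600
        miles = haversine_miles(last["lat"], last["lon"], current["lat"], current["lon"])
        if hours > 0 and miles / hours > MAX_VELOCITY["mph_more_than"]:
            triggered.append(("Device Maximum Velocity", MAX_VELOCITY["alert"], MAX_VELOCITY["score"]))

    score = max((s for _, _, s in triggered), default=0)   # Maximum scoring engine (Table 11-7)
    return {"score": score, "triggered": triggered}

# Constructed history: the same device logged in from New York two hours before a login from London.
SAMPLE_HISTORY = [
    {"ts": 1_700_000_000, "user": "alice", "device": "dev-1", "status": "SUCCESS",
     "action": "ALLOW", "lat": 40.7128, "lon": -74.0060},
]
SAMPLE_CURRENT = {"ts": 1_700_007_200, "user": "alice", "device": "dev-1", "status": "SUCCESS",
                  "lat": 51.5074, "lon": -0.1278}

if __name__ == "__main__":
    print(evaluate_post_auth(SAMPLE_HISTORY, SAMPLE_CURRENT))   # Device Maximum Velocity, score 700
```

The velocity rule is the one most often tuned in practice: its 72000-second lookback means a device that last logged in more than 20 hours ago is never compared, and the 600 mph threshold is chosen so that ordinary air travel does not trigger it while a New York to London hop in two hours does.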

11.5.3.3 OAAM Post-Authentication Security: Details of Rules

Table 11-8 shows the rule conditions and parameters in the OAAM Post-Authentication Security Policy.

Table 11-8 OAAM Post Authentication Security Policy Rules Details

Rule | Rule Condition and Parameter Values | Results
Active Anonymizer | Location: IP in Group (Is in List = TRUE; IP in group = anonymizer_active) | Action = OAAM Block; Alert = OAAM Active Anonymizer IP; Score = 1000
Suspect Anonymizer | Location: IP in Group (Is in List = TRUE; IP in group = anonymizer_suspect) | Action = OAAM Challenge; Alert = OAAM Suspected Anonymizer IP; Score = 700
Unknown Anonymizer | Location: IP in Group (Is in List = TRUE; IP in group = anonymizer_active) | Action = OAAM Challenge; Alert = OAAM Unknown Anonymizer IP; Score = 600
Private Anonymizer | Location: IP in Group (Is in List = TRUE; IP in group = anonymizer_private) | Action = OAAM Challenge; Alert = OAAM Private Anonymizer IP; Score = 700
Risky Connection Type | Location: IP Connection Type in Group (Is in List = TRUE; Connection type in group = OAAM High Risk Connection Types) | Action = OAAM Challenge; Alert = OAAM Risky Connection type; Score = 700
User Blocked Recently | User: Action Timed (Check Action = BLOCK; In seconds = 28800; More than = 2) | Action = OAAM Challenge; Alert = User Blocked Recently; Score = 700
Maximum Users per Device | Device: User Count (Seconds Elapsed = 2592000; Max number of users allowed = 5) | Action = OAAM Challenge; Alert = OAAM Device Multiple Users; Score = 500
Dormant IP | Location: IP Connection type in group (Is in List = FALSE; Connection type group = OAAM Mobile Connections) AND Location: IP Excessive Use (Number of Users = 4; Within (hours) = 24; And not used in days = 30) | Action = OAAM Challenge; Alert = OAAM Dormant IP; Score = 500
Surge of Users from IP | Location: IP Connection type in group (Is in List = FALSE; Connection type group = OAAM Mobile Connections) AND Location: IP is AOL (Is AOL = False) AND Location: IP Maximum Users (Seconds Elapsed = 300; Max number of users = 3) | Action = OAAM Challenge; Alert = OAAM IP Multiple Users; Score = 600
Risky countries | Location: In Country Group (Is in List = TRUE; Country in country group = OAAM Monitoring Countries) | Action = OAAM Challenge; Alert = OAAM Monitored Country; Score = 500
Dormant Device | Device: Excessive Use (Number of Users = 4; Within (hours) = 24; And not used in (days) = 30) | Action = OAAM Challenge; Alert = OAAM Dormant Device; Score = 500
Device with Many Failures | Device: Timed not status (Authentication status is not = SUCCESS; Within duration (seconds) = 28800; For more than (times) = 4) | Action = OAAM Challenge; Alert = OAAM Many Failures from Device; Score = 600
Maximum Devices per User | User: Check Devices Used (Maximum number of devices = 2; Within duration (seconds) = 28800) | Action = OAAM Challenge; Alert = OAAM Max Devices for User; Score = 300
Risky Device | Device: In List (Is in group = TRUE; Device in group = OAAM Risky Devices) | Action = OAAM Challenge; Alert = OAAM Risky Device; Score = 700
Device Maximum Velocity | Device: Velocity from last login (Last Login within (Seconds) = 72000; Miles per Hour is more than = 600) | Action = OAAM Challenge; Alert = OAAM Device Maximum Velocity; Score = 700
Risky IP | Location: IP in group (Is in List = TRUE; IP List = OAAM Risky IPs) | Action = OAAM Challenge; Alert = OAAM Risky IP; Score = 700


11.5.3.4 OAAM Post-Authentication Security: Trigger Combinations

None
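The rules in Table 11-8 are independent checks whose outcomes the policy combines with the Maximum scoring engine (Table 11-7). The Python below is an added illustration, not Oracle's code: it encodes six of the rules with the thresholds from the table, runs them over a constructed session, and combines the results. It assumes that the Maximum engine yields the highest triggered rule score scaled by the policy weight, that the most restrictive triggered action wins (Block over Challenge over Allow), that "Max number of users allowed" counts the current user too, and that all windows are in seconds. The IP group contents, sample addresses and the Session and Rule structures are this example's own.

```python
"""Toy evaluator for part of the OAAM Post-Authentication Security policy
(Table 11-8) with the Maximum scoring engine. Added example, not OAAM code.
Assumptions: the Maximum engine returns the highest score among triggered
rules (scaled by the policy weight); Block outranks Challenge, which
outranks Allow when several rules trigger; windows are in seconds."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed IP group memberships (addresses from the documentation ranges).
IP_GROUPS = {
    "anonymizer_active": {"203.0.113.7"},
    "anonymizer_suspect": {"203.0.113.8"},
    "OAAM Risky IPs": {"198.51.100.20"},
}


@dataclass
class Session:
    user: str
    ip: str
    device: str
    now: int  # epoch seconds of this request
    # (time, action taken by OAAM, e.g. "BLOCK") for this user
    user_actions: List[Tuple[int, str]] = field(default_factory=list)
    # (time, user, authentication status) seen on this device
    device_logins: List[Tuple[int, str, str]] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    action: str
    alert: str
    score: int


def ip_in_group(group):
    """Location: IP in Group with Is in List = TRUE."""
    return lambda s: s.ip in IP_GROUPS.get(group, set())


def user_blocked_recently(s, in_seconds=28800, more_than=2):
    """User: Action Timed with Check Action = BLOCK."""
    blocks = [a for t, a in s.user_actions if a == "BLOCK" and s.now - t <= in_seconds]
    return len(blocks) > more_than


def max_users_per_device(s, seconds_elapsed=2592000, max_users=5):
    """Device: User Count; the current request's user is counted as well."""
    users = {u for t, u, _ in s.device_logins if s.now - t <= seconds_elapsed}
    users.add(s.user)
    return len(users) > max_users


def device_many_failures(s, within=28800, more_than=4):
    """Device: Timed not status with Authentication status is not = SUCCESS."""
    failures = [1 for t, _, st in s.device_logins if st != "SUCCESS" and s.now - t <= within]
    return len(failures) > more_than


# Six of the Table 11-8 rules with their actions, alerts and scores.
POST_AUTH_RULES = [
    Rule("Active Anonymizer", ip_in_group("anonymizer_active"), "OAAM Block", "OAAM Active Anonymizer IP", 1000),
    Rule("Suspect Anonymizer", ip_in_group("anonymizer_suspect"), "OAAM Challenge", "OAAM Suspected Anonymizer IP", 700),
    Rule("User Blocked Recently", user_blocked_recently, "OAAM Challenge", "User Blocked Recently", 700),
    Rule("Maximum Users per Device", max_users_per_device, "OAAM Challenge", "OAAM Device Multiple Users", 500),
    Rule("Device with Many Failures", device_many_failures, "OAAM Challenge", "OAAM Many Failures from Device", 600),
    Rule("Risky IP", ip_in_group("OAAM Risky IPs"), "OAAM Challenge", "OAAM Risky IP", 700),
]

ACTION_RANK = {"OAAM Allow": 0, "OAAM Challenge": 1, "OAAM Block": 2}


def evaluate(session, rules=POST_AUTH_RULES, weight=100):
    """Evaluate every rule and combine the results with the Maximum engine."""
    triggered = [r for r in rules if r.condition(session)]
    score = max((r.score for r in triggered), default=0) * weight // 100
    action = max((r.action for r in triggered), key=ACTION_RANK.__getitem__, default="OAAM Allow")
    return {
        "triggered": [r.name for r in triggered],
        "alerts": [r.alert for r in triggered],
        "score": score,
        "action": action,
    }
```

A session from an address in anonymizer_active scores 1000 and is blocked even if nothing else fires; a user with three recent blocks on a device with five recent failures triggers two Challenge rules and the policy score is the higher of the two (700), not their sum.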

11.5.4 OAAM Predictive Analysis

This policy harnesses the predictive capabilities of Oracle Data Miner. The rules in this policy are only functional if Oracle Data Miner is configured.

11.5.4.1 OAAM Predictive Analysis Policy Summary

Table 11-9 provides a summary of the OAAM Predictive Analysis Policy.

Table 11-9 OAAM Predictive Analysis Policy Summary

Summary | Details
Purpose | Harnesses the predictive capabilities of Oracle Data Miner. These rules are only functional if Oracle Data Miner is configured.
Scoring Engine | Maximum
Weight | 100
Group Linking | Linked Users


11.5.4.2 OAAM Predictive Analysis Flow Diagram

Figure 11-7 shows the OAAM Predictive Analysis flow.

Figure 11-7 OAAM Predictive Analysis Policy Flow


11.5.4.3 OAAM Predictive Analysis Policy: Details of Rules

Table 11-10 shows the rule conditions and parameters in the OAAM Predictive Analysis Policy.

Table 11-10 OAAM Predictive Analysis Policy Rules Details

Rule | Rule Condition and Parameters | Results
Predict if current session is fraudulent | USER: Check Fraudulent User Request (Classification Model = OAAM Fraud Request Model; Required Classification = Fraud; Minimum Value of Probability required = 0.70; Maximum Value of Probability required = 1.00; Default Value to return if error = FALSE) | Action = NONE; Alert = OAAM Suspected Fraudulent request; Score = 700
Predict if current session is anomalous | USER: Check Anomalous User Request (Anomaly Model = OAAM Anomalous Request Model; Minimum Value of Probability required = 0.60; Maximum Value of Probability required = 1.00; Default Value to return if error = FALSE) | Action = NONE; Alert = OAAM Anomalous Request; Score = 600


11.5.4.4 OAAM Predictive Analysis Policy: Trigger Combination

None

11.5.5 Auto-learning (Pattern-Based) Policy: OAAM Does User Have Profile

This policy checks if pattern autolearning is enabled and if a user has past behavior recorded. Users with enough recorded behavior are evaluated against their own profile while users without enough recorded behavior are evaluated against the profiles of all other users.

11.5.5.1 OAAM Does User Have Profile Policy Summary

Table 11-11 provides a summary of the OAAM Does User Have Profile Policy.

Table 11-11 Auto-learning (Pattern-Based) Policy: OAAM Does User Have Profile Summary

Summary | Details
Purpose | Checks if pattern autolearning is enabled and if a user has past behavior recorded. Users with enough recorded behavior are evaluated against their own profile while users without enough recorded behavior are evaluated against the profiles of all other users.
Scoring Engine | Maximum
Weight | 100
Group Linking | All Users


11.5.5.2 OAAM Does User Have Profile Flow Diagram

Figure 11-8 shows the OAAM Does User Have Profile flow.

Figure 11-8 Autolearning (Pattern-Based) Policy: OAAM Does User Have Profile Flow


11.5.5.3 OAAM Does User Have Profile: Details of Rules

Table 11-12 shows the rule conditions and parameters in the OAAM Does User Have Profile Policy.

Table 11-12 Auto-learning (Pattern-Based) Policy Rules Details: OAAM Does User Have Profile

Rule | Rule Condition and Parameters | Results
Does user have a profile | System - Check Boolean Property (Property = vcrypt.tracker.autolearning.enabled; Value = True; Default Return Value = True) AND System - Check Boolean Property (Property = vcrypt.tracker.autolearning.use.auth.status.for.analysis; Value = True; Default Return Value = False) AND User - Check Login Count (Check only current user = True; Authentication Status = Success; In seconds = 0; With Login more than = 7; If Error return = False; Consider current request or not = True) | Action = None; Alert = None; Score = 0


11.5.5.4 OAAM Does User Have Profile: Trigger Combination

Table 11-13 describes the OAAM Does User Have Profile trigger combinations.

Table 11-13 Auto-learning (Pattern-Based) Policy: OAAM Does User Have Profile Trigger Combination

Description | Combination Detail | Result
If a user has enough recorded behavior in his profile, he is evaluated by this policy. | Does User have profile = TRUE | Policy = OAAM users vs. themselves; Alert = NONE
If a user does not have enough recorded behavior in his profile, he is evaluated by this policy. | Does User have profile = ANY | Policy = OAAM users vs. all users; Alert = NONE


11.5.6 Auto-learning (Pattern-Based) Policy: OAAM Users vs. Themselves

If a user has a sufficient amount of historical data captured, this policy is used to evaluate his current behavior against his own historical behavior. This policy uses pattern-based rules to evaluate risk.

11.5.6.1 OAAM Users vs. Themselves Policy Summary

Table 11-14 provides a summary of the OAAM Users vs. Themselves Policy.

Table 11-14 Auto-learning (Pattern-Based) Policy: OAAM Users vs. Themselves Summary

Summary | Details
Purpose | Used to evaluate a user's current behavior against his own historical behavior. This policy uses pattern-based rules to evaluate risk.
Scoring Engine | Maximum
Weight | 100
Group Linking | Linked Users (it is a nested policy)


11.5.6.2 OAAM Users vs. Themselves Flow Diagram

Figure 11-9 shows the OAAM Users vs. Themselves flow.

Figure 11-9 Auto-learning (Pattern-Based) Policy: OAAM Users vs. Themselves Flow


11.5.6.3 OAAM Users vs. Themselves: Details of Rules

Table 11-15 shows the rule conditions and parameters in the OAAM Users vs. Themselves Policy.

Table 11-15 Auto-learning (Pattern-Based) Policy Rules Details: OAAM Users vs. Themselves

Rule | Rule Condition and Parameters | Results
ISP | ENTITY: Entity is member of pattern less than some percent times (Pattern Hit Percent less than = 6; Pattern name for membership = User: ISP profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User) | Action = OAAM Challenge; Alert = OAAM User: ISP; Score = 600
Connection type | ENTITY: Entity is member of pattern less than some percent times (Pattern Hit Percent less than = 6; Pattern name for membership = User: ASN profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User) | Action = OAAM Challenge; Alert = OAAM User: connection type; Score = 600
Routing type | ENTITY: Entity is member of pattern less than some percent times (Pattern Hit Percent less than = 6; Pattern name for membership = User: Routing type profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User) | Action = OAAM Challenge; Alert = OAAM User: Routing type; Score = 600
Device | ENTITY: Entity is member of pattern less than some percent times (Pattern Hit Percent less than = 10; Pattern name for membership = User: Device profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User) | Action = OAAM Challenge; Alert = OAAM User: Device; Score = 700
Day of the week | ENTITY: Entity is member of pattern bucket for first time in certain time period (Pattern name for membership = User: Day of Week profiling pattern; Is ConditionTrue = True; Time period type for pattern membership = Months; Time period for pattern membership = 3; Member type for pattern membership = User; First time count = 1) | Action = OAAM Challenge; Alert = OAAM User: day of the week; Score = 500
Country and State | ENTITY: Entity is member of pattern less than some percent times (Pattern Hit Percent less than = 10; Pattern name for membership = User: State profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User) | Action = OAAM Challenge; Alert = OAAM User: state; Score = 600
Time of Day | ENTITY: Entity is member of pattern less than some percent times (Pattern Hit Percent less than = 3; Pattern name for membership = User: time range profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User) | Action = OAAM Challenge; Alert = OAAM User: time of day; Score = 500
ASN | ENTITY: Entity is member of pattern less than some percent times (Pattern Hit Percent less than = 6; Pattern name for membership = User: ASN profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User) | Action = OAAM Challenge; Alert = OAAM User: ASN; Score = 600
Country | ENTITY: Entity is member of pattern less than some percent times (Pattern Hit Percent less than = 20; Pattern name for membership = User: Country profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 3; Member type for pattern membership = User) | Action = OAAM Challenge; Alert = OAAM User: Country; Score = 700


11.5.6.4 OAAM Users vs. Themselves: Trigger Combinations

None

11.5.7 Autolearning (Pattern-Based) Policy: OAAM Users vs. All Users

If a user does not have a sufficient amount of historical data captured, this policy is used to evaluate his current behavior against the historical behavior of all other users. This policy uses pattern-based rules to evaluate risk.

11.5.7.1 OAAM Users vs. All Users Policy Summary

Table 11-16 provides a summary of the OAAM Users vs. All Users Policy.

Table 11-16 Auto-learning (Pattern-Based) Policy: OAAM users vs. All Users Summary

Summary | Details
Purpose | Evaluates the user's current behavior against the historical behavior of all other users. This policy uses pattern-based rules to evaluate risk.
Scoring Engine | Maximum
Weight | 100
Group Linking | Linked Users (it is a nested policy)


11.5.7.2 OAAM Users vs. All Users Flow Diagram

Figure 11-10 shows the OAAM Users vs. All Users flow.

Figure 11-10 Auto-learning (Pattern-Based) Policy: OAAM Users vs. All Users Flow


11.5.7.3 OAAM Users vs. All Users: Details of Rules

Table 11-17 shows the rule conditions and parameters in the OAAM Users vs. All Users Policy.

Table 11-17 Auto-learning (Pattern-Based) Policy Rules Details: OAAM Users vs. All User

Rule | Rule Condition and Parameters | Results
Users: Day of the week | ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture (Pattern Bucket Hit Percent less than = 5; Pattern name for membership = User: Day of the week profiling pattern; Is membership count less than pattern hit percent = true; Time period type for pattern membership = Months; Time period for pattern membership = 6; Member Type for pattern membership = User) | Action = OAAM Challenge; Alert = Users: Day of the week; Score = 300
Users: Country | ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture (Pattern Bucket Hit Percent less than = 3; Pattern name for membership = User: Country profiling pattern; Is membership count less than pattern hit percent = true; Time period type for pattern membership = Months; Time period for pattern membership = 6; Member Type for pattern membership = User) | Action = OAAM Challenge; Alert = Users: Country; Score = 500
Users: Time of Day | ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture (Pattern Bucket Hit Percent less than = 5; Pattern name for membership = User: Time of day profiling pattern; Is membership count less than pattern hit percent = true; Time period type for pattern membership = Months; Time period for pattern membership = 6; Member Type for pattern membership = User) | Action = OAAM Challenge; Alert = Users: Time of day; Score = 300
Users: Connection type | ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture (Pattern Bucket Hit Percent less than = 5; Pattern name for membership = User: Connection type profiling pattern; Is membership count less than pattern hit percent = true; Time period type for pattern membership = Months; Time period for pattern membership = 6; Member Type for pattern membership = User) | Action = OAAM Challenge; Alert = Users: Connection type; Score = 500
Users: Locale | ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture (Pattern Bucket Hit Percent less than = 3; Pattern name for membership = User: Time of day profiling pattern; Is membership count less than pattern hit percent = true; Time period type for pattern membership = Years; Time period for pattern membership = 6; Member Type for pattern membership = User) | Action = OAAM Challenge; Alert = Users: Locale; Score = 500


11.5.7.4 OAAM Users vs. All Users: Trigger Combinations

None
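Both auto-learning policies rest on the same two pattern conditions: "Entity is member of pattern (bucket) less than some percent times", measured against the user's own history (Table 11-15) or against every user's history (Table 11-17), and "Entity is member of pattern bucket for first time in certain time period" (the Day of the week rule). The Python below is an added illustration, not Oracle's code, and assumes a simplified model: a pattern bucket is the attribute value itself (ISP name, device id, country, weekday), hit percent is the share of logins in the window that fall in the current login's bucket, a month is 30 days, and the current request is not counted in the history it is compared against. The login history, user names and thresholds-as-lambdas are this example's own; the thresholds and windows are the ones printed in the two tables.

```python
"""Pattern-membership conditions behind OAAM Users vs. Themselves (Table 11-15)
and OAAM Users vs. All Users (Table 11-17). Added example, not OAAM code.
Assumptions: bucket = attribute value; hit percent = logins in the bucket /
logins in the window; month = 30 days; current request excluded from history."""
from collections import namedtuple
from datetime import datetime, timedelta

Login = namedtuple("Login", "when user isp device country")

NOW = datetime(2014, 8, 3, 10, 0)  # constructed evaluation time (a Sunday)


def build_history():
    """Constructed history: bob logs in on weekdays only, always from one ISP,
    one device and the US; 99 other users add one login each, one from CN."""
    history = []
    for days_ago in range(1, 61):
        when = NOW - timedelta(days=days_ago)
        if when.weekday() < 5:
            history.append(Login(when, "bob", "ExampleNet", "dev-1", "US"))
    for i in range(99):
        when = NOW - timedelta(days=i + 1)
        history.append(Login(when, f"user{i}", "ExampleNet", f"dev-{i}",
                             "CN" if i == 0 else "US"))
    return history


def in_window(history, months, user=None):
    """Logins inside the pattern time period, optionally for one user only."""
    start = NOW - timedelta(days=30 * months)
    return [entry for entry in history
            if start <= entry.when < NOW and (user is None or entry.user == user)]


def bucket_percent(logins, key, value):
    if not logins:
        return 0.0
    return 100.0 * sum(1 for entry in logins if key(entry) == value) / len(logins)


def less_than_percent(history, current, key, threshold, months, own_only):
    """ENTITY: Entity is member of pattern (bucket) less than some percent times.
    own_only=True compares with the user's own logins, False with all users."""
    logins = in_window(history, months, current.user if own_only else None)
    return bucket_percent(logins, key, key(current)) < threshold


def first_time_in_period(history, current, key, months):
    """ENTITY: Entity is member of pattern bucket for first time in certain time period."""
    return all(key(entry) != key(current) for entry in in_window(history, months, current.user))


# Bucket keys: the attribute that a pattern profiles.
def isp(entry): return entry.isp
def device(entry): return entry.device
def country(entry): return entry.country
def weekday(entry): return entry.when.weekday()


# (rule, condition, alert, score); thresholds and windows from Table 11-15.
USERS_VS_THEMSELVES = [
    ("ISP", lambda h, c: less_than_percent(h, c, isp, 6, 1, True), "OAAM User: ISP", 600),
    ("Device", lambda h, c: less_than_percent(h, c, device, 10, 1, True), "OAAM User: Device", 700),
    ("Day of the week", lambda h, c: first_time_in_period(h, c, weekday, 3), "OAAM User: day of the week", 500),
    ("Country", lambda h, c: less_than_percent(h, c, country, 20, 3, True), "OAAM User: Country", 700),
]
# Thresholds and windows from Table 11-17.
USERS_VS_ALL = [
    ("Users: Day of the week", lambda h, c: less_than_percent(h, c, weekday, 5, 6, False), "Users: Day of the week", 300),
    ("Users: Country", lambda h, c: less_than_percent(h, c, country, 3, 6, False), "Users: Country", 500),
]


def evaluate(rules, history, current):
    """Run the rules; return triggered names, alerts and the Maximum-engine score."""
    hits = [(name, alert, score) for name, cond, alert, score in rules if cond(history, current)]
    return {"triggered": [h[0] for h in hits],
            "alerts": [h[1] for h in hits],
            "score": max((h[2] for h in hits), default=0)}
```

For bob, a Sunday login from a new ISP in CN trips ISP, Day of the week and Country against his own profile (score 700), while the same login judged against all users trips only Users: Country, because CN is under 3% of everyone's logins but Sunday logins are not under 5%.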

11.5.8 OAAM Registration

This policy is used to determine the user information that needs to be registered.

11.5.8.1 OAAM Registration Policy Summary

Table 11-18 provides a summary of the OAAM Registration Policy.

Table 11-18 OAAM Registration Policy Summary

Summary | Details
Purpose | Determines which parts of the user information have to be registered.
Scoring Engine | Weighted Average
Weight | 100
Group Linking | All Users


11.5.8.2 OAAM Registration Flow Diagram

Figure 11-11 shows the OAAM Registration flow.

Figure 11-11 OAAM Registration Flow


11.5.8.3 OAAM Registration: Details of Rules

Table 11-19 shows the rule conditions and parameters in the OAAM Registration Policy.

Table 11-19 OAAM Registration Policy Rules Details

Rule | Rule Condition and Parameters | Results
Check Registration | User: Account Status (User Account Status = ACTIVE; Is = FALSE) | Action = OAAM Register; Alert = NONE; Score = 0
Register Questions | User: Question Status (User Question Status = Set; Is = FALSE) | Action = OAAM Register Challenge Questions; Alert = NONE; Score = 0
Skipped registration more than 3 times | User: Action Count Timed (Checkpoint (Optional) = NONE; Action = Register User Optional; In seconds = 300; Count Action only once per session? = TRUE; More Than = 3) | Action = OAAM Registration Required; Alert = NONE; Score = 0
Register User Information | User: Check Information (Key to comma separated values to check = RequiredChallengeInfo; If Information is set, return = FALSE) | Action = OAAM Register User Information; Alert = NONE; Score = 0
Register Image and Caption | User: Authentication Image Assigned (Is Assigned = FALSE) | Action = OAAM Register Preferences; Alert = NONE; Score = 0


11.5.8.4 OAAM Registration: Trigger Combinations

None

11.5.9 OAAM Challenge

This policy determines how the user has to be challenged. All the decision making in this policy is achieved using trigger combinations.

11.5.9.1 OAAM Challenge Policy Summary

Table 11-20 provides a summary of the OAAM Challenge Policy.

Table 11-20 OAAM Challenge Policy Summary

Summary | Details
Purpose | Determines how the user has to be challenged. All the decision making in this policy is achieved using trigger combinations.
Scoring Engine | Weighted Average
Weight | 100
Group Linking | All Users


11.5.9.2 OAAM Challenge Flow Diagram

Figure 11-12 shows the OAAM Challenge flow.

Figure 11-12 OAAM Challenge Flow


11.5.9.3 OAAM Challenge: Details of Rules

Table 11-21 shows the rule conditions and parameters in the OAAM Challenge Policy.

Table 11-21 OAAM Challenge Policy Rules Details

Rule | Rule Condition and Parameters | Results
Max failed SMS attempts | User: Check OTP failures (OTP Challenge Type = ChallengeSMS; Failure More than or Equal To = 3; If above or equal = TRUE) | Action = NONE; Alert = NONE; Score = 0
Max failed Email attempts | User: Check OTP failures (OTP Challenge Type = ChallengeEmail; Failure More than or Equal To = 3; If above or equal = TRUE) | Action = NONE; Alert = NONE; Score = 0
Max failed Question attempts | User: Challenge Maximum Failures (Number of Failures More than or equal to = 3; Current Question Count only? = False; If above or equal, return = True) | Action = NONE; Alert = NONE; Score = 0
Questions Active | User: Question Status (User Question Status = Set; Is = True) | Action = NONE; Alert = NONE; Score = 0
Challenge Email Available | Session: Check value in comma separated values (Parameter Key = AvailableChallengeTypes; Value to Check = ChallengeEmail; Return if in list = True) | Action = NONE; Alert = NONE; Score = 0
Challenge SMS Available | Session: Check value in comma separated values (Parameter Key = AvailableChallengeTypes; Value to Check = ChallengeSMS; Return if in list = True) | Action = NONE; Alert = NONE; Score = 0
Check for HIGH Risk Score | Session: Check Risk Score Classification (Risk score classification to check = High Risk; Default value to return in case of errors = False) | Action = NONE; Alert = NONE; Score = 0


11.5.9.4 OAAM Challenge: Trigger Combinations

Table 11-22 describes the OAAM Challenge trigger combinations.

Table 11-22 OAAM Challenge Trigger Combinations

Description | Combination Detail | Result
Allow the user to register if the risk score is not High and if the user is not registered. | Check for High Risk Score = False; Questions Active = False; Challenge Email Available = False; Challenge SMS Available = False; Max failed Question Attempts = Any; Max failed Email Attempts = Any; Max failed SMS Attempts = Any | Policy = NONE; Action = OAAM Allow; Alert = NONE; Score = 0
Challenge the user with SMS if the risk score is High and he is registered for SMS and has not failed the maximum number of SMS challenges. | Check for High Risk Score = TRUE; Questions Active = Any; Challenge Email Available = Any; Challenge SMS Available = TRUE; Max failed Question Attempts = Any; Max failed Email Attempts = Any; Max failed SMS Attempts = False | Policy = NONE; Action = OAAM Challenge SMS; Alert = NONE; Score = 0
Challenge the user with email if the risk score is High and he has registered for email and he did not fail the email challenge the maximum number of times yet. | Check for High Risk Score = HIGH; Questions Active = Any; Challenge Email Available = TRUE; Challenge SMS Available = Any; Max failed Question Attempts = Any; Max failed Email Attempts = FALSE; Max failed SMS Attempts = Any | Policy = NONE; Action = OAAM Challenge Email; Alert = NONE; Score = 0
Challenge the user with questions if he has challenge questions active and has not failed the maximum number of challenges for questions. | Check for High Risk Score = Any; Questions Active = TRUE; Challenge Email Available = Any; Challenge SMS Available = Any; Max failed Question Attempts = TRUE; Max failed Email Attempts = Any; Max failed SMS Attempts = Any | Policy = NONE; Action = OAAM Challenge Question; Alert = NONE; Score = 0
Challenge the user with OTP via SMS if he has not failed Challenge SMS and he is registered for SMS. | Check for High Risk Score = Any; Questions Active = Any; Challenge Email Available = Any; Challenge SMS Available = TRUE; Max failed Question Attempts = Any; Max failed Email Attempts = Any; Max failed SMS Attempts = FALSE | Policy = NONE; Action = OAAM Challenge SMS; Alert = NONE; Score = 0
Challenge the user with email if he is registered for email and he did not fail the email challenge the maximum number of times yet. | Check for High Risk Score = Any; Questions Active = Any; Challenge Email Available = TRUE; Challenge SMS Available = Any; Max failed Question Attempts = Any; Max failed Email Attempts = FALSE; Max failed SMS Attempts = Any | Policy = NONE; Action = OAAM Challenge Email; Alert = NONE; Score = 0
Block the user if he has not registered for questions or OTP and the risk score is High. This block can be overridden using the "Temp Allow" functionality. | Check for High Risk Score = TRUE; Questions Active = FALSE; Challenge Email Available = FALSE; Challenge SMS Available = FALSE; Max failed Question Attempts = Any; Max failed Email Attempts = Any; Max failed SMS Attempts = Any | Policy = NONE; Action = OAAM BLOCK; Alert = NONE; Score = 0
Challenge Block the user if he failed to answer all types of challenge mechanisms. Note: This block cannot be overridden through the "Temp Allow" functionality. | All rules with result = ANY | Policy = NONE; Action = OAAM Challenge BLOCK; Alert = NONE; Score = 0


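The OAAM Challenge policy makes every decision through the trigger combinations in Table 11-22: each row lists an expected result for each of the seven rules in Table 11-21, "Any" matching either result. The Python below is an added illustration, not Oracle's code. It assumes the rows are evaluated top to bottom and the first row whose cells all match wins, which is why the catch-all last row yields Challenge Block only after every channel is exhausted. The row values are taken from the table with two readings made explicit: "HIGH" in the email row is treated as TRUE, and the questions row is encoded with Max failed Question Attempts = FALSE to match its own description (the user has not failed the maximum number of question challenges) rather than the TRUE printed in the table; confirm both against the policy as deployed. The rule_results helper and walk_use_case, which replays use case 11.6.2 below, are this example's own.

```python
"""Trigger-combination matching for the OAAM Challenge policy (Table 11-22).
Added example, not OAAM code. Assumptions: rows are evaluated top to bottom
and the first row whose cells all match the rule results wins; an "Any"
cell matches either result."""

ANY = None  # wildcard cell

# Rule names (Table 11-21) in the column order used by the rows below.
RULES = (
    "Check for High Risk Score",
    "Questions Active",
    "Challenge Email Available",
    "Challenge SMS Available",
    "Max failed Question Attempts",
    "Max failed Email Attempts",
    "Max failed SMS Attempts",
)

# (description, expected rule results in RULES order, resulting action).
# From Table 11-22; "HIGH" read as True in the email row, and the questions
# row encoded with Max failed Question Attempts = False to match its description.
CHALLENGE_COMBINATIONS = [
    ("risk not High and user not registered: allow so the user can register",
     (False, False, False, False, ANY, ANY, ANY), "OAAM Allow"),
    ("High risk, registered for SMS, SMS not exhausted",
     (True, ANY, ANY, True, ANY, ANY, False), "OAAM Challenge SMS"),
    ("High risk, registered for email, email not exhausted",
     (True, ANY, True, ANY, ANY, False, ANY), "OAAM Challenge Email"),
    ("questions active and not exhausted",
     (ANY, True, ANY, ANY, False, ANY, ANY), "OAAM Challenge Question"),
    ("registered for SMS, SMS not exhausted",
     (ANY, ANY, ANY, True, ANY, ANY, False), "OAAM Challenge SMS"),
    ("registered for email, email not exhausted",
     (ANY, ANY, True, ANY, ANY, False, ANY), "OAAM Challenge Email"),
    ("High risk and nothing registered: block (Temp Allow can override)",
     (True, False, False, False, ANY, ANY, ANY), "OAAM BLOCK"),
    ("every challenge mechanism failed: challenge block (Temp Allow cannot override)",
     (ANY,) * 7, "OAAM Challenge BLOCK"),
]


def rule_results(high_risk, questions, email, sms,
                 failed_questions=False, failed_email=False, failed_sms=False):
    """Build the dict of rule results that the combinations are matched against."""
    return dict(zip(RULES, (high_risk, questions, email, sms,
                            failed_questions, failed_email, failed_sms)))


def matches(cells, results):
    return all(cell is ANY or cell == results[name] for cell, name in zip(cells, RULES))


def decide(results):
    """Return (action, description) of the first matching combination."""
    missing = [name for name in RULES if name not in results]
    if missing:
        raise ValueError(f"no result for rule(s): {missing}")
    for description, cells, action in CHALLENGE_COMBINATIONS:
        if matches(cells, results):
            return action, description
    raise RuntimeError("unreachable: the last row matches any result")


def walk_use_case():
    """Replay use case 11.6.2: High risk (risky IP), SMS and questions registered;
    the user exhausts SMS, then questions. Returns the sequence of actions."""
    steps = [
        rule_results(True, True, False, True),                      # first challenge
        rule_results(True, True, False, True, failed_sms=True),     # 3 SMS failures
        rule_results(True, True, False, True, failed_sms=True, failed_questions=True),
    ]
    return [decide(step)[0] for step in steps]
```

Running walk_use_case reproduces the sequence in use case 11.6.2: SMS challenge, then a question challenge once SMS is exhausted, then Challenge Block once the questions are exhausted too. A missing rule result raises rather than silently matching a wildcard, which is the failure mode to avoid when a rule does not run.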
11.5.10 OAAM Customer Care Ask Question

This policy determines if the user has active questions, more questions left for the challenge, and how many challenges have failed.

11.5.10.1 OAAM Customer Care Ask Question Policy Summary

Table 11-23 provides a summary of the OAAM Customer Care Ask Questions Policy.

Table 11-23 OAAM Customer Care Ask Question Policy

Summary | Details
Purpose | Determines if the user has active questions, more questions remaining for challenges, and how many challenges have failed.
Scoring Engine | Weighted Maximum
Weight | 100
Group Linking | All Users


11.5.10.2 OAAM Customer Care Ask Question: Details of Rules

Table 11-24 shows the rule conditions and parameters in the OAAM Customer Care Ask Questions Policy.

Table 11-24 OAAM Customer Care Ask Question Rule Details

Rule | Rule Condition and Parameters | Results
No Questions | USER: Question Status. Triggers when users do not have questions registered; the two possible scenarios are unregistered users and users whose questions were reset by customer care. Question status of the user (User Question Status = Not Set; Is = True) | Action = OAAM No User Questions; Alert = NONE; Score = 0; Weight = 100
Maximum Answers Failed | USER: Challenge Channel Failure. Triggers when the user has failed the maximum allowed answers for the current question; the count combines customer care and online challenges. If a user has a failure counter value over a specified value from a specific channel (Challenge Channel = <select>; Current Question Count only? = true; Failures greater than or equal to = 3) | Action = OAAM Next Question; Alert = NONE; Score = 0; Weight = 100
Question Blocked | User: Challenge Question Failure. Checks how many questions have failures (Failure more than or equal to = 1) | Action = OAAM Reset Question; Alert = NONE; Score = 0; Weight = 100
Maximum Questions Failed | User: Question Failure. Triggers when the user fails the maximum allowed questions (Failure more than or equal to = 3) | Action = NONE; Alert = NONE; Score = 0; Weight = 100


11.5.10.3 OAAM Customer Care Ask Question: Trigger Combinations

None

11.6 Use Cases

The following sections provide security policy use case scenarios.

11.6.1 Use Case: WebZIP Browser

All users using a WebZIP browser must be blocked from attempting a login.

  1. user1 uses WebZip and tries to log in to the application.

  2. user1 is blocked.

  3. The administrator logs in to OAAM Admin.

  4. The administrator views the session for user1.

  5. The administrator sees that Rule: "WEBZIP" used was triggered.

11.6.2 Use Case: IP Risky User OTP Challenge

User "test user" is a registered user. He is traveling on business to a different country and does not have access to email or phone. The IP he logs in from is considered a risky IP and hence, he is challenged by SMS. Since he cannot access his OTP, he fails to answer the OTP challenge by SMS. He is now challenged via KBA and unfortunately, he forgot the answers to his challenge questions. He guesses and answers the questions incorrectly. He is now locked out of the system. He calls the CSR and proves his identity. The CSR unlocks the user so he can log in again.

  1. OTP is set up for SMS and Email.

  2. The auto-learning policy (OAAM does user have profile) is disabled.

  3. The user is registered as testuser.

  4. His IP is in the Risky IP group.

  5. testuser tries to log in to the application.

  6. testuser is challenged via SMS.

  7. testuser answers incorrectly 3 times.

  8. testuser is challenged via KBA.

  9. testuser answers challenge question incorrectly 3 times.

  10. testuser is locked out.

  11. CSR must create a case and then unlock challenge questions for the user.

  12. testuser is able to log in to the application successfully.

11.6.3 Use Case: Anonymizer IP - From the Group

User "anonymizer" logs in using an IP which is considered an anonymizer in the Quova geolocation database. The user is blocked and a case is automatically created with the proper information. The investigator works on the case, adds a disposition, and closes the case.

Administrator

  1. The administrator logs in to OAAM Admin.

  2. He creates a new action instance using the action template "Create customer care case".

  3. He selects the "post-authentication" checkpoint, the Block action, a score of "1000," and case type "2".

User

  1. New user "anonymizer" tries to log in to the application.

  2. The user is blocked.

    A fraud case is automatically created.

Investigator

  1. The investigator logs in to OAAM Admin as an Investigator.

  2. He opens the case and adds notes.

  3. He closes the case with a disposition.

11.6.4 Use Case: Pattern Based Evaluation

User "test user2" is a registered user. He resides in the United States and hence, all his logins are typically from the United States. He is traveling on business to China and performs a few logins from there. Since OAAM identifies that this is not the normal behavior, it challenges the user.

Rules:

  • The rule only triggers when the device used appears to have traveled faster than 600 MPH in the last 20 hours. A trigger results in a challenge action and alerts informative enough to determine why the challenge was generated.

  • The following rule only triggers a challenge action when both conditions are false: Has this user used this country more than 2 times ever?

    AND

    Has this user used this country more than 10% in the last month?

  • If a user is challenged post-authentication, and he has KBA active, and he does not have OTP active and the risk is above 600, then he should be asked a KBA question.


Part VI

Managing Transactions

This part of the book contains information about managing transactions in Oracle Adaptive Access Manager.

It contains the following chapters:


I Setting Up Archive and Purge Procedures

Archiving is the process of backing up the obsolete data that will be deleted during the purge process. During the archive process, data will be moved from the main transactional tables to the backup tables. By default the Oracle Adaptive Access Manager purge scripts will archive data that will be deleted during the purge process.

Purging is the process of freeing up space in the database or of deleting obsolete data that is not required by the system. The purge process can be based on the age of the data or the type of data.

This chapter describes how to archive and purge data from the OAAM database using SQL scripts.

A DBA or system administrator, who performs routine maintenance and the archiving and purging of the Oracle Adaptive Access Manager database, should follow the instructions in this chapter.

This chapter contains the following sections:

I.1 Overview

The archive and purge process allows the releasing of data that is not required anymore for rules evaluation or fraud investigation.

  • Archiving is the process of moving data from main transactional tables to the archive tables.

  • Purging is the process of deleting obsolete data that is not required by the system.

    Not all the tables are purged since many of them do not have data growth issues.

"Purging data" is different from "backing up data". A data backup is for the recovery of data if loss occurs; purges are for keeping the runtime tables free of old data. Regardless, to protect your data, database backups should be performed on a regular basis with the help of a database administrator.

The following data can be archived or purged using the scripts provided in the archive IDM_ORACLE_HOME/oaam/oaam_db_scripts/oaam_db_purging_scripts.zip:

  • Login and devices data

  • Rule Logs data

  • Auto Learning data

  • Transactions and Entities data

  • Profile data

Archive and purge criteria are based on the create/update timestamp of the records; the retention period is specified as a number of days.

The following is the overview of the archive and purge process:

  1. Determine the retention period (usually 180 days, that is, 6 months).

  2. Determine whether to purge or archive.

  3. Deploy the purge related stored procedures into the OAAM database. This is a one-time job.

  4. Determine what types of data have to be archived and purged.

  5. Schedule the related scripts to run on regular intervals or manually run the scripts when required.

  6. Check for entries where the LOG_TYPE is 99 in the database table V_SYS_LOGS.

The next sections describe the above in detail.

I.2 Setting Up the Scripts in Database

To archive and purge OAAM data, you must set up the one-time scripts.

  1. Create a scripts directory oaam_purge_script.

  2. Unzip the scripts archive IDM_ORACLE_HOME/oaam/oaam_db_scripts/oaam_db_purging_scripts.zip to the scripts directory.

  3. Log in to the database using the sys or sysdba account.

  4. Grant the following privileges to the OAAM schema so that the stored procedures can be created and executed:

    GRANT create any procedure TO <schema_name>;
    GRANT create any table TO <schema_name>;
    GRANT create any index TO <schema_name>;
    GRANT create procedure TO <schema_name>;
    GRANT execute any procedure TO <schema_name>;

  5. Now connect to the OAAM schema using the OAAM user name and password. For example:

    sqlplus <oaam_db_user_name>/<oaam_db_password>

  6. Run the create_purge_proc.sql script:

    SQL> @oracle_db/create_purge_proc.sql

    If case data or monitor data is also to be archived or purged, run create_case_purge_proc.sql and create_v_monitor_purge_proc.sql in the same way (see Section I.10 for the procedures each script creates).

  7. Confirm that the stored procedures compiled without errors (their status in the USER_OBJECTS view is VALID). A procedure that is created in an INVALID state does not fail until it is first executed.


Note:

The purging/archiving scripts need the CREATE ANY PROCEDURE and EXECUTE ANY PROCEDURE privileges to create and execute the purge-related stored procedures.

Because the purging/archiving scripts use a custom index-rebuild stored procedure (rebuild_oaam_index) for each table, the Oracle Adaptive Access Manager schema also needs the CREATE ANY TABLE and CREATE ANY INDEX privileges. If these privileges are not granted, rebuild_oaam_index does not work.

These are system-wide privileges: the ANY variants apply to every schema in the database, not only to the OAAM schema. Grant them only to set up and execute the Oracle Adaptive Access Manager purging/archiving routines, and revoke them as soon as the purging/archiving process is completed.
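The following script is added here as an example of the privilege lifecycle the note describes; it is not part of the OAAM purging scripts. It grants the five privileges as SYS, deploys and validates the procedures as the OAAM schema owner, and revokes the privileges once the run has completed. OAAM_SCHEMA is a placeholder for the real OAAM schema name; USER_OBJECTS, USER_ERRORS and DBA_SYS_PRIVS are standard Oracle data dictionary views.

```sql
-- Added example: privilege lifecycle for the purge/archive setup.
-- OAAM_SCHEMA is a placeholder for the real OAAM schema name.

-- (a) As SYS (AS SYSDBA): record what the schema already holds, then grant
--     the privileges for the maintenance window only. The four "ANY"
--     privileges are system-wide, not limited to OAAM_SCHEMA.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'OAAM_SCHEMA';

GRANT CREATE ANY PROCEDURE  TO OAAM_SCHEMA;
GRANT CREATE ANY TABLE      TO OAAM_SCHEMA;
GRANT CREATE ANY INDEX      TO OAAM_SCHEMA;
GRANT CREATE PROCEDURE      TO OAAM_SCHEMA;
GRANT EXECUTE ANY PROCEDURE TO OAAM_SCHEMA;

-- (b) As OAAM_SCHEMA: deploy the procedures (step 6 above) ...
@oracle_db/create_purge_proc.sql

--     ... and check that every procedure compiled (step 7). An INVALID
--     procedure is still created and only fails when first executed, so an
--     error-free script run is not proof that it is usable. Any row returned
--     here is an object that must be fixed before the purge is scheduled.
SELECT object_name, object_type, status
  FROM user_objects
 WHERE object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE', 'PACKAGE BODY')
   AND status <> 'VALID';

--     For each such object, the compile errors:
SELECT name, type, line, position, text
  FROM user_errors
 ORDER BY name, sequence;

-- (c) As SYS, after the purge/archive run has completed: revoke the
--     privileges granted in (a). Revoking does not drop the procedures;
--     the schema owner can still execute its own procedures.
REVOKE CREATE ANY PROCEDURE  FROM OAAM_SCHEMA;
REVOKE CREATE ANY TABLE      FROM OAAM_SCHEMA;
REVOKE CREATE ANY INDEX      FROM OAAM_SCHEMA;
REVOKE CREATE PROCEDURE      FROM OAAM_SCHEMA;
REVOKE EXECUTE ANY PROCEDURE FROM OAAM_SCHEMA;

--     Confirm that only the privileges recorded in (a) remain.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'OAAM_SCHEMA';
```

Because the note says the privileges are needed both to set up and to execute the routines, a scheduled run needs step (a) before it and step (c) after it. Compare the DBA_SYS_PRIVS output from before the first grant with the output after the revoke so that a privilege the schema held before the purge setup (for example CREATE PROCEDURE, if it was granted at installation) is not revoked by mistake.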


I.3 Best Practices/Guidelines for Running Purge Scripts

Guidelines for running the purge scripts are as follows:

  • Determine the retention period based on the business requirements and on the rules and policies in use.

  • Archive or purge on a regular schedule.

  • Make sure replication is not enabled during the window in which these scripts run.

  • Run the scripts during off-peak hours, as Oracle recommends; archiving and purging can be resource (for example CPU) intensive.

  • If archiving is required, make sure there is enough disk space on the database server, since the data is moved to archive tables rather than simply deleted. Plan for archive space equal to or greater than the storage used by the current tables.

  • Plan the purging strategy in advance: purging takes a significant amount of time when millions of rows have to be deleted or copied.

  • In a multi-data center (MDC) deployment the table data is replicated, so run purges at times of low data flow and consult your database administrator before purging.

  • Oracle recommends that custom purging scripts touch only the tables used by the standard purging scripts. Permitted alterations to the provided scripts include parameterizing them by user ID; test any such alteration thoroughly before using it in production to ensure it functions as expected.

I.4 Running the Scripts

To run the archive and purge scripts, proceed as follows:

  1. Set the p_days1 and p_archived parameters. All the scripts have these two parameters that you can set. Table I-1 describes these parameters.

    Table I-1 Archive and Purge Routine Parameters

    Variable Name   Default Value   Description
    p_days1         180             Retention period in days. Data older than this many days is archived or purged.
    p_archived      Y               Y or N. If "Y", data older than the retention period is moved to the archive tables; if "N", it is deleted.


  2. Select the scripts to run based on the data that has to be archived or purged. Table I-2 lists the types of data and corresponding script name.

    Table I-2 Archive and Purge Scripts Based on Types of Data

    Type of Data                   Corresponding Script
    Login, Device Data             exec_sp_purge_tracker_data.sql
    Rules, Policy Log Data         exec_sp_purge_rule_log.sql
    Transactions, Entities Data    exec_sp_purge_txn_log.sql
    Autolearning Data              exec_sp_purge_workflow_data.sql
    Profile Data                   exec_sp_purge_profile_data.sql
    Cases related Data             exec_sp_purge_case_data.sql
    Monitor Data                   exec_v_monitor_purge_proc.sql


  3. Log in to the OAAM database using OAAM database user name and password and execute the selected scripts.

  4. Check the corresponding log file and see if there are any errors or warnings.

  5. If archiving is selected, then make sure to take a backup of the archive tables so that data can be restored if needed.

Registration of Safe Devices

The OAAM purge/archive process does not remove the registration of "safe" devices (which would force users to re-register them) unless the device has not been used for six months, the default retention period.

Purge scripts unregister a device only when the device itself is purged as part of tracker_purge_job.sql. That job purges every device that is no longer referenced by any record in VCRYPT_TRACKER_USERNODE_LOGS and also purges the related records in VT_USER_DEVICE_MAP.

Automatic Scheduling

Archive and purge jobs should be part of a routine schedule. These jobs can be scheduled using database jobs or OS-based scheduling utilities (crontab, at) or scheduler software (autosys, appworx).

It is recommended that these scripts are scheduled to run on regular intervals and only during off-peak hours.

I.5 Validating Archive and Purge

To determine whether the archive and purge succeeded, check the log files (for example, the scheduler log and the script output log) for errors. Once the process has completed, you can also query each transactional table and its corresponding archive (_PURGE) table to confirm that the data was moved or deleted.
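As an added example that is not part of the OAAM scripts, the following queries, run as the OAAM schema owner after exec_sp_purge_rule_log.sql has completed, perform the checks described above for the rule log tables listed in Table I-4. The V_SYS_LOGS column LOG_TYPE and the table names come from this appendix; the queries assume the default archive table names and make no assumption about other columns of V_SYS_LOGS.

```sql
-- Added example: post-run checks for a rule-log archive/purge run,
-- executed as the OAAM schema owner.

-- 1. Entries written by the purge routines carry LOG_TYPE 99 (see the
--    process overview). Count them, then inspect the rows for the run just
--    completed; problems show up here as well as in the script output log.
SELECT COUNT(*) AS purge_log_entries
  FROM v_sys_logs
 WHERE log_type = 99;

SELECT *
  FROM v_sys_logs
 WHERE log_type = 99;

-- 2. Live versus archived row counts. With p_archived = 'Y' the rows that
--    left the live tables must reappear in the corresponding _PURGE tables;
--    with p_archived = 'N' the _PURGE counts do not change. Capture the
--    same counts before the run so the difference can be compared.
SELECT 'VR_RULE_LOGS' AS live_table, COUNT(*) AS live_rows FROM vr_rule_logs
UNION ALL SELECT 'VR_POLICY_LOGS',    COUNT(*) FROM vr_policy_logs
UNION ALL SELECT 'VR_POLICYSET_LOGS', COUNT(*) FROM vr_policyset_logs
UNION ALL SELECT 'VR_MODEL_LOGS',     COUNT(*) FROM vr_model_logs;

SELECT 'VR_RULE_LOGS_PURGE' AS archive_table, COUNT(*) AS archived_rows FROM vr_rule_logs_purge
UNION ALL SELECT 'VR_POLICY_LOGS_PURGE',    COUNT(*) FROM vr_policy_logs_purge
UNION ALL SELECT 'VR_POLICYSET_LOGS_PURGE', COUNT(*) FROM vr_policyset_logs_purge
UNION ALL SELECT 'VR_MODEL_LOGS_PURGE',     COUNT(*) FROM vr_model_logs_purge;

-- 3. The scripts rebuild indexes (rebuild_oaam_index). An index left
--    UNUSABLE is skipped by the optimizer and, if it is a unique index,
--    blocks inserts into the live table. Any row returned here needs a
--    rebuild. (N/A is the status of a partitioned index.)
SELECT index_name, table_name, status
  FROM user_indexes
 WHERE table_name IN ('VR_RULE_LOGS', 'VR_POLICY_LOGS',
                      'VR_POLICYSET_LOGS', 'VR_MODEL_LOGS')
   AND status NOT IN ('VALID', 'N/A');

-- 4. Objects invalidated by the run; any row returned needs attention
--    before the next scheduled run.
SELECT object_name, object_type
  FROM user_objects
 WHERE status <> 'VALID';
```

When archiving was selected, follow these checks with the export backup of the _PURGE tables called for in step 5 of Section I.4, so that a restore (Section I.6) has a known-good copy to work from.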

I.6 Restoring Archived Data

As recommended in Section I.4, take an export backup of the archive tables after the archive process has completed, so that the data is available if troubleshooting is needed later.

To restore, import the data for the required date range into a temporary table using the Oracle database import utility (Data Pump impdp, or the original imp utility), not into the live transactional tables.

Contact Oracle Support Services if any data restoration is required.

I.7 Running Partition Maintenance Scripts

If the partitioned version of the OAAM schema is used, the following scripts drop the partitions that are older than the retention period.

I.7.1 Dropping Weekly Partitions

To drop weekly partitions, proceed as follows:

  1. Run this script at the end of every two weeks starting from your database creation date.

  2. To change the default retention period, open the script Drop_Weekly_Partition_tables.sql and set the retention period in days. Default is set to 15 days (two weeks).

  3. Log in to the OAAM database using the OAAM database user name and password.

  4. Execute the script Drop_Weekly_Partition_tables.sql.

I.7.2 Dropping Monthly Partitions

To drop monthly partitions, proceed as follows:

  1. Run this script at the end of each month to drop partitions that are older than six months.

  2. To change the default retention period, open the script Drop_Monthly_Partition_tables.sql and set the retention period in days. Default is set to 180 days (6 months).

  3. Log in to the OAAM database using the OAAM database user name and password.

  4. Execute the script Drop_Monthly_Partition_tables.sql.

I.8 Details of Data that is Archived and Purged

Details of data that is purged and the corresponding archived tables are presented in the following sections.

I.8.1 Login and Device Data

Table I-3 Login and Device

Login and Device Tables          Corresponding Archived Tables
VCRYPT_TRACKER_NODE              VCRYPT_TRACKER_NODE_PURGE
VCRYPT_TRACKER_NODE_HISTORY      VCRYPT_TRACKER_NODE_HISTORY_PURGE
VCRYPT_TRACKER_USERNODE_LOGS     VCRYPT_TRACKER_USERNODE_LOGS_PURGE
VT_DYN_ACT_EXEC_LOG              VT_DYN_ACT_EXEC_LOG_PURGE
VT_SESSION_ACTION_MAP            VT_SESSION_ACTION_MAP_PURGE
VT_USER_DEVICE_MAP               VT_USER_DEVICE_MAP_PURGE



Note:

The VT_SESSION_ACTION_MAP table is not purged using the partition drop maintenance script. This table stores the device fingerprinting session information; therefore the purging of this table is performed using the manual purge stored procedure (SP_SESS_ACT_MAP_PROC) which is called by the exec_sp_purge_tracker_data.sql script.


I.8.2 Rules and Policy Log Data

Table I-4 Rules and Policy Log Data Tables

Rules, Policy Log Tables   Corresponding Archived Tables
VR_POLICYSET_LOGS          VR_POLICYSET_LOGS_PURGE
VR_RULE_LOGS               VR_RULE_LOGS_PURGE
VR_MODEL_LOGS              VR_MODEL_LOGS_PURGE
VR_POLICY_LOGS             VR_POLICY_LOGS_PURGE


I.8.3 Transactions and Entities Data

Table I-5 Transactions and Entity Data Tables

Transaction Tables       Corresponding Archived Tables
VT_ENTITY_ONE            VT_ENTITY_ONE_PURGE
VT_ENTITY_ONE_PROFILE    VT_ENTITY_ONE_PROFILE_PURGE
VT_USER_ENTITY1_MAP      VT_USER_ENTITY1_MAP_PURGE
VT_ENT_TRX_MAP           VT_ENT_TRX_MAP_PURGE
VT_TRX_DATA              VT_TRX_DATA_PURGE
VT_TRX_LOGS              VT_TRX_LOGS_PURGE


I.8.4 Autolearning Data

Table I-6 Autolearning Data Tables

Autolearning Transactional Tables   Corresponding Archived Tables
VT_WF_DAYS                          VT_WF_DAYS_PURGE
VT_WF_HOURS                         VT_WF_HOURS_PURGE
VT_WF_MONTHS                        VT_WF_MONTHS_PURGE
VT_WF_YEARS                         VT_WF_YEARS_PURGE
V_FPRINTS                           V_FPRINTS_PURGE
V_FP_MAP                            V_FP_MAP_PURGE


I.8.5 Profile Data

Table I-7 Profile Data Tables

Transactional Tables    Corresponding Archived Tables
VT_USER_PROFILE         VT_USER_PROFILE_PURGE
VT_DEVICE_PROFILE       VT_DEVICE_PROFILE_PURGE
VT_BASE_IP_PROFILE      VT_BASE_IP_PROFILE_PURGE
VT_IP_PROFILE           VT_IP_PROFILE_PURGE
VT_STATE_PROFILE        VT_STATE_PROFILE_PURGE
VT_CITY_PROFILE         VT_CITY_PROFILE_PURGE
VT_COUNTRY_PROFILE      VT_COUNTRY_PROFILE_PURGE


I.8.6 Cases-Related Data

Table I-8 Case-Related Data Tables

Transaction Tables        Corresponding Archived Tables
V_CASE                    V_CASE_PURGE
V_CASE_HIST               V_CASE_HIST_PURGE
V_ACTION_LOG_SESS_MAP     V_ACTION_LOG_SESS_MAP_PURGE
V_ACTION_LOG_SESS         V_ACTION_LOG_SESS
V_CASE_MAP                V_CASE_MAP_PURGE
V_CASE_MAP_HIST           V_CASE_MAP_HIST_PURGE


I.8.7 Monitor Data

Table I-9 Monitor Data Tables

Transaction Table   Corresponding Archived Table
V_MONITOR_DATA      V_MONITOR_DATA_PURGE


I.9 Archive and Purge Criteria

Archive and purge criteria are presented in the following table.

Table I-10 Archive and Purge Criteria

Type of Data: Device Fingerprinting Data

Purge Criteria: The purge process archives and purges device fingerprinting data in the following order:

  • First, device fingerprinting logs that are older than the retention period.

  • Then user device map records that are no longer referenced once those logs are gone.

  • Then device history records that are no longer referenced once those logs are gone.

  • Then device records that are no longer referenced once those logs are gone.

Type of Data: Transaction In-Session Based Data

Purge Criteria: The purge process archives and purges in-session transaction data in the following order:

  • First, in-session transaction logs that are older than the retention period.

  • Then transaction data that is no longer referenced once the transaction logs for that period are gone.

  • Then entity, entity profile, user-entity map and entity-transaction map records that are no longer referenced once the transaction logs for that period are gone.

Type of Data: Autolearning Profile Data

Purge Criteria: The following tables are archived and purged based on a fixed retention period:

  • HOURS based tables retain 3 days' worth of data.

  • DAYS based tables retain 32 days' worth of data.

  • MONTHS based tables retain 1 year's worth of data.

  • YEARS based tables retain 5 years' worth of data.

Fingerprint data of the AUTH and TRANSACTION fingerprint types is archived and purged from the fingerprint table (V_FPRINTS) and the fingerprint map table (V_FP_MAP). Because the HOURS, DAYS, MONTHS and YEARS tables also reference fingerprints, archive and purge those tables before purging the fingerprint data. The scripts identify the two fingerprint types by the following enumeration values:

vcrypt.fingerprint.type.enum.autolearning.auth=11
vcrypt.fingerprint.type.enum.autolearning.transaction=12

11 is the enumeration value for the autolearning AUTH type and 12 is the enumeration value for the autolearning TRANSACTION type. If other values were assigned during integration, change the values in the script to match.

Type of Data: Rule Log Data

Purge Criteria: Rule log data older than 30 days is archived and purged. Set this retention value according to your customer care requirements; if a reporting database is used, keep the rule logging data retention below 30 days.


I.9.1 Minimum Data Retention Policy

Based on the Oracle Adaptive Access Manager system requirements, the minimum data retention periods for the various OLTP tables are shown below. Determine the actual retention period from your business requirements; for more information, review the rest of this appendix.

I.9.1.1 Device Fingerprinting Data

Minimum of 6 months or 180 days

I.9.1.2 In-session Transactional Tables

Minimum of 6 months or 180 days

I.9.1.3 Auto-learning and Workflow Tables

  • HOURS based Workflow tables will retain 3 days' worth of data.

  • DAYS based Workflow tables will retain 32 days' worth of data.

  • MONTHS based Workflow tables will retain 1 year's worth of data.

  • YEARS based Workflow tables will retain 5 years' worth of data.

I.9.1.4 Rule Log Data

The script archives and purges all rule log data that is older than 30 days. Set this value based on your customer care requirements; if a reporting database is used, keep the rule logging data retention below 30 days.

I.10 List of Related Stored Procedures

The archive and purge setup scripts for the Oracle Database are listed in this subsection.

I.10.1 create_purge_proc.sql

The create_purge_proc.sql script creates the following stored procedures to archive and purge data from the transaction tables:

  • SP_RULE_PROC

  • SP_MODEL_PROC

  • SP_POLICYSET_PROC

  • SP_POLICY_PROC

  • SP_NODE_HISTORY_PROC

  • SP_NODE_PROC

  • SP_USER_NODE_PROC

  • SP_USER_DVC_PROC

  • SP_SESS_ACT_MAP_PROC

  • SP_WF_YEARS_PROC

  • SP_WF_MONTHS_PROC

  • SP_WF_DAYS_PROC

  • SP_WF_HOURS_PROC

  • SP_V_FPRINTS_PROC

  • SP_V_FP_MAP_PROC

  • SP_VT_DY_ACT_EX_LOG_PRO

  • SP_VT_TRX_LOGS_PROC

  • SP_VT_TRX_DATA_PROC

  • SP_VT_ENT_TRX_MAP_PROC

  • SP_VT_ENT_ONE_PRF_PROC

  • SP_VT_ENT_ONE_PROC

  • SP_VT_ENT_ONE_MAP_PROC

  • SP_VT_USER_PRF_PROC

  • SP_VT_DEVICE_PRF_PROC

  • SP_VT_IP_PRF_PROC

  • SP_VT_BASE_IP_PRF_PROC

  • SP_VT_CITY_PRF_PROC

  • SP_VT_COUNTRY_PRF_PROC

  • SP_VT_STATE_PRF_PROC

I.10.2 create_case_purge_proc.sql

The create_case_purge_proc.sql script creates the following stored procedures to archive and purge data from the transaction tables:

  • SP_V_CASE_PROC

  • SP_V_CASE_HIST_PROC

  • SP_V_CASE_MAP_PROC

  • SP_V_CASE_MAP_HIST_PROC

  • SP_V_ACTION_LOG_SESS_MAP_PROC

  • SP_V_ACTION_LOG_SESS_PROC

I.10.3 create_v_monitor_purge_proc.sql

The create_v_monitor_purge_proc.sql script creates the following stored procedure, SP_V_MON_DATA_PURGE_PROC, to archive and purge data from the transaction table.


8 Enabling Challenge Questions

Oracle Adaptive Access Manager uses knowledge-based authentication (KBA) to prompt users for information by using challenge questions. An individual must provide previously registered answers during authentication.

This chapter provides guidelines for enabling challenge questions.

8.1 What is KBA?

Knowledge-based authentication (KBA) is a form of secondary authentication where during authentication, the user is prompted by challenge questions and must provide previously registered answers.

Since KBA is a secondary authentication method, it should only be presented after successful primary authentication. A KBA challenge is warranted in medium- to high-risk situations. Challenging users too often, and without significant risk, degrades the user experience and possibly the security: every additional display of the questions slightly increases the chance of exposure to a fraudster through shoulder-surfing or a similar observation attack. The goal is to challenge users often enough that they can still recall their answers, but not so often that they view the challenge as a hindrance. In general, a challenge roughly once a month for a normal user is a good rate. Suspicious users should be blocked rather than challenged; they should not have access to the system.

8.2 Phased Approach for Registration

A phased KBA rollout helps ease the transition for the organization and its users. Spacing out the rollout allows for an important learning period and lessens the impact on customer service.

  • The user is not registered and there is little change to the user experience.

  • The user can choose to register.

  • The user must register an image, a phrase, and challenge questions to be stored in a customer profile.

The most successful phased approach generally includes these phases. The first two generally last between one and three months each depending on user population size and composition.

8.2.1 Phase 1 - No Registration

Phase one generally consists of Oracle Adaptive Access Manager risk evaluation only. In this phase there is little change to the user experience: users continue to access the application through the existing methods. The only visible change is that a session can be blocked. Blocking is recommended in this phase for extremely high-risk situations; with blocking actions applied, OAAM can start to prevent fraud from day one, and because only very severe security violations are blocked, normal users should not be affected. Phase one can last as long as the business wants; organizations generally stay in it for one to three months.

8.2.2 Phase 2 - Optional Registration

Phase two is the gradual introduction of the virtual devices and secondary authentication to the user population. In this phase registration is made available to the population or sub-populations of existing users on an optional basis. This opt-in allows users to register when they have time and feel comfortable. Brand new users should be given the option to register as soon as they are created. This strategy helps to distribute load on support over a period and to add convenience for users.

User Experience

The user is prompted to register for challenge questions after successfully authenticating at sign-on. The user can choose to bypass registration and then proceed into the session.

Staggered Rollout

Breaking up a rollout phase into sub-groups can further ease efforts. In large deployments staggering is advised. Phase two is generally the best time to implement staggering. The most common staggering has the following steps.

  • The user population is broken into groups. Geographic region is the most often used basis for this grouping

  • Staggered start dates are configured for each group.

Enable Optional Registration

To enable optional registration, link the Post-Auth Flow Phase 2 policy to the user group that you want KBA to be enabled for.

8.2.3 Phase 3 - Required Registration

Phase three closes the door on the opt-in registration process. This phase is the transition to normal registration procedure that is used going forward for all users. For this reason phase three has no end. Any existing users that have not registered yet must complete registration before they can access the protected applications.

User Experience

The user is prompted to register for challenge questions after successfully authenticating at sign-on. User proceeds into session after registration is complete.

Enable Required Registration

To enable required registration, link the Post-Auth Flow Phase 3 policy to the user group that you want KBA to be enabled for.

If the user group was linked to "Post-Auth Flow Phase 2" policy earlier, that linkage should be removed.

8.3 Checklist for Enabling Challenge Questions

The following checklist covers the tasks for enabling challenge questions.

  [ ] Import the OAAM Snapshot

  [ ] Link the appropriate policies to the user group for which you want KBA enabled

  [ ] Ensure KBA properties are set

  [ ] Change the rules within the registration and challenge policies to use the appropriate actions

  [ ] Configure the challenge question answer validation using OAAM Admin

  [ ] Configure the Answer Logic using OAAM Admin

8.4 Ensure Policies are Available

A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. The snapshot is in the oaam_base_snapshot.zip file and located in the MW_HOME/IDM_ORACLE_HOME/oaam/init directory.

If you are using pre-packaged policies, ensure that the OAAM snapshot has been imported. If you are not using pre-packaged policies, use this chapter as a guideline for enabling challenge questions.

To import the snapshot, refer to the instructions in Section 2.6, "Importing the OAAM Snapshot."

8.5 Ensuring KBA Properties/Default Properties are Set

Ensure the bharosa.kba.active property is set to true. For instruction on how to set properties, refer to Section 28.6, "Editing the Values for Database and File Type Properties."

8.6 Ensure Challenge Questions are Available

The challenge questions must be present in Oracle Adaptive Access Manager before the users can be asked to register. Challenge questions are included in the OAAM snapshot. For information on importing the snapshot which contains the questions, see Section 2.6, "Importing the OAAM Snapshot."

8.7 Enabling Policies

Ensure that KBA security policies that pertain to your business and security needs are loaded on your system. Link them to a user group to which you want KBA to be enabled.

For example, if you want the system to be able to challenge a user over the phone through a Customer Service Representative (CSR), you must import and enable the System CC Challenge Policy.


Note:

If you have a policy customized, ensure that you do not import that policy again. Doing so breaks the policy that you had customized.


If you are using the OAAM pre-packaged policies, enable the Phase 2 scenarios by adding the user group for which you want KBA enabled to the Phase 2 pre- and post-authentication policies.

Phase 2 provides optional registration scenarios that you may want to try out with users. If the users respond well to the registration process, you can then add the scenarios to your authorization process.

Phase 2 introduces considerably more change to the user experience and includes the use of virtual authenticators for credential input; these securely collect the login details and facilitate registration and challenge.

To enable Phase 2 scenarios

  1. Ensure that "Active" has been chosen for the status of the policy.

    Refer to Section 10.11, "Activate/Disable Policies."

  2. Ensure that all the rules in the policy are active.

    Refer to Section 10.23, "Activate/Disable Rule."

  3. Ensure that the user group to which you want KBA to be enabled has been selected for the Run Mode option.

    Refer to Section 10.9.1, "Linking a Policy to a Group."

    Note that it is important to ensure that the phase you are in corresponds to the policies you have your users linked to within OAAM Admin.

8.8 Configuring Rules for Policies

Change the rules within the registration and challenge policies with appropriate actions.

For example, assign a challenge action as one of the actions you want triggered.

For information, refer to Section 10.12.5, "Specifying Results for the Rule."

8.9 Configuring the Challenge Question Answer Validation

Validations check the answers a user supplies at registration time. For example, a Regex validation can restrict answers to alphanumeric characters plus a few specific special characters.

For information, see Section 7.6, "Setting Up Validations for Answer Registration."

8.10 Configuring the Answer Logic

The Answer Logic settings can be configured for the exactness required for challenge question answers. For example, high risk transactions such as wire transfers may require a high degree of certainty (i.e. exact match) whereas accessing personal, non-sensitive information may require a lower degree of response certainty.

Configure the Answer Logic for answering threshold/tolerance, such as the level of fat fingering, typos, abbreviations, and so on.

For information, see Section 7.9, "Adjusting Answer Logic."
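The following PL/SQL is added here as an illustration of the two controls described in Sections 8.9 and 8.10; it is not OAAM's own implementation of validations or Answer Logic. The function names, the character set allowed by the regex, the length limit, the normalisation and the similarity thresholds are all assumptions for the example; UTL_MATCH is Oracle's built-in string-comparison package. One caveat a tolerant comparison carries: it must see the registered answer in clear, so it cannot be applied to a one-way hash of the answer; answers compared this way have to be stored encrypted and decrypted only for the comparison.

```sql
-- Added illustration of answer validation and Answer Logic in PL/SQL.
-- Not OAAM's implementation: function names, the permitted character set,
-- the length limit and the thresholds are assumptions for this example.

-- Registration-time validation (the "Regex validation" of Section 8.9):
-- letters, digits, space, period, comma, apostrophe and hyphen only.
CREATE OR REPLACE FUNCTION kba_answer_is_valid(p_answer IN VARCHAR2)
RETURN NUMBER IS
BEGIN
  IF p_answer IS NULL OR LENGTH(p_answer) > 64 THEN   -- 64 is an assumed limit
    RETURN 0;
  END IF;
  RETURN CASE WHEN REGEXP_LIKE(p_answer, '^[[:alnum:] .,''-]+$') THEN 1 ELSE 0 END;
END kba_answer_is_valid;
/

-- Challenge-time comparison (the "Answer Logic" of Section 8.10).
-- Both answers are normalised the same way (case, surrounding and repeated
-- whitespace), then compared with a similarity score from 0 to 100 whose
-- required minimum depends on the risk of the operation being protected.
CREATE OR REPLACE FUNCTION kba_answer_matches(
    p_given      IN VARCHAR2,
    p_registered IN VARCHAR2,
    p_risk_level IN VARCHAR2)   -- 'HIGH', 'MEDIUM' or 'LOW'
RETURN NUMBER IS
  v_given     VARCHAR2(256) := REGEXP_REPLACE(LOWER(TRIM(p_given)),      '[[:space:]]+', ' ');
  v_reg       VARCHAR2(256) := REGEXP_REPLACE(LOWER(TRIM(p_registered)), '[[:space:]]+', ' ');
  v_threshold PLS_INTEGER;
BEGIN
  IF v_given IS NULL OR v_reg IS NULL THEN
    RETURN 0;
  END IF;
  v_threshold := CASE UPPER(p_risk_level)
                   WHEN 'HIGH'   THEN 100   -- exact match, e.g. a wire transfer
                   WHEN 'MEDIUM' THEN 90    -- roughly one typo in ten characters
                   ELSE               80    -- low-risk, non-sensitive information
                 END;
  -- UTL_MATCH.EDIT_DISTANCE_SIMILARITY returns 100 for identical strings and
  -- less as the Levenshtein distance grows relative to the longer string.
  RETURN CASE WHEN UTL_MATCH.EDIT_DISTANCE_SIMILARITY(v_given, v_reg) >= v_threshold
              THEN 1 ELSE 0 END;
END kba_answer_matches;
/

-- Usage: a case difference alone never causes a mismatch; the same single
-- typo is rejected for a HIGH-risk challenge and accepted for a MEDIUM one.
SELECT kba_answer_is_valid('Fluffy the 2nd')                            AS valid_at_registration,
       kba_answer_matches('fluffy the 2nd', 'Fluffy the 2nd', 'HIGH')   AS case_only_high,
       kba_answer_matches('Flufy the 2nd',  'Fluffy the 2nd', 'HIGH')   AS typo_high,
       kba_answer_matches('Flufy the 2nd',  'Fluffy the 2nd', 'MEDIUM') AS typo_medium
  FROM dual;
```

The threshold is the tuning knob the section describes: 100 forces an exact (normalised) match for high-risk transactions, while a lower value tolerates fat-fingering and small typos for low-risk access. Apply the same normalisation at registration and at challenge, otherwise a registered answer with a trailing space would never match.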


20 Creating and Managing Entities

A transaction is a process such as bill pay, wire transfer, address change, and so on. The core elements of an Oracle Adaptive Access Manager transaction are entities and transaction data. Entities can be defined and associated as an instance of a transaction.

This chapter provides information on creating, editing, activating and deactivating, and importing and exporting entities.

20.1 Introduction and Concepts

This section introduces you to the concept of entities.

20.1.1 Entities

An entity is a user-defined data structure that comprises a set of attributes. An entity can be reused across different transactions. An example of an entity is an address: when associating the entity with a transaction, you can create both a shipping address and a billing address from the same address entity.

Figure 20-1 Address Entity

This diagram illustrates the Address entity

20.1.2 Data Elements

Data elements describe the attributes that make up an entity. For example, the address entity has attributes such as address line 1, address line 2, city, zip, and state. Each attribute is described by data elements such as description, length, and type.

20.1.3 Display Element

Display elements are the elements you want to present and the order in which you want to present the value of an entity in a user interface. For example, if you want to display an address, you would want to show address line 1 as the first item, address line 2 as the second item, city as the third item, state as the fourth item, and zipcode as the fifth item.

20.1.4 ID Scheme

An ID scheme consists of the data elements that can uniquely identify an entity, in other words, you are defining the unique combination that identifies the entity. For example, the credit card entity has many attributes, but the way to uniquely identify a credit card is by using the 16-digit credit card number. In that case, the ID scheme is just the credit card number.

Another example, the address entity has address line 1, address line 2, city, state, and zipcode as attributes. Address line 1, address line 2, and zipcode, without the state and city attributes, can still be used to identify the address uniquely.

20.1.5 Internal ID

The internal identifier used to identify a data element in the entity. It is created automatically from the display name: spaces between words are replaced by periods. For example, the display name Address Line 1 becomes the internal ID Address.Line.1; other examples are Address.Line.2 and Zip.Code.

20.1.6 External ID

The client supplies the Ext ID value. Oracle Adaptive Access Manager can either store this value for the client or use it to identify the entity. For example, a client may send merchant, product, and customer entities. These entities already have IDs with the client.

20.2 Navigating to the Entities Search Page

To navigate to the Entities Search page, double-click Entities in the Navigation tree.

Alternatively, you can:

  • Right-click Entities in the Navigation tree and select List Entities from the context menu.

  • Select Entities in the Navigation tree and then choose List Entities from the Actions menu.

  • Click the List Entities button in the Navigation tree toolbar.

The Entities Search page is the starting place for managing entities. From the Entities Search page, you can:

  • Search for entities

  • Create new entities

  • Import/export entities

  • Activate/deactivate entities

  • Delete entities

  • Open the Entity Details page

An example of an Entities Search page is shown in Figure 20-2.

Figure 20-2 Entities Search page

The Entities search page is shown.

20.3 Searching for Entities

To search for entities:

  1. Navigate to the Entities Search page, as described in Section 20.2, "Navigating to the Entities Search Page."

  2. Specify criteria in the Search Filter to locate the entity.

    The search filter criteria are described in Table 20-1.

    Table 20-1 Search Filter Criteria

    Field                 Description
    Name                  The name of the entity.
    Description keyword   A keyword to match in the entity description.
    Status                The status of the entity.


  3. Click Search.

The Search Results table displays a summary of entities that match the criteria specified in the Name, Description Keyword, and Status fields.

There is a link on the entity name. To view the entity details, click the link.

20.4 Creating an Entity

Follow the steps in this section to create a new entity. You will have to provide the required information for all tabs of the Entities Details page before you can activate the entity.


Note:

After creating an entity, you must activate it if you want to use it in a transaction. Only active entities can be used in a transaction. By default an entity is disabled when it is created. For information on activating an entity, refer to Section 20.9, "Activating Entities."


20.4.1 Initial Steps

To create an entity, follow these steps.

  1. Navigate to the Entities Search page, as described in Section 20.2, "Navigating to the Entities Search Page."

  2. In the Entities Search page, click the New Entity button.

    Alternative methods to open create pages are listed in Section 3.9, "Search, Create, and Import."

    An example of a New Entity page is shown in Figure 20-3.

    Figure 20-3 New Entity Page

    The New Entity page is shown.
  3. In the New Entity page, enter a unique entity name.

  4. Enter a description of the entity. For example, you can enter "Credit card number of customer" or "Account number of customer."

  5. Click Apply.

    A confirmation dialog appears with a message that the entity was created successfully.

  6. Click OK to dismiss the dialog.

    The Entity Details page appears for the entity that you have just created.

    The page contains four tabs:

    • Summary - General details of the entity

    • Data - Data elements (used for adding and editing the data elements of the entity)

    • ID Scheme - Identification scheme (used for selecting the data elements that uniquely identify the entity)

    • Display - Display elements (used for adding and editing the display elements of the entity, based on the identification scheme)

    Once you have added elements, the tab titles for Data, ID Scheme, and Display show the number of elements present, in parentheses.

20.4.2 Adding and Editing Data Elements

The Data tab is used for adding and editing data elements of an entity.

In the Data tab, specify the data elements that are part of that entity.

For example, for an entity like Address, the elements are Address Line 1, Address Line 2, City, State and Zip code. Metadata elements, such as a label, description, data type, and so on, describe these elements of the entity.

Define the data elements for each element by following these instructions:

  1. Enter a label.

    For example, Address Line 1, Address Line 2, City, or Zip code.

  2. Enter a description about the data element.

    Data elements are the attributes of an entity.

    For example, the address of the customer logging in.

  3. Specify whether the element is required.

    Some data elements are not populated all the time because the entity can function without this data. Those elements are marked as "not required." For example "Address Line 2" in an address is not required since many addresses do not have "Address Line 2."

  4. Specify whether the element should be encrypted.

    If Is Encrypted? is set to True, the data is encrypted before it is stored in the database, which protects sensitive values.

    Encrypted fields have the following constraints:

    • They should not be used in rules. If they are used, you cannot specify regular values for comparing against these fields; the comparison values have to be encrypted values.

    • They cannot be used in the search criteria when querying for transactions through the query screen.

    • Numeric fields cannot be encrypted.

    Encrypted fields can be displayed in OAAM Admin.

  5. Specify the data element Data Type.

    For example, String.

  6. If you want to add another element, click the Add button on the toolbar and repeat Steps 1 through 5.

  7. Click Save.

You can use the Delete button to delete the data elements within the entity.


Note:

The Row and Column values are automatically assigned based on the data type and should not be changed unless you want to rearrange values in the database.


20.4.3 Selecting Elements for the ID Scheme

In the ID Scheme tab, select the elements that you want to use to uniquely identify an entity.

For example, the credit card entity has many attributes, but the way to uniquely identify a credit card is by using the 16-digit credit card number. In that case, the ID scheme is just the credit card number.

As another example, the address entity has Address Line 1, Address Line 2, City, State, and Zip code as attributes. The Address Line 1, Address Line 2, and Zip code attributes can be used to identify the address uniquely; the State and City attributes are not necessary.

Address Line 1 alone would not uniquely identify an address. For example, 150 Main Street can exist in more than one location.

An example of an ID Scheme tab is shown in Figure 20-4.

Figure 20-4 ID Scheme tab

  1. Select the Data Identification Scheme.

    The Identification Scheme determines how an entity is uniquely identified from the elements that are part of the entity. The identifier formed from the selected elements is stored either as plain text (By Key) or as a hash (By Digest).

    • By Key: This scheme creates a unique identifier by simply concatenating the selected elements of the entity.

    • By Digest: This scheme creates a unique identifier by hashing the values of the selected elements of the entity. The resulting key is usually not human-readable. Use this scheme when the data values are large or when they need to be protected.

  2. Click the Add button on the toolbar to add a data element.

  3. In the Add Data Elements screen, select the data elements to add to the ID Scheme and click Add.

    You can select one or several data elements to add to the identification scheme.

    For example, you only need the 16-digit credit card number to identify the credit card.

    After the data elements are added, they are not available in the list for further selection.

  4. Select the order of the elements.

    The order determines how the data is concatenated when forming the value that identifies the entity. The order is optional; if you do not specify it, it is filled in automatically.

You can use the Delete button to delete the data elements within the entity.
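The two identification schemes above, worked as an added Python model (not OAAM code) for the Address entity used in the text: By Key concatenates the selected elements in scheme order, and By Digest hashes that same concatenation. The separator and the choice of SHA-256 are assumptions, since the page does not name OAAM's separator or digest algorithm.

```python
"""Model of the entity identification schemes described for the ID Scheme
tab: By Key (plain-text concatenation) and By Digest (hash of the same
concatenation). Added example, not OAAM's implementation."""
import hashlib
from typing import Dict, Iterable, List

# Constructed Address entity from the text: Address Line 2 is "not required",
# so an instance may omit it; the ID scheme order is the concatenation order.
ADDRESS_REQUIRED = {"Address Line 1", "City", "State", "Zip code"}
ADDRESS_ID_SCHEME = ["Address Line 1", "Address Line 2", "Zip code"]

# Assumption: a separator keeps ("12", "3") and ("1", "23") distinct.
# The page does not say what OAAM places between concatenated elements.
SEPARATOR = "|"


def identifier_by_key(instance: Dict[str, str], scheme: List[str],
                      required: Iterable[str] = ADDRESS_REQUIRED) -> str:
    """By Key: concatenate the selected elements in scheme order.

    The result is stored as plain text, so anyone who can read the table
    can read the identifying values."""
    missing = [e for e in scheme if e in required and e not in instance]
    if missing:
        raise ValueError(f"required ID scheme elements missing: {missing}")
    # Elements that are not required contribute an empty value when absent.
    return SEPARATOR.join(instance.get(e, "").strip() for e in scheme)


def identifier_by_digest(instance: Dict[str, str], scheme: List[str],
                         required: Iterable[str] = ADDRESS_REQUIRED) -> str:
    """By Digest: hash the same ordered concatenation (SHA-256 assumed).

    Instances with equal selected elements still get the same key, so
    matching works, but the stored key no longer exposes the values."""
    key = identifier_by_key(instance, scheme, required)
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def same_entity(a: Dict[str, str], b: Dict[str, str], scheme: List[str],
                by_digest: bool = False) -> bool:
    """True when the scheme resolves both instances to the same entity."""
    make = identifier_by_digest if by_digest else identifier_by_key
    return make(a, scheme) == make(b, scheme)


if __name__ == "__main__":
    # Constructed sample data: the page's "150 Main Street" exists in more
    # than one location, so Address Line 1 alone must not identify it.
    springfield_il = {"Address Line 1": "150 Main Street", "City": "Springfield",
                      "State": "IL", "Zip code": "62701"}
    springfield_ma = {"Address Line 1": "150 Main Street", "City": "Springfield",
                      "State": "MA", "Zip code": "01101"}
    print(same_entity(springfield_il, springfield_ma, ["Address Line 1"]))  # True: collision
    print(same_entity(springfield_il, springfield_ma, ADDRESS_ID_SCHEME))   # False
    print(identifier_by_key(springfield_il, ADDRESS_ID_SCHEME))
    print(identifier_by_digest(springfield_il, ADDRESS_ID_SCHEME))
```

Reversing the scheme order changes both identifiers, which is why the row order on the ID Scheme tab matters once data has been stored.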

20.4.4 Specifying Data for the Display Scheme

In the Display tab, define the display scheme. The display scheme specifies the data elements to present and their order when you display the value of the entity in reports:

  • The data elements form the entity data that can be displayed.

  • The order determines how the data is concatenated when forming the value to be displayed for the entity.

An example of a Display tab is shown in Figure 20-5.

Figure 20-5 Display tab


The Data elements that you have selected to present are shown in the Transaction Details page.

To select the data elements, follow these steps.

  1. Click the Add button to add a data element.

  2. In the Add Data Elements screen, select the data elements to add for displaying and click Add.

    For example, for an address, you can choose to present Address Line 1, City, State, and Zip code.

  3. Select the order of the elements.

    The order determines what is shown first, second, third, and so on when the data is displayed for the entity. The order is optional; if you do not specify it, it is filled in automatically.

    For example, if you want to display an address, you would want to show address line 1 as the first item, address line 2 as the second item, city as the third item, state as the fourth item, and Zip code as the fifth item.

You can use the Delete button to delete the display elements.

20.4.5 Activating the Entity

After creating an entity, you must activate it if you want to use it in a transaction. Only active entities can be used in a transaction. By default an entity is disabled when it is created. For information on activating an entity, refer to Section 20.9, "Activating Entities."

20.5 Viewing Details of a Specific Entity

To view the details of a specific entity:

  1. Navigate to the Entities Search page, as described in Section 20.2, "Navigating to the Entities Search Page."

  2. From the Entities Search page, search for the entity you want.

    The filters are described in Table 20-1.

  3. In the Results table, click the entity name.

    An example of an Entity Details page is shown in Figure 20-6.

    Figure 20-6 Entity Details page


20.6 Editing the Entity

To edit the details of a specific entity:


Note:

Be cautious when editing entities. If you edit an entity and it is in several transactions, then the edits are applied to all instances of the entity in the different transactions.


  1. If you are not on the Entity Details page of the entity you want to edit, follow the instructions in Section 20.5, "Viewing Details of a Specific Entity."

  2. From the Summary tab, you can modify the name and description of the entity, and activate or deactivate the entity.

  3. From the Data and ID Scheme tabs, you can modify the data elements of the entity.

    If you delete a data element from the scheme, it is added to the Add list and available the next time you select Add Data Elements.

  4. From the Display tab, you can edit the way the entity is displayed.

  5. Click Apply.

20.7 Exporting Entities

To export entities:

  1. Navigate to the Entities Search page, as described in Section 20.2, "Navigating to the Entities Search Page."

  2. In the Entities Search page, enter the search criteria you want and click Search. Refer to Section 20.3, "Searching for Entities."

  3. Select the row for each entity you want to export.

  4. Click the Export button or select Export Selected from the Actions menu.

  5. In the Export Entities screen, click Export.

  6. In the Save screen, click OK.

20.8 Importing Entities

To import entities:

  1. Navigate to the Entities Search page, as described in Section 20.2, "Navigating to the Entities Search Page."

  2. In the Entities Search page, click Import.

  3. In the Entities Import screen, click Browse and locate the entity file you want to import.

  4. Click OK.

20.9 Activating Entities

To activate entities:

  1. Navigate to the Entities Search page, as described in Section 20.2, "Navigating to the Entities Search Page."

  2. In the Entities Search page, enter the search criteria you want and click Search. Refer to Section 20.3, "Searching for Entities."

  3. Select the row for each entity you want to activate.

  4. Press the Activate button.

    When you press Activate, the entity is validated for errors (if data elements are present). If there are any errors, they must be fixed before the entity is activated.

    Only active entities can be used in a transaction. Make sure to activate an entity definition if you want to use it in a transaction.

20.10 Deactivating Entities

To deactivate entities:

  1. Navigate to the Entities Search page, as described in Section 20.2, "Navigating to the Entities Search Page."

  2. In the Entities Search page, enter the search criteria you want and click Search. Refer to Section 20.3, "Searching for Entities."

  3. Select the row for each entity you want to deactivate.

  4. Press the Deactivate button.

20.11 Deleting Entities

To delete entities:

  1. Navigate to the Entities Search page, as described in Section 20.2, "Navigating to the Entities Search Page."

  2. In the Entities Search page, enter the search criteria you want and click Search. Refer to Section 20.3, "Searching for Entities."

  3. Select the row for each entity you want to delete and select the Delete button from the toolbar.

    If the entities selected for deletion are not used or linked to a transaction, a warning message is shown asking for confirmation.

    If an entity is used, you will not be allowed to delete it.

  4. Click Delete to delete the entities.

  5. In the confirmation dialog, click Yes.

When multiple entities are selected for deletion and if there are transactions that contain the instances of some of the entities selected, a warning message is provided, stating "The following instances are linked to transactions and cannot be deleted. Do you want to delete the other entities?" If you click Delete, the unlinked entities are deleted.

If you deactivate an entity, it will not be available for you to use in transactions.

20.12 Re-ordering the Rows in the ID Scheme and Display tabs

After adding all the elements, you can reorder the rows in the ID Scheme and Display tabs by dragging and dropping them. In both the ID Scheme and Display tabs, order is important.

The order of the rows in the ID Scheme tab determines how the information is stored in the database and used to uniquely identify the entity.

The order of the rows in the Display tab determines the order in which information is presented.

For example, in the display, you may want "City, State, Zip code" for addresses in the UK and USA.

20.13 Best Practices

This section outlines some best practices for entity creation.

  • Any sensitive data, such as credit card and social security numbers, should be encrypted in the database.

  • Do not change the external ID. The external ID references how data is identified in the application.

  • In order for Oracle Adaptive Access Manager to perform analysis on transactions, you must determine how to represent the transactions in Oracle Adaptive Access Manager, how to process the data coming in, how to use the data, and how to display the data. For example, in an eCommerce transaction, the data involved are credit card numbers, shipping and billing addresses, names, dollar amounts and so on; for a wire transfer, the data involved are Amount, Name, To account, From account, Routing Number, Bank Address, Bank Phone, and so on. Determining which items in a transaction are entities and creating the entities saves time, improves performance in the system, decreases the amount of data created, and enables rules using the entity to run faster than if they had used transactional data.

    An entity can be used and reused in multiple places, which makes creating transaction definitions much easier. An example of an entity that can be reused is an address. A shipping address and billing address can be created for different transactions from the address entity. If you had defined address as transactional data, you would have to define it twice.

  • If you want to rearrange the fields in the database for performance purposes, you can modify the row and column values. Only the first 3 columns out of the ten are indexed by default. Rearranging the fields impacts performance.


Part IX

Reporting

This part contains information about reporting features in Oracle Adaptive Access Manager 11g.

It contains the following chapters:


23 Scheduling and Processing Jobs in OAAM

This chapter describes how to define, schedule, and run Oracle Adaptive Access Manager batch jobs. It contains the following topics:

23.1 Access Control

Access permissions for the online scheduling system and offline environment are detailed in the following tables.

Table 23-1 Online Job Scheduling System

  CSR and CSR Managers
    No access

  Fraud investigators and Investigation Managers
    No access

  System Administrators
    Full access

  Security Administrator
    No access


Table 23-2 Offline Environment

  CSR and CSR Managers
    No access

  Fraud investigators and Investigation Managers
    Same access as online, including the security dashboard

  System Administrators
    Same access as online (Environment node) and full access to the scheduler node

  Security Administrator
    Same access as online (everything except the Environment node) and full access to the scheduler node


23.2 Introduction to OAAM Jobs

For security administration, it is often required to run evaluations to detect high risk situations. For system administration, running a job to consolidate data is key to maintaining optimal performance of a system. Oracle Adaptive Access Manager provides the ability to configure batch jobs and schedule them.

A job is a collection of tasks that can be run by OAAM. You can perform a variety of jobs such as load data, run risk evaluation, roll up monitor data, and other jobs.

Table 23-3 provides descriptions for these jobs.

Table 23-3 Jobs (applicable deployment in parentheses)

  Load (offline)
    A Load Job reads records from a remote data source, converts the data into OAAM login sessions, and stores the login sessions in the OAAM offline datastore.

  Run (offline)
    A Run Job performs risk analysis on a set of OAAM sessions.

  Load and Run (offline)
    A Load and Run Job is a combination of a Load Job and a Run Job. After each record is processed by the Load Job, the result is fed directly into the Run Job.

  Monitor Data Rollup (online and offline)
    A Monitor Data Rollup Job consolidates, on a regular basis, the monitor data used in the dashboard and in some risk evaluations. Consolidating this data optimizes the database.


23.2.1 Job Interface

The Jobs search page enables you to search for jobs to view details. Actions that you can perform on jobs are listed in this table.

Table 23-4 Job Actions

  Search
    Search for jobs.

  Create
    Create jobs.

  Execute
    Start running a job.

  View logs
    View the log of a job.

  View execution queue
    View the processing order of jobs.

  View progress of jobs
    View the percentage complete and the estimated time to completion.

  Pause and resume
    Stop a job and start it again.

  Cancel jobs
    Stop a job.


The Job Creation wizard is invoked by clicking the New Job icon and provides a step-by-step guide through the job definition and scheduling process. The wizard prompts you for information as you go. If you are using a standard loading process, you configure the database connection URL that the Data Loader uses to access the offline data in the remote database, the characteristics of the run session, a filter for the data to be loaded into the database, and a schedule for running the job.

The Job Queue page displays the job currently processing and its progress in terms of estimated completion time and percentage complete. You can cancel, or pause and resume, a processing job from the queue. If a job is not set to process via scheduling, it will not appear in the Job Queue.

23.2.2 Job Queue

When a job is created and scheduled, a single instance of the job is added to the Job Queue. The Job Queue is the order of job execution. Processing order is based on scheduled start time, priority and date/time added to the queue. Jobs are displayed in the queue according to the order they will process.

For example, if Job A is configured with a High priority and set to process immediately, and then Job B is configured with a High priority and set to process immediately, an instance of A will appear in the queue above B. The jobs will process in that order.

23.2.3 Searching for Jobs

Using the Jobs search page, you can search for jobs and view their details.

  1. From the Navigation tree, double-click Jobs to open the Jobs search page.

  2. Specify criteria in the search filter to locate the job and click Search.

    Table 23-5 Search Filters

      Job Type
        The specific task that a job performs.

      Job Status
        Enabled or Disabled. A disabled job will not run.

      Job Priority
        Priority for the job: High, Medium, or Low.

      Created Date
        Date the job was created. By default, the Created Date is set to the last 1 month.

      Schedule Type
        Once or Recurring.

      Recurrence Interval
        Hourly, Daily, Weekly, or Monthly.

      Last Start Date
        The last start time of the job execution. When you set the "from" section of this field, the "to" section is automatically populated with the current time.

      Last End Date
        By default, the Last End Date is set to 24 hours after the Last Start Date.


    Clicking a job name opens the corresponding Job Details page in a new tab.


    Note:

    The standard jobs packaged with Oracle Adaptive Access Manager support a number of languages. However, the job name, Default Monitor Data Rollup Task, is displayed in English, even if you are viewing non-English content.


    From the Jobs search page, you can perform the following tasks from the toolbar:

    Table 23-6 Results Table Toolbar Actions

      Open
        Open the job to see its details.

      Delete
        Delete the job.

      Enable
        Enable the job.

      Disable
        Disable the job.

      Process Now
        Process the job immediately.

      Launch the Job Creation wizard
        Launch the Job Creation wizard so that you can define and schedule a job.


23.3 Launching the Job Creation Wizard

Use the Job Creation wizard to create a new job. Jobs are created by the Security Administrator in the OAAM Online application, or by the Security Administrator or System Administrator in the OAAM Offline application. The Monitor Data Rollup Job is created by the System Administrator.

To open the Job Creation wizard, perform the following steps:

  1. From the Navigation tree, double-click Jobs to open the Jobs search page.

  2. Click the New Job button on the upper right of the Console or the New Job button on the toolbar or select New Job from the Actions menu.

    The New Job dialog appears with the available job types to select from.


    Note:

    All jobs listed in the table are available in OAAM Offline. Only Monitor Data Rollup is available for OAAM Online.


    Table 23-7 OAAM Job Types

      Load
        Read data to create OAAM sessions.

      Load and Run
        Create and read OAAM sessions in one step.

      Monitor Data Rollup
        Monitor data consolidation.

      Run
        Perform bulk risk analysis on OAAM sessions.


  3. Select the job you want to create and click Continue.

    The General page opens by default as the first page of the Job Creation wizard.

    The following sections describe the pages of the Job Creation wizard. On these pages, required settings are identified by the asterisk (*).

23.3.1 Create Job: General

The General page displays general information about the job such as job type, job name, and job status. Use this page to name and describe the job. The Job Name field can take alphanumeric characters. The job is enabled by default.


Note:

The job type cannot be changed.


23.3.2 Create Job: Load Details (for Load and Load and Run Jobs)

The Load Details page allows you to control which records will be processed.

You can choose between the Custom Loader and the OAAM Loader.

Table 23-8 Custom and OAAM Loaders

  Custom Loader
    A Custom Loader is a user-defined loader that defines how to accomplish complex and custom scenarios. For the custom loader, you must provide the fully qualified class name of the custom loader class.

  OAAM Loader
    The OAAM Loader is the default loader that defines how the records are read from the remote data source and how they are converted into OAAM sessions. The OAAM Data Loader loads login data from a relational database.


By default, the OAAM Loader is selected. It requires information on the data source, data mapping, and miscellaneous properties.

Table 23-9 OAAM Loader Details

  Data Source
    This panel contains the information about the data source and its connection details.

  Data Mapping
    This panel provides the mapping between the OAAM offline database and the database from which the data is loaded. It is usually pre-populated for OAAM schemas.

  Miscellaneous properties
    This panel contains other settings, such as transaction size, memory buffer size, and write pool size, whose values can be adjusted to improve performance.


23.3.3 Create Job: Run Details (for Run and Load and Run Jobs)

The Run Details page lets you choose the Custom Run Type or the OAAM Run Type. The Run type defines how and under what conditions the OAAM policies are applied to the sessions.

23.3.4 Create Job: Data Filters

The Data Filters page allows you to choose the filter that decides which set of data to load into the offline system or process. If the job type is Load and Run, then the same data filter applies for both load and run.

The Auto Increment filter defines the set of records as all records created after the date specified in the From Date field. The Date Range filter defines the set of records as all records that were created between the dates specified in the From Date and To Date fields.

23.3.5 Create Job: Schedule

The Schedule page allows you to specify the scheduling options for the job. You provide the following information:

Table 23-10 Schedule Page Options

  Job Priority
    The job priority determines the importance of the job; the job is added to the job execution queue based on its priority. For additional information, refer to Section 23.3.5.1, "Job Priority."

  Schedule Type
    You can run the job immediately or schedule it to run in the future. For information, refer to Section 23.3.5.2, "Schedule Type."

  Start Date and Start Time (Once)
    The job runs at the Start Date and Time.

  Recurrence Interval (Recurring)
    Hourly, Daily, Weekly, or Monthly. The job repeats execution based on your selection.

  Execute Every (Recurring)
    Recurrence frequency of the recurrence interval. For example, if the Recurrence Interval is Weekly, you could enter 2 for Execute Every; the job will then execute every 2 weeks.

  Start Time (Recurring)
    The recurring job starts at the time you specified on the Start Date given in the Recurrence Range. You pick the day of the week by selecting a begin time that falls on the day of the week that you want.

  Start Date and End Date for Recurrence Range (Recurring)
    This is the date range for job execution. The job continues to execute between the Start Date and the End Date at the intervals you specify. For a recurring job, the Start Date is the date and time at which the job first executes. The End Date is the date and time after which there are no more recurrences. If left blank, the job recurs indefinitely until it is manually removed from the Job Queue. End Date is not applicable to a nonrecurring job.

  Cancel execution if job runs longer than
    The job is cancelled if it runs longer than a given time. For example, with a value of 60 seconds, the job cancels execution if its runtime exceeds 60 seconds. For information, refer to Section 23.3.5.3, "Cancel Time."


23.3.5.1 Job Priority

Job priority indicates the importance of the job. Job priority can be set to Low, Medium, or High. If two jobs are in conflict, the higher priority job processes first. If two jobs are in conflict and have the same priority, OAAM randomly selects one of the jobs to process first.

Table 23-11 Job Priority Examples (result when the administrator clicks Submit at exactly the same time)

  Example 1
    Set to process: Job A: Immediately; Job B: Immediately
    Priority: Job A: High; Job B: Medium
    Result: The instance of A shows up in the queue above the instance of B, and they process in that order because Job A has the higher priority.

  Example 2
    Set to process: Exactly the same start time/date
    Priority: Job A: Medium; Job B: Low
    Result: The instance of A shows up in the queue above the instance of B, and they process in that order because Job A has the higher priority.

  Example 3
    Set to process: Exactly the same start time/date
    Priority: Both are Medium
    Result: The job queue logic selects either A or B randomly to process first, and the instances display in the Job Queue in the randomly determined order.
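The queue ordering described in Section 23.2.2 and the three examples above, as added Python (not OAAM's scheduler): instances sort by scheduled start time, then priority, then the time they were added to the queue, and instances that tie on all three keep a random relative order. The precedence of the three keys is assumed from the order in which the text lists them.

```python
"""Model of Job Queue ordering: scheduled start time, then priority, then
date/time added to the queue; full ties are resolved randomly. Added
example, not OAAM's scheduler; the key precedence is assumed from the text."""
import random
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class JobInstance:
    name: str
    start: datetime     # scheduled start; "Immediately" means the submission time
    priority: str       # "High", "Medium" or "Low"
    added: datetime     # when this instance entered the queue


def sort_key(job: JobInstance) -> Tuple[datetime, int, datetime]:
    """Ordering key: earlier start first, then higher priority, then earlier add."""
    if job.priority not in PRIORITY_RANK:
        raise ValueError(f"unknown priority {job.priority!r}")
    return (job.start, PRIORITY_RANK[job.priority], job.added)


def queue_order(instances: List[JobInstance],
                rng: Optional[random.Random] = None) -> List[str]:
    """Return job names in processing order.

    Shuffling first and then applying a stable sort means instances that tie
    on every key keep a random relative order, as the text describes for two
    Medium jobs submitted at exactly the same time."""
    rng = rng if rng is not None else random.Random()
    queue = list(instances)
    rng.shuffle(queue)
    queue.sort(key=sort_key)
    return [job.name for job in queue]


def is_random_tie(a: JobInstance, b: JobInstance) -> bool:
    """True when the queue logic has no deterministic order for a and b."""
    return sort_key(a) == sort_key(b)


if __name__ == "__main__":
    now = datetime(2010, 8, 30, 15, 0)            # constructed submission time
    job_a = JobInstance("Job A", now, "High", now)
    job_b = JobInstance("Job B", now, "Medium", now)
    print(queue_order([job_b, job_a]))            # ['Job A', 'Job B']: Example 1
```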


23.3.5.2 Schedule Type

Schedule Type determines how often and when a particular job will be run. Schedule Type is either Once or Recurring.

Table 23-12 Scheduling Types

  Once
    Definition: Run the job once and only once at the date and time specified in the future. If the schedule type is set to Once, the execution time (Start Date and Start Time) is set to the current date and time by default and the job processes at once ("now").
    Fields required: Start Date and Start Time
    Fields that do not apply: Recurrence/Interval Type, Recurrence Frequency, End Time

  Recurring
    Definition: Run the job multiple times on a schedule.
    Fields required: All. Frequency is how often the execution recurs.
    Fields that do not apply: None


Examples of scheduling types are shown in the following table.

Table 23-13 Scheduling Type Examples

  If I want: A group of related and dependent jobs to run every two weeks
    Values to set:
    • Recurrence/Interval Type: Weekly
    • Recurrence Frequency: 2

  If I want: A job to run every two weeks on a Monday at 3:00 PM, from August 30, 2010 until October 25, 2010
    Values to set:
    • Schedule Type: Recurring
    • Begin Time: 08/30/2010 3:00 PM
    • End Time: 10/25/2010 3:00 PM
    • Interval: Weekly
    • Frequency: 2
    • Time: 3:00 PM
    Notes: You do not specify the day of the week directly. For a weekly recurrence, you pick the day of the week indirectly by selecting a begin time that falls on that day. In this example the job runs on Mondays because 08/30/2010 is a Monday.
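The second example above, worked through as added Python (not OAAM's scheduler): it expands a Recurring schedule from its Recurrence Interval, Execute Every, Start Date/Time and End Date into the individual run times, and includes the Cancel Time check from Section 23.3.5.3. How OAAM treats a Monthly schedule starting on the 31st is not stated on the page, so the month-end clamping here is an assumption.

```python
"""Model of the Recurring schedule options on the Schedule page: Recurrence
Interval, Execute Every, Start Date/Time and End Date, plus the Cancel Time
check. Added example, not OAAM's scheduler; the month-end rule for Monthly
is an assumption because the page does not state it."""
import calendar
from datetime import datetime, timedelta
from typing import Iterator, Optional

INTERVALS = ("Hourly", "Daily", "Weekly", "Monthly")


def add_months(when: datetime, months: int) -> datetime:
    """Advance by whole months, clamping the day to the target month's length
    (assumption: 31 January + 1 month gives the last day of February)."""
    month_index = when.month - 1 + months
    year = when.year + month_index // 12
    month = month_index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def nth_start(start: datetime, interval: str, every: int, n: int) -> datetime:
    """Scheduled start of the n-th recurrence (n = 0 is the Start Date/Time).

    Each recurrence is computed from the Start Date rather than from the
    previous run, so a clamped Monthly date does not drift."""
    if interval not in INTERVALS:
        raise ValueError(f"unknown recurrence interval {interval!r}")
    if every < 1:
        raise ValueError("Execute Every must be at least 1")
    steps = every * n
    if interval == "Hourly":
        return start + timedelta(hours=steps)
    if interval == "Daily":
        return start + timedelta(days=steps)
    if interval == "Weekly":
        return start + timedelta(weeks=steps)
    return add_months(start, steps)


def recurrences(start: datetime, interval: str, every: int,
                end: Optional[datetime] = None,
                limit: Optional[int] = None) -> Iterator[datetime]:
    """Yield each recurrence from the Start Date up to and including the End Date.

    The weekday of a Weekly job is simply the weekday of the Start Date. With
    no End Date the job recurs indefinitely, so a limit is required here."""
    if end is None and limit is None:
        raise ValueError("an open-ended schedule needs a limit")
    n = 0
    while limit is None or n < limit:
        when = nth_start(start, interval, every, n)
        if end is not None and when > end:
            return
        yield when
        n += 1


def exceeds_cancel_time(started: datetime, now: datetime,
                        cancel_after: Optional[timedelta]) -> bool:
    """Cancel Time check: True once a running instance has run longer than its
    limit. A job with no Cancel Time is never cancelled automatically."""
    return cancel_after is not None and now - started > cancel_after


if __name__ == "__main__":
    # Constructed from the page's example: every two weeks at 3:00 PM,
    # 08/30/2010 (a Monday) through 10/25/2010.
    begin = datetime(2010, 8, 30, 15, 0)
    finish = datetime(2010, 10, 25, 15, 0)
    for run in recurrences(begin, "Weekly", 2, end=finish):
        print(run.strftime("%A %m/%d/%Y %I:%M %p"))
```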


23.3.5.3 Cancel Time

As part of your job definition, you can specify an optional Cancel Time. The Cancel Time determines the maximum amount of time a job is allowed to run before the system automatically stops it. In this way, users can avoid the problem of having jobs run at times that may conflict with other activities. This option is not required, and if a job has no cancel time, it will run until it finishes or until a user manually stops it. If the job is currently executing, then changing the cancel time will only affect future recurrences. The currently executing job instance will use the original setting.

23.3.6 Create Job: Summary

The Summary page displays the choices made and information entered on the previous wizard pages.

23.4 Creating Jobs

Create new jobs by following the instructions in this section. Topics covered in this section are:

23.4.1 Creating Load Jobs

A Load Job reads records from a remote data source, converts the data into OAAM login sessions, and stores the login sessions in the OAAM offline datastore.


Note:

If you are loading from a non-OAAM schema, you must set up a database view. For instructions, refer to "Creating a View of a Non-OAAM Database" in the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager.


The process for creating a Load Job is:

  1. Select Job Type and provide job details. See Section 23.4.1.1, "Selecting Load Job Type and Providing Job Details."

  2. Enter Load Details.

    The Loader type defines how the records are read from the remote data source and how they are converted into OAAM sessions.

    If you want to load data from a database, choose the OAAM Loader Type that is shipped with OAAM. See Section 23.4.1.3, "Providing Load Details for OAAM Data Loader."

    If you want to perform any other type of task, choose a Custom Loader Type. See Section 23.4.1.2, "Providing Load Details for Custom Loader."

    If using the OAAM Loader Type, the following steps are needed:

  3. Set up the data filter.

    The data filter defines the criteria that select the set of records in the database to be loaded or run.

    If you want to define the set of records as all records created after a given date, choose Auto Increment as the data filter type. See Section 23.4.1.4, "Specifying to Load All Data Created After a Given Date."

    If you want to define the set of records as all records that were created between a From Date and a To Date, choose Date Range. See Section 23.4.1.5, "Specifying to Load Data Created within a Date Range."

  4. Set up the scheduling.

    If you want to schedule a Load Job that runs once, choose Once as the schedule type. See Section 23.4.1.6, "Scheduling a Load Job that Runs Once."

    If you want to schedule a Load Job that runs on a regular basis, choose Recurring as the schedule type. See Section 23.4.1.7, "Scheduling a Load Job that Runs on a Regular Basis (Recurring)."

  5. Confirm details. See Section 23.4.1.8, "Checking the Summary Details of Load Job."

23.4.1.1 Selecting Load Job Type and Providing Job Details

To create a Load Job:

  1. From the Jobs search page, click the New Job button.

    The Choose Job Type dialog appears with the available job types to select from.

  2. Select Load and click the Continue button.

    The Create Job page opens to the General page where you can specify the name and description for the Load Job.

    By default the status is Enabled and the Job Type field displays Load.

    The Job Type field is not editable.

  3. Decide on a name for the job you are defining and enter it in the Job Name field.

    The Job Name can only contain alphanumeric characters.

  4. Enter a description for the Load Job.

    The Next button is enabled after the job name and description have been entered.

  5. Click the Next button to create the Load Job.

    The job is created and you are directed to the Load Details page.

23.4.1.2 Providing Load Details for Custom Loader

A Custom Loader is a user-defined loader that defines how to accomplish complex and custom scenarios. After creating the job, you are directed to the Load Details page where you can start defining the job.

If you want to use a custom loader to load the data source, follow these steps:

  1. In the Load Details page, select Custom Loader.

    This is the custom loader you developed to accomplish complex and custom scenarios specific to your deployment. You will have written a custom class to define this loader.

  2. To select a custom loader, click the Update Class Path... button.

    A dialog appears where you must enter the exact path of a Java class that implements the custom loader specification.

  3. Enter the exact path of a Java class that implements the custom loader specification and press OK.

    If the system cannot find the class, or if the class is not a properly defined custom loader, an error occurs.

23.4.1.3 Providing Load Details for OAAM Data Loader

The loader type defines how the records are read from the remote data source and how they are converted into OAAM sessions. After creating the job, you are directed to the Load Details page where you can start defining the job.

The OAAM Data Loader loads login data from a relational database. If you want the OAAM Loader as the data loader type for your data source, follow these steps.

  1. In the Load Details page, ensure that the OAAM Loader type is selected.

  2. Under Data Source Details, enter the database connection parameters for the source database.

    The Database Connection and Data Mapping sections of Data Source Details only exist for the OAAM Loader.

    The database connection parameters define how to connect to the remote database.

    Table 23-14 Database Connection Parameters

    Parameter             Description
    Database Platform     The type of database from which you will be loading.
    JDBC URL              The connection string for the database.
    Database User Schema  The user name for the database.
    Database Password     The password for the database.


  3. Enter values for the miscellaneous properties.

    This panel contains information that can be adjusted to improve performance such as transaction size, memory buffer size, and write pool size.

    Table 23-15 Characteristics of the Load Job

    Property            Description
    Write Pool Size     Defines the number of threads dedicated to processing the incoming records. The optimal value depends on your system, so you may have to experiment to find the value that gives the best performance.
    Memory Buffer Size  Defines the size of the buffer that holds yet-to-be-processed records in memory. When pausing or suspending a job that is meant to restart, all records in this buffer must be processed before the job can stop. The higher this value is, the longer the shutdown procedure takes.
    Transaction Size    Defines how records are processed as a batch, and also controls the logging frequency.


  4. Click the Next button.

    After providing the database connection details and adjusting various properties in the Load Details page, you are ready to apply data filters for the Load Job.

23.4.1.4 Specifying to Load All Data Created After a Given Date

After entering the required database connection parameters and miscellaneous properties in the Load Details page, you are directed to the Data Filters page where you can specify which set of data to load. Data filters determine which set of records should be loaded into the offline system.

If you want to define the set of records as all records created after a given date, follow these steps.

  1. Select Auto Increment as the filter type.

  2. Enter a From Date.

  3. Click the Next button.

    You are directed to the Schedule page where you can specify to run the job once or on a recurring basis.

    A recurring Load Job with an Auto Increment filter suspends itself after it processes all records that meet its criteria, and the next recurrence processes any new records that have been added in the meantime. If you apply the Auto Increment filter, the best practice is therefore to use a Recurring schedule for the Load Job.

23.4.1.5 Specifying to Load Data Created within a Date Range

After entering the required database connection parameters and miscellaneous properties in the Load Details page, you are directed to the Data Filters page where you can specify the data filter to use to define the set of records to be loaded. A Date Range filter defines the set of records as all records that were created between a From Date and a To Date.

If you want data within a date range to be loaded from the data source, follow these steps.

  1. Select Date Range as the filter type.

  2. Enter a From Date and To Date.

    Only data that falls within that specific date range is loaded. You must enter both the From Date and the To Date for data collection. All data created within these dates is loaded into the offline system.

  3. Click the Next button.

    You are directed to the Schedule page where you can specify to run the job once or on a recurring basis.

23.4.1.6 Scheduling a Load Job that Runs Once

After specifying the data filter, you are directed to the Schedule page where you can define the priority and schedule type for your job.

If you want the job to run immediately, follow these steps:

  1. In the Schedule page, select a job priority: High, Medium or Low.

    Job priority determines the importance of the job.

  2. Select Once as the Schedule Type.

    The job runs at the Start Date and Start Time you specify, or it can be run immediately. The job runs only once; there is no recurrence. If the schedule type is set to Once, the execution time (Start Date and Start Time) defaults to the current date and time, so the job runs at once ("now").

  3. Enter the Start Date and Start Time under Schedule Details.

  4. Choose the Cancel execution if runs longer than option.

    The job cancels if it runs longer than a certain time.

    For example: 60 seconds. The job cancels execution if runtime exceeds 60 seconds.

  5. Click Next.

23.4.1.7 Scheduling a Load Job that Runs on a Regular Basis (Recurring)

After specifying the data filter, you are directed to the Schedule page where you can define the priority and schedule type for your job.

If you want the job to run on a regular basis, follow these steps:

  1. In the Schedule page, select the job priority.

    Job priority determines the importance of the job.

  2. Select Recurring as the schedule type.

    Although the schedule type can be set or modified later, you must specify a schedule type now; otherwise, you will not be able to execute the job.

    The job should run repeatedly based on the recurring interval specified.

    If a job is recurring, then only one job instance for a particular job may execute at once. If the previous recurrence is still running, paused, or waiting in the Job Queue to execute, then this job instance is skipped. The job instance is moved to the job log with a status of Skipped, and the next recurrence, if any, is placed into the Job Queue.

  3. Set the schedule details to the desired values.

    Table 23-16 Schedule Details

    Parameter                                     Description
    Recurrence Interval                           Hourly, Daily, Weekly, or Monthly. The job repeats execution based on your selection.
    Execute Every                                 Frequency of the recurrence interval. For example, if the Recurrence Interval is Weekly and you enter 2 for Execute Every, the job executes every 2 weeks.
    Start Time                                    The recurring job starts at this time on the Start Date given in the Recurrence Range.
    Start Date and End Date for Recurrence Range  The date range for job execution. The job continues to execute between the Start Date and End Date at the intervals you specify. For a recurring job, the Start Date is the date and time at which the job first executes, and the End Date is the date and time after which there are no more recurrences. If the End Date is left blank, the job recurs indefinitely until it is manually removed from the Job Queue. End Date is not applicable to a nonrecurring job.
    Cancel execution if job runs longer than      The job is cancelled if it runs longer than this time. For example, with a value of 60 seconds, the job cancels execution if its runtime exceeds 60 seconds.


  4. Click Next if you want to see the Summary page or click Finish to process the job.

23.4.1.8 Checking the Summary Details of Load Job

If you clicked Next on the Schedule page, you are directed to the Summary page. This page displays the choices made and information entered on the previous wizard pages.

If you are not satisfied with the choices and entries shown on the Summary page, use the Back button to return to the wizard pages and make changes.

If you are satisfied with the choices and entries shown on the Summary page, create the job by clicking the Finish button. A success confirmation message is presented and the Job Edit page is launched. The Job Edit page allows you to modify and reschedule a job.

23.4.2 Creating Run Jobs

A Run Job performs risk analysis on a set of OAAM sessions. A Run Job using the OAAM Load type reads the session records from the database and applies the policies for the pre-authentication and post-authentication checkpoints where the user is successfully authenticated.


Note:

You can change which checkpoint is pre-authentication or post-authentication by creating or editing the following properties using the Properties Editor:

profile.type.enum.[checkpoint-key].isPreAuth

profile.type.enum.[checkpoint-key].isPostAuth

For information on checkpoint creation, refer to Section 15.1, "Creating a New Checkpoint."

A Custom Run Job may perform other tasks or resolve the checkpoints to be run in a different fashion.


The process for creating a Run Job is:

  1. Select Job Type and provide job details. See Section 23.4.2.1, "Selecting Run Job Type and Providing Job Details."

  2. Enter Run Details. See Section 23.4.2.2, "Choosing Default or Custom Run as Run Type."

    The Run Type defines how and under what conditions the OAAM policies are applied to the sessions.

    If using the OAAM Run Type, the following steps are needed:

  3. Set up the data filter.

    The data filter defines the criteria that select the set of records in the database to be loaded or run.

    If you want to define the set of records as all records created after a given date, choose Auto Increment as the data filter type. See Section 23.4.2.3.2, "Specifying to Run Analysis on All Data Created After a Given Date."

    If you want to define the set of records as all records that were created between given dates, choose Date Range. See Section 23.4.2.3.1, "Specifying to Run Analysis on Data Created Within a Date Range."

  4. Set up the scheduling.

    If you want to schedule analysis to run once, choose Once as the schedule type. See Section 23.4.2.4.1, "Scheduling Analysis to Run Once."

    If you want to schedule analysis to run on a regular basis, choose Recurring as the schedule type. See Section 23.4.2.4.2, "Scheduling Analysis to Run on a Regular Basis (Recurring)."

  5. Confirm details. See Section 23.4.2.5, "Checking the Summary Details of the Run Job."

23.4.2.1 Selecting Run Job Type and Providing Job Details

To create a Run Job, follow these steps:

  1. From the Jobs search page, click the New Job button.

    The Choose Job Type dialog appears with the available job types to select from.

  2. Select Run and click the Continue button.

    The Create Job page is opened by default to the General page where you can specify the name and description for the Run Job.

  3. Enter a name and description for the Run Job.

    The Next button is enabled only after the job name and description are entered.

  4. Click the Next button.

    The Run Job is created and you are directed to the Run Details page.

23.4.2.2 Choosing Default or Custom Run as Run Type

After creating the job, you are directed to the Run Details page where you can select the Run type. The Run type defines how and under what conditions the OAAM policies are applied to the sessions.

  1. In the Run details page, select the Run Type from the following two options:

    Table 23-17 Run Type

    Run Type    Description
    Default     By default the OAAM Run type is selected. The Pre-Authentication and Post-Authentication checkpoints that are enabled by default are run. If you select the default run type, you must specify the Transaction Size and Memory Buffer Size.
    Custom Run  To select a Custom Run type, click the Update Class Path... button, then enter the fully qualified class name for the custom run class. If it is valid, you can proceed to the next page; otherwise, an error message is displayed. The custom run class path is usually different from the Custom Load class path.


  2. Click the Next button.

    You are directed to the Data Filters page.

23.4.2.3 Specifying Which Set of Records to Analyze

After selecting the Run type, you are directed to the Data Filters page where you can:

  • Specify how much data to load and run by specifying a date range, or

  • Choose to load a selection and run checkpoints on only a sub-selection of that data

23.4.2.3.1 Specifying to Run Analysis on Data Created Within a Date Range

If you want to define the set of records as all records that were created between given dates, follow these steps:

  1. Select Date Range as the filter type.

  2. Enter the From and To Date for data processing.

    All data loaded within these dates will be processed.

  3. Click Next.

    You are directed to the Schedule page.

23.4.2.3.2 Specifying to Run Analysis on All Data Created After a Given Date

If you want to define the set of records as all records created after a given date, follow these steps.

  1. Select Auto Increment as the filter type.

  2. Enter a From Date.

    This is the date from when data should be run.

    All data from the given date will be processed with the current policies and rules.

  3. Click Next.

    You are directed to the Schedule page.

23.4.2.4 Scheduling Analysis to Run

After specifying the data filter, you are directed to the Schedule page where you can define the priority and schedule type for your job.

You can choose to:

  • Configure a single date/time to load and run

  • Configure a recurring load and run

  • Click Start to start the load and run now

23.4.2.4.1 Scheduling Analysis to Run Once

To configure a single date/time to load and run:

  1. In the Schedule page, select a job priority.

    Job priority determines the importance of the job.

  2. Select Once as the Schedule Type.

    The job runs at the Start Date and Start Time you specify, or it can be run immediately. The job runs only once; there is no recurrence. If the Schedule Type is set to Once, the execution time (Start Date and Start Time) defaults to the current date and time, so the job runs at once ("now").

  3. Set the schedule details to the desired values.

    Table 23-18 Schedule Details for a Run Job that Executes Once

    Property                                  Description
    Start Date and Start Time                 The job runs at the Start Date and Time.
    Cancel Execution if job runs longer than  The maximum amount of time a job is allowed to run before the system automatically stops it. This option is not required; if a job has no cancel time, it runs until it finishes or until a user manually stops it.


  4. Click Next.

23.4.2.4.2 Scheduling Analysis to Run on a Regular Basis (Recurring)

To configure a recurring load and run:

  1. At the Schedule page, select the job priority.

  2. Select the Schedule Type as Recurring.

    The job should run repeatedly based on the recurring interval specified. If a job is recurring, then only one job instance for a particular job may execute at once. If the previous recurrence is still running, paused, or waiting in the Job Queue to execute, then this job instance is skipped. The job instance is moved to the job log with a status of Skipped, and the next recurrence, if any, is placed into the Job Queue.

  3. Set the schedule details to the desired values.

    The Run Job will execute as per the Schedule Details.

    Table 23-19 Schedule Details for Recurring Run Job

    Property                              Description
    Recurrence Interval                   Hourly, Daily, Weekly or Monthly
    Execute Every                         Frequency in the recurrence pattern
    Start Time                            The recurring job starts at this time on the Start Date given in the Recurrence Range.
    Start Date and End Date               The date range for job execution. The job continues to execute between the Start Date and End Date at the intervals you specify. For a recurring job, the Start Date is the date and time at which the job first executes, and the End Date is the date and time after which there are no more recurrences. If the End Date is left blank, the job recurs indefinitely until it is manually removed from the Job Queue. End Date is not applicable to a nonrecurring job.
    Cancels execution if runtime exceeds  The maximum amount of time a job is allowed to run before the system automatically stops it. This option is not required; if a job has no cancel time, it runs until it finishes or until a user manually stops it.


  4. Click Next to proceed to the summary page or Finish to process the job.

23.4.2.5 Checking the Summary Details of the Run Job

If you clicked Next on the Schedule page, you are directed to the Summary page.

This page displays the choices made and information entered on the previous wizard pages. If you are not satisfied with the choices and entries shown on the Summary page, use the Back button to return to the wizard pages and make changes. If you are satisfied with the choices and entries shown on the Summary page, create the job by clicking the Finish button. A success confirmation message is presented and the Job Edit page is launched. The Job Edit page allows you to modify and reschedule a job.

Data Clean Up

When a Run begins executing, it performs a clean up for the records in the job's data filter. This clean up involves deleting rule logs, alerts, and actions and resetting risk scores and authentication statuses. This ensures that this data created from a run will not affect other runs on the same data. Pattern and group updates will not be reset between runs so these features are not intended for use cases where the same data is run multiple times.

For example, if you create a Run Job named "R&D Run" and you process it three times, the results (actions, alerts and score) from "R&D Run_090820100429" will not affect "R&D Run_090820100715", and "R&D Run_090920100807" will ignore the outcomes of the previous two.

23.4.3 Creating Load and Run Jobs

A Load and Run Job is a combination of a Load Job and a Run Job. After each record is processed by the Load Job, the result is fed directly into the Run Job. In a Load and Run Job, patterns will be processed for successful logins after the post-authentication rules are processed.


Note:

If you are loading from a non-OAAM schema, you must set up a database view. For instructions, refer to "Creating a View of a Non-OAAM Database" in the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager.


23.4.3.1 Selecting Load and Run Job Type and Providing Details

  1. From the Jobs search page, click the Create Job button.

    The Choose Job Type dialog appears with the available job types to select from.

  2. Select Load and Run and click the Continue button.

    The Create Job page is opened by default to the General page where you have to specify the name and description for the Load and Run Job.

    By default the Status should be Enabled.

  3. Select Load and Run as the job type.

  4. Enter a name and description for the Load and Run Job and select the status.

    The job type, name and description for the Load and Run Job and the status should be displayed in the General page. By default the status should be Enabled.

  5. Click the Next button.

    The Load and Run Job is created and you are directed to the Load Details page.

23.4.3.2 Selecting Loader Type for Load and Run Job

After creating the job, you are directed to the Load Details page where you can start defining the job.

  1. In the Load Details page, select the Loader type from the following two options: OAAM and Custom Loader.

    By default the OAAM Loader type is selected. You can select the custom loader if you choose to write a custom class.

  2. Under Data Source Details, enter the database connection parameters for the source database. The following parameters have to be entered:

    Table 23-20 Database Connection Parameters

    Parameter             Description
    Database Platform     The type of database from which you will be loading.
    JDBC URL              The connection string for the database.
    Database User Schema  The user name for the database.
    Database Password     The password for the database.


  3. Verify miscellaneous properties.

    This panel contains information that can be modified to improve performance such as transaction size, memory buffer size, and so on.

  4. Click the Next button.

    You are directed to the Run Details page.

23.4.3.3 Specifying Data Filters for Load and Run Job

After entering the required database connection parameters and miscellaneous properties in the Load Details page, you are directed to the Data Filters page where you can specify the data filter to be used for the data to be loaded.

  1. Select Auto Increment or Date Range as the filter type. If Auto Increment is selected, enter the date from which data should be loaded and run.

    The data filter selected is applied for both the Load and Run Job. All data from the given date is loaded. All data from the given date is processed with the current policies and rules.

  2. If Date Range Filter type is selected, enter the From and To Date for data processing.

    All data loaded within these dates will be processed.

23.4.3.4 Scheduling a Load and Run Job that Runs Once

After specifying the data filter, you are directed to the Schedule page where you can define the priority and schedule type for your job.

  1. In the Schedule page, select a job priority.

    Job priority determines the importance of the job.

  2. Select Once as the Schedule Type.

    The job runs at the Start Date and Start Time you specify, or it can be run immediately. The job runs only once; there is no recurrence. If the schedule type is set to Once, the execution time (Start Date and Start Time) defaults to the current date and time, so the job runs at once ("now").

  3. Set the schedule details to the desired values.

    Table 23-21 Schedule Details for a Run Job that Executes Once

    Property                                  Description
    Start Date and Start Time                 The job runs at the Start Date and Time.
    Cancel Execution if job runs longer than  The maximum amount of time a job is allowed to run before the system automatically stops it. This option is not required; if a job has no cancel time, it runs until it finishes or until a user manually stops it.


  4. Click Next.

23.4.3.5 Scheduling a Load and Run Job that Runs on a Regular Basis (Recurring)

After specifying the data filter, you are directed to the Schedule page where you can define the priority and schedule type for your job.

  1. In the Schedule page, select the job priority and select schedule type as Recurring.

    The job should run repeatedly based on the recurring interval specified.

    If a job is recurring, then only one job instance for a particular job may execute at once. If the previous recurrence is still running, paused, or waiting in the Job Queue to execute, then this job instance is skipped. The job instance is moved to the job log with a status of Skipped, and the next recurrence, if any, is placed into the Job Queue.

  2. Set the schedule details to the desired values.

    The Load and Run Job executes as per the Schedule Details. The Load Job runs first and then the Run Job as per the schedule details.

    Table 23-22 Schedule Details

    Parameter                                  Description
    Recurrence Interval                        Hourly, Daily, Weekly, or Monthly. The job repeats execution based on your selection.
    Execute Every                              Frequency of the recurrence interval. For example, if the Recurrence Interval is Weekly and you enter 2 for Execute Every, the job executes every 2 weeks.
    Start Time                                 The recurring job starts at this time on the Start Date given in the Recurrence Range.
    Recurrence Range: Start Date and End Date  The date range for job execution. The job continues to execute between the Start Date and End Date at the intervals you specify. For a recurring job, the Start Date is the date and time at which the job first executes, and the End Date is the date and time after which there are no more recurrences. If the End Date is left blank, the job recurs indefinitely until it is manually removed from the Job Queue. End Date is not applicable to a nonrecurring job.
    Cancel execution if job runs longer than   The job is cancelled if it runs longer than this time. For example, with a value of 60 seconds, the job cancels execution if its runtime exceeds 60 seconds.


  3. Click Next.

    You are directed to a summary details page.

23.4.3.6 Checking the Summary Details of the Load and Run Job

If you clicked Next on the Schedule page, you are directed to the Summary page.

This page displays the choices made and information entered on the previous wizard pages. If you are not satisfied with the choices and entries shown on the Summary page, use the Back button to return to the wizard pages and make changes.

If you are satisfied with the choices and entries shown on the Summary page, create the job by clicking the Finish button. A success confirmation message is presented and the Job Edit page is launched. The Job Edit page allows you to modify and reschedule a job.

23.4.4 Creating Monitor Data Rollup Jobs

This section shows how Monitor Data Rollup Jobs can be created. The topics in this section are the following:

23.4.4.1 About Monitor Data Rollup Jobs

The Monitor Data Rollup Job reclaims space in the database by merging redundant records in the V_MONITOR_DATA table. If Monitor Data records are of the same type, with the same data value and fingerprint, and fall within the same period on a trending graph for a particular scale, then those records are considered to be redundant for that scale.

A Monitor Data Rollup Job with a daily scale, for example, will merge all of the redundant records from each day into single records for each day.

Monitor Data records may be redundant on one scale, but not redundant on a more granular scale. For example, if there are two Monitor Data records of the same type and with the same data value and fingerprint, one created on a Monday and one created two days later, then those two records would be redundant on a weekly scale, but would not be redundant on a daily scale.

When Monitor Data records are merged, each set of redundant Monitor Data records is taken and a new record is created using the earliest begin date, the latest end date, the sum of the counts and running times, the smallest minimum running time, and the largest maximum running time of each set. Then the entire set of redundant Monitor Data records is deleted and the new merged Monitor Data record is inserted to take their place. Depending on the scale at which to roll up, there will be at most one Monitor Data record for each time period for each unique combination of Monitor Type, data value, and fingerprint.
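The merge rule above, worked through as an added Python example (not OAAM code): records older than the Cutoff Time are grouped by Monitor Type, data value, fingerprint and period at the chosen scale, and each group is replaced by one merged record. The record fields, the use of the begin date to place a record in a period, the use of the end date for the cutoff test, and Monday as the start of a week are assumptions; the sample reproduces the text's Monday/two-days-later pair, which is redundant on a weekly scale but not on a daily one.

```python
"""Model of the Monitor Data Rollup merge described in the text.

Added example, not OAAM code. Field names, period membership by begin date,
the cutoff test on end date and Monday-start weeks are assumptions; the real
V_MONITOR_DATA layout may differ.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MonitorData:
    monitor_type: str
    data_value: str
    fingerprint: str
    begin: datetime
    end: datetime
    count: int
    running_time: int       # summed running time of the counted events
    min_running_time: int
    max_running_time: int


def period_start(ts: datetime, scale: str) -> datetime:
    """Truncate a timestamp to the start of its period on the given scale."""
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if scale == "hourly":
        return ts.replace(minute=0, second=0, microsecond=0)
    if scale == "daily":
        return day
    if scale == "weekly":
        return day - timedelta(days=day.weekday())  # week starts Monday (assumption)
    if scale == "monthly":
        return day.replace(day=1)
    raise ValueError(f"unknown rollup scale: {scale}")


def merge(group):
    """Merge one set of redundant records exactly as the text describes."""
    first = group[0]
    return MonitorData(
        monitor_type=first.monitor_type,
        data_value=first.data_value,
        fingerprint=first.fingerprint,
        begin=min(r.begin for r in group),            # earliest begin date
        end=max(r.end for r in group),                # latest end date
        count=sum(r.count for r in group),            # sum of the counts
        running_time=sum(r.running_time for r in group),
        min_running_time=min(r.min_running_time for r in group),
        max_running_time=max(r.max_running_time for r in group),
    )


def rollup(records, scale, cutoff, now):
    """Return the table contents after a rollup at `scale`.

    Records whose end date is within `cutoff` of `now` are left alone (the
    Cutoff Time). Older records are grouped by (type, value, fingerprint,
    period) and each group is replaced by a single merged record, so at most
    one record per period remains for each unique combination.
    """
    untouched, groups = [], defaultdict(list)
    for r in records:
        if r.end >= now - cutoff:
            untouched.append(r)
        else:
            key = (r.monitor_type, r.data_value, r.fingerprint,
                   period_start(r.begin, scale))
            groups[key].append(r)
    merged = [merge(g) for g in groups.values()]
    return sorted(untouched + merged, key=lambda r: r.begin)


def _rec(fp, begin, end, count, total, lo, hi):
    return MonitorData("login", "success", fp, begin, end, count, total, lo, hi)


# Constructed sample: the text's Monday / two-days-later pair (A, B), a record
# with a different fingerprint (C) and a recent record inside the cutoff (D).
NOW = datetime(2014, 12, 1)
SAMPLE = [
    _rec("fp1", datetime(2014, 6, 2, 10, 0), datetime(2014, 6, 2, 10, 5), 3, 300, 50, 150),   # A, Monday
    _rec("fp1", datetime(2014, 6, 4, 9, 0), datetime(2014, 6, 4, 9, 10), 5, 800, 40, 400),    # B, Wednesday
    _rec("fp2", datetime(2014, 6, 2, 12, 0), datetime(2014, 6, 2, 12, 1), 1, 70, 70, 70),     # C
    _rec("fp1", datetime(2014, 11, 30, 8, 0), datetime(2014, 11, 30, 8, 2), 2, 120, 50, 70),  # D, recent
]


def weekly_rollup():
    # Table 23-23 default Cutoff Time for Weekly is 13 weeks: A and B merge.
    return rollup(SAMPLE, "weekly", timedelta(weeks=13), NOW)


def daily_rollup():
    # Table 23-23 default Cutoff Time for Days is 2 days: A and B stay apart.
    return rollup(SAMPLE, "daily", timedelta(days=2), NOW)


if __name__ == "__main__":
    for r in weekly_rollup():
        print("weekly:", r.fingerprint, r.begin, r.end, r.count)
    for r in daily_rollup():
        print("daily: ", r.fingerprint, r.begin, r.end, r.count)
```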

23.4.4.2 Selecting Monitor Data Rollup Type and Providing Details

To create a Monitor Data Rollup Job, follow these steps:

  1. From the Navigation tree, double-click Jobs to open the Jobs search page.

  2. From the Jobs search page, click the Create Job button.

    The Choose Job Type dialog appears with the available job types to select from.

  3. Select Monitor Data Rollup and click the Continue button.

    The Create Job page is opened by default to the General page.

  4. Select Monitor Data Rollup as the job type.

  5. Enter a name and description for the Monitor Data Rollup Job.

  6. Select the status.

    By default the status should be Enabled.

  7. Click the Next button.

    The Monitor Data Rollup Job is created and you are directed to the Rollup Details page.

23.4.4.3 Specifying Rollup Unit and Cutoff Time

After creating the Monitor Data Rollup Job, you are directed to the Rollup Details page where you can specify Rollup options for this job. All records within the specified unit size will be rolled up (compacted) into a single record.

  1. In the Rollup Details page, select the rollup unit.

    The rollup unit defines the scale at which the Monitor Data records will be rolled up.

    Choices are Hourly, Days, Weekly, and Monthly.

  2. Select the Cutoff Time.

    This value determines which records should be compacted. For example, if 6 Months is specified for the Cutoff Time, all records older than 6 months will be compacted to a single record. The Cutoff Time property tells the job which records to leave alone and not roll up.

    It is recommended that the Cutoff Time remains at the default value because if the Cutoff Time value is below the default value, the dashboard graphs may not be accurate.

    Table 23-23 Default Value for Cutoff Time

    Rollup   Cutoff Time
    Hourly   1 hour
    Days     2 days
    Weekly   13 weeks
    Monthly  6 months


  3. Click Next.

23.4.4.4 Scheduling a Monitor Data Rollup Job that Runs Once

After specifying the Rollup options for the job, you are directed to the Schedule page where you can define the priority and schedule type for your job.

To specify for the Monitor Data Rollup Job to occur once, follow these steps:

  1. In the Schedule page, select a job priority.

    Job priority determines the importance of the job.

  2. Select Once as the schedule type.

    The job runs at the start date and start time specified by you or the job can be run immediately. This job is run only once and there is no recurrence. If the schedule type is set to Once, the execution time (Start Date and Start Time) is set to the current date and time and the job processes at once ("now") by default.

  3. Set the schedule details to the desired values.

    Table 23-24 Schedule Details for a Run Job that Executes Once

    Property                                  Description
    Start Date and Start Time                 The job runs at the Start Date and Time.
    Cancel Execution if job runs longer than  The maximum amount of time a job is allowed to run before the system automatically stops it. This option is not required; if a job has no cancel time, it runs until it finishes or until a user manually stops it.


  4. Click Next.

23.4.4.5 Scheduling a Monitor Data Rollup that Runs on a Regular Basis (Recurring)

After specifying the Rollup options for the job, you are directed to the Schedule page where you can define the priority and schedule type for your job.

To specify for the Monitor Data Rollup Job to be recurring, follow these steps:

  1. In the Schedule page, select the job priority.

    The job priority of the rollup job determines the order of execution when two jobs have the same schedule date and time.

  2. Select Recurring as the schedule type.

    The job should run repeatedly based on the recurring interval specified. If a job is recurring, then only one job instance for a particular job may execute at once. If the previous recurrence is still running, paused, or waiting in the Job Queue to execute, then this job instance is skipped. The job instance is moved to the job log with a status of Skipped, and the next recurrence, if any, is placed into the Job Queue.

  3. Set the schedule details to the desired values.

    Table 23-25 Schedule Details

    Parameter                                  Description
    Recurrence Interval                        Hourly, Daily, Weekly, or Monthly. The job repeats execution based on your selection.
    Execute Every                              Frequency of the recurrence interval. For example, if the Recurrence Interval is Weekly and you enter 2 for Execute Every, the job executes every 2 weeks.
    Start Time                                 The recurring job starts at this time on the Start Date given in the Recurrence Range.
    Recurrence Range: Start Date and End Date  The date range for job execution. The job continues to execute between the Start Date and End Date at the intervals you specify. For a recurring job, the Start Date is the date and time at which the job first executes, and the End Date is the date and time after which there are no more recurrences. If the End Date is left blank, the job recurs indefinitely until it is manually removed from the Job Queue. End Date is not applicable to a nonrecurring job.
    Cancel execution if job runs longer than   The job is cancelled if it runs longer than this time. For example, with a value of 60 seconds, the job cancels execution if its runtime exceeds 60 seconds.


    The Monitor Data Rollup Job should execute as per the Schedule Details.

  4. Click Next.

    You are directed to the Monitor Data Rollup Job Summary Details page.

23.4.4.6 Checking the Summary Details of the Monitor Data Rollup

If you clicked Next on the Schedule page, you are directed to the Summary page. This page displays the choices made and information entered on the previous wizard pages.

If you are not satisfied with the choices and entries shown on the Summary page, use the Back button to return to the wizard pages and make changes.

If you are satisfied with the choices and entries shown on the Summary page, create the job by clicking the Finish button. A success confirmation message is presented and the Job Edit page is launched.

23.5 Managing Jobs

This section shows how jobs can be managed in OAAM. The topics in this section are the following:

23.5.1 About Running Jobs

When the scheduled start time for a job instance arrives, the system checks to see if it is allowed to execute it. If a job is recurring, then only one job instance for a particular job may execute at once, so if the previous recurrence is still running, paused, or sitting in the Job Queue waiting to execute, then this job instance will be skipped. The job instance will be moved to the job log with a status of Skipped, and the next recurrence, if any, will be placed into the Job Queue.

If the server stops while a job instance is executing, that job instance will automatically restart at the point where it stopped when the server starts up. In a clustered environment, if the server where a job instance is running fails, another server in the cluster will automatically restart it.

If the job was scheduled with a Cancel Time and the server starts some time later, the time during which the server was down does not count against the elapsed time for purposes of determining when the job should auto-cancel. For example, if a job is scheduled to start at 12:00 am and cancel after two hours, but the server stops at 1:30 am and is not restarted until 7:00 am, then the job restarts where it left off at 7:00 am with 30 minutes remaining, and auto-cancels at 7:30 am.

23.5.1.1 Bulk Risk Analytics Job Execution

The Load, Run, and Load and Run Job types are all mutually exclusive with each other. No Load, Run, or Load and Run Job may execute at the same time as another Job of either Job Type.
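The rules in Section 23.5.1 and Section 23.5.1.1 (one instance per recurring job with the skip rule, the Cancel Time budget that excludes server downtime, and mutual exclusion of the Load, Run, and Load and Run types) are modelled below as an added Python example; it is not OAAM code and does not show how the product implements them. It also orders the queue by start time and then priority as Section 23.5.13.2 describes, which goes beyond this passage. The job names, the sample queue, and the outage interval are constructed; the convention that a larger priority number means higher priority, the idea that the caller supplies the outage intervals, and the treatment of the Monitor Data Rollup type as not mutually exclusive are assumptions, not statements from the guide.

```python
# Added example, not OAAM code: a model of the job-queue rules in Sections
# 23.5.1, 23.5.1.1 and 23.5.13.2 (see the assumptions in the lead-in).
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Job types that may never execute at the same time as one another (23.5.1.1).
MUTUALLY_EXCLUSIVE_TYPES = frozenset({"Load", "Run", "Load and Run"})
# States in which the previous instance of a recurring job still holds its
# single slot, so a newly due recurrence is skipped (23.5.1).
OCCUPYING_STATES = frozenset({"Running", "Paused", "Scheduled"})
Interval = Tuple[datetime, datetime]  # (server went down, server came back)

@dataclass
class JobInstance:
    job_name: str
    job_type: str
    scheduled_start: datetime
    priority: int             # assumption: larger value = higher priority
    recurring: bool = False
    state: str = "Scheduled"  # Scheduled | Running | Paused | Skipped | Completed | Canceled

def queue_order(queue: Iterable[JobInstance]) -> List[JobInstance]:
    """Execution order: earliest start first; on a tie, higher priority first."""
    return sorted(queue, key=lambda j: (j.scheduled_start, -j.priority))

def admission_decision(candidate: JobInstance, queue: Iterable[JobInstance]) -> str:
    """Outcome when the candidate's start time arrives: "skip" (its previous
    recurrence is still running, paused or waiting), "wait" (a running job of a
    mutually exclusive type blocks it; it stays queued) or "run"."""
    others = [j for j in queue if j is not candidate]
    if candidate.recurring and any(
        j.job_name == candidate.job_name and j.state in OCCUPYING_STATES for j in others
    ):
        return "skip"
    if candidate.job_type in MUTUALLY_EXCLUSIVE_TYPES and any(
        j.job_type in MUTUALLY_EXCLUSIVE_TYPES and j.state == "Running" for j in others
    ):
        return "wait"
    return "run"

def effective_elapsed(start: datetime, now: datetime, outages: Iterable[Interval]) -> timedelta:
    """Run time that counts against the Cancel Time: wall-clock time minus outages."""
    elapsed = now - start
    for down, up in outages:
        overlap = min(now, up) - max(start, down)
        if overlap > timedelta(0):
            elapsed -= overlap
    return elapsed

def auto_cancel_at(start: datetime, cancel_after: timedelta, outages: Iterable[Interval]) -> datetime:
    """Wall-clock time at which the job auto-cancels; after a restart the job
    resumes where it left off with its remaining budget intact (23.5.1)."""
    remaining = cancel_after
    t = start
    for down, up in sorted(outages):
        if up <= t:
            continue                 # outage ended before this point
        down = max(down, t)          # clip an outage that began before t
        if t + remaining <= down:
            break                    # budget used up before the outage began
        remaining -= down - t        # time that ran before the outage counts
        t = up                       # job resumes when the server restarts
    return t + remaining

def worked_example() -> dict:
    """The scenario from 23.5.1 as constructed data: start 12:00 am, cancel
    after two hours, server down from 1:30 am to 7:00 am."""
    start = datetime(2014, 8, 1, 0, 0)
    outages = [(datetime(2014, 8, 1, 1, 30), datetime(2014, 8, 1, 7, 0))]
    elapsed_at_restart = effective_elapsed(start, outages[0][1], outages)
    return {
        "elapsed_at_restart_min": int(elapsed_at_restart.total_seconds() // 60),
        "auto_cancel_at": auto_cancel_at(start, timedelta(hours=2), outages).strftime("%H:%M"),
    }

def admission_example() -> Tuple[str, str, str, List[str]]:
    """Constructed queue: a running Load job, a running recurring rollup whose next
    recurrence is due, and a Run job due at the same time as that recurrence."""
    t0 = datetime(2014, 8, 1, 9, 0)
    load = JobInstance("Nightly Load", "Load", t0, priority=3, state="Running")
    rollup_a = JobInstance("Rollup", "Monitor Data Rollup", t0, 1, recurring=True, state="Running")
    rollup_b = JobInstance("Rollup", "Monitor Data Rollup", t0 + timedelta(hours=1), 1, recurring=True)
    run = JobInstance("R&D Run", "Run", t0 + timedelta(hours=1), 5)
    queue = [load, rollup_a, rollup_b, run]
    return (
        admission_decision(rollup_b, queue),       # previous recurrence still running
        admission_decision(run, queue),            # a Load job is running
        admission_decision(run, [run, rollup_a]),  # no mutually exclusive job running
        [j.job_name for j in queue_order(queue)],
    )

if __name__ == "__main__":
    print(worked_example())   # {'elapsed_at_restart_min': 90, 'auto_cancel_at': '07:30'}
    print(admission_example())
```

Running the block reproduces the worked figures from the text: at the 7:00 am restart only 90 minutes of the two-hour budget have been used, so the job auto-cancels at 7:30 am; the second recurrence of the rollup is skipped while the first is still running, and the Run job waits behind the running Load job.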

23.5.1.2 Run Data Reset

Actions, alerts and rule log data will be deleted if the same selection of data has another run processed on it. This ensures that this data created from a run will not affect other runs on the same data. Pattern and group updates will not be reset between runs so these features are not intended for use cases where the same data is run multiple times.

For example, if an administration console user creates a Run Job named "R&D Run" and processes it three times, the results (actions, alerts, and score) from "R&D Run_090820100429" will not affect "R&D Run_090820100715", and "R&D Run_090920100807" will ignore the outcomes of the previous two.

23.5.1.3 Group Populations

If a configurable action adds or removes members to or from a group as a result of a run, these changes are available for use by subsequent runs.

For information on groups, refer to Chapter 12, "Managing Groups."

23.5.1.4 Pattern Buckets and Memberships

Pattern buckets created and membership count updates that occur as a result of a run are available for use by subsequent runs.

For information on pattern buckets and membership, refer to Section 17.1.2, "Patterns."

23.5.1.5 Actions, Alerts, Scores

Rule outcomes from a run will be deleted before subsequent runs on the same data.

For information on actions, alerts, and scores as outcomes, refer to Section 10.1, "Introduction to Policies, Rules, and Conditions."

23.5.2 Notes About Rescheduling Jobs

OAAM does not reschedule a job unless the start time is changed. When changing the recurrence pattern for a job (recurrence interval and/or recurrence frequency), the best practice is to also change the start date and time to be explicit about when you want the next recurrence to occur. Otherwise, the next scheduled recurrence, if any, proceeds as scheduled, and the next recurrence after that is calculated from that point. If the job does not have any future recurrences scheduled, then modifying the recurrence pattern without changing the start time has no effect: after the change is saved, the job still has no future recurrences scheduled.

23.5.3 Processing a Job Immediately

To process a job immediately:

  1. Search for the jobs that you want to process by performing the procedure described in Section 23.2.3, "Searching for Jobs."

  2. Select the job from the Search Results table and click Process Now.

    Alternatively, you can select Process Now from the Actions menu.

    If there are no other jobs that are currently running, the job is placed as a job instance in the queue. The job status is "Running" and the Start time is set to the current time.

    If another job is currently running that prevents the selected job from executing, a message informs you that the job could not be started and the queue will be unchanged.

23.5.4 Pausing a Job

To pause a running job, or to prevent a queued job from executing while leaving it in the queue, follow these steps:

  1. From the Job Queue page, select the job.

  2. Press the Pause icon on the Results toolbar.

    The job instance is suspended. The next job in the queue is run. Pausing the job does not affect the order of the job instances in the execution queue.

    If a recurring job instance that has not yet started is paused, the job instance is suspended and remains paused in the queue until it is resumed or canceled.

    If a recurring job instance is paused and then resumed when another job is scheduled to run, the job that is resumed has higher priority.

23.5.5 Resuming a Paused Job

To resume a paused job, follow these steps:

  1. From the Job Queue page, select the paused job.

    The Process button is enabled when a job instance is paused.

  2. Press the Process icon on the Results toolbar.

    The job instance resumes processing from where it was paused if no other job is currently running. The process start time shows the original process Start Time and not the Start Time when the job instance was resumed.

    If a job is resumed when another job is scheduled to run, the job that is scheduled is skipped.

    If another job is already running, resuming the paused job places the job in the Job Queue and it will be executed after the current job completes running.

23.5.6 Canceling a Job

To stop the job instance if it is running and remove the job instance from the Job Queue, perform the following steps:

  1. From the Job Queue page, select the job.

  2. Press the Cancel icon on the Results toolbar.

    The job instances that were selected are suspended and removed from the Job Queue.

    If the job is recurring, the next instance will be added to the Job Queue.

23.5.7 Enabling Jobs

In addition to creating and modifying jobs, you can enable jobs that are currently disabled. If the Enable button is enabled, it means that jobs are currently disabled and you can enable them by clicking Enable. If there are no disabled jobs listed in the search results table, then the Enable button is disabled.

To enable jobs:

  1. Search for the jobs that you want to enable by performing the procedure described in Section 23.2.3, "Searching for Jobs."

  2. In the search results table, select the jobs and click Enable.

    Alternatively, you can select Enable from the Actions menu.

    A message indicating that the jobs have been successfully enabled is displayed.

  3. Click OK to close the dialog.

23.5.8 Disabling Jobs

You can disable jobs that are currently enabled. If the Disable button is enabled, it means that jobs are currently enabled and you can disable them by clicking Disable. If all the jobs in the search results table are disabled, then the Disable button is not enabled.

Only jobs that are processed can be disabled. The jobs that are running or scheduled to run in the future cannot be disabled.

To disable jobs:

  1. Search for the jobs that you want to disable by performing the procedure described in Section 23.2.3, "Searching for Jobs."

  2. In the search results table, select the jobs and click Disable.

    Alternatively, you can select Disable from the Actions menu.

    A message indicating that the jobs have been successfully disabled is displayed.

  3. Click OK to close the dialog.

23.5.9 Deleting Jobs

To delete jobs, follow these steps:

  1. Search for the jobs that you want to delete by performing the procedure described in Section 23.2.3, "Searching for Jobs."

  2. Select the jobs from the Search Results table and click the Delete button.

    Alternatively, you can select Delete from the Actions menu.

    Only the jobs that are not processed can be deleted. The jobs that are processed (finished) contain logs and references to job instances and cannot be deleted. Error messages are displayed when you try to delete these jobs. Processed jobs can only be disabled. Jobs with the In Process status cannot be deleted. If multiple jobs are selected, and if any one of them cannot be deleted, none of the selected jobs will be deleted.

    Table 23-26 Deleting Jobs

    Status and whether the job can be deleted:

    Not Processed: Yes.

    Processed: No. Processed jobs can only be disabled.

    In Process: No.


23.5.10 Viewing Job Details

Clicking the job name in the Search Results table opens the corresponding Job Details page. The following information is displayed in the Job Details page:

  • The General page displays general information about the job such as job type, job name, and job status.

  • The Load Details page shows the loader that controls which records will be processed.

  • The Rollup Details page shows the monitor rollup details.

  • The Run Details page shows the run type details.

  • The Data filters tab shows which set of data to load into the offline system or process.

  • The Schedule page shows the scheduling options chosen for the job.

23.5.11 Viewing Instances of a Job

The Instances tab of the Job Details page shows all past and present job instances for a job. The panel at the top allows you to filter the job instances shown.

Table 23-27 Filter Job Instances

State: Show only those job instances that are in a particular state, such as Running, Skipped, Completed, or Canceled.

Process Message: Show only those job instances that match on the process message.

Process Start Time: Show only job instances that started processing in the specified timestamp range.

Process End Time: Show only job instances that stopped processing (whether successfully or unsuccessfully) in the specified timestamp range.


The Process Now button allows you to start executing jobs that were skipped or not executed because of errors. If this job, or another job of the same job type, is already running, you are informed that this job cannot be started now.

23.5.12 Viewing the Job Log

To view the job log, open the Job Log page from the Job Queue page. This page shows past job instances. The top panel allows the user to filter the results.

Table 23-28 Job Log Filters

Job Instance Name: Show only job instances that match on job instance name.

Job Type: Show only job instances of the specified job type.

State: Show only those job instances that are in a particular state, such as Running, Skipped, Completed, or Canceled.

Process Message: Show only those job instances that match on the process message.

Process Start Time: Show only job instances that started processing in the specified timestamp range.

Process End Time: Show only job instances that stopped processing (whether successfully or unsuccessfully) in the specified timestamp range.


23.5.13 Viewing and Sorting the Job Queue

You can view and sort jobs.

23.5.13.1 Viewing the Job Queue

From the Navigation tree, double-click Job Queue to open the Job Queue page.

This page shows a listing of currently processing and future jobs. The job instances are displayed in the exact order of execution in the execution queue. There is only one job instance per job.

The recurring job instances have the job name followed by the date and time when the current instance started or the date and time when it will occur next.

The process start time is the exact time when the job started running for current jobs and an estimated start time for the future jobs. Process Duration is shown only for currently processing jobs.

You can filter based on job type, status, start/complete date, name and description. The queue displays which jobs are currently running and what their status is in terms of estimated completion time and percentage progress. Completed jobs will display as such.

The Job Instance Name in the table is a link to the Job Details page for the job.

23.5.13.2 Sorting the Job Queue

To sort the Job Queue:

  1. From the Navigation tree, double-click Job Queue to open the Job Queue page.

  2. From the Job Queue page, click the Sort Ascending icon on the Priority column or the Start Time column to sort the list.

    Sorting is not allowed on other data points since the job records are placed in the order of execution and this cannot be edited.

    If two jobs have the same start date and time but different job priorities, the job with the higher priority is listed first in the Job Queue.

23.6 Editing Jobs

This section contains instructions to edit jobs.

23.6.1 Editing Jobs

The Job Edit page allows you to modify and reschedule a job.

Table 23-29 summarizes the Job Edit tabs.

Table 23-29 Edit Job

General: General information for the job: job type, name, and status. The Job Name field cannot be modified.

Job Type: The fields on this tab are specific to the job type.

Schedule: Similar to the Schedule page of the Job Creation wizard.

Instances: Shows all past and present job instances for the job.


You can make the following changes:

  1. Enable or disable a job from the General tab.

  2. Change the Transaction and Memory Buffer Size from the Run Details tab.

  3. Change the job schedule from the Schedule tab.

Only the job instance for the next occurrence is affected by the edits. Instances that are currently processing are not affected.

23.6.2 Editing the Monitor Data Rollup

To edit a Monitor Data Rollup Job, follow these steps:

  1. Make the following changes:

    1. Enable or disable a job from the General tab.

    2. Change the Transaction and Memory Buffer Size from the Run Details tab.

    3. Change the job schedule from the Schedule tab.

  2. Click the Process Now button.

    The Monitor Data Rollup Job is processed on a one-time basis. The regular schedule of this job is not affected by the one-time execution; the job is executed again at its regularly scheduled date and time.

23.7 Migration

If you are loading from a non-OAAM schema, you must set up the required database view. Refer to "Creating a View of a Non-OAAM Database" in the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager.

23.8 Use Cases

Use cases are presented below.

23.8.1 Use Case: Load OAAM Login Data and Run Checkpoints on a Recurring Basis

  1. Security Administrator activates the option to create a new job.

  2. Security Administrator selects the Load and Run Job from a dialog.

  3. Security Administrator fills in the general information and clicks Next.

  4. Security Administrator is presented with the Load Details page. Security Administrator selects OAAM Loader, fills in the Database Connection information, accepts the default Data Mappings, and, if desired, modifies the miscellaneous properties. Security Administrator then clicks Next.

  5. Security Administrator is presented with the Run Details page. Security Administrator selects Default Run Type and, if desired, modifies the Run Properties. Security Administrator then clicks Next.

  6. Security Administrator is presented with the Data Filters page. Security Administrator selects Auto Increment and selects the desired From Date.

  7. Security Administrator is presented with the Schedule page of the wizard. The default Schedule Type should be Once, and the Start Date and Start Time should be set to the current date and time by default.

  8. Security Administrator selects the Recurring Schedule Type and sets the schedule details to the desired values. Security Administrator may also change the job priority and set the Cancel Time, if desired.

  9. Security Administrator clicks Next, confirms the information on the Summary, and clicks Finish.

Alternate Courses of Action 1: If the remote database is not an OAAM schema, then in step 4, the Security Administrator will be required to change the default values for the Data Mappings to match the database schema.

Alternate Courses of Action 2: If the data to be loaded is in a file rather than a database, then the Security Administrator may write a custom loader to load the data from the file, but a better practice would be to import the file data into a database table and follow Alternate Courses of Action 1.

Alternate Courses of Action 3: The job instance is placed into the Job Queue and is scheduled to start at the desired time. When complete, the next job instance is placed into the Job Queue. The loaded data will be available in the sessions list.

23.8.2 Use Case: Load Transaction Data and Run Checkpoints on a Recurring Basis

Pre-conditions: Security Administrator is in OAAM Admin and has the appropriate permissions. A custom loader has been written and the resulting classes have been specified in the OAAM Offline application's classpath. Any needed properties have been set in the OAAM Environment Manager.

  1. Security Administrator activates the option to create a new job.

  2. Security Administrator selects the Load and Run Job Type from a dialog.

  3. Security Administrator fills in the general information and clicks Next.

  4. Security Administrator is presented with the Load Details page. Security Administrator selects Custom Loader Type and clicks Update Class Path.

  5. Security Administrator types in the fully qualified Java class name for the Custom Loader Type and clicks OK.

  6. Security Administrator modifies the miscellaneous properties if desired and clicks Next.

  7. Security Administrator is presented with the Run Details page. Security Administrator selects Default Run Type and, if desired, modifies the Run Properties. Security Administrator then clicks Next.

  8. Security Administrator is presented with the Data Filters page. Security Administrator selects Auto Increment and selects the desired From Date.

  9. Security Administrator is presented with the Schedule page of the wizard. The default Schedule Type should be Once, and the Start Date and Start Time should be set to the current date and time by default.

  10. Security Administrator selects the Recurring Schedule Type and sets the schedule details to the desired values. Security Administrator may also change the Job Priority and set the Cancel Time, if desired.

  11. Security Administrator clicks Next, confirms the information on the Summary, and clicks Finish.

    The job instance is placed into the Job Queue and is scheduled to start at the desired time. When complete, the next job instance is placed into the Job Queue. The loaded data will be available in the sessions list.

Alternate Courses of Action: An error will occur at step 5 if there is a problem instantiating the Custom Loader. One possible problem is that the system cannot find the class. Another possible problem is that the class exists, but an error occurred when instantiating the class. The final possible problem is that the system was able to instantiate the class, but it does not properly implement the custom loader specification. The user will receive a different error message depending on the problem.

23.8.3 Use Case: Create a Job for Immediate Execution

Preconditions: Security Administrator is in the OAAM Admin Console and has the appropriate permissions.

Actors: Security Administrator

Steps:

  1. The Security Administrator activates the option to create a new Job.

  2. The Security Administrator selects the desired Job Type from a dialog.

  3. The Security Administrator fills in the general information and clicks Next.

  4. The Security Administrator fills in the Job Type specific information and clicks Next (this may be multiple screens, depending on the Job Type).

  5. The Security Administrator is presented with the Schedule screen of the wizard. The default Schedule Type should be Once, and the Start Date and Start Time should be set to the current date and time by default.

  6. The Security Administrator ensures that the Schedule Type is set to Once and that the Start Date and Start Time are set to the current date and time. The Security Administrator may also change the Job Priority and set the Suspend Time, if desired.

  7. The Security Administrator clicks Next, confirms the information on the Summary, and clicks Finish.

Alternate Courses of Action:

Alternate Courses of Action 1: If the selected Job Type is mutually exclusive, and another Job of the same Job Type is currently executing, this new job will be placed into the Job Queue, but will not begin executing until the currently executing Job is completed.

Post-conditions: The Job begins executing, and the Job Instance is visible in the Job Queue.

23.8.4 Use Case: Create a Job for Future Execution

Preconditions: The Security Administrator is in the OAAM Admin Console and has the appropriate permissions.

Actors: Security Administrator

Steps:

  1. The Security Administrator activates the option to create a new Job.

  2. The Security Administrator selects the desired Job Type from a dialog.

  3. The Security Administrator fills in the general information and clicks Next.

  4. The Security Administrator fills in the Job Type specific information and clicks Next (this may be multiple screens, depending on the Job Type).

  5. The Security Administrator is presented with the Schedule screen of the wizard. The default Schedule Type should be Once, and the Start Date and Start Time should be set to the current date and time by default.

  6. The Security Administrator ensures that the Schedule Type is set to Once. The Security Administrator sets the Start Date and Start Time to the desired date and time. The Security Administrator may also change the Job Priority and set the Suspend Time, if desired.

  7. The Security Administrator clicks Next, confirms the information on the Summary, and clicks Finish.

Alternate Courses of Action: None.

Post-conditions: The Job Instance is placed into the Job Queue and is scheduled to start at the desired time.

23.8.5 Use Case: Create a Job With Recurring Execution

Preconditions: Security Administrator is in the OAAM Admin Console and has the appropriate permissions.

Actors: Security Administrator

Steps:

  1. The Security Administrator activates the option to create a new Job.

  2. The Security Administrator selects the desired Job Type from a dialog.

  3. The Security Administrator fills in the general information and clicks Next.

  4. The Security Administrator fills in the Job Type specific information and clicks Next (this may be multiple screens, depending on the Job Type).

  5. The Security Administrator is presented with the Schedule screen of the wizard.

  6. The Security Administrator sets the Schedule Type to Recurring and sets the Start Date and Start Time to the desired date and time. The Security Administrator may also change the Job Priority and set the End Time and Suspend Time, if desired.

  7. The Security Administrator clicks Next, confirms the information on the Summary, and clicks Finish.

Alternate Courses of Action: None.

Post-conditions: The Job Instance is placed into the Job Queue and is scheduled to start at the desired time. When complete, the next Job Instance is placed into the Job Queue.

23.8.6 Use Case: View the Job Queue

Preconditions: Security Administrator is in the OAAM Admin Console and has the appropriate permissions.

Actors: Security Administrator

Security Administrator activates the option to display the Job Queue, and clicks the Current Queue tab, if necessary.

Alternate Courses of Action:

Alternate Courses of Action 1: If the Security Administrator wishes to pause a Job Instance, then she will click the desired Job Instance (or multi-select the Job Instances) and click the Pause button. The Job Instance will remain in the Job Queue, but the State will be changed to Paused. If the Job Instance was executing, it will stop, and if another Job Instance was blocked on this one, it will begin executing.

Alternate Courses of Action 2: If the Security Administrator wishes to resume a paused Job Instance, then she will click the desired Job Instance (or multi-select the Job Instances) and click the Resume button. If the scheduled start time for this Job Instance has passed and there are no other conflicting Jobs already running, this Job Instance will go into Running state and will begin executing. Otherwise this Job Instance will go into Scheduled state. If multiple Job Instances are resumed at the same time, then the one with the earliest scheduled start time will go first.

Alternate Courses of Action 3: If the Security Administrator wishes to cancel a Job Instance, then she will click the desired Job Instance (or multi-select the Job Instances) and click the Cancel button. The selected Job Instance(s) will be removed from the Job Queue. If the Job is recurring, then the next Job Instance will be placed into the Job Queue.

Post-conditions: The system displays all currently executing and upcoming Job Instances. If a Job is recurring, only the next instance is displayed.

23.8.7 Use Case: View the Logs from a Job Execution

Preconditions: Security Administrator is in the OAAM Admin Console and has the appropriate permissions.

Actors: Security Administrator

To view the logs from a job execution:

  1. Double click Job Queue in the Navigation tree.

  2. Click the Job Log tab.

    The Job Log tab shows past job instances. The top panel allows you to filter the results.

  3. Search for the Job Instance.

This page shows past job instances. The top panel allows the user to filter the results.

Table 23-30 Job Log Filters

Job Instance Name: Show only job instances that match on job instance name.

Job Type: Show only job instances of the specified job type.

Job State: Show only those job instances that are in a particular state, such as Running, Skipped, Completed, or Canceled.

Process Message: Show only those job instances that match on the process message.

Process Start Time: Show only job instances that started processing in the specified timestamp range.

Process End Time: Show only job instances that stopped processing (whether successfully or unsuccessfully) in the specified timestamp range.

Completed %: The percentage of the job that completed.

Process Duration: The time in seconds for completion.


Alternate Courses of Action: None.

Post-conditions: The system displays the filtered list of past Job Instances.

23.8.8 Use Case: Check If the Job Ran Successfully

To check if the job ran successfully:

  1. Open the Job Details page of the newly created job.

  2. Click the Instances tab to check for job completion.

    If the Run Job schedule time has elapsed, search for the job instance. Its State should be Completed with a Process Start Time and a Process End Time. The Process Message should show the number of records processed and the Completed % should show the percentage completed. The Process Duration should show the time in seconds for completion.

  3. Verify job completion by opening the Sessions page and searching by the same time period as the job.

    For a Run Job, the Count of Sessions should be the same as it was after the load completed. For a Load Job, the Count of Sessions should have increased by the number shown in the job instances page. For a Load and Run Job, the Count of Sessions should have increased by the number of records processed as shown in the job instance.

  4. Open a Session Details page.

    For a Run Job and a Load and Run Job, the Sessions details page should show that policies and rules have been processed on the records. For a Load Job, you should see that the record is loaded but no policies and rules have been processed on the session record.

23.8.9 Use Case: View the Order of Execution of Jobs

From the Navigation tree, double-click Job Queue to open the Job Queue page. This page shows a listing of currently processing and future jobs. The job instances are displayed in the exact order of execution in the execution queue. There is only one job instance per job.

The recurring job instances have the job name followed by the date and time when the current instance started or the date and time when it will occur next.

The process start time is the exact time when the job started running for current jobs and an estimated start time for the future jobs. Process Duration is shown only for currently processing jobs.

You can filter based on job type, status, start/complete date, name and description. The queue displays which jobs are currently running and what their status is in terms of estimated completion time and percentage progress. Completed jobs will display as such.

The Job Instance Name in the table is a link to the Job Details page for the job.


3 Oracle Adaptive Access Manager Navigation

OAAM Admin is a Web application that you can use to manage all environment, Adaptive Strong Authenticator, and Adaptive Risk Manager features. Oracle Adaptive Access Manager 11g provides superior protection for businesses and their customers through strong yet easy-to-deploy multi-factor authentication and proactive, real-time fraud prevention.

This chapter describes the navigation panel, major nodes, and pages available in Oracle Adaptive Access Manager, and it also includes instructions on signing in to the application.

The chapter contains the following sections:

3.1 Signing In to Oracle Adaptive Access Manager 11g

This section describes how to sign in to OAAM Admin.

The features available when you sign in are based on your roles and business requirements.

An Oracle Adaptive Access Manager Sign In page is shown in Figure 3-1.

Figure 3-1 Oracle Adaptive Access Manager Sign In

OAAM login

To sign in to OAAM Admin, follow these steps:

  1. In a browser window, enter the URL to the Oracle Adaptive Access Manager 11g Sign In page.

    http://host:port/oaam_admin/
    

    where

    • host refers to the Oracle Adaptive Access Manager managed server host

    • port refers to the OAAM Admin managed server port

    • /oaam_admin/ refers to the OAAM Admin Sign In page

  2. On the Sign In page, enter your credentials.

  3. Click the Sign In button.

    If you have logged in successfully, the Fraud Prevention tab appears on the left with an expanded navigation tree.

To sign out, select the Sign Out link in the upper-right corner of OAAM Admin.

3.2 OAAM Admin Console and Controls

Upon a successful sign in, Oracle Adaptive Access Manager displays the OAAM Admin Console.

The Console is divided into the following areas: navigation panel on the left and the main, active page on the right.

The navigation panel helps users access all environment, Adaptive Strong Authenticator, and Adaptive Risk Manager features of Oracle Adaptive Access Manager. Named nodes in the panel identify these items.

Initially, no active page is opened on the right side of OAAM Admin. You must open a node first.

Figure 3-2 shows OAAM Admin with an active page opened.

Figure 3-2 OAAM Admin Console

Navigation Tree

When you open a node, a new tab opens with the corresponding details or search page. A named tab identifies each open page. The active page generally enables you to create, view, and modify items.

You can have up to ten pages open at one time, which enables multitasking.


Note:

If you try to open more than ten tabs, an error appears with the message that only ten tabs are allowed to be kept open. You can manually close one or more tabs and then try to open the new tab.


When multiple pages are open, only the active page and named tabs of other open pages are visible. You can click a named tab to return to the corresponding page.

The following sections provide more information about OAAM Admin:

3.3 Navigation Panel

OAAM Admin provides navigators for easy access to different features of Oracle Adaptive Access Manager.

The Navigation panel in OAAM Admin contains the following trees: the Navigation tree (Section 3.4) and the Policy tree (Section 3.5).

3.4 Navigation Tree

The Navigation tree, illustrated in Figure 3-3, is a collapsible and expandable tree that provides quick and visible access to features of Oracle Adaptive Access Manager.

3.4.1 Navigation Tree Structure

The Navigation tree includes named nodes that identify the individual features and groups of items within the Oracle Adaptive Access Manager product on which you can take action.

Figure 3-3 illustrates the Navigation tree.

Figure 3-3 Navigation tree

Navigation tree

Depending on your access level, the Navigation tree can display the following nodes:

Table 3-1 OAAM Features

Features | Function

Dashboard

Access feature, which provides a high-level view of real customer data.

Cases

Access tools for creating and supporting Customer Service Representative (CSR) cases. Cases are not available in offline mode.

Policies

Access feature for designing policies to evaluate and handle business activities or potentially risky activities

Groups

Access feature to create groups for simplifying workload.

Sessions

Access feature to view the forensic record of a session

Patterns

Access feature to create patterns used for profiling behavior

Entities

Access feature to create a data structure, which comprises a set of attributes, that can be re-used across different transactions.

Transactions

Access feature to create transaction definitions so that client-specific transactions and parameters can be captured for monitoring

KBA

Access the framework to manage challenge questions, validations, answer logic (the levels of logic algorithms used for answers), question categories, and registration logic (the levels of logic algorithms used for registration).

Scheduler

Access feature to manage jobs.

Environment

Access feature to manage Oracle Adaptive Access Manager environment.

Configurable Actions

Access feature to create custom actions


3.4.2 Navigation Tree Menu and Toolbar

A menu and toolbar appear above the Navigation tree, as shown in Figure 3-3. Menus provide commands that you can use to take action on the selected item in the Navigation tree. Many menu commands are also provided as command buttons in the toolbar for quick access.

Figure 3-4 Menu and Toolbar

Menu and tool bar

Create New

Create New opens the corresponding create page of the selected node. Create New is available only for certain nodes where applicable. See Table 3-2, "Create New of Selected Nodes" for a list of pages that can be opened by clicking Create New.

Table 3-2 Create New of Selected Nodes

Node / Subnode: Create Page or Dialog

Dashboard: N/A

Sessions: Not available

Cases: Create Case

Policy Sets: Not available

Policies: New Policy

    Rules: Not available

    Conditions: Not available

Groups: Create Group

Patterns: New Pattern

Entities: New Entity

Transactions: New Transaction

Configurable Actions: (none listed)

    Action Templates: New Action Template

    Action Instances: New Action Instance

KBA: Not available

    Questions: New Questions

    Validations: Not Available

    Categories: New Category

    Registration Logic: Not available

    Answer Logic: Not available

Scheduler: Not available

    Jobs: Jobs search

    Job Queue: Job Queue

Environment: Not available

    Snapshots: Not available

    Properties: New Property


Open

Open opens the corresponding page for the node you have selected.

Import

Import opens the Import dialog for the node you have selected.

View Menu

Figure 3-5, "View Menu" illustrates the View menu and commands. Menu items that cannot be used on the selection in the Navigation tree appear in grey.

Figure 3-5 View Menu

View menu in Navigator

The View menu command descriptions are provided in Table 3-3.

Table 3-3 View Menu Commands

Command | Description

Collapse

Immediately closes the node.

Expand All Below

Immediately reveals all items below the selection.

Collapse All Below

Immediately closes the node and all items below the selection.

Expand All

Immediately reveals all the nodes and subnodes along with their leaf nodes in the Navigation tree.

Collapse All

Immediately closes all the nodes and subnodes along with their leaf nodes in the Navigation tree.

Scroll to First

Scrolls to the first node

Scroll to Last

Scrolls to the last node


Actions Menu

Figure 3-6 illustrates the Actions menu, which provides appropriate commands for the selection in the Navigation tree. For instance, if you have Policies selected in the Navigation tree, one of the commands, New Policy..., on the Actions menu enables you to open the New Policy page for creating a new policy.

Figure 3-6 Action Menu

Navigation Action menu

Table 3-4 Actions Commands

Command | Description

Open

Opens the search or details page for the selected item in the Navigation tree.

List

Opens the item, search, or details page.

New

Activates a new page that you can fill in to define a new item.

Import

Displays the Import dialog, which enables you to locate and import the item.


3.5 Policy Tree

The Policy tree gives a visual representation of the policy hierarchy and the relationship between different policies, user groups, and the checkpoints.

Double-clicking an item in the Policy tree opens a dynamic tab for that item. This enables administrators to view and edit the configurations in context.

You can expand the Policy tree to view the details about the user groups and policies under each checkpoint.

For example, the Forgot Password policy is under the Forgot Policy Checkpoint, and All Users is assigned to the policy.

Figure 3-7 Policy Tree

Policy tree

Policy is the last level in the Policy tree. You cannot drill down further except to see nested policies.

Table 3-5 provides a legend for the icons which appear on the Policy tree.

Table 3-5 Policy Tree Legend

Icon | Definition | Description

Checkpoint

Checkpoint

The checkpoint is a decision and enforcement point at which policies are called to run their rules.

Policy

Policy

The policies available in the system.

Disabled policies are grayed out.

Policies linked to multiple user groups are bolded and highlighted.

To open the Policy Details page of a policy, double-click the Policy node. The Policy Details page can also be opened by clicking Open Selected from the context menu.

To view nested policies, expand the policy node.

All Users

All Users

Policy is linked to All Users.

One user

User Groups

Policy is linked to Users

No Users

No user group

No users are associated with the policy.

Trigger combination

Trigger combination

Trigger combinations exist in the policy.

More

More...

Summary information is available about the policy.


From the Policy tree, you can click the More icon for summary information on the policy.

More details option

3.6 Management Pages

The individual features and groups of items are organized on the Navigation tree. To open a component, double-click its node in the Navigation tree. The details of that node or a search page opens in a new tab on the right side of the console. A named tab identifies each open page, like the tabs on manila folders.

Only the active page is visible, together with as many named tabs of other open pages as can fit on one line. You can click a named tab to return to the corresponding page.

The nodes and their corresponding pages are listed in Table 3-6.

Table 3-6 Open Pages

Node / Subnode: Pages

Dashboard: Dashboard

Sessions: Sessions

Cases: Cases search page

Policy Sets: Policy Sets page

Policies: Policies search page

    Rules: Rules search page

    Conditions: Conditions search page

Groups: Groups search page

Patterns: Pattern search page

Entities: Entities search page

Transactions: Transactions search page

Configurable Actions: Not available

    Action Templates: Action Templates search page

    Action Instances: Action Instance search page

KBA: Not available

    Note: KBA is not available in offline mode.

    Questions: Questions search page

    Validations: Validations search page

    Categories: Categories search page

    Registration Logic: Registration Logic page

    Answer Logic: Answer Logic page

Environment: Not available

    System Snapshot: Snapshots search page

    Properties: Properties search page

Scheduler: (none listed)

    Jobs: New Job

    Job Queue: (none listed)


3.6.1 Search Pages

The search page is the starting place for managing the environment, adaptive strong authentication, and adaptive risk management features, and groups of like items.

You can open a search page by:

  • Double-clicking a node in the Navigation tree

  • Right-clicking a node in the Navigation tree and selecting the List command from the context menu that appears

  • Selecting the node in the Navigation tree and then choosing the List command from the Actions menu

When a search page first appears, you see a search filter and a Search Results table. The Search Results table is initially empty. You must click the Search button to see a list of items.

To search for items:

  1. Select the criteria to search from the pull-down lists. The lists of available criteria vary according to the feature.

  2. Enter strings to match in the text boxes.

  3. Select or specify filters to narrow the search scope.

  4. Click the Search button to trigger the search and to display the results in the Search Results table.

The search returns all items that match the specified criteria; leave the fields empty to obtain the list of all items of the type.

3.6.1.1 Elements in the Search Form

This section describes the elements in the search forms.

Search

You can search for items using the attribute search criteria fields.

Reset

The Reset button enables you to reset the search criteria.

Saved Searches

You can create saved searches that persist for the duration of your session. Enter the search criteria, then click the Save button to open the Personalize Saved Search dialog. The Personalize Saved Search dialog is used to specify how you want to save the search criteria you entered. You can name the search, for example, myspecialsearch, so that it displays in the Saved Search list.

Create Saved Search page

3.6.1.2 Search Results Table

The Search Results table shows at most the first 200 matches found by the search.

You can sort the results by using the Sort Ascending and Sort Descending buttons next to the column name.

Sort buttons

If the description of an item is too long to be fully shown, positioning the cursor over the visible text displays the entire description.

Description tooltip

Once an item is selected in the Search Results table, an action can be performed on it by clicking one of the icons on the toolbar or by selecting a command from the Actions menu.

If you want to see more details, click the available link for the item.

3.6.1.3 Search Results Menu and Toolbar

A menu and toolbar appears above the Search Results table. Figure 3-8 shows the Search Results Menu and Toolbar from the Patterns Search page.

Figure 3-8 Results Menu and Toolbar

Results Menu and Toolbar

The Actions menu and command buttons provide appropriate commands for the selection in the Navigation tree and Search Results table.

Figure 3-8 shows command buttons that may be available, depending on the selection.

Table 3-7 Results Menu and Toolbar

Button | Definition | Description

Create action

Create

Opens a new page, which you can fill in to add a new item of the selected type. The new page opens as the active page on the right side of the Navigation tree.

Delete action

Delete

Removes the selected item.

Create Like action

Create Like

Creates a new item that is similar to, or "like", the existing one.

Activate action

Activate

Activates the selected item.

Deactivate action

Deactivate

Deactivates the selected item.

Detach action

Detach

Detaches the Results table.


3.6.1.4 Select All

You can select all the results to perform actions on by clicking the header of the Row column in the upper-left corner of the Search Results table.

Row header

3.6.1.5 Create and Import

Generally, buttons to create new items or import items are in the upper-right corner of the console.

Import and Create buttons

3.6.1.6 Close Multiple Tabs

The small close tabs button in the upper-right corner of the console enables you to close the tabs you are viewing.

Close tabs button

If you have multiple tabs open, a Close Multiple Tabs dialog appears. To close multiple tabs, highlight the names of the tabs, and press OK.

Close Multiple Tabs dialog

3.6.2 Detail Pages

You can view details of a specific item by opening its details page.

A Case Details page is shown in Figure 3-9.

Figure 3-9 Case Details

Case Details page

3.7 Dashboard

The dashboard presents a real-time view of activity via aggregates and trending.

The dashboard is divided into three sections:

  • The performance panel (Section 1) presents real-time data. It shows the performance of the traffic that is entering the system. A trending graph is shown of the different types of data based on performance.

  • The summary panel (Section 2) presents aggregate data based on time range and different data types.

  • The dashboard panel (Section 3) presents historical data. The detailed dashboards are used for trending data over time ranges.

3.8 Online Help

To access online help documentation, on the upper right corner of any window, click Help to bring up the help window. A help topic for the relevant top-level search or details page is displayed. These help topics contain links to information in an online version of the Oracle Fusion Middleware Administrator's Guide for Adaptive Access Manager.

Selecting Managing Oracle Adaptive Access Manager 11g Online Help displays several topics in the online documentation.

Topics that are displayed by selecting Help appear only in English and Japanese. Online Help is not translated into the nine Admin languages.

Refer to the following illustration for an example of an online help window.

Online help dialog

3.9 Search, Create, and Import

Oracle Adaptive Access Manager provides more than one way to search, create, and import.

Search

Depending on the selection, you can open a Search page by:

  • Double-clicking the node in the Navigation tree.

  • Right-clicking the node in the Navigation tree and selecting List <item> from the context menu.

  • Selecting the node in the Navigation tree and then choosing List <item> from the Actions menu.

  • Clicking the List <item> button in the Navigation tree toolbar.

Create

Depending on the selection, you can open a Create page by:

  • Clicking the New <item> button in the upper right of the console.

  • Right-clicking the node in the Navigation tree and selecting New <item> from the context menu.

  • Selecting the node in the Navigation tree and then choosing New <item> from the Actions menu.

  • Clicking the Create new <items> button in the Navigation tree toolbar.

  • Selecting the Create New <item> button from the Search Results toolbar.

  • Selecting New <item> from the Actions menu in Search Results.

Import

Depending on the selection, you can open an Import page by:

  • Clicking the Import <item> button in the upper right of the console.

  • Right-clicking the node in the Navigation tree and selecting Import <item> from the context menu.

  • Selecting the node in the Navigation tree and then choosing Import <item> from the Actions menu.

  • Clicking the Import <items> button in the Navigation tree toolbar.

3.10 Export to Excel

You can generate a report of the results from the Search pages for policies, questions, validations, snapshots, properties, entities, transactions, conditions, groups, patterns, and so on.

To export results to an Excel report:

  1. Ensure the oaam.export.max.rows.allowed property is configured so that you are able to export all the rows needed. This property limits the maximum row selection.

  2. In a search page, select the rows of interest from the search results.

  3. Click the Export To Excel button.

    When the export confirmation dialog is shown, you can view the selected list. The export table with the selected rows shows the ID number and display name columns, so that you can easily identify and verify the selected rows before the export.

  4. Click Export to export the rows to Excel.

3.11 Access Level to OAAM Admin

OAAM Admin provides functions for security investigators and customer service representatives (CSRs), business and security analysts, security administrators, system administrators, and quality assurance. The functions and navigation that are available depend on the roles.

Refer to Table 3-8 for conceptual roles. These example roles are for reference only and do not refer to official OAAM out-of-the-box roles.

For information on the Navigation and Policy trees, see Section 3.4, "Navigation Tree" and Section 3.5, "Policy Tree."

Table 3-8 Access Level

Oracle Adaptive Access Manager Conceptual Roles | Descriptions | Access

Security investigators and customer service representatives (CSR)

Security investigators and customer service representatives (CSR) use Oracle Adaptive Access Manager's case management tools to handle security and customer cases daily. They have detailed knowledge about user activity and security issues.

Customer support representatives can search, open and create CSR type cases. They do not have any access to the Navigation tree.

Security investigators have wide access to OAAM Admin.

Security administrators

Security administrators plan, configure and deploy policies based on the requirements from analysts.

Security administrators configure such items as policy sets, patterns, rules, groups, and so on. They do not have access to environment properties, system snapshots, or the OAAM dashboard, and they have view-only access to cases.

They can access the Navigation tree.

Business and security analysts

Analysts gather intelligence from various sources to identify business and security needs and develop requirements to address them. Their sources for intelligence include investigators, industry reports, antifraud networks, compliance mandates, and company policies.

Analysts work with security investigators and CSRs to identify the policies that require adjustment and new policies that must be created.

Business analysts do not have access to environment properties and system snapshots. They have read-only access to the Navigation tree and cases.

System administrator

A system administrator configures environment-level properties and transactions.

System administrators have limited access to OAAM Admin to manage the server environment and Scheduler: Jobs/Scheduler: Job Queue. The server environment includes logging, properties, and enumerations.

QA

QA tests the policies to confirm that they meet requirements.

QA has access to all the functionality.


Oracle Adaptive Access Manager 11g users must be defined using the Oracle WebLogic Administration Console.

For information on defining Oracle Adaptive Access Manager users, see the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.


A Access Roles

The Oracle Adaptive Access Manager users can access functionality based on the roles they are assigned. Oracle Adaptive Access Manager ships the following default administrator roles: support personnel, investigators, security administrators, and system administrators. You can also create new users and assign roles appropriately.

This section summarizes the main user groups, their roles, functionality and level of access in OAAM.

A.1 Support Representative (Group #1)

Support Representatives (Group #1) have very limited access to the OAAM Administration Console.

Table A-1 Support Representatives

Items | Support Representatives (CSR) have access to these features | Notes

Users with the Support Representative role have very limited access to the OAAM Administration Console.


Cases

CSRs have access to search, open, and create CSR type cases. There are no outward-facing hyperlinks in any of the pages CSRs have access to. They have access to a limited list of actions. They have no access to bulk edit functions on the Search Cases page.

Search cases

  • They can search for CSR cases. They cannot search for Agent and Escalated cases.

  • They can search for open and closed cases, but they cannot reopen closed cases. They can only add notes.

  • They can search for expired cases and view details, but they cannot perform any actions.



New cases

  • They can open only CSR cases



View case details

  • They can view expired case details

  • They cannot view escalated cases or agent cases

  • They can view closed case details and add notes

  • They can view transactions in sessions tab



Edit case

  • They can change case status and severity

  • They cannot add public notes to Escalated Cases

  • They cannot bulk edit cases

  • They can escalate cases

  • They cannot perform a temporary allow for a user

  • They cannot OTP bypass users

  • They cannot extend expiration

  • All customer and KBA resets

  • KBA phone challenge

  • They can perform Customer Resets: Image and Phrase.

  • Challenge Questions

    Reset Questions

    Reset Question Set

    Unlock Customer

    Ask Question

  • Expired status cases - Search Access; No access to open

  • OTP Actions

    Reset Email

    Reset Phone

    Reset All

    Unlock OTP


A.2 Support Manager (Group #2)

Group #2 members have the access privileges of Group #1 plus some other limited functionality.

Table A-2 Support Manager

Items | Support Managers have access to these features | Notes

Support Managers have the access privileges of the Support Representative and some other limited functionality.


Cases

They cannot create Agent type cases. The Actions, Log, and Linked/Related tabs are hidden in Agent cases.

Search Cases

  • They can search for CSR, Agent and Escalated cases

  • They can search for open and closed cases.

  • They can search for expired cases.



New Case

  • Only CSR cases



View Case Details

  • They can view Escalated Case details (including logs and sessions); but cannot perform any actions

  • They can view closed case details (They can only add notes or change status)

  • They can view Transactions in sessions tab

  • They can view expired case details (They can only add notes and extend expiration date)



Edit cases

  • They cannot perform any actions on Escalated Cases

  • They can

    Re-open closed cases

    Add notes in CSR cases

    Change status and severity

    Bulk edit CSR cases

    Escalate cases

    Grant temporary allow to users

    OTP bypass users

    Extend expiration

    Perform all customer and KBA resets

    Perform KBA phone challenge

    Change Status

    Change Severity

  • Temporary Allow

    Single login

    2 hours

    Set end date

  • Customer Resets

    Image

    Phrase

    Image and phrase

    Customer (all)

  • Challenge Questions

    Unlock Customer

    Reset Questions

    Reset Question Set

    Next Question

    Ask Question

  • Closed status cases - Search and open Access

  • Expired status cases - Search and Open Access

  • Escalate a CSR case - Full Access

  • Link Sessions tab in escalated status

  • OTP Actions

  • Can search for and view session details; but no access to detail pages or policy explorer


A.3 Fraud Investigator

Fraud Investigators have wide access to the OAAM Administration Console.

Table A-3 Fraud Investigator

Items | Group has access to these features | Notes

Fraud Investigators have wide access to the OAAM Administration Console.




Also has access to add, remove, or delete group memberships from details pages.

Navigation Tree

Full access (read-only, except Environment)

  • No access to bulk editing of cases.

  • Full access for CSR, Agents and Escalated cases

Cases

Full access.


Search page

Search Agent Cases


Scheduler

No access


Environment

No access



A.4 Fraud Investigation Manager

Fraud Investigation Managers have wide access to the OAAM Administration Console.

Table A-4 Fraud Investigation Manager

Items | Group has access to these features | Notes

Fraud Investigation Managers have wide access to the OAAM Administration Console.




Also has access to add, remove, or delete group memberships from other pages.

Navigation tree

Full access (read-only, except Environment)

  • Full access to bulk editing of cases

  • Full access to CSR, Agent and Escalated cases

Cases

Full access.


Scheduler

No access


Environment

No access


Home Page

Search Agent Cases



A.5 Security Administrator

Security Administrators have wide access to the OAAM Administration Console.

Table A-5 Security Administrator

Items | Group has access to these features | Notes

Security Administrators have wide access to the OAAM Administration Console.




Except Environment node and security dashboard (should be hidden by default)

Navigation Tree

Full Access

Not closable

Home Page

Search Policies


Cases

View only access


Scheduler

Access for Offline Security Administrators


Environment

No access



A.6 System Administrator

Limited access to the OAAM Administration Console for system administration duties

Table A-6 System Administrator

Items | Group has access to these features | Notes

Limited access to the OAAM Administration Console for system administration duties




  • No access to cases

  • Full access to Environment

  • Read-only access to everything else

Navigation Tree

Partial access


Scheduler

Access to Online and Offline System Administrators


Environment

Full access


Home Page

Search Properties



A.7 Auditor

Auditors have no access to the OAAM Administration Console. They do their audit work in BIP.

Table A-7 Auditor