37 Developing Entitlements

An entitlement granted to an account on a target system enables the account owner (user) to perform a specific task or function. An entitlement can be a role, responsibility, or group membership. For example, if user Richard is granted the Inventory Analyst role on a target system, then Richard can use that entitlement to access and generate inventory-related reports from the target system.

In Oracle Identity Manager, there is one process form for each account (resource) provisioned to an OIM User. Entitlement data is stored in child process forms of the process form. In the example described earlier, the process form for Richard's account on the target system has a child process form that holds Inventory Manager role data.

Attributes that constitute entitlement data stored on a child process form may vary from one target system to another. In addition, different types of entitlements, such as roles and responsibilities, may have different attributes. For example, Target System A contains the following role data attributes:

The same target system can have a different set of attributes for responsibility data:

You can mark or highlight the attribute that uniquely identifies an entitlement on a target system. For the sample role and responsibility data attributes listed earlier, the Role Name and Responsibility ID attributes uniquely identify the role and responsibility entitlements on Target System A. By marking attributes that uniquely identify entitlements, you enable the capture of entitlement data that can be used by other identity management solutions and also displayed in reports.

This chapter discusses the following sections:

  • Available Entitlements and Assigned Entitlements

  • Entitlement Data Capture Process

  • Marking Entitlement Attributes on Child Process Forms

  • Configuring Scheduled Tasks for Working with Entitlement Data

  • Disabling the Capture of Modifications to Assigned Entitlements

  • Entitlement-Related Reports

37.1 Available Entitlements and Assigned Entitlements

A target system can have a set of entitlements defined and ready for assignment to accounts (users) on the target system. When you integrate this target system with Oracle Identity Manager, you can import (synchronize) entitlement data from the target system into the LKV table on Oracle Identity Manager.

Note:

If you use a predefined connector to integrate the target system, then you can use scheduled tasks to fetch entitlement data into this table.

Entitlements in the LKV table are available for assignment to accounts. In this guide, these entitlements are called available entitlements.

During a provisioning operation, you select the entitlement that you want to assign from a lookup field on the child process form. In this guide, entitlements assigned to accounts are called assigned entitlements. Data about assigned entitlements is stored in child process form tables.

37.2 Entitlement Data Capture Process

After you mark the entitlement attribute in each child process form, the following processes take place:

37.2.1 Capture of Data About Available Entitlements

The following steps describe how data about available entitlements is captured:

Note:

You must mark the entitlement attribute in each child process form to enable the process described in these steps. The procedure is described later in this chapter.

  1. Data about available entitlements is stored in the LKV table through synchronization with the target system.

  2. You schedule and run the Entitlement List scheduled task.

  3. The scheduled task identifies the entitlement attribute from the UD_ tables.

  4. The scheduled task copies data about available entitlements from the LKV table to the ENT_LIST table.

37.2.2 Capture of Data About Assigned Entitlements

This section describes how data about assigned entitlements is captured.

Note:

You must mark the entitlement attribute in each child process form UD_ table to enable the process described in these steps. The procedure is described later in this chapter.

To perform first-time synchronization of assigned entitlements:

  1. You schedule the Entitlement Assignments scheduled task to run once.

  2. The scheduled task identifies the entitlement attribute from the child process form (UD_) tables.

  3. The scheduled task creates INSERT, UPDATE, and DELETE triggers on each UD_ table. The scheduled task also creates triggers on the OIU table.

  4. The scheduled task copies data about assigned entitlements from the UD_ tables to the ENT_ASSIGN table.

    Note:

    The ENT_ASSIGN table holds data about entitlements currently assigned to resources (users). When an entitlement is revoked, the record for that entitlement is moved out of this table into history data. Details are given in the "Entitlement Updates" section.

To perform incremental synchronization of assigned entitlements:

  1. When a change is made to assigned entitlements through provisioning operations or reconciliation, the INSERT, UPDATE, or DELETE trigger copies the added, modified, or deleted row from the UD_ table to a staging table.

  2. You configure and run the Entitlement Updates scheduled task.

  3. For each record in the staging (ENT_ASSIGN_DELTA) table, the action taken by the scheduled task depends on the type of operation that was performed to the assigned entitlement:

    Note:

    The type of operation (INSERT, UPDATE, or DELETE) is one of the data items stored in the staging table.

    • Event: The entitlement was newly assigned to the account.

      Action: A new record is created (copied from the staging table) in the ENT_ASSIGN table.

    • Event: An existing entitlement was modified.

      Action: The existing record is copied from the ENT_ASSIGN table into the ENT_ASSIGN_HIST table. The existing record is deleted from the ENT_ASSIGN table. A record corresponding to the newly modified entitlement is created in the ENT_ASSIGN table.

    • Event: An existing entitlement was revoked.

      Action: The existing record is copied from the ENT_ASSIGN table into the ENT_ASSIGN_HIST table. The existing record is deleted from the ENT_ASSIGN table.

37.3 Marking Entitlement Attributes on Child Process Forms

You must mark the entitlement attribute in the child process form UD_ table for resources for which you want to capture entitlement data. Suppose there are 15 target systems in your operating environment. If you want to capture entitlement data from 12 of 15 resources, then you must mark the entitlement attribute in those 12 resources.

Apply the following guidelines while performing the procedure described in this section:

  • On a child process form, only one attribute holding entitlement data can be marked.

  • The attribute that you mark must be of the LookupField type and its property must be one of the following:

    • Lookup code

    • Lookup query

      The Lookup query must satisfy the following conditions:

      • The query uses the LKU and LKV tables

      • The Lookup code in the query is from the LKU table

      • The LKV_ENCODED column value is used for saving

      • The LKV_DECODED column value is used for display purposes

To mark a field as an entitlement in a child process form:

  1. Log in to the Design Console.

  2. Expand Development Tools, and then double-click Form Designer.

  3. Search for and open the child form on which you want to mark an entitlement.

    For example, you might want to mark an entitlement on the UD_ADUSRC child form.

  4. Click Create New Version.

  5. Enter a label for the new version, click the Save icon, and then close the dialog box.

  6. From the Current Version list, select the version that you created.

  7. On the Properties tab, select the field that you want to mark as an entitlement and then click Add Property.

  8. From the Property Name list in the Add Property dialog box, select Entitlement.

    Note:

    You can set Entitlement as the property of a field only if the column type is set to LookupField and the property name is set to Lookup Code.

  9. In the Property Value field, enter true.

    You need not specify values for any of the other fields in the dialog box.

    [Screenshot: Edit Property dialog box for the lookup field]

  10. Click the Save icon and then close the dialog box.

  11. If you want to enable the capture of Start Date and End Date values for the entitlement, then:

    Note:

    You can enable the capture of the Start Date and End Date values only if the column type for both fields is DateFieldDlg.

    1. On the Properties tab, select the Start Date field and then click Add Property.

    2. From the Property Name list in the Add Property dialog box, select Entitlement Valid From.

    3. In the Property Value field, enter true.

    4. Click the Save icon and then close the dialog box.

    5. On the Properties tab, select the End Date field and then click Add Property.

    6. From the Property Name list in the Add Property dialog box, select Entitlement Valid To.

    7. In the Property Value field, enter true.

      [Screenshot: Edit Property dialog box for the Start Date field]

    8. Click the Save icon, and then close the dialog box.

  12. Click the Save icon to save the changes made to the child process form.

    [Screenshot: Properties tab of the child process form]

    Note:

    Marking the Start Date and End Date fields is optional.

  13. Click Make Version Active.

37.4 Configuring Scheduled Tasks for Working with Entitlement Data

You configure the following scheduled tasks for working with entitlement data:

37.4.1 Entitlement List

The Entitlement List scheduled task identifies the entitlement attribute from the child process form table and then copies entitlement data from the LKV table into the ENT_LIST table. A record created in the ENT_LIST table corresponds to an entitlement defined on a particular target system.

You must set a schedule for this task depending on how frequently new entitlements are defined on the target systems in your operating environment. In addition, you must run this scheduled task when new target systems are integrated with Oracle Identity Manager. In other words, you must run this task each time you mark a new entitlement. After the connector scheduled tasks fetch lookup field data from the target system into the LKV table, you can run the Entitlement List scheduled task to copy that entitlement data into the ENT_LIST table.

This scheduled task also handles updates to or deletion of entitlements from the target system. For example, if the Senior Accounts Analyst role is removed from the target system, then the connector scheduled task removes the entry for that role from the LKV table. When the Entitlement List scheduled task is run, it marks the row containing the role in the ENT_LIST table as a deleted row.
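To make the copy from the LKV table into the ENT_LIST table and the marking of deleted rows concrete, here is an added example (not Oracle's code) that models the Entitlement List task in Python with an in-memory SQLite database. The LKV table is simplified to carry the lookup code directly (the real schema keeps it in the LKU table), the ENT_LIST column names are assumed, the deletion flag column ent_deleted is an assumption that stands in for "marked as a deleted row", and the lookup values are constructed to stand in for what a connector scheduled task would fetch.

```python
"""Toy model of the Entitlement List scheduled task (added example, not Oracle's code)."""
import sqlite3

# Simplified schema: LKV carries the lookup code directly instead of joining LKU;
# ENT_LIST column names other than the table name are assumptions.
SCHEMA = """
CREATE TABLE LKV (lku_code TEXT, lkv_encoded TEXT, lkv_decoded TEXT,
                  UNIQUE (lku_code, lkv_encoded));
CREATE TABLE ENT_LIST (lku_code TEXT, ent_code TEXT, ent_display TEXT,
                       ent_deleted INTEGER DEFAULT 0,      -- 1 = marked as deleted
                       UNIQUE (lku_code, ent_code));
"""


def sync_entitlement_list(con, lku_code):
    """Copy the lookup's values into ENT_LIST and flag values that vanished from LKV.

    Rows already present in ENT_LIST are left alone (UNIQUE + OR IGNORE), so the
    task can be re-run on a schedule without creating duplicate entitlements.
    """
    # LKV_ENCODED is the value that is saved, LKV_DECODED the value displayed.
    con.execute(
        "INSERT OR IGNORE INTO ENT_LIST (lku_code, ent_code, ent_display) "
        "SELECT lku_code, lkv_encoded, lkv_decoded FROM LKV WHERE lku_code = ?",
        (lku_code,))
    # An entitlement removed on the target system disappears from LKV; its
    # ENT_LIST row is kept but marked as deleted rather than physically removed.
    con.execute(
        "UPDATE ENT_LIST SET ent_deleted = 1 "
        "WHERE lku_code = ? AND ent_deleted = 0 "
        "AND ent_code NOT IN (SELECT lkv_encoded FROM LKV WHERE lku_code = ?)",
        (lku_code, lku_code))
    con.commit()
    return snapshot(con, lku_code)


def snapshot(con, lku_code):
    """Return (ent_code, ent_display, ent_deleted) rows for one lookup, sorted."""
    return con.execute(
        "SELECT ent_code, ent_display, ent_deleted FROM ENT_LIST "
        "WHERE lku_code = ? ORDER BY ent_code", (lku_code,)).fetchall()


def demo():
    """Two runs of the task around a change on the target system."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    lookup = "Lookup.TargetA.Roles"   # constructed lookup name
    # Constructed lookup data as a connector scheduled task would leave it in LKV.
    con.executemany("INSERT INTO LKV VALUES (?, ?, ?)", [
        (lookup, "ROLE_INV_ANALYST", "Inventory Analyst"),
        (lookup, "ROLE_SR_ACCT_ANALYST", "Senior Accounts Analyst"),
    ])
    first = sync_entitlement_list(con, lookup)
    # The Senior Accounts Analyst role is removed on the target system and a new
    # role appears; the connector task updates LKV accordingly.
    con.execute("DELETE FROM LKV WHERE lkv_encoded = 'ROLE_SR_ACCT_ANALYST'")
    con.execute("INSERT INTO LKV VALUES (?, 'ROLE_INV_MGR', 'Inventory Manager')",
                (lookup,))
    second = sync_entitlement_list(con, lookup)
    return first, second


if __name__ == "__main__":
    for run in demo():
        print(run)
```

The second run adds the new role and flags the removed one instead of deleting it, which is what keeps the history reports meaningful: an assignment recorded in ENT_ASSIGN_HIST can still be resolved against the ENT_LIST row even after the target system no longer defines the entitlement.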

37.4.2 Entitlement Assignments

The Entitlement Assignments scheduled task is used for copying data about assigned entitlements into the ENT_ASSIGN table for the first time. This task identifies the entitlement attribute from the child process form table, and then copies data about assigned entitlements from the child process form table into the ENT_ASSIGN table. A record created in the ENT_ASSIGN table corresponds to an entitlement assigned to a particular user on a particular target system.

In addition, it creates INSERT, UPDATE, and DELETE triggers on the child process form tables from which it copies entitlement data. See "Capture of Data About Assigned Entitlements" for information about the function of these triggers.

You can use the RECORDS_TO_PROCESS_IN_BATCH attribute of this scheduled task to specify the number of records in each batch. The default batch size is 5000.

You must run this scheduled task the first time you start using entitlement data and whenever you mark a new child process form field as an entitlement.

37.4.3 Entitlement Updates

The Entitlement Updates scheduled task updates the ENT_ASSIGN table with changes to entitlement assignment data in the child process form tables. Triggers created by the Entitlement Assignments scheduled task copy changes made to entitlement assignment data into a staging table. The Entitlement Updates scheduled task processes data in the staging table and makes the required changes to data in the ENT_ASSIGN table. See "Capture of Data About Assigned Entitlements" for information about the function of the INSERT, UPDATE, and DELETE triggers on the child process form tables.

37.5 Disabling the Capture of Modifications to Assigned Entitlements

You can manually disable incremental synchronization of assigned entitlement data in the ENT_ASSIGN table. In other words, you can disable the capture of modifications to assigned entitlements. To achieve this, you create and run an SQL script to drop the following triggers created on the child process form tables:

Note:

These triggers are created by the Entitlement Assignments scheduled task.

  • The OIU_U_TRG trigger created on the OIU table

  • The following triggers created on the UD_ tables:

    • UD_TABLE_NAME_I_TRG

    • UD_TABLE_NAME_D_TRG

    • UD_TABLE_NAME_U_TRG

After you run the script, modifications to assigned entitlements are not copied into the staging table.

The following sample shows the definition of one of the triggers that such a script drops: the INSERT trigger on the UD_REQENTC child process form table. Dropping this trigger and its UPDATE and DELETE counterparts (and OIU_U_TRG on the OIU table) stops changes from reaching the staging table:

CREATE OR REPLACE TRIGGER UD_REQENTC_I_TRG
  AFTER INSERT ON UD_REQENTC
  FOR EACH ROW
BEGIN
  -- Copy the newly inserted child form row into the staging table
  INSERT INTO ENT_ASSIGN_DELTA (ENT_ASSIGN_DELTA_KEY, orc_obi_key, ENT_OPERATION,
                                DELTA_TABLE_OST_STATUS, DELTA_ENT_CODE, valid_from_date,
                                OIU_KEY, SDK_TYPE)
  VALUES (ENT_ASSIGN_DELTA_SEQ.nextval,
          :new.orc_key,
          'grant',
          (SELECT sdk_key FROM sdk WHERE sdk_name = 'UD_REQENTC'),
          :new.UD_REQENTC_LKUP,
          sysdate,
          (SELECT oiu.OIU_KEY FROM OIU oiu WHERE oiu.ORC_KEY = :new.orc_key),
          'P');
END;
/

UD_REQENTC is the name of the child form table that contains the entitlement field. The table name is generated dynamically, so the trigger names on your system follow the UD_TABLE_NAME_I_TRG, UD_TABLE_NAME_U_TRG, and UD_TABLE_NAME_D_TRG pattern for each marked child form.
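To make the incremental capture described in "Capture of Data About Assigned Entitlements" and the effect of dropping the triggers in this section concrete, here is an added example (not Oracle's code) that models the pipeline in Python with an in-memory SQLite database: a child process form table UD_REQENTC, the ENT_ASSIGN_DELTA staging table fed by INSERT, UPDATE, and DELETE triggers named as on the page, a process_updates() routine that applies the three event rules of the Entitlement Updates task to ENT_ASSIGN and ENT_ASSIGN_HIST, and a drop_capture_triggers() routine for the step described in this section. Column sets are reduced to what the narrative needs, SQLite trigger syntax replaces the Oracle PL/SQL, there is no OIU table (so OIU_U_TRG is not modelled), and two details are my assumptions: processed staging rows are removed, and a duplicate grant of the same entitlement is suppressed by a uniqueness constraint on ENT_ASSIGN (the behaviour "Entitlement-Related Reports" describes).

```python
"""Toy model of incremental entitlement capture and of disabling it.

Added example, not Oracle's code.  An in-memory SQLite database stands in for
the OIM schema; column sets are reduced to what the chapter's narrative needs.
"""
import sqlite3

SCHEMA = """
CREATE TABLE UD_REQENTC (                    -- child process form table
    orc_key         INTEGER,                 -- account (process instance) key
    UD_REQENTC_LKUP TEXT                     -- field marked as the Entitlement
);
CREATE TABLE ENT_ASSIGN_DELTA (              -- staging table written by triggers
    delta_key     INTEGER PRIMARY KEY AUTOINCREMENT,
    orc_key       INTEGER,
    ent_operation TEXT,                      -- 'INSERT', 'UPDATE' or 'DELETE'
    ent_code      TEXT,                      -- new value (NULL on DELETE)
    old_ent_code  TEXT                       -- previous value (UPDATE/DELETE)
);
CREATE TABLE ENT_ASSIGN (orc_key INTEGER, ent_code TEXT, valid_from TEXT,
                         UNIQUE (orc_key, ent_code));   -- duplicate grants suppressed
CREATE TABLE ENT_ASSIGN_HIST (orc_key INTEGER, ent_code TEXT,
                              valid_from TEXT, valid_to TEXT);
"""

# SQLite equivalents of the page's PL/SQL triggers: record which row changed,
# how it changed, and the entitlement value involved.
TRIGGERS = """
CREATE TRIGGER UD_REQENTC_I_TRG AFTER INSERT ON UD_REQENTC BEGIN
    INSERT INTO ENT_ASSIGN_DELTA (orc_key, ent_operation, ent_code)
    VALUES (NEW.orc_key, 'INSERT', NEW.UD_REQENTC_LKUP);
END;
CREATE TRIGGER UD_REQENTC_U_TRG AFTER UPDATE ON UD_REQENTC BEGIN
    INSERT INTO ENT_ASSIGN_DELTA (orc_key, ent_operation, ent_code, old_ent_code)
    VALUES (NEW.orc_key, 'UPDATE', NEW.UD_REQENTC_LKUP, OLD.UD_REQENTC_LKUP);
END;
CREATE TRIGGER UD_REQENTC_D_TRG AFTER DELETE ON UD_REQENTC BEGIN
    INSERT INTO ENT_ASSIGN_DELTA (orc_key, ent_operation, old_ent_code)
    VALUES (OLD.orc_key, 'DELETE', OLD.UD_REQENTC_LKUP);
END;
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + TRIGGERS)
    return con


def retire(con, orc_key, ent_code, now):
    """Move the current ENT_ASSIGN row into ENT_ASSIGN_HIST (modify and revoke events)."""
    con.execute("INSERT INTO ENT_ASSIGN_HIST SELECT orc_key, ent_code, valid_from, ? "
                "FROM ENT_ASSIGN WHERE orc_key = ? AND ent_code = ?", (now, orc_key, ent_code))
    con.execute("DELETE FROM ENT_ASSIGN WHERE orc_key = ? AND ent_code = ?", (orc_key, ent_code))


def process_updates(con, now="2024-01-01"):
    """Model of the Entitlement Updates task: drain the staging table in order.
    Returns the number of staging rows processed."""
    rows = con.execute("SELECT delta_key, orc_key, ent_operation, ent_code, old_ent_code "
                       "FROM ENT_ASSIGN_DELTA ORDER BY delta_key").fetchall()
    for delta_key, orc_key, op, ent_code, old_code in rows:
        if op == "INSERT":        # newly assigned: create the record (duplicates ignored)
            con.execute("INSERT OR IGNORE INTO ENT_ASSIGN VALUES (?, ?, ?)", (orc_key, ent_code, now))
        elif op == "UPDATE":      # modified: archive the old record, create the new one
            retire(con, orc_key, old_code, now)
            con.execute("INSERT OR IGNORE INTO ENT_ASSIGN VALUES (?, ?, ?)", (orc_key, ent_code, now))
        elif op == "DELETE":      # revoked: archive and remove
            retire(con, orc_key, old_code, now)
        con.execute("DELETE FROM ENT_ASSIGN_DELTA WHERE delta_key = ?", (delta_key,))  # assumption
    con.commit()
    return len(rows)


def drop_capture_triggers(con, table="UD_REQENTC"):
    """Section 37.5: dropping the I/U/D triggers stops incremental capture."""
    for suffix in ("I", "U", "D"):
        con.execute(f"DROP TRIGGER IF EXISTS {table}_{suffix}_TRG")


def current(con):
    return con.execute("SELECT orc_key, ent_code FROM ENT_ASSIGN ORDER BY 1, 2").fetchall()


def history(con):
    return con.execute("SELECT orc_key, ent_code FROM ENT_ASSIGN_HIST ORDER BY 1, 2").fetchall()


def staged(con):
    return con.execute("SELECT count(*) FROM ENT_ASSIGN_DELTA").fetchone()[0]


def demo():
    con = open_db()
    # Constructed provisioning activity: two grants to account 101 (one a duplicate)
    # and one grant to account 102.
    con.executemany("INSERT INTO UD_REQENTC VALUES (?, ?)", [
        (101, "Inventory Analyst"), (101, "Inventory Analyst"), (102, "Senior Accounts Analyst")])
    first = process_updates(con)
    after_grant = (current(con), history(con))
    # One entitlement is modified, the other revoked.
    con.execute("UPDATE UD_REQENTC SET UD_REQENTC_LKUP = 'Senior Accounts Manager' WHERE orc_key = 102")
    con.execute("DELETE FROM UD_REQENTC WHERE orc_key = 101")
    second = process_updates(con)
    after_change = (current(con), history(con))
    # Disable capture: later changes no longer reach the staging table.
    drop_capture_triggers(con)
    con.execute("INSERT INTO UD_REQENTC VALUES (103, 'Inventory Analyst')")
    return {"first": first, "second": second, "after_grant": after_grant,
            "after_change": after_change, "staged_after_drop": staged(con)}


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible that the prose only implies: the duplicate grant to account 101 produces two staging rows but a single ENT_ASSIGN record, and once the triggers are dropped the grant to account 103 is invisible to the history tables, so any assignment made while capture is disabled will be missing from the entitlement reports until the Entitlement Assignments task is run again.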

37.6 Entitlement-Related Reports

The following predefined reports provide data about assigned entitlements:

Note:

You must be a member of the ADMINISTRATORS group to be able to view these reports.

Duplicate assignments of the same entitlement to a particular user are suppressed in the reports because they are not copied to the ENT_ tables. For example, if user John Doe has been assigned the Sales Superintendent role twice on a target system, then the reports show only one instance of this entitlement.

37.6.1 Entitlement Access List

The Entitlement Access List report lists users who are currently assigned the entitlements that you specify while generating the report. The report provides basic information about the entitlements and the list of users to whom the entitlements are assigned.

37.6.2 Entitlement Access List History

The Entitlement Access List History report lists users who had been assigned the entitlements that you specify while generating the report. The report provides basic information about the entitlements and the list of users to whom the entitlements were assigned.

37.6.3 User Resource Entitlement

The User Resource Entitlement report lists the current entitlements of users whom you specify while generating the report. The report displays basic user information and entitlement details.

37.6.4 User Resource Entitlement History

The User Resource Entitlement History report lists details of past entitlements assigned to users whom you specify while generating the report. The report displays basic user information and entitlement details.