Oracle Identity Manager provides user interfaces that you can use to perform various tasks. These are Oracle Identity Manager Administrative and User Console and Oracle Identity Manager Design Console. These interfaces are located in the Presentation or Client tier of Oracle Identity Manager. Oracle Identity Manager also provides the SPML Web Service interface that supports inbound provisioning requests.
This chapter introduces Oracle Identity Manager interfaces and briefly describes the functionality of each. This chapter also provides a brief introduction to the SPML Web Service. The chapter contains the following topics:
Oracle Identity Manager is an advanced, flexible provisioning system for automatically granting and revoking access to organization applications and managed systems. Oracle Identity Manager Administrative and User Console can provide the staff and partners of an organization with access to the organization's resources, and enforce access policies that are associated with these resources.
Oracle Identity Manager Administrative and User Console enables you to perform various functions, such as viewing user accounts, modifying profiles, viewing request status, and changing passwords. You can also customize Oracle Identity Manager Administrative and User Console, as explained at the end of this section.
Not all functions are available to all users. The features that you can view and use in Oracle Identity Manager depend on the privileges that you are assigned.
Oracle Identity Manager Administrative and User Console consists of the following main areas:
If you are using Microsoft Internet Explorer versions 8 or 9 to access Oracle Identity Manager Administrative and User Console, then it is highly recommended to disable the compatibility view for the UI elements to be displayed correctly. Depending on the web browser version that you are using, perform one of the following procedures to disable the compatibility view:
For Microsoft Internet Explorer version 8:
Open Microsoft Internet Explorer.
From the Tools menu, select Compatibility View Settings. The Compatibility View Settings dialog box is displayed.
Remove the host name or domain name of the Oracle Identity Manager server from the Websites you've added to Compatibility View section, if present.
Ensure the Display intranet sites in Compatibility View checkbox is deselected.
For Microsoft Internet Explorer version 9:
Open Microsoft Internet Explorer.
From the Tools menu, select Developer Options.
In the Developer Options window that is displayed, from the Browser Mode: IE9 menu, select Internet Explorer 9.
Unauthenticated user self service or Oracle Identity Manager login page allows the unauthenticated user to perform self service operations. In other words, a user who is not logged in to Oracle Identity Manager can use the login page to perform Oracle Identity Manager Self Service operations such as self registering to Oracle Identity Manager, tracking the self registration request, logging in to Oracle Identity Manager, and retrieve a forgotten password.
When you login to Oracle Identity Manager Administrative and User Console, Oracle Identity Manager Self Service is displayed. Oracle Identity Manager Self Service allows the authenticated or logged in user to perform various self service operations. This section describes the features of Oracle Identity Manager Self Service.
Use the Oracle Identity Manager Self Service to perform the following functions:
Self Registering to Oracle Identity Manager
If you do not have an account in Oracle Identity Manager, you must create one by self registering to Oracle Identity Manager from the unauthenticated user self service. Depending on how your system is configured, you might need your manager to create an account for you.
When you login to Oracle Identity Manager for the first time, provide answers to the challenge questions when prompted. These challenge questions and answers will be used to authenticate your account if you forget your password.
Tracking Self Registration Request
You can track the self registration request with the help of the registration tracking ID that is generated when you submit the self registration request.
Retrieving Forgotten Password
If you forget your password, you can retrieve the forgotten password by correctly answering the challenge questions.
Chapter 7, "Configuring and Using Self-Service Registration" for detailed information about the unauthenticated user self service interface
Managing Self Profile
Using the user self service, you can modify basic information associated with your Oracle Identity Manager user profile. Managing self profile includes updating user attributes for self, and requesting and removing roles and resources.
The user self service lets you delegate your task approval responsibilities to another user if you are unavailable because of illness or vacation.
You can also change passwords at will, or from time to time depending on system requirements.
Viewing and Resources and Requests
The user self service lets you view resources that have been provisioned to you. This Web client also lets you view all resource requests that you have submitted for yourself and those made by other users for you. You can also request provisioning of a new resource. You can request for resources or roles for other users as well. In addition, depending on the privileges, you can raise a request for creating and modifying users.
Managing Tasks in the Tasklist
The process for approving requests and their associated resources consists of multiple tasks, so as the process for making a request and resources available for provisioning. The TaskList consists of the following:
Approval Tasks: Related to any type of request (not just related to provision resource) assigned to you or pending your actions
Provisioning Tasks: Related to provisioning tasks that are assigned to you or pending your actions
Attestation Tasks: Related to attestation processes assigned to you or pending your actions
Part II, "Oracle Identity Manager Self Service" for detailed information about completing tasks using Oracle Identity Manager Self Service
Oracle Identity Administration enables you to perform identity management tasks such as creating and managing users, roles, and organizations. It also lets you define authorization policies to control the access of various components and features in Oracle Identity Manager.
Use Oracle Identity Administration to perform the following functions:
Many fields in Oracle Identity Manager have lookup capabilities. You use them when you want to locate a record. To locate a record, you must enter data in one or more fields to limit the records retrieved by your search. You can also use wildcard characters in addition to the data that you enter in the fields.
The manner in which the search is constructed and run depends on the type of search you perform. The results retrieved are based on the context in which you are conducting the search.
Oracle Identity Manager supports simple and advanced search. Simple search operation lets you search records based on the search strings that you specify as search attributes. This operation is also referred to as simple search or quick search. Advanced search operation presents a form, which allows you to specify more complex search criteria than the simple search operation.
Creating and Managing User Records
Using Oracle Identity Administration, you can create and manage user records.
Creating and Managing Organizations
Using Oracle Identity Administration, you can create and manage organization records. You can also enable, disable, revoke, and provision resources, organizations, and suborganizations.
Creating and Managing Roles
Using Oracle Identity Administration, you can define roles that represent logical groupings of users to whom you can assign access rights within Oracle Identity Manager, provision resources automatically, or use in common tasks such as approval and attestation. Roles can be independent of organizations, span multiple organizations, or can contain users from a single organization.
Creating and Managing Authorization Policies
Authorization policy management is centralized as an administrative feature. This is achieved by integrating Oracle Identity Manager with Oracle Entitlements Server (OES) as the authorization system, which secures the access control to the application. In addition, you can create context-sensitive authorization policies for various features in Oracle Identity Manager. Authorization policies control access to the application by the users to allow or prevent the users to perform various operations in the application.
Use Oracle Identity Manager Advanced Administration to perform the following functions:
Creating and Tracking Requests
Oracle Identity Manager enables you to create and manage requests for various operations or actions, such as provisioning resources and creating and managing users and roles for other users. Based on the privileges granted to you by Oracle Identity Manager, you can use Advanced Administration to create and track requests. Request tracking is to be able to view the request details including basic information, request history, request comments, and the request approval tasks.
Based on your requirement, you can use Advanced Administration to generate reports in BI Publisher, which is the reporting solution in Oracle Identity Manager 11g Release 1 (11.1.1). The reports are classified based on functional areas, such as Access Policy Reports, Attestation Reports, Request and Approval Reports, and Password Policy Reports.
Event management features:
Managing Reconciliation Events
The reconciliation process involves generation of events to be applied to Oracle Identity Manager. These events reflect atomic changes in the target system, and contain the data that has changed, the type of change, along with other information. Advanced Administration allows you to manage the reconciliation events by querying the events stored, displaying event details, and performing the actions required to resolve event issues.
Viewing Attestation Tasks and Processes
You can use Advanced Administration to view attestation reports assigned to you, and provide your attestation response to each individual item within the report.
In Oracle Identity Manager, attestation is supported through the definition of scheduled attestation processes. It is implemented as a configurable business process in Oracle Identity Manager, and it creates an attestation task for a user. The user acts as a reviewer, and must complete this process to provide correct audit information.
Creating and Managing Access Policies
You can create and manage access policies that define how resources are to be automatically provisioned or deprovisioned for users based on business rules. The Access Policy Wizard in Advanced Administration helps you define an access policy for provisioning resources to users that are members of the roles to which the access policy is attached. The access policy can also specify the entitlements to be provisioned to the account created during provisioning. Advanced Administration also enables you to modify information in existing access policies.
Creating and Managing Approval Policies
Approval policy is a configurable entity of request management that helps associate various request types with approval processes defined in the request service only for request and operation level approvals. You can use Advanced Administration to create, modify, and delete approval policies.
Creating and Managing Attestation Processes
Advanced Administration allows you to define new attestation processes, manage existing attestation processes, and start ad-hoc attestation processes. The Attestation Dashboard feature in Advanced Administration allows you to create, modify, disable, enable, run, and delete attestation processes.
Configuring User Management
Oracle Identity Manager user management feature is configured and customized by using the configuration management feature. Configuration management helps customize the way in which the user records are displayed in Oracle Identity Manager Administrative and User Console and configure the user entity operations and attributes. Based on the operations performed on an entity, a set of attributes is displayed to the user in Oracle Identity Manager Administration. You can use Advanced Administration to define user entity data structure and configure user management operations and operational attributes.
You can use the Resource Management feature of Advanced Administration to manage resource objects for an organization or an individual user. Managing resources includes the following activities:
Search for a resource and view its details
Manage Resource Administrator and Authorizer groups
View and edit the workflow
Define Resource audit objectives
Define and manage IT Resources
Define and manage scheduled tasks
Creating and Managing Request Templates
Request templates allow you to customize a request type for a purpose. Every request type has a default template, which cannot be deleted or renamed. Name of the default template is same as the request type. Advanced Administration allows you to create and manage custom request templates to customize the request types based on requirement.
Creating and Managing Generic Connectors
You can quickly and easily build a basic connector without advanced features and customized behavior by using generic connectivity technologies such as SPML and JDBC. You can use Advanced Administration to create and modify generic technology connectors, and to import and export connector XML files that contain definitions for all the objects that are part of the connector.
Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about how to create and manage generic technology connectors
System management features:
Creating and Managing Scheduler Jobs
In Oracle Identity Manager, it is often required to run jobs at specified times on a regular basis to manage various activities. A job is a task that can be scheduled to run at the specified interval. The scheduler feature enables you to schedule jobs that automatically run predefined scheduled tasks at the specified time. Advanced Administration allows you to create, modify, disable, enable, and delete jobs.
Creating and Managing Notification Templates
A notification template is used to send notification e-mail messages to requesters, beneficiaries, or administrators about events occurring in Oracle Identity Manager. These templates contain variables that refer to available data to provide more context to the notifications. Using Advanced Administration, you can create, modify, delete notification templates, and add or remove locales from notification templates.
Creating and Managing System Properties
The system configuration service enables you to manage system properties used by Oracle Identity Manager. System properties define the characteristics that control the behavior of Oracle Identity Manager. You can define the administration and self-service functionalities of Oracle Identity Manager by using system properties. The system configuration service in Advanced Administration allows you to create, modify, delete, and search existing system properties depending on their roles.
Using the Deployment Manager
The Deployment Manager tool, accessed through Advanced Administration, helps you to export and import Oracle Identity Manager configurations. The Deployment Manager enables you to export the objects that form your Oracle Identity Manager configuration. Usually, you use the Deployment Manager to migrate a configuration from one deployment to another.
You can customize the various aspects of Oracle Identity Manager Administrative and User Console. Oracle Identity Manager allows you to customize UI elements, such as branding information, menu options, and columns in search result tables, to be customized to meet the requirement of the organization.
Branding information, such as branding text, logo image, and logo mouseover text
Menus and Tabs
Columns in search result tables
Colors, font, and alignment
Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about how to customize the different components of Oracle Identity Manager Administrative and User Console
Oracle Access Manager (OAM) protected environments - If OAM login screen provides a language selection option and the user selects a language, then it is provided the highest preference.
Browser locale, if there is an issue in retrieving this locale, then the next option is evaluated.
Server locale, the locale with which the server is installed.
"Setting the Language for Users" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information on localizing user interfaces
Oracle Identity Manager Design Console is mainly used to configure the system settings. These settings control the systemwide behavior of Oracle Identity Manager and affect its users. This section describes the basic features of Oracle Identity Manager Design Console.
The following features of Oracle Identity Manager Design Console let you perform different tasks:
The behavior of the basic features of Oracle Identity Manager Design Console is standard for all forms to enable ease of use. You can view records that are displayed in the data fields. You can also search for values by using the lookup fields. For example, the Date & Time window enables you to select a date, month, year, and time.
In addition, you can enter supplemental information about a record in the notes window. Oracle Identity Manager Design Console also lets you select and assign available entities to a record.
Using Oracle Identity Manager Design Console, you can perform searches for records in a database, also known as queries. Every form in Oracle Identity Manager Design Console provides a search function. You can filter the search criteria in a form field. This limits the results that are returned to only the records that match the criteria you entered.
You can also use a wildcard in a search. The asterisk (*) wildcard character represents unspecified portions of the search criteria. For example, if you enter B* in the Location field of a Oracle Identity Manager Design Console form and execute a search, you retrieve all records with locations that begin with the letter B, for example, Burbank, Boston, Bristol, and so on.
If multiple records in the database match your search criteria, then you can view details of each record.
Oracle Identity Manager Design Console lets you perform the following user management functions:
Define default values for certain process form parameters at the organizational level
Display resources that are allowed or disallowed by policies for each user
Define what forms and folders on Oracle Identity Manager Design Console are allowed for which roles
It also enables you to view, analyze, correct, link, and manage information in reconciliation events received from target resources and the trusted source.
Create resource types that appear as lookup values on IT resources from.
Create rules that can be applied to password policy selection, auto-group membership, provisioning process selection, task assignment, and pre-populating adapters.
Create and manage resource objects.
An Oracle Identity Manager process is the mechanism for representing a logical workflow for approvals or provisioning. Process definitions consist of tasks that you must perform to complete a process. Using Oracle Identity Manager Design Console, you can create and manage the provisioning processes that are associated with the resource objects.
Oracle Identity Manager Administration
Oracle Identity Manager Design Console provides you with tools to manage Oracle Identity Manager administrative features. You can perform various administrative tasks for Oracle Identity Manager by using these tools. Oracle Identity Manager Design Console also lets you create and manage lookup fields and their values, and user-defined fields.
Using this console, you can specify the value of properties that control the behavior of the client and server. You can also display information about servers that Oracle Identity Manager uses to communicate with third-party programs. In addition, you can set up schedules for when tasks should be run.
You can create and manage the code that enables Oracle Identity Manager to communicate with any IT Resource by connecting to that resource's API. This code is known as an adapter. You can also compile multiple adapters simultaneously.
Oracle Identity Manager Design Console lets you create error messages that are displayed when certain problems occur. In addition, you can create and manage event handlers, data objects, and reconciliation rules that are used in Oracle Identity Manager.
Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about the features and functions of Oracle Identity Manager Design Console
Oracle Identity Manager provides client applications with the Identity Management service, which makes use of the Service Provisioning Markup Language (SPML). The SPML Web Service is an interface for inbound SPML-based provisioning requests. SPML has two profiles: the XSD profile and the DSML profile. This release of Oracle Identity Manager makes use of the XSD profile. It provides features for managing references (for example, assignment and revocation of role memberships, and role hierarchy changes such as adding or removing parent roles via SPML), resetting user passwords, and disabling and re-enabling user accounts.
"SPML Services" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for details about the SPML Web Service