10 Managing Disconnected Resources

Disconnected resources are targets for which there is no connector. Therefore, provisioning fulfillment for disconnected resources is not automated but manual. In earlier releases of Oracle Identity Manager, disconnected provisioning was not supported as a first-class use case; it was supported by using manual tasks in the provisioning process. That approach has a number of limitations, which are addressed by the Disconnected Resources model. In Oracle Identity Manager 11g Release 2 (11.1.2.2.0), disconnected resources are an enhanced configuration for manual provisioning that leverages SOA integration to provide greater flexibility and configurability of the manual provisioning workflow.

Some examples of disconnected resources include a badge, a laptop, a pager, or any similar item for which fulfillment is manual.

This chapter contains the following topics:

10.1 Disconnected Resources Architecture

The Disconnected Resource feature makes use of the existing Oracle Identity Manager provisioning engine artifacts such as the Provisioning Process, Process Task, Adapters and so on while providing BPEL Integration in a seamless and configurable manner.

When a Disconnected Application Instance is created from the UI, it automatically seeds a number of backend configuration artifacts, including a resource object (of type Disconnected), a provisioning process with tasks for the basic provisioning operations, an IT resource, and a process form with the minimal fields (which can be further customized).

Figure 10-1 illustrates the provisioning process architecture for disconnected resources.

Figure 10-1 Disconnected Resource Architecture


When a disconnected application instance is provisioned to a user (through a request or directly), the specific workflow in the provisioning process is triggered. This fires the corresponding process task and runs the manual provisioning adapter, which invokes the out-of-the-box disconnected provisioning SOA composite. A SOA manual task is assigned to the System Administrator by default. When the assignee acts on the manual task, the provisioning callback web service is invoked with the response specified by the assignee; it then completes or aborts the provisioning operation and updates the account accordingly.

Table 10-1 lists the attributes of the manual provisioning SOA composite payload that are available in the composite.

Table 10-1 Manual Provisioning SOA Composite Payload Attributes

Attribute               Description
Account ID              Account ID (oiu_key) for the account under consideration
AppInstance Name        Display name of the disconnected application instance
Resource Object Name    Name of the disconnected resource object
ITResource Name         Name of the disconnected IT resource
Beneficiary Login       Login of the account beneficiary
Entity Key              Application instance key, for the Provision, Revoke, Disable, and Enable account operations
Entity Type             Set to ApplicationInstance for the Provision, Revoke, Disable, and Enable account operations
Beneficiary First Name  First name of the account beneficiary
Beneficiary Last Name   Last name of the account beneficiary
Descriptive Field       Account descriptive field for the account under consideration
URL                     Oracle Identity Manager callback URL for the web service
Request Key             Request key, if the operation is performed through a request
Requester Login         Login of the requester, if the operation is performed through a request


10.2 Managing Disconnected Application Instance

Managing disconnected application instances includes the following tasks:

10.2.1 Creating a Disconnected Application Instance

Note:

Before creating the application instance, you must create and activate a sandbox, and you must publish it after the application instance is created. See "Managing Sandboxes" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about creating and publishing a sandbox.

To create a disconnected application instance:

  1. Log in to Oracle Identity System Administration.

  2. Create and activate a sandbox.

  3. In the left pane, under Configuration, click Application Instances. The Application Instances page is displayed.

  4. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.

  5. In the respective attribute fields, enter the values as shown in the following table:

    Attribute     Value
    Name          Enter the name of the application instance. This is a required field.
    Display Name  Enter the display name of the application instance. This is a required field.
    Description   Enter a description of the application instance.
    Disconnected  Select this check box to indicate that the application instance is disconnected, that is, has no connector.

    Note: This is a UI-only flag and is not persisted in the back end. Selecting it disables the Resource Object and ITResource Instance fields, because these artifacts are created automatically in the back end.


    Figure 10-2 shows the Create Application Instance attributes.

    Figure 10-2 Create Application Instance Attributes

  6. Click Save, and then click OK on the information dialog box. The application instance is created, and its details are displayed.

  7. Publish the sandbox.

  8. The UI form for the disconnected resource is created and selected automatically. Click Apply.

  9. In addition to the application instance, the following provisioning artifacts are created automatically in the back end:

    • Resource object of type Disconnected

    • IT resource type definition with the following parameters:

      • Configuration Lookup

      • Connector Server Name

      • Identity Gateway Name

        Note:

        The IT resource type definition parameters are reserved for future use; their values need not be set.
    • IT resource instance of that type definition

    • Parent process form with the following fields:

      • Account ID

      • Password

      • Account login

      • IT resource

    • Process definition with workflows for the following operations:

      • Provision Account

      • Enable Account

      • Disable Account

      • Revoke Account

      • Modify Account Attributes

    • Adapters:

      • Manual Provisioning

      • Manual Entitlement Provisioning

  10. From the System Administration UI, search for the scheduled job called "Catalog Synchronization Job" and run it.

10.2.2 Creating a Disconnected Application Instance for an Existing Disconnected Resource

To create a disconnected application instance for an existing disconnected resource, see Section 9.2.1, "Creating Application Instances".

Note:

Do not select the Disconnected option in this case, because doing so creates a new set of artifacts, including a resource object and IT resource, in the back end instead of using the existing disconnected resource.

10.3 Provisioning Operations on a Disconnected Application Instance

When the provisioning process is triggered for the Provision, Enable, Disable, or Revoke operation, the corresponding process task is inserted, which runs the Manual Provisioning adapter. This adapter invokes the out-of-the-box provisioning SOA composite. A SOA Human Task is assigned to the System Administrator by default.

From the Inbox in Oracle Identity Self Service, the System Administrator can:

  • Check the task details

  • Check the account details

  • Change process form data in Oracle Identity Manager by editing the data and clicking Fulfill

  • Perform the operation manually in the target

  • Act on the pending task by clicking Complete or Reject.

When the assignee acts on the pending manual task, the provisioning callback web service is invoked, which continues the Oracle Identity Manager operation and updates the account accordingly. See Section 10.5, "Status Changes in Manual Process Task Action" for details on the changes to account status that result from each assignee action.

10.3.1 Process Form Updates

When a process form field of a disconnected resource is updated, the "<FORM_NAME> Updated" process task is inserted into the provisioning process. This generates a manual SOA human task so that the assignee can apply the changes manually in the corresponding target.

Note:

The "<FORM_NAME> Updated" task is inserted regardless of whether the update is to a single process form field or to multiple process form fields. This behavior differs from that of a connected resource. In addition, note that individual process form field update tasks need not be configured for a disconnected resource.

10.4 Managing Entitlement for Disconnected Resource

Managing entitlements for a disconnected resource includes the following:

10.4.1 Configuring Entitlement Grant

Configuring entitlement grant for a disconnected resource involves creating a child form and configuring the lookup definition for entitlements, as follows:

Note:

Before creating child forms, create and activate a sandbox.
  1. Go to Oracle Identity System Administration. Under Configuration, click Form Designer and perform the following steps:

    1. Select the Resource Type option and search for the disconnected resource.

    2. From the search results, click the form name of the disconnected application instance.

  2. Go to Child Objects tab and click Add to add a child form.

  3. In the Name field, provide a name to the child table and click OK.

  4. Click the name link to open it for editing.

  5. Click Create. In the Select Field Type dialog box, select Lookup, and click OK.

  6. Provide the following values for the entitlement field:

    1. In the Display Label field, enter a display name.

    2. In the Name field, enter a name for the lookup.

  7. Select the following check boxes:

    • Searchable

    • Entitlement

    • Searchable Picklist

      Note:

      You must select the Searchable, Entitlement, and Searchable Picklist check boxes to create an entitlement field on the child form.
  8. Create a new custom field of Lookup Type and click OK.

  9. In the List of Values section, click the Create a new lookup type icon, and provide the Meaning (for example, Lookup.Laptop.apps), Code (for example, Lookup.Laptop.apps), and Description of the lookup type. Then add the entitlement values as follows:

    1. Click New to add Lookup Codes for the entitlement values. The values in the Code and Meaning columns must have the following format:

      Code                 Meaning
      <ENTITLEMENT_NAME>   <ENTITLEMENT_DESCRIPTION>

    2. Click Save. The Create Lookup Type dialog box closes.

    3. Click Save and Close.

  10. Click Back to Parent Object to return to the parent form.

  11. Click Regenerate View to regenerate UI artifacts and dataset, and confirm by clicking OK.

    See "Modifying Forms By Using the Form Designer" for information about the options available in the Regenerate View popup window.

  12. Publish the sandbox.

  13. In Oracle Identity System Administration, under System Management, click Scheduler.

  14. Search for the scheduled job called Entitlement List and run it.

  15. After that job completes, search for the scheduled job called Catalog Synchronization Job and run it.

10.5 Status Changes in Manual Process Task Action

Table 10-2 describes the status change that results from each manual task action:

Table 10-2 Manual Process Task Action Statuses

Provisioning Operation   Manual Task Action   Provisioning Action
Provision                Complete             Account status is set to Provisioned.
Provision                Reject               Account status is not updated.
Disable                  Complete             Account status is set to Disabled.
Disable                  Reject               Account status is not updated.
Enable                   Complete             Account status is set to Enabled.
Enable                   Reject               Account status is not updated.
Revoke                   Complete             Account status is set to Revoked.
Revoke                   Reject               Account status is not updated.
Update                   Complete             No operation.
Update                   Reject               No operation.
Grant Entitlement        Complete             Completes the child table insert trigger process task and sets the entitlement status to Provisioned.
Grant Entitlement        Reject               Cancels the child table insert trigger process task, which deletes the child table entry.
Revoke Entitlement       Complete             Deletes the child table entry from Oracle Identity Manager.
Revoke Entitlement       Reject               No operation.
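The following Python example is added here to illustrate Section 10.3 and Table 10-2 together; it is not Oracle Identity Manager code. It simulates what the provisioning callback does to an account after the assignee acts on the manual task, including the child-table effects for entitlement grant and revoke. The Account and Entitlement classes, the helper names, and the interim entitlement status "Provisioning" are assumptions made for the illustration.

```python
"""Simulation of the provisioning callback's effect on a disconnected account.

Added illustration of Table 10-2; the data model below is a simplification
and is not Oracle Identity Manager's own API.
"""
from dataclasses import dataclass, field
from typing import List, Optional

COMPLETE = "Complete"
REJECT = "Reject"

# Account status reached when the assignee completes the task (Table 10-2).
STATUS_ON_COMPLETE = {
    "Provision": "Provisioned",
    "Enable": "Enabled",
    "Disable": "Disabled",
    "Revoke": "Revoked",
}


@dataclass
class Entitlement:
    """One child-table row of the disconnected resource's entitlement form."""
    name: str
    status: str = "Provisioning"   # assumed interim status until the manual task completes


@dataclass
class Account:
    account_id: int                # oiu_key carried in the task payload
    beneficiary_login: str
    status: Optional[str] = None   # None: account not yet provisioned
    entitlements: List[Entitlement] = field(default_factory=list)


def _find(account, name):
    for row in account.entitlements:
        if row.name == name:
            return row
    raise LookupError(f"no child row for entitlement {name!r}")


def grant_entitlement_request(account, name):
    """Insert the child row; in OIM this insert fires the Grant Entitlement manual task."""
    account.entitlements.append(Entitlement(name))
    return account.entitlements[-1]


def provisioning_callback(account, operation, action, entitlement=None):
    """Apply the assignee's response to the account and return a one-line audit string."""
    if action not in (COMPLETE, REJECT):
        # The callback only understands the two actions the human task offers.
        raise ValueError(f"unexpected manual task action: {action!r}")

    if operation in STATUS_ON_COMPLETE:
        if action == COMPLETE:
            account.status = STATUS_ON_COMPLETE[operation]
            return f"account status set to {account.status}"
        return "account status not updated"

    if operation == "Update":
        # The assignee already applied the form change in the target; nothing to do in OIM.
        return "no operation"

    if operation == "Grant Entitlement":
        row = _find(account, entitlement)
        if action == COMPLETE:
            row.status = "Provisioned"
            return f"entitlement {row.name} set to Provisioned"
        account.entitlements.remove(row)   # cancelled insert trigger deletes the child row
        return f"entitlement {row.name} child row deleted"

    if operation == "Revoke Entitlement":
        row = _find(account, entitlement)
        if action == COMPLETE:
            account.entitlements.remove(row)
            return f"entitlement {row.name} child row deleted"
        return "no operation"

    raise ValueError(f"unsupported provisioning operation: {operation!r}")


def walk_through():
    """Constructed sequence for a laptop account: provision, grant, rejected grant, rejected disable, revoke."""
    acct = Account(account_id=1001, beneficiary_login="jdoe")
    log = [provisioning_callback(acct, "Provision", COMPLETE)]
    grant_entitlement_request(acct, "Adobe Acrobat")
    log.append(provisioning_callback(acct, "Grant Entitlement", COMPLETE, "Adobe Acrobat"))
    grant_entitlement_request(acct, "Visio")
    log.append(provisioning_callback(acct, "Grant Entitlement", REJECT, "Visio"))
    log.append(provisioning_callback(acct, "Disable", REJECT))
    log.append(provisioning_callback(acct, "Revoke", COMPLETE))
    return acct, log


if __name__ == "__main__":
    account, audit = walk_through()
    print(account)
    print("\n".join(audit))
```

The point to take from the walk-through is that a rejected Grant Entitlement leaves no trace in the child table, whereas a rejected Revoke Entitlement leaves the row in place; reviewers of an account's entitlements therefore see only what the assignee actually confirmed in the target.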


10.6 Customizing Provisioning SOA Composite

The provisioning SOA composite can be customized in the following ways:

10.6.1 Customizing Human Task Assignment via SOA Composer

The manual disconnected provisioning SOA composite has a default rule, ManualProvisioningRule, which assigns the human task to the System Administrator.

A custom rule with higher priority, based on a payload attribute such as the application instance name, can be created in the SOA Composer UI to customize the manual task assignment.

To add a custom rule:

  1. Access Oracle SOA Composer by navigating to the following URL:

    http://SOA_HOST:SOA_PORT/soa/composer

  2. Log in to the SOA Composer UI, click Open Task, and select the DisconnectedProvisioning_rev1.0 composite.

  3. From the ManualProvisioningTaskRules.rules tab, click Edit to add a custom rule.

  4. Add Rule by providing the rule name and the conditional assignment rule.

  5. Using the Up arrow, move the custom rule above the ManualProvisioningRule.

  6. Save and commit changes. The manual provisioning rule is added.

    See Also:

    SOA Composer documentation for more information about creating rules
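The following Python example is added to illustrate why step 5 above matters; it is not Oracle code and does not use the Oracle Business Rules engine. It models the rule set as an ordered list in which the first rule whose condition matches decides the assignee, the way ManualProvisioningTaskRules is evaluated, and shows that a custom rule left below the unconditional ManualProvisioningRule never fires. The custom rule name LaptopToITHelpdesk, the group name IT Helpdesk, and the dictionary keys (taken from Table 10-1) are assumptions for the illustration.

```python
"""Ordered evaluation of manual task assignment rules (added illustration).

Rules are checked top to bottom and the first match wins, so an
unconditional rule shadows every rule listed after it.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Payload = Dict[str, str]


@dataclass
class AssignmentRule:
    name: str
    condition: Callable[[Payload], bool]
    assignee: str


def default_rule() -> AssignmentRule:
    # Out-of-the-box rule: no condition, so it matches every payload.
    return AssignmentRule("ManualProvisioningRule", lambda p: True, "System Administrator")


def laptop_rule() -> AssignmentRule:
    # Hypothetical custom rule keyed on the AppInstance Name payload attribute.
    return AssignmentRule("LaptopToITHelpdesk",
                          lambda p: p.get("AppInstance Name") == "Laptop",
                          "IT Helpdesk")


def evaluate(rules: List[AssignmentRule], payload: Payload) -> Tuple[str, str]:
    """Return (rule name, assignee) of the first rule whose condition holds."""
    for rule in rules:
        if rule.condition(payload):
            return rule.name, rule.assignee
    raise LookupError("no assignment rule matched")


def shadowed_rules(rules: List[AssignmentRule]) -> List[AssignmentRule]:
    """Rules listed after an unconditional rule can never fire.

    A rule is treated as unconditional if it matches an empty payload; conditions
    written with p.get(...) return False on {} and are therefore conditional.
    """
    shadowed, blocked = [], False
    for rule in rules:
        if blocked:
            shadowed.append(rule)
        elif rule.condition({}):
            blocked = True
    return shadowed


def move_above(rules: List[AssignmentRule], name: str, target: str) -> List[AssignmentRule]:
    """Reorder like the Up arrow in SOA Composer: place `name` immediately before `target`."""
    moved = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r is not moved]
    idx = next(i for i, r in enumerate(rest) if r.name == target)
    return rest[:idx] + [moved] + rest[idx:]


def demo():
    """Constructed payload for a Laptop account: before and after reordering the rules."""
    payload = {"AppInstance Name": "Laptop",
               "Resource Object Name": "Laptop",
               "Beneficiary Login": "jdoe"}
    rules = [default_rule(), laptop_rule()]   # custom rule added but left below the default
    before = evaluate(rules, payload)
    shadow = [r.name for r in shadowed_rules(rules)]
    rules = move_above(rules, "LaptopToITHelpdesk", "ManualProvisioningRule")
    after = evaluate(rules, payload)
    return before, shadow, after


if __name__ == "__main__":
    print(demo())
```

Running shadowed_rules over an exported rule set before committing changes in SOA Composer catches the silent failure mode: the custom rule saves without error, but every laptop task still lands with the System Administrator.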

10.6.2 Customizing by Modifying the Out of the Box Composite

To modify the out of the box Disconnected Provisioning composite:

  1. Copy the composite from OIM_HOME/workflows/composites/DisconnectedProvisioning.zip to a local JDeveloper working location. Unzip it in the same directory to create the DisconnectedProvisioning directory.

  2. Open the composite in JDeveloper in Default Role.

    Note:

    You must install the version of JDeveloper that is compatible with the Oracle Identity Manager deployment. In addition, install any patches for JDeveloper so that JDeveloper works correctly with the SOA composites.
  3. As part of the customization, do not alter the following:

    • Payload attributes defined in DisconnectedProvisioning\xsd\ManualProvisioningTaskPayload.xsd

    • ProvisioningCallbackService partnerlink and mappings

  4. Double-click composite.xml to open the composite and modify as per your requirements.

  5. Deploy the SOA composite from JDeveloper to the Oracle SOA server. Do not change the Revision ID, and select the Overwrite any existing composites with the same revision ID option.

10.7 Troubleshooting Disconnected Resources

Table 10-3 lists common problems that you may encounter while performing provisioning and other tasks for disconnected resources.

Table 10-3 Troubleshooting Disconnected Resources

Problem: Upon provisioning a disconnected application instance, the manual task is not assigned to the assignee.

Solution: Perform the following steps:

  1. Make sure that the SOA server is running.

  2. Check the Open Tasks page for rejected process tasks, and check the error information in the task, if any.

  3. Check the Oracle Identity Manager logs to verify that the adapter ran.

Problem: Upon manual task completion, the account status is not modified.

Solution: Perform the following steps:

  1. Make sure that the provisioning callback web service, Provcallback, is deployed.

  2. Test the web service from the application server console.