Disconnected resources are targets for which there is no connector. Therefore, provisioning fulfillment for disconnected resources is not automated but manual. In earlier releases of Oracle Identity Manager, disconnected provisioning was not supported as a first-class use case; it was supported by using manual tasks in the provisioning process. This approach has a number of limitations, which are addressed by the Disconnected Resources model. In Oracle Identity Manager 11g Release 2 (11.1.2.2.0), disconnected resources are an enhanced configuration for manual provisioning that leverages SOA integration to provide higher flexibility and configurability of the manual provisioning workflow.
Some examples of disconnected resources include a Badge, Laptop, Pager, or any such item wherein the fulfillment is manual.
This chapter describes the following topics:
Section 10.3, "Provisioning Operations on a Disconnected Application Instance"
Section 10.4, "Managing Entitlement for Disconnected Resource"
Section 10.5, "Status Changes in Manual Process Task Action"
The Disconnected Resource feature makes use of the existing Oracle Identity Manager provisioning engine artifacts, such as the Provisioning Process, Process Task, Adapters, and so on, while providing BPEL integration in a seamless and configurable manner.
When a Disconnected Application Instance is created from the UI, it automatically seeds a number of backend configuration artifacts, including a resource object (of type Disconnected), a provisioning process with tasks for the basic provisioning operations, an IT resource, and a process form with the minimal fields (which can be further customized).
Figure 10-1 illustrates the provisioning process architecture for disconnected resources.
Figure 10-1 Disconnected Resource Architecture
When a disconnected application instance is provisioned to a user (through a request or otherwise), the corresponding workflow in the provisioning process is triggered. This fires the corresponding process task and runs the manual provisioning adapter, which invokes the out-of-the-box disconnected provisioning SOA composite. A SOA manual task is assigned to the System Administrator by default. When the assignee acts on the manual task, the provisioningcallback webservice is invoked with the assignee's response; it then completes or aborts the provisioning operation and updates the account accordingly.
Table 10-1 lists the attributes of the manual provisioning SOA composite payload that are available in the composite.
Table 10-1 Manual Provisioning SOA Composite Payload Attributes
Attribute | Description |
---|---|
Account ID | Account ID (oiu_key) for the account under consideration |
AppInstance Name | Disconnected application instance display name |
Resource Object Name | Disconnected resource object name |
ITResource Name | Disconnected IT resource name |
Beneficiary Login | Login of the account beneficiary |
Entity Key | Application instance key in the case of Provision, Revoke, Disable, and Enable account operations |
Entity Type | Set to ApplicationInstance in the case of Provision, Revoke, Disable, and Enable account operations |
Beneficiary First Name | First name of the account beneficiary |
Beneficiary Last Name | Last name of the account beneficiary |
Descriptive Field | Account descriptive field for the account under consideration |
URL | Oracle Identity Manager callback URL for the webservice |
Request Key | Request key, if the operation is through a request |
Requester Login | Login of the requester, if the operation is through a request |
Managing disconnected application instance includes the following tasks:
Section 10.2.1, "Creating a Disconnected Application Instance"
Section 10.2.2, "Creating a Disconnected Application Instance for an Existing Disconnected Resource"
Note:
Before creating the application instance, you must create a new sandbox, and publish it after the application instance is created. See "Managing Sandboxes" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about creating and publishing a sandbox.
To create a disconnected application instance:
Log in to Oracle Identity System Administration.
Create and activate a sandbox.
In the left pane, under Configuration, click Application Instances. The Application Instances page is displayed.
From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.
In the respective attribute fields, enter the values as shown in the following table:
Attribute | Value |
---|---|
Name | Enter the name of the application instance. This is a required field. |
Display Name | Enter the display name of the application instance. This is a required field. |
Description | Specify a description of the application instance. |
Disconnected | Select the checkbox. This is the flag to indicate that the application instance is not connected. Note: This is a UI-only flag and is not persisted in the backend. Checking this flag disables the Resource Object and ITResource Instance fields, as these are automatically created in the backend. |
Figure 10-2 shows the attributes on the Create Application Instance page.
Click Save, and then click OK on the information dialog box. The application instance is created, and the details of the application instance are displayed.
Publish the sandbox.
The UI form for the disconnected resource is automatically created and set. Click Apply.
In addition to the application instance, the following provisioning artifacts are automatically created in the backend:
Resource object of type Disconnected
IT resource type definition with the following parameters:
Configuration Lookup
Connector Server Name
Identity Gateway Name
Note:
IT resource type definition parameters are for future use, and their values need not be set.
IT resource of this type definition
Parent process form with the following fields:
Account ID
Password
Account login
IT resource
Process definition with workflows for the following operations:
Provision Account
Enable Account
Disable Account
Revoke Account
Modify Account Attributes
Adapters
Manual Provisioning
Manual Entitlement Provisioning
From the System Administration UI, search for the scheduled job called "Catalog Synchronization Job" and run it.
To create a disconnected application instance for an existing disconnected resource, see Section 9.2.1, "Creating Application Instances".
Note:
You must not select the Disconnected option, as this creates artifacts, including the resource object and IT resource, in the backend.
When the provisioning process is triggered for the Enable, Disable, Revoke, or Provision operation, the corresponding process task is inserted, which runs the Manual Provisioning adapter. This adapter invokes the out-of-the-box provisioning SOA composite. A SOA Human Task is assigned to the System Administrator by default.
From the Inbox in Oracle Identity Self Service, the System Administrator can:
Check the task details
Check the account details
Change process form data in Oracle Identity Manager by editing the data and clicking the Fulfill button
Perform the operation manually in the target
Act on the pending task by clicking Complete or Reject.
When the assignee acts on the pending manual task, the provisioning callback webservice is invoked, which continues the Oracle Identity Manager operation and updates the account accordingly. See Section 10.5, "Status Changes in Manual Process Task Action" for details on changes to the account status based on the assignee's action.
When a process form field of a disconnected resource is updated, the "<FORM_NAME> Updated" process task is inserted into the provisioning process. This generates a manual SOA human task, so that the assignee can manually apply the changes in the corresponding target.
Note:
The "<FORM_NAME> Updated" task is inserted irrespective of whether the update is to a single process form field or to multiple process form fields. This behavior is different from that of a connected resource. In addition, note that individual process form field update tasks need not be configured for a disconnected resource.
Managing entitlements for a disconnected resource includes the following:
Configuring entitlement grants for a disconnected resource involves creating a child form and configuring the lookup definition for entitlements, as follows:
Note:
Before creating child forms, create and activate a sandbox.
Go to Oracle Identity System Administration. Under Configuration, click Form Designer and perform the following steps:
Click Resource Type and search for the disconnected resource.
From the search result, click the form name of the disconnected application instance.
Go to the Child Objects tab and click Add to add a child form.
In the Name field, provide a name to the child table and click OK.
Click the name link to open it for editing.
Click Create. In the Select Field Type dialog box, select Lookup, and click OK.
Provide the following values for the entitlement field:
In the Display Label field, enter a display name.
In the Name field, enter a name for the lookup.
Select the following check boxes:
Searchable
Entitlement
Searchable Picklist
Note:
You must select the Searchable, Entitlement, and Searchable Picklist check boxes to create an entitlement field on the child form.
Create a new custom field of Lookup Type and click OK.
In the List of Values section, click the Create a new lookup type icon and provide values for Meaning (for example, Lookup.Laptop.apps), Code (for example, Lookup.Laptop.apps), and Description, as follows:
Click New to add the entitlement values as lookup codes. The values in the Code and Meaning columns must have the following format:
Code | Meaning |
---|---|
<ENTITLEMENT_NAME> | <ENTITLEMENT_DESCRIPTION> |
Click Save. The Create Lookup Type dialog box closes.
Click Save and Close.
Click Back to Parent Object to return to the parent form.
Click Regenerate View to regenerate UI artifacts and dataset, and confirm by clicking OK.
See "Modifying Forms By Using the Form Designer" for information about the options available in the Regenerate View popup window.
Publish the sandbox.
Go back to Oracle Identity System Administration, and under System Management, click Scheduler.
Search for the scheduled job called Entitlement List and run it.
After that job completes, search for the scheduled job called Catalog Synchronization Job and run it.
Table 10-2 provides details about the account status changes that result from each manual task action:
Table 10-2 Manual Process Task Action Statuses
Provisioning Operation | Manual Task Action | Provisioning Action |
---|---|---|
Provision | Complete | Account status will be set to Provisioned. |
Provision | Reject | Account status will not be updated. |
Disable | Complete | Account status will be set to Disabled. |
Disable | Reject | Account status will not be updated. |
Enable | Complete | Account status will be set to Enabled. |
Enable | Reject | Account status will not be updated. |
Revoke | Complete | Account status will be set to Revoked. |
Revoke | Reject | Account status will not be updated. |
Update | Complete | No Operation |
Update | Reject | No Operation |
Grant Entitlement | Complete | Completes the child table insert trigger process task and sets the entitlement status to Provisioned. |
Grant Entitlement | Reject | Cancels the child table insert trigger process task, which deletes the child table entry. |
Revoke Entitlement | Complete | Deletes the child table entry from Oracle Identity Manager. |
Revoke Entitlement | Reject | No Operation |
The provisioning SOA composite supports the following customizations:
Section 10.6.1, "Customizing Human Task Assignment via SOA Composer"
Section 10.6.2, "Customizing by Modifying the Out of the Box Composite"
The manual disconnected provisioning SOA composite has a default rule, ManualProvisioningRule, which assigns the human task to the System Administrator.
To customize the manual task assignment, create a custom rule with a higher priority from the SOA Composer UI, based on payload attributes such as the application instance name.
To add a custom rule:
Access Oracle SOA Composer by navigating to the following URL:
http://SOA_HOST:SOA_PORT/soa/composer
Log in to the SOA Composer UI, click Open Task, and select the DisconnectedProvisioning_rev1.0 composite.
From the ManualProvisioningTaskRules.rules tab, click Edit to add a custom rule.
Add Rule by providing the rule name and the conditional assignment rule.
Using the Up arrow, move the custom rule above the ManualProvisioningRule.
Save and commit changes. The manual provisioning rule is added.
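The assignment and callback behaviour described in Section 10.3 and Table 10-2, together with the rule ordering described in this section, as an added model that is not Oracle Identity Manager's own code. Rules are evaluated in priority order with the default ManualProvisioningRule last; the rule name LaptopDeskRule, the logins, and the sample payload values are assumptions.

```python
# Added model of the disconnected-resource manual task flow; not Oracle Identity
# Manager code. Rule names, logins and sample payload values are assumptions.
from dataclasses import dataclass, field

SYSTEM_ADMINISTRATOR = "xelsysadm"  # assumed login of the default assignee
@dataclass
class Account:
    status: str = "Provisioning"  # constructed status of an account awaiting fulfillment
    entitlements: dict = field(default_factory=dict)  # child-table rows: name -> status

def assign_task(payload, rules):
    """Rules are (name, predicate, assignee) in priority order; the first rule whose
    predicate matches the Table 10-1 payload wins. The default ManualProvisioningRule
    sits last and matches every payload, so the System Administrator is the fallback."""
    for name, predicate, assignee in rules:
        if predicate(payload):
            return name, assignee
    raise ValueError("no assignment rule matched")

def request_entitlement(account, entitlement):
    """Grant request: the child-table row is inserted before the manual task is raised."""
    account.entitlements[entitlement] = "Provisioning"
    return account

def provisioning_callback(account, operation, action, entitlement=None):
    """Apply the assignee's Complete/Reject response to the account per Table 10-2."""
    if action not in ("Complete", "Reject"):
        raise ValueError(f"unexpected manual task action: {action}")
    completed = action == "Complete"
    final = {"Provision": "Provisioned", "Disable": "Disabled",
             "Enable": "Enabled", "Revoke": "Revoked"}
    if operation in final:
        if completed:  # Reject leaves the account status untouched
            account.status = final[operation]
    elif operation == "Grant Entitlement":
        if completed:
            account.entitlements[entitlement] = "Provisioned"
        else:  # insert trigger task cancelled, so the child-table row is deleted
            account.entitlements.pop(entitlement, None)
    elif operation == "Revoke Entitlement":
        if completed:  # Reject: no operation
            account.entitlements.pop(entitlement, None)
    elif operation != "Update":  # Update: no operation on either action
        raise ValueError(f"unknown provisioning operation: {operation}")
    return account

# Custom rule placed above the default rule, as Section 10.6.1 describes (assumed values).
DEFAULT_RULE = ("ManualProvisioningRule", lambda p: True, SYSTEM_ADMINISTRATOR)
LAPTOP_RULE = ("LaptopDeskRule", lambda p: p.get("AppInstance Name") == "Laptop", "laptop.desk")
RULES = [LAPTOP_RULE, DEFAULT_RULE]
```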
See Also:
SOA Composer documentation for more information about creating rules
To modify the out-of-the-box Disconnected Provisioning composite:
Copy the composite from OIM_HOME/workflows/composites/DisconnectedProvisioning.zip to a local JDeveloper working location. Unzip it in the same directory to create the DisconnectedProvisioning directory.
Open the composite in JDeveloper in Default Role.
Note:
You must install the version of JDeveloper that is compatible with the Oracle Identity Manager deployment. In addition, install any patches for JDeveloper so that JDeveloper works correctly with the SOA composites.
As part of the customization, do not alter the following:
Payload attributes defined in DisconnectedProvisioning\xsd\ManualProvisioningTaskPayload.xsd
ProvisioningCallbackService partnerlink and mappings
Double-click composite.xml to open the composite and modify as per your requirements.
Deploy the SOA composite from JDeveloper to the Oracle SOA server. Make sure that you do not update the Revision ID, and select the Overwrite any existing composites with the same revision ID option.
Table 10-3 lists common problems that you may encounter while performing provisioning and other tasks for disconnected resources.
Table 10-3 Troubleshooting Disconnected Resources
Problem | Solution |
---|---|
Upon provisioning a disconnected application instance, the manual task is not assigned to the assignee. | Perform the following steps: |
Upon manual task completion, the account status is not modified. | Perform the following steps: |