1 Product Overview for Oracle Identity Governance

Oracle Identity Governance overview includes understanding the purpose and major features of the product, the different modes in which it can be deployed, and its interaction with other products, IT systems, and users.

This chapter describes the purpose of Oracle Identity Governance and highlights the major features. It includes the following topics:

Note:

Oracle Identity Governance and Oracle Identity Manager product name references in the documentation mean the same.

1.1 What is Oracle Identity Governance?

Oracle Identity Governance is a solution that provides self service, compliance, provisioning and password management services for applications residing on-premise or on the Cloud.

Oracle Identity Manager is a Governance solution that makes it possible for enterprises to manage the identities and access privileges of their customers, business partners, and employees, all on a single platform. It allows these users to manage their own identities as well as those of others by using delegated administration. It allows enterprises to setup delegated administrators, who are users empowered to manage the identities, passwords, password policies, and access of other users. Business users can create and manage the lifecycle of enterprise roles, which grant access to end-users. These roles can be granted automatically by using rules. With the help of roles and access policies, organizations can ensure that their users are on-boarded and off-boarded in a timely and automated manner.

Oracle Identity Manager enables end-users to get the access they need to do their jobs in a simple and user-friendly manner. End-users use the access catalog, which presents available access in a non-technical, user-friendly manner, to request the access they need. They submit their requests, which are routed to approvers and managers for approval.

Oracle Identity Manager automates the process of creating, updating, and deleting user accounts, provisioning of passwords, and granting/revoking of entitlements across applications hosted on the Cloud or on-premise. This process is known as provisioning and de-provisioning. Oracle Identity Manager makes use of connectors to do provisioning and de-provisioning with connected applications. It also supports manual provisioning and de-provisioning in applications that do not support a connector. Such applications are called disconnected applications.

Oracle Identity Manager can synchronize identities from authoritative sources, such as HR applications and accounts and access privileges from applications including LDAP and databases. Identity lifecycle events, such as hire, transfer, manager change, and separation from the organization, can be synchronized with Oracle Identity Manager, which can then take appropriate action including revoking access. This mechanism of synchronizing identity information with an authoritative source of identity data is known as trusted reconciliation. Oracle Identity Manager can also synchronize account information, including access privileges, and entitlements from applications that it manages. This mechanism is known as target reconciliation.

Oracle Identity Manager helps managers, authorized users, and compliance administrators to review and certify user access, in a user-friendly manner, by a process known as identity certification. Authorized administrators can create and configure certification campaigns, on a scheduled or ad-hoc basis, by using simple wizards. Certifiers, who have to certify the user access, are presented the information in a simple manner. They can either approve the access or reject it. When a violation is detected and the access is rejected, Oracle Identity Manager initiates a process that enables administrators to correct the violation. It can also directly deprovision the access privileges from the target platform or application, while maintaining a comprehensive trail of the actions taken. This is known as closed-loop remediation. Oracle Identity Manager supports different types of certifications, based on various user personas, such as business managers, role owners, application owners, and entitlement owners.

Oracle Identity Manager makes it possible for organizations to meet their compliance objectives by allowing business users to define audit policies. Audit policies specify what type of access a user may or may not have. For example, a user who has access to both Accounts Payables and Accounts Receivables is violating Sarbanes-Oxley guidelines. This is known as a Segregation of Duties (SoD) violation. Oracle Identity Manager allows organizations to define SoD policies that can be enforced during access request and can also be used to scan existing access to identify toxic combinations of access privileges, known as policy violations. Oracle Identity Manager identifies the violations and initiates a workflow allowing remediators, who could be business manager or administrators to fix these violations. This process is known as remediation. All actions taken by remediators are recorded and a comprehensive audit trail is maintained.

Oracle Identity Manager provides comprehensive auditing capabilities that allow auditors and security staff to keep track of who initiated what change, on whom, when and in what context. It allows the creation of custom audit events. This enables customers to audit their workflows and processes. All audit information is available in a manner that can be reported on using standard reporting tools. Oracle Identity Manager provides an embedded reporting server, which delivers print-quality reports for most product areas including request and approvals, password management, identity certification, and identity audit. Customers have the flexibility of using their own enterprise reporting tool as well.

1.2 What are the Different Modes of Oracle Identity Governance?

Oracle Identity Governance provides the flexibility to use functionality based on your identity management requirements. You can enable specific functionality by picking specific deployment options.

Oracle Identity Manager can be configured in three deployment modes:

  • Oracle Identity Manager in database mode

    Oracle Identity Manager is a highly scalable identity administration and provisioning solution that is capable of managing millions of identities, roles, and entitlements, and thousands of applications that are stored in a database. This mode should be used when identity administration, access request, account, and entitlement provisioning and reconciliation is the main business driver and simple Single Sign On (SSO) with a SSO solution is adequate.

  • Oracle Identity Manager with Identity Auditor mode enabled

    Oracle Identity Manager with the Identity Auditor mode enabled provides the ability to run certification campaigns, manage and make use of identity audit policies, and carry out role mining to detect clusters of roles and policies.

    Identity Auditor mode enables you to use the role LCM, Segregation of Duties (Identity Audit), and Access Certification features. You must be licensed to use the Identity Auditor features.

Note:

Identity Auditor mode can be enabled after installing Oracle Identity Manager. See "Enabling Identity Audit" in Performing Self Service Tasks with Oracle Identity Governance for information about enabling the Identity Auditor mode.

Table 1-1 provides a summary of the features that are available in each deployment mode of Oracle Identity Manager.

Table 1-1 Summary of Features

Feature Oracle Identity Manager in DB mode Oracle Identity Manager with Identity Auditor mode enabled

Access policy management

Yes

Yes

Access request

Yes

Yes

Approvals

Yes

Yes

Auditing

Yes

Yes

Delegated administration

Yes

Yes

Identity audit (SoD)

No

Yes

Identity certification

No

Yes

Identity store

Database

Database

Lost password, forgot user ID, self registration

Yes

Yes

OAM/OAAM/OMSS integration

Yes

Yes

Organization management

Yes

Yes

Password synchronization

Yes

Yes

Provisioning

Yes

Yes

Reconciliation

Yes

Yes

Reporting

Yes

Yes

Role management

Yes

Yes

User management

Yes

Yes

User password management

Yes

Yes

Note:

1.3 How does Oracle Identity Governance Interact with Other IT Systems?

Oracle Identity Governance interacts with various applications and IT systems to manage the application instances and accounts by using connectors.

In Oracle Identity Manager, applications and other IT systems are called IT resources. The IT resources expose various objects that can be managed by Oracle Identity Manager. These objects are called resource objects. The objects that represent accounts are called application instances, and the objects that represent access within an application are known as entitlements.

Oracle Identity Manager interacts with various applications and IT systems to manage the application instances and accounts by using connectors. Connectors are installed on the Oracle Identity Manager Server. Oracle provides several connectors for common technologies, such as JDBC, LDAP, SPML, SOAP, and REST, and for common business applications, such as SAP, eBusiness Suite, and PeopleSoft. New connectors can be developed by using the Identity Connector Framework (ICF).

Some IT systems cannot be communicated with directly and require the use of a lightweight component called the Connector Server. Examples of applications that require the use of the Connector Server include Microsoft products, such as Exchange and Active Directory, Novell eDirectory, IBM Lotus Notes, and others. In such scenarios, the connector is deployed on the Connector Server, and it communicates using native protocols with the application. Oracle Identity Manager communicates with the Connector Server, which then communicates with the connector.

1.4 How does Oracle Identity Governance Interact with Other Oracle Identity and Access Management Products?

Oracle Identity Governance integrates with other Oracle and third-party Identity and Access Management products via standards-based integration.

When integrated with OAM, Oracle Identity Manager provides forgot user ID, forgot password, challenge questions and responses, password and password policy management, account locking, self registration, and user, role, and organization management services. OAM provides Single Sign On services for Oracle Identity Manager. OAM also provides real-time session kill if the user is locked and auto-unlock features.

Oracle Identity Manager requires the use of the LDAP synchronization feature. This feature allows Oracle Identity Manager to push users, user passwords, and changes to user attributes, groups, and group memberships to the LDAP directory. Oracle Identity Manager reconciles the changes from the LDAP directory including the account lock status.

Oracle Identity Manager supports a reduced and simplified integration with OAM as well, where OAM provides Single Sign On for Oracle Identity Manager. In this approach, there is no synchronization of the state attributes or of OIM users and groups. You can make use of provisioning and connectors to provision and reconcile LDAP users and groups.

Note:

See Integrating Access Manager and Oracle Identity Governance in the Integration Guide for Oracle Identity Management Suite for information about integration with OAM.

1.5 How do Users Interact with Oracle Identity Governance?

Oracle Identity Governance provides an end-user interface, called Identity Self Service, and a system administrator interface, called Identity System Administration. Both end-users and system administrators use the web browser to log on to Oracle Identity Governance.

The interface for end-users is used:

  • To manage your user profile, passwords, challenge questions, and account passwords.

  • To view, request, and approve access for self and others, certify users, and process policy violations and manual provisioning tasks.

  • To setup organizations and administration roles and to configure delegated administration. It is also used by delegated administrators to create and manage users, organizations, and password policies.

  • By authorized users to compose roles, create and run certification campaigns, configure SoD rules and policies, and create and run compliance scans.

The interface for system administrators is used:

  • To define workflow policies, home organization policies, and user capabilities

  • To manage the schema of system entities, such as user, role, and organization

  • To manage provisioning end-points and the schema of the supported objects

  • To import/export Oracle Identity Manager configuration objects

  • To install/uninstall/upgrade connectors

You can also use the REST services to either create your own user interface or to integrate other applications with Oracle Identity Manager.

Developers can also use:

  • The JDeveloper IDE to create custom UI by using the Oracle Application Development Framework (ADF) and to create custom workflows by using Business Process Execution Language (BPEL)

  • The Design Console, which is a Java thick client, to create provisioning workflows

  • The embedded BI Publisher reporting server to create custom reports