Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Oracle Directory Provisioning Integration Service, 2 of 5
This section describes how the components of an Oracle Directory Provisioning Integration Service environment interact throughout the provisioning process. It contains these topics:
Provisioning involves:
At times, you may want to synchronize all entities in an application-specific directory with those in the central directory, but provision the application to receive notification about only some of them. For example, the directory for Oracle Human Resources typically contains data for all employees in an enterprise, and you would probably want to synchronize all of that data with the central directory. However, you might want to provision a given application to be notified only when members join or leave a particular group.
When it is first installed, an application subscribes to provisioning by creating a provisioning profile in the directory. There must be a profile for each application in each identity management realm.
In a directory-enabled environment, provisioning involves:
For example, provisioning a user to access an e-mail application involves:
You can change information for users, groups, and user subscriptions from any of the following:
User enrollment in an application can happen either automatically or manually.
This method is sometimes called "on-demand enrollment." Instead of continuously synchronizing with the central directory, the application creates the user footprint when the user first accesses the application. Oracle Application Server Single Sign-On uses this method to enroll a user accessing an application.
In this method, an administrator provides application-specific information by using an application-specific administrative tool.
For example, you might want users to obtain their manager's approval before enrollment. In this case, rather than use on-demand enrollment, you might want the application administrator, after the necessary approvals are complete, to enroll the user manually.
Provisioning a user typically involves creating two kinds of information:
This data includes the user's identity, credentials, profiles, and preferences. It is represented by standard directory user attributes--for example, mailing address or language preferences.
This could include, for example, data in the user's e-mail message folder, or, for the calendaring application, the user's appointment data. It is typically represented by using application-specific conventions either in the directory or in application-specific repositories.
In an Oracle Directory Provisioning Integration Service environment:
To retrieve changes from Oracle Internet Directory, the Oracle Directory Provisioning Integration Service subscribes to the Oracle Internet Directory change log. The changes in the change log are filtered so that only the needed changes get passed to the applications. If an application is interested only in the events of a particular subtree, then the Oracle Directory Provisioning Integration Service notifies it of those changes only.
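The subtree filtering described above, as an added example (not Oracle's code and not part of the original guide). The record fields `changeNumber` and `targetDN`, the sample DNs, and the case-insensitive comparison of RDN values are assumptions made for illustration. It compares DNs component by component, because a plain string-suffix test both leaks and drops events.

```python
def normalize_rdn(rdn):
    """Lower-case and trim one RDN (assumes case-insensitive attribute values)."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends the RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [normalize_rdn(r) for r in rdns]

def in_subtree(target_dn, base_dn):
    """True if target_dn is the base entry or lies beneath it."""
    target, base = split_dn(target_dn), split_dn(base_dn)
    return len(target) >= len(base) and target[-len(base):] == base

def naive_in_subtree(target_dn, base_dn):
    """String-suffix test, shown only for contrast with in_subtree()."""
    return target_dn.lower().endswith(base_dn.lower())

def filter_changes(changes, base_dn, match=in_subtree):
    """Return the change numbers an application scoped to base_dn is notified of."""
    ordered = sorted(changes, key=lambda c: c["changeNumber"])
    return [c["changeNumber"] for c in ordered if match(c["targetDN"], base_dn)]

# Constructed sample change log records (not real directory data).
SAMPLE_CHANGES = [
    {"changeNumber": 1, "targetDN": "cn=Alice,ou=Sales,dc=example,dc=com"},
    {"changeNumber": 2, "targetDN": "cn=Bob, OU=Sales, DC=Example, DC=com"},
    {"changeNumber": 3, "targetDN": "cn=eve\\,ou=sales,dc=example,dc=com"},
    {"changeNumber": 4, "targetDN": "cn=Carol,ou=HR,dc=example,dc=com"},
]
BASE = "ou=sales,dc=example,dc=com"

if __name__ == "__main__":
    print("component-wise:", filter_changes(SAMPLE_CHANGES, BASE))
    print("string suffix: ", filter_changes(SAMPLE_CHANGES, BASE, naive_in_subtree))
```

Record 3 is a single entry directly under `dc=example,dc=com` whose `cn` value contains an escaped comma; the suffix test delivers it to the Sales-scoped application and misses record 2, while the component-wise test handles both correctly.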
Figure 34-1 shows the relation between components in an Oracle Directory Provisioning Integration Service environment.
As Figure 34-1 shows:
The Oracle Internet Directory change log records these changes.
After the application is installed and an application identity has been created in Oracle Internet Directory, application registration with the Oracle Directory Provisioning Integration Service can occur in one of two ways:
This registration information includes:
See Also: Appendix A, "Syntax for LDIF and Command-Line Tools" for instructions about how to use the Provisioning Subscription Tool
The Oracle Directory Provisioning Integration Service monitors Oracle Internet Directory for any changes to user, group or user subscription information. It conveys these changes to applications in the form of provisioning events.
Figure 34-3 shows how an application receives the provisioning events from Oracle Internet Directory.
Provisioning information is sent from Oracle Internet Directory to an application by using the following process:
The way Oracle Internet Directory receives provisioning information from an application is the reverse of the way an application receives it from Oracle Internet Directory. The latter process is described in the previous section, "How an Application Receives Provisioning Information from Oracle Internet Directory".
Figure 34-3 shows how an application sends notifications of provisioning events to Oracle Internet Directory.
Provisioning information is sent from an application to Oracle Internet Directory by using the following process:
You can unsubscribe an application from the Oracle Directory Provisioning Integration Service in one of two ways:
See Also: "The Provisioning Subscription Tool (oidprovtool) Syntax" for instructions about how to use the Provisioning Subscription Tool
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.