D Case Study: A Deployment of Oracle Directory Integration and Provisioning

This appendix describes a deployment in which Directory Integration and Provisioning integrates various applications in the MyCompany enterprise.

This section contains these topics:

• Components in the MyCompany Enterprise

• Requirements of the MyCompany Enterprise

• Overall Deployment in the MyCompany Enterprise

• User Creation and Provisioning in the MyCompany Enterprise

• Modification of User Properties in the MyCompany Enterprise

• Deletion of Users in the MyCompany Enterprise

Components in the MyCompany Enterprise

This hypothetical enterprise has the following components:

• Oracle Human Resources, in which all employees and contractors are managed

• An SunONE Directory Server, which is being used by certain applications

• An installation of OracleAS Portal, which is used as the intranet portal for all employees

• An installation of Oracle Content Management Software Development Kit, which is used as a document repository for all corporate documents

Requirements of the MyCompany Enterprise

The MyCompany enterprise requires that:

• All employees and contractors are created in Oracle Human Resources. Once created, all applications in the enterprise must share this information through Oracle Internet Directory.

• All applications in the enterprise, including single sign-on services, can honor any employee created in Oracle Human Resources

• All applications interested in changes to user properties are notified when such changes occur

• A user's access rights are revoked when the user is terminated in Oracle Human Resources

Overall Deployment in the MyCompany Enterprise

Figure D-1 illustrates the various components and their relationships to each other.

Figure D-1 Example of Oracle Directory Integration and Provisioning in the MyCompany Deployment

Description of the illustration oidag075.gif

In the example in Figure D-1:

• Oracle Internet Directory is the central user repository for all enterprise applications.

• Oracle Human Resources is the source of truth for all user-related information. It is synchronized with Oracle Internet Directory by using the Oracle Directory Synchronization Service.

• SunONE Directory Server, which is already deployed in the enterprise, is synchronized with Oracle Internet Directory by using the Oracle Directory Synchronization Service

• OracleAS Portal is notified of changes in Oracle Internet Directory by using the Oracle Provisioning Service

• Oracle Content Management Software Development Kit is notified of changes in Oracle Internet Directory by using the Oracle Provisioning Service.

User Creation and Provisioning in the MyCompany Enterprise

In this example, the MyCompany enterprise requires that all users be created in Oracle Human Resources. Directory Integration and Provisioning must propagate new user records to all other repositories in the enterprise.

Figure D-2 shows how Directory Integration and Provisioning performs this task.

Figure D-2 User Creation and Provisioning

Description of the illustration oidag076.gif

Figure D-2 shows the creation of a new user in Oracle Human Resources, which, in turn, causes an entry for that user to be created in Oracle Internet Directory and the SunONE Directory Server. It also shows the process of provisioning the user to access two applications in the enterprise: OracleAS Portal and Oracle Content Management Software Development Kit. User creation and provisioning occur in the following manner:

1. The Oracle Human Resources administrator creates the user in the Oracle Human Resources database.

2. Directory Integration and Provisioning, through the Oracle Directory Synchronization Service, detects the new-user creation.

3. Directory Integration and Provisioning, through the Oracle Directory Synchronization Service creates the entry for the user in Oracle Internet Directory.

4. Directory Integration and Provisioning, through the Oracle Directory Synchronization Service, creates an entry in the SunONE Directory Server.

5. Because the user entry is available in Oracle Internet Directory, the OracleAS Portal administrator can now provision the user to use the services of OracleAS Portal. During this task, the OracleAS Portal software automatically retrieves the user details from Oracle Internet Directory.

6. The Oracle Content Management Software Development Kit administrator also provisions the user to use Oracle Content Management Software Development Kit services by using a similar process.

Note that Directory Integration and Provisioning does not directly notify OracleAS Portal or Oracle Content Management Software Development Kit about new users. This is because not all users created in Oracle Human Resources need access to all services. In this case, the deployment must explicitly provision the users to use these services, as in steps 5 and 6.

Modification of User Properties in the MyCompany Enterprise

In this example, the MyCompany enterprise requires that any modification to user properties must be communicated to all components interested in such changes. Figure D-3 illustrates the actions that Directory Integration and Provisioning takes to meet this requirement.

Figure D-3 Modification of User Properties

Description of the illustration oidag077.gif

The process is as follows:

1. The user is first modified in Oracle Human Resources.

2. Directory Integration and Provisioning retrieves these changes through the Oracle Directory Synchronization Service.

3. Directory Integration and Provisioning makes the corresponding user modification in Oracle Internet Directory.

4. The Oracle Directory Synchronization Service modifies the user in the SunONE Directory Server.

5. Directory Integration and Provisioning, through the Oracle Provisioning Service, notifies OracleAS Portal about the change in user properties.

6. Directory Integration and Provisioning, through the Oracle Provisioning Service, notifies Oracle Content Management Software Development Kit about the same change in user properties.

Deletion of Users in the MyCompany Enterprise

In this example, the MyCompany enterprise requires that a user being deleted or terminated in Oracle Human Resources be automatically denied access to all enterprise resources that are based on the directory service.

Figure D-4 shows the flow of events during the deletion of users:

Figure D-4 Deletion of Users from the Corporate Human Resources

Description of the illustration oidag078.gif

Figure D-4 shows the process by which Directory Integration and Provisioning communicates the deletion of users to all systems in the enterprise. The process is as follows:

1. The user is first deleted in the Oracle Human Resources.

2. Directory Integration and Provisioning retrieves these changes through the Oracle Directory Synchronization Service.

3. Directory Integration and Provisioning, through the Oracle Directory Synchronization Service, makes the corresponding user deletion in Oracle Internet Directory.

4. Directory Integration and Provisioning, through the Oracle Directory Synchronization Service, deletes the users in the SunONE Directory Server.

5. Directory Integration and Provisioning, through the Oracle Provisioning Service, notifies OracleAS Portal about the deletion of the user.

6. Directory Integration and Provisioning, through the Oracle Provisioning Service, notifies Oracle Content Management Software Development Kit about the deletion of the user.

Once all of the steps are completed, a deleted user in Oracle Human Resources can no longer access OracleAS Portal or Oracle Content Management Software Development Kit.