Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
B14085-02

12.6 Understanding Provisioning Flow

This section discusses the flow of information and control in various provisioning scenarios. It contains these topics:

12.6.1 Creating/Modifying Users with the Provisioning Console

You can use the Provisioning Console to create and provision new user entries in Oracle Internet Directory. The console uses a wizard-based interface to perform the following steps:

  1. The initial user creation screen shows a list of required base user attributes. The base user attributes are populated after the Provisioning Console invokes the Pre-Data Entry plug-in. For user creation, the plug-in processes the base user attributes and generates the application's default provisioning policy and attributes. For user modification, the Provisioning Console retrieves user information from Oracle Internet Directory and the plug-in retrieves application information.

  2. The next step in the wizard displays how a user will be provisioned in each application, based on the application's default provisioning policy. For user modification, this step displays one list of applications for which the user is currently provisioned and another list of applications in which the user can be provisioned. You can select one of the following values for each application in which the user is not yet provisioned:

    • User Policy. The selected value for this field is based on each application's default provisioning policy. This field can display one of two values: Provision or Do Not Provision.

    • Override Policy to perform Provision. Selecting this option overrides the application's default policy and provisions the user.

    • Override Policy NOT to perform Provision. Selecting this option overrides the application's default policy and does not provision the user.

    For applications in which the user is currently provisioned, there will be an option for deprovisioning the user.

  3. For applications in which the user is not provisioned, the next step in the wizard displays attributes for the applications to be provisioned, with the default values returned by the Pre-Data Entry plug-in. For applications in which the user is provisioned, current application information is listed. You can make any necessary changes to the attributes in this step before clicking the Next button. When you click the Next button, the Post-Data Entry plug-in is invoked, which validates the data you entered.

  4. The final step in the wizard enables you to review application attributes and values. After you click the Finish button, the Provisioning Console creates or updates the user information in Oracle Internet Directory, and then invokes the Data Access Java plug-in for applications that are provisioned synchronously to create or update the application

12.6.2 Deleting Users with the Provisioning Console

Before a user is deleted, the Provisioning Console displays a read-only page listing the base user and the application attributes. After the user confirms the deletion, the Provisioning Console deletes the base user information and any application-specific information or invokes the Data Access Java plug-in for applications that are provisioned synchronously. For asynchronous applications, a USER_DELETE event is propagated.
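The selection rules in step 2 of section 12.6.1 and the delivery paths in section 12.6.2, modeled in Python as an added example (not Oracle code and not part of the original guide). The App record, the resolve and plan_delete functions, and the sample applications are hypothetical; overrode_default is an added flag marking selections that depart from the application's default policy, which are the ones worth recording for review.

```python
from dataclasses import dataclass
from enum import Enum

class Policy(Enum):   # an application's default provisioning policy (step 2)
    PROVISION = "Provision"
    DO_NOT_PROVISION = "Do Not Provision"

class Choice(Enum):   # values selectable in step 2 of the wizard
    USER_POLICY = "User Policy"
    OVERRIDE_PROVISION = "Override Policy to perform Provision"
    OVERRIDE_NO_PROVISION = "Override Policy NOT to perform Provision"
    DEPROVISION = "Deprovision"

@dataclass(frozen=True)
class App:            # hypothetical record for this example, not an Oracle schema
    name: str
    default_policy: Policy
    synchronous: bool

def resolve(app, choice, provisioned):
    """Return (action, overrode_default) for one application.

    action is 'provision', 'deprovision' or 'none'; choice=None means the
    administrator left an already provisioned application untouched.
    """
    if provisioned:
        # Applications the user already has only offer deprovisioning.
        if choice is None:
            return ("none", False)
        if choice is Choice.DEPROVISION:
            return ("deprovision", False)
        raise ValueError(f"{choice.value!r} is not offered: {app.name} already provisioned")
    if choice is Choice.USER_POLICY:
        wanted = app.default_policy is Policy.PROVISION
        return ("provision" if wanted else "none", False)
    if choice is Choice.OVERRIDE_PROVISION:
        return ("provision", True)
    if choice is Choice.OVERRIDE_NO_PROVISION:
        return ("none", True)
    raise ValueError(f"{choice!r} is not offered: {app.name} not provisioned")

def plan_delete(provisioned_apps):
    """Map each application to how a user deletion reaches it (section 12.6.2)."""
    return [(a.name, "Data Access Java plug-in" if a.synchronous else "USER_DELETE event")
            for a in provisioned_apps]

# Constructed sample applications.
MAIL = App("mail", Policy.PROVISION, synchronous=True)
CALENDAR = App("calendar", Policy.DO_NOT_PROVISION, synchronous=False)
```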

12.6.3 User Provisioning From an External Source

The majority of deployments are expected to provision users from an external source, such as a third-party enterprise user repository. In these types of deployments, the third-party repository bootstraps Oracle Internet Directory. Oracle Directory Integration and Provisioning will provide ongoing synchronization between Oracle Internet Directory and the third-party repository. Examples of third-party user repositories include Oracle Human Resources and LDAP directories such as Microsoft Active Directory and SunONE Directory Server.

The Oracle Directory Synchronization Service will create the user entry in Oracle Internet Directory. Since the information coming from the external source may not be sufficient to provision the user in various applications, the application defaults will be used to create the application information. User creation by the Oracle Directory Synchronization Service occurs as follows:

  1. The Oracle Directory Synchronization Service evaluates the provisioning policies specified by the applications to determine whether the user should be provisioned in the application.

  2. The Oracle Directory Synchronization Service evaluates any other plug-ins that the application has registered.

  3. The Oracle Provisioning Service invokes the PL/SQL plug-in or the Data Access Java plug-in to deliver the user information to the application.

  4. The provisioning status of the user is returned by the application using the event interfaces.

  5. The Oracle Provisioning Service updates the provisioning status of the user for the application.