Oracle® Identity Manager Administrative and User Console Guide Release 9.0 B25936-01
The Resource Management feature enables you to manage resource objects for an entire organization or an individual user. Managing resources includes:
Ability to search for a resource and view its details
Ability to disable, enable, revoke a resource from user(s) or organization(s)
Manage Resource Administrator and Authorizer groups
This chapter covers the following topics related to managing resources:
To manage resources:
Click Resource Management, then click the Manage link. The Resource Search page appears.
Note: When searching, if you select a value from the drop-down list and do not enter a corresponding search value, an error will occur. Also, if you select the same value twice from the drop-down menu, an error will occur.
Use the pull-down menu to select search criteria. In the next field, enter the corresponding attribute. In this example, the wildcard asterisk (*) is used. Click Search.
This page displays the Results table.
Select a resource by clicking on the name. The Resource Detail page appears. In this example, the resource name, Oracle Identity Manager User is selected.
You can view additional detail information about the resource by using the pull-down menu.
In this example, the resource target is set to "O" for organization, meaning that when you make a selection for additional details, the child table that appears will be for organization results. Likewise, if the resource target is set to "U" for users, any child table that appears based on your selection for additional details will be for user results.
Therefore, depending on the value of the resource target (O or U) the pull-down menu will display either Users Associated with This Resource or Organizations Associated with This Resource option.
The Organizations Associated with This Resource page shows a list of organizations to whom this resource is provisioned or is being provisioned (revoked, enabled, disabled, and so on). This page will only display the organization details.
Likewise, the Users Associated with This Resource page shows a list of users to whom this resource is provisioned or is being provisioned (revoked, enabled, disabled, and so on). This page will only display the user details.
The additional details include the following options:
Organization Associated With This Resource
Resource Administrators
Resource Authorizers
In this example, the Organization Associated For the Resource option is selected for the Oracle Identity Manager User resource.
The Organization Associated For the Resource page appears. The display radio buttons provide a way to filter through the list of associated organizations. The All radio button lists all the organizations, while the By Status radio button filters the organizations on the Resource Status column. The organizations associated with the resource are listed under the Organization Name column. In this example, the Resource Status indicates that the resource is provisioning for each of the organizations listed. You can then modify the resource for the organization by choosing one of the following:
Enable
Disable
Revoke
The value in the Identifier column corresponds with a field type that you can map from the Process Definition Form in the Oracle Identity Manager Design Console using the Map Descriptive Field. This value lets you distinguish which mapping category is defined (Process Type, Organization Name, or Request Key) when the same resource has been provisioned several times to the same organization.
In the Resource Detail page, select the Resource Administrator option. The Resource Administrators page displays the names of groups who are assigned as administrators to this resource. This page also displays the Write Access and Delete Access permissions. The Write Access and Delete Access permissions are permissions that the administrator groups have on the resource (but not with resource parameters). The Write Access permission allows the group to make changes to the resource, while the Delete Access permission allows the group to delete the resource.
You can perform the following operations:
To assign a user group as administrator for a resource, do the following:
Click Assign. The Assign Administrators page appears.
This page displays all group names that can be assigned to this resource. Use the check boxes to activate the Write Access and Delete Access as well as assign the group to this resource.
Afterwards, click Assign. The Confirm Assign page appears.
This page displays the new user group(s) assigned to this resource. If you need to make changes to the information, click Cancel. Otherwise, click Confirm Assign.
The Resource Administrators page appears with a list of all group names associated with this resource. You can make modifications to this information if desired.
The Create New Group option enables you to create a new group to administrate the resource. Clicking this button initiates the "Delegated Admin Wizard".
Click Create New Group. The Assign Administrators – STEP 1: Assign Administrators page appears.
In the Results table, click the desired User Login (names) that you want in your administrator group. Then click the Add button. The names will appear in the Selected display panel. Click Continue. Otherwise click Exit to end the wizard.
The Assign Administrators – STEP 2: Specify Alias page appears.
Enter the alias name for the administrator group. Then click Continue. Otherwise click Back to return to the previous page or Exit to end the wizard.
The Assign Administrators – STEP 3: Specify Permissions page appears.
Click Write and Delete checkboxes to enable the administrator group to have these permissions. Then click Continue. Otherwise click Back to return to the previous page or Exit to end the wizard.
The Assign Administrators – STEP 4: Verify Delegation Information page appears.
This page enables you to make any changes to the delegated information displayed. To make a change, click the desired category Change link and the corresponding (step) page will appear. However, if you verified that there is no change, then click Continue. Otherwise click Back to return to the previous page or Exit to end the wizard.
The Resource Administrator page appears. Note that the new group is added to the Results table.
Note: If a user creates a new group, and the user belongs to certain other groups with Write and Delete access, then these other groups become administrative groups for the new group. This is also true when the user creates a new organization.
The Update Permissions option enables you to update the permissions of an administrator group.
Click Update Permissions. The Resource Detail >> Resource Administrators >> Update Administrators page appears.
To change the permission setting for an administrative group, click the desired checkboxes for Write Access and Delete Access. Click Update to make the modifications. Otherwise, click Cancel. The Confirmation page appears.
The Confirmation page displays the administrative group names that you have updated. If these are the correct names, then click Confirm Update. Otherwise, click Cancel.
In the Resource Detail page, select the Resource Authorizer option from the pull-down menu. The Resource Detail >> Resource Authorizers page appears.
The Resource Detail >> Resource Authorizers page lists all of the user groups that are authorized to provision the resource. You can also set the level of priority for authorizing this resource by selecting on the Increase/Decrease Priority radio button. If you wish to delete the authorizer of this resource, you can select the appropriate Group Name checkbox and click Delete.
To add additional user groups to authorize resources, click Assign. The Resource Detail >> Resource Authorizers >> Assign Authorizers page appears.
Select the desired Group Name checkbox, then click Assign. Otherwise, click Cancel. The Confirmation page appears. If this is correct, click Confirm Assign. Otherwise, click Cancel. The Resource Detail >> Resource Authorizers page appears.
Note that the Group Name that you assigned to this resource is added in the Results table.
The Graphical Workflow Visualizer tool provides a visual representation of your task sequences, dependencies, and other components that make up your workflow definition. The tool takes your complex workflow definition and renders it into an easy-to-understand visual representation. The graphic representation gives you an intuitive overview of the workflow, its relationships, and the task components that make up the flow. You can manipulate the workflow view and arrange it to your desire. Also, this tool enables you to print the workflow view. There are two Oracle Identity Manager process types that the Graphical Workflow Visualizer tool will display; the Approval and Provisioning types. The Approval type of process is generally used to approve the provisioning of Oracle Identity Manager resources to users or organizations. Unlike provisioning processes, approval processes are usually comprised of tasks that must be manually completed. The other process type is the Provisioning type. This type of process is used to provision Oracle Identity Manager resources to users or organizations.
Note: To access the Workflow Visualizer, the Nexaweb applet requires your web browser configuration to use Java Virtual Machine 1.4.2.x.x.
This section covers the following topics:
In the Resource Detail page, select the Resource Workflows option from the pull-down menu. The Resource Detail >> Resource Workflows page appears. This page displays the Resource Name and a table that lists all the names of the workflow definitions for this resource. To render the workflow definition into a graphic flowchart, click the link of the desired Workflow Name. A new web browser window is launched and a graphical representation of the workflow definition is displayed.
The Approval Workflow Definition is displayed as one flow that represents the entire approval process. The workflow details header shows no information on the form since the approval process has no form of its own. Therefore, the Workflow Visualizer does not display the Name of Process Form information field.
The Information Fields of the Workflow Visualizer are:
Field Name | Description |
---|---|
Workflow Name | This is the name of the Process Definition. |
For Resource | This is the name of the Object Name (resource object that is either approved or provisioned). |
Workflow Type | This is the name of the Process Definition type (Approval or Provisioning). The type also indicates whether the workflow is the default for the resource. |
The Toolbar Menu Items of the Workflow Visualizer are:
Field Name | Description |
---|---|
Display Option | Display Unknown Response Code – The "Unknown" response code is defined for every single task in the workflow. It is not used within the logic of the workflow. However, you have the option of showing the Unknown response codes or not. Display Adapter Name On-Screen – You can display the name of the automated adapter. Display Undo Tasks – You can display the undo tasks for the tasks on-screen. Display Recovery Tasks – You can display the recovery tasks for the tasks on-screen. |
Generate Image | This option enables you to save the workflow view as an image that can be printed at a later time. Upon clicking on this menu item, a new browser window is launched and displays a JPEG formatted image. The entire workflow is displayed, even parts of the flowchart that are hidden due to scrolling limitations of the display area. You can then use the standard web browser mechanisms to save the image locally on your machine by right-clicking on the image and selecting "Save Picture As…" in the menu. |
Reload Workflow | This option refreshes the workflow view. |
Legend | This option provides an explanation of all visual components that are used to create the flowchart of the workflow definition. |
Markers – The Marker Nodes represent position markers for special conditions. These conditions are:
Start Point – The Start Marker represents the logical start point within the workflow. It is not an actual task within the workflow definition.
On-Page Reference – The On-Page Reference Marker represents a task node that has already been drawn somewhere else in the workflow chart. It is used to show connectivity to other tasks without crowding the workflow view with crossing links.
Response Sub-Tree – The Response Sub-Tree markers (Expansion Nodes) help keep the workflow controllable by hiding significant sub-trees of response nodes. Double-click the Expansion Node marker and the workflow view will redraw the flowchart with the responses.
Tasks – The Task Nodes represent the tasks in the workflow. They are:
Manual Tasks – A Manual Task represents any task within a process that requires user action in order to be completed. Approval processes are generally comprised of manual tasks.
Automated Tasks – An Automated Task represents any task within a process that does not require user interaction for completion. Automated tasks always require a process task adapter. Provisioning processes are generally comprised of automated tasks.
Responses – The Response Nodes represent the Response Codes that are defined on the tasks. The Response Node shows the actual Response Code within it. The Response Code is based on the status that the response sets on the task.
Completes Task – The process task has been completed and is indicated by a green color.
Rejected Task – The process task has been rejected and is indicated by a red color.
Cancels Task – The process task has been cancelled and is indicated by a blue color.
Links – Directional arrow lines connect the (task and response) nodes and indicate the flow of the workflow. The color of the link indicates the type of relationship between the two nodes that it connects.
Initial Task – The Initial Task is the first process task in the workflow definition.
Response Generated Task – The Response Generated Task is defined as a process task that is triggered when the current task is Completed. Generally, a new process task can then be triggered when the conditional task receives a particular response code in conjunction with the execution of the process task.
Recovery Task – The Recovery Task is defined as a process task that is triggered when the current process task is Rejected.
Undo Task – The Undo Task is defined as a process task that is triggered when the current process task is Cancelled.
Dependent Task – The Dependent Task is defined as a process task that is dependent upon another process. Oracle Identity Manager can only initiate this type of task once the process task on which it is dependent is completed.
The Workflow Visualizer enables you to manipulate the workflow view by using the following features:
Drag and Drop
Display Option (menu item)
Task Node (right-click menu)
Expansion Nodes (Response Sub-Tree)
To illustrate how you can manipulate your workflow definition, the Corporate DB Provisioning workflow definition is shown. Selecting an event tab displays the appropriate sequence of tasks for that event. These event tabs are discussed in Using the Provisioning Workflow Definition Event Tabs.
Figure 12-1 Using the Workflow Visualizer
You can rearrange the graphical workflow by dragging and dropping the icon components that make up the workflow definition to any location in the workflow view. As you move an icon component, the direction arrow will continue to associate the link.
Figure 12-2 Using Drag and Drop in the Workflow Visualizer
You can also use the Display Options toolbar menu item to display or hide the Unknown Response code, Adapter Name, Undo Tasks, and Recovery Tasks. The Workflow Visualizer then automatically redraws the workflow based on your criteria.
When you right-click the task node, the Hide Responses option appears. When you click this option, the response sub-tree collapses and is replaced with an expansion node. The task node name (label) is highlighted in yellow to denote that it was collapsed. Once collapsed, the Hide Responses action option will not appear.
Figure 12-3 Using the Task Node (Right-Click Menu)
Task Nodes with more than five response codes (not including the "Unknown Response" code) will not be drawn with their responses in the flowchart. Instead, an expansion node replaces the entire response sub-tree. When you double-click the expansion node, the flowchart will be redrawn to display the response sub-tree for the parent task (node). The label of the task node is highlighted in yellow.
Figure 12-4 Collapsed Response Subtree in the Workflow Visualizer
Note: When you place your cursor over the Expansion Node, it will indicate how many response codes are associated with it. Unknown Response Codes are hidden by default.
As previously mentioned, the Provisioning Workflow Definition is displayed with associated event tabs of the logical flow. The event tabs represent the various task sequences for a specific event of the workflow definition. Clicking an event tab displays the appropriate tasks for that workflow event of the process. You can arrange the flowchart to your desired view. If there is no task defined for the workflow event, the tab will display a blank view. On the other hand, if there is more than one task sequence for the workflow event type, then the tab will display a pull-down menu where you can select the desired process flowchart.
The Provisioning tab shows the tasks that will provision a resource. Since the process type is Provisioning, the process flowchart will show all tasks in order to provision a resource.
The Reconciliation tab shows the reconciliation event for the provisioning process with marker tasks inserted into it – either Reconciliation Insert Received or Reconciliation Update Received. These tasks could have adapters attached to them to initiate some provisioning action. If no adapters are attached to a task, then a response code of "Event Processed" is assigned to that task. Additional provisioning process tasks could be generated based on this response code in order to initiate a provisioning flow due to the reconciliation event.
The Service Account tab shows all the provisioning processes of service accounts for users (administrators). When a user is provisioned with a service account, Oracle Identity Manager manages a mapping from the user's identity to the service account. When the resource is "revoked" or the user gets "deleted", the provisioning process for the service account does not get cancelled. Instead, a task is inserted into the provisioning process to remove the mapping from the user to the service account. The provisioning processes of service accounts are: Service Account Changed, Service Account Alert, and Service Account Moved.
The User Event tab shows the workflows that respond to changes to the user record (such as updating the password and updating the user ID).
The Org Event tab shows the workflows that respond to changes to the organization record (such as updating the organization name and updating the organization's parent name or key) of the organization the resource is provisioned to or the organization of the user that the resource is provisioned to.
The Resource Event tab shows the workflows that respond to state changes of the provisioned resource instance, such as being enabled or disabled.
To view the detailed information of a particular task, double-click the desired task (icon). The Task Detail pop-up window is similar to the task definition window in the Process Definition Form of the Oracle Identity Manager Design Console. The Task Detail window displays information about the task definition, which is presented in a logical grouping of tabs. The tabs include:
General – This tab displays the Task Information, such as Name and Description.
Automation – This tab provides information about any adapter automating the task; its status and variable mappings.
Task Assignment – This tab displays information controlling how the task is assigned and all associated information.
Depends On – This tab lists all tasks that the selected task depends on.
Resource Status Management – This tab shows the mapping between the task status and the resource status.
Field Name | Description |
---|---|
Task Name | The name of the process task. |
Task Description | Explanatory information about the process task. |
Task Effect | This field indicates the process action for this task. It can be ENABLED, DISABLED, or NONE. A process is enabled or disabled for a user's access to a resource. A disabled action will also disable all associated tasks. The NONE action indicates that this task is not associated with a particular process action. |
Retry Interval | This field indicates the time in minutes that you want to wait before adding this process task instance. |
Retry Attempt Limit | This field indicates the number of times Oracle Identity Manager will retry a rejected task. |
Conditional Task | This field specifies any condition that must be met for the process task. |
Complete On Recovery | This field indicates that Oracle Identity Manager will change the status of the current process task from Rejected to Unsuccessfully Completed upon completion of all recovery tasks that are generated. This flag triggers other dependent process tasks. |
Allow Cancellation While Pending | This field indicates whether the process task can be cancelled if its status is Pending. |
Allow Multiple | This field indicates if the task is allowed to be inserted multiple times within a single process instance. |
Required For Workflow Completion | This field indicates that the process cannot be completed if the process task does not have a status of Completed. |
Manual Insert | This field indicates whether a user can manually add the current process task to the process. |
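The link rules from the Legend (Response Generated, Recovery, Undo and Dependent Task) and the Complete On Recovery and Required For Workflow Completion fields above can be traced with a small model. This is an added example, not Oracle code or an Oracle Identity Manager API: the `Task` class, `simulate`, `can_complete`, the sample workflow, its task names and the "OK" response code are all constructed for illustration, and the model assumes each task runs at most once.

```python
from dataclasses import dataclass, field

# Simplified model of the link rules described on this page. Not Oracle code:
# every class, function, task name and response code here is constructed.
@dataclass
class Task:
    name: str
    depends_on: list = field(default_factory=list)   # Dependent Task links
    on_response: dict = field(default_factory=dict)  # response code -> Response Generated Tasks
    recovery: list = field(default_factory=list)     # Recovery Tasks, fire on Rejected
    undo: list = field(default_factory=list)         # Undo Tasks, fire on Cancelled
    complete_on_recovery: bool = False               # Complete On Recovery flag
    required: bool = False                           # Required For Workflow Completion

FINISHED = {"Completed", "Unsuccessfully Completed"}

def simulate(workflow, initial, outcomes):
    """Return (final status per task, trigger log).
    `outcomes` maps a task name to (status, response code); tasks that are
    not listed finish as Completed with the constructed code "OK".
    """
    tasks = {t.name: t for t in workflow}
    status, log = {}, []

    def release_dependents():
        # A Dependent Task starts only once everything it depends on finished.
        for t in tasks.values():
            if t.name not in status and t.depends_on and all(
                    status.get(d) in FINISHED for d in t.depends_on):
                start(t.name, "dependencies finished")

    def start(name, why):
        if name in status:  # model assumption: each task runs at most once
            return
        st, code = outcomes.get(name, ("Completed", "OK"))
        status[name] = st
        log.append((name, why, st))
        task = tasks[name]
        if st == "Completed":
            for nxt in task.on_response.get(code, []):
                start(nxt, f"response {code} of {name}")
        elif st == "Rejected":
            for nxt in task.recovery:
                start(nxt, f"recovery for {name}")
            recovered = task.recovery and all(
                status[r] == "Completed" for r in task.recovery)
            if task.complete_on_recovery and recovered:
                status[name] = "Unsuccessfully Completed"
        elif st == "Cancelled":
            for nxt in task.undo:
                start(nxt, f"undo for {name}")
        release_dependents()

    start(initial, "initial task")
    return status, log

def can_complete(workflow, status):
    # Literal reading of the field: a required task must have status Completed.
    return all(status.get(t.name) == "Completed" for t in workflow if t.required)

# Constructed sample workflow for a provisioning process.
SAMPLE = [
    Task("Create Account", on_response={"OK": ["Notify User"]},
         recovery=["Open Ticket"], undo=["Remove Account"],
         complete_on_recovery=True, required=True),
    Task("Assign Mailbox", depends_on=["Create Account"], required=True),
    Task("Notify User"), Task("Open Ticket"), Task("Remove Account"),
]
```

With `{"Create Account": ("Rejected", "ERR")}` as outcomes, the recovery task runs, the dependent task is released, and `can_complete` is still false because the required task ends as Unsuccessfully Completed rather than Completed under the literal reading used here.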
Tasks belonging to provisioning processes are usually automated.
Field Name | Description |
---|---|
Adapter Name | This is the name of the adapter. |
Adapter Status | This indicates if the adapter is completely mapped or not. |
Adapter Variable | This is a user-defined placeholder within the adapter that contains runtime application data used by its adapter tasks. |
Mapped? | This indicates if the adapter variable is mapped or not. |
Note: If the task is not automated then this tab is not displayed.
This tab specifies the assignment rules for the process task. These rules will determine how the process task will be assigned. Task Assignment Rules are associated with tasks of approval processes, since these tasks are usually completed manually. Tasks belonging to provisioning processes are usually automated. As a result, they do not need task assignment rules.
A resource is provided with pre-defined provisioning statuses, which represent the various statuses of the resource object throughout its lifecycle as it is being provisioned to the target user or organization. This tab displays the link between the status of a process task (Task Status) and the provisioning status of the resource (Resource Status) to which it is assigned.
Field Name | Description |
---|---|
Task Status | This is one of the pre-defined provisioning statuses. |
Resource Status | The status can be one of the following: Waiting, Provisioning, None, Ready, Enabled, Disabled, Revoked, Provisioned, and Provide Information |