Oracle® Identity Manager Design Console Guide Release 9.0 B25940-01
This chapter describes resource management in Oracle Identity Manager. It contains the following topics:
The Resource Management folder provides System Administrators with the tools necessary to manage Oracle Identity Manager resources. This folder contains the following forms:
IT Resources Type Definition: This form is used to create the resource types that appear as lookup values on the IT Resources form.
IT Resources: This form is used to define and manage IT resources.
Rule Designer: This form is used to create rules that can be applied to password policy selection, auto-group membership, provisioning process selection, task assignment, and prepopulate adapters.
Resource Objects: This form is used to create and manage resource objects. These objects represent the resources that you wish to make available to users and organizations.
Note: Throughout this chapter, you will read about prepopulate adapters and Java tasks. To learn more about adapters and adapter tasks, refer to Oracle Identity Manager Tools Reference Guide.
The IT Resources Type Definition form, as shown in Figure 6-1, is located in the Resource Management folder. It is used to specify the types of IT resources that are to be associated with the resource objects that can be provisioned to target users and organizations.
The IT resource types defined here will be available for selection (using the Type field) when defining IT resources in the IT Resources form. IT resource types serve as a template for all IT resource definitions that reference them.
Note: Each IT resource definition must be associated with an IT resource type.
Figure 6-1 The IT Resources Type Definition Form
Note: If the IT resource you are defining must access an external resource but cannot reach that resource using the network, you must associate it with a remote manager. For more information on defining remote managers (and their association with IT resources), refer to Oracle Identity Manager Tools Reference Guide.
As mentioned, the IT Resources Type Definition form is used to classify the IT resource types (for example, AD, MS Exchange, Solaris) that Oracle Identity Manager can associate with the resource objects it will be provisioning. The IT resource type serves as the general IT classification (such as Solaris), whereas the IT resource designates a particular instance of that resource type (Solaris for Statewide Investments). The parameters and values defined for an IT resource type are inherited by all IT resource definitions that reference it.
Now that we have reviewed IT resource types, you will learn about the data fields of the IT Resources Type Definition form. The following table describes the fields of this form.
Field Name | Description |
---|---|
Server Type | The name of the IT resource type. |
Insert Multiple | This checkbox is used to specify whether this IT resource type may be referenced by more than one IT resource. |
Now that you have reviewed IT resource types, you are ready to define a template for IT resources.
To define a template for IT resources, perform the following steps:
Enter the name of the IT resource type in the Server Type field (for example, Solaris).
When you want this IT resource type to be available for multiple IT resources, select the Insert Multiple checkbox.
If you wish this IT resource type to be available for only one IT resource, clear the Insert Multiple checkbox.
Click Save. The IT resource template is defined. It can now be selected (using the Type field) when defining IT resources from within the IT Resources form.
Once you save the preliminary information for a new IT resource type, or query for an existing IT resource type, the fields within the tabs of the IT Resources Type Definition form's lower region are enabled.
The IT Resources Type Definition form is comprised of the following tabs:
IT Resource Type Parameter
IT Resource
Each of these tabs is covered in greater detail in the sections that follow.
The IT Resource Type Parameter tab is used to specify the default values and encryption settings for all connection parameters that are associated with the IT resource type, as shown in Figure 6-1. Any parameters specified on this tab are automatically inherited by all IT resources that reference this IT resource type.
Note: The default values and encryption settings supplied for these parameters may be customized within each IT resource.
Now that you have reviewed the IT Resource Type Parameter tab, you will learn how to add a parameter to an IT resource type and how to remove a parameter from it.
Add a Parameter to an IT Resource Type
To add a parameter to an IT Resource Type, perform the following steps:
Click Add. A new row is displayed within the IT Resource Type Parameter tab.
Enter the name of the parameter in the Field Name field.
Enter a value into the Default Field Value field. This default value will be inherited by all IT resources that reference this IT resource type.
Select or clear the Encrypted checkbox. This checkbox specifies whether the parameter's value is masked (that is, shown as ****) within any form fields. Select it for any parameter that holds a secret, such as the password of the account used to connect to the target system, so that the value is not exposed to everyone who can view the IT resource definition; clear it when the value may be displayed in the clear within Oracle Identity Manager fields.
Click Save. The specified parameter, along with its default value and encryption setting, is added to the current IT resource type. As a result, the parameter is also added to any new or existing IT resource definitions that reference this IT resource type: for each such definition, it appears within the Parameters tab of the IT Resources form.
Remove a Parameter From an IT Resource Type
To remove a parameter from an IT Resource Type, perform the following steps:
Highlight the parameter you want to remove.
Click Delete. The parameter and its associated value will be removed from both the IT resource type, and any IT resource definitions that reference this type.
The IT Resource Type Definition Table displays the following information:
Field Name | Description |
---|---|
Server Type | The name of the IT resource type (as defined in the IT Resource Type Definition form). |
Insert Multiple | This checkbox indicates whether more than one IT resource of this type can be created. |
The IT Resources form is located in the Resource Management folder. It is used to display (and specify the parameter values for) the IT resources that you wish to make available within Oracle Identity Manager.
IT resource definitions generally represent the hardware (i.e., a Server or a machine) on which one or more resources reside. These IT resource definitions are then referenced by your resource objects during the execution of provisioning processes. A resource object cannot be provisioned without an association with an IT resource definition, which specifies where that resource is located and how to connect to it.
In addition, the variables of an Oracle Identity Manager adapter can be mapped to the values of any parameters defined for an IT resource. These parameters can represent information pertaining to the hardware itself (for example, a Server's domain name) or other information, such as the ID of the user who accesses this IT resource.
Note: For more information about adapters and their mappings, refer to Oracle Identity Manager Tools Reference Guide.
Each IT resource definition represents a particular instance of an IT resource type. In the above example, the ramone definition belongs to the IT resource type named Database.
Now that we have reviewed IT resources, you will learn about the data fields of the IT Resources form. The following table describes the fields of this form.
Field Name | Description |
---|---|
Name | The name of the IT resource. |
Type | The IT resource type of this IT resource (as defined in the IT Resources Type Definition form). |
Remote Manager | When the IT resource can be accessed using a remote manager, this field displays the name of the remote manager. Otherwise, this field is empty. |
Now that you have reviewed IT resources, you are ready to define an IT resource.
To define an IT Resource, perform the following steps:
Enter the name of the IT resource in the Name field.
Double click the Type lookup field. From the Lookup dialog box that is displayed, select the IT resource type that is to be associated with this IT resource. Click OK.
Note: IT resource types are defined using the IT Resource Type Definition form.
The IT resource will inherit the parameters and values that were defined for the IT resource type you select.
If the IT resource is to be accessed using a remote manager (that is, Oracle Identity Manager cannot reach the resource directly over the network and must go through a remote manager, as described in the note earlier in this chapter), double-click the Remote Manager lookup field. From the Lookup dialog box that is displayed, select the desired remote manager. Click OK.
If the IT resource will not be accessed using a remote manager, proceed to Step 4.
Click Save. The IT resource is defined. The parameters and default values associated with this IT resource classification type appear within the Parameters tab. In addition, this IT resource will now be displayed on the IT Resource tab of the IT Resources Type Definition form for the associated IT resource type.
Optional. To specify IT resource-specific values for the parameters that are listed on the Parameters tab, select the Value field for the parameter you wish to edit, and enter the desired value. Then, click Save.
Use the Administrators tab to grant Read, Write, or Delete permissions on this IT resource to specific administrative groups. These permissions also provide access control for the IT resource APIs, so restrict them to the groups that actually manage the resource's connection parameters.
Click the Administrators tab. The administrative groups already associated with this IT resource instance are displayed.
Click Assign to add a new administrative group.
In this example, G2 is assigned as an administrative group for the ramone IT resource instance.
Click the desired checkbox to give Read, Write, or Delete permissions.
Click the Save button.
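The inheritance and masking behaviour described in the IT Resources Type Definition and IT Resources procedures above, together with the Administrators tab permissions, as an added example that is not part of the original guide and is not Oracle Identity Manager code. It models a type whose parameters and defaults are inherited by every IT resource that references it, instance-specific overrides, propagation of a parameter added to or removed from the type, masking of Encrypted values in the form view, and the Read/Write check against the groups on the Administrators tab. The class names, the Database parameter names and values, and the form of the permission check are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of the forms described above (IT Resources Type Definition,
# IT Resources, and the Administrators tab). Class and method names are
# illustrative and are not Oracle Identity Manager APIs.

MASK = "****"  # how the form shows the value of an Encrypted parameter


@dataclass
class TypeParameter:
    """One row of the IT Resource Type Parameter tab."""
    field_name: str
    default_value: str
    encrypted: bool = False


@dataclass
class ITResourceType:
    """A Server Type and the IT resources that reference it (the IT Resource tab)."""
    server_type: str
    insert_multiple: bool = True
    parameters: Dict[str, TypeParameter] = field(default_factory=dict)
    instances: List["ITResource"] = field(default_factory=list)

    def add_parameter(self, field_name: str, default_value: str, encrypted: bool = False) -> None:
        # Existing IT resources pick the new parameter up immediately, because
        # they resolve values through their type (see effective_parameters).
        self.parameters[field_name] = TypeParameter(field_name, default_value, encrypted)

    def remove_parameter(self, field_name: str) -> None:
        # Delete removes the parameter from the type and from every IT resource
        # that references it, including any instance-specific value.
        del self.parameters[field_name]
        for resource in self.instances:
            resource.values.pop(field_name, None)


@dataclass
class ITResource:
    """One IT resource definition: a particular instance of an IT resource type."""
    name: str
    resource_type: ITResourceType
    remote_manager: Optional[str] = None
    values: Dict[str, str] = field(default_factory=dict)               # Parameters tab overrides
    administrators: Dict[str, Set[str]] = field(default_factory=dict)  # group -> permissions

    def __post_init__(self) -> None:
        if not self.resource_type.insert_multiple and self.resource_type.instances:
            raise ValueError(f"type {self.resource_type.server_type!r} allows only one IT resource")
        self.resource_type.instances.append(self)

    def assign_administrators(self, group: str, *permissions: str) -> None:
        unknown = set(permissions) - {"Read", "Write", "Delete"}
        if unknown:
            raise ValueError(f"unknown permissions {sorted(unknown)}")
        self.administrators.setdefault(group, set()).update(permissions)

    def _require(self, group: str, permission: str) -> None:
        if permission not in self.administrators.get(group, set()):
            raise PermissionError(f"{group} lacks {permission} on IT resource {self.name!r}")

    def set_value(self, group: str, field_name: str, value: str) -> None:
        """Give a parameter an IT resource-specific value (needs Write)."""
        self._require(group, "Write")
        if field_name not in self.resource_type.parameters:
            raise KeyError(f"{field_name!r} is not a parameter of {self.resource_type.server_type!r}")
        self.values[field_name] = value

    def effective_parameters(self) -> Dict[str, str]:
        """The values a connector or adapter mapping would actually use."""
        return {name: self.values.get(name, p.default_value)
                for name, p in self.resource_type.parameters.items()}

    def form_view(self, group: str) -> Dict[str, str]:
        """What the Parameters tab shows a member of `group` (needs Read)."""
        self._require(group, "Read")
        return {name: MASK if p.encrypted else self.values.get(name, p.default_value)
                for name, p in self.resource_type.parameters.items()}


def build_example():
    """The Database type and the ramone IT resource named in this chapter, with
    constructed parameter names and values."""
    database = ITResourceType("Database", insert_multiple=True)
    database.add_parameter("Database URL", "jdbc:oracle:thin:@dbhost:1521:orcl")
    database.add_parameter("Admin Login", "oimadmin")
    database.add_parameter("Admin Password", "", encrypted=True)  # a secret: keep it masked

    ramone = ITResource("ramone", database)
    ramone.assign_administrators("G2", "Read", "Write")  # G2, as in the Administrators tab example
    ramone.set_value("G2", "Database URL", "jdbc:oracle:thin:@ramone:1521:hr")
    ramone.set_value("G2", "Admin Password", "s3cret")
    return database, ramone


if __name__ == "__main__":
    database, ramone = build_example()
    print(ramone.form_view("G2"))          # Admin Password is shown as ****
    database.add_parameter("Connect Timeout", "30")
    print(ramone.effective_parameters())   # ramone inherits the new parameter's default
```

Note that masking only affects what the form displays: `effective_parameters` still returns the real secret, which is what any adapter mapped to the parameter receives. That is why the group permissions on the definition matter as much as the Encrypted flag.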
Rules are criteria that enable Oracle Identity Manager to match conditions and take action based on them.
Rules can be used for various purposes, such as:
Determining which password policy will be applied to a resource object of type Application.
Enabling users to be added to user groups automatically.
Specifying which approval and provisioning processes will be selected for a resource object, once that resource object is assigned to a request.
Determining how a process task will be assigned to a user.
Specifying which prepopulate adapter will be executed for a given form field.
Note: To learn more about prepopulate adapters and their usage with form fields, refer to Oracle Identity Manager Tools Reference Guide.
The Rule Designer form, as shown in Figure 6-2, is located in the Resource Management folder. It is used to create and manage the rules that are used with the resources in Oracle Identity Manager.
There are four types of rules:
General. This type of rule enables Oracle Identity Manager to add a user to a user group automatically. It can also be used to determine the password policy that will be assigned to a resource object.
Process Determination. This type of rule determines the standard approval process that will be associated with a request, as well as the approval and provisioning processes that will be selected for a resource object.
Task Assignment. This type of rule specifies which user and/or user group will be assigned to a process task.
Prepopulate. This type of rule determines which prepopulate adapter will be executed for a given form field.
Note: A rule can be assigned to either a specific resource object or process, or it can be applied to all resource objects or processes.
A rule can be comprised of the following items:
A rule element. A rule element consists of an attribute, an operator, and a value. For this example, the attribute is User Login, the operator is ==, and the value is XELSYSADM.
A nested rule. Sometimes, for logic purposes, one rule must be contained inside of another rule. The internal rule is known as the nested rule. In this example, the Rule to Prevent Solaris Access rule is nested inside of the Rule for Solaris rule.
An operation. When a rule is comprised of multiple rule elements or nested rules, an operation is needed to show the relationship among the rule elements and/or nested rules. For this example, the AND operation is selected, signifying that the User Login==XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule must both be true for the rule to be successful.
You will now learn about the data fields of the Rule Designer form. The following table describes the data fields of this form.
Field Name | Description |
---|---|
Name | The rule's name. |
AND/OR | These radio buttons are used to specify the operation for the rule. To stipulate that a rule will be successful only when all of its outer rule elements and/or nested rules are TRUE, select the AND radio button. To indicate that a rule is to be successful if any of its outer rule elements and/or nested rules are TRUE, select the OR radio button. Important: These radio buttons do not reflect the operations for rule elements that are contained within nested rules. In Figure 6-2, the AND operation applies to the User Login == XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule. However, this operation has no bearing on the Object Name != Solaris rule element (which is contained within the Rule to Prevent Solaris Access rule and is governed by that rule's own AND/OR setting). |
Type | The rule's classification type. A rule can belong to one of four types: General, Process Determination, Task Assignment, or Prepopulate. |
Sub-Type | For organizational purposes, when a rule's type is Process Determination, Task Assignment, or Prepopulate, it can be further categorized into one of four sub-types: Organizational Provisioning, User Provisioning, Approval, or Standard Approval. Note: If a rule's type is Task Assignment or Prepopulate, the Approval and Standard Approval items will not appear within the Sub-Type combo box. Furthermore, when a rule's type is General, the Sub-Type combo box will be disabled. |
Object | The resource object to which this rule is assigned. |
All Objects | By selecting this check box, the rule can be assigned to all resource objects. |
Process | The process to which this rule is assigned. |
All Processes | By selecting this check box, the rule can be assigned to all processes. |
Description | Explanatory information about the rule. |
Now that we have reviewed the data fields of this form, you will learn how to create a rule.
To create a rule, perform the following steps:
Open the Rule Designer form.
In the Name field, enter the name of the rule.
If you want to stipulate that a rule will be successful only when all of its rule elements and/or nested rules are TRUE, select the AND radio button. If you want to indicate that a rule is to be successful if any of its rule elements and/or nested rules are TRUE, select the OR radio button.
Caution: These radio buttons do not reflect the operations for rule elements that are contained within nested rules. In Figure 6-2, the AND operation applies to the User Login == XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule. However, this operation has no bearing on the Object Name != Solaris rule element (which is contained within the Rule to Prevent Solaris Access rule).
Click the Type combo box. From the custom menu that appears, select the classification status (General, Process Determination, Task Assignment, or Prepopulate) that will be associated with the rule.
If you select Process Determination from the Type combo box, click the Sub-Type combo box. From the drop-down menu that is displayed, select the specific classification status (Organizational Provisioning, User Provisioning, Approval, or Standard Approval) that will be associated with the rule.
If you select Task Assignment or Prepopulate from the Type combo box, click the Sub-Type combo box. From the drop-down menu that is displayed, select the specific classification status (Organization Provisioning or User Provisioning) that will be associated with the rule.
If you select General from the Type combo box, proceed to Step 8.
If you want to associate the rule with a single resource object, double-click the Object lookup field. From the Lookup dialog box that is displayed, select the resource object that will be associated with the rule.
If you want the rule to be accessible with all resource objects, select the All Objects check box.
When you want to assign the rule to one process, double-click the Process lookup field. From the Lookup dialog box that is displayed, select the process that will be associated with the rule.
Caution: The only processes that appear within this Lookup window are ones that are associated with the resource object you selected in Step 6.
If you want the rule to be accessible with all processes, select the All Processes check box.
Caution: If you selected a resource object in Step 6, selecting the All Processes check box makes this rule accessible to every process that is associated with that resource object.
In the Description field, enter explanatory information about the rule.
Click Save. The rule is created. In addition, the tabs of this form are now functional.
Once you launch the Rule Designer form, and create a rule, the tabs of this form become operational.
The Rule Designer form contains the following tabs:
Rule Elements
Usage
Each of these tabs is covered in greater detail in the following sections.
Figure 6-3 displays the Rule Elements tab of the Rule Designer form.
Figure 6-3 The Rule Elements Tab of the Rule Designer Form
Within this tab, you can create and manage the rule elements and/or the nested rules for a rule. For this example, the Rule for Solaris rule contains the User Login==XELSYSADM rule element. It also has the Rule to Prevent Solaris Access rule nested within it.
This rule is to be applied to a provisioning process that is associated with the Solaris resource object. Once this resource object is assigned to a request, the rule is evaluated. Because the outer operation is AND, the rule is TRUE only when the target user's login is XELSYSADM and the nested Rule to Prevent Solaris Access is also TRUE (its own element being Object Name != Solaris, as shown in Figure 6-2); only then is the provisioning process that this rule selects used to provision the Solaris resource object to the user. If either condition is FALSE, the rule fails and the user does not get access to Solaris through this process.
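The evaluation semantics described above (rule elements with == and !=, the outer AND/OR, nested rules that keep their own operation, case-sensitive attribute values, and the restriction that a nested rule share the parent's type and sub-type), as an added Python example that is not part of the original guide or of Oracle Identity Manager. Class names are illustrative; the type and sub-type given to the two Solaris rules, and the treatment of an attribute that is absent from the data, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Constructed model of Rule Designer rules: rule elements (attribute, operation,
# value), an outer AND/OR operation, and nested rules. Names are illustrative
# and are not Oracle Identity Manager APIs.


@dataclass
class RuleElement:
    attribute: str
    operation: str   # "==" or "!=", the only operations the Edit Rule Element dialog offers
    value: str

    def evaluate(self, data: Dict[str, str]) -> bool:
        # Assumption: an attribute missing from the data compares as None, so
        # "!=" is TRUE and "==" is FALSE for it. Comparison is case-sensitive.
        actual = data.get(self.attribute)
        if self.operation == "==":
            return actual == self.value
        if self.operation == "!=":
            return actual != self.value
        raise ValueError(f"unsupported operation {self.operation!r}")


@dataclass
class Rule:
    name: str
    operation: str = "AND"        # the rule's own AND/OR radio buttons
    rule_type: str = "General"
    sub_type: str = ""
    items: List[Union[RuleElement, "Rule"]] = field(default_factory=list)

    def add_element(self, attribute: str, operation: str, value: str) -> "Rule":
        self.items.append(RuleElement(attribute, operation, value))
        return self

    def add_rule(self, nested: "Rule") -> "Rule":
        # The Select Rule window only offers rules of the same type and sub-type.
        if (nested.rule_type, nested.sub_type) != (self.rule_type, self.sub_type):
            raise ValueError(f"cannot nest {nested.name!r}: type/sub-type differ from {self.name!r}")
        self.items.append(nested)
        return self

    def evaluate(self, data: Dict[str, str]) -> bool:
        # Assumption: a rule with no elements matches nothing; the chapter does
        # not define this case.
        if not self.items:
            return False
        # A nested rule applies its own AND/OR to its own items; the outer
        # operation only combines this rule's direct items.
        results = [item.evaluate(data) for item in self.items]
        if self.operation == "AND":
            return all(results)
        if self.operation == "OR":
            return any(results)
        raise ValueError(f"unsupported rule operation {self.operation!r}")


def rule_for_solaris() -> Rule:
    """The example rule of Figures 6-2 to 6-4. Type and sub-type are assumed."""
    prevent = Rule("Rule to Prevent Solaris Access", "AND", "Process Determination", "User Provisioning")
    prevent.add_element("Object Name", "!=", "Solaris")
    outer = Rule("Rule for Solaris", "AND", "Process Determination", "User Provisioning")
    outer.add_element("User Login", "==", "XELSYSADM")
    outer.add_rule(prevent)
    return outer


if __name__ == "__main__":
    rule = rule_for_solaris()
    print(rule.evaluate({"User Login": "XELSYSADM", "Object Name": "AD User"}))  # True
    print(rule.evaluate({"User Login": "XELSYSADM", "Object Name": "Solaris"}))  # False
    print(rule.evaluate({"User Login": "xelsysadm", "Object Name": "AD User"}))  # False: case-sensitive
```

The third call shows why the case-sensitivity note on the Attribute Value field matters: a rule written against XELSYSADM never matches a login stored as xelsysadm, so a rule meant to restrict access can silently fail to fire.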
When a rule element or nested rule is no longer valid, you need to remove it from the rule.
The following procedures will demonstrate how to:
Add a rule element to a rule
Add a nested rule to a rule
Remove a rule element or nested rule from a rule
Add a Rule Element to a Rule
To add a rule element to a rule, perform the following steps:
Click Add Element. The Edit Rule Element dialog box is displayed.
The following table will help you understand the various data fields of the Edit Rule Element dialog box.
Name | Description |
---|---|
Attribute Source | From this combo box, select the source of the attribute. For example, if the attribute you wish to select is Object Name, the attribute source to select would be Object Information. |
User-Defined Form | This field displays the user-created form that is associated with the attribute source that appears within the adjacent combo box. Note: If Object Data or Process Data do not appear within the Attribute Source combo box, the User-Defined Form field will be empty. |
Attribute | From this combo box, select the attribute for the rule. |
Operation | From this combo box, select the relationship between the attribute and the attribute value (== or !=). |
Attribute Value | In this text box, enter the value for the attribute. Note: The attribute's value is case-sensitive. |
Note: The custom menus of the combo boxes of the Edit Rule Element dialog box reflect the items that appear in the Type and Sub-Type combo boxes of the Rule Designer form.
Set the parameters for the rule you are creating, as shown in Figure 6-4.
Figure 6-4 Edit Rule Element Window -- Filled
For this example, if the Login ID of the target user is equal to XELSYSADM, the rule element is TRUE. Otherwise, it is FALSE.
From the Toolbar of the Edit Rule Element dialog box, click Save. Then, click Close. The rule element you created is displayed within the Rule Elements tab of the Rule Designer form.
From the main screen's Toolbar, click Save. The rule element is added to the rule.
Add a Nested Rule to a Rule
To add a nested rule to a rule, perform the following steps:
Click Add Rule. The Select Rule dialog box is displayed.
Select the desired nested rule and click Save.
Caution: Only rules of the same type and sub-type as the parent rule appear within the Select Rule window.
Then, click Close. The nested rule you selected appears within the Rule Elements tab of the Rule Designer form.
From the main screen's Toolbar, click Save. The nested rule is added to the rule.
Remove a Rule Element or Nested Rule From a Rule
To remove a rule element or nested rule from a rule, perform the following steps:
Highlight the rule element or nested rule that you want to remove.
Click Delete. The rule element or nested rule is removed from the rule.
Figure 6-5 displays the Usage tab of the Rule Designer form.
Figure 6-5 Usage Tab of the Rule Designer Form
Within this tab, you can see the following:
The password policy, resource object, process, process task, auto-group membership criteria, user group, Oracle Identity Manager form field, and/or pre-populate adapter with which a rule is associated.
A one-letter code, signifying the rule's classification type (A=Approval; P=Provisioning). This code appears for process determination rules only.
The rule's priority number.
Note: The type of information you can see within the Usage tab reflects the rule's classification type. For example, if the rule's type is Pre-Populate, the user-created field to which this rule is applied appears within this tab.
For this example, the Rule to Approve Solaris rule has been assigned to the Solaris resource object and the Process to Approve Solaris process. Since this is an approval rule, its classification type is A. Lastly, the priority of this rule is 1, indicating that it is the first approval rule that Oracle Identity Manager evaluates once the corresponding resource object is assigned to a request.
The Rule Designer Table, as shown in Figure 6-6, displays all available rules that were defined in the Rule Designer form.
The Rule Designer Table displays the following information:
Field Name | Description |
---|---|
Rule Name | This is the name of the rule. |
Rule Type | The rule's classification type. A rule can belong to one of four types: General, Process Determination, Task Assignment, or Pre-Populate. |
Rule Sub-Type | For organizational purposes, when a rule's type is Process Determination, Task Assignment, or Pre-Populate, it can be further categorized into one of four sub-types: Organizational Provisioning, User Provisioning, Approval, or Standard Approval. |
Rule Operator | The relationship between the attribute and the attribute value (== or !=). |
Description | Explanatory information about the rule. |
Last Updated | This is the date when the rule was last updated. |
The Resource Objects form is located in the Resource Management folder. It is used to create and manage the resource objects that represent the Oracle Identity Manager resources you want to provision for organizations or users.
Note: These definitions serve as templates to be used when provisioning the resource. How the resource is actually approved and provisioned will depend on the design of the approval and provisioning processes that you link to it.
Note: For more information on requests, and their relationship with resource objects, refer to "The Administrative Queues Form".
The following table describes the data fields of the Resource Objects form.
Field Name | Description |
---|---|
Name | The resource object's name. |
Table Name | The name of the resource object form (i.e. the name of the table which represents that form) associated with this resource. |
Order For User/Order For Organization | These radio buttons are used to specify whether the resource object can be requested for users or organizations. To request the resource object for a user, select the Order For User radio button. To request the resource object for an organization, select the Order For Organization radio button. |
Auto Pre-Populate | This check box designates whether the fields of a custom form that have pre-populate adapters attached to them are populated by Oracle Identity Manager or by a user. If the Auto Pre-Populate check box is selected, once the associated custom form appears, those fields are populated by Oracle Identity Manager. When this check box is cleared, a user must populate them by clicking the Pre-Populate button on the Toolbar. Important: This setting does not control the triggering of the pre-populate adapter. It only determines whether the value produced by the adapter appears within the associated field because of Oracle Identity Manager or because of a user action. For more information on pre-populate adapters, refer to Oracle Identity Manager Tools Reference Guide. Note: This checkbox is only relevant if you have created a form that is to be associated with the resource object. |
Type | The resource object's classification type. A resource object can belong to one of three types: Application, Generic, or System. |
Allow Multiple | This check box designates whether the resource may be provisioned more than once to any given user or organization. If it is selected, the resource object can be provisioned more than once per user or organization. |
Auto Save | By selecting this check box, Oracle Identity Manager saves the data in any resource-specific form, created using the Form Designer form, without first displaying the form. If you select this checkbox, you must supply system data, a rule generator adapter, or an entity adapter to populate the form with the required data (since the user will not be able to access the form). Note: Setting this checkbox is only relevant if you have created a form for the provisioning of the resource object. |
Self Request Allowed | By selecting this check box, any user, including the System Administrator, can request the resource object for himself or herself. Note: This functionality currently exists only for the Java version of Oracle Identity Manager. It is not applicable for the Oracle Identity Manager Administrative and User Console. |
Allow All | By selecting this check box, the resource object can be requested for all Oracle Identity Manager users. This setting takes precedence over whether the organization to which a user belongs has allowed the resource to be requestable for its users. |
Auto Launch | By default, this checkbox is selected at the time of object creation. Oracle Identity Manager will automatically initiate the provisioning process once the resource's approval process has achieved a status of Completed. Oracle Identity Manager treats all resource objects as Auto Launch, even if this checkbox is cleared. |
Provision by Object Admin Only | This check box designates who may provision this resource (either using direct provisioning or by manually initiating the provisioning process when the Auto Launch check box is cleared). If this check box is selected, only users who are members of the groups listed on the Object Administrators tab are allowed to provision this resource object (either directly or by manually initiating the provisioning process from the request). If this check box is cleared, no restriction is placed on who can directly provision this resource. |
Now that we have reviewed the data fields of this form, you will learn how to create a resource object.
To create a resource object, perform the following steps:
Open the Resource Objects form.
In the Name field, enter the name of the resource object.
Double-click the Table Name lookup field. From the Lookup dialog box that is displayed, select the table that represents the form to be associated with the resource object.
If you want to request the resource object for a user, select the Order For User radio button. If you want to request the resource object for an organization, select the Order For Organization radio button.
Note: A resource object can be requested for either one user or one organization.
If a custom form is to be associated with the resource object, this form contains fields that have pre-populate adapters attached to them, and you want these fields to be populated automatically by Oracle Identity Manager, select the Auto Pre-Populate check box.
If the fields of this form are to be populated manually (by a user clicking the Pre-Populate button on the Toolbar), clear the Auto Pre-Populate check box.
Note: If the resource object has no custom form associated with it, or this form's fields have no pre-populate adapters attached to them, clear the Auto Pre-Populate check box. For more information on pre-populate adapters, refer to Oracle Identity Manager Tools Reference Guide.
Double-click the Type lookup field. From the Lookup dialog box that is displayed, select the classification status (Application, Generic, or System) that will be associated with the resource object.
If you want multiple instances of the resource object to be requested for a user or an organization, select the Allow Multiple check box. Otherwise, proceed to Step 8.
When you want Oracle Identity Manager to save the data in any resource-specific form (created using the Form Designer form) without first displaying the form, select the Auto Save check box. Otherwise, proceed to Step 9.
Caution: If you select this check box, you must supply system data, a rule generator adapter, or an entity adapter to populate the form with the required data (since the user will not be able to access the form). Setting this checkbox is only relevant if you have created a form for the provisioning of the resource object.
If you want the System Administrator to be able to request the resource object for him/herself, select the Self Request Allowed check box. Otherwise, proceed to Step 10.
When you want the resource object to be provisioned for all users, regardless of whether the organization to which the user belongs has the resource object assigned to it, select the Allow All check box. Otherwise, proceed to Step 11.
If you want Oracle Identity Manager to automatically initiate the provisioning process when the resource object's approval process has achieved a status of Completed, select the Auto Launch check box. Otherwise, proceed to Step 12.
Caution: Oracle Identity Manager treats all resource objects as Auto Launch, even if this checkbox is cleared.
When you want to restrict the user groups that can provision this resource object, either directly or by assigning it to a request, to those groups that appear within the Object Authorizers tab of the Resource Objects form, select the Provision by Object Admin Only check box. Otherwise, proceed to Step 13.
Click Save. The resource object is created.
Once you launch the Resource Objects form, and create a resource object, the tabs of this form become functional.
The Resource Objects form contains the following tabs:
Each of these tabs is covered in greater detail in the following sections.
From this tab, you can select other resource objects that Oracle Identity Manager will need to provision before the current resource object can be provisioned. In addition, when Oracle Identity Manager can provision the current resource object without first provisioning the resource object that appears in the Depends On tab, you need to remove that resource object from the tab.
The following procedures will demonstrate how to:
Select a resource object on which the current resource object is dependent
Remove the dependent resource object
Select a Dependent Resource Object
To select a dependent resource object, perform the following steps:
Click Assign. The Assignment dialog box is displayed.
Select the resource object, and assign it to the request.
Click OK. The dependent resource object is selected.
Remove a Dependent Resource Object
To remove a dependent resource object, perform the following steps:
Highlight the dependent resource object you want to remove.
Click Delete. The resource object has been removed from the Depends On tab.
This tab is used to specify the user groups that are the Object Authorizers for this resource. The users who are members of these Object Authorizers groups can be selected as targets for task assignments. If you no longer want a user group to be an Object Authorizer, delete it from the list.
Each user group that appears within the Object Authorizers tab has a priority number assigned to it. The priority number is evaluated when Oracle Identity Manager is determining the user to whom to assign a task (when the task assignment target is Object Authorizer user with highest priority). Alternately, the priority value can be referenced when a task assigned to a group is escalated due to lack of action. You can also increase or decrease the priority number for any user group that is displayed within this tab.
As an example, assume that members of the SYSTEM ADMINISTRATORS user group have been specified as Object Authorizers. If a process task associated with this resource object has a task assignment rule attached to it, and the assignment criteria is Object Authorizer User with Highest Priority, the first user who is authorized to complete this process task is the user with the highest priority who belongs to the SYSTEM ADMINISTRATORS user group (since its priority number is 1). If this user does not complete this process task within a user-specified time, Oracle Identity Manager will reassign the task to the user in the SYSTEM ADMINISTRATORS group who has the next highest priority.
Note: For more information on task assignment rules and their relationship with completing process tasks, refer to "The Rule Designer Form" and "Assignment".
The following procedures will show how to:
Assign a user group to a resource object
Remove a user group from a resource object
Change the priority number for a user group
Assign a User Group to a Resource Object
To assign a user group to a resource object, perform the following steps:
Click Assign. The Assignment dialog box is displayed.
Select a user group, and assign it to the resource object.
Click OK. The user group is selected.
Remove a User Group From a Resource Object
To remove a user group from a resource object, perform the following steps:
Highlight the desired user group.
Click Delete. The user group is removed from the Object Authorizers tab.
Change a User Group's Priority Number
To change a user group's priority number, perform the following steps:
Highlight the user group whose priority number you wish to change.
To raise the selected user group's priority number by one, click Increase. To lower this user group's priority by one, click Decrease.
Note: To increase or decrease a user group's priority number by more than one, click the appropriate button repeatedly. As an example, to raise the priority number of a user group by two, click the Increase button twice.
Click Save. The user group's priority number is now changed to the value you selected.
A request is one mechanism used to provision Oracle Identity Manager resources to users or organizations. Through a request, a user can approve the provisioning of these resources to the target users or organizations. However, a request cannot be acted on until a resource object is assigned to it. Each resource object consists of one or more provisioning processes and potentially one or more approval processes.
As mentioned, the resource object definition serves as a template to be referenced when the resource is being provisioned to users or organizations. Since the resource definition may be linked to multiple approval and provisioning processes, Oracle Identity Manager must know which approval process and provisioning process to execute when the resource is requested or direct provisioned to users or organizations. This determination is made using process determination rules.
Process determination rules are criteria that Oracle Identity Manager evaluates to determine which:
Approval and provisioning process to select when a resource is requested
Provisioning process to select when a resource is direct provisioned
Usually, each approval process and provisioning process has a process determination rule associated with it. In addition, every rule/process combination has a priority number, which indicates the order in which Oracle Identity Manager will evaluate it.
For this example, when the resource is requested or direct provisioned, Oracle Identity Manager will evaluate the Rule to See if Solaris is Needed and Rule to Check Provisioning of Solaris for IT Dept. rules (since they both have the highest priority). If the conditions of these rules were TRUE, Oracle Identity Manager will execute the processes associated with them (the Check if Solaris is Needed approval process and the Provision Solaris for IT Dept. provisioning process).
If the condition of a rule is FALSE, Oracle Identity Manager will then evaluate the rule with the next highest priority. If that rule is TRUE, Oracle Identity Manager will execute the process associated with it.
So, in this example, if the resource was requested or direct provisioned and the Rule to Check Provisioning of Solaris for IT Dept. rule were FALSE, Oracle Identity Manager would evaluate the Rule to Check Provisioning of Solaris for Developers rule. If this rule were TRUE, Oracle Identity Manager would execute the process associated with that rule (the Provision Solaris for Devel. provisioning process).
Now that we have reviewed process determination rules, you will learn how to add a process determination rule to a resource object. In addition, when an existing rule is no longer valid, you will learn how to remove it from the resource object.
Add a Process Determination Rule to a Resource Object
To add a process determination rule to a resource object, perform the following steps:
Click Add in either the Approval Processes or Provisioning Processes region, depending on the rule/process combination you intend to create.
From the row that is displayed, double-click the Rules lookup field.
From the Lookup dialog box that is displayed, select a rule, and assign it to the resource object (only rules of type Process Determination are available for selection).
Click OK.
Within the adjacent column, double-click the Processes lookup field.
From the Lookup dialog box that is displayed, select the desired process, and assign it to the rule.
Click OK.
Enter a numeric value in the Priority field. This will determine the order in which Oracle Identity Manager evaluates the rule/process combination.
Click Save. The rule/process combination is added to the resource object.
Remove a Process Determination Rule From a Resource Object
To remove a process determination rule from a resource object, perform the following steps:
Highlight the desired rule/process combination.
Click Delete. The rule/process combination is removed from the resource object.
Sometimes, a resource object may have data that needs to be handled in a particular fashion. For example, a resource object's provisioning process may contain tasks, which must be completed automatically.
When this occurs, you must assign either an event handler or an adapter to the resource object. An event handler is a software routine that provides the processing of this specialized information. An adapter is a specialized type of event handler that generates the Java code, which enables Oracle Identity Manager to communicate and interact with external resources.
Also, when an event handler or adapter, which has been assigned to a resource object, is no longer valid, you must remove it from the resource object.
For this example, the adpAUTOMATEPROVISIONINGPROCESS adapter has been assigned to the Solaris resource object. Once this resource object is assigned to a request, Oracle Identity Manager will trigger the adapter, and the associated provisioning process is executed automatically.
The following procedures demonstrate how to assign an event handler or adapter to a resource object, and remove an event handler or adapter from a resource object.
Assign an Event Handler or Adapter to a Resource Object
To assign an event handler or adapter to a resource object, perform the following steps:
Click Assign. The Assignment dialog box is displayed.
Select an event handler, and assign it to the resource object.
Click OK. The event handler is assigned to the resource object.
Remove an Event Handler or Adapter From a Resource Object
To remove an event handler or adapter from a resource object, perform the following steps:
Highlight the desired event handler.
Click Delete. The event handler is removed from the resource object.
This tab is used to set the provisioning statuses for a resource object. A provisioning status indicates the status of the resource object throughout its entire lifecycle, until it is provisioned to the target user or organization. Once this occurs, you can see the provisioning status of the resource object from within the Status region of the Currently Provisioned tab.
Every provisioning status of a resource object is associated with a task status of the relevant provisioning process (which Oracle Identity Manager selects when the resource object is assigned to a request). For example, if the Provision for Developers process is selected, and a task within this process achieves a status of Completed, the corresponding status of the resource object can be set to Provisioned. This way, you can see how the resource object relates to the provisioning process, quickly and easily.
Currently, a resource object has eight pre-defined statuses:
Waiting: Oracle Identity Manager has checked and has found that there are other resource objects upon which this resource object depends. However, these resource objects have not yet been provisioned.
Revoked: The resources, represented by the resource object, have been provisioned to the target users or organizations. However, these users or organizations have been permanently de-provisioned from using the resources.
Ready: Oracle Identity Manager has checked and has found that [a] this resource object is not dependent upon any other resource objects; or [b] all resource objects, upon which this resource object depends, have been provisioned.
Once the resource object's status is Ready and the resource object is assigned to a request, Oracle Identity Manager evaluates the process determination rules to determine the approval and provisioning processes. When this happens, the status of the resource object changes to Provisioning.
Provisioning: The resource object has been assigned to a request, and an approval process and a provisioning process have been selected.
Provisioned: The resources, represented by the resource object, have been provisioned to the target users or organizations.
Provide Information: Additional information is required before the resources, represented by the resource object, can be provisioned to the target users or organizations.
None: This status does not represent the provisioning status of the resource object. Rather, it signifies that a task, which belongs to the provisioning process that Oracle Identity Manager selects, has no effect on the status of the resource object.
Enabled: The resources, represented by the resource object, have been provisioned to the target users or organizations. In addition, these users or organizations have access to the resources.
Disabled: The resources, represented by the resource object, have been provisioned to the target users or organizations. However, these users or organizations have temporarily lost access to the resources.
Each provisioning status has a corresponding Launch Dependent check box. If a check box is selected, and the resource object achieves that provisioning status, Oracle Identity Manager enables other, dependent resource objects to launch their own provisioning processes.
For this example, the Exchange resource object has the Launch Dependent check box selected for the Provisioned and Enabled provisioning statuses. Once the provisioning status of this resource object changes to Provisioned or Enabled, Oracle Identity Manager checks to see if there are other resource objects, upon which the Exchange resource object depends. If this is so, Oracle Identity Manager first launches the approval and provisioning processes of these dependent objects. Then, Oracle Identity Manager selects an approval and provisioning process for the Exchange resource object.
You may want to add additional provisioning statuses to a resource object to reflect the various task statuses of a provisioning process. For example, when the status of a task that belongs to a provisioning process is Rejected, you may want to set the corresponding provisioning status of the resource object to Revoked.
Similarly, when an existing provisioning status is no longer valid, you need to remove it from the resource object.
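The Depends On and Launch Dependent behaviour described above, as an added Python simulation that is not Oracle Identity Manager code. It assumes a simple model: an object is Waiting while any object it depends on is not yet in a status with Launch Dependent selected, and Ready otherwise; it also adds two configuration checks a practitioner would want (dependency cycles, and dependencies that can never release their dependants). Object names other than Exchange and Solaris are constructed.

```python
"""Dependency evaluation for resource objects (Depends On tab, Launch Dependent check box).

Added example, not Oracle Identity Manager code. The Waiting/Ready model below
is an assumption drawn from the status descriptions on this page.
"""
from dataclasses import dataclass, field


@dataclass
class ResourceObject:
    name: str
    depends_on: set = field(default_factory=set)
    # provisioning statuses for which the Launch Dependent check box is selected
    launch_dependent_statuses: set = field(default_factory=set)
    status: str = "Waiting"


def evaluate_status(obj, catalog):
    """Return 'Ready' or 'Waiting' for obj, given the current statuses in catalog.

    Ready when the object has no dependencies, or every dependency is in one of
    its own Launch Dependent statuses; otherwise Waiting.
    """
    for dep_name in obj.depends_on:
        dep = catalog[dep_name]
        if dep.status not in dep.launch_dependent_statuses:
            return "Waiting"
    return "Ready"


def provisioning_order(catalog):
    """Order in which the objects can be provisioned, dependencies first.

    Raises ValueError on a Depends On cycle: every member of a cycle would stay
    Waiting forever, since none of them can reach a Launch Dependent status.
    """
    order, state = [], {}  # state: "visiting" while on the stack, "done" afterwards

    def visit(name, path):
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError("Depends On cycle: " + " -> ".join(path + [name]))
        state[name] = "visiting"
        for dep in sorted(catalog[name].depends_on):
            visit(dep, path + [name])
        state[name] = "done"
        order.append(name)

    for name in sorted(catalog):
        visit(name, [])
    return order


def unreachable_dependencies(catalog):
    """Dependencies with no Launch Dependent status selected: they never release a dependant."""
    return sorted({dep for obj in catalog.values() for dep in obj.depends_on
                   if not catalog[dep].launch_dependent_statuses})


def build_sample_catalog():
    """Constructed sample: Exchange as on the page, plus a hypothetical Mailbox Archive."""
    exchange = ResourceObject("Exchange", set(), {"Provisioned", "Enabled"})
    archive = ResourceObject("Mailbox Archive", {"Exchange"}, {"Provisioned"})
    solaris = ResourceObject("Solaris")  # no Launch Dependent status selected
    return {o.name: o for o in (exchange, archive, solaris)}


if __name__ == "__main__":
    catalog = build_sample_catalog()
    print(evaluate_status(catalog["Mailbox Archive"], catalog))  # Waiting
    catalog["Exchange"].status = "Provisioned"
    print(evaluate_status(catalog["Mailbox Archive"], catalog))  # Ready
    print(provisioning_order(catalog))
```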
The following procedures demonstrate how to add a provisioning status to a resource object, and remove a provisioning status from a resource object.
Add a Provisioning Status to a Resource Object
To add a provisioning status to a resource object, perform the following steps:
Click Add.
Add a provisioning status in the Status field.
When you want other, dependent resource objects to launch their own approval and provisioning processes once the resource object achieves the provisioning status you are adding, select the Launch Dependent check box. Otherwise, proceed to Step 4.
Click Save. The provisioning status is added to the resource object.
Remove a Provisioning Status from a Resource Object
To remove a provisioning status from a resource object, perform the following steps:
Highlight the desired provisioning status.
Click Delete. The provisioning status is removed from the resource object.
This tab is used to select the user groups that can view, modify, and delete the current resource object.
The Write and Delete check boxes are visual indicators of the privileges that a user group has with the resource object. When the Write check box is selected, the corresponding user group can modify the current resource object. If this check box is cleared, the user group cannot edit the resource object.
Similarly, when the Delete check box is selected, the associated user group can delete the current resource object. If this check box is cleared, the user group cannot delete the resource object.
For this example, the SYSTEM ADMINISTRATORS user group can view, modify, and delete the Solaris resource object. The OPERATORS user group can only view and modify this resource object (its Delete check box is cleared).
The following sections describe how to assign a user group to a resource object, and remove a user group from a resource object.
Assign a User Group to a Resource Object
To assign a user group to a resource object, perform the following steps:
Click Assign. The Assignment dialog box is displayed.
Select the user group, and assign it to the resource object.
Click OK. The user group appears in the Administrators tab. By default, all members of this group can view the active record.
If you want this user group to be able to modify the current resource object, double-click the corresponding Write check box. Otherwise, proceed to Step 5.
If you want this user group to be able to delete the current resource object, double-click the associated Delete check box. Otherwise, proceed to Step 6.
Click Save. The user group is assigned to the resource object.
Remove a User Group from a Resource Object
To remove a user group from a resource object, perform the following steps:
Highlight the user group that you want to remove.
Click Delete. The user group is removed from the resource object.
If a resource object is of type Application, and you want to provision the resource object to a user or organization, you may want that user or organization to meet password criteria before accessing the resource object. These password criteria are created and managed in the form of password policies. These policies are created using the Password Policies form.
As the resource object definition is only a template for governing how a resource is to be provisioned, Oracle Identity Manager must be able to make determinations about how to provision the resource based on actual conditions and rules. These conditions may not be known until the resource is actually requested. Therefore, rules must be linked to the various processes and password policies associated with a resource to allow Oracle Identity Manager to decide which ones to invoke in any given context.
Oracle Identity Manager determines which password policy to apply to the resource when creating (or updating) a particular user's account by evaluating the password policy rules of the resource and applying the criteria of the policy associated with the first rule that is satisfied. Each rule has a priority number, which indicates the order in which Oracle Identity Manager will evaluate it.
For this example, Oracle Identity Manager will trigger the Rule to Prevent Solaris Access rule (since it has the highest priority). If this rule were TRUE, Oracle Identity Manager would apply the criteria of the Restrict Solaris password policy to the password of the account being created or updated.
If the rule is FALSE, Oracle Identity Manager will then evaluate the rule with the next highest priority. If this rule is TRUE, Oracle Identity Manager will apply the password policy associated with it to the password of the account being created or updated.
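Both the process determination rules (evaluated per region for approval and provisioning processes) and the password policy rules described above follow the same pattern: evaluate rules in priority order and take the first that is TRUE. The following added Python simulation is not Oracle Identity Manager code; it assumes that a lower priority number is evaluated first (as in the Object Authorizers example, where priority 1 is highest), and the rule conditions and request attributes are constructed. It also flags duplicate priorities within one region, since the page defines no order between them.

```python
"""Priority-ordered rule evaluation for process determination and password policy rules.

Added example, not Oracle Identity Manager code. Assumption: lower priority
number is evaluated first; rule conditions and request attributes are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RuleBinding:
    rule_name: str
    condition: Callable[[dict], bool]  # the rule, evaluated against the request context
    target: str                         # process (or password policy) selected when TRUE
    priority: int                       # lower number is evaluated earlier (assumption)


def select_target(bindings: List[RuleBinding], context: dict) -> Optional[Tuple[str, str]]:
    """Return (rule name, target) of the first TRUE rule in priority order, or None."""
    for binding in sorted(bindings, key=lambda b: b.priority):
        if binding.condition(context):
            return binding.rule_name, binding.target
    return None


def find_priority_conflicts(bindings: List[RuleBinding]) -> Dict[int, List[str]]:
    """Priorities shared by several rules in one region: their evaluation order is undefined."""
    by_priority: Dict[int, List[str]] = {}
    for binding in bindings:
        by_priority.setdefault(binding.priority, []).append(binding.rule_name)
    return {p: names for p, names in by_priority.items() if len(names) > 1}


# Constructed rule sets modelled on the page's Solaris example (conditions are invented).
APPROVAL_RULES = [
    RuleBinding("Rule to See if Solaris is Needed",
                lambda ctx: ctx.get("needs_solaris", False),
                "Check if Solaris is Needed", 1),
]
PROVISIONING_RULES = [
    RuleBinding("Rule to Check Provisioning of Solaris for IT Dept.",
                lambda ctx: ctx.get("department") == "IT",
                "Provision Solaris for IT Dept.", 1),
    RuleBinding("Rule to Check Provisioning of Solaris for Developers",
                lambda ctx: ctx.get("role") == "Developer",
                "Provision Solaris for Devel.", 2),
]
PASSWORD_POLICY_RULES = [
    RuleBinding("Rule to Prevent Solaris Access",
                lambda ctx: ctx.get("contractor", False),
                "Restrict Solaris", 1),
    RuleBinding("Default Solaris Policy Rule",  # constructed catch-all rule
                lambda ctx: True,
                "Standard Solaris", 2),
]


def determine_processes(context: dict) -> Tuple[Optional[str], Optional[str]]:
    """Approval and provisioning process chosen for a request (None if no rule is TRUE)."""
    approval = select_target(APPROVAL_RULES, context)
    provisioning = select_target(PROVISIONING_RULES, context)
    return (approval[1] if approval else None,
            provisioning[1] if provisioning else None)


def determine_password_policy(context: dict) -> Optional[str]:
    """Password policy applied when the account is created or updated."""
    chosen = select_target(PASSWORD_POLICY_RULES, context)
    return chosen[1] if chosen else None


if __name__ == "__main__":
    print(determine_processes({"needs_solaris": True, "department": "Sales", "role": "Developer"}))
    print(determine_password_policy({"contractor": True}))
```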
Now that you have reviewed password policy rules, you will learn how to add a password policy rule to a resource object. In addition, when an existing rule is no longer valid, you will learn how to remove it from the resource object.
Add a Password Policy Rule to a Resource Object
To add a password policy rule to a resource object, perform the following steps:
Click Add.
From the row that appears, double-click the Rule lookup field.
From the Lookup dialog box that is displayed, select a rule, and assign it to the resource object.
Click OK.
Within the adjacent column, double-click the Policy lookup field.
From the Lookup dialog box that is displayed, select an associated password policy, and assign it to the resource object.
Click OK.
Add a numeric value in the Priority field. This field contains the rule's priority number.
Click Save. The password policy rule is added to the resource object.
Remove a Password Policy Rule From a Resource Object
To remove a password policy rule from a resource object, perform the following steps:
Highlight the desired password policy rule.
Click Delete. The password policy rule is removed from the resource object.
This tab is used to view and access any user-defined fields that have been created for the Resource Objects form. Once a user-defined field has been created, it appears on this tab and is able to accept and supply data. For instructions on how to create user-defined fields on existing Oracle Identity Manager forms, refer to "The User Defined Field Definition Form".
The Process tab displays all of the approval and provisioning processes that are associated with the current resource object. In addition, this tab indicates (using the Default check boxes), which approval or provisioning processes have been designated as the default process of each type for the resource.
Note: Approval and provisioning processes are created and associated with a resource using the Process Definition form. Each process can then be linked to a process determination rule using the Process Determination Rules tab of the Resource Object form.
For this example, the Solaris resource object has one approval process assigned to it. It also has one provisioning process (Provision Solaris for Devel.) associated with it. The Provision Solaris for Devel. provisioning process has been designated as the default process for this resource object.
This tab contains two sub-tabs, Reconciliation Fields and Reconciliation Action Rules.
The Reconciliation Fields tab is used to define the fields on the target resources/trusted sources that are to be reconciled with (for example, mapped to) information in Oracle Identity Manager.
The Reconciliation Action Rules tab is used to specify the actions Oracle Identity Manager is to take when particular matching conditions are met.
Reconciliation Fields Tab
This tab is used to define the fields on the target resources/trusted sources that are to be reconciled with (for example, mapped to) information in Oracle Identity Manager. For each field on the target system/trusted source, the following information will be listed:
Name of the field on the target resource/trusted source that is to be reconciled with data in Oracle Identity Manager (for example, targetfield1)
Data type associated with the field (for example, String). Possible values are Multi-Valued, String, Number, Date, IT resource
Indicator designating whether this field is required within a reconciliation event
Note: Oracle Identity Manager will not begin to match potential provisioning processes, users or organizations to the reconciliation event until all fields which have been set as required are processed on the Reconciliation Data tab of the Reconciliation Manager form.
An example of a target system field definition might appear as follows:
TargetField1 [String], Required
Add a Reconciliation Field
The following steps are used to add a field from the target system/trusted source to the list of fields that are to be reconciled with information within Oracle Identity Manager.
Note: For a trusted source, this must be the user resource definition.
Click Add Field. The Add Reconciliation Field dialog box is displayed.
Enter the name of the field on the target resource/trusted source in the Field Name field. This is the name by which you wish to reference the target resource/trusted source field within Oracle Identity Manager.
Select one of the following values from the menu in the Field Type field:
Multi-Valued (for use with fields that contain one or more component fields)
String
Number
Date
IT resource (only to be used with fields that will reference the machine on which the user account is provisioned)
Set the Required check box. If this checkbox is selected, this field must be processed on the Reconciliation Data tab of the Reconciliation Manager form before Oracle Identity Manager will begin attempting to match a provisioning process or user/organization to the reconciliation event. If this checkbox is cleared, the inability to process this field within a reconciliation event will not prevent matching from occurring.
Click Save. The field will be available for mapping within the resource's default provisioning process.
Note: Before Oracle Identity Manager can successfully perform reconciliation with an external target resource/target source, the fields you have defined on this tab must be mapped to the appropriate Oracle Identity Manager fields using the Field Mappings tab of the resource's default provisioning process.
Delete a Reconciliation Field
The following steps are used to remove a target system field from the list of fields that are to be reconciled with information within Oracle Identity Manager.
Note: For a trusted source, this must be the user resource definition.
Select the field you wish to remove.
Click Delete Field. The selected field will be removed from the list of fields with which Oracle Identity Manager attempts to reconcile data on the target system (this will have no effect on the data in the target system itself).
Reconciliation Action Rules Tab
This tab is used to specify the actions Oracle Identity Manager is to take when particular matching conditions are met. Oracle Identity Manager allows you to specify what action(s) it should automatically take when certain matches within reconciliation event records are encountered. Each record within this tab is a combination of:
The matching condition criteria
The action to take
The conditions and actions from which you may select are pre-defined. Depending on the matching conditions, certain actions may not be applicable. A complete list of the available options is provided below:
Rule Condition | Possible Rule Actions
---|---
No matches found | None; Assign to Administrator with Least Load; Assign to Authorizer with Highest Priority; Assign to Authorizer with Least Load; Assign to User; Assign to Group; Create User (only available with the trusted source)
One Process Match Found | None; Assign to Administrator with Least Load; Assign to Authorizer with Highest Priority; Assign to Authorizer with Least Load; Assign to User; Assign to Group; Establish Link
Multiple Process Matches Found | None; Assign to Administrator with Least Load; Assign to Authorizer with Highest Priority; Assign to Authorizer with Least Load; Assign to User; Assign to Group
One Entity Match Found | None; Assign to Administrator with Least Load; Assign to Authorizer with Highest Priority; Assign to Authorizer with Least Load; Assign to User; Assign to Group; Establish Link
Multiple Entity Matches Found | None; Assign to Administrator with Least Load; Assign to Authorizer with Highest Priority; Assign to Authorizer with Least Load; Assign to User; Assign to Group
Add a Reconciliation Action Rule
To add a reconciliation action rule, perform the following steps:
Click Add Field. The Add a new Action Rule dialog box is displayed.
Select the desired value from the Rule Condition menu. This is the matching condition that will cause the associated action to be executed. Each match condition can only be assigned to a single rule action.
Select the desired value from the Rule Action menu. This is the action that will be executed if the matching condition is satisfied.
Click Save, and close the Add a new Action Rule dialog box.
Delete a Reconciliation Action Rule
Select the matching condition/action combination you wish to delete.
Click Delete. The reconciliation action rule will be removed and the action associated with its condition will not be executed automatically.
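The condition/action table for the Reconciliation Action Rules tab, together with the constraint that each matching condition takes a single action, as an added Python validator and evaluator. This is not Oracle Identity Manager code: the permitted-action table is taken from this page, while the sample rule sets and the order in which process and entity match counts are examined are constructed assumptions.

```python
"""Validator and evaluator for reconciliation action rules (condition -> action).

Added example, not Oracle Identity Manager code. PERMITTED_ACTIONS reproduces
the table on this page; the sample rules and classify_event precedence are assumed.
"""
from typing import Dict, List, Set, Tuple

COMMON_ACTIONS: Set[str] = {
    "None",
    "Assign to Administrator with Least Load",
    "Assign to Authorizer with Highest Priority",
    "Assign to Authorizer with Least Load",
    "Assign to User",
    "Assign to Group",
}

# Rule Condition -> Possible Rule Actions, as listed on the Reconciliation Action Rules tab
PERMITTED_ACTIONS: Dict[str, Set[str]] = {
    "No matches found": COMMON_ACTIONS | {"Create User"},
    "One Process Match Found": COMMON_ACTIONS | {"Establish Link"},
    "Multiple Process Matches Found": COMMON_ACTIONS,
    "One Entity Match Found": COMMON_ACTIONS | {"Establish Link"},
    "Multiple Entity Matches Found": COMMON_ACTIONS,
}


def validate_action_rules(rules: List[Tuple[str, str]], trusted_source: bool) -> List[str]:
    """Return the problems found in a list of (condition, action) rules.

    Checks: the condition is known, the action is permitted for that condition,
    Create User is used only with the trusted source, and no condition is
    assigned more than one action.
    """
    problems: List[str] = []
    seen: Set[str] = set()
    for condition, action in rules:
        if condition not in PERMITTED_ACTIONS:
            problems.append(f"unknown rule condition: {condition!r}")
            continue
        if condition in seen:
            problems.append(f"condition {condition!r} assigned more than once")
        seen.add(condition)
        if action not in PERMITTED_ACTIONS[condition]:
            problems.append(f"action {action!r} not permitted for {condition!r}")
        elif action == "Create User" and not trusted_source:
            problems.append("Create User is only available with the trusted source")
    return problems


def classify_event(process_matches: int, entity_matches: int) -> str:
    """Map the match counts of a reconciliation event onto a rule condition.

    Assumed precedence (constructed for this example): process matches are
    examined before entity (user/organization) matches.
    """
    if process_matches == 1:
        return "One Process Match Found"
    if process_matches > 1:
        return "Multiple Process Matches Found"
    if entity_matches == 1:
        return "One Entity Match Found"
    if entity_matches > 1:
        return "Multiple Entity Matches Found"
    return "No matches found"


def action_for_event(rules: List[Tuple[str, str]], process_matches: int, entity_matches: int) -> str:
    """Action the configured rules take for an event; 'None' when no rule covers its condition."""
    return dict(rules).get(classify_event(process_matches, entity_matches), "None")


# Constructed sample rule set for a trusted source.
TRUSTED_SOURCE_RULES = [
    ("No matches found", "Create User"),
    ("One Entity Match Found", "Establish Link"),
    ("Multiple Entity Matches Found", "Assign to Administrator with Least Load"),
]

if __name__ == "__main__":
    print(validate_action_rules(TRUSTED_SOURCE_RULES, trusted_source=True))   # []
    print(action_for_event(TRUSTED_SOURCE_RULES, 0, 1))                       # Establish Link
```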
Oracle Identity Manager supports service accounts. Service accounts are general administrator accounts (for example, admin1, admin2, admin3, etc.) that are used for maintenance purposes, and are typically shared by a set of users. The model for managing and provisioning service accounts is slightly different from normal provisioning.
Service accounts are requested, provisioned, and managed in the same manner as regular accounts. They use the same resource objects, provisioning processes, and process/object forms as regular accounts. A service account is distinguished from a regular account by an internal flag.
When a user is provisioned with a service account, Oracle Identity Manager manages a mapping from the user's identity to the service account. When the resource is "revoked", or the user gets "deleted", the provisioning process for the service account does not get cancelled (which would cause the undo tasks to fire). Instead, a task is inserted into the provisioning process (the same way Oracle Identity Manager handles Disable/Enable actions). This task removes the mapping from the user to the service account, and returns the service account to the pool of available accounts.
This management capability is exposed through APIs.