Oracle® Identity Manager Design Console Guide
Release 9.0.3

Part Number B32453-01

6 Resource Management

This chapter describes resource management in Design Console. It contains the following topics:

Overview

The Resource Management folder provides System Administrators with tools for managing Oracle Identity Manager resources. This folder contains the following forms:

See also:

This chapter discusses prepopulating adapters and Java tasks. To learn more about adapters and adapter tasks, see the Oracle Identity Manager Tools Reference Guide.

The IT Resources Type Definition Form

The IT Resources Type Definition form is in the Resource Management folder. You use the IT Resources Type Definition form to classify IT resource types, for example, AD, MS Exchange, Solaris. Oracle Identity Manager associates resource types with resource objects that it provisions to users and organizations.

After you define an IT resource type on this form, it becomes available for selection when you define a resource. The type appears in the Type field on the IT Resources form.

IT resource types serve as templates for the IT resource definitions that reference them. If an IT resource definition references an IT resource type, the resource inherits all of the parameters and values in the IT resource type. The IT resource type serves as the general IT classification, for example, Solaris. The resource is an instance of the type, for example, Solaris for Statewide Investments. You must associate every IT resource definition with an IT resource type.

The IT Resources Type Definition form is shown in Figure 6-1.

Figure 6-1 The IT Resources Type Definition Form


The following table describes the fields of the IT Resources Type Definition form.

Server Type: The name of the IT resource type.

Insert Multiple: This checkbox specifies whether this IT resource type may be referenced by more than one IT resource.

Note:

If an IT resource must access an external resource, but it cannot reach that resource using the network, you must associate it with a remote manager. For more information, see the Oracle Identity Manager Tools Reference Guide.

Defining a Template (a Resource Type) for IT Resources

The following procedure describes how to define an IT resource type.

To define an IT resource type:

  1. Enter the name of the IT resource type in the Server Type field, for example, Solaris.

  2. To make the IT resource type available for multiple IT resources, check the Insert Multiple checkbox.

  3. Click Save.

    The IT resource type is defined. You can select it from the Type field when defining IT resources in the IT Resources form.

Tabs on the IT Resource Type Definition Form

After you save the basic information for a new IT resource type, and when an IT resource type is returned on a query, the fields on the tabs of the IT Resources Type Definition form's lower region are enabled.

The IT Resources Type Definition form contains the following tabs:

  • IT Resource Type Parameter tab

  • IT Resource tab

IT Resource Type Parameter Tab

You use the IT Resource Type Parameter tab to specify default values and encryption settings for all connection parameters for the IT resource type, as shown in Figure 6-1. Parameters and values on this tab are inherited by all IT resources that reference this IT resource type.

When you define a new parameter, the parameter and its values and encryption settings are added to the current IT resource type and to any new or existing IT resource definitions that reference this IT resource type. For any applicable resource definition, the new parameter appears in the Parameters tab of the IT Resources form.

Note:

You can customize the values and encryption settings for these parameters within each IT resource.

Adding a Parameter to an IT Resource Type

The following procedure describes how to add a parameter to an IT Resource Type.

To add a parameter to an IT Resource Type:

  1. Click Add.

    A new row appears in the IT Resource Type Parameter tab.

  2. In the Field Name field, enter the name of the parameter.

  3. In the Default Field Value field, enter a default value.

    This value is inherited by all IT resources that reference this IT resource type.

  4. Select or clear the Encrypted checkbox.

    This checkbox determines whether this parameter's value is masked, that is, represented with **** symbols, in a form field.

    If you want the parameter's value to be masked, select this checkbox.

  5. Click Save.

Removing a Parameter From an IT Resource Type

The following procedure describes removing a parameter from an IT Resource Type.

To remove a parameter from an IT Resource Type:

  1. Highlight the parameter you want to remove.

  2. Click Delete.

    The parameter and its associated value are removed from the IT resource type and from IT resource definitions that reference this type.

IT Resource Tab

This tab displays IT resources that reference a selected IT resource type. All IT resources on this tab share the same parameters, but the values can be unique for each IT resource.

IT Resource Type Definition Table

The IT Resource Type Definition Table displays the following information:

Server Type: The name of the resource asset type, as defined in the IT Resource Type Definition form.

Insert Multiple: This checkbox indicates whether multiple instances of this IT resource definition can be created.

The IT Resources Form

The IT Resources form is located in the Resource Management folder. You use this form to view and configure IT resources. IT resource definitions usually represent hardware, for example, a server or a computer where one or more resources reside. Each IT resource definition represents an instance of an IT resource type.

During a provisioning event, resource objects reference IT resource definitions. The definition specifies where the resource is located and how to connect to it. A resource object must be associated with an IT resource definition.

You can map the variables of an Oracle Identity Manager adapter to the values of any parameters for an IT resource. The parameters can represent information about the hardware, for example, a server domain name or the ID of the user who accesses this IT resource.

See also:

For more information about adapters and their mappings, see the Oracle Identity Manager Tools Reference Guide.

The following table describes the fields of the IT Resources form.

Name: The name of the IT resource.

Type: The classification type of the IT resource, as defined in the IT Resources Type Definition form.

Remote Manager: If the IT resource can be accessed using a remote manager, this field displays the name of the remote manager. Otherwise, this field is empty.

Defining an IT Resource

The following procedure describes how to define an IT Resource.

To define an IT Resource:

  1. Enter the name of the IT resource in the Name field.

  2. Double-click the Type lookup field, and in the Lookup dialog box, select the IT resource type to associate with this IT resource.

    You define the IT resource types using the IT Resource Type definition form.

  3. Click OK.

  4. If the IT resource is to be accessed using a remote manager, that is, if the IT resource type was defined as a remote manager, double-click the Remote Manager lookup field, and in the Lookup dialog box select a remote manager.

    If the IT resource will not be accessed using a remote manager, proceed to Step 6.

  5. Click OK.

  6. Click Save.

    The saved IT resource appears on the IT Resource tab of the IT Resources Type Definition form for the associated IT resource type. The parameters and default values for the IT resource classification type appear in the Parameters tab.

  7. Optionally, to specify IT resource-specific values for the parameters on the Parameters tab, select the Value field for the parameter you want to edit, enter the new value, and click Save.

Setting Access Permissions to an IT Resource Instance Parameter

Use the Administrators tab to set access permissions for administrative groups and to set a level of security for the IT Resource APIs.

To set access permissions:

  1. Click the Administrators tab.

    By default, the administrator group associated with this IT Resource Instance is displayed.

  2. Click Assign to add a new administrative group.

    For example, you can assign G2 as an administrative group for the ramone IT Resource instance.

  3. Click a checkbox for the following permissions:

    Read: When checked, the administrative group indicated by the Group Name can read the current IT Resource Instance.

    Write: When checked, the corresponding Group Name can read and modify the current IT Resource Instance parameter values.

    Delete: When checked, the associated administrative group can delete the current IT Resource Instance.

  4. Click the Save button.
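The behaviour described in the IT Resources Type Definition and IT Resources sections above (parameters and defaults inherited from the type, propagation when a parameter is added or removed, per-instance overrides, masking of Encrypted values, and the Read/Write/Delete boxes on the Administrators tab) modelled as an added Python example; this is not Oracle Identity Manager code. The class and method names, the sample Solaris type with its Host and Admin Password parameters, the host name and the group G2 are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MASK = "****"  # how a form field shows the value of an Encrypted parameter
PERMISSIONS = {"Read", "Write", "Delete"}  # the checkboxes on the Administrators tab


@dataclass
class TypeParameter:
    """One row of the IT Resource Type Parameter tab."""
    field_name: str
    default_value: str
    encrypted: bool = False


@dataclass
class ITResource:
    """An IT resource instance (the IT Resources form); hypothetical class name."""
    name: str
    resource_type: "ITResourceType"
    remote_manager: Optional[str] = None
    values: Dict[str, str] = field(default_factory=dict)
    permissions: Dict[str, Set[str]] = field(default_factory=dict)  # group -> boxes ticked

    def set_value(self, field_name: str, value: str) -> None:
        """Step 7 of Defining an IT Resource: an instance-specific value."""
        if field_name not in self.resource_type.parameters:
            raise KeyError(f"{field_name!r} is not a parameter of {self.resource_type.server_type!r}")
        self.values[field_name] = value

    def form_view(self) -> Dict[str, str]:
        """Values as the Parameters tab shows them: Encrypted parameters are masked."""
        params = self.resource_type.parameters
        return {n: MASK if params[n].encrypted else v for n, v in self.values.items()}

    def assign_group(self, group: str, *perms: str) -> None:
        """Administrators tab: Assign a group and tick its Read/Write/Delete boxes."""
        unknown = set(perms) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.permissions.setdefault(group, set()).update(perms)

    def can(self, group: str, action: str) -> bool:
        """Write lets a group read and modify, so Read is implied by Write."""
        granted = self.permissions.get(group, set())
        if action == "Read":
            return bool(granted & {"Read", "Write"})
        return action in granted


@dataclass
class ITResourceType:
    """The IT Resources Type Definition form; hypothetical class name."""
    server_type: str
    insert_multiple: bool = False
    parameters: Dict[str, TypeParameter] = field(default_factory=dict)
    resources: List[ITResource] = field(default_factory=list)  # the IT Resource tab

    def add_parameter(self, param: TypeParameter) -> None:
        """A new parameter and its default reach every existing instance of the type."""
        self.parameters[param.field_name] = param
        for res in self.resources:
            res.values.setdefault(param.field_name, param.default_value)

    def remove_parameter(self, field_name: str) -> None:
        """Removing a parameter also removes it from the instances that reference the type."""
        del self.parameters[field_name]
        for res in self.resources:
            res.values.pop(field_name, None)

    def define_resource(self, name: str, remote_manager: Optional[str] = None) -> ITResource:
        """Defining an IT Resource: the instance inherits all parameters and their defaults."""
        if self.resources and not self.insert_multiple:
            raise ValueError(f"type {self.server_type!r} is not marked Insert Multiple")
        res = ITResource(name, self, remote_manager,
                         values={n: p.default_value for n, p in self.parameters.items()})
        self.resources.append(res)
        return res


def demo() -> Dict[str, str]:
    """Constructed walk-through of the procedures above; returns the masked form view."""
    solaris = ITResourceType("Solaris", insert_multiple=True)
    solaris.add_parameter(TypeParameter("Host", "localhost"))
    solaris.add_parameter(TypeParameter("Admin Password", "changeme", encrypted=True))
    statewide = solaris.define_resource("Solaris for Statewide Investments")
    statewide.set_value("Host", "sol01.example.test")  # override for this instance only
    solaris.add_parameter(TypeParameter("Port", "22"))  # propagates to the existing instance
    statewide.assign_group("G2", "Write")
    return statewide.form_view()


if __name__ == "__main__":
    print(demo())  # {'Host': 'sol01.example.test', 'Admin Password': '****', 'Port': '22'}
```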

The Rule Designer Form

Rules are criteria that enable Oracle Identity Manager to match conditions and take action based on them. A rule can be assigned to a specific resource object or process, or a rule can apply to all resource objects or processes.

The following are examples of rule usage:

Tip:

For more information about prepopulate adapters, see the Oracle Identity Manager Tools Reference Guide.

The Rule Designer form shown in Figure 6-2 is located in the Resource Management folder. You use this form to create and manage rules that are used with resources.

Figure 6-2 Rule Designer Form


There are four types of rules:

General: Enables Oracle Identity Manager to add a user to a user group automatically and to determine the password policy that is assigned to a resource object.

Process Determination: Determines the approval process for a request, and the approval and provisioning processes for a resource object.

Task Assignment: Specifies the user or user group that is assigned to a process task.

Prepopulate: Determines what prepopulate adapter is executed for a form field.

A rule contains the following items:

A rule element: Consists of an attribute, an operator, and a value. In Figure 6-2, the attribute is User Login, the operator is ==, and the value is XELSYSADM.

A nested rule: If one rule must be placed inside another rule for logic purposes, the internal rule is known as a nested rule. In Figure 6-2, a Rule to Prevent Solaris Access is nested in a Rule for Solaris.

An operation: When a rule contains multiple rule elements or nested rules, an operation shows the relationship among the components. In Figure 6-2, if the AND operation is selected, the User Login==XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule must both be true for the rule to be successful.

The following table describes the fields of the Rule Designer form.

Name: The rule's name.

AND/OR: These radio buttons specify the operation for the rule.

To stipulate that a rule is successful only when all the outer rule elements and nested rules are true, select the AND radio button. To indicate that a rule is successful if any of its outer rule elements or nested rules are true, select the OR radio button.

Important: These radio buttons do not reflect the operations for rule elements that are contained within nested rules. In Figure 6-2, the AND operation applies to the User Login == XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule. However, this operation has no bearing on the Object Name != Solaris rule element within the Rule to Prevent Solaris Access rule.

Type: The rule's classification status. A rule can belong to one of four types:

  • General: Enables Oracle Identity Manager to add a user to a user group automatically and determines the password policy that is assigned to a resource object.

  • Process Determination: Determines the standard approval process that is associated with a request, and the approval and provisioning processes that are selected for a resource object.

  • Task Assignment: Determines what user or user group is assigned to a process task.

  • Prepopulate: Determines what prepopulate adapter is used for a form field.

Sub-Type: A rule of type Process Determination, Task Assignment, or Prepopulate can be categorized into one of four sub-types:

  • Organization Provisioning: Classifies the rule as a provisioning rule.

    It determines the organization for which a process is provisioned, a task is assigned, or the prepopulate adapter is applied.

  • User Provisioning: Classifies the rule as a provisioning rule.

    It is used to determine the user for which a process is provisioned, a task is assigned, or a prepopulate adapter is applied.

  • Approval: Classifies the rule as an approval rule.

    It is used to approve the provisioning of resources to users or organizations.

  • Standard Approval: Classifies the rule as a standard approval rule.

    It is used to approve a request.

For Task Assignment or Prepopulate rule types, the Approval and Standard Approval items do not appear in the Sub-Type box. The Sub-Type box is disabled for a General rule type.

Object: The resource object that this rule is assigned to.

All Objects: If you select this check box, the rule can be assigned to all resource objects.

Process: The process that this rule is assigned to.

All Processes: If you select this check box, the rule can be assigned to all processes.

Description: Explanatory information about the rule.

Creating a Rule

The following procedure describes how to create a rule.

Caution:

In the following procedure, note that the radio buttons do not apply to rule elements within nested rules. For example, in Figure 6-2 the AND operation applies to the User Login==XELSYSADM rule element and the Rule to Prevent Solaris Access nested rule. But this operation has no bearing on the Object Name != Solaris rule element in the Rule to Prevent Solaris Access rule.

To create a rule:

  1. Open the Rule Designer form.

  2. In the Name field, enter the name of the rule.

  3. To stipulate that a rule is successful only when all of its rule elements or nested rules are true, select the AND radio button.

    To indicate that a rule is successful if any of its rule elements or nested rules are true, select the OR radio button.

  4. Click the Type box, and in the custom menu select the classification status (General, Process Determination, Task Assignment, or Prepopulate) to associate with the rule.

    For Process Determination, click Sub-Type and select the classification status (Organization Provisioning, User Provisioning, Approval, or Standard Approval) to associate with the rule.

    For Task Assignment or Prepopulate, click Sub-Type and select the classification status (Organization Provisioning or User Provisioning) to associate with the rule.

    If you select General from the Type box, proceed to Step 7.

  5. To associate the rule with a single resource object, double-click the Object lookup field, and in the Lookup dialog box select a resource object.

    If you want the rule to be accessible to all resource objects, select the All Objects check box.

  6. To assign a rule to one process, double-click the Process lookup field, and from the Lookup dialog box select the process to associate with the rule.

    Caution:

    The only processes that appear in this Lookup window are ones that are associated with the resource object you selected in Step 5.

    If you want the rule to be accessible with all processes, select the All Processes check box.

    Caution:

    If you selected a resource object in Step 5 and you select the All Processes check box, this rule is accessible by every process that is associated with the selected resource object.

  7. In the Description field, enter explanatory information about the rule.

  8. Click Save.

    The rule is created and the tabs of this form become functional.

Tabs on the Rule Designer Form

After you launch the Rule Designer form, and create a rule, the tabs of this form become operational.

The Rule Designer form contains the following tabs:

  • Rule Elements tab

  • Usage tab

Each of these tabs is discussed in the following sections.

Rule Elements Tab

From this tab, you can create and manage elements and nested rules for a rule. For example, in Figure 6-3, the Rule for Solaris contains the User Login==XELSYSADM rule element. It also has a nested Rule to Prevent Solaris Access. Figure 6-3 displays the Rule Elements tab of the Rule Designer form.

Figure 6-3 The Rule Elements Tab of the Rule Designer Form


The rule in Figure 6-3 can be applied to a provisioning process for the Solaris resource object. After this resource object is assigned to a request, the rule is triggered. If the target user's login is XELSYSADM, and the name of the resource object is Solaris, the Solaris resource object is provisioned to the user. Otherwise, the user will not be able to access Solaris.
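How the Rule Designer combines rule elements and nested rules (the AND/OR radio buttons, the scoping caution in the field table above, and the case-sensitive attribute values noted for the Edit Rule Element dialog box), as an added Python example that is not Oracle Identity Manager code. It builds the Rule for Solaris from the elements listed for Figure 6-2 and evaluates it against constructed attribute values; the class names, the trace helper, the nested rule's own operator (not shown on the page, so AND is assumed) and the treatment of a missing attribute are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class RuleElement:
    """Attribute, operation and value, as entered in the Edit Rule Element dialog box."""
    attribute: str
    operation: str  # the dialog offers only == and !=
    value: str

    def evaluate(self, attrs: Dict[str, str]) -> bool:
        actual = attrs.get(self.attribute)  # assumption: a missing attribute compares as None
        if self.operation == "==":
            return actual == self.value  # plain string compare: the value is case-sensitive
        if self.operation == "!=":
            return actual != self.value
        raise ValueError(f"unsupported operation {self.operation!r}")


@dataclass
class Rule:
    """A rule: its own AND/OR radio button plus its rule elements and nested rules."""
    name: str
    operator: str  # "AND" or "OR"
    components: List[Union[RuleElement, "Rule"]] = field(default_factory=list)

    def evaluate(self, attrs: Dict[str, str]) -> bool:
        # This rule's operator applies only to this rule's direct components. A nested
        # rule is evaluated with its own operator and contributes a single true/false.
        results = [c.evaluate(attrs) for c in self.components]
        if self.operator == "AND":
            return all(results)  # assumption: a rule with no components passes under AND
        if self.operator == "OR":
            return any(results)
        raise ValueError(f"unsupported operator {self.operator!r}")


Trace = Tuple[str, bool, list]


def trace(component: Union[RuleElement, Rule], attrs: Dict[str, str]) -> Trace:
    """(label, result, child traces): shows which element decided the outcome, for auditing."""
    if isinstance(component, RuleElement):
        label = f"{component.attribute} {component.operation} {component.value}"
        return (label, component.evaluate(attrs), [])
    children = [trace(c, attrs) for c in component.components]
    return (f"{component.name} [{component.operator}]", component.evaluate(attrs), children)


# The rules of Figure 6-2 / 6-3, built from the elements the page lists.
RULE_TO_PREVENT_SOLARIS_ACCESS = Rule(
    "Rule to Prevent Solaris Access", "AND",  # nested rule's operator: assumed
    [RuleElement("Object Name", "!=", "Solaris")],
)
RULE_FOR_SOLARIS = Rule(
    "Rule for Solaris", "AND",
    [RuleElement("User Login", "==", "XELSYSADM"), RULE_TO_PREVENT_SOLARIS_ACCESS],
)


def outer_operator_changed(rule: Rule, operator: str) -> Rule:
    """Flip the outer radio button; nested rules keep their own operators."""
    return Rule(rule.name, operator, list(rule.components))


if __name__ == "__main__":
    # Constructed attribute values, as they would come from user and object information.
    print(trace(RULE_FOR_SOLARIS, {"User Login": "XELSYSADM", "Object Name": "Solaris"}))
```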

When a rule element or nested rule is no longer valid, you need to remove it from the rule.

The following procedures describe how to:

  • Add a rule element to a rule

  • Add a nested rule to a rule

  • Remove a rule element or nested rule from a rule

Adding a Rule Element to a Rule

The following procedure describes how to add a rule element to a rule.

To add a rule element to a rule:

  1. Click Add Element.

    The Edit Rule Element dialog box appears.

    The custom menus in the boxes on the Edit Rule Element dialog box reflect the items in the Type and Sub-Type boxes of the Rule Designer form.

    The following table describes the data fields in the Edit Rule Element dialog box.

    Attribute Source: From this box, select the source of the attribute. For example, if the attribute you want to select is Object Name, the attribute source to select would be Object Information.

    User-Defined Form: This field displays the user-created form that is associated with the attribute source that appears in the adjacent box.

    Note: If Object Data or Process Data do not appear in the Attribute Source box, the User-Defined Form field will be empty.

    Attribute: From this box, select the attribute for the rule.

    Operation: From this box, select the relationship between the attribute and the attribute value (== or !=).

    Attribute Value: In this text box, enter the value for the attribute.

    Note: The attribute's value is case-sensitive.

  2. Set the parameters for the rule you are creating, as shown in Figure 6-4.

    Figure 6-4 Edit Rule Element Window -- Filled


    In this example, if the Login ID of the target user is XELSYSADM, the rule element is true. Otherwise, it is false.

    See also:

    For more information on what parameters to select, see "Rule Elements Tab".

  3. From the Toolbar of the Edit Rule Element dialog box, click Save, then click Close.

    The rule element appears in the Rule Elements tab of the Rule Designer form.

  4. From the main screen's toolbar, click Save.

    The rule element is added to the rule.

Adding a Nested Rule to a Rule

The following procedure describes how to nest a rule within a rule.

Caution:

In the following procedure, only rules of the same type and sub-type as the parent rule appear in the Select Rule window.

To add a nested rule:

  1. Click Add Rule.

    The Select Rule dialog box appears.

  2. Select the desired nested rule and click Save.

  3. Click Close.

    The nested rule appears in the Rule Elements tab of the Rule Designer form.

  4. From the main screen's Toolbar, click Save.

    The nested rule is added to the rule.

Removing a Rule Element or Nested Rule From a Rule

The following procedure describes removing a rule element or a nested rule.

To remove a rule element or nested rule from a rule:

  1. Highlight the rule element or nested rule that you want to remove.

  2. Click Delete.

    The rule element or nested rule is removed from the rule.

Usage Tab

This tab appears on the Rule Designer form. The information in the Usage tab reflects the rule's classification type. For example, if a rule type is Pre-Populate, the user-created field that this rule is applied to appears in this tab.

Figure 6-5 illustrates the Usage tab.

Figure 6-5 Usage Tab of the Rule Designer Form


This tab displays the following items:

  • The password policy, resource object, process, process task, auto-group membership criteria, user group, Oracle Identity Manager form field, and pre-populate adapter associated with a rule.

  • A one-letter code, signifying the rule's classification type (A=Approval, P=Provisioning).

    This code appears for process determination rules only.

  • The rule's priority number.

In Figure 6-5, the Rule to Approve Solaris has been assigned to the Solaris Resource Object and the Process to Approve Solaris. Since this is an approval rule, its classification type is A. The priority of this rule is 1, indicating that it was the first approval rule that Oracle Identity Manager was scheduled to evaluate, once the corresponding resource object was assigned to a request.

Rule Designer Table

The Rule Designer Table, as shown in Figure 6-6, displays all available rules defined in the Rule Designer form.

Figure 6-6 The Rule Designer Table


The Rule Designer Table displays the following information:

Rule Name: The name of the rule.

Rule Type: A rule can belong to one of four types:

  • General: Enables Oracle Identity Manager to add a user to a user group automatically and determines the password policy that is assigned to a resource object.

  • Process Determination: Determines the standard approval process that is associated with a request, and the approval and provisioning processes that are selected for a resource object.

  • Task Assignment: Determines what user, user group, or both are assigned to a process task.

  • Pre-Populate: Determines what pre-populate adapter is executed for a given form field.

Rule Sub-Type: A rule of type Process Determination, Task Assignment, or Pre-Populate can be categorized into one of four sub-types:

  • Organization Provisioning: Classifies the rule as a provisioning rule.

    You use this to determine the organization for which a process is provisioned, a task is assigned, or the pre-populate adapter is applied.

  • User Provisioning: Classifies the rule as a provisioning rule.

    You use this to determine the user for which a process is provisioned, a task is assigned, or a pre-populate adapter is applied.

  • Approval: Classifies the rule as an approval rule.

    It is used to approve the provisioning of resources to users or organizations.

  • Standard Approval: Classifies the rule as a standard approval rule.

    It is used to approve a request.

Rule Operator: The relationship between the attribute and the attribute value (== or !=).

Description: Explanatory information about the rule.

Last Updated: The date when the rule was last updated.

The Resource Objects Form

The Resource Objects form is located in the Resource Management folder. You use this form to create and manage the resource objects for the Oracle Identity Manager resources that you want to provision for organizations or users. Resource object definitions serve as templates when provisioning the resource. However, how the resource is approved and provisioned depends on the design of the approval and provisioning processes that you link to the resource object.

Note:

For more information on requests, and their relationship with resource objects, refer to "The Administrative Queues Form".

The following table describes the data fields of the Resource Objects form.

Name: The resource object's name.

Table Name: The name of the resource object form that is associated with this resource. (This is actually the name of the table that represents the form.)

Order For User/Order For Organization: Use these radio buttons to determine if the resource object can be requested for users or organizations.

To request the resource object for a user, select the Order For User radio button. To request the resource object for an organization, select the Order For Organization radio button.

Auto Pre-Populate: This check box designates whether a custom form will be populated by Oracle Identity Manager or a user. This applies to the following kinds of forms:

  • Forms that are associated with the resource object

  • Forms with fields that have pre-populate adapters attached to them

If the Auto Pre-Populate check box is selected, after the associated custom form appears, the fields with pre-populate adapters are populated with data.

If this check box is cleared, a user must populate the fields by clicking the Pre-Populate button on the toolbar.

Important: This setting does not control the triggering of the pre-populate adapter. It determines whether the contents resulting from the execution of the adapter appear in the associated field because of Oracle Identity Manager or a user.

For more information on pre-populate adapters, refer to the Oracle Identity Manager Tools Reference Guide.

Note: This checkbox is only relevant if you have created a form that is to be associated with the resource object.

Type: The resource object's classification status. A resource object can belong to one of three types:

  • Application: Classifies this resource object as an application.

  • Generic: This type of resource object contains business-related processes.

  • System: Oracle Identity Manager uses this type of resource object internally.

    Do not modify system resource objects without first consulting Oracle.

Allow Multiple: Designates whether the resource may be provisioned more than once to a user or organization. If it is selected, the resource object can be provisioned more than once per user or organization.

Auto Save: By selecting this check box, Oracle Identity Manager saves the data in any resource-specific form that was created using the Form Designer form without first displaying the form.

If you select this checkbox, you must supply system data, a rule generator adapter, or an entity adapter to populate the form with the required data. This is required because the user will not be able to access the form.

Note: This checkbox is only relevant if you have created a form for the provisioning of the resource object.

Self Request Allowed: By selecting this check box, users as well as the System Administrator can request the resource object for themselves.

Note: This functionality only applies to Oracle Identity Manager Design Console. It is not applicable to the Oracle Identity Manager Administrative and User Console.

Allow All: By selecting this check box, the resource object can be requested for all Oracle users. This setting takes precedence over whether the organization to which a user belongs has allowed the resource to be requestable for its users.

Auto Launch: By default, this checkbox is checked at the time of object creation. Oracle Identity Manager automatically initiates the provisioning process when the resource's approval process has achieved a status of Completed.

Oracle Identity Manager automatically makes all resource objects set to Auto Launch, even though this checkbox is cleared.

Provision by Object Admin Only: This check box is used to designate who may provision this resource, either using direct provisioning or by manually initiating the provisioning process when the Auto Launch check box is cleared.

If this check box is selected, only users who are members of the groups listed on the Object Administrators tab will be allowed to provision this resource object (either directly or by manually initiating the provisioning process from the request).

If this check box is cleared, no restriction will be placed on who can directly provision this resource.

Creating a Resource Object

The following procedure describes how to create a resource object.

To create a resource object:

  1. Open the Resource Objects form.

  2. In the Name field, enter the name of the resource object.

  3. Double-click the Table Name lookup field.

    From the Lookup dialog box, select the table that represents the form that will be associated with the resource object.

  4. To request the resource object for a user, select the Order For User radio button.

    To request the resource object for an organization, select the Order For Organization radio button.

    Note:

    A resource object can be requested for either one user or one organization.

  5. If a custom form is to be associated with the resource object, this form contains fields that have pre-populate adapters attached to them, and you want these fields to be populated automatically by Oracle Identity Manager, select the Auto Pre-Populate check box.

    If the fields of this form are to be populated manually (by a user clicking the Pre-Populate button on the Toolbar), clear the Auto Pre-Populate check box.

    Note:

    If the resource object has no custom form associated with it, or this form's fields have no pre-populate adapters attached to them, clear the Auto Pre-Populate check box. For more information on pre-populate adapters, refer to Oracle Identity Manager Tools Reference Guide.

  6. Double-click the Type lookup field.

    From the Lookup dialog box that is displayed, select the classification status (Application, Generic, or System) to associate with the resource object.

  7. If you want multiple instances of the resource object to be requested for a user or an organization, select the Allow Multiple check box.

    Otherwise, proceed to Step 8.

  8. When you want Oracle Identity Manager to save the data in any resource-specific form (created using the Form Designer form) without first displaying the form, select the Auto Save check box.

    Otherwise, proceed to Step 9.

    Caution:

    If you select this check box, you must supply system data, a rule generator adapter, or an entity adapter to populate the form with the required data, since the user will be unable to access the form.

    Set this checkbox only if you have created a form for provisioning the resource object.

  9. If you want the System Administrator to be able to request the resource object for himself or herself, select the Self Request Allowed check box.

    Otherwise, proceed to Step 10.

  10. To provision the resource object for all users, regardless of whether the organization to which the user belongs has the resource object assigned to it, select the Allow All check box.

    Otherwise, proceed to Step 11.

  11. If you want Oracle Identity Manager to automatically initiate the provisioning process when the resource object's approval process has achieved a status of Completed, select the Auto Launch check box.

    Otherwise, proceed to Step 12.

    Caution:

    By default, Oracle Identity Manager automatically sets all resource objects to Auto Launch, even though this checkbox is cleared.

  12. To restrict the user groups that can provision this resource object to groups that appear in the Object Authorizers tab of the Resource Objects form, select the Provision by Object Admin Only check box.

    This applies to resource objects that are provisioned directly or by assignment to a request.

    Otherwise, proceed to Step 13.

  13. Click Save.

    The resource object is created.

Tabs on the Resource Objects Form

Once you launch the Resource Objects form, and create a resource object, the tabs of this form become functional.

The Resource Objects form contains the following tabs, each of which is described in its own section below:

  • Depends On

  • Object Authorizers

  • Process Determination Rules

  • Event Handlers and Adapters

  • Status Definition

  • Administrators

  • Password Policies Rule

  • User-Defined Fields

  • Process

  • Object Reconciliation

Depends On Tab

From this tab, you can select resource objects that Oracle Identity Manager must provision before provisioning the current resource object. If Oracle Identity Manager can provision the current resource object without first provisioning a resource object that appears in the Depends On tab, you must remove that resource object from the tab.

The following topics are related to the Depends On tab:

  • Selecting a resource object on which the current resource object is dependent

  • Removing a dependent resource object

Selecting a Dependent Resource Object

The following procedure describes how to select a dependent resource object.

To select a dependent resource object:

  1. Click Assign.

    The Assignment dialog box appears.

  2. Select the resource object that must be provisioned first, and assign it to the current resource object.

  3. Click OK.

    The dependent resource object is selected.

Removing a Dependent Resource Object

The following procedure describes how to remove a dependent resource object.

To remove a dependent resource object:

  1. Highlight the dependent resource object that you want to remove.

  2. Click Delete.

    The resource object is removed from the Depends On tab.

Object Authorizers Tab

Use this tab to specify user groups that are the Object Authorizers for this resource. You can select users who are members of the Object Authorizers groups as targets for task assignments.

Each user group on the Object Authorizers tab has a priority number. When a task's assignment target is Object Authorizer User with Highest Priority, Oracle Identity Manager uses the priority number to determine which user to assign the task to. The priority number is also used when a task assigned to a group is escalated because nobody has acted on it. You can increase or decrease the priority number of any user group on this tab.

For example, suppose that you configure members of the SYSTEM ADMINISTRATORS user group to be Object Authorizers, and that a process task associated with this resource object has a task assignment rule whose assignment criterion is Object Authorizer User with Highest Priority. Because the SYSTEM ADMINISTRATORS group has priority number 1, the first user authorized to complete this process task is the highest-priority user who belongs to that group. If that user does not complete the process task within the configured time, Oracle Identity Manager reassigns the task to the user with the next highest priority in the SYSTEM ADMINISTRATORS group.

See also:

For more information on task assignment rules and process tasks, see "The Rule Designer Form" and "Assignment Tab of the Editing Task Window".

The following sections discuss:

  • Assigning a user group to a resource object

  • Removing a user group from a resource object

  • Changing the priority number for a user group

Assigning a User Group to a Resource Object

The following procedure describes how to assign a user group to a resource object.

To assign a user group to a resource object:

  1. Click Assign.

    The Assignment dialog box appears.

  2. Select a user group, and assign it to the resource object.

  3. Click OK.

    The user group is selected.

Removing a User Group From a Resource Object

The following procedure describes how to remove a user group from a resource object.

To remove a user group from a resource object:

  1. Highlight the desired user group.

  2. Click Delete.

    The user group is removed from the Object Authorizers tab.

Changing a User Group's Priority Number

The following procedure describes changing a user group's priority number.

To change a user group's priority number:

  1. Highlight the user group whose priority number you wish to change.

  2. To raise the selected user group's priority number by one, click Increase.

    To lower this user group's priority by one, click Decrease.

    To increase or decrease a user group's priority number by more than one, click the appropriate button repeatedly. For example, to raise the priority number of a user group by two, click the Increase button twice.

  3. Click Save.

    The user group's priority number is changed to the value you selected.

Process Determination Rules Tab

A request is a mechanism for provisioning resources to users or organizations. A user interacts with a request to approve the provisioning of resources to target users or organizations. Each request must have a resource object assigned to it. Each resource object consists of one or more provisioning processes and one or more approval processes.

A resource object acts as a template when the resource is provisioned to users or organizations. This template can be linked to multiple approval and provisioning processes. Oracle Identity Manager uses process determination rules to select an approval and provisioning process when a resource is requested or directly provisioned.

Process determination rules provide the following criteria:

  • What approval and provisioning process to select when a resource is requested

  • What provisioning process to select when a resource is provisioned directly

Each approval process and provisioning process usually has a process determination rule. Each rule and process combination has a priority number that indicates the order in which Oracle Identity Manager will evaluate it.

If the condition of a rule is false, Oracle Identity Manager evaluates the rule with the next highest priority. If a rule is true, Oracle Identity Manager executes the process associated with it. For example, when a resource is requested or provisioned directly, Oracle Identity Manager evaluates the Rule to See if Solaris is Needed and the Rule to Check Provisioning of Solaris for IT Dept. Each of these rules has the highest priority in its region (approval and provisioning, respectively). If the conditions of these rules are true, Oracle Identity Manager executes the processes associated with them: in this example, the Check if Solaris is Needed approval process and the Provision Solaris for IT Dept. provisioning process.

As a variation of the example, if the resource is requested or provisioned directly and the Rule to Check Provisioning of Solaris for IT Dept. rule is false, Oracle Identity Manager would evaluate the Rule to Check Provisioning of Solaris for Developers rule. If this rule were true, Oracle Identity Manager would execute the Provision Solaris for Devel. provisioning process associated with that rule.

Adding a Process Determination Rule to a Resource Object

The following procedure describes how to add a process determination rule to a resource object.

To add a process determination rule to a resource object:

  1. Click Add in either the Approval Processes or Provisioning Processes region, depending on the rule/process combination you intend to create.

  2. From the row that is displayed, double-click the Rules lookup field.

  3. From the Lookup dialog box that is displayed, select a rule, and assign it to the resource object (only rules of type Process Determination are available for selection).

  4. Click OK.

  5. In the adjacent column, double-click the Processes lookup field.

  6. From the Lookup dialog box, select the desired process, and assign it to the rule.

  7. Click OK.

  8. Enter a numeric value in the Priority field.

    This determines the order in which Oracle Identity Manager evaluates the rule and process combination.

  9. Click Save.

    The rule and process combination is added to the resource object.

Remove a Process Determination Rule From a Resource Object

To remove a process determination rule from a resource object, perform the following steps:

  1. Highlight the desired rule and process combination.

  2. Click Delete.

    The rule and process combination is removed from the resource object.

Event Handlers and Adapters Tab

A resource object may have data that needs to be handled in a particular fashion. For example, a resource object's provisioning process may contain tasks that must be completed automatically.

When this occurs, you must assign an event handler or an adapter to the resource object. An event handler is a software routine that provides the processing of this specialized information. An adapter is a specialized type of event handler that generates the Java code, which enables Oracle Identity Manager to communicate and interact with external resources.

When an event handler or adapter that has been assigned to a resource object is no longer valid, you must remove it from the resource object.

For this example, the adpAUTOMATEPROVISIONINGPROCESS adapter has been assigned to the Solaris resource object. Once this resource object is assigned to a request, Oracle Identity Manager triggers the adapter, and the associated provisioning process is executed automatically.

Assigning an Event Handler or Adapter to a Resource Object

The following procedure describes how to assign an event handler or adapter to a resource object.

To assign an event handler or adapter to a resource object, perform the following steps:

  1. Click Assign.

    The Assignment dialog box appears.

  2. Select an event handler, and assign it to the resource object.

  3. Click OK.

    The event handler is assigned to the resource object.

Remove an Event Handler or Adapter From a Resource Object

To remove an event handler or adapter from a resource object, perform the following steps:

  1. Highlight the desired event handler.

  2. Click Delete.

    The event handler is removed from the resource object.

Status Definition Tab

You use this tab to set provisioning status for a resource object. A provisioning status indicates the status of a resource object throughout its lifecycle, until it is provisioned to the target user or organization. You can view the provisioning status of a resource object from the Status region of the Currently Provisioned tab.

Every provisioning status of a resource object is associated with a task status for the relevant provisioning process. Oracle Identity Manager selects the provisioning process when the resource object is assigned to a request. For example, if the Provision for Developers process is selected, and a task in this process achieves a status of Completed, the corresponding status of the resource object can be set to Provisioned. This way, you can see how the resource object relates to the provisioning process, quickly and easily.

A resource object has the following pre-defined statuses:

  • Waiting: This resource object depends on other resource objects that have not yet been provisioned.

  • Revoked: The resources represented by the resource object are provisioned to target users or organizations that have been permanently de-provisioned from using the resources.

  • Ready: This resource object either does not depend on any other resource objects, or all resource objects upon which this resource object depends are provisioned.

    After a resource is assigned to a request and the resource object's status is Ready, Oracle Identity Manager evaluates the process determination rules to determine the approval and provisioning processes. When this happens, the status of the resource object changes to Provisioning.

  • Provisioning: The resource object is assigned to a request, and an approval process and a provisioning process have been selected.

  • Provisioned: The resources represented by the resource object are provisioned to the target users or organizations.

  • Provide Information: Additional information is required before the resources represented by the resource object can be provisioned to the target users or organizations.

  • None: This status does not represent the provisioning status of the resource object. Rather, it signifies that a task that belongs to the provisioning process that Oracle Identity Manager selects has no effect on the status of the resource object.

  • Enabled: The resources represented by the resource object are provisioned to the target users or organizations and these users or organizations have access to the resources.

  • Disabled: The resources represented by the resource object are provisioned to the target users or organizations, but these users or organizations have temporarily lost access to the resources.

Each provisioning status has a corresponding Launch Dependent check box. If the check box is selected and the resource object achieves that provisioning status, Oracle Identity Manager enables dependent resource objects to launch their own provisioning processes.

For example, suppose that the Exchange resource object has the Launch Dependent check box selected for the Provisioned and Enabled provisioning statuses. Once the provisioning status of Exchange changes to Provisioned or Enabled, Oracle Identity Manager checks whether any other resource objects list Exchange on their Depends On tab and are waiting for it. If there are, Oracle Identity Manager evaluates the process determination rules of those dependent resource objects and launches their approval and provisioning processes.

You may want to add additional provisioning statuses to a resource object to reflect the various task statuses of a provisioning process. For example, when the status of a task that belongs to a provisioning process is Rejected, you may want to set the corresponding provisioning status of the resource object to Revoked.

Similarly, when an existing provisioning status is no longer valid, you need to remove it from the resource object.
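The following Python program is an added example; it is not part of this guide or of Oracle Identity Manager. It models the interaction between the Depends On tab, the Waiting and Ready statuses, and the Launch Dependent check box: an object assigned to a request starts as Waiting while any prerequisite is outstanding, and is released to Ready only when every prerequisite has reached one of its own Launch Dependent statuses. The data model, the AD and Exchange wiring, and the cycle check are assumptions; the cycle check is included because a loop across Depends On tabs would leave every object in the loop Waiting indefinitely.

```python
"""Dependency-gated provisioning, as described for the Depends On tab, the
Status Definition tab and the Launch Dependent check box.

Added example; not Oracle Identity Manager code.  From the text: an object is
Waiting while a prerequisite is unprovisioned and Ready otherwise, and a
prerequisite reaching a status flagged Launch Dependent lets its dependents
proceed.  The data model, the cycle check and the AD/Exchange wiring are
assumptions made for this example."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ResourceObject:
    name: str
    depends_on: frozenset = field(default_factory=frozenset)       # Depends On tab
    launch_dependent: frozenset = field(default_factory=frozenset) # statuses with Launch Dependent set
    status: Optional[str] = None   # None until the object is assigned to a request


class ProvisioningGraph:
    def __init__(self, objects):
        self.objects = {o.name: o for o in objects}
        for obj in objects:
            unknown = obj.depends_on - set(self.objects)
            if unknown:
                raise ValueError(f"{obj.name} depends on unknown objects {sorted(unknown)}")
        self._reject_cycles()

    def _reject_cycles(self):
        """A dependency loop would leave every object in it Waiting forever."""
        state = {}   # name -> "visiting" or "done"

        def visit(name):
            state[name] = "visiting"
            for dep in self.objects[name].depends_on:
                if state.get(dep) == "visiting":
                    raise ValueError(f"dependency cycle through {name} and {dep}")
                if dep not in state:
                    visit(dep)
            state[name] = "done"

        for name in self.objects:
            if name not in state:
                visit(name)

    def prerequisites_met(self, name: str) -> bool:
        """True when every prerequisite sits in one of its own Launch Dependent statuses."""
        return all(self.objects[dep].status in self.objects[dep].launch_dependent
                   for dep in self.objects[name].depends_on)

    def assign_to_request(self, name: str) -> str:
        """Initial status on assignment: Ready, or Waiting if a prerequisite is outstanding."""
        obj = self.objects[name]
        obj.status = "Ready" if self.prerequisites_met(name) else "Waiting"
        return obj.status

    def set_status(self, name: str, status: str) -> list:
        """Record a provisioning status; return dependents released from Waiting to Ready."""
        obj = self.objects[name]
        obj.status = status
        released = []
        if status in obj.launch_dependent:
            for other in self.objects.values():
                if (other.status == "Waiting" and name in other.depends_on
                        and self.prerequisites_met(other.name)):
                    other.status = "Ready"
                    released.append(other.name)
        return sorted(released)


def build_example() -> ProvisioningGraph:
    """Constructed wiring: Exchange depends on AD; both release dependents on Provisioned or Enabled."""
    ad = ResourceObject("AD", launch_dependent=frozenset({"Provisioned", "Enabled"}))
    exchange = ResourceObject("Exchange", depends_on=frozenset({"AD"}),
                              launch_dependent=frozenset({"Provisioned", "Enabled"}))
    return ProvisioningGraph([ad, exchange])


if __name__ == "__main__":
    graph = build_example()
    print("Exchange assigned:", graph.assign_to_request("Exchange"))          # Waiting
    print("AD assigned:", graph.assign_to_request("AD"))                      # Ready
    print("AD -> Provisioning releases:", graph.set_status("AD", "Provisioning"))
    print("AD -> Provisioned releases:", graph.set_status("AD", "Provisioned"))
```

Note that only a status flagged Launch Dependent releases dependents; AD moving to Provisioning leaves Exchange Waiting, and a prerequisite that later moves to Revoked does not pull an already Ready dependent back, so a deprovisioning path needs its own handling.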

The following sections discuss how to add a provisioning status to a resource object and remove a provisioning status from a resource object.

Adding a Provisioning Status to a Resource Object

The following procedure describes how to add a provisioning status to a resource object.

To add a provisioning status to a resource object:

  1. Click Add.

  2. Add a provisioning status in the Status field.

  3. When you want other, dependent resource objects to launch their own approval and provisioning processes once the resource object achieves the provisioning status you are adding, select the Launch Dependent check box.

    Otherwise, proceed to Step 4.

  4. Click Save.

    The provisioning status is added to the resource object.

Removing a Provisioning Status from a Resource Object

The following procedure describes removing a provisioning status from a resource object.

To remove a provisioning status from a resource object:

  1. Highlight the desired provisioning status.

  2. Click Delete.

    The provisioning status is removed from the resource object.

Administrators Tab

This tab is used to select user groups that can view, modify, and delete the current resource object.

When the Write check box is selected, the corresponding user group can modify the current resource object. When the Delete check box is selected, the associated user group can delete the current resource object.

For example, the SYSTEM ADMINISTRATORS user group can view, modify, and delete the Solaris resource object. The OPERATORS user group can only view and modify this resource object—its Delete check box is cleared.

The following sections describe how to assign a user group to a resource object, and remove a user group from a resource object.

Assigning a User Group to a Resource Object

The following procedure describes how to assign a user group to a resource object.

To assign a user group to a resource object:

  1. Click Assign.

    The Assignment dialog box appears.

  2. Select the user group, and assign it to the resource object.

  3. Click OK.

    The user group appears in the Administrators tab. By default, all members of this group can view the active record.

  4. If you want this user group to be able to modify the current resource object, double-click the corresponding Write check box.

    Otherwise, proceed to Step 5.

  5. If you want this user group to be able to delete the current resource object, double-click the associated Delete check box.

    Otherwise, proceed to Step 6.

  6. Click Save.

    The user group is assigned to the resource object.

Removing a User Group from a Resource Object

The following procedure describes how to remove a user group from a resource object.

To remove a user group from a resource object:

  1. Highlight the user group that you want to remove.

  2. Click Delete.

    The user group is removed from the resource object.

Password Policies Rule Tab

If a resource object is of type Application and you want to provision it to a user or organization, you may want that user or organization to meet password criteria before accessing the resource. These criteria are defined and managed as password policies, which you create using the Password Policies form.

As the resource object definition is only a template for governing how a resource is to be provisioned, Oracle Identity Manager must be able to make determinations about how to provision the resource based on actual conditions and rules. These conditions may not be known until the resource is actually requested. Therefore, rules must be linked to the various processes and password policies associated with a resource to allow Oracle Identity Manager to decide which ones to invoke in any given context.

Oracle Identity Manager determines which password policy to apply to the resource when creating or updating a particular user's account by evaluating the password policy rules of the resource and applying the criteria of the policy associated with the first rule that is satisfied. Each rule has a priority number, which indicates the order in which Oracle Identity Manager will evaluate it.

For example, suppose that the Rule to Prevent Solaris Access rule has the highest priority among the password policy rules of a resource object. Oracle Identity Manager evaluates this rule first. If the rule is true, Oracle Identity Manager applies the criteria of the Restrict Solaris password policy to the password of the account being created or updated.

If the rule is false, Oracle Identity Manager evaluates the rule with the next highest priority. If that rule is true, Oracle Identity Manager applies the password policy associated with it to the password of the account being created or updated.

The following sections describe how to add a password policy rule to a resource object and how to remove a rule that is no longer valid.
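The following Python program is an added example, not code from this guide or from Oracle Identity Manager. It models the priority-ordered rule evaluation that both the Process Determination Rules tab and the Password Policies Rule tab rely on: rules are evaluated from the highest priority downward, and the first satisfied rule selects the process or the password policy. For the password policy half, the program then applies the selected policy's criteria to a candidate password, which is the step that actually decides whether an account password is accepted. The rule, process and policy names follow the Solaris examples in the text; the predicates, the fallback rule, the numeric criteria and the convention that priority 1 is evaluated first are assumptions.

```python
"""Priority-ordered rule evaluation, as used by the Process Determination Rules
tab and the Password Policies Rule tab.

Added example; not Oracle Identity Manager code.  Rule conditions are plain
predicates over a dict of request attributes.  Assumed: priority 1 is evaluated
first, a direct provision skips approval, and the policy criteria below."""

from dataclasses import dataclass
from typing import Callable, Optional

Condition = Callable[[dict], bool]


@dataclass(frozen=True)
class RuleBinding:
    rule_name: str
    condition: Condition
    target: str      # name of the process or password policy the rule selects
    priority: int    # lower number = evaluated earlier (assumption)


def first_satisfied(bindings: list, context: dict) -> Optional[str]:
    """Evaluate rules in ascending priority and return the target of the first true one."""
    for binding in sorted(bindings, key=lambda b: b.priority):
        if binding.condition(context):
            return binding.target
    return None


# Rule and process names follow the text's Solaris example; the predicates are constructed.
APPROVAL_RULES = [
    RuleBinding("Rule to See if Solaris is Needed",
                lambda c: c.get("needs_solaris", False),
                "Check if Solaris is Needed", 1),
]
PROVISIONING_RULES = [
    RuleBinding("Rule to Check Provisioning of Solaris for IT Dept.",
                lambda c: c.get("department") == "IT",
                "Provision Solaris for IT Dept.", 1),
    RuleBinding("Rule to Check Provisioning of Solaris for Developers",
                lambda c: c.get("department") == "Development",
                "Provision Solaris for Devel.", 2),
]


def determine_processes(context: dict, requested: bool) -> tuple:
    """Return (approval_process, provisioning_process) for a request or a direct provision.

    Approval rules are consulted only for a request; a direct provision has no
    approval step.  No matching provisioning rule is an error rather than a
    silent fallback, so a misconfigured resource object cannot provision by accident."""
    approval = first_satisfied(APPROVAL_RULES, context) if requested else None
    provisioning = first_satisfied(PROVISIONING_RULES, context)
    if provisioning is None:
        raise LookupError("no process determination rule matched for provisioning")
    return approval, provisioning


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    require_digit: bool
    require_special: bool


# "Rule to Prevent Solaris Access" and "Restrict Solaris" come from the text; the
# fallback rule, its policy and every numeric criterion are assumptions.
PASSWORD_POLICIES = {
    "Restrict Solaris": PasswordPolicy("Restrict Solaris", 14, True, True),
    "Standard Solaris": PasswordPolicy("Standard Solaris", 8, True, False),
}
PASSWORD_POLICY_RULES = [
    RuleBinding("Rule to Prevent Solaris Access",
                lambda c: c.get("contractor", False), "Restrict Solaris", 1),
    RuleBinding("Default Solaris Password Rule", lambda c: True, "Standard Solaris", 2),
]


def select_password_policy(context: dict) -> PasswordPolicy:
    """Pick the policy of the first satisfied password policy rule."""
    name = first_satisfied(PASSWORD_POLICY_RULES, context)
    if name is None:
        raise LookupError("no password policy rule matched")
    return PASSWORD_POLICIES[name]


def password_violations(policy: PasswordPolicy, password: str) -> list:
    """Apply the selected policy's criteria; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not any(ch.isdigit() for ch in password):
        problems.append("no digit")
    if policy.require_special and all(ch.isalnum() for ch in password):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    ctx = {"needs_solaris": True, "department": "IT", "contractor": True}
    print(determine_processes(ctx, requested=True))
    policy = select_password_policy(ctx)
    print(policy.name, password_violations(policy, "short1!"))
```

Because evaluation stops at the first true rule, a catch-all rule must carry the lowest priority (highest number); give it priority 1 and the restrictive policy is never applied.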

Adding a Password Policy Rule to a Resource Object

The following procedure describes how to add a password policy rule to a resource object.

To add a password policy rule to a resource object:

  1. Click Add.

  2. From the row that appears, double-click the Rule lookup field.

  3. From the Lookup dialog box that is displayed, select a rule, and assign it to the resource object.

  4. Click OK.

  5. In the adjacent column, double-click the Policy lookup field.

  6. From the Lookup dialog box that is displayed, select an associated password policy, and assign it to the resource object.

  7. Click OK.

  8. Add a numeric value in the Priority field.

    This field contains the rule's priority number.

  9. Click Save.

    The password policy rule is added to the resource object.

Removing a Password Policy Rule From a Resource Object

The following procedure describes how to remove a password policy rule from a resource object.

To remove a password policy rule from a resource object:

  1. Highlight the desired password policy rule.

  2. Click Delete.

    The password policy rule is removed from the resource object.

User-Defined Fields Tab

You use this tab to view and access user-defined fields that were created for the Resource Objects form. Once a user-defined field is created, it appears on this tab and can accept and supply data.

See also:

For instructions on how to create user-defined fields on existing Oracle Identity Manager forms, see "The User Defined Field Definition Form".

Process Tab

The Process tab displays all approval and provisioning processes that are associated with the current resource object. The Default check boxes on this tab indicate what approval or provisioning processes are the defaults for the resource.

Note:

You create approval and provisioning processes and associate them with a resource using the Process Definition form. Each process can then be linked to a process determination rule using the Process Determination Rules tab of the Resource Object form.

For example, suppose that the Solaris resource object has one approval processes assigned to it and one provisioning processes (Provision Solaris for Devel.) associated with it. The Provision Solaris for Devel. has been designated as the default provisioning process for this resource object.

Object Reconciliation Tab

This tab contains two sub-tabs, Reconciliation Fields and Reconciliation Action Rules.

  • The Reconciliation Fields tab is used to define the fields on the target resources/trusted sources that are to be reconciled with (that is, mapped to) information in Oracle Identity Manager.

  • The Reconciliation Action Rules tab is used to specify the actions Oracle Identity Manager is to take when particular matching conditions are met.

Reconciliation Fields Tab

This tab is used to define the fields on the target resources/trusted sources that are to be reconciled with (that is, mapped to) information in Oracle Identity Manager. For each field on the target system/trusted source, the following information is listed:

  • Name of the field on the target resource/trusted source that is to be reconciled with data in Oracle Identity Manager (for example, targetfield1)

  • Data type associated with the field (for example, String). Possible values are Multi-Valued, String, Number, Date, IT resource

  • Indicator designating whether this field is required in a reconciliation event

Note:

Oracle Identity Manager will not begin to match potential provisioning processes, users or organizations to the reconciliation event until all fields which have been set as required are processed on the Reconciliation Data tab of the Reconciliation Manager form.

An example of a target system field definition might appear as follows:

TargetField1 [String], Required

Adding a Reconciliation Field

The following procedure adds a field from the target system or trusted source to the list of fields that are to be reconciled with information in Oracle Identity Manager. For a trusted source, this must be the user resource definition.

Note:

Before Oracle Identity Manager can successfully perform reconciliation with an external target resource or trusted source, the fields you have defined on this tab must be mapped to the appropriate Oracle Identity Manager fields using the Field Mappings tab of the resource's default provisioning process.

To add a reconciliation field:

  1. Click Add Field.

    The Add Reconciliation Field dialog box appears.

  2. Enter the name of the field on the target resource/trusted source in the Field Name field.

    This is the name by which you wish to reference the target resource/trusted source field in Oracle Identity Manager.

  3. Select one of the following values from the menu in the Field Type field:

    • Multi-Valued (for use with fields that contain one or more component fields)

    • String

    • Number

    • Date

    • IT resource (only to be used with fields that reference the machine on which the user account is provisioned)

  4. Set the Required check box.

    If this checkbox is selected, this field must be processed on the Reconciliation Data tab of the Reconciliation Manager form before Oracle Identity Manager will begin attempting to match a provisioning process or user/organization to the reconciliation event. If this checkbox is cleared, the inability to process this field in a reconciliation event will not prevent matching from occurring.

  5. Click Save.

    The field will be available for mapping in the resource's default provisioning process.

Deleting a Reconciliation Field

Use the following procedure to remove a target system field from the list of fields that are to be reconciled with information in Oracle Identity Manager. For a trusted source, this must be the user resource definition.

To delete a reconciliation field:

  1. Select the field you wish to remove.

  2. Click Delete Field.

    The selected field will be removed from the list of fields with which Oracle Identity Manager attempts to reconcile data on the target system (this has no effect on the data in the target system itself).

Reconciliation Action Rules Tab

This tab is used to specify the actions Oracle Identity Manager is to take when particular matching conditions are met. Oracle Identity Manager allows you to specify what action(s) it should automatically take when certain matches within reconciliation event records are encountered. Each record in this tab is a combination of:

  • The matching condition criteria

  • The action to take

The conditions and actions from which you may select are pre-defined. Depending on the matching conditions, certain actions may not be applicable. A complete list of the available options is provided below:

Rule Condition                    Possible Rule Actions

No matches found                  None
                                  Assign to Administrator with Least Load
                                  Assign to Authorizer with Highest Priority
                                  Assign to Authorizer with Least Load
                                  Assign to User
                                  Assign to Group
                                  Create User (only available with the trusted source)

One Process Match Found           None
                                  Assign to Administrator with Least Load
                                  Assign to Authorizer with Highest Priority
                                  Assign to Authorizer with Least Load
                                  Assign to User
                                  Assign to Group
                                  Establish Link

Multiple Process Matches Found    None
                                  Assign to Administrator with Least Load
                                  Assign to Authorizer with Highest Priority
                                  Assign to Authorizer with Least Load
                                  Assign to User
                                  Assign to Group

One Entity Match Found            None
                                  Assign to Administrator with Least Load
                                  Assign to Authorizer with Highest Priority
                                  Assign to Authorizer with Least Load
                                  Assign to User
                                  Assign to Group
                                  Establish Link

Multiple Entity Matches Found     None
                                  Assign to Administrator with Least Load
                                  Assign to Authorizer with Highest Priority
                                  Assign to Authorizer with Least Load
                                  Assign to User
                                  Assign to Group


See Also:

"Assignment Tab of the Editing Task Window" for a description of the classification types for the users and groups listed in the preceding table
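The following Python program is an added example, not code from this guide or from Oracle Identity Manager. It models how a reconciliation event moves through the two sub-tabs: matching is withheld until every Required reconciliation field is present, the event is then classified as no match, one match, or multiple matches, and the action rule for that condition is looked up. The method that adds a rule enforces the constraints stated above (only the actions applicable to a condition, Create User only for a trusted source, one action per condition) rather than trusting free-form input. The single-key match, the simplification that a trusted source matches users (Entity) while a target resource matches process instances (Process), the sample users, and the assumption that a condition with no rule takes no action are all constructed for this example.

```python
"""Reconciliation event handling, as described for the Reconciliation Fields and
Reconciliation Action Rules tabs.

Added example; not Oracle Identity Manager code.  From the text: matching does
not start until every Required field is present, each match condition carries
at most one action, and the condition/action table.  Assumed: a single key
field decides a match, a trusted source matches users (Entity) while a target
resource matches process instances (Process), and no rule means no action."""

from dataclasses import dataclass
from typing import Optional

COMMON_ACTIONS = frozenset({
    "None",
    "Assign to Administrator with Least Load",
    "Assign to Authorizer with Highest Priority",
    "Assign to Authorizer with Least Load",
    "Assign to User",
    "Assign to Group",
})
ALLOWED_ACTIONS = {
    "No matches found": COMMON_ACTIONS | {"Create User"},
    "One Process Match Found": COMMON_ACTIONS | {"Establish Link"},
    "Multiple Process Matches Found": COMMON_ACTIONS,
    "One Entity Match Found": COMMON_ACTIONS | {"Establish Link"},
    "Multiple Entity Matches Found": COMMON_ACTIONS,
}


@dataclass(frozen=True)
class ReconField:
    name: str
    field_type: str        # Multi-Valued, String, Number, Date or IT resource
    required: bool = False


class ActionRules:
    def __init__(self, trusted_source: bool):
        self.trusted_source = trusted_source
        self.rules = {}

    def add(self, condition: str, action: str) -> None:
        """Reject combinations the Add a new Action Rule dialog would not offer."""
        if condition not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown rule condition {condition!r}")
        if action not in ALLOWED_ACTIONS[condition]:
            raise ValueError(f"{action!r} is not applicable to {condition!r}")
        if action == "Create User" and not self.trusted_source:
            raise ValueError("Create User is only available with the trusted source")
        if condition in self.rules:
            raise ValueError(f"{condition!r} already has an action; delete it first")
        self.rules[condition] = action

    def action_for(self, condition: str) -> str:
        return self.rules.get(condition, "None")   # assumption: no rule, no automatic action


def match_condition(event: dict, fields: list, candidates: list, key: str,
                    trusted_source: bool) -> Optional[str]:
    """Classify an event; None means a Required field is still unprocessed."""
    missing = [f.name for f in fields if f.required and event.get(f.name) in (None, "")]
    if missing:
        return None
    hits = [c for c in candidates if c.get(key) == event.get(key)]
    kind = "Entity" if trusted_source else "Process"
    if not hits:
        return "No matches found"
    if len(hits) == 1:
        return f"One {kind} Match Found"
    return f"Multiple {kind} Matches Found"


def process_event(event: dict, fields: list, candidates: list, key: str,
                  rules: ActionRules) -> tuple:
    """Return (condition, action); (None, None) while the event cannot be matched yet."""
    condition = match_condition(event, fields, candidates, key, rules.trusted_source)
    if condition is None:
        return None, None
    return condition, rules.action_for(condition)


# Constructed trusted-source field definitions and sample users.
FIELDS = [ReconField("uid", "String", required=True),
          ReconField("mail", "String"),
          ReconField("groups", "Multi-Valued")]
USERS = [{"uid": "jsmith", "mail": "jsmith@example.com"},
         {"uid": "dup", "mail": "dup1@example.com"},
         {"uid": "dup", "mail": "dup2@example.com"}]


def trusted_rules() -> ActionRules:
    rules = ActionRules(trusted_source=True)
    rules.add("No matches found", "Create User")
    rules.add("One Entity Match Found", "Establish Link")
    rules.add("Multiple Entity Matches Found", "Assign to Administrator with Least Load")
    return rules


if __name__ == "__main__":
    rules = trusted_rules()
    for ev in ({"uid": "jsmith"}, {"uid": "newhire"}, {"uid": "dup"}, {"mail": "x@example.com"}):
        print(ev, "->", process_event(ev, FIELDS, USERS, "uid", rules))
```

The multiple-match case is the one to watch: two users sharing a key means the link cannot be established safely, so the example hands it to an administrator instead of guessing, and an event missing a Required field never reaches the action table at all.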

Adding a Reconciliation Action Rule

The following procedure describes adding a reconciliation action rule.

To add a reconciliation action rule:

  1. Click Add Field.

    The Add a new Action Rule dialog box appears.

  2. Select the desired value from the Rule Condition menu.

    This is the matching condition that will cause the associated action to be executed. Each match condition can only be assigned to a single rule action.

  3. Select the desired value from the Rule Action menu.

    This is the action that will be executed if the matching condition is satisfied.

  4. Click Save, and close the Add a new Action Rule dialog box.

Deleting a Reconciliation Action Rule

The following procedure describes deleting a reconciliation action rule.

To delete a reconciliation action rule:

  1. Select the matching condition/action combination you wish to delete.

  2. Click Delete.

    The reconciliation action rule will be removed and the action associated with its condition will not be executed automatically.

Service Account Management

Oracle Identity Manager supports service accounts. Service accounts are general administrator accounts (for example, admin1, admin2, and admin3) that are used for maintenance purposes and are typically shared by a set of users. The model for managing and provisioning service accounts is slightly different from normal provisioning.

Service accounts are requested, provisioned, and managed in the same manner as regular accounts. They use the same resource objects, provisioning processes, and process and object forms as regular accounts. A service account is distinguished from a regular account by an internal flag.

When a user is provisioned with a service account, Oracle Identity Manager manages a mapping from the user's identity to the service account. When the resource is "revoked", or the user gets "deleted", the provisioning process for the service account does not get cancelled (which would cause the undo tasks to fire). Instead, a task is inserted into the provisioning process (the same way Oracle Identity Manager handles Disable and Enable actions). This task removes the mapping from the user to the service account, and returns the service account to the pool of available accounts.

This management capability is exposed through APIs.