Oracle® Role Manager Integration Guide
Release 10g (10.1.4)

Part Number E12030-05

7 Testing the Oracle Role Manager Integration Library Installation

After you deploy and configure the Oracle Role Manager (Role Manager) Integration Library, you must test it to ensure that it functions as expected. This chapter discusses the following topics related to testing the Integration Library:

It is recommended to test your installation following the steps in the order they are presented in this chapter.

Note:

Some of the tests in this chapter use the sample data provided with Role Manager. If you did not load the sample data, you can still use these tests but you must create objects in Role Manager similar to those described in each test.

7.1 Testing User Reconciliation

When changes to user data are made in Oracle Identity Manager (Identity Manager), messages are sent to Role Manager so that data is synchronized in real time.

Because the Role Manager system may sometimes be unavailable, such as during scheduled maintenance downtime, the default configuration provides predefined tasks that can be scheduled for user reconciliation. These tasks ensure that any user data updates made while connectivity to Role Manager was not available are later propagated to Role Manager.

There are two scheduled tasks for user reconciliation provided as part of the Integration Library configuration imported into Identity Manager: User Reconciliation and Full User Reconciliation. The difference between these reconciliation tasks is that full reconciliation also inspects users in Role Manager (who are also Identity Manager users) to check whether any users were either removed or made inactive in Identity Manager, and reflects their status in Role Manager accordingly.

For performance reasons, you might want to reserve Full User Reconciliation for less frequent schedules or for times when there is less activity.

7.1.1 Real-Time User Synchronization

The test in this section verifies that the event handlers are functioning and messages are sent and received by creating a user in Identity Manager who appears in Role Manager.

To test user reconciliation:

  1. If not currently running, start Identity Manager and then Role Manager.

  2. Using the Identity Manager Administrative and User Console, create at least one user.

    For purposes of performing other tests later in this section, create at least one user whose first name begins with the letter C.

  3. Find the new user or users in Role Manager as follows:

    1. Select Organizations & People, then select People.

    2. In the tree view, select Unassigned, then click Filter to display results.

    The new user from Identity Manager should display in the search results.

7.1.2 Scheduled Tasks for User Reconciliation

The test in this section verifies that messages from the scheduled tasks are communicated effectively between the two systems. It checks that a user modification made in Identity Manager while Role Manager was inaccessible is synchronized when a scheduled task for user reconciliation is run after connectivity is restored.

To test the scheduled task for user reconciliation:

  1. Shut down the Role Manager application server.

  2. Using the Identity Manager Administrative and User Console, edit the name of a user you just created.

  3. Start Role Manager and log in to the application.

  4. Find the user in Role Manager.

    Note that the name change from Identity Manager has not been updated.

  5. Enable the user reconciliation task as follows:

    1. In the Identity Manager Design Console (Identity Manager Client), expand Administration, then double-click Task Scheduler.

    2. Click the Lookup button, and then the Go to End button to go to the last defined task.

    3. Click the left arrow button until you see the RoleManagerUserReconciliation_Full task.

    4. Clear the Disabled box then click the Save button.

    5. In the Status field, change the status to ACTIVE.

    6. In the Start Time field, enter the timestamp of the current date and time plus one minute.

    7. Click the Save button.

  6. After a minute, in Role Manager, click Filter again to refresh the search results.

    Note that Role Manager now shows the name change that was done in Identity Manager while the Role Manager server was unavailable.

7.2 Testing Role and Role Membership Reconciliation

Updates to user groups in Identity Manager (groups that correspond to Business Roles and IT Roles in Role Manager) occur when the role membership update timer triggers Role Manager to send synchronization messages. Along with membership changes, new roles created in Role Manager are also received in Identity Manager as part of batch role resolution and role membership update timer processes. There is no real-time role or role membership resolution.

To ensure that there are no invalid user groups or memberships as a result of roles having been deleted or made inactive in Role Manager, a scheduled task is provided to correct user groups in Identity Manager. This task can be enabled and configured in the same way as the user reconciliation tasks described in Section 7.1.

Note:

By default, the names of user groups in Identity Manager that correspond with roles in Role Manager begin with ORM_. This configurable naming helps administrators identify the user groups that are modified only in the Role Manager system. Any changes made to these user groups in Identity Manager could cause synchronization between the systems to fail. It is recommended not to change role names in Role Manager after initial reconciliation has occurred.

Note:

Because the name attribute for user groups in Identity Manager is limited to 30 characters and is required to be unique, the names of roles reconciled from Role Manager may be truncated, thus potentially causing uniqueness constraint violations. You may want to check the Identity Manager console after running role reconciliation processes.
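A pre-reconciliation check for the truncation problem described in the note above, as an added example that is not part of the original guide or of the Integration Library. It assumes the user group name is formed by prefixing the role name with ORM_ and then cutting the result to 30 characters; the function names and the constructed role list are hypothetical.

```python
from collections import defaultdict

PREFIX = "ORM_"   # default user group prefix named in this chapter
NAME_LIMIT = 30   # user group name limit in Identity Manager named in the note


def group_name(role_name, prefix=PREFIX, limit=NAME_LIMIT):
    """Assumed mapping: prefix the role name, then cut it to the limit."""
    return (prefix + role_name)[:limit]


def audit_role_names(role_names):
    """Return (roles that get truncated, {group name: roles} shared by 2+ roles)."""
    truncated = [r for r in role_names if len(PREFIX + r) > NAME_LIMIT]
    by_group = defaultdict(list)
    for role in role_names:
        by_group[group_name(role)].append(role)
    collisions = {g: rs for g, rs in by_group.items() if len(rs) > 1}
    return truncated, collisions


# Constructed role names; the first two are sample roles used in this chapter.
ROLES = [
    "Telecom Provisioner",
    "Test Business Role",
    "Regional Network Operations Lead",
    "Accounts Payable Invoice Approver EMEA",
    "Accounts Payable Invoice Approver APAC",
]

if __name__ == "__main__":
    truncated, collisions = audit_role_names(ROLES)
    for role in truncated:
        print("truncated:", role, "->", group_name(role))
    for name, roles in collisions.items():
        print("collision:", name, "<-", roles)
```

Roles reported as collisions would map to the same user group name and are the ones to rename before initial reconciliation.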

7.2.1 User Provisioning through Role/User Group Membership

The test in this section verifies that a user added as a member of a role in Role Manager is provisioned for the corresponding user group in Identity Manager.

To test role membership reconciliation:

  1. If not currently running, start Identity Manager and then Role Manager.

  2. Log in to the Identity Manager Administrative and User Console and search for the Telecom Provisioner user group as follows:

    1. Select User Groups, then select Manage.

    2. Select Group Name from the list, enter ORM_T* in the field, then click Search.

    3. Click ORM_Telecom_Provisioner.

    4. Select Member and Sub-Groups from the list.

      Note that no memberships exist for this role.

  3. Log in to the Role Manager application and add an Identity Manager user to the Telecom Provisioner IT Role as follows:

    1. Select Organizations & People, then select People.

    2. For a new user created in "Testing User Reconciliation", click the Details icon in the Actions column.

    3. Click the IT Roles tab.

    4. Click Grant Role.

    5. Search for and select the Telecom Provisioner IT Role, then click Finish.

    6. Click Submit.

  4. Wait until the role membership update job has completed. How long this takes depends on the role membership update timer configuration in Role Manager.

    For more information about timer configuration repeat interval and cron job configuration, see Oracle Role Manager Administrator's Guide.

  5. After the Role Manager role membership update job has run, search for and select the ORM_Telecom_Provisioner group in the Identity Manager Administrative and User Console.

    Note that the new membership now displays in the Member and Sub-Groups results.

7.2.2 User De-provisioning by Deleted or Inactivated Roles

The test in this section verifies that a role made inactive in Role Manager de-provisions membership in the corresponding user group in Identity Manager. It also tests that a new role created in Role Manager creates a user group in Identity Manager using batch role resolution and role membership updates.

To test role reconciliation and de-provisioning:

  1. If not currently running, start Identity Manager and then Role Manager.

  2. Using the Identity Manager Administrative and User Console, create a user.

  3. Make an active role in Role Manager inactive as follows:

    1. Select Roles, then select IT Roles.

    2. Search for and select the Telecom Provisioner role, then click the Details icon in the Actions column.

    3. On the Attributes tab, change the status from Active to Inactive, then click Submit.

  4. Create a Business Role in Role Manager as follows:

    1. Select Roles, then select Business Roles.

    2. In the tree view, right-click Office of the CEO, then select New Business Role from the context menu.

    3. In the Display Name field, enter Test Business Role.

    4. In the Status list, select Active.

    5. Click Submit.

  5. Wait until the batch resolution job has completed. How long this takes depends on the batch resolution timer configuration in Role Manager.

    For more information about timer configuration repeat interval and cron job configuration, see Oracle Role Manager Administrator's Guide.

  6. After the Role Manager role membership update job has run, search for and select the ORM_Telecom_Provisioner user group in the Identity Manager Administrative and User Console.

  7. Select Member and Sub-Groups from the list.

    Note that no memberships exist for this role.

  8. Search for the new Test Business Role user group.

    The new user group should display in the search results as "ORM_Test Business Role."

Note:

By default, the names of user groups in Identity Manager that correspond with roles in Role Manager begin with ORM_. This naming helps administrators identify the user groups that are modified only in the Role Manager system. Any changes made to these user groups in Identity Manager could cause synchronization between the systems to fail.

7.3 Testing Approval Role Resolution

Testing the way Approver Roles in Role Manager are used with processes in Identity Manager involves several preparatory steps as described in the following sections.

For information about creating and editing roles in Role Manager, see Oracle Role Manager User's Guide.

7.3.1 Role Manager Setup

The steps in this section are necessary to prepare Role Manager with the Approver Role whose grant policy defines the possible people qualified to act as approvers.

Note:

It is recommended that any Approver Roles in Role Manager that are referenced by processes in Identity Manager should have narrowly defined grant policies to reduce the number of returned records. Identity Manager supports only a single record to be considered as the approver, so the first member that meets the grant policy (determined by object key in ascending order) is sent through the Integration Library.

To set up the Approver Role in Role Manager:

  1. Select Roles, then select Approver Roles.

  2. In the tree view, right-click Office of the CEO, then select New Approver Role from the context menu.

  3. In the Display Name field, enter OIM Approver.

  4. In the Status list, select Active.

  5. On the Grant Policy tab, copy and paste the following rule example that determines which users are qualified to be approvers as members of this Approver Role.

    This rule finds all users in Role Manager who are also users in Identity Manager and whose name begins with the letter C.

    Note:

    Although the second condition in this example is provided only to narrow the results of this grant policy, the policy must include a condition using the attribute oimId. If Role Manager returns an approver who does not have an OIM ID, the approval process will fail.

    <?xml version="1.0" encoding="UTF-8"?>
    <predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
      <and-expression>
        <expressions>
          <attribute-expression>
            <attribute attribute-id="oimId"/>
            <greater-than>
              <integer-constant>0</integer-constant>
            </greater-than>
          </attribute-expression>
          <attribute-expression>
            <attribute attribute-id="displayName"/>
            <starts-with>
              <string-constant>C</string-constant>
            </starts-with>
          </attribute-expression>
        </expressions>
      </and-expression>
    </predicate>
    

    For details about how to define membership rules and grant policies, see Oracle Role Manager User's Guide.

  6. On the Members tab, click Recalculate.

    You should see the user created in Section 7.1.1 whose name begins with C in the search results.

  7. Click Submit.
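The grant policy from step 5 and the first-member rule from the note at the start of this section, modelled locally as an added example; this is not Role Manager or Integration Library code. It handles only the two operators that appear in that policy, and the person records, the `key` field standing in for the object key, and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0}"
# Grant policy from step 5 above, with whitespace condensed.
POLICY = """<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
<and-expression><expressions>
<attribute-expression><attribute attribute-id="oimId"/>
  <greater-than><integer-constant>0</integer-constant></greater-than></attribute-expression>
<attribute-expression><attribute attribute-id="displayName"/>
  <starts-with><string-constant>C</string-constant></starts-with></attribute-expression>
</expressions></and-expression></predicate>"""
# Local model of the two operators used in that policy; a missing value never matches.
OPS = {
    "greater-than": lambda v, c: v is not None and int(v) > int(c),
    "starts-with": lambda v, c: v is not None and str(v).startswith(c),
}

def conditions(policy_xml):
    """Parse a flat and-expression into (attribute-id, operator, constant) tuples."""
    root = ET.fromstring(policy_xml)
    if len(root) != 1 or root[0].tag != NS + "and-expression":
        raise ValueError("only a single and-expression is handled")
    conds = []
    for expr in root.iter(NS + "attribute-expression"):
        attr = expr.find(NS + "attribute").get("attribute-id")
        op = next(child for child in expr if child.tag != NS + "attribute")
        name = op.tag[len(NS):]
        if name not in OPS:
            raise ValueError("operator not modelled: " + name)
        conds.append((attr, name, op[0].text))
    return conds

def requires_oim_id(conds):
    """Lint check: the policy must contain a condition on oimId."""
    return any(attr == "oimId" for attr, _, _ in conds)

def resolve_approver(people, conds):
    """Return the first person meeting every condition, by object key ascending."""
    hits = [p for p in people
            if all(OPS[op](p.get(attr), const) for attr, op, const in conds)]
    return min(hits, key=lambda p: p["key"], default=None)

# Constructed people; "key" stands in for the Role Manager object key.
PEOPLE = [
    {"key": 412, "displayName": "Carol Diaz", "oimId": 57},
    {"key": 108, "displayName": "Chris Low", "oimId": None},  # no OIM ID
    {"key": 230, "displayName": "Cam Reyes", "oimId": 61},
    {"key": 90, "displayName": "Dana Wu", "oimId": 12},
]
```

With the full policy the resolved approver is the person with key 230; dropping the oimId condition (`conditions(POLICY)[1:]`) resolves the person with key 108, who has no OIM ID, which is the case the note says makes the approval process fail.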

7.3.2 Identity Manager Setup

The steps in this section set up the sample resource and approval process that were imported into Identity Manager so that their display values match those referenced in Section 7.3.3, which are more suitable for demonstration purposes.

To create an approval process:

  1. Rename the sample resource as follows:

    1. In the Identity Manager Design Console (Identity Manager client), expand Resource Management.

    2. Double-click Resource Objects.

    3. Click the Lookup button, and then the Go to End button to go to the last defined task.

      You should see the ORM Samples task.

    4. In the Name field, change ORM Samples to Oracle Financials.

    5. Click the Save icon.

  2. Map the sample form to the renamed resource as follows:

    1. Expand Development Tools, then double-click Form Designer.

    2. Click the Lookup button, and then the Go to End button to go to the last defined form.

      You should see the form for the UD_ORAFIN table. If you do not, click the right arrow button until you see it display.

    3. Double-click in the Object Name field.

    4. Select Oracle Financials in the Lookup window, then click OK.

    5. Click the Save icon.

  3. Go back to the Oracle Financials resource object you created previously, then double-click the Table Name field to add UD_ORAFIN.

  4. Click the Save icon.

  5. Rename the sample provisioning process as follows:

    1. Expand Process Management, then double-click Process Definition.

    2. Click the Lookup button, and then the Go to End button to go to the last defined process.

      You should see the process ORM Samples Provisioning. If you do not, click the left arrow button until you see it display.

    3. In the Name field, rename ORM Samples Provisioning to Oracle Financials Provisioning.

    4. Click the Save icon.

  6. Rename the sample approval process as follows:

    1. Click the left arrow until the ORM Sample Approval displays.

    2. In the Name field, rename it to Oracle Financials Approval.

    3. Click the Save icon.

7.3.3 Performing the test

The test in this section verifies that the approval process in Identity Manager uses the Approver Role from Role Manager to get an appropriate approver based on the role's grant policy.

To run the approver test:

  1. Using the Identity Manager Administrative and User Console, assign the Oracle Financials resource to the user created in Section 7.1.1 as follows:

    1. Select Requests, then select Resources.

    2. Choose Grant Resource, then click Continue.

    3. Choose Users, then click Continue.

    4. Select the user created in Section 7.1.1 and optionally any other users that you know also exist in the Role Manager system (non-administrative or system users).

    5. Click Add to move them to the Selected box, then click Continue.

    6. Select Oracle Financials.

    7. Click Add to move it to the Selected box, then click Continue.

      You should see the users and resource displayed.

  2. Click Submit Now.

  3. Click the link of the Request ID.

  4. Select Approval Details from the list.

  5. Select the box in the Action column, then click Approve.

  6. Click Confirm.

    The page should refresh with the status of the approval process.

  7. Note the user assigned to the Get Role Manager Approval Task to use in the next steps.

    This is the user who is automatically resolved as the resource approver after referencing the OIM Approver role in Role Manager.

  8. Log out of the Administrative and User Console and log back in as the user identified in the previous step.

  9. Select To-Do List, then select Pending Approvals.

    You should see the request listed as pending, available to be approved.