Oracle® Role Manager Integration Guide Release 10g (10.1.4) Part Number E12030-05
This chapter provides an overview of the Oracle Role Manager Integration Library and includes the following sections:
This section outlines the features available in the Oracle Role Manager Integration Library (Integration Library), which is used to integrate Oracle Role Manager (Role Manager) with provisioning systems.
Role Manager manages roles and resolves role memberships, both memberships that result from direct grants and those that are derived based on rules and grant policies. Through the Integration Library, external systems can use these roles for role-based provisioning.
The Integration Library is currently available for Oracle Identity Manager (Identity Manager) and includes the following features:
User provisioning and reconciliation
Real-time creation of an account (person) in Role Manager for every Identity Manager user.
Users must have Role Manager accounts before they can be granted roles in Role Manager, and this feature automates the process.
Real-time update of user data from Identity Manager.
For all user attributes configured in XML to be sent to Role Manager, changes made to those values are sent as soon as they are submitted in Identity Manager. This ensures that for all people in the Role Manager system who are also users in Identity Manager, Identity Manager remains the authoritative system of record for users and user attributes.
Scheduled tasks for user reconciliation.
Scheduled tasks ensure that user data in both systems is synchronized. This consists of sending all user records from Identity Manager to Role Manager and ensuring that all users denoted as originating from Identity Manager have a corresponding Identity Manager user record.
Roles and role membership reconciliation
Scheduled creation of user groups in Identity Manager for all Business Roles and IT roles in Role Manager.
Business Roles and IT roles from Role Manager are represented in Identity Manager as user groups. System Roles and Approver Roles in Role Manager do not have corresponding user groups in Identity Manager.
Scheduled updates to status of user groups and membership lists in Identity Manager that have corresponding Business Roles or IT roles in Role Manager.
Any status changes to roles in Role Manager that affect user groups in Identity Manager are reflected in Identity Manager. For example, if a Business Role or IT role is deleted in Role Manager, the corresponding user group in Identity Manager is deleted. In addition, if a Business Role or IT role in Role Manager has been made inactive, the membership list of the corresponding user group in Identity Manager is updated to remove the memberships that are no longer valid.
Scheduled updates to user group membership lists in Identity Manager based on both directly granted and dynamically derived role memberships in Role Manager.
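As an added illustration of the reconciliation rules in this section (not code from the Integration Library; the Role model, the reconcile() function and the sample names are constructed assumptions), the following Python models how Business and IT roles become Identity Manager user groups, how direct and derived memberships are combined, and how deleted and inactive roles are handled:

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    kind: str      # "business", "it", "system" or "approver"
    status: str    # "active", "inactive" or "deleted"
    direct: set = field(default_factory=set)   # directly granted members
    derived: set = field(default_factory=set)  # rule/grant-policy derived members

GROUP_KINDS = ("business", "it")  # only these role kinds map to user groups

def reconcile(roles, groups):
    """Derive the Identity Manager user-group changes implied by Role Manager roles.

    `groups` is the current Identity Manager state {group_name: set(members)}.
    Returns (desired, to_delete, changes): target membership per group, groups
    whose role was deleted, and per-group (users_to_add, users_to_remove).
    """
    desired, to_delete = {}, set()
    for role in roles:
        if role.kind not in GROUP_KINDS:
            continue                        # System and Approver Roles: no group
        if role.status == "deleted":
            if role.name in groups:
                to_delete.add(role.name)    # deleted role -> delete its group
            continue
        # Active role: membership is direct grants plus derived memberships.
        # Inactive role: the group stays, but every membership is now invalid.
        desired[role.name] = (role.direct | role.derived) if role.status == "active" else set()
    changes = {}
    for name, target in desired.items():
        current = groups.get(name, set())   # a missing group is created empty
        changes[name] = (target - current, current - target)
    return desired, to_delete, changes

# Constructed sample data; role, group and user names are placeholders.
SAMPLE_ROLES = [
    Role("Payroll Admin", "business", "active", direct={"alice"}, derived={"bob"}),
    Role("DB Operator", "it", "inactive", direct={"carol"}),
    Role("Legacy App", "it", "deleted", direct={"dave"}),
    Role("Role Admin", "system", "active", direct={"eve"}),
]
SAMPLE_GROUPS = {
    "Payroll Admin": {"alice"},
    "DB Operator": {"carol"},
    "Legacy App": {"dave"},
    "Helpdesk": {"frank"},   # not managed by Role Manager; left untouched
}
```

Running reconcile(SAMPLE_ROLES, SAMPLE_GROUPS) adds bob to Payroll Admin (a derived membership), removes carol from the now-inactive DB Operator group, deletes the Legacy App group, and leaves Helpdesk and the System Role alone.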
Approver roles for approval processes
Real-time queries from Identity Manager for approvers in Role Manager.
Identity Manager can dynamically query Approver Roles in Role Manager to find qualified approvers to use in approval processes.
Figure 1-1 illustrates the deployment and communication architecture of the Integration Library with Role Manager and Identity Manager.
The Integration Library is run in the same application server as Identity Manager. It communicates with Identity Manager through the Identity Manager Java API and a JMS message bus. It communicates with Role Manager through the EJB-based Role Manager Java API.