17 Enabling Offline Provisioning

In online provisioning, multiple provisioning operations are performed in sequence. For example, if you create a request to allocate (provision) five resources to five OIM Users, then the system performs the resulting provisioning operations one after the other.

The whole set of operations is treated as a single transaction. This approach can cause performance issues under certain conditions. In addition, there is a higher probability of a transaction timeout and, therefore, of the entire transaction being rolled back.

In offline provisioning, provisioning operations are converted into JMS messages. One JMS message is submitted for each resource provisioned to each user. For example, if you create a request to provision five resources to five OIM Users, then 25 JMS messages are generated. Processing of each JMS message is treated as a single transaction, and it is asynchronous and independent of other JMS messages. Processing of the other messages continues even if one transaction times out. This approach offers better performance and a lower probability of transaction timeout.


17.1 Features of Offline Processing

The following are features of offline provisioning:

  • The offline provisioning approach is applied only during Provision (Create Target System Account) Resource, Enable Resource, Disable Resource, and Revoke Resource operations. The offline provisioning approach is not applied in a provisioning operation that involves modification of an allocated (provisioned) resource.

  • Offline provisioning is not applied during organization provisioning.

  • You enable offline provisioning at the resource object level. The procedure is described later in this chapter.

  • JMS messages generated during offline provisioning are processed in parallel. Processing of each JMS message is treated as a single transaction, and it is asynchronous and independent of other JMS messages. This approach provides better performance over the online provisioning approach in which provisioning operations are processed in sequence.

  • The response to a provisioning operation is displayed almost immediately after the provisioning data is submitted. This response is not dependent on the processing of each operation.

    When you view the resource details for a resource instance of an OIM User, you can view the "Provisioning in Queue", "Enable in Queue", "Disable in Queue" and "Revoke in Queue" statuses for Provision, Enable, Disable, and Revoke operations respectively if provisioning for a particular resource has not yet been processed.

  • The final status of the resource instance is the same as the status for online provisioning. For example, if a message for a resource is processed successfully, then the Provisioned status is displayed. The same status is displayed for online provisioning.

  • Within offline provisioning, processing of each message is treated as an independent transaction. Rejection or failure of a single message does not affect processing of the remaining messages in provisioning.

  • During offline provisioning, details of a failed message (along with an explanation) are not displayed on the console. This behavior is different from that of online provisioning in which details of a failed operation are displayed on the console. In offline provisioning, details of failed messages are stored in the Off-line Persistent Store (OPS) table. You can view these details by running the Off-line Resource Provisioning Messages report. See "Reports Related to Offline Provisioning" for information about this report.

  • When you disable or delete an OIM User, all the resources provisioned to the user must be disabled or revoked, respectively. This is the expected outcome in both online and offline provisioning. The outcome is the same if provisioning succeeds, regardless of the type of provisioning. However, the outcome is different if an exception is encountered during the operation.

    Online provisioning treats a Disable or Delete OIM User operation as one transaction. If even a single resource cannot be successfully disabled or revoked on the target system, then the entire transaction is rolled back.

    Note:

    A rollback in Oracle Identity Manager does not affect the status of the resource on the target systems. For example, suppose an OIM User is assigned Resource A, Resource B, and Resource C. If this OIM User is deleted, then the system first tries to delete the resources from the respective target systems. Suppose Resources A and B are deleted but problems are encountered on attempting to delete Resource C. In this case, the entire transaction is rolled back and the status of Resources A, B, and C on Oracle Identity Manager is set to whatever it was at the start of the transaction. However, the actual status of Resources A and B on their target systems is that they have been deleted.

    In offline provisioning, the following JMS messages are generated in response to a Disable or Delete OIM User operation:

    • JMS message to disable or delete the OIM User

    • JMS messages to disable or revoke each resource assigned to the OIM User

    If the OIM User is successfully disabled or deleted, then a message (statement) to this effect is displayed on the console. The display of this message (statement) is independent of the success or failure of the JMS messages generated to disable or revoke each resource. If the JMS message for a particular resource fails, then that resource becomes a rogue account in Oracle Identity Manager. You can identify these rogue accounts by running the Off-line Resource Provisioning Messages report. For each of the remaining resources, the status of the resource (Disabled or Revoked) in Oracle Identity Manager is the same as the status of the resource (Disabled or Deleted) on the target system.
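The transaction behaviour described in this list and in the Note above, as an added illustration that is not Oracle Identity Manager code: the classes, the user and resource names, and the store that stands in for the OPS table are constructed assumptions. It shows why an online rollback leaves Oracle Identity Manager and the target systems disagreeing, and why a failed offline message leaves a rogue account that the remaining messages do not affect.

```python
"""Added illustration of online vs. offline Delete OIM User handling.

Not OIM code: TargetSystem, Oim, the user "jdoe" and the resources
"Resource A/B/C" are constructed assumptions for this example only.
"""
from dataclasses import dataclass, field


class TargetError(Exception):
    """Raised by a simulated target system that refuses a delete."""


@dataclass
class TargetSystem:
    """Simulated target holding accounts; `fail_for` names accounts whose
    deletion always fails (an assumption used to provoke the failure path)."""
    name: str
    accounts: set
    fail_for: set = field(default_factory=set)

    def delete_account(self, user: str) -> None:
        if user in self.fail_for:
            raise TargetError(f"{self.name}: cannot delete account for {user}")
        self.accounts.discard(user)


@dataclass
class Oim:
    """Stand-in for OIM's view of resource instances.
    status[(user, resource)] is 'Provisioned', 'Revoked' or 'Revoke in Queue'.
    ops_store plays the role of the OPS table that holds failed messages."""
    targets: dict
    status: dict
    ops_store: list = field(default_factory=list)

    def delete_user_online(self, user: str) -> None:
        # One transaction: snapshot OIM state, try every target, and restore
        # the snapshot on the first failure. Deletes already performed on the
        # targets are NOT undone, which is the divergence the Note describes.
        snapshot = dict(self.status)
        try:
            for resource, target in self.targets.items():
                target.delete_account(user)
                self.status[(user, resource)] = "Revoked"
        except TargetError:
            self.status = snapshot
            raise

    def delete_user_offline(self, user: str) -> None:
        # One message per resource, each processed independently. A failed
        # message is recorded in the store; the other messages still complete.
        for resource in self.targets:
            self.status[(user, resource)] = "Revoke in Queue"
        for resource, target in self.targets.items():
            try:
                target.delete_account(user)
                self.status[(user, resource)] = "Revoked"
            except TargetError as exc:
                self.ops_store.append({"user": user, "resource": resource,
                                       "error": str(exc)})

    def divergence(self, user: str):
        """Return (stale_in_oim, left_on_target):
        stale_in_oim   - OIM still shows Provisioned but the target account is gone
        left_on_target - OIM no longer shows Provisioned but the account remains
                         (the rogue account produced by a failed offline message)."""
        stale_in_oim, left_on_target = [], []
        for resource, target in self.targets.items():
            on_target = user in target.accounts
            provisioned = self.status[(user, resource)] == "Provisioned"
            if provisioned and not on_target:
                stale_in_oim.append(resource)
            if not provisioned and on_target:
                left_on_target.append(resource)
        return stale_in_oim, left_on_target


def build_scenario() -> Oim:
    """Constructed sample: one user with three resources; target C refuses."""
    targets = {
        "Resource A": TargetSystem("target-a", {"jdoe"}),
        "Resource B": TargetSystem("target-b", {"jdoe"}),
        "Resource C": TargetSystem("target-c", {"jdoe"}, fail_for={"jdoe"}),
    }
    status = {("jdoe", r): "Provisioned" for r in targets}
    return Oim(targets, status)


def run_online() -> Oim:
    oim = build_scenario()
    try:
        oim.delete_user_online("jdoe")
    except TargetError:
        pass  # rolled back inside OIM only; targets A and B stay deleted
    return oim


def run_offline() -> Oim:
    oim = build_scenario()
    oim.delete_user_offline("jdoe")
    return oim


if __name__ == "__main__":
    print("online :", run_online().divergence("jdoe"))
    print("offline:", run_offline().divergence("jdoe"))
```

In the online run every OIM status is back to Provisioned while the accounts on targets A and B are already gone; in the offline run A and B are Revoked on both sides and only Resource C remains on its target, with the failure recorded in the store that stands in for the OPS table. That second list is what the Off-line Resource Provisioning Messages report surfaces in a real deployment.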

17.2 Enabling and Disabling Offline Provisioning

As mentioned earlier, you enable offline provisioning at the resource object level. Off-line provisioning is applicable only when the Auto Save Form option is already selected in the Process Definition form.

To enable offline provisioning:

  1. Log in to Oracle Identity Manager Design Console.

  2. Expand Resource Management, and double-click Resource Objects.

  3. Search for and open the resource object for which you want to enable offline provisioning.

  4. On the Resource Object form, select Off-line Provisioning. This enables off-line provisioning for the provision, enable, disable, and revoke resource operations.

    When the Off-line Provisioning option is not selected, the specific resource provisioning, enable, disable, and revoke operations occur online.

  5. Click the Save icon.

To disable offline provisioning:

  1. Log in to Oracle Identity Manager Design Console.

  2. Expand Resource Management, and double-click Resource Objects.

  3. Search for and open the resource object for which you want to disable offline provisioning.

  4. On the Resource Object form, deselect the Off-line Provisioning check box.

  5. Click the Save icon.

17.3 Reports Related to Offline Provisioning

When an online provision, enable, disable, or revoke operation fails, the error messages and other information about the operation are displayed on the UI. When an off-line operation fails, the information about the failure is recorded in the OPS table. The Off-line Resource Provisioning Messages report in Oracle BI Publisher lists the error messages stored there.

17.4 Configuring the Remove Failed Off-line Messages Scheduled Task

Configure the Remove Failed Off-line Messages scheduled task to schedule deletion of failed provisioning messages from the OPS table. While configuring this scheduled task, set a value for the Remove Failed Messages Older Than (days) attribute. Because the Off-line Resource Provisioning Messages report reads the OPS table, messages removed by this task no longer appear in the report, so choose a retention period long enough for failed messages and the resulting rogue accounts to be reviewed before they are purged.

See Chapter 2, "Managing Scheduled Tasks" for information about working with scheduled tasks.