1. Oracle Identity Analytics Overview
Understanding Oracle Identity Analytics Components and Terminology
This section introduces Oracle Identity Analytics components and defines terminology that you need to know in order to be successful with the software.
A user is defined as a discrete, identifiable entity that has a business need to access or modify enterprise information assets. Typically a user is an individual, but a user can also be a program, a process, or a piece of computer hardware.
Users are associated with business structures in various ways. A user can be assigned to several business structures based on access level and other details within an organization. A business user has a manager or an application approver who is tasked with carrying out various user- and role-management functions on the user.
Resources are the applications and enterprise information assets that users need to do their jobs. In Oracle Identity Analytics, a resource is an instance of a resource type, which is a grouping of like resources. For example, multiple Oracle® database instances may compose a resource type named Oracle. Each database instance is a resource.
Common resource types include platforms (Windows 2000, UNIX®, Mainframe) or business applications (such as billing and accounts payable applications). Each resource has an owner who handles the various operations on the resource, such as reviewing user entitlements. The user entitlements are collected from different resources and stored in a central repository.
Note - In previous releases, the term endpoint was used to denote a resource, while the term namespace was used to denote a resource type.
A business structure in Oracle Identity Analytics is defined as a department or sub-department within an organization. An organization can be segregated into as many business structures, with as many levels of hierarchy, as are required to represent teams and sub-teams within the organization. There is no limit to the number of users that can be assigned to a business structure. All operations in Oracle Identity Analytics, such as identity auditing and identity certification, are performed on the basis of a business structure.
The user store is the central platform or database or directory where user records are stored. Commonly used user stores include Active Directory, Exchange, ORACLE, SAP, UNIX, and RDBMS Tables.
Initially, an organization in Oracle Identity Analytics is populated with users using a feed from an HR system. The HR system is used to create all the global identities in Oracle Identity Analytics. Alternatively, the global identities can be created from a provisioning system such as Oracle Identity Manager or Oracle Waveset (Sun Identity Manager).
The entitlements from the various applications are stored in a centralized user store in Oracle Identity Analytics. The user store can be a relational database that handles the various user entitlements. Once the entitlements are in the user store, the role engineering and management, identity certification, and identity auditing pieces can be carried out on them.
A user is a global identity to which various accounts are associated. A user can have multiple accounts, but all of the accounts are associated with a single global identity in Oracle Identity Analytics. This global identity is defined under the Users View, which shows the entire list of users that belong to the organization.
A naming convention for all users needs to be established. A common naming convention is a combination of a user's name in lowercase letters and a set of numbers. For example, John Smith's user name might be josmit01. User names must be unique.
A role represents a job function. Roles contain policies that describe the access that individuals have on a directory. Roles represent unique job functions performed by users in the domain. For example, a person can function as a manager, a developer, and a trainer. In this case, there are three roles that represent each job function because each requires different privileges and access to different resources.
Roles give you the flexibility and power to enforce enterprise standards, so that you can do the following:
Manage users who perform the same tasks the same way no matter where they are located in the enterprise.
Perform less work when managing users because you do not have to manually specify privileges every time a change is made to a person's job function.
A role can be embedded inside a role as a nested role. Role hierarchy can be defined to any level required in an organization.
Policies define account attributes and privileges that users have on different platforms or applications. A policy has a specific privilege on a specific data resource. Policies are assigned to roles, and roles are assigned to users. Policies provide consistent directory permissions and user rights across and within the organization for all of the users in a role.
An orphan account is an account that belongs to a user who is no longer with the organization or controlling business unit. (The user may have left the organization or shifted departments, but the account was not deactivated when the user left or moved.)
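The terminology above (resources grouped into resource types, global identities that own accounts, roles that carry policies and nest other roles, and orphan accounts) can be shown working together in a small model. The code below is an added example written for this page, not Oracle Identity Analytics' own data model or API: the class names, fields, role and user records are all constructed. It flattens a nested role hierarchy into the policies a user effectively holds (guarding against an accidental cycle in the nesting), and it flags orphan accounts with the reason each one was flagged, so that a resource owner or business-structure approver can act on them during a review.

```python
# Added illustration of the terminology above; class names, fields and sample
# records are constructed for this example and are not OIA's own model or API.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Resource:
    name: str            # one instance, e.g. a single Oracle database
    resource_type: str   # grouping of like resources, e.g. "Oracle"
    owner: str           # resource owner who reviews entitlements on it

@dataclass(frozen=True)
class Policy:
    name: str
    resource: str        # the specific data resource
    privilege: str       # the specific privilege on that resource

@dataclass
class Role:
    name: str
    policies: List[Policy] = field(default_factory=list)
    nested_roles: List[str] = field(default_factory=list)   # child role names

@dataclass(frozen=True)
class Account:
    account_id: str
    resource: str
    owner_user: str            # global identity the account maps to
    business_structure: str    # business unit that controls the account

@dataclass
class User:
    user_name: str             # global identity, e.g. "josmit01"
    business_structure: str
    active: bool               # False once the HR feed reports a departure
    roles: List[str] = field(default_factory=list)

def resources_of_type(resources: List[Resource], resource_type: str) -> List[str]:
    """Resource instances that make up one resource type."""
    return sorted(r.name for r in resources if r.resource_type == resource_type)

def effective_policies(role_name: str, roles: Dict[str, Role],
                       seen: Optional[Set[str]] = None) -> Set[Policy]:
    """Flatten a role and every role nested under it into one policy set;
    `seen` stops the recursion if the hierarchy accidentally contains a cycle."""
    seen = set() if seen is None else seen
    if role_name in seen or role_name not in roles:
        return set()
    seen.add(role_name)
    granted = set(roles[role_name].policies)
    for child in roles[role_name].nested_roles:
        granted |= effective_policies(child, roles, seen)
    return granted

def user_entitlements(user: User, roles: Dict[str, Role]) -> Set[Policy]:
    """Policies a user holds through all assigned roles, nesting included."""
    granted: Set[Policy] = set()
    for role_name in user.roles:
        granted |= effective_policies(role_name, roles)
    return granted

def orphan_accounts(accounts: List[Account],
                    users: Dict[str, User]) -> List[Tuple[Account, str]]:
    """Accounts whose owner is gone from the user store, inactive, or has
    moved out of the business unit that controls the account."""
    found = []
    for acct in accounts:
        owner = users.get(acct.owner_user)
        if owner is None:
            found.append((acct, "owner not in user store"))
        elif not owner.active:
            found.append((acct, "owner no longer with the organization"))
        elif owner.business_structure != acct.business_structure:
            found.append((acct, "owner moved to " + owner.business_structure))
    return found

# Constructed sample data: two Oracle instances form the "Oracle" resource type.
RESOURCES = [Resource("orcl-prod-01", "Oracle", "dba-team"),
             Resource("orcl-prod-02", "Oracle", "dba-team"),
             Resource("unix-app-01", "UNIX", "unix-ops")]
POLICIES = {n: Policy(n, r, p) for n, r, p in [
    ("oracle_read", "orcl-prod-01", "read"), ("unix_login", "unix-app-01", "login"),
    ("unix_sudo", "unix-app-01", "sudo")]}
ROLES = {"developer": Role("developer", [POLICIES["oracle_read"], POLICIES["unix_login"]]),
         "team_lead": Role("team_lead", [POLICIES["unix_sudo"]], ["developer"])}
USERS = {u.user_name: u for u in [
    User("josmit01", "Engineering/Platform", True, ["team_lead"]),
    User("jadoe02", "Engineering/Data", True, ["developer"]),
    User("bjone03", "Engineering/Platform", False, ["developer"])]}
ACCOUNTS = [Account("jsmith", "orcl-prod-01", "josmit01", "Engineering/Platform"),
            Account("jsmith", "unix-app-01", "josmit01", "Engineering/Platform"),
            Account("jdoe", "orcl-prod-01", "jadoe02", "Engineering/Platform"),
            Account("bjones", "orcl-prod-01", "bjone03", "Engineering/Platform"),
            Account("svc_batch", "orcl-prod-02", "svc_batch", "Engineering/Platform")]
```

With this sample data, `user_entitlements(USERS["josmit01"], ROLES)` yields the three policies that team_lead grants directly and through its nested developer role, while `orphan_accounts(ACCOUNTS, USERS)` returns the bjones account (owner marked inactive by the HR feed), the jdoe account (owner moved to another business structure), and svc_batch (owner missing from the user store). The `seen` set in `effective_policies` is the check a practitioner wants in any role-flattening routine: a role that is accidentally nested under itself would otherwise recurse without end.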