Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
Part I Concepts
1 Product Overview
1.1 Key Features and Benefits
1.1.1 Ease of Deployment
1.1.2 Simplified UI Customization
1.1.3 Simplified Configuration
1.1.4 Flexibility and Resilience
1.1.5 Maximum Reuse of Existing Infrastructure
1.1.6 Extensive User Management
1.1.7 Web-Based User Self-Service
1.1.8 Modular and Scalable Architecture
1.1.9 Based on Leading Software Development Standards
1.1.10 Powerful and Flexible Process Engine
1.1.11 Built-In Change Management
1.1.12 Workflow and Policy
1.1.13 Audit and Compliance Management
1.1.14 Integration Solutions
1.1.15 User Provisioning
1.2 System Requirements and Certification
2 Product Architecture
2.1 How Oracle Identity Manager Works: The Tiers of Oracle Identity Manager
2.1.1 Presentation Tier
2.1.2 Business Services Tier
2.1.2.1 The API Services
2.1.2.2 Integration Services
2.1.2.3 Platform Services
2.1.3 Middleware Tier
2.1.3.1 Request Service and Approval Workflow
2.1.3.2 Authorization Service
2.1.3.3 UI Customization Framework
2.1.3.4 Scheduler Service
2.1.3.5 Reporting
2.1.4 The Data Tier
2.1.4.1 Oracle Identity Manager Database
2.1.4.2 The Metadata Store
2.1.4.3 The Identity Store
2.1.4.4 Integration Between LDAP Identity Store and Oracle Identity Manager
2.2 System Components
3 Security Architecture
3.1 Security Model
3.1.1 Admin Role Assignment
3.1.2 Attribute-Level Security for the User Attributes
3.1.2.1 Using Plug-ins to Pass Attributes for Policy Evaluation
3.1.3 Policy Obligations
3.2 Functional and Data Security Mapping
3.3 Publishing Entities to Organizations
3.4 Managing OES Policies
3.4.1 Customizing the Authorization Policies
3.4.1.1 Controlling Who Can View Which Users
3.4.1.2 Controlling Who Can Modify Which Users
3.4.1.3 Controlling Who Can View Which Links
3.4.1.4 Controlling Who Can Request an Account in an Application Instance
3.4.1.5 Controlling Who Can Modify an Account
3.4.1.6 Controlling Who Can Manage an Application Instance
3.4.1.7 Controlling Who Can Change User Password
3.4.1.8 Controlling Who Can Change Account Password
3.4.1.9 Controlling Which Operations Are Direct or Request-Based
3.4.1.10 Controlling the Denied Attributes for Self
3.5 Enforcing Functional Security
3.5.1 Implementing Task Flow or Region
3.5.2 Defining Actions
3.5.3 Implementing Field-Level Security
Part II Application Provisioning
4 Developing Application Instances
4.1 Creating IT Resources
4.2 Managing IT Resources
4.2.1 Viewing IT Resources
4.2.2 Modifying IT Resources
4.2.3 Deleting IT Resources
4.3 Managing Resources By Using the Design Console
4.3.1 Overview of Resource Management
4.3.2 IT Resources Type Definition Form
4.3.2.1 Defining a Template (a Resource Type) for IT Resources
4.3.2.2 Tabs on the IT Resource Type Definition Form
4.3.2.3 IT Resource Type Definition Table
4.3.3 Rule Designer Form
4.3.3.1 Creating a Rule
4.3.3.2 Tabs on the Rule Designer Form
4.3.3.3 Rule Designer Table
4.3.4 Resource Objects Form
4.3.4.1 Creating a Resource Object
4.3.4.2 Tabs on the Resource Objects Form
4.3.4.3 Multiple Trusted Source Reconciliation
4.3.5 Service Account Management
4.4 Converting a Disconnected Application Instance to a Connected Application Instance
4.4.1 Creating a Disconnected Application Instance in the Production Environment
4.4.2 Exporting the Disconnected Application Instance From the Production Environment
4.4.3 Importing the Disconnected Application Instance in the Test Environment
4.4.4 Modifying the Application Instance from Disconnected to Connected
4.4.5 Testing the Connected Application Instance
5 Developing Provisioning Processes
5.1 Overview of Process Management
5.2 Email Definition Form
5.2.1 Specifying the E-Mail Server
5.2.2 Email Definition Form
5.2.3 Creating an E-Mail Definition
5.3 Process Definition Form
5.3.1 Creating a Process Definition
5.3.2 Tabs on the Process Definition Form
5.3.2.1 Tasks Tab
5.3.2.2 Reconciliation Field Mappings Tab
5.3.2.3 Administrators Tab
5.3.3 Modifying Process Tasks
5.3.3.1 General Tab
5.3.3.2 Integration Tab
5.3.3.3 Task Dependency Tab
5.3.3.4 Responses Tab
5.3.3.5 Undo/Recovery Tab
5.3.3.6 Notification Tab
5.3.3.7 Task to Object Status Mapping Tab
5.3.3.8 Assignment Tab of the Editing Task Window
6 Developing Process Forms
6.1 Creating a Form
6.2 Tabs of the Form Designer Form
6.2.1 Additional Columns Tab
6.2.1.1 Adding a Data Field to a Form
6.2.1.2 Removing a Data Field From a Form
6.2.1.3 Setting the Value of the AccountPassword Property
6.2.2 Child Table(s) Tab
6.2.2.1 Assigning a Child Table to a Form
6.2.2.2 Removing a Child Table from a Form
6.2.3 Object Permissions Tab
6.2.3.1 Assigning a User Group to a User-Created Form
6.2.3.2 Removing a User Group From a User-Created Form
6.2.4 Properties Tab
6.2.4.1 Adding a Property and Property Value to a Data Field
6.2.4.2 Adding a Property and Property Value for a Customized Lookup Query
6.2.4.3 Removing a Property and Property Value From a Data Field
6.2.5 Administrators Tab
6.2.5.1 Assigning Privileges to a User Group for a Record of a User-Created Form
6.2.5.2 Removing User Group Privileges for a Record of a User-Created Form
6.2.6 Usage Tab
6.2.7 Pre-Populate Tab
6.2.8 Default Columns Tab
6.2.9 User Defined Fields Tab
6.3 Creating an Additional Version of a Form
7 Managing Lookup Definitions and Remote Manager
7.1 Overview
7.2 Lookup Definition Form
7.2.1 Creating a Lookup Definition
7.2.2 Lookup Code Information Tab
7.2.2.1 Creating and Modifying a Lookup Value
7.2.2.2 Deleting a Lookup Value
7.2.3 Configuring Challenge Questions for the User
7.3 Remote Manager Form
Part III Connectors
8 Using the Adapter Factory
8.1 Introduction to Adapters
8.2 Types of Adapters
8.3 Adapter Environment and Tools
8.3.1 Configuring the Adapter Environment
8.3.2 Remote Manager
8.3.3 The Adapter Factory
8.3.4 Compiling Adapters
8.3.4.1 Automatic Compilation of Adapters
8.3.4.2 Compiling Adapters Manually
8.4 Defining Adapters
8.5 Tabs of the Adapter Factory Form
8.5.1 Adapter Tasks
8.5.2 Execution Schedule
8.5.3 Resources
8.5.4 Variable List
8.5.5 Usage Lookup
8.5.6 Responses
8.6 Disabling and Re-enabling Adapters
8.7 About Adapter Variables
8.7.1 Creating an Adapter Variable
8.7.2 Modifying an Adapter Variable
8.7.3 Deleting an Adapter Variable
8.8 Creating Adapter Tasks
8.8.1 Types of Adapter Tasks
8.8.2 Creating a Java Task
8.8.3 Creating a Remote Task
8.8.4 Creating a Stored Procedure Task
8.8.5 Creating a Utility Task
8.8.6 Creating an Oracle Identity Manager API Task
8.8.7 Reassigning the Value of an Adapter Variable
8.8.8 Adding an Error Handler Task
8.8.9 Creating a Logic Task
8.9 Modifying Adapter Tasks
8.10 Changing the Order and Nesting of Tasks
8.11 Deleting Adapter Tasks
8.12 Working with Responses
8.12.1 Creating a Response
8.12.2 Modifying a Response
8.12.3 Deleting a Response
8.13 Scheduling Rule Generators and Entity Adapters
8.13.1 Scheduling Rule Generators and Entity Adapters
8.14 Working with Rule Generator Adapters
8.14.1 Mapping Rule Generator Adapter Variables
8.14.2 Associating Rule Generators with Processes
8.14.3 Removing Rule Generators from Form Fields
8.15 Working with Entity Adapters
8.16 Working with Task Assignment Adapters
8.16.1 Attaching Task Assignment Adapters to Process Tasks
8.16.2 Removing Task Assignment Adapters from Process Tasks
8.16.2.1 Removing a Task Assignment Adapter from a Process Task
8.17 Working with Prepopulate Adapters
8.17.1 Attaching Prepopulate Adapters to Form Fields
8.17.2 Removing Prepopulate Adapters from Form Fields
8.18 Working with Process Task Adapters
8.18.1 Guidelines for Working with a Process Task Adapter
8.18.2 Attaching Process Task Adapters to Process Tasks
8.18.3 Removing Process Task Adapters from Process Tasks
8.18.3.1 Removing a Process Task Adapter from a Process Task
8.19 Adapter Mapping Information
8.19.1 Adapter Task Mapping Information
8.19.1.1 Adapter Variables
8.19.1.2 Adapter Task
8.19.1.3 Literal
8.19.1.4 Adapter References
8.19.1.5 Organization Definition
8.19.1.6 Process Definition
8.19.1.7 User Definition
8.19.2 Adapter Variable Mapping Information
8.19.2.1 From the Variable List Tab
8.19.2.2 Process Task Adapter Variable Mappings
8.19.2.3 Task Assignment Adapter Variable Mappings
8.19.2.4 Rule Generator and Entity Adapter Variable Mappings
8.19.2.5 Prepopulate Adapter Variable Mappings
8.20 Defining Error Messages
9 Understanding the Identity Connector Framework
9.1 Advantages of ICF
9.2 Introducing the ICF Architecture
9.3 Using the ICF API
9.3.1 The ConnectorInfoManagerFactory Class
9.3.2 The ConnectorInfoManager Interface
9.3.3 The ConnectorKey Class
9.3.4 The ConnectorInfo Interface
9.3.5 The APIConfiguration Interface
9.3.6 The ConfigurationProperties Interface
9.3.7 The ConnectorFacadeFactory Class
9.3.8 The ConnectorFacade Interface
9.4 Introducing the ICF SPI
9.4.1 Implementing the Required Interfaces
9.4.1.1 org.identityconnectors.framework.spi.Connector
9.4.1.2 org.identityconnectors.framework.spi.Configuration
9.4.2 Implementing the Feature-based Interfaces
9.4.2.1 org.identityconnectors.framework.spi.PoolableConnector
9.4.2.2 org.identityconnectors.framework.spi.AttributeNormalizer
9.4.3 Implementing the Operation Interfaces
9.4.3.1 Implementing the SchemaOp Interface
9.4.3.2 Implementing the CreateOp Interface
9.4.3.3 Implementing the DeleteOp Interface
9.4.3.4 Implementing the SearchOp Interface
9.4.3.5 Implementing the UpdateOp Interface
9.4.4 Common Classes
9.5 Extending an Identity Connector Bundle
9.6 Using an Identity Connector Server
9.6.1 Using the Java Connector Server
9.6.1.1 Installing and Configuring a Java Connector Server
9.6.1.2 Running the Java Connector Server on Microsoft Windows
9.6.1.3 Running the Java Connector Server on Solaris and Linux
9.6.1.4 Installing an Identity Connector in a Java Connector Server
9.6.1.5 Using SSL to Communicate with a Connector Server
9.6.2 Using the Microsoft .NET Framework Connector Server
9.6.2.1 Installing the .NET Connector Server
9.6.2.2 Configuring the .NET Connector Server
9.6.2.3 Configuring Trace Settings
9.6.2.4 Running the .NET Connector Server
9.6.2.5 Installing Multiple Connectors on a .NET Connector Server
10 Developing Identity Connectors Using Java
10.1 Developing a Flat File Connector
10.1.1 Supporting Classes for File Input and Output Handling
10.2 Uploading the Identity Connector Bundle to the Oracle Identity Manager Database
10.2.1 Registering the Connector Bundle with Oracle Identity Manager
10.2.2 Creating Basic Identity Connector Metadata
10.2.2.1 Creating the IT Resource Type Definition
10.2.2.2 Creating the Resource Object
10.2.2.3 Creating Lookups
10.2.3 Creating Provisioning Metadata
10.2.3.1 Creating a Process Form
10.2.3.2 Creating Adapters
10.2.3.3 Creating a Process Definition
10.2.3.4 Creating a Provisioning Attribute Mapping Lookup
10.2.4 Creating Reconciliation Metadata
10.2.4.1 Creating a Reconciliation Schedule Task
10.2.4.2 Creating a Reconciliation Profile
10.2.4.3 Setting a Reconciliation Action Rule
10.2.4.4 Creating Reconciliation Mapping
10.2.4.5 Defining a Reconciliation Matching Rule
10.3 Provisioning a Flat File Account
10.4 Configuring SSL for Java Connector Server
11 Developing Identity Connectors Using .NET
11.1 Developing a Flat File .NET Connector
11.2 Deploying the Identity Connector Bundle on the .NET Connector Server
11.2.1 Registering the Connector Bundle with the .NET Connector Server
11.2.2 Creating Basic Identity Connector Metadata
11.2.2.1 Creating the IT Resource Type Definition
11.2.2.2 Creating the Resource Object
11.2.2.3 Creating Lookups
11.2.3 Creating Provisioning Metadata
11.2.3.1 Creating a Process Form
11.2.3.2 Creating Adapters
11.2.3.3 Creating a Process Definition
11.2.3.4 Creating a Provisioning Attribute Mapping Lookup
11.2.4 Creating Reconciliation Metadata
11.2.4.1 Creating a Reconciliation Schedule Task
11.2.4.2 Creating a Reconciliation Profile
11.2.4.3 Setting a Reconciliation Action Rule
11.2.4.4 Creating Reconciliation Mapping
11.2.4.5 Defining a Reconciliation Matching Rule
11.3 Provisioning a Flat File Account
12 Integrating ICF with Oracle Identity Manager
12.1 ICF Common
12.2 Integration Architecture
12.3 Global Oracle Identity Manager Lookups
12.3.1 Main Lookup Configuration
12.3.2 User Management Configuration
12.3.3 Recon Transformation Lookup (Lookup.CONNECTOR_NAME.UM.ReconTransformation)
12.3.4 Recon Validation Lookup (Lookup.CONNECTOR_NAME.UM.ReconValidation)
12.3.5 Optional Defaults Lookup
12.4 IT Resource
12.5 Provisioning
12.5.1 ICF Provisioning Manager
12.5.1.1 APIs for Provisioning
12.5.1.2 Account-Related Operations
12.5.1.3 Multivalued Operations
12.5.1.4 Other Operations
12.5.2 Provisioning Lookup
12.5.3 Non-User Object Types
12.5.4 Optional Lookups for Provisioning
12.5.4.1 Provisioning Validation Lookup
12.5.5 Optional Flags in Lookups for the Provisioning Attribute Map
12.5.6 Compound Attributes in the Provisioning Attribute Map
12.6 Concepts of Reconciliation in ICF Common
12.6.1 Types of Reconciliation
12.6.1.1 Target and Trusted Reconciliation
12.6.1.2 Full and Incremental Reconciliation
12.6.1.3 Advanced Incremental Reconciliation
12.6.1.4 Delete Reconciliation
12.6.1.5 Group Lookup Reconciliation
12.6.2 List of Reconciliation Artifacts in Oracle Identity Manager
12.6.2.1 Lookups for Reconciliation
12.7 Predefined Scheduled Tasks
12.7.1 LookupReconTask
12.7.2 SearchReconTask
12.7.3 SearchReconDeleteTask
12.7.4 SyncReconTask
12.8 ICF Filter Syntax
13 Using Java APIs for ICF Integration
14 Configuring ICF Connectors
14.1 Configuring the Connector Load Balancer
14.2 Configuring Validation of Data During Reconciliation and Provisioning
14.3 Configuring Transformation of Data During User Reconciliation
14.4 Configuring Resource Exclusion Lists
14.5 Setting Up SSL for the Connector Server and OIM
14.5.1 Troubleshooting SSL
14.6 Adding Target System Attributes
14.6.1 Adding Target System Attributes for Provisioning
14.6.2 Adding Target System Attributes for Target Reconciliation
14.6.3 Adding Target System Attributes for Trusted Reconciliation
15 Understanding ICF Best Practices and FAQs
15.1 Best Practices for ICF
15.2 FAQs on ICF
16 Understanding Generic Technology Connectors
16.1 Requirement for Generic Technology Connectors
16.2 Functional Architecture of Generic Technology Connectors
16.2.1 Providers and Data Sets of the Reconciliation Module
16.2.2 Providers and Data Sets of the Provisioning Module
16.2.3 Oracle Identity Manager Data Sets
16.3 Features of Generic Technology Connectors
16.3.1 Features Specific to the Reconciliation Module
16.3.1.1 Trusted Source Reconciliation
16.3.1.2 Account Status Reconciliation
16.3.1.3 Full and Incremental Reconciliation
16.3.1.4 Batched Reconciliation
16.3.1.5 Reconciliation of Multivalued Attribute Data (Child Data) Deletion
16.3.1.6 Failure Threshold for Stopping Reconciliation
16.3.2 Other Features
16.3.2.1 Custom Data Fields and Field Mappings
16.3.2.2 Custom Providers
16.3.2.3 Multilanguage Support
16.3.2.4 Custom Date Formats
16.3.2.5 Propagation of Changes in Oracle Identity Manager User Attributes to Target Systems
16.4 Connector Objects Created by the Generic Technology Connector Framework
16.4.1 Both Reconciliation and Provisioning Are Selected
16.4.2 Only Reconciliation Is Selected
16.4.3 Only Provisioning Is Selected
16.5 Roadmap for Information on Generic Technology Connectors in This Guide
17 Predefined Providers for Generic Technology Connectors
17.1 Shared Drive Reconciliation Transport Provider
17.2 CSV Reconciliation Format Provider
17.3 SPML Provisioning Format Provider
17.3.1 Run-Time Parameters
17.3.2 Design Parameters
17.3.3 Nonmandatory Parameters
17.3.4 Parameters with Predetermined Values
17.4 Web Services Provisioning Transport Provider
17.4.1 Configuring SSL Communication Between Oracle Identity Manager and the Target System Web Service
17.5 Transformation Providers
17.5.1 Concatenation Transformation Provider
17.5.2 Translation Transformation Provider
17.5.2.1 Configuring Account Status Reconciliation
17.6 Validation Providers
18 Creating Custom Providers for Generic Technology Connectors
18.1 Role of Providers
18.1.1 Role of Providers During Generic Technology Connector Creation
18.1.2 Role of Providers During Reconciliation
18.1.3 Role of Providers During Provisioning
18.2 Creating Custom Providers
18.2.1 Determining Provider Requirements
18.2.1.1 Determining the Reconciliation Provider Requirements
18.2.1.2 Determining the Provisioning Provider Requirements
18.2.2 Identifying the Provider Parameters
18.2.3 Developing Java Code Implementations of the Value Objects
18.2.4 Developing Java Code Implementations of the Provider SPI Methods
18.2.5 Developing Java Code for Logging and Exception Handling
18.2.6 Creating the Provider XML File
18.2.7 Creating Resource Bundle Entries for the Provider
18.2.8 Deploying the Provider
18.3 Reusing Providers
18.3.1 Reusing Reconciliation Providers
18.3.2 Reusing Provisioning Providers
18.4 Deploying the Custom Providers
19 Creating and Managing Generic Technology Connectors
19.1 Overview
19.2 Creating Generic Technology Connectors
19.2.1 Determining Provider Requirements
19.2.2 Selecting the Providers to Include
19.2.3 Addressing the Prerequisites
19.2.4 Using Identity System Administration to Create the Connector
19.2.4.1 Step 1: Provide Basic Information Page
19.2.4.2 Step 2: Specify Parameter Values Page
19.2.4.3 Step 3: Modify Connector Configuration Page
19.2.4.4 Step 4: Verify Connector Form Names Page
19.2.4.5 Step 5: Verify Connector Information Page
19.2.5 Configuring Reconciliation
19.2.6 Configuring Provisioning
19.2.7 Creating the Form and Publishing the Application Instance
19.2.8 Enabling Logging
19.3 Managing Generic Technology Connectors
19.3.1 Modifying Generic Technology Connectors
19.3.2 Exporting Generic Technology Connectors
19.3.3 Importing Generic Technology Connectors
19.4 Using the Generic Connection Pool Framework in Custom Connectors
19.4.1 Providing a Concrete Implementation of the ResourceConnection Interface
19.4.2 Defining Additional ITResource Parameters
19.4.3 Getting and Releasing Connections from the Pool
19.4.4 Using a Third-Party Pool
19.4.5 Example: Implementation of ResourceConnection
19.5 Best Practices
19.5.1 Working with the Provide Basic Information Page
19.5.2 Working with the Specify Parameter Values Page
19.5.3 Working with the Modify Connector Configuration Page
19.5.3.1 Names of Fields
19.5.3.2 Password Fields
19.5.3.3 Password-Like Fields
19.5.3.4 Mappings
19.5.3.5 Oracle Identity Manager Data Sets
19.5.4 Working with the Shared Drive Reconciliation Transport Provider
19.5.5 Working with Custom Providers
19.5.6 Working with Connector Objects
19.5.7 Modifying Generic Technology Connectors
20 Troubleshooting Generic Technology Connectors
20.1 General Issues for Generic Technology Connectors
20.1.1 Creation Issues
20.1.2 Multilanguage Support
20.1.3 Other General Issues
20.2 Configuration Issues for Generic Technology Connectors
20.2.1 Names of Generic Technology Connectors and Connector Objects
20.2.2 Step 3: Modify Connector Configuration Page
20.2.3 Errors During Connector Creation
20.2.4 Errors During Reconciliation
20.2.5 Errors During Provisioning
Part IV Requests and Approval Processes
21 Developing Workflows for Approval and Manual Provisioning
21.1 Introducing Workflows
21.1.1 Overview of Workflows
21.1.2 Workflow Concepts
21.1.3 Workflow Architecture
21.2 Predefined SOA Composites
21.3 Creating New SOA Composites
21.3.1 Creating a New SOA Composite
21.3.2 Deploying a SOA Composite in Oracle SOA Server
21.3.3 Prerequisites for Communication to Oracle Identity Manager Through SSL Mode
21.4 Developing Workflows: Vision Request Tutorial
21.4.1 Introducing the Tutorial
21.4.2 Prerequisites
21.4.2.1 Deploying the Request Web Service
21.4.2.2 Securing the Web Service
21.4.3 Creating the Application Instance
21.4.3.1 Creating the FinApp Application Instance
21.4.3.2 Defining Application Instance Attributes and Creating a Form
21.4.3.3 Publishing the Application Instance to One or More Organizations
21.4.3.4 Linking Entitlements to the Application Instance
21.4.3.5 Publishing the Application Instance With Entitlements to the Catalog
21.4.4 Configuring FinApp in the Catalog
21.4.5 Creating and Configuring the SOA Composite for Approval
21.4.5.1 Creating the Approval Workflow
21.4.5.2 Copying the WSDL and XSD Files
21.4.5.3 Configuring Partner Links
21.4.5.4 Making Request and Catalog Data Available to the BPEL Process
21.4.5.5 Configuring Workflow Selection
21.4.5.6 Configuring Human Tasks
21.4.5.7 Configuring the Human Task and BPEL Mappings
21.4.5.8 Deploying the SOA Composite
21.4.5.9 Creating the Approval Policies
21.5 Configuring Default Request-Level and Operation-Level Approval Composites
21.6 Creating and Deploying a Custom Task Details Taskflow
21.6.1 Prerequisites for Developing a Custom Task Details Taskflow
21.6.2 Developing a Custom Task Details Taskflow
21.6.3 Developing Custom Task Details for Email Notification (Optional)
21.6.4 Deploying the Task Details Taskflow
21.6.5 Configuring Human Task and Taskflow Permissions
21.6.6 Testing the Custom Taskflow
21.7 Understanding Request Datasets
21.8 Extending Request Management Operations
21.8.1 Running Custom Code Based on Request Status Change
21.8.2 Validating Request Data
21.8.3 Prepopulation of an Attribute Value During Request Creation
21.9 Enabling Auto-Approval for Self-Registration Requests
22 Using Segregation of Duties (SoD)
22.1 Understanding the SoD Validation Process
22.2 Introducing the SoD Invocation Library
22.3 Installing the SoD-Enabled Connectors
22.4 Deploying the SIL and SIL Providers
22.5 Configuring the SoD Engine
22.5.1 Configuring Oracle Application Access Controls Governor
22.5.2 Configuring SAP GRC
22.5.3 Configuring Oracle Identity Analytics
22.6 Enabling and Disabling SoD
22.6.1 Enabling SoD
22.6.2 Disabling SoD
22.7 Enabling SSL Communication
22.7.1 Enabling SSL Between Oracle Application Access Controls Governor and Oracle Identity Manager
22.7.2 Enabling SSL Between SAP GRC and Oracle Identity Manager
22.7.3 Calling the SoD Check Web Service Over SSL
22.8 Configuring Workflows on Non-SoD-Enabled Connectors
22.8.1 Modifying the Approval Workflow for SoD
22.8.2 Modifying the Provisioning Workflow for SoD
22.9 Marking Child Process Form Tables That Hold Entitlement Data
22.9.1 Marking Request Dataset Attributes That Hold Entitlement Data
22.9.2 Marking Child Process Form Tables That Hold Entitlement Data
22.10 Custom Combination of Target Systems and SoD Engines
22.10.1 Using a Custom Target System
22.10.1.1 Addressing Prerequisites
22.10.1.2 Creating the Transformation Layer
22.10.1.3 Deploying the Transformation Layer
22.10.1.4 Modifying the Registration XML File
22.10.1.5 Registering the New Target System
22.10.2 Adding a Custom SoD Engine
22.10.2.1 Addressing Prerequisites
22.10.2.2 Creating an IT Resource to Hold Information about the SoD Engine
22.10.2.3 Implementing the Service Components for the Provider
22.10.2.4 Deploying the Service Components
22.10.2.5 Modifying the Registration XML File for the New SoD Engine
22.10.2.6 Registering the New SIL Provider
22.11 Performing Role SoD Check with Oracle Identity Analytics
22.11.1 Enabling Role SoD Check
22.11.2 Using Role SoD Check
22.11.2.1 SoD Check When a User Requests a Role
22.11.2.2 SoD Check When a User Revokes a Role
22.11.2.3 SoD Check When an Administrator Requests to Assign Roles
22.11.2.4 SoD Check When an Administrator Requests to Revoke Roles
22.12 Using SoD in the Provisioning Workflow
22.12.1 Provisioning an Application Instance With Child Data
22.12.2 Modifying an Application Instance to Add or Delete Child Data
22.12.3 Provisioning Entitlements to a User
22.12.4 Revoking Entitlements From a User
22.12.5 Requesting Roles and Entitlements
22.12.6 Requesting Roles and Application Instances With Child Data
22.12.7 Request Provisioning With the DefaultSODApproval Workflow
22.12.8 Requesting a Role With an Access Policy Attached
22.12.9 Provisioning Based on Access Policies Without Approval
22.12.10 Provisioning Based on Access Policies With Approval
22.12.11 Requesting Entitlements From Two Application Instances
22.13 Enabling Logging for SoD-Related Events
22.14 Troubleshooting SoD Check
Part V Data Synchronization
23 Customizing Reconciliation
23.1 Reconciliation Features
23.1.1 Performance Enhancement Features
23.1.1.1 New Metadata Model: Profiles
23.1.1.2 Parameters to Control Flow and Processing of Events
23.1.1.3 Grouping of Events by Reconciliation Runs
23.1.1.4 Grouping of Events by Batches
23.1.1.5 Implementing Reconciliation Engine Logic in the Database
23.1.1.6 Improved Java Engine
23.1.1.7 Improved Database Schema
23.1.2 Web-Based Event Management Interface
23.1.3 Other Features
23.1.3.1 Staging Tables
23.1.3.2 Handling of Race Conditions
23.1.3.3 Ad Hoc Linking
23.2 Reconciliation Architecture
23.2.1 Reconciliation Profile
23.2.2 Reconciliation Metadata
23.2.3 Reconciliation Target
23.2.4 Reconciliation Run
23.2.5 Reconciliation APIs
23.2.6 Reconciliation Schema
23.2.7 Reconciliation Engine
23.2.7.1 Matching Module
23.2.7.2 Action Module
23.2.8 Connector for Reconciliation
23.2.9 Archival
23.2.10 Backward Compatibility
23.2.11 Reconciliation Event Management
23.3 Defining Reconciliation Rules
23.3.1 Defining a Reconciliation Rule
23.3.2 Adding a Rule Element
23.3.3 Nesting a Rule Within a Rule
23.3.4 Deleting a Rule Element or Rule
23.4 Developing Reconciliation Scheduled Tasks
23.5 Updating Reconciliation Profiles Manually
23.5.1 Creating and Updating Reconciliation Profiles
23.5.2 Changing the Profile Mode
23.6 Understanding Reconciliation APIs
23.6.1 The ReconOperationsService API
23.6.2 Invoking Non-Scheduled Task-Based Reconciliation in a Multithreaded Environment
23.7 Postprocessing for Trusted Reconciliation
23.8 Troubleshooting Reconciliation
23.8.1 Troubleshooting General Reconciliation Issues
23.8.2 Troubleshooting Database-Related Reconciliation Issues
23.8.3 Troubleshooting Reconciliation Profile Configuration Failures
23.9 Populating Data in the RECON_EXCEPTIONS Table
23.10 Reconciliation Best Practices
23.10.1 Additional Index Requirements for the Matching Module
23.10.2 Collecting Database Schema Statistics for Reconciliation Performance
23.11 Monitoring Reconciliation Performance Using DMS
24 Using the Bulk Load Utility
24.1 Features of the Bulk Load Utility
24.2 Prerequisites for Running the Bulk Load Utility
24.2.1 Installing the Bulk Load Utility
24.2.1.1 Scripts That Constitute the Utility
24.2.1.2 Temporary Tables Used During a Bulk Load Operation
24.2.1.3 Options Offered by the Utility
24.2.2 Preparing Your Database for a Bulk Load Operation
24.2.2.1 Creating a Tablespace for Temporary Tables
24.2.2.2 Creating a Datafile in the Oracle Identity Manager Tablespace
24.3 Running the Utility
24.4 Loading OIM User Data
24.4.1 Setting a Default Password for OIM Users Added by the Utility
24.4.2 Creating the Input Source for the Bulk Load Operation
24.4.2.1 Using CSV Files As the Input Source
24.4.2.2 Creating Database Tables As the Input Source
24.4.3 Determining Values for the Input Parameters of the Utility
24.4.4 Monitoring the Progress of the Operation
24.4.5 Handling Exceptions Recorded During the Operation
24.4.6 Fixing Exceptions and Reloading Data Records
24.4.7 Verifying the Outcome of the Bulk Load Operation
24.4.8 Generating an Audit Snapshot
24.5 Loading Account Data
24.5.1 Creating the Input Source for the Bulk Load Operation
24.5.1.1 Using CSV Files As the Input Source
24.5.1.2 Creating Database Tables As the Input Source
24.5.2 Determining Values for the Input Parameters of the Utility
24.5.3 Monitoring the Progress of the Operation
24.5.4 Handling Exceptions Recorded During the Operation
24.5.5 Fixing Exceptions and Reloading Data Records
24.5.6 Verifying the Outcome of the Bulk Load Operation
24.6 Loading Role, Role Hierarchy, Role Membership, and Role Category Data
24.6.1 Creating the Input Source for the Bulk Load Operation
24.6.1.1 Using CSV Files As the Input Source
24.6.1.2 Creating Database Tables As the Input Source
24.6.1.3 Determining the UGP_NAME Generated After Role Load
24.6.2 Determining Values for the Input Parameters of the Utility
24.6.3 Monitoring the Progress of the Operation
24.6.4 Handling Exceptions Recorded During the Operation
24.6.5 Fixing Exceptions and Reloading Data Records
24.6.6 Verifying the Outcome of the Bulk Load Operation
24.7 Data Recorded During the Operation
24.8 Gathering Diagnostic Data from the Bulk Load Operation
24.9 Cleaning Up After a Bulk Load Operation
25 Configuring LDAP Container Rules
26 Developing Scheduled Tasks
26.1 Overview of Task Creation
26.1.1 Steps in Task Creation
26.1.2 Example of a Scheduled Task
26.2 Defining the Metadata for the Scheduled Task
26.3 Configuring the Scheduled Task XML File
26.4 Developing the Scheduled Task Class
26.5 Configuring the Plug-in XML File
26.6 Creating the Directory Structure for the Scheduled Task
26.7 Scheduled Task Configuration File
26.7.1 Structure of the Scheduler XML File
26.7.2 The scheduledTasks Element
26.7.3 The task Element
26.7.4 The name Element
26.7.5 The class Element
26.7.6 The description Element
26.7.7 The retry Element
26.7.8 The parameters Element
26.7.9 The string-param Element
26.7.10 The number-param Element
26.7.11 The boolean-param Element
26.8 Best Practices for Creating Custom Scheduled Tasks
26.9 Using the isStop() Method
Part VI Custom Operations
27 Developing Plug-ins
27.1 Plug-ins and Plug-in Points
27.1.1 Plug-ins and Event Handlers
27.1.2 Plug-in Stores
27.1.2.1 File Store
27.1.2.2 Database Store
27.2 Using Plug-ins in Deployments
27.3 Plug-in Points
27.4 Configuring Plug-ins
27.5 Developing Custom Plug-ins
27.5.1 Developing Plug-ins
27.5.2 Declaring Plug-ins
27.6 Registering Plug-ins
27.6.1 Registering and Unregistering Plug-ins By Using APIs
27.6.2 Registering and Unregistering Plug-ins By Using the Plugin Registration Utility
27.7 Migrating Plug-ins
28 Developing Event Handlers
28.1 Orchestration Concepts
28.2 Using Custom Event Handlers
28.3 Developing Custom Event Handlers
28.3.1 Implementing the SPI and Creating a JAR
28.3.1.1 Development Considerations
28.3.1.2 Methods and Arguments
28.3.1.3 Code Samples
28.3.1.4 Creating a JAR File With Custom Event Handler Code
28.3.1.5 Handling Exceptions
28.3.1.6 Managing Transactions
28.3.2 Defining the Custom Event Definition XML
28.3.2.1 Elements in the Event Handler XML Files
28.3.2.2 Sample Event Definitions
28.3.3 Creating and Registering a Plug-in ZIP
28.4 Sequencing the Execution of Event Handlers
28.5 Writing Custom Validation Event Handlers
28.6 Best Practices
28.7 Migrating Event Handlers
28.8 Troubleshooting Event Handlers
28.9 Managing Event Handlers Using the Design Console
28.9.1 Event Handler Manager Form
28.9.2 Data Object Manager Form
28.9.2.1 Tabs of the Data Object Manager Form
29 Understanding Context
29.1 Child Context
29.2 Context Types
Part VII Customization
30 Customizing the Interface
30.1 Customization Concepts
30.1.1 Deployment of UI Libraries and Applications
30.1.2 Overview of MDS Customization
30.1.3 Overview of the Web Composer
30.2 Managing Sandboxes
30.2.1 Handling Concurrency Conflicts
30.2.1.1 Troubleshooting Concurrency Issues
30.2.2 Creating a Sandbox
30.2.3 Activating and Deactivating a Sandbox
30.2.4 Viewing and Modifying Sandbox Details
30.2.5 Exporting and Importing a Sandbox
30.2.6 Publishing a Sandbox
30.2.7 Checking Out an Item from the Cart
30.2.8 Deleting a Sandbox
30.2.9 Reverting Changes to Default Settings
30.3 Skin Customization in Oracle Identity Manager
30.3.1 Configuring a New Skin
30.3.2 Configuring a Skin for the Legacy Advanced Console
30.3.3 Changing Branding and Logo
30.4 Customizing Pages at Runtime
30.4.1 Using Expression Language in UI Customization
30.4.1.1 Available EL Expressions in the User Context
30.4.1.2 Available EL Expressions in the RequestFormContext
30.4.1.3 Internationalization for Resource Strings
30.4.2 Showing or Hiding UI Components Conditionally
30.4.3 Showing Request Profiles Conditionally
30.4.4 Validating Input Data Using ADF Validators
30.4.5 Marking an Input Attribute as Required
30.4.6 Adding a Link or Button
30.4.7 Hiding and Deleting an ADF Component
30.4.8 Showing and Hiding Attributes
30.4.9 Customizing the User Registration and Other Unauthenticated Pages
30.4.10 Customizing Certification Pages
30.5 Securing UI Components
30.5.1 Securing a Custom Taskflow Using APM
30.5.2 Securing a Task Flow Region Using EL Expressions
30.6 Customizing Oracle Identity Manager Help
30.6.1 Adding Custom Help Topics
30.6.2 Adding Inline Help
30.7 Customizing the Home Page
30.8 Customizing Challenge Questions
30.9 Customizing the Transitional UI
30.9.1 Customizing the Search Drop-Down Item
30.9.2 Customizing the Number of Search Drop-Down Items and Search Results
30.10 Developing Managed Beans and Task Flows
30.10.1 Setting Up the ViewController Project
30.10.2 Setting Up a Model Project
30.10.3 Adding a Custom Managed Bean
30.10.4 Deploying Custom Code to Oracle Identity Manager
30.10.5 Using Managed Beans
30.10.5.1 Showing Components Conditionally
30.10.5.2 Prepopulating Fields Conditionally
30.10.5.3 Setting a Conditional Mandatory Field
30.10.5.4 Implementing Custom Field Validation
30.10.5.5 Implementing Custom Cascading LOVs
30.10.5.6 Customizing Forms By Using RequestFormContext
30.10.5.7 Overriding the Submit Button in the Request Catalog
30.10.5.8 Developing Home Page Portlets
30.10.5.9 Launching Taskflows
30.10.5.10 Creating an External Link
30.10.6 Using Managed Beans to Populate Request Attributes
30.10.6.1 Populating Request Attributes Using Managed Beans
30.10.6.2 Populating Request Attributes by Using the Prepopulate Plug-in
30.11 Migrating UI Customizations
30.12 UI Customization Best Practices
30.13 Rolling Back UI Customization
Part VIII Interfaces to Integrate With Other Applications
31
Using APIs
31.1
Accessing Oracle Identity Manager Services
31.1.1
Using OIMClient
31.1.2
Using the tcUtilityFactory
31.2
Oracle Identity Manager Services
31.2.1
Services in Oracle Identity Manager 11g
31.2.2
Legacy Services or Utilities
31.3
Commonly Used Services
31.3.1
Mapping Between Legacy and New Services
31.4
Developing Clients for Oracle Identity Manager
31.4.1
Prerequisites for Developing Clients
31.4.2
Setup and Configuration
31.5
Working With Legacy Oracle Identity Manager APIs
31.5.1
Using a Result Set Object
31.5.2
Handling Oracle Identity Manager Exceptions
31.5.3
Cleaning Up
31.6
Code Sample
32
Using SPML Services
32.1
Introduction
32.1.1
About SPML Interactions
32.1.2
Integration Interface
32.2
General Considerations
32.2.1
Assigning SPML Admin Role to the User
32.2.2
Creating Autoapproval Policies
32.3
Create Identity (SPML Core Service: addRequest)
32.4
Modify Users, Roles, Change Attributes and Role Memberships (SPML Core Service: modifyRequest)
32.5
Delete an Identity or Role (SPML Core Service: deleteRequest)
32.6
Check Request Status (SPML Core Service: statusRequest)
32.7
List Available Targets (SPML Core Service: listTargets)
32.8
Disable a User (SPML Suspend Service: suspendRequest)
32.9
Enable a User (SPML Suspend Service: resumeRequest)
32.10
Check if User is Active (SPML Suspend Service: activeRequest)
32.11
Validate a Username (SPML Username Service: validateUsername)
32.12
Obtain a Username (SPML Username: suggestUsername)
32.13
Lookup an Identity or Role (SPML Core Service: lookupRequest)
32.14
Reset Password (SPML Core Service: resetPasswordRequest)
32.15
Lookup Username Policy (SPML Username Service: lookupUsernamePolicy)
32.16
Cancel/Withdraw Request (SPML Async Service: cancelRequest)
32.17
Batch Request (SPML Batch Request Service: batchRequest)
32.18
Securing SPML Web Services
32.18.1
About Web Services Security
32.18.2
A Request Example
32.18.3
Applying Policies
32.19
Operations Not Supported
32.20
SPML Attributes and LDAP Mappings, and Oracle Identity Manager Attributes
32.20.1
Identity PSO Attributes
32.20.1.1
Custom Identity Attributes
32.20.2
Role PSO Attributes
32.20.2.1
Custom Role Attributes
32.20.3
Preference Attributes
32.20.4
Special Character Restrictions in Oracle Identity Manager Attributes
32.20.4.1
Characters Available in All Attributes
32.20.4.2
Special Characters in the Password Field
32.20.4.3
Usage of Single Quotation Mark
32.20.4.4
Usage of Semicolon
32.20.4.5
Unsupported Special Characters
32.20.5
Operation Data
32.20.5.1
Passing Operation Data
32.20.5.2
Passing Reference Data
32.21
SPML Examples
32.21.1
SPML Example - Add User
32.21.2
SPML Example - Delete User
32.21.3
SPML Example - Modify User
32.21.4
SPML Example - Resume User
32.21.5
SPML Example - Suggest User Name
32.21.6
SPML Example - Suspend User
32.21.7
SPML Example - Validate User Name
32.21.8
SPML Example - Check If User is Active
32.21.9
SPML Example - Lookup Username Policy
32.21.10
SPML Example - Add User with Role Assignment
32.21.11
SPML Example - Assign Role Membership
32.21.12
SPML Example - Revoke Role Membership
32.21.13
SPML Example - Add Role
32.21.14
SPML Example - Add Role with Parent
32.21.15
SPML Example - Modify Role
32.21.16
SPML Example - Add Parent to a Role
32.21.17
SPML Example - Role Grant
32.21.18
SPML Example - Delete Role
32.21.19
SPML Example - Status Request
32.21.20
SPML Example - Identity/Role Lookup
32.21.21
SPML Example - Reset Password
32.21.22
SPML Example - Reset Password with Notification
32.21.23
SPML Example - Lookup User Name Policy
32.21.24
SPML Example - Cancel Request
32.21.25
SPML Example - Batch Request
33
Using URLs
Part IX Notification Service
34
Developing Notification Events
34.1
Notification Concepts
34.2
Developing Custom Notification
34.2.1
Building the Notification Logic
34.2.1.1
Defining Event Metadata
34.2.1.2
Creating the Resolver Class
34.2.2
Creating Plug-in Pack Containing the Resolver Class
34.2.3
Building the Invocation Logic
34.2.4
Configuring the Notification Service
34.3
Troubleshooting Notification
34.3.1
Issues Related to Incorrect URL
34.3.2
Incorrect Outgoing Server EMail Driver Properties
34.3.3
Error Generated at the SOA Server
34.3.4
Authentication Failure
34.3.5
Issues Related to Failed Email Delivery Not Reported Through EM
35
Using the Callback Service
35.1
Introducing the Callback Service
35.1.1
Using Callbacks
35.1.2
Understanding Event Processing
35.1.3
Retrying Callbacks
35.2
Mapping Oracle Identity Manager Attributes
35.3
Sending Event Callbacks
35.4
Configuring the Callback Service
35.4.1
Understanding CallbackConfiguration.xml
35.4.2
Importing CallbackConfiguration.xml
35.4.3
Adding the OIM.DefaultTenantGUID System Property
35.5
Troubleshooting the Callback Service
Part X Customization Lifecycle
36
Understanding Customization Types
37
Deploying and Undeploying Customizations
37.1
Migrating User Modifiable Metadata Files
37.1.1
Exporting Metadata Files to MDS
37.1.2
Importing Metadata Files from MDS
37.1.3
Deleting Metadata Files from MDS
37.1.4
User Modifiable Metadata Files
37.1.5
Creating MDS Backup
37.2
Migrating JARs and Resource Bundle
37.2.1
Upload JAR Utility
37.2.2
Download JAR Utility
37.2.3
Delete JAR Utility
37.2.4
Upload Resource Bundle Utility
37.2.5
Download Resource Bundle Utility
37.2.6
Delete Resource Bundle Utility
38
Migrating Configurations and Customizations
38.1
Using the Deployment Manager
38.1.1
Features of the Deployment Manager
38.1.2
Exporting Deployments
38.1.3
Importing Deployments
38.1.4
Best Practices Related to Using the Deployment Manager
38.1.4.1
Export System Objects Only When Necessary
38.1.4.2
Export Related Groups of Objects
38.1.4.3
Group Definition Data and Operational Data Separately
38.1.4.4
Use Logical Naming Conventions for Versions of a Form
38.1.4.5
Export Root to Preserve a Complete Organizational Hierarchy
38.1.4.6
Provide Clear Export Descriptions
38.1.4.7
Check All Warnings Before Importing
38.1.4.8
Check Dependencies Before Exporting Data
38.1.4.9
Match Scheduled Task Parameters
38.1.4.10
Deployment Manager Actions on Reimported Scheduled Tasks
38.1.4.11
Compile Adapters and Enable Scheduled Tasks
38.1.4.12
Export Entity Adapters Separately
38.1.4.13
Check Permissions for Roles
38.1.4.14
Back Up the Database
38.1.4.15
Import Data When the System Is Quiet
38.1.4.16
Migrating Custom Data Objects
38.1.4.17
Remove Data Object Fields Before Importing Event Handlers as Dependencies
38.1.5
Troubleshooting the Deployment Manager
38.1.5.1
Troubleshooting Deployment Manager Issues
38.1.5.2
Enabling Logging for the Deployment Manager
38.2
Moving from a Test to a New Production Environment Using Movement Scripts
38.3
Migrating the Policies
38.3.1
Troubleshooting Migration of Policies
Part XI Reports and Audit
39
Configuring Reports
39.1
What is Oracle Identity Manager Reports?
39.2
What is Oracle BI Publisher?
39.3
Licensing
39.4
Deploying Oracle Identity Manager Reports
39.4.1
Creating the Metadata Repository
39.4.2
Installing BI Publisher 11g (11.1.1.6)
39.5
Configuring Oracle Identity Manager Reports
39.5.1
Configuring Security on BI Publisher 11g (11.1.1.6)
39.5.2
Configuring Data Sources for Running Oracle Identity Manager Reports
39.5.2.1
Configuring Oracle Identity Manager JDBC Connection
39.5.2.2
Configuring BPEL-Based JDBC Connection
39.6
Generating Oracle Identity Manager Reports
39.6.1
Generating Sample Reports Against the Sample Data Source
39.6.2
Generating Reports Against the Oracle Identity Manager JDBC Data Source
39.6.3
Generating Reports Against the BPEL-Based JDBC Data Source
40
Understanding Auditing
40.1
Audit Levels
40.2
Tables Used for Storing Information About Auditors
40.3
Issuing Audit Messages
Part XII Appendixes
A
General Customization Concepts
A.1
Rule Elements, Variables, Data Types, and System Properties
A.2
Service Accounts
A.2.1
Service Account Customization: Scenario One
A.2.2
Service Account Customization: Scenario Two
A.3
Design Console Actions
B
The FacesUtils Class
Index