Oracle® Fusion Middleware Developer's Guide for Oracle Identity Manager 11g Release 1 (11.1.1)
Part Number E14309-09
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
Part I Concepts
1
Design Console Overview
1.1
Starting the Design Console
1.2
Navigating Around the Design Console
1.2.1
Design Console Menu Bar
1.2.1.1
File Menu
1.2.1.2
Edit Menu
1.2.1.3
Toolbar Menu
1.2.1.4
Help Menu
1.2.1.5
Keyboard Shortcuts in the Design Console
1.2.2
Design Console Toolbar
1.2.3
Design Console Explorer
1.2.3.1
Starting a Form
1.2.3.2
Refreshing the List of Forms
1.2.4
Design Console Workspace
1.2.4.1
The Form View
1.2.4.2
The Table View
1.3
Special Field and Form Types
1.3.1
Data Fields
1.3.2
Lookup Fields
1.3.3
Date and Time Fields
1.3.4
List
1.3.5
Notes Window
1.3.6
Tabs on Forms
1.4
Assignment Windows
1.5
Search Operations
1.5.1
Starting a Search
1.5.2
Constructing a Search Filter
1.5.3
Results of a Search
1.5.4
Working with a Set of Query Results
1.5.5
Optimizing Query Performance
1.5.6
Exceeding the Limit for a Result Set
1.6
Forms Accessible from the Design Console
1.6.1
User Management
1.6.2
Resource Management
1.6.3
Process Management
1.6.4
Administration
1.6.5
Development Tools
1.6.5.1
Business Rule Definition
2
Developing Adapters
2.1
Introduction to Adapters
2.2
Types of Adapters
2.3
Adapter Environment and Tools
2.3.1
Configuring the Adapter Environment
2.3.2
Remote Manager
2.3.3
The Adapter Factory
2.3.4
Compiling Adapters
2.3.4.1
Automatic Compilation of Adapters
2.3.4.2
Compiling Adapters Manually
2.4
Defining Adapters
2.5
Tabs of the Adapter Factory Form
2.5.1
Adapter Tasks
2.5.2
Execution Schedule
2.5.3
Resources
2.5.4
Variable List
2.5.5
Usage Lookup
2.5.6
Responses
2.6
Disabling and Re-enabling Adapters
2.7
About Adapter Variables
2.7.1
Creating an Adapter Variable
2.7.2
Modifying an Adapter Variable
2.7.3
Deleting an Adapter Variable
2.8
Creating Adapter Tasks
2.8.1
Types of Adapter Tasks
2.8.2
Creating a Java Task
2.8.3
Creating a Remote Task
2.8.4
Creating a Stored Procedure Task
2.8.5
Creating a Utility Task
2.8.6
To Create an Oracle Identity Manager API Task
2.8.7
Reassigning the Value of an Adapter Variable
2.8.8
Adding an Error Handler Task
2.8.9
Creating a Logic Task
2.9
Modifying Adapter Tasks
2.10
Changing the Order and Nesting of Tasks
2.11
Deleting Adapter Tasks
2.12
Working with Responses
2.12.1
To Create a Response
2.12.2
To Modify a Response
2.12.3
To Delete a Response
2.13
Scheduling Rule Generators and Entity Adapters
2.13.1
Scheduling Rule Generators and Entity Adapters
3
Using Adapters
3.1
Working with Rule Generator Adapters
3.1.1
Mapping Rule Generator Adapter Variables
3.1.2
Associating Rule Generators with Processes
3.1.3
Removing Rule Generators from Form Fields
3.2
Working with Entity Adapters
3.3
Working with Task Assignment Adapters
3.3.1
Attaching Task Assignment Adapters to Process Tasks
3.3.2
Removing Task Assignment Adapters from Process Tasks
3.3.2.1
To Remove a Task Assignment Adapter from a Process Task
3.4
Working with Prepopulate Adapters
3.4.1
Attaching Prepopulate Adapters to Form Fields
3.4.2
Removing Prepopulate Adapters from Form Fields
3.5
Working with Process Task Adapters
3.5.1
Guidelines for Working with a Process Task Adapter
3.5.2
Attaching Process Task Adapters to Process Tasks
3.5.3
Removing Process Task Adapters from Process Tasks
3.5.3.1
To Remove a Process Task Adapter from a Process Task
3.6
Adapter Mapping Information
3.6.1
Adapter Task Mapping Information
3.6.1.1
Adapter Variables
3.6.1.2
Adapter Task
3.6.1.3
Literal
3.6.1.4
Adapter References
3.6.1.5
Organization Definition
3.6.1.6
Process Definition
3.6.1.7
User Definition
3.6.2
Adapter Variable Mapping Information
3.6.2.1
From the Variable List Tab
3.6.2.2
Process Task Adapter Variable Mappings
3.6.2.3
Task Assignment Adapter Variable Mappings
3.6.2.4
Rule Generator and Entity Adapter Variable Mappings
3.6.2.5
Prepopulate Adapter Variable Mappings
4
Using the Callback Service
4.1
Introducing the Callback Service
4.1.1
Using Callbacks
4.1.2
Understanding Event Processing
4.1.3
Retrying Callbacks
4.2
Mapping Oracle Identity Manager Attributes
4.3
Sending Event Callbacks
4.4
Configuring the Callback Service
4.4.1
Understanding CallbackConfiguration.xml
4.4.2
Importing CallbackConfiguration.xml
4.5
Troubleshooting the Callback Service
5
Developing Rules
5.1
Overview of Business Rule Definition
5.2
Event Handler Manager Form
5.3
Data Object Manager Form
5.3.1
Tabs of the Data Object Manager Form
5.3.1.1
Attach Handlers Tab
5.3.1.2
Map Adapters Tab
5.4
Reconciliation Rules Form
5.4.1
Defining a Reconciliation Rule
5.4.2
Adding a Rule Element
5.4.3
Nesting a Rule Within a Rule
5.4.4
Deleting a Rule Element or Rule
6
Developing Scheduled Tasks
6.1
Overview of Task Creation
6.1.1
Steps in Task Creation
6.1.2
Example of Scheduled Task
6.2
Define the Metadata for the Scheduled Task
6.3
Configure the Scheduled Task XML File
6.4
Develop the Scheduled Task Class
6.5
Configure the Plug-in XML File
6.6
Create the Directory Structure for the Scheduled Task
7
Developing Plug-ins
7.1
Background of the Plug-in Framework
7.1.1
About the Plug-in Framework
7.1.2
About Plug-in Stores
7.1.2.1
File Store
7.1.2.2
Database Store
7.1.3
Steps for Developing Plug-ins
7.2
Configuring Plug-ins
7.3
Defining and Using Plug-ins
7.3.1
Declaring Plug-ins
7.3.2
Specifying Plug-in Metadata
7.3.3
Developing Plug-ins
7.4
Registering Plug-ins
7.4.1
Registering and Unregistering Plug-ins By Using APIs
7.4.2
Registering and Unregistering Plug-ins By Using the Plugin Registration Utility
7.5
About Mapped Values
7.5.1
Accessing Mapped Values
7.6
Plug-in Points
8
Developing Event Handlers for Extending User Management Operations
8.1
An Overview of User Management Operations
8.2
Extending User Management Operations with Event Handlers
8.2.1
Understanding Elements in Event Handlers XML Files
8.2.2
Writing Custom Event Handlers
8.2.2.1
Implementing Custom Event Handlers
8.2.2.2
Creating Plug-ins for Custom Event Handlers
8.2.2.3
Defining Custom Events
8.3
Troubleshooting an Event Handler
9
Configuring LDAP Container Rules
10
Understanding Context
10.1
Child Context
10.2
Context Types
Part II Application-Specific Connectors
11
Developing Resource Objects
11.1
Viewing Resource Details
11.2
Working with Users and Organizations Associated with Resources
11.3
Using the Resource Administrator Option
11.3.1
Assigning Roles as Administrators for Resources
11.3.2
Updating Permissions of an Administrative Role
11.4
Using the Resource Authorizers Option
11.5
Using the Resource Workflows Option to View Workflows
11.5.1
Opening the Workflow Visualizer
11.5.2
Elements of the Workflow Visualizer
11.5.2.1
Using the Provisioning Workflow Definition Event Tabs
11.5.3
Operations on the Workflow Visualizer
11.5.3.1
Rearranging Elements
11.5.3.2
Using the Expansion Nodes
11.5.3.3
Accessing the Task Details
11.6
Using the Resource Workflows Option to Create and Modify Workflows
11.6.1
Opening the Workflow Designer
11.6.2
Creating a Workflow
11.6.3
Workflow Designer Main Page
11.6.3.1
Information
11.6.3.2
Toolbar
11.6.3.3
Designer Page
11.6.3.4
Menu Section
11.6.4
Creating and Configuring Tasks and Responses
11.6.4.1
General Menu Options
11.6.4.2
Task Options
11.6.4.3
Response Options
11.6.4.4
Link Options
11.6.4.5
Configuring Tasks
11.6.4.6
Configuring Responses
11.6.5
Configuring Data Flows
11.7
Creating IT Resources
11.8
Managing IT Resources
11.8.1
Viewing IT Resources
11.8.2
Modifying IT Resources
11.8.3
Deleting IT Resources
11.9
Managing Resources By Using the Design Console
11.9.1
Overview of Resource Management
11.9.2
IT Resources Type Definition Form
11.9.2.1
Defining a Template (a Resource Type) for IT Resources
11.9.2.2
Tabs on the IT Resource Type Definition Form
11.9.2.3
IT Resource Type Definition Table
11.9.3
Rule Designer Form
11.9.3.1
Creating a Rule
11.9.3.2
Tabs on the Rule Designer Form
11.9.3.3
Rule Designer Table
11.9.4
Resource Objects Form
11.9.4.1
Creating a Resource Object
11.9.4.2
Tabs on the Resource Objects Form
11.9.4.3
Multiple Trusted Source Reconciliation
11.9.5
Service Account Management
12
Developing Provisioning Processes
12.1
Overview of Process Management
12.2
Email Definition Form
12.2.1
Specifying the E-Mail Server
12.2.2
Email Definition Form
12.2.3
Creating an E-Mail Definition
12.3
Process Definition Form
12.3.1
Creating a Process Definition
12.3.2
Tabs on the Process Definition Form
12.3.2.1
Tasks Tab
12.3.2.2
Reconciliation Field Mappings Tab
12.3.2.3
Administrators Tab
12.3.3
Modifying Process Tasks
12.3.3.1
General Tab
12.3.3.2
Integration Tab
12.3.3.3
Task Dependency Tab
12.3.3.4
Responses Tab
12.3.3.5
Undo/Recovery Tab
12.3.3.6
Notification Tab
12.3.3.7
Task to Object Status Mapping Tab
12.3.3.8
Assignment Tab of the Editing Task Window
13
Developing Process Forms
13.1
Form Designer Form
13.1.1
Creating a Form
13.1.2
Tabs of the Form Designer Form
13.1.2.1
Additional Columns Tab
13.1.2.2
Child Table(s) Tab
13.1.2.3
Object Permissions Tab
13.1.2.4
Properties Tab
13.1.2.5
Administrators Tab
13.1.2.6
Usage Tab
13.1.2.7
Pre-Populate Tab
13.1.2.8
Default Columns Tab
13.1.2.9
User Defined Fields Tab
13.1.3
Creating an Additional Version of a Form
13.2
Error Message Definition Form
13.2.1
Creating an Error Message
14
Customizing Reconciliation Operations
14.1
Developing Reconciliation Scheduled Tasks
14.2
Understanding Reconciliation APIs
14.3
Postprocessing for Trusted Reconciliation
14.4
Troubleshooting Reconciliation
14.4.1
Troubleshooting General Reconciliation Issues
14.4.2
Troubleshooting Trusted Source Reconciliation
14.4.3
Troubleshooting Target Resource Reconciliation
14.4.4
Troubleshooting Database-Related Reconciliation Issues
15
Developing Lookup Definitions, UDFs, and Remote Manager
15.1
Overview
15.2
Lookup Definition Form
15.2.1
Creating a Lookup Definition
15.2.2
Lookup Code Information Tab
15.2.2.1
Creating and Modifying a Lookup Value
15.2.2.2
Deleting a Lookup Value
15.2.3
Configuring Challenge Questions for the User
15.3
User Defined Field Definition Form
15.3.1
Selecting the Target Form for a User-Defined Field
15.3.2
Tabs on the User Defined Field Definition Form
15.3.2.1
User Defined Columns Tab
15.3.2.2
Properties Tab
15.3.2.3
Administrators Tab
15.4
Remote Manager Form
Part III Identity Connector Framework
16
Understanding the Identity Connector Framework
16.1
Introducing the ICF Architecture
16.2
Using the ICF API
16.2.1
The ConnectorInfoManagerFactory Class
16.2.2
The ConnectorInfoManager Interface
16.2.3
The ConnectorKey Class
16.2.4
The ConnectorInfo Interface
16.2.5
The APIConfiguration Interface
16.2.6
The ConfigurationProperties Interface
16.2.7
The ConnectorFacadeFactory Class
16.2.8
The ConnectorFacade Interface
16.3
Introducing the ICF SPI
16.3.1
Implementing the Required Interfaces
16.3.1.1
org.identityconnectors.framework.spi.Connector
16.3.1.2
org.identityconnectors.framework.spi.Configuration
16.3.2
Implementing the Feature-based Interfaces
16.3.2.1
org.identityconnectors.framework.spi.PoolableConnector
16.3.2.2
org.identityconnectors.framework.spi.AttributeNormalizer
16.3.3
Implementing the Operation Interfaces
16.3.3.1
Implementing the SchemaOp Interface
16.3.3.2
Implementing the CreateOp Interface
16.3.3.3
Implementing the DeleteOp Interface
16.3.3.4
Implementing the SearchOp Interface
16.3.3.5
Implementing the UpdateOp Interface
16.3.4
Common Classes
16.4
Extending an Identity Connector Bundle
16.5
Using an Identity Connector Server
16.5.1
Using the Java Connector Server
16.5.1.1
Installing and Configuring a Java Connector Server
16.5.1.2
Running the Java Connector Server on Microsoft Windows
16.5.1.3
Running the Java Connector Server on Solaris and Linux
16.5.1.4
Installing an Identity Connector in a Java Connector Server
16.5.1.5
Using SSL to Communicate with a Connector Server
16.5.2
Using the Microsoft .NET Framework Connector Server
16.5.2.1
Installing the .NET Connector Server
16.5.2.2
Configuring the .NET Connector Server
16.5.2.3
Configuring Trace Settings
16.5.2.4
Running the .NET Connector Server
16.5.2.5
Installing Multiple Connectors on a .NET Connector Server
17
Developing Identity Connectors
17.1
Developing a Flat File Connector
17.1.1
Supporting Classes for File Input and Output Handling
17.2
Uploading the Identity Connector Bundle to Oracle Identity Manager Database
17.2.1
Registering the Connector Bundle with Oracle Identity Manager
17.2.2
Creating Basic Identity Connector Metadata
17.2.2.1
Creating the IT Resource Type Definition
17.2.2.2
Creating the Resource Object
17.2.2.3
Creating Lookups
17.2.3
Creating Provisioning Metadata
17.2.3.1
Creating a Process Form
17.2.3.2
Creating Adapters
17.2.3.3
Creating A Process Definition
17.2.3.4
Creating a Provisioning Attribute Mapping Lookup
17.2.4
Creating Reconciliation Metadata
17.2.4.1
Creating a Reconciliation Schedule Task
17.2.4.2
Creating a Reconciliation Profile
17.2.4.3
Setting a Reconciliation Action Rule
17.2.4.4
Creating Reconciliation Mapping
17.2.4.5
Defining a Reconciliation Matching Rule
17.3
Provisioning a Flat File Account
Part IV Generic Technology Connectors
18
Understanding Generic Technology Connectors
18.1
Requirement for Generic Technology Connectors
18.2
Functional Architecture of Generic Technology Connectors
18.2.1
Providers and Data Sets of the Reconciliation Module
18.2.2
Providers and Data Sets of the Provisioning Module
18.2.3
Oracle Identity Manager Data Sets
18.3
Features of Generic Technology Connectors
18.3.1
Features Specific to the Reconciliation Module
18.3.1.1
Trusted Source Reconciliation
18.3.1.2
Account Status Reconciliation
18.3.1.3
Full and Incremental Reconciliation
18.3.1.4
Batched Reconciliation
18.3.1.5
Reconciliation of Multivalued Attribute Data (Child Data) Deletion
18.3.1.6
Failure Threshold for Stopping Reconciliation
18.3.2
Other Features
18.3.2.1
Custom Data Fields and Field Mappings
18.3.2.2
Custom Providers
18.3.2.3
Multilanguage Support
18.3.2.4
Custom Date Formats
18.3.2.5
Propagation of Changes in Oracle Identity Manager User Attributes to Target Systems
18.4
Connector Objects Created by the Generic Technology Connector Framework
18.4.1
Both Reconciliation and Provisioning Are Selected
18.4.2
Only Reconciliation Is Selected
18.4.3
Only Provisioning Is Selected
18.5
Roadmap for Information on Generic Technology Connectors in This Guide
19
Predefined Providers for Generic Technology Connectors
19.1
Shared Drive Reconciliation Transport Provider
19.2
CSV Reconciliation Format Provider
19.3
SPML Provisioning Format Provider
19.3.1
Run-Time Parameters
19.3.2
Design Parameters
19.3.3
Nonmandatory Parameters
19.3.4
Parameters with Predetermined Values
19.4
Web Services Provisioning Transport Provider
19.4.1
Configuring SSL Communication Between Oracle Identity Manager and the Target System Web Service
19.5
Transformation Providers
19.5.1
Concatenation Transformation Provider
19.5.2
Translation Transformation Provider
19.5.2.1
Configuring Account Status Reconciliation
19.6
Validation Providers
20
Creating Custom Providers for Generic Technology Connectors
20.1
Role of Providers
20.1.1
Role of Providers During Generic Technology Connector Creation
20.1.2
Role of Providers During Reconciliation
20.1.3
Role of Providers During Provisioning
20.2
Creating Custom Providers
20.2.1
Determining Provider Requirements
20.2.1.1
Determining the Reconciliation Provider Requirements
20.2.1.2
Determining the Provisioning Provider Requirements
20.2.2
Identifying the Provider Parameters
20.2.3
Developing Java Code Implementations of the Value Objects
20.2.4
Developing Java Code Implementations of the Provider SPI Methods
20.2.5
Developing Java Code for Logging and Exception Handling
20.2.6
Creating the Provider XML File
20.2.7
Creating Resource Bundle Entries for the Provider
20.2.8
Deploying the Provider
20.3
Reusing Providers
20.3.1
Reusing Reconciliation Providers
20.3.2
Reusing Provisioning Providers
20.4
Deploying the Custom Providers
21
Creating and Managing Generic Technology Connectors
21.1
Overview
21.2
Creating Generic Technology Connectors
21.2.1
Determining Provider Requirements
21.2.2
Selecting the Providers to Include
21.2.3
Addressing the Prerequisites
21.2.4
Using the Administrative and User Console to Create the Connector
21.2.4.1
Step 1: Provide Basic Information Page
21.2.4.2
Step 2: Specify Parameter Values Page
21.2.4.3
Step 3: Modify Connector Configuration Page
21.2.4.4
Step 4: Verify Connector Form Names Page
21.2.4.5
Step 5: Verify Connector Information Page
21.2.5
Configuring Reconciliation
21.2.6
Configuring Provisioning
21.2.7
Enabling Logging
21.3
Managing Generic Technology Connectors
21.3.1
Modifying Generic Technology Connectors
21.3.2
Exporting Generic Technology Connectors
21.3.3
Importing Generic Technology Connectors
21.4
Using the Generic Connection Pool Framework in Custom Connectors
21.4.1
Providing concrete implementation for ResourceConnection interface
21.4.2
Defining Additional ITResource Parameters
21.4.3
Getting and Releasing Connections from the Pool
21.4.4
Using a Third-party Pool
21.4.5
Example: Implementation of ResourceConnection
21.5
Best Practices
21.5.1
Working with the Provide Basic Information Page
21.5.2
Working with the Specify Parameter Values Page
21.5.3
Working with the Modify Connector Configuration Page
21.5.3.1
Names of Fields
21.5.3.2
Password Fields
21.5.3.3
Password-Like Fields
21.5.3.4
Mappings
21.5.3.5
Oracle Identity Manager Data Sets
21.5.4
Working with Shared Drive Reconciliation Transport Provider
21.5.5
Working with Custom Providers
21.5.6
Working with Connector Objects
21.5.7
Modifying Generic Technology Connectors
22
Troubleshooting Generic Technology Connectors
22.1
General Issues for Generic Technology Connectors
22.1.1
Creation Issues
22.1.2
Multi-language Support
22.1.3
Other General Issues
22.2
Configuration Issues for Generic Technology Connectors
22.2.1
Names of Generic Technology Connectors and Connector Objects
22.2.2
Step 3: Modify Connector Configuration Page
22.2.3
Errors During Connector Creation
22.2.4
Errors During Reconciliation
22.2.5
Errors During Provisioning
Part V Requests and Approval Processes
23
Configuring Requests
23.1
Step 1: Creating a Request Dataset for the Resources
23.1.1
Elements and Properties
23.1.1.1
The request-data-set Element
23.1.1.2
The DataSetValidator Element
23.1.1.3
The AttributeReference Element
23.1.1.4
The Attribute Element
23.1.2
Sample Request Dataset
23.1.3
Child Data
23.1.4
Common Request Dataset
23.1.5
Configuring Localized Values for Request Datasets
23.1.5.1
Localization for Request Dataset Attributes
23.1.5.2
Localization of Column Names in LookupQuery for Dataset Attributes
23.2
Step 2: Uploading Request Datasets into MDS
23.3
Step 3: Creating SOA Composites Required for Approval
23.4
Step 4: Registering the SOA Composites in Oracle Identity Manager
23.5
Step 5: Defining Request Approvals
23.5.1
Approval Workflows
23.5.2
Approval Levels
23.5.2.1
Template-Level Approval
23.5.2.2
Request-Level Approval
23.5.2.3
Operation-Level Approval
23.5.3
Creating Approval Policies
23.6
Step 6: Creating Request Templates
23.7
Extending Request Management Operations
23.7.1
Running Custom Code Based on Request Status Change
23.7.2
Validating Request Data
23.7.3
Prepopulation of an Attribute Value During Request Creation
24
Understanding Approval Process Development in Oracle SOA Suite
24.1
Integration with Oracle SOA Suite
24.1.1
Integration Prerequisites
24.1.2
Integration Components
24.2
Predefined SOA Composites
24.3
Developing an Approval Process for Oracle Identity Manager
24.4
Monitoring Oracle Identity Manager SOA Composites
24.5
Enabling Oracle Identity Manager to Connect to SOA
25
Developing SOA Composites
25.1
Creating New SOA Composites
25.1.1
Creating a New SOA Composite
25.1.2
Deploying a SOA Composite in Oracle SOA Server
25.1.3
Prerequisites for Communication to Oracle Identity Manager Through SSL Mode
25.1.4
Registering a SOA Composite with Oracle Identity Manager
25.2
Modifying Existing SOA Composites
25.2.1
Modifying a SOA Project in JDeveloper
25.2.2
Disabling a SOA Composite on Oracle Identity Manager
25.2.3
Deploying a SOA Composite in Oracle SOA Server
25.2.4
Enabling a SOA Composite with Oracle Identity Manager
26
Using Oracle Identity Manager APIs in SOA Composites
26.1
Software Prerequisites
26.2
Configuring the SOA Composite By Using JDeveloper
26.2.1
Setting an Application Server Connection in JDeveloper
26.2.2
Setting Up the SOA Composite in JDeveloper
26.2.3
Updating the SOA Composite
26.2.4
Deploying the SOA Composite
26.2.5
Testing the Setup
Part VI Segregation of Duties
27
Using Segregation of Duties (SoD)
27.1
Understanding the SoD Validation Process
27.2
Introducing the SoD Invocation Library
27.3
Installing the SoD-enabled Connectors
27.4
Deploying the SIL and SIL Providers
27.5
Configuring the SoD Engine
27.5.1
Configuring Oracle Application Access Controls Governor
27.5.2
Configuring SAP GRC
27.5.3
Configuring Oracle Identity Analytics
27.6
Enabling and Disabling SoD
27.6.1
Enabling SoD
27.6.2
Disabling SoD
27.7
Enabling SSL Communication
27.7.1
Enabling SSL Between Oracle Application Access Controls Governor and Oracle Identity Manager
27.7.2
Enabling SSL Between SAP GRC and Oracle Identity Manager
27.7.3
Calling SoD Check Web Service Over SSL
27.8
Configuring Workflows on Non SoD-enabled Connectors
27.8.1
Modifying the Approval Workflow for SoD
27.8.2
Modifying the Provisioning Workflow for SoD
27.9
Marking Fields as Entitlements
27.9.1
Marking Request Dataset Attributes That Hold Entitlement Data
27.9.2
Marking Child Process Form Tables That Hold Entitlement Data
27.10
Custom Combination of Target Systems and SoD Engines
27.10.1
Using a Custom Target System
27.10.1.1
Addressing Prerequisites
27.10.1.2
Creating the Transformation Layer
27.10.1.3
Deploying the Transformation Layer
27.10.1.4
Modifying the Registration XML File
27.10.1.5
Registering the New Target System
27.10.2
Adding Custom SoD Engine
27.10.2.1
Addressing Prerequisites
27.10.2.2
Creating an IT Resource to Hold Information about the SoD Engine
27.10.2.3
Implementing the Service Components for the Provider
27.10.2.4
Deploying the Service Components
27.10.2.5
Modifying the Registration XML File for the New SoD Engine
27.10.2.6
Registering the New SIL Provider
27.11
Performing Role SoD Check with Oracle Identity Analytics
27.11.1
Enabling Role SoD Check
27.11.2
Using Role SoD Check
27.11.2.1
SoD Check When A User Requests a Role
27.11.2.2
SoD Check When A User Revokes a Role
27.11.2.3
SoD Check When an Administrator Requests To Assign Roles
27.11.2.4
SoD Check When an Administrator Requests To Revoke Roles
27.11.2.5
SoD Check for Assigning/Revoking Roles with Callback Policy Request
27.12
Using SoD in Provisioning Workflow
27.12.1
Direct Provisioning
27.12.2
Updating Entitlements
27.12.3
Request Provisioning
27.12.4
Creating a Request to Modify Provisioned Resource
27.12.5
Request Provisioning With the DefaultSODApproval Workflow
27.12.6
Request Provisioning with Approver-Only Field and With the DefaultSODApproval Workflow
27.12.7
Requesting for Self
27.12.8
Provisioning Based on Access Policies
27.12.9
Updating Entitlements By Using Provisioning Based on Access Policies
27.13
Enabling Logging for SoD-Related Events
27.14
Troubleshooting SoD Check
Part VII Customization
28
Customizing Oracle Identity Manager Interfaces
28.1
Branding Customization
28.1.1
Login Page
28.1.2
Identity Administration
28.1.3
Unauthenticated Self-Service
28.1.4
Authenticated Self Service
28.1.5
Advanced Administration
28.2
Style Sheet Modifications
28.2.1
Introduction to the Style Sheets
28.2.2
Creating Custom Skins and Overriding Style Sheets
28.2.3
Style Sheets in Transitional UI
28.2.3.1
Files to Modify
28.2.3.2
Customizing the Appearance of the Transitional UI
28.3
Renaming Button Labels
28.3.1
Identity Administration
28.3.2
Other Consoles
28.3.3
Transitional UI Pop-ups
28.3.3.1
Files to Modify
28.3.3.2
Customizing Descriptive Text and Labels
28.4
Working with Menus and Tabs
28.4.1
Oracle Identity Administration
28.4.2
Other Consoles
28.5
Disabling Features
28.5.1
Disabling Access to Features Through the Authorization Policies
28.5.2
Other Administration Features
28.5.3
Other Consoles
28.6
Adding or Deleting Columns in Console Tables
28.6.1
Identity Administration
28.6.2
Transitional UI
28.6.2.1
Customizing Search Drop-Down Item
28.6.2.2
Customizing Number of Search Drop-Down Items and Search Results
28.7
Data Customization
28.7.1
Advanced Administration
28.7.2
Unauthenticated Self Service
28.7.3
Authenticated Self Service
28.8
Injecting Custom URLs
28.8.1
Custom URLs for the Identity Administration
28.8.2
Custom URLs for Other Consoles
28.9
Changing Popup Properties
28.10
Customizing the Workflow Designer
29
Adding Custom ADF Tabs to Self Service
30
General Customization Concepts
30.1
Rule Elements, Variables, Data Types, and System Properties
30.2
Service Accounts
30.2.1
Service Account Customization: Scenario One
30.2.2
Service Account Customization: Scenario Two
30.3
Design Console Actions
Part VIII APIs and Web Services
31
Using APIs
31.1
Accessing Oracle Identity Manager Services
31.1.1
Using OIMClient
31.1.2
Using the tcUtilityFactory
31.2
Oracle Identity Manager Services
31.2.1
Services Introduced in Oracle Identity Manager 11g Release 1 (11.1.1)
31.2.2
Legacy Services or Utilities
31.3
Commonly Used Services
31.3.1
Mapping Between Legacy and New Services
31.4
Developing Clients for Oracle Identity Manager
31.4.1
Prerequisites for Developing Clients
31.4.2
Setup and Configuration
31.5
Working With Legacy Oracle Identity Manager APIs
31.5.1
Using a Result Set Object
31.5.2
Handling Oracle Identity Manager Exceptions
31.5.3
Cleaning Up
31.6
Code Sample
32
Using SPML Services
32.1
Introduction
32.1.1
About SPML Interactions
32.1.2
Integration Interface
32.2
Create Identity (SPML Core Service: addRequest)
32.3
Modify Users, Roles, Change Attributes and Role Memberships (SPML Core Service: modifyRequest)
32.4
Delete an Identity or Role (SPML Core Service: deleteRequest)
32.5
Check Request Status (SPML Core Service: statusRequest)
32.6
List Available Targets (SPML Core Service: listTargets)
32.7
Disable a User (SPML Suspend Service: suspendRequest)
32.8
Enable a User (SPML Suspend Service: resumeRequest)
32.9
Check if User is Active (SPML Suspend Service: activeRequest)
32.10
Validate a Username (SPML Username Service: validateUsername)
32.11
Obtain a Username (SPML Username: suggestUsername)
32.12
Reset Password (SPML Core Service: resetPasswordRequest)
32.13
Lookup Username Policy (SPML Username Service: lookupUsernamePolicy)
32.14
Cancel/Withdraw Request (SPML Async Service: cancelRequest)
32.15
Batch Request (SPML Batch Request Service: batchRequest)
32.16
Securing SPML Web Services
32.16.1
About Web Services Security
32.16.2
A Request Example
32.16.3
Applying Policies
32.17
Operations Not Supported
Part IX Utilities
33
MDS Utilities and User Modifiable Metadata Files
33.1
Setting up the Environment for MDS Utilities
33.2
Structure of Properties File
33.3
User Modifiable Metadata Files
33.4
Example of MDS Utility Usage
34
Using the Bulk Load Utility
34.1
Features of the Bulk Load Utility
34.2
Installing the Bulk Load Utility
34.2.1
Scripts That Constitute the Utility
34.2.2
Temporary Tables Used During a Bulk Load Operation
34.2.3
Options Offered by the Utility
34.3
Preparing Your Database for a Bulk Load Operation
34.3.1
Creating a Tablespace for Temporary Tables
34.3.2
Creating a Datafile in the Oracle Identity Manager Tablespace
34.4
Running the Utility
34.5
Loading OIM User Data
34.5.1
Setting a Default Password for OIM Users Added by the Utility
34.5.2
Creating the Input Source for the Bulk Load Operation
34.5.2.1
Using CSV Files As the Input Source
34.5.2.2
Creating Database Tables As the Input Source
34.5.3
Determining Values for the Input Parameters of the Utility
34.5.4
Monitoring the Progress of the Operation
34.5.5
Handling Exceptions Recorded During the Operation
34.5.6
Fixing Exceptions and Reloading Data Records
34.5.7
Verifying the Outcome of the Bulk Load Operation
34.6
Loading Account Data
34.6.1
Creating the Input Source for the Bulk Load Operation
34.6.1.1
Using CSV Files As the Input Source
34.6.1.2
Creating Database Tables As the Input Source
34.6.2
Determining Values for the Input Parameters of the Utility
34.6.3
Monitoring the Progress of the Operation
34.6.4
Handling Exceptions Recorded During the Operation
34.6.5
Fixing Exceptions and Reloading Data Records
34.6.6
Verifying the Outcome of the Bulk Load Operation
34.7
Loading Role, Role Hierarchy, Role Membership, and Role Category Data
34.7.1
Creating the Input Source for the Bulk Load Operation
34.7.1.1
Using CSV Files As the Input Source
34.7.1.2
Creating Database Tables As the Input Source
34.7.2
Determining Values for the Input Parameters of the Utility
34.7.3
Monitoring the Progress of the Operation
34.7.4
Handling Exceptions Recorded During the Operation
34.7.5
Fixing Exceptions and Reloading Data Records
34.7.6
Verifying the Outcome of the Bulk Load Operation
34.8
Data Recorded During the Operation
34.9
Gathering Performance Data from the Bulk Load Operation
34.10
Cleaning Up After a Bulk Load Operation
34.11
Generating an Audit Snapshot
35
Upload JAR and Resource Bundle Utilities
35.1
Upload JAR Utility
35.2
Download JAR Utility
35.3
Delete JAR Utility
35.4
Upload Resource Bundle Utility
35.5
Download Resource Bundle Utility
35.6
Delete Resource Bundle Utility
Part X Reporting
36
Configuring Reports
36.1
What is Oracle Identity Manager Reports?
36.2
What is Oracle BI Publisher?
36.3
Supported Products
36.4
Licensing
36.5
Prerequisites for Deploying Oracle Identity Manager Reports
36.5.1
Creating the Metadata Repository
36.5.2
Installing BI Publisher 11g (11.1.1.6)
36.6
Configuring Oracle Identity Manager Reports
36.6.1
Deploying Oracle Identity Manager Reports on BI Publisher 11g (11.1.1.6)
36.6.2
Configuring Data Sources for Running Oracle Identity Manager Reports
36.6.2.1
Configuring Oracle Identity Manager JDBC Connection
36.6.2.2
Configuring BPEL-Based JDBC Connection
36.7
Generating Oracle Identity Manager Reports
36.7.1
Generating Sample Reports Against the Sample Data Source
36.7.2
Generating Reports Against the Oracle Identity Manager JDBC Data Source
36.7.3
Generating Reports Against the BPEL-Based JDBC Data Source
37
Developing Entitlements
37.1
Available Entitlements and Assigned Entitlements
37.2
Entitlement Data Capture Process
37.2.1
Capture of Data About Available Entitlements
37.2.2
Capture of Data About Assigned Entitlements
37.3
Marking Entitlement Attributes on Child Process Forms
37.4
Configuring Scheduled Tasks for Working with Entitlement Data
37.4.1
Entitlement List
37.4.2
Entitlement Assignments
37.4.3
Entitlement Updates
37.5
Disabling the Capture of Modifications to Assigned Entitlements
37.6
Entitlement-Related Reports
37.6.1
Entitlement Access List
37.6.2
Entitlement Access List History
37.6.3
User Resource Entitlement
37.6.4
User Resource Entitlement History
Part XI Appendixes
A
Scheduled Task Configuration File
A.1
Structure of the Scheduler XML File
A.2
The scheduledTasks Element
A.3
The task Element
A.4
The name Element
A.5
The class Element
A.6
The description Element
A.7
The retry Element
A.8
The parameters Element
A.9
The string-param Element
A.10
The number-param Element
A.11
The boolean-param Element
B
SPML Attributes and LDAP Mappings, and Oracle Identity Manager Attributes
B.1
Identity PSO Attributes
B.1.1
Custom Identity Attributes
B.2
Role PSO Attributes
B.2.1
Custom Role Attributes
B.3
Preference Attributes
B.4
Special Character Restrictions in Oracle Identity Manager Attributes
B.4.1
Characters Available in All Attributes
B.4.2
Special Characters in the Password Field
B.4.3
Usage of Single Quotation Mark
B.4.4
Usage of Semicolon
B.4.5
Unsupported Special Characters
B.5
Operation Data
B.5.1
Passing Operation Data
B.5.2
Passing Reference Data
C
SPML Examples
C.1
SPML Example - Add User
C.2
SPML Example - Delete User
C.3
SPML Example - Modify User
C.4
SPML Example - Resume User
C.5
SPML Example - Suggest User Name
C.6
SPML Example - Suspend User
C.7
SPML Example - Validate User Name
C.8
SPML Example - Check If User is Active
C.9
SPML Example - Lookup Username Policy
C.10
SPML Example – Add User with Role Assignment
C.11
SPML Example - Assign Role Membership
C.12
SPML Example - Add User Request with Notification
C.13
SPML Example – Revoke Role Membership
C.14
SPML Example - Add Role
C.15
SPML Example - Add Role with Parent
C.16
SPML Example - Modify Role
C.17
SPML Example - Add Parent to a Role
C.18
SPML Example - Role Grant
C.19
SPML Example - Delete Role
C.20
SPML Example - Status Request
C.21
SPML Example - Reset Password
C.22
SPML Example - Reset Password with Notification
C.23
SPML Example - Lookup User Name Policy
C.24
SPML Example - Cancel Request
C.25
SPML Example - Batch Request
Index