2 Product Architecture

This chapter provides an overview of Oracle Identity Manager product architecture. It consists of the following topics:

2.1 Oracle Identity Manager Components

Oracle Identity Manager is a J2EE web application. The J2EE platform consists of a set of industry-standard services, APIs, and protocols that provide the functionality for developing multi-tiered and web-based enterprise applications.

Figure 2-1 shows the various components of Oracle Identity Manager.

Figure 2-1 Oracle Identity Manager Components


2.2 Multi-tiered Architecture

The system architecture of Oracle Identity Manager is distributed across logical tiers, as described in the following sections:

2.2.1 Understanding the User Interface Tier

The user interface tier (or user tier) consists of the administrators and end users who interact with Oracle Identity Manager through one of its user interfaces. The main user interface is web-based and communicates with Oracle Identity Manager over HTTP or HTTPS. There are two browser-based UIs: the end-user-facing Oracle Identity Self Service and the administrator-facing Oracle Identity System Administration. Both are developed by using the Oracle Application Development Framework (ADF).

Identity Self Service can be customized through the web browser by system administrators, who can add links, add business logic to show or hide form fields, extend shipped forms, and perform several other common UI customization tasks. Administrators perform UI customization tasks in UI sandboxes, which can be exported and imported into higher environments. The use of Oracle ADF and the UI customization framework allows administrators to customize Identity Self Service in an upgrade-safe manner.

Identity System Administration allows administrators to perform typical system administration functions including scheduling jobs, onboarding applications, and managing schemas. This UI is not customizable.

Developers can use the Design Console to create provisioning workflows and Oracle JDeveloper to create BPEL workflows for manual fulfillment, approval, identity certification, and identity audit.

2.2.2 Understanding the Application Tier

Oracle Identity Manager Server is a J2EE application deployed on Oracle WebLogic Server. The server consists of the Identity Self Service and Identity System Administration web applications, the SPML (XSD) and REST services, and the EJBs and related Java classes that provide the core functionality. Connectors, which interact with other IT systems, are deployed on the Oracle Identity Manager Server.

Note:

Oracle recommends that you use REST services instead of SPML.

The server comprises the following functional components:

  • Identity administration

    This includes self-registration, lost password and forgotten user ID, user, role, and organization management, and password management.

    The user management engine allows administrators to manage users, reset their passwords, and grant, revoke, or modify access. When integrated with Oracle Access Manager (OAM), changes in the user profile are synchronized with the LDAP directory used by OAM through a feature called LDAP synchronization.

    The role management engine allows business users and administrators to create static and dynamic roles, associate access via access policies, and make the role available to various organizations. These operations can go through approval. After approval, the changes are committed to the Oracle Identity Manager repository. This feature is known as role lifecycle management.

    The organization management engine allows administrators to create and manage static or rule-based dynamic organizations. Administrators can define password policies and associate them with organizations, which allows different user communities to have different password policies.

  • Authorization

    The authorization engine in Oracle Identity Manager allows granular delegated administration by allowing administrators to define admin roles and associate them with functional capabilities. The authorization engine enforces the policies, which in turn leverage the admin role memberships of the user. Administrators can also define attribute-level permissions for users and specify who can see and modify user attributes.

  • Provisioning and reconciliation

    Oracle Identity Manager provides a highly scalable provisioning engine that provides account management and account password management capabilities. Oracle Identity Manager allows administrators to manage accounts and grant, revoke, or modify additional access (entitlements). Administrators and end users can also reset account passwords, or configure Oracle Identity Manager so that the user password is synchronized with the accounts provisioned to that user. The provisioning engine supports two types of provisioning: connected provisioning, which uses connectors, and disconnected provisioning (or manual fulfillment), in which a user must carry out the change by hand.

    The reconciliation engine allows changes in target applications to be detected and synchronized with Oracle Identity Manager. It can retrieve changes from an authoritative source or from a target resource. In the former scenario, changes are synchronized with the user, while in the latter, with the account.

  • Access request and approvals

    The request engine allows end-users to submit requests for new and modified access, either for themselves or for others. They can use the access catalog to search and browse in a manner similar to online shopping and submit their requests. The requests are routed to the appropriate approvers and fulfilled either in an automated manner by using connectors, or manually by using disconnected provisioning.

  • Identity certification

    The identity certification engine allows administrators to define certification campaigns. These campaigns allow managers and authorized users to review and certify the access granted to users. They can delegate the certification of certain users to others or process those users themselves. They can reject a user's access, which can trigger a provisioning action to revoke the access. This is called closed-loop remediation.

  • Identity audit or Segregation of Duties (SoD)

    The SoD engine allows administrators to define rules and group them into policies. These rules and policies, known as identity audit rules and policies, allow Oracle Identity Manager to detect access that violates compliance rules. Administrators can specify which policies should be enforced during access request, while allowing other policies to be enforced retroactively. When a policy violation is found, the engine assigns the violation to a user for remediation.

  • Auditing

    The auditing engine audits (or logs) various actions in Oracle Identity Manager. Administrators can also add custom audit events. The audit data can be reported on using the reporting capabilities of Oracle Identity Manager.

  • Embedded reporting server

    The embedded reporting server, based on Oracle BI Publisher, provides operational and historical reports. Administrators can also use standalone BI Publisher or use the schema information to create reports using any other reporting tool.

  • BPEL workflow engine

    Oracle Identity Manager uses BPEL to provide workflow orchestration for approval, manual fulfillment, identity certification, and identity audit. Administrators or developers can define BPEL workflows or SOA composites and use workflow rules to dynamically invoke these workflows. BPEL provides data-driven approver resolution, task expiration and escalation, and email-based actionable notifications. Oracle JDeveloper can be used to create new workflows and register them in Oracle Identity Manager.
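The reconciliation engine described above distinguishes two event paths: changes retrieved from an authoritative source are applied to the user record, while changes retrieved from a target resource are applied to the account linked to that user. The following is an added example, not Oracle Identity Manager code, that models those two paths in Python. The repository classes, the matching rule (account identifier lower-cased equals user login), the orphan-account handling, and the sample events are all constructed for illustration.

```python
# Added example (not Oracle Identity Manager code): a toy model of the two
# reconciliation paths described above. Events from an AUTHORITATIVE source
# (an HR system, say) update the user record; events from a TARGET resource
# update the account record linked to that user. The data structures, the
# matching rule (account_id lower-cased == user_login) and the sample events
# are all constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Account:
    resource: str
    account_id: str
    entitlements: set


@dataclass
class User:
    user_login: str
    email: str
    status: str = "Active"
    accounts: dict = field(default_factory=dict)  # resource name -> Account


class Repository:
    """Minimal stand-in for the identity repository (constructed)."""

    def __init__(self):
        self.users = {}    # user_login -> User
        self.orphans = []  # target accounts that matched no user

    def process(self, event):
        if event["source"] == "authoritative":
            return self.reconcile_authoritative(event)
        if event["source"] == "target":
            return self.reconcile_target(event)
        raise ValueError("unknown event source: %r" % event["source"])

    def reconcile_authoritative(self, event):
        """Authoritative source: create or update the identity itself."""
        login = event["user_login"]
        user = self.users.get(login)
        if user is None:
            self.users[login] = User(user_login=login, email=event["email"])
            return {"action": "created", "user": login}
        changed = []
        for attr in ("email", "status"):
            if attr in event and getattr(user, attr) != event[attr]:
                setattr(user, attr, event[attr])
                changed.append(attr)
        if not changed:
            return {"action": "unchanged", "user": login}
        return {"action": "updated", "user": login, "changed": changed}

    def reconcile_target(self, event):
        """Target resource: link the account to its owner and sync entitlements."""
        resource, account_id = event["resource"], event["account_id"]
        user = self.users.get(account_id.lower())  # constructed matching rule
        if user is None:
            self.orphans.append((resource, account_id))
            return {"action": "orphan", "resource": resource, "account_id": account_id}
        seen = set(event["entitlements"])
        account = user.accounts.get(resource)
        if account is None:
            user.accounts[resource] = Account(resource, account_id, seen)
            return {"action": "linked", "user": user.user_login, "resource": resource}
        granted = sorted(seen - account.entitlements)
        revoked = sorted(account.entitlements - seen)
        account.entitlements = seen
        return {"action": "updated", "user": user.user_login, "resource": resource,
                "granted": granted, "revoked": revoked}


# Constructed sample events: two HR records, an AD account that later gains
# "Domain Admins" outside the provisioning flow, an account owned by nobody,
# and an HR status change.
SAMPLE_EVENTS = [
    {"source": "authoritative", "user_login": "jdoe", "email": "jdoe@example.com"},
    {"source": "authoritative", "user_login": "asmith", "email": "asmith@example.com"},
    {"source": "target", "resource": "AD", "account_id": "JDOE",
     "entitlements": {"Domain Users", "VPN Users"}},
    {"source": "target", "resource": "AD", "account_id": "JDOE",
     "entitlements": {"Domain Users", "Domain Admins"}},
    {"source": "target", "resource": "AD", "account_id": "SVC_BACKUP",
     "entitlements": {"Backup Operators"}},
    {"source": "authoritative", "user_login": "asmith", "status": "Disabled"},
]


def run(events):
    """Feed the events through a fresh repository; return it and the per-event results."""
    repo = Repository()
    return repo, [repo.process(e) for e in events]


if __name__ == "__main__":
    repo, results = run(SAMPLE_EVENTS)
    for r in results:
        print(r)
    print("orphan accounts:", repo.orphans)
```

Two of the results are the ones a defender cares about: the second AD event reports "Domain Admins" as granted without any corresponding provisioning request, which is exactly the kind of out-of-band change that reconciliation exists to surface, and the SVC_BACKUP account lands in the orphan list because no identity owns it. Both are natural inputs to alerting and to the certification campaigns described under identity certification.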
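The identity audit (SoD) description above has three moving parts: rules grouped into policies, a choice per policy between enforcement at access-request time and retroactive enforcement, and assignment of each detected violation to someone for remediation. The following is an added example, not Oracle Identity Manager code, that models that flow in Python. The rule shape (a set of entitlements that must not be held together), the policy and violation records, the decision to scan every policy retroactively, and all users and entitlement names are constructed assumptions.

```python
# Added example (not Oracle Identity Manager code): a toy model of the identity
# audit / SoD engine described above. Rules are grouped into policies; a policy
# flagged preventive is enforced when access is requested, the others are
# enforced retroactively by a detective scan over existing access, and every
# violation found is assigned to a remediator. Rules, policies, users and
# entitlement names are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    conflicting: frozenset  # holding ALL of these entitlements violates the rule


@dataclass
class Policy:
    name: str
    rules: list             # of Rule
    preventive: bool        # True: checked at request time; False: detective only
    remediator: str         # who gets assigned violations of this policy


@dataclass
class Violation:
    policy: str
    rule: str
    user: str
    assigned_to: str
    status: str = "Open"


def violated_rules(policy, entitlements):
    """Rules of `policy` whose full conflicting set is contained in `entitlements`."""
    return [r for r in policy.rules if r.conflicting <= entitlements]


def check_request(policies, current, requested):
    """Preventive enforcement: return the (policy, rule) pairs that the request
    would newly violate. Violations that already exist in `current` are not
    attributed to this request; the detective scan picks those up."""
    proposed = set(current) | set(requested)
    hits = []
    for p in policies:
        if not p.preventive:
            continue
        for r in violated_rules(p, proposed):
            if not r.conflicting <= set(current):
                hits.append((p.name, r.name))
    return hits


def detective_scan(policies, users):
    """Retroactive enforcement over existing access (assumption: every policy,
    preventive or not, is scanned, since access may predate the policy)."""
    violations = []
    for login, entitlements in users.items():
        for p in policies:
            for r in violated_rules(p, set(entitlements)):
                violations.append(Violation(p.name, r.name, login, p.remediator))
    return violations


# Constructed sample data.
POLICIES = [
    Policy("Finance SoD",
           [Rule("create-vendor-and-pay",
                 frozenset({"AP:Create Vendor", "AP:Approve Payment"}))],
           preventive=True, remediator="finance-compliance"),
    Policy("Change Management",
           [Rule("merge-and-deploy", frozenset({"Git:Merge", "Prod:Deploy"}))],
           preventive=False, remediator="it-security"),
]
USERS = {
    "alice": {"AP:Create Vendor"},
    "bob": {"Git:Merge", "Prod:Deploy"},
    "carol": {"AP:Create Vendor", "AP:Approve Payment"},
}


if __name__ == "__main__":
    print(check_request(POLICIES, USERS["alice"], {"AP:Approve Payment"}))
    for v in detective_scan(POLICIES, USERS):
        print(v)
```

With this data, a request by alice for "AP:Approve Payment" is blocked by the preventive Finance SoD policy, while a request for both change-management entitlements goes through and is only caught later by the detective scan, which is the trade-off an administrator makes when choosing which policies to enforce at request time. The scan also reports carol, whose conflicting access already exists, and assigns each violation to the policy's remediator with an Open status.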

2.2.3 Understanding the Database Tier

Oracle Identity Manager stores all its information in the Oracle Identity Manager repository. The repository consists of tables that store the configuration, state, and other data. Oracle Identity Manager keeps a copy of the account and entitlement data that is provisioned to each user, allowing it to be the source of truth for identity and account data.

Oracle Identity Manager also makes use of other schemas to store metadata about the workflows, approvals, configuration, and authorization policies.

Because Oracle Identity Manager can accumulate state data, it provides archival and purge utilities to manage data growth. Administrators must follow the product recommendations to manage data growth for optimal performance.

2.2.4 Understanding the Connector Tier

The connector tier consists of the applications and IT systems to which you provision and deprovision user accounts, change account passwords, and grant or revoke entitlements. It includes the Connector Server, a lightweight application that allows Oracle Identity Manager to manage applications that do not provide remote APIs or that require native integration.

Oracle Identity Manager connectors are typically developed by using the Identity Connector Framework and are deployed with the Oracle Identity Manager Server. Where a Connector Server is required, they are deployed on the Connector Server instead.

You can create your own connectors by using the Identity Connector Framework, a lightweight and easy to use framework for developing connectors.