Configure Settings for an Orchestrated System
With Oracle Access Governance, you can configure an orchestrated system by editing the integration settings, configuring notification settings, transforming inbound and outbound data for identity and account attributes, and applying matching or correlation rules to ensure integrated components work seamlessly together.
Modify Integration Settings for an Orchestrated System
You can configure the integration settings for your orchestrated system, using the Oracle Access Governance Console.
To update the integration details used by Oracle Access Governance to connect to an orchestrated system, perform the following tasks.
- From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
- Select one of the following to view the configuration of a specific orchestrated system:
- The orchestrated system link in the Name column.
- Manage connection from the navigation menu.
- From the Configurations section of the page, select Manage on the Integration settings tile. This will display the Integration settings page for your orchestrated system. The integration settings displayed are dependent on the type of orchestrated system you are updating.
- Update the integration settings as required, and click Save.
Modify Account Settings for an Orchestrated System
You can configure the account settings for your orchestrated system to send notifications to either User or User manager whenever a new account is created. You can also choose to either disable or delete the account whenever an identity moves within or leaves your enterprise.
To update the account details used by Oracle Access Governance to connect to an orchestrated system, perform the following tasks.
- From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
- Select one of the following to view the configuration of a specific orchestrated system:
- The orchestrated system link in the Name column.
- Manage integration from the navigation menu.
- From the Configurations section of the page, select Manage on the Account settings tile. This will display the Account settings page for your orchestrated system.
Enter details of how you would like to manage accounts with Oracle Access Governance when configured as a managed system:
Select where to send notification emails when an account is created. The default setting is User. You must select at least one of these options.
- User
- User manager
When an identity moves within your enterprise, for example when moving from one department to another, you may need to adjust what accounts the identity has access to. In some cases the identity will no longer require certain accounts which are not relevant to their new role in the enterprise. You can select what to do with the account when this happens. Select one of the following options:
- Disable
- Delete
When an identity leaves your enterprise you should remove access to their accounts. You can select what to do with the account when this happens. Select one of the following options:
- Disable: This sends an Update Account provisioning request to disable the accounts
- Delete: This sends a Revoke account provisioning request to delete the accounts
Note:
If you do not configure your system as a managed system then this step in the workflow will display but is not enabled. In this case you proceed directly to the Integration settings step of the workflow.
Note:
If your orchestrated system requires dynamic schema discovery, as with the Generic REST and Database Application Tables (Oracle) integrations, then only the notification email destination can be set (User, User Manager) when creating the orchestrated system. To update account settings for movers and leavers, you first need to create the orchestrated system, and then update the account settings.
If your orchestrated system is managing permissions then you can enable or disable Segregation of Duty violation checks. To do this select or unset the Enable Risk Management and Compliance (RMC) integration for separation of duties check checkbox.
- Update the account settings as required, and click Save.
Configure Data Load Schedule Settings for Orchestrated Systems
Set how often data should be loaded and updated in Oracle Access Governance from the orchestrated system. Schedule timing and frequency by choosing specific days, hours, or minutes.
Navigate to Data Load Settings
Select Frequency
Select Start Date
Add Primary and Additional Owners
You can associate resource ownership by adding primary and additional owners. This drives self-service as these owners can then manage (read, update or delete) the resources that they own. By default, the resource creator is designated as the resource owner. You can assign one primary owner and up to 20 additional owners for the resources.
Configure Identities or Email for Sending Orchestrated System Related Notifications
If an issue occurs in an orchestrated system during data load, you want to be notified in good time so that you can investigate and resolve the issue. To assist with this, you can configure identities or an external email address to receive notifications about your orchestrated system.
- From the Oracle Access Governance service home page, click the navigation menu icon and select Service Administration → Orchestrated Systems.
- Select the orchestrated system you want to configure notifications for.
- From the tiles in the Configuration section of the page, select Manage on the Notification settings tile.
- In the Which identities? field, use the drop-down list to select identities in your Oracle Access Governance instance to send orchestrated system-related notifications to. You can have multiple identities as required.
- In the Email field, add an email for any person external to your Oracle Access Governance instance (who does not have an identity in your system) who you would like to receive notifications. You can only add one external email address for orchestrated system-related notifications.
Match Identity and Account Attributes using Correlation Rules
Oracle Access Governance leverages correlation or matching rules to match the identity and account data and build a composite identity profile. To configure matching rules in Oracle Access Governance perform the following steps:
- From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
- Select one of the following to view the configuration of a specific orchestrated system:
- The connected system link in the Name column.
- Manage connection from the navigation menu.
- From the Configurations section of the page, select Manage on the Matching rules tile. This will display the Matching rules page for your orchestrated system.
- The tabs displayed depend on the configuration mode you selected when creating the orchestrated system, and on whether any unmatched accounts have been manually matched for this integration.
- If you selected This is the authoritative source for my identities. then the Identity matching tab is displayed to set the matching rule for incoming identities.
- If you selected I want to manage permissions for this system. then the Account matching tab is displayed to set the matching rule for incoming accounts.
- If you selected both This is the authoritative source for my identities. and I want to manage permissions for this system. then both tabs are displayed.
- If the orchestrated system selected has accounts which were unmatched, but have been manually matched, then the Manually matched accounts tab is displayed. You can unlink an account from the associated identity by selecting the Disconnect icon, or you can update the manual match by selecting the Edit icon.
- Select the tab you require to update identity matching rules or account matching rules.
- Select one of the following conditions:
- All: All rules must be matched in this case so order of the rules is not significant.
- Any: Any rule can, when met, produce a match. In this case order is significant as the matching rule will exit when a match is found. If you need to move a rule up the list you can select the menu for the rule, and select Move up.
- Add a rule by selecting an Equals or Not equals operator.
- Update the matching rules as required, and click Save.
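The All and Any conditions described above, modeled as an added example (not Oracle Access Governance code) to show how rule order under Any decides which identity an account is linked to. The attribute names, the sample data, and the handling of missing attributes and multiple hits are assumptions made for illustration.

```python
"""Conceptual model of All/Any matching rules (added example, not product code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    identity_attr: str   # hypothetical identity attribute name
    account_attr: str    # hypothetical account attribute name
    equals: bool = True  # True models "Equals", False models "Not equals"

    def holds(self, identity, account):
        left, right = identity.get(self.identity_attr), account.get(self.account_attr)
        if left is None or right is None:
            return False  # assumption: a missing attribute never satisfies a rule
        return (left == right) if self.equals else (left != right)


def correlate(account, identities, rules, condition="All"):
    """Return the ids of identities the account correlates to."""
    if condition == "All":  # every rule must hold, so rule order is irrelevant
        return [i["id"] for i in identities if all(r.holds(i, account) for r in rules)]
    for rule in rules:      # "Any": rules run in listed order, exit on the first match
        hits = [i["id"] for i in identities if rule.holds(i, account)]
        if hits:
            return hits
    return []


def classify(hits):
    """Zero hits is an unmatched account; more than one needs manual review."""
    return "unmatched" if not hits else "matched" if len(hits) == 1 else "ambiguous"


# Constructed sample data: the account's mail points at ID-1, its number at ID-2.
IDENTITIES = [
    {"id": "ID-1", "email": "a.ng@example.com", "employeeNumber": "1001"},
    {"id": "ID-2", "email": "b.ruiz@example.com", "employeeNumber": "1002"},
    {"id": "ID-3", "email": "c.li@example.com", "employeeNumber": "1003"},
]
ACCOUNT = {"name": "ang", "mail": "a.ng@example.com", "empNo": "1002"}
BY_EMAIL = Rule("email", "mail")
BY_EMPNO = Rule("employeeNumber", "empNo")
NOT_EMAIL = Rule("email", "mail", equals=False)

if __name__ == "__main__":
    for label, rules, cond in [("Any, email first", [BY_EMAIL, BY_EMPNO], "Any"),
                               ("Any, number first", [BY_EMPNO, BY_EMAIL], "Any"),
                               ("All", [BY_EMAIL, BY_EMPNO], "All"),
                               ("Any, Not equals only", [NOT_EMAIL], "Any")]:
        hits = correlate(ACCOUNT, IDENTITIES, rules, cond)
        print(f"{label}: {hits} -> {classify(hits)}")
```

In this model a lone Not equals rule links the account to every identity that differs on that attribute, so such a rule is best combined with an Equals rule under All.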
Apply Inbound Transformations for Identity and Account Attributes
To modify the incoming data ingested into Oracle Access Governance, you need to apply inbound data transformations. To do so, perform the following tasks:
- In the Oracle Access Governance Console, access the navigation menu by selecting the navigation menu icon. Select Service Administration → Orchestrated Systems.
- Select the orchestrated system from the list which you want to configure inbound data transformation rules for.
- Expand the Configurations drop-down menu and select the Manage button on the Inbound data transformations tile. The Inbound data transformations page displays a list of any rules that you have configured, and an option to add new attribute rules.
- To create an attribute rule for your orchestrated system, select the Add attribute rule button.
- In the Add attribute rule panel enter the following information to configure your rule.
- Which configuration mode?: Select one configuration mode, from the drop down list, that you want this attribute rule to apply to.
- Authoritative source: Authoritative Sources that contain identity data and its attributes.
- Managing permissions: Managed Systems containing account information and permissions.
- Which attribute?: Select the Oracle Access Governance attribute you want to apply the transformation to from the drop down list. The list of attributes available will depend on the orchestrated system type, and configuration mode you choose.
- Rule: Enter the rule you want to apply to this operation/attribute.
- Click the Validate button to check your rule. If the rule is valid then you will see a confirmation message and the rule will be marked as validated. If there is an issue with the rule, then you will see an error message and the rule will be marked as invalid. You cannot save your rule if it is marked as invalid.
- When your rule is valid click Add to save your configuration.
Apply Outbound Transformations for Identity Attributes
To modify the outgoing data provisioned in Oracle Access Governance, you need to apply outbound data transformations. To do so, perform the following tasks:
- In the Oracle Access Governance Console, access the navigation menu by selecting the navigation menu icon. Select Service Administration → Orchestrated Systems.
- Select the orchestrated system from the list for which you want to configure the outbound data transformation rules.
- Expand the Configurations drop-down menu and select the Manage button on the Outbound data transformations tile. The Outbound data transformations page displays a list of any rules that you have configured, and an option to create attribute rules.
- To create an attribute rule for your orchestrated system, select the Add attribute rule button.
- In the Add attribute rule panel enter the following information to configure your rule.
- Which operations: Select one or more of the operations from the drop down list that you want this attribute rule to apply to.
- Create Account
- Change Password
- Which attribute?: Select the attribute in the orchestrated system you want to apply the transformation to from the drop down list. The list of attributes available will depend on the orchestrated system type.
- Rule: Enter the rule you want to apply to this operation/attribute.
- Click the Validate button to check your rule. If the rule is valid then you will see a confirmation pop-up message and the rule will be marked as validated. If there is an issue with the rule, then you will see an error pop-up message and the rule will be marked as invalid. You cannot save your rule if it is marked as invalid.
- When your rule is valid click Add to save your configuration.