Configure Settings for an Orchestrated System

With Oracle Access Governance, you can configure an orchestrated system by editing the integration settings, configuring notification settings, transforming inbound and outbound data for identity and account attributes, and applying matching or correlation rules to ensure integrated components work seamlessly together.

Modify Integration Settings for an Orchestrated System

You can configure the integration settings for your orchestrated system, using the Oracle Access Governance Console.

To update the integration details used by Oracle Access Governance to connect to an orchestrated system, perform the following tasks.

  1. From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
  2. Select one of the following to view the configuration of a specific orchestrated system:
    • The orchestrated system link in the Name column.
    • Manage connection from the navigation menu.
    This displays the configuration page for the selected orchestrated system.
  3. From the Configurations section of the page, select Manage on the Integration settings tile. This will display the Integration settings page for your orchestrated system. The integration settings displayed are dependent on the type of orchestrated system you are updating.
  4. Update the integration settings as required, and click Save.

Modify Account Settings for an Orchestrated System

You can configure the account settings for your orchestrated system to send notifications to the User, the User manager, or both whenever a new account is created. You can also choose to either disable or delete the account whenever an identity moves within or leaves your enterprise.

To update the account details used by Oracle Access Governance to connect to an orchestrated system, perform the following tasks.

  1. From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
  2. Select one of the following to view the configuration of a specific orchestrated system:
    • The orchestrated system link in the Name column.
    • Manage integration from the navigation menu.
    This displays the configuration page for the selected orchestrated system.
  3. From the Configurations section of the page, select Manage on the Account settings tile. This will display the Account settings page for your orchestrated system.

    Enter details of how you would like to manage accounts with Oracle Access Governance when configured as a managed system:

    Select where to send notification emails when an account is created. The default setting is User. You must select at least one of these options.
    • User
    • User manager
    When an identity moves within your enterprise, for example when moving from one department to another, you may need to adjust what accounts the identity has access to. In some cases the identity will no longer require certain accounts which are not relevant to their new role in the enterprise. You can select what to do with the account when this happens. Select one of the following options:
    • Disable
    • Delete
    When an identity leaves your enterprise you should remove access to their accounts. You can select what to do with the account when this happens. Select one of the following options:
    • Disable: This sends an Update Account provisioning request to disable the accounts
    • Delete: This sends a Revoke account provisioning request to delete the accounts

    Note:

    If you do not configure your system as a managed system then this step in the workflow will display but is not enabled. In this case you proceed directly to the Integration settings step of the workflow.

    Note:

    If your orchestrated system requires dynamic schema discovery, as with the Generic REST and Database Application Tables (Oracle) integrations, then only the notification email destination can be set (User, User Manager) when creating the orchestrated system. To update account settings for movers and leavers, you first need to create the orchestrated system, and then update the account settings.

    If your orchestrated system is managing permissions then you can enable or disable Segregation of Duty violation checks. To do this select or unset the Enable Risk Management and Compliance (RMC) integration for separation of duties check checkbox.

  4. Update the account settings as required, and click Save.

Configure Data Load Schedule Settings for Orchestrated Systems

Set how often data should be loaded and updated in Oracle Access Governance from the orchestrated system. Schedule timing and frequency by choosing specific days, hours, or minutes.

You can configure the timing and frequency for all orchestrated systems except generic integration of Flat File and Oracle Cloud Infrastructure.
To configure data load settings:

Navigate to Data Load Settings

  1. From the Oracle Access Governance navigation menu icon, select Service Administration, and then Orchestrated Systems.
  2. For an orchestrated system, click the More Actions icon, and then select Manage Integrations.

Select Frequency

  1. In the Run every field, choose a number to specify how often the data load should occur.
  2. In the Frequency drop-down, select one:
    • Hours
    • Minutes
    • Days
    Limits have been applied to ensure reliable data is available and prevent outdated data. For example, the frequency cannot be less than 5 minutes.

Select Start Date

  1. In the Starting on field, select the date-time icon to specify when the data load should begin, and then click Done.
  2. Click Save. To save your settings for the orchestrated system, in the confirmation pop-up box, click Confirm.
If the previous data load takes longer to complete than the configured interval, the next scheduled load will be skipped. To avoid skipped syncs, ensure your settings allow enough time for each load to finish before the next one starts.
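The following added example (not Oracle code) replays a schedule against constructed load durations to show which scheduled loads are skipped and how long the data can go without a fresh load. The function names, the sample durations, and the skip model (a slot is skipped when the previous load has not finished by its due time) are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from itertools import cycle

MIN_INTERVAL = timedelta(minutes=5)   # the lower limit stated on this page

def simulate_loads(start, every, unit, durations_min, slots):
    """Replay `slots` scheduled data loads; return [(due_time, "run" | "skipped")].

    durations_min: constructed run times in minutes, reused cyclically.
    Assumption: a slot is skipped when the previous load is still running.
    """
    if unit not in ("minutes", "hours", "days"):
        raise ValueError("unit must be minutes, hours or days")
    interval = timedelta(**{unit: every})
    if interval < MIN_INTERVAL:
        raise ValueError("frequency cannot be less than 5 minutes")
    took = cycle(durations_min)
    busy_until, timeline = start, []
    for k in range(slots):
        due = start + k * interval
        if busy_until > due:
            # Previous load overran this slot, so nothing starts here.
            timeline.append((due, "skipped"))
        else:
            busy_until = due + timedelta(minutes=next(took))
            timeline.append((due, "run"))
    return timeline

def worst_gap(timeline):
    """Longest time between two loads that actually started."""
    runs = [t for t, state in timeline if state == "run"]
    return max((b - a for a, b in zip(runs, runs[1:])), default=timedelta(0))

if __name__ == "__main__":
    start = datetime(2025, 1, 6, 8, 0)   # constructed start time
    # Run every 15 minutes; the second load takes 20 minutes and overruns.
    timeline = simulate_loads(start, 15, "minutes", [10, 20, 10, 10], slots=5)
    for due, state in timeline:
        print(due.strftime("%H:%M"), state)
    print("worst gap between loads:", worst_gap(timeline))
```

Running it against durations taken from your own load history shows whether the chosen interval leaves enough headroom before you save the schedule.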

Add Primary and Additional Owners

You can associate resource ownership by adding primary and additional owners. This drives self-service as these owners can then manage (read, update or delete) the resources that they own. By default, the resource creator is designated as the resource owner. You can assign one primary owner and up to 20 additional owners for the resources.

No special application roles are necessary for assigning resource ownership. Any Oracle Access Governance active user can be assigned as the owner of the resources. All the owners can read, update, or delete the resources that they own. However, the Primary Owner is assigned as the access reviewer when you choose the Owner template in the approval workflow for performing Ownership reviews in Campaigns. For more information, refer to Types of Access Reviews Offered by Oracle Access Governance.
For assigning resource ownership, you must have active Oracle Access Governance users. When setting up the first Orchestrated System for your service instance, you can assign owners only after you enable the identities from the Manage Identities section.
  1. Select an Oracle Access Governance active user as the primary owner in the Who is the primary owner? field.
  2. Select one or more additional owners in the Who else owns it? list. You can add up to 20 additional owners for the resource.
    You can view the Primary Owner in the list. All the owners can view and manage the resources that they own.

Configure Identities or Email for Sending Orchestrated System Related Notifications

If an issue occurs in an orchestrated system during a data load, you want to be notified in good time so that you can investigate and resolve the issue. To assist with this, you can configure identities or an external email address to receive notifications regarding your orchestrated system.

To send orchestrated system-related notifications to your preferred identities or an external email address, you can configure Oracle Access Governance as required:
  1. From the Oracle Access Governance service home page click on the Navigation Menu icon, and select Service Administration → Orchestrated Systems.
  2. Select the orchestrated system you want to configure notifications for.
  3. From the tiles in the Configuration section of the page, select Manage on the Notification settings tile.
  4. In the Which identities? field, use the drop-down list to select identities in your Oracle Access Governance instance to send orchestrated system-related notifications to. You can have multiple identities as required.
  5. In the Email field, add an email for any person external to your Oracle Access Governance instance (who does not have an identity in your system) who you would like to receive notifications. You can only add one external email address for orchestrated system-related notifications.

Match Identity and Account Attributes using Correlation Rules

Oracle Access Governance leverages correlation or matching rules to match the identity and account data and build a composite identity profile. To configure matching rules in Oracle Access Governance perform the following steps:

  1. From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
  2. Select one of the following to view the configuration of a specific orchestrated system:
    • The connected system link in the Name column.
    • Manage connection from the navigation menu.
    This displays the configuration page for the selected orchestrated system.
  3. From the Configurations section of the page, select Manage on the Matching rules tile. This will display the Matching rules page for your orchestrated system.
  4. The tabs displayed depend on the configuration mode you selected when creating the orchestrated system, and by whether any unmatched accounts have been manually matched for this integration.
    • If you selected This is the authoritative source for my identities. then the Identity matching tab is displayed to set the matching rule for incoming identities.
    • If you selected I want to manage permissions for this system. then the Account matching tab is displayed to set the matching rule for incoming accounts.
    • If you selected both This is the authoritative source for my identities. and I want to manage permissions for this system. then both tabs are displayed.
    • If the orchestrated system selected has accounts which were unmatched, but have been manually matched, then the Manually matched accounts tab is displayed. You can unlink an account from the associated identity by selecting the Disconnect icon, or you can update the manual match by selecting the Edit icon.
  5. Select the tab you require to update identity matching rules or account matching rules.
  6. Select one of the following conditions:
    • All: All rules must be matched in this case so order of the rules is not significant.
    • Any: Any rule can, when met, produce a match. In this case order is significant as the matching rule will exit when a match is found. If you need to move a rule up the list you can select the Navigation menu for the rule, and select Move up.
  7. Add a rule by selecting an Equals or Not equals operator.
  8. Update the matching rules as required, and click Save.
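The All and Any conditions described above can be modelled offline to see how rule order changes which identity an account is linked to. This is an added example, not Oracle Access Governance code: the `Rule` and `correlate` names, the attribute names and the sample records are constructed, and treating an ambiguous rule (more than one candidate identity) as no match is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    account_attr: str
    op: str              # "equals" or "not_equals", the two operators on the page
    identity_attr: str

    def holds(self, account, identity):
        a, i = account.get(self.account_attr), identity.get(self.identity_attr)
        if a is None or i is None:       # assumption: a missing value never matches
            return False
        return (a == i) if self.op == "equals" else (a != i)

def correlate(account, identities, rules, condition):
    """Return (identity_id, index_of_deciding_rule) or (None, None) if unmatched."""
    if condition == "all":
        # Every rule must hold, so rule order cannot change the outcome.
        hits = [i for i in identities if all(r.holds(account, i) for r in rules)]
        return (hits[0]["id"], None) if len(hits) == 1 else (None, None)
    # "any": rules are tried in order and evaluation exits at the first match.
    for n, rule in enumerate(rules):
        hits = [i for i in identities if rule.holds(account, i)]
        if len(hits) == 1:               # assumption: ambiguous rules are passed over
            return hits[0]["id"], n
    return None, None

# Constructed sample data: two people whose login and mail values cross over.
IDENTITIES = [
    {"id": "id-1", "userName": "alee", "email": "a.lee@example.com", "dept": "ENG"},
    {"id": "id-2", "userName": "a.lee", "email": "alee@example.com", "dept": "ENG"},
]
ACCOUNT = {"login": "alee", "mail": "alee@example.com", "dept": "ENG"}
BY_LOGIN = Rule("login", "equals", "userName")
BY_MAIL = Rule("mail", "equals", "email")
BY_DEPT = Rule("dept", "equals", "dept")

if __name__ == "__main__":
    print(correlate(ACCOUNT, IDENTITIES, [BY_LOGIN, BY_MAIL], "any"))  # login rule first
    print(correlate(ACCOUNT, IDENTITIES, [BY_MAIL, BY_LOGIN], "any"))  # mail rule first
    print(correlate(ACCOUNT, IDENTITIES, [BY_LOGIN, BY_MAIL], "all"))  # stays unmatched
```

With Any, the same account resolves to a different identity depending on which rule comes first, so put the rule on the most reliable unique attribute at the top of the list.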

Apply Inbound Transformations for Identity and Account Attributes

To modify the incoming data ingested into Oracle Access Governance, you need to apply inbound data transformations. To do so, perform the following tasks:

  1. In the Oracle Access Governance Console, access the navigation menu by selecting the Navigation Menu icon. Select Service Administration → Orchestrated Systems.
  2. Select the orchestrated system from the list which you want to configure inbound data transformation rules for.
  3. Expand the Configurations drop-down menu and select the Manage button on the Inbound data transformations tile. The Inbound data transformations page displays a list of any rules that you have configured, and an option to add new attribute rules.
  4. To create an attribute rule for your orchestrated system, select the Add attribute rule button.
  5. In the Add attribute rule panel enter the following information to configure your rule.
    • Which configuration mode?: Select one configuration mode, from the drop down list, that you want this attribute rule to apply to.
      • Authoritative source: Authoritative Sources that contain identity data and its attributes.
      • Managing permissions: Managed Systems containing account information and permissions.
    • Which attribute?: Select the Oracle Access Governance attribute you want to apply the transformation to from the drop down list. The list of attributes available will depend on the orchestrated system type, and configuration mode you choose.
    • Rule: Enter the rule you want to apply to this operation/attribute.
    • Click the Validate button to check your rule. If the rule is valid then you will see a confirmation message and the rule will be marked as validated. If there is an issue with the rule, then you will see an error message and the rule will be marked as invalid. You cannot save your rule if it is marked as invalid.
    • When your rule is valid click Add to save your configuration.

Apply Outbound Transformations for Identity Attributes

To modify the outgoing data provisioned in Oracle Access Governance, you need to apply outbound data transformations. To do so, perform the following tasks:

  1. In the Oracle Access Governance Console, access the navigation menu by selecting the Navigation Menu icon. Select Service Administration → Orchestrated Systems.
  2. Select the orchestrated system from the list for which you want to configure the outbound data transformation rules.
  3. Expand the Configurations drop-down menu and select the Manage button on the Outbound data transformations tile. The Outbound data transformations page displays a list of any rules that you have configured, and an option to create attribute rules.
  4. To create an attribute rule for your orchestrated system, select the Add attribute rule button.
  5. In the Add attribute rule panel enter the following information to configure your rule.
    • Which operations: Select one or more of the operations from the drop down list that you want this attribute rule to apply to.
      • Create Account
      • Change Password
    • Which attribute?: Select the attribute in the orchestrated system you want to apply the transformation to from the drop down list. The list of attributes available will depend on the orchestrated system type.
    • Rule: Enter the rule you want to apply to this operation/attribute.
    • Click the Validate button to check your rule. If the rule is valid then you will see a confirmation pop-up message and the rule will be marked as validated. If there is an issue with the rule, then you will see an error pop-up message and the rule will be marked as invalid. You cannot save your rule if it is marked as invalid.
    • When your rule is valid click Add to save your configuration.