Access Governance Integration with Connected Systems
Connected Systems Overview
Oracle Access Governance can be integrated with target identity systems by defining a connected system.
A connected system allows you to load data from a remote target identity system into Oracle Access Governance. The connected system will define parameters such as connection details that are required to access remote identity data. Where a direct connection between Oracle Access Governance and the target identity system is not possible, an agent may be deployed to bridge between the two.

Integration Concepts
Identity Orchestration in Oracle Access Governance is made up of the following components:
- Connected System: A connected system is the footprint definition for a target identity system that can be integrated with and provide data to Oracle Access Governance. Once defined, the connected system enables integration and data synchronization between target identity systems and Oracle Access Governance, through either a direct connection or an agent.
  Note: A connected system contains the configuration (connection details, agent) to connect to one target system only. If an agent is required, the agent download only has the connection details for a single target system. If you want to connect to another target system (indirectly or directly), you must create another connected system.
- Oracle Access Governance Console: The Oracle Access Governance Console allows users with the Administrators application role to register the connected system, download the agent Docker image where connection to the target system is indirect, and configure and monitor the progress of the connected system in real time. The Oracle Access Governance Console also supports life cycle activity such as resetting the connected system status to trigger full or incremental synchronization, or disabling or enabling the connected system.
- Agent: The Oracle Access Governance agent is a Docker image-based agent, which allows Oracle Access Governance to synchronize continuously or periodically with target identity systems where a direct connection is not available. The agent runs scheduled distributed extract-transform-load (ETL) jobs to perform full or incremental synchronization of remote identity data, such as users, roles, application instances, entitlements, and entitlement assignments, to Oracle Access Governance. Once registered and installed, the agent can be monitored via the Oracle Access Governance Console. The agent runs in a Docker environment located at the customer. This environment should meet the following prerequisites:
- Installation of Docker or Podman
- Allow connection to the customer's target identity database
- Allow connection to the customer's Oracle Access Governance instance hosted in Oracle Cloud. If required, this connection can be made through a web proxy.
The agent uses the configuration entered in Oracle Access Governance to connect to the connected system. The agent extracts data from the connected system, transforms it, and then pushes it to Oracle Cloud Infrastructure Object Storage over HTTPS. Once transferred to object storage, the data is then picked up by the Oracle Access Governance ingestion service and is loaded into Oracle Access Governance for consumption. On completion of access review campaigns, any permissions that have been revoked in Oracle Access Governance will be remediated by raising a revoke operation in the connected system. This revoke request will be passed to the connected system via the agent.
Agents are applicable only in cases where a direct connection cannot be established with Oracle Access Governance. Typically, you will need an agent when integrating with the on-premises target systems. The Oracle Access Governance agent acts as an arbitrator supporting synchronization of identity data between target systems and Oracle Access Governance.
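A preflight check for the three agent-host prerequisites listed above, as an added example that is not part of Oracle's documentation or tooling. The function names are hypothetical, and the endpoints in the `__main__` block are placeholders to replace with your own target system and Oracle Access Governance instance.

```python
import shutil
import socket

def container_runtime(path=None):
    """Return 'docker' or 'podman' if one is installed on PATH, else None."""
    for name in ("docker", "podman"):
        if shutil.which(name, path=path):
            return name
    return None

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection from this host to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name did not resolve
        return False

def proxy_allows_connect(proxy, target, timeout=3.0):
    """True if the web proxy answers 200 to an HTTP CONNECT for target (host, port)."""
    host, port = target
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(request.encode("ascii"))
            status = s.recv(4096).split(b"\r\n", 1)[0].split()
            return len(status) >= 2 and status[1] == b"200"
    except OSError:
        return False

def preflight(target_db, oag, proxy=None, path=None):
    """Check the three agent-host prerequisites; returns {check_name: bool}."""
    if proxy:
        oag_ok = proxy_allows_connect(proxy, oag)
    else:
        oag_ok = tcp_reachable(*oag)
    return {
        "container_runtime": container_runtime(path) is not None,
        "target_reachable": tcp_reachable(*target_db),
        "oag_reachable": oag_ok,
    }

if __name__ == "__main__":
    # Placeholder endpoints (assumptions): substitute your own hosts and ports.
    results = preflight(("db.internal.example", 1521), ("oag.example.invalid", 443))
    for check, ok in results.items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Run it on the host that will run the agent, before downloading the agent image, so that a blocked route shows up as a failed check rather than as a stalled data load.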
Manage the Connected System
Connected systems can be created, configured, and managed from the Oracle Access Governance Console.
Create Connected Systems
You can connect to a number of target types, such as database, directory, cloud provider, and so on. Within each target type, a number of systems are available to connect with, as detailed in the table.
Table - Connected System Types/Systems
Type | System | Connection Type |
---|---|---|
Identity Governance System | Oracle Identity Governance | Indirect |
Cloud Service Provider | Oracle Cloud Infrastructure | Direct |
Directory | Oracle Internet Directory | Indirect |
Directory | Oracle Unified Directory | Indirect |
Directory | Microsoft Active Directory | Indirect |
Directory | Microsoft Azure Active Directory | Direct |
Oracle Application | Oracle E-Business Suite HRMS | Indirect |
Oracle Application | Oracle E-Business Suite User Management | Indirect |
Oracle Application | Oracle NetSuite | Direct |
Oracle Application | Eloqua | Direct |
Database Management System | Oracle DB | Indirect |
Database Management System | Microsoft SQL Server | Indirect |
Database Management System | MySQL | Indirect |
Database Management System | DB2 | Indirect |
Other | Flat File | Direct |

The connection details depend on the type of connected system. This article explains the Manage Connected System screen, and lists the general steps to manage the connected systems. Refer to documentation on integration with target systems to connect to a specific target system.
- Integrate with Oracle Identity Governance
- Integrate with Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM)
- Integrate with Database User Management (Oracle)
- Integrate with Database User Management (DB2)
- Integrate with Database User Management (MSSQL)
- Integrate with Database User Management (MySQL)
- Integrate with Oracle Unified Directory
- Integrate with Oracle Internet Directory
- Integrate with Active Directory
- Integrate with Microsoft Azure Active Directory
- Integrate with Oracle e-Business User Management (UM)
- Integrate with Oracle e-Business Employee Reconciliation (HRMS)
- Integrate with Oracle NetSuite
- Integrate with Eloqua
- Integrate with Flat File
Manage Connected Systems
In the Oracle Access Governance Console, from the navigation menu, select Service Administration → Connected Systems, and then select Add a connected system to add a new connected system, or select Service Administration → Connected Systems to manage the existing connected systems.

On the Manage Connected System screen, for each connected system, you can view a list of activities, their statuses, when they were initiated, total time taken to complete each activity, and name of the user who performed that activity. You can also initiate a data load, update connection settings, and disable the connected system.
- Data load: Initiates when a data load is run on demand by the Administrator, or when data is auto-synced as per the system settings. Currently, the data automatically refreshes after 24 hours from the previous data load activity.
- Full data load: Initiates when the data is synced for the first time after the new connection is established.
- Validate: Initiates when a new connection is established or when you update the connection settings.
- Revoke: Initiates when an access reviewer revokes one or more user privileges in the access review tasks. This activity occurs to support closed-loop access remediation.
- Schema discovery: Initiates when a new connection is established, or when you select the Fetch attributes button in the Identity Attributes page.
- Provisioning: Create Account, Update Account, Add Child Data, Remove Child Data.
Data Load
To initiate a data load from the target connected system instance, perform the following tasks.
- In the Oracle Access Governance Console, access the navigation menu by selecting the icon. Select Service Administration → Connected Systems.
- In the Connected Systems screen, select the Manage button for the Oracle Access Governance connected system you want to manage.
- Select the Load data now option from the Actions drop-down menu in the top right-hand corner. This will initiate a data load and you can track the status in the Activity Log.
Update Connection Details
To update the connection details used by the connected system to connect to the target identity system, perform the following tasks.
- In the Oracle Access Governance console, access the navigation menu by selecting the icon. Select Service Administration → Connected Systems.
- In the Connected Systems screen, select the Manage connection button for the connected system you want to update.
- Select the Change Settings option from the Actions drop-down menu in the top right-hand corner. Update connection settings and click Save.
Resource Manager for Governance Connected Systems
You can manage which resources are populated from governance connected systems, such as Oracle Identity Governance. A typical use case might be where you have identity data managed by Oracle Identity Governance, and you want to run in a hybrid fashion for a time as you migrate fully to the cloud environment. By default, all resources ingested from a target governance system will be available to Oracle Access Governance. As you add direct connections between Oracle Access Governance and target systems and resources, you can remove these from your governance connected system to avoid duplication of data. An example might be that you on-board identities from Oracle Unified Directory by populating Oracle Access Governance using the Oracle Identity Governance connected system. To migrate your Oracle Unified Directory identities to populate directly, you would set up the Oracle Unified Directory connected system in Oracle Access Governance. Once you have tested and implemented this direct configuration, you can disable the Oracle Unified Directory resource in the Oracle Identity Governance connected system. Any resources still enabled in the Oracle Identity Governance connected system will continue as before.
To manage resources:
- In the Oracle Access Governance console, access the navigation menu by selecting the icon. Select Service Administration → Connected Systems.
- In the Connected Systems page, click on the icon for the governance connected system you want to update, and select Manage connection from the drop-down list.
- On the Resources page, you can see a list of Connected resources and Disconnected resources.
- To disable a connected resource:
  - Select the Disconnect icon for the resource you want to disable.
  - A confirmation dialog displays, asking you if you are sure you want to disconnect the resource from the governance connected system.
    Note: All information related to the resource will be removed, and you cannot reconnect the resource once it is disconnected.
  - If you want to remove the resource, click Disconnect. If not, select No, keep connected.
  - If the resource is disconnected, it will now display in the Disconnected resources section.
Disable the Connected System
To disable the agent from running, perform the following tasks.
- In the Oracle Access Governance Console, access the navigation menu by selecting the icon. Select Service Administration → Connected Systems.
- In the Connected Systems screen, select the Manage button for the connected system you want to disable.
- Select the Disable button in the top right-hand corner. The agent will display a status of Disabled on the Connected Systems page.
Copyright © 2023, Oracle and/or its affiliates.