Table of Contents
- List of Figures
- List of Tables
- Title and Copyright Information
- Preface
- What's New In This Guide
- Updates in April 2021 Documentation Refresh for 12c (12.2.1.3.0)
- Updates in January 2021 Documentation Refresh for 12c (12.2.1.3.0)
- Updates in July 2020 Documentation Refresh for 12c (12.2.1.3.0)
- Updates in October 2019 Documentation Refresh for 12c (12.2.1.3.0)
- Updates in October 2018 Documentation Refresh for 12c (12.2.1.3.0)
- Updates in July 2018 Documentation Refresh for 12c (12.2.1.3.0)
- Updates in April 2018 Documentation Refresh for 12c (12.2.1.3.0)
- Updates in January 2018 Documentation Refresh for 12c (12.2.1.3.0)
- Updates in December 2017 Documentation Refresh for 12c (12.2.1.3.0)
- Updates in November 2017 Documentation Refresh for 12c (12.2.1.3.0)
- Updates in September 2017 Documentation Refresh for 12c (12.2.1.3.0)
- New and Changed Features for 12c (12.2.1.3.0)
- Other Significant Changes in this Document for 12c (12.2.1.3.0)
- Part I Overview
- 1 Product Overview for Oracle Identity Governance
- 1.1 What is Oracle Identity Governance?
- 1.2 What are the Different Modes of Oracle Identity Governance?
- 1.3 How does Oracle Identity Governance Interact with Other IT Systems?
- 1.4 How does Oracle Identity Governance Interact with Other Oracle Identity and Access Management Products?
- 1.5 How do Users Interact with Oracle Identity Governance?
- 2 Product Architecture of Oracle Identity Governance
- 3 Oracle Identity System Administration Interface
- 3.1 Logging in to Oracle Identity System Administration
- 3.2 Oracle Identity System Administration
- Part II Policy Administration
- 4 Managing Workflows
- 4.1 Understanding Workflow Rules
- 4.2 Configuring Approval Workflow Rules
- 4.2.1 About Approval Workflow Rules
- 4.2.2 About Rule Conditions
- 4.2.3 About System-Defined Operations and Rules
- 4.2.4 Creating Approval Workflow Rules
- 4.2.5 About Custom Rule Conditions
- 4.2.6 Modifying Approval Workflow Rules
- 4.2.7 Deleting Approval Workflow Rules
- 4.2.8 About Approval Workflow Rule Evaluation
- 4.3 Managing Request Approval in an Upgraded Deployment of Oracle Identity Governance
- 4.4 Migrating Workflow Rules From Test to Production
- 4.5 Running Oracle Identity Governance Without Workflows
- 4.6 Use Cases for Disabled or Deleted Proxy Users
- Part III Form Management
- Part IV System Entities
- 6 Configuring Custom Attributes
- 6.1 Creating a Custom Attribute
- 6.2 Creating a Custom Child Form
- 6.3 Creating a Custom Child Form Attribute
- 6.4 Modifying a Custom Attribute
- 6.5 Adding a Custom Attribute
- 6.6 Adding a Custom Attribute to an Application Instance Form
- 6.7 Moving UDFs from Test to Production
- 6.8 Synchronizing User-Defined Fields Between Oracle Identity Governance and LDAP
- 6.9 Creating Cascaded LOVs
- 6.10 Specifying Cascaded LOVs Without NULL Value
- 6.11 Localizing Display Labels of UDFs
- 6.12 Configuring a Field as Mandatory Attribute in the Request Catalog
- Part V Application Management
- 7 Managing IT Resources
- 8 Managing Generic Connectors
- 8.1 Creating Generic Technology Connectors
- 8.1.1 Determining Provider Requirements for Creating Generic Technology Connectors
- 8.1.2 Selecting the Providers for Creating Generic Technology Connectors
- 8.1.3 Addressing the Prerequisites for Creating Generic Technology Connectors
- 8.1.4 Creating the Connector Using Identity System Administration
- 8.1.5 Configuring Reconciliation
- 8.1.6 Configuring Provisioning
- 8.1.7 Creating the Form and Publishing the Application Instance
- 8.1.8 Enabling Log for the Generic Technology Connector
- 8.2 Using Identity System Administration to Create the Connector
- 8.2.1 Providing Basic Information for Generic Technology Connector
- 8.2.2 Specifying Parameter Values for the Providers
- 8.2.3 Modifying Connector Configuration
- 8.2.3.1 About Metadata for Generic Technology Connector
- 8.2.3.2 Data Set for Generic Technology Connectors
- 8.2.3.3 Mapping Parameters for Data Sets
- 8.2.3.4 About Adding or Editing Fields in Data Sets
- 8.2.3.5 Adding or Editing Fields in Data Sets
- 8.2.3.6 Removing Fields from Data Sets
- 8.2.3.7 Removing Mappings Between Fields
- 8.2.3.8 Removing Child Data Sets
- 8.2.4 Verifying Connector Form Names
- 8.2.5 Verifying Connector Information
- 8.3 Managing Generic Technology Connectors
- 9 Managing Application Instances
- 9.1 About Application Instances
- 9.2 Application Instance Concepts
- 9.3 Managing Application Instances
- 9.3.1 Creating Application Instances
- 9.3.2 Searching Application Instances
- 9.3.3 Modifying Application Instances
- 9.3.4 Understanding the Deletion of Application Instances
- 9.3.5 Creating and Modifying Forms Associated With the Application Instances
- 9.4 Configuring Application Instances
- 9.5 Developing Entitlements
- 9.5.1 About Entitlements
- 9.5.2 Available Entitlements and Assigned Entitlements
- 9.5.3 Entitlement Data Capture Process
- 9.5.4 Marking Entitlement Attributes on Child Process Forms
- 9.5.5 Duplicate Validation for Entitlements or Child Data
- 9.5.6 Configuring Scheduled Tasks for Working with Entitlement Data
- 9.5.7 Deleting Entitlements
- 9.5.8 Refreshing the Entitlement List Post Delete for New Entries
- 9.5.9 Disabling the Capture of Modifications to Assigned Entitlements
- 9.5.10 Entitlement-Related Reports
- 9.6 Managing Disconnected Resources
- 9.6.1 About Disconnected Resources
- 9.6.2 Disconnected Resources Architecture
- 9.6.3 Managing Disconnected Application Instance
- 9.6.4 Provisioning Operations on a Disconnected Application Instance
- 9.6.5 Configuring Entitlement Grant
- 9.6.6 Status Changes in Manual Process Task Action
- 9.6.7 Customizing Provisioning SOA Composite
- 9.6.8 Troubleshooting Disconnected Resources
- 10 Managing Connector Lifecycle
- 10.1 Lifecycle of a Connector
- 10.2 Change Management Terminology
- 10.3 Viewing Connector Details
- 10.4 Installing Connectors
- 10.5 Defining Connectors With Oracle Identity Governance
- 10.6 Cloning Connectors
- 10.7 Exporting Connector Object Definitions in Connector XML Format
- 10.8 Upgrading Connectors
- 10.8.1 About Upgrading Connectors
- 10.8.2 Upgrade Use Cases Supported by the Connector Upgrade Feature
- 10.8.3 Connector Object Changes Supported by the Upgrade Connectors Feature
- 10.8.3.1 Resource Object Changes
- 10.8.3.2 Process Definition Changes
- 10.8.3.3 Resource Bundle Changes
- 10.8.3.4 Process Form Changes
- 10.8.3.5 Lookup Definition Changes
- 10.8.3.6 Adapter Changes
- 10.8.3.7 Rule Changes
- 10.8.3.8 IT Resource Type Changes
- 10.8.3.9 IT Resource Changes
- 10.8.3.10 Scheduled Task Changes
- 10.8.4 What Happens When You Upgrade a Connector
- 10.8.5 Summary of the Upgrade Procedure
- 10.8.6 Procedure to Upgrade a Connector
- 10.8.7 Postupgrade Procedure
- 10.8.7.1 Connector Code File Changes
- 10.8.7.2 Running the PurgeCache Utility
- 10.8.7.3 Running cancelProcessTask Utility
- 10.8.7.4 Updating Access Policies
- 10.8.7.5 Configuring the IT Resource
- 10.8.7.6 Configuring the Scheduled Tasks
- 10.8.7.7 Updating Adapters for Changes in IT Resource Type Definition Parameter
- 10.8.7.8 Other Postupgrade Steps
- 10.8.8 Procedure to Upgrade a 9.x Connector Version to an ICF Based Connector
- 10.9 Uninstalling Connectors
- 10.9.1 About Uninstalling Connectors Utility
- 10.9.2 Use Cases Supported by the Uninstall Connectors Utility
- 10.9.3 Overview of the Connector Uninstall Process
- 10.9.4 Setting Up the Uninstall Connector Utility
- 10.9.5 Uninstalling Connectors and Removing Connector Objects
- 10.9.6 Running the Script to Uninstall Connectors and Connector Objects
- 10.10 Troubleshooting Connector Management Issues
- 11 Managing Reconciliation
- 11.1 About Reconciliation
- 11.2 Reconciliation Based on the Object Being Reconciled
- 11.3 Mode of Reconciliation
- 11.4 Approach Used for Reconciliation
- 11.5 Managing Reconciliation Events
- Part VI Requests
- 12 Managing the Access Request Catalog
- 12.1 Access Request Catalog
- 12.2 Configuring the Access Request Catalog
- 12.3 Administering the Access Request Catalog
- 12.3.1 Prerequisites of Catalog Administration
- 12.3.2 Common Tasks to be Performed by the Catalog Administrator
- 12.3.3 Catalog Auditing
- 12.3.4 Configuring Hierarchical Attributes of Entitlements
- 12.3.5 Database Best Practices for Access Request Catalog
- 12.4 Managing the Lifecycle of the Catalog
- 12.4.1 Overview of Catalog Customization
- 12.4.2 Test to Production Procedures for Catalog Customizations
- 12.4.3 Limitations of the Test to Production Procedures
- 12.5 Troubleshooting Access Request Catalog
- Part VII System Configuration
- 13 Managing the Home Organization Policy
- 14 Managing Self Service Capability Policy
- 14.1 About Self Service Capability Rule
- 14.2 Default Self Service Capability Rule
- 14.3 Example of Self Service Capability Rules and Rule Evaluation Order
- 14.4 Creating a Rule in Self Service Capability Policy
- 14.5 Modifying a Rule in Self Service Capability Policy
- 14.6 Deleting a Rule in Self Service Capability Policy
- 15 Managing Lookups
- 16 Managing Role Categories
- 17 Managing the Scheduler
- 17.1 About Scheduler
- 17.2 Configuring the oim-config.xml File
- 17.3 Start and Stop the Scheduler
- 17.4 Scheduled Tasks
- 17.5 Managing Jobs
- 17.6 Diagnosing Scheduled Jobs
- 18 Managing Notification Service
- 18.1 About Notification Providers
- 18.2 Managing Notification Providers
- 18.2.1 Using UMS for Notification
- 18.2.2 Using SMTP for Notification
- 18.2.3 Using SOA Composite for Notification
- 18.2.4 Configuring Custom Notification Provider
- 18.2.5 Disabling and Enabling Notification Providers
- 18.3 Managing Notification Templates
- 18.3.1 Default Notification Template
- 18.3.2 Searching for a Notification Template
- 18.3.3 Creating a Notification Template
- 18.3.4 Modifying a Notification Template
- 18.3.5 Disabling a Notification Template
- 18.3.6 Enabling a Notification Template
- 18.3.7 Adding Locales to a Notification Template
- 18.3.8 Removing Locales from a Notification Template
- 18.3.9 Deleting a Notification Template
- 18.3.10 Configuring Notification for a Proxy
- 18.4 Configuring Email in Provisioning Workflow
- 18.5 Configuring SOA Email Notification
- 18.6 Disabling Oracle Identity Governance Email Notifications
- 18.7 Troubleshooting Notification
- 19 Configuring Oracle Identity Governance
- 20 Moving From Test to Production
- 20.1 About Test to Production Migration
- 20.2 Migrating Incrementally Using the Deployment Manager
- 20.2.1 About the Deployment Manager
- 20.2.2 Features of the Deployment Manager
- 20.2.3 Enabling Deployment Manager in SSL Mode
- 20.2.4 About Exporting Deployments
- 20.2.5 Exporting Deployments
- 20.2.6 About Importing Deployments
- 20.2.7 Importing Deployments
- 20.2.8 Best Practices for Using the Deployment Manager
- 20.2.8.1 Do Not Export System Objects
- 20.2.8.2 Exporting Related Groups of Objects
- 20.2.8.3 Using Logical Naming Conventions for Versions of a Form
- 20.2.8.4 Exporting Root to Preserve a Complete Organizational Hierarchy
- 20.2.8.5 Providing Clear Export Descriptions
- 20.2.8.6 Checking Dependencies Before Exporting Data
- 20.2.8.7 Matching Scheduled Task Parameters
- 20.2.8.8 Deployment Manager Actions on Reimported Scheduled Tasks
- 20.2.8.9 Compiling Adapters and Enable Scheduled Tasks
- 20.2.8.10 Checking Permissions for Roles
- 20.2.8.11 Creating a Backup of the Database
- 20.2.8.12 Importing Data When the System Is Quiet
- 20.2.8.13 Exporting and Importing Data in Bulk
- 20.2.8.14 Exporting Entity Publications
- 20.2.9 Troubleshooting the Deployment Manager
- 21 Migrating Application and Database Binaries
- Part VIII Auditing and Reporting
- 22 Configuring Auditing
- 22.1 About Auditing
- 22.2 User Profile Auditing
- 22.3 Role Profile Auditing
- 22.4 Catalog Auditing
- 22.5 Enabling and Disabling Auditing in Oracle Identity Governance
- 22.6 Lightweight Audit
- 23 Using Reporting Features
- 23.1 About Reporting in Oracle Identity Governance
- 23.2 Supported Output Formats for Reports
- 23.3 Classification of Oracle Identity Governance Reports
- 23.3.1 Access Policy Reports
- 23.3.2 Request and Approval Reports
- 23.3.3 Role and Organization Reports
- 23.3.4 Password Reports
- 23.3.5 Resource and Entitlement Reports
- 23.3.5.1 Account Activity In Resource
- 23.3.5.2 Delegated Admins and Permissions by Resource
- 23.3.5.3 Delegated Admins by Resource
- 23.3.5.4 Entitlement Access List
- 23.3.5.5 Entitlement Access List History
- 23.3.5.6 Financially Significant Resource Details
- 23.3.5.7 Resource Access List History
- 23.3.5.8 Resource Access List
- 23.3.5.9 Resource Account Summary
- 23.3.5.10 Resource Activity Summary
- 23.3.5.11 User Resource Access History
- 23.3.5.12 User Resource Access
- 23.3.5.13 User Resource Entitlement
- 23.3.5.14 User Resource Entitlement History
- 23.3.6 User Reports
- 23.3.7 Certification Reports
- 23.3.8 Identity Audit Reports
- 23.3.9 Exception Reports
- 23.4 Required Scheduled Tasks for BI Publisher Reports
- 23.5 Best Practices for Running Oracle Identity Governance Reports
- 24 Using the Archival and Purge Utilities for Controlling Data Growth
- 24.1 About Archival and Purge Utilities
- 24.2 Archival and Purge Concepts
- 24.2.1 Purge Only Solution Versus Purge and Archive Solution for Entities
- 24.2.2 Archival of Data in Oracle Identity Governance
- 24.2.3 Purging of Data in Oracle Identity Governance
- 24.2.4 Real-Time Purging in Oracle Identity Governance
- 24.2.5 Retention Period in Oracle Identity Governance
- 24.2.6 Modes of Archival Purge Operations
- 24.3 Using Real-Time Purge and Archival Option in Oracle Identity Governance
- 24.4 Using Command-Line Option of the Archival Purge Utilities in Oracle Identity Governance
- 24.4.1 About Command-Line Utilities
- 24.4.2 Using the Reconciliation Archival Utility
- 24.4.2.1 About the Reconciliation Archival Utility
- 24.4.2.2 Prerequisite for Running the Reconciliation Archival Utility
- 24.4.2.3 Archival Criteria for Reconciliation Data
- 24.4.2.4 Running the Reconciliation Archival Utility
- 24.4.2.5 Log File Generated by the Reconciliation Archival Utility
- 24.4.2.6 Troubleshooting Scenario for Reconciliation Archival Utility
- 24.4.3 Using the Task Archival Utility
- 24.4.4 Using the Requests Archival Utility
- 24.5 Using the Audit Archival and Purge Utility
- 24.5.1 About Audit Archival and Purge Utility
- 24.5.2 Audit Data Growth Control Measures in Lightweight Audit Framework
- 24.5.2.1 About Audit Data Growth Control Measures in Lightweight Audit Framework
- 24.5.2.2 Overview of Partition Based Approach
- 24.5.2.3 Prerequisites for Partitioning the AUDIT_EVENT Table
- 24.5.2.4 Preparing the AUDIT_EVENT Table for Archival and Purge
- 24.5.2.5 Archiving or Purging the AUDIT_EVENT Data Using Partitions
- 24.5.2.6 Ongoing Partition Maintenance
- 24.5.3 Partition-Based Approach for Audit Growth Control Measures in Legacy Audit (UPA) Framework
- 24.6 Using the Real-Time Certification Purge in Oracle Identity Governance
- Part IX Lifecycle Management
- 25 Handling Lifecycle Management Changes
- 25.1 URL Changes Related to Oracle Identity Governance
- 25.1.1 Oracle Identity Governance Host and Port Changes
- 25.1.2 Oracle Identity Governance Database Host and Port Changes
- 25.1.2.1 Modifying Datasource oimJMSStoreDS Configuration
- 25.1.2.2 Modifying Datasource soaOIMLookupDB Configuration
- 25.1.2.3 Modifying Datasource oimOperationsDB Configuration
- 25.1.2.4 Modifying Datasource ApplicationDB Configuration
- 25.1.2.5 Modifying Datasource Related to Oracle Identity Governance Meta Data Store
- 25.1.2.6 Modifying OIMAuthenticationProvider Configuration
- 25.1.2.7 Modifying DirectDB Configuration
- 25.1.2.8 Modifying the Oracle Identity Governance Database Host and Port in BI Publisher
- 25.1.2.9 Changing Incorrect Database Configuration
- 25.1.3 Changing Oracle Virtual Directory Host and Port
- 25.1.4 Changing BI Publisher Host and Port
- 25.1.5 Changing SOA Host and Port
- 25.1.6 Changing OAM Host and Port
- 25.2 Password Changes Related to Oracle Identity Governance
- 25.2.1 Updating Oracle WebLogic Administrator Credentials
- 25.2.2 Changing Oracle WebLogic Administrator Password
- 25.2.3 Changing Oracle Identity Governance Administrator Password
- 25.2.4 Changing Oracle Identity Governance Administrator Database Password
- 25.2.5 Changing Oracle Identity Governance Database Password
- 25.2.5.1 Changing Datasource oimJMSStoreDS Configuration
- 25.2.5.2 Changing Datasource ApplicationDB Configuration
- 25.2.5.3 Changing Datasource soaOIMLookupDB Configuration
- 25.2.5.4 Changing Datasource oimOperationsDB Configuration
- 25.2.5.5 Changing Datasource Related to Oracle Identity Governance Meta Data Store
- 25.2.5.6 Changing OIMAuthenticationProvider Configuration
- 25.2.5.7 Changing Domain Credential Store Configuration
- 25.2.5.8 Changing the Oracle Identity Governance Database Password in BI Publisher
- 25.2.6 About Credential Store Framework Keys
- 25.2.7 Changing Oracle Identity Governance Passwords in the Credential Store Framework
- 25.2.8 Changing OVD Password
- 25.2.9 Changing Oracle Identity Governance Administrator Password in LDAP
- 25.2.10 Unlocking Oracle Identity Governance Administrator Password in LDAP
- 25.2.11 Changing Schema Passwords
- 25.3 Configuring SSL for Oracle Identity Governance
- 25.3.1 Generating Custom Key Stores (Optional)
- 25.3.2 Configuring Custom Key Stores (Optional)
- 25.3.3 Enabling SSL for Oracle Identity Governance and SOA Servers
- 25.3.4 Enabling SSL for Oracle Identity Governance DB
- 25.3.5 Enabling SSL for SOA Approval Composites
- 25.3.6 Configuring SSL for Design Console
- 25.3.7 Configuring SSL for Oracle Identity Governance Utilities
- 25.4 Using Ready App
- 26 Securing a Deployment
- Part X Diagnostics and Troubleshooting
- 27 Using Enterprise Manager for Managing Oracle Identity Governance
- 27.1 Managing Oracle Identity Governance Configuration
- 27.2 Using the OrchestrationEngine MBean
- 27.3 Configuring Log Services for Oracle Identity Governance
- 27.3.1 Logging in Oracle Identity Governance By Using ODL
- 27.3.1.1 About Oracle Diagnostic Logging
- 27.3.1.2 Message Types and Levels in Oracle Identity Governance
- 27.3.1.3 Log Handler and Logger Configuration
- 27.3.1.4 Configuring Log Handlers
- 27.3.1.5 Log Handler Configuration Tools
- 27.3.1.6 About Configuring Loggers
- 27.3.1.7 Configuring Loggers in Oracle Identity Governance
- 27.3.1.8 Sample ODL Log Output
- 27.3.2 Logging in Oracle Identity Governance By Using log4j
- 27.3.3 Setting Warning State
- 27.3.4 Switching Down the Log Level
- 28 Using the PL/SQL Unified Diagnostic Logging and Debugging Framework
- 28.1 Understanding the PL/SQL Unified Diagnostic Logging and Debugging Framework
- 28.2 Configuring the Diagnostic Level
- 28.3 Understanding the Data Captured by PL/SQL Diagnostic Logging Tables
- 28.4 Collecting Data Captured by PL/SQL Diagnostic Logging Tables
- 28.5 Controlling Data Growth of PL/SQL Diagnostic Logging Tables
- Part XI Appendixes
- A Default User Accounts
- B Configuring SSO Providers for Oracle Identity Governance
- B.1 Common Prerequisites for Integration With Third-Party SSO Solutions
- B.2 Enabling Oracle Identity Governance to Work With OpenSSO
- B.3 Enabling Oracle Identity Governance to Work With IBM Tivoli Access Manager
- B.4 Enabling Oracle Identity Governance to Work With CA SiteMinder
- B.5 Configuring Basic SSO Using OAM
- B.6 Simplifying Third-Party SSO Integration
- B.7 Using Configurable Login ID Support for SSO Integration
- B.8 Configuring Login ID Support for SSO Integration
- B.9 Integrating Oracle Identity Governance with Identity Providers using SAML2 Asserter
- B.9.1 Prerequisites for Integrating Oracle Identity Governance with Identity Providers
- B.9.2 Configuring the SAML2 Asserter in the Oracle Identity Governance Domain
- B.9.3 Configuring Identity Federation Settings on Oracle Identity Governance
- B.9.4 Exporting the Identity Federation Document
- B.9.5 Configuring the Identity Provider for Federation With Oracle Identity Governance
- B.9.6 Exporting the Identity Provider Metadata
- B.9.7 Configuring the Identity Provider Metadata on Oracle Identity Governance
- B.9.8 Updating Identity Self Service, System Administration, and FacadeWebApp to Change the Session Cookie
- B.9.9 Testing the SAML2.0 Flow with Identity Self Service and System Administration Pages
- C Using Database Roles/Grants for Oracle Identity Governance Database
- D Enabling Transparent Data Encryption
- E Troubleshooting Clustered OIM and Eclipselink Cache Coordination
- E.1 Startup Procedure for Clustered Installation of Oracle Identity Governance
- E.2 Setting Deployment Mode to Cluster
- E.3 Configuring Multicast Addressing for Oracle Identity Governance
- E.4 Multicast Addressing for Eclipselink
- E.5 Testing Multicast Network Testing
- E.6 Enabling Additional Logging for Eclipselink
- E.7 Testing Multicast Connectivity Between Oracle Identity Governance Nodes