Table of Contents
- List of Figures
- List of Tables
- Title and Copyright Information
- Preface
- What's New In This Guide
- Updates in October 2023 Documentation Refresh for 12c (12.2.1.4.0)
- Updates in April 2023 Documentation Refresh for 12c (12.2.1.4.0)
- Updates in October 2022 Documentation Refresh for 12c (12.2.1.4.0)
- Updates in April 2022 Documentation Refresh for 12c (12.2.1.4.0)
- Updates in October 2021 Documentation Refresh for 12c (12.2.1.4.0)
- Updates in July 2021 Documentation Refresh for 12c (12.2.1.4.0)
- Updates in April 2021 Documentation Refresh for 12c (12.2.1.4.0)
- Updates in October 2020 Documentation Refresh for 12c (12.2.1.4.0)
- Updates in June 2020 Documentation Refresh for 12c (12.2.1.4.0)
- Updates in March 2020 Documentation Refresh for 12c (12.2.1.4.0)
- New and Changed Features for 12c (12.2.1.4.0)
- Part I Overview
- 1 Product Overview for Oracle Identity Governance
- 1.1 What is Oracle Identity Governance?
- 1.2 What are the Different Modes of Oracle Identity Governance?
- 1.3 How does Oracle Identity Governance Interact with Other IT Systems?
- 1.4 How does Oracle Identity Governance Interact with Other Oracle Identity and Access Management Products?
- 1.5 How do Users Interact with Oracle Identity Governance?
- 2 Product Architecture of Oracle Identity Governance
- 3 Oracle Identity System Administration Interface
- 3.1 Logging in to Oracle Identity System Administration
- 3.2 Oracle Identity System Administration
- Part II Policy Administration
- 4 Managing Workflows
- 4.1 Understanding Workflow Rules
- 4.2 Configuring Approval Workflow Rules
- 4.2.1 About Approval Workflow Rules
- 4.2.2 About Rule Conditions
- 4.2.3 About System-Defined Operations and Rules
- 4.2.4 Creating Approval Workflow Rules
- 4.2.5 About Custom Rule Conditions
- 4.2.6 Modifying Approval Workflow Rules
- 4.2.7 Deleting Approval Workflow Rules
- 4.2.8 About Approval Workflow Rule Evaluation
- 4.3 Managing Request Approval in an Upgraded Deployment of Oracle Identity Governance
- 4.4 Migrating Workflow Rules From Test to Production
- 4.5 Running Oracle Identity Governance Without Workflows
- 4.6 Use Cases for Disabled or Deleted Proxy Users
- Part III Form Management
- Part IV System Entities
- 6 Configuring Custom Attributes
- 6.1 Creating a Custom Attribute
- 6.2 Creating a Custom Child Form
- 6.3 Creating a Custom Child Form Attribute
- 6.4 Modifying a Custom Attribute
- 6.5 Adding a Custom Attribute
- 6.6 Adding a Custom Attribute to an Application Instance Form
- 6.7 Moving UDFs from Test to Production
- 6.8 Synchronizing User-Defined Fields Between Oracle Identity Governance and LDAP
- 6.9 Creating Cascaded LOVs
- 6.10 Specifying Cascaded LOVs Without NULL Value
- 6.11 Localizing Display Labels of UDFs
- 6.12 Configuring a Field as Mandatory Attribute in the Request Catalog
- Part V Application Management
- 7 Managing IT Resources
- 8 Managing Application Instances
- 8.1 About Application Instances
- 8.2 Application Instance Concepts
- 8.3 Managing Application Instances
- 8.3.1 Creating Application Instances
- 8.3.2 Searching Application Instances
- 8.3.3 Modifying Application Instances
- 8.3.4 Understanding the Deletion of Application Instances
- 8.3.5 Creating and Modifying Forms Associated With the Application Instances
- 8.4 Configuring Application Instances
- 8.5 Developing Entitlements
- 8.5.1 About Entitlements
- 8.5.2 Available Entitlements and Assigned Entitlements
- 8.5.3 Entitlement Data Capture Process
- 8.5.4 Marking Entitlement Attributes on Child Process Forms
- 8.5.5 Duplicate Validation for Entitlements or Child Data
- 8.5.6 Configuring Scheduled Tasks for Working with Entitlement Data
- 8.5.7 Deleting Entitlements
- 8.5.8 Refreshing the Entitlement List Post Delete for New Entries
- 8.5.9 Disabling the Capture of Modifications to Assigned Entitlements
- 8.5.10 Entitlement-Related Reports
- 8.6 Managing Disconnected Resources
- 8.6.1 About Disconnected Resources
- 8.6.2 Disconnected Resources Architecture
- 8.6.3 Managing Disconnected Application Instance
- 8.6.4 Provisioning Operations on a Disconnected Application Instance
- 8.6.5 Configuring Entitlement Grant
- 8.6.6 Status Changes in Manual Process Task Action
- 8.6.7 Customizing Provisioning SOA Composite
- 8.6.8 Troubleshooting Disconnected Resources
- 9 Managing Connector Lifecycle
- 9.1 Lifecycle of a Connector
- 9.2 Change Management Terminology
- 9.3 Viewing Connector Details
- 9.4 Installing Connectors
- 9.5 Defining Connectors With Oracle Identity Governance
- 9.6 Cloning Connectors in Oracle Identity Governance
- 9.7 Exporting Connector Object Definitions in Connector XML Format
- 9.8 Upgrading Connectors
- 9.8.1 About Upgrading Connectors
- 9.8.2 Upgrade Use Cases Supported by the Connector Upgrade Feature
- 9.8.3 Connector Object Changes Supported by the Upgrade Connectors Feature
- 9.8.4 What Happens When You Upgrade a Connector
- 9.8.5 Summary of the Upgrade Procedure
- 9.8.6 Procedure to Upgrade a Connector
- 9.8.7 Postupgrade Procedure
- 9.8.7.1 Connector Code File Changes
- 9.8.7.2 Running the PurgeCache Utility
- 9.8.7.3 Running cancelProcessTask Utility
- 9.8.7.4 Updating Access Policies
- 9.8.7.5 Configuring the IT Resource
- 9.8.7.6 Configuring the Scheduled Tasks
- 9.8.7.7 Updating Adapters for Changes in IT Resource Type Definition Parameter
- 9.8.7.8 Other Postupgrade Steps
- 9.8.8 Procedure to Upgrade a 9.x Connector Version to an ICF Based Connector
- 9.9 Uninstalling Connectors
- 9.9.1 About Uninstalling Connectors Utility
- 9.9.2 Use Cases Supported by the Uninstall Connectors Utility
- 9.9.3 Overview of the Connector Uninstall Process
- 9.9.4 Setting Up the Uninstall Connector Utility
- 9.9.5 Uninstalling Connectors and Removing Connector Objects
- 9.9.6 Running the Script to Uninstall Connectors and Connector Objects
- 9.10 Troubleshooting Connector Management Issues
- 10 Managing Reconciliation
- 10.1 About Reconciliation
- 10.2 Reconciliation Based on the Object Being Reconciled
- 10.3 Mode of Reconciliation
- 10.4 Approach Used for Reconciliation
- 10.5 Managing Reconciliation Events
- Part VI Requests
- 11 Managing the Access Request Catalog
- 11.1 Access Request Catalog
- 11.2 Configuring the Access Request Catalog
- 11.3 Administering the Access Request Catalog
- 11.3.1 Prerequisites of Catalog Administration
- 11.3.2 Common Tasks to be Performed by the Catalog Administrator
- 11.3.3 Catalog Auditing
- 11.3.4 Configuring Hierarchical Attributes of Entitlements
- 11.3.5 Database Best Practices for Access Request Catalog
- 11.4 Managing the Lifecycle of the Catalog
- 11.4.1 Overview of Catalog Customization
- 11.4.2 Test to Production Procedures for Catalog Customizations
- 11.4.3 Limitations of the Test to Production Procedures
- 11.5 Troubleshooting Access Request Catalog
- Part VII System Configuration
- 12 Managing the Home Organization Policy
- 13 Managing Self Service Capability Policy
- 13.1 About Self Service Capability Rule
- 13.2 Default Self Service Capability Rule
- 13.3 Example of Self Service Capability Rules and Rule Evaluation Order
- 13.4 Creating a Rule in Self Service Capability Policy
- 13.5 Modifying a Rule in Self Service Capability Policy
- 13.6 Deleting a Rule in Self Service Capability Policy
- 14 Managing Lookups
- 15 Managing Role Categories
- 16 Managing the Scheduler
- 16.1 About Scheduler
- 16.2 Configuring the oim-config.xml File
- 16.3 Start and Stop the Scheduler
- 16.4 Scheduled Tasks
- 16.5 Managing Jobs
- 16.6 Diagnosing Scheduled Jobs
- 17 Managing Notification Service
- 17.1 About Notification Providers
- 17.2 Managing Notification Providers
- 17.3 Managing Notification Templates
- 17.3.1 Default Notification Template
- 17.3.2 Searching for a Notification Template
- 17.3.3 Creating a Notification Template
- 17.3.4 Modifying a Notification Template
- 17.3.5 Disabling a Notification Template
- 17.3.6 Enabling a Notification Template
- 17.3.7 Adding Locales to a Notification Template
- 17.3.8 Removing Locales from a Notification Template
- 17.3.9 Deleting a Notification Template
- 17.3.10 Configuring Notification for a Proxy
- 17.4 Configuring Email in Provisioning Workflow
- 17.5 Configuring SOA Email Notification
- 17.6 Disabling Oracle Identity Governance Email Notifications
- 17.7 Troubleshooting Notification
- 18 Configuring Oracle Identity Governance
- 19 Moving From Test to Production
- 19.1 About Test to Production Migration
- 19.2 Migrating Incrementally Using the Deployment Manager
- 19.2.1 About the Deployment Manager
- 19.2.2 Features of the Deployment Manager
- 19.2.3 Enabling Deployment Manager in SSL Mode
- 19.2.4 About Exporting Deployments
- 19.2.5 Exporting Deployments
- 19.2.6 About Importing Deployments
- 19.2.7 Importing Deployments
- 19.2.8 About Export/Import of Identity Audit Rules
- 19.2.9 About Export/Import of Role UDF Data
- 19.2.10 Best Practices for Using the Deployment Manager
- 19.2.10.1 Do Not Export System Objects
- 19.2.10.2 Exporting Related Groups of Objects
- 19.2.10.3 Using Logical Naming Conventions for Versions of a Form
- 19.2.10.4 Exporting Root to Preserve a Complete Organizational Hierarchy
- 19.2.10.5 Providing Clear Export Descriptions
- 19.2.10.6 Checking Dependencies Before Exporting Data
- 19.2.10.7 Matching Scheduled Task Parameters
- 19.2.10.8 Deployment Manager Actions on Reimported Scheduled Tasks
- 19.2.10.9 Compiling Adapters and Enable Scheduled Tasks
- 19.2.10.10 Checking Permissions for Roles
- 19.2.10.11 Creating a Backup of the Database
- 19.2.10.12 Importing Data When the System Is Quiet
- 19.2.10.13 Exporting and Importing Data in Bulk
- 19.2.10.14 Exporting Entity Publications
- 19.2.11 Troubleshooting the Deployment Manager
- Part VIII Auditing and Reporting
- 20 Configuring Auditing
- 20.1 About Auditing
- 20.2 User Profile Auditing
- 20.3 Role Profile Auditing
- 20.4 Catalog Auditing
- 20.5 Enabling and Disabling Auditing in Oracle Identity Governance
- 20.6 Lightweight Audit
- 21 Using Reporting Features
- 21.1 About Reporting in Oracle Identity Governance
- 21.2 Supported Output Formats for Reports
- 21.3 Classification of Oracle Identity Governance Reports
- 21.3.1 Access Policy Reports
- 21.3.2 Request and Approval Reports
- 21.3.3 Role and Organization Reports
- 21.3.4 Password Reports
- 21.3.5 Resource and Entitlement Reports
- 21.3.5.1 Account Activity In Resource
- 21.3.5.2 Delegated Admins and Permissions by Resource
- 21.3.5.3 Delegated Admins by Resource
- 21.3.5.4 Entitlement Access List
- 21.3.5.5 Entitlement Access List History
- 21.3.5.6 Financially Significant Resource Details
- 21.3.5.7 Resource Access List History
- 21.3.5.8 Resource Access List
- 21.3.5.9 Resource Account Summary
- 21.3.5.10 Resource Activity Summary
- 21.3.5.11 User Resource Access History
- 21.3.5.12 User Resource Access
- 21.3.5.13 User Resource Entitlement
- 21.3.5.14 User Resource Entitlement History
- 21.3.6 User Reports
- 21.3.7 Certification Reports
- 21.3.8 Identity Audit Reports
- 21.3.9 Exception Reports
- 21.4 Required Scheduled Tasks for Oracle Analytics Server Reports
- 21.5 Best Practices for Running Oracle Identity Governance Reports
- 22 Using the Archival and Purge Utilities for Controlling Data Growth
- 22.1 About Archival and Purge Utilities
- 22.2 Archival and Purge Concepts
- 22.2.1 Purge Only Solution Versus Purge and Archive Solution for Entities
- 22.2.2 Archival of Data in Oracle Identity Governance
- 22.2.3 Purging of Data in Oracle Identity Governance
- 22.2.4 Real-Time Purging in Oracle Identity Governance
- 22.2.5 Retention Period in Oracle Identity Governance
- 22.2.6 Modes of Archival Purge Operations
- 22.3 Using Real-Time Purge and Archival Option in Oracle Identity Governance
- 22.4 Using Command-Line Option of the Archival Purge Utilities in Oracle Identity Governance
- 22.4.1 About Command-Line Utilities
- 22.4.2 Using the Reconciliation Archival Utility
- 22.4.2.1 About the Reconciliation Archival Utility
- 22.4.2.2 Prerequisite for Running the Reconciliation Archival Utility
- 22.4.2.3 Archival Criteria for Reconciliation Data
- 22.4.2.4 Running the Reconciliation Archival Utility
- 22.4.2.5 Log File Generated by the Reconciliation Archival Utility
- 22.4.2.6 Troubleshooting Scenario for Reconciliation Archival Utility
- 22.4.3 Using the Task Archival Utility
- 22.4.4 Using the Requests Archival Utility
- 22.5 Using the Audit Archival and Purge Utility
- 22.5.1 About Audit Archival and Purge Utility
- 22.5.2 Audit Data Growth Control Measures in Lightweight Audit Framework
- 22.5.2.1 About Audit Data Growth Control Measures in Lightweight Audit Framework
- 22.5.2.2 Overview of Partition Based Approach
- 22.5.2.3 Prerequisites for Partitioning the AUDIT_EVENT Table
- 22.5.2.4 Preparing the AUDIT_EVENT Table for Archival and Purge
- 22.5.2.5 Archiving or Purging the AUDIT_EVENT Data Using Partitions
- 22.5.2.6 Ongoing Partition Maintenance
- 22.5.3 Partition-Based Approach for Audit Growth Control Measures in Legacy Audit (UPA) Framework
- 22.6 Using the Real-Time Certification Purge in Oracle Identity Governance
- 22.7 Using the Real-time Entitlement Assignment History Purge in Oracle Identity Governance
- 22.8 Using the Real-time Provisioning Status Accounts Purge in Oracle Identity Governance
- 23 Using the Offline Data Purge Framework
- 24 Using the Complete Nuke Cleanup Utility
- Part IX Lifecycle Management
- 25 Handling Lifecycle Management Changes
- 25.1 URL Changes Related to Oracle Identity Governance
- 25.1.1 Oracle Identity Governance Host and Port Changes
- 25.1.2 Oracle Identity Governance Database Host and Port Changes
- 25.1.2.1 Modifying Datasource oimJMSStoreDS Configuration
- 25.1.2.2 Modifying Datasource soaOIMLookupDB Configuration
- 25.1.2.3 Modifying Datasource oimOperationsDB Configuration
- 25.1.2.4 Modifying Datasource ApplicationDB Configuration
- 25.1.2.5 Modifying Datasource Related to Oracle Identity Governance Meta Data Store
- 25.1.2.6 Modifying OIMAuthenticationProvider Configuration
- 25.1.2.7 Modifying DirectDB Configuration
- 25.1.2.8 Modifying the Oracle Identity Governance Database Host and Port in BI Publisher
- 25.1.2.9 Changing Incorrect Database Configuration
- 25.1.2.10 Updating the jps-config.xml and jps-config-jse.xml Files
- 25.1.3 Changing Oracle Virtual Directory Host and Port
- 25.1.4 Changing BI Publisher Host and Port
- 25.1.5 Changing SOA Host and Port
- 25.1.6 Changing OAM Host and Port
- 25.2 Password Changes Related to Oracle Identity Governance
- 25.2.1 Updating Oracle WebLogic Administrator Credentials
- 25.2.2 Changing Oracle WebLogic Administrator Password
- 25.2.3 Changing Oracle Identity Governance Administrator Password
- 25.2.4 Changing Oracle Identity Governance Administrator Database Password
- 25.2.5 Changing Oracle Identity Governance Database Password
- 25.2.5.1 Changing Datasource oimJMSStoreDS Configuration
- 25.2.5.2 Changing Datasource ApplicationDB Configuration
- 25.2.5.3 Changing Datasource soaOIMLookupDB Configuration
- 25.2.5.4 Changing Datasource oimOperationsDB Configuration
- 25.2.5.5 Changing Datasource Related to Oracle Identity Governance Meta Data Store
- 25.2.5.6 Changing OIMAuthenticationProvider Configuration
- 25.2.5.7 Changing Domain Credential Store Configuration
- 25.2.5.8 Changing the Oracle Identity Governance Database Password in BI Publisher
- 25.2.6 About Credential Store Framework Keys
- 25.2.7 Changing Oracle Identity Governance Passwords in the Credential Store Framework
- 25.2.8 Changing OVD Password
- 25.2.9 Changing Oracle Identity Governance Administrator Password in LDAP
- 25.2.10 Unlocking Oracle Identity Governance Administrator Password in LDAP
- 25.2.11 Changing Schema Passwords
- 25.3 Configuring SSL for Oracle Identity Governance
- 25.3.1 Generating Custom Key Stores (Optional)
- 25.3.2 Configuring Custom Key Stores (Optional)
- 25.3.3 Enabling SSL for Oracle Identity Governance and SOA Servers
- 25.3.4 Enabling SSL for Oracle Identity Governance DB
- 25.3.5 Enabling SSL for SOA Approval Composites
- 25.3.6 Configuring SSL for the Design Console
- 25.3.7 Configuring SSL for Oracle Identity Governance Utilities
- 25.3.8 Updating the System Properties for SSL Enabled Servers
- 25.3.9 Enabling FIPS Mode on Oracle Identity Governance
- 25.3.10 Changing Client Policies to Create Custom Policy for FIPS
- 25.3.11 TLS 1.3 Support in Oracle Identity Governance
- 25.3.12 Troubleshooting SSL Enablement with TLSv1.3
- 25.4 Using Ready App
- 26 Securing a Deployment
- Part X Diagnostics and Troubleshooting
- 27 Using Enterprise Manager for Managing Oracle Identity Governance
- 27.1 Managing Oracle Identity Governance Configuration
- 27.2 Using the OrchestrationEngine MBean
- 27.3 Configuring Log Services for Oracle Identity Governance
- 27.3.1 Logging in Oracle Identity Governance By Using ODL
- 27.3.1.1 About Oracle Diagnostic Logging
- 27.3.1.2 Message Types and Levels in Oracle Identity Governance
- 27.3.1.3 Log Handler and Logger Configuration
- 27.3.1.4 Configuring Log Handlers
- 27.3.1.5 Log Handler Configuration Tools
- 27.3.1.6 About Configuring Loggers
- 27.3.1.7 Configuring Loggers in Oracle Identity Governance
- 27.3.1.8 Sample ODL Log Output
- 27.3.2 Logging in Oracle Identity Governance By Using log4j
- 27.3.3 Setting Warning State
- 27.3.4 Switching Down the Log Level
- 27.4 Handling Cache
- 28 Using the PL/SQL Unified Diagnostic Logging and Debugging Framework
- 28.1 Understanding the PL/SQL Unified Diagnostic Logging and Debugging Framework
- 28.2 Configuring the Diagnostic Level
- 28.3 Understanding the Data Captured by PL/SQL Diagnostic Logging Tables
- 28.4 Collecting Data Captured by PL/SQL Diagnostic Logging Tables
- 28.5 Controlling Data Growth of PL/SQL Diagnostic Logging Tables
- 29 Using the Identity Management Diagnostic Framework
- Part XI Appendixes
- A Default User Accounts
- B Configuring SSO Providers for Oracle Identity Governance
- B.1 Common Prerequisites for Integration With Third-Party SSO Solutions
- B.2 Enabling Oracle Identity Governance to Work With OpenSSO
- B.3 Enabling Oracle Identity Governance to Work With IBM Tivoli Access Manager
- B.4 Enabling Oracle Identity Governance to Work With CA SiteMinder
- B.5 Configuring Basic SSO Using OAM
- B.6 Simplifying Third-Party SSO Integration
- B.7 Using Configurable Login ID Support for SSO Integration
- B.8 Configuring Login ID Support for SSO Integration
- B.9 Integrating Oracle Identity Governance with Identity Providers using SAML2 Asserter
- B.9.1 Prerequisites for Integrating Oracle Identity Governance with Identity Providers
- B.9.2 Configuring the SAML2 Asserter in the Oracle Identity Governance Domain
- B.9.3 Configuring Identity Federation Settings on Oracle Identity Governance
- B.9.4 Exporting the Identity Federation Document
- B.9.5 Configuring the Identity Provider for Federation With Oracle Identity Governance
- B.9.6 Exporting the Identity Provider Metadata
- B.9.7 Configuring the Identity Provider Metadata on Oracle Identity Governance
- B.9.8 Updating Identity Self Service, System Administration, and FacadeWebApp to Change the Session Cookie
- B.9.9 Testing the SAML2.0 Flow with Identity Self Service and System Administration Pages
- C Using Database Roles/Grants for Oracle Identity Governance Database
- D Enabling Transparent Data Encryption
- E Troubleshooting Clustered OIM and Eclipselink Cache Coordination
- E.1 Startup Procedure for Clustered Installation of Oracle Identity Governance
- E.2 Setting Deployment Mode to Cluster
- E.3 Configuring Multicast Addressing for Oracle Identity Governance
- E.4 Multicast Addressing for Eclipselink
- E.5 Testing Multicast Network Testing
- E.6 Enabling Additional Logging for Eclipselink
- E.7 Testing Multicast Connectivity Between Oracle Identity Governance Nodes
- F Scheduler and System Properties do not come up in the Integrated Environment