9 Managing Application Instances

Managing application instances involves understanding the concepts related to application instances, managing and configuring application instances, developing entitlements, and managing disconnected resources.

This chapter contains the following sections:

9.1 About Application Instances

An application instance is an abstraction that combines an IT resource instance (target connectivity and connector configuration) with a resource object (provisioning mechanism).

In earlier releases, request creation was based on resource names and was administrator-centric, which required good knowledge of the underlying technology. In this release of Oracle Identity Manager, accounts and entitlements of users are associated with application instances rather than with the IT resource instance or resource object. This makes it easier for an end user to operate.

An application instance is published to organizations and can be requested by users of those organizations. Suppose Microsoft Active Directory (AD) is to be provisioned to users across different organizations or departments around the world. You can define application instances consisting of the following:

  • AD as the resource object

  • Each AD server instance with the connectivity information, such as URL and password, as IT resources

This is because the resource object is the same for all users, but the connectivity information, such as port number, can differ for users who belong to different organizations. Therefore, the AD resource object can be provisioned as an application instance without the user being aware of the connectivity information.

An application instance is the provisionable entity. To get an account in a specific target, end users request the application instance. Instead of requesting a resource and configuring an IT resource instance separately, the end user requests an application instance. The request is subject to approval by an approver. When the request is approved, the resource is provisioned to the user, and an account is created in the target system.

Note:

If the request comes from an authorizer, then it may not require approval, whereas a request from an end user needs approval by an approver.

9.2 Application Instance Concepts

Understand the concepts related to application instances, such as multiple accounts per application instance, entitlements, disconnected application instances, and application instance security.

The application instance concepts are described in the following sections:

9.2.1 Multiple Accounts Per Application Instance

Users in an enterprise can have multiple accounts in a single application instance.

This is required in a scenario in which an HR administrator performs various tasks for other employees in the organization by using an administrative account, and logs in with a separate user account when performing certain tasks for themselves. In this example, the same user requires two different accounts for logging in to the system and performing different types of operations.

In addition, supporting multiple accounts for users limits the impact of a compromise. Suppose a user uses the same account for logging in to the environment, and performs administrative tasks, regular business tasks for self and others, and tasks related to IT infrastructure. If there is an intrusion and that account is compromised, the attacker can access infrastructure data and other confidential information. If the user has a separate account for each type of task and only the regular account is compromised, the confidential information related to IT infrastructure and other sensitive resources remains protected from the attacker.

Oracle Identity Manager supports multiple accounts in a single application instance. The first account that is created is tagged as the primary account, and there can be only one primary account for a user. Subsequent accounts created on the same application instance are tagged as Other.

When a user is provisioned to an application instance, Oracle Identity Manager checks whether it is the first account being provisioned for the user in that application instance. If it is the first account, then the account is marked as primary. When existing user accounts are reconciled from application instances, the first account that is reconciled is marked as primary. If the account marked as primary is not the actual primary account, then you can manually change the primary tag and mark another account as primary.

9.2.2 Entitlements

An entitlement granted to an account on a target system enables the account owner (user) to perform a specific task or function.

An entitlement can be a role, responsibility, or group membership. For example, if user Richard is granted the Inventory Analyst role on a target system, then Richard can use that entitlement to access and generate inventory-related reports from the target system.

In Oracle Identity Manager, there is one process form for each account (resource) provisioned to an Oracle Identity Manager User. Entitlement data is stored in a child process form. In the example described earlier, the process form for Richard's account on the target system has a child process form that holds the Inventory Analyst role data.

Note:

To reconcile entitlements created in the target system into Oracle Identity Manager, you must first run the scheduled job for lookup field synchronization, and then run the Entitlement List scheduled job.

Attributes that constitute entitlement data stored on a child process form may vary from one target system to another. In addition, different types of entitlements, such as roles and responsibilities, may have different attributes.

Entitlements can be requested directly, without first requesting a modification of the resource on the user's account. Entitlements are not part of the account data, because the child forms are handled independently. A user can provision, modify, or revoke an entitlement. For the requested entitlements, the user can provide additional information that might help an approver during the approval process.

All types of entitlements are available for request in the request catalog. If the request for an administrative entitlement is approved, then it is associated with the primary account. In addition, the requester can select target accounts, and approvers can also modify the target account.

You can edit the entitlements by using the Application Instances section of the Oracle Identity System Administration.

See Developing Entitlements for detailed information about entitlements.

9.2.3 Disconnected Application Instances

You can manually perform provisioning in the target application instance when the application instance is of the disconnected type.

You might deploy the self service, delegated administration, request management, and role-based provisioning features of Oracle Identity Manager without deploying provisioning and reconciliation connectors to automate provisioning. After a delegated administration operation, request approval, or role-based provisioning completes, a manual provisioning task is assigned to an administrator. The administrator then manually performs the provisioning in the target application instance. An example is the provisioning of a physical access card. Because Oracle Identity Manager cannot provision a physical access card, the application instance of the disconnected resource is provisioned instead.

To provision a disconnected resource, you create application instances of the disconnected type. The manual provisioning administrator can use the Inbox section of Oracle Identity Self Service to update all fields in the request. After the manual provisioning administrator submits the manual provisioning worklist item, the provisioning infrastructure marks the underlying provisioning task as completed based on the administrator's response. If the administrator specifies that the task has been manually completed, then the status changes to Provisioned.

9.2.4 Application Instance Security

The application instance is an entity with which security primitives are associated via the organization publishing mechanism.

Only those organizations that have the application instance published to them are able to provision to the targets.

9.3 Managing Application Instances

You manage application instances by using Oracle Identity System Administration. It involves searching, creating, modifying, and deleting application instances, and creating and modifying forms associated with application instances.

This section contains the following topics:

See Also:

Converting a Disconnected Application Instance to Connected in Developing and Customizing Applications for Oracle Identity Governance for information about converting a disconnected application instance to a connected application instance

9.3.1 Creating Application Instances

Use the Application Instances page of Oracle Identity System Administration to create application instances by specifying attributes, such as the application instance name and display name, whether it is disconnected, the resource object, the IT resource instance, the form, and the parent application instance.

To create an application instance:

  1. Log in to Oracle Identity System Administration.
  2. In the left pane, under Provisioning Configuration, click Application Instances. The Application Instances page is displayed.
  3. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.
  4. Enter the values of the attributes, as listed in Table 9-1:

    Table 9-1 Fields in the Create Application Instance Page

    Attribute Description

    Name

    The name of the application instance. This is a required field.

    Note: If you enter non-ASCII characters in the Name field, then an error message is displayed when you try to save the application instance. It is recommended that you enter only ASCII or alphanumeric characters in the Name field.

    Display Name

    The display name of the application instance. This is a required field.

    Description

    A description of the application instance.

    Disconnected

    Select if you want to specify the application instance as disconnected. Selecting this option creates a new approval process that is assigned to the manual provisioning administrator. See "Disconnected Application Instances" for more information.

    Note: A disconnected application instance can be created only when a sandbox is active. See "Managing Sandboxes" in Developing and Customizing Applications for Oracle Identity Governance for more information about sandboxes.

    Resource Object

    The resource object name. You can click the search icon next to this field to search and select a resource object.

    IT Resource Instance

    The IT resource instance name. You can click the search icon next to this field to search and select an IT resource instance.

    Form

    Select the form or dataset name. The forms associated with the selected resource object are populated in the Forms list. Here, only pre-existing forms can be selected.

    Parent AppInstance

    The name of the application instance that you want to specify as the parent of the new application instance. The new application instance inherits all the properties of the parent application instance. The resource must be assigned as 'Depends on' in the Design Console for this lookup to be populated.

  5. Click Save. The application instance is created, and its details are displayed in a page.

9.3.2 Searching Application Instances

You can search application instances based on application instance attributes that you can include in various search conditions.

To search for application instances:

  1. In the Oracle Identity System Administration, under Provisioning Configuration, click Application Instances. The Application Instances page is displayed.
  2. Select any one of the following:
    • All: On selecting this option, the search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.

    • Any: On selecting this option, the search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.

  3. In the searchable application instance attribute fields, such as Display Name, specify a value.

    For some attributes, select the attribute value from the lookup. For example, to search all application instances with a particular resource object, specify the resource object name in the Resource Object field.

  4. For each attribute value that you specify, select a search operator from the list. The following search operators are available:
    • Starts with

    • Ends with

    • Equals

    • Does not equal

    • Contains

  5. To add a searchable application instance attribute to the Application Instances page, click Add Fields, and select the attribute from the list of attributes.

    For example, if you want to search all application instances under a parent application instance, then you can add the Parent AppInstance attribute as a searchable field and specify a search condition.

  6. Optionally click Reset to reset the search conditions that you specified. Typically, you perform this step to remove the specified search conditions and specify a new search condition.
  7. Click Search. The search result is displayed in a tabular format.

Tip:

You can use the Query By Example feature to refine your search based on specific values. For more information, see Using Query By Example in Performing Self Service Tasks with Oracle Identity Governance.

9.3.3 Modifying Application Instances

You can open an application instance and modify the attributes, assign and revoke organizations to which the application instance is available, and edit the entitlements associated with the application instance.

These tasks are described in the following sections:

9.3.3.1 Modifying Application Instance Attributes

You can modify application instance attributes by opening the application instance details, editing the attributes, and then running the Catalog Synchronization Job scheduled job.

To modify the attributes of an application instance:

  1. In the Application Instances page, search and select the application instance that you want to open.
  2. From the Actions menu, select Open. Alternatively, click Open on the toolbar. You can also click the Display Name of the application instance.

    The Application Instance details page is displayed.

  3. Ensure that the Attributes tab is displayed. The fields that you are not allowed to modify are grayed out.
  4. Edit the values in the fields, such as Display Name, Description, Form, and Parent AppInstance.
  5. Click Apply. The attribute modifications are saved.
  6. Run the Catalog Synchronization Job scheduled job.

Note:

The Catalog Synchronization Job should preferably be run in Incremental mode so that changes (add, update, and delete) to the base application instance and entitlement entities are synchronized to the catalog database.

9.3.3.2 Managing Organizations Associated With Application Instances

You must make an application instance available for requesting and subsequent provisioning to users by publishing the application instance to an organization. Managing the organizations associated with application instances is done by publishing the application instances to organizations or revoking them.

This section describes managing organizations associated with application instances in the following tasks:

9.3.3.2.1 About Organizations Associated With Application Instances

You must make an application instance available for requesting and subsequent provisioning to users by publishing the application instance to an organization. The users in that organization, users who have the User Viewer role in that organization, or users who have both the Application Instance Viewer role and the User Viewer role in that organization can request the application instance.

In the Organizations tab of the Application Instance details page, you can publish the application instance to organizations, and revoke organizations from the application instance.

In addition, you can publish the application instance to an organization and its suborganizations so that users of the suborganizations can also request for the application instance. You can also publish an application instance to organizations with entitlements so that users of the organization can request for the application instance with the entitlements associated with it.

Note:

An administrator user can publish an entity to any organization that the administrator can view. For example, an Entitlement Administrator can publish entitlements with administrative permissions to any organization on which the Entitlement Administrator has view permission.

9.3.3.2.2 Publishing an Application Instance to Organizations

To publish an application instance to organizations:

  1. In the Application Instance details page, click the Organizations tab. A list of organizations to which the open application instance is published is displayed.

    For each organization, the include sub-orgs option is displayed in the Hierarchy Aware column. Select this option to make the open application instance available to the organization and its suborganizations. Deselect this option to make the open application instance available to the organization only.

  2. From the Actions menu, click Assign. Alternatively, click Assign on the toolbar. The Select Organizations dialog box is displayed.
  3. Search for the organizations to which you want to publish the open application instance.

    Note:

    If you are using Oracle Identity System Administration in French on Google Chrome web browser, the right arrow may be missing or truncated in the search panel of the Select Organizations dialog box. To fix this issue, verify the display language setting in Chrome and change it to French if necessary.

  4. Click Add Selected. The selected organizations are added to the Selected Organizations table.

    If you want to select all organizations, then click Add All.

  5. For each organization added to the Selected Organizations table, a checkbox is displayed in the Hierarchy column. Select the Hierarchy option to publish the open application instance to the suborganizations of the selected organization.

    To publish the open application instance to the selected organizations only, leave the Hierarchy option deselected.

  6. Select the Apply to Entitlement option to publish the open application instance to the selected organizations with the entitlements associated with the application instance. Otherwise, leave this option deselected.
  7. Click Select. The application instance is published to the selected organizations.

    The include sub-orgs option is displayed for the organizations for which you selected the Hierarchy option in the Select Organizations dialog box.

9.3.3.2.3 Revoking Organizations From an Application Instance

To revoke an organization from an application instance:

  1. In the Organizations tab, select an organization that you want to revoke from the open application instance.
  2. From the Action menu, select Revoke. Alternatively, click Revoke on the toolbar. A confirmation box is displayed with the selected organization.
  3. Click Yes to confirm. The organization is revoked from the application instance.

Tip:

To revoke the application instance from the suborganizations of an organization to which it is published, deselect the corresponding include sub-orgs option, and click Apply.

9.3.3.3 Managing Entitlements Associated With Application Instances

You modify the entitlements associated with application instances to change the entitlement attribute values, and publish or revoke the entitlements to organizations.

This section contains the following topics:

9.3.3.3.1 Modifying Entitlement Attributes

To modify the attributes of an entitlement associated with an application instance:

  1. In the Application Instance details page, click the Entitlements tab. A list of entitlements associated with the open application instance is displayed.
  2. Select the entitlement that you want to modify.
  3. From the Actions menu, select Edit. Alternatively, click Edit on the toolbar. The details of the selected entitlement are displayed in a page.
  4. Change the values of the attributes, such as Display Name and Description, and click Save. The entitlement modifications are saved.
  5. Run the Catalog Synchronization Job scheduled job.

9.3.3.3.2 Publishing an Entitlement to an Organization

To publish an entitlement associated with an application instance to an organization:

  1. In the Application Instance details page, click the Entitlements tab. A list of entitlements associated with the open application instance is displayed.
  2. Select the entitlement that you want to publish. The entitlement details are displayed at the bottom of the page.
  3. From the Actions menu, select Assign. Alternatively, click Assign on the toolbar. The Select Organizations dialog box is displayed.
  4. Search and select the organization to which you want to publish the entitlement.
  5. Click Add Selected. The organization is added to the Selected Organizations list.

    If you want to publish the entitlement to all organizations, then click Add All.

  6. Optionally, select the Hierarchy option if you want to publish the entitlement to the suborganizations of the selected organization.
  7. Click Select.
  8. Run the Catalog Synchronization Job scheduled job.

9.3.3.3.3 Revoking an Entitlement from an Organization

To revoke an entitlement associated with an application instance from an organization:

  1. In the Application Instance details page, click the Entitlements tab. A list of entitlements associated with the open application instance is displayed.
  2. Select the entitlement that you want to revoke. The entitlement details are displayed at the bottom of the page.
  3. If you want to revoke the entitlement from the suborganizations of the organization, then keep the include sub-orgs option selected.
  4. From the Actions menu, select Revoke. Alternatively, click Revoke on the toolbar. A warning is displayed asking for confirmation.
  5. Click Yes.
  6. Run the Catalog Synchronization Job scheduled job.

9.3.4 Understanding the Deletion of Application Instances

You delete application instances from the Application Instances page and then run the Application Instance Post Delete Processing Job scheduled job.

This section describes how an application instance can be deleted, in the following sections:

9.3.4.1 About Deleting Application Instances

An application instance can be deleted in any one of the following ways:

  • Deleting the application instance from the Application Instances section of the Oracle Identity System Administration.

  • Deleting the IT resource, which is a constituent of the application instance.

When you delete an application instance by using any one of these methods, the application instance is not hard-deleted from Oracle Identity Manager; it is soft-deleted. This is because accounts provisioned through the application instance might still exist in the target system. Therefore, after deleting an application instance, you must run a scheduled job to achieve the following:

  • Unpublish the application instance from the entity publication

  • Unpublish the associated entitlements from the entity publication

  • Revoke, or hard-delete, or mark as deleted all the accounts for the application instance

9.3.4.2 Deleting an Application Instance

To delete an application instance:

  1. In Oracle Identity System Administration, under Provisioning Configuration, click Application Instances. The Application Instances page is displayed with a list of application instances that are published to your organization.
  2. Search and select the application instance that you want to delete.
  3. From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A message box is displayed asking for confirmation.
  4. Click Delete to confirm. The application instance is soft-deleted in Oracle Identity Manager.

    You can also delete an application instance by deleting the IT resource of the application instance. For information about deleting IT resources, see Managing IT Resources in Developing and Customizing Applications for Oracle Identity Governance.

  5. Run the Application Instance Post Delete Processing Job scheduled job. This scheduled job can be run in any one of the following modes:
    • Revoke: This mode is used when the application instance is deleted, but the provisioned accounts in the target system still exist. Using the Revoke mode deletes the accounts from the target system.

    • Delete: This mode is used when the target system no longer exists, and there are no traces of the accounts in Oracle Identity Manager. Using the Delete mode hard-deletes the accounts from all provisioning tasks and targets, and subsequently from Oracle Identity Manager.

    • Decommission: This mode is used when the target system no longer exists and the provisioned accounts cannot be revoked from the target system. Using the Decommission mode changes the account status to Revoke without keeping the accounts in Oracle Identity Manager in provisioned state.

    For information about scheduled jobs, see Managing the Scheduler.

    Note:

    The Application Instance Post Delete Processing Job scheduled job can be run after deleting each application instance.

  6. Run the Catalog Synchronization Job scheduled job. This scheduled job identifies the soft-deleted application instances, and removes them from the catalog.

    Note:

    • The Catalog Synchronization Job scheduled job run is independent of the Application Instance Post Delete Processing Job run. This means that the Catalog Synchronization Job scheduled job removes the soft-deleted application instances from the catalog even if Application Instance Post Delete Processing Job is not run after soft-deleting the application instances.

    • The Catalog Synchronization Job should preferably be run in Incremental mode so that changes (add, update, and delete) to the base application instance and entitlement entities are synchronized to the catalog database.

9.3.5 Creating and Modifying Forms Associated With the Application Instances

In the Application Instances page of the Identity System Administration, you can create and modify forms associated with the resource objects, and subsequently with the application instances.

See Also:

This section describes the following topics:

9.3.5.1 Creating Forms Associated With Application Instances

To create a form associated with an application instance:

Note:

You cannot create forms directly. Before creating forms, you must create a sandbox and activate it. See Managing Sandboxes in Developing and Customizing Applications for Oracle Identity Governance for information about creating and activating a sandbox.

  1. Log in to Oracle Identity System Administration.

  2. Create and activate a sandbox. A warning message is displayed if no sandbox is activated. For detailed instructions on creating and activating a sandbox, see Managing Sandboxes in Developing and Customizing Applications for Oracle Identity Governance.

  3. In the left pane, under Provisioning Configuration, click Form Designer. The Form Designer page is displayed.

  4. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Form page is displayed.

  5. In the Resource Type field, specify a resource object with which you want to associate the form. To do so:

    1. Click the lookup icon next to the Name field. The Search and Select: Name dialog box is displayed.

    2. In the Name field, enter the name of the resource object you want to search. You can leave this field blank if you want to display all resource objects.

    3. Click Search. The resource objects that match the search condition are displayed.

    4. Select the resource object that you want to associate with the form, and click OK. The resource object name is displayed in the Name field of the Create Form page.

  6. In the Form Name field, enter a form name.

  7. (Optional) Select any one of the available options for Form Type:

    • Parent Form + Child Tables (Master/Detail)

    • Parent Form (Master)

    • Parent Form + Child Tables for Non Entitlement (Master/Detail)

  8. (Optional) Select the Generate Entitlement Forms option if you want to associate the new form with the entitlements. Using this form, users can provide additional information that might help an approver during the approval process.

  9. In the Available form fields section, a list of form field names along with their description and Display Name is displayed. These fields are available for the form you are creating. For each available form field, you can select the Bulk Update option. Selecting this option makes the form field available for updating the entities in bulk.

  10. In the Create Application Instance page or the Attributes tab of the Application Instance details page, click Refresh adjacent to the Form field.

  11. Select the newly created form in the Form list and click Apply.

9.3.5.2 Modifying Forms Associated With Application Instances

Note:

You cannot modify forms directly. Before modifying forms, you must create a sandbox and activate it. See Managing Sandboxes in Developing and Customizing Applications for Oracle Identity Governance for information about creating and activating a sandbox.

To modify a form associated with an application instance:

  1. Open the Create Application Instance page or the Attributes tab of the Application Instance details page.
  2. From the Form list, select the form you want to modify.
  3. Click Edit to the right of the Form field. The Manage Form page is displayed, as shown in Figure 9-1:

    Figure 9-1 The Manage Form Page

    For information about creating and editing custom fields, see Configuring Custom Attributes.

  4. (Optional) If you want to associate a form with an entitlement, then you can regenerate the form to allow users to provide additional information that might help the approver during the approval process. To do so, click Regenerate View. In the Regenerate View popup window, select the Generate Entitlement Forms checkbox. See Modifying Forms By Using the Form Designer for information about the options available in the Regenerate View popup window.

    Note:

    If you have upgraded Oracle Identity Manager, then you must regenerate all the forms to use this feature.

9.3.5.3 Localizing Application Instance Form

To localize the application instance form:

  1. Create an application instance of the connector with a form attached to it.

  2. Log in to Oracle Enterprise Manager.

  3. Go to Application Deployments, oracle.iam.console.identity.sysadmin.ear, MDS Configuration.

  4. Click Export and save the archive to the host.

  5. Unzip the archive, and open the SAVE_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf file in a text editor.

    Note:

    This file may not exist in MDS. If it does not exist, then create a new one, but the path must be the same.

  6. Edit the BizEditorBundle.xlf file in the following way:

    1. Search and replace the following:

      <file source-language="en"  
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      

      With the following for Japanese language:

      <file source-language="en" target-language="ja"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      
    2. Search for the application instance code. This procedure shows a sample edit for the JDE application instance. The original code is:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_JDE_LANGUAGE__c_description']}">
      <source>Language</source>
      </target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.JDEArj.entity.JDEArjEO.UD_JDE_LANGUAGE__c_LABEL">
      <source>Language</source>
      </target>
      </trans-unit>
      
    3. Open the resource file from the connector package, for example JDEdwards_ja.properties, and get the value of the attribute from the file, for example, global.udf.UD_JDE_LANGUAGE=\u8A00\u8A9E.

    4. Replace the original code shown in step 6b with the following:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_JDE_LANGUAGE__c_description']}">
      <source>Language</source>
      <target>\u8A00\u8A9E</target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.JDEArj.entity.JDEArjEO.UD_JDE_LANGUAGE__c_LABEL">
      <source>Language</source>
      <target>\u8A00\u8A9E</target>
      </trans-unit>
      
    5. Repeat steps 6a through 6d for all attributes of the process form.

    6. Save the file as BizEditorBundle_ja.xlf.

  7. Repackage the ZIP file and import it to MDS.

    See Also:

    See the Deploying and Undeploying Customizations chapter in Developing and Customizing Applications for Oracle Identity Governance for more information about exporting and importing metadata files.

  8. Log out of Oracle Identity Manager and log in again.
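The following is an added example, not part of Oracle's documentation or product code, that automates steps 6a through 6d for every UD_ field of a form: it reads the connector's Japanese resource bundle, sets target-language on the <file> element, and fills a <target> into each matching trans-unit of the exported BizEditorBundle.xlf. The properties text and the XLIFF fragment are constructed samples, and a <body> wrapper around the trans-units is assumed.

```python
"""Added example (not Oracle's code): fill the <target> elements of an exported
BizEditorBundle.xlf from a connector resource bundle (JDEdwards_ja.properties)."""
import re
from xml.sax.saxutils import escape

# Constructed sample shaped like a connector resource bundle. Values are kept as
# Java \\uXXXX escapes, exactly as such a .properties file stores them.
PROPERTIES_JA = """\
# constructed sample: Japanese labels for the JDE process form
global.udf.UD_JDE_LANGUAGE=\\u8A00\\u8A9E
global.udf.UD_JDE_USER_ID=\\u30E6\\u30FC\\u30B6\\u30FCID
"""

# Constructed fragment of the exported BizEditorBundle.xlf before localization. The
# dangling </target> mirrors the shape shown in step 6b; UD_JDE_STATUS has no entry
# in the bundle, to show how untranslated fields are reported.
XLF_EN = """\
<file source-language="en"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">
<body>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.JDEArj.entity.JDEArjEO.UD_JDE_LANGUAGE__c_LABEL">
<source>Language</source>
</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.JDEArj.entity.JDEArjEO.UD_JDE_USER_ID__c_LABEL">
<source>User ID</source>
</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.JDEArj.entity.JDEArjEO.UD_JDE_STATUS__c_LABEL">
<source>Status</source>
</target>
</trans-unit>
</body>
</file>
"""

FIELD_RE = re.compile(r"(UD_[A-Z0-9_]+?)__c")   # ...UD_JDE_LANGUAGE__c_LABEL -> UD_JDE_LANGUAGE
UNIT_RE = re.compile(r'(<trans-unit id="([^"]*)">)(.*?)(</trans-unit>)', re.DOTALL)
SOURCE_RE = re.compile(r"<source>.*?</source>", re.DOTALL)
FILE_RE = re.compile(r'<file source-language="en"(?![^>]*target-language=)')


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value; # and ! start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def java_unescape(value):
    """Turn Java \\uXXXX escapes into the characters they denote."""
    return re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), value)


def localize_xlf(xlf, props, lang, prefix="global.udf.", decode_escapes=False):
    """Return (localized_xlf, translated_unit_ids, untranslated_field_names).

    Adds target-language to <file> (step 6a), then rewrites every trans-unit whose
    id names a UD_ field to <source>..</source><target>..</target> (steps 6b-6d).
    With decode_escapes=False the \\uXXXX sequence is copied verbatim, as step 6d does.
    """
    out = FILE_RE.sub(f'<file source-language="en" target-language="{lang}"', xlf, count=1)
    translated, missing = [], []

    def fix_unit(m):
        open_tag, unit_id, body, close_tag = m.groups()
        field = FIELD_RE.search(unit_id)
        source = SOURCE_RE.search(body)
        if not field or not source:
            return m.group(0)          # not a process-form field unit; leave as is
        value = props.get(prefix + field.group(1))
        if value is None:
            missing.append(field.group(1))
            return m.group(0)
        if decode_escapes:
            value = java_unescape(value)
        translated.append(unit_id)
        return f"{open_tag}\n{source.group(0)}\n<target>{escape(value)}</target>\n{close_tag}"

    return UNIT_RE.sub(fix_unit, out), translated, missing


if __name__ == "__main__":
    localized, done, gaps = localize_xlf(XLF_EN, parse_properties(PROPERTIES_JA), "ja")
    print(localized)                                 # save this as BizEditorBundle_ja.xlf
    print(f"translated {len(done)} unit(s); no translation for: {gaps}")
```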

9.4 Configuring Application Instances

After creating application instances, you need to configure application instances, which involves configuring resource objects, IT resources, and password policies for the application instances.

This section contains the following topics:

9.4.1 Configuring a Resource Object

Use the Design Console to configure resource objects.

For information about configuring a resource object, see Resource Objects Form in Developing and Customizing Applications for Oracle Identity Governance.

9.4.2 Configuring IT Resource

An application instance can be configured for only one IT resource. If the process form requires the values of two or more IT resources for provisioning an account, then this cannot be configured directly from the UI.

To configure two or more IT resources for provisioning an account:

Note:

For information about configuring an IT resource, see Managing IT Resources.

  1. Identify the main IT resource for the account and configure the application instance with that.

  2. Use an entity adapter to populate the values for the other required IT resources. For example, the Microsoft Exchange connector 9.1.1.7 requires the values of both the AD IT resource and the Exchange IT resource to provision an Exchange account. Perform steps 3 and 4 to make it work in R2.

  3. Create an application instance with the Exchange IT resource, and choose the AD application instance as the parent application because Exchange is a dependent resource of AD.

  4. Configure an entity adapter to pass the value of the AD IT resource to the process form. To do so:

    1. Keep track of the dependent IT resource name, such as Exchange, and the independent IT resource name, such as AD. This mapping can be hardcoded, or externalized in a lookup and then initialized in the code.

    2. Create an entity adapter that takes a long as a parameter. This is the parent IT resource key that will be populated.

    3. In the adapter code, find the parent IT resource name and do a reverse lookup of the child IT resource name by using the map mentioned in step 4a.

    4. From the child IT resource name, get the child IT resource key as a long and return it. The entity adapter return value is set on the child IT resource field of the process form.

9.4.3 Configuring Password Policies for Application Instances

You can create a password policy for an application instance. This is done by setting a new rule for the password in the Design Console.

Perform the following steps to configure the password policy for application instances:

  1. Log in to Oracle Identity Self Service.

  2. Create a password policy for the application instance by setting a new rule for the password. See Managing Password Policies in Performing Self Service Tasks with Oracle Identity Governance for information about creating and managing password policies.

  3. After you set the password policy for an Application Instance, you need to attach the new policy to the connected (AD User) application instance. To do so:

    1. Go to Design Console.

    2. Under Resource Management, click Resource Objects.

    3. Click the Password Policies Rule tab.

    4. Select the new password policy (AD pwdpolicy) that you created to attach it to the connected application instance.

    5. Click Add.

      Figure 9-2 shows the Password Policies Rule tab of the Resource Object form.

      Figure 9-2 Attach Password Policy to Application Instance

9.5 Developing Entitlements

Concepts related to developing entitlements are entitlement data capture process, marking entitlement attributes on child process forms, duplicate validation for entitlements, configuring scheduled tasks for working with entitlement data, deleting entitlements, refreshing the entitlement list post delete for new entries, disabling the capture of modifications to assigned entitlements, and generating entitlement-related reports.

This section discusses developing entitlements in the following topics:

9.5.1 About Entitlements

An entitlement granted to an account on a target system enables the account owner (user) to perform a specific task or function.

An entitlement can be a role, responsibility, or group membership. For example, if user Richard is granted the Inventory Analyst role on a target system, then Richard can use that entitlement to access and generate inventory-related reports from the target system.

In Oracle Identity Manager, there is one process form for each account (resource) provisioned to an Oracle Identity Manager User. Entitlement data is stored in child process forms of the process form. In the example described earlier, the process form for Richard's account on the target system has a child process form that holds Inventory Analyst role data.

Entitlements can be requested directly instead of first requesting a modify resource on user accounts. Entitlements are not part of the account data as the child forms are handled independently. A user can provision, modify, or revoke an entitlement. For the requested entitlements, the user can provide additional information that might help an approver during the approval process.

Attributes that constitute entitlement data stored on a child process form may vary from one target system to another. In addition, different types of entitlements, such as roles and responsibilities, may have different attributes. For example, Target System A contains the following role data attributes:

  • Role Name

  • Role Description

  • Start Date

  • End Date

The same target system can have a different set of attributes for responsibility data:

  • Responsibility ID

  • Date Assigned

  • Proxy User

  • Escalation User

You can mark or highlight the attribute that uniquely identifies an entitlement on a target system. For the sample role and responsibility data attributes listed earlier, the Role Name and Responsibility ID attributes uniquely identify the role and responsibility entitlements on Target System A. By marking attributes that uniquely identify entitlements, you enable the capture of entitlement data that can be used by other identity management solutions and also displayed in reports.

Note:

If you are using the SAP User Management connector release 9.x with this release of Oracle Identity Manager, then perform the following steps for the Roles and Profiles entitlements to work correctly:

  1. In the Role Child Form, from the Role System Name field, remove the Entitlement and Required properties.

  2. In the Profiles Child Form, from the Profile System Name field, remove the Entitlement and Required properties.

9.5.2 Available Entitlements and Assigned Entitlements

The target system provides a list of preconfigured entitlements that are available, along with an assigned entitlement list. You can use these entitlements and assign them to users on the target system.

A target system can have a set of entitlements defined and ready for assignment to accounts (users) on the target system. When you integrate this target system with Oracle Identity Manager, you can import (synchronize) entitlement data from the target system into the LKV table on Oracle Identity Manager.

Note:

If you use a predefined connector to integrate the target system, then you can use scheduled tasks to fetch entitlement data into this table.

The Entitlement List scheduled job is run to synchronize the entitlements to the request catalog. An entitlement is available when it can be found in the request catalog. See Ongoing Synchronization for more information about configuring Catalog Synchronization.

During a provisioning operation, you request the entitlement through the Catalog. You can also populate the entitlement data along with the parent data as request data set when submitting a request for an application instance. In this guide, entitlements assigned to accounts are called assigned entitlements. Data about assigned entitlements is stored in child process form tables.

9.5.3 Entitlement Data Capture Process

After you mark the entitlement attribute in each child process form, capture of data about available entitlements takes place.

The following steps describe how data about available entitlements is captured:

Note:

  • You must mark the entitlement attribute in each child process form to enable the process described in these steps. The procedure is described later in this chapter.

  • Make sure that the parent form has the latest child form version. This does not happen automatically when you create, edit, and activate the child form without doing the same with the parent form. The Entitlement field can be marked from the Form Designer, which takes care of activating the parent and child forms.

  1. Data about available entitlements is stored in the LKV table through synchronization with the target system.
  2. You schedule and run the Entitlement List scheduled task.
  3. The scheduled task identifies the entitlement attribute through the Entitlement property on the child process form.
  4. The scheduled task copies data about available entitlements from the LKV table to the ENT_LIST table.

9.5.4 Marking Entitlement Attributes on Child Process Forms

You must mark the entitlement attribute in the child process form UD_ table for resources for which you want to capture entitlement data.

Suppose there are 15 target systems in your operating environment. If you want to capture entitlement data from 12 of 15 resources, then you must mark the entitlement attribute in those 12 resources.

Apply the following guidelines while performing the procedure described in this section:

  • On a child process form, only one attribute holding entitlement data can be marked.

  • The attribute that you mark must be of the LookupField type and its property must be one of the following:

    • Lookup code

    • Lookup query

      The Lookup query must satisfy the following conditions:

      • The query uses the LKU and LKV tables

      • The Lookup code in the query is from the LKU table

      • The LKV_ENCODED column value is used for saving

      • The LKV_DECODED column value is used for display purposes

To mark a field as an entitlement in a child process form:

  1. Log in to Identity System Administration.
  2. Using the Form Designer, create a child form attribute, as described in Creating a Custom Child Form Attribute. Make sure that the Entitlement and Searchable options are selected when creating an attribute for entitlement.

9.5.5 Duplicate Validation for Entitlements or Child Data

Duplicate entitlement or child data is validated based on the Key attribute or the Entitlement attribute, whichever is set.

The configuration of these attributes is checked before duplicates in the child data are validated. Table 9-2 summarizes the possible valid and invalid configurations.

Table 9-2 Possible Scenarios and Duplicate Validation Basis

Columns: Entitlement Attribute | Key Attribute for Reconciliation Field Mapping | Configuration Validation for a Connected Application Instance | Configuration Validation for a Disconnected Application Instance

  1. Not defined (see Note 1) | Not defined | Valid | Valid

  2. Defined. One attribute, say UD_CHILD1_ENT1, has Entitlement=true (see Note 2) | Not defined | Invalid | Valid

  3. Not defined | Defined. One attribute, say UD_CHILD1_ENT1, is set as the key attribute in the recon field mapping. | Valid | Valid

  4. Defined. One attribute, say UD_CHILD1_ENT1, has Entitlement=true | Defined. One attribute, say UD_CHILD1_ENT1, is set as the key attribute in the recon field mapping. | Valid | Valid

  5. Defined. One attribute, say UD_CHILD1_ENT1, has Entitlement=true (see Note 3) | Defined. Two or more attributes, say UD_CHILD1_ENT1 and UD_CHILD1_ENT2, are defined as key attributes in the recon field mapping for child table UD_CHILD1. | Valid | Valid

  6. Defined. One attribute, say UD_CHILD1_ENT1, has Entitlement=true (see Note 2) | Defined. One or more attributes, say UD_CHILD1_ENT2 and UD_CHILD1_ENT3, are defined as key attributes in the recon field mapping. | Invalid | Invalid

Note 1: In this scenario, the user is at risk of adding duplicate entitlements or child data because the configurations are not defined properly. A warning message is logged on the server asking the user to define the entitlement attribute and a matching reconciliation field mapping.

Note 2: The entitlement attribute does not have a matching key attribute defined in the reconciliation field mapping.

Note 3: The entitlement attribute is a subset of the reconciliation field mapping key attributes.

Oracle recommends configuring both the entitlement attribute and the matching key attribute for the child data in reconciliation field mappings to enable effective validation.

Once a valid configuration is detected, duplicates are validated based on the operation as listed in Table 9-3.

Table 9-3 Duplicate Validation Based on Operation

Operation               Duplicate Validation Description
Adding entitlement(s)   The attribute for which the "Entitlement=true" property is defined.
Adding child data       The attribute that is the key attribute in the reconciliation field mappings.

Note:

Oracle recommends configuring both the entitlement attribute and the key attribute for the child data in reconciliation field mappings to enable effective duplicate entitlement or child data validation.
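The following is an added example, not Oracle's code, that expresses the rules of Table 9-2 and Table 9-3 as runnable checks: it classifies an (entitlement attribute, reconciliation key attributes) configuration as valid or invalid for connected and disconnected application instances, then runs duplicate detection over constructed UD_CHILD1 rows on the basis each operation uses. The row values are constructed; UD_CHILD1_ENT1 and UD_CHILD1_ENT2 are the page's own placeholder names.

```python
"""Added example (not Oracle's code): the duplicate validation rules of Tables 9-2
and 9-3 as runnable checks over constructed UD_CHILD1 rows."""

CONNECTED = "connected"
DISCONNECTED = "disconnected"


def validate_configuration(entitlement_attr, key_attrs, instance_type):
    """Table 9-2: is this (entitlement attribute, recon key attributes) pair valid?

    entitlement_attr: the child attribute carrying Entitlement=true, or None.
    key_attrs:        attributes set as key in the reconciliation field mapping.
    Returns (is_valid, note); note is None when there is nothing to warn about.
    """
    key_attrs = set(key_attrs)
    if entitlement_attr is None:
        if key_attrs:
            return True, None                       # row 3
        # Row 1: accepted, but the server logs a warning because nothing is
        # available to detect duplicate entitlements or child data.
        return True, ("WARNING: define an entitlement attribute and a matching "
                      "reconciliation field mapping; duplicates cannot be validated")
    if entitlement_attr in key_attrs:
        # Rows 4 and 5: the entitlement attribute equals, or is a subset of, the keys.
        return True, None
    if not key_attrs:
        # Row 2: an entitlement attribute without any key attribute is rejected for a
        # connected application instance and tolerated for a disconnected one.
        return instance_type == DISCONNECTED, (
            "entitlement attribute has no matching key attribute in the "
            "reconciliation field mapping")
    # Row 6: key attributes exist but none of them is the entitlement attribute.
    return False, "entitlement attribute is not among the reconciliation key attributes"


def find_duplicates(existing_rows, new_rows, entitlement_attr, key_attrs, operation):
    """Table 9-3: split new_rows into (accepted, duplicates) for one operation.

    'add_entitlement' compares on the Entitlement=true attribute only;
    'add_child_data'  compares on the reconciliation key attribute(s).
    """
    if operation == "add_entitlement":
        basis = (entitlement_attr,)
    elif operation == "add_child_data":
        basis = tuple(sorted(key_attrs))
    else:
        raise ValueError(f"unknown operation: {operation}")
    seen = {tuple(row[a] for a in basis) for row in existing_rows}
    accepted, duplicates = [], []
    for row in new_rows:
        key = tuple(row[a] for a in basis)
        if key in seen:
            duplicates.append(row)
        else:
            seen.add(key)
            accepted.append(row)
    return accepted, duplicates


# Constructed child data for one account: UD_CHILD1_ENT1 (a role name) carries
# Entitlement=true and the recon key is (UD_CHILD1_ENT1, UD_CHILD1_ENT2), where
# UD_CHILD1_ENT2 stands for a second attribute such as a start date. This is row 5
# of Table 9-2: the entitlement attribute is a subset of the key attributes.
ENT_ATTR = "UD_CHILD1_ENT1"
KEY_ATTRS = ["UD_CHILD1_ENT1", "UD_CHILD1_ENT2"]
EXISTING = [
    {"UD_CHILD1_ENT1": "Inventory Analyst", "UD_CHILD1_ENT2": "2024-01-01"},
]
INCOMING = [
    {"UD_CHILD1_ENT1": "Inventory Analyst", "UD_CHILD1_ENT2": "2024-01-01"},  # exact repeat
    {"UD_CHILD1_ENT1": "Inventory Analyst", "UD_CHILD1_ENT2": "2025-06-01"},  # same role, new date
    {"UD_CHILD1_ENT1": "Sales Superintendent", "UD_CHILD1_ENT2": "2025-06-01"},
]


def demo():
    """Run both operations over the constructed data; returns the accepted-row counts."""
    ok, note = validate_configuration(ENT_ATTR, KEY_ATTRS, CONNECTED)
    assert ok and note is None
    as_entitlements, _ = find_duplicates(EXISTING, INCOMING, ENT_ATTR, KEY_ATTRS, "add_entitlement")
    as_child_data, _ = find_duplicates(EXISTING, INCOMING, ENT_ATTR, KEY_ATTRS, "add_child_data")
    # Adding entitlements: the second incoming row repeats the role, so only 1 is accepted.
    # Adding child data: its (role, date) key differs from the existing row, so 2 are accepted.
    return len(as_entitlements), len(as_child_data)


if __name__ == "__main__":
    print(demo())   # (1, 2)
```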

9.5.6 Configuring Scheduled Tasks for Working with Entitlement Data

The Entitlement List and Entitlement Assignments scheduled tasks must be configured to work with entitlement data.

You configure the following scheduled tasks for working with entitlement data:

9.5.6.1 Entitlement List

The Entitlement List scheduled task identifies the entitlement attribute from the child process form table and then copies entitlement data from the LKV table into the ENT_LIST table. A record created in the ENT_LIST table corresponds to an entitlement defined on a particular target system.

You must set a schedule for this task depending on how frequently new entitlements are defined on the target systems in your operating environment. In addition, you must run this scheduled task when new target systems are integrated with Oracle Identity Manager. In other words, you must run this task each time you mark a new entitlement. After the connector scheduled tasks fetch lookup field data from the target system into the LKV table, you can run the Entitlement List scheduled task to copy that entitlement data into the ENT_LIST table.

This scheduled task also handles updates to or deletion of entitlements from the target system. For example, if the Senior Accounts Analyst role is removed from the target system, then the connector scheduled task removes the entry for that role from the LKV table. When the Entitlement List scheduled task is run, it marks the row containing the role in the ENT_LIST table as a deleted row.

9.5.6.2 Entitlement Assignments

The Entitlement Assignments scheduled task is used for copying data about assigned entitlements into the ENT_ASSIGN table, for cases where the triggers fail to synchronize entitlement data from the UD_ table to ENT_ASSIGN. This task identifies the entitlement attribute from the child process form table, and then copies data about assigned entitlements from the child process form table into the ENT_ASSIGN table. A record created in the ENT_ASSIGN table corresponds to an entitlement assigned to a particular user on a particular target system.

You can use the RECORDS_TO_PROCESS_IN_BATCH attribute of this scheduled task to specify the number of records in each batch. The default batch size is 5000.

In addition, it creates INSERT, UPDATE, and DELETE triggers on the child process form tables from which it copies entitlement data.

9.5.7 Deleting Entitlements

When you delete entitlements, they are marked as soft-deleted. You must perform post-deletion processing tasks to delete the entitlements permanently.

This section describes how entitlements are deleted and the post-processing that follows, in the following sections:

9.5.7.1 About Entitlement Deletion

Entitlements can get deleted in any one of the following ways:

  • Deleting the Entitlement in the target, followed by synchronizing it via lookup reconciliation and further by the Entitlement List scheduled job.

  • Direct deletion of the Entitlement from Entitlement List via APIs.

  • Deleting via corresponding application instance.

In all the ways of deleting, the Entitlement will be marked as soft-deleted, that is, the "valid" flag on the Entitlement will be updated to mark it as soft-deleted.

In all the cases of deleting, you need to perform the following post-processing.

  • Unpublish the entitlement from the organization to which it is published

  • Update the Modify_date on the Entitlement in Entitlement List to the current date

  • Purge the instances of the Entitlement in the child table and Entitlement Assign

  • Remove the soft-deleted Entitlements that have been picked up by Catalog harvesting, and remove them from all request profiles.

Note:

  • In-flight requests that have references to soft-deleted Entitlements will fail.

  • Access Policies having deleted Entitlements should be manually updated to remove the same.

9.5.7.2 Deleting Entitlement Post-Processing

To perform post-processing of Entitlement soft-deletion in the provisioning component:

  1. Run the Entitlement Post Delete Processing Job scheduled job.

    This task will take the following inputs:

    • Application Instance Name/ALL

    • Mode: Revoke/Delete

  2. The task will perform the following functionality:

    1. Revoke mode: The scheduled task will revoke the entitlement-grant for all the accounts in Oracle Identity Manager, which have that specific entitlement granted.

    2. Delete mode: The scheduled task will simply hard-delete the entitlements from the Oracle Identity Manager database in the UD_CHILD table.

    3. In both the above cases, the Entitlement grant entry will be removed from ENT_ASSIGN.

    Note:

    The Mode flag must be set to Delete, and not Revoke, when you want to compensate for the post deletion of the entitlements. If you want entitlements that are deleted from the backend through the Design Console to also be removed from the request details, and the Grant task and the Revoke task not to appear in the user's inbox, then you must run the Entitlement Post Delete Processing Job scheduled job with the Mode flag set to Delete.

  3. Run the Entitlement List scheduled task. This is an existing scheduled task that goes to all the resources that have an entitlement field, gets the corresponding lookup definition, and populates ENT_LIST with the values from the lookup definition, setting the correct SVR_KEY in the process.

9.5.8 Refreshing the Entitlement List Post Delete for New Entries

Synchronizing data to the entitlement list is done by running the Entitlement List and Entitlement Post Delete Processing Job scheduled jobs.

When an entry with the same encoded value is deleted and added consecutively in a lookup code, you need to perform the following steps to synchronize the data to the entitlement list:

  1. Log in to Oracle Identity System Administration.
  2. Run the Entitlement List job to soft delete the existing entry.
  3. Run the Entitlement Post Delete Processing Job scheduled job with Delete mode to clean up soft deleted items.
  4. Run Entitlement List job again to add the new entry.

9.5.9 Disabling the Capture of Modifications to Assigned Entitlements

You can manually disable incremental synchronization of assigned entitlement data in the ENT_ASSIGN table. In other words, you can disable the capture of modifications to assigned entitlements.

To achieve this, you create and run an SQL script to drop the following triggers created on the child process form tables:

Note:

These triggers are created by the Entitlement Assignments scheduled task.

  • The OIU_UDPATE trigger created on the OIU table

  • The TABLE_NAME_ENT_TRG triggers created on the UD_ tables.

After you run the script, modifications to assigned entitlements are not copied into the staging table.

The following is a sample of the TABLE_NAME_ENT_TRG trigger that the Entitlement Assignments scheduled task creates on a child process form table (here UD_LDAP_GRP). Your script must drop triggers of this form on each child process form table:

create or replace
TRIGGER UD_LDAP_GRP_ENT_TRG
AFTER INSERT
OR DELETE
OR UPDATE OF UD_LDAP_GRP_GROUP_NAME
ON UD_LDAP_GRP
FOR EACH ROW
BEGIN
  CASE
    WHEN INSERTING THEN
      -- new child row: propagate the assigned entitlement to ENT_ASSIGN
      OIM_SP_MANAGEENTITLEMENT('UD_LDAP_GRP', :NEW.UD_LDAP_GRP_GROUP_NAME, NULL,
        :NEW.UD_LDAP_GRP_KEY, :NEW.ORC_KEY, NULL, NULL, NULL,
        NULL, NULL, 'INSERT');
    WHEN UPDATING THEN
      -- only a change of the entitlement column is propagated
      IF :NEW.UD_LDAP_GRP_GROUP_NAME != :OLD.UD_LDAP_GRP_GROUP_NAME THEN
        OIM_SP_MANAGEENTITLEMENT('UD_LDAP_GRP', :NEW.UD_LDAP_GRP_GROUP_NAME,
          :OLD.UD_LDAP_GRP_GROUP_NAME, :NEW.UD_LDAP_GRP_KEY, :NEW.ORC_KEY, NULL,
          NULL, NULL, NULL, NULL, 'UPDATE');
      END IF;
    WHEN DELETING THEN
      -- child row removed: retire the assignment in ENT_ASSIGN
      OIM_SP_MANAGEENTITLEMENT('UD_LDAP_GRP', :OLD.UD_LDAP_GRP_GROUP_NAME,
        NULL, NULL, :OLD.ORC_KEY, NULL, NULL, NULL,
        NULL, NULL, 'DELETE');
  END CASE;
END;

9.5.10 Entitlement-Related Reports

Predefined reports that provide data about assigned entitlements are Entitlement Access List, Entitlement Access List History, User Resource Entitlement, and User Resource Entitlement History.

The following predefined reports provide data about assigned entitlements:

Note:

You must be a member of the ADMINISTRATORS group to be able to view these reports.

Duplicate assignments of the same entitlement to a particular user are suppressed in the reports because they are not copied to the ENT_ tables. For example, if user John Doe has been assigned the Sales Superintendent role twice on a target system, then the reports show only one instance of this entitlement.

9.5.10.1 Entitlement Access List

The Entitlement Access List report lists users who are currently assigned the entitlements that you specify while generating the report. The report provides basic information about the entitlements and the list of users to whom the entitlements are assigned.

9.5.10.2 Entitlement Access List History

The Entitlement Access List History report lists users who had been assigned the entitlements that you specify while generating the report. The report provides basic information about the entitlements and the list of users to whom the entitlements were assigned.

9.5.10.3 User Resource Entitlement

The User Resource Entitlement report lists the current entitlements of users whom you specify while generating the report. The report displays basic user information and entitlement details.

9.5.10.4 User Resource Entitlement History

The User Resource Entitlement History report lists details of past entitlements assigned to users whom you specify while generating the report. The report displays basic user information and entitlement details.

9.6 Managing Disconnected Resources

Managing disconnected resources includes understanding disconnected resources, managing disconnected application instances, provisioning operations on a disconnected application instance, configuring entitlement grant, understanding the status changes in manual process task action, customizing the provisioning SOA composite, and troubleshooting disconnected resources.

This section describes disconnected resources in the following topics:

9.6.1 About Disconnected Resources

Disconnected resources are targets for which there is no connector. Therefore, the provisioning fulfillment for disconnected resources is not automated, but manual.

In earlier releases of Oracle Identity Manager, disconnected provisioning was not supported as a first-class use case; it was supported by using manual tasks in the provisioning process. This approach has a number of limitations, which are addressed by the Disconnected Resources model. Disconnected resources are an enhanced configuration for manual provisioning that leverages SOA integration to provide greater flexibility and configurability of the manual provisioning workflow.

Some examples of disconnected resources include a Badge, Laptop, Pager, or any such item wherein the fulfillment is manual.

9.6.2 Disconnected Resources Architecture

The Disconnected Resource feature makes use of the existing Oracle Identity Manager provisioning engine artifacts such as the Provisioning Process, Process Task, Adapters and so on while providing BPEL Integration in a seamless and configurable manner.

When a Disconnected Application Instance is created from the UI, it automatically seeds a number of backend configuration artifacts, including a resource object (of type Disconnected), a provisioning process with tasks for the basic provisioning operations, an IT resource, and a process form with the minimal fields (which can be further customized).

Figure 9-3 illustrates the provisioning process architecture for disconnected resources.

Figure 9-3 Disconnected Resource Architecture

When a disconnected application instance is provisioned to a user (via request or otherwise), the specific workflow in the provisioning process is triggered. This fires the corresponding process task and executes the manual provisioning adapter, which invokes the out-of-the-box disconnected provisioning SOA composite. A SOA manual task is assigned to the System Administrator by default. When the assignee acts on the manual task, the provisioning callback web service is invoked with the assignee-specified response; it then completes or aborts the provisioning operation and updates the account appropriately.

Table 9-4 lists the attributes of the manual provisioning SOA composite payload that are available in the composite.

Table 9-4 Manual Provisioning SOA Composite Payload Attributes

Attribute               Description
Account ID              Account ID (oiu_key) for the account under consideration
AppInstance Name        Disconnected Application Instance Display Name
Resource Object Name    Disconnected Resource Object Name
ITResource Name         Disconnected ITResource Name
Beneficiary Login       Login of the account beneficiary
Entity Key              Application Instance Key in case of Provision, Revoke, Disable, and Enable account operations
Entity Type             Set to ApplicationInstance in case of Provision, Revoke, Disable, and Enable account operations
Beneficiary First Name  First name of the account beneficiary
Beneficiary Last Name   Last name of the account beneficiary
Descriptive Field       Account descriptive field for the account under consideration
URL                     Oracle Identity Manager callback URL for the web service
Request Key             Request Key if the operation is through a request
Requester Login         Login of the requester if the operation is through a request

9.6.3 Managing Disconnected Application Instance

Managing disconnected application instance includes creating a disconnected application instance and creating a disconnected application instance for an existing disconnected resource.

Managing disconnected application instance includes the following tasks:

9.6.3.1 Creating a Disconnected Application Instance

Note:

You must create a new sandbox before creating the application instance. You must publish the sandbox after creating the application instance. See Managing Sandboxes in Developing and Customizing Applications for Oracle Identity Governance for information about creating and publishing a sandbox.

To create a disconnected application instance:

  1. Log in to Oracle Identity System Administration.
  2. Create and activate a sandbox.
  3. In the left pane, under Configuration, click Application Instances. The Application Instances page is displayed.
  4. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.
  5. In the respective attribute fields, enter the values as shown in the following table:

    Attribute      Value
    Name           Enter the name of the application instance. This is a required field.
    Display Name   Enter the display name of the application instance. This is a required field.
    Description    Specify a description of the application instance.
    Disconnected   Select the checkbox. This flag indicates that the application instance is not connected.
                   Note: This is a UI-only flag and is not persisted in the backend. Selecting it disables the Resource Object and ITResource Instance fields, because these are created automatically in the backend.

    Figure 9-4 shows the attributes in the Create Application Instance page.

    Figure 9-4 Create Application Instance Attributes
  6. Click Save, and then click OK on the information dialog box. The application instance is created, and its details are displayed.
  7. Publish the sandbox.
  8. The UI form for the disconnected resource is automatically created and set. Click Apply.
  9. In addition to the application instance, in the back end, the following provisioning artifacts are automatically created:
    • Resource object of type Disconnected

    • IT resource type definition with the following parameters:

      • Configuration Lookup

      • Connector Server Name

      • Identity Gateway Name

        Note:

        IT resource type definition parameters are for future use and the values for the same need not be set.

    • IT resource of that type definition

    • Parent process form with the following fields:

      • Account ID

      • Password

      • Account login

      • IT resource

    • Process definition with workflows for the following operations:

      • Provision Account

      • Enable Account

      • Disable Account

      • Revoke Account

      • Modify Account Attributes

    • Adapters

      • Manual Provisioning

      • Manual Entitlement Provisioning

  10. From the System Administration UI, search for the scheduled job called Catalog Synchronization Job and run it.

9.6.3.2 Creating a Disconnected Application Instance for an Existing Disconnected Resource

To create a disconnected application instance for an existing disconnected resource, see Creating Application Instances.

Note:

You must not select the Disconnected option, as this will create artifacts including the resource object and IT resource in the backend.

9.6.4 Provisioning Operations on a Disconnected Application Instance

When the provisioning process is triggered for an Enable, Disable, Revoke, or Provision operation, the corresponding process task is inserted, which runs the Manual Provisioning adapter. This adapter invokes the out-of-the-box provisioning SOA composite. The resulting SOA Human Task is assigned to the System Administrator by default.

From the Inbox in Oracle Identity Self Service, the System Administrator can:

  • Check the task details

  • Check the account details

  • Change process form data in Oracle Identity Manager by changing data and clicking the Fulfill button

  • Perform the operation manually in the target

  • Act on the pending task by clicking Complete or Reject.

When the assignee acts on the pending manual task, the provisioning callback web service is invoked. It continues the Oracle Identity Manager operation and updates the account accordingly. See Status Changes in Manual Process Task Action for details on how the account status changes based on the assignee's action.

Oracle Identity Manager does not support the following provisioning operations on a disconnected application instance:

  • Password operations

  • Provisioning process customization operations

When a process form field of a disconnected resource is updated, the "<FORM_NAME> Updated" process task is inserted into the provisioning process. This generates a manual SOA human task so that the assignee can apply the change in the corresponding target.

Note:

The "<FORM_NAME> Updated" task is inserted irrespective of whether the update is to a single process form field or to multiple process form fields. This behavior differs from that of a connected resource. In addition, the individual process form field update tasks need not be configured for a disconnected resource.

9.6.5 Configuring Entitlement Grant

Configuring an entitlement grant for a disconnected resource involves creating a child form and configuring the lookup definition for entitlements.

To configure an entitlement grant:

Note:

Before creating child forms, create and activate a sandbox.

  1. Go to Oracle Identity System Administration. Under Configuration, click Form Designer and perform the following steps:

    1. Click Resource Type, and search for the disconnected resource.

    2. From the search result, click on the disconnected application instance form name.

  2. Go to Child Objects tab and click Add to add a child form.

  3. In the Name field, provide a name to the child table and click OK.

  4. Click the name link to open it for editing.

  5. Click Create. In the Select Field Type dialog box, select Lookup, and click OK.

  6. Provide the following values for the entitlement field:

    1. In the Display Label field, enter a display name.

    2. In the Name field, enter a name for the lookup.

  7. Select the following check boxes:

    • Searchable

    • Entitlement

    • Searchable Picklist

      Note:

      You must select the Searchable, Entitlement, and Searchable Picklist check boxes to create an entitlement field on the child form.
  8. Create a new custom field of Lookup Type and click OK.

  9. In the List of Values section, click the Create a new lookup type icon, and provide values for Meaning (for example, Lookup.Laptop.apps), Code (for example, Lookup.Laptop.apps), and Description, as follows:

    1. Click New to add lookup codes for the entitlement values. The values in the Code and Meaning columns must have the following format:

      Code: <ENTITLEMENT_NAME>

      Meaning: <ENTITLEMENT_DESCRIPTION>

    2. Click Save. The Create Lookup Type dialog box closes.

    3. Click Save and Close.

  10. Click Back to Parent Object to return to the parent form.

  11. Click Regenerate View to regenerate UI artifacts and dataset, and confirm by clicking OK.

    See Modifying Forms By Using the Form Designer for information about the options available in the Regenerate View popup window.

  12. Publish the sandbox.

  13. In Oracle Identity System Administration, under System Management, click Scheduler.

  14. Search for the scheduled job called Entitlement List and run it.

  15. After that job completes, search for the scheduled job called Catalog Synchronization Job and run it.

Note:

Customization of the provisioning process is not supported, but you can customize the Disconnected Provisioning Composite.

9.6.6 Status Changes in Manual Process Task Action

Provisioning action statuses change based on each manual task action on provisioning operations.

Table 9-5 provides details about status changes based on manual task action:

Table 9-5 Manual Process Task Action Statuses

Provisioning Operation   Manual Task Action   Provisioning Action
Provision                Complete             Account status will be set to Provisioned.
Provision                Reject               Account status will not be updated.
Disable                  Complete             Account status will be set to Disabled.
Disable                  Reject               Account status will not be updated.
Enable                   Complete             Account status will be set to Enabled.
Enable                   Reject               Account status will not be updated.
Revoke                   Complete             Account status will be set to Revoked.
Revoke                   Reject               Account status will not be updated.
Update                   Complete             No operation.
Update                   Reject               No operation.
Grant Entitlement        Complete             Completes the child table insert trigger process task and sets the entitlement status to Provisioned.
Grant Entitlement        Reject               Cancels the child table insert trigger process task, which deletes the child table entry.
Revoke Entitlement       Complete             Deletes the child table entry from Oracle Identity Manager.
Revoke Entitlement       Reject               No operation.
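The following is an added example, not code from Oracle Identity Manager or its SOA composite. It models the flow described in Provisioning Operations on a Disconnected Application Instance (process task, Manual Provisioning adapter, human task, callback web service) together with the outcomes in Table 9-5, so that the effect of each assignee action on the account and on the entitlement child table can be checked offline. It also models the ordered task-assignment rules of Customizing Human Task Assignment via SOA Composer under the assumption that rules are evaluated top-down and the first match wins. All class names, rule names, assignee names and the "HR Apps" instance are assumptions made for the example.

```python
"""Offline model of the disconnected-resource manual provisioning flow.

Added example, not Oracle Identity Manager code: it models the process task ->
Manual Provisioning adapter -> SOA human task -> callback flow of 9.6.4, the
assignee outcomes of Table 9-5 and the ordered assignment rules of 9.6.7.1.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

COMPLETE = "Complete"
REJECT = "Reject"
DEFAULT_ASSIGNEE = "System Administrator"   # target of ManualProvisioningRule

# Table 9-5: account status the callback writes when the assignee clicks Complete.
STATUS_ON_COMPLETE = {"Provision": "Provisioned", "Enable": "Enabled",
                      "Disable": "Disabled", "Revoke": "Revoked"}
# Password operations are unsupported on a disconnected instance (names illustrative).
UNSUPPORTED = {"Password Change", "Password Reset"}

@dataclass
class HumanTask:
    operation: str
    app_instance: str               # payload attribute a custom rule can match on
    account_id: str
    entitlement: Optional[str] = None
    assignee: str = DEFAULT_ASSIGNEE
    state: str = "Assigned"

@dataclass
class Account:
    account_id: str
    status: str = "Provisioning"
    # child table: entitlement name -> entitlement status
    entitlements: Dict[str, str] = field(default_factory=dict)

# (rule name, predicate on the task payload, assignee); first match wins (assumed).
Rule = Tuple[str, Callable[[HumanTask], bool], str]

class DisconnectedProvisioning:
    def __init__(self, custom_rules: Optional[List[Rule]] = None):
        self.accounts: Dict[str, Account] = {}
        # Custom rules sit above the catch-all default, as 9.6.7.1 requires.
        self.rules: List[Rule] = list(custom_rules or []) + [
            ("ManualProvisioningRule", lambda t: True, DEFAULT_ASSIGNEE)]
        self.audit: List[str] = []

    def assign(self, task: HumanTask) -> HumanTask:
        """Evaluate assignment rules in priority order and route the task."""
        for name, matches, assignee in self.rules:
            if matches(task):
                task.assignee = assignee
                self.audit.append(f"{name}: {task.operation} -> {assignee}")
                break
        return task

    def trigger(self, operation: str, app_instance: str, account_id: str,
                entitlement: Optional[str] = None) -> HumanTask:
        """Process task inserted; the adapter's composite raises a human task."""
        if operation in UNSUPPORTED:
            raise ValueError(f"{operation} is not supported on a disconnected resource")
        acct = self.accounts.setdefault(account_id, Account(account_id))
        if operation == "Grant Entitlement":
            acct.entitlements[entitlement] = "Pending"   # child table insert trigger
        return self.assign(HumanTask(operation, app_instance, account_id, entitlement))

    def callback(self, task: HumanTask, action: str) -> Account:
        """Provisioning callback web service: apply the Table 9-5 outcome."""
        if task.state != "Assigned" or action not in (COMPLETE, REJECT):
            raise ValueError("task already acted on, or unknown action")
        acct, op, ent = self.accounts[task.account_id], task.operation, task.entitlement
        if op in STATUS_ON_COMPLETE:
            if action == COMPLETE:
                acct.status = STATUS_ON_COMPLETE[op]
            # Reject: account status is not updated
        elif op == "Grant Entitlement":
            if action == COMPLETE:
                acct.entitlements[ent] = "Provisioned"
            else:
                acct.entitlements.pop(ent, None)   # cancel insert trigger, delete the row
        elif op == "Revoke Entitlement":
            if action == COMPLETE:                 # Reject: no operation
                acct.entitlements.pop(ent, None)
        elif op != "Update":                        # Update: no operation either way
            raise ValueError(f"unknown provisioning operation {op}")
        task.state = action
        self.audit.append(f"{task.assignee} {action} {op} for {task.account_id}")
        return acct

def demo() -> Dict[str, str]:
    """Route an 'HR Apps' task to a custom assignee, provision, then reject a grant."""
    hr_rule: Rule = ("HRAppsRule", lambda t: t.app_instance == "HR Apps", "hr-admins")
    flow = DisconnectedProvisioning(custom_rules=[hr_rule])
    task = flow.trigger("Provision", "HR Apps", "jdoe")
    flow.callback(task, COMPLETE)
    grant = flow.trigger("Grant Entitlement", "HR Apps", "jdoe", "Payroll Viewer")
    acct = flow.callback(grant, REJECT)             # child table entry is deleted again
    return {"assignee": task.assignee, "status": acct.status,
            "entitlements": ",".join(acct.entitlements)}
```

The audit list is the part worth keeping in mind when reviewing a real deployment: because a rejected task leaves the account status untouched and a rejected grant silently removes the child table row, the human task history in the Inbox is the only record of who declined what.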

9.6.7 Customizing Provisioning SOA Composite

Customizing the provisioning SOA composite involves customizing the Human Task Assignment via SOA Composer and modifying the predefined composite.

Provisioning SOA composite includes the following customizations:

9.6.7.1 Customizing Human Task Assignment via SOA Composer

The manual disconnected provisioning SOA composite has a default rule, ManualProvisioningRule, which assigns the human task to the System Administrator.

You can create a custom rule with a higher priority from the SOA Composer UI, based on the payload (for example, the Application Instance Name), and thereby customize the manual task assignment.

To add a custom rule:

  1. Access Oracle SOA Composer by navigating to the following URL:

    http://SOA_HOST:SOA_PORT/soa/composer

  2. Log in to the SOA Composer UI, click Open Task, and select the DisconnectedProvisioning_rev1.0 composite.
  3. On the ManualProvisioningTaskRules.rules tab, click Edit to add a custom rule.
  4. Add a rule by providing the rule name and the conditional assignment rule.
  5. Using the Up arrow, move the custom rule above ManualProvisioningRule.
  6. Save and commit the changes. The manual provisioning rule is added.

    See Also:

    SOA Composer documentation for more information about creating rules

9.6.7.2 Customizing by Modifying the Predefined Composite

To modify the default and predefined Disconnected Provisioning composite:

  1. Copy the composite from OIM_HOME/workflows/composites/DisconnectedProvisioning.zip to a local JDeveloper working location. Unzip it in the same directory to create the DisconnectedProvisioning directory.
  2. Open the composite in JDeveloper in Default Role.

    Note:

    You must install the version of JDeveloper that is compatible with the Oracle Identity Manager deployment. In addition, install any patches for JDeveloper so that JDeveloper works correctly with the SOA composites.

  3. As part of the customization, do not alter the following:
    • Payload attributes defined in DisconnectedProvisioning\xsd\ManualProvisioningTaskPayload.xsd

    • ProvisioningCallbackService partnerlink and mappings

  4. Double-click composite.xml to open the composite and modify as per your requirements.
  5. Deploy the SOA composite from JDeveloper to the Oracle SOA server. Do not change the Revision ID, and select the Overwrite any existing composites with the same revision ID option.

9.6.8 Troubleshooting Disconnected Resources

Common problems that you may encounter while performing provisioning and other tasks for disconnected resources are a manual task that is not assigned to the assignee, and an account status that is not modified after the task is completed.

Table 9-6 lists these problems and their solutions.

Table 9-6 Troubleshooting Disconnected Resources

Problem: Upon provisioning a disconnected application instance, the manual task is not assigned to the assignee.

Solution: Perform the following steps:

  1. Make sure that the SOA server is running.

  2. Check the Open Tasks page for rejected process tasks, and check the error information in the task, if any.

  3. Check the Oracle Identity Manager logs to verify that the adapter is running.

Problem: Upon manual task completion, the account status is not modified.

Solution: Perform the following steps:

  1. Make sure that the provisioning callback web service, Provcallback, is deployed.

  2. Test the web service from the application server console.