Oracle Identity Manager Administration

Oracle Identity Manager: Administration
Volume I Student Guide
D46308GC10 Edition 1.0 January 2007 D48930
Oracle Identity Manager: Administration

Electronic Presentation
D46308GC10 Edition 1.0 January 2007 D48932
Authors
Robert La Vallie
Copyright 2007, Oracle. All rights reserved. Disclaimer This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle. The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free. Restricted Rights Notice If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS The U.S. Governments rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract. Trademark Notice Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Technical Contributors and Reviewers

John Aisien Rhonda Bassett Mary Bryksa Eugene Choi Usha George Rohit M Gupta Susan Jang Pavana Jain Nishant Kaushik Ed King Svetlana Kolomeyskaya Su Lim Bruce Lowenthal Todd Morrissette Naga Nagarajan Holger Dindler Rasmussen Vickie Reed Stanislav Sadykov Mohit Singh Adam Skaffloth Jayanthan Thomas Trent Watkins
Editors
Richard Wallis Daniel Milne
Graphic Designer
Steve Elwood Satish Bettegowda
Publisher
Jobi Varghese
Authors
Robert La Vallie
Copyright 2007, Oracle. All rights reserved. Disclaimer This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle. The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free. Restricted Rights Notice If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS The U.S. Governments rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract. Trademark Notice Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Technical Contributors and Reviewers

John Aisien Rhonda Bassett Mary Bryksa Eugene Choi Usha George Rohit M Gupta Pavana Jain Susan Jang Nishant Kaushik Ed King Svetlana Kolomeyskaya Su Lim Bruce Lowenthal Todd Morrissette Naga Nagarajan Holger Dindler Rasmussen Vickie Reed Stanislav Sadykov Mohit Singh Adam Skaffloth Jayanthan Thomas Trent Watkins
Editors
Richard Wallis Daniel Milne
Graphic Designer
Steve Elwood Satish Bettegowda
Publisher
Jobi Varghese
Introduction
Copyright 2007, Oracle. All rights reserved.
Course Objectives
After completing this course, you should be able to: Explain Oracle Identity Manager and its role in identity management Identify the three tiers and components of the Oracle Identity Manager architecture List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning Describe how Oracle Identity Manager handles reconciliation and provisioning
1-2
Course Objectives
Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions List the components that this connector must have Explain the steps that need to be completed to build an Oracle Identity Manager connector Prepare a predefined database for Oracle Identity Manager Install and deploy your Oracle Identity Manager Diagnostic Dashboard
1-3
Course Objectives
Use the dashboard tool to verify that Oracle Database is prepared properly and that Oracle Identity Manager can connect to it Install the Oracle Identity Manager Server Install the Oracle Identity Manager Design Console Perform postinstallation tasks for the Oracle Identity Manager Server and Design Console Use the Diagnostic Dashboard to verify that Oracle Identity Manager is loaded and configured properly Launch the Oracle Identity Manager Server Start the two Oracle Identity Manager consoles (the Administrative Console and the Design Console)
1-4 Copyright 2007, Oracle. All rights reserved.
Course Objectives
Differentiate between the two consoles Explain the links in the Administrative Console Explain the three types of Oracle Identity Manager users: system administrators, administrators of Oracle Identity Manager connectors, and end users Discuss the entities of which an Oracle Identity Manager user can be a member (that is, organizations and user groups) Differentiate between an organization and a user group Create records for an organization, the three types of Oracle Identity Manager users, and a user group
1-5
Course Objectives
Assign an Oracle Identity Manager user to a user group Explain the following:
How administrators view and modify their profiles in Oracle Identity Manager How administrators change their challenge questions and, as a result, reset their passwords What a proxy is How administrators assign, modify, and remove proxies How administrators see the resources that are provisioned to them How administrators see requests that are initiated by them and requests that require their approval
1-6
Course Objectives
Identify resources and Oracle Identity Manager connectors Explain how Oracle Identity Manager connectors differ from resources Discuss the three ways that a connector can be assigned to an Oracle Identity Manager user See how an administrator of an Oracle Identity Manager connector can view a graphical representation of a provisioning workflow Analyze what approval processes are and how they affect a provisioning workflow Identify the key features of autoprovisioning
Course Objectives
Discuss other day-two provisioning functions that an administrator of an Oracle Identity Manager connector can perform. These functions include:
Temporarily deactivating an end users account with a resource Reinstating an end users account Modifying the password of an end users account Permanently revoking the access rights that an end user has with the resource
Identify the two levels of customization for the Oracle Identity Manager Administrative Console Modify the look and feel of the console (that is, brand it)
Course Objectives
Change the functionality of the console without modifying the Oracle Identity Manager code Explain why the code should never be changed Describe the benefits of transferring Oracle Identity Manager connectors from one environment to another Identify the different ways that connectors can be transported between environments Explain how to export a connector Discuss how to import a different connector and configure it so that it is operable in your environment
1-9
Course Objectives
Identify the two types of reports that an administrator can create for Oracle Identity Manager users: operational reports and historical reports Differentiate between these two types of reports List the different operational and historical reports that are available with Oracle Identity Manager Discuss additional reports that can be created using a third-party tool (such as Oracle Discoverer) Create operational and historical reports with the Oracle Identity Manager Administrative Console
1 - 10
Course Objectives
Define attestation and attestation processes, including the fundamental components of an attestation process Describe the types of users who analyze, create, and manage attestation processes Identify the types of data that can be attested Discuss the different ways that attestation processes can be executed (that is, the schedule for attestation processes) Explain the workflow of an attestation process from beginning to end Configure your Oracle Identity Manager environment so that it can handle attestation processes
1 - 11 Copyright 2007, Oracle. All rights reserved.
Course Objectives
Create an attestation process by using the Oracle Identity Manager Administrative Console Access the Administrative Console as a reviewer and act on an attestation process that is assigned to you: certify it, decline it, reject it, or delegate it to another reviewer Access this console as a process owner and view information about the attestation process, including its status (certified, rejected, declined, or delegated to another reviewer) Troubleshoot Oracle Identity Manager
1 - 12
Course Units
This course is divided into the following units: 1. Product Overview 2. Installing, Configuring, and Launching Oracle Identity Manager 3. Managing Users, User Entities, and Resources 4. Modifying the Oracle Identity Manager Administrative Console 5. Deploying Resources 6. Constructing Reports 7. Using Attestation 8. Performing Advanced Functions with Oracle Identity Manager
Unit 1: Product Overview
This unit has a single lesson titled Understanding Oracle Identity Manager.
1 - 14
Unit 2: Installing, Configuring, and Launching Oracle Identity Manager

This unit comprises the following lessons: Installing and Configuring Oracle Identity Manager Starting and Understanding Oracle Identity Managers Consoles
1 - 15
Unit 3: Managing Users, User Entities, and Resources

This unit comprises the following lessons: Managing Users and User Entities Assigning Oracle Identity Manager Connectors to Users Provisioning Resources to Users
1 - 16
Unit 4: Modifying the Oracle Identity Manager Administrative Console

This unit has a single lesson titled Customizing the Oracle Identity Manager Administrative Console.
1 - 17
Unit 5: Deploying Resources
This unit has a single lesson titled Transferring Oracle Identity Manager Connectors.
1 - 18
Unit 6: Constructing Reports
This unit has a single lesson titled Creating Reports.
1 - 19
Unit 7: Using Attestation
This unit comprises the following lessons: Understanding Attestation Creating, Managing, and Reviewing Attestation Processes
1 - 20
Unit 8: Performing Advanced Functions with Oracle Identity Manager

This unit has a single lesson titled Troubleshooting Oracle Identity Manager.
1 - 21
Summary
In this introductory lesson, you should have learned about the course units and lessons.
1 - 22
Understanding Oracle Identity Manager
Objectives
After completing this lesson, you should be able to: Explain Oracle Identity Manager and its role in identity management Identify the three tiers and components of the Oracle Identity Manager architecture List the key features of Oracle Identity Manager with respect to identity management: Reconciliation and provisioning Describe how Oracle Identity Manager handles reconciliation and provisioning
2-2
Objectives
Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions List the components that this connector must have Explain the steps that need to be completed to build an Oracle Identity Manager connector
2-3
Oracle Identity Manager
Oracle Identity Manager is an application that handles and selectively automates tasks that manage a users access privileges. Such tasks include: Creating access privileges to resources for users Modifying these privileges dynamically based on changes to user and business requirements Removing these access privileges from users
2-4
Oracle Identity Manager Architecture
The architecture for Oracle Identity Manager: Is based on a Java 2 Enterprise Edition (J2EE) environment Separates the platforms Presentation, Server, and Data & Enterprise Integration tiers Enables the creation of n levels of layers
2-5
Oracle Identity Manager Architecture: Advantages
The advantages of this architecture include: Scalability Flexibility Variety
2-6
Oracle Identity Manager Architecture: Tiers

The Oracle Identity Manager architecture has three tiers:
Presentation tier
2-7
Server tier
Data & Enterprise Integration tier
Tier 1: Presentation Tier
The Presentation tier of Oracle Identity Manager has two layers: Presentation layer
Two consoles for Oracle Identity Manager: Administrative Console and Design Console
Dynamic Presentation Logic layer

Logic for generating dynamic pages for the Administrative Console by using JSPs, Java Servlets, XML, and JavaBeans
2-8
Tier 2: Server Tier
The Server tier of Oracle Identity Manager is the interface between the Presentation and Data & Enterprise Integration tiers. The application server for Oracle Identity Manager:
Resides in the Server tier Provides the life-cycle management, security, deployment, and run-time services to the logical components that support Oracle Identity Manager
2-9
Tier 2: Server Tier
The Server tier of Oracle Identity Manager supports: Clustering Load balancing Security management Scheduling
2 - 10
Tier 3: Data & Enterprise Integration Tier
The Data & Enterprise Integration tier of Oracle Identity Manager has two layers: Data Access layer
Layer that has components, which Oracle Identity Manager needs to communicate with its database
Back-end Database layer

Layer where the database resides
2 - 11
Tier 3: Data & Enterprise Integration Tier
The Back-end Database layer leverages the following capabilities: Clustering Standby database Replication
2 - 12
Reconciliation and Provisioning: Overview

Reconciliation is the process by which Oracle Identity Manager receives information from an external resource. Provisioning is the process by which Oracle Identity Manager sends information to a target resource. By using reconciliation and provisioning, Oracle Identity Manager can perform the following actions:
Create a user record in a resource Modify the privileges that the user has with the resource Remove the user record from the resource
2 - 13
Reconciliation: Types
There are two types of reconciliation that Oracle Identity Manager performs: Trusted source reconciliation Targeted resource reconciliation
2 - 14
2 - 15
Reconciliation: Events
Oracle Identity Manager can perform three types of reconciliation events with an external resource: Reconciliation Insert Reconciliation Update Reconciliation Delete
2 - 16
Provisioning: Types
There are two types of provisioning that Oracle Identity Manager performs: Day-one provisioning
Initial creation of access privileges to resources for users Removal of these privileges from users
Day-two provisioning
Dynamic modification of user privileges with resources, based on changes to user and business requirements
2 - 17
Trusted Source Reconciliation: Conceptual Diagram

Via provisioning and reconciliation, Oracle Identity Manager can build an accurate picture of the user identities that it manages in both a trusted source and a target resource.
Reconciliation flow Provisioning flow
Administrator
Trusted source (for example, a corporate directory)
Target resource (for example, an Oracle database)
End user
2 - 18
Targeted Resource Reconciliation: Conceptual Diagram

Via provisioning and reconciliation, Oracle Identity Manager can build an accurate picture of the user identities it manages in both a trusted source and a target resource.
Reconciliation flow Provisioning flow
End user
Trusted source (for example, a corporate directory)
Target resource (for example, an Oracle database)
Administrator
2 - 19
Oracle Identity Manager Connector: Overview

An Oracle Identity Manager connector is a container that holds all of the information that Oracle Identity Manager needs to: Reconcile with an external resource Provision a user with a target resource
2 - 20
Oracle Identity Manager Connector: Components
A connector must have the following seven components: IT resource type IT resource Process form Process task adapter Resource object Provisioning process Process task
2 - 21
2 - 22
Constructing an Oracle Identity Manager Connector: Step 1

Create an IT resource type. This record represents the classification type, parameter fields, and encryption settings that are associated with a resource.
IT resource type
2 - 23
This screenshot illustrates an IT resource type for an Oracle database. There is a one-to-one relationship between the IT resource type and the connector. That is, each connector should have only one IT resource type.
2 - 24

Define an IT resource. This record contains the values that Oracle Identity Manager needs to communicate with a resource and access it as a system administrator (for provisioning or reconciliation purposes).
IT resource type
IT resource
2 - 25

This screenshot illustrates an IT resource for an Oracle database. There is a one-to-one relationship between the IT resource and the system, service, or application that it represents. If you have four resources, you would thus have four IT resources.
2 - 26

Create a custom process form. This record is a central housing mechanism that holds everything that Oracle Identity Manager needs to either provision a user to a target resource or reconcile a user with an external resource.
IT resource type
IT resource
Custom process form
2 - 27

This screenshot illustrates a custom process form for an Oracle database.
2 - 28

Build a process task adapter. This piece of Java code is used by Oracle Identity Manager to automate the completion of a provisioning process task.
IT resource type
IT resource
Custom process form Process task adapter
2 - 29

A process task adapter automates the creation of a users account in an Oracle database. There is a one-to-one relationship between the adapter and a process task: each task can be associated with only one adapter.
2 - 30

Define a resource object. This record is a virtual representation of a resource and contains everything needed to either provision a user to that resource or reconcile a user with it.
IT resource type
IT resource
Resource object
5
Custom process form
Process task adapter
2 - 31

Example of a resource object for an Oracle database
2 - 32

Create a provisioning process. This record contains the steps that Oracle Identity Manager must complete to perform provisioning or reconciliation with a particular resource.
IT resource type
IT resource
Resource object
Provisioning process Process task adapter
Custom process form
2 - 33

There is a 1-to-1 relationship between a provisioning process and the workflow that it represents. If you have two resourcerelated workflows, you should have two processes.
2 - 34

Create a process task.
IT resource type
IT resource
Resource object
Provisioning process
Custom process form
7
2 - 35
Process task
Process task adapter
Example of a process task that Oracle Identity Manager uses to create a users account in an Oracle database
2 - 36

Attach the process task adapter to the process task.
IT resource type
IT resource
Resource object
Provisioning process
Custom process form
8
Process task Process task adapter
2 - 37
Example of a process task adapter being connected to a process task to create a users account in an Oracle database
2 - 38
Summary
In this lesson, you should have learned how to: Describe Oracle Identity Manager and its role in identity management Explain the three tiers and components of the Oracle Identity Manager architecture List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning Explain how Oracle Identity Manager handles reconciliation and provisioning
2 - 39
Summary
In this lesson, you should have learned how to: Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions List the components that this connector must have Explain the steps that need to be completed to build an Oracle Identity Manager connector
2 - 40
Installing and Configuring Oracle Identity Manager
Objectives
After completing this lesson, you should be able to: Prepare a predefined database for Oracle Identity Manager Install and deploy your Oracle Identity Manager Diagnostic Dashboard Use the dashboard tool to verify that your Oracle database is prepared properly and that Oracle Identity Manager can connect to it Install the Oracle Identity Manager Server Install the Oracle Identity Manager Design Console Perform postinstallation tasks for the Oracle Identity Manager Server and Design Console
Objectives
Use the Diagnostic Dashboard to verify that Oracle Identity Manager is loaded and configured properly
3-3
Preparing a Database for Oracle Identity Manager
Oracle Identity Manager requires a database. To use Oracle Database, you must: Install Oracle Database Create a database instance Prepare this database
3-4
Preparing a Database for Oracle Identity Manager
With the prepare_xl_db.bat script, administrators can prepare a database for Oracle Identity Manager.
E:\OIM901_Installation\installServer\ Xellerate\db\oracle> prepare_xl_db.bat train91 E:\orant\ora92 sysadm sysadm train91tbs E:\orant\ora92\oradata train91tbs_01 TEMP sys
3-5
3-6
Oracle Identity Manager Diagnostic Dashboard (Preinstallation)

The Oracle Identity Manager Diagnostic Dashboard is a Web application that can be used to check the preinstallation requirements for Oracle Identity Manager. These requirements include whether: An Oracle database is created and prepared properly Oracle Identity Manager can establish a connection to this database
3-7
3-8
Launching the Oracle Identity Manager Diagnostic Dashboard

To launch this tool, enter the appropriate URL in the Address field.
3-9
Using the Oracle Identity Manager Diagnostic Dashboard (Preinstallation)
To use this tool, select the check boxes for the tests that you want to perform, enter the test parameters (where applicable), and click Verify.
3 - 10
Using the Oracle Identity Manager Diagnostic Dashboard (Preinstallation)
Test passed Test failed
3 - 11
Installing the Oracle Identity Manager Server
The following slides illustrate how to install the Oracle Identity Manager Server. You must install this server on the same machine that is running the JBoss application server.
3 - 12
Installing the Oracle Identity Manager Server: Steps 14

Select Oracle Identity Manager with Audit and Compliance module to use the attestation features for audit and compliance purposes.
3 - 13
Installing the Oracle Identity Manager Server: Steps 56

Enter the base directory where you install the Oracle Identity Manager Server: E:\OIM901_server.
3 - 14
Installing the Oracle Identity Manager Server: Step 7

Select the Oracle option to configure Oracle Identity Manager to work with an Oracle database.
3 - 15

Populate the Database Information screen with values that Oracle Identity Manager uses to connect to your Oracle database.
3 - 16

Select the Oracle Identity Manager Default Authentication option to use predefined settings to authenticate the Administrative Console.
3 - 17
Installing the Oracle Identity Manager Server: Steps 10-11

Select the JBoss option to configure Oracle Identity Manager to work with a JBoss application server.
3 - 18
Installing the Oracle Identity Manager Server: Steps 12-15

Configure Oracle Identity Manager to work with your JBoss application server.
3 - 19
Installing the Oracle Identity Manager Design Console

The following slides illustrate how to install the Oracle Identity Manager Design Console. Note: You do not have to install the Administrative Console. To launch it, start the Oracle Identity Manager Server, open a Web browser, and enter the appropriate URL in the Address field.
3 - 20
Installing the Oracle Identity Manager Design Console: Steps 1-5

Enter the base directory where you install the Design Console: E:\OIM901_client.
3 - 21
Installing the Oracle Identity Manager Design Console: Step 6

Select the JBoss option to configure the Design Console to work with a JBoss application server.
3 - 22

Select this option to configure the Design Console to use the JRE that is packaged with Oracle Identity Manager.
3 - 23

Populate the Application Server configuration screen so that the Design Console works with your JBoss application server.
3 - 24
Installing the Oracle Identity Manager Design Console: Steps 9-12

Configure the Design Console to display approval and provisioning processes in a Web browser.
3 - 25
3 - 26
Performing Postinstallation Tasks for Oracle Identity Manager

The following section covers postinstallation tasks for the Oracle Identity Manager Server and Design Console. In this section of the lesson, you learn about the following tasks: Specifying an Oracle Identity Manager log level for the JBoss application server Making the Design Console operable by copying a JAR file into the appropriate Oracle Identity Manager directory
3 - 27
Setting Oracle Identity Manager Log Levels for JBoss

Oracle Identity Manager supports five log levels: DEBUG INFO WARN ERROR FATAL The levels are listed here in descending order according to the amount of information logged. Thus, DEBUG logs the most information and FATAL logs the least information.
3 - 28
Setting Oracle Identity Manager Log Levels for JBoss

In the priority value tag, you can set the log level for the JBoss application server to DEBUG, INFO, WARN, ERROR, or FATAL.
<category name =XELLERATE> <priority value=WARN /> </category>
3 - 29
Making the Design Console Functional
Copy the jbossall-client.jar file and paste it into the E:\OIM901_client\xlclient\ext directory.
3 - 30
Oracle Identity Manager Diagnostic Dashboard (Postinstallation)

The Diagnostic Dashboard can be used to: Check preinstallation requirements for Oracle Identity Manager Perform postinstallation checks and create reports to ensure that the Oracle Identity Manager environment is installed and configured properly
3 - 31
Diagnostic Dashboard: Postinstallation Checks
You can use the Diagnostic Dashboard after installation to determine whether: An Oracle Identity Manager user account is locked because of successive invalid login attempts The data encryption key in your Oracle Identity Manager installation is identical to the one used to encrypt the data in your Oracle Identity Manager database The scheduler service is running Oracle Identity Manager can communicate with remote managers
3 - 32
Diagnostic Dashboard: Postinstallation Checks
You can use the Diagnostic Dashboard after installation to determine whether: Oracle Identity Manager can submit and process a Java Messaging Service (JMS) message Single Sign-On (SSO) is configured properly for Oracle Identity Manager
3 - 33
Diagnostic Dashboard: Reports
You can use the Diagnostic Dashboard to create reports that display the following information about your Oracle Identity Manager environment: System properties that are associated with all Java Virtual Machines Information about the version numbers of the library and extension files Detailed (or manifest) information about the library and extension files
3 - 34
Using the Oracle Identity Manager Diagnostic Dashboard (Postinstallation)

To use the Diagnostic Dashboard, launch it. Select the check boxes for the tests that you want to perform, and then click Verify.
Test passed Test failed
3 - 35
Summary
In this lesson, you should have learned how to: Configure a preexisting Oracle database so that it works properly with Oracle Identity Manager Load and start the Oracle Identity Manager Diagnostic Dashboard Use the dashboard to ensure that the database is prepared correctly and that Oracle Identity Manager can connect to it Install the Oracle Identity Manager Server and Design Console Set an Oracle Identity Manager log level for the JBoss application server
Summary
In this lesson, you should have learned how to: Make the Design Console functional by copying a JAR file into an Oracle Identity Manager directory Use the Diagnostic Dashboard to verify that your Oracle Identity Manager environment is installed and configured correctly
3 - 37
Practice 3 Overview: Installing and Configuring Oracle Identity Manager

This practice covers the following topics: Preparing a database for Oracle Identity Manager Installing and deploying the Oracle Identity Manager Diagnostic Dashboard Using the dashboard to verify that the database is prepared properly and that Oracle Identity Manager can connect to it Installing and configuring an Oracle Identity Manager Server and an Oracle Identity Manager Design Console Using the Diagnostic Dashboard to verify that the Oracle Identity Manager environment is installed and configured properly
Starting and Understanding Oracle Identity Managers Consoles
Objectives
After completing this lesson, you should be able to: Launch the Oracle Identity Manager Server Start the two Oracle Identity Manager consoles (the Administrative Console and the Design Console) Differentiate between the two consoles Explain the links on the Administrative Console
4-2
Launching the Oracle Identity Manager Server

Double-click the xlStartServer.bat command script, which resides in the E:\OIM901_server\ xellerate\bin directory on your machine.
4-3
Launching the Oracle Identity Manager Administrative Console

Open the login page and enter the appropriate credentials in the User ID and Password fields. Then click Login.
4-4
4-5
Launching the Oracle Identity Manager Design Console

Open the login window and enter the appropriate credentials in the User ID and Password fields. Then click Login.
4-6
Oracle Identity Manager Consoles
Developers use the Design Console to build Oracle Identity Manager connectors.
4-7
Oracle Identity Manager Consoles
Administrators use the Administrative Console to manage Oracle Identity Manager connectors.
4-8
Administrative Console: My Account Link
With the My Account link, administrators view and modify their account information, reset a password, and designate a proxy.
4-9
Administrative Console: My Resources Link
With the My Resources link, administrators view, create, and modify information about requests and resources.
4 - 10
Administrative Console: Requests Link

With the Requests link, administrators create and track requests of resources for other Oracle Identity Manager users, as well as manage approval tasks.
4 - 11
Administrative Console: To-Do List Link
With the To-Do List link, administrators can handle all tasks that require their attention.
4 - 12
Administrative Console: Users Link
With the Users link, administrators create and manage records for Oracle Identity Manager users.
4 - 13
Administrative Console: Organizations Link

With the Organizations link, administrators create and manage records for Oracle Identity Manager organizational units.
4 - 14
Administrative Console: User Groups Link
With the User Groups link, administrators create and manage records for user groups.
4 - 15
Administrative Console: Access Policies Link
With the Access Policies link, administrators create and manage access policies.
4 - 16
Administrative Console: Resource Management Link

With the Resource Management link, administrators manage resources for a user or organization.
4 - 17
Administrative Console: Deployment Management Link

With the Deployment Management link, administrators transfer connectors from one environment to another.
4 - 18
Administrative Console: Reports Link
With the Reports link, administrators create operational and historical reports.
4 - 19
4 - 20
Administrative Console: Attestation Link
With the Attestation link, administrators can create and manage an attestation process.
4 - 21
Administrative Console: Help Link

With the Help link, administrators can view an online version of the Oracle Identity Manager Administrative Console and User Guide.
4 - 22
Summary
In this lesson, you should have learned how to: Start the Oracle Identity Manager Server, the Administrative Console, and the Design Console Identify the two consoles, including the differences between them Provide a thorough discussion of the links on the Administrative Console
4 - 23
Practice 4 Overview: Starting and Understanding Oracle Identity Managers Consoles

This practice covers the following topics: Launching the Oracle Identity Manager Server Launching the Oracle Identity Manager Administrative Console Launching the Oracle Identity Manager Design Console
4 - 24
Managing Users and User Entities
Objectives
After completing this lesson, you should be able to: Explain the three types of Oracle Identity Manager users: system administrators, administrators of Oracle Identity Manager connectors, and end users Discuss the entities of which an Oracle Identity Manager user can be a member (that is, organizations and user groups) Differentiate between an organization and a user group Create records for an organization, the three types of Oracle Identity Manager users, and a user group Assign an Oracle Identity Manager user to a user group
5-2
Objectives
In addition, you should be able to explain: How administrators view and modify their profiles in Oracle Identity Manager How administrators change their challenge questions and, as a result, reset their passwords What a proxy is How administrators assign, modify, and remove proxies How administrators see the resources that are provisioned to them How administrators see requests that are initiated by them and requests that require their approval
Oracle Identity Manager Users: Three Types
System administrators: Users who have both read access and write access to all forms and records in Oracle Identity Manager Administrators of Oracle Identity Manager connectors: Users who have read- and write-access rights to their own user profiles (and the records associated with them), as well as the profiles and records of any end users whom they supervise End users: Users who are recipients of the resources that are provisioned to them by Oracle Identity Manager. They have read-access rights to their own user profile (and the records associated with it).
5-4
5-5
Oracle Identity Manager User Entities: Two Types

Organization: Record that represents a unit in a companys hierarchy (for example, a department, division, or cost center) Organization User group: Collection of one or more Oracle Identity Manager users who share some common functionality, such as access rights, roles, or permissions for resources
User groups
User
Creating Oracle Identity Manager Users and User Entities

The following slides illustrate how to create:
Organizations Three types of Oracle Identity Manager users User groups
In addition, you learn how to assign a user to a group and perform various administrative functions for a user.
5-7
Creating an Organization
Example: Creating an organization named Curriculum Dev. The organizations classification type is Department.
5-8
5-9
Creating a User
Example: Creating a user named Robert La Vallie
5 - 10
5 - 11
Creating a User Group
Example: Creating a user group named Oracle 10g Approvers
5 - 12
Assigning a User to a User Group
Example: Assigning the user named Robert La Vallie to the ORACLE 9i USERS group
5 - 13
5 - 14
Viewing Your Profile
Administrators can see basic information about their user accounts. This example shows the profile of the administrator named Pauline Sammut.
5 - 15
Modifying Your Profile
Administrators can change basic information about their user accounts. This example illustrates modifying the profile of the administrator named Pauline Sammut.
5 - 16
Changing Your Challenge Questions and Answers

Administrators can change their challenge questions and answers.
5 - 17
5 - 18
Resetting Your Password
Administrators can reset their passwords. This example illustrates resetting an administrators password.
5 - 19
Proxies: Overview
Administrators can delegate any task approval responsibilities for which they are unavailable (because of illness, vacation, and so on) to another administrator. This delegated administrator is known as a proxy.
5 - 20
Assigning a Proxy
Administrators can assign proxies. This example illustrates assigning a proxy named Leonard Agneta to an administrator.
5 - 21
Modifying a Proxy
Administrators can modify their proxies. This example illustrates modifying the proxy named Leonard Agneta for an administrator.
5 - 22
Removing a Proxy
Administrators can remove their proxies. This example illustrates removing the proxy named Leonard Agneta from an administrator.
5 - 23
Viewing Your Resources
Administrators can see the resources that are provisioned to them. This example shows that a resource named Oracle RO is provisioned to an administrator.
5 - 24
Viewing Your Requests
Administrators can see the requests that they initiate as well as requests that require their approval.
5 - 25
Summary
In this lesson, you should have learned how to: Create system administrators, administrators of Oracle Identity Manager connectors, and end users Create organizations and user groups Differentiate between an organization and a user group Assign a user to a user group View and modify an administrators profile in Oracle Identity Manager Change an administrators challenge questions and answers Reset an administrators password
5 - 26
Summary
In this lesson, you should have learned how to: Assign, modify, and remove a proxy for an administrator See the resources that are provisioned to an administrator View, track, and approve requests generated by and for an administrator
5 - 27
Practice 5 Overview: Managing Users and User Entities

This practice covers the following topics: Creating records for an organization, a user group, and the three types of Oracle Identity Manager users Assigning an Oracle Identity Manager user to a group Viewing and modifying the profile of an Oracle Identity Manager administrator Changing challenge questions and answers and, as a result, resetting the password of an administrator Assigning, modifying, and removing a proxy for an administrator Viewing the resources and requests that are associated with an administrator
Assigning Oracle Identity Manager Connectors to Users
Objectives
After completing this lesson, you should be able to do the following: Identify resources and Oracle Identity Manager connectors Explain how Oracle Identity Manager connectors differ from resources Discuss the three ways in which a connector can be assigned to an Oracle Identity Manager user
6-2
Resources
A resource is an external system, service, or application with which Oracle Identity Manager communicates to perform either provisioning or reconciliation.
Server
Messaging applications
Operating systems
6-3
Examples of Resources
Examples of resources include the following: Collaboration and messaging applications: Microsoft Exchange 3.3; Novell GroupWise 2.1 Database servers: Oracle9i Database Enterprise Edition; Oracle Database 10g; MS SQL Server 2000 Directory servers: MS Active Directory 4.4; Novell eDirectory 2.1; Oracle Internet Directory 1.1; Sun Java System Directory Server 4.1 Enterprise applications: Oracle E-Business Suite 2.1; PeopleSoft Enterprise Applications 3.0; SAP Enterprise Applications 3.0 Operating systems: Microsoft Windows 2.1; UNIX 4.1
Examples of Resources
Security managers: IBM RACF 1.1; RSA Authentication Manager 4.1 Web access control applications: RSA ClearTrust 3.0
6-5
Oracle Identity Manager Connectors
An Oracle Identity Manager connector is a container that holds all of the information that Oracle Identity Manager needs to:
Reconcile with an external resource Provision a user with a target resource
In short, each resource is represented in Oracle Identity Manager by a corresponding connector.
6-6
How Connectors Differ from Resources
Assigning a connector to a user does not necessarily mean that the related resource is provisioned to the user. For provisioning to occur, you must:
Populate the fields of the custom process form that is contained in your connector Save this information to your Oracle Identity Manager database
6-7
How Connectors Are Assigned to Users
There are three ways that an Oracle Identity Manager connector can be assigned to a user:
Through direct provisioning Via criteria (autogroup membership rules and access policies) By requests
The following slides illustrate the three ways that a connector can be assigned to a user.
6-8
Assigning Connectors to Users: Direct Provisioning

The graphic in this slide illustrates how a connector can be assigned to an Oracle Identity Manager user through direct provisioning.
Administrator
Connector
End user
6-9
Assigning Connectors to Users: Criteria
The graphic in this slide illustrates how a connector can be assigned to an Oracle Identity Manager user via criteria (autogroup membership rules and access policies).
Administrator
Autogroup rule
User group
Access policy
Approver
End user
6 - 10
Connector
Approval process
Assigning Connectors to Users: Requests
The graphic in this slide illustrates how a connector can be assigned to an Oracle Identity Manager user by a request.
Request Administrator Approver Approval process
End user
6 - 11
Connector
Direct-Provisioning a Connector to a User
This example illustrates using direct provisioning to assign a connector to the end user named Leonard Agneta.
6 - 12
6 - 13
Using Criteria to Assign a Connector to a User
Another way to assign a connector to an end user is for Oracle Identity Manager to evaluate criteria about the user. These criteria include an autogroup membership rule and an access policy. For this to occur, you need to complete the following steps: Assign an autogroup membership rule to a user group. As a result, Oracle Identity Manager can add the end user to the group. Build the access policy. Oracle Identity Manager allocates the connector to the user because the user belongs to the user group.
6 - 14
Assigning an Autogroup Membership Rule to a User Group

This example illustrates assigning an autogroup membership rule to the Developers user group.
6 - 15
Creating an Access Policy
This example illustrates creating an access policy for the Developers user group.
6 - 16
6 - 17
Using a Request to Assign a Connector to a User
This example illustrates using a request to assign the Oracle RO connector to the user with the ID of LAGNETA.
6 - 18
6 - 19
Summary
In this lesson, you should have learned how to: Identify resources and Oracle Identity Manager connectors Differentiate between Oracle Identity Manager connectors and resources Assign an Oracle Identity Manager connector to a user through direct provisioning, criteria (specifically, autogroup membership rules and access policies), and requests
6 - 20
Practice 6 Overview: Assigning Oracle Identity Manager Connectors to Users

This practice covers assigning an Oracle Identity Manager connector to a user in three ways: Direct provisioning Autogroup membership rules and access policies Requests
6 - 21
6 - 22
Provisioning Resources to Users
Objectives
After completing this lesson, you should be able to: See how administrators of Oracle Identity Manager connectors can view a graphical representation of a provisioning workflow Analyze what approval processes are and how they impact a provisioning workflow Identify the key features of autoprovisioning
7-2
Objectives
Discuss other day-two provisioning functions that an administrator of an Oracle Identity Manager connector can perform. These functions include:
Temporarily deactivating an end users account with a resource Reinstating an end users account Modifying the password of an end users account Permanently revoking the access rights that an end user has with the resource
7-3
Graphical Workflow Definition Renderer: Overview

The Graphical Workflow Definition Renderer tool enables Oracle Identity Manager administrators to see a visual representation of the connectors provisioning workflow.
7-4
Viewing a Graphical Representation of a Provisioning Workflow

This screenshot is a visual representation of the DataBase Access (Login) provisioning process via the Graphical Workflow Definition Renderer.
7-5
7-6
Graphical Workflow Definition Renderer: High-Level Information

This example shows top-level information about the DataBase Access (Login) provisioning process.
7-7
Graphical Workflow Definition Renderer: Features
Features of the Graphical Workflow Definition Renderer include: Dragging and dropping the components that appear in the workflow (for visibility purposes) Customizing the items that can be displayed in the workflow Saving the current state of the workflow as an image Refreshing the workflow
7-8
7-9
Graphical Workflow Definition Renderer: Provisioning Tab

This tab displays all process tasks that are used to give a user access rights to a resource. In this example, the Create Login task is used to provision a user to an Oracle database.
7 - 10
Graphical Workflow Definition Renderer: Reconciliation Tab

This tab displays the tasks and flow of the reconciliation events associated with a provisioning process. In this example, the Reconciliation Insert event is displayed.
7 - 11
7 - 12
Graphical Workflow Definition Renderer: Resource Event Tab

This tab displays all workflows associated with changes to a users access rights with a resource. The Enable Login workflow reinstates the users access to the resource.
7 - 13
Graphical Workflow Definition Renderer: Form Event Tab

This tab displays workflows associated with changes to data in the process form attached to the provisioning process. The Password Updated workflow modifies the users password on the target resource.
7 - 14
Approval Processes: Overview
An approval process is used to approve the provisioning of a representative resource for a user. Approval processes are usually completed manually whereas provisioning processes are typically completed automatically. To complete an approval process, certain tasks must be completed. Although a connector is not required to have an approval process, it must have at least one provisioning process.
7 - 15
7 - 16
Completing an Approval Process
In this example, the user who belongs to the US_ORACLE_ RO_APPROVERS group approves the allocation of the Oracle RO connector for the user named Jill James.
7 - 17
Types of Provisioning
Manual provisioning Autoprovisioning
7 - 18
Manual Provisioning
An administrator of an Oracle Identity Manager connector completes the custom process form and saves the values to the database. Manual intervention is required by the administrator for provisioning to occur.
7 - 19
Autoprovisioning
Autoprovisioning is the Oracle Identity Manager process of:

Populating a custom process form of a connector Saving the values in the form to its database Using these values to provision an end user with a resource
With autoprovisioning, Oracle Identity Manager provisions the corresponding resource to an end user after the connector is assigned to the user.
7 - 20
Day-Two Provisioning Functions
Oracle Identity Manager is an application that can handle day-two provisioning functions, including: Temporarily disabling an end users account with an external resource Reinstating the users account with the resource Modifying the password of the users account Permanently revoking the access rights that the user has with the resource
7 - 21
Day-Two Provisioning Functions: Disabling a Users Account

In this example, an administrator disables Robert La Vallies account with an external resource. As a result, Oracle Identity Manager temporarily deactivates this users account.
7 - 22
Day-Two Provisioning Functions: Reinstating the Users Account

In this example, an administrator enables Robert La Vallies account with an external resource. As a result, Oracle Identity Manager reinstates this users account.
7 - 23
Day-Two Provisioning Functions: Modifying the Users Password

In this example, an administrator modifies the password of Robert La Vallies account with an external resource.
7 - 24
Day-Two Provisioning Functions: Deleting the Users Account

In this example, an administrator deletes Robert La Vallies account with an external resource. As a result, Oracle Identity Manager permanently revokes the access rights that this user has with the resource.
7 - 25
Summary
In this lesson, you should have learned how to: View a graphical representation of a provisioning workflow in Oracle Identity Manager Discuss approval processes, including how they affect a provisioning workflow Complete an approval process Analyze autoprovisioning Perform day-two provisioning functions, including:
Disabling an end users account with an external resource Reinstating the account Modifying the password of the user who is accessing the account Deleting the users account with the resource
Practice 7 Overview: Provisioning Resources to Users

This practice covers the following topics: Completing the approval process of an Oracle Identity Manager connector Direct-provisioning a connector to an end user Temporarily disabling an end users account with an external resource Reinstating the users account with the resource Modifying the password of the users account Permanently revoking the access rights that the user has with the account
7 - 27
7 - 28
Customizing the Oracle Identity Manager Administrative Console
Objectives
After completing this lesson, you should be able to: Identify the two levels of customization for the Oracle Identity Manager Administrative Console Modify the look and feel of the console to brand it for your company Change the functionality of the console without modifying the Oracle Identity Manager code Explain why the code should never be changed
8-2
Levels of Customization
There are two levels of customization that an administrator should perform with the Oracle Identity Manager Administrative Console: Modifying the look and feel of the console (that is, branding it) Changing the functionality of the console without modifying the Oracle Identity Manager code
8-3
8-4
Branding the Console
There are different ways to brand the Administrative Console, including: Customizing the overall layout of the Web pages of the console Modifying the descriptive text and labels that appear on the Web pages of the console Replacing company and product logos with your own icons Changing the color, font, and alignment of text
8-5
Changing the Functionality
There are different ways to change the functionality of the Administrative Console without changing the code, including: Customizing the self-registration process for creating a users account Configuring how users can modify the profiles of their accounts Customizing the behavior of the fields that appear on the Web pages of this console Setting the menu items that are available to users who belong to a particular group Customizing search pages
Customizing the Overall Layout of a Web Page
In this example, you customize the general layout of a Web page by displaying the company logo at the right side of the header banner.
8-7
Adding Logos
In this example, you replace the products default logo with your own company logo.
8-8
Modifying Text and Labels
In this example, you modify the text and label of the Search User button that appears on the Manage User form.
8-9
8 - 10
Customizing Colors, Font, and Alignment of Text

In this example, you modify the color, font, and alignment of the text that appears in the footer banner of the console.
8 - 11
8 - 12
Customizing the Self-Registration Process
In this example, you change the Middle Name field of the User Self-Registration form from optional to mandatory.
8 - 13
8 - 14
Customizing the Behavior of a Form Field
In this example, you change the Email Address field of the Create User form from optional to mandatory.
8 - 15
8 - 16
Customizing Menu Items for User Groups
In this example, you add menu items associated with deploying Oracle Identity Manager connectors to users (such as Dawn Jones) who belong to a particular group.
8 - 17
8 - 18
Customizing Search Pages
In this example, you customize the search pages of your console by reducing (from 10 to 5) the maximum number of search results that can appear on a Web page.
8 - 19
Summary
In this lesson, you should have learned how to: Differentiate between the two levels of customization for the Oracle Identity Manager Administrative Console Brand the console Change the functionality of the console without modifying the Oracle Identity Manager code Explain why the code should never be changed
8 - 20
Practice 8 Overview: Customizing the Oracle Identity Manager Administrative Console

This practice covers the following topics: Branding the Oracle Identity Manager Administrative Console Changing the functionality of the console without modifying the Oracle Identity Manager code
8 - 21
8 - 22
Transferring Oracle Identity Manager Connectors
Objectives
After completing this lesson, you should be able to do the following: Describe the benefits of transferring Oracle Identity Manager connectors from one environment to another Identify the different ways that connectors can be transported between environments Explain how to export a connector Discuss how to import a different connector and configure it so that it is operable in your environment
9-2
Transferring Oracle Identity Manager Connectors: Benefits

Benefits of transferring Oracle Identity Manager connectors from one environment to another: Efficiency Error reduction
9-3
Transferring Oracle Identity Manager Connectors: Ways

Transfer a component of a connector or an entire connector from one environment to another Transport multiple Oracle Identity Manager connectors between environments simultaneously
9-4
Exporting Oracle Identity Manager Connectors
To export an Oracle Identity Manager connector so that it is operable in another environment: 1. Build an *.xml file that contains the components of your connector. 2. Export this file into a designated location that can be accessed from your home or office environment.
9-5
Exporting Oracle Identity Manager Connectors
In this example, you export the Oracle RO connector.
9-6
9-7
Using Oracle Identity Manager Connectors: Setup

The following steps show you how to set up and run an Oracle Identity Manager connector so that it is operable in your environment. 1. Import the *.xml file that contains the designated Oracle Identity Manager connector. 2. Paste any external JAR files into their designated locations. 3. Recompile the adapters that are contained in your Oracle Identity Manager connector. 4. Define IT resources for the specific machines, applications, or services that are represented by your connector.
9-8
Using Oracle Identity Manager Connectors: Run Time

5. Assign the Oracle Identity Manager connector to a user. 6. Populate the fields of the custom process form that is contained in your connector. Then save this information to the database. 7. Verify that the login credentials you entered in the custom form can be used to access the external resource (that is, an Oracle database).
9-9
Step 1: Importing Oracle Identity Manager Connectors

In this example, you import a connector into your Oracle Identity Manager environment.
9 - 10
9 - 11
Step 2: Pasting the JAR Files

Copy the xliDatabaseAccess.jar file (which resides in your E:\OIM901_files directory) and paste it into your E:\OIM901_server\xellerate\JavaTasks directory.
9 - 12
Step 3: Recompiling the Adapters
The Adapter Manager form is used to compile multiple adapters simultaneously.
9 - 13
Step 4: Defining the IT Resources

An IT resource is an instance that contains the values that Oracle Identity Manager needs to: Communicate with an external resource (in this case, an Oracle database) Access the external resource as an administrator (for provisioning purposes)
9 - 14
9 - 15
Step 5: Assigning a Connector to a User
In this example, you assign an Oracle Identity Manager connector to a user.
9 - 16
Step 6: Completing the Custom Process Form
The values in the custom process form represent the login credentials of the target user that Oracle Identity Manager passes into the corresponding external resource (in this case, an Oracle database).
9 - 17
Step 7: Accessing the Database
This screenshot illustrates a successful login to your Oracle SQL*Plus client. It indicates that the designated user is provisioned with the external resource (in this case, an Oracle database).
9 - 18
Summary
In this lesson, you should have learned how to: Describe the benefits and different ways of transferring Oracle Identity Manager connectors between environments Discuss how to export an Oracle Identity Manager connector Explain how to import a different Oracle Identity Manager connector and configure it so that it works in your environment
9 - 19
Practice 9 Overview: Transferring Oracle Identity Manager Connectors

This practice covers exporting an *.xml file that contains your Oracle Identity Manager connector.
9 - 20
Creating Reports
Objectives
After completing this lesson, you should be able to do the following: Identify the two types of reports that an administrator can create for Oracle Identity Manager users: operational reports and historical reports Differentiate between these two types of reports List the different operational and historical reports that are available with Oracle Identity Manager Discuss additional reports that can be created by using a third-party tool (such as Crystal Reports) Create operational and historical reports with the Oracle Identity Manager Administrative Console
Operational and Historical Reports
An administrator can create two types of reports for Oracle Identity Manager users: Operational reports: Information about resources that a user can access (current data) Historical reports: Information about resources that are associated with a user throughout that users employment with the company (life-cycle data)
10 - 3
Operational Reports: Types
There are four types of operational reports: Who Has What Resource Access List Entitlements Summary Policy List
10 - 4
Historical Reports: Types
There are five types of historical reports: User Resource Access History Resource Access List History User Profile History User Membership History Group Membership History
10 - 5
Other Reports: Types
An administrator can create the following eight additional reports by using a third-party reporting tool. Who Has What: Lists the users and the resources with which they are provisioned Direct Provisioned: Shows the following information:
Resources that are directly provisioned to the target users User who directly provisioned the resources for the target users Users who received the resources
10 - 6
Other Reports: Types

Requests Made: Displays requests that are created by users Active Queue: Subset of the Requests Made report; lists the requests that are approved by users Requests Executed: Subset of the Active Queue report; shows the requests that are executed by Oracle Identity Manager Reconciled Apps: Lists the successful events that are associated with reconciliation Reconciled Users: Displays the users who are added to Oracle Identity Manager through reconciliation Unreconciled Data: Shows the reconciliation events that could not be matched to a specific user, organization, or provisioning process
Creating a Who Has What Operational Report
In this example, you create a Who Has What operational report for the user with the ID of RLAVALLI.
10 - 8
Creating a Resource Access List Operational Report

In this example, you create a Resource Access List operational report for the Oracle RO resource.
10 - 9
Creating an Entitlements Summary Operational Report

In this example, you create an Entitlements Summary operational report. DataBase Access (Login) is the designated resource and Revoked is the associated status level (or entitlement).
10 - 10
Creating a Policy List Operational Report
In this example, you create a Policy List operational report. Users Access Policy is the designated policy and Oracle 9i Users is the target user group.
10 - 11
Creating a User Resource Access History Historical Report

In this example, you create a User Resource Access History historical report for the user with the ID of RLAVALLI.
10 - 12
Creating a Resource Access List History Historical Report

In this example, you create a Resource Access List History historical report for the Oracle RO resource.
10 - 13
Creating a User Profile History Historical Report

In this example, you create a User Profile History historical report for the user with the ID of RLAVALLI.
Current e-mail address Original e-mail address
10 - 14
Creating a User Membership History Historical Report

In this example, you create a User Membership History historical report for the user with the ID of RLAVALLI.
10 - 15
Creating a Group Membership History Historical Report

In this example, you create a Group Membership History historical report for the Oracle 9i Approvers user group.
10 - 16
Summary
In this lesson, you should have learned how to: Identify operational reports and historical reports (and the differences between them) List the different operational and historical reports that are available with Oracle Identity Manager Discuss additional reports that can be created by using a third-party tool (such as Crystal Reports) Create operational and historical reports with the Oracle Identity Manager Administrative Console
10 - 17
Practice 10 Overview: Creating Reports

This practice covers creating the following types of reports: Operational reports

10 - 18
Who Has What Resource Access List Entitlements Summary Policy List User Resource Access History Resource Access List History User Profile History User Membership History Group Membership History
Historical reports
Understanding Attestation
Objectives
After completing this lesson, you should be able to: Define attestation and attestation processes, including the fundamental components of an attestation process Describe the types of users who analyze, create, and manage attestation processes Identify the types of data that can be attested Discuss the different ways that attestation processes can be executed (that is, the schedule for attestation processes) Explain the workflow of an attestation process from beginning to end
11 - 2
Attestation
Mechanism by which Oracle Identity Manager users are notified periodically of a report they must review
This report outlines the provisioned resources that certain users have.
Process of authorizing established internal controls, processes, and policies for user-related and transactional-related data
11 - 3
Attestation Processes
An attestation process is the framework by which an attestation workflow is set up and created. It contains the following run-time components:
+
User Data
+
Schedule
11 - 4
Attestation Process: Users
Four types of users analyze, create, and manage attestation processes:
Compliance manager
System administrator
Process owner
Reviewer
11 - 5
11 - 6
Attestation Process: Data
Two types of data can be attested: Oracle Identity Manager users and the resources they can access Fine-grained privileges that determine how a user should be entitled to a resource
11 - 7
Attestation Process: Schedule
All activities that are associated with an attestation process can be: Run at a periodic interval (for example, every three months) Executed on demand
11 - 8
Attestation Process: Workflow

Oracle Identity Manager repository
4
Certify
Schedule Data E-mail Reviewer notification
Decline
Reject
Delegate
E-mail notification
E-mail notification Reviewer Process owner
11 - 9
Summary
In this lesson, you should have learned how to: Identify attestation and attestation processes, including the primary components of an attestation process Describe the users, data, and schedules that are associated with attestation processes Explain how an attestation process works from beginning to end
11 - 10
Creating, Managing, and Reviewing Attestation Processes
Objectives
After completing this lesson, you should be able to: Configure your Oracle Identity Manager environment so that it can handle attestation processes Create an attestation process through the Oracle Identity Manager Administrative Console Access the Administrative Console as a reviewer and act on an attestation process that is assigned to you: certify it, decline it, reject it, or delegate it to another reviewer Access this console as a process owner and view information about the attestation process, including its status: whether it is certified, rejected, declined, or delegated to another reviewer
Configuring an Attestation Process
There are six steps in setting up an attestation process: 1. Configuring your Oracle Identity Manager environment so that its attestation features are available 2. Configuring the resource object of your connector so that its data can be reviewed during an attestation process 3. Configuring the process form of your connector so that its data is available for review during an attestation process 4. Assigning a manager to the user who is the recipient of the target resource (This manager is responsible for reviewing the attestation process for the user.)
12 - 3
Configuring an Attestation Process
5. Assigning menu items to the following user groups:

User group that is responsible for creating and managing the attestation process (that is, the process owner group) User group that is responsible for reviewing the attestation process (the reviewer group)
6. Assigning administrative privileges and permissions to each of these groups
12 - 4
Installing the Oracle Identity Manager Server
By selecting this option, you can use the attestation features of Oracle Identity Manager for audit and compliance purposes.
12 - 5
Configuring the Resource Object
Select the Financially Significant check box of your connectors representative resource object in the Design Console.
12 - 6
Configuring the Process Form
Set the value of this record to Resource Form in the Design Console.
12 - 7
Assigning a Manager to a User
Assign the manager with the ID of TJONES to the end user named Robert La Vallie. This manager is responsible for reviewing the attestation process for the user.
12 - 8
Assigning Menu Items to User Groups
Assign menu items to users who belong to the IT group. This group represents the users who are responsible for creating and managing attestation processes.
12 - 9
Assigning Menu Items to User Groups
Assign a menu item to users who belong to the Managers group. This group represents the users who are responsible for reviewing attestation processes.
12 - 10
12 - 11
Assigning Administrative Privileges and Permissions for User Groups

Assign administrative privileges and permissions to users who belong to the IT group. This group represents the users who are responsible for creating and managing attestation processes.
12 - 12
12 - 13
Creating an Attestation Process
There are five stages in creating an attestation process: 1. Defining high-level information about the attestation process 2. Defining the scope and reviewer for the attestation process 3. Defining the administrative details of the attestation process 4. Verifying the information of the attestation process 5. Assigning groups of users to the attestation process who are responsible for reviewing and managing it
12 - 14
12 - 15
Stage 1: Defining High-Level Information
On the Define Process screen, you specify highlevel information about the attestation process.
12 - 16
Stage 2: Defining the Scope and Reviewer

On the Define Attestation Scope And Reviewer screen, you specify how a user should have access rights to a resource (that is, the scope) and the reviewer for the attestation process.
12 - 17
Stage 3: Defining the Administrative Details
On the Define Administrative Details screen, you specify how often the attestation process should be run. You also specify its process owner group.
12 - 18
12 - 19
Stage 4: Verifying the Information
On the Verify Info Page screen, you ensure that the information in the attestation process is correct.
12 - 20
Stage 5: Assigning Groups
On the Administrative Groups screen, you assign groups of users who are responsible for reviewing and managing the attestation process.
12 - 21
Reviewer Actions for an Attestation Process
As a reviewer of an attestation process, you can perform one of the following actions with it: Delegate it to another reviewer Reject it Certify it Decline to act on it
12 - 22
Reviewing an Attestation Process
As a reviewer, you perform an action on an attestation process. You can certify, reject, or decline an attestation process or can delegate it to another reviewer.
12 - 23
12 - 24
Process Owner Actions for an Attestation Process

As the owner of an attestation process, you can view the following information about it: High-level and detailed information The date and time when the attestation process is submitted to a reviewer The reviewer who received the attestation process The status of the attestation process (that is, whether the reviewer certified it, rejected it, declined it, or delegated it to another reviewer) The delegation path (if the attestation process is delegated to another reviewer)
12 - 25
Viewing an Attestation Process
As a process owner, you can view both high-level and detailed information about an attestation process.
12 - 26
12 - 27
Summary
In this lesson, you should have learned how to: Configure your Oracle Identity Manager environment so that it can handle attestation processes Create an attestation process with the Oracle Identity Manager Administrative Console Act on an attestation process as a reviewer: certify it, decline it, reject it, or delegate it to another reviewer View information about an attestation process as a process owner, including its status: whether it is certified, rejected, declined, or delegated to another reviewer
12 - 28
Practice 12 Overview: Creating, Managing, and Reviewing Attestation Processes

This practice covers the following topics: Setting up your environment so that you can create attestation processes Using the Oracle Identity Manager Administrative Console to create an attestation process Acting on an attestation process (for example, certifying it) Viewing both high-level and detailed information about an attestation process
12 - 29
12 - 30
Troubleshooting Oracle Identity Manager
Objectives
After completing this lesson, you should be able to troubleshoot problems that administrators commonly encounter with Oracle Identity Manager. These problems are fixed through the use of disaster-recovery procedures.
13 - 2
Increasing the Size of the Java Pool
Problem: After launching the Oracle Identity Manager Diagnostic Dashboard, the Database Prerequisites Check fails.
The reason for the failure is that the current Java pool size of your Oracle database is 32 MB. As a result, it does not meet the minimum requirement of 60 MB.
Solution:
1. Stop the Oracle Identity Manager Server. 2. Access the database by using the Oracle Enterprise Manager Console. 3. Click the Instance subnode. A Configuration form is nested in this node.
13 - 3
Increasing the Size of the Java Pool
4. Click the Configuration form (to make it active). 5. In this form, select the Memory tab. In the Java Pool field, enter 60. Then click the Apply button that appears on this tab. A Shutdown Options window appears. 6. In the Shutdown Options window, select the Immediate option. Then click OK. Your database is shut down and restarted so that the changes to your Java pool can be registered. 7. Close the Oracle Enterprise Manager Console. 8. Restart the Oracle Identity Manager Server.
13 - 4
Changing the Authentication Mode
Problem: After installing Oracle Identity Manager, you want to change the authentication mode from the applications default setting to Single Sign-On (SSO). Solution:
1. Stop the Oracle Identity Manager Server. 2. Use a text editor to open the xlconfig.xml file, which is located in the E:\OIM901_Server\xellerate\config directory. 3. Look for the following piece of code: <Authentication> Default </Authentication>
13 - 5
Changing the Authentication Mode
4. Replace the Default value with the name of the header value configured in the SSO system. 5. Save your changes. 6. Restart the Oracle Identity Manager Server.
13 - 6
Exporting a File Properly
Problem: Exporting a file via the Deployment Manager form (which can be found in the Oracle Identity Manager Administrative Console) results in an invalid file, a corrupted XML file, or a file created with 0 KB. Solution:
1. When you export your file, make sure that no other users are also attempting to export a file. 2. At the same time, verify that no reconciliation workflows or scheduled tasks are being run. 3. Reconfigure the minimum and maximum memory parameters of the JBoss application server to 512 MB and 1,024 MB, respectively.
13 - 7
Verifying That the Oracle Identity Manager Scheduler Is Running

Problem: You want to verify that the service that programs events to be executed at periodic intervals (that is, the Oracle Identity Manager Scheduler) is running. Solution:
1. Launch a Web browser. 2. In the Address field, enter the following URL: http://localhost:8087/xlScheduler/status (localhost is the machine name for the application server, and 8087 is this servers port number.)
13 - 8
Customizing the Login Page of the Administrative Console

Problem: You want to customize the Login page of the Administrative Console. Solution: Open the tjspLoginTiles.jsp file, which is located in the following directory: E:\jboss-4.0.2\server\default\deploy\ XellerateFull.ear\xlWebApp.war\xlWebApp\ tiles This file contains the properties that pertain to the Login page.
13 - 9
Changing the Background Color of Oracle Identity Manager Explorer

Problem: You want to customize the Administrative Console so that the background color for the header is different from the background color that appears in your Oracle Identity Manager Explorer. Solution:
1. Stop the Oracle Identity Manager Server. 2. Use a text editor to open the Xellerate.css file, which is located in the E:\jboss-4.0.2\server\default\ deploy\XellerateFull.ear\xlWebApp.war\css directory.
13 - 10

3. In this file, create a new class called ExplorerMenu and add the new background color. To do so, add this piece of code to it: .ExplorerMenu { BACKGROUND-COLOR: <color>; } In the code, <color> represents the new color. 4. Use a text editor to open the tjspClassicLayout.jsp file, which is located in the E:\jboss4.0.2\server\default\deploy\ XellerateFull.ear\xlWebApp.war\layouts directory.
13 - 11

5. Replace the Sidebar element with the ExplorerMenu class. 6. Save your changes. 7. Restart the Oracle Identity Manager Server.
13 - 12
Unlocking the xelsysadm User Account
Problem: The xelsysadm user account is locked and cannot be unlocked because an Oracle Identity Manager user exceeded the maximum number of login attempts. Solution:
1. Stop the Oracle Identity Manager Server. 2. Open a DOS window. 3. In the DOS prompt that appears, enter sqlplus /nolog. A SQL prompt appears. 4. Connect to the Oracle database as an administrator (for example, connect sys/sys@train91 as sysdba, where sys is the system user and password and train91 is the name of the database).
13 - 13
Unlocking the xelsysadm User Account
5. Run the following query: SQL>UPDATE SYS.USR SET USR_LOCKED=0, USR_LOGIN_ATTEMPTS_CTR=0 WHERE USR_LOGIN=XELSYSADM; 6. After you see that the row is updated, commit the changes to the database. To do so, enter the following at the SQL prompt: SQL>commit; 7. Restart the Oracle Identity Manager Server.
13 - 14
Summary
In this lesson, you should have learned how to use disaster-recovery procedures to fix common problems that administrators encounter with Oracle Identity Manager.
13 - 15
13 - 16

Oracle Identity Manager Administration

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Oracle Identity Manager Administration

Hochgeladen von

Copyright:

Verfügbare Formate

Oracle Identity Manager: Administration

Volume I Student Guide

D46308GC10 Edition 1.0 January 2007 D48930

Oracle Identity Manager: Administration

D46308GC10 Edition 1.0 January 2007 D48932

Technical Contributors and Reviewers

Technical Contributors and Reviewers

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Unit 1: Product Overview

Copyright 2007, Oracle. All rights reserved.

Unit 2: Installing, Configuring, and Launching Oracle Identity Manager

Copyright 2007, Oracle. All rights reserved.

Unit 3: Managing Users, User Entities, and Resources

Copyright 2007, Oracle. All rights reserved.

Unit 4: Modifying the Oracle Identity Manager Administrative Console

Copyright 2007, Oracle. All rights reserved.

Unit 5: Deploying Resources

Copyright 2007, Oracle. All rights reserved.

Unit 6: Constructing Reports

This unit has a single lesson titled Creating Reports.

Copyright 2007, Oracle. All rights reserved.

Unit 7: Using Attestation

Copyright 2007, Oracle. All rights reserved.

Unit 8: Performing Advanced Functions with Oracle Identity Manager

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Understanding Oracle Identity Manager

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Oracle Identity Manager

Copyright 2007, Oracle. All rights reserved.

Oracle Identity Manager Architecture

Copyright 2007, Oracle. All rights reserved.

Oracle Identity Manager Architecture: Advantages

The advantages of this architecture include: Scalability Flexibility Variety

Copyright 2007, Oracle. All rights reserved.

Oracle Identity Manager Architecture: Tiers

Data & Enterprise Integration tier

Copyright 2007, Oracle. All rights reserved.

Tier 1: Presentation Tier

Dynamic Presentation Logic layer

Copyright 2007, Oracle. All rights reserved.

Tier 2: Server Tier

Copyright 2007, Oracle. All rights reserved.

Tier 2: Server Tier

Copyright 2007, Oracle. All rights reserved.

Tier 3: Data & Enterprise Integration Tier

Back-end Database layer

Copyright 2007, Oracle. All rights reserved.

Tier 3: Data & Enterprise Integration Tier

Copyright 2007, Oracle. All rights reserved.

Reconciliation and Provisioning: Overview

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.

Copyright 2007, Oracle. All rights reserved.