Authors
Robert La Vallie
Copyright 2007, Oracle. All rights reserved.

Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle. The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice
Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Editors
Richard Wallis, Daniel Milne
Graphic Designer
Steve Elwood, Satish Bettegowda
Publisher
Jobi Varghese
Introduction
Course Objectives
After completing this course, you should be able to:
- Explain Oracle Identity Manager and its role in identity management
- Identify the three tiers and components of the Oracle Identity Manager architecture
- List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning
- Describe how Oracle Identity Manager handles reconciliation and provisioning
- Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions
- List the components that this connector must have
- Explain the steps that need to be completed to build an Oracle Identity Manager connector
- Prepare a predefined database for Oracle Identity Manager
- Install and deploy your Oracle Identity Manager Diagnostic Dashboard
- Use the dashboard tool to verify that Oracle Database is prepared properly and that Oracle Identity Manager can connect to it
- Install the Oracle Identity Manager Server
- Install the Oracle Identity Manager Design Console
- Perform postinstallation tasks for the Oracle Identity Manager Server and Design Console
- Use the Diagnostic Dashboard to verify that Oracle Identity Manager is loaded and configured properly
- Launch the Oracle Identity Manager Server
- Start the two Oracle Identity Manager consoles (the Administrative Console and the Design Console)
- Differentiate between the two consoles
- Explain the links in the Administrative Console
- Explain the three types of Oracle Identity Manager users: system administrators, administrators of Oracle Identity Manager connectors, and end users
- Discuss the entities of which an Oracle Identity Manager user can be a member (that is, organizations and user groups)
- Differentiate between an organization and a user group
- Create records for an organization, the three types of Oracle Identity Manager users, and a user group
- Assign an Oracle Identity Manager user to a user group
- Explain the following:
  - How administrators view and modify their profiles in Oracle Identity Manager
  - How administrators change their challenge questions and, as a result, reset their passwords
  - What a proxy is
  - How administrators assign, modify, and remove proxies
  - How administrators see the resources that are provisioned to them
  - How administrators see requests that are initiated by them and requests that require their approval
- Identify resources and Oracle Identity Manager connectors
- Explain how Oracle Identity Manager connectors differ from resources
- Discuss the three ways that a connector can be assigned to an Oracle Identity Manager user
- See how an administrator of an Oracle Identity Manager connector can view a graphical representation of a provisioning workflow
- Analyze what approval processes are and how they affect a provisioning workflow
- Identify the key features of autoprovisioning
- Discuss other day-two provisioning functions that an administrator of an Oracle Identity Manager connector can perform. These functions include:
  - Temporarily deactivating an end user's account with a resource
  - Reinstating an end user's account
  - Modifying the password of an end user's account
  - Permanently revoking the access rights that an end user has with the resource
- Identify the two levels of customization for the Oracle Identity Manager Administrative Console
- Modify the look and feel of the console (that is, brand it)
- Change the functionality of the console without modifying the Oracle Identity Manager code
- Explain why the code should never be changed
- Describe the benefits of transferring Oracle Identity Manager connectors from one environment to another
- Identify the different ways that connectors can be transported between environments
- Explain how to export a connector
- Discuss how to import a different connector and configure it so that it is operable in your environment
- Identify the two types of reports that an administrator can create for Oracle Identity Manager users: operational reports and historical reports
- Differentiate between these two types of reports
- List the different operational and historical reports that are available with Oracle Identity Manager
- Discuss additional reports that can be created using a third-party tool (such as Oracle Discoverer)
- Create operational and historical reports with the Oracle Identity Manager Administrative Console
- Define attestation and attestation processes, including the fundamental components of an attestation process
- Describe the types of users who analyze, create, and manage attestation processes
- Identify the types of data that can be attested
- Discuss the different ways that attestation processes can be executed (that is, the schedule for attestation processes)
- Explain the workflow of an attestation process from beginning to end
- Configure your Oracle Identity Manager environment so that it can handle attestation processes
- Create an attestation process by using the Oracle Identity Manager Administrative Console
- Access the Administrative Console as a reviewer and act on an attestation process that is assigned to you: certify it, decline it, reject it, or delegate it to another reviewer
- Access this console as a process owner and view information about the attestation process, including its status (certified, rejected, declined, or delegated to another reviewer)
- Troubleshoot Oracle Identity Manager
Course Units
This course is divided into the following units:
1. Product Overview
2. Installing, Configuring, and Launching Oracle Identity Manager
3. Managing Users, User Entities, and Resources
4. Modifying the Oracle Identity Manager Administrative Console
5. Deploying Resources
6. Constructing Reports
7. Using Attestation
8. Performing Advanced Functions with Oracle Identity Manager
This unit has a single lesson titled Understanding Oracle Identity Manager.
This unit has a single lesson titled Transferring Oracle Identity Manager Connectors.
This unit comprises the following lessons:
- Understanding Attestation
- Creating, Managing, and Reviewing Attestation Processes
Summary
In this introductory lesson, you should have learned about the course units and lessons.
Objectives
After completing this lesson, you should be able to:
- Explain Oracle Identity Manager and its role in identity management
- Identify the three tiers and components of the Oracle Identity Manager architecture
- List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning
- Describe how Oracle Identity Manager handles reconciliation and provisioning
- Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions
- List the components that this connector must have
- Explain the steps that need to be completed to build an Oracle Identity Manager connector
Oracle Identity Manager is an application that handles and selectively automates tasks that manage a user's access privileges. Such tasks include:
- Creating access privileges to resources for users
- Modifying these privileges dynamically based on changes to user and business requirements
- Removing these access privileges from users
The architecture for Oracle Identity Manager:
- Is based on a Java 2 Enterprise Edition (J2EE) environment
- Separates the platform's Presentation, Server, and Data & Enterprise Integration tiers
- Enables the creation of n levels of layers
[Diagram: the three tiers of the Oracle Identity Manager architecture: Presentation tier, Server tier, and Data & Enterprise Integration tier]
The Presentation tier of Oracle Identity Manager has two layers:
- Presentation layer: Two consoles for Oracle Identity Manager, the Administrative Console and the Design Console
The Server tier of Oracle Identity Manager is the interface between the Presentation and Data & Enterprise Integration tiers. The application server for Oracle Identity Manager:
- Resides in the Server tier
- Provides the life-cycle management, security, deployment, and run-time services to the logical components that support Oracle Identity Manager
The Server tier of Oracle Identity Manager supports:
- Clustering
- Load balancing
- Security management
- Scheduling
The Data & Enterprise Integration tier of Oracle Identity Manager has two layers:
- Data Access layer: The layer that holds the components that Oracle Identity Manager needs to communicate with its database
The Back-end Database layer leverages the following capabilities:
- Clustering
- Standby database
- Replication
Reconciliation: Types
There are two types of reconciliation that Oracle Identity Manager performs:
- Trusted source reconciliation
- Targeted resource reconciliation
Reconciliation: Events
Oracle Identity Manager can perform three types of reconciliation events with an external resource:
- Reconciliation Insert
- Reconciliation Update
- Reconciliation Delete
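The following added example (not Oracle Identity Manager code, and not from the course) shows how the three event types above fall out of comparing records read from an external resource with the records Oracle Identity Manager already holds. It serves both reconciliation types: run against a trusted source (here a constructed HR feed), the events drive changes to Oracle Identity Manager users; run against a target resource (here constructed database accounts), an Insert event is an account that Oracle Identity Manager did not provision and that a reviewer should examine. The field names, logins, and sample records are all constructed for the example.

```python
"""Classify reconciliation events (Insert, Update, Delete).

Added illustration of reconciliation-event logic; not Oracle Identity Manager
code. Field names, logins and all sample records are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ReconEvent:
    kind: str                 # "Insert", "Update" or "Delete"
    key: str                  # login that identifies the user or account
    changes: dict = field(default_factory=dict)  # new values (Insert/Update)


def reconcile(external, current, compare_fields):
    """Compare records read from an external resource against OIM's records.

    external: {login: {field: value}} read from the trusted source or target
    current:  {login: {field: value}} currently held by OIM
    Returns ReconEvents: Insert for logins OIM lacks, Update for logins whose
    compared fields differ, Delete for logins the external resource no longer
    has. Sorted by (kind, key) so the output is deterministic.
    """
    events = []
    for login, ext in external.items():
        cur = current.get(login)
        if cur is None:
            events.append(ReconEvent("Insert", login, dict(ext)))
            continue
        changed = {f: ext.get(f) for f in compare_fields if ext.get(f) != cur.get(f)}
        if changed:
            events.append(ReconEvent("Update", login, changed))
    for login in current:
        if login not in external:
            events.append(ReconEvent("Delete", login))
    return sorted(events, key=lambda e: (e.kind, e.key))


def summarize(events):
    """Count events by kind; an unexpected spike in Inserts or Deletes is worth review."""
    counts = {"Insert": 0, "Update": 0, "Delete": 0}
    for e in events:
        counts[e.kind] += 1
    return counts


USER_FIELDS = ("first_name", "last_name", "status")

# Trusted source reconciliation: the HR feed (constructed) is authoritative for
# OIM user records, so its events create, update and delete OIM users.
HR_FEED = {
    "lagneta": {"first_name": "Leonard", "last_name": "Agneta", "status": "Active"},
    "jjames": {"first_name": "Jill", "last_name": "James", "status": "Active"},
    "psammut": {"first_name": "Pauline", "last_name": "Sammut", "status": "Disabled"},
}
OIM_USERS = {
    "lagneta": {"first_name": "Leonard", "last_name": "Agneta", "status": "Active"},
    "psammut": {"first_name": "Pauline", "last_name": "Sammut", "status": "Active"},
    "rlavallie": {"first_name": "Robert", "last_name": "La Vallie", "status": "Active"},
}

# Targeted resource reconciliation: accounts read from a target database
# (constructed) are compared with the accounts OIM believes it provisioned.
# An Insert here is an account OIM did not create.
DB_ACCOUNTS = {
    "lagneta": {"status": "Open"},
    "scott": {"status": "Open"},
}
OIM_PROVISIONED = {
    "lagneta": {"status": "Open"},
}

if __name__ == "__main__":
    for e in reconcile(HR_FEED, OIM_USERS, USER_FIELDS):
        print("trusted source:", e.kind, e.key, e.changes)
    for e in reconcile(DB_ACCOUNTS, OIM_PROVISIONED, ("status",)):
        print("target resource:", e.kind, e.key, e.changes)
```

Only the fields listed in `compare_fields` trigger an Update, so attributes that the external resource is not authoritative for do not generate noise; the trusted-source run above yields one Insert (jjames), one Update (psammut, now Disabled), and one Delete (rlavallie), while the target-resource run flags the account scott that Oracle Identity Manager never provisioned.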
Provisioning: Types
There are two types of provisioning that Oracle Identity Manager performs:
- Day-one provisioning
  - Initial creation of access privileges to resources for users
  - Removal of these privileges from users
- Day-two provisioning
  - Dynamic modification of user privileges with resources, based on changes to user and business requirements
[Diagrams: provisioning flows between an administrator and an end user]
A connector must have the following seven components:
- IT resource type
- IT resource
- Process form
- Process task adapter
- Resource object
- Provisioning process
- Process task
This screenshot illustrates an IT resource type for an Oracle database. There is a one-to-one relationship between the IT resource type and the connector. That is, each connector should have only one IT resource type.
[Diagrams: the connector components built up step by step: IT resource, resource object, custom process form, provisioning process, and process task]
Example of a process task that Oracle Identity Manager uses to create a user's account in an Oracle database
[Diagram: the connector components with a process task adapter attached to the process task]
Example of a process task adapter being connected to a process task to create a user's account in an Oracle database
Summary
In this lesson, you should have learned how to:
- Describe Oracle Identity Manager and its role in identity management
- Explain the three tiers and components of the Oracle Identity Manager architecture
- List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning
- Explain how Oracle Identity Manager handles reconciliation and provisioning
In this lesson, you should have learned how to:
- Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions
- List the components that this connector must have
- Explain the steps that need to be completed to build an Oracle Identity Manager connector
Objectives
After completing this lesson, you should be able to:
- Prepare a predefined database for Oracle Identity Manager
- Install and deploy your Oracle Identity Manager Diagnostic Dashboard
- Use the dashboard tool to verify that your Oracle database is prepared properly and that Oracle Identity Manager can connect to it
- Install the Oracle Identity Manager Server
- Install the Oracle Identity Manager Design Console
- Perform postinstallation tasks for the Oracle Identity Manager Server and Design Console
- Use the Diagnostic Dashboard to verify that Oracle Identity Manager is loaded and configured properly
Oracle Identity Manager requires a database. To use Oracle Database, you must:
- Install Oracle Database
- Create a database instance
- Prepare this database
With the prepare_xl_db.bat script, administrators can prepare a database for Oracle Identity Manager.
E:\OIM901_Installation\installServer\Xellerate\db\oracle> prepare_xl_db.bat train91 E:\orant\ora92 sysadm sysadm train91tbs E:\orant\ora92\oradata train91tbs_01 TEMP sys
To use this tool, select the check boxes for the tests that you want to perform, enter the test parameters (where applicable), and click Verify.
The following slides illustrate how to install the Oracle Identity Manager Server. You must install this server on the same machine that is running the JBoss application server.
Copy the jbossall-client.jar file and paste it into the E:\OIM901_client\xlclient\ext directory.
You can use the Diagnostic Dashboard after installation to determine whether:
- An Oracle Identity Manager user account is locked because of successive invalid login attempts
- The data encryption key in your Oracle Identity Manager installation is identical to the one used to encrypt the data in your Oracle Identity Manager database
- The scheduler service is running
- Oracle Identity Manager can communicate with remote managers
You can use the Diagnostic Dashboard after installation to determine whether:
- Oracle Identity Manager can submit and process a Java Messaging Service (JMS) message
- Single Sign-On (SSO) is configured properly for Oracle Identity Manager
You can use the Diagnostic Dashboard to create reports that display the following information about your Oracle Identity Manager environment:
- System properties that are associated with all Java Virtual Machines
- Information about the version numbers of the library and extension files
- Detailed (or manifest) information about the library and extension files
Summary
In this lesson, you should have learned how to:
- Configure a preexisting Oracle database so that it works properly with Oracle Identity Manager
- Load and start the Oracle Identity Manager Diagnostic Dashboard
- Use the dashboard to ensure that the database is prepared correctly and that Oracle Identity Manager can connect to it
- Install the Oracle Identity Manager Server and Design Console
- Set an Oracle Identity Manager log level for the JBoss application server
In this lesson, you should have learned how to:
- Make the Design Console functional by copying a JAR file into an Oracle Identity Manager directory
- Use the Diagnostic Dashboard to verify that your Oracle Identity Manager environment is installed and configured correctly
Objectives
After completing this lesson, you should be able to:
- Launch the Oracle Identity Manager Server
- Start the two Oracle Identity Manager consoles (the Administrative Console and the Design Console)
- Differentiate between the two consoles
- Explain the links on the Administrative Console
Developers use the Design Console to build Oracle Identity Manager connectors.
Administrators use the Administrative Console to manage Oracle Identity Manager connectors.
With the My Account link, administrators view and modify their account information, reset a password, and designate a proxy.
With the My Resources link, administrators view, create, and modify information about requests and resources.
With the To-Do List link, administrators can handle all tasks that require their attention.
With the Users link, administrators create and manage records for Oracle Identity Manager users.
With the User Groups link, administrators create and manage records for user groups.
With the Access Policies link, administrators create and manage access policies.
With the Reports link, administrators create operational and historical reports.
With the Attestation link, administrators can create and manage an attestation process.
Summary
In this lesson, you should have learned how to:
- Start the Oracle Identity Manager Server, the Administrative Console, and the Design Console
- Identify the two consoles, including the differences between them
- Provide a thorough discussion of the links on the Administrative Console
Objectives
After completing this lesson, you should be able to:
- Explain the three types of Oracle Identity Manager users: system administrators, administrators of Oracle Identity Manager connectors, and end users
- Discuss the entities of which an Oracle Identity Manager user can be a member (that is, organizations and user groups)
- Differentiate between an organization and a user group
- Create records for an organization, the three types of Oracle Identity Manager users, and a user group
- Assign an Oracle Identity Manager user to a user group
In addition, you should be able to explain:
- How administrators view and modify their profiles in Oracle Identity Manager
- How administrators change their challenge questions and, as a result, reset their passwords
- What a proxy is
- How administrators assign, modify, and remove proxies
- How administrators see the resources that are provisioned to them
- How administrators see requests that are initiated by them and requests that require their approval
Oracle Identity Manager has three types of users:
- System administrators: Users who have both read access and write access to all forms and records in Oracle Identity Manager
- Administrators of Oracle Identity Manager connectors: Users who have read- and write-access rights to their own user profiles (and the records associated with them), as well as the profiles and records of any end users whom they supervise
- End users: Users who are recipients of the resources that are provisioned to them by Oracle Identity Manager. They have read-access rights to their own user profile (and the records associated with it).
In addition, you learn how to assign a user to a group and perform various administrative functions for a user.
Creating an Organization
Example: Creating an organization named Curriculum Dev. The organization's classification type is Department.
Creating a User
Example: Assigning the user named Robert La Vallie to the ORACLE 9i USERS group
Administrators can see basic information about their user accounts. This example shows the profile of the administrator named Pauline Sammut.
Administrators can change basic information about their user accounts. This example illustrates modifying the profile of the administrator named Pauline Sammut.
5 - 16
5 - 17
5 - 18
Administrators can reset their passwords. This example illustrates resetting an administrator's password.
Proxies: Overview
Administrators can delegate any task approval responsibilities for which they are unavailable (because of illness, vacation, and so on) to another administrator. This delegated administrator is known as a proxy.
Assigning a Proxy
Administrators can assign proxies. This example illustrates assigning a proxy named Leonard Agneta to an administrator.
Modifying a Proxy
Administrators can modify their proxies. This example illustrates modifying the proxy named Leonard Agneta for an administrator.
Removing a Proxy
Administrators can remove their proxies. This example illustrates removing the proxy named Leonard Agneta from an administrator.
Administrators can see the resources that are provisioned to them. This example shows that a resource named Oracle RO is provisioned to an administrator.
Administrators can see the requests that they initiate as well as requests that require their approval.
Summary
In this lesson, you should have learned how to:
- Create system administrators, administrators of Oracle Identity Manager connectors, and end users
- Create organizations and user groups
- Differentiate between an organization and a user group
- Assign a user to a user group
- View and modify an administrator's profile in Oracle Identity Manager
- Change an administrator's challenge questions and answers
- Reset an administrator's password
In this lesson, you should have learned how to:
- Assign, modify, and remove a proxy for an administrator
- See the resources that are provisioned to an administrator
- View, track, and approve requests generated by and for an administrator
Objectives
After completing this lesson, you should be able to do the following:
- Identify resources and Oracle Identity Manager connectors
- Explain how Oracle Identity Manager connectors differ from resources
- Discuss the three ways in which a connector can be assigned to an Oracle Identity Manager user
Resources
A resource is an external system, service, or application with which Oracle Identity Manager communicates to perform either provisioning or reconciliation.
[Diagram: Oracle Identity Manager communicating with resources such as servers, messaging applications, and operating systems]
Examples of Resources
Examples of resources include the following:
- Collaboration and messaging applications: Microsoft Exchange 3.3; Novell GroupWise 2.1
- Database servers: Oracle9i Database Enterprise Edition; Oracle Database 10g; MS SQL Server 2000
- Directory servers: MS Active Directory 4.4; Novell eDirectory 2.1; Oracle Internet Directory 1.1; Sun Java System Directory Server 4.1
- Enterprise applications: Oracle E-Business Suite 2.1; PeopleSoft Enterprise Applications 3.0; SAP Enterprise Applications 3.0
- Operating systems: Microsoft Windows 2.1; UNIX 4.1
- Security managers: IBM RACF 1.1; RSA Authentication Manager 4.1
- Web access control applications: RSA ClearTrust 3.0
An Oracle Identity Manager connector is a container that holds all of the information that Oracle Identity Manager needs to:
- Reconcile with an external resource
- Provision a user with a target resource
Assigning a connector to a user does not necessarily mean that the related resource is provisioned to the user. For provisioning to occur, you must:
- Populate the fields of the custom process form that is contained in your connector
- Save this information to your Oracle Identity Manager database
There are three ways that an Oracle Identity Manager connector can be assigned to a user:
- Through direct provisioning
- Via criteria (autogroup membership rules and access policies)
- By requests

The following slides illustrate the three ways that a connector can be assigned to a user.
[Diagram: direct provisioning, in which an administrator assigns a connector to an end user]
The graphic in this slide illustrates how a connector can be assigned to an Oracle Identity Manager user via criteria (autogroup membership rules and access policies).
[Diagram: assignment via criteria, with the labels Administrator, Autogroup rule, User group, Access policy, Approver, Approval process, Connector, and End user]
The graphic in this slide illustrates how a connector can be assigned to an Oracle Identity Manager user by a request.
[Diagram: assignment by request, with the labels Request, Administrator, Approver, Approval process, Connector, and End user]
This example illustrates using direct provisioning to assign a connector to the end user named Leonard Agneta.
Another way to assign a connector to an end user is for Oracle Identity Manager to evaluate criteria about the user. These criteria include an autogroup membership rule and an access policy. For this to occur, you need to complete the following steps:
1. Assign an autogroup membership rule to a user group. As a result, Oracle Identity Manager can add the end user to the group.
2. Build the access policy. Oracle Identity Manager allocates the connector to the user because the user belongs to the user group.
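The following added example (not Oracle Identity Manager code, and not from the course) models the two-step chain above: user attributes are evaluated against autogroup membership rules to place the user in user groups, and access policies attached to those groups then determine which connectors the user receives. The rule format (a set of attribute/value conditions), the group, policy and connector names, the user records, and the choice that a connector denied by any applicable policy is withheld even if another policy allows it are all constructed assumptions of this example, not documented Oracle Identity Manager behaviour.

```python
"""Criteria-based connector assignment: autogroup rules and access policies.

Added illustration of the chain rule -> user group -> access policy ->
connector; not Oracle Identity Manager code. The rule format, the group,
policy and connector names, the deny-over-allow precedence and the sample
users are constructed for this example.
"""

# Step 1: an autogroup membership rule is a set of attribute/value conditions
# that must all hold for the user to be placed in the group automatically.
AUTOGROUP_RULES = {
    "Developers": {"department": "Curriculum Dev", "status": "Active"},
    "Oracle DBAs": {"title": "DBA", "status": "Active"},
    "Contractors": {"employee_type": "Contractor"},
}

# Step 2: an access policy names the user groups it applies to and the
# connectors it allows or denies for members of those groups.
ACCESS_POLICIES = [
    {"name": "Developer access", "groups": {"Developers"},
     "allow": {"Oracle RO"}, "deny": set()},
    {"name": "DBA access", "groups": {"Oracle DBAs"},
     "allow": {"Oracle RO", "Oracle Admin"}, "deny": set()},
    {"name": "Contractor restriction", "groups": {"Contractors"},
     "allow": set(), "deny": {"Oracle Admin"}},
]


def rule_matches(rule, user):
    """True when every condition of the rule holds for the user record."""
    return all(user.get(attr) == value for attr, value in rule.items())


def evaluate_groups(user, rules=AUTOGROUP_RULES):
    """User groups the user is placed in by the autogroup membership rules."""
    return {group for group, rule in rules.items() if rule_matches(rule, user)}


def evaluate_policies(groups, policies=ACCESS_POLICIES):
    """Connectors the access policies grant to a member of the given groups.

    Example precedence (constructed): a connector denied by any applicable
    policy is withheld even if another applicable policy allows it.
    """
    allowed, denied = set(), set()
    for policy in policies:
        if policy["groups"] & groups:
            allowed |= policy["allow"]
            denied |= policy["deny"]
    return allowed - denied


def assign_connectors(user):
    """Full chain: user attributes -> user groups -> connectors to assign."""
    return evaluate_policies(evaluate_groups(user))


# Constructed user records; the attributes are the inputs to the rules.
USERS = {
    "lagneta": {"first_name": "Leonard", "last_name": "Agneta", "status": "Active",
                "department": "Curriculum Dev", "title": "Developer",
                "employee_type": "Employee"},
    "jjames": {"first_name": "Jill", "last_name": "James", "status": "Active",
               "department": "IT", "title": "DBA", "employee_type": "Contractor"},
    "psammut": {"first_name": "Pauline", "last_name": "Sammut", "status": "Disabled",
                "department": "Curriculum Dev", "title": "Developer",
                "employee_type": "Employee"},
}

if __name__ == "__main__":
    for login, record in USERS.items():
        print(login, sorted(evaluate_groups(record)), sorted(assign_connectors(record)))
```

Because membership is derived from attributes rather than assigned by hand, a change to a user record (for example, psammut's status becoming Disabled) drops the user out of the group and, with it, out of every connector the policy grants; the jjames record shows the two policies interacting, with the DBA policy allowing Oracle Admin and the contractor policy withholding it.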
This example illustrates creating an access policy for the Developers user group.
This example illustrates using a request to assign the Oracle RO connector to the user with the ID of LAGNETA.
Summary
In this lesson, you should have learned how to:
- Identify resources and Oracle Identity Manager connectors
- Differentiate between Oracle Identity Manager connectors and resources
- Assign an Oracle Identity Manager connector to a user through direct provisioning, criteria (specifically, autogroup membership rules and access policies), and requests
Objectives
After completing this lesson, you should be able to:
- See how administrators of Oracle Identity Manager connectors can view a graphical representation of a provisioning workflow
- Analyze what approval processes are and how they impact a provisioning workflow
- Identify the key features of autoprovisioning
- Discuss other day-two provisioning functions that an administrator of an Oracle Identity Manager connector can perform. These functions include:
  - Temporarily deactivating an end user's account with a resource
  - Reinstating an end user's account
  - Modifying the password of an end user's account
  - Permanently revoking the access rights that an end user has with the resource
Features of the Graphical Workflow Definition Renderer include:
- Dragging and dropping the components that appear in the workflow (for visibility purposes)
- Customizing the items that can be displayed in the workflow
- Saving the current state of the workflow as an image
- Refreshing the workflow
An approval process is used to approve the provisioning of a representative resource for a user. Approval processes are usually completed manually whereas provisioning processes are typically completed automatically. To complete an approval process, certain tasks must be completed. Although a connector is not required to have an approval process, it must have at least one provisioning process.
In this example, the user who belongs to the US_ORACLE_RO_APPROVERS group approves the allocation of the Oracle RO connector for the user named Jill James.
Types of Provisioning
Manual Provisioning
An administrator of an Oracle Identity Manager connector completes the custom process form and saves the values to the database. Manual intervention is required by the administrator for provisioning to occur.
Autoprovisioning
With autoprovisioning, Oracle Identity Manager provisions the corresponding resource to an end user after the connector is assigned to the user.
Oracle Identity Manager is an application that can handle day-two provisioning functions, including:
- Temporarily disabling an end user's account with an external resource
- Reinstating the user's account with the resource
- Modifying the password of the user's account
- Permanently revoking the access rights that the user has with the resource
Summary
In this lesson, you should have learned how to:
- View a graphical representation of a provisioning workflow in Oracle Identity Manager
- Discuss approval processes, including how they affect a provisioning workflow
- Complete an approval process
- Analyze autoprovisioning
- Perform day-two provisioning functions, including:
  - Disabling an end user's account with an external resource
  - Reinstating the account
  - Modifying the password of the user who is accessing the account
  - Deleting the user's account with the resource
Objectives
After completing this lesson, you should be able to:
- Identify the two levels of customization for the Oracle Identity Manager Administrative Console
- Modify the look and feel of the console to brand it for your company
- Change the functionality of the console without modifying the Oracle Identity Manager code
- Explain why the code should never be changed
Levels of Customization
There are two levels of customization that an administrator should perform with the Oracle Identity Manager Administrative Console:
- Modifying the look and feel of the console (that is, branding it)
- Changing the functionality of the console without modifying the Oracle Identity Manager code
There are different ways to brand the Administrative Console, including:
- Customizing the overall layout of the Web pages of the console
- Modifying the descriptive text and labels that appear on the Web pages of the console
- Replacing company and product logos with your own icons
- Changing the color, font, and alignment of text
There are different ways to change the functionality of the Administrative Console without changing the code, including:
Customizing the self-registration process for creating a user's account
Configuring how users can modify the profiles of their accounts
Customizing the behavior of the fields that appear on the Web pages of this console
Setting the menu items that are available to users who belong to a particular group
Customizing search pages
In this example, you customize the general layout of a Web page by displaying the company logo at the right side of the header banner.
Adding Logos
In this example, you replace the product's default logo with your own company logo.
In this example, you modify the text and label of the Search User button that appears on the Manage User form.
In this example, you change the Middle Name field of the User Self-Registration form from optional to mandatory.
In this example, you change the Email Address field of the Create User form from optional to mandatory.
In this example, you add menu items associated with deploying Oracle Identity Manager connectors to users (such as Dawn Jones) who belong to a particular group.
In this example, you customize the search pages of your console by reducing (from 10 to 5) the maximum number of search results that can appear on a Web page.
Summary
In this lesson, you should have learned how to:
Differentiate between the two levels of customization for the Oracle Identity Manager Administrative Console
Brand the console
Change the functionality of the console without modifying the Oracle Identity Manager code
Explain why the code should never be changed
Objectives
After completing this lesson, you should be able to do the following:
Describe the benefits of transferring Oracle Identity Manager connectors from one environment to another
Identify the different ways that connectors can be transported between environments
Explain how to export a connector
Discuss how to import a different connector and configure it so that it is operable in your environment
To export an Oracle Identity Manager connector so that it is operable in another environment:
1. Build an *.xml file that contains the components of your connector.
2. Export this file into a designated location that can be accessed from your home or office environment.
The values in the custom process form represent the login credentials of the target user that Oracle Identity Manager passes into the corresponding external resource (in this case, an Oracle database).
This screenshot illustrates a successful login to your Oracle SQL*Plus client. It indicates that the designated user is provisioned with the external resource (in this case, an Oracle database).
Summary
In this lesson, you should have learned how to:
Describe the benefits and different ways of transferring Oracle Identity Manager connectors between environments
Discuss how to export an Oracle Identity Manager connector
Explain how to import a different Oracle Identity Manager connector and configure it so that it works in your environment
Creating Reports
Objectives
After completing this lesson, you should be able to do the following:
Identify the two types of reports that an administrator can create for Oracle Identity Manager users: operational reports and historical reports
Differentiate between these two types of reports
List the different operational and historical reports that are available with Oracle Identity Manager
Discuss additional reports that can be created by using a third-party tool (such as Crystal Reports)
Create operational and historical reports with the Oracle Identity Manager Administrative Console
An administrator can create two types of reports for Oracle Identity Manager users:
Operational reports: Information about resources that a user can access (current data)
Historical reports: Information about resources that are associated with a user throughout that user's employment with the company (life-cycle data)
There are four types of operational reports:
Who Has What
Resource Access List
Entitlements Summary
Policy List
There are five types of historical reports:
User Resource Access History
Resource Access List History
User Profile History
User Membership History
Group Membership History
An administrator can create the following eight additional reports by using a third-party reporting tool.
Who Has What: Lists the users and the resources with which they are provisioned
Direct Provisioned: Shows the following information:
Resources that are directly provisioned to the target users
User who directly provisioned the resources for the target users
Users who received the resources
In this example, you create a Who Has What operational report for the user with the ID of RLAVALLI.
In this example, you create a Policy List operational report. Users Access Policy is the designated policy and Oracle 9i Users is the target user group.
Summary
In this lesson, you should have learned how to:
Identify operational reports and historical reports (and the differences between them)
List the different operational and historical reports that are available with Oracle Identity Manager
Discuss additional reports that can be created by using a third-party tool (such as Crystal Reports)
Create operational and historical reports with the Oracle Identity Manager Administrative Console
Operational reports
Who Has What
Resource Access List
Entitlements Summary
Policy List
Historical reports
User Resource Access History
Resource Access List History
User Profile History
User Membership History
Group Membership History
Understanding Attestation
Objectives
After completing this lesson, you should be able to:
Define attestation and attestation processes, including the fundamental components of an attestation process
Describe the types of users who analyze, create, and manage attestation processes
Identify the types of data that can be attested
Discuss the different ways that attestation processes can be executed (that is, the schedule for attestation processes)
Explain the workflow of an attestation process from beginning to end
Attestation
Mechanism by which Oracle Identity Manager users are notified periodically of a report they must review
This report outlines the provisioned resources that certain users have.
Process of authorizing established internal controls, processes, and policies for user-related and transactional-related data
Attestation Processes
An attestation process is the framework by which an attestation workflow is set up and created. It contains the following run-time components:
[Figure: run-time components of an attestation process; the components legible in the figure are User Data and Schedule]
Compliance manager
System administrator
Process owner
Reviewer
Two types of data can be attested:
Oracle Identity Manager users and the resources they can access
Fine-grained privileges that determine how a user should be entitled to a resource
All activities that are associated with an attestation process can be:
Run at a periodic interval (for example, every three months)
Executed on demand
[Figure: attestation workflow, from the schedule and user data, through the e-mail reviewer notification, to the reviewer's action (Certify, Decline, Reject, or Delegate), followed by an e-mail notification]
Summary
In this lesson, you should have learned how to:
Identify attestation and attestation processes, including the primary components of an attestation process
Describe the users, data, and schedules that are associated with attestation processes
Explain how an attestation process works from beginning to end
Objectives
After completing this lesson, you should be able to:
Configure your Oracle Identity Manager environment so that it can handle attestation processes
Create an attestation process through the Oracle Identity Manager Administrative Console
Access the Administrative Console as a reviewer and act on an attestation process that is assigned to you: certify it, decline it, reject it, or delegate it to another reviewer
Access this console as a process owner and view information about the attestation process, including its status: whether it is certified, rejected, declined, or delegated to another reviewer
There are six steps in setting up an attestation process:
1. Configuring your Oracle Identity Manager environment so that its attestation features are available
2. Configuring the resource object of your connector so that its data can be reviewed during an attestation process
3. Configuring the process form of your connector so that its data is available for review during an attestation process
4. Assigning a manager to the user who is the recipient of the target resource (This manager is responsible for reviewing the attestation process for the user.)
By selecting this option, you can use the attestation features of Oracle Identity Manager for audit and compliance purposes.
Select the Financially Significant check box of your connector's representative resource object in the Design Console.
Set the value of this record to Resource Form in the Design Console.
Assign the manager with the ID of TJONES to the end user named Robert La Vallie. This manager is responsible for reviewing the attestation process for the user.
Assign menu items to users who belong to the IT group. This group represents the users who are responsible for creating and managing attestation processes.
Assign a menu item to users who belong to the Managers group. This group represents the users who are responsible for reviewing attestation processes.
There are five stages in creating an attestation process:
1. Defining high-level information about the attestation process
2. Defining the scope and reviewer for the attestation process
3. Defining the administrative details of the attestation process
4. Verifying the information of the attestation process
5. Assigning groups of users to the attestation process who are responsible for reviewing and managing it
On the Define Process screen, you specify high-level information about the attestation process.
On the Define Administrative Details screen, you specify how often the attestation process should be run. You also specify its process owner group.
On the Verify Info Page screen, you ensure that the information in the attestation process is correct.
On the Administrative Groups screen, you assign groups of users who are responsible for reviewing and managing the attestation process.
As a reviewer of an attestation process, you can perform one of the following actions with it:
Delegate it to another reviewer
Reject it
Certify it
Decline to act on it
As a reviewer, you perform an action on an attestation process. You can certify, reject, or decline an attestation process or can delegate it to another reviewer.
As a process owner, you can view both high-level and detailed information about an attestation process.
Summary
In this lesson, you should have learned how to:
Configure your Oracle Identity Manager environment so that it can handle attestation processes
Create an attestation process with the Oracle Identity Manager Administrative Console
Act on an attestation process as a reviewer: certify it, decline it, reject it, or delegate it to another reviewer
View information about an attestation process as a process owner, including its status: whether it is certified, rejected, declined, or delegated to another reviewer
Objectives
After completing this lesson, you should be able to troubleshoot problems that administrators commonly encounter with Oracle Identity Manager. These problems are fixed through the use of disaster-recovery procedures.
Problem: After launching the Oracle Identity Manager Diagnostic Dashboard, the Database Prerequisites Check fails.
The reason for the failure is that the current Java pool size of your Oracle database is 32 MB. As a result, it does not meet the minimum requirement of 60 MB.
Solution:
1. Stop the Oracle Identity Manager Server.
2. Access the database by using the Oracle Enterprise Manager Console.
3. Click the Instance subnode. A Configuration form is nested in this node.
4. Click the Configuration form (to make it active).
5. In this form, select the Memory tab. In the Java Pool field, enter 60. Then click the Apply button that appears on this tab. A Shutdown Options window appears.
6. In the Shutdown Options window, select the Immediate option. Then click OK. Your database is shut down and restarted so that the changes to your Java pool can be registered.
7. Close the Oracle Enterprise Manager Console.
8. Restart the Oracle Identity Manager Server.
Problem: After installing Oracle Identity Manager, you want to change the authentication mode from the application's default setting to Single Sign-On (SSO).
Solution:
1. Stop the Oracle Identity Manager Server.
2. Use a text editor to open the xlconfig.xml file, which is located in the E:\OIM901_Server\xellerate\config directory.
3. Look for the following piece of code: <Authentication> Default </Authentication>
4. Replace the Default value with the name of the header value configured in the SSO system.
5. Save your changes.
6. Restart the Oracle Identity Manager Server.
Problem: Exporting a file via the Deployment Manager form (which can be found in the Oracle Identity Manager Administrative Console) results in an invalid file, a corrupted XML file, or a file created with 0 KB.
Solution:
1. When you export your file, make sure that no other users are also attempting to export a file.
2. At the same time, verify that no reconciliation workflows or scheduled tasks are being run.
3. Reconfigure the minimum and maximum memory parameters of the JBoss application server to 512 MB and 1,024 MB, respectively.
Problem: The xelsysadm user account is locked and cannot be unlocked because an Oracle Identity Manager user exceeded the maximum number of login attempts.
Solution:
1. Stop the Oracle Identity Manager Server.
2. Open a DOS window.
3. In the DOS prompt that appears, enter sqlplus /nolog. A SQL prompt appears.
4. Connect to the Oracle database as an administrator (for example, connect sys/sys@train91 as sysdba, where sys is the system user and password and train91 is the name of the database).
5. Run the following statement (the login is a string literal, so it must be quoted): SQL>UPDATE SYS.USR SET USR_LOCKED=0, USR_LOGIN_ATTEMPTS_CTR=0 WHERE USR_LOGIN='XELSYSADM';
6. After you see that the row is updated, commit the changes to the database. To do so, enter the following at the SQL prompt: SQL>commit;
7. Restart the Oracle Identity Manager Server.
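The reset in step 5, as an added example that is not the course's own code: the same UPDATE on the USR table, issued with a bound parameter instead of an inline literal, and committed only after the row count confirms that exactly one locked account was touched. sqlite3 stands in for the Oracle database so it runs offline, and the USR rows are constructed.

```python
# Added example (not the course's code): the reset in step 5 done with a bound
# parameter and a row-count check before committing. The USR table and its columns
# USR_LOGIN, USR_LOCKED and USR_LOGIN_ATTEMPTS_CTR are the ones the lesson names;
# sqlite3 stands in for the Oracle database so this runs offline, and the rows
# below are constructed. Against Oracle the same SQL runs via python-oracledb.
import sqlite3


def seed_usr_table() -> sqlite3.Connection:
    """Open an in-memory stand-in database with a USR table of constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE USR (USR_LOGIN TEXT PRIMARY KEY, "
        "USR_LOCKED INTEGER NOT NULL, USR_LOGIN_ATTEMPTS_CTR INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO USR VALUES (?, ?, ?)",
        [("XELSYSADM", 1, 5),   # locked after too many failed logins
         ("RLAVALLI", 0, 0),    # ordinary, unlocked account
         ("TJONES", 1, 3)],     # another locked account; must stay untouched
    )
    conn.commit()
    return conn


def unlock_account(conn: sqlite3.Connection, login: str) -> dict:
    """Unlock one account and zero its failed-login counter.

    The login is a bound parameter, never pasted into the statement, and the
    UPDATE is committed only if it touched exactly one row (step 6 of the lesson).
    """
    rows = conn.execute(
        "SELECT USR_LOCKED, USR_LOGIN_ATTEMPTS_CTR FROM USR WHERE USR_LOGIN = ?",
        (login,),
    ).fetchall()
    if len(rows) != 1:
        raise ValueError(f"expected one USR row for {login!r}, found {len(rows)}")
    locked, attempts = rows[0]
    if not locked:                      # nothing to do; report it for the change log
        return {"login": login, "changed": False, "previous_attempts": attempts}
    cur = conn.execute(
        "UPDATE USR SET USR_LOCKED = 0, USR_LOGIN_ATTEMPTS_CTR = 0 WHERE USR_LOGIN = ?",
        (login,),
    )
    if cur.rowcount != 1:
        conn.rollback()
        raise RuntimeError("update did not affect exactly one row; rolled back")
    conn.commit()
    return {"login": login, "changed": True, "previous_attempts": attempts}


def locked_logins(conn: sqlite3.Connection) -> list:
    """Accounts still locked, to verify that only the intended one was reset."""
    return [r[0] for r in conn.execute(
        "SELECT USR_LOGIN FROM USR WHERE USR_LOCKED = 1 ORDER BY USR_LOGIN")]
```

The returned record (previous attempt count, whether anything changed) is what to attach to the change ticket, since an unlock done directly in the database leaves no trace in the application's own audit trail.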
Summary
In this lesson, you should have learned how to use disaster-recovery procedures to fix common problems that administrators encounter with Oracle Identity Manager.