Identity
An identity is a virtual representation of a resource user, including
employees, customers, partners and vendors.
Identity Management
Identity management defines the rights and relationships a user has when
interacting with a company's network.
Benefits of Identity Management
a) Centralized auditing and reporting: know who did what and report on
system usage.
b) Reduced IT cost: an immediate return on investment is realized by
eliminating paper forms, phone calls and wait time for new account
generation, and by enabling user self-service and password management.
c) Minimized security risk: control access to the network and instantly
update accounts in a complex enterprise environment, including layoffs,
acquisitions, partner changes, and temporary and contract workers.
d) Legal compliance: many government mandates require secure control of
access.
A user profile tells the company who the user is, what they are entitled to do,
when they are allowed to perform specific functions, where they are allowed to
perform those functions from, and why they have been granted permission.
Identity Management Solution Implementation Steps:
Step 1: Inventory and assess investments and processes.
Clean and consolidate identity data stores.
Create virtual identities for enterprise users.
Step 2: Design and deploy the identity infrastructure components (RAM,
hard disks and OS).
Create identity provisioning; deploy password management, user
self-service and regulatory compliance.
Step 3: Deliver applications and services.
Deploy access management to the cleaned environment.
Leverage the established identities to improve supply chain and employee
efficiency.
2. OIM Architecture
Presentation tier:
It consists of Oracle Identity Self Service, Oracle Identity System
Administration, the OIM Design Console and custom applications (Java, .NET,
etc.).
Users log in using an OIM client; the OIM client interacts with the OIM
server, providing it with the user's login credentials.
Business tier: The core functionality of the OIM platform is implemented in Java using a highly
modular, object-oriented methodology.
This makes OIM flexible and extensible.
Core components: API services: OIM supports APIs that allow custom clients to integrate
with OIM.
Core services: OIM offers the following core services:
1. User Management.
2. Policy Management Services.
3. Provisioning and Reconciliation Services.
Integration services: integration services are based on the adapter factory and
connector framework, which dynamically generate the integration code
based on the metadata definitions of the adapters.
Platform services: OIM offers the request management service, the entity manager
service and the scheduler service.
The business service tier implements the business logic, which resides in Java
data objects that are managed by the supported J2EE application server
(JBoss Application Server, BEA WebLogic Server and IBM WebSphere).
The Java data objects implement the business logic of the OIM application;
however, they are not exposed to any application from the outside world.
Therefore, to access the business functionality of OIM, we use the API within
the J2EE infrastructure, which provides the lookup and communication
mechanism.
Data tier:
The OIM data tier consists of the data repository or database, which manages and
stores OIM data and metadata in an ANSI SQL 92 compliant relational database,
and the identity store (directory).
Embedded libOVD for HA.
Database transactional and metadata repositories:
OIM and SOA schemas for the transaction database.
MDS schema for storing configuration.
External dependencies: Nexaweb for Deployment Manager capabilities to
import/export OIM artifacts.
OSCache and JGroups for cache management.
3. OIM Terminologies:
1. OIM User
It is an account that helps in managing the compliance of an organization
and in providing access rights according to the user's identity in the related
organization.
The OIM user entity describes the user within the OIM namespace. The user entity
includes the user's first name, middle name, last name, display name,
login ID for OIM and email address. Other attributes are also associated
with the user: resource/application names (Siebel, Salesforce), roles
(bank update role, invoice process role), organization (company name) and
other OIM objects.
A user is associated with a single user entity within the OIM environment.
OIM maintains two types of status information for a user account:
1. Identity status.
2. Account status.
The user entity is tied to the identity status.
The identity status for an account can be one of Active, Disabled or Deleted.
The account status is Locked or Unlocked.
User:
into.
3. Roles
An OIM role is used to define the access rights that an entity may have.
Roles use unique role names to differentiate them within the OIM
environment.
A role may be associated with one or more access rights to OIM functions.
Roles are closely related to the access rights of users to use resources.
4. Role Hierarchy
It describes the relationship between two or more roles defined within OIM.
A role may act as both a parent and a child of other roles.
5. Role Category
Roles can be grouped into a category, organizing the roles for the purpose of
navigation and authorization. Two categories exist by default in an
out-of-the-box installation of OIM.
Difference between OIM 10g and OIM 11g
OIM 10g | OIM 11g
Reconciliation Manager in the Design Console | Event Management in the Admin Console
Object form | Request data set
Creation of a new IT resource from the Design Console or Admin Console | Creation of a new IT resource from the Admin Console
Struts-based UI | ADF-based UI
Approval workflow creation from the Design/Admin Console | Approval workflow creation from the IDE using the SOA plugin
Custom workflow engine | BPEL as the workflow engine
No notification tasks | Notification tasks, which are separate from scheduled task jobs
No approval policies | Approval policies
No need for BI Publisher | BI Publisher needed for OOTB reporting
4. Connector
It is a container that holds the information that OIM needs to reconcile user
identities with an external source and to provision accounts to a target resource.
The connector components are:
Resource definition:
This is a virtual representation of the target application on which we want to
provision accounts.
It is the parent record with which the provisioning process (process definition) and
process form are associated.
Process definition:
It is used to create, update and delete accounts on the target system.
5. Adapter
This is a small component in IDM that is used to perform a particular
function in IDM.
It can be attached to a form or a task, depending on the type of adapter. It performs
various operations in OIM.
The biggest advantage of an adapter is that it is a reusable component.
6. Provisioning
It is the process by which the creation, modification or deletion of user information
in a target resource is initiated by OIM; data flows from OIM to the resource.
Provisioning of users is achieved by using connectors and other
configuration in OIM to save their information in the target system.
Types of provisioning:
There are two ways in which the attributes of a custom process form are
populated with the information and corresponding data used by OIM to
provision a user with a resource.
Manual provisioning:
The OIM administrator completes the form and saves the values into the database.
Manual intervention by the administrator is required for provisioning to occur.
In other words, manual provisioning is the process by which an OIM administrator
populates the process form of the connector that represents the resource to be
provisioned and saves the form values to the database.
Auto provisioning:
OIM fills out the process form, saves the information to its database and uses this
data to provision the user with the resource.
OIM completes these actions (instead of the administrator) with no manual
intervention required.
OIM populates the process form through adapters that are activated when
certain rules or conditions are met. OIM itself completes these three actions
(instead of an administrator).
Auto provisioning eliminates the manual steps performed by an administrator to fill
out the custom process form and save the form values into the database.
Resource-level provisioning in OIM:
Day 1 provisioning:
It involves the initial creation of access privileges to resources for users and
Direct provisioning:
This provisioning is performed by system administrators: a user requests
access to target system accounts using the OIM self-service console and the
administrator provides the access as requested by the user.
Policy-based provisioning:
When you use access policies for auto provisioning, it is called policy-based
provisioning.
There are three types of objects required to perform automatic provisioning
based on access policies.
The main objects required for policy-based provisioning are:
Rules
Groups
Access policies
We can use rules to place users into specific OIM groups.
Once a user is a member of a group, access policies can be used to
perform policy-based provisioning in OIM.
Rules are evaluated whenever an update is made to the user's attributes
(password change, email address change); we can also use the OIM API
updateUser() to re-evaluate users.
There is a scheduled task called Evaluate User Policies delivered OOTB (out
of the box). This task is useful if you want to provision users by
validating all the rules, then automatically adding/removing groups, and finally
7. Reconciliation
It is the process by which OIM receives information from resources.
Reconciliation is the process by which an action to create, modify or delete an
identity for a designated resource in OIM is initiated from another, external
resource. OIM communicates with this resource to receive user information.
The reconciliation process compares the user entries in the OIM repository and the
target system repository, determines the difference between the two repositories
and applies the latest changes to the OIM repository.
In terms of data flow, reconciliation provides an inward flow of user
information into OIM, using either a push model or a pull model, through which
OIM learns about any activity on the external resource.
Reconciliation of roles, role memberships and role hierarchy changes is handled
as separate reconciliation events.
Reconciliation Architecture
Reconciliation is the process of pulling user data from the target system into OIM to
keep the entity data in a consistent state between the two systems.
The reconciliation architecture is described in the following steps:
Each connector has scheduled tasks associated with it. The scheduler triggers
In trusted resource reconciliation, the process form is not used because there is
no provisioning process involved.
Modes of reconciliation
Regular mode: the reconciliation event contains all data and is handled
without additional processing. This has performance benefits.
Change log mode: the reconciliation event contains only the data that
changed and is handled with the required processing. The mode can be
configured in the reconciliation profile or as a flag in the reconciliation event
creation API.
Create Reconciliation Profile
A reconciliation profile is the configuration defined to govern how reconciliation
is run for a particular resource.
A particular resource can have multiple reconciliation profiles, each of which defines
multiple matching rules, action rules and field mappings, which can differ in
each profile corresponding to the resource.
The reconciliation profile is an XML-based configuration file stored in OIM MDS
(metadata store).
The Create Reconciliation Profile button is used to push changes (such as newly
added attributes) into the reconciliation profile stored in MDS.
Approaches to reconciliation
Full: this is the first-time reconciliation.
Incremental: this is based on schedule time.
Reconciliation events:
Update Received, Create Received and Delete Received.
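The comparison described in this section, carried through in code as an added example (not Oracle's implementation): a small reconciliation profile with field mappings and a matching rule is run over a constructed OIM repository and target snapshot, producing Create/Update/Delete Received events, with regular versus change-log payloads and with delete detection restricted to a full run. Attribute names and records are assumed.

```python
"""Reconciliation sketch: compare a target-system snapshot with the OIM
repository and emit Create/Update/Delete Received events. This is an added
example, not Oracle's code; attribute names and records are constructed."""
from dataclasses import dataclass, field


@dataclass
class ReconProfile:
    field_mappings: dict       # target attribute -> OIM attribute (assumed names)
    match_key: str             # OIM attribute the matching rule compares on
    mode: str = "regular"      # "regular" (all data) or "changelog" (changed data only)


@dataclass
class ReconEvent:
    kind: str                  # "Create Received" | "Update Received" | "Delete Received"
    key: str
    data: dict = field(default_factory=dict)


def map_record(profile, target_record):
    """Apply the profile's field mappings to one raw target record."""
    return {oim_attr: target_record[t_attr]
            for t_attr, oim_attr in profile.field_mappings.items()
            if t_attr in target_record}


def reconcile(profile, oim_repo, target_records, full=True):
    """Return the reconciliation events needed to bring oim_repo in line with
    target_records. Delete detection is only valid for a FULL run: an
    incremental run sees a partial snapshot, so absence means nothing."""
    events, seen = [], set()
    for raw in target_records:
        mapped = map_record(profile, raw)
        key = mapped[profile.match_key]
        seen.add(key)
        existing = oim_repo.get(key)
        if existing is None:
            events.append(ReconEvent("Create Received", key, mapped))
            continue
        changed = {a: v for a, v in mapped.items() if existing.get(a) != v}
        if changed:   # matching rule found the user; emit only when something differs
            payload = changed if profile.mode == "changelog" else mapped
            events.append(ReconEvent("Update Received", key, payload))
    if full:
        for key, rec in oim_repo.items():
            if key not in seen and rec.get("Identity Status") != "Deleted":
                events.append(ReconEvent("Delete Received", key))
    return events


def apply_events(oim_repo, events):
    """Apply events to a copy of the OIM repository and return the copy."""
    repo = {k: dict(v) for k, v in oim_repo.items()}
    for ev in events:
        if ev.kind == "Create Received":
            repo[ev.key] = {**ev.data, "Identity Status": "Active"}
        elif ev.kind == "Update Received":
            repo[ev.key].update(ev.data)
        else:                               # Delete Received: soft delete, as OIM does
            repo[ev.key]["Identity Status"] = "Deleted"
    return repo


# Constructed sample data: an OIM repository keyed on User Login and a
# target-system snapshot that uses its own attribute names.
PROFILE = ReconProfile(
    field_mappings={"uid": "User Login", "givenName": "First Name",
                    "sn": "Last Name", "mail": "Email"},
    match_key="User Login", mode="changelog")

OIM_REPO = {
    "jdoe": {"User Login": "jdoe", "First Name": "John", "Last Name": "Doe",
             "Email": "jdoe@example.com", "Identity Status": "Active"},
    "asmith": {"User Login": "asmith", "First Name": "Ann", "Last Name": "Smith",
               "Email": "asmith@example.com", "Identity Status": "Active"},
}

TARGET_SNAPSHOT = [
    {"uid": "jdoe", "givenName": "John", "sn": "Doe", "mail": "john.doe@example.com"},
    {"uid": "bwayne", "givenName": "Bruce", "sn": "Wayne", "mail": "bwayne@example.com"},
]


def run_full_recon():
    """One FULL reconciliation of the sample data."""
    return reconcile(PROFILE, OIM_REPO, TARGET_SNAPSHOT, full=True)


if __name__ == "__main__":
    for ev in run_full_recon():
        print(ev.kind, ev.key, ev.data)
```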
8. LDAP
Directory servers (basic concepts of LDAP):
Directory: it is a specialized, structured database that stores data (user entries)
which can be searched easily for a particular purpose.
LDAP (Lightweight Directory Access Protocol):
It is an Internet Engineering Task Force (IETF) standard; an LDAP directory is
organized in the form of a simple hierarchical tree known as the directory information
tree.
DAP: it is the protocol to access a directory database.
DN (Distinguished Name):
Each user entry in an online directory is uniquely identified by a distinguished
name. The DN tells you exactly where the user entry resides in the directory
hierarchy. This hierarchy is represented by the directory information tree (DIT).
Directory Information Tree
O = Organization
C = Country
OU = Organizational Unit
CN = Common Name
SN = Surname
DC = Domain Component
Attribute syntax: attribute syntax is the format of the data that can be loaded
into each attribute.
Example: the Telephone Number attribute syntax is a string of digits that may
contain spaces and hyphens.
Object classes of the directory server: an object class is a group of attributes that
defines the structure of a user entry. When we define a user entry in the directory
we assign one or more object classes to it.
Example: the organizationalPerson object class includes the mandatory attributes
common name and surname and optional attributes such as telephone number and
address.
Subclass: it is an object class derived from another object class.
Superclass: the object class from which a subclass is derived is called the
superclass.
Example: organizationalPerson (superclass) and person (subclass).
Inherit: subclasses inherit all of the attributes belonging to their
superclasses.
Different types of object classes in LDAP
There are three types of object classes:
structural, auxiliary and abstract.
Structural object class: it describes the basic aspects of an object. Most
of the object classes that we use are structural object classes, and every user
entry belongs to at least one structural object class.
Example: these object classes model real-world entities and their physical or
logical attributes. Examples include people, printers and database
connections.
Auxiliary object class: auxiliary object classes are groupings of optional
attributes that expand the list of attributes in a user entry.
6. Active Directory:
It holds user entries.
AD is a special-purpose database.
The directory is designed to handle a large number of read and search
operations and a significantly smaller number of changes and updates.
AD user data is hierarchical, replicated and extensible.
AD LDAP port numbers: 389 and 636 (SSL).
LDAP Synchronization
OIM LDAP synchronization is the process of integrating OIM with LDAP servers (OID,
AD, ODSEE, OVD, OUD) so that users/groups/roles created in OIM are
synchronized automatically with the LDAP server.
LDAP synchronization can be configured during the OIM configuration phase.
OVD is mandatory for OIM LDAP synchronization with version 11.1.1.3; in later
versions OVD is optional.
When LDAP synchronization is enabled in OIM, four default jobs are enabled:
LDAP Sync Post Enable Provision Users to LDAP.
LDAP Sync Post Enable Provision Roles to LDAP.
LDAP Sync Post Enable Provision Role Memberships to LDAP.
LDAP Sync Post Enable Provision Role Hierarchy to LDAP.
OIM LDAP synchronization creates OIM users in the LDAP server under the default
user container configured during LDAP configuration.
Example: users with attribute value C=US should go to container C=US,
CN=user, DC=Domain.
Users with attribute value country=UK should go to container C=UK,
CN=user, DC=Domain.
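The container placement rule above, and the DN concepts from the LDAP section, as an added example that is not Oracle's code: it builds the user entry's DN under the country-specific container, escapes RDN values per RFC 4514 so a login such as "Doe, John" cannot break out of its RDN, and parses DNs back into RDNs to check where an entry sits. The user attribute names and the sample users are assumptions.

```python
"""DN construction and container placement for OIM LDAP synchronization.
Added example, not Oracle's code. The placement rule follows the text
(C=US users go under C=US,CN=user,DC=Domain); value escaping follows the
RFC 4514 rules so a login such as "Doe, John" cannot break out of its RDN."""

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;')

DEFAULT_CONTAINER = "CN=user,DC=Domain"     # default user container from the text


def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs = (ch in _SPECIAL
                 or (ch == '#' and i == 0)            # leading '#'
                 or (ch == ' ' and i in (0, last)))   # leading/trailing space
        out.append('\\' + ch if needs else ch)
    return ''.join(out)


def _split_unescaped(text, sep):
    """Split on sep, ignoring occurrences preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append(''.join(cur))
    return parts


def _unescape(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def parse_dn(dn):
    """Return the DN as a list of (TYPE, value) RDNs, most specific first."""
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        attr_type, _, raw = rdn.partition('=')
        rdns.append((attr_type.strip().upper(), _unescape(raw.strip())))
    return rdns


def user_container(user_attrs, default=DEFAULT_CONTAINER):
    """Container for the user: C=<country> above the default container when the
    user has a country attribute (assumed attribute name), else the default."""
    country = user_attrs.get("Country")
    if country:
        return "C=%s,%s" % (escape_rdn_value(country), default)
    return default


def user_dn(user_attrs):
    """DN of the user entry: CN=<User Login> under the chosen container."""
    return "CN=%s,%s" % (escape_rdn_value(user_attrs["User Login"]),
                         user_container(user_attrs))


def is_directly_under(dn, container):
    """True when dn is an immediate child of container (compared as parsed RDNs,
    so escaping and the case of attribute types do not matter)."""
    return parse_dn(dn)[1:] == parse_dn(container)


# Constructed sample users, one with a login that contains a DN metacharacter.
SAMPLE_USERS = [
    {"User Login": "jdoe", "Country": "US"},
    {"User Login": "Doe, John", "Country": "UK"},
    {"User Login": "nocountry"},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(user_dn(u))
```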
User creation in the LDAP directory (the hostname, port and LDIF file are placeholders; the bind password is the page's sample value):
cd <LDAP_BIN_PATH>
./ldapmodify -v -a -h <hostname> -p <portnumber> -D "cn=Directory Manager" -w oracle123 -f <user.ldif>
(-a adds the entries read from the LDIF file; -D and -w are the Directory Manager bind DN and password.)
9. UI Customization
The identity self-service user interface (UI) in OIM is based on the Application
Development Framework (ADF), which ensures consistent customization.
ADF allows UI customization that is safe from patches and upgrades.
ADF supports built-in customization and MDS customization.
Types of customization:
User customization: allows an end user to change the content of the
application at runtime to suit individual preferences and have those changes
retained the next time the user opens the application. It is nothing but
personalization.
Example: rearranging sections on the home page, adding or deleting them.
Saved searches.
Personalized view of the search result table.
Runtime customization: done in the browser itself, after activating a sandbox,
without restarting the server.
Example: change the logo and banner.
Change the dimensions of any element.
Change the font colour or background colour of any element.
Add/remove fields, buttons, links, table columns and menu items.
Seeded customization: adding task flows or changing the skin; deployed and
restarted, and exists as part of the deployed application.
Example: using ADF data validations.
Building a custom ADF task flow.
Adding one or more custom regions to the home page.
Creating an external link.
Sandbox: a sandbox is an area where metadata objects can be modified
without affecting their mainline usage pages.
In simple words, a sandbox is a temporary storage area that saves a group of
page customizations before they are either published to other users or
discarded.
A sandbox has a logical start and a logical end.
When customizing the UI through the web browser (runtime customization), sandbox
activation is mandatory.
Sandbox activation is always required before any of the following UI customization
activities:
Creating/modifying forms.
Adding custom attributes to the user form.
Creating application instances.
Adding roles/attributes to the request catalog.
We can have multiple sandboxes in OIM, but only one sandbox can be active
at any given time.
We can export and import sandboxes to move changes from the test
environment to the production environment.
Operations that can be performed on a sandbox are:
Activate.
Publish.
Deactivate.
Import/Export.
Before publishing the sandbox, close all open tabs.
Before publishing the sandbox, export the sandbox.
Sandbox backup of MDS:
Log in to the SOA admin console (EM console) as administrator.
On the landing page, click oracle.iam.console.identity.self-service.ear
version 2.0.
From the Application Deployment menu at the top, select MDS Configuration.
Under Export, select the "Export metadata documents to an archive on the machine
where this web browser is running" option and then click Export. All the
metadata is exported in a zip file.
Explain the Expression Language
EL is used to write expressions, for example to assign roles in the end-user
self-service console.
Out-of-the-box expression language is available in:
User context:
1. #{oimcontext.currentUser.adminRoles['OrclOIMSystemAdministrator'] != null}
2. #{oimcontext.currentUser['ATTRIBUTE_NAME']}
Request form context:
1. #{pageFlowScope.requestFormContext.requestEntityType == 'APP_INSTANCE'}
2. #{pageFlowScope.requestFormContext.beneficiaryIds}
Application Instance:
An application instance is a combination of a resource object plus an IT resource.
Application instance is a new entity introduced in OIM 11g R2.
An application instance is the entity that can be provisioned to users.
Application instances are published to the catalog, and users can access
application instances via the catalog.
In OIM 11g R2, resources and entitlements are bundled into application instances,
which users can select via the catalog.
We can create an application instance without installing a connector; this is a
disconnected application instance.
Example: UNIX, Linux and Windows. We can create an application instance with
a connector installation; this is a connected application instance.
Example: Flat File, Siebel, Salesforce, etc.
Application instances are created while a sandbox is active.
Application instances are published to organizations in OIM; these application
instances can be requested via the catalog by users belonging to the organization to
which the application instances are published.
An application instance can be associated with multiple organizations.
An application instance can have entitlements associated with it (role, group
and responsibility).
Two application instances cannot have the same IT resource.
Two application instances cannot have the same IT resource and resource object.
An application instance can have a parent application instance, in which case the
child application instance inherits the properties of the parent application
instance.
When you delete an application instance it is a soft delete. For a hard delete,
run the scheduled job Application Instance Post Delete Processing Job (with
mode Delete).
All application instances are published to the catalog by running the
scheduled job Catalog Synchronization Job.
Predefined roles of application instance:
Application Instance Viewer, Application Instance Administrator and Application
Instance Authorizer.
Connected application instance
1. Install the connector.
2. Tag properties: IT resource = true, Account Name = true, Entitlement =
true in the child process form.
3. Create a sandbox.
4. Create the application instance.
5. Create the form and associate it with the application instance.
6. Onboard entitlements.
7. Run the lookup recon scheduled job.
8. Run the entitlement sync scheduled job / run the catalog synchronization job
(automatic).
9. Publish the application instance (and its entitlements) to the organization.
Disconnected application instance
1. Create a sandbox.
2. Create the application instance (check Disconnected).
3. Create the form/child forms and associate them with the application instance.
4. OIM artifacts are created behind the scenes.
5. Publish the application instance to the organization.
6. Use the entitlement loader scheduled task in the flat file connector to load
lookups/entitlements.
Catalog:
Request catalog: this is a web-based interface that allows business users to
request roles, application instances and entitlements (within an application).
Catalog items: roles, application instances and entitlements that can be requested
via the catalog are called catalog items.
Category: each catalog item is associated with one and only one category; the
catalog administrator can provide a value for catalog items.
Tags: very important for searching the catalog; when users search the access
request catalog, the search is performed against tags. Tags are of three
types:
1. Auto-generated tags: the catalog synchronization process auto-tags the
catalog item using the item type, item name and item display name.
2. User-defined tags: additional keywords entered by the catalog
administrator.
3. Arbitrary tags: while defining metadata, if the user has marked that metadata
as searchable, then it will also be marked as a tag.
Catalog administrator: a global role that grants privileges to load and
manage the catalog.
Note: a user with system administrative privileges, such as xelsysadm, can also
load and manage the catalog.
Catalog Synchronization Job: it is a scheduled job that loads roles, application
instances and entitlements into the catalog. Run the catalog synchronization job to
populate all the items in the catalog.
10. Policies in OIM
What is an access policy?
Access policies are lists of user groups and the resources with which users in those
groups are to be provisioned or deprovisioned.
Access policies are created using the Access Policy menu item in the OIM
Administrator and User Console.
Note: if you select the Retrofit flag in an access policy, the resources are also
provisioned to the groups and sub-groups.
Access policy priority:
Policy priority is a number that is unique for each access policy you
create.
1 is the highest priority; a higher number means a lower priority.
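The rules, groups and access policies of policy-based provisioning (section 6) together with the priority rule just stated, worked through as an added example that is not Oracle's code: rules evaluate user attributes into group memberships, the policies attached to those groups decide which resources to provision or deny, and when two policies disagree the higher-priority (lower-numbered) one wins. The rule operators, the allow/deny conflict handling, the Retrofit helper and all sample data are constructed for illustration.

```python
"""Policy-based provisioning sketch: rules place users into groups, access
policies attached to those groups say which resources to provision or deny,
and policy priority (1 = highest) decides when two policies disagree.
Added example, not Oracle's code; the rule operators, the allow/deny conflict
handling and all sample data are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    attribute: str
    operator: str          # "==" or "in"
    value: object
    group: str             # group the user joins when the rule matches


@dataclass
class AccessPolicy:
    name: str
    priority: int                            # 1 is highest; larger number is lower
    groups: set                              # groups the policy is attached to
    provision: set = field(default_factory=set)
    deny: set = field(default_factory=set)   # resources the policy explicitly denies
    retrofit: bool = False                   # apply to existing group members too


def evaluate_rules(user, rules):
    """Groups the user belongs to after evaluating every rule."""
    groups = set()
    for r in rules:
        v = user.get(r.attribute)
        if (r.operator == "==" and v == r.value) or (r.operator == "in" and v in r.value):
            groups.add(r.group)
    return groups


def resolve_resources(groups, policies):
    """Resources the user should hold. Policies are visited from highest to
    lowest priority; the first policy to mention a resource decides it."""
    decision = {}                                       # resource -> "allow" | "deny"
    for p in sorted(policies, key=lambda p: p.priority):
        if not (p.groups & groups):
            continue
        for res in p.provision:
            decision.setdefault(res, "allow")
        for res in p.deny:
            decision.setdefault(res, "deny")
    return {res for res, d in decision.items() if d == "allow"}


def reevaluate(user, current_resources, rules, policies):
    """What the Evaluate User Policies job (or updateUser) would do for one
    user: returns (to_provision, to_deprovision)."""
    wanted = resolve_resources(evaluate_rules(user, rules), policies)
    return wanted - current_resources, current_resources - wanted


def retrofit_targets(policy, members_by_group):
    """Existing group members a newly created policy is applied to: only when
    the policy's Retrofit flag is set (assumed reading of the Retrofit note)."""
    if not policy.retrofit:
        return set()
    return {u for g in policy.groups for u in members_by_group.get(g, ())}


# Constructed sample data.
RULES = [
    Rule("Department", "==", "Finance", "Finance Users"),
    Rule("Country", "in", {"US", "UK"}, "Regional Staff"),
]
POLICIES = [
    AccessPolicy("Finance Apps", 1, {"Finance Users"}, provision={"SAP", "Email"}),
    AccessPolicy("Regional Access", 2, {"Regional Staff"}, provision={"VPN"},
                 deny={"SAP"}, retrofit=True),
]
USERS = {
    "jdoe": {"Department": "Finance", "Country": "US"},
    "asmith": {"Department": "Contracting", "Country": "UK"},
}


def demo():
    """Provisioning decisions for the sample users; jdoe currently holds Email
    and a legacy resource that no policy grants any more."""
    current = {"jdoe": {"Email", "Legacy App"}, "asmith": set()}
    return {login: reevaluate(attrs, current[login], RULES, POLICIES)
            for login, attrs in USERS.items()}


if __name__ == "__main__":
    for login, (prov, deprov) in demo().items():
        print(login, "provision:", sorted(prov), "deprovision:", sorted(deprov))
```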
Access policy data:
There are multiple ways in which process form data is supplied for resources
during provisioning.
The following is the order of preference built into OIM:
Default value from the form definition.
Organization defaults.
Values obtained through data flow from the object form to the process form.
Pre-populate adapters.
Access policy data, if the resource is provisioned because of a policy.
Data updated by process task or entity adapters.
Password policies:
Organization administrators can associate a password policy with an
organization.
All password policies are created by system administrators only.
A password policy set for an organization is applicable to that organization
and its sub-organizations.
Password policy priority determines which password policy is applicable to a
user if the user is a member of multiple organizations; if the organizations are in
a hierarchy, then the password policy of the organization closest to
the user is applicable.
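The resolution rule just described, carried through as an added example (not Oracle's code): a policy set on an organization covers its sub-organizations, a user in several organizations gets the policy with the best priority, and when those organizations lie in one hierarchy the organization closest to the user wins. The organization tree, the policies, their settings and the password checks are constructed.

```python
"""Password policy resolution sketch: a policy set on an organization applies
to it and its sub-organizations; for a user in several organizations priority
decides, unless those organizations lie in one hierarchy, where the
organization closest to the user wins. Added example, not Oracle's code;
organization tree, policies and settings are constructed."""

ORG_PARENT = {            # organization -> parent organization (None = top)
    "Top": None,
    "Europe": "Top",
    "UK": "Europe",
    "London": "UK",
    "Asia": "Top",
}

# organization -> (policy priority, policy settings); 1 is the highest priority
ORG_POLICY = {
    "Top": (3, {"min_length": 8, "require_digit": False}),
    "Europe": (2, {"min_length": 10, "require_digit": True}),
    "London": (1, {"min_length": 12, "require_digit": True}),
    "Asia": (4, {"min_length": 8, "require_digit": True}),
}


def org_chain(org):
    """The organization followed by its ancestors up to the top."""
    chain = []
    while org is not None:
        chain.append(org)
        org = ORG_PARENT[org]
    return chain


def applicable_policy_org(user_orgs):
    """Organization whose password policy applies to a user who is a member of
    user_orgs. Returns None if no policy is set anywhere above the user."""
    candidates = []                                  # (org, distance, priority)
    for org in user_orgs:
        for distance, ancestor in enumerate(org_chain(org)):
            if ancestor in ORG_POLICY:               # nearest policy above this org
                candidates.append((ancestor, distance, ORG_POLICY[ancestor][0]))
                break
    if not candidates:
        return None
    orgs = [c[0] for c in candidates]
    one_hierarchy = all(a in org_chain(b) or b in org_chain(a)
                        for a in orgs for b in orgs)
    # In one hierarchy the closest organization wins; otherwise priority decides.
    key = (lambda c: c[1]) if one_hierarchy else (lambda c: c[2])
    return min(candidates, key=key)[0]


def check_password(password, user_orgs):
    """Validate a password against the policy that applies to the user.
    Returns (ok, policy_org, reasons)."""
    org = applicable_policy_org(user_orgs)
    if org is None:
        return True, None, []
    settings = ORG_POLICY[org][1]
    reasons = []
    if len(password) < settings["min_length"]:
        reasons.append("shorter than %d characters" % settings["min_length"])
    if settings["require_digit"] and not any(ch.isdigit() for ch in password):
        reasons.append("no digit")
    return not reasons, org, reasons


if __name__ == "__main__":
    for orgs in (["London"], ["UK"], ["UK", "London"], ["Asia", "UK"]):
        print(orgs, "->", applicable_policy_org(orgs))
```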
11. Certification
The process of reviewing user entitlements and access privileges within an
enterprise to ensure that users have not acquired entitlements that they are not
authorized to have.
There are four types of certification in OIM:
1. User certification.
2. Role certification.
3. Application instance certification.
4. Entitlement certification.
Certifications can be scheduled, monitored, delegated and audited.
Both online and offline certification are supported.
Multi-phase review can be enabled.
User certifications or application certifications can be generated based on events.
Certification reports can be generated using BI Publisher at run time.
User certification:
Allows managers to certify employee access to roles, accounts and
entitlements.
Role certification:
Allows role owners to certify role content and/or role members.
Application instance certification:
Allows the person who is responsible for a particular system or application to
review the set of users who have accounts on that system or application.
Entitlement certification:
Allows entitlement owners to certify user accounts that have a particular
privilege.
Type of Certification | Paradigm | Actor | Line Items | Details
User Certification | User centric | Line of business manager | Users | Role assignments, accounts and entitlement assignments for each user
Role Certification | Privilege centric | Role owner | Roles | Two types of details: a. assignments of each role to users; b. access policies associated with each role
Certification concepts:
Line item: line items collect and group together, according to the type of
certification, the set of privilege assignments related to a particular identity or
privilege.
Line of business: a category of industry or business function.
Certification task: a line-item-specific SOA task that consists of a set of work
to be done within a certification process.
Certification object: a generated certification that is assigned to a particular
certifier or primary reviewer; it consists of a certification ID and a set of line items.
Certification definition: it contains the set of parameters (certification type,
selection criteria, restrictions, etc.) that is used as input to a certification job to
generate certification objects.
Certification jobs: used to create certifications as requested or as scheduled.
Event listener: a service that responds to changes in users; supported for
user and application instance certifications.
Certification security: OIM admin roles administer the certification feature
and monitor the progress of certification instances.
a. Certification Administrator: grants the assignee super-user privileges for the
certification feature: access to the certification configuration and scheduler,
and full access to certifications, where they can view or take action on any
certification.
b. Certification Viewer: a read-only role, allowing a compliance administrator
to view new, in-progress and completed certifications.
Both are global admin roles that can be scoped only to the top organization.
They are mapped to corresponding OES application roles to be used in OES
authorization policies.
Certification process overview:
1. Prepare the environment.
2. Configure the risk.
3. Global configuration.
4. Define the certification campaign.
5. Launch and sign off the certification campaign.
6. Audit and reporting.
1. Preparing the environment:
Attribute tagging: IT resource and account fields in the Design Console.
Turn certification on/off.
System configuration: display certification as Attestation or Certification.
2. Configure the risk: define the default risk values assigned to new catalog
entries during import.
Configure the default risk values for each provisioning scenario: reconciliation, direct
provisioning, request-based provisioning, access-policy-based provisioning,
harvesting and role-based rule.
Define the risk for the last action performed against a certification entry.
3. Global configuration:
Interaction behaviour: password sign-off (require a password at sign-off).
Turn comments on/off.
Employee access: access to page one or directly to page two.
Filtering: self-certification (prevent reviewer self-certification).
Users and accounts to consider: active users and accounts.
4. Define the certification campaign:
Define the certification type.
Define the certification pages.
12. Scheduler
Scheduled tasks: in OIM, metadata is predefined for the default scheduled tasks.
New tasks can be added by the user with new metadata, or existing tasks
can be updated to add or update their parameters or configuration details.
A scheduled task contains the following metadata:
a. Name of the scheduled task.
b. Description.
c. Name of the Java class that runs the scheduled task.
d. Retry count.
e. Parameters (optional):
1. Name.
2. Data type.
3. Required/optional.
4. Help text.
5. Encryption.
Scheduled tasks are mainly of three types:
1. Predefined scheduled tasks:
These scheduled tasks are present in OIM by default.
Example 1: Password Expiration Task (enabled by default).
Example 2: Disable/Delete User After End Date.
Example 3: Enable User After Start Date.
Example 4: Run future-dated reconciliation events.
2. LDAP scheduled tasks: the scheduler triggers directory server data
synchronization using LDAP scheduled tasks.
Example: LDAP user create/update/delete reconcili<br>ation.
3. Custom scheduled tasks: these scheduled jobs are created using Java.
13. Event Handler
In OIM, or any identity system, any action performed by a user or the system is
called an operation.
Examples of operations:
1) Creating users.
2) Modifying roles.
3) Password policies.
Note: in OIM 11g an entity adapter cannot be attached to the process form, so
instead you will have to re-implement the entity adapters as event
handlers.
Orchestration: the process by which any OIM operation goes through a
predefined set of stages and executes business logic in each stage is called
orchestration.
The stages of orchestration:
Validation: to perform validation on the orchestration.
Pre-process: to perform orchestration parameter manipulations or get
approvals.
Action: in which the action takes place.
Audit: in which the auditing of the operation is performed.
Post-process: in which consequent operations related to the current operation
take place.
Finalization: the process to perform any clean-up.
result.
If it is executed in asynchronous mode, it must return null.
If the event handlers return any other combination, the process is moved to the failed state.
Post-process event handler:
The post-process event handlers are evaluated after the user record has been created
in the OIM database
(triggered after the action is executed, but within the transaction).
Example 1: password generation using custom policies.
Example 2: random password generation, sent to the user in an email notification.
For post-process event handlers, implement the interface below:
oracle.iam.platform.kernel.spi.PostProcessEventHandler
Post-process event handlers are synchronous with the main transaction; in
other words, they do not impact the main transaction's performance.
Validation event handler: triggered before the actual transaction starts; it can
prevent the transaction from happening if the validation fails.
A validation event handler implements the interface below:
oracle.iam.platform.kernel.spi.ValidationHandler
Custom event handler: event handlers are tied to specific entities in OIM, such as
users and groups. They are also tied to specific transactions, such as create, delete
and modify.
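The orchestration stages and the two handler kinds above, modelled as an added example that is not Oracle's kernel: a validation handler vetoes a User CREATE before the transaction starts, the action creates the record, and a post-process handler (random initial password plus a notification entry, as in Example 2) runs after the action but inside the same transaction, so a post-process failure rolls the action back. The handler signature, the in-memory database and the sample handlers are constructed.

```python
"""Mini orchestration runner modelled on the stages above: a validation handler
can veto an operation before the transaction starts, and a post-process
handler runs after the action but inside the same transaction, so its failure
rolls the action back. Added example, not Oracle's kernel; the handler
signature, the in-memory database and the sample handlers are constructed."""
import secrets
from dataclasses import dataclass, field


class ValidationFailed(Exception):
    """Raised by a validation handler to stop the operation."""


@dataclass
class Orchestration:
    operation: str                      # e.g. "CREATE"
    entity: str                         # e.g. "User"
    parameters: dict
    audit: list = field(default_factory=list)


STAGES = ("validation", "preprocess", "action", "audit", "postprocess", "finalization")


class Kernel:
    def __init__(self, db):
        self.db = db                                    # login -> user record
        self.handlers = {s: [] for s in STAGES}         # stage -> [(order, entity, op, fn)]

    def register(self, stage, entity, operation, fn, order=1000):
        """Handlers are tied to an entity and an operation and run in order."""
        self.handlers[stage].append((order, entity, operation, fn))
        self.handlers[stage].sort(key=lambda h: h[0])

    def _matching(self, stage, orch):
        return [fn for _, ent, op, fn in self.handlers[stage]
                if ent == orch.entity and op == orch.operation]

    def run(self, orch):
        # Validation runs before the transaction; a veto leaves the database untouched.
        for fn in self._matching("validation", orch):
            fn(orch, self.db)
        snapshot = {k: dict(v) for k, v in self.db.items()}     # transaction begins
        try:
            for stage in ("preprocess", "action", "audit", "postprocess"):
                for fn in self._matching(stage, orch):
                    fn(orch, self.db)
        except Exception:
            self.db.clear()                                     # roll back
            self.db.update(snapshot)
            raise
        finally:
            for fn in self._matching("finalization", orch):     # clean-up always runs
                fn(orch, self.db)
        return "SUCCESS"


# Sample handlers for a User CREATE operation.
def validate_login(orch, db):
    login = orch.parameters.get("User Login", "")
    if not login or login in db:
        raise ValidationFailed("login missing or already exists: %r" % login)


def create_user(orch, db):
    login = orch.parameters["User Login"]
    db[login] = {**orch.parameters, "Identity Status": "Active"}


def audit_create(orch, db):
    orch.audit.append(("CREATE", orch.parameters["User Login"]))


def generate_password(orch, db):
    """Post-process: random initial password, plus a notification record."""
    login = orch.parameters["User Login"]
    db[login]["Password"] = secrets.token_urlsafe(12)
    orch.audit.append(("NOTIFY", orch.parameters.get("Email")))


def build_kernel(db):
    k = Kernel(db)
    k.register("validation", "User", "CREATE", validate_login)
    k.register("action", "User", "CREATE", create_user)
    k.register("audit", "User", "CREATE", audit_create)
    k.register("postprocess", "User", "CREATE", generate_password)
    return k


def create(kernel, login, email):
    """Run a User CREATE orchestration; returns (status, orchestration)."""
    orch = Orchestration("CREATE", "User", {"User Login": login, "Email": email})
    return kernel.run(orch), orch


if __name__ == "__main__":
    users = {}
    print(create(build_kernel(users), "jdoe", "jdoe@example.com")[0], users)
```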
In OIM 11g event handlers are implemented through the plugin framework.
1. Write the steps for a custom event handler plugin.
Write the Java class and package it into a JAR file.
Create a plugin directory and copy the JAR file into its lib folder.
Create the plugin.xml file.
Create the event handler metadata file (EventHandlers.xml).
Zip the JAR file, plugin.xml and EventHandlers.xml together.
Register the zip file using the plugin registration ANT script.
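The steps above worked through end to end, as an added example (not code from the original page or from Oracle): a validation-stage handler for the User entity that rejects a CREATE or MODIFY whose User Login falls outside a whitelist of characters, so the bad value never reaches the USR table or a downstream connector. The package and class name, the allowed-character pattern and the descriptor file contents are assumptions; the oracle.iam.platform.kernel interfaces, the "User Login" attribute name and the EventHandlers.xml element names are OIM 11g's, quoted from memory of its javadoc and documentation.

```java
package com.example.oim.handlers;   // hypothetical package name

import java.io.Serializable;
import java.util.HashMap;
import java.util.regex.Pattern;

import oracle.iam.platform.kernel.ValidationException;
import oracle.iam.platform.kernel.ValidationFailedException;
import oracle.iam.platform.kernel.spi.ValidationHandler;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.Orchestration;

/**
 * Validation-stage handler for the User entity. OIM calls it before the
 * CREATE/MODIFY transaction starts; throwing ValidationFailedException
 * aborts the operation, so nothing reaches the USR table.
 */
public class LoginFormatValidationHandler implements ValidationHandler {

    // Assumed policy: 3-30 characters from a conservative whitelist. This keeps
    // whitespace and LDAP/SQL metacharacters out of a value that later flows to
    // connectors and target systems.
    private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9._-]{3,30}$");
    private static final String LOGIN_ATTR = "User Login";   // user-entity attribute name

    @Override
    public void initialize(HashMap<String, String> params) {
        // Parameters declared on the handler in EventHandlers.xml arrive here; none are used.
    }

    @Override
    public void validate(long processId, long eventId, Orchestration orchestration)
            throws ValidationException, ValidationFailedException {
        // Single-entity path (GUI/API): the orchestration carries the entity's attributes.
        HashMap<String, Serializable> params = orchestration.getParameters();
        checkLogin(params.get(LOGIN_ATTR), orchestration.getOperation());
    }

    @Override
    public void validate(long processId, long eventId, BulkOrchestration bulkOrchestration)
            throws ValidationException, ValidationFailedException {
        // Bulk path (reconciliation): one parameter map per entity.
        for (HashMap<String, Serializable> params : bulkOrchestration.getBulkParameters()) {
            checkLogin(params.get(LOGIN_ATTR), bulkOrchestration.getOperation());
        }
    }

    /** MODIFY orchestrations omit unchanged attributes, so an absent login is only an error on CREATE. */
    static void checkLogin(Serializable login, String operation) throws ValidationFailedException {
        if (login == null) {
            if ("CREATE".equals(operation)) {
                throw new ValidationFailedException("User Login is required on CREATE");
            }
            return;
        }
        if (!ALLOWED.matcher(login.toString()).matches()) {
            throw new ValidationFailedException(
                "User Login '" + login + "' does not match the allowed format [A-Za-z0-9._-]{3,30}");
        }
    }
}

/* Assumed contents of the two descriptor files packaged with the JAR (zip layout:
 * lib/handlers.jar, plugin.xml, META-INF/EventHandlers.xml):
 *
 * plugin.xml
 *   <oimplugins>
 *     <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
 *       <plugin pluginclass="com.example.oim.handlers.LoginFormatValidationHandler"
 *               version="1.0" name="LoginFormatValidationHandler"/>
 *     </plugins>
 *   </oimplugins>
 *
 * META-INF/EventHandlers.xml (one element per operation the handler should cover)
 *   <eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel">
 *     <validation-handler class="com.example.oim.handlers.LoginFormatValidationHandler"
 *                         entity-type="User" operation="CREATE"
 *                         name="LoginFormatValidationHandler" order="1000"/>
 *   </eventhandlers>
 */
```

The bulk validate() matters in practice: trusted-source reconciliation creates users through the bulk path, so a handler that only implements the single-entity method silently lets reconciled logins bypass the check.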
EventResult: when a single user is created from the GUI, the handler's
single-entity execute() runs and returns an EventResult for that one user.
BulkEventResult: when users are created in bulk, for example by reconciliation
from a target system, the handler's bulk execute() runs and returns a
BulkEventResult.
Difference between scheduler and event handler?
Scheduler: triggers a process on a schedule, such as reconciliation or sending
notifications. The plugin point is oracle.iam.scheduler.vo.TaskSupport. The
scheduled task definition XML mentions only the task class, its parameters and
the retry count.
Event handler: executed in response to an action (operation) on an entity,
for example user creation or password generation. The plugin point is
oracle.iam.platform.kernel.spi.EventHandler. The EventHandlers.xml file
specifies the entity type, operation, stage and execution order of the
handler.
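An added example of the scheduler side of that comparison (not code from the original page): a TaskSupport subclass that locks the OIM users listed in a task parameter, the kind of job an incident responder schedules to lock a batch of compromised accounts in one pass. The class, package and parameter names and the task definition XML are assumptions; TaskSupport, Platform.getService() and UserManager.lock(String, boolean) are OIM 11g APIs as recalled from its javadoc.

```java
package com.example.oim.tasks;   // hypothetical package name

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.logging.Logger;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.platform.Platform;
import oracle.iam.scheduler.vo.TaskSupport;

/**
 * Scheduled task that locks every OIM user named in its "User Logins" parameter.
 * Runs once (or on a schedule) to lock a list of compromised accounts without
 * touching the rest of the user population.
 */
public class LockListedAccountsTask extends TaskSupport {

    private static final Logger LOG = Logger.getLogger(LockListedAccountsTask.class.getName());
    static final String PARAM_LOGINS = "User Logins";   // declared in the task definition XML below

    /** Entry point; the scheduler passes the parameters configured on the job. */
    @Override
    public void execute(HashMap params) throws Exception {
        List<String> logins = parseLogins((String) params.get(PARAM_LOGINS));
        if (logins.isEmpty()) {
            LOG.warning("No logins supplied; nothing to do");
            return;
        }
        UserManager um = Platform.getService(UserManager.class);
        for (String login : logins) {
            try {
                um.lock(login, true);   // true: the identifier is a login name, not a USR_KEY
                LOG.info("Locked " + login);
            } catch (Exception e) {
                // Keep going: one bad login must not leave the remaining accounts unlocked.
                LOG.severe("Failed to lock " + login + ": " + e.getMessage());
            }
        }
    }

    /** Splits a comma-separated parameter value, trimming blanks and dropping empties. */
    static List<String> parseLogins(String raw) {
        List<String> out = new ArrayList<>();
        if (raw == null) return out;
        for (String s : raw.split(",")) {
            String t = s.trim();
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    @Override
    public HashMap getAttributes() { return null; }

    @Override
    public void setAttributes() { }
}

/* Assumed task definition, imported into MDS. Compare it with EventHandlers.xml:
 * the scheduler descriptor carries the class, its parameters and the retry count,
 * but no entity type, operation, stage or order, because nothing triggers it except time.
 *
 *   <scheduledTasks xmlns="http://xmlns.oracle.com/oim/scheduler">
 *     <task>
 *       <name>Lock Listed Accounts</name>
 *       <class>com.example.oim.tasks.LockListedAccountsTask</class>
 *       <description>Locks the OIM users named in the User Logins parameter</description>
 *       <retry>0</retry>
 *       <parameters>
 *         <string-param required="true" helpText="Comma-separated user logins">User Logins</string-param>
 *       </parameters>
 *     </task>
 *   </scheduledTasks>
 */
```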
Implementation steps (ICF connector):
1. Implement the connector's configuration class by extending the class
org.identityconnectors.framework.spi.AbstractConfiguration
2. Implement the connector class by implementing the interface
org.identityconnectors.framework.spi.Connector
Note: this class also implements the operation interfaces (CreateOp,
UpdateOp, DeleteOp, and so on) for every operation the connector supports.
3. Implement the filters (the filter translator used by search).
Note: the connector supports only the filter operations it implements.
4. Upload the connector bundle to the OIM database.
5. Prepare the metadata for the connector.
6. Prepare the data for the provisioning and reconciliation processes.
7. Create the resource object, process form and process definition, IT
resource type definition, IT resource, and scheduled task.
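Steps 1 to 3 above in code, as an added example that is not from the original page or from any Oracle connector: a minimal ICF bundle with a configuration class and a connector that supports only create, delete and test. The package and class names and the in-memory map standing in for a target system are assumptions; the org.identityconnectors.framework types are the ICF API. SearchOp (and therefore the filter translator) is left out on purpose, which is also why OIM could not reconcile from this bundle: a connector exposes exactly the operations it implements, nothing more.

```java
package com.example.icf.inmemory;   // hypothetical bundle package

import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.identityconnectors.framework.common.exceptions.AlreadyExistsException;
import org.identityconnectors.framework.common.exceptions.ConfigurationException;
import org.identityconnectors.framework.common.exceptions.UnknownUidException;
import org.identityconnectors.framework.common.objects.Attribute;
import org.identityconnectors.framework.common.objects.AttributeUtil;
import org.identityconnectors.framework.common.objects.Name;
import org.identityconnectors.framework.common.objects.ObjectClass;
import org.identityconnectors.framework.common.objects.OperationOptions;
import org.identityconnectors.framework.common.objects.Uid;
import org.identityconnectors.framework.spi.AbstractConfiguration;
import org.identityconnectors.framework.spi.Configuration;
import org.identityconnectors.framework.spi.ConfigurationProperty;
import org.identityconnectors.framework.spi.Connector;
import org.identityconnectors.framework.spi.ConnectorClass;
import org.identityconnectors.framework.spi.operations.CreateOp;
import org.identityconnectors.framework.spi.operations.DeleteOp;
import org.identityconnectors.framework.spi.operations.TestOp;

/** Step 2: the connector class. The interfaces it implements are the operations OIM will
 *  offer for it; UpdateOp and SearchOp are absent, so update and search are not available. */
@ConnectorClass(displayNameKey = "inmemory.connector.display",
                configurationClass = InMemoryConnector.Config.class)
public class InMemoryConnector implements Connector, CreateOp, DeleteOp, TestOp {

    /** Step 1: the configuration class. Each property becomes an IT Resource parameter in OIM. */
    public static class Config extends AbstractConfiguration {
        private String tenant;

        @ConfigurationProperty(order = 1, required = true,
                displayMessageKey = "tenant.display", helpMessageKey = "tenant.help")
        public String getTenant() { return tenant; }
        public void setTenant(String tenant) { this.tenant = tenant; }

        /** Called by the framework (and by test() below) before the connector is used. */
        @Override
        public void validate() {
            if (tenant == null || tenant.trim().isEmpty()) {
                throw new ConfigurationException("tenant must be set");
            }
        }
    }

    // Stands in for the managed target system; keyed by Uid value.
    static final Map<String, Set<Attribute>> STORE = new ConcurrentHashMap<>();

    private Config config;

    @Override public void init(Configuration cfg) { this.config = (Config) cfg; }
    @Override public Configuration getConfiguration() { return config; }
    @Override public void dispose() { }

    /** TestOp: what the IT Resource "test connection" action calls. */
    @Override
    public void test() { config.validate(); }

    /** CreateOp: provisioning a new account. __NAME__ is mandatory; the Uid returned here is
     *  what OIM stores on the process form and later passes back to delete(). */
    @Override
    public Uid create(ObjectClass oc, Set<Attribute> attrs, OperationOptions opts) {
        if (!ObjectClass.ACCOUNT.equals(oc)) {
            throw new IllegalArgumentException("Unsupported object class: " + oc);
        }
        Name name = AttributeUtil.getNameFromAttributes(attrs);
        if (name == null || name.getNameValue().trim().isEmpty()) {
            throw new IllegalArgumentException("__NAME__ is required");
        }
        String uid = config.getTenant() + "/" + name.getNameValue();
        if (STORE.putIfAbsent(uid, new HashSet<>(attrs)) != null) {
            throw new AlreadyExistsException("Account already exists: " + uid);
        }
        return new Uid(uid);
    }

    /** DeleteOp: revoking the account. An unknown Uid must be reported, not ignored, or OIM
     *  would record a successful revoke while the account still exists on the target. */
    @Override
    public void delete(ObjectClass oc, Uid uid, OperationOptions opts) {
        if (STORE.remove(uid.getUidValue()) == null) {
            throw new UnknownUidException(uid, oc);
        }
    }
}
```

The two failure paths are the security-relevant ones: create() refuses duplicates instead of overwriting an existing account's attributes, and delete() surfaces a missing account so a revoke cannot be marked complete while access remains.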
USG Defines which users are in which groups (user group membership) and the
priority of each user within a specific group.
User Policy Profile
UPD Stores user policy profile data.
UPP Stores user policy profile related details.
User Resource Profile
OBI Stores the resource object instance information.
OBJ Represents the resource object data.
OIU User information to the resource object instance.
Provisioning Process
MIL Defines process task definitions.
ORC Stores the process instance information when provisioning takes place.
PKG Defines provisioning process or work flows in OIM.
OSI Stores information about task created for process instance.
SEH Stores specific information related to running of a specific task instance.
TOS Stores atomic process information
Process Form Tables
UD_<form> Parent process form table; stores the parent form data.
UD_<form>_<child> Stores the child form data.
Auditing
AUD Stores detailed information about all audit events.
AUD_JMS Staging table that stores information about changes made as part
of any business transaction.
UPA Main auditing table, storing all snapshots of and changes made to user
profiles.
UPA_FIELDS Stores user profile audit history changes in denormalized form.
UPA_GRP_MEMBERSHIP Stores group membership history in denormalized form.
17.Notifications:
OIM 11g provides a notification framework based on events, notification
templates and template resolvers. They depend on each other as follows:
1. Events are defined in an XML file and must be loaded into the MDS
repository in order to be available for use.
2. Notification templates are defined in the OIM admin console. A template
contains text and substitution variables that are replaced with the data
provided by the template resolver. Templates support HTML and text based
e-mails and multiple languages.
3. The template resolver is a Java class responsible for providing the data
used to fill the template. It must be deployed as an OIM plugin. The data
provided by the resolver class is used by OIM for the template's substitution
variables.
The main steps for defining custom notifications in OIM are:
a. Define the events and metadata.
b. Create a template with the notification contents to be sent to recipients.
c. Create a custom notification resolver class.
d. Trigger the event.
<?xml version="1.0" encoding="UTF-8"?>
<Events>
  <EventType name="...">
    <StaticData>
      <Attribute DataType="X2-Entity" EntityName="User" Name="User Login"/>
    </StaticData>
    <Resolver class="com.oracle.demo.oim.notification.DemoNotificationEventResolver">
      <Param DataType="X2-Entity" EntityName="User" Name="usr_login"/>
    </Resolver>
  </EventType>
</Events>
Line 1: the XML declaration.
Line 2: Events is the root tag.
Line 3: EventType declares a unique event name, which becomes available for
template design and is used in the OIM advanced administration UI.
Line 4: StaticData lists parameters that are not data dependent; in other
words, it defines the static data shown when a notification is configured.
An example of static data is the User entity, which does not depend on any
other data and has the same set of attributes for all event instances and
notification templates. The available attributes can be used as
substitution tokens in the template.
Line 5: Attribute is a child of StaticData; it declares the entity and its
data type under a unique reference name. The User entity is the most commonly
used static data.
Line 6: StaticData closing tag.
Line 7: A Resolver class must be defined for each notification. It defines
which parameters are available on the notification creation screen and how
those parameters are replaced when the notification is sent. The resolver
resolves the data dynamically at run time and its attributes are displayed in
the UI.
Line 8: Param lists parameters that are data dependent. An example of a
data dependent (dynamic) entity is a resource object that the user selects
at run time; a notification template can then be configured for that
resource object.
Note: DataType must be declared as X2-Entity for the User entity and
91-Entity for Resource or Organization entities. The dynamic entities
supported for lookup are User, Resource and Organization.
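Steps c and d above (the resolver class and the trigger), as an added example that is not code from the original page: the class name and the usr_login parameter are taken from the page's event XML; everything else (the displayName token, the Display Name lookup, the fire() helper and its arguments) is assumed. NotificationEventResolver, NotificationAttribute, NotificationEvent, NotificationService and UserManager.getDetails() are OIM 11g APIs as recalled from its javadoc.

```java
package com.oracle.demo.oim.notification;   // package taken from the page's event XML

import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.notification.api.NotificationService;
import oracle.iam.notification.impl.NotificationEventResolver;
import oracle.iam.notification.vo.NotificationAttribute;
import oracle.iam.notification.vo.NotificationEvent;
import oracle.iam.platform.Platform;

/**
 * Step c: the resolver plugin. OIM calls getAvailableData() while an admin designs a
 * template (to list the usable tokens) and getReplacedData() when the event fires
 * (to supply their values).
 */
public class DemoNotificationEventResolver implements NotificationEventResolver {

    static final String P_LOGIN = "usr_login";      // matches the Param name in the event XML
    static final String T_DISPLAY = "displayName";  // assumed extra token for the template

    @Override
    public List<NotificationAttribute> getAvailableData(String eventType, Map<String, Object> params)
            throws Exception {
        List<NotificationAttribute> attrs = new ArrayList<>();
        for (String token : new String[] { P_LOGIN, T_DISPLAY }) {
            NotificationAttribute a = new NotificationAttribute();
            a.setName(token);
            a.setRequired(false);
            a.setSearchable(false);
            a.setSubtree(false);
            attrs.add(a);
        }
        return attrs;
    }

    @Override
    public HashMap<String, Object> getReplacedData(String eventType, Map<String, Object> params)
            throws Exception {
        String login = String.valueOf(params.get(P_LOGIN));
        // Look the user up rather than echoing caller-supplied values: the template then
        // only ever renders data OIM itself holds for that login.
        Set<String> ret = new HashSet<>();
        ret.add("Display Name");
        User u = Platform.getService(UserManager.class).getDetails(login, ret, true);
        HashMap<String, Object> resolved = new HashMap<>();
        resolved.put(P_LOGIN, login);
        resolved.put(T_DISPLAY, u.getAttribute("Display Name"));
        return resolved;
    }

    /**
     * Step d: triggering the event, e.g. from a post-process event handler.
     * templateName is the template created in the admin console for this event type;
     * userKey is the recipient's USR_KEY.
     */
    public static boolean fire(String templateName, String userKey, String login) throws Exception {
        NotificationEvent event = new NotificationEvent();
        event.setTemplateName(templateName);
        event.setSender(null);                       // null: default sender from configuration
        event.setUserIds(new String[] { userKey });  // recipients by USR_KEY
        HashMap<String, Object> params = new HashMap<>();
        params.put(P_LOGIN, login);                  // arrives in getReplacedData() above
        event.setParams(params);
        return Platform.getService(NotificationService.class).notify(event);
    }
}
```

Keep in mind that whatever the resolver returns ends up verbatim in an e-mail body; resolving tokens from the user record instead of from the event parameters is what stops a caller from injecting arbitrary text into a message that recipients will trust.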
5. How to find user and manager details in the USR table?
SELECT u1.USR_FIRST_NAME || ' ' || u1.USR_LAST_NAME || ' ' || u1.USR_LOGIN AS USER_NAME,
       (SELECT u2.USR_LOGIN FROM USR u2
         WHERE u2.USR_KEY = u1.USR_MANAGER_KEY AND ROWNUM < 2) AS MANAGER_NAME
FROM USR u1;
If only the user management connector is installed and configured for
target resource mode:
Depending on the Allow Password IT resource parameter, the user management
connector propagates password changes made to OIM users to Active Directory
(OIM to Active Directory only).
The user management connector can be configured to run either trusted source
or target resource reconciliation.
2. Active Directory password synchronization connector:
Password changes made on Active Directory are propagated to OIM.
Password synchronization process:
The following is the sequence of events that takes place during password
synchronization.
1. A user changes their password on Microsoft Active Directory. The user can
change the password in the following ways:
a. Using the Microsoft Management Console.
b. Pressing CTRL+ALT+DEL and then using the Change Password option on a
client computer joined to the Active Directory domain.
c. Using a third-party application or custom utility for changing passwords
on Microsoft Active Directory.
2. The password change is successful on Active Directory only when the
password clears all of Active Directory's password checks.
3. The Local Security Authority (LSA) component of Microsoft Windows
intercepts the password change on Active Directory and passes the password
(in plain text) and the required user information to the password filter
(the oimadpwdsync10.dll file). The oimadpwdsync10.dll file is one of the files
copied to the target system when you install the password synchronization
connector.
Because the filter runs inside LSA on the domain controller and sees every
accepted password in clear text, the DLL and its configuration must be
protected like the domain controller itself, and the filter has to be
installed on every domain controller on which passwords can be changed.
4. The password filter encrypts the password and user information into a
password change record and stores the record in the password change record
queue.
5. The password update thread is created when the password filter is
initialized. This thread performs the following tasks:
CH V Madhusudhan Rao