
Oracle Identity Manager: Administration
Volume I Student Guide
D46308GC10
Edition 1.0
January 2007
D48930

Oracle Identity Manager: Administration
Electronic Presentation
D46308GC10
Edition 1.0
January 2007
D48932

Copyright 2007, Oracle. All rights reserved.


Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual
property laws. You may copy and print this document solely for your own use in an Oracle training
course. The document may not be modified or altered in any way. Except where your use constitutes
"fair use" under copyright law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part
without the express authorization of Oracle.
The information contained in this document is subject to change without notice. If you find any
problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway,
Redwood Shores, California 94065 USA. This document is not warranted to be error-free.
Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the
documentation on behalf of the United States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these
training materials are restricted by the terms of the applicable Oracle license agreement and/or the
applicable U.S. Government contract.
Trademark Notice
Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or
its affiliates. Other names may be trademarks of their respective owners.
Authors
Robert La Vallie
Technical Contributors and Reviewers
John Aisien
Rhonda Bassett
Mary Bryksa
Eugene Choi
Usha George
Rohit M Gupta
Susan Jang
Pavana Jain
Nishant Kaushik
Ed King
Svetlana Kolomeyskaya
Su Lim
Bruce Lowenthal
Todd Morrissette
Naga Nagarajan
Holger Dindler Rasmussen
Vickie Reed
Stanislav Sadykov
Mohit Singh
Adam Skaffloth
Jayanthan Thomas
Trent Watkins
Editors
Richard Wallis
Daniel Milne
Graphic Designer
Steve Elwood
Satish Bettegowda
Publisher
Jobi Varghese

Introduction

Course Objectives
After completing this course, you should be able to:
- Explain Oracle Identity Manager and its role in identity management
- Identify the three tiers and components of the Oracle Identity Manager architecture
- List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning
- Describe how Oracle Identity Manager handles reconciliation and provisioning
- Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions
- List the components that this connector must have
- Explain the steps that need to be completed to build an Oracle Identity Manager connector
- Prepare a predefined database for Oracle Identity Manager
- Install and deploy your Oracle Identity Manager Diagnostic Dashboard
- Use the dashboard tool to verify that Oracle Database is prepared properly and that Oracle Identity Manager can connect to it
- Install the Oracle Identity Manager Server
- Install the Oracle Identity Manager Design Console
- Perform postinstallation tasks for the Oracle Identity Manager Server and Design Console
- Use the Diagnostic Dashboard to verify that Oracle Identity Manager is loaded and configured properly
- Launch the Oracle Identity Manager Server
- Start the two Oracle Identity Manager consoles (the Administrative Console and the Design Console)
- Differentiate between the two consoles
- Explain the links in the Administrative Console
- Explain the three types of Oracle Identity Manager users: system administrators, administrators of Oracle Identity Manager connectors, and end users
- Discuss the entities of which an Oracle Identity Manager user can be a member (that is, organizations and user groups)
- Differentiate between an organization and a user group
- Create records for an organization, the three types of Oracle Identity Manager users, and a user group
- Assign an Oracle Identity Manager user to a user group
- Explain the following:
  - How administrators view and modify their profiles in Oracle Identity Manager
  - How administrators change their challenge questions and, as a result, reset their passwords
  - What a proxy is
  - How administrators assign, modify, and remove proxies
  - How administrators see the resources that are provisioned to them
  - How administrators see requests that are initiated by them and requests that require their approval
- Identify resources and Oracle Identity Manager connectors
- Explain how Oracle Identity Manager connectors differ from resources
- Discuss the three ways that a connector can be assigned to an Oracle Identity Manager user
- See how an administrator of an Oracle Identity Manager connector can view a graphical representation of a provisioning workflow
- Analyze what approval processes are and how they affect a provisioning workflow
- Identify the key features of autoprovisioning
- Discuss other day-two provisioning functions that an administrator of an Oracle Identity Manager connector can perform. These functions include:
  - Temporarily deactivating an end user's account with a resource
  - Reinstating an end user's account
  - Modifying the password of an end user's account
  - Permanently revoking the access rights that an end user has with the resource
- Identify the two levels of customization for the Oracle Identity Manager Administrative Console
- Modify the look and feel of the console (that is, brand it)
- Change the functionality of the console without modifying the Oracle Identity Manager code
- Explain why the code should never be changed
- Describe the benefits of transferring Oracle Identity Manager connectors from one environment to another
- Identify the different ways that connectors can be transported between environments
- Explain how to export a connector
- Discuss how to import a different connector and configure it so that it is operable in your environment
- Identify the two types of reports that an administrator can create for Oracle Identity Manager users: operational reports and historical reports
- Differentiate between these two types of reports
- List the different operational and historical reports that are available with Oracle Identity Manager
- Discuss additional reports that can be created using a third-party tool (such as Oracle Discoverer)
- Create operational and historical reports with the Oracle Identity Manager Administrative Console
- Define attestation and attestation processes, including the fundamental components of an attestation process
- Describe the types of users who analyze, create, and manage attestation processes
- Identify the types of data that can be attested
- Discuss the different ways that attestation processes can be executed (that is, the schedule for attestation processes)
- Explain the workflow of an attestation process from beginning to end
- Configure your Oracle Identity Manager environment so that it can handle attestation processes
- Create an attestation process by using the Oracle Identity Manager Administrative Console
- Access the Administrative Console as a reviewer and act on an attestation process that is assigned to you: certify it, decline it, reject it, or delegate it to another reviewer
- Access this console as a process owner and view information about the attestation process, including its status (certified, rejected, declined, or delegated to another reviewer)
- Troubleshoot Oracle Identity Manager

Course Units
This course is divided into the following units:
1. Product Overview
2. Installing, Configuring, and Launching Oracle Identity Manager
3. Managing Users, User Entities, and Resources
4. Modifying the Oracle Identity Manager Administrative Console
5. Deploying Resources
6. Constructing Reports
7. Using Attestation
8. Performing Advanced Functions with Oracle Identity Manager

Unit 1: Product Overview
This unit has a single lesson titled Understanding Oracle Identity Manager.

Unit 2: Installing, Configuring, and Launching Oracle Identity Manager
This unit comprises the following lessons:
- Installing and Configuring Oracle Identity Manager
- Starting and Understanding Oracle Identity Manager's Consoles

Unit 3: Managing Users, User Entities, and Resources
This unit comprises the following lessons:
- Managing Users and User Entities
- Assigning Oracle Identity Manager Connectors to Users
- Provisioning Resources to Users

Unit 4: Modifying the Oracle Identity Manager Administrative Console
This unit has a single lesson titled Customizing the Oracle Identity Manager Administrative Console.

Unit 5: Deploying Resources
This unit has a single lesson titled Transferring Oracle Identity Manager Connectors.

Unit 6: Constructing Reports
This unit has a single lesson titled Creating Reports.

Unit 7: Using Attestation
This unit comprises the following lessons:
- Understanding Attestation
- Creating, Managing, and Reviewing Attestation Processes

Unit 8: Performing Advanced Functions with Oracle Identity Manager
This unit has a single lesson titled Troubleshooting Oracle Identity Manager.

Summary
In this introductory lesson, you should have learned about the course units and lessons.

Understanding Oracle Identity Manager

Objectives
After completing this lesson, you should be able to:
- Explain Oracle Identity Manager and its role in identity management
- Identify the three tiers and components of the Oracle Identity Manager architecture
- List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning
- Describe how Oracle Identity Manager handles reconciliation and provisioning
- Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions
- List the components that this connector must have
- Explain the steps that need to be completed to build an Oracle Identity Manager connector

Oracle Identity Manager
Oracle Identity Manager is an application that handles and selectively automates tasks that manage a user's access privileges. Such tasks include:
- Creating access privileges to resources for users
- Modifying these privileges dynamically based on changes to user and business requirements
- Removing these access privileges from users

Oracle Identity Manager Architecture
The architecture for Oracle Identity Manager:
- Is based on a Java 2 Enterprise Edition (J2EE) environment
- Separates the platform's Presentation, Server, and Data & Enterprise Integration tiers
- Enables the creation of n levels of layers

Oracle Identity Manager Architecture: Advantages
The advantages of this architecture include:
- Scalability
- Flexibility
- Variety

Oracle Identity Manager Architecture: Tiers
The Oracle Identity Manager architecture has three tiers:
- Presentation tier
- Server tier
- Data & Enterprise Integration tier

Tier 1: Presentation Tier
The Presentation tier of Oracle Identity Manager has two layers:
- Presentation layer
  - Two consoles for Oracle Identity Manager: Administrative Console and Design Console
- Dynamic Presentation Logic layer
  - Logic for generating dynamic pages for the Administrative Console by using JSPs, Java Servlets, XML, and JavaBeans

Tier 2: Server Tier
The Server tier of Oracle Identity Manager is the interface between the Presentation and Data & Enterprise Integration tiers.
The application server for Oracle Identity Manager:
- Resides in the Server tier
- Provides the life-cycle management, security, deployment, and run-time services to the logical components that support Oracle Identity Manager
The Server tier of Oracle Identity Manager supports:
- Clustering
- Load balancing
- Security management
- Scheduling

Tier 3: Data & Enterprise Integration Tier
The Data & Enterprise Integration tier of Oracle Identity Manager has two layers:
- Data Access layer
  - Layer that has the components that Oracle Identity Manager needs to communicate with its database
- Back-end Database layer
  - Layer where the database resides
The Back-end Database layer leverages the following capabilities:
- Clustering
- Standby database
- Replication

Reconciliation and Provisioning: Overview
- Reconciliation is the process by which Oracle Identity Manager receives information from an external resource.
- Provisioning is the process by which Oracle Identity Manager sends information to a target resource.
- By using reconciliation and provisioning, Oracle Identity Manager can perform the following actions:
  - Create a user record in a resource
  - Modify the privileges that the user has with the resource
  - Remove the user record from the resource

Reconciliation: Types
There are two types of reconciliation that Oracle Identity Manager performs:
- Trusted source reconciliation
- Targeted resource reconciliation

Reconciliation: Events
Oracle Identity Manager can perform three types of reconciliation events with an external resource:
- Reconciliation Insert
- Reconciliation Update
- Reconciliation Delete
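
As an added illustration (not Oracle Identity Manager code and not part of the course material), the three reconciliation event types can be derived by comparing the records already held against a fresh snapshot from the external resource. The record layout, the sample data, and the login-matching rule used to flag target accounts with no owning user are assumptions made for this sketch.

```python
from dataclasses import dataclass, field

INSERT = "Reconciliation Insert"
UPDATE = "Reconciliation Update"
DELETE = "Reconciliation Delete"


@dataclass
class ReconEvent:
    kind: str                                     # one of the three event types
    key: str                                      # record key in the external resource
    changes: dict = field(default_factory=dict)   # attribute -> (old, new)


def derive_events(known, snapshot):
    """Diff the records already held (known) against a fresh external snapshot.

    Both arguments map a record key to a dict of attributes.
    """
    events = []
    for key in sorted(snapshot.keys() - known.keys()):
        new = snapshot[key]
        events.append(ReconEvent(INSERT, key, {a: (None, v) for a, v in new.items()}))
    for key in sorted(snapshot.keys() & known.keys()):
        old, new = known[key], snapshot[key]
        changes = {
            a: (old.get(a), new.get(a))
            for a in sorted(old.keys() | new.keys())
            if old.get(a) != new.get(a)
        }
        if changes:                               # identical records raise no event
            events.append(ReconEvent(UPDATE, key, changes))
    for key in sorted(known.keys() - snapshot.keys()):
        events.append(ReconEvent(DELETE, key))
    return events


def unmatched_accounts(events, user_logins):
    """Keys of inserted target accounts that match no managed user.

    Assumed matching rule: case-insensitive comparison on the login name.
    """
    logins = {u.lower() for u in user_logins}
    return [e.key for e in events if e.kind == INSERT and e.key.lower() not in logins]


# Constructed sample data: a corporate directory acting as the trusted source.
KNOWN_USERS = {
    "jdoe":   {"dept": "Finance", "status": "Active"},
    "asmith": {"dept": "IT", "status": "Active"},
    "bchan":  {"dept": "Sales", "status": "Active"},
}
DIRECTORY_SNAPSHOT = {
    "jdoe":   {"dept": "Audit", "status": "Active"},    # moved department
    "asmith": {"dept": "IT", "status": "Active"},       # unchanged
    "mlee":   {"dept": "HR", "status": "Active"},       # new hire
}                                                       # bchan is no longer listed

# Constructed sample data: accounts found on a target database.
KNOWN_DB_ACCOUNTS = {"JDOE": {"role": "CONNECT"}}
DB_SNAPSHOT = {
    "JDOE":    {"role": "CONNECT"},
    "ASMITH":  {"role": "CONNECT"},
    "SVC_OLD": {"role": "DBA"},                         # no matching user
}


def run_example():
    trusted = derive_events(KNOWN_USERS, DIRECTORY_SNAPSHOT)
    target = derive_events(KNOWN_DB_ACCOUNTS, DB_SNAPSHOT)
    users_after = set(DIRECTORY_SNAPSHOT)       # identities after the trusted run
    return trusted, target, unmatched_accounts(target, users_after)


if __name__ == "__main__":
    trusted, target, orphans = run_example()
    for e in trusted + target:
        print(f"{e.kind:22} {e.key:8} {e.changes}")
    print("accounts with no owning user:", orphans)
```

The last list is the one an access reviewer cares about: an account that exists on the resource but maps to no managed identity.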

Provisioning: Types
There are two types of provisioning that Oracle Identity Manager performs:
- Day-one provisioning
  - Initial creation of access privileges to resources for users
  - Removal of these privileges from users
- Day-two provisioning
  - Dynamic modification of user privileges with resources, based on changes to user and business requirements

Trusted Source Reconciliation: Conceptual Diagram
Via provisioning and reconciliation, Oracle Identity Manager can build an accurate picture of the user identities that it manages in both a trusted source and a target resource.
[Diagram labels: Reconciliation flow; Provisioning flow; Trusted source (for example, a corporate directory); Target resource (for example, an Oracle database); Administrator; End user. Callout 1.]

Targeted Resource Reconciliation: Conceptual Diagram
Via provisioning and reconciliation, Oracle Identity Manager can build an accurate picture of the user identities it manages in both a trusted source and a target resource.
[Diagram labels: Reconciliation flow; Provisioning flow; Trusted source (for example, a corporate directory); Target resource (for example, an Oracle database); Administrator; End user. Callout 2.]

Oracle Identity Manager Connector: Overview
An Oracle Identity Manager connector is a container that holds all of the information that Oracle Identity Manager needs to:
- Reconcile with an external resource
- Provision a user with a target resource

Oracle Identity Manager Connector: Components
A connector must have the following seven components:
- IT resource type
- IT resource
- Process form
- Process task adapter
- Resource object
- Provisioning process
- Process task

Constructing an Oracle Identity Manager Connector: Step 1
Create an IT resource type. This record represents the classification type, parameter fields, and encryption settings that are associated with a resource.
[Diagram, step 1: IT resource type.]
This screenshot illustrates an IT resource type for an Oracle database. There is a one-to-one relationship between the IT resource type and the connector. That is, each connector should have only one IT resource type.

Constructing an Oracle Identity Manager Connector: Step 2
Define an IT resource. This record contains the values that Oracle Identity Manager needs to communicate with a resource and access it as a system administrator (for provisioning or reconciliation purposes).
[Diagram, step 2: IT resource type, IT resource.]
This screenshot illustrates an IT resource for an Oracle database. There is a one-to-one relationship between the IT resource and the system, service, or application that it represents. If you have four resources, you would thus have four IT resources.

Constructing an Oracle Identity Manager Connector: Step 3
Create a custom process form. This record is a central housing mechanism that holds everything that Oracle Identity Manager needs to either provision a user to a target resource or reconcile a user with an external resource.
[Diagram, step 3: IT resource type, IT resource, custom process form.]
This screenshot illustrates a custom process form for an Oracle database.

Constructing an Oracle Identity Manager Connector: Step 4
Build a process task adapter. This piece of Java code is used by Oracle Identity Manager to automate the completion of a provisioning process task.
[Diagram, step 4: IT resource type, IT resource, custom process form, process task adapter.]
A process task adapter automates the creation of a user's account in an Oracle database. There is a one-to-one relationship between the adapter and a process task: each task can be associated with only one adapter.

Constructing an Oracle Identity Manager Connector: Step 5
Define a resource object. This record is a virtual representation of a resource and contains everything needed to either provision a user to that resource or reconcile a user with it.
[Diagram, step 5: IT resource type, IT resource, custom process form, process task adapter, resource object.]
Example of a resource object for an Oracle database

Constructing an Oracle Identity Manager Connector: Step 6
Create a provisioning process. This record contains the steps that Oracle Identity Manager must complete to perform provisioning or reconciliation with a particular resource.
[Diagram, step 6: IT resource type, IT resource, custom process form, process task adapter, resource object, provisioning process.]
There is a 1-to-1 relationship between a provisioning process and the workflow that it represents. If you have two resource-related workflows, you should have two processes.

Constructing an Oracle Identity Manager Connector: Step 7
Create a process task.
[Diagram, step 7: IT resource type, IT resource, custom process form, process task adapter, resource object, provisioning process, process task.]
Example of a process task that Oracle Identity Manager uses to create a user's account in an Oracle database

Constructing an Oracle Identity Manager Connector: Step 8
Attach the process task adapter to the process task.
[Diagram, step 8: IT resource type, IT resource, custom process form, process task adapter, resource object, provisioning process, process task.]
Example of a process task adapter being connected to a process task to create a user's account in an Oracle database

Summary
In this lesson, you should have learned how to:
- Describe Oracle Identity Manager and its role in identity management
- Explain the three tiers and components of the Oracle Identity Manager architecture
- List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning
- Explain how Oracle Identity Manager handles reconciliation and provisioning
- Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions
- List the components that this connector must have
- Explain the steps that need to be completed to build an Oracle Identity Manager connector

Installing and Configuring Oracle Identity Manager

Objectives
After completing this lesson, you should be able to:
- Prepare a predefined database for Oracle Identity Manager
- Install and deploy your Oracle Identity Manager Diagnostic Dashboard
- Use the dashboard tool to verify that your Oracle database is prepared properly and that Oracle Identity Manager can connect to it
- Install the Oracle Identity Manager Server
- Install the Oracle Identity Manager Design Console
- Perform postinstallation tasks for the Oracle Identity Manager Server and Design Console
- Use the Diagnostic Dashboard to verify that Oracle Identity Manager is loaded and configured properly

Preparing a Database for Oracle Identity Manager
Oracle Identity Manager requires a database. To use Oracle Database, you must:
- Install Oracle Database
- Create a database instance
- Prepare this database
With the prepare_xl_db.bat script, administrators can prepare a database for Oracle Identity Manager.
    E:\OIM901_Installation\installServer\Xellerate\db\oracle> prepare_xl_db.bat train91 E:\orant\ora92 sysadm sysadm train91tbs E:\orant\ora92\oradata train91tbs_01 TEMP sys

Oracle Identity Manager Diagnostic Dashboard (Preinstallation)
The Oracle Identity Manager Diagnostic Dashboard is a Web application that can be used to check the preinstallation requirements for Oracle Identity Manager. These requirements include whether:
- An Oracle database is created and prepared properly
- Oracle Identity Manager can establish a connection to this database

Launching the Oracle Identity Manager Diagnostic Dashboard
To launch this tool, enter the appropriate URL in the Address field.

Using the Oracle Identity Manager Diagnostic Dashboard (Preinstallation)
To use this tool, select the check boxes for the tests that you want to perform, enter the test parameters (where applicable), and click Verify.
[Screenshot callouts: Test passed; Test failed.]

Installing the Oracle Identity Manager Server
The following slides illustrate how to install the Oracle Identity Manager Server. You must install this server on the same machine that is running the JBoss application server.

Installing the Oracle Identity Manager Server: Steps 1-4
Select Oracle Identity Manager with Audit and Compliance module to use the attestation features for audit and compliance purposes.

Installing the Oracle Identity Manager Server: Steps 5-6
Enter the base directory where you install the Oracle Identity Manager Server: E:\OIM901_server.

Installing the Oracle Identity Manager Server: Step 7
Select the Oracle option to configure Oracle Identity Manager to work with an Oracle database.

Installing the Oracle Identity Manager Server: Step 8
Populate the Database Information screen with values that Oracle Identity Manager uses to connect to your Oracle database.

Installing the Oracle Identity Manager Server: Step 9
Select the Oracle Identity Manager Default Authentication option to use predefined settings to authenticate the Administrative Console.

Installing the Oracle Identity Manager Server: Steps 10-11
Select the JBoss option to configure Oracle Identity Manager to work with a JBoss application server.

Installing the Oracle Identity Manager Server: Steps 12-15
Configure Oracle Identity Manager to work with your JBoss application server.

Installing the Oracle Identity Manager Design Console
The following slides illustrate how to install the Oracle Identity Manager Design Console.
Note: You do not have to install the Administrative Console. To launch it, start the Oracle Identity Manager Server, open a Web browser, and enter the appropriate URL in the Address field.

Installing the Oracle Identity Manager Design Console: Steps 1-5
Enter the base directory where you install the Design Console: E:\OIM901_client.

Installing the Oracle Identity Manager Design Console: Step 6
Select the JBoss option to configure the Design Console to work with a JBoss application server.

Installing the Oracle Identity Manager Design Console: Step 7
Select this option to configure the Design Console to use the JRE that is packaged with Oracle Identity Manager.

Installing the Oracle Identity Manager Design Console: Step 8
Populate the Application Server configuration screen so that the Design Console works with your JBoss application server.

Installing the Oracle Identity Manager Design Console: Steps 9-12
Configure the Design Console to display approval and provisioning processes in a Web browser.

Performing Postinstallation Tasks for Oracle Identity Manager
The following section covers postinstallation tasks for the Oracle Identity Manager Server and Design Console.
In this section of the lesson, you learn about the following tasks:
- Specifying an Oracle Identity Manager log level for the JBoss application server
- Making the Design Console operable by copying a JAR file into the appropriate Oracle Identity Manager directory

Setting Oracle Identity Manager Log Levels for JBoss
Oracle Identity Manager supports five log levels:
- DEBUG
- INFO
- WARN
- ERROR
- FATAL
The levels are listed here in descending order according to the amount of information logged. Thus, DEBUG logs the most information and FATAL logs the least information.
In the priority value tag, you can set the log level for the JBoss application server to DEBUG, INFO, WARN, ERROR, or FATAL.
    <category name="XELLERATE">
        <priority value="WARN"/>
    </category>
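
A check that could be run over the log configuration after this step to confirm the level set on the XELLERATE category, added here as an example (it is not Oracle or course code). The child category names, the sample XML, and the policy that nothing more verbose than INFO is acceptable are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The five levels from the slide, most verbose first.
LEVELS = ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"]


def audit_log_levels(xml_text, prefix="XELLERATE", most_verbose_allowed="INFO"):
    """Return (category, level, finding) for every category at or under `prefix`.

    finding is one of: "ok", "too verbose", "unknown level",
    "no priority set", "category missing".
    """
    limit = LEVELS.index(most_verbose_allowed)
    root = ET.fromstring(xml_text)
    results = []
    for cat in root.iter("category"):
        name = cat.get("name", "")
        if name != prefix and not name.startswith(prefix + "."):
            continue                      # other products' categories are out of scope
        prio = cat.find("priority")
        if prio is None or prio.get("value") is None:
            results.append((name, None, "no priority set"))
            continue
        level = prio.get("value").strip().upper()
        if level not in LEVELS:
            results.append((name, level, "unknown level"))
        elif LEVELS.index(level) < limit:
            results.append((name, level, "too verbose"))
        else:
            results.append((name, level, "ok"))
    if not any(name == prefix for name, _, _ in results):
        results.append((prefix, None, "category missing"))
    return results


# Constructed sample configuration (the child categories are illustrative).
SAMPLE = """
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <category name="XELLERATE">
    <priority value="WARN"/>
  </category>
  <category name="XELLERATE.DATABASE">
    <priority value="debug"/>
  </category>
  <category name="XELLERATE.SERVER">
    <priority value="WARNING"/>
  </category>
  <category name="org.jboss">
    <priority value="DEBUG"/>
  </category>
</log4j:configuration>
"""

if __name__ == "__main__":
    for name, level, finding in audit_log_levels(SAMPLE):
        print(f"{name:20} {str(level):8} {finding}")
```

Because DEBUG logs the most information, it is the level worth catching before a system goes into production; a value outside the five supported levels is reported separately so that it gets corrected rather than guessed at.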
Copyright 2007, Oracle. All rights reserved. 3 - 30
Making the Design Console Functional
Copy the jbossall-client.jar file and paste it into the
E:\OIM901_client\xlclient\ext directory.
Oracle Identity Manager Diagnostic Dashboard
(Postinstallation)
The Diagnostic Dashboard can be used to:
Check preinstallation requirements for Oracle Identity
Manager
Perform postinstallation checks and create reports to
ensure that the Oracle Identity Manager environment is
installed and configured properly
Diagnostic Dashboard: Postinstallation Checks
You can use the Diagnostic Dashboard after installation to
determine whether:
An Oracle Identity Manager user account is locked
because of successive invalid login attempts
The data encryption key in your Oracle Identity
Manager installation is identical to the one used to
encrypt the data in your Oracle Identity Manager
database
The scheduler service is running
Oracle Identity Manager can communicate with remote
managers
Diagnostic Dashboard: Postinstallation Checks
You can use the Diagnostic Dashboard after installation to
determine whether:
Oracle Identity Manager can submit and process a Java
Messaging Service (JMS) message
Single Sign-On (SSO) is configured properly for Oracle
Identity Manager
Diagnostic Dashboard: Reports
You can use the Diagnostic Dashboard to create reports
that display the following information about your Oracle
Identity Manager environment:
System properties that are associated with all Java
Virtual Machines
Information about the version numbers of the library
and extension files
Detailed (or manifest) information about the library and
extension files
[Figure legend: Test passed / Test failed]
Using the Oracle Identity Manager
Diagnostic Dashboard (Postinstallation)
To use the Diagnostic Dashboard, launch it. Select the
check boxes for the tests that you want to perform, and
then click Verify.
Summary
In this lesson, you should have learned how to:
Configure a preexisting Oracle database so that it
works properly with Oracle Identity Manager
Load and start the Oracle Identity Manager Diagnostic
Dashboard
Use the dashboard to ensure that the database is
prepared correctly and that Oracle Identity Manager
can connect to it
Install the Oracle Identity Manager Server and Design
Console
Set an Oracle Identity Manager log level for the JBoss
application server
Summary
In this lesson, you should have learned how to:
Make the Design Console functional by copying a JAR
file into an Oracle Identity Manager directory
Use the Diagnostic Dashboard to verify that your
Oracle Identity Manager environment is installed and
configured correctly
Practice 3 Overview: Installing and Configuring
Oracle Identity Manager
This practice covers the following topics:
Preparing a database for Oracle Identity Manager
Installing and deploying the Oracle Identity Manager
Diagnostic Dashboard
Using the dashboard to verify that the database is
prepared properly and that Oracle Identity Manager can
connect to it
Installing and configuring an Oracle Identity Manager
Server and an Oracle Identity Manager Design Console
Using the Diagnostic Dashboard to verify that the
Oracle Identity Manager environment is installed and
configured properly
Starting and Understanding
Oracle Identity Manager's Consoles
Objectives
After completing this lesson, you should be able to:
Launch the Oracle Identity Manager Server
Start the two Oracle Identity Manager consoles (the
Administrative Console and the Design Console)
Differentiate between the two consoles
Explain the links on the Administrative Console
Launching the Oracle Identity Manager Server
Double-click the xlStartServer.bat command script,
which resides in the E:\OIM901_server\xellerate\bin
directory on your machine.
Launching the Oracle Identity Manager
Administrative Console
Open the login page and enter the appropriate credentials
in the User ID and Password fields. Then click Login.
Launching the Oracle Identity Manager
Design Console
Open the login window and enter
the appropriate credentials in the
User ID and Password fields.
Then click Login.
Oracle Identity Manager Consoles
Developers use the Design Console to build Oracle Identity
Manager connectors.
Oracle Identity Manager Consoles
Administrators use the Administrative Console to manage
Oracle Identity Manager connectors.
Administrative Console: My Account Link
With the My Account link, administrators view and modify
their account information, reset a password, and designate
a proxy.
Administrative Console: My Resources Link
With the My Resources link, administrators view, create,
and modify information about requests and resources.
Administrative Console: Requests Link
With the Requests link, administrators create and track
requests of resources for other Oracle Identity Manager
users, as well as manage approval tasks.
Administrative Console: To-Do List Link
With the To-Do List link, administrators can handle all
tasks that require their attention.
Administrative Console: Users Link
With the Users link, administrators create and manage
records for Oracle Identity Manager users.
Administrative Console: Organizations Link
With the Organizations link, administrators create and
manage records for Oracle Identity Manager organizational
units.
Administrative Console: User Groups Link
With the User Groups link, administrators create and
manage records for user groups.
Administrative Console: Access Policies Link
With the Access Policies link, administrators create and
manage access policies.
Administrative Console:
Resource Management Link
With the Resource Management link, administrators
manage resources for a user or organization.
Administrative Console:
Deployment Management Link
With the Deployment Management link, administrators
transfer connectors from one environment to another.
Administrative Console: Reports Link
With the Reports link, administrators create operational
and historical reports.
Administrative Console: Attestation Link
With the Attestation link, administrators can create and
manage an attestation process.
Administrative Console: Help Link
With the Help link, administrators can view an online
version of the Oracle Identity Manager Administrative
Console and User Guide.
Summary
In this lesson, you should have learned how to:
Start the Oracle Identity Manager Server, the
Administrative Console, and the Design Console
Identify the two consoles, including the differences
between them
Provide a thorough discussion of the links on the
Administrative Console
Practice 4 Overview: Starting and Understanding
Oracle Identity Manager's Consoles
This practice covers the following topics:
Launching the Oracle Identity Manager Server
Launching the Oracle Identity Manager Administrative
Console
Launching the Oracle Identity Manager Design Console
Managing Users and User Entities
Objectives
After completing this lesson, you should be able to:
Explain the three types of Oracle Identity Manager
users: system administrators, administrators of Oracle
Identity Manager connectors, and end users
Discuss the entities of which an Oracle Identity
Manager user can be a member (that is, organizations
and user groups)
Differentiate between an organization and a user group
Create records for an organization, the three types of
Oracle Identity Manager users, and a user group
Assign an Oracle Identity Manager user to a user group
Objectives
In addition, you should be able to explain:
How administrators view and modify their profiles in
Oracle Identity Manager
How administrators change their challenge questions
and, as a result, reset their passwords
What a proxy is
How administrators assign, modify, and remove
proxies
How administrators see the resources that are
provisioned to them
How administrators see requests that are initiated by
them and requests that require their approval
Oracle Identity Manager Users: Three Types
System administrators: Users who have both read
access and write access to all forms and records in
Oracle Identity Manager
Administrators of Oracle Identity Manager connectors:
Users who have read- and write-access rights to their
own user profiles (and the records associated with
them), as well as the profiles and records of any end
users whom they supervise
End users: Users who are recipients of the resources
that are provisioned to them by Oracle Identity
Manager. They have read-access rights to their own
user profile (and the records associated with it).
Oracle Identity Manager
User Entities: Two Types
Organization: Record that represents
a unit in a company's hierarchy (for
example, a department, division, or
cost center)
User group: Collection of one or more
Oracle Identity Manager users who
share some common functionality,
such as access rights, roles, or
permissions for resources
[Diagram labels: User groups, User, Organization]
Creating Oracle Identity Manager
Users and User Entities
The following slides illustrate how to create:
Organizations
Three types of Oracle Identity Manager users
User groups
In addition, you learn how to assign a user to a group
and perform various administrative functions for a
user.
Creating an Organization
Example: Creating an organization named Curriculum Dev.
The organization's classification type is Department.
Creating a User
Example: Creating a user named Robert La Vallie
Creating a User Group
Example: Creating a user group named Oracle 10g
Approvers
Assigning a User to a User Group
Example: Assigning the user named Robert La Vallie to the
ORACLE 9i USERS group
Viewing Your Profile
Administrators can see basic information about their user
accounts. This example shows the profile of the
administrator named Pauline Sammut.
Modifying Your Profile
Administrators can change basic information about their
user accounts. This example illustrates modifying the
profile of the administrator named Pauline Sammut.
Changing Your Challenge
Questions and Answers
Administrators can change their challenge questions and
answers.
Resetting Your Password
Administrators can reset their passwords. This example
illustrates resetting an administrator's password.
Proxies: Overview
Administrators can delegate any task approval
responsibilities for which they are unavailable (because of
illness, vacation, and so on) to another administrator. This
delegated administrator is known as a proxy.
Assigning a Proxy
Administrators can assign proxies. This example
illustrates assigning a proxy named Leonard Agneta to an
administrator.
Modifying a Proxy
Administrators can modify their proxies. This example
illustrates modifying the proxy named Leonard Agneta for
an administrator.
Removing a Proxy
Administrators can remove their proxies. This example
illustrates removing the proxy named Leonard Agneta from
an administrator.
Viewing Your Resources
Administrators can see the resources that are provisioned
to them. This example shows that a resource named
Oracle RO is provisioned to an administrator.
Viewing Your Requests
Administrators can see the requests that they initiate as
well as requests that require their approval.
Summary
In this lesson, you should have learned how to:
Create system administrators, administrators of Oracle
Identity Manager connectors, and end users
Create organizations and user groups
Differentiate between an organization and a user group
Assign a user to a user group
View and modify an administrator's profile in Oracle
Identity Manager
Change an administrator's challenge questions and
answers
Reset an administrator's password
Summary
In this lesson, you should have learned how to:
Assign, modify, and remove a proxy for an
administrator
See the resources that are provisioned to an
administrator
View, track, and approve requests generated by and for
an administrator
Practice 5 Overview:
Managing Users and User Entities
This practice covers the following topics:
Creating records for an organization, a user group, and
the three types of Oracle Identity Manager users
Assigning an Oracle Identity Manager user to a group
Viewing and modifying the profile of an Oracle Identity
Manager administrator
Changing challenge questions and answers and, as a
result, resetting the password of an administrator
Assigning, modifying, and removing a proxy for an
administrator
Viewing the resources and requests that are associated
with an administrator
Assigning Oracle Identity Manager
Connectors to Users
Objectives
After completing this lesson, you should be able to do the
following:
Identify resources and Oracle Identity Manager
connectors
Explain how Oracle Identity Manager connectors differ
from resources
Discuss the three ways in which a connector can be
assigned to an Oracle Identity Manager user
Resources
A resource is an external system, service, or application
with which Oracle Identity Manager communicates to
perform either provisioning or reconciliation.
[Diagram labels: Server, Messaging applications, Operating systems]
Examples of Resources
Examples of resources include the following:
Collaboration and messaging applications: Microsoft
Exchange 3.3; Novell GroupWise 2.1
Database servers: Oracle9i Database Enterprise
Edition; Oracle Database 10g; MS SQL Server 2000
Directory servers: MS Active Directory 4.4; Novell
eDirectory 2.1; Oracle Internet Directory 1.1; Sun Java
System Directory Server 4.1
Enterprise applications: Oracle E-Business Suite 2.1;
PeopleSoft Enterprise Applications 3.0; SAP Enterprise
Applications 3.0
Operating systems: Microsoft Windows 2.1; UNIX 4.1
Examples of Resources
Security managers: IBM RACF 1.1; RSA Authentication
Manager 4.1
Web access control applications: RSA ClearTrust 3.0
Oracle Identity Manager Connectors
An Oracle Identity Manager connector is a container
that holds all of the information that Oracle Identity
Manager needs to:
Reconcile with an external resource
Provision a user with a target resource
In short, each resource is represented in Oracle Identity
Manager by a corresponding connector.
How Connectors Differ from Resources
Assigning a connector to a user does not necessarily
mean that the related resource is provisioned to the
user.
For provisioning to occur, you must:
Populate the fields of the custom process form that is
contained in your connector
Save this information to your Oracle Identity Manager
database
How Connectors Are Assigned to Users
There are three ways that an Oracle Identity Manager
connector can be assigned to a user:
Through direct provisioning
Via criteria (autogroup membership rules and access
policies)
By requests
The following slides illustrate the three ways that a
connector can be assigned to a user.
Assigning Connectors to Users:
Direct Provisioning
The graphic in this slide illustrates how a connector can
be assigned to an Oracle Identity Manager user through
direct provisioning.
[Diagram labels: Administrator, Connector, End user]
Assigning Connectors to Users: Criteria
The graphic in this slide illustrates how a connector can
be assigned to an Oracle Identity Manager user via criteria
(autogroup membership rules and access policies).
[Diagram labels: Administrator, User group, Access policy, Approver, Autogroup rule, Approval process, Connector, End user]
Assigning Connectors to Users: Requests
The graphic in this slide illustrates how a connector can
be assigned to an Oracle Identity Manager user by a
request.
[Diagram labels: Request, Administrator, Approval process, Connector, End user, Approver]
Direct-Provisioning a Connector to a User
This example illustrates using direct provisioning to assign
a connector to the end user named Leonard Agneta.
Using Criteria to Assign a Connector to a User
Another way to assign a connector to an end user is for
Oracle Identity Manager to evaluate criteria about the user.
These criteria include an autogroup membership rule and
an access policy.
For this to occur, you need to complete the following
steps:
Assign an autogroup membership rule to a user group.
As a result, Oracle Identity Manager can add the end
user to the group.
Build the access policy. Oracle Identity Manager
allocates the connector to the user because the user
belongs to the user group.
Assigning an Autogroup Membership Rule
to a User Group
This example illustrates assigning an autogroup
membership rule to the Developers user group.
Creating an Access Policy
This example illustrates creating an access policy for the
Developers user group.
Using a Request to Assign a Connector to a User
This example illustrates using a request to assign the
Oracle RO connector to the user with the ID of LAGNETA.
Summary
In this lesson, you should have learned how to:
Identify resources and Oracle Identity Manager
connectors
Differentiate between Oracle Identity Manager
connectors and resources
Assign an Oracle Identity Manager connector to a user
through direct provisioning, criteria (specifically,
autogroup membership rules and access policies), and
requests
Practice 6 Overview: Assigning
Oracle Identity Manager Connectors to Users
This practice covers assigning an Oracle Identity Manager
connector to a user in three ways:
Direct provisioning
Autogroup membership rules and access policies
Requests
Provisioning Resources to Users
Objectives
After completing this lesson, you should be able to:
See how administrators of Oracle Identity Manager
connectors can view a graphical representation of a
provisioning workflow
Analyze what approval processes are and how they
impact a provisioning workflow
Identify the key features of autoprovisioning
Objectives
Discuss other day-two provisioning functions that an
administrator of an Oracle Identity Manager connector
can perform. These functions include:
Temporarily deactivating an end user's account with a
resource
Reinstating an end user's account
Modifying the password of an end user's account
Permanently revoking the access rights that an end user
has with the resource
Graphical Workflow Definition Renderer:
Overview
The Graphical Workflow Definition Renderer tool enables
Oracle Identity Manager administrators to see a visual
representation of the connector's provisioning workflow.
Viewing a Graphical Representation
of a Provisioning Workflow
This screenshot is a visual representation of the DataBase
Access (Login) provisioning process via the Graphical
Workflow Definition Renderer.
Graphical Workflow Definition Renderer:
High-Level Information
This example shows top-level information about the
DataBase Access (Login) provisioning process.
Graphical Workflow Definition Renderer: Features
Features of the Graphical Workflow Definition Renderer
include:
Dragging and dropping the components that appear in
the workflow (for visibility purposes)
Customizing the items that can be displayed in the
workflow
Saving the current state of the workflow as an image
Refreshing the workflow
Graphical Workflow Definition Renderer:
Provisioning Tab
This tab displays all process tasks that are used to give a
user access rights to a resource. In this example, the
Create Login task is used to provision a user to an Oracle
database.
Graphical Workflow Definition Renderer:
Reconciliation Tab
This tab displays the tasks and flow of the reconciliation
events associated with a provisioning process. In this
example, the Reconciliation Insert event is displayed.
Graphical Workflow Definition Renderer:
Resource Event Tab
This tab displays all workflows associated with changes to
a user's access rights with a resource. The Enable Login
workflow reinstates the user's access to the resource.
Graphical Workflow Definition Renderer:
Form Event Tab
This tab displays workflows associated with changes to
data in the process form attached to the provisioning
process. The Password Updated workflow modifies the
user's password on the target resource.
Approval Processes: Overview
An approval process is used to approve the
provisioning of a representative resource for a user.
Approval processes are usually completed manually
whereas provisioning processes are typically
completed automatically.
To complete an approval process, certain tasks must
be completed.
Although a connector is not required to have an
approval process, it must have at least one
provisioning process.
Completing an Approval Process
In this example, the user who belongs to the
US_ORACLE_RO_APPROVERS group approves the allocation of the
Oracle RO connector for the user named Jill James.
Types of Provisioning
Manual provisioning
Autoprovisioning
Manual Provisioning
An administrator of an Oracle Identity Manager
connector completes the custom process form and
saves the values to the database.
Manual intervention is required by the administrator for
provisioning to occur.
Autoprovisioning
Autoprovisioning is the Oracle Identity Manager
process of:
Populating a custom process form of a connector
Saving the values in the form to its database
Using these values to provision an end user with a
resource
With autoprovisioning, Oracle Identity Manager
provisions the corresponding resource to an end user
after the connector is assigned to the user.
Day-Two Provisioning Functions
Oracle Identity Manager is an application that can handle
day-two provisioning functions, including:
Temporarily disabling an end user's account with an
external resource
Reinstating the user's account with the resource
Modifying the password of the user's account
Permanently revoking the access rights that the user
has with the resource
Day-Two Provisioning Functions:
Disabling a User's Account
In this example, an administrator disables Robert La
Vallie's account with an external resource. As a result,
Oracle Identity Manager temporarily deactivates this user's
account.
Day-Two Provisioning Functions:
Reinstating the User's Account
In this example, an administrator enables Robert La
Vallie's account with an external resource. As a result,
Oracle Identity Manager reinstates this user's account.
Day-Two Provisioning Functions:
Modifying the User's Password
In this example, an administrator modifies the password of
Robert La Vallie's account with an external resource.
Day-Two Provisioning Functions:
Deleting the User's Account
In this example, an administrator deletes Robert La Vallie's
account with an external resource. As a result, Oracle
Identity Manager permanently revokes the access rights
that this user has with the resource.
Summary
In this lesson, you should have learned how to:
View a graphical representation of a provisioning
workflow in Oracle Identity Manager
Discuss approval processes, including how they affect
a provisioning workflow
Complete an approval process
Analyze autoprovisioning
Perform day-two provisioning functions, including:
Disabling an end user's account with an external
resource
Reinstating the account
Modifying the password of the user who is accessing the
account
Deleting the user's account with the resource
Practice 7 Overview:
Provisioning Resources to Users
This practice covers the following topics:
Completing the approval process of an Oracle Identity
Manager connector
Direct-provisioning a connector to an end user
Temporarily disabling an end user's account with an
external resource
Reinstating the user's account with the resource
Modifying the password of the user's account
Permanently revoking the access rights that the user
has with the account
Customizing the Oracle Identity Manager
Administrative Console
Objectives
After completing this lesson, you should be able to:
Identify the two levels of customization for the Oracle
Identity Manager Administrative Console
Modify the look and feel of the console to brand it for
your company
Change the functionality of the console without
modifying the Oracle Identity Manager code
Explain why the code should never be changed
Levels of Customization
There are two levels of customization that an administrator
should perform with the Oracle Identity Manager
Administrative Console:
Modifying the look and feel of the console (that is,
branding it)
Changing the functionality of the console without
modifying the Oracle Identity Manager code
Branding the Console
There are different ways to brand the Administrative
Console, including:
Customizing the overall layout of the Web pages of the
console
Modifying the descriptive text and labels that appear on
the Web pages of the console
Replacing company and product logos with your own
icons
Changing the color, font, and alignment of text
Changing the Functionality
There are different ways to change the functionality of the
Administrative Console without changing the code,
including:
Customizing the self-registration process for creating a
user's account
Configuring how users can modify the profiles of their
accounts
Customizing the behavior of the fields that appear on
the Web pages of this console
Setting the menu items that are available to users who
belong to a particular group
Customizing search pages
Customizing the Overall Layout of a Web Page
In this example, you customize the general layout of a Web
page by displaying the company logo at the right side of
the header banner.
Adding Logos
In this example, you replace the product's default logo with
your own company logo.
Modifying Text and Labels
In this example, you modify the text and label of the Search
User button that appears on the Manage User form.
Customizing Colors, Font,
and Alignment of Text
In this example, you modify the color, font, and alignment
of the text that appears in the footer banner of the console.
Customizing the Self-Registration Process
In this example, you change the Middle Name field of the
User Self-Registration form from optional to mandatory.
Customizing the Behavior of a Form Field
In this example, you change the Email Address field of the
Create User form from optional to mandatory.
Customizing Menu Items for User Groups
In this example, you add menu items associated with
deploying Oracle Identity Manager connectors to users
(such as Dawn Jones) who belong to a particular group.
Customizing Search Pages
In this example, you customize the search pages of your
console by reducing (from 10 to 5) the maximum number
of search results that can appear on a Web page.
Summary
In this lesson, you should have learned how to:
Differentiate between the two levels of customization
for the Oracle Identity Manager Administrative Console
Brand the console
Change the functionality of the console without
modifying the Oracle Identity Manager code
Explain why the code should never be changed
Practice 8 Overview: Customizing the Oracle
Identity Manager Administrative Console
This practice covers the following topics:
Branding the Oracle Identity Manager Administrative
Console
Changing the functionality of the console without
modifying the Oracle Identity Manager code
Transferring Oracle Identity Manager
Connectors
Objectives
After completing this lesson, you should be able to do the
following:
Describe the benefits of transferring Oracle Identity
Manager connectors from one environment to another
Identify the different ways that connectors can be
transported between environments
Explain how to export a connector
Discuss how to import a different connector and
configure it so that it is operable in your environment
Transferring Oracle Identity Manager Connectors:
Benefits
Benefits of transferring Oracle Identity Manager
connectors from one environment to another:
Efficiency
Error reduction
Transferring Oracle Identity Manager Connectors:
Ways
Transfer a component of a connector or an entire
connector from one environment to another
Transport multiple Oracle Identity Manager connectors
between environments simultaneously
Exporting Oracle Identity Manager Connectors
To export an Oracle Identity Manager connector so that it
is operable in another environment:
1. Build an *.xml file that contains the components of
your connector.
2. Export this file into a designated location that can be
accessed from your home or office environment.
Exporting Oracle Identity Manager Connectors
In this example, you export the Oracle RO connector.
Using Oracle Identity Manager Connectors:
Setup
The following steps show you how to set up and run an
Oracle Identity Manager connector so that it is operable in
your environment.
1. Import the *.xml file that contains the designated
Oracle Identity Manager connector.
2. Paste any external JAR files into their designated
locations.
3. Recompile the adapters that are contained in your
Oracle Identity Manager connector.
4. Define IT resources for the specific machines,
applications, or services that are represented by your
connector.
Using Oracle Identity Manager Connectors:
Run Time
5. Assign the Oracle Identity Manager connector to a
user.
6. Populate the fields of the custom process form that is
contained in your connector. Then save this
information to the database.
7. Verify that the login credentials you entered in the
custom form can be used to access the external
resource (that is, an Oracle database).
Step 1: Importing Oracle Identity Manager
Connectors
In this example, you import a connector into your Oracle
Identity Manager environment.
Step 2: Pasting the JAR Files
Copy the xliDatabaseAccess.jar file (which resides in
your E:\OIM901_files directory) and paste it into your
E:\OIM901_server\xellerate\JavaTasks directory.
Step 3: Recompiling the Adapters
The Adapter Manager form is used to compile multiple
adapters simultaneously.
Step 4: Defining the IT Resources
An IT resource is an instance that contains the values that
Oracle Identity Manager needs to:
Communicate with an external resource (in this case,
an Oracle database)
Access the external resource as an administrator (for
provisioning purposes)
Step 5: Assigning a Connector to a User
In this example, you assign an Oracle Identity Manager
connector to a user.
Step 6: Completing the Custom Process Form
The values in the custom process form represent the login
credentials of the target user that Oracle Identity Manager passes
into the corresponding external resource (in this case, an Oracle
database).
Step 7: Accessing the Database
This screenshot illustrates a successful login to your
Oracle SQL*Plus client. It indicates that the designated
user is provisioned with the external resource (in this case,
an Oracle database).
Summary
In this lesson, you should have learned how to:
Describe the benefits and different ways of transferring
Oracle Identity Manager connectors between
environments
Discuss how to export an Oracle Identity Manager
connector
Explain how to import a different Oracle Identity
Manager connector and configure it so that it works in
your environment
Practice 9 Overview:
Transferring Oracle Identity Manager Connectors
This practice covers exporting an *.xml file that contains
your Oracle Identity Manager connector.
Creating Reports
Objectives
After completing this lesson, you should be able to do the
following:
Identify the two types of reports that an administrator
can create for Oracle Identity Manager users:
operational reports and historical reports
Differentiate between these two types of reports
List the different operational and historical reports that
are available with Oracle Identity Manager
Discuss additional reports that can be created by using
a third-party tool (such as Crystal Reports)
Create operational and historical reports with the
Oracle Identity Manager Administrative Console
Operational and Historical Reports
An administrator can create two types of reports for Oracle
Identity Manager users:
Operational reports: Information about resources that a
user can access (current data)
Historical reports: Information about resources that are
associated with a user throughout that user's
employment with the company (life-cycle data)
Operational Reports: Types
There are four types of operational reports:
Who Has What
Resource Access List
Entitlements Summary
Policy List
Historical Reports: Types
There are five types of historical reports:
User Resource Access History
Resource Access List History
User Profile History
User Membership History
Group Membership History
Other Reports: Types
An administrator can create the following eight additional
reports by using a third-party reporting tool.
Who Has What: Lists the users and the resources with
which they are provisioned
Direct Provisioned: Shows the following information:
Resources that are directly provisioned to the target
users
User who directly provisioned the resources for the
target users
Users who received the resources
Requests Made: Displays requests that are created by
users
Active Queue: Subset of the Requests Made report;
lists the requests that are approved by users
Requests Executed: Subset of the Active Queue report;
shows the requests that are executed by Oracle Identity
Manager
Reconciled Apps: Lists the successful events that are
associated with reconciliation
Reconciled Users: Displays the users who are added to
Oracle Identity Manager through reconciliation
Unreconciled Data: Shows the reconciliation events
that could not be matched to a specific user,
organization, or provisioning process
Creating a Who Has What Operational Report
In this example, you create a Who Has What operational
report for the user with the ID of RLAVALLI.
Creating a Resource Access List
Operational Report
In this example, you create a Resource Access List
operational report for the Oracle RO resource.
Creating an Entitlements Summary
Operational Report
In this example, you create an Entitlements Summary
operational report. DataBase Access (Login) is the
designated resource and Revoked is the associated status
level (or entitlement).
Creating a Policy List Operational Report
In this example, you create a Policy List operational report.
Users Access Policy is the designated policy and Oracle 9i
Users is the target user group.
Creating a User Resource Access History
Historical Report
In this example, you create a User Resource Access History
historical report for the user with the ID of RLAVALLI.
Creating a Resource Access List History
Historical Report
In this example, you create a Resource Access List History
historical report for the Oracle RO resource.
Creating a User Profile History Historical Report
In this example, you create a User Profile History
historical report for the user with the ID of RLAVALLI.
[Screenshot callouts: Current e-mail address, Original e-mail address]
Creating a User Membership History
Historical Report
In this example, you create a User Membership History
historical report for the user with the ID of RLAVALLI.
Creating a Group Membership History
Historical Report
In this example, you create a Group Membership History
historical report for the Oracle 9i Approvers user group.
Summary
In this lesson, you should have learned how to:
Identify operational reports and historical reports (and
the differences between them)
List the different operational and historical reports that
are available with Oracle Identity Manager
Discuss additional reports that can be created by using
a third-party tool (such as Crystal Reports)
Create operational and historical reports with the
Oracle Identity Manager Administrative Console
Practice 10 Overview: Creating Reports
This practice covers creating the following types of
reports:
Operational reports
Who Has What
Resource Access List
Entitlements Summary
Policy List
Historical reports
User Resource Access History
Resource Access List History
User Profile History
User Membership History
Group Membership History
Understanding Attestation
Objectives
After completing this lesson, you should be able to:
Define attestation and attestation processes, including
the fundamental components of an attestation process
Describe the types of users who analyze, create, and
manage attestation processes
Identify the types of data that can be attested
Discuss the different ways that attestation processes
can be executed (that is, the schedule for attestation
processes)
Explain the workflow of an attestation process from
beginning to end
Attestation
Mechanism by which Oracle Identity Manager users are
notified periodically of a report they must review
This report outlines the provisioned resources that
certain users have.
Process of authorizing established internal controls,
processes, and policies for user-related and
transactional-related data
Attestation Processes
An attestation process is the framework by which an
attestation workflow is set up and created. It contains the
following run-time components:
User + Data + Schedule
Attestation Process: Users
Four types of users analyze, create, and manage
attestation processes:
Reviewer
System administrator
Compliance manager
Process owner
Attestation Process: Data
Two types of data can be attested:
Oracle Identity Manager users and the resources they
can access
Fine-grained privileges that determine how a user
should be entitled to a resource
Attestation Process: Schedule
All activities that are associated with an attestation
process can be:
Run at a periodic interval (for example, every three
months)
Executed on demand
Attestation Process: Workflow
[Workflow diagram with numbered steps 1 to 4. Labels: Schedule, Data, E-mail notification, Process owner, Reviewer, Oracle Identity Manager repository. Reviewer actions: Reject, Certify, Delegate, Decline.]
Summary
In this lesson, you should have learned how to:
Identify attestation and attestation processes, including
the primary components of an attestation process
Describe the users, data, and schedules that are
associated with attestation processes
Explain how an attestation process works from
beginning to end
Copyright 2006, Oracle. All rights reserved.
Creating, Managing, and Reviewing
Attestation Processes
Objectives
After completing this lesson, you should be able to:
Configure your Oracle Identity Manager environment so
that it can handle attestation processes
Create an attestation process through the Oracle
Identity Manager Administrative Console
Access the Administrative Console as a reviewer and
act on an attestation process that is assigned to you:
certify it, decline it, reject it, or delegate it to another
reviewer
Access this console as a process owner and view
information about the attestation process, including its
status: whether it is certified, rejected, declined, or
delegated to another reviewer
Configuring an Attestation Process
There are six steps in setting up an attestation process:
1. Configuring your Oracle Identity Manager environment
so that its attestation features are available
2. Configuring the resource object of your connector so
that its data can be reviewed during an attestation
process
3. Configuring the process form of your connector so
that its data is available for review during an
attestation process
4. Assigning a manager to the user who is the recipient
of the target resource (This manager is responsible for
reviewing the attestation process for the user.)
5. Assigning menu items to the following user groups:
User group that is responsible for creating and managing
the attestation process (that is, the process owner
group)
User group that is responsible for reviewing the
attestation process (the reviewer group)
6. Assigning administrative privileges and permissions to
each of these groups
Installing the Oracle Identity Manager Server
By selecting this option, you can use the attestation
features of Oracle Identity Manager for audit and
compliance purposes.
Configuring the Resource Object
Select the Financially Significant check box of your
connector's representative resource object in the
Design Console.
Configuring the Process Form
Set the value of this record to Resource Form in the
Design Console.
Assigning a Manager to a User
Assign the manager with the ID of TJONES to the
end user named Robert La Vallie. This manager is
responsible for reviewing the attestation process for
the user.
Assigning Menu Items to User Groups
Assign menu items to users who belong to the IT
group. This group represents the users who are
responsible for creating and managing attestation
processes.
Assigning Menu Items to User Groups
Assign a menu item to users who belong to the
Managers group. This group represents the users
who are responsible for reviewing attestation
processes.
Assigning Administrative Privileges and
Permissions for User Groups
Assign administrative privileges and permissions to
users who belong to the IT group. This group
represents the users who are responsible for creating
and managing attestation processes.
Creating an Attestation Process
There are five stages in creating an attestation process:
1. Defining high-level information about the attestation
process
2. Defining the scope and reviewer for the attestation
process
3. Defining the administrative details of the attestation
process
4. Verifying the information of the attestation process
5. Assigning groups of users to the attestation process
who are responsible for reviewing and managing it
Stage 1: Defining High-Level Information
On the Define Process screen, you specify high-
level information about the attestation process.
Stage 2: Defining the Scope and Reviewer
On the Define Attestation Scope And Reviewer
screen, you specify how a user should have access
rights to a resource (that is, the scope) and the
reviewer for the attestation process.
Stage 3: Defining the Administrative Details
On the Define Administrative Details screen,
you specify how often the attestation process should be
run. You also specify its process owner group.
Stage 4: Verifying the Information
On the Verify Info Page screen, you ensure that the
information in the attestation process is correct.
Stage 5: Assigning Groups
On the Administrative Groups screen, you assign groups
of users who are responsible for reviewing and managing
the attestation process.
Reviewer Actions for an Attestation Process
As a reviewer of an attestation process, you can perform
one of the following actions with it:
Delegate it to another reviewer
Reject it
Certify it
Decline to act on it
Reviewing an Attestation Process
As a reviewer, you perform an action on an attestation
process. You can certify, reject, or decline an
attestation process or can delegate it to another
reviewer.
Process Owner Actions
for an Attestation Process
As the owner of an attestation process, you can view the
following information about it:
High-level and detailed information
The date and time when the attestation process is
submitted to a reviewer
The reviewer who received the attestation process
The status of the attestation process (that is, whether
the reviewer certified it, rejected it, declined it, or
delegated it to another reviewer)
The delegation path (if the attestation process is
delegated to another reviewer)
Viewing an Attestation Process
As a process owner, you can view both high-level and
detailed information about an attestation process.
Summary
In this lesson, you should have learned how to:
Configure your Oracle Identity Manager environment so
that it can handle attestation processes
Create an attestation process with the Oracle Identity
Manager Administrative Console
Act on an attestation process as a reviewer: certify it,
decline it, reject it, or delegate it to another reviewer
View information about an attestation process as a
process owner, including its status: whether it is
certified, rejected, declined, or delegated to another
reviewer
Practice 12 Overview: Creating, Managing, and
Reviewing Attestation Processes
This practice covers the following topics:
Setting up your environment so that you can create
attestation processes
Using the Oracle Identity Manager Administrative
Console to create an attestation process
Acting on an attestation process (for example,
certifying it)
Viewing both high-level and detailed information about
an attestation process
Troubleshooting Oracle Identity Manager
Objectives
After completing this lesson, you should be able to
troubleshoot problems that administrators commonly
encounter with Oracle Identity Manager. These problems
are fixed through the use of disaster-recovery procedures.
Increasing the Size of the Java Pool
Problem: After launching the Oracle Identity Manager
Diagnostic Dashboard, the Database Prerequisites
Check fails.
The reason for the failure is that the current Java pool
size of your Oracle database is 32 MB. As a result, it does
not meet the minimum requirement of 60 MB.
Solution:
1. Stop the Oracle Identity Manager Server.
2. Access the database by using the Oracle Enterprise
Manager Console.
3. Click the Instance subnode. A Configuration form is
nested in this node.
4. Click the Configuration form (to make it active).
5. In this form, select the Memory tab. In the Java Pool field,
enter 60. Then click the Apply button that appears on
this tab. A Shutdown Options window appears.
6. In the Shutdown Options window, select the Immediate
option. Then click OK. Your database is shut down and
restarted so that the changes to your Java pool can be
registered.
7. Close the Oracle Enterprise Manager Console.
8. Restart the Oracle Identity Manager Server.
Changing the Authentication Mode
Problem: After installing Oracle Identity Manager, you
want to change the authentication mode from the
application's default setting to Single Sign-On (SSO).
Solution:
1. Stop the Oracle Identity Manager Server.
2. Use a text editor to open the xlconfig.xml file, which is
located in the E:\OIM901_Server\xellerate\config
directory.
3. Look for the following piece of code:
<Authentication>
Default
</Authentication>
4. Replace the Default value with the name of the header
value configured in the SSO system.
5. Save your changes.
6. Restart the Oracle Identity Manager Server.
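One way to script steps 2 through 5 so that the edit is refused unless the file is in the expected state, added here as an example (it is not Oracle's tooling). It assumes a UTF-8 file; the header name OIM_REMOTE_USER and the wrapper element in the sample are hypothetical.

```python
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# The element shown on the slide. The value may sit on its own line, so the
# whitespace on either side is captured and written back unchanged.
AUTH_RE = re.compile(r"(<Authentication>\s*)([^<]*?)(\s*</Authentication>)")

# Characters allowed in an HTTP header field name (RFC 7230 "token").
HEADER_NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def set_authentication_mode(xml_text, header_name, expected_current="Default"):
    """Return xml_text with the <Authentication> value replaced by header_name.

    Raises ValueError instead of guessing when the file is not in the state
    the procedure expects, so a half-edited config is never written.
    """
    if not HEADER_NAME_RE.fullmatch(header_name):
        raise ValueError(f"not a valid HTTP header name: {header_name!r}")
    try:
        ET.fromstring(xml_text)  # refuse to touch a file that is already broken
    except ET.ParseError as exc:
        raise ValueError(f"config is not well-formed XML: {exc}") from exc

    matches = AUTH_RE.findall(xml_text)
    if len(matches) != 1:
        raise ValueError(f"expected one <Authentication> element, found {len(matches)}")
    current = matches[0][1]
    if current != expected_current:
        raise ValueError(f"<Authentication> is {current!r}, not {expected_current!r}")

    # Regex substitution keeps comments and layout; re-serializing would not.
    new_text = AUTH_RE.sub(lambda m: m.group(1) + header_name + m.group(3), xml_text)
    ET.fromstring(new_text)  # the edit must leave the file parseable
    return new_text


def apply_to_file(path, header_name):
    """Edit the config in place, keeping the original as <name>.bak."""
    path = Path(path)
    new_text = set_authentication_mode(path.read_text(encoding="utf-8"), header_name)
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(new_text, encoding="utf-8")
    return backup


# Constructed sample: only the <Authentication> element comes from the slide;
# the wrapper element and the comment are placeholders.
SAMPLE = """<sample-config>
  <!-- other settings omitted -->
  <Authentication>
  Default
  </Authentication>
</sample-config>
"""


def demo():
    """Run the edit on a temporary copy of SAMPLE; return (edited, backup) text."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "xlconfig.xml"
        cfg.write_text(SAMPLE, encoding="utf-8")
        backup = apply_to_file(cfg, "OIM_REMOTE_USER")  # hypothetical header name
        return cfg.read_text(encoding="utf-8"), backup.read_text(encoding="utf-8")


if __name__ == "__main__":
    edited, _ = demo()
    print(edited)
```

With header-based SSO the server accepts the identity carried in that header, so the application server's port should be reachable only through the SSO front end. Keep the .bak copy until a login through SSO has been confirmed.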
Exporting a File Properly
Problem: Exporting a file via the Deployment Manager
form (which can be found in the Oracle Identity
Manager Administrative Console) results in an invalid
file, a corrupted XML file, or a file created with 0 KB.
Solution:
1. When you export your file, make sure that no other users
are also attempting to export a file.
2. At the same time, verify that no reconciliation workflows
or scheduled tasks are being run.
3. Reconfigure the minimum and maximum memory
parameters of the JBoss application server to 512 MB
and 1,024 MB, respectively.
Verifying That the Oracle Identity Manager
Scheduler Is Running
Problem: You want to verify that the service that
programs events to be executed at periodic intervals
(that is, the Oracle Identity Manager Scheduler) is
running.
Solution:
1. Launch a Web browser.
2. In the Address field, enter the following URL:
http://localhost:8087/xlScheduler/status
(localhost is the machine name for the application
server, and 8087 is this server's port number.)
Customizing the Login Page
of the Administrative Console
Problem: You want to customize the Login page of the
Administrative Console.
Solution:
Open the tjspLoginTiles.jsp file,
which is located in the following directory:
E:\jboss-4.0.2\server\default\deploy\XellerateFull.ear\xlWebApp.war\xlWebApp\tiles
This file contains the properties that pertain to the
Login page.
Changing the Background Color
of Oracle Identity Manager Explorer
Problem: You want to customize the Administrative
Console so that the background color for the header is
different from the background color that appears in
your Oracle Identity Manager Explorer.
Solution:
1. Stop the Oracle Identity Manager Server.
2. Use a text editor to open the Xellerate.css file, which
is located in the
E:\jboss-4.0.2\server\default\deploy\XellerateFull.ear\xlWebApp.war\css
directory.
3. In this file, create a new class called ExplorerMenu and
add the new background color. To do so, add this piece
of code to it:
.ExplorerMenu
{
BACKGROUND-COLOR: <color>;
}
In the code, <color> represents the new color.
4. Use a text editor to open the tjspClassicLayout.jsp
file, which is located in the
E:\jboss-4.0.2\server\default\deploy\XellerateFull.ear\xlWebApp.war\layouts
directory.
5. Replace the Sidebar element with the ExplorerMenu
class.
6. Save your changes.
7. Restart the Oracle Identity Manager Server.
Unlocking the xelsysadm User Account
Problem: The xelsysadm user account is locked and
cannot be unlocked because an Oracle Identity
Manager user exceeded the maximum number of login
attempts.
Solution:
1. Stop the Oracle Identity Manager Server.
2. Open a DOS window.
3. In the DOS prompt that appears, enter
sqlplus /nolog. A SQL prompt appears.
4. Connect to the Oracle database as an administrator
(for example, connect sys/sys@train91 as sysdba,
where sys is the system user and password and
train91 is the name of the database).
5. Run the following query:
SQL>UPDATE SYS.USR SET USR_LOCKED=0,
USR_LOGIN_ATTEMPTS_CTR=0 WHERE
USR_LOGIN='XELSYSADM';
6. After you see that the row is updated, commit the
changes to the database. To do so, enter the following at
the SQL prompt:
SQL>commit;
7. Restart the Oracle Identity Manager Server.
Summary
In this lesson, you should have learned how to use
disaster-recovery procedures to fix common problems that
administrators encounter with Oracle Identity Manager.