1. What is an Identity?
An identity is the virtual representation of an enterprise resource user, including employees, customers, partners and vendors. Identity Management shows the rights and relationships the user has when interacting with a company’s network.
2. Why we need Identity
Identity management helps users and organizations keep constant control and visibility over the organization’s most critical data and systems. It protects against the accidental misuse of privileged access by streamlining the authorization and monitoring of privileged users.
Imagine a situation in which your organization starts growing. The bigger and more complex your organization’s IT systems get, the more privileged users there are, including employees, contractors, and remote or automated users. Then you start wondering what access has been granted and what users are actually doing. This complexity makes it difficult to understand security risks. What you need is to track the provisioning, management and retirement of these critical account entitlements.
3. How does Identity Management (IDM) work?
The process involves creating user accounts that can be modified, disabled or deleted. Delegated workflows, rules and policies are applied to the user’s account. A user profile tells the company: who they are, what they are entitled to do, when they are allowed to perform specific functions, where they are allowed to perform functions from, and why they have been granted permissions.
4. What Is Identity Certification?
Identity Certification is the process of reviewing user entitlements and access-privileges within an enterprise to ensure that users have not acquired entitlements that they are not authorized to have. It also involves either approving (certifying) or rejecting (revoking) each access-privilege. Types of certification:
· User Certification
· Role Certification
· Application Instance Certification
· Entitlement Certification
5. What is OIM?
Oracle Identity Manager (OIM) is a highly flexible and scalable enterprise identity management system that is designed to administer user access privileges across a company's resources throughout the entire identity management life cycle, from initial on-boarding to final de-provisioning of an identity.
OIM can be used as the single point of management for the IT resources in your organization. Integration of target systems in an enterprise with OIM is done using reconciliation and provisioning.
6. Why Need OIM?
OIM manages the identity of an organization’s resources from pre-hire to post-hire and through the resource’s life cycle until the resource leaves the organization. Oracle Identity Manager (OIM) enables enterprises to manage the entire user life cycle across all enterprise resources both within and beyond a firewall. An Oracle identity management solution provides a mechanism for implementing the user management aspects of a corporate policy. It can also be a means to audit users and their access privileges.
7. What does User De-Provisioning mean?
User de-provisioning is the process of removing an individual user’s access to an organization’s resources. This can include removing user accounts on individual machines or servers, or from authentication servers like Active Directory. It can also include removing a user’s machine entirely. De-provisioning is usually done when a user leaves an organization.
8. Explain the Architecture of Oracle Identity Manager?
The Oracle Identity Manager architecture consists of three tiers:
· Tier 1: Client: The Oracle Identity Manager application GUI components reside in this tier. Users log in by using the Oracle Identity Manager client. The Oracle Identity Manager client interacts with the Oracle Identity Manager server, providing it with the user's login credentials.
· Tier 2: Application Server: The second tier implements the business logic, which resides in the Java Data Objects that are managed by the supported J2EE application server (JBoss application server, BEA WebLogic, and IBM WebSphere). The Java Data Objects implement the business logic of the Oracle Identity Manager application; however, they do not expose any methods to the outside world. Therefore, to access the business functionality of Oracle Identity Manager, you use the API layer within the J2EE infrastructure, which provides the lookup and communication mechanism.
· Tier 3: Database: The third tier consists of the database. This is the layer that is responsible for managing the storage of data within Oracle Identity Manager.
9. OIM Terminologies
The following terminologies are associated with access policies:
Resource: A resource is a logical entity in Oracle Identity Manager that can be provisioned to a user or an organization. For example, Microsoft Active Directory (AD), Microsoft Exchange, SAP, UNIX, and databases are modeled as resources in Oracle Identity Manager. Resources are template definitions that are associated with one or more workflows called Provisioning Processes in Oracle Identity Manager, which model lifecycle management, such as how to provision, revoke, enable, and disable. Resources also have entities called forms associated with them. Forms represent a collection of attributes associated with the resource. For instance, a form associated with an AD server includes attributes such as SAM Account Name, Common Name, and User Principal Name. Forms also contain an attribute of type IT Resource (see "IT Resource Type" for details). Resources can be marked Allow Multiple, which allows multiple instances of a resource to be provisioned to a user or an organization.
Account: Accounts are actual instances of a resource that are created and provisioned to a user or organization in Oracle Identity Manager. For example, an e-mail account on an Exchange server is an account (instance) of resource type Exchange. Accounts have specific values for the attributes of the associated form.
IT Resource Type: An IT resource type is a logical entity in Oracle Identity Manager used to model a physical target and all its attributes, including (but not limited to) the connectivity information and the credentials required to connect to the physical computer. For example, IT resource type AD Server is used to model an actual AD server.
IT Resource Instance: These are actual instances of a specific IT resource type that represent the actual physical target. They have specific values for all the attributes of the physical target, such as IP address, port, user name, and password. Two physical AD servers in a deployment are represented by two instances of IT resource type AD Server.
Account Discriminator: An account discriminator is a collection of attributes on a form that uniquely identify the logical entity on which accounts are created. This term is sometimes loosely referred to as a target. For instance, for an AD server, an account discriminator can be a combination of AD server (an attribute of type IT Resource) and Organization Name. Typically account discriminators are attributes of type IT Resource. Attributes are marked as account discriminators by setting the Account Discriminator property of a form field to True.
Application Instances: An application instance is a provisionable entity, and a combination of an IT resource instance (target connectivity and connector configuration) and a resource object (provisioning mechanism). Application instances have business-friendly names that are easier to remember. Creating and managing application instances is performed by using the Application Instance section of Oracle Identity System Administration. Application instances can be connected or disconnected. A connected application instance has a connector defined for the provisioning of entities. A disconnected application instance is used for the provisioning of a disconnected resource, for which a connector is not defined, and therefore the provisioning is performed manually by the administrator.
10. Benefits of OIM
Centralized auditing and reporting: Know who did what and report on system usage.
Reduce IT operating costs: Immediate return on investment is realized by eliminating the use of paper forms, phone calls and wait time for new account generation, and by enabling user self-service and password management.
Minimize security risk: Control access to the network and instantaneously update accounts in a complex enterprise environment, including layoffs, acquisitions, partner changes, and temporary and contract workers.
Improved quality of IT services.
Legal compliance: Many government mandates require secure control of access.
Automation: An automated solution lowers costs, boosts overall productivity, and optimizes security protocols.
Role-based access: No need to provide domain credentials to outsiders; access is limited based on the user roles mapped by the administrator.
Certification: The process of reviewing user entitlements and access-privileges within an enterprise to ensure that users have not acquired entitlements that they are not authorized to have. It also involves either approving (certifying) or rejecting (revoking) each access-privilege.
Reconciliation: Reconciliation provides the inward flow into OIM. Reconciliation is based on either a “push” or a “pull” model, using which OIM finds out about any identity-related activity on the target system. In other words, it is the process by which OIM receives information from a target/resource. The process of bringing identities and accounts into OIM from some resource is known as reconciliation.
Provisioning: In data flow terms, provisioning provides the outward flow from OIM. Provisioning is based on a “push” model, using which OIM communicates changes to the target system. In other words, it is the process by which OIM sends information to a target/resource.
Access Policy: Access policies are a list of roles and the resources with which those roles are to be provisioned or deprovisioned. Access policies are used to automate the provisioning of target systems to users.
Password Management: Centralized password management for enterprise applications, a feature that you can leverage by provisioning through its connectors.
Workflows
Export/Import
Connector integration
Bulk operations
There are two types of Reconciliation:
· Trusted Reconciliation (Authoritative)
· Target Reconciliation (Non-Authoritative)
Trusted Reconciliation: The process of loading identities into IDM is known as Trusted or Authoritative Reconciliation. In this process we load user profiles into IDM, and the user gets created in IDM. If we run trusted reconciliation against any target, the user will get created in OIM. If a user already exists in OIM with that user ID, their profile will get updated with the new values from the target (if any).
Target Reconciliation: The process of loading account profiles into OIM is known as Target or Non-Authoritative Reconciliation. In this process OIM loads the user’s account profile, i.e. the user’s target account information. In this reconciliation only the resource profile of the user is created, not the user profile.
If we run target reconciliation against targets, the resource profile will get created in OIM. The resource profile shows that the user has an account in the target. For creation of the resource profile, the user must already be present in IDM.
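To make the trusted/target distinction concrete, here is an added example (written for this page, not OIM code) that models both reconciliation modes over constructed HR and AD feeds. OimStore, trusted_reconcile, target_reconcile and the orphan list are assumptions of this model, not OIM APIs; trusted recon creates or updates users, while target recon only links accounts to users that already exist.

```python
from dataclasses import dataclass, field

@dataclass
class OimStore:  # constructed stand-in for OIM's user and account tables (hypothetical)
    users: dict = field(default_factory=dict)     # user_id -> profile attributes
    accounts: dict = field(default_factory=dict)  # (user_id, resource) -> account attributes
    orphans: list = field(default_factory=list)   # target accounts with no matching OIM user

def trusted_reconcile(store, events):
    """Authoritative feed (e.g. HR): create the OIM user if the user ID is new,
    otherwise update the existing profile with whatever values the target supplies."""
    created, updated = [], []
    for ev in events:
        uid = ev["user_id"]
        attrs = {k: v for k, v in ev.items() if k != "user_id" and v is not None}
        if uid in store.users:
            store.users[uid].update(attrs)  # existing user: refresh profile, keep other attributes
            updated.append(uid)
        else:
            store.users[uid] = attrs        # new identity: the user profile is created here
            created.append(uid)
    return created, updated

def target_reconcile(store, resource, events, match_attr="user_id"):
    """Non-authoritative feed (e.g. an AD connector): link each target account to an existing
    OIM user as a resource profile. Users are never created here; an account whose owner is
    not already in OIM is parked as an orphan for an administrator to match manually."""
    linked, orphaned = [], []
    for ev in events:
        owner = ev.get(match_attr)
        account = {k: v for k, v in ev.items() if k != match_attr}
        if owner in store.users:
            store.accounts[(owner, resource)] = account
            linked.append(owner)
        else:
            store.orphans.append((resource, account))
            orphaned.append(account)
    return linked, orphaned

def demo():
    """Run both modes over constructed sample feeds and return the resulting store."""
    store = OimStore()
    hr_day1 = [{"user_id": "u1001", "first_name": "Ana", "department": "Sales"},
               {"user_id": "u1002", "first_name": "Ben", "department": "IT"}]
    trusted_reconcile(store, hr_day1)
    # Day 2: Ana changed department. Same user ID, so the profile is updated, not duplicated.
    trusted_reconcile(store, [{"user_id": "u1001", "department": "Finance"}])
    ad_accounts = [{"user_id": "u1001", "sAMAccountName": "ana", "enabled": True},
                   {"user_id": "u1002", "sAMAccountName": "ben", "enabled": False},
                   {"user_id": "u9999", "sAMAccountName": "ghost", "enabled": True}]
    target_reconcile(store, "AD", ad_accounts)  # "ghost" has no OIM user -> orphan
    return store
```

The orphan list is where a reviewer would look for accounts on the target that no OIM identity owns, which is the case the text warns about when target reconciliation runs before the user exists.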
11. What is OIM User?
OIM User: An OIM user is an entity/account which helps in managing the compliance of any organization and helps in providing access rights according to its identity in the related organization.
How many types of users are there in Oracle Identity Manager?
End-User Administrator: An end-user administrator is a user who has access to both the Administrative and User Console and the Design Console. An end-user administrator may be tasked with managing access rights for users, changing the status of process tasks, or other tasks that include managing the Oracle Identity Manager environment from higher levels.
End-User: End users are normally recipients of resources provisioned to them by Oracle Identity Manager. They have the ability to log in to the Oracle Identity Manager Administrative and User Console to perform tasks such as viewing their user profiles, allocated resources, and assigned roles. By default, they can perform self-service tasks from the console.
12. What are Organizations in OIM?
An organization is a logical container of entities, including users and other organizations, defined within Oracle Identity Manager.
Oracle Identity Manager can have a flat organizational structure or a hierarchical structure, which means that an organization can contain other organizations. These child organizations are known as sub-organizations.
13. What are Roles in OIM?
A role is used to define the access rights that an entity may have. Defined roles use unique role names to differentiate them within the Oracle Identity Manager environment. A role may be associated with one or more access rights to Oracle Identity Manager functions. For example, a single role can enable a user to create other Oracle Identity Manager user accounts and manage a specific organization.
Roles determine the links and menus that are available to users when they log in to the console.
14. Forms in OIM:
There are two types of forms in OIM which are used for showing and storing user data for provisioning:
· Object Form
· Process Form
Object Form: An object form is associated with a Resource Object. It is visible at the time of provisioning/reconciliation. It is used for getting some input from the user while provisioning.
Process Form: This form is associated with the provisioning process of a target resource. During a provisioning process, data flows from the process form to the actual target resource.
15. What is Resource Object (RO)?
A Resource Object is a virtual representation of an account on a target system. If an OIM user has an account on the target system, the user has an RO instance associated with it.
16. What is an Adapter? What adapters are available in OIM?
An adapter is a Java class which helps in automating processes within OIM and is created by an Oracle Identity Manager user through the Adapter Factory.
Process Task Adapters: Can be attached only to a task. They automate completion of a process task and are attached to a Process Definition Form (AD User, OID User, etc.).
Entity Adapters: When you want to perform an operation on any entity like a user or group, you use entity adapters. They can be attached only to forms. These adapters can be used to automatically populate a field on the OIM User form or a custom user form on pre-update, pre-delete, pre-insert, post-insert, post-update, or post-delete.
Pre-Populate Adapter: A specific type of rule generator attached to a user-created form field that can automatically generate data for the process form. It does not save that data to the OIM database, but does send that information to the appropriate directory user object. The data can come from manual entry on a form or from automated entry from the OIM-defined forms. In other words, this adapter is used for populating any field on forms (Process/Object) with some data.
Rule Generator: Can populate fields automatically on an OIM form or a user-created form and save them to the OIM database based on business rules.
Task Assignment Adapter: Automates the assignment of a process task to a user or group. It is used for assigning the task to a particular user/group. A task assignment adapter is used when you want to perform some operation to find the user to whom you want to assign the task.
Some differences between rule generators and entity adapters are:
Execution: Entity adapters can be triggered by Oracle Identity Manager on preinsert, preupdate, predelete, postinsert, postupdate, and postdelete. A rule generator adapter can be executed only on preinsert and preupdate.
Field value modification: The adapter populates the form field to which an entity adapter is attached. An Oracle Identity Manager user should not edit this value, because the entity adapter will overwrite the modification. As a result, the modification will not be saved to the database.
The adapter also populates the form field to which a rule generator adapter is attached. However, an Oracle Identity Manager user can edit this value, because the modification takes precedence over the value that the rule generator adapter generates. Because of this, the modification will be saved to the database.
17. Difference between Event Handler and Entity Adapter
Event Handler
· Needs to extend the tcBaseEvent class.
· Can’t take any parameter from a form.
· Can’t return any value to the form.
· Needs to be registered as a plug-in via the Register Event Handler steps.
Entity Adapter
· No need to extend any class.
· Can take any field from a form as a parameter.
· Can return any value to any form field, depending upon the form.
· Used during any operation on any entity like user/group.
· Easy to implement using the Design Console steps.
18. OIM – How to create and use an entity adapter
· Log in to the Java client with an admin user.
· Move to Development Tools -> Adapter Factory.
· Enter a valid adapter name and description and select “Entity” as the adapter type.
· Save the adapter.
· In the Adapter Tasks tab, click Assign to add a task to the adapter.
· Select logic task -> SET VARIABLE and click Continue.
· In the Add Set Variable Task Parameter dialog, select Adapter return value in the variable name drop-down, Operand Type as Literal, Operand Qualifier -> Text Literal, and input any string.
· Save the settings.
· Compile the adapter.
· Move to Development Tools -> Business Rule Definition -> Data Object Manager.
· Double-click on the form designer field and select Users from the lookup.
· Perform a query on the form using the main toolbar.
· The Data Object Manager should be refreshed to reflect the adapters/event handlers associated with the Users form.
· Associate the entity adapter in the relevant pre/post section. For example, assign the adapter in the pre-insert section.
· Move to the Map Adapter tab and select the adapter from the name drop-down list.
· Adapter return value should appear in the list of adapter variables to map.
· Map the return value to Entity Field -> USR_FIRST_NAME and save.
· Now launch the Users form. Input all required fields except “First Name” and save.