Wednesday, September 19, 2012

New OIM 11GR2 Features


New Features

Access Request Catalog

In OIM 11GR2 a new UI-based, shopping-cart-style request model has been introduced in which users can request any catalog item: roles, resources, entitlements, or all of these clubbed together as a profile. There is no concept of direct provisioning any more; everything goes through a catalog request. The following catalog items can be requested from the UI:

- Roles
- Application Instances
- Entitlements

Catalog items also come with a tagging feature; the tags form the keywords used when searching the catalog. This makes it easy for administrators and requesters to find a catalog item.

The following new concepts and key terms are introduced as part of the catalog:

Catalog
Catalog (aka Request Catalog) offers a consistent and intuitive request experience for customers to request Roles, Entitlements and Application Instances following the commonly used Shopping Cart paradigm. The catalog is a structured commodity with its own set of metadata.

Catalog Item
A Catalog Item is an item (Roles, Entitlements or Application Instances) that can be requested by a user, either for themselves or on behalf of other users.

Category
A Catalog Item Category is a way to organize the request catalog. Each catalog item is associated with one and only one category. A catalog item navigation category is an attribute of the catalog item. Catalog Administrators can edit a Catalog Item and provide a value for the category.

Application Instance
An Application Instance represents an account on a particular target. When users request an application instance, they are requesting an account on that target. Application Instances can be connected, if fulfillment is automated via a Connector, or disconnected, if fulfillment is manual. Application Instances can have entitlements associated with them.

Enterprise Roles
Enterprise Roles are defined by customers. Enterprise Roles have policies associated with them. Users can request enterprise roles via the Catalog. When a role is granted, application instances or entitlements are provisioned to the user.

Entitlement
Entitlements are privileges in an application that govern what a user of the application can do.

Tags
Tags are search keywords. When users search the Access Request Catalog, the search is performed against the tags. Tags are of three types:
  • Auto-generated: The Catalog synchronization process auto-tags the Catalog Item using the Item Type, Item Name and Item Display Name.
  • User-defined: User-defined Tags are additional keywords entered by the Catalog Administrator.
  • Arbitrary tags: If a metadata attribute is marked as searchable when it is defined, its value also becomes part of the tags.

Shopping Cart
The Shopping Cart refers to the collection of Catalog Items that are being requested. A user can have only one cart active at any given time and the cart can contain roles, application instances, entitlements, or any combination of the three.

Catalog synchronization
Catalog synchronization refers to the process of loading roles, application instances, and entitlements into the Catalog. A scheduled task that comes OOTB synchronizes newly created roles, application instances and entitlements to the catalog.

Catalog Security Model

Catalog security is driven by two factors:
  • The security model that uses Organization-based scoping for users, roles, application instances and entitlements. This security model controls what items a requester can see in the Catalog search results and the users who can be added as target users.
  • The security model that is not scoped by organization and is used for global Admin Roles such as Catalog Administrator.

Application Instance

Application instance is a new abstraction used in 11g Release 2 (11.1.2). It is a combination of IT resource instance (target connectivity and connector configuration) and resource object (provisioning mechanism).

Application instance will be published to organizations and can be requested by users of those organizations. Suppose Microsoft Active Directory (AD) is to be provisioned to users across different organizations or departments across the world. You can define application instances consisting of the following:
  • AD as the resource object
  • Each AD server instance with the connectivity information, such as URL and password, as IT resources

Multiple Accounts Per Application Instance

Oracle Identity Manager supports multiple accounts in a single application instance. The first account that is created is tagged as primary account, and there can be only one primary account for a user. The subsequent accounts created on the same application instance would be tagged as Other. When the user requests entitlements, the entitlements are appended to the primary account.

When the user is provisioned to an application instance, Oracle Identity Manager checks whether it is the first account being provisioned for the user in that application instance. If it is the first account, the account is marked as primary. When existing user accounts are reconciled from application instances, the first account that gets reconciled is marked as primary. If the account marked as primary is not the actual primary account, you can manually change the primary tag and mark another account as primary.
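The primary-account rule above (first account per user and application instance becomes primary, whether it arrives by provisioning or reconciliation; later accounts are "Other"; entitlement requests land on the primary; an administrator can move the primary tag) is easy to get subtly wrong, so here is an added Python model of it. This is an illustration written for this post, not OIM code and not an OIM API; the names AccountStore, provision, reconcile, set_primary, request_entitlement and the sample account ids are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    account_id: str
    app_instance: str
    user: str
    primary: bool = False
    source: str = "provisioning"            # "provisioning" or "reconciliation"
    entitlements: List[str] = field(default_factory=list)


class AccountStore:
    """Holds accounts per (user, application instance) and enforces the
    invariant 'at most one primary account per user per application instance'."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def get(self, account_id: str) -> Account:
        return self._accounts[account_id]

    def accounts_of(self, user: str, app_instance: str) -> List[Account]:
        return [a for a in self._accounts.values()
                if a.user == user and a.app_instance == app_instance]

    def _add(self, account: Account) -> Account:
        if account.account_id in self._accounts:
            raise ValueError(f"duplicate account id {account.account_id}")
        # The first account for this user on this application instance is
        # tagged primary, regardless of whether it was provisioned or reconciled.
        account.primary = not self.accounts_of(account.user, account.app_instance)
        self._accounts[account.account_id] = account
        return account

    def provision(self, account_id: str, app_instance: str, user: str) -> Account:
        return self._add(Account(account_id, app_instance, user, source="provisioning"))

    def reconcile(self, account_id: str, app_instance: str, user: str) -> Account:
        return self._add(Account(account_id, app_instance, user, source="reconciliation"))

    def primary_of(self, user: str, app_instance: str) -> Optional[Account]:
        primaries = [a for a in self.accounts_of(user, app_instance) if a.primary]
        if len(primaries) > 1:
            raise RuntimeError("invariant violated: more than one primary account")
        return primaries[0] if primaries else None

    def set_primary(self, account_id: str) -> None:
        """Manual correction by an administrator: move the primary tag so that
        exactly one account of that user on that application instance carries it."""
        target = self._accounts[account_id]
        for a in self.accounts_of(target.user, target.app_instance):
            a.primary = (a.account_id == account_id)

    def request_entitlement(self, user: str, app_instance: str, entitlement: str) -> Account:
        """Entitlement requests are appended to the primary account, never to 'Other' accounts."""
        primary = self.primary_of(user, app_instance)
        if primary is None:
            raise LookupError(f"{user} has no account on {app_instance}")
        primary.entitlements.append(entitlement)
        return primary


def demo() -> AccountStore:
    # Constructed sample data: one user with two AD accounts on the same instance.
    store = AccountStore()
    store.reconcile("ad-1001", "AD-US", "jdoe")      # reconciled first -> primary
    store.provision("ad-1002", "AD-US", "jdoe")      # second account -> Other
    store.request_entitlement("jdoe", "AD-US", "VPN-Users")   # goes to ad-1001
    store.set_primary("ad-1002")                     # administrator corrects the tag
    store.request_entitlement("jdoe", "AD-US", "Domain-Users")  # now goes to ad-1002
    return store


if __name__ == "__main__":
    s = demo()
    for a in s.accounts_of("jdoe", "AD-US"):
        print(a.account_id, "primary" if a.primary else "other", a.entitlements)
```

The point to take from the model is that the "primary" tag is decided by arrival order, not by any attribute of the account, which is exactly why reconciliation can pick the wrong one and a manual correction path is needed.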

Disconnected Application Instances

Oracle Identity Manager supports provisioning of disconnected resources by using the SOA worklist for manual provisioning of disconnected resources. After the role-based provisioning decision or SOA request approval is complete and the corresponding application instance is determined to be a disconnected application instance, a new SOA workflow is started. This new SOA workflow is assigned to the manual provisioning administrator.

Example:

Oracle Identity Manager cannot itself provision a physical access card, so the access card is modeled as a disconnected application instance and provisioned manually.

- To create a disconnected application instance:

To provision a disconnected resource, create an application instance of the disconnected type. The manual provisioning administrator can use the Pending Approvals section of Oracle Identity Self Service to update all fields in the request. After the manual provisioning administrator submits the manual provisioning worklist item, the provisioning infrastructure marks the underlying provisioning task as completed based on the administrator's response. If the administrator specifies that the task was manually completed, the status changes to Provisioned.

Application Instance Security

The Application Instance is also the entity with which security primitives are associated via the organization publishing mechanism. In multi-tenant environments, resource definitions can be shared by multiple organizations, but only those organizations that have the application instance published to them will be actually able to provision to the targets.
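To make the two factors of the catalog security model concrete (organization-scoped publishing, which decides what a requester sees and who can be a target user, versus a global admin role such as Catalog Administrator that is not scoped by organization), together with the tag-based search described in the Tags section and the publishing rule in this section, here is an added Python model. It is not OIM code and uses no OIM API; the names CatalogItem, User, Catalog, search and can_request_for, and the sample organizations and items, are constructed for the illustration. The rule that even a Catalog Administrator can only request an item for a beneficiary whose organization the item is published to is an assumption drawn from the statement that only organizations with the application instance published to them can provision to the target.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class CatalogItem:
    item_type: str                          # "Role", "ApplicationInstance" or "Entitlement"
    name: str
    display_name: str
    published_to: FrozenSet[str]            # organizations the item is published to
    user_tags: FrozenSet[str] = frozenset()         # entered by the Catalog Administrator
    searchable_metadata: FrozenSet[str] = frozenset()  # metadata marked searchable

    def tags(self) -> Set[str]:
        """Auto-generated tags (type, name, display name) plus user-defined tags
        and searchable metadata, all lower-cased for matching."""
        auto = {self.item_type, self.name, self.display_name}
        return {t.lower() for t in auto | self.user_tags | self.searchable_metadata}


@dataclass
class User:
    login: str
    organization: str
    admin_roles: Set[str] = field(default_factory=set)


CATALOG_ADMIN = "Catalog Administrator"     # global admin role, not org-scoped


class Catalog:
    def __init__(self, items: List[CatalogItem]) -> None:
        self._items = list(items)

    def _visible(self, item: CatalogItem, requester: User) -> bool:
        if CATALOG_ADMIN in requester.admin_roles:
            return True                                     # global factor
        return requester.organization in item.published_to  # org-scoped factor

    def search(self, requester: User, keyword: str) -> List[CatalogItem]:
        """Search runs against tags, and results are filtered by what the
        requester is allowed to see."""
        kw = keyword.lower()
        return [i for i in self._items
                if self._visible(i, requester) and any(kw in tag for tag in i.tags())]

    def can_request_for(self, requester: User, beneficiary: User, item: CatalogItem) -> bool:
        """The requester must see the item, and the target user must belong to an
        organization the item is published to (assumption, see lead-in)."""
        return self._visible(item, requester) and beneficiary.organization in item.published_to


def demo():
    # Constructed sample data: two AD application instances and one entitlement.
    ad_us = CatalogItem("ApplicationInstance", "AD-US", "Active Directory (US)",
                        frozenset({"US-Sales", "US-Eng"}), user_tags=frozenset({"windows"}))
    ad_eu = CatalogItem("ApplicationInstance", "AD-EU", "Active Directory (EU)",
                        frozenset({"EU-Sales"}), user_tags=frozenset({"windows"}))
    vpn = CatalogItem("Entitlement", "VPN-Users", "VPN access",
                      frozenset({"US-Eng"}), searchable_metadata=frozenset({"remote"}))
    catalog = Catalog([ad_us, ad_eu, vpn])
    alice = User("alice", "US-Eng")
    bob = User("bob", "EU-Sales")
    admin = User("cat-admin", "Top", {CATALOG_ADMIN})
    return catalog, alice, bob, admin


if __name__ == "__main__":
    catalog, alice, bob, admin = demo()
    for who in (alice, bob, admin):
        print(who.login, [i.name for i in catalog.search(who, "windows")])
```

Running the demo shows alice only finding AD-US, bob only AD-EU, and the Catalog Administrator both, while the administrator still cannot request AD-EU on alice's behalf because her organization has not had it published.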

App Instance and Forms

There is an option to create a new version of the form for each application instance. Fields can be added to, modified in, or deleted from the form, and all of this can be done from the UI.

Deleting Application Instances

Application instances can be deleted (hard delete or soft delete) from Oracle Identity Manager. An application instance can also be marked as revoked in case the target system is decommissioned. The scheduled task that performs deletion of application instances supports the following modes:

  • Revoke: This mode is used when the application instance is deleted, but the provisioned accounts in the target system still exist. Using the Revoke mode deletes the accounts from the target system.
  • Delete: This mode is used when the target system no longer exists, and there are no traces of the accounts in Oracle Identity Manager. Using the Delete mode hard-deletes the accounts from all provisioning tasks and targets, and subsequently from Oracle Identity Manager.
  • Decommission: This mode is used when the target system no longer exists and the provisioned accounts cannot be revoked from the target system. Using the Decommission mode changes the account status to Revoke without keeping the accounts in Oracle Identity Manager in provisioned state.

After deleting application instances, run the Catalog Synchronization scheduled job to make sure the soft-deleted application instances no longer appear in the catalog.

Different Web Consoles for Administration and Self Service

OIM 11GR2 has introduced two different consoles:
  • Self Service: http://host:port/identity
  • Identity System Administration: http://host:port/sysadmin

New UI Features ported from Design Console
The following features have been ported to the web UI from the design console:
- Form Designer
- Lookups
- IT Resource
- Password Policies

Web Center Based UI Customizations
OIM 11GR2 features a user-friendly, GUI-based UI customization capability built on Oracle WebCenter. All changes are stored in a temporary metadata storage area called a sandbox. Once the changes are complete, the sandbox must be published, which deploys all of the changes.

- Sandboxes
A sandbox represents an area where metadata objects can be modified without affecting their mainline usage. In other words, a sandbox is a temporary storage area to save a group of runtime page customizations before they are either saved and published to other users, or discarded.

Admin Roles and User Roles

OIM 11GR2 has classified the roles as admin roles and user roles. The detailed explanation for these is as follows:

- Admin Roles
These are the predefined roles in OIM that are used to restrict the level of administrative access. The organization "Top" has all the admin roles. Any new user who requires admin-level access has to be made a member of the relevant admin role from the organization. These roles can't be searched from Roles and are accessible only from Organization > Admin Roles.
- Roles
These are the basic user roles and can be associated with access policies and membership rules. Users can be added directly to these roles from Roles > Members. In OIM 11GR2 authorization policies have been removed, so access cannot be restricted based on user roles; it can only be restricted based on the predefined admin roles.