New Features
Access
Request Catalog
In OIM 11GR2 a new UI based shopping cart based request
model has been introduced where the users can request any catalog type item
which includes roles,resources,entitlements or all clubbed together as a
profile. There is no concept of direct provisioning any more. Everything is
replaced via the catalog request. The following are the various catalog items
that can be requested from the UI.
-
Roles
-
Application Instances
-
Entitlements
Catalog item also comes with tagging feature which form the
key words in searching the catalog item. This feature becomes very handy to the
administrators to easily search the catalog item.
The following are the various new concepts/key terms
introduced as part of the catalog:
Catalog
Catalog (aka Request Catalog) offers a consistent and
intuitive request experience for customers to request Roles, Entitlements and
Application Instances following the commonly used Shopping Cart paradigm. The
catalog is a structured commodity with its own set of metadata.
Catalog Item
A Catalog Item is an item (Roles, Entitlements or
Application Instances) that can be requested by a user, either for themselves
or on behalf of other users.
Category
A Catalog Item Category is a way to organize the request
catalog. Each catalog item is associated with one and only one category. A catalog
item navigation category is an attribute of the catalog item. Catalog
Administrators can edit a Catalog Item and provide a value for the category.
Application Instance
An Application Instance represents an account on particular
target. When users request an application instance, they are requesting an
account in a particular target. Application Instances can be connected, if
fulfillment is automated via a Connector, or disconnected, if fulfillment is
manual. Application Instances can have entitlements associated with them.
Enterprise Roles
Enterprise Roles are defined by customers. Enterprise Roles
have policies associated with them. Users can request enterprise roles via the
Catalog. When a role is granted, application instances or entitlements are
provisioned to the user.
Entitlement
Entitlements are privileges in an application that govern
what a user of the application can do.
Tags
Tags are search keywords. When users search the Access
Request Catalog, the search is performed against the tags. Tags are of three
types
- Auto-generated: The
Catalog synchronization process auto-tags the Catalog Item using the Item
Type, Item Name and Item Display Name
- User-defined:
User-defined Tags are additional keywords entered by the Catalog
Administrator
- Arbitrary tags: While
defining a metadata if user has marked that metadata as searchable, then
that will also be part of tags.
Shopping Cart
The Shopping Cart refers to the collection of Catalog Items
that are being requested. A user can have only one cart active at any given
time and the cart can contain roles, application instances, entitlements, or
any combination of the three.
Catalog synchronization
Catalog synchronization refers to the process of loading
roles, application instances, and entitlements into the Catalog. There is a
scheduled task that comes OOTB to synchronize the newly created roles,app
instances and entitlements to the catalog.
Catalog Security Model:
Catalog security is driven by two factors:
- The security model that uses
Organization-based scoping for users, roles, application instances and
entitlements. This security model controls what items a requester can see
in the Catalog search results and the users who can be added as target
users.
- The security model that
is not scoped by organization and is used for global Admin Roles such as
Catalog Administrator.
Application
Instance
Application instance is a new
abstraction used in 11g Release 2 (11.1.2). It is a combination of
IT resource instance (target connectivity and connector configuration) and
resource object (provisioning mechanism).
Application instance will be published to organizations and
can be requested by users of those organizations. Suppose Microsoft Active
Directory (AD) is to be provisioned to users across different organizations or
departments across the world. You can define application instances consisting
of the following:
- AD as the resource
object
- Each AD server instance
with the connectivity information, such as URL and password, as IT resources
Multiple Accounts Per Application Instance
Oracle Identity Manager supports multiple accounts in a
single application instance. The first account that is created is tagged as
primary account, and there can be only one primary account for a user. The subsequent
accounts created on the same application instance would be tagged as Other.
When the user requests entitlements, the entitlements are appended to the
primary account.
When the user gets provisioned to an application instance,
the Oracle Identity Manager checks if it is the first account getting
provisioned for the user in that application instance. If it is the first
account, then the account is marked as primary. When existing user accounts are
reconciled from application instances, the first account that gets reconciled
is marked as primary. If the account marked as primary is not the actual
primary account, then you can manually change the primary tag for the account
and mark another account as primary.
Disconnected Application Instances
Oracle Identity Manager supports provisioning of
disconnected resources by using the SOA worklist for manual provisioning of
disconnected resources. After the role-based provisioning decision or SOA
request approval is complete and the corresponding application instance is
determined to be a disconnected application instance, a new SOA workflow is
started. This new SOA workflow is assigned to the manual provisioning
administrator.
Example:
Oracle Identity Manager cannot provision a physical access
card, the application instance of the disconnected resource is to be
provisioned.
-
To create a disconnected app instance:
To achieve provisioning of
disconnected resource, you can create application instances of the disconnected
type. The manual provisioning administrator can use the Pending Approvals
section of the Oracle Identity Self Service to update all fields in the
request. After the manual provisioning administrator submits the manual
provisioning worklist item, the provisioning infrastructure marks the
underlying provisioning task to be completed based on the response of the
manual provisioning administrator. If the administrator specifies that task is
manually completed, then the status is changed to provisioned.
Application Instance Security
The Application Instance is also the entity with which
security primitives are associated via the organization publishing mechanism.
In multi-tenant environments, resource definitions can be shared by multiple
organizations, but only those organizations that have the application instance
published to them will be actually able to provision to the targets.
App Instance and Forms
There is an option to create a new version of the form for
each app instance. It allows to add,modify,delete the existing fields from the
form and all this can be done from the UI.
Deleting Application Instances
Application instances can be deleted(hard delete or soft
delete) from oracle identity manager. The app instance can also be marked as
revoked incase the target system is decommissioned. The scheduled task to
perform the deletion of the application instances allows the following modes:
- Revoke: This mode is used
when the application instance is deleted, but the provisioned accounts in
the target system still exist. Using the Revoke mode deletes the accounts
from the target system.
- Delete: This mode is used
when the target system no longer exists, and there are no traces of the
accounts in Oracle Identity Manager. Using the Delete mode hard-deletes
the accounts from all provisioning tasks and targets, and subsequently
from Oracle Identity Manager.
- Decommission: This mode is used
when the target system no longer exists and the provisioned accounts
cannot be revoked from the target system. Using the Decommission mode
changes the account status to Revoke without keeping the accounts in
Oracle Identity Manager in provisioned state.
After deleting the app instances we should run the Catalog
Synchronization Job scheduled job to make sure the soft deleted application
instances do not appear in the catalog any more.
Different
Web Consoles for Administration and Self Service
- OIM 11GR2 has introduced
2 different consoles:
- Self
Service[http://host:port/identity]
- Identity System Administration[http://host:port/sysadmin]
New UI
Features ported from Design Console
The following features have been ported to the web UI from
the design console:
-
Form Designer
-
Lookups
-
IT Resource
-
Password Policies
Web Center
Based UI Customizations
OIM 11GR2 features a very user friendly GUI based UI
customization based on the Oracle web center. All the changes are stored in a
temporary metadata storage area called as sandbox. Once the changes are
completed the sandbox needs to be published which will deploy all the changes.
-
Sandboxes
A sandbox represents an area where
metadata objects can be modified without affecting their mainline usage. In
other words, a sandbox is a temporary storage area to save a group of runtime
page customizations before they are either saved and published to other users,
or discarded.
Admin Roles
and User Roles
OIM 11GR2 has classified the roles as admin roles and user
roles. The detailed explanation for these is as follows:
-
Admin Roles
These are the predefined roles in
OIM which are used to restrict the level of access. The organization “Top” has
all the admin roles. Any new user who requires admin level access has to be
made a member of this Admin role from the organization. These roles can’t be
searched from the roles and are only accessible from the organizationàAdmin Roles.
-
Roles
These are the basic user roles and
can be used to associate with the access policies and membership rules. The
users can be added directly to these roles from rolesàmembers. In OIM 11GR2 authorization policies has been
removed. So we cannot restrict the access based on the user roles. The access
can only be restricted based on the admin roles which are predefined.