Oracle Identity Manager (OIM) is an identity management product that automates user provisioning, identity administration, and password management through a comprehensive workflow engine. It is a powerful and flexible enterprise identity management system that automatically manages users' access privileges within enterprise IT resources both within and beyond the firewall and into the cloud. The OIM architecture consists of three tiers - a presentation tier for the GUI, a middleware tier that implements the business logic, and a data tier responsible for data storage.
2. What is OIM?
Oracle Identity Manager is an identity management product that automates
user provisioning, identity administration, and password management,
integrated in a comprehensive workflow engine
Why OIM?
Oracle Identity Manager is a powerful and flexible enterprise identity
management system that automatically manages users' access privileges
within enterprise IT resources
Oracle Identity Management enables organizations to effectively manage the
end-to-end lifecycle of user identities across all enterprise resources, both
within and beyond the firewall and into the cloud
3. Features of OIM
Identity life-cycle management for the heterogeneous enterprise
Approval and provisioning workflows
Role based access control
Complete integration solutions: OOTB connectors & Adapter
Factory
Deep integration to ERP and HRMS
Audit and compliance reporting and process automation
5. The Oracle Identity Manager architecture consists of three tiers:
Tier 1: Presentation Tier:
The Oracle Identity Manager application GUI components reside in this tier.
Users log in by using the Oracle Identity Manager client. The Oracle Identity
Manager client interacts with Oracle Identity Manager.
Tier 2: Middleware Tier:
The second tier implements the business logic, which resides in the Java Data
Objects that are managed by the supported J2EE application server. The Java
Data Objects implement the business logic of the Oracle Identity Manager
application; however, they do not expose any methods to the outside world.
Therefore, to access the business functionality of Oracle Identity Manager,
you use the API layer within the J2EE infrastructure, which provides the
lookup and communication mechanism.
Tier 3: Data Tier:
The third tier consists of the database. This is the layer that is responsible
for managing the storage of data within Oracle Identity Manager.
7. Default user ID in OIM: xelsysadm
Default user ID in WebLogic: weblogic
Default port in OIM: 14000 (consoles at /sysadmin and /identity)
Default port in WebLogic: 7001 (consoles at /console and /em)
Default port in SOA: 8001 (application at /soa-infra)
Basic URL pattern: http://hostname:portnumber/----
8. Identity
An identity is the virtual representation of an enterprise resource user
including employees, customers, partners and vendors. Identity
Management shows the rights and relationships the user has when
interacting with a company’s network.
Account:
OIM Account is an abstraction representing a means to be authenticated
to access Oracle Identity Manager.
9. Provisioning:
Provisioning is a process by which an action to create, modify, or delete
user information in an external resource is initiated from Oracle Identity
Manager and passed into the resource. In terms of data flow,
provisioning provides an outward flow of user information from Oracle
Identity Manager. The provisioning system communicates with the
external resource and specifies changes to make to the user record
residing in it.
Reconciliation:
Reconciliation is a process by which an action to create, modify, or
delete user information for a designated resource is initiated from another
external resource. Oracle Identity Manager communicates with this
external resource to receive user information. In terms of data flow,
reconciliation provides an inward flow of user information into Oracle
Identity Manager, through which it learns about any activity on the
external resource.
10. The following figure shows that provisioning or reconciliation involves
synchronization from OIM to the target system, or from the target system
to OIM:
11. Types of Provisioning in OIM
Direct Provisioning:
An authorized administrator creates a user account on the target system directly,
without any approval policies.
Request-based Provisioning:
A request can be created manually by the administrator or by the users themselves to
provision the account in the target system. Approval workflows start after the
provisioning request is submitted; after approval, the account is provisioned to the
target system.
Policy-based Provisioning:
In policy-based provisioning the user is provisioned in the target resource automatically,
based on defined policies. Policies define associations between roles and target
systems: by default, each member of such a role gets a predefined account in the
target system.
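As an added illustration of policy-based provisioning (this is a model written for this page, not Oracle Identity Manager code or its API), the block below ties roles to target resources through access policies and computes which accounts to provision or revoke as a user's role membership changes. The policy names, roles, resources, the user, and the "revoke if no longer applies" flag semantics are assumptions made for the example.

```python
"""Model of OIM policy-based provisioning (added example, not Oracle code).

Access policies tie roles to target resources; when a user's role membership
changes, the engine works out which accounts to provision or revoke.  Policy
names, roles, resources and the user below are constructed for this
illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    roles: frozenset        # membership in any of these roles makes the policy apply
    resources: frozenset    # target resources (accounts) the policy grants
    revoke_if_no_longer_applies: bool = True   # modelled after the OIM policy flag


@dataclass
class User:
    login: str
    roles: set = field(default_factory=set)
    # provisioned accounts: resource name -> name of the policy that granted it
    accounts: dict = field(default_factory=dict)


def applicable(user, policies):
    """Policies whose role set overlaps the user's roles, in a stable order."""
    return sorted((p for p in policies if p.roles & user.roles), key=lambda p: p.name)


def evaluate(user, policies):
    """Return (to_provision, to_revoke) for the user's current roles."""
    by_name = {p.name: p for p in policies}
    wanted = set()
    for p in applicable(user, policies):
        wanted |= p.resources
    to_provision = sorted(wanted - set(user.accounts))
    to_revoke = []
    for resource, granted_by in sorted(user.accounts.items()):
        if resource in wanted:
            continue                    # still granted by some applicable policy
        if by_name[granted_by].revoke_if_no_longer_applies:
            to_revoke.append(resource)  # otherwise the account is left in place
    return to_provision, to_revoke


def apply_policies(user, policies):
    """Evaluate, update the user's accounts and return the change set."""
    to_provision, to_revoke = evaluate(user, policies)
    for resource in to_revoke:
        del user.accounts[resource]
    # Provision what is missing and (re)attribute every granted resource to the
    # first applicable policy that grants it, so a later revocation follows
    # that policy's flag.
    attribution = {}
    for p in applicable(user, policies):
        for resource in sorted(p.resources):
            attribution.setdefault(resource, p.name)
    user.accounts.update(attribution)
    return to_provision, to_revoke


# Constructed policies: two for the finance role, one for every employee.
POLICIES = [
    AccessPolicy("Finance-AD", frozenset({"finance"}), frozenset({"ActiveDirectory"})),
    AccessPolicy("Finance-ERP", frozenset({"finance"}), frozenset({"ERP"}),
                 revoke_if_no_longer_applies=False),
    AccessPolicy("Staff-AD", frozenset({"employee"}), frozenset({"ActiveDirectory"})),
]


def run_scenario(policies=POLICIES):
    """Walk one user through role changes; returns the trace and final accounts."""
    user = User("ajones", roles={"employee", "finance"})
    trace = [("join finance",) + apply_policies(user, policies)]
    user.roles.discard("finance")
    trace.append(("leave finance",) + apply_policies(user, policies))
    user.roles.discard("employee")
    trace.append(("leave company",) + apply_policies(user, policies))
    return trace, dict(user.accounts)


if __name__ == "__main__":
    for step in run_scenario()[0]:
        print(step)
```

The scenario shows the point that matters for access reviews: an account granted by a policy without the revoke flag (ERP here) survives after the role that justified it is gone, so such policies deserve a periodic check of who still holds those accounts.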
12. Types of OIM reconciliation (two types):
a) Trusted Source Reconciliation – the external source is the authoritative source (e.g.
HR); it drives creation, modification and deletion of users in Oracle Identity
Manager.
b) Target Resource Reconciliation – the external source is a non-authoritative source in
which the user has already been provisioned.
Events in Reconciliation (three types of event):
a) Reconciliation Insert – OIM detects a user that does not yet exist in OIM
b) Reconciliation Update – OIM detects a modification to a user that already exists
in OIM
c) Reconciliation Delete – OIM decides that a user present in OIM should be removed
13. What is Connector ?
An Oracle Identity Manager connector is used to integrate Oracle Identity Manager
with a specific third-party application, such as Microsoft Exchange or Novell directory.
Oracle Identity Manager is packaged with a number of predefined connectors.
Types Of Connectors:
1.OOTB (Out of The Box)
2. GTC (Generic Technology Connector)
3. Custom Connectors
14. Connector Deployment
Copy the connector software into the connector default directory:
C:\Oracle\Middleware\Oracle_IDM1\server\ConnectorDefaultDirectory
Then go to the System Administration console and click Manage Connector.
15. Connector components
Resource Object: A virtual representation of the target application on which you
want to provision accounts. It is the parent record with which the provisioning
process and process form are associated.
Provisioning Process: This process definition is used to create, maintain, and
delete accounts on the target system. It consists of definitions of the individual
tasks that are used to perform automated functions on the target system. Each
connector is packaged with a single provisioning process; you can manually create
additional provisioning processes.
Process Form: This form is used to provide information about user accounts to be
created, updated, or deleted on the target system. It is also used to capture data
that can be used by provisioning process tasks, or to provide a mechanism for users
to supply real-time data.
16. IT Resource Type: This component is a template for all IT resource definitions
associated with the connector. An IT resource type specifies the parameters that
are common to all IT resource instances, such as host servers and computers, of
that particular IT resource type.
Adapters: This includes all adapters that are required to perform common functions
on the target application. Each adapter is predefined with certain mappings and
functionality. These adapters are capable of interacting with the tasks in the
provisioning process and the fields of the process form.
Scheduled Task (where applicable): If the connector that you want to use is shipped
with a predefined reconciliation module, then you are provided with a scheduled
task definition. You use this component to control the frequency at which the
target system is polled for changes to tracked data.
17. Provisioning Work Flow
(Diagram: provisioning flow from OIM to the target system. Elements shown: OIM,
Pre-populate Adapters, Process Form, Process Task, Adapters (Process Definition),
Lookups (Configuration Lookup for provisioning), Target System.)
18. Trusted / Target Source Reconciliation Work Flow
(Diagram: reconciliation flow from the trusted or target source into OIM. Elements
shown: Trusted/Target Source, Trusted/Target Configuration Lookup for
Reconciliation, Reconciliation Rules & Action Rules, Resource Object, Process
Definition, OIM creates User.)
19. Custom Attributes Creation
Entity attributes are properties of the entity. The information about the user entity is
stored in the form of attributes, such as first name, last name, user login, and password.
There are default user attributes in Oracle Identity Manager. However, you can create
custom user attributes by using the User form under System Entities in the Oracle
Identity System Administration. The custom attributes are referred to as user defined
fields (UDFs). Oracle Identity Manager lets you create UDFs for the user, role,
resource, organization, and catalog entities.
20. Create a user:
Add Content > Data Component > Catalog > UserVO > select attribute > ADF Input w/Label
View a user:
Add Content > Data Component > Manage Users > UserVO1 > ADF Output w/Label
Modify a user:
Add Content > Data Component > Catalog > UserVO > ADF Input Text w/Label
21. Generic Technology Connectors
A generic technology connector is a collection of components.
A component provides a service that is used by another
component, the target system, or Oracle Identity Manager.
Together, these components can be linked to support a wide
variety of data formats and data transport mechanisms.
22. Flat file Reconciliation
The Flat File connector is a generic solution to retrieve records
from flat files that are exported from various enterprise target
systems. These flat files can be of various formats such as CSV,
LDIF, XML, and so on. The connector focuses only on the
reconciliation of records from a flat file. The installation media
contains scheduled jobs that can be used to load users, accounts,
and entitlements from a flat file into an existing resource in Oracle
Identity Manager.
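The block below is an added example (not the Flat File connector's code) that ties the reconciliation event types from slide 12 to the flat-file case described here: a CSV export from an authoritative source is matched against the users OIM already holds, and each row is classified as a reconciliation insert, update or delete event. The column names, logins, the login-based matching rule and the OIM user snapshot are all constructed for the example; the "full reconciliation" switch that enables delete detection is an assumption of this model.

```python
"""Model of OIM flat-file trusted-source reconciliation (added example).

A CSV export from an authoritative source (constructed below) is matched
against the users OIM already holds, and each row becomes a reconciliation
insert, update or delete event.  Column names, logins and the matching
rule are assumptions made for this illustration.
"""
import csv
import io

# Constructed flat-file export from the trusted source (e.g. an HR system).
TRUSTED_SOURCE_CSV = """\
user_login,first_name,last_name,status
ajones,Alice,Jones,Active
bsmith,Robert,Smith,Active
cwu,Carol,Wu,Disabled
"""

# Constructed snapshot of the users currently held in OIM.
OIM_USERS = {
    "ajones": {"user_login": "ajones", "first_name": "Alice", "last_name": "Jones", "status": "Active"},
    "bsmith": {"user_login": "bsmith", "first_name": "Bob", "last_name": "Smith", "status": "Active"},
    "dlee": {"user_login": "dlee", "first_name": "Dan", "last_name": "Lee", "status": "Active"},
}

MATCH_ATTRIBUTE = "user_login"   # the reconciliation rule: match records on login


def parse_flat_file(text):
    """Read the CSV export into one dict per row, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(records, oim_users, match_on=MATCH_ATTRIBUTE, full_reconciliation=True):
    """Classify each source record against OIM and return the event list.

    With full_reconciliation=True the feed is treated as complete, so any OIM
    user absent from it yields a delete event; an incremental feed cannot
    detect deletions this way, so pass False for those runs.
    """
    events = []
    seen = set()
    for rec in records:
        key = (rec.get(match_on) or "").strip()
        if not key:
            # The row cannot be matched by the rule; surface it rather than guess.
            events.append(("no_match_key", None, rec))
            continue
        seen.add(key)
        existing = oim_users.get(key)
        if existing is None:
            events.append(("insert", key, rec))
            continue
        # Only attributes whose value differs are carried in the update event.
        changed = {attr: (existing.get(attr), val)
                   for attr, val in rec.items() if existing.get(attr) != val}
        if changed:
            events.append(("update", key, changed))
    if full_reconciliation:
        for key in sorted(set(oim_users) - seen):
            events.append(("delete", key, None))
    return events


def run():
    """Reconcile the constructed export against the constructed OIM snapshot."""
    return reconcile(parse_flat_file(TRUSTED_SOURCE_CSV), OIM_USERS)


if __name__ == "__main__":
    for event in run():
        print(event)
```

Because a trusted source drives deletions, the distinction between a full and an incremental feed is the one to get right: a partial export run with delete detection enabled would mark every user missing from that partial file for removal.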
23. Orchestration
The process of any Oracle Identity Manager operation that goes through a
predefined set of stages and executes some business logic in each stage is
called an orchestration.
The type of object that is changed by the orchestration is called an
orchestration target.
Orchestration is divided into predefined steps called stages. Every operation
moves through these stages until it reaches finalization. Orchestration has the
following stages:
24. Validation: stage to perform validation on the orchestration, such as the
validity of orchestration parameters. An orchestration parameter is the data
that is required to carry out the orchestration operation.
Preprocess: stage to perform orchestration parameter manipulations, get
approvals, or perform Segregation of Duties (SoD) checks.
Action: stage in which the action takes place.
Audit: stage in which the auditing of the operation is performed.
Post process: stage in which consequent operations related to the current
operation take place. Examples of consequent operations are auto role
membership and policy evaluation on a user creation.
Finalization: last stage in the process, to perform any clean-up.
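To make the stage sequence concrete, the following added example (a model written for this page, not the OIM kernel or its event-handler SPI) drives a create-user operation through the six stages with one handler per stage: parameter validation, an SoD check in preprocess, the create in action, an audit record, auto role membership in post process, and clean-up in finalization. The in-memory store, the SoD conflict pair, the organisation-to-role rule and all names are constructed; running finalization after a failed stage is a modelling choice, not a statement about OIM's behaviour.

```python
"""Model of the OIM orchestration stages (added example, not Oracle code).

A create-user operation passes through validation, preprocess, action,
audit, post process and finalization.  The store, the SoD rule, the
role-membership rule and all names are constructed for this illustration.
"""

STAGES = ("validation", "preprocess", "action", "audit", "postprocess", "finalization")


class OrchestrationError(Exception):
    """Raised by a handler to fail the orchestration at its stage."""


class Orchestration:
    def __init__(self, operation, target_type, parameters):
        self.operation = operation            # e.g. "CREATE"
        self.target_type = target_type        # the orchestration target, e.g. "User"
        self.parameters = dict(parameters)    # data needed to carry out the operation
        self.handlers = {stage: [] for stage in STAGES}
        self.trace = []                       # (stage, outcome) for every stage reached
        self.status = "pending"

    def register(self, stage, handler):
        self.handlers[stage].append(handler)

    def run(self):
        for stage in STAGES:
            try:
                for handler in self.handlers[stage]:
                    handler(self)
                self.trace.append((stage, "ok"))
            except OrchestrationError as err:
                self.trace.append((stage, f"failed: {err}"))
                self.status = "failed"
                if stage != "finalization":   # modelling choice: always clean up
                    for handler in self.handlers["finalization"]:
                        handler(self)
                    self.trace.append(("finalization", "ok"))
                return self
        self.status = "completed"
        return self


# --- constructed environment -------------------------------------------------
USER_STORE = {}     # login -> user record
AUDIT_LOG = []      # one entry per audited operation
# Roles one person must not hold together (segregation of duties).
SOD_CONFLICTS = {frozenset({"payables_clerk", "payables_approver"})}
# Membership rule evaluated on user creation: organisation -> auto-granted role.
AUTO_ROLES = {"Corp": "employee"}


def validate_parameters(orch):
    login = orch.parameters.get("user_login", "")
    if not login or login != login.lower():
        raise OrchestrationError("user_login must be present and lowercase")
    if "organization" not in orch.parameters:
        raise OrchestrationError("organization is required")


def sod_check(orch):
    roles = set(orch.parameters.get("roles", []))
    for conflict in SOD_CONFLICTS:
        if conflict <= roles:
            raise OrchestrationError(f"SoD violation: {sorted(conflict)}")


def create_user(orch):
    login = orch.parameters["user_login"]
    if login in USER_STORE:
        raise OrchestrationError("user already exists")
    USER_STORE[login] = {"roles": set(orch.parameters.get("roles", [])),
                         "organization": orch.parameters["organization"]}


def audit(orch):
    AUDIT_LOG.append((orch.operation, orch.target_type, orch.parameters["user_login"]))


def auto_role_membership(orch):
    user = USER_STORE[orch.parameters["user_login"]]
    role = AUTO_ROLES.get(user["organization"])
    if role:
        user["roles"].add(role)


def cleanup(orch):
    orch.parameters.pop("password", None)   # drop the transient secret from the context


def create_user_orchestration(parameters):
    """Wire one handler per stage and run the CREATE orchestration for a User."""
    orch = Orchestration("CREATE", "User", parameters)
    for stage, handler in (("validation", validate_parameters), ("preprocess", sod_check),
                           ("action", create_user), ("audit", audit),
                           ("postprocess", auto_role_membership), ("finalization", cleanup)):
        orch.register(stage, handler)
    return orch.run()


if __name__ == "__main__":
    result = create_user_orchestration({"user_login": "ajones", "organization": "Corp",
                                        "roles": ["payables_clerk"], "password": "secret"})
    print(result.status, result.trace)
```

The ordering is what the stages buy you: a request that fails the SoD check in preprocess never reaches action, so no account is created and nothing is audited for it, while finalization still removes the transient password from the orchestration context.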