This OBE tutorial describes and shows you how to use Oracle Identity Manager to provision a user with an external resource automatically. For this tutorial, Robert functions as the user, and an Oracle database serves as the resource.
Approximately 2 hours
This OBE tutorial covers the following topics:
Oracle Identity Manager is a highly flexible and scalable enterprise identity management system that controls user accounts and access privileges within enterprise IT resources centrally. It provides the functionalities of provisioning, identity and role administration, approval and request management, policy-based entitlement management, technology integration, and audit and compliance automation.
Features and benefits of Oracle Identity Manager include identity and role administration (user and group management, self-service functionalities for users, and delegated administration), provisioning (approval and request management, and configurable workflow models), policy-based entitlements, reconciliation, and attestation support (for audit and compliance purposes).
Linda works as a network administrator for Mydo Main Corporation. In Mydo Main, Linda is responsible for performing identity and access management tasks on various users within the organization. To perform these tasks, she needs to use Oracle Identity Manager to first create records for these users and then assign Oracle Identity Manager Connectors to them. These connectors represent the external resources that are to be provisioned to them.
Robert works within the Engineering department of Mydo Main Corporation. Because all employees within this department have access rights to an Oracle database, Linda needs to assign the connector, which represents this resource, to Robert. When this occurs, Oracle Identity Manager (and not Linda) fills out the electronic form that is associated with the connector. After the fields of this form are populated automatically, Oracle Identity Manager saves the corresponding values to its database, and uses these values to provision Robert to the external resource (that is, an Oracle database).
Before starting this tutorial, you should complete the OBE titled "Installing Oracle Identity Manager."
Within Oracle Identity Manager, all users must belong to an organization. Therefore, before you can create a record for Robert, the user who is to be the recipient of a designated resource (for example, an Oracle database), you must first create an organization for this user.
For this OBE, the organization to which Robert is to belong is the Engineering department.
To create an organization within Oracle Identity Manager, perform the following steps:
1. Launch your Oracle Identity Manager Server, Administrative Console, and Design Console.
   Note: For more information about loading, setting up, or starting Oracle Identity Manager, refer to the OBE titled "Installing Oracle Identity Manager."
2. Log in to your Administrative Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).
   Note: The first time you log in to Oracle Identity Manager with a particular account, you must select and answer "challenge" questions. These questions are used to verify your identity if you need to reset your password. However, for all subsequent logins with that account, these questions do not appear. Instead, you are taken directly to the Home page of your Oracle Identity Manager Administrative Console. For more information about selecting and answering "challenge" questions, refer to the OBE titled "Installing Oracle Identity Manager."
3. Open the Create Organization form in the Organizations folder.
4. Enter Engineering in the Name field. Select Department from the Type drop-down list. Click Create Organization.
   The Engineering organization is created. Oracle Identity Manager sets the status of this organization to Active automatically.
   You can now create the record for the target user, and assign this user to the Engineering organization. This user, Robert, is to be the recipient of the external resource (that is, an Oracle database).
You are now ready to create a record for the target user, and assign this user to the Engineering organization you created. This user, Robert, is to be the recipient of the external resource (that is, an Oracle database).
To create a user, perform the following steps:
1. Open the Create User form in the Users folder.
2. Complete the Create User form, as follows:
3. Click Create User. The User Detail form appears. This signifies that the record for the target user is created and assigned to the Engineering organization.
   You are now ready to import an *.xml file, which represents an Oracle Identity Manager Connector for an Oracle database, into your environment. As a result, you can assign this connector to Robert to provision this user with the associated resource (that is, an Oracle database).
You created a record for Robert, the user who is to be the recipient of the external resource (that is, an Oracle database). For Robert to receive this resource, you must import an *.xml file, which represents an Oracle Identity Manager Connector for this type of database, into your environment. Then, you can assign this connector to Robert to provision this user with the external resource.
To import a connector, perform the following steps:
1. Open the Import form in the Deployment Management folder.
   Note: If the Warning – Security window appears, click the Yes or Grant This Session button, depending on which version of the Web browser is installed on your machine.
2. The “Please choose a file for import” window appears. In this window, select the folder path where the export file resides, along with the name of the *.xml file. For this OBE, you are selecting the xliDBAccessLogin_DM.xml file, which can be found in the E:\OIM_Installs\OIM_CP_900\Database Servers\Database User Management\Database Rev 3.1.0\xml directory (after unzipping the Database Rev 3.1.0.zip file).
3. Select the xliDBAccessLogin_DM.xml file. Click Open.
4. The Deployment Manager window appears. In this window, click Add File.
5. The Deployment Manager – Import window appears. Click Next.
6. A Confirmation window appears. Click Next.
7. You do not need to provide the parameter values at this time. Click Skip.
8. A final Confirmation window appears. Click View Selections.
9. The Deployment Manager – Import window appears. Click Import.
10. A Confirmation window appears. Click Import.
11. A Success window appears, indicating that the *.xml file is imported successfully (that is, the xliDBAccessLogin_DM.xml file). As a result, the corresponding connector for an Oracle database, which is represented by this file, is also imported. Click OK.
    Now that you imported an Oracle Identity Manager Connector for an Oracle database, you are ready to configure it so that it is operable with your environment.
In the previous section of this OBE, you imported an Oracle Identity Manager Connector for an Oracle database into your environment. Now, you must configure this connector so that it is operable within your environment.
This includes the following:
Parameter | Value |
DataBaseType | Oracle |
DataBaseName | orcl |
Driver | oracle.jdbc.driver.OracleDriver |
Password | abcd1234 |
URL | jdbc:oracle:thin:@ten.mydomain.com:1521:orcl |
User ID | system |
To make your connector operable, perform the following steps:
1. Copy the xliDatabaseAccess.jar file (which resides within your E:\OIM_Installs\OIM_CP_900\Database Servers\Database User Management\Database Rev 3.1.0\lib directory) into your E:\oracle\oim_server\xellerate\JavaTasks directory.
2. Log in to your Design Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).
   Note: In the previous section of this OBE, you imported an Oracle Identity Manager Connector. Two components of this connector are the DataBase Access form and the DB Prepopulate UserLogin adapter. This adapter populates the Login/User field of the form. For this OBE, the goal of the adapter is to populate three form fields: Login/User, Password, and IT Resource. To have the adapter accurately reflect its revised purpose, change its name from DB Prepopulate UserLogin to DB Prepopulate.
3. Expand the Development Tools folder, and double-click the Adapter Factory node.
4. In the Name field, enter DB Prepopulate UserLogin. Click the Query button on the toolbar.
   The DB Prepopulate UserLogin adapter appears.
5. Change the value in the Name field from DB Prepopulate UserLogin to DB Prepopulate. Click Save.
6. Double-click the Adapter Manager node.
7. The list of adapters you imported earlier appears. Select the Compile All option. Click Start.
8. Oracle Identity Manager begins to recompile your adapters.
   After all adapters are recompiled, an OK message is displayed in the Status column for each adapter. This signifies that your adapters are recompiled successfully, and can be used within your Oracle Identity Manager environment.
9. Expand the Resource Management folder, and double-click the IT Resources node.
10. In the Name field, enter Database IT Resource.
11. Double-click the Type lookup field (in the Type text field). From the Lookup window that appears, select Database. Click OK.
12. Click Save.
13. The parameters for your IT resource type appear. Enter the values for the parameters, as follows (double-click each Value field to enter the value):
14. Click Save.
    You configured your Oracle Identity Manager Connector so that it is operable with your environment. Now, you are ready to modify an additional component of this connector: the provisioning process. By doing so, Oracle Identity Manager (and not Linda, the network administrator of Mydo Main Corporation) populates the fields of the connector's process form with data and saves this information to the database. After this occurs, Oracle Identity Manager can use this data to provision Robert with the corresponding resource (that is, an Oracle database).
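The IT resource configured above connects to the target database as system. The following added example (not part of the Oracle tutorial) sets up a dedicated, audited connector account that could be entered in the User ID and Password parameters instead. The account name OIM_PROV, the placeholder password, and the privilege list are assumptions to check against the documentation for your connector revision.

```sql
-- Added example, not from the Oracle tutorial. Run in SQL*Plus connected
-- AS SYSDBA on the target database (orcl in this tutorial).
-- OIM_PROV, the placeholder password and the privilege set are assumptions.

-- Dedicated account for the connector, so that SYSTEM is not stored in the
-- IT resource definition. Replace the placeholder with a generated secret.
CREATE USER oim_prov IDENTIFIED BY "ChangeMe_Placeholder_1";

-- The connector has to log in and manage database accounts.
GRANT CREATE SESSION TO oim_prov;
GRANT CREATE USER, ALTER USER, DROP USER TO oim_prov;

-- Read access to the dictionary view used to look up existing accounts
-- (assumed requirement; add further views only if the connector needs them).
GRANT SELECT ON sys.dba_users TO oim_prov;

-- Uncomment only if the provisioning process also grants roles to new
-- accounts. GRANT ANY ROLE is a broad privilege.
-- GRANT GRANT ANY ROLE TO oim_prov;

-- Record every session and every CREATE/ALTER/DROP USER statement issued by
-- the connector account. Requires the AUDIT_TRAIL initialization parameter
-- to be enabled on the target database.
AUDIT SESSION BY oim_prov;
AUDIT USER BY oim_prov;
```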
In the previous section of this OBE, you configured your connector so that it works with your environment. In this section, you are ready to modify an additional component of this connector: the provisioning process. By doing so, Oracle Identity Manager (and not Linda, the network administrator for Mydo Main Corporation) populates the fields of the connector's process form with data and saves this information to the database. After this occurs, Oracle Identity Manager can use this data to provision Robert with the corresponding resource (that is, an Oracle database).
To set up Oracle Identity Manager so that it can perform these actions, you must select the Auto Pre-populate and Auto Save Form check boxes of the record that represents the provisioning process. For this OBE, that record is titled DataBase Access (Login).
To modify the DataBase Access (Login) provisioning process, perform the following steps:
1. Expand the Process Management folder of the Design Console, and double-click the Process Definition node.
2. Enter DataBase Access (Login) in the Name field and click Query.
3. Select the Auto Pre-populate and Auto Save Form check boxes.
4. Click Save.
   In the section of this OBE titled "Importing a Connector," you imported an Oracle Identity Manager Connector for an Oracle database into your environment. One component of this connector that you imported is the DB Prepopulate adapter. Oracle Identity Manager uses this adapter to populate the fields of the custom process form automatically. You are now ready to create the criteria that Oracle Identity Manager evaluates to determine whether the DB Prepopulate adapter is to be used to populate the fields of the custom process form. These criteria are known as a prepopulate rule. If the criteria of the rule evaluate to true, Oracle Identity Manager uses the adapter to populate the fields of the custom process form automatically, so that the information can be saved to the database. After this occurs, Oracle Identity Manager can provision Robert with the corresponding resource (that is, an Oracle database).
You are now ready to create the criteria that Oracle Identity Manager evaluates to determine whether the DB Prepopulate adapter, which you imported along with the other components of your Oracle Identity Manager Connector, is to be used to populate the fields of the connector's custom process form. These criteria are known as a prepopulate rule.
If the criteria of the rule evaluate to true, Oracle Identity Manager uses the adapter to populate the fields of the custom process form automatically, so that the information can be saved to the database. As a result, Oracle Identity Manager can provision Robert with the corresponding resource (that is, an Oracle database).
For this OBE, create a prepopulate rule that evaluates the name of the organization to which users belong. For those users who are members of the Engineering organization (including Robert), Oracle Identity Manager assigns the DB Prepopulate adapter to the designated fields of the custom process form, so that these fields can be populated automatically.
To create a prepopulate rule, perform the following steps:
1. Expand the Resource Management folder of the Design Console, and double-click the Rule Designer node.
2. The fields of the Rule Designer form appear. Populate this form, as follows:
3. Click Save. The tabs within the Rule Designer form are active.
4. Click the Add Element button. The Edit Rule Element window appears.
5. The parameters for your prepopulate rule appear. In the Edit Rule Element window, specify the values for the parameters, as follows:
6. Click Save. Then, click Close.
   Note: If a Closing Form window appears, click Yes. The main screen is active again.
   The outcome of this rule element is true for all users who belong to the Engineering organization (including Robert). As a result, Oracle Identity Manager assigns the associated prepopulate adapter (that is, the DB Prepopulate adapter) to the designated fields of the custom process form.
You are now ready to configure Oracle Identity Manager to populate specific fields of the custom process form automatically, via prepopulate adapters and rules. When this occurs, Oracle Identity Manager can save the values, which are contained within these fields, to its database. Then, it can use this information to provision Robert with an external resource (that is, an Oracle database).
For this to happen, Oracle Identity Manager needs to know the following:
After setting the field-rule-adapter association for a particular form field, you must specify the priority number of the rule. Otherwise, Oracle Identity Manager cannot know the order in which to examine the field-rule-adapter combination.
As a final step, you have to map the variables of the prepopulate adapter to their proper locations. Otherwise, the adapter cannot be functional.
Note: Because the custom process form is active, it cannot be modified. So, to assign prepopulate adapters and rules to the fields that make up this form, you must create an additional version. Then, after you associate the adapters and rules to the designated form fields, you must make the alternate version of the form active.
To assign a prepopulate adapter and rule to particular fields of a custom process form, perform the following steps:
1. Expand the Development Tools folder of the Design Console, and double-click the Form Designer node.
2. Enter DB in the Table Name field (it appears as UD_DB). Click Query.
   Note: The UD_DB value represents how the custom process form is recognized within the database.
3. Click Create New Version. The "Create a new version" window appears.
4. In the Label field, enter Version 2 (which signifies the alternate version of the form).
5. On the "Create a new version" window's toolbar, click Save. Then, click Close.
   The "Create a new version" window closes, and the Additional Columns tab of the Form Designer form is active again.
6. From the Current Version combo box, select Version 2.
7. Click the Pre-Populate tab.
8. Click Add. The Pre-Populate Adapters window appears.
9. Populate the fields of the Pre-Populate Adapters window, as follows:
10. On the Pre-Populate Adapters window’s toolbar, click Save.
    Important: Mapping Incomplete appears within the Adapter Status field. This signifies that the DB Prepopulate adapter contains variables that are not mapped correctly. These variables need to be mapped to their proper locations. Otherwise, the adapter cannot work.
11. Select the inputValue adapter variable and click Map.
    The Map Adapter Variables window appears.
12. Populate the fields of the Map Adapter Variables window, as follows:
13. On the Map Adapter Variables window’s toolbar, click Save. Then, click Close.
    The Map Adapter Variables window disappears, and the Pre-Populate Adapters window is active again.
14. From the Pre-Populate Adapters window’s toolbar, click Save. Then, click Close.
    The Pre-Populate Adapters window disappears, and the Pre-Populate tab of the Form Designer form is active again. You are now ready to set the field-rule-adapter association for the Login/User field of the custom process form.
15. Click Add. The Pre-Populate Adapters window appears.
16. Populate the fields of the Pre-Populate Adapters window, as follows:
17. On the Pre-Populate Adapters window’s toolbar, click Save.
18. Select the inputValue adapter variable and click Map.
    The Map Adapter Variables window appears.
19. Populate the fields of the Map Adapter Variables window, as follows:
20. On the Map Adapter Variables window’s toolbar, click Save. Then, click Close.
    The Map Adapter Variables window disappears, and the Pre-Populate Adapters window is active again.
21. On the Pre-Populate Adapters window’s toolbar, click Save. Then, click Close.
    The Pre-Populate Adapters window disappears, and the Pre-Populate tab of the Form Designer form is active again. You are now ready to set the field-rule-adapter association for the Password field of the custom process form.
22. Click Add. The Pre-Populate Adapters window appears.
23. Populate the fields of the Pre-Populate Adapters window, as follows:
24. On the Pre-Populate Adapters window’s toolbar, click Save.
25. Select the inputValue adapter variable and click Map.
    The Map Adapter Variables window appears.
26. Populate the fields of the Map Adapter Variables window, as follows:
27. On the Map Adapter Variables window’s toolbar, click Save. Then, click Close.
    The Map Adapter Variables window disappears, and the Pre-Populate Adapters window is active again.
28. On the Pre-Populate Adapters window’s toolbar, click Save. Then, click Close.
    The Pre-Populate Adapters window disappears, and the Pre-Populate tab of the Form Designer form is active again.
29. Select the Login/User - Default - DB Prepopulate field-adapter-rule relationship and click Delete.
30. Click the Make Version Active button.
31. In the Warning window that appears, click OK.
    Note: If a Closing Form window appears, click Yes. In the Active Version field, Version 2 now appears.
    You defined a field-rule-adapter association for designated fields of the custom process form. In addition, you made the alternate version of the form active. You are now ready to assign the connector you imported to a target user (that is, Robert). After this happens, Oracle Identity Manager fills out the custom process form, saves the values to its database, and uses these values to provision this user with the corresponding external resource (that is, an Oracle database).
You are now ready to assign the connector you imported to a target user (that is, Robert). After this occurs, Oracle Identity Manager:
In short, these three actions are completed by Oracle Identity Manager, not by Linda, the network administrator for Mydo Main Corporation. That is, no manual intervention is required.
To assign a connector to a user, perform the following steps:
1. Open the Manage User form in the Users folder.
2. Select User ID from the combo box that appears in this form. Then, in the text box that appears to the right of the combo box, enter the ID of the target user (that is, RLAVALLI). Click Search User.
3. From the result set that appears, click the link that represents the ID of the target user.
4. The User Detail form is displayed. Select Resource Profile from the combo box that is displayed within this form.
   The Resource Profile form appears.
5. Click the Provision New Resource button that appears within this form.
6. Select and assign your connector to this user (that is, DataBase Access (Login)). Click Continue.
7. Click Continue again.
8. The "Provisioning successfully initiated" message appears, along with a "Back to User Resource Profile" link.
   This signifies that the connector you imported is assigned to the user. Oracle Identity Manager fills out the custom process form, saves the values to its database, and uses these values to provision this user with the corresponding external resource (that is, an Oracle database). You are now ready to verify that the login credentials for Robert can be used to access this database. For this OBE, this is accomplished by using Oracle SQL*Plus Client.
In this OBE, you learned how to use Oracle Identity Manager to provision an external resource (in this case, an Oracle database) to a designated user, whose login credentials are specified in the custom process form.
Now, you must ensure that these credentials can be used to access the external database. For this OBE, this is accomplished by using Oracle SQL*Plus Client.
To access the external resource, perform the following steps.
1. To start Oracle SQL*Plus Client, navigate to SQL Plus (via Start > Programs > Oracle - OraDb10g_home1 > Application Development > SQL Plus).
   An Oracle SQL*Plus window and a Log On window appear.
2. Populate the fields of the Log On window, as follows:
3. Click OK. The following text appears within the Oracle SQL*Plus window:
   This signifies that Robert's login credentials can be used to access the Oracle database. That is, this Oracle Identity Manager user is autoprovisioned with the external resource.
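Beyond confirming that the login works, the queries below (an added example, not part of the Oracle tutorial) show what the connector actually created for RLAVALLI on the target database. They use standard Oracle data dictionary views and assume a DBA session. The baseline of the CONNECT role and CREATE SESSION in the last query is an assumption to replace with your own entitlement policy.

```sql
-- Added example, not from the Oracle tutorial. Run in SQL*Plus as a DBA on
-- the target database. RLAVALLI is the user ID used in this tutorial.

-- 1. Account record: status, creation time, tablespace and password profile.
SELECT username, account_status, created, default_tablespace, profile
FROM   dba_users
WHERE  username = 'RLAVALLI';

-- 2. Roles granted to the account (ADMIN_OPTION = 'YES' allows re-granting).
SELECT granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'RLAVALLI'
ORDER  BY granted_role;

-- 3. System privileges granted directly to the account.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'RLAVALLI'
ORDER  BY privilege;

-- 4. Object privileges granted directly to the account.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'RLAVALLI'
ORDER  BY owner, table_name, privilege;

-- 5. Grants outside the expected baseline. Assumption: a provisioned login
--    should hold only the CONNECT role and/or CREATE SESSION. Rows returned
--    here are grants to review against the provisioning process definition.
SELECT 'ROLE' AS grant_type, granted_role AS grant_name
FROM   dba_role_privs
WHERE  grantee = 'RLAVALLI'
AND    granted_role NOT IN ('CONNECT')
UNION ALL
SELECT 'SYSTEM PRIVILEGE', privilege
FROM   dba_sys_privs
WHERE  grantee = 'RLAVALLI'
AND    privilege NOT IN ('CREATE SESSION')
UNION ALL
SELECT 'OBJECT PRIVILEGE', privilege || ' ON ' || owner || '.' || table_name
FROM   dba_tab_privs
WHERE  grantee = 'RLAVALLI';
```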
In this lesson, you learned how to:
- Create an organization
- Create a user
- Import a connector
- Make a connector operable
- Modify a provisioning process
- Create a prepopulate rule
- Assign a prepopulate adapter and rule to custom process form fields
- Assign a connector to a user
- Access a resource