Creating, Managing, and Reviewing Reports and Attestation Processes

Purpose

This OBE tutorial describes and shows you how to use Oracle Identity Manager to create reports for a company's employees. In addition, through this tutorial, you understand attestation and attestation processes, including how they can be used to establish internal controls, processes, and policies for a company's user-related and transactional-related data. Lastly, you learn how to create, manage, and review attestation processes.

For this tutorial, Robert and Jane function as the users, and Sun Java Directory Server acts as the resource.

Time to Complete

Approximately 2 hours

Topics

This OBE tutorial covers the following topics:

 Overview
 Scenario
 Prerequisites
 Creating Reports
 Understanding Attestation Processes
 Assigning a Reviewer to a User
 Creating an Attestation Process
 Reviewing an Attestation Process
 Viewing an Attestation Process
 Summary
 Related information


Overview

Oracle Identity Manager is a highly flexible and scalable enterprise identity management system that controls user accounts and access privileges within enterprise IT resources centrally. It provides the functionalities of provisioning, identity and role administration, approval and request management, policy-based entitlement management, technology integration, and audit and compliance automation.

Features and benefits of Oracle Identity Manager include identity and role administration (user and group management, self-service functionalities for users, and delegated administration), provisioning (approval and request management, and configurable workflow models), policy-based entitlements, reconciliation, and attestation support (for audit and compliance purposes).


Scenario

Linda is employed as a network administrator for Mydo Main Corporation. In Mydo Main, she is responsible for performing identity and access management tasks on various users within the organization. To perform these tasks, she uses Oracle Identity Manager to create reports for the employees in her company. In addition, she needs to learn about attestation, which is a process of authorizing established internal controls, processes, and policies for user-related and transactional-related data. By understanding attestation, she can create and manage an attestation process, which is the framework for setting up and building an attestation workflow.

Jane is employed in the Product Management department of Mydo Main Corporation. She is a full-time employee, and is provisioned with the Sun Java Directory Server resource. Jane is managed by Robert, who is also a full-time employee for Mydo Main. As her manager, Robert is responsible for examining any attestation processes for Jane and acting upon them (that is, certifying, rejecting, or declining them, or delegating them to another reviewer). In short, Robert must decide whether Jane should be provisioned with the Sun Java Directory Server resource.


Prerequisites

Before starting this tutorial, you should:

1. Complete the OBE titled "Installing Oracle Identity Manager."

2. Complete the OBE titled "Integrating Oracle Identity Manager with Oracle Database: Performing User Management and Provisioning."

3. Complete the OBE titled "Integrating Oracle Identity Manager with Sun Java Directory Server: Performing Reconciliation."


Creating Reports

Linda is an administrator of the Oracle Identity Manager environment that is installed and configured for Mydo Main Corporation. As this administrator, one of her responsibilities is to create reports for the employees in this company.

There are two types of reports that she can create for an employee:

There are four types of operational reports that Linda can create:

There are also five types of historical reports that Linda can create:

For this OBE, Linda needs to create one operational report and one historical report. First, she must create the Who Has What operational report. By creating this report, she can verify that Jane, a full-time employee of Mydo Main Corporation, is provisioned with the Sun Java Directory Server resource. Then, Linda needs to create the Resource Access List History historical report. By doing so, she can query all existing users who are provisioned with the Sun Java Directory Server resource.

To create reports, perform the following steps:

1. Launch your Oracle Identity Manager Server and Administrative Console.

Note: For more information about loading, setting up, or starting Oracle Identity Manager, refer to the OBE titled "Installing Oracle Identity Manager."

 

2. Log in to your Administrative Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).

Note: The first time you log in to Oracle Identity Manager with a particular account, you must select and answer "challenge" questions. These questions are used to verify your identity if you need to reset your password. However, for all subsequent logins with that account, these questions do not appear. Instead, you are taken directly to the Home page of your Oracle Identity Manager Administrative Console.

For more information about selecting and answering "challenge" questions, refer to the OBE titled "Installing Oracle Identity Manager."

 

3. Open the Operational Reports form in the Reports folder.

The list of operational reports that Linda can create appears.

 

4. From the list of reports that appears, click the link that represents the name of the desired operational report (that is, select the Who Has What operational report).

The Who Has What – Input Parameters form appears.

 

5. For this OBE, Linda is searching for users by their respective IDs. Therefore, in the Userid field, enter the ID of the target user (that is, enter JANE.FULLTIME in this field). Then, click Submit.

The Who Has What – Report Display form appears, showing the resources to which this user has access rights.

As you can see, the iPlanet User connector is assigned to Jane. This connector represents the resource with which she is provisioned (that is, the Sun Java Directory Server resource).

Linda is now ready to create the Resource Access List History historical report. By doing so, she can query all existing users who are provisioned with the Sun Java Directory Server resource.

 

6. Open the Historical Reports form in the Reports folder.

The list of historical reports that Linda can create appears.

 

7. From the list of reports that appears, click the link that represents the name of the desired historical report (that is, select the Resource Access List History historical report).

The Resource Access List History – Input Parameters form appears.

 

8. For this OBE, Linda is searching for resources by their respective names. Therefore, click the magnifying glass that appears to the right of the Resource Name field.

 

9. In the Lookup window that appears, select the option that is displayed to the left of the designated connector (that is, select the iPlanet User option). Click Select.

The selected resource appears in the Resource Name field of the Resource Access List History – Input Parameters form.

 

10. Click Submit.

The Resource Access List History – Report Display form appears, showing all the users who are provisioned with the designated resource throughout the resource’s life cycle.

Linda created an operational report and a historical report. By creating the Who Has What operational report, she verified that Jane, a full-time employee of Mydo Main Corporation, is provisioned with the Sun Java Directory Server resource. By creating the Resource Access List History historical report, she queried all existing users who are provisioned with this resource.

Now that Linda understands how to create reports to see the association that users have with resources, she needs to understand attestation and attestation processes. Attestation is the process of authorizing established internal controls, processes, and policies for user-related and transactional-related data. An attestation process is the framework for setting up and creating an attestation workflow.

In the next section of this OBE, Linda learns about attestation and attestation processes, so that she can create them.


Understanding Attestation Processes

Linda is now ready to learn about attestation. Attestation is the process of authorizing established internal controls, processes, and policies for user-related and transactional-related data. In addition, it provides an audit trail of people who sign off on data or processes that exist in an IT environment, particularly:

An attestation process is the framework for setting up and creating an attestation workflow. This process contains the following run-time components:

Now that Linda understands attestation and attestation processes, she is ready to create an attestation process. However, currently, the Oracle Identity Manager Connector for the Sun Java Directory Server resource does not have the necessary components for an attestation process to be completed. To rectify this, Linda needs to execute the 90_dml_insert_attestation.sql script. This script adds the components to the connector so that the attestation process can be completed.

To execute this script, perform the following steps:

1. Stop your Oracle Identity Manager Server and Administrative Console.

Note: For more information about closing Oracle Identity Manager, refer to the OBE titled "Installing Oracle Identity Manager."

When you stop your JBoss application server, the following window appears:

Do not click any buttons in this window. By doing so, you stop your application server abruptly (that is, before it can perform its closing operations). Instead, wait a few seconds, and the window closes automatically.

 

2. Click the Start button that appears in the lower left corner of your desktop. From the pop-up menu that appears, click the Run menu item.

The Run window appears.

 

3. Enter cmd in the Open field. Click OK.

A DOS window appears.

 

4. Navigate to the E:\OIM_Installs\Attestation_Fix directory. At the DOS prompt, enter sqlplus oimuser/abcd1234 @90_dml_insert_attestation.sql.

 

5. Press [Enter]. The 90_dml_insert_attestation.sql script is executed. When the script is completed, a SQL prompt appears.

 

6. Type exit at the SQL prompt.

7. Press [Enter]. The SQL prompt is replaced by a DOS prompt.

8. Type exit at the DOS prompt.

9. Press [Enter]. The DOS window closes.

This signifies that the 90_dml_insert_attestation.sql script is executed. As a result, Linda can create an attestation process for the Oracle Identity Manager Connector that is associated with the Sun Java Directory Server resource.

One of the run-time components of an attestation process is a user who is responsible for reviewing the process. For this OBE, the reviewer is Robert, Jane's manager. However, currently, Jane does not have a manager assigned to her. Therefore, Linda must assign Robert to be Jane's manager. Robert is then responsible for examining any attestation processes for Jane and acting upon them (that is, certifying, rejecting, or declining them, or delegating them to another reviewer).

In the next section of this OBE, Linda assigns Robert to be Jane's manager. As a result, he is responsible for reviewing any attestation processes for Jane and acting upon them.


Assigning a Reviewer to a User

Linda is now ready to create an attestation process for the connector that is associated with the Sun Java Directory Server resource. One of the components of this process is a user who is responsible for reviewing the process. For this OBE, the reviewer is Robert, Jane's manager.

However, currently, Jane does not have a manager assigned to her. Therefore, Linda must assign Robert to be Jane's manager. Robert is then responsible for examining any attestation processes for Jane and acting upon them (that is, certifying, rejecting, or declining them, or delegating them to another reviewer).

To assign a reviewer to a user, perform the following steps:

1. Launch your Oracle Identity Manager Server and Administrative Console.

2. Log in to your Administrative Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).

3. Open the Manage User form in the Users folder.

The Manage User form appears.

 

4. Select User ID from the combo box that is displayed within this form. Then, in the text box that appears to the right of the combo box, enter the ID of the designated user (that is, enter JANE.FULLTIME in the text box). Finally, click Search User.

 

5. From the result set that is displayed, click the link that contains the ID of this user.

The User Detail form appears.

 

6. Click Edit.

The Edit User form appears.

 

7. Click the magnifying glass that appears to the right of the Manager ID lookup field.

 

8. In the Lookup window that appears, select the option that is associated with the ID of the user who is to be Jane's manager (that is, RLAVALLI). Click Select.

The Edit User form is active again. However, now, the Manager ID field is populated with the ID of the manager that you assigned to this user.

 

9. Click Save.

The User Detail form appears, displaying the ID of the manager for this user.

Linda assigned Robert to be Jane's manager. Robert is now responsible for examining any attestation processes for Jane and acting upon them (that is, certifying, rejecting, or declining them, or delegating them to another reviewer).

In the next section of this OBE, Linda creates an attestation process for Jane. Robert, Jane's manager, then reviews this process, and verifies whether Jane should have access rights to the resource with which she is provisioned (that is, the Sun Java Directory Server resource).


Creating an Attestation Process

Linda is now ready to create an attestation process for Jane. Robert, Jane's manager, then reviews this process, and verifies whether Jane should have access rights to the Sun Java Directory Server resource. This is the resource with which Jane is provisioned.

There are four stages in creating an attestation process:

  1. Defining high-level information about the attestation process. This information includes a name, unique identification code, and explanatory information for the process.

  2. Defining the scope and reviewer for the attestation process. This information includes:

    • How a user should be entitled to have access rights to resources (this is known as the attestation data scope). Currently, a user can have access to resources based on the user's manager, group, or organization. Or, Linda can specify that a user can have access rights to a single resource.

    • The user who should review the attestation process. Currently, the reviewer can be the manager of each user who is to be the recipient of the resource, or it can be one reviewer for all users who are to receive the resource.

  3. Defining the administrative details of the attestation process. These details include how often the attestation process should be run (that is, the attestation schedule) and the process owner group for the attestation process. This group is notified by email if a reviewer is invalid (that is, if the reviewer's status is either Disabled or Deleted) or if a reviewer rejects the attestation process. You can also configure the attestation process so that the process owner group is notified if the reviewer declines to handle this process.

  4. Verifying the information of the attestation process
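
The scope, reviewer, and notification rules in stages 2 and 3 above can be modeled in a few lines. This is an added example, not Oracle Identity Manager code or its API: the class and function names are hypothetical, SAM.TEMP and OLD.MGR are constructed sample users, and treating a user with no manager as an invalid reviewer is an assumption.

```python
# Added illustration: a toy model of the attestation workflow, not Oracle Identity Manager code.
from dataclasses import dataclass, field

INVALID_STATUSES = ("Disabled", "Deleted")
OUTCOMES = {"certify": "certified", "reject": "rejected", "decline": "declined"}

@dataclass
class User:
    user_id: str
    manager_id: str = ""
    status: str = "Active"

@dataclass
class Request:
    user_id: str
    resource: str
    reviewer_id: str
    status: str = "pending"
    comment: str = ""
    delegation_path: list = field(default_factory=list)

class AttestationProcess:
    def __init__(self, name, code, resource, owner_group, email_on_decline=False):
        if len(code) > 32:  # limit stated in the tutorial's Define Process step
            raise ValueError("attestation process code exceeds 32 characters")
        self.name, self.code, self.resource = name, code, resource
        self.owner_group = owner_group
        self.email_on_decline = email_on_decline
        self.notifications = []  # (owner group, reason) pairs standing in for emails

    def _notify(self, reason):
        self.notifications.append((self.owner_group, reason))

    def run(self, users, provisioned):
        """Scope: one resource. Reviewer: each provisioned user's manager."""
        requests = []
        for uid in provisioned.get(self.resource, []):
            reviewer = users.get(users[uid].manager_id)
            # Assumption: a missing manager is handled like an invalid reviewer.
            if reviewer is None or reviewer.status in INVALID_STATUSES:
                self._notify(f"invalid reviewer for {uid}")
                continue
            requests.append(Request(uid, self.resource, reviewer.user_id))
        return requests

    def act(self, req, action, comment="", delegate_to=""):
        """Apply a reviewer action: certify, reject, decline or delegate."""
        if action == "delegate":
            if not delegate_to:
                raise ValueError("delegate requires a new reviewer")
            req.delegation_path.append(req.reviewer_id)
            req.reviewer_id = delegate_to  # request stays pending for the delegate
            return req
        req.status = OUTCOMES[action]  # KeyError on an unknown action
        req.comment = comment
        if action == "reject" or (action == "decline" and self.email_on_decline):
            self._notify(f"{req.reviewer_id} {req.status} {req.user_id}")
        return req

def demo():
    users = {  # JANE.FULLTIME and RLAVALLI are from the tutorial; the rest is constructed
        "JANE.FULLTIME": User("JANE.FULLTIME", manager_id="RLAVALLI"),
        "RLAVALLI": User("RLAVALLI"),
        "SAM.TEMP": User("SAM.TEMP", manager_id="OLD.MGR"),
        "OLD.MGR": User("OLD.MGR", status="Disabled"),
    }
    provisioned = {"iPlanet User": ["JANE.FULLTIME", "SAM.TEMP"]}
    proc = AttestationProcess("iPlanet Resource", "0001A", "iPlanet User",
                              "SYSTEM ADMINISTRATORS", email_on_decline=True)
    requests = proc.run(users, provisioned)
    proc.act(requests[0], "certify", "The user is entitled to this resource.")
    return proc, requests

if __name__ == "__main__":
    print(demo()[0].notifications)
```

In the sample run, Jane's request goes to RLAVALLI and is certified, while the constructed user whose manager is Disabled produces a notification to the process owner group instead of a request.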

To create an attestation process, perform the following steps:

1. Open the Create Attestation Process form in the Attestation folder.

The Define Process panel of the Create Attestation Process form appears.

 

2. In the Define Process panel of this form, enter the values for the attestation process, as follows:

   Field         Value
   Name          iPlanet Resource
   Code          0001A
   Description   Attestation process for users who are provisioned with the Sun Java Directory Server resource.

Note: The maximum length of the code for the attestation process is 32 characters.

 

3. Click Continue.

The Define Attestation Scope And Reviewer panel of the Create Attestation Process form appears.

 

4. In the Define Attestation Scope And Reviewer panel of this form, enter the values for the attestation scope and reviewer, as follows:

   Field                               Value
   User access for a single resource   iPlanet User
   Each user's manager option          [selected]

 

5. Click Continue.

The Define Administration Details panel of the Create Attestation Process form appears.

 

6. In the Define Administration Details panel of this form, enter the values for the administrative details, as follows:

   Field                                                                     Value
   Run every 3 months option                                                 [selected]
   Process owner group                                                       SYSTEM ADMINISTRATORS
   "Email process owner if reviewer refuses attestation request" check box   [selected]
   Starting on field                                                         [Select a future date.]

 

7. Click Continue.

The Verify Info Page panel of the Create Attestation Process form appears.

 

8. Check that all of the information of the attestation process is correct. Then, click Create Process.

A confirmation message appears.

When the current date matches the date that the attestation process is scheduled to run (that is, May 21, 2007 for this OBE), Oracle Identity Manager sends the process to Robert. Robert is the manager of Jane, who is provisioned with the Sun Java Directory Server resource. As a result, Robert can review this attestation process for Jane.

Although Linda set a scheduled date for the attestation process to run, to verify that it is operable, she needs to execute it on demand.

 

9. Click the iPlanet Resource link. This link contains the name of the attestation process.

The Attestation Process Details form appears.

 

10. Click Run Now.

A second confirmation message appears.

 

11. Click Confirm Run Now.

The Attestation Process Details form is active again. This indicates that the attestation process is executed.

Linda created an attestation process for Jane. Robert, Jane's manager, must now review this process, and verify that Jane should have access rights to the Sun Java Directory Server resource. This is the resource with which Jane is provisioned.

In the next section of this OBE, Robert reviews the attestation process for Jane.


Reviewing an Attestation Process

In the previous section of this OBE, Linda created an attestation process for Jane, an employee of Mydo Main Corporation who is provisioned with the Sun Java Directory Server resource. Robert, Jane's manager, must now review the attestation process, and verify that Jane should have access rights to this resource.

To review an attestation process, perform the following steps:

1. Log out of your Oracle Identity Manager Administrative Console.

2. Log in to your Administrative Console with the account for Robert, Jane's manager (that is, enter RLAVALLI in the User ID field and rlavalli in the Password field).

The SELECT CHALLENGE QUESTIONS form appears.

 

3. Select all check boxes that appear within this form. Click Select.

The PROVIDE CHALLENGE ANSWERS form appears.

 

4. Add the following values to this form:

   Field                                Value
   What is the name of your pet?        Matty
   What is the city of your birth?      New York
   What is your favorite color?         Black
   What is your mother's maiden name?   Agneta

 

5. Click Save.

The CHALLENGE QUESTION AND ANSWER CONFIRMATION form appears.

 

6. Click OK.

The Home page of Robert's Administrative Console appears.

 

7. Open the Attestation Request Inbox form in the To-Do List folder.

The Attestation Request Inbox form appears.

 

8. Click the iPlanet Resource link. This link contains the name of the attestation process Robert needs to review.

The Attestation Request form appears.

 

9. For this OBE, Robert believes that Jane should be provisioned with the Sun Java Directory Server resource. Therefore, select the Certify option. Click Save.

The Save Actions form appears.

 

10. In the Comments text field, enter the following text: The user is entitled to this resource. This represents explanatory information about the action Robert is performing. Then, click Save Actions.

The Attestation Request form is active again.

Note: The Comments column is now populated with a graphic, representing the explanatory information that is entered. To view this information, place the cursor over the graphic. It appears as a tool tip.

 

11. Click Submit Attestation.

The Attestation Request Confirmation form appears.

 

12. Click Confirm Submit.

The Attestation Request Inbox form is active again.

The attestation process no longer appears. This means Robert reviewed it.

Now that Robert reviewed the attestation process, Linda can log in to Oracle Identity Manager to view high-level and detailed information about it. This information includes the status of the attestation process (that is, Robert certified that Jane should have access to the Sun Java Directory Server resource).

In the next section of this OBE, Linda views information about the attestation process.


Viewing an Attestation Process

In the previous section of this OBE, Robert reviewed an attestation process for Jane and acted upon it. That is, he certified that Jane should have access to the Sun Java Directory Server resource.

Linda can now log in to Oracle Identity Manager to view high-level and detailed information about this attestation process, including its status (that is, Robert certified the process for Jane).

To view an attestation process, perform the following steps:

1. Log out of your Oracle Identity Manager Administrative Console.

2. Log in to your Administrative Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).

3. Open the Attestation Dashboard form in the Attestation folder.

The Attestation Dashboard form appears.

From this form, Linda can see information about the attestation process, including:

  • Its name and unique identification code
  • The date and time when it is submitted to Robert, the reviewer
  • The date and time when he acted upon it
  • The total number of instances that are run
  • The status for each instance (that is, whether it is certified, rejected, declined, or delegated to another reviewer)

Note: By clicking the iPlanet Resource link, Linda can see detailed information about the attestation process, including its scope, reviewer, and administrative details.

Tip: To return to the Attestation Dashboard form, click the Back To Search Results link.

 

4. Click the date and time stamp that is contained in the Current Request Date column. This stamp represents the date and time when Robert received the attestation process.

The Attestation Request Detail form appears.

From this form, Linda can see additional information about the attestation process, including:

  • The target user who is the recipient of the designated resource. For this OBE, the target user is Jane.
  • The resource that is provisioned to the user. For this OBE, the provisioned resource is the Sun Java Directory Server resource.
  • The status of the attestation process and the reviewer who handled it. For this OBE, Robert, the reviewer, certified the attestation process.
  • The delegation path (if the attestation process is delegated to another reviewer). For this OBE, there is no delegation path.
  • Any comments that the reviewer added to the attestation process. For this OBE, Robert added the following comment: The user is entitled to this resource.

Note: To see more detailed information about Jane (the target user), iPlanet User (the resource provisioned to this user), or Robert (the reviewer), click the links that appear directly below their respective names.


Summary

In this lesson, you learned how to:

 Create reports
 Understand attestation processes
 Assign a reviewer to a user
 Create an attestation process
 Review an attestation process
 View an attestation process


Related Information

 To ask a question about this OBE tutorial, post a query on the OBE Discussion Forum.
