Integrating Oracle Identity Manager with Oracle Database: Performing User Management and Provisioning

Purpose

This OBE tutorial describes and shows you how to use Oracle Identity Manager to provision a user with an external resource automatically. For this tutorial, Robert functions as the user, and an Oracle database serves as the resource.

Time to Complete

Approximately 2 hours

Topics

This OBE tutorial covers the following topics:

 Overview
 Scenario
 Prerequisites
 Creating an Organization
 Creating a User
 Importing a Connector
 Making the Connector Operable
 Modifying the Provisioning Process
 Creating the Prepopulate Rule
 Assigning the Prepopulate Adapter and Rule to the Custom Process Form Fields
 Assigning the Connector to the User
 Accessing the Resource
 Summary
 Related information

Overview

Oracle Identity Manager is a highly flexible and scalable enterprise identity management system that controls user accounts and access privileges within enterprise IT resources centrally. It provides the functionalities of provisioning, identity and role administration, approval and request management, policy-based entitlement management, technology integration, and audit and compliance automation.

Features and benefits of Oracle Identity Manager include identity and role administration (user and group management, self-service functionalities for users, and delegated administration), provisioning (approval and request management, and configurable workflow models), policy-based entitlements, reconciliation, and attestation support (for audit and compliance purposes).

Scenario

Linda works as a network administrator for Mydo Main Corporation. In Mydo Main, Linda is responsible for performing identity and access management tasks on various users within the organization. To perform these tasks, she needs to use Oracle Identity Manager to first create records for these users and then assign Oracle Identity Manager Connectors to them. These connectors represent the external resources that are to be provisioned to them.

Robert works within the Engineering department of Mydo Main Corporation. Because all employees within this department have access rights to an Oracle database, Linda needs to assign the connector, which represents this resource, to Robert. When this occurs, Oracle Identity Manager (and not Linda) fills out the electronic form that is associated with the connector. After the fields of this form are populated automatically, Oracle Identity Manager saves the corresponding values to its database, and uses these values to provision Robert to the external resource (that is, an Oracle database).

Prerequisites

Before starting this tutorial, you should complete the OBE titled "Installing Oracle Identity Manager."

Creating an Organization

Within Oracle Identity Manager, all users must belong to an organization. Therefore, before you can create a record for Robert, the user who is to be the recipient of a designated resource (for example, an Oracle database), you must first create an organization for this user.

For this OBE, the organization to which Robert is to belong is the Engineering department.

To create an organization within Oracle Identity Manager, perform the following steps:

1.

Launch your Oracle Identity Manager Server, Administrative Console, and Design Console.

Note: For more information about loading, setting up, or starting Oracle Identity Manager, refer to the OBE titled "Installing Oracle Identity Manager."

 

2.

Log in to your Administrative Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).

Note: The first time you log in to Oracle Identity Manager with a particular account, you must select and answer "challenge" questions. These questions are used to verify your identity if you need to reset your password. However, for all subsequent logins with that account, these questions do not appear. Instead, you are taken directly to the Home page of your Oracle Identity Manager Administrative Console.

For more information about selecting and answering "challenge" questions, refer to the OBE titled "Installing Oracle Identity Manager."

 

3.

Open the Create Organization form in the Organizations folder.

 

4.

Enter Engineering in the Name field. Select Department from the Type drop-down list. Click Create Organization.

The Engineering organization is created. Oracle Identity Manager sets the status of this organization to Active automatically.

You can now create the record for the target user, and assign this user to the Engineering organization. This user, Robert, is to be the recipient of the external resource (that is, an Oracle database).

Creating a User

You are now ready to create a record for the target user, and assign this user to the Engineering organization you created. This user, Robert, is to be the recipient of the external resource (that is, an Oracle database).

To create a user, perform the following steps:

1.

Open the Create User form in the Users folder.

 

2.

Complete the Create User form, as follows:

| Field Name | Field Value |
| --- | --- |
| User ID | RLAVALLI |
| First Name | Robert |
| Middle Name | Paul |
| Last Name | La Vallie |
| Organization | Engineering |
| User Type | End-User |
| Employee Type | Full-Time Employee |
| Email Address | robert.lavallie@oracle.com |
| Password | rlavalli |
| Confirm Password | rlavalli |

 

3.

Click Create User.

The User Detail form appears.

This signifies that the record for the target user is created and assigned to the Engineering organization.

You are now ready to import an *.xml file, which represents an Oracle Identity Manager Connector for an Oracle database, into your environment. As a result, you can assign this connector to Robert to provision this user with the associated resource (that is, an Oracle database).

Importing a Connector

You created a record for Robert, the user who is to be the recipient of the external resource (that is, an Oracle database). For Robert to receive this resource, you must import an *.xml file, which represents an Oracle Identity Manager Connector for this type of database, into your environment. Then, you can assign this connector to Robert to provision this user with the external resource.

To import a connector, perform the following steps:

1.

Open the Import form in the Deployment Management folder.

Note: If the Warning – Security window appears, click the Yes or Grant This Session button, depending on which version of the Web browser is installed on your machine.

 

2.

The “Please choose a file for import” window appears. In this window, select the folder path where the export file resides, along with the name of the *.xml file.

For this OBE, you are selecting the xliDBAccessLogin_DM.xml file, which can be found in the E:\OIM_Installs\OIM_CP_900\Database Servers\Database User Management\Database Rev 3.1.0\xml directory (after unzipping the Database Rev 3.1.0.zip file).

 

3.

Select the xliDBAccessLogin_DM.xml file. Click Open.

 

4.

The Deployment Manager window appears. In this window, click Add File.

 

5.

The Deployment Manager – Import window appears. Click Next.

 

6.

A Confirmation window appears. Click Next.

 

7.

You do not need to provide the parameter values at this time. Click Skip.

 

8.

A final Confirmation window appears. Click View Selections.

 

9.

The Deployment Manager – Import window appears. Click Import.

 

10.

A Confirmation window appears. Click Import.

 

11.

A Success window appears, indicating that the *.xml file is imported successfully (that is, the xliDBAccessLogin_DM.xml file). As a result, the corresponding connector for an Oracle database, which is represented by this file, is also imported. Click OK.

Now that you imported an Oracle Identity Manager Connector for an Oracle database, you are ready to configure it so that it is operable with your environment.

Making the Connector Operable

In the previous section of this OBE, you imported an Oracle Identity Manager Connector for an Oracle database into your environment. Now, you must configure this connector so that it is operable within your environment.

This includes the following:

To make your connector operable, perform the following steps:

1.

Copy the xliDatabaseAccess.jar file (which resides within your E:\OIM_Installs\OIM_CP_900\Database Servers\Database User Management\Database Rev 3.1.0\lib directory) into your E:\oracle\oim_server\xellerate\JavaTasks directory.

 

2.

Log in to your Design Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).

Note: In the previous section of this OBE, you imported an Oracle Identity Manager Connector. Two components of this connector are the DataBase Access form and the DB Prepopulate UserLogin adapter. This adapter populates the Login/User field of the form.

For this OBE, the goal of the adapter is to populate three form fields: Login/User, Password, and IT Resource. To have the adapter accurately reflect its revised purpose, change its name from DB Prepopulate UserLogin to DB Prepopulate.

 

3.

Expand the Development Tools folder, and double-click the Adapter Factory node.

 

4.

In the Name field, enter DB Prepopulate UserLogin. Click the Query button on the toolbar.

The DB Prepopulate UserLogin adapter appears.

 

5.

Change the value in the Name field from DB Prepopulate UserLogin to DB Prepopulate. Click Save.

 

6.

Double-click the Adapter Manager node.

 

7.

The list of adapters you imported earlier appears. Select the Compile All option. Click Start.

 

8.

Oracle Identity Manager begins to recompile your adapters.

After all adapters are recompiled, an OK message is displayed in the Status column for each adapter. This signifies that your adapters are recompiled successfully, and can be used within your Oracle Identity Manager environment.

 

9.

Expand the Resource Management folder, and double-click the IT Resources node.

 

10.

In the Name field, enter Database IT Resource.

 

11.

Double-click the Type lookup field (in the Type text field). From the Lookup window that appears, select Database. Click OK.

 

12.

Click Save.

 

13.

The parameters for your IT resource type appear. Enter the values for the parameters, as follows (double-click each Value field to enter the value):

| Parameter | Value |
| --- | --- |
| DataBaseType | Oracle |
| DataBaseName | orcl |
| Driver | oracle.jdbc.driver.OracleDriver |
| Password | abcd1234 |
| URL | jdbc:oracle:thin:@ten.mydomain.com:1521:orcl |
| User ID | system |

 

14.

Click Save.

You configured your Oracle Identity Manager Connector so that it is operable with your environment. Now, you are ready to modify an additional component of this connector: the provisioning process.

By doing so, Oracle Identity Manager (and not Linda, the network administrator of Mydo Main Corporation) populates the fields of the connector's process form with data and saves this information to the database. After this occurs, Oracle Identity Manager can use this data to provision Robert with the corresponding resource (that is, an Oracle database).

Modifying the Provisioning Process

In the previous section of this OBE, you configured your connector so that it works with your environment. In this section, you are ready to modify an additional component of this connector: the provisioning process. By doing so, Oracle Identity Manager (and not Linda, the network administrator for Mydo Main Corporation) populates the fields of the connector's process form with data and saves this information to the database. After this occurs, Oracle Identity Manager can use this data to provision Robert with the corresponding resource (that is, an Oracle database).

To set up Oracle Identity Manager so that it can perform these actions, you must select the Auto Pre-populate and Auto Save Form check boxes of the record that represents the provisioning process. For this OBE, that record is titled DataBase Access (Login).

To modify the DataBase Access (Login) provisioning process, perform the following steps:

1.

Expand the Process Management folder of the Design Console, and double-click the Process Definition node.

 

2.

Enter DataBase Access (Login) in the Name field and click Query.

 

3.

Select the Auto Pre-populate and Auto Save Form check boxes.

 

4.

Click Save.

In the section of this OBE titled "Importing a Connector," you imported an Oracle Identity Manager Connector for an Oracle database into your environment. One component of this connector that you imported is the DB Prepopulate adapter. Oracle Identity Manager uses this adapter to populate the fields of the custom process form automatically.

You are now ready to create the criteria that Oracle Identity Manager evaluates to determine whether the DB Prepopulate adapter is to be used to populate the fields of the custom process form. These criteria are known as a prepopulate rule.

If the criteria of the rule evaluate to true, Oracle Identity Manager uses the adapter to populate the fields of the custom process form automatically, so that the information can be saved to the database. After this occurs, Oracle Identity Manager can provision Robert with the corresponding resource (that is, an Oracle database).

Creating the Prepopulate Rule

You are now ready to create the criteria that Oracle Identity Manager evaluates to determine whether the DB Prepopulate adapter, which you imported along with the other components of your Oracle Identity Manager Connector, is to be used to populate the fields of the connector's custom process form. These criteria are known as a prepopulate rule.

If the criteria of the rule evaluate to true, Oracle Identity Manager uses the adapter to populate the fields of the custom process form automatically, so that the information can be saved to the database. As a result, Oracle Identity Manager can provision Robert with the corresponding resource (that is, an Oracle database).

For this OBE, create a prepopulate rule that evaluates the name of the organization to which users belong. For those users who are members of the Engineering organization (including Robert), Oracle Identity Manager assigns the DB Prepopulate adapter to the designated fields of the custom process form, so that these fields can be populated automatically.

To create a prepopulate rule, perform the following steps:

1.

Expand the Resource Management folder of the Design Console, and double-click the Rule Designer node.

 

2.

The fields of the Rule Designer form appear. Populate this form, as follows:

| Field | Value |
| --- | --- |
| Name | Oracle Prepopulate Rule |
| Type | Pre-Populate |
| Sub-Type | User Provisioning |
| Object | DataBase Access (Login) |
| Process | DataBase Access (Login) |
| Description | If the outcome of this rule is true, Oracle Identity Manager uses the DB Prepopulate adapter, which is associated with this rule, to populate a field of the custom process form. |

 

3.

Click Save. The tabs within the Rule Designer form are active.

 

4.

Click the Add Element button. The Edit Rule Element window appears.

 

5.

The parameters for your prepopulate rule appear. In the Edit Rule Element window, specify the values for the parameters, as follows:

| Parameter | Value |
| --- | --- |
| Attribute Source | Request Target Information |
| Attribute | Organization Name |
| Operation | == |
| Attribute Value | Engineering |

 

6.

Click Save. Then, click Close.

Note: If a Closing Form window appears, click Yes.

The main screen is active again.

The outcome of this rule element is true for all users who belong to the Engineering organization (including Robert). As a result, Oracle Identity Manager assigns the associated prepopulate adapter (that is, the DB Prepopulate adapter) to the designated fields of the custom process form.

Assigning the Prepopulate Adapter and Rule to the Custom Process Form Fields

You are now ready to configure Oracle Identity Manager to populate specific fields of the custom process form automatically, via prepopulate adapters and rules. When this occurs, Oracle Identity Manager can save the values, which are contained within these fields, to its database. Then, it can use this information to provision Robert with an external resource (that is, an Oracle database).

For this to happen, Oracle Identity Manager needs to know the following:

After setting the field-rule-adapter association for a particular form field, you must specify the priority number of the rule. Otherwise, Oracle Identity Manager cannot know the order in which to examine the field-rule-adapter combination.

As a final step, you have to map the variables of the prepopulate adapter to their proper locations. Otherwise, the adapter cannot be functional.

Note: Because the custom process form is active, it cannot be modified. So, to assign prepopulate adapters and rules to the fields that make up this form, you must create an additional version. Then, after you associate the adapters and rules to the designated form fields, you must make the alternate version of the form active.

To assign a prepopulate adapter and rule to particular fields of a custom process form, perform the following steps:

1.

Expand the Development Tools folder of the Design Console, and double-click the Form Designer node.

 

2.

Enter DB in the Table Name field (it appears as UD_DB). Click Query.

Note: The UD_DB value represents how the custom process form is recognized within the database.

 

3.

Click Create New Version. The "Create a new version" window appears.

 

4.

In the Label field, enter Version 2 (which signifies the alternate version of the form).

 

5.

On the "Create a new version" window's toolbar, click Save. Then, click Close.

The "Create a new version" window closes, and the Additional Columns tab of the Form Designer form is active again.

 

6.

From the Current Version combo box, select Version 2.

 

7.

Click the Pre-Populate tab.

 

8.

Click Add. The Pre-Populate Adapters window appears.

 

9.

Populate the fields of the Pre-Populate Adapters window, as follows:

| Field | Value |
| --- | --- |
| Field Name | IT Resource |
| Rule | Oracle Prepopulate Rule |
| Adapter | DB Prepopulate |
| Order | 1 |

 

10.

On the Pre-Populate Adapters window's toolbar, click Save.

Important: Mapping Incomplete appears within the Adapter Status field. This signifies that the DB Prepopulate adapter contains variables that are not mapped correctly. These variables need to be mapped to their proper locations. Otherwise, the adapter cannot work.

 

11.

Select the inputValue adapter variable and click Map.

The Map Adapter Variables window appears.

 

12.

Populate the fields of the Map Adapter Variables window, as follows:

| Field | Value |
| --- | --- |
| Map To | IT Resources |
| Qualifier | Database IT Resource |

 

13.

On the Map Adapter Variables window's toolbar, click Save. Then, click Close.

The Map Adapter Variables window disappears, and the Pre-Populate Adapters window is active again.

 

14.

From the Pre-Populate Adapters window's toolbar, click Save. Then, click Close.

The Pre-Populate Adapters window disappears, and the Pre-Populate tab of the Form Designer form is active again.

You are now ready to set the field-rule-adapter association for the Login/User field of the custom process form.

 

15.

Click Add. The Pre-Populate Adapters window appears.

 

16.

Populate the fields of the Pre-Populate Adapters window, as follows:

| Field | Value |
| --- | --- |
| Field Name | Login/User |
| Rule | Oracle Prepopulate Rule |
| Adapter | DB Prepopulate |
| Order | 2 |

 

17.

On the Pre-Populate Adapters window's toolbar, click Save.

 

18.

Select the inputValue adapter variable and click Map.

The Map Adapter Variables window appears.

 

19.

Populate the fields of the Map Adapter Variables window, as follows:

| Field | Value |
| --- | --- |
| Map To | User Definition |
| Qualifier | User Login |

 

20.

On the Map Adapter Variables window's toolbar, click Save. Then, click Close.

The Map Adapter Variables window disappears, and the Pre-Populate Adapters window is active again.

 

21.

On the Pre-Populate Adapters window's toolbar, click Save. Then, click Close.

The Pre-Populate Adapters window disappears, and the Pre-Populate tab of the Form Designer form is active again.

You are now ready to set the field-rule-adapter association for the Password field of the custom process form.

 

22.

Click Add. The Pre-Populate Adapters window appears.

 

23.

Populate the fields of the Pre-Populate Adapters window, as follows:

| Field | Value |
| --- | --- |
| Field Name | Password |
| Rule | Oracle Prepopulate Rule |
| Adapter | DB Prepopulate |
| Order | 3 |

 

24.

On the Pre-Populate Adapters window's toolbar, click Save.

 

25.

Select the inputValue adapter variable and click Map.

The Map Adapter Variables window appears.

 

26.

Populate the fields of the Map Adapter Variables window, as follows:

| Field | Value |
| --- | --- |
| Map To | User Definition |
| Qualifier | Password |

 

27.

On the Map Adapter Variables window's toolbar, click Save. Then, click Close.

The Map Adapter Variables window disappears, and the Pre-Populate Adapters window is active again.

 

28.

On the Pre-Populate Adapters window's toolbar, click Save. Then, click Close.

The Pre-Populate Adapters window disappears, and the Pre-Populate tab of the Form Designer form is active again.

 

29.

Select the Login/User - Default - DB Prepopulate field-adapter-rule relationship and click Delete.

 

30.

Click the Make Version Active button.

 

31.

In the Warning window that appears, click OK.

Note: If a Closing Form window appears, click Yes.

In the Active Version field, Version 2 now appears.

You defined a field-rule-adapter association for designated fields of the custom process form. In addition, you made the alternate version of the form active.

You are now ready to assign the connector you imported to a target user (that is, Robert). After this happens, Oracle Identity Manager fills out the custom process form, saves the values to its database, and uses these values to provision this user with the corresponding external resource (that is, an Oracle database).

Assigning the Connector to the User

You are now ready to assign the connector you imported to a target user (that is, Robert). After this occurs, Oracle Identity Manager:

  1. Fills out the custom process form by:
    • Evaluating the prepopulate rule for the designated fields of the form
    • Populating each field with a value (which is generated by the associated prepopulate adapter)
  2. Saves the values to its database
  3. Uses these values to provision Robert with the corresponding external resource (that is, an Oracle database)

In short, these three actions are completed by Oracle Identity Manager, not by Linda, the network administrator for Mydo Main Corporation. That is, no manual intervention is required.

To assign a connector to a user, perform the following steps:

1.

Open the Manage User form in the Users folder.

 

2.

Select User ID from the combo box that appears in this form. Then, in the text box that appears to the right of the combo box, enter the ID of the target user (that is, RLAVALLI). Click Search User.

 

3.

From the result set that appears, click the link that represents the ID of the target user.

 

4.

The User Detail form is displayed. Select Resource Profile from the combo box that is displayed within this form.

The Resource Profile form appears.

 

5.

Click the Provision New Resource button that appears within this form.

 

6.

Select and assign your connector to this user (that is, DataBase Access (Login)). Click Continue.

 

7.

Click Continue again.

 

8.

The "Provisioning successfully initiated" message appears, along with a "Back to User Resource Profile" link.

This signifies that the connector you imported is assigned to the user. Oracle Identity Manager fills out the custom process form, saves the values to its database, and uses these values to provision this user with the corresponding external resource (that is, an Oracle database).

You are now ready to verify that the login credentials for Robert can be used to access this database. For this OBE, this is accomplished by using Oracle SQL*Plus Client.

Accessing the Resource

In this OBE, you learned how to use Oracle Identity Manager to provision an external resource (in this case, an Oracle database) to a designated user, whose login credentials are specified in the custom process form.

Now, you must ensure that these credentials can be used to access the external database. For this OBE, this is accomplished by using Oracle SQL*Plus Client.

To access the external resource, perform the following steps.

1.

To start Oracle SQL*Plus Client, navigate to SQL Plus (via Start > Programs > Oracle - OraDb10g_home1 > Application Development > SQL Plus).

An Oracle SQL*Plus window and a Log On window appear.

 

2.

Populate the fields of the Log On window, as follows:

| Field | Value |
| --- | --- |
| User Name | RLAVALLI |
| Password | RLAVALLI |
| Host String | orcl |
Host String orcl

 

3.

Click OK.

The following text appears within the Oracle SQL*Plus window:

This signifies that Robert's login credentials can be used to access the Oracle database. That is, this Oracle Identity Manager user is autoprovisioned with the external resource.
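A successful logon shows only that the account exists. The following SQL*Plus script is an added example, not part of the original OBE or of the connector: it reviews what the provisioning run created for RLAVALLI on the target database, next to the entitlements of SYSTEM, the account stored in Database IT Resource. It assumes you run it from a DBA session on the orcl database and uses only the standard DBA_USERS, DBA_ROLE_PRIVS, DBA_SYS_PRIVS, DBA_TAB_PRIVS and DBA_PROFILES dictionary views.

```sql
-- Added example: post-provisioning review of the target database.
-- RLAVALLI = account provisioned in this tutorial.
-- SYSTEM   = User ID configured in the Database IT Resource parameters.

SET LINESIZE 150
SET PAGESIZE 100
COLUMN username           FORMAT A12
COLUMN account_status     FORMAT A18
COLUMN default_tablespace FORMAT A18
COLUMN profile            FORMAT A12
COLUMN grantee            FORMAT A12
COLUMN grant_type         FORMAT A18
COLUMN granted            FORMAT A60
COLUMN admin_option       FORMAT A12
COLUMN resource_name      FORMAT A28
COLUMN limit              FORMAT A30

-- 1. Account state: does the provisioned account exist, is it OPEN,
--    when was it created, and which profile governs its password?
SELECT username, account_status, created, expiry_date,
       default_tablespace, profile
FROM   dba_users
WHERE  username IN ('RLAVALLI', 'SYSTEM')
ORDER  BY username;

-- 2. Entitlements: roles and system privileges for both accounts, plus
--    object privileges granted directly to the provisioned account.
--    The RLAVALLI rows are what the provisioning process handed out.
--    The SYSTEM rows are what the credential stored in OIM can do.
SELECT grantee, 'ROLE' AS grant_type, granted_role AS granted, admin_option
FROM   dba_role_privs
WHERE  grantee IN ('RLAVALLI', 'SYSTEM')
UNION ALL
SELECT grantee, 'SYSTEM PRIVILEGE', privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee IN ('RLAVALLI', 'SYSTEM')
UNION ALL
SELECT grantee, 'OBJECT PRIVILEGE',
       privilege || ' ON ' || owner || '.' || table_name, grantable
FROM   dba_tab_privs
WHERE  grantee = 'RLAVALLI'
ORDER  BY 1, 2, 3;

-- 3. Password policy applied to the provisioned account. The form was
--    prepopulated from the OIM user record (password rlavalli for login
--    RLAVALLI). A PASSWORD_VERIFY_FUNCTION of NULL, or a DEFAULT limit
--    that resolves to NULL, means the database ran no complexity check
--    of its own when the account was created.
SELECT p.resource_name, p.limit
FROM   dba_profiles p
       JOIN dba_users u ON u.profile = p.profile
WHERE  u.username = 'RLAVALLI'
AND    p.resource_type = 'PASSWORD'
ORDER  BY p.resource_name;
```

Keep the output with the provisioning record: it gives a baseline to compare against when the connector, the prepopulate rule or the IT resource account is changed later.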

Summary

In this lesson, you learned how to:

 Create an organization
 Create a user
 Import a connector
 Make a connector operable
 Modify a provisioning process
 Create a prepopulate rule
 Assign a prepopulate adapter and rule to custom process form fields
 Assign a connector to a user
 Access a resource

Related Information

 To ask a question about this OBE tutorial, post a query on the OBE Discussion Forum.
