Creating a Location-Based Policy for a Business Role

Purpose

This OBE tutorial describes and shows you how to:

  • Create a dynamic business role in Oracle Role Manager
  • Create a business policy that gives a user access rights to the role, based on the user's location

Time to Complete

Approximately 1 hour

Topics

This OBE tutorial covers the following topics:

 Overview
 Scenario
 Prerequisites
 Creating a Business Role and Policy
 Changing a User's Location
 Summary
 Related Information

Overview

Oracle Role Manager is an enterprise-class application for managing business and organizational relationships, roles, and entitlements. An authoritative source for role life-cycle management, it drives automation of role-based provisioning and access control across the IT infrastructure.

Features and benefits of Oracle Role Manager include:

Scenario

Linda works as a network administrator for Mydo Main Corporation. In Mydo Main, she creates roles within the company and assigns users to these roles. One of her responsibilities is to assign users to business roles, based on the location of the users.

A business role is a collection of business duties or responsibilities to be granted to users in an organization. Business roles are defined using business policies. Business policies are used to determine who is to receive the company's business roles. For example, Linda can create a business role for the Marketing department of Mydo Main Corporation. Then, she can create a business policy that gives Oracle Role Manager users access rights to the role, based on the users' location. When this policy is run, Oracle Role Manager retrieves these users from its database.

By creating business roles and policies in Oracle Role Manager, Linda can manage users, roles, and resources across the enterprise setup of Mydo Main.

Prerequisites

Before starting this tutorial, you should:

  1. Complete the OBE titled Installing, Configuring, and Launching Oracle Role Manager.
  2. Complete the OBE titled Creating an Approver Role in Oracle Role Manager.
  3. Complete the OBE titled Creating and Editing a Business Role in Oracle Role Manager.

 

Creating a Business Role and Policy

As a network administrator for Mydo Main Corporation, Linda is responsible for creating business roles and policies in Oracle Role Manager, and assigning users to these roles and policies.

To create a business role and policy in Oracle Role Manager, perform the following steps:

1.

If the application server that Oracle Role Manager uses is not running, start it. For this OBE, JBoss is the application server for Oracle Role Manager.

To start this application server, double-click the run.bat file, found in the application server's bin directory. For this OBE, the file is located in the C:\stage\jboss-4.0.5.GA\bin directory.

 

2.

Open a Microsoft Internet Explorer Web browser. In the Address field, enter the following:

  • localhost (JBoss Application Server and Oracle Role Manager reside on the same computer.)
  • 8087 (the port number for JBoss Application Server)
  • webui (A literal that is case-sensitive.)

As a result, the URL should have the following naming convention:

http://localhost:8087/webui

 

3.

Populate the fields of the Oracle Role Manager login page, as follows (and click Sign In):

Field | Value
User ID | admin
Password | dead_line1

Note: The login credentials Linda enters are for the Oracle Role Manager system administrator. Also, the password is encrypted for security purposes.

The Home page of Oracle Role Manager appears:

Linda is ready to assign two Oracle Role Manager users, Alverta Rowell and Angelyn Ramos, to the location titled Americas. This location corresponds to data Linda uploaded into Oracle Role Manager in the OBE titled Creating an Approver Role in Oracle Role Manager.

After Linda assigns the users to the location titled Americas, she can create a business policy that gives these users access rights to a business role, based on the users' location.

 

4.

On the Oracle Role Manager navigation bar, click Organizations & People.

 

5.

On the Oracle Role Manager subnavigation bar, click People.

Note: Linda clicks Organizations & People on the navigation bar and People on the subnavigation bar because she is assigning two Oracle Role Manager users, Alverta Rowell and Angelyn Ramos, to the location titled Americas.

 

6.

On the People page, click Search.

A list of Oracle Role Manager users appears:

Note: The Oracle Role Manager users correspond to data Linda uploaded into Oracle Role Manager in the OBE titled Creating an Approver Role in Oracle Role Manager.

 

7.

Select a user with a location to be assigned. For this OBE, Linda is assigning Angelyn Ramos to the location titled Americas. Therefore, click the magnifying glass to the right of her name.

 

8.

On the Person page, click Memberships.

 

9.

On the Memberships tab, click Move.

Note: Linda clicks the Memberships tab and the Move button because she is changing the user's location (from 1 Market Street to Americas).

 

10.

On the Search for Location window, click Search.

 

11.

Select the location where the user is to reside. For this OBE, Linda is assigning Angelyn Ramos to the location titled Americas. Therefore, select the Americas option. Click OK.

The location Linda selected for the user appears in the Memberships tab of the Person page.

 

12.

Click Submit.

A message appears, indicating information about the user is updated.

 

13.

Repeat steps 4-12 to assign Alverta Rowell to the location titled Americas.

Linda is ready to create a business role for the Marketing department of Mydo Main Corporation. Then, she can create a business policy that gives Alverta Rowell and Angelyn Ramos access rights to the role because these users reside at the location titled Americas.

 

14.

On the Oracle Role Manager navigation bar, click Roles.

 

15.

On the Oracle Role Manager subnavigation bar, verify that Business Roles is selected.

Note: Linda clicks Roles on the navigation bar and confirms that Business Roles is selected on the subnavigation bar because she is creating a business role.

 

16.

On the left pane, expand the Office of the CEO node. Then, expand the Office of the EVP node. Next, expand the Business Development node. The Marketing item appears.

Note: For this OBE, Linda is to create a business role for the Marketing department of Mydo Main Corporation. Also, the existing business roles correspond to data Linda uploaded into Oracle Role Manager in the OBE titled Creating an Approver Role in Oracle Role Manager.

 

17.

Right-click the Marketing item. Select New Business Role from the popup menu that appears.

 

18.

On the popup window that appears, specify the type of business role to be created (that is, a dynamic business role or a static business role). For this OBE, Linda is to create a dynamic business role. Therefore, select Dynamic from the Business Role Type combo box. Click Submit.

Note: Dynamic business roles determine role membership through business policies. Static business roles determine role membership through manual role grants. That is, the business role must be granted manually to one user at a time.

 

19.

Populate the fields of the New Business Role page, as follows (and click Submit):

Field | Description
Display Name | The name of the business role. For this OBE, the name of the role is Marketing Business Role.
Description | Explanatory information about the business role. For this OBE, Linda enters "Business role for the Marketing department of Mydo Main." into the Description field.
Responsibilities | The responsibilities for the business role. For this OBE, Linda enters "Provide the Marketing department with access rights to the company's resources." into the Responsibilities field.
Status | The status of the business role. For this OBE, set the status of the role to be Active.
Owner | The owner of the business role. For this OBE, specify Beckie Champagne as the owner of this role (by clicking Edit, selecting the user from the Search for Person window that appears, and clicking OK).
Administrative Organization | The organization to which the business role must belong. For this OBE, specify Marketing as the administrative organization for this role (by clicking Edit, selecting the organization from the Search for Organization window that appears, and clicking OK).

A message appears, indicating the business role is created.

Linda created the Marketing Business Role. She is ready to create a business policy that gives Alverta Rowell and Angelyn Ramos access rights to the role because these users reside at the location titled Americas.

 

20.

On the left pane, select the Marketing item (by expanding the Office of the CEO, Office of the EVP, and Business Development nodes). Click the magnifying glass that appears to the right of the business role Linda created in this procedure (the Marketing Business Role).

 

21.

On the Business Role: Marketing Business Role page, click the Grant Policy tab.

 

22.

Enter the following code in the text area of the Grant Policy tab (and click Submit):

<?xml version="1.0" encoding="UTF-8"?>
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
  <relative-object-expression subject-type="person" relationship-path-id="parent_location_organization" relative-object-type="abstractOrg">
    <attribute-expression>
      <attribute object-type="locality" attribute-id="displayName"></attribute>
      <equals>
        <string-constant>Americas</string-constant>
      </equals>
    </attribute-expression>
  </relative-object-expression>
</predicate>

Note: By entering this code into the text area of the Grant Policy tab, Linda creates a business policy. Oracle Role Manager uses this policy to provide all users who reside at the location titled Americas with access rights to the Marketing Business Role.

A message appears, indicating the business role is updated.

Tip: To verify that users are assigned to the Marketing Business Role:

  1. Select the Marketing item (by expanding the Office of the CEO, Office of the EVP, and Business Development nodes).
  2. Click the magnifying glass that appears to the right of the business role.
  3. On the Business Role: Marketing Business Role page, click the Members tab.

  4. On the Members tab, click Search.
  5. The users assigned to the Marketing Business Role appear.

    Note: Alverta Rowell and Angelyn Ramos are assigned to the Marketing Business Role because they reside at the location titled Americas.

Linda created a business role and policy in Oracle Role Manager. She is ready to change a user's location (from Americas to EMEA). Because this user no longer resides at the location titled Americas, Oracle Role Manager revokes the user's access rights to the Marketing Business Role.

 

Changing a User's Location

In the previous section of this OBE, Linda created a business role and policy in Oracle Role Manager. First, she created a business role for the Marketing department of Mydo Main Corporation. Then, she created a business policy that gives Oracle Role Manager users who reside at the location titled Americas access rights to the business role.

Linda is ready to change a user's location (from Americas to EMEA). Because this user no longer resides at the location titled Americas, Oracle Role Manager revokes the user's access rights to the business role.

To change a user's location, perform the following steps:

1.

On the Oracle Role Manager navigation bar, click Organizations & People.

 

2.

On the Oracle Role Manager subnavigation bar, click People.

Note: Linda clicks Organizations & People on the navigation bar and People on the subnavigation bar because she is changing the location of an Oracle Role Manager user (from Americas to EMEA).

 

3.

On the People page, click Search. A list of Oracle Role Manager users appears.

 

4.

Select the user with a location to be changed. For this OBE, Linda is to change Angelyn Ramos' location (from Americas to EMEA). Therefore, click the magnifying glass to the right of her name.

 

5.

On the Person page, click Memberships.

 

6.

On the Memberships tab, click Move.

Note: Linda clicks the Memberships tab and the Move button because she is changing the user's location (from Americas to EMEA).

 

7.

On the Search for Location window, click Search.

 

8.

Select the location where the user is to reside. For this OBE, Angelyn Ramos is changing locations (from Americas to EMEA). Therefore, select the EMEA option. Click OK.

The location Linda selected for the user appears in the Memberships tab of the Person page.

 

9.

Click Submit.

A message appears, indicating information about the user is updated.

Linda changed Angelyn Ramos' location (from Americas to EMEA). Because this user no longer resides at the location titled Americas, Oracle Role Manager revokes her access rights to the Marketing Business Role.

To verify Angelyn can no longer access the role:

  1. On the Oracle Role Manager navigation bar, click Roles.
  2. On the Oracle Role Manager subnavigation bar, verify that Business Roles is selected.
  3. Select the Marketing item (by expanding the Office of the CEO, Office of the EVP, and Business Development nodes).
  4. Click the magnifying glass that appears to the right of the Marketing Business Role.
  5. On the Business Role: Marketing Business Role page, click the Members tab.
  6. On the Members tab, click Search. Users who can access the Marketing Business Role appear.

    Note: In this procedure, Linda changed Angelyn Ramos' location (from Americas to EMEA). As a result, Angelyn no longer has access rights to the Marketing Business Role.

In this OBE, Linda:

  • Created a business role in Oracle Role Manager
  • Created a business policy that grants Oracle Role Manager users access rights to the role, based on the users' location
  • Verified the functionality of the policy by:
    • Changing the location of a user who could access the business role
    • Confirming the user no longer has access rights to the role
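
The effect of the grant policy from step 22, and of the location change made in this section, can be checked offline before a policy is submitted. The following Python code is an added example, not Oracle Role Manager code or part of the original tutorial: it parses the policy text and evaluates it against a constructed set of people. The dictionary model of a person, the "Sample User" entry, the helper names, and the exact case-sensitive comparison are assumptions.

```python
import copy
import xml.etree.ElementTree as ET

NS = {"p": "http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0"}

# Grant policy text from step 22 of the tutorial.
POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
<relative-object-expression subject-type="person" relationship-path-id="parent_location_organization" relative-object-type="abstractOrg">
<attribute-expression>
<attribute object-type="locality" attribute-id="displayName"></attribute>
<equals><string-constant>Americas</string-constant></equals>
</attribute-expression>
</relative-object-expression>
</predicate>"""

def parse_policy(xml_bytes):
    """Return (relationship path, attribute id, required value) for this predicate shape."""
    root = ET.fromstring(xml_bytes)
    rel = root.find("p:relative-object-expression", NS)
    if rel is None:
        raise ValueError("unsupported predicate shape")
    attr = rel.find("p:attribute-expression/p:attribute", NS)
    const = rel.find("p:attribute-expression/p:equals/p:string-constant", NS)
    if attr is None or const is None:
        raise ValueError("unsupported predicate shape")
    return rel.get("relationship-path-id"), attr.get("attribute-id"), const.text

def is_member(person, rule):
    path, attr_id, wanted = rule
    related = person.get(path)  # the object reached through the relationship path
    # Assumption: exact, case-sensitive match; a person with no location never matches.
    return related is not None and related.get(attr_id) == wanted

def members(people, rule):
    return sorted(n for n, p in people.items() if is_member(p, rule))

def move(people, name, location, rule):
    """Change one person's location and report (new state, granted, revoked)."""
    after = copy.deepcopy(people)
    after[name][rule[0]] = {rule[1]: location}
    old, new = set(members(people, rule)), set(members(after, rule))
    return after, sorted(new - old), sorted(old - new)

# Constructed directory state after step 13 ("Sample User" is hypothetical).
PEOPLE = {
    "Alverta Rowell": {"parent_location_organization": {"displayName": "Americas"}},
    "Angelyn Ramos": {"parent_location_organization": {"displayName": "Americas"}},
    "Sample User": {"parent_location_organization": {"displayName": "1 Market Street"}},
}
RULE = parse_policy(POLICY)
```

Calling move(PEOPLE, "Angelyn Ramos", "EMEA", RULE) reports Angelyn as revoked and nobody as granted, which is the same result the Members tab shows after step 9.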

 

Summary

In this lesson, you learned how to:

 Create a business role and policy
 Change a user's location

Related Information

 To ask a question about this OBE tutorial, post a query on the OBE Discussion Forum.
