Creating, Managing, and Reviewing Reports and Attestation Processes

This OBE tutorial describes and shows you how to use Oracle Identity Manager to create reports for a company’s employees. In addition, through this tutorial, you understand attestation and attestation processes, including how they can be used to establish internal controls, processes, and policies for a company’s user-related and transactional-related data. Lastly, you learn how to create, manage, and review attestation processes.

For this tutorial, Robert and Jane function as the users, and Sun Java Directory Server acts as the resource.

Time to complete: approximately 2 hours

Oracle Identity Manager is a highly flexible and scalable enterprise identity management system that controls user accounts and access privileges within enterprise IT resources centrally. It provides the functionalities of provisioning, identity and role administration, approval and request management, policy-based entitlement management, technology integration, and audit and compliance automation. Features and benefits of Oracle Identity Manager include identity and role administration (user and group management, self-service functionalities for users, and delegated administration), provisioning (approval and request management, and configurable workflow models), policy-based entitlements, reconciliation, and attestation support (for audit and compliance purposes).

Linda is employed as a network administrator for Mydo Main Corporation. In Mydo Main, she is responsible for performing identity and access management tasks on various users within the organization. To perform these tasks, she uses Oracle Identity Manager to create reports for the employees in her company. In addition, she needs to learn about attestation, which is a process of authorizing established internal controls, processes, and policies for user-related and transactional-related data. By understanding attestation, she can create and manage an attestation process, which is the framework for setting up and building an attestation workflow.

Jane is employed in the Product Management department of Mydo Main Corporation. She is a full-time employee, and is provisioned with the Sun Java Directory Server resource. Jane is managed by Robert, who is also a full-time employee for Mydo Main. As her manager, Robert is responsible for examining any attestation processes for Jane and acting upon them (that is, certifying, rejecting, or declining them, or delegating them to another reviewer). In short, Robert must decide whether Jane should be provisioned with the Sun Java Directory Server resource.

Before starting this tutorial, you should:

Linda is an administrator of the Oracle Identity Manager environment that is installed and configured for Mydo Main Corporation. As this administrator, one of her responsibilities is to create reports for the employees in this company.

There are two types of reports that she can create for an employee:

- Operational reports: These reports contain information about the resources this user can access. That is, the reports illustrate the current relationship that users have with their resources.
- Historical reports: These reports contain information pertaining to resources that are associated with this user throughout the user’s employment with the company. That is, they have life-cycle data about the historical association of users and their resources.

There are four types of operational reports that Linda can create:

- Who Has What: This “snapshot” report provides Linda with a list of resources to which a user has access rights. It gives her the ability to query the Oracle Identity Manager repository in an Oracle database for the resources that a specific user can currently access. This report can also be used for compliance purposes.
- Resource Access List: This snapshot report provides Linda with the ability to query the Oracle Identity Manager repository for all existing users who are currently provisioned to a resource. This report can also be used for compliance purposes.
- Entitlements Summary: This snapshot report provides Linda with a list of status levels (or entitlements) for each Oracle Identity Manager user who is provisioned with a particular resource. This report can also be used for compliance purposes.
- Policy List: This snapshot report provides Linda with a list of all access policies that are created for a particular user group in Oracle Identity Manager. This report can also be used for compliance purposes.

There are also five types of historical reports that Linda can create:

- User Resource Access History: With this report, Linda can view the resources that a user has permission to access over the lifetime of the user. Unlike the “Who Has What” operational report, this report is not a snapshot report of the resources the user can currently access. This report can be used for audit and compliance purposes.
- Resource Access List History: With this lifetime report, Linda can query all existing users provisioned to a resource. This report is different from the Resource Access List operational report because it is not a snapshot report of the users who are currently provisioned to a resource. This report can also be used for audit and compliance purposes.
- User Profile History: With this lifetime report, Linda can view a user’s profile history. This report is different from a snapshot report of the user’s most recent profile. This report can also be used for audit and compliance purposes.
- User Membership History: With this report, Linda can view the groups of which a particular user is a member over the lifetime of the user. This report can also be used for audit and compliance purposes.
- Group Membership History: With this lifetime report, Linda can view all of the users that belong to a particular group (since the group’s inception). This report can also be used for audit and compliance purposes.

For this OBE, Linda needs to create one operational report and one historical report. First, she must create the Who Has What operational report. By creating this report, she can verify that Jane, a full-time employee of Mydo Main Corporation, is provisioned with the Sun Java Directory Server resource. Then, Linda needs to create the Resource Access List History historical report. By doing so, she can query all existing users who are provisioned with the Sun Java Directory Server resource.

To create reports, perform the following steps:

1. Launch your Oracle Identity Manager Server and Administrative Console.

   Note: For more information about loading, setting up, or starting Oracle Identity Manager, refer to the OBE titled "Installing Oracle Identity Manager."

2. Log in to your Administrative Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).

   Note: The first time you log in to Oracle Identity Manager with a particular account, you must select and answer "challenge" questions. These questions are used to verify your identity if you need to reset your password. However, for all subsequent logins with that account, these questions do not appear. Instead, you are taken directly to the Home page of your Oracle Identity Manager Administrative Console. For more information about selecting and answering "challenge" questions, refer to the OBE titled "Installing Oracle Identity Manager."

3. Open the Operational Reports form in the Reports folder. The list of operational reports that Linda can create appears.

4. From the list of reports that appears, click the link that represents the name of the desired operational report (that is, select the Who Has What operational report). The Who Has What – Input Parameters form appears.

5. For this OBE, Linda is searching for users by their respective IDs. Therefore, in the Userid field, enter the ID of the target user (that is, enter JANE.FULLTIME in this field). Then, click Submit. The Who Has What – Report Display form appears, showing the resources to which this user has access rights.

   As you can see, the iPlanet User connector is assigned to Jane. This connector represents the resource with which she is provisioned (that is, the Sun Java Directory Server resource).

   Linda is now ready to create the Resource Access List History historical report. By doing so, she can query all existing users who are provisioned with the Sun Java Directory Server resource.

6. Open the Historical Reports form in the Reports folder. The list of historical reports that Linda can create appears.

7. From the list of reports that appears, click the link that represents the name of the desired historical report (that is, select the Resource Access List History historical report). The Resource Access List History – Input Parameters form appears.

8. For this OBE, Linda is searching for resources by their respective names. Therefore, click the magnifying glass that appears to the right of the Resource Name field.

9. In the Lookup window that appears, select the option that is displayed to the left of the designated connector (that is, select the iPlanet User option). Click Select. The selected resource appears in the Resource Name field of the Resource Access List History – Input Parameters form.

10. Click Submit. The Resource Access List History – Report Display form appears, showing all the users who are provisioned with the designated resource throughout the resource’s life cycle.

Linda created an operational report and a historical report. By creating the Who Has What operational report, she verified that Jane, a full-time employee of Mydo Main Corporation, is provisioned with the Sun Java Directory Server resource. By creating the Resource Access List History historical report, she queried all existing users who are provisioned with this resource.

Now that Linda understands how to create reports to see the association that users have with resources, she needs to understand attestation and attestation processes. Attestation is the process of authorizing established internal controls, processes, and policies for user-related and transactional-related data. An attestation process is the framework for setting up and creating an attestation workflow.

In the next section of this OBE, Linda learns about attestation and attestation processes, so that she can create them.

Linda is now ready to learn about attestation. Attestation is the process of authorizing established internal controls, processes, and policies for user-related and transactional-related data. In addition, it provides an audit trail of people who sign off on data or processes that exist in an IT environment, particularly:

- Oracle Identity Manager users who have access to resources (the “who”)
- The reason that these users are able to access their resources (the “why”)
- The date and time that these users can access their resources (the “when”)

An attestation process is the framework for setting up and creating an attestation workflow. This process contains the following run-time components:

- User: This user is responsible for reviewing the attestation process. The user can be a specific Oracle Identity Manager user, a user who belongs to a particular group, a delegated user, or a user’s manager. In addition, Linda can configure Oracle Identity Manager to automate the allocation of a reviewer for an attestation process.
- Data: The data to be attested can range from basic user profile data to access privileges and entitlements for resources that are assigned to users. These privileges and entitlements can be based on the user’s manager or on the organization or group of which the user is a member, or they can be specific to a particular resource.
- Schedule: An attestation process can be scheduled to run at a periodic interval (for example, every three months), or can be executed on demand.

Now that Linda understands attestation and attestation processes, she is ready to create an attestation process. However, currently, the Oracle Identity Manager Connector for the Sun Java Directory Server resource does not have the necessary components for an attestation process to be completed. To rectify this, Linda needs to execute the 90_dml_insert_attestation.sql script. This script adds the components to the connector so that the attestation process can be completed.

To execute this script, perform the following steps:

1. Stop your Oracle Identity Manager Server and Administrative Console.

   Note: For more information about closing Oracle Identity Manager, refer to the OBE titled "Installing Oracle Identity Manager."

   When you stop your JBoss application server, the following window appears:

   Do not click any buttons in this window. By doing so, you stop your application server abruptly (that is, before it can perform its closing operations). Instead, wait a few seconds, and the window closes automatically.

2. Click the Start button that appears in the lower left corner of your desktop. From the pop-up menu that appears, click the Run menu item. The Run window appears.

3. Enter cmd in the Open field. Click OK. A DOS window appears.

4. Navigate to the E:\OIM_Installs\Attestation_Fix directory. At the DOS prompt, enter sqlplus oimuser/abcd1234 @90_dml_insert_attestation.sql.

5. Press [Enter]. The 90_dml_insert_attestation.sql script is executed. When the script is completed, a SQL prompt appears.

6. Type exit at the SQL prompt.

7. Press [Enter]. The SQL prompt is replaced by a DOS prompt.

8. Type exit at the DOS prompt.

9. Press [Enter]. The DOS window closes.

This signifies that the 90_dml_insert_attestation.sql script is executed. As a result, Linda can create an attestation process for the Oracle Identity Manager Connector that is associated with the Sun Java Directory Server resource.

One of the run-time components of an attestation process is a user who is responsible for reviewing the process. For this OBE, the reviewer is Robert, Jane's manager. However, currently, Jane does not have a manager assigned to her. Therefore, Linda must assign Robert to be Jane's manager. Robert is then responsible for examining any attestation processes for Jane and acting upon them (that is, certifying, rejecting, or declining them, or delegating them to another reviewer).

In the next section of this OBE, Linda assigns Robert to be Jane's manager. As a result, he is responsible for reviewing any attestation processes for Jane and acting upon them.

Linda is now ready to create an attestation process for the connector that is associated with the Sun Java Directory Server resource. One of the components of this process is a user who is responsible for reviewing the process. For this OBE, the reviewer is Robert, Jane's manager. However, currently, Jane does not have a manager assigned to her. Therefore, Linda must assign Robert to be Jane's manager. Robert is then responsible for examining any attestation processes for Jane and acting upon them (that is, certifying, rejecting, or declining them, or delegating them to another reviewer).

To assign a reviewer to a user, perform the following steps:

1. Launch your Oracle Identity Manager Server and Administrative Console.

2. Log in to your Administrative Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).

3. Open the Manage User form in the Users folder. The Manage User form appears.

4. Select User ID from the combo box that is displayed within this form. Then, in the text box that appears to the right of the combo box, enter the ID of the designated user (that is, enter JANE.FULLTIME in the text box). Finally, click Search User.

5. From the result set that is displayed, click the link that contains the ID of this user. The User Detail form appears.

6. Click Edit. The Edit User form appears.

7. Click the magnifying glass that appears to the right of the Manager ID lookup field.

8. In the Lookup window that appears, select the option that is associated with the ID of the user who is to be Jane's manager (that is, RLAVALLI). Click Select. The Edit User form is active again. However, now, the Manager ID field is populated with the ID of the manager that you assigned to this user.

9. Click Save. The User Detail form appears, displaying the ID of the manager for this user.

Linda assigned Robert to be Jane's manager. Robert is now responsible for examining any attestation processes for Jane and acting upon them (that is, certifying, rejecting, or declining them, or delegating them to another reviewer).

In the next section of this OBE, Linda creates an attestation process for Jane. Robert, Jane's manager, then reviews this process, and verifies whether Jane should have access rights to the resource with which she is provisioned (that is, the Sun Java Directory Server resource).

Linda is now ready to create an attestation process for Jane. Robert, Jane's manager, then reviews this process, and verifies whether Jane should have access rights to the Sun Java Directory Server resource. This is the resource with which Jane is provisioned.

There are four stages in creating an attestation process:

- Defining high-level information about the attestation process. This information includes a name, unique identification code, and explanatory information for the process.
- Defining the scope and reviewer for the attestation process. This information includes:
  - How a user should be entitled to have access rights to resources (this is known as the attestation data scope). Currently, a user can have access to resources based on the user’s manager, group, or organization. Or, Linda can specify that a user can have access rights to a single resource.
  - The user who should review the attestation process. Currently, the reviewer can be the manager of each user who is to be the recipient of the resource, or it can be one reviewer for all users who are to receive the resource.
- Defining the administrative details of the attestation process. These details include how often the attestation process should be run (that is, the attestation schedule) and the process owner group for the attestation process. This group is notified by email if a reviewer is invalid (that is, if the reviewer’s status is either Disabled or Deleted) or if a reviewer rejects the attestation process. You can also configure the attestation process so that the process owner group is notified if the reviewer declines to handle this process.
- Verifying the information of the attestation process

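The run-time components (user, data, schedule) and the reviewer and notification rules in the stages above can be modeled in a few lines. The following Python sketch is an added example, not Oracle Identity Manager code or its API: it routes one attestation request per provisioned user to that user's manager, reports users whose reviewer is missing or invalid to the process owner group, and computes the three-month schedule. The User and AttestationProcess classes, the function names, and the users SAM.CONTRACT and OLD.MGR are hypothetical, and reporting a missing manager to the process owner group is an assumption of the sketch.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

INVALID_REVIEWER_STATUSES = {"Disabled", "Deleted"}  # the two statuses the text calls invalid
ACTIONS = {"certify": "Certified", "reject": "Rejected",
           "decline": "Declined", "delegate": "Delegated"}

@dataclass
class User:
    user_id: str
    status: str = "Active"
    manager_id: Optional[str] = None

@dataclass
class AttestationProcess:
    name: str
    code: str
    resource: str                     # scope: user access for a single resource
    owner_group: str
    start: date
    interval_months: int = 3
    email_owner_on_decline: bool = False

    def __post_init__(self):
        if len(self.code) > 32:       # limit stated in the tutorial
            raise ValueError("attestation process code exceeds 32 characters")

def add_months(d: date, months: int) -> date:
    """Shift d by whole months, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def run_dates(p: AttestationProcess, count: int) -> list:
    """First `count` scheduled runs, each computed from the start date so that
    month-end clamping does not drift from run to run."""
    return [add_months(p.start, i * p.interval_months) for i in range(count)]

def route_requests(p, users, provisioned):
    """'Each user's manager' reviewer option: one request per provisioned user.
    Returns (requests, owner_notices)."""
    requests, notices = [], []
    for uid in provisioned.get(p.resource, []):
        manager = users.get(users[uid].manager_id)
        if manager is None:
            # Assumption of this sketch: a missing manager is reported, not skipped.
            notices.append((p.owner_group, uid, "no manager assigned"))
        elif manager.status in INVALID_REVIEWER_STATUSES:
            notices.append((p.owner_group, uid,
                            f"reviewer {manager.user_id} is {manager.status}"))
        else:
            requests.append({"user": uid, "resource": p.resource,
                             "reviewer": manager.user_id, "status": "Pending",
                             "comment": "", "delegation_path": []})
    return requests, notices

def record_action(p, req, action, comment="", delegate_to=None):
    """Apply a reviewer action; return the group to email, or None."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if action == "delegate":
        if delegate_to is None or delegate_to.status in INVALID_REVIEWER_STATUSES:
            raise ValueError("delegate must be a valid reviewer")
        req["delegation_path"].append(req["reviewer"])
        req["reviewer"] = delegate_to.user_id
    req["status"], req["comment"] = ACTIONS[action], comment
    if action == "reject" or (action == "decline" and p.email_owner_on_decline):
        return p.owner_group
    return None

# Constructed sample data using the tutorial's names; SAM.CONTRACT and OLD.MGR are invented.
USERS = {u.user_id: u for u in [
    User("JANE.FULLTIME"), User("RLAVALLI"),
    User("OLD.MGR", status="Disabled"), User("SAM.CONTRACT", manager_id="OLD.MGR")]}
PROVISIONED = {"iPlanet User": ["JANE.FULLTIME", "SAM.CONTRACT"]}
PROCESS = AttestationProcess("iPlanet Resource", "0001A", "iPlanet User",
                             "SYSTEM ADMINISTRATORS", date(2007, 5, 21),
                             email_owner_on_decline=True)

if __name__ == "__main__":
    print(route_requests(PROCESS, USERS, PROVISIONED))   # before a manager is assigned
    USERS["JANE.FULLTIME"].manager_id = "RLAVALLI"
    reqs, notices = route_requests(PROCESS, USERS, PROVISIONED)
    print(record_action(PROCESS, reqs[0], "certify", "The user is entitled to this resource."))
    print(reqs, notices, run_dates(PROCESS, 3))
```

Run before a manager is assigned, the model produces no request for Jane, which is why the tutorial assigns Robert as her manager before the process is created.
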
To create an attestation process, perform the following steps:

1. Open the Create Attestation Process form in the Attestation folder. The Define Process panel of the Create Attestation Process form appears.

2. In the Define Process panel of this form, enter the values for the attestation process, as follows:

   | Field | Value |
   |---|---|
   | Name | iPlanet Resource |
   | Code | 0001A |
   | Description | Attestation process for users who are provisioned with the Sun Java Directory Server resource. |

   Note: The maximum length of the code for the attestation process is 32 characters.

3. Click Continue. The Define Attestation Scope And Reviewer panel of the Create Attestation Process form appears.

4. In the Define Attestation Scope And Reviewer panel of this form, enter the values for the attestation scope and reviewer, as follows:

   | Field | Value |
   |---|---|
   | User access for a single resource | iPlanet User |
   | Each user’s manager option | [selected] |

5. Click Continue. The Define Administration Details panel of the Create Attestation Process form appears.

6. In the Define Administration Details panel of this form, enter the values for the administrative details, as follows:

   | Field | Value |
   |---|---|
   | Run every 3 months option | [selected] |
   | Process owner group | SYSTEM ADMINISTRATORS |
   | "Email process owner if reviewer refuses attestation request" check box | [selected] |
   | Starting on field | [Select a future date.] |

7. Click Continue. The Verify Info Page panel of the Create Attestation Process form appears.

8. Check that all of the information of the attestation process is correct. Then, click Create Process. A confirmation message appears.

   When the current date matches the date that the attestation process is scheduled to run (that is, May 21, 2007 for this OBE), Oracle Identity Manager sends the process to Robert. Robert is the manager of Jane, who is provisioned with the Sun Java Directory Server resource. As a result, Robert can review this attestation process for Jane.

   Although Linda set a scheduled date for the attestation process to run, to verify that it is operable, she needs to execute it on demand.

9. Click the iPlanet Resource link. This link contains the name of the attestation process. The Attestation Process Details form appears.

10. Click Run Now. A second confirmation message appears.

11. Click Confirm Run Now. The Attestation Process Details form is active again. This indicates that the attestation process is executed.

Linda created an attestation process for Jane. Robert, Jane's manager, must now review this process, and verify that Jane should have access rights to the Sun Java Directory Server resource. This is the resource with which Jane is provisioned.

In the next section of this OBE, Robert reviews the attestation process for Jane.

In the previous section of this OBE, Linda created an attestation process for Jane, an employee of Mydo Main Corporation who is provisioned with the Sun Java Directory Server resource. Robert, Jane's manager, must now review the attestation process, and verify that Jane should have access rights to this resource.

To review an attestation process, perform the following steps:

1. Log out of your Oracle Identity Manager Administrative Console.

2. Log in to your Administrative Console with the account for Robert, Jane's manager (that is, enter RLAVALLI in the User ID field and rlavalli in the Password field). The SELECT CHALLENGE QUESTIONS form appears.

3. Select all check boxes that appear within this form. Click Select. The PROVIDE CHALLENGE ANSWERS form appears.

4. Add the following values to this form:

   | Field | Value |
   |---|---|
   | What is the name of your pet? | Matty |
   | What is the city of your birth? | New York |
   | What is your favorite color? | Black |
   | What is your mother's maiden name? | Agneta |

5. Click Save. The CHALLENGE QUESTION AND ANSWER CONFIRMATION form appears.

6. Click OK. The Home page of Robert's Administrative Console appears.

7. Open the Attestation Request Inbox form in the To-Do List folder. The Attestation Request Inbox form appears.

8. Click the iPlanet Resource link. This link contains the name of the attestation process Robert needs to review. The Attestation Request form appears.

9. For this OBE, Robert believes that Jane should be provisioned with the Sun Java Directory Server resource. Therefore, select the Certify option. Click Save. The Save Actions form appears.

10. In the Comments text field, enter the following text: The user is entitled to this resource. This represents explanatory information about the action Robert is performing. Then, click Save Actions. The Attestation Request form is active again.

    Note: The Comments column is now populated with a graphic, representing the explanatory information that is entered. To view this information, place the cursor over the graphic. It appears as a tool tip.

11. Click Submit Attestation. The Attestation Request Confirmation form appears.

12. Click Confirm Submit. The Attestation Request Inbox form is active again. The attestation process no longer appears. This means Robert reviewed it.

Now that Robert reviewed the attestation process, Linda can log in to Oracle Identity Manager to view high-level and detailed information about it. This information includes the status of the attestation process (that is, Robert certified that Jane should have access to the Sun Java Directory Server resource).

In the next section of this OBE, Linda views information about the attestation process.

In the previous section of this OBE, Robert reviewed an attestation process for Jane and acted upon it. That is, he certified that Jane should have access to the Sun Java Directory Server resource. Linda can now log in to Oracle Identity Manager to view high-level and detailed information about this attestation process, including its status (that is, Robert certified the process for Jane).

To view an attestation process, perform the following steps:

1. Log out of your Oracle Identity Manager Administrative Console.

2. Log in to your Administrative Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).

3. Open the Attestation Dashboard form in the Attestation folder. The Attestation Dashboard form appears.

   From this form, Linda can see information about the attestation process, including:

   - Its name and unique identification code
   - The date and time when it is submitted to Robert, the reviewer
   - The date and time when he acted upon it
   - The total number of instances that are run
   - The status for each instance (that is, whether it is certified, rejected, declined, or delegated to another reviewer)

   Note: By clicking the iPlanet Resource link, Linda can see detailed information about the attestation process, including its scope, reviewer, and administrative details.

   Tip: To return to the Attestation Dashboard form, click the Back To Search Results link.

4. Click the date and time stamp that is contained in the Current Request Date column. This stamp represents the date and time when Robert received the attestation process. The Attestation Request Detail form appears.

   From this form, Linda can see additional information about the attestation process, including:

   - The target user who is the recipient of the designated resource. For this OBE, the target user is Jane.
   - The resource that is provisioned to the user. For this OBE, the provisioned resource is the Sun Java Directory Server resource.
   - The status of the attestation process and the reviewer who handled it. For this OBE, Robert, the reviewer, certified the attestation process.
   - The delegation path (if the attestation process is delegated to another reviewer). For this OBE, there is no delegation path.
   - Any comments that the reviewer added to the attestation process. For this OBE, Robert added the following comment: The user is entitled to this resource.

   Note: To see more detailed information about Jane (the target user), iPlanet User (the resource provisioned to this user), or Robert (the reviewer), click the links that appear directly below their respective names.

In this lesson, you learned how to:

- Create reports
- Understand attestation processes
- Assign a reviewer to a user
- Create an attestation process
- Review an attestation process
- View an attestation process