Create a Custom Approval Process for Role Assignment


Purpose

This OBE tutorial describes and shows you how to use Oracle Identity Manager 11.1.1.5.0 to create a custom approval process and use it to approve a request for role assignment for a user.

In the request and approval process, you have seven main actors who fall into four categories: administrators, requesters, approvers, and beneficiaries. These actors are:

Time to Complete

Approximately 3 hours.

Overview

Oracle Identity Manager is a highly flexible and scalable enterprise identity management system that manages the access privileges of users within enterprise IT resources. It helps to answer the critical compliance questions of "Who has access to What, When, How, and Why?"

Oracle Identity Manager's flexible architecture can handle the most complex IT and business requirements without requiring changes to existing infrastructure, policies, or procedures. With this hallmark flexibility, Oracle Identity Manager excels at handling the constant flow of business changes that impact real-world identity management deployments. This flexibility is derived from the product's architecture, which abstracts core provisioning functions into discrete layers.

Changes to workflow, policy, data flow, or integration technology are isolated within the respective functional layers of Oracle Identity Manager, thus minimizing application-wide impact. In addition, Oracle Identity Manager is flexible because all configurations are done via its powerful user interface. The product does not rely on any scripting language for setup, configuration, or process modeling. As a result, Oracle Identity Manager is the most-advanced enterprise identity management solution available.

Scenario

Shirley Schmidt is employed as a system administrator for Mydo Main Corporation. In Mydo Main, she is responsible for performing identity and access management tasks on various users in the organization. One such task is customizing approval processes for role assignment requests. As a result, this custom approval process can be used to approve a request for assigning a user to a role in Oracle Identity Manager.

Clark Brown also works for Mydo Main Corporation and makes a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role. As a result, Oracle Identity Manager uses the custom approval process to assign this request to four other Mydo Main users:

After all four users approve the request, Oracle Identity Manager assigns Dennis Bauer to the BUSINESS_ANALYST role of Mydo Main Corporation.

Software Requirements

Before starting this tutorial, you should have:

Note: Screen captures for this tutorial were taken in a Windows XP Professional environment; therefore, Start menu options will vary.

Creating and Assigning Organizations, Roles, and Users

In this section of the OBE, you create and assign organizations, roles, and users in Oracle Identity Manager. You need these records to create a custom approval process for a request for role assignment for a user. Specifically, you:

To create and assign organizations, roles, and users in Oracle Identity Manager, perform the following steps:

1.

Launch the Oracle Identity Manager Server, Administrative and User Console, and Design Console.

 

2.

Log in to the Administrative and User Console with the "superuser" account for Oracle Identity Manager. For this tutorial, enter xelsysadm in the User ID field, Welcome1 in the Password field, and click Sign In.

Note: The first time you log in to Oracle Identity Manager with a particular account, you must select and answer "challenge" questions. These questions are used to verify your identity if you need to reset your password. However, for all subsequent logins with that account, these questions do not appear. Instead, you are taken directly to the Home page of the Administrative and User Console.

 

3.

Click the Create Organization link on the home page of the Delegated Administration Console.

Note: If you see the Self Service Console or Advanced Administration Console instead of the Delegated Administration Console, click the Administration link in the upper-right corner of the active console's Home page.

 

4.

On the Create Organization page, enter FINANCE in the Name field, select Department from the Type drop-down menu, and click Save.

Note: The Parent Organization field indicates the parent organization of your organization (that is, your organization is a suborganization). Because your organization is a parent organization, and is not a suborganization, leave this field empty.

 

5.

Repeat steps 3 and 4 of this procedure to create the BUSINESS and ADMINISTRATION organizations.

You created the FINANCE, BUSINESS, and ADMINISTRATION organizations. You are ready to create the FINANCE_ADMINISTRATORS and BUSINESS_ANALYST_APPROVERS roles.

 

6.

Click the Create Role link on the home page of the Delegated Administration Console.

 

7.

On the Create Role page, enter FINANCE_ADMINISTRATORS in the Name field and click Save.

 

8.

Repeat steps 6 and 7 of this procedure to create the BUSINESS_ANALYST_APPROVERS role.

You created the FINANCE_ADMINISTRATORS and BUSINESS_ANALYST_APPROVERS roles. You are ready to create user records for Danny Crane and Dennis Bauer, and assign both Mr. Crane and Mr. Bauer to the FINANCE organization.

For this tutorial, Dennis Bauer is the beneficiary, or end-user who is to be assigned to the BUSINESS_ANALYST role. Danny Crane is responsible for approving requests for all users who belong to the FINANCE organization (including Dennis Bauer).

 

9.

Click the Create User link on the home page of the Delegated Administration Console.

 

10.

Use the following screenshot to populate the Basic User Information region of the Create User page.

 

11.

On the Account Settings region of the Create User page, enter DCRANE in the User Login field, and Welcome1 in both the Password and Confirm Password fields. Click Save.

Note: For security purposes, the password is displayed as a series of bullets (·). For this example, because the password is Welcome1, it appears as ········.

 

12.

Click the Create User link on the home page of the Delegated Administration Console.

 

13.

Use the following screenshot to populate the Basic User Information region of the Create User page.

 

14.

On the Account Settings region of the Create User page, enter DBAUER in the User Login field, and Welcome1 in both the Password and Confirm Password fields. Click Save.

You created user records for Danny Crane and Dennis Bauer, and assigned both Mr. Crane and Mr. Bauer to the FINANCE organization. You are ready to create user records for Brad Chase, Edwin Poole, Jerry Espenson, and Clark Brown, and assign all four users to the BUSINESS organization.

 

15.

Use the following tables to create user records for Jerry Espenson, Brad Chase, Clark Brown, and Edwin Poole.

Field | Value
First Name | Jerry
Last Name | Espenson
Design Console access check box | [selected]
Email | jerry.espenson@mydomain.com
Organization | BUSINESS
User Type | Full-Time Employee
Display Name | Jerry Espenson
User Login | JESPENSON
Password | Welcome1
Confirm Password | Welcome1

 

Field | Value
First Name | Brad
Last Name | Chase
Design Console access check box | [selected]
Email | brad.chase@mydomain.com
Manager | Jerry Espenson
Organization | BUSINESS
User Type | Full-Time Employee
Display Name | Brad Chase
User Login | BCHASE
Password | Welcome1
Confirm Password | Welcome1

 

Field | Value
First Name | Clark
Last Name | Brown
Design Console access check box | [selected]
Email | clark.brown@mydomain.com
Manager | Brad Chase
Organization | BUSINESS
User Type | Full-Time Employee
Display Name | Clark Brown
User Login | CBROWN
Password | Welcome1
Confirm Password | Welcome1

 

Field | Value
First Name | Edwin
Last Name | Poole
Design Console access check box | [selected]
Email | edwin.poole@mydomain.com
Organization | BUSINESS
User Type | Full-Time Employee
Display Name | Edwin Poole
User Login | EPOOLE
Password | Welcome1
Confirm Password | Welcome1

Note: For this tutorial, Brad Chase is the manager of Clark Brown and Jerry Espenson is the manager of Brad Chase. As a result, the Manager fields for the user accounts of Mr. Brown and Mr. Chase are populated accordingly.

You created user records for Brad Chase, Edwin Poole, Jerry Espenson, and Clark Brown, and assigned all four users to the BUSINESS organization. You are ready to create a user record for Shirley Schmidt and assign Ms. Schmidt to the ADMINISTRATION organization. For this tutorial, she is the administrator responsible for creating the custom approval process.

 

16.

Use the following table to create a user record for Shirley Schmidt.

Field | Value
First Name | Shirley
Last Name | Schmidt
Design Console access check box | [selected]
Email | shirley.schmidt@mydomain.com
Organization | ADMINISTRATION
User Type | Full-Time Employee
Display Name | Shirley Schmidt
User Login | SSCHMIDT
Password | Welcome1
Confirm Password | Welcome1

You created a user record for Shirley Schmidt, and assigned Ms. Schmidt to the ADMINISTRATION organization. For this tutorial, she is the administrator responsible for creating the custom approval process.

You are ready to assign the FINANCE_ADMINISTRATORS role to Danny Crane, and designate the FINANCE_ADMINISTRATORS role as an Administrative role for the FINANCE organization.

 

17.

On the page that contains the user record for Danny Crane, click the Roles tab.

 

18.

On the Roles tab, click Assign.

 

19.

On the Add Role window, enter FINANCE_ADMINISTRATORS in the Display Name field. Click Search.

 

20.

On the Search Results region of the Add Role window, select the FINANCE_ADMINISTRATORS role. Click Add.

The FINANCE_ADMINISTRATORS role appears in the Roles tab.

You assigned the FINANCE_ADMINISTRATORS role to Mr. Crane. You are ready to designate the FINANCE_ADMINISTRATORS role as an Administrative role for the FINANCE organization.

 

21.

On the page that contains the FINANCE organization, click Administrative Roles.

 

22.

On the Administrative Roles window, click Assign.

 

23.

On the Assign window, select the Assign check box to the right of the FINANCE_ADMINISTRATORS role (because you want to designate the FINANCE_ADMINISTRATORS role as an Administrative role for the FINANCE organization). Click Assign.

 

24.

A Confirmation window appears. Click Confirm.

 

25.

The FINANCE_ADMINISTRATORS role appears in the Administrative Roles window.

You designated the FINANCE_ADMINISTRATORS role as an Administrative role for the FINANCE organization. You are ready to assign the REQUEST ADMINISTRATORS role to Clark Brown, and the BUSINESS_ANALYST_APPROVERS role to Edwin Poole.

By assigning the REQUEST ADMINISTRATORS role to Clark Brown, Mr. Brown is able to make requests. This includes a request for Dennis Bauer, a member of the FINANCE organization, to be assigned to the BUSINESS_ANALYST role. Also, by assigning the BUSINESS_ANALYST_APPROVERS role to Mr. Poole, he is responsible for approving requests for all users who want to belong to the BUSINESS_ANALYST role (including Dennis Bauer).

 

26.

Use steps 17-25 of this procedure to:

  • Assign the REQUEST ADMINISTRATORS role to Clark Brown
  • Assign the BUSINESS_ANALYST_APPROVERS role to Edwin Poole, and designate the role as an Administrative role for the BUSINESS organization

You are ready to assign the SYSTEM ADMINISTRATORS role to Shirley Schmidt.

Note: You did not create the REQUEST ADMINISTRATORS or SYSTEM ADMINISTRATORS roles. Rather, these roles are created automatically when Oracle Identity Manager is installed.

 

27.

On the page that contains the user record for Shirley Schmidt, click the Roles tab.

 

28.

On the Roles tab, click Assign.

 

29.

On the Add Role window, enter SYSTEM ADMINISTRATORS in the Display Name field. Click Search.

 

30.

On the Search Results region of the Add Role window, select the SYSTEM ADMINISTRATORS role. Click Add.

The SYSTEM ADMINISTRATORS role appears in the Roles tab.

You assigned the SYSTEM ADMINISTRATORS role to Ms. Schmidt. You created and assigned organizations, roles, and users in Oracle Identity Manager. You need these records to create a custom approval process for a request for assigning a user to a role in Oracle Identity Manager.

For this tutorial, Shirley Schmidt acts as the administrator responsible for creating the custom approval process. You are ready to authorize Ms. Schmidt so that she can create custom approval processes in Oracle Identity Manager.

 

Authorizing an Administrator to Create Custom Approval Processes

In the previous section of this OBE, you created a user account for Shirley Schmidt. For this tutorial, Ms. Schmidt is the administrator responsible for creating the custom approval process.

However, just because a user is an Oracle Identity Manager administrator does not mean that the user is authorized to create custom approval processes. Approval processes determine how Oracle Identity Manager is to provision Mydo Main Corporation's resources to the company's users and organizations. Therefore, by ensuring that only those administrators who have the proper credentials to create custom approval processes can do so, you prevent potential security violations, which can include unauthorized users having access to the company's resources.

In this section of the OBE, you authorize Ms. Schmidt so that she can create custom approval processes in Oracle Identity Manager. To do so, you use the Oracle Enterprise Manager Fusion Middleware Control 11g.

To authorize an administrator to create approval processes in Oracle Identity Manager, perform the following steps:

1.

Launch Oracle Enterprise Manager Fusion Middleware Control 11g.

 

2.

Log in to Oracle Enterprise Manager Fusion Middleware Control 11g with the "superuser" account for Oracle WebLogic Server. For this tutorial, enter weblogic in the User Name field, Welcome1 in the Password field, and click Login.

Note: For security purposes, the password is displayed as a series of bullets (·).

 

3.

On the home page of Oracle Enterprise Manager Fusion Middleware Control 11g, expand the WebLogic Domain folder (by clicking the plus icon to the left of the folder).

 

4.

Select the base domain for Oracle WebLogic Server. For this OBE, the base domain is base_domain.

Note: You select the base domain for Oracle WebLogic Server (base_domain) because, for this section of the OBE, you authorize Ms. Schmidt so that she can create custom approval processes in Oracle Identity Manager.

Approval processes are created in containers known as Service Oriented Architecture (SOA) composites. Therefore, you must authorize Ms. Schmidt for both Oracle Identity Manager and SOA.

By selecting the base domain for Oracle WebLogic Server, you are authorizing Ms. Schmidt for all administrative and managed servers associated with Oracle WebLogic Server, including the servers for Oracle Identity Manager and SOA.

 

5.

From the base_domain menu, select Security > Credentials.

Note: You select Security > Credentials from the base_domain menu because you are storing the login credentials of Shirley Schmidt into the Oracle Identity Manager database for security purposes. By doing so, you are authorizing Ms. Schmidt so that she can create custom approval processes in Oracle Identity Manager.

 

6.

On the Credentials page, click Create Map.

 

7.

On the Create Map window, enter oracle.oim.sysadminMap in the Map Name field and click OK.

Note: You click Create Map on the Credentials page and enter oracle.oim.sysadminMap in the Map Name field of the Create Map window because you want to create a dynamic data structure known as a hash map. This type of map uses hash functions to map identifying values, known as keys, to their associated values.

For this type of map (oracle.oim.sysadminMap), you are mapping key-value pairs for Oracle Identity Manager system administrators. You assigned the SYSTEM ADMINISTRATORS role to Shirley Schmidt; therefore, she is a system administrator.

For this example, you are to map two keys (the login ID and password for an administrator who is authorized to create custom approval processes in Oracle Identity Manager) to the login credentials of Ms. Schmidt. For this OBE, these credentials are SSCHMIDT and Welcome1.

By mapping key-value pairs for Ms. Schmidt in the oracle.oim.sysadminMap map, Oracle Identity Manager can verify that she is authorized to create custom approval processes.

 

8.

On the Credentials page, select the map you created (oracle.oim.sysadminMap). Click Create Key.

Note: You click Create Key because you want to map key-value pairs for Ms. Schmidt in the oracle.oim.sysadminMap map. For this example, you map two key-value pairs:

Key | Value
sysadmin | SSCHMIDT
Password | Welcome1

 

9.

Use the following screenshot to populate the Create Key window, and click OK.

 

10.

The Credentials page appears. The sysadmin key, which represents the two key-value pairs you mapped, is created.

You mapped two keys (the login ID and password for an administrator who is authorized to create custom approval processes in Oracle Identity Manager) to the login credentials of Shirley Schmidt. As a result, Oracle Identity Manager can verify that she is authorized to create custom approval processes.

You are ready to construct a user-defined field (UDF) to create and assign a custom attribute for an Oracle Identity Manager entity (for this tutorial, a role).

 

Creating and Assigning a User-Defined Field (UDF)

In this section of the OBE, you construct a user-defined field (UDF). You define a UDF when you want to create and assign a custom attribute for an Oracle Identity Manager entity (for this tutorial, a role).

For this section, you are to create a UDF titled Role Approver and assign it to the Create Role page in Oracle Identity Manager. Then, you are to create the BUSINESS_ANALYST role and designate the BUSINESS_ANALYST_APPROVERS role as the value for the Role Approver UDF.

As a result, after Clark Brown makes a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role, Oracle Identity Manager sends the request to Edwin Poole, a member of the BUSINESS_ANALYST_APPROVERS role, so he can approve it.

To create and assign a UDF in Oracle Identity Manager, perform the following steps:

1.

Log in to the Oracle Identity Manager Design Console with the "superuser" account for Oracle Identity Manager. For this tutorial, enter xelsysadm in the User ID field, Welcome1 in the Password field, and click LogIn.

 

2.

On the main screen of the Oracle Identity Manager Design Console, expand the Administration folder. Then, double-click the User Defined Field Definition entry.


3.

Enter Roles in the Form Name field. Click Query.

Note: You enter Roles in the Form Name field because, for this tutorial, you are creating and assigning a user-defined field (UDF) for a role.

 

4.

On the User Defined Columns tab, click Add.

 

5.

Use the following screenshot to populate the User Defined Fields window. Click Save. Then, click Close.

 

Note: If a Closing Form window appears, click Yes.

 

6.

Click Save.

You created a UDF titled Role Approver and assigned it to the Create Role page in Oracle Identity Manager. You are ready to create the BUSINESS_ANALYST role and designate the BUSINESS_ANALYST_APPROVERS role as the value for the Role Approver UDF.

 

7.

Log out of the Oracle Identity Manager Administrative and User Console.

 

8.

Then, log back in to the console with the "superuser" account for Oracle Identity Manager. For this tutorial, enter xelsysadm in the User ID field, Welcome1 in the Password field, and click Sign In.

Note: You have to log out and log in to the Administrative and User Console for the changes you made to the Create Role page to take effect.

 

9.

Click the Create Role link on the home page of the Delegated Administration Console.

 

10.

On the Create Role page, enter BUSINESS_ANALYST in the Name field.

 

11.

Scroll to the bottom of the Create Role page. You see a new Custom Attributes section on this page with one custom attribute: Role Approver.

Note: The Custom Attributes section and Role Approver attribute appear because you created a custom attribute (or UDF) titled Role Approver and assigned it to the Create Role page.

 

12.

Enter BUSINESS_ANALYST_APPROVERS in the Role Approver field. Click Save.

Important: The value that you enter in the Role Approver field is case-sensitive.

You created a UDF titled Role Approver and assigned it to the Create Role page in Oracle Identity Manager. Then, you created the BUSINESS_ANALYST role and designated the BUSINESS_ANALYST_APPROVERS role as the value for the Role Approver UDF.

As a result, after Clark Brown makes a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role, Oracle Identity Manager sends the request to Edwin Poole, a member of the BUSINESS_ANALYST_APPROVERS role, so he can approve it.

You are ready to access Oracle Identity Manager as Shirley Schmidt to create a custom approval process.

 

Creating a Custom Approval Process

In the section of this OBE titled Authorizing an Administrator to Create Custom Approval Processes, you used Oracle Enterprise Manager Fusion Middleware Control 11g to authorize Ms. Schmidt so that she can create custom approval processes in Oracle Identity Manager. You are now ready to create a custom approval process.

For Oracle Identity Manager, approval processes are created in containers known as Service Oriented Architecture (SOA) composites. Therefore, you must use the Oracle SOA application to create the custom SOA composite that holds the custom approval process.

To facilitate matters, Oracle Identity Manager has a helper utility for creating custom SOA composites. This utility creates a SOA template that is to be used for the custom approval process. This template adheres to all the necessary standards.

In this section of the OBE, you create the custom SOA composite that holds the custom approval process. To do so, you use the helper utility.

To use the helper utility to create a custom SOA composite for the custom approval process, perform the following steps:

1.

Download the developing_oim_custom_approval_process_for_role_request.zip file.

Note: This zip file contains the files that you need to create a custom approval process.

 

2.

Open a Terminal window.

 

3.

Navigate to the <MIDDLEWARE_HOME>/wlserver_10.3/server/bin directory.

Note: <MIDDLEWARE_HOME> represents the base directory for the Oracle Fusion Middleware suite of products, including Oracle Identity Manager and Oracle SOA. For this tutorial, <MIDDLEWARE_HOME> is represented by /opt/oracle/Middleware/.

 

4.

At the prompts, enter the following commands (and press Enter after each command):

  • bash
  • source setWLSEnv.sh

Note: By entering the bash and source setWLSEnv.sh commands, you call the setWLSEnv.sh script that comes with Oracle WebLogic Server. This script sets up all of the environment variables so that you can run the helper utility.

 

5.

At the prompt, enter ant -f <OIM_HOME>/server/workflows/new-workflow/new_project.xml (and press Enter).

Note: ant represents the ant.sh file. This shell script file supplies built-in tasks used to run Java applications, such as the helper utility. By using the -f command, you are forcing the utility to run. <OIM_HOME> represents the base directory for Oracle Identity Manager. For this tutorial, <OIM_HOME> is represented by /opt/oracle/Middleware/Oracle_IDM1. new_project.xml is the name of the XML file associated with the helper utility.

 

6.

Enter values for the prompts that appear, as follows (and press Enter after each value):

Prompt | Value
Please enter application name | AssignRoleApprovalApp
Please enter project name | AssignRoleApproval
Please enter the service name for the composite. This needs to be unique across applications. | AssignRoleApprovalService

Important: The application, project, and service names that you enter are case-sensitive.

Note: The project name you define (AssignRoleApproval) is the name of the SOA composite, and eventually forms the name of the custom approval process. It should be a descriptive name so that it is easily recognizable when you are ready to use it as an approval process. The service name (AssignRoleApprovalService) is the ADF binding name used for this specific SOA composite. It must be unique to this composite.

Oracle Identity Manager creates the custom SOA composite that holds the custom approval process. After the SOA composite is created, a BUILD SUCCESSFUL message appears.

By default, Oracle Identity Manager saves the custom SOA composite you created using the helper utility to the <OIM_HOME>/server/workflows/new-workflow/process-template directory. This SOA composite contains the custom approval process.

You are ready to modify this approval process.

 

Modifying the Custom Approval Process

In the previous section of this OBE, you used the helper utility to create a custom SOA composite for a custom approval process. This process is to be used to approve a request for role assignment for a user. For this tutorial:

By default, a task associated with the approval process is assigned to xelsysadm: an Oracle Identity Manager superuser account. You want to modify this approval process task so that the task is assigned to the following individuals:

Because you assigned Shirley Schmidt to the ADMINISTRATION organization in the section of this OBE titled Creating and Assigning Organizations, Roles, and Users, she can create the custom approval process. As a result, after Clark Brown makes a request for Dennis Bauer to be a member of the BUSINESS_ANALYST role, Oracle Identity Manager sends the request to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane, so they can approve it. After all four users approve the request, Oracle Identity Manager assigns Dennis Bauer to the BUSINESS_ANALYST role.
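The routing this paragraph describes, modeled in Python as an added example (not code from the tutorial or from Oracle Identity Manager). It assumes the four approvers are the requester's manager, that manager's manager, a member of the role named in the Role Approver UDF, and a member of the Administrative role of the beneficiary's organization; the function and class names are hypothetical.

```python
# Added example: a model of the approval routing in this tutorial, not OIM code.
# Assumption: the approver slots are the requester's manager, that manager's
# manager, the Role Approver UDF role, and the beneficiary's organization admin.

# Directory data copied from the tutorial's user tables and role assignments.
MANAGER = {"CBROWN": "BCHASE", "BCHASE": "JESPENSON"}        # user -> manager
ORG_OF = {"DBAUER": "FINANCE", "DCRANE": "FINANCE", "CBROWN": "BUSINESS"}
ROLE_MEMBERS = {
    "FINANCE_ADMINISTRATORS": {"DCRANE"},
    "BUSINESS_ANALYST_APPROVERS": {"EPOOLE"},
}
ORG_ADMIN_ROLE = {                                           # org -> admin role
    "FINANCE": "FINANCE_ADMINISTRATORS",
    "BUSINESS": "BUSINESS_ANALYST_APPROVERS",
}
ROLE_APPROVER_UDF = {"BUSINESS_ANALYST": "BUSINESS_ANALYST_APPROVERS"}


class RoutingError(Exception):
    """An approver slot could not be resolved, so the request must not proceed."""


def resolve_approvers(requester, beneficiary, role, udf=None):
    """Return {slot: set of eligible users}; fail closed if any slot is empty."""
    udf = ROLE_APPROVER_UDF if udf is None else udf
    manager = MANAGER.get(requester)
    slots = {
        "manager": {manager} if manager else set(),
        "managers_manager": {MANAGER[manager]} if manager in MANAGER else set(),
        # Exact, case-sensitive lookup: a mistyped UDF value matches no role.
        "role_approver": set(ROLE_MEMBERS.get(udf.get(role, ""), ())),
        "org_admin": set(ROLE_MEMBERS.get(
            ORG_ADMIN_ROLE.get(ORG_OF.get(beneficiary, ""), ""), ())),
    }
    for name, candidates in slots.items():
        # Separation of duties: nobody approves their own request or grant.
        candidates -= {requester, beneficiary}
        if not candidates:
            raise RoutingError(f"no eligible approver for slot '{name}'")
    return slots


class RoleRequest:
    """A role-assignment request that is granted only when every slot approves."""

    def __init__(self, requester, beneficiary, role, udf=None):
        self.slots = resolve_approvers(requester, beneficiary, role, udf)
        self.approved_by = {}            # slot -> user who approved it
        self.rejected = False

    def approve(self, user):
        if user in self.approved_by.values():
            raise PermissionError(f"{user} has already approved")
        for slot, candidates in self.slots.items():
            if slot not in self.approved_by and user in candidates:
                self.approved_by[slot] = user   # one user fills one slot only
                return slot
        raise PermissionError(f"{user} is not an approver for this request")

    def reject(self, user):
        if not any(user in c for c in self.slots.values()):
            raise PermissionError(f"{user} is not an approver for this request")
        self.rejected = True

    @property
    def status(self):
        if self.rejected:
            return "REJECTED"
        done = len(self.approved_by) == len(self.slots)
        return "APPROVED" if done else "PENDING"


def run_scenario():
    """Clark Brown requests BUSINESS_ANALYST for Dennis Bauer; four users approve."""
    request = RoleRequest("CBROWN", "DBAUER", "BUSINESS_ANALYST")
    history = []
    for user in ("BCHASE", "JESPENSON", "EPOOLE", "DCRANE"):
        request.approve(user)
        history.append(request.status)
    return history


if __name__ == "__main__":
    print(resolve_approvers("CBROWN", "DBAUER", "BUSINESS_ANALYST"))
    print(run_scenario())
```

The role is granted only after the fourth approval, and a Role Approver value that differs in case resolves to no approver and stops the request instead of skipping that slot.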

In this section of the OBE, you use JDeveloper to modify the custom approval process so that the approval process task is assigned to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane, instead of the xelsysadm superuser account.

1.

Launch JDeveloper.

 

2.

Select the Application navigation panel, if not already selected.

Note: If the Application navigation panel is not visible, select View > Application Navigator from the menu bar.

 

3.

Click Open Application ...

 

4.

On the Open Application(s) window, change to the <OIM_HOME>/server/workflows/new-workflow/process-template/AssignRoleApprovalApp directory, select the AssignRoleApprovalApp.jws file, and click Open.

Note: For this tutorial, <OIM_HOME> is represented by /opt/oracle/Middleware/Oracle_IDM1.

 

5.

On the Open Warning window, click Yes.

 

6.

On the Migration Status window, click OK.

Note: By clicking Yes on the Open Warning window and OK on the Migration Status window, you are loading the AssignRoleApprovalApp application into JDeveloper. This application contains the custom approval process that you are to modify.

 

7.

On the Application Navigator panel, expand the AssignRoleApproval > SOA Content directory.

 

8.

Open the composite.xml file (by double-clicking it).

The contents of the composite.xml file are loaded into the editor of JDeveloper.

You open this file because you want to add a property to it. This property is associated with the URL for the Oracle Identity Manager Administrative and User Console. By adding this property in the composite.xml file, instead of hard-coding a value for the property, you can change its value at runtime (through the Oracle Enterprise Manager 11g Fusion Middleware Control).

Tip: You can minimize the Resource Palette tab to the right of the editor to extend the width of the editor.

 

9.

On the JDeveloper editor, click the Source tab.

Note: By clicking the Source tab, the source code for the composite.xml file appears. By accessing this code, you can add a value to a property in the file quickly and easily.

 

10.

Locate the following lines of code:

<component name="ApprovalProcess">
<implementation.bpel src="ApprovalProcess.bpel"/>
</component>

Add the following line of code after the <implementation> line of code:

<property name="bpel.preference.oimurl">t3://localhost:14000</property>

The composite.xml file should appear, as follows:

Note: You can specify localhost because, for this tutorial, Oracle Identity Manager and SOA reside on the same machine. Also, 14000 is the port number reserved for Oracle Identity Manager.

 

11.

Save and close the composite.xml file.

 

12.

On the Application Navigator panel, open the ApprovalProcess.bpel file (by double-clicking it).

Note: The ApprovalProcess.bpel file contains the code for the custom approval process you created. For this section of the OBE, you are to modify this approval process so that a task associated with the process is assigned to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane, instead of the xelsysadm superuser account.

 

13.

On the JDeveloper editor, click the Design tab. Click (x) in the editor.

 

14.

On the Variables window, click the green plus icon (+).

Note: You click (x) in the JDeveloper editor and (+) on the Variables window to add variables to the custom approval process.

 

15.

Populate the Create Variable window, as follows (and click OK):

Field | Value
Name | oimurl
Type option | string

Note: The oimurl variable is associated with the property you defined in step 10 of this procedure. Also, to select string as the data type for the variable, click the magnifying glass to the right of the Type option, select string from the Type Chooser window, and click OK.

 

16.

Repeat steps 14-15 of this procedure to create two other variables: orgAdmin and roleApprover. Both variables should have a data type of string. All three variables should appear in the Variables window.

Note: The orgAdmin variable is a placeholder for the administrator who approves any requests for users who belong to a particular organization (for example, the FINANCE organization). For this tutorial, Danny Crane is responsible for approving requests for all users who are members of the FINANCE organization (including Dennis Bauer).

The roleApprover variable is a placeholder for the approver of the role to which a user wants to belong. For this tutorial, Edwin Poole is a member of the BUSINESS_ANALYST_APPROVERS role. Because he belongs to this role, Mr. Poole is responsible for approving a request for Mr. Bauer to be assigned to the BUSINESS_ANALYST role.

 

17.

Click OK to close the Variables window.

You are ready to add two tasks to the custom approval process:

  • AssignOimUrl. Oracle Identity Manager uses this approval process task to obtain the URL for the Administrative and User Console. This URL is to be used by the person creating a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role. For this tutorial, Clark Brown is the requester.
  • GetAssigneesInfo. Oracle Identity Manager uses this task to assign the approval process to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane (instead of the xelsysadm superuser account). Because you assigned these four users to the BUSINESS organization, they can approve the workflow.

 

18.

Open the Component Palette of JDeveloper.

Note: The Component Palette is where you are to add the AssignOimUrl and GetAssigneesInfo tasks to the custom approval process.

 

19.

On the Component Palette, drag and drop the Assign activity so that it rests in between the receiveInput activity and the ApprovalTask_1 activity.

Note: By default, JDeveloper assigns a name of Assign1 to the activity (because this is the first Assign activity you are adding to the custom approval process). This activity represents a task you are adding to the custom approval process.

You are ready to change the name of the approval process task from Assign1 to a more descriptive name (AssignOimUrl). Oracle Identity Manager uses this task to obtain the URL for the Administrative and User Console.

 

.

Right-click the Assign1 task. Select Edit from the menu that appears.

 

.

Click the General tab on the Edit Assign window. In the Name field, replace the existing name of the approval process task (Assign1) with the designated name (AssignOimUrl).

You are ready to use the Expression Builder feature of JDeveloper to create an expression that is used to fetch the URL associated with Oracle Identity Manager. This URL is to be used by the person creating a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role. For this tutorial, Clark Brown is the requester.

 

.

Click the Copy Rules tab on the Edit Assign window.

Note: The Copy Rules tab is where you access the Expression Builder feature of JDeveloper.

 

.

Click the Expression icon (which resembles a calculator) and drag it onto the target variable for which you want to create an expression. For this example, you click and drag the Expression icon onto the oimurl variable because you want to create an expression that is used to fetch the URL associated with Oracle Identity Manager.

Note: The green box around the oimurl variable signifies that you can now create an expression for this variable. As a result, the Expression Builder window appears automatically for the variable.

 

.

Select BPEL XPath Extension Functions from the Functions area of the Expression Builder window.

 

.

Select the getPreference function and click Insert Into Expression.

The Expression area of the Expression Builder window contains the function you created.

Note: You select BPEL XPath Extension Functions from the Functions area of the Expression Builder window because you want to use BPEL capabilities and XPath standards predefined in JDeveloper. You select the getPreference function because this function returns the value of a property. For this example, the value to be returned is the URL associated with Oracle Identity Manager.

 

.

Click inside the parenthetical portion of the expression ( ). Enter 'oimurl' inside of the parenthesis. The expression should appear, as follows:

Important: Make sure you include the single quotation marks around the oimurl variable.

Note: You enter 'oimurl' into the expression because you want the getPreference function to return the value of the URL associated with Oracle Identity Manager.

 

.

Click OK to close the Expression Builder window.

 

.

Click OK to close the Edit Assign window.

You are ready to add the GetAssigneesInfo task to the custom approval process. Oracle Identity Manager uses this task to assign the approval process to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane (instead of the xelsysadm superuser account). Because you assigned these four users to the BUSINESS organization, they can approve the workflow.

 

.

On the Component Palette, select the Oracle Extensions menu. Select the Java Embedding activity.

Note: You select the Java Embedding activity because you want to include some "inline" Java code into the GetAssigneesInfo task that you are adding to the custom approval process.

 

.

Drag and drop this activity so that it rests directly below the AssignOimUrl activity.

Note: By default, JDeveloper assigns a name of Java_Embedding1 to the activity (because this is the first Java Embedding activity you are adding to the custom approval process).

You are ready to change the name of the approval process task from Java_Embedding1 to a more descriptive name (GetAssigneesInfo). Oracle Identity Manager uses this task to assign the approval process to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane (instead of the xelsysadm superuser account).

 

.

Right-click the Java_Embedding1 task. Select Edit from the menu that appears.

 

.

Click the General tab on the Edit Java Embedding window. In the Name field, replace the existing name of the approval process task (Java_Embedding1) with the designated name (GetAssigneesInfo).

 

.

Remove all code that appears in the Code Snippet text area. Then, enter the code contained in this file.

Note: Oracle Identity Manager uses this code to access its internal APIs to assign the approval process to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane (instead of the xelsysadm superuser account). Because you assigned these four users to the BUSINESS organization, they can approve the workflow.

 

.

Click OK to close the Edit Java Embedding window.

Note: Oracle Identity Manager uses the code you entered to access its internal APIs to assign the approval process to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane (instead of the xelsysadm superuser account).

To enable Oracle Identity Manager to use these APIs, the approval process must be able to reference the oimclient.jar file. Oracle Identity Manager requires this jar file to compile the code you entered properly. As a result, Oracle Identity Manager can access the APIs.

 

.

Open File Browser. Copy the oimclient.jar file in the <MIDDLEWARE_HOME>/Oracle_IDM1/server/client directory. Paste this jar file into the <MIDDLEWARE_HOME>/Oracle_IDM1/server/workflows/new-workflow/process-template/AssignRoleApprovalApp/AssignRoleApproval/SCA-INF/lib directory.

Note: For this tutorial, <MIDDLEWARE_HOME> is represented by /opt/oracle/Middleware/.

You are ready to make Oracle Platform Security Services (OPSS) available for the custom approval process. OPSS is the underlying security platform that provides security to Oracle Fusion Middleware products and services, including approval workflows created through SOA.

To make OPSS available for the approval process, you must add the jps-manifest.jar file to the project library files associated with the process.

 

.

In JDeveloper, right-click the AssignRoleApproval project. Select Project Properties... from the menu that appears.

 

.

Select Libraries and Classpath from the left pane of the Project Properties window. Click Add JAR/Directory...

 

Note: You select Libraries and Classpath from the left pane of the Project Properties window and click Add JAR/Directory... because you want to add the jps-manifest.jar file to the project library files associated with the custom approval process.

 

.

On the Add Archive or Directory window, select the jps-manifest.jar file from the <MIDDLEWARE_HOME>/oracle_common/modules/oracle.jps_11.1.1 directory. Click Select.

 

.

Click OK.

You added the jps-manifest.jar file to the project library files associated with the custom approval process. As a result, you made OPSS available for the approval process.

You are ready to create two parameters: OrganizationAdmin and RoleApprover.

The OrganizationAdmin parameter is to contain the value for the administrator who approves any requests for users who belong to a particular organization (for example, the FINANCE organization). For this tutorial, Danny Crane is responsible for approving requests for all users who are members of the FINANCE organization (including Dennis Bauer).

The RoleApprover parameter is to contain the value for the approver of the role to which a user wants to belong. For this tutorial, Edwin Poole is a member of the BUSINESS_ANALYST_APPROVERS role. Because he belongs to this role, Mr. Poole is responsible for approving a request for Mr. Bauer to be assigned to the BUSINESS_ANALYST role.

Oracle Identity Manager is to retrieve these values by referencing its internal APIs.

 

.

On the Application Navigator panel, expand the AssignRoleApproval > SOA Content directory. Open the ApprovalTask.task file (by double-clicking it).

 

.

On the Create Form pane, select Data.

 

.

On the Data page, click the green plus icon. Select Add string parameter from the menu that appears.

 

.

On the Add Task Parameter window, enter OrganizationAdmin in the Parameter Name field. Click OK.

 

.

Repeat steps 42 and 43 of this procedure to create the RoleApprover parameter.

You created the OrganizationAdmin and RoleApprover parameters. The OrganizationAdmin parameter is to contain the value for the administrator who approves any requests for users who belong to a particular organization (for example, the FINANCE organization). The RoleApprover parameter is to contain the value for the approver of the role to which a user wants to belong. Oracle Identity Manager is to retrieve these values by referencing its internal APIs.

You are ready to associate these two parameters with the task of the custom approval process used to assign the process to the designated organization (the ApprovalTask_1_AssignTaskAttributes task). For this example, Oracle Identity Manager uses this task to assign the approval process to the FINANCE or BUSINESS organization (instead of the xelsysadm superuser account).

You use the ApprovalProcess.bpel file to associate the OrganizationAdmin and RoleApprover parameters with the ApprovalTask_1_AssignTaskAttributes task.

 

.

Make the ApprovalProcess.bpel file active (by clicking the ApprovalProcess.bpel tab).

 

.

Expand the ApprovalTask_1 task by clicking the plus icon to the left of the task.

Note: By expanding the ApprovalTask_1 task, the ApprovalTask_1_AssignTaskAttributes task appears.

 

.

Click the ApprovalTask_1_AssignTaskAttributes task. Select the Source tab.

Note: By selecting the Source tab, you can modify the ApprovalTask_1_AssignTaskAttributes task directly through the source code. This is a quicker and more efficient way to modify code associated with an approval process task.

 

.

Locate the following lines of code:

<payload xmlns="http://xmlns.oracle.com/bpel/workflow/task">
<RequestID xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
<RequestModel xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
<RequestTarget xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
<url xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
<RequesterDetails xmlns="http://xmlns.oracle.com/request/RequestDetails"/>
<BeneficiaryDetails xmlns="http://xmlns.oracle.com/request/RequestDetails"/>
<ObjectDetails xmlns="http://xmlns.oracle.com/request/RequestDetails"/>
<OtherDetails xmlns="http://xmlns.oracle.com/request/RequestDetails"/>
<RequesterDisplayName xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
<BeneficiaryDisplayName xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
<Requester xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
</payload>

Add the following lines of code after the <Requester xmlns="http://xmlns.oracle.com/bpel/workflow/task"/> line of code:

<OrganizationAdmin xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
<RoleApprover xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>

The ApprovalTask_1_AssignTaskAttributes task should appear, as follows:

You are ready to associate the initiate task condition with the OrganizationAdmin and RoleApprover parameters. By doing so, Oracle Identity Manager can initiate the allocation of the custom approval process to the FINANCE or BUSINESS organization (instead of the xelsysadm superuser account).

 

.

Select the Design tab. Right-click the ApprovalTask_1_AssignTaskAttributes task. Select Edit from the menu that appears.

 

.

On the Edit Assign window, click the Copy Rules tab.

 

.

Click the orgAdmin variable on the left pane of the Copy Rules tab. Drag this variable to the /ns2:initiateTask/task:task/task:payload item (on the right pane). The Copy Rules tab should appear, as follows:

 

.

In the To Xpath field, append /task:OrganizationAdmin to the xpath (and click OK). The path should appear, as follows: /ns2:initiateTask/task:task/task:payload/task:OrganizationAdmin.

Tip: To verify that you have the correct path, click the Source tab. Verify that you see the following lines of code:

<copy>
<from variable="orgAdmin"/>
<to variable="initiateTaskInput" part="payload"
query="/ns2:initiateTask/task:task/task:payload/task:OrganizationAdmin"/>
</copy>

 

.

Open the Edit Assign window. In the lower region of the Edit Assign window, click the orgAdmin copy operation (to select it). Click the blue down arrow button repeatedly until the orgAdmin copy operation appears after the inputVariable/payload//ns3:process/ns4:RequesterDetails copy operation. Click OK.

 

 

.

Select the Design tab. Right-click the ApprovalTask_1_AssignTaskAttributes task. Select Edit from the menu that appears.

 

.

On the Edit Assign window, click the Copy Rules tab.

 

.

Click the roleApprover variable on the left pane of the Copy Rules tab. Drag this variable to the /ns2:initiateTask/task:task/task:payload item (on the right pane).

 

.

In the To Xpath field, append /task:RoleApprover to the xpath (and click OK). The path should appear, as follows: /ns2:initiateTask/task:task/task:payload/task:RoleApprover.

Tip: To verify that you have the correct path, click the Source tab. Verify that you see the following lines of code:

<copy>
<from variable="roleApprover"/>
<to variable="initiateTaskInput" part="payload"
query="/ns2:initiateTask/task:task/task:payload/task:RoleApprover"/>
</copy>

 

.

Open the Edit Assign window. In the lower region of the Edit Assign window, click the roleApprover copy operation (to select it). Click the blue down arrow button repeatedly until the roleApprover copy operation appears after the orgAdmin copy operation. Click OK.

 

You associated the initiate task condition with the orgAdmin and roleApprover parameters. By doing so, Oracle Identity Manager can initiate the allocation of the custom approval process to the BUSINESS and FINANCE organizations (instead of the xelsysadm superuser account).
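Added example (not part of the original tutorial): XPath step names are case-sensitive, so a copy rule whose To XPath ends in task:roleApprover does not address the RoleApprover element added to the payload. The Python check below compares the target of each copy rule with the elements declared in the payload template. The sample XML is constructed from the snippets in this section (the second copy rule is deliberately mis-cased), and the binding of the task prefix to the task namespace is an assumption.

```python
import xml.etree.ElementTree as ET

TASK_NS = "http://xmlns.oracle.com/bpel/workflow/task"

# Constructed sample: the task payload template, trimmed to four elements.
PAYLOAD_XML = """
<payload xmlns="http://xmlns.oracle.com/bpel/workflow/task">
  <url xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
  <Requester xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
  <OrganizationAdmin xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
  <RoleApprover xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
</payload>
"""

# Constructed sample: two copy rules; the second target is mis-cased on purpose.
COPY_RULES_XML = """
<assign>
  <copy>
    <from variable="orgAdmin"/>
    <to variable="initiateTaskInput" part="payload"
        query="/ns2:initiateTask/task:task/task:payload/task:OrganizationAdmin"/>
  </copy>
  <copy>
    <from variable="roleApprover"/>
    <to variable="initiateTaskInput" part="payload"
        query="/ns2:initiateTask/task:task/task:payload/task:roleApprover"/>
  </copy>
</assign>
"""


def _local(tag):
    """Element name without its '{namespace}' part."""
    return tag.rsplit("}", 1)[-1]


def _namespace(tag):
    """Namespace URI of an ElementTree tag, or '' when it has none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def payload_elements(payload_xml):
    """Set of (namespace, local name) for every child of <payload>."""
    root = ET.fromstring(payload_xml.strip())
    return {(_namespace(child.tag), _local(child.tag)) for child in root}


def check_copy_rules(assign_xml, payload_xml, prefixes):
    """Check every copy rule that writes a direct child of task:payload.

    Returns a list of (from_variable, last_xpath_step, status, suggestion),
    where status is ok, case-mismatch, undeclared or unknown-prefix.
    """
    declared = payload_elements(payload_xml)
    findings = []
    for node in ET.fromstring(assign_xml.strip()).iter():
        if _local(node.tag) != "copy":
            continue
        parts = {_local(child.tag): child for child in node}
        target = parts.get("to")
        if target is None:
            continue
        steps = [s for s in target.get("query", "").split("/") if s]
        if len(steps) < 2 or steps[-2] != "task:payload":
            continue  # not a write into the task payload
        prefix, _, name = steps[-1].rpartition(":")
        source = parts.get("from")
        variable = source.get("variable") if source is not None else None
        ns = prefixes.get(prefix)
        if ns is None:
            status, hint = "unknown-prefix", None
        elif (ns, name) in declared:
            status, hint = "ok", None
        else:
            # Same namespace, same letters, different case: almost certainly a typo.
            near = sorted(n for (d_ns, n) in declared
                          if d_ns == ns and n.lower() == name.lower())
            status = "case-mismatch" if near else "undeclared"
            hint = f"{prefix}:{near[0]}" if near else None
        findings.append((variable, steps[-1], status, hint))
    return findings


if __name__ == "__main__":
    for finding in check_copy_rules(COPY_RULES_XML, PAYLOAD_XML, {"task": TASK_NS}):
        print(finding)
```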

You are ready to specify that the tasks of the custom approval process are to be assigned to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane. These four users are responsible for approving the request Clark Brown makes for Dennis Bauer, a member of the FINANCE organization, to be assigned to the BUSINESS_ANALYST role.

 

.

Make the ApprovalTask.task file active (by clicking the ApprovalTask.task tab).

 

.

On the Create Form pane, select Assignment.

Note: You select the Assignment item because you want to assign the custom approval process to the BUSINESS organization (of which Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane are members) instead of the xelsysadm superuser account.

First, you want to create a task in the approval process titled Management Chain. Oracle Identity Manager uses this task to assign the approval process to two individuals after Clark Brown makes a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role:

  • Brad Chase, Clark Brown's manager, responsible for approving the request
  • Jerry Espenson, Brad Chase's manager, also responsible for approving the request.

As a result, you create a request management chain in the custom approval process that ascends to two levels above the user making the request (Clark Brown).

 

.

Double-click the Stage1.Participant1 icon.

Note: The Stage1.Participant1 icon represents the entity in Oracle Identity Manager to which the custom approval process is to be assigned.

 

.

On the Edit Participant Type window, select Serial from the Type menu and enter Management Chain in the Label field. Then, select Management Chain from the Build a list of participants using menu.

 

.

On the Starting Participants table, click the green plus icon. Then, select Add User from the popup menu that appears.

 

.

Select User from the Identification Type menu and By Expression from the Data Type menu. Click the ellipsis button [...] to the right of the Value field.

 

.

In the Expression Builder window, select the /task:task/task:payload/ns1:RequesterDetails/ns1:ManagerLogin expression in the Schema pane, and click Insert Into Expression.

Note: You select the /task:task/task:payload/ns1:RequesterDetails/ns1:ManagerLogin expression because you want Oracle Identity Manager to assign the custom approval process to:

  • Brad Chase, the manager of Clark Brown (the requester)
  • Jerry Espenson, Brad Chase's manager

 

.

Click OK to close the Expression Builder window.

 

.

Enter 2 in the Number of Levels field.

Note: By entering 2 in the Number of Levels field, you create a request management chain in the custom approval process that ascends to two levels above the user making the request (Clark Brown).

 

.

Click OK to close the Edit Participant Type window.

You created a task in the approval process titled Management Chain. Oracle Identity Manager uses this task to assign the approval process to two individuals after Clark Brown makes a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role:

  • Brad Chase, Clark Brown's manager, responsible for approving the request
  • Jerry Espenson, Brad Chase's manager, also responsible for approving the request.

You are ready to create a second task in the approval process titled Role Approver. Oracle Identity Manager uses this task to assign the approval process to Edwin Poole, a member of the BUSINESS_ANALYST_APPROVERS role. Because he belongs to this role, Mr. Poole is responsible for approving requests for all users who want to be assigned to the BUSINESS_ANALYST role (including the request Clark Brown makes for Dennis Bauer).

 

.

On the Create Form pane, select the Management Chain task.

 

.

Click the green plus icon, and select Parallel participant block from the popup menu that appears.

Note: You select the Management Chain task and select the Parallel participant block item from the popup menu because you want Oracle Identity Manager to trigger the Management Chain and Role Approver approval process tasks in parallel.

 

.

Use the following table to populate the Add Participant Type window:

Field | Value
Type menu | Single
Label | Role Approver
"Build a list of participants" menu | Names and expressions
"Specify attributes using" option | Value-based
Identification Type menu | Group
Data Type menu | By Expression
Value | /task:task/task:payload/task:RoleApprover

Note: You select Single from the Type menu and specify the /task:task/task:payload/task:RoleApprover expression because you want Oracle Identity Manager to assign the custom approval process to one user: Edwin Poole, a member of the BUSINESS_ANALYST_APPROVERS role.

 

.

Click OK.

You created a second task in the approval process titled Role Approver. Oracle Identity Manager uses this task to assign the approval process to Edwin Poole, a member of the BUSINESS_ANALYST_APPROVERS role. Because he belongs to this role, Mr. Poole is responsible for approving requests for all users who want to be assigned to the BUSINESS_ANALYST role (including the request Clark Brown makes for Dennis Bauer).

You are ready to create a third task in the approval process titled Organization Admins. Oracle Identity Manager uses this task to assign the approval process to Danny Crane, a member of the FINANCE_ADMINISTRATORS role. Because he belongs to this role, Mr. Crane is responsible for approving requests for all users who belong to the FINANCE organization (including Mr. Bauer).

 

.

On the Create Form pane, select the Role Approver task.

 

.

Click the green plus icon, and select Sequential participant block from the popup menu that appears.

Note: You select the Role Approver task and select the Sequential participant block item from the popup menu because you want Oracle Identity Manager to trigger the Organization Admins approval process task only after Edwin Poole completes the Role Approver task.

 

.

Use the following table to populate the Add Participant Type window:

Field | Value
Type menu | Single
Label | Organization Admins
"Build a list of participants" menu | Names and expressions
"Specify attributes using" option | Value-based
Identification Type menu | Group
Data Type menu | By Expression
Value | /task:task/task:payload/task:OrganizationAdmin

Note: You select Single from the Type menu and specify the /task:task/task:payload/task:OrganizationAdmin expression because you want Oracle Identity Manager to assign the custom approval process to one user: Danny Crane, a member of the FINANCE organization.

 

.

Click OK.

The ApprovalTask.task tab should appear, as follows:

You are ready to create a Vote Outcome and assign it to the custom approval process. The Vote Outcome is used to specify the percentage of votes required for an outcome to take effect. For this example, the Vote Outcome is used to verify that all four users (Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane) approved the request Clark Brown makes for Dennis Bauer to be assigned to the BUSINESS_ANALYST role.

 

.

Double-click the Edit icon (which appears as a pencil).

 

.

Use the following table to populate the Vote Outcome window:

Field | Value
Voted Outcomes menu | APPROVE
Outcome Type menu | By Percentage
Value | 100
Default Outcome menu | REJECT
"Wait until all votes are in before triggering outcome" option | [selected]

Note: By selecting APPROVE from the Voted Outcomes menu, By Percentage from the Outcome Types menu, and entering 100 in the Value field, Oracle Identity Manager is to add Dennis Bauer to the BUSINESS_ANALYST role only after Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane (or 100% of the users) approve Clark Brown's request for Mr. Bauer to be assigned to the role.

If all four users do not approve the request, Oracle Identity Manager rejects it (because you selected REJECT from the Default Outcome menu). Also, because you selected the "Wait until all votes are in before triggering outcome" option, Oracle Identity Manager does not add Mr. Bauer to the BUSINESS_ANALYST role until after Mr. Chase, Mr. Espenson, Mr. Poole, and Mr. Crane approve the request.

 

.

Click OK.

 

.

Click Save All on the JDeveloper toolbar to save your work.

You used JDeveloper to modify the custom approval process so that the approval process task is assigned to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane, instead of the xelsysadm superuser account.

You are ready to deploy the custom approval process directly to SOA. After the approval process is deployed, you then register the approval process to Oracle Identity Manager.

 

Deploying the Custom Approval Process

In the previous section of this OBE, you modified the custom approval process so that it is assigned to the ADMINISTRATION organization instead of the xelsysadm superuser account.

Two actions you completed to modify the approval process were:

You must include these two jar files as part of the classpath so that they can be referenced by SOA. Then, you can use JDeveloper to deploy the approval process to SOA.

To deploy the custom approval process, perform the following steps:

.

Launch Oracle Enterprise Manager Fusion Middleware Control 11g.

 

.

Log in to Oracle Enterprise Manager Fusion Middleware Control 11g with the "superuser" account for Oracle WebLogic Server. For this tutorial, enter weblogic in the User Name field, Welcome1 in the Password field, and click Login.

 

.

On the home page of Oracle Enterprise Manager Fusion Middleware Control 11g, expand the WebLogic Domain folder (by clicking the plus icon to the left of the folder).

 

.

Select the base domain for Oracle WebLogic Server. For this OBE, the base domain is base_domain.

 

.

From the base_domain menu, select System MBean Browser.

 

.

On the System MBean Browser page, expand the Application Defined MBeans folder (by clicking the plus icon to the left of the folder). Then, expand the oracle.as.soainfra.config, Server: <SOA_SERVER>, and BPELConfig folders. Lastly, click the bpel item.

Note: For this tutorial, <SOA_SERVER> represents the base directory for Oracle SOA, and is represented by soa_server1.

 

.

On the Attributes tab, click the BpelcClasspath item.

Note: You click the BpelcClasspath item because you want to include the oimclient.jar and jps-manifest.jar files as part of the classpath so that they can be referenced by SOA.

 

.

On the Attribute: BpelcClasspath page, click Use Multiple Line Editor.

Note: You click Use Multiple Line Editor because you are to include both the oimclient.jar and jps-manifest.jar files as part of the classpath. This information you are to add occupies more than one line of code.

 

.

In the text area, provide the full path for the oimclient.jar and jps-manifest.jar files. To do so, enter the following lines of code in the text area:

<MIDDLEWARE_HOME>/Oracle_IDM1/server/client/oimclient.zip:<MIDDLEWARE_HOME>/oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar

Important: For a Microsoft Windows environment, separate the full paths for the oimclient.jar and jps-manifest.jar files with a semicolon instead of a colon.

Note: <MIDDLEWARE_HOME> represents the base directory for the Oracle Fusion Middleware suite of products, including Oracle Identity Manager and Oracle SOA. For this tutorial, <MIDDLEWARE_HOME> is represented by /opt/oracle/Middleware/.

 

.

Click Apply.

A Confirmation message appears.

You included the oimclient.jar and jps-manifest.jar files as part of the classpath so that they can be referenced by SOA. You are ready to use JDeveloper to deploy the custom approval process to SOA.
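Added example (not part of the original tutorial): every archive named in BpelcClasspath is code that SOA loads for the approval process, so it is worth confirming that each entry resolves to a real file and that no other local account can overwrite it. The Python check below splits the value on the platform separator and reports whitespace inside an entry, missing files and world-writable files. The function names, the demo directory tree and both sample values are constructed for illustration.

```python
import os
import stat
import tempfile

PLACEHOLDER = "<MIDDLEWARE_HOME>"

# Constructed sample values: the first has a stray space after a slash.
WITH_STRAY_SPACE = (
    "<MIDDLEWARE_HOME>/Oracle_IDM1/server/client/oimclient.zip:"
    "<MIDDLEWARE_HOME>/ oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar"
)
CLEAN = (
    "<MIDDLEWARE_HOME>/Oracle_IDM1/server/client/oimclient.zip:"
    "<MIDDLEWARE_HOME>/oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar"
)


def check_bpelc_classpath(value, middleware_home, separator=":"):
    """Return [(resolved_entry, [problems])], one tuple per classpath entry.

    Pass separator=";" for a Microsoft Windows environment.
    """
    results = []
    for raw in value.split(separator):
        problems = []
        if any(ch.isspace() for ch in raw):
            problems.append("contains whitespace")
        entry = raw.replace(PLACEHOLDER, middleware_home.rstrip("/\\"))
        if not os.path.isabs(entry):
            problems.append("not an absolute path")
        if not os.path.isfile(entry):
            problems.append("file not found")
        elif os.stat(entry).st_mode & stat.S_IWOTH:
            # Any local account could replace code that SOA loads.
            problems.append("world-writable")
        results.append((entry, problems))
    return results


def build_demo_tree():
    """Create a throwaway directory tree that mimics the two jar locations."""
    root = tempfile.mkdtemp(prefix="mw_home_")
    client = os.path.join(root, "Oracle_IDM1", "server", "client")
    jps = os.path.join(root, "oracle_common", "modules", "oracle.jps_11.1.1")
    os.makedirs(client)
    os.makedirs(jps)
    samples = (
        (os.path.join(client, "oimclient.zip"), 0o644),
        (os.path.join(jps, "jps-manifest.jar"), 0o666),  # deliberately too open
    )
    for path, mode in samples:
        with open(path, "wb") as handle:
            handle.write(b"PK")  # placeholder bytes, not a real archive
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    home = build_demo_tree()
    for label, value in (("stray space", WITH_STRAY_SPACE), ("clean", CLEAN)):
        print(label)
        for entry, problems in check_bpelc_classpath(value, home):
            print("  ", entry, "->", problems or "ok")
```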

 

.

Make JDeveloper active.

 

.

From the Projects tab, right-click the project name, AssignRoleApproval, and select Deploy > AssignRoleApproval...

 

.

On the Deployment Action screen, select the Deploy to Application Server deployment action. Click Next.

Note: The Deploy to Application Server deployment action creates a JAR file for the custom approval process and deploys it to SOA. The Deploy to SAR deployment action creates a SAR (JAR) file of the approval process, but does not deploy it.

 

.

On the Deploy Configuration screen, select the Overwrite any existing composites with the same revision ID check box. Click Next.

Note: You select this check box because you want the custom approval process you are deploying to SOA to replace any existing approval workflows that may have the same revision identification number. For this tutorial, this ID is 1.0.

 

.

On the Select Server screen, click the green plus icon.

Note: You click this icon to add <SOA_SERVER> to the list of application servers to which JDeveloper can connect. JDeveloper must communicate with SOA for the custom approval process, which you created and modified in JDeveloper, to be deployed to SOA. For this tutorial, <SOA_SERVER> is represented by soa_server1.

 

.

On the Name and Type screen, enter a unique name for the connection between JDeveloper and SOA in the Connection Name field, and click Next. For this tutorial, soaserver represents the name of the connection.

 

.

On the Authentication screen, enter the login credentials of the "superuser" account for Oracle WebLogic Server. For this tutorial, enter weblogic in the Username field, Welcome1 in the Password field, and click Next.

Note: For security purposes, the password is displayed as a series of bullets (·). For this example, because the password is Welcome1, it appears as ·······.

 

.

On the Configuration screen, enter the base domain for Oracle WebLogic Server in the Weblogic Domain field, and click Next. For this OBE, the base domain is base_domain.

 

.

On the Test screen, click Test Connection.

Note: You click Test Connection to verify that JDeveloper can connect to SOA successfully.

 

.

After confirming that all nine connection tests are successful, click Finish.

 

.

On the Select Server screen, select the name you provided for the connection between JDeveloper and SOA in step 16 of this procedure, and click Finish. For this tutorial, soaserver represents the name of the connection.

 

.

After two minutes, click the Deployment tab in JDeveloper. Verify that you see the following message:

Successfully deployed archive sca_AssignRoleApproval_rev1.0.jar

This message signifies you deployed the approval process successfully.

In this section of the OBE, you deployed the custom approval process to SOA. You are ready to register this approval process so that Oracle Identity Manager can use it.

 

Registering the Custom Approval Process

In the previous section of this OBE, you included the oimclient.jar and jps-manifest.jar files as part of the classpath so that they can be referenced by SOA. Then, you used JDeveloper to deploy the custom approval process to SOA.

You are ready to register the custom approval process so that Oracle Identity Manager can use it. This includes creating a properties file for this approval process and then using the Register utility to register the process.

The properties files for all approval processes are found in the <MIDDLEWARE_HOME>/Oracle_IDM1/server/workflows/registration directory. The file name is the same as the approval process, followed by a PROPS extension. For example, the properties file for the AssignRoleApproval custom approval process is AssignRoleApproval.props.

To register the custom approval process, perform the following steps:

.

Using File Browser, navigate to the <MIDDLEWARE_HOME>/Oracle_IDM1/server/workflows/registration directory.

Note: You navigate to this directory because you are creating a properties file for the custom approval process, and properties files for all approval processes are found in the <MIDDLEWARE_HOME>/Oracle_IDM1/server/workflows/registration directory. Also, <MIDDLEWARE_HOME> represents the base directory for the Oracle Fusion Middleware suite of products, including Oracle Identity Manager and Oracle SOA. For this tutorial, <MIDDLEWARE_HOME> is represented by /opt/oracle/Middleware/.

 

.

Right-click the ResourceAuthorizerApproval.props file, and select Copy from the menu that appears.

Note: You are copying this file because it is easier to modify an existing properties file than it is to create it from scratch.

 

.

Select Edit from the menu bar. Select Paste from the menu that appears.

 

.

Rename the copied file to AssignRoleApproval.props.

Note: The properties file for the custom approval process has the same name as the approval process, followed by a PROPS extension. For this example, the properties file for the AssignRoleApproval custom approval process is AssignRoleApproval.props.

The properties file sets the parameters required for registering the AssignRoleApproval custom approval process to Oracle Identity Manager. It defines the name, the type of approval process, the provider information, the service name used to access the process, the default domain associated with the process, the version deployed, the packet name for the payload information, the operation, and finally, the list of approval tasks available in the process.

 

.

Using a text editor, open the AssignRoleApproval.props file. To do so, right-click the file, and select Open with "Text Editor" from the popup menu that appears.

 

.

Locate the following lines of code:

# ResourceAuthorizerApproval
name=ResourceAuthorizerApproval

 

.

Modify these lines of code, as follows:

# AssignRoleApproval
name=AssignRoleApproval

The AssignRoleApproval.props file should appear, as follows:

 

.

Save and close the AssignRoleApproval.props file.

You created a properties file for the custom approval process. You are ready to use the Register utility to register the custom approval process so that Oracle Identity Manager can use it.

 

.

Open a Terminal window.

 

.

Navigate to the <MIDDLEWARE_HOME>/wlserver_10.3/server/bin directory.

Note: <MIDDLEWARE_HOME> represents the base directory for the Oracle Fusion Middleware suite of products, including Oracle Identity Manager and Oracle SOA. For this tutorial, <MIDDLEWARE_HOME> is represented by /opt/oracle/Middleware/.

 

.

At the prompts, enter the following commands (and press Enter after each command):

  • bash
  • source setWLSEnv.sh

Note: By entering the bash and source setWLSEnv.sh commands, you call the setWLSEnv.sh script that comes with Oracle WebLogic Server. This script sets up all of the environment variables so that you can run the Register utility.

 

At the prompt, enter ant -f <OIM_HOME>/server/workflows/registration/registerworkflows-mp.xml register (and press Enter).

Note: ant represents the ant.sh file. This shell script file supplies built-in tasks used to run Java applications, such as the Register utility. By using the -f command, you are forcing the utility to run.

<OIM_HOME> represents the base directory for Oracle Identity Manager. For this tutorial, <OIM_HOME> is represented by /opt/oracle/Middleware/Oracle_IDM1.

registerworkflows-mp.xml is the name of the XML file associated with the Register utility, and register is the command to register the custom approval process.

 

Enter values for the prompts that appear, as follows (and press Enter after each value):

Prompt | Value
Enter the username | xelsysadm
Enter the password | Welcome1
Provide oim managed server t3 URL | t3://localhost:14000
inputpath(complete file name) of the property file | AssignRoleApproval.props

Important: The values passed to the Register utility include the username for the Oracle Identity Manager system administration account, the password for the account, the t3 URL to connect to Oracle Identity Manager, and the properties file created earlier in this procedure. Also, the values that you enter for the username, password, URL, and property file are case-sensitive. Lastly, the password value is hidden for security purposes.

The Register utility begins to register the custom approval process. After the approval process is registered, a BUILD SUCCESSFUL message appears.

In this section of the OBE, you created a properties file for the custom approval process and used the Register utility to register this process. As a result, Oracle Identity Manager can use this approval process.

You are ready to create the approval policy that is to be used by Oracle Identity Manager to invoke the approval process.
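The copy, rename, and edit steps above can be scripted and checked before the Register utility is run. The following shell script is an added example, not part of the original tutorial or of Oracle's tooling; the helper names make_props and check_props, the Stale.props file, and the two-line sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle code. Assumption: only the "# <name>" header and
# the name= key carry the process name, as in the two lines the tutorial edits.

# make_props SRC DST: copy SRC to DST, renaming the process after DST's file name.
make_props() {
    old=$(basename "$1" .props)
    new=$(basename "$2" .props)
    # Process names here are plain identifiers, so they are safe inside sed patterns.
    sed -e "s/^# $old\$/# $new/" -e "s/^name=$old\$/name=$new/" "$1" > "$2"
}

# check_props FILE: return 0 when FILE is consistent, otherwise 2..5 with a reason.
check_props() {
    base=$(basename "$1")
    case $base in
        *.props) want=${base%.props} ;;
        *) echo "$base: file name must end in .props" >&2; return 2 ;;
    esac
    [ -r "$1" ] || { echo "$1: not readable" >&2; return 3; }
    count=$(grep -c '^name=' "$1" || true)
    if [ "$count" -ne 1 ]; then
        echo "$1: expected exactly one name= line, found $count" >&2; return 4
    fi
    got=$(sed -n 's/^name=//p' "$1")
    if [ "$got" != "$want" ]; then   # exact, case-sensitive comparison
        echo "$1: name=$got does not match file name ($want)" >&2; return 5
    fi
    return 0
}

# Constructed sample standing in for the template; the real file holds more keys.
demo=$(mktemp -d)
cat > "$demo/ResourceAuthorizerApproval.props" <<'EOF'
# ResourceAuthorizerApproval
name=ResourceAuthorizerApproval
EOF

# Copy and rename only: the name key still holds the template's name.
cp "$demo/ResourceAuthorizerApproval.props" "$demo/Stale.props"
check_props "$demo/Stale.props" 2>/dev/null || echo "Stale.props rejected with code $?"

# Copy, rename and edit in one step, then verify before running the Register utility.
make_props "$demo/ResourceAuthorizerApproval.props" "$demo/AssignRoleApproval.props"
check_props "$demo/AssignRoleApproval.props" && echo "AssignRoleApproval.props is consistent"
```

Because the comparison is exact, a trailing space or a difference in letter case in the name value is reported as a mismatch.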

 

Creating Policies for the Custom Approval Process

In the previous section of this OBE, you registered the custom approval process. By doing so, Oracle Identity Manager can use this approval process.

You are ready to build two approval policies to support the custom approval process. Oracle Identity Manager uses the first approval policy to bypass the request level of approval. Oracle Identity Manager uses the second policy to assign the approval process to the BUSINESS_ANALYST_APPROVERS role, the FINANCE_ADMINISTRATORS role, and to the following individuals:

  • Brad Chase, Clark Brown's manager, responsible for approving the request
  • Jerry Espenson, Brad Chase's manager, also responsible for approving the request

As a result, you create a request management chain in the custom approval process that ascends to two levels above the user making the request (Clark Brown).

Note: Oracle Identity Manager executes these approval policies sequentially.

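At runtime, Clark Brown makes a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role. As a result, Oracle Identity Manager uses the custom approval process to assign this request to:

  • Brad Chase, Clark Brown's manager
  • Jerry Espenson, Brad Chase's manager
  • Edwin Poole, a member of the BUSINESS_ANALYST_APPROVERS role
  • Danny Crane, a member of the FINANCE_ADMINISTRATORS role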

After all four users approve the request, Oracle Identity Manager assigns Dennis Bauer to the BUSINESS_ANALYST role.

To create policies for the custom approval process, perform the following steps:

1. Log in to the Administrative and User Console as Shirley Schmidt. For this tutorial, enter SSCHMIDT in the User ID field, Welcome1 in the Password field, and click Sign In.

Note: The first time you log in to Oracle Identity Manager with a particular account, you must select and answer "challenge" questions. These questions are used to verify your identity if you need to reset your password. However, for all subsequent logins with that account, these questions do not appear. Instead, you are taken directly to the Home page of the Administrative and User Console.

 

2. Click the Advanced link on the home page of the Authenticated Self Service Console.

Note: You click the Advanced link to access the Advanced Administration Console. This console is used to create policies for the custom approval process.

 

3. On the home page of the Advanced Administration Console, click the Policies tab.

 

4. On the Policies tab, click Create.

You are ready to configure the custom approval process so that it bypasses the request level of approval. As a result, at runtime, after Clark Brown makes a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role, Oracle Identity Manager assigns the request to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane.

 

5. Populate the "Set Approval Policy details" page, as follows:

Field | Value
Policy Name | AssignRoleApprovalPolicyOne
Request Type menu | Assign Roles
Level menu | Request Level
Auto Approval check box | [selected]

Note: You select Assign Roles from the Request Type menu because the custom approval process is associated with a request for role assignment for a user. By selecting the Auto Approval check box, you are configuring the approval process so that it bypasses the request level of approval.

 

6. Click Next.

You are ready to create a rule for the approval policy. At runtime, Oracle Identity Manager evaluates the criteria of the rule. If the result of the evaluation is true, Oracle Identity Manager executes the approval policy, and bypasses the request level of approval.

As a result, at runtime, after Clark Brown makes a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role, Oracle Identity Manager assigns the request to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane.

 

7. On the Set Approval Rule and Component page, enter AssignRoleApprovalRuleOne in the Rule Name field. Click Add Simple Rule.

 

8. Populate the Add Simple Rule window, as follows:

Menu | Value
Entity | Request
Attribute | Request Type
Condition | Equals
Value | Assign Roles
Parent Rule Container | Approval Rule

Note: For this example, because the classification type of the request is associated with a request for role assignment for a user, Oracle Identity Manager evaluates the criteria of the rule to be true (because Clark Brown makes a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role). As a result, Oracle Identity Manager executes the approval policy, and bypasses the request level of approval.

 

9. Click Save.

 

10. On the Set Approval Rule and Component page, click Next.

 

11. On the Review Approval Policy Summary page, click Finish.

 

12. On the Message window, click OK.

You created an approval policy to support the custom approval process. Oracle Identity Manager uses this policy to bypass the request level of approval.

You are ready to create a second approval policy. Oracle Identity Manager uses this policy to assign the approval process to Brad Chase, Jerry Espenson, Edwin Poole, and Danny Crane.

 

13. On the Policies tab, click Create.

 

14. Populate the "Set Approval Policy details" page, as follows:

Field | Value
Policy Name | AssignRoleApprovalPolicyTwo
Request Type menu | Assign Roles
Level menu | Operation Level
All Scope check box | [selected]
Approval Process | default/AssignRoleApproval!1.0

Note: By selecting the All Scope check box, Oracle Identity Manager examines all entities that match the item that appears in the Scope Type field. For this example, Oracle Identity Manager evaluates this policy against every Oracle Identity Manager role (because Role is displayed in the Scope Type field).

AssignRoleApproval is the name of the custom approval process you created, deployed, and registered in this OBE.

 

15. Click Next.

You are ready to create a rule for the approval policy. At runtime, Oracle Identity Manager evaluates the criteria of the rule. If the result of the evaluation is true, Oracle Identity Manager executes the approval policy, and assigns the custom approval process to Brad Chase (Clark Brown's manager), Jerry Espenson (Brad Chase's manager), and both the BUSINESS_ANALYST_APPROVERS and FINANCE_ADMINISTRATORS roles.

Because Edwin Poole is a member of the BUSINESS_ANALYST_APPROVERS role and Danny Crane belongs to the FINANCE_ADMINISTRATORS role, they can complete the approval process.

 

16. On the Set Approval Rule and Component page, enter AssignRoleApprovalRuleTwo in the Rule Name field. Click Add Simple Rule.

 

17. Populate the Add Simple Rule window, as follows:

Menu | Value
Entity | Request
Attribute | Request Type
Condition | Equals
Value | Assign Roles
Parent Rule Container | Approval Rule

 

18. Click Save.

 

19. On the Set Approval Rule and Component page, click Next.

 

20. On the Review Approval Policy Summary page, click Finish.

 

21. On the Message window, click OK.

You built two approval policies to support the custom approval process. Oracle Identity Manager uses the first approval policy to bypass the request level of approval. Oracle Identity Manager uses the second policy to assign the approval process to the BUSINESS_ANALYST_APPROVERS role, the FINANCE_ADMINISTRATORS role, and to the following individuals:

  • Brad Chase, Clark Brown's manager, responsible for approving the request
  • Jerry Espenson, Brad Chase's manager, also responsible for approving the request

As a result, you create a request management chain in the custom approval process that ascends to two levels above the user making the request (Clark Brown).

Oracle Identity Manager executes these approval policies sequentially.

You are ready to make a request to assign a role to a user. By doing so, you verify the custom approval process.

 

Completing the Custom Approval Process

In the previous section of this OBE, you created two approval policies for the custom approval process. Oracle Identity Manager uses the first approval policy to bypass the request level of approval. Oracle Identity Manager uses the second policy to assign the approval process to the BUSINESS_ANALYST_APPROVERS role, the FINANCE_ADMINISTRATORS role, and to Brad Chase and Jerry Espenson. Oracle Identity Manager executes these approval policies sequentially.

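You are ready to make a request as Clark Brown for Dennis Bauer to be assigned to the BUSINESS_ANALYST role. Oracle Identity Manager uses the custom approval process to assign this request to:

  • Brad Chase, Clark Brown's manager
  • Jerry Espenson, Brad Chase's manager
  • Edwin Poole, a member of the BUSINESS_ANALYST_APPROVERS role
  • Danny Crane, a member of the FINANCE_ADMINISTRATORS role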

After all four users approve the request, Oracle Identity Manager assigns Dennis Bauer to the BUSINESS_ANALYST role.

To complete the custom approval process, perform the following steps:

1. Log in to the Administrative and User Console as Clark Brown. For this tutorial, enter CBROWN in the User ID field, Welcome1 in the Password field, and click Sign In.

Note: The first time you log in to Oracle Identity Manager with a particular account, you must select and answer "challenge" questions. These questions are used to verify your identity if you need to reset your password. However, for all subsequent logins with that account, these questions do not appear. Instead, you are taken directly to the Home page of the Administrative and User Console.

 

2. Click the Requests tab on the Authenticated Self Service Console.

Note: If you see the Advanced Administration Console instead of the Authenticated Self Service Console, click the Self-Service link in the upper-right corner of the active console's Home page.

 

3. On the Requests tab, click Create Request.

Note: You select the Requests tab and click Create Request because, as Clark Brown, you are making a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role.

 

4. On the Request Beneficiary page, select the Request for Others option. Click Next.

Note: You select the Request for Others option because you are making a request for another user (Dennis Bauer) to be assigned to the BUSINESS_ANALYST role.

 

5. On the Self Request Template page, select Assign Roles from the Request Template menu. Click Next.

 

6. On the Select Users page, select and assign Dennis Bauer. Click Next.

 

7. On the Select Roles page, select and assign the BUSINESS_ANALYST role. Click Next.

Note: You select Assign Roles from the Request Template menu on the Self Request Template page, select Dennis Bauer as the user on the Select Users page, and select BUSINESS_ANALYST as the role on the Select Roles page because you are making a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role.

 

8. Use the following screenshot to populate the Justification page (and click Finish):

The Create Request tab is active, and displays a message that the request is created and sent successfully.

Important: Specify today's date in the Effective Date field of the Justification page. For this OBE, the current date is December 07, 2011.

Note: 1 is the ID number of the role assignment request. By default, Oracle Identity Manager assigns the number one to the request (because this is the first request you made in Oracle Identity Manager).

As Clark Brown, you created a request for Dennis Bauer to be assigned to the BUSINESS_ANALYST role. As a result, Oracle Identity Manager uses the custom approval process to assign the request to four users:

  • Brad Chase, Clark Brown's manager
  • Jerry Espenson, Brad Chase's manager
  • Edwin Poole, a member of the BUSINESS_ANALYST_APPROVERS role (and responsible for approving the request for Mr. Bauer to be assigned to the BUSINESS_ANALYST role)
  • Danny Crane, a member of the FINANCE_ADMINISTRATORS role (and responsible for approving the request for Dennis Bauer because Mr. Bauer belongs to the FINANCE organization)

You are ready to log in to Oracle Identity Manager as each user to approve the request. After all four users approve the request, Oracle Identity Manager assigns Dennis Bauer to the BUSINESS_ANALYST role.

 

9. Log out of Oracle Identity Manager.

 

10. Log in to Oracle Identity Manager as Brad Chase. To do so, enter BCHASE in the User ID field, Welcome1 in the Password field, and click Sign In.

Note: The first time you log in to Oracle Identity Manager with a particular account, you must select and answer "challenge" questions. These questions are used to verify your identity if you need to reset your password. However, for all subsequent logins with that account, these questions do not appear. Instead, you are taken directly to the Home page of the Administrative and User Console.

 

11. On the home page of the Authenticated Self Service Console, click the Search Approval Tasks link.

Note: You click this link to see all approval process tasks assigned to Brad Chase.

 

12. On the Approvals tab, click the link that contains the number 1.

Note: 1 is the ID number of the role assignment request.

 

13. On the Task Details page, click Approve Task.

 

14. On the Message window, click OK.

 

15. Repeat steps 9-14 of this procedure to approve the request as Edwin Poole, Jerry Espenson, and Danny Crane.

Brad Chase, Edwin Poole, Jerry Espenson, and Danny Crane completed the custom approval process. As a result, the request for role assignment for a user is complete, and Oracle Identity Manager assigns Dennis Bauer to the BUSINESS_ANALYST role.

You are ready to verify that Mr. Bauer is assigned to the role in Oracle Identity Manager.

 

16. Log out of Oracle Identity Manager.

 

17. Log in to the Administrative and User Console with the "superuser" account for Oracle Identity Manager. For this tutorial, enter xelsysadm in the User ID field, Welcome1 in the Password field, and click Sign In.

 

18. On the home page of the Delegated Administration Console, enter DBAUER in the text field to the right of the Users menu. Click the right-arrow button.

Note: DBAUER is the ID of Dennis Bauer, the end-user for whom you made the role assignment request.

Also, if you see the Authenticated Self Service Console or Advanced Administration Console instead of the Delegated Administration Console, click the Administration link in the upper-right corner of the active console's Home page.

 

19. On the Search Results tab, click the link that contains the full name of Dennis Bauer.

 

20. On the page that contains the record for Dennis Bauer, click the Roles tab.

Verify that the BUSINESS_ANALYST role appears in the Roles tab.

Oracle Identity Manager assigned Dennis Bauer to the BUSINESS_ANALYST role. The request for role assignment for a user is complete.

 

Summary

In this tutorial, you used Oracle Identity Manager 11.1.1.5.0 to create a custom approval process and use it to approve a request for role assignment for a user.

In this tutorial, you should have learned how to:

Resources

Copyright © 2012, Oracle and/or its affiliates. All rights reserved