Thursday, November 13, 2014

OIM 11g R2 - Approval Policies deprecated request types

In this post I will cover some of the new request types introduced in Approval Policies that were not there up to the 11g R1 (11.1.1.7.0) release.

Along with that there are some other changes, such as Request Templates no longer existing in 11g R2.

The Template Level Approval Workflow setting that was available in 11g R1 has also been completely discarded in the newer release.

Since Application Instances have been introduced, all resource request types have been replaced with Application Instance request types.

11g R2 also has a new set of request types for Entitlements.

Let's look at the new request types in 11g R2.

[Screenshot: request types listed in the 11g R2 Approval Policies UI]

There is one more not captured in the above screenshot: Access Policy Based Application Instance Provisioning.


The following request types have been deprecated and do not appear:

Provision Resource - Replaced by Provision Application Instance
De-Provision Resource - Replaced by Revoke Account
Enable Provisioned Resource - Replaced by Enable Account
Disable Provisioned Resource - Replaced by Disable Account
Modify Provisioned Resource - Replaced by Modify Account
Request types related to 'Self', like Self-Assign Resource and Self-Assign Role, are replaced by the generic types Provision Application Instance and Assign Roles

The completely new ones are:

All Entitlement specific request types
Application Instance specific request types, which replace the resource-centric ones
Access Policy Based Application Instance Provisioning


Request templates are not supported from R2 onwards. Custom Request templates were never really custom request types; they are the standard request types with additional configuration. All approval policy rules that are based on Request Templates need to be modified appropriately prior to the upgrade. The recommendation is to model the approval task assignment rules in the SOA workflow. 'Resource' related request types are also deprecated, so the corresponding approval configuration needs to be reconfigured for the "Application Instance" based request types.

Create/Modify/Delete Role request types are still supported in R2. Approval Policies can be created for these request types.

Note: As in R1, request creation and tracking for these request types is supported only through the backend. The R2 UI doesn't support submission and tracking of Create/Modify/Delete Role requests.

Wednesday, November 12, 2014

OIM 11g R2 PS2 : SOA Approval Workflow Sample

In this post I am sharing the sample code for a SOA approval workflow.

Some of the features that this workflow addresses are:

  1. Approval by the Manager or Role Owners is dynamic, based on the custom OIM system property "approval-condition". Its value is set to either "AND" or "OR".
  2. The Manager or Role Owner can be set to be notified only, with no approval required. In this case an email is sent to notify them, but no approval is required from them. Custom OIM system properties are created to address this.
    •  manager-notify-only = TRUE or FALSE
      • TRUE = only notify the manager; no approval request is sent.
      • FALSE = notify the manager and send an approval request.
    •  roleowner-notify-only = TRUE or FALSE
      • TRUE = only notify the role owner; no approval request is sent.
      • FALSE = notify the role owner and send an approval request.
  3. A third-level system notification was required, but it had to be dynamic. A custom OIM system property is created to address this.
    • sysadmin-notify-only = TRUE or FALSE
      • TRUE = notify the sys admin.
      • FALSE = do not notify the sys admin.
  4. If a manager makes the request on behalf of a subordinate, the manager's approval is automatically skipped in the approval chain.
  5. If a role owner makes the request, his/her approval is automatically skipped if he/she is in the approval chain.
  6. Emails are triggered before and after the human approval task from notification templates within the OIM web console. OIM APIs were used to send out the emails. This was done to ease email body modification, which would otherwise have to be done from JDeveloper, followed by redeploying the SOA composite.


BPEL Process

[Screenshot: BPEL process diagram]

BPEL Workflow level global variables

[Screenshot: BPEL workflow level global variables]

Java Code for the java embedding activity 1



try {
    // Read the OIM admin credential from the CSF map rather than hard-coding it in the composite.
    String oimUserName = "";
    char[] oimPassword = new char[0];
    oracle.security.jps.JpsContext ctx = oracle.security.jps.JpsContextFactory.getContextFactory().getContext();
    final oracle.security.jps.service.credstore.CredentialStore cs =
        (oracle.security.jps.service.credstore.CredentialStore) ctx.getServiceInstance(oracle.security.jps.service.credstore.CredentialStore.class);
    oracle.security.jps.service.credstore.CredentialMap cmap = cs.getCredentialMap("oracle.oim.sysadminMap");
    oracle.security.jps.service.credstore.Credential cred = cmap.getCredential("sysadmin");
    if (cred instanceof oracle.security.jps.service.credstore.PasswordCredential) {
        oracle.security.jps.service.credstore.PasswordCredential pcred = (oracle.security.jps.service.credstore.PasswordCredential) cred;
        oimUserName = pcred.getName();
        oimPassword = pcred.getPassword(); // keep it as char[]; no String copy of the password lingers on the heap
    }

    String oimURL = "t3s://localhost:443/oim";
    String roleApprover = "xelsysadm";
    java.util.Hashtable env = new java.util.Hashtable();
    env.put(oracle.iam.platform.OIMClient.JAVA_NAMING_FACTORY_INITIAL, oracle.iam.platform.OIMClient.WLS_CONTEXT_FACTORY);
    env.put(oracle.iam.platform.OIMClient.JAVA_NAMING_PROVIDER_URL, oimURL);
    oracle.iam.platform.OIMClient client = new oracle.iam.platform.OIMClient(env);
    System.out.println("Before Login");
    client.login(oimUserName, oimPassword);
    System.out.println("Login Successful");

    // PROPERTY BLOCK: the custom system properties that drive the approval chain.
    // "true".equalsIgnoreCase(x) is null-safe: a missing or misspelled property value counts as FALSE.
    Thor.API.Operations.tcPropertyOperationsIntf propertyOperationsIntf =
        client.getService(Thor.API.Operations.tcPropertyOperationsIntf.class);
    String approval_condition = propertyOperationsIntf.getPropertyValue("approval-condition"); // "AND" or "OR"
    System.out.println("approval_condition---->" + approval_condition);
    boolean isAnd = "and".equalsIgnoreCase(approval_condition);
    boolean isOr = "or".equalsIgnoreCase(approval_condition);
    // votedOutCome: 100 = manager and role owner must approve, 50 = one of them, 0 = no approval needed
    int votedOutCome = 100;

    // MANAGER BLOCK
    String manager_notify_only = propertyOperationsIntf.getPropertyValue("manager-notify-only");
    System.out.println("manager_notify_only------>" + manager_notify_only);
    boolean mgrNotifyOnly = "true".equalsIgnoreCase(manager_notify_only);
    setVariableData("manager-notify-only", mgrNotifyOnly ? 1 : 0);

    // ROLE OWNER BLOCK
    String roleowner_notify_only = propertyOperationsIntf.getPropertyValue("roleowner-notify-only");
    System.out.println("roleowner_notify_only----->" + roleowner_notify_only);
    boolean ownerNotifyOnly = "true".equalsIgnoreCase(roleowner_notify_only);
    setVariableData("roleowner-notify-only", ownerNotifyOnly ? 1 : 0);

    // CHECK ALL TRUE: nobody has to approve
    if (mgrNotifyOnly && ownerNotifyOnly) votedOutCome = 0;
    // CHECK AND POSSIBILITIES
    if (isAnd) {
        if (!mgrNotifyOnly && !ownerNotifyOnly) votedOutCome = 100;
        if (mgrNotifyOnly != ownerNotifyOnly) votedOutCome = 50;
    }
    // CHECK OR POSSIBILITIES: with OR a single approval is enough
    if (isOr) {
        if (!(mgrNotifyOnly && ownerNotifyOnly)) votedOutCome = 50;
    }
    System.out.println("votedOutCome  --->" + votedOutCome);
    setVariableData("votedOutCome", votedOutCome);

    // SYS ADMIN BLOCK
    String sysadmin_notify_only = propertyOperationsIntf.getPropertyValue("sysadmin-notify-only");
    System.out.println("sysadmin_notify_only------->" + sysadmin_notify_only);
    setVariableData("sysadmin-notify-only", "true".equalsIgnoreCase(sysadmin_notify_only) ? "TRUE" : "FALSE");

    oracle.iam.request.api.RequestService reqSvc = client.getService(oracle.iam.request.api.RequestService.class);
    oracle.iam.identity.rolemgmt.api.RoleManager roleSvc = client.getService(oracle.iam.identity.rolemgmt.api.RoleManager.class);
    oracle.iam.identity.usermgmt.api.UserManager usersvc = client.getService(oracle.iam.identity.usermgmt.api.UserManager.class);
    oracle.iam.notification.api.NotificationService notsvc = client.getService(oracle.iam.notification.api.NotificationService.class);

    // The request ID arrives in the composite's input payload
    Object reqIdXMLElem = getVariableData("inputVariable", "payload", "/ns3:process/ns4:RequestID");
    String reqId = ((oracle.xml.parser.v2.XMLElement) reqIdXMLElem).getText();
    System.out.println("The request ID is " + reqId);
    oracle.iam.request.vo.Request req = reqSvc.getBasicRequestData(reqId);
    System.out.println("req--->" + req);
    String requesterID = req.getRequesterKey();
    System.out.println("requesterID ->" + requesterID);
    java.util.List<oracle.iam.request.vo.Beneficiary> beneficiaries = req.getBeneficiaries();
    System.out.println("beneficiaries----->" + beneficiaries);

    if (beneficiaries != null) {
        for (oracle.iam.request.vo.Beneficiary benf : beneficiaries) {
            String beneficiaryID = benf.getBeneficiaryKey();
            System.out.println(" beneficiaryID->" + beneficiaryID);
            oracle.iam.identity.usermgmt.vo.User user1 = usersvc.getDetails(beneficiaryID, null, false);
            System.out.println("user1------>" + user1);
            java.util.HashMap userMap = user1.getAttributes();
            System.out.println("userMap ->" + userMap);
            // A beneficiary without a manager has no usr_manager_key: the NullPointerException below then
            // lands in the catch block and votedOutCome stays at the property-block value set above.
            String mgrKey = userMap.get("usr_manager_key").toString();
            System.out.println("mgrKey ->" + mgrKey);

            // Requester is the beneficiary's manager: the manager approval is skipped
            if (mgrKey.equalsIgnoreCase(requesterID)) {
                System.out.println("requesterIsManager   is   true");
                setVariableData("requesterIsManager", 1);
                if (ownerNotifyOnly) votedOutCome = 0;
                if ((isAnd || isOr) && !mgrNotifyOnly && !ownerNotifyOnly) votedOutCome = 50;
            } else {
                System.out.println("requesterIsManager   is   false");
                setVariableData("requesterIsManager", 0);
            }

            java.util.List<oracle.iam.request.vo.RequestBeneficiaryEntity> rbes = benf.getTargetEntities();
            for (oracle.iam.request.vo.RequestBeneficiaryEntity rbe : rbes) {
                String key = rbe.getEntityKey();
                System.out.println("key---->" + key);
                String type = rbe.getEntityType();
                System.out.println("type---->" + type);
                if (!type.equalsIgnoreCase("Role")) continue;
                System.out.println("type is role");
                oracle.iam.identity.rolemgmt.vo.Role role = roleSvc.getDetails(key, null);
                String roleOwnerKey = role.getAttribute(oracle.iam.identity.rolemgmt.api.RoleManagerConstants.ROLE_OWNER_KEY).toString();
                System.out.println("roleOwnerKey--->" + roleOwnerKey);

                // Requester owns the requested role: the role owner approval is skipped
                if (roleOwnerKey.equalsIgnoreCase(requesterID)) {
                    System.out.println("requesterIsRoleOwner   is   true");
                    setVariableData("requesterIsRoleOwner", 1);
                    if (mgrNotifyOnly) votedOutCome = 0;
                    if ((isAnd || isOr) && !mgrNotifyOnly && !ownerNotifyOnly) votedOutCome = 50;
                } else {
                    System.out.println("requesterIsRoleOwner   is   false");
                    setVariableData("requesterIsRoleOwner", 0);
                }
                if (roleOwnerKey.equalsIgnoreCase(requesterID) && mgrKey.equalsIgnoreCase(roleOwnerKey)) votedOutCome = 0;

                // Manager and role owner are the same person: only one approver remains
                if (mgrKey.equalsIgnoreCase(roleOwnerKey)) {
                    System.out.println("managerIsRoleOwner   is   true");
                    setVariableData("managerIsRoleOwner", 1);
                    if (mgrNotifyOnly != ownerNotifyOnly) votedOutCome = 50;
                } else {
                    System.out.println("managerIsRoleOwner   is   false");
                    setVariableData("managerIsRoleOwner", 0);
                }

                oracle.iam.identity.usermgmt.vo.User roleOwner = usersvc.getDetails(roleOwnerKey, null, false);
                System.out.println("login is --->" + roleOwner.getLogin());
                roleApprover = roleOwner.getLogin();
                setVariableData("roleApprover", roleApprover);

                // Code for sending e-mail Notification: manager and role owner receive the "RequestAssigned" template
                oracle.iam.identity.usermgmt.vo.User manager = usersvc.getDetails(mgrKey, null, false);
                java.util.HashMap managerMap = manager.getAttributes();
                System.out.println("mgrMap ->" + managerMap);
                String managerLogin = managerMap.get("User Login").toString();
                System.out.println("mgrLogin ->" + managerLogin);

                String roleName = role.getAttribute(oracle.iam.identity.rolemgmt.api.RoleManagerConstants.ROLE_DISPLAY_NAME).toString();
                System.out.println("Role Name " + roleName);

                oracle.iam.identity.usermgmt.vo.User requester = usersvc.getDetails(requesterID, null, false);
                java.util.HashMap requesterMap = requester.getAttributes();
                System.out.println("requesterMap ->" + requesterMap);
                String requesterDisplayName = requesterMap.get("First Name").toString() + " " + requesterMap.get("Last Name").toString();
                System.out.println("requester Full Name ->" + requesterDisplayName);

                oracle.iam.notification.vo.NotificationEvent notevent = new oracle.iam.notification.vo.NotificationEvent();
                String[] receiverUserIds = { managerLogin, roleApprover };
                notevent.setUserIds(receiverUserIds);
                notevent.setTemplateName("RequestAssigned");
                java.util.HashMap templateParams = new java.util.HashMap();
                templateParams.put("usr_key", beneficiaryID);
                templateParams.put("request_id", reqId);
                templateParams.put("role_name", roleName);
                templateParams.put("requester_name", requesterDisplayName);
                notevent.setSender(null);
                notevent.setParams(templateParams);
                System.out.println("Sending Notification");
                notsvc.notify(notevent);
                // End of Code for sending e-mail notification
            } // End RequestBeneficiaryEntity for loop
        } // End beneficiaries for loop
    } // End if
    System.out.println("Final votedOutCome  --->" + votedOutCome);
    setVariableData("votedOutCome", votedOutCome);
} catch (Exception e) {
    // Every failure, login included, is only logged here: the BPEL process carries on with whatever
    // variables were set before the exception was thrown.
    System.out.println("----------------------");
    e.printStackTrace();
    System.out.println("----------------------");
}
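The votedOutCome decision table coded in the embedding above, modelled in Python as an added example (not code from the post or from OIM) so that every combination of the three system properties and the skip conditions can be enumerated, in particular the ones that end with no human approval at all. It assumes votedOutCome is the vote percentage the parallel approval block waits for (100 = manager and role owner both approve, 50 = one of them, 0 = nobody).

```python
import itertools

# Added example: a Python model of the votedOutCome rules from Java embedding
# activity 1, not code from the post or from OIM. Assumption: votedOutCome is the
# vote percentage the parallel approval block waits for (100 = manager and role
# owner both approve, 50 = one of them, 0 = nobody, approval skipped).


def parse_flag(value):
    """Mirror Java's equalsIgnoreCase("true") on a system property value:
    anything else, a missing property (None) or a typo such as "ture", is FALSE.
    For the notify-only flags that direction is safe: an approval is still required."""
    return value is not None and value.strip().lower() == "true"


def voted_outcome(approval_condition, manager_notify_only, roleowner_notify_only,
                  requester_is_manager=False, requester_is_role_owner=False,
                  manager_is_role_owner=False):
    """Return the votedOutCome the embedding computes, applying the rules in the
    same order as the Java code: property block, then the per-beneficiary manager
    skip, then the per-role owner skip and the manager-is-owner check."""
    cond = (approval_condition or "").strip().lower()
    m, r = manager_notify_only, roleowner_notify_only
    outcome = 100                                  # default: both must approve

    # PROPERTY BLOCK
    if m and r:
        outcome = 0                                # nobody approves, notify only
    if cond == "and":
        if not m and not r:
            outcome = 100
        elif m != r:
            outcome = 50                           # only one real approver left
    elif cond == "or":
        if not (m and r):
            outcome = 50                           # one approval is enough
    # any other approval-condition value leaves the default (100) in place

    # MANAGER BLOCK: requester is the beneficiary's manager, manager step skipped
    if requester_is_manager:
        if r:
            outcome = 0
        if cond in ("and", "or") and not m and not r:
            outcome = 50

    # ROLE OWNER BLOCK: requester owns the requested role, owner step skipped
    if requester_is_role_owner:
        if m:
            outcome = 0
        if cond in ("and", "or") and not m and not r:
            outcome = 50
    if requester_is_role_owner and manager_is_role_owner:
        outcome = 0
    # manager and role owner are the same person: one approver, so 50 when only one is notify-only
    if manager_is_role_owner and m != r:
        outcome = 50
    return outcome


def auto_approve_cases():
    """Enumerate every consistent input combination that ends with outcome 0,
    i.e. a request that goes through without any human approval. These are the
    cases to review first whenever the three system properties are changed."""
    cases = []
    for cond in ("and", "or"):
        for m, r, rq_mgr, rq_owner, mgr_owner in itertools.product((False, True), repeat=5):
            # if the manager is the role owner, "requester is manager" and
            # "requester is role owner" can only be true or false together
            if mgr_owner and rq_mgr != rq_owner:
                continue
            if voted_outcome(cond, m, r, rq_mgr, rq_owner, mgr_owner) == 0:
                cases.append((cond, m, r, rq_mgr, rq_owner, mgr_owner))
    return cases


if __name__ == "__main__":
    for case in auto_approve_cases():
        print("no human approval for", case)
```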




Approval Task Details.
[Screenshot: approval task details]

Manager Approval and Skip Condition

[Screenshot: manager approval task and its skip condition]

Role Owners Approval and Skip Condition
[Screenshot: role owner approval task and its skip condition]

Dynamic Voted Outcome
[Screenshot: dynamic voted outcome setting of the parallel approval block]

Java Code for the java embedding activity 2



try {
    // Same CSF lookup and OIM login as in embedding activity 1
    String oimUserName = "";
    char[] oimPassword = new char[0];
    oracle.security.jps.JpsContext ctx = oracle.security.jps.JpsContextFactory.getContextFactory().getContext();
    final oracle.security.jps.service.credstore.CredentialStore cs =
        (oracle.security.jps.service.credstore.CredentialStore) ctx.getServiceInstance(oracle.security.jps.service.credstore.CredentialStore.class);
    oracle.security.jps.service.credstore.CredentialMap cmap = cs.getCredentialMap("oracle.oim.sysadminMap");
    oracle.security.jps.service.credstore.Credential cred = cmap.getCredential("sysadmin");
    if (cred instanceof oracle.security.jps.service.credstore.PasswordCredential) {
        oracle.security.jps.service.credstore.PasswordCredential pcred = (oracle.security.jps.service.credstore.PasswordCredential) cred;
        oimUserName = pcred.getName();
        oimPassword = pcred.getPassword(); // keep it as char[]; no String copy of the password lingers on the heap
    }

    String oimURL = "t3s://localhost:443/oim";
    java.util.Hashtable env = new java.util.Hashtable();
    env.put(oracle.iam.platform.OIMClient.JAVA_NAMING_FACTORY_INITIAL, oracle.iam.platform.OIMClient.WLS_CONTEXT_FACTORY);
    env.put(oracle.iam.platform.OIMClient.JAVA_NAMING_PROVIDER_URL, oimURL);
    oracle.iam.platform.OIMClient client = new oracle.iam.platform.OIMClient(env);
    System.out.println("Before Login");
    client.login(oimUserName, oimPassword);
    System.out.println("Login Successful");

    oracle.iam.request.api.RequestService reqSvc = client.getService(oracle.iam.request.api.RequestService.class);
    oracle.iam.identity.rolemgmt.api.RoleManager roleSvc = client.getService(oracle.iam.identity.rolemgmt.api.RoleManager.class);
    oracle.iam.identity.usermgmt.api.UserManager usersvc = client.getService(oracle.iam.identity.usermgmt.api.UserManager.class);
    oracle.iam.notification.api.NotificationService notsvc = client.getService(oracle.iam.notification.api.NotificationService.class);

    Object reqIdXMLElem = getVariableData("inputVariable", "payload", "/ns3:process/ns4:RequestID");
    String reqId = ((oracle.xml.parser.v2.XMLElement) reqIdXMLElem).getText();
    System.out.println("The request ID is " + reqId);
    oracle.iam.request.vo.Request req = reqSvc.getBasicRequestData(reqId);
    System.out.println("req--->" + req);
    String requesterID = req.getRequesterKey();
    System.out.println("requesterID ->" + requesterID);
    java.util.List<oracle.iam.request.vo.Beneficiary> beneficiaries = req.getBeneficiaries();
    System.out.println("beneficiaries----->" + beneficiaries);

    // Activity 1 copied the sysadmin-notify-only property into this BPEL variable as "TRUE"/"FALSE";
    // the null-safe comparison means an unset variable results in no notification.
    String adminNotify = (String) getVariableData("sysadmin-notify-only");
    boolean notifySysAdmin = "true".equalsIgnoreCase(adminNotify);

    if (beneficiaries != null) {
        for (oracle.iam.request.vo.Beneficiary benf : beneficiaries) {
            String beneficiaryID = benf.getBeneficiaryKey();
            System.out.println(" beneficiaryID->" + beneficiaryID);
            java.util.List<oracle.iam.request.vo.RequestBeneficiaryEntity> rbes = benf.getTargetEntities();
            for (oracle.iam.request.vo.RequestBeneficiaryEntity rbe : rbes) {
                String key = rbe.getEntityKey();
                System.out.println("key---->" + key);
                String type = rbe.getEntityType();
                System.out.println("type---->" + type);
                if (!type.equalsIgnoreCase("Role")) continue;
                System.out.println("type is role");
                oracle.iam.identity.rolemgmt.vo.Role role = roleSvc.getDetails(key, null);
                if (!notifySysAdmin) continue;

                // Code for sending e-mail Notification: the system administrator receives the "SystemAdminNotification" template
                String sysAdminLogin = "xelsysadm";
                String roleName = role.getAttribute(oracle.iam.identity.rolemgmt.api.RoleManagerConstants.ROLE_DISPLAY_NAME).toString();
                System.out.println("Role Name " + roleName);

                oracle.iam.identity.usermgmt.vo.User requester = usersvc.getDetails(requesterID, null, false);
                java.util.HashMap requesterMap = requester.getAttributes();
                System.out.println("requesterMap ->" + requesterMap);
                String requesterDisplayName = requesterMap.get("First Name").toString() + " " + requesterMap.get("Last Name").toString();
                System.out.println("requester Full Name ->" + requesterDisplayName);

                oracle.iam.notification.vo.NotificationEvent notevent = new oracle.iam.notification.vo.NotificationEvent();
                String[] receiverUserIds = { sysAdminLogin };
                notevent.setUserIds(receiverUserIds);
                notevent.setTemplateName("SystemAdminNotification");
                java.util.HashMap templateParams = new java.util.HashMap();
                templateParams.put("usr_key", beneficiaryID);
                templateParams.put("request_id", reqId);
                templateParams.put("role_name", roleName);
                templateParams.put("requester_name", requesterDisplayName);
                notevent.setSender(null);
                notevent.setParams(templateParams);
                System.out.println("Sending Notification");
                notsvc.notify(notevent);
                // End of Code for sending e-mail notification
            } // End RequestBeneficiaryEntity for loop
        } // End beneficiaries for loop
    } // End if
} catch (Exception e) {
    // As in activity 1, failures are only logged and the BPEL process continues
    System.out.println("----------------------");
    e.printStackTrace();
    System.out.println("----------------------");
}