Tuesday, October 28, 2014

Difference between OIM 11g R2/11g R2 PS1 and 11G R2 PS2

In this post, I will cover the difference between OIM 11g R2/11g R2 PS1 and 11G R2 PS2.

Oracle Identity Manager 11.1.2 and/or 11.1.2.1.0 vs. Oracle Identity Manager 11.1.2.2.0

Access review
11.1.2 / 11.1.2.1.0: Oracle Identity Manager 11.1.2 provided Identity Attestation to periodically review users' access. For advanced access review capabilities such as role or data owner certification, OIM 11.1.2 had to be integrated with Oracle Identity Analytics (OIA) to leverage the advanced access review capabilities that OIA provided.
11.1.2.2.0: In Oracle Identity Manager 11.1.2.1.0 and 11.1.2.2.0, the advanced access review capabilities of OIA are converged into OIM to provide a complete identity governance platform that enables an enterprise to do enterprise-grade access request, provisioning, and access review from a single product. After upgrading to Oracle Identity Manager 11.1.2.2.0, you can use the new access review capabilities. This feature is disabled by default, so you must ensure that you have the relevant licenses before enabling it.

Multi-level certification workflow
11.1.2 / 11.1.2.1.0: In Oracle Identity Manager 11.1.2.1.0, certification was introduced and the workflow supported one level of access review in each phase.
11.1.2.2.0: The certification workflow in 11.1.2.2.0 enables the business to define more robust processes for compliance, enabling more granular oversight of "who has access to what". Certification reviews can mirror the access request workflow, where they can be reviewed or approved by multiple sets of business and IT owners before they are deemed complete in each phase. This ensures improved visibility of user access privileges, and all review decisions are captured in a comprehensive audit trail that is recorded live during the certification as well as in reports.

Organization membership
11.1.2 / 11.1.2.1.0: In Oracle Identity Manager 11.1.2 and 11.1.2.1.0, users are assigned to organizations by specifying an organization name in the Organization attribute of the user details. This is a static organization membership.
11.1.2.2.0: In Oracle Identity Manager 11.1.2.2.0, in addition to the existing feature, you can dynamically assign users to organizations based on user-membership rules, which you define in the Members tab of the organization details page. All users who satisfy the user-membership rule are dynamically associated with the organization, irrespective of the organization hierarchy the users statically belong to. With this new capability, a user can gain membership of one home organization via static membership and of multiple secondary organizations via user-membership rules that are dynamically evaluated.

UI skin
11.1.2 / 11.1.2.1.0: Oracle Identity Manager 11.1.2 and 11.1.2.1.0 use the Fusion Fx skin, which provides a rich look and feel.
11.1.2.2.0: Oracle Identity Manager 11.1.2.2.0 uses the Skyros skin. This is a lightweight skin that uses fewer background images and does not need gradients, so the UI renders a lot faster and UI skinning becomes easier. After you upgrade to OIM 11.1.2.2.0, the Skyros skin is enabled by default. There is also an option to revert to the Fusion Fx skin after the upgrade.

Entitlement and account dependency
11.1.2 / 11.1.2.1.0: In Oracle Identity Manager 11.1.2 and 11.1.2.1.0, you had to explicitly request an account and ensure it was provisioned before you could request an entitlement in that account. If you requested an entitlement and did not have the corresponding account, the request failed.
11.1.2.2.0: In Oracle Identity Manager 11.1.2.2.0, entitlement and account dependency is introduced in the OIM catalog. After you upgrade to Oracle Identity Manager 11.1.2.2.0, this new feature allows you to request entitlements even if you do not have the corresponding account, and entitlements for a specific account in addition to the primary account if you have multiple account instances in the same application.

Technical glossary
11.1.2 / 11.1.2.1.0: In Oracle Identity Manager 11.1.2, the catalog was introduced to provide meaningful and contextual information to end users during request and access review. The catalog allows you to associate meaningful metadata with any requestable entity.
11.1.2.2.0: In Oracle Identity Manager 11.1.2.2.0, in addition to the catalog metadata, you can enable the display of hierarchical attributes of entitlements so that requesters, approvers, and certifiers can view additional details of entitlements in the catalog detail screen. These additional details of entitlements are called the technical glossary and are displayed in a tree structure.

Complex entitlements
11.1.2 / 11.1.2.1.0: The catalog in Oracle Identity Manager 11.1.2 and 11.1.2.1.0 supports simple entitlements when you request an entitlement. A simple entitlement has a single attribute.
11.1.2.2.0: The catalog in Oracle Identity Manager 11.1.2.2.0 supports requests for complex entitlements. A complex entitlement is an entitlement with more than one attribute. These attributes are presented in an Entitlement Form on the request checkout page.

Draft requests
11.1.2 / 11.1.2.1.0: In Oracle Identity Manager 11.1.2 and 11.1.2.1.0, you cannot save a request in draft mode. If you cannot complete the access request, you must start the entire request process from the beginning when you resume.
11.1.2.2.0: In Oracle Identity Manager 11.1.2.2.0, you can use the draft request feature and save any request as a draft at any point in time. Once a request is saved as a draft, you can return to the self service console whenever required and continue with the data that you provided earlier.

Archive and purge
11.1.2 / 11.1.2.1.0: The data-rich and stateful nature of Oracle Identity Manager causes state-related data to accumulate, which in turn slows down the deployment. OIM customers are encouraged to run the archive and purge scripts frequently. The archive and purge utilities in Oracle Identity Manager 11.1.2 and 11.1.2.1.0 are command-line based and require you to navigate through an interactive wizard. This requires manual intervention each time archive and purge is run.
11.1.2.2.0: In Oracle Identity Manager 11.1.2.2.0, real-time continuous archive and purge utilities are available. You can define the archive and purge thresholds and parameters, and schedule the utilities to run automatically at periodic intervals.

Diagnostics
11.1.2 / 11.1.2.1.0: In Oracle Identity Manager 11.1.2 and 11.1.2.1.0, the Diagnostic Dashboard is used to validate pre-installation and post-installation requirements. The Diagnostic Dashboard is a standalone web application that runs on the application server. It also provides very rudimentary mechanisms to trace and diagnose orchestration errors.
11.1.2.2.0: In Oracle Identity Manager 11.1.2.2.0, you can use the Fusion Middleware Enterprise Manager console to view the configuration and state of operations in Oracle Identity Manager.

Monday, October 27, 2014

OAAM Web Services

OAAM Web Services end points 

In this post, I will list the web services that are available in the OAAM Server.
These are not listed if you directly hit http://host:port/oaam_server/services.
They can be found by opening web.xml in oaam_server.war inside oaam_server.ear.
So here is the list.

<servlet-mapping>
    <servlet-name>PingServlet</servlet-name>
    <url-pattern>/ping</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptAuthRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptAuthWS</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptTrackerRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptTrackerWS</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptCommonRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptCommonWS</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptCCRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptCCWS</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptRulesEngineRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptRulesEngineWS</url-pattern>
</servlet-mapping>
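Pulling this list out of web.xml by hand works for six mappings, but for an attack-surface review you want the same inventory reproducibly, so that the endpoints actually deployed can be compared with what a directory listing advertises. The script below is an added example and is not code from the original post or from Oracle; it takes the text of web.xml, pairs every servlet-mapping with the class behind it, and reports the endpoints that a listing did not show. The embedded web.xml fragment is constructed from the mappings above (wrapped in a minimal web-app root), and the base URL uses the post's http://host:port placeholder.

```python
"""Inventory the servlet endpoints declared in a web.xml (added example, not from the post)."""
import xml.etree.ElementTree as ET

# Constructed sample: the servlet-mappings from the post wrapped in a minimal web-app root.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping>
    <servlet-name>PingServlet</servlet-name>
    <url-pattern>/ping</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptAuthRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptAuthWS</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptTrackerRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptTrackerWS</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptCommonRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptCommonWS</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptCCRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptCCWS</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptRulesEngineRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptRulesEngineWS</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the code works whether or not web.xml declares an xmlns."""
    return tag.rsplit("}", 1)[-1]


def list_endpoints(web_xml_text):
    """Return (url_pattern, servlet_name) tuples in the order they appear in web.xml."""
    root = ET.fromstring(web_xml_text)
    endpoints = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        name = pattern = None
        for child in mapping:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                pattern = (child.text or "").strip()
        if name and pattern:
            endpoints.append((pattern, name))
    return endpoints


def service_urls(endpoints, base="http://host:port/oaam_server"):
    """Full URLs of the web-service endpoints (url-patterns under /services/)."""
    return [base + pattern for pattern, _ in endpoints if pattern.startswith("/services/")]


def not_advertised(endpoints, advertised):
    """Endpoints declared in web.xml but absent from a listing (e.g. the /services page).

    `advertised` is an iterable of url-patterns the listing showed.
    """
    seen = set(advertised)
    return [(pattern, name) for pattern, name in endpoints if pattern not in seen]


if __name__ == "__main__":
    eps = list_endpoints(SAMPLE_WEB_XML)
    for pattern, servlet in eps:
        print(f"{pattern:35} -> {servlet}")
    print("\nWeb-service URLs:")
    for url in service_urls(eps):
        print(" ", url)
    print("\nDeclared but not shown by the /services page (assuming it showed only /ping):")
    for pattern, servlet in not_advertised(eps, ["/ping"]):
        print(" ", pattern)
```

Run it against the real web.xml extracted from oaam_server.war and the difference between `list_endpoints` and what the listing page shows is exactly the set the post is pointing at; the same inventory is what you would hand to whoever decides which of these paths need to be reachable from outside the application tier.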


Using Enterprise Manager to debug Event Handlers

The basic premise of this method is to utilize Enterprise Manager to handle querying the MBean for the User and Operation.  I'll walk you through how to access the functionality (the screenshots are 11gR2 PS2 but the steps are applicable to any version of OIM 11gR2).  Open the Enterprise Manager that is associated with the Admin Server for your OIM domain.

In the tree view on the left, open Identity and Access -> OIM and click on oim(11.1.2.0.0).  In the Oracle Identity Manager drop-down list near the center of the screen, select System MBean Browser.  For clusters, open Identity and Access -> OIM and click on any of the entries that say oim(11.1.2.0.0).

The MBean Browser will open.  There are three root folders: Configuration MBeans, Runtime MBeans, and Application Defined MBeans.  We are concerned with the Application Defined MBeans folder so feel free to close the first two.

From here we will browse to: Application Defined MBean -> oracle.iam -> Server: (oim node) -> Application: oim -> IAMAppDesignMBean -> ConfigQueryMBeanName.  For clusters, you can just select the first node.  OIM replicates these changes across all of the nodes so the results will be the same.

(Note: the screenshots also show OperationConfigMXBean, but this MBean may not be present depending on the version of OIM you are running this command on.)
You will then select the Operations tab.  There is one Operation, getEventHandlers; click it.

You will need to enter two parameters, p1 and p2.  p1 defines which entity you want to run the Operation on, and p2 defines the Entity Operation for which you want to see Event Handlers.

In our case, p1 will be "user" and p2 will be "create".

When those are entered, click Invoke and the Operation will be performed and the results will be displayed below.

(Each line has the format: Stage,Order,Name,Location,Conditional)

You can find documentation of this Operation at: http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/oper.htm#BGBHJDCI
The following entities and operations are ones that are either listed in the documentation or that I've discovered to produce valid results.  The parameters are NOT case-sensitive.
Entities (p1): User, Role, RoleUser, Organization, Rule
Operations (p2): create, modify, delete

Here is the generic output of a fresh instance:
Stage,Order,Name,Location,Conditional
Validation,FIRST,ChildRequestValidationHandler,/metadata/iam-features-request/event-definition/EventHandlers.xml,true
Validation,1000,CreateUserValidationHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
Validation,1005,UserCommonNameValidationHandler,/db/ldapMetadata/EventHandlers.xml,false
Validation,1020,CreateUserPasswordValidationHandler,/metadata/iam-features-passwordmgmt/event-definition/EventHandlers.xml,false

Preprocess,-2147483648,GetCurrentUser,/metadata/iam-features-transUI/common/metadata/EventHandlers.xml,false
Preprocess,1000,CreateUserPreProcessHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
Preprocess,1020,PostSubmissionDataActions,/metadata/iam-features-request/event-definition/EventHandlers.xml,true
Preprocess,1040,UpdateUserPasswordFields,/metadata/iam-features-transUI/EventHandlers.xml,false
Preprocess,9978,InitiateOAACGSODCheck,/metadata/iam-features-rolesod/EventHandlers.xml,true
Preprocess,9979,UpdateRequestData,/metadata/iam-features-requestactions/common/metadata/event-definition/EventHandlers.xml,true
Preprocess,9980,ApprovalInitiation,/metadata/iam-features-request/event-definition/EventHandlers.xml,true
Preprocess,9981,PostApprovalActions,/metadata/iam-features-request/event-definition/EventHandlers.xml,true
Preprocess,10020,UserCreateLDAPPreProcessHandler,/db/ldapMetadata/EventHandlers.xml,true
Preprocess,2147483647,CustomPreProcessHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false

Action,1000,CreateUsersActionHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false

Audit,1000,UserAuditHandler,/metadata/iam-features-transUI/EventHandlers.xml,false

Postprocess,-2147483648,PostProcessingInitiation,/metadata/iam-features-request/event-definition/EventHandlers.xml,true
Postprocess,1000,ReconUserLoginHandler,/metadata/iam-features-reconciliation/event-definition/EventHandlers.xml,true
Postprocess,1020,ReconUserPasswordHandler,/metadata/iam-features-reconciliation/event-definition/EventHandlers.xml,true
Postprocess,1040,ReconUserDisplayNameHandler,/metadata/iam-features-reconciliation/event-definition/EventHandlers.xml,true
Postprocess,1050,CreateUserOrgChangeCalculator,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
Postprocess,1060,CreateUserPostProcessHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
Postprocess,1080,ProvisionXellerateUserResourcetoUserOrg,/metadata/iam-features-transUI/EventHandlers.xml,true
Postprocess,1100,ReconScheduledTaskUserHandler,/metadata/iam-features-reconciliation/event-definition/EventHandlers.xml,true
Postprocess,1120,UserCreateLDAPPostProcessHandler,/db/ldapMetadata/EventHandlers.xml,true
Postprocess,1140,LDAPAddMissingObjectClasses,/db/ldapMetadata/EventHandlers.xml,true
Postprocess,1160,SelfServiceNotificationHandler,/metadata/iam-features-selfservice/event-definition/EventHandlers.xml,false
Postprocess,1180,CreateUserPasswordNotificationHandler,/metadata/iam-features-passwordmgmt/event-definition/EventHandlers.xml,false
Postprocess,1230,CreateUserPostProcessActionHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
Postprocess,1260,AsyncHandler,/metadata/iam-features-asyncwsclient/EventHandlers.xml,true
Postprocess,1000000,SelfServicePostHandler,/metadata/iam-features-selfservice/event-definition/EventHandlers.xml,false
Postprocess,2000000,CustomPostProcessHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
Postprocess,2147483647,RequestCompleted,/metadata/iam-features-request/event-definition/EventHandlers.xml,true

Finalization,1000,CreateUserFinalizationHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
Finalization,3000000,CallBackOAACGWithReject,/metadata/iam-features-rolesod/EventHandlers.xml,true

Out-of-band Handlers
action,1000,CreateUserRequestFailedHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
preprocess,1000,CreateUserRequestFailedHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
postprocess,1000,CreateUserRequestFailedHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
action,9980,RequestFailed,/metadata/iam-features-request/event-definition/EventHandlers.xml,true
preprocess,9980,RequestFailed,/metadata/iam-features-request/event-definition/EventHandlers.xml,true
postprocess,9980,RequestFailed,/metadata/iam-features-request/event-definition/EventHandlers.xml,true
preprocess,1000000,UserPreProcessFailedHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
action,1000000,UserActionFailedHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
postprocess,1000000,UserPostProcessFailedHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
postprocess,3000000,ReconFailedHandler,/metadata/iam-features-reconciliation/event-definition/EventHandlers.xml,false
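The output above is only useful if you can compare it against a known-good baseline: what matters when a user-create operation misbehaves, or when you are reviewing an environment, is which handlers run in each stage, in what order, and which of them are not Oracle's own. The script below is an added example (not code from the post or from Oracle) that parses the getEventHandlers output in the Stage,Order,Name,Location,Conditional format the post describes, groups it by stage sorted by Order, and flags handlers whose Location is not under the stock /metadata/iam-features-* or /db/ldapMetadata paths. That "stock versus custom" classification is an assumption made here for review purposes, not something OIM reports; the handling of a LAST order value mirrors FIRST and is likewise assumed. The embedded sample is constructed from a few of the lines above plus one made-up custom handler (AcmeUserCreatePreProcess) so the custom check has something to find.

```python
"""Parse and review getEventHandlers output from OIM's ConfigQueryMBeanName (added example)."""
import re
from collections import OrderedDict

# Constructed sample in the format the post states; AcmeUserCreatePreProcess is made up.
SAMPLE_OUTPUT = """Stage,Order,Name,Location,Conditional
Validation,FIRST,ChildRequestValidationHandler,/metadata/iam-features-request/event-definition/EventHandlers.xml,true
Validation,1000,CreateUserValidationHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
Preprocess,-2147483648,GetCurrentUser,/metadata/iam-features-transUI/common/metadata/EventHandlers.xml,false
Preprocess,1000,CreateUserPreProcessHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
Preprocess,1010,AcmeUserCreatePreProcess,/metadata/acme/event-definition/EventHandlers.xml,false
Preprocess,2147483647,CustomPreProcessHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
Action,1000,CreateUsersActionHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false

Out-of-band Handlers
action,1000,CreateUserRequestFailedHandler,/metadata/iam-features-identity/event-definition/EventHandlers.xml,false
"""

# Stage sequence as it appears in the post's output.
STAGE_ORDER = ["Validation", "Preprocess", "Action", "Audit", "Postprocess", "Finalization"]

# Assumed: anything outside these locations is treated as a custom (non-Oracle) handler.
STOCK_LOCATION = re.compile(r"^/(metadata/iam-features-|db/ldapMetadata/)")


def order_key(order):
    """Sort key so FIRST precedes every number and LAST (assumed) follows every number."""
    if order == "FIRST":
        return (0, 0)
    if order == "LAST":
        return (2, 0)
    return (1, int(order))


def parse_event_handlers(text):
    """Split the MBean output into (inline_handlers, out_of_band_handlers)."""
    inline, out_of_band = [], []
    target = inline
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Stage,Order,"):
            continue  # blank separator or the header line
        if line.lower().startswith("out-of-band"):
            target = out_of_band  # everything after this marker is a failure handler
            continue
        fields = line.split(",", 4)
        if len(fields) != 5:
            raise ValueError("unexpected line: %r" % line)
        stage, order, name, location, conditional = fields
        target.append({
            "stage": stage.capitalize(),  # out-of-band lines use lowercase stage names
            "order": order,
            "name": name,
            "location": location,
            "conditional": conditional.strip().lower() == "true",
            "custom": STOCK_LOCATION.match(location) is None,
        })
    return inline, out_of_band


def by_stage(handlers):
    """Group handlers by stage (in execution order) and sort each stage by Order."""
    grouped = OrderedDict((stage, []) for stage in STAGE_ORDER)
    for handler in handlers:
        grouped.setdefault(handler["stage"], []).append(handler)
    for entries in grouped.values():
        entries.sort(key=lambda h: order_key(h["order"]))
    return grouped


def custom_handlers(handlers):
    """Handlers whose Location is outside the stock paths: the first thing to review."""
    return [h for h in handlers if h["custom"]]


if __name__ == "__main__":
    inline, oob = parse_event_handlers(SAMPLE_OUTPUT)
    for stage, entries in by_stage(inline).items():
        print(stage)
        for h in entries:
            flags = ("conditional " if h["conditional"] else "") + ("CUSTOM" if h["custom"] else "")
            print(f"  {h['order']:>12}  {h['name']:40} {flags}")
    print("\nCustom handlers:", [h["name"] for h in custom_handlers(inline + oob)])
```

Paste the real output for each entity/operation pair into `SAMPLE_OUTPUT`'s place (or read it from a file) before and after a deployment and diff the `by_stage` result: a handler that appears in a stage it did not occupy before, or a new entry flagged CUSTOM, is precisely the change you want to see before a user-create request starts failing or behaving differently.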