Sunday, October 9, 2016

Oracle Identity Manager (OIM) 11G R2 PS3 (11.1.2.3.0) Access Request Catalog


Catalog Concepts

  1. Catalog: The Catalog (aka Request Catalog) offers a consistent and intuitive request experience for customers to request Roles, Entitlements and Application Instances, following the commonly used Shopping Cart paradigm. The catalog is a structured commodity with its own set of metadata.
  2. Catalog Item: A Catalog Item is an item (a Role, Entitlement or Application Instance) that can be requested by a user, either for themselves or on behalf of other users.
  3. Category: A Catalog Item Category is a way to organize the request catalog. Each catalog item is associated with one and only one category. The navigation category is an attribute of the catalog item. Catalog System Administrators can edit a Catalog Item and provide a value for the category.
     Note: You cannot leave the Category field blank for a catalog item, so you must ensure that a value is present for the category.
  4. Application Instance: An Application Instance represents an account on a particular target. When users request an application instance, they are requesting an account in a particular target. Application Instances can be connected, if fulfillment is automated via a Connector, or disconnected, if fulfillment is manual. Application Instances can have entitlements associated with them.
  5. Enterprise Roles: Enterprise Roles are defined by customers. Enterprise Roles have policies associated with them. Users can request enterprise roles via the Catalog. When a role is granted, application instances or entitlements are provisioned to the user.
  6. Entitlement: Entitlements are privileges in an application that govern what a user of the application can do.
  7. Catalog User-Defined Field: Catalog User-defined fields are additional attributes that are added by customers to the Catalog entity.
  8. Catalog Item Metadata: Catalog Item Metadata refers to the values for the Catalog Item attributes. Metadata can be managed on a per-item basis by the Catalog System Administrator or can be populated in bulk.
  9. Tags: Tags are search keywords. When users search the Access Request Catalog, the search is performed against the tags. Tags are of three types:
     • Auto-generated: The Catalog synchronization process auto-tags the Catalog Item using the Item Type, Item Name and Item Display Name.
     • User-defined: User-defined Tags are additional keywords entered by the Catalog System Administrator.
  10. Catalog System Administrator: The Catalog System Administrator is a global security role. The Catalog can be managed by members of this role only.
  11. Shopping Cart: The Shopping Cart refers to the collection of Catalog Items that are being requested. A user can have only one cart active at any given time, and the cart can contain roles, application instances, entitlements, or any combination of the three.
  12. Catalog Synchronization: Catalog synchronization refers to the process of loading roles, application instances, and entitlements into the Catalog.



Access Request Catalog

  1. Extensible
  2. Automated harvesting of roles, applications, and entitlements
  3. Automatic loading of Catalog metadata using a CSV file
  4. Powerful search using keywords, including complex search operators
  5. Flexible categorization
  6. Catalog search results are automatically filtered based on user authorization
  7. Catalog item data exposed via a web service for use in workflows


Onboarding Roles
There are no onboarding steps for enterprise roles. Roles belonging to a role category other than Oracle Identity Manager Roles are published directly to the Catalog when they are created.

Onboarding Application Instances
Application Instances require additional configuration before they can be requested by end users. Use the following checklist items to make sure that you have performed the configuration required to onboard application instances:

  • Catalog Synchronization Job
  • Process Application Instances
  • Mode = Incremental
  • Job Frequency = 5 minutes

Onboarding Entitlements
Use the following checklist items to make sure that you have performed the configuration required to onboard entitlements.

  1. Ensure that the Connector is installed (for new targets)
  2. Verify that the process forms have an IT resource field
  3. Verify that you have defined the form field properties correctly
  4. Verify that you have correctly associated the parent and child forms
  5. Verify that you have run the common lookup reconciliation job for ICF-based targets
  6. Verify that you have run the connector-specific lookup reconciliation jobs for non-ICF connectors
  7. Verify that you have created application instances correctly, corresponding to the resource object and IT resource instance specified in the Lookup Reconciliation job
  8. Verify that you have published entitlements to relevant organizations
  9. Verify that you have run the entitlement list loader job, so that data can be populated in the ent_list table


  • Catalog Synchronization Job
  • Process Entitlements
  • Mode = Incremental
  • Job Frequency = 5 minutes



Bootstrapping the Catalog

  • Catalog Synchronization Job
  • Process Roles
  • Mode = Full
  • Job Frequency = 5 minutes

  • Catalog Synchronization Job
  • Process Application Instances
  • Mode = Full
  • Job Frequency = 5 minutes

  • Catalog Synchronization Job
  • Process Entitlements
  • Mode = Full
  • Job Frequency = 5 minutes

  • Catalog Synchronization Job
  • Process Roles, Process Application Instances, and Process Entitlements
  • Mode = Incremental
  • Job Frequency = 5 minutes




Enriching the Catalog

  1. Editing a Catalog Item online
  2. Enriching the Catalog in bulk from external sources
  3. Loading data from an external source

  • Catalog Synchronization Job
  • File Path = Absolute Path
  • Process Entitlements
  • Mode = Metadata
  • Job Frequency = 5 minutes


Managing Catalog Items

Deleting Catalog Items of Type Roles
  • Just delete

Deleting Catalog Items of Type Application Instances
  • Delete and run the job

Deleting Catalog Items of Type Entitlements
  • Run Entitlement List Load
  • Run Catalog Synchronization Job in Incremental mode




Configuring Catalog Auditing

Catalog auditing covers the following changes:

  1. A change in the value of a catalog UDF.
  2. A change to the value of any catalog item attribute made from the catalog UI or any other custom UI.

The following consolidated catalog attributes are part of auditing when a catalog item is updated:

  • Category, Audit Objective, Approver User, Approver Role, Fulfillment User, Fulfillment Role, Certifier User, Certifier Role, Item Risk, Certifiable
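Two of the points above invite a pre-flight check on the administrator's side: the bulk metadata load (Catalog Synchronization Job in Metadata mode with a CSV file) and the list of catalog attributes that auditing records on update. The script below is an added example, not Oracle's code or anything shipped with OIM; it reviews an incoming metadata CSV against a snapshot of the current catalog before the job is run, rejects rows that would violate the page's rule that Category can never be blank, and reports exactly which audited attributes each row would change, so the resulting catalog audit entries can be reconciled against an approved change set. The column headers (ENTITY_TYPE, ENTITY_NAME, CATEGORY, ITEM_RISK, ...) and the entity type labels are assumptions made for illustration, not the headers OIM's loader requires; map them to your release's CSV format before use. Both CSV samples are constructed.

```python
"""Pre-load review of an OIM catalog metadata CSV.

Added example, not Oracle's or OIM's own code. Column names and entity type
labels below are ASSUMED for illustration; map them to the headers your OIM
release's catalog metadata loader expects before using this on real files.
"""
import csv
import io

# Catalog attributes the page lists as audited when a catalog item is updated
# (assumed column spellings; the attribute set itself comes from the page).
AUDITED_ATTRIBUTES = (
    "CATEGORY", "AUDIT_OBJECTIVE", "APPROVER_USER", "APPROVER_ROLE",
    "FULFILLMENT_USER", "FULFILLMENT_ROLE", "CERTIFIER_USER", "CERTIFIER_ROLE",
    "ITEM_RISK", "CERTIFIABLE",
)
# The three requestable item types in the Access Request Catalog (assumed labels).
ENTITY_TYPES = {"Role", "ApplicationInstance", "Entitlement"}
# Columns that identify one catalog item (assumed).
KEY_COLUMNS = ("ENTITY_TYPE", "ENTITY_NAME")

# Constructed snapshot of what the catalog holds today.
CURRENT_CATALOG_CSV = """ENTITY_TYPE,ENTITY_NAME,CATEGORY,ITEM_RISK,APPROVER_ROLE,CERTIFIABLE
Role,Finance Analyst,Finance,3,FinanceManagers,TRUE
ApplicationInstance,SAP HR Prod,HR Systems,5,,FALSE
Entitlement,SAP_HR_PAYROLL_ADMIN,HR Systems,7,HRManagers,TRUE
"""

# Constructed incoming file: one row blanks a Category, one lowers an item's
# risk and drops its approver role, one is a brand-new entitlement.
INCOMING_METADATA_CSV = """ENTITY_TYPE,ENTITY_NAME,CATEGORY,ITEM_RISK,APPROVER_ROLE,CERTIFIABLE
Role,Finance Analyst,Finance,3,FinanceManagers,TRUE
ApplicationInstance,SAP HR Prod,,5,,FALSE
Entitlement,SAP_HR_PAYROLL_ADMIN,HR Systems,3,,TRUE
Entitlement,SAP_HR_REPORT_VIEWER,HR Systems,1,HRManagers,FALSE
"""


def parse_csv(text):
    """Parse CSV text into a list of dict rows keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def _cell(row, column):
    """Normalised cell value: missing column or None becomes the empty string."""
    return (row.get(column) or "").strip()


def validate_rows(rows):
    """Return (line_number, message) problems; an empty list means the file is loadable.

    Line numbers count the header as line 1, matching what an editor shows.
    """
    problems = []
    for line_no, row in enumerate(rows, start=2):
        if _cell(row, "ENTITY_TYPE") not in ENTITY_TYPES:
            problems.append((line_no, f"unknown ENTITY_TYPE {_cell(row, 'ENTITY_TYPE')!r}"))
        if not _cell(row, "ENTITY_NAME"):
            problems.append((line_no, "ENTITY_NAME is blank"))
        # The page's rule: a catalog item's Category can never be left blank.
        if not _cell(row, "CATEGORY"):
            problems.append((line_no, "CATEGORY is blank"))
    return problems


def diff_audited_attributes(current_rows, incoming_rows):
    """Return (changes, new_items).

    changes maps an item key to {attribute: (old, new)} for every audited
    attribute the incoming row would alter; new_items lists keys that are
    not in the current snapshot at all (nothing to diff against yet).
    """
    current = {tuple(_cell(r, k) for k in KEY_COLUMNS): r for r in current_rows}
    changes, new_items = {}, []
    for row in incoming_rows:
        key = tuple(_cell(row, k) for k in KEY_COLUMNS)
        old = current.get(key)
        if old is None:
            new_items.append(key)
            continue
        delta = {attr: (_cell(old, attr), _cell(row, attr))
                 for attr in AUDITED_ATTRIBUTES
                 if _cell(old, attr) != _cell(row, attr)}
        if delta:
            changes[key] = delta
    return changes, new_items


def review(current_csv, incoming_csv):
    """Full pre-load review: validation problems plus the audited change set."""
    current_rows, incoming_rows = parse_csv(current_csv), parse_csv(incoming_csv)
    changes, new_items = diff_audited_attributes(current_rows, incoming_rows)
    return {"problems": validate_rows(incoming_rows), "changes": changes, "new_items": new_items}


if __name__ == "__main__":
    report = review(CURRENT_CATALOG_CSV, INCOMING_METADATA_CSV)
    for line_no, msg in report["problems"]:
        print(f"line {line_no}: {msg}")
    for key, delta in report["changes"].items():
        print(f"{key[0]} {key[1]!r}: {delta}")
    for key in report["new_items"]:
        print(f"new item: {key[0]} {key[1]!r}")
```

Run the review against an export of the live catalog and the file you intend to load; a non-empty problems list means the load should not be scheduled, and the changes map is the set of audit events you should expect to see once the job has run with XL.CatalogAuditDataCollection set to catalog. A change that lowers Item Risk or removes an Approver Role, as in the constructed sample, is exactly the kind of metadata edit worth a second pair of eyes before it reaches the catalog.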



To enable catalog auditing:

  1. Log in to Oracle Identity System Administration.
  2. Under System Configuration, click Configuration Properties.
  3. Search for the Catalog Audit Data Collection system property using the keyword XL.CatalogAuditDataCollection. The default value of this property is none, which specifies that catalog auditing is disabled.
  4. Set the value of the XL.CatalogAuditDataCollection system property to catalog. This enables catalog auditing.



Configuring Hierarchical Attributes of Entitlements

You can enable the display of hierarchical attributes of entitlements so that requesters, approvers, and certifiers can view additional details of entitlements (the hierarchical attributes) in the catalog detail screen. These additional details of entitlements are called the technical glossary. The technical glossary is displayed in a list view with breadcrumbs at the top showing the navigational path.

  • Catalog Synchronization Job
  • Mode = Technical Glossary



Database Best Practices for Access Request Catalog

  1. One-Time Optimizations for Oracle Text Index
  2. Text Index Optimization