Wednesday, November 2, 2016

OIM 11G R2 PS3 (11.1.2.3.0) User Guide - Doc Notes

------------------------------------12 Using Identity Certification---------------------------------------------


Note:
The option to download user certification data to your local computer and work on it in an offline mode is available for user certifications only. This functionality is not available for role, application instance, and entitlement certifications.

For this functionality to work, you must have Microsoft Excel 2007 or 2010. To configure Microsoft Excel for this functionality:

Ensure that the prerequisites described in "Configuring Excel to work with ADF Desktop Integration" in the Oracle Fusion Middleware Desktop Integration Developer's Guide for Oracle Application Development are met.

Perform the one-time configuration, as described in "How to Install Runtime Edition of ADF Desktop Integration" in the Oracle Fusion Middleware Desktop Integration Developer's Guide for Oracle Application Development.

For applications running in an environment using Oracle Access Manager, ensure that the URL for the ADF Desktop Integration Remote servlet is configured as a protected resource for Oracle Access Manager. The ADF Desktop Integration Remote servlet is:

http://IDM_HOST.domain.com:OIM_PORT/identity/adfdiRemoteServlet

Note:
User-defined field (UDF) data for both user and catalog will show up in the spreadsheet as read-only columns.


Note:
When you upload the spreadsheet data, if the application instance and entitlement decisions are different, the decisions for entitlements may be overridden on the server side depending on which data gets uploaded to the server first. In other words, data downloaded in a particular order is uploaded in that same order.
For example, if you revoke an entitlement and certify the account as Certify Conditionally, the entitlement could also be certified as Certify Conditionally if the account is updated last on the server, after the entitlement has been updated.

As a workaround, you can download the Excel file again to verify the final value updated on the server.


--------------------------------------13 Managing Identity Certification----------------------------------------------


Note:
Some of the preconfiguration steps require you to use the request catalog. For detailed information about the request catalog, see the following sections:
"Requesting Access"
"Managing the Access Request Catalog" in Administering Oracle Identity Manager


Note:
Setting the certifier in the request catalog is required if you want to use some of the options for selecting reviewers in the certification creation screen, such as Role Certifier or Application Instance Certifier.

Note:
The Certifier Role field available in the Detailed Information section of the catalog is not used in Oracle Identity Manager 11g Release 2 (11.1.2.3.0).

Note:
Setting the user manager or organization certifier is required if you want to use the Reviewer option of User Manager or Organization Certifier. Otherwise, this is not required.

Role organization certifier does not support the Hierarchy aware option. For the organization certifier, the role must be available in the organization. In other words, the specific organization must be specified for the role. Otherwise, the certification will not be generated. Make sure that the role and organization are linked and that the organization has the certifier user assigned.


Note:
See "Understanding How Risk Summaries are Calculated" for information about the impact of setting risk levels and how Oracle Identity Manager processes risk levels to arrive at risk summaries.


Note:
If there are multiple child forms, update all of them by repeating steps 4 through 7 before going to the next step.


Note:
All the options listed in Table 13-1 set the default configuration that is picked up during certification creation based on the type of certification. These can be changed during the certification creation process for each certification definition.


Note:
When completing a certification, a certifier cannot see the organization name or any other details about the organization unless that person is also the organization administrator for that organization. If the certifier is not the organization administrator, only the users in the organization are displayed.


Note:
For multi-phased review with advanced delegation:
The certification is not 100% complete until the Phase 2 reviewers or technical reviewers have completed all the reviews. During the two-phase review, the certification status displays the phase that the certification is in and the percentage completion within each phase. To view this status, click the In Progress certification in the Inbox or Dashboard.

The certification goes to the Phase 1 primary reviewer for final review. On Page 2, the Phase 1 primary reviewer can review the actions made by the users in the first and second phases (greyed out) as well as the system-generated default actions, which the Phase 1 primary reviewer can override.


Tip:
You can save the search and use it for specifying role criteria while creating another role certification definition. The saved search is not mapped to a specific certification. To use the role criteria saved search for another role certification definition:
During certification creation, after selecting the Role Criteria option and specifying the search condition, you must click Update and Preview Results. This associates the selected criteria with the definition.

If you want to save this search criteria as a template, then click Save. You are prompted to enter a name for the template that you are saving. You can then save this template and reuse it.

The saved template is not specific to a certification. While creating another certification, this template is displayed by default. If you create another new template, then that template is displayed. In other words, the latest template is displayed for all criteria screens associated with a type of certification.

If you do not want to use the generated template, then change the value in the Saved Search list to something else that you want to use.



Note:
If there is a periodic scheduled task tied to this definition, then the next execution of the scheduled task will be run by using the modified changes.


Note:
You must create a certification definition before you can schedule it. See "Creating Certification Definitions".

Note:
Roles, application instances, and entitlements are metadata objects, whereas users, accounts, and entitlement-assignments are instance-data objects.
Metadata objects are structural objects that represent and describe your information systems within Oracle Identity Manager, whereas instance-data objects are the individual instances of application data that populate the systems. For example, consider a customer service application (a resource) that has a predefined role that enables users to create trouble tickets (an entitlement). In this example, a single resource object represents the application and a single entitlement object represents a specific privilege within that application.

Now consider there might be thousands of user accounts on this resource, some subset of which has the entitlement-assignment that allows the user to create a trouble ticket. A single resource (metadata object) can have multiple accounts (instance-data objects), and a single entitlement (metadata object) can have multiple assignment instances (instance-data objects). Oracle Identity Manager calculates the risk levels for instance-data objects because it would not be feasible for a human to process risk levels for every user, account, and entitlement-assignment on a recurring basis.


Note:
Three bars signify high risk, two bars signify medium risk, and one bar signifies low risk.


Note:
Changing Risk-Level mappings on the Risk Configuration page in the UI can cause major ripple effects that impact Risk Summaries throughout Oracle Identity Manager. During your initial setup you should configure mappings on the Risk Level configuration page, and then avoid making additional unnecessary changes. See "Understanding How Changing Risk Configuration Values Impacts the System" for more information about the ripple effects that impact Risk Summaries.


Note:
If a listener name appears in more than one Event Listener Name List, or if one of the trigger jobs has an empty Event Listener Name List, then the first of these jobs to run consumes all of that listener's triggers. Triggers are always discarded after the first time they are processed.



Note:
Before creating an event listener, you must create a user certification definition or an application instance definition that will be executed when the Certification Event Trigger job is run.



Note:
User-Defined Fields (UDFs) or custom attributes do not appear in ModifiedUser's lists of current and previous values, but these attributes can be specified in the Event Listener rule conditions. To do so, type an expression in the following format into the rule's condition field:
ModifiedUser.{current|previous}Value.get{String|Integer|Long|Date|Boolean}Attribute("NAME")
Here, NAME is the internal name of the UDF. For example, to retrieve the previous value of a string-valued UDF named FavoriteColor, insert the following expression:

ModifiedUser.previousValue.getStringAttribute("FavoriteColor")
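To make the documented format concrete, here is an added Python checker (not part of the Oracle documentation or product) that validates ModifiedUser UDF access expressions against the template above and reports misspelled accessors inside a rule condition instead of silently ignoring them; the FavoriteColor condition is a constructed sample.

```python
import re

# Regex built from the documented template in the note above (a constructed
# checker, not an OIM API):
#   ModifiedUser.{current|previous}Value.get{String|Integer|Long|Date|Boolean}Attribute("NAME")
UDF_EXPR = re.compile(
    r'ModifiedUser\.(?P<side>current|previous)Value'
    r'\.get(?P<type>String|Integer|Long|Date|Boolean)Attribute'
    r'\("(?P<name>[^"]+)"\)'
)

# Looser pattern that catches any ModifiedUser.<...>(...) call so that
# variants such as getStrAttribute or currentValues are reported as invalid.
ANY_CALL = re.compile(r'ModifiedUser\.[A-Za-z_.]*\([^)]*\)')


def parse_udf_expression(expr):
    """Return (side, type, udf_name) if expr is exactly one well-formed
    UDF access expression, otherwise None."""
    m = UDF_EXPR.fullmatch(expr.strip())
    return (m.group("side"), m.group("type"), m.group("name")) if m else None


def lint_condition(condition):
    """Inspect every ModifiedUser call inside a rule condition string.
    Returns (valid, invalid): valid holds (side, type, name) tuples,
    invalid holds the raw call strings that do not match the format."""
    valid, invalid = [], []
    for call in ANY_CALL.findall(condition):
        parsed = parse_udf_expression(call)
        if parsed:
            valid.append(parsed)
        else:
            invalid.append(call)
    return valid, invalid


if __name__ == "__main__":
    # Constructed sample condition: fires when the FavoriteColor UDF changes
    cond = ('ModifiedUser.currentValue.getStringAttribute("FavoriteColor") != '
            'ModifiedUser.previousValue.getStringAttribute("FavoriteColor")')
    print(lint_condition(cond))
    # Misspelled accessor: reported under invalid rather than dropped
    print(lint_condition('ModifiedUser.currentValue.getStrAttribute("FavoriteColor")'))
```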



Note:
Oracle Identity Manager supports TPAD for user certification only. TPAD is not supported for role certification, application instance certification, and entitlement certification.


Note:
In order to minimize the number of tasks, it is recommended that you select the set of line-items that you intend to delegate to a particular reviewer. Otherwise, the delegated reviewer can receive any number of tasks, each of which contains some subset of line-items from the same phase of the same certification object.



Note:
The Reassign operation in Phase Two does not generate a new certification. For example, if a primary technical reviewer reassigns a (rotated) line-item, then this does not split the certification.


----------------------------------------------------14 Managing Identity Audit------------------------------------------------------


Note:
See "Managing Administration Roles" for information about admin roles and admin role capabilities.

The following admin role capabilities related to identity audit policies cannot be used from Identity Self Service, but can be used through APIs:

Identity Audit Policy - Assign Rule
Identity Audit Policy - Unassign Rule
Identity Audit Policy - Disable
Identity Audit Policy - Enable
Identity Audit Rule - Enable
Identity Audit Rule - Disable
Identity Audit Scan Run - Delete
For information about using APIs, see Developing and Customizing Applications for Oracle Identity Manager and Java API Reference for Oracle Identity Manager.


Note:
See "Customizing the Identity Audit Composite" in Developing and Customizing Applications for Oracle Identity Manager for information about customizing and deploying the identity audit composite to use a custom identity audit flow.


Note:
If you select Value, only the values for the field chosen on the left-hand side are displayed. However, values are not displayed for all attributes; for some attributes, the value must be entered manually.


Note:
You can group only two conditions at a time. If you select more than two conditions, then the Group button is disabled. Similarly, the Ungroup button is enabled only when you select one of the conditions that is grouped, and it is disabled when you select more than one group.

Note:
For application instances, there is no mechanism to filter out the attributes. All the attributes for application instances are displayed in the Condition Builder with which a rule can be written.
For roles, select the role name to display the list of attributes for the role entities. You can select the asterisk (*) wildcard character to display the list of attributes.


Note:
A maximum of two conditions can be grouped together. Therefore, if you create a rule with four conditions that are grouped together with the AND operator, then the conditions are grouped into two sets. But if one of the conditions is grouped with the OR operator, then the rule is updated correctly.


Note:
When Risk attributes are used to define the conditions in a rule, for the rule to be evaluated correctly, the Risk Aggregation Job scheduled job must be run before the request is made.