OIM TUTORIAL
Monday, 10 April 2017
Wednesday, 5 April 2017
OIM VIDEOS
Oracle Identity and Access Manager videos are available; if anyone needs them, mail me at
oiamvideos@gmail.com
Saturday, 25 April 2015
Creating a Custom Attribute in OIM 11gR2
1. Steps to add a new custom field in the OIM User parent form/screen (VIMP)
Adding buildingName, which is available in OID, to the OIM User Form.
In OIM Admin Console:
a. Create a sandbox as buildingSB, activate and refresh.
b. Go to Form Designer, select Type as User and Resource Type as OID User, then search.
c. Go to the user form and add buildingName as a custom field with constraint as Searchable.
d. Export the sandbox and then publish it.
e. Sign out of the Admin Console.
In OIM Self Service Console:
f. Go to Sandbox, import the already exported "buildingSB", refresh and activate it.
g. Go to Users, create a new user and fill in all the mandatory fields.
h. Click on the Customize link (on top). It opens a new layer. Here go to Source (not Design) and move to the section where you want to place the new field. Click on 'Add Content' > Data Component Catalog > userVO > select buildingName > Add (ADF Input Text w/ Label), then close this layer.
i. Publish the sandbox "buildingSB".
Note: When you want to customize the Modify User page and the View User page, you need to select the Data Component as Manage Users. Go to userModifyForm.jsff.xml under <SandBox>\oracle\iam\ui\runtime\form\view\pages\mdssys\cust\site\site and add the two attributes valueChangeListener="#{pageFlowScope.cartDetailStateBean.attributeValueChangedListener}" autoSubmit="true".
In OIM Admin Console:
j. Go to Lookups > Lookup.OID.Configuration > Lookup.OID.UM.Configuration > Lookup.OID.UM.ProvAttrMap. Here edit (pencil icon) and add buildingName as both Meaning and Code.
k. Go to Lookups > Lookup.OID.Configuration > Lookup.OID.UM.Configuration > Lookup.OID.UM.ReconAttrMap. Here edit (pencil icon) and add buildingName as both Meaning and Code.
In OIM Design Console:
l. Go to Resource Objects > Search > OID User > Object Reconciliation / Reconciliation Fields tab > add the field 'buildingName' and also click the "Create Reconciliation Profile" button (on top).
m. Go to Form Designer > Search > UD_OID_USR > Create New Version (buildingVer) > select the newly created version > Add > give the new building details (UD_OID_USR_BUILDING), then save. On the Pre-Populate tab (if required) add the new field details. Make the version active.
n. Go to Process Definition > Search > OID User > Reconciliation Field Mappings > Add Field Mapping > buildingName with UD_OID_USR_BUILDING (column name in the DB). Click Add under the Task tab > create a new task "buildingName Updated" similar to "Last Name Updated" (with all the required tab sections).
In OIM Admin Console:
o. Create a sandbox "OIDProvUpdateSB", activate and refresh.
p. Go to Application Instances > Search > OIDUserProvAI > create the new form (SOIDFormLatest) > refresh and select the newly created form, then Apply > publish the sandbox.
Note: We cannot create a new Application Instance (AI) with the same IT Resource.
In OIM Self Service Console:
q. Create a user (venkat.kumar) with all mandatory fields, including the newly added buildingName.
r. Click on Request Accounts under the Accounts tab > Add OIDUserProvAI to Cart > Checkout > select the Container DN (Hyderabad) > Ready to Submit > Submit.
s. Go to the Accounts tab of the user and refresh > the status is shown as Provisioned.
In OID Console:
t. Go to OID > Data Browser tab > under Hyderabad you can see the newly created user.
In OIM Self Service Console:
u. Modify the user account and change the details (Chennai) > Ready to Submit > Submit.
v. Go to the Accounts tab of the user and refresh > the status is shown as Provisioned.
In OID Console:
w. Go to OID > Data Browser tab > under Chennai you can see the user with the updated details.
x. Make some updates to the buildingName field in OID and run the "OID Connector User Search Reconciliation" scheduled job. The updates will be shown in OIM under "Modify Account" for the user.
Quick Flow process:
Constraints:
· We cannot delete the existing entries in the lookups.
· We cannot delete an existing field in the Form Designer of the OIM Admin Console.
Difference between OIM 10g and OIM 11g
1. 10g Request Management has been replaced by a SOA composite, which has a customized schema accommodating BPEL and Human Task.
2. The reconciliation engine has been rewritten in 11g to enhance performance by introducing a cache mechanism.
3. OES libraries are used as the authorization engine, unlike 10g, which had its own object- vs. view-based authorization.
4. A plugin services platform is introduced in 11g for easy customization, which can be somewhat mapped to the entity adapter functionality in 10g.
5. Groups in 10g are now called Roles in 11g, with some modifications that make them like LDAP roles.
OIM 10g | OIM 11g
Reconciliation Manager in Design Console | Event Management in Admin Console
Object Form | Request Dataset
Creation of new IT Resource from Design/Admin Console | Creation of new IT Resource from Admin Console
Struts based UI | ADF based UI
Approval workflow creation from Design/Admin Console | Approval workflow creation from IDE using SOA Plugin
Custom workflow engine | Using BPEL as workflow engine
No Notification Tasks | Notification tasks, which are separate from Scheduled Task jobs
No Approval Policies | Approval Policies
No need of BI Publisher | Need BI Publisher for OOTB reporting
No need of RCU (Repository Creation Utility) | Need of RCU (Repository Creation Utility)
Groups | Roles
No concept of Request Template | Request Template for controlling the attributes of the request
Entity Adapters on User Form | Event Handlers on User Form
Support only old APIs | Support old and new APIs
DB Provisioning
Creating a database table
First connect to SQL*Plus from cmd:
c:\sqlplus
Username: sys as sysdba
give the password
then connect as system/<pwd>
sql>connect system/<password>;
then create the table using the below command
-- note: PASSWORD is a plain varchar2 column, so values are stored in clear text
create table MY_USERTEST ( USER_ID varchar2(4000 BYTE) NOT NULL ENABLE,
FIRST_NAME varchar2(4000 BYTE),
LAST_NAME varchar2(4000 BYTE),
PASSWORD varchar2(4000 BYTE),
EMAIL varchar2(4000 BYTE),
PHONE_FIX varchar2(4000 BYTE),
PHONE_MOBILE varchar2(4000 BYTE),
USER_STATUS varchar2(4000 BYTE),
Location varchar2(4000 BYTE),
Country varchar2(4000 BYTE),
CONSTRAINT MY_USERTEST PRIMARY KEY (USER_ID));
then insert values into the table (phone numbers are quoted because the columns are varchar2)
INSERT INTO MY_USERTEST (USER_ID, FIRST_NAME, LAST_NAME, PASSWORD, EMAIL, PHONE_FIX, PHONE_MOBILE, USER_STATUS, Location, Country)
VALUES ('ruser10', 'ruser10', 'ruser10', 'Mvts1234', 'ruser10@rlabs.com', '2045455', '987878455', 'ENABLE', 'Hyd', 'India');
INSERT INTO MY_USERTEST (USER_ID, FIRST_NAME, LAST_NAME, PASSWORD, EMAIL, PHONE_FIX, PHONE_MOBILE, USER_STATUS, Location, Country)
VALUES ('ruser11', 'ruser11', 'ruser11', 'Mvts1234', 'ruser11@rlabs.com', '2045455', '987878455', 'ENABLE', 'Hyd', 'India');
then go to the Admin Console
create a lookup table with the user status (Enable and Disable) fields.
then copy the database connector folder from the path shown below
C:\Oracle\Middleware\Oracle_IDM1\server\ConnectorDefaultDirectory
copy the Database_App_Tables_9.1.0.5.0 folder
then go to Manage Connectors in the Admin Console and install the connector
(we have already installed the DB connector, so there is no need to install it again)
Create a GTC using the required database parameters.
then create the IT Resource and, using a sandbox, create the Application Instance and publish the sandbox
then run the Catalog Synchronization scheduled job.
then go to Identity Self Service
then create a user in OIM and provision it to the DB table (MY_USERTEST)
record updated
DB provisioning to the DB table is done. :):)
Friday, 24 April 2015
Bulkload in OIM
1. The object classes and the attributes in the CSV should follow the below standards.
2. CSV sample format to be specified.
3. The below mentioned details have to be specified during the bulk upload; for example, to force the user to change the password during first login, set the corresponding parameters.
4. Username, group name and organization names should be unique and should not already exist in OID. If they exist, then the import of the groups/users/organizations would fail.
5. The hierarchy of the load should be maintained, such as: the organization should be created first.
6. A user cannot exist in multiple organizations.
7. User DIT structure alignment with the file being uploaded: the structure of the DIT should align with the below specified structure, and the object classes and attributes should align with the above attached mapping document.
BulkLoad in OIM:
The Bulk Load utility is aimed at automating the process of loading a large amount of data into Oracle Identity Manager. It helps reduce the downtime involved in loading data. You can use this utility after you install Oracle Identity Manager or at any time during the production lifetime of Oracle Identity Manager. The Bulk Load utility can load users, accounts, roles, role hierarchy, role membership, and role category data.
Creating the Input Source for the Bulk Load Operation Using CSV Files as the Input Source:
If you want to use CSV files as the input source for the bulk load operation, then apply the following guidelines while creating the CSV files:
· The CSV files must be placed in the oimbulkload/csv_files directory.
· The first line in the CSV file is called the control line. This line must contain a comma-separated list of column names in the account (UD_*) table into which you want to load the account data. To find out the UD_ table, go to the process form in the Design Console.
Note: Ensure that the Password column or any other encrypted column is not included in the list of columns.
· From the second line onward, the file must contain values for the columns in the control line. The order of columns in the first line and the values in the rest of the lines must be the same.
· If the value in any column contains a comma, then that value must be enclosed in double quotation marks (").
· The CSV file must contain values for all columns that are designated as mandatory in the account table. The key mandatory columns in the account table must be ignored.
· If you want to load account data into parent and child tables, then you must create one parent CSV file and one child CSV file for each child table. For example, if you are loading data into one parent table and three child tables, then you must create one parent CSV file and three child CSV files.
· If you want to load account data into parent and child tables, then at least one column must be the same in both tables. This column corresponds to the link attribute between the parent and child CSV files. The following example illustrates this:
The following are sample contents of a parent CSV file:
UD_ADUSER_UID,UD_ADUSER_ORGNAME,UD_ADUSER_FNAME,UD_ADUSER_LNAME,UD_ADUSER_MNAME,UD_ADUSER_FULLNAME,UD_ADUSER_OBJECTGUID
ADTEST1,"7~CN=ForeignSecurityPrincipals,DC=vivek01,DC=com",adtest1,adtest1,,adtest1,102
Note: The UD_ADUSER_OBJECTGUID column is mandatory in the parent CSV file for loading accounts by using the bulk load operation. This column must be added to the parent CSV file even though it is a nullable column in the database.
The following are sample contents of a child CSV file:
UD_ADUSER_UID,UD_ADUSER_ORGNAME,UD_ADUSRC_GROUPNAME
ADTEST1,"7~CN=ForeignSecurityPrincipals,DC=vivek01,DC=com",group2
The UD_ADUSER_UID column is common to both the parent file and the child file.
· If the CSV file is generated on Microsoft Windows and is to be loaded on a Linux environment, then remove the special characters, such as '\n\r', to avoid run-time errors.
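The account CSV rules above, turned into a small generator and pre-load checker (added example, not part of the original post or of the Bulk Load utility): it writes the control line and quoted values with LF endings, then checks for encrypted columns, the mandatory parent columns, the parent/child link column, and stray CR characters. The column list and the ADTEST1 row follow the page's sample; MANDATORY_PARENT and ENCRYPTED_HINTS are assumptions for this example.

```python
import csv
import io

# Account (UD_*) column names and the ADTEST1 row follow the page's AD sample;
# MANDATORY_PARENT and the encrypted-column hints are assumptions for this example.
PARENT_COLUMNS = ["UD_ADUSER_UID", "UD_ADUSER_ORGNAME", "UD_ADUSER_FNAME",
                  "UD_ADUSER_LNAME", "UD_ADUSER_MNAME", "UD_ADUSER_FULLNAME",
                  "UD_ADUSER_OBJECTGUID"]
CHILD_COLUMNS = ["UD_ADUSER_UID", "UD_ADUSER_ORGNAME", "UD_ADUSRC_GROUPNAME"]
MANDATORY_PARENT = {"UD_ADUSER_UID", "UD_ADUSER_OBJECTGUID"}
ENCRYPTED_HINTS = ("PASSWORD", "PWD")
ORG = "7~CN=ForeignSecurityPrincipals,DC=vivek01,DC=com"
SAMPLE_PARENT_ROWS = [{"UD_ADUSER_UID": "ADTEST1", "UD_ADUSER_ORGNAME": ORG,
                       "UD_ADUSER_FNAME": "adtest1", "UD_ADUSER_LNAME": "adtest1",
                       "UD_ADUSER_FULLNAME": "adtest1", "UD_ADUSER_OBJECTGUID": "102"}]
SAMPLE_CHILD_ROWS = [{"UD_ADUSER_UID": "ADTEST1", "UD_ADUSER_ORGNAME": ORG,
                      "UD_ADUSRC_GROUPNAME": "group2"}]


def write_bulkload_csv(columns, rows):
    """Control line + data rows. Values containing a comma are quoted and the
    line ending is LF, so a file built on Windows loads cleanly on Linux."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n", quoting=csv.QUOTE_MINIMAL)
    writer.writerow(columns)
    for row in rows:
        writer.writerow([row.get(col, "") for col in columns])
    return buf.getvalue()


def _parse(text):
    records = list(csv.reader(io.StringIO(text)))
    return records[0], records[1:]


def validate_account_csvs(parent_text, child_text, mandatory=MANDATORY_PARENT):
    """Return the list of guideline violations; an empty list means ready to load."""
    problems = []
    if "\r" in parent_text or "\r" in child_text:
        problems.append("CR characters present; strip \\r before loading on Linux")
    p_cols, p_rows = _parse(parent_text)
    c_cols, c_rows = _parse(child_text)
    for col in p_cols + c_cols:  # encrypted columns never go through bulk load
        if any(hint in col.upper() for hint in ENCRYPTED_HINTS):
            problems.append(f"encrypted column {col} must not be in the control line")
    for col in sorted(mandatory - set(p_cols)):
        problems.append(f"mandatory column {col} missing from parent control line")
    for name, cols, rows in (("parent", p_cols, p_rows), ("child", c_cols, c_rows)):
        for n, row in enumerate(rows, start=2):
            if len(row) != len(cols):
                problems.append(f"{name} line {n}: {len(row)} values for {len(cols)} columns")
            elif name == "parent":
                for col in mandatory & set(cols):
                    if not row[cols.index(col)].strip():
                        problems.append(f"parent line {n}: mandatory {col} is empty")
    link = [col for col in p_cols if col in c_cols]  # the parent/child link attribute
    if not link:
        problems.append("parent and child files share no link column")
        return problems
    key = link[0]
    parent_keys = {r[p_cols.index(key)] for r in p_rows if len(r) == len(p_cols)}
    for n, row in enumerate(c_rows, start=2):
        if len(row) == len(c_cols) and row[c_cols.index(key)] not in parent_keys:
            problems.append(f"child line {n}: {key}={row[c_cols.index(key)]!r} has no parent row")
    return problems
```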
Verifying the Outcome of the Bulk Load Operation
To verify the outcome of the bulk load operation, check if you are able to perform the following steps for one of the OIM Users for whom an account has been added by the utility:
· Log in as the OIM User, and check if the newly created account is displayed in the resource profile of the user.
· Log in to the target system by using the credentials of the newly created account.
Creating the Input Source for the Bulk Load Operation
Depending on the input source that you want to use, apply the guidelines given in one of the following sections:
Using CSV Files as the Input Source
If you want to use CSV files as the input source for the bulk load operation, then apply the following guidelines while creating the CSV files:
· The CSV files must be placed in the oimbulkload/csv_files directory.
· The first line in the CSV file is called the control line.
· This line must contain a comma-separated list of column names based on the selected role upload (role, role hierarchy, role membership, and role category) in the Oracle Identity Manager database.
· From the second line onward, the file must contain values for the columns in the control line. The order of columns in the first line and the values in the rest of the lines must be the same. The following is a sample content of a role (UGP) CSV file:
UGP_ROLENAME,UGP_NAMESPACE,USR_LOGIN,ORG_NAME,INCLUDE_HIERARCHY
"Finance Controllers",Default,XELSYSADM,Finance,YES
"Finance Controllers",Default,XELSYSADM,Requests,YES
· Role load is capable of publishing the roles to organizations to follow the security model in Oracle Identity Manager, with an option to include hierarchy.
As the value of the ORG_NAME parameter, specify the organization name, such as Finance or Requests, to which you want to publish the roles. Specify YES for INCLUDE_HIERARCHY if you want to publish the roles to the specified organization and its suborganizations. Specify NULL or NO for INCLUDE_HIERARCHY if you want to publish the roles only to the specified organization and not its suborganizations. If you do not specify values for the ORG_NAME and INCLUDE_HIERARCHY parameters, then by default the roles are published to the Top organization with hierarchy.
· If the value in any column contains a comma, then that value must be enclosed in double quotation marks (").
· The CSV file must contain values for all columns that are designated as mandatory in the respective role tables.
· The CSV file must contain values for all columns that are designated as mandatory for the data being uploaded: role data, role hierarchy data, role membership data, or role category data.
o Role (UGP): UGP_ROLENAME, UGP_NAMESPACE, USR_LOGIN, ORG_NAME, INCLUDE_HIERARCHY (UGP_NAMESPACE, ORG_NAME and INCLUDE_HIERARCHY can be left as null when not required).
o Role Hierarchy (GPG): UGP_NAME, GPG_UGP_NAME
o Role Membership (USG): UGP_NAME, USR_LOGIN
o Role Category (ROLE_CATEGORY): ROLE_CATEGORY_NAME
Each row in the CSV file must have a unique value for the combination of mandatory columns.
· The following default values are inserted into Oracle Identity Manager if the CSV file does not contain values for these columns:
o For Role (UGP):
  ROLE_CATEGORY_NAME: Default
  UGP_DISPLAY_NAME: defaults to UGP_NAME
  ORG_NAME: TOP
  INCLUDE_HIERARCHY: YES
o For Role Hierarchy (GPG): None
o For Role Membership (USG):
  RUL_KEY: RUL_KEY from the RUL table with RUL_NAME as 'Default'
  USG_PRIORITY: group and rank based on UGP_KEY, based on the rows given for upload.
o For Role Category (ROLE_CATEGORY): None
· Create a master TXT file containing the names of the CSV files containing the role data to be loaded. You can specify any name for the file, for example, master.txt. Save the master file in the oimbulkload/csv_files directory.
If you want to load multiple CSV files, then enter the name of each data CSV file on a separate line in the master file. Order the list of CSV file names in the sequence in which you want the utility to load data from the files. For example, suppose you have created three data CSV files, Role1.csv, Role2.csv, and Role3.csv. In the master file, enter the names of the data CSV files in the following order:
Role1.csv
Role2.csv
Role3.csv
When you run the utility, data is loaded in this order.
· If the CSV file is generated on Microsoft Windows and is to be loaded on a Linux environment, then remove the special characters, such as '\n\r', to avoid run-time errors.
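The role (UGP) CSV rules above, worked through in code (added example, not part of the original post or of the Bulk Load utility): it parses a role CSV, applies the documented defaults for ORG_NAME, INCLUDE_HIERARCHY, UGP_DISPLAY_NAME and ROLE_CATEGORY_NAME, rejects duplicate rows, and builds the master file body in load order. The first two rows are the page's sample; the third row, the (role, namespace, org) uniqueness key and the reading of a blank INCLUDE_HIERARCHY are assumptions made for this example.

```python
import csv
import io

# The first two data rows are the page's sample; the third is constructed to show
# what the utility's defaults do when ORG_NAME and INCLUDE_HIERARCHY are blank.
SAMPLE_ROLE_CSV = (
    "UGP_ROLENAME,UGP_NAMESPACE,USR_LOGIN,ORG_NAME,INCLUDE_HIERARCHY\n"
    '"Finance Controllers",Default,XELSYSADM,Finance,YES\n'
    '"Finance Controllers",Default,XELSYSADM,Requests,YES\n'
    '"HR Analysts",Default,XELSYSADM,,\n'
)
MANDATORY = ("UGP_ROLENAME", "USR_LOGIN")


def _cell(row, col):
    return (row.get(col) or "").strip()


def resolve_role_rows(text):
    """Parse a role (UGP) CSV and return one dict per row with the documented
    defaults applied (ROLE_CATEGORY_NAME=Default, UGP_DISPLAY_NAME=UGP_NAME,
    ORG_NAME=TOP, INCLUDE_HIERARCHY=YES). Raises ValueError for a missing or
    empty mandatory column and for a duplicate (role, namespace, org) key, the
    uniqueness combination assumed here because the sample publishes one role
    to two organizations on two rows."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in MANDATORY if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"mandatory column(s) missing from control line: {missing}")
    resolved, seen = [], set()
    for n, row in enumerate(reader, start=2):
        if not all(_cell(row, c) for c in MANDATORY):
            raise ValueError(f"line {n}: empty mandatory value")
        org = _cell(row, "ORG_NAME") or "TOP"
        hier = _cell(row, "INCLUDE_HIERARCHY").upper()
        # YES publishes to the org and its suborganizations; NULL or NO only to the
        # named org; both columns blank means Top with hierarchy (assumed reading).
        include = hier == "YES" or (org == "TOP" and hier == "")
        key = (_cell(row, "UGP_ROLENAME"), _cell(row, "UGP_NAMESPACE"), org)
        if key in seen:
            raise ValueError(f"line {n}: duplicate row for {key}")
        seen.add(key)
        resolved.append({
            "role": key[0], "namespace": key[1], "login": _cell(row, "USR_LOGIN"),
            "display_name": _cell(row, "UGP_DISPLAY_NAME") or key[0],
            "category": _cell(row, "ROLE_CATEGORY_NAME") or "Default",
            "org": org, "include_hierarchy": include,
        })
    return resolved


def plan_load(files):
    """files maps CSV file name -> contents, in load order. Returns the master
    file body (one name per line, as the utility reads it) and the resolved rows
    of every file in that same order, or raises if any file is invalid."""
    master = "".join(f"{name}\n" for name in files)
    rows = [r for text in files.values() for r in resolve_role_rows(text)]
    return master, rows
```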
Verifying the Outcome of the Bulk Load Operation
To verify the outcome of the bulk load operation, check if you are able to perform the following steps for one of the OIM Roles added by the utility:
1. Log in to Oracle Identity Self Service, and verify that the newly created role is displayed in the search result for roles.
2. For the newly created role hierarchy and role members, click the Hierarchy and Members tabs respectively on the role details page.
3. To verify the newly created role category, in the Welcome page of Oracle Identity Administration, click Advanced Search - Role Categories. Then, perform an advanced search to find the newly created role.
Sunday, 19 April 2015
OIM - Adapters
There are five types of adapters.
To use adapters, they have to be attached to an OIM User Form or to a user-defined custom form.
Process Task Adapter - automates completion of a process task and is attached to a Process Definition Form (AD User, OID User, etc.)
Entity Adapter - automatically populates a field on the OIM User Form or a custom User Form on pre-update, pre-delete, pre-insert, post-insert, post-update, or post-delete
Pre-Populate Adapter - a specific type of rule generator attached to a user-created form field; it can automatically generate data for the form but does not save that data to the OIM database, instead sending that information to the appropriate directory user object. The data can come from manual entry on a form or from automated entry from the OIM-defined forms.
Rule Generator - can populate fields automatically on an OIM form or a user-created form and save them to the OIM database based on business rules
Task Assignment Adapter - automates the assignment of a process task to a user or group