Saturday, 25 April 2015

Creating A Custom attribute in OIM 11gr2

1. Steps to add a new custom field in the OIM User Parent Form/screen (VIMP)

Adding buildingName, which is available in OID, to the OIM User Form
In OIM Admin Console:
a. Create a sandbox as buildingSB, activate and refresh.
b. Go to Form Designer, select Type as User and Resource Type as OID User, then search.
c. Go to the user form and, in the Custom section, add buildingName with the constraint set to Searchable.
d. Export the sandbox and then publish it.
e. Sign out of the Admin console.
In OIM self service console:
f. Go to Sandbox, import the already exported "buildingSB", refresh and activate.
g. Go to Users > Create new user and fill in all the mandatory fields.
h. Click on the Customize link (on top). It opens a new layer. Here go to Source (not Design) and move to the section where you want to place the new field. Click on 'Add Content' > Data Component Catalog > userVO > select buildingName > Add (ADF Input Text w/Label), then close this layer.
i. Publish the sandbox "buildingSB".
Note: When you want to customize the modify user page and the view user page, here you need to select the data component Manage Users.
Go to userModifyForm.jsff.xml in the <SandBox>\oracle\iam\ui\runtime\form\view\pages\mdssys\cust\site\site location and add the two attributes valueChangeListener="#{pageFlowScope.cartDetailStateBean.attributeValueChangedListener}" autoSubmit="true" to the new field.
In OIM Admin Console:
j. Go to Lookup > Lookup.OID.Configuration > Lookup.OID.UM.Configuration > Lookup.OID.UM.ProvAttrMap. Edit (pencil icon) and add buildingName as both meaning and code.
k. Go to Lookup > Lookup.OID.Configuration > Lookup.OID.UM.Configuration > Lookup.OID.UM.ReconAttrMap. Edit (pencil icon) and add buildingName as both meaning and code.
In OIM Design Console:
l. Go to Resource Objects > Search > OID User > Object Reconciliation / Reconciliation Fields tab > add the field 'buildingName' and also click the "Create Reconciliation Profile" button (on top).
m. Go to Form Designer > Search > UD_OID_USR > Create new version (buildingVer) > select the newly created version > Add > enter the new building field details (UD_OID_USR_BUILDING), then save; in the Pre-Populate tab (if required) add the new field details; finally make the version active.
n. Go to Process Definition > Search > OID User > Reconciliation Field Mappings > Add Field Mapping > map buildingName to UD_OID_USR_BUILDING (the column name in the DB).
Under the Task tab click Add and create a new task "buildingName Updated", similar to "Last Name Updated" (with all the required tab sections).
In OIM Admin Console:
o. Create a sandbox "OIDProvUpdateSB", activate and refresh.
p. Go to Application Instances > Search > OIDUserProvAI > Create the new form (SOIDFormLatest) > Refresh, select the newly created form and then Apply > Publish the sandbox.
Note: We cannot create a new Application Instance (AI) with the same IT Resource.
In OIM self service Console:
q. Create a user (venkat.kumar) with all mandatory fields, including the newly added buildingName.
r. Click on Request Accounts under the Accounts tab > Add to Cart OIDUserProvAI > Checkout > select the Container DN (Hyderabad) > Ready to Submit > Submit.
s. Go to the Accounts tab of the user and Refresh > Status is shown as Provisioned.
In OID Console:
t. Now go to OID > Data Browser tab; under Hyderabad you can see the newly created user.
In OIM self service console:
u. Now modify the user account and change the details (Chennai) > Ready to Submit > Submit.
v. Go to the Accounts tab of the user and Refresh > Status is shown as Provisioned.

In OID Console:

w. Now go to OID > Data Browser tab; under Chennai you can see the user with the updated details.
x. Make some updates to the buildingName field in OID and run the "OID Connector User Search Reconciliation" scheduled job. The updates will be shown in the user's "Modify Account" page in OIM.
Quick Flow process:
Constraints:
· We cannot delete existing entries in the lookups.
· We cannot delete an existing field in the Form Designer of the OIM Admin console.


Difference between OIM 10g and OIM 11g

1. 10g Request Management has been replaced by a SOA composite, which has a customized schema accommodating BPEL and Human Task.
2. The reconciliation engine has been rewritten in 11g to enhance performance by introducing a cache mechanism.
3. OES libraries are used as the authorization engine, unlike 10g, which had its own object- vs view-based authorization.
4. The plugin services platform is introduced in 11g to make customization easy; it can be somewhat mapped to the entity adapter functionality in 10g.
5. Groups in 10g are now called Roles in 11g, with some modifications that make them like LDAP roles.


OIM 10g | OIM 11g
Reconciliation Manager in Design Console | Event Management in Admin Console
Object Form | Request Dataset
Creation of new IT Resource from Design/Admin Console | Creation of new IT Resource from Admin Console
Struts based UI | ADF based UI
Approval workflow creation from Design/Admin Console | Approval workflow creation from IDE using SOA Plugin
Custom workflow engine | BPEL used as workflow engine
No Notification Tasks | Notification tasks, which are separate from Scheduled Task jobs
No Approval Policies | Approval Policies
No need of BI Publisher | BI Publisher needed for OOTB reporting
No need of RCU (Repository Creation Utility) | RCU (Repository Creation Utility) needed
Groups | Roles
No concept of Request Template | Request Template for controlling the attributes of the request
Entity Adapters on User Form | Event Handlers on User Form
Support only old APIs | Support old and new APIs

DB Provisioning


Creating a database table

First connect to SQL*Plus from cmd:
c:\sqlplus

Username: sys as sysdba
then give the password.

Then connect as system/<pwd>:

SQL> connect system/<password>;

Then create the table using the command below:

CREATE TABLE MY_USERTEST (
  USER_ID      VARCHAR2(4000 BYTE) NOT NULL ENABLE,   -- account identifier, used as the primary key
  FIRST_NAME   VARCHAR2(4000 BYTE),
  LAST_NAME    VARCHAR2(4000 BYTE),
  PASSWORD     VARCHAR2(4000 BYTE),                   -- kept in clear text in this lab table
  EMAIL        VARCHAR2(4000 BYTE),
  PHONE_FIX    VARCHAR2(4000 BYTE),
  PHONE_MOBILE VARCHAR2(4000 BYTE),
  USER_STATUS  VARCHAR2(4000 BYTE),                   -- ENABLE or DISABLE (see the status lookup created below)
  Location     VARCHAR2(4000 BYTE),
  Country      VARCHAR2(4000 BYTE),
  CONSTRAINT MY_USERTEST PRIMARY KEY (USER_ID)
);


then insert values into the table

INSERT INTO MY_USERTEST (USER_ID, FIRST_NAME, LAST_NAME, PASSWORD, EMAIL, PHONE_FIX, PHONE_MOBILE, USER_STATUS, Location, Country)
   VALUES ('ruser10', 'ruser10', 'ruser10', 'Mvts1234', 'ruser10@rlabs.com', 2045455, 987878455, 'ENABLE', 'Hyd', 'India');


INSERT INTO MY_USERTEST (USER_ID, FIRST_NAME, LAST_NAME, PASSWORD, EMAIL, PHONE_FIX, PHONE_MOBILE, USER_STATUS, Location, Country)
   VALUES ('ruser11', 'ruser11', 'ruser11', 'Mvts1234', 'ruser11@rlabs.com', 2045455, 987878455, 'ENABLE', 'Hyd', 'India');


then go to the Admin Console


create a Lookup table with the user status (Enable and Disable) values.

then copy the connector database folder from the path shown below

C:\Oracle\Middleware\Oracle_IDM1\server\ConnectorDefaultDirectory

copy the Database_App_Tables_9.1.0.5.0 folder

then go to Manage Connectors in the Admin Console and install the connector

we have already installed the DB connector, so there is no need to install it again

Create a GTC using the required database parameters.

then create the IT Resource and, using a sandbox, create the Application Instance and publish the sandbox
then run the Catalog Synchronization scheduled job.

then go to Identity Self Service

then create a user in OIM and provision it to the DB table (MY_USERTEST).

record updated

DB provisioning to the DB table is done. :):)





Friday, 24 April 2015

Bulkload in OIM

1. The object classes and the attributes in the CSV should follow the standards below.
2. The CSV sample format is to be specified.
3. The details mentioned below have to be specified during the bulk upload, for example the parameters for forcing the user to change the password at first login.
4. Usernames, group names and organization names should be unique and should not already exist in OID. If they exist, the import of the groups / users / organizations will fail.
5. The hierarchy of the load should be maintained, such that organizations are created first.
6. A user cannot exist in multiple organizations.
7. User

DIT structure alignment with the file being uploaded.

The structure of the DIT should align with the structure specified below, and the object classes and attributes should align with the mapping document attached above.

BulkLoad in OIM:
The Bulk Load utility is aimed at automating the process of loading a large amount of data into Oracle Identity Manager. It helps reduce the downtime involved in loading data. You can use this utility after you install Oracle Identity Manager or at any time during the production lifetime of Oracle Identity Manager. The Bulk Load utility can load users, accounts, roles, role hierarchy, role membership, and role category data.

Creating the Input Source for the Bulk Load Operation Using CSV Files As the Input Source:

If you want to use CSV files as the input source for the bulk load operation, then apply the following guidelines while creating the CSV files:
· The CSV files must be placed in the oimbulkload/csv_files directory.
· The first line in the CSV file is called the control line. This line must contain a comma-separated list of column names in the account (UD_*) table into which you want to load the account data. To find out the UD_ table, go to the process form in the Design Console.

Note:
Ensure that the Password column or any other encrypted column is not included in the list of columns.
· From the second line onward, the file must contain values for the columns in the control line. The order of columns in the first line and the values in the rest of the lines must be the same.
· If the value in any column contains a comma, then that value must be enclosed in double quotation marks (").
· The CSV file must contain values for all columns that are designated as mandatory in the account table. The key mandatory columns in the account table must be ignored.
· If you want to load account data into parent and child tables, then you must create one parent CSV file and one child CSV file for each child table. For example, if you are loading data into one parent table and three child tables, then you must create one parent CSV file and three child CSV files.
· If you want to load account data into parent and child tables, then at least one column must be the same in both tables. This column corresponds to the link attribute between the parent and child CSV files. The following example illustrates this:
The following are sample contents of a parent CSV file:
UD_ADUSER_UID,UD_ADUSER_ORGNAME,UD_ADUSER_FNAME,UD_ADUSER_LNAME,UD_ADUSER_MNAME,UD_ADUSER_FULLNAME,UD_ADUSER_OBJECTGUID
ADTEST1,"7~CN=ForeignSecurityPrincipals,DC=vivek01,DC=com",adtest1,adtest1,,adtest1,102
Note:
The UD_ADUSER_OBJECTGUID column is mandatory in the parent CSV file for loading accounts by using the bulk load operation. This column must be added to the parent CSV file even though the column is nullable in the database.
The following are sample contents of a child CSV file:
UD_ADUSER_UID,UD_ADUSER_ORGNAME,UD_ADUSRC_GROUPNAME
ADTEST1,"7~CN=ForeignSecurityPrincipals,DC=vivek01,DC=com",group2
The UD_ADUSER_UID column is common to both the parent file and the child file.
· If the CSV file is generated on Microsoft Windows and is to be loaded on a Linux environment, then remove the special characters, such as '\n\r', to avoid run-time errors.
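The following is an added example, not code from the original post or from the Oracle utility: it checks a parent and child account CSV pair against the guidelines above (UD_ column names, no encrypted column, the mandatory UD_ADUSER_OBJECTGUID column, a shared link column, quoted commas and Windows line endings). The sample inputs are constructed from the examples above and the mandatory column list assumes the AD connector layout shown there.

```python
import csv

# Constructed sample inputs, copied from the parent/child examples above (not a real load).
PARENT_CSV = (
    "UD_ADUSER_UID,UD_ADUSER_ORGNAME,UD_ADUSER_FNAME,UD_ADUSER_LNAME,"
    "UD_ADUSER_MNAME,UD_ADUSER_FULLNAME,UD_ADUSER_OBJECTGUID\r\n"
    'ADTEST1,"7~CN=ForeignSecurityPrincipals,DC=vivek01,DC=com",adtest1,adtest1,,adtest1,102\r\n'
)
CHILD_CSV = (
    "UD_ADUSER_UID,UD_ADUSER_ORGNAME,UD_ADUSRC_GROUPNAME\r\n"
    'ADTEST1,"7~CN=ForeignSecurityPrincipals,DC=vivek01,DC=com",group2\r\n'
)

# Columns the guidelines say must be present in the parent file (assumption: AD connector layout).
MANDATORY_PARENT = ("UD_ADUSER_OBJECTGUID",)


def parse_csv(text):
    """Return (control line columns, data rows). splitlines() drops Windows CRLF,
    and csv.reader keeps a quoted value such as "7~CN=...,DC=com" as one field."""
    rows = [row for row in csv.reader(text.splitlines()) if row]
    return rows[0], rows[1:]


def check_account_files(parent_text, child_texts):
    """Apply the CSV guidelines above; returns a list of problems (empty means the files pass)."""
    problems = []
    p_cols, p_rows = parse_csv(parent_text)
    for name in p_cols:
        if not name.startswith("UD_"):
            problems.append(f"parent: {name} is not a UD_ account-table column")
        if "PASSWORD" in name.upper():  # encrypted columns must not be bulk loaded
            problems.append(f"parent: encrypted column {name} must be removed")
    for name in MANDATORY_PARENT:
        if name not in p_cols:
            problems.append(f"parent: mandatory column {name} is missing")
    for i, row in enumerate(p_rows, start=2):
        if len(row) != len(p_cols):  # usually an unquoted comma inside a value
            problems.append(f"parent line {i}: {len(row)} values for {len(p_cols)} columns")
    for n, child_text in enumerate(child_texts, start=1):
        c_cols, c_rows = parse_csv(child_text)
        if not set(c_cols) & set(p_cols):
            problems.append(f"child {n}: no link column shared with the parent file")
        for i, row in enumerate(c_rows, start=2):
            if len(row) != len(c_cols):
                problems.append(f"child {n} line {i}: {len(row)} values for {len(c_cols)} columns")
    return problems


if __name__ == "__main__":
    print(check_account_files(PARENT_CSV, [CHILD_CSV]) or "parent and child CSV files pass")
```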

Verifying the Outcome of the Bulk Load Operation

To verify the outcome of the bulk load operation, check if you are able to perform the following steps for one of the OIM Users for whom an account has been added by the utility:
· Log in as the OIM User, and check if the newly created account is displayed in the resource profile of the user.
· Log in to the target system by using the credentials of the newly created account.

Creating the Input Source for the Bulk Load Operation

Depending on the input source that you want to use, apply the guidelines given in one of the following sections:

 Using CSV Files As the Input Source

If you want to use CSV files as the input source for the bulk load operation, then apply the following guidelines while creating the CSV files:
· The CSV files must be placed in the oimbulkload/csv_files directory.
· The first line in the CSV file is called the control line.
· This line must contain a comma-separated list of column names based on the selected role upload (role, role hierarchy, role membership, and role category) in the Oracle Identity Manager database.
· From the second line onward, the file must contain values for the columns in the control line. The order of columns in the first line and the values in the rest of the lines must be the same. The following is a sample content of a role (UGP) CSV file:
UGP_ROLENAME,UGP_NAMESPACE,USR_LOGIN,ORG_NAME,INCLUDE_HIERARCHY
"Finance Controllers",Default,XELSYSADM,Finance,YES
"Finance Controllers",Default,XELSYSADM,Requests,YES
· Role load is capable of publishing the roles to organizations to follow the security model in Oracle Identity Manager, with an option to include hierarchy.
As the value of the ORG_NAME parameter, specify the organization name, such as Finance or Requests, to which you want to publish the roles. Specify YES for INCLUDE_HIERARCHY if you want to publish the roles to the specified organization and its suborganizations. Specify NULL or NO for INCLUDE_HIERARCHY if you want to publish the roles only to the specified organization and not its suborganizations. If you do not specify values for the ORG_NAME and INCLUDE_HIERARCHY parameters, then by default the roles are published to the Top organization with hierarchy.
· If the value in any column contains a comma, then that value must be enclosed in double quotation marks (").
· The CSV file must contain values for all columns that are designated as mandatory in the respective role tables.
· The CSV file must contain values for all columns that are designated as mandatory depending on the upload: role data, role hierarchy data, role membership data, and role category data.
o Role (UGP): UGP_ROLENAME, UGP_NAMESPACE, USR_LOGIN, ORG_NAME, INCLUDE_HIERARCHY (UGP_NAMESPACE, ORG_NAME and INCLUDE_HIERARCHY can be left null when not required)
o Role Hierarchy (GPG): UGP_NAME, GPG_UGP_NAME
o Role Membership (USG): UGP_NAME, USR_LOGIN
o Role Category (ROLE_CATEGORY): ROLE_CATEGORY_NAME
Each row in the CSV file must have a unique value for the combination of mandatory columns.
· The following default values are inserted into Oracle Identity Manager if the CSV file does not contain values for these columns:
o For Role (UGP): ROLE_CATEGORY_NAME: Default; UGP_DISPLAY_NAME: defaults to UGP_NAME; ORG_NAME: TOP; INCLUDE_HIERARCHY: YES
o For Role Hierarchy (GPG): none
o For Role Membership (USG): RUL_KEY: the RUL_KEY from the RUL table whose RUL_NAME is 'Default'; USG_PRIORITY: grouped and ranked by UGP_KEY based on the rows given for upload
o For Role Category (ROLE_CATEGORY): none
· Create a master TXT file containing the names of the CSV files containing role data to be loaded. You can specify any name for the file, for example, master.txt. Save the master file in the oimbulkload/csv_files directory.
If you want to load multiple CSV files, then enter the name of each data CSV file on a separate line in the master file. Order the list of CSV file names in the sequence in which you want the utility to load data from the files. For example, suppose you have created three data CSV files, Role1.csv, Role2.csv, and Role3.csv. In the master file, enter the names of the data CSV files in the following order:
Role1.csv
Role2.csv
Role3.csv
When you run the utility, data is loaded in this order.
· If the CSV file is generated on Microsoft Windows and is to be loaded on a Linux environment, then remove the special characters, such as '\n\r', to avoid run-time errors.
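As an added example (not from the post or from the Oracle utility), the following parses a role (UGP) CSV, fills in the default values listed above for fields the file leaves empty, and checks the mandatory-column and uniqueness rules. The uniqueness key (role name, namespace and target organization) is an assumption chosen so that the two "Finance Controllers" rows above can coexist; the sample file is constructed.

```python
import csv

# Constructed sample in the role (UGP) layout shown above (not a real export);
# the third row deliberately leaves ORG_NAME and INCLUDE_HIERARCHY empty.
ROLE_CSV = """UGP_ROLENAME,UGP_NAMESPACE,USR_LOGIN,ORG_NAME,INCLUDE_HIERARCHY
"Finance Controllers",Default,XELSYSADM,Finance,YES
"Finance Controllers",Default,XELSYSADM,Requests,YES
"Audit, Internal",Default,XELSYSADM,,
"""

# Defaults listed above for a role upload; an empty field is treated as "no value given".
ROLE_DEFAULTS = {"ROLE_CATEGORY_NAME": "Default", "ORG_NAME": "TOP", "INCLUDE_HIERARCHY": "YES"}
MANDATORY_ROLE_COLUMNS = ("UGP_ROLENAME", "USR_LOGIN")
# Assumption: the combination that must be unique per row is role name, namespace and target org,
# which is what lets the two "Finance Controllers" rows above coexist.
UNIQUE_KEY = ("UGP_ROLENAME", "UGP_NAMESPACE", "ORG_NAME")


def load_role_rows(text):
    """Parse a role CSV: the control line names the columns, every later line supplies values.
    csv.reader keeps a quoted value such as "Audit, Internal" as a single field."""
    reader = csv.reader(text.splitlines())
    header = next(reader)
    return header, [dict(zip(header, row)) for row in reader if row]


def apply_role_defaults(row):
    """Return a copy of the row with the values OIM would use for the columns left empty."""
    filled = dict(row)
    for col, default in ROLE_DEFAULTS.items():
        if not filled.get(col):
            filled[col] = default
    if not filled.get("UGP_DISPLAY_NAME"):
        filled["UGP_DISPLAY_NAME"] = filled["UGP_ROLENAME"]
    # NULL or NO: publish to the named organization only; YES (the default) includes suborganizations
    filled["PUBLISH_TO_SUBORGS"] = filled["INCLUDE_HIERARCHY"].strip().upper() not in ("NO", "NULL")
    return filled


def check_role_file(text):
    """Return problems: missing mandatory values and duplicate unique-key combinations."""
    header, rows = load_role_rows(text)
    problems, seen = [], set()
    for i, row in enumerate(rows, start=2):
        missing = [c for c in MANDATORY_ROLE_COLUMNS if not row.get(c)]
        if missing:
            problems.append(f"line {i}: missing mandatory value(s) {missing}")
        key = tuple(apply_role_defaults(row).get(c, "") for c in UNIQUE_KEY)
        if key in seen:
            problems.append(f"line {i}: duplicate {dict(zip(UNIQUE_KEY, key))}")
        seen.add(key)
    return problems


if __name__ == "__main__":
    for row in load_role_rows(ROLE_CSV)[1]:
        print(apply_role_defaults(row))
    print(check_role_file(ROLE_CSV) or "role CSV passes")
```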

Verifying the Outcome of the Bulk Load Operation

To verify the outcome of the bulk load operation, check if you are able to perform the following steps for one of the OIM Roles added by the utility:
1. Log in to Oracle Identity Self Service, and verify that the newly created role is displayed in the search result for roles.
2. For the newly created role hierarchy and role members, click the Hierarchy and Members tabs respectively on the role details page.
3. To verify the newly created role category, in the Welcome page of Oracle Identity Administration, click Advanced Search - Role Categories. Then, perform an advanced search to find the newly created role.


Sunday, 19 April 2015

OIM - Adapters

There are 5 types of adapters.

To use adapters, they have to be attached to an OIM User Form or to a user-defined custom form.

Process Task adapters - automate the completion of a process task and are attached to a Process Definition form (AD User, OID User, etc.).

Entity Adapter - automatically populates a field on the OIM User form or a custom User form on pre-update, pre-delete, pre-insert, post-insert, post-update, or post-delete.

Pre-Populate Adapter - a specific type of rule generator attached to a user-created form field; it can automatically generate data for the form but does not save that data to the OIM database, instead sending it to the appropriate directory user object. The data can come from manual entry on a form or from automated entry from the OIM-defined forms.

Rule Generator - can populate fields automatically on an OIM form or a user-created form and save them to the OIM database based on business rules.

Task Assignment Adapter - automates the assignment of a process task to a user or group.