HAPPY NEW YEAR 2017

Identity And Access Management - Rajiv Dewan

Get Catalog Details Associated With Request (Request ID)



Sample Code To Get Catalog Details For A Particular Request ID:


import java.util.List;
import oracle.iam.catalog.vo.Catalog;
import oracle.iam.platform.utils.vo.OIMType;
import oracle.iam.request.vo.RequestBeneficiaryEntity;

// Assumes 'beneficiary' is an oracle.iam.request.vo.Beneficiary taken from the request
// and 'catalogService' is an oracle.iam.catalog.api.CatalogService obtained via OIMClient.
List<RequestBeneficiaryEntity> requestBeneficiaryEntityList = beneficiary.getTargetEntities();
for (RequestBeneficiaryEntity requestBeneficiaryEntity : requestBeneficiaryEntityList) {
    String entityKey = requestBeneficiaryEntity.getEntityKey();            // key of the requested entity
    OIMType entityType = requestBeneficiaryEntity.getRequestEntityType();  // Role, ApplicationInstance, Entitlement ...

    // Look the entity up in the catalog; only the entity key and type are needed here
    Catalog catalog = catalogService.getCatalogItemDetails(null, entityKey, entityType, null);
    System.out.println("Approver Role :: " + catalog.getApproverRole());
    System.out.println("Tags :: " + catalog.getTags());
}



Usage: 


Upgrade from OIM 11g R1 to OIM 11g R2


It will be useful while creating an Approval Workflow in OIM 11g R2 if you want to make use of the metadata attached to the catalog item in your Approval Workflow.


You can also use the new partner link provided by Oracle, but if you would rather keep the existing approval workflow developed in the older version (OIM 11g R1), you can change the code slightly and everything will work.

Catalog API: How To Get Metadata Associated with Catalog Item



Sample Code to print extended Metadata for Catalog Item:


import java.util.List;
import oracle.iam.catalog.vo.MetaData;
import oracle.iam.catalog.vo.MetaDataDefinition;

// Assumes 'catalog' is an oracle.iam.catalog.vo.Catalog already fetched via
// CatalogService.getCatalogItemDetails(...)
List<MetaData> catalogMetadataList = catalog.getMetadata();

for (MetaData metadataObject : catalogMetadataList) {
    String valueStored = metadataObject.getValue();                                 // value stored for this catalog item
    MetaDataDefinition metadataDefinition = metadataObject.getMetaDataDefinition(); // describes the metadata field

    String columnName = metadataDefinition.getDbColumnName();
    String description = metadataDefinition.getDescription();
    String displayName = metadataDefinition.getDisplayName();
    long id = metadataDefinition.getId();
    System.out.println("Display Name :: " + displayName + " Value :: " + valueStored);
    System.out.println("Column Name :: " + columnName + " Description :: " + description);
    System.out.println("ID :: " + id);
}



Usage: 


Upgrade from OIM 11g R1 to OIM 11g R2


It will be useful while creating an Approval Workflow in OIM 11g R2 if you want to make use of the metadata attached to the catalog item in your Approval Workflow.

You can also use the new partner link provided by Oracle, but if you would rather keep the existing approval workflow developed in the older version (OIM 11g R1), you can change the code slightly and everything will work.
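Both snippets above start from an object that is already in hand (a beneficiary, a catalog item). As an added example, not code from the original post or from Oracle, here is the full chain from a request ID down to the approver role, tags and extended metadata of every requested catalog item, which is what a custom approval workflow that routes on catalog metadata needs. It assumes the standard OIM 11g R2 client API (OIMClient, RequestService.getBasicRequestData, CatalogService.getCatalogItemDetails); the class name, the OIM_HOST placeholder and reading the admin password from the OIM_PASSWORD environment variable are my own choices.

```java
import java.util.Hashtable;
import java.util.List;

import oracle.iam.catalog.api.CatalogService;
import oracle.iam.catalog.vo.Catalog;
import oracle.iam.catalog.vo.MetaData;
import oracle.iam.catalog.vo.MetaDataDefinition;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.utils.vo.OIMType;
import oracle.iam.request.api.RequestService;
import oracle.iam.request.vo.Beneficiary;
import oracle.iam.request.vo.Request;
import oracle.iam.request.vo.RequestBeneficiaryEntity;

/**
 * Walks a request by its ID down to the catalog items it asks for and prints
 * the approver role, tags and extended metadata of each item.
 */
public class RequestCatalogDump {

    /** Prints catalog details for every target entity of every beneficiary of the request. */
    public static void dump(RequestService requestService, CatalogService catalogService,
                            String requestId) throws Exception {
        // Basic request data is enough: it carries the beneficiaries and their target entities
        Request request = requestService.getBasicRequestData(requestId);
        if (request == null) {
            System.out.println("No request found for ID " + requestId);
            return;
        }
        List<Beneficiary> beneficiaries = request.getBeneficiaries();
        if (beneficiaries == null || beneficiaries.isEmpty()) {
            // Non-beneficiary requests (e.g. create role) carry no catalog items this way
            System.out.println("Request " + requestId + " has no beneficiaries");
            return;
        }
        for (Beneficiary beneficiary : beneficiaries) {
            System.out.println("Beneficiary key :: " + beneficiary.getBeneficiaryKey());
            for (RequestBeneficiaryEntity entity : beneficiary.getTargetEntities()) {
                String entityKey = entity.getEntityKey();
                OIMType entityType = entity.getRequestEntityType();
                Catalog catalog = catalogService.getCatalogItemDetails(null, entityKey, entityType, null);
                if (catalog == null) {
                    // An entity missing from the catalog is a routing failure, not something to skip silently
                    System.out.println("  No catalog entry for " + entityType + " key " + entityKey);
                    continue;
                }
                System.out.println("  " + entityType + " key " + entityKey
                        + " :: Approver Role = " + catalog.getApproverRole()
                        + ", Tags = " + catalog.getTags());
                printMetadata(catalog);
            }
        }
    }

    /** Prints each extended metadata value together with its definition. */
    static void printMetadata(Catalog catalog) {
        List<MetaData> metadataList = catalog.getMetadata();
        if (metadataList == null) {
            return;
        }
        for (MetaData metadata : metadataList) {
            MetaDataDefinition def = metadata.getMetaDataDefinition();
            System.out.println("    Metadata " + def.getDisplayName()
                    + " (" + def.getDbColumnName() + ", id=" + def.getId() + ") = " + metadata.getValue());
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder connection settings; replace OIM_HOST and the credential source with your own
        System.setProperty("APPSERVER_TYPE", "wls");
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://OIM_HOST:14000");
        OIMClient client = new OIMClient(env);
        client.login("xelsysadm", System.getenv("OIM_PASSWORD").toCharArray());
        try {
            dump(client.getService(RequestService.class), client.getService(CatalogService.class), args[0]);
        } finally {
            client.logout();
        }
    }
}
```

Run it with the request ID as the only argument. Inside an approval composite you would not log in through OIMClient; you would obtain the two services from the platform and call dump() (or a variant that returns the approver role instead of printing) from the task assignment logic.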

 

Why most of IDM Projects don't succeed



Yesterday I was having a discussion with my friend on the topic "Why do most IDM projects not succeed?". I saw a couple of discussions on LinkedIn on the same topic as well. It's quite a simple and interesting question, but is it?

There can be any number of answers to this question based on different client/vendor experiences, so I would like to share something based on my own experience. I have worked mainly with OIM and a little with SIM, so my views will be based on these products only.

IDM projects don't succeed:

Just A Java Application:

IDM projects don't succeed when people think IDM is just a Java application. They think that if they are good at Java, they can do anything in IDM, and they implement things based on their Java experience instead of using IDM features. Things look easier in the beginning, but later the client has to pay for this, and we also face lots of challenges when upgrading IDM environments.

Just A Database Application:

IDM projects don't succeed when people think IDM is just a database application. They use SQL queries instead of the IDM-provided APIs/components, run direct queries for different operations and play around with audit data.

Just An Application (GUI) for Automation:

IDM projects don't succeed when people think IDM is just an application that provides a graphical user interface to automate some process like Create User/Delete User/Provision Access etc. They care more about look and feel than about its features.

Lack of IDM People:

IDM projects don't succeed when we don't have proper IDM people at the time of requirement gathering/design/development/testing and we give more responsibility to people who have good experience BUT in different domains.

Lack of IDM Knowledge:

IDM projects don't succeed when the client expects more than the product's capability. I agree that they don't have much knowledge, which is why they ask others to implement it, but they should understand the boundaries of the product.

Example:

IDM needs at least one unique field to map target users to IDM users. The unique field can also be a combination of 2-3 fields. Without such a field, IDM won't be able to link identities and accounts. So people should understand that a unique field is mandatory for running a Reconciliation Job in IDM; if they don't provide such field(s), IDM won't be able to link the users.

The Oracle Product Development team has done a great job in OIM 11g R1 and OIM 11g R2. Hats off to the Product Development team for coming up with such a great architecture.

Although there are some bugs, those will be found in each and every product. We should understand that these products are man-made, so nothing can be 100% perfect; instead of blaming each other we should work together and come up with a stable product which will satisfy the needs of today's world.

Happy IDM !!!

OIM 11g R2 Bundle Patch



OIM 11g R2 Bundle Patch Released

Download Patch 14606628 from Metalink to upgrade from OIM 11g R2 to OIM 11g R2 BP01.

Bundle Patch Number: 11.12.0.1

Release Date: 17-Oct-2012

Bundle Patch 5 is also released for OIM 11g PS1 (OIM 11.1.1.5)

Patch Number: 14609562

Bundle Patch Number: 11.1.1.5.5

Release Date: 17-Oct-2012

Other OIM 11g R2 Related Posts:

OIM 11g R2 Features
OIM 11g R2 Upgrade
OIM 11g R2 Self Service Console Screens
OIM 11g R2 Wildcard Search
OIM 11g R2 Attestation
OIM 11g R2 Application URL

 

OIM 11g R2 Upgrade Path


OIM 11g R2 is released. Upgrade is available from the below versions of OIM:
  1. OIM 9.x
  2. OIM 11.1.1.3.x
  3. OIM 11.1.1.5.x

If anyone is using OIM 11.1.1.3.x or OIM 9.x, they'll have to follow a 2-step upgrade, i.e. first upgrade to OIM 11.1.1.5.x and then to OIM 11g R2.

There is no direct upgrade from OIM 9.x or OIM 11.1.1.3.x to OIM 11g R2.

Be Ready To Enjoy New Features of Oracle Identity Manager Release 2 !!!

Disclaimer
All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information

OIM 11g R2 Application: URL



In OIM 11g R2, the URLs used to access the OIM application have changed. Earlier we used to have 3 views:
  1. Self Service Console
  2. Administration Console
  3. Advanced Console

But in OIM 11g R2 we have two views:
  1. Identity Console
  2. System Administration Console

Here are the URLs you'll have to use to access the OIM 11g R2 application:


OIM 11g R2 Upgrade: High Level Steps

Here are the high-level steps for upgrading existing OIM environments:

OIM 11g R2 Upgrade
  1. Run the PreUpgradeReport
  2. Analyse the PreUpgrade Report
  3. Take a backup of the existing environment
  4. Upgrade WebLogic Server to 10.3.6 - Optional
  5. Upgrade SOA to 11.1.1.6
  6. Upgrade OIM Home from OIM 11.1.1.5 to OIM 11.1.2.0
  7. Run RCU to upgrade the OIM database schema and load the OPSS (Oracle Platform Security Services) schema
  8. Extend the WebLogic domain to include OPSS
  9. Upgrade OPSS
  10. Configure the OPSS policy store (configuresecuritystore.py)
  11. Upgrade OIM to 11.1.2.0
  12. Start the Admin Server and upgrade the OIM middle tier (OIMupgrade.sh/bat)
  13. Restart the servers - Admin, SOA, OIM
  14. Post-upgrade steps
  15. Upgrade the Design Console
  16. Upgrade the Remote Manager


OIM 11g R2 Wildcard Character for Search Operations

Hi All
I was trying some search operations in Oracle Identity Manager Release 2 (OIM 11g R2) and found that we need to use "%" as the wildcard character.

In the previous releases (Oracle Identity Manager 11g, Oracle Identity Manager 11 or other releases), we used to use "*" for such operations.

I am not sure whether it's a bug or whether we'll have to use "%" as the wildcard character in future.

To me, it is a bug.


OIM 11g R2 Self Service Console

Hi All
Here are a couple of screens from Oracle Identity Manager Release 2 (OIM 11g R2).


OIM 11g R2: Attestation Process


Oracle Identity Manager (OIM) provides very good functionality called Attestation to re-certify the access of any user on a scheduled basis. OIM Attestation works either at the User level or at the Resource level.

I saw a requirement where a client wants multilevel approval for Attestation, i.e. the attestation decision should go to multiple levels of reviewers. The OIM OOTB Attestation process doesn't provide this functionality, and we don't even have a clean workaround for it.

I was expecting some new features from the OIM 11g R2 Attestation engine, but it seems that we'll have to face the same challenges in this version as well.

Did anyone face the same challenge?


Oracle Identity Manager 11g R2 ( OIM 11g R2 Features )



Expected Release Date: Mid of August 2012

Access Policy Issue for Reconciliation

Requirement


For OIM projects, we face a common requirement:

1) Link access for existing users with OIM users.
2) Provision access to new users as users get created in OIM, based on some attributes.
3) Manage access for all users, e.g. Revoke, Enable and Disable.

Expected Solution


1) For linking, we run Target Reconciliation
2) For new access, we use an Access Policy
3) For revocation, we select the "Revoke If No Longer Applies" check-box while creating the Access Policy

Known Issue


There is a known issue with managing access for existing users through an Access Policy if we run Target Reconciliation:

Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation? [ID 1136540.1]

Workaround


After the initial (full) Target Reconciliation, follow the steps below for all users and their access:

-- mark the user so the access policy engine re-evaluates it
UPDATE USR SET USR_POLICY_UPDATE = 1 WHERE USR_KEY = $USER_KEY;
COMMIT;

-- tie the reconciled account instance to the policy so "Revoke If No Longer Applies" can act on it
UPDATE OIU SET OIU_POLICY_REVOKE = 1, POL_KEY = $POLICY_KEY, OIU_POLICY_BASED = 1 WHERE ORC_KEY = $ORC_KEY;
COMMIT;
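The workaround above is two hand-edited statements per account. As an added example (not from the original post or from the Oracle note), here is how I would apply it from Java over JDBC: bind variables instead of pasting keys into the statement text, one transaction per account so that the USR and OIU rows change together or not at all, and a dry-run count beforehand. It assumes a java.sql.Connection to the OIM schema and the table and column names exactly as given in the workaround; the class, the Scope type and the method names are mine.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Applies the post-reconciliation access policy linking workaround for one account,
 * using bind variables and a single transaction per account.
 */
public class PolicyLinkWorkaround {

    /** Result of a dry run: how many USR and OIU rows the update would touch. */
    public static final class Scope {
        public final int userRows;
        public final int accountRows;
        Scope(int userRows, int accountRows) {
            this.userRows = userRows;
            this.accountRows = accountRows;
        }
    }

    /** Counts the rows that would be modified; run this before applying anything. */
    public static Scope checkScope(Connection conn, long userKey, long orcKey) throws SQLException {
        return new Scope(
            count(conn, "SELECT COUNT(*) FROM USR WHERE USR_KEY = ?", userKey),
            count(conn, "SELECT COUNT(*) FROM OIU WHERE ORC_KEY = ?", orcKey));
    }

    /**
     * Marks the user for policy evaluation and ties the account instance to the policy.
     * Commits only if exactly one USR row and exactly one OIU row were updated; otherwise rolls back.
     */
    public static boolean apply(Connection conn, long userKey, long policyKey, long orcKey) throws SQLException {
        boolean previousAutoCommit = conn.getAutoCommit();
        conn.setAutoCommit(false);
        try (PreparedStatement usr = conn.prepareStatement(
                 "UPDATE USR SET USR_POLICY_UPDATE = 1 WHERE USR_KEY = ?");
             PreparedStatement oiu = conn.prepareStatement(
                 "UPDATE OIU SET OIU_POLICY_REVOKE = 1, POL_KEY = ?, OIU_POLICY_BASED = 1 WHERE ORC_KEY = ?")) {
            usr.setLong(1, userKey);
            int usrRows = usr.executeUpdate();

            oiu.setLong(1, policyKey);
            oiu.setLong(2, orcKey);
            int oiuRows = oiu.executeUpdate();

            if (usrRows == 1 && oiuRows == 1) {
                conn.commit();
                return true;
            }
            // Unexpected row counts mean the keys were wrong; leave the database untouched
            conn.rollback();
            return false;
        } catch (SQLException e) {
            conn.rollback();
            throw e;
        } finally {
            conn.setAutoCommit(previousAutoCommit);
        }
    }

    private static int count(Connection conn, String sql, long key) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, key);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }
}
```

Call checkScope() for each (user key, ORC key) pair produced by the reconciliation run and only call apply() when both counts are 1; a 0 or a count above 1 means the keys came from the wrong run or the wrong resource. Since these updates go straight to the tables and bypass the OIM API layer and its audit trail, do them from a backed-up environment in a maintenance window, as the Oracle note describes.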





OIM 11g API ISSUE

Two days back, I was using some basic 11g APIs and got an exception. I tried with OIM 11.1.1.3 BP06, and I suspect that this issue exists in OIM 11.1.1.5 as well.

Use Case:


I wanted to search details of a Role like Display Name, Description, Role Key etc. I was using the following code snippet:

import java.util.List;
import oracle.iam.identity.rolemgmt.vo.Role;

// 'roleList' is the List<Role> returned by RoleManager.search(...)
for (int i = 0; i < roleList.size(); i++) {
    String roleName = roleList.get(i).getName();
    System.out.println("Role Name :: " + roleName);
    String description = roleList.get(i).getDescription(); // throws NPE when the role has no description
    System.out.println("Description " + description);
}

It prints the Role Name, but it gives me a "java.lang.NullPointerException" for the Description.


Reason:


I don't have a description for the first role in that list.
getDescription() returns a String, so it seems they are trying to convert null into a String, and that throws the exception.
I tried a couple more APIs where I was getting an NPE.

So it is better to use the getAttribute API rather than the direct API (getDescription).

I saw some other exceptions while using some OIM 11g APIs.
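As an added example (not from the post or from Oracle), here is the null-safe version I would use in place of the loop above: roles are searched through RoleManager, and every attribute is read via getAttribute() using the RoleManagerConstants names, so a role without a description prints "<not set>" instead of throwing. It assumes the OIM 11g RoleManager and SearchCriteria API, with the RoleManager obtained from OIMClient.getService(RoleManager.class); the class and method names are mine, and which wildcard character works in namePattern depends on the release.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;

/**
 * Lists roles whose name matches a pattern, reading each attribute through
 * getAttribute() so that a missing attribute never reaches a typed getter.
 */
public class RoleLister {

    /** Returns the attribute as text, or a marker when the role has no value for it. */
    public static String attr(Role role, String attributeName) {
        Object value = role.getAttribute(attributeName);
        return value == null ? "<not set>" : value.toString();
    }

    /** One line per role: key, name, display name and description. */
    public static String describe(Role role) {
        return "Role Key :: " + attr(role, RoleManagerConstants.ROLE_KEY)
             + " | Role Name :: " + attr(role, RoleManagerConstants.ROLE_NAME)
             + " | Display Name :: " + attr(role, RoleManagerConstants.ROLE_DISPLAY_NAME)
             + " | Description :: " + attr(role, RoleManagerConstants.ROLE_DESCRIPTION);
    }

    /** Searches roles by name pattern; only the attributes we print are requested from the server. */
    public static List<Role> findRoles(RoleManager roleManager, String namePattern) throws Exception {
        SearchCriteria criteria = new SearchCriteria(
            RoleManagerConstants.ROLE_NAME, namePattern, SearchCriteria.Operator.EQUAL);
        Set<String> returnAttributes = new HashSet<String>();
        returnAttributes.add(RoleManagerConstants.ROLE_KEY);
        returnAttributes.add(RoleManagerConstants.ROLE_NAME);
        returnAttributes.add(RoleManagerConstants.ROLE_DISPLAY_NAME);
        returnAttributes.add(RoleManagerConstants.ROLE_DESCRIPTION);
        return roleManager.search(criteria, returnAttributes, new HashMap<String, Object>());
    }

    /** Prints every matching role; a role with no description no longer aborts the loop. */
    public static void printRoles(RoleManager roleManager, String namePattern) throws Exception {
        for (Role role : findRoles(roleManager, namePattern)) {
            System.out.println(describe(role));
        }
    }
}
```

Requesting only the attributes you print keeps the result set small and avoids pulling attributes the calling identity has no business reading; if the server-side authorization denies the search, RoleManager raises an exception rather than returning partial rows.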

OIM API ISSUE

Encountered New Bug in OIM

Today I was trying something and encountered a new bug in OIM where an end user can do more than the access defined for them in OIM. A few days back I found a similar issue (Biggest Bug). It was quite interesting. I was not expecting a few things, but ....

If I log in as an end user, I can't do a few operations in OIM, as the UI option is disabled for me for those operations and these things are handled through Authorization Policies; but when I tried to do those things programmatically, it allowed me to do the same.

The first question that came to my mind: "Are Authorization Policies only handling UI things?"

Of course not, as sometimes if I don't give access through Authorization Policies then I can't do those operations programmatically either.

Then where is the gap?
It seems that we still have to use OLD APIs for many operations in OIM 11g, and these are not evaluating Authorization Policies properly (at least not for my case :-)).

I can't share the API details for security reasons :-)

Why did I call it interesting?

We can't live without the OLD APIs, as if we drop them then the upgrade from 10g to 11g won't work at all. It is necessary to provide support for the 10g APIs in 11g for the upgrade.

What would be the solution then? Will they add an extra layer of authorization in all 10g APIs (which will take time)?

I hope we will get solutions for these security issues in the next release/patch.

Metadata Returned by OIM 11g API

Here are the attribute names (metadata) used by the Oracle Identity Manager 11g APIs:

FA Territory
usr_pwd_warn_date
Employee Number
usr_locale
Middle Name
Manually Locked
usr_disabled
usr_update
Date Format
Display Name={base=}
Mobile
usr_timezone
usr_locked
LDAP Organization
usr_pwd_reset_attempts_ctr
Currency
End Date
usr_deprovisioned_date
Pager
Time Format
usr_created
usr_deprovisioning_date
PO Box
Color Contrast
usr_create
LDAP GUID
Full Name={base=}
Accessibility Mode
Country
Xellerate Type
usr_change_pwd_at_next_logon
usr_pwd_expire_date
usr_pwd_cant_change
Email
usr_provisioned_date
usr_data_level
Common Name
Automatically Delete On
Locked On
Start Date
Last Name
usr_login_attempts_ctr
First Name
Encryption test
Locality Name
usr_manager_key
usr_policy_update
Number Format
Street
Current Status
Embedded Help
usr_pwd_expired
Department Number
Hire Date
usr_createby
usr_pwd_warned
Home Postal Address
Telephone Number
Font Size
usr_updateby
Description
Home Phone
LDAP Organization Unit
usr_pwd_min_age_date
Fax
Postal Code
act_key
usr_key
User Login
Title
ObjectGUID
Status
Generation Qualifier
Postal Address
State
usr_pwd_nev


For printing the ResultSet returned by the OIM 10g API, click here.
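The names above are the keys of the attribute map that the 11g user API hands back. As an added example (not from the post or from Oracle), here is how I would fetch a user's attributes with UserManager.getDetails for a chosen subset of those names and print them sorted, resolving the multi-language entries (Display Name, Full Name, whose values show up as {base=...} in the list) to their base value. It assumes the OIM 11g UserManager API, with the UserManager obtained from OIMClient.getService(UserManager.class); the class, the method names and the attribute subset are mine.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;

/**
 * Fetches a user through the UserManager API and renders the returned attribute
 * map, whose keys are the attribute names listed above.
 */
public class UserAttributeDump {

    /** Attributes worth fetching for a quick identity check; names taken from the list above. */
    public static Set<String> basicAttributes() {
        Set<String> attrs = new HashSet<String>();
        attrs.add("usr_key");
        attrs.add("User Login");
        attrs.add("First Name");
        attrs.add("Last Name");
        attrs.add("Display Name");
        attrs.add("Email");
        attrs.add("Status");
        attrs.add("usr_manager_key");
        return attrs;
    }

    /** Looks the user up by login and returns only the requested attributes. */
    public static Map<String, Object> fetch(UserManager userManager, String userLogin,
                                            Set<String> attributes) throws Exception {
        // third argument 'true' means the first argument is a user login, not a usr_key
        User user = userManager.getDetails(userLogin, attributes, true);
        return user.getAttributes();
    }

    /** Renders the attribute map as "name = value" lines sorted by name. */
    public static String format(Map<String, Object> attributes) {
        StringBuilder out = new StringBuilder();
        for (Map.Entry<String, Object> e : new TreeMap<String, Object>(attributes).entrySet()) {
            out.append(e.getKey()).append(" = ").append(render(e.getValue())).append('\n');
        }
        return out.toString();
    }

    /** Multi-language attributes come back as a map with a "base" entry; show that one. */
    static String render(Object value) {
        if (value == null) {
            return "<null>";
        }
        if (value instanceof Map) {
            Map<?, ?> mls = (Map<?, ?>) value;
            Object base = mls.get("base");
            return base == null ? mls.toString() : base.toString();
        }
        return value.toString();
    }

    public static void printUser(UserManager userManager, String userLogin) throws Exception {
        System.out.print(format(fetch(userManager, userLogin, basicAttributes())));
    }
}
```

Asking for a named subset rather than every attribute keeps password-policy counters and other operational fields (the usr_pwd_* names in the list) out of logs and tickets where they are not needed.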