Friday, December 15, 2017

Reconciliation


       Reconciliation is the process of synchronizing identities and accounts with Identity Manager.

       Reconciliation is a pull mechanism while Provisioning is a push mechanism.

       In this model, Oracle Identity Manager serves as the single, up-to-date store for all user, user group, and organization data of the target system.

       Reconciliation involves using the user discovery and account discovery features of Oracle Identity Manager. Configuring reconciliation involves selecting a combination of options from the following reconciliation parameters:

       Reconciliation Type: Trusted or Target Reconciliation

       Reconciliation Mode: Full or Incremental

       Batched or Nonbatched Reconciliation

       Limited or Regular Reconciliation

 Trusted/Authoritative Reconciliation:

       The process of loading identities into IDM is known as Trusted or Authoritative Reconciliation. In this process, user profiles are loaded into IDM and OIM Users are created from them.

       For example, suppose user data is stored in Active Directory. If trusted reconciliation is run against Active Directory, the user is created in IDM. If a user with that user ID already exists in IDM, that user's profile is updated with any new values from Active Directory.

 The following steps are involved in trusted recon:

       A change (create, update, or delete) is made on the target system.

       The change on the target system is detected and communicated to Oracle Identity Manager by the reconciliation APIs.

       A reconciliation event record is created for each target system record that is communicated to Oracle Identity Manager.

Events for which matches with existing OIM Users are found are forwarded for further processing. Events for which matches cannot be found can be further processed by an administrator.

       The reconciliation engine checks if there are values in each event for the attributes that are designated as mandatory attributes in Oracle Identity Manager.

       For each event, the reconciliation rules are evaluated to find the matching OIM User for the event.

       If a match is found, then the match is added to the list of matches that have been found up to this point.

       Depending on the state of each event (matched or unmatched), reconciliation action rules are applied to it. If the action rule specifies assignment, the event is assigned to an administrator or administrator group. If the action rule specifies linking, the event is forwarded for linking.

Target/Non-Authoritative/Account Reconciliation:

       The process of loading account profiles into IDM is known as Target or Non-Authoritative Reconciliation. In this process, each user's account profile (the user's target account information) is loaded. Only the user's Resource Profile is created in this reconciliation, not the user profile.

       Again, suppose user data is stored in Active Directory. If target reconciliation is run against Active Directory, the user's Resource Profile is created in OIM. The Resource Profile shows that the user has an account in Active Directory. For the Resource Profile to be created, the user must already exist in IDM.

 The following steps are involved in target recon:

       A change (create, update, or delete) is made on the target system.

       The change on the target system is detected and communicated to Oracle Identity Manager by the reconciliation APIs.

       A reconciliation event record is created for each target system record that is communicated to Oracle Identity Manager.

       Events for which matches with existing OIM Users are found are forwarded for further processing. Events for which matches cannot be found can be further processed by an administrator.
 
       The reconciliation engine checks if there are values in each event for the attributes that are designated as mandatory attributes in Oracle Identity Manager.

       For each event, the process matching rules (defined by the key field for reconciliation matching) are evaluated to find the provisioned resource that matches the event.

       If a match is found, then the match is added to the list of provisioned resource matches that have been found up to this point.

       Depending on the state of each event (matched or unmatched), reconciliation action rules are applied to it. If the action rule specifies assignment, the event is assigned to an administrator or administrator group. If the action rule specifies linking, the event is forwarded for linking.
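The trusted and target event processing steps above, modelled in an added Python example (this is not code from the post or from Oracle Identity Manager itself): one event per target record, the mandatory-attribute check, then the matching rule and the action taken for each event state. The key field, the MANDATORY list, the action names and all user and account records are constructed assumptions.

```python
# Constructed sample data (not OIM's real tables): the attributes treated as
# mandatory, the existing OIM Users keyed by login, and the accounts already
# provisioned to them on the target system (their Resource Profiles).
MANDATORY = ["uid", "sn"]
OIM_USERS = {"rfederer": {"uid": "rfederer", "givenname": "Roger", "sn": "Federer"}}
PROVISIONED = {"rfederer": {"uid": "rfederer", "owner": "rfederer"}}
AD_RECORDS = [   # constructed target-system (Active Directory) records
    {"uid": "rfederer", "givenname": "Roger", "sn": "Federer", "mail": "rf@example.com"},
    {"uid": "rnadal", "givenname": "Rafael", "sn": "Nadal"},
    {"uid": "x9", "givenname": "", "sn": ""},   # fails the mandatory check
]

def process_events(target_records, recon_type, users, provisioned, key_field="uid"):
    """Apply the steps above to each target record. Returns one
    (key, state, action) tuple per reconciliation event and updates the
    users / provisioned dicts in place as the action rules would."""
    results = []
    for record in target_records:
        event = dict(record)            # one reconciliation event per record
        key = event.get(key_field)
        # The engine first checks that every mandatory attribute has a value.
        if any(not event.get(attr) for attr in MANDATORY):
            results.append((key, "invalid", "assign to administrator"))
            continue
        if recon_type == "trusted":
            # Matching rule: the event's key field against existing OIM Users.
            if key in users:
                users[key].update(event)          # linked: update the profile
                results.append((key, "matched", "update user"))
            else:
                users[key] = event                # no match: create the OIM User
                results.append((key, "unmatched", "create user"))
        elif recon_type == "target":
            # Process matching rule: key field against provisioned accounts.
            if key in provisioned:
                provisioned[key].update(event)    # linked: update process form
                results.append((key, "matched", "update resource"))
            elif key in users:
                # New account whose owner exists in IDM: create its Resource
                # Profile (the default provisioning process in the text).
                provisioned[key] = dict(event, owner=key)
                results.append((key, "unmatched", "create resource"))
            else:
                # Owner not present in IDM: leave the event to an administrator.
                results.append((key, "unmatched", "assign to administrator"))
        else:
            raise ValueError(f"unknown reconciliation type: {recon_type!r}")
    return results

if __name__ == "__main__":
    for row in process_events(AD_RECORDS, "trusted", dict(OIM_USERS), dict(PROVISIONED)):
        print(row)
```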

Reconciliation Mode: Full or Incremental

       The purpose of full recon mode is to reconcile all accounts on the target system into Oracle Identity Manager.

       Full reconciliation is performed by default during the first reconciliation run performed on a target system.

       In subsequent reconciliation runs, only the user account records that were added, modified, or deleted after the first reconciliation run ended are fetched. This is incremental recon.

       One can manually switch from incremental reconciliation to full reconciliation by setting the value of the timestamp parameter to 0.

 Batched or Nonbatched Reconciliation:

       In a normal recon run, all target system changes are reconciled into OIM in a single pass. Where the connection to the target system may break partway through such a run, batched recon is advisable.

       For batched recon, specify the StartRecord, BatchSize, and NumberOfBatches parameters.

       If batched recon is not wanted, leave the batch size unspecified; non-batched recon then occurs.

Limited or Regular Reconciliation:

       One can implement limited recon by creating customized queries for Reconciliation.

       A sample query is:

                 givenname=Roger&sn=Federer

       With this customized query, only the records of users whose first name is Roger and last name is Federer are reconciled.

       For any target system, if you do not specify a custom query, then a regular reconciliation takes place.
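The parameters described above (full or incremental via the timestamp, batched or non-batched via StartRecord, BatchSize and NumberOfBatches, and limited or regular via a custom query) combined in one fetch, as an added Python example that is not code from the post or from any OIM connector. The record fields, the integer "modified" timestamps and the AND semantics of the query are constructed assumptions; deleted records are not modelled.

```python
# Constructed target-system records (not real data): "modified" is the
# record's last-modified time as a plain integer, e.g. epoch seconds.
TARGET_RECORDS = [
    {"uid": "rfederer", "givenname": "Roger", "sn": "Federer", "modified": 100},
    {"uid": "rnadal", "givenname": "Rafael", "sn": "Nadal", "modified": 150},
    {"uid": "rfed2", "givenname": "Roger", "sn": "Federer", "modified": 200},
    {"uid": "sgraf", "givenname": "Steffi", "sn": "Graf", "modified": 250},
]

def parse_custom_query(query):
    """Parse a limited-recon query like 'givenname=Roger&sn=Federer' into
    {attribute: value}; all clauses must match (AND). Empty query = regular."""
    filters = {}
    for clause in (query.split("&") if query else []):
        attr, sep, value = clause.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed query clause: {clause!r}")
        filters[attr.strip()] = value.strip()
    return filters

def fetch_for_reconciliation(records, timestamp=0, custom_query="",
                             start_record=0, batch_size=None,
                             number_of_batches=None):
    """Return the batches of records a reconciliation run would process.

    timestamp 0 selects full recon (every record); any other value selects
    incremental recon (records modified after it). batch_size None means
    non-batched recon: everything in one batch. Otherwise batching starts at
    start_record and stops after number_of_batches batches (None = no limit).
    """
    filters = parse_custom_query(custom_query)
    selected = [
        r for r in records
        if (timestamp == 0 or r["modified"] > timestamp)
        and all(r.get(attr) == value for attr, value in filters.items())
    ]
    if batch_size is None:
        return [selected]
    if batch_size <= 0 or start_record < 0:
        raise ValueError("BatchSize must be positive and StartRecord non-negative")
    batches = []
    pos = start_record
    while pos < len(selected) and (number_of_batches is None
                                   or len(batches) < number_of_batches):
        batches.append(selected[pos:pos + batch_size])
        pos += batch_size
    return batches
```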


Components of the Reconciliation Module:

       Reconciliation APIs: APIs provide for the creation of both Regular and Delete Reconciliation events, and the mechanisms by which the appropriate data is provided for the events.

       Reconciliation Field Definitions: When you define a target system as a resource object in Oracle Identity Manager, you create reconciliation fields to represent the actual fields of the target system.

       Reconciliation Field Mappings: The reconciliation field mapping is used to map the process form fields with the reconciliation fields specified in the resource object.

       Reconciliation Matching Rules: The reconciliation matching rules are used by the reconciliation engine to determine the identity to which Oracle Identity Manager must assign a newly discovered account on the target system.

       Reconciliation Action Rules: Once matching has been evaluated, these rules specify what action to perform. The action can create a user, or update or delete an existing user.

       Reconciliation Engine: The reconciliation engine uses all configurable components and includes the data processor and rule evaluator that use these components to convert input data into a list of action items. 

       Reconciliation Event Manager: The Reconciliation Event Manager is a form in the Design Console. You can use this form to examine a reconciliation event and perform the required actions.

       Reconciliation Provisioning Tasks: In target resource reconciliation, if an event is linked to an existing instance of a provisioned resource, then the process form for that resource instance is updated.

If the account did not exist in Oracle Identity Manager before the reconciliation run, then the default provisioning process is initiated, adapters are suppressed, and all nonconditional tasks are completed automatically.

The marker task can be either Reconciliation Insert Received or Reconciliation Update Received.

Thursday, December 14, 2017

IDAM


Identity and Access Management

Oracle Identity Manager

(OIM)

Oracle Identity Manager is an enterprise/organization management system that automatically manages user’s access privileges. It has the following uses:

·         User Provisioning

·         Role & policy management

·         Reconciliation

·         Self service

1.      Provisioning

The process of creating, updating, or deleting user information in a target resource. It is performed entirely by OIM; data flows from OIM to the target resource.

Resource: here a resource means an external system such as an E-directory or LDAP server.

2.      Reconciliation

The process of comparing and synchronizing account information in the target system with OIM. Here data flows from the target resources (external) to Oracle Identity Manager.

a)      Trusted Source Reconciliation

The external source from which OIM pulls the information has to be a trusted or authoritative source (e.g. PeopleSoft, Workday).

b)     Full Reconciliation

The purpose of full recon is to reconcile all accounts on the target system into Oracle Identity Manager. It is mainly done when migrating from a legacy system.

            Reconciliation is scheduled according to the needs of the enterprise/organization; recon can be run on a daily, weekly, or other regular basis.

3.      Self Service

Oracle Identity Manager's self-service capabilities allow users to manage their own passwords across managed resources. If a user forgets his password, OIM presents challenge questions that the user answers to verify his identity and recover the password. It is used as a cost-cutting service.

 OIM Overview

                        The OIM (Oracle Identity Manager) pulls data or information from a trusted source; this is known as Reconciliation. The data is stored in ODSEE (Oracle Directory Server Enterprise Edition), which is also called the E-directory server. The data is pushed to the target resources, which is known as Provisioning. ODSEE makes use of Connectors to map the data to target resources.

Connectors

            It holds the information that OIM needs to reconcile user identities with an external source and to provision users to a target resource.

 Ø For validating user credentials, the directory server/E-directory is used, whereas for application authentication ODSEE is used.
 Ø For protecting an application, the respective application "URL" has to be protected.

Oracle Access Manager

(OAM)

                    It is an access management tool that provides a Single Sign-On (SSO) solution. In simple words, OAM is responsible for Authentication and Authorization, where Authentication means validating the credentials and Authorization means deciding what level of access to grant.

OAM Overview

                        When a user sends a request over the internet, the request goes to the WebGate, which mediates between the internet and OAM. A request arriving at the WebGate is for one of two kinds of URL: Protected or Unprotected. The WebGate is where the PEP (Policy Enforcement Point) is applied.

If it is an Unprotected URL, the request goes to OAM and access is granted without asking for any credentials. If the URL is a protected one, the request flows to OAM, which in turn goes to ODSEE; ODSEE is connected to OIM, where the credentials are verified and access is given according to the roles and policy.

A load balancer is used to balance out the requests coming from users. It divides the load equally between the servers so that requests are executed as fast as possible. It sits between the WebGate and OAM.

Clustering is the other way of handling the load. A server is defined and instances of that server are made, and it is pre-defined how much load each server will take. It is used for High Availability.

Disaster Recovery

            It is a precautionary step that has to be implemented to safeguard data or information. If one DC (data center) fails for some unavoidable reason, the data should be saved automatically to the backup DC, from where it can be retrieved at any given time.

Agents

            It is a tool used to communicate between the WebGate and OAM.

Oracle HTTP Server (OHS)

            Every application needs a WebGate. Instead of installing a WebGate in front of each application, all the WebGates are installed at a single point, which is the OHS.

Oracle Virtual Directory (OVD)

            It virtually collects, or clusters, all identity information from multiple directory servers or databases and returns it to OAM.

Session

            The same idle timeout is maintained for all applications.

Application Domain

·         Resource policy

·         Authentication policy and

·         Authorization policy

Resource policy

            A resource is a document, entity, or content stored on the server that is available to users. Users/clients access resources using a particular protocol (e.g. HTTP, HTTPS). These resources are defined within OAM.

Authentication policy 

            This mainly deals with how users/clients are authenticated, i.e. against which source and for which resources. Authentication policies are defined for resources in the application domain.

Authorization policy

            Authorization is the process of determining whether a user has the right to access the requested page/resource. Authorization is granted based on the roles and policies defined in the application domain.

Identity and Access Management


1.     Explain the architecture of Oracle Identity Manager.

Ans : The Oracle Identity Manager architecture consists of three tiers:

Tier 1: Client:

The Oracle Identity Manager application GUI components reside in this tier. Users log in by using the Oracle Identity Manager client. The Oracle Identity Manager client interacts with the Oracle Identity Manager server, providing it with the user's login credentials.

Tier 2: Application Server:

The second tier implements the business logic, which resides in the Java Data Objects that are managed by the supported J2EE application server (JBoss application server, BEA WebLogic, and IBM WebSphere). The Java Data Objects implement the business logic of the Oracle Identity Manager application, however, they are not exposed to any methods from the outside world. Therefore, to access the business functionality of Oracle Identity Manager, you can use the API layer within the J2EE infrastructure, which provides the lookup and communication mechanism.

Tier 3: Database:

The third tier consists of the database. This is the layer that is responsible for managing the storage of data within Oracle Identity Manager.

2.     What is an Adapter? What Adapters are available in OIM?

Ans : An adapter is a Java class that is created by an Oracle Identity Manager user through the Adapter Factory. The following adapter types are available:

Process Task Adapter - automates completion of a process task and is attached to a Process Definition Form (AD user, OID User, etc.).

Entity Adapter - automatically populates a field on the OIM User form or a custom User Form on pre-update, pre-delete, pre-insert, post-insert, post-update, or post-delete.

Pre-Populate Adapter - a specific type of rule generator attached to a user-created form field that can automatically generate data on the form; it does not save that data to the OIM database but does send it to the appropriate directory user object. The data can come from manual entry on a form or from automated entry from the OIM-defined forms.

Rule Generator - can populate fields automatically on an OIM form or a user-created form and save them to the OIM database based on business rules.

Task Assignment Adapter - automates the assignment of a process task to a user or group.

3.     What do you mean by Connectors?

Ans : Connectors are the plugins that help in integrating OIM with external sources or target systems. In any OIM implementation, Reconciliation and Provisioning depend on the configuration provided by these Connectors. Connectors are containers that consist of several components, such as IT Resources, Process Forms, Adapters, and Event Handlers, which are needed to integrate the external sources, applications and target systems. A scalable and flexible integration architecture is critical for the successful deployment of a company's provisioning solutions. Oracle Identity Manager offers a proven integration architecture and predefined connectors for fast and low-cost deployments.
4.     What is an Event Handler?

Ans : In an Identity Management system, any action performed by a user or by the system is called an operation or Event. Examples of Events are creating users, updating users, creating a password policy, and so on.

Types:

1. Pre-process Event Handler
2. Post-process Event Handler

Pre-process Event Handler: Pre-process Event Handlers are mostly used for validation purposes.

Post-process Event Handler: Post-process Event Handlers are written mainly when there is a need to make changes internally after an event is triggered in OIM. For example: assign a role according to the Organization, auto-assign an email ID using the Firstname and Lastname of the user, and so on.
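The pre-process and post-process handler pattern above, modelled on a create-user event in an added Python example (not code from the post and not OIM's own kernel SPI): the pre-process handler validates the event, and two post-process handlers assign a role by organization and derive an email ID from first and last name. The ROLE_BY_ORG map, the example.com domain, the numeric-suffix collision rule and the parameter names are assumptions.

```python
ROLE_BY_ORG = {"Finance": "FIN_USERS", "Engineering": "ENG_USERS"}  # constructed
MAIL_DOMAIN = "example.com"                                          # assumption
ASSIGNED_EMAILS = set()   # constructed stand-in for addresses already in OIM

def validate_create_user(params):
    """Pre-process handler: refuse the event unless the data it needs exists."""
    for attr in ("Firstname", "Lastname", "Organization"):
        if not str(params.get(attr, "")).strip():
            raise ValueError(f"{attr} is required to create a user")
    if params["Organization"] not in ROLE_BY_ORG:
        raise ValueError(f"no role mapping for organization {params['Organization']!r}")

def assign_role_by_org(params):
    """Post-process handler: grant the role mapped to the user's organization."""
    params.setdefault("Roles", []).append(ROLE_BY_ORG[params["Organization"]])

def auto_assign_email(params):
    """Post-process handler: build firstname.lastname@domain, adding a numeric
    suffix if that address was already handed out (collision rule assumed)."""
    base = f"{params['Firstname']}.{params['Lastname']}".lower().replace(" ", "")
    candidate, n = f"{base}@{MAIL_DOMAIN}", 1
    while candidate in ASSIGNED_EMAILS:
        n += 1
        candidate = f"{base}{n}@{MAIL_DOMAIN}"
    ASSIGNED_EMAILS.add(candidate)
    params["Email"] = candidate

PRE_PROCESS = [validate_create_user]
POST_PROCESS = [assign_role_by_org, auto_assign_email]

def run_create_user_event(params):
    """Run the pre-process handlers, then the create-user operation, then the
    post-process handlers. A pre-process failure aborts the event before any
    change is made; post-process handlers see and extend the created user."""
    user = dict(params)
    for handler in PRE_PROCESS:
        handler(user)
    user["Status"] = "Active"   # stands in for OIM's own create-user operation
    for handler in POST_PROCESS:
        handler(user)
    return user

def is_rejected(params):
    """True when the pre-process stage refuses the event."""
    try:
        run_create_user_event(params)
        return False
    except ValueError:
        return True
```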