Oracle Identity Manager customization is performed through the Design Console, which provides configuration and design functions such as designing forms and workflows and creating and managing adapters. Through the Design Console, you can also grant users privileges to work on particular areas of the application configuration.
The Design Console lets you perform Oracle Identity Manager customization tasks such as adding and modifying rule elements for a rule, creating or editing e-mail definitions, and creating forms. For these customization tasks, you must set parameters, variables, and data types. This section describes these parameters, variables, and data types.
In the Rule Elements tab of the Rule Designer form, you can create and manage elements and nested rules for a rule. Table 30-1 lists the rule elements that can be used to create Oracle Identity Manager rules, by using the Rule Designer form.
Table 30-1 Rule Elements to Create Oracle Identity Manager Rules
| Type | Sub-Type | Attribute Source | Variable |
|---|---|---|---|
| General | NA | User Profile Data |  |
|  |  |  | End Date |
|  |  |  | First Name |
|  |  |  | Identity |
|  |  |  | Last Name |
|  |  |  | Display Name |
|  |  |  | Manager |
|  |  |  | Middle Name |
|  |  |  | Organization Name |
|  |  |  | User Role Name |
|  |  |  | Start Date |
| General | NA | User Profile Data | User Type |
|  |  |  | Identity Status |
|  |  |  | User Login |
|  |  |  | Design Console Access |
|  |  |  | Any fields that are displayed in the User Defined Fields region of the User Profile tab of the Users form. |
| Process Determination |  | Requester Information | Display Name |
|  |  |  |  |
|  |  |  | End Date |
|  |  |  | First Name |
|  |  |  | Identity |
|  |  |  | Last Name |
|  |  |  | Manager Full Name |
|  |  |  | Manager |
|  |  |  | Middle Name |
|  |  |  | Organization Name |
|  |  |  | Start Date |
|  |  |  | Identity Status |
|  |  |  | User Role Name |
|  |  |  | User Login |
|  |  |  | Design Console Access |
|  |  |  | Any fields that are displayed in the User Defined Fields region of the User Profile tab of the Users form. |
| Process Determination | Organization Provisioning | Object Information | Object Name |
|  |  |  | Object Type |
|  |  | Request Target Information | Organization Customer Type |
|  |  |  | Organization Name |
|  |  |  | Organization Status |
|  |  |  | Parent Organization |
|  |  |  | Any fields that are displayed in the User Defined Fields tab of the Organizations form. |
|  |  | Object Data Information | Any fields that are displayed in the Additional Columns tab of the Form Designer form for the custom form associated with the resource object. |
|  |  | Process Data Information | Any fields that are displayed in the Additional Columns tab of the Form Designer form for the custom form associated with the process. |
|  | User Provisioning | Requester Information | Display Name |
|  |  |  |  |
|  |  |  | End Date |
|  |  |  | First Name |
|  |  |  | Identity |
|  |  |  | Last Name |
|  |  |  | Manager Full Name |
|  |  |  | Manager |
|  |  |  | Middle Name |
|  |  |  | Organization Name |
|  |  |  | User Type |
|  |  |  | Start Date |
|  |  |  | Identity Status |
|  |  |  | User Role Name |
|  |  |  | User Login |
|  |  |  | Design Console Access |
|  |  |  | Any field defined on the  |
|  |  | Object Information | Object Name |
|  |  |  | Object Type |
|  |  | Request Target Information | Display Name |
|  |  |  |  |
|  |  |  | End Date |
|  |  |  | First Name |
|  |  |  | Identity |
|  |  |  | Last Name |
|  |  |  | Manager Full Name |
|  |  |  | Manager |
|  |  |  | Middle Name |
|  |  |  | Organization Name |
|  |  |  | User Type |
|  |  |  | Start Date |
|  |  |  | Identity Status |
|  |  |  | User Role Name |
|  |  |  | User Login |
|  |  |  | Design Console Access |
|  |  |  | Any field defined on the  |
| Process Determination | User Provisioning | Requester Information; Request Target Information | Any fields that are displayed in the User Defined Fields region of the User Profile tab of the Users form. |
|  |  | Object Information | Object Name |
|  |  |  | Object Type |
|  |  | Object Data Information | Any fields that are displayed in the Additional Columns tab of the Form Designer form for the custom form associated with the resource object. |
|  |  | Process Data Information | Any fields that are displayed in the Additional Columns tab of the Form Designer form for the custom form associated with the process. |
| Task Assignment | Organization Provisioning; User Provisioning | Task Information | Allow Cancellation while Pending |
|  |  |  | Allow Multiple Instances |
|  |  |  | Assign Task to Manager |
|  |  |  | Disable Manual Insert |
|  |  |  | Task Conditional |
|  |  |  | Task Data Label |
|  |  |  | Task Default Assignee |
|  |  |  | Task Name |
|  |  |  | Task Required for Completion |
|  |  |  | Task Sequence |
|  |  | Process Information | Object Name |
|  |  |  | Process Name |
|  |  |  | Process Type |
|  |  | Object Information | Object Name |
|  |  |  | Object Type |
|  |  | Requester Information |  |
|  |  |  | End Date |
|  |  |  | First Name |
|  |  |  | Identity |
| Task Assignment | Organization Provisioning; User Provisioning | Requester Information | Display Name |
|  |  |  |  |
|  |  |  | End Date |
|  |  |  | First Name |
|  |  |  | Identity |
|  |  |  | Last Name |
|  |  |  | Manager Full Name |
|  |  |  | Manager |
|  |  |  | Middle Name |
|  |  |  | Organization Name |
|  |  |  | User Type |
|  |  |  | Start Date |
|  |  |  | Identity Status |
|  |  |  | User Role Name |
|  |  |  | User Login |
|  |  |  | Design Console Access |
|  |  |  | Any field that is displayed in the User Defined Fields region of the User Profile tab of the Users form |
|  |  | Object Data Information | Any field that is displayed in the Additional Columns tab of the Form Designer form for the custom form associated with the resource object |
|  |  | Process Data Information | Any field that is displayed in the Additional Columns tab of the Form Designer form for the custom form associated with the process |
| Pre-Populate | Organization Provisioning; User Provisioning | Requester Information | Display Name |
|  |  |  |  |
|  |  |  | End Date |
|  |  |  | First Name |
|  |  |  | Identity |
|  |  |  | Last Name |
|  |  |  | Manager Full Name |
|  |  |  | Manager |
|  |  |  | Middle Name |
|  |  |  | Organization Name |
|  |  |  | User Type |
|  |  |  | Start Date |
|  |  |  | Identity Status |
|  |  |  | User Role Name |
|  |  |  | User Login |
|  |  |  | Design Console Access |
|  |  |  | Any field that is displayed in the User Defined Fields region of the User Profile tab of the Users form |
|  |  | Request Information | Request Creation Date |
|  |  |  | Request ID |
|  |  |  | Request Object Action |
|  |  |  | Request Priority |
|  |  |  | Requestor |
|  |  | Object Information | Object Name |
|  |  |  | Object Type |
|  |  | Object Data Information | Any field that is displayed in the Additional Columns tab of the Form Designer form for the custom form associated with the resource object |
|  |  | Process Data Information | Any field that is displayed in the Additional Columns tab of the Form Designer form for the custom form associated with the process |
|  | Organization Provisioning | Request Target Information | Organization Customer Type |
|  |  |  | Organization Name |
|  |  |  | Organization Status |
|  |  |  | Parent Organization |
|  |  |  | Any field that is displayed in the User Defined Fields tab of the Organizations form |
|  | User Provisioning | Request Target Information |  |
|  |  |  | End Date |
|  |  |  | First Name |
|  |  |  | Identity |
|  |  |  | Last Name |
|  |  |  | Manager Full Name |
|  |  |  | Manager Login |
| Pre-Populate | User Provisioning | Request Target Information | Display Name |
|  |  |  |  |
|  |  |  | End Date |
|  |  |  | First Name |
|  |  |  | Identity |
|  |  |  | Last Name |
|  |  |  | Manager Full Name |
|  |  |  | Manager |
|  |  |  | Middle Name |
|  |  |  | Organization Name |
|  |  |  | User Type |
|  |  |  | Start Date |
|  |  |  | Identity Status |
|  |  |  | User Role Name |
|  |  |  | User Login |
|  |  |  | Design Console Access |
|  |  |  | Any field that is displayed in the User Defined Fields region of the User Profile tab of the Users form |
You can use the Email Definition form to create templates for e-mail notifications to be sent to the users. Table 30-2 lists the variables that can be used to create e-mail templates by using the Email Definition form.
Table 30-2 Variables to Create Templates
| Type | Target | Location Type | Contact Type | Variable |
|---|---|---|---|---|
| Provisioning Related | User Profile Information; Assignee Profile Information | NA | NA | First Name |
|  |  |  |  | Identity |
|  |  |  |  | Last Name |
|  |  |  |  | Manager Login |
|  |  |  |  | Middle Name |
|  |  |  |  | Role |
|  |  |  |  | Status |
|  |  |  |  | End Date |
|  |  |  |  | User Group Name |
|  |  |  |  | User Login |
|  |  |  |  | User Manager |
|  |  |  |  | Start Date |
|  |  |  |  | Oracle Identity Manager Type |
|  |  |  |  | Manager Full Name |
|  |  |  |  | Organization Name |
|  |  |  |  |  |
| Provisioning Related | User Profile Information; Assignee Profile Information | NA | NA | Any field that is displayed in the User Defined Fields region of the User Profile tab of the Users form |
|  | Object Information | NA | NA | Object Name |
|  |  |  |  | Object Target Type |
|  |  |  |  | Object Type |
|  | Process Information | NA | NA | Object Name |
|  |  |  |  | Process Name |
|  |  |  |  | Process Type |
|  | Object Data Information | NA | NA | Any field that is displayed in the Additional Columns tab of the Form Designer form for the custom form associated with the resource object |
|  | Process Data Information | NA | NA | Any field that is displayed in the Additional Columns tab of the Form Designer form for the custom form associated with the process |
| General | User Profile Information | NA | NA | First Name |
|  |  |  |  | Identity |
|  |  |  |  | Last Name |
|  |  |  |  | Email Address |
|  |  |  |  | Manager Login |
|  |  |  |  | Middle Name |
|  |  |  |  | Role |
|  |  |  |  | Status |
|  |  |  |  | User End Date |
|  |  |  |  | User Group Name |
|  |  |  |  | User Login |
|  |  |  |  | User Manager |
|  |  |  |  | User Start Date |
|  |  |  |  | Oracle Identity Manager Type |
|  |  |  |  | Any field that is displayed in the User Defined Fields region of the User Profile tab of the Users form |
Table 30-3 describes the properties that can be associated with different data types used to create Oracle Identity Manager forms, by using the Form Designer form.
Table 30-3 Properties Associated with Data Types for Creating Oracle Identity Manager Forms
| Data Type | Data Property | Description |
|---|---|---|
| Text Field | Required | If this text field must be populated for the form to be saved, then enter "true" into the corresponding Property Value field. Otherwise, type "false" into this field. Note: The default value for this data property is false. |
|  | Is Visible | If you want this text field to be displayed when Oracle Identity Manager generates the form, then enter "true" into the corresponding Property Value field. Otherwise, type "false" into this field. Note: The default value for this data property is true. |
| Lookup Field | Auto Complete | By entering "true" in the corresponding Property Value field, Oracle Identity Manager filters the lookup field. A user can then add characters to the lookup field before double-clicking it. By doing so, only those lookup values that match these characters are displayed in the Lookup window. As an example, for a State lookup field, a user can enter "new" into the field. Then, once the user double-clicks the lookup field, only those states that begin with the letters "new" (for example, New Hampshire, New Jersey, New Mexico, and New York) are displayed in the Lookup window. If you do not want Oracle Identity Manager to filter the lookup field, then enter "false" into the associated Property Value field. The default property value for the Auto Complete property is false. |
|  | Column Captions | In the corresponding Property Value field, enter the name of the column heading that is displayed in the Lookup window when a user double-clicks the lookup field. If the Lookup window has multiple columns, then enter each column heading into the Property Value field, separating them with commas, for example, Organization Name, Organization Status. |
| Lookup Field | Column Names | In the corresponding Property Value field, enter the name of the database column that represents the column caption that you want to be displayed in the Lookup window. If the Lookup window has multiple columns, then enter each database column into the Property Value field, separating them with commas. |
|  | Column Widths | In the corresponding Property Value field, enter the width of the column that is displayed in the Lookup window. If the Lookup window has multiple columns, then enter each column width into the Property Value field, separating them with commas, for example, 20,20. |
|  | Lookup Column Name | In the corresponding Property Value field, enter the name of the Lookup column as it is displayed in the database; this is the value that is saved to the database. |
|  | Lookup Query | In the corresponding Property Value field, enter the name of the SQL query that runs when a user double-clicks the lookup field. As a result, the appropriate Lookup columns are displayed in the Lookup window. To correctly display the data returned from a query, you must add a ... entry, for example lookupfield.header.users.status=User Status. If the xlWebAdmin_locale.properties file does not contain a ... The syntax for a ... entry is lookupfield.header.column_code=display value. The column_code portion of the entry must be lowercase and any space must be replaced by the underscore character (_). By default, the following entries for lookup field column headers are already available in the system resource bundle: lookupfield.header.lookup_definition.lookup_code_information.code_key=Value; lookupfield.header.lookup_definition.lookup_code_information.decode=Description; lookupfield.header.users.manager_login=User ID; lookupfield.header.organizations.organization_name=Name; lookupfield.header.it_resources.key=Key; lookupfield.header.it_resources.name=Instance Name; lookupfield.header.users.user_id=User ID; lookupfield.header.users.last_name=Last Name; lookupfield.header.users.first_name=First Name; lookupfield.header.groups.group_name=Group Name; lookupfield.header.objects.name=Resource Name; lookupfield.header.access_policies.name=Access Policy Name |
| Lookup Field | Lookup Code | In the corresponding Property Value field, enter the lookup definition code. This code contains all information pertaining to the lookup field, including lookup values and the text that is displayed with the lookup field once a lookup value is selected. Important: The Lookup Code data property can be used in lieu of the Column Captions, Column Names, Column Widths, Lookup Column Name, and Lookup Query properties. In addition, the information contained in the Lookup Code property supersedes any values set in these five data properties. Tip: An easy way to enter a lookup code is by starting the Lookup Definition form, querying for the desired code, copying this code to the Clipboard, and pasting it into the Lookup Code field. Note: The classification type of the lookup definition code must be of Lookup Type (the Lookup Type radio button on the Lookup Definition form must be selected). |
|  | Required | If this Lookup field must be populated for the form to be saved, then enter "true" into the corresponding Property Value field. Otherwise, type "false" into this field. Note: The default value for this data property is false. |
|  | Visible Field | If you want this lookup field to be displayed when Oracle Identity Manager generates the form, then enter "true" into the corresponding Property Value field. Otherwise, type "false" into this field. Note: The default value for this data property is true. |
| Text Area | Number of Rows | In the corresponding Property Value field, enter the row length of the text area. So, if you want the text area to be five rows in length, then type "5" into the Property Value field. |
|  | Required | If this text area must be populated for the form to be saved, then enter "true" into the corresponding Property Value field. Otherwise, type "false" into this field. Note: The default value for this data property is false. |
|  | Visible Field | If you want this text area to be displayed when Oracle Identity Manager generates the form, then enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is true. |
| IT Resource Lookup Field | Type | If you select this data property, then a box is displayed in the Property Value field. From this box, select the type of Server for the IT Resource. Important: This property is required. |
|  | Required | If this lookup field must be populated for the form to be saved, then enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is false. |
|  | Visible Field | If you want this lookup field to be displayed when Oracle Identity Manager generates the form, then enter "true" into the corresponding Property Value field. Otherwise, type "false" into this field. Note: The default value for this data property is true. |
| Date and Time Window | Required | If this text field must be populated for the form to be saved, enter "true" into the corresponding Property Value field. Otherwise, type "false" into this field. Note: To populate this text field, double-click it, and select a date and time from the Date & Time window that is displayed. Note: The default value for this data property is false. |
|  | Visible Field | If you want this text field to be displayed when Oracle Identity Manager generates the form, then enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is true. |
| Password Field | Required | If this text field must be populated for the form to be saved, enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is false. |
|  | Visible Field | If you want this text field to be displayed when Oracle Identity Manager generates the form, then enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is true. |
| Radio Button | Required | If a radio button must be selected for the form to be saved, then enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is false. |
|  | Visible Field | If you want this radio button (or group of radio buttons) to be displayed when Oracle Identity Manager generates the form, then enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is true. |
| Check Box | Required | If this check box must be selected for the form to be saved, then enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is false. |
|  | Visible Field | If you want this check box to be displayed when Oracle Identity Manager generates the form, then enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is true. |
| Combo Box | Lookup Code | In the corresponding Property Value field, enter the Lookup definition code. This code contains all information pertaining to the box, including box items and the text that is displayed with the box once a lookup value is selected. Important: The Lookup Code data property can be used in lieu of the Column Captions, Column Names, Column Widths, Lookup Column Name, and Lookup Query properties. In addition, the information contained in the Lookup Code property supersedes any values set in these five data properties. Tip: An easy way to enter a lookup code is by starting the Lookup Definition form, querying for the desired code, copying this code to the Clipboard, and pasting it into the Lookup Code field. Note: The classification type of the lookup definition code must be of Lookup Type (the Lookup Type option on the Lookup Definition form must be selected). |
|  | Required | If an item from this box field must be selected for the form to be saved, then enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is false. |
|  | Visible Field | If you want this box to be displayed when Oracle Identity Manager generates the form, then enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is true. |
| Text Field (Display Only) | Visible Field | If you want this text field to be displayed when Oracle Identity Manager generates the form, then enter "true" into the corresponding Property Value field. Otherwise, type "false" in this field. Note: The default value for this data property is true. |
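The Lookup Query row of Table 30-3 states the rule for lookup column header entries (the column_code part is lowercase with spaces replaced by underscores) and lists the default entries, for example lookupfield.header.users.user_id=User ID. The following is an added example, not code from the Oracle documentation, of a small check a developer can run before deploying a custom lookup field: it derives the lookupfield.header key for each entry in the field's Column Names property under that rule and reports which keys the resource bundle lacks, so that a column does not appear with a raw key as its heading. The column names and bundle contents in main are constructed for the example, and the class and method names are this example's own.

```java
// Added example (not from the Oracle documentation): derive the
// lookupfield.header.* keys that a lookup field's Column Names need and
// report which ones are missing from the xlWebAdmin_locale.properties bundle.
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;

public class LookupHeaderCheck {

    /** Prefix shared by every lookup column header entry listed in Table 30-3. */
    static final String PREFIX = "lookupfield.header.";

    /**
     * Turn a column name as written in the Column Names property (for
     * example "Users.User ID") into the column_code form the resource
     * bundle expects: lowercase, with every space replaced by '_'.
     */
    static String columnCode(String columnName) {
        return columnName.trim().toLowerCase(Locale.ROOT).replace(' ', '_');
    }

    /**
     * Split the comma-separated Column Names value and return the bundle
     * key that must exist for each column, in the order the columns appear.
     */
    static List<String> requiredKeys(String columnNamesProperty) {
        List<String> keys = new ArrayList<>();
        for (String column : columnNamesProperty.split(",")) {
            if (!column.trim().isEmpty()) {
                keys.add(PREFIX + columnCode(column));
            }
        }
        return keys;
    }

    /** Return the required keys that the bundle does not define. */
    static List<String> missingKeys(String columnNamesProperty, Properties bundle) {
        List<String> missing = new ArrayList<>();
        for (String key : requiredKeys(columnNamesProperty)) {
            if (bundle.getProperty(key) == null) {
                missing.add(key);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for xlWebAdmin_locale.properties: two of the
        // default entries from Table 30-3 plus the custom "users.status" entry
        // the table uses as its example. In practice, load the real file.
        Properties bundle = new Properties();
        bundle.load(new StringReader(
            "lookupfield.header.users.user_id=User ID\n"
          + "lookupfield.header.users.last_name=Last Name\n"
          + "lookupfield.header.users.status=User Status\n"));

        // Constructed Column Names property value for a hypothetical user
        // lookup field; "Users.Department" is an invented column.
        String columnNames = "Users.User ID, Users.Last Name, Users.Status, Users.Department";

        for (String key : missingKeys(columnNames, bundle)) {
            System.out.println("missing header entry: " + key + "=<display value>");
        }
    }
}
```

With the constructed input, the check reports only the key for the invented department column; the other three columns are covered by the bundle. Run the same check against each locale-specific copy of the bundle, since a header that exists only in the default file will still fall back to the raw key for other locales.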
Service accounts are general administrator accounts that are used for maintenance purposes. They are typically shared by a set of users. Service accounts are requested, provisioned, and managed in the same manner as regular accounts. A service account is distinguished from a regular account by an internal flag.
When a user is provisioned with a service account, Oracle Identity Manager manages a mapping from the user's identity to the service account. This user is considered the owner of the service account. When the user is deleted or the resource is revoked, the provisioning process for the service account is not canceled (cancellation would cause the undo tasks to fire). Instead, a task is inserted into the provisioning process in the same way Oracle Identity Manager handles Disable and Enable actions. This task removes the mapping from the user to the service account, and returns the service account to the pool of available accounts. This management capability is exposed through APIs.
Table 30-4 describes the service account management tasks and their corresponding APIs.
Table 30-4 Service Account Management Tasks and Corresponding APIs
| Tasks | Description | API Methods |
|---|---|---|
| Service Account Change | You can change an existing regular account to be a service account or change an existing service account to be a regular account. Either way, the Service Account Change task is inserted into the provisioning process, becoming active in the Tasks tab of the Process Definition. Any adapter that is associated with this provisioning process runs. If there is no adapter, then a predefined response code is attached. |  |
| Service Account Alert | When a user with a linked service account is deleted or disabled, the Service Account Alert task is inserted into the provisioning process of the service account instance. You can use this task to start the appropriate actions in response to the event that occurred for the user. | NA |
| Service Account Moved | You can transfer ownership of a service account from one user to another. This translates into the provisioning instance showing up in the resource profile of the new owner, and no longer in the resource profile of the old user. The Service Account Moved task is inserted into the provisioning process of the resource instance after the account is moved. Any adapter associated with this provisioning process runs. If there is no adapter, then a predefined response code is attached. |  |
The following scenario describes how to allow a user to request a service account on Active Directory. To create a service account, you first create a regular account, and then use the changeToServiceAccount API to change the regular account to a service account. The following is the process to achieve this:
1. The user logs in and requests a service account.
2. The system prompts the Active Directory supervisor for approval.
3. The Active Directory supervisor approves the request.
4. The service account is created.
5. Notification is sent to the employee that the request has been approved.
Later, when the service account owner is off-boarded, the owner's supervisor should be assigned as the new owner of the service account and a notification is sent to the owner.
To implement this scenario, perform the following steps:
1. On the Active Directory object form, add a check box field so that the user can select whether the requested account is a service account or a regular account.
2. Modify the Active Directory process form to incorporate the check box field and establish data flow.
3. Grant the user permissions to update the object form.
4. The service account request process is the same as the user self-request process. The request is created and approved in the usual manner.
5. Add a conditional task to the provisioning process that is inserted after the creation of the account. This task checks the "is service account" flag on the process form and invokes the changeToServiceAccount() API by using the current account's oiu_key.
6. When provisioning starts, the provisioning process checks the flag and invokes the changeToServiceAccount() API.
Note that tasks can send out e-mail notifications when the tasks are completed.
7. When the user is off-boarded, attach an adapter to the "Service Account Alert" task so that the system can identify the current user, look up that user's manager or supervisor, and invoke the tcUserOperationsIntf.moveServiceAccount() API to reassign ownership of the service account appropriately.
This section describes at a high level how to allow a user to request that service account ownership be transferred away from another user and to the requesting user. The following is the process to achieve this:
1. The user logs in to Oracle Identity Manager and requests a transfer of ownership for a particular Active Directory service account away from the current user and to the requesting user.
2. The request is forwarded to the current service account owner for approval.
3. The service account is transferred to the requesting user upon approval of the current owner.
To implement this scenario, perform the following steps:
Note: This use case requires heavy customization.
1. Because the Oracle Identity Manager user interface does not support account ownership transfer requests, create a dummy resource with custom logic that queries the service accounts present in the system for particular resource objects.
2. The approver in this scenario is the service account owner. Therefore, use a task assignment adapter to first retrieve the service account owner, and then assign the task to that owner.
As noted in the previous scenario, tasks can send out e-mail notifications when tasks are completed.
3. After the approval goes through, invoke the moveServiceAccount() API to transfer ownership of the service account to the requester.
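The two scenarios above leave the adapter logic to the implementer: the conditional task that checks the "is service account" flag and calls changeToServiceAccount() with the account's oiu_key, the "Service Account Alert" adapter that moves the account to the owner's manager when the owner is off-boarded, and the post-approval step of the transfer scenario that moves the account to the requester. The following is an added example of that logic, written as an adapter class; it is not Oracle's code and is not taken from the documentation. It assumes an Oracle Identity Manager 11g deployment in which oracle.iam.platform.Platform.getService() returns the tcUserOperationsIntf API, that the process form check box arrives in the adapter as "1"/"0" (or "true"/"false"), and that the owner's manager can be read from the "Users.Manager Key" result column of findUsers(); the class, method and response-code names are this example's own, and the task definitions that map process data onto the adapter variables are created in the Design Console as described in the steps.

```java
// Added example (not Oracle's code): adapter methods for the service account
// scenarios above. Assumes OIM 11g (Platform.getService) to obtain the
// tcUserOperationsIntf API; response codes are mapped to task statuses in
// the task definition.
import java.util.HashMap;
import java.util.Map;

import Thor.API.Operations.tcUserOperationsIntf;
import Thor.API.tcResultSet;
import oracle.iam.platform.Platform;

public class ServiceAccountAdapters {

    /**
     * Scenario 1, step 5: conditional task inserted after account creation.
     * Adapter variables (mapped from process data in the task definition):
     *   isServiceAccount - the "is service account" check box, assumed "1"/"0"
     *   oiuKey           - the current account's oiu_key (object instance key)
     */
    public String changeToServiceAccountIfFlagged(String isServiceAccount, long oiuKey) {
        if (!isFlagSet(isServiceAccount)) {
            return "REGULAR_ACCOUNT";   // nothing to do; the account stays regular
        }
        tcUserOperationsIntf userOps = Platform.getService(tcUserOperationsIntf.class);
        try {
            userOps.changeToServiceAccount(oiuKey);   // sets the internal service-account flag
            return "SUCCESS";
        } catch (Exception e) {
            return "CHANGE_TO_SERVICE_ACCOUNT_FAILED";
        } finally {
            userOps.close();
        }
    }

    /**
     * Scenario 1, step 7: adapter on the "Service Account Alert" task. When the
     * owner is deleted or disabled, reassign the account to the owner's manager
     * so that a shared administrative account never remains without an owner.
     */
    public String reassignToOwnersManager(long oiuKey, long ownerUsrKey) {
        tcUserOperationsIntf userOps = Platform.getService(tcUserOperationsIntf.class);
        try {
            Map<String, String> filter = new HashMap<>();
            filter.put("Users.Key", String.valueOf(ownerUsrKey));
            tcResultSet owner = userOps.findUsers(filter);
            if (owner.getRowCount() != 1) {
                return "OWNER_NOT_FOUND";
            }
            owner.goToRow(0);
            String managerKey = owner.getStringValue("Users.Manager Key");  // assumed column name
            if (managerKey == null || managerKey.trim().isEmpty()) {
                return "NO_MANAGER_DEFINED";   // leave the alert task for manual handling
            }
            return moveTo(userOps, oiuKey, Long.parseLong(managerKey.trim()));
        } catch (Exception e) {
            return "MANAGER_LOOKUP_FAILED";
        } finally {
            userOps.close();
        }
    }

    /** Scenario 2, step 3: after the current owner approves, move the account to the requester. */
    public String transferToRequester(long oiuKey, long requesterUsrKey) {
        tcUserOperationsIntf userOps = Platform.getService(tcUserOperationsIntf.class);
        try {
            return moveTo(userOps, oiuKey, requesterUsrKey);
        } finally {
            userOps.close();
        }
    }

    /** Shared move; the Service Account Moved task is inserted by OIM after this succeeds. */
    private static String moveTo(tcUserOperationsIntf userOps, long oiuKey, long newOwnerUsrKey) {
        try {
            userOps.moveServiceAccount(oiuKey, newOwnerUsrKey);
            return "SUCCESS";
        } catch (Exception e) {
            return "MOVE_SERVICE_ACCOUNT_FAILED";
        }
    }

    private static boolean isFlagSet(String value) {
        if (value == null) {
            return false;
        }
        String v = value.trim();
        return "1".equals(v) || Boolean.parseBoolean(v);
    }
}
```

Each public method returns a response code rather than throwing, so the task definition can map SUCCESS to Completed and every other code to Rejected, which keeps a failed move visible in the Tasks tab instead of silently leaving the service account attached to a deleted or disabled user. The NO_MANAGER_DEFINED branch is deliberate: moving the account to nobody is worse than leaving the alert task open for an administrator.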
Table 30-5 lists the Oracle Identity Manager actions, and the conditions and results of these actions.
Table 30-5 Oracle Identity Manager Actions, Conditions, and Results
| Action | Condition | Result | 
|---|---|---|
| A user is deleted. | Oracle Identity Manager cancels all the existing tasks in the process instance and inserts undo tasks for these tasks, if they are defined. | If so, then the condition for this task has been met (the user has been revoked), and Oracle Identity Manager inserts the task into the existing process. If the task has an adapter attached to it, then it will run. |
| A user is disabled. | Oracle Identity Manager checks each process for any tasks that display the Disable selection in the Task Effect combo box. | If so, then the condition for this task has been met (the user has been disabled), and Oracle Identity Manager inserts the task into the existing process. If the task has an adapter attached to it, then it will run. | 
| A user is enabled. | Oracle Identity Manager checks each process for any tasks that display the Enable selection in the Task Effect combo box. | If so, then the condition for this task has been met (the user has been enabled), and Oracle Identity Manager inserts the task into the existing process. If the task has an adapter attached to it, then it will run. | 
| A user's password has been modified on the Users form. | Oracle Identity Manager checks each process to see if it has a Change User Password task. | If so, then the condition for this task has been met (the user's password has been modified), and Oracle Identity Manager inserts the task into all existing processes that have that task defined. If the task has an adapter attached to it, then it will run. |
| The data fields of an application process form have been modified. | Oracle Identity Manager checks each process to see if it has a task that starts with the  | The condition for this task is met (the process task begins with the  | 
| A user's profile information has been moved to a different organization. | Oracle Identity Manager checks each process to see if it has a task that begins with the words Move User. | The condition for this task is met (the user's profile information has been moved to a different organization). Oracle Identity Manager inserts the task into the existing process. If the task has an adapter attached to it, then it will run. |