Configure Integration Between Oracle Access Governance and Oracle EPM

You can establish a connection between Oracle Access Governance and Oracle Cloud Enterprise Performance Management application as a Managed System. To configure, use Orchestrated Systems in the Oracle Access Governance Console.

Prerequisites

Before you install and configure the Oracle Cloud Enterprise Performance Management orchestrated system. You should consider the following prerequisites and tasks.

  • You must have an existing active connection with Oracle Cloud Infrastructure for your Oracle Access Governance service instance.
  • You must have the Oracle Cloud Enterprise Performance Management Service Administrator service role to connect with Oracle Access Governance.

Create a Service User in OCI

Create a new service user in OCI as a Domain Administrator.

Create a service user account in an OCI IAM identity domain.
  1. Go to https://cloud.oracle.com.
  2. Navigate to Identity & Security, and click Domains.
  3. Choose a compartment where your Oracle Cloud Enterprise Performance Management service instance is located, and then select the domain.
  4. Select the User management tab.
  5. Click Create.
  6. In the First name and Last name fields enter the user's name.
  7. To have the user sign in with their email address, enable the Use the email address as the username check box and enter the email address for the user account.
  8. To have the user sign in with their user name, clear the Use the email address as the username check box and enter the user name for the user.

Assign Identity Administrator to the Service User

Assign Identity Domain Administrator role to the service user.

  1. On the Domains page, select the Administrators tab.
  2. In the Identity Domain Administrator section, click Add users.
  3. Search the service user.
  4. Select the service user check box and then click Add Users.

Assign EPM Roles

Assign Oracle EPM's Service Administrator application role to the service user.

  1. Go to the Oracle cloud services tab.
  2. Select the EPM Cloud service instance.
  3. Select the Application roles tab.
  4. Locate and select the Service Administrator role.
  5. For the Service Administrator role, select the Actions icon, and select Manage users.
  6. Select Assign users.
  7. Select the service user created in the previous step, and then click Assign.

Create Signing Certificates and Keys

Use a certificate issued by a trusted Certificate Authority (CA) in the PEM format for secure authentication and compatibility, or leverage OCI Certificate Service to generate and manage certificates efficiently.

To create a certificate, refer the steps as explained in Creating a Certificate in OCI IAM.

Import Certificate as the Trusted Partner Certificate

Import a certificate as trusted partner certificates in your OCI IAM Domain.

  1. Navigate to Identity & Security, and click Domains.
  2. Choose a compartment where your Oracle Access Governance service instance is located, and then select the domain.
  3. Select the Security tab.
  4. Click Import certificate.
  5. Enter the same alias name that you provided while generating the keystore file certificate alias, and import the .cer file
  6. Click Import.

Create an Integrated Confidential Type Application

To create an integrated application of Confidential type in OCI IAM, you must have the Identity Domain Administrator role.

  1. Navigate to Identity & Security, and click Domains.
  2. Select Domains.
  3. Click the Integrated applications tab.
  4. Click Add application.
  5. Select Confidential Application tile, and then click Launch workflow.
  6. In the Details page, enter the following:
    1. Enter name and description for the confidential application.
    2. Click Submit.

Edit OAuth configurations

  1. Select the OAuth configuration tab.
  2. Select Edit OAuth configuration.
  3. Select Configure this application as a client now.
  4. Select JWT assertion and Refresh token grant types:
  5. Choose Trusted as the Client type option.
  6. Import the certificate
  7. Select On behalf of as the Allowed operations.
  8. Select network perimeter to restrict login attempts to specific IPs or ranges, else select Anywhere.
  9. Under the Token Issuance Policy, select All.
  10. Click Submit.
  11. Activate the application, click the Actions icon and then select Activate. The status should change from Inactive to Active.

Configure

You can establish a connection between Oracle Cloud Enterprise Performance Management and Oracle Access Governance by entering connection details. To achieve this, use the orchestrated systems functionality available in the Oracle Access Governance Console.

Navigate to the Orchestrated Systems Page

The Orchestrated Systems page of the Oracle Access Governance Console is where you start configuration of your orchestrated system.

Navigate to the Orchestrated Systems page of the Oracle Access Governance Console, by following these steps:
  1. From the Oracle Access Governance navigation menu icon Navigation menu, select Service Administration → Orchestrated Systems.
  2. Click the Add an orchestrated system button to start the workflow.

Select system

On the Select system step of the workflow, you can specify which type of system you would like to integrate with Oracle Access Governance.

You can search for the required system by name using the Search field.

  1. Select Oracle Cloud Enterprise Performance Management.
  2. Click Next.

Add details

Add details such as name, description, and configuration mode.

On the Add Details step of the workflow, enter the details for the orchestrated system:
  1. Enter a name for the system you want to connect to in the Name field.
  2. Enter a description for the system in the Description field.
  3. For this orchestrated system, Oracle Access Governance can manage permissions
  4. Read and select the prerequisite check box: I have an active Oracle Cloud Infrastructure orchestrated system already, indicating that you must have an existing active connection with Oracle Cloud Infrastructure for your service instance.
  5. Click Next.

Add Owners

Add primary and additional owners to your orchestrated system to allow them to manage resources.

You can associate resource ownership by adding primary and additional owners. This drives self-service as these owners can then manage (read, update or delete) the resources that they own. By default, the resource creator is designated as the resource owner. You can assign one primary owner and up to 20 additional owners for the resources.

Note:

When setting up the first Orchestrated System for your service instance, you can assign owners only after you enable the identities from the Manage Identities section.
To add owners:
  1. Select an Oracle Access Governance active user as the primary owner in the Who is the primary owner? field.
  2. Select one or more additional owners in the Who else owns it? list. You can add up to 20 additional owners for the resource.
You can view the Primary Owner in the list. All the owners can view and manage the resources that they own.

Account settings

Outline details of how to manage account settings when setting up your orchestrated system including notification settings, and default actions when an identity moves or leaves your organization.

On the Account settings step of the workflow, enter details of how you would like to manage accounts with Oracle Access Governance when configured as a managed system:
  1. Select whether to allow Oracle Access Governance to create accounts when a permission is requested, if the account does not already exist. By default this option is selected meaning that an account will be created if it does not exist, when a request for a permission is made. If the option is unselected then permissions can only be provisioned where the account already exists in the orchestrated system. If permission is requested where no user exists then the operation will fail.
  2. Select where to send notification emails when an account is created. The default setting is User. You can select one, both, or none of these options. If you select no options then notifications will not be sent when an account is created.
    • User
    • User manager
  3. When an identity leaves your enterprise you should remove access to their accounts. You can select what to do with the account when this happens. Select one of the following options:
    • Delete
    • Disable
    • No action
  4. When all permissions for an account are removed, for example when moving from one department to another, you may need to adjust what accounts the identity has access to. You can select what to do with the account when this happens. Select one of the following options:
    • Delete
    • Disable
    • No action
  5. If you want Oracle Access Governance to manage accounts created directly in the orchestrated system you can select the Include accounts that are not created by Access Governance option. This will reconcile accounts created in the target system and will allow you to manage them from Oracle Access Governance.

Note:

If you do not configure your system as a managed system then this step in the workflow will display but is not enabled. In this case you proceed directly to the Integration settings step of the workflow.

Note:

If your orchestrated system requires dynamic schema discovery, as with the Generic REST and Database Application Tables integrations, then only the notification email destination can be set (User, Usermanager) when creating the orchestrated system. You cannot set the disable/delete rules for movers and leavers. To do this you need to create the orchestrated system, and then update the account settings as described in Configure Orchestrated System Account Settings.

Integration settings

Enter details of the connection to your Oracle Cloud Enterprise Performance Management system.

  1. On the Integration settings step of the workflow, enter the details required to allow Oracle Access Governance to connect to your Oracle Cloud Enterprise Performance Management system.

    Table - Integration settings

    Parameter Name Description

    EPM Host Name

    URL to access your Oracle Cloud Enterprise Performance Management system. For example:
    <http|https://epm-test.example.com>
    OCI domain name Enter the OCI IAM Domain name where the integrated application is created.
    Domain URL Enter the OCI IAM Domain URL. To find your Domain URL, see Finding an Identity Domain URL.

    Oracle Cloud Service name for EPM application

    Oracle Cloud Enterprise Performance Management cloud service name.

    Client ID

    Client ID of the OCI IAM confidential application.

    Client secret

    Client secret of the OCI IAM confidential application .

    Private Key

    Enter the encrypted private key (.pem).

    Certificate Alias

    Enter the certificate alias configured while generating a certificate.

    What is the username?

    EPM username
    Which OCI orchestrated system should be used? Select the dependent OCI Orchestrated system name in the list.
  2. Click Add to create the orchestrated system.

Finish Up

Finish up configuration of your orchestrated system by providing details of whether to perform further customization, or activate and run a data load.

The final step of the workflow is Finish Up.

You are given a choice whether to further configure your orchestrated system before running a data load, or accept the default configuration and initiate a data load. Select one from:
  • Customize before enabling the system for data loads
  • Activate and prepare the data load with the provided defaults

Post Configuration

There are no post configuration steps associated with the Oracle Cloud Enterprise Performance Management system.