Event Data Publisher in Oracle Access Governance

Event Data Publishing is the process of exporting a one-time snapshot and then sequentially and continually publishing ongoing data events to external systems, such as an Oracle Cloud Infrastructure (OCI) cloud account. With Oracle Access Governance, you can export data once and then continually publish data events, such as identity, identity collections, policy, resource, access to resources, and so on, to your cloud tenancy. You may use this data to derive insights, store data for compliance, or analyze access management and governance data.

An event refers to any change in data state that occurs when there's creation, modification, or deletion of Oracle Access Governance components, such as identity, policies, resources, and so on.

Using Event Data Publisher, administrators get complete control over access and identity data and may use it to automate event logging and streamline compliance reporting. For example, you may enable Data Feed to view insights on access violations in real time.

Understanding Data Event Publishing Flow

Let's understand the Data Event Publishing flow in Oracle Access Governance:

The Data Event Publishing flow uses OCI Buckets for the one-off export, and publishes subsequent updates either to OCI Streams or to OCI Buckets depending on the file size.

  1. Perform preliminary steps within your OCI cloud account to receive the data. For details, see Set Up OCI Tenancy for Data Publisher and Streaming.
  2. Use the Data Feed service of Oracle Access Governance to publish the data to your cloud system.
  3. Establish a connection with Oracle Access Governance by entering the configuration details. For details, see Configure Event Data Publisher in Oracle Access Governance.
  4. The Data Feed event publisher service extracts the data components available in Oracle Access Governance. On Day 0, the initial event, it captures a complete snapshot of the data components and, depending on the file size, exports it either to an OCI Object Storage Bucket as JSONL files or to OCI Streams as stream messages. Mostly, Day 0 events are published to the OCI Object Storage Bucket.
  5. The Data Event Handler maintains the publishing status and returns a success or failure notification.
  6. For Day N, whenever there's a change in the state of data components (creation, modification, or deletion of components), the Data Feed event publisher detects the change in real time and publishes sequential messages to OCI Streams. The maximum size of a message is 1 MB.
  7. For Day N, if the message size is greater than 1 MB, the Data Feed event publisher publishes the updates to OCI Buckets as a new version of the versioned JSONL file, appending or replacing entries.

Initial Data Event and Incremental Data Events: Day 0 and Day N Events

You can export and publish Oracle Access Governance data either to OCI Streams or to OCI Buckets.

Day 0 Event Publishing with Buckets

On Day 0, which is the initial data export, if the file size is greater than one megabyte (> 1 MB), a complete snapshot of the supported data components in Oracle Access Governance is exported to the OCI Bucket as JSONL files (.jsonl). These files handle multiple JSON objects in a single payload efficiently. You'll receive multiple files per data component. If the file size is less than one megabyte, you'll receive OCI Stream messages instead.

On Day 0, the Data Feed event publisher sends the start message to the OCI Bucket with messageType Day0, operation CREATE, and status START. Until all the data objects are exported, each Day 0 output object file contains the status In_PROGRESS. Once completed, the Data Feed event publisher sends the end message for Day 0 with the status SUCCESS or FAILED. The success or failure status is displayed on the Oracle Access Governance Console, including the name of the administrator who performed the publishing operation.
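A consumer of the Day 0 export should not treat the bucket contents as a complete snapshot until it has seen both the START message and an end message with SUCCESS or FAILED. The following Python is an added example (not Oracle's code, and not the product's published schema) of tracking that lifecycle over a set of JSONL files. The messageType, operation and status values are the ones named above; the file names, the extra fields in the sample objects, and the placement of the status on each object are assumptions made for the example, and the sample files are constructed inline.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed Day 0 output, modelled as (file name, JSONL content) pairs in the order the
# publisher wrote them. The messageType / operation / status values follow the text above;
# the other fields and the per-object placement of status are assumptions of this example.
SAMPLE_DAY0_FILES: List[Tuple[str, str]] = [
    ("day0_start.jsonl",
     '{"messageType": "Day0", "operation": "CREATE", "status": "START"}\n'),
    ("identity_001.jsonl",
     '{"messageType": "IDENTITY", "operation": "CREATE", "status": "In_PROGRESS", '
     '"globalIdentity": {"firstName": "Ana", "lastName": "Silva"}}\n'
     '{"messageType": "IDENTITY", "operation": "CREATE", "status": "In_PROGRESS", '
     '"globalIdentity": {"firstName": "Ben", "lastName": "Okafor"}}\n'),
    ("resource_001.jsonl",
     '{"messageType": "RESOURCE", "operation": "CREATE", "status": "In_PROGRESS", '
     '"name": "prod-logs-bucket"}\n'),
    ("day0_end.jsonl",
     '{"messageType": "Day0", "operation": "CREATE", "status": "SUCCESS"}\n'),
]


@dataclass
class Day0Summary:
    started: bool = False
    final_status: Optional[str] = None          # SUCCESS, FAILED, or None while still running
    objects_per_type: Dict[str, int] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        """True only when both the START and an end message (SUCCESS or FAILED) were seen."""
        return self.started and self.final_status in ("SUCCESS", "FAILED")


def iter_jsonl(text: str, source: str, problems: List[str]) -> Iterable[dict]:
    """Yield one object per non-empty JSONL line; a malformed line is recorded, not fatal."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append(f"{source}:{lineno}: {exc.msg}")
            continue
        if not isinstance(obj, dict):
            problems.append(f"{source}:{lineno}: line is not a JSON object")
            continue
        yield obj


def summarize_day0(files: List[Tuple[str, str]]) -> Day0Summary:
    """Walk Day 0 files in write order and track START / In_PROGRESS / SUCCESS|FAILED."""
    summary = Day0Summary()
    for name, text in files:
        for obj in iter_jsonl(text, name, summary.problems):
            mtype, status = obj.get("messageType"), obj.get("status")
            if mtype == "Day0":
                if status == "START":
                    summary.started = True
                elif status in ("SUCCESS", "FAILED"):
                    summary.final_status = status
                else:
                    summary.problems.append(f"{name}: unknown Day0 status {status!r}")
                continue
            if not summary.started:
                summary.problems.append(f"{name}: {mtype} object before the Day0 START message")
            if summary.final_status is not None:
                summary.problems.append(f"{name}: {mtype} object after the Day0 end message")
            if status != "In_PROGRESS":
                summary.problems.append(f"{name}: unexpected status {status!r} on {mtype} object")
            summary.objects_per_type[mtype] = summary.objects_per_type.get(mtype, 0) + 1
    return summary


if __name__ == "__main__":
    result = summarize_day0(SAMPLE_DAY0_FILES)
    print("complete:", result.complete, "status:", result.final_status)
    print("objects per type:", result.objects_per_type)
    print("problems:", result.problems)
```

Feeding the same list without its last file models an export that is still running (or that stopped without an end message): `complete` stays false and `final_status` stays `None`, which is the state a downstream compliance job should refuse to read from.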

Day N Event Publishing with OCI Streams or OCI Buckets

After Day 0, subsequent updates are published in real time either to OCI Streams or to OCI Buckets. Each message published to the streams has an eventTime attribute that helps the consumer service order the events.

The publishing destination is determined by the file size:
  • If the file size is less than one megabyte (< 1 MB), updates are published to OCI Streams in JSON format. The data in streams is base64 encoded, ensuring fast transmission. To consume a message, decode the data and then use it as needed.
  • If the file size is greater than one megabyte (> 1 MB), updates are published to OCI Buckets in JSONL format, as new versions of the Day 0 output files.
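The Day N consumer therefore has to do three things per stream record: base64-decode the value, parse the JSON, and order the result by eventTime rather than by arrival. The Python below is an added example (not Oracle's code and not the OCI SDK) that does this over a constructed batch of records and also encodes the 1 MB routing rule described above. Only eventTime, messageType and operation are attributes named on this page; the record envelope (offset and value), the ISO-8601 form of eventTime, and the UPDATE and DELETE operation values are assumptions of the example.

```python
import base64
import json
from datetime import datetime
from typing import List, Tuple

STREAM_LIMIT_BYTES = 1024 * 1024  # the 1 MB boundary the text gives for stream messages


def choose_destination(payload: bytes) -> str:
    """Day N routing rule from the text: up to 1 MB goes to OCI Streams, larger to an OCI Bucket."""
    return "OCI_STREAMS" if len(payload) <= STREAM_LIMIT_BYTES else "OCI_BUCKET"


def _encode_record(offset: int, event: dict) -> dict:
    """Build a constructed stream record: {offset, value} with a base64-encoded JSON value."""
    return {"offset": offset,
            "value": base64.b64encode(json.dumps(event).encode("utf-8")).decode("ascii")}


# Constructed sample records. Only eventTime, messageType and operation are attributes the text
# names; the record envelope (offset/value) and the ISO-8601 eventTime format are assumptions.
SAMPLE_RECORDS = [
    _encode_record(0, {"messageType": "IDENTITY", "operation": "UPDATE",
                       "eventTime": "2024-05-01T10:00:05Z",
                       "globalIdentity": {"firstName": "Ana", "jobCode": "ENG-2"}}),
    _encode_record(1, {"messageType": "GROUP", "operation": "CREATE",
                       "eventTime": "2024-05-01T10:00:01Z", "name": "cloud-auditors"}),
    {"offset": 2, "value": "%%%not-base64%%%"},            # corrupted value, must be rejected
    _encode_record(3, {"messageType": "RESOURCE", "operation": "DELETE",
                       "eventTime": "2024-05-01T10:00:05Z", "name": "prod-logs-bucket"}),
]


def decode_stream_records(records: List[dict]) -> Tuple[List[dict], List[str]]:
    """Decode base64 values into JSON events and return them ordered by eventTime.

    Records that are not valid base64, not valid JSON, or lack a parsable eventTime are
    returned separately so a consumer can alert on them instead of silently dropping them.
    Ties on eventTime are broken by stream offset, which preserves publish order.
    """
    decoded, rejected = [], []
    for rec in records:
        try:
            raw = base64.b64decode(rec["value"], validate=True)   # binascii.Error is a ValueError
            event = json.loads(raw)                                # JSONDecodeError is a ValueError
            ts = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
        except (KeyError, TypeError, ValueError) as exc:
            rejected.append(f"offset {rec.get('offset')}: {type(exc).__name__}: {exc}")
            continue
        decoded.append((ts, rec.get("offset", 0), event))
    decoded.sort(key=lambda item: (item[0], item[1]))
    return [event for _, _, event in decoded], rejected


if __name__ == "__main__":
    events, bad = decode_stream_records(SAMPLE_RECORDS)
    for e in events:
        print(e["eventTime"], e["messageType"], e["operation"])
    print("rejected:", bad)
```

The rejected list is the part worth wiring to monitoring: a record that fails base64 or JSON decoding is either corruption in transit or a producer change, and either one should be visible rather than quietly skipped.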

Available Data Components for Publishing

You can export and publish the following data components:

Identity

Scope: All Active Identities (Workforce or Consumers)

messageType: IDENTITY

All active identities, workforce or consumers, are published as IDENTITY events to OCI Buckets and OCI Streams. The output file contains the composite identity profile details, tagged as the globalIdentity attribute, which include the access profile details with core and custom attributes. A composite identity profile in Oracle Access Governance is built from attributes of one or more orchestrated systems. For example, the jobCode of an identity may be ingested from PeopleSoft, and identity profile details such as firstName and lastName from Oracle Fusion Cloud Applications. Oracle Access Governance uses the attributes listed in globalIdentity as the source of truth for its governance and provisioning operations.

Additionally, the output contains an array of identity attributes from other integrated orchestrated systems that are matched with this composite identity profile, tagged as targetIdentities. For example, a composite identity profile in Oracle Access Governance may use identity details from Oracle Fusion Cloud Applications, but if the same identity is available in PeopleSoft and matched with the composite identity, then the identity attributes available in PeopleSoft are published as part of targetIdentities. For schema reference and attribute details, see Identity Reference Schema and Sample.
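Because globalIdentity is the source of truth and targetIdentities carries what each matched orchestrated system currently holds, one useful thing to do with an IDENTITY event is to compare the two: an attribute on which a target disagrees with globalIdentity points at an out-of-band change in that system. The Python below is an added example (not Oracle's code). The attribute names globalIdentity, targetIdentities, firstName, lastName and jobCode, and the system names, come from the text; the nesting of each target entry (an orchestratedSystem name plus an attributes map), the costCenter attribute and the sample values are assumptions of the example.

```python
from typing import List, Set, Tuple

# Constructed IDENTITY event. globalIdentity and targetIdentities are the attribute names the
# text describes; the nesting used here (orchestratedSystem plus an attributes map per target)
# is an assumption of this example, not the product's published schema.
SAMPLE_IDENTITY_EVENT = {
    "messageType": "IDENTITY",
    "operation": "UPDATE",
    "globalIdentity": {
        "firstName": "Ana", "lastName": "Silva", "jobCode": "ENG-2", "costCenter": "CC-100",
    },
    "targetIdentities": [
        {"orchestratedSystem": "Oracle Fusion Cloud Applications",
         "attributes": {"firstName": "Ana", "lastName": "Silva"}},
        {"orchestratedSystem": "PeopleSoft",
         "attributes": {"firstName": "Ana", "jobCode": "ENG-3"}},
    ],
}

Drift = Tuple[str, str, object, object]   # (system, attribute, globalIdentity value, target value)


def find_attribute_drift(event: dict) -> List[Drift]:
    """Report attributes where a matched target identity disagrees with globalIdentity.

    globalIdentity is the source of truth, so any disagreement means a target system holds a
    value that governance decisions are not based on; it deserves a look before provisioning
    acts on either value.
    """
    source = event.get("globalIdentity", {})
    drift: List[Drift] = []
    for target in event.get("targetIdentities", []):
        system = target.get("orchestratedSystem", "<unknown system>")
        for attr, value in target.get("attributes", {}).items():
            if attr in source and source[attr] != value:
                drift.append((system, attr, source[attr], value))
    return drift


def attributes_without_target_backing(event: dict) -> Set[str]:
    """globalIdentity attributes that no matched target identity carries at all."""
    backed: Set[str] = set()
    for target in event.get("targetIdentities", []):
        backed.update(target.get("attributes", {}).keys())
    return set(event.get("globalIdentity", {})) - backed


if __name__ == "__main__":
    for system, attr, expected, actual in find_attribute_drift(SAMPLE_IDENTITY_EVENT):
        print(f"{system}: {attr} is {actual!r}, globalIdentity says {expected!r}")
    print("unbacked attributes:", attributes_without_target_backing(SAMPLE_IDENTITY_EVENT))
```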

Identity collection

Scope: OCI IAM Groups

messageType: GROUP

All OCI IAM groups ingested into Oracle Access Governance are published as GROUP events. The output file contains OCI identifiers, such as domain id and compartment id, the identity collection name and description, and an array of the identities included in the identity collection. Update and Create operations share the same schema. However, when a new identity collection is created, you will not receive any identities in the remove attribute. For schema reference and attribute details, see Identity Collection Reference Schema and Samples.

Policy

Scope: OCI Policies

messageType: TARGET_ACCESS_POLICY_STATEMENT

All OCI policies ingested into Oracle Access Governance are published as TARGET_ACCESS_POLICY_STATEMENT events. For an OCI policy, the output file contains OCI identifiers, such as domain id and compartment id, the policy name and description, and the policy details, including the subject to whom access is granted, the access type, and the scope of the access granted. For schema reference and attribute details, see Policies Reference Schema and Sample.

Resource

Scope: All resources

messageType: RESOURCE

All resources across all orchestrated systems ingested into Oracle Access Governance are published as RESOURCE events. The output file contains the resource identifiers within Oracle Access Governance and in OCI, the resource name, description, and resource type. For schema reference and attribute details, see Resource Reference Schema and Sample.

Access

Scope: OCI policies and OCI resources

messageType: POLICY_STATEMENT_RESOURCE_MAPPING for the policy-to-resource mapping, and RESOURCE_POLICY_STATEMENT_MAPPING for the resource-to-policy mapping.

The Access component offers two views of the same data:
  • Policy Granting Access to Resources: List of resources governed by a specific policy. Each JSON object contains a policy statement and the set of resources attached to it. In this view, the focus is on a specific policy governing a set of resources.
  • Resource Access using Policy Statements: List of policies associated with a resource. Each JSON object contains a resource and the set of policy statements applied to it. This is the reverse view, and the focus is on a specific resource.

For schema reference and attribute details, see Access Policy to Resource Schema and Sample and Access Resource to Policy Schema and Sample.
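Since the two Access views describe the same policy-to-resource graph from opposite ends, a consumer that ingests both can check them against each other: an edge present in only one view means the local copy of one feed is stale or incomplete. The Python below is an added example (not Oracle's code) that flattens both views into (resource, policy statement) pairs and reports the difference. The two messageType values are from the text; the field names policyStatement, resources, resource and policyStatements, the ocid-style identifiers and the policy statement strings are constructed assumptions of the example.

```python
from typing import Dict, List, Set, Tuple

ADMIN_STMT = "Allow group Admins to manage buckets in compartment Prod"
AUDIT_STMT = "Allow group Auditors to read buckets in compartment Prod"

# Constructed samples of the two Access views. The messageType values are from the text; the
# field names policyStatement / resources / resource / policyStatements and the ocid-style
# resource identifiers are assumptions of this example.
POLICY_TO_RESOURCES = [
    {"messageType": "POLICY_STATEMENT_RESOURCE_MAPPING", "policyStatement": ADMIN_STMT,
     "resources": ["ocid1.bucket.example.a", "ocid1.bucket.example.b"]},
    {"messageType": "POLICY_STATEMENT_RESOURCE_MAPPING", "policyStatement": AUDIT_STMT,
     "resources": ["ocid1.bucket.example.a"]},
]
RESOURCE_TO_POLICIES = [
    {"messageType": "RESOURCE_POLICY_STATEMENT_MAPPING", "resource": "ocid1.bucket.example.a",
     "policyStatements": [ADMIN_STMT, AUDIT_STMT]},
    {"messageType": "RESOURCE_POLICY_STATEMENT_MAPPING", "resource": "ocid1.bucket.example.b",
     "policyStatements": [ADMIN_STMT]},
    # A stale edge present only in this view: the consumer should flag it, not trust it.
    {"messageType": "RESOURCE_POLICY_STATEMENT_MAPPING", "resource": "ocid1.bucket.example.c",
     "policyStatements": [ADMIN_STMT]},
]

Edge = Tuple[str, str]   # (resource identifier, policy statement)


def edges_from_policy_view(events: List[dict]) -> Set[Edge]:
    """Flatten POLICY_STATEMENT_RESOURCE_MAPPING objects into (resource, statement) edges."""
    return {(res, ev["policyStatement"])
            for ev in events if ev.get("messageType") == "POLICY_STATEMENT_RESOURCE_MAPPING"
            for res in ev.get("resources", [])}


def edges_from_resource_view(events: List[dict]) -> Set[Edge]:
    """Flatten RESOURCE_POLICY_STATEMENT_MAPPING objects into the same (resource, statement) edges."""
    return {(ev["resource"], stmt)
            for ev in events if ev.get("messageType") == "RESOURCE_POLICY_STATEMENT_MAPPING"
            for stmt in ev.get("policyStatements", [])}


def compare_views(policy_view: List[dict], resource_view: List[dict]) -> Dict[str, Set[Edge]]:
    """Both views describe one access graph, so their edge sets must match.

    Any edge in exactly one view means the consumer is holding a stale or partial feed
    (for example a Day N update applied to one view but not yet to the other).
    """
    from_policy = edges_from_policy_view(policy_view)
    from_resource = edges_from_resource_view(resource_view)
    return {
        "only_in_policy_view": from_policy - from_resource,
        "only_in_resource_view": from_resource - from_policy,
    }


def policies_for_resource(resource_view: List[dict], resource: str) -> Set[str]:
    """Answer 'what grants access to this resource?' from the resource view."""
    return {stmt for res, stmt in edges_from_resource_view(resource_view) if res == resource}


if __name__ == "__main__":
    diff = compare_views(POLICY_TO_RESOURCES, RESOURCE_TO_POLICIES)
    print("only in policy view:", diff["only_in_policy_view"])
    print("only in resource view:", diff["only_in_resource_view"])
    print("policies on bucket a:",
          policies_for_resource(RESOURCE_TO_POLICIES, "ocid1.bucket.example.a"))
```

Running the comparison after each Day N batch is applied is a cheap way to confirm the two views converged before either is used for an access review.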