Configure Settings for an Orchestrated System
With Oracle Access Governance, you can configure an orchestrated system by editing the integration settings, configuring notification settings, transforming inbound and outbound data for identity and account attributes, and applying matching or correlation rules to ensure integrated components work seamlessly together.
Manage System Settings for Your Orchestrated System
Manage system settings for your orchestrated system using the Oracle Access Governance Console.
Modify Integration Settings for an Orchestrated System
You can configure the integration settings for your orchestrated system, using the Oracle Access Governance Console.
You can update the integration settings for a chosen orchestrated system by accessing the Manage Integration page in the Oracle Access Governance Console and performing the following tasks:
- From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
- Select the Manage integration option from the action menu for the orchestrated system you want to configure. This displays the Manage integration page for the selected orchestrated system.
- From the System settings section of the page, select Manage on the Integration settings tile. This will display the Integration settings page for the selected orchestrated system. The integration settings displayed are dependent on the type of orchestrated system you are updating.
- Update the integration settings as required, and click Save.
Configure Identities or Email for Sending Orchestrated System Related Notifications
If an issue occurs in an orchestrated system during dataload, you want to be notified in good time so that you can investigate and resolve the issue. You can configure identities or an external email, to route notifications regarding your orchestrated system to assist with this.
- From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
- Select the Manage integration option from the action menu for the orchestrated system you want to configure. This displays the Manage integration page for the selected orchestrated system.
- From the System settings section of the page, select Manage on the Notification settings tile. This will display the Notification settings page for the selected orchestrated system.
- In the Which identities? field, use the drop-down list to select identities in your Oracle Access Governance instance to send orchestrated system-related notifications to. You can have multiple identities as required.
- In the Email field, add an email for any person external to your Oracle Access Governance instance (who does not have an identity in your system) who you would like to receive notifications. You can only add one external email address for orchestrated system-related notifications.
- Update the notification settings as required, and click Save.
Add Primary and Additional Owners
You can associate resource ownership by adding primary and additional owners. This drives self-service as these owners can then manage (read, update or delete) the resources that they own. By default, the resource creator is designated as the resource owner. You can assign one primary owner and up to 20 additional owners for the resources.
Configure Data Load Schedule Settings for Orchestrated Systems
Set how often data should be loaded and updated in Oracle Access Governance from the orchestrated system. Schedule timing and frequency by choosing specific days, hours, or minutes. The data load settings are configured in three steps:
- Navigate to Data Load Settings
- Select Frequency
- Select Start Date
Manage Data Settings for Your Orchestrated System
Manage data settings for your orchestrated system using the Oracle Access Governance Console.
Apply Inbound Transformations for Identity and Account Attributes
To modify the incoming data ingested into Oracle Access Governance, you need to apply inbound data transformations. To do so, perform the following tasks:
- In the Oracle Access Governance Console, access the navigation menu by selecting the navigation menu icon. Select Service Administration → Orchestrated Systems.
- Select the orchestrated system from the list which you want to configure inbound data transformation rules for.
- Expand the Configurations drop-down menu and select the Manage button on the Inbound data transformations tile. The Inbound data transformations page displays a list of any rules that you have configured, and an option to add new attribute rules.
- To create an attribute rule for your orchestrated system, select the Add attribute rule button.
- In the Add attribute rule panel enter the following information to configure your rule.
- Which configuration mode?: Select, from the drop-down list, the configuration mode that this attribute rule applies to:
- Authoritative source: the orchestrated system is an authoritative source that supplies identity data and identity attributes.
- Managing permissions: the orchestrated system is a managed system that supplies account information and permissions.
- Which attribute?: Select the Oracle Access Governance attribute you want to apply the transformation to from the drop down list. The list of attributes available will depend on the orchestrated system type, and configuration mode you choose.
- Rule: Enter the rule you want to apply to this operation/attribute.
- Click the Validate button to check your rule. If the rule is valid then you will see a confirmation message and the rule will be marked as validated. If there is an issue with the rule, then you will see an error message and the rule will be marked as invalid. You cannot save your rule if it is marked as invalid.
- When your rule is valid click Add to save your configuration.
Apply Outbound Transformations for Identity Attributes
To modify the outgoing data that Oracle Access Governance provisions to an orchestrated system, you need to apply outbound data transformations. To do so, perform the following tasks:
- In the Oracle Access Governance Console, access the navigation menu by selecting the navigation menu icon. Select Service Administration → Orchestrated Systems.
- Select the orchestrated system from the list for which you want to configure the outbound data transformation rules.
- Expand the Configurations drop-down menu and select the Manage button on the Outbound data transformations tile. The Outbound data transformations page displays a list of any rules that you have configured, and an option to create attribute rules.
- To create an attribute rule for your orchestrated system, select the Add attribute rule button.
- In the Add attribute rule panel enter the following information to configure your rule.
- Which operations: Select one or more of the operations from the drop down list that you want this attribute rule to apply to.
- Create Account
- Change Password
- Which attribute?: Select the attribute in the orchestrated system you want to apply the transformation to from the drop down list. The list of attributes available will depend on the orchestrated system type.
- Rule: Enter the rule you want to apply to this operation/attribute.
- Click the Validate button to check your rule. If the rule is valid then you will see a confirmation pop-up message and the rule will be marked as validated. If there is an issue with the rule, then you will see an error pop-up message and the rule will be marked as invalid. You cannot save your rule if it is marked as invalid.
- When your rule is valid click Add to save your configuration.
Match Identity and Account Attributes using Correlation Rules
Oracle Access Governance leverages correlation or matching rules to match the identity and account data and build a composite identity profile. To configure matching rules in Oracle Access Governance perform the following steps:
- From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
- Select one of the following to view the configuration of a specific orchestrated system:
- The orchestrated system link in the Name column.
- Manage integration from the action menu.
- From the Configurations section of the page, select Manage on the Matching rules tile. This will display the Matching rules page for your orchestrated system.
- The tabs displayed depend on the configuration mode you selected when creating the orchestrated system, and on whether any unmatched accounts have been manually matched for this integration.
- If you selected This is the authoritative source for my identities. then the Identity matching tab is displayed to set the matching rule for incoming identities.
- If you selected I want to manage permissions for this system. then the Account matching tab is displayed to set the matching rule for incoming accounts.
- If you selected both This is the authoritative source for my identities. and I want to manage permissions for this system. then both tabs are displayed.
- If the orchestrated system selected has accounts which were unmatched, but have since been manually matched, then the Manually matched accounts tab is displayed. You can unlink an account from its associated identity by selecting the Disconnect icon, or update the manual match by selecting the Edit icon.
- Select the tab you require to update identity matching rules or account matching rules.
- Select one of the following conditions:
- All: All rules must be matched in this case so order of the rules is not significant.
- Any: Any rule can, when met, produce a match. In this case order is significant, as the matching rule evaluation exits when a match is found. If you need to move a rule up the list, select the action menu for the rule and select Move up.
- Add a rule by selecting an Equals or Not equals operator.
- Update the matching rules as required, and click Save.
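The inbound transformation and matching rule semantics described in the two sections above, as an added worked example that is not Oracle Access Governance code: the page does not show the rule syntax the console accepts, so the transformations are plain Python callables, all identity and account records are constructed samples, and the policy of leaving an account that could match more than one identity unmatched (rather than linking it to the first candidate) is this example's own assumption.

```python
"""Inbound transformation followed by correlation (matching) of an account
to an identity. Added illustration only: the rule syntax Oracle Access
Governance uses in the console is not shown on this page, so rules here
are plain Python callables and all records are constructed samples."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Record = Dict[str, Optional[str]]


# ---- Inbound transformations -------------------------------------------------
# One rule per AG attribute; each rule reads the raw inbound record and returns
# the value AG should store. Rules see the untouched raw record, so the order
# in which they are applied does not matter.
InboundRule = Callable[[Record], Optional[str]]


def apply_inbound(raw: Record, rules: Dict[str, InboundRule]) -> Record:
    """Return a copy of `raw` with every configured attribute recomputed."""
    out: Record = dict(raw)
    for attr, rule in rules.items():
        out[attr] = rule(raw)
    return out


# ---- Matching (correlation) rules --------------------------------------------
@dataclass(frozen=True)
class MatchRule:
    account_attr: str
    identity_attr: str
    op: str  # "equals" or "not_equals", the two operators the console offers

    def holds(self, account: Record, identity: Record) -> bool:
        a, b = account.get(self.account_attr), identity.get(self.identity_attr)
        if a is None or b is None:
            return False  # assumption: a missing value never satisfies a rule
        return a == b if self.op == "equals" else a != b


def candidates(account: Record, identities: List[Record],
               rules: List[MatchRule], condition: str) -> List[Record]:
    """Identities the account could correlate to under the chosen condition.

    All: every rule must hold, so rule order is irrelevant.
    Any: rules are tried in order and evaluation stops at the first rule that
         produces at least one candidate, so order decides the outcome.
    """
    if condition == "all":
        return [i for i in identities if all(r.holds(account, i) for r in rules)]
    if condition == "any":
        for r in rules:
            hits = [i for i in identities if r.holds(account, i)]
            if hits:
                return hits
        return []
    raise ValueError(f"unknown condition {condition!r}")


def correlate(account: Record, identities: List[Record],
              rules: List[MatchRule], condition: str) -> Optional[str]:
    """Return the matched identity id, or None when the account stays unmatched.

    Assumption made by this example (not stated on the page): an account that
    could correlate to more than one identity is left unmatched for manual
    review instead of being linked to the first candidate, because linking an
    account to the wrong person silently hands them that account's access.
    """
    hits = candidates(account, identities, rules, condition)
    return hits[0]["id"] if len(hits) == 1 else None


# ---- Constructed sample data -------------------------------------------------
IDENTITIES: List[Record] = [
    {"id": "I1", "email": "ana.ruiz@example.com", "employee_id": "1001"},
    {"id": "I2", "email": "bo.lee@example.com", "employee_id": "1002"},
]

# Raw account records as a managed system might emit them: mixed-case mail,
# a different attribute name for the employee number, and a service account
# with no mail at all.
RAW_ACCOUNTS: List[Record] = [
    {"login": "aruiz", "mail": "Ana.Ruiz@Example.COM", "emp_no": "1001"},
    {"login": "svc_backup", "mail": None, "emp_no": "9999"},
]

INBOUND_RULES: Dict[str, InboundRule] = {
    # normalise case so an equals rule on email is not defeated by the source
    "email": lambda r: (r.get("mail") or "").lower() or None,
    "employee_id": lambda r: r.get("emp_no"),
}

BY_EMAIL = MatchRule("email", "email", "equals")
BY_EMP_ID = MatchRule("employee_id", "employee_id", "equals")
NOT_BY_EMAIL = MatchRule("email", "email", "not_equals")


def run_demo() -> Dict[str, Optional[str]]:
    """Correlate each raw account after inbound transformation (All condition)."""
    results: Dict[str, Optional[str]] = {}
    for raw in RAW_ACCOUNTS:
        acct = apply_inbound(raw, INBOUND_RULES)
        results[raw["login"]] = correlate(acct, IDENTITIES, [BY_EMAIL, BY_EMP_ID], "all")
    return results


if __name__ == "__main__":
    print(run_demo())  # {'aruiz': 'I1', 'svc_backup': None}
```

Two things worth noticing when you run it. First, without the case-normalising inbound rule the All condition fails on the email rule, which is why transformations are applied before matching. Second, under Any a Not equals rule placed first holds for almost every identity in the population, so the evaluation exits with an ambiguous candidate set and the account is left for the Manually matched accounts workflow; put the most selective Equals rules first, and use Not equals only to narrow a match under All.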
Manage Account Settings for Your Orchestrated System
Manage account settings for your orchestrated system using the Oracle Access Governance Console.
Modify Account Settings for an Orchestrated System
You can configure the account settings for your orchestrated system to send notifications to either the User or the User manager whenever a new account is created. You can also choose to either disable or delete the account whenever an identity moves within, or leaves, your enterprise.
To update the account settings for an orchestrated system, perform the following tasks.
- From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
- Select one of the following to view the configuration of a specific orchestrated system:
- The orchestrated system link in the Name column.
- Manage integration from the action menu.
- From the Configurations section of the page, select Manage on the Account settings tile. This will display the Account settings page for your orchestrated system.
Enter details of how you would like to manage accounts with Oracle Access Governance when configured as a managed system:
- Select where to send notification emails when an account is created. The default setting is User. You must select at least one of these options:
- User
- User manager
- When an identity moves within your enterprise, for example when moving from one department to another, you may need to adjust what accounts the identity has access to. In some cases the identity will no longer require certain accounts which are not relevant to their new role in the enterprise. You can select what to do with the account when this happens. Select one of the following options:
- Disable
- Delete
- When an identity leaves your enterprise you should remove access to their accounts. You can select what to do with the account when this happens. Select one of the following options:
- Disable: This sends an Update Account provisioning request to disable the accounts.
- Delete: This sends a Revoke Account provisioning request to delete the accounts.
Note:
If you do not configure your system as a managed system then this step in the workflow is displayed but is not enabled. In this case you proceed directly to the Integration settings step of the workflow.
Note:
If your orchestrated system requires dynamic schema discovery, as with the Generic REST and Database Application Tables (Oracle) integrations, then only the notification email destination (User, User manager) can be set when creating the orchestrated system. To update the account settings for movers and leavers, first create the orchestrated system, and then update the account settings.
If your orchestrated system is managing permissions then you can enable or disable Segregation of Duty violation checks. To do this, select or clear the Enable Risk Management and Compliance (RMC) integration for separation of duties check checkbox.
- Update the account settings as required, and click Save.
Configure Account Attributes
You can configure account attributes for your orchestrated system in addition to the default account attributes supported out-of-the box. Values for your account attributes can come from a managed system, global key-values, transformations or defined when creating an access bundle. You can use and configure these attributes for inbound or outbound transformations, or for account provisioning operations, such as account creation. You can also use these account attributes to define the account profile required for provisioning. Oracle Access Governance supports simple and complex data types when defining account attributes.
Manage Simple Account Attributes
To create a simple account attribute:
- From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
- Select the Manage integration option from the action menu to view the configuration of a specific orchestrated system. This displays the configuration page for the selected orchestrated system.
- From the Account settings section of the page, select Manage on the Account attributes tile. This will display the Account attributes page for your orchestrated system, which displays default attributes created when you initialise your orchestrated system, as well as additional account attributes created by the user.
- Click on the Create an attribute button.
- In the Create a new account attribute flow, enter details of your simple account attribute:
- Enter values for the Add details step:
Table - Add details
- What is the system attribute name? (Mandatory): The attribute name for the account attribute in the associated orchestrated system.
- What should AG call it? (Mandatory): The name for the account attribute in Oracle Access Governance.
- What is the display name? (Mandatory): The name for the account attribute when displayed in Oracle Access Governance.
- What is the data type? (Mandatory): Any of the simple data types listed in the drop-down, including:
- String
- Long
- Double
- Date
- Sensitive string
- Integer
- Boolean
- Is there an associated identity attribute? (Optional): Name of any identity attribute that is associated with the account attribute. Any change in the value of the account attribute will be reflected in the identity attribute.
- Which key-values lookup should be used? (Optional): Name of any global key-values lookup that can be used to populate the account attribute.
- Select the options that apply for the Setup usage step:
Table - Setup usage
- Mandatory for account creation: Is the account attribute a mandatory value when creating an account?
- Included in inbound data from the system: Is the account attribute included in inbound data coming from the orchestrated system? If selected, this attribute will be available to inbound transformations.
- Populated in outbound data to the system: Is the account attribute included in outbound data sent to the orchestrated system? If selected, this attribute will be used to provision and update account values in the orchestrated system.
- Supports multiple values: Does the account attribute allow multiple values?
- Value is provided after account creation: The value will be populated from the orchestrated system after the account has been created.
- Select the options that apply for the Value source step:
Table - Value source
- How will the value be provided? Select one of:
- System provided: Value is populated by the managed system.
- Access bundle definition: Value is populated as part of an access bundle definition.
If you select Access bundle definition then you should enter values for the following additional parameters:
- How should we ask for it?: Enter the text that the user will see when asked for the account attribute value, on requesting the access bundle.
- Any tips to understand what it is?: Enter any help text that explains what the account attribute requested is. This will be displayed below the account attribute field next to the information icon.
- What is the minimum length?: Enter the minimum length of the account attribute value.
- What is the maximum length?: Enter the maximum length of the account attribute value.
- Complete the Review and submit step by checking the information you have provided for this account attribute, and if complete, select Create.
- You can view the full details of the account attribute you created from the Account attributes page, by selecting the View details option from the action menu for the account attribute you created.
To edit a simple account attribute:
- Navigate to the Account attributes page for your orchestrated system.
- Select the Edit option from the action menu for the account attribute you want to edit.
Note:
The Edit option is only available for user-defined account attributes. Default account attributes created as part of the orchestrated system cannot be edited. If you select the action menu for a default attribute you will see the message This is a default attribute with restricted edits. The only option you have to edit a default account attribute is to select the option Edit associated identity attribute, which allows you to modify the identity attribute that is associated with your default account attribute.
- In the Edit attribute flow, edit any of the values for your attribute.
Note:
You can edit any of the configuration values for your account attribute except for the Source attribute name. This value is set at create time and cannot be edited. If you need to change the Source attribute name value for any reason, you are required to delete the account attribute and recreate.
To delete a simple account attribute:
- Navigate to the Account attributes page for your orchestrated system.
- Select the Delete option from the action menu for the account attribute you want to delete.
Note:
The Delete option is only available for user-defined account attributes. Default account attributes created as part of the orchestrated system cannot be deleted.
- Confirm the deletion.
Manage Complex Account Attributes
To create a complex account attribute:
- From the Oracle Access Governance navigation menu icon, select Service Administration → Orchestrated Systems.
- Select the Manage integration option from the action menu to view the configuration of a specific orchestrated system. This displays the configuration page for the selected orchestrated system.
- From the Account settings section of the page, select Manage on the Account attributes tile. This will display the Account attributes page for your orchestrated system, which displays default attributes created when you initialise your orchestrated system, as well as additional account attributes created by the user.
- Click on the Create an attribute button.
- In the Create a new account attribute flow, enter details of your complex account attribute:
- Enter values for the Add details step:
Table - Add details
- What is the system attribute name? (Mandatory): The attribute name for the account attribute in the associated orchestrated system.
- What should AG call it? (Mandatory): The name for the account attribute in Oracle Access Governance.
- What is the display name? (Mandatory): The name for the account attribute when displayed in Oracle Access Governance.
- What is the data type? (Mandatory): Complex.
- What kind of complex type? (Mandatory): Each orchestrated system can have multiple complex attribute types (Entitlements) such as Role or Group. This drop-down lists any complex attributes that are not included by default, together with an option, Custom, which allows you to define your own complex attribute type.
- Which attribute is it uniquely identified by? (Optional; shown if you select Custom for the complex type): The attribute name that uniquely identifies the complex attribute in the orchestrated system that supports the account attribute.
- Which attribute should be used for reference? (shown if you select an entitlement such as Group or Role which is not currently used by any existing complex account attribute for that complex type): Select the entitlement attribute to use from the list of values displayed. For example, if the Group entitlement is unused, select the group entitlement attribute, such as UID or name, that defines the reference binding.
- Select the options that apply for the Setup usage step:
Table - Setup usage
- Mandatory for account creation: Is the account attribute a mandatory value when creating an account?
- Included in inbound data from the system: Is the account attribute included in inbound data coming from the orchestrated system? If selected, this attribute will be available to inbound transformations.
- Populated in outbound data to the system: Is the account attribute included in outbound data sent to the orchestrated system? If selected, this attribute will be used to provision and update account values in the orchestrated system.
- Supports multiple values: For complex attributes this option is enabled by default and cannot be changed, as complex attributes always support multiple values.
- Value is provided after account creation: The value will be populated from the orchestrated system after the account has been created.
- Select the options that apply for the Value source step:
No inputs are required for this step for complex attributes. Complex attributes do not have a direct value source. After creation, add child attributes and select value sources for them individually.
- Complete the Review and submit step by checking the information you have provided for this account attribute, and if complete, select Create.
- After selecting to create the attribute you navigate to the Complex attribute page, which allows you to enter details of the child attributes that make up the complex attribute you have created in the previous steps. So, for example, if you created a complex attribute Address, you would create the child attributes for that attribute, which might include First address line, Second address line, and Postcode. To do this select the Create a child attribute button. The steps are similar to those you have performed for simple attributes:
- Enter values for the Add details step as you would for a simple attribute.
- Select the options that apply for the Setup usage step:
Table - Setup usage
- Mandatory for account creation: Is the account attribute a mandatory value when creating an account?
The following options are inherited from the parent attribute, so the child attribute will:
- Be included in inbound data from the system
- Be populated in outbound data to the system
- Not have its value provided after account creation
- Select the options that apply for the Value source step:
Child attribute values are always provided in access bundle definitions, so you should provide the following details on how to present the attribute when requesting an access bundle:
- How should we ask for it?: Enter the text that the user will see when asked for the account attribute value, on requesting the access bundle.
- Any tips to understand what it is?: Enter any help text that explains what the account attribute requested is. This will be displayed below the account attribute field next to the information icon.
- What is the minimum length?: Enter the minimum length of the account attribute value.
- What is the maximum length?: Enter the maximum length of the account attribute value.
- Complete the Review and submit step by checking the information you have provided for this account attribute, and if complete, select Create.
- Repeat this process for all child attributes.
- To edit the values of the complex attribute itself, edit the complex attribute object in the same way you would a simple attribute.
- To edit the child attributes of the complex attribute object, perform the following:
- On the Account attributes page select the complex attribute for which you want to edit the child attribute values.
- Select the View type link, which is displayed in the Type column next to the label. The child attributes page is displayed.
- Select the Edit option from the action menu for the child account attribute you want to edit. Make any changes and save.
To delete a complex account attribute:
- To delete the complex attribute and all its child attributes, delete the complex attribute object in the same way you would a simple attribute, by selecting the Delete option from the action menu on the Account attributes page.
- To delete individual child attributes of the complex attribute object, perform the following:
- On the Account attributes page select the complex attribute for which you want to delete child attributes.
- Select the View type link, which is displayed in the Type column next to the label. The child attributes page is displayed.
- Select the Delete option from the action menu for the child account attribute you want to remove, and confirm the deletion.