Table of Contents
- List of Figures
- List of Tables
- Title and Copyright Information
- Preface
- What's New In This Guide
- Part I Overview
- 1 Product Overview for Oracle Identity Governance
- 1.1 What is Oracle Identity Governance?
- 1.2 What are the Different Modes of Oracle Identity Governance?
- 1.3 How does Oracle Identity Governance Interact with Other IT Systems?
- 1.4 How does Oracle Identity Governance Interact with Other Oracle Identity and Access Management Products?
- 1.5 How do Users Interact with Oracle Identity Governance?
- 2 Product Architecture of Oracle Identity Governance
- 3 Oracle Identity System Administration Interface
- 3.1 Logging in to Oracle Identity System Administration
- 3.2 Oracle Identity System Administration
- Part II Policy Administration
- 4 Managing Workflows
- 4.1 Understanding Workflow Rules
- 4.2 Configuring Approval Workflow Rules
- 4.2.1 About Approval Workflow Rules
- 4.2.2 About Rule Conditions
- 4.2.3 About System-Defined Operations and Rules
- 4.2.4 Creating Approval Workflow Rules
- 4.2.5 About Custom Rule Conditions
- 4.2.6 Modifying Approval Workflow Rules
- 4.2.7 Deleting Approval Workflow Rules
- 4.2.8 About Approval Workflow Rule Evaluation
- 4.3 Managing Request Approval in an Upgraded Deployment of Oracle Identity Governance
- 4.4 Migrating Workflow Rules From Test to Production
- 4.5 Running Oracle Identity Governance Without Workflows
- 4.6 Use Cases for Disabled or Deleted Proxy Users
- Part III Form Management
- Part IV System Entities
- 6 Configuring Custom Attributes
- 6.1 Creating a Custom Attribute
- 6.2 Creating a Custom Child Form
- 6.3 Creating a Custom Child Form Attribute
- 6.4 Modifying a Custom Attribute
- 6.5 Adding a Custom Attribute
- 6.6 Adding a Custom Attribute to an Application Instance Form
- 6.7 Moving UDFs from Test to Production
- 6.8 Synchronizing User-Defined Fields Between Oracle Identity Governance and LDAP
- 6.9 Creating Cascaded LOVs
- 6.10 Specifying Cascaded LOVs Without NULL Value
- 6.11 Localizing Display Labels of UDFs
- 6.12 Configuring a Field as Mandatory Attribute in the Request Catalog
- Part V Application Management
- 7 Managing IT Resources
- 8 Managing Generic Connectors
- 8.1 Creating Generic Technology Connectors
- 8.1.1 Determining Provider Requirements for Creating Generic Technology Connectors
- 8.1.2 Selecting the Providers for Creating Generic Technology Connectors
- 8.1.3 Addressing the Prerequisites for Creating Generic Technology Connectors
- 8.1.4 Creating the Connector Using Identity System Administration
- 8.1.5 Configuring Reconciliation
- 8.1.6 Configuring Provisioning
- 8.1.7 Creating the Form and Publishing the Application Instance
- 8.1.8 Enabling Log for the Generic Technology Connector
- 8.2 Using Identity System Administration to Create the Connector
- 8.2.1 Providing Basic Information for Generic Technology Connector
- 8.2.2 Specifying Parameter Values for the Providers
- 8.2.3 Modifying Connector Configuration
- 8.2.3.1 About Metadata for Generic Technology Connector
- 8.2.3.2 Data Set for Generic Technology Connectors
- 8.2.3.3 Mapping Parameters for Data Sets
- 8.2.3.4 About Adding or Editing Fields in Data Sets
- 8.2.3.5 Adding or Editing Fields in Data Sets
- 8.2.3.6 Removing Fields from Data Sets
- 8.2.3.7 Removing Mappings Between Fields
- 8.2.3.8 Removing Child Data Sets
- 8.2.4 Verifying Connector Form Names
- 8.2.5 Verifying Connector Information
- 8.3 Managing Generic Technology Connectors
- 9 Managing Application Instances
- 9.1 About Application Instances
- 9.2 Application Instance Concepts
- 9.3 Managing Application Instances
- 9.3.1 Creating Application Instances
- 9.3.2 Searching Application Instances
- 9.3.3 Modifying Application Instances
- 9.3.4 Understanding the Deletion of Application Instances
- 9.3.5 Creating and Modifying Forms Associated With the Application Instances
- 9.4 Configuring Application Instances
- 9.5 Developing Entitlements
- 9.5.1 About Entitlements
- 9.5.2 Available Entitlements and Assigned Entitlements
- 9.5.3 Entitlement Data Capture Process
- 9.5.4 Marking Entitlement Attributes on Child Process Forms
- 9.5.5 Duplicate Validation for Entitlements or Child Data
- 9.5.6 Configuring Scheduled Tasks for Working with Entitlement Data
- 9.5.7 Deleting Entitlements
- 9.5.8 Refreshing the Entitlement List Post Delete for New Entries
- 9.5.9 Disabling the Capture of Modifications to Assigned Entitlements
- 9.5.10 Entitlement-Related Reports
- 9.6 Managing Disconnected Resources
- 9.6.1 About Disconnected Resources
- 9.6.2 Disconnected Resources Architecture
- 9.6.3 Managing Disconnected Application Instance
- 9.6.4 Provisioning Operations on a Disconnected Application Instance
- 9.6.5 Configuring Entitlement Grant
- 9.6.6 Status Changes in Manual Process Task Action
- 9.6.7 Customizing Provisioning SOA Composite
- 9.6.8 Troubleshooting Disconnected Resources
- 10 Managing Connector Lifecycle
- 10.1 Lifecycle of a Connector
- 10.2 Change Management Terminology
- 10.3 Viewing Connector Details
- 10.4 Installing Connectors
- 10.5 Defining Connectors With Oracle Identity Governance
- 10.6 Cloning Connectors in Oracle Identity Governance
- 10.7 Exporting Connector Object Definitions in Connector XML Format
- 10.8 Upgrading Connectors
- 10.8.1 About Upgrading Connectors
- 10.8.2 Upgrade Use Cases Supported by the Connector Upgrade Feature
- 10.8.3 Connector Object Changes Supported by the Upgrade Connectors Feature
- 10.8.3.1 Resource Object Changes
- 10.8.3.2 Process Definition Changes
- 10.8.3.3 Resource Bundle Changes
- 10.8.3.4 Process Form Changes
- 10.8.3.5 Lookup Definition Changes
- 10.8.3.6 Adapter Changes
- 10.8.3.7 Rule Changes
- 10.8.3.8 IT Resource Type Changes
- 10.8.3.9 IT Resource Changes
- 10.8.3.10 Scheduled Task Changes
- 10.8.4 What Happens When You Upgrade a Connector
- 10.8.5 Summary of the Upgrade Procedure
- 10.8.6 Procedure to Upgrade a Connector
- 10.8.7 Postupgrade Procedure
- 10.8.7.1 Connector Code File Changes
- 10.8.7.2 Running the PurgeCache Utility
- 10.8.7.3 Running cancelProcessTask Utility
- 10.8.7.4 Updating Access Policies
- 10.8.7.5 Configuring the IT Resource
- 10.8.7.6 Configuring the Scheduled Tasks
- 10.8.7.7 Updating Adapters for Changes in IT Resource Type Definition Parameter
- 10.8.7.8 Other Postupgrade Steps
- 10.8.8 Procedure to Upgrade a 9.x Connector Version to an ICF Based Connector
- 10.9 Uninstalling Connectors
- 10.9.1 About Uninstalling Connectors Utility
- 10.9.2 Use Cases Supported by the Uninstall Connectors Utility
- 10.9.3 Overview of the Connector Uninstall Process
- 10.9.4 Setting Up the Uninstall Connector Utility
- 10.9.5 Uninstalling Connectors and Removing Connector Objects
- 10.9.6 Running the Script to Uninstall Connectors and Connector Objects
- 10.10 Troubleshooting Connector Management Issues
- 11 Managing Reconciliation
- 11.1 About Reconciliation
- 11.2 Reconciliation Based on the Object Being Reconciled
- 11.3 Mode of Reconciliation
- 11.4 Approach Used for Reconciliation
- 11.5 Managing Reconciliation Events
- Part VI Requests
- 12 Managing the Access Request Catalog
- 12.1 Access Request Catalog
- 12.2 Configuring the Access Request Catalog
- 12.3 Administering the Access Request Catalog
- 12.3.1 Prerequisites of Catalog Administration
- 12.3.2 Common Tasks to be Performed by the Catalog Administrator
- 12.3.3 Catalog Auditing
- 12.3.4 Configuring Hierarchical Attributes of Entitlements
- 12.3.5 Database Best Practices for Access Request Catalog
- 12.4 Managing the Lifecycle of the Catalog
- 12.4.1 Overview of Catalog Customization
- 12.4.2 Test to Production Procedures for Catalog Customizations
- 12.4.3 Limitations of the Test to Production Procedures
- 12.5 Troubleshooting Access Request Catalog
- Part VII System Configuration
- 13 Managing the Home Organization Policy
- 14 Managing Self Service Capability Policy
- 14.1 About Self Service Capability Rule
- 14.2 Default Self Service Capability Rule
- 14.3 Example of Self Service Capability Rules and Rule Evaluation Order
- 14.4 Creating a Rule in Self Service Capability Policy
- 14.5 Modifying a Rule in Self Service Capability Policy
- 14.6 Deleting a Rule in Self Service Capability Policy
- 15 Managing Lookups
- 16 Managing Role Categories
- 17 Managing the Scheduler
- 17.1 About Scheduler
- 17.2 Configuring the oim-config.xml File
- 17.3 Start and Stop the Scheduler
- 17.4 Scheduled Tasks
- 17.5 Managing Jobs
- 17.6 Diagnosing Scheduled Jobs
- 18 Managing Notification Service
- 18.1 About Notification Providers
- 18.2 Managing Notification Providers
- 18.2.1 Using UMS for Notification
- 18.2.2 Using SMTP for Notification
- 18.2.3 Using SOA Composite for Notification
- 18.2.4 Configuring Custom Notification Provider
- 18.2.5 Disabling and Enabling Notification Providers
- 18.3 Managing Notification Templates
- 18.3.1 Default Notification Template
- 18.3.2 Searching for a Notification Template
- 18.3.3 Creating a Notification Template
- 18.3.4 Modifying a Notification Template
- 18.3.5 Disabling a Notification Template
- 18.3.6 Enabling a Notification Template
- 18.3.7 Adding Locales to a Notification Template
- 18.3.8 Removing Locales from a Notification Template
- 18.3.9 Deleting a Notification Template
- 18.3.10 Configuring Notification for a Proxy
- 18.4 Configuring Email in Provisioning Workflow
- 18.5 Configuring SOA Email Notification
- 18.6 Disabling Oracle Identity Governance Email Notifications
- 18.7 Troubleshooting Notification
- 19 Configuring Oracle Identity Governance
- 20 Configuration of JCS
- 21 Moving From Test to Production
- 21.1 About Test to Production Migration
- 21.2 Migrating Incrementally Using the Deployment Manager
- 21.2.1 About the Deployment Manager
- 21.2.2 Features of the Deployment Manager
- 21.2.3 Enabling Deployment Manager in SSL Mode
- 21.2.4 About Exporting Deployments
- 21.2.5 Exporting Deployments
- 21.2.6 About Importing Deployments
- 21.2.7 Importing Deployments
- 21.2.8 Best Practices for Using the Deployment Manager
- 21.2.8.1 Do Not Export System Objects
- 21.2.8.2 Exporting Related Groups of Objects
- 21.2.8.3 Using Logical Naming Conventions for Versions of a Form
- 21.2.8.4 Exporting Root to Preserve a Complete Organizational Hierarchy
- 21.2.8.5 Providing Clear Export Descriptions
- 21.2.8.6 Checking Dependencies Before Exporting Data
- 21.2.8.7 Matching Scheduled Task Parameters
- 21.2.8.8 Deployment Manager Actions on Reimported Scheduled Tasks
- 21.2.8.9 Compiling Adapters and Enable Scheduled Tasks
- 21.2.8.10 Checking Permissions for Roles
- 21.2.8.11 Creating a Backup of the Database
- 21.2.8.12 Importing Data When the System Is Quiet
- 21.2.8.13 Exporting and Importing Data in Bulk
- 21.2.8.14 Exporting Entity Publications
- 21.2.9 Troubleshooting the Deployment Manager
- 22 Migrating Application and Database Binaries
- Part VIII Auditing and Reporting
- 23 Configuring Auditing
- 23.1 About Auditing
- 23.2 User Profile Auditing
- 23.3 Role Profile Auditing
- 23.4 Catalog Auditing
- 23.5 Enabling and Disabling Auditing in Oracle Identity Governance
- 23.6 Lightweight Audit
- 24 Using Reporting Features
- 24.1 About Reporting in Oracle Identity Governance
- 24.2 Supported Output Formats for Reports
- 24.3 Classification of Oracle Identity Governance Reports
- 24.3.1 Access Policy Reports
- 24.3.2 Request and Approval Reports
- 24.3.3 Role and Organization Reports
- 24.3.4 Password Reports
- 24.3.5 Resource and Entitlement Reports
- 24.3.5.1 Account Activity In Resource
- 24.3.5.2 Delegated Admins and Permissions by Resource
- 24.3.5.3 Delegated Admins by Resource
- 24.3.5.4 Entitlement Access List
- 24.3.5.5 Entitlement Access List History
- 24.3.5.6 Financially Significant Resource Details
- 24.3.5.7 Resource Access List History
- 24.3.5.8 Resource Access List
- 24.3.5.9 Resource Account Summary
- 24.3.5.10 Resource Activity Summary
- 24.3.5.11 User Resource Access History
- 24.3.5.12 User Resource Access
- 24.3.5.13 User Resource Entitlement
- 24.3.5.14 User Resource Entitlement History
- 24.3.6 User Reports
- 24.3.7 Certification Reports
- 24.3.8 Identity Audit Reports
- 24.3.9 Exception Reports
- 24.4 Required Scheduled Tasks for Oracle Analytics Server Reports
- 24.5 Best Practices for Running Oracle Identity Governance Reports
- 25 Using the Archival and Purge Utilities for Controlling Data Growth
- 25.1 About Archival and Purge Utilities
- 25.2 Archival and Purge Concepts
- 25.2.1 Purge Only Solution Versus Purge and Archive Solution for Entities
- 25.2.2 Archival of Data in Oracle Identity Governance
- 25.2.3 Purging of Data in Oracle Identity Governance
- 25.2.4 Real-Time Purging in Oracle Identity Governance
- 25.2.5 Retention Period in Oracle Identity Governance
- 25.2.6 Modes of Archival Purge Operations
- 25.3 Using Real-Time Purge and Archival Option in Oracle Identity Governance
- 25.4 Using Command-Line Option of the Archival Purge Utilities in Oracle Identity Governance
- 25.4.1 About Command-Line Utilities
- 25.4.2 Using the Reconciliation Archival Utility
- 25.4.2.1 About the Reconciliation Archival Utility
- 25.4.2.2 Prerequisite for Running the Reconciliation Archival Utility
- 25.4.2.3 Archival Criteria for Reconciliation Data
- 25.4.2.4 Running the Reconciliation Archival Utility
- 25.4.2.5 Log File Generated by the Reconciliation Archival Utility
- 25.4.2.6 Troubleshooting Scenario for Reconciliation Archival Utility
- 25.4.3 Using the Task Archival Utility
- 25.4.4 Using the Requests Archival Utility
- 25.5 Using the Audit Archival and Purge Utility
- 25.5.1 About Audit Archival and Purge Utility
- 25.5.2 Audit Data Growth Control Measures in Lightweight Audit Framework
- 25.5.2.1 About Audit Data Growth Control Measures in Lightweight Audit Framework
- 25.5.2.2 Overview of Partition Based Approach
- 25.5.2.3 Prerequisites for Partitioning the AUDIT_EVENT Table
- 25.5.2.4 Preparing the AUDIT_EVENT Table for Archival and Purge
- 25.5.2.5 Archiving or Purging the AUDIT_EVENT Data Using Partitions
- 25.5.2.6 Ongoing Partition Maintenance
- 25.5.3 Partition-Based Approach for Audit Growth Control Measures in Legacy Audit (UPA) Framework
- 25.6 Using the Real-Time Certification Purge in Oracle Identity Governance
- Using the Offline Data Purge Framework
- Using the Complete Nuke Cleanup Utility
- Part IX Lifecycle Management
- 26 Handling Lifecycle Management Changes
- 26.1 URL Changes Related to Oracle Identity Governance
- 26.1.1 Oracle Identity Governance Host and Port Changes
- 26.1.2 Oracle Identity Governance Database Host and Port Changes
- 26.1.2.1 Modifying Datasource oimJMSStoreDS Configuration
- 26.1.2.2 Modifying Datasource soaOIMLookupDB Configuration
- 26.1.2.3 Modifying Datasource oimOperationsDB Configuration
- 26.1.2.4 Modifying Datasource ApplicationDB Configuration
- 26.1.2.5 Modifying Datasource Related to Oracle Identity Governance Meta Data Store
- 26.1.2.6 Modifying OIMAuthenticationProvider Configuration
- 26.1.2.7 Modifying DirectDB Configuration
- 26.1.2.8 Modifying the Oracle Identity Governance Database Host and Port in BI Publisher
- 26.1.2.9 Changing Incorrect Database Configuration
- 26.1.3 Changing Oracle Virtual Directory Host and Port
- 26.1.4 Changing BI Publisher Host and Port
- 26.1.5 Changing SOA Host and Port
- 26.1.6 Changing OAM Host and Port
- 26.2 Password Changes Related to Oracle Identity Governance
- 26.2.1 Updating Oracle WebLogic Administrator Credentials
- 26.2.2 Changing Oracle WebLogic Administrator Password
- 26.2.3 Changing Oracle Identity Governance Administrator Password
- 26.2.4 Changing Oracle Identity Governance Administrator Database Password
- 26.2.5 Changing Oracle Identity Governance Database Password
- 26.2.5.1 Changing Datasource oimJMSStoreDS Configuration
- 26.2.5.2 Changing Datasource ApplicationDB Configuration
- 26.2.5.3 Changing Datasource soaOIMLookupDB Configuration
- 26.2.5.4 Changing Datasource oimOperationsDB Configuration
- 26.2.5.5 Changing Datasource Related to Oracle Identity Governance Meta Data Store
- 26.2.5.6 Changing OIMAuthenticationProvider Configuration
- 26.2.5.7 Changing Domain Credential Store Configuration
- 26.2.5.8 Changing the Oracle Identity Governance Database Password in BI Publisher
- 26.2.6 About Credential Store Framework Keys
- 26.2.7 Changing Oracle Identity Governance Passwords in the Credential Store Framework
- 26.2.8 Changing OVD Password
- 26.2.9 Changing Oracle Identity Governance Administrator Password in LDAP
- 26.2.10 Unlocking Oracle Identity Governance Administrator Password in LDAP
- 26.2.11 Changing Schema Passwords
- 26.3 Configuring SSL for Oracle Identity Governance
- 26.3.1 Generating Custom Key Stores (Optional)
- 26.3.2 Configuring Custom Key Stores (Optional)
- 26.3.3 Enabling SSL for Oracle Identity Governance and SOA Servers
- 26.3.4 Enabling SSL for Oracle Identity Governance DB
- 26.3.5 Enabling SSL for SOA Approval Composites
- 26.3.6 Configuring SSL for the Design Console
- 26.3.7 Configuring SSL for Oracle Identity Governance Utilities
- 26.4 Using Ready App
- 27 Securing a Deployment
- Part X Diagnostics and Troubleshooting
- 28 Using Enterprise Manager for Managing Oracle Identity Governance
- 28.1 Managing Oracle Identity Governance Configuration
- 28.2 Using the OrchestrationEngine MBean
- 28.3 Configuring Log Services for Oracle Identity Governance
- 28.3.1 Logging in Oracle Identity Governance By Using ODL
- 28.3.1.1 About Oracle Diagnostic Logging
- 28.3.1.2 Message Types and Levels in Oracle Identity Governance
- 28.3.1.3 Log Handler and Logger Configuration
- 28.3.1.4 Configuring Log Handlers
- 28.3.1.5 Log Handler Configuration Tools
- 28.3.1.6 About Configuring Loggers
- 28.3.1.7 Configuring Loggers in Oracle Identity Governance
- 28.3.1.8 Sample ODL Log Output
- 28.3.2 Logging in Oracle Identity Governance By Using log4j
- 28.3.3 Setting Warning State
- 28.3.4 Switching Down the Log Level
- 28.4 Handling Cache
- 29 Using the PL/SQL Unified Diagnostic Logging and Debugging Framework
- 29.1 Understanding the PL/SQL Unified Diagnostic Logging and Debugging Framework
- 29.2 Configuring the Diagnostic Level
- 29.3 Understanding the Data Captured by PL/SQL Diagnostic Logging Tables
- 29.4 Collecting Data Captured by PL/SQL Diagnostic Logging Tables
- 29.5 Controlling Data Growth of PL/SQL Diagnostic Logging Tables
- Using the Identity Management Diagnostic Framework
- Browser Specific Known Issues
- Part XI Appendixes
- A Default User Accounts
- B Configuring SSO Providers for Oracle Identity Governance
- B.1 Common Prerequisites for Integration With Third-Party SSO Solutions
- B.2 Enabling Oracle Identity Governance to Work With OpenSSO
- B.3 Enabling Oracle Identity Governance to Work With IBM Tivoli Access Manager
- B.4 Enabling Oracle Identity Governance to Work With CA SiteMinder
- B.5 Configuring Basic SSO Using OAM
- B.6 Simplifying Third-Party SSO Integration
- B.7 Using Configurable Login ID Support for SSO Integration
- B.8 Configuring Login ID Support for SSO Integration
- B.9 Integrating Oracle Identity Governance with Identity Providers using SAML2 Asserter
- B.9.1 Prerequisites for Integrating Oracle Identity Governance with Identity Providers
- B.9.2 Configuring the SAML2 Asserter in the Oracle Identity Governance Domain
- B.9.3 Configuring Identity Federation Settings on Oracle Identity Governance
- B.9.4 Exporting the Identity Federation Document
- B.9.5 Configuring the Identity Provider Metadata on Oracle Identity Governance
- B.9.6 Updating Identity Self Service, System Administration, and FacadeWebApp to Change the Session Cookie
- B.9.7 Testing the SAML2.0 Flow with Identity Self Service and System Administration Pages
- C Using Database Roles/Grants for Oracle Identity Governance Database
- D Enable Administration Port in Oracle Identity Governance
- E Enabling Transparent Data Encryption
- F Troubleshooting Clustered OIM and Eclipselink Cache Coordination
- F.1 Startup Procedure for Clustered Installation of Oracle Identity Governance
- F.2 Setting Deployment Mode to Cluster
- F.3 Configuring Multicast Addressing for Oracle Identity Governance
- F.4 Multicast Addressing for Eclipselink
- F.5 Testing Multicast Network Testing
- F.6 Enabling Additional Logging for Eclipselink
- F.7 Testing Multicast Connectivity Between Oracle Identity Governance Nodes
- G Scheduler and System Properties do not come up in the Integrated Environment