4. BRISTLECONE INDIA PVT. LTD. | WHITEPAPER 3
Overview
Over the last decade, the mission of identity and access management (IDM) systems has expanded to
include a range of business objectives. Whereas early identity systems served primarily to simplify
account management, today organizations are building IDM technologies into their controls
infrastructure. Oracle Identity Governance Suite enables organizations to simplify access grants and
review access by consolidating the key strengths of its industry leading and best-in-class provisioning
(Oracle Identity Manager), newly released privileged access (Oracle Privileged Access Manager), role,
policy and risk management (Oracle Identity Analytics) into a common, consistent and unified
governance suite. With a single, converged platform, Oracle Identity Governance suite can provide
benefits like:
Increased end-user productivity - consistent and intuitive user interfaces, common business glossary,
immediate access to key applications, role lifecycle management
Reduced risk - guaranteed access revocation, detect and manage orphaned accounts, proactive and
reactive IT audit policies detection and enforcement, fine grained authorization controlling who can
do what, periodic re-certifications, continuous policy and role based access re-evaluation.
Increased operational efficiency - risk based identity certification reducing overall time to certify,
automated repeatable user administration tasks, role consolidation, and ease of deployment
Reduced total cost - single vendor platform for governance, flexible and simplified customization
framework, easily attest to regulatory requirements, common connector, standards based
technology.
Oracle Identity Management provides a unified, integrated security platform designed to manage user
identities, provision resources to users, secure access to corporate resources, and enable trusted
online business partnerships and support governance and compliance across the enterprise. It
provides increased efficiency through improved integration, automation, and increased effectiveness
in terms of application-centric security, risk management, and governance. OIM supports the full life
cycle of enterprise applications, from development to deployment and production.
Oracle Identity Manager (OIM) automates the administration of user access privileges across a
company's resources, throughout the entire identity management life cycle—from initial on-boarding
to final de-provisioning of an identity. OIM helps to answer critical compliance questions like "who has
access to what resources and when? How did users get access to resources and why?"
Key Features
Oracle Identity Management allows enterprises to manage the end-to-end life cycle of user identities
across enterprise resources and independently from enterprise applications. Its comprehensive set of
services include identity administration and role management; user provisioning and compliance; web
applications and web services access control; single sign-on and federated identities; fraud detection;
strong, multifactor authentication and risk management; role governance and identity analytics, audit
and reports. Some of its key features are listed below.
Simplified Self Service
OIM offers a wide range of self-service functions enabling business users to register for an account,
manage their own profiles and credentials. These self-service capabilities easily pay for themselves many
times over through reduced help desk calls and administrative costs.
Self-Registration
OIM provides a configurable interface where end users (typically in an extranet environment) can
submit a request for an account for themselves in the enterprise. A configurable workflow allows such
requests to be approved before actually granting and notifying the account details to the user.
Profile Management
Using OIM’s self-service interface, users can easily manage their own mutable profile data like
changing their email ID, postal address, telephone number, emergency contact info, their password
recovery questions and answers or set up a proxy/delegate user to act on their behalf for a specified
time period.
Password Management
OIM’s self-service interface enables users to manage their enterprise password that is used in single
sign-on (SSO). OIM then synchronizes this password across all target resources provisioned to the
user. OIM enforces compliance of this password with enterprise password policies, which may be
authored in OIM itself. For the recovery of forgotten passwords, OIM employs the security challenge
questions set during the user’s first login or captured during self-registration. OIM also provides
random password generation capabilities that may be invoked during registration or administrator-
based password reset.
Self-Service Access Request
OIM provides a browser-based tool to request access. The access request experience is similar to the
“shopping cart” metaphor used on commercial websites, so users are able to request access without
training on the tool and with only a basic understanding of the organization’s roles and entitlements.
End users simply search for the roles and entitlements they require by entering keywords. They can
further refine and filter search results by using the tool’s automated suggestions. Once users find the
entitlements they need, they simply place the appropriate entitlements in a cart and submit the
request. OIM enables users to bundle frequently requested privileges and model them as a saved
shopping cart. In OIM, a saved shopping cart is called a “request profile” that can also be shared with
other users.
Tracking a Request
Users and helpdesk administrators can track the progress of their requests online through OIM’s
tracking tool. The tracking tool graphically displays the current state of the request approval in the
provisioning workflow. An image displays what steps are complete and what steps remain to fulfill
the request. Using this tool, users can then help ensure their requests are handled in a timely
fashion.
Handling Requests – Complex Workflows
OIM allows approvers to take various actions on an access request without significant difficulty. In
addition to approving or denying the request, the approver may delegate the approval step to
another person or role. Because timely approvals are critical to overall user productivity, the system
also supports configurable approval reminders and escalations. As approval needs change over time,
policy owners can change the approval routing logic using a web interface.
Extensible User Interface
While OIM out of the box includes a complete self-service access request capability that is business
user friendly, organizations may want to customize the tool to cater to their organization specific
user interface standards and principles.
Global Customizations
OIM supports customizations that range from simple branding/logo/style-sheet changes to changing
the layout of the page or changing the labels of various widgets on the page. Some of the advanced
customizations may involve extending the out-of-box definition of various entities like users, roles,
organizations, catalog entities by defining additional attributes on them and deciding various UI
pages where the new attributes should appear. The system also provides a sandbox environment to
perform, test, commit or rollback all such customizations without impacting other users.
Personalization
OIM provides a powerful personalization framework as part of its business user interface. When
using OIM, each user sees a home page with multiple regions for the most commonly used features
and information. Business users can personalize the layout of the home page by rearranging or
hiding regions. Additionally, some of the non-technical users like helpdesk administrators or
delegated administrators may perform the same query over and over again on various entities.
Rather than entering the query criteria again and again, users can save their searches and reuse
them across sessions.
Advanced Identity and Role Administration
Users’ access rights are managed in OIM throughout the identity lifecycle. When new users are on-
boarded, they receive a set of accounts and entitlements based on any applicable “birthright
provisioning” policies. Account and entitlement assignments may change as users’ identity attributes
change in the enterprise as a result of promotions, transfers, or other organizational changes. OIM
automatically provisions these changes in the target systems. Users may also get additional access
by requesting roles, accounts, or entitlements using OIM’s self-service capabilities.
OIM Data Warehouse
The core of OIM is its centralized identity warehouse. The identity warehouse contains three key
types of data:
Identities: Users’ identities may be created based on authoritative systems or directly in OIM using
self-service or delegated administration features. OIM can create user accounts and reconcile
attributes and access based on data from any number of authoritative systems such as Oracle E-
Business HRMS, PeopleSoft HRMS etc.
OIM can synchronize the database with any number of LDAP directories. Many customers
synchronize the identities created in OIM into an LDAP to setup an enterprise LDAP that may be
wired to various authentication and authorization systems that may need access to user’s identity
attributes.
Connectors
OIM’s Connector Framework eliminates the complexity associated with creating and maintaining
connections to proprietary interfaces in business applications. The connector framework separates
connector code (integration libraries specific and optimized for the target system) from connector
meta-data (data models, forms, connectivity information and process). This separation makes
extending, maintaining, and upgrading connectors a manageable and straightforward process.
OIM provides the following integration technologies for the connector development.
Generic Technology Connector
The Adapter Factory enables customers to create new integrations or modify existing integrations
using a graphical user interface, without programming or scripting. Generic Technology Connector
can communicate with any target resource by using standard protocols such as HTTP, SMTP, FTP,
and Web Services combined with generic message formats such as CSV, SPML, and LDIF.
Identity Connector Framework
The Generic Technology Connector framework provides a complementary solution for data flows to
applications that accept file formats. ICF provides Connector Servers, which enable remote execution
of the Identity Connector. Connector servers are available for both Java and .NET. An ICF-compliant
converged connector is a connector that can be used with both Oracle Identity Manager and
Oracle Waveset.
OIM Architecture
Oracle Identity Management components integrate seamlessly with Oracle applications such
as Oracle’s PeopleSoft, Oracle’s Siebel, and other Oracle Fusion Middleware components such as
Oracle SOA, Oracle WebCenter, and Oracle Business Intelligence. OIM integrates with Oracle Database
through its own directory and identity virtualization services, thus providing scalability and lower cost
of ownership.
Oracle Identity Management is an integral part of Oracle Fusion Middleware. OIM leverages its
services such as Business Intelligence, Enterprise Management, and SOA and Process Management,
and it provides security services to multiple Oracle Fusion Middleware components and Oracle Fusion
Applications.
Oracle Identity Management Platform
Oracle’s identity platform consists of three functional pillars and underlying platform services, as
shown in the following figure.
Identity Governance involves setup of the environment in advance of access, as well as review of the
environment to ensure policies are enforced as intended.
The Access Management includes the technologies involved in run-time enforcement of access—that
is, when users are actively using the system.
Directory Services operate at the data layer to provide identity context to the other two pillars. Oracle
also provides Platform Security Services that enable developers to access any component in the pillars,
externalize security decisions, and take advantage of platform security features.
Oracle 11g R2 IDM Platform
Identity Governance products:
Oracle Identity Manager (OIM) is an identity provisioning product. OIM includes features for self-
service password management, access request forms, delegated administration, approval routing
workflows, and entitlement management across any number of connected systems.
Oracle Identity Analytics (OIA) collects logs from IdM products and other systems to report on
usage, build effective IT roles, and detect account-related audit issues such as orphaned accounts.
Oracle Privileged Account Manager (OPAM) secures accounts with elevated access, such as root
accounts on Unix systems and databases, by implementing a password checkout system.
Access Management products:
Oracle Access Manager (OAM) is a Web Access Management (WAM) product that enables SSO
across an organization’s web presence.
Oracle Adaptive Access Manager (OAAM) enables organizations to apply stronger, risk-based, and
multi-factor access control to an organization’s web presence.
Oracle Enterprise Gateway (OEG) is a soft-appliance XML gateway for securing and managing
application and web access to an organization’s web presence.
Oracle Identity Federation (OIF) provides standards-based identity federation capabilities for
enabling SSO across websites.
Oracle Security Token Service (OSTS) is a WS-Trust compliant STS implementation. An STS converts
security tokens of various types, enabling compatibility and trust across federation boundaries.
Oracle Entitlements Server (OES) is a fine-grained entitlements service that supports a variety of
externalized authorization mechanisms including XACML 3.0.
Oracle Enterprise Single Sign-On (OeSSO) is a client-based SSO product that enables users to access
web, client-server, and legacy applications through a single, strong authentication “wallet”.
Directory Services products
Oracle Unified Directory (OUD) includes both a highly scalable LDAP directory service based on Java
and the Oracle Virtual Directory (OVD) product. See the section below for more information on OVD.
Oracle Internet Directory (OID) is a scalable LDAP directory service based on Oracle database
technology.
Oracle Virtual Directory (OVD) enables efficient and elegant integration to data sources.
Platform Security services
Oracle Platform Security Services (OPSS) provide developer access to essential security functions.
Oracle Enterprise Gateway (OEG) enables SOA applications to establish an identity-based control at
the edge of enterprise networks. OEG also provides REST-ful interfaces to the identity platform for
mobile applications. And when combined with Oracle Web Services Manager (OWSM) also adds
encryption, PKI, and related policy control to web services.
Support for Open Standards
Oracle Identity Platform supports all relevant standards, including LDAP, SAML, WS-Trust, WS-
Federation, XACML, OpenID, OAuth, and SPML. Oracle also continues to innovate in the standards
community. The identity platform offers technologies that make it easy to integrate with partners,
suppliers, and cloud services. The access technologies support all the major federation standards,
including SAML 1.x and 2.x, WS-Federation, and OpenID.
Oracle Identity Manager
Oracle Identity Manager (OIM) is a central component of Oracle’s identity management strategy. It
provides a platform for designing provisioning processes for user and access information to solve the
challenge of getting the right accounts and privileges automatically set up for users across all
applications they need to access.
OIM is a fundamental building block for an overall identity management solution. Access
management, role management, directory services, and entitlement management all depend on
having a working user provisioning solution that ensures the right identity data exists in the right
location for other solutions to use. And with so many different types of policies, processes, and
integrations involved in a typical provisioning problem, the provisioning technology needs to support
a high level of flexibility and customization. However, with added flexibility comes complexity, so OIM
tries to achieve a balance between supporting customization of provisioning without making the
implementation process too difficult.
OIM User
In OIM, a user represents an entity in context of enterprise user provisioning and as such can be
provisioned to accommodate different applications. An OIM user defines a specific default data model
with certain standard identity attributes, such as First Name, Last Name, Employee Type, Title,
Organization, and so on, that can be extended as needed.
User Group
In many applications, users are grouped together based on common functions, organization, job level,
and so forth. OIM provides the user group object as a mechanism to support organizing users into
simple compartments according to certain rules and policies. A user can be associated to a group
either via direct membership assignments or rule driven memberships.
Direct assignments are performed in a discretionary manner by another privileged user (such as
administrators, managers, and so on), and the memberships are maintained in a static way
(memberships are also revoked in a discretionary way).
The other way of assigning groups is rule-based membership, which is more automated. Membership
rules are simple conditional statements that are evaluated against each user to determine whether or
not the user belongs to a group. The figure below shows a membership rule, “location == San
Francisco.” This is an example of automating group memberships based on a “location” attribute
value. User groups using membership rules are more dynamic in nature and provide significant
flexibility for managing who belongs to which groups and therefore who should be granted which
resources.
Organization
An OIM organization is meant to represent a business function or regional department, such as Sales,
Product Development, North America Business Unit, and so on. OIM organization objects can be
nested and therefore represent real-world organizational hierarchies. An organization is different
from a user group because a user can have at most one organization, but can have multiple user
group associations at the same time.
Access Policy
An access policy is a way in OIM to map who should have access to what resource. The overall mapping
from the user to the resource can be made up of mappings from the user to user groups and from
user groups to resources. In addition to controlling the resource, it is possible to control each user’s
privileges within each resource by associating application-level privileges to user groups in the access
policy. For example, suppose two user groups, “Data Analyst” and “Data Administrator,” should both
be provisioned to the same database application but with different database roles (such as analyst
and DBA). The mapping of each user group to its database role can be set inside the access policy.
Resource Object
A resource object is an OIM object representing a logical resource for which users need to have
accounts created. For instance, you can have OIM resource objects called “e-mail Server” and
“Customer Database.” A resource object can represent almost anything, from applications, databases,
and operating systems, to physical assets and any other entity relevant to provisioning.
A resource object is used to track which users are provisioned to what logical assets. It can report on
the current list of users who are provisioned to the E-mail Server resource in our example. Resource
objects are also used to design approval workflows and policies around those workflows that are
application-centric. So, for example, if a specific person is assigned to approve all new accounts on the
e-mail Server system, the workflow rule can reference the resource object to express that condition.
OIM resource objects do not represent the physical resources themselves and therefore do not
contain physical details (such as IP addresses, server hostnames, and so on). For physical server
representations and details, OIM provides the concept called IT resources.
IT Resource
An IT resource is a physical representation of a logical resource object. It holds all the physical details
of the resource for which a new user is provisioned. If, for example, you have a resource object called
Customer Database, you need to also define one or more corresponding IT resource objects that
represent the physical characteristics of the resource (such as server hostnames, IP addresses, physical
locations, and so on). This information is used by the OIM integration engine when it needs to
communicate with those servers to complete a provisioning-related task.
The specific set of attributes of an IT resource depends heavily on the type of system on which the
account is being created (relational database IT resources expect schema names and passwords; LDAP
server IT resources expect namespaces and directory information tree details).
OIM allows you to define an IT resource type that acts as a template to define a specific data model
for certain types of IT resources.
User Provisioning Process
A user provisioning process looks similar to any other business process. It represents a logical flow of
events that deal with creating accounts within enterprise resources to make a new user productive.
Every provisioning process uses some fundamental building blocks, and the following sections provide
different levels of sophistication in user provisioning. Choice of sophistication level should, obviously,
depend on the requirement and sensitivity of the particular resource.
Discretionary Account Provisioning
Discretionary account provisioning is a style of provisioning by which an existing OIM administrator or
privileged user can provision a user to an application in a discretionary manner. Inherently, a
discretionary method is less consistent and leaves it up to the administrator to know what to do, rather
than codifying a policy in the provisioning process. By default, this style of provisioning is
automatically set up when OIM is integrated with an application using a packaged connector, and
enterprises typically use it as a baseline from which to design and implement their automation rules
to make the process less discretionary.
Typically, discretionary provisioning is useful for enterprises that are looking to take the first step from
manual provisioning processes to a basic level of automation and centralization. Also, if the enterprise
lacks formal governance rules and policies around access to systems and information, handling
provisioning requests in a request-based manner might be the inevitable first step. However, if OIM
has been put in place, you can accelerate your path to better provisioning automation by leveraging a
lot of the built-in features of OIM, such as allowing users to make new requests through OIM and
performing basic maintenance tasks such as password resets.
Self Service Provisioning
The discretionary account provisioning requires an administrator or a privileged user to initiate the
provisioning process. In other words, users will still need to make a phone call or send an email to the
administrator to request a new account in an application. However, OIM can be easily configured so
that users can communicate entirely through the OIM framework when requesting access to new
resources.
Over the past few years, self-service user provisioning has been a popular solution especially when
delivering simple capabilities such as resetting passwords and requesting accounts in new systems and
applications. It can greatly reduce the burden on administrators for performing highly repetitive tasks
of manually inputting data from paper forms submitted by an end user. However, enabling the self-
service capabilities on resources usually leads to some manual oversight, typically enforced through
approval workflows that allow administrators to verify and sign-off on requests from end users.
Without such approvals, the resource might as well be a fully public resource.
Workflow-based provisioning
A workflow-based provisioning process gathers the required approvals from the designated approvers
before granting a user access to an application or another resource. For example, the Finance
application might require that every new account request be approved by the CFO to maintain tight
control of who gets to see sensitive financial information.
Access Policy Driven Provisioning
Access Policy Driven Provisioning is a response to the basic question “Who should have access to
what resources?” An access policy can be implemented through the OIM Admin console and has four
facets: what is provisioned, when it is issued, what is not to be provisioned, and who it is for. The
steps required to set up an access policy are as follows:
1. Create or select an Access Policy under the OIM Admin console.
2. Select the resource(s) to be provisioned under the chosen access policy.
3. Set the date for which access needs to be issued.
4. Select the resource(s) that should be denied to the user through this access policy.
5. Select the user groups that apply to this access policy.
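The rule-driven group memberships and access policies described above, worked through as an added example. This is a constructed model, not Oracle Identity Manager’s API or data model: users are attribute dictionaries, a membership rule is a conditional such as “location == San Francisco”, and each access policy carries the facets listed in the steps (what is provisioned with which application-level privilege, what is denied, and which user groups it is for); a deny from any applicable policy is assumed to win over a grant from another.

```python
"""Constructed model of OIM-style user groups and access policies (added
illustration, not Oracle Identity Manager's own code). It shows how
rule-driven group membership and access policies combine to decide each
user's entitlements, and why rule-based groups are re-evaluated when identity
attributes change (promotion, transfer, contractor status)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

CLAUSE_RE = re.compile(r"^\s*(\w+)\s*(==|!=)\s*(.+?)\s*$")


def evaluate_rule(rule: str, user: dict) -> bool:
    """Evaluate 'attr == value' / 'attr != value' clauses joined by AND."""
    for clause in re.split(r"\s+AND\s+", rule, flags=re.IGNORECASE):
        match = CLAUSE_RE.match(clause)
        if not match:
            raise ValueError(f"malformed membership rule: {clause!r}")
        attr, op, value = match.groups()
        equal = user.get(attr) == value
        if equal != (op == "=="):
            return False
    return True


@dataclass
class UserGroup:
    name: str
    membership_rule: Optional[str] = None                  # dynamic, rule-driven
    direct_members: Set[str] = field(default_factory=set)  # static, discretionary

    def members(self, users: Dict[str, dict]) -> Set[str]:
        dynamic = set()
        if self.membership_rule:
            dynamic = {uid for uid, attrs in users.items()
                       if evaluate_rule(self.membership_rule, attrs)}
        return dynamic | self.direct_members


@dataclass
class AccessPolicy:
    name: str
    groups: Set[str]                                # who this policy is for
    provisions: Dict[str, str]                      # resource -> app-level privilege
    denies: Set[str] = field(default_factory=set)   # resources never granted


def compute_entitlements(users, groups, policies):
    """Return {user_id: {resource: set(privileges)}} after applying all policies.

    A deny from any applicable policy removes the resource even if another
    policy grants it, so the 'what not to be provisioned' facet always wins."""
    members = {g.name: g.members(users) for g in groups}
    grants = {uid: {} for uid in users}
    denied = {uid: set() for uid in users}
    for policy in policies:
        applicable = set().union(*(members.get(g, set()) for g in policy.groups))
        for uid in applicable:
            denied[uid] |= policy.denies
            for resource, privilege in policy.provisions.items():
                grants[uid].setdefault(resource, set()).add(privilege)
    for uid, blocked in denied.items():
        for resource in blocked:
            grants[uid].pop(resource, None)
    return grants


# Constructed sample data (not from any real deployment).
USERS = {
    "alice": {"location": "San Francisco", "title": "Data Analyst", "employee_type": "Employee"},
    "bob":   {"location": "London",        "title": "DBA",          "employee_type": "Employee"},
    "carol": {"location": "San Francisco", "title": "Data Analyst", "employee_type": "Contractor"},
}
GROUPS = [
    UserGroup("SF Employees", membership_rule="location == San Francisco"),
    UserGroup("Data Analyst", membership_rule="title == Data Analyst"),
    UserGroup("Contractors", membership_rule="employee_type == Contractor"),
    UserGroup("Data Administrator", direct_members={"bob"}),  # assigned by an admin
]
POLICIES = [
    AccessPolicy("Analyst DB access", {"Data Analyst"}, {"Customer Database": "analyst"}),
    AccessPolicy("DBA access", {"Data Administrator"}, {"Customer Database": "DBA"}),
    AccessPolicy("SF office access", {"SF Employees"}, {"SF Office VPN": "user"}),
    AccessPolicy("Contractor limits", {"Contractors"}, {"e-mail Server": "mailbox"},
                 denies={"Customer Database"}),
]


def entitlements_after_transfer(user_id: str, new_location: str):
    """Re-evaluate everything after an attribute change, e.g. a transfer."""
    users = {uid: dict(attrs) for uid, attrs in USERS.items()}
    users[user_id]["location"] = new_location
    return compute_entitlements(users, GROUPS, POLICIES)


if __name__ == "__main__":
    for uid, ents in compute_entitlements(USERS, GROUPS, POLICIES).items():
        print(uid, {r: sorted(p) for r, p in ents.items()})
```

Carol matches the “Data Analyst” rule but the contractor policy denies the Customer Database, and moving Alice to London silently drops her SF Office VPN grant on the next evaluation, which is the continuous re-evaluation the page attributes to rule-based groups.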
OIM Provisioning Integration
User provisioning has become a critical problem for most enterprises looking to lower their
administrative burdens of account management while also trying to reduce risk by centralizing the
control for granting access to important applications. Instead, with a user provisioning solution, new
account creation tasks can execute in a consistent manner, whereby certain approvals and
verifications are mandated before access is provided to new users.
The other critical user provisioning challenge is a technical one—system integration. A typical
enterprise has a wide-ranging set of applications built on different technologies, standards, and
semantics and therefore centralizing the account creation process is often an integration nightmare.
The choice of integration between OIM and external target systems falls into one of the following
categories:
Prebuilt connectors: a specific connector implementation for a specific system or application (such
as Active Directory, PeopleSoft, SAP, DB2, Oracle Database, and so on).
Generic Technology Connector: a connector for commonly used formats and industry standards
(such as flat files, Web Services, and Service Provisioning Markup Language).
Prebuilt connectors
OIM provides a connector pack that bundles prebuilt and packaged connectors to most third-party
systems of all types, including databases, enterprise resource planning (ERP) applications, operating
systems, Lightweight Directory Access Protocol (LDAP) servers, and so on. Setting up these connectors
in OIM is a fairly straightforward process:
1. Copy the connector files to the OIM server.
2. Import the connector’s (XML-based) descriptor file into the OIM repository through the Deployment
Manager section in the OIM web console.
3. Define the IT resources associated with this connector.
Through this connector install process, OIM automatically creates the foundational elements of the
new resource by creating the necessary resource, IT resource(s), and IT resource type objects
associated to the connector. At this point, the environment is ready for basic request driven
provisioning.
Generic Technology Connector
As enterprises are looking to automate provisioning to all types of applications (enterprise and
departmental), Oracle needed a solution that targeted those applications and systems with a simpler
approach to provisioning. The GTC supports simple integrations to custom-built applications or other
systems that rely on simpler data exchange formats such as comma-separated fields. It also supports
many industry standard protocols such as Service Provisioning Mark-up Language (SPML). The GTC is
an example of a packaged integration used for a common set of applications that can read and
exchange information in a standard format. While the GTC does not necessarily solve complex
integration scenarios, it does provide a quick integration to medium- to low-complexity applications.
A GTC-based integration provides a set of packaged functionalities, known as “providers,” to perform
the different types of actions needed to execute an end-to-end user provisioning process. The process
runs starting from identity data reconciliation from a source system to provisioning to a target
application.
The GTC is a useful choice whenever you’re dealing with applications that can support simpler or
standard data exchange formats, such as comma-separated files or the SPML format. The typical cost
to set up and maintain a GTC-based integration is much lower than that of other types of OIM
integrations. Unlike the prebuilt connectors, the GTC code is shipped with the OIM server so there is
no need to install additional software.
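The flat-file data flows that the GTC section describes (reconciling identities from an authoritative source and checking accounts on a target), worked through as an added example. This is constructed illustration code, not OIM’s or the GTC’s own implementation; the HR feed, the target account export, the column names and the “Terminated” status value are all assumptions made for the example.

```python
"""Constructed example of CSV-based reconciliation in the spirit of a GTC
integration (added illustration, not Oracle Identity Manager's code).

Two runs are shown:
  * trusted-source reconciliation: an HR CSV feed is authoritative, so new
    rows create identities, changed rows update them, and rows whose status
    is Terminated trigger a disable (the de-provisioning side of the lifecycle);
  * target-resource reconciliation: a CSV export of accounts on a target
    system is compared with the identity warehouse to find orphaned accounts
    (accounts with no matching, active identity)."""
import csv
import io

# Constructed HR feed (authoritative source), one row per employee.
HR_FEED = """\
employee_id,first_name,last_name,email,status
1001,Alice,Ng,alice.ng@example.com,Active
1002,Bob,Stone,bob.stone@example.com,Active
1003,Carol,Diaz,carol.diaz@example.com,Terminated
"""

# Constructed export of accounts found on the "Customer Database" target.
TARGET_ACCOUNTS = """\
account_name,owner_employee_id,db_role
alice.ng,1001,analyst
bob.stone,1002,dba
carol.diaz,1003,analyst
svc_report,,analyst
"""


def parse_csv(text: str) -> list:
    """Read a comma-separated feed with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile_trusted_source(warehouse: dict, feed_rows: list) -> list:
    """Apply authoritative HR rows to the warehouse; return the events raised."""
    events = []
    for row in feed_rows:
        uid = row["employee_id"]
        incoming = {k: v for k, v in row.items() if k != "employee_id"}
        existing = warehouse.get(uid)
        if existing is None:
            warehouse[uid] = incoming
            events.append(("create", uid))
        elif existing != incoming:
            changed = tuple(sorted(k for k in incoming if existing.get(k) != incoming[k]))
            warehouse[uid] = incoming
            events.append(("update", uid, changed))
        if incoming["status"] == "Terminated":
            events.append(("disable", uid))  # downstream: revoke target accounts
    return events


def find_orphaned_accounts(warehouse: dict, account_rows: list) -> list:
    """Accounts whose owner is missing, unknown, or not Active are orphans."""
    orphans = []
    for acct in account_rows:
        owner = warehouse.get(acct["owner_employee_id"])
        if owner is None or owner["status"] != "Active":
            orphans.append(acct["account_name"])
    return orphans


def run_reconciliation():
    """Start from a warehouse holding one identity with a stale e-mail address."""
    warehouse = {"1001": {"first_name": "Alice", "last_name": "Ng",
                          "email": "alice@example.com", "status": "Active"}}
    events = reconcile_trusted_source(warehouse, parse_csv(HR_FEED))
    orphans = find_orphaned_accounts(warehouse, parse_csv(TARGET_ACCOUNTS))
    return warehouse, events, orphans


if __name__ == "__main__":
    _, events, orphans = run_reconciliation()
    print("events:", events)
    print("orphaned accounts:", orphans)
```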
Conclusion
Oracle Identity Manager is the most flexible and scalable enterprise identity administration and user
provisioning application available on the market. With its innovative and advanced feature set, OIM
helps an enterprise to reduce security risk, reduce the cost of compliance, and greatly improve service
level and end-user experience. Its flexibility to integrate with Oracle and 3rd party applications and
being a part of the Oracle Identity Governance Suite makes it an ideal choice to start or complement
an existing identity management deployment as an enterprise advances to reach its identity and
access governance goals.