Oracle Identity Governance Technical Overview - 11gR2PS3

Copyright © 2014, Oracleand/orits affiliates. Allrights reserved. |
Oracle Identity Governance
Unified Approach to Complete Identity Governance
Atul Goyal
Senior Principal Product Manager

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitmentto deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionalitydescribed for Oracle’s products remains at the sole discretion of Oracle.

• Who has access to what?
• Who has accessed what?
• Who has requested that access?
• Who has authorized/approved that
access?
• Who has certified that access?
• IdentityAdministration
• Role LCM/RBAC /Role Mining
• Access Warehouses
• Access Request Management
• Access Analytics and Intelligence
• Access Risk Management
• Access Provisioning/ Connectors
• Access Certification
• Segregation of Duties
• PrivilegedAccount Management
• Accountingand Reporting
Identity and Access Governance (IAG)
What is it about?

Challenges of the New Digital Economy
• Moreapplications to onboardand
manage
• Outdated Request & Fulfillment
processes
• Limited visibility across Enterprise,
Mobile& Cloud applications
• Manual access certification processes
• Delays revoking unauthorized access
Enabling Users and Maintaining Access Controls

Requirements for the New Digital Economy
• BusinessFriendly Access Request &
Approval Interfaces
• Scalable& Flexible Access
Certification
• Automated Provisioning & Closed
Loop Remediation
• Managementof standard and
privilegeduser accounts
• Common Connector Framework
Unified Identity Governance

Unified Approach to Complete Identity Governance
Self Service
Access Request, Password
Management
Platform& Integration Layer
Compliance
Access Certification, SOD,
Continuous Compliance
Identity Intelligence
OperationalReporting,
Access Dashboards
Privileged Access
Privileged Access, Privileged
Audit, Session Recording
Common Data Model Role & Policy Library
Workflows and Service
Desk Integration
Access Catalog
IdentityConnectorFramework
CloudOn-Premise
Managed Cloud
Cloud MobileEnterprise

Identity Governance Platform
TranslatingBusiness Needs to Repeatable Processes
Business-Friendly
Request Catalog
Streamlined Business
Process for Approvals
Intelligent and Flexible
Certification
Scalable and Rapid
Fulfillment
Modular and Pluggable
Architecture
Privileged Access and Audit

Architecture

Conceptual View
Development Tools
Design ConsoleOracle JDeveloper
Oracle Database 11g (Enterprise Edition)
Oracle WebLogic Server
Access Request and
Catalog
CertificationEngine
Identity Self Service
Console
Web-based
applications
Identity System
AdministrationConsole
Enterprise Manager
Console for Diagnostics
WebLogic
AdministrationConsole
Target IT Apps
Oracle Public Cloud
REVOKE
GRANT
Identity
Connector
Framework
.
.
.
.
.
Provisioning
and
Reconciliation
Engine
LDAP ID Store
AD, Exchange, ERP
Connector1
Connector nRole Engine
SOD Engine
Common Services
Audit & Reports–
Embedded BIP
JMSQueue
Connector2
Diagnostics – Enterprise Manager
Rule
Engine
Authorization
Layer
Notification
Engine
WorkflowEngine –
SOA/BPELScheduler
Interfaces & UI
REST & SCIM/
Java API
Layer
UIComponent
ADF, ALTA
Public
Taskflows

• Self Contained,standalone, J2EE Compliant application
• Weblogicas J2EE container
• Interfaces and UI Components
– Exposes interfaces as REST/SCIM and Java API
– ADF is the UI Framework
– Webcenter Composer is the tool used for runtime UI customization
• Runtime Engines
– Access Request, Access Certification, SoD, Role LCM
– Provisioningand Reconciliation Engine
Components

Interfaces
Self-Service Interfaces
• IdentitySelf Service Console
Login page / AuthenticatedServices
Unauthenticated SelfService Console
• Administration Console
Administrative Interface
• System Administration Console
Enterprise Manager UIfor configuration and diagnostics
API Clients
•REST Services based on SCIM 2.0
IdentityAdministrationfeatures supported
SelfRegistration,Forgot Password,User,Role, Organization,
NotificationTemplates,System Properties and Password
PolicyManagement
Nativesupport forCORSand JSONP
•JAVAAPI
Supports All Operations
Developer Tools
• Design Console
• JDeveloper
Oracle Identity
Manager
Interfaces

User Interface
• Cleaner UI with a Cloud look and
feel, with faster performance
• End-users get easy access to
businessfunctions without
requiring customization
• REST interfaces for custom UI that
can be integrated with external
Portals and OIM UI
Continued UI Simplification

• IdentityConnector Framework
– Declares API and SPI (Generic for all Targets), Building custom connector is very easy
– INDEPENDENT – No Dependency On Server/Works in Isolation
– Rich set of out of the box connectors
• Common Services
– Authorization Engine for security definition and enforcement point
– Quartz for schedule task management
– BIPublisher as Embedded Reporting Engine
– Common rule engine
– JMS infrastructure for async inter-process communication
Components

Authorization/Security
• Administrators can define custom
security roles to control who can
do what at an attribute level
• Users can be assigned security
roles via rules reducing
administration burden
• User actions and the context that
they used to perform the action
are audited
Simplified yet granular security

• WorkflowOrchestration and Notification via SOA Engine
– OracleIdentity Manager connects to the SOA managed servers over RMI to invoke the SOA EJBs.
– SOA calls back OIM via callback service deployed in OIM using OIMFrontEndURL
– SOA infrastructure is optional
• Customers with no Governance (IDA, Role LCM, Certification, Approvals) requirements can
disable SOA
• Reporting via BI Publisher as Embedded Reporting Engine
– Eliminates the need for separate BI Infrastructure
– BIis configured against OIM DB to fetch Audit Data
• Diagnostics via Enterprise Manager
– Monitoring, Helathcheck and Dashboard
– Configurations and Diagnostics
Component

• LDAP as persistent Identity Store
– LDAP Sync for data synchronization between OIM DB and LDAP
– Embedded LibOVD for H/A
• DB as Transactional and Metadata Repository
– OIM, SOA Schema for Transaction DB
– MDS Schema for storing configurations
Components

Identity Administration

Identity Administration
• What is it?
– Managing enterprise users and policies from a central place
– Single data centre for users and to apply organization policies for all users at one
place
• Benefits
– Manageability,single security check and Centralized data
– Secure Single ware house for users, managing and controllingusers access.

Business Challenges
• Excel sheets to users records
• Multiple Repository/Sets
• Each organization/application having
own set of users data
– Difficult to search and synch user
– Redundant users
– Inconsistent and Stale data
– InconsistentPolicies
– No single place to get correct and all
information about user

End User Challenges
• Forgot passwords
• Unlock Account
• Remember multiple passwords
• Helpdesk calls/Productivity loss
• Poor end user experience

Identity Administration – Oracle Solution
• Self Service
– Self Registration, Self profile management
– Self Password management – Reset/Forgot Password, Challenge Questions
• User Management
– User Life Cycle Mgt, Delegated Administration, Proxy User
– Configurable policies for UserName and Password generation
• Password Policy
– Global
– Organization Scoped
• Support for REST, SPML and Remote APIs
• Orchestration engine for extensibility – Plug-in and Event Handlers

Users
User Entity User Life Cycle

Organizations
Ex Corp.
Engineering HR Marketing
QA
Development ResourceHome Org
Dynamic Org
Rule BasedHome Org

Roles
• Granted
• Organization Scoped
• Controlsadministration
activities in OIM
• Used for Inter
Process/InterModule
communication
• Default User, System
Administrator, OIM
Internal, SPML etc
• Created via Role
Administrator
– Workflow driven
• Requestable, Rule Based,
Granted
• Hierarchical
• Controlsaccess to target
– what you can do in the
target
• Auditable
• Certifiable
• Created via Administrator
• Granted, Rule Based
• Controlswhat you can do
in OIM e.g. create,
update,request, approve
etc on different entities
– Group of OIM Capabilities
• Auditable
Default Roles BusinessRoles Admin Roles

Entity Relationship
Arole is published to an
organization.
Manyto Many
The user is assigned
to an organization.
One to Many
•Auser canrequest a Role which
is published in his home orgor
dynamic org.
The user is assigned
toa role via Request orRole
Membership Rule.
One to Many
•Auser inherits the role’s access
rights via Access Policy.(RBAC)

Access Provisioning

Access Provisioning
• What is it?
– Managing users life cycle in multiple systems via automated provisioning from
central provisioningengine
 Create, Update, Promotion,Transfer, Entitlement Grant/Revoke, Password
Change/Reset, Unlock, Disable, Rehire, Delete
– Enable user’s access in enterprise systems via role based access control
• Benefits
– Automation provisioning- More agility,
– Less human intervention - Better data quality,
– Reduce risk by immediate access termination, manage access via RBAC

Configuringthe Connector
Technology
Access Provisioning - Architecture
Access Policies

Access Provisioning
• Provisioning Engine
– Provideframework/data model for modeling target applications in OIM
– Run time environmentfor provisioningoperations
• Access policies – Define Role Based Access Control
– Defines access against business roles
• A business role “Sales Manager” will grant you access to EBS responsibility “Sales Manager Role”
and Active Directory group “Internet Access”.
– Asynchronous evaluation via schedule job
– Supports “Retrofit” accesses
• Accesses are automatically revoked when user is no longer part of the role
– Supports harvesting after initial data load
Components

Access Provisioning
• Identity Connectors
– Provideslast mile integration
– Containsbinaries – code and metadata – provisioning artifacts
– Invokedby both provisioningand recon engine to push and pull data into/from target
systems
– Uses Identity Connector framework – API, SPI model
• Connector implements ICF SPI and target API
• Connector client implements API (Already implemented generically in OIM, transparent to
customers)
– Out of the box connectors to all major targets
Components

Access Provisioning
• Reconciliation
– Providesruntime environmentto initiate pull and process changes from target systems
• Data is pulled by connector. Reconciliation engine process that data.
– Eventbased – each change in the target is convertedinto an OIM event
– Asynchronousevents processing
• Disconnected Application Framework
– UI based application configuration
– Uses SOA Workflow for assigning and tracking fulfillment
– Uses flat file connectorfor data loading
Components

• Application Instance – An entity representing an actual target server
instance. Abstraction of ITResource and Resource.
• Entitlement – First class entity representing privilege in target system.
• Admin Roles – OOTB roles having permissions for specific operations on
entities.
– Viewer – User who has this role ,when requests entity goes through via request &
approval
– Administrator – To manage (CRUD) entity via sys admin console.
– Authorizer – direct operation without request & approval.
Provisioning Engine
Artifacts

Provisioning Flow
• How to provision a resource to a user through criteria (auto-
membership rules and access policies):
Administrator Role Access
policy
ApproverAuto
membership
rule
Approval
processEnd user Resource
Policy based access grant

Provisioning Flow : Request
• How to provision a resource to a user by a request:
Request
Administrator Approval
process
End user
Approver
Resource
Request based access grant

Disconnected Application Framework
Any system for which OOTB connector not available e.g. Laptop,
Cellphone, Badge, Any custom application. And yes, no Design console
needed for Disconnected Application Instance & Entitlements.

Identity Connectors
• Connectors are packaged solutions that are used to integrate with target
applications for the purposes of managing identities in those applications.
• A connector can be predefined by Oracle for particular target systems or
can be custom developed.
• Predefined connector is designed specifically for the target application, it
offers the quickest integration method.
• Connectors use integration technologies recommended by target and are
preconfigured with application specific attributes.

Connectors
• Supported Frameworks
– IdentityConnector Framework (ICF)
– Adapter Factory
– Generic Technology
• Components of Connector
– Multiple connector-specificOracle Identity Manager entities such as resource objects,
data forms, provisioning workflows, and adapters
– Target-specificJava/.Net libraries that provide the underlying functions such as
connectivity,authenticationand user account management
– Eventtriggers that wire provisioning operations to both identity profile changes and
policyoperations

Connectors
• Common Connectors for all
Governance needs
• Supports multiple target versions
and multiple instances of a target
simultaneously
• Flexibledeployment options –
local and remote deployment
• Extensible– Administrators can
extend the capabilities without coding
• Connector for Web Services
Identity
Connector
Framework
Access
Request
Access
Certification
Privileged
Access
Identity
Connectors
Cloud Applications
EnterpriseApplications
Directories
Databases
Custom Applications
and Mainframes
P
R
O
V
I
S
I
O
N
I
N
G
E
N
G
I
N
E
SOD
Evaluation

Out of the Box Connectors
• ERPs: EBS, PeopleSoft,JD Edwards, SAP, Siebel
• CollaborationSuites: MS Exchange, Lotus Domino and Novell GroupWise
• Microsoft Family : AD User Mgt, AD Password Sync, Windows Local A/C Mgt
• Technology Connectors: LDAPv3 Directories, Databases,UNIX/SSH,
Webservice, SPML, Flat File
• Mainframes : RACF, TopSecret, ACF2, AS400
• Security Products : RSA Authentication Manager, RSA Clear Trust
• CloudConnectors : GoogleApps, CRM On Demand
• Ticket Management System: BMC Remedy
• Externally Managed Connectors : Primavera, OFSS/iFlex, Hyperion

Reconciliation: Overview
• The process of querying and reviewing data from
integrated systems, capture deltas, and taking action
Oracle IdentityManager
Server
Connector
Oracle IdentityManager database
Capture Deltas
(new, changed,anddeleteddata)
Take Action
Integrated
system
Supported Entities
•User
•Account
•Organization
•Role
•Role hierarchy
•Role membership

Reconciliation Approaches and Modes
– The reconciliation approaches include:
• Full reconciliation
• Incremental reconciliation
• Limited Recon
• Batch Recon
• Future Dated Recon
• Delete Recon
– The reconciliation modes (depending on connectorimplementation)can be:
• Push, initiated by the connector and reconciliation API calls
• Pull, initiated by using scheduled tasks
Note: The Scheduled tasks should be named to indicate the type of reconciliation and if it is
trusted or target based.

Reconciliation Profile Modes
• Choice of reconciliation profile modes are:
– Changelog (the default) mode: Reconciles only changed attributes of a resource
object that a connector knows about
– Regular mode: Reconciles all attributes as a snapshot replacing an existing
resource object’s details, when a connectorcannot determine the attributes to
be reconciled
Regular Changelog
Must pass full set of mapped attributes Must pass a subset of mapped attributes that are
required by the specific profile and used by matching a
rule
Better batch processing performance Inefficient batch processing performance
Creates and updates all fields Creates and updates only specified fields, and all other
fields remain unchanged

Types of Reconciliation
The reconciliation types that are supported by Oracle Identity Manager are:
• Authoritative (or trusted source) reconciliation: For driving creation of users,
roles, role memberships, groups, and organizations in Oracle Identity Manager
• Account (or target source) reconciliation: For managing creation, update, or
revocationof resources provisionedto a user in Oracle Identity Manager
Trusted source
(e.g. Microsoft Active
Directory) Target
resource
OracleIdentity
ManagerRole
User
Trusted source
reconciliation
Account
reconciliation
Provisioning

Reconciliation Scheduled Task
• Scheduled tasks:
– Are used to initiate reconciliation with a trusted source or target resource
– Can be scheduled to execute periodically, on a particular date and time, or on
demand
– Can be created as a plug-in or imported from an XML file
– Are often created when installing a connector
Scheduled task Scheduled TaskXMLImplementationclass
(SearchReconTask)
Connector
SearchOp export or
import

Role Life Cycle Management

Role Life Cycle Management
• What is it?
– Roles provide a powerful abstraction layer to help scale Identity Management
infrastructure by providing access rights grouping mechanism
– Containssystem and privileges
– Makes assignments based on job function
– Providesmechanism for detecting violations
• Benefits
– Providean understandable model for access
– Providean efficient definition of process and policies
– Reduce auditing efforts
– Providea common language between business and information technology
– Providesconsistent,known controls for defining access
– Facilitate access requests more easily

Oracle Solution
Control and provide information for activities related to the role life cycle, such as:
• Create roles.
• Modify role attributes.
• Modify role members.
• Delete roles.
You apply role lifecycle management by:
• Requiring approvals for any role lifecycle activity.
• Providingsupporting information about the role for administrators:
• Analytical information about a management operation user is about to perform or approve.
• Historical information for the role, simplifying auditing.

Comprehensive Role Lifecycle Management
• Business users can request creation
of new roles and changes to
existingones
• Role requests can leverage the
same request and approval
framework available for Access
Requests and Certification
• Role owners can see
comprehensiveauditing

• Comprehensiverole analytics allows
businessusers to see the impact of
new roles and changes to existing
ones
• Role owners can reduce role explosion
by review the effectiveness of the
roles and consolidatenew roles with
existingones
• Business users can create roles using
“model users”
Role Analytics

Access Request Management

Access Request Management
• What is it?
– Allowing users and administrators to request additional access for self and others
– Build a single repository of all accesses in enterprise
– Define approval workflow to control and audit access
• Benefits
– Reduce cost to organization via self service
– Faster adoption through shopping cart paradigm and business friendly glossary
– Policy Enforcement via approval workflow
– Improved Compliance via audit of who requested and who approved

Access Request Sans IAM
• Excel sheets to request and record
request
• Difficultrequest tracking
• Approvers have insufficient
context of user access needs
• Pass request to Application
Administration
• Manual provision
• Manual follow ups and escalations
• No audit, error prone
Manual Process
Challenges

Oracle Solution
• Access Weyerhaeuse/Request Catalog
– Consolidateall entities into a single weyerhouse called catalog
– Connectors/FlatFile based data loading
– Enrich entities with additional glossary
– Define hierarchical entitlements
– Define authorization/security – who can request what?
– Define tags and additional search controls
– Provideshopping cart experience
• SOA Based Approval Workflow
– Define business processes/approvalworkflows
– Define escalations/notifications

Access Catalog/Weyerhause
– Use connector framework to harvest the entitlements and populate catalog
– Enrich entities with additional glossary
– Shoppingcard paradigm
– User can search for the items and make request for himself and for others.

Access Catalog – Key Features
• ExtensibleCatalog schema that allows administrators to add additional
attributes and specify how the attribute is rendered using a simple browser-
based UI.
• Automated harvesting of roles, applications, and entitlements
• Automated loading of Catalog metadata using a CSV file
• Powerful search using keywords with support for complex search operators
• Flexible categorization model that allows the Catalog to be organized based
on customer choice
• Catalog search results secured based on viewer privileges of the requester
• Catalog item data available via a web service for use in workflows

ShoppingCart Paradigm
• Business-friendly Access Catalog
• Search, Browse And Contextual
Recommendations
• In-line Policy Checks To Prevent
SOD Violations
• FlexibleForms For Advanced Data
Capture
• End-to-endVisibility Into The
Approval And Fulfillment Process
Enabling end-users to get the access they need

SOA Based Approval Workflow
• BPEL Service for human
workflows
• Jdeveloperto design
workflow
• Rule based routing
• SOA Composer for editing
businessrule at run time via
browser
• Supports for all actions –
Approve, Reject, Escalate,
Notify, Reminder, Forward
etc.
• Supports serial, parallel and
complexworkflows

Streamlined Business Process for Approvals
• Using Oracle SOA, BPEL Compliant
Workflows
• View and take action on approval
tasksvia email, mobile (browser)
and self-service UI
• Track your request
• Add comments and attachments
• See current and future approvers
• Prioritize and organize tasks
Fully supporting and adapting to Customers Business Process

Access Certification

Access Certification
• What is it?
– Processof evaluation user’s accesses periodically
 Who has access to what?
 Ensuresthat users do not have unauthorized privileges
 Review contextual information about method of access grant
 Evaluate risk and take actions
• Benefits
– Reduce risk to organization by ensuring the just the right access
– Address Complaisance objectives – SOX, HIPPA, RBI, EUS

Access Certification Sans IAM
Results in
• High Cost
• High Risk
• Low Compliance
•Manual – Laborious and Error prone
•Get data from App owners and HR
•Manually correlate, apply Policy
related data
•Create excel sheets with data and
send to respective certifiers
•Manual follow ups and escalations
•Manual remediation's and verification
•No visibility into Risk and Provisioning
Context

Oracle Solution
• Configurable risk definition and scheduled task based periodic risk aggregation
• Four Types of Identity Certification (User, Role, App Instance,Entitlement).
• Certifications can be scheduled, monitored, delegated, audited.
• Supports both online and offline user certification.
• Multi Phased Review can be enabled
• Closed-loop remediation can be initiated. Can be challenged, tracked till closure.
• Generate user certifications or application instance certifications based on event.
• Generate certification reports.

Risk
Summary
User
Risk
Summary
Account
Risk
Summary
User-RoleAssignment
Risk
Summary
Entitlement
Assignment
Risk
Summary
LastCertification
Action
Provisioning/
Assignment
Scenario
Item
Risk= MAX of
Risk Factors
Risk Aggregation

Certification Type
Type of
Certification
Paradigm Actor (Reviewer) Line-Items Details
User Certification User-centric Line-of-Business
manager
(Business-oriented)
Users Role-assignments,accounts and
entitlement-assignments foreach
user.
Role Certification Privilege-centric Role-owner
(Technical)
Roles Two types of detail:
• Assignments of eachrole to
users (AKA membership of each
role).
• Access-policies associatedwith
eachrole.
App-Instance
Certification
Privilege-centric Application-owner
(Technical)
Application-
instances
Accounts (AKAassignments of)each
application-instance.
Entitlement
Certification
Privilege-centric Entitlement-owner
(Technical)
Entitlement-
definitions
Assignments of eachentitlement.

• Leverage Analytics To Expedite
And Highlight High Risk
• HighlightProvisioning Context
To Make Informed Decisions
• Time Or Event Based
Certification Campaigns
• Closed Loop Remediation With
No Delay
• Offline Mode To Complete
Certifications Wherever And
Whenever
Closed Loop
Remediation
Offline Mode Time or Event
Based Campaigns
Intelligent and Flexible Certifications
Designed for the Business User

Tasks
Final
Review
Phase 2
Phases
One
Phase
Two
Phase
Certification
Definition
Schedule
Job
Certifications
Inbox
Inbox
Tasks
Tasks
Inbox
Dashboard
Cert Admin
Primary
reviewers
Technical reviewer
– Collaborative
certification process
– Business and technical
review
– Three phases:
• Business review (required)
• Technical review (optional)
• Final review (optional)
– Delegation
• Lineitems can be delegated to
distribute certification workload.
Multi Phase Certification – Business , IT Collaboration

Triggering Certification with Event Listeners
– Eventlisteners detect user modification events (individual or bulk modification).
– Eventsare evaluated by a ruleset.
– Matchingevent details (Certification Event Triggers) are stored in the database.
– The Certification Trigger Job scheduled job periodically:
• Retrieves certification event triggers
• Creates user and application instance certifications
Event Listener
Ruleset
Usermodification Ruleset match Event details stored in
DB
Certification Trigger
Job
UserCertifications
Real Time Certification

Offline Certification – Excel Integration
Work while you are offline
• Download certification data to local computer and work on it by using
Microsoft Excel without having an active session.
• Functionality currently available only for User Certification.
• Use Download to Editable Excel option available in the Actions menu in
the certification detail and Open with Microsoft Office Excel
• Certification tab in the downloaded excel will have the certification task
details.
• Make your decisions and Save to Server

Certification Oversight
Business
reviewer
Begin
Complete
Reviewer
has a
manager?
Manager
oversees
certification
Certification
Oversight
– The activity of reviewing,
the decisions of the
reviewer within the
scopeof a particular
primary-review task.
– Supports rule based customization

Closed-Loop Remediation Workflow
– Automaticallyremoves roles and entitlements based on the certification process
– Occurs when certification is complete
– Remediation status is tracked in request catalog

Certification – Dashboards
Monitor Progress
• Provides an overview of in-progress and completed certifications
• Certifications displayed are restricted using user roles
– Only primary reviewers and certification admins can view Dashboard.
– Certification tasks can view only be viewed from Inbox for other users (phase 2
reviewers or delegates).

Certification – Reports
• Users BI Publisher for reports generation
• Certification reports can be saved in PDF, RTF, HTML, Microsoft Excel & CSV
• An in-progress certification task can also be exported in PDF or Excel from Inbox is
equivalent to Complete Certification Report
• OOTB Reports available for User, Role, Application Instance, Entitlement type
• Reports available for accesses which are Certified/Revoked/Abstained/Certified
conditionally,Complete Certification Report, Complete Certification Task Report for
all entities.

Identity Audit / Segregation of Duties

Identity Audit / Segregation of Duties
• What is it?
– A control process designed to prevent error and fraud by ensuring that at least two
individualsare responsible for the separate parts of any task
– IdentityAudit (IDA) is used to:
 Detectcombinationsof privileges held by users or roles thatcan lead to access violations
 Determine policy violations and their causes
 Detectand act upon Segregationof Duties (SoD) violations
• Benefits
– Prevent/detect fraud and risk
– To provide assurance that transactions/process are Valid and incompliance with
rules and regulations
Access Review
JDOE Accounts Payable
JDOE Accounts Receivable

Oracle Solution
SOD Detection and Closed Loop Remediation
• SOD Rule and Policy Definition
• Define rules across users,applications,roles and
entitlements
• DetectiveSOD Analysis
• DetectivePolicy Enforcement – Closed Loop
Remediation
• AccessHistory to audit all violations and
decisions
• Review High Risk policy violations in
Certifications
• PreventativeSOD Analysis
• EnforceSOD policies during access requests
• Review policy violations during approvals and
launchexception workflows

Detective IDA:
Running and Viewing Scan Definitions
1
2

Detective IDA: Remediate Violations
1
2

Preventative IDA: During request

Preventative IDA: During approval

IDA and Role Analytics

IDA during Certification review

Different types of reports capturing different
stages of policy violations
If user would like to filter based on Remediator ,
policy, user, manager etc
User can select different types of formats like
PDF, HTML or Excel
User can email the report to a specific email id
IDA Reports

Audit and Reporting

Audit and Reporting
Oracle
Identity
Manager
Database
Metadata
Audit/Compliance
BI Publisher
– EmbeddedBIP, No separate BIP infrastructure required
– New Lightweight Audit Engine
– Supports new entities and processes

Access Policy Reports
 Access Policy Details
 Access Policy List by Role
Attestation, Request, and Approval Reports
 Approval Activity
 Attestation Process List
 Attestation Request Details
 Attestation Requests by Process
 Attestation Requests by Reviewer
 Request Details
 Request Summary
 Task Assignment History
Role and Organization Reports
 Role Membership History
 Role Membership Profile
 Role Membership
 Organization Details
 User Membership History
 Account Activity In Resource
 Delegated Admins and Permissions by Resource
 Delegated Admins by Resource
 Entitlement Access List
Password Reports
 Password Expiration Summary
 Password Reset Summary
 Resource Password Expiration
Resource and Entitlement Reports
 Entitlement Access List History
 Financially Significant Resource Details
 Resource Access List History
 Resource Access List
 Resource Account Summary
 Resource Activity Summary
 User Resource Access History
 User Resource Access
 User Resource Entitlement
 User Resource Entitlement History
User Reports
 User Profile History
 User Summary
 Users Deleted
 Users Disabled
 Users Unlocked
Certification Reports
Exception Reports
 Fine Grained Entitlement Exceptions By Resource
 Orphaned Account Summary
 Rogue Accounts By Resource
OOB Reports – High Level Category

Reports and Dashboards
• Actionable dashboards for risk
analysis and compliance
• 80+ OOTB reports providing a 360
deg.
viewof users’ access
• Flexibledeployment options,
including
ability to schedule report runs
• Publiclyavailable schema

Oracle Identity Governance Technical Overview - 11gR2PS3

Oracle Identity Governance Technical Overview - 11gR2PS3

More Related Content

What's hot

Viewers also liked

Similar to Oracle Identity Governance Technical Overview - 11gR2PS3

Recently uploaded

Oracle Identity Governance Technical Overview - 11gR2PS3