Friday, April 25, 2014

OIM Concepts

What is Oracle Identity Manager (OIM)?
A system that manages the life cycle of identities. An example of an identity life cycle is an employee who joins an organization and later leaves it: every account the employee holds should be created on the way in and revoked on the way out.


Conventional Model
This is the model in which no identity manager is involved, and several problems arise from it. The diagram given below describes the process of hiring a new employee; removing an employee is expected to work the same way, with each step again done by hand.




#1. A new employee is hired. The HR department enters the employee's information into the Human Resource Management System (HRMS), which records that the employee is active and cleared to work for the organization.

#2. HR notifies the manager by email that the new employee is ready to start.

#3. The manager then requests the target accounts the new employee needs. These can be accounts on applications, operating systems, directories, etc. (e.g. Google Apps, PeopleSoft, Active Directory). The manager emails the administrator in charge of each target system and asks them to create the account.

#4. The administrators of each target system (e.g. the Google Apps admins, the PeopleSoft admins and the Active Directory admins) create the accounts manually. Creating an account on a target system can itself involve a chain of hand-offs (e.g. Google Admin 1 asks Google Admin 2 to enable specific privileges; Google Admin 2 is on vacation, so the task is delegated to a temporary Google admin; and so on).

Problems With the Conventional Model
- Too many of the tasks are done manually.
- The employee's data is spread across many systems, and there is no central place to look it up.
- There is no tracking of a given task (e.g. has a Google account been created for the new employee? If not, how far along is it and why is it delayed?).
- Orphan and rogue accounts are a security risk (e.g. an employee has been fired but one of the employee's accounts has not been revoked, so that account remains usable and nothing in this model will notice).

In the next section, you will see how including OIM can resolve many problems faced in the conventional model.


OIM Model
Before describing the OIM model, it is important to understand how an identity is represented in OIM.


An OIM identity consists of user defined fields (UDFs), which are attributes that describe the identity, and accounts, each of which grants access to a specific application. The accounts have attributes of their own, and their data typically comes from external sources (the HRMS for the identity's UDFs, the target systems for the accounts).


The diagram given below shows how OIM manages identities, using the same process of hiring a new employee.




#1. A new employee is hired and the employee's information is entered into the HRMS.

#2. OIM reads the new employee's information from the HRMS and uses it to create the identity in its own store. This process is known as Trusted User Reconciliation, and it can be scheduled to run at any interval. (Side note: Trusted User Reconciliation also handles updates. If an existing employee changes their address, OIM picks up the change from the HRMS and updates the identity with the new value. Trusted User Reconciliation maps HRMS attributes to the user defined fields of the OIM identity. OIM connectors allow the HRMS, as well as the other target systems, to be integrated with OIM.)

#3. After the identity has been created, OIM kicks off further events to process the new identity. Everything in OIM is event driven, and many events are automated. (Side note: this involves configuring OIM components and, where needed, writing custom code.)

#4. OIM communicates with the target systems to create the accounts for the new employee. (Side note: OIM ships with predefined connectors that integrate the target systems with OIM. Through these connectors OIM performs the target system operations itself, such as creating, updating and revoking accounts, so no administrator has to do them by hand.)
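The hiring flow in steps 1 to 4, modelled as an added example (illustrative Python written for this page, not OIM's own Java API and not code from the original post). It assumes an HRMS extract with the columns shown, a mapping from those columns to invented UDF names such as USR_EMP_NO, and two assumed access policies. Trusted reconciliation creates or updates identities from the feed, and criteria-based provisioning then grants accounts according to the policies; a second feed run shows an address change being picked up and a department change triggering a new account.

```python
"""Model of the OIM joiner flow: trusted user reconciliation from an
authoritative HRMS feed, then criteria-based (access-policy) provisioning.
Constructed example; column names, UDF names and policies are assumptions."""

from dataclasses import dataclass, field

# HRMS column -> OIM user defined field (UDF). Names are assumed.
HRMS_TO_UDF = {
    "emp_id": "USR_EMP_NO",
    "first": "USR_FIRST_NAME",
    "last": "USR_LAST_NAME",
    "dept": "USR_DEPARTMENT",
    "address": "USR_ADDRESS",
    "status": "USR_STATUS",  # "Active" or "Terminated" in the feed
}

# Access policies: criteria over UDFs -> resources to provision. Assumed.
ACCESS_POLICIES = [
    {"name": "All staff", "criteria": {}, "resources": ["Active Directory", "Google Apps"]},
    {"name": "Finance", "criteria": {"USR_DEPARTMENT": "Finance"}, "resources": ["PeopleSoft"]},
]


@dataclass
class Identity:
    udfs: dict
    accounts: dict = field(default_factory=dict)  # resource -> account state


def trusted_reconcile(identities, hrms_rows):
    """Create or update identities from the authoritative source.

    Returns the events raised: ("create", emp_no) for a new identity and
    ("update", emp_no, changed_udfs) when an existing identity's data changed."""
    events = []
    for row in hrms_rows:
        udfs = {udf: row[col] for col, udf in HRMS_TO_UDF.items() if col in row}
        key = udfs["USR_EMP_NO"]
        if key not in identities:
            identities[key] = Identity(udfs)
            events.append(("create", key))
            continue
        changed = {k: v for k, v in udfs.items() if identities[key].udfs.get(k) != v}
        if changed:
            identities[key].udfs.update(changed)
            events.append(("update", key, tuple(sorted(changed))))
    return events


def matches(identity, criteria):
    """An empty criteria dict matches every identity."""
    return all(identity.udfs.get(k) == v for k, v in criteria.items())


def auto_provision(identity):
    """Evaluate the access policies and provision any missing accounts.
    A non-active identity is never provisioned, whatever the policies say."""
    provisioned = []
    if identity.udfs.get("USR_STATUS") != "Active":
        return provisioned
    for policy in ACCESS_POLICIES:
        if matches(identity, policy["criteria"]):
            for res in policy["resources"]:
                if res not in identity.accounts:
                    identity.accounts[res] = "Provisioned"
                    provisioned.append(res)
    return provisioned


def run_joiner_flow(identities, hrms_rows):
    """One scheduled run: reconcile the feed, then let each event drive provisioning."""
    events = trusted_reconcile(identities, hrms_rows)
    for ev in events:
        auto_provision(identities[ev[1]])
    return events


# Constructed HRMS extracts: two hires on day 1; on day 2 employee 1001 moves
# house and transfers to Finance, employee 1002 is unchanged.
DAY1 = [
    {"emp_id": "1001", "first": "Ada", "last": "Lovelace", "dept": "Engineering", "address": "1 Main St", "status": "Active"},
    {"emp_id": "1002", "first": "Bob", "last": "Ng", "dept": "Finance", "address": "2 Elm St", "status": "Active"},
]
DAY2 = [
    {"emp_id": "1001", "first": "Ada", "last": "Lovelace", "dept": "Finance", "address": "9 Oak Ave", "status": "Active"},
    {"emp_id": "1002", "first": "Bob", "last": "Ng", "dept": "Finance", "address": "2 Elm St", "status": "Active"},
]

if __name__ == "__main__":
    store = {}
    print(run_joiner_flow(store, DAY1))
    print({k: sorted(v.accounts) for k, v in store.items()})
    print(run_joiner_flow(store, DAY2))
    print(sorted(store["1001"].accounts))
```

The status check in auto_provision is the part worth copying: a policy engine that provisions regardless of the identity's HRMS status would re-create accounts for a terminated employee on the next run.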


OIM Advantages
- Centralized administration
- Easy to manage the identities and their associated accounts
- Flexible configurations to meet business requirements
- Automation of tasks
- Audits, logs, reports and request tracking (request handling involves SOA)
- Rogue / Expired / Orphan accounts elimination via security policies

Terminology

Connectors
Used to integrate target resource systems into OIM. This allows OIM to manage all the identities as well as their target accounts.

Trusted User Reconciliation
Creation/update of identities in OIM by reading from an authoritative source, e.g. users from the HRMS.

Target User Reconciliation (Account Reconciliation)
Reads account information from the target systems and synchronizes it into OIM. Linking target accounts to an identity also happens in this process; a target account that cannot be matched to any identity is exactly the orphan account the security policies are meant to eliminate.

Account Provisioning
Creation/update of target accounts for an OIM identity on the target resource. Provisioning can be direct (manual), automatic (driven by criteria on the identity's attributes) or request based.

Account Deprovisioning
Removal of target resource accounts from an OIM identity. OIM communicates with the target system to remove the account.
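Target reconciliation and deprovisioning together, as an added example (illustrative Python written for this page, not OIM code; the resource name, the employeeNumber matching attribute and the sample accounts are constructed). The Active Directory extract contains one account whose owner is active, one whose owner was terminated in the HRMS but whose account is still enabled, and one service account with no owner at all; reconciliation sorts them into linked, rogue and orphan, and deprovisioning then revokes the rogue one.

```python
"""Model of target (account) reconciliation and deprovisioning.
Constructed example; resource, attribute and account names are assumptions.
Accounts read from a target system are linked to identities by a matching
attribute. An account with no owner is an orphan; an account whose owner is
no longer active is rogue; deprovisioning revokes every account of a
non-active identity."""

from dataclasses import dataclass, field


@dataclass
class Identity:
    emp_no: str
    status: str                                   # "Active" or "Terminated"
    accounts: dict = field(default_factory=dict)  # resource -> login on it


def target_reconcile(identities, resource, target_accounts, match_attr="employeeNumber"):
    """Link accounts read from `resource` to identities via `match_attr`.

    Returns a report with three buckets: linked (owner active), orphan (no
    identity carries that attribute value) and rogue (owner not active, so
    the account should already have been revoked). Rogue accounts are still
    linked to their owner so that deprovisioning can revoke them."""
    by_emp_no = {ident.emp_no: ident for ident in identities.values()}
    report = {"linked": [], "orphan": [], "rogue": []}
    for acct in target_accounts:
        owner = by_emp_no.get(acct.get(match_attr))
        if owner is None:
            report["orphan"].append(acct["login"])
            continue
        owner.accounts[resource] = acct["login"]
        bucket = "linked" if owner.status == "Active" else "rogue"
        report[bucket].append(acct["login"])
    return report


def deprovision_inactive(identities):
    """Emit a revoke operation for every account held by a non-active identity
    and drop the account from the identity once it has been revoked."""
    ops = []
    for ident in identities.values():
        if ident.status == "Active":
            continue
        for resource, login in sorted(ident.accounts.items()):
            ops.append(("revoke", resource, login))
        ident.accounts.clear()
    return ops


# Constructed data: 1001 is active; 1002 was terminated in the HRMS, but the
# AD account for 1002 is still enabled; "svc-backup" is owned by nobody.
IDENTITIES = {
    "1001": Identity("1001", "Active", {"Google Apps": "ada@example.com"}),
    "1002": Identity("1002", "Terminated"),
}
AD_ACCOUNTS = [
    {"login": "alovelace", "employeeNumber": "1001", "enabled": True},
    {"login": "bng", "employeeNumber": "1002", "enabled": True},
    {"login": "svc-backup", "employeeNumber": None, "enabled": True},
]


def run_leaver_check(identities, ad_accounts):
    """One scheduled run: reconcile the AD extract, then revoke what leavers still hold."""
    report = target_reconcile(identities, "Active Directory", ad_accounts)
    ops = deprovision_inactive(identities)
    return report, ops


if __name__ == "__main__":
    report, ops = run_leaver_check(IDENTITIES, AD_ACCOUNTS)
    print(report)
    print(ops)
```

The orphan bucket is the one to review by hand: an account nobody in the authoritative source owns is either a service account that needs a documented owner or a leftover that should be disabled, and neither case can be resolved by the connector alone.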

Friday, April 4, 2014

Upgrading JRockit Version For WebLogic Server Instances

Description: This post will show you the necessary steps to replace an old version of JRockit with a newer one.