Thursday, December 31, 2015

OIM API: Manual Complete Provisioning Tasks

Tested On: Oracle Identity Manager 11.1.2.3.0
Description: Demonstrates how to set rejected provisioning tasks to "manual complete" status via the Oracle Identity Manager API. Provisioning tasks can also be marked as manually completed through the Identity Self Service page.

Identity Self Service Home Page
Provisioning Tasks
References:
https://docs.oracle.com/cd/E52734_01/oim/OMJAV/toc.htm

Monday, December 21, 2015

Customizing User Lifecycle Events

Tested On: Oracle Identity Manager 11.1.2.3
Description: Demonstrates how to customize user lifecycle events such as the enable, disable, lock, and unlock user operations in Oracle Identity Manager. A custom event handler has been implemented to execute process tasks on specified resources defined in a custom lookup.

Lookup.User.Lock.AppInstDisplayNameToProcessTasks
For example, the lookup given above is used on the user lock operation. Upon locking a user, the custom event handler reads from this lookup to execute the process tasks (Decode: comma-delimited list of process task names) for the corresponding application instance (Code Key: application instance display name).

Lock User: OpenLDAP and DBAT Locked
Badge Disabled
 
References:
http://docs.oracle.com/cd/E52734_01/oim/OMJAV/toc.htm
http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/system_props.htm#OMADM885
http://oraclestack.blogspot.com/2015/12/oim-custom-resource-account-status.html

Wednesday, December 16, 2015

Tuesday, December 15, 2015

User Preprocess Event Handler Template

Tested On: Oracle Identity Manager 11.1.2.3.0
Description: A sample template for creating user preprocess event handlers is given here. Both execute() methods, one for processing a single event and the other for processing bulk events, are implemented. The example given here is a preprocess event handler on the user lock operation. Also, a test driver is provided to perform a lock on a single user and on multiple users.
References: https://docs.oracle.com/cd/E52734_01/oim/OMDEV/oper.htm#OMDEV3085
https://docs.oracle.com/cd/E52734_01/oim/OMJAV/toc.htm

Friday, November 20, 2015

OIM API: Calling Process Task Instance On User Resource Account

Tested On: Oracle Identity Manager 11.1.2.3.0
Description: Demonstrates how to call a provisioning task on a user's resource account via the Oracle Identity Manager API. Below are screenshots showing how to manually add a process task instance call to a resource account via the Oracle Identity Manager Self Service user interface.

Click >> for more options -> Resource History



Click "Add Task" button

Select a Process Task -> Click "Add"

Confirm Add Task

Provisioning Task Executed

References: http://docs.oracle.com/cd/E52734_01/oim/OMJAV/toc.htm

Sunday, October 25, 2015

Configure Password Policy for Application Instances

Version: Oracle Identity Manager 11.1.2.3.0
Description: Demonstrates how to create a password policy and attach it to a specific resource object. The password policy is applied to application instances that use that resource object.
References:
https://docs.oracle.com/cd/E52734_01/oim/OMUSG/pwdpolicy.htm#OMUSG5481
http://docs.oracle.com/cd/E52734_01/oim/OMADM/appinstance.htm#OMADM4925

Saturday, October 24, 2015

Wednesday, September 30, 2015

Giving an OIM User System Administrator Privileges

Version: Oracle Identity Manager 11.1.2.3.0
Description: Demonstrates how to give an OIM user system administrator privileges.

Sunday, August 30, 2015

Custom Error Message for Validation Handler

Tested On: Oracle Identity Manager 11.1.2.3.0
Description: Demonstrates how to create custom error messages or use out of the box error messages in a validation event handler.


Saturday, August 29, 2015

Change Password Validation Event Handler: Adding Custom Password Requirements

Tested On: Oracle Identity Manager 11.1.2.3.0
Description: Demonstrates how to add custom password requirements which are not covered by out of the box Oracle Identity Manager password policy. Implementation is handled by creating a custom validation event handler on change password operations. The example given here validates that the new password does not contain the user's middle name and email.

Validation on First Login Password Change

Validation on Forgot Password

Validation on Admin Changing User Password

References: https://docs.oracle.com/cd/E52734_01/oim/OMDEV/oper.htm#OMDEV3085
http://docs.oracle.com/cd/E52734_01/oim/OMUSG/pwdpolicy.htm#OMUSG5478
http://docs.oracle.com/cd/E27559_01/apirefs.1112/e28159/oracle/iam/platform/Platform.html#getServiceForEventHandlers_java_lang_Class__java_lang_String__java_lang_String__java_lang_String__java_util_HashMap_

Thursday, August 27, 2015

OIM Connector: PeopleSoft Employee Reconciliation 11.1.1.5.0

Tested On: Oracle Identity Manager 11.1.2.3.0
Description: Demonstrates how to install and configure the PeopleSoft Employee Reconciliation connector. This connector only uses trusted reconciliation (OIM users are created based on data from an authoritative source such as PeopleSoft).
References: https://docs.oracle.com/cd/E22999_01/index.htm
https://docs.oracle.com/cd/E22999_01/doc.111/e25370/toc.htm

Monday, August 24, 2015

Oracle Identity Manager 11.1.2.3.0 Virtual Machine Template

Download Link: OIM 11g R2 PS3 VM Template
Operating System: Oracle Linux 6.5 (64-bit)
Oracle Database Version: 11.2.0.1.0
Java Version: 6U38
WebLogic Server: 10.3.6
Service-Oriented Architecture (SOA): 11.1.1.9.0
Identity and Access Management (IAM): 11.1.2.3.0

Use Password1 for all logins.

Tuesday, August 11, 2015

OIM Reconciliation Event Data Validation Example

Tested On: Oracle Identity Manager 11.1.2.0 and Oracle Internet Directory 11.1.1.6.0 OIM connector
Description: Demonstrates how to configure validation of data during reconciliation. Most OIM connectors have this feature (Refer to the connector's documentation for specific instructions). The example given here validates a specific phone number format. A reconciliation event will not be created in OIM if validation fails.
References: https://docs.oracle.com/cd/E22999_01/index.htm
https://docs.oracle.com/cd/E22999_01/doc.111/e28603/extnd_func.htm#BCGICJIB

Friday, August 7, 2015

OIM Reconciliation Event Data Transformation Example

Tested On: Oracle Identity Manager 11.1.2.0 and Oracle Internet Directory 11.1.1.6.0 OIM Connector
Description: Demonstrates how to manipulate reconciliation event data when running a user reconciliation scheduled job for most Identity Connector Framework (ICF) connectors (refer to the connector's documentation for specific instructions). The example given here uses the OID 11.1.1.6.0 connector (ODSEE/OUD/LDAPV3, Target System = OpenLDAP).
References: https://docs.oracle.com/cd/E22999_01/index.htm
https://docs.oracle.com/cd/E22999_01/doc.111/e28603/extnd_func.htm#BGBBBCGE

Wednesday, July 22, 2015

OIM: How to Allow Duplicate Emails

Version: 11.1.2.2.0 or later
Description: Shows how to allow duplicate emails in Oracle Identity Manager. By default, Oracle Identity Manager has a validation check on the out of the box E-mail user attribute to ensure the provided value is unique. Below is a validation error message when trying to use an email that is already taken by another user.


Reference: http://docs.oracle.com/cd/E52734_01/oim/OMADM/system_props.htm#OMADM884

Monday, June 29, 2015

Creating Cascaded Lookups on Application Instance Form

Tested On: Oracle Identity Manager 11.1.2.2.0
Description: Demonstrates how to create cascaded lookups on an application instance form. With cascaded lookups, an application instance form can have a lookup field dependent on another lookup field (E.g. When a particular State is selected, display the cities available only for that State). Below are screen shots.

State: California
State: Texas

References: http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/customattr.htm#OMADM5034

Wednesday, June 24, 2015

OIM API: Change Regular Account to be a Service Account

Tested On: OIM 11.1.2.2.0
Description: Demonstrates how to convert a regular resource account into a service account. The sample code will convert all resource accounts for a particular application instance into service accounts. The tcUserOperationsIntf API is used. When a regular resource account is converted into a service account, OIU.OIU_SERVICEACCOUNT is set to 1 and OIU.ACCOUNT_TYPE is set to serviceaccount.
References:
http://docs.oracle.com/cd/E40329_01/apirefs.1112/e28159/toc.htm
http://docs.oracle.com/cd/B31081_01/idmgr/b25940/appb.htm#CHDDGIAA

Tuesday, June 23, 2015

OIM Bulk Load Utility: Loading Accounts

Tested On: OIM 11.1.2.2.0
Description: Demonstrates how to use the Bulk Load Utility to load accounts into OIM. A disconnected resource with a child form is used as an example.
References:
http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/bulkload.htm#OMDEV1742

Monday, June 15, 2015

Event Handler Example: Application Instance

Tested On: Oracle Identity Manager 11.1.2.2.0
Description: Given here is a custom preprocess event handler set to trigger on the provisioning of a specific application instance. On the initial provisioning of an application instance, the event handler will populate the resource parent form using data from the target OIM user similar to how prepopulate adapters function. Also, this example shows populating a resource child form. You can download the plugin zip file here.

Monday, May 25, 2015

OIM API: Provisioning Resource Account to User

Tested On: Oracle Identity Manager 11.1.2.2.0
Description: A utility to provision a resource account to an OIM User. The parent data and the child data can be provided to populate the process forms associated with the application instance.

Results of executing code
Reference: http://docs.oracle.com/cd/E40329_01/apirefs.1112/e28159/toc.htm

Wednesday, April 1, 2015

Determine Execution Order of OIM Event Handlers

Version: Oracle Identity Manager 11.1.2.2.0
Description: Shows how to check the execution order of out of the box and custom event handlers for a given entity type and operation. An MBean is invoked from Oracle Enterprise Manager to list existing event handlers and their order.
Reference: http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/oper.htm#OMDEV5147

Monday, March 30, 2015

OIM API: Entitlements

Tested On: Oracle Identity Manager 11.1.2.2.0
Description: Given here is code that uses the OIM Java API to grant, revoke, and update entitlements on a user. Entitlement data is stored in the child process form of a resource. In the test driver, a disconnected resource with multiple columns in the child table (entitlement with attributes) is used as an example.

Child Form with "Type" form field as the Entitlement attribute.

Lookup Definition for Entitlement attribute "Type".

User Entitlements View
User Resource Account View Includes:
Parent data in the Details section
Child data in Laptop_UD_LPTYPE table

Here are some useful OIM tables related to entitlements to look at:
ENT_LIST = List of entitlements
ENT_ASSIGN = Entitlement instances assigned to users
UD_* = Resource account data: look at the child UD table

References: Java API Reference for Oracle Identity Manager 11.1.2.2
http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/appinstance.htm#OMADM4680

Saturday, March 21, 2015

OIM Event Handler: Implement Execute for Bulk Orchestration

Version: 11.1.2.2.0
Description: An example of implementing execute() for bulk orchestration in an event handler is given here. The example plug-in can be downloaded here. The example event handler recalculates the department number user attribute whenever the user type or manager user attribute is changed for the target user(s). A test driver is given to perform modifications on multiple users in a single API call.
References: 
http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/oper.htm#OMDEV4741
http://docs.oracle.com/cd/E40329_01/apirefs.1112/e28159/toc.htm

Friday, March 13, 2015

OIM API: Create Reconciliation Event

Version: Oracle Identity Manager 11.1.2.2.0
Description: Shows how to use the Oracle Identity Manager API to create reconciliation events. Below are screen shots of the end results of running the sample code given in this post on DBAT 11.1.1.5.0 connector.

Reconciliation Event Created by OIM API
Reconciliation Data
Resource History of Reconciled Account
Reconciliation Field Names to use in API
Reference: http://docs.oracle.com/cd/E40329_01/apirefs.1112/e28159/toc.htm

Sunday, February 15, 2015

OIM UI: Making Field Required

Version: Oracle Identity Manager 11.1.2.2.0
Description: This post shows how to make a UI field on a resource process form required.
Reference: http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/uicust.htm#OMDEV2742

Saturday, February 14, 2015

Working with OIM Prepopulate Adapters

Version: Oracle Identity Manager 11g R2
Description: Prepopulate adapters are used to populate the fields on a resource form in Oracle Identity Manager. With the resource form fields populated by prepopulate adapters, provisioning a resource account to a user no longer requires someone to manually enter values for those fields. In Oracle Identity Manager, prepopulate adapters are triggered on the initial assignment of the resource account to a user.
References: http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/creadp.htm#OMDEV2693

Tuesday, February 10, 2015

Using UploadJars.sh and UpdateJars.sh in Silent Mode

Description: This post shows how to use the out of the box Oracle Identity Manager JAR utilities (UploadJars.sh and UpdateJars.sh) in silent mode, which allows you to supply all the arguments in a single command rather than entering each input individually at its prompt.
Reference: http://docs.oracle.com/cd/E21764_01/doc.1111/e14309/uploadutil.htm#OMDEV3205

Monday, February 9, 2015

JAR Utilities using OIM API

Description: The Oracle Identity Manager APIs contain utilities to upload, update, delete, and download JAR files. The entire project can be downloaded here.
Reference: https://docs.oracle.com/cd/E37472_01/apirefs.1112/e28159/toc.htm

Sunday, January 18, 2015

Conditional Event Handler Example

Tested On: Oracle Identity Manager 11.1.2.2.0.
Description: This post demonstrates how to develop a conditional event handler in Oracle Identity Manager. To make an event handler conditional, your class must implement ConditionalEventHandler, with your conditions written in the isApplicable method.

In this example, the postprocess event handler is triggered on the creation of employee users. The postprocess event handler populates the Employee Number field with the user's key (USR_KEY). The complete event handler plugin can be downloaded here.

Validation and preprocess event handlers can also be conditional. You can inspect the ORCHEVENTS table in the OIM schema to see the sequence in which event handlers are triggered over an entire process. If the conditions are met in the conditional event handler, you should see a record inserted in the ORCHEVENTS table for that event handler.
References: http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/oper.htm#OMDEV3085

Thursday, January 15, 2015

Generate Requests using OIM API

Version: Oracle Identity Manager 11.1.2.2.0
Description: Demonstrates how to use the Oracle Identity Manager API to generate a request. Given here is example code that makes a request to provision an entitlement to a user, makes a request to modify attributes on a user profile, or makes a request to disable a user. The entire project can be found here.

Request generated by API. This request needs to be approved before the changes are applied to modify the user.