Monday, December 21, 2015

Customizing User Lifecycle Events

Tested On: Oracle Identity Manager 11.1.2.3
Description: Demonstrates how to customize user lifecycle events such as the enable, disable, lock, and unlock user operations in Oracle Identity Manager. A custom event handler executes process tasks on the resources listed in a custom lookup, so the reaction of each resource to a lifecycle event is driven by configuration rather than hard-coded in the handler.

Lookup.User.Lock.AppInstDisplayNameToProcessTasks
For example, the lookup given above is consulted on the user lock operation. When a user is locked, the custom event handler reads this lookup and, for each application instance it lists (Code Key: application instance display name) on which the user has an account, executes the named process tasks (Decode: comma-delimited list of process task names) against that account.

(Screenshot: Lock User, with the OpenLDAP and DBAT accounts locked)
(Screenshot: Badge resource disabled)
 
References:
http://docs.oracle.com/cd/E52734_01/oim/OMJAV/toc.htm
http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/system_props.htm#OMADM885
http://oraclestack.blogspot.com/2015/12/oim-custom-resource-account-status.html

Things to Consider:

* The following lookup definitions may need to be created in OIM, one per operation: "Lookup.User.Lock.AppInstDisplayNameToProcessTasks", "Lookup.User.Unlock.AppInstDisplayNameToProcessTasks", "Lookup.User.Enable.AppInstDisplayNameToProcessTasks", "Lookup.User.Disable.AppInstDisplayNameToProcessTasks". If the lookup for an operation does not exist when that operation runs, the event handler logs a warning and lets the orchestration continue, so a missing lookup never blocks the lock, unlock, enable, or disable itself.

* In the custom lookups, the Code Key is the application instance display name and the Decode is a comma-delimited list of process task names:

Code Key = Application Instance Display Name
Decode = Process Task Names, Comma Delimited

* This event handler can also be used to choose which resources get enabled on the user enable operation. By default, OIM enables the user's disabled resources when the user is enabled. To turn off this out-of-the-box event handler, set the "XL.EnableDisabledResources" system property to FALSE; note that this affects every user enable in the system, so each resource that should still come back must then be covered by the lookup or by an access policy. In the "Lookup.User.Enable.AppInstDisplayNameToProcessTasks" lookup, specify the application instance display name and the corresponding process tasks to call (e.g. Enable User, ManualEnableStart). This can also be combined with access policies (e.g. let access policies and membership rules handle the plain enabling of resources, and use the custom event handler only to call process tasks that carry more complex logic).

(Screenshot: the "XL.EnableDisabledResources" system property)
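The handler described above, written out as an added example that is not the post's own code: a PostProcessHandler that maps the orchestration operation to the matching lookup name, reads the Code Key/Decode pairs through tcLookupOperationsIntf, walks the user's provisioned accounts with ProvisioningService, and inserts each named process task with tcProvisioningOperationsIntf.addProcessTaskInstance. The package name, the class name and the findTaskKey helper (which resolves a task name to its MIL_KEY with a direct query on the OIM schema) are assumptions; the post does not show how it resolves task keys. It also assumes the handler is registered at the postprocess stage for the User entity's LOCK, UNLOCK, ENABLE and DISABLE operations in EventHandlers.xml and deployed as a plugin, which the post does not cover.

```java
package com.example.oim.eventhandler; // package and class names are assumptions, not from the original post

import java.sql.*;
import java.util.*;
import java.util.logging.Logger;
import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.spi.PostProcessHandler;
import oracle.iam.platform.kernel.vo.*;
import oracle.iam.provisioning.api.ProvisioningService;
import oracle.iam.provisioning.vo.Account;
import Thor.API.tcResultSet;
import Thor.API.Exceptions.tcInvalidLookupException;
import Thor.API.Operations.*;

/** Post-process handler for user LOCK/UNLOCK/ENABLE/DISABLE: runs the process tasks named in the matching lookup. */
public class UserLifecycleProcessTaskHandler implements PostProcessHandler {
    private static final Logger LOG = Logger.getLogger(UserLifecycleProcessTaskHandler.class.getName());
    private static final String CODE_KEY = "Lookup Definition.Lookup Code Information.Code Key";
    private static final String DECODE = "Lookup Definition.Lookup Code Information.Decode";

    @Override
    public EventResult execute(long processId, long eventId, Orchestration orch) {
        applyRules(orch.getOperation(), orch.getTarget().getEntityId());
        return new EventResult();
    }

    @Override
    public BulkEventResult execute(long processId, long eventId, BulkOrchestration orch) {
        for (String userKey : orch.getTarget().getAllEntityId()) applyRules(orch.getOperation(), userKey);
        return new BulkEventResult();
    }

    /** "LOCK" -> "Lookup.User.Lock.AppInstDisplayNameToProcessTasks", the naming scheme used in the post. */
    static String lookupNameFor(String operation) {
        String op = operation.substring(0, 1).toUpperCase() + operation.substring(1).toLowerCase();
        return "Lookup.User." + op + ".AppInstDisplayNameToProcessTasks";
    }

    /** Splits a Decode value such as "Enable User, ManualEnableStart" into trimmed, non-empty task names. */
    static List<String> parseTaskNames(String decode) {
        List<String> names = new ArrayList<String>();
        for (String part : decode.split(",")) {
            if (!part.trim().isEmpty()) names.add(part.trim());
        }
        return names;
    }

    private void applyRules(String operation, String userKey) {
        Map<String, List<String>> rules = readLookup(lookupNameFor(operation));
        if (rules.isEmpty()) return; // lookup missing or empty: already logged, orchestration continues
        try {
            ProvisioningService provSvc = Platform.getService(ProvisioningService.class);
            tcProvisioningOperationsIntf provOps = Platform.getService(tcProvisioningOperationsIntf.class);
            for (Account account : provSvc.getAccountsProvisionedToUser(userKey)) {
                List<String> taskNames = rules.get(account.getAppInstance().getDisplayName());
                if (taskNames == null) continue; // this application instance is not listed in the lookup
                long procInstKey = Long.parseLong(account.getProcessInstanceKey());
                for (String taskName : taskNames) {
                    long taskKey = findTaskKey(procInstKey, taskName);
                    if (taskKey < 0) { LOG.warning("Task '" + taskName + "' not defined for process " + procInstKey); continue; }
                    provOps.addProcessTaskInstance(taskKey, procInstKey); // inserts the task; its adapter then runs
                }
            }
        } catch (Exception e) {
            LOG.severe("Could not run " + operation + " process tasks for user " + userKey + ": " + e);
        }
    }

    /** Reads Code Key -> task names. A missing lookup only logs a warning, as described under Things to Consider. */
    private Map<String, List<String>> readLookup(String lookupName) {
        Map<String, List<String>> rules = new HashMap<String, List<String>>();
        try {
            tcResultSet rs = Platform.getService(tcLookupOperationsIntf.class).getLookupValues(lookupName);
            for (int i = 0; i < rs.getRowCount(); i++) {
                rs.goToRow(i);
                rules.put(rs.getStringValue(CODE_KEY), parseTaskNames(rs.getStringValue(DECODE)));
            }
        } catch (tcInvalidLookupException e) {
            LOG.warning("Lookup " + lookupName + " does not exist; no custom process tasks will run");
        } catch (Exception e) {
            LOG.severe("Could not read lookup " + lookupName + ": " + e);
        }
        return rules;
    }

    /** ASSUMPTION: resolves a task name to its MIL_KEY for the process instance's process definition via the OIM schema. */
    private long findTaskKey(long procInstKey, String taskName) throws Exception {
        String sql = "SELECT mil.mil_key FROM mil, orc WHERE mil.tos_key = orc.tos_key AND orc.orc_key = ? AND mil.mil_name = ?";
        try (Connection c = Platform.getOperationalDS().getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setLong(1, procInstKey);
            ps.setString(2, taskName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getLong(1) : -1L;
            }
        }
    }

    @Override public void compensate(long processId, long eventId, AbstractGenericOrchestration orch) {}
    @Override public boolean cancel(long processId, long eventId, AbstractGenericOrchestration orch) { return false; }
    @Override public void initialize(HashMap<String, String> params) {}
}
```

Two design points worth noting. The handler swallows every failure and always returns a plain EventResult, so a typo in a task name or an unreachable target never blocks the lock or disable of the user itself; if your policy is the opposite (the user must not be considered locked until the resource tasks are scheduled), rethrow instead of logging and the orchestration will fail. Also, because the lookup is matched on the application instance display name, renaming an application instance silently stops its tasks from running, so keep the lookup in sync with those names.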

