© 2009 Oracle Corporation – Proprietary and Confidential
FYI: New Portal with same DocID
Archive: 740964.1
Schedule: 740966.1
Generic Advisor Webcast Note: 740966.1
Future Advisor Webcasts
Upcoming live webcasts and recent recordings:
Fusion Applications
November 1: Fusion Applications Security: Troubleshoot Data Role Issues
Fusion Applications Technical Community: https://communities.oracle.com/portal/server.pt/community/technical_-_fa/531
My Oracle Support: https://support.oracle.com
Doc ID 740966.1 - Current Advisor Webcast Schedule and Archived Recordings
Teleconference Information
Conference ID: advisorsp
US/Canada Toll-Free Number: (866) 900-1292
International Dial-in Number: (706) 758-7504
For International Toll-Free: refer to Doc ID 1148600.1
Voice streaming is available
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remain at the sole discretion of Oracle.
Fusion Applications Security: User & Role Management using Oracle Identity Manager
Chetan Gadkari, Senior Principal Support Engineer
AGENDA
• What is Oracle Identity Manager (OIM)?
• Role of OIM in Fusion Applications
• High Level Architecture
• OIM SPML Orchestration Flow
• Synchronization & Reconciliation Processes
• Demonstration: OIM User Interface & Features
What is Oracle Identity Manager (OIM)
• Oracle Identity Manager is a user and role provisioning and administration solution, which automates the process of adding, updating, and deleting user accounts in applications and directories.
• Oracle Identity Manager is available as a stand-alone product or as part of the Oracle Identity and Access Management Suite.
Role of OIM in Fusion Applications
• OIM 11g is used for Identity Administration tasks such as:
  • User Administration (e.g. Creation, Self Registration, Modification and Deletion)
  • Role Administration (e.g. Creation, Modification, Deletion and Role Assignment)
• Fusion HCM sends identity administration requests to OIM
  • Using the standards-based Service Provisioning Markup Language (SPML) over web services
• OIM accepts the requests and performs the Identity Administration tasks
  • The result is a set of LDAP updates to the identity store (e.g. OID)
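The request/response exchange described above, as an added example that is not code from the original deck or from Oracle: a Python builder for an SPML 2.0 addRequest, and the checks a receiving provisioning endpoint should run before it turns the request into directory writes. It uses only the OASIS SPML 2.0 core and DSML-profile namespaces; the required and allowed attribute sets, the container DN and the sample user are assumptions, and the Fusion-specific target IDs and attribute profile that HCM actually sends to OIM are not reproduced here.

```python
"""Build and validate an SPML 2.0 addRequest carrying DSML attributes.

Added example written for this page; it follows the OASIS SPML 2.0 core and
DSML profile namespaces, not Oracle's Fusion-to-OIM message profile, whose
target IDs and attribute set are not shown on the slides.
"""
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("spml", SPML_NS)
ET.register_namespace("dsml", DSML_NS)

# Attribute rules the receiving endpoint enforces before it will create an
# account. These sets are assumptions for the example, not OIM's rules.
REQUIRED_ATTRS = {"uid", "cn", "sn", "mail"}
ALLOWED_ATTRS = REQUIRED_ATTRS | {"givenName", "displayName", "objectclass"}


def _q(ns, local):
    """Clark notation {ns}local, the form ElementTree uses for qualified tags."""
    return "{%s}%s" % (ns, local)


def build_add_request(request_id, container_dn, attrs):
    """Return the XML text of an SPML 2.0 addRequest.

    attrs maps an attribute name to a value or a list of values.
    """
    req = ET.Element(_q(SPML_NS, "addRequest"),
                     {"requestID": request_id, "executionMode": "synchronous"})
    ET.SubElement(req, _q(SPML_NS, "containerID"), {"ID": container_dn})
    data = ET.SubElement(req, _q(SPML_NS, "data"))
    for name, values in attrs.items():
        attr = ET.SubElement(data, _q(DSML_NS, "attr"), {"name": name})
        for value in ([values] if isinstance(values, str) else values):
            ET.SubElement(attr, _q(DSML_NS, "value")).text = value
    return ET.tostring(req, encoding="unicode")


def validate_add_request(xml_text, existing_uids):
    """Server-side checks on an incoming addRequest.

    Returns (status, error, attrs): status is "success" or "failure" as in an
    SPML addResponse, error is a standard SPML ErrorCode string or None, and
    attrs is the parsed attribute map (name -> list of values) when valid.
    """
    # Requests cross a web-service boundary; for genuinely untrusted input use
    # defusedxml (or equivalent) so entity-expansion payloads are refused.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "failure", "malformedRequest", {}
    if root.tag != _q(SPML_NS, "addRequest"):
        return "failure", "unsupportedOperation", {}
    if root.find(_q(SPML_NS, "containerID")) is None:
        return "failure", "invalidContainment", {}
    attrs = {}
    for attr in root.iter(_q(DSML_NS, "attr")):
        attrs[attr.get("name", "")] = [v.text or "" for v in attr.findall(_q(DSML_NS, "value"))]
    # Unknown attributes are rejected rather than silently written to the
    # directory: an endpoint that relays arbitrary attributes gives every
    # caller the write rights of the connector's LDAP bind account.
    unknown = set(attrs) - ALLOWED_ATTRS
    missing = REQUIRED_ATTRS - set(attrs)
    if unknown or missing or any(not v or not all(v) for v in attrs.values()):
        return "failure", "malformedRequest", {}
    if attrs["uid"][0] in existing_uids:
        return "failure", "alreadyExists", {}
    return "success", None, attrs


def build_add_response(request_id, status, error=None):
    """Return the XML text of the matching SPML addResponse."""
    resp = ET.Element(_q(SPML_NS, "addResponse"),
                      {"requestID": request_id, "status": status})
    if error:
        resp.set("error", error)
    return ET.tostring(resp, encoding="unicode")
```

The error values returned (malformedRequest, alreadyExists, invalidContainment, unsupportedOperation) are standard SPML 2.0 ErrorCode names, so a caller such as the HCM side can branch on them without parsing free text; the attribute allow-list is the check that keeps a provisioning endpoint from becoming a general-purpose LDAP write path.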
Role of OIM in Fusion Applications
• OIM is also used by Fusion Applications for Password Management
  • Change Password
  • Forgot Password
  • Password Resets
  • Enforce Password Policy
  • Initial password generation (for new users) and sending out email notification to the user
• Email notification with the system-generated password is sent to the newly created Fusion Applications user
• Data synchronization (synchronize data to & from the LDAP store)
• Integration with Oracle Application Access Control Governor (OAACG) for SoD (Segregation of Duties) checks
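Password generation and policy enforcement, as an added example written for this page rather than OIM's own code: a policy checker and a CSPRNG-backed generator for the initial password that is mailed to a new user. The policy fields and their defaults, and the user attributes passed in, are assumptions; OIM's real password policy object has its own rule set.

```python
"""Initial-password generation under a password policy, and policy checking.

Added example written for this page; it is not OIM's password-policy
implementation. The policy fields and defaults below are assumptions chosen
to resemble a typical corporate policy.
"""
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    special_chars: str = "!@#$%^&*()-_=+"
    # Reject passwords containing the user's login or name (3+ characters).
    forbid_user_attrs: bool = True


def check_password(password, policy, user_attrs=()):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    counts = {
        "upper": sum(c in string.ascii_uppercase for c in password),
        "lower": sum(c in string.ascii_lowercase for c in password),
        "digit": sum(c in string.digits for c in password),
        "special": sum(c in policy.special_chars for c in password),
    }
    minimums = {"upper": policy.min_upper, "lower": policy.min_lower,
                "digit": policy.min_digits, "special": policy.min_special}
    for cls, needed in minimums.items():
        if counts[cls] < needed:
            problems.append("fewer than %d %s characters" % (needed, cls))
    if policy.forbid_user_attrs:
        lowered = password.lower()
        for attr in user_attrs:
            if attr and len(attr) >= 3 and attr.lower() in lowered:
                problems.append("contains user attribute %r" % attr)
    return problems


def generate_initial_password(policy, user_attrs=(), max_attempts=100):
    """Draw a random password from the OS CSPRNG that satisfies policy.

    Each required character class is seeded explicitly, the remainder is drawn
    from the full alphabet, and the result is shuffled with secrets so the
    forced characters do not sit in predictable positions. The candidate is
    then re-checked, since the user-attribute rule can only be verified after
    the fact.
    """
    alphabet = string.ascii_letters + string.digits + policy.special_chars
    for _ in range(max_attempts):
        chars = ([secrets.choice(string.ascii_uppercase) for _ in range(policy.min_upper)]
                 + [secrets.choice(string.ascii_lowercase) for _ in range(policy.min_lower)]
                 + [secrets.choice(string.digits) for _ in range(policy.min_digits)]
                 + [secrets.choice(policy.special_chars) for _ in range(policy.min_special)])
        chars += [secrets.choice(alphabet) for _ in range(policy.min_length - len(chars))]
        for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates driven by the CSPRNG
            j = secrets.randbelow(i + 1)
            chars[i], chars[j] = chars[j], chars[i]
        candidate = "".join(chars)
        if not check_password(candidate, policy, user_attrs):
            return candidate
    raise RuntimeError("could not generate a policy-compliant password")
```

The generated value is meant as a one-time initial password: it travels over email, so the account should require a change at first login and the value should never be reused or logged. check_password is also what a change-password or reset flow would call before accepting a user-chosen value.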
High Level Architecture – Fusion Security Install
(Architecture diagram; the components and ports shown on the slide are listed below.)
Tiers: Database, WebLogic IDM, WebTier, SOA, IAM
Database schemas: ODS (ID Store), ODS (Policy Store), OAM, IAU, ORASDPM, MDS, SOAINFRA
Listeners and ports:
  Auth OHS       7777
  Admin Server   7001
  ODSM + DIP     7006
  IDStore        3060
  Policy         3061
  OVD            6051
  OAM            14100
  OIM            14000
  SOA            8001
Fusion Applications – OIM Interaction
OIM SPML Orchestration Flow
Synchronization & Reconciliation
• User & Role Provisioning: LDAP Sync is used to make modifications to the LDAP store (OIM → LDAP)
• Reconciliation: pre-defined Scheduled Jobs are used to synchronize the User and Role related information from the LDAP store into OIM (LDAP → OIM)
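The reconciliation direction (LDAP store into OIM), as an added example that is not OIM's reconciliation engine or one of its scheduled jobs: a diff of a constructed LDAP snapshot against constructed OIM user rows that reports users to create, users missing from LDAP, attribute drift and lock-state mismatches, then applies the LDAP-side values. It also covers the later Q&A case of an account that is locked in the LDAP store after failed logins while OIM still shows it unlocked. All records are constructed, and the attribute names (cn and mail as the synced attributes, pwdAccountLockedTime as the lock indicator) are assumptions to be replaced with the directory's real names.

```python
"""Reconcile an LDAP identity-store snapshot into an OIM-style user table.

Added example written for this page; it is a generic two-snapshot diff, not
OIM's reconciliation engine or its pre-defined scheduled jobs. All records
are constructed. Attribute names are assumptions: cn/mail as the synced
attributes and pwdAccountLockedTime (the draft-behera LDAP password-policy
attribute) as the lock indicator; substitute your directory's real names.
"""
import copy
from dataclasses import dataclass, field

LOCK_ATTR = "pwdAccountLockedTime"  # assumption, see module docstring
ATTR_MAP = {"cn": "display_name", "mail": "email"}  # LDAP attribute -> OIM field

# Constructed LDAP snapshot keyed by uid (what an LDAP search would return).
# asmith carries a lock timestamp, as left behind by a failed-login lockout.
LDAP_SNAPSHOT = {
    "jdoe": {"cn": "John Doe", "mail": "jdoe@example.com"},
    "asmith": {"cn": "Ann Smith", "mail": "asmith@example.com",
               LOCK_ATTR: "20121004093000Z"},
    "bnew": {"cn": "Bob New", "mail": "bnew@example.com"},
}

# Constructed OIM user rows keyed by login. asmith is still unlocked here:
# this is the "locked in LDAP, unlocked in OIM" state that recon repairs.
OIM_USERS = {
    "jdoe": {"display_name": "John Doe", "email": "jdoe@example.com",
             "status": "Active", "locked": False},
    "asmith": {"display_name": "Ann Smith", "email": "asmith@example.com",
               "status": "Active", "locked": False},
    "cgone": {"display_name": "Carl Gone", "email": "cgone@example.com",
              "status": "Active", "locked": False},
}


@dataclass
class ReconReport:
    create_in_oim: list = field(default_factory=list)
    missing_in_ldap: list = field(default_factory=list)
    attribute_drift: dict = field(default_factory=dict)  # uid -> {field: (oim, ldap)}
    lock_mismatch: list = field(default_factory=list)    # (uid, ldap_locked, oim_locked)


def reconcile(ldap_snapshot, oim_users, attr_map=ATTR_MAP, lock_attr=LOCK_ATTR):
    """Diff the LDAP snapshot (the source for this direction) against OIM rows."""
    report = ReconReport()
    for uid, entry in ldap_snapshot.items():
        row = oim_users.get(uid)
        if row is None:
            report.create_in_oim.append(uid)
            continue
        drift = {oim_field: (row.get(oim_field), entry.get(ldap_attr))
                 for ldap_attr, oim_field in attr_map.items()
                 if entry.get(ldap_attr) != row.get(oim_field)}
        if drift:
            report.attribute_drift[uid] = drift
        ldap_locked = bool(entry.get(lock_attr))
        if ldap_locked != bool(row.get("locked")):
            report.lock_mismatch.append((uid, ldap_locked, bool(row.get("locked"))))
    report.missing_in_ldap = [uid for uid in oim_users if uid not in ldap_snapshot]
    return report


def apply_to_oim(report, ldap_snapshot, oim_users, attr_map=ATTR_MAP, lock_attr=LOCK_ATTR):
    """Return a new OIM table with the report applied (the input is not mutated).

    Creates, attribute updates and lock state flow LDAP -> OIM. Rows that no
    longer exist in LDAP are left in place and only reported: deleting them
    here would turn a directory outage or a wrong search base into mass
    de-provisioning on the next scheduled run.
    """
    updated = copy.deepcopy(oim_users)
    for uid in report.create_in_oim:
        entry = ldap_snapshot[uid]
        row = {oim_field: entry.get(ldap_attr) for ldap_attr, oim_field in attr_map.items()}
        row.update({"status": "Active", "locked": bool(entry.get(lock_attr))})
        updated[uid] = row
    for uid, drift in report.attribute_drift.items():
        for oim_field, (_old, new) in drift.items():
            updated[uid][oim_field] = new
    for uid, ldap_locked, _oim_locked in report.lock_mismatch:
        updated[uid]["locked"] = ldap_locked
    return updated
```

Running reconcile on the two constructed snapshots reports bnew to create, cgone as missing from LDAP, and asmith as locked in LDAP but not in OIM; apply_to_oim then creates bnew and flags asmith locked while leaving cgone untouched for a human to review.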
Helpful Resources
• Oracle Identity Manager 11g Documentation on OTN: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index-098451.html
• Product Information Center: Oracle Identity Manager Release 11g and later (Doc ID 1346075.2)
• Fusion Applications - Product Information Center (Doc ID 100.1)
• Fusion Applications Security knowledge documents published on My Oracle Support:
  • Log in to My Oracle Support
  • Click on the Knowledge tab
  • In the Search & Browse tab select Product as Oracle Fusion Applications and Task as Security
  • Hit the Search button
Demonstration
Questions submitted during Advisor Webcast session
Q: Since OIM provisions access, what does Oracle Entitlement Server do that is different?
A: OIM provisions users and roles and defines what a user can do in Fusion Apps. OES is used for managing security policies (data and functional) and entitlements, which define what a user can do on which set of data.
Q: Which LDAP does it support?
A: OIM can be integrated with Oracle Internet Directory and MS Active Directory LDAP servers for use with Fusion Apps.
Q: Should email notification setup for OIM user creation passwords be done on the OIM side or the Fusion Apps side?
A: Email notifications are configured in OIM and not in Fusion Apps.
Q: Is OVD part of the OIM pack?
A: No, OVD is not a part of OIM. It is a part of the Oracle Identity & Access Management Pack.
Q: I need an explanation of the term 'user' in Fusion. Can an employee also be a user, or does user mean only an application implementation consultant? As you see in the screen, a hiring manager user is created for him to enter new employee details. Is it the IT security manager who creates the hiring manager user?
A: At a high level you can consider that there are 2 kinds of users: Admin and End User. When Fusion Apps is installed we provision certain 'super' users that have admin capabilities. These users are then used to create Application Users.
Q: What does SPML stand for?
A: SPML - Service Provisioning Markup Language
Q: What I read from the Fusion security docs is that when we first install Fusion Apps a default user like xelsysadm gets created, and this user is able to create the IT Security Manager, and then the IT Security Manager logs into Fusion to create the Application Implementation Consultant and Application Implementation Manager users. So far my understanding is that the IT Security Manager is created in FA.
A: IT Security Manager is a job role that can be assigned to a super user, who can then create other implementation users that can be granted job roles like Application Implementation Consultant, Human Resource Specialist etc.
Q: In case a customer uses their own LDAP, like Microsoft Active Directory, can that be integrated with Oracle Fusion Applications?
A: Yes, MS Active Directory is certified with Fusion Apps.
Q: What is OIM?
A: OIM - Oracle Identity Manager. OIM was formerly known as Xellerate and became a part of the Oracle Identity Management stack when Oracle acquired Thor Technologies.
Q: Is this 11gR1 or 11gR2?
A: OIM 11gR1 is used with Fusion Apps.
Q: What are the membership rules under the employee role?
A: The OIM Role Membership Rules feature is not used with Fusion Apps.
Q: Regarding user synchronization, I have been using Fusion and have found that a user can be created in 2 ways: 1) OIM Admin user -> create implementation user; 2) HCM application -> Manage Users. I understand at a high level that these are different ways of creating a user before doing the enterprise setup and after doing the enterprise setup. Through the Manage Users console I can only provision a few roles; not all roles are available. I can add the additional roles through OIM for this user, but this does not sync or get reflected on the Manage Users screen, and vice versa. 2) Employee ID: is it an internally generated ID or can I manually enter it?
A: You are right about user creation. The reason why the roles are not shown as available on the Manage Users screen is that you need to add a Role Mapping in Fusion Apps for all the roles that you want to auto-provision to a user during the user creation request that is initiated from the Manage Users page. Refer: Doc ID 1448455.1. Employee ID/Number is generated in Fusion Apps.
Q: In the SaaS instances, we don't see the Advanced link appearing for an initial user created in OIM. Could you please let me know what role we have to give for such a setup so that we can replicate it in our on-premise installs?
A: The OIM Advanced Administration console link is only available to the OIM super user, which is controlled by the Cloud Admins. This is not generally available to a regular SaaS/Cloud user.
Q: What's new in 11g Rel 2?
A: OIM 11g Rel 2 documentation can be found at http://www.oracle.com/technetwork/middleware/id-mgmt/documentation/index.html. Kindly refer to the documentation.
Q: How do I map a role to a set of Fusion screens for access control?
A: Job Roles are mapped to Duty Roles in order to provide access control. Refer: Mapping Of Duty Roles To Top Level Menu Entries in Fusion Applications (Doc ID 1459828.1) and Mapping Of Roles, Duties and Privileges in Fusion Applications (Doc ID 1460486.1).
Q: During the Fusion Apps install, is it mandatory to install OIM?
A: Yes, OIM has to be installed and configured first. In fact, the entire Fusion Security install is done first and then the Fusion Apps install follows.
Q: You spoke about integration between Fusion Apps and OIM. Is OIM the *only* way to create users for Fusion Apps, or one of several options?
A: By architecture standards OIM is the only choice for User & Role management for Fusion Apps.
Q: If I want to create two different users, can I do it directly in OIM?
A: Creation of Fusion Apps users should ONLY be done through the Fusion Apps Manage Users page. Creating users directly in OIM is NOT recommended.
Q: Can you talk a bit about process forms? I have a customer who does large migrations which involve updating these. Is that a normal thing to have to update periodically, and what else is then affected?
A: The OIM Reconciliation process is key to keeping the data synchronized between OIM and the backend LDAP store. Running the Recon jobs at a higher frequency on a periodic basis is recommended.
Q: Does OAACG come along with Fusion Applications, or should we implement the Oracle Governance, Risk and Compliance Controls (GRCC) suite?
A: OAACG is integrated with OIM. You do not need to install/implement the GRCC suite.
Q: I am currently installing Fusion Apps 11.1.4, so do we have to install another database for OIM or can we align it with the transactional database (Fusion Apps database)?
A: The OIM DB schema should be installed on a separate database instance. We do NOT recommend installing Fusion Security component schemas into the Fusion Apps DB.
Q: What is that organization all about in OIM while creating a user?
A: The OIM 'Xellerate Users' Organization is just a placeholder/container for the OIM objects; it is not related to Fusion Apps.
Q: What are the differences in implementation of OAM with EBS Rel 12 versus Fusion Apps?
A: The scope of this webcast session is to talk about OIM and Fusion Apps. Please refer to the EBS Rel 12 documentation for OAM implementation in EBS.
Q: If using just Fusion CRM, will you still need HCM to create the employee record to initiate the user setup flow (like in EBS)?
A: Yes, all the Fusion Apps pillars, e.g. CRM, SCM, FINs, use the HCM Core component for user creation.
Q: Can we create users in OIM directly and use them in Fusion Apps, or do we have to create them via HCM?
A: You can only create Fusion users via Fusion HCM. Creating them directly in OIM is NOT recommended.
Q: Sometimes when I log in to FA, I get the error "user is locked or disabled", but when I check the same user in OIM the status is unlocked. What exactly is happening?
A: In your case the user is locked in the LDAP store: during the login process OAM connects directly to OID/LDAP, and if you get multiple failed logins then it is very likely that OAM would prevent you from logging in and the account will be locked in the LDAP store.
Q: Do Fusion Applications and/or OIM maintain their own separate store of users/roles in addition to the directory (OID or other LDAP)?
A: OIM stores the user and role information in its schema tables, e.g. table USR stores user info. Fusion Applications also stores information about users and roles in its schema, e.g. table PER_USERS stores user info.
Q: Is OAAM used in Fusion Apps Security?
A: No, Oracle Adaptive Access Manager (OAAM) is NOT used in Fusion Security.
Q: What is the difference between a policy and an entitlement? How are they related?
A: Policy: a grant of entitlement to a role on an object or attribute group for a given condition. Entitlement: grants of access to functions and data; the Oracle Fusion Middleware term for privilege.
Q: Can an Application or Duty role be directly assigned to a user, or can it flow only through a job role?
A: No, an Application Role or Duty Role cannot be directly assigned to a user. They are mapped to appropriate Job Roles, which are then assigned to the users.
Q: Where is the link between the application role and the job role established? Is this link established automatically when a data role is created?
A: Linking/mapping of Application Role to Job Role is done in a tool called Authorization Policy Manager (APM).
Are You Ready To Get Proactive?
• Avoid the unexpected
• Don’t leave value on the table
• Lower overall organizational costs through preventative maintenance
• Reduce risks and maximize uptime
• Achieve resolution faster
• Streamline and simplify your daily operations
• Get even more through connection
Discover more about Get Proactive: https://support.oracle.com/CSP/main/article?cmd=show&type=ATT&id=1385165.1:DISCOVER
Access proactive capabilities available for your products by visiting the product pages at My Oracle Support (Article ID 432.1).
Contact the Get Proactive team today for help getting started: [email protected]
THANK YOU