
2009 Oracle Corporation Proprietary and Confidential

FYI: New Portal with same DocID
Before: Schedule 740966.1 and Archive 740964.1
Now: Generic Advisor Webcast Note 740966.1

Future Advisor Webcasts


Upcoming live webcasts and recent recordings:

Fusion Applications
November 1: Fusion Applications Security: Troubleshoot Data Role Issues
Fusion Applications Technical Community: https://communities.oracle.com/portal/server.pt/community/technical_-_fa/531

Recent webcasts available in archives:
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

My Oracle Support: https://support.oracle.com
Doc ID 740966.1 - Current Advisor Webcast Schedule and Archived Recordings

Teleconference Information
Teleconference Access: xxxx
North America: xxxx
International: Conference ID: advisorsp
Password: Advisor
US/Canada Toll-Free Number: (866) 900-1292
International Dial-in Number: (706) 758-7504
For International Toll-Free: Refer to Doc ID 1148600.1

2012 Oracle Corporation Proprietary and Confidential

Safe Harbor Statement


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.


Fusion Applications Security: User & Role Management using Oracle Identity Manager
Chetan Gadkari, Senior Principal Support Engineer

AGENDA
- What is Oracle Identity Manager (OIM)?
- Role of OIM in Fusion Applications
- High Level Architecture
- OIM SPML Orchestration Flow
- Synchronization & Reconciliation Processes
- Demonstration: OIM User Interface & Features


What is Oracle Identity Manager (OIM)

Oracle Identity Manager is a user and role provisioning and administration solution, which automates the process of adding, updating, and deleting user accounts in applications and directories. Oracle Identity Manager is available as a stand-alone product or as part of the Oracle Identity and Access Management Suite.

Role of OIM in Fusion Applications

OIM 11g is used for Identity Administration tasks such as:
- User Administration (e.g. Creation, Self Registration, Modification and Deletion)
- Role Administration (e.g. Creation, Modification, Deletion and Role Assignment)

Fusion HCM sends identity administration requests to OIM using the standards-based Service Provisioning Markup Language (SPML) and web services. OIM accepts the requests and performs the Identity Administration tasks, which result in LDAP updates (e.g. in OID).


Role of OIM in Fusion Applications

OIM is also used by Fusion Applications for Password Management:
- Change Password
- Forgot Password
- Password Resets
- Enforce Password Policy

Initial password generation (for a new user) and sending out an email notification to the user: an email notification with the system-generated password is sent to the newly created Fusion Applications user.

Data synchronization (synchronize data to & from the LDAP store).

Integration with Oracle Application Access Control Governor (OAACG) for the SoD (Segregation of Duties) check.


High Level Architecture: Fusion Security Install

(Architecture diagram; components and ports recovered from the slide)
- Database: schemas ODS, OAM, IAU, ORASDPM, MDS, SOAINFRA
- WebTier: OHS (Auth), port 7777
- Weblogic IDM/IAM/SOA domain: Admin Server 7001; OAM 14100; SOA 8001; ODSM + DIP 7006; OIM 14000
- ID Store: 3060
- Policy Store: 3061
- ODS / OVD: 6051


Fusion Applications OIM Interaction


OIM SPML Orchestration Flow


Synchronization & Reconciliation

User & Role Provisioning: LDAP Sync is used to make modifications to the LDAP store (OIM -> LDAP Sync -> LDAP).

Reconciliation: pre-defined Scheduled Jobs are used to synchronize the User and Role related information from the LDAP store into OIM (LDAP -> Recon -> OIM).


Helpful Resources
- Oracle Identity Manager 11g Documentation on OTN: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index098451.html
- Product Information Center: Oracle Identity Manager Release 11g and later (Doc ID 1346075.2)
- Fusion Applications - Product Information Center (Doc ID 100.1)
- Fusion Applications Security knowledge documents published on My Oracle Support: log in to My Oracle Support, click on the Knowledge tab, in the Search & Browse tab select Product as Oracle Fusion Applications and Task as Security, then hit the Search button.


Demonstration


Questions submitted during Advisor Webcast session

Q: Since OIM provisions access, what does Oracle Entitlement Server do that is different?
A: OIM provisions users and roles and defines what a user can do in Fusion Apps. OES is used for managing security policies (data & functional) and entitlements, which define what a user can do on which set of data.

Q: Which LDAP does it support?
A: OIM can be integrated with Oracle Internet Directory and MS Active Directory LDAP servers for use with Fusion Apps.

Q: Should email notification setup for OIM user creation passwords be done on the OIM side or the Fusion Apps side?
A: Email notifications are configured in OIM and not in Fusion Apps.

Q: Is OVD part of the OIM pack?
A: No, OVD is not a part of OIM. It is a part of the Oracle Identity & Access Management Pack.

Q: I need an explanation of the term 'user' in Fusion. Is an employee also a user, or does user mean only an application implementation consultant? As you see in the screen, a hiring manager user is created for him to enter new employee details. Is it the IT security manager who creates the hiring manager user?
A: At a high level you can consider there are 2 kinds of users - Admin and End User. When Fusion Apps is installed we provision certain 'super' users that have admin capabilities. These users are then used to create Application Users.

Q: What does SPML stand for?
A: SPML - Service Provisioning Markup Language.

Q: What I read from the docs of Fusion security is that when we first install Fusion Apps a default user like xelsysadm will get created, and this user will be able to create the IT security manager, and then the IT security manager logs into Fusion to create Application Implementation Consultant and Application Implementation Manager users. Until now my understanding is that the IT security manager is created in FA.
A: IT Security Manager is a job role that can be assigned to a super user who can then create other implementation users that can be granted job roles like Application Implementation Consultant, Human Resource Specialist etc.

Q: In case a customer uses their own LDAP, like Microsoft Active Directory, can that be integrated with Oracle Fusion Applications?
A: Yes, MS Active Directory is certified with Fusion Apps.


Questions submitted during Advisor Webcast session

Q: What is OIM*?
A: OIM - Oracle Identity Manager. OIM was formerly known as Xellerate and became a part of the Oracle Identity Management stack when Oracle acquired Thor Technologies.

Q: Is this 11gR1 or 11gR2?
A: OIM 11gR1 is used with Fusion Apps.

Q: What are the membership rules under the employee role?
A: The OIM Role Membership Rules feature is not used with Fusion Apps.

Q: Regarding the user synchronization, I have been using Fusion and have found that a user can be created in 2 ways:
1) OIM Admin user -> create implementation user
2) HCM application -> Manage Users
I understand on a high level that both are different ways of creating a user, before doing the enterprise setup and after doing the enterprise setup. Through the Manage Users console, I can only provision a few roles and not all roles are available. I can add the additional roles through OIM for this user but this does not sync or get reflected on the screen in Manage Users, and vice versa. 2) Employee ID: is it an internally generated ID or can I manually enter the same?
A: You are right about user creation. The reason why the Roles are not shown as available on the Manage Users screen is that you need to add a Role Mapping in Fusion Apps for all the Roles that you want to auto-provision to a user during the user creation request that is initiated from the Manage Users page. Refer: Doc ID 1448455.1. Employee ID/Number is generated in Fusion Apps.

Q: In the SaaS instances, we don't see the Advanced link appearing for an initial user created in OIM. Could you please let me know what role we have to give for such a setup so that we can replicate it in our on-premise installs?
A: The OIM Advanced Administration console link is only available to the OIM super user, which is controlled by the Cloud Admins. This is not generally available to a regular SaaS/Cloud user.

Q: What's new in 11g Rel 2?
A: OIM 11g Rel 2 documentation can be found at http://www.oracle.com/technetwork/middleware/idmgmt/documentation/index.html. Kindly refer to the documentation.


Questions submitted during Advisor Webcast session


Q: How do I map a role to a set of Fusion screens for access control?
A: Job Roles are mapped to Duty Roles in order to provide access control. Refer:
- Mapping Of Duty Roles To Top Level Menu Entries in Fusion Applications (Doc ID 1459828.1)
- Mapping Of Roles, Duties and Privileges in Fusion Applications (Doc ID 1460486.1)

Q: During the Fusion Apps install, is it mandatory to install OIM?
A: Yes, OIM has to be installed and configured first. In fact, the entire Fusion Security Install is done first and then the Fusion Apps install follows.

Q: You spoke about integration between Fusion Apps and OIM. Is OIM the *only* way to create users for Fusion Apps, or one of several options?
A: By architecture standards OIM is the only choice for User & Role management for Fusion Apps.

Q: If I want to create two different users, can I do it directly in OIM?
A: Creation of Fusion Apps users should ONLY be done through the Fusion Apps Manage Users page. Creating users directly in OIM is NOT recommended.

Q: Can you talk a bit about process forms? IHAC who does large migrations which involve updating these. Is that a normal thing to have to update periodically, and what else is then affected?
A: The OIM Reconciliation process is key to keeping the data synchronized between OIM and the backend LDAP store. Running the Recon jobs at a higher frequency on a periodic basis is recommended.

Q: Does OAACG come along with Fusion Applications, or should we implement the Oracle Governance, Risk and Compliance Controls (GRCC) suite?
A: OAACG is integrated with OIM. You do not need to install/implement the GRCC suite.

Q: I am currently installing Fusion Apps 11.1.4, so do we have to install another database for OIM or can we align with the transactional database (Fusion Apps database)?
A: The OIM DB schema should be installed on a separate database instance. We do NOT recommend installing Fusion Security component schemas into the Fusion Apps DB.

Q: What is that organization all about in OIM while creating a user?
A: The OIM 'Xellerate Users' Organization is just a placeholder/container for the OIM objects; it is not related to Fusion Apps.


Questions submitted during Advisor Webcast session


Q: What are the differences in implementation of OAM with EBS Rel 12 versus Fusion Apps?
A: The scope of this webcast session is to talk about OIM and Fusion Apps. Please refer to the EBS Rel 12 documentation for OAM implementation in EBS.

Q: If using just Fusion CRM, will you still need HCM to create an employee record to initiate the user setup flow (like in EBS)?
A: Yes, all the Fusion Apps Pillars, e.g. CRM, SCM, FINs, use the HCM Core component for user creation.

Q: Can we create users in OIM directly and use them in Fusion Apps, or do we have to create them via HCM?
A: You can only create Fusion users via Fusion HCM. Creating them directly in OIM is NOT recommended.

Q: Sometimes when I log in to FA, I get the error "user is locked or disabled", but when I check the same user in OIM, the status is unlocked. What exactly is happening?
A: In your case the user is locked in the LDAP store. During the login process OAM connects directly to OID/LDAP, and if you get multiple failed logins then it is very likely that OAM would prevent you from logging in and the account will be locked in the LDAP store.

Q: Do Fusion Applications and/or OIM maintain their own separate store of users/roles in addition to the directory (OID or other LDAP)?
A: OIM stores the user and role information in its schema tables, e.g. table USR stores user info. Fusion Applications also stores information about users and roles in its schema, e.g. table PER_USERS stores user info.

Q: Is OAAM used in Fusion Apps Security?
A: No, Oracle Adaptive Access Manager (OAAM) is NOT used in Fusion Security.

Q: What is the difference between a policy and an entitlement? How are they related?
A: Policy: a grant of entitlement to a role on an object or attribute group for a given condition. Entitlement: grants of access to functions and data; the Oracle Fusion Middleware term for privilege.

Q: Can an Application or Duty role be directly assigned to a user, or can it flow only through a job role?
A: No, an Application Role or Duty Role cannot be directly assigned to a user. They are mapped to appropriate Job Roles which are then assigned to the users.

Q: Where is the link between the application role and the Job role established? Is this link established automatically when a data role is created?
A: Linking/Mapping of Application Role to Job Role is done in a tool called Authorization Policy Manager (APM).


Are You Ready To Get Proactive?

Discover more about Get Proactive:
https://support.oracle.com/CSP/main/article?cmd=show&type=ATT&id=1385165.1:DISCOVER

- Avoid the unexpected
- Don't leave value on the table
- Lower overall organizational costs through preventative maintenance
- Reduce risks and maximize uptime
- Achieve resolution faster
- Streamline and simplify your daily operations
- Get even more through connection

ACT: Get Proactive
Access proactive capabilities available for your products by visiting the product pages at My Oracle Support; Article ID 432.1

Contact the Get Proactive team today for help getting started: get-proactive_ww@oracle.com



THANK YOU
