Schedule: Doc ID 740966.1
Archive: Doc ID 740964.1
Fusion Applications
November 1 Fusion Applications Security: Troubleshoot Data Role Issues
Fusion Applications Security: User & Role Management using Oracle Identity Manager
Chetan Gadkari, Senior Principal Support Engineer
Agenda
- What is Oracle Identity Manager (OIM)?
- Role of OIM in Fusion Applications
- High Level Architecture
- OIM SPML Orchestration Flow
- Synchronization & Reconciliation Processes
- Demonstration: OIM User Interface & Features
Oracle Identity Manager is a user and role provisioning and administration solution that automates the process of adding, updating, and deleting user accounts in applications and directories. Oracle Identity Manager is available as a stand-alone product or as part of the Oracle Identity and Access Management Suite.
2012 Oracle Corporation Proprietary and Confidential
Role of OIM in Fusion Applications
- Initial password generation (for new users) and sending out an email notification to the user
- The email notification with the system-generated password is sent to the newly created Fusion Applications user
- Data synchronization (synchronize data to & from the LDAP store)
- Integration with Oracle Application Access Control Governor (OAACG) for SoD (Segregation of Duties) checks
[Figure: High Level Architecture. Components and ports as labelled on the slide: Auth OHS 7777; ID Store 3060; OAM 14100; SOA 8001; ODSM + DIP 7006; Policy Store 3061; OIM 14000; OVD 6051; ODS; database schemas ODS, OAM, IAU, ORASDPM, MDS, SOAINFRA.]

OIM / LDAP Reconciliation
Pre-defined Scheduled Jobs are used to Synchronize the User and Role related information from LDAP store into OIM
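To make the reconciliation step concrete, here is an added example (not OIM's code, and not from the presenter) of what a scheduled LDAP-to-identity-store reconciliation pass computes: it reads user entries and group memberships from the LDAP side, compares them with what the identity store currently holds, and emits create/update/disable and grant/revoke events. The LDAP entries, attribute names (`uid`, `cn`, `mail`, `memberOf`, `orclIsEnabled`) and the existing user records are all constructed sample data; the mapping of group `cn` to role name is an assumption for illustration.

```python
"""Added example: a simplified LDAP-to-identity-store reconciliation pass.

This models what a scheduled reconciliation job does (read LDAP, diff against
the identity store, emit events). It is a constructed illustration, not OIM code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    login: str
    display_name: str
    email: str
    enabled: bool
    roles: frozenset


def role_from_group_dn(dn):
    """'cn=EMPLOYEE,cn=Groups,dc=example,dc=com' -> 'EMPLOYEE' (assumed convention)."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1].strip().upper()


def parse_ldap_entries(entries):
    """Turn raw LDAP attribute dicts into Identity records keyed by lower-cased uid."""
    identities = {}
    for e in entries:
        login = e["uid"].lower()
        identities[login] = Identity(
            login=login,
            display_name=e.get("cn", ""),
            email=e.get("mail", "").lower(),
            enabled=e.get("orclIsEnabled", "ENABLED").upper() == "ENABLED",
            roles=frozenset(role_from_group_dn(dn) for dn in e.get("memberOf", [])),
        )
    return identities


def reconcile(ldap_entries, store_users):
    """Compute the events that bring store_users in line with the LDAP source.

    Returns a list of (event, login, detail) tuples. Users missing from LDAP are
    disabled rather than deleted so the audit trail survives. An empty source is
    refused: a failed bind or a wrong base DN would otherwise look like
    "everyone left" and disable the whole population.
    """
    if not ldap_entries:
        raise ValueError("refusing to reconcile from an empty LDAP result set")
    source = parse_ldap_entries(ldap_entries)
    events = []
    for login, src in sorted(source.items()):
        cur = store_users.get(login)
        if cur is None:
            events.append(("CREATE_USER", login,
                           {"display_name": src.display_name, "email": src.email,
                            "enabled": src.enabled}))
            events.extend(("GRANT_ROLE", login, r) for r in sorted(src.roles))
            continue
        changed = {f: getattr(src, f) for f in ("display_name", "email", "enabled")
                   if getattr(src, f) != getattr(cur, f)}
        if changed:
            events.append(("UPDATE_USER", login, changed))
        events.extend(("GRANT_ROLE", login, r) for r in sorted(src.roles - cur.roles))
        events.extend(("REVOKE_ROLE", login, r) for r in sorted(cur.roles - src.roles))
    for login, cur in sorted(store_users.items()):
        if login not in source and cur.enabled:
            events.append(("DISABLE_USER", login, None))
    return events


# Constructed sample data: what one reconciliation run might see.
LDAP_ENTRIES = [
    {"uid": "jdoe", "cn": "John Doe", "mail": "john.doe@example.com",
     "memberOf": ["cn=EMPLOYEE,cn=Groups,dc=example,dc=com",
                  "cn=HR_SPECIALIST,cn=Groups,dc=example,dc=com"]},
    {"uid": "asmith", "cn": "Ann Smith", "mail": "ann.smith@example.com",
     "memberOf": ["cn=EMPLOYEE,cn=Groups,dc=example,dc=com"]},
]

STORE_USERS = {
    "jdoe": Identity("jdoe", "John Doe", "jdoe@example.com", True,
                     frozenset({"EMPLOYEE", "CONTRACTOR"})),
    "bold": Identity("bold", "Bob Old", "bob.old@example.com", True,
                     frozenset({"EMPLOYEE"})),
}


def sample_run():
    """Reconcile the constructed data; returns six events (create, update, grants, revoke, disable)."""
    return reconcile(LDAP_ENTRIES, STORE_USERS)


if __name__ == "__main__":
    for event in sample_run():
        print(event)
```

The two design points worth carrying into a real job are visible in `reconcile`: a user absent from the source is disabled, not deleted, and an empty source aborts the run instead of being treated as a mass departure.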
Helpful Resources
- Oracle Identity Manager 11g Documentation on OTN: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index098451.html
- Product Information Center: Oracle Identity Manager Release 11g and later (Doc ID 1346075.2)
- Fusion Applications - Product Information Center (Doc ID 100.1)
- Fusion Applications Security knowledge documents published on My Oracle Support:
  1. Log in to My Oracle Support
  2. Click on the Knowledge tab
  3. In the Search & Browse tab, select Product as Oracle Fusion Applications and Task as Security
  4. Hit the Search button
Demonstration
Q: Since OIM provisions access, what does Oracle Entitlement Server do that is different?
A: OIM provisions users, roles and defines what a user can do in Fusion Apps. OES is used for managing security policies (data & functional) and entitlements, which defines what a user can do on which set of data.

Q: Which LDAP does it support?
A: OIM can be integrated with Oracle Internet Directory and MS Active Directory LDAP servers for use with Fusion Apps.

Q: Should email notification setup for OIM user creation passwords be done on the OIM side or the Fusion Apps side?
A: Email Notifications are configured in OIM and not in Fusion Apps.

Q: Is OVD part of the OIM pack?
A: No, OVD is not a part of OIM. It is a part of the Oracle Identity & Access Management Pack.

Q: I need an explanation of the term 'user' in Fusion. Can an employee also be a user, or does user mean only an application implementation consultant? As you see on the screen (a hiring manager user is created for him to enter new employee details), is it the IT security manager who creates the hiring manager user?
A: At a high level you can consider there are 2 kinds of users - Admin and End User. When Fusion Apps is installed we provision certain 'super' users that have admin capabilities. These users are then used to create Application Users.

Q: What does SPML stand for?
A: SPML - Service Provisioning Markup Language

Q: What I read from the docs on Fusion security is that when we first install Fusion Apps a default user like xelsysadm will get created, and this user will be able to create the IT Security Manager, and then the IT Security Manager logs into Fusion to create Application Implementation Consultant and Application Implementation Manager users. Till now my understanding is that the IT Security Manager is created in FA.
A: IT Security Manager is a job role that can be assigned to a super user who can then create other implementation users that can be granted job roles like Application Implementation Consultant, Human Resource Specialist etc.

Q: In case a customer uses their own LDAP apps like Microsoft Active Directory, can that be integrated with Oracle Fusion Applications?
A: Yes, MS Active Directory is certified with Fusion Apps.
Q: What is OIM?
A: OIM - Oracle Identity Manager. OIM was formerly known as Xellerate and became a part of the Oracle Identity Management stack when Oracle acquired Thor Technologies.

Q: Is this 11gR1 or 11gR2?
A: OIM 11gR1 is used with Fusion Apps.

Q: What are the membership rules? Under the employee role?
A: The OIM Role Membership Rules feature is not used with Fusion Apps.

Q: Regarding the user synchronization, I have been using Fusion and have found that a user can be created in 2 ways:
1) OIM Admin user -> create implementation user
2) HCM application -> Manage Users
I understand on a high level that both are different ways of creating a user, before doing the enterprise setup and after doing the enterprise setup. Through the Manage Users console, I can only provision a few roles and not all roles are available. I can add the additional roles through OIM for this user but this does not sync or get reflected on the screen in Manage Users and vice versa. 2) Employee ID - is it an internally generated ID or can I manually enter the same?
A: You are right about user creation. The reason why the Roles are not shown as available on the Manage Users screen is because you need to add a Role Mapping in Fusion Apps for all the Roles that you want to auto-provision to a user during the user creation request that is initiated from the Manage Users page. Refer: Doc ID 1448455.1. Employee ID/Number is generated in Fusion Apps.

Q: In the SaaS instances, we don't see the Advanced link appearing for an initial user created in OIM. Could you please let me know what role we have to give for such a setup so that we can replicate it in our on-premise installs?
A: The OIM Advanced Administration console link is only available to the OIM super user that is controlled by the Cloud Admins. This is not generally available to a regular SaaS/Cloud user.

Q: What's new in 11g Rel 2?
A: OIM 11g Rel 2 documentation can be found at http://www.oracle.com/technetwork/middleware/idmgmt/documentation/index.html . Kindly refer to the documentation.
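The role-mapping answer above is the crux of "why doesn't this role appear in Manage Users": a role is only offered or auto-provisioned when some role mapping whose conditions match the person's assignment lists it. The following added example (constructed, not Fusion Applications code and not from the presenter) models that evaluation. The condition attribute names (`system_person_type`, `assignment_status`, `department`, `is_manager`), the mapping names and the role names are assumptions chosen for illustration.

```python
"""Added example: evaluating role mappings to decide which roles a newly
created user is auto-provisioned with, and which can merely be requested.

Constructed model of the concept, not Fusion Applications code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleMapping:
    name: str
    conditions: dict           # assignment attribute -> required value (assumed attribute names)
    autoprovision: frozenset   # roles granted automatically when all conditions hold
    requestable: frozenset = frozenset()  # roles that may be requested for the user


def matches(mapping, assignment):
    """A mapping applies only when every condition holds; no conditions means it applies to all."""
    return all(assignment.get(attr) == value for attr, value in mapping.conditions.items())


def evaluate_role_mappings(mappings, assignment):
    """Return (auto-provisioned roles, additionally requestable roles) for one assignment.

    Roles that are auto-provisioned are removed from the requestable set so the
    caller sees each role in exactly one bucket. A role named in no matching
    mapping appears in neither, which is the symptom described in the Q&A.
    """
    auto, requestable = set(), set()
    for m in mappings:
        if matches(m, assignment):
            auto |= m.autoprovision
            requestable |= m.requestable
    return frozenset(auto), frozenset(requestable - auto)


# Constructed mappings (names, conditions and roles are assumptions for illustration).
MAPPINGS = [
    RoleMapping("All active employees",
                {"system_person_type": "Employee", "assignment_status": "Active"},
                frozenset({"Employee"})),
    RoleMapping("HR department",
                {"department": "Human Resources", "assignment_status": "Active"},
                frozenset({"Human Resource Specialist"}),
                frozenset({"Human Resource Analyst"})),
    RoleMapping("Line managers",
                {"is_manager": True},
                frozenset({"Line Manager"})),
]


def provision_for(assignment):
    """Evaluate the constructed MAPPINGS against one assignment dict."""
    return evaluate_role_mappings(MAPPINGS, assignment)


if __name__ == "__main__":
    hr_manager = {"system_person_type": "Employee", "assignment_status": "Active",
                  "department": "Human Resources", "is_manager": True}
    contractor = {"system_person_type": "Contingent Worker", "assignment_status": "Active",
                  "department": "Finance", "is_manager": False}
    print("HR manager:", provision_for(hr_manager))
    print("Contractor:", provision_for(contractor))
```

The contractor case is the instructive one: no mapping matches, so no role is auto-provisioned and none is requestable, which is exactly what an administrator sees as "the role is not available" until a mapping covering that population is added.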
- Avoid the unexpected
- Don't leave value on the table
- Lower overall organizational costs through preventative maintenance
- Reduce risks and maximize uptime
- Achieve resolution faster
- Streamline and simplify your daily operations
- Get even more through connection
Fusion Applications Technical Community https://communities.oracle.com/portal/server.pt/community/technical_-_fa/531
THANK YOU