
OIM INTERVIEW QUESTIONS

September 29, 2014


1. What is Identity
2. What is Identity Management
3. What is Oracle Identity Manager
4. Major Difference between OIM 10g, 11gR1, 11gR2
5. What is Reconciliation
6. Elaborate the types of Reconciliation in OIM
7. What is Provisioning
8. How many types of Provisioning is present in OIM
9. What are Connectors
10. Different Type of Connectors in OIM
11. What is GTC
12. What is Event Handlers
13. What is Adapter
14. Differentiate Adapters and Event Handlers
15. Different Types of Event Handlers
16. Different Types of Adapters
17. General Process of Creating any Event Handler
18. General Process of Creating any Adapter
19. General Process of Creating Connectors
20. In How many ways we can create a Connector
21. Access Policies in OIM
22. Approval Policies in OIM
23. What is Custom Approval Policies?
24. Explain the Life Cycle of Approval Process
25. Steps of creating a Custom Approval Policy.
26. Steps of Installing OIM
27. What is SPML
28. Explain Deployment Process of OOTB Connector
29. What are Resources?
30. Different type of Resources
31. What is High Availability Mode
32. Explain the Architecture of OIM in High Availability Mode
33. What is UDF?
34. Explain the process of creating any custom Attribute in OIM 11g R1 and 11g R2
35. What are Scheduler Tasks
36. Process of creating Scheduler Tasks
37. Ways of Triggering Event Handlers
38. What is Process Definition
39. What is Process Form
40. What is IT resource
41. What is cloning of Connectors? Why it is required?
42. What is Resource Object
43. What is the use of Deployment Manager
44. What is Application Instances in 11g R2
45. What is Sandbox in 11g R2
46. What is the use of Catalog Synchronization Job
47. What is Trusted Reconciliation?
48. In which Scenario Trusted Reconciliation is used?

Created By: Ritesh Maddala

49. What is Target Reconciliation?
50. In which Scenario Target Reconciliation is used?
51. How can we achieve the Password Synchronization between Different Target systems in OIM
52. What are Look-Ups
53. What is the use of Look-Ups in OIM
54. What is Connector Server and in which scenario it is generally implemented
55. What is Flat File Reconciliation
56. How can we move our customized codes and functionality of OIM from Test to Production
57. What is RBAC (Role Based Access Policies)
58. What is OID
59. What is OVD
60. What is LDAP
61. Different types of Directory Servers
62. Explain the Difference between Identity, Role and Organization
63. What is the use of Bulk Upload Utility? How can we use it?

What is an Identity?
An identity is the virtual representation of an enterprise resource user including employees, customers, partners
and vendors. Identity Management shows the rights and relationships the user has when interacting with a
company's network.
What are the benefits of Identity Management?
Centralized auditing and reporting: Know who did what and report on system usage.
Reduce IT operating costs: Immediate return on investment is realized by eliminating the use of paper forms,
phone calls and wait time for new account generation and enabling user self service and password management.
Minimize Security Risk: Control access to the network and instantaneously update accounts in a complex
enterprise environment including: layoffs, acquisitions, partner changes, temporary and contract workers.
Improved quality of IT services.
Legal compliance: Many government mandates require secure control of access.
How does Identity Management (IDM) work?
The process involves creating user accounts that are able to be modified, disabled or deleted. Delegated
workflows, rules and policies are applied to the user's account.
A user profile will tell the company: who they are, what they are entitled to do, when they are allowed to perform
specific functions, where they are allowed to perform functions from and why they have been granted
permissions.
How are Identity Management Solutions Implemented?
Step One:
Inventory and assess current investments and processes. Clean and consolidate identity data stores. Create virtual
identities for enterprise users.
Step Two:
Design and deploy identity infrastructure components. Create identity provisioning and deploy password
management, user self-service, and regulatory compliance.
Step Three:
Deliver applications and services. Access management deployed to a clean environment. Leverage federated
identity for improving supply chain and employee efficiencies.
Explain the Architecture of Oracle Identity Manager?
The Oracle Identity Manager architecture consists of three tiers:
Tier 1: Client:
The Oracle Identity Manager application GUI component resides in this tier. Users log in by using the Oracle
Identity Manager client. The Oracle Identity Manager client interacts with the Oracle Identity Manager server,
providing it with the user's login credentials.
Tier 2: Application Server:
The second tier implements the business logic, which resides in the Java Data Objects that are managed by the
supported J2EE application server (JBoss application server, BEA WebLogic, and IBM WebSphere). The Java
Data Objects implement the business logic of the Oracle Identity Manager application; however, they are not
exposed to any methods from the outside world. Therefore, to access the business functionality of Oracle
Identity Manager, you can use the API layer within the J2EE infrastructure, which provides the lookup and
communication mechanism.
Tier 3: Database: The third tier consists of the database. This is the layer that is responsible for managing the
storage of data within Oracle Identity Manager.
What is an OIM user? How many types of users are there in Oracle Identity Manager?
OIM User:
OIM user is an account which helps in managing the compliance of any organization and helps in providing
the access rights according to its identity in the related organization.
An Oracle Identity Manager user entity describes the user within the Oracle Identity Manager namespace. The
attributes used to describe the user entity include the user's first, middle, and last name, the user's displayed
name, the user's login ID to Oracle Identity Manager, and an email address for the user. Other attributes are
used to associate the user entity to resources, roles, organizations, and other Oracle Identity Manager objects. A
user is associated with a single user entity within the Oracle Identity Manager environment.
The life cycle of the user entity is tied to the identity status. Oracle Identity Manager maintains two types of
status information on an account. The first is the identity status, while the second is the account status. The
identity status for an account can be one of active, disabled, or deleted. The account status can be locked or
unlocked.
Types of Users:
Two types of Oracle Identity Manager users determine access rights to specific aspects of Oracle Identity
Manager. These types include:
End-User Administrator:
An end-user administrator is a user who has access to both the Administrative and User Console and the
Design Console. An end-user administrator may be tasked with managing access rights for users, changing the
status of process tasks, or other tasks that include managing the Oracle Identity Manager environment from
higher levels. These tasks are normally associated with system administrators, who are responsible for ensuring
that Oracle Identity Manager continues to be operable. The need to access forms and troubleshooting Oracle
Identity Manager compels access to both the Oracle Identity Manager Administrative and User Console and
the Design Console. The user can access the Design Console through Design Console Access in the details
view for the user.
End-User:
End users are normally recipients of resources provisioned to them by Oracle Identity Manager. They have the
ability to log in to the Oracle Identity Manager Administrative and User Console to perform tasks such as
viewing their user profiles, allocated resources, and assigned roles. By default, they can perform self-service
tasks from the console.
What is the Life Cycle of Users? Or what is a User Entity Life Cycle?
A user entity can be created, managed, and terminated in the Oracle Identity Manager environment through a
concept known as the user life cycle. The stages within the user life cycle, known as the identity status, are
Non-existent, Disabled, Active, and Deleted. These states are managed by events or tasks performed within the
system, or are based on time factors.
A user entity can be created if it did not previously exist in the environment. This user entity can be active or
disabled. An active user is capable of logging in to the Oracle Identity Manager environment, whereas a
disabled account exists in the system, but the user cannot log in to the account. In a sample scenario of the
latter state, the user is a new employee whose account is being readied for a future start date. The account will
not become active until the day that the employee's actual start date occurs.
An active user entity can be modified, disabled, or deleted. By disabling the account, the user cannot log in to
Oracle Identity Manager. Modification to a user entity may include new provisioning, for example, if the user
has been moved to a different job and requires access to new systems. Disabling an account might occur if the
employee is leaving the company for a specified period of time or permanently. This disabling prevents
unauthorized access after the employee's termination, leave of absence, or retirement date. Deleting the
account removes the account from the Oracle Identity Manager environment.
A disabled user can be modified, enabled, or deleted from the environment. Remember, a disabled account
means that the user may not log in to their account. The account can still be modified to reflect changes to the
employee's status and access to objects. Additionally, the account can be enabled to be made active, or deleted
to mark a user entity for removal from the environment.
A deleted user cannot be modified within the Oracle Identity Manager environment. You can specifically
search for users marked as deleted by using the Advanced Search capabilities within the Oracle Identity
Manager environment. Though the user status is deleted, the user entity data remains in the database until it has
been purged.
What are Oracle Identity Manager Organizations?
An Oracle Identity Manager organization is a logical container of entities including users and other
organizations defined within Oracle Identity Manager. Oracle Identity Manager can have a flat organizational
structure or a hierarchical structure, which means that an organization can contain other organizations. These
child organizations are known as suborganizations. An organization can mimic the hierarchical structure found
within a company, department, branch, division, cost center, or geographical regions. The organization
hierarchy should be designed to best manage the environment to which Oracle Identity Manager is being
deployed.
In addition to acting as a container for user and organization entities, resources can be provisioned to an
organization. Resources provisioned to the organization become available to members of the organization.
Organizations are used not only as logical containers for organizing Oracle Identity Manager entities, but also to
support a delegated administrative model. In such a model, permissions associated with an organization within
the hierarchical structure are inherited by the organization's child entities.
Organizations are closely related to Resources and the Users getting provisioned into them.
What are Oracle Identity Manager Roles?
An Oracle Identity Manager role is used to define the access rights that an entity may have. These defined roles
use unique role names to differentiate them within the Oracle Identity Manager environment. A role may be
associated with one or more access rights to Oracle Identity Manager functions. For example, a single role
enables a user to create other Oracle Identity Manager user accounts and manage a specific organization. Roles
determine the links and menus that are available to users when they log in to the console.
Roles assigned to organizations determine the access rights that members of that organization inherit. Users may
also be directly assigned to a role instead of inheriting the role through the organizational structure.
As with organizations, roles can be organized into a hierarchical structure. This hierarchical structure enables
roles to inherit access rights from other roles, creating parent and children roles.
Roles are closely related to Access Rights of users to use the Resources.

Explain Role Hierarchy?

Role hierarchy describes the relationship between two or more roles defined within Oracle Identity Manager. A
role may act as both a parent and a child to other roles.
A child role would be considered a specialized role providing access rights to a smaller group of users. A child
role may therefore have one or more parents. The relationship between parent and child is one from
generalization to specialization. An example of a generalized role would be the employee role. An employee has
the ability to update or request access to resources. An employee may be an individual contributor or a manager.
The manager role is a more specialized role than the employee role. It assigns access rights allowing an individual
assigned to the manager role to manage requests from their employees, approving or rejecting requests. A director
is an even more specialized role in relation to the manager role. The director role provides the associated users
with the ability to manage their organization. As you move further down the tree, the role becomes more and
more specialized.
A child role inherits the permissions associated with its parent role or roles. In addition to its own access rights,
the director role inherits the access rights defined in the manager and employee roles.
A parent role differs from the child role in that it does not inherit the access rights defined for any of its children.
The parent role does, however, inherit the members of its child roles. Any users associated with the director role
are also members of the manager role. Members of the manager role are indirectly members of the employee role.
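
The two inheritance directions described above (access rights flow from parent to child, members flow from child to parent) can be modelled as a small graph. This is an added example, not Oracle Identity Manager code: the class, the right names, the extra "auditor" parent role and the users are constructed for illustration.

```python
from collections import defaultdict


class RoleHierarchy:
    """Toy model of the role inheritance rules described above (not OIM code)."""

    def __init__(self):
        self.parents = defaultdict(set)   # child role  -> its parent roles
        self.children = defaultdict(set)  # parent role -> its child roles
        self.rights = {}                  # role -> access rights granted directly
        self.members = {}                 # role -> users assigned directly

    def add_role(self, role, rights=(), parents=()):
        for parent in parents:
            if parent not in self.rights:
                raise ValueError(f"unknown parent role: {parent}")
            # Reject an edge that would make a role its own ancestor.
            if parent == role or role in self._reachable(parent, self.parents):
                raise ValueError(f"cycle: {role} -> {parent}")
        self.rights.setdefault(role, set()).update(rights)
        self.members.setdefault(role, set())
        for parent in parents:
            self.parents[role].add(parent)
            self.children[parent].add(role)

    def assign(self, user, role):
        self.members[role].add(user)  # KeyError for an unknown role

    @staticmethod
    def _reachable(start, edges):
        """All roles reachable from start by following edges (start excluded)."""
        seen, stack = set(), [start]
        while stack:
            for nxt in edges.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def effective_rights(self, role):
        """Own rights plus those of every ancestor (child inherits from parents)."""
        roles = {role} | self._reachable(role, self.parents)
        return set().union(*(self.rights[r] for r in roles))

    def effective_members(self, role):
        """Direct members plus members of every descendant (parent inherits members)."""
        roles = {role} | self._reachable(role, self.children)
        return set().union(*(self.members[r] for r in roles))

    def explain_rights(self, user):
        """For an access review: each right the user holds and the roles granting it."""
        granted = defaultdict(set)
        for role, users in self.members.items():
            if user in users:
                for r in {role} | self._reachable(role, self.parents):
                    for right in self.rights[r]:
                        granted[right].add(r)
        return {right: sorted(roles) for right, roles in granted.items()}


def build_sample():
    """Constructed sample: employee <- manager <- director, plus a second parent."""
    h = RoleHierarchy()
    h.add_role("employee", rights={"update_profile", "request_access"})
    h.add_role("auditor", rights={"view_reports"})  # assumed extra parent role
    h.add_role("manager", rights={"approve_request"}, parents={"employee"})
    h.add_role("director", rights={"manage_organization"},
               parents={"manager", "auditor"})
    h.assign("carol", "employee")
    h.assign("bob", "manager")
    h.assign("alice", "director")
    return h


if __name__ == "__main__":
    h = build_sample()
    for role in ("employee", "manager", "director"):
        print(role, sorted(h.effective_rights(role)), sorted(h.effective_members(role)))
    print(h.explain_rights("alice"))
```

The explain_rights output is the view an access review needs: a right that a user holds only through an inherited parent role is easy to overlook when roles are inspected one at a time.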

Explain Role Category?


Roles can be grouped into a category, organizing the roles for the purpose of navigation and authorization. Two
categories exist by default in an out-of-the-box installation of Oracle Identity Manager:
OIM Roles: The OIM Roles category contains the list of predefined roles that exist in Oracle Identity Manager
by default. These roles are primarily used for managing permissions and access rights to menu items, links, and
buttons within the Oracle Identity Manager environment.
Default: Any roles created within Oracle Identity Manager that are not assigned to a category at the time of
creation are assigned to the Default category by default.
Create role categories to organize the custom roles to be created for managing organizations.

Explain the Provisioning process? What are the Types of Provisioning?


Resources:
To understand Provisioning, one should first know about Resources. A resource is an external system, service, or
application with which Oracle Identity Manager communicates to perform either provisioning or reconciliation.
Provisioning:
Provisioning is a process where Users are created, maintained and deleted in Resources or Target Systems.
Provisioning of Users can be achieved by using connectors and other configuration in OIM to save their
information in Target Systems.
Oracle Identity Manager acts as the front-end entry point for managing user data on the target systems. After
accounts are provisioned, the users for whom the accounts have been provisioned can access the target systems
without any interaction with Oracle Identity Manager.
Oracle Identity Manager provisions the related resource to the user. For this to occur, fields in the custom process
form (contained in the connector that represents the resource and associated with the designated provisioning
workflow) must be populated with data. This information must then be saved to a database so that Oracle Identity
Manager can use it to provision a user with the corresponding resource.
The outward flow of User Information from OIM to Resources or Target Systems is known as Provisioning.
Types of Provisioning:
There are two ways in which the fields of a custom process form are populated with information and
corresponding data used by Oracle Identity Manager to provision a user with a resource:
Manual Provisioning:
An Oracle Identity Manager administrator completes the form and saves values to the database. Manual
intervention is required by the administrator for provisioning to occur.
Manual provisioning is the process by which an Oracle Identity Manager administrator:
Populates the process form of the connector that represents the resource to be provisioned
Saves form values to a database
Auto Provisioning:
Oracle Identity Manager fills out the form, saves information to its database, and uses this data to
provision the user with the resource. Oracle Identity Manager completes these actions (instead of an
administrator) with no manual intervention required.
Oracle Identity Manager populates this form through adapters that are activated when certain rules or conditions
are met. Oracle Identity Manager itself completes these three actions (instead of an administrator).
Autoprovisioning eliminates the manual steps performed by an administrator to fill out the custom process form
and save form values to the database.
What is De-provisioning? Explain auto-de-provisioning process?
Explain the Reconciliation Process?

Oracle Identity Manager provides a centralized control mechanism to manage users and entitlements and to
control user access to resources. However, you can choose not to use Oracle Identity Manager as the primary
repository or the front-end entry point of your user accounts. Instead, you can use Oracle Identity Manager to
periodically poll your target systems for maintaining an up-to-date profile of all accounts that exist on those
systems.
Reconciliation is the process by which an action to create, modify, or delete an identity for a designated resource
(a target system identity) in Oracle Identity Manager is initiated from another external resource. Oracle Identity
Manager communicates with this resource to receive user information.
The reconciliation process compares the entries in the Oracle Identity Manager repository and the target system
repository, determines the difference between the two repositories, and applies the latest changes to the Oracle
Identity Manager repository.
Reconciliation of roles, role memberships, and role hierarchy changes are handled as separate reconciliation
events. The best practice is to submit role events first, followed by role membership events. This is done to avoid
dependency issues where one reconciliation event cannot be processed until another event is reconciled. These
dependency issues are called race conditions. For example, before the reconciliation engine can reconcile an
event that is supposed to create an account, the engine needs to reconcile an event that is supposed to create a
user.
In terms of data flow, reconciliation provides an inward flow of user information into Oracle Identity Manager by
using either a push model or a pull model, through which it learns about any activity on the external resource.
Types of Reconciliation:
Target Resource Reconciliation:
While configuring reconciliation, you can designate a target system as a target resource. In a target resource
reconciliation run, resources assigned to OIM Users are synchronized with target system accounts of the same
users.
The following example illustrates how target resource reconciliation works:

Suppose an account is created for user John Doe on Microsoft Active Directory. After the next target resource
reconciliation run, the Microsoft Active Directory resource is allocated to the OIM User identity of John Doe.
The attributes of the resource allocated to the OIM User have the same values as the attributes of the account
created in Microsoft Active Directory.
If changes are made to the account in Microsoft Active Directory, then the same changes are made to the resource
allocated to the OIM User during subsequent reconciliation runs.
Trusted Resource Reconciliation:
An external resource functions as a trusted source (such as an HR system or corporate directory). In addition, it
drives the creation, modification, and deletion of users, roles, role memberships, or role hierarchies in the Oracle
Identity Manager repository.
In the operating environment of your organization, multiple target systems might act as trusted sources for the
various attributes that constitute the user account. For example, employees' first names and last names might
come from the HR system, and employees' e-mail addresses might come from Microsoft Active Directory. In
such a scenario, you can configure each target system as a trusted source for a specific attribute or set of attributes
of the user accounts. By doing this, you configure multiple trusted source reconciliation, which is a special
implementation of trusted source reconciliation.
Reconciliation Mode: Full or Incremental
You can use Oracle Identity Manager to perform full reconciliation with a target system. The purpose of this
mode of reconciliation is to fetch all target system accounts for processing during reconciliation. Full
reconciliation is performed by default during the first reconciliation run performed on a target system. The
timestamp at which this reconciliation run begins is recorded in Oracle Identity Manager. For the next
reconciliation run, accounts that have been added, modified, or deleted after the recorded time stamp are fetched
for reconciliation. In other words, from the second reconciliation run onward, incremental reconciliation becomes
the default reconciliation mode.
You can manually switch from incremental reconciliation to full reconciliation or from full reconciliation to
incremental reconciliation.
Reconciliation Events:

Update Received
Create Received
Delete Received
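
The comparison step, the full and incremental modes and the three event types can be seen together in a short model. This is an added example, not Oracle Identity Manager code: the record layout (a "changed_at" integer timestamp and a "deleted" tombstone flag per target account), the function names and the sample accounts are constructed assumptions.

```python
CREATE, UPDATE, DELETE = "Create Received", "Update Received", "Delete Received"


def fetch(target, mode, last_run):
    """Full mode fetches every target record; incremental only later changes."""
    if mode == "full":
        return dict(target)
    return {k: r for k, r in target.items() if r["changed_at"] > last_run}


def apply_event(repo, event):
    kind, login, data = event
    if kind == DELETE:
        repo.pop(login, None)
    elif kind == CREATE:
        repo[login] = dict(data)
    else:
        repo[login].update(data)


def reconcile(repo, target, state, now, mode=None):
    """Compare target records with the repository, emit events, apply them.

    repo:   login -> attributes held on the identity-manager side
    target: login -> {"attrs": {...}, "changed_at": int, "deleted": bool}
    state:  {"last_run": int or None}; now is the time this run begins
    """
    last_run = state.get("last_run")
    if last_run is None:
        mode = "full"            # the first run is always a full run
    elif mode is None:
        mode = "incremental"     # default from the second run onward
    fetched = fetch(target, mode, last_run)

    events = []
    for login in sorted(fetched):
        rec = fetched[login]
        if rec["deleted"]:
            if login in repo:
                events.append((DELETE, login, {}))
        elif login not in repo:
            events.append((CREATE, login, dict(rec["attrs"])))
        else:
            changed = {k: v for k, v in rec["attrs"].items()
                       if repo[login].get(k) != v}
            if changed:
                events.append((UPDATE, login, changed))
    if mode == "full":
        # Only a full run can notice accounts that vanished without a tombstone.
        for login in sorted(set(repo) - set(target)):
            events.append((DELETE, login, {}))

    for event in events:
        apply_event(repo, event)
    state["last_run"] = now      # timestamp at which this run began
    return events


def demo():
    """Constructed scenario: four runs against a changing target system."""
    repo, state = {}, {"last_run": None}
    target = {
        "jdoe": {"attrs": {"mail": "jdoe@example.com", "dept": "Sales"},
                 "changed_at": 90, "deleted": False},
        "asmith": {"attrs": {"mail": "asmith@example.com", "dept": "HR"},
                   "changed_at": 95, "deleted": False},
    }
    runs = [reconcile(repo, target, state, now=100)]              # full (first run)

    target["jdoe"]["attrs"]["dept"] = "Marketing"
    target["jdoe"]["changed_at"] = 110
    target["bkim"] = {"attrs": {"mail": "bkim@example.com", "dept": "IT"},
                      "changed_at": 120, "deleted": False}
    target["asmith"].update(deleted=True, changed_at=130)
    runs.append(reconcile(repo, target, state, now=200))          # incremental

    del target["bkim"]                                            # removed, no tombstone
    runs.append(reconcile(repo, target, state, now=300))          # incremental: sees nothing
    runs.append(reconcile(repo, target, state, now=400, mode="full"))
    return runs, repo


if __name__ == "__main__":
    for number, events in enumerate(demo()[0], start=1):
        print("run", number, events)
```

In the third run the removed account goes unnoticed because nothing carries a newer timestamp; the manually requested full run in the fourth step is what raises the Delete Received event.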

What is the purpose of Reconciliation Manager?

You can look here for reconciliation data once reconciliation is complete. You can determine whether an event was
received and linked or not.
What do you mean by Connectors?
Connectors are the plugins that help in integrating OIM with External Sources or Target Systems. In any OIM
implementation, Reconciliation and Provisioning depend on the configuration provided by these Connectors.

Connectors are the containers that consist of several components like IT Resources, Process Forms, Adapters, and
Event Handlers which are needed to integrate the External Sources, Applications and Target Systems.
Scalable and flexible integration architecture is critical for the successful deployment of a company's
provisioning solutions. Oracle Identity Manager offers proven integration architecture and predefined connectors
for fast and low-cost deployments.
There are three types of integration solutions:
Predefined or OOTB (Out Of The Box) Connector.
Oracle Identity Manager offers an extensive library of predefined connectors for commercial applications and
other identity-aware systems that are used widely. By using these connectors, an organization can get a head start
on application integration. Each connector supports a wide range of identity management functions. These
connectors use the most appropriate integration technology recommended for the target resource, whether it is
proprietary or based on open standards. These connectors enable out-of-the-box integration between a set of
heterogeneous target systems and Oracle Identity Manager. Because the connectors provide a set of components
that were originally developed by using the Adapter Factory, you can further modify them with the Adapter
Factory to enable the unique integration requirements of each organization.
GTC (Generic Technology Connector):
If you do not need the customization features of the Adapter Factory to create your custom connector, you can
use the Generic Technology Connector feature of Oracle Identity Manager to create the connector.
Adapter Factory or Custom Connectors:
Integrating most provisioning systems with managed resources is not easy. Connecting to proprietary systems
might be difficult. The Adapter Factory eliminates the complexity associated with creating and maintaining these
connections. The Adapter Factory provided by Oracle Identity Manager is a code-generation tool that enables you
to create Java classes. The Adapter Factory provides rapid integration with commercial or custom systems. Users
can create or modify integrations by using the graphical user interface of the Adapter Factory, without
programming or scripting. When connectors are created, the Oracle Identity Manager repository maintains their
definitions, creating self-documenting views. You use these views to extend, maintain, and upgrade connectors.
Steps to Install OOTB Connectors:
o Extract the zip file.
o Copy the extracted folder into ConnectorDefaultDirectory under OIM_HOME/server/.
o Go to the Administration Console of OIM.
o Click on Manage Connectors in the left pane.
o Select Install Connector.
o Select the Connector you want to install from the list given.
o Start the installation.

What is an Event Handler?

In an Identity Management system, any action performed by a user or system is called an operation or Event.
Examples of Events are creating users, updating users, creating password policy, and so on. In a nutshell,
whatever action is performed for a user or identity is an Event. Each Event goes through pre- and post-processing stages.

Each operation performed in an identity management environment can have consequences for users or other
entities. For example, creating a user might result in provisioning of resources to that user, updating the history
results in changes to the reporting tables, and creating a new password policy might make certain user passwords
invalid and require changes during next login.
Operations specific to a user, such as creation, modification, deletion, enable, disable, and so on are referred to
as user management operations. The lifecycle of an operation consists of these stages:

validation
pre-processing
audit
action
post-processing
compensation
finalization

You can customize the consequences of user management operations such as create, update, delete, enable,
disable, lock, unlock, and change password - also referred to as the post-processing functions of user
management operations - by writing event handlers.
Types:
1. Pre-process Event Handler
2. Post-Process Event Handler
Pre-process Event Handler
Mostly Pre-process Event Handlers are used for Validation Purpose.
Post-process Event Handler
Post-process Event Handlers are written mainly when there is a need of making changes internally after any event
is triggered in OIM. For example: Assign Role according to Organization, Auto Assign an email ID using Firstname
and Lastname of user and so on.
General Steps to Create a Custom Event Handler:
1. Include the following JAR files in the class path to compile a custom class:
From OIM_INSTALL_HOME/server/platform
o iam-platform-kernel.jar
o iam-platform-utils.jar
o iam-platform-context.jar
o iam-platform-authz-service.jar
From OIM_INSTALL_HOME/designconsole/lib
o oimclient.jar
o xlAPI.jar
2. The following jar files are required to compile the Custom Scheduler Task Java file. They are:
1) wlfullclient.jar
2) wlclient.jar
Generating wlfullclient.jar
Go to the WL_Home/server/lib directory and run the following command:
java -jar wljarbuilder.jar

It will generate the wlfullclient.jar file and set the class path for the wlfullclient.jar and wlclient.jar file.
3. Create a library of JAR
4. Write custom classes to achieve the purpose
5. Make Jar File
jar cvf NamePreProcessEventHandlers.jar *
6. Develop the Custom Event Handler Config File or Metadata File.

<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
  <action-handler class="test.eventhandlers.NamePreProcessEventHandlers" entity-type="User"
      operation="CREATE" name="NamePreProcessEventHandlers" stage="preprocess" order="FIRST"
      sync="TRUE"/>
</eventhandlers>

Save this file as EventHandlers.xml and the directory structure of the file is
/oracle/home/eventhandlers/metadata/EventHandlers.xml.

7. Create Plug-in (plugin.xml file) for Custom Event Handlers

<oimplugins>
  <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
    <plugin pluginclass="test.eventhandlers.NamePreProcessEventHandlers"
        version="1.0"
        name="NamePreProcessEventHandlers"/>
  </plugins>
</oimplugins>

8. Make the EventHandler.zip File
plugin.xml file
lib/NamePreProcessEventHandlers.jar

9. Register the Plug-in File into the OIM Server
ant -f pluginregistration.xml register
It will ask the following details after running the above command
1) OIM Admin User Name : xelsysadm
2) OIM Admin Password : xelsysadm password
3) OIM URL : t3://localhost:14000
4) Plugin Zip File absolute path.
It will deploy the OIM Plugin without any issue. Sometimes it will throw an error if the class file is not found
in the jar file.
10. Importing the Custom Event into MDS Schema
Go to the OIM_HOME/bin directory and modify the following properties in the weblogic.properties file:
wls_servername=oim_server1
application_name=OIMMetadata
metadata_from_loc=/home/oracle/eventhandlers
The Event Handler Config file location is /home/oracle/eventhandlers/metadata/EventHandlers.xml
Run the weblogicImportMetadata.sh file and it will ask for the following details:
1) Weblogic Admin User Name : weblogic
2) Weblogic Admin Password : weblogic admin password
3) weblogic Admin URL : t3://localhost:7001
After running the above command the custom scheduler task will be imported into the MDS Schema.
11. Clear the OIM Cache
Run the PurgeCache.sh All file and it will ask for the following details:
1) OIM Admin User Name : xelsysadm
2) OIM Admin Password : xelsysadm password
3) OIM URL : t3://localhost:14000
After running the above command, the OIM cache will be cleared.
12. Restart the OIM Server
Go to the WL_DOMAIN_HOME/bin directory and run the stopManagedServer.sh oim_server1 command;
it will stop the OIM managed server.
Run startManagedServer.sh oim_server1 and it will start the OIM Managed Server.
What is an Adapter? What Adapters are available in OIM?
An adapter is a Java class which helps in automation of process within OIM and is created by an Oracle Identity
Manager user through the Adapter Factory.

Process Tasks adapters - automate completion of a process task and are attached to a Process Definition
Form (AD user, OID User, etc)

Entity Adapter - automatically populates a field on the OIM User form or custom User Form on pre-update,
pre-delete, pre-insert, post-insert, post-update, or post-delete

Pre-Populate Adapter - specific type of rule generator attached to a user-created form field that can
automatically generate data to the Process form but does not save that data to the OIM database but does send
that information to appropriate directory user object. The data can come from manual entry on a form or from
automated entry from the OIM defined forms.


Rule Generator - can populate fields automatically on an OIM form or a user-created form and save to the
OIM database based on business rules

Task Assignment Adapter - automates the assignment of a process task to a user or group

Types of Adapters
This section provides additional details about the five adapter types.
Rule Generator Adapters
Certain business rules must be applied to perform field validations and enter default values into the forms
which either come packaged with Oracle Identity Manager or are created by Oracle Identity Manager users. For
example, for the Users form, you might want Oracle Identity Manager to generate the User ID automatically by
concatenating the user's first name and last name.
To do this, you must create a specific type of adapter, which is designed to modify the field value in a
form. This type of adapter, which can generate, modify, or verify the value of a form field automatically, is called
a rule generator. Oracle Identity Manager triggers a rule generator on preinsert and preupdate.
After you create this adapter and attach it to a form, Oracle Identity Manager automatically updates the
field value for all records of that form, and saves this information to the Oracle Identity Manager database.
If you create a rule generator that contains adapter variables, you must map these adapter variables to
their proper locations. Otherwise, the adapter will not be functional.
You can also attach this type of adapter to a provisioning process. Once the process is provisioned to a
target user or organization, Oracle Identity Manager will trigger the associated rule generator.
On occasion, a rule generator which has been assigned to a provisioning process might no longer be
needed to complete the process. If this happens, you can remove the rule generator from the provisioning process.
Similarly, after you attach one rule generator to a form field, you can connect a different rule generator to that
form field. When this occurs, you must first remove the rule generator currently attached to the form field.
Entity Adapters
Similar to rule generator adapters, entity adapters are also responsible for generating, modifying, or
verifying the value of a form field automatically, and saving this information to the Oracle Identity Manager
database.
Some differences between rule generators and entity adapters are:

Execution schedule. Entity adapters can be triggered by Oracle Identity Manager on preinsert, preupdate,
predelete, postinsert, postupdate, and postdelete. A rule generator adapter can be executed only on preinsert and
preupdate.
Manual field value modification. The adapter populates the form field to which an entity adapter is attached. An
Oracle Identity Manager user should not edit this value because the entity adapter will overwrite this
modification. As a result, the modification will not be saved to the database.
Similarly, the adapter also populates the form field to which a rule generator adapter is attached. However, an
Oracle Identity Manager user can edit this value because this modification will take precedence over the value
that the rule generator adapter generates. Because of this, the modification will be saved to the database.


Background color of form field. If a rule generator is attached to a form field, the field will appear in a particular
background color such as pink. This is a visual indicator that the field has a rule generator attached to it. On the
other hand, when an entity adapter is attached to a form field, the field will not have a distinct background color.

Task Assignment Adapters


For a process task that must be completed manually, you can configure Oracle Identity Manager to automate
the assignment of the task to either a specific user or a user who belongs to a particular role. This is achieved through
the use of a task assignment adapter. Task assignment adapters are used only for assigning a task to a particular user
or role.
When a task associated with a specific provisioning process is created using the Tasks tab in the Process
Definition form of the Design Console, you can choose the rule that decides whether the adapter will be picked up for
execution. Note that this rule is defined in the Rule Definition form of the Design Console. An example of a rule is
"Target User's Org name is XYZ". If this rule is satisfied, then the corresponding task assignment is picked up.
However, you can have multiple rules defined and used while deciding task assignment. For multiple rules, Oracle
Identity Manager associates priority with the task assignment functionality to decide the order in which the rule
determination must occur. When the rule is determined, the corresponding task assignment is run.
Note:
In other words, the task assignment rule allows Oracle Identity Manager to decide whether to assign a process
task to a user or role. The task assignment adapter enables Oracle Identity Manager to determine which user or role
will be the recipient of the process task.
For this example, Oracle Identity Manager will trigger the Associate Adapter with User rule first (because it
has the highest priority). If the condition of this rule is TRUE, it is successful. As a result, Oracle Identity Manager
will associate the related task assignment adapter (the Assign Task to User adapter) with the process task.
On the other hand, when the condition of a rule is FALSE, the rule has failed. Oracle Identity Manager
triggers the rule with the next highest priority. If this rule is successful, then Oracle Identity Manager assigns the
designated adapter to the target process task.
So, in this example, if the Associate Adapter with User rule fails, then Oracle Identity Manager triggers the
Associate Adapter with Role rule. If this rule is successful, then Oracle Identity Manager associates the related task
assignment adapter (the Assign Task to Role adapter) to the process task.
After assigning a rule to a task assignment adapter, if this type of adapter contains adapter variables, you must
map these variables to their proper locations. Otherwise, the adapter will not be functional.
Finally, when a task assignment adapter becomes invalid, or is no longer necessary for Oracle Identity
Manager to allocate the process task to a user or group, you must remove the adapter from the task.
Prepopulate Adapters
Sometimes a user-created form contains both fields that can be populated by Oracle Identity Manager and
fields into which an Oracle Identity Manager user must enter data. When the information that the user types into a
field is contingent upon the data that appears in a system-generated field, Oracle Identity Manager must first populate
this field. When the form is displayed, the user can view the system-generated data to enter information into the
appropriate fields.


This is achieved by creating a type of rule generator known as a prepopulate adapter. By attaching it to a field
designated to be system-generated, you enable Oracle Identity Manager to automatically populate this field with the
appropriate information, without saving this information to the Oracle Identity Manager database.
The data generated by a prepopulate adapter can appear automatically or it can be manually entered. Oracle
Identity Manager displays this information automatically when the Auto-prepopulate check box is selected for a
provisioning process. When this check box is cleared, an Oracle Identity Manager user must manually generate the
displaying of the data that is generated by the prepopulate adapter. To do this, click the prepopulate button on the
form section of the Direct Provisioning wizard in the Web client, while provisioning the form to a user.
You can use the same prepopulate adapter for different form fields. In addition, you can designate multiple
prepopulate adapters to be associated with a particular field. As a result, Oracle Identity Manager must know which
prepopulate adapter it must select for the form field. This requires the use of prepopulate rules. These rules enable
Oracle Identity Manager to select one prepopulate adapter, which is associated with a form field, when this
prepopulate adapter is assigned to the field.
Each prepopulate adapter has a prepopulate rule associated with it. In addition every rule has a priority
number which indicates the order in which Oracle Identity Manager triggers it.
For example, Oracle Identity Manager can trigger the Rule for Uppercase User ID rule first because it has the
highest priority. If the condition of this rule is TRUE, it is successful. As a result, Oracle Identity Manager will attach
the related prepopulate adapter (the Display Uppercase Letters for User ID adapter) to the User ID field.
On the other hand, when the condition of a rule is FALSE, the rule has failed. Oracle Identity Manager will
trigger the rule with the next highest priority. If this rule is successful, Oracle Identity Manager will attach the
associated adapter to the designated field.
So, in this example, if the Rule for Uppercase User ID rule fails, Oracle Identity Manager will trigger the
Rule for Lowercase User ID rule. If this rule is successful, Oracle Identity Manager will attach the related prepopulate
adapter (the Display Lowercase Letters for User ID adapter) to the User ID field.
After assigning a rule to a prepopulate adapter, if this type of adapter contains adapter variables, you must
map these adapter variables to their proper locations. Otherwise, the adapter will not be functional.
Finally, when a prepopulate adapter associated with a field is no longer valid, you must remove the adapter
from the field.
Process Task Adapters
A process task adapter enables Oracle Identity Manager to automatically execute process tasks in
provisioning processes.
Each process and process task has a status, which indicates the stage of its completion. The statuses for a
process or process task are listed in the following table in order of importance.
Task Status    Description
               Completed: This process/process task has been completed successfully.
MC             Manually Completed: This process task has been completed successfully by an Oracle Identity Manager user (that is, manually).
               Pending: This process/process task is in the process of being completed. All preceding tasks and processes, respectively, have been completed.
PX             Pending Cancellation: This process task will be canceled, but this task has to be completed first before it can be canceled.
               Rejected: This process/process task has not been completed successfully or has not been approved. The status of rejected process tasks can only be changed to Canceled or Unsuccessfully Completed.
               Suspended: This process/process task has been put on hold temporarily.
UC             Unsuccessfully Completed: This process task has been set to Completed. However, it had been rejected before.
               Waiting: This process/process task cannot be completed until all preceding process tasks or processes are completed.
               This process/process task has been stopped. Its status cannot change anymore.
The status level of a process represents the most important status level of its process tasks, which must be
completed for the process to be completed. Suppose a process has three process tasks, each process task has a
different status level (Completed, Waiting, and Rejected), and all three process tasks must be completed for the
process to complete. Because the highest task status level is Rejected, the status level of the process is
also Rejected.
A process task can be managed in these ways:

It can be handled manually by using the Object Process Console tab of the Organizations or Users forms, or the
Oracle Identity Manager Web Application.
An Oracle Identity Manager process can be configured so that one (or more) of its tasks is triggered automatically
once it achieves a status of Pending.

What is Resource Object (RO)?


An RO is, in its most basic form, a virtual representation of an account on a target system. If an
OIM user has an account on the target system, the user has an RO instance associated with it.
The most basic process that you perform with ROs is provisioning the account to a target system. The provisioning is
handled by a provisioning process. A provisioning process usually consists of a number of provisioning tasks
that fire adapters, which in turn call code, often Java code, that actually does the provisioning work.
What is Application Server and Web server?
A Web server exclusively handles HTTP requests, whereas an application server serves business logic to
application programs through any number of protocols.
A web server mainly handles HTTP requests, whereas an application server can handle HTTP, RMI, TCP/IP and many
more protocols. A web server just handles the requests for a web page. Suppose an HTML page (the presentation
layer) requests data: a script containing the business logic is written, and the web server just returns the response
with the required data from the database. The HTML page with the script is then used to show the retrieved
information. An application server does the same thing, getting the data and giving the response, but it can also
process the requests. That is, instead of the script knowing how to fetch the data, the script simply calls the
application server's lookup service to retrieve and process the data, so the application server is used for
processing and applying logic. The web server can be considered a subset of the application server.
The basic difference between a web server and an application server is:
A web server can execute only web applications, i.e. servlets and JSPs, and has only a single container, known as
the web container, which is used to interpret/execute web applications.
An application server can execute enterprise applications, i.e. servlets, JSPs, and EJBs. It has two containers:
1. Web container (for interpreting/executing servlets and JSPs)
2. EJB container (for executing EJBs). It can perform operations like load balancing, transaction demarcation, etc.
What is the purpose of rule designer?
Use this form to create rules that can be applied to password policy selection, automatic group membership,
provisioning process selection, task assignment, and prepopulating adapters
General
Process Determination
Task Assignment
Pre-Populate
Explain the Approval process?
What is suppress standard approval process?
Have you been involved in developing a custom connector?
Have you been involved in developing a custom adapter?
Explain the attestation process.
What is clustering in IDM?
Explain the provisioning process for a user-defined field (custom field).
Explain the delegated administration process (Design Console and Admin Console).
How do you refer to the logs for the OIM Server?
Explain password sync.
How do you configure the connector?
What is the onboarding and offboarding process?
Explain the architecture of OVD and OID.
Can you generate a connector using GTC?
What is a proxy? How do you modify and remove a proxy?

Can you explain how to export a connector?


What is a report? What is the difference between operational reports and historical reports?
Operational Reports:
User Entitlements
Resource Access List
Group Membership
Policy List
OIM Password Expiration
Approval Status by Approver
Historical Reports:
User Access History
Resource Access List History
User Profile History
User Membership History
Group Membership History
User Lifecycle
Users Deleted
Task Assignment History
How do you change the functionality of the Administrative console without modifying the Oracle Identity Manager
code?
How do you modify the look and feel of the Administrative console?
How do you perform a version upgrade in OIM?
What is the difference between an Object Form and a Process Form?
