
Oracle Identity Manager

Before we try to understand what OIM is, let's first cover some basics of Identity Management.

What is Identity Management?

Identity Management is a combination of people, process and technology that allows an enterprise to manage the end-to-end lifecycle of user accounts across enterprise resources (and sometimes across their partners, service providers and business customers).

The definition above packs in a lot of terms, so it is important to define each of them to ensure that we all have the same understanding.

Users

Users are people and systems (e.g. a billing system that generates bills from the users' account data) that need access to enterprise resources, whether to perform operations or to read data. People may include employees, contractors, partners, customers (businesses and/or individuals) and others.
  

Enterprise Resources

Enterprise Resources are applications (e.g. a web application) or services (e.g. a web service) that allow users to perform operations (e.g. transfer funds) and manage data (e.g. read an account balance).
Users may use these applications and services only if they are authorized (i.e. allowed) to do so.
 

Authentication and Authorization

In order to access applications and services, users need to present their identity (e.g. a user login ID) and, usually, a credential (e.g. a password, a certificate, etc.) to authenticate themselves. Once a user has successfully authenticated, the application or service uses that authenticated identity to authorize the operations the user can perform or the data they can manage.


In order to authenticate and authorize users, applications and services must hold an account corresponding to each user.

User's Account


An account is a collection of attributes that uniquely identifies a user within an enterprise resource. It typically has a user ID/login ID plus additional details such as name, email address, postal address, etc. associated with the user.

The enterprise would need to manage the lifecycle of these accounts. 

Account Life-cycle


An account typically goes through the following lifecycle:
  1. Account Creation - The account may be created based on specific events like
    1. On-boarding - e.g. a LAN ID/Windows login may be created when the user joins the company so that they can log in to their desktop
    2. Request for access - e.g. a user may request a Unix account so that they can run a script
  2. Account Update - The created accounts may be updated based on
    1. Personal events - e.g. change of last name due to marriage
    2. HR events - e.g. change in the user's cost center due to a transfer
  3. Account Disable - The account may be disabled due to
    1. Personal events - e.g. going on a long vacation
    2. HR events - e.g. the user leaves the company
    3. Request - e.g. the user's manager requests that the account on a sensitive application be disabled since the user may no longer need access to it
  4. Account Enable - The account may be enabled due to
    1. Personal events - e.g. the user comes back from a long vacation
    2. HR events - e.g. the user is rehired as a contractor after leaving the company as an employee
    3. Request - e.g. the user may request that the account be enabled once they come back from a long vacation
  5. Account Lock - The account may be locked due to
    1. Specific events - e.g. multiple login failures due to incorrect passwords
    2. Specific time events - e.g. the account has been inactive for 6 months
  6. Account Unlock - The account may be unlocked due to
    1. Specific time events - e.g. locked accounts may be unlocked automatically 30 minutes after the time of lockout
    2. Request - e.g. the user may request that the account be unlocked
  7. Account Delete - The account may be deleted if the user has not been associated with the enterprise for a long time, to free up resources on the system.

Note

Some of the events described above may not be intuitive. For example, why are accounts disabled instead of deleted when a person leaves the company? This is done so that, in case HR makes a mistake or the person is going through a transition, they do not lose all the accounts they have and can be productive immediately if needed, instead of going through the cumbersome process of creating an account on each and every system. A disabled account must still reject every authentication attempt; the difference from deletion is only that it can be re-enabled without being rebuilt.
Please note that the list above will vary between enterprises based on factors like security policy and history.
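The lifecycle above is easiest to reason about as a state machine with a short list of legal transitions, where disabled and locked accounts refuse authentication and delete is reachable only through disable. The Python below is an added example written for this page; it is not code from the page or from Oracle Identity Manager. The class and function names, the actor names, and the thresholds (three failed logins, 30-minute automatic unlock, 180-day inactivity limit) are assumptions chosen to match the events listed above, not OIM defaults. Each transition is recorded with who did it, why, and when, which is the raw material for the audit questions an enterprise has to answer later.

```python
"""Account lifecycle as a state machine with lockout rules and an audit trail.

Added example, not code from the page or from Oracle Identity Manager.
The thresholds (3 failed logins, 30-minute automatic unlock, 180-day
inactivity limit) are assumed values matching the events listed above,
not OIM defaults.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class State(Enum):
    ACTIVE = "active"
    DISABLED = "disabled"  # administrative: HR event, manager request, leave
    LOCKED = "locked"      # protective: failed logins or inactivity
    DELETED = "deleted"    # terminal


MAX_FAILED_LOGINS = 3                     # assumed policy value
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed policy value
INACTIVITY_LIMIT = timedelta(days=180)    # assumed policy value

# The only legal transitions. Delete is reachable only from disabled, so an
# account is parked first and an HR mistake can be undone by re-enabling it.
ALLOWED = {
    (State.ACTIVE, "disable"): State.DISABLED,
    (State.ACTIVE, "lock"): State.LOCKED,
    (State.DISABLED, "enable"): State.ACTIVE,
    (State.LOCKED, "unlock"): State.ACTIVE,
    (State.DISABLED, "delete"): State.DELETED,
}


@dataclass
class AuditEntry:
    """One lifecycle event: what was done, by whom, why and when."""
    when: datetime
    action: str
    actor: str
    reason: str
    from_state: State
    to_state: State


@dataclass
class Account:
    login_id: str
    created: datetime
    state: State = State.ACTIVE
    failed_logins: int = 0
    lock_expires: Optional[datetime] = None   # set only for failed-login lockouts
    last_activity: Optional[datetime] = None  # last successful login or reactivation
    audit: List[AuditEntry] = field(default_factory=list)

    def transition(self, action: str, actor: str, reason: str, now: datetime) -> State:
        """Apply a lifecycle action, refusing anything not in ALLOWED."""
        key = (self.state, action)
        if key not in ALLOWED:
            raise ValueError(f"{action!r} is not allowed from state {self.state.value}")
        new_state = ALLOWED[key]
        self.audit.append(AuditEntry(now, action, actor, reason, self.state, new_state))
        self.state = new_state
        if action in ("unlock", "enable"):
            self.failed_logins = 0
            self.lock_expires = None
            self.last_activity = now  # reactivation restarts the inactivity clock
        return new_state

    def authenticate(self, password_ok: bool, now: datetime) -> bool:
        """True only when the account is active and the credential is valid."""
        # Automatic unlock once a failed-login lockout has expired.
        if (self.state is State.LOCKED and self.lock_expires is not None
                and now >= self.lock_expires):
            self.transition("unlock", "system", "lockout period expired", now)

        # Inactivity lock; it has no expiry, so it needs an unlock request.
        if self.state is State.ACTIVE:
            since = self.last_activity or self.created
            if now - since > INACTIVITY_LIMIT:
                self.transition("lock", "system", "inactive beyond policy limit", now)

        # Disabled, locked and deleted accounts never authenticate, even with
        # the correct password.
        if self.state is not State.ACTIVE:
            return False

        if password_ok:
            self.failed_logins = 0
            self.last_activity = now
            return True

        self.failed_logins += 1
        if self.failed_logins >= MAX_FAILED_LOGINS:
            self.transition("lock", "system",
                            f"{self.failed_logins} consecutive failed logins", now)
            self.lock_expires = now + LOCKOUT_DURATION
        return False
```

Two design choices worth noting: the lockout that follows failed logins carries an expiry and is released automatically on the next attempt after it, while the inactivity lock carries none and is released only by an explicit unlock request, matching the two unlock paths listed above; and a correct password presented against a locked or disabled account returns False without touching the failure counter, so the account state, not the credential, is what gates access.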


Managing Identity

Managing a large number of accounts and associated entitlements

Over the lifetime of the relationship between a user and the enterprise, the user may be assigned multiple accounts across various enterprise resources. For example, a user may have an email ID, a Unix user ID, a timesheet user ID, a 401K account user ID and so on. As the number of users grows, the number of accounts that need to be managed grows with it. In addition, each of these accounts may carry its own authorizations/entitlements, which multiplies the number of items associated with a user.


Auditing Requirements

A growing enterprise, due to multiple legal, operational and security requirements, needs to be able to answer
  1. Who has access to what?
  2. Why do they have the access?
  3. Who authorized the access?
  4. When was the access assigned, and when was it removed?

Increase productivity

Users and senior management are looking for ways to increase employee productivity. This creates a significant push to automate account management based on events (e.g. HR events for employees) and to reduce dependence on manual intervention by exposing account management features (such as account provisioning and password reset) as self-service (e.g. "request account", "forgot password").

Need for identity management

To meet the requirements identified above, an enterprise is expected to have a mature identity management process and technology in place, and this is where Oracle Identity Manager comes in.

What is Oracle Identity Manager?

Oracle Identity Manager enables organizations to manage the end-to-end lifecycle of user identities across all enterprise resources. It is part of the Oracle Identity Governance toolset (Oracle Identity Management Solutions) in the Oracle Fusion Middleware family of Oracle products.

What Next?

The next step could be to
