
OIM 11g R2 PS3

--> PS3: what's new
Approval workflow policies
-- The approval policies that were evaluated in earlier releases are replaced by workflow policies of the form
if (condition) then (Workflow ID). A Workflow ID is a SOA composite reference such as <default/DefaultOperationalApproval!5.0>; the special value DIRECT means skip the approval workflow.

Condition syntax: http://docs.oracle.com/cd/E52734_01/oim/OMADM/workflowrules.htm#CJAFACAE - the UI shows which attributes and operators can be used. The rule language looks very flexible.

The check works as follows:
1. Authorization - is the operation allowed for the requester at all
2. SOA available - are workflows enabled (Workflows Enabled property)
3. Bulk or future-dated operation --> always triggers a request
4. Workflow evaluation
a. evaluate each rule in the defined sequence, one by one
b. if a condition is true, stop; that rule's Workflow ID is the result
c. if no rule matches, fall back to defaultRequestApprovalComposite in SOAConfig for bulk operations and defaultOperationApprovalComposite for everything else
5. Workflow result (most operations ship with a default rule that returns DIRECT for the sysadmin roles)
a. DIRECT: the operation is initiated directly (TODO: find out whether this is just the orchestration without a request being created, or something more esoteric)
b. Workflow ID: a request is created, and the request then initiates the appropriate orchestration
6. In the approval step of the orchestration the workflow policy is re-evaluated and the resulting SOA composite is triggered.
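The decision order above, replayed as a small Python model. This is an added example, not OIM code or an OIM API: it only reproduces the evaluation described in the notes (authorization, bulk/future-dated forcing a request, rules evaluated in sequence with the first match winning, SOAConfig defaults when nothing matches, DIRECT skipping approval). The rule names, role names and composite names are constructed for the example; only DIRECT and the two SOAConfig default names come from the notes.

```python
"""Toy model of the OIM 11g R2 PS3 workflow-policy decision (added example, not OIM code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional

DIRECT = "DIRECT"  # special Workflow ID: perform the operation with no approval workflow


@dataclass
class WorkflowRule:
    name: str
    condition: Callable[[dict], bool]  # the "if (condition)" part
    workflow_id: str                   # the "then (Workflow ID)" part


@dataclass
class SOAConfig:
    # Fallback composites used when no rule matches. Property names are from the notes;
    # the composite values are assumed.
    default_request_approval_composite: str = "default/DefaultRequestApproval!5.0"
    default_operation_approval_composite: str = "default/DefaultOperationalApproval!5.0"


@dataclass
class Decision:
    outcome: str                        # "denied" | "direct" | "request"
    workflow_id: Optional[str] = None   # composite the request is routed to, if any
    matched_rule: Optional[str] = None  # None means the SOAConfig default applied


def evaluate(ctx: dict, rules: List[WorkflowRule], soa: SOAConfig) -> Decision:
    # 1. Authorization: may this requester perform the operation at all?
    if not ctx.get("authorized", False):
        return Decision("denied")

    # 2. Bulk or future-dated operations always become a request.
    force_request = ctx.get("bulk", False) or ctx.get("future_dated", False)

    # 3. Rules run in sequence; the first true condition stops evaluation.
    workflow_id, matched_rule = None, None
    for rule in rules:
        if rule.condition(ctx):
            workflow_id, matched_rule = rule.workflow_id, rule.name
            break
    if workflow_id is None:
        # No match: bulk uses the request default, everything else the operation default.
        workflow_id = (soa.default_request_approval_composite if ctx.get("bulk", False)
                       else soa.default_operation_approval_composite)

    # 4. DIRECT performs the operation immediately; anything else raises a request.
    #    Assumption made here: a forced (bulk/future-dated) request that resolved to DIRECT
    #    is recorded as a request carrying DIRECT as its workflow id.
    if workflow_id == DIRECT and not force_request:
        return Decision("direct", None, matched_rule)
    return Decision("request", workflow_id, matched_rule)


# Constructed rule set, in evaluation order. Order matters: the first match wins, so a
# broad DIRECT rule placed first will shadow any more specific rule below it.
RULES = [
    WorkflowRule("sysadmin-direct",
                 lambda c: "System Administrators" in c.get("requester_roles", ()),
                 DIRECT),
    WorkflowRule("privileged-target-two-level",
                 lambda c: c.get("operation") == "PROVISION_ACCOUNT"
                 and c.get("target") == "PrivilegedDB",           # constructed target name
                 "default/ExampleTwoLevelApproval!1.0"),           # hypothetical composite
    WorkflowRule("self-request-manager",
                 lambda c: c.get("requester") == c.get("beneficiary"),
                 "default/ExampleManagerApproval!1.0"),            # hypothetical composite
]


if __name__ == "__main__":
    sample = {"authorized": True, "requester_roles": ["Employees"], "operation": "PROVISION_ACCOUNT",
              "target": "PrivilegedDB", "requester": "jdoe", "beneficiary": "jdoe"}
    print(evaluate(sample, RULES, SOAConfig()))
```

The shadowing case is the one worth checking in a real policy set: because evaluation stops at the first true condition, a sysadmin provisioning the privileged target never reaches the two-level rule in this ordering, which is the behaviour the default sysadmin DIRECT rules give you unless you move them down the list.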

Please note that only these use cases are supported: create/update/delete/enable/disable (CUDED) user, CUD role, CUD user-role membership, CUDED user-account, CUD user-entitlement, and the bulk versions of these. Other operations (organization, proxy user, etc.) are not supported.
Please note that Workflow Policies Enabled is set to false when OIM is upgraded to PS3, so an additional step is needed to enable it and then migrate the existing policies to workflow policies.

Please note: policy migration is a full replacement, not a merge. Importing anything together with its associated policies replaces all policies associated with that operation.

PS: With this release the system can be configured to run without a SOA server.
Use: Workflows Enabled property = false to disable SOA. Consequences:
1. Manual fulfillment tasks for disconnected application instances WILL FAIL.
2. If the selected user has a pending account request (raised while SOA was disabled), a request for entitlements on that account will never complete.
3. Bulk entitlement requests for a user with multiple accounts, or with no account, fail.
4. Certification, SoD, UMS notification (which uses SOA) and the web service connector do not work.

Good documentation of the request flow is available at http://docs.oracle.com/cd/E52734_01/oim/OMADM/workflowrules.htm#OMADM5364
TODO: look at how the request engine integrates with the orchestration engine. Has the approach changed significantly?

Access Policy

Only direct provisioning is supported now; request-based access policies have been removed.
From a UI perspective, the AP -> role assignment is done on the Role screen and NOT on the AP screen.
An Access Policy owner field has been added, but nothing uses it.
As earlier, access policies are not applied to subroles.
As earlier, "Disable if no longer applies" on any applicable policy for the same resource object supersedes revoke for that resource object. The setting is stored with the account at the time it is provisioned; changing the flag on the policy later does not affect accounts that were created before the change.
As earlier, a resource deny takes precedence over an allow.
Policy Evaluation Process - http://docs.oracle.com/cd/E52734_01/oim/OMADM/accesspolicies.htm#OMADM2255
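The three evaluation rules noted above (no subrole inheritance, deny beats allow, and the "disable if no longer applies" flag frozen into the account at provisioning time) interact in ways that are easy to get wrong when cleaning up policies, so here they are as a small Python model. This is an added example, not OIM code or its policy engine; the role, policy and resource object names are constructed, and the exact OIM tables and flags behind this behaviour are not modelled.

```python
"""Toy model of OIM access-policy evaluation (added example, not OIM code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AccessPolicy:
    name: str
    roles: Set[str]                                 # roles the policy is assigned to
    allow: Set[str] = field(default_factory=set)    # resource objects to provision
    deny: Set[str] = field(default_factory=set)     # resource objects denied
    disable_if_no_longer_applies: bool = False      # disable instead of revoke on loss


@dataclass
class Account:
    resource_object: str
    policy_names: Set[str]              # policies that provisioned it
    disable_if_no_longer_applies: bool  # frozen when the account was provisioned


@dataclass
class User:
    login: str
    direct_roles: Set[str]
    accounts: List[Account] = field(default_factory=list)


def applicable_policies(user: User, policies: List[AccessPolicy]) -> List[AccessPolicy]:
    # Only direct role memberships count; parent/child (subrole) relationships are ignored.
    return [p for p in policies if p.roles & user.direct_roles]


def evaluate(user: User, policies: List[AccessPolicy]) -> Dict[str, List[str]]:
    """Return the resource objects to provision / keep / disable / revoke for this user."""
    applicable = applicable_policies(user, policies)
    allowed = set().union(*(p.allow for p in applicable))
    denied = set().union(*(p.deny for p in applicable))
    actions: Dict[str, List[str]] = {"provision": [], "keep": [], "disable": [], "revoke": []}

    existing = list(user.accounts)
    held = {a.resource_object for a in existing}
    # Deny takes precedence: a denied resource object is never provisioned.
    for obj in sorted(allowed - denied - held):
        provisioning = [p for p in applicable if obj in p.allow]
        # Freeze the flag into the account: any provisioning policy with the flag set
        # makes this account disable-on-loss, whatever the policies say later.
        user.accounts.append(Account(obj, {p.name for p in provisioning},
                                     any(p.disable_if_no_longer_applies for p in provisioning)))
        actions["provision"].append(obj)

    # Existing accounts whose resource object no longer applies (or is now denied).
    for acct in existing:
        obj = acct.resource_object
        if obj in allowed and obj not in denied:
            actions["keep"].append(obj)
        elif acct.disable_if_no_longer_applies:
            actions["disable"].append(obj)
        else:
            actions["revoke"].append(obj)
    return actions


def scenario() -> Dict[str, Dict[str, List[str]]]:
    """Constructed walk-through: subrole, deny precedence and the frozen flag."""
    emp = AccessPolicy("AP-Employees", {"Employees"}, allow={"AD User"},
                       disable_if_no_longer_applies=True)
    contractor = AccessPolicy("AP-Contractors", {"Contractors"}, allow={"AD User"})
    terminated = AccessPolicy("AP-Terminated", {"Terminated"}, deny={"AD User"})
    it_staff = AccessPolicy("AP-IT-Staff", {"IT Staff"}, allow={"VPN"})
    policies = [emp, contractor, terminated, it_staff]
    out = {}

    # alice: direct member of Employees and of "IT Helpdesk", a constructed subrole of IT Staff.
    alice = User("alice", {"Employees", "IT Helpdesk"})
    out["alice-initial"] = evaluate(alice, policies)       # AD User provisioned; VPN not applied
    alice.direct_roles.add("Terminated")
    out["alice-terminated"] = evaluate(alice, policies)    # deny wins; frozen flag -> disable

    carol = User("carol", {"Contractors"})
    out["carol-initial"] = evaluate(carol, policies)       # provisioned with flag False

    emp.disable_if_no_longer_applies = False               # later policy edit
    alice.direct_roles = {"IT Helpdesk"}
    out["alice-left-role"] = evaluate(alice, policies)     # still disable: flag was frozen
    carol.direct_roles = set()
    out["carol-left-role"] = evaluate(carol, policies)     # revoke
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(step, result)
```

The practical point is the last two steps: flipping "Disable if no longer applies" on a policy only changes accounts provisioned after the flip, so a cleanup that expects existing accounts to start being revoked will not see that happen.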
As earlier, AP harvesting looks the same.
Harvesting is triggered when user-role memberships are bulk-loaded or reconciled.
As earlier, multiple accounts: access policies can provision multiple accounts in the same target system (each from a different access policy) as well as one account in each of several instances of the same target system. The account discriminator together with OBJ_KEY uniquely identifies an account for the resource.
TODO: the documentation for this is still confused.
Identity Audit (SoD) policies are not evaluated during access policy evaluation.
The IT Resource field on the form cannot be edited once the policy has been created.
AP troubleshooting: My Oracle Support note 1563379.1

Entitlement forms are supported (Generate Entitlement Forms). TODO: check whether this option, and the Bulk Update selection, were available earlier. An entitlement form is a child form with one attribute marked as the entitlement.

Home organization policies -> used by self-registration and other places where an organization has to be chosen for a user.
Self-service capability policies -> what a user is allowed to do on their own profile.
Orchestration engine MBean

SCIM/REST Web service
Integrated BI Publisher to generate and display reports

Creating & Managing custom UI attributes

Remote Manager is not recommended.
Form Upgrade Job and Form Version Control Utility: not supported.

Oracle Identity Manager with Identity Auditor mode enabled --> Identity Audit (SoD) & Identity Certification
--> http://docs.oracle.com/cd/E52734_01/oim/OMUSG/idaudit.htm#OMUSG5312

OIM integrates with OPAM, OAM, OAM+OAAM and OMSS (OMSS lets users see their devices and applications; administrators can manage devices, applications and mobile policies, configure devices remotely, and target applications to specific groups of users).