OIM 11g PS1 Workshop - Lab2
1
Lab 2 - Enterprise User lifecycle influenced by Delegated Administrators and End-users
Contents
Lab 2 - Enterprise User lifecycle influenced by Delegated Administrators and End-users
1. Introduction
2. Contents
2.1. Extend OIM User schema
2.2. Configure Helpdesk Users and Role Authorization
2.3. Practice Helpdesk communities actions to experience configured authorizations
2.4. Configure Managers authorization for the administration of their directs' reports
2.5. Practice Managers' actions to experience configured authorizations on User Administration
2.6. End-Users Self profile edit authorization
2.7. Practice Self Profile Edit as an End-user to experience configured authorizations
3. Conclusion
Introduction
This use case will cover the configurations and usage of OIM features to model advanced user account management scenarios
within a controlled system driven by strong authorization policies. The use case will consider people with various personas -
Helpdesk personnel / IT Administrators, End-users and their Managers, interacting with OIM.
Due to recent changes in ACME's user provisioning context, the current OIM user schema needs to be extended with additional attributes:
Professional Qualifications
<Skillset> (text area)
<Work Experience> (LOV)
<Previous Job History Verified> (checkbox – Bulk updatable)
<Post Graduate> (checkbox – searchable)
<Contribution to Org KM portal> (text area)
Backend Attributes
<Employee from acquisition> (this one should not show up on UI, backend logic will use it)
1.1. In this use case, "Helpdesk" staff need to be created. To perform their duties, members of the Helpdesk staff need to be assigned authorization policies in OIM, which will be modeled by making them members of an appropriate OIM Role. For creating and managing the lifecycle of such static roles, ACME has a process in place that is carried out by dedicated Role Owners and Access Administrators.
Members of a role named Role Owners have the rights to create any OIM role representing Helpdesk (the ACME HelpDesk Administrators role) and add it to a role category.
Once the Role Owners have created the Helpdesk role, another group of users (members of a role named Access Administrators) has to add specific OIM users to the Helpdesk role. This is done only for those users who need to be part of the Helpdesk team and need the authorization controls described in the points below. However, it is important to keep in mind that Access Administrators cannot add members to every role defined in the OIM deployment. If ACME wants them to be able to add members to the Helpdesk role, they need to be selectively given the privileges to do so.
1.2. Helpdesk staff get access to the OIM admin console:
To create users directly (but they cannot delete) only for the departments "Public Finance" and its sub-department "Taxation".
They are also asked to execute some operations in bulk on a number of users collectively (like Enable, Disable). Also they can update the "Previous Job History Verified" flag on a batch of recently hired users collectively once notified by HR (through an email).
They can only modify particular attributes of the user profile, but not all.
When they create users for the department "Mergers and Acquisition", the user id and password will have to be generated. The user id should be generated as follows:
If an e-mail is provided, then the username is generated based on the e-mail. If an e-mail is not available, then it generates the username based on firstname and lastname by appending a user domain to it. The user domain is configured as the Default user name domain system property, and the default value is @oracle.com.
When Helpdesk resets the password for a user, it is communicated to him through an email. The password should meet the enterprise password policy requirements. When the user logs into OIM with the helpdesk-reset password, he should be forced to change the password.
1.3. Managers can log in and interact with the user records
They can search only their own hierarchies, and only view those users' details. They can build a complex search filter using advanced search. They cannot view certain specific attributes like "Pay".
Senior managers can search for users who are post-graduates in their departments.
1.4. End-Users themselves log in to self-service
They can update attributes on their profile, which raises a request to the user's manager. The manager approves it and the profile gets updated.
Contents
2.1. Extend OIM User schema
2.2. Configure Helpdesk Users and Role Authorization
2.3. Practice Helpdesk communities actions to experience configured authorizations
2.4. Configure Managers authorization for the administration of their directs’ reports
2.5. Practice Managers’ actions to experience configured authorizations on User Administration
2.6. End-Users Self profile edit authorization
2.7. Practice Self Profile Edit as an End-user to experience configured authorizations
2.1. Extend OIM User schema
Purpose
This step includes the configuration required to extend the OIM User schema with the attributes listed in the Introduction.
Steps
Login to the Oracle Identity Manager Administration console (use xelsysadm credentials unless specified otherwise).
In the Welcome page, under Advanced Administration, click User Configuration. Alternatively, you can click the Configuration
tab, and then click the User Configuration tab.
On the left pane of the console, from the Actions menu, select User Attributes. The User Attributes page is displayed with a
table containing all user attributes under the respective categories.
Click Add Category or select Add Category from the Actions menu under User Attributes. A pop-up dialog box to create the category appears. Fill in the Category name as "Professional Qualifications". Click Save. A message confirming successful creation of the category appears.
Repeat the process to create another category "Backend Attributes".
Click Create Attribute or select Create Attribute from the Actions menu. A pop-up dialog box to create the attribute appears. Fill in the details as follows and click Next:
Attribute Name | Category Name | Back-end Attribute Name | Display Type | Properties
Skillset | Professional Qualifications | USR_UDF_SKILLSET | Text Area | Size: 200
Fill in Attribute Size as '200' and click Next.
Click Save. A message confirming successful creation of the attribute appears.
To add another attribute, click Create Attribute or select Create Attribute from the Actions menu. A pop-up dialog box to create the attribute appears. Fill in the details as:
Attribute Name | Category Name | Back-end Attribute Name | Display Type | Properties
Work Experience | Professional Qualifications | USR_UDF_WORKEXP | List of values (LOV) |
On selecting LOV as the Display Type, the display window changes and additional options appear. Select LOV Type as Admin Configured, and use Lookup.Users.WorkExp as the LOV Code.
Fill in LOV Options as '1' and LOV Options Description as '0-2 Yrs' and click Add.
Note: You can scroll down this screen to see the values just added.
Repeat to add LOV Options 2, 3, 4, 5 with the LOV Options Description as follows:
LOV Options | LOV Options Description
2 | 2-5 Yrs
3 | 5-10 Yrs
4 | 10-20 Yrs
5 | 20+ Yrs
This is how it looks after adding all LOV options and descriptions.
Click Next.
Fill in Attribute size as '10', click Next and then click Save. A message confirming successful creation of the attribute appears.
Repeat the steps outlined in 2.1.6 to 2.1.8 to add more attributes as per the following:
Attribute Name | Category Name | Back-end Attribute Name | Display Type | Properties
Previous Job History Verified | Professional Qualifications | USR_UDF_JOBHISTVER | Checkbox | Bulk Updatable: Yes
Post Graduate | Professional Qualifications | USR_UDF_POSTGRAD | Checkbox | Searchable: Yes
Contribution to Org KM portal | Professional Qualifications | USR_UDF_CONTKMPORTAL | Text Area | Attribute Size: 500
Employee from acquisition | Backend Attributes | USR_UDF_ACQ | Checkbox | Visible: No
Checkpoint
This completes the configuration of modifying the OIM User schema. If at this point you, as the 'xelsysadm' user, view existing Users, you will not see their extended attributes, because additional Auth Policies need to be assigned to users before these attributes are visible; we will do that in the next section. If you create a new User, you will be presented with the new attributes, since the schema has been extended.
2.2. Configure Helpdesk Users and Role Authorization
Purpose
We will configure HelpDesk User and Role authorizations in this section.
(A) Create ACME CAPITAL Organization Structure
(B) Create a Role Administrator user, an Access Administrator user and two HelpDesk Administrator users.
(C) The Role Administrator user has the specific responsibility to create and manage roles and role categories, so we will create a corresponding role and auth policy to perform those duties.
(D) The Helpdesk user performs the specific helpdesk duties outlined in the use case, and the Access Administrator user has the specific responsibility of managing membership of the HelpDesk role for the Helpdesk Administrator staff. To achieve that we will have the Role Administrator log in and create the roles for HelpDesk and Access Administrator. Auth Policies are still to be created by xelsysadm, so we will have xelsysadm create the auth policies for both roles. Once this is done we will have the Access Administrator assign the HelpDesk role to the HelpDesk staff.
(E) Set up Email Notification (you may not get mails, depending upon the environment on which you are practicing these labs)
Steps
(A) Create ACME CAPITAL Organization Structure
An Organization with Name as ‘ACME CAPITAL’ is already pre-seeded in OIM VM. You will create all departments below ACME
CAPITAL Company:
In the Welcome tab of Oracle Identity Manager Administration page, under Organizations, click Create Organization.
Alternatively in the left pane, click the Browse tab. Under Organizations, from the Action menu, select Create. You can also click
the Create icon on the toolbar.
[Figure: ACME CAPITAL organization tree: ACME HelpDesk, ACME Public Finance (with child ACME Taxation), ACME Mergers and Acquisitions]
Create the ACME HelpDesk Organization. Enter 'ACME HelpDesk' as Name and select Department as Type. To choose the previously created ACME CAPITAL as Parent Organization, click on Search.
A pop-up window appears; in it, search for a Parent Organization whose name Begins with ACME. Select ACME CAPITAL from the Search Results and click Add. Note: the screenshot shows Contains as the search operator; it should be Begins With.
Click Save and then repeat the process to create the rest of the Organization Structure as:
ACME CAPITAL (Company)
ACME CAPITAL -> ACME HelpDesk (Department)
ACME CAPITAL -> ACME Public Finance (Department)
ACME CAPITAL -> ACME Public Finance -> ACME Taxation (Department)
ACME CAPITAL -> ACME Mergers and Acquisitions (Department)
The Organization Structure for ACME CAPITAL will look like this:
(B) Create a Role Administrator user, an Access Administrator user and two HelpDesk Administrator users.
In the Welcome page of Identity Administration, under Users, click Create New User. Alternatively Click the Administration
tab on the toolbar, and then in the Browse tab, click Create New User.
In Create User Page enter ACME as First Name, RoleAdmin as Last Name. Choose ACME CAPITAL as Organization, Employee
as User Type and roleadmin as User Login. Enter Abcd123 as Password. Click Save.
Having created the Role Administrator, we will now create the Access Administrator by following the steps from 2.2.5 and 2.2.6. Enter ACME as First Name, AccessAdmin as Last Name. Choose ACME CAPITAL as Organization, Employee as User Type and accessadmin as User Login. Enter Abcd123 as Password. Click Save.
Following the steps from 2.2.5 and 2.2.6 again, we will now create two new users for the HelpDesk staff.
For the first user, enter Acme as First Name, HelpDesk1 as Last Name. Choose 'ACME HelpDesk' as Organization, Employee as User Type and acmehelpdesk1 as User Login. Enter Abcd123 as Password. Click Save.
Similarly for the second user, enter Acme as First Name, HelpDesk2 as Last Name. Choose 'ACME HelpDesk' as Organization, Employee as User Type and acmehelpdesk2 as User Login. Enter Abcd123 as Password. Click Save.
(C) The Role Administrator user has the specific responsibility to create and manage roles and role categories, so we will create a corresponding role for this user and also create an auth policy for this user to perform those duties.
In the Welcome page of Administration tab, under Roles, click Create Role. Alternatively, in the Browse tab of the left pane,
expand Roles, and from the Actions menu, select Create Role. Otherwise, click the Create Role icon on the toolbar.
Enter 'Role Owners' as the Name of the role and click Save.
Select the Members tab of the role "Role Owners" and then click Assign to assign the user created in the last step, "ACME RoleAdmin", to this role.
Search for and select the User "ACME RoleAdmin" and click Save.
On the Welcome page, under Authorization Policy, click Create Authorization Policy. Alternatively, you can click the Create Authorization Policy icon on the toolbar.
In the Policy Name field, enter the name of the authorization policy as "Role Owners - Manage Roles". In the Description field, enter a description of the authorization policy: "Auth Policy assigned to Role Owners to create and manage roles and role categories". In the Entity Name field, select the name of the feature for which you want to create the authorization policy. To create an authorization policy for role management, select Role Management. Click Next.
The Permissions page is displayed. In this page, you can select the permissions that you want to enable in the authorization policy. We will select "Create Role", "Delete Role", "Modify Role Detail", "Create Role Category", "Delete Role Category" and "Modify Role Category" and click Next.
We are not constraining Role Owners, so click Next.
The Assignment page of the Create Policy wizard is displayed. To assign roles to the authorization policy, click Add. The Assign Roles dialog box is displayed. Search for a Role Name that Begins with "Role". From the Search Results select "Role Owners" and click Add.
Click Next.
Click Finish to create the policy.
(D) The Helpdesk user performs the specific helpdesk duties outlined in the use case, and the Access Administrator user has the specific responsibility of managing membership of the HelpDesk role for the Helpdesk Administrator staff. To achieve that we will first have xelsysadm create the Access Administrators role and assign it to the ACME AccessAdmin user, and then we will have the Role Administrator log in to create the role for HelpDesk Administrators. Auth Policies are still to be created by xelsysadm, so we will have xelsysadm log back in to create the auth policies for both roles. Once this is done we will have the Access Administrator assign the helpdesk role to the helpdesk staff.
Follow steps from 2.2.9 to 2.2.11 to create a role called "Access Administrators" and assign "ACME AccessAdmin" to this role.
Now log out and log in with roleadmin credentials (to create the HelpDesk Role). Note: If you are logging in as roleadmin for the first time, you will be redirected to the password management screen.
Again follow steps from 2.2.9 and 2.2.10 to create a role called "ACME HelpDesk Administrators".
Please note that there is a pre-seeded role "ACME Help Desk Administrators" which has a space between 'Help' and 'Desk'. The one to create here is without the space.
Now log out and log in with xelsysadm credentials to create the Auth Policies.
Follow steps from 2.2.13 to 2.2.19 to create an Auth Policy for Access Administrators per the following:
Policy Name | Description | Entity Name | Permissions | Data Constraints | Policy Assignments
Access Administrators - Manage Role Membership | Auth Policy assigned to Access Administrators to View and Modify Role Memberships | Role Management | View Role Membership, Modify Role Membership | ACME HelpDesk Administrators | Role: Access Administrators
So far we have created Auth Policies for Role Management, which were assigned to roleadmin and accessadmin through their respective roles. Now we will create some auth policies for User Management, which will be assigned to acmehelpdesk1 and acmehelpdesk2, the helpdesk users who do user management for ACME.
The following image illustrates what ACME HelpDesk's users can do:
[Figure: ACME CAPITAL organization tree (ACME HelpDesk, ACME Public Finance with child ACME Taxation, ACME Mergers and Acquisitions) with callouts: ACME HelpDesk can search and view details of users, bulk update user status (ENABLE/DISABLE), reset user passwords and modify the user profile attribute Job History Verified (hierarchy aware); ACME HelpDesk can create users (hierarchy aware)]
On the Welcome page, under Authorization Policy, click Create Authorization Policy. Alternatively, you can click the Create Authorization Policy icon on the toolbar.
In the Policy Name field, enter the name of the authorization policy as "HelpDesk CreateUser - Public Finance". In the Description field, enter a description of the authorization policy: "Auth Policy assigned to ACME HelpDesk Administrators to create users in Public Finance Org". In the Entity Name field, select the name of the feature for which you want to create the authorization policy. To create an authorization policy for user management, select User Management. Click Next.
The Permissions page is displayed. In this page, you can select the permissions that you want to enable in the authorization policy. We will select "Create User" and click Next.
The Data Constraints page of the Create Policy wizard is displayed. In this page, options for the feature selected in the Entity Name field in the previous step are displayed. Select the option 'Users that are members of selected Organizations' to specify the organizations for whose members you want to create the authorization policy. Click Add Organization.
The Add Organization dialog box is displayed. Search for an Organization name that Begins with "ACME Public Finance". Select ACME Public Finance from the Search Results and click Add.
Select the checkbox "Hierarchy Aware (include all Child Organizations)" and click Next. This is done so that Helpdesk can create users in Public Finance as well as in the child organization of Public Finance (Taxation).
The Assignment page of the Create Policy wizard is displayed. To assign roles to the authorization policy, click Add. The Assign Roles dialog box is displayed. Search for a Role Name that Begins with "ACME HelpDesk". From the Search Results select "ACME HelpDesk Administrators" and click Add.
Click Next.
Click Finish.
Create the other Auth Policies per the table below by following steps from 2.2.26 to 2.2.35:
Policy Name | Description | Entity Name | Permissions | Attributes | Data Constraints | Policy Assignments
HelpDesk Create User - M & A | Auth Policy assigned to ACME HelpDesk Administrators to create users in Mergers and Acquisitions Org | User Management | Create User | | ACME Mergers and Acquisitions (Hierarchy Aware) | Role: ACME HelpDesk Administrators
HelpDesk SearchUser | Auth Policy assigned to ACME HelpDesk Administrators to Search Users and View their Details before Updating or Modifying them | User Management | Search User, View User Details | | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators
HelpDesk UpdateUser | Auth Policy assigned to ACME HelpDesk Administrators to Update User Status as Enable/Disable | User Management | Modify User Status | | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators
HelpDesk ModifyUser | Auth Policy assigned to ACME HelpDesk Administrators to Modify User Profile attribute - Previous Job History Verified | User Management | Modify User Profile | Previous Job History Verified | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators
HelpDesk PasswordMgmt | Auth Policy assigned to ACME HelpDesk Administrators to reset user password | User Management | Change User Password | | ACME CAPITAL (Hierarchy Aware) | Role: ACME HelpDesk Administrators
Now log out and log in with accessadmin credentials to assign the role "ACME HelpDesk Administrators" to the HelpDesk staff (acmehelpdesk1 and acmehelpdesk2). Note: Since you are logging in with accessadmin for the first time, you will be redirected to the password management screen.
DON'T USE the pre-seeded role "ACME Help Desk Administrators". Note the space between 'Help' and 'Desk'. The one to use here is without the space.
Workaround: Use the URL http://<host>:<port>/admin/faces/pages/Login.jspx instead of http://<host>:<port>/oim
Search for the role "ACME HelpDesk Administrators" and then follow the steps outlined in 2.2.11 to assign the users acmehelpdesk1 and acmehelpdesk2 as members of this role.
You will see that you are not able to search for the users acmehelpdesk1 and acmehelpdesk2 (the search doesn't return any user). This is because accessadmin is only authorized to change role membership but is not authorized to search users. To work around this issue, create another auth policy per the table below (you need to log back in as xelsysadm):
Policy Name | Description | Entity Name | Permissions | Attributes | Data Constraints | Policy Assignments
Access Administrators - Search users | Auth Policy assigned to Access Administrators to search users and thus be able to change role memberships | User Management | Search Users | | | Role: Access Administrators
Now log back in as accessadmin and retry assigning the role "ACME HelpDesk Administrators" to the HelpDesk staff (acmehelpdesk1 and acmehelpdesk2).
DON'T USE the pre-seeded role "ACME Help Desk Administrators". Note the space between 'Help' and 'Desk'. The one to use here is without the space.
Search for the role "ACME HelpDesk Administrators" and then follow the steps outlined in 2.2.11 to assign the users acmehelpdesk1 and acmehelpdesk2 as members of this role.
Bug: The system gives an ADF error and the UI doesn't show the members of this role, but if you search for the acmehelpdesk1 user and check his roles, you see the role is assigned.
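To see how the policies from the tables above combine, here is a small model of them, added for this page and not Oracle Identity Manager's own code or API. The policy, role and organization names are taken from the lab; the organization tree is constructed from the ACME CAPITAL structure created in part (A); and the evaluation rules (deny by default, a hierarchy-aware constraint matching the target user's organization or any of its parents, an attribute list restricting Modify User Profile) are an assumption that reproduces the allowed and not-allowed outcomes the lab walks through in section 2.3, including the accessadmin search problem fixed by the "Access Administrators - Search users" policy.

```python
"""Toy model of the OIM authorization policies configured in this lab.
Added example for this page; not OIM's code. Evaluation rules are an
assumption chosen to mirror the outcomes the lab describes."""
from dataclasses import dataclass

# Constructed organization tree (child -> parent), as set up in part (A).
ORG_PARENT = {
    "ACME CAPITAL": None,
    "ACME HelpDesk": "ACME CAPITAL",
    "ACME Public Finance": "ACME CAPITAL",
    "ACME Taxation": "ACME Public Finance",
    "ACME Mergers and Acquisitions": "ACME CAPITAL",
}


@dataclass(frozen=True)
class Policy:
    name: str
    entity: str                          # "User Management" or "Role Management"
    permissions: frozenset               # permissions the policy grants
    roles: frozenset                     # roles the policy is assigned to
    orgs: frozenset = frozenset()        # data constraint: organizations in scope (empty = unconstrained)
    hierarchy_aware: bool = False        # also cover child organizations of the constraint orgs
    attributes: frozenset = frozenset()  # for Modify User Profile: attributes allowed (empty = all)


def org_and_ancestors(org):
    """Yield the organization and each of its parents up to the root."""
    while org is not None:
        yield org
        org = ORG_PARENT[org]


def org_in_scope(policy, target_org):
    """Apply the organization data constraint, honouring 'Hierarchy Aware'."""
    if not policy.orgs:
        return True
    if policy.hierarchy_aware:
        return any(o in policy.orgs for o in org_and_ancestors(target_org))
    return target_org in policy.orgs


def is_authorized(policies, subject_roles, permission, target_org=None, attribute=None):
    """Return (allowed, policy_name): the first policy granting the action, else (False, None).
    Deny by default: an action no policy grants (Delete User, or Modify User Profile
    on an attribute outside the policy's list) is refused."""
    for p in policies:
        if permission not in p.permissions or not (p.roles & subject_roles):
            continue
        if target_org is not None and not org_in_scope(p, target_org):
            continue
        if attribute is not None and p.attributes and attribute not in p.attributes:
            continue
        return True, p.name
    return False, None


HELPDESK = frozenset({"ACME HelpDesk Administrators"})
ACCESS_ADMIN = frozenset({"Access Administrators"})
CAPITAL = frozenset({"ACME CAPITAL"})

# Policies from the tables in part (D), before the accessadmin search fix.
# "Search User" is used for both the helpdesk and access-admin policies here.
LAB_POLICIES = [
    Policy("HelpDesk CreateUser - Public Finance", "User Management",
           frozenset({"Create User"}), HELPDESK, frozenset({"ACME Public Finance"}), True),
    Policy("HelpDesk Create User - M & A", "User Management",
           frozenset({"Create User"}), HELPDESK, frozenset({"ACME Mergers and Acquisitions"}), True),
    Policy("HelpDesk SearchUser", "User Management",
           frozenset({"Search User", "View User Details"}), HELPDESK, CAPITAL, True),
    Policy("HelpDesk UpdateUser", "User Management",
           frozenset({"Modify User Status"}), HELPDESK, CAPITAL, True),
    Policy("HelpDesk ModifyUser", "User Management",
           frozenset({"Modify User Profile"}), HELPDESK, CAPITAL, True,
           frozenset({"Previous Job History Verified"})),
    Policy("HelpDesk PasswordMgmt", "User Management",
           frozenset({"Change User Password"}), HELPDESK, CAPITAL, True),
    Policy("Access Administrators - Manage Role Membership", "Role Management",
           frozenset({"View Role Membership", "Modify Role Membership"}), ACCESS_ADMIN),
]

# The extra policy the lab adds so that accessadmin can find users to assign.
ACCESS_ADMIN_SEARCH = Policy("Access Administrators - Search users", "User Management",
                             frozenset({"Search User"}), ACCESS_ADMIN)


if __name__ == "__main__":
    checks = [
        ("Create User", "ACME CAPITAL", None),                                  # not allowed
        ("Create User", "ACME Taxation", None),                                 # allowed via hierarchy
        ("Delete User", "ACME Taxation", None),                                 # not allowed
        ("Modify User Profile", "ACME Taxation", "Previous Job History Verified"),  # allowed
        ("Modify User Profile", "ACME Taxation", "Start Date"),                 # not allowed
    ]
    for perm, org, attr in checks:
        print(perm, org, attr or "", is_authorized(LAB_POLICIES, HELPDESK, perm, org, attr))
    print("accessadmin search before fix:", is_authorized(LAB_POLICIES, ACCESS_ADMIN, "Search User"))
    print("accessadmin search after fix:",
          is_authorized(LAB_POLICIES + [ACCESS_ADMIN_SEARCH], ACCESS_ADMIN, "Search User"))
```

The point the model makes explicit is that each action needs its own grant: the "Modify Role Membership" permission does not imply "Search User", which is exactly why accessadmin's search came back empty until the second policy was added.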
(E) Email Notification setup
To set up the Email Server, log in to the Oracle Identity Manager Administration Console. In the Welcome page, under Advanced Administration, click Create IT Resource.
Note: If this training content is being used by people who do not work for Oracle and therefore do not have Oracle email ids, they should use a JES (Java Email Server) based mail server installed and configured in the Training VM environment. Lab 1 contains the details about running this particular Email Server and using it with OIM.
The Create IT Resource dialog box appears. Enter 'Email Server' as IT Resource Name and select 'Mail Server' as IT Resource Type. Click Continue.
The UI wizard has step numbers at the top, as shown in the screenshot. In Step 2 of Create IT Resource, enter 'false' as Authentication, 'mail.oracle.com' as Server Name and enter your User Login, then click Continue. Leave User Password blank.
Note: If mail.oracle.com as Server Name does not work for some reason, another value that could be used is stbeehive.oracle.com. People not in Oracle who are doing these labs need to use some mail server that they can reach and that doesn't require authentication.
Leave everything else at the default in Steps 3 and 4 and click Continue. From Step 5 click Continue. Step 6 confirms the creation of the IT Resource; click Finish.
You should always ensure that the relevant system property is set to the right value for the Email Server configuration to work.
Log in to the Oracle Identity Manager Administration Console. In the Welcome page, under Advanced Administration, click Search System Properties. Enter * under Search System Configuration and click Search.
On the left pane of the window, scroll down to locate the property Email Server and click it. The System Property Detail: Email Server window appears. Ensure that the Value field is set to Email Server (the same as the IT Resource Name).
Set up the UserID Generation Policy
To set up the UserId Generation Policy, select "Default policy for username generation" in the left pane of the window above. Make sure the Value field is populated as 'oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy', which is the default policy that we will use. If not, change it and click Save.
To set up the Default Domain for username generation, select 'Default user name domain' in the left pane of the window above. Make sure the Value field is populated and has the right domain. For our use case we will use oracle.com, which is the default. If not, change it and click Save.
We will use the default password policy, which can be checked through the Design Console, if required.
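The two system properties above together define the rule the Introduction (1.2) gives for generating a User Login: use the e-mail when one is supplied, otherwise build it from first name, last name and the Default user name domain. The function below is an added illustration of that rule written for this page; it is not the DefaultComboPolicy plugin itself. The lab does not say how the real plugin treats letter case, whitespace in names, or a domain property given as "@oracle.com" (the form quoted in 1.2) rather than "oracle.com" (the form used here), so the handling of those cases is an assumption.

```python
"""User-login generation as described in this lab: e-mail if present,
otherwise <firstname>.<lastname>@<Default user name domain>.
Added example for this page; not Oracle's DefaultComboPolicy code."""

# Value of the 'Default user name domain' system property used in the lab.
DEFAULT_USER_NAME_DOMAIN = "oracle.com"


def generate_user_login(first_name, last_name, email=None, domain=DEFAULT_USER_NAME_DOMAIN):
    """Return the User Login for a new user.

    Rule from the lab: a provided e-mail becomes the login as-is; otherwise the
    login is first.last@domain. Assumptions (not stated in the lab): names are
    lower-cased with whitespace removed, a blank e-mail counts as "not available",
    and a domain written as '@oracle.com' is normalised to 'oracle.com'.
    """
    if email and email.strip():
        return email.strip()
    if not (first_name and first_name.strip() and last_name and last_name.strip()):
        raise ValueError("first name and last name are required when no e-mail is provided")
    first = "".join(first_name.split())
    last = "".join(last_name.split())
    local_part = "{}.{}".format(first, last).lower()
    return "{}@{}".format(local_part, domain.strip().lstrip("@"))


if __name__ == "__main__":
    # Constructed sample inputs mirroring the users created in section 2.3.
    print(generate_user_login("John", "Roe"))                               # from name + domain
    print(generate_user_login("Jane", "Roe", email="jane.roe@example.org"))  # e-mail wins
    print(generate_user_login("John", "Roe", domain="@oracle.com"))         # leading '@' normalised
```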
Log in as xelsysadm, open each Organization (e.g. ACME CAPITAL), click on Administrative Roles and assign the role ACME HelpDesk Administrators. Provide Read permission (which is the default). Do this for each organization, so that when you search as the acmehelpdesk1 user you can see the organization and test creating a user.
Checkpoint
This completes the configuration of HelpDesk User authorizations. We created the ACME Organization hierarchy, the HelpDesk Role, the HelpDesk Administrator Users and the Authorization Policies. We assigned all these Auth Policies to the HelpDesk Administrators through the HelpDesk Role. We also did some miscellaneous configuration to set up the Email Server etc.
2.3. Practice Helpdesk communities actions to experience configured authorizations
Purpose
In this section we will log in as one of the HelpDesk admins and perform the various actions authorized for HelpDesk per the configuration in the previous section, like: Create User, Search User, Update User Status, Bulk Modify User Details and Reset User Password. We will also see what HelpDesk is not authorized to do, like: Delete User and Create User in Orgs it is not authorized for. Apart from this we will see how the user Login is created as per the User Id generation Policy.
Steps
2.3.1. Login as helpdesk user (either acmehelpdesk1 or acmehelpdesk2).
To execute all parts of this use case, log in only as one of the two helpdesk users you've just created.
Create a User in ACME CAPITAL – NOT allowed
While creating the User, choose Organization as 'ACME CAPITAL'. Notice that acmehelpdesk1 is NOT allowed to create the user.
Create a User in ACME Public Finance – allowed
Create a User with Organization ‘ACME Public Finance’. Choose User Login ‘acmefinuser1’ and Password ‘Abcd1234’. User
acmefinuser1 is created successfully.
Create a User in ACME Taxation, which is a child org of ACME Public Finance – allowed
Create a User with Organization ‘ACME Taxation’. Choose User Login ‘acmetaxuser1’ and Password ‘Abcd1234’. User
acmetaxuser1 is created successfully.
Delete the User(s) just created – NOT allowed
Search for users with the search pattern *tax*. A list of users is displayed and the delete icon is grayed out, indicating that the logged-in user is not allowed to perform this operation. The Delete option in the Actions menu is also grayed out.
Advanced Search Users
While logged in as acmehelpdesk1, from the Welcome page of Identity Administration select Advanced Search. Enter two search criteria on Last Name: Last Name Begins With Fin and Last Name Begins With Tax. A list of Users is displayed.
Bulk modify User Status (Disable, Enable) – allowed
Select all the users displayed above and click Action -> Disable.
A confirmation dialog box appears.
Click Yes.
All users are now Disabled.
To confirm this, perform the same search again; now you can see that the Identity Status of all the users is displayed as Disabled.
Note: Before moving ahead, repeat the above process to Enable all the users that were disabled.
Bulk Modify User Profile attribute (Previous Job History Verified) – allowed
While logged in as acmehelpdesk1, from the Welcome page of Identity Administration select Advanced Search. Enter the search criteria Last Name Begins With Tax and Last Name Begins With Fin. A list of users is displayed. Select all the users and click Bulk Modify. The Bulk Modify tab opens. Check the attribute Previous Job History Verified and click Save. A message confirming successful modification of the attribute appears at the top of the window.
Bulk Modify User Profile attribute (others) – NOT allowed
Follow the above process, but this time try changing some other attribute, say Start Date, and you will be presented with a message saying "Access denied while trying to modify the user(s)."
Note: The actual error in screenshot is not correct.
Create a User in Mergers & Acquisitions (auto-generation of User Login from firstname & lastname)
Create a User with First Name "John", Last Name "Roe", Organization "ACME Mergers and Acquisitions", User Type "Employee", Password "Abcd1234".
The user is created with User Login [email protected] from <FirstName>.<LastName>@<domain>
Create a User in Mergers & Acquisitions (auto-generation of User Login from email)
Create a User with First Name "Jane", Last Name "Roe", Organization "ACME Mergers and Acquisitions", User Type "Employee" and Email as your own email id (example: Nalin Sardana, an Oracle employee practicing this lab, will put his email as [email protected]). Only then can you see the result of the configuration as an actual mail arriving in your inbox. We also use this user for the password reset later in the lab, so it is important that the new password arrives at an accessible email address.
The user is created with the User Login you specified as the email address, not one derived from the name Jane Roe.
Check your mailbox for the mail with the temporary password for your account Jane Roe.
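The two user creations above show the User Login generation policy from the outside: without an email the login is <FirstName>.<LastName>@<domain>, with an email the email itself becomes the login. The following is an added model of that policy written for this page; it is not Oracle's own policy code. The placeholder domain, the accent and punctuation normalisation, and the numeric suffix on a collision are assumptions of the example.

```python
"""Model of a User Login generation policy of the kind this lab exercises.

Added illustration for this page, not Oracle's DefaultComboPolicy source.
Rules modelled:
  * if an e-mail address was supplied, it becomes the User Login;
  * otherwise the login is <FirstName>.<LastName>@<domain>;
  * on a collision a numeric suffix is appended (the suffix rule and the
    placeholder domain are assumptions of this example).
"""
import re
import unicodedata

DEFAULT_DOMAIN = "acme.example"   # placeholder; OIM takes the real domain from configuration
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _normalize(part):
    """Lower-case, strip accents and drop anything but letters and digits."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9]", "", ascii_part.lower())
    if not cleaned:
        raise ValueError("name part %r has no usable characters" % (part,))
    return cleaned


def generate_user_login(first_name, last_name, email=None, existing=(), domain=DEFAULT_DOMAIN):
    """Return the User Login the policy would assign to a new user.

    `existing` holds the logins already present (compared case-insensitively).
    """
    taken = {login.lower() for login in existing}
    if email:
        login = email.strip().lower()
        if not EMAIL_RE.match(login):
            raise ValueError("invalid e-mail address: %s" % login)
        if login in taken:
            raise ValueError("login %s is already in use" % login)
        return login
    base = "%s.%s" % (_normalize(first_name), _normalize(last_name))
    candidate = "%s@%s" % (base, domain)
    suffix = 1
    while candidate in taken:          # assumed collision rule: john.roe2@..., john.roe3@...
        suffix += 1
        candidate = "%s%d@%s" % (base, suffix, domain)
    return candidate


def is_user_login_valid(login, first_name, last_name, email=None, domain=DEFAULT_DOMAIN):
    """Check a login typed in by an administrator against the same policy."""
    login = login.lower()
    if email:
        return login == email.strip().lower()
    base = "%s.%s" % (_normalize(first_name), _normalize(last_name))
    return re.fullmatch(re.escape(base) + r"\d*@" + re.escape(domain), login) is not None


if __name__ == "__main__":
    print(generate_user_login("John", "Roe"))
    print(generate_user_login("Jane", "Roe", email="jane.roe@mail.example"))
```

The normalisation step matters for a login that will be used as an authentication identifier: accents, apostrophes and mixed case are removed so that two records for the same person cannot differ only in characters an administrator would not notice.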
Reset end-user password by HelpDesk (compliance with the password policy, password delivery by email, and the end-user is forced to
change the password on next login)
Search for User Jane. Open the user and click Reset Password. The Reset Password window appears. Select the radio button Manually
change the Password and enter Abcd1234 as the New Password. Check E-mail the new password to the user and click Reset
Password.
Notice that the (default) Password Policy is displayed. The password must conform to this policy. The password can also be auto-generated by
selecting the Auto-generate the Password (Randomly generated) radio button.
Check your mailbox for the new password. Log out and log in with your User Login [email protected] and password
Abcd1234. You will be prompted to change the password and answer security questions.
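The reset described above enforces three controls: the new password must conform to the policy, it is delivered out of band by email, and the user must change it at the next login. The following is an added illustration for this page of those controls in code; it is not OIM's password-policy engine. The policy values, the special-character set and the sample user are constructed for the example and are not OIM's default policy settings.

```python
"""Password-policy check and auto-generation for a help-desk reset.

Added illustration for this page, not OIM's password-policy engine.  The
policy values below are constructed for the example and are not the values
of OIM's default policy.
"""
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+"

POLICY = {                      # constructed sample policy
    "min_length": 8,
    "max_length": 32,
    "min_upper": 1,
    "min_lower": 1,
    "min_digits": 1,
    "min_special": 0,
    "disallow_user_login": True,
    "disallow_first_name": True,
    "disallow_last_name": True,
}


def check_password(password, user, policy=POLICY):
    """Return the names of the policy rules the password violates (empty list = conforms)."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append("min_length")
    if len(password) > policy["max_length"]:
        violations.append("max_length")
    if sum(c.isupper() for c in password) < policy["min_upper"]:
        violations.append("min_upper")
    if sum(c.islower() for c in password) < policy["min_lower"]:
        violations.append("min_lower")
    if sum(c.isdigit() for c in password) < policy["min_digits"]:
        violations.append("min_digits")
    if sum(c in SPECIALS for c in password) < policy["min_special"]:
        violations.append("min_special")
    lowered = password.lower()
    for rule, field in (("disallow_user_login", "login"),
                        ("disallow_first_name", "first_name"),
                        ("disallow_last_name", "last_name")):
        value = user.get(field, "")
        if policy[rule] and value and value.lower() in lowered:
            violations.append(rule)
    return violations


def generate_password(user, policy=POLICY, length=12):
    """Generate a random password that satisfies `policy` for `user` (the auto-generate option)."""
    rng = secrets.SystemRandom()          # OS entropy, never the default PRNG
    length = max(length, policy["min_length"])
    alphabet = string.ascii_letters + string.digits + SPECIALS
    for _ in range(100):                  # retry if a draw happens to contain the user's name
        chars = [rng.choice(string.ascii_uppercase) for _ in range(policy["min_upper"])]
        chars += [rng.choice(string.ascii_lowercase) for _ in range(policy["min_lower"])]
        chars += [rng.choice(string.digits) for _ in range(policy["min_digits"])]
        chars += [rng.choice(SPECIALS) for _ in range(policy["min_special"])]
        chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate, user, policy):
            return candidate
    raise RuntimeError("could not generate a conforming password")


def reset_password(user, new_password=None, policy=POLICY):
    """Help-desk reset: validate or generate the password, then force a change at next login."""
    if new_password is None:
        new_password = generate_password(user, policy)
    else:
        violations = check_password(new_password, user, policy)
        if violations:
            raise ValueError("password violates policy rules: %s" % ", ".join(violations))
    return {
        "login": user["login"],
        "password": new_password,
        "deliver_to": user["email"],          # the lab e-mails the new password to the user
        "must_change_at_next_login": True,    # the lab prompts for a change at next login
    }
```

Manual resets and auto-generated ones go through the same check, so a help-desk user cannot bypass the policy by typing a weak password, and the forced change at next login limits how long a password known to the help desk stays valid.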
Checkpoint
In the last section we completed the configuration of HelpDesk user authorizations. In this section we logged in as one of the HelpDesk
admins and performed the various actions authorized for the HelpDesk: Create User, Search User, Update User Status, Bulk Modify
User Details and Reset User Password. We also saw what the HelpDesk is not authorized to do: Delete User, and Create User in
organizations the HelpDesk is not authorized for. Apart from this we saw how the User Login is created according to the User ID generation policy. We also
configured the email server and demonstrated the Reset Password functionality.
2.4. Configure Managers’ authorization for the administration of their direct reports
Purpose
The purpose of this section is to configure Managers’ authorization for the administration of their direct reports. We will create a 3-level
hierarchy of users. We will also create a Senior Manager role for 2nd-level managers who can perform specific searches that first-level
managers can’t. In this step you will:
Create ACME Taxation Users
Create ‘ACME SeniorManagers’ Role
Create ‘Search PostGrad’ Authorization Policy
At the end of this step, you will have the following organization structure:
Steps
Create ACME Taxation Users
2.4.1. Login as xelsysadm and create the user acmetaxexec reporting to user acmetaxmgr, who in turn reports to acmetaxdir (a 3-level
hierarchy), under the organization ACME Taxation.
Create acmetaxdir (Acme Taxation Director)
Create acmetaxmgr (Acme Taxation Manager)
Create acmetaxexec (Acme Taxation Executive)
Create ACME SeniorManagers Role
Create the ‘ACME SeniorManagers’ Role and assign the role to user ‘acmetaxdir’. Create the Authorization Policy ‘Search PostGrad’ and
assign it to the ‘ACME SeniorManagers’ Role. Configure Search so that the ‘Post Graduate’ field is searchable.
In Search Users, leave the field empty and click the arrow icon.
Then select ‘Acme Taxation Director’ from the Available list on the left.
Click Save
Create ‘Search PostGrad’ Authorization Policy
Create the ‘Search PostGrad’ Auth Policy with Policy Name ‘Search PostGrad’, Description ‘Auth Policy given to ACME Senior
Managers to search postgraduates in their own organizations’, Entity Name ‘User Management’. Give it the Permissions ‘Search
User’ and ‘View User Details’ (select only the Post Graduate attribute). Specify the Data Constraint as ‘ACME CAPITAL’ (Hierarchy
Aware). In Assignment specify Assign by Role as ‘ACME Senior Managers’ and the Security Setting ‘Assignee must be a member
of the User’s Organization’.
Click Next, click Finish and then click Apply.
In the Welcome tab, under Advanced page, click User Configuration. On the left pane from the Actions menu, select Search
Configuration.
The User Search Configuration page is displayed. Scroll to Advanced Search: Search Attributes and select the attribute ‘Post
Graduate’ that you want to make available for advanced search. Click the Move buttons to add the attribute for advanced search.
Click Save.
Checkpoint
This completes the configuration of Managers’ authorization for the administration of their direct reports.
2.5. Practice Managers’ actions to experience configured authorizations on User Administration
Purpose
After configuring the Managers’ authorization, we will now log in as managers and perform the administration of direct reports. We
will first log in as the first-level manager (acmetaxmgr) and then perform some specific administration as the second-level manager (acmetaxdir).
A summary of the ‘Search PostGrad’ authorization policy is shown below:
The authorization policies for managers are shown below:
Steps
2.5.1. Login as acmetaxmgr (Acme Taxation Manager)
Acme Taxation Manager is the first-level manager.
Search for Users – only direct reports are shown
The only person reporting to Acme Taxation Manager is Acme Taxation Executive, who is displayed. No other person in the Acme
Taxation organization or in any other organization is displayed.
Advanced Search – allowed
Enter * as the search filter in the Display Name field and click Search. Acme Taxation Executive is the only report, so the search
returns only one user. Note: The screenshot shows Contains, but it should actually be Begins With.
View User Details (only a few attributes are shown)
Click the Acme Taxation Executive user to display the user profile. Notice that only a few attributes from Basic User Information and
Account Settings are displayed.
Search for Users who are Postgraduates – NOT allowed
From the Advanced Search window, click Add Fields and select Post Graduate. This adds the Post Graduate field as a search filter.
Enter ‘Post Graduate’ as the search filter and click Search. An error message pops up stating that you do not have search
permission on the Post Graduate attribute.
In later versions of the product you may find that ‘Post Graduate’ cannot be added as a search field at all, since it is not allowed.
Log out and log in as the Senior Manager ‘acmetaxdir’ (Acme Taxation Director)
Acme Taxation Director is the second-level manager.
Search for Users – only direct reports are shown
Acme Taxation Executive reports to Acme Taxation Manager, who in turn reports to Acme Taxation Director. A user search
shows both the Executive and the Manager, and the users below them.
Search for Users who are Postgraduates – allowed
Using the procedure listed in the previous step, add Post Graduate as a search filter. Search for users who are not postgraduates: Post
Graduate Equals false. A list of users who are not postgraduates is displayed.
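The behaviour observed in 2.5 combines two checks: search scope is the manager's reporting chain, and filtering on Post Graduate requires the ‘Search PostGrad’ policy (role ACME SeniorManagers, data constraint ACME CAPITAL with hierarchy awareness, assignee in the target user's organization). The following is an added model of those checks written for this page; it is not OIM's authorization engine. The organization tree (ACME Taxation and ACME Finance under ACME CAPITAL), the baseline searchable attributes and the sample users are constructed assumptions.

```python
"""Model of hierarchy-aware manager search authorization.

Added illustration for this page, not OIM's authorization engine.  It
reproduces what 2.5 demonstrates: a manager can search only users in their
reporting chain, and 'Post Graduate' is searchable only through the
'Search PostGrad' policy.  Org tree, baseline attributes and sample users
are constructed for the example.
"""

ORG_PARENT = {"ACME CAPITAL": None, "ACME Taxation": "ACME CAPITAL", "ACME Finance": "ACME CAPITAL"}

USERS = {  # constructed sample directory
    "acmetaxdir":  {"Display Name": "Acme Taxation Director",  "org": "ACME Taxation", "manager": None,
                    "roles": {"ACME SeniorManagers"}, "Post Graduate": True},
    "acmetaxmgr":  {"Display Name": "Acme Taxation Manager",   "org": "ACME Taxation", "manager": "acmetaxdir",
                    "roles": set(), "Post Graduate": False},
    "acmetaxexec": {"Display Name": "Acme Taxation Executive", "org": "ACME Taxation", "manager": "acmetaxmgr",
                    "roles": set(), "Post Graduate": True},
    "acmefinmgr":  {"Display Name": "Acme Finance Manager",    "org": "ACME Finance",  "manager": None,
                    "roles": set(), "Post Graduate": False},
}

BASE_SEARCH_ATTRIBUTES = {"Display Name", "User Login"}   # assumed baseline every manager may filter on

SEARCH_POSTGRAD_POLICY = {          # mirrors the policy configured in 2.4
    "role": "ACME SeniorManagers",
    "attributes": {"Post Graduate"},
    "org_constraint": "ACME CAPITAL",   # hierarchy aware: the whole subtree
    "assignee_in_users_org": True,
}


def org_in_subtree(org, root):
    """True if `org` is `root` or sits anywhere below it."""
    while org is not None:
        if org == root:
            return True
        org = ORG_PARENT.get(org)
    return False


def reports_of(manager, users=USERS):
    """All transitive reports of `manager`, as sorted logins."""
    found, frontier = set(), {manager}
    while frontier:
        direct = {u for u, rec in users.items() if rec["manager"] in frontier and u not in found}
        found |= direct
        frontier = direct
    return sorted(found)


def may_search_attribute(actor, attribute, users=USERS, policy=SEARCH_POSTGRAD_POLICY):
    """Role-level check: is `actor` granted search on `attribute` at all?"""
    if attribute in BASE_SEARCH_ATTRIBUTES:
        return True
    return attribute in policy["attributes"] and policy["role"] in users[actor]["roles"]


def target_in_policy_scope(actor, target, users=USERS, policy=SEARCH_POSTGRAD_POLICY):
    """Data constraint plus the 'assignee must be a member of the user's organization' setting."""
    a, t = users[actor], users[target]
    if not org_in_subtree(t["org"], policy["org_constraint"]):
        return False
    return not policy["assignee_in_users_org"] or a["org"] == t["org"]


def _matches(actual, wanted):
    """Equals, or Begins With when the filter value ends in '*' (as '*' in the lab)."""
    if isinstance(wanted, str) and wanted.endswith("*"):
        return str(actual).startswith(wanted[:-1])
    return actual == wanted


def advanced_search(actor, filters, users=USERS, policy=SEARCH_POSTGRAD_POLICY):
    """Logins in `actor`'s reporting chain matching `filters`; PermissionError on a forbidden attribute."""
    for attribute in filters:
        if not may_search_attribute(actor, attribute, users, policy):
            raise PermissionError("%s has no search permission on attribute %s" % (actor, attribute))
    uses_policy_attrs = any(a in policy["attributes"] for a in filters)
    hits = []
    for login in reports_of(actor, users):
        rec = dict(users[login], **{"User Login": login})
        if uses_policy_attrs and not target_in_policy_scope(actor, login, users, policy):
            continue
        if all(_matches(rec.get(attr), value) for attr, value in filters.items()):
            hits.append(login)
    return hits
```

The permission check on the attribute is done before any data is read, which is why the lab shows an error rather than an empty result for acmetaxmgr: an empty result would still leak whether the filter matched anything.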
Checkpoint
In this section we performed various administration functions carried out by Managers for their direct reports.
2.6. End-Users Self profile edit authorization
Purpose
In this section we will do configuration for modification of User Self Profile. We will create Approval policies, as profile attributes
will need approval before modification. In this procedure you will:
Create First Approval Policy (SSRUserProfileModify_RL)
Create Second Approval Policy (SSRUserProfileModify_OL)
Steps
Create First Approval Policy
The first approval policy will define which profile attributes end users can modify.
2.6.1. Login as xelsysadm. Create Approval Policies for the requests raised when a user modifies attributes on their own profile.
Create the Approval Policy from the Advanced Identity Administration page as follows:
First Approval Policy (SSRUserProfileModify_RL):
Policy Name: SSRUserProfileModify_RL
Description: Approval Policy to Approve Self Service Request for User Profile Modification
Request Type: Modify Self Profile
Level: Request Level
Approval Process: Auto Approval
Click Next.
Note: Update the screenshot below
Set Approval Rule and Component window appears. Set Rule Name as: ‘SSRUserProfileModify_RL_Rule’ and click Add
Simple Rule.
In the Add Simple Rule window, select:
Entity: Request
Attribute: Request Type
Condition: Equals
Value: Modify Self Profile
Parent Rule Container: Approval Rule
Click Save. Click Next.
Click Finish. Approval policy is created.
Create Second Approval Policy
The second approval policy will define manager’s approval for attributes modified by end users.
Following the steps above, create the Second Approval Policy (SSRUserProfileModify_OL):
Policy Name: SSRUserProfileModify_OL
Description: Approval Policy to Approve Self Service Request for User Profile Modification
Request Type: Modify Self Profile
Level: Operation Level
All Scope: checked
Approval Process: default/RequesterManagerApproval!1.0
Click Next.
Set Approval Rule and Component window appears. Set: Rule Name as ‘SSRUserProfileModify_OL_Rule’ and click Add
Simple Rule
In the Add Simple Rule window, select:
Entity: Request
Attribute: Request Type
Condition: Equals
Value: Modify Self Profile
Parent Rule Container: Approval Rule
Click Save.
Click Next.
Select this process
Click Finish. Approval policy is created.
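The two policies just created form a two-stage workflow: the request-level policy auto-approves a Modify Self Profile request, and the operation-level policy routes it to the requester's manager, which is what section 2.7 then observes. The following is an added model of that evaluation written for this page; it is not OIM's request engine. The manager-approval process is modelled as a task assigned to the requester's manager, the sample users are constructed, and status names other than those shown in the lab screens (Obtaining Operation Approval, Request Completed) are assumptions.

```python
"""Model of the two-level approval flow configured in 2.6 and exercised in 2.7.

Added illustration for this page, not OIM's request engine.  The two policies
below carry the values entered in 2.6; the RequesterManagerApproval process is
modelled as an approval task assigned to the requester's manager, and the
attribute changes are applied only once that task is approved.
"""

APPROVAL_POLICIES = [
    {"name": "SSRUserProfileModify_RL", "level": "Request",
     "rule": ("Request", "Request Type", "Equals", "Modify Self Profile"),
     "process": "Auto Approval"},
    {"name": "SSRUserProfileModify_OL", "level": "Operation",
     "rule": ("Request", "Request Type", "Equals", "Modify Self Profile"),
     "process": "default/RequesterManagerApproval!1.0"},
]

USERS = {  # constructed sample users with the profile attributes the lab edits
    "acmetaxmgr":  {"manager": "acmetaxdir", "Middle Name": "", "Email": "", "Telephone Number": ""},
    "acmetaxexec": {"manager": "acmetaxmgr", "Middle Name": "", "Email": "", "Telephone Number": ""},
}


def rule_matches(rule, request):
    """Evaluate one simple rule (Entity, Attribute, Condition, Value) against request data."""
    entity, attribute, condition, value = rule
    if entity != "Request" or condition != "Equals":   # only the condition the lab uses is modelled
        raise NotImplementedError("rule %r not supported by this model" % (rule,))
    return request.get(attribute) == value


def _policy_for(level, request):
    """First policy of the given level whose rule matches, or None."""
    for policy in APPROVAL_POLICIES:
        if policy["level"] == level and rule_matches(policy["rule"], request):
            return policy
    return None


class Request:
    _next_id = 1

    def __init__(self, requester, request_type, changes, users=USERS):
        self.id = Request._next_id
        Request._next_id += 1
        self.requester, self.users = requester, users
        self.data = {"Request Type": request_type, "Requester": requester, "Changes": changes}
        self.status = "Request Created"          # assumed initial status
        self.task = None                         # pending approval task, if any
        self.history = [self.status]

    def submit(self):
        """Run request-level, then operation-level approval as the policies dictate."""
        rl = _policy_for("Request", self.data)
        if rl is None or rl["process"] != "Auto Approval":
            return self._set("Obtaining Request Approval")     # assumed status name
        self._set("Request Approved")                            # assumed status name
        ol = _policy_for("Operation", self.data)
        if ol is None or ol["process"] == "Auto Approval":
            return self._complete()
        # RequesterManagerApproval: the task goes to the requester's manager
        approver = self.users[self.requester]["manager"]
        self.task = {"assignee": approver, "process": ol["process"]}
        return self._set("Obtaining Operation Approval")

    def approve_task(self, actor):
        """Only the task assignee may approve; the changes are applied on approval."""
        if self.task is None or actor != self.task["assignee"]:
            raise PermissionError("%s is not the assignee of request %d" % (actor, self.id))
        self.task = None
        self._set("Operation Approved")                          # assumed status name
        return self._complete()

    def _complete(self):
        profile = self.users[self.requester]
        for attr, value in self.data["Changes"].items():
            profile[attr] = value
        return self._set("Request Completed")

    def _set(self, status):
        self.status = status
        self.history.append(status)
        return self
```

Note that the profile is untouched until approve_task runs, which matches the observation in 2.7 that none of the edited attributes change when the request is raised, and that the approval check is on the assignee, so the requester cannot approve their own change.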
Checkpoint
In this section we configured the modification of the User Self Profile by creating Approval Policies. We created Request Level
and Operation Level approval policies, which will be used to approve the requests generated by end users upon modifying their own
profiles.
2.7. Practice Self Profile Edit as an End-user to experience configured authorizations
Purpose
In this section we will login as end user and demonstrate the modification of User Self profile.
Steps
2.7.1. Login as acmetaxexec (Acme Taxation Executive)
Acme Taxation Executive is the end user
Update profile attributes to generate a request
Click Profile -> My Profile. Edit Middle Name, Email and Telephone Number. Click Apply.
Notice that a request is generated and that none of the attributes edited in the previous step have been modified yet.
Click Requests -> My Requests and you will see that the generated request is in Status Obtaining Operation Approval. You can
select the request and click Open Request Details.
A new tab Request Detail: ID opens. Click Approval Tasks to see that the task is assigned to acmetaxmgr.
Log out and log in as acmetaxmgr (Acme Tax Manager) to view and approve the request
Click Tasks -> Search Approval Tasks. You will notice that the request from the previous step is waiting here for approval. Click Open
Task Detail.
The Task Details tab opens. Click View Details on the Users tab to view more details.
Verify the profile data the end user has requested to change.
After checking the details, close the popup dialog box and click Approve Task. A dialog box confirming approval of the task
appears. Click OK.
Log out and log back in as acmetaxexec to view the updated attributes
Click Profile -> My Profile and verify that the changes made are now reflected in the profile.
Checkpoint
In this section we saw the modification of the end-user Self Profile. A request was raised upon changing attributes. Upon approval by
the user’s manager, the attributes were modified and reflected in the user profile.
Conclusion
In this lab, you accomplished the following:
Enhanced the OIM User schema to add a custom attribute
Created Authorization policies for Helpdesk-oriented User Management
Created Authorization policies for Manager-oriented User Management
Created Approval policies for Self-Service User Profile Management
Created Users, Roles and Organizations
Relevant features that you should explore further:
Extending/customizing User Create-Update-Delete events by adding custom Java code. This can be achieved by adding
pre-process, validation and post-process orchestration handlers on the OIM User entity.