Oracle IDM Questions & Answers
Q: What is an Identity?
An identity is the virtual representation of an enterprise resource user including employees, customers, partners and vendors. Identity Management shows the rights and relationships the user has when interacting with a company’s network.
Q: What are the benefits of Identity Management?
Centralized auditing and reporting – Know who did what and report on system usage.
Reduce IT operating costs – Immediate return on investment is realized by eliminating the use of paper forms, phone calls and wait time for new account generation and enabling user self service and password management.
Minimize Security Risk – Control access to the network and instantaneously update accounts in a complex enterprise environment including: layoffs, acquisitions, partner changes, temporary and contract workers.
Improved quality of IT services
Legal compliance – Many government mandates require secure control of access.
Q: How does Identity Management (IDM) work?
The process involves creating user accounts that are able to be modified, disabled or deleted. Delegated workflows, rules and policies are applied to the users account. A user profile will tell the company: who they are, what they are entitled to do, when they are allowed to perform specific functions, where they are allowed to perform functions from and why they have been granted permissions.
Q4: How are Identity Management Solutions Implemented?
Step 1: Inventory and assess current investments and processes. Clean and consolidate identity data stores. Create virtual identities for enterprise users.
Step 2: Design and deploy identity infrastructure components. Create identity provisioning and deploy password management, user self-service, and regulatory compliance.
Step 3: Deliver applications and services. Access management deployed to a clean environment. Leverage federated identity for improving supply chain and employee efficiencies.
Q: Explain the Architecture of Oracle identity Manager?
The Oracle Identity Manager architecture consists of three tiers
Tier 1: Client: The Oracle Identity Manager application GUI component reside in this tier. Users log in by using the Oracle Identity Manager client.The Oracle Identity Manager client interacts with the Oracle Identity Manager server, providing it with the user's login credentials.
Tier 2: Application Server: The second tier implements the business logic, which resides in the Java Data Objects that are managed by the supported J2EE application server (JBoss application server, BEA WebLogic, and IBM WebSphere). The Java Data Objects implement the business logic of the Oracle Identity Manager application, however, they are not exposed to any methods from the outside world. Therefore, to access the business functionality of Oracle Identity Manager, you can use the API layer within the J2EE infrastructure, which provides the lookup and communication mechanism.
Tier 3: Database: The third tier consists of the database. This is the layer that is responsible for managing the storage of data within Oracle Identity Manager.
Q: What is purpose of Reconciliation Manager?
You can look here for recon data once reconciliation is complete. You can determine whether event received and linked for not.
Q: What is Application Server and Web server?
A Web server exclusively handles HTTP requests, whereas an application server serves business logic to application programs through any number of protocols. Webserver mainly handles the Http requests but app server can be used to handle the http, rmi, TCP/IP and many more protocols. Webserver just handles the requests of the webpage – means suppose, a html page(presentation layer) requests a data - here script is written containing the business logic , then it just give the response with the required data from the database. Then the html page with script is used to show the retrieved information. In case of application server, it does the same thing, of getting and gives the response but it can process the requests. i.e. in this case, instead of script know how to fetch the data, the script is simply used to call the applications server's lookup service to retrieve and process the data. i.e here, application server is used for processing/applying logic. The web server can be considered as the subset of app server
The basic difference between a web server and an application server is
WebServer can execute only web applications i.e. servlets and JSPs and has only a single container known as Web container which is used to interpret/execute web applications
Application server can execute Enterprise application, i,e (servlets, jsps, and EJBs) it is having two containers
1. WebContainer (for interpreting/executing servlets and jsps)
2. EJB container (for executing EJBs). It can perform operations like load balancing, transaction demarcation etc.
Q: What is the purpose of rule designer?
Use this form to create rules that can be applied to password policy selection, automatic group membership, provisioning process selection, task assignment, and prepopulating adapters.
Q: What is Adapter? What Adapters available in OIM?
An adapter is a Java class that is created by an Oracle Identity Manager user through the Adapter Factory.
Process Tasks adapters - automate completion of a process task and are attached to a Process Definition Form ( AD user, OID User, etc)
Entity Adapter - automatically populates a field on the OIM User form or custom User Form on pre-update, pre-delete, pre-insert, post-insert, post- update, or post-delete
Pre-Populate Adapter - specific type of rule generator attached to a user- created form field that can automatically generate data to the form but
does not save that data to the OIM database but does send that information to appropriate directory user object. The data can come from manual entry on a form or from automated entry from the OIM defined forms.
Rule Generator - can populate fields automatically on an OIM form or a user-created form and save to the OIM database based on business rules
Task Assignment Adapter - automates the assignment of a process task to a user or group
Q: What is the difference between OIM 11g and 10g from the high level architecture perspective?
At high level below are the brief differences
a) 10g Request Management has been replaced by SOA composite which has a customized schema accommodating BPEL and Human Task.
b) Reconciliation engine has been re-written in 11g to enhance the performance by introducing the cache mechanism.
c) OES libraries are used as an authorization engine unlike 10g had its own object vs view based authorization.
d) Plugin services platform is introduced in 11g to have easy customization in place which can be somewhat mapped to entity adapter functionality in 10g.
e) Groups in 10g are now called as Roles in 11g with some modifications which makes it like ldap roles.
Some more differences related with notifications, schedulers and etc can be discussed if time permits.
Q: What are the steps to integrate Active Directory with Oracle Identity Manager?
1. Install Active directory connector by
a. Placing the extracted installable at
OIM_HOME/server/ConnectorDefaultDirectory b. Install Connector from sysadmin console
2. Install and Configure the Connector server in AD or in same domain a. Paste the extracted Connector Server installable in AD
b. Install Connector Server using the .msi file
c. Set handshake key using
$CONN_SERVER_HOME/ConnectorServer.exe /setkey d. Stop Connector server service
e. Paste the extracted Connector installable from Step1a to
$CONN_SERVER_HOME/
f. Update the Port in
$CONN_SERVER_HOME/ConnectorServer.exe.Config g. Enable logging if needed
h. Start the service
3. Configure the IT resource for AD connector
4. Configure the IT resource for AD connector server ,update key (2c)
and Port (2f)
5. Run the OU and Group lookup reconciliations
6. Create the Active directory application Instance using Sandbox
7. Run the Entitlement List(from Lookup tables to entitlement table)
and Catalog Sync Jobs
8. Test by provisioning user
Q: What are the possible ways to integrate Approval Workflow for various operations?
In OIM 11g R2 PS3,we can configure OIM to run with or without Approval WFs. This is set by a system property- “Workflows Enabled”. The default configuration being with Approval WFs.
Approval WF rules can be configured for a list of operations on core identity objects like Create User/Modify User/Disable or Enable User/Modify Role/Provision Account etc.
These admin/system defined rules will define which SOA Composite is to be invoked the predefined entity operations. The admin can configure rules with Workflow marked as “NO_WORKFLOW”, if the request is to be directly granted without approvals.
We can leverage a list of SOA composites that are already available with the fresh deployment.
Lifecycle of an operation level request (e.g. – Assign one Role for a single beneficiary)
1. Once the request is submitted/generated the request moves to
“Request Created” stage
2. When the approval workflow is invoked based on the WF rule ,the operation level request moves to “Request Waiting for Approval” stage
3. Approval completion will move the request status to “Request Approved” and Step-4 will follow, if request is rejected by the approver configured, then the request moves to “Request Rejected” state and request ends with no Step - 4
4. Then the requested operation is initiated
In the case of Bulk request that is request containing more than 1 entity, the request will first go for a request level approval (if configured) followed by individual operation level approval as described above.
Prior to this release, Approval policies were used for defining approval process for an operation. But this has now been deprecated.
If OIM has been upgraded from older versions that use Approval policies, it will continue to work.
Q: How Escalation and Reminders notification work in Oracle Identity Manager 11g ?
To enable identity governance functionality it is necessary to have approval process defined for various identity related operations. OIM leverages SOA features along with BPEL(Business Process Execution Language) for accomplishing the business process. Since manual (Approver/IT provisioner) intervention is required for the workflow completion, the business process must have the ability to assign task/request to users or groups, escalate, remind on timely basis, reassign etc. The BPEL process invokes a Human Task whenever a manual intervention is needed in the business process. The Human task contains the logic to escalate, notify, expire the approval task to users/groups. The Human task can send notifications to the configured assignee in the task.
Q: How will you add additional fields on Self Register Form (OIM 10g and OIM 11g) ?
Steps –
1. Login to admin console
2. Create and activate Sandboc
3. Browse to System Entities User
4. Add attribute
5. Export and Publish Sandbox
6. Logout
7. Login to identity console as admin
8. Create a Sandbox
9. Click on Self Service home
10. Click ‘Customize’ option
11. WebComposer is opened in customization page, choose
‘Structure’
12. Select structure close to My Access
13. Select the last gridRow and edit it and enable Show Component
14. List of all unauthenticated pages appear
15. Choose the screen to which we need to add this additional attribute
16. Open Data component – User Registration ->UserVO1
17. Search for the new attribute and add it in the form you wish to display
18. Export and Publish Sandbox
Q: How Approval Policies are different from Access Policies ?
Approval Policies are defined for ensuring the business process for identity governance is in place. Approval policy is a configurable entity of the request management, it maps the request type with a corresponding approval process/workflows. The approval policy can be defined at request level or operational level. Please note that this is been replaced by Approval Workflows in OIM 11g R2 PS3. Access Policies are rules that are assigned to roles, that determine which target system should the user be provisioned/de-provisioned to. It is an effective way to automate provisioning process.
Q: What is the significance of "Create Reconciliation Profile" Button in Oracle Identity Manager 11g ?
Clicking the “Create Reconciliation Profile” will result in copying the
Resource Object (modifications) to MDS
Q: What are Object Reconciliation Rule ?
Recon rules are configurable linking rules that can be defined in OIM for each target system. These are invoked during trusted recon as well as target based recon. Based on the link match, changes fetched from recon event are brought into OIM
Invoked when OIM tries to determine which user/org record is associated with an update during trusted/target recon. These rules are specific to the RO.
Q: Explain the Architecture of OIM ?
OIM is a J2EE web app deployed on Oracle WebLogic Server.Has 4 Tiers
User Interface Tier – 3 consoles (2 browser baser and 1 java thick client for development)
Application Tier – Consists of Identity Self Service and Admin web applications, SPML XSD and REST WS and Java classes that provide the core functionality like identity administration, authorization, provisioning and reconciliation etc
Database Tier -Repository to store identity, requests and other meta data
like access policies’
Connector Tier – Consists of applications and target systems to which you provision/de-provision user accounts, it also includes connector server etc.
Q: How will be remove Validation for duplicate email address ?
System Property – OIM.EmailUniqueCheck is available in OIM 11g
R2 which if set to FALSE , then uniqueness check is not done
Q: Difference between OIM 11g R1 and OIM 11g R2 ?
OIM 11g R2 PS3 has the below features that were not present in R1
1. New Look and feel for Identity console
2. Access Request catalog
3. Approval policies replaced by Approval workflow policies
4. Service capabilities
5. Admin roles for authorization control along with fine grained authz
6. Chained entity LCM introduced
7. Sunrise and Sunset scenarios for provisioned entities
8. Access Policy harvesting introduced
9. Home Organization Policy introduced
10. Lightweight auditing introduced
11. Enhanced self service password capabilities
12. System Property introduced to Enabled/Disable WF
13. Self
14. REST APIs replaces the old SPML interfaces
Q: Difference between OIM 10g and OIM 11g R2 ?
1. SOA replaced the 10g request management
2. Notification providers added like SOA UMS notification
3. ICF based connectors incorporated that helps in easier/flexible development for custom and decoupling for predefined OOTB connectors
4. Plugin services platform is introduced in 11g to have easy customization in place which can be somewhat mapped to entity adapter functionality in 10g.
5. Including the differences b/w 11gR1 & R2 mentioned in earlier question
Q: What is Request Catalog?
It provides a simple, easy to use, web based user interface that allows non-technical business/enterprise users to request access to entities like application instance, entitlements or account permissions, roles. These entities will be configured to be visible (based on business needs) by Catalog administrators (similar to sys admin and sys configurator role).The catalog approach of requesting entities is very similar to the “Shopping cart” experience that all users are well familiar with and hence extremely friendly even for a non technical end user.
Q: What is Request Profile?
Admin can create profiles using the access request catalog, this will enable to group or cluster all relevant entities that are required for a specific (commonly used) task. The end user can directly request for this grouped entities using the request profile and this will save time and avoid confusions.
The submitted request will then go in for a request level approval followed by individual child/operation approvals.
Q: Difference between Application Instance and Resource Object?
Application Instance is a provision-able entity and a new abstraction used in 11g Release 2 (11.1.2.3.0). It is a combination of IT resource instance (target connectivity and connector configuration) and resource object (provisioning mechanism).App Instance will be published or made visible to organizations. They can be requested from the request catalog. Resource object is the virtual representation of the Target system containing all the attributes it holds for an account.
Q: What are Admin Roles?
The security model in OIM works on the basis of the admin role assignment to users. The authorization engine in OIM allows granular delegated administration by allowing administrators to define admin roles and associate them with specific functional capabilities. The custom admin roles can be configured to have definite attribute level permissions and control attribute level visibility. The admin roles are firsts class entity and is not same as enterprise roles.
Q: What are Archival utilities?
The application capabilities in OIM generate huge amount of data and they are managed by either purging or/and archival solutions provided by the product. The utility controls the growth of audit data by purging the data in a logical and consistent manner. Archival solutions are provided by OIM for its entities like Reconciliation, Provisioning tasks, Request, Orchestration, Lightweight audit, Legacy audit.
Q: How do you hide Admin Links for End users from Identity console?
Authorizations in OIM is controlled by Admin roles. Only when end Users are added to the admin roles for which privileges for administration are defined, will the end user get any Admin links.
No comments:
Post a Comment