Friday, 29 September 2017

Oracle Identity Manager 12c (New Features)

Oracle Identity Governance 12c has already been released. As in the previous release, it contains OIM with the Identity Audit features and OPAM (Oracle Privileged Account Manager). Some new features have been introduced in the Identity Manager part, and in this blog I will highlight some of them. From a UI point of view there are no major changes; the end-user experience for the access request catalog and for approvals and certifications remains the same.




New Configuration Features

1. The OIG 12c infrastructure requires the following components:
  • WebLogic 12.2.1.3.0
  • SOA 12.2.1.3.0
  • OIG 12.2.1.3.0
  • Oracle Database (11.2.0.4 or any 12c release)
2. RCU (Repository Creation Utility) is now bundled with the installation and is run from oracle_common/bin.
3. If you do not have DBA privileges, RCU can generate scripts for a DBA to run. Once the DBA has executed the generated scripts, you run the post-processing configuration yourself. This is very helpful where the database is managed by a separate administration team.


4. OIM 12c finally supports an encrypted database. When RCU creates the OIM schemas, it can place them in an encrypted tablespace. This requires TDE (Transparent Data Encryption) to be enabled in the Oracle 12c database. With TDE the database encrypts the tablespace at the storage layer using a key held in the database keystore (wallet); data is transparently decrypted for database users and applications that access it, so neither needs to be aware that the data is stored in encrypted form. Keep in mind what this does and does not protect: TDE covers data at rest (datafiles, backups and copies taken off the host), while anyone holding valid database credentials still reads clear text, so it complements rather than replaces database access control.

If TDE is enabled in the Oracle 12c database, RCU automatically offers an option to encrypt the OIM tablespace.

Functional Features

1. OIM 12c introduces a custom reviewer option for certification. It applies to identity certification. Custom reviewers are specified by defining certification rules in the CERT_CUSTOM_ACCESS_REVIEWERS table.

The benefit of this feature is that a certification task can now be assigned based on a rule defined for the custom reviewer.

For example:
For every user who has the VISDU1 application and the "EntTestDB~CN=VISD,DC=abc,DC=com" entitlement, the certifier should be "John Clark".

And

For every other user who has the VISDU1 application but not the "EntTestDB~CN=VISD,DC=abc,DC=com" entitlement, the certifier will be the user's manager.

Define the rules in the CERT_CUSTOM_ACCESS_REVIEWERS table under a map name, then assign that map name in the certification definition.
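To make the matching order of such rules concrete, here is an added example in plain Python; it is not code from the post or from Oracle. The real column layout of CERT_CUSTOM_ACCESS_REVIEWERS is not shown on the page, so the rule shape (map name, application instance, optional entitlement, reviewer) and the "jclark" login standing in for John Clark are assumptions. It also adds the two checks a practitioner wants from such a rule set: the specific rule must be evaluated before the catch-all, and a user must never end up certifying their own access.

```python
# Added example (not from the original post or from Oracle). It evaluates
# custom-reviewer rules of the kind described above in plain Python. The real
# column layout of CERT_CUSTOM_ACCESS_REVIEWERS is not shown on the page, so the
# rule shape below (map name, application, optional entitlement, reviewer) is an
# assumption used only to illustrate the matching order.
from dataclasses import dataclass, field
from typing import Optional

MANAGER = "MANAGER"  # sentinel reviewer: resolve to the user's manager at run time


@dataclass(frozen=True)
class ReviewerRule:
    map_name: str
    app_instance: str
    entitlement: Optional[str]  # None: rule matches any holder of the application
    reviewer: str               # reviewer login, or the MANAGER sentinel


@dataclass
class User:
    login: str
    manager: Optional[str]
    # application instance -> set of entitlement names held on that account
    access: dict = field(default_factory=dict)


VISD_ENT = "EntTestDB~CN=VISD,DC=abc,DC=com"

# Constructed rule set mirroring the post's example; "jclark" stands for John Clark.
# Order matters: the specific rule must come before the catch-all.
RULES = [
    ReviewerRule("VISDU1_MAP", "VISDU1", VISD_ENT, "jclark"),
    ReviewerRule("VISDU1_MAP", "VISDU1", None, MANAGER),
]


def resolve_reviewer(user, app_instance, map_name, rules=RULES):
    """Return the reviewer login for user's access on app_instance, or None.

    None means "no valid reviewer": the user holds no account on the application,
    no rule in the map matches, the manager fallback has no manager to fall
    back to, or the rule would make the user certify their own access.
    """
    entitlements = user.access.get(app_instance)
    if entitlements is None:
        return None
    for rule in rules:
        if rule.map_name != map_name or rule.app_instance != app_instance:
            continue
        if rule.entitlement is not None and rule.entitlement not in entitlements:
            continue
        reviewer = user.manager if rule.reviewer == MANAGER else rule.reviewer
        if reviewer is None or reviewer == user.login:
            return None  # fail closed rather than silently allow self-certification
        return reviewer
    return None


def assign_reviewers(users, app_instance, map_name, rules=RULES):
    """Map each user login to its reviewer; users without a valid reviewer are
    collected separately so they can be routed to a default certifier."""
    assigned, unresolved = {}, []
    for u in users:
        reviewer = resolve_reviewer(u, app_instance, map_name, rules)
        if reviewer is None:
            unresolved.append(u.login)
        else:
            assigned[u.login] = reviewer
    return assigned, unresolved
```

The unresolved list is the part worth keeping when you build the real rules: a user whose manager attribute is empty, or who is the named reviewer, would otherwise disappear from the campaign or review themselves.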


2. OIM 12c now supports a group of certifiers for Application Instance, Entitlement, Role and User certification. Up to OIM 11gR2 PS3, only a single certifier was supported in the certification workflow.

** Group certifier assignments are not supported with the CertificationProcess composite; the CertificationOverseerProcess composite must be selected on the configuration page.

3. When creating a user certification definition, OIM 12c offers options to limit the entitlement assignments, role assignments and application assignments to be certified for each user. For example, when an identity certification is assigned to a reviewer, only the selected roles, entitlements and application instances are shown for certification. In this way birthright access can be kept out of the certification.




4. The Certification Dashboard can sort and list certifications by their percentage of completion.

5. Another new feature of OIM 12c is inheritance of access granted via access policies from the parent role to the child role. This feature is enabled by setting the XL.AllowRoleHierarchicalPolicyEval system property to TRUE. For example:

a) Role1 has Policy1, which provisions account A1 and entitlement E1.
b) Role2 has Policy2, which provisions account A1 and entitlement E2.
c) Role1 is the parent role of Role2.

If XL.AllowRoleHierarchicalPolicyEval is set to TRUE, then granting Role2 to User1 gives User1 account A1 and entitlements E1 and E2.

If XL.AllowRoleHierarchicalPolicyEval is set to FALSE, then granting Role2 to User1 gives User1 account A1 and entitlement E2 only (the access from Role2's own policy).
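The following is an added example, not code from the post or from Oracle, that models the two evaluation modes with the roles, policies, account and entitlements named above. The data model (a policy provisions one account plus entitlements, a role lists its policies, each role has at most one parent) is an assumption made for illustration, not OIM's internal schema. Beyond the two-level case in the post it walks arbitrarily deep hierarchies, refuses a cyclic one, and reports what existing members of a child role would gain the moment the property is switched on, which is the check to run before flipping it in production.

```python
# Added example (not from the original post or from Oracle). It models what the
# XL.AllowRoleHierarchicalPolicyEval property changes, using the roles, policies,
# account and entitlements named in the post. The data model (a policy provisions one
# account plus entitlements; a role lists its policies; each role has at most one
# parent) is an assumption for illustration, not OIM's internal schema.
from collections import namedtuple

Policy = namedtuple("Policy", "name account entitlements")

# Constructed data from the post's example
POLICIES = {
    "Policy1": Policy("Policy1", "A1", frozenset({"E1"})),
    "Policy2": Policy("Policy2", "A1", frozenset({"E2"})),
}
ROLE_POLICIES = {"Role1": ["Policy1"], "Role2": ["Policy2"]}
PARENT_OF = {"Role2": "Role1"}  # child -> parent; Role1 is a top-level role


def ancestors(role, parent_of=PARENT_OF):
    """Roles above `role` in the hierarchy, nearest first. Raises on a cycle so a
    misconfigured hierarchy cannot loop forever or feed a role its own access."""
    chain = []
    current = role
    while current in parent_of:
        current = parent_of[current]
        if current == role or current in chain:
            raise ValueError("cycle in role hierarchy involving %r" % current)
        chain.append(current)
    return chain


def effective_access(granted_role, hierarchical_eval,
                     policies=POLICIES, role_policies=ROLE_POLICIES, parent_of=PARENT_OF):
    """Return (accounts, entitlements) a user receives when granted_role is granted.

    hierarchical_eval plays the part of XL.AllowRoleHierarchicalPolicyEval: when
    True, the policies of every ancestor role are evaluated as well; when False,
    only the granted role's own policies apply. The same account appearing in two
    policies (A1 here) collapses to one account holding the union of entitlements,
    which is the outcome the post describes.
    """
    roles = [granted_role]
    if hierarchical_eval:
        roles.extend(ancestors(granted_role, parent_of))
    accounts, entitlements = set(), set()
    for role in roles:
        for policy_name in role_policies.get(role, []):
            policy = policies[policy_name]
            accounts.add(policy.account)
            entitlements |= policy.entitlements
    return accounts, entitlements


def access_added_by_enabling(role, **kw):
    """Entitlements every existing holder of `role` gains when the property goes
    from FALSE to TRUE; review this for each child role before enabling it."""
    _, before = effective_access(role, False, **kw)
    _, after = effective_access(role, True, **kw)
    return after - before
```

With the post's data, access_added_by_enabling("Role2") returns {"E1"}: turning the property on is a broadening change for every current member of Role2, not just for future grants, so treat it as an access change to be reviewed rather than a harmless configuration switch.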

6. Access policies can be created and managed from the Manage tab in Identity Self Service.



7. OIM 12c now has an Application Onboarding capability through the GUI. It allows you to create and manage applications, templates and application instances, and to clone applications. This speeds up the onboarding of applications into OIM.





8. A new Deployment Manager interface for importing and exporting new development or migration artifacts.



9. OIM 12c provides a real-time certification purge job, with which old certification data can be purged continuously based on the options chosen during configuration.

10. In OIM 12c you can now define new connectors from all the available components. The picture below shows the wizard, which lets you choose components and create your new connector inside OIM.


11. The OIM 12c SCIM (System for Cross-domain Identity Management) service is now secured with an OWSM (Oracle Web Services Manager) policy. There are two OOTB policies, oracle/multi_token_rest_service_policy and oracle/no_authentication_service_policy, which between them enforce one of the following authentication mechanisms when the client sends a token, or allow anonymous access when no token is supplied. Since the anonymous policy by design performs no authentication, check which of the two is actually attached to the SCIM endpoints in your environment.
  • HTTP Basic
  • SAML 2.0 Bearer token in HTTP header
  • HTTP OAM security
  • SPNEGO over HTTP security
  • JWT token in HTTP header

12. OIM 12c offers a JSON Web Token (JWT) service to simplify the use of the Oracle Identity Governance SCIM/REST services.

The JWT produced by the OIG token service contains a subject claim for an OIM user and is signed by the Oracle Identity Governance server. This token can be presented for authentication to the OWSM agent that protects the SCIM and REST APIs.
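As an added example for items 11 and 12 (my own illustration, not code from the post or from Oracle), here is a small Python client that obtains a JWT from the token service with HTTP Basic and then calls the SCIM Users endpoint with it as a Bearer token. The page shows no URLs or payloads, so the token path /iam/governance/token/api/v1/tokens, the "token" response field and the SCIM path /iam/governance/scim/v1/Users are assumptions. The JWT's signature is verified by the OWSM agent on the server, not by the client; the client only parses the claims so it can fail early on a malformed or expired token instead of discovering the problem as a 401 on every SCIM call.

```python
# Added example (not from the original post or from Oracle): a small client for the
# OIG 12c SCIM service that authenticates with a JWT from the OIG token service, as
# items 11 and 12 describe. Assumptions, since the page shows no URLs or payloads:
# the token service is POST <base>/iam/governance/token/api/v1/tokens, it accepts
# HTTP Basic and answers with JSON containing a "token" field, and SCIM users live at
# <base>/iam/governance/scim/v1/Users. The JWT's signature is checked by the OWSM
# agent on the server; the client only inspects the claims to fail early on a
# malformed or expired token and does not verify the signature itself.
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/iam/governance/token/api/v1/tokens"  # assumed
SCIM_USERS_PATH = "/iam/governance/scim/v1/Users"   # assumed


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Parse the payload of a compact JWS. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned (alg=none) token rejected")
    return json.loads(b64url_decode(parts[1]))


def token_usable(claims, now=None, skew=30):
    """True if the token names a subject and will not expire within `skew` seconds."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return bool(claims.get("sub")) and exp is not None and now + skew < exp


def fetch_jwt(base_url, login, password, opener=urllib.request.urlopen):
    """Obtain a JWT for `login` from the token service using HTTP Basic."""
    basic = base64.b64encode(("%s:%s" % (login, password)).encode("utf-8")).decode("ascii")
    req = urllib.request.Request(
        base_url + TOKEN_PATH, data=b"{}", method="POST",
        headers={"Authorization": "Basic " + basic, "Content-Type": "application/json"})
    with opener(req) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    token = body.get("token")  # assumed response field name
    if not token:
        raise ValueError("token service response carries no 'token' field")
    claims = jwt_claims(token)
    if not token_usable(claims):
        raise ValueError("token for subject %r is unusable (no sub, or expiring)" % claims.get("sub"))
    return token


def scim_get_users(base_url, jwt, scim_filter=None, opener=urllib.request.urlopen):
    """GET /Users with the JWT as a Bearer token; returns the parsed SCIM ListResponse."""
    url = base_url + SCIM_USERS_PATH
    if scim_filter:
        url += "?" + urllib.parse.urlencode({"filter": scim_filter})
    req = urllib.request.Request(
        url, headers={"Authorization": "Bearer " + jwt, "Accept": "application/scim+json"})
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def constructed_jwt(claims, key=b"local-test-only"):
    """Build an HS256-signed token for offline tests only. A real OIG token is signed
    by the server with its own key; this exists so the parsing above can be exercised."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("utf-8"))
    payload = b64url_encode(json.dumps(claims).encode("utf-8"))
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())
    return "%s.%s.%s" % (header, payload, sig)


if __name__ == "__main__":
    # Live use against a real server (assumed URL and credentials):
    base = "https://oig.example.com:14001"
    jwt = fetch_jwt(base, "xelsysadm", "changeme")
    print(scim_get_users(base, jwt, 'userName eq "xelsysadm"'))
```

The `opener` parameter exists so the HTTP layer can be swapped for a fake in tests; in production leave it at the urllib default and point `base_url` at the OIG managed server over HTTPS, since the Basic credentials and the Bearer token travel in clear text otherwise.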

13. Multiple sandboxes can be published in bulk and in a specified sequence using a CSV file.



I will describe each of the new features in detail, with live examples, in my next post.

Wednesday, 6 September 2017

Develop Cascade Lookup in OIM 11gR2 PS3 without writing java code

A cascade lookup is a set of dependent drop-down fields (e.g. Country -> State -> City) built on parent-child relationships between the fields, so that the values in the child field are filtered according to what was selected in the parent field, narrowing down the choices.

Starting from OIM 11gR2 PS2, Oracle incorporated the cascade lookup feature into the form designer. Developing a cascade lookup in an Application Instance form is now very easy: no Java code or managed bean needs to be written. Below are the steps to develop a cascade lookup in an Application Instance form.

1. Log in to the OIM sysadmin console.
2. Create a sandbox and activate it.

3. Go to Form Designer and search for the form to which you need to add the cascade lookup.


4. Open the form and click the New button to add a new field.


5. Select the field type Lookup and click OK.


6. In the field details, provide the display name of the field and create a new lookup (you can also use an existing lookup).


7. Once done with the field details, click Save and Close.


8. You can see the new lookup field created in the application form. This lookup field will be used as the parent lookup.

9. Now create the dependent lookup. As for the parent lookup, follow steps 4, 5 and 6.


10. Once the lookup is created, tick the check box named "Constrain list by parent field value selection" and select the parent lookup created earlier.


11. Now click the "Value Map" icon and map the parent values to the dependent values, as below:

Select the parent value in the left panel and shuttle all the corresponding dependent values from "Available Lookups" to "Selected Lookups".

In the example I chose the parent value India (country) and all the corresponding cities Bangalore, Kolkata and Pune as dependent values.

Do the same for the other parent values.


12. Once the mapping is done, click the "Save and Close" button to save the field details.


13. Now you can see that both lookup fields are created. Click "Regenerate View" to regenerate the form view used by the Application Instance at runtime.


14. Once all this is done, export the sandbox and publish it.


15. Now log in to the OIM Identity console.
16. Create a new sandbox and activate it.
17. Go to the Catalog and search for the Application Instance for any user.
18. Add the application to the cart and click Next.
19. On the Cart Details page open the application form; you can see both lookup fields are now added to the form. This will still not work until you make a small change related to the partial trigger.

20. Now click the Customize button.




21. Go to the Structure view and select the "Parent Lookup" field.


22. In the Web Composer window (right panel), right-click the Parent Lookup component and click Edit.


23. In the edit window, copy the Id value.


24. Close this window, then right-click the Dependent component and click Edit.


25. In the edit window, paste the copied value into the Partial Triggers field. This tells ADF to re-render the dependent component whenever the parent component submits a new value, which is what makes the filtered list refresh without a full page submit.


26. Save the changes and close the Customize window.
27. Export the sandbox and publish it.
28. Now do a little testing. Open the catalog and select the Application Instance to which the lookup fields were added.

29. Add the Application Instance to the cart.
30. In the cart item details, go to the application form.
31. Select a value in the Parent Lookup field, and you will see the Dependent Lookup populated with the corresponding dependent values.




Thank You!!!!!!!!!!!!!!!!