Oracle Identity and Access Management Practice


We offer a full range of services for Identity Governance and Identity management as follows.

Identity Management Suite Implementation

We provide end-to-end installation, configuration and implementation services. This covers the web server front-end layer, the application server, directories, the SOA suite, Oracle Identity and Access Management, and the WebGate single sign-on solution.

Single Sign-On

We provide SSO services using Access Manager with the WebGate plugin. With single sign-on, a user logs in only once and can then access all of their applications without being prompted again for a username and password. This also allows applications to be integrated seamlessly: for example, BI applications and E-Business Suite can be integrated with SSO so that E-Business Suite pages open seamlessly from within BI applications and vice versa.

Integrating Systems with Identity Connectors

Identity connectors are used to integrate OIM with other software applications. Oracle provides several pre-built identity connector bundles. Each connector bundle is a set of Java programs and connector metadata files packaged as a Java archive, implemented using the Identity Connector Framework (ICF). We provide OIM integration services for Oracle Sun Directory Server Enterprise Edition (ODSEE), Oracle Internet Directory (OID), Oracle Unified Directory (OUD), MS Active Directory, EBS Users and EBS Employee reconciliation, and Remedy.

Provisioning

Provisioning is the process by which an action to create, modify, or delete user, role, or organizational information in a resource is initiated from an Oracle Identity Management product (for example, Oracle Identity Manager) and passed into the resource. In terms of data flow, provisioning is an outward flow of user, role, or organizational information: the provisioning system communicates with the resource and specifies the changes to be made to the account. We implement provisioning solutions tailored to specific requirements. This includes creating configurations for manual and automated provisioning and creating the provisioning metadata required to integrate an ICF connector with Oracle Identity Manager. The metadata objects include the IT Resource Type, IT Resource, Resource Object, provisioning process, process form, process tasks, adapter tasks and lookups; the changed objects are then published to application instances using a sandbox. Provisioning encompasses:

  • Access Policies: An access policy is a list of roles and the resources that users in each role receive. Oracle Identity Manager uses access policies to determine whether to assign a resource to a user, or to restrict the user from accessing the resource, because the user is a member of a role.
  • Approval Policies: Provisioning requests are either completely automated or subject to manual intervention through an approval process. An approval policy associates a request with a request-level or operation-level approval workflow, which is handled by a SOA composite application that orchestrates the manual approval. We implement request-level and operation-level approval workflows according to the business requirement.
  • Creating Provisioning SOA Approval Workflows: Generate a SOA composite application template and configure the BPEL process to invoke the request web service to obtain the request details, user details and catalog owner as required. Create and configure a Human Task component, configure Oracle Universal Messaging Service (UMS), deploy and secure the Request Web Service, invoke the Request Web Service, and deploy the SOA composite application.
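The access-policy rule above (roles decide which resources a user receives, and a membership can also restrict a resource) can be illustrated with a small evaluator. This is an added example written for this page, not Oracle Identity Manager code; the policy names, roles and resource names are constructed sample values, and the "deny outranks allow" precedence is an assumption chosen here so that a restricting policy cannot be bypassed by an additional role membership.

```python
"""Added illustration of access-policy evaluation: a constructed model, not
Oracle Identity Manager code. Policy names, roles and resources are sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    roles: frozenset                  # roles the policy applies to
    allow: frozenset = frozenset()    # resources members of those roles receive
    deny: frozenset = frozenset()     # resources members of those roles are restricted from


# Constructed sample policies (not from any real deployment)
SAMPLE_POLICIES = [
    AccessPolicy("Employees", frozenset({"Employee"}), allow=frozenset({"Email", "Intranet"})),
    AccessPolicy("Finance", frozenset({"Finance"}), allow=frozenset({"GL-App", "AP-App"})),
    AccessPolicy("Contractors", frozenset({"Contractor"}),
                 allow=frozenset({"Email"}), deny=frozenset({"Intranet", "GL-App"})),
]


def evaluate_access(user_roles, policies):
    """Return (to_provision, restricted) for a user given their role memberships.

    Every policy whose role set overlaps the user's roles applies. A resource
    denied by any applicable policy is restricted even if another policy allows
    it (assumed precedence), so a restricting policy cannot be bypassed by an
    extra role membership.
    """
    roles = set(user_roles)
    allowed, denied = set(), set()
    for policy in policies:
        if roles & policy.roles:
            allowed |= policy.allow
            denied |= policy.deny
    return allowed - denied, allowed & denied


def plan_changes(current_resources, target_resources):
    """Diff the resources already provisioned against the policy result."""
    current, target = set(current_resources), set(target_resources)
    return {"provision": sorted(target - current), "revoke": sorted(current - target)}


if __name__ == "__main__":
    grant, restricted = evaluate_access({"Employee", "Contractor"}, SAMPLE_POLICIES)
    print("grant:", sorted(grant), "restricted:", sorted(restricted))
    print(plan_changes({"Email", "Intranet"}, grant))
```

The second function is the part a practitioner usually cares about: once the policy result for a user is known, the difference against what the account currently holds is what gets provisioned or revoked, and a role change that removes a resource shows up as a revoke rather than being silently left in place.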

Reconciliation

Reconciliation is the process by which an action to create, modify, or delete user-related, role-related, or organization-related information for a resource in an Oracle Identity Management product (for example, Oracle Identity Manager) is initiated from another resource. The provisioning system communicates with that resource to receive the information. In terms of data flow, reconciliation is an inward flow of user, role, or organizational information into the provisioning system, through which it learns about any activity on the resource. We implement reconciliation by performing the following steps:

  1. Define the reconciliation process metadata: create a reconciliation attribute map (lookup definition); create a reconciliation profile based on the reconciliation fields defined in the Resource Object; define the user matching rules as a Reconciliation Rule; define the reconciliation action rules in the Resource Object; and map the reconciliation fields to process form fields in the Process Definition.
  2. Create or modify a scheduled task for reconciliation events, and execute the scheduled job to initiate reconciliation with the authoritative source or target resource.
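The three pieces of reconciliation metadata named above (the attribute map, the matching rule and the action rules) can be illustrated by running a constructed feed of reconciliation events against a small set of existing identities. This is an added example for this page, not OIM code: the attribute names, the ordered matching rule (employee number first, e-mail as a fallback), the action names and the sample HR records are all constructed here, and an ambiguous match is deliberately included to show why a matching rule needs a "multiple matches" action.

```python
"""Added illustration of reconciliation from a trusted source: a constructed
model of attribute mapping, matching rules and action rules, not OIM code."""

# Reconciliation attribute map (source attribute -> user attribute), constructed sample
ATTRIBUTE_MAP = {
    "EMPNO": "employee_number",
    "MAIL": "email",
    "GIVENNAME": "first_name",
    "SN": "last_name",
    "STATUS": "status",
}

# Matching rule: attributes tried in order until one yields a match
MATCH_RULE = ["employee_number", "email"]

# Action rules: what to do for each matching outcome
ACTION_RULES = {
    "no_match": "create_user",
    "one_match": "update_user",
    "multiple_matches": "manual_review",
}


def map_record(source_record):
    """Apply the attribute map; unmapped source attributes are dropped."""
    return {ATTRIBUTE_MAP[k]: v for k, v in source_record.items() if k in ATTRIBUTE_MAP}


def find_matches(record, users):
    """Return the users matched by the first rule attribute that hits."""
    for attr in MATCH_RULE:
        value = record.get(attr)
        if value is None:
            continue
        hits = [u for u in users if u.get(attr) == value]
        if hits:
            return hits
    return []


def reconcile(source_records, users):
    """Process reconciliation events in order; `users` is updated in place."""
    events = []
    for source_record in source_records:
        record = map_record(source_record)
        hits = find_matches(record, users)
        if not hits:
            outcome = "no_match"
        elif len(hits) == 1:
            outcome = "one_match"
        else:
            outcome = "multiple_matches"
        action = ACTION_RULES[outcome]
        if action == "create_user":
            users.append(dict(record))
        elif action == "update_user":
            hits[0].update(record)
        # manual_review: nothing is changed; the event is left for an administrator
        events.append({"source": record.get("employee_number"), "outcome": outcome, "action": action})
    return events


def sample_users():
    """Constructed existing identities; 1002 and 1003 share an e-mail on purpose."""
    return [
        {"employee_number": "1001", "email": "alice@example.test", "status": "Active"},
        {"employee_number": "1002", "email": "bob@example.test", "status": "Active"},
        {"employee_number": "1003", "email": "bob@example.test", "status": "Active"},
    ]


SAMPLE_SOURCE_RECORDS = [  # constructed HR feed
    {"EMPNO": "1001", "MAIL": "alice@example.test", "STATUS": "Disabled"},
    {"EMPNO": "2001", "MAIL": "carol@example.test", "GIVENNAME": "Carol", "SN": "Ng", "STATUS": "Active"},
    {"MAIL": "bob@example.test", "STATUS": "Disabled"},  # no EMPNO: falls back to e-mail, ambiguous
]

if __name__ == "__main__":
    users = sample_users()
    for event in reconcile(SAMPLE_SOURCE_RECORDS, users):
        print(event)
```

The third record shows the case that matters for a trusted-source reconciliation: a disable event that matches two accounts must not be applied to either, because a matching rule that picked one arbitrarily could disable the wrong person or leave a leaver active.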

Entitlements in OIM

An entitlement granted to an account on a target system enables the account owner (user) to perform a specific task or function. An entitlement in OIM can be a responsibility, role, or group membership. The process of creating organization, role and group entitlements includes capturing the entitlement values from the trusted source into a lookup table, synchronizing the entitlements into the request catalog, and verifying that the entitlements can be added to a provisioning request. We also provide Entitlements Server for fine-grained entitlements.

Segregation of duties

Segregation of Duties (SoD) is used by a company to apply checks and balances to business processes and to mitigate the risks arising from misuse of the company's resources. The SoD architecture comprises SoD-enabled connectors, the Service Invocation Library (SIL) and SIL providers, and the SoD engine, as depicted in the diagram below.

[Diagram: Segregation of duties architecture (SoD-enabled connectors, SIL and SIL providers, SoD engine)]

We implement segregation of duties in the following three steps:

  1. Install SoD-enabled connectors. For Oracle Identity Manager 11g R2, the SoD-enabled connectors include Oracle E-Business User Management and SAP User Management.
  2. Deploy the Service Invocation Library (SIL) and SIL providers. SIL registration is provided by default for some combinations of resource and SoD engine, and no deployment steps are required for these: the EBS resource with the OAACG engine, the PSFT resource with the OAACG engine, and the SAP resource with the SAP GRC engine.
  3. Configure the SoD engine and import the entitlement data from the external resource into it. For OIM 11g R2, the supported SoD engines are Oracle Application Access Controls Governor (OAACG), SAP GRC (Governance, Risk, and Compliance), and Oracle Identity Analytics (OIA). Configure the Oracle Identity Manager connector with the SAP GRC SIL provider, the OAACG SIL provider, or the OIA SIL provider, or create and use a SIL provider for a custom SoD engine. If required, also configure the SoD validation rules on the associated SoD engine.
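The validation that step 3 configures on the SoD engine (is the combination of entitlements an account would hold after this request in conflict?) can be illustrated with a small conflict-rule checker. This is an added example written for this page; it stands in for the check an SoD engine performs when called through a SIL provider and is not Oracle, OAACG or SAP GRC code. The rule identifiers, entitlement names and the "only newly introduced violations block the request" behaviour are constructed assumptions.

```python
"""Added illustration of an SoD validation step: a constructed conflict-rule
checker standing in for the SoD engine reached through a SIL provider, not
Oracle, SAP GRC or OAACG code. Rule ids and entitlement names are sample values."""

# Constructed SoD rules: each rule names two entitlements that must not be held together
SOD_RULES = {
    "AP-01": ("AP: Create Vendor", "AP: Approve Payment"),
    "AP-02": ("AP: Enter Invoice", "AP: Approve Payment"),
    "GL-01": ("GL: Post Journal", "GL: Approve Journal"),
}


def find_violations(entitlements, rules=SOD_RULES):
    """Rule ids whose two entitlements are both present in the given set."""
    held = set(entitlements)
    return sorted(rule_id for rule_id, (a, b) in rules.items() if a in held and b in held)


def validate_request(existing, requested, rules=SOD_RULES):
    """Check a provisioning request against the account's current entitlements.

    The combined set (existing plus requested) is what the engine validates.
    Violations the account already had are reported separately from those the
    request would introduce, so only the latter block the request (assumed
    behaviour); pre-existing ones are surfaced for remediation rather than hidden.
    """
    before = set(find_violations(existing, rules))
    after = set(find_violations(set(existing) | set(requested), rules))
    new = sorted(after - before)
    return {
        "decision": "SOD_FAILED" if new else "SOD_PASSED",
        "new_violations": new,
        "preexisting_violations": sorted(before),
    }


if __name__ == "__main__":
    # Constructed account: already able to create vendors, now requesting payment approval
    print(validate_request({"AP: Create Vendor"}, {"AP: Approve Payment"}))
    print(validate_request({"AP: Create Vendor"}, {"GL: Post Journal"}))
```

Two points are worth noting for a real deployment. The check must run on the union of what the account already holds and what is requested, not on the request alone, otherwise two separately approved requests can together create a conflict. And a request that bundles several entitlements has to be checked as a whole: the last assertion in the accompanying test requests three entitlements from an empty account and trips two rules at once.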


Oracle Identity & Access Management Products