Oracle Identity and Access Management Practice


The Oracle Identity Management Suite of products can be broadly classified under the following three categories.


Identity Governance
  • Oracle Identity Manager
  • Oracle Role Manager
  • Oracle Identity Analytics
  • Oracle Privileged Account Manager

Access Management
  • Oracle Access Manager
  • Oracle Mobile and Social Access Service
  • Oracle Identity Federation
  • Oracle Adaptive Access Manager
  • Oracle Entitlements Server
  • Oracle Web Services Manager
  • Oracle Security Token Service
  • Oracle Enterprise Gateway
  • Oracle Enterprise SSO Plus

Directory Services
  • Oracle Unified Directory
  • Oracle Internet Directory
  • Oracle Virtual Directory
  • Oracle Directory Server Enterprise Edition
  • Oracle Authentication Services for Operating Systems

A brief description of each of these products is given below.

Identity Governance

Oracle Identity Manager

Oracle Identity Manager is a highly flexible and scalable enterprise identity management system that controls user accounts and access privileges in enterprise IT resources centrally. It provides the functionalities of provisioning, identity and role administration, approval and request management, policy-based entitlement management, technology integration, and audit and compliance automation.

Oracle Role Manager

Oracle Role Manager is an authoritative source for role life-cycle management that leverages business policy and organizational data to automate role-based provisioning and access control.

Oracle Identity Analytics

Oracle Identity Analytics provides enterprises with the ability to define and manage roles and automate critical identity-based controls. Once roles are defined, certified, and assigned, the software continues to deliver a scalable and sustainable identity governance and analytics solution throughout the user access lifecycle.

Oracle Privileged Account Manager

Oracle Privileged Account Manager protects, secures, manages, and audits a company’s privileged and shared user accounts through role-based access control. Because most large organizations have multiple identity repositories, enterprise identity governance components must function with information from these repositories.

Access Management

Oracle Access Manager

Oracle Access Manager provides user and group management, delegated administration, password management, and self-service functions necessary to manage large user populations. Access Management facilitates authentication of resource-related accounts for users and organizations, and authorizes the ability of users and organizations to access their accounts. WebGate, a plug-in of Access Manager, provides the single sign-on solution. Audit and compliance features minimize risk and reduce the cost for an enterprise of meeting internal and external governance and security audits.

Oracle Adaptive Access Manager

Oracle Adaptive Access Manager is a Web-based solution that enables an enterprise to perform fraud detection and multifactor authentication security in real time. Oracle Adaptive Access Manager supports complex, heterogeneous enterprise environments.

Oracle Identity Federation

Oracle Identity Federation is an industry-leading, self-contained, and flexible multiprotocol federation server that is deployable with existing identity and access management systems.

Oracle Entitlements Server

Oracle Entitlements Server (OES) is a standards-based, policy-driven security solution that provides real time fine-grained authorization in Application, Service-Oriented Architecture (SOA) and Database environments.

Oracle Web Services Manager

Oracle Web Services Manager offers a comprehensive and easy-to-use solution for policy management and security of service infrastructure. It provides visibility and control of the policies through a centralized administration interface offered by Oracle Enterprise Manager.

Oracle Security Token Service

Oracle Security Token Service (OSTS) simplifies access control and identity propagation in deployment environments that span heterogeneous platforms, identity systems, and single sign-on protocols. OSTS enables a single thread of identity by propagating identity and security context between web services, each of which may be utilizing different credential types.

Directory Services

Oracle Internet Directory

Oracle Internet Directory is an LDAP v3 directory service that leverages the scalability, high availability, and security features of Oracle Database. It serves as the central user repository for Oracle Access Manager and other Oracle applications. Oracle Internet Directory includes the Oracle Directory Integration Platform (DIP), which enables directory synchronization between Oracle Internet Directory and other directories.


Oracle Directory Server Enterprise Edition (ODSEE, formerly Sun Directory Server Enterprise Edition) is the best known directory server. ODSEE provides a core directory service with embedded database, directory proxy, Active Directory (AD) synchronization and a Web administration console.


Oracle Virtual Directory is an LDAP service that provides a single, abstracted view of enterprise directory servers and databases from a variety of vendors. Oracle Virtual Directory can serve as a single source of truth in an environment with multiple data sources.


Oracle Unified Directory is an all-in-one directory solution with storage, proxy, synchronization and virtualization capabilities.

Directory services

Directory services provide efficient storage, lookup, synchronization, replication, and virtualization of identity management data between directories.

Our IDM Services
We offer a full range of services for Identity Governance and Identity management as follows.

Identity Management Suite Implementation

We provide end-to-end installation, configuration and implementation services. This includes the web server front-end layer, Application Server, Directories, SOA Suite, Oracle Identity and Access Management, and the WebGate single sign-on solution.


We provide SSO services using Access Manager with the WebGate plug-in. With single sign-on, a user logs in only once and can then access all their applications without being asked again for a user login and password. This also helps in seamless integration of applications. An example is the seamless integration of BI Applications and E-Business Suite with SSO: E-Business Suite pages can be opened in BI Applications and vice versa.

Integrating Systems with Identity Connectors

Identity connectors are used to integrate OIM with other software applications. Oracle provides several pre-built identity connector bundles. Each connector bundle is a set of Java programs and connector metadata files packaged as Java archive files. Connector bundles are implemented using the Identity Connector Framework (ICF). We provide OIM integration services with Oracle Sun Directory Server Enterprise Edition (ODSEE), Oracle Internet Directory (OID), Oracle Unified Directory (OUD), MS Active Directory, EBS Users and EBS Employee reconciliation, and Remedy.


Provisioning is a process by which an action to create, modify, or delete user, role, and organizational information in a resource is initiated from an Oracle Identity Management product (for example, Oracle Identity Manager) and passed into the resource. In terms of data flow, provisioning provides an outward flow of user, role, or organizational information. The provisioning system communicates with the resource and specifies changes to be made to the account.

We implement provisioning solutions tailored to specific requirements. This includes creating configurations for manual and automated provisioning, and creating the provisioning metadata required to integrate an ICF connector with Oracle Identity Manager. The metadata objects include the IT Resource Type, IT Resource, Resource Object, provisioning process, process form, process task, adapter task and lookups. The changed objects are published in Application Instances using a sandbox. Provisioning encompasses:

Access Policies: An access policy is a list of roles and the resources that users in each role receive. Oracle Identity Manager uses access policies to determine whether to assign a resource to a user or restrict the user from accessing the resource because the user is a member of a role.

Approval Policies: Provisioning requests may be either completely automated or subject to manual intervention through approval processes. An approval policy associates a request with a request-level or operation-level approval workflow, which is handled by a SOA composite application that orchestrates the manual approval process. We implement request-level and operation-level approval workflows as per the business requirement.

Creating Provisioning SOA Approval Workflows: Generate a SOA composite application template and configure the BPEL process to invoke the request web service to get request details, user details and catalog owner as desired. Create and configure a Human Task component, configure Oracle Universal Messaging Service (UMS), deploy and secure the Request Web Service, invoke the Request Web Service, and deploy the SOA composite application.


Reconciliation is a process by which an action to create, modify, or delete user-related, role-related, or organization-related information in an Oracle Identity Management product (for example, Oracle Identity Manager) is initiated from another resource. The provisioning system communicates with this resource to receive this information. In terms of data flow, reconciliation provides an inward flow of user, role, or organizational information into the provisioning system, through which it learns about any activity on the resource. We implement reconciliation by performing the following steps:

  1. Define the reconciliation process metadata: create a reconciliation attribute map (lookup definition); create a reconciliation profile based on the reconciliation fields defined in the Resource Object, the reconciliation user matching rules defined as a Reconciliation Rule, and the reconciliation action rules defined in the Resource Object; and map reconciliation fields to process form fields in the Process Definition.
  2. Create or modify a scheduled task for reconciliation events. Execute the scheduled task job to initiate reconciliation with the authoritative source or target resource
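
The reconciliation flow described above (attribute map, matching rule, action rules) can be modelled in a few lines. This is an added example, not code from the original page or from Oracle Identity Manager; the field names, action names and sample records are assumptions constructed for illustration.

```python
# Simplified model of a reconciliation run; not Oracle Identity Manager code.
# All field names, action names and sample records below are constructed.

# Reconciliation attribute map: target-system field -> process form field.
ATTRIBUTE_MAP = {"uid": "login", "mail": "email", "cn": "display_name"}

# Action rules: what to do for each outcome of the matching rule.
ACTION_RULES = {
    "no_match": "flag_orphan_for_review",
    "one_match": "link_account_to_user",
    "multiple_matches": "route_to_administrator",
}

def map_record(target_record):
    """Translate a target-system record into process form fields."""
    return {form: target_record[src] for src, form in ATTRIBUTE_MAP.items()
            if src in target_record}

def match_users(form_data, identities):
    """Matching rule: case-insensitive login match, falling back to email."""
    login = form_data.get("login", "").lower()
    hits = [u for u in identities if u["login"].lower() == login]
    if not hits and form_data.get("email"):
        email = form_data["email"].lower()
        hits = [u for u in identities if u["email"].lower() == email]
    return hits

def reconcile(target_records, identities):
    """Return one reconciliation event per target account."""
    events = []
    for record in target_records:
        form_data = map_record(record)
        hits = match_users(form_data, identities)
        outcome = ("no_match" if not hits else
                   "one_match" if len(hits) == 1 else "multiple_matches")
        events.append({"account": form_data.get("login"),
                       "outcome": outcome,
                       "action": ACTION_RULES[outcome],
                       "owners": [u["id"] for u in hits]})
    return events

IDENTITIES = [  # constructed sample identity store
    {"id": 1, "login": "jdoe", "email": "jdoe@example.com"},
    {"id": 2, "login": "asmith", "email": "shared@example.com"},
    {"id": 3, "login": "bjones", "email": "shared@example.com"},
]
TARGET_ACCOUNTS = [  # constructed sample target-system accounts
    {"uid": "JDoe", "mail": "jdoe@example.com", "cn": "J Doe"},
    {"uid": "svc_backup", "mail": "", "cn": "Backup service"},
    {"uid": "helpdesk", "mail": "shared@example.com", "cn": "Helpdesk"},
]
```

Accounts that end in `no_match` are the ones with no owning identity, which is why the action rule for that outcome matters most during an access review.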

Entitlements in OIM

An entitlement granted to an account on a target system enables the account owner (user) to perform a specific task or function. An entitlement in OIM can be a responsibility, role, or group membership. The process to create organization, role and group entitlements includes capturing entitlement values from the trusted source into a lookup table, synchronizing entitlements into the request catalog, and verifying that entitlements can be added to a provisioning request. We provide Entitlements Server for fine-grained entitlements.

Segregation of duties

Segregation of Duties (SoD) is used by a company to apply checks and balances on business processes and mitigate risks arising from misuse of a company’s resources. The SoD architecture comprises SoD-enabled connectors, the Service Invocation Library (SIL) and SIL providers, and the SoD engine, as depicted in the diagram below.

We implement segregation of duties in the following three steps,

  1. Install SoD-enabled connectors. For Oracle Identity Manager 11g R2, SoD-enabled connectors include Oracle e-Business User Management and SAP User Management
  2. Deploy the Service Invocation Library (SIL) and SIL providers. SIL registration is provided by default for some resources and SoD engines. No deployment steps are required for these default combinations of resources and SoD engines. These combinations include the EBS resource and OAACG engine, the PSFT resource and OAACG engine, and the SAP resource and SAP-GRC engine.
  3. Configure the SoD engine. Import entitlement data from the external resource to the SoD engine. For OIM 11g R2, SoD engines include Oracle Application Access Controls Governor (OAACG), SAP GRC, and Oracle Identity Analytics. Configure Oracle Identity Manager connector with the SAP GRC SIL Provider (GRC-Governance, Risk, and Compliance), the Oracle Applications Access Control Governor (OAACG) SIL Provider, or the OIA SIL Provider or create and use a SIL provider for a custom SoD engine. If required, you must also configure SoD validation rules on the associated SoD engine.
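
The kind of check an SoD validation rule performs on a provisioning request is sketched below. This is an added example, not code from the original page, from Oracle Identity Manager or from any SoD engine; the rule ids and entitlement names are assumptions constructed for illustration.

```python
# Simplified model of an SoD validation check at request time; not code from
# Oracle Identity Manager or any SoD engine. Rules and names are constructed.

# Each rule names two duty sets; holding at least one entitlement from each
# set at the same time is a violation.
SOD_RULES = {
    "R1-vendor-and-payment": ({"AP_CREATE_VENDOR", "AP_EDIT_VENDOR"},
                              {"AP_APPROVE_PAYMENT"}),
    "R2-journal-entry-and-post": ({"GL_ENTER_JOURNAL"}, {"GL_POST_JOURNAL"}),
}

def violated_rules(entitlements):
    """Return the sorted ids of rules violated by a set of entitlements."""
    held = set(entitlements)
    return sorted(rule for rule, (left, right) in SOD_RULES.items()
                  if held & left and held & right)

def validate_request(current, requested):
    """Check a provisioning request against the SoD rules.

    Only violations the request would introduce block it; conflicts the
    user already holds are reported separately for remediation.
    """
    before = set(violated_rules(current))
    after = set(violated_rules(set(current) | set(requested)))
    introduced = sorted(after - before)
    return {"approved": not introduced,
            "introduced": introduced,
            "pre_existing": sorted(before)}
```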