New Features and Changes in OIM11gR2
- by Abhishek Tripathi
WEB CONSOLEs in OIM 11gR2
** In 11gR1 there were 3 Admin Web Consoles :
· Self Service Console
· Administration Console and
· Advanced Administration Console accessible
Whereas in OIM 11gR2 , Self Service and Administration Console have are now combined and now called as Identity Self Service Console http://host:port/identity
This console has 3 features in it for managing self profile (My Profile), Managing Requests like requesting for App Instances and Approving requests (Requests) and General Administration tasks of creating/managing users, roles, organization, attestation etc (Administration)
** In OIM 11gR2 – new console sysadmin has been added Administrators which includes some of the design console functions apart from general administrations features. http://host:port/sysadmin
Application Instances
Application instance is the object that is to be provisioned to a user. Application Instances are checked out in the catalog and user can request for application instances via catalog.
· In OIM 11gR2 resources and entitlements are bundled in Application Instance which user can select and request from catalog.
· Application instance is a combination of IT Resource and RO. So, you cannot create another App Instance with the same RO & IT Resource if it already exists for some other App Instance. One of these ( RO or IT Resource) must have a different name.
· If you want that users of a particular Organization should be able to request for an Application instances through catalog then App Instances must be attached to that particular Organization.
· Application instance can be associated with multiple organizations.
· An application instance can also have entitlements associated with it. Entitlement can include Roles/Groups or Responsibility.
· Application Instance are published to the catalog by a scheduled task “Catalog Synchronization Job”
· Application Instance can have child/ parent application instance where child application instance inherits all attributes of parent application instance.
Important point to remember with Application Instance
If you delete the application Instance in OIM 11gR2 and create a new one with the same name, OIM will not allow doing so. It throws error saying Application Instance already exists with same Resource Object and IT resource.
This is because there is still some reference that is not removed in OIM for deleted application Instance. So to completely delete your application Instance from OIM, you must:
1. Delete the app Instance from sysadmin console.
2. Run the App Instance Post Delete Processing Job in Revoke/Delete mode.
3. Run the Catalog Synchronization job.
Once done, you should be able to create a new App instance with the previous RO & IT Resouce name.
Catalog
Catalog allows users to request Roles, Application Instance, and Entitlements in an Application.
Catalog Items – Roles, Application Instance and Entitlements that can be requested via catalog are called as catalog items.
Detailed Information ( attributes of Catalog item)
Category – Each catalog item is associated with one and only one category. Catalog Administrators can provide a value for catalog item.
· Tags – are search keywords helpful in searching Catalog. When users search the Catalog, the search is performed against the tags.
To define a tag, go to Catalog->Search the resource-> select the resource-> update the tag field with custom search keyword.
Tags are of three types:
a) Auto-generated Tags: The Catalog synchronization process auto-tags the Catalog Item using the Item Type, Item Name and Item Display Name
b) User-defined Tags: User-defined Tags are additional keywords entered by the Catalog Administrator.
c) Arbitrary Tags: While defining a metadata if user has marked that metadata as searchable, then that will also be part of tags.
Sandbox
Sanbox is a new feature introduced in OIM11gR2. This serves as a temporary development environment for UI customizations so that they don’t affect other users before they are published and linked to existing OIM UI.
All UI customizations should be done inside a sandbox, this ensures that your changes/modifications don’t affect other users until you have finalized the changes and customization is complete. Once UI customization is completed, the Sandbox must be published for the customizations to be merged into existing UI and available to other users.
Creating and activating a sandbox is mandatory for customizing the UI by .Without an active sandbox, OIM does not allow to customize any page.
a) Before you perform any activity in OIM (like Create/Modify Forms, Custom Attribute, creating application instances, adding roles/attributes to catalog) you must create a Sand Box and activate it.
b) One can create multiple sandboxes in OIM but only one sandbox can be active at any given time.
c) You can export/import the sandbox to move the changes from one environment to the other.
Creating Sandbox
To create sandbox, login to identity manager self service (/identity) or System Administration (/sysadmin) and click on top right of link “Sandboxes” and then click on Create SandBox.
Publishing Sandbox
Before you publish a sandbox, it is recommended to backup MDS. Use /EM to backup MDS by following the steps below :
Creating MDS Backup
1. Login to Oracle Enterprise Manager as the administrator.
2. On the landing page, click oracle.iam.console.identity.self-service.ear(V2.0).
3. From the Application Deployment menu at the top, select MDS configuration.
4. Under Export, select the Export metadata documents to an archive on the machine where this web browser is running option, and then click Export.
All the metadata is exported in a ZIP file.
Creating Password Policy through Admin Console :
In 11gR1 and previous versions password policies could be created & applied via OIM Design Console only. From OIM11gR2 onwards, Password Policies can be created and assigned using Admin Console as well.
