FAPPS_Security_User_Role_Mgmt_OIM-FINAL_with_QA.pdf

© 2009 Oracle Corporation – Proprietary and Confidential

FYI: New Portal with same DocID

• Archive: 740964.1
• Schedule: 740966.1
• Generic Advisor Webcast Note: 740966.1

Future Advisor Webcasts

Teleconference Access password: Advisor

Upcoming live webcasts and recent recordings:

Fusion Applications
• November 1: Fusion Applications Security: Troubleshoot Data Role Issues

Fusion Applications Technical Community: https://communities.oracle.com/portal/server.pt/community/technical_-_fa/531

My Oracle Support: https://support.oracle.com
Doc ID 740966.1 - Current Advisor Webcast Schedule and Archived Recordings

© 2012 Oracle Corporation – Proprietary and Confidential

Teleconference Information
• Conference ID: advisorsp
• US/Canada Toll-Free Number: (866) 900-1292
• International Dial-in Number: (706) 758-7504
• For International Toll-Free: refer to Doc ID 1148600.1
• Voice streaming is available

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Fusion Applications Security: User & Role Management using Oracle Identity Manager

CHETAN GADKARI
Senior Principal Support Engineer

AGENDA

• What is Oracle Identity Manager (OIM)?
• Role of OIM in Fusion Applications
• High Level Architecture
• OIM SPML Orchestration Flow
• Synchronization & Reconciliation Processes
• Demonstration: OIM User Interface & Features

What is Oracle Identity Manager (OIM)?

• Oracle Identity Manager is a user and role provisioning and administration solution, which automates the process of adding, updating, and deleting user accounts in applications and directories.
• Oracle Identity Manager is available as a stand-alone product or as part of the Oracle Identity and Access Management Suite.

Role of OIM in Fusion Applications

• OIM 11g is used for Identity Administration tasks such as:
  • User Administration (e.g. Creation, Self Registration, Modification and Deletion)
  • Role Administration (e.g. Creation, Modification, Deletion and Role Assignment)
• Fusion HCM sends identity administration requests to OIM
  • Using the standards-based Service Provisioning Markup Language (SPML) and web services
• OIM accepts the requests and performs the Identity Administration tasks
  • Results in LDAP updates (e.g. OID)

Role of OIM in Fusion Applications

• OIM is also used by Fusion Applications for Password Management
  • Change Password
  • Forgot Password
  • Password Resets
  • Enforce Password Policy
  • Initial password generation (for a new user) and sending out an email notification to the user
    • The email notification with the system-generated password is sent to the newly created Fusion Application user
• Data synchronization (synchronize data to & from the LDAP store)
• Integrate with Oracle Application Access Control Governor (OAACG) for SoD (Segregation of Duties) checks

High Level Architecture – Fusion Security

[Architecture diagram; the labels that survived extraction are listed below.]

Tiers: Database, WebLogic IDM, WebTier, SOA, IAM

Database schemas: ODS (ID Store), ODS (Policy Store), OAM, IAU, ORASDPM, MDS, SOAINFRA

Components and ports:
• Auth OHS: 7777
• Admin Server: 7001
• ODSM + DIP: 7006
• IDStore: 3060
• Policy: 3061
• OVD: 6051
• OAM: 14100
• OIM: 14000
• SOA: 8001

Fusion Applications – OIM Interaction

[Diagram slide; only the title was extracted.]

OIM SPML Orchestration Flow

[Diagram slide; only the title was extracted.]

Synchronization & Reconciliation

• User & Role Provisioning
  • LDAP Sync is used to make modifications to the LDAP store
• Reconciliation
  • Pre-defined Scheduled Jobs are used to synchronize the User and Role related information from the LDAP store into OIM

[Diagram: LDAP Sync flows from OIM to LDAP; Recon flows from LDAP to OIM.]

Helpful Resources

• Oracle Identity Manager 11g Documentation on OTN: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index-098451.html
• Product Information Center: Oracle Identity Manager Release 11g and later (Doc ID 1346075.2)
• Fusion Applications - Product Information Center (Doc ID 100.1)
• Fusion Applications Security knowledge documents published on My Oracle Support
  • Log in to My Oracle Support
  • Click on the Knowledge tab
  • In the Search & Browse tab select Product as Oracle Fusion Applications and Task as Security
  • Hit the Search button

Demonstration

Questions submitted during Advisor Webcast session

Q: Since OIM provisions access, what does Oracle Entitlement Server do that is different?
A: OIM provisions users and roles and defines what a user can do in Fusion Apps. OES is used for managing security policies (data & functional) and entitlements, which define what a user can do on which set of data.

Q: Which LDAP does it support?
A: OIM can be integrated with Oracle Internet Directory and MS Active Directory LDAP servers for use with Fusion Apps.

Q: Should email notification setup for OIM user creation passwords be done on the OIM side or the Fusion Apps side?
A: Email notifications are configured in OIM and not in Fusion Apps.

Q: Is OVD part of the OIM pack?
A: No, OVD is not a part of OIM. It is a part of the Oracle Identity & Access Management Pack.

Q: I need an explanation of the term 'user' in Fusion. Can an employee also be a user, or does user mean only an application implementation consultant? As you see on the screen, a hiring manager user is created for him to enter new employee details. Is it the IT Security Manager who creates the hiring manager user?
A: At a high level you can consider there are 2 kinds of users: Admin and End User. When Fusion Apps is installed we provision certain 'super' users that have admin capabilities. These users are then used to create Application Users.

Q: What does SPML stand for?
A: SPML - Service Provisioning Markup Language

Q: What I read from the Fusion security docs is that when we first install Fusion Apps a default user like xelsysadm gets created, and this user is able to create the IT Security Manager, and then the IT Security Manager logs into Fusion to create Application Implementation Consultant and Application Implementation Manager users. Until now my understanding is that the IT Security Manager is created in FA.
A: IT Security Manager is a job role that can be assigned to a super user, who can then create other implementation users that can be granted job roles like Application Implementation Consultant, Human Resource Specialist etc.

Q: In case a customer uses their own LDAP, like Microsoft Active Directory, can that be integrated with Oracle Fusion Applications?
A: Yes, MS Active Directory is certified with Fusion Apps.


Q: What is OIM?
A: OIM - Oracle Identity Manager. OIM was formerly known as Xellerate and became a part of the Oracle Identity Management stack when Oracle acquired Thor Technologies.

Q: Is this 11gR1 or 11gR2?
A: OIM 11gR1 is used with Fusion Apps.

Q: What are the membership rules under the employee role?
A: The OIM Role Membership Rules feature is not used with Fusion Apps.

Q: Regarding user synchronization, I have been using Fusion and have found that a user can be created in 2 ways:
1) OIM Admin user -> create implementation user
2) HCM application -> Manage Users
I understand at a high level that these are different ways of creating a user before and after doing the enterprise setup. Through the Manage Users console I can only provision a few roles; not all roles are available. I can add the additional roles through OIM for this user, but this does not sync or get reflected on the Manage Users screen, and vice versa. 2) Employee Id: is it an internally generated ID or can I manually enter it?
A: You are right about user creation. The reason why the roles are not shown as available on the Manage Users screen is that you need to add a Role Mapping in Fusion Apps for all the roles that you want to auto-provision to a user during the user creation request initiated from the Manage Users page. Refer: Doc ID 1448455.1. Employee ID/Number is generated in Fusion Apps.

Q: In the SaaS instances, we don't see the Advanced link appearing for an initial user created in OIM. Could you please let me know what role we have to give for such a setup so that we can replicate it in our on-premise installs?
A: The OIM Advanced Administration console link is only available to the OIM super user, which is controlled by the Cloud Admins. This is not generally available to a regular SaaS/Cloud user.

Q: What's new in 11g Rel 2?
A: OIM 11g Rel 2 documentation can be found at http://www.oracle.com/technetwork/middleware/id-mgmt/documentation/index.html. Kindly refer to the documentation.


Q: How do I map a role to a set of Fusion screens for access control?
A: Job Roles are mapped to Duty Roles in order to provide access control. Refer: Mapping Of Duty Roles To Top Level Menu Entries in Fusion Applications (Doc ID 1459828.1) and Mapping Of Roles, Duties and Privileges in Fusion Applications (Doc ID 1460486.1).

Q: During the Fusion Apps install, is it mandatory to install OIM?
A: Yes, OIM has to be installed and configured first. In fact, the entire Fusion Security install is done first and then the Fusion Apps install follows.

Q: You spoke about integration between Fusion Apps and OIM. Is OIM the *only* way to create users for Fusion Apps, or one of several options?
A: By architecture standards OIM is the only choice for User & Role management for Fusion Apps.

Q: If I want to create two different users, can I do it directly in OIM?
A: Creation of Fusion Apps users should ONLY be done through the Fusion Apps Manage Users page. Creating users directly in OIM is NOT recommended.

Q: Can you talk a bit about process forms? IHAC who does large migrations which involve updating these. Is that a normal thing to have to update periodically, and what else is then affected?
A: The OIM Reconciliation process is key to keeping the data synchronized between OIM and the backend LDAP store. Running the Recon jobs at a higher frequency on a periodic basis is recommended.

Q: Does OAACG come along with Fusion Applications, or should we implement the Oracle Governance, Risk and Compliance Controls (GRCC) suite?
A: OAACG is integrated with OIM. You do not need to install/implement the GRCC suite.

Q: I am currently installing Fusion Apps 11.1.4, so do we have to install another database for OIM, or can we align with the transactional database (Fusion Apps database)?
A: The OIM DB schema should be installed on a separate database instance. We do NOT recommend installing Fusion Security component schemas into the Fusion Apps DB.

Q: What is that organization all about in OIM while creating a user?
A: The OIM 'Xellerate Users' Organization is just a placeholder/container for the OIM objects; it is not related to Fusion Apps.


Q: What are the differences in implementation of OAM with EBS Rel 12 versus Fusion Apps?
A: The scope of this webcast session is to talk about OIM and Fusion Apps. Please refer to the EBS Rel 12 documentation for OAM implementation in EBS.

Q: If using just Fusion CRM, will you still need HCM to create the employee record to initiate the user setup flow (like in EBS)?
A: Yes, all the Fusion Apps pillars, e.g. CRM, SCM, FINs, use the HCM Core component for user creation.

Q: Can we create users in OIM directly and use them in Fusion Apps, or do we have to create them via HCM?
A: You can only create Fusion users via Fusion HCM. Creating them directly in OIM is NOT recommended.

Q: Sometimes when I log in to FA, I get the error "user is locked or disabled", but when I check the same user in OIM, the status is unlocked. What exactly is happening?
A: In your case the user is locked in the LDAP store: during the login process OAM connects directly to OID/LDAP, and if you get multiple failed logins then it is very likely that OAM would prevent you from logging in and the account will be locked in the LDAP store.
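As an added example, not part of the webcast deck, the following Python drift check compares constructed snapshots of the three stores this deck names: the LDAP store that OAM authenticates against, OIM's USR table, and Fusion's PER_USERS table. It surfaces the reconciliation lag that the Synchronization & Reconciliation slide describes and the locked-in-LDAP-but-unlocked-in-OIM condition in the answer above; the record shape, the sample users and the finding names are assumptions, not the products' schemas.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One identity as seen by a single store (shape is an assumption)."""
    username: str
    locked: bool = False
    roles: frozenset = frozenset()


# Constructed snapshots, not real exports. LDAP is what OAM authenticates
# against; OIM_USR stands in for OIM's USR table; FUSION_PER_USERS stands
# in for the usernames held in Fusion's PER_USERS table.
LDAP_STORE = {
    "jdoe": Account("jdoe", locked=True, roles=frozenset({"EMPLOYEE"})),
    "asmith": Account("asmith", roles=frozenset({"EMPLOYEE", "HR_SPECIALIST"})),
    "bnew": Account("bnew", roles=frozenset({"EMPLOYEE"})),
}
OIM_USR = {
    "jdoe": Account("jdoe", locked=False, roles=frozenset({"EMPLOYEE"})),
    "asmith": Account("asmith", roles=frozenset({"EMPLOYEE"})),
    "stale": Account("stale", roles=frozenset({"EMPLOYEE"})),
}
FUSION_PER_USERS = {"jdoe", "asmith", "bnew", "cfail"}


def find_drift(ldap, oim, fusion):
    """Return (kind, username, detail) tuples for every inconsistency found."""
    findings = []
    # Recon jobs pull LDAP into OIM; an LDAP-only user means recon has not run yet.
    for name in sorted(set(ldap) - set(oim)):
        findings.append(("recon_lag", name, "in LDAP, not yet reconciled into OIM"))
    # LDAP Sync pushes OIM changes out; an OIM-only user is an orphan to investigate.
    for name in sorted(set(oim) - set(ldap)):
        findings.append(("orphan_in_oim", name, "in OIM, absent from LDAP"))
    for name in sorted(set(ldap) & set(oim)):
        l, o = ldap[name], oim[name]
        # The webcast case: OAM locks the LDAP entry after repeated failed
        # logins while OIM still reports the user as unlocked.
        if l.locked != o.locked:
            findings.append(("lock_mismatch", name,
                             f"LDAP locked={l.locked}, OIM locked={o.locked}"))
        if l.roles != o.roles:
            findings.append(("role_mismatch", name,
                             f"LDAP={sorted(l.roles)}, OIM={sorted(o.roles)}"))
    # A PER_USERS row with no LDAP entry cannot authenticate through OAM.
    for name in sorted(fusion - set(ldap)):
        findings.append(("no_ldap_account", name, "in PER_USERS, no LDAP entry"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in find_drift(LDAP_STORE, OIM_USR, FUSION_PER_USERS):
        print(f"{kind:16} {user:8} {detail}")
```

Feeding it real exports means replacing the three constructed dictionaries with rows pulled from the directory and the two schemas; the comparison logic itself does not change.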

Q: Do Fusion Applications and/or OIM maintain their own separate store of users/roles in addition to the directory (OID or other LDAP)?
A: OIM stores the user and role information in its schema tables, e.g. table USR stores user info. Fusion Applications also stores information about users and roles in its schema, e.g. table PER_USERS stores user info.

Q: Is OAAM used in Fusion Apps Security?
A: No, Oracle Adaptive Access Manager (OAAM) is NOT used in Fusion Security.

Q: What is the difference between a policy and an entitlement? How are they related?
A: Policy: a grant of entitlement to a role on an object or attribute group for a given condition. Entitlement: grants of access to functions and data; the Oracle Fusion Middleware term for privilege.

Q: Can an Application or Duty role be directly assigned to a user, or can it flow only through a job role?
A: No, an Application Role or Duty Role cannot be directly assigned to a user. They are mapped to appropriate Job Roles, which are then assigned to the users.

Q: Where is the link between the Application role and the Job role established? Is this link established automatically when a data role is created?
A: Linking/mapping of Application Role to Job Role is done in a tool called Authorization Policy Manager (APM).

Are You Ready To Get Proactive?

Avoid the unexpected
• Don't leave value on the table
• Lower overall organizational costs through preventative maintenance
• Reduce risks and maximize uptime
• Achieve resolution faster
• Streamline and simplify your daily operations
• Get even more through connection

Discover more about Get Proactive: https://support.oracle.com/CSP/main/article?cmd=show&type=ATT&id=1385165.1

ACT: Get Proactive. Access proactive capabilities available for your products by visiting the product pages at My Oracle Support (Article ID 432.1)

Contact the Get Proactive team today for help getting started: [email protected]


THANK YOU