OIM Identity
Store
Authorization Policy
Roles Assigned
Provision to
Resources
Scheduler Job Runs
Central Repository
Network User
Accounts
Corporate eMail
Digital Workplace
Remedy Prowatch
Employee Active
Directory
Department Roles
Retirement Portal
Home Drive
Corporate Portal
Global Address
Book “GAL”
Mobile MyPay
Org Charts 1
Org Charts 2
Salary Administration
File System “T Drive” (T:\)
PeopleSoft
NOS Active Directory
Contact Information
Other Attributes
Authoritative Human Resource Records from Oracle Service Bus
Basic Information
User Type
Display Name
Organization
First Name
Middle Name
Manager
Last Name
Account Settings
User Login
Password
Account Effective Dates
Start Date
End Date
Postal Address
Postal Code
Pager
Home Phone
Fax
Mobile
Home Postal Address
Street
Country
State
PO Box
Extended Information
Retiree Code
fullOrPartTime
Retiree Status
Location Code
Location Description
Division Description
Per_Org
Job Code
Department Description
Manager Description
Manager Level
Manager Name
Initials
Title
Locality Name
Common Name
Department Number
Generation Qualifier
Hire Date
Employee Number
personOfOrigin
preferredFirstName + lastName
Division
preferredFirstName / firstName
middleName
supervisorId
lastName
If preferredFirstName is not present then use firstName
Direct flow
Direct flow
Attribute will be derived by looking up the value of SUPERVISOR_ID with OIM
Division changes will trigger OIM to perform business logic
Logic will be based on whether the person is POI (Person of Interest), EMP (employee) or CWR (Contingent worker)
If preferredFirstName is not present then use firstName with lastName (ex: Mike Reams)
OSB Data Source Attributes
DeptId: For CORPT employees, default AD groups will be provisioned for certain departments
employeeid: Direct Flow: Unique Identifier (10 digit Alpha ID)
efftdate: Direct flow: Will be used as Hire Date & Start Date for New Hires & Rehires only
jobTitle: Only flow Title when primary flag is set
locationAddress.addressLine1
locationAddress.postalCode
locationAddress.country
locationAddress.state
Direct flow
Direct flow
Direct flow
Direct flow
locationCode
locationDescription
Division Description
Per_Org
jobCode
Direct flow
Direct flow
Direct flow
Direct flow
Direct flow-Determines type of person in PeopleSoft
Future Flow with RTIP
Future Flow with RTIP
fullOrPartTime
deptDescription
managerLevel
supervisorName
Direct flow
Direct flow
Trigger for manager level of 20 or below will invoke Exception Rule#1
managerLevelDescription
Direct flow
Full or Part-time status in PeopleSoft ex: (FULL-TIME)
Employee’s management level in PeopleSoft ex: (50)
Employee’s management level description in PeopleSoft ex: (Senior Manager)
Value of time of provisioning for all users
Used only for non-employees
Direct flow
Authoritative Human Resource Records
PeopleSoft Data Attributes Business Logic in the Oracle Service Bus
Used only for non-employees in data flow
OIM Role to Application Mapping
suffix
prefix
preferredlastName
preferredFullName
businessUnit
businessUnitDescription
locationAddress.addressLine2
locationAddress.addressLine3
regularOrTemp
Oracle Identity Manager
Identity & Access Provisioning Architecture Data Flow
Provisioning Dates
Deprovisioning Date
Provisioning Date
FIRST_NAME_SRCH
employeeid
efftdate Direct flow: Will be used as Hire Date & Start Date for New Hires & Rehires only
Direct Flow: Unique Identifier (10 digit Alpha ID)
Random password generated and sent in email workflow
Email flows from Active Directory and lookup is based on “HomeEmployeeID”
Phone Number flows from Active Directory and lookup is based on “HomeEmployeeID”
Secondary Title: jobTitle: Only flow Title when secondary flag is set
LAST_NAME_SRCH
BUSINESS_UNIT
NAME52
PER_ORG
DEPTID
EMPLID
BUSINESS_UNIT
CEH_BUS_ENT_DESCR
JOBTITLE
EMPLID
Authoritative Data from Active Directory
telephoneNumber
Basic Attributes
Telephone Number
Active Directory Attributes
PeopleSoft
Provision Phone & Email Information about User
EMGR
PAY
XX
CSUITE
BENFITS
XX
XX
XX
XX
XX
XX
PROFILE
OIM Role Names
REC
THM
XX
XX
XX
QUSER
EMANAGER
EVIEWER
MGR2
MGR1
Active Directory
Import all Roles
Provision all Roles
Role Based Access “MGR1” & “MGR2”
Role Based Access “MANAGER” & “VIEWER”
Role Based Access “PAY”
Oracle Unified Directory
Provision all Roles
Oracle Unified Directory
Provision all “Active” Users & Roles
Corporate Portal
Mobile MyPay
Digital Workplace
Org Charts 1
Org Charts 2
Provision Phone & Email Information about User
OIM Role Names
Audit
Corporate Development
Accounting
Roles for Department Provisioning (OIM Business Logic)
SAP Support
LTD Employees
Benefits
Communications
AD Group SamAccountNames=Users1, Employees, PS Financial Users
AD Group SamAccountNames=Users1, Employees, PS Financial Users
AD Group SamAccountNames=Users1, Employees, PS Financial Users
AD Group SamAccountNames=Users1, Employees, PS Financial Users, 0BusDev
AD Group SamAccountNames=Users1, Employees, PS Financial Users, ATDept
AD Group SamAccountNames=Users1, Employees, PS Financial Users, PortalUsers
AD Group SamAccountNames=Users1, Employees, PS Financial Users, ATLCommunications
OIM reads in SOA data and looks at attribute “DeptId” to see if it equals “CXHQ102”. If so, provision to this OIM Role
OIM reads in SOA data and looks at attribute “DeptId” to see if it equals “CXHQ105”. If so, provision to this OIM Role
OIM reads in SOA data and looks at attribute “DeptId” to see if it equals “CXHQ108”. If so, provision to this OIM Role
OIM reads in SOA data and looks at attribute “DeptId” to see if it equals “CXHQ145”. If so, provision to this OIM Role
OIM reads in SOA data and looks at attribute “DeptId” to see if it equals “CXHQ103Y”. If so, provision to this OIM Role
OIM reads in SOA data and looks at attribute “DeptId” to see if it equals “CXHQLTD”. If so, provision to this OIM Role
OIM reads in SOA data and looks at attribute “DeptId” to see if it equals “CXHQ109”. If so, provision to this OIM Role
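The department rule above is a simple attribute match, but the security-relevant part is what happens on a department change: HCM sends the update through the SOA layer and the OIM Authorization Policy must not only add the new department's groups but also take away the ones the user no longer qualifies for, otherwise entitlements accumulate with every transfer. The following Python is an added example written for this page, not code from the drawing or from Oracle Identity Manager, that evaluates the DeptId rule and produces the add/remove set for an AD group sync. The DeptIds, OIM role names and AD group SamAccountNames are the ones listed in the drawing, but which DeptId belongs to which department and group set cannot be read off the flattened layout, so that pairing is an assumption used purely for illustration; `HrRecord`, `businessUnit` as the carrier of the CORPT value, and the sample records are also constructed for the example.

```python
"""Added example (not from the original OIM design drawing): evaluate the
department-based AD group provisioning rule and plan a group sync.

OIM reads the HR record arriving through SOA, matches "DeptId" against the
department IDs in the drawing, assigns the matching OIM role, and each role
carries a set of AD groups: the common "Users1, Employees, PS Financial Users"
plus, for some departments, one department-specific group.

ASSUMPTION: the pairing of DeptId -> department -> group set below is
illustrative; the drawing lists the values but not which belongs to which.
"""
from dataclasses import dataclass

COMMON_GROUPS = frozenset({"Users1", "Employees", "PS Financial Users"})

# DeptId -> (OIM role, department-specific AD groups). Values come from the
# drawing; the pairing is assumed for illustration only.
DEPT_ROLE_RULES = {
    "CXHQ102": ("Audit", frozenset()),
    "CXHQ105": ("Accounting", frozenset()),
    "CXHQ108": ("SAP Support", frozenset()),
    "CXHQ145": ("Corporate Development", frozenset({"0BusDev"})),
    "CXHQ103Y": ("Benefits", frozenset({"PortalUsers"})),
    "CXHQLTD": ("LTD Employees", frozenset({"ATDept"})),
    "CXHQ109": ("Communications", frozenset({"ATLCommunications"})),
}

# Every group any department rule can grant; only these are ever removed by
# the sync, so groups granted by other processes are left alone.
MANAGED_GROUPS = COMMON_GROUPS.union(*(g for _, g in DEPT_ROLE_RULES.values()))


@dataclass(frozen=True)
class HrRecord:
    """Constructed stand-in for the OSB/SOA record OIM receives."""
    employeeid: str
    businessUnit: str  # assumption: carries "CORPT" for corporate employees
    deptId: str


def resolve_role(rec):
    """Return (OIM role, AD groups) the record is entitled to, or
    (None, empty set) when no department rule applies: the drawing scopes
    the rule to CORPT employees, and unlisted departments get no default
    groups."""
    if rec.businessUnit != "CORPT":
        return None, frozenset()
    rule = DEPT_ROLE_RULES.get(rec.deptId.strip().upper())
    if rule is None:
        return None, frozenset()
    role, extra = rule
    return role, COMMON_GROUPS | extra


def plan_group_sync(current_groups, rec):
    """Diff the user's current AD groups against the entitlement.

    Returns (to_add, to_remove) as sorted lists. Only rule-managed groups are
    ever removed; a manually granted group that no department rule knows
    about is never touched."""
    _, desired = resolve_role(rec)
    current = set(current_groups)
    to_add = desired - current
    to_remove = (current & MANAGED_GROUPS) - desired
    return sorted(to_add), sorted(to_remove)


if __name__ == "__main__":
    # Constructed scenario: an employee transfers from Communications to
    # Audit; the department-specific group must be revoked.
    before = HrRecord("0000000555", "CORPT", "CXHQ109")
    _, held = resolve_role(before)
    after = HrRecord("0000000555", "CORPT", "CXHQ102")
    print(plan_group_sync(held | {"VPN-Users"}, after))
```

The sync deliberately distinguishes rule-managed groups from everything else: removing only what the department rule could have granted keeps the reconciliation from clobbering access granted through another path, while still guaranteeing that a transfer out of a department drops that department's group.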
Active Directory Group Provisioning
OIM Role Names
Timesheet Manager
COMP Super User
Timesheet
Authoritative Roles for “On-Prem” Applications
Role Based Access
COMP Manager
Timesheet BOTH
Employees who have the “TIMESHEET” role in Kronos will have an OIM Authorization Policy applied
Employees who have the “TSMGR” role in Kronos will have an OIM Authorization Policy applied
Employees who have the “All” role in Kronos will have an OIM Authorization Policy applied
Employees who have the “Comp.SuperUser” role in Sal Admin will have an OIM Authorization Policy applied
Employees who have the “Comp.ManagerUser” role in Sal Admin will have an OIM Authorization Policy applied
Role Based Access
Oracle Unified Directory
Provision Roles
Corporate Portal
Salary Administration
Corporate Portal Employee
Retirement Portal Admin
Portal Admin
Retirement Portal Member
Provision Roles
Corporate Portal Contractor
This role will be managed only within OIM and mapped to the Portal Admin group to grant administrative access to the portal
This role will be managed in real time for people coming through SOA whose “Org” is set to “EMP”. An OIM Authorization Policy will apply to these users
This role will be managed in real time for people coming through SOA whose “Org” is set to “CWR”. An OIM Authorization Policy will apply to these users
This role will be managed only within OIM and mapped to the Retiree Portal Admin group to grant administrative access to the portal
This role will be managed in real time for retirees coming through SOA that have a retiree value set. An OIM Authorization Policy will apply to these users
Retirement Portal
Oracle Unified Directory
Role Based Access
Timesheet Oracle Database
Timesheet contains a multi-value view which the OIM GTC can connect to as the authoritative source of record for Access Roles
Microsoft SQL Database
The Compensation App contains a multi-value view in SQL which the OIM GTC can connect to as the authoritative source of record for Access Roles
Department Roles
NTFS Mappings
Role Based Access
PeopleSoft Oracle Database
HCM will send Department updates via the SOA layer
The OIM Authorization Policy for each OIM Role will kick in and then sync the change out to Active Directory per the defined Department ID
The Oracle Service Bus receives data from HCM and transforms it based on business logic
User data enters the Service Bus queue and is sent to the OIM Java Web Service Listener
Provision All Roles
HCM Authoritative Roles
EMGR
PAY
XX
CSUITE
BENFITS
XX
XX
XX
XX
XX
XX
PROFILE
REC
THM
XX
XX
XX
QUSER
MANAGER
VIEWER
MGR2
MGR1
Direct flow
PeopleSoft Oracle Database
The HCM Stat executes business processes to populate views through Control-M
The OIM Authorization Policy for each OIM Role will kick in and then sync the change out to AD and OUD. AD is a short-term solution
The views are called “EMP_GRP_VW” (the Base View) and “EMP_MEM_VW” (the multi-value view)
Oracle Identity Manager runs, via Control-M or manually, the OIM HCM Role Recon job, which then populates OIM with updated employee members from the Oracle Database views
PeopleSoft Role Names
OIM Role to Application Mapping
OIM Data Flow
Oracle Unified Directory
(dc=companyA,dc=com)
City: locationAddress.city: Direct flow
MIDDLE_INITIAL
STATE
POSTAL
ADDRESS1
LOCATION
LOCATION_DESCR
JOBCODE
Yammer
Active Directory “NOS”
HCM
NOS-networkID
PER_ORG
NOS-networkDomain
Project:
Oracle OAM/OIM
Revision:
1.13
Drawing #1.2
Date: 12/6/2015
Size: Letter 34x44
Technical Design By
Mike Reams
Out-of-the-box | Custom Attributes
Direct Flow EX: 000555
Direct Flow
Direct Flow EX: Reams
Direct Flow EX: Reams, Mike (Atlanta)
Direct Flow EX: Lead Solution Architect
Direct Flow EX: CORPT
Direct Flow EX: EMP | CWR |POI
EX: CN=ManagerName,OU=Users,OU=Enterprises,OU=CEI,DC=Company,DC=com
Direct Flow
Direct Flow EX: 2014-10-20
Direct Flow EX: 6205 Peachtree Dunwoody Rd NE
Direct Flow EX: 30328-4524
Direct Flow EX: GA
Direct Flow EX: United States
Direct Flow
Active Directory
File System “T Drive” (T:\)
User Type
Display Name
Division
givenName
middleName
Manager
sn
Direct Flow EX: Mike
Active Directory
employeeID
Title
cei-startDate
homeEmployeeID: Direct Flow
accountExpires
Password Sync Process password
Postal Address
Postal Code
Country
State
localID
Location Description
Division Description
Per_Org
Job Code
Department Description
City
networkID
networkDomain
Direct Flow-Location Code in PeopleSoft ex: (CXHQ)
Direct Flow-Location description in PeopleSoft ex: (CompanyA, Inc. Headqtrs)
Direct Flow-Job Code in PeopleSoft ex: (A148)
Data Provisioning to LDAP Directories
Direct Flow-Division description in PeopleSoft ex: (Television)
Direct Flow-Person of Origin in PeopleSoft ex: (POI(Person of Interest), EMP(employees), CWR(Contingent worker))
Direct Flow-Employee’s Business City in PeopleSoft ex: (Atlanta)
Direct Flow-Employee’s department description in PeopleSoft ex: (Product Management)
givenName
middleName
sn
Central Repository
UID
Title
accountExpires
password
Postal Address
Postal Code
Country
State
Retiree Code
fullOrPartTime
Retiree Status
localID
Division Description
Per_Org
Job Code
Department Description
Manager Description
Manager Name
City
networkID
networkDomain
Will have a value set to determine if the elig_config6 value is set or not. Value will either be Null or set to “Retired”
Value from HCM that shows retiree role to assign the user. Ex: (REMED)
EmployeeType
Display Name
cei-division & division
givenName
middleName
Manager
sn
Internet Directory
UID | cn
Title
cei-startDate
Cei-homeEmployeeID
userpassword
homePostalAddress
postalCode
Country
State
businessCategory
localID
company
divisionDescr
jobcode
department
physicalDeliveryOfficeName
networkID
networkDomain
For CORPT users, OIM will set this since it manages account creation
For CORPT users, OIM will set this to (DOMAIN) since it manages account creation
CORPT users will get this assigned by OIM
CORPT users will get a constant value by OIM
NOS-networkDomain
NOS-networkID