OIG 11G R2 PS2 Training
Oracle Proprietary - Restricted to Personal Use in an Oracle partner training class 1 | P a g e
OIG 11G R2 PS2 Field Enablement Training
Lab 15.1 - Access Policy Harvesting
Disclaimer: The Virtual Machine Image and other software are provided for use only during
the workshop. Please note that you are responsible for deleting them from your computers
before you leave. If you would like to try out any of the Oracle products, you may download
them from the Oracle Technology Network (http://www.oracle.com/technology/index.html)
or the Oracle E-Delivery WebSite (http://edelivery.oracle.com)
Table of Contents
Table of Contents ........ 2
1. Introduction ........ 3
2. Illustrating AP Harvesting ........ 4
2.1 Configure the needed parameters for AP Harvesting ........ 4
2.2 Create a user in OIM (directly from the UI but could be done via a reconciliation task) ........ 6
2.3 Create a user in OUD (the account from OIM point of view) ........ 7
2.4 Run a target resource scheduled task to get the account associated with the user ........ 11
2.5 Give a role to a user ........ 14
2.6 Create an access policy that associates the role and the target system (corresponding to the account – OUD in our environment) ........ 15
2.7 Run the access policy evaluation (that includes the AP Harvesting), so called Evaluate User Policies, for linking the Account and the Access Policy ........ 19
2.8 Check that the link has been made without an attempt to create a second account for this user ........ 20
2.9 Drop the role for the user and check that the account is revoked (as specified in the access policy) ........ 22
1. Introduction
During the on-boarding phase, a common use case is not to provision users to target systems (because the entries already exist there) but, on the contrary, to reconcile such systems, creating the accounts in OIM. With the previous release, a conflict took place between the auto-provisioning feature (through Access Policies) and these reconciled accounts. With the PS2 release we now have an Access Policy Harvesting process (part of the Evaluate User Policies scheduled task) that links the account (loaded during the on-boarding phase) with the related access policy, enabling the Access Policy for future operations.
The use case that we are illustrating in this lab is the following:
1. Configure the needed parameters for AP Harvesting.
2. Create a user in OIM (directly from the UI but could be done via a reconciliation task).
3. Create a user in OUD (the account from OIM point of view).
4. Run a target resource scheduled task to get the account associated with the user.
5. Give a role to a user.
6. Create an access policy that associates the role and the target system (corresponding to the account – OUD in our environment).
7. Run the access policy evaluation (that includes the AP Harvesting), so called Evaluate User Policies, for linking the Account and the Access Policy.
8. Check that the link has been made without an attempt to create a second account for this user.
9. Drop the role for the user and check that the account is revoked (as specified in the access policy).
2. Illustrating AP Harvesting
2.1 Configure the needed parameters for AP Harvesting
We will have to set two system properties and define the “Primary Key” (the Account Discriminator) of the account.
1. Launch the System Administration console.
2. Sign in as the Admin.
3. Click System Configuration under System Management.
4. Search for Allows* and set the two matching properties to TRUE:
5. Close the System Properties window and launch the Design Console. Connect as xelsysadm, expand Development Tools and double-click on Form Designer.
6. Search for the UD_LDAP_USR process form. Be sure to select the active version as the current one and create a new version named AP Harvesting.
7. Click on the Properties tab and, for the Server (ITResourceLookupFile) component, add the property Account Discriminator and set it to true.
8. Save and close the property creation window. The Properties tab should look like:
9. Save the Process Form and make this version active by clicking on the related button. You can close the Design Console.
2.2 Create a user in OIM (directly from the UI but could be done via a reconciliation task)
1. Launch the Identity Self Service console, connect as Admin and create this user:
2. Check that this user does not have any account associated.
2.3 Create a user in OUD (the account from OIM point of view)
We will use an LDAP browser for that operation.
1. Launch Apache Studio.
2. Click on the saved OUD connection.
3. Expand DIT -> Root (DSE 2) -> dc=example,dc=com, right-click on ou=people and select New → New Entry...
4. Click Browse. Select a user (used as a template), click on OK.
5. Click on Next two times.
6. Change the uid value to EXIAO and click on Next.
7. Update the attributes with the following values:
8. Double-click on the userPassword attribute and, in the New Password tab, select Plaintext for the Hash Method.
9. Click on OK and then on Finish.
2.4 Run a target resource scheduled task to get the account associated with the user
1. Open the scheduled task LDAP Connector User Search Reconciliation.
2. Change the IT Resource Name to Enterprise Directory – OUD.
3. Delete the data in the Latest Token field and click on Apply.
4. Click on Run Now.
5. Click on Refresh and check that the scheduled task has finished running.
6. You can have a look at the details of the target reconciliation operation by clicking on the Event Management tab and then on the arrow to search the Reconciliation Events.
7. Click on the last one (the first entry in the list).
8. You should see that the account has been reconciled.
9. Close the scheduled task window.
10. Back in the Identity Self Service console, verify that your user now has the account (a typical on-boarding scenario where we don't provision but reconcile existing accounts).
2.5 Give a role to a user
In this step we will give the Submit Expense Reports role to the user. This role will be associated with an Access Policy that provisions (in our case, links, as the account has already been reconciled) an OUD Account.
1. As the Admin user, in the Identity Self Service console, go to the User Details screen for Erik Xiao, click on the Roles tab and then on Request Roles.
2. In the Catalog, click on Add to Cart for the Submit Expense Reports role.
3. Click on Checkout and Submit.
4. Refresh the list of roles to view the added role.
2.6 Create an access policy that associates the role and the target system (corresponding to the account – OUD in our environment)
1. In the System Administration console (as Admin), create a new Access Policy.
2. Step 1 - be sure to check Retrofit Access Policy, as it is mandatory for AP Harvesting, and leave the default Priority:
3. Step 2 – select LDAP User:
4. Step 2 (cont) – select Enterprise Directory – OUD for the Server and Enterprise Directory – OUD~people for the Container DN:
5. Step 2 (cont) – leave the default revoke flag:
6. Pass Step 3 by clicking on Continue.
7. Step 4 – select the Expense Report Submission (Submit Expense Reports) role:
8. Step 5 - review the summary and click on Create Access Policy
2.7 Run the access policy evaluation (that includes the AP Harvesting), so called Evaluate User Policies, for linking the Account and the Access Policy
1. In the System Administration console as Admin, run the Evaluate User Policies scheduled task (check that it has finished by clicking on Refresh):
2. Close the Scheduled Task window.
2.8 Check that the link has been made without an attempt to create a second account for this user
1. Back in the Identity Self Service console, refresh the Account tab of the EXIAO user. Notice that we have only one entry (the Access Policy detects that the account has already been given to this user and makes the link rather than trying to provision the account again) and that the Account Name is now EXIAO instead of 443; this is the sign that the AP Harvesting took place.
Another way to verify that the AP Harvesting has been done is through a certification. For your information, in phase 1 of the certification, looking at the OUD Account item of the EXIAO user, in the Risk Summary tab one can see the value AP Harvested for the Provisioning Method.
Hereafter are the steps for creating such a certification, should you want to check this status:
1. As Admin in the System Administration console create a Certification:
Name = EXIAO
Type = User
Base Selection: Selected Users (add EXIAO)
Primary Reviewer: User Manager
2. As Dcrane (Erik Xiao’s manager) in the Self Service console:
Dashboard: click on the name of the pending certification
Click on EXIAO User Login link
Click on Enterprise Directory – OUD(EXIAO)
Select Risk Summary tab
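To make the harvesting decision of sections 2.7 to 2.9 concrete, here is a simplified model of what Evaluate User Policies does for one user, written as an added illustration for this lab and not taken from OIM's code. It assumes that a policy "harvests" an unlinked account of the same application instance when the Account Discriminator (the Server field configured in 2.1) matches, and it replays the EXIAO scenario: reconciled account shown as 443, role granted, role dropped; the policy name and the "Reconciled" / "Access Policy" method labels are constructed.

```python
from dataclasses import dataclass
@dataclass
class Account:
    app_instance: str           # e.g. "Enterprise Directory - OUD"
    discriminator: str          # the Account Discriminator field (Server IT resource)
    account_name: str
    provisioning_method: str = "Reconciled"   # constructed label for a reconciled account
    status: str = "Provisioned"
    policy: str = ""            # name of the linked access policy, "" if not linked

@dataclass
class AccessPolicy:
    name: str
    role: str
    app_instance: str
    discriminator: str
    retrofit: bool = True                     # the lab makes this mandatory
    revoke_if_no_longer_applies: bool = True  # the lab keeps the default revoke flag

def evaluate_user_policies(login, roles, accounts, policies, harvesting=True):
    actions = []
    for p in policies:
        linked = [a for a in accounts if a.policy == p.name]
        if p.role in roles and not linked:
            # Harvesting adopts an unlinked, discriminator-matching account instead of provisioning again.
            match = next((a for a in accounts if harvesting and p.retrofit
                          and not a.policy and a.app_instance == p.app_instance
                          and a.discriminator == p.discriminator), None)
            if match:
                match.policy, match.provisioning_method = p.name, "AP Harvested"
                match.account_name = login  # lab: Account Name changes from 443 to EXIAO
                actions.append(f"harvested {p.app_instance} for {p.name}")
            else:
                accounts.append(Account(p.app_instance, p.discriminator, login,
                                        "Access Policy", "Provisioned", p.name))
                actions.append(f"provisioned {p.app_instance} via {p.name}")
        elif p.role not in roles and linked and p.revoke_if_no_longer_applies:
            for a in linked:
                a.status = "Revoked"
            actions.append(f"revoked {len(linked)} account(s) of {p.name}")
    return actions

def run_lab_scenario(harvesting=True):
    oud = "Enterprise Directory - OUD"
    accounts = [Account(oud, oud, "443")]  # reconciled in 2.4; the UI shows 443
    policy = AccessPolicy("Expense Reports -> OUD", "Submit Expense Reports", oud, oud)
    evaluate_user_policies("EXIAO", {"Submit Expense Reports"}, accounts, [policy], harvesting)
    after_grant = [(a.account_name, a.provisioning_method, a.status) for a in accounts]
    evaluate_user_policies("EXIAO", set(), accounts, [policy], harvesting)  # role dropped, 2.9
    return after_grant, [(a.account_name, a.provisioning_method, a.status) for a in accounts]
```

Calling `run_lab_scenario(False)` reproduces the pre-PS2 conflict described in the introduction: a second OUD account is provisioned next to the reconciled one.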
2.9 Drop the role for the user and check that the account is revoked (as specified in the access policy)
1. In the Self Service console (as Admin), revoke the Submit Expense Reports role for the user EXIAO.
2. Run the scheduled task Evaluate User Policies and verify that the account has been revoked in OIM:
3. You can also check in the LDAP server:
a) Before refreshing in Apache Studio: