oig 11g r2 ps2 field enablement training -...

OIG 11G R2 PS2 Training

Oracle Proprietary - Restricted to Personal Use in an Oracle partner training class 1 | P a g e

OIG 11G R2 PS2 Field Enablement Training

Lab 15.1 - Access Policy Harvesting

Disclaimer: The Virtual Machine Image and other software are provided for use only during

the workshop. Please note that you are responsible for deleting them from your computers

before you leave. If you would like to try out any of the Oracle products, you may download

them from the Oracle Technology Network (http://www.oracle.com/technology/index.html)

or the Oracle E-Delivery WebSite (http://edelivery.oracle.com)

http://www.oracle.com/technology/index.html

http://edelivery.oracle.com/



Table of Contents

Table of Contents .......................................................................................................................................... 2

1. Introduction .......................................................................................................................................... 3

2. Illustrating AP Harvesting ...................................................................................................................... 4

2.1 Configure the needed parameters for AP Harvesting ..................................................................... 4

2.2 Create a user in OIM (directly from the UI but could be done via a reconciliation task)................ 6

2.3 Create a user in OUD (the account from OIM point of view) .......................................................... 7

2.4 Run a target resource scheduled task to get the account associated with the user ..................... 11

2.5 Give a role to a user ...................................................................................................................... 14

2.6 Create an access policy that associates the role and the target system (corresponding to the

account – OUD in our environment) ................................................................................................... 15

2.7 Run the access policy evaluation (that includes the AP Harvesting) so called Evaluate User

Policies for linking the Account and the Access Policy ........................................................................ 19

2.8 Check that the link has been done with no try for creating a second account for this user ........ 20

2.9 Drop the role for the user and check that the account is revoked (as specified in the access

policy) .................................................................................................................................................. 22



1. Introduction

During the on-boarding phase, a common use case is not to provision users to target systems (because

entries exist already) but in contrary to reconciliate such systems creating accounts in OIM. With the

previous release a conflict was taking place between regarding the auto-provisioning feature (through

Access Policies) and these reconciliated accounts. With the PS2 release we have now an Access Policy

Harvesting process (part of the Evaluate User Policies scheduled task) that is linking the account (loading

during the on-boarding phase) with the related access policy enabling the Access Policy for future

operations.

The use case that we are illustrating in this lab is the following:

1. Configure the needed parameters for AP Harvesting.

2. Create a user in OIM (directly from the UI but could be done via a reconciliation task).

3. Create a user in OUD (the account from OIM point of view).

4. Run a target resource scheduled task to get the account associated with the user.

5. Give a role to a user.

6. Create an access policy that associates the role and the target system (corresponding to the

account – OUD in our environment).

7. Run the access policy evaluation (that includes the AP Harvesting) so called Evaluate User

Policies for linking the Account and the Access Policy.

8. Check that the link has been done with no try for creating a second account for this user.

9. Drop the role for the user and check that the account is revoked (as specified in the access

policy).



2. Illustrating AP Harvesting

2.1 Configure the needed parameters for AP Harvesting

We will have to flag two system parameters and define the “Primary Key” of the account.

1. Launch the System Administration console.

2. Sign in as the Admin.

3. Click System Configuration under System Management.

4. Search for Allows* and update to TRUE the two properties:



5. Close the System Properties window and launch the Design Console. Connect as

xelsysadm, expand Development Tools and double-click on Form Designer.

6. Search the UD_LDAP_USR process form. Be sure to select the active version as the

current one and create a new version named AP Harvesting.

7. Click on the Properties tab and add for the Server (ITResourceLookupFile) component

the property Account Discriminator and set it to true.

8. Save and close the property creation window. The Properties tab should look like:

9. Save the Process Form and make this version active clicking on the related button. You

can close the Design Console.



2.2 Create a user in OIM (directly from the UI but could be done via a

reconciliation task)

1. Launch the Identity Self Service console, connect as Admin and create this user:

2. Check that this user is not having any account associated.



2.3 Create a user in OUD (the account from OIM point of view)

We will use for that operation an LDAP Browser.

1. Launch Apache Studio.

2. Click on the saved OUD connection.

3. Expand DIT -> Root (DSE 2) -> dc=example,dc=com and right-click on ou=people

selecting New → New Entry...



4. Click Browse. Select a user (used as a template), click on OK.

5. Click on Next two times.



6. Change the uid value to EXIAO and click on Next.

7. Update the attributes with the following values:



8. Double-click on the userPassword attribute and in the New Password tab select Plaintext

for the Hash Method.

9. Click on OK and then on Finish.



2.4 Run a target resource scheduled task to get the account associated with

the user

1. Open the scheduled task LDAP Connector User Search Reconciliation.

2. Change the IT Resource Name to Enterprise Directory – OUD.

3. Delete the data in the Latest Token field and click on Apply.

4. Click on Run Now.



5. Click on Refresh and check that the scheduled task has finished running.

6. You can have a look to the details of the target reconciliation operation clicking on the

Event Management tab and on the arrow for searching the Reconciliation Events.



7. Click on the last one (first entry in the list)...

8. You should see that the account has been reconciliated.

9. Close the scheduled task window.



10. Back to Identity Self Service console, verify that your user has got the account (typical

on-boarding scenario where we don't provision but reconciliate existing accounts).

2.5 Give a role to a user

In this step we will give the role Submit Expense Reports to the user. This role will be

associated to an Access Policy to provision (in our case to link as the account has been

already reconciliated) OUD Account.

1. As Admin user, in the Identity Self Service console, go to the User Details screen for Erik

Xiao, click on the Roles tab and on Request Roles.

2. In the Catalog, click on Add to Cart for the Submit Expense Reports role.



3. Click on Checkout and Submit.

4. Refresh the list or roles for viewing the added role.

2.6 Create an access policy that associates the role and the target system

(corresponding to the account – OUD in our environment)

1. In The System Administration console (as Admin), create a new Access Policy.

2. Step 1 - be sure to check Retrofit Access Policy as it is mandatory for AP Harvesting, leave

the default Priority:



3. Step 2 – select LDAP User:

4. Step 2 (cont) – select Enterprise Directory – OUD for the Server and Enterprise Directory

– OUD~people for the Container DN:



5. Step 2 (cont) – leave the default revoke flag:

6. Pass Step 3 clicking on Continue

7. Step 4 – select Expense Report Submission (Submit Expense Reports) role:



8. Step 5 - review the summary and click on Create Access Policy



2.7 Run the access policy evaluation (that includes the AP Harvesting) so

called Evaluate User Policies for linking the Account and the Access

Policy

1. In the System Administration console as Admin, run the Evaluate User Policies scheduled

task (check it is finished clicking on Refresh):

2. Close the Scheduled Task window.



2.8 Check that the link has been done with no try for creating a second

account for this user

1. Back to the Identity Self Service console, refresh the Account tab of the EXIAO user.

Notice that we have only one entry (the Access Policy detects that the account has been

given to this user making the link rather than trying to provision the account again) and that

now instead of 443, we have EXIAO for the Account Name; this is the sign that the AP

Harvesting took place.

Another way to verify that the AP Harvesting has been done is through the certification. For

your information, in phase 1 on the certification, looking to the OUD Account item of the

EXIAO user, in the Risk Summary tab one could see for the Provisioning Method the value

AP Harvested.



Hereafter are the steps for creating such certification would you like to check this status:

1. As Admin in the System Administration console create a Certification:

Name = EXIAO

Type = User

Base Selection: Selected Users (add EXIAO)

Primary Reviewer: User Manager

2. As Dcrane (Erik Xiao’s manager) in the Self Service console:

Dashboard: click on the name of the pending certification

Click on EXIAO User Login link

Click on Enterprise Directory – OUD(EXIAO)

Select Risk Summary tab



2.9 Drop the role for the user and check that the account is revoked (as

specified in the access policy)

1. In the Self Service console (as Admin), revoke the Submit Expense Reports role for the

user EXIAO

2. Run the scheduled task Evaluate User Policies and verify that the account has been

revoked in OIM:

3. You can check also in the LDAP server:

a) Before refreshing in Apache Studio:



b) After refreshing:

This last step concludes the lab illustrating the AP Harvesting feature which is closing the

gap between reconciliated accounts and Access Policies.

oig 11g r2 ps2 field enablement training -...

Documents