Oracle Identity Manager OIM User Provisioning
OIM User Provisioning
(For OIM Reconciliation refer here)
There are 3 types of provisioning in Oracle Identity Manager - Request-based, Policy-based and Direct.
What is Provisioning: Provisioning is the creation of a user account in a resource external to OIM (a directory or an application), called a target resource. For example, when a user already exists in OIM, an account for that user is created in, say, OID or AD. The reverse of provisioning is de-provisioning.
Here the identity data flow is from OIM to the external resource.
(1) Request-based provisioning: In request-based provisioning, an individual creates a request for a target system account. The provisioning process is completed when an OIM User with the required privileges approves the request and provisions the target system account to the requester.
(2) Policy-based provisioning: This type of provisioning refers to resources being granted to users automatically through access policies. Access policies define the association between user groups (or roles) and target resources. User groups are collections of users to whom you grant access to common functionality, such as access rights, roles, or permissions. You can later use user groups to create and collectively manage records of group members. The access policy has to be configured and defined up front before this provisioning can be done.
You can also assign or remove membership rules to and from these groups. These rules define which users can be assigned to a particular user group. By default, each member of these user groups gets a predefined account in the target system. In addition, you can also use Oracle Identity Manager to create approval processes that can be run as part of the policy-based provisioning cycle.
Sometimes, the introduction of or change to an access policy may entail changes in privileges assigned to users who meet the criteria specified in the policy. For example, suppose the following policy is introduced:
All project managers working from the London office must have access to the SAP system.
When this policy is introduced in Oracle Identity Manager, SAP user accounts are automatically provisioned to all project managers. This is an example of policy-based provisioning.
(3) Direct provisioning: This type of provisioning is a special administrator-only function in which an Oracle Identity Manager administrator provisions a resource to an OIM User. The workflow for this form of provisioning does not include the request and approval steps; it is performed directly from the Oracle Identity Manager Administrative and User Console.
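The policy-based flow in (2), from membership rule to user group to access policy to target account, can be sketched as a small model. This is an added example, not OIM code or its API: the class and function names and the sample users are hypothetical, and it also lists accounts that no policy justifies, since those came from a request or direct grant or are stale and are the candidates for de-provisioning.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    login: str
    title: str
    office: str

@dataclass(frozen=True)
class MembershipRule:
    """Puts a user in `group` when every (attribute, value) condition matches."""
    group: str
    conditions: tuple

    def matches(self, user):
        return all(getattr(user, a) == v for a, v in self.conditions)

@dataclass(frozen=True)
class AccessPolicy:
    """Associates a user group with a target resource."""
    group: str
    resource: str

def entitled(users, rules, policies):
    """Set of (login, resource) pairs that the access policies call for."""
    pairs = set()
    for user in users:
        groups = {r.group for r in rules if r.matches(user)}
        pairs |= {(user.login, p.resource) for p in policies if p.group in groups}
    return pairs

def plan(users, rules, policies, existing):
    """Compare policy-derived entitlements with accounts that already exist.

    Returns (to_provision, to_review): accounts the policy requires but that
    are missing, and existing accounts that no policy explains.
    """
    desired = entitled(users, rules, policies)
    return sorted(desired - existing), sorted(existing - desired)

# Constructed sample data for the "London project managers get SAP" policy.
USERS = [
    User("asmith", "Project Manager", "London"),
    User("bjones", "Project Manager", "Paris"),
    User("cwong", "Developer", "London"),
    User("dpatel", "Project Manager", "London"),
]
RULES = [MembershipRule("London PMs",
                        (("title", "Project Manager"), ("office", "London")))]
POLICIES = [AccessPolicy("London PMs", "SAP")]
EXISTING = {("cwong", "SAP"), ("dpatel", "SAP")}  # accounts already on the target

if __name__ == "__main__":
    to_provision, to_review = plan(USERS, RULES, POLICIES, EXISTING)
    print("provision:", to_provision)
    print("review for de-provisioning:", to_review)
```
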
Provisioning with Oracle Identity Manager connector for Active Directory
Connector Guide for Active Directory User Management https://docs.oracle.com/cd/E22999_01/doc.111/e20347.pdf
Reconciliation and Provisioning processes with OIM AD Connector https://docs.oracle.com/cd/E11223_01/doc.910/e11217/processes.htm#CIHDBHFF
The OIM connector for AD User Management enables Microsoft Active Directory to function either as a managed (target) resource or as an authoritative (trusted) source of identity data for OIM. In addition to these two user management modes, the connector provides capability to manage AD groups in the target resource mode. (LINK for OIM connector for AD overview)
Auto assign AD user group - LINK to discussion group
Assign AD group as an Entitlement via an Access Policy in OIM - LINK to blog