(Some) Internals of Oracle Identity Manager Access Policies
Many enterprises are considering (or already deployed) an identity management solution either for effective IT automation to reduce costs and/or for compliance purposes. Oracle Identity Manager is part of the Oracle’s identity and Access Management (IAM) solution. It provides functionalities such as, automatic user provisioning, compliance reporting, etc.
In my personal opinion, Oracle Identity Manager (OIM) is a wonderful product from Oracle. Many people don’t understand the basic concepts behind how OIM works. Worst thing is, they complain about the vendor product for their own failures in understanding basic concepts.
If you are planning to work with Oracle Identity Manager, then get ready for learning a lot of new things. OIM requires knowledge and you should be familiar with following:
- LDAP Directory – especially Oracle Internet Directory or Oracle Directory Server (formerly Sun/Iplanet Directory)
- Basic understanding of XML
- Programming in Java
- Concepts of Microsoft Active Directory and Microsoft Exchange (if you are planning to integrate them)
- Most importantly, self-initiative and interest to research yourself for things you can’t find in “google”.
Oracle Identity Manager stores all the user information, metadata information, audit information, and everything related to data in the Database (similar to Oracle Internet Directory – OID). There are two supported database environments for OIM to store data. It can be:
- Oracle Database Server
- Microsoft SQL Server
The second major component of OIM is the connectors. OIM connectors provide functionality for connecting to various systems across an enterprise. Good thing about OIM is, there are many connectors available. Also, Oracle is standardizing some of the connector components to get the same feeling across all the connectors. So, if you can understand few connectors, then it will be easier for you to work with the remaining connectors.
Latest OIM connectors can be found here – You can download it as well.
OIM Connector Certification (supported systems for OIM for user provisioning) can be found here.
OIM Connector documentation can be found here.
Basic OIM Concepts
Before we talk about Access Policies, we need to understand few other OIM Concepts. OIM has various objects that work together to achieve the necessary functionality. In an ideal way, OIM should manage the complete lifecycle of user accounts in an enterprise – using automatic ways with no manual intervention during entire lifecycle of user creation, modification and deletion phases.
When a user is created in OIM, there will be corresponding entries available in USR table. USR table has many fields delivered OOTB (OOTB – Out of the box). However for some of the enterprises, this may not be sufficient. We can define additional fields as UDFs (User Defined Fields).
In OIM, almost everything revolves around the user account (I think that is what expected from an identity provisioning software such as OIM). User account is the central piece of data here.
In OIM, Users will be provisioned or de-provisioned with Resources. Resources are a target system, such as, Oracle Internet Directory or Active Directory.
What are OIM Access Policies?
There are three types of objects required to perform automatic provisioning based on policies. When you use Access Policies for auto-provisioning, then it is called as “Policy Based Provisioning”. The main objects required for policy based provisioning are:
- Access Policies
We can use Rules for placing users to some specific OIM Groups. Once a user is a member of a group, then, Access policies can be used to perform policy-based provisioning in OIM. That’s why we need to understand the dependencies between Rules, Groups and Access Policies.
Rules get evaluated whenever an update is made to the user attributes (such as a password change, email address change etc). Also, we can use the OIM API updateUser() function to re-evaluate rules.
In Design Console, you can use “Policy History” form to view the details of the access policies and resources related to users.
Starting from OIM 18.104.22.168 and later versions (in Fusion Middleware Identity and Access Management 11.1.1.x too), there is a scheduled task called “Evaluate User Policies” delivered OOTB. This task will be useful if you want to provision users by validating all the rules, then automatically adding/removing groups, finally provisioning/de-provisioning resources by access policies.
Some Internals of working
POL table holds details about the Access Policies in OIM database. There are other tables related to OIM Access Policies as well. Some of the interesting ones are:
- POP – data about parent table in Access Policies
- POC – data about child policies in Access Policies
- POG – mapping between access policies and OIM groups (based on pol_key and ugp_key)
- POF – Field Values in Access Policies
In USR Table, there is a field called “USR_POLICY_UPDATE”. I think the values can be null or 1. This field is used when “Evaluate user policies” task is run for the evaluate criteria. This field will determine whether the access policies will be reevaluated next time.
User Policy Profile tables – UPP and UPD tables are important user related tables that stores details about access policies for a user and relevant details. These tables normally referred when “Policy History” form is being used for a user in OIM Design Console.
There are two other history tables UPH and UHD. They are history tables for the corresponding User Policy Profile Tables UPP and UPD.
OIU table has two columns, OIU_POLICY_BASED and OIU_POLICY_REVOKE. Based on my understanding, these two columns are set based on the resources provisioned access policy and “Revoke if no longer applies” setting.
Process form tables (UD_ tables) will contain POL_KEY column populated with Access policy. This POL_KEY column is applicable for the OIM Child tables as well.
In OIM, updating the underlying tables are not recommended and not supported by Oracle. These tables will be used when you investigate to try to find out scenarios such as, why a user was not revoked automatically or why she was not provisioned to a resource automatically.
A Sample Implementation
I was thinking of a scenario to explain the usage of access policies for automatic provisioning of Resources in OIM. You can consider an enterprise trying to move to OIM. They have some of the rules based on which user account will be created or modified or deleted. I just have these few rules as an example (in real world, there can be many up to 100+ or even 200+ rules).
- All users in HR Department will be part of the AD Group “HR Department”
- All users with “IT Operations” should be having a unix account server in “exadata-200”
So, in first case, you can define an OIM Rule, that will place the users with “HR Department” value in an OIM Group “Group_HR_Department”. Then whenever user is part of that OIM Group, then the user can be provisioned to “HR Department” AD Group automatically.
In the second case, we can check for the department with the Rules, place the user in a group – then we can define an access policy to provision user account to “exadata-200” automatically.
Access Policies are just one of the features of OIM. There are many other features there in OIM. Implementing OIM is easy if you understand these underlying basic concepts. Also, understanding about the target systems will be useful when investigating issues during the implementation.
As in every project, collecting the requirements is important. In OIM implementations, this is really important, more than that, documenting the requirements is important. Also, sufficient amount of testing is another consideration for OIM implementation projects. I will cover the logistic details of an OIM implementation in another post.
As the saying goes “The more you know, the more you know what you don’t know”. This is true for OIM (for so many other things in IT too). There are still some things I don’t know about OIM Access Policies. I am just working with OIM on what I know now (and still learning). J
Okay. I hope that is it for this post. We will meet in another post with more interesting details about OIM. Until then