IDM 11gR2 changes/new features: OIM Catalog to create Accounts (Application Instances, Roles, Entitlements)

This post is the fourth in the series “Oracle Identity Management 11gR2 changes/new features” and covers a new feature, the Catalog, which is used during a provisioning operation (creating an account in an application such as AD or EBS that is integrated with OIM). Users request Application Instances, Entitlements, and Roles through the Catalog (also known as the Access Request Catalog).

Other posts in this series cover further new features in Oracle IdM 11gR2: the new console (System Administration), Sandboxes, and Application Instances.

1. Access Request Catalog (or Catalog) is a web-based interface that allows business users to request Roles, Application Instances, and Entitlements (within applications).

2. Catalog Items – Roles, Application Instances, and Entitlements that can be requested via the Catalog are called catalog items.

3. Category – Each catalog item is associated with one and only one category. Catalog Administrators can provide the category value for a catalog item.

4. Tags (very important when searching the Catalog) – are search keywords. When users search the Access Request Catalog, the search is performed against the tags. There are three types of tags:
a) Auto-generated Tags: The Catalog synchronization process auto-tags the catalog item using the Item Type, Item Name and Item Display Name.
b) User-defined Tags: User-defined Tags are additional keywords entered by the Catalog Administrator.
c) Arbitrary Tags: If a user marks a metadata item as searchable while defining it, that metadata also becomes part of the tags.

Note: The Catalog uses the “Oracle Text” option of the Oracle database for its text search capabilities.

5. Catalog Administrator is a global role (not assigned to an Organization) that grants privileges to manage and load the Catalog.
Note: Users with the System Administrators role (like xelsysadm) can also load and manage the Catalog.

To access the Catalog Administrator role: /sysadmin -> Organizations -> Top -> Admin Roles

6. Catalog Synchronization Job is a scheduled job that loads roles, application instances, and entitlements into the Catalog. Run the Catalog Synchronization Job to populate the Catalog (Roles are added to the Catalog immediately and do not need the Catalog Synchronization Job).

7. Tagging capabilities for catalog items allow business users to specify alternate terms to be used to search for the specific access. To add a tag to a catalog item (Application Instance, Role, Entitlement), search the Catalog, select the catalog item, and add the tag under user defined.

 

 

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.


22 comments
Anton says September 12, 2012

Hi Atul,

Thank you for updating about the IAM products.

Currently I’m working with the 11gR2 version and have one issue:

Is it possible to give the Application Instances, Roles or Entitlements an end date?

I think it can’t be done natively, but maybe you have an idea how to implement it.

Cheers,

Anton

Reply
    Atul Kumar says September 12, 2012

    @ Anton,
    Do you mean put an end date for catalog items during provisioning? Interesting use case. Not tried myself but need to check (explore customizing catalog to include this as UDF). Next task is to take this end date and map it with process form associated with Application Instance (you will have to do something similar for role and entitlements).

    Reply
Anton says September 12, 2012

Hi Atul,

Thank you for the quick response! We have a use case, where for an entitlement (roles and entitlement) an end date is needed: a) in the UI and b) should be provisioned to Active Directory.

I will check your advice tomorrow and let you know how it went!

Cheers,

Anton

Reply
Anton says September 13, 2012

Hi Atul,

Thanks for your advice. I could add an end date to an entitlement/role requested from the catalog with the UDF customization.

I also need to implement, that once the end date is reached the entitlement must be revoked automatically. Have you any idea for this issue?

Again thanks a lot 🙂

Cheers,

Anton

Reply
brajeshr says September 18, 2012

Hi Atul,
I visited your page on onlineappsdba and came to know that you conduct online training on OIM. Please let us know if you are conducting any classroom training in INDIA. If not, then please guide us who can provide us best training in OIM in INDIA (person or institute).

thanks
brajesh

Reply
Nash says October 1, 2012

Hi Atul,

I have OIM 11G R2 installed and configured. I have a role TestRole created and I want to assign it to say a user User1. I have run the Scheduled Job for catalog, yet when I want to assign role, the catalog opens up and I am unable to see anything on the catalog. Searches with *, % and *%* return blank. Also tried adding the Catalog Role to xelsysadm (the id I’m logged in with) but the search is still empty.

Am I missing something?

Reply
Atul Kumar says October 2, 2012

@ Nash,
You should use at least 2 characters of role in search. If you still can’t find that role then create a tag like myrole and search using this tag i.e. myrole

Reply
Nash says October 2, 2012

Thanks Atul I am now able to view the entries in catalog.

Reply
Atul Kumar says October 2, 2012

@ Nash,
Good, did you add tag or did you use more than 2 characters in search for resource ?

Reply
Nash says October 9, 2012

I just used more than 2 characters to search, weird how that works but…

Reply
NandhakumarVemban says November 1, 2012

Could you please explain the 11gR2 (11.1.2.0.0) provisioning process.

Reply
Sahil says December 20, 2012

I can’t see the Catalog Synchronization Job in the list. Any idea why that would be?

Reply
windy says February 6, 2013

Hi Atul,

We have OIM 11gR1 and are planning to upgrade to OIM 11g R2. After upgrading to R2 (not fresh installation), can I simply use the same deployed OIM11gR1 workflows/SOA composites with approval policies or need to redeploy it without any change. In case of change what will it be?

Reply
nand says February 8, 2013

when trying to access pending approvals on OIM11gr2 identity self service console.
SOA server is Up and running(EM,weblogic)

Error showing tasklist. Possible reasons could be : 1. SOA server connection information is not available. 2. If it is run in federated mode, the default server may be down.

Thanks

Reply
Atul Kumar says February 8, 2013

@Nand,
Check in SOA Server logs and see if there are any errors (it could be that SOA server is up but application deployed on SOA server i.e. soa-infra is down or there are errors). $DOMAIN_HOME/servers/[soa_server]/logs

Other possibility is that SOA host or soa port defined in OIM server is wrong. Check this value from EM

1. Navigate to Identity and Access, oim.
2. Right-click oim, and navigate to System MBean Browser.
3. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.

4. Change the values of the Rmiurl and Soapurl attributes, and click Apply to save the changes.

Check here

http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/handlinglcm.htm#CIAICEBG

Reply
Guest says May 29, 2013

Hi. I also have a requirement like that of user Anton.

I need to give temporary access for certain roles for some days and then remove those after reaching the end date. Can you please tell me the process.

Also one more query that I am not able to submit my catalog item. Can you tell if I am missing anything.

Reply
Arunkumar R says November 16, 2013

Hi Atul,

I have one requirement in R2. I want to restrict the user for requesting entitlements by disabling entitlement entry in catalog search.

I have tried with deleting the entries from CATALOG table with having entity_type = ‘Entitlement’.
After that it’s not showing the entitlement entry in the catalog search. But while going to a responsibility owner approval, after opening the approval page it’s showing error like requested responsibility not found (while placing the request we are passing responsibility through child objects). Application we are requesting is EBS.

Can you please help out on this problem how to fix this.

Thanks,
Arunkumar R

Reply
Bobby says April 11, 2014

Hi Atul,

I want to implement one use that once the end date is reached the access to target system must be revoked automatically. Please see if you can suggest some solution to this.

Thanks
Bobby

Reply
Anand says May 5, 2014

Resources that require manual input (e.g. ‘X’ Resource or ‘Y’ Resource etc.) can’t be provisioned for multiple users. The manual input option disappears from the form.

Functionality exists? Or is there any possibility of the customization?
Help is much appreciated.

Thanks

Reply
sunil says August 25, 2014

Hi Atul,
I have a scenario in which I want to provision user from on premise OIM to Oracle Fusion HCM OIM. Can you please help in finding my way out to solve this. I am using 11gr2. Any help will be very helpful.

Thanks,
Sunil

Reply
bharath says November 26, 2014

Hi,
I am currently working in Delhi, I want to know how to create auto provisioning in 11gR2 in OIM

Reply
bhargav says February 6, 2017

Any limit of user defined tags for adding

Reply