[email protected] principal product manager, oracle ......configuration) and resource object...

<Insert Picture Here>

Oracle Identity Manager 11gR2-PS2 Hands-on Workshop Tech Deep Dive – DB Schema, Backup & Restore, Bulkload, Reports, Archival & Purge

[email protected]

Principal Product Manager, Oracle Identity Governance

mailto:[email protected]

This document is for informational purposes. It is not a

commitment to deliver any material, code, or

functionality, and should not be relied upon in making

purchasing decisions. The development, release, and

timing of any features or functionality described in this

document remains at the sole discretion of Oracle. This

document in any form, software or printed matter,

contains proprietary information that is the exclusive

property of Oracle. This document and information

contained herein may not be disclosed, copied,

reproduced or distributed to anyone outside Oracle

without prior written consent of Oracle. This document

is not part of your license agreement nor can it be

incorporated into any contractual agreement with Oracle

or its subsidiaries or affiliates.

Agenda

• DB Schema

• Backup and Restore

• Archival and Purge

• BIP Reports

• Bulkload

OIM R2PS2 DataModel

R2PS2 DB Data model Metalink Note

– MOS Note for OIM 11R2 PS2 Schema Documentation [External]

The MOS (Master Note) note [1612983.1] contains references

to Oracle Identity Manager 11g R2PS2 Database Schema

Documentation

– MOS Master Note for OIM 11g Schema Documentations

The MOS (Master Note) note [1541870.1] contains reference

links for all the OIM 11g Release 11.1.x – 11.1.2.x Database

Schema Documentations.

Backup and Restore

OIM11gR2 Schema Backup and Restoration

using Data Pump Client Utility

Logical Backup of OIM Schema

o For OIM11gR2 Schema(s) Logical Backup (and its subsequent Restoration),

the recommended tool is Oracle11g R1/R2 Data Pump Export utility.

Restoration of OIM Schema

o For the restoration of the Logical Backup (taken using the Oracle 11g/10g

Data Pump Export utility), the corresponding the Data Pump Import utility

is to be used.

Following are the possible scenarios of restoration based on the location of

restore:

a) Local restoration [Restoration in the same Database Instance]

b) Remote restoration [Restoration in a different Database Instance]



OIM 11gR2 Schema components

Metadata – User, Tablespace DDL, Stored Proc/Functions/Packages, GTT definitions etc

Data – Table data

Access on DB Objects like Oracle Text, XAVIEW,DBMS_SHARED_POOL etc

Access to SCHEMA VERSION REGISTRY and entry.


Generic High Level steps in Logical Export


Generic High Level steps in Logical Import


MOS Note for Schema Backup and Restoration using Data Pump

Client Utility note [1492129.1]

OIM Bulk Load Utility

• The Bulk load utility is aimed at automating the process of loading a large amount of

data into Oracle Identity Manager.

• It helps reduce the downtime involved in loading data. We can use this utility either

immediately after installation of Oracle Identity Manager or at any time during the

Production lifetime of Oracle Identity Manager.

Features of Bulk Load Utility

• The Bulk Load utility is compatible with OIM 9.1.0 and Above.

• Data can be loaded into OIM either as OIM users or as accounts allocated to OIM users or Roles assigned to users.

• Data can be loaded from single or multiple CSV files or a Database table.

• Data can be loaded from a single or multiple trusted sources.

• Exceptions generated during data loading are handled.

• Data can be loaded into either empty OIM repository or repository that already contains data.

• Easy exception handling and reloading of failed users and accounts

• Generate audit snapshots for loaded User.

• OIM should be down while using bulkload utility.

Entities of Bulk Load Utility

• This Entity is used to load OIM User data.

• In other words, data is imported into the USR table of Oracle Identity Manager.

• In addition, you can select the input source, CSV files or database tables, for the data that you want to load.

Load User Data

Load Account Data

• This Entity is used to load OIM account data.

• In other words, data is imported into the relevant UD_ tables of Oracle Identity Manager against a application instance.


Load Role Data

• This Entity is used to load OIM role data.

• In other words, data is imported into UGP table of Oracle Identity Manager.

• In this version, roles will be published to specified organization as per new authorization model.

Entities of Bulk Load Utility

Load Role Membership

• This Entity is used to load OIM role membership data.

• In other words, data is imported into USG table of Oracle Identity Manager.


Load Role Hierarchy

• This Entity is used to load OIM role hierarchy data.

• In other words, data is imported into GPG table of Oracle Identity Manager.


Load Role Category

• This Entity is used to load OIM role data.

• In other words, data is imported into ROLE_CATEGORY tables of Oracle Identity Manager.


What’s New in OIM11gR2 Bulkload Utility

• Application Instance support for provisioning

o In this version of OIM11gR2, Provisioning use application

instance for provisioning. Application instance is a new

abstraction used in 11g Release 2 (11.1.2). It is a combination of

IT resource instance (target connectivity and connector

configuration) and resource object (provisioning mechanism).

o In earlier version of Bulkload utility, Accounts gets provision

using IT resource and Resource object directly.

o In this release, Bulkload will prompts for application instance

name and proceed with the provisioning of accounts.

o If end user is not aware of application instance then he can fall

back on earlier mechanism of provisioning using IT resource and

Resource object directly.

What’s New in OIM11gR2 Bulkload Utility

• Publish roles to organization

o As per new authorization model in OIM11gR2, Request able

entities need to be published to a org then only entities will be

accessible/viewable.

o Enterprise roles: These are roles that users (depending on the

permissions granted) can create in Oracle Identity Manager and

request for by using the request catalog or Bulkload utility.

o In this version of Bulkload utility, we can publish the roles to

organization with include/exclude hierarchy option.

o This can be achievable via editing CSV file or DB table.

o By default, Bulkload publish roles to TOP with include

hierarchy.

BIP Reports

Reports Configuration Steps

• Create the Metadata Repository

• Matadata Store (MDS)

• Business Intelligence Platform (BI Platform)

• Install BI Publisher – 11.1.1.7.1

Setup BI Publisher

Deploy OOB Reports

• Deploy Reports

• Extract reports bundle (oim_product_BIP11gReports_11_1_2_1_0.zip) from OIM Installer package into Oracle_IDM1/Middleware/user_projects/domains/bi_domain/config/bipublisher/repository/Reports/ Oracle Identity Manager folder

• Import/Upload OIM Reports in BIP

• Configure Users and Groups in BIP

Configure Data Sources

• Configuring Oracle Identity Manager JDBC Connection

• Use OIM Schema Details

• Configuring BPEL-Based JDBC Connection

• Use SOA Schema Details

• Required for Task Assignment History, Request Details, Request Summary and Approval Activity

Reports Configuration Steps

Run OOB Reports

• Login to BIP

• Select Reports Category

• Select Individual Report

• Provide Input parameters such as date rage etc.

• Run Report

Design Custom Reports

• Identify underline data store/ tables

• Identify Datasource (OIM or SOA)

• Develop SQL Script

• Design UI

• Build and Deploy custom report.

Reports for Oracle Identity

Manager

Access Policy Reports

Access Policy Details

Access Policy List by Role

Attestation, Request, and

Approval Reports

Approval Activity

Attestation Process List

Attestation Request Details

Attestation Requests by

Process

Attestation Requests by

Reviewer

Request Details

Request Summary

Task Assignment History

Role and Organization Reports

Role Membership History

Role Membership Profile

Role Membership

Organization Details

User Membership History

Account Activity In Resource

Delegated Admins and

Permissions by Resource

Delegated Admins by

Resource

Entitlement Access List

Password Reports

Password Expiration

Summary

Password Reset Summary

Resource Password

Expiration

Resource and Entitlement

Reports

Entitlement Access List

History

Financially Significant

Resource Details

Resource Access List History

Resource Account Summary

Resource Activity Summary

User Resource Access

History

User Resource Access

User Resource Entitlement

User Resource Entitlement

History

User Reports

User Profile History

User Summary

Users Deleted

Users Disabled

Users Unlocked

Certification Reports

Exception Reports

Fine Grained Entitlement

Exceptions By Resource

Orphaned Account Summary

Rogue Accounts By Resource

OOB Reports – Just high level category.

Archival and Purge

Real-time Archival & Purge – Business Needs

• In the OIM world, with the growing enhancements in the application capabilities with each

release, we are generating more data than ever before.

• Expectations from our customers to meet higher standards of performance and scalability

with each release have made the management of OIM entity LCM data volumes an ever

increasing challenge.

• Continuous data purge assisted with database reorganization activities are a must to keep the

systems in good health, meeting the customer expectations for performance, scalability and

availability for OIM.

• Managing this phenomenal growth of data has been a hot topic recently and an optimal

strategy on a complete hands-off approach to purge data in OIM has come out to be the need

of the hour, this endeavor would definitely contribute towards OIM to consistently meet and

exceed business expectations not only for the R2 PS2 Release but also for the future Releases

to come.

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

High Level Overview of the New Solution in R2 PS2


R2 PS2 Purge Utility Salient Features

Complete Hands-off and Automated approach

Entities now divided into two categories - ‘Purge Only’ and ‘Archive + Purge’

Fail Safe design for Purge operations

Maximum Run Time for Auto-Cutoff in Purge Run for each Entity

Single Threaded Batching

Better operational and maintainability features

Single unified interface at the DB Stored Programs level

Common Core Purge Logic

Purge run level metrics

Minimal Configuration

Configuration

Step#1

User decides on the Retention Period

(age of data to be purged) for the Entity.

This is entered via Scheduled Task UI.

Configuration

Step#2

User selects functional purge criteria for each entity like Request, Recon,

Prov. Tasks, Orch. for the continuous purge to happen via UI.

Configuration

Step#3

User defines other run specific Scheduled task level common parameters like periodicity, batch size, Max. Purge duration for each Entity etc. for each run.



Real-time Online OIM Data Purge Scheduled Task

Scenarios

Day 0 - Data setup in the System

10K users bulk-loaded with Post Processing -> Orchestration Data

GTC Trusted and Target Recon for 1.1 K users -> Recon, Orchestration and Prov.

Tasks Data

Requests created for 100-200 users for Role Assignment via Approval Policies.

Day n - Real Time Purge

Live OIM 11g R2 PS2 System with Request, Recon, Orchestration and

Provisioning Tasks Data.

Data of all the FOUR Entities segregated over functional criteria and dates aka

Retention Periods.

OIM Data Purge Sch. Task would delete data based on Entity Selection /Retention

Period and Purge criteria as in a real-time OIM system (with Recon/Orch/Prov.

Tasks activity going).


[email protected] principal product manager, oracle ......configuration) and resource object...

Documents