OIM: Cloud P6 and Unifier User Authentication and Provisioning Tips and Tricks
TRANSCRIPT
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |
Oracle Identity Manager (OIM) Oracle Cloud for Industry (OCI) Hosted Environments
Christina Biggs Program Manager Oracle Primavera Global Business Unit April 16th, 2015
Oracle Confidential – Internal/Restricted/Highly Restricted
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
1. What is OIM?
2. How does it fit within my Cloud hosted environment?
3. Administrator Experience
4. End User Experience
5. Oracle system responsibilities
6. Important Information
7. Future Enhancements
What is OIM…and all other 3-letter words related to it?
• Oracle Identity Manager (OIM) is the front end interface for user account management and administration.
• Oracle Internet Directory (OID) is the directory store which maintains all the users and groups. The users created in OIM get stored in OID.
• Oracle Access Manager (OAM) validates user credentials against OID and checks whether access to the environment has been assigned. It redirects the user to the application home page after authentication. OAM is also used for external authentication (the customer’s own SSO via the SAML 2.0 protocol).
• Oracle Identity & Access Management (IDM) is the term for the complete stack.
How does OIM fit within my hosted environment?
OIM falls within the Middleware component of the Oracle Red Stack Technology.
Identity Management: Central user creation & provisioning
Business Intelligence Publisher: Reporting tool
Web Center Connect (UCM): File repository
These are standard offerings in hosted environments and are mandatory.
Utilization within PGBU applications
• Our Primavera Cloud products utilize a small component of Oracle Identity Manager & Oracle Access Manager capabilities.
• The development team continues to look at application enhancements that will expand OIM capabilities, such as, but not limited to:
– Auditing
– Reporting
Reminder:
– All user account administration is handled via OIM and not within the applications themselves.
Administrator Experience
Access to OIM as Admin
• One OIM URL provided to company/customer. Same URL for admins and end users.
• Example of OIM URL: https://customernamehere-idm.unifier.oracleindustry.com/oim
• Admins log in with the generic ADMIN account or a named account with admin rights assigned.
• Admins can perform tasks such as:
– Create new users
– Inactivate users
– Reset user passwords
– Create additional organizations
– Unlock accounts
– Modify user accounts
– Assign BI Publisher roles
– Manage Partner users
Create new users
• To create a new user, click on the “Users” link under “Administration” located on the left menu.
• On the “Search Users” page, click on the “Create” link:
Create new users
• A new tab with the User creation form will open up. Enter the mandatory fields on this form and click ‘Submit’.
• For a random, auto-generated password to be emailed to the user, leave the password field blank.
User Creation – Additional information on Bulk Import
• There is a bulk import process available
– Submit an SR via My Oracle Support (MOS) asking to have users bulk imported into OIM for your Cloud environment.
– A CSV template will be provided. Complete and attach to SR.
– Bulk import will be done by the Cloud Hosting team.
• Future release will give customer ability to bulk import.
Default Password Policy
• 7-day password expiration warning
Application Provisioning
• Once a user has been created, you can provision to desired application(s)/ environment(s).
• Search for and open the user. Click on the ‘Accounts’ tab, then click ‘Request Accounts’ below that.
Application Provisioning
• On the Catalog page, select the required accounts.
• Click ‘Add Selected to Cart’ and click on ‘Checkout’ at the top right:
Application Provisioning
• Click ‘Submit’. Message will indicate the operation completed successfully.
• The account tab for the user should also show status as “Provisioned”.
Provisioning a user to multiple accounts at the same time
• A user can also be provisioned to multiple accounts at the same time.
• For example, Production and Stage environments, or multiple products.
• Auto-approval is now enabled; there is no workflow approval step, so the admin submitting the request is the only control point for the provisioning.
Modify user account
• Search for the user login from the ‘Search Users’ page. Highlight the user and click the ‘Edit’ option from the Menu.
• Edit the required values (First name, Last Name, Email, Contact Info) and click ‘Submit’.
Modify user account (continued)
NOTE: It is not advisable to change the Organization or User Login of a user; doing so will lead to provisioning errors.
Password Reset - another user
• Search and select the required user from ‘Search Users’ page.
• Click ‘Reset Password’ link.
Password Reset - another user
• You can either enter a manual password or opt for a system generated password to be emailed to the user directly.
• You also have the choice of emailing the new password to the user or not.
Unlocking user accounts
• A user’s account may become locked for a number of reasons, usually by entering an incorrect password too many times. As an admin, you can unlock the account.
• From the ‘Search Users’ page, locate the user account. (In this walkthrough the account is first locked using the ‘Lock Account’ option from the Menu so that the unlock step can be shown.)
Locked user accounts
• Re-query the user again. The user status will be shown as “Locked”.
• Now click on the “Unlock Account” option from the Menu.
• Ask the user to retry their login.
If the issue persists, enter an SR with the user information asking for the account to be unlocked.
Disabling a provisioned user
• A user can be “Disabled” on one or more application accounts without deleting the OIM user.
• Search for the user and click on ‘Edit’. Click on the ‘Accounts’ tab.
• Highlight the Application account to be disabled and click on ‘Disable’ from the ‘Actions’ Menu.
Re-Enabling a disabled user
• To re-enable a disabled Application account:
• From the accounts tab click on ‘Request Accounts’.
• In the next Catalog page, select the required account.
• Click on ‘Add Selected to Cart’.
• Click ‘Submit’.
BI Publisher Roles
• There are three default types of roles for BI Publisher:
– BI Consumer (Can run/view all reports made available to their folders)
– BI Author (Can run/view reports plus create new reports)
– BI Administrator (All above rights plus able to manage security settings on folders)
• All users are assigned the BI Consumer role by default at user provisioning.
• Roles can be assigned to the Organization level as well.
For P6 only, there is also a role for UCM (file repository).
This is included in P6 Cloud Admin guide.
Creating a new Organization
• There will be a TOP organization already set up in OIM for your company. It is best practice to create all of your company’s users under that organization.
• If the application you are using allows Partner organizations to be created, follow the steps below to create them in OIM. You will also need to follow the steps to create them in Unifier (available in the Unifier Admin doc).
• From the Home page, click on the ‘Organizations’ link from the Administration tab.
• In the Search Organizations page, click on Create.
Creating a new Organization
• Enter the organization name and select a Password policy if required.
• Click on Save.
End User Experience
End Users
• Once a user has been provisioned in OIM, they receive an auto-generated email notification containing account login information (or they receive it from the admin if the manual password option was selected).
• The first screen is the Single Sign-On login. They should enter their username and temporary password.
End Users - continued
• Upon successful authentication, the user will be redirected to create a new password and set challenge questions. The challenge questions allow a self-service reset if the password is forgotten in the future.
• Once the password and challenge questions have been set, the user will be automatically redirected to the end application, Unifier or OIM, based on the URL that was originally accessed.
• If the Unifier URL was accessed, the user will be redirected to the Unifier Home page.
Change Password - Initiated by user
• The OIM URL should be communicated to end users.
• Users can access it at any time to change their own password or set new challenge questions.
• After logging in with their current username/password, click ‘My Information’ under the ‘My Profile’ section of the left menu.
Change Password - Initiated by user continued…
• Expand the selection in the main menu called ‘Change Password’.
• Enter new password and click ‘Apply’ to save changes.
Change Security Questions - Initiated by user
• Scroll down and expand the selection in the main menu called ‘Challenge Questions’.
• Enter new values as desired and click ‘Apply’ to save changes.
System Level Actions – Oracle Only
Actions that require SR to engage Oracle Cloud Support
• Change to your corporate password policy (if a policy different from the default is required)
• Modify the email notification sent to end users when an account is provisioned or a password is reset
• A change to the application Authorization Code must be provided to Oracle so that OIM can be updated to match (otherwise integration and provisioning issues occur)
• Bulk user import (more than 25 users)
• Changes to PARTNER license counts, allocation (Unifier)
Important Tips, Information
Important points to avoid issues
• Ensure users log in to the Application URL the first time, not the OIM URL.
• Understand that OIM is used to provision users only. It is not a function of OIM to create security and user groups.
– The user groups and the corresponding privileges for each group are still handled within the applications (Unifier and P6). This is not driven from OIM.
• It is very important to always include a VALID email address for user accounts; the auto-generated password and password reset notifications are sent there.
• OIM is case-insensitive (it won’t recognize joesmart and Joesmart as unique user accounts). Logins that differ only in case will cause provisioning issues.
• Special characters should be avoided in the organization name and login names.
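A pre-flight check that applies the points above to a bulk-import CSV before it is attached to the SR, as an added example (this is not Oracle’s CSV template or code). The column names, the allowed character set for logins and organizations, and the email pattern are assumptions; the case-insensitive login rule and the 25-user SR threshold come from this deck.

```python
import csv
import io
import re

# Assumed column names; the real template is supplied by Oracle Cloud Support
# through the SR and may use different headers.
REQUIRED_COLUMNS = ("user_login", "first_name", "last_name", "email", "organization")

# The deck says to avoid special characters in login and organization names but
# does not list the allowed set; this conservative pattern is an assumption.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")
# Shape check only; deliverability cannot be verified offline.
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Per the deck, imports of more than 25 users go through an SR.
SR_THRESHOLD = 25


def validate_users(csv_text):
    """Return (errors, warnings) for a bulk-import CSV given as text."""
    errors, warnings = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing column(s): {', '.join(missing)}"], warnings

    seen_logins = {}  # lowercased login -> first row number that used it
    rows = 0
    for n, row in enumerate(reader, start=2):  # row 1 is the header
        rows += 1
        for col in REQUIRED_COLUMNS:  # every mandatory field must be filled
            if not (row.get(col) or "").strip():
                errors.append(f"row {n}: empty {col}")
        login = (row.get("user_login") or "").strip()
        org = (row.get("organization") or "").strip()
        email = (row.get("email") or "").strip()
        if login and not SAFE_NAME.match(login):
            errors.append(f"row {n}: special characters in user_login {login!r}")
        if org and not SAFE_NAME.match(org):
            errors.append(f"row {n}: special characters in organization {org!r}")
        if email and not EMAIL.match(email):
            errors.append(f"row {n}: invalid email {email!r}")
        # OIM treats logins case-insensitively, so compare lowercased values.
        key = login.lower()
        if key:
            if key in seen_logins:
                errors.append(
                    f"row {n}: user_login {login!r} duplicates row {seen_logins[key]} "
                    "(OIM is case-insensitive)"
                )
            else:
                seen_logins[key] = n
    if rows > SR_THRESHOLD:
        warnings.append(f"{rows} users: more than {SR_THRESHOLD}, submit an SR for bulk import")
    return errors, warnings


# Constructed sample input: one valid row, a case-variant duplicate login,
# a malformed email, and a login containing an apostrophe.
SAMPLE_CSV = """user_login,first_name,last_name,email,organization
joesmart,Joe,Smart,joe.smart@example.com,ACME
Joesmart,Joseph,Smart,joseph.smart@example.com,ACME
asharp,Ann,Sharp,ann.sharp-at-example.com,ACME
t.o'neil,Tom,O'Neil,tom.oneil@example.com,ACME
"""

if __name__ == "__main__":
    errs, warns = validate_users(SAMPLE_CSV)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARNING:", w)
```

Running the block on the sample reports three errors (the duplicate login, the bad email, and the apostrophe in the login) and no warnings; a file with more than 25 rows passes validation but produces the SR warning.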
Future OIM Enhancements for 15.1
Upcoming Enhancements to OIM
• New Primavera Cloud Administration Tool coming soon
• Targeted for 15.1 product versions
– Back-porting to previous versions is being looked at, but is not confirmed.
• Cleaner interface, user friendly
• Only includes key admin tasks
Cloud User Administration – Home Screen
• Administrators will be able to quickly add users in two ways:
– Directly into the data grid
– Import from a CSV file
Add Users by Importing from CSV or Typing in
• Administrators will be able to quickly assign users to various roles and application instances.
Select users to provision
Assign Roles, Applications or OIM Profiles to users
• Administrators will have the ability to review data before provisioning.
Steps 1 and 2 Complete – Final Step, Notification
Email notifications
• This step allows the Admin to select which accounts will receive the email notification that the user account was created.
• The notification can be sent to a single user or to a group of users.
Summary Screen – Completion
Additional Information Available
• Documentation for future application releases will have deeper content on OIM, available in the Cloud Administrators Guide.
– Located in the Product Documentation Library on Oracle Tech Network (OTN) site.
– http://www.oracle.com/technetwork/documentation/default-1870233.html (Unifier)
– P6 Cloud Admin Document coming soon
• A UPK (User Productivity Kit) is being developed for release on OTN.