OIM: Cloud P6 and Unifier User Authentication and Provisioning Tips and Tricks

Upload: p6academy

Post on 12-Aug-2015


TRANSCRIPT

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Oracle Identity Manager (OIM) Oracle Cloud for Industry (OCI) Hosted Environments

Christina Biggs Program Manager Oracle Primavera Global Business Unit April 16th, 2015

Oracle Confidential – Internal/Restricted/Highly Restricted


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Agenda

1. What is OIM?
2. How does it fit within my Cloud hosted environment?
3. Administrator Experience
4. End User Experience
5. Oracle system responsibilities
6. Important Information
7. Future Enhancements

What is OIM…and all other 3-letter words related to it?

• Oracle Identity Manager (OIM) is the front end interface for user account management and administration.

• Oracle Internet Directory (OID) is the directory store which maintains all the users and groups. The users created in OIM get stored in OID.

• Oracle Access Manager (OAM) validates user credentials against OID and checks whether access has been assigned to the environment, then redirects the user to the application home page after authentication. OAM is also used for external authentication (the customer’s own SSO via the SAML 2.0 protocol).

• Oracle Identity & Access Management (IDM) is the term for the complete stack.


How does OIM fit within my hosted environment?

OIM falls within the Middleware component of the Oracle Red Stack Technology.

Identity Management: Central user creation & provisioning

Business Intelligence Publisher: Reporting tool

Web Center Connect (UCM): File repository

These are standard offerings in hosted environments and are mandatory.


Utilization within PGBU applications

• Our Primavera Cloud products utilize a small component of Oracle Identity Manager & Oracle Access Manager capabilities.

• The development team continues to look at application enhancements that will expand OIM capabilities, such as, but not limited to:

– Auditing

– Reporting

Reminder:

– All user account administration is handled via OIM and not within the applications themselves.


Administrator Experience


Access to OIM as Admin

• One OIM URL provided to company/customer. Same URL for admins and end users.

• Example of OIM URL: https://customernamehere-idm.unifier.oracleindustry.com/oim

• Admins log in with the generic ADMIN account or a named account with admin rights assigned.

• Admins can perform tasks such as:

– Create new users

– Unlock accounts

– Inactivate users

– Modify user accounts

– Reset user passwords

– Assign BI Publisher roles

– Create additional organizations

– Manage Partner users

Create new users

• To create a new user, click on the “Users” link under “Administration” located on the left menu.

• On the “Search Users” page, click on the “Create” link:


Create new users

• A new tab with the User creation form will open up. Enter the mandatory fields on this form and click ‘Submit’.

• For a random, auto-generated password to be emailed to the user, leave the password field blank.


User Creation – Additional information on Bulk Import

• There is a bulk import process available

– Submit an SR via My Oracle Support (MOS) asking to have users bulk imported into OIM for your Cloud environment.

– A CSV template will be provided. Complete and attach to SR.

– Bulk import will be done by the Cloud Hosting team.

• Future release will give customer ability to bulk import.


Default Password Policy


7 day password expiration warning


Application Provisioning

• Once a user has been created, you can provision to desired application(s)/ environment(s).

• Search for and open the user. Click on the ‘Accounts’ tab, then click ‘Request Accounts’ below it.


Application Provisioning

• On the Catalog page, select the required accounts.

• Click ‘Add Selected to Cart’ and click on ‘Checkout’ at the top right:


Application Provisioning

• Click ‘Submit’. Message will indicate the operation completed successfully.

• The account tab for the user should also show status as “Provisioned”.


Provisioning user to multiple accounts, same time

• A user can also be provisioned to multiple accounts at the same time.

• For example, Production and Stage environments or multiple products.

• Auto-approval is now enabled; there is no workflow approval step.


Modify user account

• Search user login from ‘Search Users’ page. Highlight the user and click ‘Edit’ option from the Menu.

• Edit the required values (First name, Last Name, Email, Contact Info) and click ‘Submit’.


Modify user account

• Edit desired values and click ‘Submit’.

NOTE: It is not advisable to change the Organization or User Login of a user. It will lead to provisioning errors.


Password Reset - another user

• Search and select the required user from ‘Search Users’ page.

• Click ‘Reset Password’ link.


Password Reset - another user

• You can either enter a manual password or opt for a system generated password to be emailed to the user directly.

• You also have the choice of emailing the new password to the user or not.


Unlocking user accounts

• Users may lock their accounts due to a number of reasons. Usually by entering an incorrect password too many times. As an admin, you can unlock the account.

• From the ‘Search Users’ page, locate the user account and click on ‘Lock Account’ option from the Menu.


Locked user accounts

• Re-query the user again. The user status will be shown as “Locked”.

• Now click on the “Unlock Account” option from the Menu.

• Ask the user to retry their login.

If the issue persists, enter an SR with user information asking for account to be unlocked.


Disabling a provisioned user

• A user account can be “Disabled” from an application account(s).

• Search for the user and click on ‘Edit’. Click on the ‘Accounts’ tab.

• Highlight the Application account to be disabled and click on ‘Disable’ from the ‘Actions’ Menu.


Re-Enabling a disabled user

• To re-enable a disabled Application account:

– From the ‘Accounts’ tab, click on ‘Request Accounts’.

– On the next Catalog page, select the required account.

– Click on ‘Add Selected to Cart’.

– Click ‘Submit’.


BI Publisher Roles

• There are three default types of roles for BI Publisher:

– BI Consumer (Can run/view all reports made available to their folders)

– BI Author (Can run/view reports plus create new reports)

– BI Administrator (All above rights plus able to manage security settings on folders)

• All users are assigned by default the BI Consumer role at user provisioning.

• Roles can be assigned to the Organization level as well.

For P6 only, there is also a role for UCM (file repository).

This is included in P6 Cloud Admin guide.


Creating a new Organization

• There will be a TOP organization already set up in OIM for your company. It is best practice to create all your company users under that organization.

• If the application you are using allows Partner organizations to be created, follow the steps below to create them in OIM. You will also need to follow the steps to create them in Unifier (available in the Unifier Admin doc).

• From the Home page, click on the ‘Organizations’ link from the Administration tab.

• In the Search Organizations page, click on Create.


Creating a new Organization

• Enter the organization name and select a Password policy if required.

• Click on Save.


End User Experience


End Users

• Once a user has been provisioned in OIM, they receive an auto-generated email notification containing their account login information (or receive it via the admin if the manual option is selected).

• The first screen will be a Single Sign-On login. The user enters their username and temporary password.


End Users - continued

• Upon successful authentication, the user is redirected to create a new password and set challenge questions. The challenge questions allow a reset if the password is forgotten in the future.

• Once the password and challenge questions have been set, the user is automatically redirected to the end application, Unifier or OIM, based on the URL that was originally accessed.

• If the Unifier URL was accessed, the user is redirected to the Unifier Home page.

Change Password - Initiated by user

• The OIM URL should be communicated to end users.

• Users can access it at any time to initiate their own password change or set new challenge questions.

• After logging in with the current username and password, click ‘My Information’ under the ‘My Profile’ section of the left menu.


Change Password - Initiated by user continued…

• Expand the selection in the main menu called ‘Change Password’.

• Enter new password and click ‘Apply’ to save changes.


Change Security Questions - Initiated by user

• Scroll down and expand the selection in the main menu called ‘Challenge Questions’.

• Enter new values as desired and click ‘Apply’ to save changes.


System Level Actions – Oracle Only


Actions that require SR to engage Oracle Cloud Support

• Change to your corporate password policy (if a policy different from the default is required)

• Modify the email notification that goes out to end users when an account is provisioned or a password is reset

• A change to the application Authorization Code must be provided to Oracle so that OIM can be updated to match (a mismatch causes integration and provisioning issues)

• Bulk user import (more than 25 users)

• Changes to PARTNER license counts and allocation (Unifier)


Important Tips, Information


Important points to avoid issues

• Ensure users log in to the Application URL the first time, not the OIM URL.

• Understand that OIM is used to provision users only. It is not a function of OIM to create security and user groups.

– The user groups and the corresponding privileges for each user group are still handled within the applications (Unifier and P6). This is not driven from OIM.

• It is very important to always include a VALID email address on user accounts.

• OIM is case-insensitive: it will not treat joesmart and Joesmart as distinct user accounts, which will cause provisioning issues.

• Special characters should be avoided in the organization name and login names.
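A pre-flight check for a bulk-import CSV that applies the rules above (case-insensitive login collisions, special characters in logins and organization names, a valid email on every account, and the 25-user SR threshold) before the file is attached to an SR. This is an added example, not Oracle’s code or the real CSV template: the column names, the exact “special character” sets and the sample rows are assumptions.

```python
import csv
import io
import re

# Constructed sample in the shape of a hypothetical bulk-import template.
# The real template comes with the SR; these column names are an assumption.
SAMPLE_CSV = """user_login,first_name,last_name,email,organization
joesmart,Joe,Smart,joe.smart@example.com,ACME
Joesmart,Joseph,Smart,joseph.smart@example.com,ACME
mary.o'neil,Mary,O'Neil,mary.oneil@example.com,ACME
bob.jones,Bob,Jones,,ACME
sue.lee,Sue,Lee,sue.lee@example.com,ACME & Partners
"""

# The deck only says to avoid special characters; these allowed sets are an assumption.
LOGIN_OK = re.compile(r"^[A-Za-z0-9._-]+$")
ORG_OK = re.compile(r"^[A-Za-z0-9 ._-]+$")
EMAIL_OK = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SR_THRESHOLD = 25   # deck: importing more than 25 users goes through an SR


def validate_rows(rows):
    """Return (problems, row_count); problems is a list of (row_no, message)."""
    problems, seen, count = [], {}, 0
    for row_no, row in enumerate(rows, start=2):   # row 1 is the header
        count += 1
        login = (row.get("user_login") or "").strip()
        email = (row.get("email") or "").strip()
        org = (row.get("organization") or "").strip()
        if not login:
            problems.append((row_no, "missing user_login"))
            continue
        # OIM treats logins case-insensitively, so fold before comparing.
        key = login.casefold()
        if key in seen:
            problems.append((row_no, f"login '{login}' collides with row {seen[key]} (case-insensitive)"))
        else:
            seen[key] = row_no
        if not LOGIN_OK.match(login):
            problems.append((row_no, f"special characters in login '{login}'"))
        if not EMAIL_OK.match(email):
            problems.append((row_no, "missing or invalid email address"))
        if not ORG_OK.match(org):
            problems.append((row_no, f"missing organization or special characters in '{org}'"))
    return problems, count


def check_import(text):
    """Validate a CSV batch and flag whether it needs an SR for the Cloud Hosting team."""
    problems, count = validate_rows(csv.DictReader(io.StringIO(text)))
    return {"problems": problems, "users": count, "needs_sr": count > SR_THRESHOLD}


if __name__ == "__main__":
    result = check_import(SAMPLE_CSV)
    for row_no, msg in result["problems"]:
        print(f"row {row_no}: {msg}")
    print(f"{result['users']} users, SR required: {result['needs_sr']}")
```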


Future OIM Enhancements for 15.1


Upcoming Enhancements to OIM

• New Primavera Cloud Administration Tool coming soon

• Targeted for 15.1 product versions

– Looking at back porting to previous versions, but not confirmed.

• Cleaner interface, user friendly

• Only includes key admin tasks


Cloud User Administration – Home Screen

• Administrators will be able to quickly add users in two ways:

– Directly into the data grid

– Import from a CSV file


Add Users by Importing from CSV or Typing in


• Administrators will be able to quickly assign users to various roles and application instances.


Select users to provision


Assign Roles, Applications or OIM Profiles to users


• Will have the ability to review data before provisioning.


Steps 1 and 2 Complete – Final Step, Notification


Email notifications


• This step allows the admin to select which accounts will receive the email notification that the user account was created.

• Can send to a single user or a group of users.


Summary Screen – Completion


Additional Information Available

• Documentation for future application releases will have deeper content on OIM. It will be available in the Cloud Administrators Guide.

– Located in the Product Documentation Library on Oracle Tech Network (OTN) site.

– http://www.oracle.com/technetwork/documentation/default-1870233.html (Unifier)

– P6 Cloud Admin Document coming soon

• A UPK (User Productivity Kit) is being developed for release on OTN.
