
Unauthorized reproduction or distribution prohibited Copyright 2011, Oracle and/or its affiliates

Oracle Identity Manager 11g: Essentials
Activity Guide

D65160GC10
Edition 1.0
March 2011
D69804

Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and
print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way.
Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization
of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please
report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.
Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United
States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted
by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Authors
Robert LaVallie, Terri Cantor

Technical Contributors and Reviewers
Eswar Vandanapu, Raj Kuchi, Rajesh Bhabu, Gopal Kumarappan, Mario Lim, Sri Subramanian,
Ajay Keni, Brad Donison, Ashok Maram, Bitan Biswas, Amol Dharmadhikari, Abhishek Sharma,
Javed Beg, Jatan Rajvanshi, Sid Choudhury, Semyon Shulman, Viresh Garg, Sidhartha Das,
Sanjay Rallapalli, Srinivas Marni, Debapriya Datta, Ashutosh Pitre, Shyam Narayan Singh,
Don Biasotti, Alexandre Babeanu, Gururaj B.S.

This book was published using: Oracle Tutor

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective
owners.

Table of Contents

Practices for Lesson 1
Practices for Lesson 2
Practices for Lesson 3
Practice 3-1: Start Oracle WebLogic Server
Practice 3-2: Start Oracle Identity Manager Server and Oracle SOA Server
Practice 3-3: Launch the Oracle SOA and Oracle Identity Manager Administration Consoles
Practice 3-4: Navigate the Oracle Identity Manager Administrative and User Console
Practice 3-5: Launch and Navigate the Oracle Identity Manager Design Console
Practices for Lesson 4
Practices for Lesson 5
Practice 5-1: Create Organizations
Practice 5-2: Create Suborganizations
Practice 5-3: Create Users
Practice 5-4: Create a Role Category
Practice 5-5: Create Roles
Practice 5-6: Assign Users to Roles
Practice 5-7: Use the Bulk Load Utility to Import a Role Category into Oracle Identity Manager
Practice 5-8: Use the Bulk Load Utility to Import Users into Oracle Identity Manager
Practice 5-9: Use the Bulk Load Utility to Import and Assign Roles in Oracle Identity Manager
Practice 5-10: Use the Bulk Load Utility to Assign Users to Roles in Oracle Identity Manager
Practices for Lesson 6
Practice 6-1: Copy Connector and External Code Files
Practice 6-2: Configure Oracle Identity Manager Server
Practice 6-3: Import an Oracle Identity Manager Connector
Practice 6-4: Define an IT Resource
Practice 6-5: Create a User
Practice 6-6: Assign the Connector to a User
Practice 6-7: Complete the Custom Process Form
Practice 6-8: Access the Resource
Practices for Lesson 7
Practice 7-1: Configure the Resource Object
Practice 7-2: Create an Auto Membership Rule
Practice 7-3: Assign an Auto Membership Rule to a Role
Practice 7-4: Create an Access Policy
Practice 7-5: Create a User
Practice 7-6: Complete the Custom Process Form
Practice 7-7: Access the Resource
Practice 7-8: Modify the Provisioning Process
Practice 7-9: Modify the Custom Process Form
Practice 7-10: Provision a Resource to a User
Practice 7-11: Access the Resource
Practices for Lesson 8
Practice 8-1: Create Prerequisite Organizations, Role Categories, and Roles
Practice 8-2: Configuring the JDeveloper Environment
Practice 8-3: Deploy and Register Custom SOA Composites
Practice 8-4: Import the iPlanet User Resource Request Dataset
Practice 8-5: Configure Sun Java System Directory Server Group and Role
Practice 8-6: Update Lookup Definitions
Practice 8-7: Create a Request Template
Practice 8-8: Create Approval Policies
Practice 8-9: Create Users for the Request
Practice 8-10: Create a Request
Practice 8-11: Approve Tasks and Verify Provisioning
Practices for Lesson 9
Practice 9-1: Start Microsoft Active Directory and Sun Java System Directory Server
Practice 9-2: Configure the External Resources
Practice 9-3: Copy Connector and External Code Files
Practice 9-4: Configure Oracle Identity Manager Server
Practice 9-5: Import Oracle Identity Manager Connectors
Practice 9-6: Define IT Resources
Practice 9-7: Modify Scheduled Jobs
Practice 9-8: Reconcile with a Trusted Source and a Target Resource
Practices for Lesson 10
Practice 10-1: Create Prerequisite Entities
Practice 10-2: Create and Associate Membership Rules
Practice 10-3: Create HelpDesk, Human Resources, and Manager User Accounts
Practice 10-4: Extend the Oracle Identity Manager User Schema
Practice 10-5: Create Authorization Policies
Practice 10-6: Test and Verify Authorization Policies Implementation
Practices for Lesson 11
Practice 11-1: Configure the Oracle BI Publisher Environment
Practice 11-2: Create Access Policy Reports
Practice 11-3: Create Request and Approval Reports
Practice 11-4: Create a Password Report
Practice 11-5: Create a Resource Report
Practice 11-6: Create Role and Organization Reports
Practice 11-7: Create a User Report
Practices for Lesson 12
Practice 12-1: Access Oracle Identity Manager Log Configuration Details
Practice 12-2: Create an Oracle Identity Manager User
Practice 12-3: View Provisioning Messages in the Oracle Identity Manager Log
Practice 12-4: Resolve Provisioning Issue
Practice 12-5: Monitor Scheduled Events
Practices for Lesson 13
Practice 13-1: Export and Re-import the OIM Configuration using the MDS Utility
Practice 13-2: Exporting Deployment Configuration with the Deployment Manager
Practice 13-3: Import an XML File Using the Deployment Manager
Practices for Lesson B
Practices for Lesson C
Practices for Lesson D
Practices for Appendix E
Practice E-1: Build an Oracle Identity Manager Connector
Practices for Appendix F
Practice F-1: Branding the Identity Administration Console
Practice F-2: Branding the Authenticated Self Service Console
Practice F-3: Renaming Button Labels
Practice F-4: Creating Custom Skins and Style Sheets

Chapter 1

Practices for Lesson 1


Practices Overview

There are no practices for Lesson 1.

Chapter 2

Practices for Lesson 2


Practices Overview

There are no practices for Lesson 2.

Chapter 3

Practices for Lesson 3


Practices Overview

In these practices, you launch Oracle Identity Manager 11g. This includes completing the
following tasks:

Starting Oracle WebLogic Server (the Administration server)

Starting two servers managed by Oracle WebLogic Server: Oracle Identity Manager
Server and Oracle SOA Server

Launching the Oracle SOA Administration Consoles and the Oracle Identity Manager
Administration Console

Launching the Oracle Identity Manager Design Console

Important: For the practices in this lesson, <hostname> represents the host name of the
machine on which the practices are completed. Because the host name for your machine is
unique, replace all references of <hostname> with the host name of your machine.
To retrieve the host name of your machine:
1. Open a DOS window.
2. At the DOS prompt, enter hostname. The host name of your machine appears.

Tip: In this practice, you launch the following Web-based consoles:

Oracle WebLogic Server Administration Console

Oracle SOA Platform Console

Oracle BPM Worklist Console

Oracle Identity Manager Administrative and User Console

For efficiency purposes, add the URL for each console to your Favorites list in Microsoft Internet
Explorer. To do so:
1. Select Favorites from the Menu Bar.
2. Select the Add to Favorites command from the menu that appears.
3. On the Add a Favorite window, click Add.

Practice 3-1: Start Oracle WebLogic Server

Overview
With Oracle WebLogic Server, an administrator can define a domain for the server. A domain is
a basic administrative unit for Oracle WebLogic Server, and includes the following types of
servers:

An administrative server. This type of server is always included as part of a domain.
With an administrative server, an administrator can perform additional administration of
that domain, including creating and managing managed servers within the domain.

A managed server. This type of server is managed by the administrative server. A
managed server hosts application components and resources, which are also deployed
and managed as part of the domain.
In this practice, you start Oracle WebLogic Server. Oracle WebLogic Server is the
administrative server for your domain.
Note: In the next practice, you start two servers managed by Oracle WebLogic Server: Oracle
Identity Manager Server and Oracle SOA Server.

Assumptions

You installed and configured Oracle WebLogic Server 11g, Oracle Identity Manager
11g, and Oracle SOA Server 11g

You created a domain for Oracle WebLogic Server 11g

You created an administrative server for Oracle WebLogic Server 11g

You created two servers managed by Oracle WebLogic Server: Oracle Identity
Manager Server and Oracle SOA Server

Tasks
1. Double-click the startWebLogic.cmd file, found in the
D:\app\oracle\product\middleware\user_projects\domains\
IDMDomain\bin folder.
Important: Before proceeding to step 2, ensure that you see <Server started in
RUNNING mode> in the DOS window used to launch Oracle WebLogic Server.
2. Open an Internet Explorer Web browser.


Important: Ensure that the version of your Web browser is 7.0 (or higher).
3. Enter the following URL into the Address field:
http://<hostname>.us.oracle.com:7001/console/login/LoginForm.jsp
Tip: For efficiency purposes, Oracle strongly recommends that you bookmark this URL.
4. Log in to Oracle WebLogic Server, using the login credentials of weblogic for the User
Name and Welcome1 for the password.

Note: For security purposes, the password you enter appears as a series of bullets.

5. On the Home page of the Oracle WebLogic Server Administration Console, click the
Servers link.

On the Summary of Servers page of the Administration Console, the administrative
server (AdminServer) has a status of RUNNING.
Oracle WebLogic Server is started. In this practice, you started the administrative server
for your domain (Oracle WebLogic Server). You are ready to start two servers managed
by Oracle WebLogic Server: Oracle Identity Manager Server and Oracle SOA Server.

Practice 3-2: Start Oracle Identity Manager Server and Oracle SOA
Server

Overview
In the practice titled Start Oracle WebLogic Server, you launched Oracle WebLogic Server.
Oracle WebLogic Server is the administrative server for your domain.
You are ready to start two servers managed by Oracle WebLogic Server: Oracle Identity
Manager Server and Oracle SOA Server.

Assumptions
You started Oracle WebLogic Server.

Tasks
1. Open a DOS window.
2. Navigate to the D:\app\oracle\product\middleware\user_projects\
domains\IDMDomain\bin directory.

Note: This directory contains the startManagedWebLogic.cmd file. This file is used
to start Oracle Identity Manager Server.
3. At the DOS prompt, enter startManagedWebLogic.cmd oim_server1 (and press
Enter).
Note: For this course, oim_server1 is the name of the Oracle Identity Manager
Server.

4. At the username and password prompts, enter weblogic and Welcome1 (and press
Enter).

Note: weblogic and Welcome1 are the login credentials for Oracle WebLogic Server.
Also, the password is hidden for security purposes.
You started Oracle Identity Manager Server. You are ready to start Oracle SOA Server.
Important: Before proceeding to step 5, ensure that you see <Server started in
RUNNING mode> in the DOS window used to launch Oracle Identity Manager Server.
5. Open a second DOS window.
6. Navigate to the D:\app\oracle\product\middleware\user_projects\
domains\IDMDomain\bin directory.

Note: This directory contains the startManagedWebLogic.cmd file. This file is used
to start Oracle SOA Server.
7. At the DOS prompt, enter startManagedWebLogic.cmd soa_server1 (and press
Enter).
Note: For this course, soa_server1 is the name of the Oracle SOA Server.

8. At the username and password prompts, enter weblogic and Welcome1 (and press
Enter).

Note: weblogic and Welcome1 are the login credentials for Oracle WebLogic Server.
Also, the password is hidden for security purposes.
You started Oracle SOA Server. You are ready to verify that both managed servers are
started.
Important: Before proceeding to step 9, ensure that you see <Server started in
RUNNING mode> in the DOS window used to launch Oracle SOA Server.
9. Make the Summary of Servers page of the Oracle WebLogic Server Administration
Console active. On this page, both the Oracle Identity Manager Server (oim_server1)
and the Oracle SOA Server (soa_server1) have a status of RUNNING.

Oracle Identity Manager Server and Oracle SOA Server are started.

10. This is an optional step. Several shortcut scripts have been provided to start and stop
Oracle Identity Manager Server, Oracle SOA Server, and Oracle WebLogic server.
a. From a File Manager, change to the directory,
D:\stage\labs\lab_03\Shortcuts.


b. Copy all of the files located in the directory.

c. Paste these files to the desktop.

Double-click the appropriate shortcut when you need to shut down or start the Oracle
WebLogic Administration Server, Oracle Identity Manager Server, or the Oracle SOA
Server.


In the practice titled Start Oracle WebLogic Server, you started the administrative
server for your domain (Oracle WebLogic Server). In this practice, you started the two
servers managed by this administrative server: Oracle Identity Manager Server and
Oracle SOA Server. You are ready to launch the Administration Consoles associated
with Oracle Identity Manager and Oracle SOA.
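
The readiness gate this practice relies on (waiting for <Server started in RUNNING mode> before moving to the next step) can also be checked against captured console output. The following Python code is an added example, not part of the Oracle course material; the log lines are constructed samples and the function names are illustrative assumptions.

```python
import re

# WebLogic console lines are runs of <...> fields:
# <timestamp> <severity> <subsystem> <message id> <text>
FIELD = re.compile(r"<([^<>]*)>")
STATE_CHANGE = re.compile(r"Server state changed to (\w+)")
STARTED = re.compile(r"Server started in (\w+) mode")

# Lifecycle states that mean the start attempt has gone wrong.
FAILURE_STATES = {"FAILED", "FAILED_NOT_RESTARTABLE", "FORCE_SHUTTING_DOWN"}

# Constructed sample output (not captured from a real server).
SAMPLE_OK = """\
<Mar 1, 2011 9:14:02 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 1, 2011 9:15:40 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 1, 2011 9:15:41 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 1, 2011 9:15:55 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 1, 2011 9:15:55 AM PST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
""".splitlines()

# Constructed sample of a start that fails part-way through.
SAMPLE_FAILED = """\
<Mar 1, 2011 9:14:02 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
java.lang.RuntimeException: constructed stack trace line without fields
<Mar 1, 2011 9:14:30 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Mar 1, 2011 9:14:31 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
""".splitlines()


def message_text(line):
    """Return the last <...> field of a console line, or None if it has none."""
    fields = FIELD.findall(line)
    return fields[-1] if fields else None


def startup_status(lines):
    """Classify console output as 'running', 'failed', or 'not ready'.

    'running' requires the explicit "Server started in RUNNING mode" marker,
    with no later state change away from RUNNING.
    """
    state = None
    started = False
    for line in lines:
        text = message_text(line)
        if text is None:
            continue  # stack traces and banner text carry no fields
        change = STATE_CHANGE.search(text)
        if change:
            state = change.group(1)
            if state != "RUNNING":
                started = False  # a later transition invalidates the marker
            continue
        marker = STARTED.search(text)
        if marker and marker.group(1) == "RUNNING":
            state = "RUNNING"
            started = True
    if state in FAILURE_STATES:
        return "failed"
    return "running" if started else "not ready"


if __name__ == "__main__":
    print("clean start :", startup_status(SAMPLE_OK))
    print("failed start:", startup_status(SAMPLE_FAILED))
```
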


Practice 3-3: Launch the Oracle SOA and Oracle Identity Manager
Administration Consoles


Overview
In the practices titled Start Oracle WebLogic Server and Start Oracle Identity Manager Server
and Oracle SOA Server, you launched Oracle WebLogic Server, Oracle Identity Manager
Server, and Oracle SOA Server.
You are ready to launch three Administration Consoles associated with Oracle Identity Manager
and Oracle SOA. They are:

Oracle SOA Platform Console. The primary goal of any provisioning system is to
manage requests submitted by users and provision resources to users. Request
completion involves execution of associated approval processes. These approval
processes are deployed as Service Oriented Architecture (SOA) composites running
on the SOA Server.
The Oracle SOA Platform Console is a Web-based console that contains predefined
SOA composites in Oracle Identity Manager to be used for approval processes. Oracle
Identity Manager approvers and administrators are responsible for executing and
managing such approval processes.

Oracle BPM Worklist Console. This Web-based console is used by approvers or
administrators to manage approval process tasks that require their attention, as well as
to view tasks that they initiate.

Oracle Identity Manager Administrative and User Console. This Web-based console
supports access to unauthenticated and authenticated self-service, as well as
delegated administration features for Oracle Identity Manager.

Assumptions
You started Oracle WebLogic Server, Oracle Identity Manager Server, and Oracle SOA Server.

Tasks
1. Open an Internet Explorer Web browser.
2. Enter the following URL into the Address field:
http://<hostname>.us.oracle.com:7006/soa-infra
Tip: For efficiency purposes, Oracle strongly recommends that you bookmark this URL.
3. On the Connect window, enter xelsysadm in the User Name field, Welcome1 in the
Password field, and click OK.

Note: For security purposes, the password that you enter appears as a series of bullets.

The Home page of the Oracle SOA Platform Console appears.

The Oracle SOA Platform Console contains predefined SOA composites in Oracle
Identity Manager to be used for approval processes. Oracle Identity Manager approvers
and administrators are responsible for executing and managing such approval
processes.
You launched the Oracle SOA Platform Console. You are ready to launch the Oracle
BPM Worklist Console.
Note: For more information about the SOA composites that compose this console, refer
to the lesson of the Oracle Identity Manager 11g: Essentials course titled Launching
Oracle Identity Manager.
4. Open an Internet Explorer Web browser.
5. Enter the following URL into the Address field:
http://<hostname>.us.oracle.com:7006/integration/worklistapp
Tip: For efficiency purposes, Oracle strongly recommends that you bookmark this URL.


6. If prompted, on the login page, enter xelsysadm into the Username field, Welcome1
into the Password field, and click Login.

Note: For security purposes, the password that you enter appears as a series of bullets.

The Home page of the Oracle BPM Worklist Console appears.

The Oracle BPM Worklist Console is used by approvers or administrators to manage
approval process tasks that require their attention, as well as view tasks they initiate.
You launched the Oracle BPM Worklist Console. You are ready to launch the Oracle
Identity Manager Administrative and User Console.
Note: For more information about the features and functionalities of this console, refer to
the lesson of the Oracle Identity Manager 11g: Essentials course titled Launching
Oracle Identity Manager.
7. Open an Internet Explorer Web browser.
8. Enter the following URL into the Address field:
http://<hostname>.us.oracle.com:7007/oim
Tip: For efficiency purposes, Oracle strongly recommends that you bookmark this URL.


9. On the Oracle Identity Manager login page, enter xelsysadm into the User Name field,
Welcome1 into the Password field, and click Sign In.

Note: Because you did not yet create an administrator account, you must log in to the
Oracle Identity Manager Administrative and User Console with your superuser account
(that is, xelsysadm). However, after you create your own administrator account, you
can log in to Oracle Identity Manager with that account. Also, for security purposes, the
password that you enter appears as a series of bullets.
10. Populate the Password Management screen, as follows:

Challenge Question                     Challenge Answer
What is your mother's maiden name?     agneta
What is the name of your pet?          matty
What is the city of your birth?        new york

Note: The first time that you log in to Oracle Identity Manager with a particular user
account, you must select and answer challenge questions. These questions are used
to verify your identity if you must reset your password. However, for all subsequent
logins with that account, these questions do not appear. Instead, you are taken directly
to the Home page of the Oracle Identity Manager Administrative and User Console.
11. Click Submit.


The Home page of the Oracle Identity Manager Administrative and User Console
appears.

The Oracle Identity Manager Administrative and User Console supports access to
unauthenticated and authenticated self-service, as well as delegated administration
features for Oracle Identity Manager.
In this practice, you started three Web-based Administration Consoles associated with
Oracle Identity Manager and Oracle SOA: Oracle SOA Platform Console, Oracle BPM
Worklist Console, and Oracle Identity Manager Administrative and User Console.
You are ready to navigate the Oracle Identity Manager Administrative and User Console.
By navigating this console, you familiarize yourself with the embedded consoles and
their features.
Important: When you launch the Oracle SOA Platform Console, Oracle BPM Worklist
Console, and Oracle Identity Manager Administrative and User Console, and log in with
your superuser account (that is, xelsysadm), you have read- and write-access rights for
all of the links that compose each console.

Practice 3-4: Navigate the Oracle Identity Manager Administrative and
User Console

Overview
In the practices titled Start Oracle WebLogic Server and Start Oracle Identity Manager Server
and Oracle SOA Server, you launched Oracle WebLogic Server and Oracle Identity Manager
Server.
In this practice, you perform a series of tasks to navigate the Oracle Identity Manager
Administrative and User Console. By navigating the console, you familiarize yourself with the
embedded consoles and their features.
There are three main embedded consoles within the Oracle Identity Manager Administrative and
User Console:

Oracle Identity Manager Authenticated Self Service Console

Oracle Identity Manager Administration Console


Oracle Identity Manager Advanced Administration Console
The fourth console, Oracle Identity Manager Unauthenticated Self Service interface, is
accessed directly from the Login page.
In this practice, you focus on the first three embedded consoles.

Assumptions
You started Oracle WebLogic Server and Oracle Identity Manager Server.
You have launched the Oracle Identity Manager Administrative and User Console and
have logged in as the superuser account, xelsysadm.

Tasks
1. Ensure that the Oracle Identity Manager Identity Administration Console is active.
2. From the Oracle Identity Manager Identity Administration Console, two main tabs are
displayed on the left side of the console: Administration and Authorization Policy. When
initially accessing the Oracle Identity Administration Console, you are placed into the
Administration tab. From the Welcome tab on the right side of the console, you can
manage users, organizations, roles, role categories, and authorization policies.

3. In the left-hand Search and Browse panel, click the right-arrow to the right of the Search
field to search for all users for which the superuser account is allowed to search.

Note: The left Search and Browse area enables you not only to search for Oracle
Identity Manager entities, but also to create entities or modify existing ones.

4. Select the line for, but do not click the link for, System Administrator. By selecting the
line for an entity, you have several actions available to you in the area directly above the
search results.

5. Move your mouse cursor over each of the action buttons listed above the search results.
You have the ability to create, edit, and delete users as well as reset
their passwords. If you have multiple users selected, you can modify some of the
attributes of these users by clicking the Bulk Modify Users button. You can refresh
your search results and expand the search interface so that it launches the
Advanced Search: Users window with the information that you specified in the regular
search window. These actions are replicated in the Action drop-down list as well as on
the Welcome tab on the right side of the console.

Note: You can also search for Roles and Organizations from the Search field. The
action button and the Action drop-down menu change based on the type of entity that
you select.


6. Click the Browse subtab in the Search and Browse area.

This area enables you to view the roles and organizations in a hierarchical view. Once
again, as with the user search, you have access to several actions including creating,
opening the details of, and deleting roles and role categories from the Roles subpanel.
The same actions are accessed for organizations through the Organizations subpanel.
7. Click on the Authorization Policy tab to access the Authorization Policies management
area. You can also access authorization policies from the Welcome tab from the
Administration tab.


8. Access the Oracle Identity Manager Advanced Administration Console by clicking the
Advanced link on the right side of the banner area.


9. You are presented with five main tabs: Administration, Event Management, Policies,
Configuration, and System Management. You are automatically placed in the
Administration tab, where you can access, from the Welcome subtab, all of the features
for Advanced Administration.

10. Click the Event Management tab. Note that the navigation area directly below the
Administration and Event Management tabs updates according to the tab selected. The
Search field is also updated to reflect the features accessible from the tab.

11. Click the remaining tabs to see the functions that are accessible from the navigation
area below the main tabs. These features match the features displayed in each of the
panels on the Welcome tab.


12. Click the Self-Service link in the banner area to access the Oracle Identity Manager
Authenticated Self Service Console.

13. Once again, as with the other embedded consoles, several main tabs are available to
you: Tasks, Requests, and Profile. You automatically start in the Welcome tab for this
console. Click Tasks to access the Tasks tab.


14. From the Tasks tab, you have access to several subtabs that match what was shown on
the Welcome tab.

In this case, you can search for any approval, provisioning, or attestation tasks based on
the subtab selected and the filters used in the search fields.
15. Click the remaining main tabs, Requests and Profile, to view the subtabs available to
you.
16. Now that you have navigated the Oracle Identity Manager Administrative and User
Console, you can shut down the Oracle SOA server, as it will no longer be required until
a later lab. To shut down the Oracle SOA services:
a. At the DOS prompt, change to the directory,
D:\app\oracle\product\middleware\user_projects\domains\IDMDomain\bin.
b. Enter stopManagedWebLogic.cmd soa_server1 (and press Enter).

Note: For this course, soa_server1 is the name of the Oracle SOA Server.


c. At the username and password prompts, enter weblogic and Welcome1 (and
press Enter).

Note: weblogic and Welcome1 are the login credentials for Oracle WebLogic
Server. Also, the password is hidden for security purposes. When stopping the server,
the default values of weblogic and welcome1 are provided. At the minimum, you
must enter the correct password.
It may take a few minutes to shut down Oracle SOA server. After the services have been
stopped and the server has shut down, you may proceed with the next practice.
You are ready to launch the Oracle Identity Manager Design Console. This console is a
stand-alone Java application that provides the full range of the product's system
configuration and development capabilities.

Practice 3-5: Launch and Navigate the Oracle Identity Manager Design
Console


Overview
In the practices titled Start Oracle WebLogic Server and Start Oracle Identity Manager Server
and Oracle SOA Server, you launched Oracle WebLogic Server and Oracle Identity Manager
Server.
In this practice, you launch the Oracle Identity Manager Design Console. This console is a
stand-alone Java application that provides the full range of the product's system configuration
and development capabilities, including Form Designer, Workflow Designer, and Adapter
Factory. After launching the console, you navigate one of the folders to familiarize yourself with
how to search for and access the features listed.
You can launch the Design Console through the Oracle Identity Manager Client icon on your
desktop.

Assumptions
You started Oracle WebLogic Server and Oracle Identity Manager Server.

Tasks
1. Double-click the Oracle Identity Manager Client icon on your desktop. The Oracle
Identity Manager Design Console login window appears.
2. Enter xelsysadm into the User ID field, Welcome1 into the Password field, and click
Login.

Note: For security purposes, the password that you enter appears as a series of bullets.


The Oracle Identity Manager Design Console appears.

You started the Oracle Identity Manager Design Console.
Important: When you launch the Design Console, and log in with your superuser
account (that is, xelsysadm), you have read-access and write-access rights for all of the
forms and records that compose this console.
Note: Two other ways to display the Oracle Identity Manager Design Console login
window are by:

Selecting the Oracle Identity Manager Client command from your Windows Start
menu (that is, Start > Programs > Oracle IDM Suite 11g Home1 > Oracle
Identity Manager Client)

Double-clicking the xlclient.cmd file (which can be found in the
D:\app\oracle\product\middleware\iam_home\designconsole
directory).

3. Expand the User Management folder.

From this folder, you can manage several features that affect users or roles.
4. Double-click Roles. This opens a blank Roles form, enabling you to search for or create
a Roles form.
5. Click on the Query for records button.

This searches through the Oracle Identity Manager repository for all records that match
this type of form.

The first role is preloaded into the form on the Roles tab. In this example, the ACCESS
POLICY ADMINISTRATORS role is loaded into the form.

6. Select the Roles Table tab.

This lists all the roles that you searched for by clicking the Query for Records button.

7. Select the field for the Administrators role.


8. Select the Roles tab.

The Roles form is updated with the information related to the Administrators role. The
Roles table enables you to select the item that you want to view for that form type.
9. You can change to the previous, next, first, or last record by using the directional arrows
in the menu bar. Click the Go to Last Record button.

This automatically preloads the form with the information for the last record listed in
Roles Table.
10. If you make any updates to the form, you can click the Save button to save your
changes. In this case, because you have made no changes, close the form by clicking
the Close this form button.

This closes the form and the correlating table tab.

Practices for Lesson 4
Chapter 4

Practices for Lesson 4


Practices Overview


There are no practices for Lesson 4.

Practices for Lesson 5
Chapter 5

Practices for Lesson 5


Practices Overview


In these practices, you create and manage records for organizations, roles, and users. This
includes completing the following tasks:

Creating records and attributes for organizations, suborganizations, Oracle Identity
Manager users, and role categories

Creating roles and assigning them to role categories


Assigning roles to Oracle Identity Manager users

Using the Bulk Load utility to import predefined role categories, roles, and users into
Oracle Identity Manager

Important: For the practices in this lesson, <hostname> represents the host name of the
machine on which the practices are completed. Because the host name for your machine is
unique, replace all references of <hostname> with the host name of your machine.
To retrieve the host name of your machine:
1. Open a DOS window.
2. At the DOS prompt, enter hostname. The host name of your machine appears.


Practice 5-1: Create Organizations


Overview


In this practice, use the Oracle Identity Manager Identity Administration Console to create
organizations for the Curriculum, Process Owners, Reviewers, and Approvers departments.

Assumptions
You installed, configured, and launched the Administrative and User Console for Oracle Identity
Manager 11g.

Tasks
1. Click the Create Organization link on the Home page of the Identity Administration
Console.

Note: If the Identity Administration Console does not appear, click the Administration
link in the upper-right corner of the active console.
2. Enter values for the organizational record that you are creating, as follows:
Field                  Value
Name                   Curriculum
Type                   Department
Parent Organization    [leave blank]

Note: The Parent Organization field indicates the parent organization of your
organization (that is, your organization is a suborganization). Because your organization
is a parent organization, and is not a suborganization, leave this field empty.


3. Click Save.


The organization is created. Oracle Identity Manager sets the organization's status to
Active automatically.

Note: The Status field indicates the current status of an organization (that is, whether it
is active, disabled, or deleted). Oracle Identity Manager sets this value automatically (to
Active).


4. Repeat steps 1 through 3 to create the following organizations:

Field                  Value
Name                   Process Owners
Type                   Department
Parent Organization    [leave blank]

Name                   Reviewers
Type                   Department
Parent Organization    [leave blank]

Name                   Approvers
Type                   Department
Parent Organization    [leave blank]

You can create suborganizations, and assign these suborganizations to parent
organizations that you created in this practice.

Tip: For efficiency, close all open tabs before beginning the next practice. To do so:


a. Click Close Multiple Tabs, located in the upper-right corner of the active tab.

b. On the Close Multiple Tabs window, select all open tabs (for this example, select
the Curriculum, Process Owners, Reviewers, and Approvers tabs).
c. Click OK.

The Home page of the Identity Administration Console appears.


Practice 5-2: Create Suborganizations


Overview
In the practice titled Create Organizations, you used the Oracle Identity Manager Identity
Administration Console to create parent organizations for the Curriculum, Process Owners,
Reviewers, and Approvers departments.
You are ready to use the Identity Administration Console to create a suborganization for the
Training department, and assign this suborganization to the Curriculum parent organization. In
addition, in this practice, you create a Legal suborganization for the Reviewers parent
organization.

Assumptions
You created parent organizations for the Curriculum, Process Owners, Reviewers, and
Approvers departments.

Tasks
1. On the Home page of the Identity Administration Console, click the Create Organization
link.
2. Enter values for the suborganizational record you are creating, as follows:

Field                 Value
Name                  Training
Type                  Department
Parent Organization   Curriculum

Note: The Parent Organization field indicates the parent organization of your
organization (that is, your organization is a suborganization). Because you want the
Training organization to be a suborganization of the Curriculum organization, select and
assign Curriculum to be the parent organization of Training. To do so:
a. Click the magnifying glass to the right of the Parent Organization field.


b. In the Search: Organizations window, enter Curriculum into the Organization
Name field (because you want Curriculum to be the parent organization for
Training). Click Search.
c. In the Search Results pane of the Search: Organizations window, select the
parent organization for which you searched (for this practice, Curriculum). Click
Add.
d. On the Create Organization page, click Save.

The suborganization is created. Oracle Identity Manager sets the
suborganization's status to Active automatically.

3. Repeat steps 1 and 2 to create the following suborganization:

Field                 Value
Name                  Legal
Type                  Department
Parent Organization   Reviewers

You can create records for Oracle Identity Manager users and assign these users to
their respective organizations.


Practice 5-3: Create Users


Overview


In this practice, use the Oracle Identity Manager Identity Administration Console to create two
users and assign these users to the Curriculum organization.

Assumptions
You created a parent organization for the Curriculum department in the practice titled Create
Organizations.

Tasks
1. Close all open tabs.
2. On the Home page of the Identity Administration Console, click the Create User link.

3. Enter values for the user record that you are creating, as follows:

Field                             Value
First Name                        Robert
Last Name                         La Vallie
Design Console Access check box   [selected]
User Login                        RLAVALLI
Password                          Welcome1
Confirm Password                  Welcome1
Organization                      Curriculum
User Type                         Full-Time Employee

Note: For security purposes, the password is displayed as a series of bullets (•). For
this example, because the password is Welcome1, it appears as ••••••••.


Also, to assign an organization to the user record, complete the following steps:
a. Click the magnifying glass to the right of the Organization field.
b. On the Select and Search Organizations window, in the Search field, enter the
name of the organization that you want to assign to the user record. For this
practice, enter Curriculum into the Search field. Click the right arrow button.
c. Click the name of the organization in the Organization Name field to select it.
Click Add.

The organization that you assigned to the user record appears in the
Organization field.

4. Click Save.

The user is created. Oracle Identity Manager sets the user's identity status to Active and
the account status to Unlocked automatically.

5. Repeat steps 1 through 4 to create the following user:

Field                             Value
First Name                        Leonard
Last Name                         Agneta
Design Console Access check box   [selected]
User Login                        LAGNETA
Password                          Welcome1
Confirm Password                  Welcome1
Organization                      Curriculum
User Type                         Full-Time Employee

You are ready to create a role category. A role category is a way of categorizing roles for
navigation and authorization purposes. Roles are used to create and manage records of
a collection of users to whom you want to permit access to common functionality, such
as access rights, roles, or permissions.


Practice 5-4: Create a Role Category


Overview
In this practice, you create a role category. A role category is a way of categorizing roles for
navigation and authorization purposes. It is stored internally in Oracle Identity Manager as an
attribute of the role. Roles are used to create and manage records of a collection of users to
whom you want to permit access to common functionality, such as access rights, roles, or
permissions.
For this practice, use the Oracle Identity Manager Identity Administration Console to create the
Administrative role category.
Note: In the practice titled Using the Bulk Load Utility to Import a Role category into Oracle
Identity Manager, you are to use the Bulk Load utility to load a second role category into Oracle
Identity Manager (Technical). All roles that you are to create or import for this course are to
belong to one of these two role categories.

Assumptions

You created the user account specified in the practice titled Create Users.

Tasks
1. Close all open tabs.
2. On the Home page of the Identity Administration Console, click the Create Role
Category link.

3. Enter values for the role category record that you are creating, as follows:

Field           Value
Category Name   Administrative
Description     Role category for nontechnical roles


4. Click Save.

The role category is created.

You are ready to create roles and assign them to the Administrative role category that
you created in this practice.


Practice 5-5: Create Roles


Overview
In this practice, you create roles. You use roles to create and manage the records of a collection
of users to whom you want to permit access to common functionality, such as access rights,
roles, or permissions. Roles can be independent of an organization, span across multiple
organizations, or contain users from a single organization.
For this practice, use the Oracle Identity Manager Identity Administration Console to create two
roles: Oracle 11g Approvers and Oracle 11g Users. You are to assign these roles to the
Administrative role category that you created in the practice titled Create a Role Category.

Assumptions
You created an Administrative role category.

Tasks

1. Close all open tabs.


2. On the Home page of the Identity Administration Console, click the Create Role link.

3. Enter values for the role you are creating, as follows:

Field                Value
Name                 Oracle 11g Approvers
Description          This role is designated for users who approve workflows.
Role Category Name   Administrative


Note: To assign a role category to a role, complete the following steps:


a. Click the magnifying glass to the right of the Role Category Name field.


b. On the Select and Search Category window, in the Search field, enter the name of the
role category that you want to assign to the role. For this practice, enter
Administrative into the Search field. Click the right arrow button.


c. Click the name of the role category in the Category Name field to select it. Click Add.


4. Click Save.


The role is created.

5. Repeat steps 1 through 4 to create the following role:

Field                Value
Name                 Oracle 11g Users
Description          This role is designated for users provisioned with resources.
Role Category Name   Administrative

You can now assign users to the roles that you created.


Practice 5-6: Assign Users to Roles


Overview
In the practice titled Create Users, you created records for the following users: Robert La
Vallie and Leonard Agneta.
In the practice titled Create Roles, you created the following roles: Oracle 11g Approvers and
Oracle 11g Users.
In this practice, use the Oracle Identity Manager Identity Administration Console to assign the
following Oracle Identity Manager users to their associated roles:

User               Role
Robert La Vallie   Oracle 11g Users
Leonard Agneta     Oracle 11g Approvers

Assumptions
You created all user accounts and roles specified in the practices titled Create Users and
Create Roles.

Tasks
1. Close all open tabs.
2. On the Home page of the Identity Administration Console, click the Advanced Search
Roles link.


3. Enter Oracle 11g Users in the text box to the right of the Name drop-down list. Click
Search.


4. Click the name of the role for which you searched (for this practice, Oracle 11g Users).

Tip: To see a description of the role for which you searched, move your mouse cursor
over the role name.

5. Click the Members tab (because you want to assign a user to this role).


6. Click Assign.

7. In the Assign User window, enter Robert La Vallie (that is, the full name of the user
whom you want to belong to this role). Click the right arrow button.

Note: Clicking the right arrow button with a blank search field returns all Oracle Identity
Manager users that the administrator has the right to search for. From that list, you can
select multiple users to assign them to the role.

8. In the Available Users pane, select the full name of the user whom you want to belong to
the role (for this practice, Robert La Vallie). Click the right arrow button.

9. Click Save.

The Oracle Identity Manager user is assigned to the role.

10. Repeat steps 1 through 9 to assign the following Oracle Identity Manager user to the
associated role:

User             Role
Leonard Agneta   Oracle 11g Approvers

Practice 5-7: Use the Bulk Load Utility to Import a Role Category into
Oracle Identity Manager


Overview
In this practice, use the Bulk Load utility to import the Technical role category into Oracle
Identity Manager.
Note: The Bulk Load utility is aimed at automating the process of loading a large amount of data
into Oracle Identity Manager. It helps reduce the down time involved in loading data. In addition,
it is less expensive and it requires fewer resources to import data into Oracle Identity Manager
with the utility than to reconstruct the data manually in the Oracle Identity Management product.
Lastly, if you manually re-create data in Oracle Identity Manager, you may inadvertently produce
an error. However, by using the Bulk Load utility to import data into Oracle Identity Manager,
you eliminate the chance for mistakes.

Assumptions

You created all user accounts specified in the practice titled Create Users.

Tasks
1. Shut down Oracle Identity Manager Server and the Oracle Identity Manager
Administration Console.
2. From Windows Explorer, navigate to the D:\stage\labs\lab_05 directory.
3. Copy the master.txt, Rolecat.csv, usrfinal.csv, Rolefinal.csv, and
Rolemfinal.csv files, which reside in this directory.
4. Paste these files into the
D:\app\oracle\product\middleware\iam_home\server\db\oim\oracle\Utilities\oimbulkload\csv_files
directory.


5. Navigate to the
D:\app\oracle\product\middleware\oracle_common\inventory\Scripts\ext\jlib directory.
6. Copy the ojdbc5.jar file that resides in this directory.
7. Paste this file into the
D:\app\oracle\product\middleware\iam_home\server\db\oim\oracle\Utilities\oimbulkload\lib
directory.

8. Open a DOS window.
9. Navigate to the directory that contains the Bulk Load utility. For this course, the utility is
located in the
D:\app\oracle\product\middleware\iam_home\server\db\oim\oracle\Utilities\oimbulkload\scripts
directory.
10. Enter oim_blkld.bat at the DOS prompt (and press Enter).

Note: oim_blkld.bat is the name of the batch (bat) file used to run the Bulk Load
utility.


11. On the Main Menu screen, press 6 (and press Enter).

Note: You select 6 because for this practice, you are using the Bulk Load utility to load
Technical, a predefined role category, into Oracle Identity Manager.
The following screen checks for the following prerequisites:
- Whether the ojdbc5.jar file is placed in the
  D:\app\oracle\product\middleware\iam_home\server\db\oim\oracle\Utilities\oimbulkload\lib
  directory
- Whether the folder path of the JAVA_HOME environment variable is set to the
  directory that contains the Java JDK (for this course, D:\Program
  Files\Java\jdk1.6.0_18)
- Whether the JDK is version 1.6.0_18 (or higher)

12. Because all prerequisite checks pass, press Enter.


13. On the Enter Database Details screen, specify the Home directory for Oracle Database
(and press Enter).

Note: For this course, the base directory for Oracle Database is
D:\app\oracle\product\11.1.0\db_1.
14. At the prompt, enter the connection string that Oracle Identity Manager requires to
connect to Oracle Database (and press Enter).
Note: The connection string (//LOCALHOST:1521/ORCL) consists of the IP address,
port number, and name of the Oracle Database instance to which Oracle Identity
Manager connects.


15. At the prompt, enter the name of the user in Oracle Database who owns the schema for
Oracle Identity Manager (and press Enter).

Note: For this course, DEV_OIM represents this user.
16. At the Enter password for OIM database user prompt, enter Welcome1, the
password for the DEV_OIM user that you specified in step 15 (and press Enter).
At the Enter password for OIM database user again prompt, enter
Welcome1 (and press Enter).


17. On the Select the input screen, enter the number that represents the classification type
of the file that contains the data you want to import into Oracle Identity Manager through
the Bulk Load utility (and press Enter).

Note: For this practice, enter 2 because the role category data that you want to import
into Oracle Identity Manager through the Bulk Load utility is contained in a
comma-separated value (CSV) file.
18. At the prompt, enter master.txt (and press Enter).

Note: master.txt contains the name of the CSV file that has the role category
information that you want to load into Oracle Identity Manager through the Bulk Load
utility.
19. At the prompt, enter the name of the user in Oracle Database who owns the schema for
Oracle Identity Manager (and press Enter).

Note: This schema (DEV_OIM) is to be used to hold values associated with role
categories that are imported into Oracle Identity Manager through the Bulk Load utility.


20. At the prompt, specify a date format for the role category data that is to be imported into
Oracle Identity Manager through the Bulk Load utility (and press Enter).

Note: The date format specified here is DDMMYYYY. This format represents and must
match any columns in your input source that use a date format. For this course, the Bulk
Load utility is used to load role category data into Oracle Identity Manager on September
21, 2010.
21. At the Do you wish to insert log msgs prompt, enter y (and press Enter).

Note: When you enter y at the prompt, a log file is generated after role category data is
loaded into Oracle Identity Manager through the Bulk Load utility. This log file can be
used to troubleshoot any problems that may occur with information being imported into
Oracle Identity Manager through this utility.
The Bulk Load utility loads role category data into Oracle Identity Manager. When the
DOS prompt appears, the information is imported.

You are ready to verify that the Bulk Load utility imported the Technical role category
into Oracle Identity Manager successfully.
22. Start Oracle Identity Manager Server and the Oracle Identity Manager Administration
Console.
Note: For more information about starting Oracle Identity Manager Server and the
Oracle Identity Manager Administration Console, refer to the document titled Practices
for Lesson 3.

23. On the Home page of the Identity Administration Console, click the Advanced Search
Role Categories link.
24. In the text field to the right of the Category Name field, enter Technical, the name of
the role category that you imported into Oracle Identity Manager through the Bulk Load
utility. Click Search.

The Technical role category appears in the Search Results pane.

This signifies that the Bulk Load utility loaded the Technical role category into Oracle
Identity Manager successfully.
In this practice, you used the Bulk Load utility to import a role category into Oracle
Identity Manager. You are ready to use this utility to load users into Oracle Identity
Manager.
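
Added example (not part of the Oracle course material): a pre-load check, written in Python, for the two points the notes in this practice call out: master.txt names the CSV file to load, and every date column must match the DDMMYYYY format entered at the prompt. The column names, the sample rows, and the reading of master.txt as one file name per line are assumptions made for illustration, not the utility's documented schema.

```python
import csv
import io
from datetime import datetime

DATE_FORMAT = "%d%m%Y"  # DDMMYYYY, the format entered at the Bulk Load prompt


def parse_master(master_text):
    """File names listed in master.txt (assumed layout: one name per non-blank line)."""
    return [line.strip() for line in master_text.splitlines() if line.strip()]


def is_ddmmyyyy(value):
    """True only for exactly eight ASCII digits that form a real calendar date."""
    if len(value) != 8 or not (value.isascii() and value.isdigit()):
        return False  # strptime alone also accepts short forms such as 2192010
    try:
        datetime.strptime(value, DATE_FORMAT)
    except ValueError:
        return False
    return True


def preflight(master_text, files, date_columns):
    """Return a list of problems found; an empty list means the checks passed.

    files maps a file name to its text, standing in for the csv_files directory.
    date_columns names the columns that hold dates (hypothetical names here).
    """
    problems = []
    for name in parse_master(master_text):
        if name not in files:
            problems.append(f"{name}: named in master.txt but not present")
            continue
        reader = csv.reader(io.StringIO(files[name]))
        header = next(reader, None)
        if header is None:
            problems.append(f"{name}: file is empty")
            continue
        for row in reader:
            line_no = reader.line_num
            if not row:
                continue  # ignore blank lines
            if len(row) != len(header):
                problems.append(
                    f"{name}:{line_no}: expected {len(header)} fields, found {len(row)}")
                continue
            for column, value in zip(header, row):
                if column in date_columns and value and not is_ddmmyyyy(value):
                    problems.append(f"{name}:{line_no}: {column}={value!r} is not DDMMYYYY")
    return problems


# Constructed sample input; column names and rows are placeholders, not the utility's schema.
SAMPLE_MASTER = "Rolecat.csv\n"
SAMPLE_FILES = {
    "Rolecat.csv": (
        "CATEGORY_NAME,DESCRIPTION,CREATED_ON\n"
        "Technical,Constructed description,21092010\n"
        "Constructed A,ISO date instead of DDMMYYYY,2010-09-21\n"
        "Constructed B,Day that does not exist,31022010\n"
        "Constructed C,missing date field\n"
    )
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_MASTER, SAMPLE_FILES, {"CREATED_ON"}):
        print(problem)
```

Running a check of this kind before shutting down the server keeps a malformed row from surfacing only in the utility's log after the load.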

Practice 5-8: Use the Bulk Load Utility to Import Users into Oracle
Identity Manager


Overview
In this practice, use the Bulk Load utility to import users into Oracle Identity Manager and assign
them to the Curriculum, Process Owners, Reviewers, Approvers, and Xellerate Users
organizations, and the Training and Legal suborganizations.
Note: You did not create the Xellerate Users organization in the practice titled Create
Organizations. Rather, this organization is created automatically when Oracle Identity Manager
is installed.

Assumptions

You created parent organizations for the Curriculum, Process Owners, Reviewers, and
Approvers departments.

You created suborganizations for the Training and Legal departments.

Tasks
1. Shut down Oracle Identity Manager Server and the Oracle Identity Manager
Administration Console.
2. Using Windows Explorer, navigate to the
D:\app\oracle\product\middleware\iam_home\server\db\oim\oracle\Utilities\oimbulkload\csv_files
directory.
3. Using Notepad, open the master.txt file.
Note: The master.txt file contains the name of the CSV file that has the user records you
want to load into Oracle Identity Manager through the Bulk Load utility.
4. For this practice, user records are stored in the usrfinal.csv file. Therefore,
change the value in this file to usrfinal.csv.
5. Save and close the master.txt file.
6. On the DOS window that you used to run the Bulk Load utility in the practice titled Use
the Bulk Load Utility to Import a Role Category into Oracle Identity Manager, navigate to
the directory that contains the Bulk Load utility. For this course, the utility is located in
the D:\app\oracle\product\middleware\iam_home\server\db\
oim\oracle\Utilities\oimbulkload\scripts directory.
7. Enter oim_blkld.bat at the DOS prompt (and press Enter).
8. On the Main Menu screen, press 1 (and press Enter).
Note: You select 1 because for this practice, you are using the Bulk Load utility to load
user records into Oracle Identity Manager.


9. On the prerequisite check screen, press Enter.


Note: For more information about the prerequisites verified by the Bulk Load utility, refer
to the practice titled Use the Bulk Load Utility to Import a Role Category into Oracle
Identity Manager.
10. On the Enter Database Details screen, specify the Home directory for Oracle Database
(and press Enter).
Note: For this course, the base directory for Oracle Database is
D:\app\oracle\product\11.1.0\db_1.
11. At the prompt, enter the connection string that Oracle Identity Manager requires to
connect to Oracle Database (and press Enter).
Note: The connection string (//LOCALHOST:1521/ORCL) consists of the IP address,
port number, and name of the Oracle Database instance to which Oracle Identity
Manager connects.
12. At the prompt, enter the name of the user in Oracle Database who owns the schema for
Oracle Identity Manager (and press Enter).

Note: For this course, DEV_OIM represents this user.
13. At the Enter password for OIM database user prompt, enter Welcome1, the
password for the DEV_OIM user that you specified in step 12 (and press Enter).
At the Enter password for OIM database user again prompt, enter
Welcome1 (and press Enter).
14. On the Select the input screen, enter the number that represents the classification type
of the file that contains the data you want to import into Oracle Identity Manager through
the Bulk Load utility (and press Enter).
Note: For this practice, enter 2 because the user data that you want to import into
Oracle Identity Manager through the Bulk Load utility is contained in a comma-separated
value (CSV) file.
15. At the prompt, enter master.txt (and press Enter).
Note: master.txt contains the name of the CSV file that has the user records that you
want to load into Oracle Identity Manager through the Bulk Load utility.
16. At the prompt, enter the name of the user in Oracle Database who owns the schema for
Oracle Identity Manager (and press Enter).

Note: This schema (DEV_OIM) is to be used to hold values associated with users who
are imported into Oracle Identity Manager through the Bulk Load utility.
17. At the prompt, specify a date format for the user data that is to be imported into Oracle
Identity Manager through the Bulk Load utility (and press Enter).


18. At the Enter the batch size for processing prompt, enter 10000 (and press Enter).

Note: This value represents the number of user records that must be processed by the
Bulk Load utility as a single transaction.
19. At the Do you wish to insert log msgs prompt, enter y (and press Enter).
Note: When you enter y at the prompt, a log file is generated after user data is loaded
into Oracle Identity Manager through the Bulk Load utility. This log file can be used to
troubleshoot any problems that may occur with information being imported into Oracle
Identity Manager through this utility.
20. At the prompt, enter the ID of the Oracle Identity Manager superuser account (and press
Enter).

Note: For this practice, XELSYSADM is the ID of the Oracle Identity Manager superuser.
The Bulk Load utility loads user records into Oracle Identity Manager. When the DOS
prompt appears, the information is imported.

You are ready to verify that the Bulk Load utility imported user records into Oracle
Identity Manager successfully.
21. Start Oracle Identity Manager Server and the Oracle Identity Manager Administration
Console.
22. On the Home page of the Identity Administration Console, click the Advanced Search
Users link.


23. In the text field to the right of the User Login field, enter KALLEN, the ID of a user that
you imported into Oracle Identity Manager through the Bulk Load utility. Click Search.

The user record of Kathleen Allen appears in the Search Results pane.

This signifies that the Bulk Load utility loaded this user record into Oracle Identity
Manager successfully.

24. Repeat steps 22 and 23 to verify that the following users are imported into Oracle
Identity Manager through the Bulk Load utility:

Field                              Value

First Name                         Sam
Last Name                          Perkins
Design Console Access check box    [selected]
User Login                         SPERKINS
Organization                       Process Owners
User Type                          Full-Time Employee

First Name                         Tom
Last Name                          Jones
Design Console Access check box    [selected]
User Login                         TJONES
Organization                       Reviewers
User Type                          Full-Time Employee

First Name                         Theresa
Last Name                          Smith
Design Console Access check box    [selected]
User Login                         TSMITH
Organization                       Training
User Type                          Full-Time Employee

First Name                         Valli
Last Name                          Pataballa
Design Console Access check box    [selected]
User Login                         VPATABAL
Organization                       Approvers
User Type                          Full-Time Employee

First Name                         Alan
Last Name                          Kovacic
Design Console Access check box    [selected]
User Login                         AKOVACIC
Organization                       Legal
User Type                          Full-Time Employee

First Name                         Admin
Last Name                          User
Design Console Access check box    [selected]
User Login                         ADMINISTRATOR
Organization                       Xellerate Users
User Type                          Full-Time Employee

Note: You did not create the Xellerate Users organization in the practice titled Create
Organizations. Rather, this organization is created automatically when Oracle Identity
Manager is installed.
In this practice, you used the Bulk Load utility to import users into Oracle Identity
Manager. You are ready to use this utility to load roles into Oracle Identity Manager and
assign the roles to the Administrative and Technical role categories.
Roles are used to create and manage records of a collection of users to whom you want
to permit access to common functionality, such as access rights, roles, or permissions.


Practice 5-9: Use the Bulk Load Utility to Import and Assign Roles in
Oracle Identity Manager


Overview
For this practice, use the Bulk Load utility to import roles into Oracle Identity Manager and
assign them to the role categories. Specifically, you:
Import the Oracle 11g Managers role into Oracle Identity Manager and assign this role to the
Administrative role category

Import the IT role into Oracle Identity Manager and assign this role to the Technical role
category

Assumptions
You created or imported two role categories in Oracle Identity Manager: Administrative and
Technical.
Note: You created the Administrative role category in Oracle Identity Manager in the practice
titled Create a Role Category. You used the Bulk Load utility to import the Technical role
category into Oracle Identity Manager in the practice titled Use the Bulk Load Utility to Import a
Role Category into Oracle Identity Manager.

Tasks
1. Shut down Oracle Identity Manager Server and the Oracle Identity Manager
Administration Console.
2. Using Windows Explorer, navigate to the D:\app\oracle\product\middleware\
iam_home\server\db\oim\oracle\Utilities\oimbulkload\csv_files
directory.
3. Using Notepad, open the master.txt file.
Note: The master.txt file contains the name of the CSV file that has the roles you
want to load into Oracle Identity Manager through the Bulk Load utility.
4. For this practice, the roles are stored in the Rolefinal.csv file. Therefore, change the
value in this file to Rolefinal.csv.
5. Save and close the master.txt file.
6. On the DOS window that you used to run the Bulk Load utility in the practice titled Use
the Bulk Load Utility to Import a Role Category into Oracle Identity Manager, navigate to
the directory that contains the Bulk Load utility. For this course, the utility is located in
the D:\app\oracle\product\middleware\iam_home\server\db\
oim\oracle\Utilities\oimbulkload\scripts directory.
7. Enter oim_blkld.bat at the DOS prompt (and press Enter).
8. On the Main Menu screen, press 3 (and press Enter).
Note: You select 3 because for this practice, you are using the Bulk Load utility to load
roles into Oracle Identity Manager.
9. On the prerequisite check screen, press Enter.
Note: For more information about the prerequisites verified by the Bulk Load utility, refer
to the practice titled Use the Bulk Load Utility to Import a Role Category into Oracle
Identity Manager.


10. On the Enter Database Details screen, specify the Home directory for Oracle Database
(and press Enter).


Note: For this course, the base directory for Oracle Database is
D:\app\oracle\product\11.1.0\db_1.
11. At the prompt, enter the connection string that Oracle Identity Manager requires to
connect to Oracle Database (and press Enter).
Note: The connection string (//LOCALHOST:1521/ORCL) consists of the IP address,
port number, and name of the Oracle Database instance to which Oracle Identity
Manager connects.
12. At the prompt, enter the name of the user in Oracle Database who owns the schema for
Oracle Identity Manager (and press Enter).
Note: For this course, DEV_OIM represents this user.
13. At the Enter password for OIM database user prompt, enter Welcome1, the
password for the DEV_OIM user that you specified in step 12 (and press Enter).
At the Enter password for OIM database user again prompt, enter
Welcome1 (and press Enter).
14. On the Select the input screen, enter the number that represents the classification type
of the file that contains the data you want to import into Oracle Identity Manager through
the Bulk Load utility (and press Enter).
Note: For this practice, enter 2 because the roles that you want to import into Oracle
Identity Manager through the Bulk Load utility are contained in a comma-separated
value (CSV) file.
15. At the prompt, enter master.txt (and press Enter).
Note: master.txt contains the name of the CSV file that has the roles you want to
load into Oracle Identity Manager through the Bulk Load utility.
16. At the prompt, enter the name of the user in Oracle Database who owns the schema for
Oracle Identity Manager (and press Enter).
Note: This schema (DEV_OIM) is to be used to hold values associated with roles that are
imported into Oracle Identity Manager through the Bulk Load utility.
17. At the prompt, specify a date format for the user data that is to be imported into Oracle
Identity Manager through the Bulk Load utility (and press Enter).
18. At the Do you wish to insert log msgs prompt, enter y (and press Enter).
Note: When you enter y at the prompt, a log file is generated after roles are loaded into
Oracle Identity Manager through the Bulk Load utility. This log file can be used to
troubleshoot any problems that may occur with information being imported into Oracle
Identity Manager through this utility.
The Bulk Load utility loads roles into Oracle Identity Manager. When the DOS prompt
appears, the information is imported.
You are ready to verify that the Bulk Load utility imported roles into Oracle Identity
Manager successfully.
19. Start Oracle Identity Manager Server and the Oracle Identity Manager Administration
Console.
20. On the Home page of the Identity Administration Console, click the Advanced Search
Roles link.


21. Populate the fields of the Advanced Search: Roles form, as follows:

Field                 Value
All option            [selected]
Name                  Oracle 11g Managers
Role Category Name    Administrative

22. Click Search.


The Oracle 11g Managers role appears in the Search Results pane.

This signifies that the Bulk Load utility loaded this role into Oracle Identity Manager and
assigned it to the Administrative role category successfully.
23. Repeat steps 20 through 22 to verify that the IT role is imported into Oracle Identity
Manager and assigned to the Technical role category through the Bulk Load utility.
In this practice, you used the Bulk Load utility to import roles into Oracle Identity
Manager and assign the roles to role categories. You are ready to use this utility to
assign users to the roles that you created and imported in Oracle Identity Manager.


Practice 5-10: Use the Bulk Load Utility to Assign Users to Roles in
Oracle Identity Manager


Overview
In the practice titled Use the Bulk Load Utility to Import Users into Oracle Identity Manager,
you used the Bulk Load utility to import the following user records into Oracle Identity Manager:
Kathleen Allen, Theresa Smith, Sam Perkins, Alan Kovacic, Tom Jones, Valli Pataballa, and
Admin User.
In the practice titled Create Roles, you created the Oracle 11g Approvers role. In the practice
titled Use the Bulk Load Utility to Import and Assign Roles in Oracle Identity Manager, you
used the Bulk Load utility to import the Oracle 11g Managers and IT roles into Oracle Identity
Manager.
In this practice, use the Bulk Load utility to assign the following Oracle Identity Manager users to
their associated roles:

User               Role
Kathleen Allen     Oracle 11g Approvers
Theresa Smith      Oracle 11g Approvers
Sam Perkins        IT
Alan Kovacic       Oracle 11g Managers
Tom Jones          Oracle 11g Managers
Valli Pataballa    SYSTEM ADMINISTRATORS
Admin User         ACCESS POLICY ADMINISTRATORS

Note: You did not create or import the SYSTEM ADMINISTRATORS or ACCESS POLICY
ADMINISTRATORS roles. Rather, these roles are created automatically when Oracle Identity
Manager is installed.

Assumptions
You created and imported all user accounts and roles specified in the practices titled "Use the
Bulk Load Utility to Import Users into Oracle Identity Manager," "Create Roles," and "Use the
Bulk Load Utility to Import and Assign Roles in Oracle Identity Manager."

Tasks
1. Shut down Oracle Identity Manager Server and the Oracle Identity Manager
Administration Console.
2. Using Windows Explorer, navigate to the D:\app\oracle\product\middleware\
iam_home\server\db\oim\oracle\Utilities\oimbulkload\csv_files
directory.
3. Using Notepad, open the master.txt file.
Note: The master.txt file contains the name of the CSV file that has the users you
want to load to roles in Oracle Identity Manager through the Bulk Load utility.
4. For this practice, the user-role associations are stored in the Rolemfinal.csv file.
Therefore, change the value in this file to Rolemfinal.csv.
5. Save and close the master.txt file.

6. In the DOS window you used to run the Bulk Load utility in the practice titled Use the
Bulk Load Utility to Import a Role Category into Oracle Identity Manager, navigate to the
directory that contains the Bulk Load utility. For this course, the utility is located in the
D:\app\oracle\product\middleware\iam_home\server\db\oim\oracle\
Utilities\oimbulkload\scripts directory.
7. Enter oim_blkld.bat at the DOS prompt (and press Enter).
8. On the Main Menu screen, press 5 (and press Enter).
Note: You select 5 because for this practice, you are using the Bulk Load utility to
assign roles to users in Oracle Identity Manager.
9. On the prerequisite check screen, press Enter.
Note: For more information about the prerequisites verified by the Bulk Load utility, refer
to the practice titled Use the Bulk Load Utility to Import a Role Category into Oracle
Identity Manager.
10. On the Enter Database Details screen, specify the Home directory for Oracle Database
(and press Enter).
Note: For this course, the base directory for Oracle Database is
D:\app\oracle\product\11.1.0\db_1.
11. At the prompt, enter the connection string that Oracle Identity Manager requires to
connect to Oracle Database (and press Enter).
Note: The connection string (//LOCALHOST:1521/ORCL) consists of the IP address,
port number, and name of the Oracle Database instance to which Oracle Identity
Manager connects.
12. At the prompt, enter the name of the user in Oracle Database who owns the schema for
Oracle Identity Manager (and press Enter).
Note: For this course, DEV_OIM represents this user.
13. At the Enter password for OIM database user prompt, enter Welcome1, the
password for the DEV_OIM user that you specified in step 12 (and press Enter).
At the Enter password for OIM database user again prompt, enter
Welcome1 (and press Enter).
14. On the Select the input screen, enter the number that represents the classification type
of the file that contains the data you want to import into Oracle Identity Manager through
the Bulk Load utility (and press Enter).

Note: For this practice, enter 2 because the user-role associations that you want to
import into Oracle Identity Manager through the Bulk Load utility are contained in a
comma-separated value (CSV) file.
15. At the prompt, enter master.txt (and press Enter).
Note: master.txt contains the name of the CSV file that has the user-role
associations you want to load into Oracle Identity Manager through the Bulk Load utility.
16. At the prompt, enter the name of the user in Oracle Database who owns the schema for
Oracle Identity Manager (and press Enter).
Note: This schema (DEV_OIM) is to be used to hold values associated with user-role
associations that are imported into Oracle Identity Manager through the Bulk Load utility.
17. At the prompt, specify a date format for the user and role data that is to be imported into
Oracle Identity Manager through the Bulk Load utility (and press Enter).


18. At the Do you wish to insert log msgs prompt, enter y (and press Enter).
Note: When you enter y at the prompt, a log file is generated after user-role associations are
loaded into Oracle Identity Manager through the Bulk Load utility. This log file can be
used to troubleshoot any problems that may occur with information being imported into
Oracle Identity Manager through this utility.
The Bulk Load utility assigns users to roles in Oracle Identity Manager. When the DOS
prompt appears, the information is imported.
You are ready to verify that the Bulk Load utility created user-role associations in Oracle
Identity Manager successfully.
19. Start Oracle Identity Manager Server and the Oracle Identity Manager Administration
Console.
20. On the Home page of the Identity Administration Console, click the Advanced Search
Roles link.
21. In the text field to the right of the Name field, enter Oracle 11g Approvers, the name
of a role that you imported into Oracle Identity Manager through the Bulk Load utility.
Click Search.


22. Click the link that contains the name of the role for which you searched (for this practice,
Oracle 11g Approvers).


23. Click the Members tab (because you want to see users assigned to this role).


Kathleen Allen and Theresa Smith are assigned to the Oracle 11g Approvers role.

This signifies that the Bulk Load utility is used to create user-role associations in Oracle
Identity Manager successfully.
Note: Leonard Agneta is also assigned to the Oracle 11g Approvers role. You assigned
this user to the role in the practice titled Assign Users to Roles.
24. Repeat steps 20 through 23 to verify that the following Oracle Identity Manager users
are assigned to their associated roles through the Bulk Load utility:

User               Role
Sam Perkins        IT
Alan Kovacic       Oracle 11g Managers
Tom Jones          Oracle 11g Managers
Valli Pataballa    SYSTEM ADMINISTRATORS
Admin User         ACCESS POLICY ADMINISTRATORS

Note: You did not create or import the SYSTEM ADMINISTRATORS or ACCESS
POLICY ADMINISTRATORS roles. Rather, these roles are created automatically when
Oracle Identity Manager is installed.
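
The manual check in steps 20 through 24 can be expressed as a comparison of expected and actual role membership. The following is an added example, not part of the course material: the expected pairs come from the User/Role table in this practice, while the export text, its column names (user, role), and the treatment of the two install-time roles as privileged are assumptions made for illustration.

```python
import csv
import io

# Expected assignments, copied from the User/Role table in Practice 5-10.
EXPECTED = {
    ("Kathleen Allen", "Oracle 11g Approvers"),
    ("Theresa Smith", "Oracle 11g Approvers"),
    ("Sam Perkins", "IT"),
    ("Alan Kovacic", "Oracle 11g Managers"),
    ("Tom Jones", "Oracle 11g Managers"),
    ("Valli Pataballa", "SYSTEM ADMINISTRATORS"),
    ("Admin User", "ACCESS POLICY ADMINISTRATORS"),
}

# Membership the page says was assigned by hand in an earlier practice.
MANUAL = {("Leonard Agneta", "Oracle 11g Approvers")}

# Assumption: the two roles created at install time are treated as privileged.
PRIVILEGED = {"SYSTEM ADMINISTRATORS", "ACCESS POLICY ADMINISTRATORS"}

# Constructed sample export (hypothetical columns "user" and "role").
SAMPLE_EXPORT = """user,role
Kathleen Allen,Oracle 11g Approvers
Theresa Smith,Oracle 11g Approvers
Leonard Agneta,Oracle 11g Approvers
Sam Perkins,IT
Alan Kovacic,Oracle 11g Managers
tom jones , oracle 11g managers
Valli Pataballa,SYSTEM ADMINISTRATORS
Sam Perkins,SYSTEM ADMINISTRATORS
"""


def norm(text):
    """Collapse whitespace and ignore case so cosmetic differences do not count."""
    return " ".join(text.split()).casefold()


def key(user, role):
    return (norm(user), norm(role))


def review(export_text, expected=EXPECTED, manual=MANUAL):
    """Compare exported memberships with the expected set.

    Returns missing pairs, unexpected pairs, and the unexpected pairs that
    grant a privileged role, each as a sorted list of (user, role).
    """
    actual = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user, role = row["user"].strip(), row["role"].strip()
        actual[key(user, role)] = (user, role)

    wanted = {key(u, r): (u, r) for u, r in expected}
    known = set(wanted) | {key(u, r) for u, r in manual}

    missing = sorted(wanted[k] for k in wanted.keys() - actual.keys())
    unexpected = sorted(actual[k] for k in actual.keys() - known)
    privileged_names = {norm(r) for r in PRIVILEGED}
    unexpected_privileged = [p for p in unexpected if norm(p[1]) in privileged_names]
    return {
        "missing": missing,
        "unexpected": unexpected,
        "unexpected_privileged": unexpected_privileged,
    }


if __name__ == "__main__":
    for section, pairs in review(SAMPLE_EXPORT).items():
        print(section, pairs)
```
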

Practices for Lesson 6
Chapter 6

Practices Overview
In these practices, you become familiar with importing and using a predefined connector for
Oracle Identity Manager 11g.
Your tasks include:
1. Copying connector and external code files
2. Configuring Oracle Identity Manager Server
3. Importing the Oracle Identity Manager connector
4. Defining an IT resource
5. Creating a user
6. Assigning the connector to this user
7. Populating the fields of the custom process form contained within the connector and
saving this information to the database
8. Verifying that Oracle Identity Manager used the information you entered into the form to
provision the user with the associated external resource (for this practice, a Sun Java
System Directory Server)

Important: For the practices in this lesson, <hostname> represents the host name of the
machine on which the practices are completed. Because the host name for your machine is
unique, replace all references of <hostname> with the host name of your machine.
To retrieve the host name of your machine:
1. Open a DOS window.
2. At the DOS prompt, enter hostname. The host name of your machine appears.


Practice 6-1: Copy Connector and External Code Files


Overview
In this practice, you transfer Oracle Identity Manager connector files and external code files for
Sun Java System Directory Server to folders on Oracle Identity Manager Server. By doing so,
you enable the associated connector to function with Oracle Identity Manager.
Important: The D:\app\oracle\product\middleware\iam_home\server\SJSDS\
test and D:\app\oracle\product\middleware\iam_home\server\SJSDS\xml
directories do not exist. You create them in this practice.

Assumptions
Oracle Identity Manager 11g is installed and configured.

Tasks
1. From Windows Explorer, navigate to the D:\stage\labs\lab_06 directory.


2. Copy the ldap.jar, ldapbp.jar, and ldapsdk-4.1.jar files, which reside in this
directory.
3. Paste these files into the D:\app\oracle\product\middleware\iam_home\
server\ThirdParty directory.

Tip: You may find it easier to have two Windows Explorer windows open to perform the
copy and paste tasks.


4. Copy the SJSDSProv.jar file, which resides in the
D:\stage\OIM_11g_Connectors\SJSDS\SJSDS_90440\lib directory.
5. Paste this file into the
D:\app\oracle\product\middleware\iam_home\server\JavaTasks directory.
6. Copy the xlScheduler.jar file, which resides in the D:\stage\labs\lab_06
directory.
7. Paste this file into the
D:\app\oracle\product\middleware\iam_home\server\ScheduleTask
directory.
8. Copy the SJSDSRecon.jar file, which resides in the
D:\stage\OIM_11g_Connectors\SJSDS\SJSDS_90440\lib directory.
9. Paste this file into the
D:\app\oracle\product\middleware\iam_home\server\ScheduleTask
directory.


10. Copy all files that reside in the
D:\stage\OIM_11g_Connectors\SJSDS\SJSDS_90440\resources directory.
11. Paste these files into the
D:\app\oracle\product\middleware\iam_home\server\
connectorResources directory.
12. Create the SJSDS subdirectory within the D:\app\oracle\product\middleware\
iam_home\server directory.
13. Copy the D:\stage\OIM_11g_Connectors\SJSDS\SJSDS_90440\test directory.


14. Paste this directory into the D:\app\oracle\product\middleware\iam_home\
server\SJSDS directory.
As a result, the test directory and all of its files and subdirectories are nested in the
D:\app\oracle\product\middleware\iam_home\server\SJSDS directory.
15. Copy the D:\stage\OIM_11g_Connectors\SJSDS\SJSDS_90440\xml directory.
16. Paste this directory into the D:\app\oracle\product\middleware\iam_home\
server\SJSDS directory.
As a result, the xml directory and all of its files are nested in the D:\app\oracle\
product\middleware\iam_home\server\SJSDS directory.


Practice 6-2: Configure Oracle Identity Manager Server


Overview


In this practice, you configure Oracle Identity Manager Server. This includes performing the
following actions:

Clearing content related to connector files from the Server cache. In the practice titled
Copy Connector and External Code Files, you copied connector and external code
files to folders on Oracle Identity Manager Server. Some files are copied to the
D:\app\oracle\product\middleware\iam_home\server\
connectorResources folder.
Whenever you add a new file or change an existing file in this folder, you must clear
content related to connector files from the Server cache.

Enabling logging. When you enable logging, Oracle Identity Manager stores
information in a log file about events that occur during the course of provisioning and
reconciliation operations. In addition, you customize the log level to specify the type of
event for which you want logging to take place.
Note: By setting the log level for Sun Java System Directory Server (SJSDS), Oracle
Identity Manager logs information about events that occur during provisioning and
reconciliation with this resource.

Assumptions
You completed the practice titled Copy Connector and External Code Files.

Tasks
1. Open a DOS window. To do so, from the Windows Start Menu, select Run.
2. In the Run window, enter cmd in the Open field and click OK.
3. In the DOS window, navigate to the D:\app\oracle\product\middleware\
iam_home\server\bin directory.
4. Enter set WL_HOME=D:\app\oracle\product\middleware\wls_home at the
DOS prompt (and press Enter).
Note: You enter the command in step 4 to set the WL_HOME environment variable to the
base directory of Oracle WebLogic Server.
5. Enter setEnv.bat at the DOS prompt (and press Enter).
Note: You enter the command in step 5 to set environment variables for Oracle Identity
Manager.
6. Enter PurgeCache.bat ConnectorResourceBundle at the DOS prompt (and press
Enter).


7. Enter values for the prompts that appear, as follows (and press Enter after each value):

Prompt                      Value
Enter the admin username    xelsysadm
Enter the admin username    Welcome1
Enter the service url       t3://localhost:7007

Note: For security purposes, the password you enter is hidden. Also, 7007 is the port
reserved for Oracle Identity Manager.
Oracle Identity Manager empties the content from its Server cache. After the cache is
cleared, a DOS prompt appears.

You are ready to enable logging and set the log level for Oracle Identity Manager.
8. In Windows Explorer, navigate to the D:\app\oracle\product\middleware\
user_projects\domains\IDMDomain\config\fmwconfig\servers\
oim_server1 directory.
9. Using a text editor, open the logging.xml file.
10. Scroll to the bottom of the file.


Directly above the </loggers> end tag, add the following lines of code to this file:
<logger name="oracle.iam" level="WARNING:1" useParentHandlers="false">
  <handler name="odl-handler"/>
</logger>
<logger name="XL_INTG.SJSDS" level="WARNING:1" useParentHandlers="false">
  <handler name="odl-handler"/>
</logger>

Note: When you enable logging for Oracle Identity Manager, information about events
that occur during the course of provisioning and reconciliation operations is stored in a
log file. In addition, you customize the log level to specify the type of event for which you
want logging to take place.
For this practice, you are setting the log level for Oracle Identity Manager to Warning
(WARNING:1). This level designates potentially harmful situations.
11. Save your changes to the logging.xml file. Close the file.
You are ready to set the log level for Sun Java System Directory Server.
12. In Windows Explorer, navigate to the D:\app\oracle\product\middleware\
iam_home\server\config directory.
13. Using Microsoft Wordpad, open the log.properties file.


14. Add the following line of code to the end of this file:
log4j.logger.XL_INTG.SJSDS=WARN

Note: By setting the log level for Sun Java System Directory Server (SJSDS), Oracle
Identity Manager logs information about events that occur during provisioning and
reconciliation with this resource.
15. Save your changes to the log.properties file. Close the file.
16. Restart Oracle Identity Manager Server.
Note: For more information about restarting this server, refer to the document titled
Practices for Lesson 3.
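An added check, not part of the Oracle guide, for confirming the logging.xml and log.properties edits from steps 10 through 14 before the restart in step 16. The element layout around <loggers>, the sample documents and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Loggers the practice adds to logging.xml, with the attributes each must carry.
REQUIRED_LOGGERS = {
    "oracle.iam": {"level": "WARNING:1", "useParentHandlers": "false"},
    "XL_INTG.SJSDS": {"level": "WARNING:1", "useParentHandlers": "false"},
}
REQUIRED_HANDLER = "odl-handler"
LOG4J_KEY, LOG4J_LEVEL = "log4j.logger.XL_INTG.SJSDS", "WARN"


def check_logging_xml(xml_text):
    """Return a list of problems with the practice's loggers (empty list = OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Unquoted attribute values and unclosed tags are caught here.
        return [f"not well-formed XML: {exc}"]
    parent = root.find("loggers")
    if parent is None:
        return ["no <loggers> element under the document root"]
    declared = {h.get("name") for h in root.iter("log_handler")}
    inside = {lg.get("name"): lg for lg in parent.findall("logger")}
    anywhere = {lg.get("name") for lg in root.iter("logger")}
    problems = []
    for name, attrs in REQUIRED_LOGGERS.items():
        logger = inside.get(name)
        if logger is None:
            where = "defined outside <loggers>" if name in anywhere else "missing"
            problems.append(f"logger {name}: {where}")
            continue
        for attr, expected in attrs.items():
            if logger.get(attr) != expected:
                problems.append(
                    f"logger {name}: {attr} is {logger.get(attr)!r}, expected {expected!r}")
        handlers = {h.get("name") for h in logger.findall("handler")}
        if REQUIRED_HANDLER not in handlers:
            problems.append(f'logger {name}: no <handler name="{REQUIRED_HANDLER}"/>')
        elif REQUIRED_HANDLER not in declared:
            problems.append(f"logger {name}: handler {REQUIRED_HANDLER} is not declared")
    return problems


def check_log_properties(text):
    """Return problems with the log4j line that step 14 appends to log.properties."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key, sep, val = line.partition("=")
        if sep and key.strip() == LOG4J_KEY:
            value = val.strip()  # keep the last assignment of the key
    if value is None:
        return [f"{LOG4J_KEY} is not set"]
    level = value.split(",")[0].strip()  # the level precedes any appender names
    if level.upper() != LOG4J_LEVEL:
        return [f"{LOG4J_KEY} is {level!r}, expected {LOG4J_LEVEL}"]
    return []


def _sample(inside, after=""):
    """Build a constructed logging.xml around the given logger snippets."""
    return (
        "<logging_configuration>\n"
        '  <log_handlers><log_handler name="odl-handler" class="constructed.Handler"/>'
        "</log_handlers>\n"
        f"  <loggers>\n{inside}  </loggers>\n{after}"
        "</logging_configuration>\n"
    )


# Constructed samples: correct, typed without quotation marks, pasted below </loggers>.
IAM = ('<logger name="oracle.iam" level="WARNING:1" useParentHandlers="false">\n'
       '<handler name="odl-handler"/>\n</logger>\n')
SJSDS = IAM.replace("oracle.iam", "XL_INTG.SJSDS")
GOOD_XML = _sample(IAM + SJSDS)
UNQUOTED_XML = _sample(IAM.replace('"', "") + SJSDS)
MISPLACED_XML = _sample(IAM, after=SJSDS)

if __name__ == "__main__":
    for label, doc in (("good", GOOD_XML), ("unquoted", UNQUOTED_XML),
                       ("misplaced", MISPLACED_XML)):
        print(label, check_logging_xml(doc) or "OK")
    print("log.properties", check_log_properties(f"{LOG4J_KEY}={LOG4J_LEVEL}\n") or "OK")
```

To check the real files, read them as text and pass the contents to the two functions.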


Practice 6-3: Import an Oracle Identity Manager Connector

Overview
In this practice, log in to the Oracle Identity Manager Advanced Administration Console with the
xelsysadm superuser account. Use the Connector Installer to import an Oracle Identity
Manager connector for Sun Java System Directory Server into your environment.

Assumptions
You completed the practices titled Copy Connector and External Code Files and Configure
Oracle Identity Manager Server.

Tasks
1. From Windows Explorer, navigate to the D:\stage\OIM_11g_Connectors\SJSDS
directory.
2. Copy the SJSDS_90440.zip file, which resides in this directory.

3. Paste this file into the D:\app\oracle\product\middleware\iam_home\server\
ConnectorDefaultDirectory directory.
4. Unzip the SJSDS_90440.zip file into this directory.
Note: The SJSDS_90440 folder is automatically created and nested in the
D:\app\oracle\product\middleware\iam_home\server\
ConnectorDefaultDirectory directory.
5. Launch the Oracle Identity Manager Identity Administration Console.
6. Log in to this console with the xelsysadm superuser account.
Note: For more information about launching the Oracle Identity Manager Identity
Administration Console, refer to the document titled Practices for Lesson 3.


7. On the Home page of the Oracle Identity Manager Identity Administration Console, click
Advanced.


8. On the Home page of the Oracle Identity Manager Advanced Administration Console,
click the Install Connector link (located in the System Management pane).

Note: For more information about the Oracle Identity Manager Advanced Administration
Console, refer to the lesson titled Launching Oracle Identity Manager.

9. From the Connector List box, select the name of the connector that you want to import
into Oracle Identity Manager (for this practice, Sun Java System Directory 9.0.4.4). Click
Load.


10. After verifying that the Connector History Details and Connector Dependency Details
panes are populated with information, click Continue.


The following tasks are performed in sequence:


a. Configuration of Connector Libraries. Oracle Identity Manager configures
software files. These software files are contained in the Integration Library of the
Oracle Identity Manager connector for Sun Java System Directory Server.
b. Import of Connector XML Files. These XML files represent the Oracle Identity
Manager connector for the Sun Java System Directory Server that you are
importing into your environment.
c. Compilation of Adapter Definitions. Oracle Identity Manager compiles the
adapters that are imported along with other components of the Oracle Identity
Manager connector for Sun Java System Directory Server.
Oracle Identity Manager must recompile these adapters. Otherwise, their code
cannot reside in the application server associated with your Oracle Identity
Manager environment. As a result, they cannot function.


On successful completion of a task, a green check mark is displayed for the task. If all
three tasks of the connector installation process are successful, a message indicating a
successful installation appears.


11. Click Finish.

Important: If you receive a Failed status message for the Import of Connector XML Files
task, the XML files for the Sun Java System Directory Server connector are not imported
into Oracle Identity Manager properly. To ensure that these files are transferred into
Oracle Identity Manager successfully, click Retry.
Now that you have imported an Oracle Identity Manager connector for Sun Java System
Directory Server, you are ready to configure this connector to operate in your
environment.

Practice 6-4: Define an IT Resource

Overview
By importing your Oracle Identity Manager connector, you transfer any IT resource types for that
connector into your environment. However, because an IT resource contains administrative
credentials that Oracle Identity Manager requires to provision a user to a specific resource (for
this practice, Sun Java System Directory Server), you must create this definition.
In this practice, you create an IT resource named Sun IT Resource for the LDAP Server IT
resource type.

Assumptions
You completed the practices titled Copy Connector and External Code Files, Configure
Oracle Identity Manager Server, and Import an Oracle Identity Manager Connector.

Tasks

1. Navigate to the Home page of the Oracle Identity Manager Advanced Administration
Console.
Note: For more information about accessing the Home page of this console, refer to the
practice titled Import an Oracle Identity Manager Connector.
2. On the Home page of the Oracle Identity Manager Advanced Administration Console,
click the Create IT Resource link (located in the Configuration pane).


3. Populate the fields of the Provide IT Resource Information page that appears.

Field               Value
IT Resource Name    Sun IT Resource
IT Resource Type    LDAP Server
Remote Manager      [do not populate]

Note: LDAP Server is the name of the IT resource type that you imported for Sun Java
System Directory Server (along with the other components of the connector). To assign
this IT resource type to the Sun IT Resource, complete the following steps:
a. Click the magnifying glass to the right of the IT Resource Type field.

b. On the Select IT Resource Type lookup form:
i. Ensure that IT Resource Type appears in the Filter By drop-down list.
ii. Select the option that represents the IT resource type to which you want
to assign the Sun IT Resource. For this practice, LDAP Server
represents this IT resource type.
iii. Click Select.

4. On the Provide IT Resource Information page, click Continue.

5. Parameters for your IT resource type appear. Enter values for parameters of your IT
resource on the Specify IT Resource Parameter Page, as follows:

Parameter                                    Value
Admin Id                                     cn=Directory Manager
Admin Password                               dead_line
Group Reconciliation Time Stamp              20090801170000Z
Port                                         53016
Prov Attribute Lookup Code                   AttrName.Prov.Map.iPlanet
Prov Group Attribute Lookup Code             AtMap.iPlanetGroup
Prov Role Attribute Lookup Code              AttrMap.iPlanetRole
Recon Attribute Lookup Code                  AttrName.Recon.Map.iPlanet
Role Reconciliation Time Stamp               20090801170000Z
Root DN                                      dc=us,dc=oracle,dc=com
Server Address                               localhost
SSL                                          false
Target Resource Reconciliation Time Stamp    20090801170000Z
Trusted Source Reconciliation Time Stamp     20090801170000Z
Use XL Org Structure                         false

Note: To enter a value into the Value field, click the designated field. Also, for security
purposes, the password appears as a series of bullets (•).
For more information about parameters and values of the Sun IT Resource, refer to the
lesson titled Understanding Predefined Connectors (Initial Onboarding).
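An added review of the IT resource parameters listed for this step, not part of the Oracle guide: it checks the time stamp and port values and reports what SSL set to false and a bind as cn=Directory Manager mean for the stored credentials. The function name, severity labels and the host ldap.example.test are constructed for this example, and the YYYYMMDDhhmmssZ pattern is inferred from the values shown in the practice.

```python
import re
from datetime import datetime

# Parameter values from the practice's table; the password is a placeholder here.
LAB_PARAMS = {
    "Admin Id": "cn=Directory Manager",
    "Admin Password": "<lab-password>",
    "Group Reconciliation Time Stamp": "20090801170000Z",
    "Port": "53016",
    "Role Reconciliation Time Stamp": "20090801170000Z",
    "Root DN": "dc=us,dc=oracle,dc=com",
    "Server Address": "localhost",
    "SSL": "false",
    "Target Resource Reconciliation Time Stamp": "20090801170000Z",
    "Trusted Source Reconciliation Time Stamp": "20090801170000Z",
}

LOOPBACK = re.compile(r"^(localhost|127(\.[0-9]{1,3}){3}|::1)$", re.IGNORECASE)
TIMESTAMP = re.compile(r"^[0-9]{14}Z$")


def review_it_resource(params):
    """Return (severity, parameter, message) findings for an LDAP IT resource."""
    findings = []

    # Reconciliation time stamps: YYYYMMDDhhmmssZ, the shape used in the table.
    for name, value in params.items():
        if not name.endswith("Time Stamp"):
            continue
        try:
            if not TIMESTAMP.match(value):
                raise ValueError(value)
            datetime.strptime(value, "%Y%m%d%H%M%SZ")  # rejects month 13, hour 25, ...
        except ValueError:
            findings.append(("error", name, f"{value!r} is not YYYYMMDDhhmmssZ"))

    port = params.get("Port", "")
    if not (re.fullmatch(r"[0-9]{1,5}", port) and 1 <= int(port) <= 65535):
        findings.append(("error", "Port", f"{port!r} is not a TCP port"))

    # With SSL off, the bind DN and password are sent unencrypted.
    if params.get("SSL", "").strip().lower() != "true":
        host = params.get("Server Address", "").strip()
        if LOOPBACK.match(host):
            findings.append(
                ("info", "SSL", "cleartext bind stays on the loopback interface"))
        else:
            findings.append(
                ("high", "SSL",
                 f"cleartext bind to {host or 'unset host'} exposes Admin Password"))

    # cn=Directory Manager is the directory's superuser entry.
    admin = re.sub(r"\s*([=,])\s*", r"\1", params.get("Admin Id", "")).lower()
    if admin == "cn=directory manager":
        findings.append(("warn", "Admin Id", "connector binds as the directory superuser"))
    return findings


if __name__ == "__main__":
    print("lab values:")
    for finding in review_it_resource(LAB_PARAMS):
        print("  ", finding)
    # Constructed variant: same settings pointed at a directory on another host.
    remote = dict(LAB_PARAMS, **{"Server Address": "ldap.example.test"})
    print("remote directory:")
    for finding in review_it_resource(remote):
        print("  ", finding)
```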


6. Click Continue.


7. On the Set Access Permission to IT Resource page, click Continue.

Note: The Set Access Permission to IT Resource page contains a list of roles that have
Read, Write, and Delete permissions on the IT resource that you are creating. For more
information about assigning roles to the IT resource, setting access permissions for the
roles, or modifying access permissions of roles assigned to the IT resource, refer to
Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager 11g
Release 1 (11.1.1).

8. On the Verify IT Resource Details page, review information that you provided on the
Provide IT Resource Information, Specify IT Resource Parameter Page, and Set Access
Permission to IT Resource pages. Click Continue.


9. On the IT Resource Connection Result page, click Continue.

Note: Some predefined connectors come equipped with a connectivity test that is run by
using the IT resource information provided in the Specify IT Resource Parameter Page.
The IT Resource Connection Result page displays results of this connectivity test.
However, test connectivity is not supported for the Oracle Identity Manager connector for
Sun Java System Directory Server. For this reason, click Continue.

10. On the IT Resource Created page, click Finish.

You have defined an IT resource for Sun Java System Directory Server.

Important: You have defined an IT resource for Sun Java System Directory Server.
Before proceeding, you will start the console to verify that it is running.
The following procedure shows you how to launch the console for Sun Java System
Directory Server.
1. Within Windows Explorer, double-click the startconsole.exe file (found in the
D:\Program Files (x86)\Sun\MPS directory). The Sun ONE Server Console
can also be started by clicking Start > Programs > Sun ONE Server Products >
Sun ONE Server Console 5.2.
2. Populate the Sun ONE Server Console Login window, as follows:
Parameter             Value
User ID               cn=Directory Manager
Password              dead_line
Administration URL    http://localhost.oracle.com:53017

Note: For security purposes, the password that you enter appears as a series of
asterisks.
3. Click OK.

Sun ONE Server Console appears.

You started the Sun ONE Server Console for Sun Java System Directory Server.

Practice 6-5: Create a User


Overview

In this practice, use the Oracle Identity Manager Identity Administration Console to create the
following user record:
Field                              Value
First Name                         James
Last Name                          Mosher
Design Console Access check box    [cleared]
User Login                         JMOSHER
Password                           Welcome1
Confirm Password                   Welcome1
Organization                       Curriculum
User Type                          Full-Time Employee

Assumptions
You completed the practice titled Create Users.

Practice 6-6: Assign the Connector to a User


Overview

In this practice, use the Oracle Identity Manager Identity Administration Console to assign the
connector for Sun Java System Directory Server to the end user with the ID of JMOSHER.

Assumptions
You completed all practices for this lesson (that is, practices 6-1 through 6-5).

Tasks
1. Click the Welcome tab to return to the Oracle Identity Manager Identity Administration
Console Home page.
2. Click the Advanced Search - Users link on this page.


3. Enter JMOSHER in the text box to the right of the User Login drop-down list. Click
Search.
Note: JMOSHER is the ID of the end user that you created in the practice titled Create
a User.
4. From the result set, click the link that contains the full name of James Mosher.


5. Click the Resources tab.

6. On the Resources tab, click Add.

Note: Click the Resources tab and the Add button because you want to assign the
connector that represents the resource for Sun Java System Directory Server to the end
user with the full name of James Mosher.


7. On the Select a Resource panel, select the iPlanet User connector. Click Continue.

Note: The iPlanet User connector represents the Sun Java System Directory Server
resource.
The Verify Resource Selection panel appears:

You are now ready to populate the fields of the custom process form, contained within
this connector, and save this information to the database. When you complete those
tasks, Oracle Identity Manager provisions the target user with access rights to the
corresponding resource (for this practice, Sun Java System Directory Server).

Practice 6-7: Complete the Custom Process Form

Overview
You are ready to fill out the custom process form, contained in the connector that you assigned
to the target user (that is, James Mosher), and save this information to the database. As a
result, Oracle Identity Manager can grant the user access rights to the corresponding resource
(in this case, Sun Java System Directory Server).
Using the Oracle Identity Manager Identity Administration Console, complete the custom
process form for the connector that represents the Sun Java System Directory Server resource.
After you perform this action, the status of the connector should be Provisioned.

Assumptions
You completed all practices for this lesson (that is, practices 6-1 through 6-6).

Tasks

1. On the Verify Resource Selection panel, click Continue.
2. Populate the custom process form, as follows:
Parameter          Value
Password           JMOSHER
Organization DN    ou=people
Server             Sun IT Resource
Important: If the Common Name field is empty, populate this field with the first name
and last name of the user who is to be provisioned with the Sun Java System Directory
Server resource. For this example, enter James Mosher into the Common Name field.

Note: For security purposes, the password appears as a series of bullets (•).
The Common Name parameter (cn) contains the user's first name and last name.
ou=people is the Distinguished Name (DN) of the organizational unit (ou) to which the
user is to belong in Sun Java System Directory Server. Sun IT Resource is the name of
the IT resource that you created in the practice titled Define an IT Resource. To
populate the custom process form with the values for the Organization DN and Server,
complete the following steps:
a. Click the magnifying glass to the right of the Organization DN field.
b. On the Select Organization DN lookup form:
i. Ensure that Value appears in the Filter By drop-down list.
ii. Select the option that represents the Distinguished Name (DN) of the
organizational unit (ou) to which the user is to belong in Sun Java System
Directory Server. For this practice, ou=people represents this DN.

iii. Click Select.

c. Click the magnifying glass to the right of the Server field.
d. On the Select Server lookup form:
i. Ensure that Instance Name appears in the Filter By drop-down list.
ii. Select the option that represents the name of the IT resource that you
created in the practice titled Define an IT Resource. For this practice,
Sun IT Resource represents this IT resource.

iii. Click Select.


3. On the Provide Process Data panel, click Continue.

4. On the iPlanet User Role panel, click Continue.
5. On the iPlanet User Group panel, click Continue.
6. On the Verify Process Data panel, click Continue.
7. Close the Provisioning Has Been Initiated window.


8. On the Resources tab, click Refresh.

The status of the iPlanet User connector, Provisioned, appears in the Status column of
the Resources tab:

The Provisioned status indicates that Oracle Identity Manager granted access rights to
Sun Java System Directory Server for the target user (that is, James Mosher).
You are ready to verify that the login credentials for this user, which you specified in the
custom process form, can be used to access the associated resource (that is, Sun Java
System Directory Server).


Practice 6-8: Access the Resource

Overview
You learned how to use Oracle Identity Manager to provision an external resource (for this
practice, Sun Java System Directory Server) to a designated user, whose login credentials are
specified in the associated custom form.
Now you must ensure that this user (James Mosher) is provisioned with the resource. For this
practice, this provisioning is accomplished by using Sun ONE Server Console.

Assumptions
You completed all practices for this lesson (that is, practices 6-1 through 6-7).

Tasks
1. From Sun ONE Server Console, expand the localhost.oracle.com node. Then
expand the Server Group node and select the Directory Server item.


2. Click Open. Then click the Directory tab.

3. Expand the dc=us,dc=oracle,dc=com node and select the People organization.

JMOSHER appears in the associated pane. JMOSHER is the ID of James Mosher. This
user is provisioned with Sun Java System Directory Server.

Practices for Lesson 7


Practices Overview

There are three ways to assign a connector to a user in Oracle Identity Manager 11g:

Direct provisioning

Criteria (auto membership rules and access policies)

Requests
In the practices for lesson 6, you learned how to assign a connector to a user by direct
provisioning. In the practices for this lesson, you learn how to assign a connector to a user
through auto membership rules and access policies. In the practices for lesson 8, you learn how
to assign a connector to a user via requests.
After the connector is assigned to the user (for the practices in this lesson, through auto
membership rules and access policies), there are two ways to provision the associated resource
to the user:

Manual provisioning. With manual provisioning, manual intervention is required by the
administrator for provisioning to occur. After a connector is assigned to a user, an
Oracle Identity Manager administrator fills out the custom process form of the
connector and saves form values to a database. Oracle Identity Manager then uses
these values to provision the user with the resource.

Autoprovisioning. Autoprovisioning is the process of provisioning a user with a
resource automatically. Oracle Identity Manager completes the custom process form of
a connector, saves form values to its database, and uses these values to provision the
user with the resource. Oracle Identity Manager completes these three actions (instead
of an administrator). Autoprovisioning eliminates the manual steps performed by an
administrator to fill out the custom process form and save form values to the database.
As with manual provisioning, autoprovisioning occurs after the connector is assigned to
the user.

For these practices, your tasks include:
Creating two users
Assigning the Sun Java System Directory Server connector to each user through auto
membership rules and access policies
Manually provisioning the Sun Java System Directory Server resource to one user
Modifying the Sun Java System Directory Server connector so that Oracle Identity
Manager can provision the other user with the resource automatically

Important: For the practices in this lesson, <hostname> represents the host name of the
machine on which the practices are completed. Because the host name for your machine is
unique, replace all references of <hostname> with the host name of your machine.
To retrieve the host name of your machine:
1. Open a DOS window.
2. At the DOS prompt, enter hostname. The host name of your machine appears.


Practice 7-1: Configure the Resource Object

Overview
In this practice, you configure the Oracle Identity Manager connector for the Sun Java System
Directory Server resource (that is, the iPlanet User connector).
Specifically, you modify this connector so that you can assign multiple instances of it to a user.
Each instance corresponds to a way a connector can be assigned to a user (that is, through
criteria, via requests, and by direct provisioning). You perform this action by selecting the Allow
Multiple check box of your connector's representative resource object (that is, the iPlanet User
resource object).
Using the Oracle Identity Manager Design Console, configure the iPlanet User resource object
so that you can assign multiple instances of the iPlanet User connector to a user.
Note: In the practices for lesson 6, you learned how to assign a connector to a user by direct
provisioning. In the practices for lesson 8, you learn how to assign a connector to a user through
requests.

Assumptions
You imported and configured the Oracle Identity Manager connector for Sun Java System
Directory Server.

Tasks
1. Ensure that the Oracle Identity Manager Design Console is active.
Note: You started the Oracle Identity Manager Design Console in the practice titled
Launch the Oracle Identity Manager Design Console.
2. Open the Resource Objects form (found in the Resource Management folder of the
Oracle Identity Manager Explorer).
3. Query for the connector's representative resource object (by entering the name of the
resource object in the Name field and clicking the Query button on the toolbar). For this
practice, iPlanet User represents this resource object.


4. Select the Allow Multiple check box.

Note: By selecting this check box, you modify the connector for Sun Java System
Directory Server so that you can assign multiple instances of it to a user. Each instance
corresponds to a way that the connector can be assigned to the user (that is, through
criteria, via requests, and by direct provisioning).
5. Click Save to save your modification to the database.


Practice 7-2: Create an Auto Membership Rule


Overview
In this practice, you create criteria that Oracle Identity Manager evaluates to determine whether
a user should be added to a role automatically. As a result, the user is associated with all Oracle
Identity Manager connectors assigned to this role.
The criteria that you are creating is known as an auto membership rule. Auto membership rules
are created through the Rule Designer form of the Oracle Identity Manager Design Console.

Assumptions
You completed the practice titled Configure the Resource Object.

Tasks
1. Open the Rule Designer form (found in the Resource Management folder of the
Oracle Identity Manager Explorer).


2. Populate the fields of this form, as follows:

Field          Value
Name           Oracle 11g Users
Type           General
Description    Auto membership rule for the Oracle 11g Users role

3. Click Save. You can use the buttons in the Rule Elements tab.
4. Click Add Element.

5. Populate the fields of the Edit Rule Element window, as follows:
Field              Value
Attribute          Organization Name
Operation          ==
Attribute Value    Curriculum


6. Click Save. Then click Close.

Note: If a Closing Form window appears, click Yes.


The Rule Designer form appears.


7. Click Save. The outcome of this rule element is true for all users who belong to the
Curriculum organization.
You are ready to assign this auto membership rule to the Oracle 11g Users role. Oracle
Identity Manager automatically assigns users who meet the rule's criteria to this role. As
a result, they can access all connectors associated with the role.


Practice 7-3: Assign an Auto Membership Rule to a Role


Overview
In this practice, you assign the Oracle 11g Users auto membership rule to the Oracle 11g Users
role. This is one of the roles that you defined in the practice titled Create Roles.
By assigning this type of rule to the Oracle 11g Users role, Oracle Identity Manager
automatically assigns users who meet the rule's criteria to this role. As a result, they can access
all connectors associated with the role.

Assumptions
You completed the practices titled Configure the Resource Object and Create an Auto
Membership Rule.

Tasks
1. Ensure that the Oracle Identity Manager Identity Administration Console is active.
2. Click the Welcome tab on this console.
Note: For more information about starting this console, refer to the document titled
Practices for Lesson 3.
3. Click the Advanced Search - Roles link on the Home page of this console.


4. On the Advanced Search: Roles page, query for the Oracle 11g Users role. To do so,
enter Oracle 11g Users in the Name field. Click Search.

5. From the result set, click the link that contains the name of the role.

6. On the Oracle 11g Users page, click Membership Rules.

7. On the Membership Rules form, click Assign Rules.

8. On the Assign Membership Rules page, select the Assign check box to the right of
the auto membership rule (for this practice, Oracle 11g Users). Click Assign.

The Membership Rules page appears.
9. On the Confirmation page, click Confirm Assign.

The Oracle 11g Users auto membership rule is assigned to the Oracle 11g Users role.
You are ready to create an access policy.


Practice 7-4: Create an Access Policy


Overview
In this practice, you create an access policy. When you do so, Oracle Identity Manager allocates
the iPlanet User connector, representing the Sun Java System Directory Server resource, to
any user who belongs to the Oracle 11g Users role (because the user is a member of the
Curriculum organization).

Assumptions
You completed all practices for this lesson (that is, practices 7-1 through 7-3).

Tasks
1. Close the Membership Rules page.
2. Make the Oracle Identity Manager Advanced Administration Console active.
Note: For more information about starting this console, refer to the document titled
Practices for Lesson 6.
3. On the Home page of the Oracle Identity Manager Advanced Administration
Console, click the Create Access Policy link (located in the Policies pane).


4. Populate the fields of the Create Access Policy page, as follows:

Field                                Value
Access Policy Name                   Users Access Policy
Access Policy Description            Access policy for the Oracle 11g Users role
Retrofit Access Policy [check box]   [selected]
Priority

Note: By selecting the Retrofit Access Policy check box, Oracle Identity Manager
applies this access policy to users that you created in the practice titled Create Users.
5. Click Continue.

6. On the Select Resources panel, select and assign the iPlanet User connector to this
access policy (by selecting the iPlanet User check box and clicking Add). Then click
Continue.

7. On the Select Resources panel, click Skip This Step.

Note: Do not provide any parameter values for the IT resource for Sun Java System
Directory Server (represented by the iPlanet User connector). This is because you
already specified these values in the practice titled Define an IT Resource.
8. On the Select Resources to Revoke panel, click Continue.

Note: Through this panel, select connectors assigned to an end user, as long as the
user belongs to a designated role. That is, when the user leaves the role, Oracle Identity
Manager revokes the user's access rights to the corresponding resource.
9. On the Select Resources panel, click Continue.

Note: Through this panel, select connectors that should not be assigned to an end user
who belongs to a designated role.


10. On the Select Roles panel, select and assign the Oracle 11g Users role to this access
policy. To do so:
a. Click the Next link until the Oracle 11g Users role appears.
b. Select the Oracle 11g Users check box.
c. Click Add.
Tip: For step 10a, you can also locate the Oracle 11g Users role by selecting Role
Name from the Filter By drop-down list, entering Oracle 11g Users in the text field
to the right of the Filter By drop-down list, and clicking Go.
11. Click Continue.

12. On the Verify Access Policy Information panel, click Create Access Policy.

Note: The Verify Access Policy Information panel displays high-level information about
the access policy.
The access policy is created.

Oracle Identity Manager assigns the iPlanet User connector, representing the Sun Java
System Directory Server resource, to any user who is a member of the Oracle 11g Users
role (because the user belongs to the Curriculum organization).


Practice 7-5: Create a User


Overview


In this practice, use the Oracle Identity Manager Identity Administration Console to create the
following user record:
Field                              Value
First Name                         Sam
Last Name                          Williams
Design Console Access check box    [cleared]
User Login                         SWILLIAMS
Password                           Welcome1
Confirm Password                   Welcome1
Organization                       Curriculum
User Type                          Full-Time Employee

Then verify that Oracle Identity Manager assigned the iPlanet User connector to the user with
the ID of SWILLIAMS.
Note: SWILLIAMS belongs to the Curriculum organization. Therefore, the Oracle 11g Users
auto membership rule assigns this user to the Oracle 11g Users role. As a result, the Users
Access Policy allocates the iPlanet User connector, representing the Sun Java System
Directory Server resource, to SWILLIAMS.

Assumptions
You completed all practices for this lesson (that is, practices 7-1 through 7-4).

Tasks
1. Close the Access Policy Has Been Created window.
2. Make the Oracle Identity Manager Identity Administration Console active.
Note: For more information about starting this console, refer to the document titled
Practices for Lesson 3.
3. Click the Create User link on the Home page of this console.


4. Enter values for the user record that you are creating, as follows:

Field                              Value
First Name                         Sam
Last Name                          Williams
Design Console Access check box    [cleared]
User Login                         SWILLIAMS
Password                           Welcome1
Confirm Password                   Welcome1
Organization                       Curriculum
User Type                          Full-Time Employee

Note: For more information about creating users, refer to the document titled Practices
for Lesson 5.
5. Click Save. The user is created. Oracle Identity Manager sets the user's identity status
to Active and the account status to Unlocked automatically.
You are ready to verify that Oracle Identity Manager assigned the iPlanet User
connector to the user with the ID of SWILLIAMS.


6. Click the Resources tab (because you want to check whether Oracle Identity Manager
assigned the Sun Java System Directory Server resource, represented by the iPlanet
User connector, to the user).


The iPlanet User connector appears in the Resources tab.

SWILLIAMS belongs to the Curriculum organization. Therefore, the Oracle 11g Users
auto membership rule assigns this user to the Oracle 11g Users role. As a result, the
Users Access Policy allocates the iPlanet User connector, representing the Sun Java
System Directory Server resource, to SWILLIAMS.
You are now ready to populate the fields of the custom process form, contained in this
connector, and save this information to the database. When you do so, Oracle Identity
Manager provisions this user with access rights to the corresponding resource (for this
practice, Sun Java System Directory Server).
Note: The status of the connector is Provisioning, signifying that the corresponding
resource is not yet provisioned to the end user.


Practice 7-6: Complete the Custom Process Form


Overview
You are ready to fill out the custom process form, contained in the connector that you assigned
to the target user (that is, SWILLIAMS), and save this information to the database. As a result,
Oracle Identity Manager can grant the user access rights to the corresponding resource (in this
case, Sun Java System Directory Server).
Using the Oracle Identity Manager Identity Administration Console, complete the custom
process form for the connector that represents the Sun Java System Directory Server resource.
After you perform this action, the status of the connector should change to Provisioned.

Assumptions
You completed all practices for this lesson (that is, practices 7-1 through 7-5).

Tasks

1. In the Resources tab, highlight the row that contains the iPlanet User connector. Click
the Action menu. Select the Open command from the pop-up menu that appears.


Note: By selecting the Open command, you can access the custom process form for the
connector that represents the Sun Java System Directory Server resource.
2. Populate the custom process form, as follows:
Parameter          Value
Password           SWILLIAMS
Organization DN    ou=people
Server             Sun IT Resource

Important: If the Common Name field is empty, populate this field with the first name
and last name of the user who is to be provisioned with the Sun Java System Directory
Server resource. For this example, enter Sam Williams into the Common Name field.
Note: For more information about filling out the custom process form, refer to the
document titled Practices for Lesson 6.

3. On the custom process form, click Save.

4. Close the View Form window.

Note: Use the View Form window to examine high-level and detailed user-related and
role-related information about the user and the resource.


5. On the Resources tab, click Refresh. The status of the iPlanet User connector changes
from Provisioning to Provisioned.

This indicates that Oracle Identity Manager granted access rights to Sun Java System
Directory Server for the target user (that is, SWILLIAMS).
You are ready to verify that the login credentials for this user, whom you specified in the
associated custom process form, can be used to access the resource (that is, Sun Java
System Directory Server).


Practice 7-7: Access the Resource


Overview
You learned how to use Oracle Identity Manager to provision an external resource (for this
practice, Sun Java System Directory Server) to a designated user, whose login credentials are
specified in the associated custom form.
Now you must ensure that this user (SWILLIAMS) is provisioned with the resource. For this
practice, this is accomplished by using Sun ONE Server Console.

Assumptions
You completed all practices for this lesson (that is, practices 7-1 through 7-6).

Tasks
1. Refresh Sun ONE Server Console. To do this, click the View menu and select Refresh
from the menu that appears.
2. Expand the dc=us,dc=oracle,dc=com node and select the People organization.


SWILLIAMS appears in the associated pane. This user is provisioned with Sun Java
System Directory Server.
You are ready to modify the Sun Java System Directory Server connector so that Oracle
Identity Manager can provision a user with the resource automatically.
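
The check performed by eye in Sun ONE Server Console can be repeated for many users by recomputing the chain built in this lesson (auto membership rule, role, access policy, resource) and comparing the result with the entries found under the People organization. The following Python code is an added example, not part of the Oracle course material and not an Oracle Identity Manager API: all class and function names are hypothetical, the users JDOE and TLEE, the Finance organization and the directory entries are constructed sample data, and uid as the naming attribute of the entries is an assumption.

```python
"""Added example: recompute who should hold the iPlanet User resource and
compare with entries found under ou=people. Not Oracle Identity Manager code;
every class and function name below is hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    login: str
    organization: str


@dataclass(frozen=True)
class RuleElement:
    attribute: str   # User field the element tests
    operation: str   # "==" or "!="
    value: str

    def matches(self, user: User) -> bool:
        actual = getattr(user, self.attribute)
        if self.operation == "==":
            return actual == self.value
        if self.operation == "!=":
            return actual != self.value
        raise ValueError(f"unsupported operation: {self.operation!r}")


@dataclass(frozen=True)
class Role:
    name: str
    rule: tuple       # rule elements; all must be true for auto membership


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    roles: tuple      # role names the policy applies to
    resources: tuple  # resources provisioned to members of those roles


def roles_for(user, roles):
    """Roles the user joins automatically through a membership rule."""
    return {r.name for r in roles
            if r.rule and all(e.matches(user) for e in r.rule)}


def expected_resources(user, roles, policies):
    """Resources the access policies grant through the user's roles."""
    member_of = roles_for(user, roles)
    granted = set()
    for policy in policies:
        if member_of.intersection(policy.roles):
            granted.update(policy.resources)
    return granted


def uid_under(dn, base):
    """Upper-cased uid of an entry directly below base, else None.
    Simplification: no escaped commas in the RDN (true for the sample)."""
    dn = dn.strip()
    if not dn.lower().endswith("," + base.lower()):
        return None
    rdn = dn[: len(dn) - len(base) - 1]
    attr, _, value = rdn.partition("=")
    if "," in rdn or attr.strip().lower() != "uid" or not value:
        return None
    return value.strip().upper()


def reconcile(users, roles, policies, directory_dns, resource, base):
    """missing: entitled but no entry. orphaned: entry but no entitlement."""
    entitled = {u.login.upper() for u in users
                if resource in expected_resources(u, roles, policies)}
    present = {uid for uid in (uid_under(dn, base) for dn in directory_dns) if uid}
    return {"missing": sorted(entitled - present),
            "orphaned": sorted(present - entitled)}


# Values taken from the practices in this lesson.
ROLES = (Role("Oracle 11g Users",
              (RuleElement("organization", "==", "Curriculum"),)),)
POLICIES = (AccessPolicy("Users Access Policy",
                         ("Oracle 11g Users",), ("iPlanet User",)),)
BASE = "ou=people,dc=us,dc=oracle,dc=com"

# Constructed sample data: JDOE, TLEE and the Finance organization are made up,
# and uid as the naming attribute is an assumption.
USERS = (User("SWILLIAMS", "Curriculum"),
         User("JDOE", "Curriculum"),     # entitled, not yet provisioned
         User("TLEE", "Finance"))        # moved out of Curriculum
DIRECTORY = ["uid=SWILLIAMS,ou=people,dc=us,dc=oracle,dc=com",
             "uid=TLEE,ou=People,dc=us,dc=oracle,dc=com",
             "cn=Directory Administrators,dc=us,dc=oracle,dc=com"]

if __name__ == "__main__":
    print(reconcile(USERS, ROLES, POLICIES, DIRECTORY, "iPlanet User", BASE))
```

An entry reported as orphaned is an account that no access policy currently justifies, which is the case the Select Resources to Revoke panel is meant to prevent.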


Practice 7-8: Modify the Provisioning Process


Overview
In this practice, modify a component of the connector for Sun Java System Directory Server: the
provisioning process. By doing so, Oracle Identity Manager (and not an administrator) populates
fields of the connector's process form with data and saves this information to the database.
After this occurs, Oracle Identity Manager uses this data to provision a user with the
corresponding resource (that is, a Sun Java System Directory Server).
To set up Oracle Identity Manager to perform these actions, select the Auto Save Form and
Auto Prepopulate Form check boxes of the record that represents the provisioning process. For
this practice, that record is titled iPlanet User.
Using the Workflow Designer, modify the provisioning process of the connector for Sun Java
System Directory Server. This includes:
1. Launching the iPlanet User provisioning process.
2. Selecting the Auto Save Form and Auto Prepopulate Form check boxes.

Assumptions
You completed all practices for this lesson (that is, practices 7-1 through 7-7).

Tasks
1. Make the Oracle Identity Manager Advanced Administration Console active.
Note: For more information about starting this console, refer to the document titled
Practices for Lesson 5.
2. On the Home page of the Oracle Identity Manager Advanced Administration Console,
click the Manage Resource link (located in the Configuration pane).

3. On the Resource Search form, query for the iPlanet User resource object. To do so,
select Resource Name from the topmost drop-down menu, enter iPlanet User in the
text box to the right of the drop-down menu, and click Search.

Note: iPlanet User is the name of the resource object that you imported along with other
components of the connector for Sun Java System Directory Server in the practice titled
Import an Oracle Identity Manager Connector.
4. From the result set, click the link that contains the name of the connector.

5. On the Resource Detail form, select Resource Workflows from the drop-down list.


6. On the Resource Workflows form, click the Edit link.

Note: You select Resource Workflows from the drop-down list on the Resource Detail
form and click the Edit link on the Resource Workflows form because you want to modify
a workflow associated with the connector for Sun Java System Directory Server. For this
practice, you are modifying the iPlanet User provisioning process.
7. On the Warning Security window, click Run.


Note: This application must be run for the Workflow Designer to appear. The Workflow
Designer is a Web-based Oracle Identity Manager tool that you use to create and modify
provisioning processes. For this practice, you are modifying the provisioning process of
the connector for Sun Java System Directory Server.


8. On the Workflow Designer window's toolbar, click Workflow Configuration.

9. On the Workflow Configuration window, select the Auto Save Form and Auto
Prepopulate Form check boxes if not already selected. Click OK.

10. On the Workflow Designer window's toolbar, click Save.

11. Close the Workflow Designer tool.
12. Close the Resource Workflows window.
You have modified the provisioning process of this connector. You are ready to
configure Oracle Identity Manager so that it (and not an administrator) populates
required fields of the connector's custom process form automatically. After this occurs,
Oracle Identity Manager saves the values in these fields to its database. Then it uses
this information to provision a user with an external resource (for this practice, Sun Java
System Directory Server).


Practice 7-9: Modify the Custom Process Form


Overview
In this practice, you modify another component of the connector for Sun Java System Directory
Server: the custom process form. By doing so, you configure Oracle Identity Manager to
populate required fields of the connector's custom process form automatically. After this occurs,
Oracle Identity Manager saves values in these fields to its database. Then it uses this
information to provision a user with an external resource (for this practice, Sun Java System
Directory Server).
For this to happen, Oracle Identity Manager must know the following:

- The Distinguished Name (DN) of the organizational unit (ou) to which the user is to
  belong in Sun Java System Directory Server. For this practice, the user is to be a
  member of the People organization in Sun Java System Directory Server.
  ou=people is the DN of this organization.
- The IT resource that contains administrative credentials that Oracle Identity Manager
  requires to provision a user to Sun Java System Directory Server. For this practice, use
  Sun IT Resource, the IT resource you created in the practice titled Define an IT
  Resource.
The Form Designer form of the Oracle Identity Manager Design Console is used to create and
modify process and resource object forms that are not packaged with Oracle Identity Manager.
For this practice, use the Form Designer form to modify the custom process form for the Sun
Java System Directory Server connector.
To modify the custom process form, complete the following steps:
1. Open the Form Designer form.
2. Query for the custom process form for the Sun Java System Directory Server connector.
For this practice, iPlanet User represents the name of this form.
3. Make the Additional Columns tab of the Form Designer form active. This tab is used
to create and manage data fields. These data fields are displayed on the connector's
custom process form.
4. Populate the Default Value column of the Additional Columns tab with two values:
ou=people and Sun IT Resource. These values represent the DN of the ou to which
the user is to belong in Sun Java System Directory Server and the IT resource that
contains administrative credentials that Oracle Identity Manager requires to provision a
user to Sun Java System Directory Server.
5. Save your changes to the database.
Using the Form Designer form of the Oracle Identity Manager Design Console, modify the
custom process form for the Sun Java System Directory Server connector.
Note: The Default Value column contains values that appear in the associated data fields after
the form is generated and if no other default values are specified.


Assumptions
You completed all practices for this lesson (that is, practices 7-1 through 7-8).


Tasks
1. Make the Oracle Identity Manager Design Console active.
Note: For more information about launching this console, refer to the document titled
Practices for Lesson 3.
2. From the Design Console, open the Form Designer form (found in the Development
Tools folder of the Oracle Identity Manager Explorer).
3. Enter IPNT_USR in the Table Name field (it appears as UD_IPNT_USR). Click Query.


Note: The UD_IPNT_USR value represents how the iPlanet User custom process form
for the Sun Java System Directory Server connector is recognized in the database.
4. Ensure that the Additional Columns tab of the Form Designer form is active.
Note: The Additional Columns tab is used to create and manage data fields. These data
fields are displayed on the connector's custom process form.


5. Modify default values on the Additional Columns tab, as follows:

Field              Old Value          New Value
Server             iPlanet User       Sun IT Resource
Organization DN    [not populated]    ou=people

Important: The Default Value column on the Additional Columns tab contains values
that appear in the associated data fields after the form is generated and if no other
default values are specified.
To add a value in the Default Value field, first double-click the field (to select it). Then,
double-click the field again (to make it active). Next, enter the value into the field.
Note: Sun IT Resource is the IT resource that you created in the practice titled
Define an IT Resource. This IT resource contains administrative credentials required
by Oracle Identity Manager to provision a user to Sun Java System Directory Server.
ou=people is the Distinguished Name (DN) of the organizational unit (ou) to which the
user is to belong in Sun Java System Directory Server.
6. Click Save.


You are ready to create another user record in Oracle Identity Manager. This user is to
belong to the Curriculum organization. Therefore, the Oracle 11g Users auto
membership rule assigns this user to the Oracle 11g Users role. As a result, the Users
Access Policy allocates the iPlanet User connector, representing the Sun Java System
Directory Server resource, to the user.
After this happens, Oracle Identity Manager fills out the custom process form, saves the
values to its database, and uses these values to provision this user with the
corresponding external resource (that is, Sun Java System Directory Server).

Practice 7-10: Provision a Resource to a User


Overview

In this practice, use the Oracle Identity Manager Identity Administration Console to create the
following user record:
| Field | Value |
|---|---|
| First Name | Mike |
| Last Name | Williams |
| Design Console Access check box | [cleared] |
| User Login | MWILLIAMS |
| Password | Welcome1 |
| Confirm Password | Welcome1 |
| Organization | Curriculum |
| User Type | Full-Time Employee |

Then verify that Oracle Identity Manager:
- Assigned the iPlanet User connector to the user with the ID of MWILLIAMS
- Provisioned the Sun Java System Directory Server resource, represented by the iPlanet User connector, to this user

Note: MWILLIAMS belongs to the Curriculum organization. Therefore, the Oracle 11g Users
auto membership rule assigns this user to the Oracle 11g Users role. As a result, the Users
Access Policy allocates the iPlanet User connector, representing the Sun Java System
Directory Server resource, to MWILLIAMS.
After this happens, Oracle Identity Manager populates the custom process form, saves the
values to its database, and uses these values to provision MWILLIAMS with the corresponding
external resource (that is, Sun Java System Directory Server).
In short, these three actions are completed by Oracle Identity Manager, not by an administrator.
No manual intervention is required.

Assumptions
You completed all practices for this lesson (that is, practices 7-1 through 7-9).

Tasks
1. Make the Identity Administration Console active.
Note: For more information about starting this console, refer to the document titled
Practices for Lesson 3.
2. Click the Create User link on the Home page of this console.


3. Enter values for the user record you are creating, as follows:

| Field | Value |
|---|---|
| First Name | Mike |
| Last Name | Williams |
| Design Console Access check box | [cleared] |
| User Login | MWILLIAMS |
| Password | Welcome1 |
| Confirm Password | Welcome1 |
| Organization | Curriculum |
| User Type | Full-Time Employee |

Note: For more information about creating users, refer to the document titled Practices
for Lesson 4.
4. Click Save. The user is created. Oracle Identity Manager sets the user's identity status
to Active and the account status to Unlocked automatically.
You are ready to verify that Oracle Identity Manager assigned the iPlanet User
connector and provisioned the associated resource (Sun Java System Directory Server)
to the user with the ID of MWILLIAMS.
5. Click the Resources tab.


The iPlanet User connector appears in the Resources tab.


The status of the connector is Provisioned, signifying that Oracle Identity Manager
granted access rights to Sun Java System Directory Server for the target user (that is,
MWILLIAMS).
For these practices, Oracle Identity Manager completed the custom process form, saved
the values to its database, and uses these values to provision MWILLIAMS with the
corresponding external resource (that is, Sun Java System Directory Server).
These three actions are completed by Oracle Identity Manager, not by an administrator.
No manual intervention is required.
You are ready to verify whether the login credentials for this user can be used to access
the associated resource (Sun Java System Directory Server).


Important: If the status of the connector is Provisioning, complete the following steps:
a. Make the Advanced Administration Console active.
Note: For more information about starting this console, refer to the document
titled Practices for Lesson 3.
b. Click the Import Deployment Manager File link on the Home page of this
console.


c. On the Select a file for import window, navigate to the D:\stage\labs\lab_07 folder.
Select the common_name.xml file, and click Open.

d. On the Deployment Manager window, click Add File.

e. On the second Deployment Manager window, click Add File.

f. On the Deployment Manager Import window, click Import.

g. On the Confirmation window, click Import.


h. On the Success window, click OK.

i. Close the Deployment Manager Import window.


j. Make the Design Console active.
k. Click the Prepopulate tab of the Form Designer form.

l. Click the Common Name field (to select it). Then, double-click the row header of
the Common Name field.


m. In the Pre-Populate Adapters window, double-click inside of the Adapter field.

n. In the Lookup window, select Common Name Adapter. Click OK.

o. On the Pre-Populate Adapters window, click Save. Then, click Close.



p. On the Form Designer form, click Save.


q. Make the Identity Administration Console active.
Note: For more information about starting this console, refer to the document
titled Practices for Lesson 3.
r. Click the Advanced Search - Users link on the Home page of this console.
s. Enter MWILLIAMS in the text box to the right of the User Login drop-down list.
Click Search.
t. From the result set, click the link that contains the full name of Mike Williams.
u. Click the Resource tab.
v. On the Resources tab, click Add.
w. On the Select a Resource panel, select the iPlanet User connector. Click
Continue.
x. On the Verify Resource Selection panel, click Continue.
y. Close the Provisioning Has Been Initiated window.
z. On the Resources tab, click Refresh. The status of the iPlanet User connector
changes from Provisioning to Provisioned.


Practice 7-11: Access the Resource

Overview
You learned how to use Oracle Identity Manager to provision an external resource (for this
practice, Sun Java System Directory Server) to a designated user whose login credentials are
specified in the associated custom form.
Now you must ensure that this user (MWILLIAMS) is provisioned with the resource. For this
practice, this is accomplished by using Sun ONE Server Console.

Assumptions
You completed all practices for this lesson (that is, practices 7-1 through 7-10).

Tasks
1. Refresh Sun ONE Server Console. To do this, click the View menu and select Refresh
from the menu that appears.
2. Expand the dc=us,dc=oracle,dc=com node and select the People organization.


MWILLIAMS appears in the associated pane. This user is provisioned with Sun Java
System Directory Server.

Practices for Lesson 8
Chapter 8

Practices Overview
In these practices, you will familiarize yourself with existing workflow approvals, creating and
modifying approval policies and request templates, and managing requests created by a user.
You become familiar with these concepts by implementing the following use-case scenario:

Bob McCarren is a program manager who needs to request access to the iPlanet User
directory server resource for two members of his team, Linda Spitz and Priya Roshan.
Before Bob can perform this request, you must create supporting approval policies and a
request template. The request template will only be made available to program
managers associated with Bob's project. Program Managers associated with his project
are assigned to the role, Program Mgmt Project X Development.

You will be supplied with two custom approval processes, or SOA composites, to
complete this task. One approval process, ResourceAuthorizerApproval-India, forwards
requests to IT resource approvers managing users in India. These users are associated
with the role, India-Resource-Approvers. The other approval process,
ResourceAuthorizerApproval-US, forwards requests to IT resource approvers managing
users in the United States. These users are associated with the role,
US-Resource-Approvers. The approval processes assign the operation level request to
appropriate authorizers. The overall flow of the request that Bob will make is as follows:
- The request is first sent to the request target's manager, who in this case, is the
  user Valli Pataballa.
- If Valli approves the request, the request will be forwarded to the next
  appropriate operation-level authorizers.
- Charlie List is one of the approvers assigned to the role, US-Resource-Approvers.
  Charlie will approve access to the resource for users in the United States.
- Sarah Whitman is an approver assigned to the role, India-Resource-Approvers.
  Sarah will reject the request to the resource for the user in India. She will provide
  a reason for the rejection.
- For the user whose request has been approved, their task will complete and they
  will be authorized and provisioned to the resource.


Practice 8-1: Create Prerequisite Organizations, Role Categories, and Roles

Overview
In this practice, you create the supporting cast for the use case as the system administrator
account, xelsysadm. You manually create these users by using the Oracle Identity Manager
Administrative and User interface.
Note: The Bulk Load Utility can also be used to create the users, roles, and role categories, but
in this case, it would consume the same amount of time to shut down Oracle Identity Manager
and load the data as it would to manually create the objects in Oracle Identity Manager
Administrative and User Console.

Assumptions
You completed the practices titled Create Organizations, Create Users, and Create Roles
in the document titled Practices for Lesson 5.

Tasks
1. From the Welcome tab on the Oracle Identity Manager Identity Administration Console,
create the following organizations:

| Field | Value |
|---|---|
| Name | Information Technology Support - Training |
| Type | Department |
| Parent Organization | Approvers |

| Field | Value |
|---|---|
| Name | Quality Assurance and Support |
| Type | Department |
| Parent Organization | Curriculum |

2. From the Welcome tab on the Oracle Identity Manager Identity Administration Console,
create the following role category:

| Field | Value |
|---|---|
| Name | Projects |
| Description | This category contains roles associated with projects. |

3. From the Welcome tab on the Oracle Identity Manager Administration console, create
the following roles:

| Field | Value |
|---|---|
| Name | US-Resource-Approvers |
| Display Name | Resource Approvers (US) |
| Description | This role contains the approvers responsible for approving access to resources for users in the United States. |
| Role Category Name | Administrative |

| Field | Value |
|---|---|
| Name | India-Resource-Approvers |
| Display Name | Resource Approvers (India) |
| Description | This role contains the approvers responsible for approving access to resources for users in India. |
| Role Category Name | Administrative |

| Field | Value |
|---|---|
| Name | Program Mgmt Project X Development |
| Display Name | Project X Program Management Team |
| Description | This role contains program managers, project managers, and team leads for the Project X Development effort. |

4. From the Welcome tab on the Oracle Identity Manager Identity Administration Console,
create the following users:

| Field | Value |
|---|---|
| First Name | Bob |
| Last Name | McCarren |
| Design Console Access | [cleared] |
| Organization | Training |
| User Type | Full-Time Employee |
| User Login | BMCCARREN |
| Password/Confirm Password | Welcome1 |
| Role | ALL USERS, Program Mgmt Project X Development |
| Role Category Name | Projects |

IDENTITY USER ADMINISTRATORS

| Field | Value |
|---|---|
| First Name | Charlie |
| Last Name | List |
| Design Console Access | [selected] |
| Organization | Information Technology Support - Training |
| User Type | Full-Time Employee |
| User Login | CLIST |
| Password/Confirm Password | Welcome1 |
| Role | ALL USERS, IDENTITY USER ADMINISTRATORS, Resource Approvers (US) |

| Field | Value |
|---|---|
| First Name | Sarah |
| Last Name | Whitman |
| Design Console Access | [selected] |
| Organization | Information Technology Support - Training |
| User Type | Full-Time Employee |
| User Login | SWHITMAN |
| Password/Confirm Password | Welcome1 |
| Role | ALL USERS, IDENTITY USER ADMINISTRATORS, Resource Approvers (India) |

Practice 8-2: Configuring the JDeveloper Environment

Overview
In this practice, you configure the environment for JDeveloper and the ant command that will be
used to deploy the custom SOA composites and register these composites with Oracle Identity
Manager.

Assumptions
You completed all the preceding practices for this lesson.

Tasks
1. Start SOA Server. The server must be started before you start working with requests.
Note: For more information about starting this server or launching the SOA-based
consoles, refer to the document titled "Practices for Lesson 03."
2. From the DOS window, verify that the JAVA_HOME variable is set to
D:\Program Files\Java\jdk1.6.0_18.


3. Modify the PATH variable to gain access to the ant command. The directory to include is
D:\app\oracle\product\middleware_jdev\jdeveloper\ant\bin.


Note: Ant is a Java library and command-line tool used to build files, compile, assemble,
test, and run Java and non-Java applications.


a. On the Desktop, right-click the host name of your machine and select
Properties.

b. Select the Advanced tab and click Environment Variables.

c. In the System variables section of the Environment Variables dialog box, select
PATH. Click Edit.

d. Add the following to the end of the PATH variable and click OK:
;D:\app\oracle\product\middleware_jdev\jdeveloper\ant\bin
Note: The semicolon preceding the directory separates one directory from
another directory in the PATH variable.
e. Click OK on the Environment Variables screen.
f. Click OK on the System Properties screen.
4. Open JDeveloper by clicking Start > Programs > Oracle Fusion Middleware
11.1.1.3.0 > JDeveloper Studio 11.1.1.3.0.


5. Click OK after verifying that Default Role is selected.

6. When prompted to select the file types for JDeveloper, select JDeveloper Application
and JDeveloper Project and click OK.

This dialog box is displayed the first time JDeveloper is started. It will not be displayed
hereafter.


7. Deselect Allow automated usage reporting to Oracle and click OK.

This dialog box is also displayed only the very first time that JDeveloper is started. It will
no longer be displayed on subsequent execution of JDeveloper.
8. Close the window for Tip of the Day.


9. You will now define the application server that will be used when deploying the SOA
composites. To create the appropriate application server:
a. Select View > Application Server Navigator.

b. Within the Application Server tab, right-click Application Servers and select New
Application Server.

c. On the Usage screen, select Standalone Server and click Next.

JDeveloper allows you to use the integrated WebLogic server installed with
JDeveloper. This instance of the WebLogic server is different from the one installed
for Oracle Identity Manager. You will define the application server for Oracle Identity
Manager server here.

d. On the Name and Type screen, specify your host name in the Connection Name field
and select WebLogic 10.3 for the Connection Type, if not already selected. Click
Next.

Note: In this example, the connection name is edrsr11p1.

e. On the Authentication screen, enter the credentials for your WebLogic server
installation and click Next. The username is weblogic and the password is
Welcome1.


f. On the Configuration screen, enter the full host name of the server on which
WebLogic has been installed. In this example, the host name is
edrsr11p1.us.oracle.com.
Change the Weblogic Domain field to IDMDomain. Click Next when finished.


g. Click Test Connection to verify the connection to the WebLogic server. Click Next
when it has completed.

Note: If any of these tests fail, verify that the host name you entered on the
Configuration screen is correct and matches your host name. Also verify that the
WebLogic Domain specified is correct and that the WebLogic server for Oracle
Identity Manager is running.

h. Click Finish to complete the connection configuration.

i. Verify that JDeveloper can connect to and access the application server connection
that you have created. Expand Application Servers > hostname in the Application
Server navigation panel. If application server connection expands and matches what
is shown in the following image, JDeveloper has successfully connected to the
application server defined for the connection specified.

10. Now that the application server connection has been configured, you will install the
Oracle SOA Composite Editor extension for JDeveloper. To do this:
a. Select Tools > Preferences from the JDeveloper menu.

b. Select Extensions in the left navigation panel. Click Check for Updates in the
right-hand panel.

c. Click Next when prompted on the Welcome screen.


d. Select Install From Local File and enter the path,
D:\stage\jdev_soa_ext\jdev_soa_ext.zip in the File Name field.
Click Next when finished.


e. On the Summary screen, the full name of the extension that you are installing is
displayed. Click Finish to install the Oracle SOA Composite Editor 11.1.1.3.0.25.55
extension.

f. Click OK on the Preferences screen.

g. Click Yes on the Confirm Restart screen to apply the changes made.
h. When JDeveloper restarts, select the Default Role and close the Tip of the Day.
You have now started and configured JDeveloper. You are ready to deploy custom SOA
composites provided to you as part of the lab.
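
Tasks 2 and 3 of this practice set JAVA_HOME and append the JDeveloper ant directory to the end of PATH; because the entry is appended, any ant launcher in an earlier PATH directory is the one that actually runs. The following read-only check is an added example, not part of the course material. It assumes PowerShell is available on the lab host, and the function and variable names are illustrative.

```powershell
# Added example, not part of the Oracle course material.
# Read-only: reports problems, changes nothing.

# Values taken from tasks 2 and 3 of this practice.
$ExpectedJavaHome = 'D:\Program Files\Java\jdk1.6.0_18'
$AntBin           = 'D:\app\oracle\product\middleware_jdev\jdeveloper\ant\bin'

function Get-NormalizedDir {
    param([string]$Dir)
    # Drop whitespace, quotes and a trailing backslash so that
    # "D:\x\bin\" and D:\x\bin compare as the same directory.
    if (-not $Dir) { return '' }
    return $Dir.Trim().Trim('"').TrimEnd('\')
}

function Find-LauncherOnPath {
    param([string]$Name, [string]$PathValue, [string]$PathExt)
    # Walk PATH left to right and, in each directory, try the PATHEXT
    # extensions in order. This mirrors how cmd.exe picks the file to run
    # for a bare command name (cmd.exe also looks in the current directory
    # first, which is not modelled here).
    foreach ($entry in ($PathValue -split ';')) {
        $dir = Get-NormalizedDir $entry
        if (-not $dir) { continue }
        foreach ($ext in ($PathExt -split ';')) {
            if (-not $ext) { continue }
            $candidate = "$dir\$Name$ext"
            if (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue) {
                $candidate      # emit the first match in this directory
                break
            }
        }
    }
}

$problems = @()

# Task 2: JAVA_HOME must point at the JDK named in the guide.
$javaHome = Get-NormalizedDir $env:JAVA_HOME
if ($javaHome -ine (Get-NormalizedDir $ExpectedJavaHome)) {
    $problems += "JAVA_HOME is '$($env:JAVA_HOME)'; task 2 expects '$ExpectedJavaHome'."
} elseif (-not (Test-Path -LiteralPath "$javaHome\bin\java.exe" -PathType Leaf)) {
    $problems += "JAVA_HOME is set, but '$javaHome\bin\java.exe' does not exist."
}

# Task 3: the first ant launcher found on PATH must be the JDeveloper copy.
$hits = @(Find-LauncherOnPath -Name 'ant' -PathValue $env:Path -PathExt $env:PATHEXT)
if ($hits.Count -eq 0) {
    $problems += "No ant launcher on PATH. Was ';$AntBin' appended to the PATH variable?"
} else {
    $firstDir = Get-NormalizedDir ([System.IO.Path]::GetDirectoryName($hits[0]))
    if ($firstDir -ine (Get-NormalizedDir $AntBin)) {
        $problems += "ant resolves to '$($hits[0])', ahead of the JDeveloper copy in '$AntBin'."
    }
}

"ant launchers on PATH, in resolution order:"
$hits | ForEach-Object { "  $_" }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"OK: JAVA_HOME and PATH match tasks 2 and 3."
```

Save the block as a script and run it from a window opened after the System Properties dialog was closed, because windows that were already open keep the old PATH.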


Practice 8-3: Deploy and Register Custom SOA Composites

Overview
In this practice, you deploy the custom SOA composites provided for the exercise. These SOA
composites are deployed to the SOA server and registered with the OIM server.
The composites, ResourceAuthorizerApproval-India and ResourceAuthorizerApproval-US, are
loaded into JDeveloper. The composites are deployed directly to the SOA server through
JDeveloper.
After deploying the composites to the SOA server, use the ant command provided by
JDeveloper to register the two composites to the Oracle Identity Manager server.

Assumptions
You completed all the preceding practices for this lesson.

Tasks

1. Open Windows Explorer and change to the
D:\stage\labs\lab_08\CustomComposites\registration directory.
2. Copy the following two files to
D:\app\oracle\product\middleware\iam_home\server\workflows\registration.
   ResourceAuthorizerApproval-India.props
   ResourceAuthorizerApproval-US.props
3. Using Windows Explorer, change to the
D:\stage\labs\lab_08\CustomComposites\process-template directory.

4. Copy the following three directories to the
D:\app\oracle\product\middleware\iam_home\server\workflows\new-workflow\process-template
directory:
   ApprovalApp
   ResourceAuthorizerApproval-India
   ResourceAuthorizerApproval-US

5. If not already started, open JDeveloper by clicking Start > Programs > Oracle Fusion
Middleware 11.1.1.3.0 > JDeveloper Studio 11.1.1.3.0.
6. Click OK after verifying that Default Role is selected.

7. Close the window for Tip of the Day.

8. Load the application for the ResourceAuthorizerApproval-US SOA composite.
a. Select the Application navigation panel, if not already selected.
b. Click Open Application.
c. Change to the
D:\app\oracle\product\middleware\iam_home\server\workflows\new-workflow\process-template\ResourceAuthorizerApproval-US\ResourceAuthorizerApproval-US
directory.
d. Select the ResourceAuthorizerApproval-USApplication.jws file.
e. Click Open when finished.
This loads the ResourceAuthorizerApproval-USApplication application into JDeveloper.
The Projects panel is populated with the ResourceAuthorizerApproval-US project saved
as a part of the ResourceAuthorizerApproval-USApplication application.

9. From the Application Navigator, within the Project panel, right-click the
ResourceAuthorizerApproval-US project and select Deploy >
ResourceAuthorizerApproval-US.

10. In the Deployment Action window, select Deploy to Application Server and click Next.

11. On the Deploy Configuration screen, ensure that the revision ID of your composite is
correct. By default, it is set to 1.0. If you are making a change to an existing composite,
you should update the version accordingly. Select the check box for Overwrite any
existing composites with the same revision ID. Click Next when finished.

12. Select the application server created for your Oracle Identity Manager environment. In
this example, the server connection created in JDeveloper is edrsr11p1. Substitute your
host name. Click Next.

13. Select the SOA server associated with the WebLogic application server defined within
JDeveloper. The SOA server must be running before you can deploy the application.
Click Next.

14. On the Summary screen, click Finish after verifying the information presented.

15. Click the SOA tab to access the SOA log. The SOA log displays the status of the build.
In this case, despite warnings, the build was successful.
16. Using WordPad, open the file
D:\app\oracle\product\middleware\iam_home\server\workflows\registration\registerworkflows-mp.xml.

17. Change the wls.home property to the WLS base directory. The line for the
wls.home property should be set as follows:
<property name="wls.home"
value="${basedir}/../../../../wls_home"/>

18. In a DOS window, change to the
D:\app\oracle\product\middleware\iam_home\server\workflows\registration
directory.
Register the ResourceAuthorizerApproval-US SOA composite with the command,
ant -f registerworkflows-mp.xml register. Provide the following information
when asked:

Field                Value
Username             xelsysadm
Password             Welcome1
OIM Server t3 URL    t3://localhost:7007
Property File        ResourceAuthorizerApproval-US.props

Note: If the ant command is not recognized, start a new DOS window and change to
the D:\app\oracle\product\middleware\iam_home\server\workflows\
registration directory. Changes to the PATH variable are available from DOS
windows opened after modifying the variable.
19. Verify that the SOA composite has been deployed to the SOA server by visiting the URL,
http://hostname:7006/soa-infra, where hostname represents your system's
host name. If prompted, enter xelsysadm for the login and Welcome1 for the
password.

20. Verify that the SOA composite has been registered to Oracle Identity Manager.
a. Log in to Oracle Identity Manager as the system administrator if not already
logged in.
b. Access the Oracle Identity Manager Advanced Administration console.
c. Click the Search Request Templates link in the Configuration panel.
d. Click the Create Request Template button in the Search panel.

e. Click the search icon to the right of the Template Level Approval Process and
perform a search to verify that the SOA composite,
default/ResourceAuthorizerApproval-US!1.0 is accessible.

Note: If the approval process is not immediately apparent, cancel the search and
the wizard creation process and repeat step 20. It may take a few moments for
Oracle Identity Manager to make the approval process available.
f. Cancel the search.
g. Cancel the Create Request Template wizard.

21. Deploy and register the ResourceAuthorizerApproval-India SOA composite with the
following steps:
a. Load the ResourceAuthorizerApproval-India application.
i. From JDeveloper, select Application > Open from the applications menu
bar.
ii. Change to the
D:\app\oracle\product\middleware\iam_home\server\
workflows\new-workflow\process-template\
ResourceAuthorizerApproval-India\
ResourceAuthorizerApproval-India directory.
iii. Select the
ResourceAuthorizerApproval-IndiaApplication.jws application
file.

iv. Click Open.


v. Deploy the ResourceAuthorizerApproval-India project to the SOA
server.

b. Register the ResourceAuthorizerApproval-India SOA composite.
i. From a DOS window, change to the
D:\app\oracle\product\middleware\iam_home\server\
workflows\registration directory.
ii. Execute the command,
ant -f registerworkflows-mp.xml register. Provide the
following information when asked:

Field                Value
Username             xelsysadm
Password             Welcome1
OIM Server t3 URL    t3://localhost:7007
Property File        ResourceAuthorizerApproval-India.props

c. Verify that the SOA composite is available from both the SOA server and in
Oracle Identity Manager.
22. Close JDeveloper when you have completed deploying the SOA composites.

You have now successfully deployed the two custom SOA composites,
ResourceAuthorizerApproval-India and ResourceAuthorizerApproval-US, to the SOA server.
You have also successfully registered the composites to the Oracle Identity Manager server.

Practice 8-4: Import the iPlanet User Resource Request Dataset

Overview
In this practice, you import the request dataset required when provisioning the user to the IT
Resource defined by the iPlanet User resource object. The request dataset contains any
additional resource-specific attributes that are used as part of the provisioning process.
The request dataset contains the child form definitions for the Sun Java System Directory
Server User and Role child tables used when provisioning the user to the Sun Java System
Directory Server. The MDS import utility is used to import the resource request dataset into the
MDS repository so that it is available for Oracle Identity Manager.

Assumptions

You completed all the preceding practices for this lesson.

Oracle SOA Server has been started and has a status of Running.

Tasks

1. In a DOS window, change to the
D:\app\oracle\product\middleware\iam_home\server\bin directory.
2. Set the OIM_ORACLE_HOME variable to
D:\app\oracle\product\middleware\iam_home.
The variable must be set to the Oracle Identity Manager base directory so that the MDS
utility calls the appropriate Java classes.

3. Copy the D:\stage\labs\lab_08\weblogic.properties file to the
D:\app\oracle\product\middleware\iam_home\server\bin directory.
When prompted, click Yes to overwrite the existing file.
Note: The weblogic.properties file contains settings used by the MDS utility to
import the iPlanet User request dataset from D:\stage\labs\lab_08\request-dataset
into the MDS repository. It specifies the name of the Oracle Identity Manager
server as well as the base directory to use when importing XML files into the MDS
repository.
4. Execute the MDS import utility, weblogicImportMetadata.bat, in the DOS window
and enter the following values when prompted:

Parameter     Value
Username      weblogic
Password      Welcome1
Server URL    t3://<hostname>.us.oracle.com:7001

The iPlanet User resource request dataset has been successfully imported into the MDS
repository. The MDS utility loaded the file from
D:\stage\labs\lab_08\request-dataset\custom\iPlanetUser\ProvisionResourceiPlanet_User.xml
into the MDS as /custom/iPlanetUser/ProvisionResourceiPlanet_User.xml.

5. Purge the cache for the MDS repository. This step is necessary when making changes
to the MDS repository:
a. In a DOS window, verify that you are in the
D:\app\oracle\product\middleware\iam_home\server\bin directory.
b. If not already set, set the variable WL_HOME to
D:\app\oracle\product\middleware\wls_home by using the following
command:
set WL_HOME=D:\app\oracle\product\middleware\wls_home
c. Execute the command, setEnv.bat.
d. Execute the following command to purge the cache for the MDS:
PurgeCache.bat MetaData
When prompted, provide the following values:

Prompt                      Value
Enter the admin username    xelsysadm
Enter the admin password    Welcome1
Enter the service url       t3://localhost:7007

6. Using WordPad, open the iPlanet User resource request dataset to familiarize yourself
with the format. The XML file is available from
D:\stage\labs\lab_08\request-dataset\custom\iPlanetUser\ProvisionResourceiPlanet_User.xml.

Note: The request dataset defines the child forms used when defining a request
template as well as when creating the request itself.

7. Remove the customized weblogic.properties file and re-create the original
weblogic.properties file.
a. Remove the D:\app\oracle\product\middleware\iam_home\server\
bin\weblogic.properties file.
b. Copy the D:\stage\labs\lab_08\weblogic.properties_orig file to
D:\app\oracle\product\middleware\iam_home\server\bin.
c. Rename D:\app\oracle\product\middleware\iam_home\server\
bin\weblogic.properties_orig to
D:\app\oracle\product\middleware\iam_home\server\
bin\weblogic.properties.
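
Steps 1 through 5 and step 7 of this practice, collected into one batch file (an added example, not part of the Oracle lab materials; it assumes the directory layout used in this practice). Each .bat utility is invoked with call, because running one batch file from another without call never returns to the caller, and the last lines confirm that the original weblogic.properties is back in place.

```batch
@echo off
setlocal
rem Added example, not part of the lab materials: Practice 8-4 steps 1-5 and 7.
rem Paths are the ones this practice uses; change them to match your install.

set "OIM_ORACLE_HOME=D:\app\oracle\product\middleware\iam_home"
set "OIM_BIN=%OIM_ORACLE_HOME%\server\bin"
set "LAB_DIR=D:\stage\labs\lab_08"

rem Stop before touching anything if a lab file or utility is missing.
for %%F in (
    "%LAB_DIR%\weblogic.properties"
    "%LAB_DIR%\weblogic.properties_orig"
    "%OIM_BIN%\weblogicImportMetadata.bat"
    "%OIM_BIN%\setEnv.bat"
    "%OIM_BIN%\PurgeCache.bat"
) do (
    if not exist "%%~F" (
        echo Missing required file: %%~F
        exit /b 1
    )
)

rem Steps 1 and 2: work from the OIM bin directory with OIM_ORACLE_HOME set.
cd /d "%OIM_BIN%" || exit /b 1

rem Step 3: overwrite weblogic.properties with the lab's customized copy.
copy /Y "%LAB_DIR%\weblogic.properties" "%OIM_BIN%\weblogic.properties" >nul || exit /b 1

rem Step 4: the utility prompts for Username, Password and Server URL.
call weblogicImportMetadata.bat

rem Step 5: purge the MDS cache. PurgeCache.bat prompts for the admin
rem username, the admin password and the service url.
if not defined WL_HOME set "WL_HOME=D:\app\oracle\product\middleware\wls_home"
call setEnv.bat
call PurgeCache.bat MetaData

rem Step 7: remove the customized file and put the original back.
del "%OIM_BIN%\weblogic.properties"
copy /Y "%LAB_DIR%\weblogic.properties_orig" "%OIM_BIN%\" >nul || exit /b 1
ren "%OIM_BIN%\weblogic.properties_orig" weblogic.properties || exit /b 1

rem Confirm the restored file is byte-identical to the original copy.
fc /b "%LAB_DIR%\weblogic.properties_orig" "%OIM_BIN%\weblogic.properties" >nul
if errorlevel 1 (
    echo weblogic.properties in %OIM_BIN% does not match the original copy.
    exit /b 1
)
echo Import and cache purge finished; original weblogic.properties restored.
endlocal
```

Step 6, opening the dataset XML in WordPad, is left out because it only inspects the file.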

Practice 8-5: Configure Sun Java System Directory Server Group and Role

Overview
In this practice, you create the Sun Java System Directory group and role that will be used as
part of the provisioning process when the user is provisioned through the request created later
in this lab.

Assumptions
You completed all the preceding practices for this lesson.

Tasks
1. Open the Sun ONE Directory Server console for Sun Java System Directory Server.
Note: For more information about starting the Sun ONE Directory Server Console, refer
to the document titled "Practices for Lesson 6."
2. Expand the dc=us,dc=oracle,dc=com node and click Groups.

3. Create the default group that will be used when provisioning users through requests.
The group name is OIM-SJSDS-Group-Default.
a. Right-click Groups and select New > Group.

b. Populate the fields as follows and click OK when finished:

Field          Value
Group Name     OIM-SJSDS-Group-Default
Description    Default group for users provisioned directly from Oracle Identity Manager

4. Create the default role that will be used when provisioning users through requests in this
lab. The role name is OIM-SJSDS-Role-Default.
a. Right-click Groups and select New > Role.

b. Populate the fields as follows and click OK:

Field          Value
Group Name     OIM-SJSDS-Role-Default
Description    Default role for users provisioned directly from Oracle Identity Manager

5. Verify that the OIM-SJSDS-Group-Default group and the OIM-SJSDS-Role-Default
role have been created.
Note: The two objects have been created in the Groups organization. When referring to
them from Oracle Identity Manager, you will refer to them by their nodename,
cn=OIM-SJSDS-Group-Default,ou=Groups for OIM-SJSDS-Group-Default, and
cn=OIM-SJSDS-Role-Default,ou=Groups for OIM-SJSDS-Role-Default.
You have now created the Sun Java System Directory Server group and role that will be used
when provisioning the user through a request. You will now modify the Oracle Identity Manager
lookup values for the iPlanet User role and group lookup definitions for the values that you
created here.

Practice 8-6: Update Lookup Definitions

Overview
In this practice, you update the lookup definitions for two lookup codes used for the iPlanet User
resource object. The lookup definition code, Lookup.IPNT.UserGroup, defines the values for
groups associated with the iPlanet User resource object. The lookup definition code,
Lookup.IPNT.Role, defines the values for roles associated with the iPlanet User resource
object.
These lookup definition codes contain no values by default. You can either manually populate
them or run a reconciliation process that will poll for existing objects within the Sun Java System
Directory Server, in this example, and populate the values automatically.
You will use the Oracle Identity Manager Design Console to manually create values for these
lookup definition codes.

Assumptions
You completed all the preceding practices for this lesson.

Tasks
1. Open the Oracle Identity Manager Design Console. If not signed in, sign in with the
credentials xelsysadm and the password Welcome1.
Note: For more information about starting the Oracle Identity Manager Design Console,
refer to the document titled "Practices for Lesson 3."

2. Expand the Administration folder and double-click Lookup Definition.

Note: This action loads the Lookup Definition form that will be used to modify the values
for the lookup definition codes used by iPlanet User.

3. Enter the value, *IPNT* in the Code field and click the Query for records button.

Note: This action enables you to search the Oracle Identity Manager repository for any
lookup definition codes that contain the text, IPNT.
The first record returned is automatically loaded into the form.

4. Click the Lookup Definition Table tab at the bottom of the screen.

This action displays the results returned from the search.

5. Select the line for Lookup.IPNT.UserGroup and click the Lookup Definition tab.

The form is now preloaded with the data for the Lookup.IPNT.UserGroup lookup
definition code. At this time, no code keys have been defined for the lookup definition
code.
6. Add the value for the OIM-SJSDS-Group-Default group created in Sun Java System
Directory Server.
a. Populate the Group field with the following value: lookup group.
b. Click Add to add a code key.

c. Populate the fields by clicking each field and entering the values for the fields as
follows:

Field       Value
Code Key    cn=OIM-SJSDS-Group-Default,ou=Groups
Decode      OIM-SJSDS-Group-Default

The Code Key is the value that is passed back to the requester. Decode is the value
that is displayed to the user within Oracle Identity Manager.

d. Click the Save changes to the database button to save your changes.

7. Add the value for the OIM-SJSDS-Role-Default role created in Sun Java System
Directory Server to the Lookup.IPNT.Role lookup definition code.
a. Click the Lookup Definition Table tab and select the line for
Lookup.IPNT.Role. Click the Lookup Definition tab to preload the form with
the selected lookup definition code.
b. Populate the Group field with the following value: lookup role.
c. Click Add to add a code key.
d. Populate the fields by clicking each field and entering the values for the fields as
follows:

Field       Value
Code Key    cn=OIM-SJSDS-Role-Default,ou=Groups
Decode      OIM-SJSDS-Role-Default

The Code Key is the value that is passed back to the requester. Decode is the
value that is displayed to the user within Oracle Identity Manager.
e. Click the Save changes to the database button to save your changes.

You have now updated the lookup definition codes that will be used when creating the request
template to be used for the request toward the end of the lab. You are now ready to create the
request template, create the corresponding approval policies, and test the request template by
creating and tracking a request.

Practice 8-7: Create a Request Template

Overview
In this practice, you create the request template, Provision Project X Resources. This request
template is based on the Provision Resource request type. It will only be accessible to users in
the role, Program Mgmt Project X Development. To limit the resources visible to the user
when making the request, the request template will include iPlanet User as the allowed
resource.

Assumptions

You completed all the preceding practices for this lesson.


You are logged in to the Oracle Identity Manager Administrative and User Console as
the xelsysadm user.

Oracle SOA Server has been started and has a status of Running.

Tasks
1. From the Oracle Identity Manager Administrative and User Console, access the Oracle
Identity Manager Advanced Administration console.
2. Click the Configuration tab.
3. If not already selected, click the Request Templates sub-tab.
4. Click the Create Request Template button.
This action signals the wizard to begin creating the request template.
5. Complete the request template with the following information and click Next when
finished:

Field                    Value
Request Template Name    Provision Project X Resources
Request Type             Provision Resource
Description              Request template to provision resources for Project X Development.

Note: The Template Level Approval policy is left blank in this practice. It will
automatically default to an automatic approval for the overall request. In this practice,
you do not need an additional approval step. However, if your processes require
additional approval, such as a vice-president (VP) approval or human resources (HR)
approval, then the template-level approval process is the ideal process level to assign
these approvers.
6. On the Step 2: Resources screen, click Search to obtain a list of resources available on
the system. You can filter your results by entering a part of the name. Entering iplanet
will find all resources that contain the string, iplanet. The search string is not case-sensitive.

7. Move iPlanet User to the Selected Resources column. Click Next when complete.

8. On the Step 3: Attributes screen, select the check box for Service Account and click
Next.

This screen enables you to choose the attributes whose behavior you want to modify.
The Service Account attribute is consistently available across all resources. The Group
Name and Role attributes are available only on this screen because you imported the
iPlanet User resource request dataset into the MDS repository.
9. On the Step 4: Restrictions screen, select Do not allow users to enter values for this
attribute, if not already selected. Click Next when finished.

Selecting the first option prevents a user making a request from changing the Service
Account attribute. Because this is not a service account, the attribute does not need to
be displayed to the user.
10. On the Step 5: Additional Attributes page, you define additional attributes that are not
mapped to the resource, but are mapped to the request. This section enables you to
define additional fields that request additional information from the requester. This
information can be used to help the approver make their final decision.
Add the following attribute by using the information defined in the table and click Add
when finished:

Field             Value
Attribute Name    Project X Role
Data Type         String
Display Type      Text Field

11. After adding additional attributes to the request template, click Next to proceed.

12. On the Step 6: User Roles screen, search for the text Project*, to find all roles that start
with the term Project. Move the Project X Program Management Team role to the
Selected Roles area and click Next.

13. Verify the information is complete on the Step 7: Confirm screen, and click Finish when
finished.

14. Click OK after the request template has been created.

Your request template, Provision Project X Resources, has now been successfully created.

Practice 8-8: Create Approval Policies

Overview
In this practice, you create three approval policies to support the request template created. You
create one request-level approval policy, Provision Resource iPlanet User RL, which is
evaluated for the request-level approval itself. This approval policy calls the
BeneficiaryManagerApproval approval process.
You also create two operation-level approval policies. The first, Provision Resource iPlanet
User US OL, calls the ResourceAuthorizerApproval-US approval process. The second is the
Provision Resource iPlanet User India OL, which calls the ResourceAuthorizerApprovalIndia approval process.
Rules are used with each of the approval policies to ensure that the appropriate approval policy
is called as part of the request.

Assumptions

You completed all the preceding practices for this lesson.

You are logged in to the Oracle Identity Manager Administrative and User Console as
the xelsysadm user.

Tasks
1. Access the Oracle Identity Advanced Administration console, if you are not already
there.
2. Click the Policies tab. This should automatically select the Approval Policies sub-tab.
3. Click the Approval Policy entity creation wizard button to start the Approval Policy
entity creation wizard.

4. In the Create Approval Policy form, you are presented with the Step 1: Set Approval
Policy details screen. Populate the fields of the form as follows:

Field                    Value
Policy Name              Provision Resource - iPlanet User - RL
Description              Request-level approval policy for the Provision Project X Resources request template.
Request Type             Provision Resource
Level                    Request Level

Note: A best practice is to add the approval policy request type to the end of the policy
name. In this case, RL is added to the end of the policy name to show that it is a
request-level request.


5. In the Approval Process Configuration section, click the Search icon to the right of
the Approval Process field. Click the right arrow to search for all approval policies
visible to Oracle Identity Manager. Select default/BeneficiaryManagerApproval!1.0
and click Confirm.

This approval process locates the manager for the beneficiary of this request and
assigns that user as the approver of the task. This SOA composite is shipped with
Oracle Identity Manager.

6. Click Next to proceed to the next step.

7. On the Step 2: Set Approval Rule and Component screen, enter Provision Resource -
iPlanet User - RL - Rule in the Rule Name field.
Note: A best practice for the rule name is to use the approval policy name with the word
Rule added to the end of the name.

8. Click Add Simple Rule to create a rule for the approval policy. Select or enter the
information as follows and click Save when finished:

Field                    Value
Entity                   Request
Attribute                Template name
Condition                Equals
Value                    Provision Project X Resources
Parent Rule Container    Approval Rule

This rule checks that the request template name is equal to the text Provision Project X
Resources.

9. Expand the Approval Rule (OR) to view the rule added. Click Next when finished.

10. Click Finish after reviewing the summary page.

11. Click OK after the approval policy has been created.

12. Create an operation-level approval policy by clicking the Approval Policy entity
creation wizard button.
13. Use the following information on the Step 1: Set Approval Policy details screen:

Field                    Value
Policy Name              Provision Resource - iPlanet User - US - OL
Description              Operation level approval policy for the Provision Project X Resources request template for users in the United States.
Request Type             Provision Resource
Level                    Operation Level
Approval Process         default/ResourceAuthorizerApproval-US!1.0

14. Click the Search icon to the right of the Scope field.

15. Click the right-arrow to the right of the Search field to list all resources. Select
iPlanet User and click Confirm.

Note: This action limits the scope of the approval policy only to the iPlanet User
resource. This approval policy is evaluated only against requests that specify the iPlanet
User resource.

16. Click Next when complete.

17. On the Step 2: Set Approval Rule and Component screen, enter Provision Resource -
iPlanet User - US - OL - Rule, for the Rule Name.

18. Click Add Simple Rule and create a rule with the following properties:

Field                    Value
Entity                   Request
Attribute                Template Name
Condition                Equals
Value                    Provision Project X Resources
Parent Rule Container    Approval Rule

19. Create another simple rule with the following properties:

Field                    Value
Entity                   Beneficiary
Attribute                Country
Condition                Equals
Value                    United States
Parent Rule Container    Approval Rule

20. Click Approval Rule (OR) and click Modify Rule Components.

21. Select AND for the Operator field and click Apply.

22. Expand the Approval Rule (AND) container to verify the rules and click Next to proceed.

23. Click Finish after reviewing the summary for the approval policy.

24. Click OK after the approval policy has been created.

25. Create a second approval policy with the following information:

a. Approval Policy Details:

Field                    Value
Policy Name              Provision Resource - iPlanet User - India OL
Description              Operation level approval policy for the Provision Project X Resources request template for users in India.
Request Type             Provision Resource
Level                    Operation Level
Scope                    iPlanet User
Approval Process         default/ResourceAuthorizerApprovalIndia!1.0

b. Rules Details:

Field                    Value
Rule Name                Provision Resource - iPlanet User - India OL Rule

c. Simple Rule 1:

Field                    Value
Entity                   Request
Attribute                Template Name
Condition                Equals
Value                    Provision Project X Resources
Parent Rule Container    Approval Rule

d. Simple Rule 2:

Field                    Value
Entity                   Beneficiary
Attribute                Country
Condition                Equals
Value                    India
Parent Rule Container    Approval Rule

e. Change the rule container from Approval (OR) to Approval (AND).

f. Click Finish when you have completed all the screens.

You have now successfully created the approval policies required for the use case.
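The rule logic configured in Practice 8-8, as an added Python sketch that is not part of the Oracle course material and does not use any Oracle Identity Manager API: it evaluates the three policies against constructed requests and shows why the operation-level rule container is changed from OR to AND. Class names, function names and the Canada sample are assumptions, and how the product chooses among several matching policies is not modelled.

```python
"""Simplified model of the approval-policy rules from Practice 8-8.

Not Oracle Identity Manager code or its API. Class and function names are
hypothetical; only the Equals condition and AND/OR containers are modelled.
"""
from dataclasses import dataclass
from typing import Optional

TEMPLATE = "Provision Project X Resources"
RESOURCE = "iPlanet User"


@dataclass(frozen=True)
class SimpleRule:
    entity: str      # "Request" or "Beneficiary"
    attribute: str   # for example "Template Name" or "Country"
    value: str       # compared with the Equals condition

    def matches(self, request: dict) -> bool:
        return request.get(self.entity, {}).get(self.attribute) == self.value


@dataclass(frozen=True)
class RuleContainer:
    operator: str    # "AND" or "OR"
    rules: tuple

    def matches(self, request: dict) -> bool:
        results = [rule.matches(request) for rule in self.rules]
        if self.operator == "AND":
            return all(results)
        if self.operator == "OR":
            return any(results)
        raise ValueError(f"unknown operator: {self.operator!r}")


@dataclass(frozen=True)
class ApprovalPolicy:
    name: str
    level: str                   # "Request Level" or "Operation Level"
    approval_process: str
    rule: RuleContainer
    scope: Optional[str] = None  # resource the policy is limited to, if any


def build_policies(operation_operator: str = "AND") -> list:
    """The three policies from the practice. The operator of the two
    operation-level containers is a parameter so both settings can be compared."""
    template_rule = SimpleRule("Request", "Template Name", TEMPLATE)
    us_rule = SimpleRule("Beneficiary", "Country", "United States")
    india_rule = SimpleRule("Beneficiary", "Country", "India")
    return [
        ApprovalPolicy("Provision Resource - iPlanet User - RL", "Request Level",
                       "default/BeneficiaryManagerApproval!1.0",
                       RuleContainer("OR", (template_rule,))),
        ApprovalPolicy("Provision Resource - iPlanet User - US - OL", "Operation Level",
                       "default/ResourceAuthorizerApproval-US!1.0",
                       RuleContainer(operation_operator, (template_rule, us_rule)),
                       scope=RESOURCE),
        ApprovalPolicy("Provision Resource - iPlanet User - India OL", "Operation Level",
                       "default/ResourceAuthorizerApprovalIndia!1.0",
                       RuleContainer(operation_operator, (template_rule, india_rule)),
                       scope=RESOURCE),
    ]


def make_request(country: str) -> dict:
    """Constructed sample request for a beneficiary in the given country."""
    return {"Request": {"Template Name": TEMPLATE, "Resource": RESOURCE},
            "Beneficiary": {"Country": country}}


def approval_processes(policies: list, request: dict, level: str) -> list:
    """Approval processes of every policy at `level` whose scope and rule match."""
    resource = request["Request"].get("Resource")
    return [p.approval_process for p in policies
            if p.level == level
            and p.scope in (None, resource)
            and p.rule.matches(request)]


if __name__ == "__main__":
    for operator in ("AND", "OR"):
        policies = build_policies(operator)
        for country in ("United States", "India", "Canada"):
            matched = approval_processes(policies, make_request(country),
                                         "Operation Level")
            print(f"{operator:3} {country:13} -> {matched or 'no policy matches'}")
```

With the container left at OR, the template-name rule alone satisfies both operation-level policies, so a request for either user matches the US and the India policy; with AND, a beneficiary in a country that neither policy names matches no operation-level policy at all.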

Practice 8-9: Create Users for the Request


Overview


In this practice, you create the two users who are the beneficiaries of the request. The two
users, Linda Spitz and Priya Roshan, are located in the United States and India respectively.

Assumptions

You completed all the preceding practices for this lesson.

You are logged in to the Oracle Identity Manager Administrative and User Console as
the xelsysadm user.

You completed the practice titled Create Users in the document titled Practices for
Lesson 5.

Tasks

From the Oracle Identity Administration Console, create the users for the request using the
following values:

Field                        Value
First Name                   Linda
Last Name                    Spitz
Manager                      Valli Pataballa
Design Console Access        [cleared]
Organization                 Quality Assurance and Support
User Type                    Full-Time Employee
User Login                   LSPITZ
Password/Confirm Password    Welcome1
Country                      United States

Field                        Value
First Name                   Priya
Last Name                    Roshan
Manager                      Valli Pataballa
Design Console Access        [cleared]
Organization                 Quality Assurance and Support
User Type                    Full-Time Employee
User Login                   PROSHAN
Password/Confirm Password    Welcome1
Country                      India

Practice 8-10: Create a Request


Overview
In this practice, you create two requests as the user, Bob McCarren. One request is created for
Linda Spitz, while the other is created for Priya Roshan. You will view the status of the requests
to ensure that they have been properly created and have initiated the approval workflow.

Assumptions
You completed all the preceding practices for this lesson.

Tasks
1. If you are logged in to the system administration account, xelsysadm, click the Sign Out
link.
2. Log in to the Oracle Identity Manager User and Administrative Console as the Bob
McCarren user. The credentials are as follows:

Field                                 Value
User Name                             bmccarren
Password                              Welcome1

3. When you log in, you will be asked to update the password as well as the challenge
questions. Populate the Password Management screen with the following information:

Field                                 Value
Old Password                          Welcome1
Password                              Welcome1
Confirm Password                      Welcome1
What is your mother's maiden name?    Stewart
What is the name of your pet?         Spot
What is the city of your birth?       Galway

4. When successfully logged in, click the Self-Service link in the top-right corner to access
the Oracle Identity Manager Self Service console, if you are not already there.
5. Click the Create Request link in the Requests area.


6. On the Select Request Beneficiary screen, select Request for Others. This enables you
to create a request for users other than yourself.

7. On the Select Request Template screen, select Provision Project X Resources from
the Request Template pull-down menu. Click Next when finished.

This is the request template that you created earlier. Only request templates made
available to roles to which Bob McCarren has been assigned will be displayed in the
pull-down menu. The list seen here also differs from the request templates when you
select Request for Others on the Request Beneficiary screen. The request types
determine which lists are available to the Request for Me or the Request for Others
screen.
8. The Select Users screen enables you to select one or more users for the request. In the
Last Name search field, enter Spitz as the search criteria and click Search. Move the
entry for Linda Spitz to the Selected Users area and click Next to continue.

Note: In order to perform searches on this screen, the user performing the search must
be assigned to the IDENTITY USER ADMINISTRATIONS role. If not assigned, the user
cannot perform any searches against the Oracle Identity Manager users.

9. Click the right arrow to list all resources available to this request template. Select
iPlanet User from the list and move it to the Selected Resources area. Click Next when
complete.

The list of resource objects was restricted by the request template. In this case, the user
will only see the iPlanet User resource object. If there were no restrictions, the user
would be able to search for all available resource objects in Oracle Identity Manager.
10. On the Resource Details screen, click Add in the iPlanet User Groups tab.


This screen reflects the attribute restrictions made when you created the request
template. If the Service Account attribute had not been restricted, it would have been
displayed on this page, enabling you to change the value of the attribute.


11. Click Search to search for all available groups. Move OIM-SJSDS-Group-Default to
the Selected column and click Add.

The text displayed in this search is the value in the Decode field for the lookup definition
code, Lookup.IPNT.UserGroup.
12. On the iPlanet User Roles tab, click Add.

13. Click Search. Move OIM-SJSDS-Role-Default to the Selected column and click
Add.

14. Click Next to proceed.

15. On the Enter Additional Data screen, enter Course Developer in the Project X Role
field. Click Next when complete.

The Additional Data screen reflects the custom fields that you entered when creating the
request template.
16. On the Justification screen, enter the following for the Justification field:
This user must be provisioned to this directory server as a requirement for
accessing other project related services.
Click Finish when complete.

17. You are now presented with a tracking ID for the request. Click the link for the Request
ID to view information on the request created.

18. The Request Details page for the specified request provides the requester with the
request ID, type, current status, requester name, and the beneficiary's name. It also
includes the justification provided for the request, as well as the effective date, and the
parent ID that may have spawned this request.

19. Click the Approval Tasks tab to view the status of the approval tasks associated with
the request.

The request is awaiting the beneficiary manager's approval for the task created for the
request. In this case, the task has been assigned to Valli Pataballa.

20. Click the Requests tab to view all requests made by the user.

By clicking on the line for the request, you can obtain additional details on the request or
withdraw the request. The request created in this example is now Obtaining Request
Approval. The Status field indicates the current state of the request.
21. From the Welcome tab, create a similar request for Priya Roshan by using the Provision
Project X Resources request template. Use the following information for the additional
attributes and justification:

Field                    Value
Selected Resource(s)     iPlanet User
iPlanet User Groups      OIM-SJSDS-Group-Default
iPlanet User Roles       OIM-SJSDS-Role-Default
Project X Role           Course Developer QA
Justification            This user must be provisioned to this directory server as a requirement for accessing other project related services.

22. Click the My Requests tab to view requests created by the current user.

In this example, the request list was filtered by updating the Status field to Obtaining
Request Approval and clicking Search.

You have now successfully created the requests for the users Linda Spitz and Priya Roshan.
The workflows for the requests have been initiated and you will follow the workflow, approving it
where necessary.


Practice 8-11: Approve Tasks and Verify Provisioning


Overview
In this practice, you approve the request-level tasks as the manager of Linda Spitz and Priya
Roshan. You then approve the operation-level task for Linda Spitz and reject it for Priya
Roshan.
After creating the requests, the manager for both users, Valli Pataballa, approves the request.
The request for Linda Spitz is forwarded onto Charlie List, because Linda is located in the
United States. He approves the request. After he approves the request, the user is provisioned
to the iPlanet User. The request for Priya Roshan is forwarded onto Sarah Whitman, because
Priya is located in India. She rejects the request with a comment stating the reason for the
rejection.
You will then access the Sun Directory Server to verify that Linda Spitz has been provisioned to
the resource, while Priya Roshan has not.

Assumptions

You completed all the preceding practices for this lesson.

Tasks
1. If you are logged in as Bob McCarren, click Sign Out to log out.
2. Log in to the Oracle Identity Manager User and Administrative Console as Valli
Pataballa, using the following credentials:

Field                                 Value
User Name                             vpatabal
Password                              Welcome1

3. When prompted to make changes on the Password Management screen, use the
following information:

Field                                 Value
Old Password                          Welcome1
Password                              Welcome1
Confirm Password                      Welcome1
What is your mother's maiden name?    Haryana
What is the name of your pet?         Celia
What is the city of your birth?       Delhi

4. Access the Oracle Identity Manager Self Service Console by clicking on the Self-Service link.

5. Click the Search Approval Tasks link in the Tasks panel.

6. The Approval Tasks screen is presented. On this screen, you can view existing tasks
that have been assigned to you or to roles that you have. Click the line of the task for
Linda Spitz and click Open Task Detail.

7. From the Task Details page, you can approve, reject, reassign, or request more
information about this approval task. You are supplied with detailed information on the
task, including the task name, the current status, to whom the request has been
assigned, and the date of the assignment. Additional information shows the type of
request, the date of the request, the current status of the overall request, and the
requester and beneficiary information. The resource to be provisioned to the beneficiary
is displayed in the Resources tab.
Click the Request History tab after reviewing the information on the task and request.

Note: The Task Name, Beneficiary manager approval for Request ID #, is defined
directly in the approval process, BeneficiaryManagerApproval. Customizing the task
name enables your users to differentiate the different types of requests that they receive.


8. The Request History tab shows the overall workflow of the request itself, including the
current state. Here, the request is awaiting request-level approval.
Click Approve Task after you have completed reviewing the task.

9. Once the task has been approved, click OK to complete the process.

10. Click Search on the Approvals page to list the current status of all tasks awaiting
approval from you or your roles. You should now have only the approval task for Priya
Roshan. The task for Linda Spitz has now moved onto the next stage in the workflow.

11. Approve the task for Priya Roshan.


12. After verifying that Valli has no additional tasks, click Sign Out to log out of Oracle
Identity Manager User and Administrative Console.

13. Log in to the Oracle Identity Manager User and Administrative Console as Charlie List by
using the following credentials:

Field                                 Value
User Name                             clist
Password                              Welcome1

14. When prompted to make changes on the Password Management screen, use the
following information:

Field                                 Value
Old Password                          Welcome1
Password                              Welcome1
Confirm Password                      Welcome1
What is your mother's maiden name?    Lewis
What is the name of your pet?         Rafraf
What is the city of your birth?       St. Louis

15. If not already in the Oracle Identity Manager Self Service Console, click the Self-Service
link.
16. Click Search Approvals Tasks to load the list of approval tasks requiring attention from
this user.
17. In the task list area, you will see the approval task awaiting an action from this user. The
approval task has been assigned to the US-Resource-Approvers role. Any member of
that role is capable of approving the task.
Click the line for the task for Linda Spitz and click Open Task Detail or click the link of
the request ID.

18. From the Basic Details section of the task details, the task name is shown as Resource
Authorizer Approval (US) for Request ID #, where # represents the request ID number
assigned to the request. The status is Pending, and the task has been assigned to
US-Resource-Approvers.
Click the Request History tab to view the current workflow of the request.

19. The request is now awaiting operational approval at this stage of the workflow. After the
approval has been made, the request will move on to provisioning the user to the
resource specified under the Resources tab.
Click Approve Task to approve this stage of the workflow.

20. Click OK after the approval has been completed. You should no longer see any approval
tasks awaiting an action on the Approvals page.
Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8


Chapter 8 - Page 95

21. Log out of the Oracle Identity Manager User and Administrative Console.
22. Log in to the Oracle Identity Manager User and Administrative Console as Sarah
Whitman, using the following credentials:

Unauthorized reproduction or distribution prohibited Copyright 2011, Oracle and/or its affiliates

Field

Value

User Name

swhitman

Password

Welcome1

23. When prompted to make changes on the Password Management screen, use the
following information:
Field

Value

Old Password

Welcome1

Password

Welcome1

Confirm Password

Welcome1

What is your mothers maiden name?

Charles

a
s
a
h
)
What is the name of your pet?
Sweetie
a
c ide

o
i
What is the city of your birth?
Auckland
ar t Gu
t
n
24. From the Identity Manager Self Service Console, click Search Approvals Tasks.
25. Select the line for the request for Priya Roshan and click Open Task Detail.
26. From the Basic Details section, note that the task name is Resource Authorizer Approval
(India) for Request ID #, where # represents the request ID. This task has been
assigned to the India-Resource-Approvers. Any member of that role is capable of
approving or rejecting this task.
Click Reject Task.

27. Provide the following reason for the rejection: The quota of accounts has already
been filled for this location. Access the following link for alternative options:
http://learningit.example.com/resourceAllocation.htm.
Click Reject when finished.

28. Log out of Oracle Identity Manager User and Administrative Console.
29. Log in to the Oracle Identity Manager User and Administrative Console as Bob
McCarren by using the login ID, bmccarren, and password, Welcome1.
30. From the Oracle Identity Manager Self Service Console, click the Requests tab.
The operations should now be completed for each of the requests initiated by you.

31. Refresh the Sun ONE Server Console. To do this, click the View menu and select
Refresh from the menu that appears.

32. Expand the dc=us,dc=oracle,dc=com node and select the People organization.

LSPITZ appears in the associated pane. PROSHAN should not exist in this pane, as this
user was rejected at the operational level, and so was not provisioned to the directory
server.
33. Exit the Oracle Identity Manager Design Console.
34. Exit JDeveloper, if it is still open.
35. Shut down Oracle SOA Server.
Note: For more information about stopping this server, refer to the document titled
"Practices for Lesson 3."

Practices for Lesson 9
Chapter 9

Practices Overview

In these practices, you become familiar with implementing authoritative and account
reconciliation workflows for Oracle Identity Manager 11g. Specifically, you learn how to:
- Implement an authoritative reconciliation workflow that Oracle Identity Manager uses to
  recognize a new user account on a trusted source, and transfer this account into
  Oracle Identity Manager. For this practice, Microsoft Active Directory represents the
  trusted source.
- Implement an account reconciliation workflow that Oracle Identity Manager uses to
  recognize modified user-related information on a target resource, and transfer this
  information into Oracle Identity Manager. For this practice, the user's email address is
  the user information that is modified, and Sun Java System Directory Server
  represents the target resource.
Your tasks for setting up and running authoritative and account reconciliation workflows include:
1. Starting Microsoft Active Directory and Sun Java System Directory Server so that Oracle
Identity Manager can reconcile with these resources.
2. Configuring each resource so that the associated Oracle Identity Manager connector
functions with it for reconciliation purposes. This includes creating organizations within
Microsoft Active Directory and Sun Java System Directory Server that match
organizations in Oracle Identity Manager. For the practices in this lesson, Curriculum
represents the organization in Microsoft Active Directory and People represents the
organization in Sun Java System Directory Server.
3. Copying connector and external code files for the Microsoft Active Directory and
Sun Java System Directory Server connectors to folders on Oracle Identity Manager
Server. This copying ensures that the connectors function with Oracle Identity Manager.
4. Configuring Oracle Identity Manager Server. This includes clearing content related to
connector files from the Server cache and enabling logging.
5. Import the connector files. Import files that represent Oracle Identity Manager
connectors. These connectors represent the trusted source (Microsoft Active Directory)
or target resource (Sun Java System Directory Server) with which you are reconciling to
implement an authoritative or account reconciliation workflow. The files that you import
contain definitions of connector components. By importing the connector files, you
create these components in Oracle Identity Manager.
6. Define IT resources. Provide IT resource parameter values for specific computers,
services, or applications represented by each connector. By importing Oracle Identity
Manager connectors, you transfer any IT resource types for each connector into your
environment. However, because an IT resource contains administrative credentials
that Oracle Identity Manager requires to provision a user to a specific resource or
reconcile with a resource (for this practice, Microsoft Active Directory and Sun Java
System Directory Server), you must create a definition for each resource.
7. Modify scheduled jobs. Scheduled jobs are records that are created or imported into
Oracle Identity Manager (along with other components of the connectors that are
imported). These records contain tasks that are configured to run in Oracle Identity
Manager at a particular date and time, or on demand. For this practice, these tasks
include:
   - Recognizing a new user account on an authoritative source (Microsoft Active
     Directory), and bringing this account into Oracle Identity Manager
   - Recognizing modified user-related information on a target resource (for this practice,
     a user's email address in Sun Java System Directory Server), and transferring this
     information into Oracle Identity Manager
8. Reconcile with the trusted source (Microsoft Active Directory) and target resource (Sun
Java System Directory Server). Specifically:
   - Creating a user record in the Curriculum organization of Microsoft Active Directory.
     Through the authoritative reconciliation workflow, the user's record is detected
     within the trusted source and brought into Oracle Identity Manager automatically.
   - Editing the e-mail address of a user in Sun Java System Directory Server. Through
     the account reconciliation workflow, the modified user-related information is
     detected within the target resource and brought into Oracle Identity Manager
     automatically.
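
The two workflows described above differ in what they are allowed to change, which the following added example models in Python. It is not Oracle Identity Manager code and is not part of the course material: the record layout, matching on login name, the event names, and all sample entries are assumptions constructed for illustration.

```python
"""Simplified model of authoritative vs. account reconciliation (added example)."""
from dataclasses import dataclass, field


@dataclass
class OimUser:
    login: str
    email: str
    organization: str
    # resource name -> attributes of the account recorded for this user
    accounts: dict = field(default_factory=dict)


def authoritative_recon(trusted_entries, oim_users, organization):
    """Trusted-source run: create users for identities not yet known.

    Only entries in the organization that exists on both sides are in scope.
    """
    events = []
    for entry in trusted_entries:
        login = entry["login"]
        if entry["ou"].lower() != organization.lower():
            events.append(("ignored-out-of-scope", login))
        elif login.lower() in oim_users:
            events.append(("no-change", login))
        else:
            oim_users[login.lower()] = OimUser(login, entry.get("mail", ""), organization)
            events.append(("user-created", login))
    return events


def account_recon(resource, target_entries, oim_users, attrs=("mail",)):
    """Target-resource run: pull changed account attributes into the model.

    An account with no matching user is reported as an orphan and never
    becomes a new identity; only the trusted source creates users.
    """
    events = []
    for entry in target_entries:
        uid = entry["uid"]
        user = oim_users.get(uid.lower())
        if user is None:
            events.append(("orphan-account", uid))
            continue
        known = user.accounts.setdefault(resource, {})
        for attr in attrs:
            old, new = known.get(attr), entry.get(attr)
            if old != new:
                known[attr] = new
                events.append(("account-updated", uid, attr, old, new))
    return events


# Constructed entries standing in for the Curriculum organization in Active Directory.
SAMPLE_TRUSTED = [
    {"login": "JDOE", "ou": "Curriculum", "mail": "jdoe@example.com"},
    {"login": "LSPITZ", "ou": "Curriculum", "mail": "lspitz@example.com"},
    {"login": "TEMP01", "ou": "Contractors", "mail": "temp01@example.com"},
]
# Constructed entries standing in for the People organization in the directory server.
SAMPLE_TARGET = [
    {"uid": "LSPITZ", "mail": "lspitz@new.example.com"},
    {"uid": "SVC_BACKUP", "mail": "backup@example.com"},
]


def run_demo():
    """Run both workflows once against the constructed sample data."""
    oim = {
        "lspitz": OimUser("LSPITZ", "lspitz@example.com", "Curriculum",
                          {"Sun DS": {"mail": "lspitz@example.com"}}),
    }
    created = authoritative_recon(SAMPLE_TRUSTED, oim, "Curriculum")
    changed = account_recon("Sun DS", SAMPLE_TARGET, oim)
    return oim, created, changed


if __name__ == "__main__":
    _, created, changed = run_demo()
    for event in created + changed:
        print(event)
```

The orphan-account event is the one worth reviewing after a real run: it marks an account on the target resource that no managed identity owns.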

Important: For the practices in this lesson, <hostname> represents the host name of the
machine on which the practices are completed. Because the host name for your machine is
unique, replace all references of <hostname> with the host name of your machine.
To retrieve the host name of your machine:
1. Open a DOS window.
2. At the DOS prompt, enter hostname. The host name of your machine appears.

Practice 9-1: Start Microsoft Active Directory and Sun Java System
Directory Server

Overview
In this practice, you learn how to start the consoles for Microsoft Active Directory and Sun Java
System Directory Server. For Oracle Identity Manager to reconcile with Microsoft Active
Directory and Sun Java System Directory Server, these applications must be running. The
consoles help to verify their current state.

Assumptions
Microsoft Active Directory and Sun Java System Directory Server are installed and are running.

Task: Starting Microsoft Active Directory Console


Important: For this course, the Instructor is to provide students with a demonstration of how to
start Microsoft Active Directory. Therefore, the Microsoft Active Directory portion of this practice
is to be completed by the Instructor, not the student.
Start Microsoft Active Directory. From the Windows Start Menu, select Programs >
Administrative Tools > Active Directory Users and Computers.

The Active Directory Users and Computers window appears.

You started the Microsoft Active Directory console.

Important: If the Active Directory Users and Groups menu item does not appear, complete
the following steps:
1. Proceed to the Help and Support menu, located within the Start button at the lower-left-hand
corner of the screen.

2. From the Help and Support Center window, select Common Administrative Tasks.
3. On the Common Administrative Tasks pane, select the Creating user and group
accounts link.

A page appears that has the missing link from the Windows Start menu: Programs >
Administrative Tools > Active Directory Users and Computers.
4. Connect to one of the two Microsoft Active Directory PCs used for this course. The
Active Directory Users and Computers window appears. In that window, select Action >
Connect to Domain Controller.

The Connect to Domain Controller window appears.

5. In this window, enter the hostname of either Microsoft Active Directory machine used for
the course (for example, EDCHR4P1 or EDCHR4P2). This should give you the needed
train11.oim.com domain controller in the Active Directory Users and Computers
window.

Task: Starting Sun Java System Directory Server Console


Note: For more information about starting Sun Java System Directory Server, refer to the
document titled Practices for Lesson 6.

Practice 9-2: Configure the External Resources

Overview
You are ready to configure Microsoft Active Directory and Sun Java System Directory Server so
that the associated Oracle Identity Manager connectors function with these resources for
reconciliation purposes. This includes creating organizations within Microsoft Active Directory
and Sun Java System Directory Server that match organizations in Oracle Identity Manager. At
run time, users from these organizations are retrieved and transferred into Oracle Identity
Manager.
For this practice, Curriculum represents the organization in Microsoft Active Directory and
People represents the organization in Sun Java System Directory Server.
In this practice, you use Microsoft Active Directory to create the Curriculum organization. Then,
you use Sun Java System Directory Server to create the People organization.

Assumptions
You completed the practice titled Start Microsoft Active Directory and Sun Java System
Directory Server.

Tasks: Configuring Microsoft Active Directory


Important: For this course, the Instructor is to provide students with a demonstration of how to
create the Curriculum organization in Microsoft Active Directory. Therefore, the Microsoft Active
Directory portion of the practice is to be completed by the Instructor, not the student.
1. Right-click the train11.oim.com node in the Active Directory Users and Computers
window.
2. From the pop-up menu that appears, select New > Organizational Unit.

3. On the New Object - Organizational Unit window, enter Curriculum in the Name field.
Then click OK.

The Curriculum organization appears in the Active Directory Users and Computers
window.

This organization matches the organization that you created in Oracle Identity Manager
in the practice titled Practices for Lesson 5. Because of this match, at run time, Oracle
Identity Manager reconciles users from this organization.

Task: Configuring Sun Java System Directory Server


Note: The People organization was created automatically when you installed Sun Java System
Directory Server. Therefore, you do not have to create it.

Practice 9-3: Copy Connector and External Code Files

Overview
In this practice, you transfer Oracle Identity Manager connector files and external code files for
Microsoft Active Directory and Sun Java System Directory Server to folders on Oracle Identity
Manager Server. With this file transfer, the associated connectors can function with Oracle
Identity Manager.

Assumptions
You completed all the practices for this lesson (that is, practices 9-1 through 9-2).

Tasks: Microsoft Active Directory


1. Copy the xliActiveDirectory.jar file, which resides in the
D:\stage\OIM_11g_Connectors\AD\MSFT_AD_Base_91140\lib directory.
2. Paste this file into the
D:\app\oracle\product\middleware\iam_home\server\JavaTasks directory.

3. Copy the xliADRecon.jar file, which resides in the
D:\stage\OIM_11g_Connectors\AD\MSFT_AD_Base_91140\lib directory.
4. Paste this file into the
D:\app\oracle\product\middleware\iam_home\server\ScheduleTask
directory.
5. Copy the ldapbp.jar and ldapsdk-4.1.jar files, which reside in the
D:\stage\labs\lab_09 directory.

6. Paste these files into the
D:\app\oracle\product\middleware\iam_home\server\ScheduleTask directory.
7. Copy all files that reside in the
D:\stage\OIM_11g_Connectors\AD\MSFT_AD_Base_91140\resources directory.
8. Paste these files into the
D:\app\oracle\product\middleware\iam_home\server\connectorResources directory.

9. Copy the D:\stage\OIM_11g_Connectors\AD\MSFT_AD_Base_91140\scripts
directory.
10. Paste this directory into the
D:\app\oracle\product\middleware\iam_home\server directory.
As a result, the scripts directory and all of its files are nested in the
D:\app\oracle\product\middleware\iam_home\server directory.
11. Copy the D:\stage\OIM_11g_Connectors\AD\MSFT_AD_Base_91140\test
directory.
12. Paste this directory into the
D:\app\oracle\product\middleware\iam_home\server directory.

As a result, the test directory and all of its files and subdirectories are nested in the
D:\app\oracle\product\middleware\iam_home\server directory.

Tasks: Sun Java System Directory Server


Note: For more information about transferring Oracle Identity Manager connector files and
external code files for Sun Java System Directory Server to folders on Oracle Identity Manager
Server, refer to the document titled Practices for Lesson 6.

Practice 9-4: Configure Oracle Identity Manager Server


Overview

In this practice, you configure Oracle Identity Manager Server. This includes performing the
following actions:

- Clearing content related to connector files from the Server cache. In the practice titled
  Copy Connector and External Code Files, you copied connector and external code
  files to folders on Oracle Identity Manager Server. Some files are copied to the
  D:\app\oracle\product\middleware\iam_home\server\connectorResources folder.
  Whenever you add a new file or change an existing file in this folder, you must clear
  content related to connector files from the Server cache.
- Enabling logging. When you enable logging, Oracle Identity Manager stores
  information in a log file about events that occur during the course of provisioning and
  reconciliation operations. In addition, you customize the log level to specify the type of
  event for which you want logging to take place.
  Note: By setting the log level for Microsoft Active Directory, Oracle Identity Manager
  logs information about events that occur during provisioning and reconciliation with this
  resource.

Assumptions
You completed all the practices for this lesson (that is, practices 9-1 through 9-3).

Tasks
1. Open a DOS window. From the Windows Start Menu, select Run.
2. In the Run window, enter cmd in the Open field and click OK.
3. In the DOS window, navigate to the
D:\app\oracle\product\middleware\iam_home\server\bin directory.
4. Enter set WL_HOME=D:\app\oracle\product\middleware\wls_home at the
DOS prompt (and press Enter).
Note: You enter the command in step 4 to set the WL_HOME environment variable to the
base directory of Oracle WebLogic Server.
5. Enter setEnv.bat at the DOS prompt (and press Enter).

Note: You enter the command in step 5 to set environment variables for Oracle Identity
Manager.
6. Enter PurgeCache.bat ConnectorResourceBundle at the DOS prompt (and press
Enter).

7. Enter values for the prompts that appear, as follows (and press Enter after each value):

Prompt                      Value
Enter the admin username    xelsysadm
Enter the admin username    Welcome1
Enter the service url       t3://localhost:7007

Important: If you are not able to purge the cache successfully, replace localhost with
<hostname> for your service URL. For example, if the host name of your machine is
edtdr22p1, enter t3://edtdr22p1:7007 at the Enter the service url prompt.
Note: For security purposes, the password you enter is hidden. Also, 7007 is the port
reserved for Oracle Identity Manager.
Oracle Identity Manager empties the content from its Server cache. After the cache is
cleared, a DOS prompt appears.

You are ready to set the log level for Microsoft Active Directory.
8. In Windows Explorer, navigate to the D:\app\oracle\product\middleware\
iam_home\server\config directory.
9. Using Microsoft Wordpad, open the log.properties file.

10. Add the following line of code to this file:


log4j.logger.XL_INTG.ACTIVEDIRECTORY=WARN

Note: By setting the log level for Microsoft Active Directory (ACTIVEDIRECTORY),
Oracle Identity Manager logs information about events that occur during provisioning
and reconciliation with this resource. Also, for more information about setting the log
level for Sun Java System Directory Server, refer to the document titled Practices for
Lesson 6.
11. Save your changes to the log.properties file. Close the file.
12. Restart Oracle Identity Manager Server.
Note: For more information about restarting this server, refer to the document titled
Practices for Lesson 3.

Practice 9-5: Import Oracle Identity Manager Connectors

Overview
In this practice, log in to the Oracle Identity Manager Identity Administration Console with the
xelsysadm superuser account. Use the Connector Installer to import Oracle Identity Manager
connectors for Microsoft Active Directory and Sun Java System Directory Server into your
environment.

Assumptions
You completed all the practices for this lesson (that is, practices 9-1 through 9-4).

Tasks: Microsoft Active Directory


1. From Windows Explorer, navigate to the D:\stage\OIM_11g_Connectors\AD
directory.
2. Copy the MSFT_AD_Base_91140.zip file, which resides in this directory.

3. Paste this file into the
D:\app\oracle\product\middleware\iam_home\server\ConnectorDefaultDirectory directory.
4. Unzip the MSFT_AD_Base_91140.zip file into this directory.
Note: The MSFT_AD_Base_91140 folder is automatically created and nested in the
D:\app\oracle\product\middleware\iam_home\server\ConnectorDefaultDirectory directory.
5. Launch the Oracle Identity Manager Identity Administration Console.
6. Log in to this console with the xelsysadm superuser account.
Note: For more information about launching the Oracle Identity Manager Identity
Administration Console, refer to the document titled Practices for Lesson 3.
7. On the Home page of this console, click the Advanced link to access the Oracle Identity
Manager Advanced Administration console.

8. On the Home page of the Oracle Identity Manager Advanced Administration Console,
click the Install Connector link (located in the System Management pane).
Note: For more information about the Oracle Identity Manager Advanced Administration
Console, refer to the lesson titled Launching Oracle Identity Manager.
9. From the Connector List box, select the name of the connector that you want to import
into Oracle Identity Manager (for this practice, ActiveDirectory9.1.1.4). Click Load.

10. After verifying that the Connector History Details and Connector Dependency Details
panes are populated with information, click Continue.

The following tasks are performed in sequence:
- Configuration of Connector Libraries
- Import of Connector XML Files
- Compilation of Adapter Definitions


Note: For more information about these tasks, refer to the document titled Practices for
Lesson 6.
On successful completion of a task, a green check mark is displayed for the task. If all
three tasks of the connector installation process are successful, a message indicating a
successful installation appears.

11. Click Finish.

Now that you have imported an Oracle Identity Manager connector for Microsoft Active
Directory, you are ready to configure this connector to operate it in your environment.

Tasks: Sun Java System Directory Server

For more information about using the Connector Installer to import the connector for Sun Java
System Directory Server into Oracle Identity Manager, refer to the document titled Practices for
Lesson 6.

Practice 9-6: Define IT Resources

Overview
By importing your Oracle Identity Manager connector, you transfer any IT resource types for that
connector into your environment. However, because an IT resource contains administrative
credentials that Oracle Identity Manager requires to provision a user to a specific resource or
reconcile with a resource (for this practice, Microsoft Active Directory and Sun Java System
Directory Server), you must create a definition for each resource.
In this practice, you create IT resources for Microsoft Active Directory and Sun Java System
Directory Server.

Assumptions
You completed all the practices for this lesson (that is, practices 9-1 through 9-5).

Tasks: Microsoft Active Directory

1. Navigate to the Home page of the Oracle Identity Manager Advanced Administration
Console.
Note: For more information about accessing the Home page of this console, refer to the
document titled Practices for Lesson 6.
2. On the Home page of the Oracle Identity Manager Advanced Administration Console,
click the Create IT Resource link (located in the Configuration pane).
3. Populate the fields of the Provide IT Resource Information page that appears.

Field               Value
IT Resource Name    AD IT Resource
IT Resource Type    AD Server
Remote Manager      [do not populate]

Note: AD Server is the name of the IT resource type that you imported for Microsoft
Active Directory (along with the other components of the connector). For more
information about assigning an IT resource type to an IT resource, refer to the document
titled Practices for Lesson 6.
4. On the Provide IT Resource Information page, click Continue.

5. Parameters for your IT resource type appear. Enter values for parameters of your IT
resource on the Specify IT Resource Parameter Page, as follows:

Parameter                          Value
ADAMLockoutThresholdValue
ADGroup LookUp Definition          Lookup.ADReconciliation.GroupLookup
Admin FQDN                         administrator@train11.oim.com
Admin Password                     e1car0
Allow Password Provisioning        yes
AtMap ADGroup                      AtMap.ADGroup
AtMap ADUser                       AtMap.AD
Invert Display Name                no
isADAM                             no
isUserDeleteLeafNode               no
Port Number                        389
Remote Manager Prov Lookup         AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path    [do not populate]
Root Context                       ou=Curriculum,dc=train11,dc=oim,dc=com
Server Address                     <hostname>.us.oracle.com
Target Locale: TimeZone            GMT
UPN Domain                         [do not populate]
Use SSL                            no

Important: The value of the <hostname> represents the host name of the machine on
which Microsoft Active Directory resides (not the Oracle Identity Manager machine). To
find the hostname, open a DOS window on the Microsoft Active Directory machine, and
enter hostname at the DOS prompt.

Note: To enter a value into the Value field, click the designated field. Also, for security
purposes, the password appears as a series of bullets (•).
For more information about parameters and values of the AD IT Resource, refer to the
lesson titled Understanding Reconciliation.

6. Click Continue.

7. On the Set Access Permission to IT Resource page, click Continue.
Note: For more information about this page, refer to the document titled Practices for
Lesson 6.
8. On the Verify IT Resource Details page, review information that you provided on the
Provide IT Resource Information, Specify IT Resource Parameter Page, and Set Access
Permission to IT Resource pages. Click Continue.

Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9


Chapter 9 - Page 24

Unauthorized reproduction or distribution prohibited Copyright 2011, Oracle and/or its affiliates

9. On the IT Resource Connection Result page, click Create.

Note: Some predefined connectors come equipped with a connectivity test that is run by
using the IT resource information provided in the Specify IT Resource Parameter Page.
The IT Resource Connection Result page displays the results of this connectivity test.
For this practice, Oracle Identity Manager is able to use the credentials that you
specified for the IT resource to connect to Microsoft Active Directory successfully. As a
result, the Successfully established connection to the AD IT Resource message
appears on the IT Resource Connection Result page.

10. On the IT Resource Created page, click Finish.


You have defined an IT resource for Microsoft Active Directory.

Tasks: Sun Java System Directory Server


For more information about defining an IT resource for Sun Java System Directory Server, refer
to the document titled Practices for Lesson 6.


Practice 9-7: Modify Scheduled Jobs


Overview
In this practice, you modify two scheduled jobs: one for Microsoft Active Directory and one for
Sun Java System Directory Server. Scheduled jobs are records that are created or imported into
Oracle Identity Manager (along with other components of the connectors that are imported).
These records contain tasks that are configured to run in Oracle Identity Manager at a particular
date and time, or on demand. For this practice, these tasks include:

- Recognizing a new user account on an authoritative source (Microsoft Active
  Directory), and bringing this account into Oracle Identity Manager
- Recognizing modified user-related information on a target resource (for this practice, a
  user's email address in Sun Java System Directory Server), and transferring this
  information into Oracle Identity Manager
You must modify the scheduled job for Microsoft Active Directory so that it contains:
- The IT resource, which contains administrative credentials that Oracle Identity
  Manager requires to reconcile with Microsoft Active Directory
- The location in Microsoft Active Directory where Oracle Identity Manager is to retrieve
  the user's account. This is known as the Base DN.
You also have to modify the scheduled job for Sun Java System Directory Server so that it
contains:
- The IT resource, which contains administrative credentials that Oracle Identity
  Manager requires to reconcile with Sun Java System Directory Server
- The Base DN in Sun Java System Directory Server where Oracle Identity Manager is
  to retrieve the modified user-related information (for this practice, the user's email
  address)

Assumptions
You completed all the practices for this lesson (that is, practices 9-1 through 9-6).

Tasks: Microsoft Active Directory


1. Navigate to the Home page of the Oracle Identity Manager Advanced Administration
Console.
Note: For more information about accessing the Home page of this console, refer to the
document titled Practices for Lesson 6.
2. On the Home page of the Oracle Identity Manager Advanced Administration Console,
click the Search Scheduled Jobs link (located in the System Management pane).

3. In the Search Scheduler text field, enter AD User Trusted Recon. Click Search (the
arrow button to the right of the text field).

4. In the Search region, click the AD User Trusted Recon link.

Note: AD User Trusted Recon is the name of the scheduled job for Microsoft Active
Directory. For this practice, this job is used to recognize a new user account on an
authoritative source (Microsoft Active Directory), and bring this account into Oracle
Identity Manager.
5. Modify the default values for the AD User Trusted Recon scheduled job, as follows:

Field              Old Value          New Value
IT Resource Name   ADITResource       AD IT Resource
Search Base        [not populated]    ou=Curriculum,dc=train11,dc=oim,dc=com
OIM Organization   Xellerate Users    Curriculum

Note: AD IT Resource is the name of the IT resource that you defined in the practice
titled Define IT Resources. This IT resource contains administrative credentials that
Oracle Identity Manager requires to reconcile with Microsoft Active Directory.
ou=Curriculum,dc=train11,dc=oim,dc=com is the location in Microsoft Active
Directory where Oracle Identity Manager is to retrieve the user's account. This is known
as the Base DN.
The OIM Organization field contains the name of the Oracle Identity Manager
organization in which reconciled users are to be created. For this practice, users who are
transferred from Microsoft Active Directory into Oracle Identity Manager through an
authoritative reconciliation workflow are to be placed into the Curriculum organization.

6. Click Apply.

You have modified the scheduled job for Microsoft Active Directory. You are ready to
modify the scheduled job for Sun Java System Directory Server.

Tasks: Sun Java System Directory Server


1. In the Search Scheduler text field, enter iPlanet User Target Recon Task. Click
Search (the arrow button to the right of the text field).
2. In the Search region, click the iPlanet User Target Recon Task link.

Note: iPlanet User Target Recon Task is the name of the scheduled job for Sun Java
System Directory Server. For this practice, this job is used to recognize modified
user-related information on a target resource (for this practice, a user's email address in
Sun Java System Directory Server), and transfer this information into Oracle Identity
Manager.
3. Modify the default values for the iPlanet User Target Recon Task scheduled job, as
follows:

Field            Old Value                   New Value
ITResourceName   iPlanet User                Sun IT Resource
SearchBase       dc=corp,dc=company,dc=com   ou=people,dc=us,dc=oracle,dc=com

Note: Sun IT Resource is the name of the IT resource that you defined in the
practice titled Define IT Resources. This IT resource contains administrative
credentials that Oracle Identity Manager requires to reconcile with Sun Java System
Directory Server.
ou=people,dc=us,dc=oracle,dc=com is the Base DN in Sun Java System
Directory Server where Oracle Identity Manager is to retrieve the modified user-related
information (for this practice, the user's email address).

4. Click Apply.

You have modified the scheduled job for Sun Java System Directory Server.

Practice 9-8: Reconcile with a Trusted Source and a Target Resource


Overview

In this practice, you implemented an authoritative reconciliation workflow and an account
reconciliation workflow. As a result, Oracle Identity Manager can:
- Recognize a new user account on a trusted source, and transfer this account into
  Oracle Identity Manager. For this practice, Microsoft Active Directory represents the
  trusted source.
- Detect modified user-related information on a target resource, and transfer this
  information into Oracle Identity Manager. For this practice, the user's email address is
  the user information that is modified, and Sun Java System Directory Server
  represents the target resource.
For this practice, first create a user record in the Curriculum organization of Microsoft Active
Directory. Through the authoritative reconciliation workflow, the user's record is detected within
the trusted source and brought into Oracle Identity Manager automatically.
Then, modify the email address of a user in the People organization of Sun Java System
Directory Server. Through the account reconciliation workflow, the modified user-related
information is detected in the target resource and brought into Oracle Identity Manager
automatically.

Assumptions
You completed all the practices for this lesson (that is, practices 9-1 through 9-7).

Tasks: Microsoft Active Directory


Important: For this course, the Instructor is to provide students with a demonstration of how to
create a record of a user who belongs to the Curriculum organization in Microsoft Active
Directory. For this practice, George Trager represents this user. Therefore, steps 1-6 of this
practice are to be completed by the Instructor, not the student. Students should begin this
practice with step 7.
1. From the Active Directory Users and Computers window of Microsoft Active Directory,
right-click the Curriculum organization. Select New > User from the pop-up menu that
appears.


2. Populate the fields of the New Object - User window, as follows:

Field             Value
First name        George
Last name         Trager
User logon name   GTRAGER

3. Click Next.

4. Populate the fields of the second New Object - User window, as follows:

Field              Value
Password           AbCdEfG1234567
Confirm password   AbCdEfG1234567

Note: For security purposes, the password you enter appears as a series of bullets.

5. Click Next.

6. On the third New Object - User window, click Finish.

The Active Directory Users and Computers window is active. The user record is created
in Microsoft Active Directory.

Through the reconciliation workflow, this record is detected in the trusted source and
brought into Oracle Identity Manager automatically.
Note: You are ready to see whether the authoritative reconciliation workflow is
successful. To verify that the user record is retrieved from Microsoft Active Directory and
transferred into Oracle Identity Manager, complete the remaining steps of this
procedure.
7. Navigate to the Home page of the Oracle Identity Manager Advanced Administration
Console.
8. On the Home page of the Oracle Identity Manager Advanced Administration Console,
click the Search Scheduled Jobs link (located in the System Management pane).
9. Query for the scheduled job for Microsoft Active Directory that you modified in the
practice titled Modify Scheduled Jobs. For this practice, this job is AD User Trusted
Recon.

10. Click the Run Now button that appears to the right of the name of the scheduled job.

11. Navigate to the Home page of the Oracle Identity Manager Identity Administration
Console.
Note: For more information about accessing the Home page of this console, refer to the
document titled Practices for Lesson 5.
12. Click the Advanced Search - Users link on the Oracle Identity Manager Identity
Administration Console Home page.

13. Query for the user account that you created in Microsoft Active Directory (that is, George
Trager).

Because of the authoritative reconciliation workflow, this user record is detected in the
trusted source and brought into Oracle Identity Manager automatically.
Also, because GTRAGER belongs to the Curriculum organization, the Oracle 11g Users
auto membership rule assigns this user to the Oracle 11g Users role. As a result, the
Users Access Policy allocates the iPlanet User connector, representing the Sun Java
System Directory Server resource, to GTRAGER.
After this happens, Oracle Identity Manager populates the custom process form, saves
the values to its database, and uses these values to provision GTRAGER with the
corresponding external resource (that is, Sun Java System Directory Server).
These actions result in the user's identity being synchronized at all three places: the
authoritative source, Oracle Identity Manager, and target resource.
Oracle Identity Manager functions as the gateway between the authoritative source and
target resource.
You are ready to modify the email address of a user in the People organization of Sun
Java System Directory Server. Through the account reconciliation workflow, the modified
user-related information is detected in the target resource and brought into Oracle
Identity Manager automatically.


Tasks: Sun Java System Directory Server


1. Make Sun ONE Server Console active.
2. Double-click the ID of the user who has an email address that you want to modify. For
this practice, JMOSHER is the ID of the user.
3. In the E-Mail field of the Edit User window, enter a modified email address for the user.
For this practice, jmosher@oracle.com is the modified email address.
4. Click OK.

Sun ONE Server Console is active. The user's email address is modified in Sun Java
System Directory Server.
Through the reconciliation workflow, this modification is detected in the target resource
and brought into Oracle Identity Manager automatically.
Note: You are ready to see whether the account reconciliation workflow is successful.
To verify that the modified user-related information is detected in Sun Java System
Directory Server and transferred into Oracle Identity Manager, complete the remaining
steps of this procedure.
5. Navigate to the Home page of the Oracle Identity Manager Advanced Administration
Console.
6. On the Home page of the Oracle Identity Manager Advanced Administration Console,
click the Search Scheduled Jobs link (located in the System Management pane).
7. Query for the scheduled job for Sun Java System Directory Server that you modified in
the practice titled Modify Scheduled Jobs. For this practice, this job is iPlanet User
Target Recon Task.
8. Click the Run Now button that appears to the right of the name of the scheduled job.

9. Navigate to the Home page of the Oracle Identity Manager Identity Administration
Console.
Note: For more information about accessing the Home page of this console, refer to the
document titled Practices for Lesson 5.
10. Click the Advanced Search - Users link on the Oracle Identity Manager Identity
Administration Console Home page.
11. Query for the User Login of the user with the email address you modified (that is,
JMOSHER).
12. Click the link that contains the user's full name.

13. Click the Resources tab. Then click the iPlanet User link.

Note: You click the Resources tab and iPlanet User link because you want to see
whether Oracle Identity Manager modified the user's email address for the Sun Java
System Directory Server resource. This resource is represented by the iPlanet User
connector.
The custom process form for Sun Java System Directory Server appears.
Because of the account reconciliation workflow, the modified user-related information
(the user's email address) is detected in the target resource and brought into Oracle
Identity Manager automatically.

Practices for Lesson 10
Chapter 10

Practices Overview
In these practices, you perform tasks to familiarize yourself with authorization as a part of
managing user access in Oracle Identity Manager. Authorization policies are used to enforce
run-time security in the user management service. Roles are the vehicles used to assign access
privileges to users.
You will implement the appropriate policies and roles to create the following use-case scenario:
The Curriculum organization is rapidly expanding and requires its own HelpDesk to
handle more common tasks for the users within that organization. While users will be
able to self-manage several aspects of their accounts, some of the problems and
requests can be deferred to the HelpDesk. Sam Watterson has been hired to manage
user accounts within the Curriculum organization. He will be tasked with creating new
user accounts for an organization and resetting a user's password when they have
forgotten their challenge questions and password. Managers will also have the ability to
modify their direct reports' accounts by changing their performance level as part of a
performance review process. The manager, Larry Byrdie, who has now been assigned
several direct reports, will be tasked with performing a performance assessment on his
employees. An authorization policy will provide him with the ability to do so.
To succeed at these tasks, Sam Watterson will be assigned to the HelpDesk
organization that you create. Users assigned to the HelpDesk organization will also be
assigned to the Curriculum HelpDesk Admin role that you create. This role provides the
appropriate access rights to create, search, view details of, and modify users within the
Curriculum organization only. Members of the organization will only be able to modify a
user account by resetting the individual's password. They will not be able to modify any
other account attributes. Managers with direct reports will be able to view only their
reports' information and modify the performance level for the user. You will also create
the user Lisa Simmons, and assign the user to the Human Resources organization and
role. This user will be capable of updating the professional qualifications of a user within
the Curriculum organization.
You will create appropriate data attributes for users and the authorization policies to
support the access rights, keeping in mind the scope that must be maintained in order to
safeguard other accounts.


Important: For the practices in this lesson, <hostname> represents the host name of the
machine on which the practices are completed. Because the host name for your machine is
unique, replace all references of <hostname> with the host name of your machine.
To retrieve the host name of your machine:
1. Open a DOS window.
2. At the DOS prompt, enter hostname. The host name of your machine appears.


Practice 10-1: Create Prerequisite Entities


Overview


In this practice, you create the supporting cast required to build the use case for this lab. You
create these entities as the system administrator account, xelsysadm.

Assumptions
You completed the practice titled Create Users.

Tasks
1. From the Welcome tab on the Oracle Identity Administration console, create the
following organizations:

Field                 Value
Name                  Curriculum HelpDesk
Type                  Department
Parent Organization   Curriculum

Field                 Value
Name                  Human Resources
Type                  Department
Parent Organization   <none>

2. From the Welcome tab on the Oracle Identity Administration console, create the
following roles:

Field                Value
Name                 Curriculum HelpDesk Admin
Display Name         HelpDesk (Curriculum Organization)
Description          This role is associated with individuals in
                     the Curriculum HelpDesk organization.
Role Category Name   Administrative

Field                Value
Name                 Human Resources
Display Name         Human Resources
Description          This role is associated with accounts in the
                     Human Resources organization.
Role Category Name   Administrative

3. Close the open tabs for the objects that you created.


Practice 10-2: Create and Associate Membership Rules


Overview
In this practice, you create and associate membership rules to existing organizations. By
associating the membership rule to the organization, any user added to the organization will
automatically be associated with the role.
You will create a membership rule for the Curriculum HelpDesk organization that associates any
user added to the organization to the Curriculum HelpDesk Admin role. This rule will be called
Curriculum HelpDesk Users. You will also create a membership rule for the Human Resources
organization that associates users in the organization to the Human Resources role. This rule
will be called Human Resources Users.

Assumptions
You completed the practices titled Create an Auto Membership Rule and Assign an Auto
Membership Rule to a Role.

Tasks
1. Open the Design Console, if not already opened, and log in as xelsysadm with the
password Welcome1.
Note: If the Design Console was already opened from a previous practice, closing and
reopening ensures that the Design Console can still access the Oracle Identity Manager
database. If Oracle Identity Manager Server was restarted at any point while the Design
Console was open, the Design Console will lose its existing session and will not be able
to contact the database.

2. Open the Rule Designer form, found in the Resource Management folder.

3. Populate the fields of this form, as follows:

Field         Value
Name          Curriculum HelpDesk Users
Type          General
Description   Auto membership rule for the Curriculum HelpDesk
              Admin role.

4. Click Save. You can use the buttons in the Rule Elements tab.
5. Click Add Element.
6. Populate the fields of the Edit Rule Element window, as follows:

Field             Value
Attribute         Organization Name
Operation         ==
Attribute Value   Curriculum HelpDesk

7. Click Save. Then click Close.

Note: If a Closing Form window appears, click Yes.


The Rule Designer form appears.


8. Click Save. The outcome of this rule element is true for all users who belong to the
Curriculum HelpDesk organization.
9. Click the Create a blank form button to open a blank form.

10. Perform steps 3 - 8 for the new rule, Human Resources Users.
a. Populate the form with the following information:

Field         Value
Name          Human Resources Users
Type          General
Description   Auto membership rule for the Human Resources role.

b. Create a rule element using the following information:

Field             Value
Attribute         Organization Name
Operation         ==
Attribute Value   Human Resources

11. In the Oracle Identity Manager Administrative and User Console, change to the Oracle
Identity Manager Administration console if not already there.
12. Search for and open the HelpDesk (Curriculum Organization) role if it is not already
opened.
13. Open the Membership Rules dialog box by clicking Membership Rules.


14. Click Assign Rules.

15. Select the Curriculum HelpDesk Users rule. Click Assign.

16. Click Confirm Assign to complete the process.

17. Close the dialog box after confirming that the rule has been assigned to the organization.
The role will be automatically updated to reflect this new membership rule.

18. Repeat steps 12 - 17 for the Human Resources role. Select the Human Resources
Users rule for the membership rule.

You have now successfully created two new rules for the organizations created earlier and have
associated these rules to the appropriate roles. You are ready to proceed to the next practice.

Practice 10-3: Create HelpDesk, Human Resources, and Manager User Accounts

Overview
In this practice, you create the Oracle Identity Manager accounts that you will use to perform
tasks that interact with the authorization policies you will create.

Assumptions
You completed all the preceding practices in this lab and the practice titled Create Users.

Tasks
1. Create the following Oracle Identity Manager user accounts from the Oracle Identity
Administration console:
Field | Value
First Name | Sam
Last Name | Watterson
Design Console Access | [selected]
Organization | Curriculum HelpDesk
User Type | Full-Time Employee
User Login | SWATTERSON
Password | Welcome1
Confirm Password | Welcome1

Field | Value
First Name | Larry
Last Name | Byrdie
Design Console Access | [selected]
Organization | Curriculum
User Type | Full-Time Employee
User Login | LBYRDIE
Password | Welcome1
Confirm Password | Welcome1

Field | Value
First Name | Lisa
Last Name | Simmons
Design Console Access | [cleared]
Organization | Human Resources
User Type | Full-Time Employee
User Login | LSIMMONS
Password | Welcome1
Confirm Password | Welcome1

Note: All users will be associated to the appropriate role because of the auto membership
rules. Verify that Sam Watterson has been associated with the Curriculum HelpDesk Admin
role and that Lisa Simmons has been associated with the Human Resources role.


2. Change the manager for Linda Spitz and Priya Roshan to Larry Byrdie.
a. From the Identity Manager Administration console, click Advanced Search Users.

b. Enter Quality Assurance in the Organization field and click Search.

c. Select the user accounts for Linda Spitz and Priya Roshan and click Bulk Modify.

d. Change the manager for both users to Larry Byrdie and click Save.

The users are now updated with the new manager.

Practice 10-4: Extend the Oracle Identity Manager User Schema

Overview
In this practice, you create additional attributes for Oracle Identity Manager users. This action is
referred to as extending the Oracle Identity Manager User schema. The attributes that will be
added pertain to a user's professional qualifications as well as their professional assessment.
Specifically, the attributes you will add include:

Work Experience: This attribute summarizes the number of years of experience this user
has, and is displayed as a list of values. The choices available will be 0-2 years, 2-5
years, 5-10 years, 10-20 years, and 20+ years.

Previous Job History Verified: This attribute pertains to whether or not the individual's job
history has been verified. This attribute will be a checkbox.

Post Graduate: This attribute describes whether or not the individual has a postgraduate
degree. The attribute will be displayed as a checkbox.

Performance Level: This attribute describes the performance level for the individual. The
list of values available for selection includes:
o Does Not Meet Requirements
o New Hire/Development Needed
o Successfully Meets Requirements
o Usually Exceeds Requirements
o Outstanding (Always Exceeds Requirements)

Performance Level Summary: This attribute, displayed as a text field, enables a
manager to enter comments for the individual's account.

All attributes will be created within Oracle Identity Manager Administrative and User Console by
the system administrator account, xelsysadm. Before creating the data attributes, you will
create two categories to store the data attributes: Professional Qualifications will store the first
three data attributes defined previously; Professional Assessment stores the remaining two data
attributes.

Assumptions
You have completed the preceding practices in this lab.

Tasks

1. From the Oracle Identity Manager Administrative and User console, access the Oracle
Identity Manager Advanced Administration console.
2. Click the link, User Configuration, to begin modifying the user schema.

3. Select User Attributes from the Actions drop-down menu. The User Attributes are
displayed in a table and are displayed in their respective categories. Several of these
categories are displayed when you create a user using the Create User link. Other
categories are available for display when you create a request form for users to use to
create other users.
4. Create the Professional Qualifications category.
a. Click the Add Category button or select Add Category from the Actions drop-down
menu.


b. Enter Professional Qualifications for the Category Name and click Save.

c. Click OK after the category has been created. All attributes created within this
category will be displayed in the category when you create or modify a user.

5. Repeat step 4 for the Professional Assessment category.

You have now added two new categories.


6. Create the data attribute, Work Experience.


a. Click Create Attribute or select Create Attribute from the Actions drop-down
menu.

b. Complete the fields by using the following information:

Field | Value
Attribute Name | Work Experience
Back-end Attribute | WORKEXP
Category Name | Professional Qualifications

Note: The Back-end Attribute value will automatically update to prepend the term,
USR_UDF_ to the text that you entered. In this example, you entered WORKEXP. When
you leave the field, Oracle Identity Manager updates the contents of the field to
USR_UDF_WORKEXP.

c. Change the Display Type to List of Values. This automatically updates the
screen to enable you to enter values for the data attribute.

d. Select Admin Configured for the LOV Type, if not already selected.
e. Enter the following information for the fields shown and click Add when finished:

Field | Value
LOV Code | Lookup.Users.WorkExp
LOV Options | 1
LOV Options Description | 0-2 Years

The LOV Code describes the code that will be called when you access the list of
values for the Work Experience attribute. The LOV Options field is a value that
represents the description. The LOV Options Description field is the description shown
when the drop-down menu for the Work Experience field is displayed.

f. Add the remaining list of values by using the following information. Click Add
after entering the information for each value in the LOV fields.

Field | Value
LOV Code | Lookup.Users.WorkExp
LOV Options |
LOV Options Description | 2-5 Years

Field | Value
LOV Code | Lookup.Users.WorkExp
LOV Options |
LOV Options Description | 5-10 Years

Field | Value
LOV Code | Lookup.Users.WorkExp
LOV Options | 4
LOV Options Description | 10-20 Years

Field | Value
LOV Code | Lookup.Users.WorkExp
LOV Options | 5
LOV Options Description | 20+ Years

g. Click Next after verifying that all the values have been added.

h. Change the Attribute Size to 10. This represents the size of the field when it is
displayed on the page. Click Next when finished.

i. Click Save after reviewing the details of the attribute that you are creating.

j. Click OK when prompted.

7. Create the data attribute, Previous Job History Verified.


a. Click Create Attribute or select Create Attribute from the Actions drop-down
menu.

b. Complete the fields by using the following information and click Next:

Field | Value
Attribute Name | Previous Job History Verified
Back-end Attribute | PREVIOUSJOBHISVER
Category Name | Professional Qualifications
Display Type | Checkbox

c. Select Yes for the Bulk Updateable field. This selection enables this attribute to
be displayed when multiple users are selected. Click Next when finished.

d. Click Save on the summary page.
e. Click OK when prompted.
8. Create the remaining attributes by using the information provided for each attribute.
a. Create the Post Graduate data attribute:

Field | Value
Attribute Name | Post Graduate
Back-end Attribute | POSTGRAD
Category Name | Professional Qualifications
Display Type | Checkbox

b. Create the Performance Level data attribute:

Field | Value
Attribute Name | Performance Level
Back-end Attribute | PERFLEVEL
Category Name | Professional Assessment
Display Type | List of Values
LOV Type | Admin Configured
LOV Code | Lookup.Users.PerfLevel
LOV Options |
LOV Options Description | Does Not Meet Requirements
LOV Options |
LOV Options Description | New Hire/Development Needed
LOV Options | 3
LOV Options Description | Successfully Meets Requirements
LOV Options | 4
LOV Options Description | Usually Exceeds Requirements
LOV Options | 5
LOV Options Description | Outstanding (Always Exceeds Requirements)
Attribute Size | 20

c. Create the Performance Level Summary data attribute:

Field | Value
Attribute Name | Performance Level Summary
Back-end Attribute | PERFLEVELSUMMARY
Category Name | Professional Assessment
Display Type | Text Area
Attribute Size | 300

9. Expand the Professional Qualifications category.

10. Select Work Experience and click Modify Attribute.

11. Click Preview User Profile to view how this and other attributes will be displayed on a
Create User form.


12. Scroll to the bottom of the form to view all the data attributes you have recently created.
These attributes are in the Professional Qualifications and Professional Assessment
categories. Close the form when you have finished reviewing it.

You have now created the categories and data attributes for the categories that will be used
later in the lab. You will create authorization policies that allow specific users to have access to
the newly created data attributes. These attributes are not visible on users that have already
been created, but will be visible when you create new users.

Practice 10-5: Create Authorization Policies

Overview
In this practice, you create the Oracle Identity Manager authorization policies that allow several
different types of users to access various types of information for users in the Curriculum
organization. Members of the Curriculum HelpDesk organization associated with the Curriculum
HelpDesk Admin role will be able to reset a user's password, search for and view a user's
account information, and create users in the Curriculum organization. Members of the Human
Resources organization will be able to modify the professional qualifications attributes for a
user's account. A manager will be able to directly modify a user's professional assessment
attributes.
You will create the following authorization policies:

Curriculum HelpDesk - View Users - AP: This authorization policy allows the HelpDesk
to view the details of a user in the Curriculum organization.

Curriculum HelpDesk - Search Users - AP: This authorization policy lets the HelpDesk
members search for all user accounts in the Curriculum organization.

Curriculum HelpDesk - Modify User Password - AP: This authorization policy lets the
HelpDesk members reset the password for a user account in the Curriculum
organization.

Curriculum HelpDesk - Create User - AP: This authorization policy lets the HelpDesk
members create a user account in the Curriculum organization.

Manager - Modify User - Professional Assessment - AP: This authorization policy lets
the manager modify the professional assessment attributes of a direct report.

Human Resources - Modify User - Professional Qualifications - AP: This authorization
policy lets the Human Resources member modify the professional qualifications
attributes of user accounts in all organizations.

Assumptions
You have completed all the preceding practices in this lab.

Tasks
1. From the Oracle Identity Manager Administrative and User Console, click
Administration to access the Oracle Identity Administration console.
2. On the Welcome tab, click Create Authorization Policy in the Authorization Policies
panel.

3. Complete the fields using the following information. Click Next when finished:

Field | Value
Policy Name | Curriculum HelpDesk - View Users - AP
Description | This authorization policy allows the HelpDesk to view the details of a user in the Curriculum organization.
Entity Name | User Management

The User Management Entity provides access permissions for managing user accounts,
including creating, modifying, and deleting user accounts.

4. Select the View User Details permission. This permission allows you to select specific
attributes that are viewable to the user with this authorization policy. Using the mouse,
hover over the Info button to view a listing of all the attributes that an individual with this
authorization policy will be able to see.


5. With the line for View User Details selected, click Edit Attributes to select the attributes
that you will allow the individual with this authorization policy to view. You should protect
an administrator from seeing specific privacy-related information, such as the
professional assessment attributes associated with the user account.

The Edit Attributes button will only be available with some of the permissions chosen.
Several permissions do not require access to attributes and will leave the Edit Attributes
button disabled.

6. All of the attributes have been selected by default. Deselect the following attributes and
click Save when finished: Performance Level, Performance Level Summary, Post
Graduate, Previous Job History Verified, and Work Experience.


7. Click Next when you are ready to move to the next screen.


On the Data Constraints screen, select Users that are members of selected
Organizations in the User Management field. Click Add Organization.

On this screen, you are placing a restriction on the list of users that this authorization
allows access to. You can specify the list of organizations that the user must be in for
this authorization policy.

8. Search for and select the Curriculum organization. Click Add to include users in the
Curriculum organization for the authorization policy.


9. Select Hierarchy Aware (include all Child Organizations) to include any child
organizations in the authorization policy. In this example, the Curriculum, Curriculum
HelpDesk, and Training organizations will be included in the authorization policy. Click
Next when finished.


10. On the Policy Assignment screen, you designate the role or roles that will be assigned
the authorization policy. Click Add in the Assign By Role section.

In addition to roles, you can also select the management chain for the user for the
authorization policy. This type of policy assignment is by rule instead of by role.

11. In the Assign Roles window, search for the Role Name, Curriculum HelpDesk. Select
the role and click Add.


12. The Curriculum HelpDesk Admin role has now been added as an assignee for the
authorization policy. Click Next when finished.


13. Review the information for the authorization policy on the Policy Confirmation screen
and click Finish when ready.


14. Repeat steps 2 - 14 to create the remaining authorization policies, using the following
information:
a. Curriculum HelpDesk - Search Users - AP:

Screen | Field | Value
Basic Policy Information | Policy Name | Curriculum HelpDesk - Search Users - AP
Basic Policy Information | Description | This authorization policy lets the HelpDesk members search for all user accounts in the Curriculum organization.
Basic Policy Information | Entity Name | User Management
Permissions | Search User | [selected]
Data Constraints | User Management | Users that are members of selected Organizations
Data Constraints | Organization | Curriculum
Data Constraints | Hierarchy Aware (include all Child Organizations) | [selected]
Policy Assignment | Role | Curriculum HelpDesk Admin

b. Curriculum HelpDesk - Modify User Password - AP:

Screen | Field | Value
Basic Policy Information | Policy Name | Curriculum HelpDesk - Modify User Password - AP
Basic Policy Information | Description | This authorization policy lets the HelpDesk members reset the password for a user account in the Curriculum organization.
Basic Policy Information | Entity Name | User Management
Permissions | Change User Password | [selected]
Data Constraints | User Management | Users that are members of selected Organizations
Data Constraints | Organization | Curriculum
Data Constraints | Hierarchy Aware (include all Child Organizations) | [selected]
Policy Assignment | Role | Curriculum HelpDesk Admin

c. Curriculum HelpDesk - Create User - AP:

Screen | Field | Value
Basic Policy Information | Policy Name | Curriculum HelpDesk - Create User - AP
Basic Policy Information | Description | This authorization policy lets the HelpDesk members create a user account in the Curriculum organization.
Basic Policy Information | Entity Name | User Management
Permissions | Create User | [selected]
Data Constraints | User Management | Users that are members of selected Organizations
Data Constraints | Organization* (See accompanying screenshot) | Curriculum, Quality Assurance and Support, Training
Data Constraints | Hierarchy Aware (include all Child Organizations) | [cleared]
Policy Assignment | Role | Curriculum HelpDesk Admin

Note: With this last authorization policy, you manually select the child organizations that the
Curriculum HelpDesk members access to create members, instead of choosing the
hierarchy awareness, which would select all child members. This is a more secure method
of ensuring that a HelpDesk member does not create another HelpDesk member. That
behavior should be performed or approved at a higher level.
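
The effect of the Hierarchy Aware setting described in the note above, as an added example (not part of the course material and not Oracle Identity Manager code): a simplified model of the organization data constraint that audits a Create User policy for organizations where the assignee role could create new holders of its own role through an auto membership rule. The organization tree, the organization match of the HelpDesk membership rule, and all function and variable names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed parent -> children layout of the lab's organizations (constructed).
ORG_CHILDREN = {
    "Curriculum": ["Curriculum HelpDesk", "Training"],
    "Curriculum HelpDesk": [],
    "Training": [],
    "Quality Assurance and Support": [],
    "Human Resources": [],
}

# Auto membership rules as (attribute, operation, value, granted role).
# The Human Resources rule follows the lab; the HelpDesk rule's match value
# is an assumption.
MEMBERSHIP_RULES = [
    ("Organization Name", "==", "Curriculum HelpDesk", "Curriculum HelpDesk Admin"),
    ("Organization Name", "==", "Human Resources", "Human Resources"),
]


@dataclass(frozen=True)
class Policy:
    name: str
    permission: str
    organizations: tuple
    hierarchy_aware: bool
    assignee_role: str


def covered_orgs(policy):
    """Return the set of organizations matched by the data constraint."""
    covered = set()
    stack = list(policy.organizations)
    while stack:
        org = stack.pop()
        if org in covered:
            continue  # already visited; also guards against cycles
        covered.add(org)
        if policy.hierarchy_aware:
            stack.extend(ORG_CHILDREN.get(org, []))
    return covered


def is_allowed(policy, actor_roles, permission, target_org):
    """True if an actor holding actor_roles may use permission on target_org."""
    return (
        policy.assignee_role in actor_roles
        and policy.permission == permission
        and target_org in covered_orgs(policy)
    )


def auto_roles(user_attrs):
    """Roles that the membership rules grant to a user with these attributes."""
    roles = set()
    for attribute, operation, value, role in MEMBERSHIP_RULES:
        if operation == "==" and user_attrs.get(attribute) == value:
            roles.add(role)
    return roles


def self_granting_orgs(policy):
    """Organizations where a Create User grant lets the assignee role create
    users who automatically receive that same role."""
    if policy.permission != "Create User":
        return []
    return sorted(
        org for org in covered_orgs(policy)
        if policy.assignee_role in auto_roles({"Organization Name": org})
    )


# Variant for comparison only: the same policy with Hierarchy Aware selected.
HIERARCHY_AWARE = Policy(
    name="Create User (hierarchy aware, for comparison)",
    permission="Create User",
    organizations=("Curriculum",),
    hierarchy_aware=True,
    assignee_role="Curriculum HelpDesk Admin",
)
# The policy as configured in the lab: explicit list, Hierarchy Aware cleared.
EXPLICIT_LIST = Policy(
    name="Curriculum HelpDesk - Create User - AP",
    permission="Create User",
    organizations=("Curriculum", "Quality Assurance and Support", "Training"),
    hierarchy_aware=False,
    assignee_role="Curriculum HelpDesk Admin",
)

if __name__ == "__main__":
    for policy in (HIERARCHY_AWARE, EXPLICIT_LIST):
        print(policy.name)
        print("  covers:", sorted(covered_orgs(policy)))
        print("  self-granting organizations:", self_granting_orgs(policy))
```

The same audit can be run over any exported list of policies and rules: a non-empty result marks a policy whose holders can extend their own role without approval at a higher level.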


d. Manager - Modify User - Professional Assessment - AP:

Screen | Field | Value
Basic Policy Information | Policy Name | Manager - Modify User - Professional Assessment - AP
Basic Policy Information | Description | This authorization policy lets the manager modify the professional assessment attributes of a direct report.
Basic Policy Information | Entity Name | User Management
Permissions | Modify User Profile | [selected]
Permissions | Attribute Name (Deselect all and select only the items listed to the right) | Performance Level, Performance Level Summary
Permissions | View User Details | [selected]
Permissions | Attribute Name | All
Data Constraints | User Management | Users that are members of selected Organizations
Data Constraints | Organization | Curriculum
Data Constraints | Hierarchy Aware (include all Child Organizations) | [selected]
Policy Assignment | Management Chain of User* (See the following screenshot) | [selected]

In this case, you selected both the View User Details and the Modify User Profile
permissions. You must be able to view the details of the user before you can modify their
attributes.

e. Human Resources - Modify User - Professional Qualifications - AP:

Screen | Field | Value
Basic Policy Information | Policy Name | Human Resources - Modify User - Professional Qualifications - AP
Basic Policy Information | Description | This authorization policy lets the Human Resources member modify the professional qualifications attribute of user accounts in all organizations.
Basic Policy Information | Entity Name | User Management
Permissions | Modify User Profile | [selected]
Permissions | Attribute Name (Deselect all and select only the items listed to the right) | Work Experience, Post Graduate, Previous Job History Verified
Permissions | View User Details | [selected]
Permissions | Attribute Name | All
Permissions | Search User | [selected]
Data Constraints | User Management | All Users
Policy Assignment | Role | Human Resources

15. Close all open tabs for the objects that you have just created.
You have now created the authorization policies required to proceed with the remainder of the
lab. To summarize, you have created the organizations, roles, role membership rules, and
extended the OIM schema. The authorization policies that you have created are based on the
User Management entity, in which you are capable of modifying or viewing some aspect of a
user's account.

Practice 10-6: Test and Verify Authorization Policies Implementation


Overview
In this practice, you perform several tasks to test the authorization policies created in the lab.
You will verify that Sam Watterson (a Curriculum HelpDesk member) can create an account
only in the Curriculum or child organizations. The account you create, Tim Listowitz, will have
Larry Byrdie as the manager. You will then reset the password for that user account.
Next, you will log in as the Human Resources representative to update the Professional
Qualifications for Tim Listowitz. The manager, Larry Byrdie, will then log in to update the
Professional Assessment attributes for the account.

Assumptions
You have completed all the preceding practices in this lab.

Tasks

1. If you are currently logged in as the system administrator account in the Oracle Identity
Manager Administrative and User console, click Sign Out to log out of Oracle Identity
Manager.
2. Log in to Oracle Identity Manager with Sam Watterson's account information:

Field                                 Value
User Name                             SWATTERSON
Password                              Welcome1

3. When you log in, you will be asked to update the password as well as the challenge
questions. Populate the Password Management screen with the following information:

Field                                 Value
Old Password                          Welcome1
Password                              Welcome1
Confirm Password                      Welcome1
What is your mother's maiden name?    Smith
What is your favorite color?          Blue
What is the city of your birth?       Cleveland

Once you have logged in, you will see that you have access to the Advanced Search
Users and the Create User links.


4. Click the Search button in the left navigation area. This action returns only users that are
in the Curriculum organization and in its child organizations. For example, Valli Pataballa
is in the Approvers organization, which is not a child of the Curriculum organization. Her
account will not be visible in the listing.

The user listing is limited to the Curriculum and child organizations because of the
authorization policy, HelpDesk - Search Users - AP.
5. Click the Create User button to start creating the user, Tim Listowitz. Use the following
information to create the user account:

Field                     Value
First Name                Tim
Last Name                 Listowitz
Design Console Access     [cleared]
Manager                   Larry Byrdie
Organization              Approvers
User Type                 Full-Time Employee
User Login                TLISTOWITZ
Password                  Welcome1
Confirm Password          Welcome1


You should receive the following error message. This error message is a result of
attempting to create the user in the Approvers organization. Curriculum HelpDesk users
are not authorized to create users outside of the Curriculum organization. This limitation
is defined in the authorization policy, HelpDesk - Create User - AP.

6. Create the user, this time assigning him to the Training organization.

The user should be successfully created. Notice that you cannot modify the attributes for
the user. Again, this is because specific permissions were not given to the HelpDesk
account to modify user attributes, with the exception of the password.
7. At the top of the user account page for Tim Listowitz, click Reset Password.

Note that the other buttons you are used to seeing at the top of the user page, including
Lock Account, Disable User, and Delete User, are not available. These rights have not
been provided through the authorization policies to the HelpDesk members.


8. Select Manually change the Password and deselect E-mail the new password to the
user. Change the password to W3LC0M3. Click Reset Password.

For a more secure solution, you would select to have the new password auto-generated
and have that password sent in an email to the user.
9. You have now successfully reset the password for Tim Listowitz.


The ability to reset the user's password is defined in the authorization policy, HelpDesk -
Modify User - Password - AP.
10. Now that the user has been created, you will log in as the Human Resources
representative Lisa Simmons to modify the user account's attributes. Click Sign Out.


11. Log into the Oracle Identity Manager Administrative and User console with the following
credentials:

Field                                 Value
User Name                             LSIMMONS
Password                              Welcome1

12. When you log in, you will be asked to update the password as well as the challenge
questions. Populate the Password Management screen with the following information:

Field                                 Value
Old Password                          Welcome1
Password                              Welcome1
Confirm Password                      Welcome1
What is your mother's maiden name?    Cravitz
What is the name of your pet?         Fluffy
What is your favorite color?          Red

13. Click the Search icon in the navigation panel to view all users that Lisa Simmons has
access to. The authorization policy defined for Human Resources members does not
restrict those members to any specified organization, so you will see all user accounts
defined in Oracle Identity Manager.

14. Select and edit the user account for Tim Listowitz.

15. Scroll to the bottom of the Attributes tab for Tim Listowitz. You will note that you cannot
change most of the attributes listed in the Attributes tab.

16. Select 5-10 Years for the Work Experience field. Select the checkbox for the Previous
Job History Verified and Post Graduate attributes. Scroll to the top of the Attributes
tab and click Apply.

17. You have now successfully modified the Professional Qualifications attributes. Close the
window for Tim Listowitz.

The permissions responsible for allowing Lisa Simmons to modify the Professional
Qualifications attributes are defined in the authorization policy, Human Resources -
Modify Users - Professional Qualifications - AP.
18. You will now be performing a bulk update to multiple users. Click Advanced Search Users.
19. Click Add Fields and select Manager from the drop-down list.


20. Enter Larry Byrdie in the Manager field and click Search.

21. Select the user accounts for Linda Spitz and Priya Roshan and click Bulk Modify.

22. Only a few attributes are available for a bulk update. Select the checkbox for Previous
Job History Verified and click Save.

23. You have now successfully modified multiple accounts by modifying the Previous Job
History Verified attribute for those accounts.

This modification is possible due to the definition of the data attribute, Previous Job
History Verified. It was defined as a Bulk Updatable data attribute.
24. Click Sign Out to log off.
25. You will now verify the manager's access rights. Log into the Oracle Identity Manager
Administrative and User console with the credentials for Larry Byrdie:

Field                               Value
User Name                           LBYRDIE
Password                            Welcome1

26. When you log in, you will be asked to update the password as well as the challenge
questions. Populate the Password Management screen with the following information:

Field                               Value
Old Password                        Welcome1
Password                            Welcome1
Confirm Password                    Welcome1
What is the name of your pet?       Birdie
What is the city of your birth?     Miami
What is your favorite color?        Burgundy


27. From the Identity Manager Administration console, click the Search icon to view all the
user accounts Larry Byrdie can see.

This manager can only see his direct reports. This access is set by the out-of-the-box
authorization policy, User Management policies for Managers.
28. Select and edit Tim Listowitz.
29. Scroll to the bottom of the Attributes tab. You will note that while you can view attributes,
you cannot modify most attributes, including the attributes in the Professional
Qualifications category.


30. Complete the Professional Assessment using the following information and then scroll to
the top of the tab and click Apply:

Field                        Value
Performance Level            New Hire/Development Needed
Performance Level Summary    Tim is making a concerted effort to come up to speed on
                             the processes he needs to complete his job. He has only
                             been here for three weeks and so will be re-evaluated
                             at a later date.

31. You have now successfully modified the Professional Assessment attributes for Tim
Listowitz.
The ability to make changes to these attributes was defined in the
authorization policy, Manager - Modify User - Professional Assessment - AP.
Additionally, that authorization policy allows the manager to view all attributes for the
user account.
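
The checks that Practice 10-6 performs by hand can also be written down as a deny-by-default test matrix. The model below is an added example, not Oracle Identity Manager code or its API. Policy names, attribute names and the lab users' logins come from the practice; the Training-under-Curriculum hierarchy, the VPATABALLA login, the "Manager" role name, the "Reset Password" and "Delete User" permission labels, and the direct-reports scope on the manager policy are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

ALL = None  # sentinel: the grant is not limited to particular attributes

# Constructed organization tree. The lab states that Approvers is not a child of
# Curriculum; Training sitting under Curriculum is an assumption.
ORG_PARENT = {"Curriculum": None, "Training": "Curriculum", "Approvers": None}

@dataclass(frozen=True)
class User:
    login: str
    org: str
    manager: Optional[str] = None
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Policy:
    name: str
    role: str
    grants: dict   # permission -> set of attribute names, or ALL
    scope: str     # "all", "direct_reports" or "org_tree:<root organization>"

HELPDESK, HR, MANAGER = "Curriculum HelpDesk", "Human Resources", "Manager"
QUALIFICATIONS = {"Work Experience", "Post Graduate", "Previous Job History Verified"}
ASSESSMENT = {"Performance Level", "Performance Level Summary"}

POLICIES = [
    Policy("HelpDesk - Search Users - AP", HELPDESK,
           {"Search User": ALL}, "org_tree:Curriculum"),
    Policy("HelpDesk - Create User - AP", HELPDESK,
           {"Create User": ALL}, "org_tree:Curriculum"),
    Policy("HelpDesk - Modify User - Password - AP", HELPDESK,
           {"Reset Password": ALL}, "org_tree:Curriculum"),
    Policy("Human Resources - Modify User - Professional Qualifications - AP", HR,
           {"Modify User Profile": QUALIFICATIONS, "View User Details": ALL,
            "Search User": ALL}, "all"),
    Policy("User Management policies for Managers", MANAGER,
           {"Search User": ALL}, "direct_reports"),
    Policy("Manager - Modify User - Professional Assessment - AP", MANAGER,
           {"Modify User Profile": ASSESSMENT, "View User Details": ALL},
           "direct_reports"),
]

def in_org_tree(org, root):
    """True if org is root itself or one of its descendants."""
    while org is not None:
        if org == root:
            return True
        org = ORG_PARENT.get(org)
    return False

def in_scope(policy, actor, target):
    """Apply the policy's data constraint to the target account."""
    if policy.scope == "all":
        return True
    if policy.scope == "direct_reports":
        return target.manager == actor.login
    kind, _, root = policy.scope.partition(":")
    return kind == "org_tree" and in_org_tree(target.org, root)

def is_allowed(actor, permission, target, attribute=None):
    """Deny unless some policy assigned to one of the actor's roles grants the
    permission, covers the target, and (when given) covers the attribute."""
    for policy in POLICIES:
        if policy.role not in actor.roles or permission not in policy.grants:
            continue
        if not in_scope(policy, actor, target):
            continue
        attrs = policy.grants[permission]
        if attrs is ALL or attribute is None or attribute in attrs:
            return True
    return False

def visible_users(actor, directory):
    """Logins the actor gets back from a user search."""
    return [u.login for u in directory if is_allowed(actor, "Search User", u)]

SAM = User("SWATTERSON", "Curriculum", roles=frozenset({HELPDESK}))
LISA = User("LSIMMONS", "Curriculum", roles=frozenset({HR}))
LARRY = User("LBYRDIE", "Curriculum", roles=frozenset({MANAGER}))
TIM = User("TLISTOWITZ", "Training", manager="LBYRDIE")
VALLI = User("VPATABALLA", "Approvers")   # constructed login
DIRECTORY = [TIM, VALLI]

def lab_results():
    """Expected outcome of each step the practice verifies by hand."""
    tim_in_approvers = User("TLISTOWITZ", "Approvers", manager="LBYRDIE")
    return {
        "helpdesk creates in Approvers": is_allowed(SAM, "Create User", tim_in_approvers),
        "helpdesk creates in Training": is_allowed(SAM, "Create User", TIM),
        "helpdesk resets password": is_allowed(SAM, "Reset Password", TIM),
        "helpdesk deletes user": is_allowed(SAM, "Delete User", TIM),
        "hr edits Work Experience": is_allowed(LISA, "Modify User Profile", TIM, "Work Experience"),
        "manager edits Work Experience": is_allowed(LARRY, "Modify User Profile", TIM, "Work Experience"),
        "manager edits Performance Level": is_allowed(LARRY, "Modify User Profile", TIM, "Performance Level"),
    }

if __name__ == "__main__":
    for check, outcome in lab_results().items():
        print(f"{check}: {'allowed' if outcome else 'denied'}")
```

Keeping the denied cases in the matrix matters as much as the allowed ones: a policy change that widens a data constraint shows up as a "denied" row flipping to "allowed".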

Practices for Lesson 11
Chapter 11

Practices Overview


In these practices, you use Oracle BI Publisher to create the following types of reports for
Oracle Identity Manager organizations, roles, and users:

- Access Policy Reports
- Attestation, Request, and Approval Reports
- Password Reports
- Resource and Entitlement Reports
- Role and Organization Reports
- User Reports
For this practice, your tasks include creating the following reports:
1. Access Policy Details: With this access policy report, administrators and auditors can view
a current snapshot of all access policies defined in Oracle Identity Manager, along with key
information about each policy.
2. Request Details: With this request report, administrators can view details (for example,
requester, current approver, and so on) of requests. Additionally, this report displays details
of all users (for example, user name, organization, manager details, user status, and so on)
provisioned as a result of the request approval. This report helps administrators in planning
and prioritizing operational activities so that they can expedite the closure of pending
requests.
3. Approval Activity: With this approval report, administrators can view approval activity,
including requests that are approved, rejected, or pending.
4. Password Expiration Summary: With this password report, administrators can view a list
of all active users whose Oracle Identity Manager passwords are about to expire within a
specified period.
5. User Resource Access: This resource report provides administrators or auditors with the
ability to query for resources provisioned to an Oracle Identity Manager user. This report can
be used for operational and compliance purposes.
6. Role Membership History: With this role report, administrators can view details about
users assigned to a role or role category.
7. Organization Details: With this organizational report, administrators can view a hierarchical
organizational structure, and details about suborganizations, roles, and users assigned to an
organization in Oracle Identity Manager.
8. User Summary: This user report lists all Oracle Identity Manager users created in a
specified time period.


Important: For the practices in this lesson, <hostname> represents the host name of the
machine on which the practices are completed. Because the host name for your machine is
unique, replace all references of <hostname> with the host name of your machine.
To retrieve the host name of your machine:
1. Open a DOS window.
2. At the DOS prompt, enter hostname. The host name of your machine appears.

Practice 11-1: Configure the Oracle BI Publisher Environment


Overview

In this practice, you configure Oracle BI Publisher so that it can be used to create reports for
Oracle Identity Manager organizations, roles, and users. This includes:
- Copying predefined Oracle Identity Manager reports to a directory that can be
  referenced by Oracle BI Publisher. Oracle Identity Manager reports are placed in the
  D:\OraHome_1\xmlp\XMLP\Reports\Oracle Identity Manager directory.
  Note: The Oracle Identity Manager folder does not exist. Therefore, you must
  create it and nest it within the D:\OraHome_1\xmlp\XMLP\Reports directory.
- Starting Oracle BI Publisher
- Creating data sources in Oracle BI Publisher. A data source contains credentials that
  Oracle BI Publisher requires to connect to the Oracle database associated with Oracle
  Identity Manager. Oracle BI Publisher uses this connection to retrieve information from
  the Oracle Identity Manager database to generate reports for Oracle Identity Manager
  organizations, roles, and users.

Assumptions
You installed and configured Oracle Identity Manager 11g and Oracle BI Publisher 10gR2
(10.1.3.4.1).

Tasks
1. From Windows Explorer, navigate to the D:\OraHome_1\xmlp\XMLP\Reports
directory.
2. Create a folder titled Oracle Identity Manager in this directory. This folder is to
contain a copy of all predefined Oracle Identity Manager reports that can be referenced
by Oracle BI Publisher.
3. Copy the oim_product_reports_11_1_1_3_0.zip file, which resides in the
D:\app\oracle\product\middleware\iam_home\server\reports directory.
Note: This directory is created automatically when Oracle Identity Manager is installed
and configured.
4. Paste this file into the D:\OraHome_1\xmlp\XMLP\Reports\Oracle Identity
Manager directory.
5. Unzip the oim_product_reports_11_1_1_3_0.zip file into this directory.


6. Click the reports folder, contained in the
D:\OraHome_1\xmlp\XMLP\Reports\Oracle Identity Manager directory.

Note: The folders that appear in the D:\OraHome_1\xmlp\XMLP\Reports\Oracle
Identity Manager\reports directory pertain to the types of reports that Oracle BI
Publisher can create for Oracle Identity Manager organizations, roles, and users. These
reports include:
- Access policy reports
- Attestation, request, and approval reports
- Password reports
- Resource and entitlement reports
- Role and organization reports
- User reports
You copied predefined Oracle Identity Manager reports to a directory that can be
referenced by Oracle BI Publisher. You are ready to start Oracle BI Publisher to use this
application to generate reports.


7. Start Oracle BI Publisher:


a. Start Oracle WebLogic Server and Oracle Identity Manager Server (if you stopped
these applications).
b. Start Oracle BI Publisher Server from the Windows Start Menu. Select Programs >
Oracle BIPHome1 > Start BI Publisher.
c. Start the Oracle BI Publisher Administration Console from the Windows Start Menu.
Select Programs > Oracle BIPHome1 > BI Publisher Server.
d. Enter Administrator in the Username field and Administrator in the Password
field. Then click Sign In.
You are ready to change the password of the Administrator user (from Administrator
to Welcome1). You do this to synchronize the Administrator account between Oracle
Identity Manager and Oracle BI Publisher.
Note: The Administrator account is created automatically in Oracle BI Publisher when
this product is installed. Also, you imported the Administrator account into Oracle Identity
Manager in the practice titled Use the Bulk Load Utility to Import Users into Oracle
Identity Manager.
8. To change the password of the Administrator account in Oracle BI Publisher:
a. On the Home page, click the Preferences link.


b. On the Edit Preferences window, click the Account link.

c. Populate the fields of the Change Password form, as follows:

Field               Value
Current Password    Administrator
New Password        Welcome1
Repeat Password     Welcome1

Note: The passwords that you enter are encrypted for security purposes.

d. Click Apply.

You changed the password of the Administrator user (from Administrator to
Welcome1).
You are ready to create data sources in the Oracle BI Publisher tool. A data source
contains credentials that Oracle BI Publisher requires to connect to the Oracle database
associated with Oracle Identity Manager. Oracle BI Publisher needs this connection to
retrieve the data from the Oracle Identity Manager database. Oracle BI Publisher uses
this information to generate reports for Oracle Identity Manager organizations, roles, and
users.
9. On the Change Password form, click Close.
10. On the Oracle BI Publisher Home page, click the Admin tab.
11. On the Data Sources region of the Admin page, click the JDBC Connection link.
Note: You click the JDBC Connection link because Oracle BI Publisher uses Java
connectivity to access the Oracle database associated with Oracle Identity Manager.
12. On the Data Sources page, click Add Data Source.


13. Parameters for the data source appear. Enter values for parameters of the data source
on the Add Data Source page, as follows:

Field                                   Value
Data Source Name                        OIM JDBC
Driver Type                             Oracle 11g
Database Driver Class                   oracle.jdbc.OracleDriver
Connection String                       jdbc:oracle:thin:@<hostname>.us.oracle.com:1521:orcl
Username                                dev_oim
Password                                Welcome1
Use Proxy Authentication check box      [cleared]

Note: The name of the data source is case-sensitive. Also, for security purposes, the
password is encrypted and appears as a series of bullets. Lastly, for more
information about parameters and values of the OIM JDBC data source, refer to the
lesson titled Managing Reports.
14. Click Apply.


The Data Sources page appears. You created the OIM JDBC data source in Oracle BI
Publisher.


Tip: To verify that Oracle BI Publisher can use this data source to connect to the Oracle
database associated with Oracle Identity Manager:
a. Click the OIM JDBC data source (on the Data Sources page).
b. Click Test Connection. A "Connection established successfully." message
signifies that Oracle BI Publisher can use the OIM JDBC data source to connect
to the Oracle database associated with Oracle Identity Manager.

You created the OIM JDBC data source in Oracle BI Publisher. You are ready to create
another data source: BPEL JDBC. Oracle BI Publisher uses this data source to connect
to the Oracle database associated with Oracle Identity Manager, retrieve information
from this database, and use this data to generate reports for Oracle Identity Manager
requests and approval workflows.
15. Click Cancel. The Data Sources page appears.
16. On the Data Sources page, click Add Data Source.
17. Parameters for the data source appear. Enter values for parameters of the data source
on the Add Data Source page, as follows:

Field                                   Value
Data Source Name                        BPEL JDBC
Driver Type                             Oracle 11g
Database Driver Class                   oracle.jdbc.OracleDriver
Connection String                       jdbc:oracle:thin:@<hostname>.us.oracle.com:1521:orcl
Username                                dev_soainfra
Password                                Welcome1
Use Proxy Authentication check box      [cleared]


18. Click Apply.

The Data Sources page appears. You created the BPEL JDBC data source in Oracle BI
Publisher.
Tip: To verify that Oracle BI Publisher can use this data source to connect to the Oracle
database associated with Oracle Identity Manager:
a. Click the BPEL JDBC data source (on the Data Sources page).
b. Click Test Connection. A "Connection established successfully." message signifies
that Oracle BI Publisher can use the BPEL JDBC data source to connect to the
Oracle database associated with Oracle Identity Manager.

Practice 11-2: Create Access Policy Reports


Overview
In this practice, you use Oracle BI Publisher to create the Access Policy Details access policy
report. With this report, administrators and auditors can view a current snapshot of all access
policies defined in Oracle Identity Manager, along with key information about each policy.
For this practice, you are searching for resources and roles associated with the Users Access
Policy. You created this access policy in the practices associated with the lesson titled
Understanding Direct and Automated Provisioning.
Important: Before you begin this practice, ensure that you imported a user in Oracle Identity
Manager with the User Login of ADMINISTRATOR and verified that this user is assigned to the
ACCESS POLICY ADMINISTRATORS role. You completed these actions in the document titled
Practices for Lesson 5.

Assumptions
You completed the practice titled Configure the Oracle BI Publisher Environment.

Tasks
1. Click the Reports tab.

You return to the Oracle BI Publisher Home page.


2. Click the more link that is nested within the Shared Folders link.

3. Click the reports link that is nested within the Oracle Identity Manager folder.


4. From the list of reports that appears, click the link that represents the name of the
desired report (that is, select the Access Policy Details report). The Access Policy
Details form appears.


5. For this example, you are searching for resources and roles associated with the Users
Access Policy. Therefore, enter Users Access Policy into the Access Policy Name
field, and click View.

The Access Policy Details report appears.


This report displays details about the Users Access Policy, including resources and roles
assigned to the policy.
Note: For more information about parameters and values of this report, refer to the
lesson titled Managing Reports.


Practice 11-3: Create Request and Approval Reports


Overview


In this practice, you use Oracle BI Publisher to create the following request and approval
reports:

Request Details: With this report, administrators can view details (for example,
requester, current approver, and so on) of requests. Additionally, this report displays
details of all users (for example, user name, organization, manager details, user status,
and so on) provisioned as a result of the request approval. This report helps
administrators in planning and prioritizing operational activities so that they can
expedite the closure of pending requests.
For this practice, you are searching for all requests created by Bob McCarren. These
requests are created in the practices associated with the lesson titled Understanding
Approval Workflows and Requests.

Approval Activity: With this report, administrators can view approval activity, including
requests that are approved, rejected, or pending.
For this practice, you are searching for all requests approved by Valli Pataballa. These
requests are created in the practices associated with the lesson titled Understanding
Approval Workflows and Requests.

Assumptions
You completed the practice titled Configure the Oracle BI Publisher Environment.

Tasks
1. Click the Reports tab. You return to the Oracle BI Publisher Home page.
2. Click the more link that is nested within the Shared Folders link.
3. Click the reports link that is nested within the Oracle Identity Manager folder.
4. Click the Attestation Request and Approval Reports link nested within the reports
folder.
5. From the list of reports that appears, click the link that represents the name of the
desired report (that is, select the Request Details report). The Resource Details form
appears.

Note: By default, this report is filtered to retrieve data pertaining to requests that were
created over the last 30 days. The value in the Request Data From field is a
date-and-time stamp of 30 days before the current date and time. The value in the
Request Data To field is the current date and time.


6. For this example, you are searching for all requests created by Bob McCarren.
Therefore, enter values for parameters on the Request Details form, as follows:

Field                          Value
Requestor User First Name      Bob
Requestor User Last Name       McCarren

7. Click View.

The Resource Details report appears.

This report displays details about all requests created by Bob McCarren.
Note: For more information about parameters and values of this report, refer to the
lesson titled Managing Reports.
You created a Request Details report. You are ready to create an Approval Activity
report: With this report, administrators can view approval activity, including requests that
are approved, rejected, or pending.

8. Click the Attestation Request and Approval Reports link, located above the
Requestor User Last Name field of the Request Details form.

9. From the list of reports that appears, click the link that represents the name of the
desired report (that is, select the Approval Activity report). The Approval Activity form
appears.

10. For this example, you are searching for all requests approved by Valli Pataballa.
Therefore, enter values for the parameters on the Request Details form, as follows:

Field                   Value
Approvers First Name    Valli
Approvers Last Name     Pataballa

11. Click View.

The Approval Activity report appears.

This report displays details about all requests approved by Valli Pataballa.
Note: For more information about the parameters and values of this report, refer to the
lesson titled Managing Reports.

Practice 11-4: Create a Password Report

Overview
In this practice, you use Oracle BI Publisher to create the Password Expiration Summary
password report. This report shows a list of all active users whose Oracle Identity Manager
passwords are about to expire within a specified period.
For this practice, you are searching for all Oracle Identity Manager users who have passwords
that are to expire within 120 days.

Assumptions
You have completed the practice titled Configure the Oracle BI Publisher Environment.

Tasks
1. Click the Reports tab. You return to the Oracle BI Publisher Home page.
2. Click the more link that is nested within the Shared Folders link.
3. Click the reports link that is nested within the Oracle Identity Manager folder.
4. From the list of reports that appears, click the link that represents the name of the
desired report (that is, select the Password Expiration Summary report). The
Password Expiration Summary form appears.

Note: By default, this report is filtered to retrieve data pertaining to passwords of Oracle
Identity Manager users that expired over the last 30 days. The value in the Expiration
Date Range From field is a date-and-time stamp of 30 days before the current date and
time. The value in the Expiration Date Range To field is the current date and time.

5. For this example, you are searching for all Oracle Identity Manager users who have
passwords that are to expire within 120 days. Therefore:
a. Click the Calendar icon to the right of the Expiration Date Range To field.
b. On the Calendar application that appears, select a date that is 120 days from the
current date (for this example, February 06, 2011). The date you selected appears in
the Expiration Date Range To field.
6. Click View.

The Password Expiration Summary report appears.

This report displays details about all active users whose Oracle Identity Manager
passwords are about to expire within 120 days.
Note: For more information about parameters and values of this report, refer to the
lesson titled Managing Reports.

Practice 11-5: Create a Resource Report

Overview
In this practice, you use Oracle BI Publisher to create the User Resource Access resource
report. This report provides administrators or auditors with the ability to query for resources
provisioned to an Oracle Identity Manager user. This report can be used for operational and
compliance purposes.
For this practice, you are searching for resources provisioned to Mike Williams. You provisioned
these resources to Mr. Williams in the practices associated with the lesson titled Understanding
Direct and Automated Provisioning.

Assumptions
You have completed the practice titled Configure the Oracle BI Publisher Environment.

Tasks

1. Click the Reports tab. You return to the Oracle BI Publisher Home page.
2. Click the more link that is nested within the Shared Folders link.
3. Click the reports link that is nested within the Oracle Identity Manager folder.
4. Click the Resource and Entitlements Reports link on the reports page.
5. From the list of reports that appears, click the link that represents the name of the
desired report (that is, select the User Resource Access report). The User Resource
Access form appears.
6. For this example, you are searching for resources provisioned to Mike Williams.
Therefore, enter values for parameters on the User Resource Access form, as follows:

Field         Value
Last Name     Williams
First Name    Mike

7. Click View.

The User Resource Access report appears.

This report displays details about resources provisioned to Mike Williams. For this
example, Sun Java System Directory Server, represented by the iPlanet User resource
object, is provisioned to Mr. Williams. You provisioned this resource to him in the
practices associated with the lesson titled Understanding Direct and Automated
Provisioning.
Note: For more information about parameters and values of this report, refer to the
lesson titled Managing Reports.

Practice 11-6: Create Role and Organization Reports


Overview

In this practice, you use Oracle BI Publisher to create the following role and organization
reports:

Role Membership History: With this report, administrators can view details about
users assigned to a role or role category.
For this practice, you are searching for all users assigned to the Oracle 11g Users role
over the last 30 days. You created this role in the practices associated with the lesson
titled Understanding Organizations, Roles, and Users.
Important: This report does not show indirect role memberships.

Organization Details: With this report, administrators can view a hierarchical
organizational structure, and details about suborganizations, roles, and users assigned
to an organization in Oracle Identity Manager.
For this practice, you are searching for all suborganizations, roles, and users assigned
to the Curriculum organization. You created this organization in the practices
associated with the lesson titled Understanding Organizations, Roles, and Users.

Assumptions
You have completed the practice titled Configure the Oracle BI Publisher Environment.

Tasks
1. Click the Reports tab. You return to the Oracle BI Publisher Home page.
2. Click the more link that is nested within the Shared Folders link.
3. Click the reports link that is nested within the Oracle Identity Manager folder.
4. From the list of reports that appears, click the link that represents the name of the
desired report (that is, select the Role Membership History report, nested within the
Role and Organization Reports folder). The Role Membership History form appears.

Note: By default, this report is filtered to retrieve data pertaining to users assigned to a
role or role category over the last 30 days. The value in the Effective From field is a
date-and-time stamp of 30 days before the current date and time. The value in the
Effective To field is the current date and time.

5. For this example, you are searching for all users assigned to the Oracle 11g Users role.
Therefore, enter Oracle 11g Users into the Role Name field, and click View.

The Role Membership History report appears.

This report displays details about all users assigned to the Oracle 11g Users role over
the last 30 days.
Note: For more information about parameters and values of this report, refer to the
lesson titled Managing Reports.
You created a Role Membership History report. You are ready to create an Organization
Details report: With this report, administrators can view a hierarchical organizational
structure, and details about suborganizations, roles, and users assigned to an
organization in Oracle Identity Manager.

6. Click the Role and Organization Reports link, located above the Role Category field of
the Role Membership History form.

7. From the list of reports that appears, click the link that represents the name of the
desired report (that is, select the Organization Details report). The Organization Details
form appears.

8. For this example, you are searching for all suborganizations, roles, and users assigned
to the Curriculum organization. Therefore, enter Curriculum into the Organization
Name field, and click View.

The Organization Details report appears.

This report displays details about all suborganizations, roles, and users assigned to the
Curriculum organization.
Note: For more information about parameters and values of this report, refer to the
lesson titled Managing Reports.

Practice 11-7: Create a User Report

Overview
In this practice, you use Oracle BI Publisher to create the User Summary user report. This
report lists all Oracle Identity Manager users created in a specified time period.
For this practice, you are searching for all Oracle Identity Manager users assigned to the
Curriculum organization over the last 30 days.

Assumptions
You have completed the practice titled Configure the Oracle BI Publisher Environment.

Tasks
1. Click the Reports tab. You return to the Oracle BI Publisher Home page.
2. Click the more link that is nested within the Shared Folders link.
3. Click the reports link that is nested within the Oracle Identity Manager folder.
4. From the list of reports that appears, click the link that represents the name of the
desired report (that is, select the User Summary report, nested within the User Reports
folder). The User Summary form appears.

Note: By default, this report is filtered to retrieve data pertaining to users created in
Oracle Identity Manager over the last 30 days. The value in the Creation Date From field
is a date-and-time stamp of 30 days before the current date and time. The value in the
Creation Date To field is the current date and time.

5. For this example, you are searching for all Oracle Identity Manager users assigned to
the Curriculum organization over the last 30 days. Therefore, enter Curriculum into
the Organization field, and click View.

The User Summary report appears.

This report displays details about all Oracle Identity Manager users assigned to the
Curriculum organization over the last 30 days.
Note: For more information about parameters and values of this report, refer to the
lesson titled Managing Reports.

6. Stop Oracle BI Publisher:
a. Stop Oracle BI Publisher Server.
b. Close the Oracle BI Publisher Administration Console.

Practices for Lesson 12
Chapter 12

Practices Overview
In these practices, you familiarize yourself with the log files and monitoring tools and charts
available to the Oracle Identity Manager environment. You also use these tools to resolve an
issue that occurs in the environment. Specifically, you learn how to:

Access the logs for Oracle Identity Manager as well as the monitoring tools through the
Oracle Enterprise Manager Fusion Middleware Control tool.
Use the ECID and RID values within the Oracle Identity Manager log to resolve an issue
whereby a provisioning task fails. You create a failed scenario by creating a user in the
Oracle Identity Manager environment and attempting to provision the user to the Sun
Java Directory Services server associated with the iPlanet User resource. The iPlanet
User resource has not been properly configured, and as such, a failure should result from
the provisioning attempt. You will view the logs to analyze the problem and implement a
fix to resolve it.

Use monitoring tools through the Oracle Enterprise Manager Fusion Middleware Control
console to view how many events have been completed for the scheduler. The
scheduler is used to initiate jobs, such as reconciliation events. You will modify an
existing user in the Active Directory environment and reconcile that user to the Oracle
Identity Manager environment. While performing tasks related to that action, you will
monitor several metrics to see how the system is performing during that task.
Your tasks for this practice include:
1. Accessing the configuration details for the Oracle Identity Manager log to enable tracing
for the Sun Java System Directory Server module. By capturing tracing data, you can
view even more detailed information on events as they are triggered and logged to the
log files.
2. Creating a user in the Oracle Identity Manager environment that does not currently exist
in the Sun Java System Directory Server environment. You will then initiate the
provisioning process for the user. After initiating the process, you modify the server for
the provisioning process and re-attempt the provision. The server you choose will be
iPlanet User. This action forces an error to the Oracle Identity Manager environment.
3. Examining the status of the provisioning process in Oracle Identity Manager and then
viewing the status in the Fusion Middleware Control tool. You will filter the Oracle Identity
Manager logs to view messages pertaining to the provisioning event for the Sun Java
System Directory Server. On viewing the log, examine the execution ID (ECID) to view
the processes related to the provisioning event.
4. Resolving the issue and re-executing the provisioning process to synchronize the user to
the Sun Java System Directory Server environment.
5. Selecting and viewing several metrics chosen from the metrics palette. After selecting
the metrics, you will modify a user in Active Directory and reconcile that user to the
Oracle Identity Manager environment.

Important: For the practices in this lesson, <hostname> represents the host name of the
machine on which the practices are completed. Because the host name for your machine is
unique, replace all references of <hostname> with the host name of your machine.
To retrieve the host name of your machine:
1. Open a DOS window.
2. At the DOS prompt, enter hostname. The host name of your machine appears.

Practice 12-1: Access Oracle Identity Manager Log Configuration Details

Overview
In this practice, you change the log configuration for Sun Java System Directory Server events
within Oracle Identity Manager. You can control the diagnostic logging level for the different
components within Oracle Identity Manager. The top level diagnostic level is set to WARNING:1
(WARNING), and is inherited by lower level Oracle Identity Manager components, but can be
changed as needed. In this practice, you change the diagnostic level for Reconciliation events
to TRACE:1 (FINE). This provides a greater level of output, normally used for higher level
debugging.

Assumptions
You have completed the practices in the document titled Practices for Lesson 5.

Tasks

1. Access the Oracle Enterprise Manager 11g Fusion Middleware Control console using
the browser. The URL is http://hostname:7001/em.
2. Log in to the console using the following credentials:
Field        Value
User Name    weblogic
Password     Welcome1

3. In the navigation panel on the left-side of the screen, expand Identity and Access >
OIM. Click the link for oim(11.1.1.3.0).

This main screen displays the overall health of the components available within the
WebLogic instance. By clicking on the appropriate server, you narrow the focus of your
view to the components made available by the server. In this case, you went directly to
the Oracle Identity Manager application by clicking on the application link.
Note: If the Oracle SOA server is down, the overall status will be updated accordingly
and will display the server as down or unavailable.

4. From the Oracle Identity Manager drop-down menu on the oim(11.1.1.3.0) page, select
Logs > Log Configuration.

The oim(11.1.1.3.0) page provides overall performance metrics for the Oracle Identity
Manager application. Once within the Oracle Identity Manager application, you can view
logs specific to it, manage the log configuration, view performance data, view any web
services associated with the application, access application policies and roles, view the
System MBean Browser for Oracle Identity Manager, and control the status of the server
by starting and stopping it.

5. From the Log Configuration page, you can modify the diagnostic levels for the Oracle
Identity Manager loggers that interface with a myriad of components for Oracle Identity
Manager. On the Log Levels page, you define the diagnostic level for each logger.
Using the Search area, select All Categories if not already selected, enter SJSDS in the
search field and hit the Search button.

The search returns loggers that contain the word, SJSDS. In this example, you are
looking for the XL_INTG.SJSDS logger.

6. The XL_INTG.SJSDS logger is displayed as part of the search results. This logger
collects information for events between the Sun Java System Directory Server and the
Oracle Identity Manager environment. Change the diagnostic level to Trace:1 (FINE).
This captures higher level debugging information as well as all other higher levels of
diagnostics, including notifications and errors. Click Apply when finished.

By changing the top level logger, any child loggers inherit the same diagnostic level. This
is updated after you click Apply. In this case, there are no child loggers associated with
the XL_INTG.SJSDS logger.

7. Click Close once the log levels have been updated.

8. From the Log Levels tab, search for the term, SJSDS, to validate the settings for the
XL_INTG.SJSDS logger.

You have now updated the logging level for provisioning events for the SJSDS connector
moving forward.

Practice 12-2: Create an Oracle Identity Manager User

Overview
In this practice, you create an Oracle Identity Manager user that does not exist in Sun Java
System Directory Server. The user, Terri Lasario, has a login ID of TLASARIO. The user will be
automatically assigned to the resource, iPlanet User, based on changes you make to the default
setting for the iPlanet User resource object. The default server associated with the provisioning
process for iPlanet User is the Sun IT Resource server. You will edit the provisioning process
form for the user to change the server from Sun IT Resource to iPlanet User.

Assumptions

You have completed the practices in the document titled Practices for Lesson 6.

You have completed all the preceding practices for this lab.

Tasks

1. Open the Design Console and log in with the superuser credentials of xelsysadm for the
username and Welcome1 for the password.
2. Expand the Development Tools folder and double-click on the Form Designer to open
the forms.
3. In the Table Name field, enter IPNT_USR. The field will auto-populate with the syntax,
UD_IPNT_USR. Click the Query for records button to load the table.

4. Find the field, Server, and change the default field value from Sun IT Resource to
iPlanet User. Click the save button to save the changes to the database.

5. From the Oracle Identity Manager Administrative and User console, create the following
user:

Field                        Value
First Name                   Terri
Last Name                    Lasario
Design Console Access        [cleared]
Organization                 Training
User Type                    Full-Time Employee
User Login                   TLASARIO
Password/Confirm Password    Welcome1
Role                         Oracle 11g Users
                             ALL USERS

Note: The roles for a user must be added after the user has been created. Once you
have added the Oracle 11g Users role, the environment will automatically attempt to
provision the user to the iPlanet User resource.

6. When you have completed creating and saving the user, click on the Resources tab for
the user and select the line for the iPlanet User resource.

7. From the Action drop-down list, select Open to edit the provisioning process form.

8. Change the Common Name for the user to cn=Terri Lasario. Save the changes by
clicking Save on the process form page.

9. This will start the provisioning process.

Now that you have created the user and started the provisioning process to the iPlanet User
server, you are ready to proceed to accessing and viewing the logs for the reconciliation event.

Practice 12-3: View Provisioning Messages in the Oracle Identity Manager Log

Overview
In this practice, you access the Oracle Identity Manager log using the Oracle Enterprise
Manager Fusion Middleware Control console. You filter for, and view events pertaining to
provisioning events that have occurred within the last hour.

Assumptions
You have completed all the preceding practices for this lab.

Tasks
1. If not already logged in, log in to the Oracle Enterprise Manager Fusion Middleware
Control console using the following credentials:
Field        Value
User Name    weblogic
Password     Welcome1

2. From the left-hand navigation area, expand Identity and Access > OIM. Click the
oim(11.1.1.3.0) link to access the Oracle Identity Manager application.

3. From the Oracle Identity Manager drop-down list, select Logs > View Log Messages.

Choosing the View Log Messages menu item from the Oracle Identity Manager
application provides you with a view of all Oracle Identity Manager related log files.
4. Using the Search area, you can filter the number of messages that are displayed. If the
Oracle Identity Manager is heavily used or accessed, there will be a large number of
messages to filter through.
In this example, we are examining reconciliation events that have occurred within the
last hour. We will be examining messages of type Trace, Notification, Warning, and
Error. Complete the search fields using the following information (DO NOT CLICK
SEARCH):

   Field           Value
   Date Range      Most Recent / 1 / Hours
   Message Types   Incident Error [selected]
                   Error [selected]
                   Warning [selected]
                   Notification [selected]
                   Trace [selected]
                   Unknown [selected]


5. In addition to the filters listed in the previous step, you will add a field to filter for
reconciliation events only.
a. Click Add Fields. Select Module and click Add.

b. Enter the following text in the Module search field that has been added:
XL_INTG.SJSDS.

The XL_INTG.SJSDS module is the logger that you modified earlier to enable
additional logging information. By choosing this module, only provisioning events
for the Sun Java System Directory Server are retrieved from the log files.


6. Click Search to filter the log files. The results display all log files that match the criteria
specified.

In this example, a match has been found within the Oracle Identity Manager
environment. Notification and trace messages display detailed information about the
data that has been passed between Oracle Identity Manager and the Sun Java System
Directory Server. The trace data shows the functions that have been called and the
attributes sent to the Sun Java System Directory Server. An error indicates that there
was a problem with the provisioning process. Click the message for the error.
7. Detailed information for the message you chose is displayed directly below the search
results. The error indicated for this provisioning process is
Error while getting tcUtilLDAPOperations instance. Created
With empty Arguments. This indicates that some information is missing during the
provisioning process.
Click the ECID link to view the list of messages related to this process.

8. All messages, within 30 seconds of the event, that are directly associated with the ECID
you have chosen, are displayed to the page. The scope can be changed to values of 1
second to 1 hour. All messages, irrespective of the module or component that logged the
message, are displayed.

Based on the initial error message, we surmise there was a problem adding the user to
the Sun Java System Directory Server.

9. Trace events detail the calls that are made, the arguments passed, and the resulting
operations performed. Select the trace line below the error,
com.thortech.xl.integration.iplanet.tcUtilIPlanetUserOperations :
tcUtilIPlanetUserOperations() : Error while getting
tcUtilLDAPOperations instance. Created With empty Arguments.
10. In the details window for that trace, you will see the list of arguments passed for the Sun
Java System Directory Server provisioning process.

The full message displayed is:
com.thortech.xl.integration.iplanet.tcUtilIPlanetUserOperations :
tcUtilIPlanetUserOperations() : Parameter Variables passed are:
pServerName = [], pPort = [636], pRootContext = [], pPrincipalDN = [],
pPrincipalPwd = [************], oAttributeMap = [{ldapRoleMemberName=nsroledn,
ldapOrgObjectClass=Organization, ldapUserDisableAttr=nsaccountlock,
Telephone=telephonenumber, ldapUserUniqueAttr=uid, Password=userpassword,
ldapFirstName=givenname, ldapLastName=sn, ldapOrgDNPrefix=ou, Middle Name=initials,
ldapObjectClass=objectclass, ldapOrgUnitObjectClass=organizationalunit,
Entry DN=entrydn, ldapUserDNPrefix=uid, ldapRoleDNPrefix=cn, NsuniqueID=nsuniqueid,
Department=departmentnumber, ldapGroupMemberAttr=uniquemember,
loginDisabled=nsaccountlock, ldapOrgPersonObject=OrganizationalPerson, Location=l,
User ID=uid, Title=title, ldapUserObjectClass=inetorgperson, ldapPassword=userpassword,
ldapCommonName=cn, Email=mail, Common Name=cn,
Communication Language=preferredlanguage, ldapGroupDNPrefix=cn, Last Name=sn,
First Name=givenname}], oUdfMap = [null], sslFlag = [true]
In this case, you can see that the server name field is blank, the port does not match any
port that has been set up for connecting to Sun Java System Directory Server, and
other fields are blank. Based on the error and the trace details, you can see that there is
a configuration error with the resource object.
Now that you have viewed the log files and discovered that the user was not automatically
added, you can pursue options to resolve the issue.

Practice 12-4: Resolve Provisioning Issue


Overview

In this practice, you update the provisioning process again to change the server to the Sun IT
Resource. By saving the changes, the user is pushed to the Sun Java System Directory Server.

Assumptions
You have completed all preceding lessons for this lab.

Tasks
1. From the Oracle Identity Manager Administrative and User console, go to the Identity
Administration console and edit the account for Terri Lasario, if you do not already have
it opened.
2. Click on Resources to view the history of provisioning for the user.
3. Click on the line for the iPlanet User resource.
4. Select Open from the Action drop-down menu.
5. Click the search button to the right of the Server field.
6. Select the Sun IT Resource server and click Select.

7. Click Save after making changes to the server and verifying all other required fields are
completed. Close the follow-on screen after verifying your changes.

8. You now need to force the provisioning process to restart. Click on the Self-Service link
to go to the Identity Manager Self Service console. Click on the link, Search
Provisioning Tasks.

9. From the Provisioning page, you will see the list of provisioning tasks that have been
rejected or are in pending mode. Select the line for Terri Lasario (TLASARIO) where the
Task Name is Create User and click Open Task Detail. You should note that the status
of this provisioning task is Rejected.


10. The details window displays the full status of the provisioning task for TLASARIO. The
message, Created With empty Arguments, is displayed as the response when the
provisioning task was submitted. This correlates to the message seen in the OIM
message logs. Close the window.

11. From the Provisioning window, ensure the line for TLASARIO is selected and click Retry
Provisioning Task.

12. The provisioning task is resubmitted and the results are displayed. In this case, the
provisioning task has succeeded. Click OK.


13. From the Oracle Enterprise Manager Fusion Middleware Control console, view the
Oracle Identity Manager logs for provisioning events for the XL_INTG.SJSDS module
that occurred within the past hour. To do this, select Logs > View Log Messages from
the Oracle Identity Manager drop-down menu. Click Search to refresh the search.

You should no longer view any error messages. A notification message, in this example,
shows that the user, TLASARIO, was created.


14. In the Message field, search for the following string: tcUtilIPlanetUserOperations(). This
will filter the search for the arguments used for connecting to the Sun Java System
Directory Server. Click Search.

15. Towards the bottom of the list of trace events, you should see a trace event with the
following message:
com.thortech.xl.integration.iplanet.tcUtilIPlanetUserOperations :
tcUtilIPlanetUserOperations() : Parameter Variables passed are:
pServerName = [localhost], pPort = [53016], pRootContext = [dc=us,dc=oracle,dc=com],
pPrincipalDN = [cn=Directory Manager], pPrincipalPwd = [************],
oAttributeMap = [{ldapRoleMemberName=nsroledn, ldapOrgObjectClass=Organization,
ldapUserDisableAttr=nsaccountlock, Telephone=telephonenumber, ldapUserUniqueAttr=uid,
Password=userpassword, ldapFirstName=givenname, ldapLastName=sn, ldapOrgDNPrefix=ou,
Middle Name=initials, ldapObjectClass=objectclass,
ldapOrgUnitObjectClass=organizationalunit, Entry DN=entrydn, ldapUserDNPrefix=uid,
ldapRoleDNPrefix=cn, NsuniqueID=nsuniqueid, Department=departmentnumber,
ldapGroupMemberAttr=uniquemember, loginDisabled=nsaccountlock,
ldapOrgPersonObject=OrganizationalPerson, Location=l, User ID=uid, Title=title,
ldapUserObjectClass=inetorgperson, ldapPassword=userpassword, ldapCommonName=cn,
Email=mail, Common Name=cn, Communication Language=preferredlanguage,
ldapGroupDNPrefix=cn, Last Name=sn, First Name=givenname}],
oUdfMap = [{uid=TLASARIO, sn=Lasario, userpassword=Welcome1, cn=cn=Terri Lasario,
givenname=Terri}], sslFlag = [false]
In this example, the server name is localhost, the port is 53016, and the root context
is dc=us,dc=oracle,dc=com. The information now properly matches what was
originally configured for accessing the Sun Java System Directory Server.

16. Verify the user has been added by searching for the user in the Sun Java System
Directory Server console. If it is not already showing, press CTRL-R to refresh the
listings.


17. In the Design Console's Form Designer for the UD_IPNT_USR table, change the default
value of Server to Sun IT Resource. Click Save when finished.

This restores the previous configuration to ensure newly provisioned users will be
properly provisioned.
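
The comparison made by eye in Practice 12-3 step 10 and Practice 12-4 step 15 can be scripted. The Python below is an added example, not part of the Oracle course material: it parses the tcUtilIPlanetUserOperations() trace message, reports empty or unexpected connection parameters, and masks the userpassword value that the second trace records in clear text in oUdfMap. The two sample messages are constructed from the values shown in those steps with the attribute map abridged; the function names and the expected_port argument are assumptions.

```python
import re

MARKER = "Parameter Variables passed are:"
# Top-level "name = [value]" pairs. The lookahead ends a value only at the next
# parameter, so a value such as dc=us,dc=oracle,dc=com stays in one piece.
PARAM_RE = re.compile(r"(\w+) = \[(.*?)\](?=, \w+ = \[|\s*$)", re.DOTALL)
REQUIRED = ("pServerName", "pPort", "pRootContext", "pPrincipalDN")


def parse_map(text):
    """Parse a Java Map.toString() value; return None if text is not a map."""
    if not (text.startswith("{") and text.endswith("}")):
        return None  # "null", an empty value, or a scalar
    entries = {}
    # Assumes no value contains ", "; values may themselves contain "=".
    for item in text[1:-1].split(", "):
        key, sep, value = item.partition("=")
        if sep:
            entries[key] = value
    return entries


def parse_trace(message):
    """Return {parameter: str or dict} for one trace message ({} if no marker)."""
    _, found, tail = message.partition(MARKER)
    if not found:
        return {}
    params = {}
    for name, raw in PARAM_RE.findall(tail.strip()):
        parsed = parse_map(raw)
        params[name] = raw if parsed is None else parsed
    return params


def find_config_problems(params, expected_port=None):
    """List the connection parameters that explain a failed provisioning task."""
    problems = [f"{name} is empty" for name in REQUIRED if not params.get(name)]
    port = params.get("pPort")
    if expected_port is not None and port and port != str(expected_port):
        problems.append(f"pPort is {port}, expected {expected_port}")
    return problems


def cleartext_secrets(params):
    """Names of oUdfMap entries that hold a password value in clear text."""
    udf, attr_map = params.get("oUdfMap"), params.get("oAttributeMap")
    if not isinstance(udf, dict):
        return []
    secret = {"userpassword"}
    if isinstance(attr_map, dict):
        # oAttributeMap maps form fields to LDAP attributes (Password=userpassword).
        secret |= {v.lower() for k, v in attr_map.items() if "password" in k.lower()}
    return sorted(k for k, v in udf.items()
                  if k.lower() in secret and v and set(v) != {"*"})


def redact(message):
    """Mask password values inside oUdfMap before the message is stored or shared."""
    params = parse_trace(message)
    head, sep, udf = message.partition("oUdfMap = [")
    for name in cleartext_secrets(params):
        udf = udf.replace(f"{name}={params['oUdfMap'][name]}", f"{name}=********", 1)
    return head + sep + udf


# Constructed samples: values from the two traces above, attribute map abridged.
PREFIX = ("com.thortech.xl.integration.iplanet.tcUtilIPlanetUserOperations : "
          "tcUtilIPlanetUserOperations() : Parameter Variables passed are: ")
ATTR_MAP = ("{ldapUserUniqueAttr=uid, Password=userpassword, ldapFirstName=givenname, "
            "Middle Name=initials, ldapPassword=userpassword, Email=mail}")
FAILED = (PREFIX + "pServerName = [], pPort = [636], pRootContext = [], "
          "pPrincipalDN = [], pPrincipalPwd = [************], "
          "oAttributeMap = [" + ATTR_MAP + "], oUdfMap = [null], sslFlag = [true]")
FIXED = (PREFIX + "pServerName = [localhost], pPort = [53016], "
         "pRootContext = [dc=us,dc=oracle,dc=com], "
         "pPrincipalDN = [cn=Directory Manager], pPrincipalPwd = [************], "
         "oAttributeMap = [" + ATTR_MAP + "], "
         "oUdfMap = [{uid=TLASARIO, sn=Lasario, userpassword=Welcome1, "
         "cn=cn=Terri Lasario, givenname=Terri}], sslFlag = [false]")

if __name__ == "__main__":
    for label, msg in (("failed", FAILED), ("fixed", FIXED)):
        params = parse_trace(msg)
        print(label, find_config_problems(params, expected_port=53016),
              cleartext_secrets(params))
    print(redact(FIXED))
```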


Practice 12-5: Monitor Scheduled Events

Overview
In this practice, you select additional metrics from the Metric Palette for the Oracle Identity
Manager application. These metrics include the Completed Events Executions for the
ReconScheduledTaskhandler and SchedulerCreate event handlers for the Oracle Identity
Manager application. Once the metrics have been selected, you will modify an existing Active
Directory user and initiate a reconciliation job in Oracle Identity Manager to push the user's
information from Active Directory to Oracle Identity Manager. You will view the monitoring charts
before and after performing these tasks.
Oracle Identity Manager dynamically loads an Event Handler whenever a specific action is
called. For example, if the scheduler task for AD User Trusted Recon is executed and there are
changes to user accounts in Active Directory, Oracle Identity Manager loads the
ReconScheduledTaskhandler event handler to help mitigate the changes for Oracle Identity
Manager. Once the event handler has been loaded, you can monitor the metrics for the event
handler to see how many times the event handler has been executed.

Assumptions
You have completed all the preceding practices for this lab.

Tasks
Important: For this course, the Instructor is to provide students with a demonstration of how to
modify the email address of a user who belongs to the Curriculum organization in Microsoft
Active Directory. For this practice, George Trager represents this user. Therefore, steps 8-9 and
14 e-f of this practice are to be completed by the Instructor, not the student. Students should
complete all steps of this practice except for steps 8-9 and 14 e-f.
1. Log in to the Oracle Enterprise Manager Fusion Middleware Control as weblogic, if not
already logged in. The password is Welcome1.
2. From the navigation area, expand WebLogic Domain > IDMDomain. Click the link,
oim_server1.


3. From the WebLogic Server drop-down list, select Performance Summary.

4. The Performance Summary page displays several key factors for the Oracle Identity
Manager server. These metrics include the Java Virtual Machine (JVM) CPU usage and
heap usage, the number of active sessions for the Oracle Identity Manager application,
the request processing time, and the number of requests per minute to the application.
Click the Show Metric Palette to view the list of metrics available to you, as well as the
list of metrics that have already been selected.


5. Collapse the Metrics folder for oim_server1. This will allow you to more easily view
the metrics for the server and application.


6. Expand Members > oim(11.1.1.3.0) > Events Handler > SchedulerCreate. Select
Completed Events Executions from the list of metrics. This will show a chart with the
number of completed events for the Scheduler for the past 15 minutes. New events will
be captured while the monitoring chart is viewable.


Important: The Metric Palette is a dynamic palette. Only events that have been loaded
since the application was last started will be displayed. Your Metric Palette may differ
from the image shown in this step. If the Event Handler section of the Metric Palette is
aware of a large amount of event handler metrics, it will divide the list into multiple
groups, based on the first letter of the event handler metric. In this example,
SchedulerCreate may be accessible under Members > oim(11.1.1.3.0) > Events
Handler > [26-43] ProvisionR U.


7. Expand ReconScheduledTaskHandler and select Completed Events Executions as
well to see all provisioning for the past 15 minutes. If the ReconScheduledTaskHandler
metric is not visible within the Events Handler folder, expand the folders, Related
Targets > IDMDomain > OIM > Members > oim(11.1.1.3.0) > Events Handler. Expand
ReconScheduledTaskHandler and select Completed Events Executions.

Important: If the ReconScheduledTaskHandler event handler metric is not visible in
either location, you must perform a task that forces Oracle Identity Manager to load the
event handler. Once Oracle Identity Manager loads the event handler, the Fusion
Middleware Control tool will allow you to monitor the metric for the event handler. To
enable the metric within Fusion Middleware Control, proceed with steps 8 - 12. Once you
have completed all of the steps, perform the tasks described in step 14.


The Performance Summary page has now been updated to reflect the two new charts.
These are displayed as the oim(11.1.1.3.0): SchedulerCreate: Completed Events
Executions chart and the oim(11.1.1.3.0): ReconScheduledTaskHandler: Completed
Events Executions chart.


8. In the Active Directory Users and Computers console, right-click on George Trager's
name and select Properties.


9. Update the E-mail address field for George Trager to george.trager@oracle.com. Click
OK when finished.

10. From the Oracle Identity Manager Administrative and User console, go to the Identity
Manager Advanced Administration console if not already there.
11. Re-execute the job, AD User Trusted Recon.

a. Click Refresh on the job details page for the AD User Trusted Recon. This stops
any executing job, allowing you to restart the job.

b. Click Run Now to start the job for the Active Directory reconciliation.


12. Verify the reconciliation event occurred.


a. Select the Welcome tab and click Search Reconciliation Events in the Event
Manager section.

b. Search for all reconciliation events. Look for the highest numbered AD User
Trusted reconciliation event with the key field, GTRAGER.

c. Select the link for the event. This opens the details for event ID 81, in this
example.

In the Reconciliation Data sub-tab, the email address for George Trager is synchronized
to the Oracle Identity Manager environment as part of his existing account information.

13. Go to the Performance Summary page you modified earlier to view the new charts. You
will see that the monitoring tools have captured changes to the charts for both the
SchedulerCreate and ReconScheduledTaskhandler event handlers. The
ReconScheduledTaskhandler shows that one event was captured. The SchedulerCreate
shows that there were several jobs that executed as part of the reconciliation process.


Note: If the chart does not appear to be updating, it can be a result of the refresh rate for
the Fusion Middleware Control tool. Refresh the charts by clicking the Refresh icon in
the top right corner.


14. (Optional) This step is only necessary if the ReconScheduledTaskHandler event handler
metric was not initially visible in step 7 of this practice.
a. From the Fusion Middleware Control tool, open the Performance Summary page
for oim_server1, if the page is not currently active.
b. Click Show Metric Palette to open the Metric Palette, if it is not already visible.
c. Click Refresh to reload the Metric Palette.

d. Expand Members > oim(11.1.1.3.0) > Event Handlers >
ReconScheduledTaskhandler and select Completed Events Executions.

The Performance Summary page will now update to reflect the newly added
chart.
e. In the Active Directory Users and Computers console, right-click on George
Trager's name and select Properties.

f. Change the email address to george.m.trager@oracle.com. Click Apply when
finished.

g. Repeat steps 10-13 to execute the AD User Trusted Recon job, view the
reconciliation event for this update, and view the updated chart for the
ReconScheduledTaskhandler event handler metric.


Practices for Lesson 13
Chapter 13

Practices for Lesson 13

Practices Overview
Throughout this course, you have created custom objects and entities, including organizations,
roles, policies, rules, and resource objects. Using the Deployment Manager provided in Oracle
Identity Manager, you can export your custom data and migrate it to another Oracle Identity
Manager environment.
In addition to migrating custom content from one Oracle Identity Manager environment to
another, such as when migrating content from a staging server to a production server, you can
also use the Deployment Manager to create a backup of the Oracle Identity Manager
environment.
The MDS utility, a command-line utility, is also used to export and import metadata from and to
Oracle Identity Manager. While it can be used to export multiple objects, it requires a more
intimate knowledge of the metadata structure in Oracle Identity Manager. The MDS utility allows
you to make changes to the Oracle Identity Manager configuration.
In this practice, you will use the MDS utility to export the OIM configuration file. You will then
modify and re-import the OIM configuration file to the MDS repository. You will export your
custom metadata, including users, organizations, policies, and rules, using the Deployment
Manager. You will then import a set of organizations through the Deployment Manager.


Important: For the practices in this lesson, <hostname> represents the host name of the
machine on which the practices are completed. Because the host name for your machine is
unique, replace all references of <hostname> with the host name of your machine.
To retrieve the host name of your machine:
1. Open a DOS window.
2. At the DOS prompt, enter hostname. The host name of your machine appears.


Practice 13-1: Export and Re-import the OIM Configuration using the MDS Utility

Overview
Using the MDS Utility, you will export the OIM configuration from the Oracle Identity Manager
repository. The OIM configuration XML file can be updated to allow for performance
improvements, changes to the BI Publisher URL, or other Oracle Identity Manager system
configuration.
In this practice, you modify the OIM configuration file exported from the MDS to change the
timeout value for your Oracle Identity Manager connection session. By increasing the timeout
value from 360 seconds, or 5 minutes, to 6000 seconds, or 10 minutes, you increase the idle
time for a database connection session between Oracle Identity Manager and its repository.

Assumptions
You have completed all the preceding labs for this course.

Tasks
1. From the desktop, open a DOS window and change to the directory,
D:\app\oracle\product\middleware\iam_home\server\bin.
2. Set the OIM_ORACLE_HOME variable to
D:\app\oracle\product\middleware\iam_home.

The variable must be set to the Oracle Identity Manager base directory so that the MDS
utility calls the appropriate Java classes.
3. Open and edit the file,
D:\app\oracle\product\middleware\iam_home\server\bin\weblogic.properties.

4. Change the values highlighted as follows, so that your file looks like the code example
shown below:

   Parameter          Value
   wls_servername     oim_server1
   application_name   oim
   metadata_to_loc    /stage/labs/lab_13/exportedData/
   metadata_files     /db/oim-config.xml

# Weblogic Server Name on which OIM application is running
wls_servername=oim_server1

# If you are importing or exporting any out of box event handlers,
# value is oim.
# For rest of the out of box metadata, value is OIMMetadata.
# If you are importing or exporting any custom data, always use
# application name as OIMMetadata.
application_name=oim

# Directory location from which XML file should be imported.
# Lets say I want to import User.xml and it is in the location
# /scratc/asmaram/temp/oim/file/User.xml,
# I should give from location value as /scratc/asmaram/temp/oim. Make
# sure no other files exist
# in this folder or in its sub folders. Import utility tries to
# recursively import all the files under the
# from location folder. This property is only used by
# weblogicImportMetadata.sh
metadata_from_loc=@metatdata_from_loc

# Directory location to which XML file should be exported to
metadata_to_loc=/stage/labs/lab_13/exportedData/

# For example /file/User.xml to export user entity definition. You can
# specify multiple xml files as comma separated values.
# This property is only used by weblogicExportMetadata.sh and
# weblogicDeleteMetadata.sh scripts
metadata_files=/db/oim-config.xml

# Application version
application_version=11.1.1.3.0


5. Once the values have been changed, you can run the MDS export utility. The MDS utility
reads the values from weblogic.properties and exports /db/oim-config.xml to
/stage/labs/lab_13/exportedData.
Run the command, weblogicExportMetadata.bat, in the DOS window and enter
the following values when prompted:
   Parameter    Value
   Username     weblogic
   Password     Welcome1
   Server URL   t3://<hostname>.us.oracle.com:7001


6. The db directory is created in the D:\stage\labs\lab_13\exportedData directory. Navigate to the directory in Windows Explorer and edit the oim-config.xml file using Notepad or WordPad. Excerpts of the extracted file are displayed below:
<xmlConfig
xsi:schemaLocation="http://www.oracle.com/schema/oracle/iam/platform/config oim-config.xsd ">

<discoveryConfig>

</directDBConfigParams>
<bIPublisherURL>http://edrsr11p1.us.oracle.com:9704/xmlpserver</bIPublisherURL>
<oimFrontEndURL>http://edrsr11p1.us.oracle.com:7007</oimFrontEndURL>
<oimJNDIURL>@oimJNDIURL</oimJNDIURL>
<backOfficeURL/>
</discoveryConfig>

<cacheConfig clustered="false" enabled="false" expirationTime="144000"
provider="oracle.iam.platform.utils.cache.OSCacheProvider"
threadLocalCacheEnabled="false">

<cacheCategoriesConfig>
<cacheCategoryConfig name="DataObjectEventHandlers" enabled="false" expirationTime="14400"/>
<cacheCategoryConfig name="ProcessDefinition" enabled="false" expirationTime="14400"/>

</cacheCategoriesConfig>

<callbackOwsmSecurityPolicy>
oracle/wss11_saml_token_with_message_protection_client_policy
</callbackOwsmSecurityPolicy>

<SOAConfig>
<username>weblogic</username>
<passwordKey>SOAAdminPassword</passwordKey>
<type>rmi</type>
<soapurl>http://edRSr11p1.us.oracle.com:7006</soapurl>
<rmiurl>t3://edRSr11p1.us.oracle.com:7006</rmiurl>
</SOAConfig>

</xmlConfig>


For example, if you set up BI Publisher at a later time, you can extract this file from the repository, change the <bIPublisherURL> tag to point to the appropriate URL, and re-import the file into the repository.

7. Search for the following term:
idleTimeout=360
8. Change the value from 360 to 6000.

9. To import the OIM configuration back into the repository, edit the D:\app\oracle\product\middleware\iam_home\server\bin\weblogic.properties file using the following values:
Parameter            Value
metadata_from_loc    /stage/labs/lab_13/exportedData

# Weblogic Server Name on which OIM application is running
wls_servername=oim_server1
# If you are importing or exporting any out of box event handlers, value is oim.
# For rest of the out of box metadata, value is OIMMetadata.
# If you are importing or exporting any custom data, always use application name as OIMMetadata.
application_name=oim
# Directory location from which XML file should be imported.
# Lets say I want to import User.xml and it is in the location /scratc/asmaram/temp/oim/file/User.xml,
# I should give from location value as /scratc/asmaram/temp/oim. Make sure no other files exist
# in this folder or in its sub folders. Import utility tries to recursively import all the files under the
# from location folder. This property is only used by weblogicImportMetadata.sh
metadata_from_loc=/stage/labs/lab_13/exportedData
# Directory location to which XML file should be exported to
metadata_to_loc=/stage/labs/lab_13/exportedData/
# For example /file/User.xml to export user entity definition. You can specify multiple xml files as comma separated values.
# This property is only used by weblogicExportMetadata.sh and weblogicDeleteMetadata.sh scripts
metadata_files=/db/oim-config.xml
# Application version
application_version=11.1.1.3.0

The remaining parameters remain the same as before. The MDS import utility reads the weblogic.properties file and retrieves all files it finds in the D:\stage\labs\lab_13\exportedData directory.
Note: While both the metadata_from_loc and metadata_to_loc variables have values, the MDS export utility will only use the metadata_to_loc variable, while the MDS import utility will only use the metadata_from_loc variable.


10. Execute the MDS import utility, weblogicImportMetadata.bat, in the Command window and enter the following values when prompted:
Parameter     Value
Username      weblogic
Password      Welcome1
Server URL    t3://<hostname>.us.oracle.com:7001

The configuration file has been successfully re-imported into the repository.
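A preflight check for the import step, added here as an example and not part of the Oracle course material or the MDS utilities: because the import utility recursively imports every file under metadata_from_loc, the script lists what would be imported and flags anything unexpected or not well-formed. Treating metadata_files as the allow-list, and the sample property and XML values, are assumptions of this example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def preflight_import(props):
    """Return findings for the import directory; an empty list means clean."""
    from_loc = props.get("metadata_from_loc", "")
    # An unreplaced template token such as @metatdata_from_loc is not a path.
    if not from_loc or from_loc.startswith("@"):
        return ["metadata_from_loc is unset or still a placeholder: %r" % from_loc]
    if not os.path.isdir(from_loc):
        return ["metadata_from_loc is not a directory: %r" % from_loc]

    # Assumption of this example: metadata_files doubles as the allow-list of
    # files the operator intends to import (the import utility ignores it).
    expected = {p.strip().lstrip("/")
                for p in props.get("metadata_files", "").split(",") if p.strip()}
    findings, found = [], set()
    for dirpath, _dirs, files in os.walk(from_loc):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, from_loc).replace(os.sep, "/")
            found.add(rel)
            if rel not in expected:
                findings.append("unexpected file would be imported: " + rel)
                continue
            try:
                ET.parse(full)  # a half-saved edit fails here, before import
            except ET.ParseError as exc:
                findings.append("not well-formed XML: %s (%s)" % (rel, exc))
    for rel in sorted(expected - found):
        findings.append("expected file missing: " + rel)
    return sorted(findings)


# Constructed sample modelled on the lab's weblogic.properties.
SAMPLE_PROPERTIES = """\
# Weblogic Server Name on which OIM application is running
wls_servername=oim_server1
application_name=oim
metadata_from_loc=@metatdata_from_loc
metadata_files=/db/oim-config.xml
"""

# Constructed sample XML; the host name is a placeholder.
SAMPLE_XML = ("<xmlConfig><discoveryConfig><bIPublisherURL>"
              "http://bip.example.test:9704/xmlpserver"
              "</bIPublisherURL></discoveryConfig></xmlConfig>")


def demo():
    """Run the check against four constructed states of the export directory."""
    props = parse_properties(SAMPLE_PROPERTIES)
    results = {"placeholder": preflight_import(props)}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        target = os.path.join(root, "db", "oim-config.xml")
        with open(target, "w") as fh:
            fh.write(SAMPLE_XML)
        props["metadata_from_loc"] = root
        results["clean"] = preflight_import(props)
        # A stray backup left by an editor would be imported as well.
        with open(target + ".bak", "w") as fh:
            fh.write("stale copy")
        results["stray"] = preflight_import(props)
        # A truncated edit of the configuration file itself.
        with open(target, "w") as fh:
            fh.write("<xmlConfig><discoveryConfig>")
        results["broken"] = preflight_import(props)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "OK")
```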


Practice 13-2: Exporting Deployment Configuration with the Deployment Manager

Overview
In this practice, you use the Deployment Manager in the Oracle Identity Manager Administrative
and Web Console to export an XML file that contains custom objects and entities created during
the course. You will export the organization hierarchy created, roles, role categories, rules,
approval, authorization, and access policies into a single XML file, entities-training.xml.
Any dependent and child objects associated with those entities and objects, such as resource
objects, will be included.
Important: If you are migrating connectors between Oracle Identity Manager servers, before
importing your connectors, copy all associated JAR files to the ScheduleTask and
JavaTasks directories. Otherwise, your connectors cannot function in your target Oracle
Identity Manager environment. The Deployment Manager does not move JAR files as part of a
migration effort.

Assumptions
You have completed all the preceding labs for this course.

Tasks
1. If you are not already logged in, log in to the Oracle Identity Manager Administrative and Web Console as the system administrator user account, xelsysadm.
2. Click the Advanced link to access the Oracle Identity Manager Advanced Administration console.
3. From the System Management area, click Export Deployment Manager File.
This loads the Deployment Manager application. You may receive a Warning Security
window. If so, trust and accept the security certificate.


4. From the Deployment Manager Wizard, select Organization from the Search drop-down
list. Click Search.

The second field is a filter search field. By leaving this empty, this returns all organizations defined within Oracle Identity Manager.

5. Select the following organizations and click Select Children >> when done:

Quality Assurance and Support


Curriculum

Process Owners

Reviewers
Approvers

Training
Legal

Curriculum HelpDesk

Human Resources
Information Technology Support Training


6. On the Select Children screen, you select any children you wish to include as part of the
objects that are exported. Click Select Dependencies >>.

In this example, you have already chosen the top and lowest level of the organizational hierarchy, so all children have already been selected in this case. On the previous screen, you can choose the top-level hierarchy and then select or deselect the children organizations on this screen if you are dealing with a significant number of organizations that you would like to select.

7. You can select any dependencies associated with the objects to be exported on the
Select Dependencies screen. Organizations previously selected are automatically
selected on this screen and cannot be deselected. Click Confirmation >>.

Objects associated with the organizations include rules and roles. You will not be exporting any of these dependencies at this moment.
8. On the Confirmation screen, verify the items you are adding for export and click Add For Export.

9. You can now either quit the wizard and export your objects or add more objects to be
exported. Click Add More (Go to Step 1) and click OK.

10. Add roles, role categories, and rules to the list of exported objects.
a. Select Role from the search drop-down list and click Search.
b. Select the following roles from the Search Results list and click Select Children:
Oracle 11g Managers
Oracle 11g Users
Oracle 11g Approvers
IT
US-Resource-Approvers
India-Resource-Approvers
Program Mgmt Project X Development
Curriculum HelpDesk Admin
Human Resources

c. On the Select Children screen, click Select Dependencies.

The role category associated with each role is selected on the Select Children screen. You can deselect the role categories so that they are not exported, if you wish. In this example, we will leave them selected so that they are exported.
d. Select all of the dependencies displayed on the Select Dependencies screen. Click Confirmation when done.

The dependencies listed here are the rules associated with several of the roles
selected earlier. If you have additional rules that you wish to capture, you can select
the Rule object on the search page and select all other rules not displayed here.

e. Click Add for Export on the confirmation page to complete the process for
adding role and associated objects.

f. Click Add More (Go to Step 1) and click OK.
11. Add authorization policies to the list of exported objects.
a. Select Authorization Policy from the Search drop-down list and click Search.
b. Select the following authorization policies and then click Select Children >>:
Curriculum HelpDesk - Search Users - AP
Curriculum HelpDesk - Create User - AP
Provision Project X Resources
Curriculum HelpDesk - Modify User Password - AP
Human Resources - Modify User - Professional Qualifications - AP
Curriculum HelpDesk - View Users AP

c. On the Select Children screen, click Select Dependencies.

Objects with a gray box have already been marked for exportation by the Deployment Manager. In this case, the authorization policies are associated with roles and organizations. These roles and organizations have already been selected for export, and so will not be selectable here.
d. There are no dependencies to select on the Select Dependencies screen. Click Confirmation.

e. Click Add for Export on the Confirmation screen.

f. Click Add More (Go to Step 1) and click OK.
12. Add access policies to the list of objects to export.
a. Select Access Policy from the Search drop-down list and click Search.
b. Select Users Access Policy and click Select Children >>.
c. There are no children for the access policy. Click Select Dependencies >>.
d. Dependencies for the access policy include the role Oracle 11g Users and the iPlanet User resource. Since we will be exporting the resource in another step, do not select the resource. Click Confirmation to proceed.

e. Click Add for Export to complete the process.


f. Click Add More (Go to Step 1) and click OK.
13. Add approval policies to the list of objects to export.
a. Select Approval Policy from the Search drop-down list and click Search.
b. Select Provision Resource - iPlanet User - RL, Provision Resource - iPlanet
User - India - OL, and iPlanet User - US - OL. Click Select Children >>.
c. On the Select Children screen, the iPlanet User resource and any child
definitions have been selected. Click Select Dependencies.

d. Click Confirmation on the Select Dependencies screen.
e. Click Add for Export to complete the process.

14. Select Exit wizard and show full selection and click OK.

15. The Deployment Manager Export page lists all the objects you have selected to export. The total number of objects, as well as a breakdown of the object type is displayed in the Summary area on the left side of the screen. Click Export to proceed.

16. Enter the following in the short description field: Custom Objects for training - orgs,
roles, authorization policies, approval policies, access policies, and rules. This
field should be as descriptive as possible.

17. Navigate to D:\stage and save the file as entities-training.xml.


18. Click Close after the objects have been exported.

The Deployment Manager screen clears and is ready to export other objects to another XML file.
19. Close the Deployment Manager Export window.

Practice 13-3: Import an XML File Using the Deployment Manager


Overview
In this practice, you import an XML file that contains the hierarchical structure of a company with
several departments defined within it. This task is performed with the Deployment Manager. The
Deployment Manager verifies the dependencies for objects you import are available. You can
perform substitutions of names during the import process.

Assumptions
You have completed all the preceding practices for this lab.

Tasks
1. Log in to the Oracle Identity Manager Administrative and User Console as the system
administrator, xelsysadm, if not already logged in, or if your session has timed out.
2. Click the Advanced link to proceed to the Identity Manager Advanced Administration
console.
3. Click the link, Import Deployment Manager File.

4. Select Start import anyway (get lock by force) and click Get Lock if presented with the window, Another import in progress.

5. A file manager browse window is opened. Select the file ACME.xml from the directory
D:\stage\labs\lab_13\XMLFiles. Click Open.

This XML file contains the ACME company organizational hierarchy. Child hierarchies and role objects are also included in the XML file.

6. Details on the XML file are displayed on the File Preview screen. In this example, the
objects were exported by the system administrator, xelsysadm. The contents of the file
were exported from an Oracle database on the host, edrsr11p1.us.oracle.com,
port 1521, SID orcl. The description ACME Company and Roles was provided when
the objects were exported.
Click Add File to proceed.

7. Before loading the objects, you should determine if you need to make substitutions. If the object you are importing has the same name as an object in the Oracle Identity Manager environment, and its behavior is different, you should consider renaming the object you are importing. In this case, the roles and users defined here are the same as those that are being imported.

Click Next to proceed.

8. The Confirmation screen shows any changes made. In this case, no substitutions were made. Click Next to proceed.

9. All objects that will be imported are listed in the Deployment Manager Import page.
The organization hierarchy and role hierarchy are listed. A breakdown of all of the
objects is shown in the Summary section of the Deployment Manager.

The items marked with the exclamation caution or error symbol should be investigated. In the case shown in the screenshot, there is a dependency missing from the file imported.
In this case, the ACME Roles category is listed for two roles, the ACME SeniorManagers
and ACME HelpDesk Administrators roles.
If there is a chance of overwriting an existing object with newer information, the caution
will highlight this as well.

10. Click Add File to add a file that contains the dependencies necessary to properly import
the objects from the original file.


11. Select the file, ACME_dependencies.XML from the directory, D:\stage\labs\lab_13\XMLFiles. Click Open.

12. Click Add File to add the objects in the ACME_dependencies.xml file to the queue of objects to be imported.

13. The object in this XML file expects the role, SPML_App_Role. If this role exists in the
target system by a different name, the name can be entered in the Substitutions screen.
Click Next to proceed.

14. Since no substitutions are made, click Next on the Confirmation page.
15. Now that the errors have been resolved, click Import to proceed.

16. Click Import once you are ready to proceed.

17. Once the import is successful, click OK.

The objects have now been successfully imported into Oracle Identity Manager. You can validate the objects by visiting the Organization and Role screens.
18. Click the Administration link to go to the Identity Manager Administration console.
19. Click the Advanced Search Organizations link in the Organizations panel.
20. Search for organization names that begin with ACME and click Search.

The organizations you imported are displayed.



21. From the Welcome tab, click the Advanced Search Roles link in the Roles panel.

22. Search for roles that begin with ACME and click Search.

All of the roles that were imported are listed. The objects have been successfully imported.

Practices for Lesson B
Chapter 14

Practices for Lesson B


Practices Overview


There are no practices for Lesson B.

Practices for Lesson C
Chapter 15

Practices for Lesson C


Practices Overview


There are no practices for Lesson C.

Practices for Lesson D
Chapter 16

Practices for Lesson D


Practices Overview


There are no practices for Lesson D.

Practices for Appendix E
Chapter 17

Practices for Appendix E


Practice Overview


In this practice, you complete a business scenario. This scenario culminates in the completion
of the Design phase of constructing an Oracle Identity Manager connector.


Practice E-1: Build an Oracle Identity Manager Connector


Overview
In this practice, you complete a business scenario. This scenario culminates in the completion
of the Design phase of constructing an Oracle Identity Manager connector.
The purpose of this connector is to provision a user with a resource. For this practice, Sun Java
System Directory Server represents this resource.

Assumptions
You have a thorough understanding of the appendix titled Oracle Identity Manager
Connectors.


Tasks


a. Create an IT resource type. This record represents the classification type, parameter fields, and encryption settings associated with a resource (for this practice, Sun Java System Directory Server). These parameter fields can include the following:
Admin ID: The Directory Name (DN) of the user who has administrative rights on Sun Java System Directory Server
Admin Password: The administrator's password. Also, for security purposes, you should encrypt this parameter field.
Prov Attr. Lookup Code: The name of the lookup definition in Oracle Identity Manager that has the target attribute mappings required for provisioning a user to Sun Java System Directory Server
Server Address: The IP address of Sun Java System Directory Server
Port: The port number that Oracle Identity Manager requires to connect to Sun Java System Directory Server
Root DN: The Base DN where all user operations are to occur on Sun Java System Directory Server


b. Define an IT resource. This record contains values Oracle Identity Manager requires to communicate with a resource (for this practice, Sun Java System Directory Server) and access it as an administrator (for provisioning or reconciliation purposes). These values can include the following:
Admin ID: cn=Directory Manager
Admin Password: dead_line1
Note: Because the Admin Password parameter is encrypted, the associated value appears as a series of asterisks (*********).
Prov Attr. Lookup Code: AttrName.Prov.Map.iPlanet
Server Address: localhost
Port: 53960
Root DN: dc=oracle,dc=com

Important: One part of defining an IT resource is specifying the IT resource type to which it belongs. By doing so, you create a link between the IT resource type and the IT resource.


c. Create the process form. This record is a central housing mechanism, holding
everything Oracle Identity Manager requires to either provision a user to a resource or
reconcile a user with the resource (for this practice, Sun Java System Directory
Server). This can include the following:

User ID: The ID of the user who is to be provisioned with Sun Java System
Directory Server

First Name: The user's first name

Last Name: The user's last name

Organization: The organization to which the user is to belong


Server: The IT resource Oracle Identity Manager is to use to communicate with
Sun Java System Directory Server and access it as an administrator (for
provisioning or reconciliation purposes)
Important: One part of constructing a process form is creating an IT resource type
lookup field. For this practice, Server represents this field.
With this field, you specify which IT resource type is associated with your form. By
doing so, you create a link between the IT resource type and the form.

d. Build a process task adapter. Oracle Identity Manager uses this piece of Java code to
automate the completion of a provisioning process task. This process task represents a
common function on the resource (for this practice, creating a user account in Sun
Java System Directory Server).
To build a process task adapter, you must:
1) Create top-level information for the adapter.
2) Construct placeholders for data to be mapped to parameters of an adapter's tasks
at run time. These placeholders are adapter variables.
3) Build atomic function calls organized in a logical flow. These function calls are
adapter tasks.
4) Compile the adapter so that Oracle Identity Manager uses it to automate a particular
action (for this practice, creating a new user account in Sun Java System Directory
Server).
The adapter contains certain mappings and functionalities, used to interact with both a
task of the provisioning process and the fields of the process form.
Important: There is a one-to-one relationship between adapter and process task. That
is, each task has only one adapter associated with it. For example, suppose the
provisioning process of your connector for Sun Java System Directory Server has the
Create User process task. For Oracle Identity Manager to complete this task
automatically, you must have a process task adapter attached to it.

e. Define a resource object. This record is a virtual representation of a resource and
contains everything required to either provision a user to that resource, reconcile a
user with it, or both. It is the central record for all entities related to the resource, and is
the parent record with which the provisioning process and process form are
associated.
For this practice, when you define a resource object, Oracle Identity Manager uses
entities contained in that object to create an account for a user in Sun Java System
Directory Server.
Important: There is a one-to-one relationship between resource object and connector.
That is, each connector has only one resource object.

f. Create a provisioning process. This record contains steps Oracle Identity Manager
must complete to perform provisioning or reconciliation with a particular resource (for
this practice, Sun Java System Directory Server).
For this practice, the process definition is used to create user accounts on Sun Java
System Directory Server. It contains the process task used to perform this function on
the resource. This function is automated through the process task adapter.
Important: One part of creating a provisioning process is specifying the resource
object to which it belongs. In addition, you select the custom process form associated
with the process. As a result, you create a link between the provisioning process and
both the resource object and the custom process form.

g. Create a process task. This is a step contained in the provisioning process. It
represents the action Oracle Identity Manager is to perform on a resource (for this
practice, creating a user account in Sun Java System Directory Server).
Important: Part of creating a process task is specifying the provisioning process to
which it belongs. By doing so, you establish a link between the provisioning process
and the process task.

h. Attach the process task adapter to the process task. By doing so, you enable Oracle
Identity Manager to automate the completion of this task. When the status of a process
task changes to Pending, Oracle Identity Manager triggers the associated process task
adapter.
After you attach the process task adapter to the process task, you must map all
placeholders of data (or variables) in the adapter to their proper locations. Otherwise,
Oracle Identity Manager cannot use the process task adapter to automate completion
of the associated process task (for this practice, creating a user account in Sun Java
System Directory Server).

Practices for Appendix F


Practices Overview

In these practices, you become familiar with customizing the following Web-based consoles for
Oracle Identity Manager 11g:

Oracle Identity Administration

Authenticated Self Service


Levels of customization for you to perform with these consoles include:

Modifying console look and feel (that is, branding it)

Changing console functionality by modifying Oracle Identity Manager code


Specifically, you learn how to perform the following customizations:
1. Customizing the overall layout of a console. This includes:

Modifying the text that appears in the header banner of the console. This text is
known as branding text.
Adding a logo to a console.

Changing the mouseover text associated with the logo. A mouseover refers to a GUI
event that is raised when a user moves or "hovers" the cursor over a particular area
of the GUI (for this example, the logo on the Oracle Identity Manager 11g page or
console).
2. Renaming button text (or labels) in two consoles: the Identity Administration Console
and the Authenticated Self Service Console. Specifically, you learn how to change
button labels in the following consoles:

For the Identity Administration console, you change the text in the Save and Cancel
buttons to Submit and Clear. These buttons are located on the Create User page of
the console.

For the Authenticated Self Service console, you change the text in the Apply and
Revert buttons to Submit and Cancel. These buttons are located on the Challenge
Questions page of the console.
3. Creating custom skins and style sheets for the Authenticated Self Service Console and
the Identity Administration Console. As a result, the appearance of these consoles is
modified, and reflects the custom skin and style sheet you created for the consoles.
These changes include the consoles' background color, menu link color, and activity
icon (located in the upper-right-hand corner of the console).

Important: For the customizations you make to take effect, you must clear both the cache
for the Oracle Identity Manager Server (the Server cache) and the cache for the Web
browser (the Browser cache).
To clear the Server cache:
1. Shut down the Oracle Identity Manager Server, all Oracle Identity Manager Web-based
consoles, and the Oracle Identity Manager Design Console.
2. Open a DOS window. To do so, select Run from the Windows Start menu. Then,
enter cmd in the Open field of the Run window, and click OK.
3. Navigate to the D:\app\oracle\product\middleware\user_projects\
domains\IDMDomain\servers\oim_server1\tmp directory.
4. Clear all files in this directory.
To clear the Browser cache:
1. Open a Web browser.
2. Select the Tools menu. Then, select Delete Browsing History from the popup menu
that appears.
3. In the Delete Browsing History window, click Delete All.
4. On the second Delete Browsing History window, select the Also delete files and
settings stored by add-ons check box. Click Yes.

Practice F-1: Branding the Identity Administration Console


Overview

In this practice, you customize the look and feel of the Identity Administration Console (or brand
the console). This includes:

Modifying the text that appears in the header banner of the console. This text is known
as branding text. Specifically, you change the branding text of this console from Identity
Administration to Identity Provisioning System.
Adding a logo to the console. For this practice, replace the Oracle Corporation logo with
the logo for ACME Capital (or ACME INC.). ACME INC. is the company for which you
are an administrator. This logo is represented by the acme_capital2.png file.
Changing the mouseover text associated with the logo. Specifically, replace the Oracle
mouseover text with text for your company (ACME INC).
Note: A mouseover refers to a GUI event that is raised when a user moves or "hovers"
the cursor over a particular area of the GUI (for this example, the logo on the Oracle
Identity Manager 11g page or console).

Assumptions
You installed, configured, and launched Oracle Identity Manager 11g.

Tasks: Modifying Branding Text
1. Shut down the Oracle Identity Manager Server, all Oracle Identity Manager Web-based
consoles, and the Oracle Identity Manager Design Console (if the server and consoles
are still running and operable).
2. Open a DOS window. To do so, select Run from the Windows Start menu. Then, enter
cmd in the Open field of the Run window, and click OK.
3. In the DOS window, navigate to the
D:\app\oracle\product\middleware\iam_home\
server\apps\oim.ear\admin.war\WEB-INF\lib directory.
4. Create a folder titled backups in this directory. This folder contains a copy of all files
you are to modify for this subpractice.
Important: Before modifying any file, back it up. The file you edit corresponds to a type
of customization to perform with a console. For example, by editing the
IdentityUIBundle_en.properties file, you change the branding text for the
Identity Administration Console.
5. Copy the IdentityTaskFlow.jar file, which resides in the
D:\app\oracle\product\middleware\iam_home\
server\apps\oim.ear\admin.war\WEB-INF\lib directory.
6. Paste this file into the backups folder.

7. Navigate to the backups folder. At the prompt, enter:


jar xf IdentityTaskFlow.jar
Important: If you cannot extract the jar file, make sure you set the PATH environment
variable to point to the folder where the Java JDK resides. For example, if the Java JDK
is located in the D:\Program Files\Java\jdk1.6.0_18\bin directory, enter the
following at the prompt:
set PATH=%PATH%;D:\Program Files\Java\jdk1.6.0_18\bin
Note: You are extracting the contents of the IdentityTaskFlow.jar file because you
have to modify the IdentityUIBundle_en.properties file, which is contained in
the jar file. By editing the IdentityTaskFlow.jar file, you change the branding text
for the Identity Administration Console.
8. Using a text editor, open the IdentityUIBundle_en.properties file, found in the
backups\oracle\iam\identitytaskflow\resources directory.
Note: This directory appears after you extract the contents of the
IdentityTaskFlow.jar file.
9. Locate the following string of text:
admin_branding_text=Identity Administration

10. Change the value of the admin_branding_text parameter to Identity
Provisioning System.
Your file should resemble the following screenshot:

11. Save your changes to the IdentityUIBundle_en.properties file. Close the file.

12. In the DOS Window, navigate to the backups directory if you are not already there. At
the prompt, enter:
jar cf IdentityTaskFlow.jar *
Note: By entering c as an argument, you are creating (c) a new
IdentityTaskFlow.jar file. This file contains the modifications you made to the
IdentityUIBundle_en.properties file.
13. Navigate to the D:\app\oracle\product\middleware\iam_home\
server\apps\oim.ear\admin.war\WEB-INF\lib directory. Replace the unedited
IdentityTaskFlow.jar file with the modified file.
14. Restart Oracle Identity Manager Server and access the Identity Administration Console
in the Oracle Identity Manager Administrative and User Console. The Home page of this
console appears. The header banner of this console is changed from Identity
Administration to Identity Provisioning System.

Tasks: Adding a Logo


1. If logged into the Oracle Identity Manager Administrative and User Console, click Sign
Out to log off.
2. From Windows Explorer, copy the acme_captial2.png file, which represents the logo,
from the D:\stage\labs\Appendix_F\original_files\F_1\adding_a_logo
directory to the
D:\app\oracle\product\middleware\iam_home\server\apps\oim.ear\
iam-consoles-faces.war\images directory.
Note: The images directory is the place where all graphics files for the Oracle Identity
Manager Web-based consoles are to be stored (including the logo you are to add).
3. Using a text editor or JDeveloper, open the Admin.jspx file, located in the
D:\app\oracle\product\middleware\iam_home\server\apps\oim.ear\
admin.war\pages directory.
4. Locate the following line of code:
<af:document title="#{resUI.window_title_text}" theme="dark" id="d1">

5. Below this line of code, add the following lines of code:


<af:resource type="css">
.MyCustomBrandingLogo {
background-image:url('/oim/images/acme_captial2.png');
background-position:center;
background-repeat:no-repeat; display:block;
height:3.5em; width:119px;
}
</af:resource>
Your file should resemble the following screenshot:

6. Locate the following line of code:
<af:pageTemplate viewId="/templates/IdmShell.jspx"
value="#{bindings.pageTemplateBinding}" id="pt1">

7. Below this line of code, add the following line of code:

<f:attribute name="brandingLogoCls"
value="MyCustomBrandingLogo"/>

Your file should resemble the following screenshot:

8. Save your changes to the Admin.jspx file. Close the file.

9. Reload the Oracle Identity Manager Administrative and User Console, log in as the
superuser account, and access the Oracle Identity Administration Console. The logo,
represented by the acme_capital2.png file, appears in the Home page of this
console.

Tasks: Changing the Logo Mouseover Text

1. Shut down the Oracle Identity Manager Server and the Identity Administration Console.
2. From Windows Explorer, navigate to the
D:\app\oracle\product\middleware\iam_home\modules\
oracle.idm.uishell_11.1.1 directory.
3. Create a folder titled backups in this directory.
Note: The backups folder contains the contents of the oracle.idm.uishell.war
file, which you are going to extract in Step 7 of this procedure.
4. Copy the oracle.idm.uishell.war file, which resides in the
D:\app\oracle\product\middleware\iam_home\modules\
oracle.idm.uishell_11.1.1 directory.
5. Paste this file into the backups folder.
6. Open a DOS window and navigate to the
D:\app\oracle\product\middleware\iam_home\modules\
oracle.idm.uishell_11.1.1\backups directory.
7. At the prompt, enter:
jar xf oracle.idm.uishell.war

Important: If you cannot extract the jar file, make sure you set the PATH environment
variable to point to the folder where the Java JDK resides. For example, if the Java JDK
is located in the D:\Program Files\Java\jdk1.6.0_18\bin directory, enter the
following at the prompt:
set PATH=%PATH%;D:\Program Files\Java\jdk1.6.0_18\bin
8. Navigate to the backups\WEB-INF\lib directory.
Note: The WEB-INF\lib directory appears after you extract the contents of the
oracle.idm.uishell.war file.
9. Create a folder titled backups2 in this directory.
Note: The backups2 folder contains a copy of all files you are to modify for this
subpractice.
10. Copy the oracle-idm-uishell.jar file, which resides in the backups\WEB-INF\lib
directory.

11. Paste this file into the backups2 folder.


12. Navigate to the backups2 folder. At the prompt, enter
jar xf oracle-idm-uishell.jar
13. Navigate to the backups2\templates directory.
Note: This directory appears after you extract the contents of the
oracle-idm-uishell.jar file.
14. Using a text editor or JDeveloper, open the IdmShell.jspx file, found in the
backups2\templates directory.
15. Locate the following line of code:
af:spacer shortDesc="Oracle"

16. Replace the Oracle mouseover text with mouseover text for your company (ACME
INC).
Your file should resemble the following screenshot:

17. Save your changes to the IdmShell.jspx file. Close the file.
18. Using a text editor or JDeveloper, open the IdmSignIn.jspx file, found in the
backups2\templates directory.
19. Locate the following line of code:
af:spacer id="logo" shortDesc="Oracle"
20. Replace the Oracle mouseover text with mouseover text for your company (ACME
INC).
Your file should resemble the following screenshot:

21. Save your changes to the IdmSignIn.jspx file. Close the file.

22. In the DOS Window, navigate to the backups2 directory. At the prompt, enter:
jar cf oracle-idm-uishell.jar *
Important: After creating the oracle-idm-uishell.jar file, make sure that only two
files appear in the templates folder: IdmShell.jspx and IdmSignIn.jspx. If other
files appear in the folder (for example, IdmShell.jspx~ and IdmSignIn.jspx~),
delete these files.
23. Navigate to the backups\WEB-INF\lib directory. Replace the unedited
oracle-idm-uishell.jar file with the modified file.
24. Delete the backups2 directory.
25. Navigate to the backups directory. At the prompt, enter:
jar cmf META-INF\MANIFEST.MF oracle.idm.uishell.war *
Note: The MANIFEST.MF file is created whenever a war file is created. This file contains
information about the war file, such as the file's build number and version number.
By entering m as an argument, you are forcing Java to keep the details that exist in the
original MANIFEST.MF file (that is, you are not overwriting the file). Oracle Identity
Manager requires this information to use the contents in the
oracle.idm.uishell.war file.

26. Navigate to the D:\app\oracle\product\middleware\iam_home\modules\
oracle.idm.uishell_11.1.1 directory. Replace the unedited
oracle.idm.uishell.war file with the modified file.
27. Delete the backups directory.
28. Restart Oracle Identity Manager Server and access the Oracle Identity Administration
Console. The Home page of this console appears. The mouseover text of Oracle, which
is associated with the logo, is now replaced with the mouseover text you specified in
Step 16 and Step 20 of this procedure (ACME INC).
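The repackaging steps in these practices (jar cf IdentityTaskFlow.jar *, jar cf oracle-idm-uishell.jar *, and the jar cmf rebuild of oracle.idm.uishell.war) replace a deployed archive with one built by hand. As an added example that is not part of the Oracle course material, the following Python script compares the backed-up archive with the rebuilt one and reports every entry that differs beyond the files you meant to edit, including editor leftovers such as IdmShell.jspx~ and a MANIFEST.MF that was not preserved. The function names, the suffix list and the sample archive contents are constructed for illustration.

```python
"""Compare a backed-up JAR/WAR with its rebuilt copy before redeploying it."""
import hashlib
import io
import zipfile

# Editor leftovers such as IdmShell.jspx~ (this suffix list is an assumption).
STRAY_SUFFIXES = ("~", ".bak", ".swp")


def entry_digests(archive_bytes):
    """Return {entry name: SHA-256 hex digest} for every file in a ZIP-format archive."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def review_repack(original_bytes, rebuilt_bytes, expected_changes):
    """Report how the rebuilt archive differs from the backup.

    expected_changes lists the entries that were edited on purpose. Any other
    added, removed or changed entry is reported as unexpected.
    """
    before = entry_digests(original_bytes)
    after = entry_digests(rebuilt_bytes)
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    changed = sorted(n for n in before.keys() & after.keys() if before[n] != after[n])
    expected = set(expected_changes)
    unexpected = sorted(n for n in added + removed + changed if n not in expected)
    stray = sorted(n for n in after if n.endswith(STRAY_SUFFIXES))
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "unexpected": unexpected,
        "stray": stray,
        "ok": not unexpected and not stray,
    }


def review_repack_files(original_path, rebuilt_path, expected_changes):
    """Same check for two archives on disk (backup copy and rebuilt copy)."""
    with open(original_path, "rb") as a, open(rebuilt_path, "rb") as b:
        return review_repack(a.read(), b.read(), expected_changes)


def build_archive(entries):
    """Build an in-memory archive from {name: text}; used only for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample contents, not the real contents of oracle-idm-uishell.jar.
ORIGINAL = {
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: SAMPLE\n",
    "templates/IdmShell.jspx": '<af:spacer shortDesc="Oracle"/>\n',
    "templates/IdmSignIn.jspx": '<af:spacer id="logo" shortDesc="Oracle"/>\n',
}
EDITED = {
    "templates/IdmShell.jspx": '<af:spacer shortDesc="ACME INC"/>\n',
    "templates/IdmSignIn.jspx": '<af:spacer id="logo" shortDesc="ACME INC"/>\n',
}
EXPECTED = sorted(EDITED)


def demo_clean():
    """Rebuild that changes only the two templates edited in Steps 16 and 20."""
    rebuilt = {**ORIGINAL, **EDITED}
    return review_repack(build_archive(ORIGINAL), build_archive(rebuilt), EXPECTED)


def demo_flawed():
    """Rebuild that also picked up an editor backup file and lost manifest details."""
    rebuilt = {**ORIGINAL, **EDITED}
    rebuilt["templates/IdmShell.jspx~"] = ORIGINAL["templates/IdmShell.jspx"]
    rebuilt["META-INF/MANIFEST.MF"] = "Manifest-Version: 1.0\n"
    return review_repack(build_archive(ORIGINAL), build_archive(rebuilt), EXPECTED)


if __name__ == "__main__":
    for name, report in (("clean", demo_clean()), ("flawed", demo_flawed())):
        print(name, report)
```

For real archives, call review_repack_files with the copy kept in the backups folder and the rebuilt file, and replace the original only when the report's ok field is true.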

Important: If the mouseover text for the logo on the Home page of the Identity Administration
Console does not change (that is, it still appears as Oracle), complete the following steps:
1. On the Oracle WebLogic Server Home page, click the Deployments link.
2. On the Summary of Deployments page, locate the enterprise application titled
oim (11.1.1.3.0).
3. Stop this application. By doing so, the status of this application changes from Active to
Prepared.
4. Shut down the Oracle Identity Manager Server and the Identity Administration Console.
5. Open a DOS window.
6. Navigate to the D:\app\oracle\product directory.
7. Create a folder titled IDMShell in this directory.
8. Copy the oracle.idm.uishell.war file, which resides in the
D:\app\oracle\product\middleware\iam_home\modules\
oracle.idm.uishell_11.1.1 directory.

9. Paste this file into the IDMShell folder.


10. On the Summary of Deployments page of Oracle WebLogic Server, locate the library
titled oracle.idm.uishell(11.1.1,11.1.1).
11. Delete this library.
12. From the DOS window, navigate to the D:\app\oracle\product\middleware\
user_projects\domains\IDMDomain\servers\oim_server1\tmp\_WL_user
directory.
13. Delete the oracle.idm.uishell folder that resides in this directory.
14. On the Summary of Deployments page of Oracle WebLogic Server, reinstall the
oracle.idm.uishell(11.1.1,11.1.1) library. To do so:
a. Click Install.
b. Verify that D:\app\oracle\product\IDMShell\oracle.idm.uishell.war
appears in the Path field. If it doesn't, select this path. Then, select the
oracle.idm.uishell.war option, and click Next.
c. Select the Install this deployment as a library option. Click Next.
d. Select the oim_server1 check box. Click Next.
e. Click Finish. Verify that the oracle.idm.uishell(11.1.1,11.1.1) library appears on the
Summary of Deployments page and that it has a status of New.
15. Restart the Oracle Identity Manager Server.
16. On the Summary of Deployments page of Oracle WebLogic Server, locate the enterprise
application titled oim (11.1.1.3.0).
17. Start this application. By doing so, the status of this application changes from Prepared
to Active. In addition, the Health column displays a status of OK and contains a green
check mark.
18. Launch the Identity Administration Console. The Home page of this console appears.
The mouseover text of Oracle is replaced with the mouseover text of ACME INC.

Practice F-2: Branding the Authenticated Self Service Console


Overview

In this practice, you brand the Authenticated Self Service Console. This includes:

Modifying the text that appears in the header banner of the console (the branding text).
Specifically, you change the branding text of this console from Identity Manager Self
Service to Identity Provisioning System Self Service.

Adding a logo to the console. For this practice, replace the Oracle Corporation logo with
the logo for ACME Capital (or ACME INC.). ACME INC. is the company for which you
are an administrator. This logo is represented by the acme_capital2.png file.

Changing the mouseover text associated with the logo. Specifically, replace the Oracle
mouseover text with text for your company (ACME INC.).

Assumptions
You completed the practice titled Branding the Identity Administration Console.

Tasks: Modifying Branding Text

1. Shut down the Oracle Identity Manager Server and the Identity Administration Console.
2. Open a DOS window.
3. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\iam-consoles-faces.war\WEB-INF\lib directory.
4. Create a folder titled backups in this directory. This folder contains a copy of all files
you are to modify for this subpractice.
5. Copy the iam-consoles-faces.jar file, which resides in the
D:\app\oracle\product\middleware\iam_home\server\apps\oim.ear\
iam-consoles-faces.war\WEB-INF\lib directory.
6. Paste this file into the backups folder.
7. Navigate to the backups folder. At the prompt, enter
jar -xf iam-consoles-faces.jar
8. Using a text editor, open the Self_en.properties file, found in the
backups\oracle\iam\consoles\faces\resources directory.
9. Locate the following string of text:
header_branding=Identity Manager Self Service
10. Change the value of the header_branding parameter to Identity Provisioning
System Self Service.

Your file should resemble the following screenshot:

11. Save your changes to the Self_en.properties file. Close the file.
12. Navigate to the backups directory. At the prompt, enter:
jar cf iam-consoles-faces.jar *
13. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\iam-consoles-faces.war\WEB-INF\lib directory. Replace the
unedited iam-consoles-faces.jar file with the modified file.
14. Restart Oracle Identity Manager Server and the Authenticated Self Service Console. The
Home page of this console appears. The header banner of this console is changed from
Identity Manager Self Service to Identity Provisioning System Self Service.

Tasks: Adding a Logo


1. Shut down the Oracle Identity Manager Server and the Authenticated Self Service
Console.
2. Using a text editor, open the Self.jspx file, located in the
D:\app\oracle\product\middleware\iam_home\server\apps\oim.ear\
iam-consoles-faces.war\pages directory.
3. Locate the following line of code:
<f:facet name="metaContainer">
4. Below this line of code, add the following lines of code:
<af:resource type="css">
.MyCustomBrandingLogo {
  background-image:url('/oim/images/acme_captial2.png');
  background-position:center;
  background-repeat:no-repeat; display:block;
  height:3.5em; width:119px;
}
</af:resource>
Your file should resemble the following screenshot:


5. Locate the following line of code:


<af:outputText id="brandingTitle"
value="#{self.model.resources.self.header_branding}"/>
6. Below this line of code, add the following line of code:
<f:attribute name="brandingLogoCls"
value="MyCustomBrandingLogo"/>
Your file should resemble the following screenshot:

7. Save your changes to the Self.jspx file. Close the file.
8. Restart Oracle Identity Manager Server and the Authenticated Self Service Console. The
logo, represented by the acme_capital2.png file, appears in the Home page of this
console.


Tasks: Changing the Logo Mouseover Text


1. Shut down the Oracle Identity Manager Server and the Authenticated Self Service
Console.
2. Open a DOS window.
3. Using a text editor, open the Self.jspx file, located in the
D:\app\oracle\product\middleware\iam_home\server\apps\oim.ear\
iam-consoles-faces.war\pages directory.
4. Locate the following line of code:
<f:attribute name="brandingLogoCls"
value="MyCustomBrandingLogo"/>
5. Below this line of code, add the following line of code:
<f:attribute name="brandingLogoText" value="ACME INC"/>
Your file should resemble the following screenshot:

6. Save your changes to the Self.jspx file. Close the file.
7. Restart Oracle Identity Manager Server and the Authenticated Self Service Console. The
mouseover text of Oracle, which is associated with the logo, is now replaced with the
mouseover text you specified in Step 5 of this procedure (ACME INC).


Practice F-3: Renaming Button Labels


Overview
In this practice, you rename button text (or labels) in two consoles: the Identity Administration
Console and the Authenticated Self Service Console.
Specifically, you learn how to change button labels in the following consoles:

For the Identity Administration console, you change the text in the Save and Cancel
buttons to Submit and Clear. These buttons are located on the Create User page of the
console.

For the Authenticated Self Service Console, you change the text in the Apply and
Revert buttons to Submit and Cancel. These buttons are located on the Challenge
Questions page of the console.

Assumptions
You completed the practices titled Branding the Identity Administration Console and Branding
the Authenticated Self Service Console.

Tasks: Identity Administration Console

1. Shut down the Oracle Identity Manager Server and the Authenticated Self Service
Console.
2. Open a DOS window.
3. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\admin.war\WEB-INF\lib\ directory.
4. Create a folder titled backups in this directory. This folder contains a copy of all files
you are to modify for this subpractice.
Important: If the backups folder already exists, remove all files and directories within
the folder.
5. Copy the IdentityTaskFlow.jar file, which resides in the
D:\app\oracle\product\middleware\iam_home\
server\apps\oim.ear\admin.war\WEB-INF\lib directory.
6. Paste this file into the backups folder.
7. Navigate to the backups folder. At the prompt, enter:
jar xf IdentityTaskFlow.jar

Important: If you cannot extract the jar file, make sure you set the PATH environment
variable to point to the folder where the Java JDK resides. For example, if the Java JDK
is located in the D:\Program Files\Java\jdk1.6.0_18\bin directory, enter the
following at the prompt:
set PATH=%PATH%;D:\Program Files\Java\jdk1.6.0_18\bin
8. Using a text editor, open the IdentityUIBundle_en.properties file, found in the
backups\oracle\iam\identitytaskflow\resources directory.
Note: This directory appears after you extract the contents of the
IdentityTaskFlow.jar file.


9. Locate the following lines of code:


## Create User Taskflow properties
save_action=Save
cancel_action=Cancel
Note: You search for these lines of code because you are going to rename button labels
on the Create User page of the Identity Administration console.
10. Modify the values for the save_action and cancel_action parameters, as follows:
Parameter        Old Value    New Value
save_action      Save         Submit
cancel_action    Cancel       Clear

Note: By modifying the values for the save_action and cancel_action parameters,
you are renaming the Save and Cancel buttons (to Submit and Clear). These buttons
are located on the Create User page of the Identity Administration Console.
Your file should resemble the following screenshot:


11. Save your changes to the IdentityUIBundle_en.properties file. Close the file.
12. Navigate to the backups directory. At the prompt, enter:
jar cf IdentityTaskFlow.jar *
13. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\admin.war\WEB-INF\lib directory. Replace the unedited
IdentityTaskFlow.jar file with the modified file.
14. Restart Oracle Identity Manager Server and the Identity Administration Console. The
Home page of this console appears.


15. Click the Create User link on the Identity Administration Console Home page. Your
modifications to the IdentityUIBundle_en.properties file are reflected in this
form. Specifically, you changed the text in the Save and Cancel buttons (to Submit and
Clear).
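
The extract, edit, repackage and replace cycle used in these tasks, as an added Python example that is not part of the Oracle guide: it rewrites only the named keys of one properties bundle inside a copy of the jar, then reports SHA-256 digests and the archive entries that differ, so the library placed in WEB-INF\lib can be checked before the server is restarted. The function names are hypothetical and the jar built in demo() is a constructed stand-in for IdentityTaskFlow.jar.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Entry path taken from step 8 of this procedure.
ENTRY = "oracle/iam/identitytaskflow/resources/IdentityUIBundle_en.properties"


def sha256_file(path):
    """Hex SHA-256 of a whole file, for the change record."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def rewrite_properties(text, changes):
    """Replace the values of existing keys only; refuse to add new keys."""
    out, seen = [], set()
    for line in text.splitlines(keepends=True):
        key, sep, value = line.partition("=")
        name = key.strip()
        if sep and name in changes:
            eol = line[len(line.rstrip("\r\n")):]      # keep LF or CRLF
            pad = " " if value.startswith(" ") else ""  # keep "key = value" style
            line = f"{key}={pad}{changes[name]}{eol}"
            seen.add(name)
        out.append(line)
    missing = set(changes) - seen
    if missing:
        raise KeyError(f"keys not found in bundle: {sorted(missing)}")
    return "".join(out)


def entry_digests(jar):
    """Map every archive entry name to the SHA-256 of its content."""
    with zipfile.ZipFile(jar) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}


def changed_entries(old, new):
    """Entries added, removed or altered between two jars."""
    a, b = entry_digests(old), entry_digests(new)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def patch_jar(src, dst, entry, changes):
    """Copy src to dst entry by entry, rewriting only `entry`."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        if entry not in zin.namelist():
            raise KeyError(f"{entry} is not in {src}")
        for info in zin.infolist():
            data = zin.read(info)
            if info.filename == entry:
                # Java .properties bundles are read as ISO-8859-1.
                text = rewrite_properties(data.decode("latin-1"), changes)
                data = text.encode("latin-1")
            zout.writestr(info, data)  # keeps name, timestamp, compression
    return {"before": sha256_file(src), "after": sha256_file(dst)}


def demo():
    """Build a constructed stand-in jar, patch it, report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "orig.jar"), Path(tmp, "patched.jar")
        with zipfile.ZipFile(src, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
            z.writestr("oracle/iam/Dummy.class", b"\xca\xfe\xba\xbe constructed")
            z.writestr(ENTRY, "## Create User Taskflow properties\n"
                              "save_action=Save\ncancel_action=Cancel\n")
        record = patch_jar(src, dst, ENTRY,
                           {"save_action": "Submit", "cancel_action": "Clear"})
        record["changed"] = changed_entries(src, dst)
        with zipfile.ZipFile(dst) as z:
            record["bundle"] = z.read(ENTRY).decode("latin-1")
        return record


if __name__ == "__main__":
    print(demo())
```

If changed_entries() lists anything other than the one bundle, the rebuilt jar differs from the original in ways the procedure did not intend and should not be deployed.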


Tasks: Authenticated Self Service Console


1. Shut down the Oracle Identity Manager Server and the Identity Administration Console.
2. Open a DOS window.
3. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\iam-consoles-faces.war\WEB-INF\lib directory.
4. Create a folder titled backups in this directory. This folder contains a copy of all files
you are to modify for this subpractice.
Important: If the backups folder already exists, remove all files and directories within
the folder.
5. Copy the OIMUI.jar file, which resides in the D:\app\oracle\product\
middleware\iam_home\server\apps\oim.ear\iam-consoles-faces.war\WEB-INF\lib directory.
6. Paste this file into the backups folder.
7. Navigate to the backups folder. At the prompt, enter the command:
jar xf OIMUI.jar

8. Using a text editor, open the Agent_en.properties file, found in the
backups\oracle\iam\selfservice\self\agentry\resources directory.
Note: This directory appears after you extract the contents of the OIMUI.jar file.
9. Locate the following lines of code:
Intent[SECURITY_SAVE].name = Apply
Intent[SECURITY_SAVE].description = Save challenge questions
Intent[SECURITY_REVERT].name = Revert
Intent[SECURITY_REVERT].description = Revert changes made for setting challenge questions
Note: You search for these lines of code because you are going to rename button labels
on the Challenge Questions page of the Authenticated Self Service Console.
10. Modify the values for the Intent[SECURITY_SAVE].name and
Intent[SECURITY_REVERT].name parameters, as follows:
Parameter                       Old Value    New Value
Intent[SECURITY_SAVE].name      Apply        Submit
Intent[SECURITY_REVERT].name    Revert       Cancel

Note: By modifying the values for the Intent[SECURITY_SAVE].name and
Intent[SECURITY_REVERT].name parameters, you are renaming the Apply and
Revert buttons (to Submit and Cancel). These buttons are located on the Challenge
Questions page of the Authenticated Self Service Console.


Your file should resemble the following screenshot:

11. Save your changes to the Agent_en.properties file. Close the file.
12. Navigate to the backups directory. At the prompt, enter the command:
jar cf OIMUI.jar *

13. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\iam-consoles-faces.war\WEB-INF\lib directory. Replace the
unedited OIMUI.jar file with the modified file.
14. Restart Oracle Identity Manager Server and the Authenticated Self Service Console. The
Home page of this console appears.
15. Click the Profile tab on the Authenticated Self Service Console Home page. The My
Profile tab appears.
16. Click the Security tab. Your modifications to the Agent_en.properties file are
reflected in this form. Specifically, you changed the text in the Apply and Revert buttons
to Submit and Cancel respectively.


Practice F-4: Creating Custom Skins and Style Sheets


Overview
In this practice, you create custom skins and style sheets for two Oracle Identity Manager
consoles: the Identity Administration Console and the Authenticated Self Service Console.
Oracle Identity Manager uses two techniques to customize the appearance of its Web-based
consoles: style sheets and skins.

Style sheets separate the presentation and content for a Web page. The code for the
Web page contains the page's semantic content and structure, but does not define its
visual layout (style). Instead, the style is defined in an external style sheet file using a
style sheet language such as CSS. This design approach is identified as a "separation"
because it overrides the antecedent methodology in which a page's code defined both
style and structure.
Style sheets for the Authenticated Self Service Console are placed into the
D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\iam-consoles-faces.war\skins\myskin directory.

Note: The myskin folder does not exist. Therefore, you must create it and it must be a
subdirectory of the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\iam-consoles-faces.war\skins directory.
Style sheets for the Identity Administration Console are placed into the
D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\admin.war\skins\myskin directory.
Note: The skins\myskin folder does not exist. Therefore, you must create it and
nest it within the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\admin.war directory.

A skin refers to the appearance of an Oracle Identity Manager Web-based console; it
gives the console a different look and feel. A skin changes the way the console
appears when a user clicks a button, but does not change the behavior of the user
interface. A change in the skin results in a change to the console's appearance only; it
does not impact the console's functionality.
New skins for the Authenticated Self Service Console and the Identity Administration
Console are created in the trinidad-skins.xml file and registered in the
trinidad-config.xml file.
For the Authenticated Self Service Console, these files are located in the
D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\iam-consoles-faces.war\WEB-INF directory.
For the Identity Administration Console, these files are located in the
D:\app\oracle\product\middleware\iam_home\server\apps\oim.ear\
admin.war\WEB-INF directory.

Assumptions
You completed all practices for this appendix (that is, practices F-1 through F-3).


Tasks: Authenticated Self Service Console


1. Shut down the Oracle Identity Manager Server and the Authenticated Self Service
Console.
2. Open a DOS window.
3. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\iam-consoles-faces.war\WEB-INF directory.
4. Create a folder titled backups in this directory. This folder contains a copy of all files
you are to modify for this subpractice.
Important: If the backups folder already exists, remove all files and directories within
the folder.
5. Copy the trinidad-skins.xml and trinidad-config.xml files, which reside
in the D:\app\oracle\product\middleware\iam_home\server\apps\
oim.ear\iam-consoles-faces.war\WEB-INF directory.
6. Paste these files into the backups folder.

7. Using a text editor or JDeveloper, open the trinidad-skins.xml file, found in the
backups folder.
Note: For this subpractice, you are defining a new skin for the Authenticated Self
Service Console. New skins for this console are created in the trinidad-skins.xml
file.
8. Locate the following line of code:
<skins xmlns="http://myfaces.apache.org/trinidad/skin">
9. Below this line of code, add the following lines of code:
<skin>
  <id>myskin.desktop</id>
  <family>myskin</family>
  <extends>fusion.desktop</extends>
  <render-kit-id>org.apache.myfaces.trinidad.desktop</render-kit-id>
  <style-sheet-name>skins/myskin/myskin.css</style-sheet-name>
  <bundle-name>oracle.iam.consoles.faces.resources.AdfComponentsMessageBundle</bundle-name>
</skin>


Your file should resemble the following screenshot:

Note: By adding these lines of code to the trinidad-skins.xml file, you are
defining a new skin (myskin) for the Authenticated Self Service Console. In addition,
you are setting this skin to be the default skin for the console.
10. Save your changes to the trinidad-skins.xml file. Close the file.
You created a new skin for the Authenticated Self Service Console. You are ready to
register the skin. New skins for the console are registered in the
trinidad-config.xml file.
11. Open the trinidad-config.xml file, found in the backups folder.
12. Locate the following line of code:
<skin-family>fusion</skin-family>
13. Modify the value for the <skin-family> parameter, as follows:
Parameter        Old Value    New Value
<skin-family>    fusion       myskin
Your file should resemble the following screenshot:

Note: By changing the value for the <skin-family> parameter (from fusion to
myskin), you are registering this skin. You defined this skin in the trinidad-skins.xml file.


14. Save your changes to the trinidad-config.xml file. Close the file.
15. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\iam-consoles-faces.war\WEB-INF directory. Replace the
unedited trinidad-skins.xml file and trinidad-config.xml file with the
modified files.
You created and registered myskin, a new skin for the Authenticated Self Service
Console. You are ready to create a style sheet for this console.
This style sheet (myskin.css) is used to override default elements for the
Authenticated Self Service Console, such as the console's background color, menu link
color, and activity icon (located in the upper-right-hand corner of the console).
16. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\iam-consoles-faces.war\skins directory.
17. Create a folder titled myskin in this directory.
Note: This folder is to contain myskin.css, the style sheet for the Authenticated Self
Service Console.
18. Copy the myskin.css file, which resides in the D:\stage\labs\Appendix_F\
original_files\F_4\Self_Service_Console directory.

19. Paste this file into the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\iam-consoles-faces.war\skins\myskin directory.
20. Restart Oracle Identity Manager Server and the Authenticated Self Service Console. The
appearance of this console is modified, and reflects the custom skin and style sheet you
created for the console. These changes include the console's background color, menu
link color, and activity icon (located in the upper-right-hand corner of the console).


Tasks: Identity Administration Console


1. Shut down the Oracle Identity Manager Server and the Authenticated Self Service
Console.
2. Open a DOS window.
3. Copy the trinidad-skins.xml file, which resides in the
D:\app\oracle\product\middleware\iam_home\server\apps\oim.ear\
iam-consoles-faces.war\WEB-INF directory.
4. Paste this file into the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\admin.war\WEB-INF directory.
Note: The trinidad-skins.xml file contains the modifications you made to the file
for the Authenticated Self Service Console. These changes are also applicable for the
Identity Administration Console.
By copying the trinidad-skins.xml file, you create a new skin for the Identity
Administration Console. You are ready to register the skin. New skins for this console
are registered in the trinidad-config.xml file.

5. Create a folder titled backups in the D:\app\oracle\product\middleware\
iam_home\server\apps\oim.ear\admin.war\WEB-INF directory. This folder
contains a copy of all files you are to modify for this subpractice.
6. Copy the trinidad-config.xml file, which resides in the
D:\app\oracle\product\middleware\iam_home\server\apps\oim.ear\
admin.war\WEB-INF directory.
7. Paste this file into the backups folder.
8. Open the trinidad-config.xml file, located in the backups folder.
9. Locate the following line of code:
<skin-family>fusion</skin-family>
10. Modify the value for the <skin-family> parameter, as follows:
Parameter        Old Value    New Value
<skin-family>    fusion       myskin
Your file should resemble the following screenshot:

Note: By changing the value for the <skin-family> parameter (from fusion to
myskin), you are registering this skin. You defined this skin in the trinidad-skins.xml file.

11. Save your changes to the trinidad-config.xml file. Close the file.


12. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\admin.war\WEB-INF directory. Replace the unedited
trinidad-config.xml file with the modified file.
You created and registered myskin, a new skin for the Identity Administration Console.
You are ready to use the myskin.css style sheet for this console. You created this
style sheet for the Authenticated Self Service Console.
The myskin.css style sheet is used to override default elements for the Identity
Administration Console, such as the console's background color, menu link color, and
activity icon (located in the upper-right-hand corner of the console).
13. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\admin.war directory.
14. Create a subfolder titled skins in this directory.
15. Navigate to the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\admin.war\skins directory.

16. Create a subfolder titled myskin in this directory.
Note: This folder is to contain myskin.css, the style sheet for the Identity
Administration Console.
17. Copy the myskin.css file, which resides in the D:\stage\labs\Appendix_F\
original_files\F_4\Self_Service_Console directory.
18. Paste this file into the D:\app\oracle\product\middleware\iam_home\server\
apps\oim.ear\admin.war\skins\myskin directory.
19. Restart Oracle Identity Manager Server and the Identity Administration Console. The
appearance of this console is modified, and reflects the custom skin and style sheet you
created for the console. These changes include the console's background color, menu
link color, and activity icon (located in the upper-right-hand corner of the console).
