
Oracle Fusion Middleware : Oracle Identity and Access Management Suite 10g/11gR1/11gR2PS1,PS2,PS3 : OIM | OAM,OAAM,OIF | OID, OVD, DIP | OUD/ ODSEE | Microsoft AD | OpenLDAP | ADF | EBS R12 | OECMCCR4 | Business Intelligence - BI Publisher | Banking | Demo Applications | Core Java | SQL | PLSQL | Web services | Weblogic | Tomcat | JBoss | OHS | WebGate | WebCenter | For any queries, please contact me : info@oratechsoft.com


Wednesday 13 January 2016

Oracle Identity & Access Management Terminology


    ORACLE IDENTITY & ACCESS MANAGEMENT
               
                1. Introduction of Product Overview
               
                2. Components of Oracle IAM
               
                3. Components of OIM
               
                4. History of OIM
               
                5. History of OAM
   
   
    Middleware components  Installation & Configuration :
   
                1. Oracle Identity Manager
               
                2. Oracle Access Manager

                3. Oracle Identity Federation
               
                4. Oracle Adaptive Access Manager
               
                5. Oracle Internet Directory
               
                6. Oracle Unified Directory
               
                7. Oracle Directory Server Enterprise Edition ( ODSEE )
               
                8. Oracle Entitlement Server
               
                9. Oracle E-Business Suite
               
                10. Oracle PeopleSoft

                11. JDeveloper
               
                12. Eclipse


                13. Tomcat server

                14. BI Publisher

                15. Oracle Privileged Account Manager

                 16. JES

                        
        - Automated Oracle Identity & Access Management Deployment
       
                1. Using LCM tool
               
               
    LDAPSync    :
   
                1. OIM sync with OID
               
                2. OIM sync with OUD
               
                3. OIM sync with MS AD
               
           
    PasswordSync  :
   
                1. MS AD Password Sync
               
           
               
    Integrations :
   
                1. OIM integration with MS AD - OOTB
               
                2. OIM integration with OID/OVD
               
                3. OIM integration with OUD/ODSEE
               
                4. OIM integration with Exchange
               
                5. OIM integration with E-Business Suite
               
                6. OIM integration with PeopleSoft
               
                7. OIM integration with OAM
               
                8. OID integration with MS AD
               
                9. OIM integration with 3rd Party Application ....
               
                   
    Provisioning :    
           
                1. Manual / Direct Provisioning
                   
                2. Automated Provisioning

                Eg: Provisioning User/Group/Org to MS AD
               
               
    Reconciliation :
       
                1. Trusted Reconciliation - Trusted Systems (e.g. Core HR, AD) - to create user accounts
               
                2. Target Reconciliation - User Profiles - processform
               
               
    Forms    :   
       
                1. UserObjectForm ( Resource Object )
               
                2. ProcessForm ( TargetProcessForm )
               
               
   
    Logs     :    How to check the logs for WebLogic/SOA/OIM and OAM servers on Linux
               
                Server Logs locations :
               
   
                    1. $DOMAIN_HOME/servers/Admin_server/logs
       
                    2. $DOMAIN_HOME/servers/oim_server1/logs
                   
                    3. $DOMAIN_HOME/servers/oam_server1/logs
                   
                    4. $DOMAIN_HOME/servers/soa_server1/logs
   
               
                Server diagnostic Logs locations :
               

                    1. Weblogic Server : $DOMAIN_HOME/servers/Admin_server and view admin_server_diagnostic.log

                    2. SOA Server : $DOMAIN_HOME/servers/soa_server1 and view soa_server1_diagnostic.log

                    3. OIM Server : $DOMAIN_HOME/servers/oim_server1 and view oim_server1_diagnostic.log

                    4. OAM Server : $DOMAIN_HOME/servers/oam_server1 and view oam_server1_diagnostic.log


               
    Adapters :   
   
                1. Entity Adapters ( pre insert, post insert, pre-update, post-update, pre-delete, post-delete  )
               
                2. Process Task Adapters
               
                3. Pre-populate Adapters
               
                4. Task Assignment Adapters
               
                5. RuleGenerator Adapters
               
               
   
    Event Handlers : (Pre-Insert, Pre-Update )
   
                1. Validation
                   
                   Ex:  TelephoneNumberValidation           
               
                2. Pre-process Event Handlers
                   
                    Ex: To Generate a "Userid", "Password", "CustomerId", etc...
               
                3. Post-Process Event Handlers
                   
                    Examples : I . Populate Organization Event Handler
                   
               
               
   
    Soa Composites :
       
                0. Default SOA Default Composite
   
                1. SelfRegistrationApprovalSoaComposite ( User, Role, Group )
       
                2. RoleApprovals
               
                3. Group Approvals
               
                4. Resource Approval
   
   
   
    WorkFlows     :
   
                1. Approval WorkFlows
       
                2. Provisioning WorkFlows
       
       
    UI Customizations : ( Branding )

                1. UDF / UI Entities
               
                2. Logo
               
                3. ADF Faces
               
               
               
    PlugIns   :
   
                1. UserIDGeneration
               
                2. DisableUserDate
               
                         
               
               
    Connectors :
   
                1. OOTB - Out Of Box Connectors (Pre-Defined Connectors) - Download from Oracle Support
               
                2. GTC Connectors - Generic Technology Connectors 
                   
                    a. Flatfile
                    b. Database
                    c. webservices
                   
                3. Custom Connectors
               
                    a. SMPL(webservices) & Database (JDBC)
                    b. ICF Connectors - 11g
                        Eg1 : FlatFile
                        Eg2 : Database

                   
   
    Schedulers  :
   
                1. Predefined Schedulers
               
                2. Custom Schedulers
                   
                    a. Recon_Job
                   
                                    
                   
   
    Bulk Operations :
   
                    1. BulkLoad Utility
                   
                    2. Bulk Password update for OID
                   
                    3. BulkChanges
                   
   
    Secure Sockets Layer ( SSL ) - Configuration
   
                1. Configure SSL for Design Console
               
                2. Configure SSL for Managed Servers
               
                        NO SSL : http://www.oratechsoft.com or http://localhost:14000/sysadmin

                        SSL    : https://www.google.com or https://localhost:14000/identity
                       
       
           
           
               
               
    Bypass the username & password prompt at server startup for the following ( boot.properties -->  vim "username = weblogic password=Lucky1234", one entry per line )
   
                1. At Production Mode - Weblogic ( Admin Server )
               
                2. At DEV , QA & Production - ManagedServer ( OIM, OAM, SOA, ...)
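
Added example (not from the original post): a shell audit of the boot.properties files described above, flagging values still stored as typed and files readable by group or others. It assumes the files sit at $DOMAIN_HOME/servers/<server>/security/boot.properties and that WebLogic has rewritten both values with an {AES}, {AES256} or {3DES} prefix after the first boot; the function names and the sample domain are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit WebLogic boot.properties files in a domain.
# Assumption: identity files live at servers/<name>/security/boot.properties
# and WebLogic rewrites both values with an {AES}/{AES256}/{3DES} prefix
# the first time the server boots with the file in place.

# Strip leading and trailing whitespace (including a CR) from $1.
trim() {
    t_s=$1
    t_s=${t_s#"${t_s%%[![:space:]]*}"}
    t_s=${t_s%"${t_s##*[![:space:]]}"}
    printf '%s' "$t_s"
}

# Print one finding per line for a single boot.properties file.
# Only the key name is reported, never the value.
check_boot_file() {
    c_file=$1
    while IFS= read -r c_line || [ -n "$c_line" ]; do
        c_line=$(trim "$c_line")
        case $c_line in
            '#'*|'!'*|'') continue ;;   # comment or blank line
            *=*) ;;
            *) continue ;;
        esac
        c_key=$(trim "${c_line%%=*}")
        c_val=$(trim "${c_line#*=}")
        case $c_key in
            username|password)
                case $c_val in
                    '{AES}'*|'{AES256}'*|'{3DES}'*) ;;
                    *) printf 'CLEARTEXT %s %s\n' "$c_key" "$c_file" ;;
                esac ;;
        esac
    done < "$c_file"
    # Characters 5-10 of the ls mode string are the group/other bits.
    c_mode=$(ls -ld "$c_file" | cut -c5-10)
    [ "$c_mode" = "------" ] || printf 'PERMS %s %s\n' "$c_mode" "$c_file"
}

# Audit every server under DOMAIN_HOME ($1); returns 1 if anything is flagged.
audit_domain() {
    a_found=0
    for a_file in "$1"/servers/*/security/boot.properties; do
        [ -f "$a_file" ] || continue
        a_out=$(check_boot_file "$a_file")
        if [ -n "$a_out" ]; then
            printf '%s\n' "$a_out"
            a_found=1
        fi
    done
    return "$a_found"
}

# Constructed sample domain: Admin_server still holds the values as typed
# and is world-readable; oim_server1 holds placeholder ciphertext, mode 600.
make_sample_domain() {
    mkdir -p "$1/servers/Admin_server/security" "$1/servers/oim_server1/security"
    printf 'username = weblogic\npassword=EXAMPLE-ONLY\n' \
        > "$1/servers/Admin_server/security/boot.properties"
    chmod 644 "$1/servers/Admin_server/security/boot.properties"
    printf 'username={AES}Q09OU1RSVUNURUQ\npassword={AES}U0FNUExF\n' \
        > "$1/servers/oim_server1/security/boot.properties"
    chmod 600 "$1/servers/oim_server1/security/boot.properties"
}

# With a domain path as $1, audit it; otherwise audit the constructed sample.
if [ -n "${1:-}" ]; then
    audit_domain "$1"
else
    demo_dir=$(mktemp -d)
    make_sample_domain "$demo_dir"
    audit_domain "$demo_dir" || echo "boot.properties findings listed above"
    rm -rf "$demo_dir"
fi
```
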
           
   
   
   
   
    Notifications ::

                1. Configuring UMS Email Notification
               
                2. Configuring SOA Email Notification
               
               
    SOD         ::
   
   
   
   
   
    ENTILEMENTS ::
   
   
   
   
   
   
    UpGrade : OIM11gR1 to 11gR2 PS3
   
   
   
    Migration :
       
            1. SIM to OIM
               
               
    
   
   
   
    BI Publisher :
   
        1. Reports
       
       
       
    Monitoring
   
        1. EMCC Monitoring
   
   
   
 
   
    Windows Server ::
    ------------------------------------------------------------------------
   
   
    1. Install & Config MS AD  ( DCPROMO )
   
    2. Install Connector Server
   
    3. User/Group/Org Management
   
    4. To change the time zone ( tzutil /g - current zone, tzutil /l - list of time zones, tzutil /s "India Standard Time" )
   
   
   
   
   
       
        ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   
                            Oracle Access Manager
                           
        ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   
    1. Webtier & WebGate Installation, Configuration and Registration
   
        a. OHS WebGate
       
        b. IIS WebGate
       
        c. Apache WebGate
       
   
    2. AccessGate
   
    3. URL Protection - OAM Server - htdocs ( file.html )
   
    4. Datastorages
   
    5. Single Sign On
   
    6. Reverse Proxy
   
    7. SessionManagement
   
    8. OAM Plugins
   
    9. SSL Certifications
   
        A. OPEN
        B. Cert
        C. SIMPLE

    10. Windows Native Authentication
   
   
   
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   
                                    Certifications ::
                                   
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++                               
   
   
        1. Oracle Identity Governance 1z0-549
       
       
       
       
       
       
       
       

        ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
       
                            Questions & Answers
       
        ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
       
       
       
    OIM Interview Questions

                1.    What are the new features in PS3?
                2.    What are the differences between PS2 and PS3?
                3.    How do you identify rogue account creation in target system?
                4.    What is the high level architecture of OIM 11g R2?
                5.    List the differences between OIM 9.1 and 11g, and possibly 11gR2.
                6.    What are the new features in 11gR2 PS2, PS3?
                a.    How do you save a multi-valued attribute in the process form, and how does the linking happen between the process form and the child form (1 child form per multi-valued attribute)?
                7.    Can we still use entity adapters in OIM 11g?
                8.    What is the plugin service in OIM 11g? What is the orchestration service in OIM 11g?
                9.    What is the difference between entity match found and process match found?
                10.    What are service accounts in OIM?
                11.    Why is the remote manager used?
                12.    What is a connector server and what types of connector server are available?
                13.    What is ICF, ICF architecture?
                14.    Why is the connector server (ICF) used? Can the connector server replace the remote manager? Types of connector server. Which OOTB connectors are ICF based now - 11g?
                15.    What is Lookup.USR_PROCESS_TRIGGERS, and how does data flow happen during provisioning?
                16.    How will you develop a custom connector from scratch? List all the components involved.
                17.    What are the different types of adapters and under which circumstances are they used?
                18.    List some OIM API Java classes. How do we initialize the API before we can use it (example: tcUserOperationsIntf)?
                19.    List some differences in API classes / new classes from the 11g point of view.
                20.    How do you create a plugin in OIM 11g (packaging, registration, MDS seeding etc.)?
                21.    What is the difference between execute and bulk Execute in a post-process handler, and under which scenarios are they used?
                22.    Can a pre-process event handler be used during trusted user recon?
                23.    Email templates are now removed in OIM 11g; how do we send emails in OIM 11g?
                24.    What are notification templates, notification resolvers, notification event xml file registration?
                25.    OIM 9.1 - formmetadata.xml - why do we use it and what is possible by changing/configuring it?
                26.    How do you modify self-registration page in 11g?
                27.    A lot of questions on MDS: how we use it, which configuration objects are stored, the structure of configuration objects, oim-config.xml, list some very common file names.
                28.    What is the difference between object form and process form (9.1)?
                29.    What has replaced object form in 11g?
                30.    What is the difference between approval policy, authorization policy and access policy?
                31.    How do we deploy the SOA workflows in 11g?
                32.    What is basic Request Templates model, how are they extended to create custom ones, how authorization is enforced while defining new one,  Is it possible that certain set of users can only see the certain request templates (yes).
                33.    How do you create a custom scheduled task in OIM 11g?
                34.    How do you create a custom plugin in OIM 11g?
                35.    What performance improvement measures have been implemented in OIM 11g in terms of reconciliation?
                36.    How do you use task assignment adapter in OIM?
                37.    Under what circumstances is SPML used?
                38.    Attestation - Why / what / when / how?
                39.    Certification - Why / what / when / how?
                40.    List the differences between LDAP sync and the OID Connector, when both can essentially sync the user info between OIM and OID (11g).
                41.    How can you disable certain menu item on OIM 11g R2 PS2 based on the user's role?
                42.    What is request dataset status change plugin and how do you use it?
                43.    What is request dataset validator plugin and how do you use it?
                44.    What are application instances, disconnected applications?
                45.    What is a sandbox and how will you go about doing sandbox management, its issues and limitations?
                46.    What is a dynamic organization and how do we use it ?
                47.    Pre Process Event Handlers are applicable on what all entities and event types?
                48.    What is a catalog, what all it contains, how do you publish item to a catalog, how will you do catalog management?
                49.    What is a public task flow and how do you develop and use it in OIM?
                50.    What is Access Policy Harvesting and how will you set it up?
                51.    Difference between OIM 11g R1 and OIM 11g R2?
                52.    Difference between OIM 10g and OIM 11g R2?
                53.    What is Request Catalog?
                54.    What is Request Profile?
                55.    Difference between Application Instance and Resource Object?
                56.    What are Admin Roles?
                57.    Experience with UI Customization in OIM 11g R2?
                58.    Experience with ICF Connector?
                59.    Experience in upgrading existing OIM implementation to OIM 11g R2?
                60.    List of connectors which you have worked on?
                61.    High level steps for Custom Connector?
                62.    What are Archival Utilities?
                63.    How do you hide Admin Links for End Users from Identity Console?
                64.    What are factors which one should keep in mind for upgrade project?
                65.    How will you plan an upgrade project?
                66.    What are the new features in PS3?
                67.    What are the differences between PS2 and PS3?
                68.    How do you identify rogue account creation in target system?
                69.    What is the high level architecture of OIM 11g R2?
                70.    What are the new features in 11gR2 PS2 , PS3
                71.    What are Archival Utilities?
                72.    What are factors which one should keep in mind for upgrade project?
                73.    How will you plan an upgrade project?
                74.    What are the high level steps to install OIM 11g R2 PS2 on High Availability Mode?
                75.    What is the use of Node Manager?
                76.    In how many ways can we start or stop all the managed servers in OIM?
                77.    How to verify the logs in OIM?
                78.    How to troubleshoot the provisioning issues in OIM 11g R2 PS2?
                79.    What are the high-level steps to perform performance tuning in OIM 11g R2 PS2?
                80.    How to assign/remove admin privileges to a user in OIM 11g R2 PS2?
                81.    How to troubleshoot Reconciliation issues in OIM 11g R2 PS2?
                82.    How many schemas will be created while installing RCU for OIM?
                83.    What is the use of Load Balancer and Clustering?
                84.    List the table names you know in OIM 11g R2 PS2.
                85.    In how many ways can we upload/register .jar files in OIM 11g R2 PS2?
                86.    How to change the log levels in OIM 11g R2 PS2?
                87.    How to resolve password issues in OIM 11g R2 PS2?
                88.    How to assign/revoke specific group access to a user in OIM 11g R2 PS2?
                89.    What is catalog and usage?
                90.    What is Sandbox and usage?
                91.    How do we get reports in OIM 11g R2 PS2?
               
               
                92. What are the differences between LDAP and Active Directory?
               
                ANS :

                        Active Directory is a database-based system that provides authentication, directory, policy, and other services in a Windows environment.

                        LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP.

                        Short answer: AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.



                        Active Directory is a directory service provider, where you can add new users to a directory, remove or modify them, specify privileges, assign policies, etc. It is just like a phone directory where every person has a unique contact number. Everything in AD (Active Directory) is considered an object, and every object is given a unique ID (similar to a unique contact number in a phone directory).

                        LDAP is a protocol specially designed for directory service providers. Windows Server uses AD as a directory server; AIX, which is a UNIX version by IBM, uses Tivoli Directory Server. Both of them use the LDAP protocol for interacting with the directory.

                        Apart from the protocol, there are LDAP servers and LDAP browsers too.

                        Active Directory is the directory service database that stores organizational data, policy, authentication, etc., whereas LDAP is the protocol used to talk to the directory service database, that is, AD or ADAM.
                                       
               
    References :
   
    1. docs.oracle.com/cd/E11223_01/doc.910/e11217/cnnctrcmpnts.htm#CEGIBDFG
   
    2. ThorAPI's         : http://otndnld.oracle.co.jp/document/products/id_mgmt/idm_903/doc_cd/javadocs/operations/Thor/API/Operations/package-summary.html

   
   
   

    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   
                                Oracle Identity Manager Connector Component Concepts
   
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   
   
    1. Introduction to OIM Connectors
   
            * Target account management
                - Target Resource Reconciliation
                - Provisioning
               
            * Trusted Source Reconciliation
           
        Connectors Types
       
            1. PreDefined Connectors
            2. GTC Connectors
            3. Custom Connectors
           
       
        Reconciliation
       
            Reconciliation Configuration Options
       
                # Reconciliation Type : Target Resource or Trusted Source
                # Reconciliation Mode : Full or Incremental
                # Batched Reconciliation
                # Limited Reconciliation
                # Periodic, On-Demand, or Real-Time Reconciliation
       
            Regular Reconciliation Events vs Delete Reconciliation Events
           
                1. The data for deleting an account is provided and the Oracle Identity Manager locates the matching account based on existing rules.
               
                2. The matching account record in Oracle Identity Manager is provided as the data for deleting an account.
           
       
        Provisioning
       
            * Request-based provisioning
           
            * Policy-based provisioning
           
            * Direct provisioning
           
   
        Target System Configuration Enabled by a Connector
       
            * Target System Configured As a Target Resource
           
                During target resource reconciliation:

                     # For a newly created target system identity that is fetched from the target system, a target resource account (resource object) is granted (provisioned) to the corresponding OIM User. This takes place only if an OIM User already exists for the target system identity.

                    # For a modified target system identity that is fetched from the target system, the same modifications are made to its corresponding resource object provisioned to an entity in Oracle Identity Manager.

           
            * Target System Configured As a Trusted Source
           
                During trusted source reconciliation:

                    # For a newly created target system identity that is fetched from the target system, a corresponding OIM User is created in Oracle Identity Manager.

                    # For a modified target system identity that is fetched from the target system, the same modifications are made to its corresponding OIM User.

                    # If you specify certain attributes of a target system as trusted sources, then Oracle Identity Manager must be disabled from provisioning the same set of attributes in the target system.

       
   
   
    2.  Components Used for Connector Operations
       
         * Oracle Identity Manager Components
       
           
                Reconciliation APIs

                Reconciliation Engine

                Reconciliation Manager

                Remote Manager

       
         * Connector Components
       
                Reconciliation Field Definitions

                Reconciliation Field Mappings

                Reconciliation Rules

                Reconciliation Action Rules

                Reconciliation Provisioning Tasks

                IT Resource

                IT Resource Type

                Lookup Definitions

                Scheduled Tasks

                Resource Object

                Process Form

                Provisioning Process, Process Tasks, and Adapters

   
   
   
   
    3. Reconciliation and Provisioning Processes
   
       
        Target Resource Reconciliation

        Provisioning
   
        Trusted Source Reconciliation
   
   
    4. Performing Connector Operation   
       
        Guidelines on Running Reconciliation

        Managing Scheduled Tasks

        Guidelines on Performing Provisioning Operations

        Provisioning Resources

   
   
   
   
    IAM - Custom Connector Development Questions
   
       
           
        1. Provisioning/Reconciliation/or Both: Provisioning is generally assumed by default, as that is the whole point of connector development, but the reconciliation estimate should also be kept in mind if reconciliation is required. If both are required, the estimates obviously go higher, with a much longer development cycle.
       
        2. Is Authoritative Source (Yes/No)? If the end system is an authoritative source of data for user, role or organization information, then a slightly different design is required for connector development, with more checks and balances in place.
       
        3. Provisioning Functions (CRUD)? Which provisioning functions should be considered for connector development? Most likely all of them, but in some situations delete, or update of all attributes, is not required, which will save some time and effort for a tailored solution.
       
        4. Reconciliation Features (Agentless or Agent-based)? Most connectors should work without actually installing anything on end systems (i.e. agentless), thereby reducing the time, effort and complexity involved. In situations where an agent-based connector is required, two components are developed, one on the end system and one on the IAM system. This requires more testing and fault tolerance.
       
        5. Is a password or any other secure attribute part of connector development?
       
        6. What will be the connectivity channel requirement for the connector, such as SSL/TLS or any other protocol?
       
        7. What types of user accounts should this connector support (Regular Users / Service Accounts / Any Other)?
       
        8. How many attributes should this connector support? This can greatly affect the time and effort, as more attributes require a generic design, which makes the connector more flexible but takes more initial effort early on.
       
        9. Is Group/Role/Entitlement/Org or any other entity management part of the connector solution?
       
        10. Any other additional capabilities that this connector should support?


   
   
   
   
    IAM - Application Integration Questionnaire :
    -------------------------------------------
   
       
        I have come up with a list of questions that can be asked to integrate any standard or custom third-party application with the IdM product.
        These questions will be especially helpful if the number of apps is large enough.

            1.       App Name
            2.       App Description
            3.       No. of Users
            4.       Types of Users
            5.       Type of App (online/thick client/legacy/cloud/any other) : Please mention
            6.       No. of App Instances
            7.       Type of Connectivity available (JDBC/Web Service/Directory/Messaging system/File system/any other)
            8.       Database used by the App (Proprietary/Standard)
            9.       Mention database name if known
            10.   Is it Authoritative source of data for Users/Role/Org or any other entity?
            11.   Does this App depend on any other App?
            12.   If yes, mention the other App Name
            13.   Network zone this app resides in (public/subnet/intranet/firewalled/limited etc.)
            14.   Any web services exposed by this App.
            15.   Is SSO a requirement for App ?
            16.   Is provisioning a requirement for this App ?
            17.   Is reconciliation a requirement for this App ?
            18.   Is password sync a requirement for this App ?
            19.   Does this App require any special treatment from performance, security or high availability perspective?
            20.   What does this App store? Put a tick (Users/Groups/Roles/Entitlement/Org Structure)
               
               
   
   
   
   
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   
   
                                                                        OIM Database Back up / Restore
                                                                       

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Backup
========

        @echo on
        rem Export only the DEV_OIM schema; exp appends .dmp and .log to the file names below
        set ORACLE_SID=ORCL
        exp DEV_OIM/Lucky1234 full=no owner=DEV_OIM file=D:\Backupof_ORCL_DEV_OIM_dontdelete\BACKUP\emptydb log=D:\Backupof_ORCL_DEV_OIM_dontdelete\BACKUP\emptydb
        @echo off

Restore
========

        rem Recreate the DEV_OIM schema owner as SYSDBA, then import the dump taken by the backup
        sqlplus /nolog
        CONNECT sys/sys123@ORCL AS SYSDBA
        DROP USER DEV_OIM CASCADE;
        @D:\oracle\javavm\install\initxa.sql

        CREATE USER DEV_OIM IDENTIFIED BY Lucky1234 DEFAULT TABLESPACE DEV_OIM TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON DEV_OIM;
   
        GRANT connect, resource, aq_administrator_role, dba, query rewrite TO DEV_OIM with ADMIN OPTION;
        @D:\oracle\RDBMS\ADMIN\dbmspool.sql
        GRANT EXECUTE ON sys.dbms_shared_pool TO DEV_OIM WITH GRANT OPTION;

        BEGIN
                    dbms_resource_manager_privs.grant_switch_consumer_group( grantee_name => 'DEV_OIM',consumer_group => 'SYS_GROUP',grant_option => TRUE);
        END;
        /
        Exit
        rem Back at the OS prompt: import the DEV_OIM schema from the export file
        imp DEV_OIM/Lucky1234@ORCL fromuser=DEV_OIM touser=DEV_OIM file=D:\Backupof_ORCL_DEV_OIM_dontdelete\BACKUP\emptydb.DMP log=D:\Backupof_ORCL_DEV_OIM_dontdelete\BACKUP\emptydb.log
           
           
           
   
     +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   
                                                                       OIM 11G R2 Server Performance Tuning
   
   
     +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   
   
                I will list some of the server tuning parameters that can be used to tune the OIM managed server.

                JVM Memory

                For Hotspot JVM

                Min Heap Size (-Xms) = 4GB, Max Heap Size (-Xmx) = 8GB, PermSize (-XX:PermSize) = 500m and PermGen size (-XX:MaxPermSize) = 1 GB.

                For JRockit JVM

                Min Heap Size (-Xms) = 4GB, Max Heap Size (-Xmx) = 8GB, PermSize (-XX:PermSize) = N/A and PermGen size (-XX:MaxPermSize) = N/A


                To change the JVM memory settings:
                1. If your OIM version is 11.1.2.1.0 or above, use DOMAIN_HOME/bin/setOIMDomainEnv.sh (Unix) or setOIMDomainEnv.cmd (Windows). If not, continue to use DOMAIN_HOME/bin/setDomainEnv.sh (Unix) or setDomainEnv.cmd (Windows) to change the heap size settings.
                2. Change the value of DEFAULT_MEM_ARGS and PORT_MEM_ARGS from the default value and save.
                3. Restart the OIM server.
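
                After the restart it is worth confirming that the values really took effect. The script below is an added example, not part of the original post: it checks a JVM argument string against the HotSpot values listed above. The function names and both sample strings are constructed for illustration, and it assumes you have the effective argument string at hand.

```shell
#!/bin/sh
# Added example (not from the original post): audit JVM memory arguments
# against the HotSpot values listed above. Function names are hypothetical.

to_mib() {            # 4g, 4096m, 1048576k or plain bytes -> MiB
    num=${1%[kKmMgG]}
    case "$1" in
        *[gG]) echo $(( ${num} * 1024 )) ;;
        *[mM]) echo "${num}" ;;
        *[kK]) echo $(( ${num} / 1024 )) ;;
        *)     echo $(( ${num} / 1048576 )) ;;
    esac
}

last_value() {        # $1 = flag prefix, $2 = argument string
    val=""
    for arg in $2; do # HotSpot: a repeated flag is overridden by its last occurrence
        case "$arg" in
            "$1"*) val=${arg#"$1"} ;;
        esac
    done
    echo "$val"
}

check_flag() {        # $1 = prefix, $2 = expected MiB, $3 = argument string
    got=$(last_value "$1" "$3")
    if [ -z "$got" ]; then
        echo "MISSING  $1 (expected ${2}m)"; return 1
    elif [ "$(to_mib "$got")" -ne "$2" ]; then
        echo "MISMATCH $1$got (expected ${2}m)"; return 1
    fi
    echo "OK       $1$got"
}

audit_mem_args() {    # $1 = argument string; exit status = number of findings
    failures=0
    check_flag "-Xms" 4096 "$1"             || failures=$((failures + 1))
    check_flag "-Xmx" 8192 "$1"             || failures=$((failures + 1))
    check_flag "-XX:PermSize=" 500 "$1"     || failures=$((failures + 1))
    check_flag "-XX:MaxPermSize=" 1024 "$1" || failures=$((failures + 1))
    return "$failures"
}

# Constructed samples: the first repeats -Xms/-Xmx, the second has a late -Xmx2g.
SAMPLE_GOOD="-Xms1024m -Xmx2048m -Xms4g -Xmx8192m -XX:PermSize=500m -XX:MaxPermSize=1g"
SAMPLE_BAD="-Xms4g -Xmx8g -XX:MaxPermSize=1g -Xmx2g"
audit_mem_args "$SAMPLE_BAD" || echo "$? setting(s) differ from the values above"
```

                The second sample shows why the last occurrence matters: an earlier -Xmx8g is silently overridden by a later -Xmx2g appended elsewhere in the start scripts.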
               
               
               
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   
   
                                                            Oracle Identity & Access Managers Features
   
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   
    Oracle Identity Manager (OIM) 11G R2 PS1 (11.1.2.1.0) New Features
   
   
   
    Oracle Identity Manager (OIM) 11G R2 PS2 (11.1.2.2.0) New Features
   
   
   
    Oracle Identity Manager (OIM) 11G R2 PS3 (11.1.2.3.0) New Features :
    -------------------------------------------------------------------


                    Improved Self Service UI
                    In PS3, the UI has undergone a major overhaul and looks much more tablet and mobile friendly, with tiles and easy access. Faster navigation is what we are looking for in PS3.
                    There are fewer drop-downs and a less complicated web structure, and all the items that you need are easily accessible.


                    Access Catalog with Guided Navigation
                    The complications of PS2 navigation are done away with, and you now have a guided navigation feature that helps you better understand and manage your current accesses.


                    Temporal Grants for New and Existing Access
                    Users can now set a start date and an end date while making requests, so that access is granted on the exact dates. Empowered users can also modify the grant duration.


                    Self Capabilities
                    PS3 comes with a Self Capabilities feature that controls what actions an end user can perform on themselves and on others.
                    This feature allows specifying rules on which actions can be performed either on themselves or on others.


                    Simplified Admin Roles
                    These admin roles allow assigning functional capabilities to the admin role, and specifying members and membership rules and the organizations that the admin role members can manage.
                    This also makes APM obsolete; it is of no use in PS3.


                    Role Lifecycle Management
                    PS3 comes with complete end to end role life-cycle management capabilities thus making OIA obsolete.


                    Identity Audit Policy Management
                    Basically, this feature checks for Segregation of Duties (SoD) violations during the request process itself, examining both the user's existing access and what is being requested.


                    Enhanced Auditing
                    This is a new engine which replaces the older auditing engine. It does not depend on audit snapshots and JMS, and is synchronous in operation.
                    It is used by user, role, and organization management, and other components excluding provisioning.


                    Enhanced Password Policy Management
                    This solves the older issue of how to handle password policy management when OIM and OAM are integrated. It also allows challenge questions to be defined at the global or per-user level.
                    Policies can be defined at the Org level.


                    SCIM-Based REST Services
                    SCIM stands for System for Cross-Domain Identity Management, and REST for Representational State Transfer.
                    Both standards allow an industry-standard approach to integrating with other identity management components or with third-party vendors.
                    The SPML XSD-based SOAP web service is deprecated with this feature.


                    Simplified Workflow Policies
                    This new feature replaces approval policies. Workflow policies perform better, expose additional configuration options, and conform to the UI of this release.


                    Simplified SSO Integration
                    WebLogic authenticators and plugins are deprecated, and it looks like PS3 has gone in favour of the older HTTP header based SSO solution which was present in the 10g release.
                    This also allows better and simpler integration with other vendors.




Regards
LuckyFusion
