
Oracle Fusion Middleware : Oracle Identity and Access Management Suite 10g/11gR1/11gR2 PS1, PS2, PS3 : OIM | OAM, OAAM, OIF | OID, OVD, DIP | OUD / ODSEE | Microsoft AD | OpenLDAP | ADF | EBS R12 | OECMCCR4 | Business Intelligence - BI Publisher | Banking | Demo Applications | Core Java | SQL | PLSQL | Web services | WebLogic | Tomcat | JBoss | OHS | WebGate | WebCenter | For any queries please contact me : info@oratechsoft.com


Thursday 31 August 2017

Oracle IAM Introduction

Oracle Access Manager (OAM)
+++++++++++++++++++++++++++


Oracle Access Manager is a J2EE application, typically deployed on a dedicated managed server in a WebLogic Server (application server) cluster.

An enterprise typically has many applications for different purposes. Each application typically has its own authentication and authorization functionality.

OAM provides a single point of control for all resource grants in an enterprise where multiple applications run on different platforms.

OAM provides:

Single Sign On (SSO)
Authentication
Authorization
Real time session management
Auditing
Policy Administration

Flaws in the conventional security model:

Each independent application in the enterprise (.NET, J2EE, SAP, WebCenter, etc.) performs its own authentication and authorization. Every application has its *own* authentication and authorization mechanism, which hurts:

Effective security
Cost
Consistency
Security compliance
Ease of use for users (Single Sign On)
Governance, support and management

Only one of the web servers hosts the OAM agent (WebGate); requests for the other web servers are routed through it as a reverse proxy. Hence we do not need an OAM agent on each web server.

The request reaches the OAM agent, which redirects it to OAM; OAM challenges the user for a username and password. Once these are supplied, OAM authenticates the user against the LDAP directory (AD or OID). Once the user is authenticated, the WebGate opens the gate to the corresponding underlying web server.

Oracle Internet Directory (OID)
+++++++++++++++++++++++++++++++


This is a directory of objects. For example, for the employees of an organization the directory holds employee details such as name, designation, enterprise roles, application-specific roles, and security credentials such as the password and password reminder questions.

This is typically a single source of truth for information about employees in an organization.

Various applications access OID to authenticate and authorize users. Typically, OID is integrated with OAM.

OID is Oracle's LDAP implementation. Active Directory (AD) is Microsoft's implementation of the same kind of solution.

OID generally uses an Oracle database to store all of the information described above.
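The OAM flow described above (the WebGate redirecting an unauthenticated request to OAM, OAM checking the credentials in the LDAP directory, then the WebGate letting the request through) and the directory's role as the credential store, as an added Python simulation. This is not code from the original post or from Oracle: the directory entries, the DIT layout, the hostnames, the cookie layout and the use of the LDAP-style {SSHA} password format are all constructed assumptions, and a real WebGate validates the OAMAuthnCookie with the OAM server rather than holding the signing key itself.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional
from urllib.parse import urlencode

# Constructed stand-in for the LDAP directory (OID or AD). Passwords are kept as
# LDAP-style {SSHA} values: base64(sha1(password + salt) + salt), never in clear.
def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

BASE_DN = "cn=users,dc=example,dc=com"         # assumed directory layout
DIRECTORY = {                                  # constructed entries
    f"uid=jdoe,{BASE_DN}": {"userPassword": ssha_hash("Welcome1"), "enabled": True},
    f"uid=asmith,{BASE_DN}": {"userPassword": ssha_hash("Secret2"), "enabled": False},
}

class AccessServer:
    """Stand-in for OAM: authenticates against the directory and signs session cookies."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key

    def _sign(self, payload: str) -> str:
        return hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, uid: str, password: str) -> Optional[str]:
        entry = DIRECTORY.get(f"uid={uid},{BASE_DN}")
        if entry is None or not entry["enabled"]:
            return None                        # unknown or disabled user
        if not ssha_verify(password, entry["userPassword"]):
            return None
        payload = f"{uid}:{secrets.token_hex(8)}"
        return f"{payload}:{self._sign(payload)}"   # value of the OAMAuthnCookie

    def validate(self, cookie: str) -> Optional[str]:
        """Return the user id if the cookie signature is intact, else None."""
        parts = cookie.split(":")
        if len(parts) != 3:
            return None
        uid, session_id, sig = parts
        expected = self._sign(f"{uid}:{session_id}")
        return uid if hmac.compare_digest(sig, expected) else None

class WebGate:
    """Stand-in for the OAM agent on the front web server (the reverse proxy)."""

    def __init__(self, oam: AccessServer, login_url: str = "https://oam.example.com/oam/server/auth"):
        self.oam = oam
        self.login_url = login_url

    def handle(self, path: str, cookies: dict) -> dict:
        cookie = cookies.get("OAMAuthnCookie")
        uid = self.oam.validate(cookie) if cookie else None
        if uid is None:
            # No valid session: challenge by redirecting to OAM, remembering the resource
            return {"status": 302, "location": self.login_url + "?" + urlencode({"resource": path})}
        # Valid session: open the gate to the protected application
        return {"status": 200, "user": uid, "path": path}

if __name__ == "__main__":
    oam = AccessServer(secrets.token_bytes(32))
    gate = WebGate(oam)
    print(gate.handle("/hr/timesheet", {}))                            # redirect to OAM
    cookie = oam.login("jdoe", "Welcome1")
    print(gate.handle("/hr/timesheet", {"OAMAuthnCookie": cookie}))  # allowed for jdoe
```

The two points a defender should take from the simulation are that the directory never needs to hold a clear-text password (the salted hash is enough to verify a login) and that the WebGate trusts nothing in the request except a cookie whose signature still verifies, so a disabled directory entry or a tampered cookie both end in a redirect back to the login challenge.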


Oracle Identity Manager (OIM)
+++++++++++++++++++++++++++++

OIM manages the life cycle of an identity (generally a user, e.g. an employee).

The OIM server is a J2EE application. User provisioning is done in OIM, which integrates it with all the other applications.

Let's take the example of an employee joining an organization. He or she needs access to various applications in the organization. HR typically creates the employee in the HRMS on the joining date.

The manager then raises user id creation requests for this new employee for email, the time sheet app, CRM, the leave management app, etc. With OIM this provisioning can be done automatically or manually from a single point.

OIM provides unified access control for all the applications in the enterprise. Once the employee quits, the manager need only log on to OIM and delete (soft or hard delete) the employee from the various applications.

OIM integrates with other applications using the SOA Suite with the respective JCA adapters.



    Accounts:
--------


        Rogue Account : A rogue account is an account created "out of process", i.e. beyond the control of the provisioning system (the OIM engine).


        Orphan Account : An orphan account is an operational account without a valid owner.


        Note :    Rogue and orphan accounts represent serious security risks.


        Service Account: A service account is similar to an admin account; it has a different life cycle and privileges.

               
           
    Provisioning:
++++++++++++

        The process of creating a user's account in a target resource is known as Provisioning.
       
   
    Reconciliation : (Read, Discovery )
+++++++++++++++++++++++++++++++++++

        The process of reading account data from a target resource and creating the corresponding account for the user in OIM is known as Reconciliation.
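The rogue and orphan accounts defined in the Accounts section above are exactly what a reconciliation run should surface, so here is an added Python example of that classification. It is not code from the original post or from OIM: the data model (an OIM user list, the accounts read back from a target, a matching rule of account name equal to OIM login) and the sample users and accounts are constructed assumptions that stand in for a real target system and the OIM engine.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class OimUser:
    login: str
    status: str                       # "Active", "Disabled" or "Deleted" in this toy model

@dataclass
class TargetAccount:
    account_name: str                 # login on the target, e.g. an AD sAMAccountName
    owner_login: Optional[str]        # OIM user the account is linked to, None if unlinked
    provisioned_by_oim: bool          # False = created "out of process" on the target

def reconcile(users: List[OimUser], accounts: List[TargetAccount]) -> Dict[str, list]:
    """Classify the accounts discovered on a target after a reconciliation read."""
    by_login = {u.login: u for u in users}
    report = {"managed": [], "rogue": [], "orphan": [], "link_candidate": []}
    for acct in accounts:
        owner = by_login.get(acct.owner_login) if acct.owner_login else None
        if owner is None:
            # Unlinked account: apply the matching rule (account name == OIM login)
            candidate = by_login.get(acct.account_name)
            if candidate is not None and candidate.status == "Active":
                report["link_candidate"].append((acct.account_name, candidate.login))
                owner = candidate
        if not acct.provisioned_by_oim:
            report["rogue"].append(acct.account_name)       # created outside OIM
        if owner is None or owner.status != "Active":
            report["orphan"].append(acct.account_name)      # no valid owner
        elif acct.provisioned_by_oim:
            report["managed"].append(acct.account_name)     # linked, owner active, OIM-created
    return report

# Constructed sample data: three OIM users and four accounts found on a target
SAMPLE_USERS = [OimUser("jdoe", "Active"), OimUser("asmith", "Disabled"), OimUser("bkim", "Active")]
SAMPLE_ACCOUNTS = [
    TargetAccount("jdoe", "jdoe", True),          # normal managed account
    TargetAccount("asmith", "asmith", True),      # owner is disabled, account still live
    TargetAccount("svc_backup", None, False),     # created by hand, no owner at all
    TargetAccount("bkim", None, False),           # created by hand but matches an active user
]

if __name__ == "__main__":
    for kind, names in reconcile(SAMPLE_USERS, SAMPLE_ACCOUNTS).items():
        print(f"{kind:15s} {names}")
```

Note that an account can fall into more than one bucket: svc_backup is both rogue (nobody provisioned it through OIM) and orphan (nobody owns it), which is the combination the Note above calls a serious risk. An account that is rogue but matches an active user can be linked and brought under management; an orphan whose owner is disabled is the case the off-boarding step in the OIM section is meant to prevent.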
   
   
    Resource Object:
++++++++++++++++
       
        A virtual representation of a target resource in OIM is known as a Resource Object (e.g. an AD User).
       
        It is the logical representation of the target system.

    IT Resource:
+++++++++++
   
        An IT Resource stores the configuration data of the actual target resource.
       
        It stores the actual connection data (the password is always stored encrypted).
       
       
    IT Resource Type:
+++++++++++++++++
   
        An IT Resource Type defines which connection details a target system of that type requires.
       
    Process Def:
++++++++++++

        This defines the flow of actual tasks.
       
    Process Form:
+++++++++++++
   
        A table within the OIM database that holds the data for a given resource object.


    Form :
++++++
   
        The combination of entities/attributes is known as a Form.

        There are two types of forms in OIM, used for showing and storing user data for provisioning:

        1. Object Form
        2. Process Form

        Object Form: An object form is associated with a Resource Object.

        Process Form: This form is associated with the provisioning process of a target resource. During a provisioning process, data flows to the actual target resource from the process form only.

   
        Parent Form (object) and Child Form (entitlements)
   
   
    Application Instance  : ( New in OIM 11g onwards )
++++++++++++++++++++++++++++++++++++++++++++++++
   
         An Application Instance is the entity that can be provisioned to a user.
         Application Instances are published to the catalog, and users access application instances via the catalog.
         Before OIM 11gR2, to provision an account you selected the name of the resource; from OIM 11gR2 onwards, resources and entitlements are bundled into Application Instances, which the user selects via the catalog (the catalog is another feature introduced in OIM 11gR2; more on it below).
         An Application Instance is the combination of an IT Resource instance, a Resource Object and a Form.
       
    Catalog :
+++++++
   
        The Catalog is a web-based interface that allows business users to request Roles, Application Instances, and Entitlements (within applications).
   
   
    Policy :
+++++++
   
        1. Approval Policy ( Purpose : Auto Approvals & Manual Approvals )
        2. Access Policy ( Purpose : Auto Provisioning )
        3. Password Policy ()
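The Access Policy item above says only "auto provisioning"; the following added Python example shows what that evaluation looks like in a simplified model, including what happens when a role is taken away. It is not code from the original post or from OIM: the policy structure, the role and application instance names, and the revoke flag (modelled on OIM's "revoke if no longer applies" option) are constructed assumptions, and a real access policy carries far more, such as form data for the account being created.

```python
from typing import Dict, List, Set

# Constructed access policies. A policy applies when the user holds any of its
# roles and then provisions the listed application instances to the user.
ACCESS_POLICIES: List[Dict] = [
    {"name": "Corporate Mail", "roles": {"Employee"},
     "app_instances": {"Exchange Mailbox"}, "revoke_if_no_longer_applies": True},
    {"name": "Sales CRM", "roles": {"Sales"},
     "app_instances": {"CRM"}, "revoke_if_no_longer_applies": True},
    {"name": "Finance ERP", "roles": {"Finance"},
     "app_instances": {"EBS R12"}, "revoke_if_no_longer_applies": False},
]

def evaluate_access_policies(user_roles: Set[str], policies: List[Dict] = ACCESS_POLICIES) -> Set[str]:
    """Application instances the user should hold according to the access policies."""
    desired: Set[str] = set()
    for policy in policies:
        if policy["roles"] & user_roles:          # membership in any listed role triggers the policy
            desired |= policy["app_instances"]
    return desired

def plan_changes(current_apps: Set[str], user_roles: Set[str],
                 policies: List[Dict] = ACCESS_POLICIES) -> Dict[str, Set[str]]:
    """Provisioning actions after a role change: what to auto-provision, what to revoke."""
    desired = evaluate_access_policies(user_roles, policies)
    revocable: Set[str] = set()
    for policy in policies:
        if policy["revoke_if_no_longer_applies"]:
            revocable |= policy["app_instances"]
    return {
        "provision": desired - current_apps,
        # Only access granted by a policy flagged for revocation is removed automatically;
        # anything else stays until someone reviews it (a source of orphan access).
        "revoke": {app for app in current_apps - desired if app in revocable},
    }

if __name__ == "__main__":
    print(plan_changes(set(), {"Employee", "Sales"}))                       # joiner
    print(plan_changes({"Exchange Mailbox", "CRM", "EBS R12"}, {"Employee"}))  # mover
```

The mover case is the one worth watching in a review: the CRM account is revoked automatically because its policy is flagged for revocation, but the ERP account is kept, so a policy without that flag quietly leaves access behind whenever a user changes role.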
       
   
    Sandbox : ( New in 11g onwards )
++++++++++++++++++++++++++++++++
   
        A sandbox is an area where metadata objects can be modified without affecting their mainline usage.
        In simple words, a sandbox is a temporary storage area that holds a group of page customizations until they are either saved and published to other users, or discarded.
   
   
    Adapter :
+++++++++
       
        An adapter is essentially a pre-defined Java program.
       
        Adapters are Java programs that enable you to integrate Oracle Identity Manager with other software solutions.
   
   
    EventHandler :
++++++++++++
       
        Any action performed by a user or by the system is known as an Event; an event handler is the code OIM runs in response to such an event.
   
   
    Scheduler :
++++++++++
   
        The component that runs scheduled jobs is known as the Scheduler.
   
    Connector :
+++++++++
       
        A connector is essentially an application programming interface layer between two systems; it is used to perform operations such as create, update and delete on the target.


Regards,
Lakshmi Prasad Reddy Nandyala

Saturday 19 August 2017

Oracle Identity Manager 11gR2PS3 Installation and BundlePatch11 Applying


OIM 11g R2 PS3 Installation and how to apply BundlePatch11


In this lab we are going to see the steps for installing OIM 11gR2 PS3 along with the latest BP as of 20/Aug/2017.



Download :

RCU 11.1.1.9

Oracle JRockit 1.6

WebLogic 10.3.6

SOA Suite 11.1.1.9

Oracle IAM Suite 11.1.2.3.0 ( Major.Minor.Release.PatchSet.BundlePatch )

Latest BundlePatch11 ( Note - download from Oracle Support )


Step 0 :  Installing the VM and Oracle Linux 6.5

Step 1 :  Installing the Oracle Database

Step 2 :  Running the Repository Creation Utility (RCU)

Step 3 :  Installing the Java Development Kit (JDK) binaries

Step 4 :  Installing the WebLogic Server (WLS) binaries

Step 5 :  Installing the SOA Suite (SOA) binaries

Step 6 :  Installing the Identity and Access Management Suite (IAM) binaries

Step 7 :  Creating the OIM Server domain

Step 8 :  Configuring the policy store

Step 9 :  OIM configuration

Step 10 : Design Console configuration

Step 11 : Starting, accessing, and stopping the OIM domain

Step 12 : Bundle Patch installation

 

Regards, 
Lakshmi Prasad Reddy Nandyala
+91-9490059784