This article continues Part I, which has the same title (except that it is called Part I). If you haven't read it, I recommend having a glance at it before reading this one, though I will try to recap some of the concepts. You can find Part I here.
When you start talking about automating user provisioning operations in an enterprise, Oracle Identity Manager is a product that quickly comes to mind. There are other similar products; you can find the complete set of offerings in Gartner's Magic Quadrant, linked below. Even if you are not planning to deploy Oracle Identity Manager, it is useful to understand a little about this product. Some learning to do.
In the Magic Quadrant for Provisioning for the year 2010 (from Gartner), Oracle's Identity and Access Management products are placed as the market leader in terms of product offering and service. You may want to have a look at the Magic Quadrant for Provisioning report on Gartner's website. Other vendors in the Leaders quadrant are IBM Tivoli, CA, Novell and Courion. I think the report is worth reading once.
One finding: OIM 18.104.22.168 BP 10 was the version evaluated for this report. However, Oracle Identity Manager 11g was released in Q3 2010, around the time the report was published, so we need to wait a few more months to see how OIM 11g fares in user provisioning.
Let's talk more about my favorite: Oracle Identity Manager (IDM).
Common Operations with Oracle Identity Manager (IDM)
At a high level, Oracle Identity Manager (IDM) performs tasks related to reconciliation and user provisioning. Let's talk a little more about these individual operations and what they really do.
All of the Oracle documentation about IDM talks predominantly about three operations. They are:
- Trusted Source Reconciliation
- Provisioning
- Target Resource Reconciliation
A clear understanding of these three operations is necessary to understand the IDM product. I want to make sure you are clear about these concepts before I complicate things further, so be patient and try to understand these terms first.
Trusted Source Reconciliation
In Trusted Source Reconciliation, another source system in the enterprise (for example, a PeopleSoft HRMS system) acts as the trusted, authoritative source of user information. IDM connects to this trusted source through its scheduled tasks, which run inside IDM and contact the trusted source. All users that were created, modified or deleted there are reconciled into IDM.
Because IDM treats another system (the trusted source) as authoritative for user information, this setup is called Trusted Source Reconciliation. One consequence is worth keeping in mind: whoever can create or modify records in the trusted source can, after the next scheduled run, create or modify identities in IDM, so access to the HR system itself has to be controlled and audited.
For example, the PeopleSoft HRMS system is fed by the HR department of an enterprise. In this case we can configure the PeopleSoft HRMS system as a trusted source for IDM. IDM connects to PeopleSoft through scheduled tasks and performs Trusted Source Reconciliation, which copies changed user information from PeopleSoft into IDM.
Provisioning
In the provisioning configuration, IDM is the central repository of user information, and it is configured to connect to target systems and copy user information from IDM to each target. This is called Provisioning.
For example, IDM can be configured to populate Active Directory, Sun Java System Directory and Oracle Internet Directory with user information for the first time. Going forward, whenever a user is created, modified or deleted in IDM, we can configure the provisioning operation to perform the same operation in Active Directory, Sun Java System Directory and Oracle Internet Directory. Note that the credentials IDM uses for this must be able to create, modify and delete accounts in every target, so the connector accounts it holds are among the most privileged in the enterprise and should be scoped and protected accordingly.
Target Resource Reconciliation
Using Target Resource Reconciliation, we can achieve partial reconciliation with a target system: instead of treating the target as authoritative for the whole identity, IDM pulls back only some account data from it. For example, we can treat Microsoft Exchange as the system that feeds the "email" attribute, and configure IDM to copy each user's email address from Exchange into IDM using this configuration.
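The three operations above (Trusted Source Reconciliation, Provisioning and Target Resource Reconciliation), as an added example that is not Oracle's code and not part of the original post: a small Python model of one reconciliation-and-provisioning cycle. The HRMS snapshot, the identity store contents, the target names (AD, OID, Exchange), the "disable rather than delete" rule and the first-initial-plus-surname login rule are all constructed assumptions. It goes slightly beyond the text in one respect: the target-side pass also reports accounts on the target that no IDM identity owns, which is how accounts created behind the provisioning path get noticed.

```python
from copy import deepcopy

# --- Constructed sample data (assumed records, not real ones) ---------------
# Snapshot that the scheduled task pulled from the trusted source (HRMS).
HRMS_SNAPSHOT = {
    "1001": {"first": "Ada",   "last": "Lovelace", "dept": "ENG", "status": "Active"},
    "1002": {"first": "Grace", "last": "Hopper",   "dept": "ENG", "status": "Active"},
    "1003": {"first": "Alan",  "last": "Turing",   "dept": "RES", "status": "Terminated"},
}
# Identities IDM already holds: 1001 moved department, 1003 has since left,
# 1004 is no longer in HR at all, and 1002 is a new hire not yet known to IDM.
IDENTITY_STORE = {
    "1001": {"first": "Ada",  "last": "Lovelace", "dept": "OPS", "status": "Active", "email": None},
    "1003": {"first": "Alan", "last": "Turing",   "dept": "RES", "status": "Active", "email": None},
    "1004": {"first": "Mary", "last": "Kelly",    "dept": "FIN", "status": "Active", "email": None},
}
# Mailboxes as seen on the target (Exchange), keyed by login. "svcbackup" was
# created directly on the target and is linked to no IDM identity.
EXCHANGE_ACCOUNTS = {
    "alovelace": {"owner": "1001", "email": "ada.lovelace@example.test"},
    "ghopper":   {"owner": "1002", "email": "grace.hopper@example.test"},
    "svcbackup": {"owner": None,   "email": "svcbackup@example.test"},
}
TRACKED = ("first", "last", "dept", "status")


def trusted_source_reconcile(store, snapshot):
    """Mirror creates, modifies and deletes from the trusted source into the store.

    A delete (or a non-Active HR status) is modelled as status 'Disabled', not as
    removal: the identity stays for audit and so that de-provisioning can run.
    """
    events = {"created": [], "updated": [], "disabled": []}
    for emp_id, rec in snapshot.items():
        incoming = {k: rec[k] for k in TRACKED}
        if rec["status"] != "Active":
            incoming["status"] = "Disabled"
        if emp_id not in store:
            store[emp_id] = dict(incoming, email=None)
            events["created"].append(emp_id)
            continue
        current = store[emp_id]
        changed = {k: v for k, v in incoming.items() if current.get(k) != v}
        if changed:
            current.update(changed)
            bucket = "disabled" if changed.get("status") == "Disabled" else "updated"
            events[bucket].append(emp_id)
    # Known to IDM but absent from the trusted source: a leaver, never silently kept.
    for emp_id, current in store.items():
        if emp_id not in snapshot and current["status"] != "Disabled":
            current["status"] = "Disabled"
            events["disabled"].append(emp_id)
    return events


def login_for(identity):
    """Assumed naming rule for target accounts: first initial + last name."""
    return (identity["first"][0] + identity["last"]).lower()


def provision(store, targets):
    """Push IDM's view to each target (a dict login -> account).

    Active identities get an account created or updated; disabled identities get
    their existing accounts disabled and never receive a new one.
    """
    actions = []
    for emp_id, ident in store.items():
        login = login_for(ident)
        for name, accounts in targets.items():
            acct = accounts.get(login)
            if ident["status"] == "Disabled":
                if acct is not None and acct.get("enabled", True):
                    acct["enabled"] = False
                    actions.append(("disable", name, login))
            elif acct is None:
                accounts[login] = {"owner": emp_id, "dept": ident["dept"], "enabled": True}
                actions.append(("create", name, login))
            elif acct.get("dept") != ident["dept"]:
                acct["dept"] = ident["dept"]
                actions.append(("update", name, login))
    return actions


def target_resource_reconcile(store, accounts, attr):
    """Pull one attribute from a target back into the owning identities.

    Returns (identities updated, logins on the target that no identity owns);
    the second list is what exposes accounts created behind IDM's back.
    """
    pulled, unowned = [], []
    for login, acct in accounts.items():
        owner = acct.get("owner")
        if owner in store:
            if store[owner].get(attr) != acct.get(attr):
                store[owner][attr] = acct.get(attr)
                pulled.append(owner)
        else:
            unowned.append(login)
    return pulled, unowned


def run_cycle():
    """One full cycle over the constructed data; returns every result for inspection."""
    store = deepcopy(IDENTITY_STORE)
    targets = {"AD": {}, "OID": {}}
    recon = trusted_source_reconcile(store, HRMS_SNAPSHOT)
    prov = provision(store, targets)
    pulled, unowned = target_resource_reconcile(store, deepcopy(EXCHANGE_ACCOUNTS), "email")
    return store, recon, prov, pulled, unowned


if __name__ == "__main__":
    store, recon, prov, pulled, unowned = run_cycle()
    print("trusted source recon:", recon)
    print("provisioning actions:", prov)
    print("attributes pulled for:", pulled, "| unowned target accounts:", unowned)
```

Running it shows the three operations in sequence: the HR snapshot creates 1002, moves 1001 to ENG and disables 1003 and 1004; provisioning then creates accounts only for the two active identities and creates nothing for the disabled ones; the Exchange pass fills in the email attribute and flags svcbackup as owned by nobody. Running the trusted source pass a second time against the same snapshot yields no events, which is the property a scheduled task has to have.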
IDM integration with Peoplesoft Applications
IDM needs to be integrated with various systems in the enterprise for identity administration purposes. Through IDM we can do a lot of things, such as automatic user account creation, password changes across various target systems, and so on. So what options do we have to integrate IDM with the various PeopleSoft applications that handle users' identities across an enterprise?
Here are the options:
- Connectors (three types of them: pre-defined, Generic Technology Connector (GTC) and custom)
- SPML Web Service
Ok, I think I have explained a few things about IDM. We will talk about these integration options, and about how to integrate with PeopleSoft systems, in the next post.