Tuesday, October 21, 2008

OIM - Adapters

One thing I found very confusing, with little documentation to go on, is how and when to create adapters. Adapters are a crucial part of OIM operation and provisioning: they implement, in code, how an action is carried out and what it does. Every action you want to perform on a user object requires one.

To use adapters, they have to be attached to an OIM User Form or to a user-defined custom form.
  • Process Task adapters - automate completion of a process task and are attached to a Process Definition Form (AD User, OID User, etc.)
  • Entity Adapter - automatically populates a field on the OIM User form or a custom User Form on pre-update, pre-delete, pre-insert, post-insert, post-update, or post-delete
  • Pre-Populate Adapter - a specific type of rule generator attached to a user-created form field. It can automatically generate data for the form without saving that data to the OIM database, while still sending the information to the appropriate directory user object. The data can come from manual entry on a form or from automated entry from the OIM-defined forms.
  • Rule Generator - populates fields automatically on an OIM form or a user-created form and saves them to the OIM database, based on business rules
  • Task Assignment Adapter - automates the assignment of a process task to a user or group

The ones we have found to be most used are Entity, Pre-Populate, and Process Task adapters. More about creating adapters and adapter tasks later.

OIM - Rule Designer

Rule Designer is very useful in OIM for categorizing people, whether to add them to directory groups or even to provision accounts. The rules are associated with User Groups in OIM and can have Access Policies attached to them that add users to specific groups in your directories based on their role, or on any other attribute that you have defined on the user form.

When defining rules, be as granular as possible and put the most restrictive rule element first, so that people who do not match it are not evaluated against the remaining elements. Otherwise performance degrades once you have defined hundreds of rules.
  • Example: if you have a rule based on location, department, and role, and you have 3 locations, 200 departments, and 2 roles, you would want to use 'Department' as the first rule element, then 'Location', then 'Role', joined with the qualifier 'and'.
  • This means that if you are not in that department, you do not match the first element and are not evaluated for the remaining elements.
  • Performance is not compromised by having to traverse all 2 roles, 3 locations, and then 200 departments for every user.

You can also nest rules, which is very important if you have an 'or' condition that you want to combine with an 'and' condition.
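The ordering argument above is easy to check with a small simulation. The following is an added example, not OIM code and not the post's own material: it assumes (as the post describes) that rule elements are evaluated left to right and evaluation stops as soon as the outcome is known, and it uses a constructed population of 1200 users spread over 200 departments, 3 locations and 2 roles. It counts attribute comparisons for the department-first ordering, the role-first ordering, and a nested rule that combines an 'or' on location with an 'and' on the other elements.

```python
"""Simulation of rule-element ordering. Constructed example, not OIM code."""
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass
class Match:
    """One rule element: the user-form attribute must equal value."""
    attribute: str
    value: str


@dataclass
class Rule:
    """A rule combines elements (or nested rules) with a single operator."""
    operator: str                      # "and" or "or"
    elements: List[Union["Match", "Rule"]]


def evaluate(rule: Rule, user: Dict[str, str], stats: Dict[str, int]) -> bool:
    """Evaluate elements left to right, stopping as soon as the outcome is known
    (assumed short-circuit semantics). Every attribute comparison is counted in
    stats['comparisons'] so that orderings can be compared."""
    for element in rule.elements:
        if isinstance(element, Rule):
            result = evaluate(element, user, stats)
        else:
            stats["comparisons"] += 1
            result = user.get(element.attribute) == element.value
        if rule.operator == "and" and not result:
            return False
        if rule.operator == "or" and result:
            return True
    # 'and' with no failing element is true; 'or' with no passing element is false.
    return rule.operator == "and"


def build_users(count: int = 1200) -> List[Dict[str, str]]:
    """Constructed population: 200 departments, 3 locations, 2 roles."""
    locations = ["NYC", "LON", "SYD"]
    roles = ["staff", "manager"]
    return [
        {"department": f"D{i % 200}", "location": locations[i % 3], "role": roles[i % 2]}
        for i in range(count)
    ]


def run(rule: Rule, users: List[Dict[str, str]]) -> Dict[str, int]:
    """Apply one rule to every user; return match count and total comparisons."""
    stats = {"comparisons": 0, "matches": 0}
    for user in users:
        if evaluate(rule, user, stats):
            stats["matches"] += 1
    return stats


DEPT = Match("department", "D7")
LOC = Match("location", "LON")
ROLE = Match("role", "manager")

# Most selective element first: the ordering the post recommends.
DEPT_FIRST = Rule("and", [DEPT, LOC, ROLE])
# Least selective element first: far more users survive the early checks.
ROLE_FIRST = Rule("and", [ROLE, LOC, DEPT])
# Nested rule: an 'or' on location combined with 'and' on the other elements.
NESTED = Rule("and", [DEPT, Rule("or", [LOC, Match("location", "SYD")]), ROLE])


def compare_orderings() -> Dict[str, Dict[str, int]]:
    """Run all three rules over the same population and report the counts."""
    users = build_users()
    return {
        name: run(rule, users)
        for name, rule in [("dept_first", DEPT_FIRST), ("role_first", ROLE_FIRST), ("nested", NESTED)]
    }


if __name__ == "__main__":
    for name, stats in compare_orderings().items():
        print(f"{name:<10} matches={stats['matches']:<3} comparisons={stats['comparisons']}")
```

Both flat orderings select the same two users, but the department-first rule needs 1208 comparisons against 2000 for the role-first rule, because only the six D7 users ever reach the second element. The nested rule shows the other point of the post: the inner 'or' is evaluated as a unit, so it can be dropped into an 'and' chain without changing how the surrounding elements short-circuit.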

We have found this a very effective way to manage our group assignments and permissions in Oracle Internet Directory, Active Directory, and previously eDirectory.

OIM Design Console - Resource Management

This is where you will find your definitions for resources and resource types.

Resource Type = classifies resources (AD Server, Database, Flat file, LDAP server, etc.). These types can serve multiple uses and can be reused when defining an IT Resource.

IT Resource = a definition that represents a specific server or piece of hardware and records where it is and how to connect to it. Example - OID Server:
  • admin ID and password to connect
  • port
  • Root DN
  • Server Address
  • Provisioning Attribute lookup code
  • Recon Attribute lookup code
  • Time stamp (last recon)

Resource Objects - contain the objects that you actually want to provision (AD User, eDir User, Exchange). This is also where you find the fields whose values you want to reconcile from the directories.

  • NOTE: If you want to add a field to a User Defined form and have it reconciled, it must be defined here first, before adding it to the Process Definition Form recon mappings.

It also contains the VERY useful Rule Designer tool, which we will go into later.

OIM Scheduler

This has been posted a couple of times in other blogs, but it bears repeating: the scheduler admin page lets you stop the scheduler (and a task) without having to stop the entire application.

http://YourOIMAppHost.com/xlScheduler/admin

You can use the system admin account and password to start and stop the service.

If you have a task in progress and want to stop it immediately, use the scheduler. In the Design Console, make sure the "Stop Execution" check box is checked for that task, save the task, then stop and start the scheduler. If this is not checked, the task will continue to run to completion.

IDM Documentation

In the past year, I have found very little in the way of documentation for OIM. Classes go over some of the basics, but they are very much structured around one directory and a couple of tasks. It is much more useful to have a sandbox and learn by doing. I will attempt to share some of the things that we have come across in our implementation and that we have learned along the way.