Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
After you install an application and use the Provisioning Subscription Tool to create a provisioning profile for it, you must perform the following steps to register the application for provisioning:
1. Perform the initial provisioning registration and create a provisioning-integration profile. The Oracle Provisioning Service uses the provisioning-integration profiles to identify provisioning-integrated applications.
2. Provide the Oracle Provisioning Service with application-specific attributes, their default values, and whether each attribute is mandatory when provisioning users for the application.
3. Register any plug-ins that the provisioning-integrated application requires. This may include application-specific plug-ins that the application uses to enforce business policies.
Note: The Oracle Provisioning Service does not support instance-level provisioning of applications that support a multiple-instance architecture. If you install multiple instances of the same application, the Oracle Provisioning Service treats each instance as a separate provisioning-integrated application.
When creating users with the Provisioning Console, an administrator can assign user attributes for a specific provisioning-integrated application. Because Oracle Internet Directory is the primary directory for attributes that the Provisioning Console manages, application-specific attributes are stored in Oracle Internet Directory for each user that is provisioned for an application. For better performance, provisioning-integrated applications usually cache a local copy of user attributes instead of retrieving them from Oracle Internet Directory. Applications are notified of user creations, user deletions, and attribute modifications either synchronously with the Data Access Java plug-in or asynchronously with a PL/SQL plug-in.
Registration creates a unique identity for an application in Oracle Internet Directory. Oracle applications typically register themselves for provisioning by using the repository APIs located in the repository.jar file, which Oracle Application Server installs by default in the $ORACLE_HOME/jlib directory. In addition to creating an application entry in Oracle Internet Directory, the repository APIs can be used to add applications to privileged groups.
For non-Oracle applications that are not capable of using the registration APIs, you can use LDAP commands and LDIF templates to create identities for the applications in Oracle Internet Directory. You create a container for the application under cn=Products,cn=OracleContext or under cn=Products,cn=OracleContext,Realm DN (where Realm DN is the distinguished name of the identity management realm). The container where you create an application identity depends on whether the application will be available to users in a single realm or in multiple realms. In most cases, you should create the application identity in the cn=Products,cn=OracleContext container so that the application is not bound by the identity management policies of a specific Oracle Internet Directory identity management realm.
You can install multiple instances of the same application. Installing a new instance of a provisioning-integrated application creates a separate entry for the new instance under the application identity container. Although some configuration settings are instance-specific, other settings are shared across multiple instances of the same application. As an example, consider an application that is similar to Oracle Files. You can deploy multiple instances of Oracle Files in an environment where each instance is independent of other instances. You define each instance as a separate provisioning-integrated application. You can also provision users in multiple instances of the application.
When you install the first instance of an application, you must create in Oracle Internet Directory the entries shown in the following example. The example creates the application identity in the cn=Products,cn=OracleContext container and assumes the application name and type are Files-App1 and FILES.
dn: cn=FILES,cn=Products,cn=OracleContext
changetype: add
objectclass: orclContainer

dn: orclApplicationCommonName=Files-App1,cn=FILES,cn=Products,cn=OracleContext
changetype: add
orclappfullname: Files Application Instance 1
userpassword: password
description: This is a test application instance.
protocolInformation: protocol information
orclVersion: 1.0
orclaci: access to entry by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (browse,proxy) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (browse,proxy)
orclaci: access to attr=(*) by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (search,read,write,compare) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (search,read,write,compare)
When you install the second instance of an application, you must create in Oracle Internet Directory the entries shown in the following example. The example also creates the application identity in the cn=Products,cn=OracleContext container and assumes the application name is Files-App2. The cn=FILES container already exists, so only the instance entry is added.
dn: orclApplicationCommonName=Files-App2,cn=FILES,cn=Products,cn=OracleContext
changetype: add
orclappfullname: Files Application Instance 2
userpassword: password
description: This is a test application instance.
protocolInformation: protocol information
orclVersion: 1.0
orclaci: access to entry by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (browse,proxy) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (browse,proxy)
orclaci: access to attr=(*) by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (search,read,write,compare) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (search,read,write,compare)
After you successfully register a provisioning-integrated application with Oracle Internet Directory, you may need to add the application to various privileged groups. Table 13-1 lists common privileged groups in Oracle Internet Directory.
Table 13-1 Common Privileged Groups in Oracle Internet Directory
Group | Description
---|---
 | Create users
 | Edit users
 | Delete users
 | Create groups
 | Edit groups
 | Delete groups
The following LDIF file demonstrates how to grant create user privileges in all realms to the Files-App1 application:
dn: cn=OracleCreateUser,cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: orclApplicationCommonName=Files-App1,cn=FILES,cn=Products,cn=OracleContext
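The following Python script is an added example, not code from this guide or from Oracle. It covers both the instance registration LDIF shown above (first and later instances, in the global or a realm-specific cn=Products container) and the privileged-group grant just shown. Beyond generating the LDIF, it lints a registration file before ldapmodify loads it: the guide's template ships with the placeholder userpassword "password" and grants two administrative groups read/write access to every attribute of the application identity, so the check flags a placeholder or short password and any ACI subject other than the two groups the guide names. It also reads an ldapsearch LDIF dump of cn=Groups,cn=OracleContext and lists which privileged groups an application identity belongs to, normalizing DNs because the guide itself writes both "cn=Products, cn=OracleContext" and "cn=Products,cn=OracleContext". The password-length threshold, the placeholder denylist, and the sample group dump are assumptions constructed for the example; the only group name taken from the guide is OracleCreateUser.

```python
"""Added example (not code from the Oracle guide): generate and check the LDIF
that registers a non-Oracle application instance for provisioning and adds it
to a privileged group in Oracle Internet Directory."""
import re

# Groups the guide's own ACIs grant access to; any other ACI subject is flagged.
DIP_ADMINS = ('cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,'
              'cn=Products,cn=OracleContext')
PROV_ADMINS = 'cn=User Provisioning Admins,cn=Groups,cn=OracleContext'
PRIVILEGED_GROUPS_BASE = 'cn=Groups,cn=OracleContext'
MIN_PASSWORD_LEN = 12                              # assumption: local policy
PLACEHOLDER_PASSWORDS = {'password', 'welcome1'}   # assumption: local denylist
# Constructed sample of an ldapsearch LDIF dump of one privileged group entry.
SAMPLE_GROUP_DUMP = ('dn: cn=OracleCreateUser,cn=Groups,cn=OracleContext\n'
                     'uniquemember: orclApplicationCommonName=Files-App1, '
                     'cn=FILES, cn=Products, cn=OracleContext\n')

def normalize_dn(dn):
    """Case-fold and drop blanks after commas so differently spelled DNs compare equal."""
    return ','.join(p.strip() for p in dn.split(',')).lower()

def products_container(realm_dn=None):
    """cn=Products under the global OracleContext, or under a realm's."""
    base = 'cn=Products,cn=OracleContext'
    return f'{base},{realm_dn}' if realm_dn else base

def registration_ldif(app_type, app_name, full_name, password,
                      first_instance, realm_dn=None, description=''):
    """Add-LDIF for one instance; the type's orclContainer only with the first."""
    container = f'cn={app_type},{products_container(realm_dn)}'
    entries = []
    if first_instance:
        entries.append(f'dn: {container}\nchangetype: add\nobjectclass: orclContainer')
    entries.append('\n'.join([
        f'dn: orclApplicationCommonName={app_name},{container}',
        'changetype: add',
        f'orclappfullname: {full_name}',
        f'userpassword: {password}',
        f'description: {description}',
        'protocolInformation: protocol information',
        'orclVersion: 1.0',
        f'orclaci: access to entry by group="{DIP_ADMINS}" (browse,proxy) '
        f'by group="{PROV_ADMINS}" (browse,proxy)',
        f'orclaci: access to attr=(*) by group="{DIP_ADMINS}" '
        f'(search,read,write,compare) by group="{PROV_ADMINS}" '
        f'(search,read,write,compare)',
    ]))
    return '\n\n'.join(entries) + '\n'

def grant_ldif(app_dn, group_cn):
    """Modify-LDIF adding app_dn to cn=<group_cn>,cn=Groups,cn=OracleContext."""
    return (f'dn: cn={group_cn},{PRIVILEGED_GROUPS_BASE}\nchangetype: modify\n'
            f'add: uniquemember\nuniquemember: {app_dn}\n')

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, continuation lines
    start with one space, attribute names case-folded, values kept as lists."""
    entries = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(' ') and lines:
                lines[-1] += raw[1:]      # fold an LDIF continuation line
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(':')
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(attrs)
    return entries

def lint_registration(text):
    """Findings to clear before ldapmodify: wrong container, placeholder or
    short userpassword, or an ACI subject other than the two expected groups."""
    allowed = {normalize_dn(DIP_ADMINS), normalize_dn(PROV_ADMINS)}
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get('dn', [''])[0]
        if 'cn=products,cn=oraclecontext' not in normalize_dn(dn):
            findings.append(f'{dn}: not under a cn=Products,cn=OracleContext container')
        for pw in entry.get('userpassword', []):
            if len(pw) < MIN_PASSWORD_LEN or pw.lower() in PLACEHOLDER_PASSWORDS:
                findings.append(f'{dn}: weak or placeholder userpassword')
        for aci in entry.get('orclaci', []):
            for subject in re.findall(r'by group="([^"]+)"', aci):
                if normalize_dn(subject) not in allowed:
                    findings.append(f'{dn}: ACI grants access to unexpected group {subject}')
    return findings

def privileges_of(group_dump, app_dn):
    """Sorted cns of the groups under cn=Groups,cn=OracleContext whose
    uniquemember values (from an ldapsearch LDIF dump) include app_dn."""
    target, base = normalize_dn(app_dn), normalize_dn(PRIVILEGED_GROUPS_BASE)
    held = []
    for entry in parse_ldif(group_dump):
        dn = entry.get('dn', [''])[0]
        members = {normalize_dn(m) for m in entry.get('uniquemember', [])}
        if target in members and normalize_dn(dn).endswith(',' + base):
            held.append(dn.split(',')[0].split('=', 1)[1])
    return sorted(held)
```

Run lint_registration on the generated file and load it with $ORACLE_HOME/bin/ldapmodify only when it returns no findings; afterwards, compare privileges_of against the set of groups from Table 13-1 that the application actually needs, so that an application identity keeps only the create, edit or delete privileges its provisioning requires.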