OIM11gR2: SOA composite for Request Approval Process

This thread discusses the detailed steps for creating SOA composites for the Application and Entitlement (in this case SAP role) request approval process explained below.

Requirement: The Identity Management (OIM 11gR2) system is installed and configured with the SAP connector, and SAP roles are reconciled to OIM using the lookup reconciliation scheduled task. For each reconciled SAP role, an equivalent OIM role with the suffix "_Approver" is created, and the users who need to approve access to that SAP role are added as its members. The following approval rules need to be considered while developing the SOA composites.

 1) An SAP account or entitlement (role) request needs to be approved by the user's manager at the first level.
 2) If the request contains SAP role access, it needs to be approved by the role approver at the second level; otherwise it will be auto-approved.

At a high level, this thread covers the following tasks for implementing the aforesaid requirement:

1)  Designing SOA Composite

2)  Deploying SOA Composite

3) Configuring Email Notification

4)  Configuring OIM Approval Policy

To accommodate the requirements described in section 3, the following two SOA workflow composites will be developed, customized and deployed.

1) Beneficiary Manager Approval

· This is an OOB workflow composite available with the OIM 11g R2 installation, customized to include a few additional requirement changes.

· This composite will be used for user manager approval.

· This composite will be used for both request types, i.e., requesting an account and requesting role access.

2) SAP Role Approval

· This is a custom built workflow composite.

· This composite will be used for initiating approval task for SAP role approvers

· This composite will be configured to be used with SAP role access request only.

The following matrix table details the use and scope of approval composites.

| Workflow Name | Request Type | Process Level | Scope |
|---|---|---|---|
| Beneficiary Manager Approval | Requesting Account (or Requesting an application instance) | Request Level | For any account creation request in OIM |
| SAP Role Approval | Requesting Role Access (or Requesting an Entitlement) | Operation Level | For SAP role/entitlement request only |

This section details the steps to customize the OOB Beneficiary Manager Approval SOA composite to include the following additional functionality:

a) Renaming Approval Task

b) Renaming Approval Task stage name.

c) Adding approval notification for approval completion.

1) Log in to the server where Oracle Identity Manager 11g R2 is installed.

2) Navigate to following directory

cd ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/composites

3) Copy BeneficiaryManagerApproval.zip file to server where JDeveloper Studio 11g environment is setup and extract the content to JDeveloper workspace.

4) Open BeneficiaryManagerApproval application from JDeveloper Studio.

5) Expand the content of BeneficiaryManagerApproval project

6) Open “ApprovalTask.task” file for edit.

7) In the “General” section of the approval task configuration, change the Task Title as follows

Task Title: Manager approval for Request ID <%/task:task/task:payload/task:RequestID%>

8) Navigate to “Assignment” tab and switch to source view.

9) On the source view for Approval Task, change the participant name value as highlighted below

<participants isAdhocRoutingSupported="false">
  <stage name="Stage1">
    <participant name="Manager Approval">
      <list>
        <resourceList>
          <ruleset>
            <name>BeneficiaryManagerRuleset</name>
          </ruleset>
        </resourceList>
      </list>
    </participant>
  </stage>
</participants>

10) Switch back to “Designer” view, navigate to “Notification” tab and press add button to create new notification event

11) Set new notification event parameter as follows

Task Status: Complete

Recipient: Initiator

Notification Header: Press edit button and set following value for notification message

Email Template

The <%/task:task/task:payload/task:RequestModel%> request has been <%translate(/task:task/task:systemAttributes/task:outcome, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')%>d by the approver. <BR><BR>

Request ID: <%/task:task/task:payload/task:RequestID%> <BR>

Request type: <%/task:task/task:payload/task:RequestModel%> <BR>

<BR>

Check your request in the

<A

style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/request?key<%/task:task/task:payload/task:RequestID%>

>

Identity Self Service

</A>

12) Save the changes.


13) Create deployment artifact for BeneficiaryManagerApproval composite, by following the steps below

a. Right click on the project name, select Deploy option and select “BeneficiaryManagerApproval”.

b. On the “Deployment Action” window, select “Deploy to SAR” and press “Next”.

c. Click “Next” button on “Deployment Configuration” screen.

d. Press “Finish” button on “Summary” screen to generate new SOA composite jar deployment file.

This section details the step for developing custom approval workflow for SAP Role Approval.

1.2.1 Create New Composite

1) Login to server where Oracle Identity Manager 11g R2 is installed

2) Navigate to directory ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow


cd ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow

3) Run the following ANT script to generate the default workflow template for SAP Role Approval, and provide the inputs as given below.

ant -f new_project.xml

Please enter application name: SAPAppInstanceApproval

Please enter project name: SAPAppInstanceApproval

Please enter the service name of the composite: SAPAppInstanceApproval

4) Navigate to following directory

cd ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow/process-template

5) Compress the newly created SOA composite directory “SAPAppInstanceApproval” using a zip utility

zip -r SAPAppInstanceApproval SAPAppInstanceApproval

6) Move the “SAPAppInstanceApproval.zip” file to the server where the JDeveloper Studio 11g environment is set up and extract the content of the zip to the JDeveloper workspace.

7) Follow the step below to copy schema definition files (xsd) and wsdl file for Request Web Service to SAPAppInstanceApproval project.

1.2.2 Copy WSDL and Schema Files

1) Copy the request web service EAR, reqsvc.ear, from <OIM_HOME>/webapp/optional/ to the location where you copied the SOA composite.

2) Rename the reqsvc.war file to reqsvc.zip and extract it.

3) In the extracted reqsvc.war, navigate to /reqsvc/reqsvc/WEB-INF/wsdl/.

4) Copy all the files under “xsd” directory to project directory “SAPAppInstanceApproval/SAPAppInstanceApproval/xsd”.

5) Copy the “requestdataservice.wsdl” to project directory “SAPAppInstanceApproval/SAPApprovalInstance”

1.2.3 Configure Request Web Service Partner Links

1) Open SAPRoleApproval application from JDeveloper Studio

2) Now expand the content of SAPRoleApproval project

3) Open “ApprovalProcess.bpel” file for edit

4) Right click on the “Partner Links” section and choose “Create Partner Link..” option from pop-up menu.

5) In the Create Partner Link dialog box, enter RequestWSPartnerLink as the name.

6) To specify the WSDL URL, click the SOA Resource Browser icon, as shown in the screen shot below.


7) Enter the following values to create the partner link, and then click Apply and OK.

WSDL URL: requestdataservice.wsdl

Partner Role: RequestDataServiceProvider

8) Switch to the Composite view by opening “composite.xml” file. Right-click the newly created partner link, and select Configure WS Policies, as shown in the screen shot below. The Configure SOA WS Policies dialog box is displayed.


9) In the Security section, click the Add icon. The Select Client Security Policies dialog box is displayed.

10) Select oracle/wss_username_token_client_policy, and click OK.

11) Select the policy that you added to the Security section.

12) Click the Edit icon. The Configure Override Properties dialog box is displayed.

13) Select the CSF Key parameter, enter “RequestWSKey” as the value, and then click OK.

1.2.4 Configure Sequence for Getting Request Details from OIM

1) Add an assign activity next to “receiveInput” activity, and name it AssignRequestWSURL,


2) Select the activity, and open the BPEL process in the Source view.

3) Replace the line <assign name="AssignRequestWSURL"/> with the following:


<assign name="AssignRequestWSURL">
  <copy>
    <from>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address/>
      </EndpointReference>
    </from>
    <to variable="partnerLink"/>
  </copy>
  <copy>
    <from expression="concat(substring-before(bpws:getVariableData('inputVariable','payload','/ns3:process/ns4:url'),'workflowservice'),'reqsvc/reqsvc')"/>
    <to variable="partnerLink" query="/ns14:EndpointReference/ns14:Address"/>
  </copy>
  <copy>
    <from variable="partnerLink"/>
    <to partnerLink="RequestWSPartnerLink"/>
  </copy>
</assign>

4) Switch back to Design view.

5) Drag the Invoke activity from the Component Palette and drop it below the AssignRequestWSURL activity. Rename it to InvokeRequestDetailsOperation.

6) Right-click InvokeRequestDetailsOperation, and select Edit.

7) Select partner link from the Partner Link Chooser as RequestWSPartnerLink, and operation as getRequestDetails


8) Under the Variables section, click the plus (+) icon for the Input and Output fields to create the input and output variables. Name the input and output variables as requestDetails_InputVariable and requestDetails_OutputVariable respectively. Then click Apply and OK.

9) Drag and drop an assign activity, rename it to AssignRequestInput, and place it above the InvokeRequestDetailsOperation invoke activity.



10) Right-click AssignRequestInput to map the input of the InvokeRequestDetailsOperation, as shown below.

inputVariables/payload//ns3:process/ns4:RequestID ->

requestDetails_InputVariable/RequestId//ns16:RequestId
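
The AssignRequestWSURL copy above builds the Request web service address from the callback URL carried in the request payload, and the composite later sends the system administrator's username and password to that address. The following added example (not part of the original post; the function names, sample URLs and allowed-host set are constructed for illustration) reproduces the XPath expression in Python and checks the resulting address, assuming the endpoint should be HTTPS on a known OIM host.

```python
from urllib.parse import urlsplit


def xpath_substring_before(value, marker):
    """XPath 1.0 substring-before(): returns '' when the marker is absent."""
    idx = value.find(marker)
    return value[:idx] if idx >= 0 else ""


def derive_request_ws_address(callback_url):
    """Mirror of the BPEL expression on the page:
    concat(substring-before(url, 'workflowservice'), 'reqsvc/reqsvc')"""
    return xpath_substring_before(callback_url, "workflowservice") + "reqsvc/reqsvc"


def check_request_ws_address(address, allowed_hosts):
    """Return a list of findings; an empty list means the address passed.

    allowed_hosts is a hypothetical set of lower-case host names that are
    expected to serve the Request web service in this deployment.
    """
    parts = urlsplit(address)
    if not parts.scheme or not parts.hostname:
        # substring-before() returned '' so only the relative suffix is left.
        return ["not an absolute URL: 'workflowservice' missing from callback URL"]
    findings = []
    if parts.scheme != "https":
        findings.append("scheme is %s: credentials would cross the network "
                        "without transport encryption" % parts.scheme)
    if parts.hostname not in allowed_hosts:
        findings.append("host %s is not an expected OIM host" % parts.hostname)
    return findings


def review(callback_urls, allowed_hosts):
    """Derive and check the address for each callback URL."""
    report = {}
    for url in callback_urls:
        address = derive_request_ws_address(url)
        report[url] = (address, check_request_ws_address(address, allowed_hosts))
    return report


# Constructed callback URLs; none of them come from the original post.
SAMPLE_URLS = [
    "https://oim.example.com:14001/workflowservice/CallbackService",
    "http://oim.example.com:14000/workflowservice/CallbackService",
    "https://oim.example.com:14001/callback",
    "https://other.example.net/workflowservice/CallbackService",
]

if __name__ == "__main__":
    for url, (address, findings) in review(SAMPLE_URLS, {"oim.example.com"}).items():
        print(url)
        print("  ->", address)
        for finding in findings or ["ok"]:
            print("    ", finding)
```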


1.2.5 Configure Workflow Selection

1) Add a switch activity next to “InvokeRequestDetailsOperation”


2) Select the first condition under the switch activity and enter following details.

Label : Has Child Data

Condition:

bpws:getVariableData('requestDetails_OutputVariable','RequestData','/ns16:RequestData/ns16:BeneficiaryData/ns16:Beneficiary/ns16:Entity/ns16:DataAttribute[@Name="UD_APPROLES"]')

3) Add an assign activity under otherwise section of newly created switch activity. And name it “AutoApproval”

4) Select “AutoApproval” activity and switch to “Source” view.

5) Replace <assign name="AutoApproval"/> with the following block

<assign name="AutoApproval">
  <copy>
    <from expression="string('approved')"/>
    <to variable="outputVariable"
        part="payload"
        query="/ns3:processResponse/ns3:result"/>
  </copy>
  <copy>
    <from expression="ora:getConversationId()"/>
    <to variable="Invoke_1_callback_InputVariable_1"
        part="parameters"
        query="/ns1:callback/arg0"/>
  </copy>
  <copy>
    <from expression="string('approved')"/>
    <to variable="Invoke_1_callback_InputVariable_1"
        part="parameters"
        query="/ns1:callback/arg1"/>
  </copy>
</assign>

6) Switch to Design view.

7) Drag “ApprovalTask_1” and the switch activity below it to “Has Child Data” switch case as shown below.

1.2.6 Configure Workflow Selection

1) Open “ApprovalTask.Task” file for edit

2) On the “General” section of “ApprovalTask” edit page enter following details

Task Title: SAP Role Approval for Request ID <%/task:task/task:payload/task:RequestID%>

Description: Approval Task for SAP Role Request



3) On the “Data” section, add a new string parameter namely “ApproverRole”

4) Now open “ApprovalProcess.bpel” , right click and edit “ApprovalTask_1” activity. And map “ApproverRole” parameter as follows

ApproverRole -> /ns16:RequestData/ns16:BeneficiaryData/ns16:Beneficiary/ns16:Entity/ns16:DataAttribute/ns16:ChildRow/ns16:ChildDataAttribute/@Value

5) Re-open ApprovalTask.task file and on the “Assignment” section, select the stage “Stage1.Participant1” and press the Edit button.

6) On the “Edit Participant Type” dialog enter following details

Label: SAP Role Approvers

Specify attributes using: select “Rule-based” radio option

List RuleSet: SAPRoleApproverRule

7) Save the participant type by pressing the “Ok” button, and wait for the Oracle Business Rule component to be re-rendered.

8) On the “ApprovalTaskRules.rules” page, press “Create Rule” button.

9) On the Rule configuration section, set the details as follows

a. Select “Rule1” and name it “SAPApproverRule”

b. Select “Description” and enter value as “Rule to get approver from OIM SAP Approval Role”

c. And expand “SAPApproverRule” Advanced setting and select “Advanced Mode” option.


10) On the rule builder section enter variables and operands as follows for “IF THEN ELSE” block

a. Select “Variable” on the IF section and enter value as “Task”

b. Select “fact type” on the IF section and select “Task” from the drop-down

c. Select “<insert pattern>” on the IF section of the rule builder to add another condition

d. Set the new conditions’ variable and fact type as follows

Variable: Lists

Fact Type: Lists

e. Select “<insert action>” button on “THEN” section of IF block and select “call” action.

f. Select “<target>” placeholder on the call action and select “CallResourceList” action from the drop-down.

g. Set “CreateResourceList” function parameter as follows

Users : null

Groups : set following value using expression builder

If Role Name is String (without IT Resource Key prefix)

Task.payload.approverRole + "_Approver"

If Role Name is DN set following,

RL.string.substring before(RL.string.substring after(Task.payload.approverRole, "cn="), ",ou=")+ "_Approver"


NOTE: The current assumption is that the naming convention used to create OIM approver roles for equivalent SAP role/ entitlement is as follows.

<COMMONNAME_OF_SAP_ROLE>_Approver

Eg. If SAP Role is “cn=TestRole,ou=Role,dc=mydomain,dc=com” then OIM approver role is “TestRole_Approver”.

If there is a change in the naming convention used for OIM approver role then the same need be reflected in the value for “Groups” parameter.

Approles: null

ResponseType: ResponseType.REQUIRED

RuleName: Enter following text within the expression box and press enter


"SAPRoleApproverRule"

Lists: Lists

11) Save the changes.

12) The updated “SAPRoleApproverRule” looks as follows

13) Click “Validate” button to check for errors.

14) Close “ApprovalTaskRules.rules” window

15) And open “ApprovalTask.task” file for edit.

16) Navigate to “Notification” tab

17) Select the notification configured for the “Assign” task status and click the “Edit” button

18) Copy and paste the content below to “Edit Notification Message” text box.

Email Template

A <%/task:task/task:payload/task:RequestModel%> request has been assigned to you for approval. <BR><BR>

Request ID: <%/task:task/task:payload/task:RequestID%> <BR>

Request type: <%/task:task/task:payload/task:RequestModel%> <BR>

<BR>

Access this task in the

<A

style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/home?tf=approval_details

>

Identity Self Service

</A>

application or take direct action using the links below. Approvers are required to provide a justification when rejecting the request.

19) Click Ok and Save the changes

20) Select and edit notification for “Complete” task status. And set following notification message.

Email Template

The <%/task:task/task:payload/task:RequestModel%> request has been <%translate(/task:task/task:systemAttributes/task:outcome, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')%>d by the approver. <BR><BR>

Request ID: <%/task:task/task:payload/task:RequestID%> <BR>

Request type: <%/task:task/task:payload/task:RequestModel%> <BR>

<BR>

Check your request in the

<A

style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/request?key<%/task:task/task:payload/task:RequestID%>

>

Identity Self Service

</A>

21) Click Ok and Save the changes

22) Navigate to “Advanced” tab of Notification configuration and select following options

· Make notification actionable
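
The “Has Child Data” switch condition and the ApproverRole mapping above both read the request payload, and together they decide whether a request reaches the SAP role approvers or takes the auto-approval branch. The following added example (not part of the original post) evaluates both paths over constructed payloads so the routing can be checked for requests with several roles, other child tables, or an empty role table. The namespace URI and every attribute name other than UD_APPROLES are placeholders, since the page shows only the prefix ns16.

```python
import xml.etree.ElementTree as ET

# Placeholder namespace: the page shows only the prefix ns16, not its URI.
NS = {"r": "urn:example:request-data-placeholder"}
ENTITY = "r:BeneficiaryData/r:Beneficiary/r:Entity"


def _payload(body):
    """Wrap constructed DataAttribute elements in the element path used on the page."""
    return ('<RequestData xmlns="%s"><BeneficiaryData><Beneficiary><Entity>%s'
            '</Entity></Beneficiary></BeneficiaryData></RequestData>' % (NS["r"], body))


# Constructed samples; only the name UD_APPROLES is taken from the page.
TWO_ROLES = _payload(
    '<DataAttribute Name="UD_APPROLES">'
    '<ChildRow><ChildDataAttribute Name="Role" '
    'Value="cn=TestRole,ou=Role,dc=mydomain,dc=com"/></ChildRow>'
    '<ChildRow><ChildDataAttribute Name="Role" '
    'Value="cn=OtherRole,ou=Role,dc=mydomain,dc=com"/></ChildRow>'
    '</DataAttribute>'
    '<DataAttribute Name="UD_EXAMPLE_CHILD">'
    '<ChildRow><ChildDataAttribute Name="Item" Value="constructed-value"/></ChildRow>'
    '</DataAttribute>')
ACCOUNT_ONLY = _payload('<DataAttribute Name="UD_EXAMPLE_LOGIN" Value="jdoe"/>')
EMPTY_ROLE_TABLE = _payload('<DataAttribute Name="UD_APPROLES"/>')


def has_child_data(root):
    """Model of the switch condition: does a UD_APPROLES DataAttribute exist?"""
    return root.find(ENTITY + "/r:DataAttribute[@Name='UD_APPROLES']", NS) is not None


def values_as_mapped(root):
    """Every value selected by the page's ApproverRole path (no @Name filter)."""
    path = ENTITY + "/r:DataAttribute/r:ChildRow/r:ChildDataAttribute"
    return [e.get("Value") for e in root.findall(path, NS)]


def values_roles_only(root):
    """The same path restricted to the UD_APPROLES child table."""
    path = (ENTITY + "/r:DataAttribute[@Name='UD_APPROLES']"
            "/r:ChildRow/r:ChildDataAttribute")
    return [e.get("Value") for e in root.findall(path, NS)]


def route(xml_text):
    """Return the branch taken and notes an approver-workflow owner should review."""
    root = ET.fromstring(xml_text)
    roles = values_roles_only(root)
    mapped = values_as_mapped(root)
    notes = []
    if not has_child_data(root):
        decision = "auto-approve"
    else:
        decision = "role-approval"
        if not roles:
            notes.append("UD_APPROLES present but no role value to derive an approver from")
        if len(roles) > 1:
            notes.append("%d role values for one string parameter" % len(roles))
        if len(mapped) > len(roles):
            notes.append("unfiltered path also selects %d non-role value(s)"
                         % (len(mapped) - len(roles)))
    return {"decision": decision, "roles": roles, "mapped": mapped, "notes": notes}


if __name__ == "__main__":
    for name, sample in [("two roles", TWO_ROLES), ("account only", ACCOUNT_ONLY),
                         ("empty role table", EMPTY_ROLE_TABLE)]:
        print(name, "->", route(sample))
```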

1.2.7 Make SOA Composite

1) Create deployment artifact for SAPAppInstanceApproval composite, by following the steps below

a. Right click on the project name, select Deploy option and select “SAPAppInstanceApproval”.

b. On the “Deployment Action” window, select “Deploy to SAR” and press “Next”.

c. Click “Next” button on “Deployment Configuration” screen.

d. Press “Finish” button on “Summary” screen to generate new SOA composite jar deployment file.

This section details the step for developing custom approval workflow for SAP Role Approval.

2) Login to server where Oracle Identity Manager 11g R2 is installed

3) Navigate to directory ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow


cd ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow

4) Run the following ANT script to generate the default workflow template for SAP Role Approval, and provide the inputs as given below.

ant -f new_project.xml

Please enter application name: SAPRoleApproval

Please enter project name: SAPRoleApproval

Please enter the service name of the composite: SAPRoleApproval

5) Navigate to following directory

cd ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow/process-template

6) Compress the newly created SOA composite directory “SAPRoleApproval” using a zip utility

zip -r SAPRoleApproval SAPRoleApproval

7) Move the “SAPRoleApproval.zip” file to the server where the JDeveloper Studio 11g environment is set up and extract the content of the zip to the JDeveloper workspace.

8) Open SAPRoleApproval application from JDeveloper Studio

9) Now expand the content of SAPRoleApproval project

10) Open “ApprovalTask.Task” file for edit

11) On the “General” section of “ApprovalTask” edit page enter following details

Task Title: SAP Role Approval for Request ID <%/task:task/task:payload/task:RequestID%>

Description: Approval Task for SAP Role Request



12) On the “Assignment” section, select the stage “Stage1.Participant1” and press the Edit button.

13) On the “Edit Participant Type” dialog enter following details

Label: SAP Role Approvers

Specify attributes using: select “Rule-based” radio option

List RuleSet: SAPRoleApproverRule

14) Save the participant type by pressing the “Ok” button, and wait for the Oracle Business Rule component to be re-rendered.

15) On the “ApprovalTaskRules.rules” page, press “Create Rule” button.

16) On the Rule configuration section, set the details as follows

a. Select “Rule1” and name it “SAPApproverRule”

b. Select “Description” and enter value as “Rule to get approver from OIM SAP Approval Role”

c. And expand “SAPApproverRule” Advanced setting and select “Advanced Mode” option.


17) On the rule builder section enter variables and operands as follows for “IF THEN ELSE” block

a. Select “Variable” on the IF section and enter value as “Task”

b. Select “fact type” on the IF section and select “Task” from the drop-down

c. Select “<insert pattern>” on the IF section of the rule builder to add another condition

d. Set the new conditions’ variable and fact type as follows

Variable: Lists

Fact Type: Lists

e. Select “<insert action>” button on “THEN” section of IF block and select “call” action.

f. Select “<target>” placeholder on the call action and select “CallResourceList” action from the drop-down.

g. Set “CreateResourceList” function parameter as follows

Users : null

Groups : set following value using expression builder

If Role Name is String (without IT Resource Key prefix)

Task.payload.objectDetails.name + "_Approver"

If Role Name is DN set following,

RL.string.substring before(RL.string.substring after(Task.payload.objectDetails.name.toLowerCase(), "cn="), ",ou=")+ "_Approver"


NOTE: The current assumption is that the naming convention used to create OIM approver roles for equivalent SAP role/ entitlement is as follows.

<COMMONNAME_OF_SAP_ROLE>_Approver

Eg. If SAP Role is “cn=TestRole,ou=Role,dc=mydomain,dc=com” then OIM approver role is “TestRole_Approver”.

If there is a change in the naming convention used for OIM approver role then the same need be reflected in the value for “Groups” parameter.

Approles: null

ResponseType: ResponseType.REQUIRED

RuleName: Enter following text within the expression box and press enter


"SAPRoleApproverRule"

Lists: Lists

18) Save the changes.

19) The updated “SAPRoleApproverRule” looks as follows

20) Click “Validate” button to check for errors.

21) Close “ApprovalTaskRules.rules” window

22) And open “ApprovalTask.task” file for edit.

23) Navigate to “Notification” tab

24) Select the notification configured for the “Assign” task status and click the “Edit” button

25) Copy and paste the content below to “Edit Notification Message” text box.

Email Template

A <%/task:task/task:payload/task:RequestModel%> request has been assigned to you for approval. <BR><BR>

Request ID: <%/task:task/task:payload/task:RequestID%> <BR>

Request type: <%/task:task/task:payload/task:RequestModel%> <BR>

<BR>

Access this task in the

<A

style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/home?tf=approval_details

>

Identity Self Service

</A>

application or take direct action using the links below. Approvers are required to provide a justification when rejecting the request.

26) Click Ok and Save the changes

27) Select and edit notification for “Complete” task status. And set following notification message.

Email Template

The <%/task:task/task:payload/task:RequestModel%> request has been <%translate(/task:task/task:systemAttributes/task:outcome, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')%>d by the approver. <BR><BR>

Request ID: <%/task:task/task:payload/task:RequestID%> <BR>

Request type: <%/task:task/task:payload/task:RequestModel%> <BR>

<BR>

Check your request in the

<A

style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/request?key<%/task:task/task:payload/task:RequestID%>

>

Identity Self Service

</A>

28) Click Ok and Save the changes

29) Navigate to “Advanced” tab of Notification configuration and select following options

· Make notification actionable

30) Create deployment artifact for SAPRoleApproval composite, by following the steps below

a. Right click on the project name, select Deploy option and select “SAPRoleApproval”.

b. On the “Deployment Action” window, select “Deploy to SAR” and press “Next”.

d. Press “Finish” button on “Summary” screen to generate new SOA composite jar deployment file.
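
Both approval-task rules above derive the approver group from the requested role name with the “Groups” expression, so the group that receives the task depends entirely on how the role DN is written. The following added example (not part of the original post) models the two DN expressions and compares them with a stricter derivation that refuses names it cannot parse. It assumes the rule functions behave like XPath substring-before and substring-after, which return an empty string when the marker is absent; the strict function and its allowed character set are hypothetical.

```python
import re

SUFFIX = "_Approver"


def substring_after(value, marker):
    """Text after the first marker, or '' when the marker is absent (assumed semantics)."""
    idx = value.find(marker)
    return value[idx + len(marker):] if idx >= 0 else ""


def substring_before(value, marker):
    """Text before the first marker, or '' when the marker is absent (assumed semantics)."""
    idx = value.find(marker)
    return value[:idx] if idx >= 0 else ""


def group_from_dn_as_on_page(role_dn, lowercase_first=False):
    """Model of the page's Groups expression for DN-style role names.

    lowercase_first=True models the second rule, which applies toLowerCase()
    to the name before searching for "cn=" and ",ou=".
    """
    name = role_dn.lower() if lowercase_first else role_dn
    return substring_before(substring_after(name, "cn="), ",ou=") + SUFFIX


# Hypothetical stricter form: the DN must start with a CN component made of
# letters, digits, space, '_', '.' or '-', followed by a comma.
CN_PREFIX = re.compile(r"^\s*cn\s*=\s*([A-Za-z0-9_.\- ]+?)\s*,", re.IGNORECASE)


def group_from_dn_strict(role_dn):
    """Return '<CN>_Approver' or raise ValueError so the request can be held."""
    match = CN_PREFIX.match(role_dn)
    if not match:
        raise ValueError("cannot derive approver group from %r" % role_dn)
    return match.group(1) + SUFFIX


def compare(role_dn):
    """Derive the group all three ways; 'strict' is None when the DN is refused."""
    try:
        strict = group_from_dn_strict(role_dn)
    except ValueError:
        strict = None
    first = group_from_dn_as_on_page(role_dn)
    second = group_from_dn_as_on_page(role_dn, lowercase_first=True)
    return {
        "first_rule": first,
        "second_rule": second,
        "strict": strict,
        # A bare suffix means the role name contributed nothing to the group.
        "empty_cn": SUFFIX in (first, second),
    }


# Constructed role names; the first is the example DN given on the page.
SAMPLES = [
    "cn=TestRole,ou=Role,dc=mydomain,dc=com",
    "CN=TestRole,OU=Role,dc=mydomain,dc=com",
    "cn=TestRole,dc=mydomain,dc=com",
    "TestRole",
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(dn, "->", compare(dn))
```

The second rule's toLowerCase() call yields "testrole_Approver" for the page's example DN, so the OIM approver role name has to match that casing if role lookup is case-sensitive in the deployment.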

This section details the step for deploying or configuring following components.

a) Deploying SOA Composites

b) Configuring SOA Email Notification

c) Configuring OIM Approval Policy

As pre-requisite to deploying SOA composites, prepare the SOA composite JAR file as explained in section 4 and make following two JAR files available at the host system from where administrator will perform deployment.

a. sca_BeneficiaryManagerApproval_rev1.0.jar

b. sca_SAPAppInstanceApproval_rev1.0.jar

c. sca_SAPRoleApproval_rev1.0.jar

2.1.1 Un-deploying OOB Manager approval composite

1. Login to Weblogic Enterprise Manager web console as administrative user

http://<Weblogic_Host>:<Weblogic_Admin_Server_Port>/em

2. Expand Weblogic Farm as shown below

Farm_<OIM_Domain_Name> -> SOA -> soa-infra (<soa_server_instance_name>) -> default

3. Select and right click on the “BeneficiaryManagerApproval[1.0]” SOA composite. And select “Undeploy” option from drop-down as shown

4. On the confirmation screen, press “Undeploy” button and wait for composite to be un-deployed.

2.1.2 Deploying custom built SOA composite

Follow the instructions detailed below to deploy listed composites.

a. sca_BeneficiaryManagerApproval_rev1.0.jar

b. sca_SAPAppInstanceApproval_rev1.0.jar

c. sca_SAPRoleApproval_rev1.0.jar

1) Expand Weblogic farm from Enterprise Manager as administrative user.

Farm_<OIM_Domain_Name> -> SOA -> soa-infra (<soa_server_instance_name>)

2) Select and right click on “default” name space. And select “Deploy To This partition…” option from the drop-down menu to open “Deploy SOA Composite” wizard

Default -> SOA Deployment -> Deploy To This Partition…

3) On the “Select Archive” page, choose “Archive is on the machine where this web browser is running” option, browse the composite to upload and press “Next” button.

4) Wait for the “Confirmation” page to load and press the “Deploy” button to initiate the composite upload.

To deploy the Request web service:

1. Login to Weblogic Enterprise Manager as administrative user.

http://<Weblogic_Host>:<Weblogic_Admin_Server_Port>/em

2. Expand Weblogic Farm as shown below

Farm_<OIM_Domain_Name> -> Weblogic Domain -> <OIM Domain Name>

3. Select and right click on “OIM Server”. And choose following options “Application Deployment -> Deploy” from pop-up menu.

4. On the “Select Archive” page, choose Archive or exploded directory is on the server where Enterprise Manager is running option.

5. Click Browse to open a file browser popup, select the following web service and press “Next” button.

<OIM_HOME>/server/webapp/optional/reqsvc.ear

6. Ensure “OIM server” is selected on the “Select Target” page and press “Next” button.

7. Press “Deploy” button on the “Application Attributes” page to deploy request web service.

The Request web service is protected with the wss_username_token_service_policy security policy. Therefore, the composite that acts as a client to the web service must validate and pass the username and password for authentication. As a result, you must store the credential of the System Administrator in the CSF.

To store credentials in CSF:

1. Login to Weblogic Enterprise Manager as administrative user.

http://<Weblogic_Host>:<Weblogic_Admin_Server_Port>/em

2. Expand Weblogic Farm as shown below

Farm_<OIM_Domain_Name> -> Weblogic Domain

3. Right-click OIM domain and select following options from pop-up menu.

Security -> Credentials

4. Select oracle.wsm.security, and click Create Key. The Create Key dialog box is displayed.

5. Enter following details on Create Key dialog box.

o Select Map: oracle.wsm.security

o Key: RequestWSKey

o Type: Password

o Username: Oracle Identity Manager system administrator login ID

o Password: Oracle Identity Manager system administrator password

o Description: Security token for Request Web Service

6. Click OK.

2.4.3 Configure Email driver properties

1. Login to Weblogic Enterprise Manager web console as administrative user

http://<Weblogic_Host>:<Weblogic_Admin_Server_Port>/em

2. Expand Weblogic Farm as shown below

Farm_<OIM_Domain_Name> -> User Message Service

3. Select and right click on “usermessagingdriver-email (soa_server_name)”. And select “Email Driver Properties” option as shown below.

4. On the “Email Driver Properties” page, navigate to “Driver-specific Configuration” section

Set following attribute values to send email from SOA environment

| Attribute Name | Description |
|---|---|
| OutgoingMailServer | Hostname of the SMTP email server |
| OutgoingMailServerPort | Port on which SMTP email server is listening. |
| OutgoingMailServerSecurity | Set to SSL / TLS if the email server only accepts secure connection. Otherwise “None” |
| OutgoingUsername | Username to be used to connect SMTP server. Can be blank if anonymous authentication is supported |
| OutgoingPassword | Password to be used for SMTP server connection. |

The following set of properties must be configured if notification needs to be actionable.

§ MessageAccessPortocol

§ IncomingMailServer

§ IncomingMailServerPort

§ IncomingMailServerSSL

§ IncomingMailIDs

§ IncomingUserIDs

§ IncomingUserPasswords

5. After updating email driver properties, press “Apply” button to save the changes.

2.4.4 Configure SOA Suite Workflow Notification property

1) Expand Weblogic farm from Enterprise Manager as administrative user.

Farm_<OIM_Domain_Name> -> SOA -> soa-infra (<soa_server_instance_name>)

2) Select and right click on “soa-infra”. And select “SOA Administration -> Workflow Config” option.


3) On “Workflow Notification Properties” page, set values for following properties.

Notification Mode: Email

From Address: <From address to be used for email sent from SOA>

Actionable Address: <Mail address to which approval task action reply will be sent>

Reply Address: <A default reply address to be used>

4) Press “Apply” button to save the changes.


2.5.5 Application Instance Approval Policy

2.5.5.1 Request Level Policy

1) From the OIM sysadmin console, open “Approval Policies” Configuration wizard.

2) Create a new Approval Policy, with following details.

Basic Information

Policy Name: ApplicationAccountPolicy-RL

Description: Approval policy for application account/instance request

Request Type: Provisioning ApplicationInstance

Level: Request Level

Approval Process Configuration

Approval Process: default/BeneficiaryManagerApproval!1.0

Leave other parameters as default.

3) Press “Next” button, to bring “Set Approval Rule and Component” and fill in the details as below

Rule Name: AccountApprovalRule

And add the following simple rule to Rule Components section.

4) Press “Next” button followed by “Finish” button on the “Review Approval Policy Summary” screen to create new approval policy.

2.5.5.2 Operation Level Policy

1) Create another Approval Policy for application account request at operation level, with following details.

Basic Information

Policy Name: ApplicationAccountPolicy-OL

Description: Approval policy for application account/instance request at operation level

Request Type: Provisioning ApplicationInstance

Level: Operation Level

Scope: Select the Application Instance configured for SAP resource

Approval Process Configuration

Approval Process: default/SAPAppInstanceApproval!1.0

Leave other parameters as default.

2) Press “Next” button, to bring “Set Approval Rule and Component” and fill in the details as below

Rule Name: AccountApprovalRule

And add the following simple rule to Rule Components section.

3) Press “Next” button followed by “Finish” button on the “Review Approval Policy Summary” screen to create new approval policy.

2.5.6 Application Entitlement Approval Policy

2.5.6.1 Request Level Policy

1) From the OIM sysadmin console, open “Approval Policies” Configuration wizard.

2) Create a new Approval Policy, with following details.

Basic Information

Policy Name: ApplicationEntitlementPolicy-RL

Description: Approval policy for application entitlement request

Request Type: Provision Entitlement

Level: Request Level

Approval Process Configuration

Approval Process: default/BeneficiaryManagerApproval!1.0

Leave other parameters as default.

3) Press “Next” button, to bring “Set Approval Rule and Component” page and fill in the details as below

Rule Name: EntitlementApprovalRule

And add the following simple rule to Rule Components section.

4) Press “Next” button followed by “Finish” button on the “Review Approval Policy Summary” screen to create new approval policy.

2.5.6.2 Operation Level Policy

1) Create another Approval Policy for application account request at operation level, with following details.

Basic Information

Policy Name: ApplicationEntitlementPolicy-OL

Description: Approval policy for application entitlement request at operation level

Request Type: Provision Entitlement

Level: Operation Level

Scope: Select the Application Instance configured for SAP resource

Approval Process Configuration

Approval Process: default/SAPRoleApproval!1.0

Leave other parameters as default.

2) Press “Next” button, to bring “Set Approval Rule and Component” and fill in the details as below

Rule Name: AccountApprovalRule

And add the following simple rule to Rule Components section.

3) Press “Next” button followed by “Finish” button on the “Review Approval Policy Summary” screen to create new approval policy.

About

OIM11gR2 Blog by NA-TAG Offshore IDAM team
