In the ApprovalProcess.bpel design, include the following BPEL activities:

Using Segregation of Duties (SoD) 27-29

This deploys a new composite on the SOA server. You can check whether the composite is deployed by navigating to the following URL:

http://SOA_SERVER_HOSTNAME:SOA_PORT/soa-infra

In the URL, replace SOA_SERVER_HOSTNAME with the host name of the SOA server, and SOA_PORT with the port on which the SOA server is installed.

h. Restart the SOA server.

Registering the Workflow

a. In the OIM_HOME/workflows/registration directory, create a NEW_PROJECT_NAME.props file by copying DefaultRequestApproval.props. Modify NEW_PROJECT_NAME.props by changing the name attribute. Here, NEW_PROJECT_NAME is the name of the new project that you created. The NEW_PROJECT_NAME.props file has the following contents:

    # This is the input file for registering the default workflow (new project name)
    name=NEW_PROJECT_NAME
    category=Approval
    providerType=BPEL
    serviceName=RequestApprovalService
    domainName=default
    version=1.0
    payLoadID=payload
    operationID=process
    listOfTasks=ApprovalTask

Here:
– The version parameter is the version of the workflow deployed on BPEL.
– The listOfTasks parameter is the colon-separated list of approval tasks. For example, if you add a new approval task as Approval_Task1, then you must provide ApprovalTask:ApprovalTask1 as the value for this parameter.

b. Run OIM_HOME/workflows/registration/registerworkflows-mp.xml as shown:

Note: You must replace the following with valid values:
■ SOA_SERVER_HOSTNAME
■ SOA_PORT
■ PROJECT_NAME
■ SOA_USER
■ SOA_PASSWORD

See Also: Chapter 25, "Developing SOA Composites", for the general procedure for creating a new workflow and registering it with Oracle Identity Manager.

27-30 Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

    ant -f registerworkflows-mp.xml register

This command prompts for the following:
UserName: Enter the Oracle Identity Manager administrator user name.
Password: Enter the Oracle Identity Manager administrator password.
oim server t3 URL: Enter t3://OIM_HOST_NAME:OIM_MANAGED_SERVER_PORT. Here, replace OIM_HOST_NAME with the host name of the computer on which Oracle Identity Manager is installed, and OIM_MANAGED_SERVER_PORT with the port on which Oracle Identity Manager is installed.
inputpath (complete file name of the property file): Enter OIM_HOME/workflows/registration/NEW_PROJECT_NAME.props. Here, replace NEW_PROJECT_NAME with the name of the project that you created.

Applying the Workflow By Using Approval Policy

a. Create an approval policy for the request model to which you want to apply the SoD workflow. For example, if you want to perform the SoD check while provisioning a resource, then create a policy for the Provision Resource request model. See "Creating Approval Policies" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about creating approval policies.
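A registration that silently drops an approval task (for example, a typo in listOfTasks) leaves that task outside the SoD approval path, so it is worth checking the property file before running the ant target. The following pre-flight validator is an added example, not part of the Oracle documentation or the registration tooling; the expected key values are the ones listed in the procedure above, and the sample file is constructed here.

```python
# Added example, not from the Oracle documentation: pre-flight check of a
# NEW_PROJECT_NAME.props file before running registerworkflows-mp.xml.
# Expected values are those the registration procedure lists; None means any non-empty value.
REQUIRED = {"name": None, "category": "Approval", "providerType": "BPEL",
            "serviceName": "RequestApprovalService", "domainName": "default",
            "version": None, "payLoadID": "payload", "operationID": "process", "listOfTasks": None}

def parse_props(text):
    """Parse a Java-style .props file: '#' comment lines, one key=value per line."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        props[key.strip()] = value.strip()
    return props

def validate_props(props):
    """Return a list of problems; an empty list means the file is ready to register."""
    errors = []
    for key, expected in REQUIRED.items():
        if not props.get(key):
            errors.append(f"missing or empty key: {key}")
        elif expected is not None and props[key] != expected:
            errors.append(f"{key} must be {expected!r}, found {props[key]!r}")
    if props.get("name") == "NEW_PROJECT_NAME":
        errors.append("name still carries the NEW_PROJECT_NAME placeholder")
    # listOfTasks is colon-separated; a task left out here is never registered as an approval task.
    tasks = props.get("listOfTasks", "").split(":")
    bad = [t for t in tasks if not t.isidentifier()]
    if bad:
        errors.append(f"listOfTasks has malformed entries: {bad}")
    if "ApprovalTask" not in tasks:
        errors.append("listOfTasks does not include the default ApprovalTask")
    return errors

# Constructed sample: the default file with the name changed and a second approval task added.
SAMPLE = """name=SoDRequestApproval
category=Approval
providerType=BPEL
serviceName=RequestApprovalService
domainName=default
version=1.0
payLoadID=payload
operationID=process
listOfTasks=ApprovalTask:ApprovalTask1
"""
```

Run validate_props(parse_props(open(path).read())) on the real file and register only when it returns an empty list.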

27.8.2 Modifying the Provisioning Workflow for SoD

Each process definition has a process task attached to provision entitlements to a user. The SoD validation process must be performed before this task is triggered and immediately after all data has been inserted in the child table that holds entitlements on the target system. Therefore, you must hold this process task until the SoD validation process is completed after the data is inserted in the child tables. To achieve this, you create a Holder task that precedes the provisioning of an entitlement to a user. The Holder task is added to prevent provisioning of a resource to a user before the SoD validation process is completed. User entitlements are provisioned only if this task is complete. The task is completed when the SoD engine validates that the assignment of the entitlements does not violate SoD policies or rules.

If an SoD validation process has been performed in the approval workflow, then the SoD validation process need not be performed again even if SoD validation is enabled at the provisioning level. Whether the SoD validation process needs to be performed can be assessed by checking the following before the SoD validation process at the provisioning level:
■ Is the provisioning related to a request?
■ If yes, is the SoDCheckStatus field set to SoDCheckCompleted?
■ If yes, then do not perform the SoD validation process during entitlement provisioning.

Note:
■ Always attach the SoD workflow at the operational level of approval, because SoD is triggered separately for each resource.
■ Whether the SoD engine is asynchronous or synchronous, the SoD Check Web Service is always asynchronous, and the workflow modification remains the same for both.

To modify the provisioning workflow for SoD validation:

1. Add a Holder task to the provisioning workflow. This task must be made conditional, and the Allow Multiple instances option must be selected. The following figure shows this Holder task:

2. Make the connector insert, update, and revoke entitlement tasks dependent on the Holder task. The following figure shows all entitlement tasks of the Oracle e-Business User Management connector dependent on the Holder task:

Note: The SoD validation process will be performed again only when the process child form is edited to add, update, or remove entitlements.

The following figure shows the Holder task as a preceding task of the Add Responsibility to User task:

3. Add the SODChecker task (any task whose name starts with SODChecker). This task must be made conditional. The following figure shows the SODChecker task: