Organization of Provisioning Entries in the Directory Information Tree

Figure 12–5 Valid Provisioning Status Transitions

12.5.2.3 Upgrading and Coexistence Provisioning Statuses

In Oracle Identity Management 11g Release 1 (11.1.1), a user entry can be physically represented in Oracle Internet Directory by multiple LDAP entries. In addition to the base user entry, separate LDAP entries can exist for each provisioning-integrated application.

In a typical upgrade of Oracle Identity Management, multiple middle tiers are not upgraded simultaneously. This means that following an Oracle Identity Management upgrade, middle tiers from a previous version may need to run in parallel with middle tiers from the upgraded version. When a middle tier is upgraded, all of a user’s application-specific data that was previously stored in the application metadata repository is migrated on demand.

For each user entry that is present in Oracle Internet Directory prior to the upgrade, the Oracle Directory Integration Platform initiates a new user event and assigns a provisioning status of PENDING_UPGRADE to the user entry. If a new user entry is created from an older middle tier or through some unsupported route, such as an existing application using the standard LDAP SDK, the provisioning status attribute will be missing. In this case, the Oracle Directory Integration Platform also initiates a new user event and assigns a provisioning status of PENDING_UPGRADE to the user entry. Once a provisioning-integrated application receives the event, it returns a response to the Oracle Directory Integration Platform indicating whether or not the user is provisioned. The Oracle Directory Integration Platform then updates the provisioning status in the user entry accordingly.

12.5.2.4 Provisioning Statuses and Exception Handling

If a new user entry created with the Provisioning Console or through synchronization with an external data source does not contain enough information to provision the user in a particular application, provisioning may fail. Provisioning can also fail for a variety of other reasons. The Oracle Directory Integration Platform Service identifies user provisioning failures as exceptions.

Whenever an application responds to a USER_ADD event with a failure status, the Oracle Directory Integration Platform changes the user’s provisioning status to PROVISIONING_FAILURE. The Oracle Directory Integration Platform then notifies the applications about the failed cases, just as it does for a new user. This serves as a retry of the provisioning request.

The provisioning status of a user is displayed in the Provisioning Console. The administrator can make the necessary changes to fix the problem, and provisioning is then retried automatically. The retry invokes the data access plug-in if the provisioning is synchronous; if the provisioning is asynchronous, an event is propagated instead. This sequence of steps is retried as long as the user is not provisioned successfully.
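The status handling described in 12.5.2.3 and 12.5.2.4 can be audited from a directory export. The following is an added example, not code from the Oracle guide: it groups entries in an LDIF export by whether the status attribute is missing (entries created through an older middle tier or an unsupported route) or set to PENDING_UPGRADE or PROVISIONING_FAILURE. The attribute name `orclUserApplnProvStatus`, its per-application `;subtype` form, and the sample entries are assumptions that do not appear on this page.

```python
# Added example: triage an LDIF export by provisioning status.
# ASSUMPTION: the attribute name and its ';APP' subtypes are not given on
# this page; pass the name your directory schema actually uses.
STATUS_ATTR = "orclUserApplnProvStatus"

# Constructed sample export (not real data). The third DN is line-folded.
SAMPLE_LDIF = """\
dn: cn=alice,cn=users,dc=example,dc=com
objectClass: inetOrgPerson
orclUserApplnProvStatus;APP_ONE: PENDING_UPGRADE

dn: cn=bob,cn=users,dc=example,dc=com
objectClass: inetOrgPerson
orclUserApplnProvStatus;APP_ONE: PROVISIONING_FAILURE
orclUserApplnProvStatus;APP_TWO: PENDING_UPGRADE

dn: cn=carol,cn=users,dc=example,
 dc=com
objectClass: inetOrgPerson
"""

def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]) per entry, unfolding continuation lines."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        pairs = [line.split(":", 1) for line in block.splitlines()
                 if ":" in line and not line.startswith("#")]
        pairs = [(a.strip(), v.strip()) for a, v in pairs]
        dn = next((v for a, v in pairs if a.lower() == "dn"), None)
        if dn:
            yield dn, pairs

def triage(text, status_attr=STATUS_ATTR):
    """Group DNs into: missing status, PENDING_UPGRADE, PROVISIONING_FAILURE."""
    report = {"MISSING": [], "PENDING_UPGRADE": [], "PROVISIONING_FAILURE": []}
    for dn, pairs in parse_ldif(text):
        # Match the base attribute name and any ';subtype' option on it.
        statuses = {v for a, v in pairs
                    if a.split(";", 1)[0].lower() == status_attr.lower()}
        if not statuses:
            report["MISSING"].append(dn)
        for status in statuses & report.keys():
            report[status].append(dn)
    return report

if __name__ == "__main__":
    for bucket, dns in triage(SAMPLE_LDIF).items():
        print(bucket, dns)
```

Entries in the MISSING bucket are worth reviewing for how they were created, and entries that stay in PROVISIONING_FAILURE across exports are the ones the automatic retry is not resolving.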

12.6 Understanding Provisioning Flow

This section discusses the flow of information and control in various provisioning scenarios. It contains these topics:

■ Creating and Modifying Users with the Provisioning Console
■ Deleting Users with the Provisioning Console
■ User Provisioning from an External Source

12.6.1 Creating and Modifying Users with the Provisioning Console

You can use the Provisioning Console to create and provision new user entries in Oracle Internet Directory. The console uses a wizard-based interface to perform the following steps:

1. The initial user creation screen shows a list of required base user attributes. The base user attributes are populated after the Provisioning Console invokes the Pre-Data Entry plug-in. For user creation, the plug-in processes the base user attributes and generates the application’s default provisioning policy and attributes. For user modification, the Provisioning Console retrieves user information from Oracle Internet Directory, and the plug-in retrieves application information.

2. The next step in the wizard displays how a user will be provisioned in each application, based on the application’s default provisioning policy. For user modification, this step displays one list with applications for which the user is currently provisioned and another list in which the user can be provisioned. You can select one of the following values for an application in which the user is not yet provisioned:

   ■ User Policy. The selected value for this field is based on each application’s default provisioning policy. This field can display one of two values: Provision or Do Not Provision.
   ■ Override Policy to perform Provision. Selecting this option overrides the application’s default policy and provisions the user.
   ■ Override Policy NOT to perform Provision. Selecting this option overrides the application’s default policy and does not provision the user.