Capture of User Profile Audit Data

6-6 Oracle Fusion Middleware User's Guide for Oracle Identity Manager

– UPD: Stores User Policy Profile data. This is a policy-centric view of the resources that are provisioned to a user.
– UPP: Stores User Policy Profile-related details. This is a user-centric view of all the applicable policies for a user, and the resources they allow or deny.
■ User Resource Profile: This component can be divided into the following subcomponents:
– User Resource Instance: Contains the OBI, OBJ, and OIU tables, as listed in Table 6–2.
– Resource Lifecycle Provisioning Process: Contains the MIL, ORC, OSI, PKG, SCH, and TOS tables, as listed in Table 6–3.
– Resource State Process Form: This information is stored in the UD parent and child tables. The UD_ tables are user-defined field tables that store the account state.

Note: When you change a role name by using the Administrative and User Console, the User Profile Audit (UPA) tables in the database are not updated with the change until the next snapshot of the user.

Table 6–2 User Resource Instance Tables (Table Name: Description)

OBI: Stores resource object instance information. Oracle Identity Manager creates a resource instance every time a resource is provisioned. This instance stores all generic information related to that provisioned instance, including a request key if the resource has been provisioned through a request, the corresponding process instance, and the instance status.
OBJ: Represents the resource object data, including details about the resource, such as resource name, whether or not auto-save and auto-prepopulate are set, and whether or not the resource object allows multiple instances.
OIU: Associates applicable user information to the resource object instance when provisioning takes place. In addition, it stores policy-related information for the specific resource instance.

Table 6–3 Resource Lifecycle Process Tables (Table Name: Description)

MIL: Defines the process task definitions. Each entry corresponds to a process task. A process definition (PKG table) comprises multiple tasks, which are a part of the various workflows in the definition.
ORC: Stores process instance information when provisioning takes place. When provisioning starts, Oracle Identity Manager generates an associated process or workflow instance that stores process-related information specific to the provisioning instance.
OSI: Stores information about tasks created for a process instance.
PKG: Defines processes or workflows in Oracle Identity Manager, including process details such as process name, process type, descriptive field mapping, and associated resources and process forms.
SCH: Stores information related to the running of a specific task instance, such as the task status, status bucket, and timing of when the adapter run started or ended.
TOS: Stores atomic process information.

6.3.1.2 Storage of Snapshots

When Oracle Identity Manager takes a snapshot of a user profile, it stores the snapshot in the UPA table. The structure of the UPA table is described in Table 6–4.

Table 6–4 Definition of the UPA Table (Column (Data Type): Description)

UPA_KEY (NUMBER(19,0)): Key for the audit record.
USR_KEY (NUMBER(19,0)): Key for the user whose snapshot is recorded in this entry.
EFF_FROM_DATE (TIMESTAMP(6)): Date and time at which the snapshot entry became effective.
EFF_TO_DATE (TIMESTAMP(6)): Date and time at which the snapshot entry was no longer effective. In other words, this is the date and time at which the next snapshot entry was created. For the entry representing the latest user profile, the To Date (EFF_TO_DATE) column value is set to NULL.
SRC (VARCHAR2(4000)): User ID of the user responsible for the change, and the API used to carry out the change.
SNAPSHOT (CLOB): XML representation of the snapshot.
DELTAS (CLOB): XML representation of old and new values corresponding to a change made to the snapshot.
SIGNATURE (CLOB): Can be used to store a digital signature for the snapshot for nonrepudiation purposes.

Note: The initial audit snapshots for default users in Oracle Identity Manager are not UTF-8 encoded. However, the snapshots recorded for subsequent modifications to these users are UTF-8 encoded.

6.3.1.3 Trigger for Taking Snapshots

When any data element in a user profile changes, Oracle Identity Manager creates a snapshot. The following events trigger the creation of a user profile snapshot:
■ Modification of any kind to the user record (for example, through reconciliation or direct provisioning)
■ Role membership change for the user
■ Changes in the policies that apply to the user
■ Provisioning a resource to the user
■ Deprovisioning of a resource for the user
■ Any provisioning-related event for a provisioned resource:
– Resource status change
– Addition of provisioning tasks to the provisioning process
– Updates to provisioning tasks in the provisioning process, for example, status changes, escalations, and so on
– Creation of or updates to Process Form data
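The UPA layout in Table 6–4 is a classic effective-dated history table, which is what an investigator needs when reconstructing a user's profile as of a given time or checking that the audit trail has no holes. The Oracle SQL below is an added example written for this page; it is not part of the Oracle guide or of the Oracle Identity Manager product. It assumes an Oracle database with the UPA table exactly as described in Table 6–4, and the bind variables :usr_key and :as_of are placeholders chosen for the example, not OIM identifiers.

```sql
-- Added example, not from the Oracle documentation. Assumes the UPA table of
-- Table 6-4 on an Oracle database. :usr_key and :as_of are bind-variable
-- placeholders supplied by the caller (assumed names).

-- 1. Current profile snapshot for one user. The row that represents the
--    latest profile is the one whose EFF_TO_DATE is NULL.
SELECT UPA_KEY, USR_KEY, EFF_FROM_DATE, SRC, SNAPSHOT
FROM   UPA
WHERE  USR_KEY = :usr_key
AND    EFF_TO_DATE IS NULL;

-- 2. Profile as it stood at a given instant (point-in-time reconstruction).
--    EFF_TO_DATE of one row equals EFF_FROM_DATE of the next, so each snapshot
--    is treated as effective over the half-open interval
--    [EFF_FROM_DATE, EFF_TO_DATE); this returns exactly one row even when
--    :as_of falls on a snapshot boundary.
SELECT UPA_KEY, EFF_FROM_DATE, EFF_TO_DATE, SRC, SNAPSHOT, DELTAS
FROM   UPA
WHERE  USR_KEY = :usr_key
AND    EFF_FROM_DATE <= :as_of
AND    (EFF_TO_DATE IS NULL OR EFF_TO_DATE > :as_of);

-- 3. Integrity check on the snapshot chain for every user. A row whose
--    EFF_TO_DATE is not the EFF_FROM_DATE of its successor marks a gap or an
--    overlap; an open-ended row that has a successor, or a latest row that is
--    closed, means the "latest profile" marker is inconsistent.
WITH chain AS (
  SELECT UPA_KEY, USR_KEY, EFF_FROM_DATE, EFF_TO_DATE,
         LEAD(EFF_FROM_DATE) OVER (PARTITION BY USR_KEY
                                   ORDER BY EFF_FROM_DATE) AS NEXT_FROM
  FROM   UPA
)
SELECT USR_KEY, UPA_KEY, EFF_FROM_DATE, EFF_TO_DATE, NEXT_FROM,
       CASE
         WHEN EFF_TO_DATE IS NULL     AND NEXT_FROM IS NOT NULL THEN 'open row is not the latest'
         WHEN EFF_TO_DATE IS NOT NULL AND NEXT_FROM IS NULL     THEN 'latest row is closed'
         WHEN EFF_TO_DATE <> NEXT_FROM                          THEN 'gap or overlap'
       END AS PROBLEM
FROM   chain
WHERE  (EFF_TO_DATE IS NULL     AND NEXT_FROM IS NOT NULL)
OR     (EFF_TO_DATE IS NOT NULL AND NEXT_FROM IS NULL)
OR     EFF_TO_DATE <> NEXT_FROM
ORDER  BY USR_KEY, EFF_FROM_DATE;

-- 4. Snapshots that carry no signature. Only meaningful where the deployment
--    actually populates SIGNATURE for nonrepudiation; in that case every row
--    returned here is a snapshot whose integrity cannot be independently
--    verified.
SELECT USR_KEY, UPA_KEY, EFF_FROM_DATE, SRC
FROM   UPA
WHERE  SIGNATURE IS NULL
ORDER  BY USR_KEY, EFF_FROM_DATE;
```

Two caveats follow from the page itself. First, the note above about role names means a SNAPSHOT may still show an old role name after a rename, because the UPA row is rewritten only on the next snapshot of that user; resolve role names against the live role tables when it matters. Second, the SRC column records both the responsible user and the API used, so it is the field to pivot on when tracing who made a change and through which interface.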

6.3.2 Post-Processor Used for User Profile Auditing

The user profile auditor has an internal post-processor that normalizes the snapshot XML into the reporting tables: UPA_USR, UPA_FIELDS, UPA_GRP_MEMBERSHIP, UPA_RESOURCE, UPA_UD_FORMS, and UPA_UD_FORMFIELDS. These tables are used by the reporting module to generate the appropriate reports.

6.3.3 Tables Used for User Profile Auditing

Table 6–5 lists the tables in the database that user profile audits use.

Note: For more information about the User Profile Audit tables, such as column names and how to use them, refer to the schema documentation provided with Oracle Identity Manager.

Table 6–5 User Profile Audit Tables (Table Name: Description)

AUD: Stores detailed information about all the auditors (for example, the User Profile Auditor) supported by Oracle Identity Manager. Currently, only the UserProfileAudit entry is available.
AUD_JMS: Staging table that stores information about changes made as a part of any business transaction. This is an intermediate table that temporarily stores changelog data before the audit engine consumes it. When audit messages are successfully processed, the corresponding records are deleted from the table. Note: This table is not intended for end users and must not be used directly.
UPA: Main auditing table for storing all snapshots and changes made to the user profiles.
UPA_FIELDS: Stores user profile audit history changes in denormalized vertical format.
UPA_GRP_MEMBERSHIP: Stores group membership history in denormalized format.
UPA_RESOURCE: Stores user profile resource history in denormalized format.
UPA_USR: Stores user profile history in denormalized format.
UPA_UD_FORMS: Together with the UPA_UD_FORMFIELDS table, contains information about changes to the user's account profile process form. This table keeps track of the changes to the various forms, such as parent or child forms, that are changed in any transaction. The changes to the account or entitlement attributes are stored in the UPA_UD_FORMFIELDS table.
UPA_UD_FORMFIELDS: Stores the names of account or entitlement profile fields that are modified. This table also keeps track of the old and new values of the modified fields.