Provisioning Status in Oracle Internet Directory

12-14 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

variety of other reasons. The Oracle Directory Integration Platform Service identifies user provisioning failures as exceptions. Whenever an application responds to a USER_ADD event with a failure status, the Oracle Directory Integration Platform changes the user's provisioning status to PROVISIONING_FAILURE. It then notifies the applications of the failed cases, just as it does for a new user, which serves as a retry of the provisioning request. The provisioning status of a user is displayed in the Provisioning Console. The administrator can make the necessary changes to fix the problem, and provisioning is retried automatically. If the provisioning is synchronous, the retry invokes the data access plug-in; if it is asynchronous, an event is propagated. This sequence of steps is retried for as long as the user is not provisioned successfully.
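Because a failed user is retried until provisioning succeeds, entries that stay in PROVISIONING_FAILURE are worth auditing. The following is an added example, not code from the Oracle guide: it scans an LDIF export and lists every user and application whose status is PROVISIONING_FAILURE. It assumes the per-application status is stored in the user entry as the subtyped attribute orclUserApplnProvStatus;<application>, which this page does not show; the DNs, application names and the PROVISIONING_SUCCESSFUL value are constructed sample data.

```python
import base64

# Assumption: per-application status lives in this subtyped attribute of the
# user entry (the attribute name does not appear on this page).
STATUS_ATTR = "orcluserapplnprovstatus"
FAILED = "PROVISIONING_FAILURE"  # status named in the text above

# Constructed sample export; DNs, application names and values are made up.
SAMPLE_LDIF = """\
dn: cn=alice,cn=users,dc=example,dc=com
orclUserApplnProvStatus;MAIL_APP: PROVISIONING_SUCCESSFUL
orclUserApplnProvStatus;CALENDAR_APP: PROVISIONING_FAILURE

dn: cn=bob,cn=users,dc=example,dc=com
orclUserApplnProvStatus;MAIL_APP: PROVISIONING_
 FAILURE
orcluserapplnprovstatus;PORTAL_APP:: UFJPVklTSU9OSU5HX0ZBSUxVUkU=
"""

def unfold(block):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in block.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def failed_provisioning(ldif_text):
    """Return sorted (dn, application) pairs whose status is PROVISIONING_FAILURE."""
    hits = []
    for block in ldif_text.split("\n\n"):
        dn = None
        for line in unfold(block):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "::" marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            value = value.strip()
            base, _, app = name.partition(";")
            if name.lower() == "dn":
                dn = value
            elif base.lower() == STATUS_ATTR and value.upper() == FAILED:
                hits.append((dn, app))
    return sorted(hits)

if __name__ == "__main__":
    for dn, app in failed_provisioning(SAMPLE_LDIF):
        print(f"{dn}\t{app}\t{FAILED}")
```

The folded and base64-encoded values in the sample are included because both are legal LDIF and a plain text search for the status string would miss them.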

12.6 Understanding Provisioning Flow

This section discusses the flow of information and control in various provisioning scenarios. It contains these topics:

■ Creating and Modifying Users with the Provisioning Console
■ Deleting Users with the Provisioning Console
■ User Provisioning from an External Source

12.6.1 Creating and Modifying Users with the Provisioning Console

You can use the Provisioning Console to create and provision new user entries in Oracle Internet Directory. The console uses a wizard-based interface to perform the following steps:

1. The initial user creation screen shows a list of required base user attributes. The base user attributes are populated after the Provisioning Console invokes the Pre-Data Entry plug-in. For user creation, the plug-in processes the base user attributes and generates the application's default provisioning policy and attributes. For user modification, the Provisioning Console retrieves user information from Oracle Internet Directory, and the plug-in retrieves application information.
2. The next step in the wizard displays how a user will be provisioned in each application, based on the application's default provisioning policy. For user modification, this step displays one list with applications for which the user is currently provisioned and another list in which the user can be provisioned. You can select one of the following values for an application in which the user is not yet provisioned:
   ■ User Policy. The selected value for this field is based on each application's default provisioning policy. This field can display one of two values: Provision or Do Not Provision.
   ■ Override Policy to perform Provision. Selecting this option overrides the application's default policy and provisions the user.
   ■ Override Policy NOT to perform Provision. Selecting this option overrides the application's default policy and does not provision the user.
   For applications in which the user is currently provisioned, there will be an option for deprovisioning the user.
3. For applications in which the user is not provisioned, the next step in the wizard displays attributes for the applications to be provisioned, with the default values returned by the Pre-Data Entry plug-in. For applications in which the user is provisioned, current application information is listed. You can make any necessary changes to the attributes in this step before clicking Next. When you click Next, the Post-Data Entry plug-in is invoked, which validates the data you entered.
4. The final step in the wizard enables you to review application attributes and values. Click Finish. After you click Finish, the Provisioning Console creates or updates the user information in Oracle Internet Directory, and then invokes the Data Access Java plug-in for applications that are provisioned synchronously to create or update the application

12.6.2 Deleting Users with the Provisioning Console

Before a user is deleted, the Provisioning Console displays a read-only page listing the base user and the application attributes. After the user confirms the deletion, the Provisioning Console deletes the base user information and any application-specific information, or invokes the Data Access Java plug-in for applications that are provisioned synchronously. For asynchronous applications, a USER_DELETE event is propagated.

12.6.3 Viewing and Editing Provisioning Profiles Using Fusion Middleware Control

As of 11g Release 1 (11.1.1), you view and edit provisioning profiles using the Oracle Enterprise Manager Fusion Middleware Control by performing the following steps:

1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
2. Log in to Oracle Enterprise Manager Fusion Middleware Control.
3. In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the profile you want to view or edit.
4. Select Administration and then Provisioning Profiles from the DIP Server menu.

The Manage Provision Profiles screen appears, displaying the existing provisioning profiles. To change which attributes of the provisioning profiles are displayed, click View, then Column, and select the attributes you want to display or hide. You can also reorder the columns of provision profiles by clicking View, and then Reorder Columns. To enable or disable a provisioning profile, click the appropriate profile, and then click Enable or Disable. To edit a provisioning profile, click the profile you want to edit, and then click Edit. The attributes of the profile appear. Edit the settings as desired and click OK to save the changes.

Table 12–3 lists and describes the provisioning profile fields:

12.6.4 User Provisioning from an External Source

The majority of deployments are expected to provision users from an external source, such as a third-party enterprise user repository. In these types of deployments, the third-party repository bootstraps Oracle Internet Directory. Oracle Directory Integration Platform will provide ongoing synchronization between Oracle Internet Directory and the third-party repository. Examples of third-party user repositories include Oracle Human Resources and LDAP directories such as Microsoft Active Directory, Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server), Novell eDirectory, IBM Tivoli Directory Server, and OpenLDAP.

The Oracle Directory Synchronization Service will create the user entry in Oracle Internet Directory. Because the information coming from the external source may not be sufficient to provision the user in various applications, the application defaults will be used to create the application information. User creation by the Oracle Directory Synchronization Service occurs as follows:

1. The Oracle Directory Synchronization Service evaluates the provisioning policies specified by the applications to determine whether the user should be provisioned in the application.
2. The Oracle Directory Synchronization Service evaluates any other plug-ins that the application has registered.
3. The Oracle Directory Integration Platform Service invokes the PL/SQL plug-in or the Data Access Java plug-in to deliver the user information to the application.
4. The provisioning status of the user is returned by the application using the event interfaces.
5. The Oracle Directory Integration Platform Service updates the provisioning status of the user for the application.

12.7 How Are Administrative Privileges Delegated?

Administrative rights in Oracle Delegated Administration Services vary according to the privileges delegated to each administrator.
An administrator can be granted rights

Table 12–3 Provisioning Profile Fields

| Field Name | Description |
| --- | --- |
| Profile Name | The name of the profile you are editing. You cannot edit a profile name after it is created. This field is provided only to identify the profile you are editing. |
| Application Name | The name of the application the provisioning profile applies to. |
| Profile Version | The version of the provisioning profile. |
| Application to OID | Options to set the provisioning profile as Configured and Enabled in the Application to Oracle Internet Directory relationship. |
| OID to Application | Options to set the provisioning profile as Configured and Enabled in the Oracle Internet Directory to Application relationship. |
| Scheduled Interval (HH:MM:SS) | Specifies the number of hours, minutes, and seconds between provisioning attempts between a connected directory and Oracle Internet Directory. |
| Last Execution | Shows the status (Success/Failed) and execution time of the last provisioning attempt. |