Applying SAML policy for request and callback for the AsyncSoD Web

27-32 Oracle Fusion Middleware Developers Guide for Oracle Identity Manager

The following figure shows the Holder task as a preceding task of the Add Responsibility to User task.

3. Add the SODChecker task (any task whose name starts with SODChecker). This task must be made conditional.

   The following figure shows the SODChecker task.

Using Segregation of Duties SoD 27-33

4. Attach the InitiateSODCheck process task adapter to the SODChecker task. Attach the following response codes to the SODChecker task:

   Response Code           Task Status   Description
   SODCheckResultPending   P             The SoD validation process is initiated and results are awaited.
                                         Note: This response code is for an SoD engine that returns responses asynchronously.
   SODCheckCompleted       C             The SoD validation process results have been returned, and the response shows that there is no SoD violation.
   SODCheckViolation       C             The SoD validation process results have been returned, and the response shows that there is an SoD violation.
   SODCheckNotInitiated    C             The SoD validation process has not been initiated because SoD has not been enabled in Oracle Identity Manager.

   The following figure shows these response codes.

27.9 Marking Fields as Entitlements

This section contains the following topics:

■ Marking Request Dataset Attributes That Hold Entitlement Data
■ Marking Child Process Form Tables That Hold Entitlement Data

27.9.1 Marking Request Dataset Attributes That Hold Entitlement Data

The request dataset attribute that holds the entitlement must be marked with the entitlement property set to true. The following is an example:

   <AttributeReference name="Responsibility Name" attr-ref="Responsibility Name" type="String" length="256" widget="lookup-query" available-in-bulk="true" required="true" entitlement="true">
     <lookupQuery lookup-query="select lkv_encoded as lkv_encoded,lkv_decoded as lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.Application Name','~'))>0" display-field="lkv_decoded" save-field="lkv_encoded"/>
   </AttributeReference>

27.9.2 Marking Child Process Form Tables That Hold Entitlement Data

Child process form tables can hold different types of multivalued data, for example, role data, profile data, and address information. You must mark the child process form tables holding entitlement data that you want to use for SoD operations. See Marking Entitlement Attributes on Child Process Forms on page 37-4 for information.

See Also: Step 1: Creating a Request Dataset for the Resources on page 23-1 for information about creating the request dataset.

27.10 Custom Combination of Target Systems and SoD Engines

This section contains the following topics:

■ Using a Custom Target System
■ Adding Custom SoD Engine

27.10.1 Using a Custom Target System

The following is a summary of the procedure to configure the SIL for a new target system:

1. Follow the instructions given in the section Addressing Prerequisites on page 27-43.

2. Create Java class implementations of the IdMvsSoDDataTransformationOper interface for the connector. See Creating the Transformation Layer on page 27-36 for instructions.

3. Deploy the transformation service component. See Deploying the Transformation Layer on page 27-36.

4. Add entries in the registration XML file for the new target system. See Modifying the Registration XML File on page 27-36 for instructions.

5. Perform the procedure described in Configuring Workflows on Non SoD-enabled Connectors on page 27-13.

6. Mark child process forms that hold entitlement data. See Marking Fields as Entitlements on page 27-34 for instructions.

7. Register the new target system. See Registering the New Target System on page 27-38 for instructions.

27.10.1.1 Addressing Prerequisites

Note: Perform the procedure described in this section only if you want to use a target system other than Oracle e-Business Suite, SAP CUA, and SAP R3. You must also perform the procedures given in Adding Custom SoD Engine on page 27-42 if you are using an SoD engine other than Oracle Application Access Controls Governor and SAP GRC. You can perform this procedure either before or at any time after the first-time implementation of SoD in Oracle Identity Manager.

Ensure that the following prerequisites are addressed:

1. Load entitlement data from the target system to the SoD engine. For details, see the vendor documentation for the SoD engine.

2. Deploy the Oracle Identity Manager connector for the target system. See the connector documentation for more information.

27.10.1.2 Creating the Transformation Layer

The transformation layer is used to transform target system attribute values into values that can be used by the SoD engine. You must create a transformation layer for any new SoD engine or target system type. Create the transformation layer as an implementation of the IdMvsSoDDataTransformationOper interface, and implement the transformInput and transformSoDAnalysisInput methods in that implementation class.

In earlier releases of Oracle Identity Manager, the approval workflow data was read from the object forms. In Oracle Identity Manager 11g Release 1 (11.1.1), object forms are replaced by request datasets in the approval processes. As a result, the transformation layer must be changed so that entitlement data is read from the request dataset instead of from object forms.

The transformation layer must also check the request model. If the request model is Provision Resource, then data must be read only from the request dataset. If the request model is Modify Provisioned Resource, then data must be read from both the request dataset and the process form, because the SoD engine must evaluate the entitlements the user will hold after the modification, not only the ones being added.

27.10.1.3 Deploying the Transformation Layer

The transformation service component is deployed as follows:

1. Create a JAR file for the Java classes that you created for the implementation of the IdMvsSoDDataTransformationOper service component type.

2. Use the UploadJar utility to upload the JAR file as ThirdParty.

27.10.1.4 Modifying the Registration XML File

Enter the details of the transformation layer in the Registration.xml file as follows:

1. Import the Registration.xml file from the MDS. The Registration.xml file is present with namespace /metadata/iam-features-sil/db/Registration.xml in MDS.

2. Open the Registration.xml file in a text editor.

3. Add the SystemType and ServiceComponent elements as shown in this block of XML lines:

   Note: The uppercase placeholders are the values that you must set. Guidelines and sample values are given after this block of XML.

   <SystemType name="SYSTEM_TYPE_NAME" type="Sod Source DataStore"></SystemType>
   <ServiceComponent type="IdMvsSoDDataTransformationOper" name="NAME_FOR_IMPLEMENTATION">
     <Impl-Class>NAME_OF_IMPLEMENTATION_CLASS</Impl-Class>
     <IdMSystemType>OIM</IdMSystemType>
     <SoDEngineType>SoD_ENGINE</SoDEngineType>
     <srcSystemType>SYSTEM_TYPE_NAME</srcSystemType>
     <DataTransformation>
       <AttrSoD type="user" name="NAME_OF_ATTRIBUTE_ON_TARGET_SYSTEM" sourceIdMAttrName="NAME_OF_ATTRIBUTE_ON_SOD_ENGINE" isSourceKey="true"/>
       <AttrSoD type="user" name="firstname" sourceIdMAttrName="firstname" isSourceKey="false"/>
       <AttrSoD type="user" name="lastname" sourceIdMAttrName="lastname" isSourceKey="false"/>
       <AttrSoD type="duty" dutyType="ENTITLEMENT_TYPE" name="accessorigid" sourceIdMAttrName="ENTITLEMENT_NAME" isSourceKey="true"/>
     </DataTransformation>
     <DataTransformation>
     . . .
     </DataTransformation>
     <DataTransformation>
     . . .
     </DataTransformation>
   </ServiceComponent>

   Apply the following guidelines while adding the SystemType and ServiceComponent elements in the Registration.xml file:

   ■ Replace the placeholders with the following values:

     – SYSTEM_TYPE_NAME: Specify a name for the system type.
     – In the SystemType tag, type can have the value SoD Source DataStore for a custom target system, or SoD Engine for a custom SoD engine.
     – NAME_FOR_IMPLEMENTATION: Specify a name for the service component. For example: DBToOAACG
     – NAME_OF_IMPLEMENTATION_CLASS: Specify the name that you have set for the class that you create by performing the procedure described in Creating the Transformation Layer on page 27-36. For example: oracle.iam.grc.sod.scomp.impl.oaacg.transformation.IdMvsSoDDataTransformationOperDBvsOAACG
     – SoD_ENGINE: Enter OAACG if you are using Oracle Application Access Controls Governor as the SoD engine. Enter GRC if you are using SAP GRC as the SoD engine. If you are using a custom SIL provider, then enter the name that you set for that SoD engine.
     – SYSTEM_TYPE_NAME: Specify the system type name that you entered earlier.
     – NAME_OF_ATTRIBUTE_ON_TARGET_SYSTEM: Specify the name of the attribute on the target system.
     – NAME_OF_ATTRIBUTE_ON_SOD_ENGINE: Specify the name of the corresponding attribute on the SoD engine.
     – ENTITLEMENT_TYPE: Enter the type of entitlement. For example: ROLE
     – ENTITLEMENT_NAME: Enter the name of one instance of the entitlement. For example: Resource Manager

   ■ Add one DataTransformation element for each attribute mapping that you want to create.

4. Save and close the Registration.xml file.

5. Export the Registration.xml file back to MDS.

See Also: Oracle Fusion Middleware Java API Reference for Oracle Identity Manager for information about the implementation methods, and Adding Custom SoD Engine on page 27-42.

Note: The UploadJar.sh or UploadJar.bat utility is in the OIM_HOME/bin directory. Run the utility from this location to upload the created JAR file to MDS.
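The following is an added example, not code from the Oracle Identity Manager product, that ties together the two rules above: the AttrSoD mappings in Registration.xml rename target-system attributes for the SoD engine, and the transformation layer (section 27.10.1.2) reads only the request dataset for Provision Resource but merges the process form with the request dataset for Modify Provisioned Resource. The Registration.xml fragment, the attribute names such as User Login, and the request and form dictionaries are constructed sample values; the real logic belongs in the Java class that implements IdMvsSoDDataTransformationOper.

```python
import xml.etree.ElementTree as ET

# Constructed Registration.xml fragment in the shape shown above (sample values).
REGISTRATION_XML = """
<ServiceComponent type="IdMvsSoDDataTransformationOper" name="DBToOAACG">
  <Impl-Class>oracle.iam.grc.sod.scomp.impl.oaacg.transformation.IdMvsSoDDataTransformationOperDBvsOAACG</Impl-Class>
  <IdMSystemType>OIM</IdMSystemType>
  <SoDEngineType>OAACG</SoDEngineType>
  <srcSystemType>NEW</srcSystemType>
  <DataTransformation>
    <AttrSoD type="user" name="User Login" sourceIdMAttrName="userid" isSourceKey="true"/>
    <AttrSoD type="user" name="firstname" sourceIdMAttrName="firstname" isSourceKey="false"/>
    <AttrSoD type="duty" dutyType="ROLE" name="Responsibility Name" sourceIdMAttrName="responsibility" isSourceKey="true"/>
  </DataTransformation>
</ServiceComponent>
""".strip()


def load_mappings(xml_text):
    """Read the AttrSoD elements: target-system attribute name -> SoD engine attribute name."""
    user_map, duty_map = {}, {}
    for attr in ET.fromstring(xml_text).iter("AttrSoD"):
        if attr.get("type") == "duty":   # an entitlement, kept apart from user attributes
            duty_map[attr.get("name")] = (attr.get("sourceIdMAttrName"), attr.get("dutyType"))
        else:
            user_map[attr.get("name")] = attr.get("sourceIdMAttrName")
    return user_map, duty_map


def build_sod_input(request_model, request_dataset, process_form, user_map, duty_map):
    """Pick the data sources by request model, then rename attributes for the SoD engine.
    Each source is a dict: attribute name -> value (str) or list of entitlement values."""
    if request_model == "Provision Resource":
        sources = [request_dataset]                  # nothing is provisioned yet
    elif request_model == "Modify Provisioned Resource":
        sources = [process_form, request_dataset]    # existing access plus the change
    else:
        raise ValueError("unsupported request model: " + request_model)
    user_attrs, duties = {}, []
    for src in sources:
        for name, value in src.items():
            if name in user_map:
                user_attrs[user_map[name]] = value   # request data overrides form data
            elif name in duty_map:                   # unmapped attributes are not sent
                engine_name, duty_type = duty_map[name]
                for v in value:
                    duty = {"type": duty_type, "name": engine_name, "value": v}
                    if duty not in duties:           # held now and requested again: once
                        duties.append(duty)
    return {"user": user_attrs, "duties": duties}
```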

27.10.1.5 Registering the New Target System

To register the new target system, perform the procedure described in the following sections:

■ Running the Registration Script and Providing Registration Information
■ Recording the Names of the System Types

27.10.1.5.1 Running the Registration Script and Providing Registration Information

The registration script (registration.sh or registration.bat) drives the registration process. When you run this script, it prompts you for the required information. The initial set of prompts displayed by the script is read from the Registration.xml file. The registration script is in the OIM_HOME/bin directory. The Registration.xml file is in the MDS. To run the script and provide registration information for the Oracle Identity Manager installation, SoD engine, and target system:

1. Export the SILConfig.xml file from MDS. The SILConfig.xml file is present in MDS with namespace /metadata/iam-features-sil/db/SILConfig.xml.

2. Open the SILConfig.xml file in a text editor and provide values for the DOMBuilderFactoryImpl element. The value of the DOMBuilderFactoryImpl element depends on the JRE that you are using:

   ■ If you are using the Sun JRE or Oracle JRockit JRE, then uncomment the DOMBuilderFactoryImpl element containing the following value: com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl
   ■ If you are using the IBM JRE, then uncomment the DOMBuilderFactoryImpl element containing the following value: org.apache.xerces.jaxp.DocumentBuilderFactoryImpl

3. In a command window, switch to the OIM_HOME/bin directory and run the registration script.

   Note: You can run the registration script multiple times, at any time during the lifecycle of the Oracle Identity Manager installation. For example, you might want to register a new SoD engine. When you run the script, use the prompts to reach the set of prompts in which you want to provide input. You can skip the remaining sections.

   See Example 27–1 for a sample run of the registration script. In that example, it is assumed that an IT resource has been created to provide information about the SoD engine.

   Note: From this point onward, an explanation of each prompt displayed by the script is followed by the actual message of the prompt. The actual message is shown in monospace font in this document.

   Note: From this point onward, the flow is specific to the registration of an Oracle e-Business Suite and Oracle Application Access Controls Governor installation. The flow is almost the same for the SAP CUA or SAP R3 and SAP GRC installation.

   Enter login information for Oracle Identity Manager. You are prompted to provide the values for Username, Password, and URL. The sample run segment is given below:

   [Enter the admin username:]OIM_ADMINISTRATOR_LOGIN
   [Enter the admin password:]OIM_ADMINISTRATOR_PASSWORD
   [Enter the service url:]t3://OIM_HOST_NAME:OIM_PORT_NO

   Specify valid values for:

   ■ OIM_ADMINISTRATOR_LOGIN
   ■ OIM_ADMINISTRATOR_PASSWORD
   ■ OIM_HOST_NAME
   ■ OIM_PORT_NO

   An example of the T3 URL is: t3://localhost:14000

   You are prompted to specify whether or not you want to proceed with registration:

   Do you want to proceed with registration? [y/n]

4. Enter y to proceed with the registration. You are prompted to specify whether or not you want to register an Oracle Identity Manager installation:

   Register System Instance for type OIM? [y/n]

5. Enter n.

6. You are prompted to specify whether or not you want to register an Oracle e-Business Suite installation:

   Register System Instance for type EBS? [y/n]

7. Enter n if you want to use the existing Oracle e-Business Suite, which is registered by default. Enter y if you want to register a new EBS instance with another IT resource in Oracle Identity Manager.

8. If you enter y, then you are prompted to enter an instance name for the Oracle e-Business Suite installation:

   Provide instance name

   Enter a name for the Oracle e-Business Suite installation. For example: ebs2

9. You are prompted to specify whether or not you want to register an Oracle Application Access Controls Governor installation:

   Register System Instance for type OAACG? [y/n]

   Enter n if you want to use the existing OAACG, which is registered by default. Enter y if you want to register a new OAACG instance with another IT resource in Oracle Identity Manager.

10. If you enter y, then you are prompted to enter an instance name for the Oracle Application Access Controls Governor installation:

    Provide instance name

    Enter a name for the Oracle Application Access Controls Governor installation. For example: oaacg01

11. You are prompted to enter the name of the IT resource that you have created:

    OIM ITResource Instance Name:

    Enter the name of the IT resource that you created: OAACG ITR2

12. If there are no more SoD component system instances to register, then enter n in response to the remaining prompts. Otherwise, follow similar steps for the SAP and GRC instances. After this, you are prompted for the custom system type that you added in Registration.xml, for example NEW:

    Register System Instance for type NEW? [y/n]

13. Enter y. You are prompted to enter an instance name for the custom type, as shown:

    Provide instance name

14. Enter a name for the installation, for example, new1. If the added system type is SoD Engine, then you are prompted to enter the name of the IT resource that you have created:

    OIM ITResource Instance Name:

15. Enter the name of the IT resource that you created: ITR_NEW.

16. Open the SILConfig.xml file in a text editor and provide values for the Topologies element. For information about topology values, refer to Recording the Names of the System Types on page 27-41. The following block of XML shows the Topologies element and its child elements:

    <Topologies>
      <Topology>
        <name>topologyName</name>
        <IdmId>Idm RegistrationId</IdmId>
      </Topology>
    </Topologies>

    Note: If you have multiple target system and SoD engine combinations, then you can add multiple Topology elements inside the Topologies element.