Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

9 Configuring LDAP Container Rules

In earlier releases of Oracle Identity Manager, the role name (UGP.UGP_NAME in the database) is unique. This is a limitation because a large enterprise can have many roles, and administrators may need to create two or more roles in Oracle Identity Manager with the same name but for different purposes. Oracle Identity Manager can also be installed with LDAP synchronization enabled. When roles come from LDAP through reconciliation, two or more roles can have the same name: LDAP allows two roles with the same name if they are located under two different Organizational Units (OUs).

In Oracle Identity Manager 11g Release 1 (11.1.1), the namespace is introduced to handle two roles with the same name. Roles with the same name are supported if they are in different namespaces; two or more roles with the same name in the same namespace are not supported. When LDAP is integrated with Oracle Identity Manager, the namespace maps to an OU. In the default configuration there is only one namespace, called Default, and therefore role names are unique. To configure multiple namespaces, you must create an XML file called LDAPContainerRules.xml and load it into the metadata store (MDS). The LDAPContainerRules.xml file also specifies the namespace of a role based on the role attributes.

When LDAP synchronization is enabled and a user is to be created, a plug-in determines the container in which the user is to be created. Similarly, if a role is to be created, the same plug-in determines the container in which the role is to be created. For this, Oracle Identity Manager calls a plug-in that implements the oracle.iam.ldapsync.LDAPContainerMapper interface. All the attributes of the user or role are passed to the plug-in, and it returns the distinguished name (DN) of the LDAP container.
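The following script is an added example, not Oracle's code and not the implementation of the default plug-in. It evaluates a rules file with the semantics this chapter describes: every attribute=value pair in an expression must match (AND), only the "=" operator is supported, and the rule whose expression is the literal Default is the fallback. It also flags two roles with the same name that would land in the same namespace, which this chapter says is not supported. The rules file is a constructed copy of the example shown later in this chapter; the matching details the page does not state (exact, case-sensitive comparison, splitting the expression on commas and on the first "=", treating a missing description as no namespace) are assumptions of this example.

```python
"""Added example (not Oracle's code): evaluate an LDAPContainerRules.xml file
with the semantics described in this chapter. Comparison details beyond what
the page states are assumptions of this example."""
import xml.etree.ElementTree as ET

# Constructed copy of the rules file shown in this chapter.
RULES_XML = """<container-rules>
  <user>
    <rule><expression>Country=US, Locality Name=AMER</expression><container>l=amer,dc=oracle,dc=com</container></rule>
    <rule><expression>Country=IN, Locality Name=APAC</expression><container>l=apac,dc=oracle,dc=com</container></rule>
    <rule><expression>Default</expression><container>l=users,dc=oracle,dc=com</container></rule>
  </user>
  <role>
    <rule><expression>Role Description=AMER</expression><description>AMER</description><container>l=amer,ou=role,dc=oracle,dc=com</container></rule>
    <rule><expression>Role Description=APAC</expression><description>APAC</description><container>l=apac,ou=role,dc=oracle,dc=com</container></rule>
    <rule><expression>Default</expression><description>Default</description><container>l=roles,dc=oracle,dc=com</container></rule>
  </role>
</container-rules>"""

UNSUPPORTED_OPERATORS = ("!=", "<", ">", "~=")  # the page allows only plain '='


def parse_expression(expr):
    """'Country=US, Locality Name=AMER' -> {'Country': 'US', 'Locality Name': 'AMER'}.
    Returns None for the literal 'Default'. Raises ValueError on an unsupported
    operator so a bad rules file fails at load time instead of never matching."""
    expr = expr.strip()
    if expr == "Default":
        return None
    pairs = {}
    for term in expr.split(","):  # assumption: values contain no commas
        term = term.strip()
        if any(op in term for op in UNSUPPORTED_OPERATORS) or "=" not in term:
            raise ValueError("only 'attribute=value' terms are supported: %r" % term)
        name, value = term.split("=", 1)
        pairs[name.strip()] = value.strip()
    return pairs


def expression_is_supported(expr):
    try:
        parse_expression(expr)
        return True
    except ValueError:
        return False


def load_rules(xml_text):
    """Return {'user': (rules, default_rule), 'role': (rules, default_rule)}.
    Exactly one Default rule is required per section."""
    root = ET.fromstring(xml_text)
    sections = {}
    for kind in ("user", "role"):
        rules, default = [], None
        for rule in root.find(kind).findall("rule"):
            entry = {
                "match": parse_expression(rule.findtext("expression", "")),
                "container": rule.findtext("container", "").strip(),
                # <description> is the role namespace; user rules have none.
                "namespace": (rule.findtext("description") or "").strip() or None,
            }
            if entry["match"] is None:
                if default is not None:
                    raise ValueError("more than one Default rule under <%s>" % kind)
                default = entry
            else:
                rules.append(entry)
        if default is None:
            raise ValueError("<%s> has no Default rule; unmatched entries would have no container" % kind)
        sections[kind] = (rules, default)
    return sections


def resolve(sections, kind, attributes):
    """(container DN, namespace) for kind 'user' or 'role'. The first rule whose
    attribute=value pairs are all present wins (AND); otherwise Default applies."""
    rules, default = sections[kind]
    for entry in rules:
        if all(attributes.get(k) == v for k, v in entry["match"].items()):
            return entry["container"], entry["namespace"]
    return default["container"], default["namespace"]


def namespace_collisions(sections, roles):
    """Return (name, namespace) pairs that occur more than once in `roles`, a list of
    (role name, attributes): the same role name twice in one namespace is unsupported."""
    seen, collisions = set(), []
    for name, attributes in roles:
        key = (name, resolve(sections, "role", attributes)[1])
        if key in seen and key not in collisions:
            collisions.append(key)
        seen.add(key)
    return collisions


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    print(resolve(rules, "user", {"Country": "US", "Locality Name": "AMER"}))
    print(resolve(rules, "user", {"Country": "France", "Locality Name": "FR"}))
    print(resolve(rules, "role", {"Role Description": "APAC"}))
```

Rejecting unsupported operators when the file is loaded is deliberate: a rule that can never match does not fail visibly, it simply sends every user or role to the Default container, so the mistake would only show up as entries appearing in the wrong OU.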
You can write your own plug-in, register it with Oracle Identity Manager, and then configure Oracle Identity Manager to use it by setting the LDAPContainerMapperPlugin system property. See "System Properties in Oracle Identity Manager" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about this system property.

Oracle Identity Manager provides a default plug-in that determines the LDAP container for a user or role from the user or role attributes that are synchronized to LDAP. The default plug-in reads the rules from an XML file to determine the LDAP container. The XML file must be deployed to MDS as /db/LDAPContainerRules.xml. When Oracle Identity Manager is installed with LDAP synchronization enabled, the installer asks for user and role container values. These values are stored in the /db/LDAPContainerRules.xml file in the containers for which the expression is Default. The following is an example:

  <container-rules>
    <user>
      <rule>
        <expression>Country=US, Locality Name=AMER</expression>
        <container>l=amer,dc=oracle,dc=com</container>
      </rule>
      <rule>
        <expression>Country=IN, Locality Name=APAC</expression>
        <container>l=apac,dc=oracle,dc=com</container>
      </rule>
      <rule>
        <expression>Default</expression>
        <container>l=users,dc=oracle,dc=com</container>
      </rule>
    </user>
    <role>
      <rule>
        <expression>Role Description=AMER</expression>
        <description>AMER</description>
        <container>l=amer,ou=role,dc=oracle,dc=com</container>
      </rule>
      <rule>
        <expression>Role Description=APAC</expression>
        <description>APAC</description>
        <container>l=apac,ou=role,dc=oracle,dc=com</container>
      </rule>
      <rule>
        <expression>Default</expression>
        <description>Default</description>
        <container>l=roles,dc=oracle,dc=com</container>
      </rule>
    </role>
  </container-rules>

In the LDAPContainerRules.xml file, each rule contains the following sections:

■ Expression: This specifies the actual rule that is used to find the namespace and the OU for LDAP. The expression tag must be defined based on user or role attributes.
Only the equal to (=) operator is supported in the expression tag. The expression can be based on multiple attributes, as shown in the example, and the LDAP container is determined by an AND of all the defined attributes: every attribute in the expression must match. If none of the rules is satisfied, the user or role is put in the container for which the expression is Default.

■ Description: This is the namespace that is used for the Role Namespace attribute. The description (namespace) associated with the Default expression is always Default. By default, roles do not have many attributes for creating meaningful expressions, so you typically add a new User Defined Field (UDF), for instance a Role Location attribute. In this example, the Role Description attribute is used to define the rule.

■ Container: This is the OU in which the user or role is created in LDAP.

Suppose a user is to be created with the attributes Country=US and Locality Name=AMER. This user would be created in the container l=amer,dc=oracle,dc=com. If a user is to be created with Country=France and Locality Name=FR, it would be created in the container l=users,dc=oracle,dc=com because no expression matches these two attributes, and therefore the default container is selected. Because the attributes are ANDed, a user with Country=US but no Locality Name value also matches neither rule and is placed in the default container.

10 Understanding Context

A context is the environment in which an Oracle Identity Manager operation is performed. For example, a user creation operation performed on the Oracle Identity Manager Administrative and User Console is carried out in the Web context.
The following information constitutes the context or environment in which this operation is performed:

■ User performing the operation
■ IP address of the computer from which the user creation request originated
■ Date and time at which the request is submitted
■ Proxy that is used to reach the application server

For example, if the user is created by running the bulk load utility, the context includes the user who started the bulk load utility, the computer from which the operation is being performed, and so on.

A context is maintained in main memory. It consists of a set of context variables, each of which has a name and a value. Each functional component involved in an operation, such as request management, reconciliation, or notification, can add values to the context. Context values can only be set; they cannot be modified. The context values act as a means of communication across the components involved in an operation. Context variable values are loaded into memory only when they are required, which enhances performance. A context also acts as a cache of the typical values required by event handlers, which reduces the need to fetch values from the repository each time they are required.

This chapter contains the following sections:

■ Child Context
■ Context Types

10.1 Child Context

A child context is a subcontext that is initiated while an operation is in progress. For example, if a user creation operation involves provisioning a resource through access policies, the resource provisioning runs in the access policy context, which is a child context of the one in which the user is being created. This means that contexts can be nested, and there can be a stack of contexts. New contexts can be created by functional components, and further processing then uses the newly created context.

10.2 Context Types

Context Manager supports the following context types:

■ SELF: Operation is initiated through Oracle Identity Manager Self Service.
■ ADMIN: Operation is initiated through Identity Administration or Advanced Administration. This is the default context.
■ RECON: Operation is performed by reconciliation.
■ REQUEST: Operation is performed by a request.
■ POLICY: Operation is performed because of an access policy.

Calling ContextManager.getContextType() returns the type of the current context. Some of the information that you can retrieve under the various contexts is:

■ Reconciliation context: The profile from which the reconciliation event was created can be retrieved with the ContextManager.getValue("profileName") method call.
■ Scheduled tasks run in the ADMIN context. Some of the information that can be retrieved is:
  – Job name: ContextManager.getValue("JOBNAME")
  – Task name: ContextManager.getValue("TASKNAME")
■ Request context: You can retrieve the request key by using the following code:

  HashMap<String, ContextAware> requestContext =
      (HashMap<String, ContextAware>) ContextManager.getValue("requestData", true);
  requestContext.get("requestKey");

■ Policy context: ContextManager.getContextKey() returns the key of the policy that is being evaluated. If multiple policies are applicable, this returns the key of the highest-priority policy.