OIG 11G R2 Field Enablement Training · OIG 11G R2 Field Enablement Training Lab 4.1 – PS2...

OIG 11gR2 Training

Oracle Proprietary - Restricted to Personal Use in an Oracle partner training class

OIG 11G R2 Field Enablement Training

Lab 4.1 – PS2 Request Enhancements

Disclaimer: The Virtual Machine Image and other software are provided for use only during the workshop. Please note that you are responsible for deleting them from your computers before you leave. If you would like to try out any of the Oracle products, you may download them from the Oracle Technology Network (http://www.oracle.com/technology/index.html) or the Oracle E-Delivery WebSite (http://edelivery.oracle.com)

http://www.oracle.com/technology/index.html

http://edelivery.oracle.com/

OIG 11gR2 Training


Table of Contents

Introduction to Request Related New Features in Patchset 2 ………………………………………………….. 3

Request for Secondary Account …………………………………………………………………………………………….. 4

Account Dependency for Entitlement Request …………………………………………………………………………..9

Providing Additional Information in Request for Approver ……………………………………………………….14

Hierarchical Entitlement in Catalog …………………………………………………………………………………………..28

Draft Requests. …………………………………………………………………………………………………………………………35

Catalog Search Enhancements ………………………………………………………………………………………………… 52

OIG 11gR2 Training


Introduction to Request Related New Features in Patchset 2

OIM Patch Set 2 (11.1.2.2.0) has added bunch of new features including features around requesting for accounts, Entitlements and roles.

In previous releases a user could have 2 accounts on a target, but user could only request entitlements for the account that has been nominated as Primary account. PS2 allows you to request entitlements for any account there by requesting entitlements for non primary accounts simple.

In Previous releases when use selects an entitlement to be provisioned without having an account the request flow gave a warning that the account doesn’t exist and flow was terminated. In PS2 when a user selects an entitlement for which no account exists on target, we will automatically include the base account as part of the request.

PS2 also allows you to create a Draft request there by requester can save the request come back later and submit the request. When the request is saved a request Id will be created.

PS2 allows you to provide additional request only information during the request. This is request only information (attributes) which allow the approver to look at the information and make decision on approval. This information will not be propagated to actual target but will help the approver in making decision. 11.1.2.1.0 (PS2) allows you to customize the UI interface and add link which can open a pop up window for providing additional information. There are two levels in which you can provide this information at the Cart level which will be common to all the items in the cart and at the each cart item level which is specific to each item in the cart.

PS2 will allow you to provide additional hierarchical information about entitlements. In some cases when user requests for entitlement it’s necessary to provide more information about what access user might be getting. Consider an example of requesting for EBS responsibility. When a user request for a EBS responsibility the responsibility is grant access to bunch of menu items for that user in EBS. It will be beneficial to display what menu item user is getting access to during the request process.

PS2 allows you to save your request as draft request. This allows the user to save the request in cases where user might need to gather additional information to fill before submitting the request. You can save OIM User creation request, Request for Application Instance, Entitlement and Roles as draft request. When you create a draft request a request id will be created. When the user finally submits the request, original request id will be carried forward for the approval process. The request will get updated with the current date. All the validation will be only performed during the request submission and not during the draft request creation/save.

PS2 also has done some enhancements around how to search the catalog. You can search the catalog now by using the metadata available on the catalog objects like name of the items, tags on the catalog and user defined filed in the catalog. This allows you to provide users with the ability to search the catalog by geographical region etc.. This is very useful in scenarios where you would provide a link to North America employees when they user that to search catalog. Catalog will only bring in results that are applicable to North America.

OIG 11gR2 Training


Note: If you are doing it in the workshop VM environment, please take a snapshot. Please take a snapshot after shutting down the VM completely. We would need to revert back to this snapshot for doing the lab Appedix_A-How to Create a TaskFlow

Request for Secondary Account

In previous releases an user could have 2 accounts on a target, but user could only request entitlements for the account that has been nominated as Primary account. PS2 allows you to request entitlements for any account there by requesting entitlements for non primary accounts simple.

When you request for an entitlement where user has more than one account you can specify which account you need this entitlement needs to be associated with. OIM will then provision the entitlement and associate the specified account.

Pre Requisite

Start OIM Server

Start SOA Server and make sure it’s completely started

1. Login to Identity Console as admin/Oracle123 2. Search for the user AADAM

3. Open the user AADAM and navigate to Accounts tab. The user is already provisioned to OUD

and has a primary account.

OIG 11gR2 Training


4. Click on Request Accounts to request for new Account

5. Select the Enterprise Directory – OUD from the list and Add to cart . Click Checkout

6. Provide the following details

User ID: AADAM12 First Name : Ana Last Name : Adam Container DN : ou=people ( Search and Select this)

7. Click on Ready to Submit and then Click on Submit

OIG 11gR2 Training


8. Close the Catalog Tab. Now back on Accounts tab for the user AADAM. Click Refresh

9. You should see the second account provisioned for the user. You can also see that Account Name AADAM12 displayed due to the steps we did first in this lab. The account has been provisioned as other. Since there is already a primary account for the user.

10. Now let’s try to request an Entitlement for the Other Account. Click on the Entitlements Tab . Then click on Request Entitlements

11. Search for Sales. There will be one Entitlement returned which is in OUD. Click on Add to Cart then click on Checkout

OIG 11gR2 Training


12. Notice in the next screen, there is Search facility to select Account to which this entitlement needs to be associated.

13. Click on the Search icon 14. Now you can see that there are 2 accounts displayed. AADAM12 and the previous primary

account that has been provisioned to the user. Select AADAM12 Note: The Primary account is not displaying the account name, since we have only done the change to display the Account ID (User ID) In this lab.

15. Now you can see the Selected Target account to which this Entitlement needs to be added. Click on Submit

OIG 11gR2 Training


Note: In the instance where there are multiple accounts and if you try to submit without selecting the account, you will see an error message.

16. Close the Catalog tab. Go back to Entitlements page for the user and click refresh.

17. You should see the Entitlement Sales provisioned to the Account AADAM12 which is the non primary account for the user.

Note: Ability to switch the account between Primary and Non Primary account continue to exist. You can highlight the Other account and make it Primary using the option under Action Menu as shown below.

OIG 11gR2 Training


Account Dependency for Entitlement Request

In Previous releases when user selects an entitlement to be provisioned without having an account the request flow gave an warning that the account doesn’t exist and flow was terminated. In PS2 when an user selects an entitlement for which no account exists on target, we will automatically include the base account as part of the request. This will help user request for an entitlement where account doesn’t exists rather than request flow getting terminated.

1. Login to OIM identity console using admin/Oracle123 2. Create a new OIM user with following details

First Name: Demo Last Name : User2 User Login : duser2 Password: Oracle123 Manager : Danny Crane Organization : Information Systems User Type: Part-Time Employee

3. Logout and login to Identity console as duser2/Oracle123. It will ask to reset the password. You can set it to Oracle123. Also answer the Challenge Questions.

4. Click on Catalog on the left hand side to open the Catalog

5. Search for VPN in the Catalog. This is an Entitlement in the OUD. Note that the user doesn’t have account on OUD. Add this Item to Cart.

6. Click on Checkout

OIG 11gR2 Training


7. Notice that since user is requesting for an entitlement in a target for which user doesn’t have an account, OIM has detected this and added the Account to the request automatically. It also shows that your original requested entitlement is in the cart already.

8. Fill in the Details for the Account as below. Click on Ready to Submit and then Submit. UserID: duser2 Password: Oracle123 First Name: Demo Last Name : User2 Container DN: ou=people (Search and select this)

9. Since this is a Heterogeneous Request (More than one type in the cart). OIM creates request ID for the request for approval. Since the manager is Danny Crane this request has been assigned to Danny Crane.

OIG 11gR2 Training


10. Click Refresh on the screen. You should see the status of the request changing

Parent request is waiting for approval. The Entitlement request is pending on completion of Account Approval.

11. Click on the Request ID for Enterprise Directory-OUD. Click on Approval Details Tab. You can see that Request has been assigned to Danny Crane who is the manager of the beneficiary.

12. Logout of identity console. The requests are assigned to Manager of the user. Login as

dcrane/Oracle123

13. Click on InBox , you should see a Pending Task.

14. Click on the Pending Approval item to open it. 15. This request is for Account in OUD. Now you can Approve it

OIG 11gR2 Training


16. Now logout and login as duser2/Oracle123 17. Once logged in click on Inbox

18. In the Pending Requests, on the right side, you will only see 2 pending Requests with Provision

Entitlement in Obtaining Operation Level Approval. Since the OUD account has been provisioned due to approval of last request. Status of Request for Entitlement has been changed.

OIG 11gR2 Training


19. Now Click on the Request ID for Provision Entitlement to open it & Navigate to Approval Details Tab. This request has also been assigned to Danny Crane who is the manager

20. Logout of Identity Console and login as dcrane/Oracle123. You should see one more request is

pending for approval

21. Open the Request and Approve it.

22. Logout of Identity console and login as duser2/Oracle123 23. Now you should not see any request in the Pending Requests section.

OIG 11gR2 Training


24. Click on MyAccess on Left Menu and then Accounts Tab on the right side. You should see the account for the user in OUD.

25. Click on Entitlements Tab. You should see the Requested VPN Access Entitlement granted to this user.

As we saw in this section in OIM PatchSet2, when a user request for an entitlement on target where he doesn’t have account. OIM will add the account in the cart so that the Account provisioning happens first followed by requested entitlement provisioning.

Providing Additional Information in Request for Approver Sometimes it’s necessary to provide additional information in the request. This is request only information (attributes) which allow the approver to look at the information and make decision on approval. This information will not be propagated to actual target but will help the approver in making decision. 11.1.2.1.0 (PS2) allows you to customize the UI interface and add link which can open a pop up window for providing additional information. There are two levels in which

OIG 11gR2 Training


you can provide this information at the Cart level which will be common to all the items in the cart and at the each cart item level which is specific to each item in the cart. 11.1.2.1.0 (PS2) has introduced a new interface AdditionalRequestInfo. This interface has setAttribute and getAttribute methods for setting the additional information and getting the information respectively. You can create a custom taskflow which will have fields for displaying/entering the information to users. This custom taskflow will use the AdditionalRequestInfo for setting the values (using setAttribute method) whenever the values are set by the requester or approvers. It will display the values to the user using getAttribute method. You can deploy this taskflow as part of oracle.iam.ui.custom library. This is a custom war file that get’s supplied with OIM where you can configure all your customizations and deploy. UI customization through webcenter composer will allow you can add link or button for calling this taskflow. Let’s look at the additional information in the request feature 1. Stop the OIM Server. 2. Copy the oracle.iam.ui.custom-dev-starter-pack.war located at /app/dummydata/Lab4.1 to

OIM Server. This WAR will replace the existing war file & this war contains the custom taskflow for providing additional information in the request. cp /app/dummydata/Lab4.1/oracle.iam.ui.custom-dev-starter-pack.war /app/Middleware/Oracle_IDM1/server/apps/. Note: This war file is supplied as part of the OOTB install. The idea is to allow any customization to be included in this war file and deploy it to server without touching the core OIM war files.

3. Start OIM Server 4. Login to OIM Identity console as admin/Oracle123 5. Click on Sandboxes link at the top

6. Click on Import SandBox

7. Click on Browse and select /app/dummydata/Lab4.1/sandbox_AdditionalRequestInfo.zip file

OIG 11gR2 Training


Note: You would create a sandbox from beginning and also modify the existing oracle.iam.ui.custom-dev-starter-pack.war as part of lab Appendix_A-How To CreateTaskflow Lab later.

8. Click Import to import the sandbox 9. Now Click Refresh on the sandbox page. You should see the new sandbox

AdditionalReqInformation

10. Highlight the AdditionalReqInformation sandbox and Publish it by clicking Publish SandBox

11. Click Yes on the Publish confirmation dialog

12. Now we need to change the risk level of a role to high so that according to the approval policy it will go through two levels of approval so that approver can then see the additional request information. Login to Identity Console as sellison/Oracle123. This user is catalog administrator

13. Click on the Catalog on the left to open the catalog

OIG 11gR2 Training


14. Search for Mobile Services. You should have the roles Mobile Services displayed

15. Click on the i (Information) button to open the details about the role Mobile Services.

16. Change the Risk Level from Low Risk to High Risk. Click on Apply to save the change

OIG 11gR2 Training


You should get the success message

17. Logout of Identity Console 18. If the SOA Server is not running. Start the SOA Server and wait for the server to start fully. 19. Now let’s test the additional request information. Login to Identity Console as

jkrause/Oracle123 20. Click on Catalog to open the catalog

21. Search for Mobile Services role and Add to Cart

OIG 11gR2 Training


22. Search for Payables Application Entitlement and Add to Cart. Once done click on Checkout

23. On the checkout screen notice that there are links to add request only information in two

places. One at the Cart level and other at the per cart item level.

24. Click on the Additional Cart Information link

25. It will open a pop up box as shown below. Enter the information as shown below. Click on Save

OIG 11gR2 Training


26. Now click on Additional Cart Item Information for the entitlement Payables Application

27. Provide a Valid Start and End Date in the pop up as shown below. Click on Save once done. Also notice the Header in the pop up reflect the cart item you are providing this information.

28. Now click on the Additional Cart Item Information for role Mobile Services

29. Notice that the Header of the pop up window reflects the role you are requesting. Also

notice that the pop up for role is requesting different information than the one requested for Entitlement. It’s possible to call different task flow based on what’s being requested. Also it is possible to display the Additional information link conditionally if you need to collect this information for only subset of roles/entitlements/Application Instances in the Catalog. Fill the Pop up window as shown. Click on Save once done.

OIG 11gR2 Training


30. Submit the Cart for Approval by clicking on Submit

Note: If you would like to validate the additional request information entered by end user you can use a validation action handler. An example will be validating start and end dates and making sure that end date is not before start date. The validation handler can throw an error message. This validation can be done once the user clicks on Submit

31. You should have two requests created. (Your request id might be different)

32. According to the approval policy defined, the request will first go to user’s manager. For Entitlement with a risk level of Low only manager needs to approve. For the role with High Risk it will be two level approvals, first by manager then by any member of Audit Review Group. Login to Identity Console as manager dcrane/Oracle123

33. Clik on Inbox on the Left

34. You should see two approval request pending. Click on the first request to open it.

OIG 11gR2 Training


35. Look for whether it’s a request for Role Mobile Services, If it’s not go back to Inbox and click on other request. If the request is for Mobile Services continue. (Note : It’s possible to include the requested cart item in the subject of the approval request)

36. Click on the Additional Cart Information link to open the pop up. This provides the common information at the cart level which is shared by all the cart items. Notice the information supplied by the requester.

OIG 11gR2 Training


This information is supplied for approver and is request only. Approver can use this information to make his decision.

37. Since this request for Role involves two level approvals let’s make some updates as shown. Once done click on Save

38. Now click on the Additional Cart Item Information link. This provides information specific to the item in the cart. Notice the information supplied by requester

OIG 11gR2 Training


Lets update the End Date. Once done click on Save

39. Now click on the Update button to save the update to request data.

You should see a message successfully updated the request data

OIG 11gR2 Training


40. Now Click on Approve to approve the request.

41. Refresh the Inbox. You should see only one remaining approval. Click on it to open

42. Click on the Additional Cart Item Information to open the pop up

OIG 11gR2 Training


Notice the information supplied by the requester. This information is request only and will help requester in making his approval decision.

43. Since the Entitlement requires only one level of approval (According to the approval policy we have). We can just approve the request. Click on Approve to approve the request.

44. Logout of Identity console. 45. Now for the Role request it requires a second level approval. This approval will be from

Audit Review Team (According to the approval policy and the BPEL composite we have deployed in Lab 3 & 3.1). Login to identity console as as sdowns/Oracle123 who is part of Audit Review Team. Note: if the system asks you to change the password, set the password to Oracle123

46. Click on InBox to open the inbox. There should be one approval pending. Click to open it.

OIG 11gR2 Training


47. Once the request is open, click on Additional Cart information link to open the pop up. This provides the information entered at the cart level which is common to all the items in the cart. Notice that the information contains both supplied by the requester (jkruase) and updated by the first approver (dcrane) . Dcrane has updated End Date. Notice that since this is the final approval in the two level approval. Information is presented as Read only

This allows the second level approver to make his decision based on the information supplied.

Click on the X link to close the pop up.

The approver can always go to Approvals link and see the approval chain as well

OIG 11gR2 Training


48. Now click on the Additional Cart Item Information link to open the information specific to

the cart item Notice the information provided by the requester. The pop up also has the information updated by the first level approver. (End Date). Notice that since this is the final approval in the two level approval. Information is presented as Read only

Click on X to close the window.

49. Click on Claim to claim the request then Approve the request. 50. Now the Requester should have the role and entitlement requested. You can check it by

logging into Identity console as jkrause/Oracle123. The MyAccess link will display the current Application Instance, Entitlement and Roles granted to the user

OIG 11gR2 Training


Note: We didn’t request access for Application Instance requester can also provide cart level and item level information just like Role and Entitlement we saw in this lab.

As we saw in this section you can create custom taskflow to display additional information for the request. The information can be supplied both at the cart level which is common and also at the individual cart item level. This is request only information which will be used by the approver during the approval.

Hierarchical Entitlement in Catalog

In some cases when user requests for entitlement it’s necessary to provide more information about what access user might be getting. Consider an example of requesting for EBS responsibility. When a user request for a EBS responsibility the responsibility is grant access to bunch of menu items for that user in EBS. It will be beneficial to display what menu item user is getting access to during the request process.

PS2 will allow you to display this additional information using hierarchical entitlement functionality. The additional details of entitlements is called technical glossary. The technical glossary is displayed in a list view with bread crumbs at the top showing the navigational path in a hierarchical setup

PS2 allows you to define the hierarchical structure for hierarchical entitlement(s) in an XML file. You can then use the catalog synchronization schedule job to load hierarchical definition for entitlements into catalog which will be displayed when user requests the entitlement(s).

OIG 11gR2 Training


Let’s take a look at this feature.

1. Login to sysadmin console as admin/Oracle123 2. Click on the scheduler link and search for Catalog*

3. Open the Catalog Synchronization schedule job 4. Update the FilePath as /app/dummydata/Lab4.1 & Mode as Technical Glossary. Click on

Apply and Run Now

OIG 11gR2 Training


Note: Open the file HEntitlement.xml located in /app/dummydata/Lab4.1 and take a look at the file to understand the hierarchical entitlement definition provided for two entitlements VPN Access and Open Ticket for Desktop. These entitlements are from OUD (groups). We are just demonstrating the hierarchical entitlement as these descriptions won’t translate to actual menu items or links. But as mentioned before for target link EBS a responsibility entitlement could have menu items which gets granted as part of the entitlements and the hierarchical entitlements structure will let you display that to the requester. Note: For the File Path we only need to provide the directory which contains our hierarchical entitlement definitions.

5. Make sure that the job is executed successfully

6. Once you see the sucessful run. Remove the File path you have entered and change the Mode to Incremental. Click on Apply to save the change.

OIG 11gR2 Training


7. Now in a command prompt navigate to /app/dummydata/Lab4.1 directory and look at the files. The schedule job will create two directories archive and xmlprocessedlogs

8. Open the archive directory. The file that was executed by the scheduled job will be backed up in this directory with the timestamp of schedule job execution

OIG 11gR2 Training


9. Look at the xmlprocessedlogs directory. If there are any errors during the execution it will create a log file for the execution run and report error in the file. We don’t have any errors so there are no error files

10. Now login to Identity console as admin/Oracle123 and click on Catalog to open the catalog

11. Search for Entitlement VPN Access. You can see that it has an extra link now for displaying the hierarchal entitlement. Click on the link top open it.

OIG 11gR2 Training


12. Now you should see the first level information in the hierarchical entitlement structure. Click on the arrow to open next level

13. Similarly click on arrows at each level to display the complete hierarchical entitlement description. As mentioned this hierarchy will represent what menu items, links will be enabled for the user when you request and get this entitlement on the target.

OIG 11gR2 Training


14. Similarly you can search for Entitlement Open Ticket for Desktop

15. You can navigate hierarchical entitlement and look at the full hierarchy. As mentioned this hierarchy will represent what menu items, links will be enabled for the user when you request and get this entitlement on the target.

OIG 11gR2 Training


Draft Requests

Draft request is a new feature that has been added in the PS2 version. The Draft feature allows a requester to save the request. Requestor might want to get additional details before submitting a request. With Draft request feature requestor can save the request and modify it at a later time and then submit it once he has all the details needed to fill in for the request. This is available to any end user who can raise requests. All types of request except the Self Service requests can be save as draft requests. When the request is saved a request id will be created for the request. Once the request is saved it can be updated multiple times before finally submitting it. Once the request is saved it will be with the status “Request Draft Created”. This request can only be tracked by the requester. It’s also possible to delete a draft request as well. No validation will be performed when a request is saved as draft and no sensitive data is stored as part of the draft request. Once the request is finally submitted validation will be performed on the request. Request will also get updated with the request date as the current date and request then follows the normal flow. We will look at 3 use cases with draft request 1. Draft request support for user creation requests. 2. Draft request support for Heterogeneous requests

Draft Request Support for User Creation Requests

1. Login to Identity Console as admin/Oracle123 2. Click on Users under Administration, then click on Create

3. Provide the details as shown below. When finished click on Save as Draft

You can provide password as “Oracle123”

OIG 11gR2 Training


4. Once you submit the draft request, you should get a request id with the status of the request set to Request Draft Created. Note down the request id.

Notice that the Draft request doesn’t save the sensitive information like Password

5. Now lets search the request. Click on Track Request. Select Request Raised by Me and provide the request ID & Search. You should be able to see the request Note: Your request id might be different than what’s shown in this example.

OIG 11gR2 Training


6. Open the request again by clicking on the request id 7. Now provide some additional information on the request

Provide some values to the fields Telephone Number & Home Phone

8. Once finished click on the “Update Draft Request”

9. You should see the updated information saved in the draft request

OIG 11gR2 Training


10. Search for the request again under Track Request

11. Open the Request again

12. Notice each time that sensitive information (password) is not stored. Provide the password as

“Oracle123” . Once finished click on “Submit”.

OIG 11gR2 Training


13. At this point OIM will update the status of the request as well as the request date.

14. Click on the Refresh link and you should see an approval task generated. Eventhough Admin is

requesting the create user the draft request will always go through approval

OIG 11gR2 Training


15. Now click on the Inbox and you should see a approval task pending.

16. Click on Action -> Approve to approve the request

17. Finally open the Users page and search for the user. You should see the user successfully

created

OIG 11gR2 Training


18. Finally if you open the user by clicking on the User Login (DUSER10) link for the record, you

should see all the attributes for the user including the home and telephone number we updated after the initial draft created.

Note: Similarly you can save the request as Draft when you request for Account/Entitlement/Role as a Manager/Delegated Administrator OR end user.

19. For next part of the lab, Lets Modify the user to add a Manager. Click on Modify User 20. For the manager field Search for a user DCRANE and Assign.

OIG 11gR2 Training


21. Click on Submit to make the change. Since this is not a draft request and the administrator is

requesting the modification. Modification will be done without a request.

OIG 11gR2 Training


Draft request support for Heterogeneous requests

1. Login as newly create duser10/Oracle123. Change the password to same password and answer the challenge questions.

2. Click on the Catalog on left hand side menu. This will Open the Catalog on right hand side

OIG 11gR2 Training


3. Search for Enterprise Directory in the catalog. Select the Enterprise Directory –OUD and Add to Cart.

4. Search for Denver Badge (It’s a role) and Add to Cart. Click on CheckOut

5. Now you have two items in the cart of different type. This will create a Heterogeneous Request. Click on Save as Draft

OIG 11gR2 Training


6. This will create a draft request with Heterogeneous Request type (since the cart has items which are more than one type i.e Application Instance & Role). Note down the request id

OIG 11gR2 Training


7. Now Open the Track Request and Search. You should be able to create the Request you created

8. Open the Request by Clicking on the Request ID 9. Now highlight on the Enterprise Directory - OUD and provide Details as shown below. When

finished click on Update Draft Request. For Password you can provide Oracle123

10. Now you should see that the request is getting updated. Also notice that Draft Request doesn’t store the sensitive information

OIG 11gR2 Training


11. Open the Track Request and Search for the request again

12. Click the Request ID and Open the Request Again for Update. Provide the password &

Telephone and click on Ready to Submit

OIG 11gR2 Training


13. Now click on Submit to finally submit the request for approval.

14. According to the approval policy we defined in the OIM. It has created 2 requests .One for Application Instance and other for Role.

OIG 11gR2 Training


15. Lets open the request for Denver Badge by clicking on Request ID 16. This request has been completed. This is based on the approval policy for Roles we have

created in this environment (Roles with Low Risk will be auto approved). Close this tab by Clicking on the X

17. Now click on the Request ID for Application Instance Enterprise Directory – OUD to open the request. Note down this request ID since we need it later.

18. Click on the Approval Details tab and you can see that the request has been assigned to Danny Crane who is the manager of current user.

OIG 11gR2 Training


19. Logout and login to Identity Console as dcrane/Oracle123. If asked to change the passwords provide the same password.

20. Once logged in click on the inbox. You should see an approval pending. Highlight the row and click on Approve. Once done logout

21. Login again to Identity Console as duser10/Oracle123 22. Now Open the Request for Enterprise Directory – OUD. You should see the status completed

OIG 11gR2 Training


23. Click on My Access on left hand side , Then click on Accounts Tab you should see the Account

Granted to the user

24. Click on the Roles tab, you should see the role Denver Badge granted.

OIG 11gR2 Training


Catalog Search Enhancements PS2 release has added new catalog search functionality. You could pass search parameters into catalog and display a filter search. This would be parameterized catalog search capability. Example you would like to display links for the users where the links are by region. When the user clicks on a specify country you can display all the catalog items relevant to that country. When you specify search filters you can use the objects name, the user defined tags or use the value of user defined catalog field. This functionality will also be helpful in the event you are building your own UI and need to call and display the catalog items. You can call the catalog task flow by passing In the parameters which will filter the result according to your search filter. Lets look at the functionality. 1. As mentioned we can search the objects using user defined tags as well as user defined UDF

in catalog. Lets first add tags to couple of objects in the catalog. Login as catalog administration sellison/Oracle123 to Identity console

2. Open the Catalog and search for San Francisco Badge

3. Open the Catalog description by clicking on i link

4. For the User Defined tags add US,California. Click on Apply (You need to change the focus

on the page from user defined tags attribute in order for Apply button to get enabled) Once done close the window.

OIG 11gR2 Training


5. Go back to Catalog and search for Los Angeles Badge

6. Open the Catalog Description and add the same tag , Click Apply and close the window

7. Now back to Catalog Search for Denver Badge

OIG 11gR2 Training


8. Open the Catalog Description. For the User Defined Tags enter US,Colorado Click Apply and close the window.

9. Logout from OIM. 10. Now we would also demonstrate using catalog UDF value in the search filter as well. So we

need to extend the Catalog to add UDF field for catalog. Login to sysadmin console as admin/Oracle123

11. Click on Sandboxes and create a new sandbox catalog_udf 12. Now open the catalog by clicking the Catalog link under System Entities

13. Click on Create (+) button to create a new field

OIG 11gR2 Training


14. Select the Type as Text and click ok

15. Enter the display label as Location. The name will be prepolulated to location. Click on Searchable. Click Save and Close to save the field.

16. You should have the UDF created for the catalog

17. Now we need to display this UDF in the UI. Login to Identity console. ( You can type identity.oracleads.com:14000/oim in the same browser window)

OIG 11gR2 Training


18. Click on the Sandboxes and make the catalog_udf sandbox Active

19. Click on Catalog link and search for San Francisco Badge

20. Now click on Customize link

21. Now for the Displayed San Francisco Badge click on i button

22. This should open the additional catalog details page

OIG 11gR2 Training


23. Now click on the View -> Source to take you into customization mode

24. Click on San Francisco Badge. On the top you should see the code getting highlighted

25. One the source code section. Move one level up to panelFormLayout and click on Add Content

OIG 11gR2 Training


26. Locate Data Component – Catalog and open it

27. Locate CartItemsV01 and open it

OIG 11gR2 Training


28. Scroll down and locate Location attribute. Click on Add and select ADF Input Text w/Label

29. Close the Add Content window by clicking X . You should see the new attribute added

30. Now close the customization mode by clicking close

OIG 11gR2 Training


31. Click on the Sandboxes to open the current sandboxes. Highlight catalog_udf and publish the sandbox. Remember to close all the other tabs before publishing

32. Now let’s add some value in this user defined attribute. Logout of OIM. Login to Identity console as sellision/Oracle123 . This user is catalog Administrator

33. Open the catalog and search for San Francisco Badge. Click on the i to open the information page

34. Update the Location attribute with Redwood Shores and Audit Objective to SOX . Click on Apply Note: We don’t use the Audit Objective for this lab, but in order for Apply button to be enabled we need to update OOTB attribute

35. Close the window by clicking on X and logout 36. Now let’s test the Catalog Search with filters. Login to Identity console as admin/Oracle123 37. Click on Sandboxes and then Import Sandbox 38. Select /app/dummydata/Lab4.1/sandbox_CatalogCustomizations.zip and click on Import

OIG 11gR2 Training


39. Click on Refresh in the main page. You should see the imported sandbox. Highlight and Click on Publish Sandbox to publish it.

40. Now click on Catalog. You would see an additional tab Browse and you would see links. All the highlighted links will work for this lab

Note: This sandbox was designed using by creating a sandbox first. Then creating a additional tab. Once the tab is created. The links (command Links) has been added in the page. Sandbox was finally exported. You would create a sandbox , export and update the contents and import it in the Appendix_A-How To CreateTaskflow lab.

OIG 11gR2 Training


Note: You can design this links using sandbox importable file. Unzip the /app/dummydata/sandbox_CatalogCustomizations.zip file. Navigate to oracle/iam/ui/catalog/pages/mdssys/cust/site/site and open the searchcatalog.jsff.xml using gedit and take a look. The page design you see above is specified in this file. You can modify this file according to your requirements and import the sandbox as needed. When you click on each of these highlighted links a filter will be sent to the catalog which will return a filtered list of items. There are the attributes you can pass in a search to look at the items in catalog and these are the attributes you can pass {criteriaName: string, allowSearch: true/false, profileName: string, directCheckout: true/false, showEntityTypeSelector: true/false, hiddenTag: string, allowedEntityTypes: string, tags: string, entityType: string, auditObjective: string, riskLevel: string,any user defined field: string}

criteriaName – A Name given to your search criteria allowSearch - Optional boolean attribute to control rendering of tag search field in results page profileName - Optional string attribute to take user to cart page by simulating the saved profile click directCheckout - Optional attribute to add search results to cart and take user to checkout page (true/false) showEntityTypeSelector - Optional boolean attribute to show entityTypeSelector dropdown. Will be shown only if allowSearch is also set to true. hiddenTag - Optional string attribute to further narrow down the search within the tags specified. allowedEntityTypes - Optional string attribute to show entityTypes in the entityTypeSelector dropdown. If more than one entity is to be shown, they need to separated by '~' delimiter. eg "Role~Entitlement" tags - Search criteria for tags. It is a mandatory string attribute in all cases except when profileName is specified.

OIG 11gR2 Training


entityType - Optional String attribute specifying search criteria for entity type (Role/Entitlement/ApplicationInstance) auditObjective - OOTB attribute audit objective's value riskLevel - OOTB attribute risk level's values that can be 3(Low Risk), 5(Medium Risk), 7(High Risk) user defined field – Any UDF defined on the catalog will be used for the search There are 3 attributes that are important to our search Tags: Value for this could be name of the object (App Instance , Role,Entitlement) Or it could be user defined tag in the catalog hiddenTag : This will allow you to further narrow down the result. E.g Lets say you have defined a user defined tag as US, California. When you specify tag as US it will search and bring all the objects that matches. When you specify the hiddenTag as California . It will narrow down the result to only those object that matches the tag California. So the results from US will filtered down into only objects that matches California. User Defined Field (UDF) in the catalog: You can define an UDF on catalog by extending the catalog object and use it in the search .

41. Click on the LDAP Targets

42. You should see the result with only Enterprise Directory – OUD

OIG 11gR2 Training


Lets look at the search criteria for this. Open the searchcatalog.jsff.xml using gedit from your exploded sandbox_CatalogCustomization.zip at /app/dummydata/Lab4.1. The file will be at oracle/iam/ui/catalog/pages/mdssys/cust/site/site Search for LDAP Targets in the file and located the below snippet <af:commandLink xmlns:af="http://xmlns.oracle.com/adf/faces/rich" id="e2089913679_cl1_1" text="LDAP Targets"

actionListener="#{backingBeanScope.catReqBean.searchCatalogs}" partialSubmit="true">

<af:clientAttribute xmlns:af=http://xmlns.oracle.com/adf/faces/rich name="searchCriteria"

value="{entityType:"ApplicationInstance", criteriaName: "Enterprise ", tags: "OUD*",

allowSearch: "false"}"/>

</af:commandLink>

The code for executing this (ADF Bean) is in the oam dev started war file we deployed earlier. When user clicking on the link its calling the bean highlighted in the actionListener. Look at entityType Its Application Instance . So we would like to search the application instances as part of this search. Look at the tag we passed for this search. Its OUD* . We need to search any application instance which has its name as OUD or catalog tags which has OUD. In our case the search is looking at the name of the object and its brining the result which matches to the search filter. Also note that we need to pass the values in &quot which will put “ for the values.

43. Click on Back to Catalog Home to go back to Catalog. Now click on Sales

44. You should see the result highlighted below

http://xmlns.oracle.com/adf/faces/rich

OIG 11gR2 Training


In the searchcatalog.jsff.xml search for Sales and locate the below snippet <af:commandLink xmlns:af="http://xmlns.oracle.com/adf/faces/rich" id="salesid" text="Sales"


<af:clientAttribute xmlns:af="http://xmlns.oracle.com/adf/faces/rich" name="searchCriteria"

value="{hiddenTag: "Sales*", entityType:"Entitlement", allowedEntityTypes:

"Entitlement", showEntityTypeSelector: "true", criteriaName: "Sales Entitlements"}"/>

</af:commandLink>

In this example we want only the Entitlements (entityType) and we are using hiddenTag. So it will filter the entitlements and will only bring in thoese entitlements which either has the name which contains sales or user defined tag which has sales

45. Click on Back to Catalog Home and click on Application Access : Payroll

46. You should see the below result

Now search for Application Access: Payroll in the searchcatalog.jsff.xml file and look for this snippet <af:commandLink xmlns:af="http://xmlns.oracle.com/adf/faces/rich" id="e2089913679_cl5" text="Application Access: Payroll"


OIG 11gR2 Training



value="{entityType:"Entitlement",tags: "Application", hiddenTag:"Payroll",allowSearch:

"true"}"/>

</af:commandLink>

We are searching for Entitlement (entityType). The tag: Application specifies to search for any entitlements that has name or user defined tag as Application. The hiddenTag:Payroll allows us to further narrow down the result only to Application which has Payroll. If you go back to catalog and click on the link Application Access you would see that you get all the entitlement which has Application and if you look at the code snippet for that section you notice that we don’t pass hiddenTag. We only pass tag:Application which will give us all the entitlements with name or user defined tag as Application. This is how you further restrict down the search result. <af:commandLink xmlns:af="http://xmlns.oracle.com/adf/faces/rich" id="e2089913679_cl5_1" text="Application Access"



value="{entityType:"Entitlement",tags: "Application", allowSearch: "true"}"/>

</af:commandLink>

47. Click on Back to Catalog Home and click on Fulfillment Roles

48. Look at the result. You would be getting all the roles which has fulfillment

OIG 11gR2 Training


In the searchcatlog.jsff.xml search for Fulfillment and look at the code snippet

<af:commandLink xmlns:af="http://xmlns.oracle.com/adf/faces/rich" id="e2089913679_cl3" text="Fulfillment Roles"



value="{entityType:"Role", showEntityTypeSelector: "false", criteriaName: "FulFillment

Roles", hiddenTag: "Fulfill*"}"/>

</af:commandLink>

This would be similar to previous example. We are looking for the entityType Role. And in the hiddenTag we have specified as Fulfil*. So the result will have all the roles that has Fulfillment.

There is one more link under the roles for Tracking Role which works same as above.

49. Now go Back to Catalog Home and click on HQ under By Location

OIG 11gR2 Training


50. Look at the result

Now look at the searchcatalog.jsff.xml file ad search for HQ and look at the snippet <af:commandLink xmlns:af="http://xmlns.oracle.com/adf/faces/rich" id="e2089913679_cl4_2" text="HQ"


<af:clientAttribute xmlns:af="http://xmlns.oracle.com/adf/faces/rich"

name="searchCriteria" value="{entityType:"Role", criteriaName: "HQ Roles", showEntityTypeSelector:

"false",tags:"Badge",Location: "Redwood Shores"}"/>

We are looking for entityType Role. We are searching by the tag Badge. But we are using the user defined UDF in the catalog. We have defined an UDF called Location earlier in the lab and for San Francisco Badge role we have specified the value for this attribute Location as Redwood Shores. This is an example of searching the catalog by using the user defined attribute for the catalog by extending the catalog. So in this example even tough the catalog contains multiple roles with value as Badge. The search uses the Location attribute value to present the final filter result.

51. Go back to Catalog Home page and click on US under By Region

OIG 11gR2 Training


52. Observe the result

Look at the searchcatalog.jsff.xml and search for US and look at the code snippet <af:commandLink xmlns:af="http://xmlns.oracle.com/adf/faces/rich" id="e2089913679_cl7" text="US"



value="{criteriaName: "US", tags: "US", allowSearch: "false"}"/>

</af:commandLink>

Here we are searching with the tag US. This uses the User Defined Tags in the catalog. During the beginning of this section we had opened the roles San Francisco Badge, Los Angeles and specified user defined tags as US,California and for Denver Badge we have specified the tags as US,Colorado So the search is looking the user defined tags and in this case 3 objects are matching the tags so it’s filtering the result to those 3 objects.

53. Go back to Home and click on California under by Region -> US . Now you should only see 2 results. San Francisco Badge and Los Angeles Badge

OIG 11gR2 Training


Look at the Code Snippet by searching for California <af:commandLink xmlns:af="http://xmlns.oracle.com/adf/faces/rich" id="e2089913679_cl7_1" text="California"



value="{criteriaName: "California", tags: "US California", allowSearch: "false"}"/>

</af:commandLink>

In this case we are passing US California for the tag and it will filter the results to only objects that have these two tags. This example shows searching the catalog using the tags defined for the catalog items.

54. Go Back to Catalog Home. Click on the By Region -> US -> Colorado. You should see the below result

If you look at the code snippet in searchcatalog.jsff.xml by searching for Colorado <af:commandLink xmlns:af="http://xmlns.oracle.com/adf/faces/rich" id="e2089913679_cl7_2" text="Colorado"



value="{criteriaName: "Colorado", tags: "US Colorado", allowSearch: "false"}"/>

</af:commandLink>

It would be similar to the earlier example. Here we are searching by the tags US Colorado.

Summary

OIG 11gR2 Training


In this lab we have seen the request related enhancements done in PS2. It would be now easier to request for a secondary account and request entitlements on those accounts. We now support draft request. We also support supplying additional request only information as well as hierarchical entitlements which would be useful when requesting entitlements for targets like EBS. We have also seen how to use the parameters for searching the catalog which will be useful in use cases where we need to provide users with the ability to search catalog by region etc.. based on the data available on the catalog items.

OIG 11G R2 Field Enablement Training · OIG 11G R2 Field Enablement Training Lab 4.1 – PS2...

Documents

Transcript of OIG 11G R2 Field Enablement Training · OIG 11G R2 Field Enablement Training Lab 4.1 – PS2...