Archive for July, 2010

Oracle Identity Management 11g Products available for download!

Click here or visit the Oracle Technology Network to download and check out the latest Oracle Identity Management 11g products!


A Primer on Oracle Identity Manager 11g

July 27, 2010

As you may already know, Oracle Identity Manager, Oracle’s industry leading identity administration and user provisioning solution, provides operational and business efficiency through centralized administration & complete automation of identity and user provisioning events across the enterprise as well as the extranet. With its latest 11g release, Oracle Identity Manager has now been architecturally optimized for internet-grade scalability in cloud, distributed & in-house environments. This release not only provides enhanced usability to enrich user experience but also provides advanced security features for a granular control of this user experience. Oracle Identity Manager’s superior performance for enterprise-grade deployments makes it an ideal choice for customers seeking an identity administration platform that can serve their changing business needs.

Let’s talk about some of the exciting new innovations with the 11g release, which has seen over 750 man months of development time from a dedicated Engineering team and 1300 man months of QA in this release, not to mention a great team of solution architects and product managers (cannot discount them!).

Rich User Interface

Oracle Identity Manager 11g provides a multi-tab, desktop-application-like, dynamic Web 2.0 user experience using Oracle’s ADF technology. In addition to great usability, it also provides a high-performance architecture with features such as partial page rendering, real-time scrolling, and transparent paging. This UI framework allows high-level, metadata-driven customization, such as branding changes, label changes, changes in default sorting schemes, etc. It also includes built-in globalization and accessibility support. It provides very advanced browse, keyword-based search and advanced search capabilities. It also tailors the user experience for different user groups: for example, a task-oriented, desktop-application-like UI model for administrators and guided wizards for business end-users. This corporate-wide UI framework contributes to customers’ bottom lines by allowing for greater flexibility in UI customization and reducing the UI learning curve for business end-users and administrators.

Suite Integration

Oracle Identity Manager provides out-of-the-box integration with Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator to significantly reduce the deployment and administrative costs associated with setting up an enterprise deployment topology. Oracle Identity Manager provides the password management flows (security registration, expired password, forgotten password etc.) within the login flows initiated by Oracle Access Manager. As an example, end-users clicking on the forgotten password link in Oracle Access Manager are seamlessly directed to Oracle Identity Manager. Similarly, in an integrated Oracle Identity Manager, Oracle Access Manager and Oracle Adaptive Access Manager environment, the challenge questions for the forgotten password flows may be answered in Oracle Adaptive Access Manager using its virtual devices. Oracle Identity Navigator provides a single, suite-wide SSO-enabled launch-pad to all Identity Management product administrative consoles, which streamlines the user experience and significantly improves the service levels.

Request Management

Oracle Identity Manager 11g provides multiple enhancements in the area of request management. It allows users to create requests for business & IT roles, new application accounts, modifications to existing application accounts, and application entitlements or privileges. It provides a very flexible, simplified, business-centric, and context-sensitive request creation wizard that allows users to create these requests in the context of their current views. As an example, users may create requests for additional roles while viewing their existing role assignments, create requests for additional accounts or modifications to existing accounts while viewing the provisioned resource lists, or create a complex request including multiple roles & resources for themselves or others from their home page. By placing the request and approval process closer to the business, enterprises realize better service levels and reduced costs.

Request Templates

The Request Management service in Oracle Identity Manager 11g allows administrators to create job- or role-specific request templates. A template is a simplified overlay on top of a request model that allows the person defining that template to control how a request gets created, and to add additional layers of approval, authorization and data restrictions over those already defined in the model. Once configured by the administrators, the request templates provide the much-desired request catalog services to the end users. This results in a significantly enhanced usability experience for end users creating access requests, since they are presented with a narrowed-down list of roles, resources and entitlements specific to their job functions.

Approval Workflow Orchestration

Oracle Identity Manager 11g relies on Oracle BPEL Process Manager, an integral component of Oracle SOA Suite, for its approval workflow and routing engine. Developers can use Oracle JDeveloper as their Integrated Development Environment, which offers a rich visual design paradigm for creating and deploying BPEL-based processes. Developers can also leverage Oracle BPEL Process Manager’s advanced approval features, such as email-based approvals, serial or parallel approval orchestrations, or voting-based approval. This not only results in significantly faster deployment time, but also provides the architectural agility to adjust workflows quickly when business processes and enterprise policies change the approval needs.

Universal Delegated Administration

Oracle Identity Manager 11g introduces a new feature called Universal Delegated Administration that provides a highly flexible authorization model without compromising corporate security policies, by moving the administration point as close to the user as possible. Oracle Identity Manager now embeds a fine-grained authorization service based on Oracle Entitlement Server. Using this authorization service, Oracle Identity Manager provides advanced, attribute-level delegated administration policies that can be scoped using organization hierarchies and assigned based on roles. For example, administrators can configure a policy stating that users in the helpdesk administrator role can only change the passwords of users in certain organizations, or that users in the organization administrator role can unlock a locked-out user only in their own organization. Additionally, as enterprises start managing the extranet, Universal Delegated Administration enables them to define complex delegation policies for the extranet identity administration needs of users like customers, partners, suppliers etc.
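As an added illustration of how organization-scoped, attribute-level delegation policies of the kind described above can be evaluated, here is constructed example code (not Oracle Entitlement Server or the OIM authorization API; the organization tree, roles and policies are made up). It mirrors the two example policies from the text and denies everything a policy does not explicitly grant.

```python
from dataclasses import dataclass

# Constructed organization hierarchy: child -> parent (None marks the root).
ORG_PARENT = {
    "Sales-East": "Sales",
    "Sales-West": "Sales",
    "Sales": "Corp",
    "Engineering": "Corp",
    "Corp": None,
}


def org_chain(org):
    """Yield an organization and each of its ancestors up to the root."""
    while org is not None:
        yield org
        org = ORG_PARENT.get(org)


@dataclass(frozen=True)
class Policy:
    role: str                  # administrative role the policy is granted to
    action: str                # e.g. "reset_password" or "unlock"
    scope_orgs: frozenset      # organizations in scope; empty = admin's own org
    include_children: bool     # whether sub-organizations are also in scope
    attributes: frozenset = frozenset()  # user attributes the action may touch


@dataclass(frozen=True)
class User:
    login: str
    org: str
    roles: frozenset = frozenset()


# Constructed policies mirroring the two examples in the text above.
POLICIES = [
    # Helpdesk administrators may reset passwords only for users anywhere
    # under the Sales organization, and may touch no other attribute.
    Policy("helpdesk-admin", "reset_password", frozenset({"Sales"}), True,
           frozenset({"password"})),
    # Organization administrators may unlock users only in their own org.
    Policy("org-admin", "unlock", frozenset(), False),
]


def in_scope(policy, admin, target):
    """Check whether the target user's organization falls inside the policy's scope."""
    scope = policy.scope_orgs or frozenset({admin.org})
    if policy.include_children:
        return any(org in scope for org in org_chain(target.org))
    return target.org in scope


def authorize(admin, action, target, attribute=None):
    """Deny by default: return True only if some policy explicitly grants the action."""
    for policy in POLICIES:
        if policy.role not in admin.roles or policy.action != action:
            continue
        if attribute is not None and attribute not in policy.attributes:
            continue
        if in_scope(policy, admin, target):
            return True
    return False
```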

High Performance Reconciliation Engine

Oracle Identity Manager 11g has a new high performance, next generation reconciliation engine that is optimized for handling multi-million user populations. For extranet and enterprise deployments with such high volume scenarios, up to 10x performance gains have been observed when compared with previous releases. Oracle Identity Manager achieves such performance gains by leveraging bulk and batch processing design paradigms directly at the database tier, which altogether avoids increased network latency resulting from middle tier to database tier communication.

Web-based Reconciliation Event Management

Oracle Identity Manager 11g provides a web based reconciliation event management tool that allows operational administrators to manually (also known as ad-hoc) link high-risk orphan accounts to users. Administrators can also tag these orphan accounts as service accounts, also known as administrator or privileged accounts, which have special life cycle requirements that extend beyond the lifecycle of an assigned user and across the lifecycles of multiple assigned users. Proper management of service accounts can help to eliminate another source of potential orphan accounts.
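To make the reconciliation concepts above concrete, here is a constructed example (not OIM's reconciliation engine; identities, accounts and the correlation rule are made up) that correlates target-system accounts to identities by e-mail, flags orphans, treats privileged orphans as high-risk, keeps tagged service accounts out of the orphan list, and supports the ad-hoc manual link an administrator would perform.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user_id: str
    email: str
    status: str      # "Active" or "Disabled"


@dataclass(frozen=True)
class Account:
    name: str        # account name on the target system
    owner_hint: str  # attribute the correlation rule matches on, here an e-mail
    privileged: bool = False


# Constructed identity store and a batch of accounts read from one target.
IDENTITIES = [
    Identity("jdoe", "jdoe@example.com", "Active"),
    Identity("asmith", "asmith@example.com", "Disabled"),
]
ACCOUNTS = [
    Account("jdoe", "JDoe@Example.com"),
    Account("asmith", "asmith@example.com"),
    Account("dbadmin", "", privileged=True),
    Account("svc-backup", ""),
    Account("tmpuser", "nobody@example.com"),
]
# Accounts an operational administrator has tagged as service accounts; their
# lifecycle is managed independently of any single user.
SERVICE_ACCOUNTS = {"svc-backup"}


def reconcile(accounts, identities, service_accounts):
    """Correlate accounts to identities by e-mail; return name -> (event, user).

    Events: linked, linked-disabled-owner, service, orphan, orphan-privileged."""
    by_email = {i.email.lower(): i for i in identities}
    events = {}
    for acct in accounts:
        if acct.name in service_accounts:
            events[acct.name] = ("service", None)
            continue
        ident = by_email.get(acct.owner_hint.lower()) if acct.owner_hint else None
        if ident is None:
            kind = "orphan-privileged" if acct.privileged else "orphan"
            events[acct.name] = (kind, None)
        elif ident.status != "Active":
            # Owner exists but is disabled: the account has outlived its user.
            events[acct.name] = ("linked-disabled-owner", ident.user_id)
        else:
            events[acct.name] = ("linked", ident.user_id)
    return events


def manual_link(events, account_name, user_id):
    """Ad-hoc linking of an orphan to a user, as an administrator would do by hand."""
    kind, _ = events[account_name]
    if not kind.startswith("orphan"):
        raise ValueError(f"{account_name} is not an orphan ({kind})")
    events[account_name] = ("linked", user_id)
    return events
```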

Service Oriented Security

Oracle Identity Manager 11g enables in-premise, cloud & partner applications to externalize their identity administration services through its XSD profile SPML web service, which defines the interfaces for applications to interact with Oracle Identity Manager. Additionally, Oracle Identity Manager now supports an LDAP identity repository for managing users, roles and role assignments. The SPML web service can thus be used by applications to achieve LDAP integration. The 11g release also provides new identity services, for example generating a username or a random password for the user, or reserving a username in LDAP while user registration is going through approval. Applications leveraging such a service oriented security strategy are able to benefit from the innovation in Oracle Identity Manager on day 1. Additionally, customers of such applications who are looking for enterprise provisioning solutions face a much shorter & smoother learning curve, given that they are already well versed with the provisioning technology powering their application.

Cost Effective Product Lifecycle Management

Oracle Identity Manager 11g leverages the standard Oracle lifecycle management technologies for installation, configuration, patching and upgrades. Oracle Universal Installer (OUI) is now used to perform a wizard-driven installation and configuration of Oracle Identity Manager as well as other Oracle Identity Management 11g products. Pre-configured Oracle WebLogic Server domain templates enable easier deployment to an enterprise topology. Patching and upgrades are handled by Oracle OPatch and Upgrade Assistant technologies respectively. Additionally, Oracle Identity Manager now stores its configuration metadata in Oracle Meta Data Services, thereby ensuring that this metadata can be managed independently. Customers will find their total cost of ownership significantly reduced as they do not have to learn and adopt any product-specific technologies. Their time to market for new features that their business users want is also expected to shrink given the usage of these enterprise-grade lifecycle management technologies.

That sums up the exciting new release highlights of Oracle Identity Manager 11g. For more information, please feel free to visit us on our product website, as well as the 11g Launch Center. Viresh Garg, Director of Product Management for Identity Administration, also provides a great webcast that highlights the OIM 11g release, available here.

Oracle Identity Analytics 11g…all systems go!

Yesterday was a momentous day for the Oracle Identity Management team. With over 750 man months of development and 1300 man months of QA in this release, Oracle Identity Management 11g is a huge milestone! And Oracle Identity Analytics 11g is our first official release with Oracle since the Sun acquisition and the smooth migration of the highly successful Sun Role Manager product…and we are proud to have this strategic product moving forward in the Identity and Access Governance marketplace. I will take the time to discuss some of the great architectural innovations we have made with this release; granted that the primary work was to assimilate Oracle Identity Analytics into the Oracle Identity Management portfolio, our product engineering team was still able to fit in some great new features, which I will address.

Oracle Identity Analytics provides enterprises the ability to engineer and manage roles, automate critical identity-based controls, and truly amalgamate Business Intelligence with enterprise security and access governance for cross-product identity analytics. The various components of the product include:

1. Identity Warehouse


The Identity Warehouse is the central repository that contains identity, access and audit data, optimized for complex analytical queries and simulations. This data is imported from one or more databases within your organization on a scheduled basis. The Oracle Identity Analytics import engine supports complex entitlement feeds saved as either text files or XML. A glossary entry, defined as a business-friendly term for typically cryptic IT entitlements, can also be captured during the import process, enabling business users to view and analyze users’ access rights in a business-friendly way. Oracle Identity Analytics provides strong and robust integration capabilities with provisioning products including Oracle Identity Manager and Oracle Waveset.

2. Attestation of Access Rights with Cert 360

Identity Certification

Oracle Identity Analytics reduces operational risk exposure by providing a 360-degree view of users’ access: not just “who has access to what”, but whether access was appropriately assigned and how it is being used. Oracle Identity Analytics securely automates existing manual re-certification or attestation processes in which business managers and application owners certify user access rights. This significantly reduces costs associated with existing manual controls and enhances audit effectiveness, resulting in enforcement of “least privilege” across the enterprise. A significant amount of effort has gone into developing the next-generation attestation UI, focusing on overall usability as well as the time to load a large amount of attestation data for the end user. Concepts such as paging, improved batching and lazy-loading allow for a much quicker sign-off experience, and advanced searching, sorting and filtering capabilities enable the end user (or access reviewer) to view the data that matters to them the most and certify it with a single click.

3. IT Audit Policy Monitoring

Segregation of duties (SoD) enforcement prevents users from intentionally or inadvertently breaching security policy by having a conflicting combination of roles or entitlements. IT Audit Policy enforcement directly impacts an organization’s ability to comply with explicit requirements of the Sarbanes-Oxley Act and multiple other regulatory mandates aimed at ensuring the integrity of enterprise financial operations.
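Here is an added, constructed example of the SoD check described above (not Oracle Identity Analytics' audit-policy engine; role, entitlement and policy names are made up). It resolves each user's effective entitlements through roles and direct grants, scans existing access as a detective control, and simulates a pending request as a preventive control.

```python
# Constructed role definitions and user assignments (entitlement names are made up).
ROLE_ENTITLEMENTS = {
    "AP-Clerk": {"SAP:CreateVendor", "SAP:EnterInvoice"},
    "AP-Manager": {"SAP:ApproveInvoice", "SAP:ReleasePayment"},
    "Auditor": {"SAP:ViewLedger"},
}
USER_ROLES = {
    "alice": {"AP-Clerk"},
    "bob": {"AP-Manager"},
    "carol": {"AP-Clerk", "AP-Manager"},   # toxic combination via two roles
    "dave": {"Auditor"},
}
# Entitlements granted directly, outside any role; these are easy to overlook.
USER_DIRECT = {"dave": {"SAP:ReleasePayment"}, "alice": set()}

# Each policy names two entitlement sets that must not be held together.
SOD_POLICIES = [
    ("Create-vendor-vs-pay", {"SAP:CreateVendor"}, {"SAP:ReleasePayment"}),
    ("Enter-vs-approve-invoice", {"SAP:EnterInvoice"}, {"SAP:ApproveInvoice"}),
    ("Audit-vs-pay", {"SAP:ViewLedger"}, {"SAP:ReleasePayment"}),
]


def effective_entitlements(user):
    """Union of role-derived and directly assigned entitlements."""
    ents = set(USER_DIRECT.get(user, set()))
    for role in USER_ROLES.get(user, set()):
        ents |= ROLE_ENTITLEMENTS[role]
    return ents


def violations_for(entitlements):
    """Names of the SoD policies a given entitlement set violates."""
    return sorted(name for name, left, right in SOD_POLICIES
                  if entitlements & left and entitlements & right)


def detect_violations():
    """Detective control: scan every user's current access for conflicts."""
    users = set(USER_ROLES) | set(USER_DIRECT)
    found = {u: violations_for(effective_entitlements(u)) for u in sorted(users)}
    return {u: v for u, v in found.items() if v}


def would_violate(user, new_roles=(), new_entitlements=()):
    """Preventive control: simulate a request before it is approved."""
    ents = effective_entitlements(user) | set(new_entitlements)
    for role in new_roles:
        ents |= ROLE_ENTITLEMENTS[role]
    return violations_for(ents)
```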

4. Comprehensive Role Governance

Role Mining

Oracle Identity Analytics’ role mining feature allows customers to conduct role mining based on organization, user and entitlement attributes to clean up and organize existing entitlements towards a role-based setup. The Identity Warehouse is used to capture the necessary information about users, entitlements and their relationships, allowing OIA to perform both top-down and bottom-up role mining. The role-mining feature also provides rule discovery to correlate rules between approved roles and attributes for use in role assignment. Once the roles are defined, role change management ensures approval workflow for any role creation and role definition changes, along with version tracking to monitor the history of these controls. Comprehensive reports and dashboards to drill down and tweak role content are also provided with the solution. Roles defined across an enterprise are subject to evolve over time, and require a robust administration and governance process. Oracle Identity Analytics provides role approvals upon detection of associated entitlement updates and performs real time impact analysis for role consolidation before changes are applied in a live environment. The role change approval process combined with role versioning, role change “what if” simulations, and rollback features, provides a complete role administration solution. Oracle Identity Analytics also fully audits all the changes made to role definitions including role assignment rules and entitlement mapping policies.
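As an added, constructed example of bottom-up role mining and rule discovery (not OIA's mining algorithm; the users, attributes and entitlements are made up), the code below groups users by identical entitlement sets into candidate roles, searches user attributes for an assignment rule that selects exactly a role's members, and reports how much of the existing access the mined roles explain. The deliberately placed outlier grant on one engineer shows how rule discovery surfaces access that does not fit any clean role.

```python
from collections import defaultdict

# Constructed identity-warehouse extract: user attributes and entitlements.
USERS = {
    "u1": {"dept": "Finance", "title": "Analyst", "site": "NYC"},
    "u2": {"dept": "Finance", "title": "Analyst", "site": "LON"},
    "u3": {"dept": "Finance", "title": "Manager", "site": "NYC"},
    "u4": {"dept": "Eng", "title": "Engineer", "site": "NYC"},
    "u5": {"dept": "Eng", "title": "Engineer", "site": "LON"},
    "u6": {"dept": "Eng", "title": "Engineer", "site": "LON"},
}
ENTITLEMENTS = {
    "u1": {"SAP:ViewLedger", "AD:Finance-Share"},
    "u2": {"SAP:ViewLedger", "AD:Finance-Share"},
    "u3": {"SAP:ViewLedger", "AD:Finance-Share", "SAP:ApproveInvoice"},
    "u4": {"GIT:Push", "AD:Eng-Share"},
    "u5": {"GIT:Push", "AD:Eng-Share"},
    "u6": {"GIT:Push", "AD:Eng-Share", "AWS:Admin"},   # outlier grant
}


def mine_roles(entitlements, min_users=2):
    """Bottom-up mining: users holding exactly the same entitlement set form a
    candidate role, kept only if enough users share it."""
    groups = defaultdict(set)
    for user, ents in entitlements.items():
        groups[frozenset(ents)].add(user)
    return sorted(((ents, frozenset(users)) for ents, users in groups.items()
                   if len(users) >= min_users), key=lambda r: sorted(r[0]))


def discover_rules(members, users):
    """Rule discovery: attribute=value conditions that select exactly `members`,
    usable as an automatic role-assignment rule. An empty result means the
    members cannot be told apart from non-members by any single attribute."""
    rules = []
    attrs = sorted(set().union(*(a.keys() for a in users.values())))
    for attr in attrs:
        values = {users[m].get(attr) for m in members}
        if len(values) != 1:
            continue
        (value,) = values
        selected = {u for u, a in users.items() if a.get(attr) == value}
        if selected == set(members):
            rules.append((attr, value))
    return rules


def coverage(roles, entitlements):
    """Fraction of user-entitlement assignments explained by the mined roles."""
    total = sum(len(e) for e in entitlements.values())
    explained = sum(len(ents) * len(users) for ents, users in roles)
    return explained / total
```

With the sample data the Finance analysts get the rule title=Analyst, while the engineering role gets no rule because u6 shares every attribute with u4 and u5 but holds an extra entitlement, which is exactly the kind of grant a reviewer should examine.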

5. Compliance Command Console


Oracle Identity Analytics provides comprehensive actionable dashboards and advanced analytics capabilities based on user identity, access and audit data residing in the Identity Warehouse. Oracle Identity Analytics provides various compliance and operational dashboards for a quick review of compliance and operational status in the context of roles, segregation of duty policies, audit policies and other controls. While compliance dashboards are typically used for executive-level compliance monitoring, detailed out-of-box reports enable IT staff, business users and auditors to structurally analyze the warehouse data. The dashboards can further be customized for business users, compliance and audit officers and other end users on an as-needed basis. While Oracle Identity Analytics provides close to 50 out-of-box reports, its data dictionary is published to allow customers to extend these reports and build custom reports.

For more information on Oracle Identity Analytics 11g, please visit us at the Oracle Technology Network.

Oracle Announces Significant Advances in Application Security With Oracle Identity Management 11g

Check out the article on the Oracle Identity Management 11g launch here.

On Data Ownership…

In order to understand the concept of data ownership, I think it’s important to first attempt to understand how data can be classified within an enterprise. In most organizations, data can be classified into three main categories:

1) Classified: represents the most critical business information, intended strictly for use by authorized personnel. This could include PII (personally identifiable information), such as personal credit information or health-related information.

2) Confidential: includes less sensitive information, which can be used within the organization when deemed appropriate by designated data owners.

3) Public: this is all information that can be shared outside the organization, once approved.

It is important to understand what the word “data” means within the context of an organization. Data can be any information, which could include personal employee information from their street address to their social security number, health care records (PII or ePHI), intellectual property, any financial information, and most importantly any access control or entitlement information granting access to critical target systems and business applications. This could also include network access level information, from IP addresses to server names to account IDs and passwords. As you can tell, the list can explode, and every organization defines it uniquely.

A data owner can now be defined as the designated party responsible for maintaining the integrity of the information we just attempted to define above. A data owner is responsible for managing, updating and assessing any risks associated with the data. Even though the data ultimately belongs to the organization, a data owner shepherds the data, protects it against any harmful entities, and ensures that it is maintained in accordance with the organization’s pre-determined guidelines. Finally, data owners take the necessary steps to ensure controls and policies are implemented and managed in the storage, handling, distribution, and regular usage of this data.

From a compliance perspective, it is extremely important for data owners to attest to the users authorized to access the information they own. With identity-based information, periodic reviews allow data owners to verify that the permissions given to employees by their business managers are indeed what the employee is accessing, and should have access to. The advantages of this are:

1) Prevents data hoarding, where too many users accumulate access to data. Managers may not be aware of the criticality of the data and may approve access to it, such as an Active Directory group membership, an SAP role or a RACF group, without that awareness.

2) Allows data owners to bring their expertise to the table and attest users accessing the data while revoking access to users that should not be permitted to view this data.

3) Allows data owners to gauge the interest levels in the data they manage, to create alternative views of the information where possible, and thereby to ensure the right users are accessing the appropriate data.

In the market today, products such as Oracle Identity Analytics provide this attestation capability, allowing designated data owners to attest to the users that access the data they own. This is a very data-centric view and a bottom-up approach to user attestation. Nevertheless, it is a necessary approach that allows for a second set of eyes validating the integrity of critical information…I mean, data.
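To show the difference between the manager-driven (top-down) review and the data-owner-driven (bottom-up) review discussed above, here is an added, constructed example (not Oracle Identity Analytics code; the users, entitlements, owners and managers are made up). The same access data is arranged both ways, and the owner campaign is then closed out so that revocations and undecided items fall out separately.

```python
from collections import defaultdict

# Constructed access data: who holds which entitlement, who owns each
# entitlement, and who manages each user.
USER_ACCESS = {
    "alice": {"AD:Finance-Share", "SAP:ReleasePayment"},
    "bob": {"AD:Finance-Share"},
    "carol": {"SAP:ReleasePayment", "RACF:PROD-DB"},
}
ENTITLEMENT_OWNER = {
    "AD:Finance-Share": "dana",
    "SAP:ReleasePayment": "pat",
    "RACF:PROD-DB": "pat",
}
USER_MANAGER = {"alice": "mike", "bob": "mike", "carol": "nina"}


def manager_campaign(user_access, user_manager):
    """Top-down view: each manager certifies their direct reports' access."""
    items = defaultdict(dict)
    for user, ents in user_access.items():
        items[user_manager[user]][user] = set(ents)
    return dict(items)


def owner_campaign(user_access, entitlement_owner):
    """Bottom-up (data-centric) view: each data owner certifies every user
    holding an entitlement they own, regardless of reporting line."""
    items = defaultdict(lambda: defaultdict(set))
    for user, ents in user_access.items():
        for ent in ents:
            items[entitlement_owner[ent]][ent].add(user)
    return {owner: dict(ents) for owner, ents in items.items()}


def apply_decisions(campaign, decisions):
    """decisions: (owner, entitlement, user) -> "certify" | "revoke".
    Returns (revocations to provision, items still awaiting a decision);
    anything not explicitly certified stays open rather than being assumed fine."""
    revoke, pending = [], []
    for owner, ents in campaign.items():
        for ent, users in ents.items():
            for user in sorted(users):
                verdict = decisions.get((owner, ent, user))
                if verdict == "revoke":
                    revoke.append((user, ent))
                elif verdict != "certify":
                    pending.append((owner, ent, user))
    return sorted(revoke), sorted(pending)
```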

Oracle Directory Services Blog!

Identity Management is an evolving market. This blog post explores some of the market forces that are shaping this evolution. Let us know what you think! Register for the webinar to hear how Oracle is leading the evolution of the market and taking a giant leap forward in identity management.

Tag us on Facebook!


Check out our latest Oracle IdM Facebook page to follow us!