Oracle Identity Manager 11gR2-PS2 Hands-on Workshop Tech Deep Dive – DB Schema, Backup & Restore, Bulkload, Reports, Archival & Purge
Principal Product Manager, Oracle Identity Governance
This document is for informational purposes. It is not a
commitment to deliver any material, code, or
functionality, and should not be relied upon in making
purchasing decisions. The development, release, and
timing of any features or functionality described in this
document remains at the sole discretion of Oracle. This
document in any form, software or printed matter,
contains proprietary information that is the exclusive
property of Oracle. This document and information
contained herein may not be disclosed, copied,
reproduced or distributed to anyone outside Oracle
without prior written consent of Oracle. This document
is not part of your license agreement nor can it be
incorporated into any contractual agreement with Oracle
or its subsidiaries or affiliates.
Agenda
• DB Schema
• Backup and Restore
• Archival and Purge
• BIP Reports
• Bulkload
OIM R2PS2 DataModel
R2PS2 DB Data model Metalink Note
– MOS Note for OIM 11R2 PS2 Schema Documentation [External]
The MOS (Master Note) note [1612983.1] contains references
to Oracle Identity Manager 11g R2PS2 Database Schema
Documentation
– MOS Master Note for OIM 11g Schema Documentation
The MOS (Master Note) note [1541870.1] contains reference
links for all the OIM 11g Release 11.1.x – 11.1.2.x Database
Schema Documentation.
Backup and Restore
OIM11gR2 Schema Backup and Restoration
using Data Pump Client Utility
Logical Backup of OIM Schema
o For OIM11gR2 Schema(s) Logical Backup (and its subsequent Restoration),
the recommended tool is Oracle11g R1/R2 Data Pump Export utility.
Restoration of OIM Schema
o For the restoration of the Logical Backup (taken using the Oracle 11g/10g
Data Pump Export utility), the corresponding Data Pump Import utility
is to be used.
Following are the possible scenarios of restoration based on the location of
restore:
a) Local restoration [Restoration in the same Database Instance]
b) Remote restoration [Restoration in a different Database Instance]
OIM 11gR2 Schema components
• Metadata – User, Tablespace DDL, Stored Proc/Functions/Packages, GTT definitions etc.
• Data – Table data
• Access on DB Objects like Oracle Text, XAVIEW, DBMS_SHARED_POOL etc.
• Access to SCHEMA VERSION REGISTRY and entry.
Generic High Level steps in Logical Export
Generic High Level steps in Logical Import
MOS Note for Schema Backup and Restoration using Data Pump Client Utility: note [1492129.1]
OIM Bulk Load Utility
• The Bulk load utility is aimed at automating the process of loading a large amount of
data into Oracle Identity Manager.
• It helps reduce the downtime involved in loading data. We can use this utility either
immediately after installation of Oracle Identity Manager or at any time during the
Production lifetime of Oracle Identity Manager.
Features of Bulk Load Utility
• The Bulk Load utility is compatible with OIM 9.1.0 and above.
• Data can be loaded into OIM as OIM users, as accounts allocated to OIM users, or as roles assigned to users.
• Data can be loaded from single or multiple CSV files or a database table.
• Data can be loaded from a single or multiple trusted sources.
• Exceptions generated during data loading are handled.
• Data can be loaded into either an empty OIM repository or a repository that already contains data.
• Easy exception handling and reloading of failed users and accounts.
• Audit snapshots are generated for loaded users.
• OIM should be down while using the Bulk Load utility.
Entities of Bulk Load Utility
Load User Data
• This Entity is used to load OIM User data.
• In other words, data is imported into the USR table of Oracle Identity Manager.
• In addition, you can select the input source, CSV files or database tables, for the data that you want to load.
Load Account Data
• This Entity is used to load OIM account data.
• In other words, data is imported into the relevant UD_ tables of Oracle Identity Manager against an application instance.
• In addition, you can select the input source, CSV files or database tables, for the data that you want to load.
Load Role Data
• This Entity is used to load OIM role data.
• In other words, data is imported into the UGP table of Oracle Identity Manager.
• In this version, roles will be published to the specified organization as per the new authorization model.
Load Role Membership
• This Entity is used to load OIM role membership data.
• In other words, data is imported into the USG table of Oracle Identity Manager.
• In addition, you can select the input source, CSV files or database tables, for the data that you want to load.
Load Role Hierarchy
• This Entity is used to load OIM role hierarchy data.
• In other words, data is imported into the GPG table of Oracle Identity Manager.
• In addition, you can select the input source, CSV files or database tables, for the data that you want to load.
Load Role Category
• This Entity is used to load OIM role data.
• In other words, data is imported into the ROLE_CATEGORY tables of Oracle Identity Manager.
• In addition, you can select the input source, CSV files or database tables, for the data that you want to load.
What’s New in OIM11gR2 Bulkload Utility
• Application Instance support for provisioning
o In this version of OIM11gR2, provisioning uses an application
instance. Application instance is a new
abstraction used in 11g Release 2 (11.1.2). It is a combination of
IT resource instance (target connectivity and connector
configuration) and resource object (provisioning mechanism).
o In earlier versions of the Bulkload utility, accounts were provisioned
using the IT resource and resource object directly.
o In this release, Bulkload prompts for the application instance
name and proceeds with the provisioning of accounts.
o If the end user is not aware of the application instance, they can fall
back on the earlier mechanism of provisioning using the IT resource and
resource object directly.
• Publish roles to organization
o As per the new authorization model in OIM11gR2, requestable
entities need to be published to an organization; only then are the entities
accessible/viewable.
o Enterprise roles: These are roles that users (depending on the
permissions granted) can create in Oracle Identity Manager and
request by using the request catalog or Bulkload utility.
o In this version of the Bulkload utility, we can publish the roles to an
organization with the include/exclude hierarchy option.
o This can be achieved by editing the CSV file or DB table.
o By default, Bulkload publishes roles to TOP with include
hierarchy.
BIP Reports
Reports Configuration Steps
• Create the Metadata Repository
• Metadata Store (MDS)
• Business Intelligence Platform (BI Platform)
• Install BI Publisher – 11.1.1.7.1
Setup BI Publisher
Deploy OOB Reports
• Deploy Reports
• Extract reports bundle (oim_product_BIP11gReports_11_1_2_1_0.zip) from OIM Installer package into Oracle_IDM1/Middleware/user_projects/domains/bi_domain/config/bipublisher/repository/Reports/ Oracle Identity Manager folder
• Import/Upload OIM Reports in BIP
• Configure Users and Groups in BIP
Configure Data Sources
• Configuring Oracle Identity Manager JDBC Connection
• Use OIM Schema Details
• Configuring BPEL-Based JDBC Connection
• Use SOA Schema Details
• Required for Task Assignment History, Request Details, Request Summary and Approval Activity
Run OOB Reports
• Login to BIP
• Select Reports Category
• Select Individual Report
• Provide input parameters such as date range etc.
• Run Report
Design Custom Reports
• Identify underlying data store/tables
• Identify Datasource (OIM or SOA)
• Develop SQL Script
• Design UI
• Build and Deploy custom report.
Reports for Oracle Identity Manager
OOB Reports – Just high level category.
Access Policy Reports
• Access Policy Details
• Access Policy List by Role
Attestation, Request, and Approval Reports
• Approval Activity
• Attestation Process List
• Attestation Request Details
• Attestation Requests by Process
• Attestation Requests by Reviewer
• Request Details
• Request Summary
• Task Assignment History
Role and Organization Reports
• Role Membership History
• Role Membership Profile
• Role Membership
• Organization Details
• User Membership History
Password Reports
• Password Expiration Summary
• Password Reset Summary
• Resource Password Expiration
Resource and Entitlement Reports
• Account Activity In Resource
• Delegated Admins and Permissions by Resource
• Delegated Admins by Resource
• Entitlement Access List
• Entitlement Access List History
• Financially Significant Resource Details
• Resource Access List History
• Resource Account Summary
• Resource Activity Summary
• User Resource Access History
• User Resource Access
• User Resource Entitlement
• User Resource Entitlement History
User Reports
• User Profile History
• User Summary
• Users Deleted
• Users Disabled
• Users Unlocked
Certification Reports
Exception Reports
• Fine Grained Entitlement Exceptions By Resource
• Orphaned Account Summary
• Rogue Accounts By Resource
Archival and Purge
Real-time Archival & Purge – Business Needs
• In the OIM world, with the growing enhancements in the application capabilities with each
release, we are generating more data than ever before.
• Expectations from our customers to meet higher standards of performance and scalability
with each release have made the management of OIM entity LCM data volumes an ever
increasing challenge.
• Continuous data purge assisted with database reorganization activities are a must to keep the
systems in good health, meeting the customer expectations for performance, scalability and
availability for OIM.
• Managing this phenomenal growth of data has been a hot topic recently, and an optimal
strategy for a complete hands-off approach to purging data in OIM has become the need
of the hour. This endeavor would definitely contribute towards OIM consistently meeting and
exceeding business expectations, not only for the R2 PS2 Release but also for the future Releases
to come.
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
High Level Overview of the New Solution in R2 PS2
R2 PS2 Purge Utility Salient Features
• Complete Hands-off and Automated approach
• Entities now divided into two categories - ‘Purge Only’ and ‘Archive + Purge’
• Fail Safe design for Purge operations
• Maximum Run Time for Auto-Cutoff in Purge Run for each Entity
• Single Threaded Batching
• Better operational and maintainability features
• Single unified interface at the DB Stored Programs level
• Common Core Purge Logic
• Purge run level metrics
• Minimal Configuration
Configuration
Step#1
User decides on the Retention Period (age of data to be purged) for the Entity. This is entered via Scheduled Task UI.
Step#2
User selects functional purge criteria for each entity like Request, Recon, Prov. Tasks, Orch. for the continuous purge to happen via UI.
Step#3
User defines other run specific Scheduled task level common parameters like periodicity, batch size, Max. Purge duration for each Entity etc. for each run.
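Added example (not Oracle's code and not the OIM purge stored programs): a Python/SQLite sketch of a purge loop driven by the parameters from Steps 1 to 3, namely retention period, a functional criterion, batch size and maximum run time, returning run-level metrics. The table `recon_event`, its columns and the `status` criterion are hypothetical.

```python
import sqlite3
import time

ALLOWED_TABLES = {"recon_event"}  # hypothetical entity table, not an OIM table

def purge_entity(conn, table, status, retention_days, batch_size,
                 max_run_secs, now=None, clock=time.monotonic):
    """Purge rows past the retention period in committed, single-threaded batches."""
    if table not in ALLOWED_TABLES:      # name is interpolated into SQL below
        raise ValueError(f"unexpected table: {table}")
    cutoff = (time.time() if now is None else now) - retention_days * 86400
    metrics = {"batches": 0, "rows_purged": 0, "cut_off": False}
    started = clock()
    while True:
        if clock() - started >= max_run_secs:
            metrics["cut_off"] = True    # auto-cutoff; the next run resumes
            break
        with conn:                       # commit per batch, roll back on error
            cur = conn.execute(
                f"DELETE FROM {table} WHERE id IN (SELECT id FROM {table} "
                "WHERE created_at < ? AND status = ? ORDER BY id LIMIT ?)",
                (cutoff, status, batch_size))
        if cur.rowcount == 0:            # nothing left that matches
            break
        metrics["batches"] += 1
        metrics["rows_purged"] += cur.rowcount
    return metrics

def make_sample_db(now):
    """Constructed data: 25 old closed, 5 recent closed, 3 old open rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE recon_event (id INTEGER PRIMARY KEY, "
                 "status TEXT, created_at REAL)")
    day = 86400
    rows = ([("CLOSED", now - 100 * day)] * 25 + [("CLOSED", now - day)] * 5
            + [("OPEN", now - 100 * day)] * 3)
    conn.executemany(
        "INSERT INTO recon_event (status, created_at) VALUES (?, ?)", rows)
    conn.commit()
    return conn

if __name__ == "__main__":
    now = 1_700_000_000.0
    conn = make_sample_db(now)
    print(purge_entity(conn, "recon_event", "CLOSED", retention_days=90,
                       batch_size=10, max_run_secs=60, now=now))
    print(conn.execute("SELECT COUNT(*) FROM recon_event").fetchone()[0])
```

Because each batch is its own transaction, a run stopped by the cutoff or by an error keeps the batches already committed and leaves the remaining rows for the next scheduled run.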
Real-time Online OIM Data Purge Scheduled Task
Scenarios
Day 0 - Data setup in the System
• 10K users bulk-loaded with Post Processing -> Orchestration Data
• GTC Trusted and Target Recon for 1.1 K users -> Recon, Orchestration and Prov. Tasks Data
• Requests created for 100-200 users for Role Assignment via Approval Policies.
Day n - Real Time Purge
• Live OIM 11g R2 PS2 System with Request, Recon, Orchestration and Provisioning Tasks Data.
• Data of all the FOUR Entities segregated over functional criteria and dates aka Retention Periods.
• OIM Data Purge Sch. Task would delete data based on Entity Selection /Retention Period and Purge criteria as in a real-time OIM system (with Recon/Orch/Prov. Tasks activity going).