Friday, June 24, 2011

Creating Custom Attributes in 11g

Creating Custom Attributes for User Profile
============================================
Step-1:
=======
* Do not use the GUI form designer for users.
* Browser -> OIM Login -> Advanced -> User Configuration
* Left Panel -> Actions -> User Attributes
* Right Panel -> "Custom Attributes" Category Name -> Create Attribute Button

Step-2: Create Authorization Policy
=======
* Browser -> OIM Login -> Administration -> Create Authorization Policy
* Policy Name = test; Entity Name = User Management -> Next
* Permissions : Check "Enable All Permissions" checkbox at top -> Next
* Data Constraints : All Users -> Next
* Assignment: Click on the Add command button -> A new search box will display -> Without entering any data, click on Search -> A list will display. Select all of the entries.
* Save it.

Related Bugs:
OTN-1

Creating Custom Attributes for Roles, Organizations, etc
=========================================================
* All customizations happen through GUI
* Choose Administration -> User Defined Fields.
* There will be 4 tables, one for Organizations, one for Roles, etc...
* Add Attributes, Add Properties
* Save
* Check these new things in Web UI.
The following document describes a complete example for all entities except users:

Developer Guide - Chapter : 13.3 User Defined Field Definition Form Page 303 of 802

Thursday, June 23, 2011

Installation of DBAT connector for target provisioning

Step-1 : Copy files to ConnectorDefaultDirectory
=======
* ade:[ labburi_dmuBug12682244 ] [labburi@adc2171727 ConnectorDefaultDirectory]$ pwd
/scratch/labburi/view_storage/labburi_dmuBug12682244/oracle/work/OIM/ConnectorDefaultDirectory
* ade:[ labburi_dmuBug12682244 ] [labburi@adc2171727 ConnectorDefaultDirectory]$ cp -R /work/labburi/installables/connectors/DBAT91050/Database_App_Tables_9.1.0.5.0 ./

Step-2: Install Connector
=======
* Browser -> OIM Login --> Advanced Tab --> Install Connector
* Screen-1:
- Select DBAT connector
- Click on Load
- Click on Continue

* Screen-2:
- Install. Following message will display
DatabaseApplicationTables 9.1.0.5.0 Installation Status : Successful
Configuration of Connector Libraries
Import of Connector XML Files (Using Deployment Manager)
Compilation of Adapter Definitions
Perform the following steps before you start using this connector.
1. Go to Resource Management >> Create IT Resource and create an IT resource for this connector.
2. Go to Advanced >> System Management >> Search Scheduled Job and configure the following scheduled Jobs that are already created for this connector.

* Do not follow these steps. These are not required
1. Go to Resource Management >> Create IT Resource and create an IT resource for this connector.
2. Go to Advanced >> System Management >> Search Scheduled Job and configure the following scheduled Jobs that are already created for this connector.
ITResource will be created automatically when you configure GTC.


Step-3: Configure GTC
=======
* Browser -> OIM Login --> Advanced Tab --> Create Generic Connector

* Screen-1:
- Provide name - DBAT91050
- Select Provisioning checkbox (This testcase needs this)
- Deselect Reconciliation checkbox
- Transport Provider : DBAT Provisioning
- Format Provider : DBAT Provisioning

* Screen-2: Specify Parameter Values (This works for DB XE 10g too)
- DB Driver : oracle.jdbc.driver.OracleDriver
- DB URL : jdbc:oracle:thin:@10.133.169.36:1521:xe
- DB User ID : SYSTEM
- DB Password : ********
- Parent Table / View Name : oim_target
- All other fields should not be touched. Leave them and click continue

* Screen-3: Map Data as needed.

Step-4: Verify
=======
* Verify that ITResource for DBAT is created automatically through Web UI.
* Verify that a new provisioning process is created automatically from Steps-2&3 through GUI.

Step-5: Test
=======
* Create a test user
* Provision DBAT91050
* Using SQL Developer, connect to target system and verify that oim_target table is populated with test user data from OIM

References:
===========
DBApplicationTables_guide

OIM 11g / 9x: DB Table Description

To get some documentation on OIM Tables, try the following:
-----------------------------------------------------------
- Connect to OIM DB using Oracle SQL Developer.
- Left Panel -> List of Tables -> Click on table name. You will see table information on Right Panel
- Right Panel -> Detail Tab -> Look for Comments Field at the end. It has some documentation.

****************
Tables Analysis
****************

* SDC - User Defined Fields in User Form, etc...
- Used by interface - getFormFeildsData() to get user defined attributes.
Sample Query
------------
SELECT sdc.sdc_key, sdc.sdk_key, sdc_name, sdc_variant_type, sdc_sql_length,
       sdc_label, sdc_field_type, SDC_DEFAULT_VALUE, sdc_order,
       sdc_profile_enabled, sdc_encrypted, sdc_rowver, sdc_version,
       sdpv.sdp_property_value as Editable,
       sdpr.sdp_property_value as Optional,
       sdpv.sdp_property_value as Visible,
       sdplkv.sdp_property_value as LookupCode
FROM sdk, sdc
     LEFT OUTER JOIN sdp_visible_v sdpv on sdc.sdc_key=sdpv.sdc_key
     LEFT OUTER JOIN sdp_required_v sdpr on sdc.sdc_key=sdpr.sdc_key
     LEFT OUTER JOIN sdp_lookupcode_v sdplkv on sdc.sdc_key=sdplkv.sdc_key
WHERE sdc.sdk_key=sdk.sdk_key
  and (sdc.sdc_default is null or sdc.sdc_default='0')
  and sdc.sdc_version=0
  and sdk.sdk_key=3
ORDER BY sdc_order asc, sdc.sdc_key asc;

Sample Result
--------------
155 3 USR_UDF_OBGUID String 300 ObjectGUID TextField 1 0 0000000000000001 0 false false
561 3 USR_UDF_MYCUSTATTR1BN String 25 MyCustAttr1 TextField CustAttr1DefValue 2 0 0000000000000000 0
562 3 USR_UDF_MYCUSTAATR2BN String 25 MyCustAttr2 TextField CustAttr2DefVal 3 0 0000000000000000 0

* ORC: Order Content Item Table
- Used by ScheduledTask to run a set of ordered events.

* SCH - Scheduled Item Table
- Used by tcScheduledTask to run scheduled Tasks.

* MIL : Tasks in Processes
- Contains all tasks from all processes.

* GCD : Generic Connector definitions Table.
- When you do "Install Connector" + "Create Generic Connector" in the 11g UI, all the information that you enter to create the new connector (format, data mapping between source and target, etc.) is assembled into an XML document and stored in the GCD_XML field of the GCD table.
- During provisioning, a scheduled task invokes the transform operation of the Generic Connector package in OIM. This transforms the user record from the USR table into the target system's record, using the connector definition stored in the GCD_XML field.

* PTY - Property definition
- Properties Table
- Metadata for the system properties defined in OIM. The product uses these to set status etc., as defined by the OIM configuration.
Sample Data
------------
70 XL.GTCAutoImport true GTC Auto Import 1 S 2 01-APR-11 1 01-APR-11 1 0000000000000000
71 XL.PagingSystemDefaultMaxRecords 1000 Paging System Default Max Records 1 S 2 01-APR-11 1 01-APR-11 1 0000000000000000
72 XL.SoDCheckRequired FALSE XL.SoDCheckRequired 1 S 2 01-APR-11 1 01-APR-11 1 000000000000
57 XL.RequestRaisedByYou.DayLimit 30 Property to indicate day limit set for Request raised by you 1 S 2 31-MAR-11 1 31-MAR-11 1 0000000000000000
58 XL.RequestRaisedForYou.DayLimit 30 Property to indicate day limit set for Request raised for you 1 S 2 31-MAR-11 1 31-MAR-11 1 0000000000000000

**************************************************
User Tables
**************************************************
* USR : All user information - very important table.
* UPH: User Policy Profile History Table

**************************************************
Resource Objects
**************************************************
Just like we have a class definition and a class instance in Java, we have Resource Object Definition and Resource Object Instance.
* OBJ : Resource Object Definition
- Defines structure of an object
Sample Data
------------
21 21 U Generic 1 1 Laptopres 0 1 1 0 0 0 05-APR-11 1 05-APR-11 1 0000000000000003 0 0
83 86 U Generic 1 1 Stapler 0 1 1 0 0 1 29-APR-11 1 29-APR-11 1 0000000000000001 0 0

* OBI : Resource Object Instance
- Entry for a resource object instantiated at run time.
- Very important as Provisioning operates on tcOBI to complete Provisioning.
Sample Data
------------
466 126 131 Data Received 1 27-JUN-11 1 27-JUN-11 1 0000000000000000

* RIU : Request Users Resolved Object Instances
- When you revoke a resource object from a user's resources, OIM updates the revoke request information in this table.
- Table Fields
RIU_KEY NUMBER, REQ_KEY NUMBER, OBJ_KEY NUMBER, USR_KEY NUMBER,
OIU_KEY NUMBER, OBI_KEY NUMBER, RIU_COMPLETED, RIU_DATA_LEVEL, RIU_CREATE,
RIU_CREATEBY, RIU_UPDATE, RIU_UPDATEBY, RIU_NOTE, RIU_ROWVER
Sample Query Result
====================
1 110 125 182 235 444 1 27-JUN-11 1 27-JUN-11 1 0000000000000001
2 110 126 182 236 445 0 27-JUN-11 1 27-JUN-11 1 0000000000000000
3 111 125 183 237 448 1 27-JUN-11 1 27-JUN-11 1 0000000000000001

* OST : OBJECT STATUS INFORMATION.
- Contains users, resource objects and all objects
Sample Query Result
====================
268 110 Revoked 0 20-JUN-11 1 20-JUN-11 1 0000000000000000
269 110 Provisioned 1 20-JUN-11 1 20-JUN-11 1 0000000000000000
270 110 Provide Information 0 20-JUN-11 1 20-JUN-11 1 0000000000000000


**************************************************
Request Object Tables
**************************************************
* RQH - Request History Table
Sample Query Result
====================
66 41 1 Object Approval Complete 14-APR-11 1 14-APR-11 1 0000000000000000
67 41 61 181 Approved 14-APR-11 1 14-APR-11 1 0000000000000000
68 42 1 Request Initialized 14-APR-11 62 14-APR-11 62 0000000000000000
69 42 61 182 Awaiting Data 14-APR-11 62 14-APR-11 62 0000000000000000
70 42 61 182 Data Received 14-APR-11 62 14-APR-11 62 0000000000000000

* RQO - ? TODO
Sample Query Result
====================




**************************************************************************
SAMPLE QUERIES
***************************************************************************
* SELECT sdc.sdc_key, sdc.sdk_key, sdc_name, sdc_variant_type, sdc_sql_length, sdc_label, sdc_field_type, SDC_DEFAULT_VALUE, sdc_order, sdc_profile_enabled, sdc_encrypted, sdc_rowver,sdc_version, sdpv.sdp_property_value as Editable, sdpr.sdp_property_value as Optional, sdpv.sdp_property_value as Visible , sdplkv.sdp_property_value as LookupCode FROM sdk, sdc LEFT OUTER JOIN sdp_visible_v sdpv on sdc.sdc_key=sdpv.sdc_key LEFT OUTER JOIN sdp_required_v sdpr on sdc.sdc_key=sdpr.sdc_key LEFT OUTER JOIN sdp_lookupcode_v sdplkv on sdc.sdc_key=sdplkv.sdc_key WHERE sdc.sdk_key=sdk.sdk_key and (sdc.sdc_default is null or sdc.sdc_default='0') and sdc.sdc_version=0 and sdk.sdk_key=3 ORDER BY sdc_order asc, sdc.sdc_key asc;

* select ost.ost_key, ost_status from ost ost, obj obj where obj.obj_key=ost.obj_key and obj.obj_name='Request';

* select ost.ost_key, ost_status from ost ost, rqo rqo where ost.obj_key=rqo.obj_key and rqo.req_key=130;

* select * from OST where OST_STATUS='Object Approval Complete';

* select osi.orc_key, osi.mil_key, osi.sch_key, osi_rowver, sch_rowver, osi_retry_for, sch_offlined from osi osi, sch sch where osi.sch_key=sch.sch_key and sch.sch_key=1091;

* select mil_name from osi osi,sch sch,pkg pkg,tos tos,mil mil where osi.sch_key = sch.sch_key and osi.pkg_key=pkg.pkg_key and pkg.pkg_key = tos.pkg_key and tos.tos_key = mil.tos_key and pkg_type='Approval' and mil_name in('Awaiting Object Data','Awaiting Approval Data') and osi.mil_key = mil.mil_key and osi.sch_key=1091;

* select * from act act where act_name='Requests'

* select obi.obi_key, obi.obj_key, obi_status, obi_rowver, rqo_rowver, obd.obd_parent_key from rqo rqo, obi obi left outer join obd obd on obd.obd_child_key=obi.obj_key where rqo.obi_key = obi.obi_key and rqo.req_key=131 order by obd.obd_parent_key desc;

* select act_key from act act where act_name='Requests';

* select obj_autolaunch from obj where obj_key = 126;

* select pty_value from pty where pty_keyword='XL.RequestCompleteStatus';

* select orc.orc_key, orc.orc_status, oiu.oiu_key, riu.riu_key from orc orc, oiu oiu, riu riu where orc.orc_key=oiu.orc_key and riu.oiu_key=oiu.oiu_key and riu.req_key=131 and riu.obj_key=125;

* select riu.oiu_key, oiu.oiu_rowver from riu riu, oiu oiu where riu.oiu_key=oiu.oiu_key and riu.req_key=131 and riu.obj_key=125;

* select pty_value from pty where pty_keyword='XL.RequestCompleteStatus';

Table Updates
--------------
update RIU set RIU_COMPLETED=0 where riu_key=2;

OIM 9x : Useful DB Queries for Debugging OIM

1. Get resource objects to operate for a user. This happens during access policy evaluation when user is being created.
- Post Event during user creation process.
Query
-----
select obj.obj_key, obj.obj_name, obj.obj_allow_multiple, obj.obj_allowall, pop.pop_denial, pop.pop_revoke_object from pop pop, obj obj where pop.pol_key = 41 and pop.obj_key = obj.obj_key;
Results
--------
108 RO_A 1 1 0 0
109 RO_B 1 1 0 1
110 RO_C 1 1 0 1

2. List of provisioned objects for a user
Query
-----
select * from oiu oiu, obj obj, obi obi, ost ost where oiu.obi_key = obi.obi_key and obi.obj_key = obj.obj_key and oiu.usr_key = 161 and oiu.ost_key = ost.ost_key and ost.ost_status != 'Revoked';

3. Get a particular task from a provisioning process
Query
------
select mil_key, mil_name, mil_sequence, mil_day, mil_hour, mil_minute,mil_create_multiple, mil_cancel_while_pending, mil_comp_on_rec, mil_required_complete, mil_retry_period, mil_retry_count, evt_key, mil_default_assignee, mil_assign_to_manager from mil where mil_key=373;
Results
-------
373 Enable User 0 1 1 0 0 1

Wednesday, June 22, 2011

OIM 9x : Membership auto-assign

1. Go to Design Console GUI --> Resource Management --> Rule Designer,
Create a new rule as -
* GroupMemMiddleName : Rule Type - "General" : Rule Sub Type - Empty : Rule Operator - "AND"
* Save it.
* Add a new "Rule Element" - "Middle Name == Roger"
* Save it.

2. Go to Browser UI --> Manage User Groups --> "Test Group" --> Membership Rules
Assign this new rule to the group.

Now if a new user with middle name Roger is created, he will automatically be a member of this "Test Group".

Adding tasks to a Provisioning Process

Create User : "Required for Completion" : tcCompleteTask : C-Completed-Provisioned : None for "Task Effect"

Delete User : "Conditional" : tcCompleteTask : C-Completed-Revoked : None for "Task Effect"

Enable User : "Conditional" : tcCompleteTask : C-Completed-Revoked : "Enable Process or Access to Application" for "Task Effect"

Disable User: "Conditional" : tcCompleteTask : C-Completed-Revoked : "Disable Process or Access to Application" for "Task Effect"

* With the above tasks in a provisioning process, when you enable a user, the Enable User task in the provisioning process is triggered. It is triggered not because of the task name but because of the Task Effect configured above.

* With the above tasks in a provisioning process, when you disable a user, the Disable User task in the provisioning process is triggered. It is triggered not because of the task name but because of the Task Effect configured above.

========================================
How to define reserved names for tasks?
========================================
* In Design Console GUI --> Administration --> Lookup Definition, Type *trigger* in "Code" text box --> Click Lookup in toolbar menu.
* In Lookup Definition Table --> Select "Lookup.USR_PROCESS_TRIGGERS"
You will get a "Code Key" - "Decode" table

In this table, you will see that task names are defined for particular operations. For example: "USR_FIRST_NAME" - "Change First Name"
So if you define a task in a provisioning process with the task name "Change First Name", OIM will trigger that task when the "First Name" field of the user profile is modified.

You can extend this table for new tasks if needed.

=================
Test Case to try:
==================
Define a provisioning process for resource object Laptop. Add a new task

Create User : "Required for Completion" : tcCompleteTask : C-Completed-Provisioned : None for "Task Effect"

1. Try provisioning this resource object Laptop to test user - tu1. Provisioning will happen.
2. Disable the user. You will see that OIM reports that - there is no task for Disable.

======
Notes
======
* OIM is task-based. Suppose a "Disable User" task with the Task Effect described above is defined in 10 provisioning processes. If a user (tu1) is disabled, then the tasks in all 10 provisioning processes will be triggered.

Wednesday, June 15, 2011

Designing Shuttle boxes in ADF UI

Code Example: GoogleCodeLink

PanelStretchLayout Geometry - Link

Some discussion:
1. OTN-Thread1
2. OTN-Thread2
3. OTN-Thread3

ADF Documentation
1. ADF Overview
2. JDEV Overview

Monday, June 13, 2011

Creating new sample ADF tab in OIM 11g

Oracle Deployment doc: OracleDocLink

Step-1 : Copy src code of new tab
======
ade:[ lakshman_IAM0612 ] [lakshman@parrot lib]$ pwd
ade:[ lakshman_IAM0612 ] [lakshman@parrot lib]$ /scratch/lakshman/view_storage/lakshman_IAM0612/tklocal/oimDeployments/oim.ear/iam-consoles-faces.war/WEB-INF/lib/.
ade:[ lakshman_IAM0612 ] [lakshman@parrot lib]$ cp /work/lakshman/bugs/tabBug/cuFiles/CustomTabApp/deploy/adflibCustomTabs1.jar .

Step-2: No need to do any change in Self.jspx
=======


Step-3 : Make changes to faces-config-self.xml
======

ade:[ lakshman_IAM0612 ] [lakshman@parrot oim.ear]$ diff ./iam-consoles-faces.war/WEB-INF/faces-config-self.xml /work/lakshman/bugs/tabBug/myChanges/faces-config-self.xml
235a236,250
>
> customPage
> oracle.iam.consoles.faces.backing.Self$OperationAction
> application
>
> id
> java.lang.String
> customization_page
>

>
> pageUrl
> java.lang.String
> /examples/MyProfile.jspx
>

>
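Review bot: in the bean added at 236-250, the third value, application, sits where the managed bean's scope goes, so a single customPage instance is shared by every Self Service session. That is harmless for the two fixed string properties set here (id and pageUrl), but the entry should carry a comment saying the bean must stay stateless, so that nobody later adds a per-user property to an application-scoped bean.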

258a274,277
>
> #{customPage.id}
> #{customPage}
>



ade:[ lakshman_IAM0612 ] [lakshman@parrot oim.ear]$ cp /work/lakshman/bugs/tabBug/myChanges/faces-config-self.xml ./iam-consoles-faces.war/WEB-INF/faces-config-self.xml


Step-4: Copy Self.properties
=======
* cp iam-consoles-faces.jar /work/lakshman/bugs/tabBug/myChanges/
* cd /work/lakshman/bugs/tabBug/myChanges/
* mkdir dir_iam-consoles-faces.jar
* mv iam-consoles-faces.jar ./dir_iam-consoles-faces.jar/
* cd ./dir_iam-consoles-faces.jar/
* jar -xvf iam-consoles-faces.jar
* rm iam-consoles-faces.jar
* cp ../Self.properties ./oracle/iam/consoles/faces/resources/Self.properties
* cd /work/lakshman/bugs/tabBug/myChanges/dir_iam-consoles-faces.jar
* jar -cvf ../iam-consoles-faces.jar ./*
* jar -tvf /work/lakshman/bugs/tabBug/myChanges/iam-consoles-faces.jar - Check if there is anything wrong.
* cd /scratch/lakshman/view_storage/lakshman_IAM0612/tklocal/oimDeployments/oim.ear/iam-consoles-faces.war/WEB-INF/lib
* cp /work/lakshman/bugs/tabBug/myChanges/iam-consoles-faces.jar ./
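
A check for the "Check if there is anything wrong" step, as an added example (not code from the original post or from Oracle): it compares the original and the repacked iam-consoles-faces.jar entry by entry and reports anything other than Self.properties that was added, removed or changed. The JAR contents, property keys and stray .bak file below are constructed sample data.

```python
import hashlib
import io
import zipfile

# The one entry Step-4 intends to replace (path taken from the cp command above).
EXPECTED_CHANGES = {"oracle/iam/consoles/faces/resources/Self.properties"}


def entry_digests(jar_bytes):
    """Map each file entry in a JAR (a ZIP archive) to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {
            info.filename: hashlib.sha256(jar.read(info)).hexdigest()
            for info in jar.infolist()
            if not info.is_dir()
        }


def diff_jars(original, repacked):
    """Return (added, removed, changed) sets of entry names between two JARs."""
    before, after = entry_digests(original), entry_digests(repacked)
    added = set(after) - set(before)
    removed = set(before) - set(after)
    changed = {n for n in set(before) & set(after) if before[n] != after[n]}
    return added, removed, changed


def unexpected_changes(original, repacked, expected=EXPECTED_CHANGES):
    """Entries that differ but are not on the allow-list; empty means a clean repack."""
    added, removed, changed = diff_jars(original, repacked)
    return (added | removed | changed) - set(expected)


def build_jar(entries):
    """Helper for the constructed sample: build a JAR in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not the real contents of iam-consoles-faces.jar.
ORIGINAL = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Vendor: Example\n",
    "oracle/iam/consoles/faces/resources/Self.properties": b"tab.one=Profile\n",
    "oracle/iam/consoles/faces/backing/Self.class": b"\xca\xfe\xba\xbe-constructed",
})
REPACKED = build_jar({
    # jar -cvf without the m option writes a default manifest instead of the old one.
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nCreated-By: constructed\n",
    "oracle/iam/consoles/faces/resources/Self.properties": b"tab.one=Profile\ntab.two=Custom\n",
    "oracle/iam/consoles/faces/backing/Self.class": b"\xca\xfe\xba\xbe-constructed",
    "iam-consoles-faces.jar.bak": b"stray file left in the working directory",
})

if __name__ == "__main__":
    print("unexpected:", sorted(unexpected_changes(ORIGINAL, REPACKED)))
```

To use it on real files, pass the bytes of the JAR copied in the first bullet and of the rebuilt JAR to unexpected_changes(); an empty result means only Self.properties differs.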

Step-5: Restart wls server
=======

Step-6: Make changes and re-test
=======
When a user first accesses the Self Service console and a custom ADF tab, the MyProfile.jspx file is copied into iam-consoles-faces.war. This file needs to be deleted whenever changes to the source file are redeployed.
Delete: oim.ear/iam-consoles-faces.war/examples/MyProfile.jspx
Note: this file will only exist after a user accesses the Self Service console.

********
Notes:
********
* Use latest JDev 11g for ADF development.
* The mapping between MyProfile.jspx and CustomUserProfile.java (the bean class with the business logic) is provided in faces-config.xml. The managed bean name, class, etc. are defined there.
* In MyProfile.jspx, we reference all business logic using beanName.logic. Example:
inputText label="#{customtabsBundle.EMAIL}"
value="#{profile.userprofile.email}" id="abc"

commandButton text="#{customtabsBundle.APPLY}"
actionListener="#{profile.updateAction}"
id="xyz"
where profile is the bean name and userprofile is a data member of this bean class.