DBA to Cloud: Oracle Identity Management (OIM)

Showing posts with label Oracle Identity Management (OIM). Show all posts

Saturday, March 9, 2019

Oracle Identity Manager Tables and SQL Queries

Oracle Identity Manager Tables and Description/SQL Queries

Table Name	Table Description
OIU	Object Instance Request Target User Information. Associate user information to the resource object instance when provisioning take places.
OST	Object Status Information.
OBI	Object Instance Information. Once resource provisioned to user, OIM created resource instance for each resource provisioning.
OBJ	Resource Object definition information This contains detail about resource such as resource name, auto-save enable or not and auto-prepopulate is enable or not, and whether or not the resource object allows multiple instances.
USR	It contains user information like login id, password, etc.,
ORCHPROCESS	Stores the process instances that are being executed.
ORCHEVENTS	Stores event handler names, status and result for all orchestration processes. Event status like COMPLETED, FAILED, PENDING, etc.
ORCHFAILEDEVENTS	Stores event handler information that are executed because of failures in main flow.
UPA	User profile audit information
USG	Role assigned to user

Query to list the resource that are in different status for given user:-

SELECT oiu.oiu_key,

oiu.obi_key,

oiu.orc_key,

ost.ost_status,

obj.obj_name,

obj.obj_key,

oiu.req_key

FROM oiu

INNER JOIN ost ON oiu.ost_key = ost.ost_key

INNER JOIN obi ON oiu.obi_key = obi.obi_key

INNER JOIN obj ON obi.obj_key = obj.obj_key

WHERE oiu.usr_key = (SELECT usr_key

FROM usr

WHERE usr_login = 'TSTUSR01');

Changing Resource Status in OIM in Account Tab:-

Through below query we can change the resource (AD, LDAP, Exchange etc..) Status.

UPDATE oiu

SET ost_key =

(SELECT ost_key

FROM ost

WHERE obj_key = (SELECT obj_key

FROM obj

WHERE obj.obj_name = 'LDAP User')

AND ost_status = 'Revoked')

WHERE oiu.orc_key IN (SELECT orc_key

FROM ud_ldap_usr

WHERE ud_ldap_usr_userid IN ('TSTUSR01'));

Force users to change password on next login:-

In case user’s password reset by either OIM Admin or API, user will be prompt to reset on next login. to avoid the force user password on next login by update column 'USR_CHANGE_PWD_AT_NEXT_LOGON' in table ‘usr’. Column takes values 0 or 1.

The column value 0 means User not forced to reset password on next login.

UPDATE usr

SET USR_CHANGE_PWD_AT_NEXT_LOGON = '0'

WHERE usr_login = 'TSTUSR01';

The column value 1 means User forced to reset password on next login.

UPDATE usr

SET USR_CHANGE_PWD_AT_NEXT_LOGON = '1'

WHERE usr_login = ‘TSTUSR01’;

Orchestration Query:-

Orchestration is main Component in OIM, Operations, such as create user, modify user, Delete, Enable etc., were closely integrate with OIM Orchestration.

Known Issue: OIM Orchestration will retry failed event handlers ONLY 2 times and will ignore after that. Because, the retry limit was hard coded in OIM.

SQL Query:

Below sql query is to get list of event handlers, which are executed for a particular users during enable process:

This query used to get user key from usr table-

SELECT usr_key

FROM USR

WHERE usr_login = 'TSTUSR01';

This query get process instance of enabled user ‘TSTUSR01’

SELECT id

FROM orchprocess

WHERE entityid = '1045' AND entitytype = 'User' AND operation = 'ENABLE';

This query gets all the event handler for enabled user ‘TSTUSR01’:-

SELECT *

FROM orchevents

WHERE processid = ’237254’

ORDER BY orchorder;

In the same way we can use for Create, Modify, Delete, Disable...etc Operation.

Query to find who modified user attributes:-

We can identify when and who made change for user profile attributes for example, email address.

Below query fetch the email address value for user ‘TSTUSR01’ from audit table:

SELECT field_name, field_old_value, field_new_value

FROM upa_fields fields

WHERE upa_usr_key IN

(SELECT upa_key

FROM upa

WHERE upa_key IN (SELECT usr_key

FROM usr

WHERE LOWER (usr_login) LIKE 'TSTUSR01'))

and field_name = 'Users.Email'

order by upa_usr_key, field_name;

Query to find who assigned role to users:-

OIM provides strong auditing features that will capture all user profile modification. It will be stored on UPA table.

Below query gets list of roles when was assigned to user ‘TSTUSR01’:

SELECT *

FROM upa

WHERE usr_key = (SELECT usr_key

FROM usr

WHERE LOWER (usr_login) = 'TSTUSR01')

AND src LIKE '%RoleManager%CREATE%';

Similarly, we can check for user role revoked by using src with ‘%RoleManager%DELETE%'

Oracle Schema Version Registry:-

Most of the Oracle Fusion Middleware components require existence of schemas in database prior to install. These schemas created and loaded using RCU.

You can run query to get list of schema created though RCU:

SELECT * FROM schema_version_registry;

Query to get users whose specific role:-

We often may need to find user who has specific role in OIM.

I have used query to get users who have role called ‘System Administrator’.

SELECT usr.usr_display_name,

usr.usr_login,

usr.usr_email,

ugp.ugp_name

FROM usg usg

LEFT OUTER JOIN usr usr ON (usg.usr_key = usr.usr_key)

LEFT OUTER JOIN ugp ugp ON (ugp.ugp_key = usg.ugp_key)

WHERE UPPER (ugp_name) IN (UPPER ('System Administrator'));

Query to update the ldap common name on process form:-

UPDATE ud_ldap_usr

SET UD_LDAP_USR_COMMON_NAME = 'Tst01 User01'

WHERE UD_LDAP_USR_USERID = 'TSTUSR01'

Query to find all the Schedule tasks:-

SELECT * FROM QRTZ92_JOB_DETAILS --contains list of all schedule task

SELECT * FROM JOB_HISTORY --Contains the details about the execution history

Query to list the resource that are in different status for given user:-

SELECT oiu.oiu_key,

oiu.obi_key,

oiu.orc_key,

ost.ost_status,

obj.obj_name,

obj.obj_key,

oiu.req_key

FROM oiu

INNER JOIN ost ON oiu.ost_key = ost.ost_key

INNER JOIN obi ON oiu.obi_key = obi.obi_key

INNER JOIN obj ON obi.obj_key = obj.obj_key

WHERE oiu.usr_key = (SELECT usr_key

FROM usr

WHERE usr_login = 'MUQTHIYAR.PASHA');

Changing Resource Status in OIM in Account Tab:-

Through below query we can change the resource (AD, LDAP, Exchange etc..) Status.

UPDATE oiu

SET ost_key =

(SELECT ost_key

FROM ost

WHERE obj_key = (SELECT obj_key

FROM obj

WHERE obj.obj_name = 'LDAP User')

AND ost_status = 'Revoked')

WHERE oiu.orc_key IN (SELECT orc_key

FROM ud_ldap_usr

WHERE ud_ldap_usr_userid IN ('TESTUSR01'));

In the same way we can use for Create, Modify, Delete, Disable...etc Operation.

Query to find who modified user attributes:-

We can identify when and who made change for user profile attributes for example, email address.

Below query fetch the email address value for user ‘TSTUSR01’ from audit table:

SELECT field_name, field_old_value, field_new_value

FROM upa_fields fields

WHERE upa_usr_key IN

(SELECT upa_key

FROM upa

WHERE upa_key IN

(SELECT usr_key

FROM usr

WHERE LOWER (usr_login) LIKE 'MUQTHIYAR.PASHA'))

AND field_name = 'Users.Email'

ORDER BY upa_usr_key, field_name;

Query to Generate Audit Report of Users:-

SELECT b.usr_login LoginID,

a.field_name attribute_Name,

a.field_old_value Old_Value,

a.field_new_value New_Value,

a.create_date CreateDate,

a.update_date UpdateDate

FROM PRDOIM_OIM.usr b, PRDOIM_OIM.upa_usr c, PRDOIM_OIM.upa_fields a

WHERE 1 = 1

AND c.usr_key = b.usr_key

AND a.upa_usr_key = c.upa_usr_key

AND a.field_name != 'Users.Role'

ORDER BY a.UPA_USR_KEY DESC;

Query to get info on all the 'Active' users:-

SELECT U.USR_FIRST_NAME || ' ' || U.USR_LAST_NAME

Name,

U.USR_LOGIN

LoginName,

R.UGP_DISPLAY_NAME

RoleName,

A.STATUS

RoleStatus,

A.USG_UPDATEBY_LOGIN

Assigned_RevokedBy_LoginName,

USR.USR_DISPLAY_NAME

Assigned_RevokedBy_Name,

A.CREATE_DATE

Assigned_RevokedDate

FROM PRDOIM_OIM.UPA_USR U,

PRDOIM_OIM.UGP R,

PRDOIM_OIM.UPA_GRP_MEMBERSHIP A,

PRDOIM_OIM.USR USR

WHERE U.USR_STATUS = 'Active'

AND U.USR_LOGIN NOT IN ('oim_write',

'XELSYSADM',

'FAAdmin',

'OCLOUD9_OSN_APPID',

'FUSION_APPS_HCM_SOA_SPML_APPID',

'oamAdminUser',

'weblogic_idm')

AND A.UPA_USR_KEY = U.UPA_USR_KEY

AND A.UGP_KEY = R.UGP_KEY

AND A.USG_UPDATEBY_LOGIN = USR.USR_LOGIN

ORDER BY A.CREATE_DATE, A.STATUS, R.UGP_DISPLAY_NAME;

Query to get info for a single user:-

SELECT U.USR_FIRST_NAME || ' ' || U.USR_LAST_NAME

Name,

U.USR_LOGIN

LoginName,

R.UGP_DISPLAY_NAME

RoleName,

A.STATUS

RoleStatus,

A.USG_UPDATEBY_LOGIN

Assigned_RevokedBy_LoginName,

USR.USR_DISPLAY_NAME

Assigned_RevokedBy_Name,

A.CREATE_DATE

Assigned_RevokedDate

FROM PRDOIM_OIM.UPA_USR U,

PRDOIM_OIM.UGP R,

PRDOIM_OIM.UPA_GRP_MEMBERSHIP A,

PRDOIM_OIM.USR USR

WHERE U.USR_STATUS = 'Active'

AND U.USR_LOGIN = 'MUQTHIYAR.PASHA'

AND A.UPA_USR_KEY = U.UPA_USR_KEY

AND A.UGP_KEY = R.UGP_KEY

AND A.USG_UPDATEBY_LOGIN = USR.USR_LOGIN

ORDER BY A.CREATE_DATE, A.STATUS, R.UGP_DISPLAY_NAME;

Thursday, January 17, 2019

Identity Manager Connector for Microsoft Active Directory User Management

Deploying Microsoft Active Directory User Management Connector

Deploying the Connector

1. Copy the contents of the connector installation media directory into the following directory:
OIM_HOME/server/ConnectorDefaultDirectory
2. Log in to Oracle Identity System Administration http://idmhost:14000/sysadmin with xelsysadm user
3. In the left pane, under System Management, click Manage Connector.

4. In the Manage Connector page, click Install.
5. From the Connector List list, select ActiveDirectory RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.
To repopulate the list of connectors in the Connector List list, click Refresh.
From the Connector List list, select ActiveDirectory RELEASE_NUMBER.
6. Click Load.
7. To start the installation process, click Continue.
The following tasks are performed, in sequence:
Configuration of connector libraries
Import of the connector XML files (by using the Deployment Manager)
Compilation of adapters
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure is displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
8. Retry the installation by clicking Retry.
9. Cancel the installation and begin again from Step 1.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of steps that you must perform after the installation is displayed. These steps are as follows:
Ensuring that the prerequisites for using the connector are addressed
Note:At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Clearing Content Related to Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility.

Configuring the IT Resource for Microsoft AD and AD LDS

You must specify values for the parameters of the Active Directory IT resource as follows:
1. Log in to Oracle Identity System Administration.
2. In the left pane, under Configuration, click IT Resource.

4. In the IT Resource Name field on the Manage IT Resource page, enter Active Directory and then click Search.

5. Click the edit icon corresponding to the Active Directory IT resource.
6. From the list at the top of the page, select Details and Parameters.
7. Specify values for the parameters of the Active Directory IT resource

The following list describes each parameter of the Active Directory IT resource
ADLDSPort
Enter the number of the port at which Microsoft AD LDS is listening.
Sample value: 50001
Note: Do not enter a value for this parameter if you are using Microsoft Active Directory as the target system.
BDCHostNames
Enter the host name of the backup domain controller to which Oracle Identity Manager must switch to if the primary domain controller becomes unavailable.
Sample value: mydc1;mydc2;mydc3
Note:Multiple backup domain controllers must be separated by semicolon (;).

Configuration Lookup

This parameter holds the name of the lookup definition that stores configuration information used during reconciliation and provisioning.
If you have configured your target system as a target resource, then enter Lookup.Configuration.ActiveDirectory.
If you have configured your target system as a trusted source, then enter Lookup.Configuration.ActiveDirectory.Trusted.
Default value: Lookup.Configuration.ActiveDirectory
Connector Server Name
Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Configuring the IT Resource for the Connector Server.
Note:Enter a value for this parameter only if you have deployed the Active Directory User Management connector in the Connector Server.
Default value: Active Directory Connector Server
Container
Enter the fully qualified domain name of the user container into or from which users must be provisioned or reconciled into Oracle Identity Manager, respectively.
Sample value: DC=example,DC=com
DirectoryAdminName
Enter the user name of account that you create by performing the procedure described in Creating a Target System User Account for Connector Operations.
Enter the value for this parameter in the following format:
DOMAIN_NAME\USER_NAME
Sample value: mydomain\admin
Note:If you are using AD LDS as the target system and this machine belongs to a workgroup, enter the username of the account created in Creating a Target System User Account for Connector Operations.
Enter a value for this parameter in the following format:
USER_NAME
Sample value: admin
DirectoryAdminPassword
DomainName
Enter the domain name for the Microsoft Active Directory domain controller on which the connector is being installed.
Sample value: example.com
Note:This is a mandatory parameter if you are using Microsoft Active Directory as the target system.
isADLDS
Enter yes to specify that the target system is Microsoft AD LDS.
Enter no to specify that the target system is Microsoft Active Directory.
LDAPHostName
Enter the host name, IP address, or domain name of the Microsoft Windows computer (target system host computer) on which Microsoft Active Directory is installed.
Note:If you do not specify a value for this parameter and the BDCHostNames parameter (discussed earlier in this table), then a serverless bind is used. The connector leverages ADSI for determining the domain controller in the domain and then creates the directory entry. Therefore, all interactions with the target system are not specific to a domain controller.
To determine the host name, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field.
Sample values:
w2khost
172.20.55.120
example.com
SyncDomainController
Enter the name of the domain controller from which user accounts must be reconciled.
Note:The value specified in this parameter is used if the value of the SearchChildDomains lookup entry is set to no. If no value is specified for the SyncDomainController parameter and the SearchChildDomains lookup entry is set to no, then the connector automatically finds a domain controller for the target system and reconciles users from it.
Sample value: mynewdc
SyncGlobalCatalogServer
Enter the host on which the global catalog server is located.
Note:The value specified in this parameter is used if the value of the SearchChildDomains lookup entry is set to yes. If no value is specified for the SyncGlobalCatalogServer parameter and the SearchChildDomains lookup entry is set to yes, then the connector automatically finds a global catalog server for the target system, and then reconciles user accounts from the domain controller on which the global catalog server is running.
It is strongly recommended to provide a value for this parameter if you have set the SearchChildDomains lookup entry to yes.
Sample value: myglobalcatalogdc
UseSSL
Enter yes if the target system has been configured for SSL. This enables secure communication between the Connector Server and target system. Otherwise, enter no.
Default value: no
Note:For resetting user password during provisioning operations, the communication with the target system must be secure. The default communication between the .NET Connector Server and Microsoft Active Directory is secure. Therefore, even if you set the value of this parameter to no, it is possible to reset user passwords during provisioning operations because the default communication is secure. See Configuring SSL for Microsoft Active Directory and Microsoft AD LDS for information about configuring SSL.
The default communication between the .NET Connector Server and Microsoft AD LDS is not secure. Therefore, for enabling password reset provisioning operations, you must set the value of this parameter to yes to secure communication with Microsoft AD LDS. See Configuring SSL Between Connector Server and Microsoft AD LDS for more information about configuring SSL.
8. To save the values, click Update.

Creating and Activating a Sandbox

1. Log in to Oracle Identity System Administration.
2. In the upper pane, click Sandbox

3. Click on create SandBox

4. Click on Form Designer and then Create.

5. Click the search icon for “Resource Type “ and choose “AD User”

6. Type a Form Name
7. While creating a new UI form, the form type should be Parent Form + Child Tables (Master/Detail).

8. Click Create.

Create an Application Instance

9. In the System Administration console, click on Application Instances

10. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.
11. Specify values for the following fields:
Name: The name of the application instance.
Display Name: The display name of the application instance.
Description: A description of the application instance.
Resource Object: The resource object name. Click the search icon next to this field to search for and select AD User.

IT Resource Instance: The IT resource instance name. Click the search icon next to this field to search for and select Active Directory.

Form: Select the form name (created in previous step).

11. Click Save. The application instance is created
12. Click on the Sandboxes icon.
13. Select the sandbox and click “Publish Sandbox”
14. Click Yes to continue.

Identity Manager Connector for Oracle E-Business Suite User Management

Deploying Oracle UM Connector

Deploying the Connector

1. Copy the contents of the connector installation media directory into the following directory:.

cp -r Oracle_EBS_UM-11.1.1.5.0/u01/oracle/middleware/Oracle_IDM1/server/ConnectorDefaultDirectory/

2. Log in to Oracle Identity System Administration http://idmhost:14000/sysadmin with xelsysadm user

3. In the left pane, under System Management, click Manage Connector.

4. In the Manage Connector page, click Install.

5. The Connector List list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.

You can select the following option:

Oracle EBS UM Connector RELEASE_NUMBR

6. Click Load.

7. To start the installation process, click Continue.

8. The following tasks are performed, in sequence:

-Configuration of connector libraries

-Import of the connector XML files (by using the Deployment Manager)

-Compilation of adapters

9. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of steps that you must perform after the installation is displayed.

Configuring the IT Resource for the Target System

You must specify values for the parameters of the Oracle EBS UM IT resource as follows:

1. Log in to Oracle Identity System Administration.

2. In the left pane, under Configuration, click IT Resource.

3. In the IT Resource Name field on the Manage IT Resource page, enter Oracle EBS UM and then click Search. Alternatively, from the IT Resource Type menu, select the name of the IT resource type Oracle EBS User Management, and then click Search.

4. Click the edit icon corresponding to the Oracle EBS UM IT resource.