Tuesday, September 11, 2012

OIM 11g R2 Catalog

The Catalog is one of the most commented new features in OIM 11g. It introduces a new way to search for items and create access requests, and it also introduces the ‘shopping cart’ experience.

The request process was drastically simplified with the Catalog. Whereas in OIM 11g R1 users have to go through a multi-step wizard to create a request, in OIM 11g R2 the work is done in two pages: the catalog search and the shopping cart summary.

End users use the catalog to create requests for the following OIM objects:

  • Roles
  • Application Instances
  • Entitlements

The catalog search result picture below shows all the above-mentioned objects. Highlighted on the right is the 'Refine Search' area, where users can choose specific object types. On the center-left, the highlight shows how catalog items are identified by different icons (application instance, role and entitlement respectively).

The catalog content is created based on the three different objects mentioned above. The catalog information is stored in specific database tables to facilitate the indexing and searching of catalog items.

The catalog data is kept up to date by an OIM scheduled job called ‘Catalog Synchronization’. This job should be scheduled at a regular interval to guarantee that the catalog content gets updated quickly whenever an object is created or updated in OIM. The job has different execution modes: “Incremental”, where only objects created after the last execution date are pulled into the catalog, and “Full”, where all OIM objects are analyzed and pulled into the catalog. The job can be configured to work on only one specific object type (role, application instance or entitlement), and it can also load data in bulk from a flat file.

The search experience in the catalog user interface leverages the powerful features provided by Oracle Text, an Oracle database content indexing feature. Oracle Text improves performance and provides advanced search capabilities such as the use of operators to build search expressions (AND, OR, etc.). Some ‘trickiness’ is also introduced: both ‘*’ and ‘&’ work as wildcards, but their behavior is a little different, and ‘*’ is preferable. The end user must provide at least one character along with the wildcard (a wildcard-only search does not bring any results).

With the introduction of Oracle Text, there are two database scheduler jobs that must be running:
These are DATABASE JOBS and not OIM scheduler jobs, therefore any action on them is performed directly at the database. Both jobs are responsible for keeping the catalog indexes optimized and for preventing index fragmentation.

When creating OIM ‘requestable’ objects, it is important to provide information in the description fields. This information, along with ‘name’ and ‘display name’, is used to build the catalog index. A good description makes it easier to search for and find specific catalog items and add them to the shopping cart.

There are two different ways of getting to the catalog search page:
  • Directly: an end user logs in to OIM and simply clicks on the catalog menu link. In this case the request beneficiary will be the user her/himself.
  • Through another user's profile: in this case an administrator searches for a user in OIM, goes to the user's details and clicks on a 'Request' action button (like 'Request Role'). In this case the request beneficiary will be the searched user.

Another particularity of the catalog is that users can see and add to the shopping cart any objects that they have access to request, even the ones that are already provisioned. Then, at shopping cart submission time, OIM will prevent the submission if an already provisioned object is among the cart items.

Shopping cart submission will create, if necessary, the approval processes. The approvals are not that different from OIM 11g R1. A shopping cart submission will create a request process. When an approval is needed, this process will go through request and operational level approvals (in the default configuration).

The picture below shows the shopping cart details page:

The security model in the catalog follows the OIM organization-based scoping security model. In this model, the catalog items (roles, application instances and entitlements) are published to specific organizations in OIM (with or without following the organization chain). End users will be able to see only those catalog items that are published (directly or indirectly) to the organization that they belong to. The security model does not follow the organization-based scoping if the user is a system or catalog administrator; these users must have access to all catalog content.
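The scoping rule above and the submission-time check on already provisioned objects can be modelled together. This is an added example, not OIM code or its API: every name and the sample data are constructed, "following the organization chain" is assumed to mean that a publication also covers sub-organizations, and re-checking scope at submission is this example's own choice.

```python
# Added illustration: a toy model of organization-scoped catalog visibility.
# All names and sample data are constructed; this is not OIM code or its API.
from dataclasses import dataclass

# child organization -> parent organization (constructed sample hierarchy)
ORG_PARENT = {"Sales-EMEA": "Sales", "Sales": "Corp", "Finance": "Corp", "Corp": None}

@dataclass(frozen=True)
class Publication:
    item: str            # role, application instance or entitlement name
    org: str             # organization the item is published to
    follow_chain: bool   # assumption: True also covers sub-organizations

@dataclass(frozen=True)
class User:
    login: str
    org: str
    is_admin: bool = False   # system or catalog administrator

def org_chain(org):
    """Return the organization followed by all of its ancestors."""
    chain, seen = [], set()
    while org is not None and org not in seen:   # 'seen' guards against cycles
        chain.append(org)
        seen.add(org)
        org = ORG_PARENT.get(org)
    return chain

def visible_items(user, publications):
    """Items the user can see in a catalog search."""
    if user.is_admin:
        return {p.item for p in publications}    # administrators bypass scoping
    chain = org_chain(user.org)
    return {p.item for p in publications
            if p.org == user.org or (p.follow_chain and p.org in chain)}

def submit_cart(user, cart, publications, provisioned):
    """Re-check scope (example's own choice) and reject provisioned items."""
    allowed = visible_items(user, publications)
    out_of_scope = sorted(set(cart) - allowed)
    duplicates = sorted(set(cart) & set(provisioned))
    return {"accepted": not (out_of_scope or duplicates),
            "out_of_scope": out_of_scope, "already_provisioned": duplicates}

PUBS = [
    Publication("ERP App", "Corp", True),
    Publication("Sales Manager Role", "Sales", False),
    Publication("CRM Admin Entitlement", "Sales", True),
    Publication("Ledger Role", "Finance", False),
]
```

A user in the constructed `Sales-EMEA` organization sees only the two items published with the chain flag set; the role published to `Sales` alone stays hidden from the sub-organization.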

Catalog customization is also available in R2. The catalog can be extended by creating catalog ‘UDFs’, and the catalog user interface can be customized through the use of sandboxes and the other WebCenter/ADF features. Custom catalog attribute data can also be indexed in the Oracle Text based catalog index.

Catalog APIs are also available and can be used in direct customization or even to perform searches (among other catalog functions) in custom applications. The API documentation is available here.

OIM 11g R2 documentation has a whole chapter dedicated to the catalog. Such documentation is available here.
