Applied Oracle Security: Developing Secure Database and Middleware
Chapter 9: Oracle Identity Manager
In this section, learn about the Oracle Identity Manager (OIM) deployment model and its multiple tiers, which include the client tier, web tier, business logic tier and data tier.
Table of contents:
to use Oracle Identity Manager for user provisioning
Understanding the Oracle user provisioning process
Using Oracle Identity Manager (OIM) connectors and integration
The Oracle Identity Manager (OIM) deployment model
Every OIM component (design client, web application and core server engine) is written in Java and executes in a multi-tiered deployment model, shown in Figure 9-13.
Client Tier
When working with OIM, two types of clients are used: a web-based administrative console and a design-time client. The web administrative console is used mainly for managing users, resources, and all the constructs supporting them. The design-time client is used by the developers of the identity management processes for designing and configuring the core components such as resource objects, IT resources, provisioning processes, and the integration configurations to communicate with the physical applications being provisioned or reconciled. Both types of clients follow a distributed communication model so that you can have many clients from many computers communicating with the same set of policies and objects defined in the OIM business logic tier.
Web Tier
This tier exists as a web application container for the OIM administrative user interface. It is a pure Java-based web application environment that uses technologies such as JSP, servlets, Struts, and JavaBeans. By using these standard technologies, the OIM web tier can be deployed in a number of application servers and containers.
Business Logic Tier
This tier is the core of the OIM product. In this tier, OIM decides who (the user) to provision where (the target resource) and how (the process). This tier is written exclusively in Java and leverages a J2EE design pattern and therefore inherits the core benefits of that combination—platform neutrality and a distributed component architecture. A Java-based OIM business tier provides a standard development platform for new integration connectors and adapters. The distributed nature of J2EE allows the business logic tier to be spread across multiple application server deployments while accessing the common metadata from the data tier.
Data Tier
The data tier is a SQL-based relational database that stores all metadata about the identities, accesses, and configurations for the user provisioning platform. The only OIM data that lives outside the database are the JAR (Java Archive) files containing the code to connect to third-party resources and target systems. The data tier is accessed exclusively by the OIM business tier and should not be integrated with any external clients or tools for direct data manipulation. In fact, we recommend that you consider using Oracle database protection technologies, such as Oracle Database Vault and Transparent Data Encryption (TDE), to secure and protect the sensitive identity-related metadata stored in the OIM repository. Refer to the earlier chapters on TDE and Database Vault for details on how to secure the OIM metadata repository.
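The recommendation above (Database Vault plus TDE around the OIM repository, with the data tier reachable only through the business logic tier) can be expressed as a short Oracle SQL/PL/SQL script. This is an added example and not code from the book or from Oracle; the schema name OIM_SCHEMA, the tablespace name OIM_DATA_TS and the datafile path are placeholders, and it assumes Database Vault is installed, that the realm steps run as a DV_OWNER account, and that the TDE wallet has already been opened. The DBMS_MACADM and DBMS_MACUTL calls are the Oracle Database 11g signatures.

```sql
-- Added example: lock the OIM metadata repository down to the OIM
-- business-logic tier's own schema account and encrypt it at rest.
-- OIM_SCHEMA, OIM_DATA_TS and the datafile path are placeholders.

-- 1. Database Vault realm around the OIM schema. Once enabled, even a
--    DBA holding SELECT ANY TABLE cannot read the identity metadata
--    unless explicitly authorized in the realm.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'OIM Repository Realm',
    description   => 'Protects Oracle Identity Manager metadata',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit blocked access

  -- Every object owned by the OIM schema (tables, views, packages, ...)
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'OIM Repository Realm',
    object_owner => 'OIM_SCHEMA',
    object_name  => '%',
    object_type  => '%');

  -- Only the account the OIM business tier connects with is authorized;
  -- ad hoc client tools and other DBAs are denied by the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'OIM Repository Realm',
    grantee       => 'OIM_SCHEMA',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 2. TDE: an encrypted tablespace for the repository so the identity
--    data is unreadable in datafiles and backups (wallet must be open).
CREATE TABLESPACE OIM_DATA_TS
  DATAFILE '/placeholder/path/oim_data01.dbf' SIZE 500M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Checks a DBA runs afterwards to confirm both controls are in place.
SELECT realm_name, owner, object_name, object_type
  FROM DBA_DV_REALM_OBJECT
 WHERE realm_name = 'OIM Repository Realm';

SELECT tablespace_name, encrypted
  FROM DBA_TABLESPACES
 WHERE tablespace_name = 'OIM_DATA_TS';
```

Run the realm block before pointing OIM at the database, then confirm with the two queries that the realm lists the OIM objects and that the tablespace reports ENCRYPTED = 'YES'; a failed access attempt from any other account then shows up in the Database Vault audit trail rather than silently succeeding.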
FIGURE 9-13 OIM deployment architecture
This chapter reviewed the Oracle Identity Manager that addresses the simple to understand but hard to implement area of user provisioning. Provisioning is a mandatory process inside every enterprise, executing constantly either in a manual or an automated manner. As a result, optimizing the processes around provisioning is critical to both achieve operational efficiency and deliver assurance that access policies are not being violated or ignored. Security issues include orphaned accounts that are not de-provisioned. Open, unused accounts are footholds for disgruntled employees and attackers and are at the top of the list of things that compliance auditors look for. As a result, a truly successful user provisioning solution balances building better optimized processes and policies to lower administrative burden with instituting consistency of identity management, in terms of the way it grants and monitors access to information, to result in a higher level of security and protection of all enterprise assets.
Download the chapter "Oracle Identity Manager" in PDF form.
This was first published in April 2010