One of the key aspects of Fusion Applications (FA) operations is user and role management. By default, Fusion Applications uses Oracle Identity Management (IDM) for both its identity store and its policy store. This article explains how the user and role flows work from different points of view, describing in detail the key IDM product involved in each flow. With a clear understanding of how Fusion Applications works with Identity Management for user provisioning and role management, you can improve your FA IDM environment by integrating it with the rest of the enterprise's assets and processes. For example, if you need to integrate your existing enterprise IDM with this solution, these are the flows you need to be aware of.
FA relies on IDM to authenticate users and on the roles and privileges implemented in IDM to authorize operations. FA uses jobs in the Enterprise Scheduler Service (ESS) to reconcile users and roles with Oracle Identity Manager (OIM). OIM, in turn, gets the corresponding data from the user store and the policy store through LDAP synchronization (the provisioning and reconciliation process). This flow is described below.
Brief explanation of each step of the main flow above:
1) FA OID flow: Oracle Internet Directory (OID) holds FA's policy information. Duty roles and privileges are created from FA into OID (the policy or security store).
2) FA OIM flow: FA and OIM provision users and roles to each other through SPML. For example, enterprise business logic may qualify the requester and initiate a role provisioning request by invoking the Service Provisioning Markup Language (SPML) client module, as may occur during onboarding of internal users with Human Capital Management (HCM); in that case the SPML client submits an asynchronous SPML call to OIM. Alternatively, OIM handles the role request by presenting roles for selection based on the associated policies. The two products also communicate with each other for challenge question responses, password reset procedures and more.
3) OID OIM flow: OIM connects to Oracle Virtual Directory (OVD) through its LDAP IT Resource, which provides the connection and is also responsible for the LDAP Synch reconciliation from OID to OIM, as well as for the event handlers that OIM triggers whenever there is an update on that side.
4) FA OIM flow: Here ESS jobs from FA create users in OID or update FA from OID. 4.1) "Retrieve Latest LDAP Changes" reads from OID and updates FA if anything is missing (users, role assignments, etc.). 4.2) "Send Pending LDAP Changes" sends to OIM any requests that have not yet been processed. (If you use the FA UIs such as Manage Users to create a user, the request is processed almost immediately, but if you have bulk loaded employees and assignments, you need to run Send Pending LDAP Requests to get those requests processed.)
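The two ESS jobs in step 4 are easiest to reason about as a two-way reconciliation: a queue of pending requests on the FA side that must be pushed to OIM, and a stream of directory changes that must be pulled back into FA. The Python below is an added, constructed model of that loop written for this article; it is not Oracle's code, and the class names, the changelog-based read, and the sample users and role names are assumptions. The `drift` function at the end is the consistency report a practitioner would want after running both jobs: which role assignments exist on one side only.

```python
from dataclasses import dataclass, field


@dataclass
class LdapUser:
    """A user entry as held in the identity store (constructed, simplified)."""
    uid: str
    roles: set = field(default_factory=set)


class IdentityStore:
    """Stands in for the OID/OIM side: the authoritative user and role store.

    Every modification is appended to a numbered changelog, which is what a
    'Retrieve Latest LDAP Changes' style job reads incrementally (assumption:
    a changelog-based read; the real job's internals are not described above).
    """

    def __init__(self):
        self.users = {}
        self.changelog = []  # list of (change_number, uid)

    def apply(self, uid, roles):
        """Create the user if needed and add role assignments; returns change number."""
        user = self.users.setdefault(uid, LdapUser(uid))
        user.roles |= set(roles)
        self.changelog.append((len(self.changelog) + 1, uid))
        return self.changelog[-1][0]

    def changes_since(self, change_number):
        """Return (change_number, uid, current_roles) for entries newer than change_number."""
        return [(n, uid, frozenset(self.users[uid].roles))
                for n, uid in self.changelog if n > change_number]


class FusionSide:
    """Stands in for FA's own user/role tables plus its pending-request queue."""

    def __init__(self):
        self.users = {}       # uid -> set of roles known to FA
        self.pending = []     # (uid, roles) requests not yet sent to OIM
        self.last_change = 0  # high-water mark of the changelog already applied

    def create_user_ui(self, store, uid, roles):
        """Manage Users UI path: the request goes out immediately."""
        self.users.setdefault(uid, set()).update(roles)
        store.apply(uid, roles)

    def bulk_load(self, uid, roles):
        """Bulk-loaded employees/assignments only queue a request."""
        self.users.setdefault(uid, set()).update(roles)
        self.pending.append((uid, set(roles)))

    def send_pending_ldap_requests(self, store):
        """Drain the queue to the identity store; returns how many requests were sent."""
        sent = 0
        while self.pending:
            uid, roles = self.pending.pop(0)
            store.apply(uid, roles)
            sent += 1
        return sent

    def retrieve_latest_ldap_changes(self, store):
        """Pull changes newer than last_change and add anything FA is missing.

        Returns a list of (uid, newly_added_roles). Re-running with no new
        changelog entries returns an empty list, so the job is safe to repeat.
        """
        applied = []
        for n, uid, roles in store.changes_since(self.last_change):
            local = self.users.setdefault(uid, set())
            missing = set(roles) - local
            if missing:
                local |= missing
                applied.append((uid, missing))
            self.last_change = max(self.last_change, n)
        return applied


def drift(fa, store):
    """Report role assignments present on one side but not the other.

    Returns (fa_only, store_only), each mapping uid -> set of roles.
    """
    fa_only, store_only = {}, {}
    for uid in set(fa.users) | set(store.users):
        fa_roles = fa.users.get(uid, set())
        store_roles = store.users[uid].roles if uid in store.users else set()
        if fa_roles - store_roles:
            fa_only[uid] = fa_roles - store_roles
        if store_roles - fa_roles:
            store_only[uid] = store_roles - fa_roles
    return fa_only, store_only
```

The bulk-load path is the one worth checking in practice: until `send_pending_ldap_requests` runs, the bulk-loaded user exists in FA but not in the directory, and `drift` will show it as FA-only. After both jobs have run, `drift` should return two empty mappings; anything left over points at a request that was never sent or a directory change that was never pulled.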
Implementing an FA+IDM solution for an organization should be done with all the other flows in mind, such as the 'New Hire' and 'Authentication and Authorization' flows. Proper planning and an understanding of the various dimensions of this solution and its concepts allow an organization to decide why, or even whether, Oracle IDM and FA need to be wired into its enterprise IDM solution. It also highlights which user details the enterprise wants to protect, and how best to offer Oracle protection in an integrated and effective manner.
Other useful links:
Oracle® Fusion Applications Security Guide, 11g Release 1 (184.108.40.206.0): http://docs.oracle.com/cd/E15586_01/fusionapps.1111/e16689/F323392AN1A795.htm