Contents
1 Introducing Oracle Identity Analytics 11gR1
Objectives 1-2
Organizational Pressures 1-3
Controlling System Access 1-4
Achieving Compliance 1-6
Manual Processing 1-7
Problems with This Approach 1-8
Roles 1-9
Role Benefits 1-10
Enterprise Roles 1-12
Enterprise Role Management 1-14
Enterprise Role Management Categories 1-15
Oracle Identity Analytics 1-17
Oracle Identity Analytics Features 1-18
Architecture 1-20
Sample Deployment 1-21
Integration with Provisioning Systems 1-23
Functionality Matrix 1-24
Implementation Methodology 1-26
Oracle Identity Management 1-27
Available Documentation 1-29
Summary 1-30
Practice 1 Overview: Installing the Software 1-31
2 Building the Identity Warehouse
Objectives 2-2
Terms Used in Oracle Identity Analytics 2-3
Identity Warehouse 2-5
Identity Warehouse Contents 2-7
Business Structures 2-8
Users 2-9
Roles 2-11
Role Hierarchy 2-13
Audit Policies 2-14
Segregation of Duties (SoD) 2-15
SoD Matrix 2-16
Applications 2-17
Resources 2-18
Attributes 2-19
Populating the Identity Warehouse 2-20
Populating Data Manually 2-21
Adding Additional Data Elements 2-22
Importing Data (Bulk Load of Data) 2-23
Configuring a Provisioning Server 2-24
Provisioning Server Parameters 2-25
Importing from File Processing 2-27
Importing from File: Rules 2-29
Debugging Import Errors 2-30
Debugging Import Errors Exception 2-31
Job Scheduling 2-32
Job Scheduling Through the GUI 2-33
Job Scheduling Through Direct Edit 2-34
Database Entries for Job Scheduling 2-37
Summary 2-39
Practice 2 Overview: Importing and Setting Up Identity Warehousing 2-40
3 Configuring Security
Objectives 3-2
Oracle Identity Analytics Users (OIA Users) 3-3
Oracle Identity Analytics Roles (OIA Roles) 3-5
OIA Role Creation 3-7
OIA Role Visibility 3-8
OIA Users/Roles Database Tables 3-9
Proxy Assignments 3-10
Alternate Credential Store 3-11
Summary 3-12
Practice 3 Overview: Configuring Security 3-13
4 Configuring Identity Certification
Objectives 4-2
Security Challenges 4-3
Identity Certification 4-4
Automated Certification: Benefits 4-5
Certification Environment 4-6
Certification Process 4-8
Phase 1: Preparation 4-9
Phase 2: Pilot 4-13
Phase 3: Validation 4-14
Phase 4: Certification 4-15
Phase 5: Remediation 4-17
Certification Dashboard 4-19
Closed-Loop Remediation 4-21
Best Practices 4-22
Metrics 4-24
Return on Investment 4-25
Summary 4-26
Practice 4 Overview: Configuring Identity Certification 4-27
5 Configuring Auditing
Objectives 5-2
Identity Auditing 5-3
Product Capabilities 5-4
Audit Rules 5-5
Audit Policy 5-6
Actors 5-7
Policy Violations 5-8
Audit Scans 5-10
Dashboard: Overview 5-11
Dashboard 5-12
Policy Violation States 5-13
Audit Policy Actions 5-14
Job Scheduling 5-15
Event Listeners 5-16
Summary 5-17
Practice 5 Overview: Configuring Auditing 5-18
6 Performing Role Mining
Objectives 6-2
Role Management 6-3
Role Mining (Role Discovery) 6-4
Approaches to Role Mining 6-5
The Wave Methodology 6-7
The Wave Methodology (Step 1 of 7) 6-8
The Wave Methodology (Step 2 of 7) 6-11
The Wave Methodology (Step 3 of 7) 6-12
The Wave Methodology (Step 4 of 7) 6-14
The Wave Methodology (Step 5 of 7) 6-16
The Wave Methodology (Step 6 of 7) 6-17
The Wave Methodology (Step 7 of 7) 6-19
Accessing Role Mining 6-21
Performing Role Mining 6-22
Role Mining: Minable Attributes 6-23
Role Mining: General Information 6-25
Role Mining: User Selection 6-26
Role Mining: Basic Parameters 6-27
Role Mining: Advanced Parameters 6-28
Role Mining: Preview 6-30
Role Mining: Execution 6-31
Role Mining: Users In Roles 6-32
Role Mining: Classification Rules 6-33
Role Mining: Mining Statistics 6-34
Role Mining: Roles 6-35
Role Mining: Role Mining Reports 6-37
Entitlements Discovery 6-38
Accessing Entitlements Discovery 6-39
Performing Entitlements Discovery 6-40
Entitlements Discovery: Strategy 6-41
Entitlements Discovery: Role/Users 6-42
Entitlements Discovery: Entitlements 6-43
Entitlements Discovery: Verification 6-45
Best Practices 6-46
Summary 6-47
Practice 6 Overview: Role Engineering 6-48
7 Performing Role Lifecycle Management
Objectives 7-2
Role Management Activities 7-3
Role Lifecycle Management 7-4
Role Engineering (Definition) 7-5
Role Maintenance (Refinement) 7-6
Examples of Change Events 7-7
Role Certification (Verification) 7-8
Workflows 7-9
Default Workflows 7-10
Editing Workflows 7-11
Custom Role Modification Workflow 7-13
Processing Role Changes 7-14
Role Modification 7-15
Workflow Status 7-16
Pending Requests 7-17
Modification Details 7-18
Role Versions 7-19
Role History 7-20
Best Practices 7-21
Summary 7-22
Practice 7 Overview: Performing Lifecycle Management 7-23
8 Generating Reports
Objectives 8-2
Reports 8-3
Reporting Categories 8-4
Accessing Reports 8-5
Report Dashboard 8-6
Business Structure Reports 8-7
Business Structure Roles Report 8-8
Creating Custom Reports 8-9
Executing Custom Reports 8-11
Summary 8-12
Practice 8 Overview: Generating Reports 8-13
Controlling System Access (continued)
• Loss of Sensitive Customer or Employee Data
Protection of customer or employee data is one of the main drivers of regulatory
compliance, and companies have a fiduciary responsibility to protect this information.
However, more and more companies are making headlines as sensitive personal
information is stolen, lost, or inadvertently published to corporate Web sites. Companies
realize they need adequate access control practices to reduce these risks.
In addition to insider threats, companies are forced to comply with one or more regulations that
require a review of access and access control processes. In essence, companies are being
forced into compliance. Regardless of whether a company must adhere to SOX/Cobit, PCI,
HIPAA, GLBA, or Basel II, it needs to understand the current access held by individuals inside
and outside the company, and the current access control process. It also needs to be able to
rapidly generate the evidence and related artifacts to determine user access and pass an audit.
Oracle Identity Analytics 11gR1: Administration 1 - 5
Role Benefits (continued)
• Provide evidence of compliance. Auditors need to easily understand the access controls
and processes in your organization. Having a defined set of roles (that is utilized across
the identity and access management program) will greatly advance your ability to prove
that you have compliant processes.
• Bridge the gap between business and information technology. Roles bridge the
communications gap between business and IT. The role definition process itself requires
input from both business and IT personnel, and the result is a defined set of roles that
encapsulates business requirements.
• Provide controls. Roles provide known and approved levels of access for a job title or job
function. Because roles are engineered and reviewed, they should not provide any
access that violates separation of duties (SoD) policies. Additionally, with defined roles,
provisioning operations and services could be limited to allow only role-based access
allocation, thereby increasing control and decreasing risk.
• Facilitate valid requests from employees. With clearly defined roles, employees can easily
understand and request access to the applications and data that they need. For example,
Bob might be added to Project Team 7 and need to request access defined for that
project, or he might want read-only access to product-line financial data to perform some
analysis. These roles (business or IT) should be available and understandable.
Enterprise Roles (continued)
• Business Managers
Business managers are often tasked with requesting and approving access to resources
for their direct reports. In many cases, the business managers do not understand what
access is actually required or even appropriate. This leads to copy/paste entitlements
(access based on another user’s rights) or an accumulation of entitlements over time.
Roles provide a method for defining resource access based on business terminology
rather than technical terms. When they request or approve access, business managers
can be assured that the access would be adequate based on their needs, and that it
would be provided in a timely manner.
Business managers can also be assured that during the audit process, they can better
understand access requirements and can attest to access based on role definitions
already in place.
• Auditors
Auditors, like employees, need to understand how access is defined, granted, and
removed, and a business-friendly context is easier to understand than the cryptic IT
entitlements.
When determining access control compliance, auditors can review the defined roles, an
individual’s assigned roles, and an individual’s assigned access outside of the defined
roles. This makes the review process more efficient and accurate.
By defining, utilizing, and periodically verifying roles, you are establishing controls that
prove to auditors that a repeatable, sustainable process for access control exists.
Enterprise Role Management Categories (continued)
• Role Management
Role management involves the grouping and management of application-level
entitlements into enterprise roles. Role definitions consist of the grouping of entitlements
across one or more resources. These roles are then associated with organizational
structures such as job titles, employee codes, or departments. A user is granted access to
resources based on a role definition and as such, roles themselves need to be
periodically reviewed and recertified.
• Provisioning Integration
Integration with provisioning systems such as Sun Identity Manager provides both a
proactive and reactive mechanism for achieving compliance. Account provisioning
systems should utilize roles defined in a role provisioning system to ensure that access is
granted properly. Alternatively, violations detected during the attestation process should
interface to an account provisioning system in order to address the violation in a timely
manner.
Oracle Identity Analytics Features (continued)
The next key feature of the warehouse is application metadata, which is the source of its
flexibility. The metadata is the definition of attributes and the security structure of applications in
the infrastructure. The metadata enables you to define the security structure of any application,
platform, or database without any coding. You can then define parameters and include
constraints on each of the data attributes, which enable you to control how the data will be
used. For example, you might import 200 attributes from Microsoft Active Directory, but display
only the five key attributes in your certification.
The next key feature is the Glossary, which is highly recommended for certifications. The
Glossary is a business-friendly description of entitlement values that can be managed from the
user interface of the Identity Warehouse.
Sample Deployment (continued)
A common deployment scenario is to separate Oracle Identity Analytics instances based on
functionality as follows:
• Role Management and Identity Compliance (certification and audit):
This instance requires periodic feeds from resources in order to perform scans for policy
violations and might also include connectivity to a Provisioning Server to perform closed-
loop remediation. Application and data owners interface to this instance to perform audits
and certifications.
• Role Engineering (role mining and entitlement discovery):
This instance can be treated as an offline instance. It does not need to be part of a
production server cluster and might even be used as a staging server for the production
environment. Role engineering instances require one-time application feeds when
performing role mining and entitlements discovery, and the data is locked until the
analysis has been completed. This instance is not typically connected to the Provisioning
Server, but it could be in order to provide another highly available instance.
Note that both instances point to the same Identity Warehouse. In such architectures, you
should consider using database clustering in order to achieve a highly available database
solution.
Functionality Matrix (continued)
The Oracle Identity Manager software manages users throughout the identity life cycle. It
creates, deletes, and modifies accounts on managed resources and can do so by utilizing role
definitions created by Oracle Identity Analytics. Oracle Identity Manager can monitor data from
one or more identity sources (such as human resource applications or contractor databases)
and can provision user accounts based on roles. As such, it is primarily a proactive tool in the
hiring process.
Oracle Identity Manager provides an end-user interface that enables employees, contractors, or
other users to manage certain attributes (such as mobile phone or password). The primary
users of Oracle Identity Analytics are the administrators who support the product and owners
who participate in the certification process (nonadministrative users do not access Oracle
Identity Analytics directly).
Oracle Identity Management (continued)
Oracle Identity Federation (OIF):
OIF enables identity providers and service providers to connect seamlessly. It creates trust
relationships between partners and agencies by connecting users seamlessly and securely.
OIF provides the interoperability needed to share identities securely across vendors, customers, and
business partners, thus providing cross-domain SSO.
Oracle Adaptive Access Manager (OAAM):
OAAM provides real-time fraud prevention, multifactor authentication, and unique
authentication strengthening. OAAM consists of two primary components:
• Adaptive Strong Authenticator, which provides multifactor authentication and protection
mechanisms for sensitive information such as passwords, PINs, security questions,
account numbers, and other credentials
• Adaptive Risk Manager, which provides real-time and offline risk analysis and proactive
actions to prevent fraud at critical login and transaction checkpoints. Adaptive Risk
Manager examines and profiles a large number of contextual data points to dynamically
determine the level of risk during each unique login and transaction attempt.
Security Token Service:
STS simplifies the orchestration of standards-based and proprietary tokens between Web
services clients and providers, enabling businesses to abstract security from Web services. It
provides a solution for abstracting Web services security and handling token issuance,
validation, and translation through WS-Trust.
It also provides a means to propagate identity and security information across infrastructure
tiers by converting a Web SSO token issued for an enterprise portal to an SAML token that is
consumed by applications or Web services.
Fedlets:
A Fedlet is a service provider implementation of SAML 2.0 SSO Protocol. It is a lightweight way
for service providers to quickly federate with an identity provider. An 8.5 MB package that
identity providers give to service providers enables them to federate back to a company without
the need for any additional federation products.
To become federation enabled, the service provider simply adds the Oracle OpenSSO Fedlet
to their application and deploys the application. No configuration is required and it works with
both Java and .NET applications. With Fedlets, service providers can consume identity
assertions and receive user attributes from OIF.
Oracle Entitlements Server (OES):
OES provides management of fine-grained authorization policies and a standardized
enforcement mechanism as an alternative to embedding one-off security within the application.
Oracle Platform Security Services (OPSS):
OPSS provides an abstraction layer in the form of standards-based APIs that insulate
developers from security and identity management implementation details. With OPSS,
developers do not need to know the details of cryptographic key management or interfaces with
user repositories and other identity management infrastructures. By leveraging OPSS, in-house
developed applications, third-party applications, and integrated applications all benefit from the
same uniform security, identity management, and audit services across the enterprise. It is a
standards-based, portable, integrated, enterprise-grade security framework for Java Standard
Edition (Java SE) and Java Enterprise Edition (Java EE) applications.
Terms Used in Oracle Identity Analytics (continued)
• Audit policy – An audit policy is a collection of audit rules that together enforce the
business policies associated with segregation of duties (SoD).
• Role – A role represents a job function. Roles contain policies that describe the access
that individuals have on a particular resource. Roles represent unique job functions
performed by users in the domain.
• Role mining – A role mining process can be used to discover relationships between
users based on similar access permissions that can logically be grouped to form a role.
This process is also known as role discovery and can drastically reduce the time needed
to define and manage roles.
• Certification – Also known as attestation, certification is the process of evaluating users’
access to system resources and attesting that their presence on these resources does not
violate any business policies.
• Application – Applications provide a method of grouping entitlements across one or more
resources for auditing purposes.
Identity Warehouse (continued)
The glossary information provides business descriptions that are associated with the raw
entitlement data for improved usability and understandability. The complete entitlement data
can be correlated during the certification phase, and the entitlement hierarchy can be shown as
part of the drill-down entitlements. The advanced correlation engine built within Oracle Identity
Analytics ensures that the user account is correlated to the appropriate identity based on
defined correlation rules. Data owners and data classification can be assigned to individual
entitlements. Appropriate entitlements can be tagged as high-privileged to be used during
certification and reporting.
Users (continued)
The user store is the central platform, database, or directory where user records are stored.
Oracle Identity Analytics uses the user store to populate identities within the Identity Warehouse.
Commonly used user stores include Active Directory, Exchange, Oracle, SAP, UNIX, and
RDBMS tables.
Initially, an organization in Oracle Identity Analytics is populated with users by using a feed
from an HR system. The HR system is used to create all the global identities in Oracle Identity
Analytics. Alternatively, the global identities can be created from a provisioning system such as
Oracle Waveset (formerly Sun Identity Manager).
Note: Oracle Identity Analytics is a data-heavy model and consists of several data elements
associated with a user. This is in contrast to Oracle Waveset, which maintains only enough
data to accurately identify and correlate users (a data-sparse model). Oracle Identity Analytics
can consist of hundreds of data elements, whereas Oracle Waveset consists of less than 10, by
default.
Roles (continued)
Roles provide the flexibility and power to enforce enterprise standards so that you can
accomplish the following:
• Manage users who perform the same tasks the same way no matter where they are
located in the enterprise
• Perform less work when managing users because you do not have to manually specify
privileges every time a change is made to a person’s job function
A role can be nested within another role. Role hierarchy can be defined for any level required in
an organization.
Roles have a life of their own and change as the organization changes. The role management
features within Oracle Identity Analytics enable organizations to maintain the life cycle of a role.
This includes comprehensive workflows for adding, modifying, and decommissioning of roles,
and provides the following features:
• Role consolidation allows for the comparison of roles based on underlying entitlements or
similarity in users.
• Role versioning ensures that all historical data is maintained for each role.
• Role certification ensures that the owner of the role can validate the content of each role.
• Role versus Actual analysis ensures that all access that the user has beyond that
provided by the role is monitored.
Note: Refer to the lesson titled “Performing Role Lifecycle Management” for more information
about role lifecycle management.
Provisioning Server Parameters (continued)
• complete – Location of archived data files (after the import is completed)
Note: It is common to schedule tasks within Oracle Identity Analytics to periodically read data
from files. This enables you to keep the data in the Identity Warehouse current. Take care,
however, to ensure that the file being consumed by Oracle Identity Analytics is complete and
that it is not updated while it is being processed because this will cause the import to terminate
unexpectedly. Consider adding a staging directory to the drop location for files that are in the
process of being updated and moving files from staging to the import drop location when the
processing has been completed.
In addition to importing data from files, you can also export data from the Identity Warehouse to
files. This is especially useful when moving customizations between different environments
such as development, staging, and production. Before exporting data, you must provide the
following folder locations for the file-based Provisioning Server:
• export – Location of outbound (exported) data files
• schema – Location of the attribute mapping files
Importing from File Processing (continued)
# account.setNamespaceName("Windows Active Directory");
# account.setUserName(account.getId());
# }
# End Post Line Read Script
#
name<CorrelationKey>,accountId,userName,accountLocked,adGroups,country,department,disabled,division,email,employeeNumber,exchangeServer,expirePassword,faxNumber,firstname,lastname,fullname,homeAddress,homeCity,homeState,homeZip,homeMDB,homeMTA,homePhone,middleInitial,jobTitle,mailNickName,managerId,managerDN,mDBOverHardQuotaLimit,mDBOverQuotaLimit,mDBStorageQuota,mDBUseDefaults,mobilePhone,objectGUID,uSNChanged,telephone,domain,endpoint
Note: Ensure that you have all the necessary attributes based on the schema definition. If you
do not have all the necessary attributes, the data will not be imported.
4. Place the data file into the import drop location.
5. Start the import process from the graphical user interface.
This can be performed from the following location:
Administration > Configuration > Import/Export > Schedule Job > Job Type
After the import has been initiated, the file is read from the import drop location, and data
is imported into the Identity Warehouse according to the mappings defined in the schema
file. Import drop files are then time-stamped and moved to one of the following folders
based on whether the import was successful:
- Successful completion – complete/success
- Unsuccessful completion – complete/error
6. Review the status of the import process in the following areas:
- Graphical user interface
- Import complete location
7. If you detect an error during the import process, you may need to review the Oracle
Identity Analytics log file (rbacx.log).
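As an added example (not code from the course or the product), the following Python script applies the two cautions in the notes on Provisioning Server Parameters and Importing from File Processing: it checks a data file against the schema attribute list before the file reaches the import drop location (a file lacking schema attributes is not imported), and it writes the file to a staging directory and then renames it into the drop, so the import never reads a half-written file. The schema-file layout, the directory names and the sample files are assumptions constructed from the notes.

```python
# Added example, not course or product code. Assumed layout (from the notes): the
# schema file's last non-comment line lists the attributes, the correlation key is
# suffixed <CorrelationKey>, and a staging directory sits beside the import drop.
import csv
import os
import tempfile
from pathlib import Path

KEY_TAG = "<CorrelationKey>"

# Constructed schema text: a shortened form of the Windows AD schema in the notes.
SCHEMA_TEXT = """\
# Post Line Read Script and other '#' lines are comments and are skipped
name<CorrelationKey>,accountId,userName,accountLocked,adGroups,country,department
"""

def parse_schema(text):
    """Return (ordered attribute names, correlation-key attribute) from schema text."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    names, key = [], None
    for col in lines[-1].split(","):  # the attribute list is the last real line
        col = col.strip()
        if col.endswith(KEY_TAG):
            col = col[: -len(KEY_TAG)]
            key = col
        names.append(col)
    if key is None:
        raise ValueError("schema defines no <CorrelationKey> column")
    return names, key

def check_data(rows, names, key):
    """Return problems found: missing schema attributes, ragged rows, empty keys."""
    header = [c.strip() for c in rows[0]] if rows else []
    missing = [n for n in names if n not in header]
    if missing:  # the notes say the whole file is rejected in this case
        return ["missing attributes: " + ", ".join(missing)]
    key_idx, problems = header.index(key), []
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(f"line {lineno}: expected {len(header)} fields, got {len(row)}")
        elif not row[key_idx].strip():
            problems.append(f"line {lineno}: empty correlation key '{key}'")
    return problems

def stage_and_drop(data_path, staging_dir, drop_dir, names, key):
    """Validate the file; copy it into staging, then rename it into the drop atomically."""
    data_path = Path(data_path)
    with data_path.open(newline="") as fh:
        rows = list(csv.reader(fh))
    problems = check_data(rows, names, key)
    if problems:
        return {"ok": False, "problems": problems}
    staged = Path(staging_dir) / data_path.name
    staged.write_bytes(data_path.read_bytes())  # fully written before it is visible
    final = Path(drop_dir) / data_path.name
    os.replace(staged, final)  # atomic rename: the importer sees all or nothing
    return {"ok": True, "dropped": str(final)}

def demo():
    """Run a complete and an incomplete constructed file through a temporary tree."""
    names, key = parse_schema(SCHEMA_TEXT)
    with tempfile.TemporaryDirectory() as root:
        staging, drop = Path(root, "staging"), Path(root, "import")
        staging.mkdir()
        drop.mkdir()
        good = Path(root, "ad_users.csv")
        good.write_text("name,accountId,userName,accountLocked,adGroups,country,department\n"
                        "jdoe,1001,jdoe,false,Domain Users,US,Finance\n")
        bad = Path(root, "ad_users_bad.csv")  # adGroups and department are missing
        bad.write_text("name,accountId,userName,accountLocked,country\n"
                       "jdoe,1001,jdoe,false,US\n")
        return (stage_and_drop(good, staging, drop, names, key),
                stage_and_drop(bad, staging, drop, names, key))
```

The rename is only atomic when the staging directory and the import drop location are on the same filesystem, which is why the script creates them side by side.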