Application Instance in OIM – IDM 11gR2 changes/new features

Application Instances (new entity introduced in OIM 11gR2) is the entity that can be provisioned to a user. Application Instance are published to the catalog and user can access application instances via catalog.

In Pre-OIM 11gR2, to provision account you select name of the resource where as from OIM 11gR2 onwards resources and entitlements are bundles in Application Instances which user can select via catalog (catalog is another feature introduced in OIM 11gr2 more on catalog in OIM 11gR2 later)

This post covers everything you (as an OIM administrator) need to know about Application Instances in OIM 11gR2

1. Use link “Application Instances” under configuration in System Administration Console (/sysadmin) to create and manage Application Instances.


2. Application instance is combination of an IT Resource instance and resource object that means you can’t have two application instances with same IT Resource instance and Resource object (either IT Resource instance or resource objects must be different between two Application Instances)

Note: you will not see any thing in resource Object unless OIM connector is installed and configured with OIM.

Note: You can create application instances without connector installation for disconnected application instance (More on disconnect applications later)

3. Disconnected application instance can only be created when a sandbox is active. (More on disconnect applications later)

4. Application instances are published to Organizations in OIM and these application instances can be requested (via request catalog) by users belonging to Organization to which this application instance is published.

Note: Useful feature in multi-tenant environment where same OIM is used by multiple organisations to provision accounts.

5. An application instance can be associated with multiple organisations.

6. An application instance can have entitlements associated with it (Entitlement can be role, group or responsibility). For example with Application Instance “Active Directory” you can also attach entitlement (group in AD)

To allow users to request entitlement, you must add child object and add an attribute that is tagged as an Entitlement. More on entitlements in application instance later

An Application Instance will be published to the catalog by running a scheduled job “Catalog Synchronization Job” (This job is configured to run every 15 minute)

8. Application Instance can have parent application instance and in such case new application instance inherits all properties of parent application instance.

9. When you delete an application instance it does a soft delete . For hard delete run schedule job “Application Instance Post Delete Processing Job” (with mode Delete). More here

10. Pre-defined Roles associated with Application instance in OIM 11gR2 are a) Application Instance Viewer b) Application Instance Administrator c) Application Authorizer


References/Related :

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

vda says September 8, 2012

your blog is seriously very good and i am
thinking about that since long time but
if any body want to know about the IT education
and the any exam information and if you want
to increase your skill please visit


kuldeep says September 28, 2012

Your blog is very good/useful. Thank you very much
Keep it up…

Nash says October 26, 2012


I have LDAP Sync enabled in OIM 11g R2 and I am looking to create an application instance where I need to add 2 attribute values in the same OID where the user is created. I want them to request for application, fill in those two values and have the OIM write them in the same user store/dn but on different attributes configured for them is this possible ?


nand says March 27, 2013

HI Atul,

I want to provision a disconnected resource to a user ,which has to be autoapproved and request has to be done by fulfillment role.

nand says March 27, 2013

created disconnected resource and given approval policies as autoapprove. Logged in as admin user and requested an Disconnected resource in the catalog for user ,and at the bottom of the catalog page ,filled in the details for fulfillment role and submitted.
The problem i am facing is the for the user the resurce is showing provisioning status,but when i logged in as fulfillment role member i cant see any approvals pending (he as to claim and complete the task).

Help needed…..

chinna says September 5, 2013

Hi to all
I am getting bellow error while doing LDAPS SYNC with AD.I created certificate and SSL on.
I tried by giving lot of credentials.
Please help me out from this issue.
INST-6128: Could not connect to the LDAP with the given credentials.
Check the values. Make sure the LDAP is up and running.
INST-6182: Specified LDAP URL is not a SSL URL .

    Atul Kumar says September 7, 2013

    What details you select for LDAP server (provide details) ?

    From AD user that you provided in LDAP sync – does this user have privileges to create and delete users in AD ?

    Can you connect from this user to AD using any LDAP based tool like Apache LDAP browser ?

Anand says September 18, 2013

Error message: oracle.iam.ui.platform.exception.OIMRuntimeException: IAM-3051005 : The organization search operation failed..

when we upgrade from OIM11gR2 to PS1.

Please help us out.

Atul Kumar says September 18, 2013

@ Anand ,

It looks like some upgrade failed

Check “”Verifying MDS Patch In The Upgrade Process From R1 To R2 (Doc ID 1512678.1)””

Though this is not exactly same but issues are related , focus on MDS . Was there any error reported while applying PS1

Anand says September 18, 2013

Thanks Atul,

i think it just a rename somewhere
it is in error code during upgrades
but do not know where to change
its a label reneame

Ramesh Bhattacharjee says September 26, 2013

My requirement is that i have near about 12 Application instance and above 100 entitlements.
now i have a csv file which contains the approver for each application instance and entitlements.
To bulk load and set the approver of the catalog what is the procedure that is to followed.
Since it will be a one time activity per deployment was looking to create a schedule job and use api to set the approver of the catalog.
please help and guide.

Akshata says May 15, 2014


I’ve created ICf connector with all the artifacts.
But when i try to create Application instance i’m not able to find Process form assosiated with my Ro in Form drop down( Drop down is blank).

Even in your screen shot also i saw that process form name is visible.

Please let me know where i’ve gone wrong.
I’m able to create application instance without form, but while assigning resource to user i’m not able to view process form.


mathmut says June 5, 2014

Hi Atul,

Is there any way to revoke all entitlements of an application instance when application instance is disabled?


sandeep singh says August 26, 2014

Hi Atul,

can you post some more topics of OIM 11g R2 like event handlers, bulk load & Post processing, Oracle Identity Analytics and more….

Thanks & Regards
Sandeep Singh

Add Your Reply