Oracle Identity Analytics (OIA) Architecture


OIA Architecture: Oracle Identity Analytics is a J2EE application deployed on a J2EE-compliant application server. The OIA architecture consists of the following layers:

a) Web Presentation Layer: The OIA web UI is a thin client accessible via a web browser. It also exposes identity compliance and role management functionality via web services.

b) OIA Server Layer: The OIA server is divided into abstraction layers such as Security, Business Logic, Services, Transaction & Data Access, and Backend System Integration. It is further divided into modules based on functionality, such as Identity Warehouse, Certification, Audit, and Role Management, explained below.

c) Data Tier Layer: consists of the OIA repository, which manages and stores OIA metadata and transactional data in a relational database.


OIA Modules

Oracle Identity Analytics (OIA) is divided into the following modules based on the functionality it offers:

a) Identity Warehouse: This is the core of OIA, where data is populated and held for functions such as Certification or SoD (Segregation of Duties). The Identity Warehouse can be populated from an existing identity provisioning solution such as OIM (Oracle Identity Manager), or via API, CSV or XML, as shown in the diagram above.

b) Identity Certification: This module is responsible for certifying users, roles, data owners, etc. It is also responsible for tracking changes made after certification and remediating those changes with appropriate comments.

c) Identity Audit: provides SOX compliance capabilities. This module is responsible for identifying users holding access entitlements that conflict with each other, or with the user's job responsibility.

d) Role Management and Role Analytics: responsible for role definition and lifecycle management, including the assignment of roles based on rules. This module also performs role consolidation to remove redundant roles.


About the Author Atul Kumar

Oracle ACE, author, speaker and founder of K21 Technologies & K21 Academy, specialising in design, implementation and training.

Pallavi says December 28, 2011

Hi,

In OIA: Identity Warehouse -> Roles -> New Role -> Ownership tab -> Add Owners.

Here, at the Add Owners step, I can see only users which are imported from OIM (global users / end users).

And if I assign an end user as owner of a role, the role membership approval task still goes to rbacxadmin.

Can we select OIA users as a role owner?

Is there any way to log in to OIA using a global user/end user?

Please help me to understand this scenario.

Thanks,
Pallavi Chaudhari

Reply
Atul Kumar says December 28, 2011

@ Pallavi,

Is there any way to log in to OIA using a global user/end user?

Yes, if you integrate OIA with a Single Sign-On solution like OAM (Access Manager).

Reply
Pallavi says December 28, 2011

Thanks Atul,

Is there any way to assign an OIA user as a role owner? Because whenever the role membership workflow executes, it always assigns the membership approval task to rbacxadmin or an OIA user with access control permissions.

And one more thing: even if I assign the role owner as an OIM user, when roles are pushed to OIM from OIA the role owner is always reflected as the system administrator. Is this the way OIA behaves?

Thanks for your time.

– Pallavi Chaudhari

Reply
Pallavi says December 29, 2011

Any pointer would be a great help Atul.

Reply
Pallavi says January 3, 2012

Resolved this issue. We have to manually create an OIA user account for the global user with access control enabled. Then role change and role creation requests will go to the role owner (who is the global user).

Reply
Atul Kumar says January 3, 2012

@ Pallavi,
Thanks for sharing information.

Have you integrated OIM 11g with OIA 11g for user provisioning?

Reply
Pallavi says January 4, 2012

Hi Atul,

Yes, I have integrated OIM 11.1.1.5.0 with OIA 11.1.1.5.0, but not for user provisioning; I am using it for RBAC and the attestation process.

Reply
Atul Kumar says January 4, 2012

@ Pallavi,
Thanks a lot. For some reason my OIM-OIA integration was not working earlier. This is now fixed.

Do you currently hold the OIA certification 1z0-544? http://www.oracle.com/partners/en/knowledge-zone/middleware/identity-analytics-admin-exam-page-177476.html

I am planning to do this certification but am finding it extremely difficult to do on my own. Do let me know if you can help me or would like to do a group study (maybe I can bring a few more people, each covering 1-2 topics).

Contact me on my email atul [at] onlineAppsDBA.com if interested.

Reply
Tariks says January 5, 2012

Hello!

I need help to integrate OIA with OIM. When I run the job to import metadata from OIM, the following error is generated.

09:12:09,271 ERROR [IamDbNamespaceImporterHelperImpl] Error connecting to OIM
Thor.API.Exceptions.tcAPIException: javax.security.auth.login.LoginException: java.lang.SecurityException: [Security:090304]Authentication Failed: User xelsysadm javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xelsysadm denied
at Thor.API.tcUtilityFactory.(tcUtilityFactory.java:166)
at com.vaau.rbacx.iam.util.oracle.oimapi.OimUtilityFactory.getUtilityFactory(OimUtilityFactory.java:67)
at com.vaau.rbacx.iam.db.helpers.IamDbNamespaceImporterHelperImpl.readNamespaces(IamDbNamespaceImporterHelperImpl.java:85)
at com.vaau.rbacx.iam.db.DBIAMSolution.readResourceMetadata(DBIAMSolution.java:697)
at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.importResourceMetadata(RbacxIAMServiceImpl.java:473)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy118.importResourceMetadata(Unknown Source)
at com.vaau.rbacx.scheduling.executor.iam.IAMJobExecutor.execute(IAMJobExecutor.java:107)
at com.vaau.rbacx.scheduling.manager.providers.quartz.jobs.AbstractJob.execute(AbstractJob.java:72)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:534)
09:12:09,272 ERROR [DBIAMSolution] Error Importing Namespaces : javax.security.auth.login.LoginException: java.lang.SecurityException: [Security:090304]Authentication Failed: User xelsysadm javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xelsysadm denied

The OIA is not installed on the same domain of the OIM.

If you can help me I would be very grateful

Tks

Reply
Atul Kumar says January 5, 2012

@ Tariks,
Please update the versions of OIM and OIA you are using.

Reply
Tariks says January 5, 2012

Versions

OIM = 11.1.1.5.0
OIA = 11.1.1.5.0
Weblogic = 10.3.5.0

Reply
Atul Kumar says January 5, 2012

@ Tariks,

1. Verify that you can log in to the OIM URL http://server:14000/oim using the xelsysadm password.

2. Ensure that all steps mentioned in section 1.4 at http://docs.oracle.com/cd/E24179_01/doc.1111/e23377/integratingwithoimpreferred.htm#BABCDIGB are actioned.

This includes creating wlfullclient.jar and copying it to OIA_staging/WEB-INF/lib.

Reply
Pallavi says January 5, 2012

@Tariks

Did you follow this step:

Copy the config folder located at /config and paste it in the Oracle Identity Analytics $RBACX_HOME/xellerate folder.

Reply
Tariks says January 5, 2012

Hi

The problem was the folder setting RBACX_HOME/xelerate/config.

This is working now. Sirs, thank you for your help.

Reply
Dhani says January 25, 2012

Hi, I am a new entrant to OIA. Can someone tell me how I can delete the existing data in OIA?
I see existing data for users, roles and business units. I want to delete it and import it again just to understand how it works.

thanks in advance

Reply
Pallavi says January 27, 2012

Hi,

OIA table structure:

http://docs.oracle.com/cd/E27119_01/doc.11113/e23128/docinfo.html#scrolltoc

There must be multiple data dependencies. Study the table structure.

Reply
vappador says January 30, 2012

If the interest is to get a clean, fresh DB, you can rerun the DB creation script to clean up the DB. This script will drop the tables and the relevant data associated with them. Please note this is a destructive process and an appropriate backup needs to take place in the case of a production instance.

Reply
naidubetha says February 10, 2012

hi atul/pallavi,

We are using the OIA attestation process. The problem here is that when we create a certification based on the resource entitlement, it gets all the users assigned to the resource and creates a certification, and meanwhile it automatically pulls the user's manager (the certifier, who is now in the global users list) into the OIA users list. This is fine, but what is the default password it sets for that account to make it an admin user?

Please help me in this regard.

thanks
naidu

Reply
Pallavi says February 13, 2012

Hi,

If you are still looking for an answer:

Password for the certifier created by OIA:

Reply
Pallavi says February 13, 2012

Certifier password will be:

First name, 3 letters + '@' + last name, 3 letters

Reply
Pallavi says February 13, 2012

Hi naidubetha,

If you create a Resource Entitlement attestation, it will include all users associated with that resource for certification.

I do not have a working setup of OIA right now. Can you please try to see the options, while creating the attestation job, for selecting a particular user?

Reply
naidubetha says February 14, 2012

hi pallavi,

Thanks for your valuable information. It saved a lot of time for me.

Yes, I am able to do the Resource Entitlement attestation for the selected users too, but anyway I need it for the user's manager only. Can you please tell me how you found this password solution? Any doc or site, etc.? Because I need to do a lot of R&D on this OIA.

thanks a lot
Naidubetha

Reply
Pallavi says February 15, 2012

Hi naidubetha,

Please look into /WEB-INF/security-config-context.xml.

Search for:

Reply
Pallavi says February 15, 2012

Search for the property:

Reply
Pallavi says February 15, 2012

property name="rbacxUserPasswordTemplate"

Reply
silviuchiric says April 10, 2012

hello all,

Please reply to the following questions (required to prepare for the 1Z0-5454 OIA and OIM 11g certification exam):

(Best answer)
You want to trigger role membership rules manually and not through the UI. You should add the "roleMembershipRuleJob" trigger to...
XA) Scheduling-context.xml
B) SchedulerExecutionLogRecord.xml
XC) Jobs.xml
D) Conf-context.xml
E) Search-Context.xml

Why is "role consolidation" (Role Management Engineering) an important step in an OIA implementation?
A) It helps streamline provisioning and deprovisioning processes in IDM organizations (looks like a valid answer; further investigation needed)
The next 3 answers were some of the following (including C):
B) Ensures compliance
C) Helps in Role Entitlement certification
D) Avoids role explosion
D) Helps in building audit policies
E) Improves system performance

Reply
Pallavi says April 10, 2012

Hi,

Answer to the first question:

To import role membership rules manually without using the UI, you need to enable the entry of the bean 'roleMembershipRuleJob' in Scheduling-context.xml, and in jobs.xml you need to update the cron expression to decide how frequently the job will run.

Reply
Pallavi says April 10, 2012

Answer to the question "Why is 'role consolidation' (Role Management Engineering) an important step in an OIA implementation?":

I think it is D) Avoids role explosion.

Reply
Kesavan says August 2, 2012

Hi,

I am trying to import users from Global to OIA users. I heard we have to use the OIA web service to create the user.

I enabled the web service, but when I look at the guide it provides me the method, not a class:

public boolean createUser(UserVO user) throws RbacxServiceException

Do you know how to write the code using this method?

Regards,
L.Kesavan

Reply
Pallavi Chaudhari says August 2, 2012

1. Generate Java classes from the WSDL.
The WSDL URL for userService is: http://oia-host:oia-port/youroiawebappname/ws/userService?wsdl

2. Package the generated Java classes from the above step into a jar and add this jar to the classpath.

3. Write a HeaderHandlerResolver to provide the authentication information to the OIA web service.

Sample code to create a user in OIA:

public void sendCreateUserRequest(UserServicePortType oiaWSPort) {
    System.out.println(" Entering into sendCreateUserRequest() ");
    try {
        // Populate the value object generated from the userService WSDL
        UserVO userVoObject = new UserVO();
        userVoObject.setUsername("WSUSER1");
        userVoObject.setFirstName("WS");
        userVoObject.setLastName("User1");
        userVoObject.setMiddleName("S");
        userVoObject.setEmployeeType("Full-Time");

        // Invoke the createUser operation on the (authenticated) port
        boolean isUserCreated = oiaWSPort.createUser(userVoObject);
        System.out.println(" User Created :: " + isUserCreated);
    } catch (Exception e) {
        e.printStackTrace();
    }
    System.out.println(" Exit from sendCreateUserRequest() ");
}

Try it out. Let me know if you need more information.

Reply
Vani Joshi says August 8, 2012

Hi,

I have a question related to OIA (11.1.1.5.4) and OAM (11.1.1.5).
I have protected OIA using OAM: created the policy and the LDAP authentication scheme; OID is used as the source for authentication.

And on the OIA side I have done the modifications as mentioned in the OIA System Integration Guide (section 4).

But I am facing a problem.
When I access rbacx through the reverse proxy URL, I get the SSO login page, and after entering the credentials it takes me again to the OIA login page.

Any information on this??

Reply
Vani Joshi says August 8, 2012

Hi,

We are using the create user API of OIA 11.1.1.5 to create the logon users directly in OIA through OIM.
But we are getting some exceptions.
Please find the code and the exception we are getting. Any info on this will be of great help.

code :

public static void main(String[] args) {
    try {
        webservice.proxy.UserServiceHttpPortClient myPort = new webservice.proxy.UserServiceHttpPortClient();
        System.out.println("calling " + myPort.getEndpoint());
        // Add your own code here
        myPort.setUsername("rbacxadmin");
        myPort.setPassword("Abs@1234");
        System.out.println("calling " + myPort.getPort().testConnection());

    } catch (Exception ex) {
        ex.printStackTrace();
    }
}

Error:

calling http://kabini:7003/rbacx/ws/userService
javax.xml.rpc.soap.SOAPFaultException: ForgivingWSS4jInHandler: Error occured, and it wasn’t the one I am configured to ignore: WSS4JInHandler: Request does not contain required Security
header (WSS4JInHandler: Request does not contain required Security header)
at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
at webservice.proxy.runtime.UserServiceHttpBinding_Stub.testConnection(UserServiceHttpBinding_Stub.java:836)
at webservice.proxy.UserServiceHttpPortClient.main(UserServiceHttpPortClient.java:31)
Process exited with exit code 0.

Reply
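The HeaderHandlerResolver from step 3 of the web-service answer above is exactly what the fault in the post above ("Request does not contain required Security header") says is missing. Below is an added example of one, written here and not taken from OIA or from either commenter; it assumes a JAX-WS client generated from the userService WSDL and an endpoint that accepts a WS-Security UsernameToken with a PasswordText password over TLS.

```java
import java.util.*;
import javax.xml.namespace.QName;
import javax.xml.soap.*;
import javax.xml.ws.handler.*;
import javax.xml.ws.handler.soap.*;

// Hypothetical client-side JAX-WS handler (not OIA's own code): adds the WS-Security
// UsernameToken header that the server-side WSS4JInHandler requires on every request.
public class UsernameTokenHandler implements SOAPHandler<SOAPMessageContext> {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Assumption: the endpoint accepts PasswordText tokens; keep the transport on TLS.
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    private final String username;
    private final char[] password; // char[] rather than an interned String literal
    public UsernameTokenHandler(String username, char[] password) {
        this.username = username;
        this.password = password;
    }
    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        // Only requests leaving the client get the token; responses pass through untouched.
        if (!Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true;
        }
        try {
            SOAPEnvelope env = ctx.getMessage().getSOAPPart().getEnvelope();
            SOAPHeader header = env.getHeader() != null ? env.getHeader() : env.addHeader();
            SOAPElement security = header.addChildElement("Security", "wsse", WSSE_NS);
            SOAPElement token = security.addChildElement("UsernameToken", "wsse");
            token.addChildElement("Username", "wsse").addTextNode(username);
            SOAPElement pw = token.addChildElement("Password", "wsse");
            pw.setAttribute("Type", PASSWORD_TEXT);
            pw.addTextNode(new String(password));
            ctx.getMessage().saveChanges();
        } catch (SOAPException e) {
            throw new RuntimeException("Could not add WS-Security header", e);
        }
        return true;
    }
    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
    @Override public Set<QName> getHeaders() { return Collections.emptySet(); }
    // HandlerResolver that installs this handler on every port of the service.
    public static HandlerResolver resolver(final String user, final char[] pw) {
        return new HandlerResolver() {
            @Override
            public List<Handler> getHandlerChain(PortInfo portInfo) {
                return Collections.<Handler>singletonList(new UsernameTokenHandler(user, pw));
            }
        };
    }
}
```

Install it with service.setHandlerResolver(UsernameTokenHandler.resolver(user, password)) before calling getPort(); a JAX-RPC proxy like the one in the post above has to add the same header through its own handler API instead.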
Vani Joshi says August 8, 2012

@Thanks

This is working now. The header variable was set correctly, but I had given a wrong value in the resource protection.

Reply
amit vibhute says August 22, 2012

Hi,

Can you please help me regarding the setting of the header variable in the response of OAM?
I have tried one, but when I hit the URL /rbacx/j_acegi_security_check
it throws the OIA login page with an invalid credentials error.
Can you please tell me the names and values which I have to assign to the header variables?
Currently I am using:
name: preAuthUsernameHeaderKey, value: $sm-user

Is this correct or do I have to change it? Please help.

Reply
nitinj says December 5, 2012

Hi,

I need to call an OIA session from Java code outside the OIA application, so that I can access the OIA database and OIA API in my Java code.

Could you please let me know how to achieve this functionality?

Thanks

Reply
nitinj says December 6, 2012

Hi Atul,

Thanks for the reply. I saw the API documentation.

Could you please share some sample code to access the OIA session from outside the OIA application?

Thanks

Reply
amruta agarwal says December 14, 2012

Hi,

What header variables are to be passed to OIA for SSO?

Thanks,
Amruta Agarwal

Reply
Atul Kumar says December 16, 2012

@ Amruta,
Use sm-user as described in http://docs.oracle.com/cd/E24179_01/doc.1111/e23377/configuringwebaccesscontrol.htm#sthref68

Or you can pick any header of your choice (pass the userID in that header variable) and then replace sm-user with this header variable in the file security-context.xml.

I am going to post soon on OIA integration with Oracle Access Manager (OAM) 11g for Single Sign-On (SSO).

Reply
Shashikant Shetty says December 17, 2012

Hi Guys,

Is there a way we can provision OIM users (global users) into OIA as OIA users so they can log in to the rbacx console? Is any kind of OIA/DBUM connector available for it?

Reply
Shashikant Shetty says December 17, 2012

Figured it out 🙂

Please create a certification for the user; the user will then appear in the OIA user list.

Thanks!
Shashikant

Reply
Roma Gupta says March 13, 2013

Hi All

I am using
OIA 11.1.1.5.4c
OIM 11.1.1.5.6
and importing users from OIM to OIA and then exporting roles from OIA to OIM.
My issue is:
how to delete the users in OIA
without getting into the database?

Reply
Jatin Gupta says March 18, 2013

Hi,
Has anybody posted the steps for OIA and OAM integration for SSO?

Thanks,
Jatin Gupta

Reply
anand says November 6, 2014

hi Atul Kumar

Can you please post on OAM integration with OIA?

Reply