Friday, May 24, 2024

Identity and Access Management: Waveset, Sun, Oracle, SailPoint, ForgeRock, Ping

Long enough in the Identity and Access Management domain to have gone through all of these.

Friday, September 8, 2017

Oracle Identity and Access Management 12cPS3 (12.2.1.3.0) Released

Wednesday, August 9, 2017

OIM 11.1.2.3.x Bundle Patch History

Bundle Patch Version | Patch Number    | Release Date | Pillar/Suite Patch | OIM Opatch Number | Patch Documentation
11.1.2.3.1           | Patch:21169810  | 15-Jul-2015  | Yes                | 21308416          | Patch Readme
11.1.2.3.2           | Patch:21615056  | 19-Aug-2015  | No                 | 21615056          | Patch Readme
11.1.2.3.3           | Patch:21771609  | 15-Sep-2015  | No                 | 21771609          | Patch Readme
11.1.2.3.4           | Patch:21698880  | 20-Oct-2015  | Yes                | 21979115          | Patch Readme
11.1.2.3.5           | Patch:22085274  | 19-Jan-2016  | Yes                | 22364075          | Patch Readme
11.1.2.3.160419      | Patch:22675286  | 19-Apr-2016  | Yes                | 22874405          | Patch Readme
11.1.2.3.160719      | Not Available*  | 19-Jul-2016  | Yes                | 24290399          | Not Available*
11.1.2.3.161018      | Patch:24326201  | 18-Oct-2016  | Yes                | 24751162          | Patch Readme
11.1.2.3.170117      | Patch:25038775  | 17-Jan-2017  | Yes                | 24927639          | Patch Readme
11.1.2.3.170418      | Patch:25654150  | 18-Apr-2017  | Yes                | 25348617          | Patch Readme
11.1.2.3.170718      | Patch:26040260  | 18-Jul-2017  | Yes                | 25840295          | Patch Readme

Oracle BI Publisher (11.1.1.7) Report - Not able to create a group link between two data sets with different data source types (JDBC and LDAP)

Creating a group link between two data sets with different data source types (JDBC and LDAP) is not supported.

OIM - uSNChanged out of sync between domain controllers problem for AD Target Recon

OIM - 11.1.2.3
AD Connector - 11.1.1.6


When you configure the AD IT Resource with serverless binding, target reconciliation may have problems using uSNChanged as the 'Incremental Recon Attribute', because uSNChanged is a per-domain-controller counter and its value is not in sync across domain controllers.


You can work around this by setting 'SyncDomainController' to a specific domain controller in the AD IT Resource configuration, so that incremental reconciliation always reads uSNChanged from the same domain controller.



Friday, June 2, 2017

Connector ConnectorKey not found Error OIM 11g R2PS3

This is caused by missing jars on the Connector Server.


oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=org.identityconnectors.domino bundleVersion=2.0.2 connectorName=org.identityconnectors.domino.DominoConnector ) not found
        at oracle.iam.connectors.icfcommon.ConnectorFactory.createConnectorFacade(ConnectorFactory.java:179)
        at oracle.iam.connectors.icfcommon.recon.AbstractReconTask.init(AbstractReconTask.java:116)
        at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:383)
        at oracle.iam.scheduler.vo.TaskSupport.invokeExecute(TaskSupport.java:275)
        at oracle.iam.scheduler.vo.TaskSupport.access$000(TaskSupport.java:46)
        at oracle.iam.scheduler.vo.TaskSupport$1.processWithoutResult(TaskSupport.java:221)
        at oracle.iam.platform.tx.OIMTransactionCallbackWithoutResult.process(OIMTransactionCallbackWithoutResult.java:9)
        at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
        at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:6)
        at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
        at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
        at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:201)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at oracle.iam.scheduler.impl.quartz.QuartzJob$TaskExecutionAction.run(QuartzJob.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:266)
        at oracle.security.jps.internal.jaas.AccActionExecutor.execute(AccActionExecutor.java:65)
        at oracle.security.jps.internal.jaas.AbstractSubjectSecurity$ActionExecutorWrapper.execute(AbstractSubjectSecurity.java:228)
        at oracle.security.jps.internal.jaas.CascadeActionExecutor$SubjectPrivilegedAction.run(CascadeActionExecutor.java:68)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.security.Security.runAs(Security.java:41)
        at oracle.security.jps.wls.jaas.WlsActionExecutor.execute(WlsActionExecutor.java:47)
        at oracle.security.jps.internal.jaas.CascadeActionExecutor.execute(CascadeActionExecutor.java:50)
        at oracle.security.jps.internal.jaas.AbstractSubjectSecurity$ActionExecutorWrapper.execute(AbstractSubjectSecurity.java:228)
        at Thor.API.Security.LoginHandler.AssertionLoginSession.runAs(AssertionLoginSession.java:93)
        at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:85)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)

Wednesday, May 17, 2017

OIM Bulkload Utility - "Utility is already running"

If a previous run of the Bulk Load Utility did not finish cleanly, you may get the "Utility is already running" error when executing the OIM Bulk Load Utility. The solution is to drop the temporary table OIM_BLKLD_TMP.

After the bulk load, check whether any indexes or constraints have been left in DISABLED or UNUSABLE state.

Being a database-intensive operation by design, Bulk Load disables the constraints and indexes on the relevant Oracle Identity Manager entity tables during the start of the operation. Bulk Load operation failure towards the end of the load might at times render the indexes and constraints in disabled state. To identify and fix this issue, manually restore the indexes and constraints as follows:
  1. Identify the unusable indexes and disabled constraints. To do so, the following SQL queries or similar mechanism can be used:
    SELECT TABLE_NAME, CONSTRAINT_NAME FROM user_constraints WHERE status = 'DISABLED';
    SELECT index_name FROM user_indexes WHERE status = 'UNUSABLE';
    
  2. Enable the constraints and rebuild the indexes manually, as shown:
    ALTER TABLE TABLE_NAME ENABLE CONSTRAINT CONSTRAINT_NAME;
    ALTER INDEX INDEX_NAME REBUILD;
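As an added example (not from the original post or from Oracle), the following PL/SQL block automates the two manual steps above for the whole schema. It assumes it is run in SQL*Plus as the OIM schema owner (e.g. DEV_OIM) after a failed Bulk Load.

```sql
-- Added example, not from the original post: automates the two manual
-- steps above. Run it with SQL*Plus (SET SERVEROUTPUT ON is SQL*Plus
-- syntax) as the OIM schema owner, e.g. DEV_OIM, after a failed Bulk Load.
-- Order matters: indexes are rebuilt first (unique/primary key constraints
-- depend on them), then P/U constraints, then foreign keys (an FK cannot
-- be enabled while the key it references is still disabled).
SET SERVEROUTPUT ON SIZE UNLIMITED

DECLARE
  v_failed PLS_INTEGER := 0;

  -- Runs one DDL statement; a failure is reported and counted instead of
  -- aborting the whole block, so every remaining object is still handled.
  PROCEDURE run_ddl(p_sql IN VARCHAR2) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE(p_sql);
    EXECUTE IMMEDIATE p_sql;
  EXCEPTION
    WHEN OTHERS THEN
      v_failed := v_failed + 1;
      DBMS_OUTPUT.PUT_LINE('  FAILED: ' || SQLERRM);
  END run_ddl;
BEGIN
  -- Step 1: rebuild every index the bulk load left UNUSABLE.
  FOR idx IN (SELECT index_name
                FROM user_indexes
               WHERE status = 'UNUSABLE'
               ORDER BY index_name) LOOP
    run_ddl('ALTER INDEX "' || idx.index_name || '" REBUILD');
  END LOOP;

  -- Step 2: re-enable DISABLED constraints, keys before foreign keys.
  -- ENABLE implies VALIDATE, so an ORA-02298/ORA-02299 here means the
  -- loaded rows themselves violate the constraint and must be fixed first.
  FOR con IN (SELECT table_name, constraint_name, constraint_type
                FROM user_constraints
               WHERE status = 'DISABLED'
               ORDER BY DECODE(constraint_type, 'P', 1, 'U', 2, 'R', 3, 4),
                        table_name, constraint_name) LOOP
    run_ddl('ALTER TABLE "' || con.table_name ||
            '" ENABLE CONSTRAINT "' || con.constraint_name || '"');
  END LOOP;

  DBMS_OUTPUT.PUT_LINE('Objects that could not be repaired: ' || v_failed);
END;
/

-- Re-check: both queries should now return no rows.
SELECT table_name, constraint_name FROM user_constraints WHERE status = 'DISABLED';
SELECT index_name FROM user_indexes WHERE status = 'UNUSABLE';
```

A constraint that still fails to enable is a data-integrity finding in the loaded rows, not something to work around by leaving it disabled.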

Tuesday, May 16, 2017

OIM11gR2: Bulk Load Bugs

Got the following error when bulk loading user data into OIM 11.1.2.3:

java.sql.SQLException: ORA-01400: cannot insert NULL into ("HA_OIM"."OIM_BLKLD_LOG"."LOAD_SOURCE")
ORA-06512: at "DEV_OIM.OIM_BLKLD_SP_LOG_MSG", line 21
ORA-06512: at "DEV_OIM.OIM_BLKLD_PKG_USR", line 1505
ORA-06502: PL/SQL: numeric or value error: character string buffer too small

Google found this:

http://ajmerasunny.blogspot.com.au/2014/07/oim11gr2-bulk-load-bugs.html

Monday, April 10, 2017

IdAM product landscape in cloud and on-premise

The matrix at the following link lists IdAM products by vendor, for both cloud and on-premise:


IDaaS – Vendor + Product + Feature Matrix – November 2016

Wednesday, March 29, 2017

OIM Services

UserManager
RequestService
RoleManager
PlatformService
ProvisioningService
ApplicationInstanceService
tcLookupOperationsIntf
tcITResourceInstanceOperationsIntf
tcFormInstanceOperationsIntf
RoleCategoryManager
AuthorizationService
AuthorizationOPSSService
AuthenticatedSelfService
ConfigManager
OrganizationManager
UnauthenticatedSelfService
UnauthenticatedRequestService
tcITResourceDefinitionOperationsIntf
PasswordMgmtService
SystemConfigurationService
tcObjectOperationsIntf
RequestDataSetService
EntitlementService
CatalogService
OIMService
EntityPublicationService
AdminRoleService
tcFormDefinitionOperationsIntf
RequestProfileService
AttestationOperationsIntf
SODCheckService
MetaDataDefinitionManager
CertificationService
CertificationAdministrationService
ConnectorBundleService
ConnectorInfoService
ReconConfigService
tcAccessPolicyOperationsIntf
ConnectorServerService
ApplicationService
ScanDefinitionManager
ScanRunManager
IDAConfigurationManager
PolicyManager
PolicyViolationManager
PolicyViolationCauseManager
PolicyTypeManager
RuleManager
EntityManager
OrchestrationEngine
NotificationService
AuditEventManager
SchedulerService

Monday, March 20, 2017

OIM (11.1.2.3) - Full list of entity-type/operations

Full list of entity-type/operations:




Entity Type | Operations
PendingRoleUser | ANY
RoleUser | ANY, CREATE, DELETE
User | ANY, ADD_PROXY, CHANGE_PASSWORD, CREATE, DELETE, DISABLE, ENABLE, EVALUATE_POLICIES, GET_ALL_PROXIES, LOCK, MODIFY, REMOVE_ALL_PROXIES, REMOVE_PROXY, RESET_PASSWORD, SELFSETCHALLENGE, UNLOCK, UPDATE_PROXY
Config | ANY, ADD_DERIVED_ATTRIBUTES, CONFIGURE_SEARCH_ATTRIBUTES, CREATE_ATTRIBUTE, CREATE_CATEGORY, DELETE_ATTRIBUTE, MODIFY_ATTRIBUTE, UPDATE_CATEGORY
Resource | ACCESS_POLICY_BASED_DISABLE, ACCESS_POLICY_BASED_ENABLE, ACCESS_POLICY_BASED_MODIFY, ACCESS_POLICY_BASED_PROVISION, ACCESS_POLICY_BASED_REVOKE, DEPROVISION, DISABLE, ENABLE, MODIFYRESOURCE, PROVISION, SAMPLEPROVISION, SELFDEPROVISION, SELFMODIFYRESOURCE
BulkRequest | ANY
ApplicationInstance | CHANGEACCOUNTPASSWORD, MODIFY, PROVISION
Account | ANY, DELETE
AdminRole | SET_MEMBERSHIP_RULE
Organization | ANY, CREATE, DELETE, DISABLE, ENABLE, MODIFY, SET_MEMBERSHIP_RULE
myentity | REVERSE
oracle.iam.request.vo.RequestTemplate | CREATE
JobDetails | ANY
SystemProperty | ANY
oracle.iam.request.vo.ApprovalPolicy | CREATE
RoleRole | ANY, DELETE
RoleCategory | ANY
oracle.iam.notification.vo.LocalTemplate | ANY
oracle.iam.requestprofile.vo.RequestProfile | CREATE, DELETE, MODIFY
Role | ANY, ASSIGNROLES, CREATE, DELETE, MODIFY, REMOVEROLES, SELFASSIGNROLES, SELFREMOVEROLES
Entitlement | MODIFY, PROVISION, REVOKE

Monday, February 6, 2017

OIM Siebel Connector (11.1.1.6.0) - User out of organization 'Xellerate Users' fail to provision Siebel Account

After implementing the Siebel Connector (11.1.1.6.0) on OIM 11.1.2.3, provisioning a Siebel Account fails unless the user is under the organization 'Xellerate Users'.


After cross-checking everything, the cause is the Pre-Populate Rule 'Siebel Rule', which is defined as 'Organization Name == Xellerate Users'. Any attribute in the Siebel Process Form that is pre-populated using the 'Siebel Rule' is not pre-populated when the user's organization is not 'Xellerate Users'.


The fix is to use the 'Default' Pre-Populate Rule instead of 'Siebel Rule' for all pre-populated attributes in the Siebel Process Form.


Shared this solution with Oracle; you can find it via My Oracle Support - Admin User Out Of Organization 'Xellerate Users' Fail To Provision Siebel Account (Doc ID 2231147.1)

Thursday, January 19, 2017

OIM Connector - provisioning set the default value to 1/1/1970 for Date attribute

There is a bug in OIM connector provisioning for Date-format attributes: the OIM adapter sets the date to '1/1/1970' and provisions that value to the target system.


There is a simple workaround for this:


In the provisioning lookup, map the date attribute as follows:


Code Key   | Decode
SampleDate | targetSampleDate=SampleDate!=null&&!SampleDate.startsWith("1970-01-01")?SampleDate:null

Thursday, November 10, 2016

OIM 11.1.2.3 Catalog - Risk Level

Low Risk - 3
Medium Risk - 5
High Risk - 7

Wednesday, September 21, 2016

Tuesday, August 9, 2016

How user Lock Unlock functionality works in OIM - OAM integrated environment

http://idmexpress.blogspot.com.au/2014/09/how-user-lock-unlock-functionality.html

OIM11gR2PS3 - System Properties

As a reference.


Each property below is listed as four fields, in this order: Property Name, Keyword, Default Value, Description.
Access Policy Revoke If No Longer Applies Enhancement
XL.AccessPolicyRevokeIfNoLongerAppliesEnhancement
FALSE
Determines if the Revoke if no longer applies flag in access policy is applicable.
If the value is true, then this flag is applicable to child table data (entitlements) along with parent data. The user can determine if child data must be removed or retained when access policy no longer applies to user based on this flag.
If the value is false, then child table data (entitlements) are always removed after access policy is no longer applied.
Note: This property is not used in Oracle Identity Manager Release 2 (11.1.2) or later.
Allows access policy based provisioning of multiple instances of a resource
XL.AllowAPBasedMultipleAccountProvisioning
FALSE
Determines if multiple instances of a resource can be provisioned to multiple target resources.
When the value is false, provisioning multiple instances of resource object via access policy is not allowed.
When the value is true, provisioning multiple instances of resource object via access policy is allowed.
Allows linking of access policies to reconciled and bulk loaded accounts
XL.AllowAPHarvesting
FALSE
Determines if access policy engine can link access policies to reconciled accounts and to accounts created by the Bulk Load Utility.
This property is used in the context of evaluating access policies for reconciled accounts and to accounts created by the Bulk Load Utility. For more information, see "Evaluating Policies for Reconciled and Bulk Load-Created Accounts".
Note: This property is used in Oracle Identity Manager 11g Release 2 (11.1.2.2.0) or later.
Are challenge questions disabled in OIM
OIM.DisableChallengeQuestions
FALSE
Determines if challenge questions are enabled or disabled when a user logs in to Oracle Identity Manager for the first time.
When value is False, challenge questions are enabled.
When value is True, challenge questions are disabled.
This property is primarily used in the context of Oracle Adaptive Access Manager (OAAM) configuration. When the value is TRUE, the challenge questions are handled by OAAM.
When the value is FALSE, then PWR.PWR_CHA_POLICY_ENABLED is honored to determine if challenge policy is enabled or not.
Catalog Additional Application Details Task Flow
CatalogAdditionalApplicationDetailsTaskFlow
/WEB-INF/oracle/iam/ui/common/tfs/empty-tf.xml#empty-tf
A custom task flow is to be displayed when an application is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
Catalog Additional Entitlement Details Task Flow
CatalogAdditionalEntitlementDetailsTaskFlow
/WEB-INF/oracle/iam/ui/common/tfs/empty-tf.xml#empty-tf
A custom task flow is to be displayed when an entitlement is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
Catalog Additional Role Details Task Flow
CatalogAdditionalRoleDetailsTaskFlow
/WEB-INF/oracle/iam/ui/common/tfs/empty-tf.xml#empty-tfs
A custom task flow is to be displayed when a role item is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
Catalog Advanced Search Maximum Applications
CatalogAdvancedSearchMaxApps
15
In the default form for catalog advanced search, you can search for entitlements by specifying the list of applications to search from. This system property controls the maximum number of applications that can be selected for entitlement search.
Catalog Advanced Search Taskflow
CatalogAdvancedSearchTaskflow
/WEB-INF/oracle/iam/ui/catalog/tfs/catalog-advanced-search-tf.xml#catalog-advanced-search-tf
Determines the taskflow used for catalog search. If you create custom taskflow for catalog search, then change the value of this property to the complete path of the custom taskflow.
Catalog Attributes for Sorting Search Results
CatalogSortAttributes
ENTITY_DISPLAY_NAME; ENTITY_TYPE
This property determines the attributes that are displayed in the Sort By drop down in the catalog results tab.
Catalog Audit Data Collection
XL.CatalogAuditDataCollection
none
Determines if catalog auditing is enabled or disabled. The default value is none, which specifies that catalog auditing in disabled. To enable catalog auditing, set the value of this property to catalog.
Catalog Regex for special characters
Catalog.SpecialCharacterRegex
[^\w]
Enables text parsing and escaping of special characters when performing a catalog search by using some special characters. If you do not want any text parsing and escaping of special characters, then change the value of this property to [^\w^\W].
Catalog search MAX result size. Default value is -1 which means return all
XL.CatalogSearchResultCap
-1
When the data is huge in the request catalog and you encounter any issue with the performance of the catalog, you can change the value of this system property and provide some reasonable values, such as 500. As a result, catalog search will not return more than the specified value. If the value is -1, then no result size limit is applied on the catalog search result.
Catalog Searchable UDF In Tags
CATALOG.SearchableUdfInTags
FALSE
If you want to use searchable UDF in TAGS, then you can set the value of this property to TRUE. Then, you can run the scheduled task in recalculate tags mode and searchable UDF values are part of the TAGS column. The same value can be used in keyword search.
Catalog Table Rows To Display Size
CatalogTableRowsToDisplaySize
10
This property is used to control the number of rows displayed in all tables found in all catalog-related pages.
CommonName generation plugin
XL.DefaultCommonNamePolicyImpl
oracle.iam.ldapsync.impl.plugins.FirstNameLastNamePolicy
Determines the common name generation plugin to generate common name.
Compiler Path for Connectors
XL.CompilerPath
Specifies the Java home depending on the application server.
Note: If the path of the JDK directory is not included in the System Path variable, then you must set the path of the JDK directory in the XL.CompilerPath system property. If this is not done, then an error is encountered during the adapter compilation stage of the process performed when you import an XML file by using the Deployment Manager.
Compute and Persist Min Age On Password Change
ComputePersistMinAgeOnPasswordChange
proactive
Password minimum age calculation has two modes, proactive and reactive mode.
In proactive mode, where the minimum age date is calculated at password change time, any subsequent change to the user's applicable password policy's minimum age property will not be honored until the next password change, whereas with the reactive approach, policy changes are applied immediately.
To enable proactive or reactive approach, system property Compute Persist Min Age On Password Change is introduced.
Copy both user and manager of user in the create user email notification
XL.NotifyUserCreateToOther
TRUE
Copies the user and user's manager in the email notification that is sent when a user is created.
Data Collection Session ID
XL.DataCollectionSessionID
dummy
Specifies the session ID of the current Oracle Identity Analytics (OIA) Data collection session.
Data Collection Status
XL.DataCollectionStatus
FINALIZED
Specifies the status of the current OIA data collection session.
Default Date Format
XL.DefaultDateFormat
yyyy/mm/dd hh:mm:ss z
When creating reconciliation events by calling the APIs and date format is not passed as one of the arguments to the API, Oracle Identity Manager assumes that all the date field values are specified in Default Date Format.
Default policy for username generation
XL.DefaultUserNamePolicyImpl
oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy
Determines the username policy to use when generating a username.
Default user name domain
XL.UserNameDomain
oracle.com
This property is used by the DefaultComboPolicy to generate a user name in e-mail format.
Display Certification or Attestation
OIM.ShowCertificationOrAttestation
attestation
This property has been superseded by the Identity Auditor Features Enabled system property, and attestation is no longer supported.
Note: In this release, this property is not used as Attestation is not supported. This property is superseded by the Identity Auditor Features Enabled system property.
Does user have to provide challenge information during registration
PCQ.PROVIDE_DURING_SELFREG
TRUE
If the value is TRUE, then users will have to provide challenge information during registration.
Email Server
XL.MailServer
Email Server
Name of the e-mail server.
Note: After modifying the Email Server system property value, you must restart the server for the change to take effect.
Email Validation Pattern
XL.EmailValidationPattern
[A-Za-z0-9\.\_\#\!\$\&\'\*\/\=\?\^\`\{\}\~\|\%\+\-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}
This property contains the regular expression used to validate the email ID of a user.
Enable Exception Reports
XL.EnableExceptionReports
TRUE
This property is used to enable the exception reporting feature. Exception reporting is enabled only if the value is set to TRUE.
Evaluate LDAP Container Rules for Entity Modification
LDAPEvaluateContainerRulesForModify
FALSE
If the property value is TRUE, then the LDAP container rules defined in LDAPContainerRules.xml are evaluated for entity modification. However, if none of the rules match, then the default container is not returned. The original parent container of the entity is returned, which means that there is no change in the entity DN.
If the property value is FALSE, then the LDAP container rules defined in LDAPContainerRules.xml are not evaluated. The entity DN does not change.
Note: This property only applies to a modification scenario and not to the entity creation scenario.
Force to set questions at startup
PCQ.FORCE_SET_QUES
False
When the user logs into the Oracle Identity Self Service or Oracle Identity System Administration for the first time, the user must set the default questions for resetting the password.
Note: After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.
GTC Auto Import
XL.GTCAutoImport
true
Based on the value of this property, the DM xml that is generated while Generic Technology Connector (GTC) creation can be saved to a directory.
The default value of this property is true.
When the value of this property is set to "False", then while creating GTC, the DM xml (the xml that GTC creates and imports using Deployment Manager internally while GTC creation) created by the GTC framework is stored in the following directory:
OIM_HOME/GTC/XMLOutput
The naming convention followed for the DM xml is:
GTCNAME_CURRENTDATE_TIMESTAMP.xml, where CURRENTDATE_TIMESTAMP is created using the date format "yyyy-MM-dd-HH-mm-ss".
For example:
TRUSTEDCSV_2009-02-05-22-41-11.xml
Homepage for Self Service console
OIM.IdentityHomepage
none
This property is used to set the page to be displayed after a user logs in to Oracle Identity Manager Self Service.
You can set one of the following as the value of this property:
  • my_access: Displays the My Access page
  • my_info: Displays the My Information page
  • home: Displays the Home page
  • catalog_home: Displays the Catalog page
  • none: Displays no page
After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.
Note: This property is not used in Oracle Identity Manager 11g Release 2 (11.1.2.3.0).
Identity Auditor Feature Set Availability
OIG.IsIdentityAuditorEnabled
FALSE
When the value of this property is TRUE, role lifecycle management, Segregation of Duties (SoD), and identity certification are enabled.
Note: After modifying the value of this system property, you must restart Oracle Identity Manager server for the changes to take effect.
Inbox Task Tabs (none/all)
UI.INBOX.VIEW.TaskTabs
none
This property determines whether or not to show additional links, such as Initiated tasks, Reportees and Administrative tasks, in the Inbox. When set to all, the following links are displayed in the Inbox:
My tasks, Initiated tasks, Reportees, Administrative tasks.
When set to none, only the My tasks link is displayed in the Inbox.
Indicates if referential integrity is enabled in target LDAP directory
XL.IsReferentialIntegrityEnabledInLDAP
FALSE
The value of this property is TRUE if referential integrity in target LDAP directory is turned on.
The value of this property is FALSE if referential integrity in target LDAP directory is turned off.
To be able to modify an entity stored in LDAP, this property must be set to TRUE.
Is DataProvider LDAP/DB
OIM.DataProvider
DB
Specifies the data provider, which is Oracle Identity Manager database. The default value is DB, which indicates that the database is the data provider.
Is disabled manager allowed
AllowDisabledManagers
FALSE
Specifies whether a user in the disabled state can be set as a manager for another user.
Is OIM Notifications disabled (true/false)
XL.DisableAllNotifications
false
This property is used to enable or disable all notifications in Oracle Identity Manager. When the value of this property is set to false, notifications are enabled. When the value of this property is true, notifications are disabled.
Is Self-Registration Allowed
XL.SelfRegistrationAllowed
TRUE
If the value is TRUE, then the users are allowed to self-register.
LDAP Reservation Plugin
XL.LDAPReservationPluginImpl
oracle.iam.identity.usermgmt.impl.plugins.reservation.ReservationInOID
This property determines the LDAP reservation plugin implementation to be picked up for reservation of user attributes.
Level of Role Auditing
XL.RoleAuditLevel
None
This property controls the amount of audit data collected when an operation is performed on a role, such as creation or modification. The supported levels are:
  • None: No audit data is collected.
  • Role: Creation, modification, and deletion of role is audited.
  • Role Hierarchy: Changes made to the role inheritance is audited.
Notify other recipients with the password reset email if email of user is null
XL.NotifyPasswordGenerationToOther
TRUE
When the value of this property is TRUE, the email notification for reset password is sent to other recipients if the email ID of the user is not specified.
Number of records to be executed in a batch during Catalog Enrichment
XL.CatalogEnrichmentBatchSize
500
This property determines how many records must be processed in a batch by the catalog job during catalog enrichment.
OIA integration status
OIM.IsOIAIntegrationEnabled
FALSE
Specifies whether OIA is integrated with Oracle Identity Manager.
Set the value of this property to TRUE before you add role memberships in Oracle Identity Manager.
If you set the value of this property to FALSE, incremental role memberships into OIA will not work.
Note: You must do a full import of role memberships at least once after this property is enabled.
Old Password Validator
OIM.OldPasswordValidator
oracle.iam.identity.usermgmt.impl.ContainerLoginPasswordVerifier
The property specifies the name of the plugin class to be used for verifying old passwords.
OMSS Enabled
OMSS Enabled
false
When the value of this property is true, OMSS integration is enabled, and the OMSS links and tabs are displayed in Oracle Identity Self Service.
Note: After modifying the value of this system property, you must restart Oracle Identity Manager server for the changes to take effect.
Period to Delay User Delete
XL.UserDeleteDelayPeriod
0
This property is used to specify the time period before deleting a user. When this property is set and a user is deleted, the user's state is changed to disabled and "automatically delete on date" is set to current date plus the delay period.
If this property is not set, then the user is automatically deleted at the expiration of the end date by the Disable/Delete User After End Date scheduled job.
Proxy User Email Notification
XL.ProxyNotificationTemplate
Notify Proxy User
The corresponding PTY_VALUE is the e-mail definition name that is sent when a proxy user is created. User gets a notification e-mail when the user is made the proxy for some other user.
Recon Batch Size
OIM.ReconBatchSize
500
This property is used to specify the batch size for reconciliation. You can specify 0 as the value for this to indicate that the reconciliation will not be performed in batches.
Note: When using trusted source reconciliation from Oracle Directory Server Enterprise Edition (ODSEE), the value of this property must not be 0. When the value is 0, users are not created in Oracle Identity Manager.
Note: You must restart Oracle Identity Manager server after setting this property.
Request Notification Level
RequestNotificationLevel
0
This property indicates whether or not notification is sent to the requester and beneficiary when a request is created or the request status is changed. This property can have the following values:
  • 0: The notification feature is disabled.
  • 1: Notifications are sent for every change in request status.
  • 2: Notifications are sent for request creation and change of status to any of the Request End statuses. Request End statuses include Request Failed and other failure related statuses, Request Completed, Request Withdrawn, and Request Closed.
  • 3: Email notifications are sent only on request completion.
Retry Count for recon event
Recon.RetryCount
5
This property determines the reconciliation retry count. The retry count value is picked up from the value of this property.
If you specify a value that is greater than 0, then auto retry is configured. If you specify 0 as the value of this property, then auto retry is not configured.
Search Stop Count
XL.IDADMIN_STOP_COUNT
300
This property determines the maximum number of records that are displayed in the advanced search result. If the specified search criteria return more records than the value of this property, then the number of records displayed is limited to this value. In addition, a warning is displayed stating that the results exceed the maximum count and you must refine your search with additional attributes.
Segregation of Duties (SOD) Check Required
XL.SoDCheckRequired
FALSE
This property indicates whether or not Segregation of Duties (SoD) check is required.
Send email notification based on user locale
XL.SendEmailNotificationBasedOnUserLocale
false
This property determines whether an email notification is sent based on the receiver's (user/manager/assignee/requestor) locale when the value is set to true. If the value is set to false, then notification is sent in the server locale.
Note: This system property has been deprecated in this release of Oracle Identity Manager.
Should send notifications in recon or not
Recon.SEND_NOTIFICATION
true
Determines if notification is sent to the user when the user login and password are generated in postprocess event handler for user creation via trusted source reconciliation.
If the value is set to true, then notification is sent when user login and password are generated in postprocess event handler for user creation via trusted source reconciliation.
If the value is set to false, then notification is not sent when user login and password are generated in postprocess event handler for user creation via trusted source reconciliation.
Shows tasks assigned to group users with highest priority or least load only
XL.ShowTaskAssignedToGroupUserOnly
FALSE
If the value is TRUE, then the tasks are assigned to group users with highest priority or least load only when the assignment type is Group User With Least Load.
Specifies the LDAP container mapper plug-in to be used
LDAPContainerMapperPlugin
oracle.iam.ldapsync.impl.DefaultLDAPContainerMapper
When Oracle Identity Manager is installed with LDAP synchronization enabled, this plug-in determines in which container users and roles are to be created. Value of this system property indicates the default Oracle Identity Manager plug-in name used for computing the container values. If the default plug-in does not meet the requirement, then you can define your own plug-in to determine the container and specify the name of the plug-in in this system property.
URL for challenge questions modification
OIM.ChallengeQuestionsModificationURL
NONE
When a user is locked, an automatic unlock occurs after a prescribed time period. This property defines that time period in seconds. Therefore, for example, if a user account is locked and the value of this property is 86400 seconds (one day), then the account is automatically unlocked after one day.
The value of this property is the URL within OAAM that handles the challenge questions. For example:
http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=registerQuestions
URL for change password
OIM.ChangePasswordURL
NONE
This property is used in combination with the property OIM.DisableChallengeQuestions. The value of this property is the URL within OAAM that handles the change password functionality. For example:
http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=changePassword
User Attribute Reservation Enabled
XL.IsUsrAttribReservEnabled
TRUE
This property is used to enable user attribute reservation.
User ID reuse property. Requires dropping the index present on the USR_LOGIN column
XL.UserIDReuse
FALSE
Determines whether the login of a deleted user account can be reused. To allow reuse, set this property to TRUE, drop the unique index on the USR_LOGIN column of the USR table, and create a nonunique index in its place. To prevent reuse, set this property to FALSE.
Note: It is imperative to de-provision all accounts associated with a deleted user. If you create a new user with the same user name as the deleted user while XL.UserIDReuse is set to TRUE, the new user might gain access to offline accounts of the deleted user that were not removed during de-provisioning.
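The following SQL is an added example, not from this page or from Oracle's documentation, showing the two checks a practitioner would run before enabling XL.UserIDReuse: locating the unique index that has to be replaced, and listing deleted users who still own provisioned accounts (the risk the note above describes). Only USR and USR_LOGIN appear on the page; the OIU, OST, OBI and OBJ tables, the USR_STATUS and OST_STATUS values, and the `<INDEX_NAME>` placeholder are assumptions about the OIM 11g schema and must be verified against your own database.

```sql
-- Added example (not the page's or Oracle's own code). Run as the OIM schema
-- owner. Table/column names other than USR and USR_LOGIN are assumptions
-- about the OIM 11g schema; confirm them before use.

-- 1. Find the unique index on USR.USR_LOGIN; its name varies by installation.
SELECT i.index_name, i.uniqueness
  FROM user_indexes i
  JOIN user_ind_columns c ON c.index_name = i.index_name
 WHERE c.table_name = 'USR'
   AND c.column_name = 'USR_LOGIN';

-- 2. List deleted users that still own accounts which are not revoked.
--    Every row is an offline account a re-created user with the same login
--    could inherit, so it must be de-provisioned before reuse is enabled.
--    (OIU/OST/OBI/OBJ joins and the status literals are assumed schema details.)
SELECT u.usr_login, u.usr_status, o.obj_name, st.ost_status
  FROM usr u
  JOIN oiu a  ON a.usr_key  = u.usr_key
  JOIN ost st ON st.ost_key = a.ost_key
  JOIN obi b  ON b.obi_key  = a.obi_key
  JOIN obj o  ON o.obj_key  = b.obj_key
 WHERE u.usr_status = 'Deleted'
   AND st.ost_status <> 'Revoked'
 ORDER BY u.usr_login, o.obj_name;

-- 3. Only when step 2 returns no rows: replace the unique index with a
--    nonunique one. <INDEX_NAME> is a placeholder for the name from step 1.
DROP INDEX <INDEX_NAME>;
CREATE INDEX <INDEX_NAME> ON usr (usr_login);

-- 4. Set the system property XL.UserIDReuse to TRUE in the administration
--    console after the index change, so the property and the index agree.
```

Step 2 is the part worth automating: rerun it periodically while reuse is enabled, because any account left behind by an incomplete de-provisioning is exactly what a re-created login would pick up.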
User Language
user.language
en
The user.language value is configured during installation for Locale handling at server side.
User profile audit data collection level
XL.UserProfileAuditDataCollection
Resource Form
This property controls the user profile data that is collected for audit purpose when an operation is performed on the user, such as creation, modification, or deletion of a user, role grants or revokes, and resource provisioning or deprovisioning. Depending upon the property value, such as Resource Form or None, the data is populated in the UPA table.
The audit levels are specified as values of this property. The supported levels are:
  • Process Task: Audits the entire user profile snapshot together with the resource lifecycle process.
  • Resource Form: Audits user record, role membership, resource provisioned, and any form data associated to the resource.
  • Resource: Audits the user record, role membership, and resource provisioning.
  • Membership: Only audits the user record and role membership.
  • Core: Only audits the user record.
  • None: No audit is stored.
User Region
user.region
US
The user.region value is configured during installation for Locale handling at server side.
Whether or not email should be validated for uniqueness
OIM.EmailUniqueCheck
TRUE
This property is available in an Oracle Identity Manager 11g Release 2 (11.1.2.1.0) deployment that has been upgraded from an earlier release of Oracle Identity Manager.
If the value of this property is FALSE, then Email Uniqueness check is not performed by Oracle Identity Manager.
If the value is TRUE, then Email Uniqueness check is performed by Oracle Identity Manager.
Note: If this property is not present, then Email Uniqueness check is performed by Oracle Identity Manager.
Workflows Enabled
Workflows Enabled
TRUE
This property determines whether SOA server is turned on or turned off.
If the value of this property is TRUE, then SOA server is turned on.
If the value of this property is FALSE, then SOA server is turned off.
Note: After setting the value of this system property, you must restart Oracle Identity Manager.
Note: Toggling between enabling and disabling workflows is not supported.
Workflow Policies Enabled
Workflow Policies Enabled
TRUE
This property determines whether approval workflows are enabled or disabled in Oracle Identity Manager. Approval workflows are used to determine whether an operation requires approval and, if it does, which workflow is to be invoked.
If the value of this property is TRUE, then approval workflow is enabled.
If the value of this property is FALSE, then approval workflow is disabled.
For detailed information about approval workflow, see Chapter 4, "Managing Workflows".