Author: Luke Wenz, Senior Solutions Architect
Oracle Identity Governance (OIG) projects follow a common process when integrating new applications and systems. Although most of these steps can be accomplished with out-of-the-box functionality, doing so can require a large amount of manual effort that is time-consuming and error-prone. To address these shortcomings, Zirous has created several onboarding scripts to reduce implementation time and project cost.
The process of integrating new applications and systems with OIG includes the following:
1. Installing connectors
2. Configuring connection information
3. Performing initial reconciliations to bring in current account and entitlement access
4. Building roles and access policies
5. Granting roles to users that do not have membership rules
6. Creating Identity Audit rules to enforce segregation of duty (SoD) requirements
To streamline this process, the following scripts have been created by our team (I’ve indicated the onboarding step that they address in parentheses after each subheading below).
Role Import (Step 4)
OIG provides a role import script, but it has several deficiencies including the following:
- Multiple scripts need to be run to load OIG roles (e.g. name and description) and OIG catalog data (e.g. approvers, certifiers)
- These scripts do not support loading role membership rules
- The enrich catalog script does not support business-friendly values (e.g. it requires database keys for approval users instead of usernames)
The script Zirous has developed loads role and catalog data from a single business-friendly spreadsheet and addresses each of these issues. As a result, it eliminates the need to have a highly technical resource involved in the process of loading new roles.
Access Policy Import (Step 4)
Many organizations that leverage role-based access control must load a large number of access policies into OIG and associate them with their roles. Creating access policies through the standard user interface can be a very tedious and error-prone process. Furthermore, it can take several minutes per policy. The script Zirous has developed leverages a business-friendly spreadsheet and can load a policy in seconds. Additionally, it performs validation to ensure that the access policies are built correctly (e.g. checks for valid entitlements for the application).
Granting Roles Based on Account Access (Step 5)
When the initial account reconciliation brings user account access into OIG, that access is not associated with a role unless role membership rules have been defined. This is common for roles that are requested in a one-off fashion. As a result, a user might have all the access defined in a role but not actually be a member of the role. This can be misleading during access certification or auditing activities. To prevent this from being an issue, Zirous has created a script that determines whether users have all the access defined within a role (e.g. account and entitlements) and grants them the role if they are not already members.
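The matching logic described above can be sketched as follows. This is an added example, not Zirous's script and not OIG API code: the record layout, status strings, role names and sample data are constructed assumptions, and it only reports candidate grants for review.

```python
from collections import defaultdict

# Constructed sample data; field layout and status strings are assumptions,
# not OIG's schema. entitlement=None stands for the account itself.
ROLES = {
    "AP Clerk": {("ERP", None), ("ERP", "AP_ENTRY"), ("ERP", "AP_INQUIRY")},
    "Help Desk": {("AD", None), ("AD", "PasswordReset")},
    "Empty Role": set(),
}
RECONCILED = [  # (user, application, entitlement, status)
    ("jdoe", "ERP", None, "Provisioned"),
    ("jdoe", "ERP", "AP_ENTRY", "Provisioned"),
    ("jdoe", "ERP", "AP_INQUIRY", "Provisioned"),
    ("asmith", "ERP", None, "Provisioned"),
    ("asmith", "ERP", "AP_ENTRY", "Provisioned"),    # lacks AP_INQUIRY
    ("blee", "AD", None, "Provisioned"),
    ("blee", "AD", "PasswordReset", "Provisioned"),  # already a role member
    ("cwong", "AD", None, "Revoked"),                # account no longer active
    ("cwong", "AD", "PasswordReset", "Provisioned"),
]
MEMBERSHIPS = {"blee": {"Help Desk"}}
ACTIVE = {"Provisioned", "Enabled"}  # assumed set of statuses that count

def active_access(records):
    """Map each user to the set of (application, entitlement) they actively hold."""
    access = defaultdict(set)
    for user, app, entitlement, status in records:
        if status in ACTIVE:
            access[user].add((app, entitlement))
    return access

def role_grant_candidates(roles, records, memberships):
    """Return sorted (user, role) pairs where the user holds every account and
    entitlement the role defines but is not yet a member of that role."""
    access = active_access(records)
    candidates = []
    for name, required in roles.items():
        if not required:
            continue  # a role with no access defined would match every user
        for user, held in access.items():
            if name in memberships.get(user, set()):
                continue  # already a member, nothing to grant
            if required <= held:  # subset test: all required access is held
                candidates.append((user, name))
    return sorted(candidates)

if __name__ == "__main__":
    for user, role in role_grant_candidates(ROLES, RECONCILED, MEMBERSHIPS):
        print(f"candidate: grant {role!r} to {user}")
```

Treating revoked accounts as not held and skipping roles with no defined access keeps the match from granting roles on stale or vacuous evidence.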
Identity Audit Policy Import (Step 6)
Identity audit policies must be created in order to ensure that potentially dangerous combinations of access are not granted to users without special approval or periodic reviews (e.g. accounts payable and receivable). Some systems require many policies to be created, and it can take a large amount of time to build these out by clicking through the OIG interface. To reduce this effort, Zirous has created a script to load these policies from a business-friendly spreadsheet that can be easily loaded in multiple environments.
Zirous not only has skilled and experienced implementers, but also a tool kit full of productivity scripts to make your OIG implementation go more quickly and smoothly. To see more about Zirous’ high-level OIG project approach and how application onboarding fits into the bigger scheme, check out this previous blog post.