Tuesday, April 5, 2016

What's new in OIM 11g R2 PS3

What's New in Oracle Identity Manager 11g Release 11.1.2.3.0

Oracle Identity Manager 11g Release 2 (11.1.2.3.0) has the following key new features:

Improved Self Service UI

The simplified tiled user interface of Oracle Identity Manager presents end-users with quick access to the self service functions they need to do their jobs. Users can see what access they have, manage their information, and reset their passwords without having to do unnecessary navigation. Managers and empowered users can access their work items easily, with the ubiquitous notification icons providing them a clear picture of their work.

Access Catalog with Guided Navigation

The access request feature has been further simplified to enable end-users to get the access they need to do their jobs in a simple and user-friendly manner. Users are guided through the access request process and are presented with the relevant access in an easy to understand manner via the access catalog. The guided navigation and intelligent forms ensure that end-users are able to browse and, if required, search for access using keyword search. The access catalog presents end-users with relevant business information that helps them make a decision about the access they need.

Temporal Grants for New and Existing Access

As part of requesting for new access (or modifications to existing access), users can set start and end dates so that access is granted at the right time and revoked when the requirement is over. Empowered users can modify the grant duration for pending as well as provisioned access.

Self Capabilities

Administrators need to control the actions that end-users can perform in Oracle Identity Manager, either on themselves or on others. In earlier releases, there was no direct way for an administrator to control end-user actions, as this function was handled by a combination of admin roles and approval policies.
In this release, administrators can use the self capabilities feature to specify rules that determine which actions users can perform on themselves. To control the actions that users can perform on others, administrators can leverage the custom admin roles feature.

Simplified Admin Roles

Oracle Identity Manager allows you to define custom admin roles. As part of creating these admin roles, you can assign functional capabilities to the admin role, specify members and membership rules, and organizations that the admin role members can manage. The system-defined admin roles of 11g Release 2 (11.1.2.2.0) are present for backward compatibility only and should be considered deprecated. It is recommended to move to the new admin role model as soon as possible. To make use of the new admin role functionality, you must also enable the workflow policies feature.
With the introduction of this feature, Oracle Identity Manager no longer requires the use of Authorization Policy Manager (APM) and does not support policy customizations based on Oracle Entitlement Server (OES).

Role Lifecycle Management

Oracle Identity Manager allows empowered users to create, modify, approve, and certify business roles. Users composing new business roles or modifying existing roles can define business-friendly metadata, control membership, and specify which organizations have access to the role. They can also associate one or more access policies, which are collections of application entitlements, with the role. Access policies abstract out the complexities associated with application entitlements from business users, simplifying the role modeling and composition process. The application-specific access policy model also encourages reuse across roles simplifying the overall process.
As part of role composition or approval, users can see the impact of their actions, including potential compliance violations in a simple graphical manner. They can see which users will be impacted, whether there are other roles similar to the one being worked on, and whether any compliance policies are violated.
The use of this feature requires you to be licensed for its use.

Identity Audit Policy Management

Ensuring compliance with security controls across applications, and enforcing those controls, is a key part of regulatory compliance. This requires you to define access controls that span applications and to enforce them in real time when access is being granted or modified, but also in a detective manner for access that has already been granted. Oracle Identity Manager makes it possible for organizations to meet their compliance objectives by allowing business users to define audit policies. Audit policies specify what type of access a user may or may not have. For example, a user who has access to both Accounts Payables and Accounts Receivables is violating Sarbanes-Oxley guidelines. This is known as a Segregation of Duties (SoD) violation. Oracle Identity Manager allows organizations to define SoD policies that can be enforced during access request and can also be used to scan existing access to identify toxic combinations of access privileges, known as policy violations. Oracle Identity Manager identifies the violations and initiates a workflow allowing remediators, who could be business managers or administrators, to fix these violations. This process is known as remediation. All actions taken by remediators are recorded and a comprehensive audit trail is maintained.
The use of this feature requires you to be licensed for its use.

Enhanced Auditing

This release of Oracle Identity Manager introduces a lightweight auditing engine which is used by user, role, and organization management, and other components excluding provisioning. Unlike the existing audit engine, it does not depend on audit snapshots and JMS and is synchronous in operation. This audit engine is the strategic choice, and the current audit engine will be deprecated in the next release of the product.

Enhanced Password Policy Management

This release of Oracle Identity Manager provides a common password policy management framework between Oracle Identity Manager and Oracle Access Manager (OAM). It also introduces the concept of a challenge policy, which allows you to specify whether challenge questions are system-defined or end-user defined (or a combination of both). You can specify different password policies for different organizations, allowing granular control of passwords and challenge questions.

SCIM-Based REST Services

Representational State Transfer (REST) is the standard approach for creating scalable web services over HTTP. System for Cross-Domain Identity Management (SCIM) is the standard used to represent users and groups and provides a REST API for all necessary CRUD operations. This release of Oracle Identity Manager exposes several services as SCIM-based REST services. The SPML XSD-based SOAP web service is deprecated in favor of SCIM-based REST services. It is recommended to move to the new REST services as soon as possible.

Simplified Workflow Policies

Approval policies are used in Oracle Identity Manager to determine the approval workflow to be launched for a particular action. This feature has been deprecated in favor of workflow policies. Functionally, workflow policies are equivalent to approval policies but perform better, expose additional configuration options, and conform to the UI of this release. You can continue using approval policies if you are upgrading to this release of Oracle Identity Manager. However, you cannot leverage the simplified admin roles capabilities. You must work with workflow policies only for a fresh deployment of Oracle Identity Manager.
If you are upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.3), then it is recommended that you convert the approval policies to workflow policies as soon as possible.

Simplified SSO Integration

The recommended approach of Oracle Identity Manager to Single Sign On (SSO) is to use WebLogic plug-ins (Identity Asserters or Authenticators). These plug-ins are provided by Web Access Management solutions, such as OAM or SiteMinder. This release of Oracle Identity Manager supports a simplified single sign on integration by using HTTP header variables. This approach requires you to configure an HTTP server such as Oracle HTTP Server or Apache HTTP Server as a reverse proxy for Oracle Identity Manager, and to install and configure the vendor-provided web server plug-in.

Grant Entitlements Through the API

import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import oracle.iam.identity.exception.NoSuchUserException;
import oracle.iam.identity.exception.UserLookupException;
import oracle.iam.identity.exception.UserNotFoundException;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.api.UserManagerConstants;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import oracle.iam.provisioning.api.EntitlementService;
import oracle.iam.provisioning.api.ProvisioningConstants;
import oracle.iam.provisioning.api.ProvisioningService;
import oracle.iam.provisioning.exception.AccountNotFoundException;
import oracle.iam.provisioning.exception.EntitlementAlreadyProvisionedException;
import oracle.iam.provisioning.exception.EntitlementNotFoundException;
import oracle.iam.provisioning.exception.GenericEntitlementServiceException;
import oracle.iam.provisioning.exception.GenericProvisioningException;
import oracle.iam.provisioning.exception.ImproperAccountStateException;
import oracle.iam.provisioning.vo.Account;
import oracle.iam.provisioning.vo.Entitlement;
import oracle.iam.provisioning.vo.EntitlementInstance;

// OIM API services, obtained after logging in through OIMClient,
// e.g. oimClient.getService(ProvisioningService.class)
private static ProvisioningService provisioningservice;
private static EntitlementService entSvc;
private static UserManager userManager;

public static void grantEntitlementToUser(String userLogin, String entitlementCode)
        throws NoSuchUserException, UserLookupException, UserNotFoundException,
               GenericProvisioningException, GenericEntitlementServiceException,
               AccountNotFoundException, ImproperAccountStateException,
               EntitlementNotFoundException, EntitlementAlreadyProvisionedException
{
    // Get user's key (usr_key) from the login name
    String userKey = getUserKeyByUserLogin(userLogin);

    // Get user's accounts filtered by application instance display name
    // ("DisplayName" is a placeholder: use the display name of the target application instance)
    boolean populateAcctData = false;
    SearchCriteria appInstCriteria = new SearchCriteria(
            ProvisioningConstants.AccountSearchAttribute.DISPLAY_NAME.getId(),
            "DisplayName", SearchCriteria.Operator.EQUAL);
    HashMap<String, Object> acctConfigParams = new HashMap<String, Object>();
    List<Account> userAccounts = provisioningservice.getAccountsProvisionedToUser(
            userKey, appInstCriteria, acctConfigParams, populateAcctData);

    // Get the entitlement definition whose display name matches entitlementCode
    SearchCriteria entDefCriteria = new SearchCriteria(
            ProvisioningConstants.EntitlementSearchAttribute.ENTITLEMENT_DISPLAYNAME.getId(),
            entitlementCode, SearchCriteria.Operator.EQUAL);
    HashMap<String, Object> entConfigParams = new HashMap<String, Object>();
    List<Entitlement> entitlements = entSvc.findEntitlements(entDefCriteria, entConfigParams);

    // Ensure there is both an account and an entitlement definition before granting;
    // an empty entitlement list would otherwise throw IndexOutOfBoundsException below
    if (userAccounts != null && !userAccounts.isEmpty()
            && entitlements != null && !entitlements.isEmpty())
    {
        // Get the first resource account
        Account userAccount = userAccounts.get(0);
        String accountKey = userAccount.getAccountID(); // OIU_KEY
        System.out.println("accountkey " + accountKey);

        Entitlement entitlement = entitlements.get(0);
        System.out.println("Entitlement def " + entitlement);

        EntitlementInstance grantEntInst = new EntitlementInstance();
        grantEntInst.setEntitlement(entitlement);
        grantEntInst.setAccountKey(Long.parseLong(accountKey)); // OIU_KEY
        provisioningservice.grantEntitlement(grantEntInst);
    }
    else
    {
        System.out.println("Entitlement not granted to the user");
    }
}

private static String getUserKeyByUserLogin(String userLogin) throws NoSuchUserException, UserLookupException
{
    boolean userLoginUsed = true; // true: look the user up by login rather than by usr_key
    HashSet<String> attrsToFetch = new HashSet<String>();
    attrsToFetch.add(UserManagerConstants.AttributeName.USER_KEY.getId());
    attrsToFetch.add(UserManagerConstants.AttributeName.USER_LOGIN.getId());
    User user = userManager.getDetails(userLogin, attrsToFetch, userLoginUsed);
    return user.getEntityId(); // the usr_key
}
     

Provisioning Through the OIM API

import java.util.HashMap;
import oracle.iam.provisioning.api.ApplicationInstanceService;
import oracle.iam.provisioning.api.ProvisioningService;
import oracle.iam.provisioning.vo.Account;
import oracle.iam.provisioning.vo.AccountData;
import oracle.iam.provisioning.vo.ApplicationInstance;

public void provisionApplication(ProvisioningService provisioningService, ApplicationInstanceService applicationInstanceService) {
    try {
        // Look up the application instance by name (here "AD User")
        ApplicationInstance applicationInstance = applicationInstanceService.findApplicationInstanceByName("AD User");
        // The account form key identifies the process form; the map carries the form field values
        // (an empty map only works if the connector's account form has no mandatory fields)
        long formKey = applicationInstance.getAccountForm().getFormKey();
        AccountData accountData = new AccountData(String.valueOf(formKey), null, new HashMap<String, Object>());
        Account account = new Account(applicationInstance, accountData);
        // "1111" is the OIM user key (usr_key) of the user being provisioned
        long accountKey = provisioningService.provision("1111", account);
        System.out.println("Provisioned account key " + accountKey);
    } catch (Exception e) {
        e.printStackTrace();
    }
}
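The grant snippet above declares EntitlementAlreadyProvisionedException but never checks whether the account already holds the entitlement. The following is an added example, not code from the original post, that performs that check first so the call is idempotent and only a real change gets an audit record; it assumes the 11g R2 API methods ProvisioningService.getEntitlementsForUser(String), EntitlementInstance.getAccountKey() and Entitlement.getEntitlementKey().

```java
import java.util.List;
import oracle.iam.identity.exception.UserNotFoundException;
import oracle.iam.provisioning.api.ProvisioningService;
import oracle.iam.provisioning.exception.AccountNotFoundException;
import oracle.iam.provisioning.exception.EntitlementAlreadyProvisionedException;
import oracle.iam.provisioning.exception.EntitlementNotFoundException;
import oracle.iam.provisioning.exception.GenericProvisioningException;
import oracle.iam.provisioning.exception.ImproperAccountStateException;
import oracle.iam.provisioning.vo.Entitlement;
import oracle.iam.provisioning.vo.EntitlementInstance;

/** Grants an entitlement to an account only when it is not already held (hypothetical helper). */
public class IdempotentEntitlementGrant {

    // Assumed to come from oimClient.getService(ProvisioningService.class)
    private final ProvisioningService provisioningService;

    public IdempotentEntitlementGrant(ProvisioningService provisioningService) {
        this.provisioningService = provisioningService;
    }

    /** Returns true if a grant was made, false if the account already held the entitlement. */
    public boolean grantIfAbsent(String userKey, long accountKey, Entitlement entitlement)
            throws UserNotFoundException, GenericProvisioningException, AccountNotFoundException,
                   ImproperAccountStateException, EntitlementNotFoundException,
                   EntitlementAlreadyProvisionedException {
        // Assumption: getEntitlementsForUser returns every EntitlementInstance across the user's accounts
        List<EntitlementInstance> held = provisioningService.getEntitlementsForUser(userKey);
        for (EntitlementInstance inst : held) {
            boolean sameAccount = inst.getAccountKey() == accountKey;
            boolean sameEntitlement = inst.getEntitlement() != null
                    && inst.getEntitlement().getEntitlementKey() == entitlement.getEntitlementKey();
            if (sameAccount && sameEntitlement) {
                return false; // already provisioned: no change, nothing new to audit
            }
        }
        EntitlementInstance grant = new EntitlementInstance();
        grant.setEntitlement(entitlement);
        grant.setAccountKey(accountKey); // OIU_KEY of the target account
        provisioningService.grantEntitlement(grant);
        return true;
    }
}
```

The boolean result lets the caller log only actual grants, which keeps the audit trail of a bulk-grant job meaningful.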