Thursday, August 5, 2010

OIM resource objects, provisioning processes, connectors and IT Resources

When you first start working with OIM there are all of these strange new concepts that are really hard to grasp. Even worse is to try to figure out how everything hangs together. Having tried to explain this a number of times to different people over the years I wanted to try to write down a very basic guide to some of the core objects in OIM.

Lets start with the resource object (often called RO). A RO is in it's most basic form basically a virtual representation of an account on a target system. If an OIM user has an account on the target system the user has an RO instance associated with it.

The most basic process that you do with ROs is to provision the account to a target system. The provisioning is handled by a provisioning process. The provisioning processes usually consists of a number of provisioning tasks that fires adapters that in turn calls code, often Java code, that actually does the provisioning work.

In many cases the provisioning tasks needs information about the target system such as logins and passwords for the accounts that is used to run the provisioning process. This information is often kept in an IT resource and is referenced by the Java code. In many cases you keep a reference to the relevant IT resource on the process form or in the attribute section of a scheduled task. This makes it possible to have multiple physical target systems interacted with by a single resource object and also makes it clearer for an admin exactly what physical target system is being managed by a specific resource object instance or scheduled task.

A connector is a set of objects such as resource objects, provisioning processes and it resources. It also includes the jars that contain the Java code that performs the provisioning process.

The out of the box connectors are often very complex but a simple custom connector may only consist of an RO, a provisioning process, an adapter that links the provisioning process to the provisioning logic and finally some provisioning logic in a jar. The IT Resource is not essential but it is very useful to avoid having to put system specific information straight into the provisioning process (or even the provisioning logic). One common mistake is to think that the IT Resource is much more important than it actually is. 

6 comments:

  1. Hi Martin,

    The blog post is quite helpful in understanding the OIM entities.

    I could understand RO, IT Resource, Connectors.

    Could you please explain the below quoted lines once again, putting it in other words, may be!

    "This makes it possible to have multiple physical target systems interacted with by a single resource object and also makes it clearer for an admin exactly what physical target system is being managed by a specific resource object instance or scheduled task."

    Also I would like to know, what is the difference between an IT Resource Type and IT Resource ?

    ReplyDelete
  2. If you are familiar with object oriented programming it can help to think of an IT resource type as an class while the it resource is an instance of an object of that class.

    ReplyDelete
    Replies
    1. Could you please let me know how OIM will work on this below scenario?

      We have added resource AD under ‘Depends On’ tab for RO Exchange. So only after AD is provisioned, exchange will get provisioned. Till then even if Exchange instance comes up in OIM user’s resource profile, it will still be in “Waiting” status.

      My query here is, when Exchange is in Waiting status, will Exchange’s process form will be loaded with prepopulate values? i.e Will “Create Mailbox” task will be called? Because while AD provisioning, am updating a UDF. And exchange should take that UDF value for its Mail Alias name. So want to understand the flow.

      Delete
    2. I remember running into this problem back in 2006 (I am clearly getting old...)

      The depends on function works a little different on different versions of OIM. In OIM 9 back in 2006 it basically added an AD object when you requested/rule provisioned an Exchange object. The timing between AD and Exchange worked by magic (probably some hard coding somewhere) so that AD was provisioned first.

      I would strongly recommend opening a ticket with Oracle to get the correct info on this issue for your specific version of OIM.

      Delete
  3. Complex things explained in a simple way !!
    Its really very useful.

    ReplyDelete
  4. can u please Explain me what ie Entitlement in 11g r2 after giving a general example, I searched a lot but couldn't get exactaly

    ReplyDelete