Thursday, May 30, 2013

IT Service Catalog in OIM11G R2 - filtering objects

In the post "IT service catalog evolution" I discussed how the set of entitlements that IT offers to the business have been presented to the business in the various request interfaces that have been available in various provisioning products. A major and ongoing issue has been how to expose the entitlements that the business cares about. Traditionally the solution there were a couple of different ways to solve that problem if you are using OIM but if you wanted to solve the problem within the confines of the standard web interface you often ended up with a very large number of resoure objects (ROs aka application instances). Another reason for ending up with "too many ROs" could be that you have large numbers of independent target systems and each system has been modeled as an RO.

A large number of ROs comes with a number of issues but the biggest is usually that it can make it hard for the business to pick the right entitlement in the request interface.

In this post I will take a closer look on how you can resolve this problem in OIM11G R2 by utilizing the catalog concept.

The catalog offers the ability to not only present resource objects (application instances) but also use enterprise roles and entitlements. This gives you a very rich tool chest when it comes to displaying options but sometimes what you need to do is to selectively not showing certain options based on the attributes of the user that is using the request interface.


Daniel Gralewski has written an excellent introduction to the Catalog concept that is a very good starting point if you are unfamiliar with the feature. A more in depth discussion can be found in the OIM manual.


The object filtering approach requires that it is possible from a business standpoint to divide the objects in the request interface into a number of different buckets and then map these buckets to different groups of users. A typical situation may be that the following "buckets" exists:

  • Birthright objects such as a base AD account
  • Enterprise applications
  • Applications that are used by a specific department such as HR or Finance apps
  • Applications used in a specific geographic region i.e. EMEA

The discovery and categorizing exercise is very similar to role mining and if you drive it too far you will run into the same issues that plagued role mining projects. That said it is usually decently easy to perform some form of coarse grained sorting of the apps.

Once you have the apps sorted you can map the users through their cost centers or departments so that the users only see the objects that are interesting for them.

Daniel Gralewski has written a detailed howto that shows how to change the shopping cart icon based on if the user already is associated with an object or not. The same approach with some modifications to hide objects that the users really doesn't need to be able to request.

Alex Lopez has written a more advanced example that also uses multi step drop downs where the content of the first drop down is determined by the requesting user's attributes and the content of the second is determined by the pick in the first drop down. Very nice example that shows the versatility of the interface.

The catalog does offer a number of advanced capabilities and really gives the implementation team an ability to create a very customized user interface within the core product. This means that you don't have to take the very large base investment that a "ground up" user interface means and that the implementation also is decently upgrade safe.

The downside of the catalog approach is that you do need to do some business analyzes work up front to understand the who should be able to request what. The implementation team does need to have quite deep webcenter/adf skills to be able to perform the customization.

Overall the catalog is a very nice feature and clearly puts OIM clearly ahead of some of it's competition i.e. IBM SIM/TIM 6.0.

No comments:

Post a Comment