Student Guide - Oracle Identity Analytics 11gR1 Administration

Oracle Identity Analytics 11gR1:
Administration
Student Guide

D68340GC20
Edition 2.0
December 2010
D71223


Authors
Steve Friedberg
David Goldsmith

Technical Contributors and Reviewers
Neil Gandhi
David Goldsmith
Stephan Hausmann
Stephen Man Lee
Harsh Patwardhan

Editors
Vijayalakshmi Narasimhan
PJ Schemenaur

Graphic Designer
Satish Bettegowda

Publishers
Syed Ali
Sumesh Koshy

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.

Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.



Contents

1 Introducing Oracle Identity Analytics 11gR1
Objectives 1-2
Organizational Pressures 1-3
Controlling System Access 1-4
Achieving Compliance 1-6
Manual Processing 1-7
Problems with This Approach 1-8
Roles 1-9
Role Benefits 1-10
Enterprise Roles 1-12
Enterprise Role Management 1-14
Enterprise Role Management Categories 1-15
Oracle Identity Analytics 1-17
Oracle Identity Analytics Features 1-18
Architecture 1-20
Sample Deployment 1-21
Integration with Provisioning Systems 1-23
Functionality Matrix 1-24
Implementation Methodology 1-26
Oracle Identity Management 1-27
Available Documentation 1-29
Summary 1-30
Practice 1 Overview: Installing the Software 1-31

2 Building the Identity Warehouse
Objectives 2-2
Terms Used in Oracle Identity Analytics 2-3
Identity Warehouse 2-5
Identity Warehouse Contents 2-7
Business Structures 2-8
Users 2-9
Roles 2-11
Role Hierarchy 2-13
Audit Policies 2-14
Segregation of Duties (SoD) 2-15
SoD Matrix 2-16
Applications 2-17
Resources 2-18
Attributes 2-19
Populating the Identity Warehouse 2-20
Populating Data Manually 2-21
Adding Additional Data Elements 2-22
Importing Data (Bulk Load of Data) 2-23
Configuring a Provisioning Server 2-24
Provisioning Server Parameters 2-25
Importing from File Processing 2-27
Importing from File: Rules 2-29
Debugging Import Errors 2-30
Debugging Import Errors Exception 2-31
Job Scheduling 2-32
Job Scheduling Through the GUI 2-33
Job Scheduling Through Direct Edit 2-34
Database Entries for Job Scheduling 2-37
Summary 2-39
Practice 2 Overview: Importing and Setting Up Identity Warehousing 2-40

3 Configuring Security
Objectives 3-2
Oracle Identity Analytics Users (OIA Users) 3-3
Oracle Identity Analytics Roles (OIA Roles) 3-5
OIA Role Creation 3-7
OIA Role Visibility 3-8
OIA Users/Roles Database Tables 3-9
Proxy Assignments 3-10
Alternate Credential Store 3-11
Summary 3-12
Practice 3 Overview: Configuring Security 3-13

4 Configuring Identity Certification
Objectives 4-2
Security Challenges 4-3
Identity Certification 4-4
Automated Certification: Benefits 4-5
Certification Environment 4-6
Certification Process 4-8
Phase 1: Preparation 4-9
Phase 2: Pilot 4-13
Phase 3: Validation 4-14
Phase 4: Certification 4-15
Phase 5: Remediation 4-17
Certification Dashboard 4-19
Closed-Loop Remediation 4-21
Best Practices 4-22
Metrics 4-24
Return on Investment 4-25
Summary 4-26
Practice 4 Overview: Configuring Identity Certification 4-27

5 Configuring Auditing
Objectives 5-2
Identity Auditing 5-3
Product Capabilities 5-4
Audit Rules 5-5
Audit Policy 5-6
Actors 5-7
Policy Violations 5-8
Audit Scans 5-10
Dashboard: Overview 5-11
Dashboard 5-12
Policy Violation States 5-13
Audit Policy Actions 5-14
Job Scheduling 5-15
Event Listeners 5-16
Summary 5-17
Practice 5 Overview: Configuring Auditing 5-18

6 Performing Role Mining
Objectives 6-2
Role Management 6-3
Role Mining (Role Discovery) 6-4
Approaches to Role Mining 6-5
The Wave Methodology 6-7
The Wave Methodology (Step 1 of 7) 6-8
The Wave Methodology (Step 2 of 7) 6-11
The Wave Methodology (Step 3 of 7) 6-12
The Wave Methodology (Step 4 of 7) 6-14
The Wave Methodology (Step 5 of 7) 6-16
The Wave Methodology (Step 6 of 7) 6-17
The Wave Methodology (Step 7 of 7) 6-19
Accessing Role Mining 6-21
Performing Role Mining 6-22
Role Mining: Minable Attributes 6-23
Role Mining: General Information 6-25
Role Mining: User Selection 6-26
Role Mining: Basic Parameters 6-27
Role Mining: Advanced Parameters 6-28
Role Mining: Preview 6-30
Role Mining: Execution 6-31
Role Mining: Users In Roles 6-32
Role Mining: Classification Rules 6-33
Role Mining: Mining Statistics 6-34
Role Mining: Roles 6-35
Role Mining: Role Mining Reports 6-37
Entitlements Discovery 6-38
Accessing Entitlements Discovery 6-39
Performing Entitlements Discovery 6-40
Entitlements Discovery: Strategy 6-41
Entitlements Discovery: Role/Users 6-42
Entitlements Discovery: Entitlements 6-43
Entitlements Discovery: Verification 6-45
Best Practices 6-46
Summary 6-47
Practice 6 Overview: Role Engineering 6-48

7 Performing Role Lifecycle Management
Objectives 7-2
Role Management Activities 7-3
Role Lifecycle Management 7-4
Role Engineering (Definition) 7-5
Role Maintenance (Refinement) 7-6
Examples of Change Events 7-7
Role Certification (Verification) 7-8
Workflows 7-9
Default Workflows 7-10
Editing Workflows 7-11
Custom Role Modification Workflow 7-13
Processing Role Changes 7-14
Role Modification 7-15
Workflow Status 7-16
Pending Requests 7-17
Modification Details 7-18
Role Versions 7-19
Role History 7-20
Best Practices 7-21
Summary 7-22
Practice 7 Overview: Performing Lifecycle Management 7-23

8 Generating Reports
Objectives 8-2
Reports 8-3
Reporting Categories 8-4
Accessing Reports 8-5
Report Dashboard 8-6
Business Structure Reports 8-7
Business Structure Roles Report 8-8
Creating Custom Reports 8-9
Executing Custom Reports 8-11
Summary 8-12
Practice 8 Overview: Generating Reports 8-13



Introducing Oracle Identity Analytics 11gR1



Objectives
After completing this lesson, you should be able to:
• Identify the business drivers for role management
• Describe methods for meeting compliance
• Describe how a role management solution streamlines the process
• Describe the features and components of Oracle Identity Analytics
• Describe an Oracle Identity Analytics implementation

Objectives
Discussion: The following questions are relevant to understanding the topics covered in this lesson:

• How are regulatory compliance mandates affecting companies today?
• How are companies dealing with compliance?
• What is a role, and how can role-based access control solutions help achieve compliance?
• What is the difference between a role management solution and a user provisioning solution?

Oracle Identity Analytics 11gR1: Administration 1 - 2


Organizational Pressures
Companies are faced with:
• A growing number of applications
• A constantly changing user population
• The need to prevent or detect insider threats
• The need to meet regulatory compliance

[Figure: The Enterprise balancing Security (Minimize Risk, Reduce Costs) against Business (Open Access, Improve Quality of Service), under regulatory pressure from Sarbanes-Oxley, the Gramm-Leach-Bliley Act, the European Data Protection Directive, and the Health Insurance Portability and Accountability Act (HIPAA)]

How can you achieve an acceptable balance between functionality, risk, and cost?

Organizational Pressures
Companies face multiple, multifaceted business challenges in which the management of employees' and partners' access to enterprise resources is vital. Foremost among these is the challenge of complying with an ever-growing number of regulations that govern the integrity and privacy of enterprise data. With the need to protect data comes the need to closely manage access to it: knowing at all times who has access to corporate resources and whether that access is appropriate, and being able to document this in the event of an audit.
Compliance is not the only challenge in today's enterprise. Even more critical is the need to operate an agile business that can respond quickly and competitively to business opportunities and competitive threats. Operating such a business while remaining compliant is a tall order. A major concern is how to balance implementing new functionality against managing risk while still keeping costs under control. Companies are looking to spend "just enough" to pass an audit and lower their risk. They want to reduce the existing costs associated with audits while making the process more efficient, accurate, and repeatable.


Controlling System Access
• Insider threats
– Loss of business continuity
– Loss of trade secrets
– Loss of sensitive customer or employee data
• Regulatory pressures
– The Sarbanes-Oxley Act of 2002
– The Gramm-Leach-Bliley Act
– The Health Insurance Portability and Accountability Act
– The Payment Card Industry Data Security Standard

Controlling System Access
Studies have shown that 70 percent of all security threats are caused by insiders (employees or contractors). This number consists of breaches that were caused by employees with malicious intentions, as well as by well-intentioned personnel who simply made mistakes. Irrespective of the nature of the breach, companies must control access to system resources in order to protect their business, corporate information, or even trade secrets.
Concerns about threats from insiders fall into three main categories:
• Loss of Business Continuity
Disruptive events such as hardware failures, an act of nature such as a flood, or even denial-of-service attacks impact a company's ability to maintain business flow. When such an event occurs, companies face large losses because they are not able to process orders or access vital resources.
• Loss of Trade Secrets
Companies have a responsibility to their shareholders, employees, and customers to protect corporate assets. This involves trade secrets, proprietary processes, or information that provides an advantage over competitors. Companies spend billions of dollars on research and development, only to find themselves engaged in battles to protect their proprietary information.



Controlling System Access (continued)
• Loss of Sensitive Customer or Employee Data
Protection of customer or employee data is one of the main drivers of regulatory compliance, and companies have a fiduciary responsibility to protect this information. However, more and more companies are making headlines as sensitive personal information is stolen, lost, or inadvertently published to corporate Web sites. Companies realize they need adequate access control practices to reduce these risks.

In addition to insider threats, companies are forced to comply with one or more regulations that require a review of access and access control processes. In essence, companies are being forced into compliance. Regardless of whether a company must adhere to SOX/COBIT, PCI DSS, HIPAA, GLBA, or Basel II, it needs to understand the current access held by individuals inside and outside the company, and the current access control process. It also needs to be able to rapidly generate the evidence and related artifacts that show who has what access, in order to pass an audit.


Achieving Compliance
A common theme behind compliance involves identification and management of user access rights.
• What resources does a user have an account on?
• Does the user require an account on that system?
• What are the user's capabilities on that resource?
• Who authorized or created the user's account?
• Does the user's presence violate any business or security policies?

How do companies determine this information today?

Achieving Compliance
A common theme behind a company's ability to achieve compliance involves its ability to ascertain all the systems that a user has access to, what capabilities or access rights the user has on those systems, and who authorized or created the account on each system. Additionally, a company needs to determine whether the user actually requires access to those systems to perform his or her job and whether his or her presence on one or more of those systems violates any business or security policies.
So how do companies determine this information today? The next few pages show the manual approach that most companies have used, and the problems that come with it.


Manual Processing
• Use spreadsheets to store roles and entitlements.
• Interview managers and business owners.
• Dump the systems (accounts and entitlements).
• Manually correlate accounts.
• Compare accounts and entitlements to standards.
• Identify violations.
• Periodically review role definitions.

Manual Processing
Historically, companies have implemented manual processes for achieving compliance. These processes share several traits, as shown in this slide.


Problems with This Approach
• Error prone and time intensive
• Minimal process ownership (or involvement)
• Difficult to manage spreadsheets
– Time consuming
– No version control
• Continuous monitoring of exceptions impossible
• Difficult to manage user access rights
• Performing defined versus actual analysis impossible

Problems with This Approach
This slide shows some of the problems associated with using a manual approach to compliance.
• Manual processes lead to human errors and extra work.
• Reviews are not performed in a timely manner and, in general, managers do not seem to want to be involved in the process.
• Spreadsheets are difficult to manage, are time consuming, do not easily allow for version control, and do not provide a method for looking back in time to determine who had access at that time.
• It is extremely difficult or impossible to perform continuous monitoring of exceptions when information is kept in a spreadsheet.
• It is difficult to assign roles to existing users and remove exceptions when violations are detected.
• There is no way to perform a defined-versus-actual analysis (comparing the access a role is supposed to grant with the access users actually hold on the target systems), and no easy way to certify that role definitions are correct.


Roles
Abstraction layer:
• Provides an access rights grouping mechanism
• Contains systems and privileges
• Makes assignments based on job function
• Provides a mechanism for detecting violations

[Figure: Branch Manager is assigned Role 1 and Role 2; Bank Teller is assigned Role 2 only]

Roles
A role is a grouping of entitlements across a set of resources. This grouping mechanism enables you to associate access rights to computing resources based on a user's job function.
In a financial institution, for example, roles might correspond to job functions such as bank teller, loan officer, branch manager, clerk, accountant, or administrative assistant. Persons in these job functions require access to a specific set of resources to perform their jobs, and their privileges on these resources might differ based on their job function as well.
Roles can be shared among users as necessary. In this slide, the Branch Manager has access to the systems defined within two different roles (Role 1 and Role 2). The Bank Teller, however, has access only to the systems defined in Role 2. Assignment of multiple roles to a user is acceptable as long as that assignment does not violate any corporate business or security policies.
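The role layer described above, worked through in code. This is an added example and is not code from the student guide or from Oracle Identity Analytics; the resources, privileges, role contents, user names and the segregation-of-duties rule are constructed to mirror the slide's bank example. It resolves a user's effective access through the roles assigned to them, checks a proposed extra role against an SoD policy (the "acceptable as long as it does not violate policy" rule), and performs the defined-versus-actual comparison that the manual spreadsheet process cannot.

```python
"""Roles as an abstraction layer over entitlements.

Added example, not code from the student guide or from Oracle Identity
Analytics. Resources, privileges, role contents, users and the SoD rule
below are constructed to mirror the slide's bank example.
"""
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]  # (resource, privilege on that resource)

# Constructed role definitions: each role groups entitlements across resources.
ROLES: Dict[str, Set[Entitlement]] = {
    "Role 1": {  # branch management duties
        ("CoreBanking", "approve_loan"),
        ("CoreBanking", "override_limit"),
        ("HRPortal", "view_team"),
    },
    "Role 2": {  # teller duties
        ("CoreBanking", "post_transaction"),
        ("CoreBanking", "view_account"),
        ("Email", "mailbox"),
    },
    "Role 3": {  # loan operations duties
        ("CoreBanking", "disburse_loan"),
        ("CoreBanking", "view_account"),
    },
}

# Constructed assignments, as in the slide: the branch manager holds both
# Role 1 and Role 2, the teller holds only Role 2.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "branch.manager": {"Role 1", "Role 2"},
    "bank.teller": {"Role 2"},
}

# Constructed segregation-of-duties policy: pairs of entitlements that no
# single person may hold at the same time.
SOD_POLICY: List[Tuple[Entitlement, Entitlement]] = [
    (("CoreBanking", "approve_loan"), ("CoreBanking", "disburse_loan")),
]


def effective_entitlements(user: str, assignments: Dict[str, Set[str]] = ASSIGNMENTS) -> Set[Entitlement]:
    """Resolve a user's access through the role layer: the union of every assigned role's entitlements."""
    ents: Set[Entitlement] = set()
    for role in assignments.get(user, set()):
        ents |= ROLES[role]
    return ents


def sod_violations(ents: Set[Entitlement]) -> List[Tuple[Entitlement, Entitlement]]:
    """Return every SoD rule whose two entitlements are both present in ents."""
    return [(a, b) for a, b in SOD_POLICY if a in ents and b in ents]


def can_assign(user: str, role: str) -> Tuple[bool, List[Tuple[Entitlement, Entitlement]]]:
    """Check whether adding a role keeps the user free of SoD violations.

    Holding several roles is fine; what matters is the combined access.
    """
    proposed = effective_entitlements(user) | ROLES[role]
    violations = sod_violations(proposed)
    return (not violations, violations)


def out_of_role_access(user: str, actual: Set[Entitlement]) -> Set[Entitlement]:
    """Defined-versus-actual check: entitlements found on the target systems
    that no assigned role explains (the exceptions a spreadsheet process misses)."""
    return actual - effective_entitlements(user)


if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, sorted(effective_entitlements(user)))
    ok, why = can_assign("branch.manager", "Role 3")
    print("assign Role 3 to branch.manager:", ok, why)
    # Constructed dump from CoreBanking showing the teller holding an extra privilege.
    teller_actual = set(ROLES["Role 2"]) | {("CoreBanking", "override_limit")}
    print("teller out-of-role access:", out_of_role_access("bank.teller", teller_actual))
```

The manager's two roles coexist without conflict, but adding Role 3 would put approve_loan and disburse_loan in the same hands, so the check refuses it; the same Role 3 is fine for the teller. Running the defined-versus-actual check against a system dump is the step that turns a role model into a detection mechanism rather than just documentation.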


Role Benefits
• Provide an understandable model for access
• Provide an efficient definition of processes and policies
• Reduce auditing efforts
• Provide a common language between business and information technology
• Provide consistent, known controls for defining access
• Make access requests easier

Role Benefits
A role-based access control (RBAC) model provides a structure that can be used to address compliance. By coupling access requirements to users based on organizational information (such as job title, employee code, or business unit), roles enable business managers to provide users with the access they need without violating business or security policies.
Roles provide the following benefits. Roles:
• Define the model for access. Access requirements are often difficult to understand. Managers simply do not know which groups within Active Directory their employees need to perform their duties, and employees do not know what level of access to request.
• Define the structure for access. A role can encapsulate access requirements for a particular job function (Business Role), an application function such as "create vendor" (IT Role), or a temporary project membership (Auxiliary Role). In all cases, when the role content is agreed upon by the business, the business owners can also define the "friendly description," the owner, and even the population who can have or request the role. All these items make it easier to understand access.
• Are efficient. Defined roles can be utilized throughout a company's identity and access management program. Roles make all operations easier to develop, maintain, and understand.


Role Benefits (continued)
• Provide evidence of compliance. Auditors need to easily understand the access controls and processes in your organization. Having a defined set of roles (that is utilized across the identity and access management program) will greatly advance your ability to prove that you have compliant processes.
• Bridge the gap between business and information technology. Roles bridge the communications gap between business and IT. The role definition process itself requires input from both business and IT personnel, and the result is a defined set of roles that encapsulates business requirements.
• Provide controls. Roles provide known and approved levels of access for a job title or job function. Because roles are engineered and reviewed, they should not provide any access that violates separation of duties (SoD) policies. Additionally, with defined roles, provisioning operations and services could be limited to allow only role-based access allocation, thereby increasing control and decreasing risk.
• Facilitate valid requests from employees. With clearly defined roles, employees can easily understand and request access to the applications and data that they need. For example, Bob might be added to Project Team 7 and need to request access defined for that project, or he might want read-only access to product-line financial data to perform some analysis. These roles (business or IT) should be available and understandable.


Enterprise Roles
IT Ops & Security
• Managing access control across the enterprise
• Enforcing and proving compliance
Business Managers
• Acquiring and providing access quickly
• Understanding and attesting to access
Audit & Compliance
• Mapping control objectives into security and access policies
• Lacking IT knowledge to automate critical access controls

Enterprise Roles
Using roles across the enterprise provides benefits to several groups within the business.
• Information Technology (IT)
The IT department can use roles during the provisioning process to ensure that users have access to the correct resources. During provisioning, an automated or manual process can assign access based on roles. This makes access assignment logic easier to develop and maintain, and makes self-service requests for access by employees easy to understand.
Additionally, IT departments can control access to systems based on role definitions. During policy evaluations for real-time access management, being able to define policies based on roles is more efficient than policies based on fine-grained attributes.
Finally, roles reduce the risk associated with access control. IT is often responsible for that risk. With well-defined roles, control over access becomes tighter and risk decreases.


Enterprise Roles (continued)
• Business Managers
Business managers are often tasked with requesting and approving access to resources for their direct reports. In many cases, the business managers do not understand what access is actually required or even appropriate. This leads to copy/paste entitlements (access based on another user's rights) or an accumulation of entitlements over time.
Roles provide a method for defining resource access based on business terminology rather than technical terms. When they request or approve access, business managers can be assured that the access would be adequate based on their needs, and that it would be provided in a timely manner.
Business managers can also be assured that during the audit process, they can better understand access requirements and can attest to access based on role definitions already in place.
• Auditors
Auditors, like employees, need to understand how access is defined, granted, and removed, and a business-friendly context is easier to understand than cryptic IT entitlements.
When determining access control compliance, auditors can review the defined roles, an individual's assigned roles, and an individual's assigned access outside of the defined roles. This makes the review process more efficient and accurate.
By defining, utilizing, and periodically verifying roles, you are establishing controls that prove to auditors that a repeatable, sustainable process for access control exists.


Enterprise Role Management
• Who is accessing what data and which applications?
• Who approved the access assigned to users?
• How can access control policies be enforced?

[Figure: Employees reaching Apps & Data through Access Management across heterogeneous platforms (HP, IBM, Oracle)]

Enterprise Role Management
Enterprise role management (ERM) provides a strong technology solution for access certification and segregation of duties enforcement. With such a solution in place, you can drastically reduce the cost of audit preparation by easily answering the questions most often asked by auditors.
• Who is accessing what data and applications?
To improve security, you must first understand your current level of security as it pertains to entitlements. After locating where inappropriate access is present, you can determine how it was granted and adjust the processes that provisioned the access. This gives you the ability to evolve your controls and strengthen your proactive and reactive security processes.
• Who approved the access assigned to users?
Improved security lowers your risk and protects your company from threats originating from inappropriate access (such as data breaches). Strong access control governance through roles is a key component in protecting critical applications and data from both internal and external threats.
• How can access control policies be enforced?
Having a strong compliance program can also be utilized internally and externally to promote goodwill.


Enterprise Role Management Categories
• Role mining
• Attestation
• Role management
• Provisioning integration

Enterprise Role Management Categories
Enterprise Role Management consists of four main categories:
• Role Mining
Role mining is the widespread discovery of application-level entitlements. The role mining process discovers relationships between users based on similar access permissions that can logically be grouped to form a role. Role engineers can specify the applications and attributes that will return the best mining results. Role mining is also called role discovery.
• Attestation
Attestation is the process of certifying access and entitlements across one or more resources. Attestation involves a certification review process where an individual (business manager or resource owner) confirms that the right users have the right access on the right resources. Organizational changes should be reflected in a user's entitlements because the user is either granted additional access or denied access due to job changes. As such, attestation should be performed on an ongoing basis and should be automated where possible.



Enterprise Role Management Categories (continued)
• Role Management
Role management involves the grouping and management of application-level entitlements into enterprise roles. Role definitions consist of the grouping of entitlements across one or more resources. These roles are then associated with organizational structures such as job titles, employee codes, or departments. A user is granted access to resources based on a role definition and, as such, roles themselves need to be periodically reviewed and recertified.
• Provisioning Integration
Integration with provisioning systems such as Sun Identity Manager provides both a proactive and a reactive mechanism for achieving compliance. Account provisioning systems should utilize roles defined in a role provisioning system to ensure that access is granted properly. Conversely, violations detected during the attestation process should be fed to the account provisioning system so that the violation is addressed in a timely manner.
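The role mining category above describes discovering candidate roles from users who share similar access. This is an added example and is not code from the student guide; the frequent-entitlement-set approach is a simple stand-in for illustration, not the algorithm Oracle Identity Analytics implements (the product's role mining is covered in lesson 6). The account dump, user names and thresholds are constructed. It finds the largest entitlement bundles shared by a minimum number of users, which are the candidates a role engineer would then review, and reports how much of the observed access those candidates explain.

```python
"""Bottom-up role mining (role discovery) over observed entitlements.

Added example, not code from the student guide. The frequent-entitlement-set
method is a simple stand-in, not the algorithm Oracle Identity Analytics
uses. The account dump below is constructed.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed dump of accounts and entitlements ("resource:privilege") from
# three target systems, the raw material a role engineer starts from.
ACTUAL: Dict[str, Set[str]] = {
    "alice": {"CoreBanking:post_transaction", "CoreBanking:view_account", "Email:mailbox"},
    "bob":   {"CoreBanking:post_transaction", "CoreBanking:view_account", "Email:mailbox"},
    "carol": {"CoreBanking:post_transaction", "CoreBanking:view_account", "Email:mailbox",
              "CoreBanking:override_limit"},
    "dave":  {"CoreBanking:approve_loan", "CoreBanking:override_limit", "HRPortal:view_team",
              "Email:mailbox"},
    "erin":  {"CoreBanking:approve_loan", "CoreBanking:override_limit", "HRPortal:view_team",
              "Email:mailbox"},
    "frank": {"Email:mailbox"},
}

# A candidate role: the entitlement bundle and the users who hold all of it.
CandidateRole = Tuple[FrozenSet[str], FrozenSet[str]]


def mine_roles(actual: Dict[str, Set[str]], min_users: int = 2,
               min_entitlements: int = 2) -> List[CandidateRole]:
    """Find maximal entitlement bundles shared by at least min_users users.

    Brute force over all entitlement subsets (2**n), fine for a toy dump;
    real mining tools prune this search. A bundle is dropped when a strict
    superset of it is held by exactly the same users, so each result is the
    largest bundle that population has in common.
    """
    all_ents = sorted(set().union(*actual.values()))
    candidates: Dict[FrozenSet[str], FrozenSet[str]] = {}
    for size in range(min_entitlements, len(all_ents) + 1):
        for combo in combinations(all_ents, size):
            bundle = frozenset(combo)
            holders = frozenset(u for u, ents in actual.items() if bundle <= ents)
            if len(holders) >= min_users:
                candidates[bundle] = holders
    maximal = [
        (bundle, holders)
        for bundle, holders in candidates.items()
        if not any(bundle < other and holders == other_holders
                   for other, other_holders in candidates.items())
    ]
    # Most widely shared bundles first, larger bundles before smaller ones.
    maximal.sort(key=lambda r: (-len(r[1]), -len(r[0]), sorted(r[0])))
    return maximal


def coverage(actual: Dict[str, Set[str]], roles: List[CandidateRole]) -> float:
    """Mining statistic: fraction of (user, entitlement) pairs explained by a
    candidate role the user fully holds. The remainder is out-of-role access."""
    total = covered = 0
    for user, ents in actual.items():
        explained: Set[str] = set()
        for bundle, holders in roles:
            if user in holders:
                explained |= bundle
        total += len(ents)
        covered += len(ents & explained)
    return covered / total if total else 0.0


if __name__ == "__main__":
    mined = mine_roles(ACTUAL)
    for bundle, holders in mined:
        print(sorted(bundle), "->", sorted(holders))
    print(f"coverage: {coverage(ACTUAL, mined):.0%}")
```

On the constructed dump this yields a teller-like bundle held by alice, bob and carol, a management bundle held by dave and erin, and a smaller override_limit plus mailbox bundle spanning both groups. The third is the kind of spurious candidate the text alludes to when it says role engineers must choose the applications and attributes that return the best results; raising min_users or restricting the attributes mined changes what comes out, and frank's lone mailbox entitlement stays unexplained, which is exactly the access an attestation review should then look at.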


Oracle Identity Analytics
Features:
• Role Engineering
• Role Maintenance
• Role Certification
• Access Certification
• SoD Policy Enforcement

Securely automates and simplifies compliance processes, and aligns with business drivers

Oracle Identity Analytics
Oracle Identity Analytics (formerly Sun Role Manager, and before that Vaau's RBACx product) provides comprehensive role lifecycle management and identity compliance capabilities to streamline operations, enhance compliance, and reduce costs. Created and developed by Vaau in 2001, Oracle Identity Analytics was the first comprehensive solution in the market. Sun's acquisition of Vaau in 2007 added a world-class role management solution to its already impressive arsenal of identity management products.
The Oracle Identity Analytics open architecture is both robust and scalable, and has the highest number of managed users for a single deployment (1.1 million identities at a large financial services company). The solution has been audited by all the major audit and regulatory bodies, and is tightly coupled with best practices and proven methodologies.
The Oracle Identity Analytics software has been implemented at numerous client sites across different industries, and analysts such as Gartner and Forrester agree that Oracle Identity Analytics is the leading identity compliance and role management solution on the market today.