Suppose a company does a little project. It is kind of successful, money is made staff is paid.
It is so successful one might try it again in four years time. But that will be another project in another country, with different customers.
In many companies the information used in the old project will be discarded or left in a corner without anybody looking at is. The database with the data of the project will still be on a server or just in a couple of backup's. But nobody will be looking at it since the project has ended anyway.
I suppose that is what happened to the FIFA.
http://www.guardian.co.uk/football/2010/sep/05/fifa-passports-claims
Wednesday, 8 September 2010
Wednesday, 18 August 2010
Same Triggers in window dressed Oracle Identity Manager 11g
Oracle Identity Manager 11g came out in 21st of July. This new version has a lot of improvements among them: BPEL workflow, Reporting, ADF integration and performance.
Some things stayed the same though like the Design console fat client. Also all the triggers we have discussed in the blog (and more are to follow) stil kick start the provisioning, reconciliation or workflow engines of the OIM.
The windows are dressed differently, but the core is the same.
Some things stayed the same though like the Design console fat client. Also all the triggers we have discussed in the blog (and more are to follow) stil kick start the provisioning, reconciliation or workflow engines of the OIM.
The windows are dressed differently, but the core is the same.
Tuesday, 17 August 2010
Trigger happy Oracle Identity Manager - Part 6 - Fine granulair OIM user attribute
When an attribute of an OIM user is changed a trigger can be started. The first thing that is triggered is the post update trigger of the Data Object. This will trigger a check of the LOOKUP.USR.TRIGGER lookup tables.
When a field defined in this lookup table is changed the process defined in the decode field of this table is triggered. This means all the processes on all the resource objects exactly named as in the decode field are triggered. This way a password change on the OIM user atribute could change password change processes be triggered on all resource objects. As long as the resource objects tasks are exactly named like in the lookup table is defined.
Watch out for circular triggers in the post update trigger. When the post update trigger makes an update of the attribute it will recursively trigger itself. When no end point in this trigger process is defined the application server will go down because all the resources will be used in this process.
Tuesday, 18 May 2010
Trigger Happy Oracle Identity Manager - Part 5 - Trigger a task on another resource object
This is the fourth way to trigger a task in the Oracle Identity Manager (OIM).
Previous triggers and event generators have been discussed in post one, post two and post three.
In the previous (#4) post I explained how a task on the same resource object can be triggered after a task has finished with a certain response code. It is also possible to trigger a task on another resource object. This can be done by having the task on the first resource object set a User Defined Field value in the User object. The change of that field would trigger the lookup.usr_trigger explained in post . The t ask to be triggered for the second resource object would then automatically triggered. Because the exact task name defined in the lookup.usr_trigger is triggered in all resource object proces definitions that have this task defined.
It should be noted that the definition of the decode name in the lookup table must be exact the name of the task(s) to be triggered.
Previous triggers and event generators have been discussed in post one, post two and post three.
In the previous (#4) post I explained how a task on the same resource object can be triggered after a task has finished with a certain response code. It is also possible to trigger a task on another resource object. This can be done by having the task on the first resource object set a User Defined Field value in the User object. The change of that field would trigger the lookup.usr_trigger explained in post
It should be noted that the definition of the decode name in the lookup table must be exact the name of the task(s) to be triggered.
Tuesday, 11 May 2010
Trigger Happy Oracle Identity Manager - Part 4 - Trigger a task on the same Resource Object process definition
This is the fourth way to trigger a task in the Oracle Identity Manager (OIM).
Previous triggers and event generators have been discussed in post one, post two and post three.
Suppose one tasks ends and one would want to start another task. A ugly and not very structured way would be to add the second task to the first task. Much more elegant is to trigger the second task after the first task is finished.
This can be defined in the responses tab of the process task definition. In that tab the response codes are set, but also based on the response codes the next task (of that resource object to be started.)
But it is also possible to trigger a task after another task has failed or half succeeded all depending on the response of the first task.
One must of course make sure there is no circular chain of tasks being triggered, because that would hangup the OIM.
Previous triggers and event generators have been discussed in post one, post two and post three.
Suppose one tasks ends and one would want to start another task. A ugly and not very structured way would be to add the second task to the first task. Much more elegant is to trigger the second task after the first task is finished.
This can be defined in the responses tab of the process task definition. In that tab the response codes are set, but also based on the response codes the next task (of that resource object to be started.)
But it is also possible to trigger a task after another task has failed or half succeeded all depending on the response of the first task.
One must of course make sure there is no circular chain of tasks being triggered, because that would hangup the OIM.
Monday, 10 May 2010
Trigger happy Oracle identity Manager - Part 3 - Delete User only works when defined as recovery task
One of the things not clearly described in the Oracle documentation is the triggering of processes and actions in the OIM. When you know how it works you can find the descriptions in the documentation supporting this functionality. But this is scattered over the documentation and needs trial and error testing to be user on how this works. This is due to the fact the documentation talks about "buttons that can be pressed" and the action that follows.
In the first post we discussed the start provisioning and the task triggers. In the second post we did a twist on this first post.
In this post the de-provision picture is complete and the failure trigger is explained.
One of the things not clearly described in the Oracle documentation is the triggering of processes and actions in the OIM. When you know how it works you can find the descriptions in the documentation supporting this functionality. But this is scattered over the documentation and needs trial and error testing to be user on how this works. This is due to the fact the documentation talks about "buttons that can be pressed" and the action that follows.
One of the "poorly" documented features of OIM is this tidbit for the task "Delete User". This is triggered with a deprovisioning, but only works when this task has been added as recovery task of the task "Create User".
The recovery task would be triggered when the "Create User" fails, that is clear, but why the delete only works when it has been added as a recovery task for the "Create User" is not clear to me.
In the first post we discussed the start provisioning and the task triggers. In the second post we did a twist on this first post.
In this post the de-provision picture is complete and the failure trigger is explained.
One of the things not clearly described in the Oracle documentation is the triggering of processes and actions in the OIM. When you know how it works you can find the descriptions in the documentation supporting this functionality. But this is scattered over the documentation and needs trial and error testing to be user on how this works. This is due to the fact the documentation talks about "buttons that can be pressed" and the action that follows.
One of the "poorly" documented features of OIM is this tidbit for the task "Delete User". This is triggered with a deprovisioning, but only works when this task has been added as recovery task of the task "Create User".
The recovery task would be triggered when the "Create User" fails, that is clear, but why the delete only works when it has been added as a recovery task for the "Create User" is not clear to me.
Friday, 7 May 2010
Trigger Happy Oracle Identity Manager - Part 2 - Provisioning with a twist
In the previous post on OIM we discussed how a process task is triggered when a resource in de OIM is provisioned or de-provisoned. The task "Create User" starts the java task that will create a user in the Resource object to be provisioned. The resource object could be a database, ldap server, file server or application.
Part of a process definition could also be a task that would add the user to a group within a ldap server. The standard way to resolve this using a "child table" with the process. But then the provisioning to this ldap group would not be seen in the OIM as a separate resource object provisioning for that user. This make all the resources this user has been provisioned too less transparent.
If one would want to see the provisioning to a ldap group as a separate resource provisioning, the process definition of this resource object must have the task "Create User", but in stead of creating the user in the ldap server this task would be linked to the java task that would add the user to the ldap group.
De-Provisioning that resource would result in the task "Delete User" being triggered that would remove the user from the ldap group.
Part of a process definition could also be a task that would add the user to a group within a ldap server. The standard way to resolve this using a "child table" with the process. But then the provisioning to this ldap group would not be seen in the OIM as a separate resource object provisioning for that user. This make all the resources this user has been provisioned too less transparent.
If one would want to see the provisioning to a ldap group as a separate resource provisioning, the process definition of this resource object must have the task "Create User", but in stead of creating the user in the ldap server this task would be linked to the java task that would add the user to the ldap group.
De-Provisioning that resource would result in the task "Delete User" being triggered that would remove the user from the ldap group.
Thursday, 6 May 2010
Trigger Happy Oracle Identity Manager - Part 1
In the previous post I mentioned the number of undocumented or not clearly documented features of the Oracle Identity Manager (OIM).
One of the things not clearly described in the Oracle documentation is the triggering of processes and actions in the OIM. When you know how it works you can find the descriptions in the documentation supporting this functionality. But this is scattered over the documentation and needs trial and error testing to be user on how this works. This is due to the fact the documentation talks about "buttons that can be pressed" and the action that follows.
In this blog I'll try to explain the functionality more from a process view.
To start of simple I'll talk about how the provisioning process is triggered.
Processes in the OIM are defined in the "Process Definition" of the "Process Administration" in the Design Console. In the process definition tasks can be created. The tasks are linked to Java code (adapters) that will perform the actual action. An action could be the provisioning or de-provisioning of a user, group membership or update of an attribute like a password.
The question to be answered in this blog is how this task is triggered.
This is done very untidily based on the name of the task. When a resource is provisioned the task named "Create User" is triggered. The spelling should be exact like this, otherwise the nothing is triggered.
Similarly the task to be triggered in case of a de-provisioning should be called "Delete User", exact with this spelling.
One of the things not clearly described in the Oracle documentation is the triggering of processes and actions in the OIM. When you know how it works you can find the descriptions in the documentation supporting this functionality. But this is scattered over the documentation and needs trial and error testing to be user on how this works. This is due to the fact the documentation talks about "buttons that can be pressed" and the action that follows.
In this blog I'll try to explain the functionality more from a process view.
To start of simple I'll talk about how the provisioning process is triggered.
Processes in the OIM are defined in the "Process Definition" of the "Process Administration" in the Design Console. In the process definition tasks can be created. The tasks are linked to Java code (adapters) that will perform the actual action. An action could be the provisioning or de-provisioning of a user, group membership or update of an attribute like a password.
The question to be answered in this blog is how this task is triggered.
This is done very untidily based on the name of the task. When a resource is provisioned the task named "Create User" is triggered. The spelling should be exact like this, otherwise the nothing is triggered.
Similarly the task to be triggered in case of a de-provisioning should be called "Delete User", exact with this spelling.
Oracle Identity Manager or SUN Identity Manager
The Oracle Identity Manager (OIM) is a central product in the Oracle identity Management suite. It survived the merger with the SUN Identity Management suite which had a product doing similar things. The "core" task of OIM is the provisioning and de-provisining of account and entitlements to different applications, databases, ldap servers and other kinds of servers.
It has alot of functionality "around this" core functionality like self service account management, password resets, compliance auditing reporting, workflow etc.
For a number of people it was surprising the Oracle Identity Manager won the "battle" over the Sun product. This expectation was mainly because the idea/feeling that the Sun product was easier to use. But Oracle product development will not have had a biase for its "own" products, it saw that OIM has much more functionality and capabilities that the SUN product.
What needs to be done is make the OIM easier to use. Off course that will all be resolved in the next version 11g of the OIM :-), a rule that is true for all Oracle products. But until that time, and possibly even after, we will have to live with the issues in the current versions.
The biggest reason the OIM product is perceived not easy to use is because of the number of undocumented or not clearly documented features and functionalities of the OIM.
There are a number of good blog post and Oracle Metalink Notes on OIM functionality. In the coming posts I would like to shine my light on the way processes and actions are triggered in OIM.
It has alot of functionality "around this" core functionality like self service account management, password resets, compliance auditing reporting, workflow etc.
For a number of people it was surprising the Oracle Identity Manager won the "battle" over the Sun product. This expectation was mainly because the idea/feeling that the Sun product was easier to use. But Oracle product development will not have had a biase for its "own" products, it saw that OIM has much more functionality and capabilities that the SUN product.
What needs to be done is make the OIM easier to use. Off course that will all be resolved in the next version 11g of the OIM :-), a rule that is true for all Oracle products. But until that time, and possibly even after, we will have to live with the issues in the current versions.
The biggest reason the OIM product is perceived not easy to use is because of the number of undocumented or not clearly documented features and functionalities of the OIM.
There are a number of good blog post and Oracle Metalink Notes on OIM functionality. In the coming posts I would like to shine my light on the way processes and actions are triggered in OIM.
Saturday, 6 March 2010
Scenario thinking - the security officer is a serial killer
More inspiration on scenario thinking. I picked up another Michael Connelly thriller. I've read about 20 of his thrillers and almost al of them are hard boiled thrillers often with serial killers. In about 15 of his books Harry Bosch a LAPD detective is the main character. Harry doesn't know anything about computers and the way the books are written it is described as if it should be like that. In the other 5 books two of them the lawyer is the main character, one a journalist, one an ex-cop with a new hart, the brilliant Blood works and one a ex-con. In some of the books the different main characters meet, making feel like one sees different parts of the puzzle of crime.
In none of them computers or internet played a big role. But the books are a great read with a lot of pace and reasonable scenario's with a dark edge.
I was more than pleasantly surprised when I picked up "The scarecrow" and it starts with Due Diligence visit of CIO of a data hosting centre. Ok the Due Diligence check doesn't go as it should go, but the way it is described with a visit to a girly bar to settle the deal it might go the way it goes with some CIO's. At least that is my security officer view of it. But in the mainstream book with millions of readers, SAS 70 reports, SOX and Hipaa are mentioned too.
In the book a serial killer is running around and choosing his victims from the internet. He also uses the internet, social websites, public self service interfaces of credit card companies and company e-mail systems, to isolate the journalist that is chasing him. All threats that currently exist and could with some skill indeed be used. The journalist is the one that was in a earlier Connelly book the Poet. He just got fired from the job, because newspapers need to cut back on costs, very real life too.
What makes this book very useful for scenario descriptions for a board meeting is the fact that the security officer of the data center turns out to be a serial killer . (I'm not ruining your join of reading, this is clear from the start of the book.). Ok according to the book the guy is called CTO, Chief Thread Officer, a title I’ve never heard off, but this could also be used in some presentations. And the name of the book is related to the way CTO scares away hackers of the data center, a name I’ve also never heard in this relation.
Still that a main character of a mainstream thriller is a security officer must mean the profession still has future even though is a vicious killer. Wasn’t the main character in American psycho a stock broker, just before that profession became a Master of the universe ?
In none of them computers or internet played a big role. But the books are a great read with a lot of pace and reasonable scenario's with a dark edge.
I was more than pleasantly surprised when I picked up "The scarecrow" and it starts with Due Diligence visit of CIO of a data hosting centre. Ok the Due Diligence check doesn't go as it should go, but the way it is described with a visit to a girly bar to settle the deal it might go the way it goes with some CIO's. At least that is my security officer view of it. But in the mainstream book with millions of readers, SAS 70 reports, SOX and Hipaa are mentioned too.
In the book a serial killer is running around and choosing his victims from the internet. He also uses the internet, social websites, public self service interfaces of credit card companies and company e-mail systems, to isolate the journalist that is chasing him. All threats that currently exist and could with some skill indeed be used. The journalist is the one that was in a earlier Connelly book the Poet. He just got fired from the job, because newspapers need to cut back on costs, very real life too.
What makes this book very useful for scenario descriptions for a board meeting is the fact that the security officer of the data center turns out to be a serial killer . (I'm not ruining your join of reading, this is clear from the start of the book.). Ok according to the book the guy is called CTO, Chief Thread Officer, a title I’ve never heard off, but this could also be used in some presentations. And the name of the book is related to the way CTO scares away hackers of the data center, a name I’ve also never heard in this relation.
Still that a main character of a mainstream thriller is a security officer must mean the profession still has future even though is a vicious killer. Wasn’t the main character in American psycho a stock broker, just before that profession became a Master of the universe ?
Tuesday, 2 March 2010
Scenario thinking
To explain IT security risks to the business or customers it is good to tell a story. The story should take the listener into the story to explain why an IT solution has certain risks. The story shouldn't start with the "bigbang accident" that could to the system, but gradually taking the listener along its path.
*
Scenario thinking is part of architecture books like Software System Architecture - working with stakeholders using viewpoints and perspectives. The method of scenario thing is described, but one would need inspiration too. Popular literature could give this inspiration.
*
Lately a number of good samples were published as regular thriller stories. Daemon by Daniel Suarez is sold in Amsterdam bookstores in the Science Fiction section, but in fact it uses mainly of existing technology.
Core in the book is the use of VOIP systems that are activated by a daemon process, that scans the Internet news sites for certain news facts. When a certain news fact happens the Daemon using VOIP calls people and using voice recognitions lets them generate new news facts. So on and so forth. This part is the best part of the book. Existing technology "miss used" to break the system of society. The security specialists in the book use standard security technology to find where a daemon or Trojan is running. Off course the book also has its standard I don't understand and don't want to understand IT character, but allot of people in the book take it serious and are not putting IT security in the Geek corner.
The story further develops into a "Hollywood" Armageddon style in which "Autonomous Vehicles" and "Laser-Induced Plasma Channel Weapons". This is also based on existing technology, but for a simple IT person, just a bit too much. I like it better when it is not right away that the whole world is collapsing, but just the world of a few people. e.g. this part of the book would have been better if this was Hitchcock style instead of Bruce Willis. That is the way the first 200 pages develop.
But all in all the book to read for IT and specifically IT security people.
I'm not going to tell you how it ends, because I don't know. The IT consultant that wrote the book, was at page 1200 when he decided that two books might be better for sales.
The second part called Freedom, I still need to read. Hopefully this will give some inspiration for more scenario thinking too.
The fact that IT security is not just a "front runner thing: anymore. It is on its way into the mainstream. Hopefully IT business will follow on its path ......
*
Scenario thinking is part of architecture books like Software System Architecture - working with stakeholders using viewpoints and perspectives. The method of scenario thing is described, but one would need inspiration too. Popular literature could give this inspiration.
*
Lately a number of good samples were published as regular thriller stories. Daemon by Daniel Suarez is sold in Amsterdam bookstores in the Science Fiction section, but in fact it uses mainly of existing technology.
Core in the book is the use of VOIP systems that are activated by a daemon process, that scans the Internet news sites for certain news facts. When a certain news fact happens the Daemon using VOIP calls people and using voice recognitions lets them generate new news facts. So on and so forth. This part is the best part of the book. Existing technology "miss used" to break the system of society. The security specialists in the book use standard security technology to find where a daemon or Trojan is running. Off course the book also has its standard I don't understand and don't want to understand IT character, but allot of people in the book take it serious and are not putting IT security in the Geek corner.
The story further develops into a "Hollywood" Armageddon style in which "Autonomous Vehicles" and "Laser-Induced Plasma Channel Weapons". This is also based on existing technology, but for a simple IT person, just a bit too much. I like it better when it is not right away that the whole world is collapsing, but just the world of a few people. e.g. this part of the book would have been better if this was Hitchcock style instead of Bruce Willis. That is the way the first 200 pages develop.
But all in all the book to read for IT and specifically IT security people.
I'm not going to tell you how it ends, because I don't know. The IT consultant that wrote the book, was at page 1200 when he decided that two books might be better for sales.
The second part called Freedom, I still need to read. Hopefully this will give some inspiration for more scenario thinking too.
The fact that IT security is not just a "front runner thing: anymore. It is on its way into the mainstream. Hopefully IT business will follow on its path ......
Subscribe to:
Posts (Atom)