
Sean O’Neill on OIA versus OIM

March 2nd, 2012 | No Comments | Posted in IAM Engagement, IdM Engagement, Vendor Specific

I was looking into an Oracle Identity Analytics discussion group on LinkedIn the other day and there was a friendly “back and forth” going on about the crossover between Oracle Identity Analytics features and Oracle Identity Manager features. I wanted to highlight the discussion here, specifically Sean O’Neill’s response, because he really nailed it.

The backdrop, which I will provide here, is something clients ask often for Oracle IdM implementations because there does seem to be some cross functionality between Oracle Waveset and OIM for provisioning, certifications and attestations, as well as some role management, versus OIA for role management, certifications and attestations and overall identity warehousing.

“Oracle Waveset and/or Oracle Identity Manager have similar functionality to Oracle Identity Analytics, so which should I use?”

This is a common question amongst clients as well as implementers.  If you are a client and you see even implementers are divided on when to use which feature in which product, it can get a bit confusing if not unsettling.  The real answer, before I get to Sean’s response, is somewhat three-fold:

  1. The dilemma stems from the fact that these products were all derived from different sources and product roadmaps from other companies, and so there simply is crossover in features and functionality. So the confusion is understandable, even amongst implementers. In some cases, either answer (“go with OIM”, “no, use OIA for ______”) is “right” and may stem more from an implementer’s comfort level in implementation than anything else.
  2. It’s best, when utilizing these products in conjunction (e.g. Oracle Waveset with OIA or OIM with OIA), to settle on the proper division of functionality during the design phase of your IdM project, while keeping in mind…
  3. Oracle’s roadmap for both products in the new Oracle Fusion Middleware 11g line.

This will help “settle” the questions during implementation and provide for a more seamless transition to the Oracle Fusion Middleware 11g product line and conformance to that roadmap.

So, when choosing a vendor to implement the Oracle stack, make sure you choose one that understands the Oracle Fusion Middleware 11g product roadmap as well as the specifics of an Oracle technical implementation.  For OIM, you really need technical expertise, as there are many more moving parts for an OIM implementation.  (What a shame that Oracle Waveset was kicked to the curb, but it’s history now, so no sense lamenting it any longer.  A natural product progression for Oracle Waveset users exists in Sailpoint IIQ IMO. :-))  But make sure, when you are RFP’ing for what you know will likely be an Oracle implementation, that you bring on a vendor who thoroughly understands the Oracle roadmap and, preferably, has ties to internal Oracle IdM resources. :-)

Sean’s Response to OIM Functionality versus OIA

Now, for Sean’s clarification on “which to use,” which was the backdrop of the discussion on LinkedIn, I’ll just quote most of Sean’s response:

OIM can do many of the same functions (though not as richly) such as role management, attestations, etc. as OIA, but it can only do it for systems that are connected to OIM. In order for OIM to work with a target resource, it has to be connected to the resource. 

This means using a connector to access the resource’s user APIs, which introduces cost and effort. This means not all systems in the enterprise will get hooked up.

As most companies do not provision to 100% of their systems, it means they are working with a subset of user entitlement information. OIM is mainly a provisioning platform, using a BPEL-based workflow engine to manage accounts across connected systems. (Yes, you can have stubbed, manually maintained resources using emails or flat files to dictate what an admin should change in the user accounts, but that complicates this discussion.)

Developer Tomcat Settings for Sailpoint IIQ Sandboxing

October 10th, 2011 | No Comments | Posted in IAM Development, IAM Engagement

Working on IAM projects and out on client sites for Qubera Solutions, our technical peeps all have developer sandboxes we use for prototyping, setting up read-only connectors to outlying systems (e.g. PeopleSoft, AD, LDAP, JDBC connections, etc.), doing RBAC analysis and just about anything GRC related. We sandbox just about everything we can or run pre-configured VMware VMs on laptops outfitted with as much memory as we can. (My MacBook Pro is spiked out at 8 GB RAM.)

Generally we use Tomcat for the app server piece but not always. None of this is earth-shattering news. Any developer or integrator of note at Any Company USA and around the world is going to have at least “A” sandbox running, if not multiple. The only real question is whether those sandboxes are configured and tweaked properly.

As it relates to Sailpoint IIQ, first of all, me running a MacBook Pro, it’s technically “not supported.” But the IIQ deployment, like Oracle Waveset, is just a WAR. For the middleware piece (the DB layer aside), you essentially deploy a WAR, import your objects from XML, and you are off and running. Nevertheless, the “non-supported” aspect of a MacBook tended to rear its ugly head and I had frequent hangups in Tomcat until I tweaked a few things. It turns out setting my JAVA_OPTS to the following not only helps, but seems to be recommended from a trusted source. (I don’t have permission to credit here, much as I would like, so just take it for what it’s worth.)

I’ll “split this up” in a syntactically correct way so this doesn’t extend the page on the blog entry, but you can put these settings all on one line; hopefully that is obvious:

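# Server VM; fixed 3 GB heap with a fixed 1 GB young generation
JAVA_OPTS="-server -Xms3072m -Xmx3072m -XX:NewSize=1024m -XX:MaxNewSize=1024m"
# PermGen cap (honored only by pre-Java 8 JVMs) and minimum free code cache
JAVA_OPTS="$JAVA_OPTS -XX:MaxPermSize=1024m -XX:CodeCacheMinimumFreeSpace=2M"
# Size reserved for the JIT code cache
JAVA_OPTS="$JAVA_OPTS -XX:ReservedCodeCacheSize=64M"
# Let ClassLoader.loadClass() accept array-syntax class names such as "[Ljava.lang.String;"
JAVA_OPTS="$JAVA_OPTS -Dsun.lang.ClassLoader.allowArraySyntax=true"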
