Tuesday, October 12, 2010

The Story of 'O' products

It's come to my attention lately that there's a LOT of confusion about the litany of 'O' products ('O' being Oracle). Given Oracle's choice to name everything after itself, you end up with a myriad of 'O' products in three and four letter acronyms. Coming from a background of Microsoft products where almost every year the product was renamed to something entirely different for no rhyme or reason (see MIIS to ILM to FIM), I am OK with Oracle renaming everything it buys to "Oracle" something. Still, there's a lot of confusion about the products and what they do. Given the recent acquisition of Sun products and their subsequent renaming, there's lots of speculation that the products overlap or, worse, compete. Some examples: OAAM (Oracle Adaptive Access Manager) and OAM (Oracle Access Manager); given the names, one might think the products are competitors. Naturally, in today's business environment, where every penny counts as businesses guard their cash reserves, you wouldn't want to put anything into production with an overlapping or competitive function. As such, I've been repeatedly asked about things like OIM, OID, OIA, and OAAM and whether they are serving the same function. This post is my attempt to provide some insight as to how those products interact, what purpose they serve, and our roadmap for implementing them.

A good visual is invaluable to show the relationship between the parts of the Oracle Identity Suite. Here's the interaction as presented by Oracle for their products and respective niches they fill:

We're currently implementing the foundation for good Access & Identity Management, which is good role based access and role governance. This is served by Oracle Identity Analytics or OIA. OIA will allow us to move away from the very manual process of managing roles today by spreadsheet and SQL scripts. It will also allow us several key improvements: separating our AIM systems from any and all legacy databases, moving away from the tight coupling of roles (access) to job codes and cost codes, and finally associating access with job functions and responsibilities in the form of enterprise roles. Having a solid grasp on roles is fundamental to our efforts and will provide a multitude of benefits to us, our customers, and the business.

We're also implementing Oracle Internet Directory or OID, which will allow us to govern access to Oracle databases. Oracle Internet Directory (OID) is an implementation of LDAP (Lightweight Directory Access Protocol) and allows end users to access Oracle databases with their network credentials. This allows us to tie back access to Active Directory as our single point of control for all access in the enterprise. OID will also allow us to manage authorizations in Oracle databases via membership in LDAP (OID) groups, groups governed and approved by the database owners. So Business Intelligence database access will have to be approved by the Business Intelligence team, CRM database access will be controlled by the CRM team, etc. All of this access will be requested, approved, and authorized through a single site, the Computer Access Process or CAP.

The CAP itself will get a facelift this year and we're going to improve and extend our provisioning process (see Identity Administration) as we implement Oracle Identity Manager or OIM. OIM will allow us to move away from our Microsoft based workflow engine, which has served our purposes admirably but not without its challenges, and allow us to begin to use OIM's connectors for expanded provisioning to the eBusiness applications. OIM also promises tighter integration with the Oracle owned applications like PeopleSoft and the rest of our Oracle Identity Suite products like Oracle Adaptive Access Manager (OAAM) and Oracle Identity Federation (OIF), two technologies we're going to implement in the next 4-6 months as well. More on Oracle Adaptive Access Manager and Oracle Identity Federation in a future post.

So to RECAP:

OIA: Oracle Identity Analytics - role management, a foundational piece (database) for role based access and role governance.

OID: Oracle Internet Directory - a directory implementing LDAP which will allow us to authenticate Oracle database users via Active Directory and authorize them based on membership in groups (roles) governed in the near future by OIA (no dependency).

OIM: Oracle Identity Manager - a workflow and provisioning engine for extending and enhancing the administration of identities.

OIF: Oracle Identity Federation - a means for federation of our identities with partner organizations. Federation via standards, plain and simple.

OAAM: Oracle Adaptive Access Manager - strong authentication and knowledge based authorizations for websites. Coupled with its capabilities for real time fraud detection and prevention this tool will serve a variety of purposes.