Oracle Identity Manager 11g
by Deborah Volk on October 14th, 2009

Hot off the Oracle OpenWorld presses, I give you OIM 11g:
To expand a bit on the above highlights:

1) Shiny new web UI based on Oracle's Application Development Framework (ADF).

2) BPEL-based request/approval workflows. By using inference and set algebra, I can claim that provisioning workflows will stay "as is" (if there can be such a state as "as is" in 11g). To see is to believe so we shall see.

3) Embedded Oracle Entitlement Server (OES) that will deliver enough semantic firepower in rules that make up various authorization pieces. I am calling this an OES microcontainer (please send me a royalty check if you use the term). This should make it easier to implement real-world business processes in OIM. The primary use case enabled by this is attribute-level delegated administration where you can say that all users with department="Engineering" and cost center="123" can do or have access to function blah in OIM.

4) The identity administration pieces of Oracle Role Manager (ORM) will move to OIM. Management of roles, their relationship to various entities and associated lifecycle will be in OIM. To help with role-based stuff, a few classification nodes in the overall OIM asset taxonomy will be introduced, namely role categories, namespaces and owners. Since roles are now part and parcel of OIM, their membership can be managed via requests and there's a bunch of role-based use cases sprinkled throughout the product.

5) New reconciliation engine. Performance was Oracle's top goal when rewriting the recon engine. This was achieved by pushing a (larger) portion of the transaction to the database via stored procedures and horizontal table partitioning. For a performance-starved and scale-hungry customer, this is a declaration of love. Only time (and millions of reconciliation events banging against the glass) will tell. (Better get some DBAs on your team now!) As a bonus, reconciliation event manager is now available on the web, no need for Operations people to use Design Console. It's been improved as well with an eye toward helping out Operations. For example, it allows the capture of justification for manual operations such as manual/ad-hoc linking of events.

6) SPML-based web services for identity administration. This is already available in 10g. I don't know if the guts have been changed but 11g reads like an expansion of the current SPML web service interface with coverage for operations new in 11g, e.g. role admin. This was touted as an example of "Identity as a Service" with OIM acting as an authoritative source of identity info for the rest of the products in the IAM stack and beyond (collective moniker: Fusion Middleware and Apps).

Some of the request workflow gaps that currently require a bit more engineering than customers expect from an out-of-the-box product have also been fixed. Namely, account modification requests (generically "modify requests") are now available thanks to BPEL workflow (ok, human tasks in a BPEL process). Thanks to the BPEL engine being quite a bit more flexible than the current "homegrown" workflow engine in OIM, a slew of workflow features are available when dealing with requests, including dynamic routing, retraction, bulk actions, assignment to groups and more.

So the SOA/BPM and IAM worlds have finally collided. I predicted as much all the way back in April (yes, my crystal ball is very special). If I look at my crystal ball now, I think eventually OIM may be nothing more than a specialized application running on top of a SOA/BPM platform.

Oracle Role Manager has been sent to sleep with the fishes. Its turf is going to be taken over by OIM on the identity administration side and by Oracle Identity Analytics (OIA) on the reporting/analytics side.
It'll be interesting to see the deployment requirements. OES microcontainer is embedded but will the same be true of SOA Suite components necessary for BPEL workflows to work? I doubt it. We'll probably witness the pull-through conquest model employed by legacy Oracle Identity Management stack. OIM will drag SOA pieces along and plant the Oracle SOA Suite seeds whether you like it or not.

Connectors have been mentioned briefly as in "there will be new connectors". On the reconciliation side, backward compatibility was highlighted ("no change to existing connectors or existing reconciliation config data") but I wonder about the rest of the APIs and backward compatibility in general. I am sure there will be lots of twists and footnotes to this story as it develops.

Release date of OIM 11g is calendar year 2010, somewhere between January 1st and December 31st. Apparently all Oracle PMs have been threatened with the worst punishment imaginable - exile to Support - if they narrow it down to a time period less than a year wide.

Last but not least, I don't see any room for Sun Identity Manager or Sun Role Manager in this new world order. Perhaps certain pieces could be extracted from Sun products and dropped into OIM 11g but off the top of my head, I can't think of any. If someone knows better, please leave a comment. Although we're far from seeing the curtain rise (or fall) on the Sun/Oracle deal, when it comes to combining the identity administration products (identity and role managers), I can claim to be at least 50% correct in my Suncle forecast.



anon - November 25th, 2009 at 8:09 PM
"Last but not least, I don't see any room for ... Sun Role Manager in this new world order."

I would strongly recommend reconsidering this assessment.
Deborah Volk - November 25th, 2009 at 10:24 PM
What I meant by that is that since ORM as a product is going away in 11g, I don't see Oracle resurrecting another role manager as a separate product. If the deal does go through, they'll probably support Sun RM for maintenance revenue but the eventual migration path will be from Sun RM to OIM.
anon - January 29th, 2010 at 7:55 PM
I mean what you are going to see is ORM drop like a rock, and SRM become the basis for Identity Analytics instead.
anon - December 1st, 2009 at 2:30 AM
I believe their plan is to keep vaau's certification to replace the existing attestation engine...
Deborah Volk - December 1st, 2009 at 2:35 AM
Attestation in 11g is part of Oracle Identity Analytics. I don't see Oracle ripping out functionality out of the new product they just built.
Simon - January 29th, 2010 at 12:52 AM
Hi Deb,

It's been a long time :-)

As per Oracle's webcast yesterday, Vaau/Sun Role Manager will be the strategic direction (

But I think we should all wait to see the Identity Management-specific strategy to be announced via webcast in the next few days ( ...


Deborah Volk - January 29th, 2010 at 9:14 AM
Yes, clarification is clearly needed!
Matt Walters - December 10th, 2010 at 3:14 PM
Thanks for the discussion. Could you comment on the difficulty of completing an upgrade to the newer version?
Deborah Volk - December 10th, 2010 at 3:42 PM
Using a commonly accepted definition of 'upgrade', there's no upgrade path at the moment. You have to treat 11g as a new IDM application.