Navigating OIM 12c: Your Comprehensive Migration and Go-Live Handbook

This blog is all about helping you understand OIM 12c migration, cutover, and go-live processes easily. It's the result of my experience with numerous successful OIM deployments. In the world of Identity and Access Management (IAM), where I couldn't find similar resources in one place, I felt inspired to create this blog to assist myself and others in gaining valuable insights and having a useful handbook readily available when needed. SQL queries are a significant part of this blog because, in OIM, understanding the database and logs is key to fixing any problems. So, get ready to dive in and make your OIM journey smoother!

Table of Contents

1 Certification Matrix and Infrastructure Checks
    1.1 OS and Version
    1.2 CPUs
    1.3 RAM
    1.4 Network Interface IP
    1.5 Open Ports
    1.6 Network Connectivity
2 Installing OIG 12c
3 JVM memory parameters and garbage collection
4 Applying Stack Patch Bundle (SPB)
5 Identity Console First Time Login
6 Disable OIM Notification
    6.1 XL.DisableAllNotifications System Property
    6.2 Disable Notification Templates
7 Disable Schedulers
8 Setting OimFrontEndURL and OimExternalFrontEndURL
9 Connector Preinstallation Steps
10 Target System User Account
11 Download and Install Connector Server
    11.1 Set Key for Connector Server
    11.2 Configuring Log File Rotation
    11.3 Installing the Connector
12 Taking Full Database backup
13 Connector Installation using AOB/CI
14 OIM Configuration Migration using Deployment Manager
    14.1 User Metadata
    14.2 JARs
    14.3 Lookups
    14.4 Plugins
    14.5 Prepopulate Adapters
    14.6 Task Adapters
    14.7 Roles
    14.8 IT Resource Definition
    14.9 IT Resource
    14.10 Resource + Process + Process Form
    14.11 Email Definition
    14.12 Organizations
    14.13 Application Instance
    14.14 Access Policies
    14.15 Admin Roles
    14.16 Notification Template
    14.17 Request Dataset
    14.18 Scheduled Task and Job
    14.19 System Properties
    14.20 Certification Definition
15 Validate Adapter Mappings
16 Create and attach form to Application Instances
17 Publish Application Instances to Organization(s)
18 ADF JARs Migration
19 Undo a Published Sandbox
20 UI Customizations
    20.1 Upgrade User Form
    20.2 Customize Various Form
    20.3 EL Expressions
    20.4 Customize branding and logo
21 SOA Composite
    21.1 Export Composite
    21.2 Set BpelcClasspath
    21.3 Deploy Composite
22 Approval Workflow
23 Updating IT Resources
24 Target Lookup Recon
25 UMS Configuration
    25.1 Enable UMS Email Notification
    25.2 Create UMS Driver
    25.3 Workflow Notification
26 Custom Database Entities
27 Configuring Custom Logging
28 Import Certificate in Keystore
29 The Indispensable Role of a Test User before Go-Live
30 Cutover and Day Zero
    30.1 Full Trusted Recon/ Bulk Load
    30.2 Full Target Recon
    30.3 Assigning Roles
    30.4 Access Policy Harvesting
31 Enabling Notifications
32 Enabling and Scheduling Jobs
33 Enabling Auditing
34 Helpful Queries
    34.1 Retrieve all accounts of a user
    34.2 Retrieve Task Details
    34.3 Retrieve Request Details
    34.4 Retrieving Users by Manager Hierarchy
    34.5 Parent-Child Table Associations
    34.6 Investigating Constraint Details

  66

1.    Certification Matrix and Infrastructure Checks

The recommendation before starting with installation of OIG 12c is to check the certification matrix. This matrix provides information about the supported OS, browser, database, web server etc.

The commands listed below may not be compatible with your operating system, and you may need to search for the precise command. Nonetheless, the process will remain consistent.

1.1    OS and Version

The file which contains the OS details in linux is os-release.

To display the details, use following command:

    cat /etc/os-release

1.2    CPUs

To get entire CPU information use following command:

    cat /proc/cpuinfo

To get the number of CPUs in linux use the following command:

    nproc

1.3    RAM

To get the RAM details in linux, use the following command:

    free -h

1.4    Network Interface IP

To get the IP address assigned to network interface use the following command:

    ip addr show

1.5         Open Ports

To get the list of open ports on the system use the following commands:

    sudo netstat -tuln

1.6    Network Connectivity

To check the network connectivity from OIM server to any system (trusted or target) telnet is a handy tool:

    telnet <TARGET_IP_Address> <TARGET_Port_Number>

2.    Installing OIG 12c

The installation of OIG 12c should be done with utmost care and important data points should be recorded like oracle home location, domain location, schema prefix, passwords.

The installation is generally divided into following steps:

1. Pre-deployment Preparation
2. QuickStart Based Installation
3. RCU Steps
4. WLS Domain Configuration
5. Post Configuration Steps
6. First Time Start-up
7. Post Deploy Steps
8. OIM Validation and Setup

For detailed instructions please refer: 

Quick Install of OIM 12c with screen-shots (Doc ID 2259159.1)

3.    JVM memory parameters and garbage collection

The Java Virtual Machine's (JVM) memory parameters are settings that regulate how much memory is allocated and used. These parameters control how much memory is allotted to various components of JVM.

1. -Xmx: This parameter specifies the maximum heap size that can be allocated to the Java. For example, -Xmx2048m set the maximum heap size to 2 gigabytes.
2. -Xms: This parameter specifies the initial heap size that is allocated to Java when the JVM starts. For example, -Xms512 sets the initial heap size to 512 megabytes.
3. -Xss: This parameter sets the thread stack size, specifying the amount of memory allocated to each thread's stack.
4. -XX:MaxMetaspaceSize: Sets the maximum size of the metaspace, which is used to store class metadata. For example, -XX:MaxMetaspaceSize=256m sets the maximum metaspace size to 256 megabytes.

GC Log is an important log to observe memory utilization, GC time, and frequency of the Java process.

This log is a must for investigating OutOfMemoryError, and performance issues.

To add the argument in weblogic follow the below steps:

1. Open Environment -> Servers
2. Click on OIM managed server (eg. oim_server1)
3. In configuration click on ‘Server Start’ tab
4. In arguments box add the following

    -Xloggc:<DIR>/<GCLog_File_Name> -XX:+PrintGCDetails -XX:+PrintGCDateStamps

4.    Applying Stack Patch Bundle (SPB)

The quarterly SPB includes the bundle patches for each of the select Identity Management products as well as the patches for their respective underlying components.

The SPB also includes the SPBAT tool which can be used to apply all the patches for a single product with a single command by using a phased approach.

For detailed instructions please refer: 

Stack Patch Bundle for Oracle Identity Management Products (Doc ID 2657920.2)

5.    Identity Console First Time Login

When the XELSYSADM user logs in for the first time, they are prompted to answer challenge questions. These answers are then utilized if the "forgot password" link on the sign-in page is clicked in the future.

6.    Disable OIM Notification

6.1    XL.DisableAllNotifications System Property

XL.DisableAllNotifications System Property is used to enable or disable all notifications in Oracle Identity Manager. When the value of this property is set to false, notifications are enabled. When the value of this property is true, notifications are disabled.

It is recommended to disable the notifications before go-live.

6.2     Disable Notification Templates

Disable all out-of-the box (OOTB) notification templates in case they are not required.

To disable a notification template:

1. Log in to Oracle Identity System Administration.
2. In the left pane, under System Configuration, click Notification.
3. Blank search
4. Open notification template and click on Disable

7.    Disable Schedulers

Disable some critical schedulers like ‘Evaluate User Policies’ which evaluates the access policies and provisions accounts based on eligibility defined in membership rule.

You can also disable other OOTB schedulers which you don’t want to be executed while you are performing migration activities.

In case you want to disable all the scheduler, navigate to the following URL:

    

    http://OIM_HOST:OIM_PORT/SchedulerService-web/status

Enter the system admin credentials and after authentication the page will show the current scheduler status. If you want to disable, click on ‘STOP’.

8.    Setting OimFrontEndURL and OimExternalFrontEndURL

The OimFrontEndURL represents the designated URL for accessing the user interface of Oracle Identity Manager (OIM). It can be either a load balancer URL or a web server URL.

1. Login to Enterprise Manager with the following URL:
   http://ADMIN_SERVER_IP:PORT/em
   (Note: The Admin server should and any one of the OIM managed server must be in running state.)
2. Navigate to Identity and Access, oim.
3. Right-click oim, and navigate to System MBean Browser.
4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, and then Discovery.
5. Set the desired values for OimFrontEndURL and OimExternalFrontEndURL

9.     Connector Pre-installation Steps

It is critical to follow the preinstallation processes indicated in the connector guide to enable a smooth and reliable integration between Oracle Identity Manager (OIM) 12c and external systems, ensuring compatibility, optimal performance, and reducing potential installation issues.

10.    Target System User Account

The OIM 12c connector relies on a target system account to establish connectivity during operations. To determine the privileges necessary for this account, refer the connection guide. It is advised that you request the target application team/owner to give you with the relevant account credentials beforehand.

As these credentials will be required for the IT Resource setup, make sure you have easy access to them.

11.    Download and Install Connector Server

Note: This step is specifically relevant if you have connector installed on a separate Connector Server.

A connector server is an application that enables remote execution of an Identity Connector.

The Connector Server, which is independent from the core Oracle Identity Manager (OIM) server, is required for scalability and flexibility since it enables effective management of specialized connectors and assures optimal performance.

Download Link - https://www.oracle.com/security/identity-management/technologies/oim-connectors-downloads/#

12.    Taking Full Database backup

It is highly recommended that a database backup be performed prior to importing data into an OIM 12c production environment. This preventive measure enables for data restoration if there are any problems or challenges during the import procedure. Before making significant changes, it is a good idea to backup the database.

13.    Connector Installation using AOB/CI

The connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer based connector).

To ensure proper installation of the connector, follow the instructions outlined in the connector documentation. It is crucial to create the application using the exact name present in your lower environment.

Note: If the installation process is skipped and the connector artifacts are migrated directly, the application will not appear in the Applications/Manage Connector tab. Additionally, upgrading the connector in the future will not be possible under such circumstances.

14.    OIM Configuration Migration using Deployment Manager

The Deployment Manager is a tool for exporting and importing Oracle Identity Manager configurations.

Note: The Deployment Manager is not a merge utility. It replaces the object in the target system with that in the XML file. The Deployment Manager does not track versions of imported files, and does not provide rollback functionality.

Steps for export/import are as follows:

1. Open Oracle Sysadmin console in pre-prod environment
2. Under system configuration click on Export
3. Select the type and entities
4. Click Next and select the dependency as yes or no
5. Give valid description and click Export (Note: Make sure to give a valid filename and description to exported entities because it is stored in EIF table. The table also contains the content of the XML file.)
6. Open Oracle Sysadmin console in Prod
7. Under system configuration click on Import
8. Browse the file which you want to import
9. It will show the summary of import
10. Click Import

To facilitate the proper import order, I have compiled a list of entities in the recommended sequence of import:

1. User Metadata
2. Jars
3. Lookups
4. Plugins
5. Prepopulate Adapters
6. Task Adapters
7. Roles
8. IT Resource Definition
9. IT Resource
10. Resource + Process + Process Form
11. Email Definition
12. Organizations
13. Application Instance
14. Access Policies
15. Admin Roles
16. Notification Templates
17. Request Dataset
18. Scheduled Task and Job
19. System Properties
20. Certification Definition

By adhering to this order during the import process using the Deployment Manager, you can ensure that dependencies are met, and the entities are imported successfully into Oracle Identity Manager (OIM) 12c. I have also listed queries to get these entities from lower environment which can be later compared with prod.

14.1 User Metadata

User Metadata contains information about User Defined Fields (UDFs). Make sure to migrate only the required UDFs as these can’t be deleted later.

Export with Dependency = Yes

The query to get all the UDFs in the lower environment is as follows:

    SELECT * FROM SDC
    WHERE SDK_KEY = (SELECT SDK_KEY FROM SDK WHERE SDK_NAME = 'USR')
    order by sdc_name;

14.2    JARs

JARs in OIM are of 4 different types namely ICFBundle, JavaTasks, ScheduleTask, and ThirdParty. The ICFBundle are the jars used by the connector. The JavaTasks are the jars used by custom adapters which might be pre-populate adapter or process task adapter. The ScheduleTask jars are used by the scheduler in older version of OIM. The ThirdParty as the name suggest are the third party jars that we might use in our custom code.

The order of uploading the jars is ICFBundle, JavaTasks, ScheduleTask, and ThirdParty.

The query to get all the JARs in OIM is as follows:

    SELECT * FROM oimhome_jars
    ORDER BY oj_type, oj_name;

Steps to Upload jars are as follows:

1. Navigate to <ORACLE_HOME>/idm/server/JavaTasks/ and put the jar file in this location.
2. Set environment variables
   export ORACLE_HOME=<ORACLE_HOME PATH IN YOUR ENV>
   export APP_SERVER=weblogic
   export OIM_ORACLE_HOME=<ORACLE_HOME>/idm
   export WL_HOME=<MW_HOME>/wlserver
   export JAVA_HOME=<JAVA_HOME PATH IN YOUR ENV>
   export MW_HOME=<MW_HOME PATH IN YOUR ENV>
   export DOMAIN_HOME=<MW_HOME>/user_projects/domains/base_domain
3. Navigate to <ORACLE_HOME>/idm/server/bin and run the script UploadJars.sh

Note: It is advised to add the third party jars to OIM classpath in startManagedWebLogic.sh/cmd file and restart OIM.

    export CLASSPATH=$CLASSPATH:<absolute path of jar file>

14.3    Lookups

Lookups in OIM store data that can be used in various contexts within the system.

The query to get all the lookups in OIM is as follows:

SELECT LKU_TYPE_STRING_KEY, LKU_GROUP FROM LKU
WHERE LKU_TYPE = 'l'
ORDER BY LKU_TYPE_STRING_KEY;

14.4    Plugins

Plugins help us to extend the functionality of OIM. Plugins can be of different types like Event Handler (pre-process, postprocess, and validation), Scheduler, Notification Resolver, Pre-populate plugin, Username generation plugin and Request Data Validator.

The query to get all the plugins in OIM is:

select plugins.ID, plugins.TYPE, plugin_zip.zip from plugins, plugin_zip

where plugins.zipid = plugin_zip.zipid

ORDER BY NAME;

Note: The ZIP column contains a downloadable BLOB file.

The steps to register plugin are as follows:

1. Export environment variables
   export ANT_HOME=<ORACLE_HOME>/oracle_common/modules/thirdparty/org.apache.ant/1.10.5.0.0/apache-ant-1.10.5
   export PATH=$ANT_HOME/bin:$PATH
2. Place the plugin zip file in the following directory
   cd /apps/oracle/products/OIM_Home/idm/server/plugins
3. Navigate to the following directory
   cd /apps/oracle/products/OIM_Home/idm/server/plugin_utility/
4. Run the command to register the plugin
   ant -f pluginregistration.xml register

14.5    Prepopulate Adapters

Prepopulate adapters are linked to application process form. They automatically populate certain fields with predefined values. They are different from prepopulate plugin in the sense that prepopulate plugin displays the data on the process form while we are raising the request while prepopulate adapters does not display the data on the process form while raising the request.

Export with Dependency = Yes

The query to get all the prepopulate adapters in OIM is as follows:

    select ADP_NAME, ADP_DESCRIPTION from adp
    where adp_type = 'P'
    order by ADP_NAME;

14.6    Task Adapters

Task adapters as the name suggests are attached to process tasks in OIM. These tasks can be triggered on various conditions like create, update, disable, delete or any process form value updates. They can also be assigned on different outcomes of previous tasks like success, failure etc.

Export with Dependency = Yes

The query to get all the task adapters in OIM is as follows:

    select ADP_NAME, ADP_DESCRIPTION from adp
    where adp_type = 'T'
    order by ADP_NAME;

14.7    Roles

Roles in OIM allows for managing a set of entitlements and accounts that the user or group of users will have. The eligibility is defined based on membership rule. Roles also allows to implement the concept of least privilege in OIM.

Export with Dependency = No

The query to get list of all roles in OIM is as follows:

    SELECT * FROM UGP;

The GPG table holds parent/ child role information.

Note: If there are large number of roles then they can also be created using bulk load utility.

14.8    IT Resource Definition

IT resource definition can be seen as a blueprint or template for IT resource.

Export with Dependence = No

The query to get list of all IT Resource Definition in OIM is as follows:

    SELECT * FROM SVD;

14.9    IT Resource

IT Resource holds the connection details that OIM will use to connect with an external system. It acts as a bridge between OIM and target system.

Export with Dependence = No

The query to get list of all IT Resource in OIM is as follows:

    SELECT * FROM SVR;

14.10    Resource, Process and Process Form

Resource, process, and process form are the most integral components in OIM. Resource is a blueprint or template of the target system. It contains all the target system attributes and recon action rule. Process defines a series of tasks to be performed on the resource and it also contains recon field mappings. Process form stores the data that is send to target system.

Export with Dependency = Yes

The query to get list of all resource, process, and process form mapping in OIM is as follows:

SELECT DISTINCT OBJ.OBJ_NAME AS "Resource", PKG.PKG_NAME AS "Process", SDK.SDK_NAME AS "Process Form"
FROM MIL, TOS, PKG, OBJ, SDK
WHERE TOS.TOS_KEY = MIL.TOS_KEY
AND TOS.PKG_KEY = PKG.PKG_KEY
AND PKG.OBJ_KEY = OBJ.OBJ_KEY
AND TOS.SDK_KEY = SDK.SDK_KEY
ORDER BY 1;

14.11    Email Definition

Email Definition in design console stores the email template of the automated emails send by OIM. For email definition to work we need to create an IT Resource of type mail server which contains the following parameters:

1. Authentication
2. Server Name
3. User Login
4. User Password

Export with Dependency = Yes

14.12    Organizations

Organizations in OIM is a hierarchical structure to organize users, roles, and resources.

Export with Dependency = No

The query to get list of all organizations in OIM is as follows:

    SELECT * FROM ACT;

Note: If there are large number of organizations then they can also be created using bulk load utility.

14.13    Application Instance

An application instance is a construct which is used to depict a provisionable entity. It is a combination of IT resource and resource object.

Export with Dependency = Yes

The query to get list of all Application Instances in OIM is as follows:

    select APP_INSTANCE_NAME from app_instance order by 1;

14.14    Access Policies

Access Policies are attached to roles in OIM and they define application and entitlements that the users of a particular role are eligible.

Export with Dependency = No

The query to get list of all access policies in OIM is as follows:

            SELECT * FROM POL;

The query to get the role and access policy mapping in OIM is as follows:

SELECT UGP.UGP_ROLENAME AS "ROLE", POL.POL_NAME "ACCESS POLICY"
FROM POL, UGP, POG
WHERE POG.POL_KEY = POL.POL_KEY
AND POG.UGP_KEY = UGP.UGP_KEY;

The query to get the role its access policy, associated application and entitlement is as follows:

SELECT A.POL_PRIORITY, A.ROLE, A."ACCESS POLICY", A.OBJ_NAME,

CASE WHEN A.POP_DENIAL = '0' THEN 'PROVISION'

    ELSE 'DENY' END AS ACTION_ON_ASSIGN,

CASE WHEN A.POP_REVOKE_OBJECT = '1' THEN 'REVOKE'

    WHEN A.POP_REVOKE_OBJECT = '2' THEN 'DISABLE'

    ELSE 'N/A' END AS ACTION_ON_REMOVE,

POC.POC_FIELD_VALUE FROM

(

SELECT POL.POL_PRIORITY, UGP.UGP_ROLENAME AS "ROLE", POL.POL_NAME "ACCESS POLICY", OBJ.OBJ_NAME, POP.POP_DENIAL, POP.POP_REVOKE_OBJECT, POL.POL_KEY

FROM POL, UGP, POG, POP, OBJ

WHERE POG.POL_KEY = POL.POL_KEY

AND POG.UGP_KEY = UGP.UGP_KEY

AND POP.POL_KEY = POL.POL_KEY

AND POP.OBJ_KEY = OBJ.OBJ_KEY

ORDER BY POL.POL_PRIORITY

)A LEFT JOIN POC

ON A.POL_KEY = POC.POL_KEY;

14.15    Admin Roles

Admin Roles in OIM allows users to perform administrative actions in OIM.

Export with Dependency = No

The query to get list of all admin roles in OIM is as follows:

    SELECT * FROM ADMIN_ROLE;

14.16    Notification Template

Notification templates store the content of an automated notification in OIM. The notifications can be written in either plain text or html format. Each template is associated with an event in OIM.

Export with Dependency = No

The query to get list of all Notification Template in OIM is as follows:

    SELECT * FROM NOTIFICATIONTEMPLATE;

14.17    Request Dataset

Request dataset contains all the versions of forms in OIM.

Export with Dependency = No

14.18    Scheduled Task and Job

Scheduled tasks and jobs in OIM are like cron jobs they allow for periodic execution of a specific activity in OIM.

Export with Dependency = Yes

The query to get list of all Jobs in OIM is as follows:

    SELECT * FROM QRTZ92_JOB_DETAILS;

14.19    System Properties

System properties as the name suggest control various system operations in OIM.

The query to get list of all System Properties in OIM is as follows:

    SELECT * FROM PTY;

14.20    Certification Definition

A certification definition in OIM defines the scope, frequency, reviewers, and rules for certifying access.

The query to get list of all Certification Definition in OIM is as follows:

    SELECT * FROM CERT_DEFN;

 

15.    Validate Adapter Mappings

Validating adapter mappings is crucial especially when you have literals as the values might change from one environment to another.

Following is the query for Pre-populate adapters and mappings:

select distinct s.SRE_SDC_NAME,e.EVT_NAME,adp.adp_name,a.adv_name,r.RAV_MAP_TO,r.RAV_MAP_QUALIFIER, r.RAV_MAP_VALUE
from RAV r, SRE s, ADV a, EVT e, ADP, SDK
where r.SRE_KEY = s.SRE_KEY
AND r.ADV_KEY = a.ADV_KEY
and s.evt_key = e.evt_key
and e.evt_key = adp.evt_key
and adp.adp_key = a.adp_key
and s.sdk_key = sdk.sdk_key
and s.SRE_SDC_NAME like '<UD_TABLE>%';

Following is the query for Resource Object Process Task its adapter and adapter mappings:

select OBJ.OBJ_NAME, Mil.mil_key,MIL.MIL_NAME,adp.adp_key,ADP.ADP_NAME,ADV.ADV_NAME, MAV.MAV_MAP_TO,MAV.MAV_MAP_QUALIFIER,MAV.MAV_MAP_VALUE from mil
join tos on tos.tos_key = mil.tos_key
join pkg on tos.pkg_key = pkg.pkg_key
join obj on  pkg.obj_key = obj.obj_key
LEFT OUTER JOIN ADP ON ADP.EVT_KEY = MIL.EVT_KEY
left outer join mav on mav.mil_key = mil.mil_key
left outer JOIN ADV ON MAV.ADV_KEY = ADV.ADV_KEY
where obj.obj_name = '<Resource Object>';

Note: Make sure to compile all the adapters after making changes from Design Console -> Adapter Manager -> Compile All.

16.    Create and attach form to Application Instances

Attaching a form to application instance is necessary for providing account specific details.

The steps to create and attach form to application instances are as follows:

1. Login to Oracle Identity System Administration.
2. Create and activate a sandbox.
3. In the left pane, under Provisioning Configuration, click Form Designer.
4. From the Actions menu, select Create.
5. In the Resource Type field, specify a resource object with which you want to associate the form.
6. In the Form Name field, enter a form name.
7. In the Application Instance page or the Attributes tab of the Application Instance details page, click Refresh adjacent to the Form field.
8. Select the newly created form in the Form list and click Apply.

17.    Publish Application Instances to Organization(s)

To enable users to request and provision the application instance, it is essential to publish it within the organization.

If the application is CI based, follow the below steps:

1. Open Sysadmin Console
2. Under Provisioning Configuration open Application Instances
3. Search and open the application you want to publish.
4. Click on Organizations tab
5. Click Assign

If the application is AOB based, follow the below steps:

1. Open Identity Console
2. Under Manager click on Applications tile
3. Search and open the application you want to publish.
4. Click on Setting tab and expand Preview Settings
5. Click on Organization
6. Click Add

Note: Select Hierarchy Aware checkbox only if you want to publish to all child organizations as well.

18.    ADF JARs Migration

Note: This step is applicable only if there are ADF customization in your environment.

Steps to migrated ADF jars are as follows:

1. Download the /apps/oracle/products/OIM_Home/idm/server/apps/oracle.iam.ui.custom-dev-starter-pack.war
2. Open the file in 7-zip
3. Navigate to WEB-INF -> lib
4. Paste the JARs
5. Copy this new oracle.iam.ui.custom-dev-starter-pack.war back to the same location
6. Restart OIM

19.    Undo a Published Sandbox

Before moving to the UI customizations, it is essential to know how the sandbox changes can be reverted. Sometimes UI customizations can mess up OIM if you publish the sandbox without proper testing.

There is no feature that un-deploys a specific sandbox. What we can do instead is rolling back to a point in time of a sandbox previously published.

The steps are as follows:

1. Login to Enterprise Manager as the Domain Admin User.
2. Expand the Weblogic Domain drop down menu on the left and select System MBean Browser.
3. Then navigate to Application Defined MBeans -> oracle.mds.lcm -> Server: [OIM Managed Server Name] -> Application: oracle.iam.console.identity.self-service.ear -> MDSAppRuntime -> MBeanMDSAppRuntime.
4. Click on the "Operations" tab.
5. Scroll down and identify the MBean operation "listMetadataLabels" and invoke it (choose the one that takes no parameters).
6. Select the sandbox to which you want to restore and copy it to the clipboard.
   For example the value you might copy might look something like - Creation_IdM_SBox007_10:35:24
7. Now go back to Operations by clicking Return.
8. Find the MBean operation "promoteMetadataLabel" (the one that takes a single parameter).
9. Enter the full sandbox label you wish to roll back to, carefully excluding any extra white space at the beginning or end of the label.
10. Click the Invoke button.
11. Restart OIM

20.    UI Customizations

20.1    Upgrade User Form

Use the Upgrade User Form feature after migrating the custom attributes of user. This ensures proper functioning of user form.

The steps to upgrade user form are as follows:

1. Login to sysadmin console and create a sandbox.
2. Under Upgrade section click on ‘Upgrade User Form’.
3. Click Upgrade Now button.

20.2    Customize Various Form

In this step depending on your specific implementation add custom attributes to User, Organization, Role, or Catalog form.

The general steps to customize form are as follows:

1. Create a sandbox.
2. Go to the form and click on customize on top right.
3. Click on Structure tab and select the panel you want to customize.
4. To add a field, click on plus icon and add the data component (To know exact data component for the particular form check the ‘Entities and Corresponding Data Components and View Objects’ on Oracle page)

For catalog customization follow these steps:

1. Create Sandbox in Pre-prod
2. For a user request application, open request form and click customize.
3. Do any minor change and export the sandbox.
4. Create the sandbox and follow the same steps in prod.
5. Copy the customization from UAT xml file to prod xml file.
6. Import the Sandbox back in prod and activate it.
7. Check the customizations from the process form.
8. If they are correct, then publish the sandbox.

20.3    EL Expressions

In OIM an EL expression allows us to fetch and evaluate values dynamically for various components. In case your pre-prod environment has EL expressions, you need to copy the same to prod.

20.4    Customize branding and logo

To change the logo the custom logo image must be placed in the <OIM_HOME>/server/apps/oim.ear/iam-consoles-faces.war/images/ folder.

Steps to change the logo are as follows:

1. Log in to Oracle Identity Self Service as the system administrator.
2. Create and activate a sandbox.
3. Click Customize.
4. Click Structure.
5. Click the OOTB Oracle logo.
6. Click Edit.
7. In Component Properties, click the down arrow icon next to the Icon property, and select Expression Builder.
8. In the Expression Builder, replace the default value of #{attrs.logoImagePath} with your logo path, that is /../oim/images/<LOGO_NAME.png>, where LOGO_NAME is the name of the custom logo.
9. Click Apply. 
10. Publish the sandbox.

21.    SOA Composite

In OIM, SOA composites are used to implement provisioning, deprovisioning and approvals.

21.1    Export Composite

To deploy the composites in prod, first we need to export the composites from pre-prod.

The steps to export composite from pre-prod are:

1. Open EM Console and click on burger icon -> SOA -> soa infra
2. Click on Deployed Composites
3. Click on the Composite you want to export -> <Composite Name> dropdown -> Export…
4. If there are any environment related changes then import the JAR in JDeveloper
5. Perform the changes and deploy the composite as SAR.

21.2    Set BpelcClasspath

The BpelcClasspath allows to use custom classes in SOA.

Before deploying the SOA composite, you need to set the BpelcClasspath property in the System MBean Browser of Oracle Enterprise Manager (EM) Console

1. Go to EM console. Login as weblogic user.
2. Expand Weblogic Domain from the left pane. Right click on System MBeans Browser
3. Go to Application Defined MBeans -> oracle.as.soainfra.config -> Server: soa_server1 -> BPELConfig -> bpel
4. Under Attributes column click on BpelcClasspath. Provide full path for oimclient.jar and jps-manifest.jar.

These files are located at following location

<OIM_ORACLE_HOME>/server/client/oimclient.jar
<ORACLE_HOME>/oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar

Note: The paths should be separated by a colon (:) on UNIX and semicolon (;) on Windows.

21.3    Deploy Composite

The steps to deploy composite from EM console is as follows:

1. Click on the burger icon on top left corner of EM Console.
2. Open SOA Infra
3. Select Deployed Composites
4. Deploy

The composite can also be deployed using WLST as follows:

1. Navigate to <ORACLE_HOME>/oracle_common/common/bin
2. Run the command
   ./wlst.sh
3. Connect to weblogic server
   connect()
4. Run the following command to deploy the composite
   sca_deployComposite("http://<SOA_HOST>:<SOA_PORT>","<path_to_sar>/sca_ApprovalProject.jar",user="weblogic")
5. Exit WLST with the following command
   exit()

22.    Approval Workflow

Approval workflow rules can be configured to determine whether an operation requires approval or not. In addition, if approval is required, then the rule also indicates which SOA workflow is to be initiated.

The approval workflow can be assigned on various events like create user, disable user, create role, provision application instance etc.

Duplicate any such approval workflow rules from lower environment to production.

23.    Updating IT Resources

IT Resource holds the connection details that OIM will use to connect with an external system. It acts as a bridge between OIM and target system.

In this step update all the IT resource parameters with PROD trusted/target system details.

24.    Target Lookup Recon

Target Lookup Recon is essential to synchronize the target system groups/roles/entitlements with OIM. It should be done after updating IT resource because it gives you a clarity that the details entered are indeed correct.

Further run the ‘Entitlement List’ scheduled job which populates the entitlement table with the values from lookup.

Finally run the ‘Catalog Synchronization Job’ which is responsible for displaying the entitlement in the request catalog.

25.    UMS Configuration

The User Messaging Service (UMS) in OIM is used for sending notification or alerts to user on various channels like email and SMS.

25.1    Enable UMS Email Notification

First, you need to enable UMS Email Notification following the below steps:

1. Go to System MBean Browser
2. Application Defined MBeans-> oracle.iam, Server: oim_server_name, Application: oim, IAMAppRuntimeMBean, and select UMSEmailNotificationProviderMBean
3. Make the Enabled attribute as ‘true’.

25.2    Create UMS Driver

The UMS driver can be thought of as a connector between OIM and messaging system.

The steps to create UMS driver are as follows:

1. Login to the Enterprise Manager, and navigate to User Messaging Service -> usermessagingdriver-email
2. Right click in usermessagingdriver-email and select Email Driver Properties
3. In Email Driver Properties, click Create
4. Define the Name
5. Select the Sender Address
   NOTE: The format is EMAIL:<user_email>
6. Click in the Supported Content Types and select which type your email server supports, for example text/html
7. Define the Message Folder, Outgoing Mail Server, Outgoing Mail Server Port

25.3    Workflow Notification

UMS also works for workflow notification to keep users informed about the different stages of approval process.

To setup workflow notification properties follow the steps given below:

1. Log in to Oracle Enterprise Manager.
2. Expand the SOA node and select soa-infra.
3. Right-click soa-infra, select SOA Administration and then Workflow Properties.
4. Select the Notification Mode as Email.
5. In the Mailer tab, under Notification Service, enter From Address, Actionable Address, and Reply To Address for your outgoing mail address.
6. Click Apply.

26.    Custom Database Entities

In case your pre-prod environment has any custom database entities like tables, views, stored procedures, indexes, triggers, dbms scheduler it’s the right time to move them to production.

Make sure to keep a proper track of all such entities and keep them documented otherwise they will be lost in limbo.

27.    Configuring Custom Logging

Configuring custom log in OIM is essential for isolating and debugging issues in custom code.

The steps to configure custom logger in OIM are as follows:

1. Go to the <DOMAIN_HOME>/config/fmwconfig/servers/<OIM_SERVER_NAME>.
2. Open the logging.xml file.
3. Add the Log Handler and Logger.
4. Save the file
5. Restart OIM managed server

Note: If you have a clustered setup perform these steps on all the servers.

Example of log handler and logger:

<log_handler name='test' class='oracle.core.ojdl.logging.ODLHandlerFactory' level='TRACE:32'>
<property name='useDefaultAttributes' value='false'/>
<property name='format' value='ODL-Text'/>
<property name='path' value='${domain.home}/servers/${weblogic.Name}/logs/${weblogic.Name}-custom.log'/>
<property name='maxFileSize' value='10485760'/>
<property name='maxLogSize' value='104857600'/>
<property name='useSourceClassAndMethod' value='TRACE:1'/>
</log_handler>

<logger name='TEST-LOG' level='TRACE:32'>
<handler name='test'/>
</logger>

28.    Import Certificate in Keystore

Importing certificate is essential to establish trust between OIM and other external systems.

The steps to import certificate in keystore are as follows:

cd <MW_HOME>/wlserver/server/lib

keytool -import -v -noprompt -trustcacerts -alias <alias_name> -file <cer_file_location> -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase

Command to list all certificates in keystore:

keytool -list -v -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase >> CertList.txt

Note: Make a list of certificate and their corresponding expiry dates which will be useful later.

29.    The Indispensable Role of a Test User before Go-Live

There is one very important saying that the amount of testing is inversely proportional to the number of surprises during go-live. The more you test the less surprises are expected and vice versa. Never be under an assumption when migrating from pre-prod to prod that the functionality is working in lower environment so it should work in prod. There may be some environment related changes that must be performed in prod.

The only way to catch these issues before go-live is to have at least one test user and perform all critical operation in prod on that user like trusted/target recon and provisioning.

30.    Cutover and Day Zero

Day Zero is the critical day for any project go-live. On this day we setup all the existing user identities and accounts in OIM. From day 1 onwards the user life cycle is managed centrally by OIM.

Note: If you have a large amount of data to be reconciled then the performance issues can be addressed using any the following ways:

1. Use filter to break the data into smaller chunks so the entire data is not pulled at the same time.
2. Disable the following jobs before doing large recons:
   - Issue Audit Message
   - Evaluate User Policies
   - Refresh Role Memberships
3. Decrease the WorkManager concurrent threads while doing the initial recon.

30.1    Full Trusted Recon/ Bulk Load

All the users who are present in the HRMS/Trusted system must be created in OIM. Full Trusted Recon scheduled job should be run at this stage to bring all the existing users in OIM. An alternative approach is to use bulk load utility which is efficient for loading large amount of data.

The query to get the count of recon events generated by the status is as follows:

SELECT RECON_EVENTS.RE_ENTITY_TYPE, TRUNC(RECON_EVENTS.RE_CREATE) AS EVENT_DATE, OBJ.OBJ_NAME, RECON_EVENTS.RE_STATUS, COUNT(RECON_EVENTS.RE_STATUS) AS EVENT_COUNT
FROM RECON_EVENTS LEFT JOIN OBJ
ON RECON_EVENTS.OBJ_KEY = OBJ.OBJ_KEY
GROUP BY RECON_EVENTS.RE_ENTITY_TYPE, TRUNC(RECON_EVENTS.RE_CREATE), OBJ.OBJ_NAME, RECON_EVENTS.RE_STATUS
HAVING TRUNC(RECON_EVENTS.RE_CREATE) = TRUNC(SYSDATE)
ORDER BY 2 DESC;

To check the received data in any recon event you can use the RA_<name> table.

select RA_<name>.*
from recon_events left join ra_<name>
on recon_events.re_key = ra_<name>.re_key
left join obj
on recon_events.obj_key = obj.obj_key
where RECON_EVENTS.RE_STATUS = ‘<status>’
and TRUNC(RECON_EVENTS.RE_CREATE) = TRUNC(SYSDATE);

To get the values added and removed during a particular event you can refer the AUDIT_EVENT table.

30.2    Full Target Recon

Full Target Recon is responsible for linking corresponding target accounts to user in OIM. This must be done because from day 1 onwards all accounts are going to be managed centrally by OIM. It is advisable to run the target recon in lower environment before cutover with a chunk of users to get an idea on the amount of time it will take during cutover.

For target recon to work correctly ensure that proper attributes are marked as key fields. The key fields are used to match the account in OIM with the corresponding account in target system. Also check the ‘Identity correlation rule’ is correct. It helps to determine the account is for which user in OIM.

30.3    Assigning Roles

There are multiple ways of assigning roles to users as follows:

1. ‘Evaluate membership rule now’ checkbox in members tab of role which has membership rule can be useful in scenario where the users are bulk loaded.
2. The Role Members can also be assigned using bulk load utility.
3. Request based role assignment.

30.4    Access Policy Harvesting

In simple terms Access Policy Harvesting is the process of linking bulk loaded, target reconciled or direct provisioned accounts with Access Policy assigned to the specific user.

Suppose there is a user ‘ABC’ which is created in OIM through trusted recon. The user has one account ‘Z’ which is target reconciled. The user is also assigned a role named ‘Z Account Role’. This role has an access policy which provisions account ‘Z’. Now OIM needs to know that after running evaluate user policy job it should not provision another account ‘Z’ but instead link to already existing target reconciled account. This process is called Access Policy Harvesting.

The steps to enable Access Policy Harvesting in OIM are as follows:

1. Set XL.AllowAPHarvesting and XL.AllowAPBasedMultipleAccountProvisioning system properties as TRUE
2. Set Access Policies Retrofit flag as true
3. Set IT Resource field’s Account Discriminator property as true.
4. Finally, you can run the evaluate user policy job.

The query to check the users who need evaluation is:

select * from user_provisioning_attrs
     where POLICY_EVAL_NEEDED = 1;

After running the evaluate user policy job the value for oiu_prov_mechaniSM in OIU table gets updated to ‘AP HARVESTED’.

The query to check the oiu_prov_mechanism for all the accounts of a particular user is as follows:

Select usr.usr_key, usr.usr_login, oiu.oiu_prov_mechanism, oiu.oiu_key, app_instance.APP_INSTANCE_NAME
From oiu, usr, app_instance
where oiu.usr_key = usr.usr_key and
app_instance.app_instance_key = oiu.app_instance_key
and usr.usr_login =<user login>;

Note: The possible values for OIU_PROV_MECHANISM can AP HARVESTED, RECONCILIATION, Direct Provision, or Access Policy.

31.    Enabling Notifications

If your specific use case require OIM’s notification, then it should be enabled at this stage. It can be done by setting the XL.DisableAllNotifications System Property to false.

32.    Enabling and Scheduling Jobs

At this stage you are ready to enable the jobs which were disabled earlier and schedule all the jobs which need to run periodically. This will allow the schedulers to run automatically at specified time and intervals and eliminates the need for manual intervention.

A list of all such job names must be prepared beforehand along with their schedule.

The query to get all the scheduled jobs and their trigger frequency is as follows:

SELECT QRTZ92_JOB_DETAILS.job_name,
QRTZ92_TRIGGERS.TRIGGER_TYPE,
TO_CHAR(TIMESTAMP '1970-01-01 00:00:00' + NUMTODSINTERVAL(QRTZ92_TRIGGERS.START_TIME / 1000, 'SECOND'), 'DD-mm-YYYY HH:MI:SS AM') as START_TIME,
TO_CHAR(TIMESTAMP '1970-01-01 00:00:00' + NUMTODSINTERVAL(QRTZ92_TRIGGERS.PREV_FIRE_TIME / 1000, 'SECOND'), 'DD-mm-YYYY HH:MI:SS AM') as PREV_FIRE_TIME,
TO_CHAR(TIMESTAMP '1970-01-01 00:00:00' + NUMTODSINTERVAL(QRTZ92_TRIGGERS.NEXT_FIRE_TIME / 1000, 'SECOND'), 'DD-mm-YYYY HH:MI:SS AM') as NEXT_FIRE_TIME,
QRTZ92_SIMPLE_TRIGGERS.REPEAT_INTERVAL/ 1000 / 60 as REPEAT_INTERVAL_MINUTES,
QRTZ92_SIMPLE_TRIGGERS.REPEAT_INTERVAL/ 1000 / 3600 as REPEAT_INTERVAL_HOURS,
QRTZ92_SIMPLE_TRIGGERS.REPEAT_INTERVAL/ 1000 / 60 / 60 / 24 as REPEAT_INTERVAL_DAYS,
QRTZ92_cron_TRIGGERS.CRON_EXPRESSION,
QRTZ92_SIMPLE_TRIGGERS.TIMES_TRIGGERED
FROM QRTZ92_JOB_DETAILS
left join QRTZ92_TRIGGERS
on QRTZ92_JOB_DETAILS.job_name = QRTZ92_TRIGGERS.job_name
left join QRTZ92_SIMPLE_TRIGGERS
on QRTZ92_TRIGGERS.TRIGGER_NAME = QRTZ92_SIMPLE_TRIGGERS.TRIGGER_NAME
left join QRTZ92_cron_TRIGGERS
on QRTZ92_TRIGGERS.TRIGGER_NAME = QRTZ92_cron_TRIGGERS.TRIGGER_NAME
order by QRTZ92_JOB_DETAILS.job_name;

There are 2 TRIGGER_TYPE ‘SIMPLE’ and ‘CRON’. The ‘SIMPLE’ is populated when we select ‘Periodic’ in schedule type and ‘CRON’ is populated when we select ‘Cron’ in schedule type.

The only difference between the two is ‘SIMPLE’ is used for jobs that you want to execute exactly once, optionally followed by repeated execution at specific intervals and ‘CRON’ is used for jobs that are recurring on calendar-based schedule.

The columns REPEAT_INTERVAL_MINUTES, REPEAT_INTERVAL_HOURS, and REPEAT_INTERVAL_DAYS represents the interval of ‘SIMPLE’ schedule type.
The column CRON_EXPRESSION represents the expression for ‘CRON’ type.

Example of CRON_EXPRESSION:

4 11 16 1/1 * ? *

• Second: 4 - The task should execute at the 4th second of the minute.
• Minute: 11 - The task should execute at the 11th minute of the hour.
• Hour: 16 - The task should execute at the 16th hour of the day (4 PM).
• Day of the month: 1/1 - The task should execute every day of the month.
• Month: * - The task should execute every month.
• Day of the week: ? - The day of the week is not specified (ignoring the day of the week).
• Year: * - The year is not specified (ignoring the year).

33.    Enabling Auditing

OIG provides an audit engine to collect data for audit and compliance purposes.

When Oracle Identity Manager takes a snapshot of a user profile, it stores the snapshot in the UPA table. The user profile auditor has an internal post-processor that normalizes the snapshot XML into the reporting tables: UPA_USR, UPA_FIELDS, UPA_GRP_MEMBERSHIP, UPA_RESOURCE, UPA_UD_FORMS, and UPA_UD_FORMFIELDS.

The GPA table stores the snapshot of role profile audits. The ARM_AUD table stores the snapshot of an admin role membership profile.

Note: The term snapshot means a copy taken of the entire profile data at any instant when the data is modified.

To enable auditing in Oracle Identity Governance:

1. Set the values of User profile audit data collection level (XL.UserProfileAuditDataCollection) and Level of Role Auditing (XL.RoleAuditLevel) system properties.
2. To enable catalog auditing, set the value of the XL.CatalogAuditDataCollection system property to catalog.
3. Enable the ‘Issue Audit Messages Task’ scheduled job and make it periodic. This scheduled task fetches audit message details from the AUD_JMS table and sends a single JMS message for a particular identifier and auditor entry in the AUD_JMS table. An MDB processes the corresponding audit message.

Note: AUD_JMS is a staging table that stores information about changes made as a part of any business transaction. When Audit messages are successfully processed, corresponding records are deleted from the table.

The query to get all the user form fields updated for a particular user along with their old value and new value is as follows:

SELECT T1.FIELD_NAME, T1.FIELD_OLD_VALUE, T1.FIELD_NEW_VALUE, T1.UPDATE_DATE
FROM UPA_FIELDS T1,
UPA_USR T2,
USR T3
WHERE T2.USR_KEY = T3.USR_KEY
AND T1.UPA_USR_KEY = T2.UPA_USR_KEY
AND T3.USR_LOGIN = '<user login>'
ORDER BY T1.UPDATE_DATE DESC;

The query to get all the process form fields updated for a particular user along with their old value and new value is as follows:

SELECT USR.USR_LOGIN, T3.OBJ_NAME, SDK.SDK_NAME, T1.FIELD_NAME, T1.OLD_VALUE, T1.NEW_VALUE, T1.UPDATE_DATE
FROM UPA_UD_FORMFIELDS T1,
UPA_UD_FORMS T2,
UPA_RESOURCE T3,
UPA_USR T4,
USR,
SDK
WHERE T1.UPA_UD_FORMS_KEY = T2.UPA_UD_FORMS_KEY
AND T2.UPA_RESOURCE_KEY = T3.UPA_RESOURCE_KEY
AND T3.UPA_USR_KEY = T4.UPA_USR_KEY
AND T4.USR_KEY = USR.USR_KEY
AND T2.SDK_KEY = SDK.SDK_KEY
AND SDK.SDK_NAME = '<UD_ table name>’
AND USR.USR_LOGIN = '<user login>';

The query to get all the group assigned or removed for a particular user is as follows:

SELECT USR.USR_LOGIN, T1.UGP_NAME, T1.STATUS, T1.MEMBERSHIP_TYPE, T1.UPDATE_DATE
FROM UPA_GRP_MEMBERSHIP T1,
UPA_USR T2,
USR
WHERE T1.UPA_USR_KEY = T2.UPA_USR_KEY
AND T2.USR_KEY = USR.USR_KEY
AND USR.USR_LOGIN = '<user login>';

 

34.    Helpful Queries

34.1    Retrieve all accounts of a user

SELECT USR.USR_LOGIN, OBJ.OBJ_NAME, OST.OST_STATUS
FROM OBJ, OBI, OIU, OST, USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='<user login>';

34.2    Retrieve Task Details

SELECT USR.USR_LOGIN, PKG.PKG_NAME, MIL.MIL_NAME as TASKS, SCH.SCH_STATUS
FROM USR, ORC, MIL, PKG, TOS, SCH, OSI
WHERE OSI.MIL_KEY=MIL.MIL_KEY
AND OSI.ORC_KEY=ORC.ORC_KEY
AND ORC.USR_KEY=USR.USR_KEY
AND OSI.TOS_KEY=TOS.TOS_KEY
AND OSI.PKG_KEY=PKG.PKG_KEY
AND OSI.SCH_KEY=SCH.SCH_KEY
--AND PKG.PKG_NAME=''
--AND SCH.SCH_STATUS =''
--AND USR.USR_LOGIN=''
ORDER BY OSI.OSI_UPDATE;

Note: You can filter further by PKG_NAME, SCH_STATUS and USR_LOGIN.

34.3    Retrieve Request Details

SELECT R1.REQUESTER_KEY, U1.USR_LOGIN, R1.REQUEST_ID, R1.REQUEST_MODEL_NAME,R1.REQUEST_STATUS,R1.REQUEST_JUSTIFICATION, R1.REQUEST_CREATION_DATE,R1.REQUEST_ISPARENT
FROM REQUEST R1 INNER JOIN USR U1 ON R1.REQUESTER_KEY = U1.USR_KEY
ORDER BY REQUEST_CREATION_DATE DESC;

34.4    Retrieving Users by Manager Hierarchy

select level, usr.*
from usr
start  with usr_manager_key is null
connect by nocycle prior usr_key = usr_manager_key
order by level;

Note: Level 1 are all the users with usr_manager_key = null

34.5    Parent-Child Table Associations

SELECT
    b.table_name AS parent_table,
    d.column_name AS referenced_column,
    a.table_name AS child_table,
    c.column_name AS referencing_column,
    a.constraint_name AS constraint_name,
    CASE
        WHEN a.table_name = '<table_name>' THEN 'Parent'
        ELSE 'Child'
    END AS relationship_type
FROM
    all_constraints a
JOIN all_constraints b ON a.r_constraint_name = b.constraint_name
JOIN all_cons_columns c ON a.constraint_name = c.constraint_name
JOIN all_cons_columns d ON b.constraint_name = d.constraint_name
WHERE
    a.constraint_type = 'R'
    AND (a.table_name = '<table_name>' OR b.table_name = '<table_name>');

34.6    Investigating Constraint Details

select * from user_constraints where constraint_name like '<constraint_name>';

SELECT COLUMN_NAME
FROM USER_CONS_COLUMNS
WHERE CONSTRAINT_NAME = '<constraint_name>'
AND TABLE_NAME = '<table_name>';

If you have any thoughts to share or questions to ask, don't hesitate to connect with me on LinkedIn. Your feedback is invaluable in shaping future content. With that said, I bid you adieu, until we meet again in the digital realm of exploration and innovation.