Oracle® Identity Manager Connector Guide for IBM RACF Standard
Release 9.0.4

E10427-07

3 Using the Connector

This chapter contains the following sections:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Performing First-Time Reconciliation

First-time reconciliation involves synchronizing lookup definitions in Oracle Identity Manager with the lookup fields of the target system, and performing full reconciliation. In full reconciliation, all existing user records from the target system are brought into Oracle Identity Manager.

The following is the sequence of steps involved in reconciling all existing user records:

Note:

In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.

See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

  1. Perform lookup field synchronization by running the scheduled tasks provided for this operation.

    See Section 3.2, "Lookup Field Synchronization" for information about the attributes of the scheduled tasks for lookup field synchronization.

    See Section 3.4, "Configuring Scheduled Tasks" for information about running scheduled tasks.

  2. Perform user reconciliation by running the scheduled task for user reconciliation.

    See Section 3.3.4, "Reconciliation Scheduled Tasks" for information about the attributes of this scheduled task.

    See Section 3.4, "Configuring Scheduled Tasks" for information about running scheduled tasks.

3.2 Lookup Field Synchronization

The RACF lookup fields reconciliation scheduled task is used for lookup fields reconciliation.

Table 3-1 lists the attributes of this scheduled task. See Section 3.4, "Configuring Scheduled Tasks" for information about configuring scheduled tasks.

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Table 3-1 Attributes of the Scheduled Tasks for Lookup Field Synchronization

Attribute Description

Server

Name of the IT resource instance that the connector uses to reconcile data

Default value: RACF Server

LookupField Name

Name of the lookup field to be reconciled

The value can be any one of the following:

  • Lookup.RACF.Groups

  • Lookup.RACF.Procedures

  • Lookup.RACF.Accounts

Default value: Lookup.RACF.Groups

LookupField Target File

Name of the file that you create on the target system server to store temporary data

Note: You must create this file on the target system before you begin using the connector.

Valid file name up to 8 characters in length

Default value: ADTTAR.NEW

RACF Source Directory

Name of the directory on the IBM Mainframe server to which you copy the RACF scripts while performing the procedure described in Section 2.3.3, "Postinstallation on the Target System."

Default value: ADTTAR.DT250207.CNTL

LookupType

Specifies the type of lookup reconciliation to be performed

The value can be any one of the following:

  • Groups

  • Procedures

  • Accounts

Default value: Groups


3.3 Configuring Reconciliation

Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.3.1 Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.

To perform a full reconciliation run:

  • Ensure that the following scheduled task attributes do not contain a value:

    • Filter Auditor Privilege (Y/N)

    • Filter Default Group

    • Filter Group Access Privilege (Y/N)

    • Filter Name

    • Filter Operations Privilege (Y/N)

    • Filter Owner

    • Filter Special Privilege (Y/N)

    • Filter User Id

    • Filter Type (AND/OR)

  • Set the value of the Trial attribute of the user reconciliation scheduled task to No.

At the end of the reconciliation run, the Last Recon TimeStamp parameter of the GroupWise IT Resource IT resource is automatically set to the time stamp at which the run started. From the next reconciliation run onward, only records created or modified after this time stamp are considered for reconciliation. This is incremental reconciliation.

3.3.2 Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

Creating a filter involves specifying a value for a target system attribute, which will be used in the query SELECT criteria to retrieve the records to be reconciled. You can specify values for any one or a combination of the following filter attributes:

  • Filter Auditor Privilege (Y/N)

  • Filter Default Group

  • Filter Group Access Privilege (Y/N)

  • Filter Name

  • Filter Operations Privilege (Y/N)

  • Filter Owner

  • Filter Special Privilege (Y/N)

  • Filter User Id

  • Filter Type (AND/OR)

If you want to use multiple target system attributes to filter records, then you must also specify the logical operator (AND or OR) that you want to apply to the combination of target system attributes that you select.

The value of the Filter Type (AND/OR) attribute is applied to the rest of the filter attribute values that you specify. For example, suppose you specify the following values:

  • Filter Default Group: sales

  • Filter User Id: jdoe

  • Filter Type (AND/OR): AND

When this scheduled task is run, records for which the user ID is jdoe and the default group value is sales are reconciled. If you were to specify OR as the value of the Filter Type (AND/OR) attribute, then records that satisfy any one of the filter criteria are reconciled.

See Section 3.3.4, "Reconciliation Scheduled Tasks" for information about specifying values for these attributes and the logical operator that you want to apply.
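The filter combination rules described in this section can be modeled as follows. This is an added example, not the connector's own code (the connector applies the filters on the target system). It returns the records that a filtered run selects and lists the accounts with the Special, Operations, or Auditor privilege that the same run leaves out. The record fields, the sample users, and exact, case-insensitive matching are assumptions made for the example.

```python
from dataclasses import dataclass

NODATA = "NODATA"  # attribute value the guide uses for "ignore this filter"
FILTER_TYPE = "Filter Type (AND/OR)"


@dataclass(frozen=True)
class RacfUser:
    # Constructed record shape; the field names are assumptions for this example.
    user_id: str
    name: str
    owner: str
    default_group: str
    special: bool = False
    operations: bool = False
    auditor: bool = False
    group_access: bool = False


# Scheduled task attribute -> (record field, True if it is a Yes/No privilege filter)
FILTERS = {
    "Filter User Id": ("user_id", False),
    "Filter Owner": ("owner", False),
    "Filter Name": ("name", False),
    "Filter Default Group": ("default_group", False),
    "Filter Operations Privilege (Y/N)": ("operations", True),
    "Filter Special Privilege (Y/N)": ("special", True),
    "Filter Group Access Privilege (Y/N)": ("group_access", True),
    "Filter Auditor Privilege (Y/N)": ("auditor", True),
}


def _is_set(value):
    """True when an attribute carries a real value (not empty, not NODATA)."""
    return bool(value and value.strip()) and value.strip().upper() != NODATA


def active_conditions(attrs):
    """Return [(field, expected)] for every filter attribute that carries a value."""
    conditions = []
    for attr, (field, is_flag) in FILTERS.items():
        raw = attrs.get(attr, NODATA)
        if not _is_set(raw):
            continue
        text = raw.strip().upper()
        if is_flag:
            if text not in ("Y", "YES", "N", "NO"):
                raise ValueError(f"{attr}: expected Yes, No or NODATA, got {raw!r}")
            conditions.append((field, text in ("Y", "YES")))
        else:
            conditions.append((field, text))
    return conditions


def matches(user, conditions, filter_type):
    """Apply AND (all conditions) or OR (any condition) to one record."""
    results = []
    for field, expected in conditions:
        actual = getattr(user, field)
        if isinstance(expected, bool):
            results.append(actual == expected)
        else:
            results.append(actual.upper() == expected)  # assumption: exact match
    return all(results) if filter_type == "AND" else any(results)


def select_for_reconciliation(users, attrs):
    """Records a run would reconcile; NODATA as filter type disables filtering."""
    conditions = active_conditions(attrs)
    raw_type = attrs.get(FILTER_TYPE, "")
    filter_type = raw_type.strip().upper() if _is_set(raw_type) else NODATA
    if not conditions or filter_type == NODATA:
        return list(users)
    if filter_type not in ("AND", "OR"):
        raise ValueError(f"{FILTER_TYPE}: expected AND, OR or NODATA")
    return [u for u in users if matches(u, conditions, filter_type)]


def privileged_left_out(users, attrs):
    """User IDs with Special, Operations or Auditor that the run would not reconcile."""
    selected = {u.user_id for u in select_for_reconciliation(users, attrs)}
    return [u.user_id for u in users
            if (u.special or u.operations or u.auditor) and u.user_id not in selected]


# Constructed sample records (not taken from any real RACF database).
SAMPLE_USERS = [
    RacfUser("JDOE", "JOHN DOE", "SALES", "SALES"),
    RacfUser("ASMITH", "ANN SMITH", "SALES", "SALES", special=True),
    RacfUser("BOPS", "BATCH OPERATOR", "SYS1", "SYSPROG", operations=True),
    RacfUser("CAUDIT", "CHRIS AUDIT", "SYS1", "AUDIT", auditor=True),
]

if __name__ == "__main__":
    guide = {"Filter Default Group": "sales", "Filter User Id": "jdoe", FILTER_TYPE: "AND"}
    print("reconciled:", [u.user_id for u in select_for_reconciliation(SAMPLE_USERS, guide)])
    print("privileged accounts left out:", privileged_left_out(SAMPLE_USERS, guide))
```

Running the same check against the filter values planned for a scheduled task shows which privileged accounts would not be refreshed in Oracle Identity Manager by that run.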

3.3.3 Batched Reconciliation

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid these problems.

To configure batched reconciliation, you must specify values for the following submitjob user reconciliation scheduled task attributes:

  • Trial: Use this attribute to specify whether to perform batched reconciliation. The default value is Yes.

  • trialCount: Use this attribute to specify the total number of batches that must be reconciled. The default value is All.

If you specify a value other than All, then some of the newly added or modified user records may not get reconciled during the current reconciliation run. The following example illustrates this:

Suppose you specify the following values while configuring the scheduled tasks:

  • Trial: Yes

  • trialCount: 10

Suppose that 314 user records were created or modified after the last reconciliation run. Of these 314 records, only 310 records would be reconciled during the current reconciliation run. The remaining 4 records would be reconciled during the next reconciliation run.

You specify values for the Trial and trialCount attributes by following the instructions described in Section 3.3.4, "Reconciliation Scheduled Tasks".

3.3.4 Reconciliation Scheduled Tasks

When you run the Connector Installer or import the connector XML file, the following reconciliation scheduled tasks are automatically created in Oracle Identity Manager:

3.3.4.1 Submitjob User Reconciliation Scheduled Task

Fetching user data from the target system during reconciliation is a two-stage process. In the first stage, user data is extracted from the target system repository and copied to a file that you specify. In the second stage, the contents of the file are brought into Oracle Identity Manager.

The following scheduled tasks are used to submit the job that extracts user data and copies it into a file:

Note:

You must specify values for the attributes of one of these scheduled tasks.

  • RACF submit job reconciliation

  • RACF submit job trusted reconciliation

Table 3-2 describes the attributes of these scheduled tasks.

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Table 3-2 Attributes of the Submitjob User Reconciliation Scheduled Tasks

Attribute Description

Filter Type (AND/OR)

Specifies whether or not, and in what combination, the specified filter conditions are to be used

The value can be any one of the following:

  • AND to specify that you want reconciliation to be performed only if all the specified filter conditions are met.

  • OR to specify that you want reconciliation to be performed if any one or a combination of the specified filter conditions are met.

  • NODATA to specify that you do not want the filter conditions to be used. This is the default value.

Default value: AND

RACF Database Name

Fully qualified name for the partitioned data set (PDS) containing the IBM RACF database

Default value: ADTTAR.RACFBACK

System Parameter file Name

Fully qualified PS name used to upload the SYSTMDAT file

Default value: ADTTAR.SYSTMDAT

Filter User Id

Specifies the user ID of the user account to be reconciled

The value can be any one of the following:

  • User ID of the user account to be reconciled

  • NODATA to specify that this filter is to be ignored. This is the default value.

Filter Owner

Specifies the owner of the user accounts to be reconciled

The value can be any one of the following:

  • User ID or group ID of the owner

  • NODATA to specify that this filter is to be ignored. This is the default value.

Filter Name

Specifies the Name value of the user accounts to be reconciled

The value can be any one of the following:

  • Name value of the user accounts to be reconciled

  • NODATA to specify that this filter is to be ignored. This is the default value.

Filter Default Group

Specifies the default group of the user accounts to be reconciled

The value can be any one of the following:

  • Default group ID of the user accounts to be reconciled

  • NODATA to specify that this filter is to be ignored. This is the default value.

Filter Operations Privilege (Y/N)

Specifies that user accounts with operations privileges are to be reconciled

The value can be any one of the following:

  • Yes to specify that users with the Operations privilege are to be reconciled

  • No to specify that users with the Operations privilege are not to be reconciled

  • NODATA to specify that this filter is to be ignored. This is the default value.

Default value: Yes

Filter Special Privilege (Y/N)

Specifies that user accounts with special privileges are to be reconciled

The value can be any one of the following:

  • Yes to specify that users with the Special privilege are to be reconciled

  • No to specify that users with the Special privilege are not to be reconciled

  • NODATA to specify that this filter is to be ignored. This is the default value.

Default value: Yes

Filter Group Access Privilege (Y/N)

Specifies that user accounts with the Group Access privilege are to be reconciled

The value can be any one of the following:

  • Yes to specify that users with the Group Access privileges are to be reconciled

  • No to specify that users with the Group Access privileges are not to be reconciled

  • NODATA to specify that this filter is to be ignored. This is the default value.

Default value: No

Filter Auditor Privilege (Y/N)

Specifies that user accounts with the Auditor privilege are to be reconciled

The value can be any one of the following:

  • Yes to specify that users with the Auditor privilege are to be reconciled

  • No to specify that users with the Auditor privilege are not to be reconciled

  • NODATA to specify that this filter is to be ignored. This is the default value.

Default value: No

Trial

Specifies whether or not batched reconciliation is to be carried out

The value can be Yes or No.

Default value: Yes

trialCount

Specifies the number of batches into which the reconciliation data is to be divided for the batched reconciliation run

The value can be any natural number (1, 2, 3 . . .).

Default value: 1

Target System Recon - Resource Object name

Name of the resource object

Default value: RACF Server

Server

Name of the IT resource instance that the connector uses to reconcile data

Default value: RACF Server

RACF Source Directory

Specifies the IBM RACF directory in which IBM RACF scripts are stored

Default value: ADTTAR.DT281107.CNTL

Target System New User File

Name of the file that IBM RACF uses to store the latest image of the IBM RACF database

Default value: ADTTAR.NEW

Target System Old User File

Name of the file that IBM RACF uses to store the old image of the IBM RACF database

For first-time reconciliation, provide a dummy file name. You must ensure that this file does not exist on the IBM Mainframe. From the second reconciliation run onward, the value must be the same as the value of the Target System Old User File attribute used during the first reconciliation run.

Default value: ADTTAR.OLDFILE.FRI112

IsDebug

Specifies whether or not debugging must be performed

The value can be Yes or No.

Default value: No

isTrusted

A value of Yes implies that you want to configure the connector for trusted source reconciliation.

A value of No implies that you want to configure the connector for target resource reconciliation.

The default value of this attribute in the RACF submit job reconciliation scheduled task is No.

The default value of this attribute in the RACF submit job trusted reconciliation scheduled task is Yes.

Note: It is recommended that you do not change the value of this attribute.

File Path

Name and path of the file that stores information about the task running on the mainframe

The next task checks this file to determine the status of the current task.

Default value: C:\RACF\Get.txt


3.3.4.2 GetData User Reconciliation Scheduled Task

The following scheduled tasks are used to fetch user data from the file on the target system server to Oracle Identity Manager:

Note:

You must specify values for the attributes of one of these scheduled tasks. You must configure the GetData scheduled task to run after the SubmitJob scheduled task.

  • RACF getdata job reconciliation

  • RACF getdata job trusted reconciliation

Table 3-3 describes the attributes of these scheduled tasks.

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Table 3-3 Attributes of the GetData User Reconciliation Scheduled Tasks

Attribute Description

Server

Name of the IT resource instance that the connector uses to reconcile data

Default value: RACF Server

RACF Source Directory

Specifies the IBM RACF directory in which IBM RACF scripts are stored

Default value: ADTPKM.DT280507.REXX

Target System Old User File

Name of the file that IBM RACF uses to store the old image of the IBM RACF database

For first-time reconciliation, provide a dummy file name. You must ensure that this file does not exist on the IBM Mainframe. From the second reconciliation run onward, the value must be the same as the value of the Target System Old User File attribute used during the first reconciliation run.

Default value: ADTTAR.OLDFILE.FRI112

Job Name Path

Name and path of the file that stores information about the task running on the mainframe

The next task checks this file to determine the status of the current task.

Sample value: C:/dummyfile.txt

Target System Filter File

Specifies the fully qualified name of the PS file that is used to store filter file information

Default value: ADTTAR.RACF08.WORK

System Parameter file Name

Specifies the fully qualified name of the PS file that is used to upload the SYSTMDAT file

Default value: ADTTAR.SYSTMDAT

Target System Recon - Resource Object name

Name of the resource object

Default value: RACF Server

isTrusted

A value of Yes implies that you want to configure the connector for trusted source reconciliation.

A value of No implies that you want to configure the connector for target resource reconciliation.

The default value of this attribute in the RACF getdata job reconciliation scheduled task is No.

The default value of this attribute in the RACF getdata job trusted reconciliation scheduled task is Yes.

Note: It is recommended that you do not change the value of this attribute.


3.4 Configuring Scheduled Tasks

You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.

Table 3-4 lists the scheduled tasks that form part of the connector.

Table 3-4 Scheduled Tasks for Lookup Field Synchronization and Reconciliation

Scheduled Task Description

RACF lookup fields reconciliation

This scheduled task is used to synchronize the values of the lookup fields between Oracle Identity Manager and the target system. See Section 3.2, "Lookup Field Synchronization" for information about this scheduled task.

RACF submit job reconciliation

You use this scheduled task when the target system is configured as a target resource. This scheduled task is used to submit the job that extracts user data from the target system repository and copies it to a file that you specify. In the second stage, the contents of the file are brought into Oracle Identity Manager. See Section 3.3.4.1, "Submitjob User Reconciliation Scheduled Task" for information about this scheduled task.

RACF submit job trusted reconciliation

You use this scheduled task when the target system is configured as a trusted source. This scheduled task is used to submit the job that extracts user data from the target system repository and copies it to a file that you specify. In the second stage, the contents of the file are brought into Oracle Identity Manager. See Section 3.3.4.1, "Submitjob User Reconciliation Scheduled Task" for information about this scheduled task.

RACF getdata job reconciliation

You use this scheduled task when the target system is configured as a target resource. This scheduled task is used to fetch user data from the file on the target system server to Oracle Identity Manager. In the second stage, the contents of the file are brought into Oracle Identity Manager. See Section 3.3.4.2, "GetData User Reconciliation Scheduled Task" for information about this scheduled task.

RACF getdata job trusted reconciliation

You use this scheduled task when the target system is configured as a trusted source. This scheduled task is used to fetch user data from the file on the target system server to Oracle Identity Manager. In the second stage, the contents of the file are brought into Oracle Identity Manager. See Section 3.3.4.2, "GetData User Reconciliation Scheduled Task" for information about this scheduled task.


Depending on the Oracle Identity Manager release that you are using, perform the procedure described in one of the following sections:

3.4.1 Configuring Scheduled Tasks on Oracle Identity Manager Release 9.0.1 through 9.0.3.x

To configure a scheduled task:

  1. Open the Oracle Identity Manager Design Console.

  2. Expand the Xellerate Administration folder.

  3. Select Task Scheduler.

  4. Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.

  5. For the first scheduled task, enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the FAILED status to the task.

  6. Ensure that the Disabled and Stop Execution check boxes are not selected.

  7. In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.

  8. In the Interval region, set the following schedule parameters:

    • To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.

      If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.

    • To set the task to run only once, select the Once option.

  9. Provide values for the attributes of the scheduled task.

    See Also:

    Oracle Identity Manager Design Console Guide for information about adding and removing task attributes

  10. Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.

Stopping Reconciliation

Suppose the user reconciliation scheduled task for the connector is running and user records are being reconciled. If you want to stop the reconciliation process:

  1. Perform Steps 1 through 3 of the procedure to configure reconciliation scheduled tasks.

  2. Select the Stop Execution check box in the task scheduler.

  3. Click Save.

3.4.2 Configuring Scheduled Tasks on Oracle Identity Manager Release 9.1.0.x or Release 11.1.1

To configure a scheduled task:

  1. Log in to the Administrative and User Console.

  2. Perform one of the following:

    1. If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage Scheduled Task.

    2. If you are using Oracle Identity Manager release 11.1.1, then on the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

  3. Search for and open the scheduled task as follows:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      1. On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.

      2. In the search results table, click the edit icon in the Edit column for the scheduled task.

      3. On the Scheduled Task Details page, where the details of the scheduled task that you selected are displayed, click Edit.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

      2. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

      3. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. Modify the details of the scheduled task. To do so:

    1. If you are using Oracle Identity Manager release 9.1.0.x, then on the Edit Scheduled Task Details page, modify the following parameters, and then click Continue:

      • Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

      • Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.

      • Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

      • Frequency: Specify the frequency at which you want the task to run.

    2. If you are using Oracle Identity Manager release 11.1.1, then on the Job Details tab, you can modify the following parameters:

      • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

      • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

      Note:

      See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

      In addition to modifying the job details, you can enable or disable a job.

  5. Specify values for the attributes of the scheduled task. To do so:

    Note:

    • If you are using Oracle Identity Manager release 9.1.0.x, then on the Attributes page, select the attribute from the Attribute list, specify a value in the field provided, and then click Update.

    • If you are using Oracle Identity Manager release 11.1.1, then on the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

  6. After specifying the attributes, perform one of the following:

    • If you are using Oracle Identity Manager release 9.1.0.x, then click Save Changes to save the changes.

      Note:

      The Stop Execution option is not available in the Administrative and User Console. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.

    • If you are using Oracle Identity Manager release 11.1.1, then click Apply to save the changes.

      Note:

      The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.

3.5 Performing Provisioning Operations

Provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager.

When you install the connector on Oracle Identity Manager release 11.1.1, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Section 3.6, "Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1."

The following are the types of provisioning operations:

See Also:

Oracle Identity Manager Connector Concepts for information about the types of provisioning

This section discusses the following topics:

3.5.1 Direct Provisioning

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. If you want to first create an OIM User and then provision a target system account, then:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      1. From the Users menu, select Create.

      2. On the Create User page, enter values for the OIM User fields and then click Create User.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Identity Administration page, in the Users region, click Create User.

      2. On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      1. From the Users menu, select Manage.

      2. Search for the OIM User and select the link for the user from the list of users displayed in the search results.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.

      2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      1. On the User Detail page, select Resource Profile from the list at the top of the page.

      2. On the Resource Profile page, click Provision New Resource.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the user details page, click the Resources tab.

      2. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  5. On the Step 1: Select a Resource page, select RACF Server from the list and then click Continue.

  6. On the Step 2: Verify Resource Selection page, click Continue.

  7. On the Step 5: Provide Process Data for Connect a RACF user to group page, if required, enter the relevant details and then click Continue.

  8. On the Step 5: Provide Process Data for Add TSO parameters to user page, if required, enter the relevant details and then click Continue.

  9. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

  10. The "Provisioning has been initiated" message is displayed. Perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, click Back to User Resource Profile. The Resource Profile page shows that the resource has been provisioned to the user.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. Close the window displaying the "Provisioning has been initiated" message.

      2. On the Resources tab, click Refresh to view the newly provisioned resource.

3.5.2 Request-Based Provisioning

Note:

The information provided in this section is applicable only if you are using Oracle Identity Manager release 11.1.1.

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

3.5.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Advanced in the upper-right corner of the page.

  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.

  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.

  6. On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.

  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select the users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.

  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.

  10. From the Available Resources list, select RACF Server, move it to the Selected Resources list, and then click Next.

  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.

  12. On the Justification page, you can specify values for the following fields, and then click Finish.

    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.

  14. To view details of the approval, on the Request Details page, click the Request History tab.

3.5.2.2 Approver's Role in Request-Based Provisioning

The following steps are performed by the approver in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Self-Service in the upper-right corner of the page.

  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.

  4. On the Approvals tab, in the first section, you can specify a search criterion for the request task that is assigned to you.

  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

3.6 Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1

Note:

It is assumed that you have performed the procedure described in Section 2.3.1.5, "Configuring Request-Based Provisioning."

On Oracle Identity Manager release 11.1.1, if you want to switch from request-based provisioning to direct provisioning, then:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the RACF User process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the RACF Server resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

On Oracle Identity Manager release 11.1.1, if you want to switch from direct provisioning to request-based provisioning, then:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the RACF User process definition.

    3. Select the Auto Save Form check box.

    4. Click the Save icon.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the RACF Server resource object.

    3. Select the Self Request Allowed check box.

    4. Click the Save icon.