Oracle® Identity Manager Connector Guide for IBM RACF Advanced Release 9.0.4 Part Number E10451-18
Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use IBM RACF either as a managed (target) resource or as an authoritative (trusted) source of identity data for Oracle Identity Manager.
The advanced connector for IBM RACF provides a native interface between IBM RACF installed on an IBM z/OS mainframe and Oracle Identity Manager. The connector functions as a trusted virtual administrator on the target system, performing tasks related to creating and managing user profiles.
In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.
In the identity reconciliation (trusted source) configuration of the connector, users are created or modified only on the target system and information about these users is reconciled into Oracle Identity Manager.
In the IBM RACF context, the term "user profile" is synonymous with "user account." If IBM RACF is configured as a target resource, then user profiles on IBM RACF correspond to accounts or resources assigned to OIM Users. In contrast, if IBM RACF is configured as a trusted source, then user profiles on IBM RACF correspond to OIM Users.
This chapter is divided into the following sections:
Table 1-1 lists the certified components.
Table 1-1 Certified Components
| Item | Requirement |
|---|---|
| Oracle Identity Manager | The Oracle Identity Manager can be one of the following: The connector does not support Oracle Identity Manager running on Oracle Application Server. For detailed information about certified components of Oracle Identity Manager, see the certification matrix on Oracle Technology Network at: |
| JDK | The JDK version can be one of the following: |
| Target system | IBM RACF on z/OS 1.9 and above. |
| Infrastructure Requirements: Message transport layer between the Oracle Identity Manager and the mainframe environment | The infrastructure requirements can be one of the following: |
| Target system user account for reconciliation and provisioning operations | RACF authorized account with SystemAdministrators privileges. See Chapter 2, "Deploying the IdF Advanced Adapter for IBM RACF" for more information. |
| Product Libraries | The following are the product libraries: |
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
On Oracle Identity Manager release 9.1.0.x, see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager. On Oracle Identity Manager release 11.1.1, see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
The connector architecture is described in the following sections:
The connector contains the following components:
LDAP Gateway: The LDAP Gateway receives instructions from Oracle Identity Manager in the same way as any LDAP version 3 identity store. These LDAP commands are then converted into native commands for IBM RACF and sent to the Provisioning Agent. The response, which is also native to IBM RACF, is parsed into an LDAP-format response and returned to Oracle Identity Manager.
During reconciliation, the LDAP Gateway receives event notifications, converts the events to LDAP format, and then either forwards them to Oracle Identity Manager or stores them in its internal store, from which a scheduled task in Oracle Identity Manager can pull them.
Provisioning Agent (Pioneer): The Provisioning Agent is a mainframe component. It receives native mainframe IBM RACF provisioning commands from the LDAP Gateway. These requests are processed against the IBM RACF authentication repository. The response is parsed and returned to the LDAP Gateway.
Note:
At some places in this guide, the Provisioning Agent is referred to as Pioneer.
Reconciliation Agent (Voyager): The Reconciliation Agent captures mainframe events by using exits, which are programs run after events in IBM RACF are processed. These events include the ones generated at the TSO logins, the command prompt, batch jobs, and other native events. All these events are stored in a subpool cache area that is established by a supplied, standard z/OS procedure (STARTUP). The Reconciliation Agent captures these events, transforms them into notification messages, and then sends them to Oracle Identity Manager through the LDAP Gateway.
Note:
At some places in this guide, the Reconciliation Agent is referred to as Voyager.
Message Transport Layer: The message transport layer enables the exchange of messages between the LDAP Gateway and the Reconciliation Agent and Provisioning Agent. TCP/IP protocol is used for the transport of messages.
The transport is TCP/IP with Advanced Encryption Standard (AES) encryption using 128-bit cryptographic keys. This TCP/IP-based message transport layer is functionally similar to proprietary message transport layer protocols.
This section provides an overview of the following processes:
Section 1.3.2.2, "Initial LDAP Population and Reconciliation Process"
Section 1.3.2.3, "Incremental (Real-Time) Reconciliation Process"
Full reconciliation involves fetching existing user profile data from the mainframe to Oracle Identity Manager. If you configure the target system as a target resource, then this user profile data is converted into accounts or resources for OIM Users. If you configure the target system as a trusted source, then the user profile data is used to create OIM Users.
The following is a summary of the full reconciliation process:
Note:
For detailed instructions, see Chapter 2, "Deploying the IdF Advanced Adapter for IBM RACF" of this guide.
You set values for the properties defined in the RACF Reconcile All Users scheduled task. You also specify whether you want to configure IBM RACF as a target resource or trusted source of Oracle Identity Manager.
You run the scheduled task. The task sends a search request to the LDAP Gateway.
The LDAP Gateway encrypts the search request and then sends it to the Provisioning Agent on the mainframe.
The Provisioning Agent encrypts user profile data received from RACF and then passes this data to the LDAP Gateway.
The LDAP Gateway decrypts the user profile data and passes it to Oracle Identity Manager.
The next step depends on the setting in the scheduled task:
If you configure the target system as a target resource, then this user profile data is converted into accounts or resources for OIM Users.
If you configure the target system as a trusted source, then the user profile data is used to create OIM Users.
This reconciliation process allows for faster reconciliation based on an extract file created on the mainframe. The file is used to populate the LDAP Gateway internal store, which Oracle Identity Manager then reconciles by using a normal scheduled task.
The following is a summary of the full reconciliation process:
Note:
For detailed instructions, see Section 5.8, "Initial LDAP Gateway Population and Full Reconciliation" of this guide.
Use IBM Utility to EXTRACT user data to a file.
Configure Pioneer to use this file when needed.
Once this file has been created and used by Oracle Identity Manager, it becomes stale and must be deleted. The file can be generated again when needed to repopulate or update the internal LDAP store so that Oracle Identity Manager can reconcile the latest data.
Once the file has been generated, use the new Oracle Identity Manager scheduled task "ReconcileUsersToInternalLdapTask" to populate the LDAP Gateway internal store.
After the LDAP store is populated by that task, the normal process for reconciling users from the LDAP store can be run by using the "ReconcileAllLdapUsersTask".
Setting LMTS (Last Modified Timestamp) to 0 reconciles all users.
Setting LMTS (Last Modified Timestamp) to a date range reconciles all users that have changed since that date.
Note:
The LDAP internal store is also populated on an ongoing basis by the "real-time" event capture performed by Voyager and the exit(s). So after initial population and reconciliation, the process continues to use the "ReconcileAllLdapUsersTask" with a date range to reconcile these "real-time" event changes from the data captured in the LDAP internal store.
Real-time reconciliation is initiated by the three exits that work in conjunction with the Reconciliation Agent. Figure 1-1 shows the flow of data during reconciliation.
The following is a summary of the incremental reconciliation process:
Incremental reconciliation begins when a user profile is created, updated, or deleted on IBM RACF. This event might take place either directly on the mainframe or in response to a provisioning operation on Oracle Identity Manager.
ICHPWX01, ICHRIX02, and IRREVX01 are standard IBM RACF exits. These exits must be used in conjunction with the Reconciliation Agent. All of these exits detect RACF events and send a message containing user profile data to Subpool 231 (the cache). This message contains the minimum number of data items, such as the user ID and password, required to reconcile the event.
The Reconciliation Agent polls Subpool 231. It reads the message, converts it to ASCII, and encrypts it prior to transport to the LDAP Gateway. This frees up the subpool.
The Reconciliation Agent starts a connection with the LDAP Gateway using the IPAD= and PORT= parameters in the Voyager STC, and then sends the message to the gateway over TCP/IP.
Note:
Messages sent to the LDAP Gateway are encrypted using AES-128 encryption.
The LDAP Gateway decrypts the message. The gateway then sends the message to Oracle Identity Manager or just stores the data internally for use by a Scheduled Task in Oracle Identity Manager.
Oracle Identity Manager processes the message and creates or updates either the corresponding IBM RACF resource or the OIM User.
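The following is an added example that is not part of the connector or of this guide. It models, in plain Python, the path just described and the scheduled-task pull described in the previous section: an exit hands an EBCDIC event record to the Reconciliation Agent, the agent keeps the record in its cache until the LDAP Gateway accepts it, the gateway decodes the record to ASCII and stores it in its internal store, and "ReconcileAllLdapUsersTask" then returns every user when LMTS is 0 or only the users changed since a given date. The record layout (event, user ID and timestamp separated by a pipe), the field names and the three sample events are assumptions constructed for the example; the AES-128 encryption on the wire is not modelled.

```python
"""
Model of the Reconciliation Agent (Voyager) handing events to the LDAP
Gateway internal store, and of the LMTS filter of ReconcileAllLdapUsersTask.
Added illustration, not the connector's code. The record layout, field names
and sample events are assumptions; AES-128 encryption is not modelled.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample events, as a mainframe exit might leave them in the
# cache: EBCDIC (code page 037) bytes holding "event|userid|timestamp".
SAMPLE_EVENTS = [
    "ADDUSER|JSMITH|2011-03-01T09:00:00Z".encode("cp037"),
    "ALTUSER|JDOE|2011-03-02T10:30:00Z".encode("cp037"),
    "DELUSER|OLDUSR|2011-03-03T11:45:00Z".encode("cp037"),
]


@dataclass
class UserEntry:
    uid: str
    last_event: str
    modify_ts: datetime
    deleted: bool = False


@dataclass
class GatewayStore:
    """Internal LDAP store of the gateway: one entry per RACF user ID."""
    entries: dict = field(default_factory=dict)

    def ingest(self, raw_ebcdic: bytes) -> UserEntry:
        """Convert an EBCDIC event record to ASCII text and upsert the user."""
        text = raw_ebcdic.decode("cp037")
        event, uid, ts = text.split("|")
        entry = UserEntry(
            uid=uid,
            last_event=event,
            modify_ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
            deleted=(event == "DELUSER"),
        )
        self.entries[uid] = entry
        return entry

    def reconcile_all_ldap_users(self, lmts):
        """ReconcileAllLdapUsersTask semantics from the guide: an LMTS of 0
        returns every user; a datetime returns only users changed since it."""
        if lmts == 0:
            selected = self.entries.values()
        else:
            selected = (e for e in self.entries.values() if e.modify_ts > lmts)
        return sorted(selected, key=lambda e: e.uid)


@dataclass
class ReconciliationAgent:
    """Voyager: drains its cache only while the gateway accepts messages."""
    cache: list = field(default_factory=list)

    def poll(self, store: GatewayStore, gateway_up: bool) -> int:
        """Deliver queued events to the store. When the gateway is down the
        events stay cached (failure scenario 1). Returns the number delivered."""
        if not gateway_up:
            return 0
        delivered = 0
        while self.cache:
            store.ingest(self.cache.pop(0))
            delivered += 1
        return delivered


def demo():
    """Run the flow once and return (all user IDs, IDs changed since 2 March)."""
    store = GatewayStore()
    agent = ReconciliationAgent(cache=list(SAMPLE_EVENTS))
    agent.poll(store, gateway_up=False)   # nothing lost while gateway is down
    agent.poll(store, gateway_up=True)
    everyone = store.reconcile_all_ldap_users(0)
    since = store.reconcile_all_ldap_users(datetime(2011, 3, 2, tzinfo=timezone.utc))
    return [e.uid for e in everyone], [e.uid for e in since]


if __name__ == "__main__":
    print(demo())
```

The store keeps the deleted user's entry with its `deleted` flag rather than dropping it, so a date-ranged run still reports the deletion to Oracle Identity Manager; dropping the entry would make the delete invisible to incremental reconciliation.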
Figure 1-2 shows the flow of data during provisioning.
The following is a summary of the provisioning process:
Provisioning data submitted from the Administrative and User Console is sent to the LDAP Gateway.
Note:
Oracle Identity Manager and the LDAP Gateway are installed on the same computer.
The LDAP Gateway converts the provisioning data into mainframe commands, encrypts the commands, and then sends them to the mainframe computer over TCP/IP.
The Provisioning Agent installed on the mainframe computer decrypts and converts the LDAP message from ASCII to EBCDIC.
The Provisioning Agent executes the commands on the mainframe within the Pioneer STC (started task) by using the RACF API (IRRSEQ00).
The Provisioning Agent converts the RACF API output to ASCII and encrypts the message before sending it back to the LDAP Gateway.
The outcome of the operation on the mainframe is displayed on the Oracle Identity Manager console. A more detailed message is recorded in the connector log file.
The following are features of the connector:
Section 1.4.1, "Target Resource and Trusted Source Reconciliation"
Section 1.4.3, "Encrypted Communication Between the Target System and Oracle Identity Manager"
You can use the connector to configure IBM RACF as either a target resource or trusted source of Oracle Identity Manager.
After you deploy the connector, you perform full reconciliation to bring all existing user profile data from the target system to Oracle Identity Manager. After the first full reconciliation run, change-based or incremental reconciliation is automatically enabled and active. Incremental reconciliation is a real-time process. User profile changes on the target system are directly sent to Oracle Identity Manager or stored in the LDAP Gateway internal store.
You can perform a full reconciliation run at any time.
AES-128 encryption is used to encrypt data that is exchanged between the LDAP Gateway and the Reconciliation Agent and Provisioning Agent on the mainframe.
The following are component-failure scenarios and the response of the connector to each scenario:
Scenario 1: The Reconciliation Agent is running and the LDAP Gateway stops responding
The Reconciliation Agent stops sending messages (event data) to the LDAP Gateway.
Messages that are not sent are stored in the subpool cache.
When the LDAP Gateway is brought back online, the Reconciliation Agent reads data from the subpool cache and then sends messages to the LDAP Gateway.
Scenario 2: The LDAP Gateway is running and the Reconciliation Agent stops responding
Event data is sent to the subpool cache.
When the Reconciliation Agent is brought back online, it reads data from the subpool cache and then sends messages to the LDAP Gateway.
Scenario 3: The LDAP Gateway is running and the mainframe stops responding
Messages that are in the subpool cache are written to disk.
When the mainframe is brought back online, event data written to disk is again stored in the subpool cache.
The Reconciliation Agent reads data from the subpool cache and then sends messages to the LDAP Gateway.
Scenario 4: The LDAP Gateway is running and the Provisioning Agent or mainframe stops responding
The process task that sends provisioning data to the LDAP Gateway retries the task.
Scenario 5: The subpool is stopped by an administrator
If an administrator stops the subpool, then it shuts down the Reconciliation Agent, thereby destroying any messages that are not transmitted. However, messages in the AES-encrypted file are not affected and can be recovered.
The following sections provide information about connector objects used during reconciliation and provisioning:
Section 1.5.1, "Supported Functions for Target Resource and Trusted Source Reconciliation"
Section 1.5.3, "User Attributes for Target Resource Reconciliation and Provisioning"
Section 1.5.4, "Group Attributes for Target Resource Reconciliation and Provisioning"
Section 1.5.5, "Dataset Profile Attributes for Target Resource Reconciliation and Provisioning"
Section 1.5.6, "Resource Profile Attributes for Target Resource Reconciliation and Provisioning"
The connector supports reconciliation of user data from the following events:
Create user
Modify user
Change password
Reset password
Revoke user
Resume user
Delete user
Add user to group
Revoke user from group
Delete user from group
Create group
Alter group
Delete group
Table 1-2 lists the provisioning functions supported by the connector.
Table 1-2 Supported Provisioning Functions
| Function | Description | Mainframe Command |
|---|---|---|
| Create users | Adds new user on IBM RACF | ADDUSER |
| Create groups | Adds new group on IBM RACF | ADDGRP |
| Modify users | Modifies user information on IBM RACF | ALTUSER |
| Modify group | Modifies group information on IBM RACF | ALTGRP |
| Change passwords | Changes user password on IBM RACF in response to password changes made on Oracle Identity Manager through user self-service | ALTUSER |
| Reset passwords | Resets user password on IBM RACF. The passwords are reset by the administrator. | ALTUSER |
| Revoking user accounts | Sets IBM RACF user to a REVOKED state | ALTUSER |
| Resuming user accounts | Sets IBM RACF user to an ENABLED state | ALTUSER |
| Add user to group | Connects user with an IBM RACF group | CONNECT |
| Remove user from group | Disconnects user from an IBM RACF group | REMOVE |
| Revoke user from group | Revokes user's membership in an IBM RACF group | CONNECT REVOKE |
| Permit user to dataset | Permits user to be part of the data set ACL and gives them access rights to the data set | PERMIT |
| Remove user from dataset | Removes user from the data set ACL | PERMIT |
| Permit user to access general resource | Permits user to be part of the resource ACL and gives them access rights to the resource | PERMIT |
| Remove user from general resource | Removes user from the resource ACL | PERMIT |
| Grant user to TSO segment | Provides TSO access and information to user | ALTUSER |
| Grant user to OMVS segment | Provides OMVS information to users | ALTUSER |
| Delete User | Deletes user from IBM RACF | DELUSER |
| Delete Group | Deletes group from IBM RACF | DELGRP |
| Add Dataset | Adds new dataset profile to IBM RACF | ADDSD |
| Modify Dataset | Modifies dataset information on IBM RACF | ALTDSD |
| Delete Dataset | Deletes dataset profile from IBM RACF | DELDSD |
| Define Resource | Adds new resource profile to IBM RACF | RDEFINE |
| Modify Resource | Modifies resource profile information in IBM RACF | RALTER |
| Delete Resource | Deletes resource profile from IBM RACF | RDELETE |
| Define Alias | Defines an alias in IBM RACF | DEFINE ALIAS |
| Delete Alias | Deletes an alias in IBM RACF | DELETE ALIAS |
| Refresh Setropts | Refreshes in-storage generic profiles in IBM RACF | SETROPTS RACLIST REFRESH |
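The table above names the mainframe command behind each provisioning function, and the provisioning process described earlier has the LDAP Gateway build those commands from form data and convert them to EBCDIC for the Provisioning Agent. The following added example (not the connector's or Oracle's code) builds a subset of those commands in Python with standard RACF TSO command syntax. The identifier and data set name checks are a deliberately conservative assumption made for this example, so that a value arriving from a provisioning form can never smuggle additional operands or a second command into the built string; the AES-128 encryption step is not modelled.

```python
"""
Build the RACF commands of Table 1-2 from provisioning operands, rejecting
operands that are not well-formed RACF identifiers. Added example, not the
connector's code; the validation rules are conservative assumptions.
"""
import re

# RACF user and group IDs: 1-8 characters from A-Z, 0-9, #, $ and @.
# Requiring a leading letter is a conservative choice made here.
_RACF_ID = re.compile(r"^[A-Z][A-Z0-9#$@]{0,7}$")
# Data set profile names: dot-separated qualifiers of 1-8 characters,
# optionally with RACF generic characters (* and %). Conservative assumption.
_DSN = re.compile(r"^[A-Z#$@*%][A-Z0-9#$@*%-]{0,7}(\.[A-Z#$@*%][A-Z0-9#$@*%-]{0,7})*$")
_ACCESS = {"NONE", "READ", "UPDATE", "CONTROL", "ALTER"}


class InvalidOperand(ValueError):
    """Raised for any operand that would not be a single clean RACF value."""


def racf_id(value: str) -> str:
    v = value.upper()
    if not _RACF_ID.match(v):
        raise InvalidOperand(f"not a valid RACF identifier: {value!r}")
    return v


def dataset_name(value: str) -> str:
    v = value.upper()
    if not _DSN.match(v):
        raise InvalidOperand(f"not a valid data set profile name: {value!r}")
    return v


def access_level(value: str) -> str:
    v = value.upper()
    if v not in _ACCESS:
        raise InvalidOperand(f"not a RACF access level: {value!r}")
    return v


# One builder per provisioning function (subset of Table 1-2).
def revoke_user(uid: str) -> str:
    return f"ALTUSER {racf_id(uid)} REVOKE"


def resume_user(uid: str) -> str:
    return f"ALTUSER {racf_id(uid)} RESUME"


def delete_user(uid: str) -> str:
    return f"DELUSER {racf_id(uid)}"


def add_user_to_group(uid: str, group: str) -> str:
    return f"CONNECT {racf_id(uid)} GROUP({racf_id(group)})"


def revoke_user_from_group(uid: str, group: str) -> str:
    return f"CONNECT {racf_id(uid)} GROUP({racf_id(group)}) REVOKE"


def remove_user_from_group(uid: str, group: str) -> str:
    return f"REMOVE {racf_id(uid)} GROUP({racf_id(group)})"


def permit_user_to_dataset(uid: str, dsn: str, access: str) -> str:
    return f"PERMIT '{dataset_name(dsn)}' ID({racf_id(uid)}) ACCESS({access_level(access)})"


def remove_user_from_dataset(uid: str, dsn: str) -> str:
    # The DELETE operand removes the ID from the profile's access list.
    return f"PERMIT '{dataset_name(dsn)}' ID({racf_id(uid)}) DELETE"


def to_mainframe_bytes(command: str) -> bytes:
    """The Provisioning Agent works in EBCDIC: convert the ASCII command
    before transport (code page 037)."""
    return command.encode("cp037")


if __name__ == "__main__":
    # Constructed sample operands.
    for cmd in (revoke_user("jsmith"),
                add_user_to_group("jsmith", "payroll"),
                permit_user_to_dataset("jsmith", "prod.payroll.data", "read")):
        print(cmd, to_mainframe_bytes(cmd).hex())
```

Rejecting the operand rather than quoting or escaping it is the simpler of the two choices here: RACF identifiers have a small, fixed alphabet, so a whitelist is easy to state and leaves no room for an operand such as `JSMITH RESUME` to turn one function of the table into another.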
Table 1-3 lists attribute mappings between IBM RACF and Oracle Identity Manager for target resource reconciliation and provisioning. The OnBoardRacfUser and ModifyRacfUser adapters are used for the Create User and Modify User provisioning operations, respectively.
Table 1-3 User Attributes for Target Resource Reconciliation and Provisioning
| Process Form Field | IBM RACF Attribute | Description |
|---|---|---|
| cn | NAME | Full name. You can specify the format in which Full Name values are stored on the target system. Step 3 of Section 3.9, "Installing and Configuring the LDAP Gateway" describes the procedure. |
| cicsOpclass | CICS_OPCLASS | Operator class |
| cicsOpident | CICS_OPIDENT | Operator ID |
| cicsOpprty | CICS_OPPRTY | Operator priority |
| cicsRslkey | CICS_RSLKEY | Resource key 0–99 |
| cicsTimeout | CICS_TIMEOUT | Timeout value |
| cicsTslkey | CICS_TSLKEY | Type key 1–99 |
| cicsXrfsoff | CICS_XRFSOFF | Transaction off (Force\|NoForce) |
| dfltGrp | DEFAULT-GROUP | Default group for the user |
| instdata | DATA | Installation-defined data for the user |
| netviewConsname | NETVIEW_CONSNAME | Console name |
| netviewCtl | NETVIEW_CTL | Control |
| netviewDomains | NETVIEW_DOMAINS | Domain name |
| netviewIc | NETVIEW_IC | Command\|Command List |
| netviewMsgrecvr | NETVIEW_MSGRECVR | Message receiver |
| netviewNgmfadmn | NETVIEW_NGMFADMN | Administration (Y\|N) |
| netviewNgmfvspn | NETVIEW_NGMFVSPN | View span |
| netviewOpclass | NETVIEW_OPCLASS | Operator class |
| omvsAssizemax | OMVS_ASSIZEMAX | Address space size |
| omvsAutouid | OMVS_AUTOUID | Generate auto user identifier |
| omvsCputimemax | OMVS_CPUTIMEMAX | CPU time |
| omvsFileprocmax | OMVS_FILEPROCMAX | Files per process |
| omvsHome | HOME | Home location |
| omvsMemlimit | OMVS_MEMLIMIT | Non-shared memory size |
| omvsMmapareamax | OMVS_MMAPAREAMAX | Memory map size |
| omvsProcusermax | OMVS_PROCUSERMAX | Processes per UID |
| omvsProgram | PROGRAM | Program |
| omvsShared | OMVS_SHARED | Shared user identifier |
| omvsShmemmax | OMVS_SHMEMMAX | Shared memory size |
| omvsThreadsmax | OMVS_THREADSMAX | Threads per process |
| omvsUid | UID | UID |
| owner | OWNER | Owner of the user profile |
| resumeDate | RESUME DATE | Future date from which the user will be allowed access to the system |
| revokeDate | REVOKE DATE | Future date from which the user's access to the system will be revoked |
| revoke | REVOKE\|RESUME | Status of the user |
| tsoAcctNum | ACCTNUM | Default TSO account number on the TSO/E logon panel |
| tsoCommand | COMMAND | Command to be run during TSO/E logon |
| tsoDest | DEST | Default SYSOUT destination |
| tsoHoldclass | HOLDCLASS | Default hold class |
| tsoJobclass | JOBCLASS | Default job class |
| tsoMaxSize | MAXSIZE | Maximum region size the user can request at logon |
| tsoMsgclass | MSGCLASS | Default message class |
| tsoProc | PROC | Default logon procedure on the TSO/E logon panel |
| tsoSize | SIZE | Minimum region size if not requested at logon |
| tsoSysoutclass | SYSOUTCLASS | Default SYSOUT class |
| tsoUnit | UNIT | Default UNIT name for allocations |
| tsoUserdata | USERDATA | TSO-defined data for the user |
| uid | USER | Login ID |
| userPassword | PASSWORD | Password used to log in |
| waaccnt | WAACCNT | Account number for APPC or IBM z/OS processing |
| waaddr1 | WAADDR1 | Address line 1 for SYSOUT delivery |
| waaddr2 | WAADDR2 | Address line 2 for SYSOUT delivery |
| waaddr3 | WAADDR3 | Address line 3 for SYSOUT delivery |
| waaddr4 | WAADDR4 | Address line 4 for SYSOUT delivery |
| wabldg | WABLDG | Building for SYSOUT delivery |
| wadept | WADEPT | Department for SYSOUT delivery |
| waname | WANAME | User name for SYSOUT delivery |
| waroom | WAROOM | Room for SYSOUT delivery |
Table 1-4 lists group attribute mappings between IBM RACF and Oracle Identity Manager. The AddUserToGroup, RemoveUserFromGroup, RevokeUsersGroupMembership, RevokeAllMemberships, and ResumeAllMemberships adapters are used for group provisioning operations.
Table 1-4 Group Attributes for Target Resource Reconciliation and Provisioning
| Child Form Field | IBM RACF Attribute | Description |
|---|---|---|
| cn | GROUP | Group ID |
| uniqueMember | USERS | Users associated with the group |
| adsp | ADSP | All permanent tape and DASD data sets created by the user are RACF-protected by discrete profiles |
| at | AT | Node the command should run under |
| onlyat | ONLY AT | Only node that the command should run under |
| auditor | AUDITOR | User has the group-AUDITOR attribute |
| authority | AUTHORITY | User's level of authority in the group |
| grpacc | GRPACC | Group data sets defined by user are automatically accessible to other users in the group |
| operations | OPERATIONS | User has the group-OPERATIONS attribute |
| owner | OWNER | Owner of the connect profile |
| resume | RESUME | User is allowed to access the system |
| resumeDate | RESUME(date) | The date that the user is allowed to access the system |
| noresume | NORESUME | Specifies that RACF is to clear the RESUME date field |
| revoke | REVOKE | User is no longer allowed to access the system |
| revokeDate | REVOKE(date) | The date that the user is no longer allowed to access the system |
| norevoke | NOREVOKE | Specifies that RACF is to clear the REVOKE date field |
| special | SPECIAL | User has the group-SPECIAL attribute |
| uacc | UACC | Universal access authority for all new resource profiles while connected to group |
Table 1-5 lists data set resource profile attribute mappings between IBM RACF and Oracle Identity Manager. The AddUserToDataset, RemoveUserFromDataset, AddDataset, ModifyDataset, and DeleteDataset adapters are used for data set resource profile provisioning operations.
Table 1-5 Dataset Profile Attributes for Target Resource Reconciliation and Provisioning
| Child Form Field | IBM RACF Attribute | Description |
|---|---|---|
| dsname | PROFILE NAME | Profile ID |
| dsaccess | ACCESS | User's access level to the dataset |
| dsgeneric | GENERIC | Treat the dataset as a generic name |
Note:
A pre-configured child form and process task for the following attributes is not included with the release. Instead, literal values have been mapped for the connector release, but these values must be updated once the process is implemented. To provision create, modify, or delete dataset actions, the user will need to create a form and edit the process task mappings for AddDataset, ModifyDataset, and DeleteDataset adapters.
Table 1-6 Dataset Profile Attributes for Provisioning
| Adapter attribute | IBM RACF Attribute |
|---|---|
| audit | AUDIT |
| addcategory | ADDCATEGORY |
| category | CATEGORY |
| instdata | DATA |
| erase | ERASE |
| fclass | FCLASS |
| fgeneric | FGENERIC |
| fileseq | FILESEQ |
| from | FROM |
| fvolume | FVOLUME |
| generic | GENERIC |
| level | LEVEL |
| model | MODEL |
| noset | NOSET |
| notify | NOTIFY |
| onlyat | ONLYAT |
| owner | OWNER |
| retpd | RETPD |
| seclabel | SECLABEL |
| seclevel | SECLEVEL |
| set | SET |
| setonly | SETONLY |
| tape | TAPE |
| uacc | UACC |
| unit | UNIT |
| volume | VOLUME |
Table 1-7 lists resource profile attribute mappings between IBM RACF and Oracle Identity Manager. The AddUserToResource, RemoveUserFromResource, DefineResource, AlterResource, and DeleteResource adapters are used for resource profile provisioning operations.
Table 1-7 Resource Profile Attributes for Target Resource Reconciliation and Provisioning
| Child Form Field | IBM RACF Attribute | Description |
|---|---|---|
| id | PROFILE NAME | Profile ID |
| classname | CLASS NAME | Class type |
| access | ACCESS | User's access level to resource profile |
Note:
A pre-configured child form and process task for the following attributes is not included with the release. Instead, literal values have been mapped for the connector release, but these values must be updated once the process is implemented. To provision create, modify, or delete resource profile actions, the user will need to create a form and edit the process task mappings for the DefineResource, ModifyResource, and DeleteResource adapters.
Table 1-9 lists attribute mappings between IBM RACF and Oracle Identity Manager for trusted source reconciliation.
See Also:
Oracle Fusion Middleware User's Guide for Oracle Identity Manager for generic information about reconciliation matching and action rules
During target resource reconciliation, Oracle Identity Manager tries to match each user profile fetched from IBM RACF with existing IBM RACF resources provisioned to OIM Users. This is known as process matching. A reconciliation rule is applied for process matching. If a process match is found, then changes made to the user profile on the target system are copied to the resource on Oracle Identity Manager. If no match is found, then Oracle Identity Manager tries to match the user profile against existing OIM Users. This is known as entity matching. The reconciliation rule is applied during this process. If an entity match is found, then an IBM RACF resource is provisioned to the OIM User. Data for the newly provisioned resource is copied from the user profile.
During trusted reconciliation, the same reconciliation rule is applied for entity matching. If an entity match is found, then an OIM User is created out of the data in the reconciliation event.
The following is the reconciliation rule for both target resource and trusted source reconciliation:
Rule name: IdfReconUserRule
Rule element: User Login Equals uid
In this rule element:
User Login is the User ID field on the process form and the OIM User form.
uid is the USER attribute on IBM RACF.
After you deploy the connector, you can view this reconciliation rule by performing the following steps:
On the Design Console, expand Development Tools and then double-click Reconciliation Rules.
Search for and open the IdfReconUserRule rule.
Reconciliation action rules specify actions that must be taken depending on whether or not matching IBM RACF resources or OIM Users are found when the reconciliation rule is applied. Table 1-10 lists the reconciliation action rules for this connector.
Table 1-10 Reconciliation Action Rules
| Rule Condition | Action |
|---|---|
| No Matches Found | Assign to Administrator With Least Load |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:
For Oracle Identity Manager release 9.1.0.x: Oracle Fusion Middleware User's Guide for Oracle Identity Manager
For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
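The following added example (not connector code and not from this guide) walks through the matching sequence described above in Python: the IdfReconUserRule element "User Login Equals uid" is first applied for process matching against IBM RACF resources already provisioned to OIM Users, then for entity matching against OIM Users, and the outcome is mapped to the rule condition and action of Table 1-10. The in-memory record types, the case-insensitive comparison and the constructed sample users and events are assumptions made for the example.

```python
"""
Two-stage reconciliation matching (process match, then entity match) with
IdfReconUserRule and the action rules of Table 1-10. Added illustration, not
the connector's code; record shapes and sample data are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class RacfResource:
    """An IBM RACF resource provisioned to an OIM User (process form)."""
    uid: str          # process-form User ID, the IBM RACF USER attribute
    name: str = ""


@dataclass
class OimUser:
    user_login: str   # OIM User form "User Login"
    resources: list = field(default_factory=list)


@dataclass
class ReconEvent:
    uid: str          # "uid" attribute carried in the reconciliation event
    name: str


def rule_matches(user_login: str, uid: str) -> bool:
    """IdfReconUserRule: User Login Equals uid. RACF stores user IDs in upper
    case, so the comparison is made case-insensitively (assumption here)."""
    return user_login.upper() == uid.upper()


def reconcile_target_resource(event: ReconEvent, users: list):
    """Target resource mode. Returns (rule condition, action) per Table 1-10
    and applies the described effect to the in-memory records."""
    # Stage 1: process matching against already provisioned RACF resources.
    for user in users:
        for resource in user.resources:
            if rule_matches(resource.uid, event.uid):
                resource.name = event.name      # copy target changes to resource
                return "One Process Match Found", "Establish Link"
    # Stage 2: entity matching against OIM Users.
    for user in users:
        if rule_matches(user.user_login, event.uid):
            user.resources.append(RacfResource(uid=event.uid.upper(), name=event.name))
            return "One Entity Match Found", "Establish Link"
    return "No Matches Found", "Assign to Administrator With Least Load"


def reconcile_trusted_source(event: ReconEvent, users: list):
    """Trusted source mode: only entity matching is applied."""
    for user in users:
        if rule_matches(user.user_login, event.uid):
            return "One Entity Match Found", "Establish Link"
    return "No Matches Found", "Assign to Administrator With Least Load"


def demo():
    """Constructed sample: one user with a RACF account, one without."""
    users = [
        OimUser("JSMITH", [RacfResource("JSMITH", "John Smith")]),
        OimUser("JDOE"),
    ]
    results = [
        reconcile_target_resource(ReconEvent("jsmith", "J. Smith"), users)[0],
        reconcile_target_resource(ReconEvent("JDOE", "Jane Doe"), users)[0],
        reconcile_target_resource(ReconEvent("NEWUSR", "New User"), users)[0],
    ]
    return results, [len(u.resources) for u in users]


if __name__ == "__main__":
    print(demo())
```

Because the rule compares only the login against the RACF user ID, a RACF profile whose ID happens to equal an unrelated OIM user's login is linked to that user; this is why the ordering of the two stages matters and why the unmatched case is routed to an administrator rather than linked automatically.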
After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:
On the Design Console, expand Resource Management and double-click Resource Objects.
Search for and open the OIMRacfResourceObject resource object.
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.