1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications.

A custom application in your organization may use relational database tables as a repository for user data. This guide describes the procedure to create the connector for integrating these database tables with Oracle Identity Manager. After you integrate the tables with Oracle Identity Manager, you can use them either as a managed (target) resource or as an authoritative (trusted) source of user data for Oracle Identity Manager.

The connector that you create is known as a Database Application Tables connector. The following sample scenario describes the requirement that can be addressed by a Database Application Tables connector:

Example Inc. has some database-driven custom applications. These applications cannot be LDAP enabled, and they do not have any APIs for identity administration. The company wants to deploy an identity management and provisioning system that can be linked with their database.

The Database Application Tables connector is one of the solutions to this business problem. Example Inc. can use this connector to enable the exchange of user data between the database and Oracle Identity Manager.

Note:

In this guide:
  • The database tables that store user data are collectively referred to as the target system.

  • The computer on which the database is installed is referred to as the target system host computer.

In the target resource configuration, data about users created or modified on the target system is reconciled into Oracle Identity Manager and is used to create or update resources allocated to OIM Users. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

In the trusted source configuration, data about users created or modified on the target system is reconciled into Oracle Identity Manager and is used to create or update OIM Users.

Note:

  • It is recommended that you do not configure the target system as both an authoritative (trusted) source and a managed (target) resource.

  • See Oracle Identity Manager Connector Concepts for detailed information about connector deployment configurations.

This chapter discusses the following topics:

1.1 Certified Components

Table 1-1 lists the certified components for this connector.

Table 1-1 Certified Components

Item Requirement

Oracle Identity Manager

  • Oracle Identity Manager release 9.1.0.2 BP03 and future releases in this release track

    Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.2 BP03 and future releases in the 9.1.0.x series that the connector will support.

  • Oracle Identity Manager 11g release 1 (11.1.1.3.0) and future releases in this release track

    Note: In this guide, Oracle Identity Manager release 11.1.1 has been used to denote Oracle Identity Manager 11g release 1 (11.1.1).

  • Oracle Identity Manager 11g release 1 PS1 (11.1.1.5.0) and future releases in this release track

  • Oracle Identity Manager 11g release 1 PS2 (11.1.1.7.0) and future releases in this release track

  • Oracle Identity Manager 11g release 2 (11.1.2.0.4) and future releases in this release track

    Note: In this guide, Oracle Identity Manager release 11.1.2.x has been used to denote Oracle Identity Manager release 11.1.2.0.4 and future releases in the 11.1.2.x series that the connector will support.

  • Oracle Identity Manager 11g release 2 PS1 (11.1.2.1.0) and future releases in this release track

  • Oracle Identity Manager 11g release 2 PS2 (11.1.2.2.0) and future releases in this release track

JDK

For Oracle Identity Manager release 9.1.0.x, JDK 1.5 or later

For Oracle Identity Manager release 11.1.1 and 11.1.2.x, JDK 1.6 or later

Target systems

The target system can be database tables from any one of the following RDBMSs:

  • IBM DB2/UDB Version 9.x running on Microsoft Windows, UNIX, and IBM z/OS platforms

  • Microsoft SQL Server 2005, 2008

  • MySQL 5.1.30, 5.3, 5.5

  • Oracle Database 10g, 11gR1, 11g Release 2 (11.2.0.x), as either single database or Oracle RAC implementation.

  • Sybase Adaptive Server Enterprise 15.x

JDBC drivers

Depending on the target system that you use, you need one of the following sets of JDBC drivers:

For IBM DB2/UDB:

  • For all platforms: db2jcc.jar

  • For Microsoft Windows and UNIX platforms: db2jcc_license_cu.jar

  • For IBM z/OS platforms: db2jcc_license_cisuz.jar

  • For IBM DB2/UDB with the autoincrement option set on the primary key column: db2jcc4.jar and JDK 1.6

For Microsoft SQL Server:

  • For Microsoft SQL Server 2005: sqljdbc.jar version 1.2

  • For Microsoft SQL Server 2008: sqljdbc4.jar version 2.0

For MySQL, you need the mysql-connector-java-5.1.8-bin.jar driver.

For Oracle Database:

  • Oracle Database 10g drivers

  • Oracle Database 11g drivers

  • For Oracle RAC: ojdbc14.jar

For Sybase Adaptive Server Enterprise, you need the jconn3.jar JDBC driver for all platforms.

Instructions to download and use these drivers are provided later in this guide.

Format in which user data is stored in the target system

You can use a Database Application Tables connector only if user data is stored in the target system in any one of the following formats:

  • All user data is in a single table.

  • User data is spread across one parent table and one or more child tables. This target system can be configured only as a target resource, and not as a trusted source.

  • All user data is in a single updatable view (that is based on one or more tables).

  • User data is spread across one updatable view (that is based on one or more tables) and one or more child views (that are based on one or more tables). This target system can be configured only as a target resource, and not as a trusted source. In other words, a trusted source cannot store child data.

    Note: If you use read-only views, then you must create INSTEAD OF triggers to enable modification of the read-only views during provisioning operations. This requirement has also been mentioned in "Using Read-Only Views".

Other requirements of the target system

The target system must meet the following requirements:

  • The target system must not contain a column named ID. See "Ensuring That There Are No Target System Columns Named ID" for the description of a workaround to this requirement.

  • Names of foreign key columns must be the same in parent and child tables. However, the names of all other columns in the parent table must be different from the names of columns in the child tables.

For Oracle Identity Manager release 9.1.0.x, see "Names of Fields" in the "Best Practices for Creating and Using Generic Technology Connectors" chapter of Oracle Identity Manager Administrative and User Console Guide for more information.

For Oracle Identity Manager release 11.1.1 and 11.1.2.x, see "Names of Fields" in the "Creating and Managing Generic Technology Connectors" chapter of Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information.
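The note above on read-only views says that INSTEAD OF triggers are needed before provisioning operations can modify such a view. The following is an added example, not code from the Oracle guide or from the connector, that shows the mechanism end to end: a view over a user table is first probed without triggers (the write is rejected) and then with INSTEAD OF INSERT, UPDATE and DELETE triggers (the writes reach the base table). SQLite stands in for the target RDBMS so the script runs offline; the table app_users, the view v_users and the trigger names are constructed for the demo, and the trigger syntax shown is SQLite's, which is close to but not identical with Oracle's.

```python
# Added example, not code from the Oracle guide: a read-only view made
# writable with INSTEAD OF triggers, so that provisioning statements issued
# against the view reach the underlying table. SQLite stands in for the
# target RDBMS; the table, view and trigger names are constructed for the demo.
import sqlite3

BASE_SCHEMA = """
CREATE TABLE app_users (
    usr_key   INTEGER PRIMARY KEY,
    login     TEXT NOT NULL UNIQUE,
    full_name TEXT,
    status    TEXT NOT NULL DEFAULT 'Active'
);
-- A plain projection: without triggers the engine rejects INSERT, UPDATE
-- and DELETE against it, so provisioning through the view would fail.
CREATE VIEW v_users AS
    SELECT usr_key, login, full_name, status FROM app_users;
"""

INSTEAD_OF_TRIGGERS = """
CREATE TRIGGER v_users_ins INSTEAD OF INSERT ON v_users
BEGIN
    INSERT INTO app_users (login, full_name, status)
    VALUES (NEW.login, NEW.full_name, COALESCE(NEW.status, 'Active'));
END;
CREATE TRIGGER v_users_upd INSTEAD OF UPDATE ON v_users
BEGIN
    UPDATE app_users
       SET login = NEW.login, full_name = NEW.full_name, status = NEW.status
     WHERE usr_key = OLD.usr_key;
END;
CREATE TRIGGER v_users_del INSTEAD OF DELETE ON v_users
BEGIN
    DELETE FROM app_users WHERE usr_key = OLD.usr_key;
END;
"""


def open_db(with_triggers: bool) -> sqlite3.Connection:
    """In-memory stand-in for the target system; triggers are optional so
    both the read-only and the writable case can be shown."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(BASE_SCHEMA)
    if with_triggers:
        conn.executescript(INSTEAD_OF_TRIGGERS)
    return conn


def view_is_writable(conn: sqlite3.Connection) -> bool:
    """Probe the view the way a provisioning operation would: insert a row
    through it and remove it again. False means the view is read-only."""
    try:
        with conn:
            conn.execute("INSERT INTO v_users (login, full_name) VALUES (?, ?)",
                         ("probe", "Probe Account"))
            conn.execute("DELETE FROM v_users WHERE login = ?", ("probe",))
        return True
    except sqlite3.OperationalError:
        # SQLite reports "cannot modify v_users because it is a view"
        return False


def provision_via_view(conn: sqlite3.Connection):
    """Create and then disable an account using only the view, and read
    the base table back to prove the writes landed there."""
    with conn:
        conn.execute("INSERT INTO v_users (login, full_name) VALUES (?, ?)",
                     ("jdoe", "John Doe"))
        conn.execute("UPDATE v_users SET status = ? WHERE login = ?",
                     ("Disabled", "jdoe"))
    return conn.execute("SELECT login, status FROM app_users").fetchall()


if __name__ == "__main__":
    print("writable without triggers:", view_is_writable(open_db(False)))
    print("writable with triggers:   ", view_is_writable(open_db(True)))
    print(provision_via_view(open_db(True)))
```

The probe in view_is_writable is the check worth running before the connector is configured against a view: if it returns False, provisioning will fail at the first Create User operation, and the fix is the set of INSTEAD OF triggers on the target system rather than anything in Oracle Identity Manager.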


1.2 Usage Recommendation

Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:

  • If you are using Oracle Identity Manager release 9.1.0.2 BP03 or later, but earlier than Oracle Identity Manager 11g Release 2 BP10 (11.1.2.0.10), then you must use the 9.1.x version of this connector.

  • If you are using Oracle Identity Manager 11g Release 2 BP10 (11.1.2.0.10) or later, then you must use the latest 11.1.1.x version of this connector.

1.3 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Danish

  • English

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Portuguese (Brazilian)

  • Spanish

See Also:

One of the following guides for information about supported special characters:

1.4 Supported Data Types

The data types supported for reconciliation and provisioning operations are listed in the following section:

Note:

Complex data types, such as RAW, Binary File, CLOB, and BLOB, are not supported. Any data type that is not supported and is not a complex data type is treated as a String data type.

For IBM DB2 Database:

  • SMALLINT

  • BIGINT

  • INTEGER

  • REAL

  • FLOAT

  • DOUBLE

  • DECIMAL

  • CHARACTER

  • VARCHAR

  • DATE

  • TIMESTAMP

For Microsoft SQL Server:

  • CHAR

  • VARCHAR

  • TINYINT

  • SMALLINT

  • INT

  • BIGINT

  • DECIMAL

  • NUMERIC

  • FLOAT

  • REAL

  • SMALLDATETIME

  • DATETIME

For MySQL:

  • TINYINT

  • SMALLINT

  • MEDIUMINT

  • INT

  • BIGINT

  • FLOAT

  • DOUBLE

  • DECIMAL

  • CHAR

  • VARCHAR

  • TINYTEXT

  • DATE

  • DATETIME

  • TIMESTAMP

For Oracle Database:

  • VARCHAR2

  • CHAR

  • NUMBER

  • NUMERIC

  • INTEGER

  • INT

  • SMALLINT

  • DOUBLE

  • FLOAT

  • DECIMAL

  • DEC

  • REAL

  • DATE

  • TIMESTAMP

For Sybase Database:

  • CHAR

  • DATE

  • VARCHAR

  • TINYINT

  • SMALLINT

  • INT

  • NUMERIC

  • DECIMAL

  • FLOAT

  • REAL

  • DATETIME

1.5 Features of the Connector

This section discusses the following topics:

1.5.1 Connector Architecture

Figure 1-1 shows the architecture of the connector.

Figure 1-1 Architecture of a Database Application Tables Connector


See Also:

One of the following guides for conceptual information about providers and data sets:

This diagram shows the providers that constitute the connector. The position of each provider is based on its role during reconciliation or provisioning.

The Transformation and Validation Providers are optional elements of the connector. Predefined Transformation and Validation Providers are shipped as part of the generic technology connector framework.

The following predefined providers are the building blocks of the connector:

Note:

The provider parameters mentioned in this section are described later. While creating the connector, you specify values for these parameters. The providers use the parameter values to perform their intended function. For example, the Reconciliation and Provisioning Transport Providers use the Database URL parameter to connect to the target system.

Some of the parameters are common to both the provisioning and reconciliation providers. For example, the Database Driver parameter is common to both the Database Application Tables Reconciliation Transport Provider and the Database Application Tables Provisioning Transport Provider.

  • Database Application Tables Reconciliation Transport Provider

    This provider uses a SQL query to fetch data from the target system. The column names for the SELECT clause of the SQL query are derived from the field mappings that you create while performing the procedure described in "Step 3: Modify Connector Configuration Page". The table names for the FROM clause are derived from the values of the Parent Table/View Name and Child Table/View Names parameters. The WHERE clause is derived from the value of the Customized Query parameter. This clause is optional. In other words, it is not mandatory to enter a value for the Customized Query parameter.

    If the primary key constraint cannot be set in the target system, then you use the Unique Attribute parameter to specify the name of the unique key column.

    Similarly, if the target system is composed of more than one table or view, then this provider can automatically detect and use referential integrity constraints that have been set between the tables. However, if referential integrity constraints have not been set between parent and child tables, then you can use the Unique Attribute parameter to specify the name of the column that you want to use as the foreign key. The only requirement is that the name of the column must be the same in the parent and child tables.

    Note:

    If a referential integrity constraint can be set, then ensure that the name of the primary key column in the parent table is the same as the name of the foreign key column in the child table. If this requirement is not met, then the connector cannot detect the referential integrity constraint.

    The result set fetched by the SQL query is in a format that is supported by the predefined Reconciliation Format Provider.

  • Database Application Tables Reconciliation Format Provider

    This provider converts the format of data fetched by the Database Application Tables Reconciliation Transport Provider into a format supported by Oracle Identity Manager.

  • Database Application Tables Provisioning Format Provider

    This provider converts the format of data sent from Oracle Identity Manager into a format supported by the target system.

  • Database Application Tables Provisioning Transport Provider

    This provider uses INSERT, UPDATE, and DELETE statements to perform provisioning operations on the target system. Like the Database Application Tables Reconciliation Transport Provider, this provider can detect primary and foreign key constraints that are set in the target system. Similarly, if the primary and foreign keys have not been set in the target system, then the value of the Unique Attribute parameter is used during connector operations.

Note:

The Database Application Tables connector does not support the use of stored procedures to perform CRUD operations against a table.
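The two transport providers described above assemble their SQL from connector parameters: the SELECT list from the field mappings, the FROM clause from Parent Table/View Name and Child Table/View Names, the WHERE clause from Customized Query, and the join column from a detected referential integrity constraint (falling back to Unique Attribute). The following is an added example, not the connector's own code, which the guide does not show, that reproduces that assembly for a constructed parent table (employees) and child table (employee_roles) in SQLite, detects the foreign key from the database catalog, runs the reconciliation query, and performs a provisioning INSERT into parent and child using the detected key. The function names, the sample rows and the use of SQLite's PRAGMA foreign_key_list for constraint detection are all assumptions of the demo.

```python
# Added example, not the connector's code: assembling the reconciliation
# SELECT from the parameters the guide names, detecting the parent/child
# key from the catalog, and provisioning through INSERT on parent and child.
# SQLite stands in for the target system; tables and rows are constructed.
import re
import sqlite3

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

SCHEMA = """
CREATE TABLE employees (
    emp_id INTEGER PRIMARY KEY,
    login  TEXT NOT NULL UNIQUE,
    email  TEXT,
    status TEXT NOT NULL
);
-- The foreign key column keeps the parent's column name (emp_id), as the
-- guide requires, so the constraint can be detected and joined on.
CREATE TABLE employee_roles (
    emp_id INTEGER NOT NULL REFERENCES employees(emp_id),
    role   TEXT NOT NULL
);
INSERT INTO employees VALUES (1, 'jdoe',   'jdoe@example.com',   'Active');
INSERT INTO employees VALUES (2, 'asmith', 'asmith@example.com', 'Disabled');
INSERT INTO employee_roles VALUES (1, 'Leave Approvers');
INSERT INTO employee_roles VALUES (1, 'Staff');
INSERT INTO employee_roles VALUES (2, 'Staff');
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def quote_ident(name: str) -> str:
    """Table and column names come from configuration, but they are still
    interpolated into SQL, so accept only plain identifiers and quote them."""
    if not IDENT.match(name):
        raise ValueError(f"illegal identifier: {name!r}")
    return f'"{name}"'


def detect_foreign_key(conn, parent: str, child: str):
    """Return the shared key column when the child declares a foreign key to
    the parent and the column has the same name on both sides, else None."""
    quote_ident(child)  # validate before using the bare name in the PRAGMA
    for row in conn.execute(f"PRAGMA foreign_key_list({child})"):
        # row layout: id, seq, table, from, to, on_update, on_delete, match
        if row[2] == parent and row[3] == row[4]:
            return row[3]
    return None


def build_recon_query(conn, field_mappings, parent, children=(),
                      unique_attribute=None, customized_query=None) -> str:
    """field_mappings: (table, column) pairs for the SELECT list.
    customized_query: administrator-supplied WHERE fragment, optional."""
    select = ", ".join(f"{quote_ident(t)}.{quote_ident(c)}" for t, c in field_mappings)
    sql = f"SELECT {select} FROM {quote_ident(parent)}"
    for child in children:
        key = detect_foreign_key(conn, parent, child) or unique_attribute
        if key is None:
            raise ValueError(f"no key between {parent} and {child}; set Unique Attribute")
        sql += (f" LEFT JOIN {quote_ident(child)} ON {quote_ident(parent)}.{quote_ident(key)}"
                f" = {quote_ident(child)}.{quote_ident(key)}")
    if customized_query:
        sql += f" WHERE {customized_query}"
    return sql


def reconcile(conn) -> dict:
    """Run the assembled query and fold child rows under their parent account."""
    sql = build_recon_query(
        conn,
        [("employees", "login"), ("employees", "status"), ("employee_roles", "role")],
        "employees", ["employee_roles"],
        customized_query="employees.status = 'Active'")
    accounts = {}
    for login, status, role in conn.execute(sql):
        acct = accounts.setdefault(login, {"status": status, "roles": []})
        if role is not None:  # LEFT JOIN yields NULL for accounts without child rows
            acct["roles"].append(role)
    return accounts


def provision_account(conn, login: str, email: str, roles) -> int:
    """INSERT the parent row, then the child rows keyed by the detected column."""
    key = detect_foreign_key(conn, "employees", "employee_roles")
    with conn:
        cur = conn.execute("INSERT INTO employees (login, email, status) VALUES (?, ?, 'Active')",
                           (login, email))
        parent_key = cur.lastrowid
        conn.executemany(f"INSERT INTO employee_roles ({quote_ident(key)}, role) VALUES (?, ?)",
                         [(parent_key, r) for r in roles])
    return parent_key


if __name__ == "__main__":
    db = open_db()
    print(build_recon_query(db, [("employees", "login")], "employees", ["employee_roles"]))
    provision_account(db, "bwayne", "bwayne@example.com", ["Staff"])
    print(reconcile(db))
```

Values such as logins and roles travel as bind parameters, while names taken from configuration pass an identifier check before they are interpolated; the Customized Query fragment is the one piece that is appended verbatim, exactly as the guide describes it, which is why it should be treated as privileged connector configuration rather than as data. The reconcile result also shows the guide's LEFT JOIN consequence: an account with no child rows still appears, with an empty roles list.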

1.5.2 Target Resource Reconciliation

Target resource reconciliation involves fetching data about newly created or modified users on the target system and using this data to add or modify resources assigned to OIM Users. See Oracle Identity Manager Connector Concepts for conceptual information about target resource reconciliation.

The scheduled task that you use to start a target resource reconciliation run is automatically created when you create the connector.

Note:

In Oracle Identity Manager release 11.1.1 and 11.1.2.x, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1 and 11.1.2.x.

See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

See Also:

One of the following guides:

Supported Target Resource Reconciliation Functions

The connector supports the following actions during a target resource reconciliation run:

  • For each account created on the target system, a resource is assigned to the corresponding OIM User.

  • Updates made to each account on the target system are propagated to the corresponding resource.

  • Deletion of child data from accounts on the target system results in deletion of the same data from the resource. For example, if user John Doe is removed from the Leave Approvers group on the target system, then the same action is performed on the resource assigned to the OIM User John Doe.

Note:

Reconciliation of user account deletion on the target system is not supported in this release.

Reconciliation Rules

You create the reconciliation rule when you perform the procedure described in "Step 3: Modify Connector Configuration Page".

You can modify the default rule conditions and actions that are created automatically at the end of the connector creation process. The procedure is described later in this guide.

1.5.3 Provisioning

Provisioning involves creating or modifying a user's data on the target system through Oracle Identity Manager. See Oracle Identity Manager Connector Concepts for conceptual information about provisioning.

The connector supports the following provisioning functions:

  • Create an account

  • Update an account

  • Enable an account

  • Disable an account

  • Delete an account

1.5.4 Trusted Source Reconciliation

The connector supports the following actions during a trusted source reconciliation run:

  • For each newly created user on the target system, an OIM User is created.

  • Updates made to each user on the target system are propagated to the corresponding OIM User.

Note:

Reconciliation of user account deletion on the target system is not supported in this release.

Reconciliation Rules

You create the reconciliation rule when you perform the procedure described in "Step 3: Modify Connector Configuration Page".

You can modify the default rule conditions and actions that are created automatically at the end of the connector creation process. The procedure is described later in this guide.

1.6 Roadmap for Deploying and Using the Connector

Note:

Before you start creating the connector, it is recommended that you read and familiarize yourself with the generic technology connector information in one of the following guides:

The following is a summary of the rest of the content in this guide: