Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications.
A custom application in your organization may use relational database tables as a repository for user data. This guide describes the procedure to create the connector for integrating these database tables with Oracle Identity Manager. After you integrate the tables with Oracle Identity Manager, you can use them either as a managed (target) resource or as an authoritative (trusted) source of user data for Oracle Identity Manager.
The connector that you create is known as a Database Application Tables connector. The following sample scenario describes the requirement that can be addressed by a Database Application Tables connector:
Example Inc. has some database-driven custom applications. These applications cannot be LDAP enabled, and they do not have any APIs for identity administration. The company wants to deploy an identity management and provisioning system that can be linked with their database.
The Database Application Tables connector is one of the solutions to this business problem. Example Inc. can use this connector to enable the exchange of user data between the database and Oracle Identity Manager.
Note:
In this guide:
The database tables that store user data are collectively referred to as the target system.
The computer on which the database is installed is referred to as the target system host computer.
In the target resource configuration, data about users created or modified on the target system is reconciled into Oracle Identity Manager and is used to create or update resources allocated to OIM Users. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.
In the trusted source configuration, data about users created or modified on the target system is reconciled into Oracle Identity Manager and is used to create or update OIM Users.
Table 1-1 lists the certified components for this connector.
Table 1-1 Certified Components
Item | Requirement |
---|---|
JDK | For Oracle Identity Manager release 9.1.0.x, JDK 1.5 or later. For Oracle Identity Manager release 11.1.1 and 11.1.2.x, JDK 1.6 or later. |
The target system can be database tables from any one of the following RDBMSs: | |
JDBC drivers | Depending on the target system that you use, you would need one of the following sets of JDBC drivers: For MySQL, you need the mysql-connector-java-5.1.8-bin.jar driver. For Sybase Adaptive Server Enterprise, you need the jconn3.jar JDBC driver for all platforms. Instructions to download and use these drivers are provided later in this guide. |
Format in which user data is stored in the target system | You can use a Database Application Tables connector only if user data is stored in the target system in any one of the following formats: |
Other requirements of the target system | The target system must meet the following requirements: For Oracle Identity Manager release 9.1.0.x, see "Names of Fields" in the "Best Practices for Creating and Using Generic Technology Connectors" chapter of Oracle Identity Manager Administrative and User Console Guide for more information. For Oracle Identity Manager release 11.1.1 and 11.1.2.x, see "Names of Fields" in the "Creating and Managing Generic Technology Connectors" chapter of Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information. |
Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:
If you are using an Oracle Identity Manager release that is 9.1.0.2 BP03 or later and earlier than Oracle Identity Manager Release 11g Release 2 BP10 (11.1.2.0.10), then you must use the 9.1.x version of this connector.
If you are using Oracle Identity Manager 11g Release 2 BP10 (11.1.2.0.10) or later, then you must use the latest 11.1.1.x version of this connector.
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
One of the following guides for information about supported special characters:
For Oracle Identity Manager release 9.1.0.x: Oracle Identity Manager Globalization Guide.
For Oracle Identity Manager release 11.1.1 and 11.1.2.x: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
The data types supported for reconciliation and provisioning operations are listed in the following section:
Note:
Complex data types, such as RAW, Binary File, CLOB, and BLOB, are not supported. Any data type that is not supported and is not a complex data type is treated as a String data type.
For IBM DB2 Database:
SMALLINT
BIGINT
INTEGER
REAL
FLOAT
DOUBLE
DECIMAL
CHARACTER
VARCHAR
DATE
TIMESTAMP
For Microsoft SQL Server:
CHAR
VARCHAR
TINYINT
SMALLINT
INT
BIGINT
DECIMAL
NUMERIC
FLOAT
REAL
SMALLDATETIME
DATETIME
For MySQL:
TINYINT
SMALLINT
MEDIUMINT
INT
BIGINT
FLOAT
DOUBLE
DECIMAL
CHAR
VARCHAR
TINYTEXT
DATE
DATETIME
TIMESTAMP
For Oracle Database:
VARCHAR2
CHAR
NUMBER
NUMERIC
INTEGER
INT
SMALLINT
DOUBLE
FLOAT
DECIMAL
DEC
REAL
DATE
TIMESTAMP
For Sybase Database:
CHAR
DATE
VARCHAR
TINYINT
SMALLINT
INT
NUMERIC
DECIMAL
FLOAT
REAL
DATETIME
This section discusses the following topics:
The "Connector Architecture" section describes the architecture of the connector.
The following sections describe features of the target resource configuration:
The "Trusted Source Reconciliation" section describes features of the trusted source configuration.
Figure 1-1 shows the architecture of the connector.
Figure 1-1 Architecture of a Database Application Tables Connector
See Also:
One of the following guides for conceptual information about providers and data sets:
For Oracle Identity Manager release 9.1.0.x: Oracle Identity Manager Administrative and User Console Guide
For Oracle Identity Manager release 11.1.1 and 11.1.2.x: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
This diagram shows the providers that constitute the connector. The position of each provider is based on its role during reconciliation or provisioning.
The Transformation and Validation Providers are optional elements of the connector. Predefined Transformation and Validation Providers are shipped as part of the generic technology connector framework.
The following predefined providers are the building blocks of the connector:
Note:
The provider parameters mentioned in this section are described later. While creating the connector, you specify values for these parameters. The providers use the parameter values to perform their intended function. For example, the Reconciliation and Provisioning Transport Providers use the Database URL parameter to connect to the target system.
Some of the parameters are common to both the provisioning and reconciliation providers. For example, the Database Driver parameter is common to both the Database Application Tables Reconciliation Transport Provider and the Database Application Tables Provisioning Transport Provider.
Database Application Tables Reconciliation Transport Provider
This provider uses a SQL query to fetch data from the target system. The column names for the SELECT clause of the SQL query are derived from the field mappings that you create while performing the procedure described in "Step 3: Modify Connector Configuration Page". The table names for the FROM clause are derived from the values of the Parent Table/View Name and Child Table/View Names parameters. The WHERE clause is derived from the value of the Customized Query parameter. This clause is optional. In other words, it is not mandatory to enter a value for the Customized Query parameter.
If the primary key constraint cannot be set in the target system, then you use the Unique Attribute parameter to specify the name of the unique key column.
Similarly, if the target system is composed of more than one table or view, then this provider can automatically detect and use referential integrity constraints that have been set between the tables. However, if referential integrity constraints have not been set between parent and child tables, then you can use the Unique Attribute parameter to specify the name of the column that you want to use as the foreign key. The only requirement is that the name of the column must be the same in the parent and child tables.
Note:
If a referential integrity constraint can be set, then ensure that the name of the primary key column in the parent table is the same as the name of the foreign key column in the child table. If this requirement is not met, then the connector cannot detect the referential integrity constraint.
The result set fetched by the SQL query is in a format that is supported by the predefined Reconciliation Format Provider.
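The key-naming requirement for parent and child tables can be checked against the schema before the connector is created. The following is an added example, not part of the Oracle guide or of the connector itself: SQLite stands in for the target system RDBMS, and the table names, the `key_report` function, and its status labels are assumptions made for illustration.

```python
import sqlite3

# Constructed sample schema; SQLite stands in for the target system RDBMS.
SAMPLE_SCHEMA = """
CREATE TABLE app_users  (usr_id TEXT PRIMARY KEY, first_name TEXT);
CREATE TABLE app_groups (usr_id TEXT REFERENCES app_users(usr_id), group_name TEXT);
CREATE TABLE app_roles  (user_ref TEXT REFERENCES app_users(usr_id), role_name TEXT);
CREATE TABLE app_phones (usr_id TEXT, phone TEXT);
CREATE TABLE app_misc   (owner TEXT, note TEXT);
"""

def _quote(name):
    """Quote an identifier so a table name cannot alter the PRAGMA statement."""
    return '"' + name.replace('"', '""') + '"'

def key_report(conn, parent, child):
    """Return (status, columns) for one parent/child pair (hypothetical helper).

    detected         - PK and FK are set and share a column name
    rename-needed    - FK is set but its column name differs from the PK column
    unique-attribute - no usable constraint; a same-named column exists in both
    no-common-column - nothing the Unique Attribute parameter could name
    """
    # table_info rows: (cid, name, type, notnull, dflt_value, pk)
    p_cols = conn.execute(f"PRAGMA table_info({_quote(parent)})").fetchall()
    c_cols = conn.execute(f"PRAGMA table_info({_quote(child)})").fetchall()
    pk = [r[1].lower() for r in p_cols if r[5] > 0]
    # foreign_key_list rows: (id, seq, table, from, to, on_update, on_delete, match)
    fks = [(r[3].lower(), (r[4] or (pk[0] if pk else "")).lower())
           for r in conn.execute(f"PRAGMA foreign_key_list({_quote(child)})")
           if r[2].lower() == parent.lower()]
    if pk and fks:
        same = sorted(f for f, t in fks if f == t and t in pk)
        if same:
            return ("detected", same)
        return ("rename-needed", sorted(f"{f}->{t}" for f, t in fks))
    shared = sorted({r[1].lower() for r in p_cols} & {r[1].lower() for r in c_cols})
    return ("unique-attribute", shared) if shared else ("no-common-column", [])

def check_sample():
    """Run the check for every constructed child table against app_users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    children = ["app_groups", "app_roles", "app_phones", "app_misc"]
    return {c: key_report(conn, "app_users", c) for c in children}

if __name__ == "__main__":
    for child, (status, cols) in check_sample().items():
        print(f"{child:11} {status:17} {cols}")
```

On a real target system the same comparison would be made against that database's own catalog views rather than SQLite PRAGMA statements.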
Database Application Tables Reconciliation Format Provider
This provider converts the format of data fetched by the Database Application Tables Reconciliation Transport Provider into a format supported by Oracle Identity Manager.
Database Application Tables Provisioning Format Provider
This provider converts the format of data sent from Oracle Identity Manager into a format supported by the target system.
Database Application Tables Provisioning Transport Provider
This provider uses INSERT, UPDATE, and DELETE statements to perform provisioning operations on the target system. Like the Database Application Tables Reconciliation Transport Provider, this provider can detect primary and foreign key constraints that are set in the target system. Similarly, if the primary and foreign keys have not been set in the target system, then the value of the Unique Attribute parameter is used during connector operations.
Note:
The Database Application Tables connector does not support the use of stored procedures to perform CRUD operations against a table.
Target resource reconciliation involves fetching data about newly created or modified users on the target system and using this data to add or modify resources assigned to OIM Users. See Oracle Identity Manager Connector Concepts for conceptual information about target resource reconciliation.
The scheduled task that you use to start a target resource reconciliation run is automatically created when you create the connector.
Note:
In Oracle Identity Manager release 11.1.1 and 11.1.2.x, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1 and 11.1.2.x.
See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.
See Also:
One of the following guides:
For Oracle Identity Manager release 9.1.0.x: Oracle Identity Manager Administrative and User Console Guide
For Oracle Identity Manager release 11.1.1 and 11.1.2.x: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Supported Target Resource Reconciliation Functions
The connector supports any of the following actions during a target resource reconciliation run:
For each account created on the target system, a resource is assigned to the corresponding OIM User.
Updates made to each account on the target system are propagated to the corresponding resource.
Deletion of child data from accounts on the target system results in deletion of the same data from the resource. For example, if user John Doe is removed from the Leave Approvers group on the target system, then the same action is performed on the resource assigned to the OIM User John Doe.
Note:
Reconciliation of user account deletion on the target system is not supported in this release.
You create the reconciliation rule when you perform the procedure described in "Step 3: Modify Connector Configuration Page".
You can modify the default rule conditions and actions that are created automatically at the end of the connector creation process. The procedure is described later in this guide.
Provisioning involves creating or modifying a user's data on the target system through Oracle Identity Manager. See Oracle Identity Manager Connector Concepts for conceptual information about provisioning.
The connector supports the following provisioning functions:
Create an account
Update an account
Enable an account
Disable an account
Delete an account
The connector supports any of the following actions during a trusted source reconciliation run:
For each newly created user on the target system, an OIM User is created.
Updates made to each user on the target system are propagated to the corresponding OIM User.
Note:
Reconciliation of user account deletion on the target system is not supported in this release.
You create the reconciliation rule when you perform the procedure described in "Step 3: Modify Connector Configuration Page".
You can modify the default rule conditions and actions that are created automatically at the end of the connector creation process. The procedure is described later in this guide.
Note:
Before you start creating the connector, it is recommended that you read and familiarize yourself with the generic technology connector information in one of the following guides:
For Oracle Identity Manager release 9.1.0.x: Oracle Identity Manager Administrative and User Console Guide
For Oracle Identity Manager release 11.1.1 and 11.1.2.x: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
The following is a summary of the rest of the content in this guide:
Chapter 2, "Tasks to Be Performed Before You Create the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system before you can start creating Database Application Tables connectors.
Chapter 3, "Creating the Connector" describes the procedure to create Database Application Tables connectors. This procedure is based on the procedure to create generic technology connectors given in one of the following guides:
For Oracle Identity Manager release 9.1.0.x: Oracle Identity Manager Administrative and User Console Guide
For Oracle Identity Manager release 11.1.1 and 11.1.2.x: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
Chapter 4, "Known Issues, Workarounds, and Troubleshooting" lists the known issues that you may encounter while using Database Application Tables connectors.
Appendix A, "An Example of the Procedure to Create Connectors" demonstrates the procedure to create a Database Application Tables connector.
Appendix B, "Screenshots of the Step 3: Modify Connector Configuration Page" presents screenshots of pages that you encounter while creating Database Application Tables connectors. These screenshots are referenced in Chapter 3.