1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use Oracle E-Business Suite as a managed (target) resource for Oracle Identity Manager.

In the account management (target resource) mode of the connector, information about users created or modified directly on Oracle E-Business Suite can be reconciled into Oracle Identity Manager. This data is used to provision (assign) resources to or update resources already assigned to OIM Users. In addition, you can use Oracle Identity Manager to provision or update resources assigned to OIM Users. These provisioning operations performed on Oracle Identity Manager translate into the creation of or updates to the corresponding target system accounts.

Note:

At some places in this guide, Oracle E-Business Suite is referred to as the target system.

This chapter is divided in the following sections:

Section 1.1, "Certified Components"
Section 1.2, "Usage Recommendations"
Section 1.3, "Certified Languages"
Section 1.4, "Connector Architecture"
Section 1.5, "Features of the Connector"
Section 1.6, "Reconciliation Process"
Section 1.7, "Provisioning Process"
Section 1.8, "Lookup Definitions Used During Connector Operations"
Section 1.9, "Roadmap for Deploying and Using the Connector"

1.1 Certified Components

Table 1-1 lists the certified components for the connector.

Table 1-1 Certified Components

Component	Requirement
Oracle Identity Manager	You can use one of the following releases of Oracle Identity Manager: Oracle Identity Manager release 9.1.0.2 BP02 and any later BP in this release track Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.2 BP02 and future releases in the 9.1.0.x series that the connector supports. Oracle Identity Manager 11g release 1 (11.1.x) Note: In this guide, Oracle Identity Manager release 11.1.x has been used to denote Oracle Identity Manager 11g release 1 (11.1.x) and future releases in the 11.1.1.x series that the connector supports. Oracle Identity Manager 11g Release 2 (11.1.2.0.1) and any later BP in this release track Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0)
Target system	You can use one of the following releases of Oracle E-Business Suite: Oracle E-Business Suite 11.5.10 Oracle E-Business Suite 12.0.0 through 12.0.6 Oracle E-Business Suite 12.1.0 through 12.1.3 Oracle E-Business Suite 12.2.0 through 12.2.4 These applications may run on Oracle Database 10g or Oracle Database 11g, as either single database or Oracle RAC implementation. Note: Communication between Oracle Identity Manager and the target system can be in SSL or non-SSL mode.
SoD engine	If you want to enable and use the Segregation of Duties (SoD) feature of Oracle Identity Manager with this target system, then install one of the following: If you are using Oracle Identity Manager release 9.1.0.x, then install Oracle Applications Access Controls Governor release 8.2.1 along with the latest patch set. Note: Contact Oracle Support for information about the patch set for release 8.2.1. If you are using Oracle Identity Manager releases 11.1.x and 11.1.2.x, then install Oracle Applications Access Controls Governor release 8.5.1. See Section 1.5.3, "SoD Validation of Entitlement Provisioning" for more information about the SoD feature.
SSO system	The target system can use one of the following single sign-on (SSO) solutions: Oracle Single Sign-On with Oracle Internet Directory as the LDAP-based repository Oracle Access Manager with Microsoft Active Directory, Sun Java System Directory, or Novell eDirectory as the LDAP-based repository
JDK	The JDK requirement is as follows: For Oracle Identity Manager release 9.1.0.x, use JDK 1.5 or later For Oracle Identity Manager release 11.1.x, use JDK 1.6 or later For Oracle Identity Manager release 11.1.2 or later, use JDK 1.6 or later

1.2 Usage Recommendations

If you are using Oracle Identity Manager 11g Release 2 (11.1.2), then you must perform the steps mentioned in Metalink note 1535369.1 to ensure the connector works as expected.

1.3 Certified Languages

The connector supports the following languages:

Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish

See Also:

Oracle Identity Manager Globalization Guide for information about supported special characters

1.4 Connector Architecture

Note:

In Oracle Identity Manager releases 11.1.x and 11.1.2.x, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager releases 11.1.x and 11.1.2.x.

See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

The basic function of the connector is to enable management of user data on Oracle E-Business Suite through Oracle Identity Manager. In other words, Oracle E-Business Suite (the target system) is used as a managed or target resource of Oracle Identity Manager. You can create and manage target system accounts (resources) for OIM Users through provisioning. In addition, data related to newly created and modified target system accounts can be reconciled (using scheduled tasks) and linked with existing OIM Users and provisioned resources.

Figure 1-1 shows the basic architecture of the connector. Data flow between the various components shown in this diagram is explained later in this chapter.

Figure 1-1 Architecture of the Connector

Description of "Figure 1-1 Architecture of the Connector"

1.5 Features of the Connector

The following are features of the connector:

Section 1.5.1, "Oracle E-Business User Management Connectors"
Section 1.5.2, "Management of Entitlements"
Section 1.5.3, "SoD Validation of Entitlement Provisioning"
Section 1.5.4, "Support for an SSO-Enabled Target System Installation"
Section 1.5.5, "Reconciliation of Effective-Dated Events"
Section 1.5.6, "Account Status Reconciliation and Provisioning"
Section 1.5.7, "Configurable Reconciliation Queries"
Section 1.5.8, "Account Password Management"
Section 1.5.9, "Support for Full and Incremental Reconciliation"
Section 1.5.10, "Support for Limited (Filtered) Reconciliation"
Section 1.5.11, "Support for Batched Reconciliation"
Section 1.5.12, "Connection Pooling"

1.5.1 Oracle E-Business User Management Connectors

An FND_USER record represents an Oracle E-Business Suite account. This record is the main component of the account data whose management is enabled by the connector. Depending on your configuration of the target system, there may be other user data components that must be managed by the connector:

Some applications in Oracle E-Business Suite require a user to have a person record in Oracle E-Business HRMS.

These users are either full-time employees of the organization or users (such as contract or part-time employees) who have been provided with access that is similar to the access provided to full-time employees. iExpense is an example of an application that requires users to have person (HRMS) records.
Some applications in the Oracle E-Business Suite require a user to have a record in Oracle E-Business TCA.

Typically, these users are representatives or employees of customers and vendors of your organization. iStore and iProcurement are examples of applications that require users to have TCA records.

The connector can be used to manage any one or a combination of FND_USER, HRMS, and TCA records. Three separate versions of the connector have been provided for this purpose. The following sections provide information about these three connectors:

Section 1.5.1.1, "User Management"
Section 1.5.1.2, "User Management with HR Foundation"
Section 1.5.1.3, "User Management with TCA Foundation"

The following section provides information that is common to all three connectors:

Section 1.5.1.4, "Similarities Between the Three Connectors"
Section 1.5.1.5, "Differences Between the Connectors"

1.5.1.1 User Management

In the User Management connector, you can use the connector to create Oracle E-Business Suite accounts (FND_USER records) for OIM Users and to grant roles and responsibilities to these accounts. You can also reconcile newly created and modified FND_USER records from the target system. These reconciled records are used to create and update Oracle E-Business Suite accounts assigned to OIM Users. These provisioning and reconciliation operations constitute the basic functions of the User Management connector.

The process form stores the User ID of the FND_USER record. All subsequent update operations (through reconciliation or provisioning) on the FND_USER record are performed on the basis of the User ID value.

If required, you can also link an FND_USER record with an existing HRMS person record. Use of this feature arises when the FND_USER record is required to be linked with an HRMS person record for access to intranet applications such as iExpense.

On the target system, the person ID forms the link between the FND_USER record and HRMS person record. For an FND_USER record that is linked with an HRMS record, the value in the EMPLOYEE_ID column of the FND_USER table is the same as the value in the PERSON_ID column of the PER_ALL_PEOPLE_F table.

While provisioning or modifying an already provisioned Oracle E-Business Suite account (FND_USER record), you can specify the person ID of the HRMS person record with which you want to link the FND_USER record. If a match is found, then the person record is linked with the FND_USER record. This person ID constitutes the link between the FND_USER record and the HRMS person record.

1.5.1.2 User Management with HR Foundation

In the User Management with HR Foundation connector, you can use the connector to create FND_USER records for OIM Users and to grant roles and responsibilities to these accounts. You can also reconcile newly created and modified FND_USER records from the target system. This is the same as the basic function of the connector in the User Management connector. In addition, you can create a basic HRMS person record for the user in Oracle E-Business HRMS and link that record with the FND User. As mentioned earlier in this chapter, the existence of an HRMS record is a prerequisite for using some applications in the Oracle E-Business Suite, such as iExpense and iRecruitment. This linking of records can also take place during reconciliation.

Note:

In this guide, the basic HRMS record created by the connector is referred to as the HR Foundation record.

During a Create User provisioning operation, the FND_USER record is created first and then the employee record is created. Next, the link between the FND_USER record and employee record is established. The connector does not check for an existing employee record with the First Name and Last Name values provided during the provisioning operation.

For FND_USER records that are linked with HRMS person records, the value in the EMPLOYEE_ID column in the FND_USER table is the same as the value in the PERSON_ID column of the PER_ALL_PEOPLE_F table.

Note:

You use the Manage HR Records parameter of the IT resource to enable the linking of HRMS Person records with FND_USER records. The IT resource is discussed later in this guide.

The process form stores the User ID of the FND_USER record and the Person ID of the HRMS record. All subsequent update operations (through reconciliation or provisioning) on the FND_USER record are performed on the basis of the User ID value. Similarly, all subsequent update operations (through reconciliation or provisioning) on the HRMS record are performed on the basis of the person ID value.

Guidelines on selecting the User Management with HR Foundation connector

You use the Oracle E-Business Employee Reconciliation connector to configure Oracle E-Business HRMS as a trusted source of Oracle Identity Manager. Ideally, Oracle Identity Manager only reconciles data from a trusted source. You do not perform provisioning (account management) operations on a trusted source.

The User Management with HR Foundation connector creates an HR Foundation record on Oracle E-Business HRMS. This is an account creation (that is, provisioning) operation.

As mentioned earlier, the HR Foundation record is a very basic HRMS person record. The connector supports only creation of and updates to this basic HRMS person record. These provisioning operations cannot be effective dated. For these reasons, you cannot use the connector to manage records on an Oracle E-Business HRMS installation.

In addition, to avoid conflicting data flows, it is strongly recommended that you do not configure a particular Oracle E-Business HRMS installation as both of the following:

A trusted source, by using the Oracle E-Business Employee Reconciliation connector
A target resource, by using the User Management with HR Foundation connector

Note:

If you want the connector to recognize links between HRMS person records and FND_USER records, then use the User Management connector.

1.5.1.3 User Management with TCA Foundation

In the User Management with TCA Foundation connector, you can use the connector to create FND_USER records for OIM Users and to grant roles and responsibilities to these accounts. You can also reconcile newly created and modified FND_USER records from the target system. This is the same as the basic function of the User Management connector. In addition, you can create a basic TCA person-type party record for the user in Oracle E-Business TCA and link that record with the FND User. As mentioned earlier in this chapter, the existence of a TCA party record is a prerequisite for using some applications in the Oracle E-Business Suite, such as iStore. This linking of records can also take place during reconciliation.

Note:

In this guide, the basic TCA person-type party record created by the connector is referred to as the TCA Foundation record.

During a create or modify FND_USER provisioning operation for a particular OIM User, the TCA party record is created the first time you specify First Name and Last Name values for that record. While creating the TCA party record, the connector does not check if another record with the same First Name and Last Name values exists. After the connector creates the TCA party record, the link established through the Party ID returned by Oracle E-Business TCA is used during subsequent updates of the TCA party record.

For FND_USER records that are linked with TCA party records, the value in the PERSON_PARTY_ID column in the FND_USER table is the same as the value in the PARTY_ID column of the HZ_PARTIES table.

Creating a person party ID internally creates or derives customer ID which is same as party ID and links this customer ID, party ID to the CUSTOMER_ID and PERSON_PARTY_ID columns of the FND_USER table, respectively. This connector supports provisioning and reconciliation of customer parties, but does not support provisioning and reconciliation of Suppliers or Vendors.

Note:

You use the Manage TCA Records parameter of the IT resource to enable the linking of TCA party records with FND_USER records. The IT resource is discussed later in this guide.

The process form stores the User ID of the FND_USER record and the Party ID of the TCA record. All subsequent update operations (through reconciliation or provisioning) on the FND_USER record are performed on the basis of the User ID value. Similarly, all subsequent update operations (through reconciliation or provisioning) on the TCA record are performed on the basis of the Party ID value.

1.5.1.4 Similarities Between the Three Connectors

The following are similarities between the three connectors:

The basic provisioning and reconciliation function is the same in all three connectors:

The connector creates and updates FND_USER records.
Connector objects, such as process forms and resource objects, store data related to target system resources assigned to OIM Users. Each connector has its own set of these data objects.
Each connector can be installed independently of the other connectors.
Any combination of the connectors can be installed, in any order.
All three connectors support standard features such as SoD and integration with an SSO-enabled target system. These features are discussed in detail later in this chapter.

1.5.1.5 Differences Between the Connectors

Table 1-2 summarizes the differences between the connectors.

Table 1-2 Differences Between the Connectors

Feature	User Management	User Management with HR Foundation	User Management with TCA Foundation
Provisioning function in addition to the basic provisioning function	The connector can establish a link between an FND_USER record and an existing HRMS person record. The person ID of the FND_USER is used to establish and store the link. You specify the person ID during provisioning operations.	The connector can establish a link between an FND_USER record and an HRMS person record. The existence of an HRMS person record is determined through the Employee Number and Business Group ID attributes of the HRMS person record. If an HRMS person record does not exist, then a basic HRMS person record (HR Foundation record) is created and then linked to the FND_USER record. If an HRMS person record exists, then the person record is linked with the FND_USER record. The person ID of the PER_ALL_PEOPLE_F is used to establish the link. You cannot specify the person ID while provisioning or modifying a provisioned resource. This value is displayed in the process form as a display-only field.	The connector can establish a link between an FND_USER record and a TCA party (person-type) record. The party (person type) record is always created when you run a provisioning process. The PARTY_ID column of the HZ_PARTIES is brought back to Oracle Identity Manager by the API and is used to establish the link with the FND_USER record. You cannot specify the party ID while provisioning or modifying a provisioned resource. This value is displayed in the process form as a display-only field.
Additional reconciliation function	None	During reconciliation, if the connector detects a link between an existing HRMS person record and an FND_USER record, then the same link is established in Oracle Identity Manager. After a link is established with an existing HRMS person record or an HR Foundation record (through provisioning or reconciliation), the connector fetches changes to the FND_USER record and the HRMS person/HR Foundation record during reconciliation.	During reconciliation, if the connector detects a link between an existing TCA party record and an FND_USER record, then the same link is established in Oracle Identity Manager. After a link is established with an existing TCA party record or a TCA Foundation record (through provisioning or reconciliation), the connector fetches changes to the FND_USER record and the TCA party/TCA Foundation record during reconciliation.
Other features	The additional provisioning function is always enabled. You cannot enable or disable that feature.	You can enable and disable the additional provisioning and reconciliation functions by using the Manage HR Records parameter of the IT resource.	You can enable and disable the additional provisioning and reconciliation functions by using the Manage TCA Records parameter of the IT resource.

Feature

User Management

User Management with HR Foundation

User Management with TCA Foundation

Provisioning function in addition to the basic provisioning function

The connector can establish a link between an FND_USER record and an existing HRMS person record. The person ID of the FND_USER is used to establish and store the link. You specify the person ID during provisioning operations.

The connector can establish a link between an FND_USER record and an HRMS person record.

The existence of an HRMS person record is determined through the Employee Number and Business Group ID attributes of the HRMS person record.

If an HRMS person record does not exist, then a basic HRMS person record (HR Foundation record) is created and then linked to the FND_USER record. If an HRMS person record exists, then the person record is linked with the FND_USER record. The person ID of the PER_ALL_PEOPLE_F is used to establish the link.

You cannot specify the person ID while provisioning or modifying a provisioned resource. This value is displayed in the process form as a display-only field.

The connector can establish a link between an FND_USER record and a TCA party (person-type) record.

The party (person type) record is always created when you run a provisioning process. The PARTY_ID column of the HZ_PARTIES is brought back to Oracle Identity Manager by the API and is used to establish the link with the FND_USER record.

You cannot specify the party ID while provisioning or modifying a provisioned resource. This value is displayed in the process form as a display-only field.

Additional reconciliation function

None

During reconciliation, if the connector detects a link between an existing HRMS person record and an FND_USER record, then the same link is established in Oracle Identity Manager.

After a link is established with an existing HRMS person record or an HR Foundation record (through provisioning or reconciliation), the connector fetches changes to the FND_USER record and the HRMS person/HR Foundation record during reconciliation.

During reconciliation, if the connector detects a link between an existing TCA party record and an FND_USER record, then the same link is established in Oracle Identity Manager.

After a link is established with an existing TCA party record or a TCA Foundation record (through provisioning or reconciliation), the connector fetches changes to the FND_USER record and the TCA party/TCA Foundation record during reconciliation.

Other features

The additional provisioning function is always enabled. You cannot enable or disable that feature.

You can enable and disable the additional provisioning and reconciliation functions by using the Manage HR Records parameter of the IT resource.

You can enable and disable the additional provisioning and reconciliation functions by using the Manage TCA Records parameter of the IT resource.

1.5.2 Management of Entitlements

UMX roles and responsibilities are an integral part of the features offered by the target system. These roles and responsibilities are entitlements granted to target system users. An entitlement enables a user to access and use features of the target system to meet the user's job requirements.

Note:

A role can be seen as an alias for a particular responsibility or set of responsibilities. The connector provides similar features for working with both roles and responsibilities.

You can use the connector to:

Synchronize data about entitlements available for assignment to users

See Section 3.2, "Scheduled Task for Lookup Field Synchronization" for more information.
Reconcile data about entitlements assigned to users

See Section 3.3.4, "Reconciliation Scheduled Tasks" for more information.

1.5.3 SoD Validation of Entitlement Provisioning

This connector supports the SoD feature. The following are the focal points of this software update:

The SoD Invocation Library (SIL) is bundled with Oracle Identity Manager release. The SIL acts as a pluggable integration interface with any SoD engine.
The Oracle E-Business User Management connector is preconfigured to work with Oracle Applications Access Controls Governor as the SoD engine. To enable this, changes have been made in the approval and provisioning workflows of the connector.
The SoD engine processes role and responsibility entitlement requests that are sent through the connector. Potential conflicts in role and responsibility assignments can be automatically detected.

See Also:

Oracle Identity Manager Tools Reference for Release 9.1.0.2 for detailed information about the SoD feature

Section 2.3.1, "Configuring SoD" in this guide

1.5.4 Support for an SSO-Enabled Target System Installation

Note:

This feature is available in all three connectors.

Oracle E-Business Suite can be configured to use a single sign-on solution, such as Oracle Single Sign-On or Oracle Access Manager, to authenticate users. Oracle Single Sign-On uses Oracle Internet Directory as an LDAP-based repository for storing user records. Oracle Access Manager can use Microsoft Active Directory, Sun Java System Directory, or Novell eDirectory as the LDAP-based repository. You can configure the connector to work with either one of these SSO solutions during reconciliation and provisioning operations.

Figure 1-2 shows the architecture of the connector with the LDAP system. Data flow between the various components shown in this diagram is explained later in this chapter.

Note:

In this guide, the generic term LDAP system is used to refer to the LDAP system used by the SSO solution in your operating environment.

Figure 1-2 Architecture of the Connector with Configured to Work with an SSO Solution

Description of "Figure 1-2 Architecture of the Connector with Configured to Work with an SSO Solution"

1.5.5 Reconciliation of Effective-Dated Events

Oracle E-Business Suite allows future-dating (effective-dating) of account disable and account enable operations. For example, an administrator on the target system can specify that user John Doe's account must be disabled on 1-April-2009 by setting the Effective Date To that date for the account. This date is stored in the END_DATE column of the target system database table. Similarly, the day an account is revoked can be set in advance. The date for an event of this type is stored in the END_DATE column. For a particular future-dated change, when the current date equals the date stored in the START_DATE or END_DATE column, the appropriate change is made in the person's record on the target system.

The connector can detect and respond to these future-dated lifecycle events.

When you run any of the predefined queries, only records for which changes fall within the START_DATE and END_DATE range are fetched into Oracle Identity Manager.

Similarly, the connector can also respond to future-dated operations in which roles and responsibilities are granted or revoked.

1.5.6 Account Status Reconciliation and Provisioning

When you enable an account on the target system, the Effective Date From field is set to the current date and the Effective Date To field is set to NULL on the target system.

When you disable an account on the target system, the Effective Date To field is set to the current date on the target system.

The same effect can be achieved through provisioning operations performed on Oracle Identity Manager. In addition, status changes made directly on the target system can be copied into Oracle Identity Manager during reconciliation.

See Section 3.6, "Provisioning Operations Performed in an SoD-Enabled Environment" for more information.

1.5.7 Configurable Reconciliation Queries

Reconciliation involves running a SQL query on the target system database to fetch the required user account records to Oracle Identity Manager. Predefined SQL queries are stored in a file in the connector deployment package. You can modify these SQL queries or add your own SQL queries for reconciliation.

See Section 1.6.1, "Reconciliation Queries" for information about the reconciliation queries.

1.5.8 Account Password Management

The connector supports basic password management features. For a particular user, you can specify when the user's password must expire by using the following process form fields:

Password Expiration Type

You use the Password Expiration Type field to specify the factor (or measure) that you want to use to set a value for password expiration. You can select either Accesses or Days as the password expiration type.
Password Expiration Interval

In the Password Expiration Interval field, you specify the number of access or days for which the user must be able to use the password.

For example, if you specify Accesses in the Password Expiration Type field and enter 20 in the Password Expiration Interval field, then the user is prompted to change the user's password at the twenty-first login. Similarly, if you specify Days in the Password Expiration Type field and enter 100 in the Password Expiration Interval field, then the user is prompted to change the user's password on the hundred and first day after setting a new password.

1.5.9 Support for Full and Incremental Reconciliation

In full reconciliation, all user records are fetched from the target system to Oracle Identity Manager. In incremental reconciliation, user records that are added or modified after the last reconciliation run are fetched into Oracle Identity Manager.

The Last Execution Time and Batch Size scheduled task attributes are used to implement full and incremental reconciliation. If the Last Execution Time attribute is set to 0 and the Batch Size attribute is set to a non-zero value, then full reconciliation is performed. If the Last Execution Time attribute holds a non-zero value, then incremental reconciliation is performed.

See Section 3.3.4, "Reconciliation Scheduled Tasks" for more information.

1.5.10 Support for Limited (Filtered) Reconciliation

To limit or filter the records that are fetched into Oracle Identity Manager during a reconciliation run, you can add conditions in the WHERE clause of the reconciliation query that you run.

See Section 3.3.3, "Configuring Limited Reconciliation" for more information.

1.5.11 Support for Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

See Section 3.3.2, "Batched Reconciliation" for more information.

1.5.12 Connection Pooling

A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Manager connectors can use these connections to communicate with target systems. At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.

One connection pool is created for each IT resource. For example, if you have three IT resources for three installations of the target system, then three connection pools will be created, one for each target system installation.

The configuration properties of the connection pool are part of the IT resource definition. Section 2.3.3.6, "Configuring the IT Resource" provides information about setting up the connection pool.

1.6 Reconciliation Process

See Also:

The "Reconciliation" section in Oracle Identity Manager Connector Concepts for conceptual information about target resource reconciliation

The connector is configured to perform target resource reconciliation with the target system. Data from newly created and updated target system records is brought to Oracle Identity Manager and used to create and update Oracle E-Business Suite resources provisioned to OIM Users.

Note:

The reconciliation process is the same for all three connectors. There are three scheduled tasks, one for each connector.

The following is an overview of the steps involved in target resource reconciliation:

A SQL query is used to fetch target system records during reconciliation. All predefined SQL queries are stored in a properties file. Each query in the file is identified by a name. While configuring the scheduled tasks described in Section 3.3.4, "Reconciliation Scheduled Tasks", you specify the name of the query that you want to run as the value of the Query Name attribute.
The scheduled task is run at the time (frequency) that you specify. This scheduled task contains details of the mode of reconciliation you want to perform.
The scheduled task establishes a connection with the target system.
The scheduled task reads values that you set for the task attributes, maps the task attributes to parameters of the reconciliation query, formats the query, and then runs the query on the target system database.
The SQL query is run on the target system database. Target system records that meet the query criteria are fetched into Oracle Identity Manager. In addition:
- If the target system is SSO-enabled, then the USER_GUID value is first read from the target system record. This USER_GUID value is then used to fetch the SSO User ID value from the LDAP system.
  
  Note:
  The USER_GUID and SSO User ID values are fetched by a query that is internal to the connector. The reconciliation query is not used for this purpose.
- If you use the User Management with HR Foundation connector, then HRMS Foundation data from HRMS person records is also fetched for all FND_USER users that are linked with HRMS users.
- If you use the User Management with TCA Foundation connector, then TCA Foundation data from TCA Party records is also fetched for all FND_USER users that are linked with TCA users.
Each user record fetched from the target system is compared with existing target system resources assigned to OIM Users. The reconciliation rule is applied during the comparison process.

See Also:
Section 1.6.3, "Reconciliation Rule"
The next step of the process depends on the outcome of the matching operation:
- If a match is found between the target system record and a resource provisioned to an OIM User, then the resource is updated with changes made to the target system record.
- If no match is found, then the target system user record is compared with existing OIM Users. The next step depends on the outcome of the matching operation:
  - If a match is found, then the target system record is used to provision a resource for the OIM User.
  - If no match is found, then the status of the reconciliation event is set to No Match Found.

The rest of this section discusses connector objects used during reconciliation:

Section 1.6.1, "Reconciliation Queries"
Section 1.6.2, "Target System Columns Used in Reconciliation"
Section 1.6.3, "Reconciliation Rule"
Section 1.6.4, "Reconciliation Action Rules for Target Resource Reconciliation"

1.6.1 Reconciliation Queries

As mentioned earlier in this chapter, a SQL query is used to fetch target system records during reconciliation. All predefined SQL queries are stored in the ebsUMQuery.properties file.

Note:

Depending on your requirements, you can modify existing queries or add your own query in the properties file. Alternatively, you can create and use your own properties file. Section 4.1, "Guidelines on Extending the Functionality of the Connector" provides more information.

The predefined queries are used in conjunction with the Last Execution Time scheduled task attribute. This attribute stores the time stamp at which the last reconciliation run started. When the next reconciliation run begins, only target system records for which the LAST_UPDATE_DATE column value is greater than the value of the Last Execution Time attribute are fetched into Oracle Identity Manager. In other words, only records that were added or modified after the last reconciliation run started are considered for the current reconciliation run.

Note:

If the effective end date of a responsibility granted to a user is changed directly on the target system, then that account will not be reconciled in the next reconciliation run unless some other attribute of the account is also modified.

You can specify a value for the Last Execution Time attribute. See Section 3.3.1, "Reconciliation Time Stamp" for more information.

The following are predefined queries in the ebsUMQuery.properties file:

UM_USER_RECON

This query is used to fetch users' FND_USER records. It is used in the User Management connector.
UM_USER_HRMS_RECON

This query is used to fetch users' FND_USER records and HRMS person records. It is used in the User Management with HR Foundation connector.
UM_USER_TCA_RECON

This query is used to fetch users' FND_USER records and TCA party records. It is used in the User Management with TCA Foundation connector.
UM_USER_RESPONSIBILITIES

This query is used to fetch data about users' responsibility entitlements.
UM_USER_ROLES

This query is used to fetch data about users' role entitlements.

1.6.2 Target System Columns Used in Reconciliation

Columns in the SELECT clause of each predefined query other than the ones for entitlements are directly mapped to process form fields by lookup definitions in Oracle Identity Manager.

For the User Management connector, Table 1-3 lists the target system columns and the process form fields to which they are mapped for reconciliation. These mappings are stored in the Lookup.EBS.UM.UserRecon lookup definition.

Table 1-3 Attribute Mappings for Reconciliation in the User Management Connector

Process Form Field	Target System Column	Description
Person ID	PERSON_ID	Person ID
User ID	USER_ID	User ID This is a mandatory attribute.
User Name	USER_NAME	User name This is a mandatory attribute.
Description	DESCRIPTION	Description
Email	EMAIL_ADDRESS	E-mail address
Fax	FAX	Fax number
Effective Date From	START_DATE	Date from which the account is active This is a mandatory attribute.
Effective Date To	END_DATE	Date up to which the account is active

For the User Management with HR Foundation connector, Table 1-4 lists the target system columns and the process form fields to which they are mapped for reconciliation. These mappings are stored in the Lookup.EBS.UM.UserHRMSRecon lookup definition.

Table 1-4 Attribute Mappings for Reconciliation in the User Management with HR Foundation Connector

Process Form Field	Target System Column	Description
User ID	USER_ID	User ID This is a mandatory attribute.
User Name	USER_NAME	User name This is a mandatory attribute.
Description	DESCRIPTION	Description
Email	EMAIL_ADDRESS	E-mail address
Fax	FAX	Fax number
Effective Date From	START_DATE	Start date of the account This is a mandatory attribute.
Effective Date To	END_DATE	End date of the account
Note: The remaining attributes listed in this table are HR Foundation record attributes.
Employee Number	EMPLOYEE_NUMBER	Employee number
First Name	FIRST_NAME	First name
Last Name	LAST_NAME	Last name
Gender	SEX	Gender
Person Type ID	PERSON_TYPE_ID	Person type ID
Business Group ID	BUSINESS_GROUP_ID	Business group ID
Hire Date	ORIGINAL_DATE_OF_HIRE	Hire date
Person ID	PERSON_ID	Person ID

For the User Management with TCA Foundation connector, Table 1-5 lists the target system columns and the process form fields to which they are mapped for reconciliation. These mappings are stored in the Lookup.EBS.UM.UserTCARecon lookup definition.

Table 1-5 Attribute Mappings for Reconciliation in the User Management with TCA Foundation Connector

Process Form Field	Target System Column	Description
User ID	USER_ID	User ID This is a mandatory attribute.
User Name	USER_NAME	User name This is a mandatory attribute.
Description	DESCRIPTION	Description
Email	EMAIL_ADDRESS	E-mail address
Fax	FAX	Fax number
Effective Date From	START_DATE	Start date of the account This is a mandatory attribute.
Effective Date To	END_DATE	End date of the account
Note: The remaining attributes listed in this table are TCA Foundation record attributes.
First Name	PERSON_FIRST_NAME	First name
Last Name	PERSON_LAST_NAME	Last name
Party ID	PERSON_PARTY_ID	Party ID

For all three connectors, Table 1-6 lists mappings between the target system columns and the process form fields for responsibilities defined on the target system.

Table 1-6 Relationship Between Process Form Fields for Responsibilities and Target System Data Fields

Process Form Field	Target System Column	Description
Application Name	Format of the value: IT_RESOURCE_KEY~APPLICATION_ID Sample value: 1~810	Combination of the IT resource key and the application ID on the target system Note: The IT resource key is a numeric value.
Responsibility Name	Format of the value: IT_RESOURCE_KEY~APPLICATION_ID~RESPONSIBILITY_ID Sample value: 1~810~2751	Combination of the IT resource key, application ID, and responsibility ID on the target system
Effective Start Date	START_DATE	Start date of the responsibility assignment
Effective End Date	END_DATE	End date of the responsibility assignment
Security Group	Format of the value: IT_RESOURCE_KEY~SECURITY_GROUP_ID Sample value: 1~1	Combination of the IT resource key and the security group ID on the target system. Note: The IT resource key is a numeric value.

For all three connectors, Table 1-7 lists mappings between the target system columns and the process form fields for roles defined on the target system.

Table 1-7 Relationship Between Process Form Fields for Roles and Target System Data Fields

Process Form Field	Target System Column	Description
Application Name	Format of the value: IT_RESOURCE_KEY~APPLICATION_ID Sample value: 1~260	Combination of the IT resource key and the application ID on the target system Note: The IT resource key is a numeric value.
Role Name	Format of the value: IT_RESOURCE_KEY~APPLICATION_ID~ROLE_ID Sample value: 1~260~UMX\|UMX_TEST_ROLE	Combination of the IT resource key, application ID, and role ID on the target system
Start Date	start_date	Start date of the role assignment
Expiration Date	expiration_date	End date of the role assignment

1.6.3 Reconciliation Rule

See Also:

Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rules

The following is the reconciliation rule:

Rule name for the User Management connector:

EBS UM Target Resource
Rule name for the User Management with HR Foundation connector:

EBS UM HRMS Target Resource
Rule name for the User Management with TCA Foundation connector:

EBS UM TCA Target Resource

Rule element for all three connectors: User Login Equals User Name

In this rule:

User Login is the field on the OIM User form.
User Name is the target system field.

After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

Log in to the Oracle Identity Manager Design Console.
Expand Development Tools.
Double-click Reconciliation Rules.
Search for the rule name.

1.6.4 Reconciliation Action Rules for Target Resource Reconciliation

Table 1-8 lists the action rules for target resource reconciliation.

Table 1-8 Action Rules for Target Resource Reconciliation

Rule Condition	Action
No Matches Found	Assign to Administrator With Least Load
One Entity Match Found	Establish Link
One Process Match Found	Establish Link

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Identity Manager Design Console Guide for information about modifying or creating reconciliation action rules.

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
Search for and open the resource object. The following are the names of the resource objects for each connector:
- Resource object for the User Management connector:
  
  eBusiness Suite User
- Resource object for the User Management with HR Foundation connector:
  
  eBusiness Suite User HR Foundation
- Resource object for the User Management with TCA Foundation connector:
  
  eBusiness Suite User TCA Foundation
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.

1.7 Provisioning Process

See Also:

The "Provisioning" section in Oracle Identity Manager Connector Concepts for conceptual information about provisioning

Provisioning involves management of user accounts and assignment of responsibilities and roles to users in the target system. When you allocate (or provision) an Oracle E-Business Suite resource to an OIM User, the operation results in the creation of an account on Oracle E-Business Suite for that user. Similarly, when you update the resource on Oracle Identity Manager, the same update is made to the account on the target system.

You can enable the Segregation of Duties (SoD) feature in Oracle Identity Manager for validation of role and responsibility provisioning. When SoD is enabled, a role or responsibility is granted to an OIM User's resource (account) only after the request for the role or responsibility clears the SoD validation process. If a conflicting role or responsibility is detected by the SoD engine, then the role or responsibility request is rejected.

Note:

the SoD validation process is asynchronous. The response from the SoD engine must be brought to Oracle Identity Manager by a scheduled task.

The provisioning process can be started through one of the following events:

Direct provisioning

A user uses the Administrative and User Console to create a target system account for another user.
Request-based provisioning

A user creates a request for a target system account, role, or responsibility, and another user approves this request.
Provisioning triggered by access policy changes

An access policy related to accounts on the target system is modified. When an access policy is modified, it is reevaluated for all users to which it applies.

The following is an overview of the provisioning process:

The provisioning process is started through direct provisioning, request-based provisioning, or an access policy change.
If the target system is configured to work with Oracle Single Sign-On, then:

Note:
There must be a GUID for the user on the LDAP system before the user can be created on the target system. In other words, the user for whom the provisioning operation is being performed must have a record on the LDAP system.
1. The connector first establishes a connection with the LDAP system used by Oracle Single Sign-On. To establish a connection, the connector uses information stored in the IT resource for the LDAP system.
2. From the LDAP system, the connector reads the GUID of the user for whom the provisioning operation is being performed and then adds the GUID to the provisioning data that will be passed on to the target system.
The connector establishes a connection with the target system, and passes the provisioning data to the FND APIs of the target system.
The target system APIs use the provisioning data to perform the required operation (create or update user). The actual steps performed depend on the connector that you are using:
- In the User Management connector, the FND_USER record is created or updated. If the person ID is provided on the process form and a record with the same person ID exists on the target system, then that record is linked with the FND_USER record.
- In the User Management with HR Foundation connector:
  1. The HRMS person record (containing only HRMS Foundation data) is created or updated.
  2. The FND_USER record is created or updated.
    
    Note:
    If the HRMS record is created, then the value in the Person_ID column of the PER_ALL_PEOPLE_F table is copied into the Employee_ID column in the FND_USER table.
- In the User Management with TCA Foundation connector:
  1. The FND_USER record is created or updated.
  2. The TCA Party record (containing only TCA Party foundation data) is created or updated.
    
    Note:
    If the TCA record is created, then the value in the PARTY_ID column of the HZ_PARTIES table is copied into the PERSON_PARTY_ID column in the FND_USER table.
The target system APIs return the status of the operation to the connector.
The connector translates and displays (or logs) the status message returned by the FND APIs.
In an SoD-enabled Oracle Identity Manager system, the connector cannot grant roles or responsibilities directly to the provisioned user account. When a user performs the procedure to provision a role or responsibility, the details of the entitlement request (sent through direct or request-based provisioning) are sent to an SoD engine for conflict analysis. Based on the outcome of the SoD validation process, the entitlement request is either accepted or rejected.

The rest of this section discusses connector objects used during provisioning:

Section 1.7.1, "Request-Based Provisioning of Entitlements"
Section 1.7.2, "Attribute Mappings for Provisioning"
Section 1.7.3, "Provisioning Functions"

1.7.1 Request-Based Provisioning of Entitlements

Note:

On Oracle Identity Manager release 9.1.0.x, you can create separate requests for provisioning:

Target system resources to OIM Users.
Entitlements to OIM Users who have been provisioned target system resources.

On Oracle Identity Manager releases 11.1.x and 11.1.2.x, you can provision entitlements while provisioning a target system resource to an OIM User. In other words, you need not create a new request for provisioning entitlements.

Therefore, information provided in this section is applicable only if you are using Oracle Identity Manager release 9.1.0.x. If you are using Oracle Identity Manager releases 11.1.x and 11.1.2.x, then skip this section.

Roles and responsibilities defined on the target system are entitlements that can be assigned to a user during the Create User provisioning operation. In addition, an existing user can create requests for responsibilities and roles. If you enable SoD in your Oracle Identity Manager installation, then an entitlement is granted only after the SoD validation clears the request for the entitlement. Users can create entitlement requests for themselves. Alternatively, administrators can submit entitlement requests on behalf of a user.

Note:

The connector supports the scenario in which a single request is created for multiple responsibilities and a single approver is assigned the entire request.

Request-based provisioning of responsibilities involves the following steps:

A request for a role or responsibility is created.

Section 3.6, "Provisioning Operations Performed in an SoD-Enabled Environment" describes the procedure to create the request.
The request data is written to an object form.
When the object form is populated with data, it is sent for approval.
After the standard approval process, the SoD Checker process task is triggered. This process task is completed by running the GetSODCheckResultApproval scheduled task from the task scheduler.

Note:
The approver should not approve/deny this task manually while approving the request.

After the SoD Checker process task is run and the SoD Check result is passed, the Human Approval task (if it has been defined) is triggered.
If the approval process clears the request, then the request data is sent to the process form. When this data reaches the target system, the responsibility is assigned to the user.

Note:
If SoD is not enabled or if the provisioning operation does not include entitlement provisioning, then the SODCheckStatus field remains in the SODCheckNotInitiated state.

If the approval process does not clear the request, then the status of the request is set to Denied.

1.7.2 Attribute Mappings for Provisioning

Table 1-9 lists the user identity fields of the target system for which you can specify or modify values during provisioning operations. The third column of this table specifies the connector in which the function is supported.

Note:

During a Create User provisioning operation, the EBS Create User adapter is used to populate values in all the target system attributes. Similarly, during an Update User provisioning operation, the EBS Update User performs this function.

Table 1-9 Attribute Mappings for Provisioning

Process Form Attribute	Target System Attribute	Connector	Mandatory?
User Name	User Name	All	Yes
Password	Password	All	Yes
Description	Description	All
Email	E-Mail	All
Fax	Fax	All
Password Expiration Type This is a lookup field.	Password Expiration Type	All
Password Expiration Interval	Password Expiration Interval	All
Effective Date From	Effective Dates From	All	Yes
Effective Date To	Effective Dates To	All
Person ID Note: This field can be edited in the User Management connector. It is a display-only field in the User Management with HR Foundation connector.	Person ID Note: The Full Name corresponding to the person ID in HRMS person record is displayed on the UI with the label `Person ID`.	User Management and User Management with HR Foundation
SSO User ID	SSO User ID from the LDAP system Note: This attribute is not displayed on the target system UI.	All
User ID This is a display-only field.	User ID Note: This attribute is not displayed on the target system UI.	All
SSO GUID This is a display-only field.	GUID fetched from the LDAP system used by Oracle Single Sign-On This value is stored in the USER_GUID column of the FND_USER table. Note: This attribute is not displayed on the target system UI.	All
Employee Number	Employee Number	User Management with HR Foundation
First Name	First Name (in the User Management with HR Foundation connector) First Name (in the User Management with TCA Foundation connector)	User Management with HR Foundation and User Management with TCA Foundation
Last Name	Last Name (in the User Management with HR Foundation connector) Last Name (in the User Management with TCA Foundation connector)	User Management with HR Foundation and User Management with TCA Foundation
Gender This is a lookup field.	Sex	User Management with HR Foundation
Person Type ID	Person Types	User Management with HR Foundation
Business Group ID	Business Group ID Note: This attribute is not displayed on the target system UI.	User Management with HR Foundation
Party ID This is a display-only field.	Party ID Note: The full name corresponding to the party ID in the TCA Party record is displayed on the target system UI with the label `Customer`.	User Management with TCA Foundation
Hire Date	Latest Start Date	User Management with HR Foundation
Responsibility Child Form Fields (for all three connectors)
Application Name	IT_RESOURCE_KEY~APPLICATION_ID	All
Responsibility Name	IT_RESOURCE_KEY~APPLICATION_ID~RESPONSIBILITY_ID	All	Yes
Effective Start Date	Effective Dates From	All
Effective End Date	Effective Dates To	All
Security Group	IT_RESOURCE_KEY~SECURITY_GROUP_ID All	All
Roles Child Form Fields (for all three connectors)
Application Name	IT_RESOURCE_KEY~APPLICATION_ID	All
Role Name	IT_RESOURCE_KEY~APPLICATION_ID~ROLE_ID	All	Yes
Start Date	Start Date	All
Expiration Date	Expiration Date	All

1.7.3 Provisioning Functions

Table 1-10 lists provisioning functions and the corresponding adapters.

Note:

An Update provisioning operation on child data is not supported.

Table 1-10 Provisioning Functions

Provisioning Function	Adapter	Stored Procedure in Wrapper Package
Create user	EBS Create User	OIM_FND_USER_PKG.CreateUser
Create SSO-enabled user	EBS Create User	OIM_FND_USER_PKG.CreateUser
Disable user	EBS Disable User	OIM_FND_USER_PKG.DisableUser
Update Email	EBS Update User	OIM_FND_USER_PKG.UpdateUser
Update Fax	EBS Update User	OIM_FND_USER_PKG.UpdateUser
Update Password	EBS Update User	OIM_FND_USER_PKG.UpdateUser
Update Description	EBS Update User	OIM_FND_USER_PKG.UpdateUser
Update Effective Date From	EBS Update User	OIM_FND_USER_PKG.UpdateUser
Update Effective Date To	EBS Update User	OIM_FND_USER_PKG.UpdateUser
Update SSO User ID	EBS Update User	OIM_FND_USER_PKG.UpdateUser
Update Password Expiration Type	EBS Update User	OIM_FND_USER_PKG.UpdateUser
Update Password Expiration Interval	EBS Update User	OIM_FND_USER_PKG.UpdateUser
Update Person ID Note: This is applicable only in the User Management connector.	EBS Update User	OIM_FND_USER_PKG.UpdateUser
Enable User	EBS Enable User	OIM_FND_USER_PKG.EnableUser
Add Responsibility	EBS Add Responsibility	OIM_FND_USER_PKG.AddResp
Remove Responsibility	EBS Revoke Responsibility	OIM_FND_USER_PKG.DelResp
Add Role	EBS Add Role	WF_LOCAL_SYNCH_PKG.PropagateUserRole
Remove Role	EBS Revoke Role	WF_LOCAL_SYNCH_PKG.PropagateUserRole
Update User Name	EBS Update Username	OIM_FND_USER_PKG.change_user_name
Functions Specific to the User Management with HR Foundation Connector
Create Employee	EBS Create User HRMS	OIM_EMPLOYEE_WRAPPER.create_emp_api
Delete User	EBS Revoke Employee	OIM_EMPLOYEE_WRAPPER.terminate_emp_api
Delete User Note: It is recommended not to perform a delete employee operation on the target system. However, delete employee operation is configurable by setting the value of DELETE_EMP_RECORD to "Yes" in the Lookup.EBS.UMHRMS.Configuration lookup definition. The default value of DELETE_EMP_RECORD is set to "No" and hence needs to be changed to "Yes".	EBS Revoke Employee	OIM_EMPLOYEE_WRAPPER.delete_emp_api
Update First Name	EBS Update Employee	OIM_EMPLOYEE_WRAPPER.update_person_api
Update Last Name	EBS Update Employee	OIM_EMPLOYEE_WRAPPER.update_person_api
Update Gender	EBS Update Employee	OIM_EMPLOYEE_WRAPPER.update_person_api
Update Person Type ID	EBS Update Employee	OIM_EMPLOYEE_WRAPPER.update_person_api
Update Business Group ID	EBS Update Employee	OIM_EMPLOYEE_WRAPPER.update_person_api
Update Hire Date	EBS Update Employee	OIM_EMPLOYEE_WRAPPER.update_person_api
Functions Specific to the User Management with TCA Foundation Connector
Create Party of Person Type	EBS Create User TCA	OIM_TCA_WRAPPER.create_person_party_api
Delete User	EBS Revoke Party	OIM_TCA_WRAPPER.disable_person_party_api
Delete User Note: It is recommended not to perform a delete employee operation on the target system. However, delete employee operation is configurable by setting the value of DELETE_EMP_RECORD to "Yes" in the Lookup.EBS.UMHRMS.Configuration lookup definition. The default value of DELETE_EMP_RECORD is set to "No" and hence needs to be changed to "Yes".	EBS Revoke Party	OIM_TCA_WRAPPER.delete_person_party_api
Update First Name	EBS Update Party	OIM_TCA_WRAPPER.update_person_party_api
Update Last Name	EBS Update Party	OIM_TCA_WRAPPER.update_person_party_api

1.8 Lookup Definitions Used During Connector Operations

When you deploy the connector, lookup definitions of the following types are created in Oracle Identity Manager:

Lookup definitions corresponding to lookup fields on the target system
Lookup definitions that store configuration information

The following sections discuss lookup definitions used by the connector:

Section 1.8.1, "Lookup Definitions That Are Common to All Three Connectors"
Section 1.8.2, "Lookup Definitions That Are Specific to the User Management Connector"
Section 1.8.3, "Lookup Definitions That Are Specific to the User Management with HR Foundation Connector"
Section 1.8.4, "Lookup Definitions That Are Specific to the User Management with TCA Foundation Connector"

1.8.1 Lookup Definitions That Are Common to All Three Connectors

Table 1-11 describes lookup definitions that are common to all three connectors.

Table 1-11 Lookup Definitions Common to All Three Connectors

Lookup Definition	Code Key	Decode	Input Source
Lookup.EBS.Application	Combination of the following elements: A number assigned to the IT resource for the target system installation from which values are synchronized Application ID on the target system Sample value: `1~694` In this example, 1 is the number assigned to the IT resource for the target system installation and 694 is the application ID assigned to the application in the target system.	Short name for the application in the target system Sample value: `PRP`	You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system.
Lookup.EBS.SecurityGroup	Combination of the following elements: A number assigned to the IT resource for the target system installation from which values are synchronized Security Group Name on the target system Sample value: `1~1` In this example, 1 is the number assigned to the IT resource for the target system installation and 1 is the application ID assigned to the application in the target system.	Short name for the Security Group Name in the target system Sample value: `GOVERNMENT`	You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system.
Lookup.EBS.Responsibility	Combination of the following elements: Number assigned to the IT resource for the target system installation from which values are synchronized Application ID on the target system Responsibility ID on the target system Sample value: 1~694~20903 In this sample value, 1 is the number assigned to the IT resource for the target system installation, 694 is the application ID, and 20903 is the responsibility ID.	Responsibility name of the corresponding application in the target system Sample Value: `MRC Purchasing Manager`	You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system.
Lookup.EBS.UMX.Roles	Combination of three elements: A number assigned to the IT resource for the target system installation from which values are synchronized Application ID on the target system Role name on the target system Sample value: `1~694~UMX\|UMX_EXT_ADMN` In this example, 1 is the number assigned to the IT resource for the target system installation, FND-UMX is the short name for the application, and UMX_EXT_ADMN is the role name.	Display name of the role on the target system Sample Value: `Customer Administrator`	You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system.
Lookup.EBS.PasswordExpirationType	Unit of measurement for specifying the password expiration type The value can be one of the following: Accesses Days None	Unit of measurement for specifying the password expiration type The value can be one of the following: Accesses Days None	This lookup definition is preconfigured. You must not modify this lookup definition.

1.8.2 Lookup Definitions That Are Specific to the User Management Connector

Table 1-12 describes lookup definitions that are specific to the User Management connector.

Table 1-12 Lookup Definitions Specific to the User Management Connector

Lookup Definition	Code Key	Decode	Input Source
Lookup.EBS.UM.UserProvisioning	Process form field name Sample value: UD_EBS_USER_USRNAME	Corresponding argument of the stored procedure used for user provisioning Sample Value: x_user_name,1,varchar2,IN	This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.
Lookup.EBS.UM.UserRecon	Reconciliation field of resource object Sample value: User Name	Corresponding column names or column alias names used in reconciliation query Sample value: USER_NAME	This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for reconciliation. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.
Lookup.EBS.Responsibility.Mapping Note: This lookup definition is used for entitlement provisioning.	Name of the process form column for the responsibility attributes in the eBusiness Suite User Responsibility resource object	Name of the process form column for the responsibility attribute in the eBusiness Suite User resource object	This lookup definition is preconfigured. You must not modify this lookup definition.
Lookup.EBS.Role.Mapping	Name of the process form column for the role attributes in eBusiness Suite User Role resource object	Name of the process form column for the role attribute in the eBusiness Suite User resource object	This lookup definition is preconfigured. You must not modify this lookup definition.
Lookup.EBS.UM.QueryFilters	Filter parameters that you want to append to the reconciliation SQL query	See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about the Decode value.	See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about this lookup definition.
Lookup.EBS.UM.Configuration	Configurable data items used by the connector during both reconciliation and provisioning	Values of the configurable parameters	You can modify some of entries in this lookup definition. See Section 3.1, "Setting Up Lookup Definitions in Oracle Identity Manager" for more information.

1.8.3 Lookup Definitions That Are Specific to the User Management with HR Foundation Connector

Table 1-13 describes lookup definitions that are specific to the User Management with HR Foundation connector.

Table 1-13 Lookup Definitions Specific to the User Management with HR Foundation Connector

Lookup Definition	Code Key	Decode	Input Source
Lookup.EBS.Gender	Code for gender Sample value: `M`	Display name of gender Sample value: `Male`	This lookup definition is preconfigured. You must not modify this lookup definition.
Lookup.EBS.UM.UserHRMSProvisioning	Process form field name Sample value: `UD_EBSH_USR_USRNAME`	Information about the corresponding argument in the stored procedure used for user provisioning Sample Value: `x_user_name,1,varchar2,IN`	This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.
Lookup.EBS.UM.UserHRMSRecon	Reconciliation fields of resource object Sample value: `Employee Number`	Column names or column name alias used in the reconciliation query Sample value: `EMPLOYEE_NUMBER`	This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for reconciliation. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.
Lookup.EBS.UM.CreateEmployee	Process form field name Sample value: `UD_EBSH_USR_EMPNUM`	Information about the corresponding argument in the stored procedure used for HRMS person record provisioning Sample Value: `p_employee_number,7,varchar2,IN OUT`	This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.
Lookup.EBS.UM.UpdateEmployee	Process form field name Sample value: `UD_EBSH_USR_EMPNUM`	Information about the corresponding argument in the stored procedure used for HRMS person record provisioning Sample Value: `p_employee_number,8,varchar2,IN OUT`	You must not modify or remove existing attributes in this lookup defintion. However, you can add or remove new attributes for provisioning.
Lookup.EBS.HRMSResponsibility.Mapping Note: This lookup definition is used for request-based responsibility provisioning.	Name of the process form column for the responsibility attributes in the eBusiness Suite User HR Foundation Responsibility resource object	Name of the process form column for the responsibility attribute in the eBusiness Suite User HR Foundation resource object	You must not modify this lookup definition.
Lookup.EBS. HRMSRoles.Mapping Note: This lookup definition is used for request-based role provisioning.	Name of the process form column for the role attributes in the eBusiness Suite User HR Foundation Role resource object	Name of the process form column for the role attribute in the eBusiness Suite User HR Foundation resource object	You must not modify this lookup definition.
Lookup.EBS.UMHRMS.QueryFilters	Filter parameters that you want to append to the reconciliation SQL query	See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about the Decode value.	See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about this lookup definition.
Lookup.EBS.UMHRMS.EmployeeInfoMapping	Name of the process form column for information about the HR Foundation person record	Name of the column used for fetching the person record data from the target system database	This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.
Lookup.EBS.UMHRMS.Configuration	Configurable data items used by the connector during both reconciliation and provisioning	Values of the configurable parameters	You can modify some of entries in this lookup definition. See Section 3.1, "Setting Up Lookup Definitions in Oracle Identity Manager" for more information.

1.8.4 Lookup Definitions That Are Specific to the User Management with TCA Foundation Connector

Table 1-14 describes lookup definitions that are specific to the User Management with TCA Foundation connector.

Table 1-14 Lookup Definitions Synchronized with the Target System

Lookup Definition	Code Key	Decode	Input Source
Lookup.EBS.UM.UserTCAProvisioning	Process form field name Sample value: `UD_EBST_USR_USRNAME`	Information about the corresponding argument in the stored procedure used for user provisioning Sample Value: `x_user_name,1,varchar2,IN`	This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.
Lookup.EBS.UM.PartyProvisioning	Process form field name Sample value: `UD_EBST_USR_FNAME`	Information about the corresponding argument in the stored procedure used for HRMS Person provisioning Sample Value: `p1_a1,9,varchar2,IN`	This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.
Lookup.EBS.UM.UpdateParty	Process form field name Sample value: `UD_EBST_USR_FNAME`	Information about the corresponding argument in the stored procedure used for HRMS Person provisioning Sample Value: `p1_a1,9,varchar2,IN`	You must not modify or remove existing attributes in this lookup defintion. However, you can add or remove new attributes for provisioning.
Lookup.EBS.UM.UserTCARecon	Reconciliation field of resource object Sample value: `First Name`	Column name or column alias name used in reconciliation query Sample value: `FIRST_NAME`	This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for reconciliation. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.
Lookup.EBS.UserTCAResponsibility.Mapping Note: This lookup definition is used for entitlement provisioning.	Name of the process form column for the responsibility attributes in the eBusiness Suite User TCA Foundation Responsibility	Name of the process form column for the responsibility attribute in the eBusiness Suite User TCA Foundation resource object	You must not modify this lookup definition.
Lookup.EBS. TCARoles.Mapping	Name of the process form column for the role attributes in the eBusiness Suite User TCA Foundation Role resource object	Name of the process form column for the role attribute in the eBusiness Suite User TCA Foundation resource object	You must not modify this lookup definition.
Lookup.EBS.UMTCA.QueryFilters	Name of the process form column for information about the TCA Foundation person record	Name of the column used for fetching the person record data from the target system database	See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about this lookup definition
Lookup.EBS.UMTCA.Configuration	Configurable data items used by the connector during both reconciliation and provisioning	Values of the configurable parameters	You can modify some of entries in this lookup definition. See Section 3.1, "Setting Up Lookup Definitions in Oracle Identity Manager" for more information.

1.9 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide:

Chapter 2, "Deploying the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
Chapter 3, "Using the Connector" describes guidelines on using the connector and the procedure to configure reconciliation runs and perform provisioning operations.
Chapter 4, "Extending the Functionality of the Connector" describes procedures that you can perform if you want to extend the functionality of the connector.
Chapter 5, "Testing and Troubleshooting" describes the procedure to use the connector testing utility and the Diagnostic Dashboard for testing the connector.
Chapter 6, "Known Issues" lists known issues associated with this release of the connector.