1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use Oracle E-Business Suite as a managed (target) resource for Oracle Identity Manager.

In the account management (target resource) mode of the connector, information about users created or modified directly on Oracle E-Business Suite can be reconciled into Oracle Identity Manager. This data is used to provision (assign) resources to or update resources already assigned to OIM Users. In addition, you can use Oracle Identity Manager to provision or update resources assigned to OIM Users. These provisioning operations performed on Oracle Identity Manager translate into the creation of or updates to the corresponding target system accounts.

Note:

At some places in this guide, Oracle E-Business Suite is referred to as the target system.

This chapter is divided into the following sections:

1.1 Certified Components

Table 1-1 lists the certified components for the connector.

Table 1-1 Certified Components

Component Requirement

Oracle Identity Manager

You can use one of the following releases of Oracle Identity Manager:

  • Oracle Identity Manager release 9.1.0.2 BP02 and any later BP in this release track

    Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.2 BP02 and future releases in the 9.1.0.x series that the connector supports.

  • Oracle Identity Manager 11g release 1 (11.1.x)

    Note: In this guide, Oracle Identity Manager release 11.1.x has been used to denote Oracle Identity Manager 11g release 1 (11.1.x) and future releases in the 11.1.1.x series that the connector supports.

  • Oracle Identity Manager 11g Release 2 (11.1.2.0.1) and any later BP in this release track

  • Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0)

Target system

You can use one of the following releases of Oracle E-Business Suite:

  • Oracle E-Business Suite 11.5.10

  • Oracle E-Business Suite 12.0.0 through 12.0.6

  • Oracle E-Business Suite 12.1.0 through 12.1.3

  • Oracle E-Business Suite 12.2.0 through 12.2.4

These applications may run on Oracle Database 10g or Oracle Database 11g, as either single database or Oracle RAC implementation.

Note: Communication between Oracle Identity Manager and the target system can be in SSL or non-SSL mode.

SoD engine

If you want to enable and use the Segregation of Duties (SoD) feature of Oracle Identity Manager with this target system, then install one of the following:

  • If you are using Oracle Identity Manager release 9.1.0.x, then install Oracle Applications Access Controls Governor release 8.2.1 along with the latest patch set.

    Note: Contact Oracle Support for information about the patch set for release 8.2.1.

  • If you are using Oracle Identity Manager releases 11.1.x and 11.1.2.x, then install Oracle Applications Access Controls Governor release 8.5.1.

See Section 1.5.3, "SoD Validation of Entitlement Provisioning" for more information about the SoD feature.

SSO system

The target system can use one of the following single sign-on (SSO) solutions:

  • Oracle Single Sign-On with Oracle Internet Directory as the LDAP-based repository

  • Oracle Access Manager with Microsoft Active Directory, Sun Java System Directory, or Novell eDirectory as the LDAP-based repository

JDK

The JDK requirement is as follows:

  • For Oracle Identity Manager release 9.1.0.x, use JDK 1.5 or later

  • For Oracle Identity Manager release 11.1.x, use JDK 1.6 or later

  • For Oracle Identity Manager release 11.1.2 or later, use JDK 1.6 or later


1.2 Usage Recommendations

If you are using Oracle Identity Manager 11g Release 2 (11.1.2), then you must perform the steps mentioned in Metalink note 1535369.1 to ensure the connector works as expected.

1.3 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Danish

  • English

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Portuguese (Brazilian)

  • Spanish

See Also:

Oracle Identity Manager Globalization Guide for information about supported special characters

1.4 Connector Architecture

Note:

In Oracle Identity Manager releases 11.1.x and 11.1.2.x, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager releases 11.1.x and 11.1.2.x.

See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

The basic function of the connector is to enable management of user data on Oracle E-Business Suite through Oracle Identity Manager. In other words, Oracle E-Business Suite (the target system) is used as a managed or target resource of Oracle Identity Manager. You can create and manage target system accounts (resources) for OIM Users through provisioning. In addition, data related to newly created and modified target system accounts can be reconciled (using scheduled tasks) and linked with existing OIM Users and provisioned resources.

Figure 1-1 shows the basic architecture of the connector. Data flow between the various components shown in this diagram is explained later in this chapter.

Figure 1-1 Architecture of the Connector


1.5 Features of the Connector

The following are features of the connector:

1.5.1 Oracle E-Business User Management Connectors

An FND_USER record represents an Oracle E-Business Suite account. This record is the main component of the account data whose management is enabled by the connector. Depending on your configuration of the target system, there may be other user data components that must be managed by the connector:

  • Some applications in Oracle E-Business Suite require a user to have a person record in Oracle E-Business HRMS.

    These users are either full-time employees of the organization or users (such as contract or part-time employees) who have been provided with access that is similar to the access provided to full-time employees. iExpense is an example of an application that requires users to have person (HRMS) records.

  • Some applications in the Oracle E-Business Suite require a user to have a record in Oracle E-Business TCA.

    Typically, these users are representatives or employees of customers and vendors of your organization. iStore and iProcurement are examples of applications that require users to have TCA records.

The connector can be used to manage any one or a combination of FND_USER, HRMS, and TCA records. Three separate versions of the connector have been provided for this purpose. The following sections provide information about these three connectors:

The following section provides information that is common to all three connectors:

1.5.1.1 User Management

In the User Management connector, you can use the connector to create Oracle E-Business Suite accounts (FND_USER records) for OIM Users and to grant roles and responsibilities to these accounts. You can also reconcile newly created and modified FND_USER records from the target system. These reconciled records are used to create and update Oracle E-Business Suite accounts assigned to OIM Users. These provisioning and reconciliation operations constitute the basic functions of the User Management connector.

The process form stores the User ID of the FND_USER record. All subsequent update operations (through reconciliation or provisioning) on the FND_USER record are performed on the basis of the User ID value.

If required, you can also link an FND_USER record with an existing HRMS person record. Use of this feature arises when the FND_USER record is required to be linked with an HRMS person record for access to intranet applications such as iExpense.

On the target system, the person ID forms the link between the FND_USER record and HRMS person record. For an FND_USER record that is linked with an HRMS record, the value in the EMPLOYEE_ID column of the FND_USER table is the same as the value in the PERSON_ID column of the PER_ALL_PEOPLE_F table.

While provisioning or modifying an already provisioned Oracle E-Business Suite account (FND_USER record), you can specify the person ID of the HRMS person record with which you want to link the FND_USER record. If a match is found, then the person record is linked with the FND_USER record. This person ID constitutes the link between the FND_USER record and the HRMS person record.

1.5.1.2 User Management with HR Foundation

In the User Management with HR Foundation connector, you can use the connector to create FND_USER records for OIM Users and to grant roles and responsibilities to these accounts. You can also reconcile newly created and modified FND_USER records from the target system. This is the same as the basic function of the User Management connector. In addition, you can create a basic HRMS person record for the user in Oracle E-Business HRMS and link that record with the FND_USER record. As mentioned earlier in this chapter, the existence of an HRMS record is a prerequisite for using some applications in the Oracle E-Business Suite, such as iExpense and iRecruitment. This linking of records can also take place during reconciliation.

Note:

In this guide, the basic HRMS record created by the connector is referred to as the HR Foundation record.

During a Create User provisioning operation, the FND_USER record is created first and then the employee record is created. Next, the link between the FND_USER record and employee record is established. The connector does not check for an existing employee record with the First Name and Last Name values provided during the provisioning operation.

For FND_USER records that are linked with HRMS person records, the value in the EMPLOYEE_ID column in the FND_USER table is the same as the value in the PERSON_ID column of the PER_ALL_PEOPLE_F table.

Note:

You use the Manage HR Records parameter of the IT resource to enable the linking of HRMS Person records with FND_USER records. The IT resource is discussed later in this guide.

The process form stores the User ID of the FND_USER record and the Person ID of the HRMS record. All subsequent update operations (through reconciliation or provisioning) on the FND_USER record are performed on the basis of the User ID value. Similarly, all subsequent update operations (through reconciliation or provisioning) on the HRMS record are performed on the basis of the person ID value.

Guidelines on selecting the User Management with HR Foundation connector

You use the Oracle E-Business Employee Reconciliation connector to configure Oracle E-Business HRMS as a trusted source of Oracle Identity Manager. Ideally, Oracle Identity Manager only reconciles data from a trusted source. You do not perform provisioning (account management) operations on a trusted source.

The User Management with HR Foundation connector creates an HR Foundation record on Oracle E-Business HRMS. This is an account creation (that is, provisioning) operation.

As mentioned earlier, the HR Foundation record is a very basic HRMS person record. The connector supports only creation of and updates to this basic HRMS person record. These provisioning operations cannot be effective dated. For these reasons, you cannot use the connector to manage records on an Oracle E-Business HRMS installation.

In addition, to avoid conflicting data flows, it is strongly recommended that you do not configure a particular Oracle E-Business HRMS installation as both of the following:

  • A trusted source, by using the Oracle E-Business Employee Reconciliation connector

  • A target resource, by using the User Management with HR Foundation connector

Note:

If you want the connector to recognize links between HRMS person records and FND_USER records, then use the User Management connector.

1.5.1.3 User Management with TCA Foundation

In the User Management with TCA Foundation connector, you can use the connector to create FND_USER records for OIM Users and to grant roles and responsibilities to these accounts. You can also reconcile newly created and modified FND_USER records from the target system. This is the same as the basic function of the User Management connector. In addition, you can create a basic TCA person-type party record for the user in Oracle E-Business TCA and link that record with the FND_USER record. As mentioned earlier in this chapter, the existence of a TCA party record is a prerequisite for using some applications in the Oracle E-Business Suite, such as iStore. This linking of records can also take place during reconciliation.

Note:

In this guide, the basic TCA person-type party record created by the connector is referred to as the TCA Foundation record.

During a create or modify FND_USER provisioning operation for a particular OIM User, the TCA party record is created the first time you specify First Name and Last Name values for that record. While creating the TCA party record, the connector does not check if another record with the same First Name and Last Name values exists. After the connector creates the TCA party record, the link established through the Party ID returned by Oracle E-Business TCA is used during subsequent updates of the TCA party record.

For FND_USER records that are linked with TCA party records, the value in the PERSON_PARTY_ID column in the FND_USER table is the same as the value in the PARTY_ID column of the HZ_PARTIES table.

Creating a person party ID internally creates or derives a customer ID, which is the same as the party ID. The customer ID and party ID are then stored in the CUSTOMER_ID and PERSON_PARTY_ID columns of the FND_USER table, respectively. This connector supports provisioning and reconciliation of customer parties, but does not support provisioning and reconciliation of Suppliers or Vendors.

Note:

You use the Manage TCA Records parameter of the IT resource to enable the linking of TCA party records with FND_USER records. The IT resource is discussed later in this guide.

The process form stores the User ID of the FND_USER record and the Party ID of the TCA record. All subsequent update operations (through reconciliation or provisioning) on the FND_USER record are performed on the basis of the User ID value. Similarly, all subsequent update operations (through reconciliation or provisioning) on the TCA record are performed on the basis of the Party ID value.
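The link columns described in Sections 1.5.1.1 through 1.5.1.3 can be audited directly, and because the connector does not check for an existing person or party record with the same First Name and Last Name, duplicates are worth looking for as well. The following is an added example, not code from the connector: it builds a constructed in-memory SQLite copy of the three tables, in which the name columns and all rows are assumptions, and reports dangling links and duplicate names.

```python
import sqlite3

# Constructed miniature of the three target-system tables named above. The
# link columns come from the guide; the name columns and every row are
# assumptions made for this illustration.
SCHEMA = """
CREATE TABLE FND_USER (USER_ID INTEGER PRIMARY KEY, USER_NAME TEXT,
                       EMPLOYEE_ID INTEGER, PERSON_PARTY_ID INTEGER);
CREATE TABLE PER_ALL_PEOPLE_F (PERSON_ID INTEGER, FIRST_NAME TEXT, LAST_NAME TEXT);
CREATE TABLE HZ_PARTIES (PARTY_ID INTEGER, PERSON_FIRST_NAME TEXT,
                         PERSON_LAST_NAME TEXT);
"""

# FND_USER rows whose link value points at no person or party record.
DANGLING_SQL = """
SELECT u.USER_NAME, 'EMPLOYEE_ID', u.EMPLOYEE_ID
  FROM FND_USER u
 WHERE u.EMPLOYEE_ID IS NOT NULL
   AND NOT EXISTS (SELECT 1 FROM PER_ALL_PEOPLE_F p
                    WHERE p.PERSON_ID = u.EMPLOYEE_ID)
UNION ALL
SELECT u.USER_NAME, 'PERSON_PARTY_ID', u.PERSON_PARTY_ID
  FROM FND_USER u
 WHERE u.PERSON_PARTY_ID IS NOT NULL
   AND NOT EXISTS (SELECT 1 FROM HZ_PARTIES h
                    WHERE h.PARTY_ID = u.PERSON_PARTY_ID)
ORDER BY 1
"""

# One name held by more than one PERSON_ID. DISTINCT matters because a person
# can have several rows in PER_ALL_PEOPLE_F.
DUP_PERSON_SQL = """
SELECT UPPER(FIRST_NAME), UPPER(LAST_NAME), COUNT(DISTINCT PERSON_ID)
  FROM PER_ALL_PEOPLE_F
 GROUP BY UPPER(FIRST_NAME), UPPER(LAST_NAME)
HAVING COUNT(DISTINCT PERSON_ID) > 1
"""

DUP_PARTY_SQL = """
SELECT UPPER(PERSON_FIRST_NAME), UPPER(PERSON_LAST_NAME), COUNT(DISTINCT PARTY_ID)
  FROM HZ_PARTIES
 GROUP BY UPPER(PERSON_FIRST_NAME), UPPER(PERSON_LAST_NAME)
HAVING COUNT(DISTINCT PARTY_ID) > 1
"""


def build_sample_db():
    """Return an in-memory database loaded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO FND_USER VALUES (?, ?, ?, ?)", [
        (1001, "JDOE", 501, None),       # valid HRMS link
        (1002, "ASMITH", 599, None),     # EMPLOYEE_ID with no person record
        (1003, "VENDOR1", None, 9001),   # valid TCA link
        (1004, "VENDOR2", None, 9999),   # PERSON_PARTY_ID with no party record
    ])
    conn.executemany("INSERT INTO PER_ALL_PEOPLE_F VALUES (?, ?, ?)", [
        (501, "John", "Doe"),
        (502, "john", "doe"),            # second person record, same name
        (503, "Ann", "Smith"),
        (503, "Ann", "Smith"),           # same person, second row
    ])
    conn.executemany("INSERT INTO HZ_PARTIES VALUES (?, ?, ?)", [
        (9001, "Vera", "Endor"),
        (9002, "Vera", "Endor"),         # second party record, same name
    ])
    return conn


def dangling_links(conn):
    return conn.execute(DANGLING_SQL).fetchall()


def duplicate_people(conn):
    return conn.execute(DUP_PERSON_SQL).fetchall()


def duplicate_parties(conn):
    return conn.execute(DUP_PARTY_SQL).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("Dangling links:   ", dangling_links(db))
    print("Duplicate people: ", duplicate_people(db))
    print("Duplicate parties:", duplicate_parties(db))
```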

1.5.1.4 Similarities Between the Three Connectors

The following are similarities between the three connectors:

  • The basic provisioning and reconciliation function is the same in all three connectors:

    The connector creates and updates FND_USER records.

  • Connector objects, such as process forms and resource objects, store data related to target system resources assigned to OIM Users. Each connector has its own set of these data objects.

  • Each connector can be installed independently of the other connectors.

  • Any combination of the connectors can be installed, in any order.

  • All three connectors support standard features such as SoD and integration with an SSO-enabled target system. These features are discussed in detail later in this chapter.

1.5.1.5 Differences Between the Connectors

Table 1-2 summarizes the differences between the connectors.

Table 1-2 Differences Between the Connectors

Feature: Provisioning function in addition to the basic provisioning function

  • User Management

    The connector can establish a link between an FND_USER record and an existing HRMS person record. The person ID of the FND_USER is used to establish and store the link. You specify the person ID during provisioning operations.

  • User Management with HR Foundation

    The connector can establish a link between an FND_USER record and an HRMS person record.

    The existence of an HRMS person record is determined through the Employee Number and Business Group ID attributes of the HRMS person record.

    If an HRMS person record does not exist, then a basic HRMS person record (HR Foundation record) is created and then linked to the FND_USER record. If an HRMS person record exists, then the person record is linked with the FND_USER record. The person ID of the PER_ALL_PEOPLE_F is used to establish the link.

    You cannot specify the person ID while provisioning or modifying a provisioned resource. This value is displayed in the process form as a display-only field.

  • User Management with TCA Foundation

    The connector can establish a link between an FND_USER record and a TCA party (person-type) record.

    The party (person type) record is always created when you run a provisioning process. The PARTY_ID column of the HZ_PARTIES is brought back to Oracle Identity Manager by the API and is used to establish the link with the FND_USER record.

    You cannot specify the party ID while provisioning or modifying a provisioned resource. This value is displayed in the process form as a display-only field.

Feature: Additional reconciliation function

  • User Management

    None

  • User Management with HR Foundation

    During reconciliation, if the connector detects a link between an existing HRMS person record and an FND_USER record, then the same link is established in Oracle Identity Manager.

    After a link is established with an existing HRMS person record or an HR Foundation record (through provisioning or reconciliation), the connector fetches changes to the FND_USER record and the HRMS person/HR Foundation record during reconciliation.

  • User Management with TCA Foundation

    During reconciliation, if the connector detects a link between an existing TCA party record and an FND_USER record, then the same link is established in Oracle Identity Manager.

    After a link is established with an existing TCA party record or a TCA Foundation record (through provisioning or reconciliation), the connector fetches changes to the FND_USER record and the TCA party/TCA Foundation record during reconciliation.

Feature: Other features

  • User Management

    The additional provisioning function is always enabled. You cannot enable or disable that feature.

  • User Management with HR Foundation

    You can enable and disable the additional provisioning and reconciliation functions by using the Manage HR Records parameter of the IT resource.

  • User Management with TCA Foundation

    You can enable and disable the additional provisioning and reconciliation functions by using the Manage TCA Records parameter of the IT resource.


1.5.2 Management of Entitlements

UMX roles and responsibilities are an integral part of the features offered by the target system. These roles and responsibilities are entitlements granted to target system users. An entitlement enables a user to access and use features of the target system to meet the user's job requirements.

Note:

A role can be seen as an alias for a particular responsibility or set of responsibilities. The connector provides similar features for working with both roles and responsibilities.

You can use the connector to:

1.5.3 SoD Validation of Entitlement Provisioning

This connector supports the SoD feature. The following are the focal points of this software update:

  • The SoD Invocation Library (SIL) is bundled with the Oracle Identity Manager release. The SIL acts as a pluggable integration interface with any SoD engine.

  • The Oracle E-Business User Management connector is preconfigured to work with Oracle Applications Access Controls Governor as the SoD engine. To enable this, changes have been made in the approval and provisioning workflows of the connector.

  • The SoD engine processes role and responsibility entitlement requests that are sent through the connector. Potential conflicts in role and responsibility assignments can be automatically detected.

See Also:

Oracle Identity Manager Tools Reference for Release 9.1.0.2 for detailed information about the SoD feature

Section 2.3.1, "Configuring SoD" in this guide

1.5.4 Support for an SSO-Enabled Target System Installation

Note:

This feature is available in all three connectors.

Oracle E-Business Suite can be configured to use a single sign-on solution, such as Oracle Single Sign-On or Oracle Access Manager, to authenticate users. Oracle Single Sign-On uses Oracle Internet Directory as an LDAP-based repository for storing user records. Oracle Access Manager can use Microsoft Active Directory, Sun Java System Directory, or Novell eDirectory as the LDAP-based repository. You can configure the connector to work with either one of these SSO solutions during reconciliation and provisioning operations.

Figure 1-2 shows the architecture of the connector with the LDAP system. Data flow between the various components shown in this diagram is explained later in this chapter.

Note:

In this guide, the generic term LDAP system is used to refer to the LDAP system used by the SSO solution in your operating environment.

Figure 1-2 Architecture of the Connector Configured to Work with an SSO Solution


1.5.5 Reconciliation of Effective-Dated Events

Oracle E-Business Suite allows future-dating (effective-dating) of account disable and account enable operations. For example, an administrator on the target system can specify that user John Doe's account must be disabled on 1-April-2009 by setting the Effective Date To field of the account to that date. This date is stored in the END_DATE column of the target system database table. Similarly, the day an account is revoked can be set in advance. The date for an event of this type is stored in the END_DATE column. For a particular future-dated change, when the current date equals the date stored in the START_DATE or END_DATE column, the appropriate change is made in the person's record on the target system.

The connector can detect and respond to these future-dated lifecycle events.

When you run any of the predefined queries, only records for which changes fall within the START_DATE and END_DATE range are fetched into Oracle Identity Manager.

Similarly, the connector can also respond to future-dated operations in which roles and responsibilities are granted or revoked.

1.5.6 Account Status Reconciliation and Provisioning

When you enable an account on the target system, the Effective Date From field is set to the current date and the Effective Date To field is set to NULL on the target system.

When you disable an account on the target system, the Effective Date To field is set to the current date on the target system.

The same effect can be achieved through provisioning operations performed on Oracle Identity Manager. In addition, status changes made directly on the target system can be copied into Oracle Identity Manager during reconciliation.

See Section 3.6, "Provisioning Operations Performed in an SoD-Enabled Environment" for more information.

1.5.7 Configurable Reconciliation Queries

Reconciliation involves running a SQL query on the target system database to fetch the required user account records to Oracle Identity Manager. Predefined SQL queries are stored in a file in the connector deployment package. You can modify these SQL queries or add your own SQL queries for reconciliation.

See Section 1.6.1, "Reconciliation Queries" for information about the reconciliation queries.

1.5.8 Account Password Management

The connector supports basic password management features. For a particular user, you can specify when the user's password must expire by using the following process form fields:

  • Password Expiration Type

    You use the Password Expiration Type field to specify the factor (or measure) that you want to use to set a value for password expiration. You can select either Accesses or Days as the password expiration type.

  • Password Expiration Interval

    In the Password Expiration Interval field, you specify the number of accesses or days for which the user must be able to use the password.

For example, if you specify Accesses in the Password Expiration Type field and enter 20 in the Password Expiration Interval field, then the user is prompted to change the user's password at the twenty-first login. Similarly, if you specify Days in the Password Expiration Type field and enter 100 in the Password Expiration Interval field, then the user is prompted to change the user's password on the hundred and first day after setting a new password.

1.5.9 Support for Full and Incremental Reconciliation

In full reconciliation, all user records are fetched from the target system to Oracle Identity Manager. In incremental reconciliation, user records that are added or modified after the last reconciliation run are fetched into Oracle Identity Manager.

The Last Execution Time and Batch Size scheduled task attributes are used to implement full and incremental reconciliation. If the Last Execution Time attribute is set to 0 and the Batch Size attribute is set to a non-zero value, then full reconciliation is performed. If the Last Execution Time attribute holds a non-zero value, then incremental reconciliation is performed.

See Section 3.3.4, "Reconciliation Scheduled Tasks" for more information.

1.5.10 Support for Limited (Filtered) Reconciliation

To limit or filter the records that are fetched into Oracle Identity Manager during a reconciliation run, you can add conditions in the WHERE clause of the reconciliation query that you run.

See Section 3.3.3, "Configuring Limited Reconciliation" for more information.

1.5.11 Support for Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

See Section 3.3.2, "Batched Reconciliation" for more information.

1.5.12 Connection Pooling

A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Manager connectors can use these connections to communicate with target systems. At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.

One connection pool is created for each IT resource. For example, if you have three IT resources for three installations of the target system, then three connection pools will be created, one for each target system installation.

The configuration properties of the connection pool are part of the IT resource definition. Section 2.3.3.6, "Configuring the IT Resource" provides information about setting up the connection pool.

1.6 Reconciliation Process

See Also:

The "Reconciliation" section in Oracle Identity Manager Connector Concepts for conceptual information about target resource reconciliation

The connector is configured to perform target resource reconciliation with the target system. Data from newly created and updated target system records is brought to Oracle Identity Manager and used to create and update Oracle E-Business Suite resources provisioned to OIM Users.

Note:

The reconciliation process is the same for all three connectors. There are three scheduled tasks, one for each connector.

The following is an overview of the steps involved in target resource reconciliation:

  1. A SQL query is used to fetch target system records during reconciliation. All predefined SQL queries are stored in a properties file. Each query in the file is identified by a name. While configuring the scheduled tasks described in Section 3.3.4, "Reconciliation Scheduled Tasks", you specify the name of the query that you want to run as the value of the Query Name attribute.

  2. The scheduled task is run at the time (frequency) that you specify. This scheduled task contains details of the mode of reconciliation you want to perform.

  3. The scheduled task establishes a connection with the target system.

  4. The scheduled task reads values that you set for the task attributes, maps the task attributes to parameters of the reconciliation query, formats the query, and then runs the query on the target system database.

  5. The SQL query is run on the target system database. Target system records that meet the query criteria are fetched into Oracle Identity Manager. In addition:

    • If the target system is SSO-enabled, then the USER_GUID value is first read from the target system record. This USER_GUID value is then used to fetch the SSO User ID value from the LDAP system.

      Note:

      The USER_GUID and SSO User ID values are fetched by a query that is internal to the connector. The reconciliation query is not used for this purpose.
    • If you use the User Management with HR Foundation connector, then HRMS Foundation data from HRMS person records is also fetched for all FND_USER users that are linked with HRMS users.

    • If you use the User Management with TCA Foundation connector, then TCA Foundation data from TCA Party records is also fetched for all FND_USER users that are linked with TCA users.

  6. Each user record fetched from the target system is compared with existing target system resources assigned to OIM Users. The reconciliation rule is applied during the comparison process.

  7. The next step of the process depends on the outcome of the matching operation:

    • If a match is found between the target system record and a resource provisioned to an OIM User, then the resource is updated with changes made to the target system record.

    • If no match is found, then the target system user record is compared with existing OIM Users. The next step depends on the outcome of the matching operation:

      • If a match is found, then the target system record is used to provision a resource for the OIM User.

      • If no match is found, then the status of the reconciliation event is set to No Match Found.
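Steps 6 and 7, combined with the effective dates from Sections 1.5.5 and 1.5.6, show which target accounts end up as No Match Found while still enabled, which is the set an access review cares about most. The following is an added example, not the connector's code: the sample records are constructed, matching OIM Users on the target user name is an assumed reconciliation rule, and the END_DATE day itself is treated as disabled.

```python
from datetime import date

# Constructed sample data. Matching a provisioned resource on User ID follows
# the guide (the process form stores the User ID). Matching OIM Users on the
# target user name is an assumed reconciliation rule, not the connector's.
PROVISIONED = {1001: "jdoe"}                       # target USER_ID -> OIM User
OIM_USERS = {"JDOE": "jdoe", "ASMITH": "asmith"}   # USER_NAME -> OIM User

FETCHED = [
    {"USER_ID": 1001, "USER_NAME": "JDOE",
     "START_DATE": date(2008, 1, 1), "END_DATE": date(2009, 4, 1)},
    {"USER_ID": 1002, "USER_NAME": "ASMITH",
     "START_DATE": date(2009, 1, 5), "END_DATE": None},
    {"USER_ID": 1003, "USER_NAME": "TEMP01",
     "START_DATE": date(2009, 2, 1), "END_DATE": None},
    {"USER_ID": 1004, "USER_NAME": "OLDSVC",
     "START_DATE": date(2007, 1, 1), "END_DATE": date(2008, 12, 31)},
]


def is_active(record, on):
    """Account status implied by the effective dates on a given day.

    Reading of the guide used here: the account is enabled from START_DATE
    and counts as disabled on the END_DATE day itself; a NULL END_DATE means
    no disable is scheduled.
    """
    end = record["END_DATE"]
    return record["START_DATE"] <= on and (end is None or on < end)


def classify(record):
    """Steps 6 and 7: resource match, then OIM User match, else no match."""
    owner = PROVISIONED.get(record["USER_ID"])
    if owner is not None:
        return "Update resource", owner
    owner = OIM_USERS.get(record["USER_NAME"].upper())
    if owner is not None:
        return "Provision resource", owner
    return "No Match Found", None


def reconcile(records, on):
    """Return one event per fetched record with its outcome and status."""
    events = []
    for rec in records:
        outcome, owner = classify(rec)
        events.append({"USER_NAME": rec["USER_NAME"], "outcome": outcome,
                       "oim_user": owner, "active": is_active(rec, on)})
    return events


def orphans_to_review(events):
    """Target accounts with no owner in OIM that are currently enabled."""
    return [e["USER_NAME"] for e in events
            if e["outcome"] == "No Match Found" and e["active"]]


if __name__ == "__main__":
    for event in reconcile(FETCHED, date(2009, 3, 31)):
        print(event)
```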

The rest of this section discusses connector objects used during reconciliation:

1.6.1 Reconciliation Queries

As mentioned earlier in this chapter, a SQL query is used to fetch target system records during reconciliation. All predefined SQL queries are stored in the ebsUMQuery.properties file.

Note:

Depending on your requirements, you can modify existing queries or add your own query in the properties file. Alternatively, you can create and use your own properties file. Section 4.1, "Guidelines on Extending the Functionality of the Connector" provides more information.

The predefined queries are used in conjunction with the Last Execution Time scheduled task attribute. This attribute stores the time stamp at which the last reconciliation run started. When the next reconciliation run begins, only target system records for which the LAST_UPDATE_DATE column value is greater than the value of the Last Execution Time attribute are fetched into Oracle Identity Manager. In other words, only records that were added or modified after the last reconciliation run started are considered for the current reconciliation run.

Note:

If the effective end date of a responsibility granted to a user is changed directly on the target system, then that account will not be reconciled in the next reconciliation run unless some other attribute of the account is also modified.

You can specify a value for the Last Execution Time attribute. See Section 3.3.1, "Reconciliation Time Stamp" for more information.
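The time-stamp filter and the blind spot described in the preceding Note can be reproduced on a small data set. The following is an added example, not one of the predefined queries: the USER_RESP_GRANTS table, its columns, the ISO-8601 text time stamps, and all rows are assumptions, including the idea that a grant row carries its own LAST_UPDATE_DATE.

```python
import sqlite3

# Constructed stand-ins. FND_USER and LAST_UPDATE_DATE are named in the guide;
# USER_RESP_GRANTS, its columns, and all rows are assumptions made for this
# illustration. Time stamps are ISO-8601 text so they compare correctly.
SCHEMA = """
CREATE TABLE FND_USER (USER_ID INTEGER PRIMARY KEY, USER_NAME TEXT,
                       LAST_UPDATE_DATE TEXT);
CREATE TABLE USER_RESP_GRANTS (USER_ID INTEGER, RESPONSIBILITY TEXT,
                               END_DATE TEXT, LAST_UPDATE_DATE TEXT);
"""

RUN_STARTED = "2009-03-10T10:00:00"    # value kept in Last Execution Time
RUN_FINISHED = "2009-03-10T10:10:00"   # shown only for comparison


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO FND_USER VALUES (?, ?, ?)", [
        (1001, "JDOE", "2009-03-01T09:00:00"),    # untouched since before the run
        (1002, "ASMITH", "2009-03-10T10:05:00"),  # changed while the run was going
        (1003, "BLEE", "2009-03-12T08:00:00"),    # changed after the run
    ])
    conn.executemany("INSERT INTO USER_RESP_GRANTS VALUES (?, ?, ?, ?)", [
        # End date extended directly on the target; the account row was not touched.
        (1001, "Payables Manager", "2009-12-31", "2009-03-11T14:00:00"),
        # Grant changed together with the account row.
        (1003, "GL Inquiry", None, "2009-03-12T08:00:00"),
    ])
    return conn


def incremental_accounts(conn, last_execution_time):
    """Accounts an incremental run would fetch: LAST_UPDATE_DATE after the stamp."""
    rows = conn.execute(
        "SELECT USER_NAME FROM FND_USER "
        "WHERE LAST_UPDATE_DATE > :t ORDER BY USER_NAME",
        {"t": last_execution_time})
    return [name for (name,) in rows]


def missed_entitlement_changes(conn, last_execution_time):
    """Grants changed since the stamp whose account row did not change.

    These are the changes the Note says are not reconciled in the next run,
    so they need a separate review or a full reconciliation.
    """
    return conn.execute(
        "SELECT u.USER_NAME, g.RESPONSIBILITY, g.END_DATE "
        "FROM USER_RESP_GRANTS g JOIN FND_USER u ON u.USER_ID = g.USER_ID "
        "WHERE g.LAST_UPDATE_DATE > :t AND u.LAST_UPDATE_DATE <= :t "
        "ORDER BY u.USER_NAME, g.RESPONSIBILITY",
        {"t": last_execution_time}).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    # Using the run's start time picks up ASMITH, changed during the run.
    print(incremental_accounts(db, RUN_STARTED))
    # Using the finish time instead would silently skip ASMITH.
    print(incremental_accounts(db, RUN_FINISHED))
    print(missed_entitlement_changes(db, RUN_STARTED))
```

The second call shows why the attribute stores the start of the run rather than its end: a record modified while the run was in progress would otherwise fall outside the next window.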

The following are predefined queries in the ebsUMQuery.properties file:

  • UM_USER_RECON

    This query is used to fetch users' FND_USER records. It is used in the User Management connector.

  • UM_USER_HRMS_RECON

    This query is used to fetch users' FND_USER records and HRMS person records. It is used in the User Management with HR Foundation connector.

  • UM_USER_TCA_RECON

    This query is used to fetch users' FND_USER records and TCA party records. It is used in the User Management with TCA Foundation connector.

  • UM_USER_RESPONSIBILITIES

    This query is used to fetch data about users' responsibility entitlements.

  • UM_USER_ROLES

    This query is used to fetch data about users' role entitlements.

1.6.2 Target System Columns Used in Reconciliation

Columns in the SELECT clause of each predefined query other than the ones for entitlements are directly mapped to process form fields by lookup definitions in Oracle Identity Manager.

For the User Management connector, Table 1-3 lists the target system columns and the process form fields to which they are mapped for reconciliation. These mappings are stored in the Lookup.EBS.UM.UserRecon lookup definition.

Table 1-3 Attribute Mappings for Reconciliation in the User Management Connector

| Process Form Field | Target System Column | Description |
|---|---|---|
| Person ID | PERSON_ID | Person ID |
| User ID | USER_ID | User ID. This is a mandatory attribute. |
| User Name | USER_NAME | User name. This is a mandatory attribute. |
| Description | DESCRIPTION | Description |
| Email | EMAIL_ADDRESS | E-mail address |
| Fax | FAX | Fax number |
| Effective Date From | START_DATE | Date from which the account is active. This is a mandatory attribute. |
| Effective Date To | END_DATE | Date up to which the account is active |


For the User Management with HR Foundation connector, Table 1-4 lists the target system columns and the process form fields to which they are mapped for reconciliation. These mappings are stored in the Lookup.EBS.UM.UserHRMSRecon lookup definition.

Table 1-4 Attribute Mappings for Reconciliation in the User Management with HR Foundation Connector

| Process Form Field | Target System Column | Description |
|---|---|---|
| User ID | USER_ID | User ID. This is a mandatory attribute. |
| User Name | USER_NAME | User name. This is a mandatory attribute. |
| Description | DESCRIPTION | Description |
| Email | EMAIL_ADDRESS | E-mail address |
| Fax | FAX | Fax number |
| Effective Date From | START_DATE | Start date of the account. This is a mandatory attribute. |
| Effective Date To | END_DATE | End date of the account |
| Note: The remaining attributes listed in this table are HR Foundation record attributes. | | |
| Employee Number | EMPLOYEE_NUMBER | Employee number |
| First Name | FIRST_NAME | First name |
| Last Name | LAST_NAME | Last name |
| Gender | SEX | Gender |
| Person Type ID | PERSON_TYPE_ID | Person type ID |
| Business Group ID | BUSINESS_GROUP_ID | Business group ID |
| Hire Date | ORIGINAL_DATE_OF_HIRE | Hire date |
| Person ID | PERSON_ID | Person ID |


For the User Management with TCA Foundation connector, Table 1-5 lists the target system columns and the process form fields to which they are mapped for reconciliation. These mappings are stored in the Lookup.EBS.UM.UserTCARecon lookup definition.

Table 1-5 Attribute Mappings for Reconciliation in the User Management with TCA Foundation Connector

| Process Form Field | Target System Column | Description |
|---|---|---|
| User ID | USER_ID | User ID. This is a mandatory attribute. |
| User Name | USER_NAME | User name. This is a mandatory attribute. |
| Description | DESCRIPTION | Description |
| Email | EMAIL_ADDRESS | E-mail address |
| Fax | FAX | Fax number |
| Effective Date From | START_DATE | Start date of the account. This is a mandatory attribute. |
| Effective Date To | END_DATE | End date of the account |
| Note: The remaining attributes listed in this table are TCA Foundation record attributes. | | |
| First Name | PERSON_FIRST_NAME | First name |
| Last Name | PERSON_LAST_NAME | Last name |
| Party ID | PERSON_PARTY_ID | Party ID |


For all three connectors, Table 1-6 lists mappings between the target system columns and the process form fields for responsibilities defined on the target system.

Table 1-6 Relationship Between Process Form Fields for Responsibilities and Target System Data Fields

| Process Form Field | Target System Column | Description |
|---|---|---|
| Application Name | Format of the value: IT_RESOURCE_KEY~APPLICATION_ID; sample value: 1~810 | Combination of the IT resource key and the application ID on the target system. Note: The IT resource key is a numeric value. |
| Responsibility Name | Format of the value: IT_RESOURCE_KEY~APPLICATION_ID~RESPONSIBILITY_ID; sample value: 1~810~2751 | Combination of the IT resource key, application ID, and responsibility ID on the target system |
| Effective Start Date | START_DATE | Start date of the responsibility assignment |
| Effective End Date | END_DATE | End date of the responsibility assignment |
| Security Group | Format of the value: IT_RESOURCE_KEY~SECURITY_GROUP_ID; sample value: 1~1 | Combination of the IT resource key and the security group ID on the target system. Note: The IT resource key is a numeric value. |


For all three connectors, Table 1-7 lists mappings between the target system columns and the process form fields for roles defined on the target system.

Table 1-7 Relationship Between Process Form Fields for Roles and Target System Data Fields

| Process Form Field | Target System Column | Description |
|---|---|---|
| Application Name | Format of the value: IT_RESOURCE_KEY~APPLICATION_ID; sample value: 1~260 | Combination of the IT resource key and the application ID on the target system. Note: The IT resource key is a numeric value. |
| Role Name | Format of the value: IT_RESOURCE_KEY~APPLICATION_ID~ROLE_ID (the sample value follows the table) | Combination of the IT resource key, application ID, and role ID on the target system |
| Start Date | start_date | Start date of the role assignment |
| Expiration Date | expiration_date | End date of the role assignment |

Sample value for Role Name: 1~260~UMX|UMX_TEST_ROLE
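The following added example (not connector code) parses the `~`-separated child-form keys from Tables 1-6 and 1-7 and cross-checks one child-form row, which is a useful sanity check when reviewing reconciled entitlements. It assumes that application, responsibility, and security group IDs are numeric like the sample values, and that a role ID never contains `~`; the function names and the row layout are hypothetical.

```python
SEP = "~"  # separator used in the key formats of Tables 1-6 and 1-7
NUMERIC = {"IT_RESOURCE_KEY", "APPLICATION_ID", "RESPONSIBILITY_ID",
           "SECURITY_GROUP_ID"}  # assumption: numeric, as in the sample values


class KeyFormatError(ValueError):
    """Raised when a child-form key does not match its documented format."""


def _split(value, names):
    """Split value into exactly len(names) fields and type-check each one."""
    fields = value.split(SEP)
    if len(fields) != len(names):
        raise KeyFormatError(f"{value!r}: expected {SEP.join(names)}")
    parsed = {}
    for name, field in zip(names, fields):
        if not field:
            raise KeyFormatError(f"{value!r}: empty {name}")
        if name in NUMERIC:
            if not (field.isascii() and field.isdigit()):
                raise KeyFormatError(f"{value!r}: {name} is not numeric")
            parsed[name] = int(field)
        else:
            parsed[name] = field  # ROLE_ID is kept verbatim, including "|"
    return parsed


def parse_application(value):
    return _split(value, ("IT_RESOURCE_KEY", "APPLICATION_ID"))


def parse_responsibility(value):
    return _split(value, ("IT_RESOURCE_KEY", "APPLICATION_ID",
                          "RESPONSIBILITY_ID"))


def parse_role(value):
    return _split(value, ("IT_RESOURCE_KEY", "APPLICATION_ID", "ROLE_ID"))


def parse_security_group(value):
    return _split(value, ("IT_RESOURCE_KEY", "SECURITY_GROUP_ID"))


def check_child_row(row):
    """Return a list of findings for one responsibility or role child-form row.

    `row` maps process form field names to key strings. An empty list means
    the keys are well formed and consistent with each other.
    """
    try:
        app = parse_application(row["Application Name"])
        if "Role Name" in row:
            ent = parse_role(row["Role Name"])
        else:
            ent = parse_responsibility(row["Responsibility Name"])
        grp = None
        if "Security Group" in row:
            grp = parse_security_group(row["Security Group"])
    except KeyFormatError as exc:
        return [str(exc)]

    findings = []
    if ent["IT_RESOURCE_KEY"] != app["IT_RESOURCE_KEY"]:
        findings.append("entitlement and application use different IT resources")
    if ent["APPLICATION_ID"] != app["APPLICATION_ID"]:
        findings.append("entitlement belongs to a different application")
    if grp is not None and grp["IT_RESOURCE_KEY"] != app["IT_RESOURCE_KEY"]:
        findings.append("security group uses a different IT resource")
    return findings


if __name__ == "__main__":
    # Rows built from the guide's sample values, plus one constructed bad row.
    print(check_child_row({"Application Name": "1~810",
                           "Responsibility Name": "1~810~2751",
                           "Security Group": "1~1"}))
    print(check_child_row({"Application Name": "1~694",
                           "Responsibility Name": "1~810~2751",
                           "Security Group": "2~1"}))
```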


1.6.3 Reconciliation Rule

See Also:

Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rules

The following is the reconciliation rule:

  • Rule name for the User Management connector:

    EBS UM Target Resource

  • Rule name for the User Management with HR Foundation connector:

    EBS UM HRMS Target Resource

  • Rule name for the User Management with TCA Foundation connector:

    EBS UM TCA Target Resource

Rule element for all three connectors: User Login Equals User Name

In this rule:

  • User Login is the field on the OIM User form.

  • User Name is the target system field.

After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for the rule name.

1.6.4 Reconciliation Action Rules for Target Resource Reconciliation

Table 1-8 lists the action rules for target resource reconciliation.

Table 1-8 Action Rules for Target Resource Reconciliation

| Rule Condition | Action |
|---|---|
| No Matches Found | Assign to Administrator With Least Load |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Identity Manager Design Console Guide for information about modifying or creating reconciliation action rules.

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the resource object. The following are the names of the resource objects for each connector:

    • Resource object for the User Management connector:

      eBusiness Suite User

    • Resource object for the User Management with HR Foundation connector:

      eBusiness Suite User HR Foundation

    • Resource object for the User Management with TCA Foundation connector:

      eBusiness Suite User TCA Foundation

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.

1.7 Provisioning Process

See Also:

The "Provisioning" section in Oracle Identity Manager Connector Concepts for conceptual information about provisioning

Provisioning involves management of user accounts and assignment of responsibilities and roles to users in the target system. When you allocate (or provision) an Oracle E-Business Suite resource to an OIM User, the operation results in the creation of an account on Oracle E-Business Suite for that user. Similarly, when you update the resource on Oracle Identity Manager, the same update is made to the account on the target system.

You can enable the Segregation of Duties (SoD) feature in Oracle Identity Manager for validation of role and responsibility provisioning. When SoD is enabled, a role or responsibility is granted to an OIM User's resource (account) only after the request for the role or responsibility clears the SoD validation process. If a conflicting role or responsibility is detected by the SoD engine, then the role or responsibility request is rejected.

Note:

The SoD validation process is asynchronous. The response from the SoD engine must be brought to Oracle Identity Manager by a scheduled task.

The provisioning process can be started through one of the following events:

  • Direct provisioning

    A user uses the Administrative and User Console to create a target system account for another user.

  • Request-based provisioning

    A user creates a request for a target system account, role, or responsibility, and another user approves this request.

  • Provisioning triggered by access policy changes

    An access policy related to accounts on the target system is modified. When an access policy is modified, it is reevaluated for all users to which it applies.

The following is an overview of the provisioning process:

  1. The provisioning process is started through direct provisioning, request-based provisioning, or an access policy change.

  2. If the target system is configured to work with Oracle Single Sign-On, then:

    Note:

    There must be a GUID for the user on the LDAP system before the user can be created on the target system. In other words, the user for whom the provisioning operation is being performed must have a record on the LDAP system.

    1. The connector first establishes a connection with the LDAP system used by Oracle Single Sign-On. To establish a connection, the connector uses information stored in the IT resource for the LDAP system.

    2. From the LDAP system, the connector reads the GUID of the user for whom the provisioning operation is being performed and then adds the GUID to the provisioning data that will be passed on to the target system.

  3. The connector establishes a connection with the target system, and passes the provisioning data to the FND APIs of the target system.

  4. The target system APIs use the provisioning data to perform the required operation (create or update user). The actual steps performed depend on the connector that you are using:

    • In the User Management connector, the FND_USER record is created or updated. If the person ID is provided on the process form and a record with the same person ID exists on the target system, then that record is linked with the FND_USER record.

    • In the User Management with HR Foundation connector:

      1. The HRMS person record (containing only HRMS Foundation data) is created or updated.

      2. The FND_USER record is created or updated.

        Note:

        If the HRMS record is created, then the value in the Person_ID column of the PER_ALL_PEOPLE_F table is copied into the Employee_ID column in the FND_USER table.

    • In the User Management with TCA Foundation connector:

      1. The FND_USER record is created or updated.

      2. The TCA Party record (containing only TCA Party foundation data) is created or updated.

        Note:

        If the TCA record is created, then the value in the PARTY_ID column of the HZ_PARTIES table is copied into the PERSON_PARTY_ID column in the FND_USER table.

  5. The target system APIs return the status of the operation to the connector.

  6. The connector translates and displays (or logs) the status message returned by the FND APIs.

  7. In an SoD-enabled Oracle Identity Manager system, the connector cannot grant roles or responsibilities directly to the provisioned user account. When a user performs the procedure to provision a role or responsibility, the details of the entitlement request (sent through direct or request-based provisioning) are sent to an SoD engine for conflict analysis. Based on the outcome of the SoD validation process, the entitlement request is either accepted or rejected.

The rest of this section discusses connector objects used during provisioning:

1.7.1 Request-Based Provisioning of Entitlements

Note:

On Oracle Identity Manager release 9.1.0.x, you can create separate requests for provisioning:

  • Target system resources to OIM Users.

  • Entitlements to OIM Users who have been provisioned target system resources.

On Oracle Identity Manager releases 11.1.x and 11.1.2.x, you can provision entitlements while provisioning a target system resource to an OIM User. In other words, you need not create a new request for provisioning entitlements.

Therefore, information provided in this section is applicable only if you are using Oracle Identity Manager release 9.1.0.x. If you are using Oracle Identity Manager releases 11.1.x and 11.1.2.x, then skip this section.

Roles and responsibilities defined on the target system are entitlements that can be assigned to a user during the Create User provisioning operation. In addition, an existing user can create requests for responsibilities and roles. If you enable SoD in your Oracle Identity Manager installation, then an entitlement is granted only after the SoD validation clears the request for the entitlement. Users can create entitlement requests for themselves. Alternatively, administrators can submit entitlement requests on behalf of a user.

Note:

The connector supports the scenario in which a single request is created for multiple responsibilities and a single approver is assigned the entire request.

Request-based provisioning of responsibilities involves the following steps:

  1. A request for a role or responsibility is created.

    Section 3.6, "Provisioning Operations Performed in an SoD-Enabled Environment" describes the procedure to create the request.

  2. The request data is written to an object form.

  3. When the object form is populated with data, it is sent for approval.

  4. After the standard approval process, the SoD Checker process task is triggered. This process task is completed by running the GetSODCheckResultApproval scheduled task from the task scheduler.

    Note:

    The approver should not approve or deny this task manually while approving the request.

    After the SoD Checker process task is run and the SoD Check result is passed, the Human Approval task (if it has been defined) is triggered.

  5. If the approval process clears the request, then the request data is sent to the process form. When this data reaches the target system, the responsibility is assigned to the user.

    Note:

    If SoD is not enabled or if the provisioning operation does not include entitlement provisioning, then the SODCheckStatus field remains in the SODCheckNotInitiated state.

    If the approval process does not clear the request, then the status of the request is set to Denied.

1.7.2 Attribute Mappings for Provisioning

Table 1-9 lists the user identity fields of the target system for which you can specify or modify values during provisioning operations. The third column of this table specifies the connector in which the function is supported.

Note:

During a Create User provisioning operation, the EBS Create User adapter is used to populate values in all the target system attributes. Similarly, during an Update User provisioning operation, the EBS Update User adapter performs this function.

Table 1-9 Attribute Mappings for Provisioning

| Process Form Attribute | Target System Attribute | Connector | Mandatory? |
|---|---|---|---|
| User Name | User Name | All | Yes |
| Password | Password | All | Yes |
| Description | Description | All | |
| Email | E-Mail | All | |
| Fax | Fax | All | |
| Password Expiration Type. This is a lookup field. | Password Expiration Type | All | |
| Password Expiration Interval | Password Expiration Interval | All | |
| Effective Date From | Effective Dates From | All | Yes |
| Effective Date To | Effective Dates To | All | |
| Person ID. Note: This field can be edited in the User Management connector. It is a display-only field in the User Management with HR Foundation connector. | Person ID. Note: The Full Name corresponding to the person ID in HRMS person record is displayed on the UI with the label Person ID. | User Management and User Management with HR Foundation | |
| SSO User ID | SSO User ID from the LDAP system. Note: This attribute is not displayed on the target system UI. | All | |
| User ID. This is a display-only field. | User ID. Note: This attribute is not displayed on the target system UI. | All | |
| SSO GUID. This is a display-only field. | GUID fetched from the LDAP system used by Oracle Single Sign-On. This value is stored in the USER_GUID column of the FND_USER table. Note: This attribute is not displayed on the target system UI. | All | |
| Employee Number | Employee Number | User Management with HR Foundation | |
| First Name | First Name (in the User Management with HR Foundation connector); First Name (in the User Management with TCA Foundation connector) | User Management with HR Foundation and User Management with TCA Foundation | |
| Last Name | Last Name (in the User Management with HR Foundation connector); Last Name (in the User Management with TCA Foundation connector) | User Management with HR Foundation and User Management with TCA Foundation | |
| Gender. This is a lookup field. | Sex | User Management with HR Foundation | |
| Person Type ID | Person Types | User Management with HR Foundation | |
| Business Group ID | Business Group ID. Note: This attribute is not displayed on the target system UI. | User Management with HR Foundation | |
| Party ID. This is a display-only field. | Party ID. Note: The full name corresponding to the party ID in the TCA Party record is displayed on the target system UI with the label Customer. | User Management with TCA Foundation | |
| Hire Date | Latest Start Date | User Management with HR Foundation | |
| Responsibility Child Form Fields (for all three connectors) | | | |
| Application Name | IT_RESOURCE_KEY~APPLICATION_ID | All | |
| Responsibility Name | IT_RESOURCE_KEY~APPLICATION_ID~RESPONSIBILITY_ID | All | Yes |
| Effective Start Date | Effective Dates From | All | |
| Effective End Date | Effective Dates To | All | |
| Security Group | IT_RESOURCE_KEY~SECURITY_GROUP_ID | All | |
| Roles Child Form Fields (for all three connectors) | | | |
| Application Name | IT_RESOURCE_KEY~APPLICATION_ID | All | |
| Role Name | IT_RESOURCE_KEY~APPLICATION_ID~ROLE_ID | All | Yes |
| Start Date | Start Date | All | |
| Expiration Date | Expiration Date | All | |

1.7.3 Provisioning Functions

Table 1-10 lists provisioning functions and the corresponding adapters.

Note:

An Update provisioning operation on child data is not supported.

Table 1-10 Provisioning Functions

| Provisioning Function | Adapter | Stored Procedure in Wrapper Package |
|---|---|---|
| Create user | EBS Create User | OIM_FND_USER_PKG.CreateUser |
| Create SSO-enabled user | EBS Create User | OIM_FND_USER_PKG.CreateUser |
| Disable user | EBS Disable User | OIM_FND_USER_PKG.DisableUser |
| Update Email | EBS Update User | OIM_FND_USER_PKG.UpdateUser |
| Update Fax | EBS Update User | OIM_FND_USER_PKG.UpdateUser |
| Update Password | EBS Update User | OIM_FND_USER_PKG.UpdateUser |
| Update Description | EBS Update User | OIM_FND_USER_PKG.UpdateUser |
| Update Effective Date From | EBS Update User | OIM_FND_USER_PKG.UpdateUser |
| Update Effective Date To | EBS Update User | OIM_FND_USER_PKG.UpdateUser |
| Update SSO User ID | EBS Update User | OIM_FND_USER_PKG.UpdateUser |
| Update Password Expiration Type | EBS Update User | OIM_FND_USER_PKG.UpdateUser |
| Update Password Expiration Interval | EBS Update User | OIM_FND_USER_PKG.UpdateUser |
| Update Person ID. Note: This is applicable only in the User Management connector. | EBS Update User | OIM_FND_USER_PKG.UpdateUser |
| Enable User | EBS Enable User | OIM_FND_USER_PKG.EnableUser |
| Add Responsibility | EBS Add Responsibility | OIM_FND_USER_PKG.AddResp |
| Remove Responsibility | EBS Revoke Responsibility | OIM_FND_USER_PKG.DelResp |
| Add Role | EBS Add Role | WF_LOCAL_SYNCH_PKG.PropagateUserRole |
| Remove Role | EBS Revoke Role | WF_LOCAL_SYNCH_PKG.PropagateUserRole |
| Update User Name | EBS Update Username | OIM_FND_USER_PKG.change_user_name |
| Functions Specific to the User Management with HR Foundation Connector | | |
| Create Employee | EBS Create User HRMS | OIM_EMPLOYEE_WRAPPER.create_emp_api |
| Delete User | EBS Revoke Employee | OIM_EMPLOYEE_WRAPPER.terminate_emp_api |
| Delete User. Note: It is recommended not to perform a delete employee operation on the target system. However, delete employee operation is configurable by setting the value of DELETE_EMP_RECORD to "Yes" in the Lookup.EBS.UMHRMS.Configuration lookup definition. The default value of DELETE_EMP_RECORD is set to "No" and hence needs to be changed to "Yes". | EBS Revoke Employee | OIM_EMPLOYEE_WRAPPER.delete_emp_api |
| Update First Name | EBS Update Employee | OIM_EMPLOYEE_WRAPPER.update_person_api |
| Update Last Name | EBS Update Employee | OIM_EMPLOYEE_WRAPPER.update_person_api |
| Update Gender | EBS Update Employee | OIM_EMPLOYEE_WRAPPER.update_person_api |
| Update Person Type ID | EBS Update Employee | OIM_EMPLOYEE_WRAPPER.update_person_api |
| Update Business Group ID | EBS Update Employee | OIM_EMPLOYEE_WRAPPER.update_person_api |
| Update Hire Date | EBS Update Employee | OIM_EMPLOYEE_WRAPPER.update_person_api |
| Functions Specific to the User Management with TCA Foundation Connector | | |
| Create Party of Person Type | EBS Create User TCA | OIM_TCA_WRAPPER.create_person_party_api |
| Delete User | EBS Revoke Party | OIM_TCA_WRAPPER.disable_person_party_api |
| Delete User. Note: It is recommended not to perform a delete employee operation on the target system. However, delete employee operation is configurable by setting the value of DELETE_EMP_RECORD to "Yes" in the Lookup.EBS.UMHRMS.Configuration lookup definition. The default value of DELETE_EMP_RECORD is set to "No" and hence needs to be changed to "Yes". | EBS Revoke Party | OIM_TCA_WRAPPER.delete_person_party_api |
| Update First Name | EBS Update Party | OIM_TCA_WRAPPER.update_person_party_api |
| Update Last Name | EBS Update Party | OIM_TCA_WRAPPER.update_person_party_api |


1.8 Lookup Definitions Used During Connector Operations

When you deploy the connector, lookup definitions of the following types are created in Oracle Identity Manager:

  • Lookup definitions corresponding to lookup fields on the target system

  • Lookup definitions that store configuration information

The following sections discuss lookup definitions used by the connector:

1.8.1 Lookup Definitions That Are Common to All Three Connectors

Table 1-11 describes lookup definitions that are common to all three connectors.

Table 1-11 Lookup Definitions Common to All Three Connectors

Lookup Definition Code Key Decode Input Source

Lookup.EBS.Application

Combination of the following elements:

  • A number assigned to the IT resource for the target system installation from which values are synchronized

  • Application ID on the target system

Sample value: 1~694

In this example, 1 is the number assigned to the IT resource for the target system installation and 694 is the application ID assigned to the application in the target system.

Short name for the application in the target system

Sample value: PRP

You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system.

Lookup.EBS.SecurityGroup

Combination of the following elements:

  • A number assigned to the IT resource for the target system installation from which values are synchronized

  • Security Group Name on the target system

Sample value: 1~1

In this example, 1 is the number assigned to the IT resource for the target system installation and 1 is the application ID assigned to the application in the target system.

Short name for the Security Group Name in the target system

Sample value: GOVERNMENT

You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system.

Lookup.EBS.Responsibility

Combination of the following elements:

  • Number assigned to the IT resource for the target system installation from which values are synchronized

  • Application ID on the target system

  • Responsibility ID on the target system

Sample value: 1~694~20903

In this sample value, 1 is the number assigned to the IT resource for the target system installation, 694 is the application ID, and 20903 is the responsibility ID.

Responsibility name of the corresponding application in the target system

Sample Value: MRC Purchasing Manager

You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system.

Lookup.EBS.UMX.Roles

Combination of three elements:

  • A number assigned to the IT resource for the target system installation from which values are synchronized

  • Application ID on the target system

  • Role name on the target system

Sample value: 1~694~UMX|UMX_EXT_ADMN

In this example, 1 is the number assigned to the IT resource for the target system installation, FND-UMX is the short name for the application, and UMX_EXT_ADMN is the role name.

Display name of the role on the target system

Sample Value: Customer Administrator

You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system.

Lookup.EBS.PasswordExpirationType

Unit of measurement for specifying the password expiration type

The value can be one of the following:

Accesses

Days

None

Unit of measurement for specifying the password expiration type

The value can be one of the following:

Accesses

Days

None

This lookup definition is preconfigured. You must not modify this lookup definition.


1.8.2 Lookup Definitions That Are Specific to the User Management Connector

Table 1-12 describes lookup definitions that are specific to the User Management connector.

Table 1-12 Lookup Definitions Specific to the User Management Connector

Lookup Definition Code Key Decode Input Source

Lookup.EBS.UM.UserProvisioning

Process form field name

Sample value: UD_EBS_USER_USRNAME

Corresponding argument of the stored procedure used for user provisioning

Sample Value: x_user_name,1,varchar2,IN

This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.

Lookup.EBS.UM.UserRecon

Reconciliation field of resource object

Sample value: User Name

Corresponding column names or column alias names used in reconciliation query

Sample value: USER_NAME

This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for reconciliation. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.

Lookup.EBS.Responsibility.Mapping

Note: This lookup definition is used for entitlement provisioning.

Name of the process form column for the responsibility attributes in the eBusiness Suite User Responsibility resource object

Name of the process form column for the responsibility attribute in the eBusiness Suite User resource object

This lookup definition is preconfigured. You must not modify this lookup definition.

Lookup.EBS.Role.Mapping

Name of the process form column for the role attributes in eBusiness Suite User Role resource object

Name of the process form column for the role attribute in the eBusiness Suite User resource object

This lookup definition is preconfigured. You must not modify this lookup definition.

Lookup.EBS.UM.QueryFilters

Filter parameters that you want to append to the reconciliation SQL query

See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about the Decode value.

See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about this lookup definition.

Lookup.EBS.UM.Configuration

Configurable data items used by the connector during both reconciliation and provisioning

Values of the configurable parameters

You can modify some of the entries in this lookup definition. See Section 3.1, "Setting Up Lookup Definitions in Oracle Identity Manager" for more information.


1.8.3 Lookup Definitions That Are Specific to the User Management with HR Foundation Connector

Table 1-13 describes lookup definitions that are specific to the User Management with HR Foundation connector.

Table 1-13 Lookup Definitions Specific to the User Management with HR Foundation Connector

Lookup Definition Code Key Decode Input Source

Lookup.EBS.Gender

Code for gender

Sample value: M

Display name of gender

Sample value: Male

This lookup definition is preconfigured. You must not modify this lookup definition.

Lookup.EBS.UM.UserHRMSProvisioning

Process form field name

Sample value: UD_EBSH_USR_USRNAME

Information about the corresponding argument in the stored procedure used for user provisioning

Sample Value: x_user_name,1,varchar2,IN

This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.

Lookup.EBS.UM.UserHRMSRecon

Reconciliation fields of resource object

Sample value: Employee Number

Column names or column name alias used in the reconciliation query

Sample value: EMPLOYEE_NUMBER

This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for reconciliation. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.

Lookup.EBS.UM.CreateEmployee

Process form field name

Sample value: UD_EBSH_USR_EMPNUM

Information about the corresponding argument in the stored procedure used for HRMS person record provisioning

Sample Value: p_employee_number,7,varchar2,IN OUT

This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.

Lookup.EBS.UM.UpdateEmployee

Process form field name

Sample value: UD_EBSH_USR_EMPNUM

Information about the corresponding argument in the stored procedure used for HRMS person record provisioning

Sample Value: p_employee_number,8,varchar2,IN OUT

You must not modify or remove existing attributes in this lookup definition. However, you can add or remove new attributes for provisioning.

Lookup.EBS.HRMSResponsibility.Mapping

Note: This lookup definition is used for request-based responsibility provisioning.

Name of the process form column for the responsibility attributes in the eBusiness Suite User HR Foundation Responsibility resource object

Name of the process form column for the responsibility attribute in the eBusiness Suite User HR Foundation resource object

You must not modify this lookup definition.

Lookup.EBS.HRMSRoles.Mapping

Note: This lookup definition is used for request-based role provisioning.

Name of the process form column for the role attributes in the eBusiness Suite User HR Foundation Role resource object

Name of the process form column for the role attribute in the eBusiness Suite User HR Foundation resource object

You must not modify this lookup definition.

Lookup.EBS.UMHRMS.QueryFilters

Filter parameters that you want to append to the reconciliation SQL query

See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about the Decode value.

See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about this lookup definition.

Lookup.EBS.UMHRMS.EmployeeInfoMapping

Name of the process form column for information about the HR Foundation person record

Name of the column used for fetching the person record data from the target system database

This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.

Lookup.EBS.UMHRMS.Configuration

Configurable data items used by the connector during both reconciliation and provisioning

Values of the configurable parameters

You can modify some of the entries in this lookup definition. See Section 3.1, "Setting Up Lookup Definitions in Oracle Identity Manager" for more information.


1.8.4 Lookup Definitions That Are Specific to the User Management with TCA Foundation Connector

Table 1-14 describes lookup definitions that are specific to the User Management with TCA Foundation connector.

Table 1-14 Lookup Definitions Synchronized with the Target System

Lookup Definition Code Key Decode Input Source

Lookup.EBS.UM.UserTCAProvisioning

Process form field name

Sample value: UD_EBST_USR_USRNAME

Information about the corresponding argument in the stored procedure used for user provisioning

Sample value: x_user_name,1,varchar2,IN

This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.

Lookup.EBS.UM.PartyProvisioning

Process form field name

Sample value: UD_EBST_USR_FNAME

Information about the corresponding argument in the stored procedure used for HRMS Person provisioning

Sample value: p1_a1,9,varchar2,IN

This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.

Lookup.EBS.UM.UpdateParty

Process form field name

Sample value: UD_EBST_USR_FNAME

Information about the corresponding argument in the stored procedure used for HRMS Person provisioning

Sample value: p1_a1,9,varchar2,IN

You must not modify or remove existing attributes in this lookup definition. However, you can add or remove new attributes for provisioning.

Lookup.EBS.UM.UserTCARecon

Reconciliation field of resource object

Sample value: First Name

Column name or column alias name used in reconciliation query

Sample value: FIRST_NAME

This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for reconciliation. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure.

Lookup.EBS.UserTCAResponsibility.Mapping

Note: This lookup definition is used for entitlement provisioning.

Name of the process form column for the responsibility attributes in the eBusiness Suite User TCA Foundation Responsibility

Name of the process form column for the responsibility attribute in the eBusiness Suite User TCA Foundation resource object

You must not modify this lookup definition.

Lookup.EBS.TCARoles.Mapping

Name of the process form column for the role attributes in the eBusiness Suite User TCA Foundation Role resource object

Name of the process form column for the role attribute in the eBusiness Suite User TCA Foundation resource object

You must not modify this lookup definition.

Lookup.EBS.UMTCA.QueryFilters

Name of the process form column for information about the TCA Foundation person record

Name of the column used for fetching the person record data from the target system database

See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about this lookup definition.

Lookup.EBS.UMTCA.Configuration

Configurable data items used by the connector during both reconciliation and provisioning

Values of the configurable parameters

You can modify some of the entries in this lookup definition. See Section 3.1, "Setting Up Lookup Definitions in Oracle Identity Manager" for more information.


1.9 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: