This chapter provides an overview of the updates made to the software and documentation for the Oracle E-Business User Management connector in release 188.8.131.52.14.
The updates discussed in this chapter are divided into the following categories:
This section describes updates made to the connector software.
This section describes major changes made to this guide. These changes are not related to software updates.
The following sections discuss software updates:
The following are software updates in release 184.108.40.206.14:
The following table lists issues resolved in release 220.127.116.11.14:
|12715982||When an attempt to reconcile one record in the SSO-enabled mode was made, the SSO GUID of the user was reconciled successfully.
However, when an attempt to reconcile more than one user was made, only the first record reconciled the SSO User ID. The subsequent records logged the following warning:
|This issue has been resolved. During a reconciliation run, the SSO GUIDs of all user records being reconciled are fetched.|
|12956783||Enabling a disabled user record did not work as expected.||This issue has been resolved. Enabling a disabled user records works as expected.|
|12980532||Consider an Oracle Identity Manager environment with a large number of target system user accounts. Revoking a target system resource from an Oracle Identity Manager User account worked as expected. However, provisioning the target system resource to the same Oracle Identity Manager User account resulted in a timeout.||This issue has been resolved. The connector does not timeout while trying to provision a revoked resource in an Oracle Identity Manager environment with a large number of user accounts.
In addition, the searching criteria is optimized to get a revoked status before a new user is provisioned.
|13070641||Child form fields such as Application Name, Responsibility Name, and Security Group displayed encoded values that were difficult to decipher.||This issue has been resolved. The Lookup Column Name property has been modified from "lkv_encoded" to "lkv_decoded". Therefore, the connector displays decoded values in the child form fields.|
|13593940||The scripts/script1/OIM.sh and scripts/script2/OIM.sh scripts did not function as expected due to shell syntax errors.||This issue has been resolved. The OIM.sh scripts work as expected as all syntax errors in the scripts have been corrected.|
|13997216||When you specified a value for the Context User ID parameter of the IT resource, the CREATED_BY and LAST_UPDATE_BY columns of the FND_USR table were not set to contain the right value.||This issue has been resolved. CREATED_BY and LAST_UPDATE_BY columns of the FND_USER table are updated correctly.|
|14126858||The value of the SSO identifier was not updated after an EBS resource was reprovisioned to an Oracle Identity Manager User. In addition, the Oracle Identity Manager User could not use the SSO password through OID, although SSO was enabled. As a result, the user was unable to log in to the EBS target system.||This issue has been resolved. The value of the SSO identifier is updated after reprovisioning an EBS resource. OIM Users can now successfully log in to the EBS target system.|
|14176597||The OIM.sh scripts had misleading headers that prompted the use of an incorrect OIM.sh script version.||This issue has been resolved. The headers in the OIM.sh scripts have been corrected. In addition, these scripts do not mention the target system.|
|14826572||The HRMS Revoke and TCA Revoke provisioning operations and cross-provisioning features were missing.||This issue has been resolved. The HRMS Revoke and TCA Revoke provisioning functions have been added. This addition provides a configuration option to delete employee records or party records.|
|14827165||Create User provisioning operation was rejected with the "USER_EXISTS" status if you provisioned a TCA resource to the OIM User after revoking an HR resource.
This issue was encountered because the CUSTOMER_ID column of the FND_USER table was not checked while provisioning a TCA resource.
|This issue has been resolved. The connector has been enhanced to check the CUSTOMER_ID column value and update the same while provisioning or deprovisioning TCA resource.|
|15996977||While provisioning an EBS account, if the Hire Date was in the past, the connector created two records in the PER_ALL_PEOPLE_F table.
While updating an employee record, the date track mode was set to "UPDATE" if the hire date was not the same as the start date, which created two employee records.
|This issue has been resolved. Connector does not create two employee records if the employee hire date has a past value.
The date track update mode is set to "CORRECTION" to ensure that only one record is created for each employee.
|16015896||The value of the START_DATE column in the target system was incorrectly updated when a Remove Role provisioning operation was performed.||This issue has been resolved. The role start date is not modified when a role is revoked from a user.|
|16458228||Updating any OIM User process form field (for example Email), updated the Person ID field also.
This was because the already existing Person ID values were overwritten in the target system and the same person ID field was not modified in the process form.
|This issue has been resolved. The Person ID field is updated only when it is modified in the OIM User process form.|
|16692869||The connector was able to perform cross-provisioning operations to both the TCA and HRMS resource. This allowed a single user account to be provisioned with both the TCA and HRMS resources at the same time.
This issue was encountered because the connector did not check whether the resource being provisioned (HRMS or TCA) was revoked.
|This issue has been resolved. Before performing a cross-provisioning an operation, the connector check whether the resource being provisioned (HRMS or TCA) has been revoked.|
|16808397||Creation of a target system user account for connector operations failed if your target system was running on an Oracle RAC implementation.
This issue was encountered because the scripts used for creating the user account were creating a tablespace.
|This issue has been resolved. Creation of a target system user account for connector operations works as expected.
Tablespace related commands have been removed to ensure that the user account gets created successfully.
|16892131||During a reconciliation run, the connector created a new user account in Oracle Identity Manager even if the status of the corresponding user in the target system was "disabled".||This issue has been resolved. The connector does not create OIM User accounts for target system accounts that are in the "disabled" state.|
|17055095||After a reconciliation run from the target system to Oracle Identity Manager, the connector set an incorrect value for the Effective Date To field.
This issue was encountered because fields storing date values did not use the correct date format.
|This issue has been resolved. Fields containing date values are now reconciled correctly. The connector now uses the dd-Mon-yyyy format instead of the dd-Mon-yy format.|
|17252551||Inconsistencies in expected behavior were observed while handling entitlements through access policy-based provisioning. For example, if an application name was not provided in an access policy, then issues were encountered after reconciliation.||This issue has been resolved. Application Name is no longer a key field in reconciliation mappings.|
The following are the major enhancements in this release:
From this release onward, the security groups are added for provisioning and reconciliation in User Management connector, User Management with HR Foundation connector, and User Management with TCA Foundation connectors. During provisioning, the user can select a security group for any responsibility. If the user does not select any security group, then by default Standard security group is selected.
From this release onward, support for validation and transformation are added for provisioning and reconciliation.
The following table lists issues resolved in release 18.104.22.168:
|10353797||Target User Reconciliation run stopped in between due to IllegalInputException||This issue has been resolved. Target User Reconciliation now will not be stopped even if user fields contain special characters. It will log the warning message with exception stack trace details of that user record and continue the reconciliation run for the next user records.|
|11890859||Java command is incorrect in the test utility script oracleebiz.sh||This issue has been resolved. The Java command typo is now corrected in the test utility script, oracleebiz.sh|
|11829671||Logs do not display proper error for password expiration type||This issue has been resolved. The logs now display proper error message when password expiration type is selected, but password expiration interval value is not provided while updating the user task.|
The following are the software updates in release 22.214.171.124:
The following table lists issues resolved in release 126.96.36.199:
|9779250||The scripts to create a target system user account for connector operations were not divided according to connector type.||This issue has been resolved. The scripts to create a target system user account for connector operations are now divided according to connector type.|
|9938336||During reconciliation, if a date field in a child table contained a NULL value, then that date field was not included in the reconciliation data.||This issue has been resolved. The connector correctly processes date fields into which NULL values are brought during reconciliation.|
|9467030||During provisioning operations, roles and responsibilities displayed in lookup fields on the Administrative and User Console were not filtered according to the selected IT resource.||This issue has been resolved. The list of roles or responsibilities is now filtered according to the selected IT resource.|
|9925468||An incorrect error message was displayed when an invalid configuration lookup definition name was specified in the IT resource.||This issue has been resolved. The message displayed when an invalid configuration lookup definition name is specified accurately describes the issue.|
The following are the software updates in release 188.8.131.52:
From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 1 (11.1.1). Where applicable, instructions specific to this Oracle Identity Manager release have been added in the guide.
See Section 1.1, "Certified Components" for the full list of certified Oracle Identity Manager releases.
From this release onward, the connector provides support for request-based provisioning on Oracle Identity Manager 11g release 1 (11.1.1).
See Section 3.6.3, "Request-Based Provisioning in an SoD-Enabled Environment" for more information.
The following table lists issues resolved in release 184.108.40.206:
|6086572||On Oracle E-Business Suite 11.5.10, the target system user account for performing connector operations did not work as expected.||This issue has been resolved. See Section 220.127.116.11, "Creating a Target System User Account for Connector Operations" for information about the procedure to create the target system user account.|
|8502490||To update an entitlement, the connector revoked and then added the entitlement.||This issue has been resolved. From this release onward, the connector can update the start date and end date values of an entitlement. The entitlement need not be revoked and then added.|
|9389768||The scheduled task for lookup field synchronization did not use the updateLookupValue method to update existing values in lookup definitions.||This issue has been resolved. The scheduled task now uses the updateLookupValue method to update existing values in lookup definitions.|
The following table lists issues resolved in release 18.104.22.168:
|8509529||In earlier releases, lookup field synchronization could be run in one of two modes: Refresh or Update. The Mode attribute of the eBusiness UM Lookup Definition Reconciliation scheduled task was used to store your choice.||From this release onward, lookup field synchronization is always run in the Update mode. The Mode attribute has been removed.|
|8969251||The connector created reconciliation events even for records that had not changed since the last reconciliation run.||This issue has been resolved. The connector now creates reconciliation events only for records that are added or modified after the last reconciliation run.|
|8798992||The Create User provisioning operation failed if you entered a value in the Person ID field.||This issue has been resolved. During the Create User provisioning operation, you can now enter a value in the Person ID field.|
|8783010||The Javadocs did not provide documentation on the public methods for the connector.||The Javadocs have been updated.|
|9004591||In an SSO-enabled environment, the default password set through a Create User operation was not configurable.||This issue has been resolved. The FND_WEB_SEC.EXTERNAL_PWD entry has been added in the configuration lookup definition. In an SSO-enabled environment, you can use this entry to specify the default password for new users.
Note: The "s" at the end of the name of the configuration lookup definitions has been removed in this release.
|9000721||For Create User operations, the minimum password length for new users was set at 5 characters.||This issue has been resolved. You can now use the Minimum Password Length parameter of the IT resource to set the minimum password length.|
|8999921||During a Create User operation, you had to specify a password even when SSO communication was enabled.||This issue has been resolved. If SSO is enabled, then you need not specify a password during Create User operations.|
|8916172||In earlier releases, the connector required the ojdbc14.jar during reconciliation and provisioning. You had to copy this file from an external source.||This issue has been resolved. The connector can now work with the ojdbc6.jar file. This file is present in the application server installation directory.
As part of the fix implemented for this bug, the RECON_DATE_FORMAT and TO_CHAR_DATE_FORMAT entries have been introduced in the Lookup.EBS.ER.Configurations lookup definition. See Section 3.1, "Setting Up Lookup Definitions in Oracle Identity Manager" for more information about the these entries.
|9003839||The target system user account for connector operations was unable to perform the required connector operations. The following error message was displayed on the server console:
||This issue has been resolved. The target system user account is now able to perform all connector operations successfully. However, a target system user account created on Oracle E-Business Suite 11.5.10 is unable to perform connector operations. This point has also been mentioned in the "Known Issues" chapter.|
The following are software updates in release 9.1.0:
From this release onward, the connector supports the following new target system versions and configurations:
Oracle E-Business Suite 11.5.10, 12.0.1 through 12.0.6 running on Oracle Real Application Clusters 10g and 11g
Oracle E-Business Suite 12.1.1 running on Oracle Database 10g or Oracle Database 11g, as either single database or Oracle RAC implementation
These target systems are listed in the Section 1.1, "Certified Components" section.
The connector provides all the features required for setting up Oracle E-Business Suite as a managed (target) resource of Oracle Identity Manager. If you want to use Oracle E-Business Suite as a trusted source of identity data for Oracle Identity Manager, then use the Oracle E-Business Employee Reconciliation connector.
Along with creation of a user record in Oracle E-Business Suite, the connector can be used to create a basic person record in Oracle E-Business HRMS. This feature enables access to Oracle E-Business Suite applications that require a user to have an account in Oracle E-Business HRMS.
In addition, the connector can be used to create a basic person-type party record in Oracle E-Business TCA. This feature enables access to Oracle E-Business Suite applications that require a user to have an account in Oracle E-Business TCA.
See Section 1.5.1, "Oracle E-Business User Management Connectors" for more information.
UMX role assignments can now be managed during reconciliation and provisioning.
From this release onward, the connector supports the Segregation of Duties (SoD) feature introduced in Oracle Identity Manager release 22.214.171.124. Requests for Oracle E-Business Suite role and responsibility entitlements can be validated with Oracle Application Access Controls Governor. Entitlements are provisioned into Oracle E-Business Suite only if the request passes the SoD validation process. This preventive simulation approach helps identify and correct potentially conflicting assignment of entitlements to a user, before the requested entitlements are granted to users.
See Section 1.5.3, "SoD Validation of Entitlement Provisioning" for more information.
The connector can be used to integrate Oracle Identity Manager with an SSO-enabled Oracle E-Business Suite installation.
See Section 1.5.4, "Support for an SSO-Enabled Target System Installation" for more information.
You can use the connector to fetch data about responsibilities and roles definitions from each target system application and store this data in lookup definitions on Oracle Identity Manager. During a provisioning operation, these lookup definitions are populated with responsibilities and roles that are specific to the Oracle E-Business Suite application you select for the operation. This feature leverages the dependent lookup capability of Oracle Identity Manager.
See Section 1.8, "Lookup Definitions Used During Connector Operations" for more information.
Oracle E-Business Suite allows future-dating (effective-dating) of account disable and account enable operations. The connector can detect and respond to these effective-dated lifecycle events.
Similarly, the connector can also respond to effective-dated operations in which roles and responsibilities are granted or revoked.
See Section 1.5.5, "Reconciliation of Effective-Dated Events" for an overview of the process.
The connector can now be used for reconciliation and provisioning account status data. During reconciliation, changes to the Effective Date From and Effective Date To fields on the target system are duplicated in Oracle Identity Manager. The same effect can be achieved through provisioning operations performed on Oracle Identity Manager.
See Section 1.5.6, "Account Status Reconciliation and Provisioning" for more information.
Reconciliation involves running a SQL query on the target system database to fetch the required user account records to Oracle Identity Manager. From this release onward, predefined SQL queries are stored in a file in the connector deployment package. You can modify these SQL queries or add your own SQL queries for reconciliation.
See Section 1.6.1, "Reconciliation Queries" for information about the reconciliation queries.
To meet the requirements of specific use cases, you might need to create multiple copies of the Oracle Identity Manager objects that constitute the connector. The connector can work with multiple instances of these objects.
See Section 4.9, "Configuring the Connector for Multiple Installations of the Target System" for more information.
In earlier releases, you had to use the APPS user for connector operations. From this release onward, you can create and use an Oracle E-Business Suite user with the minimum permissions required for connector operations.
See Section 126.96.36.199, "Creating a Target System User Account for Connector Operations" for more information.
The connector supports the connection pooling feature introduced in Oracle Identity Manager release 188.8.131.52. In earlier releases, a connection with the target system was established at the start of a reconciliation run and closed at the end of the reconciliation run. With the introduction of connection pooling, multiple connections are established by Oracle Identity Manager and held in reserve for use by the connector.
See Section 1.5.12, "Connection Pooling" for more information.
From this release onward, you can configure SSL to secure communication between Oracle Identity Manager and the target system.
See Section 2.3.2, "Configuring Secure Communication Between the Target System and Oracle Identity Manager" for more information.
The connector now supports the multiple trusted source reconciliation feature of Oracle Identity Manager. See Oracle Identity Manager Design Console Guide for detailed information about multiple trusted source reconciliation.
The following sections discuss documentation-specific updates:
The following documentation-specific update has been made in revision "17" of release 184.108.40.206.14:
The "Oracle Identity Manager" and "Target system" rows of Table 1-1, "Certified Components" have been updated.
The "ResourceConnection class definition" row of Table 2-6, "IT Resource Parameters" has been updated.
The following documentation-specific update has been made in revision "16" of release 220.127.116.11.14:
The "Target System" row of Table 1-1, "Certified Components" has been updated.
The following documentation-specific update has been made in revision "15" of release 18.104.22.168.14:
Section 3.9, "Uninstalling the Connector" has been added.
The following documentation-specific updates have been made in revision "14" of release 22.214.171.124.14:
A "Note" has been added to Section 126.96.36.199.2, "Creating a New UI Form."
The "Admin Id" row of Step 2 has been modified in Section 188.8.131.52, "SSO IT Resource."
The following documentation-specific updates have been made in the revision "13" of release 184.108.40.206.14:
The first point has been added to the first note of Section 3.3.4, "Reconciliation Scheduled Tasks."
The "External code" row has been removed from Table 1-1, "Certified Components".
A note has been added to Section 1.7.3, "Provisioning Functions."
"Update Role" and "Update Responsibility" have been removed from Table 1-10, "Provisioning Functions".
Information related to wrapper package for revoke role operation has been added to Section 220.127.116.11, "Compiling Custom Wrapper Packages."
Revoke role provisioning operation related information has been added to the following Sections:
Added the first point to the "Note" present in Section 3.3.4, "Reconciliation Scheduled Tasks."
A "Note" has been added to Step 4 of Section 4.3.1, "Adding New Attributes for Provisioning."
Step 6 has been added to Section 4.3.1, "Adding New Attributes for Provisioning."
Steps 5 and 6 have been added to Section 4.3.2, "Removing Attributes for Provisioning."
The following are the documentation-specific updates in this release:
The following sections have been added:
Instructions specific to Oracle Identity Manager release 11.1.2.x have been added as required throughout the guide.
The "Target System" row in Table 1-1, "Certified Components" has been updated.
Information about CUSTOMER ID and PARTY ID has been added to Section 18.104.22.168, "User Management with TCA Foundation".
Steps 1, 2, and 3 have been added to the procedure to "Enable SoD" in Section 22.214.171.124, "Disabling and Enabling SoD."
The "Reinstallation of the connector is unsuccessful" row has been added to the table in Section 5.2, "Troubleshooting."
The following is a documentation-specific update in this release:
The following are documentation-specific updates in release 126.96.36.199:
Section 188.8.131.52, "Prerequisites" has been added.
Some of the text in Section 3.6, "Provisioning Operations Performed in an SoD-Enabled Environment" has been moved to Section 184.108.40.206, "Prerequisites."
There are no documentation-specific updates in this release.
The following are documentation-specific updates in release 220.127.116.11:
In Section 1.1, "Certified Components," changes have been made in the "External code" row.
The "Using External Code Files" section has been removed from Chapter 2, "Deploying the Connector."
All occurrences of "Lookup.EBS.UM.Configurations" have been replaced with "Lookup.EBS.UM.Configuration".
In the Chapter 6, "Known Issues":
The following issue tracked by bug 8535215 has been removed as it was fixed in an earlier release:
The "ORA-00904 OBJ_UDF_KEYFIELD is invalid" error is thrown during reconciliation. To resolve this problem, deselect the Sequence Recon check box on the Resource Objects form of the Design Console. See Oracle Identity Manager Design Console Guide for more information about this flag.
A known issue tracked by bug 6086572 has been added.
In Section 18.104.22.168, "Files and Directories on the Installation Media," information about the script/OimUserAppstablesSynonyms.sql file and documentation/javadocs directory has been added.
In Section 22.214.171.124, "Configuring the IT Resource," the Minimum Password Length IT resource parameter has been added.
In the Section 126.96.36.199, "Creating a Target System User Account for Connector Operations," the information that you must enter while running the script to create a target system user account for connector operations has been updated.
In the Section 3.2, "Scheduled Task for Lookup Field Synchronization," the Mode attribute has been removed.
From this release onward:
The minimum certified release of Oracle Identity Manager is release 188.8.131.52 or later.
The minimum certified release of JDK is release 1.5.
See Section 1.1, "Certified Components" for the complete listing of certified components.
The following are documentation-specific updates in release 9.1.0:
Major changes have been made in the structure of the guide. The objective of these changes is to synchronize the guide with the changes made to the connector and to improve the usability of information provided by the guide.
See Section 1.9, "Roadmap for Deploying and Using the Connector" for detailed information about the organization of content in this guide.
In Section 1.1, "Certified Components," changes have been made in the "Target system" row.