This chapter contains the following sections:
Section 3.2, "Configuring the Scheduled Tasks for Lookup Field Synchronization"
Section 3.4, "Resending Messages That Are Not Received by the PeopleSoft Listener"
Section 3.7, "Provisioning Operations Performed in an SoD-Enabled Environment"
The following is a summary of the steps to use the connector for full reconciliation:
Note:
It is assumed that you have performed all the procedures described in the preceding chapter.
In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.
See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.
Configure and run the scheduled task to synchronize the lookup fields. See Section 3.2, "Configuring the Scheduled Tasks for Lookup Field Synchronization" for more information.
Generate XML files for the USER_PROFILE message for all users. See Section 3.3.2, "Performing Full Reconciliation" for more information.
Copy these XML files to a directory on the Oracle Identity Manager host computer.
Configure and run the PeopleSoft User Management Target Reconciliation scheduled task for the USER_PROFILE message. The XML files are read by this scheduled task to generate reconciliation events. See "Configuring the Scheduled Task for User Data Reconciliation" for more information.
Change from full reconciliation to incremental reconciliation. See Section 3.3.3, "Performing Incremental Reconciliation" for instructions.
When you run the Connector Installer, the following scheduled tasks for lookup field synchronization are automatically created in Oracle Identity Manager:
Currency Code Lookup Reconciliation
Email Type Lookup Reconciliation
Language Code Lookup Reconciliation
Permission List Lookup Reconciliation
Roles Lookup Reconciliation
These scheduled tasks are used to synchronize the values of the lookup fields between the target system and Oracle Identity Manager. Table 3-1 describes the attributes of these scheduled tasks. See Section 3.6, "Configuring Scheduled Tasks" for instructions on running the scheduled tasks.
Note:
Default attribute values are predefined in the connector XML file that is imported during the installation of the connector. Specify values only for those attributes that you want to change.
Table 3-1 Scheduled Task Attributes for Lookup Field Synchronization
Attribute | Description |
---|---|
IT Resource Name | Enter the name of the IT resource. Default value: |
FilePath | Enter the full path of the file in which the lookup data to be reconciled is stored. The operating system of the computer on which Oracle Identity Manager is installed must be able to access this file path. The data extracted from this file is stored in the lookup definition named in the Lookup Definition Name attribute of the scheduled task. Default value: Enter a Value. Sample value: |
Lookup Definition Name | Enter the name of the lookup definition created in Oracle Identity Manager that corresponds to the lookup field in the target system. The value can be any one of the following: |
Task Name | Enter the name of the scheduled task. Sample value: |
Ref Data Provider Impl | Enter the name of the lookup reconciliation implementation class. Default value: Note: You must not change this value. |
File Archival | Enter Default value: |
File Archival Folder | Enter the full path and name of the directory in which you want the lookup properties file used during lookup reconciliation to be archived. Default value: Enter a Value. Note: You must change this value if the File Archival attribute is set to Sample value: |
This section discusses the following topics related to configuring reconciliation:
This section describes the procedure to generate the properties file, which contains the lookup data to be consumed by the lookup reconciliation scheduled task.
Running the Application Engine Program
You can run the Application Engine program by using PeopleSoft Internet Architecture to perform Lookup Reconciliation as follows:
Note:
You must run the Application Engine program periodically.
Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:
http://IPADDRESS:PORT/psp/ps/?cmd=login
For example:
http://172.21.109.69:9080/psp/ps/?cmd=login
Click People Tools, Process Scheduler, Processes, and then Add a new Value.
Select Application Engine as the process type, and enter LOOKUP_RECON as the process name.
Click Add.
In the Process Definition Options tab, enter the following values for Component and Process Groups, and click Save:
Component: AE_REQUEST
Process Groups: TLSALL, STALL
To make the Application Engine program run in PeopleSoft Internet Architecture, click People Tools, Application Engine, Request AE, and then click Add a new Value.
Enter values for the following and then click Add:
User ID: Enter your User ID
Run Control ID: Enter a unique run control value
Program Name: Enter LOOKUP_RECON
Click Run.
From the list that is displayed, select the LOOKUP_RECON process, which you created in Step 3.
Click OK.
To determine the progress status of the Application Engine program, click People Tools, Process Scheduler, and then Process Monitor. Click Refresh until the Success message is displayed as the status.
Note:
If Status is displayed as "Queued," then you must check the status of the process scheduler. To do so, click People Tools, Process Scheduler, and then Process Monitor. Click the Server List tab and check the status of the server. If the status is not displayed, then start the process scheduler.
Full reconciliation involves reconciling all existing user profile records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.
The following sections discuss the procedures involved in full reconciliation:
You must generate XML files for all existing users in the target system.
Note:
Before performing the procedure to generate XML files, you must ensure that you have configured the USER_PROFILE message. See Section 2.2.2.2, "Configuring the Target System for Full Reconciliation" for more information.
To generate XML files for full reconciliation, perform the following procedure:
Note:
If you are using PeopleTools 8.50 and HCM 9.0, then before running Full Data Publish, you must apply the patch that addresses Bug 824529. This patch can be downloaded from Oracle Metalink.
Running the USER_PROFILE (VERSION_84) Message for Full Data Publish
To configure the USER_PROFILE message, see Section 2.2.2.2.5, "Configuring the USER_PROFILE Service Operation."
Note:
You must run the Application Engine program if you are performing the full reconciliation for the first time. See "Running the Application Engine Program" for more information.
To run the USER_PROFILE message:
In PeopleSoft Internet Architecture, expand Enterprise Components, Integration Definitions, Initiate Processes, and then click Full Data Publish.
Click the Add a New Value tab.
In the Run Control ID field, enter a value and then click ADD.
In the Process Request region, provide the following values:
Request ID: Enter a request ID.
Description: Enter a description for the process request.
Process Frequency: Select Always.
Message Name: Enter USER_PROFILE as the message name.
Click Save to save the configuration.
Click Run.
The following screenshot displays the preceding steps:
The Process Scheduler Request page appears.
From the Server Name list, select the appropriate server.
Select Full Table Data Publish process list, and click OK.
The following screenshot displays the Process Scheduler Request page:
Click Process Monitor to verify the status of EOP_PUBLISHT Application Engine. The Run Status is Success if the transaction is successfully completed.
On successful completion of the transaction, XML files for the USER_PROFILE message are generated at the location that you specified in the FilePath property while creating the OIM_FILE_NODE node for the PeopleSoft Web Server. See the "Configuring PeopleSoft Integration Broker" section for more information.
You must copy these XML files to a directory on the Oracle Identity Manager host computer.
Note:
After you have performed this procedure:
Remove the permission list created in the "Setting Up the Security for the USER_PROFILE Service Operation" section. This is done for security reasons.
Disable the USER_PROFILE_HR_TO_UMFILE routing created in the "Defining the Routing for the USER_PROFILE Service Operation" section. To do so, clear the Active check box in Step 2 of that procedure.
This section describes the procedure to import XML files into Oracle Identity Manager.
Configuring the Scheduled Task for User Data Reconciliation
When you run the Connector Installer, the PeopleSoft User Management Target Reconciliation scheduled task is automatically created in Oracle Identity Manager.
The PeopleSoft User Management Target Reconciliation scheduled task is used for target resource reconciliation. In addition, this same scheduled task is used to reconcile data of deleted users from a target resource into Oracle Identity Manager.
The scheduled task transfers data from the XML file to the parser. The parser then converts this data into reconciliation events. Table 3-2 describes the attributes of this scheduled task. See Section 3.6, "Configuring Scheduled Tasks" for instructions on configuring the scheduled task.
Table 3-2 Attributes of the Scheduled Task for Reconciliation of User Data
Attribute | Description |
---|---|
Archive Mode | Enter If |
Archive Path | Enter the full path and name of the directory in which you want XML files used during full reconciliation to be archived. You must enter a value for the Archive Path attribute only if you specify Sample value: |
File Path | Enter the path of the directory on the Oracle Identity Manager host computer into which you copied the file containing XML data. Sample value: |
IT Resource Name | Enter the name of the IT resource that you create by performing the procedure described in Section 2.2.1.3, "Configuring the IT Resource." Default value: |
Message Implementation Class | Enter the name of the implementation class for the message handler required to process the message. For example, the implementation classes for the following messages are provided by default: For the USER_PROFILE message: For the DELETE_USER_PROFILE message: |
Message Name | Use this attribute to specify the name of the delivered message used for full reconciliation. Sample value: |
Task Name | This attribute holds the name of the scheduled task. Default value: |
You do not require additional configuration for incremental reconciliation.
It is assumed that you have deployed the PeopleSoft listener as described in Section 2.2.1.5, "Deploying the PeopleSoft Listener."
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current incremental reconciliation run. For full reconciliation, all target system records are fetched into Oracle Identity Manager.
You can configure limited reconciliation to specify the subset of target system records that must be fetched into Oracle Identity Manager.
You configure limited reconciliation by specifying a query condition as the value of the Custom Query attribute of the PeopleSoft User Management Target Reconciliation scheduled task.
You must use the following format to specify a value for the Custom Query attribute:
RESOURCE_OBJECT_ATTRIBUTE_NAME=VALUE
For example, suppose you specify the following as the value of the Custom Query attribute:
Currency Code=1~USD
With this query condition, only records for users with currency code as 1~USD are considered for reconciliation.
You can add multiple query conditions by using the ampersand (&) as the AND operator and the vertical bar (|) as the OR operator. For example, the following query condition is used to limit reconciliation to records of those users for whom the Currency Code is 1~USD and User ID is John01:
Currency Code=1~USD & User ID=John01
To configure limited reconciliation:
Create the query condition. Apply the following guidelines when you create the query condition:
Use only the equal sign (=), the ampersand (&), and the vertical bar (|) in the query condition. Do not include any other special characters in the query condition. Any other character that is included is treated as part of the value that you specify.
Add a space before and after the ampersand and vertical bar signs used in the query condition. For example:
Currency Code=1~USD & User ID=John01
Currency Code=1~USD | User ID=John01
This is to help the system distinguish between ampersands and vertical bars used in the query and the same characters included as part of attribute values specified in the query condition.
You must not include unnecessary blank spaces between operators and values in the query condition.
A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:
Currency Code=1~USD & User ID=John01
Currency Code= 1~USD & User ID= John01
In the second query condition, the reconciliation engine would look for Currency Code and User ID values that contain a space at the start.
Ensure that the attribute names that you use in the query condition are in the same case (uppercase or lowercase) as the attributes defined in the PeopleSoft User resource object. For example, the following query condition would fail:
cUrReNcY Code= 1~USD
Configure the message-specific configuration lookup with the query condition as the value of the Custom Query attribute. For example, to specify the query condition for the USER_PROFILE message, search and open the Lookup.PSFT.Message.UserProfile.Configuration lookup. Specify the query condition in the Decode column of the Custom Query attribute.
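The query rules above, worked through in an added example that is not part of the connector guide or its code: a Python matcher that parses a Custom Query value and runs it over constructed sample records, showing the spacing, case and operator pitfalls. The AND-over-OR precedence and the record dictionaries are assumptions; the guide does not state how mixed operators are grouped.

```python
# Added example (not from the connector guide): a matcher for the Custom
# Query condition format. The precedence of ' & ' over ' | ' is an assumption.
from typing import Dict, List, Tuple

AND_OP = " & "  # per the guide, operators carry a space on each side
OR_OP = " | "

Term = Tuple[str, str]


def parse_custom_query(query: str) -> List[List[Term]]:
    """Parse a Custom Query into OR-groups of AND-ed (attribute, value) terms.

    Assumption: AND binds tighter than OR, so
    'A=1 & B=2 | C=3' is read as (A=1 AND B=2) OR (C=3).
    Only ' & ' and ' | ' surrounded by spaces are operators; a bare '&' or
    '|' stays part of the value, as does any other special character.
    Names and values are deliberately not trimmed: the guide warns that
    'User ID= John01' looks for a value that starts with a space.
    """
    if not query:
        raise ValueError("empty query condition")
    groups: List[List[Term]] = []
    for disjunct in query.split(OR_OP):
        conjunct: List[Term] = []
        for term in disjunct.split(AND_OP):
            if "=" not in term:
                raise ValueError(f"term has no '=': {term!r}")
            name, value = term.split("=", 1)  # split on the first '=' only
            conjunct.append((name, value))
        groups.append(conjunct)
    return groups


def matches(record: Dict[str, str], query: str) -> bool:
    """True if the record satisfies the condition.

    Attribute names are compared exactly, so a name whose case differs from
    the resource object attribute (e.g. 'cUrReNcY Code') never matches.
    """
    return any(
        all(record.get(name) == value for name, value in conjunct)
        for conjunct in parse_custom_query(query)
    )


def filter_records(records: List[Dict[str, str]], query: str) -> List[str]:
    """Return the User IDs of the records selected for reconciliation."""
    return [r["User ID"] for r in records if matches(r, query)]


# Constructed sample records in the shape of reconciliation data (not from
# the guide); 'Description' carries a bare '&' to show it is not an operator.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"User ID": "John01", "Currency Code": "1~USD", "Language Code": "ENG",
     "Description": "R&D"},
    {"User ID": "Jane02", "Currency Code": "1~USD", "Language Code": "FRA",
     "Description": "Sales"},
    {"User ID": "Raj03", "Currency Code": "1~INR", "Language Code": "ENG",
     "Description": "R&D"},
]

if __name__ == "__main__":
    for q in [
        "Currency Code=1~USD",
        "Currency Code=1~USD & User ID=John01",
        "Currency Code=1~USD | User ID=Raj03",
        "Currency Code= 1~USD & User ID= John01",  # leading spaces: no match
        "cUrReNcY Code=1~USD",                     # wrong case: no match
        "Description=R&D",                         # bare '&' is data
    ]:
        print(f"{q!r:45} -> {filter_records(SAMPLE_RECORDS, q)}")
```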
The messages are generated and sent to Oracle Identity Manager regardless of whether the WAR file is running. Reconciliation events are not created for the messages that are sent to Oracle Identity Manager while the WAR file is unavailable. To ensure that all the messages generated on the target system reach Oracle Identity Manager, perform the following procedure:
If Oracle Identity Manager is not running when a message is published, then the message is added to a queue. You can check the status of the message in the queue in the Message Instance tab. This tab lists all the published messages in a queue. When you check the details of the particular message, the status is listed as Timeout or Error.
To publish a message in the queue to Oracle Identity Manager, resubmit the message when Oracle Identity Manager is running.
If the status of the message is New or Started and it does not change to Timeout or Done, then you must restart the PeopleSoft application server after you restart Oracle Identity Manager.
Note:
PeopleSoft supports this functionality for the limited rights user described in Section 2.1.2.2.2, "Creating a Role for a Limited Rights User." However, you can grant the rights to perform this task to other users based on the security policy of your organization.
To manually resend messages in Error or TimeOut status:
In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Service Operations Monitor, Monitoring, and then click Asynchronous Services.
From the Group By list, select Service Operation or Queue to view the number of messages in Error, TimeOut, Done, and so on.
The number is in the form of a link, which when clicked displays the details of the message.
Click the link pertaining to the message to be resent, for example, the link under the Error or the TimeOut column.
You are taken to the Operation Instance tab.
Click the Details link of the message to be resent. A new window appears.
Click the Error Messages link to check the error description.
Click Resubmit after you have resolved the issue.
Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a PeopleSoft account for the user.
The following are types of provisioning operations:
Direct provisioning
Request-based provisioning
Note:
The "Unable to access pstools.properties" message might be recorded in the server logs during provisioning operations. You can safely ignore this message.
This section discusses the following topics:
Section 3.5.1, "Direct Provisioning on Oracle Identity Manager"
Section 3.5.2, "Request-Based Provisioning in Oracle Identity Manager"
This section describes the prerequisites and the procedure to perform direct provisioning. It contains the following sections:
Note:
Perform the procedure in this section only in the following situations:
The first time you perform direct provisioning.
If you switch from request-based provisioning to direct provisioning.
When you install the connector on Oracle Identity Manager release 11.1.1, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.
If you configure the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then see Section 3.8, "Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1."
To provision a resource by using the direct provisioning approach:
Log in to the Administrative and User Console.
If you are using Oracle Identity Manager release 11.1.1, then:
On the Welcome to Oracle Identity Manager Self Service page, click Advanced.
Click the Administration tab.
If you want to first create the OIM User and then provision a resource:
If you are using Oracle Identity Manager release 9.1.0.x, then:
From the Users menu, select Create.
On the Create User page, enter values for the OIM User fields and then click Create User.
If you are using Oracle Identity Manager release 11.1.1, then:
On the Welcome to Identity Administration page, in the Users region, click Create User.
On the Create User page, enter values for the OIM User fields, and then click Save.
If you want to provision a target system account to an existing OIM User, then:
If you are using Oracle Identity Manager release 9.1.0.x, then:
From the Users menu, select Manage.
Search for the OIM User by using the Search feature, and then click the link for the OIM User from the list of users displayed in the search results table.
If you are using Oracle Identity Manager release 11.1.1, then:
On the Welcome to Identity Administration page, in the Users region, click Advanced Search - Users.
Search for the OIM User by using the Search feature, and then click the link for the OIM User from the list of users displayed in the search results table.
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, then on the User Detail page, select Resource Profile from the list at the top of the page.
If you are using Oracle Identity Manager release 11.1.1, then click the Resources tab.
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, then on the Resource Profile page, click Provision New Resource.
If you are using Oracle Identity Manager release 11.1.1, then click Add. The Provision Resource to User page is displayed in a new window.
On the Select a Resource page, select Peoplesoft User from the list, and then click Continue.
On the Verify Resource Selection page, click Continue.
On the Provide Process Data page, enter the details of the account that you want to create on the target system, and then click Continue.
On the Provide Process Data page for child data, search for and select the child data for the user on the target system. For instance, on the Provide Process Data page for e-mail data, specify the e-mail address and e-mail type for the account and then click Add. If you want to add more than one e-mail, repeat the process. Then, click Continue.
On the Provide Process Data page for role data, specify the role name, and then click Add. If you want to add more than one role, repeat the process. Then, click Continue.
On the Verify Process Data page, verify the data that you entered, and then click Continue.
The account is created on the target system and provisioned as a resource to the OIM User.
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, then the page that is displayed provides options to disable or revoke the resource from the OIM User.
If you are using Oracle Identity Manager release 11.1.1, the "Provisioning has been initiated" message is displayed. Close this window, and click Refresh to view details of the newly provisioned resource.
See Also:
Section 1.7, "Connector Objects Used During Provisioning" for more information about the provisioning functions supported by this connector and the process form fields used for provisioning
Note:
The information provided in this section is applicable only if you are using Oracle Identity Manager release 11.1.1.
A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters.
Note:
The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.
The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:
Section 3.5.2.1, "End User's Role in Request-Based Provisioning"
Section 3.5.2.2, "Approver's Role in Request-Based Provisioning"
The following steps are performed by the end user in a request-based provisioning operation:
Log in to the Administrative and User Console.
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.
From the Actions menu on the left pane, select Create Request.
The Select Request Template page is displayed.
From the Request Template list, select Provision Resource and then click Next.
On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specified is displayed in the Available Users list.
From the Available Users list, select the user to whom you want to provision the account.
If you want to create a provisioning request for more than one user, then from the Available Users list, select the users to whom you want to provision the account.
Click Move or Move All to include your selection in the Selected Users list, and then click Next.
On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
From the Available Resources list, select PeopleSoft User, move it to the Selected Resources list, and then click Next.
On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
On the Justification page, you can specify values for the following fields, and then click Finish.
Effective Date
Justification
On the resulting page, a message confirming that your request has been sent is displayed along with the Request ID.
If you click the request ID, then the Request Details page is displayed.
To view details of the approval, on the Request Details page, click the Request History tab.
The approver in a request-based provisioning operation performs the following steps:
Log in to the Administrative and User Console.
On the Welcome page, click Self-Service in the upper-right corner of the page.
On the Welcome to Identity Manager Self Service page, click the Tasks tab.
On the Approvals tab, in the first region, you can specify a search criterion for the request task that is assigned to you.
From the search results table, select the row containing the request you want to approve, and then click Approve Task.
A message confirming that the task was approved is displayed.
This section describes the procedure to configure scheduled tasks. You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.
The following is a list of scheduled tasks that you must configure.
Currency Code Lookup Reconciliation
Email Type Lookup Reconciliation
Language Code Lookup Reconciliation
Permission List Lookup Reconciliation
Roles Lookup Reconciliation
PeopleSoft User Management Target Reconciliation
To configure a scheduled task:
Log in to the Administrative and User Console.
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage Scheduled Task.
If you are using Oracle Identity Manager release 11.1.1, then:
On the Welcome to Oracle Identity Manager Self Service page, click Advanced.
Click the System Management tab, and then click Scheduler.
On the left pane, click Advanced Search.
On the page that is displayed, you can use any combination of the search options provided to locate a scheduled task. Click Search after you specify the search criteria.
The following screenshot shows the Scheduled Task Management page for Oracle Identity Manager release 9.1.0.x:
The list of scheduled tasks that match your search criteria is displayed in the search results table.
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, then in the search results table, click the Edit icon in the Edit column for the scheduled task.
The following screenshot shows the Scheduled Task Details page:
If you are using Oracle Identity Manager release 11.1.1, then select the link for the scheduled task from the list of scheduled tasks displayed in the search results table.
Modify the details of the scheduled task. To do so:
If you are using Oracle Identity Manager release 9.1.0.x, then on the Edit Scheduled Task Details page, you can modify the following parameters:
- Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.
- Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.
- Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.
- Frequency: Specify the frequency at which you want the task to run.
If you are using Oracle Identity Manager release 11.1.1, then on the Job Details tab, you can modify the following parameters:
- Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
- Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.
Note:
See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.
After modifying the values for the scheduled task details listed in the previous step, perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, then click Continue.
If you are using Oracle Identity Manager release 11.1.1, then perform the next step.
Specify values for the attributes of the scheduled task. To do so:
If you are using Oracle Identity Manager release 9.1.0.x, then select each attribute from the Attribute list, specify a value in the field provided, and then click Update. See Table 3-2 for more information about the attributes of the scheduled task.
The following screenshot shows the Attributes page. The attributes of the scheduled task that you select for modification are displayed on this page.
If you are using Oracle Identity Manager release 11.1.1, then on the Job Details tab, under the Parameters section, specify values for the attributes of the scheduled task. See Table 3-2 for more information about the attributes of the scheduled task.
Note:
Attribute values are predefined in the connector XML file that is imported during the installation of the connector. Specify values only for the attributes that you want to change.
After specifying the attributes, perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, then click Save Changes to save the changes.
Note:
The Stop Execution option is not available in the Administrative and User Console. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.
If you are using Oracle Identity Manager release 11.1.1, then click Apply to save the changes.
Note:
The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to start, stop, or reinitialize the scheduler.
Note:
The information in this section applies only to Oracle Identity Manager 11.1.1.
Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a PeopleSoft User account for the user.
The following are types of provisioning operations:
Direct provisioning
Request-based provisioning of entitlements
See Also:
Oracle Identity Manager Connector Concepts for information about the types of provisioning
This section discusses the following topics:
Section 3.7.1, "Overview of the Provisioning Process in an SoD-Enabled Environment"
Section 3.7.2, "Direct Provisioning in an SoD-Enabled Environment"
Section 3.7.3, "Request-Based Provisioning in an SoD-Enabled Environment"
The following is the sequence of steps that take place during a provisioning operation performed in an SoD-enabled environment:
The provisioning operation triggers the appropriate adapter.
The adapter carries provisioning data to the corresponding BAPI on the target system.
If you select an account or entitlements to be provisioned to the OIM User, then the SoD check is initiated. The SoDChecker task submits the user account and entitlement details, in the form of a Duties list, to Oracle Application Access Controls Governor. In other words, the SoD validation process takes place asynchronously.
The user runs either the Get SOD Check Results Provisioning or Get SOD Check Results Approval scheduled task.
The scheduled task passes the entitlement data to the Web service of Oracle Application Access Controls Governor.
After Oracle Application Access Controls Governor runs the SoD validation process on the entitlement data, the response from the process is returned to Oracle Identity Manager.
The status of the process task that received the response depends on the response itself. If the entitlement data clears the SoD validation process, then the status of the process task changes to Completed. This translates into the entitlement being granted to the user. If the SoD validation process returns a failure response, then the status of the process task changes to Canceled.
To provision a resource by using the direct provisioning approach:
Log in to the Administrative and User Console.
If you want to first create an OIM User and then provision a target system account, then:
On the Identity Manager - Self Service page, click Administration.
On the Welcome to Identity Administration page, in the Users section, click Create User.
On the Create User page, enter values for the OIM User fields, and then click Save.
If you want to provision a target system account to an existing OIM User, then:
On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the drop-down list on the left pane.
From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.
On the user details page, click the Resources tab.
From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.
On the Step 1: Select a Resource page, select the resource that you want to provision from the list and then click Continue. The following screenshot shows the Step 1: Select a Resource page:
On the Step 2: Verify Resource Selection page, click Continue. The following screenshot shows the Step 2: Verify Resource Selection page:
On the Step 3: Provide Process Data page for process data, enter the details of the account that you want to create on the target system and then click Continue. The following screenshot shows the user details added:
On the Step 3: Provide Process Data page for role data, specify the role name for the account, and then click Add. If you want to add more than one role, repeat the process. Then, click Continue. The following screenshot shows this page:
On the Step 4: Verify Process Data page, verify the data that you have provided and then click Continue. The following screenshot shows Step 4: Verify Process Data page.
The "Provisioning has been initiated" message is displayed. To view the newly provisioned resource, perform one of the following steps:
Close the window displaying the "Provisioning has been initiated" message.
On the Resources tab of the user details page, click Refresh to view the newly provisioned resource.
To view the process form, on the Resources tab of the user details page, select the row displaying the newly provisioned resource, and then click Open. The Edit Form page is displayed.
The following screenshot shows the page displaying the process form:
In this screenshot, the SODCheckStatus field shows SoDCheckResultPending. The value in this field can be SoDCheckResultPending or SoDCheckCompleted.
Note:
If Oracle Identity Manager is not SoD enabled, then the SOD Check Status field shows SODCheckNotInitiated.
To view the Resource Provisioning Details page, which shows the details of the process tasks that were run, on the Resources tab of the user details page, from the Action menu, select Resource History.
The following screenshot shows the Resource Provisioning Details page:
This page shows the details of the process tasks that were run. The Holder and SODChecker tasks are in the Pending state. These tasks will change state after the status of the SoD check is returned from the SoD engine. The Add Role to User task corresponds to the roles selected for assignment to this user.
Note:
SoD validation by Oracle Application Access Controls Governor is asynchronous. The validation process produces a result as soon as it completes, but that result reaches Oracle Identity Manager only when the Get SOD Check Results Provisioning scheduled task runs.
After the Get SOD Check Results Provisioning scheduled task is run, the results of the SoD validation process are brought to Oracle Identity Manager. To view the process form, on the Resources tab of the User Details page, select the row displaying the newly provisioned resource, and then click Open. The Edit Form page is displayed.
The following screenshot shows the page displaying this process form:
In this screenshot, the SOD Check Status field shows SoDCheckCompleted. Because the SoD engine detected a violation in this particular example, the SoD Check Violation field shows the details of the violation.
In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.
The following screenshot shows this page:
In this screenshot, the status of the Add Role to User tasks is Canceled because the request failed the SoD validation process. The account itself has already been created on the target system; only the role assignments are withheld.
As the administrator assigning a resource to a user, you can either end the process when a violation is detected or modify the assignment data and then resend it. To modify the assignment data, on the Resources tab of the user details page, select the row containing the resource, and then click Open.
In the Edit Form window that is displayed, you can modify the role and profile data that you had selected earlier.
Note:
To modify a set of entitlements in the Edit Form window, you must first remove all entitlements and then add the ones that you want to use.
In the following screenshot, one of the roles selected earlier is marked for removal:
Rerun the Get SOD Check Results Provisioning scheduled task to initiate the SoD validation process.
After the Get SOD Check Results Provisioning scheduled task is run, the results of the SoD validation process are brought to Oracle Identity Manager. On the Resources tab of the user details page, select the row containing the resource, and then click Open. The process form is displayed.
The following screenshot shows the page displaying the process form:
In this screenshot, the SOD Check Status field shows SoDCheckCompleted. Because no violation was detected by the SoD engine, the SoDCheckResult field shows Passed.
In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.
The following screenshot shows this page:
On the Resource Provisioning Details page, the state of the Add Role to User task is Completed.
The request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The request-based provisioning process described in this section covers steps to be performed by both entities.
In the example used in this section, the end user creates a request for two roles on the target system. The request clears the SoD validation process and is approved by the approver.
The following steps are performed by the end user in a request-based provisioning operation:
See Also:
The "Creating and Searching Requests" chapter of Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps
Log in to the Administrative and User Console.
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Identity Manager Advanced Administration page, click the Administration tab, and then click the Requests tab.
From the Actions menu on the left pane, select Create Request.
The Select Request Template page is displayed.
From the Request Template list, select Provision Resource and click Next.
On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specified is displayed in the Available Users list.
From the Available Users list, select the user to whom you want to provision the account.
If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.
Click Move or Move All to include your selection in the Selected Users list, and then click Next.
On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
From the Available Resources list, select PeopleSoft User, move it to the Selected Resources list, and then click Next.
On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
On the Justification page, you can specify values for the following fields, and then click Finish:
Effective Date
Justification
On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.
If you click the request ID, then the Request Details page is displayed.
On the Resource tab of the Request Details page, click the View Details link in the row containing the resource for which the request was created. The Resource data page is displayed in a new window.
One of the fields on this page is the SODCheckStatus field. The value in this field can be SoDCheckResultPending or SoDCheckCompleted. When the request is placed, the SODCheckStatus field contains the SoDCheckResultPending status.
Note:
If Oracle Identity Manager is not SoD enabled, then the SOD Check Status field shows SODCheckNotInitiated.
To view details of the approval, on the Request Details page, click the Approval Tasks tab.
On this page, the status of the SODChecker task is Pending.
To initiate SoD validation of pending requests, the approver must run the Get SOD Check Results Approval scheduled task.
After the Get SOD Check Results Approval scheduled task is run, on the Request Details page, click the Approval Tasks tab. The status of the SODChecker task is Completed and the Approval task status is Pending. This page also shows details of the administrator who must now approve the request.
This section discusses the role of the approver in a request-based provisioning operation.
The approver to whom the request is assigned can use the Pending Approvals feature to view details of the request.
In addition, the approver can click the View link to view details of the SoD validation process.
The approver can decide whether to approve or deny the request, regardless of whether the SoD engine accepted or rejected the request. The approver can also modify entitlements in the request. Because the SoD result does not block approval, an approver who approves a request with a reported violation overrides the control; approvers should review the violation details before approving such a request.
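Since an approver can approve a request whatever the SoD verdict, a practitioner usually wants a periodic check that lists the approvals which went through without a Passed result. The following is an added audit example written for this edition, not part of the guide or of Oracle Identity Manager: the field names follow the process-form fields named in this section (SODCheckStatus, SoDCheckResult, SoDCheckViolation), while the record layout, the approval and approver fields and the sample data are constructed for the example. It also flags a record approved while the status is not SoDCheckCompleted, which should not occur in the flow described here and is therefore worth a look.

```python
"""Added audit check (not part of the guide): approved requests whose SoD
check did not pass. Field names follow this section; the record layout
and the sample records are constructed for the example."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of request records (not real OIM output).
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"request_id": "1001", "beneficiary": "jdoe", "approver": "mgr1",
     "approval": "Approved", "SODCheckStatus": "SoDCheckCompleted",
     "SoDCheckResult": "Passed", "SoDCheckViolation": ""},
    {"request_id": "1002", "beneficiary": "asmith", "approver": "mgr2",
     "approval": "Approved", "SODCheckStatus": "SoDCheckCompleted",
     "SoDCheckResult": "Failed",
     "SoDCheckViolation": "AP_INVOICE_ENTRY + AP_PAYMENT_APPROVAL"},
    {"request_id": "1003", "beneficiary": "bwong", "approver": "mgr2",
     "approval": "Rejected", "SODCheckStatus": "SoDCheckCompleted",
     "SoDCheckResult": "Failed",
     "SoDCheckViolation": "GL_JOURNAL_ENTRY + GL_JOURNAL_POST"},
    {"request_id": "1004", "beneficiary": "clee", "approver": "mgr3",
     "approval": "Approved", "SODCheckStatus": "SoDCheckResultPending",
     "SoDCheckResult": "", "SoDCheckViolation": ""},
]


def sod_overrides(requests: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (request_id, approver, reason) for every approved request that
    lacks a Passed verdict: the engine reported a violation, or no completed
    verdict is recorded at all (the Get SOD Check Results Approval task had
    not brought one back when the approval happened)."""
    flagged: List[Tuple[str, str, str]] = []
    for r in requests:
        if r.get("approval") != "Approved":
            continue  # rejected requests granted nothing
        status = r.get("SODCheckStatus", "")
        if status != "SoDCheckCompleted":
            reason = f"approved with status {status}"
        elif r.get("SoDCheckResult") != "Passed":
            reason = f"approved despite violation: {r.get('SoDCheckViolation', '')}"
        else:
            continue
        flagged.append((r["request_id"], r["approver"], reason))
    return flagged


def overrides_per_approver(requests: List[Dict[str, str]]) -> Dict[str, int]:
    """Count overrides by approver, the usual starting point for a review."""
    return dict(Counter(approver for _, approver, _ in sod_overrides(requests)))
```

Run against the sample, the check reports request 1002 (approved despite a violation) and 1004 (approved without a completed check), and leaves 1001 and the rejected 1003 alone.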
The following are steps performed by the approver in a request-based provisioning operation:
Log in to the Administrative and User Console.
On the Welcome page, click Self-Service in the upper-right corner of the page.
On the Welcome to Identity Manager Self Service page, click the Tasks tab.
On the Approvals tab, in the first section, you can specify a search criterion for the request tasks that are assigned to you.
From the search results table, select the row containing the request you want to approve, and then click Approve Task.
A message confirming that the task was approved is displayed.
Note:
It is assumed that you have performed the procedure described in Section 2.3.1.9, "Enabling Request-Based Provisioning."
On Oracle Identity Manager release 11.1.1, if you want to switch from request-based provisioning to direct provisioning, then:
Log in to the Design Console.
Disable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the Peoplesoft User Management process definition.
Deselect the Auto Save Form check box.
Click the Save icon.
If the Self Request Allowed feature is enabled, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the Peoplesoft User resource object.
Deselect the Self Request Allowed check box.
Click the Save icon.
On Oracle Identity Manager release 11.1.1, if you want to switch from direct provisioning to request-based provisioning, then:
Log in to the Design Console.
Enable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the Peoplesoft User Management process definition.
Select the Auto Save Form check box.
Click the Save icon.
If you want to enable end users to raise requests for themselves, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the Peoplesoft User resource object.
Select the Self Request Allowed check box.
Click the Save icon.