3 Using the Connector

This chapter is divided into the following sections:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Performing Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.

To perform a full reconciliation run, set the Last Execution Timestamp attribute of the SAP User Management User Recon and SAP User Management Delete Recon scheduled tasks to 0. At the end of the reconciliation run, this attribute is automatically set to the time stamp at which the run started. From the next run onward, only records created or modified after this time stamp value are considered for reconciliation.

3.2 Scheduled Task for Lookup Field Synchronization

Note:

It is assumed that you have performed all the procedures described in the preceding chapter.

In Oracle Identity Manager release 11.1.x, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.x.

See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

The SAP User Management Lookup Recon scheduled task is used for lookup field synchronization. Table 3-1 describes the attributes of this scheduled task. The procedure to configure scheduled tasks is described later in the guide.

Table 3-1 Attributes of the SAP User Management Lookup Recon Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: SAP UM IT Resource

Lookup Name

Enter Lookup.SAP.UM.LookupMappings if the target system is SAP R/3.

Enter Lookup.SAP.CUA.LookupMappings if the target system is SAP CUA.

Default value: Lookup.SAP.UM.LookupMappings

Schedule Task Name

This attribute holds the name of the scheduled task.

Value: SAP User Management Lookup Recon


3.3 Guidelines on Performing Reconciliation

Apply the following guidelines while configuring reconciliation:

  • On SAP CUA, an account that is directly created on the target system must be assigned a master system before changes to that account can be detected and brought to Oracle Identity Manager during reconciliation.

  • On a Microsoft Windows platform, if you encounter the org.quartz.SchedulerException exception during a reconciliation run, then download and install the Microsoft Visual C++ 2005 SP1 Redistributable Package from the Microsoft Web site.

3.4 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.4.1 Full Reconciliation vs. Incremental Reconciliation

The Last Execution Timestamp attribute of the scheduled task stores the time stamp at which a reconciliation run begins. During a reconciliation run, the scheduled task fetches only target system records that were added or modified after the time stamp stored in this attribute. This is incremental reconciliation. If you set the attribute to 0, then full reconciliation is performed: all existing target system records are fetched into Oracle Identity Manager for reconciliation.

As mentioned earlier in this chapter, you can switch from incremental to full reconciliation at any time.
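The following Python model, added here as an illustration and not part of the connector or this guide, shows the selection rule that Sections 3.1 and 3.4.1 describe: a Last Execution Timestamp of 0 selects every target system record, any other value selects only records modified after it, and the attribute is reset to the start time of the run. It also shows why the SAP System Time Zone attribute from Table 3-2 matters: the connector does not validate that value, and a wrong zone silently shifts the incremental window so that a change can be skipped. That the connector interprets SAP time stamps in that zone is an assumption made for this example, as are the sample accounts, clock values, and zones.

```python
"""Full vs. incremental record selection driven by Last Execution Timestamp.

Added illustration, not the connector's own code. Assumptions: the connector
converts the SAP host's local time stamps using the SAP System Time Zone
attribute; the sample records and zones below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TargetRecord:
    user_id: str
    modified_local: datetime   # naive wall-clock time as the SAP host reports it


def epoch_ms(local: datetime, sap_zone: timezone) -> int:
    """Interpret a naive SAP time stamp in the configured SAP System Time Zone."""
    return int(local.replace(tzinfo=sap_zone).timestamp() * 1000)


def select_for_reconciliation(
    records: list[TargetRecord],
    last_execution_timestamp: int,
    sap_zone: timezone,
    run_start: datetime,
) -> tuple[list[str], int]:
    """Return the User IDs to reconcile and the new Last Execution Timestamp.

    The new value is the time this run started, not when it finished, so a
    record modified while the run executes falls into the next run's window.
    """
    if last_execution_timestamp == 0:                       # full reconciliation
        selected = [r.user_id for r in records]
    else:                                                   # incremental
        selected = [r.user_id for r in records
                    if epoch_ms(r.modified_local, sap_zone) > last_execution_timestamp]
    return selected, int(run_start.timestamp() * 1000)


# Constructed sample: three SAP accounts on a host whose clock is at UTC+1.
TRUE_SAP_ZONE = timezone(timedelta(hours=1))
# A wrong value entered for SAP System Time Zone (the connector would not reject it).
MISCONFIGURED_ZONE = timezone(timedelta(hours=10))
SAMPLE_RECORDS = [
    TargetRecord("ALICE", datetime(2024, 3, 1, 8, 0)),
    TargetRecord("BOB",   datetime(2024, 3, 1, 9, 30)),
    TargetRecord("CAROL", datetime(2024, 3, 1, 11, 15)),   # 15 min after run 1 started
]
RUN1_START = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)   # 11:00 on the SAP host
RUN2_START = datetime(2024, 3, 1, 14, 0, tzinfo=timezone.utc)


def two_runs(sap_zone: timezone = TRUE_SAP_ZONE) -> tuple[list[str], list[str]]:
    """Run a full reconciliation (attribute = 0), then an incremental one."""
    first, ts = select_for_reconciliation(SAMPLE_RECORDS, 0, sap_zone, RUN1_START)
    second, _ = select_for_reconciliation(SAMPLE_RECORDS, ts, sap_zone, RUN2_START)
    return first, second


if __name__ == "__main__":
    print("correct zone      :", two_runs())
    # With UTC+10, CAROL's 11:15 local change is read as 01:15 UTC, which is
    # before run 1 started, so the incremental run skips it without any error.
    print("misconfigured zone:", two_runs(MISCONFIGURED_ZONE))
```

Because the connector raises no error for an invalid or wrong time zone, the practical check is to run the incremental task once after deployment with a known recent change on the target system and confirm that the change was picked up.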

3.4.2 Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current incremental reconciliation run. For full reconciliation, all target system records are fetched into Oracle Identity Manager.

You can configure limited reconciliation to specify the subset of target system records that must be fetched into Oracle Identity Manager.

You configure limited reconciliation by specifying a query condition as the value of the Custom Query attribute of the SAP User Management User Recon scheduled task.

You must use the following format to specify a value for the Custom Query attribute:

RESOURCE_OBJECT_FIELD_NAME=VALUE

For example, suppose you specify the following as the value of the Custom Query attribute:

Last Name=Doe

With this query condition, only records for users whose last name is Doe are considered for reconciliation.

You can add multiple query conditions by using the ampersand (&) as the AND operator and the vertical bar (|) as the OR operator. For example, the following query condition is used to limit reconciliation to records of those users whose first name is John and last name is Doe:

First Name=John & Last Name=Doe

Note:

This feature cannot be applied to the Locked/Unlocked status attribute of the target system.

To configure limited reconciliation:

  1. Ensure that the attribute that you want to use in the query exists in the Lookup.SAP.UM.ReconAttrMap lookup definition.

    If there is no entry in this lookup definition for the attribute that you want to use, then create an entry. See Section 4.2, "Adding New Attributes for Reconciliation" for more information.

  2. Create the query condition. Apply the following guidelines to create the query condition:

    • Use only the equal sign (=), ampersand (&), and vertical bar (|) in the query condition. If any other special character is included, then it is treated as part of the attribute value that you specify.

    • Add a space before and after ampersands and vertical bars used in the query condition. For example:

      First Name=John & Last Name=Doe

      This is to help the system distinguish between ampersands and vertical bars used in the query and the same characters included as part of attribute values specified in the query condition.

    • Do not include unnecessary blank spaces between operators and values in the query condition.

      A query condition with spaces between values and operators yields different results from one without them. For example, the output of the following query conditions is not the same:

      First Name=John & Last Name=Doe

      First Name= John & Last Name= Doe

      In the second query condition, the reconciliation engine looks for first name and last name values that start with a space.

    • Ensure that attribute names that you use in the query condition are in the same case (uppercase and lowercase) as the case of values in the Lookup.SAP.UM.ReconAttrMap lookup definition. For example, the following query condition would fail:

      fiRst Name = John
      
  3. While configuring the SAP User Management User Recon scheduled task, specify the query condition as the value of the Custom Query attribute. The procedure is described later in this chapter.
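The following Python parser and validator, added here as an illustration and not part of the connector or this guide, applies the Custom Query rules stated above: a term is RESOURCE_OBJECT_FIELD_NAME=VALUE, only a spaced " & " and " | " act as operators, any other character (including an unspaced ampersand) is part of the value, nothing is trimmed, and attribute names must match the Lookup.SAP.UM.ReconAttrMap entries case for case. The validator reports the mistakes the guidelines warn about (wrong case, stray spaces, the Locked/Unlocked status attribute) before the value is entered in the scheduled task. AND binding tighter than OR, the attribute map, the field name "Lock Status", and the sample records are assumptions made for this example.

```python
"""Parser and validator for the Custom Query format described in Section 3.4.2.

Added illustration, not the connector's own code. It implements only the rules
the guide states; AND-before-OR precedence, the sample attribute map and the
sample records are assumptions.
"""
from __future__ import annotations

# Stand-in for the field names in Lookup.SAP.UM.ReconAttrMap (constructed).
RECON_ATTR_MAP = {"User ID", "First Name", "Last Name", "Department", "Lock Status"}
# The guide says the feature cannot be applied to the Locked/Unlocked status
# attribute; its field name is assumed to be "Lock Status" here.
UNSUPPORTED_ATTRS = {"Lock Status"}

Term = tuple[str, str]       # (attribute name, value), both kept verbatim
Query = list[list[Term]]     # OR-list of AND-groups (precedence is an assumption)


def parse_custom_query(query: str) -> Query:
    """Split a Custom Query value into terms without trimming anything.

    Only " | " and " & " (with the surrounding spaces) are operators; an
    unspaced '&' or any other special character stays inside the value.
    """
    if query == "":
        return []
    groups: Query = []
    for or_part in query.split(" | "):
        terms: list[Term] = []
        for term in or_part.split(" & "):
            name, sep, value = term.partition("=")   # first '=' separates name and value
            if not sep:
                raise ValueError(f"term has no '=': {term!r}")
            terms.append((name, value))
        groups.append(terms)
    return groups


def matches(record: dict[str, str], query: Query) -> bool:
    """Exact, case-sensitive comparison; an empty query imposes no restriction."""
    if not query:
        return True
    return any(all(record.get(name) == value for name, value in group) for group in query)


def validate_custom_query(query: str, attr_map: set[str] = RECON_ATTR_MAP) -> list[str]:
    """Report the mistakes the guide warns about before the query reaches the task."""
    problems: list[str] = []
    for group in parse_custom_query(query):
        for name, value in group:
            if name in UNSUPPORTED_ATTRS:
                problems.append(f"{name!r}: limited reconciliation cannot be applied "
                                "to the Locked/Unlocked status attribute")
            elif name not in attr_map:
                similar = [a for a in attr_map if a.lower() == name.strip().lower()]
                hint = (f"; did you mean {similar[0]!r}? names are case-sensitive "
                        "and not trimmed") if similar else ""
                problems.append(f"{name!r} is not in Lookup.SAP.UM.ReconAttrMap{hint}")
            if value != value.strip():
                problems.append(f"value {value!r} for {name!r} has leading/trailing "
                                "spaces that are matched literally")
    return problems


# Constructed sample of target system records as the recon task would see them.
SAMPLE_RECORDS = [
    {"User ID": "JDOE",   "First Name": "John", "Last Name": "Doe",   "Department": "R&D"},
    {"User ID": "JSMITH", "First Name": "John", "Last Name": "Smith", "Department": "Sales"},
    {"User ID": "RROE",   "First Name": "Rita", "Last Name": "Roe",   "Department": "R&D"},
]


def limited_reconciliation(query: str, records=SAMPLE_RECORDS) -> list[str]:
    """Return the User IDs a reconciliation run would consider under the query."""
    parsed = parse_custom_query(query)
    return [r["User ID"] for r in records if matches(r, parsed)]


if __name__ == "__main__":
    for q in ("Last Name=Doe", "First Name=John & Last Name=Doe", "Department=R&D",
              "Last Name=Doe | Last Name=Roe", "First Name= John & Last Name= Doe"):
        print(f"{q!r:40} -> {limited_reconciliation(q)}")
    for problem in validate_custom_query("fiRst Name = John"):
        print("problem:", problem)
```

Running the validator over a candidate query before pasting it into the Custom Query attribute catches the two failure modes the guide describes that produce no error at run time: a name that differs only in case (or carries a trailing space) and a value that carries a leading space, both of which simply match nothing.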

3.4.3 Reconciliation Scheduled Tasks

You must specify values for the attributes of the following scheduled tasks:

Note:

Attribute values are predefined in the connector XML file that you import. Specify values only for the attributes that you want to change.

3.4.3.1 SAP User Management User Recon

You use the SAP User Management User Recon scheduled task to reconcile user data from the target system. Table 3-2 describes the attributes of this scheduled task.

Table 3-2 Attributes of the SAP User Management User Recon Scheduled Task

Attribute Description

Attribute Mapping Lookup

This attribute holds the name of the lookup definition that stores attribute mappings for reconciliation.

Value: Lookup.SAP.UM.ReconAttrMap

Batch Size

Enter the number of records that must be included in each batch fetched from the target system during a reconciliation run.

This attribute is used to implement batched reconciliation.

Default value: 100

Child Attribute Mapping Lookup

This attribute holds the name of the lookup definition that stores child attribute mappings for reconciliation.

Value: Lookup.SAP.UM.ReconChildAttrMap

Custom Query

Enter the query that you want the connector to apply during reconciliation. See Section 3.4.2, "Limited Reconciliation" for more information.

IT Resource

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: SAP UM IT Resource

Last Execution Timestamp

This attribute holds the time stamp at which the last reconciliation run started. For the next reconciliation run, only target system records that have been added or modified after this time stamp are considered for reconciliation.

For consecutive reconciliation runs, the connector automatically enters a value for this attribute. However, you can use this attribute to switch from incremental reconciliation to full reconciliation. See Section 3.4.1, "Full Reconciliation vs. Incremental Reconciliation" for more information.

Default value: 0

Resource Object

This attribute holds the name of the resource object.

Default value: SAP UM Resource Object

SAP System Time Zone

Enter the abbreviation for the time zone of the target system host computer.

The value that you enter must be one of the time zones supported by the java.util.TimeZone class.

Note: The connector does not validate the value that you enter. In addition, no error is thrown during reconciliation if the value entered is not a valid time zone.

Sample value: PST

Schedule Task Name

This attribute holds the name of the scheduled task.

Value: SAP User Management User Recon


3.4.3.2 SAP User Management Delete Recon

You use the SAP User Management Delete Recon scheduled task to reconcile deleted users from the target system. Table 3-3 describes the attributes of this scheduled task.

Table 3-3 Attributes of the SAP User Management Delete Recon Scheduled Task

Attribute Description

Batch Size

Enter the number of records that must be included in each batch fetched from the target system during a reconciliation run.

This attribute is used to implement batched reconciliation.

Default value: 100

Disable User

Enter yes if you want the connector to disable accounts (in Oracle Identity Manager) corresponding to accounts deleted on the target system. Enter no if you want the connector to revoke accounts in Oracle Identity Manager.

Default value: no

IT Resource

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: SAP UM IT Resource

Last Execution Timestamp

This attribute holds the time stamp at which the last reconciliation run started. For the next reconciliation run, only target system records that have been added or modified after the recorded time stamp are considered for reconciliation.

For consecutive reconciliation runs, the connector automatically enters a value for this attribute. However, you can use this attribute to switch from incremental reconciliation to full reconciliation. See Section 3.4.1, "Full Reconciliation vs. Incremental Reconciliation" for more information.

Default value: 0

Resource Object

This attribute holds the name of the resource object.

Default value: SAP UM Resource Object

SAP System Time Zone

Enter the abbreviation for the time zone of the target system host computer.

The value that you enter must be one of the time zones supported by the java.util.TimeZone class.

Note: The connector does not validate the value that you enter. In addition, no error is thrown during reconciliation if the value entered is not a valid time zone.

Sample value: PST

Schedule Task Name

This attribute holds the name of the scheduled task.

Default value: SAP User Management Delete Recon


3.4.3.3 SAP CUP Status Update Recon

Note:

Configure this scheduled task only if you enable the Compliant User Provisioning feature.

You use the SAP CUP Status Update Recon scheduled task to fetch the status of provisioning requests sent to SAP GRC Compliant User Provisioning. For a particular user, only the status of the latest request is brought to Oracle Identity Manager. This request is the one currently stored on the process form. Table 3-4 describes the attributes of this scheduled task.

Table 3-4 Attributes of the SAP CUP Status Update Recon Scheduled Task

Attribute Description

Constants Lookup

This attribute holds the name of the lookup definition that holds constant values used by the connector during reconciliation and provisioning.

Default value: Lookup.SAP.CUP.Constants

IT Resource

Enter the name of the IT resource for the SAP GRC installation from which you want to fetch request status data.

Default value: GRC-ITRes

Resource Object

This attribute holds the name of the resource object.

Default value: SAP UM Resource Object

Schedule Task Name

This attribute holds the name of the scheduled task.

Default value: SAP CUP Status Update Recon


3.4.3.4 SAP CUP Delete Recon

Note:

Configure this scheduled task only if you enable the Compliant User Provisioning feature.

You use the SAP CUP Delete Recon scheduled task to revoke accounts (resources) of users in Oracle Identity Manager for whom the Create User provisioning requests are rejected by SAP GRC Compliant User Provisioning.

When you perform a Create User provisioning operation, the account is allocated to the OIM User even before SAP GRC Compliant User Provisioning clears the provisioning request and creates an account on the target system. For a particular user, if account creation on the target system fails, then the account provisioned in Oracle Identity Manager is an invalid account. You use the SAP CUP Delete Recon scheduled task to identify and delete such accounts.

Table 3-5 Attributes of the SAP CUP Delete Recon Scheduled Task

Attribute Description

Configuration Lookup

This attribute holds the name of the lookup definition that stores configuration values used by the connector during reconciliation and provisioning. You can set values for some of the entries in this lookup definition.

Default value: Lookup.SAP.UM.Configuration

Constants Lookup

This attribute holds the name of the lookup definition that holds constant values used by the connector during reconciliation and provisioning.

Default value: Lookup.SAP.CUP.Constants

IT Resource

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: SAP UM IT Resource

Resource Object

This attribute holds the name of the resource object.

Default value: SAP UM Resource Object

Schedule Task Name

This attribute holds the name of the scheduled task.

Default value: SAP CUP Delete Recon


3.5 Configuring Scheduled Tasks

This section describes the procedure to configure scheduled tasks. You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.

Table 3-6 lists the scheduled tasks that you must configure.

Table 3-6 Scheduled Tasks for Lookup Field Synchronization and Reconciliation

Scheduled Task Description

SAP User Management Lookup Recon

This scheduled task is used for lookup field synchronization. Section 3.2, "Scheduled Task for Lookup Field Synchronization" describes this scheduled task.

SAP User Management User Recon

This scheduled task is used for user record reconciliation. Section 3.4.3.1, "SAP User Management User Recon" describes this scheduled task.

SAP User Management Delete Recon

This scheduled task is used for reconciliation of deleted user records. Section 3.4.3.2, "SAP User Management Delete Recon" describes this scheduled task.

SAP CUP Status Update Recon

This scheduled task is used to fetch the status of provisioning requests sent to SAP GRC Compliant User Provisioning. Section 3.4.3.3, "SAP CUP Status Update Recon" describes this scheduled task.

Note: This scheduled task is created only if you configure the Compliant User Provisioning feature.

SAP CUP Delete Recon

This scheduled task is used to revoke accounts (resources) of users in Oracle Identity Manager for whom the Create User provisioning requests are rejected by SAP GRC Compliant User Provisioning. Section 3.4.3.4, "SAP CUP Delete Recon" describes this scheduled task.

Note: This scheduled task is created only if you configure the Compliant User Provisioning feature.


To configure a scheduled task:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.1.0.x or 11.1.1:

      1. Log in to the Administrative and User Console.

      2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

    • For Oracle Identity Manager release 11.1.2:

      1. Log in to Oracle Identity System Administration.

      2. Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see the "Managing Sandboxes" section of Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

      3. In the left pane, under System Management, click Scheduler.

  2. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage Scheduled Task.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Oracle Identity Manager Self Service page, click Advanced.

      2. Click the System Management tab, and then click Scheduler.

      3. On the left pane, click Advanced Search.

  3. On the page that is displayed, you can use any combination of the search options provided to locate a scheduled task. Click Search after you specify the search criteria.

    The list of scheduled tasks that match your search criteria is displayed in the search results table.

  4. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then in the search results table, click the Edit icon in the Edit column for the scheduled task.

    • If you are using Oracle Identity Manager release 11.1.x, then select the link for the scheduled task from the list of scheduled tasks displayed in the search results table.

  5. Modify the details of the scheduled task. To do so:

    • If you are using Oracle Identity Manager release 9.1.0.x, then on the Edit Scheduled Task Details page, you can modify the following parameters:

      - Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

      - Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.

      - Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

      - Frequency: Specify the frequency at which you want the task to run.

    • If you are using Oracle Identity Manager release 11.1.x, then on the Job Details tab, you can modify the following parameters:

      - Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

      - Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

      Note:

      See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

  6. After modifying the values for the scheduled task details listed in the previous step, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then click Continue.

    • If you are using Oracle Identity Manager release 11.1.x, then perform the next step.

  7. Specify values for the attributes of the scheduled task. To do so:

    • If you are using Oracle Identity Manager release 9.1.0.x, select each attribute from the Attribute list, specify a value in the field provided, and then click Update.

    • If you are using Oracle Identity Manager release 11.1.x, then on the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    Attribute values are predefined in the connector XML file that is imported during the installation of the connector. Specify values only for the attributes that you want to change.

  8. After specifying the attributes, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then click Save Changes to save the changes.

      Note:

      The Stop Execution option is not available in the Administrative and User Console. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.

    • If you are using Oracle Identity Manager release 11.1.x, then click Apply to save the changes.

      Note:

      The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to start, stop, or reinitialize the scheduler.

3.6 Guidelines on Performing Provisioning

Apply the following guidelines while performing provisioning operations in any of the supported deployment configurations:

  • Through provisioning, if you want to create and disable an account at the same time, then you can set the value of the Valid Through attribute to a date in the past. For example, while creating an account on 31-Jul, you can set the Valid Through date to 30-Jul. With this value, the resource provisioned to the OIM User is in the Disabled state immediately after the account is created.

    However, on the target system, if you set the Valid Through attribute to a date in the past while creating an account, then the target system automatically sets Valid Through to the current date. The outcome of this Create User provisioning operation is as follows:

    • The values of the Valid Through attribute in Oracle Identity Manager and on the target system do not match.

    • On the target system, the user can log in all through the current day. The user cannot log in from the next day onward.

    You can lock the user on the target system so that the user is not able to log in the day the account is created.

  • Remember that if password or system assignment fails during a Create User provisioning operation, then the user is not created.

  • When you try to provision a multivalued attribute, such as a role or profile, if the attribute has already been set for the user on the target system, then the status of the process task is set to Completed in Oracle Identity Manager. If required, you can configure the task so that it shows the status Rejected in this situation. See one of the following guides for information about configuring process tasks:

  • When you perform the Lock User or Unlock User provisioning operation, remember that the connector makes the required change on the target system without checking whether the account is currently in the Locked or Unlocked state. This is because the target system does not provide a method to check the current state of the account.

  • The target system does not accept non-English letters in the E-mail Address field. Therefore, during provisioning operations, you must enter only English language letters in the E-mail Address field on the process form.

  • On a Microsoft Windows platform, if you encounter the java.lang.UnsatisfiedLinkError exception during a provisioning operation, then download and install the Microsoft Visual C++ 2005 SP1 Redistributable Package from the Microsoft Web site.

Apply the following guidelines while performing provisioning operations after configuring the Compliant User Provisioning feature of the connector:

  • During a Create User operation performed when Compliant User Provisioning is configured, first submit the process form data. Submit the child form data after the user is created on the target system. This is because, when Compliant User Provisioning is enabled, the connector supports modification of either process form fields or child form fields in a single Modify User operation, not both.

  • The following fields on the process form are mandatory attributes on SAP GRC Compliant User Provisioning:

    Note:

    When the Compliant User Provisioning feature is configured, you must enter values for these fields even though some of them are not marked as mandatory fields on the Administrative and User Console.

    • CUP Requestor ID

    • CUP Requestor First Name

    • CUP Requestor Last Name

    • CUP Requestor Email

    • GRC IT Resource

    • User ID

    • First Name

    • Last Name

    • E Mail

    The Valid From and Valid Through attributes are not mandatory attributes.

  • As mentioned earlier in this guide, SAP GRC Compliant User Provisioning does not process passwords. Therefore, any value entered in the Password field is ignored during Create User provisioning operations. After a Create User operation is performed, the user for whom the account is created on the target system must apply one of the following approaches to set the password:

    • To use the Oracle Identity Manager password as the target system password, change the password through Oracle Identity Manager.

    • Directly log in to the target system, and change the password.

  • You perform an Enable User operation by setting the Valid From field to a future date. Similarly, you perform a Disable User operation by setting the Valid Through field to the current date. Both operations are treated as Modify User operations.

  • When you delete a user (account) on the Administrative and User Console (process form), a Delete User request is created.

  • When you select the Lock User check box on the process form, a Lock User request is created.

  • When you deselect the Lock User check box on the process form, an Unlock User request is created.

  • The Enable User and Disable User operations are implemented through the Valid From and Valid Through fields on the process form.

  • In a Modify User operation, you can specify values both for attributes that are mapped to SAP GRC Compliant User Provisioning and for attributes that are updated directly on the target system. A request is created in SAP GRC Compliant User Provisioning only for attributes whose mappings are present in these lookup definitions. If you specify values for attributes that are not present in these lookup definitions, then the connector sends them directly to the target system.

3.7 Provisioning Operations Performed in an SoD-Enabled Environment

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user. The following are types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning of accounts

  • Request-based provisioning of entitlements

  • Provisioning triggered by policy changes

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about the types of provisioning

This section discusses the following topics:

3.7.1 Overview of the Provisioning Process in an SoD-Enabled Environment

The following is the sequence of steps that take place during a provisioning operation performed in an SoD-enabled environment:

  1. The provisioning operation triggers the appropriate adapter.

  2. The user runs the scheduled task (either ResubmitUninitiatedProvisioningSODCheck or Resubmit Uninitiated Approval SOD Checks).

  3. The scheduled task passes the entitlement data to the Web service of SAP GRC.

  4. After SAP GRC runs the SoD validation process on the entitlement data, the response from the process is returned to Oracle Identity Manager.

  5. The status of the process task that received the response depends on the response itself. If the entitlement data clears the SoD validation process, then the adapter carries provisioning data to the corresponding BAPI on the target system and the status of the process task changes to Completed. This translates into the entitlement being granted to the user. If the SoD validation process returns the failure response, then the status of the process task changes to Canceled.

3.7.2 Guidelines on Performing Provisioning Operations

Apply the following guidelines while performing provisioning operations:

  • When you assign a role to a user through provisioning, you set values for the following attributes:

    • Role System Name

    • Role Name

    • Start Date

    • End Date

    However, when you update a role assignment, you can specify values only for the Start Date and End Date attributes. You cannot set new values for the Role System Name and Role Name attributes. This also applies to new child forms that you add.

  • You can only assign profiles. You cannot update an assigned profile.

3.7.3 Direct Provisioning in an SoD-Enabled Environment

This section describes the prerequisites and the procedure to perform direct provisioning. It contains the following sections:

3.7.3.1 Prerequisites

Note:

Perform the procedure in this section only in the following situations:

  • The first time you perform direct provisioning.

  • If you switch from request-based provisioning to direct provisioning.

On Oracle Identity Manager release 9.1.0.x, when you run the Connector Installer, configurations for both direct provisioning and request-based provisioning of SAP user accounts are installed. Therefore, during direct provisioning, the process form is suppressed and the object form is displayed. If you want to enable the use of the process form during direct provisioning, then perform the procedure described later in this section.

On Oracle Identity Manager release 11.1.x, when you run the Connector Installer, the configuration for direct provisioning of SAP user accounts is installed. Although the process form is displayed during direct provisioning, the connector cannot complete direct provisioning operations unless you enable the use of the process form. If you want to enable the use of the process form during direct provisioning, then perform the procedure described later in this section.

To enable the use of the process form during direct provisioning:

Note:

Request-based provisioning is disabled after you perform this procedure.

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the SAP UM Process Form process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the SAP UM Resource Object resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

3.7.3.2 Performing Direct Provisioning in Oracle Identity Manager Release 9.1.0.x or 11.1.1

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. If you want to first create an OIM User and then provision a target system account:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      1. From the Users menu, select Create.

      2. On the Create User page, enter values for the OIM User fields and then click Create User. The following screenshot shows the Create User page:

        [Screenshot: Create User page]
    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Identity Administration page, in the Users region, click Create User.

      2. On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      1. From the Users menu, select Manage.

      2. Search for the OIM User by using the Search feature, and then click the link for the OIM User from the list of users displayed in the search results table.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the drop-down list on the left pane.

      2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      1. On the User Detail page, select Resource Profile from the list at the top of the page. The following screenshot shows the User Detail page:

        [Screenshot: dir_prov2_user_detail.gif]
      2. On the Resource Profile page, click Provision New Resource. The following screenshot shows the Resource Profile page:

        [Screenshot: dir_prov3_prov_resource.gif]
    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the user details page, click the Resources tab.

      2. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  5. On the Step 1: Select a Resource page, select SAP UM Resource Object from the list and then click Continue. The following screenshot shows the Step 1: Select a Resource page.

    [Screenshot: dir_prov4_select_resobj.gif]
  6. On the Step 2: Verify Resource Selection page, click Continue. The following screenshot shows the Step 2: Verify Resource Selection page.

    [Screenshot: dir_prov5_ver_res.gif]
  7. On the Step 5: Provide Process Data page for process data, enter the details of the account that you want to create on the target system and then click Continue. The following screenshot shows the user details added.

    [Screenshot: dir_prov6_procs_data.gif]
  8. On the Step 5: Provide Process Data page for profile data, search for and select profiles for the user on the target system and then click Continue. The following screenshot shows this page.

    [Screenshot: dir_prov7_profile_data.gif]
  9. On the Step 5: Provide Process Data page for role data, search for and select roles for the user on the target system and then click Continue. The following screenshot shows this page.

    [Screenshot: dir_prov8_role_data.gif]
  10. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue. The following screenshot shows Step 6: Verify Process Data page.

    [Screenshot: dir_prov9_ver_data.gif]
  11. The "Provisioning has been initiated" message is displayed. To view the newly provisioned resource, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then click Back to User Resource Profile. The Resource Profile page shows that the resource has been provisioned to the user. The following screenshot shows this page:

      [Screenshot: dir_prov11_res_provd.gif]
    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. Close the window displaying the "Provisioning has been initiated" message.

      2. On the Resources tab of the user details page, click Refresh to view the newly provisioned resource.

  12. To view the process form, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then on the Resource Profile page, click the View link in the Process Form column. The View Form page is displayed.

      [Screenshot: dir_prov12_res_prov_det.gif]

      In this screenshot, the SOD Check Status field shows SoDCheckNotInitiated. The value in this field can be SoDCheckNotInitiated, SoDCheckResultPending, or SoDCheckCompleted.

    • If you are using Oracle Identity Manager release 11.1.1, then on the Resources tab of the user details page, select the row displaying the newly provisioned resource, and then click Open. The Edit Form page is displayed.

  13. To view the Resource Provisioning Details page, which shows the details of the process tasks that were run, perform the procedure in one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then on the Resource Profile page, click the resource link in the Resource Name column.

      [Screenshot: dir_prov13_res_proc_frm.gif]

      This page shows the details of the process tasks that were run. The Holder and SODChecker tasks are in the Pending state. These tasks will change state after the status of the SoD check is returned from the SoD engine. The Add User Role tasks correspond to the two roles selected for assignment to this user.

    • If you are using Oracle Identity Manager release 11.1.1, then on the Resources tab of the user details page, from the Action menu, select Resource History.

  14. The SoDCheckNotInitiated status in the SOD Check Status field indicates that SoD validation has not started. If you are using Oracle Identity Manager release 9.1.0.x, then to start SoD validation, you must run the ResubmitUninitiatedProvisioningSODChecks scheduled task.

    Note:

    SoD validation by SAP GRC is synchronous: the validation call returns a result as soon as it is completed. However, if the requested entitlement produces a large number of violations of the policies defined in SAP GRC, then the validation can take a long time and Oracle Identity Manager might time out before the result arrives. The ResubmitUninitiatedProvisioningSODChecks scheduled task was introduced to work around this issue by picking up accounts whose check is still in the SoDCheckNotInitiated state.

    The following screenshot shows the ResubmitUninitiatedProvisioningSODChecks scheduled task in the Design Console:

    [Screenshot: dir_prov14_sched_task1.gif]
  15. After the ResubmitUninitiatedProvisioningSODChecks scheduled task is run, the results of the SoD validation process are brought to Oracle Identity Manager. To view the process form, perform the procedure described in one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then on the Resource Profile page, click the View link in the Process Form column. The View Form page is displayed.

      [Screenshot: dir_prov15_task_fail.gif]

      In this screenshot, the SOD Check Status field shows SoDCheckCompleted. Because the SoD engine detected a violation in this particular example, the SoD Check Violation field shows the details of the violation.

      In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

      The following screenshot shows this page:

      [Screenshot: dir_prov15_task_cancl.gif]

      In this screenshot, the status of the Add User Role tasks is Canceled because the request failed the SoD validation process.

    • If you are using Oracle Identity Manager release 11.1.1, then on the Resources tab of the user details page, select the row displaying the newly provisioned resource, and then click Open. The Edit Form page is displayed.

  16. As the administrator assigning a resource to a user, you can either end the process when a violation is detected or modify the assignment data and then resend it. To modify the assignment data, perform the procedure in one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then first click the Edit link in the Process Form column on the Resource Profile page.

    • If you are using Oracle Identity Manager release 11.1.1, then on the Resources tab of the user details page, select the row containing the resource, and then click Open.

  17. In the Edit Form window that is displayed, you can modify the role and profile data that you had selected earlier.

    Note:

    To modify a set of entitlements in the Edit Form window, you must first remove all entitlements and then add the ones that you want to use.

    In the following screenshot, one of the roles selected earlier is marked for removal:

    [Screenshot: dir_prov17_edit_enttl.gif]
  18. Rerun the ResubmitUninitiatedProvisioningSODChecks scheduled task to initiate the SoD validation process.

  19. After the ResubmitUninitiatedProvisioningSODChecks scheduled task is run, the results of the SoD validation process are brought to Oracle Identity Manager. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then on the Resource Profile page, click the View link in the Process Form column. The process form is displayed.

      [Screenshot: dir_prov16_res_proc_frm.gif]

      In this screenshot, the SOD Check Status field shows SoDCheckCompleted. Because no violation was detected by the SoD engine, the SoD Check Violation field shows Passed.

      In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

      The following screenshot shows this page:

      [Screenshot: dir_prov15_task_cancl.gif]

      On the Resource Provisioning Details page, the state of the Add User Role task is Completed.

    • If you are using Oracle Identity Manager release 11.1.1, then on the Resources tab of the user details page, select the row containing the resource, and then click Open. The process form is displayed.

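The console walk-through in steps 11 through 19 can be summarized as a small state model. The following Python is an added example written for this guide, not connector or Oracle Identity Manager code: it models how the Holder and SODChecker tasks gate the Add User Role tasks, how the ResubmitUninitiatedProvisioningSODChecks scheduled task completes a check that is still SoDCheckNotInitiated (Canceled role tasks on a violation, Completed on a pass), and how the administrator's edit (remove all entitlements, then re-add the wanted ones) followed by a rerun clears the violation. The SAP role names and the conflicting-role pairs are constructed, and the assumption that an edit returns the account to SoDCheckNotInitiated is a modeling assumption, not something the guide states.

```python
"""Model of the SoD-gated direct provisioning flow (added example; not connector code)."""
from dataclasses import dataclass, field

# Constructed SoD policy: pairs of SAP roles that one user must not hold together.
# Real policies are defined in SAP GRC; these role names are made up for the example.
CONFLICTING_ROLE_PAIRS = [
    frozenset({"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"}),
    frozenset({"Z_HR_MAINTAIN_PAYROLL", "Z_HR_APPROVE_PAYROLL"}),
]

ROLE_TASK_PREFIX = "Add User Role:"


def sod_check(roles):
    """Return the violated pairs, sorted; an empty list means the check passed."""
    held = set(roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_ROLE_PAIRS if pair <= held)


@dataclass
class ProvisionedAccount:
    roles: list
    sod_status: str = "SoDCheckNotInitiated"   # SoDCheckNotInitiated | SoDCheckResultPending | SoDCheckCompleted
    sod_violation: str = ""                     # violation details, or "Passed"
    tasks: dict = field(default_factory=dict)   # process task name -> state


def task_name(role):
    return ROLE_TASK_PREFIX + role


def initiate_provisioning(roles):
    """Direct provisioning submitted: gating tasks plus one Add User Role task per role, all Pending."""
    acct = ProvisionedAccount(roles=list(roles))
    acct.tasks = {"Holder": "Pending", "SODChecker": "Pending"}
    acct.tasks.update({task_name(r): "Pending" for r in acct.roles})
    return acct


def resubmit_uninitiated_sod_checks(acct):
    """What the ResubmitUninitiatedProvisioningSODChecks scheduled task achieves, in model form:
    run the check for an account still in SoDCheckNotInitiated, complete the gating tasks, and
    cancel the role tasks on a violation or complete them on a pass. Accounts already checked
    are left alone, so rerunning the task is a no-op for them."""
    if acct.sod_status != "SoDCheckNotInitiated":
        return acct
    violations = sod_check(acct.roles)
    acct.sod_status = "SoDCheckCompleted"
    acct.tasks["Holder"] = acct.tasks["SODChecker"] = "Completed"
    if violations:
        acct.sod_violation = "; ".join(f"{a} conflicts with {b}" for a, b in violations)
        outcome = "Canceled"
    else:
        acct.sod_violation = "Passed"
        outcome = "Completed"
    for role in acct.roles:
        acct.tasks[task_name(role)] = outcome
    return acct


def edit_entitlements(acct, new_roles):
    """Administrator edits the process form: all entitlements are removed and the wanted ones
    re-added, as the Note above requires. Modeling assumption (not stated by the guide): the
    edit returns the account to SoDCheckNotInitiated so the next scheduled-task run picks it up."""
    acct.roles = list(new_roles)
    acct.tasks = {k: v for k, v in acct.tasks.items() if not k.startswith(ROLE_TASK_PREFIX)}
    acct.tasks.update({task_name(r): "Pending" for r in acct.roles})
    acct.sod_status = "SoDCheckNotInitiated"
    acct.sod_violation = ""
    return acct


if __name__ == "__main__":
    acct = initiate_provisioning(["Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"])
    resubmit_uninitiated_sod_checks(acct)
    print(acct.sod_status, "|", acct.sod_violation, "|", acct.tasks)
    edit_entitlements(acct, ["Z_AP_INVOICE_ENTRY"])
    resubmit_uninitiated_sod_checks(acct)
    print(acct.sod_status, "|", acct.sod_violation, "|", acct.tasks)
```

The point the model makes explicit is that no Add User Role task leaves the Pending state until the SoD check has a result: a timed-out check does not fail open, it stays SoDCheckNotInitiated until the scheduled task is run.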

3.7.3.3 Performing Direct Provisioning in Oracle Identity Manager Release 11.1.2

To configure provisioning operations in Oracle Identity Manager release 11.1.2:

Note:

The first provisioning operation that you perform by using this connector takes longer than usual.

  1. Log in to the Oracle Identity Administrative and User Console.

  2. Create a user. See the "Managing Users" chapter in Oracle Fusion Middleware User's Guide for Oracle Identity Manager for more information about creating a user.

  3. On the Account tab, click Request Accounts.

  4. On the Catalog page, search for the application instance, add it to the cart, and then click Checkout.

  5. Specify values for the fields in the application form, and then click Ready to Submit.

  6. Click Submit.

  7. If you want to provision entitlements, then:

    1. On the Entitlements tab, click Request Entitlements.

    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.

    3. Click Submit.

3.7.4 Request-Based Provisioning in an SoD-Enabled Environment

The request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The request-based provisioning process described in this section covers steps to be performed by both entities.

In the example used in this section, the end user creates a request for two roles on the target system. The request clears the SoD validation process and is approved by the approver.

3.7.4.1 End User's Role in Request-Based Provisioning

The following are the types of request-based provisioning:

  • Request-based provisioning of accounts: OIM Users are not provisioned target system resources when they are created. Instead, the users themselves raise requests for provisioning accounts.

  • Request-based provisioning of entitlements: OIM Users who have already been provisioned target system resources (either through direct or request-based provisioning) raise requests for provisioning entitlements.

Depending on the Oracle Identity Manager release that you are using, end users perform the procedure described in one of the following sections:

3.7.4.1.1 End User's Role in Request-Based Provisioning on Oracle Identity Manager Release 9.1.0.x

The following steps are performed by the end user in a request-based provisioning operation:

Note:

The procedure is almost the same for request-based provisioning of both accounts and entitlements. Differences have been called out in the following sequence of steps.

  1. Log in to the Administrative and User Console.

  2. Expand My Resources, and then click Request New Resources.

  3. On the Step 1: Provide resources page, use the Add button to select one of the following:

    • SAP UM Resource Object, if you want to create a request for a target system account

    • SAP UM Roles or SAP UM Profiles, if you want to create a request for an entitlement on the target system

    The following screenshot shows the SAP UM Roles entitlement selected:

    [Screenshot: req_prov1_slct_rol.gif]
  4. On the Step 2: Provide resource data page, click Continue.

    The following screenshot shows this page:

    [Screenshot: req_prov2_prov_res.gif]
  5. On the second Step 2: Provide resource data page, select the IT resource corresponding to the target system installation on which you want the selected entitlement.

    The following screenshot shows this page:

    [Screenshot: req_prov3_prov_res2.gif]
  6. On the third Step 2: Provide resource data page, select the entitlements that you want to request.

    The following screenshot shows two roles selected on this page:

    [Screenshot: req_prov4_prov_res3.gif]
  7. On the Step 3: Verify information page, review the information that you have provided and then submit the request.

    The following screenshot shows this page:

    [Screenshot: req_prov5_veri_info.gif]
  8. If you click Submit Now, then the Request Submitted page shows the request ID.

    The following screenshot shows this page:

    [Screenshot: req_prov6_req_subm.gif]
  9. If you click the request ID, then the Request Details page is displayed.

    The following screenshot shows this page:

    [Screenshot: req_prov7_req_detail.gif]

    On the page displayed when you click View, the SOD Status field shows SoDCheckNotInitiated. The value in this field can be SoDCheckNotInitiated, SoDCheckResultPending, or SoDCheckCompleted.

    The following screenshot shows this page:

    [Screenshot: req_prov7b_req_detail.gif]
  10. To view details of the approval, select Approval Tasks from the list at the top of the page. The Approval Tasks page is displayed. The following screenshot shows this page:

    [Screenshot: req_prov8_appr_task.gif]

    On this page, the status of the SODChecker task is Pending.

  11. To initiate SoD validation of pending entitlement requests, an administrator must run the Resubmit Uninitiated Approval SOD Checks scheduled task. The following screenshot shows this scheduled task in the Design Console:

    [Screenshot: req_prov9_sched_task2.gif]
  12. After the Resubmit Uninitiated Approval SOD Checks scheduled task is run, on the Approval Tasks page, the status of the SODChecker task is Completed and the status of the Approval task is Pending. This page also shows details of the administrator who must now approve the request.

    The following screenshot shows the Approval Tasks page after the request passes the SoD validation process.

    [Screenshot: req_prov10_appr_task2.gif]
3.7.4.1.2 End User's Role in Request-Based Provisioning on Oracle Identity Manager Release 11.1.1

The following steps are performed by the end user in a request-based provisioning operation:

See Also:

The "Creating and Searching Requests" chapter of Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Advanced on the top right corner of the page.

  3. On the Welcome to Identity Manager Advanced Administration page, click the Administration tab, and then click the Requests tab.

  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and then click Next.

  6. On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specified is displayed in the Available Users list.

  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select the users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.

  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.

  10. From the Available Resources list, select SAP UM Resource Object, move it to the Selected Resources list, and then click Next.

  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.

  12. On the Justification page, you can specify values for the following fields, and then click Finish:

    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.

  14. On the Resource tab of the Request Details page, click the View Details link in the row containing the resource for which the request was created. The Resource Details page is displayed in a new window.

    One of the fields on this page is the SODCheckStatus field. The value in this field can be SoDCheckNotInitiated or SoDCheckCompleted. When the request is placed, the SODCheckStatus field contains the SoDCheckCompleted status.

  15. To view details of the approval, on the Request Details page, click the Approval Tasks tab.

    On this page, the status of the SODChecker task is Pending.

3.7.4.2 Approver's Role in Request-Based Provisioning

This section discusses the role of the approver in a request-based provisioning operation.

The approver to whom the request is assigned can use the Pending Approvals feature to view details of the request.

[Screenshot: req_prov11_adm_appr.gif]

In addition, the approver can click the View link to view details of the SoD validation process.

The approver can decide whether to approve or deny the request, regardless of whether the SoD engine accepted or rejected the request. The approver can also modify entitlements in the request.

Depending on the Oracle Identity Manager release that you are using, approvers can perform the procedure described in one of the following sections:

3.7.4.2.1 Approver's Role in Request-Based Provisioning on Oracle Identity Manager Release 9.1.0.x

The following steps are performed by the approver in a request-based provisioning operation:

  1. As the approver, to edit and approve a request, click the Edit link.

  2. In the Edit Form window, select the entitlement request data that you want to modify from the list at the top of the window and then make the required change. In the following screenshot, one of the roles that the requester had included in the request has been removed:

    [Screenshot: req_prov12_edit_req.gif]
  3. Close the Edit Form window, select the check box for the task that you want to approve, and then click Approve.

  4. On the Confirmation page, click Confirm.

    The following screenshot shows this page:

    [Screenshot: req_prov13_cnfrm_apprv.gif]
  5. On the Request Details page, the SOD Status column shows SODCheckCompleted.

    If you search for and open the requester's profile, the entitlements granted to the user are shown in the Provisioned state. This is shown in the following screenshot:

    [Screenshot: req_prov14_res_prof.gif]
3.7.4.2.2 Approver's Role in Request-Based Provisioning on Oracle Identity Manager Release 11.1.1

The following steps are performed by the approver in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Self-Service in the upper-right corner of the page.

  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.

  4. On the Approvals tab, in the first region, you can specify a search criterion for the request task that is assigned to you.

  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task has been approved is displayed and the request status is changed to Obtaining Operation Approval.

  6. Select the row containing the request that you have just approved, and then click Approve Task.

    A message confirming that the task has been approved is displayed and the request status is changed to Request Completed.

  7. Click the Administration tab and search for the user(s) for whom the request is completed.

  8. Select the user.

    The user detail information is displayed in the right pane.

  9. Click the Resources tab to view the resource being provisioned.

  10. Select the resource being provisioned, and then click Open to view the resource details.

  11. On the Resources tab of the User Details page, from the Action menu, select Resource History to view the resource provisioning tasks.

3.8 Switching Between SAP R/3 and SAP CUA Target Systems

To switch target systems for reconciliation:

  1. If you are switching to SAP CUA, then set the value of the Is CUA Enabled entry to yes in the Lookup.SAP.UM.Configuration lookup definition. If you are switching to SAP R/3, then set the value to no.

    See Section 2.3.5, "Setting Up the Configuration Lookup Definition in Oracle Identity Manager" for more information.

  2. In the SAP User Management User Recon and SAP User Management Delete Recon scheduled tasks, set values for the following attributes:

    • IT Resource: Enter the name of the required IT resource.

    • Last Execution Timestamp: Enter 0 as the value of this attribute to run full reconciliation against the target system that you are switching to. Alternatively, if you saved the time stamp value from the previous reconciliation run on the same target system, then you can enter that value in the Last Execution Timestamp attribute. Do not reuse a time stamp saved from a different target system: only records created or modified after the time stamp are reconciled, so older records on the new target system would be skipped. See Section 3.4.3, "Reconciliation Scheduled Tasks" for information about the scheduled task.
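As an added example (not part of this guide or the connector), the following Python models what the Last Execution Timestamp attribute does to a reconciliation run: 0 selects every record, any other value selects only records modified after it, and the stored value advances to the run's start time rather than its end. It also shows what is lost when a time stamp saved from a different target system is reused. The user records, times and system names are constructed, and the choice to represent the stamp as epoch milliseconds is an assumption of the model, not a statement about how the scheduled task stores it.

```python
"""Reconciliation window model for the Last Execution Timestamp attribute (added example)."""
from datetime import datetime, timezone

# Constructed target-system records: (user ID, last-modified time in UTC) on two SAP systems.
SYSTEM_A_RECORDS = [
    ("JDOE", "2012-03-01T10:00:00Z"),
    ("ASMITH", "2012-03-05T09:30:00Z"),
    ("BLEE", "2012-03-07T16:45:00Z"),
]
SYSTEM_B_RECORDS = [
    ("CUA_ADMIN", "2012-02-20T08:00:00Z"),
    ("KPATEL", "2012-03-06T11:15:00Z"),
]


def to_epoch_ms(iso_utc):
    """Model assumption: the time stamp is an integer of epoch milliseconds."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def select_for_reconciliation(records, last_execution_timestamp):
    """0 means full reconciliation: every record is returned. Any other value means
    incremental reconciliation: only records created or modified after that time stamp."""
    if last_execution_timestamp == 0:
        return [user for user, _ in records]
    return [user for user, modified in records
            if to_epoch_ms(modified) > last_execution_timestamp]


def run_reconciliation(records, last_execution_timestamp, run_started_at_iso):
    """Return (users reconciled, new Last Execution Timestamp).

    The attribute is advanced to the time the run STARTED, not when it finished, so a record
    modified while the run was in progress still sorts after the stamp and is picked up next time.
    """
    users = select_for_reconciliation(records, last_execution_timestamp)
    return users, to_epoch_ms(run_started_at_iso)


def skipped_by_reusing_foreign_timestamp(records, foreign_timestamp):
    """Records silently never reconciled if a time stamp saved from a DIFFERENT target system
    is entered instead of 0: everything on this system last modified at or before that stamp."""
    return [user for user, modified in records if to_epoch_ms(modified) <= foreign_timestamp]


if __name__ == "__main__":
    users, stamp = run_reconciliation(SYSTEM_A_RECORDS, 0, "2012-03-08T02:00:00Z")
    print("full run on A:", users, "-> new stamp", stamp)
    users, stamp = run_reconciliation(SYSTEM_A_RECORDS, stamp, "2012-03-09T02:00:00Z")
    print("incremental run on A:", users)
    print("lost on B if A's stamp is reused:",
          skipped_by_reusing_foreign_timestamp(SYSTEM_B_RECORDS, stamp))
```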

To switch target systems for provisioning:

  1. If you are switching to SAP CUA, then set the value of the Is CUA Enabled entry to yes in the Lookup.SAP.UM.Configuration lookup definition. If you are switching to SAP R/3, then set the value to no.

  2. If you have configured the target system for SoD, then set the Is CUA Enabled entry in the Lookup.SAP.UM.SoDConfiguration lookup definition to yes or no depending on the target system that you want to use.

  3. In the SAP User Management Lookup Recon scheduled task, set values for the following attributes:

    • IT Resource: Enter the name of the required IT resource.

    • Lookup Name: Enter Lookup.SAP.CUA.LookupMappings if the target system is SAP CUA. Otherwise, enter Lookup.SAP.UM.LookupMappings.

  4. Run the SAP User Management Lookup Recon scheduled task.

  5. Start the provisioning operation on the Administrative and User Console by selecting the required IT resource.

3.9 Switching Between an SAP R/3 or SAP CUA Target System and an SAP CUP Target System on Oracle Identity Manager Release 11.1.x

On Oracle Identity Manager release 11.1.x, if you want to switch from an SAP R/3 or SAP CUA target system to an SAP CUP target system, or vice versa, then perform the following steps:

  1. Ensure that you have set up the environment for running the MDS Delete utility. In the weblogic.properties file, ensure that values are set for the wls_servername, application_name, and metadata_files properties. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about setting up the environment for MDS utilities.

  2. Delete the existing request datasets using the following command:

    • On Microsoft Windows

      weblogicDeleteMetadata.bat
      
    • On UNIX

      weblogicDeleteMetadata.sh
      
  3. Run the PurgeCache utility to clear the cache for the content category Metadata. See Section 2.3.8, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.

  4. If you are using Oracle Identity Manager release 11.1.1, then import the request datasets for the target system to which you want to switch. Perform the procedure described in Section 2.3.6.2.2, "Importing Request Datasets into MDS."

  5. Run the PurgeCache utility to clear the cache for the content category Metadata. See Section 2.3.8, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.
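Because weblogicDeleteMetadata removes exactly the MDS documents named in metadata_files, it is worth inspecting weblogic.properties before step 2 is run. The following Python is an added example, not an Oracle utility: it reads a properties file, reports which of the three required properties is missing or empty, and lists the documents the delete utility would remove. The sample file content, including the server name, application name and dataset path, is constructed for the example.

```python
"""Pre-flight check of weblogic.properties before running the MDS Delete utility (added example)."""

REQUIRED_PROPERTIES = ("wls_servername", "application_name", "metadata_files")

# Constructed sample: the metadata_files line has been commented out, so the utility
# would have nothing to delete and the switch would silently leave the old datasets in MDS.
SAMPLE_PROPERTIES = """\
# weblogic.properties (constructed sample; values are not from a real installation)
wls_servername=oim_server1
application_name=OIMMetadata
#metadata_files=/file/SAPRequestDataset.xml
"""


def parse_properties(text):
    """Small Java .properties reader: '#' or '!' comment lines, '=' or ':' as the key/value
    separator (whichever comes first), trailing-backslash line continuations. Later
    occurrences of a key override earlier ones, as in java.util.Properties."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        separators = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if separators:
            i = min(separators)
            key, value = line[:i], line[i + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def missing_mds_properties(text):
    """Names of required properties that are absent or empty in the file."""
    props = parse_properties(text)
    return [key for key in REQUIRED_PROPERTIES if not props.get(key)]


def metadata_files_to_delete(text):
    """The MDS documents that weblogicDeleteMetadata would remove: review this list before
    running the utility, because it deletes exactly what metadata_files names."""
    value = parse_properties(text).get("metadata_files", "")
    return [path.strip() for path in value.split(",") if path.strip()]


if __name__ == "__main__":
    missing = missing_mds_properties(SAMPLE_PROPERTIES)
    if missing:
        print("weblogic.properties is not ready; missing or empty:", ", ".join(missing))
    else:
        print("documents to be deleted:", metadata_files_to_delete(SAMPLE_PROPERTIES))
```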

3.10 Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1

Note:

It is assumed that you have performed the procedure described in Section 2.3.6, "Enabling Request-Based Provisioning."

On Oracle Identity Manager release 11.1.1, if you want to switch from request-based provisioning to direct provisioning, then:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the SAP UM Process Form process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the SAP UM Resource Object resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

On Oracle Identity Manager release 11.1.1, if you want to switch from direct provisioning back to request-based provisioning, then:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the SAP UM Process Form process definition.

    3. Select the Auto Save Form check box.

    4. Click the Save icon.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the SAP UM Resource Object resource object.

    3. Select the Self Request Allowed check box.

    4. Click the Save icon.

3.11 Enabling and Disabling the SoD Feature

See the "Segregation of Duties (SoD) in Oracle Identity Manager" chapter in Oracle Identity Manager Tools Reference for Release 9.1.0.2 for information about enabling and disabling the SoD feature in Oracle Identity Manager.

3.12 Enabling and Disabling the Compliant User Provisioning Feature

To enable or disable the Compliant User Provisioning feature of the connector:

  • Set the CUP request mode entry in the Lookup.SAP.UM.Configuration lookup definition to one of the following values:

    Enter yes to enable the Compliant User Provisioning feature.

    Enter no to disable this feature.

  • If you are enabling Compliant User Provisioning, set yes as the value of the Password Disabled entry in the Lookup.SAP.UM.Configuration lookup definition.

See Section 2.3.5.3, "Setting Values in the Lookup.SAP.UM.Configuration Lookup Definition" for information about setting values in this lookup definition.
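Sections 3.8 and 3.12 spread related settings across two lookup definitions and a scheduled task attribute, and a mismatch (Is CUA Enabled set to yes in Lookup.SAP.UM.Configuration but no in Lookup.SAP.UM.SoDConfiguration, the Lookup Recon task pointed at the wrong LookupMappings lookup, or CUP request mode set to yes without Password Disabled) is easy to introduce while switching target systems. The following Python is an added example, not connector code: it checks those dependencies over lookup values represented as plain dictionaries. The dictionaries are constructed; the entry names and the yes/no values are the ones this guide uses, compared exactly as the guide spells them.

```python
"""Consistency check over the SAP UM connector's lookup settings (added example; not connector code)."""

UM_CONFIG = "Lookup.SAP.UM.Configuration"
SOD_CONFIG = "Lookup.SAP.UM.SoDConfiguration"
YES_NO = ("yes", "no")


def expected_lookup_mappings(is_cua_enabled):
    """Lookup Name that the SAP User Management Lookup Recon scheduled task must use (Section 3.8)."""
    return "Lookup.SAP.CUA.LookupMappings" if is_cua_enabled == "yes" else "Lookup.SAP.UM.LookupMappings"


def validate_connector_lookups(um_config, sod_config=None, lookup_recon_name=None):
    """Return a list of findings; an empty list means the settings are consistent.

    um_config        -> entries of Lookup.SAP.UM.Configuration as a dict
    sod_config       -> entries of Lookup.SAP.UM.SoDConfiguration, or None if SoD is not configured
    lookup_recon_name-> the Lookup Name attribute of the Lookup Recon task, or None to skip that check
    Values are compared exactly as the guide spells them ('yes'/'no'); whether OIM tolerates other
    casings is not assumed here.
    """
    findings = []

    cua = um_config.get("Is CUA Enabled")
    if cua not in YES_NO:
        findings.append(f"{UM_CONFIG}: Is CUA Enabled must be yes or no, found {cua!r}")

    # Section 3.8: with SoD configured, both lookups must agree on the target system type.
    if sod_config is not None:
        sod_cua = sod_config.get("Is CUA Enabled")
        if sod_cua != cua:
            findings.append(f"Is CUA Enabled differs: {UM_CONFIG}={cua!r}, {SOD_CONFIG}={sod_cua!r}")

    # Section 3.8: the Lookup Recon task must synchronize the lookups for that target system type.
    if lookup_recon_name is not None and lookup_recon_name != expected_lookup_mappings(cua):
        findings.append(f"Lookup Recon task uses {lookup_recon_name!r}; expected "
                        f"{expected_lookup_mappings(cua)!r} for Is CUA Enabled={cua!r}")

    # Section 3.12: enabling Compliant User Provisioning requires Password Disabled = yes.
    cup = um_config.get("CUP request mode")
    if cup is not None and cup not in YES_NO:
        findings.append(f"{UM_CONFIG}: CUP request mode must be yes or no, found {cup!r}")
    if cup == "yes" and um_config.get("Password Disabled") != "yes":
        findings.append(f"{UM_CONFIG}: CUP request mode is yes but Password Disabled is "
                        f"{um_config.get('Password Disabled')!r}; it must be yes")

    return findings


if __name__ == "__main__":
    # Constructed values: a CUA system whose SoD lookup still says R/3 and whose CUP mode was
    # enabled without disabling the password.
    um = {"Is CUA Enabled": "yes", "CUP request mode": "yes", "Password Disabled": "no"}
    sod = {"Is CUA Enabled": "no"}
    for finding in validate_connector_lookups(um, sod, "Lookup.SAP.UM.LookupMappings"):
        print("-", finding)
```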