2 Components Used for Connector Operations

A connector is an abstraction for a collection of components that are used to perform reconciliation and provisioning operations on a target system. Each component plays a specific role during reconciliation, provisioning, or both. When you build a custom connector, you create these components by using the Oracle Identity Manager Design Console. In a predefined connector, the definitions of these components are included in the connector XML files. When you import the connector XML files during connector deployment, these components are automatically created in Oracle Identity Manager. Along with connector components, this chapter also discusses certain Oracle Identity Manager components that are essential during connector deployment.

The Oracle Identity Manager and connector components are described in the following sections:

2.1 Oracle Identity Manager Components

The following components of Oracle Identity Manager are used during connector operations:

2.1.1 Reconciliation APIs

The published set of Oracle Identity Manager APIs includes a set related to reconciliation. Oracle Identity Manager uses these APIs to create reconciliation events. These APIs provide for the mechanisms by which the appropriate data is provided for the events.

See Also:

Chapter 2, "What's New" of Oracle Identity Manager API Usage Guide for information about the APIs related to reconciliation

2.1.2 Reconciliation Engine

The reconciliation engine comprises the components, data processors, and rule evaluators that work together to convert input data into a list of action items. It also includes the components that determine whether or not the actions can be automated based on the rule context. When an action is performed, either automatically or manually, the reconciliation engine performs the appropriate updates and provisioning actions.

2.1.3 Reconciliation Manager

The Reconciliation Manager is a form in the Oracle Identity Manager Design Console. You can use this form to examine a reconciliation event and perform the actions based on the status of the event. The Reconciliation Manager displays the data received, results of rule evaluation, actions that you can perform, and results of the actions.

The main section of the form displays the event information, including the resource object with which it is associated, the date the event occurred, its current status, and the entity to which it is linked. The following are action buttons in the form for the actions that you can perform:

  • Close Event: Closes an event without any resolution.

  • Re-apply Matching Rules: Takes the processed data and reapplies all reconciliation rules by deleting the results from previous applications of the rule. This action must be performed when the rule is modified.

  • Create User: Enables the creation of an OIM User based on the data provided.

  • Create Organization: Enables the creation of an OIM Organization based on the data provided.

To view the Reconciliation Manager, you must click Reconciliation Manager under User Management on the left pane of the Oracle Identity Manager Design Console. The status of the events is displayed on the right pane. Figure 2-1 shows the Reconciliation Manager form of Microsoft Active Directory.

Figure 2-1 Reconciliation Manager


2.1.4 Remote Manager

A Remote Manager is an application that enables Oracle Identity Manager to interact with local commands on the target system. You may use a Remote Manager in one of the following situations:

  • The target system is not network aware. In other words, the target system does not provide features that can be used to communicate with it over a network.

  • Fields of the target system are not in a format that is compatible with the format of fields in Oracle Identity Manager.

  • The network APIs do not provide all the required functionality.

A Remote Manager is deployed on the target system host computer.

2.2 Connector Components

The following components are created when you deploy a connector:

2.2.1 Reconciliation Field Definitions

When you define a target system as a resource object in Oracle Identity Manager, reconciliation fields represent the actual fields of the target system.

To view the reconciliation fields, you click Resource Objects under Resource Management on the left pane of the Oracle Identity Manager Design Console, and then click the Object Reconciliation tab. Figure 2-2 shows the screenshot of the reconciliation fields of Microsoft Active Directory.

Figure 2-2 Reconciliation Fields


2.2.2 Reconciliation Field Mappings

After you define the reconciliation fields, you must map them to the fields that are defined on a process form. Reconciliation field mappings define how the data received from the target system is used to update the fields on a process form. Each reconciliation field of a target system is mapped to a process form field in Oracle Identity Manager.

See Also:

- The "Process Definition Form" section in Oracle Identity Manager Design Console Guide

- The "Reconciliation Field Mappings Tab" section in Oracle Identity Manager Design Console Guide for information about status reconciliation

To view the reconciliation field mappings, you click Process Definition under Process Manager on the left pane of the Oracle Identity Manager Design Console, and then click the Reconciliation Field Mappings tab. Figure 2-3 shows the screenshot of the reconciliation field mappings for Microsoft Active Directory.

Figure 2-3 Reconciliation Field Mappings


2.2.3 Reconciliation Rules

During reconciliation, when a target system record is brought to Oracle Identity Manager, the reconciliation engine tries to match the record with an existing record in Oracle Identity Manager. The rules that the reconciliation engine applies to look for a match are called reconciliation rules.

The reconciliation rules are used by the reconciliation engine to determine the identity to which Oracle Identity Manager must assign a newly discovered account on the target system. The reconciliation engine can locate the user of the newly discovered account based on well-known patterns established for the target system. Consider the following example:

Suppose that all login IDs on the target system are created from the user's initial and last name. You could then set up a rule that accepts the login ID received from the target system and searches for any user whose first name starts with the first character of the login ID, and the last name is the same as the remainder of the login ID.

See Also:

"The Reconciliation Manager Form" in Oracle Identity Manager Design Console Guide for more information about reconciliation rules

The manner and sequence in which the rules and action rules are applied is described in "Target Resource Reconciliation" and "Trusted Source Reconciliation".

To view a reconciliation rule, you click Reconciliation Rules under Development Tools on the left pane of the Oracle Identity Manager Design Console. The rule is displayed on the Rule Elements tab. Figure 2-4 shows the screenshot of the target resource reconciliation rule for the Microsoft Active Directory connector.

Figure 2-4 Target Resource Reconciliation Rule


2.2.4 Key Field for Reconciliation Matching

The key field for reconciliation matching is used for process matching, just like the reconciliation rule is used for entity matching. The reconciliation field mappings include the key field for reconciliation matching. The key field is marked in a special way, and it can be highlighted in the list of reconciliation field mappings. During a target resource reconciliation run, process matching is performed first. If no match is found, then entity matching is performed.

2.2.5 Reconciliation Action Rules

Reconciliation action rules define the actions that must be performed based on the reconciliation rules. These action rules are created during connector deployment. Using the reconciliation action rules, the following actions can be defined that the reconciliation engine must automatically perform based on the reconciliation rule evaluations:

  • Assign an event to an administrator.

  • Create a new provisioned resource in Oracle Identity Manager and associate it with the corresponding owner identity.

  • Update the matched provisioned resource in Oracle Identity Manager.

  • Delete the matched provisioned resource in Oracle Identity Manager.

  • Create a new user in Oracle Identity Manager.

  • Update an existing user in Oracle Identity Manager.

  • Delete an existing user in Oracle Identity Manager.

See Also:

"The Resource Objects Form" in Oracle Identity Manager Design Console Guide for more information about reconciliation action rules
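The matching flow described in the preceding sections (process matching on the key field first, then entity matching by the initial-plus-last-name reconciliation rule from "Reconciliation Rules", then the resulting action) can be pictured as a small simulation. This is an added example, not Oracle Identity Manager code: in the product these rules are configured in the Design Console, and the user and resource records, the case-insensitive comparison, and the action names below are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class User:
    """Constructed stand-in for an OIM User."""
    user_id: str
    first_name: str
    last_name: str

@dataclass
class ProvisionedResource:
    """Constructed stand-in for a provisioned resource instance; key_value is
    the key field for reconciliation matching (here the target login ID)."""
    key_value: str
    owner_id: str

def entity_rule_matches(login_id: str, user: User) -> bool:
    """Reconciliation rule from the text: the user's first name starts with the
    first character of the login ID and the last name equals the remainder.
    Case-insensitive comparison is an assumption, not stated by the page."""
    if len(login_id) < 2:
        return False  # a one-character login ID carries no last name
    initial, remainder = login_id[0].lower(), login_id[1:].lower()
    return (user.first_name[:1].lower() == initial
            and user.last_name.lower() == remainder)

def reconcile(login_id: str, users: List[User],
              resources: List[ProvisionedResource]) -> Tuple[str, Optional[str]]:
    """Target resource reconciliation for one discovered account.
    Returns (action, owner_id) using hypothetical action names."""
    # 1. Process matching: compare the key field with existing resource instances.
    for res in resources:
        if res.key_value.lower() == login_id.lower():
            return ("update_resource", res.owner_id)
    # 2. Entity matching: apply the reconciliation rule to every OIM User.
    matches = [u for u in users if entity_rule_matches(login_id, u)]
    if len(matches) == 1:
        # Exactly one owner found: create the resource for that identity.
        return ("create_resource", matches[0].user_id)
    # No match or an ambiguous match: leave the event to an administrator.
    return ("assign_to_admin", None)

# Constructed sample data.
USERS = [
    User("u1", "James", "Smith"),
    User("u2", "Jane", "Smith"),
    User("u3", "Alice", "Doe"),
]
RESOURCES = [ProvisionedResource("jsmith", "u1")]

if __name__ == "__main__":
    for login in ("jsmith", "ADoe", "xnobody"):
        print(login, "->", reconcile(login, USERS, RESOURCES))
```

Note that "jsmith" is ambiguous under the rule alone (two Smiths whose first names start with J) and is resolved only because process matching on the key field runs first.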

To view the reconciliation action rules, you click Resource Objects under Resource Management on the left pane of the Oracle Identity Manager Design Console, and then click the Reconciliation Action Rules tab. Figure 2-5 shows the screenshot of the target resource reconciliation action rules for the Microsoft Active Directory connector.

Figure 2-5 Reconciliation Action Rules


2.2.6 Reconciliation Provisioning Tasks

In target resource reconciliation, if an event is linked to an existing instance of a provisioned resource, then the process form for that resource instance is updated.

Note:

In trusted source reconciliation, the user record is updated instead.

If the account did not exist in Oracle Identity Manager before the reconciliation run, then the default provisioning process is started, adapters are suppressed, and all nonconditional tasks are completed automatically.

In both cases, a marker task is added to the provisioning process for the provisioned resource (or user). The marker task can be either Reconciliation Insert Received or Reconciliation Update Received. These tasks might have adapters attached to them to begin provisioning. If no adapters are attached to the task, then a response code of "Event Processed" is assigned to that task. Additional provisioning process tasks could be generated based on this response code to start a provisioning flow due to the reconciliation event. This mechanism can be leveraged to start multitarget synchronization processes.

2.2.7 IT Resource

An IT resource is composed of parameters that store connection and other generic information about a target system. Oracle Identity Manager uses this information to connect to a specific installation or instance of the target system. The information stored by these IT resource parameters includes the following:

  • Host name or IP address of the computer that hosts the target system

  • User name and password of the target system account that Oracle Identity Manager uses to connect to the target system

  • Whether or not SSL communication is enabled between the target system and Oracle Identity Manager

There must be one IT resource for each installation or instance of the target system. For example, a Microsoft Active Directory installation in the Tokyo office of an organization will have its own IT resource, which will be different from the IT resource used for the Microsoft Active Directory installation in the London office of the organization.

While deploying a connector, you provide the connection information as the values of parameters of the IT resource.

To view the parameters of an IT resource, you click IT Resources under Resource Management on the left pane of the Oracle Identity Manager Design Console, and then enter the name of an IT resource or search for an IT resource. The parameters are displayed on the Parameters tab. Figure 2-6 shows the screenshot of the parameters of one Microsoft Active Directory IT resource.

Figure 2-6 IT Resource Parameters


2.2.8 IT Resource Type

The number and type of parameters that constitute target system connection information may vary from one target system to another. An IT resource type stores the definitions of the connection parameters for a particular target system. An IT resource is an instance of an IT resource type. In other words, IT resources for multiple installations or instances of a particular target system belong to the same IT resource type. For example, the IT resources for the London and Tokyo offices of an organization are created from the same IT resource type.

The IT resource type is linked with the process form. To view the parameters of an IT resource type, you click IT Resources Type Definition under Resource Management on the left pane of the Oracle Identity Manager Design Console. The parameters are displayed under the IT Resource Type Parameters tab. Figure 2-7 shows the screenshot of the IT resource type of Microsoft Active Directory.

Figure 2-7 IT Resource Type


2.2.9 Lookup Definitions

A lookup definition is a repository for a list of values that you can select from while performing a provisioning operation. When a connector is deployed, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. During a provisioning operation, these values are fetched from the definitions and displayed in lookup fields. Country, Currency Code, and Language Code are examples of lookup fields.

To view the lookup definitions, you click Process Definition under Process Management on the left pane of the Oracle Identity Manager Design Console. The lookup definitions are displayed on the Lookup Code Information tab. Figure 2-8 shows the screenshot of the lookup definitions for Microsoft Active Directory.

Figure 2-8 Lookup Definitions


2.2.10 Scheduled Tasks

A scheduled task is used to start a specific action at a specified time. For example, the Password Warning Task scheduled task of Oracle Identity Manager sends e-mail to users for whom the password warning date has passed at the time when the task is run.

A lookup field synchronization scheduled task is used to synchronize the values of lookup fields that are used during provisioning operations.

A reconciliation scheduled task is used to fetch data from the target system for reconciliation with Oracle Identity Manager.

Most predefined connectors contain scheduled tasks for lookup field synchronization and reconciliation of user data. In addition to user data, some target systems require scheduled tasks for reconciliation of group data.

While configuring a scheduled task, you specify values for the attributes of the task in addition to configuring the time at which the task must run.

The following are some of the values that you specify as scheduled task attributes for lookup field synchronization:

  • Name of the IT resource

  • Type of data that is searched for in the target system

  • Path of the file in which the lookup data to be reconciled is stored

  • Whether you want the existing values of the Oracle Identity Manager lookup definition to be deleted or whether these should be updated with the changes made to the target system lookup fields

The following are some of the values that you specify as scheduled task attributes for reconciliation:

  • Name of the IT resource

  • Name of the resource object

  • Whether or not you want to run reconciliation

  • Whether you want to perform full reconciliation or incremental reconciliation

To view the attributes of a scheduled task, you click Task Scheduler under Administration on the left pane of the Oracle Identity Manager Design Console. The scheduled task attributes are displayed on the Task Attributes tab. Figure 2-9 shows the screenshot of the attributes of the AD User Target Recon scheduled task of Microsoft Active Directory.

Figure 2-9 Scheduled Task Attributes


2.2.11 Resource Object

A resource object is a virtual representation of a target system. It contains details of the target system attributes (reconciliation fields) whose values are fetched during reconciliation. In addition, configuration information that is specific to a target system is stored in the resource object. A connector can have only one resource object.

To view the details of a resource object, you click Resource Objects under Resource Management on the left pane of the Oracle Identity Manager Design Console. The different parameters of the resource object stored in different tabs are displayed on the Resource Object tab. Figure 2-10 shows the screenshot of the Microsoft Active Directory resource object.

Figure 2-10 Resource Object


2.2.12 Process Form

A process form stores the details of the target system identity attributes to which Oracle Identity Manager writes data during a provisioning operation and from which Oracle Identity Manager reads data during reconciliation. The name of the IT resource is stored as an attribute on the process form. If there are multivalued target system fields, then one child form is included for each multivalued field and all the child forms are linked to the parent process form.

To view the different attributes used in a process form, you click Form Designer under Development Tools on the left pane of the Oracle Identity Manager Design Console. The details of the different attributes are displayed on the right pane. Figure 2-11 shows the screenshot of the configuration of the process form for Microsoft Active Directory.

Figure 2-11 Configuration of a Process Form


There is a one-to-one relationship between a process form and a provisioning process.

Each connector is shipped with certain default process forms. You can manually create additional or custom process forms.

Attributes defined on a process form are displayed on the Oracle Identity Manager Administrative and User Console page that is used to provision the target system resource to an entity in Oracle Identity Manager. To access this page, you click Manager under Users on the left pane of the Oracle Identity Manager Administrative and User Console, and then navigate through the pages on the right pane until you reach this page.

Figure 2-12 shows the screenshot of the Oracle Identity Manager Administrative and User Console page for provisioning a Microsoft Active Directory resource to an OIM User.

Figure 2-12 Provisioning a Resource to an OIM User


2.2.13 Provisioning Process, Process Tasks, and Adapters

A provisioning process is a representation of the workflow for provisioning operations. It forms the link between the resource object and process form, and it is composed of process tasks. A process task performs a specific function during a provisioning operation. For example, there can be one process task for each of the following provisioning operations:

  • Create User

  • Modify User Attribute

  • Delete User

If required, there can be a set of process tasks for a single provisioning operation. For example, the Create User provisioning operation can be performed by a combination of the Create Login for User and Assign Privileges to User process tasks.

An adapter calls the code for performing a specific provisioning operation on the target system. The adapter, in turn, is called by a process task. There is a one-to-one relationship between an adapter and a process task. The code called by the adapter is custom-built for compatibility with the features that the target system provides for performing provisioning operations initiated on other systems. For example, the adapters in an SAP connector interact with the application programming interfaces (APIs) of SAP.

To view the mappings between process tasks and adapters, you click Process Definition under Process Management on the left pane of the Oracle Identity Manager Design Console. The details of the process tasks are displayed on the Tasks tab. Figure 2-13 shows the screenshot of the provisioning process for the Microsoft Active Directory connector. Mappings between process tasks and adapters are shown on the Tasks tab.

Figure 2-13 Provisioning Process


The provisioning process also contains mappings between the reconciliation fields defined in the resource object and the attributes defined on the process form. These mappings are shown in Figure 2-3.