4 Performing Connector Operations

This chapter discusses guidelines on performing connector operations. This chapter contains the following sections:

4.1 Guidelines on Running Reconciliation

The following are guidelines on running reconciliation:

  • After you deploy a connector, perform full reconciliation to ensure that all the data on the target system is imported into Oracle Identity Manager. Thereafter, you can run incremental reconciliation, which can be periodic, on-demand or real-time.

  • Before you perform user reconciliation, ensure that the lookup definitions are synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before user reconciliation runs and before provisioning operations.

  • Leave the value of the StartRecord scheduled task attribute as 1. All the connectors contain this scheduled task attribute for reconciliation. This attribute specifies the first record in a batch during reconciliation.

    The time stamp attribute is updated after an event is created for each user record. If the reconciliation fails, then the reconciliation is resumed from the updated time stamp. Therefore, it is recommended that you leave the value of the StartRecord attribute as 1.

    After you configure reconciliation, if reconciliation fails during a reconciliation run, then rerun the scheduled task without changing the values of the task attributes.

  • The scheduled task for reconciliation of user data must be run before the scheduled task for reconciliation of deleted user data.

4.2 Managing Scheduled Tasks

To make changes to the reconciliations that are performed, you must modify the scheduled tasks accordingly. You can make the following changes to a scheduled task:

  • You can change the schedule of the reconciliation runs. For example, you can change a daily schedule to a weekly or a monthly one.

  • You can change the criteria for limited reconciliation in a scheduled task. For example, you have scheduled a reconciliation only for users who belong to a particular group. You can change the criteria to include managers of the users who belong to that group.

  • At any time, you can disable a scheduled task for a certain period of time. You can enable the same scheduled task again when required.

  • You can delete a scheduled task.

  • You can configure a scheduled task to run full or incremental reconciliation. To do so, use the scheduled task attribute that specifies whether the reconciliation run must be full or incremental.

  • You can configure a scheduled task for reconciliation. To do so, you must specify the batch size, the record that is the first in a batch, and the number of batches to be reconciled in the scheduled task.

  • You can also stop a reconciliation run by using the Stop Execution option, which is available in the Task Scheduler form of the Oracle Identity Manager Design Console.

For all the actions mentioned in the preceding list, you must modify the reconciliation scheduled task. For the procedure to modify a scheduled task, see the "Managing Scheduled Tasks" section in Oracle Identity Manager Administrative and User Console Guide.

4.3 Guidelines on Performing Provisioning Operations

The following are guidelines that you must apply while performing provisioning operations:

  • Passwords for user accounts provisioned from Oracle Identity Manager must adhere to the password policy set in the target system.

    On some target systems, password policies may be controlled through password complexity rules. Complexity requirements are enforced when passwords are changed or created. While changing the password of an account by performing a provisioning operation on Oracle Identity Manager, you must ensure that the new password adheres to the password policies on the target system.

  • Specifying multibyte values for fields

    Some Asian languages use multibyte character sets. If the character limit for fields in the target system is specified in bytes, then the number of Asian-language characters that you can enter in a particular field may be less than the number of English-language characters that you can enter in the same field. The following example illustrates this point:

    Suppose you can enter 50 characters of English in the User Last Name field of the target system. If you were using the Japanese language and if the character limit for the target system fields were specified in bytes, then you would not be able to enter more than 25 characters in the same field.

    If you come across a situation similar to the preceding example, then you may create a newer version of the form in which the lengths of the fields are appropriate for the selected language settings.

  • The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Manager fields

    During a provisioning operation, you must keep the lengths of target system fields in mind while entering values for Oracle Identity Manager process form fields. The character limit specified for some process form fields may be more than that of the corresponding target system field.
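
The two field-length guidelines above can be checked before a value is entered in a process form. The following is an added example, not part of the Oracle documentation: it measures a value in bytes under the target system's encoding and reports how many whole characters fit. The 50-byte limit, the Shift_JIS and UTF-8 encodings, and all function names are assumptions for illustration.

```python
# Added example: byte-length check for a value bound for a byte-limited field.
# FIELD_LIMITS, the encodings and the function names are assumptions.

FIELD_LIMITS = {"User Last Name": 50}  # limit in BYTES (assumed, after the example above)


def byte_length(value: str, encoding: str) -> int:
    """Number of bytes the value occupies in the target system's encoding."""
    return len(value.encode(encoding))


def longest_fitting_prefix(value: str, limit: int, encoding: str) -> str:
    """Longest prefix that fits in `limit` bytes without splitting a character."""
    used = 0
    for i, ch in enumerate(value):
        used += len(ch.encode(encoding))
        if used > limit:
            return value[:i]
    return value


def check_field(field: str, value: str, encoding: str) -> dict:
    """Report whether the value fits and how many characters would fit."""
    limit = FIELD_LIMITS[field]
    size = byte_length(value, encoding)
    fits = size <= limit
    kept = value if fits else longest_fitting_prefix(value, limit, encoding)
    return {
        "field": field,
        "chars": len(value),
        "bytes": size,
        "limit": limit,
        "fits": fits,
        "chars_that_fit": len(kept),
    }


if __name__ == "__main__":
    english = "A" * 50   # constructed sample: 50 single-byte characters
    japanese = "山" * 30  # constructed sample: 30 multibyte characters
    for value, enc in [(english, "shift_jis"), (japanese, "shift_jis"), (japanese, "utf-8")]:
        print(check_field("User Last Name", value, enc))
```

With a 2-byte encoding such as Shift_JIS, 25 of the Japanese characters fit in the 50-byte field, which matches the example above. With UTF-8, where the same characters take 3 bytes each, only 16 fit.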

4.4 Provisioning Resources

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a Microsoft Active Directory account for the user. The following are types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning

  • Provisioning triggered by policy changes

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. From the Users menu:

    • Select Create if you want to first create the OIM User and then provision a target system account to the user.

    • Select Manage if you want to provision a target system account to an existing OIM User.

  3. If you select Create, on the Create User page, enter values for the OIM User fields and then click Create User.

  4. If you select Manage, then search for the OIM User and select the link for the user from the list of users displayed in the search results.

  5. On the User Detail page, select Resource Profile from the list at the top of the page.

  6. On the Resource Profile page, click Provision New Resource.

  7. On the Step 1: Select a Resource page, select the resource object from the list and then click Continue.

  8. On the Step 2: Verify Resource Selection page, click Continue.

  9. On the Step 5: Provide Process Data page, enter the details of the account that you want to create on the target system and then click Continue.

  10. On the Step 6: Verify Process Data page, verify the data that you entered and then click Continue.

    The account is created on the target system and provisioned as a resource to the OIM User. The page that is displayed provides options to disable or revoke the resource from the OIM User.