Sun Identity Manager 8.1 Resources Reference

Usage Notes

This section describes resource parameters that are applicable for the Oracle ERP adapter, including

Oracle Applications User Management Security

User security is controlled at three levels within Oracle Applications:

The Oracle ERP adapter supports functional security only. Therefore, the adapter cannot list create, update, or delete Oracle data objects, object instances, or instance sets. Nor does the adapter create or manage role objects, role hierarchies or role categories.

Oracle Client Encryption Types

This parameter can contain a list of valid Oracle support encryption algorithm names, such as RC4_56 or RC4_128. If this list is empty, all algorithms supported by Oracle for that Oracle release will be available. The client/server will negotiate on which of these algorithms to use based on Oracle Client Encryption Level setting.

Note –

The Oracle Server must also be configured to support this type of encryption.

For a more information about the supported algorithms, refer to the Oracle Advanced Security Administrator’s Guide. See the SQLNET.ENCRYPTION_TYPES_CLIENT section for a list of valid values for the thin JDBC client.

Oracle Client Encryption Level

This value determines the level of security that the server/client negotiates and enforces. The default value, if left blank, is ACCEPTED. The valid values are REJECTED, ACCEPTED, REQUESTED and REQUIRED. For more details about the use of this parameter, refer to the Oracle Advanced Security Administrator’s Guide and the SQLNET.ENCRYPTION_CLIENT values.

You must also configure the Oracle Server to support this type of encryption.

Oracle E-Business Suite (EBS) Admin User Responsibility

This value determines the EBS Responsibility used by the Identity Manager Oracle EBS Admin user to call the EBS application initialization routine. A list of valid responsibilities can be found in the fnd_responsibility_vl table. Also refer to the Oracle EBS documentation for more information.

If the Identity Manager Oracle EBS Admin user has a valid EBS system account and has a responsibility that matches the value of this parameter, the Oracle session created during connection enables the users’ actions to be audited using the Oracle EBS auditing mechanism. For example, the created_by and the last_updated_by fields of the fnd_user table objects will be updated correctly with the user ID of the Identity Manager Oracle EBS Admin user.

Adding Securing Attributes

The securingAttrs account attribute supports the Securing Attributes feature in Oracle E-business Suite. To configure Securing Attributes from the Identity Manager Create User page, perform the following steps:

ProcedureConfiguring Securing Attributes from the Create User Page

  1. Select the Add Securing Attribute checkbox.

  2. Enter a search pattern to narrow the choices of available attributes in the Enter Securing Attribute Search Pattern text box. Use the % character as a wild card. Then click the Load Securing Attributes button. This will load the attributes into the Oracle Securing Attributes select box.

  3. Select an attribute from the drop-down menu, and it will be added to the Securing Attributes table.

    You can remove securing attributes by selecting the attribute to be removed from the table and clicking the Remove Selected Securing Attribute button.

Enabling Users

Enabling an Oracle EBS user requires the value of the owner attribute to be specified. The value CUST is used by default unless the value is specifically added to the Enable form and sent through the Enable view. The following code example changes the default owner to MYOWNER:

<Field name=’resourceAccounts.currentResourceAccounts[MyOracleERP].
attributes.owner’ type=’string’>
   <Display class=’Text’>
      <Property name=’title’ value=’Owner’/>

Returning User Responsibilities

The listResourceObjects call can be used to return a user’s responsibilities and other Oracle EBS objects. The following table provides information about the supported object types.


Options Supported  



id, activeRespsOnly

Returns a list of auditor responsibilities for the user. 

id is a string indicating a resource identity whose responsibilities are returned. 

If activeRespsOnly is set to true, then only active responsibilities are returned. The default is false. 


id, activeRespsOnly

Returns the user’s responsibilities. Valid for 11.5.9 only. 


id, activeRespsOnly

Returns the user’s direct responsibilities. Valid for 11.5.10 only. 


id, activeRespsOnly

Returns the user’s indirect responsibilities. Valid for 11.5.10 only. 



Returns a list of responsibility names assigned to the user. 



If no responsibility names are specified, then all applications assigned to the user are returned. 



If no applications are specified, then all security groups assigned to the user are returned. 



Returns a list of accounts for the user. If set to true, then only active accounts are returned. The default is false. 



Returns a list of securing attributes that match the specified search pattern. If a pattern is not specified, all securing attributes are returned. 

The following code sample adds a field to the user form that returns active responsibilities. You must replace USER_NAME and RESOURCE_NAME with valid values. auditorResps may be replaced with responsibilities, directResponsibilities, or indirectResponsibilites

<Field name=’respNames’ type=’string’>
   <Display class=’Text’>
      <Property name=’title’ value=’Oracle ERP Responsibilities’/>
      <invoke name=’listResourceObjects’ class=’com.waveset.ui.FormUtil’>

Auditing Responsibilities

To audit the sub-items (such as forms and functions) of responsibilities assigned to users, add the auditorObject to the schema map. auditorObject is a complex attribute that contains a set of responsibility objects. The following attributes are always returned in a responsibility object:

Note –

readOnly and ReadWrite attributes are identified by querying the PARAMETERS column in the fnd_form_functions table for one of the following:

If the Return Set of Books and/or Organization resource parameter is set to TRUE, the following attributes are also returned:

With the exception of the responsibility, setOfBooksName, setOfBooksId, organizationalUnitId, and organizationalUnitName attributes, the attribute names match account attribute names that may be added to the schema map. The account attributes contain an aggregate set of values that are assigned to the user. The attributes that are contained in the responsibility objects are specific to the responsibility.

The auditorResps[] view provides access to the responsibility attributes. The following form snippet returns all the active responsibilities (and their attributes) assigned to a user .

<defvar name=’audObj’>
   <invoke name=’get’>
      <ref>accounts[Oracle ERP 11i VIS].auditorObject</ref>
<!-- this returns list of responsibility objects -->
<defvar name=’respList’>
   <invoke name=’get’>

For example: