|
| |
| Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3 | |
Oracle and Oracle ERPIdentity Manager provides resource adapters for supporting the following Oracle products:
The following table summarizes the attributes of the Oracle adapters:
GUI Name
Class Name
Oracle
com.waveset.adapter.OracleResourceAdapter
Oracle ERP
com.waveset.adapter.OracleERPResourceAdapter
Use this adapter to support user accounts for logging into Oracle or Oracle Financials. If you have a custom Oracle table, see Database Table on page 1-89 for information about using the Resource Adapter Wizard to create a custom Oracle table resource.
Resource Configuration Notes
None
Identity Manager Installation Notes
The Oracle and Oracle ERP resource adapters are custom adapters. You must perform the following steps to complete the installation process:
- To add an Oracle resource to the Identity Manager resources list, you must add the one of the following values in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.OracleResourceAdapter
com.waveset.adapter.OracleERPResourceAdapter
- If you are using the JDBC thin driver:
- If you are using a different driver, specify the driver and connection URL on the Resource Parameters page.
The Oracle ERP adapter supports version 11.5.9 without further modification; however, the following additional changes are required to support version 11.5.10:
- Delete the responsibilities account attribute from the schema map and add the directResponsibilities and indirectResponsibilities attributes.
- Copy the OracleERPUserForm.xml file and comment out the section labeled 11.5.9 and uncomment the 11.5.10 section. Then import your copy of the sample user form.
Note Remember to replace the OracleERP Resource string with site-specific ERP resource names in fields calling listResourceObjects.
Usage Notes
This section describes dependencies and limitations related to using the Oracle and Oracle ERP resource adapters.
Oracle
Information about user types and cascade deletes are provided in the following sections.
User Types
The Oracle database permits the following types of users:
- Local. Local users are fully managed by Oracle and require a password. Oracle manages these passwords as well. Therefore, the user name and password must fully comply with the standards set within the application.
- External. External users must be authenticated by the operating system or a third-party application. Oracle relies on the login authentication to ensure that a specific operating system user has access to a specific database user.
- Global. Global users must be authenticated by a directory service, such as LDAP or Active Directory. The user’s name must be specified as a full distinguished name (DN) or as a null string. If a null string is used, the directory service will map authenticated global users to the appropriate database features.
If you are managing external or global users, you should place the Oracle resource in a resource group that also includes the machine upon which it is installed or the directory service.
Cascade Deletes
The noCascade account attribute indicates whether to perform cascade drops when deleting users. By default, cascade drops are performed. To disable cascade drops:
- Add an entry to updateableAttributes section of System Configuration Object:
<Attribute name='Delete'>
<Object>
<Attribute name='all'>
<List>
<String>noCascade</String>
</List>
</Attribute>
</Object>
</Attribute>
- Add a field to the deprovision form:
<Field name='resourceAccounts.currentResourceAccounts
[MyOracleResource].attributes.noCascade'><Display class='Checkbox'>
<Property name='title' value='Do NOT Cascade MyOracleResource Delete'/>
<Property name='alignment' value='left'/>
</Display>
<Disable>
<isnull>
<ref>resourceAccounts.currentResourceAccounts[MyOracleRes ource]</ref>
</isnull>
</Disable>
</Field>
- Add the noCascade account attribute to Oracle Resource schema.
Note If the user owns objects and the “do not cascade” option has been selected, Oracle will throw an error. The user will not be deleted.
- Add a noCascade field to the user form so that the attribute can be disabled. For example:
<Field name='global.noCascade'>
<Disable>
<s>TRUE</s>
</Disable>
</Field>
Oracle ERP
The following resource parameters are applicable for the Oracle ERP adapter.
Oracle Client Encryption Types
This parameter can contain a list of valid Oracle support encryption algorithm names, such as RC4_56 or RC4_128. If this list is empty, all algorithms supported by Oracle for that Oracle release will be available. The client/server will negotiate on which of these algorithms to use based on Oracle Client Encryption Level setting.
Note The Oracle Server must also be configured to support this type of encryption.
For a more details on the supported algorithms, refer to the Oracle Advanced Security Administrator's Guide. See SQLNET.ENCRYPTION_TYPES_CLIENT for a list of valid values for the thin JDBC client.
Oracle Client Encryption Level
This value determines the level of security that the server/client negotiates and enforces. The default value, if left blank, is ACCEPTED. The valid values are REJECTED, ACCEPTED, REQUESTED and REQUIRED. For more details on use of this parameter, refer to the Oracle Advanced Security Administrator's Guide and the SQLNET.ENCRYPTION_CLIENT values.
The Oracle Server will need to be configured also to support this type of encryption.
Oracle ERP Admin User Responsibility
This value determines the ERP Responsibility used by the Identity Manager Oracle ERP Admin user to call the ERP application initialization routine. A list of valid responsibilities can be found in the fnd_responsibility_vl table. Also refer to the ERP documentation for more information.
If the Identity Manager Oracle ERP Admin user has a valid ERP system account and has a responsibility that matches the value of this parameter, the Oracle session created during connection enables the users’ actions to be audited using the Oracle ERP auditing mechanism. For example, the created_by and the last_updated_by fields of the fnd_user table objects will be updated correctly with the user ID of the Identity Manager Oracle ERP Admin user.
Adding Securing Attributes
The securingAttrs account attribute supports the Securing Attributes feature in Oracle Financials. To configure Securing Attributes from the Identity Manager Create User page, perform the following steps:
- Select the Add Securing Attribute checkbox.
- Enter a search pattern to narrow the choices of available attributes in the Enter Securing Attribute Search Pattern text box. Use the % character as a wild card. Then click the Load Securing Attributes button. This will load the attributes into the Oracle Securing Attributes select box.
- Select an attribute from the drop-down menu, and it will be added to the Securing Attributes table.
You may remove securing attributes by selecting the attribute to be removed from the table and clicking the Remove Selected Securing Attribute button.
Enabling Users
Enabling an Oracle ERP user requires the value of the owner attribute to be specified. The value CUST is used by default unless the value is specifically added to the Enable Form and sent through the enable view. The following example changes the default owner to MYOWNER:
<Field name='resourceAccounts.currentResourceAccounts[MyOracleERP].
attributes.owner' type='string'><Display class='Text'>
<Property name='title' value='Owner'/>
</Display>
<Default>
<s>MYOWNER</s>
</Default>
</Field>
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager can use one of the following drivers to communicate with the Oracle adapters:
Required Administrative Privileges
To create an Oracle user, the administrator must have CREATE USER, ALTER USER, and DROP USER system privileges.
For Oracle and Oracle Applications, administrators must have SELECT permissions on the following database views:
Oracle ERP Permissions
Oracle Applications require access to the following tables and stored procedures.
Note The administrator must be able to run the select command for all tables. In addition, the administrator must be able to update the apps.fnd_user table.
Note The adapter might access additional tables and stored procedures. Refer to the Oracle Applications documentation for additional information.
Oracle states that the Oracle ERP system, including the fnd_user_pkg stored procedures, were designed to be used to administer the ORACLE ERP system as the APPS user. Oracle does NOT recommend creating an alternate administrative user. However, if you need to manage Oracle ERP with a user other than APPS, contact Oracle for guidance.
The alternate administrative user must be granted the same access as the APPS user has to all Oracle data, including tables, views, and stored procedures.
The user will also need synonyms set up so the user will have access to the tables that the APPS user has access to. If a different user is used and the appropriate grants and synonyms have not been created for the user, the following error might be encountered:
Error: ORA-00942: table or view does not exist
Add the appropriate grants and synonyms to correct the error.
A sample SQL*Plus script is can be found in $WSHOME/sample/other/
CreateLHERPAdminUser.oracle.This script can be modified as necessary and be used to create an alternative Oracle ERP administrative user. Usage instructions are documented in the comments at the beginning of the script.
For pass-through authentication only, authority is needed to run the following SQL command:
create or replace function wavesetValidateFunc1 (username IN varchar2, password IN varchar2)
RETURN varchar2 IS ret_val boolean;
BEGIN ret_val := apps.FND_USER_PKG.ValidateLogin(username, password);
IF ret_val = TRUE THEN RETURN 'valid';
ELSE RETURN NULL;
END IF;
END wavesetValidateFunc1;
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Account Attributes
This section provides information about the Oracle and Oracle ERPaccount attributes, including:
Oracle Database
The following table lists the Oracle database user account attributes.
Notes:
Oracle Financials
The following table lists the Oracle ERP account attributes. All attributes are optional.
The Oracle ERP adapter allows you to add several read-only attributes that Identity Auditor can use to audit changes to responsibilities. The values returned in the auditorResps attribute are the active responsibilities for that user. All other attributes listed below are aggregates of each responsibility's sub-items, minus any menu and function exclusions that may exist.
The following table lists attributes that may be added to the schema map
Resource Object Management
None
Identity Template
$accountId$
Sample Forms
Built-In
None
Also Available
OracleERPUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes: