You can use the Google Apps connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.
This chapter is divided into the following sections:
Note:
These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.
Performing Provisioning Operations in Oracle Identity Manager Release 11.1.1.x
Performing Provisioning Operations in Oracle Identity Manager Release 11.1.2.x or Later
Note:
These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.
The GoogleApps Group Lookup Reconciliation scheduled job is used for lookup field synchronization.
Values fetched by this scheduled job from the target system are populated in the Lookup.GoogleApps.Groups lookup definition. Table 3-1 describes the attributes of this scheduled job. The procedure to configure scheduled tasks is described later in this guide.
Note:
The target system allows you to use special characters in lookup fields. However, in Oracle Identity Manager, special characters are not supported in lookup definitions.
Table 3-1 Attributes of the GoogleApps Group Lookup Reconciliation Scheduled Job
Attribute | Description |
---|---|
Batch Size | Enter the number of records that must be included in each batch during reconciliation. |
Code Key Attribute |
This attribute holds the name of the connector attribute whose value is used to populate the Code Key column of the Lookup.GoogleApps.Groups lookup definition. Default value: |
Decode Attribute | This attribute holds the name of the connector attribute whose value is used to populate the Decode column of the Lookup.GoogleApps.Groups lookup definition.
Default value: |
IT Resource Name | Name of the IT resource for the target system installation from which you reconcile user records.
Default value: |
Lookup Name |
This attribute holds the name of the lookup definition into which values must be populated by the scheduled task. Default value: If you create a copy of the Lookup.GoogleApps.Groups lookup definition, then enter the name of that new lookup definition as the value of the Lookup Name attribute. |
Object Type |
This attribute is used to perform reconciliation of specified object type. Group is the only supported object type. Default value: |
You can configure the connector to specify the type of reconciliation and its schedule.
As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager.
After you deploy the connector, you must first perform full reconciliation. To perform a full reconciliation run, ensure that no value is specified for the Filter attribute of the scheduled job for reconciling users and groups.
By default, all target system records are reconciled during the current reconciliation run. You can customize this process by specifying the subset of target system records that must be reconciled.
The scheduled job provides a Filter
parameter that allows you to use any of the Google Apps resource attributes to filter the target system records.
You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled task attribute) that allows you to use Google Apps resource attributes to filter the target system records.
For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
While deploying the connector, follow the instructions in Configuring Scheduled Jobs to specify attribute values.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid such problems.
To configure batched reconciliation, specify a value for the Batch Size attribute of the scheduled job for user and group reconciliation. You use the Batch Size attribute to specify the number of records that must be included in each batch fetched from the target system.
When you run the Connector Installer, reconciliation scheduled jobs are automatically created in Oracle Identity Manager. You must configure these scheduled jobs to suit your requirements by specifying values for its attributes.
You must specify values for the attributes of the following scheduled jobs:
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for the attributes that you want to change.
You use the GoogleApps Target Resource User Reconciliation scheduled job to reconcile account data from the target system.
Table 3-2 describes the attributes of this scheduled job.
Table 3-2 Attributes of the GoogleApps Target Resource User Reconciliation Scheduled Task
Attribute | Description |
---|---|
Batch Size |
Enter the number of records that must be included in each batch fetched from the target system. |
Filter |
This attribute holds the ICF Filter written using ICF-Common Groovy DSL. See Limited Reconciliation for more information about this attribute. |
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Object Type |
This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
Resource Object Name |
This attribute holds the name of the resource object used for reconciliation. Default value: Note: You must not change the default value. |
You use the GoogleApps Target Resource User Delete Reconciliation scheduled job to reconcile deleted users from the target system.
Table 3-3 describes the attributes of this scheduled job.
Table 3-3 Attributes of the GoogleApps Target Resource User Delete Reconciliation Scheduled Job
Attribute | Description |
---|---|
Batch Size |
Enter the number of records that must be included in each batch fetched from the target system. |
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Object Type |
This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
Resource Object Name |
This attribute holds the name of the resource object used for reconciliation. Default value: |
You use the GoogleApps Group Recon scheduled job to reconcile group data from the target system.
Table 3-2 describes the attributes of this scheduled job.
Table 3-4 Attributes of the GoogleApps Group Recon Scheduled Job
Attribute | Description |
---|---|
Batch Size |
Enter the number of records that must be included in each batch fetched from the target system. |
Filter |
This attribute holds the ICF Filter written using ICF-Common Groovy DSL. See Limited Reconciliation for more information about this attribute. |
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Object Type |
This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
Organization Name |
Enter the name of the Oracle Identity Manager organization in which reconciled groups must be created or updated. |
Resource Object Name |
This attribute holds the name of the resource object used for reconciliation. Default value: Note: You must not change the default value. |
Scheduled Task Name |
Name of the scheduled task used for reconciliation. Default value: |
You use the GoogleApps Group Delete Recon scheduled job to reconcile deleted groups from the target system.
Table 3-3 describes the attributes of this scheduled job.
Table 3-5 Attributes of the GoogleApps Group Delete Recon Scheduled Job
Attribute | Description |
---|---|
Batch Size |
Enter the number of records that must be included in each batch fetched from the target system. |
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Object Type |
This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
Organization Name |
Enter the name of the Oracle Identity Manager organization from which reconciled groups must be deleted. |
Resource Object Name |
This attribute holds the name of the resource object used for reconciliation. Default value: |
Configure scheduled jobs to perform reconciliation runs that check for new information on your target system periodically and replicates the data in Oracle Identity Manager.
This section describes the procedure to configure scheduled jobs. You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.
Table 3-6 lists the scheduled jobs that you must configure.
Table 3-6 Scheduled Jobs for Lookup Field Synchronization and Reconciliation
Scheduled Task | Description |
---|---|
GoogleApps Group Lookup Reconciliation | This scheduled job is used for lookup field synchronization. Scheduled Task for Lookup Field Synchronization describes this scheduled job. |
GoogleApps Target Resource User Reconciliation | This scheduled job is used to fetch user data during target resource reconciliation. For information about this scheduled task and its attributes, see GoogleApps Target Resource User Reconciliation. |
Google Apps Target Resource User Delete Reconciliation | This scheduled job is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user account on the target system, the GoogleApps resource is revoked for the corresponding OIM User. For information about this scheduled task and its attributes, see GoogleApps Target Resource User Delete Reconciliation. |
GoogleApps Group Recon | This scheduled job is used to fetch data about groups during target resource reconciliation. For information about this scheduled task and its attributes, see GoogleApps Group Recon. |
GoogleApps Group Delete Recon | This scheduled job is used to reconcile data about deleted groups in the target resource mode of the connector. For information about this scheduled task and its attributes, see GoogleApps Group Delete Recon. |
To configure a scheduled task:
The following are guidelines that you must apply while performing a provisioning operation:
For a Create User provisioning operation, you must specify a value for the Account Name field along with the domain name. For example, jdoe@example.com.
During a group provisioning operation, if you select ANYONE_CAN_JOIN as the value of the Who Can Join field, then you must set the value of the Allow External Members field to True. Before you perform the group provisioning operation with the values discussed in this point, ensure you have performed the procedure described in Preinstallation.
Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a Google account for the user.
When you install the connector on Oracle Identity Manager, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.
If you configure the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Switching Between Request-Based Provisioning and Direct Provisioning.
This following are types of provisioning operations:
This section provides information on the following topics:
You create a new user in the Administrative and User Console by using the Create User page. You provision an account for the newly created user on the Resource tab of the user details page.
To provision a resource by using the direct provisioning approach:
A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:
Note:
The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.
The following steps are performed by the end user in a request-based provisioning operation:
Note:
It is assumed that you have performed the procedure described in Enabling Request-Based Provisioning.
The following sections provide information on switching between request-based provisioning and direct provisioning:
To do so:
To do so:
You create a new user in Identity Self Service by using the Create User page. You provision or request for accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Manager release 11.1.2.x or later:
Uninstalling the connector deletes all the account related data associated with resource objects of the connector.
If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.