3 Using the Connector

You can use the Google Apps connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

This chapter is divided into the following sections:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Scheduled Task for Lookup Field Synchronization

The GoogleApps Group Lookup Reconciliation scheduled job is used for lookup field synchronization.

Values fetched by this scheduled job from the target system are populated in the Lookup.GoogleApps.Groups lookup definition. Table 3-1 describes the attributes of this scheduled job. The procedure to configure scheduled tasks is described later in this guide.

Note:

The target system allows you to use special characters in lookup fields. However, in Oracle Identity Manager, special characters are not supported in lookup definitions.

Table 3-1 Attributes of the GoogleApps Group Lookup Reconciliation Scheduled Job

Attribute Description

Batch Size

Enter the number of records that must be included in each batch during reconciliation.

Code Key Attribute

This attribute holds the name of the connector attribute whose value is used to populate the Code Key column of the Lookup.GoogleApps.Groups lookup definition.

Default value: __NAME__

Decode Attribute

This attribute holds the name of the connector attribute whose value is used to populate the Decode column of the Lookup.GoogleApps.Groups lookup definition.

Default value: __NAME__

IT Resource Name

Name of the IT resource for the target system installation from which you reconcile user records.

Default value: GoogleApps

Lookup Name

This attribute holds the name of the lookup definition into which values must be populated by the scheduled task.

Default value: Lookup.GoogleApps.Groups

If you create a copy of the Lookup.GoogleApps.Groups lookup definition, then enter the name of that new lookup definition as the value of the Lookup Name attribute.

Object Type

This attribute is used to perform reconciliation of the specified object type. Group is the only supported object type.

Default value: Group

3.2 Configuring Reconciliation

You can configure the connector to specify the type of reconciliation and its schedule.

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.2.1 Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager.

After you deploy the connector, you must first perform full reconciliation. To perform a full reconciliation run, ensure that no value is specified for the Filter attribute of the scheduled job for reconciling users and groups.

3.2.2 Limited Reconciliation

By default, all target system records are reconciled during the current reconciliation run. You can customize this process by specifying the subset of target system records that must be reconciled.

You can perform limited reconciliation by creating filters for the reconciliation module. The scheduled job provides a Filter attribute (a scheduled task attribute) that allows you to use any of the Google Apps resource attributes to filter the target system records.

For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

While deploying the connector, follow the instructions in Configuring Scheduled Jobs to specify attribute values.

3.2.3 Batched Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid such problems.

To configure batched reconciliation, specify a value for the Batch Size attribute of the scheduled job for user and group reconciliation. You use the Batch Size attribute to specify the number of records that must be included in each batch fetched from the target system.

3.2.4 Reconciliation Scheduled Jobs

When you run the Connector Installer, reconciliation scheduled jobs are automatically created in Oracle Identity Manager. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.

You must specify values for the attributes of the following scheduled jobs:

Note:

Attribute values are predefined in the connector XML file that you import. Specify values only for the attributes that you want to change.

3.2.4.1 GoogleApps Target Resource User Reconciliation

You use the GoogleApps Target Resource User Reconciliation scheduled job to reconcile account data from the target system.

Table 3-2 describes the attributes of this scheduled job.

Table 3-2 Attributes of the GoogleApps Target Resource User Reconciliation Scheduled Task

Attribute Description

Batch Size

Enter the number of records that must be included in each batch fetched from the target system.

Filter

This attribute holds the ICF Filter written using ICF-Common Groovy DSL. See Limited Reconciliation for more information about this attribute.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: GoogleApps

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: User

Do not change the default value.

Resource Object Name

This attribute holds the name of the resource object used for reconciliation.

Default value: GoogleApps User

Note: You must not change the default value.

3.2.4.2 GoogleApps Target Resource User Delete Reconciliation

You use the GoogleApps Target Resource User Delete Reconciliation scheduled job to reconcile deleted users from the target system.

Table 3-3 describes the attributes of this scheduled job.

Table 3-3 Attributes of the GoogleApps Target Resource User Delete Reconciliation Scheduled Job

Attribute Description

Batch Size

Enter the number of records that must be included in each batch fetched from the target system.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: GoogleApps

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: User

Do not change the default value.

Resource Object Name

This attribute holds the name of the resource object used for reconciliation.

Default value: GoogleApps User

3.2.4.3 GoogleApps Group Recon

You use the GoogleApps Group Recon scheduled job to reconcile group data from the target system.

Table 3-4 describes the attributes of this scheduled job.

Table 3-4 Attributes of the GoogleApps Group Recon Scheduled Job

Attribute Description

Batch Size

Enter the number of records that must be included in each batch fetched from the target system.

Filter

This attribute holds the ICF Filter written using ICF-Common Groovy DSL. See Limited Reconciliation for more information about this attribute.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: GoogleApps

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: Group

Do not change the default value.

Organization Name

Enter the name of the Oracle Identity Manager organization in which reconciled groups must be created or updated.

Resource Object Name

This attribute holds the name of the resource object used for reconciliation.

Default value: GoogleApps Group

Note: You must not change the default value.

Scheduled Task Name

Name of the scheduled task used for reconciliation.

Default value: GoogleApps Group Recon

3.2.4.4 GoogleApps Group Delete Recon

You use the GoogleApps Group Delete Recon scheduled job to reconcile deleted groups from the target system.

Table 3-5 describes the attributes of this scheduled job.

Table 3-5 Attributes of the GoogleApps Group Delete Recon Scheduled Job

Attribute Description

Batch Size

Enter the number of records that must be included in each batch fetched from the target system.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: GoogleApps

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: Group

Do not change the default value.

Organization Name

Enter the name of the Oracle Identity Manager organization from which reconciled groups must be deleted.

Resource Object Name

This attribute holds the name of the resource object used for reconciliation.

Default value: GoogleApps Group

3.3 Configuring Scheduled Jobs

Configure scheduled jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Manager.

This section describes the procedure to configure scheduled jobs. You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.

Table 3-6 lists the scheduled jobs that you must configure.

Table 3-6 Scheduled Jobs for Lookup Field Synchronization and Reconciliation

Scheduled Task Description

GoogleApps Group Lookup Reconciliation

This scheduled job is used for lookup field synchronization. Scheduled Task for Lookup Field Synchronization describes this scheduled job.

GoogleApps Target Resource User Reconciliation

This scheduled job is used to fetch user data during target resource reconciliation. For information about this scheduled task and its attributes, see GoogleApps Target Resource User Reconciliation.

GoogleApps Target Resource User Delete Reconciliation

This scheduled job is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user account on the target system, the GoogleApps resource is revoked for the corresponding OIM User. For information about this scheduled task and its attributes, see GoogleApps Target Resource User Delete Reconciliation.

GoogleApps Group Recon

This scheduled job is used to fetch data about groups during target resource reconciliation. For information about this scheduled task and its attributes, see GoogleApps Group Recon.

GoogleApps Group Delete Recon

This scheduled job is used to reconcile data about deleted groups in the target resource mode of the connector. For information about this scheduled task and its attributes, see GoogleApps Group Delete Recon.

To configure a scheduled task:

  1. If you are using Oracle Identity Manager release 11.1.1.x:
    1. Log in to the Administrative and User Console.
    2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
    3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
  2. If you are using Oracle Identity Manager release 11.1.2.x or later:
    1. Log in to Oracle Identity System Administration.
    2. In the left pane, under System Management, click Scheduler.
  3. Search for and open the scheduled task as follows:
    1. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    2. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. On the Job Details tab, you can modify the parameters of the scheduled task:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    • See Reconciliation Scheduled Jobs for the list of scheduled tasks and their attributes.

  6. Click Apply to save the changes.

    Note:

    The Stop Execution option is available in the Oracle Administration and User console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.
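
The attribute rules in Tables 3-2 through 3-5, together with the note that an empty attribute prevents reconciliation, can be checked before a job is saved. The following Python check is an added example, not part of the connector or of Oracle Identity Manager. The dictionary input format and the whole-number test on Batch Size are assumptions, and Filter is treated as the one attribute that may be empty, as Full Reconciliation requires.

```python
FIXED, REQUIRED, OPTIONAL = "fixed", "required", "optional"

# Attribute rules transcribed from Tables 3-2 to 3-5: (rule, documented default).
# FIXED    = the page says the default value must not be changed
# REQUIRED = must hold a value, or reconciliation is not performed
# OPTIONAL = may be empty (an empty Filter means full reconciliation)
_COMMON = {"Batch Size": (REQUIRED, None),
           "IT Resource Name": (REQUIRED, "GoogleApps")}
JOB_SPECS = {
    "GoogleApps Target Resource User Reconciliation": {**_COMMON,
        "Filter": (OPTIONAL, None),
        "Object Type": (FIXED, "User"),
        "Resource Object Name": (FIXED, "GoogleApps User")},
    "GoogleApps Target Resource User Delete Reconciliation": {**_COMMON,
        "Object Type": (FIXED, "User"),
        "Resource Object Name": (REQUIRED, "GoogleApps User")},
    "GoogleApps Group Recon": {**_COMMON,
        "Filter": (OPTIONAL, None),
        "Object Type": (FIXED, "Group"),
        "Organization Name": (REQUIRED, None),
        "Resource Object Name": (FIXED, "GoogleApps Group"),
        "Scheduled Task Name": (REQUIRED, "GoogleApps Group Recon")},
    "GoogleApps Group Delete Recon": {**_COMMON,
        "Object Type": (FIXED, "Group"),
        "Organization Name": (REQUIRED, None),
        "Resource Object Name": (REQUIRED, "GoogleApps Group")},
}


def lint_job(job_name, params):
    """Return a list of findings for one job; an empty list means it passes."""
    spec = JOB_SPECS.get(job_name)
    if spec is None:
        return [f"unknown scheduled job: {job_name!r}"]
    findings = []
    for attr, (rule, default) in spec.items():
        value = str(params.get(attr, "")).strip()
        if not value:
            if rule != OPTIONAL:
                findings.append(f"{attr}: empty, reconciliation will not run")
        elif rule == FIXED and value != default:
            findings.append(
                f"{attr}: {value!r} differs from fixed default {default!r}")
        elif attr == "Batch Size" and not value.isdigit():
            # Assumption of this example: Batch Size is a whole number.
            findings.append(f"{attr}: {value!r} is not a whole number")
    return findings


def recon_mode(params):
    """Full reconciliation needs an empty Filter; any value limits the run."""
    return "limited" if str(params.get("Filter", "")).strip() else "full"


# Constructed sample input, not exported from a real deployment.
SAMPLE = {
    "Batch Size": "100",
    "Filter": "",
    "IT Resource Name": "GoogleApps",
    "Object Type": "Group",  # wrong: the user job must keep "User"
    "Resource Object Name": "GoogleApps User",
}

if __name__ == "__main__":
    job = "GoogleApps Target Resource User Reconciliation"
    print(recon_mode(SAMPLE), lint_job(job, SAMPLE))
```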

3.4 Guidelines on Performing Provisioning Operations

The following are guidelines that you must apply while performing a provisioning operation:

  • For a Create User provisioning operation, you must specify a value for the Account Name field along with the domain name. For example, jdoe@example.com.

  • During a group provisioning operation, if you select ANYONE_CAN_JOIN as the value of the Who Can Join field, then you must set the value of the Allow External Members field to True. Before you perform the group provisioning operation with the values discussed in this point, ensure you have performed the procedure described in Preinstallation.

3.5 Performing Provisioning Operations in Oracle Identity Manager Release 11.1.1.x

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a Google account for the user.

When you install the connector on Oracle Identity Manager, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you configure the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Switching Between Request-Based Provisioning and Direct Provisioning.

The following are the types of provisioning operations:

  • Direct provisioning
  • Request-based provisioning

This section provides information on the following topics:

3.5.1 Direct Provisioning

You create a new user in the Administrative and User Console by using the Create User page. You provision an account for the newly created user on the Resource tab of the user details page.

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.
  2. If you want to first create an OIM User and then provision a target system account, then:
    1. On the Welcome to Identity Administration page, in the Users region, click Create User.
    2. On the user details page, enter values for the OIM User fields, and then click Save.
  3. If you want to provision a target system account to an existing OIM User, then:
    1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.
    2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.
  4. On the user details page, click the Resources tab.
  5. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.
  6. On the Step 1: Select a Resource page, select GoogleApps User from the list and then click Continue.
  7. On the Step 2: Verify Resource Selection page, click Continue.
  8. On the Step 5: Provide Process Data for Google Users Form page, enter the details of the account that you want to create on the target system and then click Continue.
  9. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.
  10. Close the window displaying the "Provisioning has been initiated" message.
  11. On the Resources tab, click Refresh to view the newly provisioned resource.

3.5.2 Request-Based Provisioning

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

3.5.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

  1. Log in to the Administrative and User console.
  2. On the Welcome page, click Advanced on the top right corner of the page.
  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.
  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.
  6. On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.
  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.
  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
  10. From the Available Resources list, select GoogleApps User, move it to the Selected Resources list, and then click Next.
  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
  12. On the Justification page, you can specify values for the following fields, and then click Finish.
    • Effective Date

    • Justification

    A message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.
  14. To view details of the approval, on the Request Details page, click the Request History tab.

3.5.2.2 Approver's Role in Request-Based Provisioning

The following steps are performed by the approver in a request-based provisioning operation:

  1. Log in to the Administrative and User console.
  2. On the Welcome page, click Self-Service in the upper-right corner of the page.
  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.
  4. On the Approvals tab, in the first section, you can specify a search criterion for the request task that is assigned to you.
  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

3.5.3 Switching Between Request-Based Provisioning and Direct Provisioning

Note:

It is assumed that you have performed the procedure described in Enabling Request-Based Provisioning.

The following sections provide information on switching between request-based provisioning and direct provisioning:

3.5.3.1 Switching From Request-Based Provisioning to Direct Provisioning

To switch from request-based provisioning to direct provisioning:

  1. Log in to the Design Console.
  2. Disable the Auto Save Form feature as follows:
    1. Expand Process Management, and then double-click Process Definition.
    2. Search for and open the GoogleApps User process definition.
    3. Deselect the Auto Save Form check box.
    4. Click Save.
  3. If the Self Request Allowed feature is enabled, then:
    1. Expand Resource Management, and then double-click Resource Objects.
    2. Search for and open the GoogleApps User resource object.
    3. Deselect the Self Request Allowed check box.
    4. Click Save.

3.5.3.2 Switching From Direct Provisioning to Request-Based Provisioning

To switch from direct provisioning to request-based provisioning:

  1. Log in to the Design Console.
  2. Enable the Auto Save Form feature as follows:
    1. Expand Process Management, and then double-click Process Definition.
    2. Search for and open the GoogleApps User process definition.
    3. Select the Auto Save Form check box.
    4. Click Save.
  3. If you want to enable end users to raise requests for themselves, then:
    1. Expand Resource Management, and then double-click Resource Objects.
    2. Search for and open the GoogleApps User resource object.
    3. Select the Self Request Allowed check box.
    4. Click Save.

3.6 Performing Provisioning Operations in Oracle Identity Manager Release 11.1.2.x or Later

You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Manager release 11.1.2.x or later:

  1. Log in to Identity Self Service.
  2. Create a user. See Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.
  3. On the Account tab, click Request Accounts.
  4. In the Catalog page, search for and add to cart the application instance created in Step 3, and then click Checkout.
  5. Specify values for the fields in the application form, and then click Ready to Submit.
  6. Click Submit.
  7. If you want to provision entitlements, then:
    1. On the Entitlements tab, click Request Entitlements.
    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.
    3. Click Submit.

3.7 Uninstalling the Connector

Uninstalling the connector deletes all the account-related data associated with the resource objects of the connector.

If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.