3 Using the Connector

This chapter is divided into the following sections:

• Section 3.1, "Guidelines on Using the Connector"

• Section 3.2, "Scheduled Jobs for Lookup Field Synchronization"

• Section 3.3, "Configuring Reconciliation"

• Section 3.4, "Configuring and Running Group Reconciliation"

• Section 3.5, "Configuring and Running Organization Reconciliation"

• Section 3.6, "Configuring Scheduled Jobs"

• Section 3.7, "Configuring Action Scripts"

• Section 3.8, "Performing Provisioning Operations"

• Section 3.9, "Switching Between Request-Based Provisioning and Direct Provisioning"

• Section 3.10, "Uninstalling the Connector"

3.1 Guidelines on Using the Connector

This section discusses the following topics:

• Section 3.1.1, "Guidelines on Configuring Reconciliation"

• Section 3.1.2, "Guidelines on Performing Provisioning Operations"

3.1.1 Guidelines on Configuring Reconciliation

The following are guidelines that you must apply while configuring reconciliation:

• Before a target resource reconciliation run is performed, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before user reconciliation runs.

• The scheduled job for user reconciliation must be run before the scheduled job for reconciliation of deleted user data.

• In the identity reconciliation mode, if you want to configure group reconciliation, then note that group reconciliation does not cover reconciliation of updates to existing groups on the target system. If you modify the name of a group on the target system, then it is reconciled as a new group in Oracle Identity Manager.

• In the identity reconciliation mode, if you want to configure organization reconciliation, then note that:

  • Organization reconciliation does not cover reconciliation of updates to existing organization names on the target system. If you modify the name of an organization on the target system, then it is reconciled as a new organization in Oracle Identity Manager.

  • Organization reconciliation events created by the scheduled job for organization reconciliation (Active Directory Organization Recon) must be successfully processed before the scheduled job for trusted source reconciliation (Active Directory User Trusted Recon) is run. In other words, organization reconciliation must be run and the organization records reconciled from the target system must be successfully linked in Oracle Identity Manager.

  • On the target system, users are created in specific organizations. During trusted source reconciliation of user data, if you want OIM Users to be created in the same organizations on Oracle Identity Manager, then you must set the MaintainHierarchy attribute of the trusted source reconciliation scheduled task to yes. In addition, you must configure organization reconciliation to run before trusted source reconciliation.

  • In Oracle Identity Manager, the organization namespace is a flat namespace although it allows parent-child hierarchical relationships between organizations. Therefore, two Microsoft Active Directory OUs with the same name cannot be created in Oracle Identity Manager, even if they have different parent OUs on the target system.

  • The name of an organization in Oracle Identity Manager cannot contain special characters, such as the equal sign (=) and comma (,). However, these special characters can be used in the name of an organization on the target system.

  • The synchronization of organization lookup fields is independent of whether or not you configure organization reconciliation.

• If you are going to configure Microsoft AD LDS as the trusted source, then you must ensure that a value (either true or false) is set for the msDS-UserAccountDisabled field of each user record on the target system. In Microsoft ADAM, the msDS-UserAccountDisabled field does not have a default value.

• The Filter attribute must contain only attributes that are present in the Decode column of the lookup definition that holds reconciliation attribute mapping.

• If you are going to run the scheduled job for reconciliation of deleted user records, then ensure that you set the value of the Container parameter of the IT resource to the root. This ensures that all accounts are fetched to Oracle Identity Manager. User records that are not fetched in to Oracle Identity Manager are assumed to have been deleted.

3.1.2 Guidelines on Performing Provisioning Operations

The following are guidelines that you must apply while performing provisioning operations:

• Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before provisioning operations.

• When both Microsoft Active Directory User Management and Microsoft Exchange connectors are deployed in your environment, do not specify a value for the Redirection Mail Id field.

  If you specify a value for the Redirection Mail Id field during a user provisioning operation, then a corresponding mail user account is created in Microsoft Exchange. When an Exchange mail user account is created through Active Directory, then some of the fields of an Exchange mail user account such as Maximum Receive Size cannot be updated. This also means that the Microsoft Exchange Connector cannot be used for further provisioning operations of this user. This is because the user is already created in Microsoft Exchange as a Mailuser.

  Note that the Microsoft Exchange connector cannot be used to convert Mailuser, mail user accounts created in the manner described in the preceding paragraph, to Mailbox as this is not allowed by the target. Therefore, it is recommended not to specify a value for the Redirection Mail Id field if both Microsoft Active Directory and Microsoft Exchange connector are deployed.

• Passwords for user accounts provisioned from Oracle Identity Manager must adhere to the password policy set in Microsoft Active Directory.

  Note:

  If you install Microsoft ADAM in a domain controller then it acquires all the policies of Microsoft Active Directory installed in the same domain controller. If you install Microsoft ADAM in a workgroup, then the local system policies are applied.

  In Microsoft Active Directory, password policies are controlled through password complexity rules. These complexity rules are enforced when passwords are changed or created. While changing the password of a Microsoft Active Directory account by performing a provisioning operation on Oracle Identity Manager, you must ensure that the new password adheres to the password policies on the target system.

  See Also:

  For more information about password guidelines applicable on the target system, visit the Microsoft TechNet Web site at

  http://technet2.microsoft.com

• Some Asian languages use multibyte character sets. If the character limit for fields on the target system is specified in bytes, then the number of Asian-language characters that you can enter in a particular field may be less than the number of English-language characters that you can enter in the same field. The following example illustrates this point:

  Suppose you can enter 50 characters of English in the User Last Name field of the target system. If you have configured the target system for the Japanese language, then you would not be able to enter more than 25 characters in the same field.

• The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Manager fields.

• On the target system, the Manager Name field accepts only DN values. Therefore, when you set or modify the Manager Name field on Oracle Identity Manager, you must enter the DN value.

  For example:

  cn=abc,ou=lmn,dc=corp,dc=com

• While specifying a value for the Home Directory field, follow these guidelines:

  • The value must always begin with two backslashes (\\).

  • The value must contain at least one backslash (\), but not at the end.

  Correct sample values:

  \\SOME_MACHINE\SOME_SHARE\SOME_DIRECTORY

  \\SOME_MACHINE\SOME_SHARE\SOME_DIRECTORY\SOME_OTHER_DIRECTORY

  Incorrect sample values:

  \\SOME_MACHINE\SOME_SHARE\

  \\SOME_MACHINE

• During a provisioning operation, you can specify multiple auxiliary classes to be attached (to the user account being created) by specifying a value for the ObjectClass field on the Assigned Object Classes Form.

• If you want to provision users and groups under the Users container, then include the following entry in the Lookup.ActiveDirectory.OrganizationalUnits lookup definition:

  Code Key:

  150~CN=Users,DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com

  Decode:

  SamAD~CN=Users,DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com

3.2 Scheduled Jobs for Lookup Field Synchronization

The following are the scheduled jobs for lookup field synchronization:

Note:

The procedure to configure these scheduled tasks is described later in the guide.

• Active Directory Group Lookup Recon

  This scheduled task is used to synchronize group lookup fields in Oracle Identity Manager with group-related data in the target system.

• Active Directory Organization Lookup Recon

  This scheduled task is used to synchronize organization lookup fields in Oracle Identity Manager with organization-related data in the target system.

Table 3-1 describes the attributes of both scheduled jobs.

Table 3-1 Attributes of the Scheduled Tasks for Lookup Field Synchronization

Attribute	Description
Code Key Attribute	Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: For Active Directory Group Lookup Recon: distinguishedName For Active Directory Organization Lookup Recon: distinguishedName Note: You must not change the value of this attribute.
Decode Attribute	Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: For Active Directory Group Lookup Recon: distinguishedName For Active Directory Organization Lookup Recon: distinguishedName
Filter	Enter a filter to filter out records to be stored in the lookup definition. For more information about the Filter attribute, see Section 3.3.2, "Limited Reconciliation."
IT Resource Name	Enter the name of the IT resource for the target system installation from which you want to reconcile records. Sample value: Active Directory
Lookup Name	Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system. Note: If the lookup name that you specify as the value of this attribute is not present in Oracle Identity Manager, then this lookup definition is created while the scheduled job is run. Depending on the scheduled job you are using, the default values are as follows: For Active Directory Group Lookup Recon: Lookup.ActiveDirectory.Groups For Active Directory Organization Lookup Recon: Lookup.ActiveDirectory.OrganizationalUnits
Object Type	This attribute holds the name of the type of object you want to reconcile. Depending on the scheduled job you are using, the default values are as follows: For Active Directory Group Lookup Recon: Group For Active Directory Organization Lookup Recon: OrganizationalUnit

3.3 Configuring Reconciliation

When you run the Connector Installer, scheduled jobs for user reconciliation are automatically created in Oracle Identity Manager. Configuring reconciliation involves providing values for the attributes of these scheduled jobs.

The following sections provide information about the attributes of the scheduled jobs:

• Section 3.3.1, "Full Reconciliation and Incremental Reconciliation"

• Section 3.3.2, "Limited Reconciliation"

• Section 3.3.3, "Batched Reconciliation"

• Section 3.3.4, "Reconciliation Scheduled Jobs"

3.3.1 Full Reconciliation and Incremental Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.

To perform a full reconciliation run, ensure that no values are specified for the following attributes of the scheduled jobs for reconciling user records:

Batch Start

Filter

Latest Token

At the end of the reconciliation run, the Latest Token attribute of the scheduled job for user record reconciliation is automatically set to the highest value of the uSNChanged attribute of a domain controller that is used for reconciliation. From the next run onward, only records created or modified after the value in the latest token attribute are considered for reconciliation. This is incremental reconciliation.

3.3.2 Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

You can perform limited reconciliation the first time you perform a reconciliation run. In other words, by using filters or by specifying a search base while configuring a scheduled job for full reconciliation, you can perform limited reconciliation. The following are the ways in which limited reconciliation can be achieved:

• Section 3.3.2.1, "Limited Reconciliation By Using Filters"

• Section 3.3.2.2, "Limited Reconciliation By Using the Search Base Attribute"

3.3.2.1 Limited Reconciliation By Using Filters

You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the Microsoft Active Directory resource attributes to filter the target system records. Table 3-2 lists the filter syntax that you can use and the corresponding description and sample values.

Note:

Filters with wildcard characters are not supported.

Table 3-2 Keywords and Syntax for the Filter Attribute

Filter Syntax	Description
String Filters
startsWith('ATTRIBUTE_NAME','PREFIX')	Records whose attribute value starts with the specified prefix are reconciled. Example: startsWith('userPrincipalName','John') In this example, all records whose userPrincipalName begins with 'John' are reconciled.
endsWith('ATTRIBUTE_NAME','SUFFIX')	Records whose attribute value ends with the specified suffix are reconciled. Example: endsWith('sn','Doe') In this example, all records whose last name ends with 'Doe' are reconciled.
contains('ATTRIBUTE_NAME','STRING')	Records where the specified string is contained in the attribute's value are reconciled. Example: contains('displayName','Smith') In this example, all records whose display name contains 'Smith' are reconciled.
containsAllValues('ATTRIBUTE_NAME',['STRING1','STRING2', . . . ,'STRINGn'])	Records that contain all the specified strings for a given attribute are reconciled. Example: containsAllValues('objectClass',['person','top']) In this example, all records whose objectClass contains both "top" and "person" are reconciled.
Equality and Inequality Filters
equalTo('ATTRIBUTE_NAME','VALUE')	Records whose attribute value is equal to the value specified in the syntax are reconciled. Example: equalTo('sAMAccountName','Sales Organization') In this example, all records whose sAMAccountName is Sales Organization are reconciled.
greaterThan('ATTRIBUTE_NAME','VALUE')	Records whose attribute value (string or numeric) is greater than (in lexicographical or numerical order) the value specified in the syntax are reconciled. Example 1: greaterThan('cn','bob') In this example, all records whose common name is present after the common name 'bob' in the lexicographical order (or alphabetical order) are reconciled. Example 2: greaterThan('employeeNumber','1000') In this example, all records whose employee number is greater than 1000 are reconciled.
greaterThanOrEqualTo('ATTRIBUTE_NAME','VALUE')	Records whose attribute value (string or number) is lexographically or numerically greater than or equal to the value specified in the syntax are reconciled. Example 1: greaterThanOrEqualTo('sAMAccountName','S') In this example, all records whose sAMAccountName is equal to 'S' or greater than 'S' in lexicographical order are reconciled. Example 2: greaterThanOrEqualTo('employeeNumber','1000') In this example, all records whose employee number is greater than or equal to 1000 are reconciled.
lessThan('ATTRIBUTE_NAME','VALUE')	Records whose attribute value (string or numeric) is less than (in lexicographical or numerical order) the value specified in the syntax are reconciled. Example 1: lessThan('sn','Smith') In this example, all records whose last name is present after the last name 'Smith' in the lexicographical order (or alphabetical order) are reconciled. Example 2: lessThan('employeeNumber','1000') In this example, all records whose employee number is less than 1000 are reconciled.
lessThanOrEqualTo('ATTRIBUTE_NAME','VALUE')	Records whose attribute value (string or numeric) is lexographically or numerically less than or equal to the value specified in the syntax are reconciled. Example 1: lessThanOrEqualTo('sAMAccountName','A') In this example, all records whose sAMAccountName is equal to 'A' or less than 'A' in lexicographical order are reconciled. Example 2: lessThanOrEqualTo('employeeNumber','1000') In this example, all records whose employee number is less than or equal to 1000 are reconciled.
Complex Filters
<FILTER1> & <FILTER2>	Records that satisfy conditions in both filter1 and filter2 are reconciled. In this syntax, the logical operator & (ampersand symbol) is used to combine both filters. Example: startsWith('cn', 'John') & endsWith('sn', 'Doe') In this example, all records whose common name starts with John and last name ends with Doe are reconciled.
<FILTER1> | <FILTER2>	Records that satisfy either the condition in filter1 or filter2 are reconciled. In this syntax, the logical operator | (vertical bar) is used to combine both filters. Example: contains('sAMAccountName', 'Andy') | contains('sn', 'Brown') In this example, all records that contain 'Andy' in the sAMAccount Name attribute or records that contain 'Brown' in the last name are reconciled.
not(<FILTER>)	Records that do not satisfy the given filter condition are reconciled. Example: not(contains('cn', 'Mark')) In this example, all records that does not contain the common name 'Mark' are reconciled.

3.3.2.2 Limited Reconciliation By Using the Search Base Attribute

You can perform limited reconciliation by using the Search Base attribute of the reconciliation scheduled jobs. By specifying a value for the Search Base attribute, you can limit the container from which the user, group, or organization records must be reconciled. This is the starting point for the search in the hierarchial structure for objects in Microsoft Active Directory. For more information about the Search Base attribute, see Section 3.3.4, "Reconciliation Scheduled Jobs."

3.3.3 Batched Reconciliation

This section discusses the Batch Size, Batch Start, Sort By, and Sort Direction attributes of the scheduled jobs for target resource reconciliation (Active Directory User Target Recon) and trusted source reconciliation (Active Directory User Trusted Recon).

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid such problems.

To configure batched reconciliation, specify values for the following attributes while performing the procedure described in the Section 3.3.4.1, "Scheduled Jobs for Reconciliation of User Records":

• Batch Size: Use this attribute to specify the number of records that must be included in each batch.

• Batch Start: Use this attribute to specify the record number from which batched reconciliation must begin.

• Number of Batches: Use this attribute to specify the total number of batches that must be reconciled. The default value of this attribute is All. If you do not want to implement batched reconciliation, then accept the default value. When you accept the default value, the values of the Batch Size, Batch Start, Sort By, and Sort Direction attributes are ignored.

• Sort By: Use this attribute to specify the name of the target system field by which the records in a batch must be sorted.

• Sort Direction: Use this attribute to specify the whether records being fetched must be sorted in ascending or descending order. The value of this attribute can be either asc or desc.

After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then you only need to rerun the scheduled task without changing the values of the task attributes.

Note:

Sorting of large number of records on the target system fails during batched reconciliation. Therefore, it is recommended that you use the PageSize entry of the Lookup.Configuration.ActiveDirectory or Lookup.Configuration.ActiveDirectory.Trusted lookup definitions to tune fetching of records from the target system. See Section 1.5.2.1, "Lookup.Configuration.ActiveDirectory" or Section 1.5.2.2, "Lookup.Configuration.ActiveDirectory.Trusted" for more information about the PageSize entry.

3.3.4 Reconciliation Scheduled Jobs

When you run the Connector Installer, the following reconciliation scheduled tasks are automatically created in Oracle Identity Manager:

• Section 3.3.4.1, "Scheduled Jobs for Reconciliation of User Records"

• Section 3.3.4.2, "Scheduled Jobs for Reconciliation of Deleted User Records"

• Section 3.3.4.3, "Scheduled Jobs for Reconciliation of Groups and Organizations"

• Section 3.3.4.4, "Scheduled Job for Reconciliation of Deleted Groups"

3.3.4.1 Scheduled Jobs for Reconciliation of User Records

Depending on whether you want to implement trusted source or target resource reconciliation, you must specify values for the attributes of one of the following user reconciliation scheduled jobs:

• Active Directory User Target Recon

• Active Directory User Trusted Recon

Active Directory User Target Recon

This scheduled job is used to reconcile user data in the target resource (account management) mode of the connector. Table 3-3 describes the attributes of this scheduled job.

Table 3-3 Attributes of the Scheduled Job for Reconciliation of User Data from a Target Resource

Attribute	Description
Batch Size	Enter the number of records that must be included in each batch fetched from the target system. Default value: 100 This attribute is used in conjunction with the Batch Start, Number of Batches, Sort By, and Sort Direction attributes. All these attributes are discussed in Section 3.3.3, "Batched Reconciliation."
Batch Start	Enter the number of the target system record from which a batched reconciliation run must begin. Default value: 1 This attribute is used in conjunction with the Batch Size, Number of Batches, Sort By, and Sort Direction attributes. All these attributes are discussed in Section 3.3.3, "Batched Reconciliation."
Filter	Expression for filtering records. Use the following syntax: syntax = expression ( operator expression )* operator = 'and' | 'or' expression = ( 'not' )? filter filter = ('equalTo' | 'contains' | 'containsAllValues' | 'startsWith' | 'endsWith' | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' ) '(' 'attributeName' ',' attributeValue')' attributeValue = singleValue | multipleValues singleValue = 'value' multipleValues = '[' 'value_1' (',' 'value_n')* ']' Default value: None
Incremental Recon Attribute	Enter the name of the target system attribute that holds last update-related number, non-decreasing value. For example, numeric or strings. The value in this attribute is used during incremental reconciliation to determine the newest or most youngest record reconciled from the target system. Default value: uSNChanged Note: Do not change the value of this attribute.
IT Resource Name	Name of the IT resource instance that the connector must use to reconcile data. Sample value: Active Directory
Latest Token	This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation. Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only user accounts whose uSNChanged value is greater than the Latest Token attribute value are reconciled.
Number of Batches	Enter the number of batches that must be reconciled. Default value: All Sample value 20 This attribute is used in conjunction with the Batch Size, Batch Start, Sort By, and Sort Direction attributes. All these attributes are discussed in Section 3.3.3, "Batched Reconciliation." If you accept the default value (All), then all batches are reconciled.
Object Type	This attribute holds the type of object you want to reconcile. Default value: User Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.
Resource Object Name	Enter the name of the resource object against which reconciliation runs must be performed. Default value: AD User
Scheduled Task Name	This attribute holds the name of the scheduled task. Default value: Active Directory User Target Recon
Search Base	Enter the container in which the search for user records must be performed during reconciliation. Sample Value: ou=org1,dc=corp,dc=com Note: If you do not specify a value for this attribute, then the value specified as the value of the Container parameter of the IT resource is used as the value of this attribute.
Search Scope	Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base attribute and all of its child containers. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover the abc OU and all of its child OUs. Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base attribute. Child containers of the specified container are not included in the search. For example if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover only the abc OU. Note: If you want to enter onelevel, then remember that you must not include a space between "one" and "level." Default value: subtree
Sort By	Enter the name of the target system field by which the records in a batch must be sorted. Default value: samAccountName Note: If you are using AD LDS as the target system, then change the default value of this attribute to some other attribute (for example, cn) because the samAccountName attribute does not exist on the AD LDS target system.
Sort Direction	Use this attribute to specify whether records being fetched must be sorted in ascending or descending order. The value of this attribute can be either asc or desc. Default value: asc

Active Directory User Trusted Recon

This scheduled job is used to reconcile user data in the trusted resource (identity management) mode of the connector. Table 3-4 describes the attributes of this scheduled job.

Table 3-4 Attributes of the Scheduled Job for Reconciliation of User Data from a Trusted Source

Attribute	Description
Batch Size	Enter the number of records that must be included in each batch fetched from the target system. Default value: 100 This attribute is used in conjunction with the Batch Start, Number of Batches, Sort By, and Sort Direction attributes. All these attributes are discussed in Section 3.3.3, "Batched Reconciliation."
Batch Start	Enter the number of the target system record from which a batched reconciliation run must begin. Default value: 1 This attribute is used in conjunction with the Batch Size, Number of Batches, Sort By, and Sort Direction attributes. All these attributes are discussed in Section 3.3.3, "Batched Reconciliation."
Filter	Expression for filtering records. Use the following syntax: syntax = expression ( operator expression )* operator = 'and' | 'or' expression = ( 'not' )? filter filter = ('equalTo' | 'contains' | 'containsAllValues' | 'startsWith' | 'endsWith' | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' ) '(' 'attributeName' ',' attributeValue')' attributeValue = singleValue | multipleValues singleValue = 'value' multipleValues = '[' 'value_1' (',' 'value_n')* ']' Default value: None
Incremental Recon Attribute	Enter the name of the target system attribute that holds last update-related number, non-decreasing value. For example, numeric or strings. The value in this attribute is used during incremental reconciliation to determine the newest or most youngest record reconciled from the target system. Default value: uSNChanged Note: Do not change the value of this attribute.
IT Resource Name	Name of the IT resource instance that the connector must use to reconcile data. Sample value: Active Directory
Latest Token	This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation. Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only user accounts whose uSNChanged value is greater than the Latest Token attribute value are reconciled.
Maintain Hierarchy	Enter yes to specify that you want to maintain in Oracle Identity Manager the same organization hierarchy that is maintained on the target system. Otherwise, enter no. Default value: no Note: If you set this attribute to yes, then you must schedule the job for organization reconciliation (Active Directory Organization Recon) to run before this scheduled job.
Manager Id	Enter the decode value of the User Id Code Key in the lookup definition that holds mappings between resource object fields and target system attributes for trusted source reconciliation. If you are using Microsoft Active Directory as the target system, then the default value of this attribute is sAMAccountName. If you are using Microsoft AD LDS as the target system, then set the value of this attribute to __UPN_WO_DOMAIN__. Default value: sAMAccountName
Number of Batches	Enter the number of batches that must be reconciled. Default value: All Sample value 20 This attribute is used in conjunction with the Batch Size, Batch Start, Sort By, and Sort Direction attributes. All these attributes are discussed in Section 3.3.3, "Batched Reconciliation." If you accept the default value (All), then all batches are reconciled.
Object Type	This attribute holds the type of object you want to reconcile. Default value: User Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.
OIM Employee Type	Enter the employee type that must be set for OIM Users created through reconciliation. Default value: Full-Time
OIM Organization Name	Enter the name of the Oracle Identity Manager organization in which reconciled users must be created. The OIM Organization attribute is taken into account only if you set the MaintainHierarchy attribute to no. If you set the MaintainHierarchy attribute to yes, then the value of the OIM Organization attribute is ignored. Default value: Xellerate Users
OIM User Type	Enter the role that must be set for OIM Users created through reconciliation. You must select one of the following values: End-User End-User Administrator Default value: End-User
Resource Object Name	Enter the name of the resource object against which reconciliation runs must be performed. Default value: AD User Trusted
Scheduled Task Name	This attribute holds the name of the scheduled task. Default value: Active Directory User Trusted Recon
Search Base	Enter the container in which the search for user records must be performed during reconciliation. Sample Value: ou=org1,dc=corp,dc=com Note: If you do not specify a value for this attribute, then the value specified as the value of the Container parameter of the IT resource is used as the value of this attribute.
Search Scope	Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base attribute and all of its child containers. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover the abc OU and all of its child OUs. Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base attribute. Child containers of the specified container are not included in the search. For example if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover only the abc OU. Note: If you want to enter onelevel, then remember that you must not include a space between "one" and "level." Default value: subtree
Sort By	Enter the name of the target system field by which the records in a batch must be sorted. Default value: samAccountName Note: If you are using AD LDS as the target system, then change the default value of this attribute to some other attribute (for example, cn) because the samAccountName attribute does not exist on the AD LDS target system.
Sort Direction	Use this attribute to specify whether records being fetched must be sorted in ascending or descending order. The value of this attribute can be either asc or desc. Default value: asc

3.3.4.2 Scheduled Jobs for Reconciliation of Deleted User Records

Depending on whether you want to implement trusted source or target resource delete reconciliation, you must specify values for the attributes of one of the following scheduled jobs:

• Active Directory User Target Delete Recon

  This scheduled job is used to reconcile data about deleted users in the target resource (account management) mode of the connector. During a reconciliation run, for each deleted user account on the target system, the Active Directory resource is revoked for the corresponding OIM User.

• Active Directory User Trusted Delete Recon

  This scheduled job is used to reconcile data about deleted users in the trusted source (identity management) mode of the connector. During a reconciliation run, for each deleted target system user account, the corresponding OIM User is deleted.

Table 3-5 describes the attributes of both scheduled jobs.

Table 3-5 Attributes of the Scheduled Jobs for Delete User Reconciliation

Attribute	Description
Delete Recon	Specifies whether delete reconciliation must be performed. Default value: yes Note: Do not change the value of this attribute.
IT Resource Name	Name of the IT resource instance that the connector must use to reconcile user data. The default value of this attribute in the Active Directory User Target Delete Recon scheduled job is Active Directory. The default value of this attribute in the Active Directory User Trusted Delete Recon scheduled job is none. Note: If you have configured your target system as trusted source, then ensure that you specify the name of the IT resource in which the Configuration Lookup parameter is set to Lookup.Configuration.ActiveDirectory.Trusted.
Object Type	This attribute holds the type of object you want to reconcile. Default value: User
Resource Object Name	Enter the name of the resource object against which reconciliation runs must be performed. The default value of this attribute in the Active Directory User Target Delete Recon scheduled job is AD User. The default value of this attribute in the Active Directory User Trusted Delete Recon scheduled job is AD User Trusted.
Scheduled Task Name	This attribute holds the name of the scheduled task. The default value of this attribute in the Active Directory User Target Delete Recon scheduled job is Active Directory User Target Delete Recon. The default value of this attribute in the Active Directory User Trusted Delete Recon scheduled job is Active Directory User Trusted Delete Recon.
Sync Token	This attribute must be left blank when you run delete reconciliation for the first time. This ensures that data about all records that are deleted from the target system are fetched into Oracle Identity Manager. After the first delete reconciliation run, the connector automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records that are deleted since the last reconciliation run ended are fetched into Oracle Identity Manager. This attribute stores values in the following format: <String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String> A value of True in the preceding format specifies that the Global Catalog Server is used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER is replaced with the name of the domain controller on which the Global Catalog Server is running. A value of False specifies that the Global Catalog Server is not used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER will be replaced with the name of the domain controller from which data about deleted records is fetched.

3.3.4.3 Scheduled Jobs for Reconciliation of Groups and Organizations

Depending on your requirement, you must specify values for the attributes of one of the following scheduled jobs:

• Active Directory Group Recon

  This scheduled job is used to reconcile group data from the target system.

• Active Directory Organization Recon

  This scheduled job is used to reconcile organization data from the target system.

See Also:

The following sections for information about running group and organization reconciliation:

• Section 3.4, "Configuring and Running Group Reconciliation"

• Section 3.5, "Configuring and Running Organization Reconciliation"

Table 3-6 describes the attributes of both scheduled jobs.

Table 3-6 Attributes of the Scheduled Task for Reconciliation of Group and Organization Data

Attribute	Description
Filter	Expression for filtering records. Use the following syntax: syntax = expression ( operator expression )* operator = 'and' | 'or' expression = ( 'not' )? filter filter = ('equalTo' | 'contains' | 'containsAllValues' | 'startsWith' | 'endsWith' | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' ) '(' 'attributeName' ',' attributeValue ')' attributeValue = singleValue | multipleValues singleValue = 'value' multipleValues = '[' 'value_1' (',' 'value_n')* ']' Default value: None
Incremental Recon Attribute	Enter the name of the target system attribute that holds last update-related number, non-decreasing value. For example, numeric or strings. The value in this attribute is used during incremental reconciliation to determine the newest or most youngest record reconciled from the target system. Default value: uSNChanged Note: Do not change the value of this attribute.
IT Resource Name	Enter the name of the IT resource for the target system installation from which you want to reconcile group or organization data. Default value: Active Directory
Latest Token	This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation. Sample value: 0 Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only groups or organizational units whose uSNChanged value is greater than the Latest Token attribute value are reconciled.
Object Type	Type of object to be reconciled. The default value of this attribute in the Active Directory Group Recon scheduled job is Group. The default value of this attribute in the Active Directory Organization Recon scheduled job is organizationalUnit.
Organization Name	Enter the name of the organization to which all groups fetched from the target system is linked. See Section 3.4, "Configuring and Running Group Reconciliation" for more information on the usage of this attribute. Note: This attribute is present only in the Active Directory Group Recon scheduled job.
Organization Type	Type of organization to be created in Oracle Identity Manager. Default value: Company Note: This attribute is present only in the Active Directory Group Recon scheduled job.
Resource Object Name	Name of the resource object that is used for reconciliation. The default value of this attribute in the Active Directory Group Recon scheduled job is AD Group. The default value of this attribute in the Active Directory Organization Recon scheduled job is Xellerate Organization.
Scheduled Task Name	Name of the scheduled task used for reconciliation. The default value of this attribute in the Active Directory Group Recon scheduled job is Active Directory Group Recon. The default value of this attribute in the Active Directory Organization Recon scheduled job is Active Directory Organization Recon.
Search Base	Enter the container in which the search for group or organization records must be performed during reconciliation. Sample Value: ou=org1,dc=corp,dc=com Note: If you do not specify a value for this attribute, then the value specified as the value of the Container parameter of the IT resource is used as the value of this attribute.
Search Scope	Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base attribute and all of its child containers. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover the abc OU and all of its child OUs. Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base attribute. Child containers of the specified container are not included in the search. For example if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover only the abc OU. Note: If you want to enter onelevel, then remember that you must not include a space between "one" and "level." Default value: subtree

3.3.4.4 Scheduled Job for Reconciliation of Deleted Groups

The Active Directory Group Delete Recon is used to reconcile data about deleted groups.

Table 3-7 describes the attributes of this scheduled job.

Table 3-7 Attributes of the Active Directory Group Delete Recon Scheduled Job

Attribute	Description
Delete Recon	Specifies whether delete reconciliation must be performed. Default value: yes Note: Do not change the value of this attribute.
IT Resource Name	Name of the IT resource instance that the connector must use to reconcile group data. Default value: Active Directory
Object Type	This attribute holds the type of object you want to reconcile. Default value: Group
Resource Object Name	Enter the name of the resource object against which reconciliation runs must be performed. Default value: AD Group
Scheduled Task Name	This attribute holds the name of the scheduled task. Default value: Active Directory Group Delete Recon
Sync Token	This attribute must be left blank when you run delete reconciliation for the first time. This ensures that data about all records that are deleted from the target system are fetched into Oracle Identity Manager. After the first delete reconciliation run, the connector automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records that are deleted since the last reconciliation run ended are fetched into Oracle Identity Manager. This attribute stores values in the following format: <String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String> A value of True in the preceding format specifies that the Global Catalog Server is used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER is replaced with the name of the domain controller on which the Global Catalog Server is running. A value of False specifies that the Global Catalog Server is not used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER is replaced with the name of the domain controller from which data about deleted records is fetched.
Organization Name	Enter the name of the organization to which data about all deleted groups fetched from the target system is linked. There are two scenarios in which group reconciliation is performed. These scenarios are described in Section 3.4, "Configuring and Running Group Reconciliation." If you have configured the connector to perform group reconciliation in scenario 1, then you need not specify a value for this attribute. In case you specify a value, it is ignored by the connector. If you have configured the connector to perform group reconciliation in scenario 2, then enter the same organization name specified for the Organization Name attribute of the Active Directory Group Recon scheduled job.

3.4 Configuring and Running Group Reconciliation

This section describes the two scenarios in which group reconciliation is performed and their procedure.

Scenario 1

Create an organizational unit in Oracle Identity Manager with the name of the group (available in the target system), and then reconcile groups to this newly created organizational unit. In other words, suppose a scenario in which you want every target system group to be reconciled into an organization of its own.

To perform group reconciliation in this scenario:

1. Ensure that the value of the Configuration Lookup parameter of the IT resource is set to Lookup.Configuration.ActiveDirectory.

2. Search for and open the Active Directory Group Recon scheduled job.

3. Set the value of the Resource Object Name attribute of the scheduled job to Xellerate Organization. Note that you need not specify a value for the Organization Name attribute. If you specify a value for the Organization Name attribute, then the value is ignored.

4. Run the Active Directory Group Recon scheduled job. See Section 3.6, "Configuring Scheduled Jobs" for information on configuring and running a scheduled job.

5. After completion of the reconciliation run:

   • Clear the value in the Latest Token attribute of the scheduled job.

   • Specify AD Group as value of the Resource Object Name attribute of the scheduled job.

6. Run the Active Directory Group Recon scheduled job again. See Section 3.6, "Configuring Scheduled Jobs" for information on configuring and running a scheduled job.

7. In the Administrative and User Console, verify whether an organizational unit with the name of the group is created , and then the organizational unit has the AD Group resource object in the 'Provisioned' state.

Scenario 2

This section discusses the procedure to perform group reconciliation when all groups available on the target system must be reconciled under the same organizational unit in Oracle Identity Manager. In other words, suppose a scenario in which you want all target system groups to be reconciled into a single organization.

To perform group reconciliation in this scenario:

1. Log in to the Design Console.

2. Expand Administration, and then double-click Lookup Definition.

3. Search for and open the Lookup.ActiveDirectory.GM.ReconAttrMap lookup definition.

4. Change the Decode value of the OIM Org Name entry from sAMAccountName to Organization Name.

5. Save and close the lookup definition.

6. Log in to the Administrative and User Console.

7. Search for and open the Active Directory Group Recon scheduled job, and then:

   • Clear the value in the Latest Token attribute.

   • In the Resource Object Name attribute field, specify AD Group as the value.

   • In the Organization Name attribute field, specify the name of an organizational unit under which all groups from the target system must be reconciled.

8. Run the Active Directory Group Recon scheduled job. See Section 3.6, "Configuring Scheduled Jobs" for information on configuring and running a scheduled job.

3.5 Configuring and Running Organization Reconciliation

The following is the procedure to run the scheduled job for organization reconciliation:

1. Ensure that the value of the Configuration Lookup parameter of the IT resource is set to Lookup.Configuration.ActiveDirectory.Trusted.

2. Search for and open the Active Directory Organization Recon scheduled job.

3. Set the value of the Resource Object Name attribute of the scheduled job to Xellerate Organization. This creates organizations in Oracle Identity Manager after the scheduled job is run.

4. Run the Active Directory Organization Recon scheduled job. See Section 3.6, "Configuring Scheduled Jobs" for information on configuring and running a scheduled job.

5. After completion of the reconciliation run:

   • Clear the value in the Latest Token attribute of the scheduled job.

   • Specify AD Organizational Unit as value of the Resource Object Name attribute of the scheduled job.

6. Set the value of the Configuration Lookup parameter of the IT resource to Lookup.Configuration.ActiveDirectory.

7. Run the Active Directory Organization Recon scheduled job again. See Section 3.6, "Configuring Scheduled Jobs" for information on configuring and running a scheduled job.

8. In the Administrative and User Console, verify whether the AD Organizational Unit Resource is provisioned to the organizations created in Step 3 of this section.

3.6 Configuring Scheduled Jobs

This section describes the procedure to configure scheduled jobs. You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.

Table 3-8 lists the scheduled job that you must configure.

Table 3-8 Scheduled Jobs for Lookup Field Synchronization and Reconciliation

Scheduled Task	Description
Active Directory Group Lookup Recon	This scheduled task is used to synchronize the values of group lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 3.2, "Scheduled Jobs for Lookup Field Synchronization."
Active Directory Organization Lookup Recon	This scheduled task is used to synchronize the values of organization lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 3.2, "Scheduled Jobs for Lookup Field Synchronization."
Active Directory User Target Recon	This scheduled task is used to fetch user data during target resource reconciliation. For information about this scheduled task and its attributes, see Section 3.3.4.1, "Scheduled Jobs for Reconciliation of User Records."
Active Directory User Target Delete Recon	This scheduled task is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user account on the target system, the AD User resource is revoked for the corresponding OIM User. For information about this scheduled task and its attributes, see Section 3.3.4.2, "Scheduled Jobs for Reconciliation of Deleted User Records."
Active Directory Organization Recon	This scheduled task is used to reconcile data about organizations. For information about this scheduled task and its attributes, see Section 3.3.4.3, "Scheduled Jobs for Reconciliation of Groups and Organizations."
Active Directory User Trusted Recon	This scheduled task is used to fetch user data during trusted source reconciliation. For information about this scheduled task and its attributes, see Section 3.3.4.1, "Scheduled Jobs for Reconciliation of User Records."
Active Directory User Trusted Delete Recon	This scheduled task is used to fetch data about deleted users during trusted source reconciliation. During a reconciliation run, for each deleted target system account, the corresponding OIM User is deleted. For information about this scheduled task and its attributes, see Section 3.3.4.2, "Scheduled Jobs for Reconciliation of Deleted User Records."
Active Directory Group Recon	This scheduled task is used to fetch data about groups during target resource reconciliation. For information about this scheduled task and its attributes, see Section 3.3.4.3, "Scheduled Jobs for Reconciliation of Groups and Organizations."
Active Directory Group Delete Recon	This scheduled task is used to reconcile data about deleted groups in the target resource (account management) mode of the connector. For information about this scheduled task and its attributes, see Section 3.3.4.4, "Scheduled Job for Reconciliation of Deleted Groups."

To configure a scheduled job:

1. Log in to the Administrative and User Console.

2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced.

3. Search for and open the scheduled task as follows:

   1. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

   2. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

   3. In the search results table on the left pane, click the scheduled job in the Job Name column.

4. On the Job Details tab, you can modify the parameters of the scheduled task:

   • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

   • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

   Note:

   See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

   In addition to modifying the job details, you can enable or disable a job.

5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

   Note:

   • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

   • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

   • See Section 3.3.4, "Reconciliation Scheduled Jobs" for the list of scheduled tasks and their attributes.

6. Click Apply to save the changes.

   Note:

   The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.

3.7 Configuring Action Scripts

Actions are scripts that you can configure to run before or after the create, update, or delete an account provisioning operations. For example, you could configure a script to run before every user creation.

Note:

To configure a before or after action, your connector must support running scripts. An exception is Groovy (with target set to Connector), which the Identity Connector Framework (ICF) supports by default for all converged connectors.

Every connector should specify the scripting language and the target it supports. The Microsoft Active Directory connector supports the following scripts:

CMD: windows batch script and target: Connector

The target means where the script is executed.

• If the target is Connector, then the script is executed on the same computer (JVM or .Net Runtime) where the connector is deployed. For example, if you deploy the connector on the connector server, the script will be executed on that computer.

  That is, if you are using a local framework, the script runs in your JVM. If you are connected to a remote framework, the script runs in the remote JVM or .Net Runtime.

• If the target is Resource, then the script is executed on the computer where the target resource is running (and is typically interpreted by the target computer).

Table 3-9 describes the entries to be added to the Lookup.ActiveDirectory.UM.Configuration lookup definition for running actions scripts.

Table 3-9 Lookup Entries for Running Action Scripts

Code Key	Decode
TIMING Action Language	Script language, which can be Shell or Boo.
TIMING Action File	Full path and name to the file containing the script to be run. Note that the file containing the script must be located on the computer on which Oracle Identity Manager is running.
TIMING Action Target	Context in which the script must be run. Set Connector, if the script must be run in the same .NET runtime as the connector. Set Resource, if the script must be run on the target resource. Note: It is recommended to set the value of the Action Target entry to Resource because the connector handles all implementation.

In the preceding table, TIMING defines when an action must be performed. An action can be invoked either before or after a create, update, or delete provisioning operation. Therefore, TIMING can be replaced with any of the following values:

Before Create

Before Update

Before Delete

After Create

After Update

After Delete

All the entries in Table 3-9 define an action together. Therefore, to configure action scripts, all the entries must be defined. Otherwise, no action is performed.

To configure the action:

1. Log in to the Design Console.

2. Search for and open the Lookup.ActiveDirectory.UM.Configuration lookup definition.

3. Add the following new values:

   • Code Key: TIMING Action Language

     Sample value: Before Create Action Language

   • Decode: Enter the scripting language of the script you want to execute

     Sample value: Shell

4. Add these new values:

   • Code Key: TIMING Action File

     Sample value: Before Create Action File

   • Decode: Enter the full path to the file containing the script to be executed (Oracle Identity Manager must be able to access this file.)

     Sample value: /home/scripts/testscript.bat

5. Add these new values:

   • Code Key: TIMING Action Target

     Sample value: Before Create Action Target

   • Decode: Allowed values are Connector and Resource, depending on the connector what is supported.

     Sample value: Connector

6. Save the lookup definition.

Now, this action will be executed every time you create a user. You must configure these three values for each action you want to execute.

Note that you can pass process form fields to the scripts that call the before or after action scripts. The following is an example procedure for running a script before a create provisioning operation:

1. Create a file named script.bat (extension doesn't matter) with following line:

   echo create >> C:\%givenName%.txt
   

2. Log in to the Design Console.

3. Expand Administration and then double-click Lookup Definition.

4. Search for and open the Lookup.ActiveDirectory.UM.Configuration lookup definition and add the following entries:

   Code Key	Decode
   Before Create Action Language	Shell
   Before Create Action File	/scratch/jdoe/script/script.bat
   Before Create Action Target	Resource

   
   

   Figure 3-1 shows the Lookup.ActiveDirectory.UM.Configuration lookup definition with the newly added action script entries.

   Figure 3-1 Lookup Entries for Action Scripts

   
   Description of "Figure 3-1 Lookup Entries for Action Scripts"
   
   

5. Save and close the lookup definition.

6. Log in to the Administrative and User Console.

7. Provision a user account. You notice that the script (created in Step 1) is run and a file with the value specified for the givenName attribute is created on the target system.

You can also configure actions by using Visual Basic scripts. Although Visual Basic scripts are not directly supported, a Visual Basic script can be called using a shell script.

The following is an example procedure for running actions using Visual Basic scripts that consumes data dynamically from the process form. This is an example procedure for an After Create action, which requires creating a user in an organizational unit in addition to the one in which the user is provisioned to.

1. Create a file (a script) on the OIM machine with following data:

   C:\arg.vbs %givenName%
   

   Note that there is a space between C:\arg.vbs and %givenName%.

2. On the machine hosting the target system, create a file in the C:\ directory. For example, create an arg.vbs file.

3. Include the following lines in the arg.vbs file:

   Set args = WScript.Arguments
   GivenNameFromArg = args.Item(0)
   lengthGivenName = Len(GivenNameFromArg) - 2
   GivenNameTrim = Mid(GivenNameFromArg, 2, lengthGivenName)
   Set objOU = GetObject("LDAP://ausovm3194win.matrix.com:389/OU=TestOrg4,dc=matrix,dc=com")
   Set objUser = objOU.Create("User", "cn=scriptCreate" & GivenNameTrim )
   objUser.Put "givenName", "scriptCreate" & GivenNameTrim
   objUser.Put "sAMAccountName", "scriptCreate " & GivenNameTrim
   objUser.Put "userPrincipalName", "scriptCreate" & GivenNameTrim
   objUser.Put "displayName", "scriptCreate" & GivenNameTrim
   objUser.Put "sn", "scriptCreate" & GivenNameTrim
   objUser.SetInfo
   

4. Save and close the file.

5. Provision a user account on Oracle Identity Manager.

3.7.1 Guidelines on Creating Scripts

The following are the guidelines that you must apply or be aware of while configuring action scripts:

• Your script file can contain scripts that include attributes present in the decode column of any of the following lookup definitions:

  Lookup.ActiveDirectory.UM.ProvAttrMap

  Lookup.ActiveDirectory.GM.ProvAttrMap

  Lookup.ActiveDirectory.OM.ProvAttrMap

• In case of a script file for a Before Update or After Update action, your script must contain only the field being updated and the UID field.

• In case of a script file for a Before Delete or After Delete action, your script must contain only the UID field.

• All field names used in the scripts must be enclosed within %%.

• You can call any VB script from a shell and pass the process form fields.

• You cannot include the Password field in the script. This is because password is stored as a guarded string. Therefore, we do not get the exact password when we fetch values for the Password field.

• Addition of child table attributes belongs to the 'Update' category and not 'Create.'

3.8 Performing Provisioning Operations

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a Microsoft Active Directory account for the user.

When you install the connector on Oracle Identity Manager, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you configure the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Section 3.9, "Switching Between Request-Based Provisioning and Direct Provisioning."

This following are types of provisioning operations:

• Direct provisioning

• Request-based provisioning

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about the types of provisioning

This section discusses the following topics:

• Section 3.8.1, "Direct Provisioning"

• Section 3.8.2, "Request-Based Provisioning"

3.8.1 Direct Provisioning

To provision a resource by using the direct provisioning approach:

1. Log in to the Administrative and User Console.

2. If you want to first create an OIM User and then provision a target system account, then:

   1. On the Welcome to Identity Administration page, in the Users region, click Create User.

   2. On the user details page, enter values for the OIM User fields, and then click Save. Figure 3-2 shows this page.

      Figure 3-2 User Details Page

      
      Description of "Figure 3-2 User Details Page"
      
      

3. If you want to provision a target system account to an existing OIM User, then:

   1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.

   2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

4. On the user details page, click the Resources tab.

5. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

6. On the Step 1: Select a Resource page, select AD User from the list and then click Continue. Figure 3-3 shows the Step 1: Select a Resource page.

   Figure 3-3 Step 1: Select a Resource Page

   
   Description of "Figure 3-3 Step 1: Select a Resource Page"
   
   

7. On the Step 2: Verify Resource Selection page, click Continue. Figure 3-4 shows the Step 2: Verify Resource Selection page.

   Figure 3-4 Step 2: Verify Resource Selection Page

   
   Description of "Figure 3-4 Step 2: Verify Resource Selection Page"
   
   

8. On the Step 5: Provide Process Data for Active Directory Users Form page, enter the details of the account that you want to create on the target system and then click Continue. Figure 3-5 shows the user details added.

   Figure 3-5 Step 5: Provide Process Data for AD User Form Page

   
   Description of "Figure 3-5 Step 5: Provide Process Data for AD User Form Page"
   
   

9. If required, on the Step 5: Provide Process Data for Assigned Groups Form page, search for and select a group for the user on the target system and then click Continue. Figure 3-6 shows this page.

   Figure 3-6 Step 5: Provide Process Data for Assigned Groups Form Page

   
   Description of "Figure 3-6 Step 5: Provide Process Data for Assigned Groups Form Page"
   
   

10. If required, On the Step 5: Provide Process Data for Assigned Object Classes Form page, search for and select an object class and then click Continue. Figure 3-7 shows this page.

    Note:

    • You can specify values of the auxiliary classes to be associated with the user account begin created. For example, the posixAccount auxiliary class.

    • Reconciliation of object classes is not supported.

    Figure 3-7 Step 5: Provide Process Data for Assigned Object Classes Form Page

    
    Description of "Figure 3-7 Step 5: Provide Process Data for Assigned Object Classes Form Page"
    
    

11. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue. Figure 3-8 shows Step 6: Verify Process Data page.

    Figure 3-8 Step 6: Verify Process Data Page

    
    Description of "Figure 3-8 Step 6: Verify Process Data Page"
    
    

12. Close the window displaying the "Provisioning has been initiated" message.

13. On the Resources tab, click Refresh to view the newly provisioned resource.

3.8.2 Request-Based Provisioning

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

• Section 3.8.2.1, "End User's Role in Request-Based Provisioning"

• Section 3.8.2.2, "Approver's Role in Request-Based Provisioning"

3.8.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps

1. Log in to the Administrative and User Console.

2. On the Welcome page, click Advanced on the top right corner of the page.

3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.

4. From the Actions menu on the left pane, select Create Request.

   The Select Request Template page is displayed.

5. From the Request Template list, select Provision Resource and click Next.

6. On the Select Users page, specify a search criterion in the fields to search for the user that you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.

7. From the Available Users list, select the user to whom you want to provision the account..

   If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.

9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.

10. From the Available Resources list, select AD User, move it to the Selected Resources list, and then click Next.

11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.

    If you are setting values for the Terminal Services Profile fields, then you must select the Remote Manager IT resource.

12. On the Justification page, you can specify values for the following fields, and then click Finish.

    • Effective Date

    • Justification

    A message confirming that your request has been sent successfully is displayed along with the Request ID.

13. If you click the request ID, then the Request Details page is displayed.

14. To view details of the approval, on the Request Details page, click the Request History tab.

3.8.2.2 Approver's Role in Request-Based Provisioning

The following are steps performed by the approver in a request-based provisioning operation:

The following are steps that the approver can perform:

1. Log in to the Administrative and User Console.

2. On the Welcome page, click Self-Service in the upper-right corner of the page.

3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.

4. On the Approvals tab, in the first section, you can specify a search criterion for request task that is assigned to you.

5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

   A message confirming that the task was approved is displayed.

3.9 Switching Between Request-Based Provisioning and Direct Provisioning

Note:

It is assumed that you have performed the procedure described in Section 2.3.1.4, "Configuring Oracle Identity Manager for Request-Based Provisioning."

If you want to switch from request-based provisioning to direct provisioning, then:

1. Log in to the Design Console.

2. Disable the Auto Save Form feature as follows:

   1. Expand Process Management, and then double-click Process Definition.

   2. Search for and open the AD User process definition.

   3. Deselect the Auto Save Form check box.

   4. Click the Save icon.

3. If the Self Request Allowed feature is enabled, then:

   1. Expand Resource Management, and then double-click Resource Objects.

   2. Search for and open the AD User resource object.

   3. Deselect the Self Request Allowed check box.

   4. Click the Save icon.

If you want to switch from direct provisioning back to request-based provisioning, then:

1. Log in to the Design Console.

2. Enable the Auto Save Form feature as follows:

   1. Expand Process Management, and then double-click Process Definition.

   2. Search for and open the AD User process definition.

   3. Select the Auto Save Form check box.

   4. Click the Save icon.

3. If you want to enable end users to raise requests for themselves, then:

   1. Expand Resource Management, and then double-click Resource Objects.

   2. Search for and open the AD User resource object.

   3. Select the Self Request Allowed check box.

   4. Click the Save icon.

3.10 Uninstalling the Connector

If you want to uninstall the connector for any reason, see "Uninstalling Connectors" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

Note:

• The connector cannot be uninstalled if a valid access policy is present in Oracle Identity Manager. As a workaround, create a dummy resource type by using the design console. Remove the dependent access policy by directing it to a dummy resource type and then remove the dependency from the resource type that must be deleted.

• Uninstalling the connector removes only those IT resource definitions (and its IT resources) that are attached with the process form. However, the IT resource of the Connector Server IT Resource Type Definition is not removed for Oracle Identity Manager.