Skip Headers
Oracle® Identity Manager Connector Guide for AS400
Release 11.1.1

E20671-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide documents the connector that enables you to use an IBM AS400 system as a managed (target) resource of Oracle Identity Manager.

Note:

At some places in this guide, the term target system is used to refer to AS400, also known as OS/400, i5/OS, and IBM i.

In the account management (target resource) mode of the connector, data about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. This data is used to provision (allocate) new resources or update resources already assigned to OIM users.

In addition, you can use Oracle Identity Manager to provision or update AS400 resources (that is, accounts) assigned to OIM users. These provisioning operations performed on Oracle Identity Manager translate into the creation of or updates to target system accounts.

This chapter contains the following sections:

1.1 Certified Components

Table 1-1 lists certified components for the AS400 connector.

Table 1-1 Certified Components

Component Requirement

Oracle Identity Manager

You can use one of the following releases of Oracle Identity Manager:

  • Oracle Identity Manager 11g Release 1 (11.1.1.5.0) or later

  • Oracle Identity Manager 11g Release 2 BP04 (11.1.2.0.4) or later

Target systems

AS400 (also known as OS/400, i5/OS, and IBM i) v5r4, IBM i 6.1, and IBM i 7.1

External code

JTOpen library version 6.2

JDK

See the following Oracle Technology Network Web page for information about the JDK versions certified for Oracle Identity Manager:

http://www.oracle.com/technology/software/products/ias/files/idm_certification_101401.html


1.2 Usage Recommendation

Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:

1.3 Certified Languages

The AS400 connector supports the following languages:

1.4 Connector Architecture

The following figure shows the architecture for the AS400 connector.

Figure 1-1 Connector Architecture

Description of Figure 1-1 follows
Description of "Figure 1-1 Connector Architecture"

Managing accounts consists of the following processes:

AS400 is configured as a target, or a trusted resource of Oracle Identity Manager. Through provisioning operations performed on Oracle Identity Manager, accounts are created and updated on the target system for OIM users. Through reconciliation, account data that is created and updated directly on the target system is fetched into Oracle Identity Manager and stored against the corresponding OIM users.

The AS400 connector is implemented using the Identity Connector Framework (ICF). The ICF provides a container that separates the connector bundle from the application. The ICF also provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering.

For more information about the ICF, see the "Understanding the Identity Connector Framework" chapter in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

1.5 Features of the Connector

The following are features of the AS400 connector:

1.5.1 User Attributes for Target Resource Reconciliation and Provisioning

You can create mappings for attributes that are not included in the list of default attribute mappings. These attributes can be part of the standard set of attributes provided by the target system or custom attributes that you add on the target system.

The following is the list of the "out-of-the-box" supported attributes for Oracle Identity Manager (the attribute names are from the User Form Label name):

  • User Id

  • Password

  • Owner

  • User Class

  • Password Expire

  • Group Profile

  • Initial Menu

  • Job Description

  • Limit Capabilities

  • Description Text

  • Initial Program

Table 1-2 describes the complete set of supported attributes, including the previously listed "out-of-the-box" attributes. To add these attributes and make them available, see the following sections:

Some attributes as indicated in the table are stored in an OS/400 Directory Entry object. See Appendix A, "Policies for OS/400 Accounts Migration."

Table 1-2 User Attributes for Target Resource Reconciliation and Provisioning

OIM Process Form Attribute Name AS400 Connector Attribute Name Native OS/400 Attribute Description

Status

__ENABLE__

None

Boolean. Indicates whether the account is enabled and logins are allowed.

__LAST_LOGIN_DATE__

__LAST_LOGIN_DATE__

None

Long. Read-only. Last login date.

__LAST_PASSWORD_CHANGE_DATE__

__LAST_PASSWORD_CHANGE_DATE__

None

Long. Read-only. Date and time the password was last updated.

Account Name

__NAME__

User profile name

Required. Not updatable. OS/400 user profile name.

The user profile name can be a maximum of 10 characters, including any letter (A-Z), a number (0-9), and the following special characters: pound (#), dollar ($), underscore (_), and at (@). The first character cannot be a number.

Password

__PASSWORD__

User password

Required. Guarded string. OS/400 user password. Value is encrypted.

PASSWORD_CHANGE_INTERVAL

PASSWORD_CHANGE_INTERVAL

None

Integer. Number of days between the date when the password is changed and the date when the password expires. Values can be -1 - 366:-1 - The user's password does not expire (*NOMAX).0 - The system value QPWDEXPITV is used to determine the user's password expiration interval (*SYSVAL).1–366 days.

Password Expire

__PASSWORD_EXPIRED__

None

Boolean. Indicates whether the password has expired.

ACCOUNTING_CODE

ACCOUNTING_CODE

ACGCDE

Accounting code associated with the user. Values can be a character value (15 characters, padded with blanks if fewer that 15 characters), *SAME, or *BLANK.

ADDRESS1

ADDRESS1

Directory entry attribute

First line of the user's address.

ADDRESS2

ADDRESS2

Directory entry attribute

Second line of the user's address.

ASTLVL

ASTLVL

ASTLVL

Assistance level. Sets which interface to use.

ATNPGM

ATNPGM

ATNPGM

Attention-key-handling program for this user

BUILDING

BUILDING

Directory entry attribute

Building name or number.

CCSID

CCSID

CCSID

Coded character set identifier.

CNTRYID

CNTRYID

CNTRYID

Country or region identifier.

COMPANY

COMPANY

Directory entry attribute

Company name.

CURLIB

CURLIB

CURLIB

Current library for jobs initiated by this user profile.

DAYS_UNTIL_PASSWORD_EXPIRES

DAYS_UNTIL_PASSWORD_EXPIRES

None

Integer. Read-only. Number of days until the password expires.

DEPARTMENT

DEPARTMENT

Directory entry attribute

Department name or code.

DLVRY

DLVRY

DLVRY

Delivery mode that specifies how messages sent to the message queue for this user are to be delivered.

FAX

FAX

Directory entry attribute

Fax telephone number.

First Name

FIRST_NAME

Directory entry attribute

User's first name. A maximum of 20 characters is allowed.

FULL_NAME

FULL_NAME

Directory entry attribute

User's full name.

GID

GID

GID

Long. Group identification number for this user profile. You can assign the GID to a user who does not have an associated group profile.

GROUP_AUTHORITY

GROUP_AUTHORITY

GRPAUT

Authority given to the group profile for newly created objects. Values can be *SAME, *NONE, *ALL, *CHANGE, *USE, or *EXCLUDE.

Group Profile

GROUP_PROFILE_NAME

GRPPRF

User's group profile name whose authority is used if no specific authority is given for the user or *NONE.

HIGHEST_SCHEDULING_PRIORITY

HIGHEST_SCHEDULING_PRIORITY

PTYLMT

Integer. highest scheduling priority the user is allowed to have for each job submitted to the system. Values can be 0 (highest) through 9 (lowest).

HOMEDIR

HOMEDIR

HOMEDIR

Pathname of the user's home directory.

Initial Menu

INLMNU

INLMNU

Initial menu displayed when the user signs on the system if the user's routing program is the command processor.

Initial Program

INLPGM

INLPGM

Initial program to call when a user signs on. An initial program runs before the initial menu, if any, is displayed.

Job Description

JOBD

JOBD

Fully qualified integrated file-system path name of the job description used for jobs that start through subsystem work station entries.

JOB_TITLE

JOB_TITLE

Directory entry attribute

Job title for this user.

KBDBUF

KBDBUF

KBDBUF

Keyboard buffering used when a job is initiated for this user.

LANGID

LANGID

LANGID

Language identifier for the user.

Last Name

LAST_NAME

Directory entry attribute

User's last name. A maximum of 40 characters is allowed.

Limit Capabilities

LMTCPB

LMTCPB

Limit capabilities for this user.

LMTDEVSSN

LMTDEVSSN

LMTDEVSSN

Limit for number of device sessions for this user.

LOCATION

LOCATION

Directory entry attribute

Location for this user.

MAXSTG

MAXSTG

MAXSTG

Maximum amount of auxiliary storage (in kilobytes) assigned to store permanent objects owned by this user profile. Values can be:

-1 – As much storage as is required is assigned to this profile (*NOMAX).

Maximum amount of storage for the user, in kilobytes (1 kilobyte equals 1024 bytes).

MIDDLE_NAME

MIDDLE_NAME

Directory entry attribute

User's middle name.

MSGQ

MSGQ

MSGQ

Message queue where messages are sent for this user.

OFFICE

OFFICE

Directory entry attribute

Office name or number.

OUTQ

OUTQ

OUTQ

Output queue for this user profile.

Owner

OWNER

OWNER

Owner of new objects created by this user.

PREFERRED_NAME

PREFERRED_NAME

Directory entry attribute

User's preferred name.

PRTDEV

PRTDEV

PRTDEV

Default print device for this user.

SIGN_ON_ATTEMPTS_NOT_VALID

SIGN_ON_ATTEMPTS_NOT_VALID

None

Integer. Read-only. Number of invalid login attempts since the last successful login.

Special Authority

SPCAUT

SPCAUT

List of special authorities for this user. Can have multiple values.

SPCENV

SPCENV

SPCENV

Special environment for this user.

SRTSEQ

SRTSEQ

SRTSEQ

Sort sequence table used for string comparisons for this user.

STORAGE_USED

STORAGE_USED

None

Integer. Read-only. Amount of auxiliary storage in kilobytes occupied by this user's owned objects. Default is 12 kilobytes.

Supplemental Group

SUPGRPPRF

SUPGRPPRF

List of the user's supplemental group profiles. Can have multiple values.

To update the Supplemental Group attribute, the Group Profile attribute must have a non-empty value. That is, to populate supplemental groups, a primary group (Group Profile) must already be defined.

TELEPHONE

TELEPHONE

Directory entry attribute

Use's telephone number.

Description Text

TEXT

TEXT

Text up to 40 characters describing the object (OS/400 account).

UID

UID

UID

Long. User identification number. Range is 1 to 4294967294. The UID must not already be assigned to another user profile.

Note. The UID is read-only (that is, non-creatable and non-updatable).

User Class

USRCLS

USRCLS

Type of user associated with this user profile: security officer, security administrator, programmer, system operator, or user.

USROPT

USROPT

USROPT

Level of help information detail to be shown and the function of the Page Up and Page Down keys by default.


1.5.2 Process Form Fields Used for Target Provisioning and Reconciliation

The following table describes the process form fields that the AS400 connector uses for target provisioning and reconciliation.

Table 1-3 Process Form Fields Used for Target Provisioning and Reconciliation

Process Form Field Label Field Type Description

Account Name

TextField

OS/400 user profile name.

The user profile name can be a maximum of 10 characters, including any letter (A-Z), a number (0-9), and the following special characters: pound (#), dollar ($), underscore (_), and at (@). The first character cannot be a number.

Description Text

TextField

Text up to 40 characters describing the object (OS/400 account).

First Name

TextField

User's first name. A maximum of 20 characters is allowed.

Group Profile

LookupField

User's group profile name whose authority is used if no specific authority is given for the user or *NONE.

Initial Menu

TextField

Initial menu displayed when the user signs on the system if the user's routing program is the command processor.

Initial Program

TextField

Initial program to call when a user signs on. An initial program runs before the initial menu, if any, is displayed.

Job Description

TextField

Fully qualified integrated file-system path name of the job description used for jobs that start through subsystem work station entries.

Last Name

TextField

User's last name. A maximum of 40 characters is allowed.

Limit Capabilities

TextField

Limit capabilities for this user.

Owner

TextField

Owner of new objects created by this user.

Password

PasswordField

OS/400 user password. Value is encrypted.

Password Expire

CheckBox

Boolean. Indicates whether the password has expired.

Server

ITResourceLookupField

Name of the IT Resource instance.

Special Authority

TextField

List of special authorities for this user. Can have multiple values.

Supplemental Group

TextField

List of the user's supplemental group profiles. Can have multiple values.

User Class

TextField

Type of user associated with this user profile: security officer, security administrator, programmer, system operator, or user.

User Id

TextField

OS/400 user profile name.


The following table describes the AS400 connector mapping of form fields to user attributes for target resource provisioning and reconciliation.

Table 1-4 Mapping Form Fields to User Attributes for Target Resource Provisioning and Reconciliation

Process Form Field Label OS/400 Attribute

Account Name

__NAME__

Description Text

TEXT

First Name

FIRST_NAME

Group Profile

GROUP_PROFILE_NAME

Initial Menu

INLMNU

Initial Program

INLPGM

Job Description

JOBD

Last Name

LAST_NAME

Limit Capabilities

LMTCPB

Owner

OWNER

Password

__PASSWORD__

Password Expire

__PASSWORD_EXPIRED__

Special Authority

SPCAUT

Status

__ENABLE__

Supplemental Group

SUPGRPPRF

User Class

USRCLS

User Id

__UID__


The following table describes the AS400 connector mapping of form fields to user attributes for trusted source reconciliation.

Table 1-5 Mapping Form Fields to User Attributes for Trusted Source Reconciliation

OIM User Form Field OS/400 Attribute

First Name

FIRST_NAME

Last Name

LAST_NAME

Status

__ENABLE__

User Id

__UID__

User Login

__NAME__


1.5.3 Reconciliation

Reconciliation involves pulling identities from the target resource (OS/400) to the destination (Oracle Identity Manager). Reconciliation is based on following criteria:

  • Destination type: trusted and target reconciliation

  • Scope: full or incremental reconciliation

The scheduled task name includes the keywords trusted or target to determine the type of destination. By choosing the scheduled task, it is determined whether trusted or target reconciliation is launched.

This section describes the following subsections:

Caution:

Make sure that you use the right IT Resource type (trusted or target) with the respective scheduled task. The type of IT resource is determined by the value for the Configuration Lookup IT resource parameter:

  • If Configuration Lookup is Lookup.AS400.Configuration, then it is target mode.

  • If Configuration Lookup is Lookup.AS400.Configuration.Trusted, then it is trusted mode.

1.5.3.1 Common Reconciliation Parameters

Common reconciliation parameters for the AS400 connector are:

  • Filter - optional filter to limit the number of reconciled accounts or to select specific set of users.

  • IT Resource Name - required parameter specifying the name of IT Resource instance to recon.

  • Object Type (constant) – User object class.

  • Resource Object Name – constant parameter determining what OIM Resource Object to use for reconciliation.

1.5.3.2 Full and Incremental Reconciliation Modes

When the reconciliation scheduled task is launched for the first time, it is run in full reconciliation mode. Subsequent runs are automatically in incremental mode.It is possible to switch manually between full and incremental modes by emptying the Latest Token field on the scheduled task.

The following scheduled tasks provide for optional incremental reconciliation: AS400Connector Target User Reconciliation and AS400Connector Trusted User Reconciliation.

Advanced Incremental Reconciliation

The format of Latest Token is altered by setting the Recon Date Format scheduled task parameter. The formatting string needs to follow the standard pattern used in Java. For information, see the Javadoc for java.text.SimpleDateFormat class:

http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html

By default, the Latest Token is a long value that specifies the Unix/POSIX time.

1.5.3.3 Delete Reconciliation

AS400 supports both trusted and target reconciliation of deleted accounts. Target reconciliation evaluate which OIM users have lost their account on OS/400 resource, and unassign this resource in OIM. Trusted delete recon goes further, and deletes the OIM User.

1.5.3.4 Group Lookup Reconciliation

Before the first use of provisioning with the AS400 connector, it is recommended that you launch Lookup Reconciliation. This Lookup Reconciliation populates the Lookup.AS400.Groups table with the groups available on the IT Resource that is being reconciled.

Lookup Reconciliation must be launched on the target mode IT Resource (that is, the value of the "Configuration Lookup" property on the IT Resource equals "Lookup.Configuration.AS400").

The reconciliation is performed by the AS400Connector Lookup Reconciliation scheduled task. The target IT Resource Name is used for the Lookup Reconciliation of the groups.

These parameters are constants:

  • Code key attribute – connector attribute that will be used as key of lookup

  • Decode key attribute – connector attribute specifying the value of lookup

  • Object type – Group

For more information, see Section 3.1, "Scheduled Job for Lookup Field Synchronization."

1.5.4 Full or Incremental Reconciliation

In full reconciliation, all records are fetched from the target system to Oracle Identity Manager during the first reconciliation run performed on the target system. From the second reconciliation run onward, incremental reconciliation meaning accounts that have been added, modified, or deleted after the recorded timestamp are fetched for reconciliation.

The following scheduled jobs are used to automate full reconciliation:

  • AS400Connector Target User Reconciliation

  • AS400Connector Trusted User Reconciliation

1.5.4.1 Delete Reconciliation

The following scheduled jobs are used for delete reconciliation:

  • AS400Connector Trusted User Delete Reconciliation

  • AS400Connector Target User Delete Reconciliation

1.5.4.2 Lookup Reconciliation

In Lookup reconciliation, groups that exists on the target and can be assigned to the user are fetched from the target system to Oracle Identity Manager. The AS400Connector Lookup Reconciliation scheduled job is used to automate lookup reconciliation.

1.5.5 Support for Reconciliation of Account Status

During a reconciliation run, the connector can fetch status information along with the rest of the account data.

1.5.6 Features Provided by the Identity Connector Framework

The Identity Connector Framework (ICF) is a component that provides basic provisioning, reconciliation, and other functions that all Oracle Identity Manager and Oracle Waveset connectors require. The ICF also uses classpath isolation, which allows the AS400 connector to co-exist with legacy versions of the connector.

For more information, see the "Understanding the Identity Connector Framework,"section in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

1.5.7 Support for Scheduled Tasks

Table 1-6 shows an overview of the AS400 connector scheduled task capabilities. For more information, see Section 3.3, "Configuring Scheduled Jobs."

Table 1-6 Overview of AS400 Connector Scheduled Task Capabilities

Scheduled Task Capability

AS400Connector Target User Reconciliation

Trusted: Not available

Target: Available

Full: Empty "Latest Token" scheduled task parameter controls reconciliation.

Incremental: Populated "Latest Token" scheduled task parameter controls incremental reconciliation.

Delete: Not available

AS400Connector Trusted User Reconciliation

Trusted: Available

Target: Not available

Full: Empty "Latest Token" scheduled task parameter controls reconciliation.

Incremental: Populated "Latest Token" scheduled task parameter controls incremental reconciliation.

Delete: Not available

AS400Connector Target User Delete Reconciliation

Trusted: Not available

Target: Available

Full: Not available

Incremental: Not available

Delete: Available

AS400Connector Trusted User Delete Reconciliation

Trusted: Available

Target: Not available

Full: Not available

Incremental: Not available

Delete: Available


1.5.8 Connection Pooling

A connection pool is a cache of objects that represent physical connections to the target system. Oracle Identity Manager connectors can use these connections to communicate with target systems. At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.

One connection pool is created for each IT resource type. For example, if you have three IT resources for three installations of the target system, then three connection pools are created, one for each target system installation.

The AS400 connector uses Identity Connector Framework (ICF) connection pooling. For more information, see Section 4.3, "Configuring Connection Pooling."

1.5.9 Support for the Connector Server

If required by your deployment, you can deploy the AS400 connector in the Connector Server. For more information, see Section 2.1, "AS400 Connector Deployment Architecture With the Connector Server."

1.6 Lookup Definitions Used During Connector Operations

This section describes the following AS400 connector Lookup definitions:

1.6.1 AS400 Connector Lookup Definitions Overview

The AS400 connector Lookup definitions provide various information to the Oracle Identity Manager engine. These Lookup definitions are either prepopulated with values, or values must be manually entered in a definition after the connector is deployed:

  • Configuration of the AS400 connector (for example, Lookup.Configuration.AS400): Top-level Lookup element that contains the connector version. The configuration references the following user management (UM) configuration Lookup.

  • User management (UM) configuration (for example, Lookup.AS400.UM.Configuration): Hub that points to subordinate lookups that contain information about attribute mapping for reconciliation and provisioning.

  • Provisioning attribute map (for example, Lookup.AS400.UM.ProvAttrMap): Mapping of OIM user attributes (key) to connector attributes (value) for provisioning.

  • Reconciliation attribute map (for example, Lookup.AS400.UM.ReconAttrMap): Mapping of OIM user attributes (key) to connector attributes (value) for reconciliation.

  • Holder of lookup reconciliation values (Lookup.AS400.Groups): Whenever group reconciliation is performed, this lookup is populated with group names.

1.6.2 Lookup.Configuration.AS400 Definition

The Lookup.Configuration.AS400 definition contains the entries shown in Table 1-7.

Table 1-7 Lookup.Configuration.AS400 Entries

Key Code Decode Description

Connector Name

org.identityconnectors.as400.AS400Connector

This entry holds the name of the connector class. Do not modify this entry.

Bundle Name

org.identityconnectors.as400

This entry holds the name of the connector bundle class. Do not modify this entry.

Bundle Version

1.0.0

This entry holds the version of the connector bundle class. Do not modify this entry.

User Configuration Lookup

Lookup.AS400.UM.Configuration

This entry holds the name of the lookup definition that stores configuration information used during user management operations. Do not modify this entry.


1.6.3 Lookup.AS400.UM.Configuration Definition

The Lookup.AS400.UM.Configuration definition contains the entries shown in Table 1-8.

Table 1-8 Lookup.AS400.UM.Configuration Entries

Key Code Decode Description

Provisioning Attribute Map

Lookup.AS400.UM.ProvAttrMap

This entry holds the name of the lookup definition that stores attribute mappings between Oracle Identity Manager and the target system. This lookup definition is used during provisioning operations.

Recon Attribute Map

Lookup.AS400.UM.ReconAttrMap

This entry holds the name of the lookup definition that stores attribute mappings between Oracle Identity Manager and the target system. This lookup definition is used during reconciliation.

Unique Id Form Field

UD_AS400CON_UID

This entry holds the name of the process form field (column) that stores Unique ID values. If you create a copy of the process form, then enter the name of the field (column) in the new process form that stores Unique ID values.


1.6.4 Lookup.AS400.UM.ProvAttrMap Definition

The Lookup.AS400.UM.ProvAttrMap definition holds mappings between process form fields and target system attributes. These Lookup definitions are used during provisioning. These lookup definitions are preconfigured.

The Lookup.AS400.UM.ProvAttrMap definition contains the entries shown in Table 1-9.

Table 1-9 Lookup.AS400.UM.ProvAttrMap Entries

Key Value

Last Name

LAST_NAME

UD_AS400CSP~Special Authority

SPCAUT

User Id

__UID__

User Class

USRCLS

Password

__PASSWORD__

Account Name

__NAME__

Initial Menu

INLMNU

Owner

OWNER

Job Description

JOBD

Password Expire

__PASSWORD_EXPIRED__

Description Text

TEXT

First Name

FIRST_NAME

Initial Program

INLPGM

UD_AS400CSG~Supplemental Group[Lookup]

SUPGRPPRF

Limit Capabilities

LMTCPB

Group Profile[Lookup]

GROUP_PROFILE_NAME


You can add entries in this Lookup definition if you want to map new target system attributes for provisioning. See Section 4.1.1, "Adding Target System Attributes for Provisioning."

1.6.5 Lookup.AS400.UM.ReconAttrMap Definition

The Lookup.AS400.UM.ReconAttrMap definition holds mappings between process form fields and target system attributes. These Lookup definitions are used during reconciliation. These Lookup definitions are preconfigured.

The Lookup.AS400.UM.ReconAttrMap definition contains the entries shown in Table 1-10.

Table 1-10 Lookup.AS400.UM.ReconAttrMap Entries

Key Value

Status

__ENABLE__

Description Text

TEXT

Special Authorities~Special Authority

SPCAUT

Owner

OWNER

Account Name

__NAME__

User Id

__UID__

Initial Program

INLPGM

User Class

USRCLS

Job Description

JOBD

Limit Capabilities

LMTCPB

Password Expire

__PASSWORD_EXPIRED__

Initial Menu

INLMNU

Supplemental Groups~Supplemental Group[Lookup]

SUPGRPPRF

Group Profile[Lookup]

GROUP_PROFILE_NAME

Last Name

LAST_NAME

First Name

FIRST_NAME


You can add entries in this Lookup definition if you want to map new target system attributes for reconciliation. See Section 4.1.2, "Adding Target System Attributes for Target Reconciliation" and Section 4.1.3, "Adding Target System Attributes for Trusted Reconciliation."

1.6.6 Lookup.Configuration.AS400.Trusted Definition

The Lookup.Configuration.AS400.Trusted definition contains the entries shown in Table 1-11.

Table 1-11 Lookup.Configuration.AS400.Trusted Entries

Key Value

Bundle Name

org.identityconnectors.as400

Connector Name

org.identityconnectors.as400.AS400Connector

User Configuration Lookup

Lookup.AS400.UM.Configuration.Trusted

Bundle Version

1.0.0


1.6.7 Lookup.AS400.UM.ReconAttrMap.Trusted Definition

The Lookup.AS400.UM.ReconAttrMap.Trusted definition contains the entries shown in Table 1-12.

Table 1-12 Lookup.AS400.UM.ReconAttrMap.Trusted Entries

Key Value

Status

__ENABLE__

Last Name

LAST_NAME

User Login

__NAME__

First Name

FIRST_NAME

User Id

__UID__


1.6.8 Lookup.AS400.UM.Configuration.Trusted Definition

The Lookup.AS400.UM.Configuration.Trusted definition contains the entries shown in Table 1-13.

Table 1-13 Lookup.AS400.UM.Configuration.Trusted Entries

Key Value

Unique Id Form Field

UD_AS400CON_UID

Recon Attribute Defaults

Lookup.AS400.UM.TrustedDefaults

Recon Attribute Map

Lookup.AS400.UM.ReconAttrMap.Trusted


1.6.9 Lookup.AS400.UM.TrustedDefaults Definition

The Lookup.AS400.UM.TrustedDefaults definition contains the entries shown in Table 1-14.

Table 1-14 Lookup.AS400.UM.TrustedDefaults Entries

Key Value

Organization

Xellerate Users

Employee Type

Full-Time

User Type

End-User


1.6.10 Lookup.AS400.Groups Definition for Reconciliation for Groups

The Lookup.AS400.Groups is populated with the groups from the OS/400 target resource when Lookup Reconciliation is performed.

During a provisioning operation, you use the Group lookup field on the process form to specify a group for the user for whom the provisioning operation is being performed. The Group lookup field is populated with values from the Lookup.AS400.Groups lookup definition, which is automatically created on Oracle Identity Manager when you deploy the connector. However, to get it populated, an initial reconciliation should be explicitly launched.

The Code Key column contains the following format: <IT Resource key~groupName>. The Decode column has the format: <IT Resource key~groupName>.

The source of group names is the connector __NAME__ attribute of the Group objectClass.

When you perform lookup field synchronization, entries in the Group lookup field on the target system are fetched to Oracle Identity Manager and populated in the Lookup.AS400.Groups lookup definition.

1.7 Resource Objects Used for Provisioning and Reconciliation

The AS400 connector uses the following Resource Objects:

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for conceptual information about provisioning and reconciliation

This section discusses the following topics:

1.7.1 User Provisioning Functions

Provisioning involves creating or modifying account data on the target system through Oracle Identity Manager.

Table 1-15 lists the supported user provisioning functions and the adapters that perform these functions. The functions listed in the table correspond to either a single or multiple process tasks.

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for generic information about process tasks and adapters

Table 1-15 User Provisioning Functions

Function Adapter

Create user

CREATEUSER

Update user

UPDATEATTRIBUTEVALUE

For multivalued attributes: UPDATECHILDTABLEVALUES

Delete user

DELETEUSER

Enable or disable user

ENABLEUSER, DISABLEUSER

Change or reset password

UPDATEATTRIBUTEVALUE

Add or remove user from group

UPDATEATTRIBUTEVALUE


1.7.2 Reconciliation Rules

See Also:

Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for generic information about reconciliation matching and action rules

The following sections provide information about the reconciliation rules for this connector.

There are different reconciliation rules used for trusted and target reconciliation:

  • AS400 Trusted User Recon Rule: User Login equals UserId, Resource Object: AS400 Trusted User

  • AS400 User Recon Rule: User Login equals UserId, Resource Object: AS400 User

1.7.2.1 Viewing Reconciliation Rules in the Design Console

After you deploy the connector, you can view the reconciliation rule for reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for and openAS400 User Recon Rule or AS400 Trusted User Recon Rule.

1.7.3 Reconciliation Action Rules

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about modifying or creating reconciliation action rules.

The following sections provide information about the reconciliation rules for this connector:

You can configure the Reconciliation Action Rules in the Design Console under the Resource Object tab, Object Reconciliation tab, and then Reconciliation Action Rules.

1.7.3.1 Reconciliation Action Rules for Reconciliation

Table 1-16 lists the action rules for reconciliation.

Table 1-16 Action Rules for Reconciliation

Rule Condition Action

No Matches Found

Assign to Administrator With Least Load

One Entity Match Found

Establish Link

One Process Match Found

Establish Link


1.7.3.2 Viewing Reconciliation Action Rules in the Design Console

After you deploy the connector, you can view the reconciliation action rules for reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management, and double-click Resource Objects.

  3. If you want to view the AS400 User Recon rule for reconciliation, then search for and open the AS400 User resource object.

  4. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-2 shows the reconciliation action rules for reconciliation.

    Figure 1-2 Reconciliation Action Rules

    Description of Figure 1-2 follows
    Description of "Figure 1-2 Reconciliation Action Rules"

1.8 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: