3 Using the Connector

This chapter is divided into the following sections:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Scheduled Job for Lookup Field Synchronization

The AS400Connector Lookup Reconciliation scheduled job is used for lookup field synchronization. Values fetched by this scheduled task from the target system are populated in the Lookup.AS400.Groups lookup definition. Table 3-1 describes the attributes of this scheduled job. The procedure to configure scheduled jobs is described later in this guide.

Note:

The target system allows you to use special characters in lookup fields. However, in Oracle Identity Manager, special characters are not supported in lookup definitions.

Table 3-1 Attributes of the AS400Connector Lookup Reconciliation Scheduled Task

| Attribute | Description |
|---|---|
| IT Resource Name | Required name of the IT resource for the target system installation from which you want to reconcile user records. Default value: AS400 |
| Object Type | Name of the object type for the reconciliation run. Default value: Group. Do not change the default value. User is the only supported object type. |
| Lookup Name | Name of the lookup definition into which values must be populated by the scheduled job. Default value: Lookup.AS400.Groups. If you create a copy of the Lookup.AS400.Groups lookup definition, enter the name of that new lookup definition as the value of the Lookup Name attribute. |
| Code Key Attribute | Name of the connector attribute whose value is used to populate the Decode column of the Lookup.AS400.Groups lookup definition. Default value: __UID__. Do not change the default value. |
| Decode Attribute | Name of the connector attribute whose value is used to populate the Code Key column of the Lookup.AS400.Groups lookup definition. Default value: __NAME__. Do not change the default value. |

3.2 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.2.1 Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

Caution:

If you are using filters in reconciliation as described in this section, be consistent and always use the same filters for delete and normal (trusted or target) reconciliation. By using the same filters, you will maintain consistency of the data and will ensure that you work with the same user base in all reconciliation operations.

With trusted delete reconciliation, make sure that you use the same filter you used in trusted reconciliation.

You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled task attribute) that allows you to use AS400 resource attributes to filter the target system records.

For detailed information about ICF Filters, see the "ICF Filter Syntax" section of the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

Note:

When referencing an OS/400 user profile in the "Filter" parameter for trusted reconciliation, the __UID__ attribute is not recognized.

Therefore, use the __NAME__ attribute when identifying an account for the OS/400 user profile.

3.2.2 Reconciliation Scheduled Jobs

Note:

Attribute values are predefined in the connector XML file that you import. Specify values only for the attributes that you want to change.

The AS400 connector supports these scheduled jobs by default:

  • AS400Connector Lookup Reconciliation

  • AS400Connector Target User Delete Reconciliation

  • AS400Connector Target User Reconciliation

  • AS400Connector Trusted User Delete Reconciliation

  • AS400Connector Trusted User Reconciliation

Common reconciliation parameters for all jobs are:

  • Filter - optional filter that limits the number of reconciled accounts or selects a specific set of users.

  • IT Resource Name - required parameter specifying the name of the IT resource instance to reconcile.

  • Object Type (constant) - User object class.

  • Resource Object Name - constant parameter determining which OIM resource object to use for reconciliation.
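
The Caution and Note in Section 3.2.1 can be checked mechanically before a reconciliation run. The following Python code is an added example, not part of the connector or of Oracle's guide; it assumes that the Filter value of each job has been copied into a dictionary (by hand or by an export of your own), and the sample filters are constructed.

```python
import re

# Job names are those listed in Section 3.2.2; each delete job is paired
# with the normal reconciliation job whose filter it must match.
PAIRS = {
    "AS400Connector Target User Delete Reconciliation":
        "AS400Connector Target User Reconciliation",
    "AS400Connector Trusted User Delete Reconciliation":
        "AS400Connector Trusted User Reconciliation",
}

QUOTED = re.compile(r"('(?:[^'\\]|\\.)*')")           # a single-quoted literal
UID_AS_ATTRIBUTE = re.compile(r"\w+\(\s*'__UID__'")  # __UID__ as the filtered attribute


def normalize(filter_text):
    """Drop whitespace outside quoted literals so cosmetic differences are ignored."""
    parts = QUOTED.split(filter_text or "")
    # Even indexes are text outside quotes; odd indexes are literals kept verbatim.
    return "".join(p if i % 2 else re.sub(r"\s+", "", p)
                   for i, p in enumerate(parts))


def check_jobs(jobs):
    """Return findings for a {job name: Filter value} mapping."""
    findings = []
    for delete_job, normal_job in PAIRS.items():
        if delete_job not in jobs or normal_job not in jobs:
            findings.append(("job-missing-from-export", delete_job, normal_job))
        elif normalize(jobs[delete_job]) != normalize(jobs[normal_job]):
            findings.append(("filter-mismatch", delete_job, normal_job))
    for name in sorted(jobs):
        # Section 3.2.1: __UID__ is not recognized in trusted reconciliation filters.
        if "Trusted" in name and UID_AS_ATTRIBUTE.search(jobs[name] or ""):
            findings.append(("uid-in-trusted-filter", name))
    return findings


# Constructed sample: the target pair differs only in spacing (accepted);
# the trusted pair has a filter on one job only, and that filter uses __UID__.
SAMPLE_JOBS = {
    "AS400Connector Target User Reconciliation": "startsWith('__NAME__','FIN')",
    "AS400Connector Target User Delete Reconciliation": "startsWith( '__NAME__', 'FIN' )",
    "AS400Connector Trusted User Reconciliation": "equalTo('__UID__','JDOE')",
    "AS400Connector Trusted User Delete Reconciliation": "",
}

if __name__ == "__main__":
    for finding in check_jobs(SAMPLE_JOBS):
        print(finding)
```
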

3.3 Configuring Scheduled Jobs

To configure a scheduled job for the AS400 connector:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 11.1.1:

      1. Log in to the Administrative and User Console.

      2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

    • For Oracle Identity Manager release 11.1.2:

      1. Log in to Oracle Identity System Administration.

      2. Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see the "Managing Sandboxes" section of Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

      3. In the left pane, under System Management, click Scheduler.

  2. Search for and open the scheduled job as follows:

    1. If you are using Oracle Identity Manager release 11.1.1, then on the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    2. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    3. In the search results table on the left pane, click the scheduled job in the Job Name column.

  3. On the page that is displayed, you can use any combination of the search options provided to locate a scheduled task. Click Search after you specify the search criteria.

    The list of scheduled tasks that match your search criteria is displayed in the search results table.

  4. Select the link for the scheduled task from the list of scheduled tasks displayed in the search results table.

  5. Modify the details of the scheduled job. To do so:

    • On the Job Details tab, you can modify the following parameters:

      - Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

      - Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

      Note:

      See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

  6. Specify values for the attributes of the scheduled task. To do so:

    • On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    Attribute values are predefined in the connector XML file that is imported during the installation of the connector. Specify values only for the attributes that you want to change.

  7. After specifying the attributes, click Apply to save the changes.

    Note:

    The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to start, stop, or reinitialize the scheduler.

3.4 Configuring Action Scripts

Actions are scripts that you can configure to run before or after create, update, and delete provisioning operations. For example, you can configure a script to run before every user creation.

The AS400 connector supports scripts written in the OS/400 Command Language, and the only supported target is Resource.

The target indicates where the script is executed. For the target Resource, the script is executed on the computer where the target resource is running (and is typically interpreted by the target computer).

To configure the action:

  1. Log in to the Design Console.

  2. Search for and open the Lookup.AS400.UM.Configuration lookup definition.

  3. Add the following new values:

    • Code Key: Before Create Action Language

    • Decode: Enter the scripting language of the script you want to execute. The AS400 connector supports the OS/400 Command Language. Specify the value as "OS/400 CL."

      Note:

      The only value supported for the AS400 connector is "OS/400 CL."

  4. Add these new values:

    • Code Key: Before Create Action File

    • Decode: Enter the full path to the file containing the script to be executed. Oracle Identity Manager must be able to access this file.

      For example, the following command in a file sets the value of the TEXT attribute to the text specified by 'new text description' for a new account:

      CHGUSRPRF USRPRF($__NAME__$) TEXT('new text description')
      
  5. Add these new values:

    • Code Key: Before Create Action Target

    • Decode: Allowed value is Resource.

  6. Save the lookup.

Now, this action will be executed every time you create a user. You must configure these values for each action you want to execute.

3.5 Configuring Provisioning in Oracle Identity Manager Release 11.1.1

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.

When you install the connector on Oracle Identity Manager, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Section 3.5.3, "Switching Between Request-Based Provisioning and Direct Provisioning."

The following are types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about the types of provisioning

This section discusses the following topics:

3.5.1 Direct Provisioning

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. If you want to first create an OIM User and then provision a target system account, then:

    1. On the Welcome to Identity Administration page, in the Users region, click Create User.

    2. On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.

    2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. On the user details page, click the Resources tab.

  5. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  6. On the Step 1: Select a Resource page, select AS400 User from the list and then click Continue.

  7. On the Step 2: Verify Resource Selection page, click Continue.

  8. On the Step 5: Provide Process Data for AS400 Connector User page, enter the details of the account that you want to create on the target system and then click Continue.

  9. (Optional) On the Step 5: Provide Process Data for Special Authorities page, specify the special authorities for the user on the target system and then click Continue.

  10. (Optional) On the Step 5: Provide Process Data for Supplemental Group page, search for and select a supplemental group for the user on the target system and then click Continue.

  11. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

  12. The "Provisioning has been initiated" message is displayed. Close the window displaying this message.

  13. On the Resources tab, click Refresh to view the newly provisioned resource.

3.5.2 Request-Based Provisioning

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

3.5.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Advanced in the upper-right corner of the page.

  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.

  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.

  6. On the Select Users page, specify a search criterion in the fields to search for the user for whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.

  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.

  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.

  10. From the Available Resources list, select AS400 User, move it to the Selected Resources list, and then click Next.

  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.

  12. On the Justification page, you can specify values for the following fields, and then click Finish.

    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.

  14. To view details of the approval, on the Request Details page, click the Request History tab.

3.5.2.2 Approver's Role in Request-Based Provisioning

The following steps are performed by the approver in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Self-Service in the upper-right corner of the page.

  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.

  4. On the Approvals tab, in the first section, you can specify a search criterion for the request task that is assigned to you.

  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

3.5.3 Switching Between Request-Based Provisioning and Direct Provisioning

Note:

It is assumed that you have performed the procedure described in Section 2.4.4, "Enabling Request-Based Provisioning."

To switch from request-based provisioning to direct provisioning:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the AS400 User Process Form process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the AS400 User resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

To switch from direct provisioning back to request-based provisioning:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the AS400 User Process Form process definition.

    3. Select the Auto Save Form check box.

    4. Click the Save icon.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the AS400 User resource object.

    3. Select the Self Request Allowed check box.

    4. Click the Save icon.

3.6 Configuring Provisioning in Oracle Identity Manager Release 11.1.2

To configure provisioning operations in Oracle Identity Manager release 11.1.2:

Note:

The first provisioning operation that you perform by using this connector takes longer than usual to complete.

  1. Log in to Oracle Identity Administrative and User console.

  2. Create a user. See the "Managing Users" chapter in Oracle Fusion Middleware User's Guide for Oracle Identity Manager for more information about creating a user.

  3. On the Account tab, click Request Accounts.

  4. In the Catalog page, search for and add to cart the application instance, and then click Checkout.

  5. Specify values for the fields in the application form, and then click Ready to Submit.

  6. Click Submit.

  7. If you want to provision entitlements, then:

    1. On the Entitlements tab, click Request Entitlements.

    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.

    3. Click Submit.

3.7 Uninstalling the Connector

If you want to uninstall the connector for any reason, see "Uninstalling Connectors" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.