3 Using the Connector

After you deploy the connector, you must configure it to meet your requirements.

This chapter is divided into the following sections:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Performing Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.

To perform a full reconciliation run, remove (delete) any value currently assigned to the Filter attribute of the SAP UME User Recon scheduled task. See Configuring Scheduled Jobs for information about this scheduled task.

3.2 Scheduled Job for Lookup Field Synchronization

Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The following scheduled jobs are used for lookup field synchronization:

SAP UME Group Lookup Reconciliation
SAP UME Role Lookup Reconciliation

You must specify values for the attributes of these scheduled jobs. Table 3-1 describes the attributes of these scheduled jobs. The procedure to configure scheduled tasks is described later in the guide.

Table 3-1 Attributes of the Scheduled Jobs for Lookup Field Synchronization

Attribute	Description
Code Key Attribute	Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: For SAP UME Group Lookup Reconciliation: `id` For SAP UME Role Lookup Reconciliation: `id` Note: You must not change the value of this attribute.
Decode Attribute	Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job that you are using, the default values are as follows: For SAP UME Group Lookup Reconciliation: `description` For SAP UME Role Lookup Reconciliation: `description`
Filter	Enter a filter condition using the or operator, represented by vertical bar (\|), to filter out the data sources from which group or role details must be fetched. Sample value of this attribute for group lookup synchronization: `equalTo('datasource','R3_ROLE_DS')\|equalTo('datasource','PRIVATE_DATASOURCE')\|equalTo('datasource','SUPER_GROUPS_DATASOURCE')` Sample value of this attribute for role lookup synchronization: `equalTo('datasource','PCD_ROLE_PERSISTENCE')\|equalTo('datasource','UME_ROLE_PERSISTENCE')` Note: Specifying a value for this attribute is mandatory for Group and Role reconciliation schedule jobs.
IT Resource Name	Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: `SAPUME IT Resource`
Lookup Name	This attribute holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Default value of this attribute for group lookup synchronization: `Lookup.SAPUME.UM.Group` Default value of this attribute for role lookup synchronization: `Lookup.SAPUME.UM.Role`
Object Class	Enter the name of the object class from which value must be fetched. Default value of this attribute for group synchronization: `__GROUP__` Default value of this attribute for role synchronization: `__ROLE__` Note: You must not change the value of the attribute.
Object Type	Enter the type of object whose values must be synchronized. Default value of this attribute for group synchronization: `Group` Default value of this attribute for role synchronization: `Role` Note: You must not change the value of this attribute.

3.3 Scheduled Jobs for SAP BusinessObjects AC Lookup Field Synchronization

Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The following scheduled jobs are used for SAP BusinessObjects AC lookup field synchronization:

SAP AC UME BusinessProcess Lookup Reconciliation
SAP AC UME FunctionalArea Lookup Reconciliation
SAP AC UME Group Lookup Reconciliation
SAP AC UME ItemProvAction Lookup Reconciliation
SAP AC UME Priority Lookup Reconciliation
SAP AC UME ReqInitSystem Lookup Reconciliation
SAP AC UME RequestType Lookup Reconciliation
SAP AC UME Request Status
SAP AC UME Role Lookup Reconciliation
SAP AC UME Target User Delete Reconciliation
SAP AC UME Target User Reconciliation

You can specify values for the attributes of these scheduled jobs. Table 3-2 describes the attributes of these scheduled jobs. Configuring Scheduled Jobs describes the procedure to configure scheduled jobs.

Table 3-2 Attributes of the Scheduled Jobs for SAP BusinessObjects AC Lookup Field Synchronization

Attribute	Description
Code Key Attribute	Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: SAP AC UME BusinessProcess Lookup Reconciliation: `LCODE` SAP AC UME FunctionalArea Lookup Reconciliation: `LCODE` SAP AC UME Group Lookup Reconciliation: `id` SAP AC UME ItemProvAction Lookup Reconciliation: `LCODE` SAP AC UME Priority Lookup Reconciliation: `LCODE` SAP AC UME ReqInitSystem Lookup Reconciliation: `REQSYSCODE` SAP AC UME RequestType Lookup Reconciliation: `LCODE` SAP AC UME Role Lookup Reconciliation: `id` Note: You must not change the value of this attribute.
Decode Attribute	Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: SAP AC UME BusinessProcess Lookup Reconciliation: `LDECODE` SAP AC UME FunctionalArea Lookup Reconciliation: `LDECODE` SAP AC UME Group Lookup Reconciliation: `description` SAP AC UME ItemProvAction Lookup Reconciliation: `LDECODE` SAP AC UME Priority Lookup Reconciliation: `LDECODE` SAP AC UME ReqInitSystem Lookup Reconciliation: `REQSYSDECODE` SAP AC UME RequestType Lookup Reconciliation: `LDECODE` SAP AC UME Role Lookup Reconciliation: `description`
IT Resource Name	Name of the IT resource for the target system installation from which you want to reconcile records. Default value: `SAP AC UME IT Resource`
Lookup Name	Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system. Note: If the lookup name that you specify as the value of this attribute is not present in Oracle Identity Manager, then this lookup definition is created while the scheduled job is run. Depending on the scheduled job you are using, the default values are as follows: SAP AC UME BusinessProcess Lookup Reconciliation: `Lookup.SAPACUME.Bproc` SAP AC UME FunctionalArea Lookup Reconciliation: `Lookup.SAPACUME.Funcarea` SAP AC UME Group Lookup Reconciliation: `Lookup.SAPACUME.Group` SAP AC UME ItemProvAction Lookup Reconciliation: `Lookup.SAPAC10UME.ItemProvAction` SAP AC UME Priority Lookup Reconciliation: `Lookup.SAPACUME.Priority` SAP AC UME ReqInitSystem Lookup Reconciliation: `Lookup.SAPACUME.ReqInitSystem` SAP AC UME RequestType Lookup Reconciliation: `Lookup.SAPAC10UME.RequestType` SAP AC UME Role Lookup Reconciliation: `Lookup.SAPACUME.Role`
Object Class	Enter the name of the class of the object you want to reconcile. Depending on the scheduled job you are using, the default values are as follows: SAP AC UME BusinessProcess Lookup Reconciliation: `BusProc` SAP AC UME FunctionalArea Lookup Reconciliation: `FunctionArea` SAP AC UME Group Lookup Reconciliation: `__GROUP__` SAP AC UME ItemProvAction Lookup Reconciliation: `ItemProvActionType` SAP AC UME Priority Lookup Reconciliation: `PriorityType` SAP AC UME ReqInitSystem Lookup Reconciliation: `SYSTEM` SAP AC UME RequestType Lookup Reconciliation: `RequestType` SAP AC UME Role Lookup Reconciliation: `__ROLE__`
Object Type	Enter the name of the type of object you want to reconcile. Depending on the scheduled job you are using, the default values are as follows: SAP AC UME BusinessProcess Lookup Reconciliation: `BusProc` SAP AC UME FunctionalArea Lookup Reconciliation: `FunctionArea` SAP AC UME Group Lookup Reconciliation: `Group` SAP AC UME ItemProvAction Lookup Reconciliation: `ItemProvActionType` SAP AC UME Priority Lookup Reconciliation: `PriorityType` SAP AC UME ReqInitSystem Lookup Reconciliation: `SYSTEM` SAP AC UME RequestType Lookup Reconciliation: `RequestType` SAP AC UME Role Lookup Reconciliation: `Role`

3.4 Configuring Reconciliation

You can configure the connector to specify the type of reconciliation and its schedule.

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.4.1 Full Reconciliation

In full reconciliation, all existing target system records are fetched into Oracle Identity Manager for reconciliation.

See Performing Full Reconciliation for instructions.

3.4.2 Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

The connector provides a Filter attribute that allows you to use any of the SAP UME resource attributes to filter the target system records.

The syntax for this parameter is as follows:

Note:

You can use a shortcut for the <and> and <or> operators. For example: <filter1> & <filter2> instead of and (<filter1>, <filter2>), analogically replace or with |.

syntax = expression ( operator expression )* 
operator = 'and' | 'or' 
expression = ( 'not' )? filter 
filter = ('equalTo' | 'contains' | 'containsAllValues' | 'startsWith'
| 'endsWith'  | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' 
| 'lessThanOrEqualTo' )  '(' 'attributeName' ',' attributeValue ')' 
attributeValue = singleValue  |  multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' (',' 'value_n')* ']'

For example, to limit the number of reconciled accounts to only those in which the account name starts with "a" letter, you could use the following expression:

startsWith('__NAME__', 'a')

For a more advanced search, where you want to filter only those account names that end with 'z', you could use the following filter:

startsWith('__NAME__', 'a') & endsWith('__NAME__', 'z')

While deploying the connector, follow the instructions in Configuring Scheduled Jobs to specify attribute values.

3.4.3 Reconciliation Scheduled Jobs

You can use reconciliation scheduled job to reconcile user account data from the target system.

Depending on whether you want to reconcile data about users or deleted users from the target system, you must specify values for the attributes of one of the following scheduled jobs:

SAP UME Target User Reconciliation

You use the SAP UME Target User Reconciliation scheduled job to reconcile user data from the SAP UME target system.
SAP UME Target User Delete Reconciliation

You use the SAP UME Target User Delete Reconciliation scheduled to reconcile data about deleted users from the target system. During a reconciliation run, for each deleted user account on the target system, the SAP User Management Engine resource is revoked for the corresponding OIM User.
SAP AC UME Target User Reconciliation

You use the SAP AC UME Target User Reconciliation scheduled job to reconcile user data from the SAP AC UME target system.
SAP AC UME Target User Delete Reconciliation

You use the SAP AC UME Target User Delete Reconciliation scheduled to reconcile data about deleted users from the target system. During a reconciliation run, for each deleted user account on the target system, the SAP User Management Engine resource is revoked for the corresponding OIM User.

This section discusses the attributes of the following scheduled jobs:

3.4.3.1 SAP UME Target User Reconciliation and SAP AC UME Target User Reconciliation

You use the SAP UME Target User Reconciliation and SAP AC UME Reconciliation scheduled job to reconcile user records from SAP BusinessObjects AC target system. Table 3-3 describes the attributes of the SAP UME Target User Reconciliation and SAP AC UME Target User Reconciliation scheduled jobs.

Table 3-3 Attributes of the SAP UME Target User Reconciliation and SAP AC UME Target User Reconciliation Scheduled Jobs

Attribute	Description
Filter	Expression for filtering records. Sample value: `equalTo('logonname','SEPT12USER1')`
IT Resource Name	Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Depending on the scheduled job you are using, the default values are as follows: For SAP UME Target User Reconciliation `SAPUME IT Resource` For SAP AC UME Target User Reconciliation `SAP AC UME IT Resource`
Object Type	Enter the type of object you want to reconcile. Default value: `User`
Resource Object Name	Name of the resource object that is used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: For SAP UME Target User Reconciliation `SAPUME Resource Object` For SAP AC UME Target User Reconciliation `SAP AC UME Resource Object`

3.4.3.2 SAP UME Target User Delete Reconciliation and SAP AC UME Target User Delete Reconciliation

You use the SAP UME Target User Delete Reconciliation and SAP AC UME Target User Delete Reconciliation scheduled job to reconcile deleted user records from SAP BusinessObjects AC target system. Table 3-4 describes the attributes of the SAP UME Target User Delete Reconciliation and SAP AC UME Target User Delete Reconciliation scheduled jobs.

Table 3-4 Attributes of the SAP UME Target User Delete Reconciliation and SAP AC UME Target User Delete Reconciliation Scheduled Jobs

Attribute Description

Attribute	Description
IT Resource Name	Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Depending on the scheduled job you are using, the default values are as follows: For SAP UME Target User Delete Reconciliation `SAPUME IT Resource` For SAP AC UME Target User Delete Reconciliation `SAP AC UME IT Resource`
Object Type	Enter the type of object you want to reconcile. Default value: `User`
Resource Object Name	Name of the resource object that is used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: For SAP UME Target User Delete Reconciliation `SAPUME Resource Object` For SAP AC UME Target User Delete Reconciliation `SAP AC UME Resource Object`

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Depending on the scheduled job you are using, the default values are as follows:

For SAP UME Target User Delete Reconciliation

SAPUME IT Resource
For SAP AC UME Target User Delete Reconciliation

SAP AC UME IT Resource

Object Type

Enter the type of object you want to reconcile.

Default value: User

Resource Object Name

Name of the resource object that is used for reconciliation.

Depending on the scheduled job you are using, the default values are as follows:

For SAP UME Target User Delete Reconciliation

SAPUME Resource Object
For SAP AC UME Target User Delete Reconciliation

SAP AC UME Resource Object

3.4.3.3 SAP AC Request Status

You use the SAP AC Request Status scheduled job to reconcile request status from SAP BusinessObjects AC target system. Table 3-5 describes the attributes of this scheduled job.

Table 3-5 Attributes of the SAP AC Request Status Scheduled Job

Attribute	Description
IT Resource Name	Name of the IT resource instance that the connector must use to reconcile data Default value: `SAP AC UME IT Resource`
Object Type	Type of object you want to reconcile Default value: `STATUS`
Resource Object Name	Name of the resource object against which reconciliation runs must be performed Default value: `SAP AC UME Resource Object`
Scheduled Task Name	Name of the scheduled task Default value: `SAP AC UME Request Status`

3.5 Configuring Scheduled Jobs

Configure scheduled jobs to perform reconciliation runs that check for new information on your target system periodically and replicates the data in Oracle Identity Manager.

This section describes the procedure to configure scheduled jobs. You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.

Table B-1 lists the scheduled jobs that you must configure.

To configure a scheduled job:

If you are using Oracle Identity Manager release 11.1.1.x, then perform the following steps:
1. Log in to the Administrative and User Console.
2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
If you are using Oracle Identity Manager release 11.1.2.x, then perform the following steps:
1. Log in to Identity System Administration.
2. In the left pane, under System Management, click Scheduler.
Search for and open the scheduled job as follows:
1. If you are using Oracle Identity Manager release 11.1.1.x, then on the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
2. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
3. In the search results table on the left pane, click the scheduled job in the Job Name column.
On the Job Details tab, you can modify the following parameters:
- Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
- Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.
In addition to modifying the job details, you can enable or disable a job.
On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled job.
Note:
- Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
- Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.
- Attributes of the scheduled job are discussed in Reconciliation Scheduled Jobs.
Click Apply to save the changes.

Note:

You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

3.6 Guidelines on Performing Provisioning

These are the guidelines that you must apply while performing provisioning operations.

This section provides more information about the following guidelines:

3.6.1 Guidelines While Performing Provisioning Operations in any of the supported deployment configurations

The following are guidelines that you must apply while performing provisioning operations in any of the supported deployment operations:

If an ABAP data source is configured in SAP User Management Engine, then ABAP roles are shown as groups in SAP User Management Engine. However, SAP User Management Engine does not allow assigning such groups to user accounts in some configurations.

To assign groups that represent the AS ABAP role, create a new AS Java role in the User Administration tool of SAP User Management Engine. Then, assign the group that represents the AS ABAP role to the newly created AS Java role in Oracle Identity Manager.
If you disable a user account in Oracle Identity Manager, the connector updates the value of the Valid Through attribute with yesterday's date. If the user has logged in to the target system today, or if the password of the user was changed today, then SAP User Management Engine updates the Valid Through attribute with today's date and lock the user.

Ensure that the dates on Oracle Identity Manager and the SAP User Management Engine target system are in sync.
The length of the Logon Name field varies in the target system based on the data source configuration. If a target system allows 15 characters, and if you enter more than 15 characters for the Logon Name field in Oracle Identity Manager, then an error is encountered. Therefore, the length of the Logon Name field must be limited to 15 characters in Oracle Identity Manager.
Through provisioning, if you want to create and disable an account at the same time, then you can set the value of the Valid Through attribute to a date in the past. For example, while creating an account on 31-Jul, you can set the Valid Through date to 30-Jul. With this value, the resource provisioned to the OIM User is in the Disabled state immediately after the account is created.

However, on the target system, if you set the Valid Through attribute to a date in the past while creating an account, then the target system automatically sets Valid Through to the current date. The outcome of this Create User provisioning operation is as follows:
- The value of the Valid Through attribute on Oracle Identity Manager and the target system do not match.
- On the target system, the user can log in all through the current day. The user cannot log in from the next day onward.
You can lock the user on the target system so that the user is not able to log in the day the account is created.
Remember that if password or system assignment fails during a Create User provisioning operation, then the user is not created.
When you try to provision a multivalued attribute, such as a role or group, if the attribute has already been set for the user on the target system, then the status of the process task is set to Completed in Oracle Identity Manager. If required, you can configure the task so that it shows the status Rejected in this situation. See Modifying Process Tasks in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about configuring process tasks.
When you perform the Lock User or Unlock User provisioning operation, remember that the connector makes the required change on the target system without checking whether the account is currently in the Locked or Unlocked state. This is because the target system does not provide a method to check the current state of the account.
The target system does not accept non-English letters in the E-mail Address field. Therefore, during provisioning operations, you must enter only English language letters in the E-mail Address field on the process form.
When you assign a role to a user through provisioning, you set values for the following attributes:
- Datasource
- Role

3.6.2 Guidelines While Performing Provisioning Operations After Configuring the Access Request Management Feature of the Connector

The following are guidelines that you must apply while performing provisioning operations after configuring the access request management feature of the connector:

During a Create User operation performed when the Access Request Management is configured, first submit process form data. Submit child form data after the user is created on the target system. This is because when Access Request Management is enabled, the connector supports modification of either process form fields or child form fields in a single Modify User operation.
The following fields on the process form are mandatory attributes on SAP BusinessObjects AC Access Request Management:

Note:

When the Access Request Management feature is configured, you must enter values for these fields even though some of them are not marked as mandatory fields on the Oracle Identity System Administration.
- AC Manager
- AC Manager email
- AC Priority
- AC System
- AC Requestor ID
- AC Requestor email
- AC Request Reason
The following fields may be mandatory or optional based on the configuration in SAP BusinessObjects Access Control system:
- AC Manager First Name
- AC Manager Last Name
- AC Manager Telephone
- AC Request Due Date
- AC Functional Area
- AC Business Process
- AC Requestor First Name
- AC Requestor Last Name
- AC Requestor Telephone
- AC Company
As mentioned earlier in this guide, SAP BusinessObjects Access Request Management does not process passwords. Therefore, any value entered in the Password field is ignored during Create User provisioning operations. After a Create User operation is performed, the user for whom the account is created on the target system must apply one of the following approaches to set the password:
- To use the Oracle Identity Manager password as the target system password, change the password through Oracle Identity Manager.
- Directly log in to the target system, and change the password.
You perform an Enable User operation by setting the Valid From field to a future date. Similarly, you perform a Disable User operation by setting the Valid Through field to the current date. Both operations are treated as Modify User operations.
When you delete a user (account) on Oracle Identity System Administration (process form), a Delete User request is created.
When you select the Lock User check box on the process from, a Lock User request is created.
When you deselect the Lock User check box on the process from, an Unlock User request is created.
The Enable User and Disable User operations are implemented through the Valid From and Valid Through fields on the process form.
In a Modify User operation, you can specify values for attributes that are mapped with SAP BusinessObjects AC Access Request Management and attributes that are directly updated on the target system. A request is created SAP BusinessObjects AC Access Request Management only for attributes whose mappings are present in these lookup definitions. If you specify values for attributes that are not present in these lookup definitions, then the connector sends them to directly the target system.

3.7 Configuring Provisioning in Oracle Identity Manager Release 11.1.1.x

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.

When you install the connector on Oracle Identity Manager release 11.1.1.x, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Switching Between Request-Based Provisioning and Direct Provisioning.

The following are types of provisioning operations:

Direct provisioning
Request-based provisioning
Provisioning triggered by policy changes

See Also:

Manually Completing a Task in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for information about the types of provisioning

This section discusses the following topics:

3.7.1 Overview of the Provisioning Process in an SoD-Enabled Environment

The following is the sequence of steps that take places during a provisioning operation performed in an SoD-enabled environment:

The provisioning operation triggers the appropriate adapter.
SAP BusinessObjects SoD Invocation Library (SIL) Provider passes the entitlement data to the Web service of SAP BusinessObjects AC.
After SAP BusinessObjects AC runs the SoD validation process on the entitlement data, the response from the process is returned to Oracle Identity Manager.
The status of the process task that received the response depends on the response itself. If the entitlement data clears the SoD validation process, then the adapter carries provisioning data to the corresponding SPML request on the target system and the status of the process task changes to Completed. This translates into the entitlement being granted to the user. If the SoD validation process returns the failure response, then status of the process task changes to Canceled.

3.7.2 Direct Provisioning

In direct provisioning, only Oracle Identity Manager administrators can create and manage target system resources.

To provision a resource by using the direct provisioning approach:

Log in to the Administrative and User Console.
If you want to first create an OIM User and then provision a target system account, then:
1. On the Welcome to Identity Administration page, in the Users region, click Create User.
2. On the Create User page, enter values for the OIM User fields, and then click Save.
If you want to provision a target system account to an existing OIM User, then:
1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.
2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.
On the user details page, click the Resources tab.
From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.
On the Step 1: Select a Resource page, select SAPUME Resource Object from the list and then click Continue.

Note:

If you are using SAP BusinessObjects AC system, then select SAP AC UME Resource Object from the list and then click Continue.
On the Step 2: Verify Resource Selection page, click Continue.
On the Step 5: Provide Process Data for SAPUME Process Form page, enter the details of the account that you want to create on the target system and then click Continue.

If you are using SAP BusinessObject AC system, you enter the details of the account on the Provide Process Data for SAP AC UME Process Form page.
If required, on the Step 5: Provide Process Data for SAPUME Group Form page, search for and select a group for the user on the target system and then click Continue.

If you are using SAP BusinessObjects AC system, then search for a select a group on the Provide Process Data for SAP AC UME Group Form.
If required, on the Step 5: Provide Process Data for SAPUME Role Form page, search for and select a role for the user on the target system and then click Continue.

If you are using SAP BusinessObjects AC system, then search for a select a role on the Provide Process Data for SAP AC UME Role Form.
On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.
The "Provisioning has been initiated" message is displayed. Close the window displaying this message.
On the Resources tab, click Refresh to view the newly provisioned resource.

3.7.3 Direct Provisioning in an SoD-Enabled Environment

This section describes the prerequisites and the procedure to perform direct provisioning. It contains the following sections:

3.7.3.1 Prerequisites

Note:

Perform the procedure in this section only in the following situations:

The first time you perform direct provisioning.
If you switch from request-based provisioning to direct provisioning.

When you run the Connector Installer, the configuration for direct provisioning of SAP user accounts is installed. Although the process form is displayed during direct provisioning, the connector cannot complete direct provisioning operations unless you enable the use of the process form. If you want to enable the use of the process form during direct provisioning, then perform the procedure described later in this section.

To enable the use of the process form during direct provisioning:

Note:

Request-based provisioning is disabled after you perform this procedure.

Log in to the Design Console.
Disable the Auto Save Form feature as follows:
1. Expand Process Management, and then double-click Process Definition.
2. Search for and open the SAPUME process process definition.
3. Deselect the Auto Save Form check box.
4. Click the Save icon.
If the Self Request Allowed feature is enabled, then:
1. Expand Resource Management, and then double-click Resource Objects.
2. Search for and open the SAPUME Resource Object resource object.
3. Deselect the Self Request Allowed check box.
4. Click the Save icon.

3.7.3.2 Performing Direct Provisioning

To provision a resource by using the direct provisioning approach:

Log in to the Administrative and User Console.
If you want to first create an OIM User and then provision a target system account, then:
1. On the Welcome to Identity Administration page, in the Users region, click Create User.
2. On the Create User page, enter values for the OIM User fields, and then click Save.
If you want to provision a target system account to an existing OIM User, then:
1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the drop-down list on the left pane.
2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.
On the user details page, click the Resources tab.
From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.
On the Step 1: Select a Resource page, select SAPUME Resource Object from the list and then click Continue.
On the Step 2: Verify Resource Selection page, click Continue.
On the Step 5: Provide Process Data page for process data, enter the details of the account that you want to create on the target system and then click Continue.
On the Step 5: Provide Process Data page for profile data, search for and select profiles for the user on the target system and then click Continue.
On the Step 5: Provide Process Data page for role data, search for and select roles for the user on the target system and then click Continue.
On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.
The "Provisioning has been initiated" message is displayed. Close the window displaying this message.
On the Resource tab of the user details page, click Refresh to view the newly provisioned resource.
To view the Resource Provisioning Details page, which shows the details of the process tasks that were run:

On the Resources tab of the user details page, from the Action menu, select Resource History.
The SOD Check Status field is updated with SOD Check Completed status.
As the administrator assigning a resource to a user, you can either end the process when a violation is detected or modify the assignment data and then resend it. To modify the assignment data, on the Resource tab of the user details page, select the row containing the resource, and then click Open.
In the Edit Form window that is displayed, you can modify the role and profile data that you had selected earlier.

Note:

To modify a set of entitlements In the Edit Form window, you must first remove all entitlements and then add the ones that you want to use.

In the following screenshot, one of the roles selected earlier is marked for removal:

Description of the illustration edit_form.gif
After invoking the risk analysis web service, the results of the SoD validation process are brought to Oracle Identity Manager. If you open the process form, the results will be displayed as shown in the screenshot in Step 17.

3.7.4 Request-Based Provisioning

In request-based provisioning, users can raise requests for creating and managing their accounts. Other users designated as administrators or approvers act upon these requests.

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

3.7.4.1 Creating of Request-Based Provisioning by the End User

The following steps are performed by the end user in a request-based provisioning operation:

Log in to the Administrative and User Console.
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.
From the Actions menu on the left pane, select Create Request.

The Select Request Template page is displayed.
From the Request Template list, select Provision Resource and click Next.
On the Select Users page, specify a search criterion in the fields to search for the user that you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.
From the Available Users list, select the user to whom you want to provision the account.

If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.
Click Move or Move All to include your selection in the Selected Users list, and then click Next.
On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
From the Available Resources list, select SAPUME Resource Object, move it to the Selected Resources list, and then click Next.

If you are using SAP BusinessObjects AC system, select SAP AC UME Resource Object
On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
On the Justification page, you can specify values for the following fields, and then click Finish.
- Effective Date
- Justification
On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.
If you click the request ID, then the Request Details page is displayed.
To view details of the approval, on the Request Details page, click the Request History tab.

3.7.4.2 Approving Request-Based Provisioning

The following are steps performed by the approver in a request-based provisioning operation:

Log in to the Administrative and User Console.
On the Welcome page, click Self-Service in the upper-right corner of the page.
On the Welcome to Identity Manager Self Service page, click the Tasks tab.
On the Approvals tab, in the first section, you can specify a search criterion for request task that is assigned to you.
From the search results table, select the row containing the request you want to approve, and then click Approve Task.

A message confirming that the task was approved is displayed.

3.7.5 Request-Based Provisioning in an SoD-Enabled Environment

In request-based provisioning, users can raise requests for creating and managing their accounts. Other users designated as administrators or approvers act upon these requests.

See Also:

Configuring SoD (Segregation of Duties)

The request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The request-based provisioning process described in this section covers steps to be performed by both entities.

In the example used in this section, the end user creates a request for two roles on the target system. The request clears the SoD validation process and is approved by the approver.

The following topics provide more information about request-based provisioning:

3.7.5.1 Creating of Request-Based Provisioning by End-Users

The following are types of request-based provisioning:

Request-based provisioning of accounts: OIM Users are created but not provisioned target system resources when they are created. Instead, the users themselves raise requests for provisioning accounts.

Request-based provisioning of entitlements: OIM Users who have been provisioned target system resources (either through direct or request-based provisioning) raise requests for provisioning entitlements.

The following steps are performed by the end user in a request-based provisioning operation on Oracle Identity Manager release 11.1.1.x:

See Also:

Registering to Oracle Identity Manager of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for detailed information about these steps

Log in to the Administrative and User Console.
On the Welcome page, click Advanced on the top right corner of the page.
On the Welcome to Identity Manager Advanced Administration page, click the Administration tab, and then click the Requests tab.
From the Actions menu on the left pane, select Create Request.

The Select Request Template page is displayed.
From the Request Template list, select Provision Resource and then click Next.
On the Select Users page, specify a search criterion in the fields to search for the user that you want to provision the resource, and then click Search. A list of users that match the search criterion you specified is displayed in the Available Users list.
From the Available Users list, select the user to whom you want to provision the account.

If you want to create a provisioning request for more than one user, then from the Available Users list, select the users to whom you want to provision the account.
Click Move or Move All to include your selection in the Selected Users list, and then click Next.
On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
From the Available Resources list, select SAPUME Resource Object, move it to the Selected Resources list, and then click Next.
On the Resource Details page, enter details of the account that must be created on the target system. and then click Next.
On the Justification page, you can specify values for the following fields, and then click Finish:
- Effective Date
- Justification
On the resulting page, a message confirming that your request has been sent is displayed along with the Request ID.
If you click the request ID, then the Request Details page is displayed.
On the Resource tab of the Request Details page, click the View Details link in the row containing the resource for which the request was created. The Resource Details page in displayed in a new window.

One of the fields on this page is the SODCheckStatus field. The value in this field can be SoD Check Not Initiated or SoDCheckCompleted. When the request is placed, the SODCheckStatus field contains the SoDCheckCompleted status.
To view details of the approval, on the Request Details page, click the Approval Tasks tab.

On this page, the status of the SODChecker task is pending.

3.7.5.2 Approving Request-Based Provisioning

This section discusses the role of the approver in a request-based provisioning operation.

The approver to whom the request is assigned can use the Pending Approvals feature to view details of the request.

In addition, the approver can click the View link to view details of the SoD validation process.

The approver can decide whether to approve or deny the request, regardless of whether the SoD engine accepted or rejected the request. The approver can also modify entitlements in the request.

The following steps are performed by the approver in a request-based provisioning operation on Oracle Identity Manager release 11.1.1.x:

Log in to the Administrative and User Console.
On the Welcome page, click Self-Service in the upper-right corner of the page.
On the Welcome to Identity Manager Self Service page, click the Tasks tab.
On the Approvals tab, in the first region, you can specify a search criterion for the request task that is assigned to you.
From the search results table, select the row containing the request you want to approve, and then click Approve Task.

A message confirming that the task has been approved is displayed and the request status is changed to Obtaining Operation Approval.
Select the row containing the request which is approved, and then click Approve Task.

A message confirming that the task has been approved is displayed and the request status is changed to Request Completed.
Click the Administration tab and search for the user(s) for whom the request is completed.
Select the user.

The user detail information is displayed in the right pane.
Click the Resources tab to view the resource being provisioned.
Select the resource being provisioned, and then click Open to view the resource details.
On the Resources tab of the User Details page, from the Action menu, select Resource History to view the resource provisioning tasks.

3.7.6 Switching Between Request-Based Provisioning and Direct Provisioning

Note:

Perform this procedure only if you are using Oracle Identity Manager release 11.1.1.x. It is assumed that you have performed the procedure described in Configuring Oracle Identity Manager for Request-Based Provisioning.

In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource on the resource can be viewed and approved by approvers designated in Oracle Identity Manager. Diret provisioning cannot be used if you enable request-based provisioning.

The following sections discuss the steps to be performed to switch between request-based provsioning and direct provisioning:

3.7.6.1 Switching from Request-Based Provisioning to Direct Provisioning

You can switch from request-based provisioning to direct provisioning using the following steps.

To switch from request-based provisioning to direct provisioning, do the following:

Log in to the Design Console.
Disable the Auto Save Form feature as follows:
1. Expand Process Management, and then double-click Process Definition.
2. Search for and open the SAPUME process process definition.
  
  Note:
  
  If you are using SAP BusinessObjects AC system, then search for and open the SAP AC UME process process definition.
3. Deselect the Auto Save Form check box.
4. Click the Save icon.
If the Self Request Allowed feature is enabled, then:
1. Expand Resource Management, and then double-click Resource Objects.
2. Search for and open the SAPUME Resource Object resource object.
  
  Note:
  
  If you are using SAP BusinessObjects AC system, then search for and open the SAP AC UME process process definition.
3. Deselect the Self Request Allowed check box.
4. Click the Save icon.

3.7.6.2 Switching from Direct Provisioning to Request-Based Provisioning

You can switch from direct provisioning to request-based provisioning using the following steps.

To switch from direct provisioning to request-based provisioning, do the following:

Log in to the Design Console.
Enable the Auto Save Form feature as follows:
1. Expand Process Management, and then double-click Process Definition.
2. Search for and open the SAPUME process process definition.
3. Select the Auto Save Form check box.
4. Click the Save icon.
If you want to enable end users to raise requests for themselves, then:
1. Expand Resource Management, and then double-click Resource Objects.
2. Search for and open the SAPUME Resource Object resource object.
  
  Note:
  
  If you are using SAP BusinessObjects AC system, then search for and open the SAP AC UME Resource Object resource object.
3. Select the Self Request Allowed check box.
4. Click the Save icon.

3.8 Configuring Provisioning in Oracle Identity Manager Release 11.1.2.x

Provisioning involves creating or modifying user account on the target system through Oracle Identity Manager.

To configure provisioning operations in Oracle Identity Manager release 11.1.2.x:

Note:

The time required to complete a provisioning operation that you perform the first time by using this connector takes longer than usual.

Log in to Oracle Identity System Administration.
Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see Managins Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
Create an application instance. To do so:
1. In the left pane, under Configuration, click Application Instances. The Application Instances page is displayed.
2. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.
3. Specify values for the following fields:
  
  Name: The name of the application instance.
  
  Name: The name of the application instance.
  
  Description: A description of the application instance.
  
  Resource Object: The resource object name. Click the search icon next to this field to search for and select SAPUME Resource Object. If you are using SAP BusinessObjects AC system, then select SAP AC UME Resource Object.
  
  IT Resource Instance: The IT resource instance name. Click the search icon next to this field to search for and select SAPUME IT Resource. If you are using SAP BusinessObject AC system, then select SAP AC UME IT Resource.
  
  Form: Select the form name, for example, SAPUME (or SAPACUME for SAP BusinessObjects AC system). To do so, click Create. against the Form list, specify the form name, and then create it. On the Create Application Instance page, click the Refresh icon next to the Form field. From this list, select the form name that you created.
  Note:
  
  If you are using SAP BusinessObjects AC system, then:
  - Resource Object: SAP AC UME Resource Object
  - IT Resource Instance: SAP AC UME IT Resource
  - Form: UD_SAPACUME
Publish the sandbox.
Run lookup field synchronization. See Scheduled Job for Lookup Field Synchronization and Scheduled Jobs for SAP BusinessObjects AC Lookup Field Synchronization for more information.
Search for and run the Entitlement List scheduled job to populate the ENT_LIST table. See Configuring Scheduled Jobs for more information about configuring and running scheduled jobs.
Publish the application instance (created in Step 3) to an organization. To do so:
1. On the Organizations tab of the Application Instance page, click Assign.
2. In the Select Organizations dialog box, select the organization to which you want to publish the application instance.
3. Select the Apply to entitlements checkbox.
4. Click OK.
Search for and run the Catalog Synchronization Job scheduled job. See Configuring Scheduled Jobs for more information about configuring and running scheduled jobs.
Log in to Oracle Identity System Administration.
Create a user. See Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.
On the Account tab, click Request Accounts.
In the Catalog page, search for and add to cart the application instance created in Step 3, and then click Checkout.
Specify value for fields in the application form and then click Ready to Submit.
Click Submit.
If you want to provision entitlements, then:
1. On the Entitlements tab, click Request Entitlements.
2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.
3. Click Submit.

3.9 Uninstalling the Connector

If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.