This chapter is divided into the following sections:
Note:
These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.
To perform a full reconciliation run, remove (delete) any value currently assigned to the Filter attribute of the SAP UME User Recon scheduled task. See Configuring Scheduled Jobs for information about this scheduled task.
Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.
The following scheduled jobs are used for lookup field synchronization:
SAP UME Group Lookup Reconciliation
SAP UME Role Lookup Reconciliation
You must specify values for the attributes of these scheduled jobs. Table 3-1 describes the attributes of these scheduled jobs. The procedure to configure scheduled tasks is described later in the guide.
Table 3-1 Attributes of the Scheduled Jobs for Lookup Field Synchronization
Attribute | Description |
---|---|
Code Key Attribute | Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: Note: You must not change the value of this attribute. |
Decode Attribute | Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job that you are using, the default values are as follows: |
Filter | Enter a filter condition using the or operator, represented by the vertical bar (\|), to filter out the data sources from which group or role details must be fetched. Sample value of this attribute for group lookup synchronization: Sample value of this attribute for role lookup synchronization: Note: Specifying a value for this attribute is mandatory for Group and Role reconciliation scheduled jobs. |
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Lookup Name | This attribute holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Default value of this attribute for group lookup synchronization: Default value of this attribute for role lookup synchronization: |
Object Class | Enter the name of the object class from which values must be fetched. Default value of this attribute for group synchronization: Default value of this attribute for role synchronization: Note: You must not change the value of this attribute. |
Object Type | Enter the type of object whose values must be synchronized. Default value of this attribute for group synchronization: Default value of this attribute for role synchronization: Note: You must not change the value of this attribute. |
Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.
The following scheduled jobs are used for SAP BusinessObjects AC lookup field synchronization:
SAP AC UME BusinessProcess Lookup Reconciliation
SAP AC UME FunctionalArea Lookup Reconciliation
SAP AC UME Group Lookup Reconciliation
SAP AC UME ItemProvAction Lookup Reconciliation
SAP AC UME Priority Lookup Reconciliation
SAP AC UME ReqInitSystem Lookup Reconciliation
SAP AC UME RequestType Lookup Reconciliation
SAP AC UME Request Status
SAP AC UME Role Lookup Reconciliation
SAP AC UME Target User Delete Reconciliation
SAP AC UME Target User Reconciliation
You can specify values for the attributes of these scheduled jobs. Table 3-2 describes the attributes of these scheduled jobs. Configuring Scheduled Jobs describes the procedure to configure scheduled jobs.
Table 3-2 Attributes of the Scheduled Jobs for SAP BusinessObjects AC Lookup Field Synchronization
Attribute | Description |
---|---|
Code Key Attribute | Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: Note: You must not change the value of this attribute. |
Decode Attribute | Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: |
IT Resource Name | Name of the IT resource for the target system installation from which you want to reconcile records. Default value: |
Lookup Name | Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system. Note: If the lookup name that you specify as the value of this attribute is not present in Oracle Identity Manager, then this lookup definition is created while the scheduled job is run. Depending on the scheduled job you are using, the default values are as follows: |
Object Class | Enter the name of the class of the object you want to reconcile. Depending on the scheduled job you are using, the default values are as follows: |
Object Type | Enter the name of the type of object you want to reconcile. Depending on the scheduled job you are using, the default values are as follows: |
You can configure the connector to specify the type of reconciliation and its schedule.
As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:
In full reconciliation, all existing target system records are fetched into Oracle Identity Manager for reconciliation.
See Performing Full Reconciliation for instructions.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.
The connector provides a Filter attribute that allows you to use any of the SAP UME resource attributes to filter the target system records.
The syntax for this parameter is as follows:
syntax = expression ( operator expression )*
operator = 'and' | 'or'
expression = ( 'not' )? filter
filter = ('equalTo' | 'contains' | 'containsAllValues' | 'startsWith' | 'endsWith' | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' ) '(' 'attributeName' ',' attributeValue ')'
attributeValue = singleValue | multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' (',' 'value_n')* ']'
Note:
You can use a shortcut for the <and> and <or> operators. For example, use <filter1> & <filter2> instead of and(<filter1>, <filter2>). Analogously, replace or with |.
For example, to limit the reconciled accounts to only those in which the account name starts with the letter "a", you could use the following expression:
startsWith('__NAME__', 'a')
For a more advanced search, where you also want to keep only those account names that end with 'z', you could use the following filter:
startsWith('__NAME__', 'a') & endsWith('__NAME__', 'z')
While deploying the connector, follow the instructions in Configuring Scheduled Jobs to specify attribute values.
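As an added example (not part of the Oracle documentation or the connector's own code), the following Python code parses a Filter value against the grammar above, including the & and | shortcuts, and previews which accounts it would select, so that a malformed filter or one that silently leaves accounts out of reconciliation is caught before the scheduled job runs. The comparison semantics, the strict left-to-right evaluation, the groups attribute and the sample accounts are assumptions constructed for illustration; the prefix and(...) form mentioned in the note is not handled.

```python
import operator
import re

# Scalar filters from the grammar on this page; the comparison semantics are
# assumed from the filter names (case-sensitive string comparison).
TESTS = {
    "equalTo": operator.eq, "contains": lambda have, want: want in have,
    "startsWith": str.startswith, "endsWith": str.endswith,
    "greaterThan": operator.gt, "greaterThanOrEqualTo": operator.ge,
    "lessThan": operator.lt, "lessThanOrEqualTo": operator.le,
}
FILTERS = set(TESTS) | {"containsAllValues"}
OPERATORS = {"and": "and", "&": "and", "or": "or", "|": "or"}

# filter = name '(' 'attributeName' ',' ( 'value' | '[' 'v1' (',' 'vn')* ']' ) ')'
FILTER_RE = re.compile(
    r"\s*(?P<neg>not\s+)?(?P<name>[A-Za-z]+)\s*\(\s*'(?P<attr>[^']*)'\s*,\s*"
    r"(?P<val>'[^']*'|\[\s*'[^']*'(?:\s*,\s*'[^']*')*\s*\])\s*\)")
OPERATOR_RE = re.compile(r"\s*(and\b|or\b|&|\|)")

# Constructed sample accounts; 'groups' is a hypothetical attribute name.
ACCOUNTS = [
    {"__NAME__": "abaz", "groups": ["Administrators", "Everyone"]},
    {"__NAME__": "alice", "groups": ["Everyone"]},
    {"__NAME__": "buzz", "groups": ["Everyone"]},
    {"__NAME__": "svc_batch", "groups": ["Administrators"]},
]


class FilterSyntaxError(ValueError):
    """Raised when a Filter value does not follow the grammar."""


def parse_filter(text):
    """Parse a Filter value; None means empty, that is, full reconciliation."""
    text = text.strip()
    if not text:
        return None
    pos, tree, op = 0, None, None
    while True:
        m = FILTER_RE.match(text, pos)
        if m is None:
            raise FilterSyntaxError(f"expected a filter at offset {pos}: {text[pos:]!r}")
        if m["name"] not in FILTERS:
            raise FilterSyntaxError(f"unknown filter {m['name']!r}")
        node = (m["name"], m["attr"], re.findall(r"'([^']*)'", m["val"]))
        if m["neg"]:
            node = ("not", node)
        # The grammar defines no precedence: combine strictly left to right.
        tree = node if tree is None else (op, tree, node)
        pos = m.end()
        if pos == len(text):
            return tree
        m = OPERATOR_RE.match(text, pos)
        if m is None:
            raise FilterSyntaxError(f"expected and/or at offset {pos}: {text[pos:]!r}")
        op, pos = OPERATORS[m[1]], m.end()


def matches(node, record):
    """Evaluate a parse tree against one account record (a dict)."""
    if node is None:  # empty Filter: nothing is excluded
        return True
    if node[0] == "not":
        return not matches(node[1], record)
    if node[0] in ("and", "or"):
        left, right = matches(node[1], record), matches(node[2], record)
        return (left and right) if node[0] == "and" else (left or right)
    name, attr, wanted = node
    have = record.get(attr)
    if have is None:  # a missing attribute never matches
        return False
    have = have if isinstance(have, list) else [have]
    if name == "containsAllValues":
        return all(w in have for w in wanted)
    return any(TESTS[name](h, w) for h in have for w in wanted)


def preview(filter_text, accounts):
    """Names of the accounts the filter would select for reconciliation."""
    tree = parse_filter(filter_text)
    return [a["__NAME__"] for a in accounts if matches(tree, a)]


if __name__ == "__main__":
    for f in ("", "startsWith('__NAME__', 'a')",
              "startsWith('__NAME__', 'a') & endsWith('__NAME__', 'z')"):
        print(repr(f), "->", preview(f, ACCOUNTS))
```

Comparing the preview of a proposed filter with the preview of the empty filter shows exactly which accounts would fall outside the reconciliation run.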
You can use reconciliation scheduled jobs to reconcile user account data from the target system.
Depending on whether you want to reconcile data about users or deleted users from the target system, you must specify values for the attributes of one of the following scheduled jobs:
SAP UME Target User Reconciliation
You use the SAP UME Target User Reconciliation scheduled job to reconcile user data from the SAP UME target system.
SAP UME Target User Delete Reconciliation
You use the SAP UME Target User Delete Reconciliation scheduled job to reconcile data about deleted users from the target system. During a reconciliation run, for each deleted user account on the target system, the SAP User Management Engine resource is revoked for the corresponding OIM User.
SAP AC UME Target User Reconciliation
You use the SAP AC UME Target User Reconciliation scheduled job to reconcile user data from the SAP AC UME target system.
SAP AC UME Target User Delete Reconciliation
You use the SAP AC UME Target User Delete Reconciliation scheduled job to reconcile data about deleted users from the target system. During a reconciliation run, for each deleted user account on the target system, the SAP User Management Engine resource is revoked for the corresponding OIM User.
This section discusses the attributes of the following scheduled jobs:
You use the SAP UME Target User Reconciliation and SAP AC UME Reconciliation scheduled jobs to reconcile user records from the SAP BusinessObjects AC target system. Table 3-3 describes the attributes of the SAP UME Target User Reconciliation and SAP AC UME Target User Reconciliation scheduled jobs.
Table 3-3 Attributes of the SAP UME Target User Reconciliation and SAP AC UME Target User Reconciliation Scheduled Jobs
Attribute | Description |
---|---|
Filter | Expression for filtering records. Sample value: |
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Depending on the scheduled job you are using, the default values are as follows: |
Object Type | Enter the type of object you want to reconcile. Default value: |
Resource Object Name | Name of the resource object that is used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: |
You use the SAP UME Target User Delete Reconciliation and SAP AC UME Target User Delete Reconciliation scheduled jobs to reconcile deleted user records from the SAP BusinessObjects AC target system. Table 3-4 describes the attributes of the SAP UME Target User Delete Reconciliation and SAP AC UME Target User Delete Reconciliation scheduled jobs.
Table 3-4 Attributes of the SAP UME Target User Delete Reconciliation and SAP AC UME Target User Delete Reconciliation Scheduled Jobs
Attribute | Description |
---|---|
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Depending on the scheduled job you are using, the default values are as follows: |
Object Type | Enter the type of object you want to reconcile. Default value: |
Resource Object Name | Name of the resource object that is used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: |
You use the SAP AC Request Status scheduled job to reconcile request status from the SAP BusinessObjects AC target system. Table 3-5 describes the attributes of this scheduled job.
Table 3-5 Attributes of the SAP AC Request Status Scheduled Job
Attribute | Description |
---|---|
IT Resource Name | Name of the IT resource instance that the connector must use to reconcile data. Default value: |
Object Type | Type of object you want to reconcile. Default value: |
Resource Object Name | Name of the resource object against which reconciliation runs must be performed. Default value: |
Scheduled Task Name | Name of the scheduled task. Default value: |
Configure scheduled jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Manager.
This section describes the procedure to configure scheduled jobs. You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.
Table B-1 lists the scheduled jobs that you must configure.
To configure a scheduled job:
If you are using Oracle Identity Manager release 11.1.1.x, then perform the following steps:
Log in to the Administrative and User Console.
On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
If you are using Oracle Identity Manager release 11.1.2.x, then perform the following steps:
Log in to Identity System Administration.
In the left pane, under System Management, click Scheduler.
Search for and open the scheduled job as follows:
If you are using Oracle Identity Manager release 11.1.1.x, then on the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
In the search results table on the left pane, click the scheduled job in the Job Name column.
On the Job Details tab, you can modify the following parameters:
Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.
In addition to modifying the job details, you can enable or disable a job.
On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled job.
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.
Attributes of the scheduled job are discussed in Reconciliation Scheduled Jobs.
Click Apply to save the changes.
Note:
You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.
These are the guidelines that you must apply while performing provisioning operations.
This section provides more information about the following guidelines:
The following are guidelines that you must apply while performing provisioning operations in any of the supported deployment operations:
If an ABAP data source is configured in SAP User Management Engine, then ABAP roles are shown as groups in SAP User Management Engine. However, SAP User Management Engine does not allow assigning such groups to user accounts in some configurations.
To assign groups that represent the AS ABAP role, create a new AS Java role in the User Administration tool of SAP User Management Engine. Then, assign the group that represents the AS ABAP role to the newly created AS Java role in Oracle Identity Manager.
If you disable a user account in Oracle Identity Manager, the connector updates the value of the Valid Through attribute with yesterday's date. If the user has logged in to the target system today, or if the password of the user was changed today, then SAP User Management Engine updates the Valid Through attribute with today's date and locks the user.
Ensure that the dates on Oracle Identity Manager and the SAP User Management Engine target system are in sync.
The length of the Logon Name field varies in the target system based on the data source configuration. If a target system allows 15 characters, and if you enter more than 15 characters for the Logon Name field in Oracle Identity Manager, then an error is encountered. Therefore, the length of the Logon Name field must be limited to 15 characters in Oracle Identity Manager.
Through provisioning, if you want to create and disable an account at the same time, then you can set the value of the Valid Through attribute to a date in the past. For example, while creating an account on 31-Jul, you can set the Valid Through date to 30-Jul. With this value, the resource provisioned to the OIM User is in the Disabled state immediately after the account is created.
However, on the target system, if you set the Valid Through attribute to a date in the past while creating an account, then the target system automatically sets Valid Through to the current date. The outcome of this Create User provisioning operation is as follows:
The values of the Valid Through attribute on Oracle Identity Manager and the target system do not match.
On the target system, the user can log in throughout the current day. The user cannot log in from the next day onward.
You can lock the user on the target system so that the user is not able to log in the day the account is created.
Remember that if password or system assignment fails during a Create User provisioning operation, then the user is not created.
When you try to provision a multivalued attribute, such as a role or group, if the attribute has already been set for the user on the target system, then the status of the process task is set to Completed in Oracle Identity Manager. If required, you can configure the task so that it shows the status Rejected in this situation. See Modifying Process Tasks in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about configuring process tasks.
When you perform the Lock User or Unlock User provisioning operation, remember that the connector makes the required change on the target system without checking whether the account is currently in the Locked or Unlocked state. This is because the target system does not provide a method to check the current state of the account.
The target system does not accept non-English letters in the E-mail Address field. Therefore, during provisioning operations, you must enter only English language letters in the E-mail Address field on the process form.
When you assign a role to a user through provisioning, you set values for the following attributes:
Datasource
Role
The following are guidelines that you must apply while performing provisioning operations after configuring the access request management feature of the connector:
During a Create User operation performed when the Access Request Management is configured, first submit process form data. Submit child form data after the user is created on the target system. This is because when Access Request Management is enabled, the connector supports modification of either process form fields or child form fields in a single Modify User operation.
The following fields on the process form are mandatory attributes on SAP BusinessObjects AC Access Request Management:
Note:
When the Access Request Management feature is configured, you must enter values for these fields even though some of them are not marked as mandatory fields on the Oracle Identity System Administration.
AC Manager
AC Manager email
AC Priority
AC System
AC Requestor ID
AC Requestor email
AC Request Reason
The following fields may be mandatory or optional based on the configuration in SAP BusinessObjects Access Control system:
AC Manager First Name
AC Manager Last Name
AC Manager Telephone
AC Request Due Date
AC Functional Area
AC Business Process
AC Requestor First Name
AC Requestor Last Name
AC Requestor Telephone
AC Company
As mentioned earlier in this guide, SAP BusinessObjects Access Request Management does not process passwords. Therefore, any value entered in the Password field is ignored during Create User provisioning operations. After a Create User operation is performed, the user for whom the account is created on the target system must apply one of the following approaches to set the password:
To use the Oracle Identity Manager password as the target system password, change the password through Oracle Identity Manager.
Directly log in to the target system, and change the password.
You perform an Enable User operation by setting the Valid From field to a future date. Similarly, you perform a Disable User operation by setting the Valid Through field to the current date. Both operations are treated as Modify User operations.
When you delete a user (account) on Oracle Identity System Administration (process form), a Delete User request is created.
When you select the Lock User check box on the process form, a Lock User request is created.
When you deselect the Lock User check box on the process form, an Unlock User request is created.
The Enable User and Disable User operations are implemented through the Valid From and Valid Through fields on the process form.
In a Modify User operation, you can specify values for attributes that are mapped with SAP BusinessObjects AC Access Request Management and attributes that are directly updated on the target system. A request is created in SAP BusinessObjects AC Access Request Management only for attributes whose mappings are present in these lookup definitions. If you specify values for attributes that are not present in these lookup definitions, then the connector sends them directly to the target system.
Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.
When you install the connector on Oracle Identity Manager release 11.1.1.x, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.
If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Switching Between Request-Based Provisioning and Direct Provisioning.
The following are types of provisioning operations:
Direct provisioning
Request-based provisioning
Provisioning triggered by policy changes
See Also:
Manually Completing a Task in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for information about the types of provisioning
This section discusses the following topics:
The following is the sequence of steps that takes place during a provisioning operation performed in an SoD-enabled environment:
The provisioning operation triggers the appropriate adapter.
SAP BusinessObjects SoD Invocation Library (SIL) Provider passes the entitlement data to the Web service of SAP BusinessObjects AC.
After SAP BusinessObjects AC runs the SoD validation process on the entitlement data, the response from the process is returned to Oracle Identity Manager.
The status of the process task that received the response depends on the response itself. If the entitlement data clears the SoD validation process, then the adapter carries provisioning data to the corresponding SPML request on the target system and the status of the process task changes to Completed. This translates into the entitlement being granted to the user. If the SoD validation process returns the failure response, then the status of the process task changes to Canceled.
In direct provisioning, only Oracle Identity Manager administrators can create and manage target system resources.
To provision a resource by using the direct provisioning approach:
Log in to the Administrative and User Console.
If you want to first create an OIM User and then provision a target system account, then:
On the Welcome to Identity Administration page, in the Users region, click Create User.
On the Create User page, enter values for the OIM User fields, and then click Save.
If you want to provision a target system account to an existing OIM User, then:
On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.
From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.
On the user details page, click the Resources tab.
From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.
On the Step 1: Select a Resource page, select SAPUME Resource Object from the list and then click Continue.
Note:
If you are using the SAP BusinessObjects AC system, then select SAP AC UME Resource Object from the list and then click Continue.
On the Step 2: Verify Resource Selection page, click Continue.
On the Step 5: Provide Process Data for SAPUME Process Form page, enter the details of the account that you want to create on the target system and then click Continue.
If you are using the SAP BusinessObjects AC system, you enter the details of the account on the Provide Process Data for SAP AC UME Process Form page.
If required, on the Step 5: Provide Process Data for SAPUME Group Form page, search for and select a group for the user on the target system and then click Continue.
If you are using the SAP BusinessObjects AC system, then search for and select a group on the Provide Process Data for SAP AC UME Group Form.
If required, on the Step 5: Provide Process Data for SAPUME Role Form page, search for and select a role for the user on the target system and then click Continue.
If you are using the SAP BusinessObjects AC system, then search for and select a role on the Provide Process Data for SAP AC UME Role Form.
On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.
The "Provisioning has been initiated" message is displayed. Close the window displaying this message.
On the Resources tab, click Refresh to view the newly provisioned resource.
This section describes the prerequisites and the procedure to perform direct provisioning. It contains the following sections:
Note:
Perform the procedure in this section only in the following situations:
The first time you perform direct provisioning.
If you switch from request-based provisioning to direct provisioning.
When you run the Connector Installer, the configuration for direct provisioning of SAP user accounts is installed. Although the process form is displayed during direct provisioning, the connector cannot complete direct provisioning operations unless you enable the use of the process form. If you want to enable the use of the process form during direct provisioning, then perform the procedure described later in this section.
To enable the use of the process form during direct provisioning:
Note:
Request-based provisioning is disabled after you perform this procedure.
Log in to the Design Console.
Disable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the SAPUME process process definition.
Deselect the Auto Save Form check box.
Click the Save icon.
If the Self Request Allowed feature is enabled, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the SAPUME Resource Object resource object.
Deselect the Self Request Allowed check box.
Click the Save icon.
To provision a resource by using the direct provisioning approach:
Log in to the Administrative and User Console.
If you want to first create an OIM User and then provision a target system account, then:
On the Welcome to Identity Administration page, in the Users region, click Create User.
On the Create User page, enter values for the OIM User fields, and then click Save.
If you want to provision a target system account to an existing OIM User, then:
On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the drop-down list on the left pane.
From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.
On the user details page, click the Resources tab.
From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.
On the Step 1: Select a Resource page, select SAPUME Resource Object from the list and then click Continue.
On the Step 2: Verify Resource Selection page, click Continue.
On the Step 5: Provide Process Data page for process data, enter the details of the account that you want to create on the target system and then click Continue.
On the Step 5: Provide Process Data page for profile data, search for and select profiles for the user on the target system and then click Continue.
On the Step 5: Provide Process Data page for role data, search for and select roles for the user on the target system and then click Continue.
On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.
The "Provisioning has been initiated" message is displayed. Close the window displaying this message.
On the Resource tab of the user details page, click Refresh to view the newly provisioned resource.
To view the Resource Provisioning Details page, which shows the details of the process tasks that were run:
On the Resources tab of the user details page, from the Action menu, select Resource History.
The SOD Check Status field is updated with SOD Check Completed status.
As the administrator assigning a resource to a user, you can either end the process when a violation is detected or modify the assignment data and then resend it. To modify the assignment data, on the Resource tab of the user details page, select the row containing the resource, and then click Open.
In the Edit Form window that is displayed, you can modify the role and profile data that you had selected earlier.
Note:
To modify a set of entitlements in the Edit Form window, you must first remove all entitlements and then add the ones that you want to use.
In the following screenshot, one of the roles selected earlier is marked for removal:
After invoking the risk analysis web service, the results of the SoD validation process are brought to Oracle Identity Manager. If you open the process form, the results will be displayed as shown in the screenshot in Step 17.
In request-based provisioning, users can raise requests for creating and managing their accounts. Other users designated as administrators or approvers act upon these requests.
A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:
Note:
The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.
The following steps are performed by the end user in a request-based provisioning operation:
The request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The request-based provisioning process described in this section covers steps to be performed by both entities.
In the example used in this section, the end user creates a request for two roles on the target system. The request clears the SoD validation process and is approved by the approver.
The following topics provide more information about request-based provisioning:
The following are types of request-based provisioning:
Request-based provisioning of accounts: OIM Users are created but not provisioned target system resources when they are created. Instead, the users themselves raise requests for provisioning accounts.
Request-based provisioning of entitlements: OIM Users who have been provisioned target system resources (either through direct or request-based provisioning) raise requests for provisioning entitlements.
The following steps are performed by the end user in a request-based provisioning operation on Oracle Identity Manager release 11.1.1.x:
See Also:
Registering to Oracle Identity Manager in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for detailed information about these steps.
This section discusses the role of the approver in a request-based provisioning operation.
The approver to whom the request is assigned can use the Pending Approvals feature to view details of the request.
In addition, the approver can click the View link to view details of the SoD validation process.
The approver can decide whether to approve or deny the request, regardless of whether the SoD engine accepted or rejected the request. The approver can also modify entitlements in the request.
The following steps are performed by the approver in a request-based provisioning operation on Oracle Identity Manager release 11.1.1.x:
Note:
Perform this procedure only if you are using Oracle Identity Manager release 11.1.1.x. It is assumed that you have performed the procedure described in Configuring Oracle Identity Manager for Request-Based Provisioning.
In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Manager. Direct provisioning cannot be used if you enable request-based provisioning.
The following sections discuss the steps to be performed to switch between request-based provisioning and direct provisioning:
You can switch from request-based provisioning to direct provisioning using the following steps.
To switch from request-based provisioning to direct provisioning, do the following:
Log in to the Design Console.
Disable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the SAPUME process process definition.
Note:
If you are using SAP BusinessObjects AC system, then search for and open the SAP AC UME process process definition.
Deselect the Auto Save Form check box.
Click the Save icon.
If the Self Request Allowed feature is enabled, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the SAPUME Resource Object resource object.
Note:
If you are using SAP BusinessObjects AC system, then search for and open the SAP AC UME process process definition.
Deselect the Self Request Allowed check box.
Click the Save icon.
You can switch from direct provisioning to request-based provisioning using the following steps.
To switch from direct provisioning to request-based provisioning, do the following:
Log in to the Design Console.
Enable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the SAPUME process process definition.
Select the Auto Save Form check box.
Click the Save icon.
If you want to enable end users to raise requests for themselves, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the SAPUME Resource Object resource object.
Note:
If you are using SAP BusinessObjects AC system, then search for and open the SAP AC UME Resource Object resource object.
Select the Self Request Allowed check box.
Click the Save icon.
Provisioning involves creating or modifying a user account on the target system through Oracle Identity Manager.
To configure provisioning operations in Oracle Identity Manager release 11.1.2.x:
Note:
The first provisioning operation that you perform by using this connector takes longer than usual to complete.
Log in to Oracle Identity System Administration.
Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
Create an application instance. To do so:
In the left pane, under Configuration, click Application Instances. The Application Instances page is displayed.
From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.
Specify values for the following fields:
Name: The name of the application instance.
Description: A description of the application instance.
Resource Object: The resource object name. Click the search icon next to this field to search for and select SAPUME Resource Object. If you are using SAP BusinessObjects AC system, then select SAP AC UME Resource Object.
IT Resource Instance: The IT resource instance name. Click the search icon next to this field to search for and select SAPUME IT Resource. If you are using SAP BusinessObjects AC system, then select SAP AC UME IT Resource.
Form: Select the form name, for example, SAPUME (or SAPACUME for SAP BusinessObjects AC system). To do so, click Create against the Form list, specify the form name, and then create it. On the Create Application Instance page, click the Refresh icon next to the Form field. From this list, select the form name that you created.
Note:
If you are using SAP BusinessObjects AC system, then:
Resource Object: SAP AC UME Resource Object
IT Resource Instance: SAP AC UME IT Resource
Form: UD_SAPACUME
Publish the sandbox.
Run lookup field synchronization. See Scheduled Job for Lookup Field Synchronization and Scheduled Jobs for SAP BusinessObjects AC Lookup Field Synchronization for more information.
Search for and run the Entitlement List scheduled job to populate the ENT_LIST table. See Configuring Scheduled Jobs for more information about configuring and running scheduled jobs.
Publish the application instance (created in Step 3) to an organization. To do so:
On the Organizations tab of the Application Instance page, click Assign.
In the Select Organizations dialog box, select the organization to which you want to publish the application instance.
Select the Apply to entitlements check box.
Click OK.
Search for and run the Catalog Synchronization Job scheduled job. See Configuring Scheduled Jobs for more information about configuring and running scheduled jobs.
Log in to Oracle Identity System Administration.
Create a user. See Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.
On the Account tab, click Request Accounts.
In the Catalog page, search for and add to cart the application instance created in Step 3, and then click Checkout.
Specify values for the fields in the application form, and then click Ready to Submit.
Click Submit.
If you want to provision entitlements, then:
On the Entitlements tab, click Request Entitlements.
In the Catalog page, search for and add to cart the entitlement, and then click Checkout.
Click Submit.
If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.