This chapter contains the following sections:
Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics"
Section 10.2, "Scheduling a Job by Editing the Configuration Files"
Oracle Identity Analytics provides a scheduler that enables you to set a specific time for imports and exports. You can schedule import and export jobs using the scheduler in the user interface (the UI-based scheduler), or you can schedule jobs by hand-editing configuration files.
Note:
Before you can import data into Oracle Identity Analytics, you need to configure a provisioning server. For more information, see Section 11.1.4, "Provisioning Servers Configuration."
This section discusses how to schedule an import and export job using the user interface. For instructions on how to schedule an import and export job by editing the configuration files, see Section 10.2, "Scheduling a Job by Editing the Configuration Files."
Note:
You cannot export roles, policies, or other account-related data to a file.
You can export roles from Oracle Identity Analytics to either Oracle Waveset or Oracle Identity Manager. For more information see the following chapters in the System Integrator's Guide for Oracle Identity Analytics:
Integrating With Oracle Waveset (Sun Identity Manager)
Integrating With Oracle Identity Manager, Deprecated Method
Note:
When scheduling a one-time-only job, the job runs at the scheduled date and time in your local time zone (that is, the client computer time zone).
When scheduling a recurring job, the job will run at the scheduled time in the time zone configured on the server (that is, the server computer time zone).
Log in to Oracle Identity Analytics as an administrator.
Choose Administration > Configuration.
Click Import/Export.
Click Schedule Job.
Click a job type (for example, Import Users) to select it.
The Data Selection Source page opens.
Select a data selection source from the list of provisioning servers.
It is important to select the correct server type from the drop-down menu.
Oracle Identity Analytics does not support flat-file data exports.
For flat-file data imports, choose the File Server option. The File Server option is a standard option that you can use to import data from a CSV or XML file.
Type a name and description for the job.
Select Run Now to run the job immediately, or clear this option and enter the required job scheduling information.
Click Finish to create the job.
Note - Each resource type has at least one resource. Therefore, it is important to select the correct resource if performing an entitlement import or export.
You do not need to specify resource type or resource information for certain kinds of imports and exports. Specifically, role imports and exports as well as users imports and exports do not require this information.
You can schedule jobs, including import and export jobs, by hand-editing configuration files and restarting the application server.
Two configuration files control the scheduler. These two files are located in the $RBACX_HOME/WEB-INF folder:
scheduling-context.xml - Edit this file to enable (or disable) scheduled tasks, such as users import, accounts import, and others.
jobs.xml - Edit the cron expressions in this file to define a schedule for each job.
Note:
The contents of these files vary by application server.
To schedule a job, you must edit both scheduling-context.xml and jobs.xml and restart the application server.
The following table lists the types of jobs that can be enabled and scheduled by editing the configuration files. For each job that you are enabling or disabling, both the job name and the trigger name appear in both scheduling-context.xml and jobs.xml. If you are enabling a job, verify that both job references and both trigger references contain correct information and are not commented out. See Section 10.2.1, "To Enable a Job by Editing the Configuration Files" for more information.
Table 10-1 Jobs That can be Scheduled by Editing the Configuration Files
| Job Name | Trigger Name | Description | Dependency | Input |
|---|---|---|---|---|
|
usersImportJob |
usersImportTrigger |
Imports users. |
Business Structure Import. |
${Drop file location}/schema/filename + ${Drop file location}/in/filename + |
|
accountsImportJob |
accountsImportTrigger |
Imports accounts. |
Users Import. |
${Drop file location}/schema/filename + ${Drop file location}/in/filename + |
|
rolesImportJob |
rolesImportTrigger |
Imports roles. |
Policy Import. |
${Drop file location}/schema/filename + ${Drop file location}/in/filename + |
|
glossaryImportJob |
glossaryImportTrigger |
Imports glossary definitions. |
Policy Import. |
${Drop file location}/schema/filename + ${Drop file location}/in/filename + |
|
policiesImportJob |
policiesImportTrigger |
Imports policies. |
Accounts Import. |
${Drop file location}/schema/filename + ${Drop file location}/in/filename + |
|
businessStructureImportJob |
businessStructureImportTrigger |
Imports business structure definitions. |
Resources import Job. |
${Drop file location}/schema/filename + ${Drop file location}/in/filename + |
|
identityAuditContinuousViolationScanJob |
identityAuditContinuousViolationScanTrigger |
Scans for continuous identity audit violations |
No dependency. |
Database for auto scan. |
|
identityAuditViolationReminderJob |
identityAuditViolationReminderTrigger |
Sends out an identity violation reminder when an e-mail template is configured. |
No dependency. |
Reminder email template notification for audit. |
|
certificationReminderJob |
certificationReminderTrigger |
Sends out a certification reminder when an e-mail template is configured. |
No dependency. |
Reminder e-mail templates notification for certification. |
|
reportReminderJob |
reportReminderTrigger |
Sends out a report reminder when an email template is configured. |
No dependency. |
Reminder e-mail template notification for reports. |
|
stableFolderCleanUpJob |
stableFolderCleanUpTrigger |
Cleans the stable folder. |
No dependency. |
$(Drop file location)/in/.stable |
|
accountsMaintenanceJob |
accountsMaintenanceTrigger |
Maintenance of accounts. |
Accounts Import. |
Accounts in the database based on the settings from iam.properties. Cleaning up internal tables in the database. |
|
roleMembershipRuleJob |
roleMembershipRuleTrigger |
Triggers the role membership rule. |
Roles Import. |
Database for rules of roles. |
|
fullTextIndexMaintenancedJob |
fullTextIndexMaintenancedTrigger |
Maintenance of full text index. |
No dependency. |
Database. |
|
workflowStepSLAJob |
workflowStepSLATrigger |
Triggers workflow steps. |
No dependency. |
Database. N/A |
|
roleStatusAndMembershipMaintenanceJob |
roleStatusAndMembershipMaintenanceTrigger |
Maintenance of role status and membership. |
Role membership rule job. |
Database for start or end date of users. |
|
rmPreviewCleanUpJob |
rmPreviewCleanUpTrigger |
Cleans preview. |
No dependency. |
Database cleanup. |
|
userApplicationMaintenanceJob |
userApplicationMaintenanceTrigger |
Maintenance of user application. |
No dependency. |
Database for Applications scan. |
|
postImportJobsLauncherJob |
postImportJobsLauncherTrigger |
Triggers post import jobs. |
Users Import and Accounts Import. |
N/A |
|
certificationRemediationJob |
certificationRemediationTrigger |
Triggers certification remediation. |
No dependency. |
Database for remediation update. |
|
rmScanArchivalJob |
rmScanArchivalTrigger |
Triggers scan archival. |
No dependency. |
Database cleanup. |
|
eventPublishingJob |
eventPublishingTrigger |
Triggers event publishing. |
No dependency. |
Database for Event Listener. |
|
rmeRuleMigrationJob |
rmeRuleMigrationTrigger |
Triggers rule migration. |
No dependency. |
Database for migration from an earlier release to PS1. |
The following procedure describes how to enable a job. This example demonstrates how to enable the users import job and the accounts import jobs. The same procedure, however, can be used to enable other kinds of jobs, as well.
Navigate to $RBACX_HOME/WEB-INF/.
Open scheduling-context.xml in a text editor.
Edit the required lines as follows to enable import:
To enable users import, uncomment usersImportJob in the jobDetails property section, and uncomment usersImportTrigger in the triggers property section.
The uncommented usersImportJob line should look like this:
<ref bean="usersImportJob"/>
The uncommented usersImportTrigger line should look like this:
<ref bean="usersImportTrigger"/>
To enable accounts import, uncomment accountsImportJob in the jobDetails property section, and uncomment accountsImportTrigger in the triggers property section.
The uncommented accountsImportJob line should look like this:
<ref bean="accountsImportJob"/>
The uncommented accountsImportTrigger line should look like this:
<ref bean="accountsImportTrigger"/>
Save your changes.
Schedule the job by editing jobs.xml in a text editor.
See Section 10.2.2, "To Schedule a Job by Editing the Configuration Files" for more information.
The portion of scheduling-context.xml that contains the lines that you need to edit follows:
<property name="jobDetails">
<list>
<!-- Uncomment the line before to use this account import job.
Multiple jobs can be added,
1. Define a job in jobs.xml
2. Add a reference to job below -->
<!--ref bean="usersImportJob"/-->
<!--ref bean="accountsImportJob"/-->
<!--ref bean="rolesImportJob"/-->
<!--ref bean="glossaryImportJob"/-->
<!--ref bean="policiesImportJob"/-->
<!--ref bean="certificationReminderJob"/-->
<!--ref bean="reportReminderJob"/-->
<!--ref bean="stableFolderCleanUpJob"/-->
<!--ref bean="accountsMaintenanceJob"/-->
<!--ref bean="roleMembershipRuleJob"/-->
<ref bean="fullTextIndexMaintenancedJob"/>
<ref bean="workflowStepSLAJob"/>
<ref bean="roleMembershipJob"/>
</list>
</property>
<property name="triggers">
<list>
<!-- Uncomment the line before to use this account import job.
Multiple triggers can be added,
1. Define a trigger in jobs.xml
2. Add a reference below -->
<!--ref bean="usersImportTrigger"/-->
<!--ref bean="accountsImportTrigger"/-->
<!--ref bean="accountsImportTrigger_2"/--> <!-- Additional triggers for account imports
to be used in clusters -->
<!--ref bean="accountsImportTrigger_3"/--> <!-- Additional triggers for account imports
to be used in clusters -->
<!--ref bean="rolesImportTrigger"/-->
<!--ref bean="glossaryImportTrigger"/-->
<!--ref bean="policiesImportTrigger"/-->
<!--ref bean="certificationReminderTrigger"/-->
<!--ref bean="reportReminderTrigger"/-->
<!--ref bean="stableFolderCleanUpTrigger"/-->
<!--ref bean="accountsMaintenanceTrigger"/-->
<!--ref bean="roleMembershipRuleTrigger"/-->
<ref bean="fullTextIndexMaintenanceTrigger"/>
<ref bean="workflowStepSLATrigger"/>
<ref bean="roleMembershipJobTrigger"/>
</list>
</property>
The following procedure describes how to schedule a job by editing jobs.xml in a text editor. This example demonstrates how to schedule the users import jobs and the accounts import jobs. The same procedure, however, can be used to schedule other kinds of jobs, as well.
Before You Begin - Before a job can run, you need to enable it. See Section 10.2.1, "To Enable a Job by Editing the Configuration Files" for instructions.
Navigate to $RBACX_HOME/WEB-INF/.
Open jobs.xml in a text editor.
To schedule a users import job, follow these steps:
Uncomment usersImportTrigger and usersImportJob (if necessary).
In usersImportTrigger, edit the cron expression to schedule the job.
See Section 10.2.3, "Sample Cron Expressions" for more information.
To schedule an accounts import job, follow these steps:
Uncomment accountsImportTrigger and accountsImportJob (if necessary).
In accountsImportTrigger, edit the cron expression to schedule the job. See Section 10.2.3, "Sample Cron Expressions" for more information.
Save your changes.
Restart the application server to have your changes take effect.
Note:
If running Oracle Identity Analytics in a clustered environment, you need to define additional triggers for each server in the cluster that you want to run the job at the same time. Refer to the example in the jobs.xml file for more information.
The portion of jobs.xml that contains the usersImportJob and usersImportTrigger sections that you need to edit follows:
<bean id="usersImportTrigger" class="org.springframework.scheduling.quartz.CronTriggerBean">
<property name="jobDetail">
<ref bean="usersImportJob"/>
</property>
<property name="cronExpression">
<value>0 0/5 * * * ?</value>
</property>
</bean>
<bean id="usersImportJob" class="org.springframework.scheduling.quartz.JobDetailBean">
<property name="name">
<value>Users Import</value>
</property>
<property name="description">
<value>Users import Job</value>
</property>
<property name="jobClass">
<value>com.vaau.rbacx.scheduling.manager.providers.quartz.jobs.IAMJob</value>
</property>
<property name="group">
<value>SYSTEM</value>
</property>
<property name="durability">
<value>true</value>
</property>
<property name="jobDataAsMap">
<map>
<!-- only single user name can be specified for jobOwnerName (optional)-->
<entry key="jobOwnerName">
<value>REPLACE_ME</value>
</entry>
<!-- multiple user names can be specified as
comma delimited e.g user1,user2 (optional)-->
<entry key="usersToNotify">
<value>REPLACE_ME</value>
</entry>
<entry key="IAMActionName">
<value>ACTION_IMPORT_USERS</value>
</entry>
<entry key="IAMServerName">
<value>FILE_SERVER</value>
</entry>
<!-- Job chaining, i.e. specify the next job to run (optional) -->
<entry key="NEXT_JOB">
<value>rolesImportJob</value>
</entry>
</map>
</property>
</bean>
The schedule for each job is specified using a cron expression. A cron expression is a string comprised of six or seven fields separated by white space that specify the time and day (or time and date) for every job. Each job has a cron expression, which is defined within the <property name="cronExpression"> element in jobs.xml.
The following operators can be used in cron expressions:
The comma operator (',') specifies a list of values, for example: 1,2,3,5,7.
The dash operator ('-') specifies a range of values, for example: 1-5, which is equivalent to 1,2,3,4,5.
The asterisk operator ('*') specifies all possible values for a field. For example, an asterisk in the day-of-month field is equivalent to every day (unless other fields further modify the expression).
The slash operator ('/') can be used to skip a given number of values. For example 0/5 in the minute field is equivalent to every five minutes.
The question mark operator ('?') is allowed for the day-of-month and day-of-week fields. It is used to specify 'no specific value'. This is useful when you need to specify something in one of the two fields, but not the other.
The fields that make up a cron expression are listed here:
.------------------- second (0 - 59) | .---------------- minute (0 - 59) | | .------------- hour (0 - 23) | | | .---------- day of month (1 - 31) | | | | .------- month (1 - 12) OR jan,feb,mar,apr ... | | | | | .---- day of week (1 - 7) (Sunday=1) OR | | | | | | sun,mon,tue,wed,thu,fri,sat * * * * * *
Following are a few sample cron expressions.
Table 10-2 Sample Cron Expressions
| Cron Expression | Definition |
|---|---|
|
|
Fire at 12pm (noon) every day |
|
|
Fire at 10:15am every day |
|
|
Fire at 10:15am every day |
|
|
Fire at 10:15am every day |
|
|
Fire at 10:15am every day during the year 2007 |
|
|
Fire every minute starting at 2pm and ending at 2:59pm, every day |
|
|
Fire every 5 minutes starting at 2pm and ending at 2:55pm, every day |
|
|
Fire every 5 minutes starting at 2pm and ending at 2:55pm, AND fire every 5 minutes starting at 6pm and ending at 6:55pm, every day |
|
|
Fire every minute starting at 2pm and ending at 2:05pm, every day |
|
|
Fire at 2:10pm and at 2:44pm every Wednesday in the month of March |
|
|
Fire at 10:15am every Monday, Tuesday, Wednesday, Thursday and Friday |
|
|
Fire at 10:15am on the 15th day of every month |
|
|
Fire at 10:15am on the last day of every month |
|
|
Fire at 10:15am on the last Friday of every month |
|
|
Fire at 10:15am on every last Friday of every month during the years 2002, 2003, 2004 and 2005 |
|
|
Fire at 10:15am on the third Friday of every month |
|
|
Fires every half hour between the hours of 8:00am and 10:00am on the 5th and 20th of every month. Note that the trigger will NOT fire at 10:00 am, just at 8:00, 8:30, 9:00 and 9:30. |
|
|
Fire every 5 minutes and 10 seconds |
|
|
Fire every 5 minutes |
This section lists other kinds of jobs that can be scheduled in Oracle Identity Analytics.
Reports - For information about how to schedule reports, see "To Schedule Reports" in the "Reports" chapter of the User's Guide for Oracle Identity Analytics.
Email reminders - For information about how to schedule reminder e-mails to be sent to data owners reminding them to review and sign-off on reports, see Section 11.2.4, "Reports Configuration."
Certifications - For information about how to schedule certifications, see Section 7.3.1, "To Schedule a Certification" in the Oracle Identity Analytics Identity Certifications chapter.
Role mining tasks - For information about how to schedule role mining tasks, see Section 5.2.3, "Running or Scheduling a Role Mining Task."
Risk aggregation - For information about how to schedule risk aggregation, see Section 1.4.4.2, "To Control How Often the Risk Aggregation Job Runs."