Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager
11g Release 2 (11.1.2.1.0)

Part Number E27149-14
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

15 Managing the Scheduler

In Oracle Identity Manager, it is often required to run jobs at specified times on a regular basis to manage various activities. Scheduler enables you to schedule jobs that automatically run predefined scheduled tasks at the specified time. This is illustrated by the following example:

To meet the security policies of an organization, employees may be required to change their product application password every 60 days. For this purpose, the system administrator has to ensure that an email is sent to all employees whose passwords for the respective product applications have expired. One approach would be to identify the set of users whose passwords have expired and send email to each employee manually. Alternatively, the system administrator can use a service, such as scheduler. In Oracle Identity Manager, there is a predefined scheduled task called Password Warning Task. The system administrator can use this scheduled task to create a scheduled job with the intended schedule.

See Also:

Table 15-2, "Predefined Scheduled Tasks" for information about the Password Warning Task scheduled task

Scheduler also enables you to create your own scheduled tasks that can be run by a job at a set time.

A scheduled task configure the metadata for a job, which is to be run, and the parameters required for execution of that task. This metadata is predefined for the predefined tasks. A new task can be added by the user, which will have the new metadata or the existing tasks can be updated to add/update the parameters for other configuration details. A job can be scheduled to run at the specified interval. You can create multiple jobs scheduled to run at different time intervals. A job run is a specific execution of a job. Each job run includes information such as the start time, stop time, exceptions and status of the execution.

This chapter discusses the following topics:

15.1 Configuring the oim-config.xml File

After you install Oracle Identity Manager, you can configure the scheduler settings by editing the child elements of the Scheduler element in the oim-config.xml file located in the following location in Meta Data Store (MDS):

db/oim-config.xml

See Also:

"Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about importing and exporting data to and from MDS

Table 15-1 lists the default elements that you can configure within the Scheduler element in the oim-config.xml file.

Note:

You can add new configurable child elements. For the information about new child elements, refer to the following URL:

http://www.quartz-scheduler.org/

Table 15-1 Child Elements of the Scheduler Element

Element Within Scheduler Element Description

DSJndiURL

This element is used for configuring transactional data source in the application server, which is used by Quartz to establish the connection.

Default value: jdbc/operationsDB

nonTxnDSJndiURL

This element is used for configuring non-transactional data source in the application server, which is used by Quartz to establish the connection.

Default value: jdbc/oimJMSStoreDS

Clustered

Enter true if Oracle Identity Manager has been installed in a clustered environment. Otherwise, enter false.

Default value: true

NOTE: In a clustered environment, the clocks on all nodes of the cluster must be synchronized.

implementationClass

Enter the name of the Java class that implements scheduler.

Default value: oracle.iam.scheduler.impl.quartz.QuartzSchedulerImpl

instanceID

Enter a unique string value in this element. This value represents a string that uniquely identifies an Oracle Identity Manager scheduler instance.

NOTE: In a clustered environment, each node of the cluster must have a unique InstanceId. This can be achieved by entering a value of AUTO in the instanceId element.

startOnDeploy

Enter false if you do not want scheduler service to start automatically when Oracle Identity Manager is started. Otherwise, enter true.

Default value: true

threadPoolSize

Enter an integer value in this element. This value represents the number of threads that must be used for running jobs.

Default Value: 10


15.2 Starting and Stopping the Scheduler

The Scheduler Status page is an authenticated UI page that displays the current status of the scheduler. At any given instance, the scheduler can be in one of the following statuses:

The Scheduler Status page also displays a detailed error message in the Last Error field, if any.

You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.

By default, the scheduler is in the started status after you install Oracle Identity Manager. However, if you want to stop scheduler for any reason and then restart it, then you must follow the procedure discussed in this section.

To start or stop the scheduler:

Note:

  • You need to have Scheduler Admin role to start or stop the scheduler.

  • In a clustered environment, you must perform this procedure on each node of the cluster.

  1. Browse to the following URL by using a Web browser:

    http://OIM_HOST:OIM_PORT/SchedulerService-web/status

    In this URL, OIM_HOST represents the name of the computer hosting the Oracle Identity Manager server, and OIM_PORT refers to the port on which Oracle Identity Manager server is listening.

  2. Enter the User ID and password, and then click Submit.

    The Scheduler Status page is displayed.

    Note:

    You may be automatically logged in to the scheduler service if you are working in a single sign-on environment.

  3. Depending on the type of action that you want to perform, click one of the following:

    • START: Click this button to start the scheduler.

    • STOP: Click this button to stop the scheduler. This stops the scheduler and further execution of triggers, but it does not stop or abort any jobs that are already executing. When the Scheduler Service is started again, jobs will then be executed at their appropriate times based on when they are scheduled.

    • REINIT: Click this button to reinitialize the scheduler.

15.2.1 Controlling Scheduler Start or Stop in a Clustered Environment

The scheduler.disabled system property is required if you want to control scheduler start or stop on a clustered setup. The scheduler.disabled system property must be set to true if you do not want to start the scheduler service on that node of the cluster.

This section contains the following topics:

15.2.1.1 Adding the Server Side Property for Oracle Identity Manager

To add the scheduler.disabled server-level property:

  1. Log in to the WebLogic Administrative Console.

  2. On the left panel, select Environment, Servers.

  3. Click the name of the managed server where you want to add the scheduler.disabled=false property.

  4. Select Lock and Edit.

  5. Select Configuration, Server Start.

  6. In the Arguments box, add the scheduler.disabled=false property, and click Save.

  7. Click Activate Change.

Restart the managed server using node manager so that the newly added property is picked up. Restarting from the Command-Line Interface does not work.

15.2.1.2 Restarting Oracle Identity Manager Managed Servers from the Node Manager

To restart Oracle Identity Manager Managed Servers from the Node Manager:

  1. Start the Administration server. To do so:

    1. From your current working directory, go to the MW_HOME/user_projects/domains/base_domain/ directory.

    2. Run the following command:

      For UNIX:

      startWebLogic.sh
      

      For Windows:

      startWebLogic.cmd
      
  2. Start the Node Manager. To do so:

    1. From your current working directory, go to the MW_HOME/wlserver_10.3/server/bin/ directory.

    2. Run the following command:

      For UNIX:

      startNodeManager.sh
      

      For Windows:

      startNodeManager.cmd
      
  3. Log in to the WebLogic Administrative Console.

  4. On the left panel, select Environment, Servers.

  5. Select Control from the right panel.

  6. Select the option where the property is added, and click Start.

15.2.1.3 Modifying the Server Side Property for Oracle Identity Manager

To modify the scheduler.disabled system property:

  1. Log in to the WebLogic Administrative Console by using the WebLogic administrator credentials.

  2. Under Domain Structure, select Environment, Servers. The Summary of Servers page is displayed.

  3. Click the Oracle Identity Manager server name, for example, oim_server1. The settings for oim_server1 is displayed.

  4. Click Configuration, Server Start.

  5. In the Arguments box, change the existing property scheduler.disabled = false/true.

  6. Click Save.

  7. Click Activate Changes.

  8. Restart the Oracle Identity Manager Managed Server.

    Note:

    After modifying the scheduler.disabled system property, you must start the Managed Server by using the Node Manager.

15.3 Disabling and Enabling the Scheduler on a Node in Cluster Setup

Disabling and enabling the scheduler on a node in cluster setup involves the following:

15.3.1 Adding the Server-Level Property

To add the server-level property to disable/enable the scheduler on a node in cluster setup:

  1. Log in to the WebLogic Administrative Console.

  2. In left pane, click Environment, Servers.

  3. Click the name of the managed server in which you want to add the scheduler.disabled=true property.

  4. Click Lock and Edit in the left tab.

  5. Click Configuration, Server start tab in the right pane.

  6. In the Argument Text box, add scheduler.disabled=true, and save.

  7. Click Activate Change in the left pane.

  8. To ensure that this property is picked, restart the managed server via the node manager. Restarting from script does not work.

15.3.2 Restarting the Managed Server from the Node Manger

To restart the managed server from the node manager:

  1. Start the Admin Sever by running the following script:

    MW_HOME/user_projects/domains/base_domain/startWebLogic.sh
    
  2. Start the Node Manager by running the following script:

    MW_HOME/wlserver_10.3/server/bin/startNodeManager.sh
    
  3. Login to the WebLogic Administrative Console.

  4. In left pane, click Environment, Servers.

  5. Click the Control tab in the right pane.

  6. Select the checkbox against the managed server in which the property has been added, and then click the start button.

After restarting the managed server, scheduler will not start because the value of the scheduler.disabled property is set to true. To verify this, navigate to the following URL and log in:

http://HOST:PORT/SchedulerService-web

15.4 Scheduled Tasks

In Oracle Identity Manager, metadata is predefined for the default scheduled tasks. New tasks can be added by the user with new metadata, or the existing tasks can be updated to add or update the parameters or other configuration details.

For example, you can configure a reconciliation run using a scheduled task that checks for new information on target systems periodically and replicates the same in Oracle Identity Manager. Each scheduled task contains the following metadata information:

This section discusses the following topics:

15.4.1 Predefined Scheduled Tasks

This release of Oracle Identity Manager provides a set of predefined scheduled tasks that you can use while creating or working with jobs. Table 15-2 lists the predefined scheduled tasks.

Table 15-2 Predefined Scheduled Tasks

Job Name Description User-Configurable Attributes Enabled By Default

Password Expiration Task

This scheduled task sends e-mail to users whose password expiration date had passed at the time when the task was run and then updates the USR_PWD_EXPIRED flag on the user profile.

Email Definition Name: Name of the email definition created in the Design Console for sending password expired notification to the user. The default value is "Password Expired".

Yes

Password Warning Task

This scheduled task sends e-mail to users whose password warning date had passed at the time when the task was run and then updates the USR_PWD_WARNED flag on the user profile.

Email Definition Name: Name of the email definition created in the Design Console for sending password expiration warning notification to the user. The default value is "Password Expiration Warning".

No

User Operations

This scheduled task performs the operation specified by the UserOperation attribute on the user account specified by the UserLogin attribute.

  • UserLogin: User ID of the user account

  • UserOperation: Operation that you want to perform on the user account. The value of this attribute can be ENABLE, DISABLE, or DELETE.

No

Attestation Grace Period Expiry Checker

This scheduled task delegates the attestation process after the grace period expires.

None

Yes

Task Escalation

This scheduled task escalates pending tasks whose escalation time had elapsed at the time when the scheduled task was run.

None

Yes

Task Timed Retry

This scheduled task creates a retry task for rejected tasks whose retry time has elapsed and whose retry count was greater than zero.

None

Yes

Set User Deprovisioned Date

A deprovisioning date is defined when a user account is created. For users whose deprovisioning date had passed at the time when this scheduled task was run, the task sets the deprovisioned date as the current date.

None

Yes

Disable/Delete User After End Date

An end date is defined when a user account is created. This scheduled task disables user accounts for which the end date had passed the current date at the time when the task is run.

Note: Oracle recommendation is to run this scheduled task every 30 minutes or 1 hour.

None

Yes

Set User Provisioned Date

This scheduled task sets the provisioned date to the current date for users for whom all of the following conditions are true:

  • The provisioning date is in the past.

  • The deprovisioned date has not been set.

  • The deprovisioning date has not been reached or is NULL.

None

Yes

Enable User After Start Date

A start date is set when a user account is created. This scheduled task enables user accounts for which the start date has passed, and the user status is Disabled Until Start Date. These users are enabled thorough this scheduled task, thereby making the users ACTIVE.

None

Yes

Remove Open Tasks

This scheduled task removes information about open tasks from the table that serves as the source for the list displayed in Oracle Identity System Administration.

Day Limit

Number of days for which information about an open task should be retained in the table before the information is deleted

By default, this attribute is not specified and disabled. You must enable and configure the time.

No

Issue Audit Messages Task

This scheduled task fetches audit message details from the aud_jms table and sends a single JMS message for a particular identifier and auditor entry in the aud_jms table. An MDB processes the corresponding audit message.

Max Records: Use this attribute to specify the maximum number of audit messages to be processed for a specified scheduled task run. The default value of this attribute is 400.

Yes

Initiate Attestation Processes

This scheduled task initiates a call to the Attestation Engine to run attestation processes that are scheduled to run at a time that has passed.

None

Yes

Request Execution Scheduled Task

This is a periodic scheduled task searches for requests with status "Request Awaiting Completion" and moves requests forward to the next stage "Operation Initiated" if the effective date set during the request submission is prior or equal to the current date.

Job Periodic Settings: Use this attribute to specify the time interval for the scheduled task to be run.

The default value is 6 hours.

Yes

Automated Retry of Failed Async Task

This scheduled task retries Async Tasks (JMS Messages) that have failed. If the execution of the task succeeds, it is removed from the list of failed tasks. If it fails, the retry count is incremented. The maximum number of times a Failed Task is retried is determined by the 'maxRetries' defined for that task in async-messaging.xml.

None

Yes

Evaluate User Policies

This scheduled task evaluates the access policies.

Number of Threads: Use this attribute to specify the total number of threads that will process re-evaluation.

The default value is 20.

Batch Size: Use this attribute to fetch number of records from the database to be processed in one iteration.

The default value is 500.

Time Limit in mins: Use this attribute to specify time in minutes, after which the schedule task will stop.

By default, this attribute is not specified and disabled. You must enable and configure the time.

Yes

Automatically Unlock User

This scheduled task automatically unlocks an user after the specified number of days.

None

Yes

Delayed Delete User

This scheduled task automatically deletes the user whose delete date is set as today. The scheduled task reads the XL.UserDeleteDelayPeriod system property, which indicates the number of days for which user will be in a Disable state when the user is deleted. This scheduled task finds all such users for whom this period has been reached and marks those users as deleted.

Note: See "System Properties in Oracle Identity Manager" for information about the XL.UserDeleteDelayPeriod system property.

In Oracle Identity Manager 11g Release 1 (11.1.1.5), this scheduled task is not active by default. In Oracle Identity Manager 11g Release 1 (11.1.1.3), this scheduled task is active by default. However, the state of this scheduled task does not change if Oracle Identity Manager is upgraded from Release 1 (11.1.1.3) to Release 1 (11.1.1.5).

Note: Oracle recommendation is to run this scheduled task frequently, such as every 1 hour.

None

No

Entitlement Assignments

This scheduled task populates Entitlement Assignment schema from child process form table whose field, Entitlement is marked as true.

RECORDS_TO_PROCESS_IN_BATCH: Number of records to process in a batch.

No

Entitlement List

This scheduled task populates Entitlement schema from lookup table whose child process form field, Entitlement is marked as true.

None

No

Get SOD Check Results Approval

This scheduled task gets back the result of SoD Evaluation from the SoD Server, for example, OAACG, SAP, and GRC for all requests waiting for SoD Check results. It reflects the SoDCheckResult and violation in appropriate dataset attributes. It will pick up all requests that are in "SoD check result pending" state and mark them as "SoD check completed".

None

No

Get SOD Check Results Provisioning

This scheduled task gets back the result of SoD Evaluation from the SoD Server, for example, OAACG, SAP, and GRC for all pending SoDCheck provisioning tasks. It reflects the SoDCheckResult and violation in appropriate process form attributes.

None

No

Non Scheduled Batch Recon

This scheduled task tries to process all the events created by non scheduled task based connectors such as PeopleSoft. Such connector created events are in either Event Received State or Data Received State, they only get processed if the batch size specified by the set of events is reached or via this scheduled task. This task executes as per settings to pick up all the unprocessed non scheduled task based events and submits them to the reconciliation engine for processing.

None

No

Orchestration Process Cleanup Task

This scheduled task deletes all completed parent orchestration processes.

Batch Size: Use this attribute to specify the number of completed orchestration processes to be deleted in each iteration.

Delete Just One Batch: Use this attribute to specify the value true or false. Only a single batch is deleted if the value is true. All the completed events are deleted batch at a time in a loop if the value is false.

Yes

Refresh Materialized View

The materialized view is used to generate reports related to reconciliation. This view needs to be updated periodically (at a specified interval, for instance, once a day). Therefore, this scheduled task was created to update the view on a periodic basis.

None

No

Resubmit Uninitiated Approval SODChecks

This scheduled task tries to initiate SoD Check for pending requests, which have SoDCheckStatus as "SoD check not initiated" or "SoD check completed with error". The pending requests are the ones for which SoD initiation failed in first try and are pending for some level of approval.

None

No

Resubmit Uninitiated Provisioning SODChecks

This scheduled task tries to initiate SoD Check by submitting a JMS message for all pending SoDCheck provisioning tasks. The SoD Check initiation may have failed because of SoD server being down at the time of entitlement add/update via direct provisioning.

None

No

Reconciliation Retry Scheduled Task

This scheduled task processes the failed reconciliation event for the users whose status is set as Failed.

None

Yes

Run Future Dated Reconciliation Events

This scheduled task processes the current dated reconciliation event for the users whose status is set as Deferred.

None

No

Job History Archival

This scheduled task is designed to archive/purge entries for Job History.

Archival Date: Use this attribute to specify date till which the records need to be archived/purged.

Batch Size: Use this attribute to specify the size of a batch in which the records must be processed.

Operation Type: Use this attribute to specify the operation type. This attribute can have two possible values, Archive and Purge.

The default value is Archive.

No

Bulk Load Post Process

This scheduled task starts post processing jobs for the Bulk Load Utility.

  • Batch Size for Processing Records: User records are processed in batches. This attribute specifies the size of the batch and must have a value. The default is 500.

  • Generate Password: This attribute specifies whether a password will be automatically generated when users are created with the Bulk Load Utility. It must have a value of Yes or No; the default is Yes.

  • Ldap Sync: This attribute specifies whether users created in Oracle Identity Manager using the Bulk Load Utility will also be created in the LDAP repository in an LDAP enabled environment. This attribute must have a value of Yes or No; the default is No.

  • Notification: This attribute specifies whether users created using the Bulk Load Utility will be notified with an email. It must have a value of Yes or No; the default is Yes.

  • Process User Ids: This attribute specifies the range of user keys (in the Oracle Identity Manager Database) that need to be processed. The keys are associated with the users created using the Bulk Load Utility. It defines a range from start (From:) to finish (To:).

No

Bulk Load Archival Job

This scheduled task cleans up the processed entries in the Oracle Identity Manager Database staging tables used during bulk load post processing.

  • Archival Date: This attribute specifies the date up to which the records will be purged. It must have a value. The format is ddMMyyyy or MMM dd, yyyy.

  • Batch Size: Database records are cleaned up in batches. This attribute specifies the size of the batch and must have a value. The default is 1000.

No

Retry Failed Orchestrations

This scheduled task retries all failed orchestrations based on the attribute values provided. If there is no parameter value defined, no orchestration will be retried.

  • Orchestration ID: This attribute takes a comma separated list of Orchestration Ids to be retried.

  • Entity Type: Orchestrations submitted for the given Entity will be retried.

  • Operation: Orchestrations submitted for given Operation will be retried.

  • Stage: Orchestrations on the given stage will be retried.

  • From Date: Orchestrations submitted after the given date will be retried. The format is ddMMyyyy or MMM dd, yyyy.

  • To Date: Orchestrations submitted before given date will be retried. The format is ddMMyyyy or MMM dd, yyyy.

No

DataCollection Scheduled Task

This scheduled task is used to populate data from Oracle Identity Manager operational tables to the staging tables in an offline manner. The scheduled task is set to run manually, and is triggered when Oracle Identity Analytics (OIA) invokes the DataCollectionOperationsIntf->startDataCollection API. See "Oracle Identity Analytics" for information about integration between Oracle Identity Manager and OIA.

None

Yes

Application Instance Post Delete Processing Job

This scheduled task is used to revoke, delete, or decommision applicaion instances that have been soft-deleted. It can be run in the following modes:

  • Revoke: Deletes the provisioned accounts from the target system after the application instances has been deleted

  • Delete: Hard-deletes the accounts from all provisioning tasks and targets, and subsequently from Oracle Identity Manager

  • Decommission: Changes the account status to Revoke without keeping the accounts in Oracle Identity Manager in provisioned state

None

Yes

Catalog Synchronization Job

This scheduled task is used to identify the soft-deleted application instances, and remove them from the catalog.

None

Yes

Retry Reconciliation Batch Job

This scheduled task is used to re-process batches with the 'Ready for Processing' status.

Batch ID: This is the comma-separated ID of the batches to be retried.

No

Entitlement Post Delete Processing Job

This scheduled task is used for post-processing of entitlement soft deletion in the provisioning component.

None

Yes

Update Accounts with App Instance Job

This scheduled task is used to ensure that application instance keys are populated for all entries in the OIU table.

In some instances, the application instance might not be available when the account is provisioned. This is possible when:

  • Oracle Identity Manager is upgraded, when app_instance_key is to be populated for all the existing entries in the OIU table.

  • Accounts are brought in via reconciliation, but the application instances are not available when the accounts are reconciled. The application instances are created after the reconciliation.

  • Accounts are provisioned via access policies, but the application instances are not available when the accounts are provisioned. The application instances are created after the provisioning.

The Update Accounts with App Instance Job scheduled task checks all the entries in the OIU table corresponding to the resource objects that have a null app_instance_key. It attempts to determine the application instance key based on the obj_key and the IT Resource instance value in the process form. If the scheduled task finds an application instance corresponding to the obj_key and IT resource instance value, then it updates the app_instance_key in the OIU table.

None

Yes

Entitlement Post Delete Processing Job

This scheduled task is used to revoke or delete entitlements that have been soft-deleted. It can be run in the following modes:

  • Revoke: Revokes the entitlement-grant for all the accounts in Oracle Identity Manager, which have that specific entitlement granted.

  • Delete: Hard-deletes the entitlements from the UD_CHILD table.

Irrespective of the mode, the entitlement grant entry is removed from the ENT_ASSIGN table.

None

Yes

Risk Aggregation Job

This scheduled task is used for calculating the risk summary value for users, roles, and accounts based on their item-risk and risk-factor levels as defined in the system

Note: See "Understanding Risk Aggregation and Risk Summaries" for more information.

  • Number of Concurrent Threads: Use this attribute to specify the number of threads that process risk aggregation.

  • User Batch Size: Use this attribute to specify the number of users that must be processed in each thread.

No

Certification Event Trigger Job

This scheduled task is responsible for running event listeners against the set of user modification events that have occurred in the system. All event listeners will be executed by default if none are listed in the Event Listener Name List parameter.

See Section 6.8, "Configuring Event Listeners and Certification Event Trigger Jobs" for more information.

Event Listener Name List: This is a comma-separated list of event listeners to be evaluated. If no value if specified for this attribute, then all event listeners will be evaluated.

No


15.4.2 LDAP Scheduled Tasks

This release of Oracle Identity Manager provides a set of LDAP scheduled tasks that you can use while creating or working with jobs. These schedule tasks are created only when Oracle Identity Manager is configured with LDAP synchronization. Table 15-3 lists the LDAP scheduled jobs.

See Also:

"Configuring the Integration with LDAP" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about configuring the integration between Oracle Identity Manager and LDAP

Table 15-3 LDAP Scheduled Jobs

Scheduled Jobs Description User-Configurable Attributes Enabled By Default

LDAP User Create and Update Reconciliation

This scheduled job reconciles user updates based on the change log from LDAP.

The LDAP User Create and Update Reconciliation scheduled job cannot reconcile the User Defined Fields (UDFs). To enable this scheduled job to reconcile UDFs, export the /db/LDAPUser and /db/RA_LDAPUSER.xml files from MDS, make required configuration changes in the files, and import them back to MDS. See "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about importing and exporting MDS files.

Note: While modifying the files, you must not specify any spaces when providing attribute names in the profile.

Last Change Number: Use this attribute to update the last change number of scheduled jobs with last changelog number value of Oracle Internet Directory.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

OIM User Type: Use this attribute to specify the user type, for example, End-User or End-User Administrator.

OIM User Organization Name: Use this attribute to specify Oracle Identity Manager organization in which reconciled users will be created.

OIM Employee Type: Use this attribute to specify the value of employee type for users that are created through reconciliation.

No

LDAP User Delete Reconciliation

This scheduled job reconciles user deletes based on the change log from LDAP.

Last Change Number: Use this attribute to specify the last changelog identifier processed by this job.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

No

LDAP Role Create and Update Reconciliation

This schedule job reconciles role creates or updates based on the change log from LDAP.

Last Change Number: Use this attribute to specify the last changelog identifier processed by this job.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

No

LDAP Role Delete Reconciliation

This schedule job reconciles role deletes based on the change log from LDAP.

Last Change Number: Use this attribute to specify the last changelog identifier processed by this job.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

No

LDAP Role Membership Reconciliation

This schedule job reconciles role membership based on the change log from LDAP.

Last Change Number: Use this attribute to specify the last changelog identifier processed by this job.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

No

LDAP Role Hierarchy Reconciliation

This schedule job reconciles role hierarchy based on the change log from LDAP.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

Last Change Number: Use this attribute to specify the last changelog identifier processed by this job.

No

LDAP User Create and Update Full Reconciliation

This schedule job reconciles user creates or updates from LDAP, which includes all users under the search base that is defined in the Directory Server IT resource.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

OIM Use Type: User this attribute to specify the user type, for example, End-User or End-User Administrator.

OIM User Organization Name: Use this attribute to specify Oracle Identity Manager organization in which reconciled users will be created.

OIM Employee Type: Use this attribute to specify the value of employee type for users that are created through reconciliation.

Yes

LDAP User Delete Full Reconciliation

This schedule job reconciles user deletes from LDAP. It detects the deleted users by comparing the users that exist in Oracle Identity Manager and LDAP.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

Yes

LDAP Role Create and Update Full Reconciliation

This schedule job reconciles role creates or updates from LDAP, which includes all roles under the search base that is defined in the Directory Server IT resource.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

Yes

LDAP Role Delete Full Reconciliation

This schedule job reconciles role deletes from LDAP. It detects the deleted roles by comparing the roles that exist in Oracle Identity Manager and LDAP.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

Yes

LDAP Role Membership Full Reconciliation

This schedule job reconciles role membership from LDAP. It detects the addition or deletion of role membership by comparing the entries existing in Oracle Identity Manager and LDAP.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

Yes

LDAP Role Hierarchy Full Reconciliation

This schedule job reconciles role hierarchy from LDAP. It detects the addition or deletion of role hierarchy by comparing the entries existing in Oracle Identity Manager and LDAP.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

Yes

Fusion Applications Role Category Seeding

This schedule job will query the LDAP system for all roles and find out their Role Category. If there are new role category in LDAP that are not in Oracle Identity Manager, it creates a new role category in Oracle Identity Manager.

Start Change Log Number: Use this attribute to specify last changelog identifier processed by this job or starting identifier for next run.

Yes

LDAP Consolidated Full Reconciliation

This scheduled job runs the following jobs in order:

  1. LDAP User Create and Update Full Reconciliation

  2. LDAP Role Create and Update Full Reconciliation

  3. LDAP Role Membership Full Reconciliation

  4. LDAP Role Hierarchy Full Reconciliation

By default, these jobs are selected in the Job Details page and are automatically triggered when you click Run.

The delete full reconciliation jobs, LDAP User Delete Full Reconciliation and LDAP Role Delete Full Reconciliation are not run automatically by this consolidated job.

The LDAP Consolidated Full Reconciliation scheduled job consolidates these jobs into a single job and provides all the common parameters in the consolidated job. In addition, this scheduled job provides separate reconciliation parameters to support full reconciliation from specific nodes in LDAP, and a search base for reconciliation.

Note: See "Consolidated LDAP Sync Full Reconciliation" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about the Reconciliation Search Base, Reconciliation Role Search Filter, and Reconciliation User Search Filter parameters.

Batch Size: Use this attribute to fetch number of entries from the directory in each query.

OIM Employee Type: Use this attribute to specify the type of employee, such as full-time employee, intern, contractor, part-time employee, consultant, or temporary.

OIM User Organization Name: Use this attribute to specify the organization name of the user.

OIM User Type: Use this attribute to specify the type of user, such as End-User or End-User Administrator.

Reconciliation Role Search Filter: Use this attribute to specify the search filter for full reconciliation of roles.

Reconciliation Search Base: Use this attribute to specify the search base for the full reconciliation of users or roles.

Reconciliation User Search Filter: Use this attribute to specify the search filter for full reconciliation of users.

Use the following attributes to specify whether or not you want to run the scheduled jobs of the same names as a part of the LDAP Consolidated Full Reconciliation job run:

  • Run Role Create and Update Full Reconciliation

  • Run Role Delete Full Reconciliation

  • Run Role Hierarchy Full Reconciliation

  • Run Role Membership Full Reconciliation

  • Run User Create and Update Full Reconciliation

  • Run User Delete Full Reconciliation

Yes


Note:

Granular or node-specific reconciliation is possible by running all the LDAP Consolidated Full Reconciliation jobs. This is achieved by specifying values for the Reconciliation Search Base parameter.

15.4.2.1 Using Attribute-Level Filtering for Running LDAP Sync Incremental Reconciliation Jobs

Changelog query returns incremental changes of user/role account or entries in LDAP server to Oracle Identity Manager database during changelog reconciliation when LDAP Sync incremental reconciliation jobs are run. You might not want to return changes to the database for some entries in LDAP based on a rule or filter during the changelog reconciliation when LDAPSync incremental reconciliation jobs are run. To do this, you can use the includeEntriesFilter filter tag or filter parameter in the LDAPUser.xml file to filter out the unwanted entries and bring in only the required entries based on the rule before sending the data for reconciliation, so that those entries would not be in the database. In other words, you can use attribute-level filtering for changelog reconciliation.

See Also:

The usage of the includeEntriesFilter tag is shown in the following example:

<parameter name="includeEntriesFilter">
   <value>employeeNumber=123456</value>
</parameter> 

The <value> tag contains the employeeNumber LDAP attribute and the corresponding value. This filters out all the changelog entries or user entries from the LDAP server that match the criteria employeeNumber=123456, and sends them to the reconciliation engine for the users to be reconciled into Oracle Identity Manager database. Other changelog entries that do not match the filter are stopped from being reconciled into Oracle Identity Manager database.

The following are sample usages of the includeEntriesFilter filter parameter:

  • (!(LDAP_attribute=VAL1)(LDAP_attribute=VAL2)(LDAP_attribute=VAL3)...)

  • If the values are variables, then the filter must be:

    ObjectClass=*

  • LDAP_attribute_name=SOME_VARIABLE_VALUE

    This means that different users have different attribute values.

Note:

Make sure that the LDAP attributes used in the filter value are indexed.

15.4.3 Creating Custom Scheduled Tasks

Oracle Identity Manager provides you with the capability of creating your own scheduled tasks. You can create scheduled tasks according to your requirements if you choose not to use any of the predefined scheduled tasks listed in Table 15-2.

See Also:

"Developing Scheduled Tasks" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about creating a scheduled task

To create a custom scheduled task:

  1. Create the scheduled task XML file and seed it in MetaData Store (MDS).

  2. Develop the schedule task class and package it in a Jar.

  3. Upload the Jar by:

Using Plug-ins

You can upload the jar using the Plug-in Framework provided by Oracle Identity Manager.

To upload the jar using plug-ins:

  1. Create the plugin.xml file.

  2. Create the directory structure (plugin.zip) for the scheduled task.

  3. Place the ZIP file in the file store (the OIM_HOME/plugins/ directory) or database store.

Using Database

You can upload the jar in the database (DB) of Oracle Identity Manager.

To upload the jar using DB:

Upload the jar in DB using UploadJar utility. You can run this utility from the following location:

$OIM_HOME/bin/

See Also:

"Upload Jar Utility" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about running the UploadJar utility

15.5 Jobs

As discussed in one of the earlier chapters, a job is a task that can be scheduled to run at the specified interval. A job run is a specific execution of a job. Each job run includes information such as the start time, stop time, job status, exceptions and status of the execution.

This section discusses the following topics:

15.5.1 Creating Jobs

Note:

The procedure described in this section assumes that the XML file for the scheduled task, which contains the job description is available in the OIM_HOME/metadata/file directory.

To create a job:

  1. Log in to Oracle Identity System Administration with the appropriate credentials.

  2. In the left pane, under System Management, click Scheduler. The Advanced Administration is displayed with the Scheduler section in the System Management tab active.

  3. On the left pane, from the Actions menu, select Create. Alternatively, you can click the icon with the plus (+) sign beside the View list.

  4. On the Create Job page, enter values in the following fields under the Job Information section:

    • Job Name: Enter a name for the job.

    • Task: Specify the name of the scheduled task that runs the job. Alternatively you can search and specify a scheduled task.

      To search and specify a scheduled task:

      1. Click the magnifying glass icon next to this field.

      2. In the Search and Select : Scheduled Task dialog box, specify a search criterion for the scheduled task and click the icon next to Search field.

        A list of all scheduled tasks that meet the search criterion is displayed.

      3. From this list, select the scheduled task that runs the job being created, and then click Confirm.

    • Start Date: Specify the date and time on which you want the job to run. To do this, select the date and time along with timezone from the date editor and click Ok. By default, the timezone is "(UTC-08:00) US Pacific Time".

    • Retries: Retry count is used to manage the job in case of failure. A job cannot execute more than its retry count if it fails consecutively. The job is disabled if it fails consecutively till its retry count is exhausted. The job must be enabled from the UI for further execution.

    • Schedule Type: Depending on the frequency at which you want the job to run, select one of the following schedule types:

      • Periodic: Select this option if you want the job to be run at a time that you specify, on a repeating basis. If you select this option, then you must enter an integer value in the Run every field under the Job Periodic Settings section and select one of the following values:

        - mins

        - hrs

        - days

      • Cron: Select this option if you want the job to be run at a particular interval on a recurring basis. For example, you can create a job that must run at 8:00 A.M. every Monday through Friday or at 1:30 A.M. every last Friday of the month.

        The recurrence of the job must be specified in the Cron Settings section. In the Recurring Interval field, you can select any of the following values:

        - Daily

        - Weekly

        - Monthly on given dates

        - Monthly on given weekdays

        - Yearly

        After selecting a value, you can enter an integer value in the Days between runs field.

      • Single: Select this option if the job is to be run only once at the specified start date and time.

      • No pre-defined schedule: This option specifies that no schedule is attached to the job you are creating, and therefore, it is not triggered automatically. As a result, the only option to trigger the job is by clicking Save and Run Now.

  5. Note:

    For all the schedule types, if you want the job to be saved run immediately, then click Save and Run Now.

    A message confirming that the job has been successfully created and triggered is displayed.

15.5.2 Searching Jobs

You can perform the following search operations to search for jobs in the Oracle Identity Administration:

15.5.2.1 Performing a Simple Search for Jobs

To perform a simple search for jobs:

  1. In the Welcome page of the Advanced Administration, under System Management, click Search Scheduled Jobs. Alternatively, you can click the System Management tab, and then click Scheduler.

  2. On the left pane, in the Search field, specify the search criterion for the job that you want to locate. You can also include wildcard characters in the search criteria.

  3. Click the icon next to the Search field. A list of all jobs that meet the search criterion is displayed.

    The search results are displayed in a tabular format with the following columns:

    • Job Name: This column displays the name of the job. If you want to view the details of the job, then click its name in the column.

    • Status: This column displays the status of the Job. A job can be in any one of the following statuses:

      • RUNNING: The job is currently running.

      • STOPPED: The job is currently not running. However, the job will run again at the date and time specified in the Next Scheduled Run field.

      • INTERRUPT: The job is interrupted while running. This status may appear if admin server go down in between while job is running.

      • FAILED: The Job was failed to execute due to some reasons.

15.5.2.2 Performing an Advanced Search for Jobs

To perform an advanced search for scheduler:

  1. On the left pane of the Scheduler section, click Advanced Search. The Advanced Search: Scheduled Jobs page is displayed.

  2. Select any one of the following options:

    • All: On selecting this option, the search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.

    • Any: On selecting this option, the search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.

  3. In the Job Name field, enter the job name that you want to search. You can use wildcard characters in your search criteria. Select a search condition in the list adjacent to the Job Name field. The search conditions include Not Contains, Not Begins With, Not Equals, Equals, Ends With, Not Ends With, Contains, and Begins With.

  4. For the Status field, select a search condition. Then select a status: All, Running, or Stopped.

  5. In the Task Name field, enter the task name. You can use wildcard characters in your search criteria. Select a search condition in the list adjacent to the Task Name field.

  6. Click Search. The list of jobs that match your search criteria are displayed in the search results table.

    Table 15-4 lists the columns of the search results table:

    Table 15-4 Fields in the Search Results Table

    Field Description

    Job Name

    The name of the scheduled job

    Task

    The task associated with the job

    Status

    The status of the job, RUNNING, STOPPED, FAILED, or INTERRUPT

    Schedule

    The schedule or the time for the job to run

    Last Run

    The time when the job ran for the last time

    Enable

    The job is enabled or disabled


15.5.3 Viewing Jobs

To view the details of a job:

  1. Search for the job whose details you want to view. See "Searching Jobs" for information about how to search a job.

  2. Click the job whose details you want to view in the Job Name column of the search results table.

The Job Details page is divided into the following sections:

  • Job Information: This section displays the fields that provide information about the job. For example, Job Name, Task, Retries, and Start Date fields. If you want to modify the details of the job, then make the relevant change and click Apply. See "Modifying Jobs" for more information about modifying jobs.

  • Job Status: This section displays details of the status of the job in the following fields:

    • Current Status: This field displays the status of the job.

    • Last Run Start: This field displays the date and time of when the job started to run last.

    • Last Run End : This field displays the most recent date and time of when the job stopped running

    • Next Scheduled Run: This field specifies that no schedule is attached to the job you are creating and therefore the job is not triggered automatically. The only option to trigger the job in this case is performing "Run Now" .

      Note:

      No value is displayed in this field if the Schedule Type is No pre-defined schedule.

  • Parameters: The parameter values specified are used at run-time while the job is being executed. The values need not be provided at the runtime, they can be there for each job and are used when the job is executed.

  • Job History: This section displays a list of all job runs for the job in a table.

    Each row of the table displays the following information about the job:

    • Start Time: This column displays the date and time at which the job run started its run.

    • End Time: This column displays the time at which the job run ended its run.

    • Job Status: This column displays the status of the job.

    • Execution Status: This column displays the job execution status.

    You can reorder the display of columns in the table under the History section:

    1. From the View list, select Reorder Columns.

    2. In the Reorder Columns dialog box, select the column name that you want to move.

    3. Depending on the order in which you want to columns to appears, click the up or down arrows.

    To add or remove the columns displayed in the table under the History section:

    1. From the View list, select Columns.

    2. Depending on your requirement, select one of the following:

      - Show All

      - Start Time

      - End Time

      - Job Status

      - Execution Status

    3. Repeat Steps a and b for each column that you want to add or remove.

After viewing the details of the job, you can either modify, run, or stop the job. In addition, you can also enable or disable the job. Job Detail screen can be refreshed.

After you view the details of the job on the Job Details page, you can perform one of the following:

  • If you want to modify the details of the job, then make the relevant change and click Apply. See "Modifying Jobs" for more information about modifying jobs.

  • If you want to run the job, then click Run Now.

  • If the Disable button is enable, then it means that the job is currently enabled and you can disable the job by clicking Disable.

  • If the Enable button is enable, then it means that the job is currently disabled and you and enable the job by clicking Enable.

  • If you want to refresh a job detail screen, then click Refresh.

  • If the Stop button is displayed, then it means that the job is currently running and you can stop the job by clicking Stop.

15.5.4 Modifying Jobs

To modify a job:

  1. Search and view the details of the job that you want to modify. See "Viewing Jobs" for information about viewing job details.

    Note:

    If you want to run the job, then click the job name in the first column of the search results table and then click Run Now. After you click Run Now, you need not perform the rest of the steps in this procedure. However, if you want to modify the job and then run it, then perform the next step and click Run Now.

  2. On the Job Details page, you can modify all the details of the job, except for the Job Name and Task fields under the Job information section and the fields under the Job Status section. See Step 4 of "Creating Jobs" for details about the fields that you want to modify.

  3. Click Apply to commit the changes made on the Job Details page to the database.

    A message confirming that the job has been successfully modified is displayed.

15.5.5 Disabling and Enabling Jobs

In addition to creating and modifying jobs, you can disable a job that is currently enabled, and enable a job that has been disabled earlier. On the Job Details page:

  • If the Enabled button is enable, then it means that the job is currently disabled and you can enable it by clicking Enable. A job that has been enabled will run only when one of the following is true on the Job Details page:

    • The date and time displayed in the Start Date field matches the current date and time.

    • The date and time displayed in the Next Scheduled Run field matches the current date and time.

  • If the Disabled button is enable, then it means that the job is currently enabled and you can disable the job by clicking Disable. A job that has been disabled will not run even when the date and time on which the job has been scheduled to run matches the current date and time.

    To enable or disable a job:

    1. Search for the job that you want to enable or disable by performing the procedure described in "Searching Jobs".

    2. On the left pane, in the search results table, right click on the job name and select Enable or Disable. Depending on whether you click Enable or Disable, a message indicating that the job has either been successfully enabled or disabled is displayed.

    3. Click OK to close the dialog box.

15.5.6 Starting and Stopping Jobs

In addition to scheduling jobs to run automatically at the specified time, you can manually start or stop a job at any given time. For example, you create and schedule a job that runs every Friday. However, if you want to run the job on any day other than Friday, then you must run the job manually.

To start or stop a job:

  1. Search for the job that you want to start or stop by performing the procedure described in "Searching Jobs".

  2. On the left pane, in the search results table, click the job name of the job that you want to start or stop.

    Note:

    By default, the status of all jobs is STOPPED unless a job is running.

  3. If you want to start a job, then from the Actions list, click Run Now.

    A dialog box prompting you to confirm if you want to run the job is displayed.

  4. If you want to stop a job, then from the Action list, click Stop.

    A dialog box prompting you to confirm if you want to stop the job is displayed.

  5. Click OK.

15.5.7 Deleting Jobs

To delete a job:

  1. Search for the job that you want to delete by performing the procedure described in "Searching Jobs".

  2. On the left pane, in the search results table, click the job name of the job that you want to delete.

  3. From the Actions list, click Delete. Alternatively, you can click the Delete icon next to the icon with the plus (+) sign.

    A dialog box prompting you to confirm if you want to delete the job is displayed.

  4. Click OK. A message indicating that the job has been deleted successfully is displayed.