Oracle® Identity Manager Design Console Guide
Release 9.0
B25940-01

5 User Management

This chapter describes how users are managed in Oracle Identity Manager. It contains the following topics:

  • Overview

  • Organizational Defaults Form

  • The Policy History Form

  • Group Entitlements Form

  • The Administrative Queues Form

  • The Reconciliation Manager Form

Overview

The User Management folder provides System Administrators with the tools necessary to create and manage information pertaining to your company's organizations, users, user groups, requests, form templates, locations, process tasks, and reconciliation events.

This folder contains the following forms:

  • Organizational Defaults

  • Policy History

  • Group Entitlements

  • Administrative Queues

  • Reconciliation Manager

Organizational Defaults Form

The Organizational Defaults form is located in the User Management folder. It is used to view the organization records that reflect the internal structure of your enterprise, as well as other designated information related to these entities. An organization record contains information related to an organizational unit within an enterprise's hierarchy, such as a company, department, or branch. A sub-organization is an organization that is a member of another organization (for example, a department within a company). The organization to which the sub-organization belongs is also referred to as a Parent Organization.

The Organizational Default tab is used to specify default values for parameters on the custom process form of resources that can be provisioned for the current organization. Each process form is associated with a resource object that has either been allowed for the organization or has the Allow All check box on the associated Resource Objects form selected.

The values specified in the Process Defaults tab are used as the default values for all users within the organization.

Figure 5-1 The Organizational Defaults Form


Now that we have reviewed organizations, you will learn about the data fields of the Organizational Defaults form. The following table describes the data fields of this form.

  • Organization Name: Name of the organization.

  • Type: The classification type of the organization (for example, Company, Department, Branch).

  • Status: The current status of the organization (Active, Disabled, or Deleted).

  • Parent Organization: The organization of which this organization is a member. If an organization appears in this field, this organization appears on the Sub Organizations tab of that parent organization. When no value is specified in this field, this organization does not belong to any other organization (i.e., it is a top-level organization).

The Policy History Form

The Policy History form is used to view information related to user records, specifically the resources that are allowed or disallowed for the user.

Figure 5-2 The Policy History Form


There are two types of users within Oracle Identity Manager:

  • End-User Administrators, who have access to the Java Client edition of the Oracle Identity Manager interface.

  • End Users.

Now that we have reviewed users, you will learn about the data fields of the Policy History form. The following table describes the data fields of this form.

  • User ID: The user's Oracle Identity Manager login ID.

  • First Name: The user's first name.

  • Middle Name: The user's middle name.

  • Last Name: The user's last name.

  • Email: The user's e-mail address.

  • Start Date: The date on which the user's account will be activated.

  • Status: The current status of the user (Active, Disabled, or Deleted).

  • Organization: The organization to which the user belongs.

  • User Type: The user's classification status. Valid options are End-User Administrator and End User. Only End-User Administrators have access to the Java Client edition of the Oracle Identity Manager interface.

  • Employee Type: The employment status of the user at the parent organization (for example, Full-Time, Part-Time, or Intern).

  • Manager ID: The user's manager.

  • End Date: The date on which the user's account will be deactivated.

  • Created on: The date and time that the user record was first created.

Policy History Tab

This tab is used to view the resource objects that are allowed or disallowed for the user based on:

  • The access policies that are applicable to the user group to which they belong.

  • The resource objects that have been allowed by the organization of which they are a member.

The Policy History tab has a Display Selection region. By accessing the upper-most combo box from this region, and selecting one of its menu items, you can determine how Oracle Identity Manager will organize the contents that appear within this tab.

If you select the Resource Policy Summary menu item, the resource objects that are allowed and/or disallowed, based on a combination of the user's organization and applicable access policies, are displayed.

By selecting the Not Allowed by Org menu item, the only resource objects that appear are those that are disallowed, based on the user's organization.

If you select the Resources by Policy menu item, a second combo box is displayed. This combo box contains the access policies that apply to the user groups of which the user is a member. When you select an access policy from this combo box, the resource objects that are allowed or disallowed for the user, based on this access policy, are displayed.

Oracle Identity Manager also provides you with a tracking system, designed to see the resources that have been allowed or disallowed for a user, based on the organizations of which the user is a member, and/or the access policies that apply to the user.

The resource objects that are allowed for the user appear in the Resources Allowed list. The resource objects that are disallowed for the user are displayed in the Resources Not Allowed list. Resource objects that are displayed in the Resources Allowed list merely represent the resource objects with which the user can be provisioned. It does not represent the resource objects with which the user is provisioned.

To view this tracking system, click the Policy History button (which appears within the Display Selection region of the Policy History tab). The User Policy Profile History window is displayed.

From this window, by selecting:

  • The desired date (from the History Date combo box);

  • Whether you want Oracle Identity Manager to display resources that have been allowed or disallowed based on the organizations of which the user is a member, the access policies that apply to the user, or both (from the Display Type combo box); and

  • The specific access policy, which determines the resource objects that are allowed and/or disallowed for the user (from the Policy combo box),

you can see the resources that have been allowed or disallowed for the user at the date and time you selected.
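The following added example (not Oracle's code) models the three views of the Policy History tab over constructed organizations, access policies and resource objects. ResourceObject, Organization, AccessPolicy and User are assumed names, and the combination rule in resource_policy_summary (the organization must permit the object, some applicable policy must allow it, and no applicable policy may disallow it) is an assumption, since the page does not state how the summary combines the two sources.

```python
"""Policy History views for one user, over constructed data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceObject:
    name: str
    allow_all: bool = False  # "Allow All" check box on the Resource Objects form


@dataclass(frozen=True)
class Organization:
    name: str
    allowed_resources: frozenset  # resource objects explicitly allowed for the org


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    groups: frozenset      # user groups this policy applies to
    allowed: frozenset     # resource objects the policy allows
    disallowed: frozenset  # resource objects the policy disallows


@dataclass(frozen=True)
class User:
    login: str
    organization: Organization
    groups: frozenset


def allowed_by_org(user, resources):
    """Resource objects the user's organization permits (explicit or Allow All)."""
    org = user.organization
    return {r.name for r in resources
            if r.allow_all or r.name in org.allowed_resources}


def not_allowed_by_org(user, resources):
    """The 'Not Allowed by Org' view: objects ruled out by the organization alone."""
    return {r.name for r in resources} - allowed_by_org(user, resources)


def applicable_policies(user, policies):
    """Access policies that apply through any user group the user belongs to."""
    return [p for p in policies if p.groups & user.groups]


def resources_by_policy(policy, resources):
    """The 'Resources by Policy' view for one selected access policy."""
    names = {r.name for r in resources}
    allowed = (policy.allowed & names) - policy.disallowed
    return {"allowed": allowed, "not_allowed": names - allowed}


def resource_policy_summary(user, policies, resources):
    """The 'Resource Policy Summary' view: organization and policies combined.

    Assumed rule (deny wins): an object is in Resources Allowed only when the
    organization permits it, some applicable policy allows it, and no
    applicable policy disallows it. 'Allowed' means the user can be
    provisioned with the object, not that the user is provisioned with it.
    """
    names = {r.name for r in resources}
    policy_allow, policy_deny = set(), set()
    for p in applicable_policies(user, policies):
        policy_allow |= p.allowed
        policy_deny |= p.disallowed
    allowed = (allowed_by_org(user, resources) & policy_allow) - policy_deny
    return {"allowed": allowed, "not_allowed": names - allowed}


# Constructed sample data; none of it comes from a real deployment.
RESOURCES = [
    ResourceObject("AD User"),
    ResourceObject("Exchange Mailbox"),
    ResourceObject("Corporate VPN", allow_all=True),
    ResourceObject("Payroll System"),
]
ENGINEERING = Organization("Engineering",
                           frozenset({"AD User", "Exchange Mailbox"}))
POLICIES = [
    AccessPolicy("Baseline", frozenset({"ALL USERS"}),
                 frozenset({"AD User", "Corporate VPN"}), frozenset()),
    AccessPolicy("Finance", frozenset({"FINANCE"}),
                 frozenset({"Payroll System"}), frozenset()),
    AccessPolicy("Contractors", frozenset({"CONTRACTORS"}), frozenset(),
                 frozenset({"Exchange Mailbox", "Corporate VPN"})),
]
ALICE = User("alice", ENGINEERING, frozenset({"ALL USERS", "FINANCE"}))
BOB = User("bob", ENGINEERING, frozenset({"ALL USERS", "CONTRACTORS"}))

if __name__ == "__main__":
    for u in (ALICE, BOB):
        print(u.login, resource_policy_summary(u, POLICIES, RESOURCES))
```

Note that Payroll System never reaches alice's Resources Allowed list even though the Finance policy allows it, because her organization does not permit it; that is the organization-versus-policy distinction the Not Allowed by Org view isolates.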

Group Entitlements Form

The Group Entitlements form is located in the User Management folder. It is used to designate the Oracle Identity Manager forms and folders that members of a user group can access through the Oracle Identity Manager Explorer.

Assigning Group Entitlements


Note:

You can use the Group Entitlements form to create and move forms.

  1. Open the Group Entitlements form. The User Group Information dialog box is displayed.

  2. In the Group Name field, enter the name of the user group.

  3. Click Assign. The User Form Assignment lookup table is displayed.

  4. From the lookup table, select the user form for this user group. Use the Arrow button(s) to either add or delete from the Assigned Forms list.

  5. Click OK when completed. The User Group Information dialog box is displayed.

User Group Information window

Note that the newly added user forms are listed in the Group Entitlement display table. This display table shows the name of each user form and its type. In this example, there are two distinct types, javaform and folder. A javaform is a Java-based graphical interface. A folder is a container of one or more javaforms.


Note:

The Group Entitlement Table displays all available user groups.

Pre-Existing Groups

Oracle Identity Manager provides four default user group definitions:

  • System Administrators

  • Operators

  • Self Operators

  • All Users

You may modify the permissions associated with these user groups. In addition, you can create additional user groups, as needed.

The System Administrators User Group

Members of the System Administrators user group have full permissions to create, edit, and delete records within Oracle Identity Manager (except for system records).


Note:

When using the Oracle Identity Manager Administrator's Console (Administrative and User Console), a user assigned to a particular process task can change its status.

The Operators User Group

Members of the Operators user group have access to the Organizational Defaults and Policy History forms. These users can perform only limited functions within these forms.

The All Users User Group

Members of the All Users user group have minimal permissions, which include, but are not limited to, the ability to access one's own user record. By default, each user automatically belongs to the All Users user group.


Note:

A user cannot be removed from the All Users group.


Important:

There is a fourth user group definition, SELF OPERATORS, which is added to Oracle Identity Manager by default. This user group contains one user, XELSELFREG, who is responsible for modifying the privileges that users have when performing self-registration actions within the Oracle Identity Manager Administrative and User Console.

Do not modify the permissions associated with the SELF OPERATORS user group, or assign any users to this group.


The Administrative Queues Form

Oracle Identity Manager allows you to designate that specific groups of users are collectively responsible for managing a provisioning request. These groups are assigned to a request using an entity called a Queue. A queue is merely a collection of existing group definitions, which functions as a mega-group.


Note:

Queues can also be nested within other queues, further enhancing the ability to create mega-collections of groups for streamlined assignment.

Once defined, queues can then be attached to requests, thereby making the members of the groups (of which the queue is comprised), responsible for managing the request.

For example, you might create a queue that contains three user groups. Once the queue is assigned to a request, the members of these three groups have administrative privileges on that request. The administrative privileges that each group has on a particular request are specified within the request (i.e., each group may have distinct privileges within the queue). For instance, the first user group might be able to read, modify, and delete the request. The second user group might be able to read and modify the request, while the third user group might only be able to read and delete the request.

Once defined, a queue is assigned to a request using the Queues tab on the Requests form.

Assigning administrative queues to a form increases your efficiency as a user. Queues also enhance the manageability of requests across an enterprise.

By using an administrative queue, you can accomplish the same goal with only a few mouse clicks. In addition, the queue that you assign to one request can be reused for other requests.

The Administrative Queues form is located in the User Management folder. It is used to create and manage the administrative queues that will be assigned to requests.

Figure 5-3 The Administrative Queues Form


You will now learn about the data fields of the Administrative Queues form. The following table describes the data fields of this form.

  • Queue Name: The name of the administrative queue.

  • Parent Queue: The queue to which this administrative queue belongs.

  • Description: Explanatory information about the administrative queue.

Now that we have reviewed administrative queues and the data fields of the Administrative Queues form, you are ready to create an administrative queue.

Create an Administrative Queue

To create an administrative queue, perform the following steps:

  1. Open the Administrative Queue form.

  2. In the Queue Name field, enter the name of the administrative queue.

  3. Double-click the Parent Queue lookup field. From the lookup dialog box that appears, select the queue of which this administrative queue is a member.


    Note:

    If the administrative queue you are creating does not belong to another administrative queue (it is a parent administrative queue), proceed to Step 4.

  4. In the Description field, you can enter explanatory information about the administrative queue.

  5. Click Save. The administrative queue is created.

Tabs on the Administrative Queues Form

Once you launch the Administrative Queues form, and create an administrative queue, the tabs of this form become functional.

The Administrative Queues form contains the following tabs:

  • Members

  • Administrators

Each of these tabs is covered in greater detail in the following sections.

Members

Figure 5-4 The Members Tab of the Administrative Queues Form


This tab is used to select the user groups that will be members of the current administrative queue. In addition, the Write Access and Delete Access check boxes are visual indicators of the privileges that a user group will have on the requests to which this queue is assigned.

When the Write Access check box is selected, the corresponding user group can create and modify information on the request (to which the administrative queue is assigned). If this check box is cleared, the user group will not be able to create or edit data on requests to which the queue is assigned.

Similarly, when the Delete Access check box is selected, it signifies that the associated user group can delete any requests (to which the administrative queue is assigned). If this check box is cleared, the user group cannot delete requests to which the queue is assigned.

For this example, if the User Groups Permissions for Requests queue was assigned to a particular request:

  • The SYSTEM ADMINISTRATORS user group would be able to read, modify, and delete information within the request.

  • The OPERATORS user group would be able to read and modify information within the request. However, since the Delete Access check box is cleared, this user group would not be able to delete the request.

  • The Senior Management Staff user group would be able to delete the request. However, because the Write Access check box is cleared, this user group would not be able to modify information within the request.

Just as you can assign a user group to an administrative queue, you must also remove a user group from the administrative queue when that user group can no longer read, modify, or delete information on requests to which this administrative queue is assigned.

Now that we have reviewed the Members tab, you will learn how to assign a user group to an administrative queue, and remove a user group from an administrative queue.

Assign a User Group to an Administrative Queue

To assign a user group to an administrative queue, perform the following steps:

  1. Click Assign. The Assignment dialog box is displayed.

  2. Select the user group, and assign it to the administrative queue.

  3. Click OK. The user group is displayed in the Members tab.

  4. If you do not want this user group to be able to modify information on requests to which the administrative queue is assigned, clear the corresponding Write Access check box. Otherwise, proceed to Step 5.

  5. If you do not want this user group to be able to delete the requests to which this administrative queue is assigned, clear the associated Delete Access check box. Otherwise, proceed to Step 6.

  6. Click Save. The user group is assigned to the administrative queue.


Note:

By default, any group listed on the Members tab will have read privileges on the requests to which the queue is assigned.
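As an added example (not Oracle's code), the following models what the Members and Administrators tabs grant: every group listed on the Members tab can read the requests the queue is assigned to, Write Access adds create/modify, and Delete Access adds delete. Membership and AdminQueue are assumed names; the example assumes that a queue nested under another via Parent Queue contributes its member groups to the parent's requests, and that a user in several listed groups gets the union of their privileges. The sample queue mirrors the page's "User Groups Permissions for Requests" example, and the nested "Helpdesk Tier 2" queue is constructed.

```python
"""Privileges granted by an administrative queue, over constructed data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Membership:
    group: str
    write_access: bool = False   # Write Access check box
    delete_access: bool = False  # Delete Access check box


@dataclass
class AdminQueue:
    name: str
    members: tuple = ()                    # Members tab entries
    administrators: tuple = ()             # Administrators tab entries
    parent: Optional["AdminQueue"] = None  # Parent Queue field


def grants(membership):
    """Privileges one Members/Administrators row confers: read always, plus flags."""
    privs = {"read"}
    if membership.write_access:
        privs.add("write")
    if membership.delete_access:
        privs.add("delete")
    return privs


def queues_under(queue, all_queues):
    """The queue plus every queue nested beneath it via Parent Queue (cycle-safe)."""
    found, stack, seen = [], [queue], set()
    while stack:
        q = stack.pop()
        if q.name in seen:
            continue
        seen.add(q.name)
        found.append(q)
        stack.extend(c for c in all_queues if c.parent is q)
    return found


def request_privileges(queue, all_queues, user_groups):
    """What a user (identified by group memberships) may do on a request to
    which `queue` is assigned. Assumption: nested queues contribute their
    members to the parent's requests; privileges are the union over groups."""
    privs = set()
    for q in queues_under(queue, all_queues):
        for m in q.members:
            if m.group in user_groups:
                privs |= grants(m)
    return privs


def queue_privileges(queue, user_groups):
    """What a user may do to the queue record itself (Administrators tab)."""
    privs = set()
    for m in queue.administrators:
        if m.group in user_groups:
            privs |= grants(m)
    return privs


# Constructed example mirroring the page's queue, plus a nested queue.
REQUESTS_QUEUE = AdminQueue(
    "User Groups Permissions for Requests",
    members=(
        Membership("SYSTEM ADMINISTRATORS", write_access=True, delete_access=True),
        Membership("OPERATORS", write_access=True),
        Membership("Senior Management Staff", delete_access=True),
    ),
    administrators=(
        Membership("SYSTEM ADMINISTRATORS", write_access=True, delete_access=True),
    ),
)
HELPDESK_QUEUE = AdminQueue(
    "Helpdesk Tier 2",
    members=(Membership("HELPDESK", write_access=True),),
    parent=REQUESTS_QUEUE,
)
ALL_QUEUES = [REQUESTS_QUEUE, HELPDESK_QUEUE]

if __name__ == "__main__":
    for groups in ({"OPERATORS"}, {"Senior Management Staff"}, {"HELPDESK"}):
        print(sorted(groups),
              sorted(request_privileges(REQUESTS_QUEUE, ALL_QUEUES, groups)))
```

Nesting only flows upward here: HELPDESK gains privileges on requests assigned to the parent queue, but OPERATORS gains nothing on requests assigned to the nested queue.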

Remove a User Group From an Administrative Queue

To remove a user group from an administrative queue, perform the following steps:

  1. Highlight the user group that you want to remove.

  2. Click Delete. The user group is removed from the administrative queue.

Administrators

Figure 5-5 The Administrators Tab of the Administrative Queues Form


This tab is used to select the user groups that can read, modify, and delete the current administrative queue.

In addition, the Write Access and Delete Access check boxes are visual indicators of the privileges that a user group has with an administrative queue. When the Write Access check box is selected, the corresponding user group can read and modify the current administrative queue. If this check box is cleared, the user group cannot create or edit the administrative queue.

Similarly, when the Delete Access check box is selected, the associated user group can delete the current administrative queue. If this check box is cleared, the user group cannot delete the administrative queue.

For this example, both the Write Access and Delete Access check boxes are selected for the SYSTEM ADMINISTRATORS user group. As a result, this user group can read, modify, and delete the User Groups Permissions for Requests administrative queue.

Just as you can assign a user group to an administrative queue, you must also remove a user group from an administrative queue when the user group can no longer read, modify, or delete the current administrative queue.

Now that we have reviewed the Administrators tab, you will learn how to designate a user group as an administrator to an administrative queue. You will also learn how to remove an administrator user group from an administrative queue.

Designate a User Group as an Administrator of an Administrative Queue

To designate a user group as an administrator of an administrative queue, perform the following steps:

  1. Click Assign. The Assignment dialog box is displayed.

  2. Select the user group, and assign it to the administrative queue.

  3. Click OK. The user group is displayed in the Administrators tab.

  4. If you do not want this user group to be able to modify the current administrative queue, clear the corresponding Write Access check box. Otherwise, proceed to Step 5.

  5. If you do not want this user group to be able to delete the current administrative queue, clear the associated Delete Access check box. Otherwise, proceed to Step 6.

  6. Click Save. The user group is now an administrator of the administrative queue.

Remove an Administrator User Group From an Administrative Queue

To remove an administrator user group from an administrative queue, perform the following steps:

  1. Highlight the user group that you want to remove.

  2. Click Delete. The administrator user group is removed from the administrative queue.

The Reconciliation Manager Form

Figure 5-6 The Reconciliation Manager Form


This form is located in the User Management folder. As the reconciliation classes you have defined periodically poll your target resources and trusted source, changes occurring on those systems cause reconciliation events to be generated. Once these events are generated, they are written directly to the Reconciliation Manager, where Oracle Identity Manager begins analyzing the information contained within them (according to the mappings defined in the relevant provisioning process). Oracle Identity Manager can be configured to take automated action (based on any action rules you may have defined) if the information in the event is ultimately determined to be associated with an existing record or to represent a new account, or it can leave the linking of the information in the event to be initiated manually.


Note:

You can use the Oracle Identity Manager Task Scheduler form to define a schedule and set the timing parameters that govern how often your reconciliation class is run, or use a third-party scheduling tool to set the polling frequency.

This form allows users to view, analyze, correct, link, and manage information contained in reconciliation events received from your target resources and trusted source. The analysis and linking of information contained within your reconciliation events can be conducted manually by a designated individual or performed automatically by Oracle Identity Manager based on information available to it.

More specifically:

The upper portion of the Reconciliation Manager form contains the following fields and buttons:

  • Event ID: The numeric ID of the reconciliation event.

  • Delete Event (Yes/No flag): This display-only field indicates whether the classification type of the current reconciliation event is a delete event (i.e., the corresponding record has been deleted from either the target resource or the trusted source). If the reconciliation event is a delete event, Oracle Identity Manager selects the Yes option. If this event is ultimately associated with a user's account on a target resource, that account will be marked as revoked. If the event is ultimately associated with a particular user's account, that user's account will be deleted. If the current reconciliation event is not a delete event, Oracle Identity Manager selects the No option.

    Note: This field is set by Oracle Identity Manager. A user cannot set it.

  • Object Name: The resource object (target resource/trusted source) associated with this reconciliation event. For trusted sources, this will be the user.

  • For User/For Organization: Option designating whether the reconciliation event related to a resource object is associated with a user or organization record.

  • Status: The current status of the reconciliation event. Possible statuses are:

    • Event Received: A notification that information has changed has been received from the target resource/trusted source (for example, the CreateReconciliationEvent method has been called). The reconciliation event has not yet received its actual data from the target resource/trusted source.

    • Data Received: The information from the target resource/trusted source has been received.

    • Users Matched: The information in the reconciliation event has been matched to one or more user records (through the application of reconciliation user-matching rules).

    • Organizations Matched: The information in the reconciliation event has been matched to one or more organization records (through the application of reconciliation organization-matching rules).

    • Processes Matched: The information in the reconciliation event has been matched to one or more provisioning processes (for example, all the values of key fields in the reconciliation event have matched the values of those fields on the process form).

    • No Match Found: Neither the values of key fields (on provisioning process forms) nor the criteria of any user/organization-matching rules matched the information in the reconciliation event. The reconciliation event has not been associated with any user or organization record.

    • Rules Reapplied: The Reapply Matching Rules button was clicked (previous matches may be removed) and the logic of the latest edition of all matching rules (associated with this resource) was applied.

    • Event Linked: The information in the reconciliation event has been matched and linked to a particular user or organization record.

    • Event Closed: A user manually closed the reconciliation event (by clicking the Close Event button) without its data being linked to a record within Oracle Identity Manager. Once closed, a reconciliation event cannot be reopened and no additional matching logic can be applied to it.

    • Required Data Missing: At least one required data element is missing. If the data for any field that has been set as required on the resource definition is not available in the reconciliation event, this message is displayed.

  • Event Date: The date and time on which this reconciliation event was received.

  • Assigned to User: The user to whom this reconciliation event has been assigned.

  • Assigned to Group: The user group to which this reconciliation event has been assigned.

  • Linked To (region): The fields in this section of the form are described below.

  • User Login: The Oracle Identity Manager ID of the user record to which the reconciliation event has been linked.

  • Organization Name: The Oracle Identity Manager ID of the organization record to which the reconciliation event has been linked. If you are conducting organization discovery with a trusted source, it is recommended that this be done prior to performing user discovery (since every user record in Oracle Identity Manager must be associated with an organization record).

  • Process Instance Key: Numeric instance of the provisioning process to which the reconciliation event has been linked.

  • Process Descriptive Data: Instance-specific descriptive data for the provisioning process (as defined in the Map Descriptive Field pop-up window within the Process Definition form).

  • Close Event: This button is used to close the reconciliation event. Once the reconciliation event is closed, no additional matching attempts or linking can be performed on it.

  • Re-apply Matching Rules: This button is used to reapply the reconciliation matching rules (i.e., both process data and user/organization-matching rules) associated with the resource object. If Oracle Identity Manager is not generating satisfactory matches, the resource's reconciliation matching rules can be amended and reapplied (alternately, you might also amend the mappings on the provisioning process). Re-applying these rules after they have been edited may cause different records to appear on the Processes Matched, Matched Users, or Matched Organizations tabs. Reconciliation rules are only applied to target resource reconciliation events when no provisioning process matches are generated (since the process matches are considered to be of better quality and therefore more likely accurate).

  • Create Organization (only available on events related to the trusted source): This button is used to create an organization record in Oracle Identity Manager based on the information provided in the reconciliation event. This button should only be used when you are certain that the reconciliation event represents the creation of a new organization on the trusted source.

  • Create User (only available on events related to the trusted source): This button is used to create a user record in Oracle Identity Manager based on the information provided in the reconciliation event. This button should only be used when you are certain that the reconciliation event represents the creation of a new user on the trusted source.

View and Manage Reconciliation Events

To view and manage reconciliation events, perform the following steps:

  1. Access the Reconciliation Manager form.

  2. Use the query feature to locate the desired reconciliation event.


    Note:

    Reconciliation events can also be queried by their associated resource (in the Object Name field) or Status (in the Status field).

    If the reconciliation event for which you are querying is a delete event (i.e., the corresponding record has been deleted from either the target resource or the trusted source), the Yes option for the Delete Event flag will be selected. Otherwise, the No option will be selected.

  3. Once the desired reconciliation event has been located, use the tabs of this form to:

    • Correct any unprocessed data.

    • Browse and link to matching provisioning process form instances or user/organization record candidates.

    • View the audit history of the event.


    Note:

    Depending on how you have defined your reconciliation action rules, Oracle Identity Manager may automatically link data in a reconciliation event to a user or organization record when only one match is found (or when no matches are found for the trusted source).

    The information displayed on each tab is described in the Tabs on the Reconciliation Manager form section. When evaluating the matches Oracle Identity Manager has generated you can either:

    • Link the reconciliation event to a particular provisioning process, user or organization (this denotes that the event is associated with an existing user or organization record). To do this, click the Link button on the applicable tab. Alternately, you may have defined rules that instruct Oracle Identity Manager to automatically link the data when only a single match is found.

    • [For user-based reconciliation with the trusted source] Create a new user in Oracle Identity Manager (this denotes that the event represents the creation of a new user on the trusted source). To do this, click the Create User button. Alternately, you may have defined action rules that instruct Oracle Identity Manager to automatically create the user when no match is found.

    • [For organization-based reconciliation with the trusted source] Create a new organization in Oracle Identity Manager (this denotes that the event represents the creation of a new organization on the trusted source). To do this, click the Create Organization button. Alternately, you may have defined action rules that instruct Oracle Identity Manager to automatically create the organization when no match is found.

    • Refine the reconciliation rules associated with this resource and then re-apply the rule to generate more accurate matches. To do this, first refine the applicable reconciliation rule, save it and then click the Re-apply Matching Rules button.


    Note:

    If you refine a reconciliation rule and reapply it or choose to create/link a user/provisioning process/organization, these actions will be logged on the Reconciliation Event History tab. To view a log of the actions that have been performed on the reconciliation event, click the Reconciliation Event History tab.

Tabs on the Reconciliation Manager Form

Once the reconciliation event you wish to examine has been located, you can use these tabs to view any processed or unprocessed data in that event, view any provisioning process, user, or organization matches that have been generated, and link the event to the appropriate record (or create a new user).

Reconciliation Data

The data displayed on this tab appears under one of two branches: Processed Data and Unprocessed Data.

Processed Data

The fields listed within the Processed Data branch are those fields (as defined on the Reconciliation Fields tab of the associated resource) within the reconciliation event that have been successfully processed (for example, have not violated any data type requirements). For each successfully processed field, the following information will be provided:

  • Name of the field as defined on the Reconciliation Fields tab of the associated resource (for example, field1).

  • Data type associated with the field that was reconciled (for example, string). Possible values are Multi-Valued, String, Number, Date, IT resource.

  • Value of the field that was received in the reconciliation event (for example, Newark). This may be one of several values that changed on the target resource/trusted source and initiated the reconciliation event.

An example of a processed data field might appear as follows:

Location [String] = Newark


Note:

If a field is of type multi-value (only allowed for target resources, not trusted sources), it will not have a value. Instead, its component fields (contained within its sub-branch) will each have their own individual values.

Unprocessed Data

The fields listed within the Unprocessed Data branch are those fields within the reconciliation event that could not be processed (for example, because the field is not defined on the resource, or because its value conflicts with the data type set on the Reconciliation Fields tab of the associated resource). For each unprocessed field, the following information will be provided:

  • Name of the field (for example, user_securityid).

  • Value of the field that was received in the reconciliation event (for example, capital). This may be one of several values that changed on the target resource/trusted source and initiated the reconciliation event.

  • Reason why the data received from the target system was unable to be automatically processed (for example, <Not Numeric>). One of the following reason codes appears next to the unprocessed field:

    Error code and the reason it is generated:

    NOT MULTI-VALUED ATTRIBUTE
        A value was specified for a field that is defined as a multi-valued attribute. Only the component fields of a multi-value attribute (not the multi-value field itself) can accept values.

    NOT NUMERIC
        The value specified for a numeric field was non-numeric.

    DATE PARSE FAILED
        The system failed to recognize the value of a date field as a valid date.

    SERVER NOT FOUND
        The value specified for a field of type IT Resource was not recognized as the name of an existing IT Resource instance.

    FIELD NOT FOUND
        The name of the field specified in the event has not been defined on the resource.

    PARENT DATA LINK MISSING
        The parent data field (of type multi-value) is not yet linked to a reconciliation field. As a result, this component field cannot be linked to a child reconciliation field.

    FIELD LINKAGE MISSING
        The corresponding reconciliation field is not defined on the Reconciliation Fields tab of the associated resource.

    ATTRIBUTE LINKAGE MISSING
        [Only for fields of type multi-value.] The multi-value reconciliation field cannot be processed because the data of one or more of its component (child) fields is not linked to a reconciliation field.

    TABLE ATTRIBUTE LINKAGE MISSING
        [Only for fields of type multi-value.] The multi-value field cannot be processed because some of its component (child) fields of type Multi-Valued Attribute are not linked to a reconciliation field of type Multi-Valued Attribute.

  • The name of the resource field this reconciliation event field was ultimately mapped to (if the unprocessed field is successfully mapped to a resource field).

An example of an unprocessed data field might appear as follows:

user_securityid = capital <Not Numeric>


Note:

Oracle Identity Manager will not attempt to match processes (for target resources) or user/organizations (for trusted sources) until all fields that have been set as required (on the Reconciliation Fields tab of the associated resource) have been successfully processed.

To Map or Correct Unprocessed Fields

This procedure is used to correct and/or map unprocessed fields within the reconciliation event to the relevant fields as defined on the applicable resource.

  1. Double-click the unprocessed field.

    If the unprocessed field is of type multi-value, you may need to map it to the appropriate child process form and then double-click and correct each of its component fields individually.

    The Edit Reconciliation Field Data dialog box is displayed.


    Note:

    To map an unprocessed multi-value component field to one of the multi-value fields defined on the Reconciliation Fields tab of the associated resource, double-click the Linked to field, select the desired field and click OK. Then click Save and close the Edit Reconciliation Field Data dialog box.

  2. To map the unprocessed field to one of the fields defined on the Reconciliation Fields tab of the associated resource, double-click the Linked To field, select the desired field, and click OK. Then click Save and close the Edit Reconciliation Field Data dialog box.

    To correct the value of the unprocessed field, enter the correct value in the Corrected Value field, click Save and close the Edit Reconciliation Field Data dialog box.

If the field's data is successfully processed, the entry within the Unprocessed Data branch will be updated to reflect the field to which it was linked. A new entry for the field will be added to the Processed Data branch.
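The sorting and correction steps described above, as an added example that is not part of the Oracle Identity Manager product or of this guide: a Python routine that classifies the fields of a constructed reconciliation event against a constructed field schema (standing in for the Reconciliation Fields tab), assigns the reason codes listed above, renders entries in the same form as the Reconciliation Data tab, and shows the required-field gate opening once a value is corrected. The field names, the IT Resource instance names, the accepted date formats and the parent-level handling of multi-valued attributes are assumptions made for illustration.

```python
# Added example, not Oracle Identity Manager code: sorts a reconciliation event's
# fields into Processed and Unprocessed Data using the reason codes listed above.
from datetime import datetime

# Constructed schema for a hypothetical target resource, standing in for the
# Reconciliation Fields tab. Types: String, Number, Date, IT Resource, Multi-Valued.
RECON_FIELDS = {
    "Location":        {"type": "String", "required": True},
    "user_securityid": {"type": "Number", "required": True},
    "Hire Date":       {"type": "Date", "required": False},
    "Server":          {"type": "IT Resource", "required": False},
    "Groups":          {"type": "Multi-Valued", "required": False,
                        "children": {"Group Name": {"type": "String"}}},
}
IT_RESOURCES = {"ADServer1", "ADServer2"}   # constructed IT Resource instance names
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y")     # assumed accepted date formats


def check_scalar(ftype, value):
    """Return a reason code if value is unacceptable for ftype, else None."""
    if ftype == "Number":
        # Optional sign, digits, optional decimal point; rejects 'nan', '1e5', 'capital'.
        return None if str(value).strip().lstrip("-").replace(".", "", 1).isdigit() else "NOT NUMERIC"
    if ftype == "Date":
        for fmt in DATE_FORMATS:
            try:
                datetime.strptime(str(value), fmt)
                return None
            except ValueError:
                pass
        return "DATE PARSE FAILED"
    if ftype == "IT Resource":
        return None if value in IT_RESOURCES else "SERVER NOT FOUND"
    return None  # String accepts any value


def sort_event_data(event, schema=RECON_FIELDS):
    """Return (processed, unprocessed): name -> (type, value) and name -> (value, reason).
    A multi-valued parent is processed with value None; its components are keyed
    "Parent[row].Child"."""
    processed, unprocessed = {}, {}
    for name, value in event.items():
        spec = schema.get(name)
        if spec is None:
            unprocessed[name] = (value, "FIELD NOT FOUND")
            continue
        ftype = spec["type"]
        if ftype != "Multi-Valued":
            reason = check_scalar(ftype, value)
            if reason:
                unprocessed[name] = (value, reason)
            else:
                processed[name] = (ftype, value)
            continue
        # A multi-valued attribute carries no value of its own, only rows of components.
        if not isinstance(value, list):
            unprocessed[name] = (value, "NOT MULTI-VALUED ATTRIBUTE")
            continue
        children_ok = True
        for i, row in enumerate(value):
            for cname, cval in row.items():
                key, cspec = f"{name}[{i}].{cname}", spec["children"].get(cname)
                reason = "FIELD NOT FOUND" if cspec is None else check_scalar(cspec["type"], cval)
                if reason:
                    unprocessed[key] = (cval, reason)
                    children_ok = False
                else:
                    processed[key] = (cspec["type"], cval)
        if children_ok:
            processed[name] = (ftype, None)
        else:  # approximation: parent stays unprocessed while any component is undefined or invalid
            unprocessed[name] = (None, "ATTRIBUTE LINKAGE MISSING")
    return processed, unprocessed


def required_complete(processed, schema=RECON_FIELDS):
    """True once every required field is processed; matching does not start before this."""
    return all(n in processed for n, s in schema.items() if s["required"])


def render(processed, unprocessed):
    """Format entries the way the Reconciliation Data tab displays them."""
    lines = [f"{n} [{t}]" + ("" if v is None else f" = {v}") for n, (t, v) in processed.items()]
    lines += [n + ("" if v is None else f" = {v}") + f" <{r.title()}>" for n, (v, r) in unprocessed.items()]
    return lines


# Constructed event as received from the target system.
EVENT = {
    "Location": "Newark",
    "user_securityid": "capital",   # should be numeric
    "Hire Date": "2006-02-30",       # no such date
    "Server": "ADServer9",           # not a defined IT Resource
    "Groups": [{"Group Name": "Finance"}, {"Group Name": "Audit", "Group Type": "Global"}],
    "Department": "Payroll",         # not a reconciliation field
}

if __name__ == "__main__":
    processed, unprocessed = sort_event_data(EVENT)
    print("\n".join(render(processed, unprocessed)), "\nrequired complete:", required_complete(processed))
    fixed, _ = sort_event_data({**EVENT, "user_securityid": "4471"})  # value typed into Corrected Value
    print("required complete after correction:", required_complete(fixed))
```

Running it lists Location as processed, user_securityid as "user_securityid = capital <Not Numeric>", and the undefined Group Type component together with its Groups parent as unprocessed; the required-field gate stays closed until the numeric value is corrected, which is why the event does not move on to matching in the meantime.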

Once all the required data elements (as set on the Object Reconciliation tab of the applicable resource definition) within the reconciliation event have been marked as processed on the Reconciliation Data tab, Oracle Identity Manager will display:

  • For trusted sources:

All user (or organization) records that match the relevant data in the reconciliation event, as specified in the logic of the applicable user- or organization-matching reconciliation rules associated with the resource. These candidates represent accounts on the trusted source for which a potential owner was found in Oracle Identity Manager (i.e., user update). If no matches are found, the reconciliation event represents the creation of a new user account on the trusted source (i.e., user creation).

  • For target resources:

All provisioning process form instances where the values of all key fields (as set on the Reconciliation Field Mappings tab of the applicable process definition) match the values of the key fields in the reconciliation event. A match represents an account in the target system for which a corresponding account was found in Oracle Identity Manager (i.e., account update).

If no process instances match these values, Oracle Identity Manager proceeds to evaluate the applicable user- (or organization-) matching reconciliation rules and displays any users (or organizations) that match the relevant data in the reconciliation event. These matches represent accounts on the target system for which the reconciliation engine found no matching account record in Oracle Identity Manager (i.e., Oracle Identity Manager is not aware that the user has been provisioned with an account on that system) but did find potential owners of the account (i.e., account creation). If more than one candidate is found, an administrator should examine the records and decide which Oracle Identity Manager user the account is linked to.

If no matches are found at all, the data in your trusted source and the target application may be out of step, the event may represent a "rogue" account on the target system, or an existing employee may have been provisioned with a new account on the target system that Oracle Identity Manager cannot associate with any user. Such events should be investigated rather than discarded.

Processes Matched Tree (for target resources only)

Once all required fields (as defined on the Reconciliation Fields tab of the associated resource) have been processed, this tab will display all provisioning process form instances where the values of all key fields match the values for all key fields within the reconciliation event.


Note:

This will only occur for reconciliation events associated with target resources. Because a trusted source is linked to the user (or organization) resource and its provisioning process, it cannot have a custom process form and therefore cannot produce the process matches required to populate this tab. As a result, for trusted sources, once all required fields have been processed, Oracle Identity Manager proceeds immediately to evaluating the user- or organization-matching rules.

For each matched provisioning process, the following is displayed:

  • The name of the provisioning process associated with the process form instance that matched the values of the key fields in the reconciliation event (for example, Windows2000_prov).

  • The numeric ID of the particular process instance (for example, 445)

  • The User ID (for example, jdoe) or Organization Name (for example, Finance) associated with this process instance (i.e., the user who was provisioned with the resource by that instance of the provisioning process).

An example of a matched provisioning process might appear as follows:

Windows2000_prov [445] for User=jdoe

If no provisioning processes are listed on this tab, Oracle Identity Manager was unable to match the values of the key fields in the reconciliation event to the values of those fields in any process form instance associated with that resource. In that case, Oracle Identity Manager will then attempt to apply any user- or organization-matching rules that have been defined for the resource (if matches are found, they appear on the Matched Users or Matched Organizations tab accordingly).
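The order of evaluation described above for a target-resource event (key-field matching against process form instances first; user-matching rules only when that yields nothing; then the account update, account creation, ambiguous owner and no-match outcomes), as an added example that is not Oracle Identity Manager code. The process instances, user records, key fields and matching rule are constructed for illustration, and the rule format used here (alternatives joined by OR, each a conjunction of field comparisons) is an assumption, not the product's rule syntax. The returned history list names the Reconciliation Event History actions the text says are logged along the way.

```python
# Added example, not Oracle Identity Manager code: the order of evaluation the text
# describes for a target resource event once all required fields are processed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessInstance:
    process_name: str
    instance_id: int
    user_id: str
    form_data: dict


# Constructed: key fields as set on the Reconciliation Field Mappings tab of the process.
KEY_FIELDS = ("Server", "Account Name")

# Constructed process form instances already known to this hypothetical deployment.
PROCESS_INSTANCES = [
    ProcessInstance("Windows2000_prov", 445, "jdoe",   {"Server": "ADServer1", "Account Name": "jdoe"}),
    ProcessInstance("Windows2000_prov", 446, "asmith", {"Server": "ADServer1", "Account Name": "asmith"}),
]

# Constructed user records.
USERS = [
    {"User ID": "jdoe",    "First Name": "John", "Last Name": "Doe",   "Employee Number": "1001"},
    {"User ID": "asmith",  "First Name": "Ann",  "Last Name": "Smith", "Employee Number": "1002"},
    {"User ID": "asmith2", "First Name": "Ann",  "Last Name": "Smith", "Employee Number": "1003"},
]

# Constructed user-matching reconciliation rule (assumed format): a list of alternatives
# (OR); each alternative is a list of (event field, user attribute) pairs that must all hold (AND).
USER_MATCHING_RULE = [
    [("Employee Number", "Employee Number")],
    [("First Name", "First Name"), ("Last Name", "Last Name")],
]


def match_processes(event, instances=PROCESS_INSTANCES, key_fields=KEY_FIELDS):
    """Process form instances whose key fields all equal the event's values.
    A key field missing from the event never matches."""
    return [pi for pi in instances
            if all(k in event and pi.form_data.get(k) == event[k] for k in key_fields)]


def match_users(event, rule=USER_MATCHING_RULE, users=USERS):
    """Users satisfying at least one alternative of the rule. An event field that is
    absent never matches, so two missing values are not treated as equal."""
    def holds(user, alt):
        return all(event.get(ef) is not None and event.get(ef) == user.get(ua) for ef, ua in alt)
    return [u for u in users if any(holds(u, alt) for alt in rule)]


def classify(event):
    """Return (outcome, candidates, history) for a target-resource event.

    Process matches take precedence; user matching runs only when none exist, which
    is why the Matched Users tab stays empty whenever the Processes Matched Tree has
    entries. history lists the Reconciliation Event History actions logged so far.
    """
    history = ["Event Received", "Data Sorted"]
    procs = match_processes(event)
    if procs:
        history.append("Processes Matched")
        return "account update", procs, history
    users = match_users(event)
    if users:
        history.append("Users Matched")
    if len(users) == 1:
        return "account creation", users, history   # one owner found: safe to link
    if len(users) > 1:
        return "ambiguous owner", users, history    # an administrator must decide
    return "no match", [], history                   # data mismatch or possible rogue account


def render_process(pi):
    """Display form used on the Processes Matched Tree tab."""
    return f"{pi.process_name} [{pi.instance_id}] for User={pi.user_id}"


# Constructed events, one per outcome.
EVENTS = {
    "existing account":    {"Server": "ADServer1", "Account Name": "jdoe", "Employee Number": "1001"},
    "new account":         {"Server": "ADServer1", "Account Name": "jdoe2", "Employee Number": "1001"},
    "two possible owners": {"Server": "ADServer1", "Account Name": "asmith.adm",
                            "First Name": "Ann", "Last Name": "Smith"},
    "unknown account":     {"Server": "ADServer1", "Account Name": "svc_backup"},
}

if __name__ == "__main__":
    for label, ev in EVENTS.items():
        outcome, candidates, history = classify(ev)
        shown = [render_process(c) if isinstance(c, ProcessInstance) else c["User ID"] for c in candidates]
        print(f"{label}: {outcome} {shown} history={history}")
```

The "unknown account" case is the one to watch operationally: an account on the target system with no process instance and no candidate owner is either a data mismatch between trusted source and target or an account nobody in Oracle Identity Manager is known to own, and it should be reviewed before anyone links or creates a record for it.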

Link a Provisioning Process Instance to the Reconciliation Event

To link a provisioning process instance to the reconciliation event, perform the following steps:

  1. Once you have determined which provisioning process instance to link to the reconciliation event, select it and click Establish Link.

  2. Oracle Identity Manager will then update the relevant process form instance with the information in the reconciliation event according to the mappings defined on the relevant provisioning process (and insert the Reconciliation Update Received task within that process).

Matched Users

This tab displays the user records that match the relevant data within the reconciliation event (as specified in the criteria of the resource's reconciliation rules).

For trusted sources, Oracle Identity Manager will evaluate these rules and display any matching user records as soon as all required fields (as defined on the Reconciliation Fields tab of the associated resource) have been processed.

For target resources, Oracle Identity Manager will evaluate these rules and display any matching user records only after all required fields (as defined on the Reconciliation Fields tab of the associated resource) have been processed and no matches have been generated on the Processes Matched Tree tab.


Note:

If matching records are present on the Processes Matched Tree tab, no records appear on the Matched Users tab (since the process matches are considered to be of better quality and therefore more likely accurate).

For each matching record, Oracle Identity Manager will display the User's ID, First Name, and Last Name.

Link a User Record to the Reconciliation Event
  1. Once you have determined which user to link to the reconciliation event, select it and click Link.

  2. If you click Link and the reconciliation event is for a target resource, then Oracle Identity Manager:

    • Creates an instance of the resource's provisioning process (for the selected user), suppresses any adapters associated with the process's tasks, auto-completes the process, and inserts the Reconciliation Insert Received task.

    • Creates an instance of the resource's process form with the data from the reconciliation event according to the mappings defined on the provisioning process.

    If you click Link and the reconciliation event is for a trusted source, then Oracle Identity Manager:

    • Updates the user record with the data from the reconciliation event according to the mappings defined on the "user" provisioning process.

    • Inserts the Reconciliation Insert Received task in the existing instance of the "user" provisioning process for the user record to which the reconciliation event has been linked.


    Note:

    Alternately, for trusted sources, if you determine that the reconciliation event represents the creation of a new user on the trusted source, click the Create User button (this will create a new user record with the information contained in the reconciliation event).

Matched Organizations

This tab displays the Oracle Identity Manager organization records that match the data within the reconciliation event (as specified in the criteria of the resource's reconciliation rules).

For trusted sources, Oracle Identity Manager will evaluate these rules and display any matching organization records as soon as all required fields (as defined on the Reconciliation Fields tab of the associated resource) have been processed.

For target resources, Oracle Identity Manager will evaluate these rules and display any matching organization records only after all required fields (as defined on the Reconciliation Fields tab of the associated resource) have been processed and no matches have been generated on the Processes Matched Tree tab.


Note:

If matching records are present on the Processes Matched Tree tab, no records appear on the Matched Organizations tab (since the process matches are considered to be of better quality and therefore more likely accurate).

For each matching record, Oracle Identity Manager will display the Organization Name.

Link an Organization Record to the Reconciliation Event
  1. Once you have determined which organization to link to the reconciliation event, select it and click Link.

  2. If you click Link and the reconciliation event is for a target resource, Oracle Identity Manager:

    • Creates an instance of the resource's provisioning process (for the selected organization), suppresses any adapters associated with the process's tasks, auto-completes the process, and inserts the Reconciliation Insert Received task.

    • Creates an instance of the resource's process form with the data from the reconciliation event according to the mappings defined on the provisioning process.

    If you click Link and the reconciliation event is for a trusted source, Oracle Identity Manager:

    • Updates the organization record with the data from the reconciliation event according to the mappings defined on the "Oracle Identity Manager Organization" provisioning process.

    • Inserts the Reconciliation Insert Received task in the existing instance of the "Oracle Identity Manager Organization" provisioning process for the organization record to which the reconciliation event has been linked.


    Note:

    Alternately, for trusted sources, if you determine that the reconciliation event represents the creation of a new organization on the trusted source, click the Create Organization button (this will create a new organization record with the information contained in the reconciliation event).

Reconciliation Event History

This tab displays a history of the actions performed on this reconciliation event. For each action, the date and time on which it took place will be listed. Oracle Identity Manager will track and log the following reconciliation event actions:

  • Event Received: The action is logged when a reconciliation event is received by Oracle Identity Manager.

  • Data Sorted: The action is logged when the data within a reconciliation event has been sorted into processed and unprocessed fields.

  • Rules Reapplied: The action is logged when a user has clicked the Re-apply Matching Rules button.

  • Processes Matched: The action is logged when one or more process form instances (and their associated provisioning process) have been matched to the values of key fields within the reconciliation event.

  • Users Matched: The action is logged when one or more user records have been matched with the data in the reconciliation event by applying the user-matching reconciliation rules.

  • Organization Matched: The action is logged when one or more Oracle Identity Manager organization records have been matched with the data in the reconciliation event by applying the organization-matching reconciliation rules.

  • Linked to User: The action is logged when the data in the reconciliation event has been linked to a particular user.

  • Linked to Organization: The action is logged when the data in the reconciliation event has been linked to a particular organization.