Oracle® Identity Manager Generic Technology Connector Administrator's Guide Release 9.0.3.1 Part Number B32445-02
After you determine the provider requirements, you must identify the predefined providers that meet these requirements. To perform this step, use the information provided in this appendix.
The following providers are shipped with the current release of Oracle Identity Manager. The first of them, the Shared Drive Transport provider, reads data from flat files stored in staging directories on the target system server and copies the data to a file in an archiving directory on the Oracle Identity Manager server. If the staging directories are on a different computer, then they must be shared and mapped as network drives on the Oracle Identity Manager server.
The following are parameters of this provider:
Staging Directory (Parent Data)
Use this parameter to specify the path of the directory in which files containing parent data are stored. It is mandatory to specify a value for this parameter.
In this context, "parent data" means the user information that is stored in the target system. The staging directory must be a shared directory that is mapped on the Oracle Identity Manager server.
Sample value for this parameter:
T:\TargetSystemDirectory\ParentData
Data stored in the parent data files must conform to the following conventions:
First line of the file: File header that describes the contents of the file
The file header can be preceded by number signs (#), which are ignored while the file is read. Ensure that there are no spaces at the start of the header. If you are using a language other than English, do not enter non-ASCII characters on this line.
Note:
There are no checks to stop you from entering non-ASCII characters on the first line, and the generic technology connector framework can parse such characters. However, non-ASCII characters cause problems when the framework automatically creates objects for the generic technology connector that you define. Refer to the "Multilanguage Support" section of the "Known Issues" chapter for more information about this limitation.
Second line of the file: Metadata, or the field names for the data in the file
If you are using a language other than English, do not enter non-ASCII characters on this line either. Refer to the Note in the preceding point for more information about this limitation.
Third line of the file onward: Actual data rows
From the third line onward, you can enter data in the language that you have selected for Oracle Identity Manager, regardless of whether that language uses an ASCII or a non-ASCII character set.
During reconciliation, if there is no data from the third line onward, then an exception is thrown and a stack trace is displayed on the screen. When this happens, ensure that every data file has at least one data row from the third line onward, and then retry reconciliation. This point is also discussed in the "Other Known Issues" section of the "Known Issues" chapter.
The following are the contents of a sample parent data file:
##Active Directory user
Name TD,Address TD,User ID TD
John Doe,Park Street,jodoe
Jane Doe,Mark Street,jadoe
Staging Directory (Multivalued Data)
Use this parameter to specify the directory path at which files containing multivalued data (for example, role or group membership data) are stored. It is not mandatory to specify a value for this parameter.
Sample value for this parameter:
T:\TargetSystemDirectory\ChildData
The staging directory must be a shared directory on the target system that is mapped on the Oracle Identity Manager server. In addition, for each category of multivalued data, there must be a different file in the shared directory. For example, if the multivalued data for a particular target system is group membership data and role data, then there must be one file for group membership data and a second file for role data.
Data stored in the child data files must conform to the conventions that are defined for the parent data files.
In addition, the same unique field must be present in the parent data file and each child data file. This field is used as the reference value to uniquely link each record of the child data files with a single record in the parent data file. This structure is similar to the concept of integrity constraints (primary key-foreign key) in RDBMSs.
Note:
The unique field must be the first field in the child data files.
The following are the contents of a sample child data file holding role information that is linked to the sample parent data file listed earlier:
###Role
User ID TD,Role Name TD,Role Type TD
jodoe,admin1,admin
jadoe,admin2,admin
The following are the contents of a sample child data file holding group membership information that is linked to the sample parent data file listed earlier:
###Group Membership
User ID TD,Group Name TD,Group Type TD
jodoe,OracleDev1,OracleDev
jadoe,OracleDev2,OracleDev
jadoe,OracleDev3,OracleDev
jadoe,OracleDev4,OracleDev
jadoe,OracleDev5,ConnectorDev
Note that the name of the unique field, User ID TD, is the same in the child data files and their parent data file.
On the Modify Connector Configuration screen, the name of a child data set is the same as the header that you provide in the child data file. For these sample child data files, the child data sets displayed on that screen would be labeled Role and Group Membership. In addition, on the Step 3: Verify Connector Form Names screen, the default names displayed for the forms corresponding to the child data sets would be Role and Group Membership. As mentioned in the "Step 3: Verify Connector Form Names Screen" section, you can either accept the default form names or change them.
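The parent/child file layout and the linking rule described above, as an added example that is not Oracle's code: a parser that applies the documented conventions (header line, metadata line, data rows, ASCII-only first two lines, at least one data row) and then joins each child file to the parent file on the unique field. The '#'-stripping of the header, comma-separated fields, the skipping of blank data lines and the inline sample files (built from the page's own samples) are assumptions of this example.

```python
"""Parse the parent and child staging files described above and link each
child record to its parent on the unique field.

Added example, not Oracle's code. Assumptions the page leaves open: the
'#' prefix of the header line is stripped before use, fields are comma
separated, blank data lines are ignored, and the sample files below are
constructed from the page's own examples."""
from typing import Dict, List, Tuple

Record = Dict[str, str]


def parse_staging_file(text: str) -> Tuple[str, List[str], List[Record]]:
    """Return (header, field names, rows) for one staging file.

    Line 1 is the header, line 2 the metadata (field names), line 3 onward
    the data. The checks mirror the page's rules: no whitespace before the
    header, ASCII only on lines 1 and 2, and at least one data row."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("file needs a header line and a metadata line")
    header_line, meta_line, data_lines = lines[0], lines[1], lines[2:]
    if header_line != header_line.lstrip():
        raise ValueError("header line must not start with whitespace")
    for number, line in ((1, header_line), (2, meta_line)):
        if not line.isascii():
            raise ValueError(f"line {number} must contain only ASCII characters")
    header = header_line.lstrip("#").strip()
    fields = [f.strip() for f in meta_line.split(",")]
    rows: List[Record] = []
    for line in data_lines:
        if not line.strip():
            continue
        values = [v.strip() for v in line.split(",")]
        if len(values) != len(fields):
            # A delimiter inside a value (see Specified Delimiter) shows up here.
            raise ValueError(f"{header!r}: expected {len(fields)} fields, got {len(values)}")
        rows.append(dict(zip(fields, values)))
    if not rows:
        # The framework throws an exception at this point; fail the same way.
        raise ValueError(f"{header!r}: no data rows from the third line onward")
    return header, fields, rows


def link_child_data(parent_text: str, child_texts: List[str],
                    unique_field: str) -> Dict[str, Dict[str, List[Record]]]:
    """Group the rows of every child file under the parent record they reference.

    Enforces the page's constraints: the unique field exists in the parent
    file, is unique there, is the FIRST field of every child file, and every
    child row points at exactly one parent record (primary key / foreign key)."""
    _, parent_fields, parent_rows = parse_staging_file(parent_text)
    if unique_field not in parent_fields:
        raise ValueError(f"parent file lacks the unique field {unique_field!r}")
    keys = [row[unique_field] for row in parent_rows]
    if len(set(keys)) != len(keys):
        raise ValueError(f"{unique_field!r} is not unique in the parent file")
    linked: Dict[str, Dict[str, List[Record]]] = {key: {} for key in keys}
    for text in child_texts:
        name, child_fields, child_rows = parse_staging_file(text)
        if child_fields[0] != unique_field:
            raise ValueError(f"{name!r}: {unique_field!r} must be the first field")
        for row in child_rows:
            key = row[unique_field]
            if key not in linked:
                raise ValueError(f"{name!r}: {key!r} has no parent record")
            linked[key].setdefault(name, []).append(row)
    return linked


# Constructed from the sample files shown on this page.
PARENT = """##Active Directory user
Name TD,Address TD,User ID TD
John Doe,Park Street,jodoe
Jane Doe,Mark Street,jadoe
"""
ROLE = """###Role
User ID TD,Role Name TD,Role Type TD
jodoe,admin1,admin
jadoe,admin2,admin
"""
GROUP = """###Group Membership
User ID TD,Group Name TD,Group Type TD
jodoe,OracleDev1,OracleDev
jadoe,OracleDev2,OracleDev
jadoe,OracleDev3,OracleDev
jadoe,OracleDev4,OracleDev
jadoe,OracleDev5,ConnectorDev
"""

if __name__ == "__main__":
    for user, data_sets in link_child_data(PARENT, [ROLE, GROUP], "User ID TD").items():
        print(user, {name: len(rows) for name, rows in data_sets.items()})
```

Running the script prints one line per parent record with the number of Role and Group Membership rows linked to it. A child row whose key has no parent, a child file whose first field is not the unique field, or a file with no data rows is rejected before anything is linked, which is the behaviour you want before the framework starts deleting files from the staging directory.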
Archiving Directory
Use this parameter to specify the Oracle Identity Manager server directory path at which data files that have already been reconciled are to be stored.
It is mandatory to specify a value for this parameter.
At the end of the reconciliation run, the data files are copied into the archiving directory and deleted from the staging directory.
The files moved to the archiving directory are not time-stamped or marked in any way. Therefore, while specifying the path of the archiving directory, bear in mind the following limitations:
The archiving directory path that you specify must not be the same as the staging directory path. If you specify the same path, then the existing files in the archiving directory are deleted at the end of the reconciliation run.
During the current reconciliation run, if data files with the same names as the files used in the last reconciliation run are placed in the staging directory, then the existing files in the archiving directory are overwritten by the new files from the staging directory.
Both these limitations are mentioned in the "Step 2: Define Parameters Screen" section of the "Known Issues" chapter.
File Prefix
Use this parameter to specify the prefix added to the names of the files in the staging directories for both parent and child data files. During reconciliation, all files with names that start with the specified prefix are processed, regardless of the file extension.
For example:
If you specify usrdata as the value of the File Prefix parameter, then data is parsed from the following files placed in the staging directory for multivalued (child) data files:
usrdataRoleData.csv
usrdataGroupMembershipData.txt
Data is not extracted from the following files in the same directory, because the file names do not begin with usrdata:
RoleData.csv
GroupMembershipData.txt
Specified Delimiter
Use this parameter to specify the character that is used as the delimiter character in the files in the staging directories.
You can specify only a single character as the value of this parameter.
Note:
You cannot use the space character ( ) as a delimiter.
In addition, you must ensure that the character you specify is used only as the delimiter in the data files. If this character also appears inside the data itself, then the data row (or record) is not parsed correctly, because every field after that character is shifted by one position. For example, you cannot use the comma (,) as the delimiter if it also appears inside the data itself, such as in an address field.
Tab Delimiter
Use this parameter to specify whether or not the file is tab delimited. This parameter is ignored if you specify a value for the Specified Delimiter parameter.
Fixed Column Width
If the input file contains fixed-width data, then use this parameter to specify the character width of the data columns.
Note:
In this context, the term "fixed-width" refers to the number of characters in the data field, not the byte length of the field. This means that, for example, four characters of single-byte data and four characters of multibyte data are the same in terms of width.
This parameter is ignored if you specify a value for the Specified Delimiter or the Tab Delimiter parameter.
Unique Attribute (Parent Data)
For multivalued data, use this parameter to specify the field that is common to both the parent data and child data files (User ID TD in the sample files shown earlier).
File Encoding
Use this parameter to specify the character set encoding used in the parent and child data files.
Specify Cp1251 for data files stored on a computer running an operating system with the English-language setting. This is the canonical name for the java.io API that is supported by the generic technology connector framework. For any other language that you choose from the list given in the "Multilanguage Support" section, you must specify the canonical name for the corresponding java.io API listed on the following Web page:
http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html
Note:
The canonical name that you specify for the API must be entered exactly the way it appears on this Web page. You must not change the case (uppercase or lowercase) of the canonical name. For example, if you want to specify the encoding set for the Traditional Chinese language on a Microsoft Windows computer, then you specify MS950 as the value of the File Encoding parameter.
Bear in mind that Cp1251 is the Java canonical name of the Windows Cyrillic code page, whereas the Windows Western European (Latin-1) code page is Cp1252. Confirm which code page the target system actually writes its files in: decoding with the wrong single-byte encoding produces garbled non-ASCII text rather than an error.
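The File Prefix, Specified Delimiter, Tab Delimiter, Fixed Column Width and File Encoding rules above, as an added example that is not Oracle's code: one data line split under each rule with the documented precedence, a field-count check for the delimiter-inside-a-value problem, prefix-based file selection, and decoding with a Java canonical encoding name. The function names and the Traditional Chinese sample line (encoded with MS950 to show the character-versus-byte difference) are assumptions constructed for this example.

```python
"""How one data line is split under the Specified Delimiter, Tab Delimiter
and Fixed Column Width parameters, with the precedence the page describes,
plus File Prefix selection and decoding with the Java canonical encoding name.

Added example, not Oracle's code. The function names and the sample line
are assumptions constructed for this example."""
import codecs
from typing import List, Optional


def split_record(line: str, delimiter: Optional[str] = None,
                 tab_delimited: bool = False,
                 column_width: Optional[int] = None) -> List[str]:
    """Split one data line. Precedence as documented: Specified Delimiter
    wins over Tab Delimiter, which wins over Fixed Column Width."""
    if delimiter is not None:
        if len(delimiter) != 1 or delimiter == " ":
            raise ValueError("delimiter must be a single, non-space character")
        return line.split(delimiter)
    if tab_delimited:
        return line.split("\t")
    if column_width is not None:
        # Width counts characters, not bytes: once the line is decoded, a
        # multibyte character occupies one position, the same as an ASCII one.
        return [line[i:i + column_width].rstrip()
                for i in range(0, len(line), column_width)]
    raise ValueError("no splitting rule configured")


def check_field_count(values: List[str], fields: List[str]) -> None:
    """Catch the case the page warns about: the delimiter also appearing
    inside a value, which shifts every field after it."""
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {values}")


def select_staging_files(names: List[str], prefix: str) -> List[str]:
    """Files are chosen by prefix alone; the extension plays no part."""
    return sorted(n for n in names if n.startswith(prefix))


def decode_staging_bytes(raw: bytes, java_encoding: str) -> str:
    """Decode file bytes with the charset named by the File Encoding parameter.
    Python accepts the Java canonical names used on the page (Cp1251, MS950)
    in any case; Java does not, so keep the exact spelling in the connector."""
    return raw.decode(codecs.lookup(java_encoding).name)


# Constructed fixed-width sample (column width 6) as a Traditional Chinese
# Windows host would write it: each column is padded to 6 characters, and each
# Chinese character takes 2 bytes in MS950, so byte-based slicing would fail.
SAMPLE_LINE = "王小明".ljust(6) + "台北市".ljust(6) + "wang"
SAMPLE_BYTES = SAMPLE_LINE.encode("MS950")

if __name__ == "__main__":
    print(split_record(decode_staging_bytes(SAMPLE_BYTES, "MS950"), column_width=6))
    print(len(SAMPLE_LINE), "characters,", len(SAMPLE_BYTES), "bytes")
    print(split_record("John Doe,Park Street,jodoe", delimiter=","))
    print(select_staging_files(["usrdataRoleData.csv", "RoleData.csv"], "usrdata"))
```

The sample line is 16 characters but 22 bytes; slicing the decoded string at 6-character boundaries yields the three columns, which is what the character-based definition of "fixed-width" on this page means. Pair check_field_count with the metadata line of the file to detect a delimiter that leaked into the data before the rows are reconciled.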
The following table describes the impact of the various permissions on the shared directories that hold the staging and archiving data files. Note in particular the archiving directory rows: without Read or Write on that directory, the files are deleted from the staging directories without ever being copied. Because the framework reconciles whatever files it finds under the configured prefix, grant write access on the staging shares only to the account that produces the data files and to the account under which Oracle Identity Manager runs; the table lists the minimum that the framework itself needs.
Storage entity | Access Permission | Impact If This Permission Is Missing |
---|---|---|
Staging directory parent | Read | Reconciliation is not performed. An error message is logged. |
Staging directory parent | Write | Data files in the parent staging directory are not deleted at the end of the archiving process. |
Staging directory parent | Execute | No impact |
Staging directory child | Read | Reconciliation is not performed for child data. An error message is logged. |
Staging directory child | Write | Data files in the child staging directory are not deleted at the end of the archiving process. |
Staging directory child | Execute | No impact |
Archiving directory | Read | Reconciliation is performed for parent and child data. During the archiving process, files are not copied to the archiving directory. However, these files are deleted from the parent and child staging directories if the required permissions have been set on those directories. |
Archiving directory | Write | Reconciliation is performed for parent and child data. During the archiving process, files are not copied to the archiving directory. However, these files are deleted from the parent and child staging directories if the required permissions have been set on those directories. |
Archiving directory | Execute | No impact |
Staging directory parent file | Read | Reconciliation is performed for all parent data files that have the Read permission, but not for this file. An error message is logged. |
Staging directory parent file | Write | Data in this file is reconciled. However, this file is not deleted at the end of the archiving process. An error message is logged. |
Staging directory parent file | Execute | No impact |
Staging directory child file | Read | Reconciliation is performed for all child data files that have the Read permission, but not for this file. An error message is logged. |
Staging directory child file | Write | Data in this file is reconciled. However, this file is not deleted at the end of the archiving process. An error message is logged. |
Staging directory child file | Execute | No impact |
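A preflight check that applies the Archiving Directory limitations and the permission table above before a reconciliation run, as an added example that is not Oracle's code. It flags a staging path that equals the archiving path, an archiving directory that cannot be written to (the case where files would be deleted without being copied), missing Read or Write permissions on the staging directories and their prefixed files, and a file name that already exists in the archiving directory and would be overwritten because archived files are not time-stamped. The check names, the directory layout and the sample files are assumptions; the demo builds its tree in a temporary directory.

```python
"""Preflight check to run before a reconciliation, covering the archiving
directory limitations and the permission table above.

Added example, not Oracle's code. The check names, the directory layout and
the sample files are assumptions; the demo builds its tree in a temporary
directory so that it runs anywhere."""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def preflight(parent_dir: Path, archive_dir: Path, prefix: str,
              child_dir: Optional[Path] = None) -> List[str]:
    """Return the problems found; an empty list means the run is safe to start."""
    problems: List[str] = []
    staging = [d for d in (parent_dir, child_dir) if d is not None]
    for d in staging:
        if d.resolve() == archive_dir.resolve():
            # Same path: the "archived" files are deleted at the end of the run.
            problems.append(f"archiving directory is the staging directory {d}")
    # Without Write on the archiving directory the files are still deleted from
    # staging but never copied, i.e. the data is lost.
    if not archive_dir.is_dir() or not os.access(archive_dir, os.W_OK):
        problems.append(f"archiving directory {archive_dir} missing or not writable")
    for d in staging:
        if not os.access(d, os.R_OK):
            problems.append(f"{d} not readable: reconciliation will not run")
            continue
        if not os.access(d, os.W_OK):
            problems.append(f"{d} not writable: files will not be deleted after archiving")
        for f in sorted(p for p in d.iterdir() if p.is_file() and p.name.startswith(prefix)):
            if not os.access(f, os.R_OK):
                problems.append(f"{f.name} not readable: this file will be skipped")
            if not os.access(f, os.W_OK):
                problems.append(f"{f.name} not writable: this file will not be deleted")
            # Archived files carry no time stamp, so a same-named file from an
            # earlier run is overwritten without warning.
            if (archive_dir / f.name).is_file():
                problems.append(f"{f.name} already in the archiving directory; it would be overwritten")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed layout: a leftover archive file, then the same-path mistake."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        parent, archive = root / "ParentData", root / "Archive"
        parent.mkdir()
        archive.mkdir()
        (parent / "usrdataParent.csv").write_text(
            "##Active Directory user\nName TD,User ID TD\nJohn Doe,jodoe\n")
        (parent / "notes.txt").write_text("no prefix, so never reconciled\n")
        (archive / "usrdataParent.csv").write_text("left over from the last run\n")
        return preflight(parent, archive, "usrdata"), preflight(parent, parent, "usrdata")


if __name__ == "__main__":
    for problem in demo()[0]:
        print("WARNING:", problem)
```

Run it against the real mapped drives (for example T:\TargetSystemDirectory\ParentData and the archiving directory) under the Oracle Identity Manager service account, since os.access reports the permissions of the calling user. The overwrite warning is the cue to rename or move files from the previous run before starting the next one.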
Note:
Data files in the staging directory cannot be deleted if they are open in any editor.
The CSV Format provider: Although this provider is packaged as a standalone provider, all of its parameters are bundled with the Shared Drive Transport provider and are therefore described together with the Shared Drive Transport provider parameters earlier in this appendix. If you select the Shared Drive Transport provider on the Step 1: Basic Information screen, then you must select the CSV Format provider. When you select this provider, its parameters are displayed along with the Shared Drive Transport provider parameters.
The provisioning format provider that generates SPML requests has a single parameter:
Target ID
Use this parameter to specify the target ID of the actual target system. This value appears as the targetID element in every generated request (ADServer_124 in the samples that follow).
The provider uses a Velocity template engine to create the SPML requests. For the following processes, the provider generates requests based on the SPML 2.0 DSML profile:
Add request
Modify request for the following Oracle Identity Manager process tasks:
Field updated
Add child data
Modify child data
Delete child data
Suspend request (for Disable Oracle Identity Manager process tasks)
Resume request (for Enable Oracle Identity Manager process tasks)
Delete request
This provider also has the following default identity fields:
objectClass
containerID
Note:
On the Modify Connector Configuration screen, these two fields are displayed by default in the Provisioning Staging data set.
For each provisioning task (for example, Create User and Modify User), the provider generates a request in a predefined format.
The following sections list the XML definition code for provisioning requests and responses implemented by the provider, for the various provisioning tasks:
Note:
The definition XML code for requests and responses is for your reference. You cannot customize this code in the provider.
The Provisioning Transport provider expects responses that are based on the sample response formats described in these sections.
The following is sample SPML code for the Add request:
<addRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
  <targetID ID="ADServer_124"/>
  <containerID ID="Contractors"/>
  <data>
    <dsml:attr name="objectclass">
      <dsml:value>userObject</dsml:value>
    </dsml:attr>
    <dsml:attr name="firstName">
      <dsml:value>John</dsml:value>
    </dsml:attr>
    <dsml:attr name="lastName">
      <dsml:value>Doe</dsml:value>
    </dsml:attr>
  </data>
</addRequest>
The following is sample SPML code for the Add response:
<addResponse status="success">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
</addResponse>
The following is sample SPML code for the Modify request:
<modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
  <modification>
    <dsml:modification name="lastName" operation="replace">
      <dsml:value>Doe</dsml:value>
    </dsml:modification>
  </modification>
</modifyRequest>
The following is sample SPML code for the Modify response:
<modifyResponse status="success">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
</modifyResponse>
The following is sample SPML code for the Delete request:
<deleteRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
</deleteRequest>
The following is sample SPML code for the Delete response:
<deleteResponse status="success">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
</deleteResponse>
The following is sample SPML code for the Suspend request:
<suspendRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
</suspendRequest>
The following is sample SPML code for the Suspend response:
<suspendResponse status="success">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
</suspendResponse>
The following is sample SPML code for the Resume request:
<resumeRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
</resumeRequest>
The following is sample SPML code for the Resume response:
<resumeResponse status="success">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
</resumeResponse>
The following is sample SPML code for the Modify request that captures the input for inserting child table data:
<modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
  <modification>
    <dsml:modification name="Group Membership" operation="add">
      <dsml:value>AdminOra, System Admins, USA </dsml:value>
    </dsml:modification>
  </modification>
</modifyRequest>
Note:
There is no standard format for child table operations. Therefore, child data provisioning is handled through the SPML Modify request. The modification involves a single attribute whose name is the same as the name of the corresponding child data set. The order in which field values are placed in the XML request must be the same as the order in which the corresponding fields are displayed on the relevant child form. In the preceding XML, the data set name is Group Membership (the name attribute) and the field values are AdminOra, System Admins, USA. This also applies to the requests used for the Child Table Update and Child Table Delete operations.
The following is sample SPML code for the Modify response:
<modifyResponse status="success">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
</modifyResponse>
The following is sample SPML code for the Modify request that captures the input for updating child table data:
<modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
  <modification>
    <dsml:modification name="Group Membership" operation="replace">
      <dsml:value>AdminOra, System Admins, USA </dsml:value>
    </dsml:modification>
  </modification>
</modifyRequest>
The following is sample SPML code for the Modify response:
<modifyResponse status="success">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
</modifyResponse>
The following is sample SPML code for the Modify request that captures the input for deleting child table data:
<modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
  <modification>
    <dsml:modification name="Group Membership" operation="delete">
      <dsml:value>AdminOra, System Admins, USA </dsml:value>
    </dsml:modification>
  </modification>
</modifyRequest>
The following is sample SPML code for the Modify response:
<modifyResponse status="success">
  <psoID ID="jdoe">
    <targetID ID="ADServer_124"/>
    <containerID ID="Contractors"/>
  </psoID>
</modifyResponse>
The Web services provisioning transport provider, which sends the SPML requests to the target Web service, has the following parameters:
Web Service URL
Use this parameter to specify the URL of the Web service that you want to use.
Operation Name
Use this parameter to specify the name of the Web service method that you want the provider to run.
In addition, the target Web service must meet the following requirements:
The input parameter of the target operation must be a byte array (byte[]). This parameter holds the SPML provisioning request.
The value returned by the target operation must be a byte array (byte[]). This value holds the SPML response.
The following is the signature of a sample operation:
public byte[] doProvisioning(byte[] requestData) {
    // requestData holds the SPML request; the returned array holds the SPML response
    ...
}
In this sample, the name of the operation is doProvisioning.
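The request and response exchange above, from the target side, as an added example that is not Oracle's code: a handler with the byte[]-in, byte[]-out contract the Web service operation must satisfy, dispatching on the SPML request type (add, modify, suspend, resume, delete) and answering in the documented response shape, plus a builder for the child-table Modify request that joins the field values in child-form order. The in-memory account store, the way this target assigns psoID values, the field order of the Group Membership child form and the constructed request bytes are assumptions of this example; the Add request text follows the page's sample.

```python
"""A target-side handler for the SPML requests shown above, exposing the
byte[]-in, byte[]-out contract required of the Web service operation.

Added example, not Oracle's code. The in-memory account store, the psoID
rule, the Group Membership field order and the request bytes are
assumptions; the Add request text follows the page's sample."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SPML = "urn:oasis:names:tc:SPML:2:0"
DSML = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("", SPML)
ET.register_namespace("dsml", DSML)

# Assumed child-form field order: child values arrive as one comma-separated
# value whose order must match the form (see the Note above).
GROUP_FIELDS = ["Group Name", "Group Type", "Country"]


def child_modify_request(pso_id: str, target_id: str, container: str,
                         data_set: str, values: List[str], operation: str) -> bytes:
    """Build the Modify request used for child-table data: one attribute named
    after the child data set, its values joined in child-form order.
    ElementTree escapes the values, so '<' or '&' in a value cannot break the XML."""
    req = ET.Element(f"{{{SPML}}}modifyRequest")
    pso = ET.SubElement(req, f"{{{SPML}}}psoID", ID=pso_id)
    ET.SubElement(pso, f"{{{SPML}}}targetID", ID=target_id)
    ET.SubElement(pso, f"{{{SPML}}}containerID", ID=container)
    mods = ET.SubElement(req, f"{{{SPML}}}modification")
    mod = ET.SubElement(mods, f"{{{DSML}}}modification", name=data_set, operation=operation)
    ET.SubElement(mod, f"{{{DSML}}}value").text = ", ".join(values)
    return ET.tostring(req)


def response_summary(data: bytes) -> Tuple[str, str, str]:
    """Connector-side view of a response: (element name, status, psoID)."""
    resp = ET.fromstring(data)
    return resp.tag, resp.get("status"), resp.find("psoID").get("ID")


class Target:
    """In-memory stand-in for the real target system behind the Web service."""

    def __init__(self, target_id: str):
        self.target_id = target_id
        self.accounts: Dict[str, dict] = {}

    def do_provisioning(self, request_data: bytes) -> bytes:
        """Same contract as the Java doProvisioning(byte[]) operation."""
        # expat, as used by ElementTree, does not fetch external entities,
        # which is the behaviour you want for a request arriving over the network.
        root = ET.fromstring(request_data)
        kind = root.tag.split("}")[-1]                      # e.g. addRequest
        handler = getattr(self, "_" + kind, None)
        if handler is None:
            raise ValueError(f"unsupported request {kind!r}")
        pso_id, container = handler(root)
        resp = ET.Element(kind.replace("Request", "Response"), status="success")
        pso = ET.SubElement(resp, "psoID", ID=pso_id)
        ET.SubElement(pso, "targetID", ID=self.target_id)
        ET.SubElement(pso, "containerID", ID=container)
        return ET.tostring(resp)

    def _pso(self, root) -> Tuple[str, str]:
        pso = root.find(f"{{{SPML}}}psoID")
        return pso.get("ID"), pso.find(f"{{{SPML}}}containerID").get("ID")

    def _addRequest(self, root):
        container = root.find(f"{{{SPML}}}containerID").get("ID")
        attrs = {a.get("name"): [v.text for v in a.findall(f"{{{DSML}}}value")]
                 for a in root.iter(f"{{{DSML}}}attr")}
        pso_id = (attrs["firstName"][0][0] + attrs["lastName"][0]).lower()  # assumed rule
        self.accounts[pso_id] = {"container": container, "attrs": attrs,
                                 "Group Membership": [], "disabled": False}
        return pso_id, container

    def _modifyRequest(self, root):
        pso_id, container = self._pso(root)
        acct = self.accounts[pso_id]
        for mod in root.iter(f"{{{DSML}}}modification"):
            name, op = mod.get("name"), mod.get("operation")
            values = [v.text for v in mod.findall(f"{{{DSML}}}value")]
            if name == "Group Membership":
                row = dict(zip(GROUP_FIELDS, (f.strip() for f in values[0].split(","))))
                rows = acct["Group Membership"]
                if op == "add":
                    rows.append(row)
                elif op == "delete":
                    rows[:] = [r for r in rows if r != row]
                else:                                       # replace
                    rows[:] = [row]
            else:
                acct["attrs"][name] = values
        return pso_id, container

    def _suspendRequest(self, root):
        pso_id, container = self._pso(root)
        self.accounts[pso_id]["disabled"] = True
        return pso_id, container

    def _resumeRequest(self, root):
        pso_id, container = self._pso(root)
        self.accounts[pso_id]["disabled"] = False
        return pso_id, container

    def _deleteRequest(self, root):
        pso_id, container = self._pso(root)
        del self.accounts[pso_id]
        return pso_id, container


# Constructed request bytes, following the page's Add request sample.
ADD_REQUEST = b"""<addRequest xmlns="urn:oasis:names:tc:SPML:2:0"
  xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
  <targetID ID="ADServer_124"/><containerID ID="Contractors"/>
  <data>
    <dsml:attr name="objectclass"><dsml:value>userObject</dsml:value></dsml:attr>
    <dsml:attr name="firstName"><dsml:value>John</dsml:value></dsml:attr>
    <dsml:attr name="lastName"><dsml:value>Doe</dsml:value></dsml:attr>
  </data>
</addRequest>"""

if __name__ == "__main__":
    target = Target("ADServer_124")
    print(target.do_provisioning(ADD_REQUEST).decode())
```

Because the connector's Velocity template cannot be customized, the only place to catch a malformed or unexpected request is the receiving service: reject request types you do not implement, parse with external entity resolution disabled, and return the response element the page documents so that the Provisioning Transport provider can match it.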
The following table describes the Validation providers that are shipped with this release of Oracle Identity Manager.
Validation Provider | Description |
---|---|
IsNotBlankOrNull | Checks that the field value is neither null nor blank |
IsValidDate | Checks if the field value is a valid date |
IsInRange | Checks if the field value is within a range specified by a minimum and maximum value pair |
IsByte | Checks if the field value can be converted to a byte primitive |
IsDouble | Checks if the field value can be converted to a double primitive |
IsFloat | Checks if the field value can be converted to a float primitive |
IsInteger | Checks if the field value can be converted to an integer primitive |
IsLong | Checks if the field value can be converted to a long primitive |
IsShort | Checks if the field value can be converted to a short primitive |
MatchRegexp | Checks if the field value matches the specified regular expression |
MaxLength | Checks if the length of the field value is less than or equal to the specified value |
MinLength | Checks if the length of the field value is greater than or equal to the specified value |
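The validation providers in the table, as an added example that is not Oracle's code: each check implemented by name and run over a constructed record, so that the edge cases show up (a value of 300 passes IsInteger but fails IsByte; a regular expression that only matches part of a value). Semantics the page does not state are assumptions here: the numeric checks use the Java primitive ranges, lengths are counted in characters, MatchRegexp must match the whole value, and IsValidDate takes a date format.

```python
"""The validation providers listed above, implemented by name.

Added example, not Oracle's code. Assumptions: Java primitive ranges for the
numeric checks, character-based lengths, whole-value regular expression
matching, and a configurable date format for IsValidDate."""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# The providers convert to a Java primitive, so the Java ranges apply.
_INT_RANGES = {"IsByte": (-128, 127), "IsShort": (-32768, 32767),
               "IsInteger": (-2**31, 2**31 - 1), "IsLong": (-2**63, 2**63 - 1)}


def _fits_int(value, lo: int, hi: int) -> bool:
    try:
        return lo <= int(value) <= hi
    except (TypeError, ValueError):
        return False


def _is_float(value) -> bool:
    try:
        float(value)
        return True
    except (TypeError, ValueError):
        return False


def check(name: str, value, **params) -> bool:
    """Evaluate one validation provider by name; True means the value passes."""
    if name == "IsNotBlankOrNull":
        return value is not None and str(value).strip() != ""
    if name == "IsValidDate":
        try:  # the date format is an assumption; the page does not state one
            datetime.strptime(value, params.get("format", "%Y-%m-%d"))
            return True
        except (TypeError, ValueError):
            return False
    if name == "IsInRange":
        return _is_float(value) and params["min"] <= float(value) <= params["max"]
    if name in _INT_RANGES:
        return _fits_int(value, *_INT_RANGES[name])
    if name in ("IsFloat", "IsDouble"):
        return _is_float(value)
    if name == "MatchRegexp":
        # Whole-value match (assumed): an unanchored search would let
        # "jodoe; drop" pass a pattern written for "jodoe".
        return value is not None and re.fullmatch(params["pattern"], value) is not None
    if name == "MaxLength":
        return value is not None and len(value) <= params["n"]
    if name == "MinLength":
        return value is not None and len(value) >= params["n"]
    raise ValueError(f"unknown validation provider {name!r}")


Rule = Tuple[str, str, dict]   # (field, provider, provider parameters)


def validate_record(record: Dict[str, str], rules: List[Rule]) -> List[str]:
    """Return 'field: provider' for every failed rule; an empty list means valid."""
    return [f"{field}: {provider}" for field, provider, params in rules
            if not check(provider, record.get(field), **params)]


# Constructed rules, reusing field names from the parent data file shown earlier.
RULES: List[Rule] = [
    ("User ID TD", "IsNotBlankOrNull", {}),
    ("User ID TD", "MatchRegexp", {"pattern": r"[a-z][a-z0-9._-]{1,19}"}),
    ("Name TD", "MaxLength", {"n": 64}),
    ("Retry Count", "IsByte", {}),
    ("Quota GB", "IsInRange", {"min": 1, "max": 500}),
    ("Start Date", "IsValidDate", {}),
]

if __name__ == "__main__":
    record = {"User ID TD": "Jo Doe", "Name TD": "John Doe", "Retry Count": "300",
              "Quota GB": "20", "Start Date": "2007-03-01"}
    print(validate_record(record, RULES))
```

A record that fails any rule should be rejected before it reaches the provisioning or reconciliation step; the failure list names the field and the provider so that the data file or the user can be corrected.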