Oracle® Identity Manager Generic Technology Connector Administrator's Guide Release 9.0.3.1 Part Number B32445-02
This chapter discusses known issues related to the generic technology connector framework.
The known issues are divided into the following categories:
This section describes the following known issues related to the names that you specify for generic technology connectors and connector objects:
Summary:
No warning is displayed if the name that you specify for a generic technology connector is the same as the name of an existing connector object.
No warning is displayed if an existing connector object is overwritten by a new connector object when you import a connector XML file.
Description:
During the creation or modification of a generic technology connector, various objects are automatically created or modified by the generic technology connector framework. You are prompted to specify names for the generic technology connector and process forms. The framework automatically generates names for the remaining objects. These autogenerated names are based on the name that you specify for the generic technology connector.
When you specify a name for the generic technology connector, you must ensure that the name is unique across all object categories (such as resource objects and IT resources) for that Oracle Identity Manager installation. Similarly, you must also ensure that the process form names are unique. This guideline must be followed even while importing a generic technology connector XML configuration file to a different Oracle Identity Manager installation. You must ensure that the names of objects defined in the XML file are not the same as the names of objects belonging to the same category on the destination Oracle Identity Manager installation. The scope of this guideline covers all connector objects, regardless of whether the object is used by an application-specific connector or a generic technology connector on the destination Oracle Identity Manager installation.
If you do not follow this guideline, then existing objects that have the same name as imported objects are overwritten during the XML file import operation. No message is displayed during the overwrite process, and the process leads to eventual failure of the affected connector.
This point has also been discussed in the "Connector Objects" section.
Summary:
Oracle Identity Manager does not prevent the automatic creation of a resource object that has the same name, but different combination of uppercase and lowercase characters in its name, when compared with the name of an existing resource object.
Description:
Consider the following scenario:
There is a resource object definition named MyConnRO in the Oracle Identity Manager database. Now, if you use the Design Console to create another resource object named myconnro, then an error message is displayed. This error message tells you that there is an existing resource object with the same name. The check for the name of the resource object takes place at the UI level, and it does not take into account the case (uppercase or lowercase) of the resource object name.
However, this error message is not displayed if you import a connector XML file that contains the definition of the myconnro resource object. The Deployment Manager of Oracle Identity Manager does not perform a non-case-sensitive comparison of the resource object name defined in the XML file with the names of existing resource objects.
The same problem occurs if you create a generic technology connector with a name that is the same as the name of an existing resource object.
The existence of a duplicate resource object in the Oracle Identity Manager database causes problems during reconciliation and provisioning. Therefore, you must ensure that:
A connector XML file that you import does not contain the definition of a resource object that has the same name as the name of an existing resource object.
While creating a generic technology connector, you do not specify a name that is the same as the name of an existing resource object.
Summary:
You are not allowed to specify a name containing non-ASCII characters for a generic technology connector.
Description:
Most of the connector objects that are automatically created at the end of the connector creation process have the same name as the generic technology connector. In the Oracle Identity Manager database, there is no provision for storing these objects with names in non-ASCII characters. Therefore, an error message is displayed if you enter non-ASCII characters while specifying the name of a generic technology connector.
This point has also been discussed in the "Multilanguage Support" section.
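The naming checks that the framework and the Deployment Manager do not perform can be run before a connector is created or an XML file is imported. The following is an added example, not Oracle code: it assumes that you have already listed the existing object names per category on the destination installation and the names defined in the XML file, and the function names and sample inventory are constructed for illustration.

```python
# Pre-creation / pre-import name check for connector objects.
# Assumption: object names are supplied as {category: [names]} dictionaries;
# how they are collected from the installation or the XML file is out of scope.

# Constructed sample inventory of the destination installation.
EXISTING = {
    "Resource Object": ["MyConnRO", "AD User"],
    "IT Resource": ["MyConn IT"],
    "Process Form": ["UD_ADUSER"],
}

# Constructed sample of the names defined in a connector XML file.
INCOMING = {
    "Resource Object": ["myconnro", "HR Feed"],
    "Process Form": ["UD_ADUSER"],
}


def classify(name, existing_names):
    """Return (kind, existing_name) for every existing name that clashes.

    EXACT        -> the existing object is silently overwritten on import.
    CASE_VARIANT -> a duplicate that differs only in letter case is created.
    """
    clashes = []
    for other in existing_names:
        if other == name:
            clashes.append(("EXACT", other))
        elif other.casefold() == name.casefold():
            clashes.append(("CASE_VARIANT", other))
    return clashes


def check_import(existing, incoming):
    """Compare imported names with existing names of the same category."""
    findings = []
    for category, names in incoming.items():
        for name in names:
            for kind, other in classify(name, existing.get(category, [])):
                findings.append((kind, category, name, other))
    return findings


def check_connector_name(existing, name):
    """A connector name must be ASCII and unique across all categories."""
    findings = []
    if not name.isascii():
        findings.append(("NON_ASCII", None, name, None))
    for category, names in existing.items():
        for kind, other in classify(name, names):
            findings.append((kind, category, name, other))
    return findings


if __name__ == "__main__":
    for finding in check_import(EXISTING, INCOMING):
        print("import:", finding)
    for candidate in ("myconnro", "Conector_ñ", "HRFeedGTC"):
        print(candidate, "->", check_connector_name(EXISTING, candidate) or "ok")
```
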
This section describes the following known issues related to the user account used to create generic technology connectors:
Summary:
An error may occur if the user account that is used to create a generic technology connector is a member of three or more groups.
Description:
You must assign certain menu items and permissions to the group whose members create generic technology connectors. The "Step 3: Addressing Requirements to Create the Generic Technology Connector" section lists these menu items and permissions. Members of this group are also members of the ALL USERS group, because every Oracle Identity Manager user is a member of the ALL USERS group.
The user that you assign to this group is, by default, also a member of the ALL USERS group. Besides these two groups, if the user is a member of any other group, then an error may occur when the user clicks the Create button on the final Administrative and User Console screen for creating generic technology connectors. The reason for this is as follows:
When the user clicks the Create button on the last screen, the generic technology connector framework checks the menu items and permissions assigned to the group (other than the ALL USERS group) to which the user belongs. If the required menu items and permissions have not been assigned to this group, then an error is thrown.
Suppose the first group that the framework checks does not have the required menu items and permissions. The framework does not move on to the next group to check if that group meets the requirements. Instead, an error is thrown and the user must restart the procedure from the beginning by using a different generic technology connector name or by restarting the application server. However, if the first group that the framework checks has the required menu items and permissions, then the generic technology connector is created correctly.
Therefore, to ensure that an error does not occur when the framework checks for the required permissions, the user account that you plan to use to create generic technology connectors must not be a member of more than two groups.
This section describes the following known issues related to the input that you specify on the Step 2: Define Parameters screen:
Summary:
Existing files in the archiving directory are deleted if you specify the same path for the staging and archiving directories.
Existing files in the archiving directory are overwritten at the end of a reconciliation run if these files have the same name as the files placed in the staging directory.
Description:
When you use the predefined Shared Drive Transport provider, after each reconciliation run, data files are moved from the staging directory to the archiving directory. The files moved to the archiving directory are not time-stamped or marked in any way. Therefore, when you use the Shared Drive Transport provider, bear in mind the following guidelines:
The archiving directory path that you specify must not be the same as the staging directory path. If you specify the same path, then the existing files in the archiving directory are deleted at the end of the reconciliation run.
During the current reconciliation run, if data files with the same names as the files used in the last reconciliation run are placed in the staging directory, then the existing files in the archiving directory are overwritten by the new files from the staging directory. This can be illustrated by the following example:
Suppose that at the end of the last reconciliation run, the following files were moved automatically from the staging directory to the archiving directory:
usrdataParentData.csv
usrdataRoleData.csv
usrdataGroupMembershipData.txt
For the current reconciliation run, you place the following files in the staging directory:
usrdataParentData.csv
usrdataRoleData_04Feb07.csv
usrdataGroupMembershipData_04Feb07.txt
At the end of the current reconciliation run, these files are moved to the archiving directory. When this happens, the old usrdataParentData.csv file is overwritten by the new one.
Therefore, if you want to ensure that files in the archiving directory are not overwritten at the end of a reconciliation run, then you must ensure that the names of files in the staging directory are not the same as the names of files in the archiving directory.
Summary:
Metadata detection does not take place a second time if an error occurs the first time you submit information through the Step 2: Define Parameters screen.
Metadata detection does not take place a second time if you go back to the Step 2: Define Parameters screen or the Step 1: Basic Information screen to make changes in the input that you have already specified.
Description:
Suppose the values that you provide on the Step 2: Define Parameters screen are not correct. When you submit the information, the following error is displayed at the top of the screen:
"Problem encountered during metadata detection. Please check the server logs for more details."
If the cause of this error is the entry of incorrect provider parameter values, then the same error message is displayed even after you rectify and resubmit the parameter values. This is because all the values that you specify on the first and second screen are stored in the cache memory of the application and are associated with the name of the generic technology connector. For the same reason, you cannot go back to the Step 2: Define Parameters screen or the Step 1: Basic Information screen to make changes in the input that you have already specified.
To circumvent this problem, you must start the entire procedure again and provide a new name for the generic technology connector. Alternatively, if you want to specify the same name for the generic technology connector, then you must restart Oracle Identity Manager.
You must follow either one of these two methods only if the error is caused by the entry of incorrect provider parameter values. The information in the server logs can help you determine the actual cause of the error.
Summary:
While creating a connector in which you want to enable reconciliation, if there are no data files in the staging directories, then an error occurs after you enter and submit parameter values on the Step 2: Define Parameters screen.
Description:
On the Step 1: Basic Information screen, suppose you select the Reconciliation-only option or the Reconciliation and Provisioning option and then enter and submit values for the parameters displayed on the Step 2: Define Parameters screen.
At this point, if there are no data files in the staging directories, then an error occurs. This will be fixed in a future release of Oracle Identity Manager. If this error occurs while you are using the current release of Oracle Identity Manager, then you must restart the procedure. Refer to the "Names of Generic Technology Connectors and Connector Objects" section for information about why you need to restart the procedure.
This section describes the following known issues related to the input that you specify on the Modify Connector Configuration screen:
Summary:
Suppose you create a generic technology connector, use it for provisioning or reconciliation, and then delete fields or child data sets of the Account data set. An error occurs the next time you perform provisioning or reconciliation by using the same generic technology connector.
Description:
Suppose you create a generic technology connector and then use it for provisioning or reconciliation. You then delete some fields or child data sets of the Account data set of this generic technology connector. Now, the next time you perform provisioning or reconciliation by using the same generic technology connector, an exception is displayed on the screen.
After you use the generic technology connector for provisioning or reconciliation even once, deleting the fields or child data sets of the Account data set is an invalid operation. This is because data linked to the fields or child data sets that you delete has already been stored in the Oracle Identity Manager database.
Therefore, you must not delete fields or child data sets of the Account data set if the generic technology connector has already been used to perform provisioning or reconciliation.
In a future release, an appropriate error message will be displayed instead of the exception that is thrown at present.
Summary:
While modifying an existing generic technology connector, if you modify the fields or child data sets of the Account data set, then corresponding changes are not made in the Oracle Identity Manager database entries for the forms that are based on these data sets. At the same time, no error message is displayed.
Description:
While modifying an existing generic technology connector, the Modify Connector Configuration screen provides features that enable you to add, modify, and delete fields and field mappings. You can also use these features to make changes in the data sets of an existing generic technology connector.
You could use these features to modify the field size or field data type value of the Account data set or its child data sets. However, this action would not translate into corresponding changes in the Oracle Identity Manager database entries for these data sets. At the same time, no error message is displayed.
This issue will be fixed in a future release of Oracle Identity Manager. Until then, you must not make changes in the fields or child data sets of the Account data set.
Summary:
The Length field displayed on the Add and Edit windows that you open through the Modify Connector Configuration screen accepts non-numeric values.
Description:
The Modify Connector Configuration screen provides features that enable you to add, modify, and delete fields and field mappings. The Length field on the Add Field and Modify Field windows must accept only a numeric value. However, there is no validation to stop you from entering non-numeric values, such as abcd, in this field.
For the Length field, the generic technology connector framework automatically replaces a non-numeric value that you enter with the default numeric value, which is 20.
This section describes the following known issues related to the Multilanguage Support feature:
Summary:
You are not allowed to specify a name containing non-ASCII characters for a generic technology connector.
Description:
Most of the connector objects that are automatically created at the end of the connector creation process have the same name as the generic technology connector. In the Oracle Identity Manager database, there is no provision for storing these objects with names in non-ASCII characters. Therefore, an error message is displayed if you enter non-ASCII characters while specifying the name of a generic technology connector.
This point has also been discussed in the "Names of Generic Technology Connectors and Connector Objects" section.
Summary:
No warning is displayed if there are non-ASCII characters in the first or second line of the data files in the staging directory.
Description:
There is no support for non-ASCII data in the metadata of target system identity data. In the case of the CSV Format provider, this limitation means that you cannot include non-ASCII characters in the metadata line (second line) of the parent and child data files that you store in the staging directory.
The reason for this limitation is as follows:
The generic technology connector framework creates User Defined process forms in Oracle Identity Manager and names the forms and their fields on the basis of the input metadata. In addition, database tables and columns are created for these forms and their fields, respectively. Because non-ASCII characters cannot be used in database object names, these characters are not supported in the target system metadata.
The generic technology connector framework may be able to parse and correctly display non-ASCII characters in the first and second lines of the data files. However, to ensure that the Oracle Identity Manager data objects of the generic technology connector are created correctly, you must ensure that non-ASCII characters are not used in the first and second lines of the data files.
Note:
From the third line onward in the data files, the field data values can contain non-ASCII characters. These data values are correctly reconciled and stored in the Oracle Identity Manager database.
Summary:
For any language that Oracle Identity Manager supports, if the browser language setting does not match the operating system language setting, then data is not displayed correctly on the Modify Connector Configuration screen.
Description:
The Modify Connector Configuration screen displays an image that is dynamically created by the generic technology connector framework. The following are limitations related to the display of localized text items on this screen:
The language in which you want field names to be displayed must match the following language settings:
Oracle Identity Manager language
Operating system language
Browser language
If the browser language is the same as the operating system language, then all the text items (field names and GUI element labels) are displayed in the required language.
Note:
If you are using the Traditional Chinese or Simplified Chinese language, then the browser locale (language and country/region) must be the same as the operating system locale (language and country/region) for all the text items to be displayed in the required language.
If the browser language is not the same as the operating system language, then the following static labels would be displayed in English (regardless of the browser language):
Labels of the User and Account data sets, "User" and "Account"
Labels of the fields that constitute the User data set:
"User ID"
"Email"
"First Name"
"Last Name"
For non-ASCII languages, labels for the remaining items on this screen would not be displayed correctly.
Summary:
Certain text items displayed on screens associated with using generic technology connectors are always displayed in English.
Description:
For this release, some of the static text displayed on the screens associated with using a generic technology connector has not been localized. For example, suppose you create a generic technology connector named MyGTC. When you provision the resource object of this connector to a user, the following text is displayed on the screen:
"Provisioning form for MyGTC
Child Form of MyGTC representing child-dataset: child_data_set_name"
In this release of Oracle Identity Manager, the static part of this text is always displayed in English.
If required, you can localize the static text as follows:
For the language to which you want to localize the text, open the corresponding customResources.properties file. The files for all the languages that Oracle Identity Manager supports are inside the OIM_home\xellerate\customResources directory.
In the customResources.properties file for the required language, add the following lines:
global.UD_PARENT_FORM_NAME.description=Localized_text_for_"Provisioning form for" GTC_name
global.UD_CHILD_FORM_NAME.description=Localized_text_for_"Child Form of" GTC_name Localized_text_for_"representing the child data set": child_data_set_name
In these two lines, replace:
PARENT_FORM_NAME with the name of the parent form
The parent form name is always converted to uppercase letters in Oracle Identity Manager. Therefore, the name that you enter must be in uppercase letters.
Localized_text_for_"Provisioning form for" with localized text for the words "Provisioning form for"
GTC_name with the name of the generic technology connector
CHILD_FORM_NAME with the name of the child form
The child form name is always converted to uppercase letters in Oracle Identity Manager. Therefore, the name that you enter must be in uppercase letters.
Localized_text_for_"Child Form of" with localized text for the words "Child Form of"
child_data_set_name with the name of the child data set
The following example illustrates this procedure.
Suppose you specify the following values while creating a generic technology connector:
Connector Name: MyGTC
Parent Form name: ADUser
Child data set name: ADUserRole
Child form name: ADURole1
If you want the static text to be displayed in the Spanish language, then:
Open the customResources_es.properties file for the Spanish language. This file is inside the OIM_home\xellerate\customResources directory.
In the customResources.properties file, add the following lines:
global.UD_ADUSER.description=Spanish_text_for_"Provisioning form for" MyGTC
global.UD_ADUROLE1.description=Spanish_text_for_"Child Form of" MyGTC Spanish_text_for_"representing the child data set": ADUserRole
This section describes the following known issues related to the connector objects that are automatically created by the generic technology connector framework:
Summary:
No warning is displayed if the name that you specify for a generic technology connector is the same as the name of an existing connector object.
No warning is displayed if an existing connector object is overwritten by a new connector object when you import a connector XML file.
Description:
During the creation or modification of a generic technology connector, various objects are automatically created or modified by the generic technology connector framework. You are prompted to specify names for the generic technology connector and process forms. The framework automatically generates names for the remaining objects. These autogenerated names are based on the name that you specify for the generic technology connector.
When you specify a name for the generic technology connector, you must ensure that the name is unique across all object categories (such as resource objects and IT resources) for that Oracle Identity Manager installation. Similarly, you must also ensure that the process form names are unique. This guideline must be followed even while importing a generic technology connector XML configuration file to a different Oracle Identity Manager installation. You must ensure that the names of objects defined in the XML file are not the same as the names of objects belonging to the same category on the destination Oracle Identity Manager installation. The scope of this guideline covers all connector objects, regardless of whether the object is used by an application-specific connector or a generic technology connector on the destination Oracle Identity Manager installation.
If you do not follow this guideline, then existing objects that have the same name as imported objects would be overwritten during the XML file import operation. No message is displayed during the overwrite process, and the process leads to eventual failure of the affected connector.
This point has also been discussed in the "Names of Generic Technology Connectors and Connector Objects" section.
Summary:
A generic technology connector might not work if you use the Design Console to modify connector objects created by the generic technology connector framework.
Description:
The Design Console provides features that enable you to modify connector objects. In general, these features are meant for use with application-specific connectors. For most scenarios, you do not need to modify the connector objects that are automatically created by the generic technology connector framework. If you modify connector objects outside the generic technology connector framework, then the generic technology connector might not work.
Summary:
Connector objects that are automatically created are not deleted even if the generic technology connector creation process fails.
Description:
Certain connector objects may be created even if the overall creation process fails and an error message to this effect is displayed on the Step 4: Verify Connector Creation Information screen. If such an event occurs, then it is recommended that you contact Oracle Support and send them a description of the error message and the server logs.
Summary:
The resource object created automatically for a reconciliation-only generic technology connector cannot be used for provisioning.
Description:
Suppose you select only the Reconciliation option while creating a generic technology connector. At the end of the creation process, a resource object is one of the objects created automatically for this generic technology connector. However, you cannot provision this resource object to any user because a generic adapter is not created for a reconciliation-only generic technology connector.
This section describes the following known issues that do not fall under any of the preceding categories:
This release of the generic technology connector does not support trusted source reconciliation.
You can modify only one connector at a time. If you try to use the Modify screens for two different connectors at the same time on the same computer, then the Modify features would not work correctly.
Summary:
The display of the Create End-to-End Mapping check box is of no significance if you are adding a field in the data set category that is at the right end of the Modify Connector Configuration screen.
Description:
As described in the "Adding Fields to Data Sets" section, you select the Create End-to-End Mapping check box if you want the same field to be part of the corresponding data sets of all the categories that are displayed to the right of the current category. However, this check box is also displayed when you add a field to a data set in a category that does not have any categories to its right. For example, this check box would be displayed on the screen for adding a field to the Provisioning Staging category data set, although there are no data set categories to the right of the Provisioning Staging category.
There are limitations related to creating mappings across the following data set categories:
Source category and Reconciliation Staging category
OIM category and Provisioning Staging category
These limitations are as follows:
You cannot create a mapping between one child data set of the source category and a different child data set of the destination category.
The following example illustrates this limitation:
Suppose the Source category contains the following child data sets:
MyGTC:Group data set
Field 1: Group Name
Field 2: Group Type
MyGTC:Role data set
Field 1: Role Name
Field 2: Role Type
Suppose the Reconciliation Staging category contains the following child data sets:
MyGTC:Group data set
Field 1: Group Name
Field 2: Group Type
MyGTC:Role data set
Field 1: Role Definition
According to this limitation, you cannot create a mapping between, for example, the Group Name field of the Source category and the Role Definition field of the Reconciliation Staging category.
You cannot create a mapping between a parent data set of the source category and a child data set of the destination category.
The following example illustrates this limitation:
Suppose the OIM category contains the following data set:
Account data set
Field 1: Name
Field 2: Address
Field 3: User ID
. . .
Suppose the Provisioning Category contains the following child data set:
Group data set
Field 1: Group Name
Field 2: Group Type
According to this limitation, you cannot create a mapping between, for example, the Name field of the Account data set and the Group Name field of the Group data set.
Summary:
If there is no data from the third line onward in the data files that you place in the staging directory, then an exception is thrown during reconciliation.
Description:
In the data files that you place in the staging directories, the actual target-system data that you want to reconcile must be placed from the third line onward. Suppose these data files only contain header and metadata information in the first and second line, respectively. During reconciliation, an exception is thrown and the results of a stack trace are displayed on the screen.
When this happens, you must retry reconciliation after ensuring that there is data from the third line onward in the data files.
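Several of the issues in this chapter concern the contents of the staging and archiving directories (identical paths, files overwritten in the archive, an empty staging directory, non-ASCII characters in the first two lines, and no data from the third line onward) and can be caught before a reconciliation run. The following preflight check is an added example, not part of the product: the function names, finding codes and sample file contents are constructed, and only the file names are taken from the example in this chapter.

```python
import os
import tempfile
from pathlib import Path


def same_directory(a: Path, b: Path) -> bool:
    """Compare resolved paths so symlinks, '..' and (on Windows) letter case
    do not hide the fact that both settings point at one directory."""
    return (os.path.normcase(os.path.realpath(a))
            == os.path.normcase(os.path.realpath(b)))


def check_data_file(path: Path) -> list:
    """Line 1 (header) and line 2 (metadata) must be ASCII only, and there
    must be data from line 3 onward. Non-ASCII data values are allowed."""
    findings = []
    lines = path.read_bytes().splitlines()
    for number, label in ((1, "header"), (2, "metadata")):
        if len(lines) < number:
            findings.append(("MISSING_LINE", f"{path.name}: no {label} line"))
        elif not lines[number - 1].isascii():
            # A UTF-8 byte order mark on line 1 is reported here as well.
            findings.append(("NON_ASCII", f"{path.name}: {label} line {number}"))
    if not any(line.strip() for line in lines[2:]):
        findings.append(("NO_DATA", f"{path.name}: nothing from line 3 onward"))
    return findings


def preflight(staging, archiving) -> list:
    """Return (code, detail) findings for one staging/archiving pair."""
    staging, archiving = Path(staging), Path(archiving)
    findings = []
    same = same_directory(staging, archiving)
    if same:
        findings.append(("SAME_DIR", "staging and archiving are one directory"))
    data_files = sorted(p for p in staging.iterdir() if p.is_file())
    if not data_files:
        findings.append(("EMPTY_STAGING", "no data files in staging directory"))
    archived = set()
    if archiving.is_dir() and not same:
        archived = {os.path.normcase(p.name)
                    for p in archiving.iterdir() if p.is_file()}
    for path in data_files:
        if os.path.normcase(path.name) in archived:
            findings.append(("OVERWRITE", f"{path.name}: name exists in archive"))
        findings.extend(check_data_file(path))
    return findings


def run_demo() -> list:
    """Build constructed sample directories and run the preflight check."""
    good = "# constructed header\nUser ID,First Name\njdoe,José\n"
    with tempfile.TemporaryDirectory() as root:
        staging, archiving = Path(root, "staging"), Path(root, "archive")
        staging.mkdir()
        archiving.mkdir()
        for name in ("usrdataParentData.csv", "usrdataRoleData.csv",
                     "usrdataGroupMembershipData.txt"):
            (archiving / name).write_text(good, encoding="utf-8")
        # Same name as an archived file: would overwrite it after the run.
        (staging / "usrdataParentData.csv").write_text(good, encoding="utf-8")
        # Header and metadata only: reconciliation would throw an exception.
        (staging / "usrdataRoleData_04Feb07.csv").write_text(
            "# constructed header\nRole Name\n", encoding="utf-8")
        # Non-ASCII characters in the metadata line.
        (staging / "usrdataGroupMembershipData_04Feb07.txt").write_text(
            "# constructed header\nGruppe,Größe\nadmins,3\n", encoding="utf-8")
        return preflight(staging, archiving)


if __name__ == "__main__":
    for code, detail in run_demo():
        print(f"{code:14} {detail}")
```
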
Summary:
An error message is displayed on the Edit page for a resource object if you enter special characters in any field displayed on that page.
Description:
Suppose you create a generic technology connector. While provisioning the resource object of the generic technology connector to a newly created user, you need to use the Resource Profile page of the Administrative and User Console. On this page, suppose you select a child form from the Additional Details list, enter a special character in any field of the Edit page, and then click Add. The following message is displayed, because the framework does not support the entry of special characters in any of these fields:
"The page cannot be displayed."
Note:
Special characters are characters such as the number sign (#) and equal sign (=).
Summary:
Changes made in the field values of the OIM User form are not automatically propagated to corresponding fields of the provisioning process form.
Description:
Suppose you create a mapping between the First Name field of the User data set and the Name field of the Provisioning data set. At the end of the generic technology connector creation process, a link is set up between the First Name field of the OIM User form and the Name field of the process form.
However, when you make changes in the First Name field of the OIM User form, these changes are not automatically propagated to the Name field of the process form for existing user accounts. User accounts created after the change in the field value are correctly updated.
This issue will be fixed in a future release of Oracle Identity Manager. For the current release, you must manually make changes in both forms at the same time.
Summary:
The deletion of a child record from an existing parent-child pair of records is not reconciled.
Description:
Consider the following scenario:
You have selected the Full Reconciliation feature while creating a generic technology connector. During the first reconciliation run, a parent data record with its child data record is reconciled. Before the next reconciliation run, the child record is deleted from the target system. During the next reconciliation run, this deletion of the child record is not reconciled because the required reconciliation event is not created.
This issue will be fixed in a future release of Oracle Identity Manager.
Scheduled tasks that are not currently running have the INACTIVE status. These tasks run at the next specified date and time. Under certain conditions, a scheduled task is automatically assigned the NONE status. However, this status change does not affect the functionality of the task, which continues to run at the specified date and time.
Summary:
While a generic adapter is in the RECOMPILE state, a system error occurs if you try to modify the process form for a resource object that has been provisioned to a user.
Description:
Consider the following scenario:
You create a generic technology connector and then assign the resource object of the generic technology connector to a user. Next, you modify the generic technology connector, but you do not recompile the generic adapter after modifying the generic technology connector. Now, you modify the process form for the generic technology connector. When you try to save the changes that you make to the process form, a system error occurs.
This issue will be fixed in a future release of Oracle Identity Manager.