| Oracle® Identity Manager Design Console Guide Release 9.0.3 Part Number B32453-01 |
|
|
View PDF |
| Oracle® Identity Manager Design Console Guide Release 9.0.3 Part Number B32453-01 |
|
|
View PDF |
This chapter describes managing users in Design Console. It contains the following topics:
The User Management folder provides System Administrators with tools to create and manage information about a company's organizations, users, user groups, requests, form templates, locations, process tasks, and reconciliation events.
This folder contains the following forms:
Organizational Defaults: Use this form to view records that reflect the internal structure of your organization and to designate information related to these entities.
Policy History: Use this form to view user records that your employees require.
Group Entitlements: Use this form to view records for groups of users to whom you may assign some common functionality.
Administrative Queues: Use this form to create and manage mass-assignment privileges for user groups for other Design Console forms.
Reconciliation Manager: Use this form to manage reconciliation events in Oracle Identity Manager.
The Organizational Defaults form appears in the User Management folder. You use this form to view records that reflect the structure of your organization and to enter and modify information related to organizational entities. An organization record contains information about an organizational unit in an enterprise hierarchy, for example, a company, department, or branch. A sub-organization is an organization that is a member of another organization, for example, a department in a company. The organization that the sub-organization belongs to is referred to as a parent organization.
You use the Organizational Defaults tab to specify default values for parameters on the custom process form for resources that can be provisioned for the current organization. Each process form is associated with a resource object that is allowed for the organization, or with a resource that has the Allow All check box on the associated Resource Objects form selected.
The values that you provide in the Process Defaults tab become the default values for all users in the organization.
Figure 5-1 illustrates the Organizational Defaults form.
Figure 5-1 The Organizational Defaults Form
The following table describes the data fields of the Organizational Default form.
| Field Name | Description |
|---|---|
| Organization Name | Name of the organization. |
| Type | The classification type of the organization, for example, Company, Department, Branch. |
| Status | The current status of the organization (Active, Disabled, or Deleted). |
| Parent Organization | The organization that this organization belongs to. If a parent organization appears in this field, this organization appears on the Sub Organizations tab for the parent organization. If this field is empty, this organization is a top-level organization. |
You use the Policy History form to view information about the resources that are allowed or disallowed for a user.
There are two types of users in Oracle Identity Manager:
End-User Administrators: This type of user can access the Design Console and the Administrative and User Console. The System Administrator sets permissions to enable End-User Administrators to access a subset of the forms in the Design Console.
End-Users: This type of user can access only the Administrative and User Console and generally have fewer permissions than End-User Administrators. Only resource objects that are defined as self-service on the Objects Allowed tab of the user's organization are available for provisioning requests using the Administrative and User Console.
Figure 5-2 illustrates this form.
The following table describes the data fields of the Policy History form.
| Field Name | Description |
|---|---|
| User ID | The user's Oracle Identity Manager login ID. |
| First Name | The user's first name. |
| Middle Name | The user's middle name. |
| Last Name | The user's last name. |
| The user's e-mail address. | |
| Start Date | The date on which the user's account will be activated. |
| Status | The current status of the user (Active, Disabled, or Deleted). |
| Organization | The organization to which the user belongs. |
| User Type | The user's classification status. Valid options are End-User and End-User Administrator. Only End-User Administrators have access to Design Console. |
| Employee Type | The employment status of the user at the parent organization (for example, Full-Time, Part-Time, Intern, and so on). |
| Manager ID | The user's manager. |
| End Date | The date on which the user's account will be deactivated. |
| Created on | The date and time when the user record was created. |
Use this tab to view resource objects that are allowed or disallowed for a user, based on the following:
Access policies for the user group that the user belongs to
Resource objects that are allowed by the organization that the user belongs to
The Policy History tab contains a Display Selection region. To organize the contents of this tab, go to the uppermost box in this region and select an item from one of its menus, as follows:
Resource Policy Summary: Displays resource objects that are allowed or disallowed based on the user's organization and applicable access policies.
Not Allowed by Org: Displays only resource objects that are disallowed, based on the user's organization.
Resources by Policy: Displays a second box that contains the access policies for the user groups that the user is a member of.
Select an access policy from this box to display the resource objects that are allowed or disallowed for the user, based on this access policy.
A tracking system enables you to view resources that are allowed or disallowed for a user, based on the organizations the user is a member of and the access policies that apply to the user.
The resource objects that are allowed for the user appear in the Resources Allowed list. This list represents resource objects that can be provisioned for the user. It does not represent the resource objects that are provisioned for the user.
The resource objects that are disallowed for the user appear in the Resources Not Allowed list.
To view this tracking system:
Go to the Policy History tab.
Find the Display Selection region on this tab.
Click the Policy History button.
The User Policy Profile History window appears.
From this window, you can view resources that are allowed or disallowed for a user for the date and time you selected as follows:
From the History Date box, you can select the desired date.
From the Display Type box, you can display resources that are allowed or disallowed based on the organizations the user is a member of, the access policies that apply to the user, or both.
From the Policy box, you can display the access policy that determines what resource objects are allowed or disallowed for the user.
The Group Entitlements form appears in the User Management folder. You use it to create and move forms, and to designate the forms and folders that members of a user group can access through the Explorer.
To work with the Group Entitlements form:
Open the Group Entitlements form.
The User Group Information dialog box appears.
In the Group Name field, enter the name of the user group.
Click Assign.
The User Form Assignment lookup table appears.
From the lookup table, select the user form for this user group.
Use the Arrow button(s) to either add or delete from the Assigned Forms list.
Click OK when you are done.
The User Group Information dialog box appears.
The newly added user forms are listed in a Group Entitlement table. The Group Entitlement Table displays all available user groups. This table shows the name of the user form and the type. In the previous example, there are two types, javaform and folder. A javaform is a Java-based, graphical interface. A folder is a container of one or many javaforms.
Oracle Identity Manager provides four default user group definitions:
System Administrators
Operators
All Users
Self Operators
You can modify the permissions associated with these user groups, and you can create additional user groups.
Members of the System Administrators user group have full permission to create, edit, and delete records in Oracle Identity Manager, except for system records.
Members of the Operators user group can view Organizational Defaults and Policy History forms, and can perform limited functions with these forms.
Members of the All Users user group have minimal permissions including but not limited to the ability to access one's own user record. By default, each user automatically belongs to the All Users user group.
A user cannot be removed from the All Users group.
The Self Operators group is added to Oracle Identity Manager by default. This user group contains one user, XELSELFREG, who is responsible for modifying the privileges that users have when performing self-registration actions in the Oracle Identity Manager Administrative and User Console.
Important:
Do not modify the permissions associated with the Self Operators user group or assign any users to this group.You assign groups of users to manage a provisioning request using an entity called a queue. A queue is a collection of group definitions. Queues can be nested within other queues.
You use the Administrative Queues form to create and manage administrative queues. You assign queues to requests from the Queues tab on the Requests form.
Administrative queues increase the efficiency and manageability of requests. By using an administrative queue, you can accomplish the same goal with only a few mouse clicks. A queue that you assign to one request can be reused for other requests.
A request can specify different administrative privileges for each group in the queue. For example, suppose that you assign a queue with three user groups to a request. The members of the three groups can each have different administrative privileges for the request. The first user group can be allowed to read, modify, and delete the request. The second user group can be allowed to read and modify only, while the third user group can only be able to read and delete the request.
The Administrative Queues form is illustrated in Figure 5-3. This form appears in the User Management folder.
Figure 5-3 The Administrative Queues Form
The following table describes the fields of the Administrative Queues form.
| Field Name | Description |
|---|---|
| Queue Name | The name of the administrative queue. |
| Parent Queue | The queue to which this administrative queue belongs. |
| Description | Explanatory information about the administrative queue. |
You can create parent queues and nested queues. The following procedure describes how to create an administrative queue.
To create an administrative queue:
Open the Administrative Queue form.
In the Queue Name field, enter the name of the queue.
Double-click the Parent Queue lookup field.
From the lookup dialog box, select the queue that this queue is a member of. If the queue does not belong to another queue (it is a parent queue), proceed to the next step.
In the Description field, enter information about the queue.
Click Save.
After you launch the Administrative Queues form and create a queue, the tabs on this form become functional.
The Administrative Queues form contains the following tabs:
You use the Members tab to add user groups to, and delete user groups from, the current administrative queue. The Members tab is illustrated in Figure 5-4.
Figure 5-4 The Members Tab of the Administrative Queues Form
In Figure 5-4, the User Groups Permissions for Requests queue is configured as follows:
The SYSTEM ADMINISTRATORS user group can read, modify, and delete information in the request.
The OPERATORS user group can read and modify information in the request. The Delete Access check box is cleared, so this user group cannot delete the request.
The Senior Management Staff user group can delete the request. The Write Access check box is cleared, so this user group cannot modify information in the request.
To assign a user group to a queue:
Click Assign.
The Assignment dialog box appears.
Select the user group, and assign it to the administrative queue.
Click OK.
The user group appears in the Members tab.
Select the Write Access check box to enable a user group to create and modify information in the requests that the administrative queue is assigned to.
Otherwise, proceed to Step 5.
Select the Delete Access check box to enable the user group to delete requests that the administrative queue is assigned to.
Otherwise, proceed to Step 6.
Click Save.
The user group is assigned to the administrative queue.
Note:
By default, groups listed on the Members tab have read privileges for the requests that the queue is assigned to.Remove a user group from the administrative queue when that user group can no longer read, modify, or delete information on requests that queue is assigned to.
To remove a user group to an administrative queue:
Select the user group that you want to remove.
Click Delete.
The user group is removed from the administrative queue.
You use this tab to select the user groups that can read, modify, and delete the current administrative queue, as illustrated in Figure 5-5.
Figure 5-5 The Administrators Tab of the Administrative Queues Form
In Figure 5-5, both the Write Access and Delete Access check boxes are selected for the SYSTEM ADMINISTRATORS user group. This allows the user group to read, modify, and delete the User Groups Permissions for Requests administrative queue.
Adding a user group as to an administrative queue gives the group members administrative privileges.
To add a user group to an administrative queue:
Click Assign.
The Assignment dialog box appears.
Select the user group, and assign it to the administrative queue.
Click OK.
The user group appears in the Administrators tab.
Select the Write Access check box to enable the associated user group to read and modify the current administrative queue.
Otherwise, proceed to Step 5.
Select the Delete check box to enable the associated user group to delete the current administrative queue.
Otherwise, proceed to Step 6.
Click Save.
The user group is now an administrative group in the administrative queue.
You should remove a user group from an administrative queue when the user group can no longer read, modify, or delete the current administrative queue.
To remove an administrator user group from an administrative queue:
Select the user group that you want to remove.
Click Delete.
The administrator user group is removed from the administrative queue.
This form is located in the User Management folder. It enables you to view, analyze, correct, link, and manage information in reconciliation events received from target resources and trusted source. A designated person can manually analyze and link information in reconciliation events, or analysis and linking can be performed automatically by Oracle Identity Manager based on action rules you have defined. These rules are based on whether an event is associated with an existing record, if it represents a new account, or if it can allow the linking of the information in the event to be manually initiated.The reconciliation classes that you define periodically poll your target resources and trusted source. Any changes on these systems generate reconciliation events that are written to the Reconciliation Manager. Oracle Identity Manager analyzes event information according to mappings defined in a relevant provisioning process.
Figure 5-6 illustrates the Reconciliation Form.
Figure 5-6 The Reconciliation Manager Form
Note:
You can use Design Console Task Scheduler form to define a schedule and set timing parameters to govern how often a reconciliation class is run, or to use a third-party scheduling tool to set the polling frequency.The Reconciliation Manager form works as follows:
If the information in the event relates to an existing user or organization record, you can use this form to manually link the data in the event to the record.
Or, you can review information that was automatically linked to the user or organization.
If the event represents creation of a new employee on a trusted source (user discovery) or provisioning of an existing employee with a new resource (account discovery), you can use this form to manually update Oracle Identity Manager with new data.
Or, you can review information that was automatically linked to a user. For trusted sources, the data in the event is used to create a new user account. For target resources, the data in the event is used to populate the relevant resource-specific process form.
If the event represents creation of a new organization on a trusted source (organization discovery) or provisioning of an existing organization with a new resource (account discovery), you can use the form to manually update Oracle Identity Manager with the new data.
Or, you can use the form to review the information that was automatically linked to a organization.
If the event represents deletion of an account on a target system or trusted source, this form can be used to instruct Oracle Identity Manager to delete a particular account or to review an account that was automatically deleted.
For trusted sources, this deletes the user's Oracle Identity Manager account and revokes all accounts with which that user may have been provisioned on any target resources.
For target resources, Oracle Identity Manager recognizes that the user's account on that system has been revoked.
The upper portion of the Reconciliation Manager form contains the following items:
| Field Name | Description |
|---|---|
| Event ID | The numeric ID of the reconciliation event. |
| Delete Event (Yes/No flag) | This display-only field indicates if this is a delete event, that is, the corresponding record has been deleted from the target resource or the trusted source. A value of Yes indicates a delete event.
If this event is associated with a user account on a target resource, the account is marked as revoked. If the event is associated with a user account, the account is deleted. Note: This field is set by Oracle Identity Manager. |
| Object Name | The target resource or trusted source that is associated with this reconciliation event. For trusted sources, this is the user. |
| For User/For Organization | Designates if the event for a resource object is associated with a user or organization record. |
| Status | The current status of the reconciliation event:
|
| Event Date | The date and time that this event was received. |
| Assigned to User | The user to whom this event has been assigned. |
| Assigned to Group | The user group to which this event has been assigned. |
| Linked To (region) | The fields in this section of the form are described below. |
| User Login | The Oracle Identity Manager ID of the user record to which the event is linked. |
| Organization Name | The Oracle Identity Manager ID of the organization record that the event is linked to. If you are conducting organization discovery with a trusted source, it is recommended that this be done prior to performing user discovery, since every user record in Oracle Identity Manager must be associated with an organization record. |
| Process Instance Key | Numeric instance of the provisioning process that is linked to the event. |
| Process Descriptive Data | Instance-specific descriptive data for the provisioning process that is defined in the Map Descriptive Field pop-up window in the Process Definition form. |
| Close Event | This button closes the reconciliation event. If the event is closed, no additional matching attempts or linking can be performed on it. |
| Re-apply Matching Rules | This button reapplies the reconciliation matching rules. This includes both process data and user- or organization-matching rules that are associated with the resource object. If Oracle Identity Manager is not generating satisfactory matches, you can amend and re-apply the resource's reconciliation matching rules, or you can amend the mappings for the provisioning process. Re-applying these rules after editing them may cause different records to appear on the Processes Matched, Matched Users or Matched Organizations tabs. Reconciliation rules are only applied to target resource reconciliation events when no provisioning process matches are generated, since the process matches are considered to be of better quality and more likely to be accurate. |
| Create Organization (Only available on events related to the trusted source) | You use this button to create an organization record in Oracle Identity Manager based on the information in the reconciliation event. Only click this button when you are certain that the reconciliation event represents the creation of a new organization on the trusted source. |
| Create User (Only available on events related to the trusted source) | You use this button to create a user record in Oracle Identity Manager based on the information in the reconciliation event. Only click this button when you are certain that the reconciliation event represents the creation of a new user on the trusted source. |
The following procedure describes how to view and manage reconciliation events.
Note:
Depending on how you define your reconciliation action rules, Oracle Identity Manager can automatically link data in a reconciliation event to a user or organization record when only one match is found or when no matches are found for the trusted source.To view and manage reconciliation events:
Access the Reconciliation Manager form.
Use the query feature to locate the desired reconciliation event.
You can also query reconciliation events by their associated resource in the Object Name field or status in the Status field.
If you are querying a deleted event, that is, the corresponding record was deleted from the target resource or the trusted source, the Yes option for the Delete Event flag is selected. Otherwise, the No option is selected.
After locating the desired reconciliation event, use the tabs of this form to:
Correct any unprocessed data.
Browse and link to matching provisioning process form instances, or user or organization record candidates.
View the audit history of the event.
The information on each tab is described in the Tabs on the Reconciliation Manager form section. When evaluating the matches that Oracle Identity Manager has generated you can do the following:
Link the reconciliation event to a particular provisioning process, user or organization: This assumes that the event is associated with an existing user or organization record.
To do this, click the Link button on the applicable tab. Or, you may have defined rules that instruct Oracle Identity Manager to automatically link the data when only a single match is found.
For user-based reconciliation with the trusted source: Create a new user in Oracle Identity Manager if the event represents the creation of a new user on the trusted source.
To do this, click the Create User button. Or, you may have defined action rules that instruct Oracle Identity Manager to automatically create the user when no match is found.
For organization-based reconciliation with the trusted source: Create a new organization in Oracle Identity Manager if the event represents the creation of a new organization on the trusted source.
To do this, click the Create Organization button. Or, you may have defined action rules that instruct Oracle Identity Manager to automatically create the organization when no match is found.
Refine the reconciliation rules: These are rules associated with this resource. Then re-apply the rule to generate more accurate matches.
To do this, refine the applicable reconciliation rule, save it, then click the Re-apply Matching Rules button.
Note:
If you refine a reconciliation rule and reapply it or choose to create or link a user or provisioning process or organization, these actions are logged in the Reconciliation Event History tab. To view a log of the actions that have been performed on the reconciliation event, click the Reconciliation Event History tab.After locating the reconciliation event that you want to examine, you can use tabs to do the following:
View any processed or unprocessed data in the event
View provisioning process, user, or organization matches that were generated
Link the event to the appropriate record or create a new user
The data on this tab appears under one of two branches: Processed Data and Unprocessed Data.
The fields in the Processed Data branch are defined on the Reconciliation Fields tab of the associated resource. In the reconciliation event, these fields have been successfully processed, for example, they have not violated any data type requirements. For each successfully processed field, the following is provided:
Name of the field as defined on the Reconciliation Fields tab of the associated resource, for example, field1.
Data type associated with the field that was reconciled, for example, string. Possible values are Multi-Valued, String, Number, Date, IT resource.
Value of the field that was received in the reconciliation event, for example, Newark. This may be one of several values that changed on the target resource or trusted source and initiated the reconciliation event.
An example of a processed data field might appears as follows:
Location [String] = Newark
Note:
If a field is of type multi-value (only allowed for target resources, not trusted sources), it will not have a value. Instead, its component fields (contained in its sub-branch) will each have their own values.The fields listed in the Unprocessed Data branch are reconciliation event items that could not be processed. For example, these can be items that were not defined or that conflicted with the data type set on the Reconciliation Fields tab of the associated resource. For each unprocessed field, the following information appears:
Name of the field, for example, user_securityid.
Value of the field that was received in the reconciliation event, for example, capital. This may be one of several values that changed on the target resource or trusted source and initiated the reconciliation event.
Reason why the data received from the target system was unable to be automatically processed, for example, <Not Numeric>. One of the following reason codes appears next to the unprocessed field:
| Error code | Reason generated |
|---|---|
| NOT MULTI-VALUED ATTRIBUTE | The field value is a multi-valued attribute. Only the component fields of a multi-value attribute, not the multi-value field itself, can accept values. |
| NOT NUMERIC | A numeric field value was non-numeric. |
| DATE PARSE FAILED | The system failed to recognize the value of a date field as a valid date. |
| SERVER NOT FOUND | The value for a field of type IT Resource was not recognized as the name of an existing IT Resource instance. |
| FIELD NOT FOUND | The name of the field in the event has not been defined on the resource. |
| PARENT DATA LINK MISSING | The parent data field (of type multi-value) is not yet linked to a reconciliation field. As a result, this component field cannot be linked to a child reconciliation field. |
| FIELD LINKAGE MISSING | The corresponding reconciliation field is not defined on the Reconciliation Fields tab of the associated resource. |
| ATTRIBUTE LINKAGE MISSING | This applies only to fields of type multi-value. One or more of the multi-value field's component (child) fields' data is not linked to reconciliation fields. |
| TABLE ATTRIBUTE LINKAGE MISSING | This applies only to fields of type multi-value. Some of the component (child) fields of type Multi-Valued Attribute are not linked to a reconciliation field of type Multi-Valued Attribute. |
The name of the resource field that this event field was mapped to, if the unprocessed field is successfully mapped to a resource field.
An example of an unprocessed data field might appears as follows:
user_securityid = capital <Not Numeric>
Note:
Oracle Identity Manager does not attempt to match processes for target resources, or users or organizations for trusted sources, until all fields that were set as required on the Reconciliation Fields tab of the associated resource are successfully processed.Use the following procedure to correct or map unprocessed fields in the reconciliation event to the relevant fields as defined on the applicable resource.
To map or correct unprocessed fields:
Double-click the unprocessed field.
For a multi-value field, you may need to map it to the appropriate child process form or check the individual component field.
For multi-value fields, double-click and correct the component fields.
The Edit Reconciliation Field Data dialog box appears.
Note:
To map an unprocessed multi-valued component field to one of the multi-valued fields defined on the Reconciliation Fields tab of the associated resource, double-click the Linked to field, select the desired field and click OK. Then click Save and close the Edit Reconciliation Field Data dialog box.To map the unprocessed field to one of the fields defined on the Reconciliation Fields tab of the associated resource, double-click the Linked To field, select the desired field, click OK, click Save, and close the Edit Reconciliation Field Data dialog box.
To correct the value of the unprocessed field, enter the correct value in the Corrected Value field, click Save and close the Edit Reconciliation Field Data dialog box.
If the field's data is successfully processed, the entry in the Unprocessed Data branch is updated to reflect the field to which it was linked. A new entry for the field is added to the Processed Data branch.
After the required data elements (on the Object Reconciliation tab of the applicable resource definition) in the reconciliation event are marked as processed on the Reconciliation Data tab, Oracle Identity Manager displays the following:
For trusted sources:
All user or organization records that match the relevant data in the reconciliation event, as specified in the logic of all applicable user or organization-matching reconciliation rules that are associated with the resource. These candidates represent accounts on the trusted source for which a potential owner was found in Oracle Identity Manager (user update) based on the application of user-matching rules. If no matches are found, the reconciliation event represents the creation of a new user account on the trusted source (that is, user creation).
For target resources:
All provisioning process form instances where the values of all key fields (as set on the Reconciliation Field Mappings tab of the applicable process definition) match the values for all key fields in the reconciliation event. This represents an account in the target system for which a possible matching account was found in Oracle Identity Manager (account update).
If no processes instances match these values, Oracle Identity Manager evaluates the applicable user- or organization-matching reconciliation rules and displays users or organizations that match data in the reconciliation event. These matches represent accounts on the target system for which the reconciliation engine did not find a matching account record in Oracle Identity Manager, that is, Oracle Identity Manager is not aware that the user was provisioned with an account on that system, but did find potential owners of the account (account creation). If more than one matching candidate is found, you will usually want an administrator to examine the records and decide which Oracle Identity Manager account to link it to. If no matches are found, there may be a mismatch between the data in your trusted source and the target application. This event may represent a rogue account on the target system or an existing employee was provisioned with a new account on the target system. However, Oracle Identity Manager is unable to decide which user that account is associated with.
After all required fields defined on the Reconciliation Fields tab of the associated resource have been processed, the tab displays all provisioning process form instances where the values of all key fields match the values for all key fields in the reconciliation event.
Note:
This only occurs for reconciliation events that are associated with target resources. Since the trusted source is linked to the user resource or Organization and its provisioning process, it cannot have a custom process form. As a result, it cannot possess the matches required to populate this tab. For trusted sources, after all required fields are processed, Oracle Identity Manager proceeds immediately to evaluating the user or organization matching rules.For each matched provisioning process, the following is displayed:
The name of provisioning process associated with the process form instance that matched the values of the key fields in the reconciliation event, for example, windows2000_prov.
The numeric ID of the particular process instance, for example, 445.
The User ID, for example, jdoe, or Organization Name, for example, Finance, associated with this process instance. That is, the user who was provisioned with the resource by that instance of the provisioning process.
An example of a matched provisioning process might appear as follows:
Windows2000_prov [445] for User=jdoe
If no provisioning processes are listed on this tab, Oracle Identity Manager was unable to match any values in the key fields in the reconciliation event to any values for fields in process form instances associated with that resource. If this occurs, Oracle Identity Manager then attempts to apply any user- or organization-matching rules that are defined for the resource. If matches are found, they appear on the Matched Users or Matched Organizations tab.
To link a provisioning process instance to the reconciliation event:
After you have determined which provisioning process instance to link to the reconciliation event, select it and click Establish Link.
Oracle Identity Manager updates the relevant process form instance with the information in the reconciliation event according to the mappings defined on the relevant provisioning process.
It also inserts the Reconciliation Update Received task in that process.
This tab displays the user records that match the relevant data in the reconciliation event, as specified in the criteria of the resource's reconciliation rules.
For trusted sources, Oracle Identity Manager evaluates these rules and displays any matching user records as soon as all required fields (as defined on the Reconciliation Fields tab of the associated resource) are processed.
For a target resource, Oracle Identity Manager evaluates the rules and displays any matching user records only after all required fields (as defined on the Reconciliation Fields tab of the associated resource) are processed and no matches have been generated on the Processes Matched Tree tab.
For each matching record, Design Console displays the user's ID, first name, and last name.
Note:
If matching records are present on the Processes Matched Tree tab, no records appears on the Matched Users tab. The process matches are considered to be of better quality and more likely to be accurate.The following procedure describes how to link a user record to a reconciliation event.
Note:
The following procedure assumes a record exists. For trusted sources, if you determine that the reconciliation event represents the creation of a new user on the trusted source, click the Create User button. This creates a new user record using the information in the reconciliation event.To link a user record to a reconciliation event:
Determine the user to link to the reconciliation event, select it, and click Link.
If you click Link and the reconciliation event is for a target resource, then Oracle Identity Manager:
Creates an instance of the resource's provisioning process for the selected user, suppresses any adapters associated with the process' tasks, auto-completes the process, and inserts the Reconciliation Insert Received task.
Creates an instance of the resource's process form with the data from the reconciliation event according to the mappings defined on the provisioning process.
If you click Link and the reconciliation event is for a trusted source, then Oracle Identity Manager:
Updates the user record with the data from the reconciliation event according to the mappings defined on the user provisioning process.
Inserts the Reconciliation Insert Received task in the instance of the user provisioning process for the user record that the reconciliation event is linked to.
This tab displays Oracle Identity Manager organization records that match the data in the reconciliation event, as specified the resource's reconciliation rules.
For trusted sources, Oracle Identity Manager evaluates these rules and displays matching organization records as soon as all required fields (as defined on the Reconciliation Fields tab of the associated resource) are processed.
For target resources, Oracle Identity Manager evaluates these rules and displays matching organization records only after all required fields (as defined on the Reconciliation Fields tab of the associated resource) are processed and no matches have been generated on the Processes Matched Tree tab.
For each matching record, Oracle Identity Manager displays the User's ID, First Name, and Last Name.
Note:
If matching records are present on the Processes Matched Tree tab, no records appear on the Matched Organizations tab since the process matches are considered to be of better quality and more likely to be accurate.The following procedure describes how to link an organization record to a reconciliation event.
Note:
The following procedure assumes a record already exists. In the following procedure, for trusted sources, if you determine that the reconciliation event represents the creation of a new organization on the trusted source, click the Create Organization button. This creates a new organization record using the information in the reconciliation event.To link an organization record to a reconciliation event:
After you determine what organization to link to the reconciliation event, select it and click Link.
If the reconciliation event is for a target resource, Oracle Identity Manager does the following:
Creates an instance of the resource's provisioning process for the selected organization, suppresses any adapters associated with the process' tasks, automatically completes the process, and inserts the Reconciliation Insert Received task.
Creates an instance of the resource's process form with the data from the reconciliation event, according to the mappings defined on the provisioning process.
If the reconciliation event is for a trusted source, Oracle Identity Manager does the following:
Updates the organization record with the data from the reconciliation event, according to the mapping defined on the Oracle Identity Manager Organization provisioning process.
Inserts the Reconciliation Insert Received task in the existing instance of the Oracle Identity Manager Organization provisioning process for the organization record that the reconciliation event is linked to.
This tab displays a history of the actions performed on this reconciliation event. For each action, the date and time on which it took place is listed. Oracle Identity Manager tracks and logs the following reconciliation event actions:
Event Received: This action is logged when Oracle Identity Manager receives a reconciliation event.
Data Sorted: The action is logged when the data in a reconciliation event is sorted into processed and unprocessed fields.
Rules Reapplied: The action is logged when a user clicks the Re-apply Matching Rules button.
Processes Matched: The action is logged when one or more process form instances and their associated provisioning process have been matched to values of key fields in the reconciliation event.
Users Matched: The action is logged when one or more user records are matched with data in the reconciliation event using user-matching reconciliation rules.
Organization Matched: The action is logged when one or more Oracle Identity Manager organization records are matched with data in the reconciliation event using organization-matching reconciliation rules.
Linked to User: The action is logged when the data in the reconciliation event is linked to a particular user.
Linked to Organization: The action is logged when the data in the reconciliation event is linked to a particular organization.
