1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. The connector for Database User Management is used to integrate Oracle Identity Manager with various databases.

Note:

Oracle Identity Manager connectors were referred to as resource adapters prior to the acquisition of Thor Technologies by Oracle.

This chapter contains the following sections:

• Reconciliation Module

• Provisioning Module

• Supported Functionality

• Multilanguage Support

• Files and Directories That Comprise the Connector

• Determining the Release Number of the Connector

Reconciliation Module

Reconciliation involves duplicating in Oracle Identity Manager additions of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.

See Also:

The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Framework Guide for conceptual information about reconciliation configurations

The following table lists the target system attributes whose values are read from the database during reconciliation.

Field	IBM DB2 UDB	Microsoft SQL Server	Oracle Database	Sybase
Login	Yes	Yes	Yes	Yes
userType	Yes	-	-	-
Full Name	-	-	-	Yes
DefaultTablespace	-	-	Yes	-
dbName	Yes	-	-	-
Roles	-	Yes	Yes	Yes
schemaName	Yes	-	-	-
tableSpaceName	Yes	-	-	-
User	-	Yes	-	Yes
Group	-	-	-	Yes
Database	-	Yes	-	Yes

Reconciled Xellerate User Fields

The following target system fields are reconciled only if trusted source reconciliation is implemented:

• User ID

• First Name

• Last Name

• Organization

• User Type

• Employee Type

Provisioning Module

Provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager. You use the Administrative and User Console to perform provisioning operations.

See Also:

The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Framework Guide for conceptual information about provisioning

For this target system, the provisioning module is divided into the following sections:

• Database Access Entity: Login Provisioning

• Database Access Entity: User Provisioning

Database Access Entity: Login Provisioning

The following fields are provisioned.

Field	IBM DB2 UDB	Microsoft SQL Server	Oracle Database	Sybase
Login	Yes	Yes	Yes	Yes
Password	Yes	Yes	Yes	Yes
Default DB	-	-	-	Yes
Default Language	-	Yes	-	Yes
Full Name	-	-	-	Yes
Authentication Type	Yes	-	-	-
Tablespace	-	-	Yes	-
Datafile Size (in MB)	-	-	Yes	-
Default Role	-	-	-	Yes
DB2 Database	Yes	-	-	-
DB2 User Type	Yes	-	-	-
Role	-	-	Yes	Yes
Tablespace Name	Yes	-	-	-
Schema Name	Yes	-	-	-

Database Access Entity: User Provisioning

The following fields are provisioned.

Field	IBM DB2 UDB	Microsoft SQL Server	Oracle Database	Sybase
DB User	-	Yes	-	Yes
DB Name	-	Yes	-	Yes
DB Group	-	-	-	Yes
DB Parent Login	-	Yes	-	Yes
Authentication Type	-	Yes	-	-
Role	-	-	-	Yes

Supported Functionality

In Microsoft SQL Server and Sybase, database access entities can be divided into the following types:

• Login (parent)

• User (child)

Because the connector must provide user provisioning features in both these RDBMSs, each database access entity is handled using separate provisioning and reconciliation functions.

However, for Oracle Database and IBM DB2 UDB, the Create Login function is sufficient to create accounts for users. Therefore, the Create User function is not used for these RDBMSs.

The following sections provide information about the provisioning and reconciliation functions supported by the connector for each database access entity type:

• Database Access Entity: Login

• Database Access Entity: User

Database Access Entity: Login

The following table lists the connector functions corresponding to the login database access entity type.

Note:

Most of these functions are supported on all four RDBMSs: IBM DB2 UDB, Microsoft SQL Server, Oracle Database, and Sybase.

Function	Type	Description	Supported on
Create Login	Provisioning	Creates a login in the database Note: Running this function on Oracle Database would result in the creation of a user, but would not grant any privileges to the user. To provide the required privileges, run the Add Role or Grant function with the values CONNECT, RESOURCE, and SELECT ANY TABLE. For more information, refer to the description of the Add Role or Grant function.	All
Delete Login	Provisioning	Deletes a provisioned login	All
Enable Login	Provisioning	Enables a disabled login	IBM DB2 UDB
Disable Login	Provisioning	Disables a login	IBM DB2 UDB
Default DB Updated	Provisioning	Updates the properties of a login in the database according to a change in the Default DB Updated attribute You must add appropriate lookup codes (corresponding to valid database names) in the following lookup definitions: UD_Lookup.DB_Dbnames-sql: For example, if a database named model exists on the target Microsoft SQL Server, then the following entry must be added as the lookup code: Code Key: model Decode: model Lang: en Country: US UD_Lookup.DB_Dbnames: For example, if a database named master exists on the target Sybase installation, then the following entry must be added as the lookup code: Code Key: master Decode: master Lang: en Country: US	Microsoft SQL Server and Sybase
Full Name Updated	Provisioning	Updates the properties of a login in the database according to a change in the Full Name attribute	Sybase
Default Role Updated	Provisioning	Updates the properties of a login in the database according to a change in the Default Role attribute This function works only if the relevant role is already assigned to the Sybase login. You must add appropriate lookup codes (corresponding to valid roles) in the following lookup definition: Lookup.DB Role: For example, if a role named oper_role exists on the target Sybase database, then the following entry must be added as the lookup code: Code Key: oper_role Decode: oper_role Lang: en Country: US	Sybase
Default Language Updated	Provisioning	Updates the properties of a login in the database according to a change in the Default Language attribute You must add appropriate lookup codes (corresponding to valid roles) in the following lookup definition: UD_Lookup.Def_Lang: For example, if a language named us_English exists on the target Sybase or Microsoft SQL Server database, then the following entry must be added as the lookup code: Code Key: us_english Decode: us_english Lang: en Country: US	Microsoft SQL Server and Sybase
Password Updated	Provisioning	Updates the properties of a login in the database according to a change in the Password Updated attribute This function is run when the password in a process form is changed. For Sybase: The password must contain at least 6 characters. If no input is provided in the Password field of the process form, then the provisioned user is assigned a password with the same value as the user login.	Microsoft SQL Server, Oracle Database, and Sybase
Add Role or Grant	Provisioning	Adds a role to an existing login in the database The required role must be defined and valid in the target system. You must add appropriate lookup codes (corresponding to valid role names) in the following lookup definitions: Lookup.DB Role: For example, if a role named oper_role exists on the target Sybase database, then the following entry must be added as the lookup code: Code Key: oper_role Decode: oper_role Lang: en Country: US Lookup.DB Role-Oracle: For example, if a role named DBA exists on the target Oracle Database, then the following entry must be added as the lookup code: Code Key: DBA Decode: DBA Lang: en Country: US	Oracle Database and Sybase
Revoke Role	Provisioning	Revokes a role from an existing login in the database	Oracle Database and Sybase
Add Tablespace	Provisioning	Adds a tablespace to an existing login in the database The required tablespace must be defined and valid in the target system. You must add appropriate lookup codes (corresponding to valid tablespaces) in the following lookup definition: UD_Lookup.DB_Tablespacenames: For example, if a tablespace named tb_xel exists on the target IBM DB2 UDB database, then the following entry must be added as the lookup code: Code Key: tb_xel Decode: tb_xel Lang: en Country: US	IBM DB2 UDB
Delete Tablespace	Provisioning	Revokes a tablespace from an existing login in the database	IBM DB2 UDB
Add Schema	Provisioning	Adds a schema to an existing login in the database The required schema must be defined and valid in the target system. You must add appropriate lookup codes (corresponding to valid schema names) in the following lookup definition: UD_Lookup.DB_Schemas: For example, if a schema named xeltest exists on the target IBM DB2 UDB database, then the following entry must be added as the lookup code: Code Key: xeltest Decode: xeltest Lang: en Country: US	IBM DB2 UDB
Delete Schema	Provisioning	Revokes a schema from an existing login in the database	IBM DB2 UDB
Trusted Reconciliation for Login	Reconciliation	Creates login accounts in Oracle Identity Manager corresponding to reconciled logins from the database	All
Create Login	Reconciliation	Reconciles logins	All
Update Login	Reconciliation	Reconciles attributes of logins existing in Oracle Identity Manager	Microsoft SQL Server and Sybase
Default DB Updated	Reconciliation	Reconciles changes in the Default DB attribute of logins existing in Oracle Identity Manager	Microsoft SQL Server and Sybase
Full Name Updated	Reconciliation	Reconciles changes in the Full Name attribute of logins existing in Oracle Identity Manager	Sybase
Default Role Updated	Reconciliation	Reconciles changes in the Default Role attribute of logins existing in Oracle Identity Manager	Microsoft SQL Server and Sybase
Default Language Updated	Reconciliation	Reconciles changes in the Default Language attribute of logins existing in Oracle Identity Manager	Microsoft SQL Server and Sybase
Add Role or Grant	Reconciliation	Reconciles newly added roles of logins existing in Oracle Identity Manager	Oracle Database and Sybase
Add Tablespace	Reconciliation	Reconciles newly added tablespaces of logins existing in Oracle Identity Manager	IBM DB2 UDB
Add Schema	Reconciliation	Reconciles newly added schemas of logins existing in Oracle Identity Manager	IBM DB2 UDB

Database Access Entity: User

The following table lists the connector functions corresponding to the user database access entity type.

Note:

These functions are supported on only Microsoft SQL Server and Sybase.

Function	Type	Description	Supported on
Create User	Provisioning	Creates a user corresponding to an existing login in the database While running this function, you must provide the required value in the DB Name field. The required schema must be defined and valid in the target system. You must add appropriate lookup codes (corresponding to valid schema names) in the following lookup definitions: UD_Lookup.DB_Dbnames: For example, if a database named master exists on the target Sybase installation, then the following entry must be added as the lookup code: Code Key: master Decode: master Lang: en Country: US UD_Lookup.DB_Dbnames-sql: For example, if a database named model exists on the target Microsoft SQL Server installation, then the following entry must be added as the lookup code: Code Key: model Decode: model Lang: en Country: US	Both
Delete User	Provisioning	Deletes a provisioned user corresponding to an existing login in the database This function can be run by running the Revoke Request function using the Request form in Oracle Identity Manager.	Both
Disable User	Provisioning	Disables an existing user in the database This function revokes access to all tables for the specified user.	Sybase
Enable User	Provisioning	Enables a disabled existing user in the database The provisioned account has default access to only a particular set of tables. This function grants all types of access privileges to the account for all system- and user-defined tables in the specified database.	Sybase
DB Group Updated	Provisioning	Updates the configuration of a user in the database according to a change in the DB Group attribute If no input is provided in the User Group field of the process form, then the provisioned user is added to the default group, public, in the Sybase database. The required group must be defined and valid in the Sybase database. You must add appropriate lookup codes (corresponding to valid group names) in the following lookup definition: UD_Lookup.DB_Group: For example, if a group named Managers exists on the target Sybase database, then the following entry must be added as the lookup code: Code Key: Managers Decode: Managers Lang: en Country: US	Sybase
Add Role	Provisioning	Adds a role to an existing user in the database The required role must be defined and valid on the target Microsoft SQL Server database. You must add appropriate lookup codes (corresponding to valid role names) in the following lookup definition: Lookup.DB Role-MSSQL: For example, if a role named db_datawriter exists on the target Sybase database, then the following entry must be added as the lookup code: Code Key: db_datawriter Decode: db_datawriter Lang: en Country: US	Microsoft SQL Server
Revoke Role	Provisioning	Revokes a role from an existing user in the database	Microsoft SQL Server
Create User	Reconciliation	Reconciles users that are created in the database	Both
DB Group Updated	Reconciliation	Reconciles the updated DB Group attribute of existing users in Oracle Identity Manager	Sybase
Add Role	Reconciliation	Reconciles newly added roles of existing logins in Oracle Identity Manager	Microsoft SQL Server

Multilanguage Support

The connector supports the following languages:

• Chinese Simplified

• Chinese Traditional

• English

• French

• German

• Italian

• Japanese

• Korean

• Portuguese (Brazilian)

• Spanish

See Also:

Oracle Identity Manager Globalization Guide for information about supported special characters

Files and Directories That Comprise the Connector

The files and directories that comprise this connector are in the following directory on the installation media:

Database Servers/Database User Management

These files and directories are listed in the following table.

File in the Installation Media Directory	Description
lib/xliDatabaseAccess.jar	This file contains the class files required for performing provisioning and reconciliation.
Files in the resources directory	Each of these resource bundle files contains language-specific information that is used by the connector. There are two resource bundle files for a particular language, one for each database access entity (Login and User). Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console.
scripts/procGrantAllToUser.sql	This file contains the code for the stored procedure that implements the Enable User function.
scripts/procRevokeAllFromUser.sql	This file contains the code for the stored procedure that implements the Disable User function.
test/config/config.properties	This file contains the attributes for Oracle Identity Manager to connect to the target system and perform provisioning operations.
test/config/log.properties	This file is used to store logging messages.
test/scripts/DBAccess.bat test/scripts/DBAccess.sh	This file is used to start the testing utility.
xml/xliDBAccessLogin_DM Nontrusted.xml	This XML file contains definitions for the connector components related to Database Access (Login) provisioning. These components include: Database Access (Login) IT resource type Custom Process form Process task and adapters (along with their mappings) Login resource object Provisioning process Pre-populate rules
xml/xliDBAccessUser_DM Nontrusted.xml	This XML file contains definitions for the connector components related to Database Access (User) provisioning. These components include: Database Access (User) IT resource type Custom process form Process task and adapters (along with their mappings) User resource object Provisioning process Pre-populate rules
xml/xelluserDbAcess Trusted.xml	This XML file contains the configuration for the Xellerate User. You must import this file only if you plan to use the connector in trusted source reconciliation mode.

Note:

The files in the test directory are used only to run tests on the connector.

The "Step 3: Copying the Connector Files and External Code Files" section provides instructions to copy these files into the required directories.

Determining the Release Number of the Connector

You can use any one of the following methods to determine the release number of the connector.

Before Deployment

To determine the release number of a connector:

1. Extract the contents of the xliDatabaseAccess.jar file. This file is in the following directory on the installation media:

   Database Servers/Database User Management/lib
   
   

2. Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xliDatabaseAccess.jar file.

   In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.

Note:

If you maintain a copy of the xliDatabaseAccess.jar file after deployment, you can use this method to determine the release number of the connector at any stage. After you deploy the connector, it is recommended that you use the "After Deployment" method, which is described in the following section.

After Deployment

To determine the release number of a connector that has already been deployed:

See Also:

Oracle Identity Manager Design Console Guide

1. Open the Oracle Identity Manager Design Console.

2. In the Form Designer, open the process form. The release number of the connector is the value of the Version field.