Oracle® Identity Manager Connector Guide for Database User Management Release 9.0.3 Part Number B32351-01 |
|
|
View PDF |
Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. The connector for Database User Management is used to integrate Oracle Identity Manager with various databases.
Note:
Oracle Identity Manager connectors were referred to as resource adapters prior to the acquisition of Thor Technologies by Oracle.This chapter contains the following sections:
In Microsoft SQL Server and Sybase, database access entities can be divided into the following types:
Login (parent)
User (child)
Because the connector must provide user provisioning features in both these RDBMSs, each database access entity is handled using separate provisioning and reconciliation functions.
However, for Oracle Database and IBM DB2 UDB, the Create Login function is sufficient to create accounts for users. Therefore, the Create User function is not used for these RDBMSs.
The following sections provide information about the provisioning and reconciliation functions supported by the connector for each database access entity type:
The following table lists the connector functions corresponding to the login database access entity type.
Note:
Most of these functions are supported on all four RDBMSs: IBM DB2 UDB, Microsoft SQL Server, Oracle Database, and Sybase.Function | Type | Description | Supported on |
---|---|---|---|
Create Login | Provisioning | Creates a login in the database
Note: Running this function on Oracle Database would result in the creation of a user, but would not grant any privileges to the user. To provide the required privileges, run the Add Role or Grant function with the values CONNECT, RESOURCE, and SELECT ANY TABLE. For more information, refer to the description of the Add Role or Grant function. |
All |
Delete Login | Provisioning | Deletes a provisioned login | All |
Enable Login | Provisioning | Enables a disabled login | IBM DB2 UDB |
Disable Login | Provisioning | Disables a login | IBM DB2 UDB |
Default DB Updated | Provisioning | Updates the properties of a login in the database according to a change in the Default DB Updated attribute
You must add appropriate lookup codes (corresponding to valid database names) in the following lookup definitions:
|
Microsoft SQL Server and Sybase |
Full Name Updated | Provisioning | Updates the properties of a login in the database according to a change in the Full Name attribute | Sybase |
Default Role Updated | Provisioning | Updates the properties of a login in the database according to a change in the Default Role attribute
This function works only if the relevant role is already assigned to the Sybase login. You must add appropriate lookup codes (corresponding to valid roles) in the following lookup definition: Lookup.DB Role: For example, if a role named
|
Sybase |
Default Language Updated | Provisioning | Updates the properties of a login in the database according to a change in the Default Language attribute
You must add appropriate lookup codes (corresponding to valid roles) in the following lookup definition: UD_Lookup.Def_Lang: For example, if a language named
|
Microsoft SQL Server and Sybase |
Password Updated | Provisioning | Updates the properties of a login in the database according to a change in the Password Updated attribute
This function is run when the password in a process form is changed. For Sybase:
|
Microsoft SQL Server, Oracle Database, and Sybase |
Add Role or Grant | Provisioning | Adds a role to an existing login in the database
The required role must be defined and valid in the target system. You must add appropriate lookup codes (corresponding to valid role names) in the following lookup definitions:
|
Oracle Database and Sybase |
Revoke Role | Provisioning | Revokes a role from an existing login in the database | Oracle Database and Sybase |
Add Tablespace | Provisioning | Adds a tablespace to an existing login in the database
The required tablespace must be defined and valid in the target system. You must add appropriate lookup codes (corresponding to valid tablespaces) in the following lookup definition: UD_Lookup.DB_Tablespacenames: For example, if a tablespace named Code Key: Decode: Lang: Country: |
IBM DB2 UDB |
Delete Tablespace | Provisioning | Revokes a tablespace from an existing login in the database | IBM DB2 UDB |
Add Schema | Provisioning | Adds a schema to an existing login in the database
The required schema must be defined and valid in the target system. You must add appropriate lookup codes (corresponding to valid schema names) in the following lookup definition: UD_Lookup.DB_Schemas: For example, if a schema named Code Key: Decode: Lang: Country: |
IBM DB2 UDB |
Delete Schema | Provisioning | Revokes a schema from an existing login in the database | IBM DB2 UDB |
Trusted Reconciliation for Login | Reconciliation | Creates login accounts in Oracle Identity Manager corresponding to reconciled logins from the database | All |
Create Login | Reconciliation | Reconciles logins | All |
Update Login | Reconciliation | Reconciles attributes of logins existing in Oracle Identity Manager | Microsoft SQL Server and Sybase |
Default DB Updated | Reconciliation | Reconciles changes in the Default DB attribute of logins existing in Oracle Identity Manager | Microsoft SQL Server and Sybase |
Full Name Updated | Reconciliation | Reconciles changes in the Full Name attribute of logins existing in Oracle Identity Manager | Sybase |
Default Role Updated | Reconciliation | Reconciles changes in the Default Role attribute of logins existing in Oracle Identity Manager | Microsoft SQL Server and Sybase |
Default Language Updated | Reconciliation | Reconciles changes in the Default Language attribute of logins existing in Oracle Identity Manager | Microsoft SQL Server and Sybase |
Add Role or Grant | Reconciliation | Reconciles newly added roles of logins existing in Oracle Identity Manager | Oracle Database and Sybase |
Add Tablespace | Reconciliation | Reconciles newly added tablespaces of logins existing in Oracle Identity Manager | IBM DB2 UDB |
Add Schema | Reconciliation | Reconciles newly added schemas of logins existing in Oracle Identity Manager | IBM DB2 UDB |
The following table lists the connector functions corresponding to the user database access entity type.
Note:
These functions are supported on only Microsoft SQL Server and Sybase.Function | Type | Description | Supported on |
---|---|---|---|
Create User | Provisioning | Creates a user corresponding to an existing login in the database
While running this function, you must provide the required value in the DB Name field. The required schema must be defined and valid in the target system. You must add appropriate lookup codes (corresponding to valid schema names) in the following lookup definitions:
|
Both |
Delete User | Provisioning | Deletes a provisioned user corresponding to an existing login in the database
This function can be run by running the Revoke Request function using the Request form in Oracle Identity Manager. |
Both |
Disable User | Provisioning | Disables an existing user in the database
This function revokes access to all tables for the specified user. |
Sybase |
Enable User | Provisioning | Enables a disabled existing user in the database
The provisioned account has default access to only a particular set of tables. This function grants all types of access privileges to the account for all system- and user-defined tables in the specified database. |
Sybase |
DB Group Updated | Provisioning | Updates the configuration of a user in the database according to a change in the DB Group attribute
If no input is provided in the User Group field of the process form, then the provisioned user is added to the default group, The required group must be defined and valid in the Sybase database. You must add appropriate lookup codes (corresponding to valid group names) in the following lookup definition: UD_Lookup.DB_Group: For example, if a group named
|
Sybase |
Add Role | Provisioning | Adds a role to an existing user in the database
The required role must be defined and valid on the target Microsoft SQL Server database. You must add appropriate lookup codes (corresponding to valid role names) in the following lookup definition: Lookup.DB Role-MSSQL: For example, if a role named
|
Microsoft SQL Server |
Revoke Role | Provisioning | Revokes a role from an existing user in the database | Microsoft SQL Server |
Create User | Reconciliation | Reconciles users that are created in the database | Both |
DB Group Updated | Reconciliation | Reconciles the updated DB Group attribute of existing users in Oracle Identity Manager | Sybase |
Add Role | Reconciliation | Reconciles newly added roles of existing logins in Oracle Identity Manager | Microsoft SQL Server |
This release of the connector supports the following languages:
English
Brazilian Portuguese
French
German
Italian
Japanese
Korean
Simplified Chinese
Spanish
Traditional Chinese
See Also:
Oracle Identity Manager Globalization Guide for information about supported special charactersThe elements that the reconciliation module extracts from the target system in order to construct reconciliation event records are given in the following table.
Field | IBM DB2 UDB | Microsoft SQL Server | Oracle Database | Sybase |
---|---|---|---|---|
Login | Yes | Yes | Yes | Yes |
userType | Yes | - | - | - |
Full Name | - | - | - | Yes |
DefaultTablespace | - | - | Yes | - |
dbName | Yes | - | - | - |
Roles | - | Yes | Yes | Yes |
schemaName | Yes | - | - | - |
tableSpaceName | Yes | - | - | - |
User | - | Yes | - | Yes |
Group | - | - | - | Yes |
Database | - | Yes | - | Yes |
The provisioning module can be divided into the following types:
The following fields are provisioned.
Field | IBM DB2 UDB | Microsoft SQL Server | Oracle Database | Sybase |
---|---|---|---|---|
Login | Yes | Yes | Yes | Yes |
Password | Yes | Yes | Yes | Yes |
Default DB | - | - | - | Yes |
Default Language | - | Yes | - | Yes |
Full Name | - | - | - | Yes |
Authentication Type | Yes | - | - | - |
Tablespace | - | - | Yes | - |
Datafile Size (in MB) | - | - | Yes | - |
Default Role | - | - | - | Yes |
DB2 Database | Yes | - | - | - |
DB2 User Type | Yes | - | - | - |
Role | - | - | Yes | Yes |
Tablespace Name | Yes | - | - | - |
Schema Name | Yes | - | - | - |
The following fields are provisioned.
Field | IBM DB2 UDB | Microsoft SQL Server | Oracle Database | Sybase |
---|---|---|---|---|
DB User | - | Yes | - | Yes |
DB Name | - | Yes | - | Yes |
DB Group | - | - | - | Yes |
DB Parent Login | - | Yes | - | Yes |
Authentication Type | - | Yes | - | - |
Role | - | - | - | Yes |
The files and directories that comprise this connector are compressed in the following directory on the installation media:
Database Servers\Database User Management
These files and directories are listed in the following table.
File in the Installation Media Directory | Description |
---|---|
lib\xliDatabaseAccess.jar |
This file contains the class files required for performing provisioning and reconciliation. |
Files in the resources directory |
Each of these resource bundle files contains language-specific information that is used by the connector. There are two resource bundle files for a particular language, one for each database access entity (Login and User).
Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console. |
scripts\procGrantAllToUser.sql |
This file contains the code for the stored procedure that implements the Enable User function. |
scripts\procRevokeAllFromUser.sql |
This file contains the code for the stored procedure that implements the Disable User function. |
xml\xliDBAccessLogin_DM.xml |
This XML file contains definitions for the connector components related to Database Access (Login) provisioning. These components include:
|
xml\xliDBAccessScheduleTask_DM.xml |
This XML file contains definitions for the connector components related to Database User Management reconciliation. |
xml\xliDBAccessUser_DM.xml |
This XML file contains definitions for the connector components related to Database Access (User) provisioning. These components include:
|
The "Step 3: Copying the Connector Files" section provides instructions to copy these files into the required directories.
To determine the release number of the connector that you have deployed:
Extract the contents of the xliDatabaseAccess.jar
file. For a connector that has been deployed, this file is in the following directory:
OIM_home\xellerate\JavaTasks
Open the manifest.mf
file in a text editor. The manifest.mf
file is one of the files bundled inside the xliDatabaseAccess.jar
file.
In the manifest.mf
file, the release number of the connector is displayed as the value of the Version
property.
See Also:
Oracle Identity Manager Design Console Guide