Oracle® Identity Manager Connector Guide for Microsoft Active Directory Release 9.0.3 Part Number B32355-02 |
The following are the attributes of the reconciliation scheduled task:
DeleteRecon
This attribute is used to enable the Delete Reconciliation feature. The value can be True or False.
If you enable Delete Reconciliation, then you must ensure that the Server attribute points to the Microsoft Active Directory root context where information about deleted users is stored.
Because Microsoft Active Directory does not keep track of deleted users, this mechanism (of moving deleted users to a specific OU) must be implemented by the directory administrator. In addition, in the case of trusted reconciliation, the users that are reconciled using the Delete Reconciliation function are marked as deleted by Oracle Identity Manager. In the case of nontrusted reconciliation, the Microsoft Active Directory resource object is revoked for such users.
You must specify a value for this attribute.
UseFieldMapping
This attribute is used to enable the reconciliation of specific fields. The value can be True or False.
If it is set to True, then the value of the FieldLookupCode attribute is used to find the field mappings stored in the lookup tables.
Note:
If the UseFieldMapping parameter is set to False, then some fields with binary values would be passed on to Oracle Identity Manager. The current release of Oracle Identity Manager cannot handle binary values.
The following are some of the fields that have binary values:
msExchMailboxSecurityDescriptor
msExchMailboxGuid
showInAddressBook
msExchPoliciesIncluded
textEncodedORAddress
proxyAddresses
The same issue is discussed in the Known Issues list in Chapter 4.
FieldLookupCode
This attribute provides the name of the lookup definition that provides the mapping between Microsoft Active Directory fields and virtual fields in Oracle Identity Manager.
This attribute is used when there are multiple external systems that are being reconciled against a single Oracle Identity Manager resource object. In such a situation, it is not possible to use the existing reconciliation scheduled task. Therefore, you must specify the mappings between Microsoft Active Directory fields and virtual Oracle Identity Manager fields. These virtual fields are then mapped to the actual fields on the process form.
This is illustrated by the following example:
Suppose there are two systems, S1 and S2, that are being reconciled against a resource object called ADObject. In addition, the reconciliation parameters are p1, p2, and p3 for S1 and q1, q2, and q3 for S2. Because they are being reconciled against the same resource object, Oracle Identity Manager does not allow multiple mappings of the same field. For instance, if p1 and q1 both correspond to the user ID, then both of them cannot be mapped at the same time. To avoid this, you can use virtual mappings, in which case p1, p2, p3, q1, q2, and q3 are mapped to the same virtual Oracle Identity Manager attributes. These attributes in turn are mapped on the resource object and provisioning process. Therefore, if the virtual Oracle Identity Manager attributes are x1, x2, and x3, then the mapping in the field maps is as follows:
MaintainHierarchy
This attribute is used to specify whether or not the organization hierarchy must be maintained in Microsoft Active Directory. The value can be True or False.
If this attribute is set to True, then the reconciliation scheduled task first creates an organization hierarchy in Oracle Identity Manager similar to the organization hierarchy in Microsoft Active Directory. It then performs reconciliation of users into the appropriate organization. The value of the XellerateOrg attribute is ignored.
While using this option, you must ensure that duplicate organization names are not created. This is because Oracle Identity Manager does not allow duplicate organization names, even in separate organization trees.
You must specify a value for this attribute.
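The following is an added example, not code from the connector or from Oracle: a pre-check to run before enabling MaintainHierarchy. It mirrors the OU tree implied by a set of Microsoft Active Directory distinguished names (the constructed SAMPLE_DNS list stands in for the result of a subtree search), determines the organization a user entry would be reconciled into, and reports OU names that occur at more than one position in the tree, which is exactly the case in which Oracle Identity Manager would refuse to create a second organization with the same name. Function names are assumptions for this example.

```python
# Added example, not Oracle's code: pre-check for the MaintainHierarchy option.
# It mirrors the OU tree implied by a set of AD distinguished names and reports
# OU names used in more than one place, since Oracle Identity Manager does not
# allow duplicate organization names even in separate organization trees.
import re
from collections import defaultdict

# Constructed sample of distinguished names as a subtree search might return them.
SAMPLE_DNS = [
    "OU=Sales,DC=example,DC=com",
    "OU=Engineering,DC=example,DC=com",
    "OU=Admins,OU=Sales,DC=example,DC=com",
    "OU=Admins,OU=Engineering,DC=example,DC=com",
    "OU=Support,OU=Engineering,DC=example,DC=com",
    "CN=Alice Example,OU=Admins,OU=Sales,DC=example,DC=com",
]


def ou_path(dn):
    """Root-to-leaf list of OU names in a DN (CN= and DC= components are ignored)."""
    # A comma escaped with a backslash is part of a value, not a separator.
    components = re.split(r"(?<!\\),", dn)
    names = []
    for comp in components:
        key, _, value = comp.strip().partition("=")
        if key.strip().upper() == "OU":
            names.append(value.strip())
    return list(reversed(names))


def build_hierarchy(dns):
    """Nested dict mirroring the AD OU tree, as the task would recreate it in OIM."""
    root = {}
    for dn in dns:
        node = root
        for name in ou_path(dn):
            node = node.setdefault(name, {})
    return root


def target_organization(user_dn):
    """Organization a user is reconciled into: the innermost OU, or None at the domain root."""
    path = ou_path(user_dn)
    return path[-1] if path else None


def find_duplicate_org_names(dns):
    """OU names that appear at more than one position in the tree, with the paths involved."""
    paths = set()
    for dn in dns:
        path = ou_path(dn)
        for depth in range(1, len(path) + 1):
            paths.add(tuple(path[:depth]))  # count every ancestor OU as well
    locations = defaultdict(list)
    for path in sorted(paths):
        locations[path[-1]].append("/".join(path))
    return {name: locs for name, locs in locations.items() if len(locs) > 1}


if __name__ == "__main__":
    print(build_hierarchy(SAMPLE_DNS))
    print(target_organization(SAMPLE_DNS[-1]))
    # Both Sales and Engineering contain an OU named Admins, which OIM rejects.
    print(find_duplicate_org_names(SAMPLE_DNS))
```

Run it against the DNs returned by a subtree search of the root context named in the Server IT resource; any name reported by find_duplicate_org_names must be renamed on the directory side before the scheduled task is run with MaintainHierarchy set to True.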
XellerateObject
This attribute is used to specify the name of the Xellerate User resource object in Oracle Identity Manager on which trusted reconciliation is to be performed.
The value must be Xellerate User.
If you do not want trusted reconciliation to be performed, then change the value to false.
You must specify a value for this attribute.
Object
This attribute is used to specify the name of the AD User resource object in Oracle Identity Manager on which reconciliation is to be performed.
The value must be AD User.
If you do not want trusted reconciliation to be performed, then change the value to false.
You must specify a value for this attribute.
Server
This attribute specifies the IT resource for the Microsoft Active Directory server from which reconciliation is to be carried out.
You must specify a value for this attribute.
TransformLookupCode
This attribute specifies the mapping between Microsoft Active Directory fields and the transformation to be applied to them. It is used if the values from external systems must be modified before they can be entered into Oracle Identity Manager. There is no restriction on custom modification. The following are examples of custom modifications:
Append a number at the end of the user ID.
Look up the field name from some external system, and set the value based on the field name.
Set custom types, such as Role or Xellerate Type in Oracle Identity Manager, based on the value of a field in Microsoft Active Directory.
Because there can be a different transformation for every field reconciled from Microsoft Active Directory, the transform map gives a flexible way of specifying the field and the Java class that is used to transform it. The custom transformation classes must be compiled and kept in a JAR file in the JavaTasks directory.
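The following is an added example, not code from the connector or from Oracle, and it serves both the FieldLookupCode and the TransformLookupCode descriptions above. It models how a field-map lookup (selected by UseFieldMapping and FieldLookupCode) and a transform lookup (selected by UseTransformMapping and TransformLookupCode) shape a single reconciled Microsoft Active Directory record into the virtual attributes x1, x2, and x3 of the S1/S2 example, and it shows why the note on UseFieldMapping matters: with the mapping disabled, a binary-valued field reaches Oracle Identity Manager unchanged. The lookup names, the Python functions standing in for the Java transformation classes, and the sample records are all constructed for this example.

```python
# Added example, not the connector's code: a model of how UseFieldMapping /
# FieldLookupCode and UseTransformMapping / TransformLookupCode shape one
# reconciled Microsoft Active Directory record. Lookup names, transform
# functions and sample records are constructed for illustration.

# Binary-valued AD fields named in the note on UseFieldMapping.
BINARY_FIELDS = {
    "msExchMailboxSecurityDescriptor", "msExchMailboxGuid", "showInAddressBook",
    "msExchPoliciesIncluded", "textEncodedORAddress", "proxyAddresses",
}

# Field-map lookups for systems S1 and S2 from the FieldLookupCode example:
# p1..p3 and q1..q3 both map onto the virtual attributes x1..x3.
FIELD_LOOKUPS = {
    "Lookup.AD.S1.FieldMap": {"p1": "x1", "p2": "x2", "p3": "x3"},  # assumed lookup names
    "Lookup.AD.S2.FieldMap": {"q1": "x1", "q2": "x2", "q3": "x3"},
}


# These functions stand in for the Java transformation classes that the
# TransformLookupCode lookup would name; each gets the value and the whole record.
def append_number(value, record):
    """Append a number at the end of the user ID."""
    return f"{value}1"


def role_from_department(value, record):
    """Set the Role type in OIM based on the value of an AD field."""
    return "Administrator" if value == "IT" else "Full-Time"


TRANSFORM_LOOKUPS = {
    "Lookup.AD.S1.Transform": {"p1": append_number, "p3": role_from_department},  # assumed
}


def field_mapping(record, use_field_mapping, field_lookup_code=None):
    """AD field -> virtual field; with UseFieldMapping False every field passes through as-is."""
    if use_field_mapping:
        return FIELD_LOOKUPS[field_lookup_code]
    return {name: name for name in record}


def binary_fields_forwarded(record, use_field_mapping, field_lookup_code=None):
    """Names of binary-valued fields that would be passed on to Oracle Identity Manager."""
    mapping = field_mapping(record, use_field_mapping, field_lookup_code)
    return sorted(
        f for f in mapping
        if f in record and (f in BINARY_FIELDS or isinstance(record[f], (bytes, bytearray)))
    )


def reconcile_record(record, use_field_mapping, field_lookup_code=None,
                     use_transform_mapping=False, transform_lookup_code=None):
    """Produce the virtual Oracle Identity Manager attributes for one AD record."""
    mapping = field_mapping(record, use_field_mapping, field_lookup_code)
    transforms = TRANSFORM_LOOKUPS.get(transform_lookup_code, {}) if use_transform_mapping else {}
    virtual = {}
    for ad_field, virtual_field in mapping.items():
        if ad_field not in record:
            continue  # a mapped field absent from this record is simply skipped
        value = record[ad_field]
        if ad_field in transforms:
            value = transforms[ad_field](value, record)
        virtual[virtual_field] = value
    return virtual


# Constructed sample records from the two systems; msExchMailboxGuid is binary.
S1_RECORD = {"p1": "jdoe", "p2": "John Doe", "p3": "IT",
             "msExchMailboxGuid": b"\x00\x01\x02\x03"}
S2_RECORD = {"q1": "asmith", "q2": "Anna Smith", "q3": "Sales"}

if __name__ == "__main__":
    print(reconcile_record(S1_RECORD, True, "Lookup.AD.S1.FieldMap",
                           True, "Lookup.AD.S1.Transform"))
    print(reconcile_record(S2_RECORD, True, "Lookup.AD.S2.FieldMap"))
    # Mapping disabled: the binary field is forwarded, which OIM cannot handle.
    print(binary_fields_forwarded(S1_RECORD, False))
```

With UseFieldMapping set to True, only the fields named in the lookup are forwarded, so the binary msExchMailboxGuid value never reaches Oracle Identity Manager; with it set to False, binary_fields_forwarded reports that field, which is the situation the note above warns about.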
See Also:
Appendix C
UseTransformMapping
This attribute is used to specify whether or not the transform mappings accessed by using the TransformLookupCode attribute must be used. The value can be True or False.
You must specify a value for this attribute.
XellerateOrg
This attribute specifies the name of the Oracle Identity Manager organization in which reconciled users are to be created. The name of this organization is used by default unless the MaintainHierarchy attribute is set.
You must specify a value for this attribute.
MultiValueAttributes
The value of this attribute is interpreted as a comma-separated list of the multivalued attributes in Microsoft Active Directory that must be imported into Oracle Identity Manager during reconciliation. When you use this value, remember that:
The corresponding child table (used to store the value of the multivalued field) must exist on the form for the resource object against which reconciliation takes place.
The name of the multivalued attribute field and its subfields must be the same as the name of the multivalued field.
You must specify a value for this attribute.
GroupObject
This attribute is used to specify the name of the AD Group resource object in Oracle Identity Manager on which reconciliation is to be performed.
The value must be AD Group.
If you do not want trusted reconciliation to be performed, then change the value to false.
You must specify a value for this attribute.