This chapter discusses the following topics:
Section 4.3, "Configuring Filtered Reconciliation to Multiple Resource Objects"
Section 4.7, "Configuring Resource and Access Rule Pre-Population Scheduled Tasks"
The ACF2 Reconcile All Users scheduled task performs full reconciliation. When you configure this scheduled task, it runs at specified intervals and fetches create and modify events on the target system for reconciliation.
To configure the Reconcile All Users scheduled task:
Log in to the Oracle Identity Manager Administrative and User Console.
Perform one of the following steps.
If you are using Oracle Identity Manager Release 9.1.0.x, expand Resource Management, and then click Manage Scheduled Task.
If you are using Oracle Identity Manager Release 11.1.1, then on the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
Search for and open the scheduled task as follows:
If you are using Oracle Identity Manager Release 9.1.0.x, then:
On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.
In the search results table, click Edit in the edit column for the scheduled task.
On the Scheduled Task Details page, where the details of the scheduled task that you selected are displayed, click Edit.
If you are using Oracle Identity Manager Release 11.1.1, then:
On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
In the search results table on the left pane, click the scheduled job in the Job Name column.
Modify the details of the scheduled task as follows:
If you are using Oracle Identity Manager Release 9.1.0.x, then on the Edit Scheduled Task Details page, modify the following parameters, and then click Continue:
Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.
Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 0.
Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.
Frequency: Specify the frequency at which you want the task to run.
If you are using Oracle Identity Manager Release 11.1.1, then on the Job Details tab, you can modify the following parameters:
Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.
See Also:
Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types
In addition to modifying the job details, you can enable or disable a job.
Specify values for the attributes of the scheduled task as follows:
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
If you are using Oracle Identity Manager Release 9.1.0.x, then on the Attributes page, select the attribute from the Attribute list, specify a value in the field provided, and then click Update.
If you are using Oracle Identity Manager Release 11.1.1, then on the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task. Table 4-1 describes the attributes of the scheduled task.
Table 4-1 Attributes of the Reconcile All Users Scheduled Task

Attribute | Description
---|---
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value:
Resource Object | Enter the name of the resource object against which reconciliation runs must be performed. Sample value:
Trusted Resource Object | Enter the name of the resource object against which trusted reconciliation runs must be performed. Sample value:
MultiValuedAttributes | Enter a comma-separated list of multi-valued attributes that you want to reconcile. Do not include a space after each comma. Sample value:
SingleValueAttributes | Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValuedAttributes field. Sample value: Note: By default, the Oracle Identity Manager design form allows at most 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database.
TrustedReconciliation | Enter whether the target system should be treated as a trusted source. Sample value:
UsersList | Enter a comma-separated list of user IDs to be reconciled. Note: This field is optional. If no user IDs are listed, then full reconciliation is performed. Sample value:
After specifying the attributes, perform one of the following steps:
If you are using Oracle Identity Manager Release 9.1.0.x, then click Save Changes to save the changes.
Note:
The Stop Execution option is not available in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.
If you are using Oracle Identity Manager Release 11.1.1, then click Apply to save the changes.
Note:
The Stop Execution option is available in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager. You can use the Scheduler Status page to start, stop, or reinitialize the scheduler.
Note:
This section describes an optional procedure. Perform this procedure only if you want to enable reconciliation of user status changes on CA ACF2.
When a user is disabled or enabled on the target system, the status of the user can be reconciled into Oracle Identity Manager. To configure reconciliation of user status changes made on CA ACF2:
In the LDAP_INSTALL_DIR/etc/VOYAGER_ID.properties file, add the name of the Status field to the reconAttrs section.
Restart the LDAP Gateway for the changes to take effect.
In the Design Console:
See Also:
Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about the following steps
In the OIMAcf2ResourceObject resource object, create the Status reconciliation field.
In the OIMAcf2ProvisioningProcess process definition, map the field for the Status field to the OIM_OBJECT_STATUS field.
You might have created multiple resource objects to represent multiple user types in your organization. You use the Resource Object property of the Reconcile All Users scheduled task to specify the resource object that you want to use during reconciliation. You can enter more than one resource object in the value of the Resource Object property. In addition, you can include CA ACF2 attribute-value pairs to filter records for each resource object.
See Also:
Section 4.1, "Performing Full Reconciliation" for information about the Reconcile All Users scheduled task
The following is a sample format of the value for the Resource Object property:
(ATTRIBUTE1:VALUE1)RESOURCE_OBJECT1,RESOURCE_OBJECT2
As shown in the sample format, specifying a filter attribute is optional, but if more than one resource object is specified, you must specify a filter for each additional resource object. If you do not specify a filter attribute, then all records are reconciled to the first resource object. Further, the filters are checked in order, so the resource object without a filter attribute should be included last in the list.
Filter attributes should be surrounded by parentheses.
Apply the following guidelines while specifying a value for the Resource Object property:
The names of the resource objects must be the same as the names that you specified while creating the resource objects by using the Design Console.
The CA ACF2 attribute names must be the same as the names used in the LDAP Gateway configuration files.
See Also:
Section 3.9, "Installing and Configuring the LDAP Gateway" for information about the LDAP Gateway configuration files
The value must be a regular expression as defined in the java.util.regex Java package. Note that the find method of the regex matcher is used rather than the matches method. This means that the pattern is a substring matching rule rather than a rule that the entire string must match.
Further, substring matching is case-sensitive. A "(tso)" filter will not match a user with the user ID "TSOUSER1".
Multiple values can be matched. Use a vertical bar (|) for a separator as shown in the following example:
(ATTRIBUTE:VALUE1|VALUE2|VALUE3)RESOURCE_OBJECT
Multiple filters can be applied to the attribute and to the same resource object. For example:
(ATTRIBUTE1:VALUE1)&(ATTRIBUTE2:VALUE2)RESOURCE_OBJECT
The following is a sample value for the Resource Object property:
(tsoProc:X)ACF2R01,(active:value1|value2|value3)ACF2ResourceObject2,(tso)ACF2ResourceObject24000,Resource
In this sample value:
(tsoProc:X)ACF2RO1 represents a user with X as the attribute value for the TSO Proc segment. Records that meet this criterion are reconciled with the ACF2RO1 resource object.
(active:value1|value2|value3)ACF2ResourceObject2 represents a user with value1, value2, or value3 as their active date. Records that meet this criterion are reconciled with the ACF2ResourceObject2 resource object.
(tso)ACF2ResourceObject24000 represents a user with TSO privileges. A TSO attribute value is not specified. Records that meet this criterion are reconciled with the ACF2ResourceObject24000 resource object.
All other records are reconciled with the Resource resource object.
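The following reference model of the Resource Object filter syntax is an added example, not code from the connector or from this guide. It parses the "(ATTRIBUTE:VALUE)&(ATTRIBUTE2:VALUE2)RESOURCE_OBJECT,..." format described above, routes a record to the first resource object whose filters all match using find (substring) semantics, and rejects an unfiltered catch-all entry that is not last. Record attribute names (tsoProc, active, tso, dept) and all record values are constructed for illustration; a filter with no value is modelled as "attribute present with a non-empty value".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ResourceObjectRule:
    """One comma-separated entry: a resource object plus the filters that must ALL match."""
    resource_object: str
    # (attribute, compiled pattern); pattern None means "attribute present, non-empty"
    filters: List[Tuple[str, Optional["re.Pattern"]]] = field(default_factory=list)

    def matches(self, record: Dict[str, str]) -> bool:
        for attribute, pattern in self.filters:
            value = record.get(attribute)
            if not value:
                return False
            # re.search mirrors java.util.regex Matcher.find(): a substring match
            # anywhere in the value is enough, and matching is case-sensitive.
            if pattern is not None and pattern.search(value) is None:
                return False
        return True


def parse_resource_object_property(value: str) -> List[ResourceObjectRule]:
    """Parse '(A1:V1)&(A2:V2)RO1,(A3)RO2,RO3' into an ordered list of rules.

    Assumption of this simplified parser: a VALUE pattern may not itself contain ')'.
    """
    rules: List[ResourceObjectRule] = []
    for entry in value.split(","):
        entry = entry.strip()
        filters: List[Tuple[str, Optional["re.Pattern"]]] = []
        while entry.startswith("("):
            close = entry.find(")")
            if close < 0:
                raise ValueError(f"unbalanced parenthesis in entry: {entry!r}")
            body, entry = entry[1:close], entry[close + 1:]
            if ":" in body:
                attribute, pattern_text = body.split(":", 1)
                filters.append((attribute, re.compile(pattern_text)))
            else:
                filters.append((body, None))
            if entry.startswith("&"):  # further filters on the same resource object
                entry = entry[1:]
        if not entry:
            raise ValueError("missing resource object name after filter")
        rules.append(ResourceObjectRule(entry, filters))
    # Filters are checked in order, so an unfiltered entry anywhere but last would
    # swallow every record meant for the entries after it.
    for rule in rules[:-1]:
        if not rule.filters:
            raise ValueError(f"unfiltered resource object {rule.resource_object!r} must be last")
    return rules


def route_record(rules: List[ResourceObjectRule], record: Dict[str, str]) -> Optional[str]:
    """Return the first resource object whose filters all match the record, else None."""
    for rule in rules:
        if rule.matches(record):
            return rule.resource_object
    return None


if __name__ == "__main__":
    # The sample property value from this section; records below are constructed.
    sample = ("(tsoProc:X)ACF2R01,(active:value1|value2|value3)ACF2ResourceObject2,"
              "(tso)ACF2ResourceObject24000,Resource")
    rules = parse_resource_object_property(sample)
    for rec in ({"tsoProc": "X"}, {"active": "value2"}, {"tso": "YES"},
                {"userid": "TSOUSER1"}, {"active": "value10"}, {"active": "VALUE1"}):
        print(rec, "->", route_record(rules, rec))
```

Note the two cases that catch practitioners out: "value10" matches the "value1" alternative because of find semantics, while "VALUE1" does not match because the comparison is case-sensitive.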
Apply the following guidelines while using the connector:
The subpool and the LDAP Gateway must be started before starting the Reconciliation Agent. If the LDAP Gateway is not available when the Reconciliation Agent is started, then an error is generated with RETCODE=-01 and ERRORNO=61.
The connector can accept and transmit any non-ASCII data to the mainframe, but the mainframe does not accept non-ASCII characters. As a result, any task that requires non-ASCII data transfer fails. In addition, there is no provision in the connector to indicate that the task has failed or that an error has occurred on the mainframe. To avoid errors of this type, you must exercise caution when providing inputs to the connector for the target system, especially when using a regional language interface.
Passwords used on the mainframe must conform to stringent rules related to passwords on mainframes. These passwords are also subject to restrictions imposed by corporate policies and rules about mainframe passwords. Keep in mind these requirements when you create or modify target system user profiles through provisioning operations on Oracle Identity Manager.
The following guideline applies only to a configuration in which a single LDAP Gateway connects to multiple installations of the target system:
If you configure the connector for trusted source reconciliation and set the idfTrusted property in the Reconcile All Users scheduled task to true in one of the target system installations on the mainframe, then it must be set to true in all installations that connect to the same LDAP Gateway. Otherwise, the connector will fail.
Provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager.
This section discusses the following topics related to configuring provisioning:
Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.
When you install the connector on Oracle Identity Manager Release 11.1.1, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.
If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Section 4.6, "Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1."
The following are types of provisioning operations:
See Also:
Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about the types of provisioning
This section discusses the following topics:
To provision a resource by using the direct provisioning approach:
Log in to the Administrative and User Console.
If you want to first create an OIM User and then provision a target system account, then:
If you are using Oracle Identity Manager Release 9.1.0.x, then:
From the Users menu, select Create.
On the Create User page, enter values for the OIM User fields and then click Create User.
If you are using Oracle Identity Manager Release 11.1.1, then:
On the Welcome to Identity Administration page, in the Users region, click Create User.
On the Create User page, enter values for the OIM User fields, and then click Save.
If you want to provision a target system account to an existing OIM User, then:
If you are using Oracle Identity Manager Release 9.1.0.x, then:
From the Users menu, select Manage.
Search for the OIM User and select the link for the user from the list of users displayed in the search results.
If you are using Oracle Identity Manager Release 11.1.1, then:
On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.
From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
If you are using Oracle Identity Manager Release 9.1.0.x, then:
On the User Detail page, select Resource Profile from the list at the top of the page.
On the Resource Profile page, click Provision New Resource.
If you are using Oracle Identity Manager Release 11.1.1, then:
On the user details page, click the Resources tab.
From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.
On the Step 1: Select a Resource page, select OIMACF2ResourceObject from the list and then click Continue.
On the Step 2: Verify Resource Selection page, click Continue.
On the Step 5: Provide Process Data for ACF2 Advanced Details page, enter the details of the account that you want to create on the target system and then click Continue.
On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.
The "Provisioning has been initiated" message is displayed. Perform one of the following steps:
If you are using Oracle Identity Manager Release 9.1.0.x, click Back to User Resource Profile. The Resource Profile page shows that the resource has been provisioned to the user.
If you are using Oracle Identity Manager Release 11.1.1, then:
Close the window displaying the "Provisioning has been initiated" message.
On the Resources tab, click Refresh to view the newly provisioned resource.
Note:
The information provided in this section is applicable only if you are using Oracle Identity Manager Release 11.1.1.
A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:
Note:
The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.
Section 4.5.1.2.1, "End User's Role in Request-Based Provisioning"
Section 4.5.1.2.2, "Approver's Role in Request-Based Provisioning"
The following steps are performed by the end user in a request-based provisioning operation:
See Also:
Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps
Log in to the Administrative and User Console.
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.
From the Actions menu on the left pane, select Create Request.
The Select Request Template page is displayed.
From the Request Template list, select Provision Resource and click Next.
On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.
From the Available Users list, select the user to whom you want to provision the account.
If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.
Click Move or Move All to include your selection in the Selected Users list, and then click Next.
On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
From the Available Resources list, select OIMACF2ResourceObject, move it to the Selected Resources list, and then click Next.
On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
On the Justification page, you can specify values for the following fields, and then click Finish.
Effective Date
Justification
On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.
If you click the request ID, then the Request Details page is displayed.
To view details of the approval, on the Request Details page, click the Request History tab.
The following are the steps that the approver performs in a request-based provisioning operation:
Log in to the Administrative and User Console.
On the Welcome page, click Self-Service in the upper-right corner of the page.
On the Welcome to Identity Manager Self Service page, click the Tasks tab.
On the Approvals tab, in the first section, you can specify a search criterion for the request task that is assigned to you.
From the search results table, select the row containing the request you want to approve, and then click Approve Task.
A message confirming that the task was approved is displayed.
Note:
It is assumed that you have performed the procedure described in Section 3.8, "Configuring Oracle Identity Manager for Request-Based Provisioning."
On Oracle Identity Manager Release 11.1.1, if you want to switch from request-based provisioning to direct provisioning, then:
Log in to the Design Console.
Disable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the OIMACF2ProvisioningProcess process definition.
Deselect the Auto Save Form check box.
Click the Save icon.
If the Self Request Allowed feature is enabled, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the OIMAcf2ResourceObject resource object.
Deselect the Self Request Allowed check box.
Click the Save icon.
On Oracle Identity Manager Release 11.1.1, if you want to switch from direct provisioning back to request-based provisioning, then:
Log in to the Design Console.
Enable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the OIMAcf2ProvisioningProcess process definition.
Select the Auto Save Form check box.
Click the Save icon.
If you want to enable end users to raise requests for themselves, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the OIMAcf2ResourceObject resource object.
Select the Self Request Allowed check box.
Click the Save icon.
The FindAllAccessRules and FindAllResourceRules scheduled tasks populate lookup tables with resource or access rule keys that can be assigned during user provisioning. When you configure these scheduled tasks, they run at specified intervals and fetch a listing of all resource or access keys on the target system for reconciliation.
To configure the FindAllAccessRules or FindAllResourceRules scheduled task:
Log in to Oracle Identity Manager Administrative and User Console.
Perform one of the following steps:
If you are using Oracle Identity Manager Release 9.1.0.x, expand Resource Management, and then click Manage Scheduled Task.
If you are using Oracle Identity Manager Release 11.1.1, then on the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
Search for and open the scheduled task as follows:
If you are using Oracle Identity Manager Release 9.1.0.x, then:
On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.
In the search results table, click Edit in the edit column for the scheduled task.
On the Scheduled Task Details page, where the details of the scheduled task that you selected are displayed, click Edit.
If you are using Oracle Identity Manager Release 11.1.1, then:
On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
In the search results table on the left pane, click the scheduled job in the Job Name column.
Modify the details of the scheduled task as follows:
If you are using Oracle Identity Manager Release 9.1.0.x, then on the Edit Scheduled Task Details page, modify the following parameters, and then click Continue:
Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.
Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 0.
Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.
Frequency: Specify the frequency at which you want the task to run.
If you are using Oracle Identity Manager Release 11.1.1, then on the Job Details tab, you can modify the following parameters:
Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.
See Also:
Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types
In addition to modifying the job details, you can enable or disable a job.
Specify values for the attributes of the scheduled task as follows:
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
If you are using Oracle Identity Manager Release 9.1.0.x, then on the Attributes page, select the attribute from the Attribute list, specify a value in the field provided, and then click Update.
If you are using Oracle Identity Manager Release 11.1.1, then on the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task. Table 4-2 describes the attributes of the scheduled task.
Table 4-2 Attributes of the FindAllAccessRules and FindAllResourceRules Scheduled Tasks

Attribute | Description
---|---
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value:
Resource Object | Enter the name of the resource object against which provisioning runs must be performed. Sample value:
Lookup Code Name | Enter the name of the lookup code in which Oracle Identity Manager stores the names of the resources to which the user belongs. Sample value:
Recon Type | Enter "Append" or "Replace". This attribute determines whether the located memberships are appended to the lookup or replace the existing lookup values. If set to "Replace", the existing lookup code values are deleted. Sample value:
After specifying the attributes, perform one of the following steps:
If you are using Oracle Identity Manager Release 9.1.0.x, then click Save Changes to save the changes.
Note:
The Stop Execution option is not available in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.
If you are using Oracle Identity Manager Release 11.1.1, then click Apply to save the changes.
Note:
The Stop Execution option is available in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager. You can use the Scheduler Status page to start, stop, or reinitialize the scheduler.