4 Using the Connector

This chapter discusses the following topics:

4.1 Guidelines on Using the Connector

Apply the following guidelines while using the connector:

  • The subpool and the LDAP Gateway must be started before starting the Reconciliation Agent. If the LDAP Gateway is not available when the Reconciliation Agent is started, then an error is generated with RETCODE=-01 and ERRORNO=61.

  • The Top Secret connector LDAP Gateway encrypts ASCII data and transmits the encrypted message to the mainframe. The mainframe decrypts this message and, because the inbound message is in ASCII format, translates it to EBCDIC for mainframe processing. As a result, any task that requires non-ASCII data transfer fails. In addition, there is no provision in the connector to indicate that the task has failed or that an error has occurred on the mainframe. To avoid errors of this type, you must exercise caution when providing inputs to the connector for the target system, especially when using a regional language interface. (See bug 18268599 for related information.)

  • Passwords used on the mainframe must conform to stringent rules related to passwords on mainframes. These passwords are also subject to restrictions imposed by corporate policies and rules about mainframe passwords. Keep in mind these requirements when you create or modify target system accounts through provisioning operations on Oracle Identity Manager.

4.2 Scheduled Tasks for Lookup Field Synchronization

The following are the scheduled tasks for lookup field synchronization:

  • Top Secret Find All Facilities

  • Top Secret Find All Datasets

  • Top Secret Find All Profiles

  • Top Secret Find All Groups

These scheduled tasks populate lookup tables with facility, dataset, group, or profile IDs that can be assigned during the user provisioning process. When you configure these scheduled tasks, they run at specified intervals and fetch a listing of all facility, dataset, group, or profile IDs on the target system for reconciliation.

Table 4-1 describes the attributes of these scheduled tasks.

Table 4-1 Attributes of the Find All Facilities, Find All Datasets, Find All Profiles and Find All Groups Scheduled Tasks

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

Resource Object

Enter the name of the resource object against which provisioning runs must be performed.

Sample value: OIMTopSecretResourceObject

Lookup Code Name

Enter the name of the lookup code where OIM will store the results of the scheduled task.

Sample value: Lookup.profileNames

Note: The value supplied for the Lookup Code Name should match the value set in the properties of the Lookup Field in the corresponding Top Secret child table form.

Recon Type

Enter "Append" or "Replace". This attribute determines whether the values from the target system will be appended to the current lookup, or replace the existing values in the lookup. If set to "Replace", the existing lookup will be deleted.

Sample value: Replace

R2

Enter whether the version of Oracle Identity Manager in use is 11.1.2.x.

Sample value: true


4.3 Configuring the Sources Lookup Field

The Lookup.SourceNames lookup definition is created in Oracle Identity Manager when you deploy the connector and is used to add and remove a user's access to a source on the mainframe. This connector includes a scheduled task to automatically populate the lookup field used for storing Top Secret source IDs. Table 4-2 describes the properties of the Find All Sources scheduled task.

Note:

The Find All Sources scheduled task does not query the target system for data. Instead, the scheduled task automatically populates the lookup field with "itResourceKey~sourceName" pairs based on the IT Resource and Find All Sources scheduled task property values.

Table 4-2 Attributes of the Find All Sources Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

Resource Object

Enter the name of the resource object against which provisioning runs must be performed.

Sample value: OIMTopSecretResourceObject

Sources List

Enter a comma-separated list of Top Secret sources.

Sample value: TSO,R5

Lookup Code Name

Enter the name of the lookup code where Oracle Identity Manager will store the source entries.

Sample value: Lookup.SourceNames

Recon Type

Enter "Append" or "Replace". This attribute determines whether "IT resource key~sourceName" pairs will be appended to the current lookup, or replace the existing values in the lookup. If set to "Replace", the existing lookup will be deleted.

Sample value: Replace

R2

Enter whether the version of Oracle Identity Manager in use is 11.1.2.x.

Sample value: true


You can also add values to the lookup manually. To add sources for provisioning and reconciliation, perform the following steps:

  1. Log in to Oracle Identity Manager Design Console.

  2. Expand Administration and then double-click Lookup Definition.

  3. Search for the Lookup.SourceNames lookup definition.

  4. Click Add.

  5. In the Code Key column, enter the name of the source.

  6. Enter the same value in the Decode column. The following is a sample entry:

    Code Key: R5

    Decode: R5

  7. Click the Save icon.

4.4 Configuring Reconciliation

The CA Top Secret Advanced connector supports both incremental reconciliation (sometimes referred to as real-time reconciliation) and full reconciliation. This section discusses the following topics related to configuring reconciliation:

4.4.1 Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. When you run the Connector Installer, a scheduled job for user reconciliation (Top Secret Reconcile All Users) is automatically created in Oracle Identity Manager. To perform full reconciliation, run the Top Secret Reconcile All Users scheduled job. See Section 4.4.2.1, "Top Secret Reconcile All Users" for more information.

4.4.2 Reconciliation Scheduled Tasks

When you run the Connector Installer, the following reconciliation scheduled tasks are automatically created in Oracle Identity Manager:

4.4.2.1 Top Secret Reconcile All Users

The Top Secret Reconcile All Users scheduled task is used to reconcile user data in the target resource (account management) mode of the connector. This scheduled task runs at specified intervals and fetches create or modify events on the target system for reconciliation.

Table 4-3 describes the attributes of the scheduled task.

Table 4-3 Attributes of the Top Secret Reconcile All Users Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

Resource Object

Enter the name of the resource object against which reconciliation runs must be performed.

Sample value: OIMTopSecretResourceObject

MultiValuedAttributes

Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma.

Sample value: profiles,sources,groupIds,facilities

SingleValueAttributes

Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValuedAttributes field.

Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize

Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database.

UID Case

Enter either "upper" or "lower" for the case for the UID attribute value.

Sample value: upper

UsersList

Enter a comma-separated list of UIDs that you want to reconcile from the target system. If this property is left blank, all users on the target system will be reconciled.

Sample value: userQA01,georgeb,marthaj,RST0354

R2

Enter whether the version of Oracle Identity Manager in use is 11.1.2.x.

Sample value: true


4.4.2.2 Top Secret Reconcile Deleted Users to OIM

The Top Secret Reconcile Deleted Users to OIM scheduled task is used to reconcile data about deleted users in the target resource (account management) mode of the connector.

When you configure this scheduled task, it runs at specified intervals and fetches a list of users on the target system. These user names are then compared with provisioned users in Oracle Identity Manager. Any user profiles that exist within Oracle Identity Manager, but not in the target system, are deleted from Oracle Identity Manager.

Table 4-4 describes the attributes of the scheduled task.

Table 4-4 Attributes of the Top Secret Reconcile Deleted Users to Oracle Identity Manager Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

Resource Object

Enter the name of the resource object against which the delete reconciliation runs must be performed.

Sample value: OIMTopSecretResourceObject

Recon Matching Rule Attributes

Enter a comma-separated list of attributes used in the matching rule. If the IT resource is used, enter "IT".

Sample value: UID,IT


4.4.2.3 Top Secret Reconcile Users to Internal LDAP

The Top Secret Reconcile Users to Internal LDAP scheduled task is used to process the CFILE extract from the target system to the internal LDAP store. When you configure this scheduled task, it runs at specified intervals and fetches a list of users and their profiles on the target system. Each of these users is then reconciled to the internal LDAP store. No reconciliation to Oracle Identity Manager is performed.

Table 4-5 describes the attributes of the scheduled task.

Table 4-5 Attributes of the Top Secret Reconcile Users to Internal LDAP Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

Domain OU

Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored.

Sample value: tops


4.4.2.4 Top Secret Reconcile All LDAP Users

The Top Secret Reconcile All LDAP Users scheduled task is used to reconcile users from the internal LDAP store to Oracle Identity Manager. When you configure this scheduled task, it runs at specified intervals and fetches a list of users within the internal LDAP store and reconciles these users to Oracle Identity Manager.

Table 4-6 describes the attributes of the scheduled task.

Table 4-6 Attributes of the Top Secret Reconcile All LDAP Users Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

Resource Object

Enter the name of the resource object against which the delete reconciliation runs must be performed.

Sample value: OIMTopSecretResourceObject

Domain OU

Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored.

Sample value: tops

MultiValuedAttributes

Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma.

Sample value: profiles,sources,facilities,groupIds

SingleValueAttributes

Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValuedAttributes field.

Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize

Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database.

LDAP Time Zone

Enter the time zone ID for the server on which the LDAP gateway is hosted.

Sample value: EST

UID Case

Enter whether the user ID should be displayed in uppercase or lowercase.

Sample value: upper


4.4.3 Configuring Filtered Reconciliation to Multiple Resource Objects

Some organizations use multiple resource objects to represent multiple user types in their system. The Resource Object property of the Top Secret Reconcile All Users scheduled task is used to specify the resource object used during reconciliation, and you can enter more than one resource object in the value of the Resource Object attribute. Further, you can include CA Top Secret attribute-value pairs to filter records for each resource object.

See Also:

Section 4.4.2.1, "Top Secret Reconcile All Users" for information about the Top Secret Reconcile All Users scheduled task

The following is a sample format of the value for the Resource Object attribute:

(ATTRIBUTE1:VALUE1)RESOURCE_OBJECT1,RESOURCE_OBJECT2

As shown by RESOURCE_OBJECT2 in the sample format, specifying a filter attribute is optional, but if more than one resource object is specified, you must specify a filter for each additional resource object. If you do not specify a filter attribute, then all records are reconciled to the first resource object in the list. Further, the filters are checked in order, so the resource object without a filter attribute should be included last in the list.

Filter attributes should be surrounded by parentheses.

Apply the following guidelines while specifying a value for the Resource Object attribute:

  • The names of the resource objects must be the same as the names that you specified while creating the resource objects in the Oracle Identity Manager Design Console.

  • The CA Top Secret attribute names must be the same as the names used in the LDAP Gateway configuration files.

    See Also:

    Section 2.6, "Installing and Configuring the LDAP Gateway" for information about the LDAP Gateway configuration files

  • The value must be a regular expression as defined in the java.util.regex Java package. Note that the find() API call of the regex matcher is used rather than the matches() API call. This means that the pattern only has to match a substring of the attribute value; it does not have to match the entire string.

    Further, substring matching is case-sensitive. A "(tso)" filter will not match a user with the user ID "TSOUSER1".

  • Multiple values can be matched. Use a vertical bar (|) for a separator as shown in the following example:

    (ATTRIBUTE:VALUE1|VALUE2|VALUE3)RESOURCE_OBJECT

  • Multiple filters can be applied to the attribute and to the same resource object. For example:

    (ATTRIBUTE1:VALUE1)&(ATTRIBUTE2:VALUE2)RESOURCE_OBJECT

The following is a sample value for the Resource Object attribute:

(tsoProc:X)TSSRO1,(instdata:value1|value2|value3)TopSecretResourceObject2,(tso)TopSecretResourceObject24000,Resource

In this sample value:

  • (tsoProc:X)TSSRO1 represents a user with X as the attribute value for the TSO Proc segment. Records that meet this criterion are reconciled with the TSSRO1 resource object.

  • (instdata:value1|value2|value3)TopSecretResourceObject2 represents a user with value1, value2, or value3 as their INSTDATA attribute value. Records that meet this criterion are reconciled with the TopSecretResourceObject2 resource object.

  • (tso)TopSecretResourceObject24000 represents a user with TSO privileges. A TSO attribute value is not specified. Records that meet this criterion are reconciled with the TopSecretResourceObject24000 resource object.

  • All other records are reconciled with the Resource resource object, which has no filter and is therefore listed last.
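The filter rules above can be checked offline before the value is entered in the scheduled task. The following Java class (Java 16 or later) is an added example, not part of the connector or of Oracle's code: it parses a Resource Object value, routes constructed user records using find() semantics in list order, and flags an unfiltered entry that is not last. It assumes that filter values contain no commas or parentheses, and that a filter without a value, such as (tso), means the attribute is present on the record.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Added illustration of the Resource Object filter syntax; not connector code. */
public class ResourceObjectRouter {

    /** One (ATTRIBUTE:REGEX) or (ATTRIBUTE) condition; pattern is null when no value is given. */
    record Condition(String attribute, Pattern pattern) {
        boolean accepts(Map<String, String> user) {
            String value = user.get(attribute);
            if (value == null || value.isEmpty()) {
                return false;
            }
            // find() gives substring semantics; no CASE_INSENSITIVE flag, so matching is case-sensitive.
            return pattern == null || pattern.matcher(value).find();
        }
    }

    /** One comma-separated entry: zero or more conditions joined by '&', then the resource object. */
    record Rule(List<Condition> conditions, String resourceObject) {
        boolean accepts(Map<String, String> user) {
            return conditions.stream().allMatch(c -> c.accepts(user));
        }
    }

    static List<Rule> parse(String value) {
        List<Rule> rules = new ArrayList<>();
        // Assumption: filter values contain no commas or parentheses, so a plain split is safe.
        for (String entry : value.split(",")) {
            List<Condition> conditions = new ArrayList<>();
            String rest = entry.trim();
            while (rest.startsWith("(")) {
                int close = rest.indexOf(')');
                if (close < 0) {
                    throw new IllegalArgumentException("Unclosed filter in: " + entry);
                }
                String body = rest.substring(1, close);
                int colon = body.indexOf(':');
                conditions.add(colon < 0
                        ? new Condition(body, null)
                        : new Condition(body.substring(0, colon),
                                Pattern.compile(body.substring(colon + 1))));
                rest = rest.substring(close + 1);
                if (rest.startsWith("&")) {
                    rest = rest.substring(1);
                }
            }
            if (rest.isEmpty()) {
                throw new IllegalArgumentException("Missing resource object in: " + entry);
            }
            rules.add(new Rule(conditions, rest));
        }
        return rules;
    }

    /** Flags an unfiltered resource object that is not last: it would capture every remaining record. */
    static List<String> lint(List<Rule> rules) {
        List<String> warnings = new ArrayList<>();
        for (int i = 0; i < rules.size() - 1; i++) {
            if (rules.get(i).conditions().isEmpty()) {
                warnings.add(rules.get(i).resourceObject()
                        + " has no filter but is not last; later entries are never reached");
            }
        }
        return warnings;
    }

    /** Filters are checked in order; the first rule that accepts the record wins. */
    static String route(List<Rule> rules, Map<String, String> user) {
        for (Rule rule : rules) {
            if (rule.accepts(user)) {
                return rule.resourceObject();
            }
        }
        return null; // no rule matched
    }

    public static void main(String[] args) {
        // Sample value from this section.
        List<Rule> rules = parse("(tsoProc:X)TSSRO1,(instdata:value1|value2|value3)TopSecretResourceObject2,"
                + "(tso)TopSecretResourceObject24000,Resource");
        // Constructed user records: attribute names come from the sample value, values are invented.
        Map<String, Map<String, String>> users = new LinkedHashMap<>();
        users.put("USER01", Map.of("tsoProc", "PROCX1"));            // contains "X"
        users.put("USER02", Map.of("tsoProc", "procx1"));            // lowercase only
        users.put("USER03", Map.of("instdata", "dept-value2-east")); // value2 as a substring
        users.put("USER04", Map.of("instdata", "VALUE2", "tso", "Y"));
        users.forEach((uid, attrs) -> System.out.println(uid + " -> " + route(rules, attrs)));
        // Constructed misordered value: the unfiltered resource object comes first.
        System.out.println(lint(parse("Resource,(tsoProc:X)TSSRO1")));
    }
}
```

Because find() is used, a pattern such as X accepts any attribute value that contains X. Anchor the pattern as ^X$ when the whole value must match, so that accounts are not routed to a resource object they were not meant for.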

4.5 Configuring Account Status Reconciliation

Note:

This section describes an optional procedure. Perform this procedure only if you want reconciliation of user status changes on CA Top Secret.

When a user is disabled or enabled on the target system, the status of the user can be reconciled into Oracle Identity Manager. To configure reconciliation of user status changes made on CA Top Secret:

  1. If using scheduled task reconciliation, in the Top Secret Reconcile All Users scheduled task, add the Status attribute to the SingleValueAttributes property list.

  2. In the Design Console:

    See Also:

    Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for detailed information about the following steps

    • In the OIMTopSecretResourceObject resource object, create a reconciliation field to represent the Status attribute.

    • In the OIMTopsProvisioningProcess process definition, map the Status field to the OIM_OBJECT_STATUS field.

      See Bug 6668844 in Chapter 7, "Known Issues and Workarounds" for information about a limitation related to the OIM_OBJECT_STATUS field.

4.6 Configuring Scheduled Tasks

This section describes the procedure to configure scheduled tasks. You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.

Table 4-7 lists the scheduled tasks that you must configure.

Table 4-7 Scheduled Tasks for Lookup Field Synchronization and Reconciliation

Scheduled Task Description

Top Secret Find All Groups

This scheduled task is used to synchronize the values of group lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 4.2, "Scheduled Tasks for Lookup Field Synchronization."

Top Secret Find All Facilities

This scheduled task is used to synchronize the values of facilities lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 4.2, "Scheduled Tasks for Lookup Field Synchronization."

Top Secret Find All Datasets

This scheduled task is used to synchronize the values of dataset lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 4.2, "Scheduled Tasks for Lookup Field Synchronization."

Top Secret Find All Profiles

This scheduled task is used to synchronize the values of profiles lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 4.2, "Scheduled Tasks for Lookup Field Synchronization."

Top Secret Find All Sources

This scheduled task is used to synchronize the values of source lookup fields in Oracle Identity Manager. For information about this scheduled task and its attributes, see Section 4.2, "Scheduled Tasks for Lookup Field Synchronization."

Top Secret Reconcile All Users

This scheduled task is used to fetch user data during target resource reconciliation. For information about this scheduled task and its attributes, see Section 4.4.2.1, "Top Secret Reconcile All Users."

Top Secret Reconcile Deleted Users to OIM

This scheduled task is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user account on the target system, the Top Secret User resource is revoked for the corresponding OIM User. For information about this scheduled task and its attributes, see Section 4.4.2.2, "Top Secret Reconcile Deleted Users to OIM."

Top Secret Reconcile Users to Internal LDAP

This scheduled task is used to reconcile users from the target system to the internal LDAP store. For information about this scheduled task and its attributes, see Section 4.4.2.3, "Top Secret Reconcile Users to Internal LDAP."

Top Secret Reconcile All LDAP Users

This scheduled task is used to reconcile users from the internal LDAP store to Oracle Identity Manager. For information about this scheduled task and its attributes, see Section 4.4.2.4, "Top Secret Reconcile All LDAP Users."


To configure a scheduled task:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 11.1.1.x:

      1. Log in to the Oracle Identity System Administration.

      2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

      3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    • For Oracle Identity Manager release 11.1.2.x:

      1. Log in to Oracle Identity System Administration.

      2. In the left pane, under System Management, click Scheduler.

  2. Search for and open the scheduled task as follows:

    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    2. In the search results table on the left pane, click the scheduled job in the Job Name column.

  3. On the Job Details tab, you can modify the following parameters:

    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  4. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    • See "Reconciliation Scheduled Tasks" for the list of scheduled tasks and their attributes.

  5. Click Apply to save the changes.

    Note:

    The Stop Execution option is available in the Oracle Identity System Administration. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.
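The parameter rules stated in Table 4-3 and in the notes to step 4 can be checked before a job is saved, which matters because an empty attribute stops reconciliation and non-ASCII input fails without an error being reported (Section 4.1). The following Java class is an added example, not part of the connector or of Oracle's code; the parameter set in main() is constructed, and applying the ASCII guideline from Section 4.1 to scheduled task parameters is a conservative assumption.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

/** Added illustration: pre-flight checks for Top Secret Reconcile All Users parameters. */
public class ReconTaskParamLint {

    static final int DEFAULT_FIELD_LIMIT = 150; // default design form limit quoted in Table 4-3

    static String value(Map<String, String> params, String name) {
        String v = params.get(name);
        return v == null ? "" : v;
    }

    static List<String> items(String csv) {
        return Arrays.stream(csv.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
    }

    static List<String> lint(Map<String, String> params) {
        List<String> findings = new ArrayList<>();
        for (String name : params.keySet()) {
            String v = value(params, name);
            // Section 4.6: a single empty attribute stops reconciliation. Table 4-3 lets UsersList stay blank.
            if (v.isEmpty() && !name.equals("UsersList")) {
                findings.add(name + ": empty value, reconciliation is not performed");
            }
            if (v.length() > DEFAULT_FIELD_LIMIT) {
                findings.add(name + ": " + v.length() + " characters, above the default 150-character limit");
            }
            // Section 4.1 (applied here as an assumption): non-ASCII data fails without any error indication.
            for (int i = 0; i < v.length(); i++) {
                if (v.charAt(i) > 0x7F) {
                    findings.add(name + ": non-ASCII character at index " + i);
                    break;
                }
            }
        }
        // Table 4-3: no space after a comma in the attribute lists.
        for (String listName : List.of("MultiValuedAttributes", "SingleValueAttributes")) {
            if (value(params, listName).contains(", ")) {
                findings.add(listName + ": space after a comma");
            }
        }
        // Table 4-3: single-valued attributes must not repeat entries from the multivalued list.
        List<String> overlap = new ArrayList<>(items(value(params, "SingleValueAttributes")));
        overlap.retainAll(items(value(params, "MultiValuedAttributes")));
        if (!overlap.isEmpty()) {
            findings.add("SingleValueAttributes: also listed in MultiValuedAttributes: " + overlap);
        }
        String uidCase = value(params, "UID Case");
        if (!uidCase.equals("upper") && !uidCase.equals("lower")) {
            findings.add("UID Case: expected upper or lower");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed, deliberately misconfigured parameter set (attribute names from Table 4-3).
        Map<String, String> params = new LinkedHashMap<>();
        params.put("IT Resource", "TopSecretResource");
        params.put("Resource Object", "OIMTopSecretResourceObject");
        params.put("MultiValuedAttributes", "profiles, sources,groupIds,facilities");
        params.put("SingleValueAttributes", "uid,owner,defaultGroup,profiles");
        params.put("UID Case", "Upper");
        params.put("UsersList", "userQA01,jos\u00e9");
        params.put("R2", "");
        lint(params).forEach(System.out::println);
    }
}
```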

4.7 Performing Provisioning Operations in Oracle Identity Manager Release 11.1.1.x

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.

When you install the connector on Oracle Identity Manager, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Section 4.7.3, "Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager."

The following are the types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning

  • Provisioning triggered by policy changes

See Also:

See Managing Provisioning Tasks in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for information about the types of provisioning

This section discusses the following topics:

4.7.1 Direct Provisioning

To provision a resource by using the direct provisioning approach:

  1. Log in to the Oracle Identity System Administration.

  2. If you want to first create an OIM User and then provision a target system account, then:

    1. On the Welcome to Identity Administration page, in the Users region, click Create User.

    2. On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.

    2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. On the user details page, click the Resources tab.

  5. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  6. On the Step 1: Select a Resource page, select OIMTopSecretResourceObject from the list and then click Continue.

  7. On the Step 2: Verify Resource Selection page, click Continue.

  8. On the Step 5: Provide Process Data for Top Secret Advanced Details page, enter the details of the account that you want to create on the target system and then click Continue.

  9. On the Step 5: Provide Process Data for Top Secret Profile Membership Details page, search for and select a profile for the user on the target system and then click Continue.

  10. On the Step 5: Provide Process Data for Top Secret Facility Membership Details page, search for and select a facility for the user on the target system and then click Continue.

  11. On the Step 5: Provide Process Data for Top Secret Sources Membership Details page, enter a source for the user on the target system and then click Continue.

  12. On the Step 5: Provide Process Data for Top Secret Dataset Membership Details page, search for and select a dataset for the user on the target system and then click Continue.

  13. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

  14. Close the window displaying the "Provisioning has been initiated" message.

  15. On the Resources tab, click Refresh to view the newly provisioned resource.

4.7.2 Request-Based Provisioning

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

4.7.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

  1. Log in to the Oracle Identity Self Service.

  2. On the Welcome page, click Advanced in the upper-right corner of the page.

  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.

  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.

  6. On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.

  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.

  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.

  10. From the Available Resources list, select OIMTopSecretResourceObject, move it to the Selected Resources list, and then click Next.

  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.

  12. On the Justification page, you can specify values for the following fields, and then click Finish.

    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the Request ID, then the Request Details page is displayed.

  14. To view details of the approval, on the Request Details page, click the Request History tab.

4.7.2.2 Approver's Role in Request-Based Provisioning

The following steps are performed by the approver in a request-based provisioning operation:

  1. Log in to the Oracle Identity System Administration.

  2. On the Welcome page, click Self-Service in the upper-right corner of the page.

  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.

  4. On the Approvals tab, in the first section, you can specify a search criterion for the request task that is assigned to you.

  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

4.7.3 Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager

Note:

It is assumed that you have performed the procedure described in Section 2.5, "Configuring Oracle Identity Manager for Request-Based Provisioning."

If you want to switch from request-based provisioning to direct provisioning, then:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the OIMTopsProvisioningProcess process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the OIMTopSecretResourceObject resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

If you want to switch from direct provisioning back to request-based provisioning, then:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the OIMTopsProvisioningProcess process definition.

    3. Select the Auto Save Form check box.

    4. Click the Save icon.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the OIMTopSecretResourceObject resource object.

    3. Select the Self Request Allowed check box.

    4. Click the Save icon.

4.8 Performing Provisioning Operations in Oracle Identity Manager Release 11.1.2 or Later

To perform provisioning operations in Oracle Identity Manager release 11.1.2 or later:

  1. Log in to Oracle Identity System Administration.

  2. Create a user. See Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.

  3. On the Account tab, click Request Accounts.

  4. In the Catalog page, search for and add to cart the application instance created in Step 3, and then click Checkout.

  5. Specify values for the fields in the application form and then click Ready to Submit.

  6. Click Submit.

  7. If you want to provision entitlements, then:

    1. On the Entitlements tab, click Request Entitlements.

    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.

    3. Click Submit.