Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. This guide discusses the procedure to deploy the connector that is used to integrate Oracle Identity Manager with Database User Management.
This connector supports IBM DB2 UDB, Microsoft SQL Server, Oracle Database, and Sybase target systems.
In Microsoft SQL Server and Sybase, database access entities can be divided into the following types:
Login: A login entity is used for authentication purposes.
User: A user entity is used for authorization or access control purposes.
Microsoft SQL Server and Sybase treat these entities as parent (Login) and child (User) elements. However, in Oracle Identity Manager, these entities are treated as separate, independent entities. In other words, the connector provides login provisioning as well as user provisioning features in both Microsoft SQL Server and Sybase.
In Oracle Database and IBM DB2 UDB, the Login and User entities are treated as a single entity. In this guide, that entity is referred to as the Login entity.
This chapter contains the following sections:
Note:
In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.
At some places in this guide, Database User Management has been referred to as the target system.
Table 1-1 lists the certified components for this connector.
Table 1-1 Certified Components
Item | Requirement |
---|---|
Oracle Identity Manager | Oracle Identity Manager Release 9.1.0.1 and any later BP in this release track. Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector supports. |
Target system | The target system can be any one of the following: |
External code | The external code consists of the following files: Note: These JAR files are available in the corresponding database installation directories. |
Target system user account | Depending on the target system, one of the following user accounts is required to configure the target system: |
JDK | JDK 1.4.2 |
Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:
If you are using an Oracle Identity Manager release that is 9.1.0.1 or later and earlier than Oracle Identity Manager Release 9.1.0.2 BP08, then use the 9.0.4.x version of this connector.
If you are using Oracle Identity Manager Release 9.1.0.2 BP08 or later and earlier than Oracle Identity Manager 11g Release 1 PS1 BP03 (11.1.1.5.3), then use the latest 9.1.x version of this connector.
If you are using Oracle Identity Manager 11g Release 1 PS1 BP03 (11.1.1.5.3) or later, or Oracle Identity Manager 11g Release 2 BP04 (11.1.2.0.4) or later, then use the latest 11.1.1.x version of this connector.
Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.
See Also:
The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Concepts Guide for conceptual information about reconciliation configurations
The following table lists the target system Login entity attributes whose values are read from the database during target resource reconciliation:
Target System Login Attribute | IBM DB2 UDB | Microsoft SQL Server | Oracle Database | Sybase |
---|---|---|---|---|
Login Name (for Microsoft SQL Server and Sybase), Username (for Oracle Database and IBM DB2 UDB) | Yes | Yes | Yes | Yes |
userType | Yes | - | - | - |
Full Name | - | - | - | Yes |
Default Tablespace | - | - | Yes | - |
Temporary Tablespace | - | - | Yes | - |
Account Status | - | - | Yes | - |
Profile | - | - | Yes | - |
dbName | Yes | - | - | - |
Default Database | - | Yes | - | Yes |
Default Language | - | Yes | - | Yes |
Roles (Note: This is a multivalued attribute.) | - | - | Yes | Yes |
Privileges (Note: This is a multivalued attribute.) | - | - | Yes | - |
Schema Names (Note: This is a multivalued attribute.) | Yes | - | - | - |
Tablespace Names (Note: This is a multivalued attribute.) | Yes | - | - | - |
The following table lists the target system User entity attributes whose values are read from the database during target resource reconciliation:
Target System User Attribute | Microsoft SQL Server | Sybase |
---|---|---|
User | Yes | Yes |
Group | - | Yes |
Database | Yes | Yes |
Roles (Note: This is a multivalued attribute.) | Yes | - |
Provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager. You use the Oracle Identity Manager Administrative and User Console to perform provisioning operations.
See Also:
The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Concepts Guide for conceptual information about provisioning
For this target system, the provisioning module is divided into the following sections:
See Also:
The "Supported Functionality" section for information about the difference between these entities
Note:
Information in this section is applicable to all four supported target systems.
The following target system attributes are provisioned.
Target System Login/User Attribute | IBM DB2 UDB | Microsoft SQL Server | Oracle Database | Sybase |
---|---|---|---|---|
Login Name (for Microsoft SQL Server and Sybase), Username (for Oracle Database and IBM DB2 UDB) | Yes | Yes | Yes | Yes |
Password | Yes | Yes | Yes | Yes |
Default Database | - | Yes (Note: If the target system is Microsoft SQL Server 2000, then you must select the default database during provisioning.) | - | Yes |
Default Language | - | Yes | - | Yes |
Full Name | - | - | - | Yes |
Authentication Type | - | Yes | - | - |
Default Tablespace | - | - | Yes | - |
Temporary Tablespace | - | - | Yes | - |
Quota | - | - | Yes | - |
Database | Yes | - | - | - |
User Type | Yes | - | - | - |
Profile | - | - | Yes | - |
Account Status | - | - | Yes | - |
Roles (Note: This is a multivalued attribute.) | - | - | Yes | Yes |
Tablespace Names (Note: This is a multivalued attribute.) | Yes | - | - | - |
Schema Names (Note: This is a multivalued attribute.) | Yes | - | - | - |
Privileges (Note: This is a multivalued attribute.) | - | - | Yes | - |
Note:
Information in this section is applicable to Microsoft SQL Server and Sybase target systems.
The following target system attributes are provisioned.
Target System User Attribute | Microsoft SQL Server | Sybase |
---|---|---|
User | Yes | Yes |
Database Name | Yes | Yes |
Database Group | - | Yes |
Parent Login | Yes | Yes |
Authentication Type | Yes | - |
Roles (Note: This is a multivalued attribute.) | Yes | - |
The following sections provide information about the provisioning and reconciliation functions supported by the connector for each database access entity type:
The following table lists the connector functions corresponding to the login database access entity type.
Note:
Information in this section is applicable to all four supported target systems. The Supported on column of the table lists the target systems on which the functions are supported.
Function | Type | Description | Supported on |
---|---|---|---|
Create Login | Provisioning | Creates a login in the database. Note: Running this provisioning operation on Oracle Database would result in the creation of a user, but would not grant any privileges to the user. In other words, the provisioned user would not be able to log in to the database. To provide the minimum required privileges to the provisioned user, run the Add Role or Grant Privilege provisioning operation with the values CONNECT, RESOURCE, and SELECT ANY TABLE. For more information, refer to the description of the Add Role or Grant function in this table. | All |
Delete Login | Provisioning | Deletes a provisioned login | All |
Enable Login | Provisioning | Enables a disabled login | IBM DB2 UDB and Oracle Database |
Disable Login | Provisioning | Disables a login | IBM DB2 UDB and Oracle Database |
Default Database Updated | Provisioning | Updates the properties of a login in the database according to a change in the Default Database attribute. You must configure scheduled tasks to reconcile target system values for populating the following lookup definitions: | Microsoft SQL Server and Sybase |
Full Name Updated | Provisioning | Updates the properties of a login in the database according to a change in the Full Name attribute | Sybase |
Default Language Updated | Provisioning | Updates the properties of a login in the database according to a change in the Default Language attribute. You must configure scheduled tasks to reconcile target system values for populating the following lookup definitions: | Microsoft SQL Server and Sybase |
Password Updated | Provisioning | Updates the properties of a login in the database according to a change in the Password attribute. This function is run when the password in a process form is changed. For Sybase: | Microsoft SQL Server, Oracle Database, and Sybase |
Add Role or Grant | Provisioning | Adds roles to an existing login in the database. The required role must be defined and valid in the target system. You must configure scheduled tasks to reconcile target system values for populating the following lookup definitions: | Oracle Database and Sybase |
Revoke Role | Provisioning | Revokes a role from an existing login in the database | Oracle Database and Sybase |
Add Tablespace | Provisioning | Adds tablespaces to an existing login in the database. To fetch values from IBM DB2 UDB and copy them into the See "Configuring the Reconciliation Scheduled Tasks for Lookup Fields" for more information. | IBM DB2 UDB |
Delete Tablespace | Provisioning | Revokes a tablespace from an existing login in the database | IBM DB2 UDB |
Add Schema | Provisioning | Adds schemas to an existing login in the database. To fetch values from IBM DB2 UDB and copy them into the See "Configuring the Reconciliation Scheduled Tasks for Lookup Fields" for more information. | IBM DB2 UDB |
Delete Schema | Provisioning | Revokes a schema from an existing login in the database | IBM DB2 UDB |
Add Privileges | Provisioning | Adds or grants privileges to an existing login in the database. To fetch values from Oracle Database and copy them into the See "Configuring the Reconciliation Scheduled Tasks for Lookup Fields" for more information. | Oracle Database |
Revoke Privilege | Provisioning | Revokes a privilege from an existing login in the database | Oracle Database |
Profile Name Updated | Provisioning | Updates the properties of a login in the database according to a change in the Profile Name attribute. To fetch values from Oracle Database and copy them into the See "Configuring the Reconciliation Scheduled Tasks for Lookup Fields" for more information. | Oracle Database |
Default Tablespace Updated | Provisioning | Updates the properties of a login in the database according to a change in the Default Tablespace attribute. | Oracle Database |
Trusted Reconciliation for Login | Reconciliation | Creates Xellerate Users (OIM Users) corresponding to reconciled logins from the database | All |
Target Resource Reconciliation for Login | Reconciliation | Reconciles login data from the target system to Oracle Identity Manager. This data is used to create or update target system resources (accounts) assigned to OIM Users. | All |
Account Status | Reconciliation | Reconciles account status data from the target system to Oracle Identity Manager | Oracle Database |
The following table lists the connector functions corresponding to the user database access entity type.
Note:
These functions are supported on only Microsoft SQL Server and Sybase.
Function | Type | Description | Supported on |
---|---|---|---|
Create User | Provisioning | Creates a user corresponding to an existing login in the database. While creating a user, you must provide the required value in the Database Name field. You must configure scheduled tasks to reconcile target system values for populating the following lookup definitions: | Both |
Delete User | Provisioning | Deletes a provisioned user corresponding to an existing login in the database. You can run this function (provisioning operation) by running the Revoke Request function using the Request form in Oracle Identity Manager. | Both |
Disable User | Provisioning | Disables an existing user in the database. This function revokes access to all tables for the specified user. | Sybase |
Enable User | Provisioning | Enables a disabled existing user in the database. The provisioned account has default access to only a particular set of tables. This function grants all types of access privileges to the account for all system- and user-defined tables in the specified database. | Sybase |
Database Group Updated | Provisioning | Updates the configuration of a user in the database according to a change in the Database Group attribute. Microsoft SQL Server: Groups in Oracle Identity Manager are the same as roles in Microsoft SQL Server. To fetch values from the Microsoft SQL Server lookup field and copy them into this lookup definition, configure the Note: In this release, the Update Database Group provisioning operation is not supported on Microsoft SQL Server. This point is also mentioned under Bug 8274794 in the "Known Issues" chapter. Sybase: If no input is provided in the User Group field of the process form, then the provisioned user is added to the default group, The required group must be defined and valid in the Sybase database. You must add appropriate lookup codes (corresponding to valid group names) in the For example, if a group named | Both |
Add Role | Provisioning | Adds roles to an existing user in the database. To fetch values from Microsoft SQL Server and copy them into the | Microsoft SQL Server |
Revoke Role | Provisioning | Revokes a role from an existing user in the database | Microsoft SQL Server |
Target Resource Reconciliation for User | Reconciliation | Reconciles user data from the target system to Oracle Identity Manager. This data is used to create or update target system resources provisioned to OIM Users. There is no separate scheduled task for user entity reconciliation. User entities are reconciled along with logins when the login reconciliation scheduled task for Microsoft SQL Server and Sybase is run. Note: Trusted source reconciliation is supported only for logins in Microsoft SQL Server and Sybase. Users in these target systems cannot be reconciled as OIM Users. | Both |
The connector supports the following languages:
Arabic
Chinese Simplified
Chinese Traditional
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
Oracle Identity Manager Globalization Guide for information about supported special characters
The files and directories on the installation media are listed in Table 1-2.
Table 1-2 Files and Directories On the Installation Media
File in the Installation Media Directory | Description |
---|---|
configuration/DatabaseAccess-CI.xml | This XML file contains configuration information that is used during connector installation. |
lib/xliDatabaseAccess.jar | This file contains the class files required for performing provisioning and reconciliation. During connector deployment, this file is copied into the following directories: OIM_HOME/xellerate/JavaTasks and OIM_HOME/xellerate/ScheduleTask |
Files in the | Each of these resource bundles contains language-specific information that is used by the connector. There are two resource bundles for a particular language, one for each database access entity (Login and User). During connector deployment, these resource bundles are copied into the following directory: OIM_HOME/xellerate/connectorResources. Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console. |
scripts/procGrantAllToUser.sql | This file contains the stored procedures that create and grant the required roles to the Sybase user for connector operations. See "Configuring Sybase" for information about using this file. |
scripts/procRevokeAllFromUser.sql | This file contains the stored procedures that revoke the roles granted to the Sybase user for connector operations. See "Configuring Sybase" for information about using this file. |
scripts/OimUser.sql | This file contains SQL commands to create an Oracle Database user for connector operations. |
scripts/OimUserGrants.sql | This file contains SQL commands that grant the required roles to the Oracle Database user for connector operations. |
scripts/OIM.bat | On Microsoft Windows platforms, this BAT file is to be used to create the IT resource user for Oracle Database. When you run this BAT file, it calls the |
scripts/OIM.sh | On UNIX platforms, this script file is to be used to create the IT resource user for Oracle Database. When you run this script file, it calls the |
config/LookUpQuery.properties | This file contains the lists of lookup fields that can be reconciled by using the |
test/config/config.properties | This testing-utility file contains the attributes for Oracle Identity Manager to connect to the target system and perform provisioning operations. |
test/config/log.properties | This file is used to store logging messages that are generated when you run the testing utility. |
test/scripts/DBAccess.bat, test/scripts/DBAccess.sh | These files are used to start the testing utility. |
xml/xliDBAccessLogin_DM Nontrusted.xml | This XML file contains definitions for the connector components related to Database Access (Login) provisioning. These components include: |
xml/xliDBAccessUser_DM Nontrusted.xml | This XML file contains definitions for the connector components related to Database Access (User) provisioning. These components include: |
xml/xelluserDbAccess Trusted.xml | This XML file contains the configuration for the Xellerate User (OIM User). You must import this file only if you plan to use the connector in trusted source reconciliation mode. |
Note:
The files in the test directory are used only to run tests on the connector.
You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:
In a temporary directory, extract the contents of the following JAR file: OIM_HOME/xellerate/JavaTasks/xliDatabaseAccess.jar
Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xliDatabaseAccess.jar file.
In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.
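The manual steps above (extract the JAR, open the manifest, read the Version property) can be scripted so that the deployed connector release is checked the same way every time, which is useful when auditing which connector build is actually live on an Oracle Identity Manager server. The following Python script is an added example; it is not part of the guide or of the connector itself. It assumes the manifest sits at the standard JAR location META-INF/MANIFEST.MF (the guide refers to this file as manifest.mf) and that the attribute is named Version as the guide states; the in-memory sample JAR it builds for demonstration is constructed data, not a real connector build.

```python
import io
import zipfile

# Standard manifest location inside a JAR; the guide calls this file manifest.mf.
MANIFEST_PATH = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Parse the main section of a JAR manifest into a dict of attributes.

    Long manifest values are wrapped onto continuation lines that begin with
    a single space, so those lines are appended to the preceding attribute.
    Reading stops at the first blank line, where per-entry sections begin.
    """
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if raw == "":
            break
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # malformed line: skip it rather than abort the whole read
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def connector_version(jar):
    """Return the Version attribute from a JAR's manifest, or None if absent.

    `jar` may be a filesystem path or a binary file object.
    """
    with zipfile.ZipFile(jar) as zf:
        try:
            data = zf.read(MANIFEST_PATH)
        except KeyError:
            return None  # JAR has no manifest at all
    attrs = parse_manifest(data.decode("utf-8"))
    for key, value in attrs.items():
        if key.lower() == "version":  # tolerate casing differences in the key
            return value
    return None


def build_sample_jar(version, with_manifest=True):
    """Construct an in-memory JAR for demonstration (sample data, not a real connector)."""
    manifest = (
        "Manifest-Version: 1.0\n"
        "Created-By: constructed-sample\n"
        f"Version: {version}\n"
        "\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_manifest:
            zf.writestr(MANIFEST_PATH, manifest)
        zf.writestr("com/example/Placeholder.class", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    # Usage: python check_connector_version.py OIM_HOME/xellerate/JavaTasks/xliDatabaseAccess.jar
    # Without an argument the constructed sample JAR is inspected instead.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar("9.1.0.0-SAMPLE")
    print(connector_version(target))
```

Run it against the deployed xliDatabaseAccess.jar path from the guide and compare the printed value with the release you intend to install; a `None` result means the JAR carries no manifest or no Version attribute, which is itself worth recording before proceeding with an upgrade.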