This chapter is divided into the following sections:
After you deploy the connector, you must first reconcile all existing target system user records into Oracle Identity Manager. The following is a summary of the procedure:
Note:
In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.
See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.
See Section 3.4, "Configuring Scheduled Tasks" for information about the procedure to configure scheduled tasks.
If you are using the target system as a target resource, then:
Configure and run the Lotus Notes Lookup Reconciliation scheduled task to synchronize lookup field values. See Section 3.2, "Scheduled Task for Lookup Field Synchronization" for information about the attributes of this scheduled task.
Configure and run the Lotus Notes User Reconciliation scheduled task to reconcile user records from the target system. See Section 3.3.4.1, "Scheduled Tasks for Reconciliation of User Records" for information about the attributes of this scheduled task.
Reconciled user records are converted into Lotus Notes resources assigned to OIM Users.
If you are using the target system as a trusted source, then configure and run the Lotus Notes Trusted User Reconciliation scheduled task to reconcile user records from the target system. See Section 3.3.4.1, "Scheduled Tasks for Reconciliation of User Records" for information about the attributes of this scheduled task.
Reconciled user records are converted into OIM Users.
The Lotus Notes Lookup Reconciliation scheduled task is used for lookup field synchronization. Table 3-1 describes the attributes of this scheduled task. The procedure to configure scheduled tasks is described later in the guide.
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.
Table 3-1 Attributes of the Lotus Notes Lookup Reconciliation Scheduled Task
| Attribute | Description |
|---|---|
|
ServerName |
Enter the name of the IT resource instance that the connector must use to reconcile data. |
|
LookupFieldName |
Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system. The value can be either Default value: |
|
Group/CertifierOU |
Enter the name of the target system attribute from which values must be fetched. The value can be either Default value: |
As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:
When you run the Lotus Notes User Reconciliation scheduled task, only target system records that are added or modified after the last time the scheduled task was run are fetched into Oracle Identity Manager. This is incremental reconciliation.
You can perform a full reconciliation run to fetch all existing target system records into Oracle Identity Manager. To perform a full reconciliation run:
While performing the procedure described in Section 3.4, "Configuring Scheduled Tasks," enter the following values for the specified attributes of the scheduled task:
LastName: nodata
OU: nodata
Batch size: All
Certifier: nodata
Group: nodata
If you configure the connector for trusted source reconciliation, then set the value of the TrustedTimeStamp IT resource parameter to None. If you configure the connector for target resource reconciliation, then set the value of the NonTrustedTimeStampIT resource parameter to None.
See Table 2-2 for information about these IT resource parameters.
After a full reconciliation run, the time stamp at which the reconciliation run ends is stored in the time stamp parameter of the IT resource. From the next reconciliation run onward, only target system records added or modified after the last reconciliation run are fetched to Oracle Identity Manager. In other words, incremental reconciliation is automatically activated from the next run onward.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.
Creating a filter involves specifying a value for a target system attribute, which will be used in the query SELECT criteria to retrieve the records to be reconciled. You can specify values for any one or a combination of the following filter attributes, which are also target system attributes:
LastName
OU
Group
Certifier
If you want to use more than one target system attribute in the query criteria, then you must also specify the logical operator (AND or OR) that you want to apply to the combination of target system attributes that you select.
For example, suppose you specify the following values for these attributes:
LastName: Doe
OU: DEL
Group: All Access Group
Certifier: OU=Telecom/O=Example
Operator: OR
Because you are using the OR operator, during reconciliation, only user records for which any one of these criteria is met are reconciled. If you were to use the AND operator, then the user records that are reconciled are the ones that meet both criteria.
While deploying the connector, follow the instructions in Section 3.4, "Configuring Scheduled Tasks" to specify values for these attributes and the logical operator that you want to apply.
During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.
You can configure batched reconciliation to avoid these problems.
To configure batched reconciliation, you must specify values for the following user reconciliation scheduled task attributes:
BatchSize: Use this attribute to specify the number of records that must be included in each batch. The default value is 1000.
NoOfBatches: Use this attribute to specify the total number of batches that must be reconciled. The default value is All.
If you specify a value other than All, then some of the newly added or modified user records may not get reconciled during the current reconciliation run. The following example illustrates this:
Suppose you specify the following values while configuring the scheduled tasks:
BatchSize: 20
NoOfBatches: 10
Suppose that 314 user records were created or modified after the last reconciliation run. Of these 314 records, only 200 records would be reconciled during the current reconciliation run. The remaining 114 records would be reconciled during the next reconciliation run.
You specify values for the BatchSize and NoOfBatches attributes by following the instructions described in Section 3.3.4, "Reconciliation Scheduled Tasks."
You must specify values for the attributes of the following scheduled tasks:
Note:
See Section 3.4, "Configuring Scheduled Tasks" for the procedure.
Section 3.3.4.1, "Scheduled Tasks for Reconciliation of User Records"
Section 3.3.4.2, "Scheduled Task for Reconciliation of Deleted Users"
Depending on whether you want to implement trusted source or target resource reconciliation, you must specify values for the attributes of one of the following user reconciliation scheduled tasks:
Lotus Notes User Reconciliation (scheduled task for target resource reconciliation)
Lotus Notes Trusted User Reconciliation (scheduled task for trusted source reconciliation)
Table 3-2 describes the attributes of both scheduled tasks.
Table 3-2 Attributes of the Scheduled Tasks for Reconciliation of User Records
| Attribute | Description | Default/Sample Value |
|---|---|---|
|
TargetRO |
Enter the name of the resource object. |
|
|
ServerName |
Enter the name of the IT resource instance that the connector must use to reconcile data. |
|
|
IsTrusted |
Specify whether the scheduled task must be used for trusted source reconciliation or target resource reconciliation. |
For trusted source reconciliation, set the value of this attribute to For target resource reconciliation, set the value of this attribute to |
|
LoginNameField |
Specify the name of the OIM User form field whose value must be used as the login name for the OIM User. You must ensure that the field you select is unique for each IBM Lotus Notes and Domino user. |
|
|
XellerateOrganisation |
Enter the default Oracle Identity Manager organization name that must be set for OIM Users created during trusted source reconciliation. Note: This attribute is used only during trusted source reconciliation. |
|
|
BatchSize |
Enter the number of records in each batch that must be fetched from the target system. This attribute is used during batched reconciliation. You must specify an integer value greater than zero. See Section 3.3.3, "Batched Reconciliation" for more information about this attribute. |
The default value is |
|
NoOfBatches |
Enter the number of batches to be reconciled. This attribute is used during batched reconciliation. The number of records in each batch is specified by the BatchSize attribute. See Section 3.3.3, "Batched Reconciliation" for more information. |
Specify Specify an integer value greater than zero if you want to reconcile only a fixed number of batches. |
|
LastName |
Enter the last name of the user whose records you want to reconcile. This attribute is used during limited reconciliation. If you do not want to use this filter attribute, then enter See Section 3.3.2, "Limited Reconciliation" for more information. |
The value can be either the last name or The default value is |
|
OU |
Enter the OU of the users whose records you want to reconcile. This attribute is used during limited reconciliation. If you do not want to use this filter attribute, then enter See Section 3.3.2, "Limited Reconciliation" for more information. |
The value can be either the OU of the users or The default value is |
|
Certifier |
Enter the name of the certifier for users whose records you want to reconcile. This attribute is used during limited reconciliation. If you do not want to use this filter attribute, then enter See Section 3.3.2, "Limited Reconciliation" for more information. |
The value can be either the certifier of the users or The default value is |
|
Group |
Enter the name of the group for users whose records you want to reconcile. This attribute is used during limited reconciliation. If you do not want to use this filter attribute, then enter See Section 3.3.2, "Limited Reconciliation" for more information. |
The value can be either the group of the users or The default value is |
|
Operator |
Enter the operator that you want to apply on the filter attributes. This attribute is used during limited reconciliation. See Section 3.3.2, "Limited Reconciliation" for more information. |
The value can be The default value is |
Table 3-3 describes the attributes of the scheduled task for reconciliation of deleted users.
Table 3-3 Attributes of the Lotus Notes Delete User Reconciliation Task Scheduled Task
| Attribute | Description |
|---|---|
|
ServerName |
Enter the name of the IT resource that the connector must use for reconciliation and provisioning operations. Default value: |
|
IsTrusted |
Enter |
|
TargetRO |
Enter |
|
LoginNameField |
Enter the attribute that you want to Parameter use as the login name for Xellerate User. Default value: Note: This attribute is used only if you configure the connector for trusted source reconciliation. |
This section describes the procedure to configure scheduled tasks. You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.
Table 3-4 lists the scheduled tasks shipped as part of the connector.
Table 3-4 Scheduled Tasks for Lookup Field Synchronization and Reconciliation
| Scheduled Task | Description |
|---|---|
|
Lotus Notes Lookup Reconciliation |
This scheduled task is used for lookup field synchronization. |
|
Lotus Notes User Reconciliation |
This scheduled task is used for user reconciliation in target resource mode. |
|
Lotus Notes Trusted User Reconciliation |
This scheduled task is used for user reconciliation in trusted source mode. |
|
Lotus Notes Delete User Reconciliation Task |
This scheduled task is used for reconciliation of deleted user records. |
To configure a scheduled task:
Log in to the Administrative and User Console.
Perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage Scheduled Task.
If you are using Oracle Identity Manager release 11.1.1, then on the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
Search for and open the scheduled task as follows:
If you are using Oracle Identity Manager release 9.1.0.x, then:
On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.
In the search results table, click the edit icon in the Edit column for the scheduled task.
On the Scheduled Task Details page where the details of the scheduled task that you selected is displayed, click Edit.
If you are using Oracle Identity Manager release 11.1.1, then:
On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
In the search results table on the left pane, click the scheduled job in the Job Name column.
Modify the details of the scheduled task. To do so:
If you are using Oracle Identity Manager release 9.1.0.x, then on the Edit Scheduled Task Details page, modify the following parameters, and then click Continue:
Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.
Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.
Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.
Frequency: Specify the frequency at which you want the task to run.
If you are using Oracle Identity Manager release 11.1.1, then on the Job Details tab, you can modify the following parameters:
Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.
Note:
See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.
In addition to modifying the job details, you can enable or disable a job.
Specify values for the attributes of the scheduled task. To do so:
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.
Attributes of the scheduled task are discussed in Section 3.3.4, "Reconciliation Scheduled Tasks."
If you are using Oracle Identity Manager release 9.1.0.x, then on the Attributes page, select the attribute from the Attribute list, specify a value in the field provided, and then click Update.
If you are using Oracle Identity Manager release 11.1.1, then on the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.
After specifying the attributes, perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, then click Save Changes to save the changes.
Note:
The Stop Execution option is not available in the Administrative and User Console. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.
If you are using Oracle Identity Manager release 11.1.1, then click Apply to save the changes.
Note:
The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.
Apply the following guidelines while performing provisioning:
You must enter values for the following mandatory attributes during provisioning operations:
Last Name
Server Name
Password
The IDFile Name and Mail File Name attributes are unique for each user. The Mail File Already Exists error message is displayed if you entering a file name that already exists on the target system.
While performing a Create User provisioning operation, you must specify values for the following certifier-related fields on the process form, even though they are not marked as mandatory fields:
Note:
See Section 3.8, "Guidelines on Performing Reconciliation" for more information about these fields.
Certifier ID File Path: Enter the path to the ID file of the certifier on the target.
Certifier Password: Enter the password of the certifier corresponding to the ID file that you specify as the value of the Certifier ID File Path parameter.
Organization Unit: Specify the OU to which the user belongs.
Note:
If an OU certifier is used, then the corresponding OU must be selected. However, if an organization certifier is used, then do not specify a value for the Organization Unit field.
If you specify True as the value of the Create Mail DB File In Bckgrnd IT resource parameter, then the connector does not check whether mail files are successfully created during Create User provisioning operations.
Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.
When you install the connector on Oracle Identity Manager release 11.1.1, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.
If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Section 3.7, "Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1."
This following are types of provisioning operations:
See Also:
Oracle Identity Manager Connector Concepts for information about the types of provisioning
This section discusses the following topics:
To provision a resource by using the direct provisioning approach:
Log in to the Administrative and User Console.
If you want to first create an OIM User and then provision a target system account, then:
If you are using Oracle Identity Manager release 9.1.0.x, then:
From the Users menu, select Create.
On the Create User page, enter values for the OIM User fields and then click Create User.
If you are using Oracle Identity Manager release 11.1.1, then:
On the Welcome to Identity Administration page, in the Users region, click Create User.
On the Create User page, enter values for the OIM User fields, and then click Save.
If you want to provision a target system account to an existing OIM User, then:
If you are using Oracle Identity Manager release 9.1.0.x, then:
From the Users menu, select Manage.
Search for the OIM User and select the link for the user from the list of users displayed in the search results.
If you are using Oracle Identity Manager release 11.1.1, then:
On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.
From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, then:
On the User Detail page, select Resource Profile from the list at the top of the page.
On the Resource Profile page, click Provision New Resource.
If you are using Oracle Identity Manager release 11.1.1, then:
On the user details page, click the Resources tab.
From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.
On the Step 1: Select a Resource page, select LOTUSRO from the list and then click Continue.
On the Step 2: Verify Resource Selection page, click Continue.
On the Step 5: Provide Process Data for LOTUSRO Details page, enter the details of the account that you want to create on the target system and then click Continue.
On the Step 5: Provide Process Data for LOTUSRO Group Membership Details page, search for and select a group for the user on the target system and then click Continue.
On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.
The "Provisioning has been initiated" message is displayed. Perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, click Back to User Resource Profile. The Resource Profile page shows that the resource has been provisioned to the user.
If you are using Oracle Identity Manager release 11.1.1, then:
Close the window displaying the "Provisioning has been initiated" message.
On the Resources tab, click Refresh to view the newly provisioned resource.
Note:
The information provided in this section is applicable only if you are using Oracle Identity Manager release 11.1.1.
A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:
Note:
The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.
Section 3.6.2.1, "End User's Role in Request-Based Provisioning"
Section 3.6.2.2, "Approver's Role in Request-Based Provisioning"
The following steps are performed by the end user in a request-based provisioning operation:
See Also:
Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps
Log in to the Administrative and User Console.
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.
From the Actions menu on the left pane, select Create Request.
The Select Request Template page is displayed.
From the Request Template list, select Provision Resource and click Next.
On the Select Users page, specify a search criterion in the fields to search for the user that you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.
From the Available Users list, select the user to whom you want to provision the account.
If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.
Click Move or Move All to include your selection in the Selected Users list, and then click Next.
On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
From the Available Resources list, select LOTUSRO, move it to the Selected Resources list, and then click Next.
On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
On the Justification page, you can specify values for the following fields, and then click Finish.
Effective Date
Justification
On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.
If you click the request ID, then the Request Details page is displayed.
To view details of the approval, on the Request Details page, click the Request History tab.
The following are steps performed by the approver in a request-based provisioning operation:
The following are steps that the approver can perform:
Log in to the Administrative and User Console.
On the Welcome page, click Self-Service in the upper-right corner of the page.
On the Welcome to Identity Manager Self Service page, click the Tasks tab.
On the Approvals tab, in the first section, you can specify a search criterion for request task that is assigned to you.
From the search results table, select the row containing the request you want to approve, and then click Approve Task.
A message confirming that the task was approved is displayed.
Note:
It is assumed that you have performed the procedure described in Section 2.3.1.6, "Enabling Request-Based Provisioning."
On Oracle Identity Manager release 11.1.1, if you want to switch from request-based provisioning to direct provisioning, then:
Log in to the Design Console.
Disable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the LOTUSRO process definition.
Deselect the Auto Save Form check box.
Click the Save icon.
If the Self Request Allowed feature is enabled, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the LOTUSRO resource object.
Deselect the Self Request Allowed check box.
Click the Save icon.
On Oracle Identity Manager release 11.1.1, if you want to switch from direct provisioning back to request-based provisioning, then:
Log in to the Design Console.
Enable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the LOTUSRO process definition.
Select the Auto Save Form check box.
Click the Save icon.
If you want to enable end users to raise requests for themselves, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the LOTUSRO resource object.
Select the Self Request Allowed check box.
Click the Save icon.
Apply the following guidelines while performing provisioning:
Values of the following fields are not fetched from the target system during reconciliation:
Certifier ID File Path
Certifier Password
Organization Unit
When an account is created in Oracle Identity Manager through reconciliation of a new record from the target system, you must manually set values for these 3 fields. See Section 3.5, "Guidelines on Performing Provisioning" for information about setting values for these fields.