This appendix provides additional information about the following attributes of the reconciliation scheduled task:
DeleteRecon
This attribute is used to enable the Delete Reconciliation feature. The value can be yes or no.
If you enable Delete reconciliation, then you must ensure that the Server attribute points to the Microsoft Active Directory root context where information about deleted users is stored.
Because Microsoft Active Directory does not keep track of deleted users, this mechanism (of moving deleted users to a specific OU) must be implemented by the directory administrator. In addition, in the case of trusted source reconciliation, the users that are reconciled using the Delete Reconciliation function are marked as deleted by Oracle Identity Manager. In the case of nontrusted source reconciliation, the Microsoft Active Directory resource object is revoked for such users.
You must specify a value for this attribute.
FieldLookupCode
This attribute provides the name of the lookup definition that holds mappings between Microsoft Active Directory fields and virtual fields in Oracle Identity Manager.
This attribute is used when there are multiple external systems that are being reconciled against a single Oracle Identity Manager resource object. In such a situation, it is not possible to use the existing reconciliation scheduled task. Therefore, you must specify the mappings between Microsoft Active Directory fields and virtual Oracle Identity Manager fields. These virtual fields are then mapped to the actual fields on the process form.
This is illustrated by the following example:
Suppose there are two systems, S1 and S2, that are being reconciled against a resource object called ADObject.
In addition, the reconciliation parameters are p1, p2, and p3 for S1 and q1, q2, and q3 for S2. Because they are being reconciled against the same resource object, Oracle Identity Manager does not allow multiple mappings of the same field. For instance, if p1 and q1 both correspond to the user ID, then both of them cannot be mapped at the same time. To avoid this, you can use virtual mappings, in which case, p1, p2, p3, q1, q2, and q3 are mapped to the same virtual Oracle Identity Manager attributes. These attributes in turn are mapped on the resource object and provisioning process. Therefore, if the virtual Oracle Identity Manager attributes are x1, x2, and x3, then the mapping in the field maps is as follows:
MaintainHierarchy
This attribute is used to specify whether or not organization hierarchy must be maintained in Microsoft Active Directory. The value can be yes or no.
If this attribute is set to yes, then the reconciliation scheduled task first creates an organization hierarchy similar to the organization hierarchy for Microsoft Active Directory in Oracle Identity Manager. It then performs reconciliation of users into the appropriate organization. The value of the XellerateOrg attribute is ignored.
While using this option, you must ensure that duplicate organization names are not created. This is because Oracle Identity Manager does not allow duplicate organization names, even in separate organization trees.
You must specify a value for this attribute.
TransformLookupCode
This attribute specifies the mapping between Microsoft Active Directory fields and the transformation to be applied to them. It is used if the values from external systems must be modified before they can be entered into Oracle Identity Manager. There is no restriction on custom modification. The following are examples of custom modifications:
Append a number at the end of the user ID.
Look up the field name from some external system, and set the value based on the field name.
Set custom types, such as Employee Type or User Type in Oracle Identity Manager, based on the value of a field in Microsoft Active Directory.
Because there can be a different transformation for every field reconciled from Microsoft Active Directory, the transform map gives a flexible way of specifying the field and the Java class that is used to transform it. The custom transformation classes must be compiled and kept in a JAR file in the JavaTasks directory.
MultiValueAttributes
The value of this attribute is interpreted as a comma-separated list of the multivalued attributes in Microsoft Active Directory that must be imported in Oracle Identity Manager during reconciliation. When you use this value, remember that:
The corresponding child table (used to store the value of the multivalued field) must exist on the form for the resource object against which reconciliation takes place.
The name of the multivalued attribute field and its subfields must be the same as the name of the multivalued field.
You must specify a value for this attribute.