3 Using the Connector

This chapter is divided into the following sections:

3.1 Performing First-Time Reconciliation

First-time reconciliation involves synchronizing lookup definitions in Oracle Identity Manager with the lookup fields of the target system, and performing full reconciliation. In full reconciliation, all existing user records from the target system are brought into Oracle Identity Manager.

The following is the sequence of steps involved in reconciling all existing user records:

Note:

In Oracle Identity Manager release 11.1.x, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.x.

See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

  1. Perform lookup field synchronization by running the scheduled tasks provided for this operation.

    See Section 3.2, "Lookup Field Synchronization" for information about the attributes of the scheduled tasks for lookup field synchronization.

    See Section 3.4, "Configuring Scheduled Tasks" for information about running scheduled tasks.

  2. Perform user reconciliation by running the scheduled task for user reconciliation.

    See Section 3.3.4, "Reconciliation Scheduled Tasks" for information about the attributes of this scheduled task.

    See Section 3.4, "Configuring Scheduled Tasks" for information about running scheduled tasks.

After first-time reconciliation, depending on the mode in which you configure the connector, one of the following parameters of the eDirectory IT Resource IT resource is automatically set to the time stamp at which the reconciliation run began:

  • For trusted source reconciliation, the Last Recon Trusted TimeStamp parameter is set.

  • For target resource reconciliation, the Last Recon Target TimeStamp parameter is set.

See Also:

Section 2.2, "Installation" for information about the parameters of the IT resource

From the next reconciliation run onward, only target system user records that are added or modified after the time stamp stored in the IT resource are considered for incremental reconciliation. These records are brought to Oracle Identity Manager when you configure and run the user reconciliation scheduled task.

3.2 Lookup Field Synchronization

The following scheduled tasks are used for lookup fields reconciliation:

  • eDirectory Organization Lookup Reconciliation Task

  • eDirectory Role Lookup Reconciliation Task

  • eDirectory Group Lookup Reconciliation Task

  • eDirectory Profile Lookup Reconciliation Task

  • eDirectory DomainScope Lookup Reconciliation Task

You must specify values for the attributes of these scheduled tasks. Table 3-1 describes the attributes of these scheduled tasks. Section 3.4, "Configuring Scheduled Tasks" describes the procedure to configure scheduled tasks.

Note:

This table describes the attributes of all the scheduled tasks for lookup field synchronization. Some of these attributes are not common to all the scheduled tasks.

Table 3-1 Attributes of the Scheduled Tasks for Lookup Field Synchronization

Attribute Description

ConfigurationLookup

This attribute holds the name of the configuration lookup definition, which contains values that are used during connector operations.

Default value: Lookup.EDIR.Configuration

AttrTask

The attribute holds the naming attribute of the object on the target system.

  • Default value for organizations:

    o

  • Default value for domain scope and organizational units:

    ou

  • Default value for groups, roles, and profiles:

    cn

LookupCodeName

This attribute holds the name of the lookup definition with which the values are to be synchronized.

  • Default value for organizational units and organizations:

    Lookup.EDIR.Organization

  • Default value for domain scope:

    Lookup.EDIR.DomainScope

  • Default value for groups:

    Lookup.EDIR.UserGroup

  • Default value for roles:

    Lookup.EDIR.AssignedRole

  • Default value for profiles:

    Lookup.EDIR.Profile

ITResourceName

This attribute holds the name of the IT resource for setting up a connection with Novell eDirectory.

Default value: eDirectory IT Resource

SearchContext

Enter the search context (DN of the user container) to be used for fetching lookup field values from the target system.

Default value: o=PXED-DEV,dc=Company

ObjectClass

This attribute holds the name of the object class.

  • Default value for organizational units and domain scope:

    OrganizationalUnit

  • Default value for groups:

    group

  • Default value for roles:

    rBSRole

  • Default value for profiles:

    profile

  • Default value for organizations:

    organization

CodeKeyLTrimStr

The default value of this attribute is [None]. Do not change this value.

CodeKeyRTrimStr

Enter the string value that must be right-trimmed from each value returned by the scheduled task.

Sample value: ,o=PXED-DEV

If there is nothing to be trimmed, then enter [NONE].

ReconMode

Enter REFRESH to completely refresh the existing lookup. Existing values in the lookup definition are deleted and then new values are added.

Enter UPDATE if you want to update the lookup definition with new values. Existing values in the lookup definition are left untouched.

SearchFilter

Enter the query or filter that must be applied during a reconciliation run. See Section 3.3.2, "Limited Reconciliation" for more information. You can enter one of the following values:

For organizational units and domain scope: (objectClass=OrganizationalUnit)

For groups: (objectClass=Group)

For roles: (objectClass=RBS:Role)

For profiles: (objectClass=Profile)

For organizations: (objectClass=organization)


3.3 Configuring Reconciliation

Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.3.1 Full Reconciliation vs. Incremental Reconciliation

The Last Recon Trusted TimeStamp and Last Recon Target TimeStamp parameters of the IT resource store the time stamp at which a reconciliation run begins. During the next reconciliation run, the scheduled task fetches only target system records that are added or modified after the time stamp stored in the parameter for reconciliation. This is incremental reconciliation.

In full reconciliation, all existing target system records are fetched into Oracle Identity Manager for reconciliation. If you want to run full reconciliation, then ensure that no value is entered for the time-stamp parameter. In other words, the time-stamp parameter must be empty.

You can switch from incremental to full reconciliation at any time by not setting any value for the time-stamp parameter. If you want to continue with incremental reconciliation, then accept the default value of the time-stamp parameter.

3.3.2 Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating a reconciliation filter.

For this connector, you create a filter by specifying a query condition as the value of the SearchFilter attribute of the scheduled tasks. The query condition must be in the LDAP format, as shown in the following sample value:

(objectclass=inetOrgPerson)

With this query condition, only records for users whose objectclass is inetOrgPerson are considered for reconciliation.

You can add multiple query conditions by using the ampersand (&) as the AND operator and the vertical bar (|) as the OR operator. For example, the following query condition is used to limit reconciliation to records of those users whose first name is John and objectclass is inetOrgPerson:

(&(objectClass=inetOrgPerson)(givenname=John))

Note:

As shown in this sample value, you must enclose the query condition in parentheses.

The following are sample query conditions that can be specified as the value of the SearchFilter attribute:

(&(objectClass=inetOrgPerson)(givenname=John))
(&(objectClass=inetOrgPerson)(sn=Doe))
(&(&(sn=Doe)(givenname=John))(objectClass=inetOrgPerson))
(|(|(sn=lastname)(givenname=firstname))(objectClass=inetOrgPerson))

The SearchFilter attribute is also present in the scheduled tasks for lookup field synchronization. You can select one of the following values in one of those scheduled tasks:

  • For organizational units and domain scope: (objectClass=OrganizationalUnit)

  • For groups: (objectClass=Group)

  • For roles: (objectClass=RBS:Role)

  • For profiles: (objectClass=Profile)

  • For organizations: (objectClass=organization)
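A SearchFilter value can be checked offline before it is entered in a scheduled task. The following is an added example, not code from the connector: it parses a filter in the format shown above (AND, OR, NOT, equality, and `*` wildcards), rejects values that are not fully enclosed in parentheses, and reports which of a few constructed directory entries the filter would select. The names `parse_filter`, `matches`, `selected`, and `SAMPLE_ENTRIES` are hypothetical, and case-insensitive value matching is an assumption.

```python
import re


class FilterError(ValueError):
    """Raised when a SearchFilter value is not a well-formed LDAP filter."""


def _unescape(text):
    # LDAP filters escape special characters as a backslash plus two hex digits.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}: enclose every condition in parentheses")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i = s[i], i + 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterError(f"'{op}' needs at least one condition")
        node = (op, children)
    elif i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:
        end = s.find(")", i)
        if end == -1:
            raise FilterError("missing closing parenthesis")
        item = s[i:end]
        attr, sep, value = item.partition("=")
        if not sep or not attr.strip() or "(" in item:
            raise FilterError(f"malformed condition {item!r}")
        node = ("=", attr.strip().lower(), value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"missing ')' at offset {i}")
    return node, i + 1


def parse_filter(text):
    """Parse a filter string into a nested tuple tree, or raise FilterError."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"unexpected text after the filter at offset {pos}")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lowercase attr -> values)."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # A bare "*" is a presence test; "Jo*" is a substring test; no "*" is equality.
    pattern = ".*".join(re.escape(_unescape(part)) for part in value.split("*"))
    flags = re.IGNORECASE | re.DOTALL  # assumption: case-insensitive matching
    return any(re.fullmatch(pattern, v, flags) for v in entry.get(attr, []))


def selected(filter_text, entries):
    """Return the cn of every entry the filter would bring into reconciliation."""
    tree = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(tree, e)]


# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = [
    {"cn": ["jdoe"], "objectclass": ["inetOrgPerson"], "givenname": ["John"], "sn": ["Doe"]},
    {"cn": ["jroe"], "objectclass": ["inetOrgPerson"], "givenname": ["Jane"], "sn": ["Roe"]},
    {"cn": ["jsmith"], "objectclass": ["inetOrgPerson"], "givenname": ["John"], "sn": ["Smith"]},
    {"cn": ["Admins"], "objectclass": ["Group"]},
]

if __name__ == "__main__":
    for f in [
        "(objectclass=inetOrgPerson)",
        "(&(objectClass=inetOrgPerson)(givenname=John))",
        "(&(&(sn=Doe)(givenname=John))(objectClass=inetOrgPerson))",
        # OR with the objectClass condition: every inetOrgPerson entry matches.
        "(|(|(sn=lastname)(givenname=firstname))(objectClass=inetOrgPerson))",
        "objectClass=inetOrgPerson",  # not enclosed in parentheses: rejected
    ]:
        try:
            print(f, "->", selected(f, SAMPLE_ENTRIES))
        except FilterError as err:
            print(f, "-> rejected:", err)
```

Running the samples shows that the OR form of the last sample query condition does not narrow reconciliation: because one of its alternatives is the objectClass condition, it selects every inetOrgPerson entry.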

3.3.3 Batched Reconciliation

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid such problems.

To configure batched reconciliation, you must specify values for the following user reconciliation scheduled task attributes:

  • StartRecord: Use this attribute to specify the record number from which batched reconciliation must begin.

  • BatchSize: Use this attribute to specify the number of records that must be included in each batch.

  • NumberOfBatches: Use this attribute to specify the total number of batches that must be reconciled. If you do not want to use batched reconciliation, specify All Available as the value of this attribute.

    Note:

    If you specify All Available as the value of this attribute, then the values of the StartRecord and BatchSize attributes are ignored.

You specify values for these attributes by following the instructions described in Section 3.3.4, "Reconciliation Scheduled Tasks."

After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then refer to the log file for information about the batch at which reconciliation has failed. The log file provides the following information about batched reconciliation:

  • Serial numbers of the batches that have been successfully reconciled

  • User IDs associated with the records in each batch that has been successfully reconciled

  • If the batched reconciliation run fails, then the serial number of the batch that has failed
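The effect of the three batching attributes can be worked out before a run. The following is an added example, not code from the connector: it lists the record ranges a given StartRecord, BatchSize, and NumberOfBatches combination covers, reports the records that the run never fetches, and computes the StartRecord for a follow-up run from the serial number of the failed batch. The function names are hypothetical, and the sketch assumes that record numbers and batch serial numbers both start at 1.

```python
ALL_AVAILABLE = "All Available"


def plan_batches(total_records, start_record=1, batch_size=100,
                 number_of_batches=ALL_AVAILABLE):
    """Return [(serial, first_record, last_record), ...] for one reconciliation run."""
    if total_records < 0:
        raise ValueError("total_records cannot be negative")
    if number_of_batches == ALL_AVAILABLE:
        # StartRecord and BatchSize are ignored in this mode, so the whole
        # record set is in scope; it is modelled here as a single span.
        return [(1, 1, total_records)] if total_records else []
    count = int(number_of_batches)
    if start_record < 1 or batch_size < 1 or count < 1:
        raise ValueError("StartRecord, BatchSize and NumberOfBatches must be positive")
    batches = []
    first = start_record
    for serial in range(1, count + 1):
        if first > total_records:
            break  # fewer records exist than the configuration allows for
        last = min(first + batch_size - 1, total_records)
        batches.append((serial, first, last))
        first = last + 1
    return batches


def skipped_records(total_records, batches):
    """Record-number ranges that the planned run never fetches."""
    if not batches:
        return [(1, total_records)] if total_records else []
    gaps = []
    if batches[0][1] > 1:
        gaps.append((1, batches[0][1] - 1))
    if batches[-1][2] < total_records:
        gaps.append((batches[-1][2] + 1, total_records))
    return gaps


def resume_start_record(start_record, batch_size, failed_serial):
    """StartRecord for a follow-up run, given the failed batch's serial number."""
    if failed_serial < 1:
        raise ValueError("batch serial numbers start at 1 in this sketch")
    return start_record + (failed_serial - 1) * batch_size


if __name__ == "__main__":
    total = 7250  # constructed directory size
    run = plan_batches(total, start_record=1, batch_size=100, number_of_batches=50)
    print("last batch:", run[-1])
    print("never fetched:", skipped_records(total, run))
    # Suppose the log reports that batch 37 failed.
    restart = resume_start_record(1, 100, 37)
    remaining = 50 - 36  # batches 1 to 36 were reconciled
    print("resume with StartRecord", restart, "and NumberOfBatches", remaining)
    print("follow-up run ends at:", plan_batches(total, restart, 100, remaining)[-1])
```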

3.3.4 Reconciliation Scheduled Tasks

This section discusses the following topics:

3.3.4.1 User Reconciliation Scheduled Tasks

The following scheduled tasks are used for user reconciliation:

  • eDirectory User Trusted Recon Task

  • eDirectory User Target Recon Task

  • eDirectory User Trusted Delete Recon Task

  • eDirectory User Target Delete Recon Task

You must specify values for the set of scheduled tasks that are used for the mode (target resource or trusted source) in which you are using the connector. Table 3-2 describes the attributes of these scheduled tasks.

Note:

This table describes the attributes of all the scheduled tasks for user reconciliation. Some of these attributes are not common to all the scheduled tasks.

Section 3.4, "Configuring Scheduled Tasks" describes the procedure to configure scheduled tasks.

Table 3-2 Attributes of the User Reconciliation Scheduled Tasks

Attribute Description

UseTransformMapping

Enter yes to specify that you want to configure transformation of attributes during reconciliation. Otherwise, enter no.

See Section 4.10, "Configuring Transformation of Data During Reconciliation" for more information.

In the eDirectory User Target Recon Task scheduled task, set this attribute to yes if you want to enable provisioning of the Home directories. See Step 6 of Section 4.9, "Linking the Home Directory Provisioning Operation with the Create User Provisioning Operation" for more information.

Default value: no

Keystore

If you are planning to configure SSL communication between Oracle Identity Manager and the target system, then enter the name and full path of the Novell eDirectory keystore directory.

If you are not planning to configure an SSL connection, then enter [NONE].

Sample value:

E:\j2sdk1.4.2_05\jre\lib\security\cacerts

UserContainer

Enter the DN value of the organization from where users must be reconciled into Oracle Identity Manager.

Default value: o=PXED-DEV,dc=Company

Organization

Enter the default organization for the OIM User.

Default value: Xellerate Users

Role

Enter the default role for the OIM User.

Default value: Consultant

StartRecord

Enter the number of the record from which the batched reconciliation process must begin.

Default value: 1

See Section 3.3.3, "Batched Reconciliation" for information about batched reconciliation.

Batch Size

Enter the number of records that must be included in each batch fetched from the target system during a reconciliation run.

Default value: 100

See Section 3.3.3, "Batched Reconciliation" for information about batched reconciliation.

NumberOfBatches

Enter the number of batches that must be reconciled.

Default value: All Available (for reconciling all the users)

Sample value: 50

See Section 3.3.3, "Batched Reconciliation" for information about batched reconciliation.

ConfigurationLookup

This attribute holds the name of the lookup definition that stores the configurable attributes used for connector operations.

Value: Lookup.EDIR.Configuration

TransformLookupName

This attribute holds the name of the lookup definition that is used for transformation mapping.

Value: Lookup.EDIR.Transformation

IT Resource

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: eDirectory IT Resource

Xellerate Type

This attribute holds the default employee type for the OIM User.

Default value: End-User Administrator

TrustedResourceObjectName

This attribute holds the name of the resource object that is used in trusted reconciliation.

Default value: Xellerate User

SearchFilter

Enter the search filter in LDAP format for fetching records from the target system during the reconciliation run.

Default value: (objectclass=inetOrgPerson)

TargetResourceObjectName

This attribute holds the name of the resource object that is used in target reconciliation.

Default value: eDirectory User

SearchBase

Enter the DN value of the user container from which users must be reconciled into Oracle Identity Manager.

Default value: o=PXED-DEV,dc=Company


3.3.4.2 Group and Role Reconciliation Scheduled Task

Note:

You cannot reconcile group data and role data from the target system if you are using Oracle Identity Manager release 11.1.x. This issue is tracked by Bug 9799541 in Chapter 6, "Known Issues."

The eDirectory GroupOrRole Recon Task scheduled task is used for group or role reconciliation. Table 3-3 describes the attributes of this scheduled task.

Table 3-3 Attributes of the eDirectory GroupOrRole Recon Task Scheduled Task

Attribute Description

ConfigurationLookup

This attribute holds the name of the lookup definition that stores configuration information used during connector operations.

Default value: Lookup.EDIR.Configuration

Field Lookup Code

This attribute holds the name of the lookup definition that stores reconciliation field mappings for group or role connector operations. Provide the corresponding reconciliation lookup mappings.

Default value:

For group reconciliation: AttrName.ReconGroup.Map.EDIR

For role reconciliation: AttrName.ReconRole.Map.EDIR

isRoleRecon

Enter yes if you want role reconciliation to be performed.

Enter no if you want group reconciliation to be performed.

Default value: yes

ITResourceName

This attribute holds the name of the IT resource that contains connection information to connect to Novell eDirectory.

Default value: eDirectory IT Resource

MultiValued Attributes

Enter the list of multivalued attributes that you add for reconciliation and provisioning.

See Section 4.2, "Adding New Multivalued Attributes for Target Resource Reconciliation" for information about adding multivalued attributes.

The default value of this attribute is [NONE].

Sample value: owner|description

ResourceObjectName

Enter the name of the resource object into which groups or roles are to be reconciled.

The value can be one of the following:

  • For group reconciliation: eDirectory Group

  • For role reconciliation: eDirectory Role

SearchBase

Enter the DN value from where the groups or roles are reconciled from the target system to Oracle Identity Manager.

Sample value: ou=myou,dc=corp,dc=com or dc=corp,dc=com

SearchFilter

Enter the LDAP search filter that is used to locate groups or roles.

See Section 3.3.2, "Limited Reconciliation" for more information.

Sample values:

(objectClass=Group)

(objectClass=RBS:Role)


3.4 Configuring Scheduled Tasks

You can apply the procedure described in this section to configure the scheduled tasks for lookup field synchronization and reconciliation.

Table 3-4 lists the scheduled tasks that form part of the connector.

Table 3-4 Scheduled Tasks for Lookup Field Synchronization and Reconciliation

Scheduled Task Description

eDirectory Organization Lookup Reconciliation Task

This scheduled task is used for organization lookup field synchronization. See Section 3.2, "Lookup Field Synchronization" for information about this scheduled task.

eDirectory Role Lookup Reconciliation Task

This scheduled task is used for role lookup field synchronization. See Section 3.2, "Lookup Field Synchronization" for information about this scheduled task.

eDirectory Group Lookup Reconciliation Task

This scheduled task is used for group lookup field synchronization. See Section 3.2, "Lookup Field Synchronization" for information about this scheduled task.

eDirectory DomainScope Lookup Reconciliation Task

This scheduled task is used for domain lookup field synchronization. See Section 3.2, "Lookup Field Synchronization" for information about this scheduled task.

eDirectory Profile Lookup Reconciliation Task

This scheduled task is used for profile lookup field synchronization. See Section 3.2, "Lookup Field Synchronization" for information about this scheduled task.

eDirectory User Trusted Recon Task

This scheduled task is used for user reconciliation when the target system is configured as a trusted source. See Section 3.3.4, "Reconciliation Scheduled Tasks" for information about this scheduled task.

eDirectory User Target Recon Task

This scheduled task is used for user reconciliation when the target system is configured as a target resource. See Section 3.3.4, "Reconciliation Scheduled Tasks" for information about this scheduled task.

eDirectory User Trusted Delete Recon Task

This scheduled task is used for reconciliation of deleted users when the target system is configured as a trusted source. See Section 3.3.4, "Reconciliation Scheduled Tasks" for information about this scheduled task.

eDirectory User Target Delete Recon Task

This scheduled task is used for reconciliation of deleted users when the target system is configured as a target resource. See Section 3.3.4, "Reconciliation Scheduled Tasks" for information about this scheduled task.

eDirectory GroupOrRole Recon Task

This scheduled task is used for reconciliation of groups and roles from the target system. See Section 3.3.4, "Reconciliation Scheduled Tasks" for information about this scheduled task.


Depending on the Oracle Identity Manager release that you are using, perform the procedure described in one of the following sections:

3.4.1 Configuring Scheduled Tasks on Oracle Identity Manager Release 9.0.1 through 9.0.3.2

To configure the reconciliation scheduled task:

  1. Open the Oracle Identity Manager Design Console.

  2. Expand the Xellerate Administration folder.

  3. Select Task Scheduler.

  4. Click Find. The details of the predefined scheduled tasks are displayed.

  5. Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the FAILED status to the task.

  6. Ensure that the Disabled and Stop Execution check boxes are not selected.

  7. In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.

  8. In the Interval region, set the following schedule parameters:

    • To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.

      If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.

    • To set the task to run only once, select the Once option.

  9. Provide values for the user-configurable attributes of the scheduled task. See Section 3.3.4, "Reconciliation Scheduled Tasks" for information about the values to be specified.

    See Also:

    Oracle Identity Manager Design Console Guide for information about adding and removing task attributes

  10. Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.

3.4.2 Configuring Scheduled Tasks on Oracle Identity Manager Release 9.1.0.x or Release 11.1.x

To configure a scheduled task:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.x or 11.1.1:

      1. Log in to the Administrative and User Console.

      2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

    • For Oracle Identity Manager release 11.1.2:

      1. Log in to Oracle Identity System Administration.

      2. In the left pane, under System Management, click Scheduler.

  2. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.x, expand Resource Management, and then click Manage Scheduled Task.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Oracle Identity Manager Self Service page, click Advanced.

      2. Click the System Management tab, and then click Scheduler.

      3. On the left pane, click Advanced Search.

  3. On the page that is displayed, you can use any combination of the search options provided to locate a scheduled task. Click Search after you specify the search criteria.

    The list of scheduled tasks that match your search criteria is displayed in the search results table.

  4. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then in the search results table, click the Edit icon in the Edit column for the scheduled task.

    • If you are using Oracle Identity Manager release 11.1.x, then select the link for the scheduled task from the list of scheduled tasks displayed in the search results table.

  5. Modify the details of the scheduled task. To do so:

    1. If you are using Oracle Identity Manager release 9.1.0.x, then on the Edit Scheduled Task Details page, modify the following parameters, and then click Continue:

      • Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

      • Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.

      • Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

      • Frequency: Specify the frequency at which you want the task to run.

    2. If you are using Oracle Identity Manager release 11.1.x, then on the Job Details tab, you can modify the following parameters:

      • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

      • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

      Note:

      See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

      In addition to modifying the job details, you can enable or disable a job.

  6. Specify values for the attributes of the scheduled task. To do so:

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    • Attributes of the scheduled task are discussed in Section 3.3.4, "Reconciliation Scheduled Tasks."

    • If you are using Oracle Identity Manager release 9.1.0.x, then on the Attributes page, select the attribute from the Attribute list, specify a value in the field provided, and then click Update.

    • If you are using Oracle Identity Manager release 11.1.x, then on the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

  7. After specifying the attributes, perform one of the following:

    • If you are using Oracle Identity Manager release 9.1.0.x, then click Save Changes to save the changes.

      Note:

      The Stop Execution option is not available in the Administrative and User Console. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.

    • If you are using Oracle Identity Manager release 11.1.x, then click Apply to save the changes.

      Note:

      The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.

3.5 Guidelines on Performing Provisioning

Apply the following guideline while performing provisioning operations:

  • While provisioning a Home directory, you must select the Container DN value on the Administrative and User Console.

3.6 Performing Provisioning Operations

Provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager.

This section discusses the following topics related to configuring provisioning:

3.6.1 Provisioning Users

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.

When you install the connector on Oracle Identity Manager release 11.1.1, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Section 3.6.3, "Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1."

The following are types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning

  • Provisioning triggered by policy changes

See Also:

Oracle Identity Manager Connector Concepts for information about the types of provisioning

This section discusses the following topics:

3.6.1.1 Direct Provisioning

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. If you want to first create an OIM User and then provision a target system account, then:

    • If you are using Oracle Identity Manager release 9.0.1 through 9.0.3.2 or release 9.1.0.x, then:

      1. From the Users menu, select Create.

      2. On the Create User page, enter values for the OIM User fields and then click Create User.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Identity Administration page, in the Users region, click Create User.

      2. On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    • If you are using Oracle Identity Manager release 9.0.1 through 9.0.3.2 or release 9.1.0.x, then:

      1. From the Users menu, select Manage.

      2. Search for the OIM User and select the link for the user from the list of users displayed in the search results.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.

      2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.0.1 through 9.0.3.2 or release 9.1.0.x, then:

      1. On the User Detail page, select Resource Profile from the list at the top of the page.

      2. On the Resource Profile page, click Provision New Resource.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the user details page, click the Resources tab.

      2. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  5. On the Step 1: Select a Resource page, select eDirectory User from the list and then click Continue.

  6. On the Step 2: Verify Resource Selection page, click Continue.

  7. On the Step 5: Provide Process Data for eDirectory User Details page, enter the details of the account that you want to create on the target system and then click Continue.

  8. On the Step 5: Provide Process Data for User Role page, search for and select a role for the user on the target system and then click Continue.

  9. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

  10. The "Provisioning has been initiated" message is displayed. Perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.0.1 through 9.0.3.2 or release 9.1.0.x, click Back to User Resource Profile. The Resource Profile page shows that the resource has been provisioned to the user.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. Close the window displaying the "Provisioning has been initiated" message.

      2. On the Resources tab, click Refresh to view the newly provisioned resource.

3.6.1.2 Request-Based Provisioning

Note:

The information provided in this section is applicable only if you are using Oracle Identity Manager release 11.1.1.

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

3.6.1.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps.

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Advanced in the upper-right corner of the page.

  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.

  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.

  6. On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.

  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.

  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.

  10. From the Available Resources list, select eDirectory User, move it to the Selected Resources list, and then click Next.

  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.

  12. On the Justification page, you can specify values for the following fields, and then click Finish.

    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.

  14. To view details of the approval, on the Request Details page, click the Request History tab.

3.6.1.2.2 Approver's Role in Request-Based Provisioning

The following steps are performed by the approver in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Self-Service in the upper-right corner of the page.

  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.

  4. On the Approvals tab, in the first section, you can specify a search criterion for the request task that is assigned to you.

  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

3.6.2 Provisioning Organizational Units, Groups, and Roles

See Also:

For Oracle Identity Manager release 9.0.1 through 9.0.3.2 or 9.1.0.x, see Oracle Identity Manager Administrative and User Console Guide for detailed information about these steps.

For Oracle Identity Manager release 11.1.1, see Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps.

To provision an organizational unit:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. Create an organization. To do so:

    • If you are using Oracle Identity Manager release 9.0.1 through 9.0.3.2 or release 9.1.0.x, then:

      1. Expand Organizations, and then click Create.

      2. Specify a name and the type for the organization that you want to create, and then click Create Organization.

        The organization is created.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome page, click Administration in the upper-right corner of the page.

      2. On the Welcome to Identity Administration page, from the Organizations section, click Create Organization.

      3. On the Create Organization page, enter values for the Name, Type, and Parent Organization (optional) fields, and then click Save.

        The organization is created.

  3. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.0.1 through 9.0.3.2 or release 9.1.0.x, then:

      1. Select Resource Profile from the list.

      2. Click Provision New Resource.

        The Provision Resource to Organization page is displayed.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the organization details page, click the Resources tab.

      2. From the Actions menu, select Provision. Alternatively, click Provision on the toolbar. The Provision Resource to Organization page is displayed in a new window.

  4. On the Step 1: Select a Resource page, search for and select the organizational unit you want to provision, and then click Continue.

  5. On the Step 2: Verify Resource Selection page, verify the data that you provided, and then click Continue.

  6. On the Step 5: Provide Process Data page, enter the details of the organizational unit that you want to provision and then click Continue.

  7. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

  8. The "Provisioning has been initiated" message is displayed. Perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.0.1 through 9.0.3.2 or release 9.1.0.x, click Back to User Resource Profile. The Resource Profile page shows that the organizational unit has been provisioned to the organization.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. Close the window displaying the "Provisioning has been initiated" message.

      2. On the Resources tab, click Refresh to view the newly provisioned organizational unit.

To provision a group or role:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. Search for and open the organization to which you want to provision a group or role by performing one of the following steps:

    • If you are using Oracle Identity Manager release 9.0.1 through 9.0.3.2 or release 9.1.0.x, then:

      1. From the Organizations menu, select Manage.

      2. Search for the organization and select the link for the organization from the list of organizations displayed in the search results.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Identity Administration page, in the Organizations section, click Advanced Search - Organizations, provide a search criterion, and then click Search.

        Alternatively, search for the organization by selecting Organizations from the list on the left pane.

      2. From the organizations displayed in the search results table, click the row containing the organization to which you want to provision a group or role.

        The organization details page is displayed.

  3. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.0.1 through 9.0.3.2 or release 9.1.0.x, then:

      1. On the Organization Detail page, select Resource Profile from the list at the top of the page.

      2. On the Resource Profile page, click Provision New Resource.

        The Provision Resource to Organization page is displayed.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the organization details page, click the Resources tab.

      2. From the Actions menu, select Provision. Alternatively, click Provision on the toolbar. The Provision Resource to Organization page is displayed in a new window.

  4. On the Step 1: Select a Resource page, select one of the following options, and then click Continue:

    • Select the group option if you want to create a group.

      The default settings to enable provisioning of groups in organizational units in the AttrName.ProvGroup.EDIR.Map lookup definition are listed in the following table:

      Code key: Group Name

      Decode: cn

    • Select the role option if you want to create a role.

      The default settings to enable provisioning of roles in organizational units in the AttrName.ProvRole.EDIR.Map lookup definition are listed in the following table:

      Code key: Role Name

      Decode: cn

  5. On the Step 2: Verify Resource Selection page, verify the data that you provided, and then click Continue.

  6. On the Step 5: Provide Process Data page, depending on whether you have selected a group or role while performing Step 4, enter the group or role details, and then click Continue.

  7. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

  8. The "Provisioning has been initiated" message is displayed. Perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.0.1 through 9.0.3.2 or release 9.1.0.x, click Back to User Resource Profile. The Resource Profile page shows that the group or role has been provisioned to the organization.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. Close the window displaying the "Provisioning has been initiated" message.

      2. On the Resources tab, click Refresh to view the newly provisioned group or role.

3.6.3 Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1

Note:

It is assumed that you have performed the procedure described in Section 2.3.12, "Configuring Oracle Identity Manager for Request-Based Provisioning."

On Oracle Identity Manager release 11.1.1, if you want to switch from request-based provisioning to direct provisioning, then:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the eDirectory User PD process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the eDirectory User resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

On Oracle Identity Manager release 11.1.1, if you want to switch from direct provisioning back to request-based provisioning, then:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the eDirectory User PD process definition.

    3. Select the Auto Save Form check box.

    4. Click the Save icon.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the eDirectory User resource object.

    3. Select the Self Request Allowed check box.

    4. Click the Save icon.

3.7 Configuring Provisioning in Oracle Identity Manager Release 11.1.2

To configure provisioning operations in Oracle Identity Manager release 11.1.2:

Note:

The first provisioning operation that you perform by using this connector takes longer than usual to complete.

  1. Log in to Oracle Identity Administrative and User console.

  2. Create a user. See the "Managing Users" chapter in Oracle Fusion Middleware User's Guide for Oracle Identity Manager for more information about creating a user.

  3. On the Account tab, click Request Accounts.

  4. On the Catalog page, search for and add to cart the application instance, and then click Checkout.

  5. Specify values for fields in the application form and then click Ready to Submit.

  6. Click Submit.

  7. If you want to provision a resource to an existing OIM User, then:

    1. On the Users page, search for the required user.

    2. On the user details page, click Accounts.

    3. Click the Request Accounts button.

    4. Search for the Novell eDirectory application instance in the catalog search box and select it.

    5. Click Add to Cart.

    6. Click Checkout.

    7. Specify values for fields in the application form and then click Ready to Submit.

    8. Click Submit.