Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use JD Edwards EnterpriseOne either as a managed (target) resource or as an authoritative (trusted) source of identity data for Oracle Identity Manager.
Note:
In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.
At some places in this guide, JD Edwards EnterpriseOne has been referred to as the target system.
In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.
In the identity reconciliation (trusted source) configuration of the connector, users are created or modified only on the target system and information about these users is reconciled into Oracle Identity Manager.
This chapter contains the following sections:
Section 1.5, "Lookup Definitions Used During Connector Operations"
Section 1.6, "Connector Objects Used During Target Resource Reconciliation and Provisioning"
Section 1.7, "Connector Objects Used During Trusted Source Reconciliation"
Section 1.8, "Roadmap for Deploying and Using the Connector"
Table 1-1 lists the certified components for this connector.
Table 1-1 Certified Components
Item | Requirement |
---|---|
You can use one of the following releases of Oracle Identity Manager:
The connector does not support Oracle Identity Manager running on Oracle Application Server. For detailed information about certified components of Oracle Identity Manager, see the certification matrix on Oracle Technology Network at
|
|
The target system can be any one of the following:
|
|
Target system user account |
JD Edwards EnterpriseOne user account to which the You provide the credentials of this user account while configuring the IT resource. The procedure is described later in this guide. If this user account was not assigned the required rights, then a connection error would be thrown when Oracle Identity Manager tries to communicate with the target system. |
JDK |
The JDK version can be one of the following:
|
The connector supports the following languages:
Chinese Simplified
Chinese Traditional
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
For information about supported special characters supported by Oracle Identity Manager, see one of the following guides:
For Oracle Identity Manager release 9.0.1 through 9.0.3.2 and release 9.1.0.x:
Oracle Identity Manager Globalization Guide
For Oracle Identity Manager release 11.1.1:
Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
Figure 1-1 shows the connector integrating JD Edwards EnterpriseOne with Oracle Identity Manager.
The target system, JD Edwards EnterpriseOne, is based on a client-server architecture. The JD Edwards EnterpriseOne User Management connector leverages this architecture to perform connector operations by calling business functions (BSFNs) within the JD Edwards Enterprise server or connecting to the JD Edwards Database, as required.
During provisioning, adapters carry provisioning data submitted through the process form to the target system. The adapters establish a connection with the target system in one of the following ways:
If a BSFN for performing the required provisioning operation is available on the target system, then the adapter establishes a connection with the JD Edwards Enterprise Server by using JDB.
If there is no BSFN on the target system that can perform the required provisioning operation, then the adapter establishes a connection with the JD Edwards Database by using JDBj.
After the adapters establish a connection with the target system, the required provisioning operation is performed, and then the response from the target system is returned to the adapters.
Note:
In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.
See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.
During reconciliation, a scheduled task establishes a connection with the JD Edwards Database by using JDBj. After the connection with the database is established, the user records that match the reconciliation criteria are retrieved, and passed on to the scheduled task, which brings the records to Oracle Identity Manager.
The following are features of the connector:
Section 1.4.1, "Support for Both Target Resource and Trusted Source Reconciliation"
Section 1.4.2, "Support for Both Full and Incremental Reconciliation"
Section 1.4.3, "Support for Adding New Attributes for Reconciliation and Provisioning"
You can use the connector to configure JD Edwards EnterpriseOne as either a target resource or trusted source of Oracle Identity Manager.
See Section 3.3, "Configuring Reconciliation" for more information.
After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, incremental reconciliation is automatically enabled from the next run of the user reconciliation.
You can perform a full reconciliation run at any time. See Section 3.3.1, "Full Reconciliation" for more information.
If you want to add to the standard set of single-valued attributes for reconciliation and provisioning, then perform the procedures described in Chapter 4, "Extending the Functionality of the Connector."
Lookup definitions used during connector operations can be divided into the following categories:
During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Date Format lookup field to select a date format from the list of supported date formats. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are automatically created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.
The following lookup definitions are populated with values fetched from the target system by the scheduled tasks for lookup field synchronization:
See Also:
Section 3.2, "Scheduled Task for Lookup Field Synchronization" for information about these scheduled tasks
Lookup.JDE.DateSeparationCharacter
Lookup.JDE.Language
Lookup.JDE.Roles
Lookup.JDE.LocalizationCountryCode
Lookup.JDE.DateFormat
Lookup.JDE.UniversalTime
Lookup.JDE.TimeFormat
Lookup.JDE.DecimalFormatCharacter
Table 1-2 describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.
Table 1-2 Other Lookup Definitions
Lookup Definition | Description of Values | Method to Specify Values for the Lookup Definition |
---|---|---|
Lookup.JDE.Configuration |
This lookup definition holds connector configuration entries that are used during reconciliation and provisioning. |
This lookup definition is preconfigured. You cannot add or modify entries in this lookup definition. |
Lookup.JDEReconciliation.FieldMap |
This lookup definition holds mappings between the JDE User resource object fields and target system attributes. |
This lookup definition is preconfigured. Table 1-3 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for user reconciliation. Chapter 4, "Extending the Functionality of the Connector" provides more information. |
Lookup.JDE.FastPathCreate |
This lookup definition enables you to set the JD Edwards FASTPATH feature for users. |
This lookup definition is preconfigured. You need not add entries in this lookup definition. |
The following sections provide information about connector objects used during target resource reconciliation and provisioning:
See Also:
The "Reconciliation" section in Oracle Identity Manager Connector Concepts for conceptual information about reconciliation
The following sections provide information about connector objects used during reconciliation:
Section 1.6.1, "User Attributes for Target Resource Reconciliation and Provisioning"
Section 1.6.2, "Role Attributes for Target Resource Reconciliation and Provisioning"
Section 1.6.3, "Reconciliation Rule for Target Resource Reconciliation"
Section 1.6.4, "Reconciliation Action Rules for Target Resource Reconciliation"
Table 1-3 provides information about user attribute mappings for target resource reconciliation and provisioning.
Table 1-3 User Attributes for Target Resource Reconciliation and Provisioning
Process Form Field | Target System Attribute | Description |
---|---|---|
User ID |
USER |
Login ID |
Language |
LNGP |
Language preference |
Date Format |
FRMT |
Date format |
Date Separation Character |
DSEP |
Date separation character |
Localization Country Code |
CTR |
Country Code |
Universal Time |
UTCTIME |
Time zone |
Time Format |
TIMEFORM |
Time format |
Decimal Format Character |
DECF |
Decimal format character |
Fast Path Create |
FSTP |
Fast redirect codes to navigate to frequently used JD Edwards applications such as Batch Versions and Automatic Accounting |
Disable User |
NA |
This is a check box to specify whether you want to enable or disable a user. Select the Disable User check box to disable a user. |
Table 1-4 provides information about role attribute mappings for target resource reconciliation and provisioning.
Table 1-4 Role Attributes for Target Resource Reconciliation and Provisioning
Process Form Field | Target System Role Attribute | Description |
---|---|---|
Role |
szRole |
Role name |
Include in *ALL |
cIncludedInALL |
Specifies whether the search must be performed in all environments or only a particular environment |
Effective Start Date |
jdEffectiveDate |
Date from which the role is effective for the user |
End Date |
jdExpirationDate |
Date from which the role is no longer valid for the user |
See Also:
Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rules
The following is the process-matching rule:
Rule name: JDE Recon Rule
Rule element: User Login equals UserID
In this rule:
User Login is one of the following:
For Oracle Identity Manager release 9.0.1 through 9.0.3.2:
User ID attribute on the Xellerate User form.
For Oracle Identity Manager release 9.1.0.x or release 11.1.1:
User ID attribute on the OIM User form.
User ID is the User field of JD Edwards.
This rule supports the following scenarios:
You can provision multiple JD Edwards resources to the same OIM User, either on Oracle Identity Manager or directly on the target system.
You can change the user ID of a user on the target system.
This is illustrated by the following use cases:
Use case 1: You provision a JD Edwards account for an OIM User, and you also create an account for the user directly on the target system.
When the first rule condition is applied, no match is found. Then, the second rule condition is applied and it is determined that a second account has been given to the user on the target system. The second account is linked with the OIM User at the end of the reconciliation run.
Use case 2: An OIM User has a JD Edwards account. You then change the user ID of the user on the target system.
During the next reconciliation run, application of the first rule condition helps match the resource with the record.
After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.
Log in to the Oracle Identity Manager Design Console.
Expand Development Tools.
Double-click Reconciliation Rules.
Search for JDE Recon Rule. Figure 1-2 shows the reconciliation rule for target resource reconciliation.
Figure 1-2 Reconciliation Rule for Target Resource Reconciliation
Table 1-5 lists the action rules for target resource reconciliation.
Table 1-5 Action Rules for Target Resource Reconciliation
Rule Condition | Action |
---|---|
One Entity Match Found |
Establish Link |
One Process Match Found |
Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:
For Oracle Identity Manager release 9.0.1 through 9.0.3.2 and release 9.1.0.x: Oracle Identity Manager Design Console Guide
For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:
Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
Search for and open the JDE Resource Object resource object.
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rule for target resource reconciliation.
Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation
Table 1-6 lists the provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.
The following sections provide information about connector objects used during trusted source reconciliation:
Section 1.7.1, "User Attributes for Trusted Source Reconciliation"
Section 1.7.2, "Reconciliation Rule for Trusted Source Reconciliation"
Section 1.7.3, "Reconciliation Action Rules for Trusted Source Reconciliation"
Table 1-7 lists user attributes for trusted source reconciliation.
Table 1-7 User Attributes for Trusted Source Reconciliation
OIM User Form Field | Target System Attribute | Description |
---|---|---|
User ID |
USER |
Login ID |
First Name |
USER |
Login ID |
Last Name |
USER |
Login ID |
Employee Type |
NA |
Default value: |
User Type |
NA |
Default value: |
Organization |
NA |
Default value: |
See Also:
Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rules
The following is the process matching rule:
Rule name: Trusted Source recon Rule
Rule element: User Login equals User ID
In this rule element:
User Login is one of the following:
For Oracle Identity Manager Release 9.0.1 through 9.0.3.x:
User ID attribute on the Xellerate User form.
For Oracle Identity Manager release 9.1.0.x or release 11.1.1:
User ID attribute on the OIM User form.
User ID is the User field of JD Edwards.
After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.
Log in to the Oracle Identity Manager Design Console.
Expand Development Tools.
Double-click Reconciliation Rules.
Search for Trusted Source recon Rule. Figure 1-4 shows the reconciliation rule for trusted source reconciliation.
Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation
Table 1-8 lists the action rules for target resource reconciliation.
Table 1-8 Action Rules for Trusted Source Reconciliation
Rule Condition | Action |
---|---|
No Matches Found |
Create User |
One Entity Match Found |
Establish Link |
One Process Match Found |
Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:
For Oracle Identity Manager release 9.0.1 through 9.0.3.2 and release 9.1.0.x: Oracle Identity Manager Design Console Guide
For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:
Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
Search for and open the Xellerate User resource object.
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rules for trusted source reconciliation.
Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation
The following is the organization of information in the rest of this guide:
Chapter 2, "Deploying the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
Chapter 3, "Using the Connector" describes guidelines on using the connector and the procedure to configure reconciliation runs and perform provisioning operations.
Chapter 4, "Extending the Functionality of the Connector" describes procedures that you can perform if you want to extend the functionality of the connector.
Chapter 5, "Known Issues" lists known issues associated with this release of the connector.