3 Configuring the Connector

After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:

Note:

This chapter provides both conceptual and procedural information about configuring and customizing the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves replicating in Oracle Identity Manager the additions of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.1.1 Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

For this connector, you create a filter by specifying values for the CustomReconQuery, CompareType, and GroupTokenizerForCustomReconQuery scheduled task attributes while performing the procedure described in the "Configuring the Reconciliation Scheduled Tasks" section.

You can use the following attributes to build the query condition:

  • Last Name

  • First Name

  • Default Login

  • Permanent or Temporary

  • By Token

  • By User Extension

  • Group

The following table lists sample query conditions:

CustomReconQuery | CompareType | Description
---------------- | ----------- | -----------
[none] | Any value (Note: the value must not be empty, because the scheduler does not allow empty values for attributes) | Gets all users that are available in the target system
Last Name=D | Begins With | Gets all users whose last name starts with D
Last Name=Doe | Equals To | Gets all users with Doe as their last name
Last Name=oe | Contains | Gets all users whose last name contains oe
First Name=J | Begins With | Gets all users whose first name starts with J
First Name=John | Equals To | Gets all users with John as their first name
First Name=oh | Contains | Gets all users whose first name contains oh
First Name | With Empty Value | Gets all users with an empty first name
First Name | With Non Empty Value | Gets all users with a nonempty first name
Default Login=j | Begins With | Gets all users whose default login starts with j
Default Login=john | Equals To | Gets all users with john as their default login
Default Login=oh | Contains | Gets all users whose default login contains oh
By Token | Lost Tokens | Gets all users with token status Lost
By Token | All With Passwords | Gets all users who have a password
By Token | All With Expired Tokens | Gets all users with token status Expired
By User Extension | All With Extension | Gets all users that have extension data
By User Extension | All Without Extension | Gets all users that do not have extension data
By User Extension=key1 | All With Extension Keys | Gets all users that have extension data with key key1
By User Extension=key1 | All Without Extension Keys | Gets all users that do not have extension data with key key1
Permanent or Temporary | All Permanent | Gets all permanent users
Permanent or Temporary | All Temporary | Gets all temporary users

If you want to reconcile users belonging to more than one group, then you can specify multiple groups as the value of CustomReconQuery, for example, CustomReconQuery=grp1,grp2,grp3. In this example, the group names are separated by commas. You specify the separator as the value of GroupTokenizerForCustomReconQuery, as shown:

GroupTokenizerForCustomReconQuery=,

The following table lists sample query conditions with values for GroupTokenizerForCustomReconQuery:

CustomReconQuery | CompareType | GroupTokenizerForCustomReconQuery | Description
---------------- | ----------- | --------------------------------- | -----------
Group=grpParent,grpChild1 (Note: if a group name contains a comma, specify any other separator, such as $) | Any value (Note: the value must not be empty, because the scheduler does not allow empty values for attributes) | $ | Gets all users who belong to the grpParent,grpChild1 group
Group=grpParent,grpChild1$grpParent,grpChild2 | Any value | $ | Gets all users who belong to the grpParent,grpChild1 group or the grpParent,grpChild2 group
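The following evaluator is an added example, not code from the connector guide or from the connector itself. It applies a CustomReconQuery, CompareType and GroupTokenizerForCustomReconQuery triple, as in the two tables above, to constructed user records; the record layout (the HasPassword, Extension and Groups keys) is an assumption made for the illustration.

```python
# Added example, not the connector's own code: an evaluator for the
# CustomReconQuery / CompareType / GroupTokenizerForCustomReconQuery filters
# described in the tables above, run over constructed user records.
# The record layout (HasPassword, Extension, Groups keys) is an assumption.

# Constructed sample records; keys mirror the query attributes in the guide.
USERS = [
    {"Last Name": "Doe", "First Name": "John", "Default Login": "jdoe",
     "Permanent": True, "Token": "Active", "HasPassword": True,
     "Extension": {"key1": "a"}, "Groups": ["grpParent,grpChild1"]},
    {"Last Name": "Dawson", "First Name": "", "Default Login": "dawson",
     "Permanent": False, "Token": "Lost", "HasPassword": False,
     "Extension": {}, "Groups": ["grpParent,grpChild2"]},
    {"Last Name": "Smith", "First Name": "Joan", "Default Login": "jsmith",
     "Permanent": True, "Token": "Expired", "HasPassword": True,
     "Extension": {"key2": "b"}, "Groups": ["ops"]},
]

TOKEN_STATUS = {"lost tokens": "Lost", "all with expired tokens": "Expired"}


def parse_query(custom_recon_query):
    """Split 'Field=value' into (field, value); '[None]' means no filter.
    An empty value is rejected: the scheduler does not accept empty attributes."""
    query = custom_recon_query.strip()
    if not query:
        raise ValueError("CustomReconQuery must not be empty")
    if query.lower() == "[none]":
        return None, None
    field, sep, value = query.partition("=")
    return field.strip(), (value.strip() if sep else None)


def matches(user, field, value, compare_type, tokenizer=","):
    """Return True when one user record satisfies the query condition."""
    ct = compare_type.strip().lower()
    if field is None:                       # [None]: reconcile every record
        return True
    if field in ("Last Name", "First Name", "Default Login"):
        actual = user.get(field, "")
        return {"begins with": actual.startswith(value or ""),
                "equals to": actual == value,
                "contains": (value or "") in actual,
                "with empty value": actual == "",
                "with non empty value": actual != ""}.get(ct, False)
    if field == "Permanent or Temporary":   # All Permanent / All Temporary
        return user["Permanent"] == (ct == "all permanent")
    if field == "By Token":
        if ct == "all with passwords":
            return user["HasPassword"]
        return TOKEN_STATUS.get(ct) == user["Token"]
    if field == "By User Extension":
        ext = user["Extension"]
        return {"all with extension": bool(ext),
                "all without extension": not ext,
                "all with extension keys": value in ext,
                "all without extension keys": value not in ext}.get(ct, False)
    if field == "Group":
        # Group names may contain commas, so the list is split on the
        # configured GroupTokenizerForCustomReconQuery instead of always ','.
        wanted = [g.strip() for g in (value or "").split(tokenizer) if g.strip()]
        return any(g in wanted for g in user["Groups"])
    raise ValueError("unsupported CustomReconQuery attribute: %s" % field)


def reconcile(users, custom_recon_query, compare_type, tokenizer=","):
    """Return the Default Login of every record selected by the filter."""
    field, value = parse_query(custom_recon_query)
    return [u["Default Login"] for u in users
            if matches(u, field, value, compare_type, tokenizer)]


if __name__ == "__main__":
    print(reconcile(USERS, "Last Name=D", "Begins With"))
    print(reconcile(USERS, "Group=grpParent,grpChild1$grpParent,grpChild2",
                    "Any value", tokenizer="$"))
```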

3.1.2 Configuring the Reconciliation Scheduled Tasks

When you perform the procedure described in the "Importing the Connector XML Files" section, the scheduled tasks for lookup fields and user reconciliations are automatically created in Oracle Identity Manager. To configure the scheduled task:

  1. Log in to the Administrative and User Console.

  2. Do one of the following:

    1. If you are using an Oracle Identity Manager release from 9.0.1 through 9.0.3.2, expand Resource Management, and then click Manage Scheduled Task.

    2. If you are using Oracle Identity Manager release 11.1.1, then on the Welcome to Oracle Identity Manager Self Service page, click Advanced.

  3. Search for and open the scheduled task as follows:

    • If you are using an Oracle Identity Manager release from 9.0.1 through 9.0.3.2, then:

      1. On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.

      2. In the search results table, click the edit icon in the Edit column for the scheduled task.

3. On the Scheduled Task Details page, where the details of the scheduled task that you selected are displayed, click Edit.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management section, click Search Scheduled Jobs.

      2. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

      3. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. Modify the details of the scheduled task. To do so:

    1. If you are using an Oracle Identity Manager release from 9.0.1 through 9.0.3.2, then on the Edit Scheduled Task Details page, modify the following parameters, and then click Continue:

      • Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

      • Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.

      • Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

      • Frequency: Specify the frequency at which you want the task to run.

    2. If you are using Oracle Identity Manager release 11.1.1, then on the Job Details tab, you can modify the following parameters:

      • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

      • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

      Note:

      See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

      In addition to modifying the job details, you can enable or disable a job.

  5. Specify values for the attributes of the scheduled task. To do so:

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    • If you are using an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x, then on the Attributes page, select the attribute from the Attribute list, specify a value in the field provided, and then click Update.

    • If you are using Oracle Identity Manager release 11.1.1, then on the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Table 3-1 describes the attributes of the scheduled task.

    Table 3-1 Scheduled Task Attributes

    IsTrusted
      Description: Specifies whether reconciliation must be performed in trusted mode.
      Sample value: True or False

    Server
      Description: Name of the IT resource.
      Sample value: ACE Server Remote

    Target System Recon - Resource Object name
      Description: Name of the target system resource object corresponding to the RSA Authentication Manager User.
      Sample value: Auth Manager User

    Target System Recon - Token Resource Object name
      Description: Name of the target system resource object corresponding to the RSA Authentication Manager User Token that is assigned to the user.
      Sample value: Auth Manager Token

    Trusted Source Recon - Resource Object name
      Description: Name of the trusted source resource object.
      Sample value: Xellerate User

    IsDeleteAllowed
      Description: Specifies whether users who have been deleted in the target system must also be deleted in Oracle Identity Manager.
      Sample value: True or False

    Start Record
      Description: Specifies the record number from which the reconciliation for CustomReconQuery and CompareType must begin.
      If the scheduled task fails after reconciling 10000 records, then you can specify the value of StartRecord as 10000 so that reconciliation starts from the record where it failed. Records that have already been reconciled do not have to be reconciled again.
      Sample value: 1

    BatchSize
      Description: Specifies the number of records to be reconciled in a batch.
      Caution: If you specify a very high value for BatchSize, for example 50000, then an out-of-memory exception may occur in the Remote Manager.
      Sample value: 1000

    FieldMapForCustomQuery
      Description: Specifies the name of the lookup definition that maps each CustomReconQuery field name to the number that the target system uses for that field. The RSA ACE Server API accepts numbers to identify field names in the target system.
      Sample value: UD_Lookup.Ace.CustomRecon.FieldMap

    CompareTypeMapForCustomQuery
      Description: Specifies the name of the lookup definition that maps each CompareType (as specified in the scheduled task) to its equivalent number in the target system. The RSA ACE Server accepts numbers to identify the search operator applied to a field.
      Sample value: UD_Lookup.Ace.CustomRecon.CompareTypeMap

    CustomReconQuery
      Description: Query condition on which reconciliation must be based. If you specify a query condition for this attribute, then the target system records are searched based on that condition. If you want to reconcile all the target system records, then specify [None] as the value for this attribute. For more information about this attribute, refer to the "Limited Reconciliation" section.
      Sample value: [None]

    CompareType
      Description: Specifies the type of comparison used in the query condition of CustomReconQuery.
      Sample value: Equals To

    NumberOfCharactersInEachUser
      Description: Indicates the memory allocated for each user in the C code.
      Caution: If you specify a very low value for NumberOfCharactersInEachUser, for example 10, then the Remote Manager's JVM may stop.
      Sample value: 500

    Organization
      Description: Specifies the name of the organization under which users are created during trusted source reconciliation.
      Sample value: Xellerate Users

    Xellerate Type
      Description: Specifies the type of user created during trusted source reconciliation. If you reconcile users in trusted mode, then you must specify a value for this attribute.
      Sample value: End-User

    Role
      Description: Specifies the type of employment of a user in trusted source reconciliation.
      Sample value: Full-Time

    TrustedDeleteReconObjectStatusList
      Description: Specifies the statuses of the users that must be deleted during delete reconciliation in trusted mode. If you perform delete reconciliation in trusted mode, then you must specify the statuses, separated by commas.
      Sample value: Enabled, Disabled, Active

    TargetDeleteReconObjectStatusList
      Description: Specifies the statuses of the users that must be deleted during target resource reconciliation. If you delete users during target resource reconciliation, then you must specify the statuses, separated by commas.
      Sample value: Enabled, Disabled, Provisioned

    TrustedDeleteReconExemptedUserIDs
      Description: Specifies the list of user IDs that must be excluded from trusted delete reconciliation.
      Sample value: XELOPERATOR, XELSELFREG, XELSYSADM

    GroupTokenizerForCustomReconQuery
      Description: Specifies the separator for the group names provided in CustomReconQuery. For more information about GroupTokenizerForCustomReconQuery, see "Limited Reconciliation".
      Sample value: $

    IsEnableLog
      Description: Specifies whether a log file is generated during reconciliation. The default value is No, which means that no log file is generated. When the value is set to Yes, the OIM_ACE_INTG.log file is generated.
      Note: New entries are always appended to the existing log file, so the file can grow until it exhausts the available disk space. Therefore, set the value of IsEnableLog to Yes only when you need to debug.
      Sample value: Yes or No

    LogFileLocationInRemoteManager
      Description: Specifies the directory on the Remote Manager in which the log file is generated. The default value is None, which means that the log file is generated in the Remote Manager absolute path.
      Note: The Remote Manager absolute path is the directory in which the Remote Manager's .batch and .sh files are stored.
      Sample value: D:\RM\log


  6. After specifying the attributes, perform one of the following steps:

    • If you are using an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x, then click Save Changes to save the changes.

      Note:

      The Stop Execution option is not available in the Administrative and User Console. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.

    • If you are using Oracle Identity Manager release 11.1.1, then click Apply to save the changes.

      Note:

      The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.
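The following simulation is an added example, not code from the connector guide or from the connector itself. It shows two behaviours that the Table 3-1 attributes describe: how Start Record and BatchSize drive a resumable reconciliation run (the value to resume with after a failure is the first record that was not yet reconciled), and how TrustedDeleteReconObjectStatusList and TrustedDeleteReconExemptedUserIDs together decide which Oracle Identity Manager users a trusted delete reconciliation may remove. The record layouts, the injected failure and the ReconFailure class are assumptions made for the illustration.

```python
# Added example, not the connector's own code: a simulation of the Start
# Record / BatchSize resume behaviour and of the trusted delete-reconciliation
# selection controlled by TrustedDeleteReconObjectStatusList and
# TrustedDeleteReconExemptedUserIDs. Record layouts and the injected failure
# are assumptions; record numbers are 1-based, matching the sample value 1.


class ReconFailure(Exception):
    """Raised when a batch cannot be completed; carries the resume position."""

    def __init__(self, resume_start_record, cause):
        super().__init__("failed at record %d: %s" % (resume_start_record, cause))
        self.resume_start_record = resume_start_record


def batch_ranges(total, start_record=1, batch_size=1000):
    """Yield (first, last) record numbers for each batch, starting at Start
    Record so that records reconciled by an earlier run are skipped."""
    if start_record < 1 or batch_size < 1:
        raise ValueError("Start Record and BatchSize must be positive")
    first = start_record
    while first <= total:
        last = min(first + batch_size - 1, total)
        yield first, last
        first = last + 1


def run_reconciliation(records, start_record=1, batch_size=1000, fail_at=None):
    """Process records in batches. fail_at (a record number) injects a failure
    to show which Start Record value the next run should use.
    Returns the list of record numbers that were reconciled."""
    done = []
    for first, last in batch_ranges(len(records), start_record, batch_size):
        batch = records[first - 1:last]
        for offset, _record in enumerate(batch):
            number = first + offset
            if number == fail_at:
                # Records 1..number-1 are reconciled; resume at `number`.
                raise ReconFailure(number, "simulated Remote Manager error")
            done.append(number)
    return done


def parse_list(value):
    """Split a comma-separated attribute such as 'Enabled, Disabled, Active'."""
    return [item.strip() for item in value.split(",") if item.strip()]


def select_for_delete(oim_users, target_logins, status_list, exempted_ids):
    """Trusted delete reconciliation: return the OIM user IDs that no longer
    exist on the target, whose status is in TrustedDeleteReconObjectStatusList
    and which are not listed in TrustedDeleteReconExemptedUserIDs."""
    statuses = set(parse_list(status_list))
    exempted = set(parse_list(exempted_ids))
    present = set(target_logins)
    return [u["id"] for u in oim_users
            if u["id"] not in present
            and u["status"] in statuses
            and u["id"] not in exempted]


# Constructed sample data: OIM users and the logins still on the target.
OIM_USERS = [
    {"id": "XELSYSADM", "status": "Active"},
    {"id": "jdoe", "status": "Active"},
    {"id": "dawson", "status": "Disabled"},
    {"id": "jsmith", "status": "Deleted"},
    {"id": "ops1", "status": "Active"},
]
TARGET_LOGINS = ["jdoe"]


if __name__ == "__main__":
    records = list(range(25))
    try:
        run_reconciliation(records, batch_size=10, fail_at=17)
    except ReconFailure as err:
        print(run_reconciliation(records, start_record=err.resume_start_record,
                                 batch_size=10))
    print(select_for_delete(OIM_USERS, TARGET_LOGINS, "Enabled, Disabled, Active",
                            "XELOPERATOR, XELSELFREG, XELSYSADM"))
```

Because the exempted list is honoured before any deletion is selected, the built-in XELSYSADM account survives the run even though it is absent from the target and its status is in the list.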

3.2 Configuring the Connector for Multiple Installations of the Target System

Note:

Perform this procedure only if you want to configure the connector for multiple installations of RSA Authentication Manager.

You may want to configure the connector for multiple installations of RSA Authentication Manager. The following example illustrates this requirement:

The Tokyo, London, and New York offices of Example Multinational Inc. have their own installations of RSA Authentication Manager. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of RSA Authentication Manager.

To meet the requirement posed by such a scenario, you must configure the connector for multiple installations of RSA Authentication Manager.

To configure the connector for multiple installations of the target system:

See Also:

One of the following guides for detailed instructions on performing each step of this procedure:

  • For Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x, see Oracle Identity Manager Design Console Guide.

  • For Oracle Identity Manager release 11.1.1, see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

  1. Create and configure one IT resource for each target system installation.

    The IT Resources form is in the Resource Management folder. An IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources, of the same resource type.

  2. Configure reconciliation for each target system installation. Refer to the "Configuring Reconciliation" section for instructions. Note that you need to modify only the attributes that are used to specify the IT resource and to specify whether or not the target system installation is to be set up as a trusted source.

    You can designate either a single or multiple installations of RSA Authentication Manager as the trusted source.

  3. If required, modify the fields to be reconciled for the Xellerate User resource object.

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the RSA Authentication Manager installation to which you want to provision the user.

3.3 Performing Provisioning Operations

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.

When you install the connector on Oracle Identity Manager release 11.1.1, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in "Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1".

The following are types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning

  • Provisioning triggered by policy changes

See Also:

Oracle Identity Manager Connector Concepts for information about the types of provisioning

This section discusses the following topics:

3.3.1 Direct Provisioning

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. If you want to first create an OIM User and then provision a target system account, then:

    • If you are using an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x, then:

      1. From the Users menu, select Create.

      2. On the Create User page, enter values for the OIM User fields and then click Create User.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Identity Administration page, in the Users region, click Create User.

      2. On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    • If you are using an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x, then:

      1. From the Users menu, select Manage.

      2. Search for the OIM User and select the link for the user from the list of users displayed in the search results.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.

      2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x, then:

      1. On the User Detail page, select Resource Profile from the list at the top of the page.

      2. On the Resource Profile page, click Provision New Resource.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the user details page, click the Resources tab.

      2. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  5. On the Step 1: Select a Resource page, select Auth Manager User from the list and then click Continue.

  6. On the Step 2: Verify Resource Selection page, click Continue.

  7. On the Step 5: Provide Process Data for Auth Manager User Details page, enter the details of the account that you want to create on the target system and then click Continue.

  8. On the Step 5: Provide Process Data for Auth Manager User page, search for and select a group for the user on the target system and then click Continue.

  9. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

  10. The "Provisioning has been initiated" message is displayed. Perform one of the following steps:

    • If you are using an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x, then click Back to User Resource Profile. The Resource Profile page shows that the resource has been provisioned to the user.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. Close the window displaying the "Provisioning has been initiated" message.

      2. On the Resources tab, click Refresh to view the newly provisioned resource.

3.3.2 Request-Based Provisioning

Note:

The information provided in this section is applicable only if you are using Oracle Identity Manager release 11.1.1.

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

3.3.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Advanced in the upper-right corner of the page.

  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.

  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.

6. On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.

  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.

  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.

  10. From the Available Resources list, select Auth Manager User, move it to the Selected Resources list, and then click Next.

  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.

  12. On the Justification page, you can specify values for the following fields, and then click Finish.

    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.

  14. To view details of the approval, on the Request Details page, click the Request History tab.

3.3.2.2 Approver's Role in Request-Based Provisioning

The following steps are performed by the approver in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Self-Service in the upper-right corner of the page.

  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.

4. On the Approvals tab, in the first section, you can specify a search criterion for the request tasks that are assigned to you.

  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

3.4 Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1

Note:

It is assumed that you have performed the procedure described in the "Configuring Oracle Identity Manager Release 11.1.1 for Request-Based Provisioning" section.

On Oracle Identity Manager release 11.1.1, if you want to switch from request-based provisioning to direct provisioning, then:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the Auth Manager User process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

    5. Repeat this procedure to deselect the Auto Save Form check box for the Auth Manager Token process definition.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the Auth Manager User resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

    5. Repeat this procedure to deselect the Self Request Allowed check box for the Auth Manager Token process definition.

On Oracle Identity Manager release 11.1.1, if you want to switch from direct provisioning back to request-based provisioning, then:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the Auth Manager User process definition.

    3. Select the Auto Save Form check box.

    4. Click the Save icon.

    5. Repeat this procedure to select the Auto Save Form check box for the Auth Manager Token process definition.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the Auth Manager User resource object.

    3. Select the Self Request Allowed check box.

    4. Click the Save icon.

    5. Repeat this procedure to select the Self Request Allowed check box for the Auth Manager Token process definition.