Contents

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Documentation Updates
• Conventions

What's New in the Oracle Identity Manager Connector for Database User Management?

• Software Updates
• Documentation-Specific Updates

1 About the Connector

• 1.1 Certified Components
• 1.2 Certified Languages
• 1.3 Connector Architecture
  • 1.3.1 Reconciliation Process
  • 1.3.2 Provisioning Process
• 1.4 Features of the Connector
  • 1.4.1 Mapping Standard and Custom Attributes for Reconciliation and Provisioning
  • 1.4.2 Predefined and Custom Reconciliation Queries
  • 1.4.3 Predefined and Custom Provisioning Statements
  • 1.4.4 Framework for Supporting Connector Operations on JDBC-Based Databases
  • 1.4.5 Support for Creating Global and External Users In Oracle Database
  • 1.4.6 Support for Configuring the Connector for Reconciling and Provisioning Object-Level Privileges in Oracle Database
  • 1.4.7 Dependent Lookup Fields
  • 1.4.8 Full and Incremental Reconciliation
  • 1.4.9 Limited (Filtered) Reconciliation
  • 1.4.10 Batched Reconciliation
  • 1.4.11 Specifying Accounts to Be Excluded from Reconciliation and Provisioning Operations
  • 1.4.12 Connection Pooling
  • 1.4.13 Support for Creating Connector Copies
  • 1.4.14 Transformation and Validation of Account Data
  • 1.4.15 Support for Reconciling Data About Deleted Login Entities
  • 1.4.16 Separate Scheduled Tasks for Reconciliation of Users, Logins, and Deleted Login Entities
  • 1.4.17 Support for SSL Communication Between the Target System and Oracle Identity Manager
  • 1.4.18 Support for Managing Authorization to Oracle Database Vault Realms
  • 1.4.19 Support for Configuring the Connector for Enterprise User Security
• 1.5 Lookup Definitions Used During Connector Operations
  • 1.5.1 Lookup Definitions Synchronized with the Target System
    • 1.5.1.1 Lookup Fields Synchronized with IBM DB2 UDB
    • 1.5.1.2 Lookup Fields Synchronized with Microsoft SQL Server
    • 1.5.1.3 Lookup Fields Synchronized with MySQL
    • 1.5.1.4 Lookup Fields Synchronized with Oracle Database
    • 1.5.1.5 Lookup Fields Synchronized with Sybase
  • 1.5.2 Preconfigured Lookup Definitions
    • 1.5.2.1 Lookup Definitions for IBM DB2 UDB
    • 1.5.2.2 Lookup Definitions for Microsoft SQL Server
    • 1.5.2.3 Lookup Definitions for MySQL
    • 1.5.2.4 Lookup Definitions for Oracle Database
    • 1.5.2.5 Lookup Definitions for Sybase
• 1.6 Connector Objects Used During Reconciliation
  • 1.6.1 Reconciliation Queries
  • 1.6.2 Target System Columns Used in Reconciliation
    • 1.6.2.1 Target System Columns Used in Target Resource Reconciliation
    • 1.6.2.2 Target System Columns Used in Trusted Source Reconciliation
  • 1.6.3 Reconciliation Rules
    • 1.6.3.1 Reconciliation Rules for Target Resource Reconciliation
    • 1.6.3.2 Reconciliation Rules for Trusted Source Reconciliation
    • 1.6.3.3 Viewing Reconciliation Rules in the Design Console
  • 1.6.4 Reconciliation Action Rules
    • 1.6.4.1 Reconciliation Action Rules for Target Resource Reconciliation
    • 1.6.4.2 Reconciliation Action Rules for Trusted Source Reconciliation
    • 1.6.4.3 Viewing Reconciliation Action Rules
• 1.7 Connector Objects Used During Provisioning
  • 1.7.1 Provisioning Functions
    • 1.7.1.1 Provisioning Functions for IBM DB2 UDB
    • 1.7.1.2 Provisioning Functions for Microsoft SQL Server
    • 1.7.1.3 Provisioning Functions for MySQL
    • 1.7.1.4 Provisioning Functions for Oracle Database
    • 1.7.1.5 Provisioning Functions for Sybase
  • 1.7.2 Attributes for Provisioning
    • 1.7.2.1 Attributes for Provisioning in IBM DB2 UDB
    • 1.7.2.2 Attributes for Provisioning in Microsoft SQL Server
    • 1.7.2.3 Attributes for Provisioning in MySQL
    • 1.7.2.4 Attributes for Provisioning in Oracle Database
    • 1.7.2.5 Attributes for Provisioning in Sybase
• 1.8 Roadmap for Deploying and Using the Connector

2 Deploying the Connector

• 2.1 Preinstallation
  • 2.1.1 Preinstallation on Oracle Identity Manager
    • 2.1.1.1 Files and Directories on the Installation Media
    • 2.1.1.2 Determining the Release Number of the Connector
    • 2.1.1.3 Creating a Backup of the Existing Common.jar File
  • 2.1.2 Preinstallation on the Target System
    • 2.1.2.1 Configuring Microsoft SQL Server
    • 2.1.2.2 Using External Code Files
• 2.2 Installation
  • 2.2.1 Running the Connector Installer
  • 2.2.2 Copying Files to the Oracle Identity Manager Host Computer
• 2.3 Postinstallation
  • 2.3.1 Postinstallation on Oracle Identity Manager
    • 2.3.1.1 Configuring the Target System As a Trusted Source
    • 2.3.1.2 Changing to the Required Input Locale
    • 2.3.1.3 Modifying the SVP Table
    • 2.3.1.4 Clearing Content Related to Connector Resource Bundles from the Server Cache
    • 2.3.1.5 Enabling Logging
    • 2.3.1.6 Modifying the Lookup.DBUM.MSSQL.TargetRecon.Role.Mapping Lookup Definition
    • 2.3.1.7 Configuring the Connector for Incremental Reconciliation
    • 2.3.1.8 Configuring Oracle Identity Manager for Request-Based Provisioning
  • 2.3.2 Creating the Administrator Account on Oracle Database Vault
  • 2.3.3 Configuring Secure Communication Between the Target System and Oracle Identity Manager
    • 2.3.3.1 Configuring Secure Communication Between IBM DB2 UDB and Oracle Identity Manager
    • 2.3.3.2 Configuring Secure Communication Between Microsoft SQL Server and Oracle Identity Manager
    • 2.3.3.3 Configuring Secure Communication Between MySQL and Oracle Identity Manager
    • 2.3.3.4 Configuring Secure Communication Between Oracle Database and Oracle Identity Manager
    • 2.3.3.5 Configuring Secure Communication Between Sybase and Oracle Identity Manager
  • 2.3.4 Determining Values for the JDBC URL and Connection Properties Parameters
    • 2.3.4.1 JDBC URL and Connection Properties for IBM DB2 UDB
    • 2.3.4.2 JDBC URL and Connection Properties for Microsoft SQL Server
    • 2.3.4.3 JDBC URL and Connection Properties for MySQL
    • 2.3.4.4 JDBC URL and Connection Properties for Oracle Database
    • 2.3.4.5 JDBC URL and Connection Properties for Sybase Adaptive Server Enterprise
  • 2.3.5 Configuring the IT Resource

3 Using the Connector

• 3.1 Setting Up Lookup Definitions in Oracle Identity Manager
  • 3.1.1 Setting Up the Configuration Lookup Definition for a Target Resource
  • 3.1.2 Setting Up the Configuration Lookup Definition for a Trusted Source
  • 3.1.3 Setting Up the ExclusionList Lookup Definition
• 3.2 Guidelines on Configuring Reconciliation
• 3.3 Scheduled Task for Lookup Field Synchronization
• 3.4 Configuring Reconciliation
  • 3.4.1 Performing Full Reconciliation
  • 3.4.2 Reconciliation Time Stamp
  • 3.4.3 Batched Reconciliation
  • 3.4.4 Configuring Limited Reconciliation
    • 3.4.4.1 Specifying a Value for the Custom Query Attribute
    • 3.4.4.2 Adding a Filter Parameter in the Reconciliation Query
  • 3.4.5 Reconciliation Scheduled Tasks
    • 3.4.5.1 Scheduled Tasks for Reconciling Data About Users and Logins
    • 3.4.5.2 Scheduled Tasks for Reconciling Data About Deleted Users or Logins
• 3.5 Configuring Scheduled Tasks
• 3.6 Guidelines on Performing Provisioning Operations
  • 3.6.1 Guidelines Common to Performing Provisioning Operations on Any Target System
  • 3.6.2 Guidelines on Performing Provisioning Operations in IBM DB2 UDB
  • 3.6.3 Guidelines on Performing Provisioning Operations in Microsoft SQL Server
  • 3.6.4 Guidelines on Performing Provisioning Operations in Oracle Database
  • 3.6.5 Guidelines on Performing Provisioning Operations in Sybase
• 3.7 Performing Provisioning Operations
  • 3.7.1 Direct Provisioning
  • 3.7.2 Request-Based Provisioning
    • 3.7.2.1 End User's Role in Request-Based Provisioning
    • 3.7.2.2 Approver's Role in Request-Based Provisioning
• 3.8 Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1

4 Extending the Functionality of the Connector

• 4.1 Guidelines on Extending the Functionality of the Connector
  • 4.1.1 Guidelines for Configuring Queries Used in Lookup Field Synchronization
  • 4.1.2 Guidelines for Configuring Queries Used in Reconciliation
  • 4.1.3 Guidelines Common to Configuring Both Types of Queries
  • 4.1.4 Guidelines on Modifying Predefined Attribute Mappings for Provisioning
• 4.2 Adding or Removing Attributes for Reconciliation
  • 4.2.1 Adding New Standard and Custom Attributes for Reconciliation
  • 4.2.2 Adding New Standard and Custom Multivalued Attributes for Target Resource Reconciliation
  • 4.2.3 Removing Attributes Used for Reconciliation
• 4.3 Adding or Removing Attribute Mappings for Provisioning
  • 4.3.1 Adding New Standard and Custom Attributes for Provisioning
  • 4.3.2 Adding New Standard and Custom Multivalued Attributes for Provisioning
  • 4.3.3 Removing Attributes for Provisioning
• 4.4 Modifying Field Lengths on the Process Form
• 4.5 Configuring the Connector for Multiple Installations of the Target System
  • 4.5.1 Enabling the Dependent Lookup Fields Feature
• 4.6 Configuring the Connector for Multiple Trusted Source Reconciliation
• 4.7 Configuring Reconciliation Queries
• 4.8 Configuring Validation of Data During Reconciliation and Provisioning
• 4.9 Configuring Transformation of Data During Reconciliation
• 4.10 Configuring the Connector for Reconciling and Provisioning Object-Level Privileges
  • 4.10.1 Configuring the Connector for Provisioning Object-Level Privileges
  • 4.10.2 Configuring the Connector for Reconciling Object-Level Privileges
• 4.11 Configuring the Connector for Reconciling and Provisioning Authorization to Oracle Database Vault Realms
  • 4.11.1 Configuring the Connector for Provisioning Authorization to Oracle Database Vault Realms
  • 4.11.2 Configuring the Connector for Reconciling Authorization to Oracle Database Vault Realms

5 Configuring the Connector for a JDBC-Based Database

• 5.1 Deploying the Connector
• 5.2 Creating an IT Resource for Your Database
• 5.3 Creating a Resource Object
• 5.4 Creating a Process Form
• 5.5 Adding Attributes for Provisioning
• 5.6 Creating Lookup Definitions Used During Connector Operations
• 5.7 Creating a Process Definition
• 5.8 Adding Process Tasks, Assigning Adapters, and Mapping Adapter Variables
• 5.9 Configuring Oracle Identity Manager for Request-Based Provisioning
• 5.10 Adding Attributes for Reconciliation
• 5.11 Guidelines on Creating or Configuring Queries Used for Reconciliation and Lookup Synchronization
• 5.12 Creating Scheduled Tasks
  • 5.12.1 Creating Scheduled Tasks on Oracle Identity Manager Release 9.1.0.x
  • 5.12.2 Creating Scheduled Jobs on Oracle Identity Manager Release 11.1.1
• 5.13 Configuring Status Reconciliation

6 Testing the Connector

7 Known Issues

A Preconfigured Lookup Definitions

• A.1 Lookup Definitions for IBM DB2 UDB
  • A.1.1 Lookup.DBUM.DB2.Configuration
  • A.1.2 Lookup.DBUM.DB2.Error.Mapping
  • A.1.3 Lookup.DBUM.DB2.ExclusionList
  • A.1.4 Lookup.DBUM.DB2.Parameter.Configuration
  • A.1.5 Lookup.DBUM.DB2.Provisioning.Validation
  • A.1.6 Lookup.DBUM.DB2.Query.Configuration
  • A.1.7 Lookup.DBUM.DB2.TargetRecon.Delete.Mapping
  • A.1.8 Lookup.DBUM.DB2.TargetRecon.Mapping
  • A.1.9 Lookup.DBUM.DB2.TargetRecon.QueryFilter
  • A.1.10 Lookup.DBUM.DB2.TargetRecon.Schema.Configuration
  • A.1.11 Lookup.DBUM.DB2.TargetRecon.Schema.Mapping
  • A.1.12 Lookup.DBUM.DB2.TargetRecon.Schema.QueryFilter
  • A.1.13 Lookup.DBUM.DB2.TargetRecon.Tablespace.Configuration
  • A.1.14 Lookup.DBUM.DB2.TargetRecon.Tablespace.Mapping
  • A.1.15 Lookup.DBUM.DB2.TargetRecon.Tablespace.QueryFilter
  • A.1.16 Lookup.DBUM.DB2.TargetRecon.Transformation
  • A.1.17 Lookup.DBUM.DB2.TargetRecon.UserTypeMapping
  • A.1.18 Lookup.DBUM.DB2.TargetRecon.Validation
  • A.1.19 Lookup.DBUM.DB2.TrustedRecon.Configuration
  • A.1.20 Lookup.DBUM.DB2.TrustedRecon.Delete.Mapping
  • A.1.21 Lookup.DBUM.DB2.TrustedRecon.ExclusionList
  • A.1.22 Lookup.DBUM.DB2.TrustedRecon.Mapping
  • A.1.23 Lookup.DBUM.DB2.TrustedRecon.QueryFilter
  • A.1.24 Lookup.DBUM.DB2.TrustedRecon.Transformation
  • A.1.25 Lookup.DBUM.DB2.TrustedRecon.Validation
  • A.1.26 Lookup.DBUM.DB2.UserType
  • A.1.27 Lookup.DBUM.DB2.WithGrantOption
• A.2 Lookup Definitions for Microsoft SQL Server
  • A.2.1 Lookup.DBUM.MSSQL.AuthType
  • A.2.2 Lookup.DBUM.MSSQL.AuthType.KeyMapping.CreateLogin
  • A.2.3 Lookup.DBUM.MSSQL.AuthType.KeyMapping.CreateUser
  • A.2.4 Lookup.DBUM.MSSQL.AuthType.KeyMapping.DeleteLogin
  • A.2.5 Lookup.DBUM.MSSQL.AuthType.KeyMapping.DeleteUser
  • A.2.6 Lookup.DBUM.MSSQL.AuthType.KeyMapping.DisableLogin
  • A.2.7 Lookup.DBUM.MSSQL.AuthType.KeyMapping.EnableLogin
  • A.2.8 Lookup.DBUM.MSSQL.Configuration
  • A.2.9 Lookup.DBUM.MSSQL.Error.Mapping
  • A.2.10 Lookup.DBUM.MSSQL.ExclusionList
  • A.2.11 Lookup.DBUM.MSSQL.Parameter.Configuration
  • A.2.12 Lookup.DBUM.MSSQL.Provisioning.Validation
  • A.2.13 Lookup.DBUM.MSSQL.Query.Configuration
  • A.2.14 Lookup.DBUM.MSSQL.TargetRecon.Auth.Mapping
  • A.2.15 Lookup.DBUM.MSSQL.TargetRecon.Delete.Login.Mapping
  • A.2.16 Lookup.DBUM.MSSQL.TargetRecon.Delete.User.Mapping
  • A.2.17 Lookup.DBUM.MSSQL.TargetRecon.Login.Mapping
  • A.2.18 Lookup.DBUM.MSSQL.TargetRecon.Login.Transformation
  • A.2.19 Lookup.DBUM.MSSQL.TargetRecon.Login.Validation
  • A.2.20 Lookup.DBUM.MSSQL.TargetRecon.QueryFilter
  • A.2.21 Lookup.DBUM.MSSQL.TargetRecon.Role.Mapping
  • A.2.22 Lookup.DBUM.MSSQL.TargetRecon.User.Mapping
  • A.2.23 Lookup.DBUM.MSSQL.TargetRecon.User.Transformation
  • A.2.24 Lookup.DBUM.MSSQL.TargetRecon.User.Validation
  • A.2.25 Lookup.DBUM.MSSQL.TrustedRecon.Configuration
  • A.2.26 Lookup.DBUM.MSSQL.TrustedRecon.Delete.Mapping
  • A.2.27 Lookup.DBUM.MSSQL.TrustedRecon.ExclusionList
  • A.2.28 Lookup.DBUM.MSSQL.TrustedRecon.Mapping
  • A.2.29 Lookup.DBUM.MSSQL.TrustedRecon.QueryFilter
  • A.2.30 Lookup.DBUM.MSSQL.TrustedRecon.Transformation
  • A.2.31 Lookup.DBUM.MSSQL.TrustedRecon.Validation
• A.3 Lookup Definitions for MySQL
  • A.3.1 Lookup.DBUM.MySQL.Configuration
  • A.3.2 Lookup.DBUM.MySQL.Error.Mapping
  • A.3.3 Lookup.DBUM.MySQL.ExclusionList
  • A.3.4 Lookup.DBUM.MySQL.Parameter.Configuration
  • A.3.5 Lookup.DBUM.MySQL.Provisioning.Validation
  • A.3.6 Lookup.DBUM.MySQL.Query.Configuration
  • A.3.7 Lookup.DBUM.MySQL.TargetRecon.Delete.Mapping
  • A.3.8 Lookup.DBUM.MySQL.TargetRecon.Mapping
  • A.3.9 Lookup.DBUM.MySQL.TargetRecon.QueryFilter
  • A.3.10 Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.Configuration
  • A.3.11 Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.Mapping
  • A.3.12 Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.QueryFilter
  • A.3.13 Lookup.DBUM.MySQL.TargetRecon.Transformation
  • A.3.14 Lookup.DBUM.MySQL.TargetRecon.Validation
  • A.3.15 Lookup.DBUM.MySQL.TrustedRecon.Configuration
  • A.3.16 Lookup.DBUM.MySQL.TrustedRecon.Delete.Mapping
  • A.3.17 Lookup.DBUM.MySQL.TrustedRecon.ExclusionList
  • A.3.18 Lookup.DBUM.MySQL.TrustedRecon.Mapping
  • A.3.19 Lookup.DBUM.MySQL.TrustedRecon.QueryFilter
  • A.3.20 Lookup.DBUM.MySQL.TrustedRecon.Transformation
  • A.3.21 Lookup.DBUM.MySQL.TrustedRecon.Validation
• A.4 Lookup Definitions for Oracle Database
  • A.4.1 Lookup.DBUM.Oracle.AuthType
  • A.4.2 Lookup.DBUM.Oracle.AuthType.KeyMapping.CreateUser
  • A.4.3 Lookup.DBUM.Oracle.AuthType.KeyMapping.UpdateUser
  • A.4.4 Lookup.DBUM.Oracle.Configuration
  • A.4.5 Lookup.DBUM.Oracle.Error.Mapping
  • A.4.6 Lookup.DBUM.Oracle.ExclusionList
  • A.4.7 Lookup.DBUM.Oracle.Parameter.Configuration
  • A.4.8 Lookup.DBUM.Oracle.Provisioning.Validation
  • A.4.9 Lookup.DBUM.Oracle.Query.Configuration
  • A.4.10 Lookup.DBUM.Oracle.TargetRecon.Delete.Mapping
  • A.4.11 Lookup.DBUM.Oracle.TargetRecon.Mapping
  • A.4.12 Lookup.DBUM.Oracle.TargetRecon.Privilege.Configuration
  • A.4.13 Lookup.DBUM.Oracle.TargetRecon.Privilege.Mapping
  • A.4.14 Lookup.DBUM.Oracle.TargetRecon.Privilege.QueryFilter
  • A.4.15 Lookup.DBUM.Oracle.TargetRecon.QueryFilter
  • A.4.16 Lookup.DBUM.Oracle.TargetRecon.Role.Configuration
  • A.4.17 Lookup.DBUM.Oracle.TargetRecon.Role.Mapping
  • A.4.18 Lookup.DBUM.Oracle.TargetRecon.Role.QueryFilter
  • A.4.19 Lookup.DBUM.Oracle.TargetRecon.Transformation
  • A.4.20 Lookup.DBUM.Oracle.TargetRecon.Validation
  • A.4.21 Lookup.DBUM.Oracle.WithAdminOption
  • A.4.22 Lookup.DBUM.Oracle.TrustedRecon.Configuration
  • A.4.23 Lookup.DBUM.Oracle.TrustedRecon.Delete.Mapping
  • A.4.24 Lookup.DBUM.Oracle.TrustedRecon.ExclusionList
  • A.4.25 Lookup.DBUM.Oracle.TrustedRecon.Mapping
  • A.4.26 Lookup.DBUM.Oracle.TrustedRecon.QueryFilter
  • A.4.27 Lookup.DBUM.Oracle.TrustedRecon.Transformation
  • A.4.28 Lookup.DBUM.Oracle.TrustedRecon.Validation
• A.5 Lookup Definitions for Sybase
  • A.5.1 Lookup.DBUM.Sybase.Configuration
  • A.5.2 Lookup.DBUM.Sybase.Error.Mapping
  • A.5.3 Lookup.DBUM.Sybase.ExclusionList
  • A.5.4 Lookup.DBUM.Sybase.Parameter.Configuration
  • A.5.5 Lookup.DBUM.Sybase.Provisioning.Validation
  • A.5.6 Lookup.DBUM.Sybase.Query.Configuration
  • A.5.7 Lookup.DBUM.Sybase.TargetRecon.Delete.Login.Mapping
  • A.5.8 Lookup.DBUM.Sybase.TargetRecon.Delete.User.Mapping
  • A.5.9 Lookup.DBUM.Sybase.TargetRecon.Login.Mapping
  • A.5.10 Lookup.DBUM.Sybase.TargetRecon.Login.Transformation
  • A.5.11 Lookup.DBUM.Sybase.TargetRecon.Login.Validation
  • A.5.12 Lookup.DBUM.Sybase.TargetRecon.QueryFilter
  • A.5.13 Lookup.DBUM.Sybase.TargetRecon.Role.Mapping
  • A.5.14 Lookup.DBUM.Sybase.TargetRecon.User.Mapping
  • A.5.15 Lookup.DBUM.Sybase.TargetRecon.User.Transformation
  • A.5.16 Lookup.DBUM.Sybase.TargetRecon.User.Validation
  • A.5.17 Lookup.DBUM.Sybase.TrustedRecon.Configuration
  • A.5.18 Lookup.DBUM.Sybase.TrustedRecon.Delete.Mapping
  • A.5.19 Lookup.DBUM.Sybase.TrustedRecon.ExclusionList
  • A.5.20 Lookup.DBUM.Sybase.TrustedRecon.Mapping
  • A.5.21 Lookup.DBUM.Sybase.TrustedRecon.QueryFilter
  • A.5.22 Lookup.DBUM.Sybase.TrustedRecon.Transformation
  • A.5.23 Lookup.DBUM.Sybase.TrustedRecon.Validation
• A.6 Other Lookup Definitions
  • A.6.1 Lookup.DBUM.TargetRecon.StatusMapping
  • A.6.2 Lookup.DBUM.TrustedRecon.StatusMapping

Index