Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use Oracle E-Business Suite as a managed (target) resource for Oracle Identity Manager.
In the account management (target resource) mode of the connector, information about users created or modified directly on Oracle E-Business Suite can be reconciled into Oracle Identity Manager. This data is used to provision (assign) resources to or update resources already assigned to OIM Users. In addition, you can use Oracle Identity Manager to provision or update resources assigned to OIM Users. These provisioning operations performed on Oracle Identity Manager translate into the creation of or updates to the corresponding target system accounts.
Note:
At some places in this guide, Oracle E-Business Suite is referred to as the target system.This chapter is divided in the following sections:
Section 1.8, "Lookup Definitions Used During Connector Operations"
Section 1.9, "Roadmap for Deploying and Using the Connector"
Table 1-1 lists the certified components for the connector.
Table 1-1 Certified Components
Component | Requirement |
---|---|
You can use one of the following releases of Oracle Identity Manager:
|
|
You can use one of the following releases of Oracle E-Business Suite:
These applications may run on Oracle Database 10g or Oracle Database 11g, as either single database or Oracle RAC implementation. Note: Communication between Oracle Identity Manager and the target system can be in SSL or non-SSL mode. |
|
SoD engine |
If you want to enable and use the Segregation of Duties (SoD) feature of Oracle Identity Manager with this target system, then install one of the following:
See Section 1.5.3, "SoD Validation of Entitlement Provisioning" for more information about the SoD feature. |
SSO system |
The target system can use one of the following single sign-on (SSO) solutions:
|
JDK |
The JDK requirement is as follows:
|
If you are using Oracle Identity Manager 11g Release 2 (11.1.2), then you must perform the steps mentioned in Metalink note 1535369.1 to ensure the connector works as expected.
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
Oracle Identity Manager Globalization Guide for information about supported special charactersNote:
In Oracle Identity Manager releases 11.1.x and 11.1.2.x, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager releases 11.1.x and 11.1.2.x.See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.
The basic function of the connector is to enable management of user data on Oracle E-Business Suite through Oracle Identity Manager. In other words, Oracle E-Business Suite (the target system) is used as a managed or target resource of Oracle Identity Manager. You can create and manage target system accounts (resources) for OIM Users through provisioning. In addition, data related to newly created and modified target system accounts can be reconciled (using scheduled tasks) and linked with existing OIM Users and provisioned resources.
Figure 1-1 shows the basic architecture of the connector. Data flow between the various components shown in this diagram is explained later in this chapter.
The following are features of the connector:
Section 1.5.1, "Oracle E-Business User Management Connectors"
Section 1.5.4, "Support for an SSO-Enabled Target System Installation"
Section 1.5.6, "Account Status Reconciliation and Provisioning"
Section 1.5.9, "Support for Full and Incremental Reconciliation"
Section 1.5.10, "Support for Limited (Filtered) Reconciliation"
An FND_USER record represents an Oracle E-Business Suite account. This record is the main component of the account data whose management is enabled by the connector. Depending on your configuration of the target system, there may be other user data components that must be managed by the connector:
Some applications in Oracle E-Business Suite require a user to have a person record in Oracle E-Business HRMS.
These users are either full-time employees of the organization or users (such as contract or part-time employees) who have been provided with access that is similar to the access provided to full-time employees. iExpense is an example of an application that requires users to have person (HRMS) records.
Some applications in the Oracle E-Business Suite require a user to have a record in Oracle E-Business TCA.
Typically, these users are representatives or employees of customers and vendors of your organization. iStore and iProcurement are examples of applications that require users to have TCA records.
The connector can be used to manage any one or a combination of FND_USER, HRMS, and TCA records. Three separate versions of the connector have been provided for this purpose. The following sections provide information about these three connectors:
The following section provides information that is common to all three connectors:
In the User Management connector, you can use the connector to create Oracle E-Business Suite accounts (FND_USER records) for OIM Users and to grant roles and responsibilities to these accounts. You can also reconcile newly created and modified FND_USER records from the target system. These reconciled records are used to create and update Oracle E-Business Suite accounts assigned to OIM Users. These provisioning and reconciliation operations constitute the basic functions of the User Management connector.
The process form stores the User ID of the FND_USER record. All subsequent update operations (through reconciliation or provisioning) on the FND_USER record are performed on the basis of the User ID value.
If required, you can also link an FND_USER record with an existing HRMS person record. Use of this feature arises when the FND_USER record is required to be linked with an HRMS person record for access to intranet applications such as iExpense.
On the target system, the person ID forms the link between the FND_USER record and HRMS person record. For an FND_USER record that is linked with an HRMS record, the value in the EMPLOYEE_ID column of the FND_USER table is the same as the value in the PERSON_ID column of the PER_ALL_PEOPLE_F table.
While provisioning or modifying an already provisioned Oracle E-Business Suite account (FND_USER record), you can specify the person ID of the HRMS person record with which you want to link the FND_USER record. If a match is found, then the person record is linked with the FND_USER record. This person ID constitutes the link between the FND_USER record and the HRMS person record.
In the User Management with HR Foundation connector, you can use the connector to create FND_USER records for OIM Users and to grant roles and responsibilities to these accounts. You can also reconcile newly created and modified FND_USER records from the target system. This is the same as the basic function of the connector in the User Management connector. In addition, you can create a basic HRMS person record for the user in Oracle E-Business HRMS and link that record with the FND User. As mentioned earlier in this chapter, the existence of an HRMS record is a prerequisite for using some applications in the Oracle E-Business Suite, such as iExpense and iRecruitment. This linking of records can also take place during reconciliation.
Note:
In this guide, the basic HRMS record created by the connector is referred to as the HR Foundation record.During a Create User provisioning operation, the FND_USER record is created first and then the employee record is created. Next, the link between the FND_USER record and employee record is established. The connector does not check for an existing employee record with the First Name and Last Name values provided during the provisioning operation.
For FND_USER records that are linked with HRMS person records, the value in the EMPLOYEE_ID column in the FND_USER table is the same as the value in the PERSON_ID column of the PER_ALL_PEOPLE_F table.
Note:
You use the Manage HR Records parameter of the IT resource to enable the linking of HRMS Person records with FND_USER records. The IT resource is discussed later in this guide.The process form stores the User ID of the FND_USER record and the Person ID of the HRMS record. All subsequent update operations (through reconciliation or provisioning) on the FND_USER record are performed on the basis of the User ID value. Similarly, all subsequent update operations (through reconciliation or provisioning) on the HRMS record are performed on the basis of the person ID value.
Guidelines on selecting the User Management with HR Foundation connector
You use the Oracle E-Business Employee Reconciliation connector to configure Oracle E-Business HRMS as a trusted source of Oracle Identity Manager. Ideally, Oracle Identity Manager only reconciles data from a trusted source. You do not perform provisioning (account management) operations on a trusted source.
The User Management with HR Foundation connector creates an HR Foundation record on Oracle E-Business HRMS. This is an account creation (that is, provisioning) operation.
As mentioned earlier, the HR Foundation record is a very basic HRMS person record. The connector supports only creation of and updates to this basic HRMS person record. These provisioning operations cannot be effective dated. For these reasons, you cannot use the connector to manage records on an Oracle E-Business HRMS installation.
In addition, to avoid conflicting data flows, it is strongly recommended that you do not configure a particular Oracle E-Business HRMS installation as both of the following:
A trusted source, by using the Oracle E-Business Employee Reconciliation connector
A target resource, by using the User Management with HR Foundation connector
Note:
If you want the connector to recognize links between HRMS person records and FND_USER records, then use the User Management connector.In the User Management with TCA Foundation connector, you can use the connector to create FND_USER records for OIM Users and to grant roles and responsibilities to these accounts. You can also reconcile newly created and modified FND_USER records from the target system. This is the same as the basic function of the User Management connector. In addition, you can create a basic TCA person-type party record for the user in Oracle E-Business TCA and link that record with the FND User. As mentioned earlier in this chapter, the existence of a TCA party record is a prerequisite for using some applications in the Oracle E-Business Suite, such as iStore. This linking of records can also take place during reconciliation.
Note:
In this guide, the basic TCA person-type party record created by the connector is referred to as the TCA Foundation record.During a create or modify FND_USER provisioning operation for a particular OIM User, the TCA party record is created the first time you specify First Name and Last Name values for that record. While creating the TCA party record, the connector does not check if another record with the same First Name and Last Name values exists. After the connector creates the TCA party record, the link established through the Party ID returned by Oracle E-Business TCA is used during subsequent updates of the TCA party record.
For FND_USER records that are linked with TCA party records, the value in the PERSON_PARTY_ID column in the FND_USER table is the same as the value in the PARTY_ID column of the HZ_PARTIES table.
Creating a person party ID internally creates or derives customer ID which is same as party ID and links this customer ID, party ID to the CUSTOMER_ID and PERSON_PARTY_ID columns of the FND_USER table, respectively. This connector supports provisioning and reconciliation of customer parties, but does not support provisioning and reconciliation of Suppliers or Vendors.
Note:
You use the Manage TCA Records parameter of the IT resource to enable the linking of TCA party records with FND_USER records. The IT resource is discussed later in this guide.The process form stores the User ID of the FND_USER record and the Party ID of the TCA record. All subsequent update operations (through reconciliation or provisioning) on the FND_USER record are performed on the basis of the User ID value. Similarly, all subsequent update operations (through reconciliation or provisioning) on the TCA record are performed on the basis of the Party ID value.
The following are similarities between the three connectors:
The basic provisioning and reconciliation function is the same in all three connectors:
The connector creates and updates FND_USER records.
Connector objects, such as process forms and resource objects, store data related to target system resources assigned to OIM Users. Each connector has its own set of these data objects.
Each connector can be installed independently of the other connectors.
Any combination of the connectors can be installed, in any order.
All three connectors support standard features such as SoD and integration with an SSO-enabled target system. These features are discussed in detail later in this chapter.
Table 1-2 summarizes the differences between the connectors.
Table 1-2 Differences Between the Connectors
Feature | User Management | User Management with HR Foundation | User Management with TCA Foundation |
---|---|---|---|
Provisioning function in addition to the basic provisioning function |
The connector can establish a link between an FND_USER record and an existing HRMS person record. The person ID of the FND_USER is used to establish and store the link. You specify the person ID during provisioning operations. |
The connector can establish a link between an FND_USER record and an HRMS person record. The existence of an HRMS person record is determined through the Employee Number and Business Group ID attributes of the HRMS person record. If an HRMS person record does not exist, then a basic HRMS person record (HR Foundation record) is created and then linked to the FND_USER record. If an HRMS person record exists, then the person record is linked with the FND_USER record. The person ID of the PER_ALL_PEOPLE_F is used to establish the link. You cannot specify the person ID while provisioning or modifying a provisioned resource. This value is displayed in the process form as a display-only field. |
The connector can establish a link between an FND_USER record and a TCA party (person-type) record. The party (person type) record is always created when you run a provisioning process. The PARTY_ID column of the HZ_PARTIES is brought back to Oracle Identity Manager by the API and is used to establish the link with the FND_USER record. You cannot specify the party ID while provisioning or modifying a provisioned resource. This value is displayed in the process form as a display-only field. |
Additional reconciliation function |
None |
During reconciliation, if the connector detects a link between an existing HRMS person record and an FND_USER record, then the same link is established in Oracle Identity Manager. After a link is established with an existing HRMS person record or an HR Foundation record (through provisioning or reconciliation), the connector fetches changes to the FND_USER record and the HRMS person/HR Foundation record during reconciliation. |
During reconciliation, if the connector detects a link between an existing TCA party record and an FND_USER record, then the same link is established in Oracle Identity Manager. After a link is established with an existing TCA party record or a TCA Foundation record (through provisioning or reconciliation), the connector fetches changes to the FND_USER record and the TCA party/TCA Foundation record during reconciliation. |
Other features |
The additional provisioning function is always enabled. You cannot enable or disable that feature. |
You can enable and disable the additional provisioning and reconciliation functions by using the Manage HR Records parameter of the IT resource. |
You can enable and disable the additional provisioning and reconciliation functions by using the Manage TCA Records parameter of the IT resource. |
UMX roles and responsibilities are an integral part of the features offered by the target system. These roles and responsibilities are entitlements granted to target system users. An entitlement enables a user to access and use features of the target system to meet the user's job requirements.
Note:
A role can be seen as an alias for a particular responsibility or set of responsibilities. The connector provides similar features for working with both roles and responsibilities.You can use the connector to:
Synchronize data about entitlements available for assignment to users
See Section 3.2, "Scheduled Task for Lookup Field Synchronization" for more information.
Reconcile data about entitlements assigned to users
See Section 3.3.4, "Reconciliation Scheduled Tasks" for more information.
This connector supports the SoD feature. The following are the focal points of this software update:
The SoD Invocation Library (SIL) is bundled with Oracle Identity Manager release. The SIL acts as a pluggable integration interface with any SoD engine.
The Oracle E-Business User Management connector is preconfigured to work with Oracle Applications Access Controls Governor as the SoD engine. To enable this, changes have been made in the approval and provisioning workflows of the connector.
The SoD engine processes role and responsibility entitlement requests that are sent through the connector. Potential conflicts in role and responsibility assignments can be automatically detected.
See Also:
Oracle Identity Manager Tools Reference for Release 9.1.0.2 for detailed information about the SoD feature
Section 2.3.1, "Configuring SoD" in this guide
Note:
This feature is available in all three connectors.Oracle E-Business Suite can be configured to use a single sign-on solution, such as Oracle Single Sign-On or Oracle Access Manager, to authenticate users. Oracle Single Sign-On uses Oracle Internet Directory as an LDAP-based repository for storing user records. Oracle Access Manager can use Microsoft Active Directory, Sun Java System Directory, or Novell eDirectory as the LDAP-based repository. You can configure the connector to work with either one of these SSO solutions during reconciliation and provisioning operations.
Figure 1-2 shows the architecture of the connector with the LDAP system. Data flow between the various components shown in this diagram is explained later in this chapter.
Note:
In this guide, the generic term LDAP system is used to refer to the LDAP system used by the SSO solution in your operating environment.Figure 1-2 Architecture of the Connector with Configured to Work with an SSO Solution
Oracle E-Business Suite allows future-dating (effective-dating) of account disable and account enable operations. For example, an administrator on the target system can specify that user John Doe's account must be disabled on 1-April-2009 by setting the Effective Date To that date for the account. This date is stored in the END_DATE column of the target system database table. Similarly, the day an account is revoked can be set in advance. The date for an event of this type is stored in the END_DATE column. For a particular future-dated change, when the current date equals the date stored in the START_DATE or END_DATE column, the appropriate change is made in the person's record on the target system.
The connector can detect and respond to these future-dated lifecycle events.
When you run any of the predefined queries, only records for which changes fall within the START_DATE and END_DATE range are fetched into Oracle Identity Manager.
Similarly, the connector can also respond to future-dated operations in which roles and responsibilities are granted or revoked.
When you enable an account on the target system, the Effective Date From field is set to the current date and the Effective Date To field is set to NULL on the target system.
When you disable an account on the target system, the Effective Date To field is set to the current date on the target system.
The same effect can be achieved through provisioning operations performed on Oracle Identity Manager. In addition, status changes made directly on the target system can be copied into Oracle Identity Manager during reconciliation.
See Section 3.6, "Provisioning Operations Performed in an SoD-Enabled Environment" for more information.
Reconciliation involves running a SQL query on the target system database to fetch the required user account records to Oracle Identity Manager. Predefined SQL queries are stored in a file in the connector deployment package. You can modify these SQL queries or add your own SQL queries for reconciliation.
See Section 1.6.1, "Reconciliation Queries" for information about the reconciliation queries.
The connector supports basic password management features. For a particular user, you can specify when the user's password must expire by using the following process form fields:
Password Expiration Type
You use the Password Expiration Type field to specify the factor (or measure) that you want to use to set a value for password expiration. You can select either Accesses
or Days
as the password expiration type.
Password Expiration Interval
In the Password Expiration Interval field, you specify the number of access or days for which the user must be able to use the password.
For example, if you specify Accesses
in the Password Expiration Type field and enter 20
in the Password Expiration Interval field, then the user is prompted to change the user's password at the twenty-first login. Similarly, if you specify Days
in the Password Expiration Type field and enter 100
in the Password Expiration Interval field, then the user is prompted to change the user's password on the hundred and first day after setting a new password.
In full reconciliation, all user records are fetched from the target system to Oracle Identity Manager. In incremental reconciliation, user records that are added or modified after the last reconciliation run are fetched into Oracle Identity Manager.
The Last Execution Time and Batch Size scheduled task attributes are used to implement full and incremental reconciliation. If the Last Execution Time attribute is set to 0 and the Batch Size attribute is set to a non-zero value, then full reconciliation is performed. If the Last Execution Time attribute holds a non-zero value, then incremental reconciliation is performed.
See Section 3.3.4, "Reconciliation Scheduled Tasks" for more information.
To limit or filter the records that are fetched into Oracle Identity Manager during a reconciliation run, you can add conditions in the WHERE clause of the reconciliation query that you run.
See Section 3.3.3, "Configuring Limited Reconciliation" for more information.
You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.
See Section 3.3.2, "Batched Reconciliation" for more information.
A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Manager connectors can use these connections to communicate with target systems. At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.
One connection pool is created for each IT resource. For example, if you have three IT resources for three installations of the target system, then three connection pools will be created, one for each target system installation.
The configuration properties of the connection pool are part of the IT resource definition. Section 2.3.3.6, "Configuring the IT Resource" provides information about setting up the connection pool.
See Also:
The "Reconciliation" section in Oracle Identity Manager Connector Concepts for conceptual information about target resource reconciliationThe connector is configured to perform target resource reconciliation with the target system. Data from newly created and updated target system records is brought to Oracle Identity Manager and used to create and update Oracle E-Business Suite resources provisioned to OIM Users.
Note:
The reconciliation process is the same for all three connectors. There are three scheduled tasks, one for each connector.The following is an overview of the steps involved in target resource reconciliation:
A SQL query is used to fetch target system records during reconciliation. All predefined SQL queries are stored in a properties file. Each query in the file is identified by a name. While configuring the scheduled tasks described in Section 3.3.4, "Reconciliation Scheduled Tasks", you specify the name of the query that you want to run as the value of the Query Name attribute.
The scheduled task is run at the time (frequency) that you specify. This scheduled task contains details of the mode of reconciliation you want to perform.
The scheduled task establishes a connection with the target system.
The scheduled task reads values that you set for the task attributes, maps the task attributes to parameters of the reconciliation query, formats the query, and then runs the query on the target system database.
The SQL query is run on the target system database. Target system records that meet the query criteria are fetched into Oracle Identity Manager. In addition:
If the target system is SSO-enabled, then the USER_GUID value is first read from the target system record. This USER_GUID value is then used to fetch the SSO User ID value from the LDAP system.
Note:
The USER_GUID and SSO User ID values are fetched by a query that is internal to the connector. The reconciliation query is not used for this purpose.If you use the User Management with HR Foundation connector, then HRMS Foundation data from HRMS person records is also fetched for all FND_USER users that are linked with HRMS users.
If you use the User Management with TCA Foundation connector, then TCA Foundation data from TCA Party records is also fetched for all FND_USER users that are linked with TCA users.
Each user record fetched from the target system is compared with existing target system resources assigned to OIM Users. The reconciliation rule is applied during the comparison process.
See Also:
Section 1.6.3, "Reconciliation Rule"The next step of the process depends on the outcome of the matching operation:
If a match is found between the target system record and a resource provisioned to an OIM User, then the resource is updated with changes made to the target system record.
If no match is found, then the target system user record is compared with existing OIM Users. The next step depends on the outcome of the matching operation:
If a match is found, then the target system record is used to provision a resource for the OIM User.
If no match is found, then the status of the reconciliation event is set to No Match Found.
The rest of this section discusses connector objects used during reconciliation:
Section 1.6.2, "Target System Columns Used in Reconciliation"
Section 1.6.4, "Reconciliation Action Rules for Target Resource Reconciliation"
As mentioned earlier in this chapter, a SQL query is used to fetch target system records during reconciliation. All predefined SQL queries are stored in the ebsUMQuery.properties file.
Note:
Depending on your requirements, you can modify existing queries or add your own query in the properties file. Alternatively, you can create and use your own properties file. Section 4.1, "Guidelines on Extending the Functionality of the Connector" provides more information.The predefined queries are used in conjunction with the Last Execution Time scheduled task attribute. This attribute stores the time stamp at which the last reconciliation run started. When the next reconciliation run begins, only target system records for which the LAST_UPDATE_DATE column value is greater than the value of the Last Execution Time attribute are fetched into Oracle Identity Manager. In other words, only records that were added or modified after the last reconciliation run started are considered for the current reconciliation run.
Note:
If the effective end date of a responsibility granted to a user is changed directly on the target system, then that account will not be reconciled in the next reconciliation run unless some other attribute of the account is also modified.You can specify a value for the Last Execution Time attribute. See Section 3.3.1, "Reconciliation Time Stamp" for more information.
The following are predefined queries in the ebsUMQuery.properties file:
UM_USER_RECON
This query is used to fetch users' FND_USER records. It is used in the User Management connector.
UM_USER_HRMS_RECON
This query is used to fetch users' FND_USER records and HRMS person records. It is used in the User Management with HR Foundation connector.
UM_USER_TCA_RECON
This query is used to fetch users' FND_USER records and TCA party records. It is used in the User Management with TCA Foundation connector.
UM_USER_RESPONSIBILITIES
This query is used to fetch data about users' responsibility entitlements.
UM_USER_ROLES
This query is used to fetch data about users' role entitlements.
Columns in the SELECT clause of each predefined query other than the ones for entitlements are directly mapped to process form fields by lookup definitions in Oracle Identity Manager.
For the User Management connector, Table 1-3 lists the target system columns and the process form fields to which they are mapped for reconciliation. These mappings are stored in the Lookup.EBS.UM.UserRecon lookup definition.
Table 1-3 Attribute Mappings for Reconciliation in the User Management Connector
Process Form Field | Target System Column | Description |
---|---|---|
Person ID |
PERSON_ID |
Person ID |
User ID |
USER_ID |
User ID This is a mandatory attribute. |
User Name |
USER_NAME |
User name This is a mandatory attribute. |
Description |
DESCRIPTION |
Description |
|
EMAIL_ADDRESS |
E-mail address |
Fax |
FAX |
Fax number |
Effective Date From |
START_DATE |
Date from which the account is active This is a mandatory attribute. |
Effective Date To |
END_DATE |
Date up to which the account is active |
For the User Management with HR Foundation connector, Table 1-4 lists the target system columns and the process form fields to which they are mapped for reconciliation. These mappings are stored in the Lookup.EBS.UM.UserHRMSRecon lookup definition.
Table 1-4 Attribute Mappings for Reconciliation in the User Management with HR Foundation Connector
Process Form Field | Target System Column | Description |
---|---|---|
User ID |
USER_ID |
User ID This is a mandatory attribute. |
User Name |
USER_NAME |
User name This is a mandatory attribute. |
Description |
DESCRIPTION |
Description |
|
EMAIL_ADDRESS |
E-mail address |
Fax |
FAX |
Fax number |
Effective Date From |
START_DATE |
Start date of the account This is a mandatory attribute. |
Effective Date To |
END_DATE |
End date of the account |
Note: The remaining attributes listed in this table are HR Foundation record attributes. |
||
Employee Number |
EMPLOYEE_NUMBER |
Employee number |
First Name |
FIRST_NAME |
First name |
Last Name |
LAST_NAME |
Last name |
Gender |
SEX |
Gender |
Person Type ID |
PERSON_TYPE_ID |
Person type ID |
Business Group ID |
BUSINESS_GROUP_ID |
Business group ID |
Hire Date |
ORIGINAL_DATE_OF_HIRE |
Hire date |
Person ID |
PERSON_ID |
Person ID |
For the User Management with TCA Foundation connector, Table 1-5 lists the target system columns and the process form fields to which they are mapped for reconciliation. These mappings are stored in the Lookup.EBS.UM.UserTCARecon lookup definition.
Table 1-5 Attribute Mappings for Reconciliation in the User Management with TCA Foundation Connector
Process Form Field | Target System Column | Description |
---|---|---|
User ID |
USER_ID |
User ID This is a mandatory attribute. |
User Name |
USER_NAME |
User name This is a mandatory attribute. |
Description |
DESCRIPTION |
Description |
|
EMAIL_ADDRESS |
E-mail address |
Fax |
FAX |
Fax number |
Effective Date From |
START_DATE |
Start date of the account This is a mandatory attribute. |
Effective Date To |
END_DATE |
End date of the account |
Note: The remaining attributes listed in this table are TCA Foundation record attributes. |
||
First Name |
PERSON_FIRST_NAME |
First name |
Last Name |
PERSON_LAST_NAME |
Last name |
Party ID |
PERSON_PARTY_ID |
Party ID |
For all three connectors, Table 1-6 lists mappings between the target system columns and the process form fields for responsibilities defined on the target system.
Table 1-6 Relationship Between Process Form Fields for Responsibilities and Target System Data Fields
Process Form Field | Target System Column | Description |
---|---|---|
Application Name |
Format of the value: IT_RESOURCE_KEY~APPLICATION_ID Sample value: 1~810 |
Combination of the IT resource key and the application ID on the target system Note: The IT resource key is a numeric value. |
Responsibility Name |
Format of the value: IT_RESOURCE_KEY~APPLICATION_ID~RESPONSIBILITY_ID Sample value: 1~810~2751 |
Combination of the IT resource key, application ID, and responsibility ID on the target system |
Effective Start Date |
START_DATE |
Start date of the responsibility assignment |
Effective End Date |
END_DATE |
End date of the responsibility assignment |
Security Group |
Format of the value: IT_RESOURCE_KEY~SECURITY_GROUP_ID Sample value: 1~1 |
Combination of the IT resource key and the security group ID on the target system. Note: The IT resource key is a numeric value. |
For all three connectors, Table 1-7 lists mappings between the target system columns and the process form fields for roles defined on the target system.
Table 1-7 Relationship Between Process Form Fields for Roles and Target System Data Fields
Process Form Field | Target System Column | Description |
---|---|---|
Application Name |
Format of the value: IT_RESOURCE_KEY~APPLICATION_ID Sample value: 1~260 |
Combination of the IT resource key and the application ID on the target system Note: The IT resource key is a numeric value. |
Role Name |
Format of the value: IT_RESOURCE_KEY~APPLICATION_ID~ROLE_ID Sample value: 1~260~UMX|UMX_TEST_ROLE |
Combination of the IT resource key, application ID, and role ID on the target system |
Start Date |
start_date |
Start date of the role assignment |
Expiration Date |
expiration_date |
End date of the role assignment |
See Also:
Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rulesThe following is the reconciliation rule:
Rule name for the User Management connector:
EBS UM Target Resource
Rule name for the User Management with HR Foundation connector:
EBS UM HRMS Target Resource
Rule name for the User Management with TCA Foundation connector:
EBS UM TCA Target Resource
Rule element for all three connectors: User Login Equals User Name
In this rule:
User Login is the field on the OIM User form.
User Name is the target system field.
After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.Log in to the Oracle Identity Manager Design Console.
Expand Development Tools.
Double-click Reconciliation Rules.
Search for the rule name.
Table 1-8 lists the action rules for target resource reconciliation.
Table 1-8 Action Rules for Target Resource Reconciliation
Rule Condition | Action |
---|---|
No Matches Found |
Assign to Administrator With Least Load |
One Entity Match Found |
Establish Link |
One Process Match Found |
Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Identity Manager Design Console Guide for information about modifying or creating reconciliation action rules.After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:
Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
Search for and open the resource object. The following are the names of the resource objects for each connector:
Resource object for the User Management connector:
eBusiness Suite User
Resource object for the User Management with HR Foundation connector:
eBusiness Suite User HR Foundation
Resource object for the User Management with TCA Foundation connector:
eBusiness Suite User TCA Foundation
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.
See Also:
The "Provisioning" section in Oracle Identity Manager Connector Concepts for conceptual information about provisioningProvisioning involves management of user accounts and assignment of responsibilities and roles to users in the target system. When you allocate (or provision) an Oracle E-Business Suite resource to an OIM User, the operation results in the creation of an account on Oracle E-Business Suite for that user. Similarly, when you update the resource on Oracle Identity Manager, the same update is made to the account on the target system.
You can enable the Segregation of Duties (SoD) feature in Oracle Identity Manager for validation of role and responsibility provisioning. When SoD is enabled, a role or responsibility is granted to an OIM User's resource (account) only after the request for the role or responsibility clears the SoD validation process. If a conflicting role or responsibility is detected by the SoD engine, then the role or responsibility request is rejected.
Note:
the SoD validation process is asynchronous. The response from the SoD engine must be brought to Oracle Identity Manager by a scheduled task.The provisioning process can be started through one of the following events:
Direct provisioning
A user uses the Administrative and User Console to create a target system account for another user.
Request-based provisioning
A user creates a request for a target system account, role, or responsibility, and another user approves this request.
Provisioning triggered by access policy changes
An access policy related to accounts on the target system is modified. When an access policy is modified, it is reevaluated for all users to which it applies.
The following is an overview of the provisioning process:
The provisioning process is started through direct provisioning, request-based provisioning, or an access policy change.
If the target system is configured to work with Oracle Single Sign-On, then:
Note:
There must be a GUID for the user on the LDAP system before the user can be created on the target system. In other words, the user for whom the provisioning operation is being performed must have a record on the LDAP system.The connector first establishes a connection with the LDAP system used by Oracle Single Sign-On. To establish a connection, the connector uses information stored in the IT resource for the LDAP system.
From the LDAP system, the connector reads the GUID of the user for whom the provisioning operation is being performed and then adds the GUID to the provisioning data that will be passed on to the target system.
The connector establishes a connection with the target system, and passes the provisioning data to the FND APIs of the target system.
The target system APIs use the provisioning data to perform the required operation (create or update user). The actual steps performed depend on the connector that you are using:
In the User Management connector, the FND_USER record is created or updated. If the person ID is provided on the process form and a record with the same person ID exists on the target system, then that record is linked with the FND_USER record.
In the User Management with HR Foundation connector:
The HRMS person record (containing only HRMS Foundation data) is created or updated.
The FND_USER record is created or updated.
Note:
If the HRMS record is created, then the value in the Person_ID column of the PER_ALL_PEOPLE_F table is copied into the Employee_ID column in the FND_USER table.In the User Management with TCA Foundation connector:
The FND_USER record is created or updated.
The TCA Party record (containing only TCA Party foundation data) is created or updated.
Note:
If the TCA record is created, then the value in the PARTY_ID column of the HZ_PARTIES table is copied into the PERSON_PARTY_ID column in the FND_USER table.The target system APIs return the status of the operation to the connector.
The connector translates and displays (or logs) the status message returned by the FND APIs.
In an SoD-enabled Oracle Identity Manager system, the connector cannot grant roles or responsibilities directly to the provisioned user account. When a user performs the procedure to provision a role or responsibility, the details of the entitlement request (sent through direct or request-based provisioning) are sent to an SoD engine for conflict analysis. Based on the outcome of the SoD validation process, the entitlement request is either accepted or rejected.
The rest of this section discusses connector objects used during provisioning:
Note:
On Oracle Identity Manager release 9.1.0.x, you can create separate requests for provisioning:Target system resources to OIM Users.
Entitlements to OIM Users who have been provisioned target system resources.
On Oracle Identity Manager releases 11.1.x and 11.1.2.x, you can provision entitlements while provisioning a target system resource to an OIM User. In other words, you need not create a new request for provisioning entitlements.
Therefore, information provided in this section is applicable only if you are using Oracle Identity Manager release 9.1.0.x. If you are using Oracle Identity Manager releases 11.1.x and 11.1.2.x, then skip this section.
Roles and responsibilities defined on the target system are entitlements that can be assigned to a user during the Create User provisioning operation. In addition, an existing user can create requests for responsibilities and roles. If you enable SoD in your Oracle Identity Manager installation, then an entitlement is granted only after the SoD validation clears the request for the entitlement. Users can create entitlement requests for themselves. Alternatively, administrators can submit entitlement requests on behalf of a user.
Note:
The connector supports the scenario in which a single request is created for multiple responsibilities and a single approver is assigned the entire request.Request-based provisioning of responsibilities involves the following steps:
A request for a role or responsibility is created.
Section 3.6, "Provisioning Operations Performed in an SoD-Enabled Environment" describes the procedure to create the request.
The request data is written to an object form.
When the object form is populated with data, it is sent for approval.
After the standard approval process, the SoD Checker process task is triggered. This process task is completed by running the GetSODCheckResultApproval scheduled task from the task scheduler.
Note:
The approver should not approve/deny this task manually while approving the request.After the SoD Checker process task is run and the SoD Check result is passed, the Human Approval task (if it has been defined) is triggered.
If the approval process clears the request, then the request data is sent to the process form. When this data reaches the target system, the responsibility is assigned to the user.
Note:
If SoD is not enabled or if the provisioning operation does not include entitlement provisioning, then the SODCheckStatus field remains in theSODCheckNotInitiated
state.If the approval process does not clear the request, then the status of the request is set to Denied.
Table 1-9 lists the user identity fields of the target system for which you can specify or modify values during provisioning operations. The third column of this table specifies the connector in which the function is supported.
Note:
During a Create User provisioning operation, the EBS Create User adapter is used to populate values in all the target system attributes. Similarly, during an Update User provisioning operation, the EBS Update User performs this function.Table 1-9 Attribute Mappings for Provisioning
Process Form Attribute | Target System Attribute | Connector | Mandatory? |
---|---|---|---|
User Name |
User Name |
All |
Yes |
Password |
Password |
All |
Yes |
Description |
Description |
All |
|
|
|
All |
|
Fax |
Fax |
All |
|
Password Expiration Type This is a lookup field. |
Password Expiration Type |
All |
|
Password Expiration Interval |
Password Expiration Interval |
All |
|
Effective Date From |
Effective Dates From |
All |
Yes |
Effective Date To |
Effective Dates To |
All |
|
Person ID Note: This field can be edited in the User Management connector. It is a display-only field in the User Management with HR Foundation connector. |
Person ID Note: The Full Name corresponding to the person ID in HRMS person record is displayed on the UI with the label |
User Management and User Management with HR Foundation |
|
SSO User ID |
SSO User ID from the LDAP system Note: This attribute is not displayed on the target system UI. |
All |
|
User ID This is a display-only field. |
User ID Note: This attribute is not displayed on the target system UI. |
All |
|
SSO GUID This is a display-only field. |
GUID fetched from the LDAP system used by Oracle Single Sign-On This value is stored in the USER_GUID column of the FND_USER table. Note: This attribute is not displayed on the target system UI. |
All |
|
Employee Number |
Employee Number |
User Management with HR Foundation |
|
First Name |
First Name (in the User Management with HR Foundation connector) First Name (in the User Management with TCA Foundation connector) |
User Management with HR Foundation and User Management with TCA Foundation |
|
Last Name |
Last Name (in the User Management with HR Foundation connector) Last Name (in the User Management with TCA Foundation connector) |
User Management with HR Foundation and User Management with TCA Foundation |
|
Gender This is a lookup field. |
Sex |
User Management with HR Foundation |
|
Person Type ID |
Person Types |
User Management with HR Foundation |
|
Business Group ID |
Business Group ID Note: This attribute is not displayed on the target system UI. |
User Management with HR Foundation |
|
Party ID This is a display-only field. |
Party ID Note: The full name corresponding to the party ID in the TCA Party record is displayed on the target system UI with the label |
User Management with TCA Foundation |
|
Hire Date |
Latest Start Date |
User Management with HR Foundation |
|
Responsibility Child Form Fields (for all three connectors) |
|||
Application Name |
IT_RESOURCE_KEY~APPLICATION_ID |
All |
|
Responsibility Name |
IT_RESOURCE_KEY~APPLICATION_ID~RESPONSIBILITY_ID |
All |
Yes |
Effective Start Date |
Effective Dates From |
All |
|
Effective End Date |
Effective Dates To |
All |
|
Security Group |
IT_RESOURCE_KEY~SECURITY_GROUP_ID All |
All |
|
Roles Child Form Fields (for all three connectors) |
|||
Application Name |
IT_RESOURCE_KEY~APPLICATION_ID |
All |
|
Role Name |
IT_RESOURCE_KEY~APPLICATION_ID~ROLE_ID |
All |
Yes |
Start Date |
Start Date |
All |
|
Expiration Date |
Expiration Date |
All |
Table 1-10 lists provisioning functions and the corresponding adapters.
Note:
An Update provisioning operation on child data is not supported.Table 1-10 Provisioning Functions
Provisioning Function | Adapter | Stored Procedure in Wrapper Package |
---|---|---|
Create user |
EBS Create User |
OIM_FND_USER_PKG.CreateUser |
Create SSO-enabled user |
EBS Create User |
OIM_FND_USER_PKG.CreateUser |
Disable user |
EBS Disable User |
OIM_FND_USER_PKG.DisableUser |
Update Email |
EBS Update User |
OIM_FND_USER_PKG.UpdateUser |
Update Fax |
EBS Update User |
OIM_FND_USER_PKG.UpdateUser |
Update Password |
EBS Update User |
OIM_FND_USER_PKG.UpdateUser |
Update Description |
EBS Update User |
OIM_FND_USER_PKG.UpdateUser |
Update Effective Date From |
EBS Update User |
OIM_FND_USER_PKG.UpdateUser |
Update Effective Date To |
EBS Update User |
OIM_FND_USER_PKG.UpdateUser |
Update SSO User ID |
EBS Update User |
OIM_FND_USER_PKG.UpdateUser |
Update Password Expiration Type |
EBS Update User |
OIM_FND_USER_PKG.UpdateUser |
Update Password Expiration Interval |
EBS Update User |
OIM_FND_USER_PKG.UpdateUser |
Update Person ID Note: This is applicable only in the User Management connector. |
EBS Update User |
OIM_FND_USER_PKG.UpdateUser |
Enable User |
EBS Enable User |
OIM_FND_USER_PKG.EnableUser |
Add Responsibility |
EBS Add Responsibility |
OIM_FND_USER_PKG.AddResp |
Remove Responsibility |
EBS Revoke Responsibility |
OIM_FND_USER_PKG.DelResp |
Add Role |
EBS Add Role |
WF_LOCAL_SYNCH_PKG.PropagateUserRole |
Remove Role |
EBS Revoke Role |
WF_LOCAL_SYNCH_PKG.PropagateUserRole |
Update User Name |
EBS Update Username |
OIM_FND_USER_PKG.change_user_name |
Functions Specific to the User Management with HR Foundation Connector |
||
Create Employee |
EBS Create User HRMS |
OIM_EMPLOYEE_WRAPPER.create_emp_api |
Delete User |
EBS Revoke Employee |
OIM_EMPLOYEE_WRAPPER.terminate_emp_api |
Delete User Note: It is recommended not to perform a delete employee operation on the target system. However, delete employee operation is configurable by setting the value of DELETE_EMP_RECORD to "Yes" in the Lookup.EBS.UMHRMS.Configuration lookup definition. The default value of DELETE_EMP_RECORD is set to "No" and hence needs to be changed to "Yes". |
EBS Revoke Employee |
OIM_EMPLOYEE_WRAPPER.delete_emp_api |
Update First Name |
EBS Update Employee |
OIM_EMPLOYEE_WRAPPER.update_person_api |
Update Last Name |
EBS Update Employee |
OIM_EMPLOYEE_WRAPPER.update_person_api |
Update Gender |
EBS Update Employee |
OIM_EMPLOYEE_WRAPPER.update_person_api |
Update Person Type ID |
EBS Update Employee |
OIM_EMPLOYEE_WRAPPER.update_person_api |
Update Business Group ID |
EBS Update Employee |
OIM_EMPLOYEE_WRAPPER.update_person_api |
Update Hire Date |
EBS Update Employee |
OIM_EMPLOYEE_WRAPPER.update_person_api |
Functions Specific to the User Management with TCA Foundation Connector |
||
Create Party of Person Type |
EBS Create User TCA |
OIM_TCA_WRAPPER.create_person_party_api |
Delete User |
EBS Revoke Party |
OIM_TCA_WRAPPER.disable_person_party_api |
Delete User Note: It is recommended not to perform a delete employee operation on the target system. However, delete employee operation is configurable by setting the value of DELETE_EMP_RECORD to "Yes" in the Lookup.EBS.UMHRMS.Configuration lookup definition. The default value of DELETE_EMP_RECORD is set to "No" and hence needs to be changed to "Yes". |
EBS Revoke Party |
OIM_TCA_WRAPPER.delete_person_party_api |
Update First Name |
EBS Update Party |
OIM_TCA_WRAPPER.update_person_party_api |
Update Last Name |
EBS Update Party |
OIM_TCA_WRAPPER.update_person_party_api |
When you deploy the connector, lookup definitions of the following types are created in Oracle Identity Manager:
Lookup definitions corresponding to lookup fields on the target system
Lookup definitions that store configuration information
The following sections discuss lookup definitions used by the connector:
Section 1.8.1, "Lookup Definitions That Are Common to All Three Connectors"
Section 1.8.2, "Lookup Definitions That Are Specific to the User Management Connector"
Table 1-11 describes lookup definitions that are common to all three connectors.
Table 1-11 Lookup Definitions Common to All Three Connectors
Lookup Definition | Code Key | Decode | Input Source |
---|---|---|---|
Lookup.EBS.Application |
Combination of the following elements:
Sample value: In this example, 1 is the number assigned to the IT resource for the target system installation and 694 is the application ID assigned to the application in the target system. |
Short name for the application in the target system Sample value: |
You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system. |
Lookup.EBS.SecurityGroup |
Combination of the following elements:
Sample value: In this example, 1 is the number assigned to the IT resource for the target system installation and 1 is the application ID assigned to the application in the target system. |
Short name for the Security Group Name in the target system Sample value: |
You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system. |
Lookup.EBS.Responsibility |
Combination of the following elements:
Sample value: 1~694~20903 In this sample value, 1 is the number assigned to the IT resource for the target system installation, 694 is the application ID, and 20903 is the responsibility ID. |
Responsibility name of the corresponding application in the target system Sample Value: |
You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system. |
Lookup.EBS.UMX.Roles |
Combination of three elements:
Sample value: In this example, 1 is the number assigned to the IT resource for the target system installation, FND-UMX is the short name for the application, and UMX_EXT_ADMN is the role name. |
Display name of the role on the target system Sample Value: |
You configure and run the eBusiness UM Lookup Definition Reconciliation scheduled task to populate this lookup definition with values from the target system. |
Lookup.EBS.PasswordExpirationType |
Unit of measurement for specifying the password expiration type The value can be one of the following: Accesses Days None |
Unit of measurement for specifying the password expiration type The value can be one of the following: Accesses Days None |
This lookup definition is preconfigured. You must not modify this lookup definition. |
Table 1-12 describes lookup definitions that are specific to the User Management connector.
Table 1-12 Lookup Definitions Specific to the User Management Connector
Lookup Definition | Code Key | Decode | Input Source |
---|---|---|---|
Lookup.EBS.UM.UserProvisioning |
Process form field name Sample value: UD_EBS_USER_USRNAME |
Corresponding argument of the stored procedure used for user provisioning Sample Value: x_user_name,1,varchar2,IN |
This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure. |
Lookup.EBS.UM.UserRecon |
Reconciliation field of resource object Sample value: User Name |
Corresponding column names or column alias names used in reconciliation query Sample value: USER_NAME |
This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for reconciliation. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure. |
Lookup.EBS.Responsibility.Mapping Note: This lookup definition is used for entitlement provisioning. |
Name of the process form column for the responsibility attributes in the eBusiness Suite User Responsibility resource object |
Name of the process form column for the responsibility attribute in the eBusiness Suite User resource object |
This lookup definition is preconfigured. You must not modify this lookup definition. |
Lookup.EBS.Role.Mapping |
Name of the process form column for the role attributes in eBusiness Suite User Role resource object |
Name of the process form column for the role attribute in the eBusiness Suite User resource object |
This lookup definition is preconfigured. You must not modify this lookup definition. |
Lookup.EBS.UM.QueryFilters |
Filter parameters that you want to append to the reconciliation SQL query |
See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about the Decode value. |
See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about this lookup definition. |
Lookup.EBS.UM.Configuration |
Configurable data items used by the connector during both reconciliation and provisioning |
Values of the configurable parameters |
You can modify some of entries in this lookup definition. See Section 3.1, "Setting Up Lookup Definitions in Oracle Identity Manager" for more information. |
Table 1-13 describes lookup definitions that are specific to the User Management with HR Foundation connector.
Table 1-13 Lookup Definitions Specific to the User Management with HR Foundation Connector
Lookup Definition | Code Key | Decode | Input Source |
---|---|---|---|
Lookup.EBS.Gender |
Code for gender Sample value: |
Display name of gender Sample value: |
This lookup definition is preconfigured. You must not modify this lookup definition. |
Lookup.EBS.UM.UserHRMSProvisioning |
Process form field name Sample value: |
Information about the corresponding argument in the stored procedure used for user provisioning Sample Value: |
This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure. |
Lookup.EBS.UM.UserHRMSRecon |
Reconciliation fields of resource object Sample value: |
Column names or column name alias used in the reconciliation query Sample value: |
This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for reconciliation. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure. |
Lookup.EBS.UM.CreateEmployee |
Process form field name Sample value: |
Information about the corresponding argument in the stored procedure used for HRMS person record provisioning Sample Value: |
This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure. |
Lookup.EBS.UM.UpdateEmployee |
Process form field name Sample value: |
Information about the corresponding argument in the stored procedure used for HRMS person record provisioning Sample Value: |
You must not modify or remove existing attributes in this lookup defintion. However, you can add or remove new attributes for provisioning. |
Lookup.EBS.HRMSResponsibility.Mapping Note: This lookup definition is used for request-based responsibility provisioning. |
Name of the process form column for the responsibility attributes in the eBusiness Suite User HR Foundation Responsibility resource object |
Name of the process form column for the responsibility attribute in the eBusiness Suite User HR Foundation resource object |
You must not modify this lookup definition. |
Lookup.EBS. HRMSRoles.Mapping Note: This lookup definition is used for request-based role provisioning. |
Name of the process form column for the role attributes in the eBusiness Suite User HR Foundation Role resource object |
Name of the process form column for the role attribute in the eBusiness Suite User HR Foundation resource object |
You must not modify this lookup definition. |
Lookup.EBS.UMHRMS.QueryFilters |
Filter parameters that you want to append to the reconciliation SQL query |
See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about the Decode value. |
See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about this lookup definition. |
Lookup.EBS.UMHRMS.EmployeeInfoMapping |
Name of the process form column for information about the HR Foundation person record |
Name of the column used for fetching the person record data from the target system database |
This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure. |
Lookup.EBS.UMHRMS.Configuration |
Configurable data items used by the connector during both reconciliation and provisioning |
Values of the configurable parameters |
You can modify some of entries in this lookup definition. See Section 3.1, "Setting Up Lookup Definitions in Oracle Identity Manager" for more information. |
Table 1-14 describes lookup definitions that are specific to the User Management with TCA Foundation connector.
Table 1-14 Lookup Definitions Synchronized with the Target System
Lookup Definition | Code Key | Decode | Input Source |
---|---|---|---|
Lookup.EBS.UM.UserTCAProvisioning |
Process form field name Sample value: |
Information about the corresponding argument in the stored procedure used for user provisioning Sample Value: |
This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure. |
Lookup.EBS.UM.PartyProvisioning |
Process form field name Sample value: |
Information about the corresponding argument in the stored procedure used for HRMS Person provisioning Sample Value: |
This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for provisioning. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure. |
Lookup.EBS.UM.UpdateParty |
Process form field name Sample value: |
Information about the corresponding argument in the stored procedure used for HRMS Person provisioning Sample Value: |
You must not modify or remove existing attributes in this lookup defintion. However, you can add or remove new attributes for provisioning. |
Lookup.EBS.UM.UserTCARecon |
Reconciliation field of resource object Sample value: |
Column name or column alias name used in reconciliation query Sample value: |
This lookup definition is preconfigured. You modify this lookup definition only if you are adding or removing attributes for reconciliation. Chapter 4, "Extending the Functionality of the Connector" discusses the procedure. |
Lookup.EBS.UserTCAResponsibility.Mapping Note: This lookup definition is used for entitlement provisioning. |
Name of the process form column for the responsibility attributes in the eBusiness Suite User TCA Foundation Responsibility |
Name of the process form column for the responsibility attribute in the eBusiness Suite User TCA Foundation resource object |
You must not modify this lookup definition. |
Lookup.EBS. TCARoles.Mapping |
Name of the process form column for the role attributes in the eBusiness Suite User TCA Foundation Role resource object |
Name of the process form column for the role attribute in the eBusiness Suite User TCA Foundation resource object |
You must not modify this lookup definition. |
Lookup.EBS.UMTCA.QueryFilters |
Name of the process form column for information about the TCA Foundation person record |
Name of the column used for fetching the person record data from the target system database |
See Section 3.3.3, "Configuring Limited Reconciliation" for detailed information about this lookup definition |
Lookup.EBS.UMTCA.Configuration |
Configurable data items used by the connector during both reconciliation and provisioning |
Values of the configurable parameters |
You can modify some of entries in this lookup definition. See Section 3.1, "Setting Up Lookup Definitions in Oracle Identity Manager" for more information. |
The following is the organization of information in the rest of this guide:
Chapter 2, "Deploying the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
Chapter 3, "Using the Connector" describes guidelines on using the connector and the procedure to configure reconciliation runs and perform provisioning operations.
Chapter 4, "Extending the Functionality of the Connector" describes procedures that you can perform if you want to extend the functionality of the connector.
Chapter 5, "Testing and Troubleshooting" describes the procedure to use the connector testing utility and the Diagnostic Dashboard for testing the connector.
Chapter 6, "Known Issues" lists known issues associated with this release of the connector.