You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.
These are the guidelines that you apply while using the connector.
The subpool and the LDAP Gateway must be started before starting the Reconciliation Agent. If the LDAP Gateway is not available when the Reconciliation Agent is started, then an error is generated with RETCODE=-01 and ERRORNO=61.
The connector can accept and transmit any non-ASCII data to the mainframe, but the mainframe does not accept non-ASCII characters. As a result, any task that requires non-ASCII data transfer fails. In addition, there is no provision in the connector to indicate that the task has failed or that an error has occurred on the mainframe. To avoid errors of this type, you must exercise caution when providing inputs to the connector for the target system, especially when using a regional language interface.
Passwords used on the mainframe must conform to stringent rules related to passwords on mainframes. These passwords are also subject to restrictions imposed by corporate policies and rules about mainframe passwords. Keep in mind these requirements when you create or modify target system user profiles through provisioning operations on Oracle Identity Manager.
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.
The ACF2 Reconcile All Users scheduled task performs full reconciliation. When you configure this scheduled task, it runs at specified intervals and fetches create and modify events on the target system for reconciliation.
To configure the Reconcile All Users scheduled task:
You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.
See Also:
Performing Full Reconciliation for information about the Reconcile All Users scheduled task
The following is a sample format of the value for the Resource Object property:
(ATTRIBUTE1:VALUE1)RESOURCE_OBJECT1,RESOURCE_OBJECT2
As shown in the sample format, specifying a filter attribute is optional, but if more than one resource object is specified, you must specify a filter for each additional resource object. If you do not specify a filter attribute, then all records are reconciled to the first resource object. Further, the filters are checked in order, so the resource object without a filter attribute should be included last in the list.
Filter attributes should be surrounded by parentheses.
The names of the resource objects must be the same as the names that you specified while creating the resource objects by using the Design Console.
See Also:
Installing and Configuring the LDAP Gateway for information about the LDAP Gateway configuration files.
The value must be a regular expression as defined in the java.util.regex Java package. Note that the find methodology of the regex matcher is used rather than the matches methodology. This means that a substring matching rule can be specified in the pattern, rather than requiring the entire string matching rule.
Substring matching is case-sensitive. A "(tso)" filter will not match a user with the user ID "TSOUSER1".
Multiple values can be matched. Use a vertical bar (|) for a separator as shown in the following example:
(ATTRIBUTE:VALUE1|VALUE2|VALUE3)RESOURCE_OBJECT
Multiple filters can be applied to the attribute and to the same resource object. For example:
(ATTRIBUTE1:VALUE1)&(ATTRIBUTE2:VALUE2)RESOURCE_OBJECT
The following is a sample value for the Object attribute:
(tsoProc:X)ACF2RO1,(active:value1|value2|value3)ACF2ResourceObject2,(tso)ACF2ResourceObject24000,Resource
(tsoProc:X)ACF2RO1
represents a user with X as the attribute value for the TSO Proc segment. Records that meet this criterion are reconciled with the ACF2RO1 resource object.
(active:value1|value2|value3)ACF2ResourceObject2
represents a user with value1, value2, or value3 as their active date. Records that meet this criterion are reconciled with the ACF2ResourceObject2 resource object.
(tso)ACF2ResourceObject24000
represents a user with TSO privileges. A TSO attribute value is not specified. Records that meet this criterion are reconciled with the ACF2ResourceObject24000 resource object.
All other records are reconciled with the Resource resource object.
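The following added example (not part of the connector or the Oracle documentation) parses a Resource Object property value in the format described above and routes sample records to resource objects using the stated rules: filters are checked in order, a filter with no value only requires the attribute to be present, multiple filters are joined with "&", and patterns are matched with substring (find) semantics and are case-sensitive. Python's re.search stands in for the java.util.regex find methodology, the records are constructed, and the parser assumes patterns contain no commas or parentheses.

```python
import re

# Constructed sample value, in the format shown on the page.
SAMPLE_PROPERTY = ("(tsoProc:X)ACF2RO1,(active:value1|value2|value3)ACF2ResourceObject2,"
                   "(tso)ACF2ResourceObject24000,Resource")


def parse_filter_property(value):
    """Return [(filters, resource_object)] in the order written.

    Each filter is (attribute, compiled_regex_or_None); None means the
    attribute only has to be present on the record (for example "(tso)").
    Assumption: patterns contain no commas or parentheses.
    """
    entries = []
    for item in value.split(","):
        item = item.strip()
        filters = []
        while item.startswith("("):
            close = item.index(")")
            attr, sep, pattern = item[1:close].partition(":")
            filters.append((attr, re.compile(pattern) if sep else None))
            item = item[close + 1:]
            if item.startswith("&"):          # several filters on one object
                item = item[1:]
        entries.append((filters, item))
    return entries


def route_record(record, entries):
    """Return the first resource object whose filters all match the record."""
    for filters, resource_object in entries:
        matched = True
        for attr, pattern in filters:
            val = record.get(attr)
            # find semantics: re.search, not re.fullmatch; case-sensitive
            if val is None or (pattern is not None and not pattern.search(str(val))):
                matched = False
                break
        if matched:
            return resource_object
    return None  # no unfiltered catch-all and nothing matched


def unreachable_objects(entries):
    """Resource objects listed after an unfiltered entry; they never receive records."""
    for i, (filters, _) in enumerate(entries):
        if not filters:
            return [name for _, name in entries[i + 1:]]
    return []
```

unreachable_objects is the check to run on a new property value before saving it, since an unfiltered entry that is not last silently swallows every record.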
The ACF2 Reconcile LDAP Users scheduled task allows the administrator to reconcile users from the internal LDAP store to Oracle Identity Manager.
When you configure this scheduled task, it runs at specified intervals and fetches a list of users within the internal LDAP store and reconciles these users to Oracle Identity Manager.
To configure the Reconcile LDAP Users to OIM scheduled task:
The ACF2 Deleted User Reconciliation to OIM scheduled task allows the administrator to reconcile deleted users from the target system to Oracle Identity Manager.
When you configure this scheduled task, it runs at specified intervals and fetches a list of users on the target system. These user names are then compared with provisioned users in Oracle Identity Manager. Any user profiles that exist within Oracle Identity Manager, but not in the target system, are deleted from Oracle Identity Manager.
To configure the Deleted User Reconciliation to OIM scheduled task:
The ACF2 Find All Access Rules Task and ACF2 Find All Resource Rules Task scheduled tasks populate lookup tables with resource or access rule keys that can be assigned during user provisioning.
When you configure these scheduled tasks, they run at specified intervals and fetch a listing of all resource or access keys on the target system for reconciliation.
To configure the ACF2 Find All Access Rules Task and ACF2 Find All Resource Rules Task scheduled tasks:
Uninstalling the connector deletes all the account related data associated with resource objects of the connector.