Oracle® Identity Manager Connector Guide for Database Application Tables Release 9.1.0 Part Number E11194-03
This chapter contains the following sections:
The "Limited Reconciliation" section discusses the Customized Query and Use Native Query parameters.
The "Determining Values for the Database URL and Connection Properties Parameters" section discusses the Database URL and Connection Properties parameters.
The "Creating the Connector" section describes the procedure to create the connector.
The "Performing Connector Operations" section provides a link to guidelines that you must apply when you start using the connector.
This section discusses the Customized Query and Use Native Query parameters. You apply the information in this section while performing the procedure described in "Step 2: Specify Parameter Values Page".
By default, all target system records that are added or modified after the previous reconciliation run are reconciled during the current reconciliation run. You can filter records for reconciliation by specifying the subset of newly added or modified records that must be reconciled. You implement this form of limited reconciliation by using a customized query for reconciliation.
You create a customized query by specifying a value for the Customized Query parameter. The value of this parameter becomes a component of the WHERE clause in the SQL query that is used to fetch records from the target system.
Note:
While performing the procedure described in "Step 2: Specify Parameter Values Page", if you specify a value for the Timestamp Attribute parameter, then you need not include the time-stamp column in the Customized Query parameter.
The following are examples of the WHERE clause that you can specify as the value of the Customized Query parameter. In these examples, jdoe is the database user ID and employees is the name of the table that holds user data.
The following WHERE clause component returns records of employees whose last names begin with Roe and who belong to the Finance department.
jdoe.employees.last_name LIKE 'Roe%' & jdoe.employees.dept_id = 'Finance'
The following WHERE clause component returns records of employees who report to the manager with the ID 856 or employees who belong to the Finance department.
jdoe.employees.mgr_id = 856 | jdoe.employees.dept_id = 'Finance'
Note:
The value that you specify must not contain the keyword WHERE.
The value that you specify must not contain a SQL join between parent and child tables.
Instead of using the & and | operators, you can use any of the logical operators supported by the target system database. To specify the operators that you want to use, use the Use Native Query check box as follows:
Select the Use Native Query check box if you want to use logical operators that are native to the target system database.
Do not select the Use Native Query check box if you want to use the & and | operators.
If you do not want to use a customized query, then do not specify a value for this parameter. If you do not specify a value, then regular (that is, not limited) reconciliation is performed.
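The rules in this section can be checked before a value is entered in the Customized Query field. The following Python check is an added example, not part of the connector or of this guide; the function name, the child_tables argument and the emp_roles table are assumptions made for illustration.

```python
import re

# SQL string literal; a doubled quote ('') inside it is an escaped quote.
_LITERAL = re.compile(r"'(?:[^']|'')*'")


def check_customized_query(value, use_native_query=False, child_tables=()):
    """Return a list of problems in a Customized Query value (empty = accepted).

    child_tables is a hypothetical argument: the child table names entered for
    the same connector, used to spot a join between parent and child tables.
    """
    problems = []
    # The console does not accept semicolons in any field.
    if ";" in value:
        problems.append("contains a semicolon")
    # Anything left after removing complete literals must not contain a quote.
    if "'" in _LITERAL.sub("", value):
        problems.append("unbalanced single quote")
    # Blank out literals so that text such as 'R&D' or 'where' inside quotes
    # is not mistaken for an operator or a keyword.
    code = _LITERAL.sub("''", value)
    if re.search(r"\bWHERE\b", code, re.IGNORECASE):
        problems.append("contains the keyword WHERE")
    joined = [t for t in child_tables
              if re.search(rf"\b{re.escape(t)}\b", code, re.IGNORECASE)]
    if re.search(r"\bJOIN\b", code, re.IGNORECASE) or joined:
        problems.append("joins parent and child tables")
    # Only the unchecked case is tested: with Use Native Query selected,
    # & and | may be legitimate native operators (for example ||).
    if not use_native_query and re.search(r"\b(AND|OR)\b", code, re.IGNORECASE):
        problems.append("uses AND/OR but Use Native Query is not selected")
    return problems


# The first two values are the examples from this section; the rest are
# constructed for this check.
SAMPLES = [
    ("jdoe.employees.last_name LIKE 'Roe%' & jdoe.employees.dept_id = 'Finance'", False),
    ("jdoe.employees.mgr_id = 856 | jdoe.employees.dept_id = 'Finance'", False),
    ("WHERE jdoe.employees.mgr_id = 856", False),
    ("jdoe.employees.dept_id = 'R&D' AND jdoe.employees.mgr_id = 856", False),
    ("jdoe.employees.dept_id = 'R&D' AND jdoe.employees.mgr_id = 856", True),
    ("jdoe.employees.last_name = 'O'Brien'", False),
]

if __name__ == "__main__":
    for query, native in SAMPLES:
        found = check_customized_query(query, use_native_query=native)
        print("OK  " if not found else "FAIL", query, found)
```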
This section discusses the Database URL and Connection Properties parameters. You apply the information in this section while performing the procedure described in "Step 2: Specify Parameter Values Page".
The values that you specify for the Database URL and Connection Properties parameters depend on the target system:
The following are guidelines on specifying the Database URL and Connection Properties parameters:
Database URL parameter
Enter the following component of the connection URL as the value of the Database URL parameter:
jdbc:db2://[SERVER_NAME[\INSTANCE_NAME][:PORT_NUMBER]]
In this format:
SERVER_NAME is the IP address (not the host name) of the target system host computer.
INSTANCE_NAME is the name of the target system database.
PORT_NUMBER is the port at which the target system database is listening.
The following is a sample value for the Database URL parameter:
jdbc:db2://192.168.16.76:50000
Connection Properties parameter
Enter the following component of the connection URL as the value of the Connection Properties parameter:
[,PROPERTY=VALUE[,PROPERTY=VALUE]] . . .
In this format:
PROPERTY is the name of one or more database connection properties, such as applicationName and disableStatementPooling.
VALUE is the value of each database connection property whose name you specify by using the PROPERTY placeholder.
Note:
Semicolons must be changed to commas in the value that you specify.
The following is a sample value for the Connection Properties parameter:
databaseName=sales,port=50000
If you enable SSL communication between IBM DB2/UDB and Oracle Identity Manager, then you must include the sslConnection, javax.net.ssl.trustStore, and javax.net.ssl.trustStorePassword properties in the value that you specify for the Connection Properties parameter. In other words, the following must be part of the string that you enter as the value of the parameter:
sslConnection=true,javax.net.ssl.trustStore=STORE_LOCATION,javax.net.ssl.trustStorePassword=STORE_PASSWORD
When you specify this value, replace STORE_LOCATION with the full path and name of the truststore, and replace STORE_PASSWORD with the password of the truststore.
For example:
sslConnection=true,javax.net.ssl.trustStore=C:/j2sdk1.4.2_12/jre/lib/security/cacerts,javax.net.ssl.trustStorePassword=changeit
Note:
In Microsoft SQL Server documentation, the term "connection URL" is used instead of "database URL."
In Oracle Identity Manager release 9.1.0, the semicolon (;) is one of the special characters that cannot be entered in any of the fields of the Administrative and User Console. This restriction has been introduced for security reasons. However, a typical Microsoft SQL Server connection URL contains a semicolon-separated property-value pair in the following format:
jdbc:sqlserver://[SERVER_NAME[\INSTANCE_NAME][:PORT_NUMBER]][;PROPERTY=VALUE[;PROPERTY=VALUE]]
See Also:
The "Setting the Connection Properties" section on the Microsoft Web site for detailed information about the properties that you can specify by using this format
To work around the restriction on entering semicolons, you can specify the connection URL as the value of the following provider parameters:
Database URL parameter
Enter the following component of the connection URL as the value of the Database URL parameter:
jdbc:sqlserver://[SERVER_NAME[\INSTANCE_NAME][:PORT_NUMBER]]
In this format:
SERVER_NAME is the IP address (not the host name) of the target system host computer.
INSTANCE_NAME is the name of the target system database.
PORT_NUMBER is the port at which the target system database is listening.
The following is a sample value for the Database URL parameter:
jdbc:sqlserver://192.168.16.76:1433
Connection Properties parameter
Enter the following component of the connection URL as the value of the Connection Properties parameter:
[,PROPERTY=VALUE[,PROPERTY=VALUE]] . . .
In this format:
PROPERTY is the name of one or more database connection properties, such as applicationName and disableStatementPooling.
VALUE is the value of each database connection property whose name you specify by using the PROPERTY placeholder.
Note:
Semicolons must be changed to commas in the value that you specify.
The following is a sample value for the Connection Properties parameter:
databaseName=sales,port=1433
If you enable SSL communication between Microsoft SQL Server and Oracle Identity Manager, then you must include the encrypt and hostNameInCertificate properties in the value that you specify for the Connection Properties parameter. In other words, the following must be part of the string that you enter as the value of the parameter:
encrypt=true,hostNameInCertificate=HOST_NAME
Replace HOST_NAME with the host name given in the certificate that you use.
In addition, you must specify the location of the truststore if you import the certificate into a truststore other than the JVM truststore of Oracle Identity Manager. To specify the location of the truststore, include the following properties in the value that you specify for the Connection Properties parameter:
encrypt=true,hostNameInCertificate=HOST_NAME,trustStore=STORE_LOCATION,trustStorePassword=STORE_PASSWORD
When you specify this value, replace STORE_LOCATION with the full path and name of the truststore, and replace STORE_PASSWORD with the password of the truststore.
The values that you specify for the Database URL and Connection Properties parameters depend on the security measures that you have implemented:
If you have configured only data encryption and integrity, then enter the following values:
Database URL parameter
While creating the connector, the value that you specify for the Database URL parameter must be in the following format:
jdbc:oracle:thin:@TARGET_HOST_NAME_or_IP_ADDRESS:PORT_NUM:sid
The following is a sample value for the Database URL parameter:
jdbc:oracle:thin:@ten.mydomain.com:1521:cust_db
Connection Properties parameter
After you configure data encryption and integrity, the connection properties are recorded in the sqlnet.ora file. The value that you must specify for the Connection Properties parameter is explained by the following sample scenario:
See Also:
Oracle Database Advanced Security Administrator's Guide for information about the sqlnet.ora file
Suppose the following entries are recorded in the sqlnet.ora file:
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(3DES168, DES40, DES, 3DES112)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1,MD5)
While creating the connector, you must specify the following as the value of the Connection Properties parameter:
Note:
The property-value pairs must be separated by commas.
As shown in the following example, for the encryption_types and crypto_checksum_types properties, you can select any of the values recorded in the sqlnet.ora file.
oracle.net.encryption_client=REQUIRED,oracle.net.encryption_types_client=(3DES168),oracle.net.crypto_checksum_client=REQUESTED,oracle.net.crypto_checksum_types_client=(MD5)
After you configure SSL communication, the database URL is recorded in the tnsnames.ora file. See Oracle Database Net Services Reference for detailed information about the tnsnames.ora file.
The following are sample formats of the contents of the tnsnames.ora file. In these formats, DESCRIPTION contains the connection descriptor, ADDRESS contains the protocol address, and CONNECT_DATA contains the database service identification information.
Sample Format 1:
NET_SERVICE_NAME=
 (DESCRIPTION=
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA=
     (SERVICE_NAME=SERVICE_NAME)))
Sample Format 2:
NET_SERVICE_NAME=
 (DESCRIPTION_LIST=
  (DESCRIPTION=
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA=
     (SERVICE_NAME=SERVICE_NAME)))
  (DESCRIPTION=
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA=
     (SERVICE_NAME=SERVICE_NAME))))
Sample Format 3:
NET_SERVICE_NAME=
 (DESCRIPTION=
  (ADDRESS_LIST=
   (LOAD_BALANCE=on)
   (FAILOVER=off)
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)))
  (ADDRESS_LIST=
   (LOAD_BALANCE=off)
   (FAILOVER=on)
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)))
  (CONNECT_DATA=
   (SERVICE_NAME=SERVICE_NAME)))
If you have configured only SSL communication and imported the certificate that you create on the target system host computer into the JVM truststore of Oracle Identity Manager, then enter the following values:
Database URL parameter
While creating the connector, the value that you specify for the Database URL parameter must be derived from the value of NET_SERVICE_NAME in the tnsnames.ora file. For example:
Note:
As shown in this example, you must include only the (ADDRESS=(PROTOCOL=TCPS)(HOST=HOST_NAME)(PORT=2484)) element because you are configuring SSL. You need not include other (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) elements.
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))
Connection Properties parameter
Whether or not you need to specify a value for the Connection Properties parameter depends on the truststore into which you import the certificate:
If you import the certificate into the truststore of the JVM that Oracle Identity Manager is using, then you need not specify a value for the Connection Properties parameter.
If you import the certificate into any other truststore, then while creating the connector, specify a value for the Connection Properties parameter in the following format:
javax.net.ssl.trustStore=STORE_LOCATION,javax.net.ssl.trustStoreType=JKS,javax.net.ssl.trustStorePassword=STORE_PASSWORD
When you specify this value, replace STORE_LOCATION with the full path and name of the truststore, and replace STORE_PASSWORD with the password of the truststore.
If both data encryption and integrity and SSL communication are configured, then:
Database URL parameter
While creating the connector, to specify a value for the Database URL parameter, enter a comma-separated combination of the values for the Database URL parameter described in the "Only Data Encryption and Integrity Is Configured" and "Only SSL Communication Is Configured" sections. For example:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))
Connection Properties parameter
While creating the connector, to specify a value for the Connection Properties parameter, enter a comma-separated combination of the values for the Connection Properties parameter described in the "Only Data Encryption and Integrity Is Configured" and "Only SSL Communication Is Configured" sections. For example:
oracle.net.encryption_client=REQUIRED,oracle.net.encryption_types_client=(3DES168),oracle.net.crypto_checksum_client=REQUESTED,oracle.net.crypto_checksum_types_client=(MD5),javax.net.ssl.trustStore=STORE_LOCATION,javax.net.ssl.trustStoreType=JKS,javax.net.ssl.trustStorePassword=STORE_PASSWORD
As shown in the preceding example, for the encryption_types and crypto_checksum_types properties, you can select any of the values recorded in the sqlnet.ora file. When you specify this value, replace STORE_LOCATION with the full path and name of the truststore, and replace STORE_PASSWORD with the password of the truststore.
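The Connection Properties formats described above for IBM DB2/UDB, Microsoft SQL Server and Oracle Database can be checked with one routine before the value is entered. The following Python linter is an added example, not part of the connector or of this guide; the function names are hypothetical, it assumes a policy under which DB2 and SQL Server connections must use SSL, and the list of algorithm names it flags as weak (DES, DES40, MD5) is this example's choice.

```python
WEAK_ALGORITHMS = {"DES", "DES40", "MD5"}   # names flagged by this example
PLACEHOLDERS = {"STORE_LOCATION", "STORE_PASSWORD", "HOST_NAME"}
# Per target: the property that switches SSL on, and what must accompany it.
SSL_RULES = {
    "db2": ("sslConnection", ("javax.net.ssl.trustStore",
                              "javax.net.ssl.trustStorePassword")),
    "sqlserver": ("encrypt", ("hostNameInCertificate",)),
}
ORACLE_TYPE_LISTS = ("oracle.net.encryption_types_client",
                     "oracle.net.crypto_checksum_types_client")


def split_properties(value):
    """Parse 'a=b,c=(x,y)' into a dict, ignoring commas inside parentheses."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(value):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            items.append(value[start:i])
            start = i + 1
    items.append(value[start:])
    props = {}
    for item in items:
        if item.strip():                    # the format allows a leading comma
            name, _, val = item.partition("=")
            props[name.strip()] = val.strip()
    return props


def lint_connection_properties(target, value):
    """Return a list of problems; target is 'db2', 'sqlserver' or 'oracle'."""
    problems = []
    if ";" in value:
        problems.append("semicolon found: separate properties with commas")
    props = split_properties(value)
    for name, val in props.items():
        if val in PLACEHOLDERS:
            problems.append(f"{name}: placeholder {val} was not replaced")
    if target in SSL_RULES:
        switch, needed = SSL_RULES[target]
        if props.get(switch, "").lower() != "true":
            problems.append(f"{switch}=true is missing")
        else:
            for name in needed:
                if name not in props:
                    problems.append(f"{name} is required when {switch}=true")
    if target == "sqlserver":
        if ("trustStore" in props) != ("trustStorePassword" in props):
            problems.append("trustStore and trustStorePassword must be given together")
    if target == "oracle":
        level = props.get("oracle.net.encryption_client")
        if level is not None and level.upper() != "REQUIRED":
            problems.append("oracle.net.encryption_client is not REQUIRED")
        for key in ORACLE_TYPE_LISTS:
            listed = {a.strip().upper()
                      for a in props.get(key, "").strip("()").split(",")}
            for weak in sorted(listed & WEAK_ALGORITHMS):
                problems.append(f"{key}: {weak} is a weak algorithm")
    return problems


if __name__ == "__main__":
    # Constructed sample values, modelled on the formats in this chapter.
    samples = [
        ("sqlserver", "encrypt=true,hostNameInCertificate=db01.example.com"),
        ("sqlserver", "databaseName=sales;port=1433"),
        ("oracle", "oracle.net.encryption_client=REQUESTED,"
                   "oracle.net.encryption_types_client=(3DES168, DES40)"),
    ]
    for target, value in samples:
        print(target, value, lint_connection_properties(target, value))
```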
To navigate to the first Administrative and User Console page for creating generic technology connectors, log in to the Administrative and User Console, expand Generic Technology Connector, and then click Create.
From this point onward, page-wise instructions are provided in the following sections:
Note:
While performing the procedures described in these sections, you must read the instructions given in the corresponding sections of Oracle Identity Manager Administrative and User Console Guide. The latest version of this guide is on Oracle Technology Network.
The following sections describe additional configuration procedures that can be performed after you create the connector:
On the Step 1: Provide Basic Information page, perform the following steps:
In the Name field, specify a name for the connector.
See the guidelines on specifying a name for a generic technology connector given in the "Step 1: Provide Basic Information Page" section of Oracle Identity Manager Administrative and User Console Guide.
If you want to use the connector for reconciliation, select Reconciliation and then perform the following steps:
From the Transport Provider list, select Database Application Tables Reconciliation Transport Provider.
From the Format Provider list, select Database Application Tables Reconciliation Format Provider.
If you want to use the connector to perform trusted source reconciliation with the target system, then select Trusted Source Reconciliation.
If you want to use the connector for provisioning, select Provisioning and then perform the following steps:
Note:
You can select only Reconciliation, only Provisioning, or both Reconciliation and Provisioning.
Click Continue.
Figure 3-1 shows the Step 1: Provide Basic Information page on which sample entries have been made.
Figure 3-1 Step 1: Provide Basic Information Page
On the Step 2: Specify Parameter Values page, specify values for the provider parameters and then click Continue.
Table 3-1 lists the parameters that are displayed on the Step 2: Specify Parameter Values page. The display of parameters on this page depends on the options that you select on the Step 1: Provide Basic Information page. For example, the Target Date Format parameter is a provisioning-specific parameter and it is displayed only if you select Provisioning on the Step 1: Provide Basic Information page.
As mentioned in "Connector Architecture", some of the parameters are common to both provisioning and reconciliation providers. If you select both Reconciliation and Provisioning on the Step 1: Provide Basic Information page, then the common parameters are displayed twice on this page. Unless specified otherwise, the parameters listed in this table are common to both reconciliation and provisioning providers.
Note:
For parameters that are common (displayed twice), you must enter the same value in both fields. For example, suppose you enter dbapps as the value of the Database User ID parameter for provisioning. You must enter the same value for the Database User ID parameter for reconciliation.
Only the value entered for the first occurrence of the parameter is validated when you submit the data entered on the Step 2: Specify Parameter Values page. In the preceding example, if you enter an incorrect value in the Database User ID parameter for reconciliation, then this error is caught only when you try to use the connector for reconciliation.
Table 3-1 Parameters Displayed on the Step 2: Specify Parameter Values Page
Parameter | Description |
---|---|
Specify the JDBC driver class. For IBM DB2/UDB database: com.ibm.db2.jcc.DB2Driver For Microsoft SQL Server: |
|
Enter the database URL of the target database. The value that you specify depends on the database product that you are using. See "Determining Values for the Database URL and Connection Properties Parameters" for more information. |
|
Enter the user ID of the database user account that Oracle Identity Manager will use to connect to the target system. For example: |
|
Enter the password of the database user account that Oracle Identity Manager will use to connect to the target system. |
|
Enter the WHERE clause specifying the subset of newly added or modified records that you want to reconcile. See "Limited Reconciliation" for more information about this parameter. |
|
Select Use Native Query if you want to use logical operators native to the target system database in the value that you specify for the Customized Query parameter. Do not select Use Native Query if you want to use the & and | operators in the value that you specify for the Customized Query parameter. See "Limited Reconciliation" for more information about this parameter. |
|
Specify the connection properties of the target database. The value that you specify depends on the database product that you are using. See "Determining Values for the Database URL and Connection Properties Parameters" for more information. |
|
Enter the name of the parent table or view. The value that you must enter depends on the target system database: |
|
If you want to use the connector for trusted source reconciliation, then do not enter a value. If you want to use the connector for target resource reconciliation and if user data is spread across parent and child tables, then enter a comma-separated list of child table names. The guidelines for specifying the table names are the same as those described for the Parent Table/View Name parameter. |
|
If the primary key constraint cannot be set in the parent table, then enter the name of the column that uniquely identifies each row in the parent table. Similarly, if referential integrity constraints have not been set between parent and child tables, then use the Unique Attribute parameter to specify the name of the column that you want to use as the foreign key. The only requirement is that the name of the column must be the same in the parent and child tables. Note: If primary key and referential integrity constraints already exist and if you still specify a value for the Unique Attribute parameter, then the parameter is ignored and the integrity constraints defined in the database are used during reconciliation and provisioning. |
|
Enter the name of the column (in the parent table or view) that holds time-stamp information. Note: If the target system is Oracle Database, then you must ensure that the data type of the column is either Date or Timestamp. This parameter is used only during reconciliation. See the description of the Reconciliation Type parameter later in this table. |
|
If you want to include account status data in provisioning operations, then enter the name of the target system column that stores account status values. Note: This parameter is used only during provisioning. See "Configuring Account Status Provisioning" for details. |
|
If you want to include account status data in provisioning operations, then enter the name of the lookup definition described in "Configuring Account Status Provisioning". Note: This parameter is used only during provisioning. |
|
|
|
See "Step 2: Specify Parameter Values Page" in Oracle Identity Manager Administrative and User Console Guide for detailed information about this parameter. If you enter a value for the Target Date Format parameter, then you must specify the same value for the Database Date Format parameter for provisioning. Note: This parameter is used only during provisioning. It is recommended that you do not enter a value for this parameter. |
|
Enter a batch size (an integer value) for the reconciliation run. By using this parameter, you can break into batches the total number of records that the reconciliation engine fetches from the target system during each reconciliation run. You should specify a batch size that optimizes the performance of the reconciliation run. Default value: |
|
Enter a value for this parameter only if you want reconciliation to stop automatically if the percentage of records that fail the validation checks to the total number of reconciliation records processed exceeds the specified value. See Also: Oracle Identity Manager Administrative and User Console Guide for detailed information about this parameter |
|
Enter a value for this parameter only if you specify a value for the Stop Reconciliation Threshold parameter. See Also: Oracle Identity Manager Administrative and User Console Guide for detailed information about this parameter |
|
See "Step 2: Specify Parameter Values Page" in Oracle Identity Manager Administrative and User Console Guide for detailed information about this parameter. If you want to validate the format of date values that are fetched from the target system during reconciliation, then enter a value for this parameter. Otherwise, do not enter a value for this parameter. If you enter a value for the Source Date Format parameter, then you must specify the same value for the Database Date Format parameter for reconciliation. Note: It is recommended that you do not enter a value for this parameter. |
|
If you are configuring the connector for trusted source reconciliation, then do not select this check box. If you are configuring the connector for target resource reconciliation and if you want to reconcile into Oracle Identity Manager the deletion of child data on the target system, then select this check box. |
|
Use this check box to specify whether you want to use the connector to perform incremental or full reconciliation. In incremental reconciliation, only target system records that are newly added or modified after the last reconciliation run are brought to Oracle Identity Manager. Reconciliation events are created for each of these records. In full reconciliation, all target system records are brought to Oracle Identity Manager. The optimized reconciliation feature identifies and ignores records that have already been reconciled in Oracle Identity Manager. Reconciliation events are created for the remaining records. If you select Incremental, then you must also specify a value for the Timestamp Attribute parameter. |
Figure 3-2 shows the first section of the Step 2: Specify Parameter Values page on which sample entries have been made.
Figure 3-2 First Section of the Step 2: Specify Parameter Values Page
Figure 3-3 shows the second section of the Step 2: Specify Parameter Values page on which sample entries have been made.
Figure 3-3 Second Section of the Step 2: Specify Parameter Values Page
Note:
See "Step 3: Modify Connector Configuration Page" in the "Creating Generic Technology Connectors" chapter of Oracle Identity Manager Administrative and User Console Guide for detailed information about the terms and procedures given in this section.
When you click Continue on the Step 2: Specify Parameter Values page, the generic technology connector framework tries to read metadata from the target system. If this operation is successful, then metadata is displayed on the Step 3: Modify Connector Configuration page in the form of data sets.
If metadata detection fails, then an error message is displayed and details of the cause of the error are recorded in the log file. If you encounter a metadata detection error, then you must fix it before resuming the procedure from the Step 2: Specify Parameter Values page.
Figure 3-4 shows a screenshot of the Step 3: Modify Connector Configuration page after metadata detection has run on the sample target system described in the "Step 2: Specify Parameter Values Page" section.
Figure 3-4 Step 3: Modify Connector Configuration Page After Metadata Detection
The elements displayed on the Step 3: Modify Connector Configuration page depend on the input that you provide on the Step 1: Provide Basic Information page and Step 2: Specify Parameter Values page. For example, if you select the Trusted Source Reconciliation check box on the Step 1: Provide Basic Information page, then the OIM - Account data sets and Provisioning Staging data sets are not displayed. See Table 22-3, "Display of Data Sets and Fields Under Various Input Conditions" in the "Creating Generic Technology Connectors" chapter of Oracle Identity Manager Administrative and User Console Guide for more information.
You must perform the actions described in Table 3-2 by using the features provided by the Step 3: Modify Connector Configuration page.
Note:
You can perform these actions in any sequence. For example, you can create the reconciliation rule before you specify the data type for fields in the Reconciliation Staging and OIM data sets.
Some of the actions can be performed as parts of the same procedure. For example, while setting the data type and length of a field, you can also create a mapping between the field and a field in a different data set.
See "Adding or Editing Fields" of Oracle Identity Manager Administrative and User Console Guide for details.
See Appendix A, "An Example of the Procedure to Create Connectors" for sample steps.
Table 3-2 Actions to Be Performed on the Step 3: Modify Connector Configuration Page
Action | Description |
---|---|
Actions common to both target resource and trusted source configurations of the target system |
|
In the Reconciliation Staging and OIM data sets, you must designate fields as mandatory fields to duplicate NOT NULL constraints (including primary key constraints) of the target system tables. |
While adding or editing a field, you can select the Required check box to specify that the field is a mandatory field. In the Reconciliation Staging and OIM data sets, you must select the Required check box for fields that represent columns for which the NOT NULL constraint has been set. See Figure B-1. |
Create the reconciliation rule by creating a matching-only mapping between the primary key field of the Reconciliation Staging data set and the corresponding field of the OIM - User data set. |
During reconciliation, the reconciliation rule forms the basis of entity matching in which target system records are compared with existing OIM Users. See Oracle Identity Manager Connector Concepts for more information about the reconciliation rule. To create the reconciliation rule, you must create a matching-only mapping between the unique field (primary key) of the Reconciliation Staging data set and the corresponding field of the OIM - User data set. For example, you can create a matching-only mapping between the APP_USERID field of the Reconciliation Staging data set and the User ID field of the OIM - User data set. See Point 4 in Figure B-6. If the primary key is composed of more than one target system field (column), then create matching-only mappings between each primary key field and the corresponding field of the OIM - User data set. Note: The outcome of the entity-matching operation is determined by the reconciliation action rules that you configure. See "Modifying the Default Action Rules" for details. |
Set the attributes (such as the data type and length) for the fields of the Reconciliation Staging data sets and the OIM - Account data sets. |
At the end of the metadata detection process, default values for field attributes (such as the data type and length) are assigned to the fields displayed in the Reconciliation Staging and OIM - Account data sets. You must edit these fields and set the required attributes for them. For example, suppose the target system contains the HIRE_DATE and LAST_UPDATE columns. On the Step 3: Modify Connector Configuration page, you must edit the fields for these columns and set their data type to Date. Figure B-1 shows the Data Type list, which you can use to set the data type of a field. Note: If you select the Provisioning option on the Step 1: page, then after you create the connector, you must not modify the data type of the OIM - Account data sets fields. This is because a data type change does not result in the creation of a new version of the process form. |
Remove fields that are not required. |
You might not want to read data from (reconcile with) or send data to (provision to) some fields of the target system. You must remove such fields from all the data sets on the Step 3: Modify Connector Configuration page. Note: If you do not want to reconcile from or provision to the field that stores time-stamp values, then you can remove it from all the data sets. You can perform this action even if you have specified the name of the field as the value of the Timestamp Attribute parameter on the Step 2: Specify Parameter Values page. |
If required, create or edit mappings to establish new flow lines, transform data, and validate data. Note: This is not a mandatory action. |
In addition to the mappings created through metadata detection, you can create mappings to establish new data flow lines between fields of adjacent data sets. While adding or editing a mapping, you can add Transformation Providers to transform data that is in transit between fields of the following data sets:
While adding or editing a mapping, you can add Validation Providers to validate data before it is sent to the Reconciliation Staging data sets. |
If required, configure the exchange of account status data between the target system and Oracle Identity Manager. Note: This is not a mandatory action. |
See "Exchanging Account Status Data with the Target System" for more information. In addition, see Figure B-4, Figure B-5, and Figure B-6. |
Specify that you want to encrypt the storage, display, or both storage and display of fields that store confidential data in Oracle Identity Manager. |
The target system may store confidential data, such as salaries and passwords of employees. For fields of the OIM data sets that hold confidential data, you can specify that you want to encrypt the field values in the Oracle Identity Manager database (storage of the field) and on the Administrative and User Console (display of the field). See Figure B-3. |
Do not add the foreign key field. |
If a foreign key is defined in the target system, then the foreign key column is automatically identified during metadata detection. If the foreign key is not defined, then you must use the Unique Attribute parameter to specify the name of the column that links rows of the parent and child tables. In either case, the foreign key column (field) is not displayed on the Step 3: Modify Connector Configuration page. You must not add it on this page. |
Actions specific to configuring the target system as a target resource |
If required, convert fields to lookup fields. Note: This is not a mandatory action. |
If you are configuring the connector for provisioning, then you may want to create lookup fields on the process form. For example, during provisioning operations, you may want to select the Country Code value from a lookup field. The generic technology connector framework enables you to specify input sources for the lookup field. You can create a lookup field that uses columns from Oracle Identity Manager database tables as its input source. For example, if country code values are stored in any Oracle Identity Manager database table, then you can use the columns of that table as the input source for the Country Code lookup field. Alternatively, you can specify a lookup definition that you have created as the input source. This is discussed in "Using Lookup Definitions". |
Specify the key field for reconciliation matching. |
During target resource reconciliation, the key field for reconciliation matching is used to match target system accounts with accounts provisioned to existing OIM Users. This key field forms the basis of process matching that is performed during reconciliation. To specify the key field for reconciliation matching, create a matching-only mapping between the unique field of the Reconciliation Staging data set and the corresponding field of the OIM - Account data set. See Figure B-6. Note: You must not use the ID field to create the key field for reconciliation matching. Ensure that there are no mappings (of any kind) between the ID field and fields of any other data set. Multiple fields of the OIM - Account data set can be (matching-only) mapped to corresponding fields of the Reconciliation Staging data set to create a composite key field for reconciliation matching. Note: The outcome of the process-matching operation is determined by the reconciliation action rules that you configure. See "Modifying the Default Action Rules" for details. |
Actions specific to configuring the target system as a trusted source |
Remove password fields from all data sets. |
Reconciliation of password information is not supported in Oracle Identity Manager. You must remove password fields from all data sets. |
Ensure that the mandatory fields required for creation of an OIM User are present. |
If you are creating the connector for trusted source reconciliation and if the target system does not have columns for some of the mandatory fields of the OIM User form, then add these mandatory fields to the Reconciliation Staging data set and specify literal values as the input sources for these fields. The following are the mandatory fields of the OIM User form:
During trusted source reconciliation, you must ensure that there are target system fields that provide data for each of these mandatory OIM User fields. To ensure successful reconciliation, you must add fields corresponding to these target system fields in the Reconciliation Staging data set and specify literal values for the fields. To add a field:
See Figure B-7. |
If the target system has more columns than there are fields on the OIM User form, then create mappings between the UDFs that you created earlier and the corresponding fields of the Reconciliation Staging data sets. |
The target system may have more columns than there are fields on the OIM User form. For example, the target system may have the Designation column, which has no corresponding field on the OIM User form. To enable the creation of OIM Users during trusted source reconciliation, you must create a UDF for the Designation field on the OIM User form before you start creating the connector. See "Adding New User-Defined Fields for the OIM User" for more information. On the Step 3: Modify Connector Configuration page, you must create mappings between the UDFs in the OIM - User data set and corresponding fields of the Reconciliation Staging data sets. You use the Design Console to create UDFs. See Oracle Identity Manager Design Console Guide for information about creating UDFs. After you create the required UDFs, you must create mappings between them and the corresponding fields of the Reconciliation Staging data sets. See Figure B-7. |
Note:
This page is not displayed if you select the Trusted Source Reconciliation option on the Step 1: Provide Basic Information page.
On the Step 4: Verify Connector Form Names page, click Continue.
Figure 3-5 shows the Step 4: Verify Connector Form Names page.
Figure 3-5 Step 4: Verify Connector Form Names Page
On the Step 5: Verify Connector Information page, click Save.
Note:
If you encounter any errors at this stage, then see "Errors Encountered at the End of the Connector Creation Process" in Oracle Identity Manager Administrative and User Console Guide for troubleshooting information.
Creation of the connector involves creation of all the objects that constitute the connector. See the "Connector Objects Created by the Generic Technology Connector Framework" chapter in Oracle Identity Manager Administrative and User Console Guide for information about the connector objects that are created.
Except for the form names, the names of generic technology connector objects are in the GTC_NAME_GTC format, where GTC_NAME is the name that you assign to the connector.
For example, if you specify DBTables_conn as the name of the connector that you create, then all the connector objects (except the forms) are named DBTables_conn_GTC.
Table 3-3 lists the default action rules that are created when you create a connector for target resource reconciliation.
Table 3-3 Action Rules for Target Resource Reconciliation
Rule Condition | Action |
---|---|
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
Table 3-4 lists the default action rules that are created when you create a connector for trusted source reconciliation.
Table 3-4 Action Rules for Trusted Source Reconciliation
Rule Condition | Action |
---|---|
No matches found | Create User |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
You can modify these rule conditions and rule actions according to your requirements. See the "Resource Objects Form" section in Oracle Identity Manager Design Console Guide for information about this procedure.
Note:
If you use the Design Console to modify the objects (for example, the action rules), then do not use the Manage Generic Technology Connector feature to modify the generic technology connector. If you modify the connector, then all the modifications made by using the Design Console would be overwritten. This limitation is mentioned in the "Connector Objects" section in the "Known Issues of Generic Technology Connectors" chapter of Oracle Identity Manager Administrative and User Console Guide.
See "Configuring Reconciliation" in the "Creating Generic Technology Connectors" chapter of Oracle Identity Manager Administrative and User Console Guide.
See "Performing Connector Operations" in Oracle Identity Manager Connector Concepts for information about guidelines that you must apply when you start using the connector.
Updating Child Records
Database Application Tables connectors do not support Update Child Record provisioning operations in this release. To work around this problem, you must first delete the record and then add the record with the required data modified.
See Also:
The entry for Bug 6614311 in the "Known Issues" chapter