1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications.

A custom application in your organization may use relational database tables as a repository for user data. This guide describes the procedure to create the connector for integrating these database tables with Oracle Identity Manager. After you integrate the tables with Oracle Identity Manager, you can use them either as a managed (target) resource or as an authoritative (trusted) source of user data for Oracle Identity Manager.

The connector that you create is known as a Database Application Tables connector. The following sample scenario describes the requirement that can be addressed by a Database Application Tables connector:

Example Inc. has some database-driven custom applications. These applications cannot be LDAP enabled, and they do not have any APIs for identity administration. The company wants to deploy an identity management and provisioning system that can be linked with their database.

The Database Application Tables connector is one of the solutions to this business problem. Example Inc. can use this connector to enable the exchange of user data between the database and Oracle Identity Manager.

Note:

In this guide:

• The database tables that store user data are collectively referred to as the target system.

• The computer on which the database is installed is referred to as the target system host computer.

In the target resource configuration, data about users created or modified on the target system is reconciled into Oracle Identity Manager and is used to create or update resources allocated to OIM Users. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

In the trusted source configuration, data about users created or modified on the target system is reconciled into Oracle Identity Manager and is used to create or update OIM Users.

Note:

• It is recommended that you do not configure the target system as both an authoritative (trusted) source and a managed (target) resource.

• See Oracle Identity Manager Connector Concepts for detailed information about connector deployment configurations.

This chapter discusses the following topics:

• Certified Deployment Configurations

• Certified Languages

• Features of the Connector

• Roadmap for Deploying and Using the Connector

1.1 Certified Deployment Configurations

Table 1-1 lists the certified deployment configurations for this connector.

Table 1-1 Certified Deployment Configurations

Item	Requirement
Oracle Identity Manager	Oracle Identity Manager release 9.1.0 or later
Target systems	The target system can be database tables from any one of the following RDBMSs: IBM DB2/UDB Version 9.x running on Microsoft Windows, UNIX, and IBM z/OS platforms Microsoft SQL Server 2005 Oracle Database 10g, 11g
JDBC drivers	Depending on the target system that you use, you would need one of the following sets of JDBC drivers: For IBM DB2/UDB: For all platforms: db2jcc.jar For Microsoft Windows and UNIX platforms: db2jcc_license_cu.jar For IBM z/OS platforms: db2jcc_license_cisuz.jar For Microsoft SQL Server: sqljdbc.jar version 1.2 For Oracle Database Oracle Database 10g drivers Oracle Database 11g drivers Instructions to download and use these drivers are provided later in this guide.
Format in which user data is stored in the target system	You can use a Database Application Tables connector only if user data is stored in the target system in any one of the following formats: All user data is in a single table. User data is spread across one parent table and one or more child tables. This target system can be configured only as a target resource, and not as a trusted source. All user data is in a single updatable view (that is based on one or more tables). User data is spread across one updatable view (that is based on one or more tables) and one or more child views (that are based on one or more tables). This target system can be configured only as a target resource, and not as a trusted source. In other words, a trusted source cannot store child data. Note: If you use read-only views, then you must create INSTEAD OF triggers to enable modification of the read-only views during provisioning operations. This requirement has also been mentioned in "Using Read-Only Views".
Other requirements of the target system	The target system must meet the following requirements: The target system must not contain a column named ID. See "Ensuring That There Are No Target System Columns Named ID" for the description of a workaround to this requirement. Names of foreign key columns can be the same in parent and child tables. However, the names of all other columns in the parent table must be different from the names of columns in the child tables. See "Names of Fields" in the "Best Practices for Creating and Using Generic Technology Connectors" chapter of Oracle Identity Manager Administrative and User Console Guide for more information. The latest version of this guide is available on Oracle Technology Network.

1.2 Certified Languages

The connector supports the following languages:

• Arabic

• Chinese (Simplified)

• Chinese (Traditional)

• Danish

• English

• French

• German

• Italian

• Japanese

• Korean

• Portuguese (Brazilian)

• Spanish

See Also:

Oracle Identity Manager Globalization Guide for information about supported special characters

1.3 Features of the Connector

This section discusses the following topics:

• The "Connector Architecture" section describes the architecture of the connector.

• The following sections describe features of the target resource configuration:

  • Target Resource Reconciliation

  • Provisioning

• The "Trusted Source Reconciliation" section describes features of the trusted source configuration.

1.3.1 Connector Architecture

Figure 1-1 shows the architecture of the connector.

Figure 1-1 Architecture of a Database Application Tables Connector

Description of "Figure 1-1 Architecture of a Database Application Tables Connector"

See Also:

Oracle Identity Manager Administrative and User Console Guide for conceptual information about providers and data sets

The latest version of this guide is available on Oracle Technology Network.

This diagram shows the providers that constitute the connector. The position of each provider is based on its role during reconciliation or provisioning.

The Transformation and Validation Providers are optional elements of the connector. Predefined Transformation and Validation Providers are shipped as part of the generic technology connector framework. Refer to Oracle Identity Manager Administrative and User Console Guide for information about these predefined providers.

The following predefined providers are the building blocks of the connector:

Note:

The provider parameters mentioned in this section are described later. While creating the connector, you specify values for these parameters. The providers use the parameter values to perform their intended function. For example, the Reconciliation and Provisioning Transport Providers use the Database URL parameter to connect to the target system.

Some of the parameters are common to both the provisioning and reconciliation providers. For example, the Database Driver parameter is common to both the Database Application Tables Reconciliation Transport Provider and the Database Application Tables Provisioning Transport Provider.

• Database Application Tables Reconciliation Transport Provider

  This provider uses a SQL query to fetch data from the target system. The column names for the SELECT clause of the SQL query are derived from the field mappings that you create while performing the procedure described in "Step 3: Modify Connector Configuration Page". The table names for the FROM clause are derived from the values of the Parent Table/View Name and Child Table/View Names parameters. The WHERE clause is derived from the value of the Customized Query parameter. This clause is optional. In other words, it is not mandatory to enter a value for the Customized Query parameter.

  If the primary key constraint cannot be set in the target system, then you use the Unique Attribute parameter to specify the name of the primary key column.

  If the primary key constraint has been set between the parent and child tables (or views), then the provider can automatically detect the primary key. In this scenario, the value of the Unique Attribute parameter is ignored.

  Similarly, if the target system is composed of more than one table or view, then this provider can automatically detect and use referential integrity constraints that have been set between the tables. However, if referential integrity constraints have not been set between parent and child tables, then you can use the Unique Attribute parameter to specify the name of the column that you want to use as the foreign key. The only requirement is that the name of the column must be the same in the parent and child tables.

  The result set fetched by the SQL query is in a format that is supported by the predefined Reconciliation Format Provider.

• Database Application Tables Reconciliation Format Provider

  This provider converts the format of data fetched by the Database Application Tables Reconciliation Transport Provider into a format supported by Oracle Identity Manager.

• Database Application Tables Provisioning Format Provider

  This provider converts the format of data sent from Oracle Identity Manager into a format supported by the target system.

• Database Application Tables Provisioning Transport Provider

  This provider uses INSERT, UPDATE, and DELETE statements to perform provisioning operations on the target system. Like the Database Application Tables Reconciliation Transport Provider, this provider can detect primary and foreign key constraints that are set in the target system. Similarly, if the primary and foreign keys have not been set in the target system, then the value of the Unique Attribute parameter is used during connector operations.

1.3.2 Target Resource Reconciliation

Target resource reconciliation involves fetching data about newly created or modified users on the target system and using this data to add or modify resources assigned to OIM Users. See Oracle Identity Manager Connector Concepts for conceptual information about target resource reconciliation.

The scheduled task that you use to start a target resource reconciliation run is automatically created when you create the connector.

See Also:

The "Connector Objects Created by the Generic Technology Connector Framework" chapter in Oracle Identity Manager Administrative and User Console Guide on Oracle Technology Network.

Supported Target Resource Reconciliation Functions

The connector supports any of the following actions during a target resource reconciliation run:

• For each account created on the target system, a resource is assigned to the corresponding OIM User.

• Updates made to each account on the target system are propagated to the corresponding resource.

• Deletion of child data from accounts on the target system results in deletion of the same data from the resource. For example, if user John Doe is removed from the Leave Approvers group on the target system, then the same action is performed on the resource assigned to the OIM User John Doe.

Note:

Reconciliation of user account deletion on the target system is not supported in this release.

Reconciliation Rules

You create the reconciliation rule when you perform the procedure described in "Step 3: Modify Connector Configuration Page".

You can modify the default rule conditions and actions that are created automatically at the end of the connector creation process. The procedure is described later in this guide.

1.3.3 Provisioning

Provisioning involves creating or modifying a user's data on the target system through Oracle Identity Manager. See Oracle Identity Manager Connector Concepts for conceptual information about provisioning.

The connector supports the following provisioning functions:

• Create an account

• Update an account

• Enable an account

• Disable an account

• Delete an account

1.3.4 Trusted Source Reconciliation

The connector supports any of the following actions during a trusted source reconciliation run:

• For each newly created user on the target system, an OIM User is created.

• Updates made to each user on the target system are propagated to the corresponding OIM User.

Note:

Reconciliation of user account deletion on the target system is not supported in this release.

Reconciliation Rules

You create the reconciliation rule when you perform the procedure described in "Step 3: Modify Connector Configuration Page".

You can modify the default rule conditions and actions that are created automatically at the end of the connector creation process. The procedure is described later in this guide.

1.4 Roadmap for Deploying and Using the Connector

Note:

Before you start creating the connector, it is recommended that you read and familiarize yourself with the generic technology connector information in Oracle Identity Manager Administrative and User Console Guide. The latest version of this guide is available on Oracle Technology Network.

The following is a summary of the rest of the content in this guide:

• Chapter 2, "Tasks to Be Performed Before You Create the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system before you can start creating Database Application Tables connectors.

• Chapter 3, "Creating the Connector" describes the procedure to create Database Application Tables connectors. This procedure is based on the "Using the Administrative and User Console to Create the Generic Technology Connector" section in Oracle Identity Manager Administrative and User Console Guide.

• Chapter 4, "Known Issues" lists the known issues that you may encounter while using Database Application Tables connectors.

• Appendix A, "An Example of the Procedure to Create Connectors" demonstrates the procedure to create a Database Application Tables connector.

• Appendix B, "Screenshots of the Step 3: Modify Connector Configuration Page" presents screenshots of pages that you encounter while creating Database Application Tables connectors. These screenshots are referenced in Chapter 3.